Shining the "Spotlight" on: Social Media
December 2012 • www.scmagazine.com

Enterprise use of social networks brings convenience and assists in marketing, but it also opens new routes for cyber criminals.

Including:
P10 A vulnerable world: It is a relatively simple matter for criminals to gather information from social media sites.
P14 Privacy in play: There's a battle brewing about privacy controls that can have consequences for online commerce.
P18 Winds of change: Social media was useful during Hurricane Sandy, but data may never have been more vulnerable.
Website: www.scmagazine.com
Regulars
5 Editorial: Welcome to our special Spotlight edition on social media.
6 DataBank: Some statistics on social media use – and misuse.
8 Update: News briefs on how social media affects the workplace.
22 Last Word: Finding privacy on a data-centric web. Online data about a user can impact how that person is perceived, says Microsoft's Brendon Lynch.

Features
10 A vulnerable world: Criminals can easily gather information from social media sites that can then be used for social engineering and other attacks.
14 Privacy in play? There's a battle brewing about privacy controls that can have significant consequences for online commerce.
18 Winds of change: Social media proved useful in communications during Hurricane Sandy, but enterprise data may also have been vulnerable as a result.

Advertisement (EdgeWave)
Is your company practicing safe social media?
Don't take chances until you read this….
With Facebook reaching one billion users, Twitter at over 500 million and LinkedIn at 161 million and growing, trying to stop social media is like trying to stop a speeding train!
The good news? Companies who leverage social media tools are experiencing more efficient marketing, revenue growth and greater brand awareness.
The bad news? Unmanaged social media access exposes you to the risks of brand damage, employee productivity drain and confidential data loss.
The best news? EdgeWave Social Media Security creates safe social media with technology that seamlessly monitors, filters and reports on end-user interactions on your network. Our revolutionary approach not only gives you granular, policy-driven control over social media interactions, it does so from within the application itself. Your user gets a transparent experience, and you get integrated, real-time visibility and control that no other solution can match.
See EdgeWave Social Media in action and download a free guide, Social Media without the Risks: www.edgewave.com/safesocial
In this special Spotlight edition of SC Magazine with a focus on social media, we examine how the use of social networks impacts the security of the enterprise. Some argue that it augments productivity and helps marketing efforts, while others contend it places corporate assets in danger. We take a thorough look.
www.facebook.com/SCMag • www.twitter.com/scmagazine

SC Magazine™ (ISSN No. 1096-7974) is published 12 times a year on a monthly basis by Haymarket Media Inc., 114 West 26th Street, 4th Floor, New York, NY 10001 U.S.A.; phone 646-638-6000; fax 646-638-6110. Periodicals postage paid at New York, NY 10001 and additional mailing offices. POSTMASTER: Send address changes to SC Magazine, P.O. Box 316, Congers, NY 10920-0316. © 2012 by Haymarket Media Inc. All rights reserved. Annual subscription rates: United States: $98; Canada and Mexico: $110; other foreign distribution: $208 (air service). Two-year subscription: United States: $175; Canada and Mexico: $195; other foreign distribution: $375 (air service). Single copy price: United States: $20; Canada, Mexico, other foreign: $30. Website: www.scmagazine.com.
What is SCWC 24/7
SC Magazine has created a free virtual environment that is open year-round. Each month we host an event focused on a subject that you as an IT security professional face on a regular basis.

This month
Dec. 11 – eSymposium: Hacking
Communications giant T-Mobile was just the latest in a series of assaults on corporate websites by cyber gangs whose intention is not necessarily to gain financially from their activity, but to wreak havoc on targets they deem offensive. These vigilante-style attacks are meant to embarrass executives by publicizing their secret dealings. However, as well-intentioned as these actions might be, there is still a transgression of laws in the exposure of personal, corporate or military information. What can authorities do to go after those behind these activities, and how can corporations better protect themselves so incidents – such as those that happened at RSA, Twitter, PayPal, Sony, Pfizer, the FBI, a number of police forces, the U.S. military and many other entities – don't happen to them? We'll take a deep dive.

On demand
Vulnerability management
Cyber criminals take advantage of vulnerabilities in web and other apps to gain entrance to corporate infrastructures. With breaches now happening on a regular basis using these methods, critical information of all kinds is being exposed. We learn from experts what companies can do to mitigate against these threats.

For more info
For information on SCWC 24/7 events, please contact Natasha Mulla. For sponsorship opportunities, contact Mike Alessie at mike.alessie@haymarketmedia.com. Or visit www.scmagazineus.com/scwc247.

SC Magazine Editorial Advisory Board 2012
Rich Baich, chief information security officer, Wells Fargo & Co.; former principal, security and privacy, Deloitte and Touche
Greg Bell, global information protection and security lead partner, KPMG
Christopher Burgess, chief security officer and president, public sector, Atigeo
Jaime Chanaga, managing director, CSO Board Consulting
Rufus Connell, research director, information technology, Frost & Sullivan
Dave Cullinane, CEO, Security Starfish; former chief information security officer, eBay
Mary Ann Davidson, chief security officer, Oracle
Dennis Devlin, assistant vice president, information security and compliance services, George Washington University
Gerhard Eschelbeck, chief technology officer and senior vice president, Sophos
Gene Fredriksen, chief information security officer, Tyco International
Maurice Hampton, technical account manager, Qualys
Paul Kurtz, partner and chief operating officer, Good Harbor Consulting
Kris Lovejoy, vice president of IT risk, office of the CIO, IBM
Tim Mather, director, information protection, KPMG
Stephen Northcutt, president, SANS Technology Institute
Randy Sanovic, former general director, information security, General Motors
* Howard Schmidt, former cyber security coordinator, White House; former president and chief executive officer, Information Security Forum
Ariel Silverstone, former chief information security officer, Expedia
Justin Somaini, chief information security officer, Yahoo
Craig Spiezle, chairman, Online Trust Alliance; former director, online safety technologies, Microsoft
W. Hord Tipton, executive director, (ISC)2; former CIO, U.S. Department of the Interior
Amit Yoran, chief executive officer, NetWitness; former director, U.S. Department of Homeland Security's National Cyber Security Division
* emeritus
Who's who at SC Magazine

Editorial
VP, editorial director: Illena Armstrong
Executive editor: Dan Kaplan
Managing editor: Greg Masters
Digital content coordinator: Marcos Colón
Reporter: Danielle Walker
Technology editor: Peter Stephenson
SC Lab manager: Mike Stephenson
Director of SC Lab operations: John Aitken
SC Lab editorial assistant: Judy Traub
Program director, SC Congress: Eric Green
Contributors: Stephen Lawton, Deb Radcliff, Karen Epper Hoffman

Design and production
Art director: Michael Strong
VP, audience development & operations: John Crewe
Production manager: Krassi Varbanov

SC events
Events director: Natasha Mulla
Senior events coordinator: Anthony Curry
Events coordinator: Maggie Keller
4 • SC SPOTLIGHT • www.scmagazine.com
U.S. sales
VP, sales director: David Steifman, (646) 638-6008
Regional sales director: Mike Shemesh, (646) 638-6016
West Coast sales director: Matthew Allington, (415) 346-6460
Event sales director: Mike Alessie, (646) 638-6002
Account manager: Dennis Koster, (646) 638-6019
Account manager: Samantha Amoroso
Sales/editorial assistant: Roo Howar, (646) 638-6104
Account executive, licensing and reprints: Elton Wong, (646) 638-6101

Email list rental
Senior account manager: Frank Cipolla, Edith Roman Associates, (845) 731-3832

Circulation
Audience development director: Sherry Oommen, (646) 638-6003
Customer data manager: Joshua Blair, (646) 638-6048
Subscription inquiries: customer service (800) 558-1703; web: www.scmagazine.com/subscribe

Management
CEO of Haymarket Media: Lee Maniscalco
Executive vice president: Tony Keefe
A special "Spotlight" on social media

Twitter, Facebook, Tumblr and other social networking sites have been making plenty of headlines lately – both good and bad (but, let's face it, mostly bad).

Just recently, a group engaging in an "anti-blogging" campaign attacked various major sites, like CNN, along with the microblogging platform and social media site Tumblr. The assault spread a pretty passionate, yet rather aggressive diatribe blasting "self-indulgent" bloggers, which packed along with it a nasty little worm that enabled the group's statement to post itself onto victims' pages, as well as onto the pages of those who visited them. Some 8,000 Tumblr users reportedly were affected – only this time it was just by inflammatory post, rather than compromised accounts and personal information.

Meanwhile, it was discovered just this week that users sending and receiving Twitter messages via text message on their mobile phones could fall victim to spoofing attacks. Apparently, a flaw in the system could allow attackers to spoof the user's account to tweet whatever they wish via text. After reports of the vulnerability, Twitter issued a fix.

Still other attacks have persisted through social media, both those that result in havoc on the networking sites themselves, as well as those aimed at particular companies or government agencies that social media sites often facilitate. After all, one gullible end-user can mean a host of problems for organizations and CSOs like you.

Then there are all the privacy-related issues surrounding social media. Not only do cyber criminals harness the power of these sites to reach their aims, but government entities across the globe have used them, for example, to spy on unsuspecting individuals or, in many a recent conflict, taken them offline to squelch the communications of protesters.

On the flipside, social networking sites aren't all pain. Of course, we all have experienced various departments using them to help market new product launches or stay in touch with customers. But there's more. During Superstorm Sandy, folks everywhere turned to social media to get in touch with loved ones. Companies of all sizes used sites to account for staff and keep some form of business continuity.

Social networking is part of our everyday interactions. They're a bane to some and a boon to others. An unavoidable truth is that the many vulnerabilities social networking introduces must be addressed. Cyber criminals obviously love social media sites given the variety of ideas for attacks they have spawned. Individual users of them must ponder their own relationships with social networking sites and the privacy and security issues that plague them. And, for the purposes of this last SC Spotlight of the year, business executives must figure out just how to marry business-related social media use with all the risks that they embody, and then decide if social networking is friend or foe.

Illena Armstrong is VP, editorial director of SC Magazine.
DataBank
Social Media Gauge: social media stats and demographics

1. Social media accounts for only 16% of customer engagement today, but is expected to increase to 57% — the second-most used channel, behind only face-to-face interaction — within five years.

2. 30% of the world's population is now online, and social networking is the most popular and time-consuming online activity — with users spending more than one-fifth (22%) of their time engaging on social media channels. This means that more than 250 million tweets and 800 million Facebook status updates are now published every single day. (Source: MindJumpers)

3. Brazilians have the highest number of online friends of any country, averaging 481 friends per user, while the Japanese average only 29 friends. (Source: MindJumpers)

4. 56% of Americans have a profile on at least one social networking site. And it's not just millennials: 55% of those aged 45-54 have at least one social network profile. (Source: Convince & Convert)

5. Social networks and blogs in the United States reach 80% of active internet users and represent the majority of Americans' time online. (Source: MediaPost)

6. 60% of people who use three or more digital means of research for product purchases learned about a specific brand or retailer from a social networking site. 48% of these consumers responded to a retailer's offer posted on Facebook or Twitter. (Source: MediaPost)

Percentage of people who use social networks (Source: Marketing Pilgrim)
Any social network: 65%
Facebook: 54%
LinkedIn: 13%
Twitter: 10%
Google+: 8%

Every minute of the day:
100,000 tweets are sent
684,478 pieces of content are shared on Facebook
2 million search queries are conducted on Google
48 hours of video are uploaded to YouTube
3,600 photos are shared on Instagram
571 websites are created
$272,000 is spent by consumers online
Source: AllTwitter; Browser Media, Socialnomics, MacWorld

What do people want from brands on social media?
Deals and promotions: 83%
Rewards programs: 70%
Exclusive content: 58%
Feedback on new products: 55%
Source: AllTwitter

Twitter by the numbers
Twitter has more than 500 million registered users, but just 140 million active users (compared to Facebook's 950 million active users and likely more than two billion registered users).
The United States, with 141.8 million accounts, represents 27.4 percent of all Twitter users, finishing ahead of Brazil, Japan, and the U.K.
Kuwait sent almost 60 million tweets in March.
15% of online adults use Twitter.
The 18-29 demographic is most represented on Twitter, at 29% of the user base, ahead of those aged 30-49 (14%) and 50-64 (9%).
28% of black online internet users use Twitter.
14% of online men use Twitter versus 15% of online women.
14% of Hispanic internet users are active on Twitter.
12% of white internet users are active on Twitter.
40% of Twitter accounts have never sent a single tweet.
18% of Twitter users tweet once or more a day.
(Source: AllTwitter)

Top ten most engaged countries for social networking
Israelis use social media nearly twice as much as Americans.
Average hours per month per person:
Israel 11.1
Argentina 10.7
Russia 10.4
Turkey 10.2
Chile 9.8
The Philippines 8.7
Colombia 8.5
Peru 8.3
Venezuela 7.9
Canada 7.7
United States 7.6
Source: Browser Media, Socialnomics, MacWorld
News Update
Spam migration
Maybe Bill Gates was on to something when he predicted that
the scourge of spam would be “solved” by 2006. According to
security firm Symantec’s first-quarter threats report, published
in April, unwanted email accounted for roughly 75 percent
of all messages sent in 2011, sharply down from 89 percent in
2010. Experts attribute the decline to a number of developments, notably growing resistance by spammers to the high
cost of sending large batches of unsolicited email, stronger filters and built-in browser protection mechanisms, and smarter
consumers who are less likely than ever before to click on an
email lure.
But don't raise those Champagne glasses just yet. Spammers haven't yet forfeited their trade – they've simply moved the operation to a more viable and cost-effective channel, namely social media. By their very nature, social media websites, such as Facebook, provide fraudsters with a platform that is fundamentally built on sharing things – with the hope they spread like wildfire.

75% of the Fortune 100 are on Facebook. – Burson-Marsteller
Troy Hunt, a software architect, recently studied a common
Facebook gift card spam that was propagating across news
feeds, this one promising users a $400 free voucher at Woolworths, an Australian supermarket chain. Clicking on the link,
which is shared by a trusted “friend” who already has fallen
for the con, brings users to a site that feigns urgency (the free
vouchers are almost gone!) and encourages victims to share the
offer with their friends on Facebook.
Then, they are taken on a wild ride of redirects, finally landing on a survey page that offers the fake possibility of winning
an Apple iPhone, iPad or iMac. The spammers get paid a
small amount of cash for every person they can trick into
completing one of the surveys. Many of these scams take a
similar form, but sometimes the miscreants behind them
are even more pernicious and may be looking to harvest
personal information or serve malware.
Once victims catch on to the deception, they often take
their angst to the Facebook or Twitter pages of the very
companies whose names are being abused by the scammers, causing them reputational harm. “Their Facebook
wall [is] littered with very unhappy customers,” Hunt
says in a recent SC Magazine podcast. “It’s not a good
look for them.”
What makes hoaxes like these so effective is unsuspecting users are likely to fall for them because a person
they trust already has.
“It’s endorsement, right?” Hunt says.
“You’re seeing someone who
you know, someone who you
trust, and they’re recommending something. For the most part,
email spam – even the very clever
phishing scams that try to look
as official as they can, brand
themselves, use the company
imagery— you can normally
dissect those as a scam pretty
quickly…So short of someone
having their email account hacked and
having large volumes of spam mail sent [from]
their address book, it was really hard to give this level
of endorsement and credibility, but now with social media, it’s
just extremely easy to do that.”
He advises platforms like Facebook to implement better
controls, like heuristics, to identify these threats. Hunt also
encourages internet marketing companies to institute a code
of conduct so certain affiliates aren’t permitted to do business
through them. And finally, for users, if the bait seems too good
to be true, it almost always is. – Dan Kaplan
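Hunt's suggestion that platforms apply heuristics to catch posts like the voucher scam described above can be sketched as a small scoring rule set. The following is an added example written for this page, not code from the article, from Facebook or from Troy Hunt; the shortener list, the brand-to-domain map (Woolworths's official domain is assumed to be woolworths.com.au), the point weights, the threshold and the sample feed are all constructed, and the redirect hop count is metadata assumed to come from a link-fetching step that is not shown.

```python
"""Heuristic triage of social-media posts for "share this free voucher" scam traits.

Added example; not code from the SC Magazine article or from Troy Hunt. The sample
posts, the shortener list, the brand-to-domain map and the weights are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed list of link shorteners, which hide the real destination of a link.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}

# Constructed brand -> official domain map (assumption); a brand name beside a link
# that does not resolve to that domain is a brand-impersonation signal.
KNOWN_BRANDS = {"woolworths": "woolworths.com.au"}

URGENCY = re.compile(r"\b(hurry|almost gone|only \d+ left|today only|last chance|limited time)\b", re.I)
LURE = re.compile(r"\b(free|win|won|voucher|gift ?card)\b|\$\d{2,}", re.I)
SHARE_NUDGE = re.compile(r"\b(share (this|with your friends)|like (and|&) share|tag \d+ friends)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)


@dataclass
class Post:
    author: str
    text: str
    redirect_hops: int = 0  # redirects seen when the link was fetched (constructed metadata)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def host_matches(host, domain):
    """True when host is the brand's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def score_post(post, brands=KNOWN_BRANDS):
    """Return a Verdict; each heuristic adds points, none is decisive on its own."""
    v = Verdict()
    if URGENCY.search(post.text):
        v.add(2, "urgency wording")
    if LURE.search(post.text):
        v.add(2, "free/prize lure")
    if SHARE_NUDGE.search(post.text):
        v.add(2, "asks the reader to share the post")
    hosts = [urlparse(u).hostname or "" for u in URL.findall(post.text)]
    for host in hosts:
        if host in SHORTENER_HOSTS:
            v.add(1, f"shortened link via {host}")
    for brand, domain in brands.items():
        if brand in post.text.lower() and hosts and not any(host_matches(h, domain) for h in hosts):
            v.add(2, f"mentions {brand} but links elsewhere")
    if post.redirect_hops >= 3:
        v.add(3, f"{post.redirect_hops} redirects before the landing page")
    return v


def triage(posts, threshold=5, brands=KNOWN_BRANDS):
    """Return (author, score, reasons) for posts scoring at or above the threshold."""
    flagged = []
    for p in posts:
        v = score_post(p, brands)
        if v.score >= threshold:
            flagged.append((p.author, v.score, v.reasons))
    return flagged


# Constructed feed: one scam post in the style the article describes, two benign ones.
SAMPLE_FEED = [
    Post("friend_a",
         "FREE $400 Woolworths voucher!! Almost gone, share with your friends http://bit.ly/abc123",
         redirect_hops=4),
    Post("friend_b", "Great lunch from Woolworths today, recipe here https://www.woolworths.com.au/recipes"),
    Post("brand_page", "Win a $50 gift card in our Woolworths survey https://www.woolworths.com.au/promo"),
]

if __name__ == "__main__":
    for author, score, reasons in triage(SAMPLE_FEED):
        print(author, score, reasons)
```

Only the first post crosses the threshold: urgency, lure, share nudge, shortener, off-domain brand mention and a long redirect chain each add points, while the brand's own promotional post scores on the lure alone and stays below the line. Weights and threshold are a starting point to tune against a platform's real false-positive rate.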
Social sprawl
As brands continue to recognize the power of using social
media to connect with customers and clients and improve their
competitive advantage, the number of accounts they own is
on a meteoric rise. Many of these accounts may not even be
permitted, but are stood up by groups of employees who, for
instance, are working on a specific project for the company.
According to a report this year from the Altimeter Group,
the average enterprise operates 178 corporate-owned social
media accounts across properties such as Facebook, Twitter
and YouTube.
But herein lies a serious risk. Much like the astonishing proliferation of data with which most businesses are dealing, social
media sprawl is challenging organizations to institute controls
that allow them to manage this unprecedented growth. And in
many instances, companies are failing.
Take KitchenAid, for example. During one of this year’s
presidential debates, an employee, thinking he was using his
personal account, delivered an offensive tweet: “Obama’s gma
[grandma] even knew it was going 2 b [be] bad! She died 3
days b4 he became president.” KitchenAid rushed to apologize,
according to reports, but the damage had already been done.
Incidents like this present legitimate reputational harm to a
brand. The problem in combating them is that most companies
lack visibility, and the ability to monitor content is a tedious
task, especially when done manually, says Devin Redmond, co-founder of start-up Social iQ Networks, which helps organizations manage their social media infrastructure.
And, a lack of control over social media can render injury to
a brand’s good name through many ways other than inappropriate tweets, including the exposure of proprietary information, or if an account is compromised by a hacker to spew
malware or spam. Account sprawl also brings with it significant compliance exposure, considering some of the data that
appears on a company’s social media channels may be regulated – or necessary for legal discovery reasons.
According to another study from Altimeter, only 60 percent
of companies either coach their employees about social media
policies, or do so only upon hiring. The report suggests that
companies must implement more effective strategies, specifically assessing, prioritizing and evaluating social media risk.
A recent Forrester Research report supports these conclusions. The study contends that technical controls can be used
to meet some of these risk management requirements – for
example, an existing data leakage prevention tool may be able
to be customized for use for social media.
“While this may not be a sustainable model, you may be
surprised what you can accomplish through ‘archaic,’ but free
methods, such as performing ad-hoc web searches at daily or
weekly intervals to identify information leaks or breaches of
policy,” the report says. “This approach certainly won’t catch
everything, but it will at least provide a glimpse into the number and types of issues your organization faces. It might also
help you justify budget for vendor tools.” – Dan Kaplan
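The Forrester suggestion of periodic ad-hoc searches for leaks and policy breaches, together with the account-sprawl problem described above, can be turned into a small weekly sweep over a company's own posts. The following is an added example, not code from Forrester, Altimeter or the article; the approved-account inventory, the code-name watchlist, the internal hostname pattern (corp.example.com) and the sample feed are constructed, and the rules are deliberately the simple keyword and pattern matches of the "archaic but free" kind the report describes.

```python
"""Ad-hoc scan of a company's own social-media posts for policy breaches and leaks.

Added example; not code from the Forrester report or the SC Magazine article. The
approved-account inventory, watchlist, internal hostname pattern and sample posts
are all constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed inventory: accounts the hypothetical company has formally approved.
APPROVED_ACCOUNTS = {"@acme_official", "@acme_support"}
# Constructed watchlist of unreleased project names that must never appear publicly.
INTERNAL_CODENAMES = ("Project Nightjar", "Bluefin launch")
# Constructed pattern for the hypothetical internal DNS zone.
INTERNAL_HOST = re.compile(r"\b[\w-]+\.corp\.example\.com\b", re.I)
# "password = ..." / "api_key: ..." style fragments.
CREDENTIAL_LIKE = re.compile(r"\b(password|passwd|api[_ -]?key|token)\b\s*[:=]\s*\S+", re.I)


@dataclass(frozen=True)
class Post:
    post_id: str
    account: str
    text: str


@dataclass(frozen=True)
class Finding:
    post_id: str
    account: str
    rule: str
    excerpt: str


def scan_post(post):
    """Apply every rule to one post and return the list of findings."""
    findings = []
    if post.account not in APPROVED_ACCOUNTS:
        findings.append(Finding(post.post_id, post.account, "unapproved_account", post.account))
    for name in INTERNAL_CODENAMES:
        if name.lower() in post.text.lower():
            findings.append(Finding(post.post_id, post.account, "internal_codename", name))
    for m in INTERNAL_HOST.finditer(post.text):
        findings.append(Finding(post.post_id, post.account, "internal_hostname", m.group(0)))
    for m in CREDENTIAL_LIKE.finditer(post.text):
        findings.append(Finding(post.post_id, post.account, "credential_like", m.group(0)))
    return findings


def scan_feed(posts):
    """Scan every post and flatten the findings into one list."""
    return [f for p in posts for f in scan_post(p)]


def summarize(findings):
    """Count findings per rule: the 'number and types of issues' view the report describes."""
    return dict(Counter(f.rule for f in findings))


# Constructed feed of posts gathered from the company's accounts during a weekly sweep.
SAMPLE_FEED = [
    Post("p1", "@acme_official", "Excited for our fall release next week!"),
    Post("p2", "@acme_support", "Try the beta at portal.corp.example.com, password = Welcome1"),
    Post("p3", "@acme_devteam", "Project Nightjar demo went great today, more soon"),
]

if __name__ == "__main__":
    for f in scan_feed(SAMPLE_FEED):
        print(f)
    print(summarize(scan_feed(SAMPLE_FEED)))
```

The unapproved-account rule is the cheapest check against sprawl: any post from an account missing from the inventory is itself a finding, regardless of content. The per-rule summary is what a security team would carry into a budget discussion for a vendor tool, as the report suggests.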
Looking in the mirror
Some companies are including social media awareness training
as part of their overall end-user security education programs.
But one might be surprised to learn that Facebook workers are
undergoing similar treatment.
According to a recent story on news website Mashable, each
October, the social networking behemoth runs an event called
“Hacktober” during which engineers bombard employees
with bogus cyber attacks, like phishing scams, to ensure they
won’t click on a rogue link or attachment, which could invite
malware into the organization. The company purposely avoids
traditional teaching methods, like PowerPoint presentations, to
stay in line with Facebook’s hip culture.
And, it seems, the event has been a triumph, with a majority
of users detecting the threats. Each time they do, they win a
prize, like a shirt or bandana. Employees who fail to discern an
attack are required to take additional training.
“We launched a worm to simulate some of the spam campaigns we see on Facebook and other sites, and this was our
grand finale,” Ryan McGeehan, a director on the security team,
told Mashable. “Within minutes, we were overwhelmed with
reports from employees and it was a wild success.” – Dan Kaplan
Social media: A vulnerable world
Hackers, for good reason, have turned their
attention to social media sites. But companies don’t
need to wave the white flag, reports Alan Earls.
When filmmakers put together The Social Network – a
movie based on the story of
Facebook’s early years – their chosen subtitle was, “You don’t get to
500 million friends without making
a few enemies.”
Today, in an ironic twist, as the
number of Facebook users soars past
the one billion mark, the social networking site is collecting “enemies”
in droves – attracted by its limitless
cache of personal data and what
many say are inadequate security
provisions, especially for individual
users. Indeed, according to many
industry observers, hackers and
others with malicious intent now see
social media as the most fertile place
to practice their wiles.
“From a malicious perspective,
social media is the best thing that
has ever happened,” says Caitlin
Johanson, a former hacker and now
customer support and training
manager at Core Security, a Boston-based maker of predictive security
intelligence solutions. “People have
turned a blind eye to the implications of social media in terms of
privacy, and the sites have done little
to encourage users to secure their
accounts and information.” As a
consequence, she says, it is a relatively simple matter for criminals to
gather information that can be used
for social engineering and other
more sophisticated forms of attacks.
And it is now happening on an
industrial scale. Johanson says
botnets can be programmed to scour
social media sites for keyword combinations that can “spit out profiles”
of individuals primed for exploitation. Likewise, botnets can comb
through metadata and “every single
part of the internet” to find complementary information to further
assist in exploits.
In fact, there are hundreds of
ongoing discussions and threads
in hacker chat rooms and forums
focused on this topic, says Rob
Rachwald, director of security
strategy for Imperva, a Redwood
Shores, Calif.-based security firm
that recently published a study on
the social media threat. His company’s study examined the chatter
on a wide range of forums, one of
which has a quarter-million members,
as well as on sites targeting more narrow geographic or language groups. But
the conclusion, he says, is inescapable:
Social media – particularly Facebook,
with its huge user base – has reached
critical mass, and hackers aim to exploit
its latent power.
Variations on a theme

Rachwald says he has seen two different "hack" focuses. On the consumer side, some intruders work to manipulate Facebook rankings as a means of attracting even more "friends," and then spread malware to them by, for example, encouraging visitors to click on a link or a photo. To further this kind of activity, other cyber criminals offer "bulk" Facebook accounts – some "real" and others bogus. The other focus is on services that provide tools that can help individuals (particularly hackers) break into specific accounts. Rachwald says there are numerous variations on this theme, including "e-whoring," which involves stealing suggestive images from social media sites and then recycling them in various kinds of pornographic schemes that can generate money.

Many of the same risks apply within corporations that allow employees to use social media, he says. "After Bin Laden was killed, there were hacker schemes to post and distribute fake photos of him through social media sites," Rachwald says. "But the photos were actually vehicles for malware and could compromise corporate computers."

Social networks are also a powerful tool for identifying corporate information and, especially, job functions and structures in companies, which can then power other exploits – financial crimes and thefts of intellectual property, for example. And, again, botnets and analytic tools are making the process ever easier for criminals, Rachwald says.

Others see a growing problem, too. "Just as there is a lot of hacking activity directed toward financial and retail websites, there is a growing level of criminally motivated communications being directed at social networking sites," says Jerry Irvine, CIO of Prescient Solutions, a Chicago-based IT consultancy that focuses on data privacy and security issues. In fact, according to Irvine, hacking of even the largest of financial institutions, retail sites or other company websites cannot provide the amount of user data that social sites represent singly or in combination.

Additionally, he says, while corporate entities have entire departments dedicated toward designing, maintaining and monitoring the security of their systems, social media networks are "managed" by their individual users who, for the most part, pay little attention to the security of their information. As a result, it is easier and more rewarding for miscreants to attack these platforms.

And, the problem is getting worse. Initially, says Irvine, malicious activity was more limited to individual accounts. Today, however, there are toolkits available for hacking, phishing and smishing (a form of phishing using text messages) designed specifically to help malicious individuals obtain large numbers of user IDs and passwords. "The goal for the most part is obtaining information in bulk, parsing it to determine authentication parameters for other websites and applications – financial institutions, credit cards and more – and then even complete identity theft," he says.
Bait and switch
The simplest of the many scenarios used
to leverage social media sites is having
an application that will send phishing
emails or smishing texts to unsuspecting
users claiming to be an authorized person
or department of the social networking
company, and then requesting the user
provide their login information. “Some of
these tools may even use cross-site scripting to capture authentication parameters
prior to forwarding the user into their
actual site so that the link appears more
legitimate,” says Irvine.
More elaborate solutions use ill-gotten IDs and passwords to breach an
account and send “friends” malicious
applications, plug-ins and URLs to grab
more personally identifiable information
(PII) off of the friends’ PCs, laptops and
mobile devices, he says.
While none of the malicious activities employed against social sites are
entirely new, the important difference
compared to previous hacks, Irvine says,
is twofold: They are happening much
more often and they affect a greater
number of users per incident. In fact,
says Irvine, “If you are a member of a
social networking site, you have most
likely been attacked and may not even
know it.”
Alan Webber, a principal analyst
and managing partner with Altimeter
Group, a research firm based in San
Mateo, Calif., says social media is evolving into the number one threat to corporations. And, he says, even though it can
be an exercise in frustration when some
employees don’t comply with corporate
policies, user education about vulnerabilities and risks is just as important as
having traditional IT security measures
in place. “A lot of 20-somethings think
this is all no big deal, but they are starting to learn otherwise,” he says.
However, Rachwald sees hope in technology. “Companies could simply try to
block employees from using social media,
but there are many reasons why social
media is important for business today,” he
says. One potential, in his view, is more
pervasive and sophisticated monitoring,
which should be able to catch many of
the harvesting and information-theft
activities by the bad guys.
Security: An impossible dream?
For businesses, protection from the
misuse of social networking sites is very
difficult at best, says Irvine. First, companies have little if any control over the
content users place within their individual account. Additionally, there are many
state laws prohibiting employers from
viewing or using information contained
within these social networking accounts
for any employment reasons (i.e., hiring, termination, performance reviews
and more). In some situations – such as
when there is a suspicion of corporate
espionage – employers cannot even view
information on social media sites without
involvement of law enforcement.
Additionally, technologies that scan,
monitor and alert on social networking use are “not fully baked.” Irvine
says there are solutions that can do
keyword searches and services, which
will scan individual social platforms for
fees. However, he says he has not come
across a completely automated solution that can scan, monitor and alert
24x7x365 across multiple platforms to
detect positive or negative comments,
inappropriate use and malicious activity
or intent.
Large companies may use multiple
platforms, services and internal web
content filtering to monitor employees’ social network access while using
corporate devices, or while they are on
corporate premises. On the other hand,
small to midsize businesses, for the
most part, are limited to either allowing
access – and hoping for the best – or
blocking usage, says Irvine. Additionally, they may have a “social network
appropriate usage” policy and some
level of training, but the lack of authority or ability to control content placed
on social environments limits their
abilities to protect themselves.
Possible, maybe

Even with all the challenges posed by social media, this is no time to roll over and play dead. Andrew Walls, a research vice president at the Grass Valley, Calif. office of research firm Gartner, says offshoring and technology have enabled attackers to find success targeting social media sites. For example, he says, hackers have developed ways to “forward” CAPTCHA challenges – typically a request to rekey the images of a distorted word or character combination – to porn sites where visitors are required to repeatedly “solve” them in order to maintain access. It is a tidy and economical, if bizarre, means of bypassing an important element in site protection.

Fortunately, Walls says, more sophisticated security products are coming to market for platform providers, as well as for individuals who focus on areas such as credit monitoring and reputation management. Collectively these might help hold the line against hackers.

Irvine, too, says there are steps companies can take to become more secure. For instance, he says, data leakage prevention and information rights management (DLP/IRM) solutions can help to provide improved protection for proprietary and confidential data. Specific functions of DLP/IRM applications that could help minimize security risks of social networking applications include limiting the ability of data to be copied, modified, transferred to another location, emailed or printed. Additionally, web content and protocol filtering solutions can be configured to monitor, filter, block and report on specific sites and content. Finally, he says, traditional anti-virus and malicious application detection solutions can offer protection from users being infected by malicious attachments, applications, plug-ins and URLs.

Webber says corporations also need to build a “solid listening platform” so they can understand what people are saying about a company – from a brand management perspective, as well as regarding whether an attack is in progress. “The fact of the matter is that your competitors are probably being attacked, too, so what you learn by monitoring them also can help you,” he says.

Along with specific tools and techniques, Webber says companies should also “triangulate,” using risk management tools to identify and focus on areas of greatest vulnerability.

However, Johanson adds that “there is still no patch for stupidity.” Organizations should continue to educate users, though that still may not be good enough to protect against the most sophisticated of threats. That’s where tools come in to play – backing up processes and helping to predict where problems will occur, so as to identify them before they become full-blown crises.

Finally, Angel Grant, principal product manager at RSA Security, says companies need to revisit access controls and make sure they are appropriately aligned with social media threats. “Believe it or not, many companies forget about taking away access to a company social media site when an employee leaves a company, and that can be a gaping security gap,” she says.

64% of Facebook users have clicked on a Facebook ad.
SC SPOTLIGHT • www.scmagazine.com • 13
Do not track
Privacy in play?
There’s a battle
brewing about
privacy controls that
can have significant
consequences for
online commerce,
reports Jim Romeo.
Recently, a man entered a Target store in Minneapolis with a
coupon that had been sent to his
teenage daughter for cribs and baby
clothes. He was offended the promotion had landed in his family’s mailbox.
Owing to its savvy statistical methods
in gathering data on its consumers, Target knew something about this man’s
daughter that even he did not yet know:
She was pregnant.
Shop at Target, online or in-store, and
customers will discover the retail chain’s
uncanny ability to present custom promotions designed to appeal to personal buying
habits. In today’s competitive online environment, the ability of online enterprises
to capture information about consumers
– from their preferred coffee brand to their
curiosity about oil painting or a newfound
interest in cribs and strollers – has brought
the issue of consumer privacy to the
forefront. The question is: How concerned
are consumers that much of their private
information is fair game?
This new paradigm of consumer
intelligence gathering may have been
a factor in prompting the Obama
administration in February to unveil a
“Consumer Privacy Bill of Rights” to
serve as a foundation or “comprehensive
blueprint to improve consumers’ privacy
protections and ensure that the internet
remains an engine for innovation and
economic growth.”
But, while privacy controls are a topic
about which many consumers have
expressed some concern, few know
much about how they work. Researchers
at the University of California,
Berkeley School of Law, presenting
at the Amsterdam Privacy Conference
in October, released findings indicating
that of 1,203 adult internet users surveyed, a mere 13 percent of respondents
had some knowledge of privacy controls,
while a whopping 87 percent hadn’t even
heard of them. But, when asked about
their utility, respondents were in favor
of disallowing online enterprises from
collecting information about them. One
of the researchers’ questions asked: “If
a ‘do not track’ option were available to
you when browsing the internet, which
of the following things would you most
want it to do?” Sixty percent of respondents replied “prevent websites from
collecting information about you.”
“We’ve already seen major sites, like
Facebook and Twitter, come under
fire for their lack of security features,”
says Mark Orlando, director of cyber
operations for Lake Mary, Fla.-based
Foreground Security. “However, we
need to remember that user data is what
enables these companies to monetize
their services through advertising,
marketing and the like, so there is little
incentive for companies to add privacy
controls unless users demand it or stop
using the service.”
Of course these sites continue to grow
in popularity, so it seems for now users are
content to trade in security and privacy for
the features and functionality they’re getting by using the services, he says. “Until
that changes, or until the business model
changes, we shouldn’t expect to see many
improvements in the privacy restrictions
and controls offered by these sites.”
Twitter has improved its privacy
controls. So has Mozilla Firefox, which
offers a ‘do not track’ (DNT) feature.
Bob Bunge, associate professor at the
College of Engineering and Information Sciences of DeVry University in
Seattle, says that as DNT becomes
widely adopted, the real winners will
be incumbent tech companies – like
Microsoft, Facebook, Google, Amazon
and eBay – which have huge opt-in
customer databases.
“The real technical drivers of ‘do not
track’ are the competing web browser
companies,” he says. “Microsoft, in
particular, has announced that Do
Not Track will be the default setting
in [Internet Explorer] 10.” This has
set off a firestorm of criticism from the
advertising industry and online retailers.
However, Bunge says companies that
rely on understanding their customers’
browsing habits in order to generate
revenue will find other ways to do so,
such as through data mining.
On the other hand, Facebook is on
record as supporting DNT, Bunge says,
adding that such Big Data repositories
allow companies to track customers
through data mining, so a locked-down
browser will not affect them as much.
Privacy & LinkedIn: “Old people issue”?

LinkedIn is all about professional networking. For those who maintain a profile, the information one shares with others may be sensitive, but the site does have privacy control options in its settings to select and edit data depending on the degree of sensitivity. Reid Hoffman, the billionaire founder of LinkedIn, called privacy an “old people issue.” Hanzi Durzy, a spokesperson for the company, helped explain LinkedIn’s philosophy on privacy.

SC: Can you give us an overview of LinkedIn’s privacy policy and how it came to be? Has it changed much over the last year or two?

Hanzi Durzy: LinkedIn’s privacy policy is designed to reflect the evolving ways in which our members are using the platform and exchanging their insights and data. The principle that guides all of our decisions, including ones regarding privacy and data protection, is to put our members first. As the world’s largest professional network, LinkedIn takes the privacy of our members’ data seriously. We believe that more than 187 million professionals who have joined LinkedIn want to be seen and heard by people that they may not know personally. We also believe that those professionals should be able to easily manage the information they share and how they share it. So, our privacy and data protection product philosophy is based on three ideas: clarity, consistency and control.

SC: What is LinkedIn’s philosophy with regard to ‘do not track’ privacy controls?

HD: We understand the desire to provide people with choice about how their internet browsing history is used. LinkedIn is also very aware of the need to provide its members with innovative products. Achieving the right balance in this equation is crucial, and in doing so, we will strive to stay true to our focus on our members and maintain consistency, clarity and providing easy-to-use controls to our members to manage their experience on LinkedIn.

SC: Is LinkedIn a believer in such a policy, and does it have plans to implement tighter tracking controls in the future? Why or why not?

HD: We have no immediate plans to implement DNT, given the fact that there still is no consensus on what the DNT signal should exactly mean.

Stephen Cobb, security evangelist for ESET, a global security vendor with U.S. headquarters in San Diego, says there seems to be much praise for these developments in privacy circles, but they are something of a yawn in consumer circles. This is not surprising to him because, he says, the average internet user is not really aware of how much tracking goes on.
“If you take Mozilla’s numbers, less
than nine percent of desktop users of
Firefox have adopted DNT, and less
than 20 percent of Firefox mobile
users,” says Cobb. “Those numbers may
change as more people understand the
data-gathering process going on behind
tracking. However, if you turn off tracking, you will start to lose some of the
features and functionality offered by
other big social media players – notably
Facebook, Google, LinkedIn and Instagram – for whom tracking is part of the
business model.”
He says he sees Facebook continuing
to evolve its privacy control mechanisms
and interface, although it is still a long
way from easy to use. “Again, if user-behavior tracking is part of your business model, that makes it hard to deliver
simple user controls that don’t break
that business model,” he says.
Meanwhile, Michael Sprague, co-founder of Scrambls, an open source technology that provides controls for online posts in social media applications, says DNT privacy controls have been well received. He also points out how many people are still unaware of how much information social media companies collect about them and the ways in which this data can be used. “The case of Target figuring out that a girl was pregnant before her father did is an excellent example,” he says. “Facebook, LinkedIn and others should make it simple for users to understand and use privacy settings. At Scrambls, we advocate that users should be able to design their own privacy settings and use them across the web.”

In any case, social networks make frequent changes to their privacy controls, Sprague adds. “Often, these changes are driven by business requirements, rather than addressing the needs of the consumer. For example, a privacy change will allow a new type of advertisement to be displayed, targeting users based on their personal information. It is rare to see a company taking an active stance to increase the privacy of its users.”

Further, Sprague says Twitter has taken an impressive leadership position in attempting to defend the privacy of its users. He points to a recent case in September where tweets sent by an Occupy Wall Street protester were ordered unsealed. Twitter did not want to reveal the tweets, but a Manhattan Criminal Court judge ruled that they were to be turned over as evidence. “The implications of that decision are deeply troubling for anyone sharing personal content on social networks,” says Sprague.

And, he also expresses concern about how the bring-your-own-device trend is affecting personal privacy. “It has already become common practice to bring your personal devices to work: smartphones, tablets, notebooks and more,” says Sprague. “Now what we’re doing is bringing our different identities into the work environment, with different levels of access associated with them.”

The interesting question to consider, he says, is when and why one will have access to online information in the future. “It will be absolutely essential to have the ability to develop access policies based on context, and to have the ability to make dynamic changes to these policies,” he says.

90% of companies with 100 or more employees use social media in their marketing mix. – eMarketer
The prognosis, say many privacy
experts, is that privacy policies with
regard to online posting and access will
likely become more critical, where a new
watchword will govern: caution.
“Businesses should remind users
that everyone is a potential target,” says
Foreground Security’s Orlando. “You
don’t have to be a high-ranking executive or have access to sensitive corporate
information. Sometimes it’s strictly a
numbers game for the bad guys, where
they want to accumulate as much data as
possible regardless of who their targets
happen to be.”
The lesson: Don’t give them anything
with which to work, Orlando says. A
good rule of thumb is to remain as vague
and boring as possible when posting to
these sites, and don’t post anything one
wouldn’t be comfortable posting on a
sign on one’s front lawn, he says. “Don’t
vent about difficult projects or difficult
people at work. Don’t advertise dates
and destinations for trips you’re taking.
Always assume that there are no privacy
protections for what you’re sharing, even
if you think it’s only going to your small
network of friends.”
ESET’s Cobb says the biggest challenge is to build a business model that
enables transparency to your intentions
toward user data. For example, he sees
Twitter as figuring out how to build revenue streams without tracking because
of the demographic it attracts – and part
of the allure for customers is the service’s
opposition to tracking.
Looking forward three to five years, he
believes the public may reach the privacy
cliff – where people have to choose
between free content supported by an
advertising system that requires acceptance of tracking, or paid content that is
delivered without any tracking.
“This stark, binary choice is more
likely, in my opinion, than the evolution
of widely embraced granular privacy
controls,” says Cobb.
Disaster recovery
Winds of change
Social media proved useful in communications during
Hurricane Sandy, but enterprise data may also have been
vulnerable as a result, reports Stephen Lawton.
When Hurricane Sandy blew into coastal New York and New Jersey, it also churned up information
security contingency plans that had never been so
challenged by an act of nature.
With the loss of data centers and cell phone towers, and
interruptions of the local and regional communications infrastructure, companies still needed ways to keep in contact with
employees, customers and vendors. As a result, social media
sites became hubs of connection and correspondence.
Outside of those who lost internet and cellular connections, social media sites saw increased activity. According to Twitter, more than 20 million tweets were sent at the height of the storm. Twitter based its number on tracking the terms “sandy,” “hurricane,” “#sandy,” and “#hurricane.” As well, Facebook uses a metric called Talk Meter, which measures topic mentions on a scale of one to 10. On the day the storm hit, just a week prior to the run-up to the presidential election, Facebook said it reached a level of 7.12, compared with “Obama” (3.86) and “Romney” (3.5).
While these mentions were overwhelmingly news about the
storm and how affected individuals were coping, businesses
also made use of social media. But the emergency should not
be cause to skirt security issues that are always present with
enterprise use of social media.
“Using Twitter, Facebook
and other social media sites
is fine as long as workers use
common sense,” says Blair
Pleasant, president and principal analyst at COMMfusion,
a Santa Rosa, Calif.-based
technology consultancy that
focuses on unified communications. “My motto about
using social media is, ‘Don’t
be stupid.’ Understand that
this is a public forum and
don’t release any confidential
information.” Some companies have developed
social media guidelines and tools so
that workers understand what is and
isn’t OK to say in these public forums,
she says.
Because of the inherent insecure
nature of sites like Twitter or Facebook,
social media should be used during
disasters to relay information about
safety, provide status updates – “We’re
OK, but have no electricity” – or
provide information about where to get
supplies, Pleasant says. “You can let
customers know that you lost power or
communications, and maybe give them
alternative ways to contact you, but
don’t conduct real business over public
social media sites.”
Rather than focusing on consumer-oriented social media sites, which offer
minimal security options, Pleasant
instead recommends that IT organizations use enterprise-grade social media
services and products – such as IBM
Connections, Cisco’s WebEx Social,
Yammer and Jive. “These let workers get
the benefits of social software, but in a
secure, private environment,” she says.
The primary reason to go this route,
she says, is because social engineering
continues to be a challenge for many
companies. From a corporate and business perspective, workers might give
away proprietary information, including “soft” intelligence, such as identities
of employees or locations of premises,
which could assist social engineering attacks against the company. “In an economy where information is the lifeblood of an organization, preserving the confidentiality, integrity and availability of information is vital,” she says. “Virus and malware protection is still important, but data loss prevention is fast becoming an indispensable component of an organization’s technology protection.”

In order to overcome these potential vulnerabilities, she recommends a combination of approaches, including technology, policies, guidelines, controls, enforcement and education.

Authentic communication

Pleasant’s concerns are echoed by Nicholas Percoco, senior vice president of security vendor Trustwave’s SpiderLabs, a research team that performs penetration testing, develops security tools and issues public advisories about vulnerabilities it finds in various products and technologies. He says that when non-traditional forms of communications are employed during events like Sandy, such as distributing information over social media networks, two major security issues come to the fore. First, he says, recipients of the messages need to know that the messages are authentic. Second, recipients must know where to go to obtain valid information from the company.

It is easy to create a Twitter or Facebook account that looks official, but can dupe readers, Percoco says. For example, a potential attacker could create an account that has a company name and the word “alert” after it. Employees might not realize that this is a fake account and that posted information could be misleading, causing those who follow it to take actions that could create security risks.

Companies need to create written policies and explain them to employees, customers or anyone else who might need to see a message from the company, Percoco says. Too, a company’s policies need to outline where authenticated information can be found and who is authorized to distribute that information.

Vulnerabilities: Exposure

Blair Pleasant, president and principal analyst at technology consultancy COMMfusion, cites several security vulnerabilities related to social media. These include:
• Information leakage – loss of confidential information;
• Network and data security – viruses, spyware, malware spread through accessing links, applets;
• Compliance – storing and sharing data and content as required by law or regulations;
• Exposure to legal liabilities and financial penalties – data contained on social media accounts may be regulated or necessary for discovery;
• Client or patient identity and privacy – potential violations of various privacy laws;
• Damage to business value – company brand and reputation;
• Data exfiltration – stopping corporate data from leaving the company’s network is the primary challenge.

“A good social media policy won’t erase all of the risk...” —Alan Webber, Altimeter Group
Alan Webber, principal analyst specializing in digital risk management for the
San Mateo, Calif.-based Altimeter Group,
posted a blog just days before the storm,
advising companies to institute a social
media policy. While the timing was
coincidental, Webber says in an interview
that Sandy underscored his belief that
companies need to include social media
planning as part of an overall disaster
plan. While social media can open some
new vulnerabilities, it is not unlike email
or other traditional forms of communications and, therefore, the risk that social
media creates can be mitigated. Companies need to use social media as a communications tool that includes acceptable-use
policies and proper training, just as they
would with phones or laptops.
“A good social media policy won’t
erase all of the risk of having a social
media presence,” he says, “but it will
outline what is considered acceptable,
and if and when things go wrong, a
process for addressing the issue.”
Brian Honan, CEO of BH Consulting, agrees. “Companies should decide
beforehand on how they plan to use
social media in the event of an emergency,” says Honan, who is also CEO
of the Irish Reporting and Information Security Service, Ireland’s first
CERT (Computer Emergency Response
Team). These protocols, he adds,
should be built into the company’s
social media strategy.
“In the event of a disaster, companies need to be aware that a number
of stakeholders may be looking for
updates on what is happening,” he says.
“People – such as staff, family members
of staff, customers, suppliers, partners
and the media – may be looking to see
how the company has been affected.”
As such, the company should look to
post relevant news, but ensure that news
does not unduly alarm those looking for
information, he says.
Companies should also be aware that
due to the public nature of social media,
they should not post too many details
about the effects the disaster has had on
their premises, particularly their physical security, as criminals may be looking
for such information.
Another challenge companies face
when using social media is ensuring
that stakeholders are getting authentic
information, as criminals will exploit
disasters to launch phishing and social
engineering scams. Employees need to be trained and aware of the social
networks and the type of messages the
company will be sending over these
networks, Honan says. “In a time of crisis, staff will be looking for information on what they should
do – for example, whether or not they
should turn up for work,” he says. “This
could be an opportunity for criminals
to use the disaster as a means to attack
the company by using phishing messages within social media platforms.” In
addition, a number of fraudsters have
been known to set up fake accounts in
the names of companies and post false
information that could damage the
reputation of the company or even influence stock market prices.
Additionally, Honan says that these
bogus accounts could be used to send
messages to staff that contain links to
websites infected with malware that
would enlist their computers and/or
smartphones to either steal financial
data, intellectual property or gain a foothold within the company’s network to
exploit at a later time. “Employees also
need to verify that accounts claiming
to represent their employer are actually
real,” he says.
The data center
During Sandy, flooding throughout
the greater New York area caused
widespread power outages, including
to data centers, SpiderLabs’ Percoco
says. When power at the data centers
failed, backup power generators would
have been used to keep systems up long
enough for IT departments to shut them
down safely. However, when all power
was lost to the data centers, not only
did the servers go dark, but so did the
physical security barriers guarding the facility, such as cameras, cardkey locks and other electronics.

23% of Fortune 500 companies maintain an active blog. – V3 Integrated Marketing
In such cases, he says, a company could
be breached by attackers who could
enter the data center and pull hard disks
directly out of servers. In cases where
the attacker would not want the victim to
know they were compromised, they could
simply clone hard disks and then return
them to their original servers.
While such attacks on physical assets
are possible, they are less likely today
than they were in the past, says Altimeter
Group’s Webber. It is more likely today
that attackers will use social engineering
techniques to introduce malware onto
corporate systems than to burglarize a
data center.
Ideally, Percoco says, companies
in potential disaster zones will have a
failover disaster recovery facility that
can take the load in case the primary
data center is damaged or destroyed.
But, if the failover facility is cloud-based,
companies still need to have plans in
place for servers that are not cloud-based. These need to handle confidential
company data, such as trade secrets or
client lists, which data security policies
state must be on secure servers.
Comparing the scope of Sandy to another devastating event of recent times, Hurricane Katrina, Pleasant says, “New York City has more data
centers than New Orleans, not to mention
it’s the center of the financial world, so
obviously there was more damage to the
business world.”
Honan agrees, adding that companies
should look at the risks and assess them
based on their business requirements.
For example, an e-commerce site would
have more dependency on its data center
than a company that is only hosting a
“brochure ware” website, he says. Once
the company identifies the risks, it should
look at ways to address them, including
having backups and an alternate data
center. Companies also need to consider
having “real-time synchronization of
data and automatic fail-over to another
data center,” Honan adds. “This would
also require building that functionality
into their environment and applications,
which could prove quite expensive.”
Be prepared
At Montefiore Medical Center in the
Bronx, roughly 100 miles north from
where Sandy hit the shore in New Jersey,
CIO Jack Wolf said he was prepared for
the storm. The hospital conducts annual
tests of its disaster recovery plan, and
three times a year evaluates additional
backup systems. While the facility does
not currently have a disaster recovery
plan that specifically identifies social
media, it was able to use Facebook,
Twitter and Yammer extensively on an
ad-hoc basis during Sandy.
Wolf says an important directive he
sent to employees was to make sure
they did not disclose protected health
information (PHI) of patients over non-secure communications (PHI is covered
under the Health Insurance Portability
and Accountability Act, or HIPAA).
While some employees communicated via texting, Twitter and Facebook
to coordinate transportation to and
from the hospital, “direct patient care
was limited to voice communications,”
he says. Because of the danger of a third
party intercepting a message or installing malware on systems, he discouraged
the use of internet cafés and Wi-Fi hot
spots for connecting to hospital databases, viewing patient data or accessing
other information.
A Yammer account was set up and
used extensively for communicating with
employees, he says. This proved to be a
viable hub for communications because
it was easy for the employees to use.
While Montefiore did not lose power,
other facilities in the area did. As a
result, it was able to assist other hospitals
in the region, Wolf says.
One of the key lessons learned from Sandy was the need for the medical center to incorporate social media into its emergency response policies and procedures, Wolf says. While the use of social media worked well during the Sandy crisis, every IT disaster recovery component needs to be documented and tested, and the employees trained in their proper use. Sandy tested the IT department’s ability to use social media during a disaster, but Wolf says it is better to have a vetted policy in place. He also says he will look into new methods for remote clinicians to access hospital records when traditional virtual private networks (VPNs) are not available.

340m tweets per day are sent. – Digital Buzz Blog
Wolf was pleasantly surprised at how
quickly the employees and IT staff were
able to set up a social media command
center and use it successfully. Unanticipated
challenges, such as the loss of
power across such a wide swath of New
York, meant that employees who were not
at the hospital had to improvise in charging
their cell phones and other internet-connected
devices. The loss of cell towers
also complicated network access.
Overall, social media got relatively
high marks during Hurricane Sandy.
However, data security breaches are
insidious, and it is still far too early to
tell if the storm led to any significant
compromises. But even if information-loss
incidents are discovered over time, it
may be too difficult to determine if they
were related directly to the storm or to
the use of social media.
Social media:
Policy
Alan Webber, principal analyst for the
Altimeter Group, says there are three
reasons to have a social media policy:
Establish an acceptable pattern of
behavior. Social media policies should
first establish what acceptable patterns
of behavior (or PoBs) are for employees,
and even customers on social media.
These acceptable PoBs can be as broad
as saying ‘Do no harm’ to being highly
restrictive around content, platforms,
who gets to participate and how social
communications are cleared. Some of
the companies best at this include cases
that give employees and others some
context around the acceptable PoBs.
Protect the company and the
employees. Secondly, social media
policies should defend both the company and employee. By outlining what
is acceptable, the company can then
identify who and what the company
will and won’t allow, and if an employee
should step past that line or outside
that pattern, the company is somewhat
protected legally. At the same time, the
policy should protect employees. That
way, if they are following the policy and
something goes wrong, they are covered. But check that with legal counsel.
Provide an enforcement framework.
If and when something goes
wrong, the policy should provide a
process to address the issue. For
example, if someone continues to
post inappropriate content on the
corporate Facebook page, then there
is an even-handed process in place to
address the issue.
SC SPOTLIGHT • www.scmagazine.com • 21
LastWord
Finding privacy on a data-centric web
Online data about
a user can impact
how that person
is perceived,
says Microsoft’s
Brendon Lynch.
As the digital world
continues to evolve,
social networking will
remain an essential component. Services like Xbox
LIVE, Facebook and Twitter
attract millions of members
and weave seamlessly into
everyday life – from our
smartphones to web search.
As we share this information, we generate massive
amounts of data. In fact, 90
percent of the data available
in the world today was created
in the last two years. Considering the amount of information we share and store
online, some might ask: Does
privacy still matter?
Privacy remains tremendously relevant, especially
in the social media-infused,
data-rich world in which
we live. Consumers expect
strong protections, as they
are increasingly aware of
the digital “trails” they leave
behind online. The Pew
Research Center recently
found that more than half of
Americans who use mobile
apps have uninstalled or
avoided certain apps due to
concerns about the way personal information is shared
or collected. Interestingly,
young people cared about
this just as much as older
people.
The fact that the next
generation of consumers
is growing up on social
networks and constantly
interacting with their mobile
computing devices is redefining privacy. They want to
share more information, but
still want to maintain control
over how much they share,
who they share it with and
how it is used. They don’t
want their data to be later
used or shared in ways they
did not expect or that do
not provide value to them.
People want to share information, but they want the
organizations that hold their
information to use it responsibly and to protect it.
That said, privacy on
social networks is a two-way
street: Users are expected
to responsibly manage their
own information. Every
single piece of data that
exists online about a user
can impact how that individual is perceived by family
and friends, an employer, a
mortgage lender – anyone.
Unfortunately, many of us
are unaware of the cumulative “portrait” created by the
aggregate of this online data.
A Microsoft survey found
that while 91 percent of people at some point have done
something to manage their
overall online profile, only
67 percent feel in control of
their online reputation, while
fewer still – 44 percent of
adults – actively think about
the long-term consequences
of their online activities.
There are many simple
ways you can better protect
your online reputation. For
instance, on social networking
sites, personal blogs and other
places where you maintain
personal data, use privacy
settings to help manage who
can see your profile or photos,
how people can search for
you, who can comment and
how to block unwanted
access. According to our
research, 49 percent of adults
do not use privacy settings on
social networking sites.
Think about what you
post (particularly personal
photos and videos), with
whom you share information, and how this content
reflects on your reputation.
Let others know what you do
and do not want shared, and
ask them to remove anything
you don’t want disclosed.
Our research showed that
only 38 percent of adults and
39 percent of children (ages
8 to 17) actively think about
the long-term impact their
online activities might have
on someone else’s reputation.
There will need to be
more focus on the use of
information in the future to
help ensure better privacy
protection for everyone. It’s
essential to maintain an open
dialogue about this subject
to keep privacy headed in the
right direction while we reap
the benefits that technology
advances and increased data
sharing will provide.
Brendon Lynch is the chief
privacy officer at Microsoft.
Don’t be anti-social. Follow us.
Our websites, scmagazine.com and scmarketscope.com, combined
receive more than 1,000,000 monthly impressions and 80,000 monthly
unique visitors. Readers have come to expect timely news, in-depth
feature stories, virtual events and industry opinions, and we fully enlist
social media to bring our award-winning editorial content to as extensive
an audience as possible. Through blog posts, tweets and specialized
newsletters, we keep you connected to the pulse of the security industry.
Visit us today at www.scmagazine.com or at
Sponsor
The EdgeWave portfolio of web, email and data protection technologies delivers comprehensive protection with unrivalled ease
of deployment and the lowest TCO on the market. The company’s
award winning product lines include iPrism Web Security, Social
Media Security and the ePrism Email Security Suite.