SOCIAL MEDIA - Websense

NOVEMBER 2010 • WWW.SCMAGAZINEUS.COM
This premier “Spotlight” edition explores
the pros and cons of embracing social
media in the enterprise, highlighting the
strategies and technologies that can be
implemented to keep critical assets safe.
SOCIAL
MEDIA
SHINING THE “SPOTLIGHT” ON:
INCLUDING:
P10 Socially inclined
Many organizations have accepted social
networking as part of doing business, but
technology and governance can help control it.
P20 Primary targets
SC Magazine’s inside look at the security
operations of Facebook and Twitter through a
Q&A with security leaders at each company.
P29 Contact point
The use of social media in the workplace
is examined in a new survey conducted by
SC Magazine.

P10 Socially inclined
Many organizations have accepted social
networking as part of doing business, but
technology and governance can help control it.
P20 Primary targets
SC Magazine’s inside look at the security
operations of Facebook and Twitter through a
Q&A with security leaders at each company.
P29 Contact point
The use of social media in the workplace
is examined in a new survey conducted by
SC Magazine.
WEBSITE WWW.SCMAGAZINEUS.COM • EMAIL SCFEEDBACKUS@HAYMARKETMEDIA.COM
Malware Protection
Data Protection
Business Productivity
IT Efficiency
Compliance
Hospital food
REGULARS
5 Editorial Welcome to a special Spotlight edition
6 DataBank: Social Gauge Some graphs awnd data bites on the use of
social media and its effect on the enterprise
8 News Update New cyber intelligence shows social media targets are
generating big rewards for the bad guys
FEATURES
20
10 Socially inclined
Many organizations have accepted social networking as part of doing
business, but technology and governance can help control it.
16 IT’s new problem
Consumer devices and social media may be too pervasive to ban within the
enterprise, but precautions can be taken.
20 Primary targets
SC Magazine got an inside look at the security operations of Facebook and
Twitter through a Q&A with security leaders at each company.
24 Risk & reward
The CISO of Intel believes the best social networking strategy involves
embracing the threat, not avoiding it.
24
29 Contact point
The use of social media in the workplace is examined in a new survey
conducted by SC Magazine.
worry less. accomplish more. www.sophos.com
NOVEMBER 2010 • WWW.SCMAGAZINEUS.COM
SOCIAL
MEDIA
SHINING THE “SPOTLIGHT” ON:
INCLUDING:
This premier “Spotlight” edition explores
the pros and cons of embracing social
media in the enterprise, highlighting the
strategies and technologies that can be
implemented to keep critical assets safe.
This premier Spotlight issue
of SC Magazine explores the
pros and cons of embracing
social media in the
enterprise environment.
SC Magazine (ISSN No. 1096-7974) is published 12 times a year
on a monthly basis by Haymarket Media Inc., 114 West 26th Street,
4th Floor, New York, NY 10001 U.S.A.; phone 646-638-6000; fax
646-638-6110. Periodicals postage paid at New York, NY 10001 and
additional mailing offices. POSTMASTER: Send address changes
to SC Magazine, P.O. Box 316, Congers, NY 10920-0316. © 2010
by Haymarket Media Inc. All rights reserved. Annual subscription
rates: United States: $98; Canada and Mexico: $110; other foreign
distribution: $208 (air service). Two-year subscription: United
States: $175; Canada and Mexico: $195; other foreign distribution:
$375 (air service). Single copy price: United States: $20; Canada,
Mexico, other foreign: $30. Website: www.scmagazineus.com.
Cover illustration by Charlie Griak
www.facebook.com/SCMag
www.twitter.com/scmagazine

WHAT IS SCWC 24/7
SC Magazine has created a free virtual
environment that is open year-round.
Each month we host an event focused
on a subject that you as an IT security
professional face on a regular basis.
UPCOMING EVENTS
Dec. 9
APT: Valid threat or overhyped
Are advanced persistent threats (APTs)
becoming like the legend of Sasquatch
given all their recent publicity In the cybercrime
world, APTs have been touted
as major attacks launched by
bad guys – usually with state
sponsors – with which CXOs
must be concerned. Others say APTs
are nothing new – the same complex
attacks with staying power to siphon off
critical data for profit or use that have
been happening for quite some time
now. So, which is it and just how worried
should executive leaders be about APTs
More importantly, what do they do to
safeguard their information assets from
falling victim to these types of attacks
ON DEMAND
A review of PCI updates
The Payment Card Industry Security
Standards Council, the body that
manages payment security guidelines,
recently released updates to its 12-step
Payment Card Industry Data Security
Standard (PCI DSS). In this webcast,
experts from the PCI Standards Council
take you through these updates and offer
help to comply with the standards.
FOR MORE INFO
For information on SCWC 24/7 events,
please contact Natasha Mulla at
natasha.mulla@haymarketmedia.com
For sponsorship opportunities,
please contact Mike Alessie at
mike.alessie@haymarketmedia.com.
Or visit, www.scmagazineus.com/
scwc247
SC MAGAZINE EDITORIAL ADVISORY BOARD 2010
Rich Baich, principal, security and privacy practice,
Deloitte and Touche
Greg Bell, global information protection and
security lead partner, KPMG
Christopher Burgess, senior security adviser,
corporate security programs office, Cisco Systems
Jaime Chanaga, managing director,
CSO Board Consulting
Rufus Connell, research director -
information technology, Frost & Sullivan
Dave Cullinane, chief information security officer,
eBay
Mary Ann Davidson, chief security officer,
Oracle
Dennis Devlin, chief information security officer,
Brandeis University
Gerhard Eschelbeck, chief technology officer and
senior vice president, engineering, Webroot Software
Gene Fredriksen, senior director, corporate information
security officer, Tyco International
Maurice Hampton, information security & privacy
services leader, Clark Schaefer Consulting
Paul Kurtz, partner and chief operating officer, Good
Harbor Consulting
EDITORIAL
EDITOR-IN-CHIEF Illena Armstrong
illena.armstrong@haymarketmedia.com
DEPUTY EDITOR Dan Kaplan
dan.kaplan@haymarketmedia.com
MANAGING EDITOR Greg Masters
greg.masters@haymarketmedia.com
REPORTER Angela Moscaritolo
angela.moscaritolo@haymarketmedia.com
TECHNOLOGY EDITOR Peter Stephenson
peter.stephenson@haymarketmedia.com
SC LAB MANAGER Mike Stephenson
mike.stephenson@haymarketmedia.com
DIRECTOR OF SC LAB OPERATIONS John Aitken
john.aitken@haymarketmedia.com
SC LAB EDITORIAL ASSISTANT Judy Traub
judy.traub@haymarketmedia.com
PROGRAM DIRECTOR, SC WORLD CONGRESS
Eric Green eric.green@haymarketmedia.com
CONTRIBUTORS
Beth Schultz, Stephen Lawton
DESIGN AND PRODUCTION
ART DIRECTOR Brian Jackson
brian.jackson@haymarketmedia.com
VP OF PRODUCTION & MANUFACTURING
Louise Morrin louise.morrin@haymarketmedia.com
SENIOR PRODUCTION/DIGITAL CONTROLLER
Krassi Varbanov
krassi.varbanov@haymarketmedia.com
SC EVENTS
EVENTS MANAGER Natasha Mulla
natasha.mulla@haymarketmedia.com
EVENTS COORDINATOR Anthony Curry
anthony.curry@haymarketmedia.com
WHO’S WHO AT SC MAGAZINE
Kris Lovejoy, director of Tivoli strategy, IBM
Tim Mather, chief security strategist,
RSA Conference
Stephen Northcutt, president,
SANS Technology Institute
Marc Rogers, associate professor and research
scientist, The Center for Education and Research in Information
Assurance and Security, Purdue University
Randy Sanovic, former general director,
information security, General Motors
* Howard Schmidt, cybersecurity coordinator, U.S.
White House; president and chief executive officer,
Information Security Forum
Justin Somaini, chief information security officer, Symantec;
former director of information security, VeriSign
Craig Spiezle, chairman, Online Trust
Alliance; former director, online safety
technologies, Microsoft
Hord Tipton, executive director, (ISC) 2 ;
former CIO, U.S. Department of the Interior
Amit Yoran, chief executive officer, NetWitness; former
director, Department of Homeland Security’s National
Cyber Security Division
* emeritus
U.S. SALES
EASTERN REGION SALES MANAGER Mike Shemesh
(646) 638-6016 mike.shemesh@haymarketmedia.com
WESTERN REGION SALES MANAGER
Matthew Allington (415) 346-6460
matthew.allington@haymarketmedia.com
SENIOR SALES EXECUTIVE
Brittany Thompson (646) 638-6152
brittany.thompson@haymarketmedia.com
NATIONAL ACCOUNT MANAGER - EVENT SALES
Mike Alessie (646) 638-6002
mike.alessie@haymarketmedia.com
SALES/EDITORIAL ASSISTANT Brittaney Kiefer
(646) 638-6104 brittaney.kiefer@haymarketmedia.com
UK ADVERTISEMENT DIRECTOR
Mark Gordon 44 208 267 4672
mark.gordon@haymarketmedia.com
LICENSE & REPRINTS SALES EXECUTIVE
Kathleen Merot (646) 638-6101
kathleen.merot@haymarketmedia.com
EMAIL LIST RENTAL
EMAIL SENIOR ACCOUNT MANAGER
Frank Cipolla, Edith Roman Associates
(845) 731-3832 frank.cipolla@epostdirect.com
CIRCULATION
GROUP CIRCULATION MANAGER
Sherry Oommen (646) 638-6003
sherry.oommen@haymarketmedia.com
SUBSCRIPTION INQUIRIES
CUSTOMER SERVICE: (800) 558-1703
EMAIL: Haymarket@cambeywest.com
WEB: www.scmagazineus.com/subscribe
MANAGEMENT
CHAIRMAN William Pecover
PRESIDENT Lisa Kirk
DEPUTY MANAGING DIRECTOR Tony Keefe
Editorial
Welcome to a special “Spotlight” edition
In this first SC Magazine “Spotlight” issue,
along with the scores of others to follow, we
go well beyond the varied but deep topical
dives our monthly editions offer by focusing
in on an individual industry subject crying out
for a more in-depth analysis. With everything
that happens in our marketplace, we thought
it’d be helpful to slow down for a moment to
thoroughly examine the more confounding
issues with which we’re all struggling.
In these special editions, we intend to focus
on the most timely challenges hitting this
space, exploring both the tribulations arising
from them and the ways leading information
security professionals are addressing them
successfully. By zeroing in on a particular
problem – along with some of the strategies
that can be used to fix it – these special editions
will provide you with laser-sharp views
on all the ways your critical corporate information
and systems can stay safe even in the face
of new and aggressive threats.
One of these threats that is proving particularly
exasperating to many a CISO is the
way increasing numbers of cybercriminals
are finding entré into many organizations’ IT
infrastructures by enlisting well-known social
networking sites. That is the very reason why
we decided to make the information security
and privacy woes arising from social networking
the main topic of our first special edition.
It seems many SC Magazine readers, according
to a recent survey we conducted (see pg.
29), block end-user access to Web 2.0 sites,
like Twitter, Facebook or YouTube. But, such
a strict security measure is bound to fall out
of favor. Too many enterprises s now rely on
the viral public relations power that social
networking sites offer. On the flipside,
though, it is that very ease and speed
by which information is accessed sed that
appeals to online criminals looking oking for
creative ways to steal personally fiable information and make money.
To block all staff from accessing cessing
identi-
these sites is an action that, while
perhaps acceptable to some, is downright
Orwellian to others. Executive
leaders must seek a happy medium
that allows users to visit these
sites under a holistic and centrally
managed risk management
plan that keeps critical
corporate assets safe. Failing
to create and maintain such
a strategy will only see
rogue users fi nding ways
around blocks, which will
enable the bad guys to still
accomplish their goals.
Enjoy this special “Spotlight”
issue, let us know what you think
and tell us what other subjects s
you’d like to see us focus on in
future specials.
Illena Armstrong is editor-in-chief
of SC Magazine.
of respondents said they believe
emergency responders should
monitor social media sites to
dispatch help in the event of an 69%emergency. – American Red Cross
4 SC SPOTLIGHT • November 2010 • www.scmagazineus.com

DataBank
SocialGauge
The number of Facebook users in the United
States grew 3.43 percent last month.
Primary concern about Web 2.0
Confidential information disclosed
Fortune Global 100 companies
The proliferation of corporate engagement in social media. Data was collected between
November 2009 and January 2010 among the top 100 companies of Fortune’s Global 500.
Source: Burson-Marsteller, The Global Social Media Check-up
More than $1.1 billion was lost by organizations surveyed due to security
incidents caused by Web 2.0 technologies.
Source: McAfee, Web 2.0: A Complex Balancing Act
Social network users aren’t preoccupied with the real identity of the people
they meet online or about the details they share while chatting with strangers.
After two hours of conversation, respondents revealed the above data
about their company.
Source: BitDefender, Social Networking and the Illusion of Anonimity
Which tools are used within your company
Click-through rates
Facts about
Facts about
500,000,000 active users
50% of active users logon in any given day
75% of members use third-party apps.
300,000+ new users every day.
Source: Panda Security,
Social Media Risk Index for
Small to Medium Sized
Businesses
Countries on Facebook
Internet sharing trends have migrated in big numbers toward social
networking, according to a recent report by marketing firm SocialTwist, but
other platforms still have a strong presence for word-of-mouth advertising.
The firm analyzed a million-plus referral messages sent out using its widget
Tell-a-Friend, which allows users to share sites through social media.
Source: SocialTwist via Fast Company
150,000,000 people engage with Facebook on
external websites every month
30,000,000,000 pieces of content (web links,
news stories, blog posts, notes, photo albums,
etc.) shared each month.
200,000,000 active users currently accessing
Facebook through their mobile devices.
Source: Facebook
110,000,000 users of Twitter’s services.
180,000,000 unique visits each month.
600,000,000+ searches every day.
Source: Twitter/Chirp Conference via Danny Brown
In the past month, global growth of Facebook users has continued to rise. Among the top five countries with
the most users, growth increased 3.43 percent in the United States, 10.75 percent in Indonesia, 3.99 percent
in the U.K., 2.68 percent in Turkey, and 4.45 percent in France. Source: Facebakers.com
6 SC SPOTLIGHT • November 2010 • www.scmagazineus.com
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 7

News Update
Social networking: Enterprise
IT security’s nemesis
Enterprise IT security professionals who fear social networking
as their nemesis – and research shows that many do – aren’t
merely suffering from bad cases of paranoia.
Social media applications, such as Facebook, Twitter and You-
Tube, known collectively as Web 2.0, present a real and growing
security problem, and a costly one at that. On average, organizations
hit by Web 2.0-related security incidents last year suffered
losses of nearly $2 million, a recent global survey on usage, risks
and best practices revealed.
The survey, undertaken as part of a study commissioned by
McAfee and spearheaded by researchers at Purdue University’s
Center for Education and Research in Information
Assurance and Security, also showed that a company’s size
and location make for notable differences. The survey, which
queried more than 1,000 decision-makers at organizations in
17 countries, showed losses at large organizations averaging
$4.5 million.
In all, the six out of 10 surveyed organizations indicating that
they’d been hit by a Web 2.0 security event tallied $1.1 billion in
losses due to those incidents.
The risks associated with Web 2.0 are giving some enterprises
pause, the survey shows, but don’t seem to be bringing many to
a dead stop. Only 13 percent of organizations worldwide block
all social media access, while 33 percent allow restricted use.
Another 25 percent actively monitor social media use.
What these numbers show, says Tim Roddy, senior director
of product marketing at McAfee, is that enterprise IT security
professionals know they have to allow access to social media
because the business is demanding it. “They know this is no
longer about saying ‘yes’ or ‘no,’” he says. It is about saying ‘yes’
with confidence.”
Kevin Haley, director of Symantec Security Response, agrees.
“Social networking is an inherent part of today’s internet, and
any business that hasn’t been paying attention would probably
THE QUOTE
find that
the vast majority of
their employees use social networking,”
he says. “This is not a future problem. It is one
that companies need to deal with today.”
That cybercriminals are flocking to Web 2.0 should come as
no surprise, experts say. They tend to go where the people are,
and that is certainly the case with social media.
Social networking provides a real boon for cybercriminals
because participants tend to let their guards down within those
communities. As Haley says, “Cybercriminals don’t need incredibly
complex or genius hacker software. You can come up with a
pretty simple social engineering trick and get everybody to click
on a link and infect themselves.”
Phishers, too, are ramping up their focus on social media
sites, says James Brooks, director of product management at
security vendor Cyveillance, which sweeps the internet – including
websites, blogs, message boards, IRC/chat channels, spam
emails, tiny URLs and more – in producing its twice-yearly
cyber intelligence reports. In its newly released report, reflecting
data gathered for the first half of 2010, Cyveillance found slightly
more than 126,000 phishing attacks, for an average of more than
21,000 unique attacks per month.
“As we look through those phishing attacks, more and more
we’re seeing the names Facebook and Twitter pop up,” Brooks
says. “This isn’t just about banks and credit unions anymore.
Social networking is a goldmine for fraudsters.”
This is not a future problem. It is one that
companies need to deal with today.”
—Kevin Haley, director of Symantec Security Response
Behavior
modification
If enterprise IT security
professionals are to fend
off social media wolves
successfully, they’re going
to have to do more than
tighten up their traditional
defenses.
“In the corporate sector,
the biggest risk is not
social media,” says Andrew
Walls, a security research
director at Gartner. “It is that
social networking has shined a
bright, white light on the limits
of our current security programs.
You can put choke points on your
infrastructure and filter what people do
while they’re at work all you want, but that’s not actually going to
control what employees do out there on social networking sites.”
The crux of the problem is that in focusing on infrastructure,
enterprise IT security stopped prioritizing on human
behavior, Walls says. Making sure anti-virus software is up
to date and installing some data leakage prevention software
aren’t going to be enough when dealing with social media
threats. “The need for those doesn’t go away, but if we keep
focusing on infrastructure, infrastructure, infrastructure all
the time, we’ll miss the fact that our internal clients are walking
right around our infrastructure and doing whatever they
like out there,” Walls says.
Now enterprises are essentially playing catch-up. “They’re
developing security-awareness programs and using mass media
marketing that focuses on security risks and so forth, trying
to rebuild the corporate ethical standard regarding behavior,”
Walls says. Enterprises need to study what employees are doing
in advance of them doing something wrong, he adds. They need
to provide stimulation that encourages appropriate behaviors
and discourages damaging ones. When that happens, Walls says,
“employees will be better equipped to make decisions.”
Thinking about social media
and information governance
Enterprise IT and legal have long butted heads over data
discovery and information disposal practices, with tensions
promising to mount as social media use introduces fuzziness
into the picture.
“Social networking is one of the most under-regulated
new marketing areas with industry, with companies being
very slow to develop enterprise-wide policies governing their
own use of social networking sites and being even slower to
govern employee use of personal social networking sites,”
says Tom Lahiff, an attorney and consultant on document
management and e-discovery practice. “And, a lot of people
don’t realize they have to have policies for both.”
Even though enterprises don’t have control over social
networking sites and don’t currently have to produce information
from them for e-discovery purposes, they need to
be cognizant of their use, says Lahiff, a former counsel at
Citigroup and among the first members of the Compliance,
Governance and Oversight Council (CGOC), a community
of experts in information governance.
Employees who post corporate information in social media
contexts, including blogs, can be served with subpoenas, he
explains. This applies to site providers, as well.
This doesn’t bode well for companies struggling to come
to terms with regulations, state and federal, pertaining to
information governance. In a newly published benchmark
study, the CGOC released survey results showing that while
98 percent of respondents believe defensible disposal is a key
result of an information governance program, only 22 percent
of companies were able to dispose of data today. What is
more, more than 70 percent of survey respondents – an equal
number of legal, records management and IT professionals
at Global 1000 companies – claimed that their retention
schedules were not actionable by IT or could be used only for
disposal of physical records.
On a positive note, half of the companies surveyed do have
executive committees in place. However, they appear to be
struggling with fi nding the correct stakeholder mix. Seventy
percent of respondents report using “people glue” to connect
legal duties and business value to information assets, while a
whopping 85 percent identified more consistent collaboration
and systematic linkage between the three disciplines – legal,
records management and IT – as the most critical success
factor.
As enterprises think about social media from a content
perspective, assembling and enabling an effective information
governance council is one of the most important things a
company can do, Lahiff says.
“That council should include lawyers, people in the business
units, marketing groups and IT so that conversations
about creating new websites and their content take place in
advance,” he says. “As these discussions take place, legal,
records management and information governance professionals
can start thinking about how to preserve that information
internally and produce it in the event of litigation.”
– Beth Schultz
8 SC SPOTLIGHT • November 2010 • www.scmagazineus.com
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 9

SOCIALLY INCLINED
Many organizations have accepted social networking as part of doing
business, but technology and governance can help. Dan Kaplan reports.
Illustration by Charlie Griak
For two days in July, one longstanding
American brand rewrote the rules of
public relations and marketing.
On an otherwise idle week of television
programming headlined by a record,
low-rated Major League Baseball All-Star
game, reruns of Glee and second-rate
reality shows, like Wipeout, Old Spice
simultaneously was running a groundbreaking
online advertising campaign
that leveraged three of the most popular
social networking channels to deliver
scores of laugh-out-loud, 30-second commercials
to viewers.
Parent company Procter & Gamble
and ad agency Wieden+Kennedy
teamed up to create more than 150 You-
Tube videos promoting Old Spice Red
Zone Body Wash. What made the viral
blitz so unique was that the spots were
produced in virtually real time, featuring
towel-clad, uber-male pitchman
Isaiah Mustafa humorously responding
to viewer questions and comments sent
via the brand’s Facebook and Twitter
accounts. In one clip, Mustafa, a former
NFL wide receiver, facilitates a marriage
proposal. In another, he responds
to a tweet he sent himself.
Many experts now view the hybrid
campaign as a marketing feat for
the ages – the ads generated 35 million
video views in seven days. And,
while most American businesses will
be hard-pressed to create an idea as
innovative, popular and widely lauded
as Old Spice’s, most now accept that
social media is a viable, cost-effective
alternative for connecting with customers,
enhancing the brand and potentially
generating new streams of revenue.
“If you’re not on Facebook, you
don’t really exist,” says Graham Cluley,
senior technology consultant at antivirus
firm Sophos.
He is only half kidding. “Your company
is probably looking for customers, and
they want to be close to their customers,
and customers are choosing to communicate
with their companies via sites like
Facebook and Twitter,” Cluley says.
But Cluley, who specializes in
researching social media and security,
will be the first to warn that before
racing headstrong into the social media
frontier, one must realize that Web 2.0 is
still very much an untamed Wild West.
Aside from the fact that some social
media marketing efforts may simply
misfire because the stage is still so new, it
also comes fraught with danger.
A June Cisco study found that more
than half of respondents (51 percent)
listed “social networking” as one of
the top three biggest security risks to
their organization, while one in five
(19 percent) considered it the highest
risk. A recent McAfee survey of more
13%
than 1,000 global decision-makers in
17 countries concluded that half of
businesses were concerned about the
security of Web 2.0 applications. An
astounding 60 percent already suffered
losses averaging about $2 million.
Another six out of 10 were concerned
about a loss of reputation as a result of
Web 2.0 misuse.
The downside of social media
So, for as much success as a website
such as Facebook or Twitter can lend
a company, it also can lead to damage.
As an example, in August, a hacker was
able to compromise the Twitter account
belonging to rock band Guns N’ Roses
frontman Axl Rose to erroneously tweet
that the group had canceled his upcoming
U.K. tour.
Sometimes, the pranks are more malicious
than mischievous. Security firm
Websense has noted a number of times
that popular Facebook pages have been
overtaken by cybercrooks to distribute
malware. There also have been instances
in which Twitter accounts were hijacked
to spread insidious exploits. The notorious,
trojan-dropping Koobface worm tore
through Facebook and Twitter in 2009
and 2010. It was still surfacing as recently
of internet traffic goes to Facebook
— Websense
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 11

Business concerns
BAD GUYS:
Exploiting Web 2.0
Few doubt the revolutionary power of social
networking for companies and individuals
alike. Of course, less often mentioned when
bestowing accolades upon the Facebooks,
Twitters and LinkedIns of the world are the
benefits they provide to cybercriminals. Here
are just a few examples.
Data mining: Because social networking
websites have attracted hundreds of millions
of users, naturally they house vast amounts
of valuable personal information. Trawling
member profiles for this data or persuading
users to download a rogue application can
provide crooks with coveted content that they
can use to launch targeted attacks or track
people. Location-based site applications,
such as Foursquare, offer a user’s near realtime
whereabouts. Sites such as LinkedIn can
become a spear phisher’s nirvana because
it contains mounds of data about a potential
as October when security vendor Intego
found a variant written specifically to run
on Mac OS X platforms.
And because of the user-generated
nature of social networking sites, it may
not even be necessary to take control of
an account to distribute malicious code.
Facebook company pages rely on fans in
order to grow a following, so a malicious
“friend” of the organization could
easily post a rogue link under the guise
of something benign. Then, if legitimate
friends fall for the ruse, their machines
could become infected with malware,
which could jeopardize the company’s
reputation. That, of course, is not to
mention the possibility of an employee
from the company itself clicking on the
link and introducing malware into the
corporate network.
According to Sophos’ Mid-Year 2010
Security Threat Report, there was a 70
percent rise in firms running into malware
and spam on social networking sites
in 2009. Panda Labs, in its own survey
of 315 U.S. companies with 15 to 1,000
employees, uncovered similar results.
The anti-virus vendor found that onethird
of respondents reported malware
on their network due to employee use of
social networks.
Most observers agree that social
networking sites are fertile ground for
malware distribution because of vulnerable
code, members’ tendencies to trust
friends on these channels, and the ability
for viruses to easily propagate.
“It does remind me of email several
years back,” says Joey Tyson, security
engineer at Gemini Security Solutions
and author of the Social Hacking
blog, which studies social networking
target’s job.
To highlight the privacy and data exposure
shortfalls of these sites, a pair of researchers
at this year’s Black Hat conference demonstrated
how they created the profile of a fictional
woman – Robin Sage – who claimed to
work in military intelligence. She gained 300
legitimate connections in 28 days across
Facebook, Twitter and LinkedIn, including
officials in the Pentagon, Department of
Defense and National Security Agency.
Meanwhile, Minaxi Gupta, an associate
professor of computer science at Indiana
University, is researching a potential positive
of data mining: using tools to locate
and document conversations people are
having on Twitter about malware they have
encountered. “The goal would be to make
blacklists more real time than they are
today,” Gupta says.
Phishing/spam: There is a noticeable
increase in the number of phishing ploys
attempting to capitalize on the popularity
security and privacy. “People are still
adjusting to Facebook and Twitter
becoming such an integral part of their
social life and online interactions. I
think you can draw a lot of parallels
between how sites are exploited now
and how email was back then.”
For example, in September, a mas-
of social networking sites. While financial
and payment services brands still dominate
as the most preferred target, ruses against
social media sites are on the rise, according
to the Anti-Phishing Working Group.
Attackers can use socially engineered
messages claiming to come from a reputable
social media site to either siphon
credentials – which allows them to hijack
user accounts to send spam – or trick users
into clicking on links that contain malware.
Thieves also can use stolen social networking
credentials to unlock other confidential
accounts, such as online banks, because
people tend to use the same password
across websites.
Cyber vandals also can capitalize on topics
that are trending on Twitter. They simply
include the trending words in their tweets
that also include links to spam or other
malicious sites.
Botnet control: Why create and maintain
one’s own command-and-control hub
when an application such as Twitter already
may provide the infrastructure
In 2009, researchers discovered a Twitter
account that was being used to issue
instructions to infected computers that
were part of a botnet. Tweets coming from
the malicious account, called “upd4t3,”
were encoded and looked like a random
combination of letters and numbers.
The process is becoming increasingly
professionalized. In May, researchers
detected a trojan-builder tool that allows
a person to specify a particular Twitter
account from which to send botnet commands.
Security experts say botmasters may
prefer using sites like Twitter instead of a
traditional command center because they
do not necessitate installation, configuration
and management. Also, this tactic
enables bot controllers to use mobile applications
to deliver instructions to a network
of compromised computers. – Dan Kaplan
sive worm broke out on Twitter. The
far-ranging cross-site scripting attack,
which reportedly originated as a harmless,
proof-of-concept attack by an
Australian teenager, was estimated to
affect more than 500,000 users of the
microblogging site. Despite the threat of
malware, though, most security professionals
interviewed seem most concerned
about social media enabling the exposure
of sensitive data.
Christopher Burgess, senior security
adviser at Cisco, recalls a health insurance
company that ran into some trouble
when its employees began exchanging
conversation on the web.
“They found themselves engaging
with each other on Facebook,” Burgess
says. “And, as you know, Facebook
wasn’t designed for HIPAA. Here were
people trying to get their job done in
the most efficient manner possible
inadvertently putting their company at
risk. They weren’t trying to be malicious.
They were just trying to provide a better
level of service.”
But security observers agree that
gone are the days when organizations
realistically can block social media access
without it dampening employee morale
and costing the brand an opportunity to
reach customers.
Panda’s study found that only 21 percent
of respondents do not allow personal
use of social media during work hours,
and a quarter of them block social media
sites altogether. Privacy violations resulting
in exposure of sensitive data rates as
the top concern around social media, followed
by employee productivity declines,
malware infection, reputation damage
and network performance issues.
While those concerns certainly are
valid, Burgess warns IT departments to
take note. Those that choose to adopt a
restrictive policy around social media
may find themselves quickly losing
control. Chances are, today’s generation
of workers won’t stand for it.
“If you’re not aware of the need, you’ll
SOCIAL MEDIA TIMELINE
continued
on page 14
2003
2004
2005 2006 2007 2008
March
Jonathan Abrams
(above) launches
Friendster.
May
LinkedIn
launches.
August
MySpace
launches.
February
Facebook launches
from Harvard
undergrad Mark
Zuckerberg’s
(above) dorm room.
October
19-year-old hacker
Samy Kamkar exploits
a flaw in MySpace’s
site design to launch
a worm that nets him
one million “friends”
within several hours.
December
Malicious QuickTime
videos on MySpace
profiles lead to users
getting phished of
their login credentials.
March 21
Twitter co-founder
Jack Dorsey (above)
sends the first-ever
tweet: “Just setting
up my twttr.”
March
MySpace sues
Sanford Wallace
for spearheading a
phishing scheme,
later winning a $223
million judgment
against him.
April
Two hackers launch
the “Month of
MySpace Bugs”
project, revealing a
vulnerability a day
for 30 days.
July
LinkedIn fixes a
zero-day flaw in its
Internet Explorer
toolbar that could
have permitted remote
code execution.
January
Former New York
Attorney General Andrew
Cuomo (above)
joins 48 other AGs to
issue guidelines for
online safety at social
networking sites.
April
For the first time,
Facebook passes
MySpace in number
of unique visitors.
June
Canadian legal
professionals sue
Facebook over 22
alleged privacy
violations.
12 SC SPOTLIGHT • November 2010 • www.scmagazineus.com
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 13

Business concerns
find your employees have migrated and
left you behind,” Burgess says.
Cisco prides itself on enabling
employees to leverage their subject
matter expertise to communicate across
the web. To control such conduct,
the networking giant has published a
16-page handbook outlining guidelines
for social media use. The document
describes a policy for Cisco employees
to follow when using the social web to
effectively engage stakeholders about
the company. For example, workers
are expected to identify themselves as
Cisco employees, protect the company’s
reputation, avoid posting confidential
or copyrighted data, and steer clear of
online disputes.
Employees, meanwhile, also are
permitted to use social networking sites
for personal reasons – but are expected
to follow general security principles.
Personal use ranks as the most common
reason employees use social media
tools, according to the Panda study
(research and competitive intelligence
rates are the next most popular justifications,
followed by customer service,
public relations, marketing and sales,
and revenue creation).
“Cisco does not block employees’
access to networking sites as the company
believes in empowering its workforce
and instills trust in employees to work
75%
responsibly and adhere to the Cisco Code
of Business Conduct,” the guidelines
read. Such a blueprint is becoming more
common across industry. But that doesn’t
mean security professionals are sleeping
soundly at night.
“Fundamentally, what keeps security
personnel up late and worried about this
social web are two things – the fact that
they lack controls for it, combined with
its widespread adoption,” says David
Meizlik, director of product marketing
and communications at Websense.
“Folks just can’t say ‘no’ to it. They can’t
just block it at the corporate border.”
Implementing the controls
So what is a security practitioner to do if
they can’t simply add Web 2.0 sites and
applications to the corporate blacklist
Deply technology, for one. In recent
months, a slew of vendors has released
offerings that cater to the IT department
specifically wanting control over and visibility
into the social media sphere.
Palo Alto Networks of Sunnyvale,
Calif., recently announced that its
next-generation firewalls now offer
of organizations worldwide use
Web 2.0 for business functions.
— McAfee
functionality allowing administrators
to set “read-only” policies on Facebook.
In other words, employees would only
be able to browse the popular site – not
add any content or follow any links.
Such a capability theoretically protects
against the possibility, say, of a worker
falling for a clickjacking attack that
brings the network to its knees or disclosing
information about an impending
acquisition.
Other vendors are building Facebook
applications. Romania-based BitDefender
last month launched the beta version
of safego, a Facebook app that uses scanning
technology to search for malicious
links and compromised content that may
be present on users’ profiles. In addition,
the program alerts users if their privacy
settings aren’t strong enough.
A social case study
Don’t let the fact that Addison Avenue
Federal Credit Union is headquartered
in Silicon Valley fool you. The
200,000-member fi nancial institution
has long been averse to embracing Web
2.0 technologies.
Timeline photos (left to right) AP Photo/Paul Sakuma; Facebook; Twitter; Dima Gavrysh/Bloomberg via Getty
Images; Ron Sachs-Pool/Getty Images; ChinaFotoPress/Getty Images; Theo Wargo/WireImage
YouTube is restricted for personal use
because of productivity concerns and
only roughly a quarter of the 400-person
staff is permitted to access Facebook, says
Phil Romero, senior security architect.
“As a financial institution, we’ve got
a lot of regulatory issues to address,” he
says. “We have to make sure we don’t lose
data and that our systems are secure.”
But the tune is gradually changing.
Romero says the e-commerce and
marketing departments have pushed the
firm to adopt social media as a vehicle to
communicate with clients.
Addison Avenue now counts more than
1,000 friends on its Facebook page, which
it heavily leans on to service customer
complaints and keep them abreast of the
latest happenings at Addison Avenue and
in the financial space in general.
The company, though, may consider
even further relaxing some of its limits
thanks to the maturity of the security
solutions marketplace. The company uses
web security gateway and data leakage
prevention technology from San Diegobased
Websense to analyze (and potentially
block) web content in real time
and monitor for sensitive data exposure.
Specific to Facebook, Addison also uses
a plug-in known as Defensio, which it
applies to its Facebook page to ensure
members don’t interact with any malicious
content.
“It negatively impacts us if someone
gets infected through our Facebook
page,” Romero says.
Experts also preach the basics: Ensure
endpoints are running an anti-virus solution
and keep systems and programs fully
patched.
Technology is just one part of the equation,
though. Analysts agree that a sound
social networking governance framework,
which includes policy, education
and enforcement, is critical to protecting
assets and reputation.
For their part, social networking
sites are working harder than ever at
protecting users from spam, malware,
privacy leaks, account hijacks and other
cyberthreats. Many experts, though,
believe these companies can – and should
– be doing more.
In fact, just this month, many in
the security industry called on social
networking sites to implement HTTPS,
a browsing protocol that ensures an
encrypted connection for users. The
clamoring came after a researcher
released a free Firefox web browser
plug-in, known as Firesheep, that lets
anyone scan open Wi-Fi networks and
hijack accounts belonging to sites such as
Facebook.
Most financial services firms have
invoked secure browsing, but the social
media world has not – likely due to costs
– despite the fact that it is home to bundles
of confidential information. (For
its part, Facebook is testing SSL access
across its site and hopes to provide it as
an option in the coming months.)
Here to stay
Social networking has become a greater
phenomenon than anyone ever could
have imagined. And with each passing
year, its use only will grow greater. Soon,
companies hiring recent college graduates
will find that very few of them have
ever known a day without being able to
send a tweet, tag a photo or watch a viral
video of a chiseled man stumping for
body wash.
The Cisco study found that nearly
three out of four survey respondents
believe that overly strict security policies
would have a “moderate” or “significant”
negative impact on hiring and retaining
employees under age 30. At chipmaker
Intel, where the 80,000-employee
company has developed its own internal
social computing platform to satiate staff
demands, employees wouldn’t respond
well to web restrictions.
“It [wouldn’t] fit our company
culture,” says Laurie Buczek, a social
media strategist at Intel. “The people
we would likely attract to be Intel
employees would likely be turned off if
it was that kind of culture.” ■
500,000,000
2008 2009
2010
August
Denial-ofservice
attacks
hit Twitter and
Facebook
October
10,000 people are
targeted in a spear
phishing campaign
claiming to come
from LinkedIn.
January
The Twitter account
of President Obama is
hijacked by a French
hacker who gained
administrative access
to the site.
November
The Twitter profile
for Britney Spears
is hacked to say the
pop star worships
the devil.
Dec. 17
A DNS records attack
replaced Twitter’s
welcoming screen with
an image of a green flag
and the caption “This
site has been hacked by
Iranian Cyber Army.”
April
The Koobface worm
spreads through
Facebook messages
by claiming to offer
hidden cameras showing
erotic video.
May
Facebook updates
its privacy settings
to simplify the way
users can control
the data they
share with others.
June
The Federal Trade
Commission settles
with Twitter over
charges that the website
failed to properly
safeguard the privacy
of its users.
July
Facebook has more
than 500 million
active users.
September
Twitter falls victim to
a massive worm that
enables attackers
to insert pop-up ads
and open unwanted
websites on a user’s
browser.
October 1
Major Hollywood film
The Social Network
(above), which recounts
the origins of Facebook,
earns critical acclaim
and $22.5 million in its
opening weekend.
November
A new survey shows
users spent 4.6
hours a week on
social media sites,
compared to 4.4
hours on email.
14 SC SPOTLIGHT • November 2010 • www.scmagazineus.com
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 15

IT’S NEW
PROBLEM
Consumer devices and social media may be too pervasive to ban within
the enterprise, but precautions can be taken, reports Stephen Lawton.
Perhaps one of the most disruptive
technologies facing IT security
professionals today is social
media. Sites such as Twitter, Facebook,
LinkedIn and YouTube offer tremendous
potential corporate value, but
also present equally vast opportunities
for technological and corporate harm.
CISOs today are faced with the decision
of incorporating social media and
its inherent risks or locking it down and
suffering the consequences.
Social media has become essentially a
generational divide between Baby Boomers
who grew up with analog TV without
remote controls versus the Gen X, Gen
Y and Millennials who were raised
with computer toys and devices as part
of their daily routine. Many of today’s
senior corporate and IT management are
the boomers who became more technically
inclined, while a large number of
employees are 20- and 30-somethings
who grew up with internet-enabled
systems as part of their life.
New consumer technologies, particularly
those that connect to social media
sites, are being introduced to enterprises
by employees. In a research report
by BoxTone and eMedia, Smartphone
Management Survey: An Enterprise IT
Operations Perspective, some 60 percent
of more than 400 IT professionals
questioned said that six out of 10 of
their employees will have smartphones
within the next two years, and 80 percent
of those will be employee-owned.
User-driven IT is having a significant
impact on hardware being attached
to corporate networks and is forcing a
paradigm shift in how IT departments
address non-corporate IT resources,
according to a report published by the
Security for Business Innovation Council
(SBIC), a group made up of a dozen
top information and security officers
from technology, fi nancial services,
consumer and the business sectors. The
organization was convened by RSA, the
security division of EMC.
The report identifies eight specific
areas where hardware owned
by employees, such as smartphones,
netbooks, tablet computers and the
like, are changing the way IT departments
should deal with data security
and management. Denise Wood, CISO
and corporate vice president of FedEx
and a participant in the SBIC, is quoted
in the report as saying: “These personal
productivity and collaboration tools
are just so easy to use and so powerful
that everybody’s got to have one. We’re
trying to understand: What happens
when you want to leverage these powerful,
consumer platforms for unbridled
collaboration at work”
IT professionals tend to agree that
social media adds value to a company,
says Rich Baich, principal in the security
and privacy practice at Deloitte &
Touche, but that it comes with a price.
For the generation that grew up with
this emerging technology, “social media
is part of their life and a great way to
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 17

Enterprise implementation
communicate.” Because these users
grew up with consumerized technology,
it has become second-nature, as are the
benefits and drawbacks intrinsic to it.
The challenge for CISOs, he says, is
to understand the risk associated with
that value and determine how best to
embrace it.
“The reality is that there is a lot of
risk with social media sites,” Baich says.
“Oftentimes, people are not cautious of
what they’re posting.” In order to make
the employees more security-conscious,
he says, organizations must get them
personally involved with understanding
the potential threats caused by careless
use of these sites.
In the heartland
At a large, regional bank in America’s
heartland, access to some social media
sites is restricted. “We block access by
employees from company networks to
social networking sites that we consider
to be primarily personal in nature,
such as Facebook, MySpace and Twitter,”
says Bradley Schaufenbuel, chief
information security and privacy officer.
“We permit access to social networking
sites that we consider to be primarily
professional in nature. LinkedIn, for
example.”
The company’s acceptable-use policy
includes extensive guidelines on the
proper use of social networking sites –
whether accessed from the company’s
network or elsewhere, he says. “This
includes the use of disclaimers that
opinions are those of the poster and not
the company, no posting of company
confidential information, requiring
dignified and respectful behavior since
employee actions may reflect on the
company, no use of company trademark
without permission and the like.”
But Schaufenbuel’s bank does not
allow any employee-owned device to
connect to its network. “We adopted
a mobile device policy,” he says. “This
policy sets forth a standard mobile
device platform that is officially supported
by the organization. Employees
can only obtain the ability to synchronize
corporate email, calendar, etc., and
access corporate resources via a mobile
device if that device runs the standard
platform.”
The platform was chosen because
of its support for enterprise security
controls, such as centralized policy
management, remote wipe and encryption,
he says. To be set up for access
to corporate information on a mobile
device, an employee must sign a special
Security has been elevated
to a business issue rather
than just a technical issue.”
– Michael Meikle, CEO, Hawkthorne Group
SURVEY SAYS:
SC Magazine poll
A new survey conducted by SC
Magazine on social media use in the
enterprise surveyed 273 of its readers
with such titles as chief information
security officer, chief technology officer
and security administrator. The top
concern of misuse of social networking
sites is falling out of compliance with
regulatory mandates.
72% of those polled said their organizations
are concerned about threats to
their data from social networking sites;
31% said their companies block
access to all employees to these sites;
64% allow access to specific employees
and departments, such as marketing
and public relations;
While 77% of companies provide
security awareness training and policies,
only 51% have specific social networking
governance policies in place.
mobile device agreement. In this
agreement, the employee acknowledges
their responsibilities for safeguarding
information, as well as reporting timely
loss of the mobile device, not tampering
with security controls, and other
regulations.
“Despite IT and security’s desire to
accommodate employees’ information
needs by providing them with secure
access to corporate information on
company-sanctioned mobile devices,
senior-level executives continued to
demand access to corporate information
via non-standard mobile devices
(specifically iPhones and iPads),” says
Schaufenbuel. To accommodate these
requests, he says an addendum was
created for the acceptable-use policy.
Access to corporate information on
non-standard mobile devices is now
granted for executives of a certain level
if the executive agrees to permit the
IT department to implement security
software on the non-standard device,
including encryption and remote wipe
capabilities, and not to tamper with
these controls.
Bad connection
The challenge IT departments face
with user-owned devices are not only
technological – Do the devices meet the
corporate standards for data security
and data leakage prevention – but also
how are employees using these devices
to connect to social networks. Security,
CISOs agree, is as much a function
of personal action as it is technology.
Today security is measured not only on
data leakage through malware, viruses
and attacks, but also by employees who
provide corporate confidential data or
other information on social networking
sites, often without even realizing what
they did.
Monitoring social networking
sites has become a key management
and public relations task, Baich says.
Corporate reputations – what Baich
calls a company’s “cyber beacon” – is
affected significantly and quickly by
social media. When a comment, good
or bad, is posted online, it can circle
the globe in seconds and lives on the
internet forever. A negative comment or
inappropriate posting could endanger a
company’s standing.
Companies have clearly understood,
written policies and procedures in cases
of fire or natural disaster, but few organizations,
he says, have policies for or
clear defi nitions of cyber disasters. “It
comes down to governance,” he adds.
“It’s how you mitigate risk.”
In fact, Baich says, social networking
management is far more wide-ranging
than just a task for human resources
or IT. Managing social networking
policies should be shared by executives
involved in privacy, security, IT, audit,
compliance and governance. “Look at
your cyber beacon,” he says. “It’s only
as strong as its weakest link.”
Set understandable policies
Michael Meikle, CEO of the Hawkthorne
Gourp, a Richmond, Va.-based
management consulting firm, adds
that since many younger workers are
using social media sites extensively at
home, it is unreasonable to think that
they will change their habits at work.
Rather, he recommends that companies
set standards that the employees will
understand and embrace.
For example, Meikle says an acceptable-use
policy should include such
64%
or
rules as: Don’t give out personal information,
comment only about issues that
are within your work responsibilities
and not other departments, and don’t
lie in a post.
Once information is posted online,
he says, it is there forever, and both the
company and the person who makes
the post will be judged in the future on
what they say today.
Meanwhile, information used for
social engineering can be gleaned easily
from social media sites, he says. Many
users post their travel plans, photos
from trips, or seemingly innocuous
comments about their employers. Such
information makes the employees
vulnerable to possible home break-in by
crooks who monitor certain sites.
In some cases, he says, fake technical
support sites are created in hopes
of learning about a company’s network
configuration or problems an organization
might be having with its technology.
This data can be used to identify
weaknesses in technology, conduct
corporate espionage or put employees’
homes at risk for burglary.
“Security has been elevated to a business
issue rather than just a technical
issue,” Meikle says.
Michael Everall, chief information
security officer at LAMCO, a subsidiary
of Lehman Brothers Holdings, agrees
that getting employees to take a personal
stake in security is the key to protecting
a company from security risks.
By businesses explaining corporate
security in terms of personal protection,
employees better understand why
companies create and enforce the rules
they do, he says.
Senior management must not only
create and communicate an acceptableuse
policy for social media sites, but
also explain why these policies are in
place, Everall says. Training and acceptable-use
procedures are not a one-time
action that the human resources department
conducts when a new employee is
hired, he says. Enterprises need to provide
regular security-awareness training
programs for workers, preferably annually,
that will help the staff be not only
safer from a technology standpoint at
work, but also more secure at home.
Put to good use
Everall agrees that employees should
have no expectations of privacy when
using corporate assets, including the
network. In addition to the acceptableuse
policy, senior management also
must create and disseminate rules to
employees about approved behaviors.
There are three basic ways data is lost
through social media: through technological,
social engineering and innocent
accidents. Security experts agree that
staff training is by far the strongest of
the defenses against such loss, as it is
the only one in which workers actively
defend against data breaches.
If a company chose to shut down
all access to social media sites, says
Deloitte’s Baich, it would be failing to
use valuable corporate assets. These
sites, he adds, can be used effectively
for sales, marketing and recruiting. If a
company denies employees access, some
likely would access the sites from home
or mobile devices to discuss activities
that could affect the business, and the
company would lose the opportunity to
impact that message.
“Social media opens up a new channel
of exploitation,” Baich says. The
best way for a company to protect itself
is through training and awareness on
the part of its employees, he says. ■
the largest proportion of U.S. IT security decision-makers
polled in a recent Cisco survey perceive social networking as
the biggest risk to their organization.
18 SC SPOTLIGHT • November 2010 • www.scmagazineus.com
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 19

An inside look at the
information security
operations of Twitter
and Facebook.
Dan Kaplan reports.
Between them, Facebook and Twitter
have accrued more than 600
million members, twice the population
of the United States. In fact, only
two countries in the world – China and
India – are home to more people than
are members on two of the world’s most
popular social networking sites.
But, as the platforms attract legions of
fans, so too have cybercriminals joined
the party. To learn what Facebook and
Twitter are doing to keep the crooks in
check, SC Magazine got an inside look at
the information security operations of
the two companies.
Deputy Editor Dan Kaplan asked the
sites’ security leaders – Joe Sullivan, chief
security officer at Facebook and Del Harvey,
director of trust and safety at Twitter
– to open up about their efforts around
malware removal, code hardening, victim
assistance and law enforcement collaboration,
plus much more.
What do you consider to be the
greatest security threat facing
your site
Joe Sullivan: We prioritize spam,
phishing and malware. However, we take
all threats seriously and focus on building
systems to detect and block suspicious
activity, as well as offer innovative tools
that give people powerful control over
their accounts and logins.
Del Harvey: The most important thing
facing us is educating our users about
online safety to prevent security threats.
There is no one greatest security threat.
How is the company working to
combat it
JS: We focus on technological solutions.
We’ve built numerous defenses to combat
threats, including complex automated
systems that work behind the scenes
to detect and flag Facebook accounts
that are likely to be compromised based
on anomalous activity.
Once we detect a phony post or message,
we delete all instances of it across
the site. We block malicious links from
being shared and work with third parties
to get phishing and malware sites
added to browser blacklists or taken
down completely. People who have been
affected are put through a remediation
process so they can reset their password
and take other necessary steps to secure
their accounts.
Joe Sullivan
chief security officer
We also devote a lot of effort to education
programs that teach how to be safe
on Facebook and across the internet.
DH: Twitter is developing an Online
Safety Center. We have help pages about
passwords, instructions about password
types, and we do automated resets of
passwords on accounts we believe may
be compromised.
Why do you think your site
is such a preferred target by
cybercriminals
JS: As a communications platform
used by hundreds of millions of
people around the world, Facebook
faces a security challenge that few, if
any, companies have ever had to face.
Our service is under constant attack,
and we work hard not only to defend
against current threats, but to predict
future ones so we can be prepared. The
systems we’ve built have helped us stay
one step ahead of our attackers, so that
as we’ve more than doubled in size over
the last year, the actual effect of the
attacks on people who use Facebook
hasn’t changed.
DH: Twitter hasn’t become a preferred
Q&A
PRIMARY TARGETS
target for cybercriminals more than
any other website. Obviously, as a site
grows in popularity, the use cases for it
will grow as well, but we haven’t seen
indications of serious cybercrime. To a
large degree, our users themselves function
as protection from bad behavior
because when it is noted, it is reported.
Twitter succumbed to a serious
worm in September. What caused
this and what has been done to
ensure a repeat incident won’t
happen
DH: The security exploit that caused
problems was caused by cross-site
scripting (XSS). In this case, users submitted
JavaScript code as plain text into
a tweet that could be executed in the
browser of another user. We discovered
and patched this issue.
Del Harvey
director of trust and safety
What is your site doing to limit
security vulnerabilities in its
code that can enable attacks to
spread
JS: We hire the most qualified and
highly skilled engineers we can fi nd –
most from industry or from top universities.
Upon joining the company, every
engineer and engineering manager participates
in a six-week intensive “boot
camp” training. Our code review process
is rigorous, and we phase changes
and test them before they go live to
detect any potential issues. During code
pushes, our engineering, user support
and operations teams work cross-functionally
to monitor the state of the push
and to identify any problems early.
We also have the capability to quickly
push code updates to all of our data
centers worldwide, and to enable or disable
critical features of the site if there
is a problem. We do regular audits of all
key features and perform regular risk
reviews.
Finally, we maintain and build
relationships with security researchers
around the world and provide an easy
way for them to contact us – through
the “White Hats” tab on our Facebook
Security Page – in the rare event that
they fi nd a vulnerability.
DH: Twitter is focusing on identifying
possible vulnerabilities beforehand.
What is being done to stem the
spread of socially engineered
malware, spam and other unsolicited
communications
JS: We’ve built automated systems
to flag behavior that might indicate
an account has been compromised
through malware. When this happens,
we block access to the account
and put the account owner through a
special version of our account recovery
process that includes a free virus scan.
We worked with McAfee to build this
unique scan and repair tool, and
to offer all 500 million people who
use Facebook a complimentary subscription
to McAfee security software
through the Facebook Security
and McAfee pages. We also regularly
work with others across the industry
to identify and respond to malware
threats.
DH: A variety of efforts are done to
stem the spread of malware, including
working with URL blacklists, internal
spam reports, user spam reports
and empowering our users to block
accounts. Our users act as anti-bodies
to shut down “bad acts” pretty quickly.
What has been done to strengthen
the authentication of users,
beyond username and password
JS: We innovate on security just as we
do on the products that help people
share and connect. We have systems
that detect suspicious login attempts
(for example, someone logging in from
an unusual location or device). When
this happens, we ask the person to verify
their identity as the true owner of the
20 SC SPOTLIGHT • November 2010 • www.scmagazineus.com
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 21

Q&A
account by providing information, like
birth date or the answer to a security
question, entering a mobile verification
code or identifying friends in a small
number of tagged photos to which the
account owner has access.
DH: The easiest way to confirm your
identity to your followers is linking to
your Twitter profile from an official website.
More suggestions on verification are
outlined in the Help Center here.
How is the site helping to restore
users’ accounts if they are victimized
JS: When we detect that an account may
be compromised, we immediately block
access to it. The next time someone tries
to login, we put the person through a
series of steps to verify their identity and
resecure the account. In cases where the
account was compromised through malware,
we also provide a free virus scan.
DH: Users can file tickets on our website,
and we’ll restore their user accounts.
The Federal Trade Commission
recently settled with Twitter over
charges that the site failed to protect
user data. How does Twitter
view this settlement
DH: We recently reached an agreement
with the FTC that resolves concerns
they had raised related to our security
practices involving hacking incidents
on Twitter in 2009. Even before the
agreement, we’d implemented many of
the FTC’s suggestions. The agreement
formalizes our commitment to those
security practices.
What is Facebook doing to ensure
its users are protected from malicious
and rogue applications and
that app developers are vetted
JS: We provide a number of ways for
people to control what information they
share with the applications they use. We
require developers to specify the exact
pieces of information they need, present
them in an easy-to-understand dialog,
and get explicit permission from the
person using the application before they
81%
can access anything. This helps people
understand exactly what they’re sharing
with which apps.
We also recently launched a new
application dashboard that allows people
to see what information the apps they
use are accessing and easily remove,
report or block applications they think
might be violating our policies. We
have a dedicated enforcement team that
conducts spot reviews of applications,
including those that have been reported,
or that our systems have flagged because
of anomalous behavior. We’ve disabled
thousands of applications in the past for
violating our policies.
What security recommendations
do you have for organizations
whose employees leverage your
site both for personal and business
use
JS: We recommend that organizations
invest time in teaching their employees
safe practices for the internet. We work
hard to educate people through the
Facebook blog, which reaches more than
20 million people, and through our Facebook
Security Page. This page, which
is liked by almost three million people,
lists helpful tips and best practices and
includes a quiz people can take to test
their knowledge, post a badge to their
profile, and share tips with friends.
DH: Some basics are: Use a strong
password; watch out for suspicious links;
always make sure you’re on Twitter.com
before you enter your login information;
don’t give your username and password
out to untrusted third-parties, especially
those promising to get you followers
or make you money; make sure your
computer and operating system is up to
date with the most recent patches and
upgrades and anti-virus software; and
don’t share personal information.
of social network users are likely
to accept the friend request of
a stranger and share sensitive
information.
— BitDefender
How is Facebook working with
law enforcement to track down
cybercrooks
JS: We regularly work with law
enforcement around the world to
identify cybercriminals and bring
them to justice, and we have dedicated
teams whose responsibility it is to
investigate specific spam, phishing and
malware campaigns and go after the
people behind them. These efforts have
resulted in the two largest U.S. CAN-
SPAM judgments in history: $873 million
against Adam Guerbuez and $711
million against Sanford Wallace. In
another victory for us, a few weeks ago,
a court in Montreal, where Guerbuez is
based, ruled that the U.S. court’s judgment
against him could be enforced in
Canada.
Please talk about some of the
other security features that
Facebook has instituted that you
haven’t mentioned.
JS: We’re committed to providing
people with the best tools possible to
protect themselves and their accounts.
Back in May, we launched a login
notifications feature that allows people
to approve the devices they use to access
Facebook and be notified immediately
by both email and SMS if their account
is ever accessed from a device that hasn’t
been approved. Last week, we finished
rolling out a feature that allows people to
view all of their active Facebook sessions
and close any they no longer want open.
This is particularly helpful for people
who access Facebook from a device they
don’t own and then forget to log out.
We also launched a brand new, one-time
password feature that allows people logging
in from devices they don’t trust to
request a temporary password via SMS
that expires after 20 minutes. ■
COLLABORATE
WITH CONFIDENCE
Leverage the power of the Web freely with Websense® TRITON—
the first and only unified Web, data, and email security solution.
Making point solutions pointless.
The TRITON architecture consolidates industry-leading Web, email, and data
loss prevention security technologies into a unified solution, providing you with the
best protection against modern threats — anywhere — at the lowest total cost of
ownership. Finally, your entire team can collaborate without compromising the security
and protection of your essential information.
22 SC SPOTLIGHT • November 2010 • www.scmagazineus.com
To learn more, visit websense.com/TRITON.

RISK&
REWARD
Intel CISO Malcolm Harkins believes the best social networking strategy
involves embracing the threat, not avoiding it. Dan Kaplan reports.
Malcolm Harkins, CISO, Intel
Photo by Edward Caldwell1
If it were up to Malcolm Harkins,
drivers would spend their days
navigating through many more traffic
circles and much fewer traffic lights.
Before cueing the “Look kids, Big
Ben” scene in European Vacation when
Chevy Chase’s character gets stuck driving
in a roundabout for hours, it may be
wise to hear Harkins out on this one.
The 43-year-old chief information
security officer of Intel is a contrarian,
of sorts, who believes that “running
toward risk” is much more rational
than the conventional business
approach of avoiding it entirely.
As Harkins explains, since a circle
results in far fewer fatal collisions
while still enabling cars to move, albeit
slowly, it actually is more effective and
efficient than a traffic mechanism that
stops automobiles altogether, but occasionally
leads to a frightening wreck.
So what do traffic control strategies
have to do with Harkins’ job A lot,
actually, and the conversation particularly
is applicable to organizations trying to
balance the security risks of social media
with the growing demand for it.
“Information is going to flow, just
like traffic wants to flow,” Harkins says.
“When you put in artificial blocks, like
a traffic light, people may just blow by
the red light. But if people enter the
roundabout, they are more situationally
aware. You become immediately aware
of your surroundings. What I challenged
my team to do was to build the
equivalent of roundabouts.”
Roughly five years ago, at the urging
of Harkins, the powers that be at Intel
arrived at a revelation: If they did not
enable and empower their 80,000-strong
creative, intellectual and tech-savvy
employee base to communicate and
collaborate with each other beyond
traditional platforms, such as email, they
would be in for a rude awakening.
Company executives recognized
that the perimeter as people knew it
was breaking down, Harkins says. The
workforce demanded not just mobility,
but also the ability to interact with data
on a more social level. If Intel failed to
provide employees with this opportunity,
they would find a way to satisfy the craving
themselves, management concluded.
Blocking or stymieing the flow of
information would lead employees to find
other avenues for their thoughts – outlets
that would be out of the direct control of
Intel’s security team – a move that could
lead to dire consequences for the company’s
reputation and bottom line.
“Thinking you can just block it is
really the wrong strategy,” Harkins
says. “It just means they can’t do it on

Case study
the corporate network, but if they’re
going to spout off something, they can
just do it offl ine.”
In other words, Intel needed to
develop the social networking version
of a traffic circle.
“If we give them that freedom of
expression, but within the boundaries
of our code of conduct, it is kind of all
within the family, so to speak,” Harkins
says. “Your risk is less if you enable it
ahead of your users so they can do their
work in that form.”
“Planet” launches into orbit
Roughly three years ago, Intel tapped
Laurie Buczek to develop its social
computing strategy. Already well-versed
in web planning, Buczek led the launch
of an internal, collaborative platform,
known as Planet Blue – in essence,
Wikipedia, Facebook, Blogger and
YouTube all rolled into one.
The goal of the platform is to enable
employees to build a professional network
of contacts, while connecting and
sharing ideas.
“Fundamentally, the traditional
enterprise collaboration tools are very
cumbersome for employees,” says
Buczek, who now works in digital
marketing at Intel. “They’re not easy
to use. Today, we work in a very global
company, and some of our traditional
tools have not been able to even connect
a face to a name.”
Through Planet Blue, employees can
“fi nd people who may have been previously
unknown to you, but are working
on interesting things,” she adds. “There
would have been no way to fi nd those
people in the past.”
The birth of Planet Blue couldn’t
have come at a more opportune time.
1
/3
People are mixing
both worlds.”
Not long before the platform launched,
Intel’s security team had to deal with
the brief exposure of intellectual property.
An employee posted a video to a
public social networking site – Harkins
wouldn’t say which one – that detailed
the capability of a yet-to-be-released
product. “The person wasn’t doing
anything malicious,” Harkins recalls.
“They were sharing knowledge that
could help peers in the company.”
Employees noticed the problem,
and the video quickly was taken down.
However, the incident validated Intel’s
plan to enable its employees to exchange
ideas, but in an environment that could
be more readily controlled. “If somebody
needed to share a video broadly,
would you rather them post it externally
or internally, where it can be indexed,
used and shared” Harkins asks.
Security and privacy
Despite the fact that Planet Blue sits
behind the corporate firewall, there still
are a number of security and privacy
ramifications that Harkins and his team
must consider.
Foremost, the platform contains
robust authentication and access
controls. While an external intruder
theoretically would be unable to reach
Planet Blue, that doesn’t mean a nosy or
disgruntled employee – bent on helping
out a competitor, for example – couldn’t
compromise sensitive data housed in
the portal.
of small- to medium-sized businesses have
been infected by social media malware.
— Panda Security
– Laurie Buczek, digital marketing, Intel
Privacy also factors in, Buczek says.
In some ways, the site mimics popular,
external social networking sites, in that
each member has a profi le. But Intel
was careful not to include the same
fields one might fi nd on, say, Facebook.
For one, the company didn’t want to
have to collect and protect that type
of information, Buczek says. Also, by
including fields, such as age or college
graduation year, Intel could open
itself up to a discrimination lawsuit, for
example.
“You have to understand that when
you are building an environment where
people naturally are putting in personal
information, what can we allow them to
do” she says. “Where do we draw the
line How are we allowed to use that
information as a company How much
notification do we have to give”
User profi les on Planet Blue mostly
include information one would fi nd on
a résumé – certifications, past projects
and more – and they contain no personal
data beyond what already appears
in the employee phonebook. As an
additional privacy measure, employees
must opt-in to share any information.
Beyond the firewall
Even though Intel has developed a
robust internal social computing platform,
users still are permitted to visit
practically anywhere on the internet and
install whichever program they choose,
Harkins says, with the exception of inappropriate
sites or rogue applications that
may steal personal data.
Employees may want to take a break
to visit Facebook to see what their
friends are up to, Harkins figures, or
they may want to blog about a recently
released Intel product they helped
bring to market.
“An interesting trend is occurring,”
Buczek says. “People are mixing both
worlds. It is becoming so blurry that it is
hard for folks to claim [using social networking
sites] is 100 percent personal.”
Worries over productivity declines
because of social media use don’t enter
into Harkins’ line of thinking. Workers
are going to fi nd the time to get their
jobs done, he says, much like they did
when the telephone and email found
their way to people’s desks. “If someone
is not getting their job done, that’s a
performance management issue,” he
says. “Don’t blame the tool.”
The theory of full access goes back
to one of Harkins’ self-devised “irrefutable
laws of information security.”
Number one Information wants to be
free, and people are going to post and
share it.
Encouraging Web 2.0
Recognizing this, Intel not only enables
users to visit Web 2.0 sites, such as
Facebook and Twitter, but it actually
champions it. “We encourage everybody,
once trained, to be able to go out and…
speak about Intel and the work they are
doing,” Buczek says.
Of course, Intel would be foolish to
let its employees run free without first
schooling them for the terrain. Before
they can be anointed brand ambassadors,
workers must complete an hourlong
digital training course that teaches
them to think twice about the content
they decide to post.
Users receive additional social networking
training through Intel’s general
security program, which instructs
them not to click on things such as
untrusted links, a common malware
ploy leveraged by cybercriminals on
social media sites, where an air of trust
and safety may prompt people to make
poor decisions.
Part of the training process at Intel
focuses on how employees can protect
themselves and their children while
accessing the web at home. Harkins says
applying this context to the program
forces users to more personally think
about what they’re learning – and the
message tends to stick better. “When
you carry it to that extent, you get a better
behavior model,” he says.
Harkins is confident that employees
are heeding the advice. He references
a 2005 email blast delivered to 5,000
employees at random. The emails
contained a survey, created by senior
management, which asked recipients
to click on a link and explain what
they like and don’t like about Intel’s
company culture. The security team
never was informed of the blast, but as
it turned out, hundreds of employees
thought it was bogus – the ultimate pat
on the back for Harkins.
“Our phone lines lit up,” he recalls.
“We had calls instantly. I had my
cell phone ringing within a couple of
minutes. The administrative assistants
started blasting out emails saying,
‘Don’t click on this.’ They reacted faster
than what we could’ve done to block it.”
Tech solutions
From a technology perspective, Intel
uses a combination of content filtering,
firewalls, anti-virus and intrusion
prevention to defend against malware
that may be present on social networking
platforms. The company also is close
to adopting a data leakage prevention
(DLP) solution now that the technology
has matured to the point where it
can track and fingerprint confidential
HUMAN NATURE:
We want it, now
The “Irrefutable Laws of Information
Security,” according to Malcolm Harkins,
CISO of Intel:
Information wants to be free
Code wants to be wrong
Services want to be on
Users want to click
Even a security feature can be
used for harm
content, as opposed to the first iterations
of DLP that solely searched for patterns
or numbers.
Harkins says Intel is proof that an
organization can remain secure without
dodging risk. Not everyone shares his
viewpoint. He recalls a conversation
he recently had with the security chief
of a large company whose mantra is,
“In God we trust. Everything else, we
block.”
To Harkins, such a reaction to the
current web climate may be myopic and
ignorant – but also is understandable.
It is a product of human psychology, he
says. Many times, security professionals
become emotional and rash if they
choose to look at a certain issue, such as
social networking, from an alarmist or
biased perspective.
Embrace the risk
He recalls another discussion he had not
too long ago with a security practitioner
who admitted he was leery of arming his
employees with laptops and other mobile
devices because of data loss and malware
concerns.
Harkins challenged his peer to more
deeply examine the rationale behind his
apprehension.
“Well since you allowed printers and
CDs and people to get on the internet,
your data is already mobile,” Harkins
recalls telling him. “You haven’t
reduced your mobility risk. And most
people are getting their malware on the
internet, so you haven’t reduced your
malware risk.”
In the end, Harkins says, the most
significant vulnerability facing organizations
is the misperception of risk.
“To manage risk, you have to run
to the risk,” says Harkins, who earlier
this year received the Excellence in the
Field of Security Practices award at the
RSA Conference in San Francisco for
his efforts around social media. “That’s
the only way to shape it or be a part of
it.”
Perhaps Clark Griswold (Chevy
Chase’s character) would even agree. ■
26 SC SPOTLIGHT • November 2010 • www.scmagazineus.com
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 27

Business lists to reach
key decision makers
Photo by John Lund/Blend Images
haymarket media’s b-to-b postal and
email lists offer you premier access to
key executives in healthcare, sales
and marketing, public relations and
information technology. These decision
makers have proven responsive to
offers including tools, cellular, hardware,
relevant seminars, insurance, financial,
advancement courses and services that
will help them expand their market share,
grow their employees, drive their
organizations forward and stay ahead
of their competition.
CONTACT POINT
Our new survey examines the impact – positive and negative – of the
use of social media within the enterprise. Stephen Lawton reports.
To find out how Haymarket Media’s
business lists can help you attract
new customers contact:
For Email Information:
Frank Cipolla, 800.223.2194 x 832
frank.cipolla@epostdirect.com
For Direct Mail Information:
Kevin Collopy, 800.223.2194 x 684
kevin.collopy@epostdirect.com
The survey on social media, conducted by
That social media technology is here to stay, at least for the foreseeable future,
does not appear to be at issue. How companies embrace it and make it their
own certainly is. Managing social networking internally and externally has
become deeply entwined with other operational aspects of enterprises – from
marketing and public relations to product development and human resources to
industrial research.
Social networking is to Generation X, Generation Y and Millennials what televisions
with remote controls and automobiles were to Baby Boomers — the next,
great technology that became a big part of their daily lives. As Boomers flooded to
the highways as part of their communications rituals, today’s youth see Facebook,
MySpace and YouTube as part of their voice. To determine what corporate security
executives are thinking about social networking and its impact on their corporations,
SC Magazine surveyed 273 of its readers with such titles as chief information
security officer, chief technology officer, security administrator, and the like.
Are you and your organization concerned
about the threats to corporate
data that the use of social networking
sites by employees can introduce to
your infrastructure
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 29

Survey
Does your organization block
employee access to social networking
sites, such as Facebook, Twitter
and MySpace
Does your organization allow access
to social networking sites, such as
Facebook, Twitter and MySpace for
certain groups of its employees
What information security solutions does your organization enlist to protect its
information assets from social networking (number of respondents)
Has your organization experienced
an attack through the use of social
networking sites, such as Facebook,
Twitter, or MySpace, by employees
Do you have a specific social
networking governance policy
in place
“Information security professionals
are generally concerned with the risks
posed to organizations by the introduction
and wide adoption of social media
sites and technologies,” says Jaime
Chanaga, CEO of The CSO Board, a
management consulting firm. “Starting
at the lowest common denominator
– personal information – social media
sites don’t have the best track record in
strong privacy practices and protection.”
However, despite Chanaga giving
voice to some of the apprehension of
many security executives, “Social media
is here to stay,” he says. “The genie is out
of the bottle. Organizations will find it
increasingly impossible to reign in and
block social media from becoming a
part of the corporate culture. Until the
information security industry develops
new and stronger technology solutions
for monitoring and enforcement of the
use of social media, organizations will
find it difficult to monitor and enforce
business use of social media websites
and technologies.”
Patricia Titus, CISO of Unisys Corp.,
says that clear and simple acceptable-use
policies help employees understand what
is and is not acceptable online. Social
networks, she says, have value both
internally and externally for companies,
but employees need to understand how
and when to use them.
Titus firmly believes that blocking
access to social networking sites could
have a negative impact on many of the
younger workers at a company. She
describes employees who grew up with
this technology as “digital natives,” and
Baby Boomers and older workers who
did not as “digital immigrants.”
Most CIOs and CISOs are digital
immigrants who look at social media
differently than do younger employees,
she says.
“[But] the generations growing up
now just expect to have access to social
networking at all times,” says Chad
Barr, security consultant for enterprise
information management at Wells
Fargo. “More than likely, they grew
up with unlimited, always-on internet
access and can’t imagine a world without
being connected all the time.”
Workforce demand
Social networking sites are now the
new way to communicate from person
to person, he adds. “I once interviewed
a person right out of college. His first
question about benefits was if we paid
for his internet usage at home and if we
blocked Facebook at work.”
Some 70 percent of the respondents to
SC Magazine’s social networking survey
— 190 security executives out of 273
— say social engineering and phishing
What threats are you and your company most concerned about experiencing when
debating employee access to social networking sites (number of respondents)
attacks are major concerns. Another 150
respondents, or 55 percent, say theft or
breach of corporate and/or customer
information is a major concern.
Titus agrees with the findings, noting
that the use of internet-connected
devices could provide intelligence to
competitors about one’s whereabouts.
Christopher Burgess, Cisco senior
security adviser, who has made a career
of understanding security and intelligence
at the highest levels of the
corporate and governmental sectors, says
employees who don’t consider what they
share on social network sites might well
be providing valuable corporate information
to competitors, even by posting the
most seemingly mundane information.
Industrial espionage occurs daily on sites
like LinkedIn, he says. Unsuspecting
employees post travel itineraries, discuss
what might be innocuous technologies,
and post pictures taken from their
smartphones. Savvy data miners can
scrub this information to obtain travel
schedules (this can identify suppliers
or clients), leads on new products or
product enhancements, and the exact
location – latitude and longitude – of
where a photo was taken by checking
the picture’s metadata. Such information
could put corporate assets or personnel
at risk, he says.
Wells Fargo’s Barr agrees that training
and well-understood acceptable-use
policies are essential. “The best option
is security and awareness training,” he
says. “You can have some of the best
security devices in place, but there is no
way to catch 100 percent of data leakage.
You need your employees to know
what they can and can’t post on social
network sites.”
Disclosure considerations
The government sector runs into many
of the same problems as the private
sector, with one notable exception: the
Freedom of Information Act (FOIA).
While corporations are not required
to disclose all communications by its
employees, government agencies are
bound by FOIA, which means a citizen
or organization (such as the media) can
obtain copies of government employee
text messages, email and all other
electronic conversations, says Dan
Lohrmann, the state of Michigan’s chief
technology officer.
Because of open government laws, the
state has additional challenges when it
comes to employees accessing and using
social networks. If an employee accesses
a social network during working hours,
but with a personal device, such as a cell
phone or laptop, does the state need to
disclose those communications Additionally,
as video becomes a more significant
component of social networking,
will increased use of bandwidth impact
the state’s ability to operate Lohrmann
says these types of questions challenge
public sector IT administrators in ways
that never were considered in the past.
He agrees that younger workers
expect to have full access to social
networks, just as workers today have full
internet access. Indeed, he expects use
of social networking sites to be phased
in as was traditional internet access in
the 1990s.
One tricky issue facing managers
today in both the public and private
sectors is how to work with hourly
employees who use social network sites
for non-work-related purposes. While
some employees see nothing wrong
with checking their favorite sites during
work hours, or perhaps when working
past 5 p.m., employers are faced with
paying more overtime because of it.
Such agreements must be made prior to
hiring the employee, Lohrmann says.
Ensuring that employees understand
their company’s acceptable-use policy,
and make it their own, was the common
thread that ran through the answers to
the survey. Employees who understand
what they can and cannot do, as well
as why these are the policies, are much
more likely to use social media sites
appropriately and not put company data
or personnel at risk, Cisco’s Burgess
says. ■
30 SC SPOTLIGHT • November 2010 • www.scmagazineus.com
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 31

Sponsors
Sophos enables enterprises to secure and control their IT infrastructure. Its network access
control, endpoint, web, email and encryption solutions simplify security to provide integrated
defenses against malware, spyware, intrusions, unwanted applications, spam, policy abuse,
data leakage and compliance drift. Sophos protects more than 100 million users in nearly 150
countries.
For more information, visit www.sophos.com.
Websense, a global leader in unified web, data and email content security solutions, delivers
the best security for modern threats at the lowest total cost of ownership to tens of thousands
of enterprises, mid-market and small organizations around the world. Distributed through a
global network of channel partners and delivered as software, appliance and software-as a
service (SaaS), Websense content security solutions help organizations leverage new communication,
collaboration and Web 2.0 business tools while protecting from advanced persistent
threats, preventing the loss of confidential information and enforcing internet use and security
policies. Websense is headquartered in San Diego, Calif., with offices around the world.
For more information, visit www.websense.com.