SOCIAL MEDIA - Websense
SOCIAL MEDIA - Websense
SOCIAL MEDIA - Websense
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
NOVEMBER 2010 • WWW.SCMAGAZINEUS.COM<br />
This premier “Spotlight” edition explores<br />
the pros and cons of embracing social<br />
media in the enterprise, highlighting the<br />
strategies and technologies that can be<br />
implemented to keep critical assets safe.<br />
<strong>SOCIAL</strong><br />
<strong>MEDIA</strong><br />
SHINING THE “SPOTLIGHT” ON:<br />
INCLUDING:<br />
P10 Socially inclined<br />
Many organizations have accepted social<br />
networking as part of doing business, but<br />
technology and governance can help control it.<br />
P20 Primary targets<br />
SC Magazine’s inside look at the security<br />
operations of Facebook and Twitter through a<br />
Q&A with security leaders at each company.<br />
P29 Contact point<br />
The use of social media in the workplace<br />
is examined in a new survey conducted by<br />
SC Magazine.
P10 Socially inclined<br />
Many organizations have accepted social<br />
networking as part of doing business, but<br />
technology and governance can help control it.<br />
P20 Primary targets<br />
SC Magazine’s inside look at the security<br />
operations of Facebook and Twitter through a<br />
Q&A with security leaders at each company.<br />
P29 Contact point<br />
The use of social media in the workplace<br />
is examined in a new survey conducted by<br />
SC Magazine.<br />
WEBSITE WWW.SCMAGAZINEUS.COM • EMAIL SCFEEDBACKUS@HAYMARKET<strong>MEDIA</strong>.COM<br />
Malware Protection<br />
Data Protection<br />
Business Productivity<br />
IT Efficiency<br />
Compliance<br />
Hospital food<br />
REGULARS<br />
5 Editorial Welcome to a special Spotlight edition<br />
6 DataBank: Social Gauge Some graphs awnd data bites on the use of<br />
social media and its effect on the enterprise<br />
8 News Update New cyber intelligence shows social media targets are<br />
generating big rewards for the bad guys<br />
FEATURES<br />
20<br />
10 Socially inclined<br />
Many organizations have accepted social networking as part of doing<br />
business, but technology and governance can help control it.<br />
16 IT’s new problem<br />
Consumer devices and social media may be too pervasive to ban within the<br />
enterprise, but precautions can be taken.<br />
20 Primary targets<br />
SC Magazine got an inside look at the security operations of Facebook and<br />
Twitter through a Q&A with security leaders at each company.<br />
24 Risk & reward<br />
The CISO of Intel believes the best social networking strategy involves<br />
embracing the threat, not avoiding it.<br />
24<br />
29 Contact point<br />
The use of social media in the workplace is examined in a new survey<br />
conducted by SC Magazine.<br />
worry less. accomplish more. www.sophos.com<br />
NOVEMBER 2010 • WWW.SCMAGAZINEUS.COM<br />
<strong>SOCIAL</strong><br />
<strong>MEDIA</strong><br />
SHINING THE “SPOTLIGHT” ON:<br />
INCLUDING:<br />
This premier “Spotlight” edition explores<br />
the pros and cons of embracing social<br />
media in the enterprise, highlighting the<br />
strategies and technologies that can be<br />
implemented to keep critical assets safe.<br />
This premier Spotlight issue<br />
of SC Magazine explores the<br />
pros and cons of embracing<br />
social media in the<br />
enterprise environment.<br />
SC Magazine (ISSN No. 1096-7974) is published 12 times a year<br />
on a monthly basis by Haymarket Media Inc., 114 West 26th Street,<br />
4th Floor, New York, NY 10001 U.S.A.; phone 646-638-6000; fax<br />
646-638-6110. Periodicals postage paid at New York, NY 10001 and<br />
additional mailing offices. POSTMASTER: Send address changes<br />
to SC Magazine, P.O. Box 316, Congers, NY 10920-0316. © 2010<br />
by Haymarket Media Inc. All rights reserved. Annual subscription<br />
rates: United States: $98; Canada and Mexico: $110; other foreign<br />
distribution: $208 (air service). Two-year subscription: United<br />
States: $175; Canada and Mexico: $195; other foreign distribution:<br />
$375 (air service). Single copy price: United States: $20; Canada,<br />
Mexico, other foreign: $30. Website: www.scmagazineus.com.<br />
Cover illustration by Charlie Griak<br />
www.facebook.com/SCMag<br />
www.twitter.com/scmagazine
WHAT IS SCWC 24/7<br />
SC Magazine has created a free virtual<br />
environment that is open year-round.<br />
Each month we host an event focused<br />
on a subject that you as an IT security<br />
professional face on a regular basis.<br />
UPCOMING EVENTS<br />
Dec. 9<br />
APT: Valid threat or overhyped<br />
Are advanced persistent threats (APTs)<br />
becoming like the legend of Sasquatch<br />
given all their recent publicity In the cybercrime<br />
world, APTs have been touted<br />
as major attacks launched by<br />
<br />
bad guys – usually with state<br />
sponsors – with which CXOs<br />
must be concerned. Others say APTs<br />
are nothing new – the same complex<br />
attacks with staying power to siphon off<br />
critical data for profit or use that have<br />
been happening for quite some time<br />
now. So, which is it and just how worried<br />
should executive leaders be about APTs<br />
More importantly, what do they do to<br />
safeguard their information assets from<br />
falling victim to these types of attacks<br />
ON DEMAND<br />
A review of PCI updates<br />
The Payment Card Industry Security<br />
Standards Council, the body that<br />
manages payment security guidelines,<br />
recently released updates to its 12-step<br />
Payment Card Industry Data Security<br />
Standard (PCI DSS). In this webcast,<br />
experts from the PCI Standards Council<br />
take you through these updates and offer<br />
help to comply with the standards.<br />
FOR MORE INFO<br />
For information on SCWC 24/7 events,<br />
please contact Natasha Mulla at<br />
natasha.mulla@haymarketmedia.com<br />
For sponsorship opportunities,<br />
please contact Mike Alessie at<br />
mike.alessie@haymarketmedia.com.<br />
Or visit, www.scmagazineus.com/<br />
scwc247<br />
SC MAGAZINE EDITORIAL ADVISORY BOARD 2010<br />
Rich Baich, principal, security and privacy practice,<br />
Deloitte and Touche<br />
Greg Bell, global information protection and<br />
security lead partner, KPMG<br />
Christopher Burgess, senior security adviser,<br />
corporate security programs office, Cisco Systems<br />
Jaime Chanaga, managing director,<br />
CSO Board Consulting<br />
Rufus Connell, research director -<br />
information technology, Frost & Sullivan<br />
Dave Cullinane, chief information security officer,<br />
eBay<br />
Mary Ann Davidson, chief security officer,<br />
Oracle<br />
Dennis Devlin, chief information security officer,<br />
Brandeis University<br />
Gerhard Eschelbeck, chief technology officer and<br />
senior vice president, engineering, Webroot Software<br />
Gene Fredriksen, senior director, corporate information<br />
security officer, Tyco International<br />
Maurice Hampton, information security & privacy<br />
services leader, Clark Schaefer Consulting<br />
Paul Kurtz, partner and chief operating officer, Good<br />
Harbor Consulting<br />
EDITORIAL<br />
EDITOR-IN-CHIEF Illena Armstrong<br />
illena.armstrong@haymarketmedia.com<br />
DEPUTY EDITOR Dan Kaplan<br />
dan.kaplan@haymarketmedia.com<br />
MANAGING EDITOR Greg Masters<br />
greg.masters@haymarketmedia.com<br />
REPORTER Angela Moscaritolo<br />
angela.moscaritolo@haymarketmedia.com<br />
TECHNOLOGY EDITOR Peter Stephenson<br />
peter.stephenson@haymarketmedia.com<br />
SC LAB MANAGER Mike Stephenson<br />
mike.stephenson@haymarketmedia.com<br />
DIRECTOR OF SC LAB OPERATIONS John Aitken<br />
john.aitken@haymarketmedia.com<br />
SC LAB EDITORIAL ASSISTANT Judy Traub<br />
judy.traub@haymarketmedia.com<br />
PROGRAM DIRECTOR, SC WORLD CONGRESS<br />
Eric Green eric.green@haymarketmedia.com<br />
CONTRIBUTORS<br />
Beth Schultz, Stephen Lawton<br />
DESIGN AND PRODUCTION<br />
ART DIRECTOR Brian Jackson<br />
brian.jackson@haymarketmedia.com<br />
VP OF PRODUCTION & MANUFACTURING<br />
Louise Morrin louise.morrin@haymarketmedia.com<br />
SENIOR PRODUCTION/DIGITAL CONTROLLER<br />
Krassi Varbanov<br />
krassi.varbanov@haymarketmedia.com<br />
SC EVENTS<br />
EVENTS MANAGER Natasha Mulla<br />
natasha.mulla@haymarketmedia.com<br />
EVENTS COORDINATOR Anthony Curry<br />
anthony.curry@haymarketmedia.com<br />
WHO’S WHO AT SC MAGAZINE<br />
Kris Lovejoy, director of Tivoli strategy, IBM<br />
Tim Mather, chief security strategist,<br />
RSA Conference<br />
Stephen Northcutt, president,<br />
SANS Technology Institute<br />
Marc Rogers, associate professor and research<br />
scientist, The Center for Education and Research in Information<br />
Assurance and Security, Purdue University<br />
Randy Sanovic, former general director,<br />
information security, General Motors<br />
* Howard Schmidt, cybersecurity coordinator, U.S.<br />
White House; president and chief executive officer,<br />
Information Security Forum<br />
Justin Somaini, chief information security officer, Symantec;<br />
former director of information security, VeriSign<br />
Craig Spiezle, chairman, Online Trust<br />
Alliance; former director, online safety<br />
technologies, Microsoft<br />
Hord Tipton, executive director, (ISC) 2 ;<br />
former CIO, U.S. Department of the Interior<br />
Amit Yoran, chief executive officer, NetWitness; former<br />
director, Department of Homeland Security’s National<br />
Cyber Security Division<br />
* emeritus<br />
U.S. SALES<br />
EASTERN REGION SALES MANAGER Mike Shemesh<br />
(646) 638-6016 mike.shemesh@haymarketmedia.com<br />
WESTERN REGION SALES MANAGER<br />
Matthew Allington (415) 346-6460<br />
matthew.allington@haymarketmedia.com<br />
SENIOR SALES EXECUTIVE<br />
Brittany Thompson (646) 638-6152<br />
brittany.thompson@haymarketmedia.com<br />
NATIONAL ACCOUNT MANAGER - EVENT SALES<br />
Mike Alessie (646) 638-6002<br />
mike.alessie@haymarketmedia.com<br />
SALES/EDITORIAL ASSISTANT Brittaney Kiefer<br />
(646) 638-6104 brittaney.kiefer@haymarketmedia.com<br />
UK ADVERTISEMENT DIRECTOR<br />
Mark Gordon 44 208 267 4672<br />
mark.gordon@haymarketmedia.com<br />
LICENSE & REPRINTS SALES EXECUTIVE<br />
Kathleen Merot (646) 638-6101<br />
kathleen.merot@haymarketmedia.com<br />
EMAIL LIST RENTAL<br />
EMAIL SENIOR ACCOUNT MANAGER<br />
Frank Cipolla, Edith Roman Associates<br />
(845) 731-3832 frank.cipolla@epostdirect.com<br />
CIRCULATION<br />
GROUP CIRCULATION MANAGER<br />
Sherry Oommen (646) 638-6003<br />
sherry.oommen@haymarketmedia.com<br />
SUBSCRIPTION INQUIRIES<br />
CUSTOMER SERVICE: (800) 558-1703<br />
EMAIL: Haymarket@cambeywest.com<br />
WEB: www.scmagazineus.com/subscribe<br />
MANAGEMENT<br />
CHAIRMAN William Pecover<br />
PRESIDENT Lisa Kirk<br />
DEPUTY MANAGING DIRECTOR Tony Keefe<br />
Editorial<br />
Welcome to a special “Spotlight” edition<br />
In this first SC Magazine “Spotlight” issue,<br />
along with the scores of others to follow, we<br />
go well beyond the varied but deep topical<br />
dives our monthly editions offer by focusing<br />
in on an individual industry subject crying out<br />
for a more in-depth analysis. With everything<br />
that happens in our marketplace, we thought<br />
it’d be helpful to slow down for a moment to<br />
thoroughly examine the more confounding<br />
issues with which we’re all struggling.<br />
In these special editions, we intend to focus<br />
on the most timely challenges hitting this<br />
space, exploring both the tribulations arising<br />
from them and the ways leading information<br />
security professionals are addressing them<br />
successfully. By zeroing in on a particular<br />
problem – along with some of the strategies<br />
that can be used to fix it – these special editions<br />
will provide you with laser-sharp views<br />
on all the ways your critical corporate information<br />
and systems can stay safe even in the face<br />
of new and aggressive threats.<br />
One of these threats that is proving particularly<br />
exasperating to many a CISO is the<br />
way increasing numbers of cybercriminals<br />
are finding entré into many organizations’ IT<br />
infrastructures by enlisting well-known social<br />
networking sites. That is the very reason why<br />
we decided to make the information security<br />
and privacy woes arising from social networking<br />
the main topic of our first special edition.<br />
It seems many SC Magazine readers, according<br />
to a recent survey we conducted (see pg.<br />
29), block end-user access to Web 2.0 sites,<br />
like Twitter, Facebook or YouTube. But, such<br />
a strict security measure is bound to fall out<br />
of favor. Too many enterprises s now rely on<br />
the viral public relations power that social<br />
networking sites offer. On the flipside,<br />
though, it is that very ease and speed<br />
by which information is accessed sed that<br />
appeals to online criminals looking oking for<br />
creative ways to steal personally fiable information and make money.<br />
To block all staff from accessing cessing<br />
identi-<br />
these sites is an action that, while<br />
perhaps acceptable to some, is downright<br />
Orwellian to others. Executive<br />
leaders must seek a happy medium<br />
that allows users to visit these<br />
sites under a holistic and centrally<br />
managed risk management<br />
plan that keeps critical<br />
corporate assets safe. Failing<br />
to create and maintain such<br />
a strategy will only see<br />
rogue users fi nding ways<br />
around blocks, which will<br />
enable the bad guys to still<br />
accomplish their goals.<br />
Enjoy this special “Spotlight”<br />
issue, let us know what you think<br />
and tell us what other subjects s<br />
you’d like to see us focus on in<br />
future specials.<br />
Illena Armstrong is editor-in-chief<br />
of SC Magazine.<br />
of respondents said they believe<br />
emergency responders should<br />
monitor social media sites to<br />
dispatch help in the event of an 69%emergency. – American Red Cross<br />
4 SC SPOTLIGHT • November 2010 • www.scmagazineus.com
DataBank<br />
SocialGauge<br />
The number of Facebook users in the United<br />
States grew 3.43 percent last month.<br />
Primary concern about Web 2.0<br />
<br />
Confidential information disclosed<br />
<br />
<br />
Fortune Global 100 companies<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The proliferation of corporate engagement in social media. Data was collected between<br />
November 2009 and January 2010 among the top 100 companies of Fortune’s Global 500.<br />
Source: Burson-Marsteller, The Global Social Media Check-up<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
More than $1.1 billion was lost by organizations surveyed due to security<br />
incidents caused by Web 2.0 technologies.<br />
Source: McAfee, Web 2.0: A Complex Balancing Act<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Social network users aren’t preoccupied with the real identity of the people<br />
they meet online or about the details they share while chatting with strangers.<br />
After two hours of conversation, respondents revealed the above data<br />
about their company.<br />
Source: BitDefender, Social Networking and the Illusion of Anonimity<br />
Which tools are used within your company<br />
<br />
Click-through rates<br />
<br />
<br />
Facts about<br />
Facts about<br />
<br />
<br />
<br />
<br />
<br />
<br />
500,000,000 active users<br />
50% of active users logon in any given day<br />
75% of members use third-party apps.<br />
300,000+ new users every day.<br />
Source: Panda Security,<br />
Social Media Risk Index for<br />
Small to Medium Sized<br />
Businesses<br />
Countries on Facebook<br />
<br />
<br />
<br />
<br />
<br />
<br />
Internet sharing trends have migrated in big numbers toward social<br />
networking, according to a recent report by marketing firm SocialTwist, but<br />
other platforms still have a strong presence for word-of-mouth advertising.<br />
The firm analyzed a million-plus referral messages sent out using its widget<br />
Tell-a-Friend, which allows users to share sites through social media.<br />
Source: SocialTwist via Fast Company<br />
150,000,000 people engage with Facebook on<br />
external websites every month<br />
30,000,000,000 pieces of content (web links,<br />
news stories, blog posts, notes, photo albums,<br />
etc.) shared each month.<br />
200,000,000 active users currently accessing<br />
Facebook through their mobile devices.<br />
Source: Facebook<br />
110,000,000 users of Twitter’s services.<br />
180,000,000 unique visits each month.<br />
600,000,000+ searches every day.<br />
Source: Twitter/Chirp Conference via Danny Brown<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
In the past month, global growth of Facebook users has continued to rise. Among the top five countries with<br />
the most users, growth increased 3.43 percent in the United States, 10.75 percent in Indonesia, 3.99 percent<br />
in the U.K., 2.68 percent in Turkey, and 4.45 percent in France. Source: Facebakers.com<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
6 SC SPOTLIGHT • November 2010 • www.scmagazineus.com<br />
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 7
News Update<br />
Social networking: Enterprise<br />
IT security’s nemesis<br />
Enterprise IT security professionals who fear social networking<br />
as their nemesis – and research shows that many do – aren’t<br />
merely suffering from bad cases of paranoia.<br />
Social media applications, such as Facebook, Twitter and You-<br />
Tube, known collectively as Web 2.0, present a real and growing<br />
security problem, and a costly one at that. On average, organizations<br />
hit by Web 2.0-related security incidents last year suffered<br />
losses of nearly $2 million, a recent global survey on usage, risks<br />
and best practices revealed.<br />
The survey, undertaken as part of a study commissioned by<br />
McAfee and spearheaded by researchers at Purdue University’s<br />
Center for Education and Research in Information<br />
Assurance and Security, also showed that a company’s size<br />
and location make for notable differences. The survey, which<br />
queried more than 1,000 decision-makers at organizations in<br />
17 countries, showed losses at large organizations averaging<br />
$4.5 million.<br />
In all, the six out of 10 surveyed organizations indicating that<br />
they’d been hit by a Web 2.0 security event tallied $1.1 billion in<br />
losses due to those incidents.<br />
The risks associated with Web 2.0 are giving some enterprises<br />
pause, the survey shows, but don’t seem to be bringing many to<br />
a dead stop. Only 13 percent of organizations worldwide block<br />
all social media access, while 33 percent allow restricted use.<br />
Another 25 percent actively monitor social media use.<br />
What these numbers show, says Tim Roddy, senior director<br />
of product marketing at McAfee, is that enterprise IT security<br />
professionals know they have to allow access to social media<br />
because the business is demanding it. “They know this is no<br />
longer about saying ‘yes’ or ‘no,’” he says. It is about saying ‘yes’<br />
with confidence.”<br />
Kevin Haley, director of Symantec Security Response, agrees.<br />
“Social networking is an inherent part of today’s internet, and<br />
any business that hasn’t been paying attention would probably<br />
THE QUOTE<br />
find that<br />
the vast majority of<br />
their employees use social networking,”<br />
he says. “This is not a future problem. It is one<br />
that companies need to deal with today.”<br />
That cybercriminals are flocking to Web 2.0 should come as<br />
no surprise, experts say. They tend to go where the people are,<br />
and that is certainly the case with social media.<br />
Social networking provides a real boon for cybercriminals<br />
because participants tend to let their guards down within those<br />
communities. As Haley says, “Cybercriminals don’t need incredibly<br />
complex or genius hacker software. You can come up with a<br />
pretty simple social engineering trick and get everybody to click<br />
on a link and infect themselves.”<br />
Phishers, too, are ramping up their focus on social media<br />
sites, says James Brooks, director of product management at<br />
security vendor Cyveillance, which sweeps the internet – including<br />
websites, blogs, message boards, IRC/chat channels, spam<br />
emails, tiny URLs and more – in producing its twice-yearly<br />
cyber intelligence reports. In its newly released report, reflecting<br />
data gathered for the first half of 2010, Cyveillance found slightly<br />
more than 126,000 phishing attacks, for an average of more than<br />
21,000 unique attacks per month.<br />
“As we look through those phishing attacks, more and more<br />
we’re seeing the names Facebook and Twitter pop up,” Brooks<br />
says. “This isn’t just about banks and credit unions anymore.<br />
Social networking is a goldmine for fraudsters.”<br />
This is not a future problem. It is one that<br />
companies need to deal with today.”<br />
—Kevin Haley, director of Symantec Security Response<br />
Behavior<br />
modification<br />
If enterprise IT security<br />
professionals are to fend<br />
off social media wolves<br />
successfully, they’re going<br />
to have to do more than<br />
tighten up their traditional<br />
defenses.<br />
“In the corporate sector,<br />
the biggest risk is not<br />
social media,” says Andrew<br />
Walls, a security research<br />
director at Gartner. “It is that<br />
social networking has shined a<br />
bright, white light on the limits<br />
of our current security programs.<br />
You can put choke points on your<br />
infrastructure and filter what people do<br />
while they’re at work all you want, but that’s not actually going to<br />
control what employees do out there on social networking sites.”<br />
The crux of the problem is that in focusing on infrastructure,<br />
enterprise IT security stopped prioritizing on human<br />
behavior, Walls says. Making sure anti-virus software is up<br />
to date and installing some data leakage prevention software<br />
aren’t going to be enough when dealing with social media<br />
threats. “The need for those doesn’t go away, but if we keep<br />
focusing on infrastructure, infrastructure, infrastructure all<br />
the time, we’ll miss the fact that our internal clients are walking<br />
right around our infrastructure and doing whatever they<br />
like out there,” Walls says.<br />
Now enterprises are essentially playing catch-up. “They’re<br />
developing security-awareness programs and using mass media<br />
marketing that focuses on security risks and so forth, trying<br />
to rebuild the corporate ethical standard regarding behavior,”<br />
Walls says. Enterprises need to study what employees are doing<br />
in advance of them doing something wrong, he adds. They need<br />
to provide stimulation that encourages appropriate behaviors<br />
and discourages damaging ones. When that happens, Walls says,<br />
“employees will be better equipped to make decisions.”<br />
Thinking about social media<br />
and information governance<br />
Enterprise IT and legal have long butted heads over data<br />
discovery and information disposal practices, with tensions<br />
promising to mount as social media use introduces fuzziness<br />
into the picture.<br />
“Social networking is one of the most under-regulated<br />
new marketing areas with industry, with companies being<br />
very slow to develop enterprise-wide policies governing their<br />
own use of social networking sites and being even slower to<br />
govern employee use of personal social networking sites,”<br />
says Tom Lahiff, an attorney and consultant on document<br />
management and e-discovery practice. “And, a lot of people<br />
don’t realize they have to have policies for both.”<br />
Even though enterprises don’t have control over social<br />
networking sites and don’t currently have to produce information<br />
from them for e-discovery purposes, they need to<br />
be cognizant of their use, says Lahiff, a former counsel at<br />
Citigroup and among the first members of the Compliance,<br />
Governance and Oversight Council (CGOC), a community<br />
of experts in information governance.<br />
Employees who post corporate information in social media<br />
contexts, including blogs, can be served with subpoenas, he<br />
explains. This applies to site providers, as well.<br />
This doesn’t bode well for companies struggling to come<br />
to terms with regulations, state and federal, pertaining to<br />
information governance. In a newly published benchmark<br />
study, the CGOC released survey results showing that while<br />
98 percent of respondents believe defensible disposal is a key<br />
result of an information governance program, only 22 percent<br />
of companies were able to dispose of data today. What is<br />
more, more than 70 percent of survey respondents – an equal<br />
number of legal, records management and IT professionals<br />
at Global 1000 companies – claimed that their retention<br />
schedules were not actionable by IT or could be used only for<br />
disposal of physical records.<br />
On a positive note, half of the companies surveyed do have<br />
executive committees in place. However, they appear to be<br />
struggling with fi nding the correct stakeholder mix. Seventy<br />
percent of respondents report using “people glue” to connect<br />
legal duties and business value to information assets, while a<br />
whopping 85 percent identified more consistent collaboration<br />
and systematic linkage between the three disciplines – legal,<br />
records management and IT – as the most critical success<br />
factor.<br />
As enterprises think about social media from a content<br />
perspective, assembling and enabling an effective information<br />
governance council is one of the most important things a<br />
company can do, Lahiff says.<br />
“That council should include lawyers, people in the business<br />
units, marketing groups and IT so that conversations<br />
about creating new websites and their content take place in<br />
advance,” he says. “As these discussions take place, legal,<br />
records management and information governance professionals<br />
can start thinking about how to preserve that information<br />
internally and produce it in the event of litigation.”<br />
– Beth Schultz<br />
8 SC SPOTLIGHT • November 2010 • www.scmagazineus.com<br />
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 9
<strong>SOCIAL</strong>LY INCLINED<br />
Many organizations have accepted social networking as part of doing<br />
business, but technology and governance can help. Dan Kaplan reports.<br />
Illustration by Charlie Griak<br />
For two days in July, one longstanding<br />
American brand rewrote the rules of<br />
public relations and marketing.<br />
On an otherwise idle week of television<br />
programming headlined by a record,<br />
low-rated Major League Baseball All-Star<br />
game, reruns of Glee and second-rate<br />
reality shows, like Wipeout, Old Spice<br />
simultaneously was running a groundbreaking<br />
online advertising campaign<br />
that leveraged three of the most popular<br />
social networking channels to deliver<br />
scores of laugh-out-loud, 30-second commercials<br />
to viewers.<br />
Parent company Procter & Gamble<br />
and ad agency Wieden+Kennedy<br />
teamed up to create more than 150 You-<br />
Tube videos promoting Old Spice Red<br />
Zone Body Wash. What made the viral<br />
blitz so unique was that the spots were<br />
produced in virtually real time, featuring<br />
towel-clad, uber-male pitchman<br />
Isaiah Mustafa humorously responding<br />
to viewer questions and comments sent<br />
via the brand’s Facebook and Twitter<br />
accounts. In one clip, Mustafa, a former<br />
NFL wide receiver, facilitates a marriage<br />
proposal. In another, he responds<br />
to a tweet he sent himself.<br />
Many experts now view the hybrid<br />
campaign as a marketing feat for<br />
the ages – the ads generated 35 million<br />
video views in seven days. And,<br />
while most American businesses will<br />
be hard-pressed to create an idea as<br />
innovative, popular and widely lauded<br />
as Old Spice’s, most now accept that<br />
social media is a viable, cost-effective<br />
alternative for connecting with customers,<br />
enhancing the brand and potentially<br />
generating new streams of revenue.<br />
“If you’re not on Facebook, you<br />
don’t really exist,” says Graham Cluley,<br />
senior technology consultant at antivirus<br />
firm Sophos.<br />
He is only half kidding. “Your company<br />
is probably looking for customers, and<br />
they want to be close to their customers,<br />
and customers are choosing to communicate<br />
with their companies via sites like<br />
Facebook and Twitter,” Cluley says.<br />
But Cluley, who specializes in<br />
researching social media and security,<br />
will be the first to warn that before<br />
racing headstrong into the social media<br />
frontier, one must realize that Web 2.0 is<br />
still very much an untamed Wild West.<br />
Aside from the fact that some social<br />
media marketing efforts may simply<br />
misfire because the stage is still so new, it<br />
also comes fraught with danger.<br />
A June Cisco study found that more<br />
than half of respondents (51 percent)<br />
listed “social networking” as one of<br />
the top three biggest security risks to<br />
their organization, while one in five<br />
(19 percent) considered it the highest<br />
risk. A recent McAfee survey of more<br />
13%<br />
than 1,000 global decision-makers in<br />
17 countries concluded that half of<br />
businesses were concerned about the<br />
security of Web 2.0 applications. An<br />
astounding 60 percent already suffered<br />
losses averaging about $2 million.<br />
Another six out of 10 were concerned<br />
about a loss of reputation as a result of<br />
Web 2.0 misuse.<br />
The downside of social media<br />
So, for as much success as a website<br />
such as Facebook or Twitter can lend<br />
a company, it also can lead to damage.<br />
As an example, in August, a hacker was<br />
able to compromise the Twitter account<br />
belonging to rock band Guns N’ Roses<br />
frontman Axl Rose to erroneously tweet<br />
that the group had canceled his upcoming<br />
U.K. tour.<br />
Sometimes, the pranks are more malicious<br />
than mischievous. Security firm<br />
<strong>Websense</strong> has noted a number of times<br />
that popular Facebook pages have been<br />
overtaken by cybercrooks to distribute<br />
malware. There also have been instances<br />
in which Twitter accounts were hijacked<br />
to spread insidious exploits. The notorious,<br />
trojan-dropping Koobface worm tore<br />
through Facebook and Twitter in 2009<br />
and 2010. It was still surfacing as recently<br />
of internet traffic goes to Facebook<br />
— <strong>Websense</strong><br />
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 11
Business concerns<br />
BAD GUYS:<br />
Exploiting Web 2.0<br />
Few doubt the revolutionary power of social<br />
networking for companies and individuals<br />
alike. Of course, less often mentioned when<br />
bestowing accolades upon the Facebooks,<br />
Twitters and LinkedIns of the world are the<br />
benefits they provide to cybercriminals. Here<br />
are just a few examples.<br />
Data mining: Because social networking<br />
websites have attracted hundreds of millions<br />
of users, naturally they house vast amounts<br />
of valuable personal information. Trawling<br />
member profiles for this data or persuading<br />
users to download a rogue application can<br />
provide crooks with coveted content that they<br />
can use to launch targeted attacks or track<br />
people. Location-based site applications,<br />
such as Foursquare, offer a user’s near realtime<br />
whereabouts. Sites such as LinkedIn can<br />
become a spear phisher’s nirvana because<br />
it contains mounds of data about a potential<br />
as October when security vendor Intego<br />
found a variant written specifically to run<br />
on Mac OS X platforms.<br />
And because of the user-generated<br />
nature of social networking sites, it may<br />
not even be necessary to take control of<br />
an account to distribute malicious code.<br />
Facebook company pages rely on fans in<br />
order to grow a following, so a malicious<br />
“friend” of the organization could<br />
easily post a rogue link under the guise<br />
of something benign. Then, if legitimate<br />
friends fall for the ruse, their machines<br />
could become infected with malware,<br />
which could jeopardize the company’s<br />
reputation. That, of course, is not to<br />
mention the possibility of an employee<br />
from the company itself clicking on the<br />
link and introducing malware into the<br />
corporate network.<br />
According to Sophos’ Mid-Year 2010<br />
Security Threat Report, there was a 70<br />
percent rise in firms running into malware<br />
and spam on social networking sites<br />
in 2009. Panda Labs, in its own survey<br />
of 315 U.S. companies with 15 to 1,000<br />
employees, uncovered similar results.<br />
The anti-virus vendor found that onethird<br />
of respondents reported malware<br />
on their network due to employee use of<br />
social networks.<br />
Most observers agree that social<br />
networking sites are fertile ground for<br />
malware distribution because of vulnerable<br />
code, members’ tendencies to trust<br />
friends on these channels, and the ability<br />
for viruses to easily propagate.<br />
“It does remind me of email several<br />
years back,” says Joey Tyson, security<br />
engineer at Gemini Security Solutions<br />
and author of the Social Hacking<br />
blog, which studies social networking<br />
target’s job.<br />
To highlight the privacy and data exposure<br />
shortfalls of these sites, a pair of researchers<br />
at this year’s Black Hat conference demonstrated<br />
how they created the profile of a fictional<br />
woman – Robin Sage – who claimed to<br />
work in military intelligence. She gained 300<br />
legitimate connections in 28 days across<br />
Facebook, Twitter and LinkedIn, including<br />
officials in the Pentagon, Department of<br />
Defense and National Security Agency.<br />
Meanwhile, Minaxi Gupta, an associate<br />
professor of computer science at Indiana<br />
University, is researching a potential positive<br />
of data mining: using tools to locate<br />
and document conversations people are<br />
having on Twitter about malware they have<br />
encountered. “The goal would be to make<br />
blacklists more real time than they are<br />
today,” Gupta says.<br />
Phishing/spam: There is a noticeable<br />
increase in the number of phishing ploys<br />
attempting to capitalize on the popularity<br />
security and privacy. “People are still<br />
adjusting to Facebook and Twitter<br />
becoming such an integral part of their<br />
social life and online interactions. I<br />
think you can draw a lot of parallels<br />
between how sites are exploited now<br />
and how email was back then.”<br />
For example, in September, a mas-<br />
of social networking sites. While financial<br />
and payment services brands still dominate<br />
as the most preferred target, ruses against<br />
social media sites are on the rise, according<br />
to the Anti-Phishing Working Group.<br />
Attackers can use socially engineered<br />
messages claiming to come from a reputable<br />
social media site to either siphon<br />
credentials – which allows them to hijack<br />
user accounts to send spam – or trick users<br />
into clicking on links that contain malware.<br />
Thieves also can use stolen social networking<br />
credentials to unlock other confidential<br />
accounts, such as online banks, because<br />
people tend to use the same password<br />
across websites.<br />
Cyber vandals also can capitalize on topics<br />
that are trending on Twitter. They simply<br />
include the trending words in their tweets<br />
that also include links to spam or other<br />
malicious sites.<br />
Botnet control: Why create and maintain<br />
one’s own command-and-control hub<br />
when an application such as Twitter already<br />
may provide the infrastructure<br />
In 2009, researchers discovered a Twitter<br />
account that was being used to issue<br />
instructions to infected computers that<br />
were part of a botnet. Tweets coming from<br />
the malicious account, called “upd4t3,”<br />
were encoded and looked like a random<br />
combination of letters and numbers.<br />
The process is becoming increasingly<br />
professionalized. In May, researchers<br />
detected a trojan-builder tool that allows<br />
a person to specify a particular Twitter<br />
account from which to send botnet commands.<br />
Security experts say botmasters may<br />
prefer using sites like Twitter instead of a<br />
traditional command center because they<br />
do not necessitate installation, configuration<br />
and management. Also, this tactic<br />
enables bot controllers to use mobile applications<br />
to deliver instructions to a network<br />
of compromised computers. – Dan Kaplan<br />
sive worm broke out on Twitter. The<br />
far-ranging cross-site scripting attack,<br />
which reportedly originated as a harmless,<br />
proof-of-concept attack by an<br />
Australian teenager, was estimated to<br />
affect more than 500,000 users of the<br />
microblogging site. Despite the threat of<br />
malware, though, most security professionals<br />
interviewed seem most concerned<br />
about social media enabling the exposure<br />
of sensitive data.<br />
Christopher Burgess, senior security<br />
adviser at Cisco, recalls a health insurance<br />
company that ran into some trouble<br />
when its employees began exchanging<br />
conversation on the web.<br />
“They found themselves engaging<br />
with each other on Facebook,” Burgess<br />
says. “And, as you know, Facebook<br />
wasn’t designed for HIPAA. Here were<br />
people trying to get their job done in<br />
the most efficient manner possible<br />
inadvertently putting their company at<br />
risk. They weren’t trying to be malicious.<br />
They were just trying to provide a better<br />
level of service.”<br />
But security observers agree that<br />
gone are the days when organizations<br />
realistically can block social media access<br />
without it dampening employee morale<br />
and costing the brand an opportunity to<br />
reach customers.<br />
Panda’s study found that only 21 percent<br />
of respondents do not allow personal<br />
use of social media during work hours,<br />
and a quarter of them block social media<br />
sites altogether. Privacy violations resulting<br />
in exposure of sensitive data rates as<br />
the top concern around social media, followed<br />
by employee productivity declines,<br />
malware infection, reputation damage<br />
and network performance issues.<br />
While those concerns certainly are<br />
valid, Burgess warns IT departments to<br />
take note. Those that choose to adopt a<br />
restrictive policy around social media<br />
may find themselves quickly losing<br />
control. Chances are, today’s generation<br />
of workers won’t stand for it.<br />
“If you’re not aware of the need, you’ll<br />
<strong>SOCIAL</strong> <strong>MEDIA</strong> TIMELINE<br />
continued<br />
on page 14<br />
2003<br />
2004<br />
2005 2006 2007 2008<br />
March<br />
Jonathan Abrams<br />
(above) launches<br />
Friendster.<br />
May<br />
LinkedIn<br />
launches.<br />
August<br />
MySpace<br />
launches.<br />
February<br />
Facebook launches<br />
from Harvard<br />
undergrad Mark<br />
Zuckerberg’s<br />
(above) dorm room.<br />
October<br />
19-year-old hacker<br />
Samy Kamkar exploits<br />
a flaw in MySpace’s<br />
site design to launch<br />
a worm that nets him<br />
one million “friends”<br />
within several hours.<br />
December<br />
Malicious QuickTime<br />
videos on MySpace<br />
profiles lead to users<br />
getting phished of<br />
their login credentials.<br />
March 21<br />
Twitter co-founder<br />
Jack Dorsey (above)<br />
sends the first-ever<br />
tweet: “Just setting<br />
up my twttr.”<br />
March<br />
MySpace sues<br />
Sanford Wallace<br />
for spearheading a<br />
phishing scheme,<br />
later winning a $223<br />
million judgment<br />
against him.<br />
April<br />
Two hackers launch<br />
the “Month of<br />
MySpace Bugs”<br />
project, revealing a<br />
vulnerability a day<br />
for 30 days.<br />
July<br />
LinkedIn fixes a<br />
zero-day flaw in its<br />
Internet Explorer<br />
toolbar that could<br />
have permitted remote<br />
code execution.<br />
January<br />
Former New York<br />
Attorney General Andrew<br />
Cuomo (above)<br />
joins 48 other AGs to<br />
issue guidelines for<br />
online safety at social<br />
networking sites.<br />
April<br />
For the first time,<br />
Facebook passes<br />
MySpace in number<br />
of unique visitors.<br />
June<br />
Canadian legal<br />
professionals sue<br />
Facebook over 22<br />
alleged privacy<br />
violations.<br />
12 SC SPOTLIGHT • November 2010 • www.scmagazineus.com<br />
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 13
Business concerns<br />
find your employees have migrated and<br />
left you behind,” Burgess says.<br />
Cisco prides itself on enabling<br />
employees to leverage their subject<br />
matter expertise to communicate across<br />
the web. To control such conduct,<br />
the networking giant has published a<br />
16-page handbook outlining guidelines<br />
for social media use. The document<br />
describes a policy for Cisco employees<br />
to follow when using the social web to<br />
effectively engage stakeholders about<br />
the company. For example, workers<br />
are expected to identify themselves as<br />
Cisco employees, protect the company’s<br />
reputation, avoid posting confidential<br />
or copyrighted data, and steer clear of<br />
online disputes.<br />
Employees, meanwhile, also are<br />
permitted to use social networking sites<br />
for personal reasons – but are expected<br />
to follow general security principles.<br />
Personal use ranks as the most common<br />
reason employees use social media<br />
tools, according to the Panda study<br />
(research and competitive intelligence<br />
rates are the next most popular justifications,<br />
followed by customer service,<br />
public relations, marketing and sales,<br />
and revenue creation).<br />
“Cisco does not block employees’<br />
access to networking sites as the company<br />
believes in empowering its workforce<br />
and instills trust in employees to work<br />
75%<br />
responsibly and adhere to the Cisco Code<br />
of Business Conduct,” the guidelines<br />
read. Such a blueprint is becoming more<br />
common across industry. But that doesn’t<br />
mean security professionals are sleeping<br />
soundly at night.<br />
“Fundamentally, what keeps security<br />
personnel up late and worried about this<br />
social web are two things – the fact that<br />
they lack controls for it, combined with<br />
its widespread adoption,” says David<br />
Meizlik, director of product marketing<br />
and communications at <strong>Websense</strong>.<br />
“Folks just can’t say ‘no’ to it. They can’t<br />
just block it at the corporate border.”<br />
Implementing the controls<br />
So what is a security practitioner to do if<br />
they can’t simply add Web 2.0 sites and<br />
applications to the corporate blacklist<br />
Deply technology, for one. In recent<br />
months, a slew of vendors has released<br />
offerings that cater to the IT department<br />
specifically wanting control over and visibility<br />
into the social media sphere.<br />
Palo Alto Networks of Sunnyvale,<br />
Calif., recently announced that its<br />
next-generation firewalls now offer<br />
of organizations worldwide use<br />
Web 2.0 for business functions.<br />
— McAfee<br />
functionality allowing administrators<br />
to set “read-only” policies on Facebook.<br />
In other words, employees would only<br />
be able to browse the popular site – not<br />
add any content or follow any links.<br />
Such a capability theoretically protects<br />
against the possibility, say, of a worker<br />
falling for a clickjacking attack that<br />
brings the network to its knees or disclosing<br />
information about an impending<br />
acquisition.<br />
Other vendors are building Facebook<br />
applications. Romania-based BitDefender<br />
last month launched the beta version<br />
of safego, a Facebook app that uses scanning<br />
technology to search for malicious<br />
links and compromised content that may<br />
be present on users’ profiles. In addition,<br />
the program alerts users if their privacy<br />
settings aren’t strong enough.<br />
A social case study<br />
Don’t let the fact that Addison Avenue<br />
Federal Credit Union is headquartered<br />
in Silicon Valley fool you. The<br />
200,000-member fi nancial institution<br />
has long been averse to embracing Web<br />
2.0 technologies.<br />
Timeline photos (left to right) AP Photo/Paul Sakuma; Facebook; Twitter; Dima Gavrysh/Bloomberg via Getty<br />
Images; Ron Sachs-Pool/Getty Images; ChinaFotoPress/Getty Images; Theo Wargo/WireImage<br />
YouTube is restricted for personal use<br />
because of productivity concerns and<br />
only roughly a quarter of the 400-person<br />
staff is permitted to access Facebook, says<br />
Phil Romero, senior security architect.<br />
“As a financial institution, we’ve got<br />
a lot of regulatory issues to address,” he<br />
says. “We have to make sure we don’t lose<br />
data and that our systems are secure.”<br />
But the tune is gradually changing.<br />
Romero says the e-commerce and<br />
marketing departments have pushed the<br />
firm to adopt social media as a vehicle to<br />
communicate with clients.<br />
Addison Avenue now counts more than<br />
1,000 friends on its Facebook page, which<br />
it heavily leans on to service customer<br />
complaints and keep them abreast of the<br />
latest happenings at Addison Avenue and<br />
in the financial space in general.<br />
The company, though, may consider<br />
even further relaxing some of its limits<br />
thanks to the maturity of the security<br />
solutions marketplace. The company uses<br />
web security gateway and data leakage<br />
prevention technology from San Diegobased<br />
<strong>Websense</strong> to analyze (and potentially<br />
block) web content in real time<br />
and monitor for sensitive data exposure.<br />
Specific to Facebook, Addison also uses<br />
a plug-in known as Defensio, which it<br />
applies to its Facebook page to ensure<br />
members don’t interact with any malicious<br />
content.<br />
“It negatively impacts us if someone<br />
gets infected through our Facebook<br />
page,” Romero says.<br />
Experts also preach the basics: Ensure<br />
endpoints are running an anti-virus solution<br />
and keep systems and programs fully<br />
patched.<br />
Technology is just one part of the equation,<br />
though. Analysts agree that a sound<br />
social networking governance framework,<br />
which includes policy, education<br />
and enforcement, is critical to protecting<br />
assets and reputation.<br />
For their part, social networking<br />
sites are working harder than ever at<br />
protecting users from spam, malware,<br />
privacy leaks, account hijacks and other<br />
cyberthreats. Many experts, though,<br />
believe these companies can – and should<br />
– be doing more.<br />
In fact, just this month, many in<br />
the security industry called on social<br />
networking sites to implement HTTPS,<br />
a browsing protocol that ensures an<br />
encrypted connection for users. The<br />
clamoring came after a researcher<br />
released a free Firefox web browser<br />
plug-in, known as Firesheep, that lets<br />
anyone scan open Wi-Fi networks and<br />
hijack accounts belonging to sites such as<br />
Facebook.<br />
Most financial services firms have<br />
invoked secure browsing, but the social<br />
media world has not – likely due to costs<br />
– despite the fact that it is home to bundles<br />
of confidential information. (For<br />
its part, Facebook is testing SSL access<br />
across its site and hopes to provide it as<br />
an option in the coming months.)<br />
Here to stay<br />
Social networking has become a greater<br />
phenomenon than anyone ever could<br />
have imagined. And with each passing<br />
year, its use only will grow greater. Soon,<br />
companies hiring recent college graduates<br />
will find that very few of them have<br />
ever known a day without being able to<br />
send a tweet, tag a photo or watch a viral<br />
video of a chiseled man stumping for<br />
body wash.<br />
The Cisco study found that nearly<br />
three out of four survey respondents<br />
believe that overly strict security policies<br />
would have a “moderate” or “significant”<br />
negative impact on hiring and retaining<br />
employees under age 30. At chipmaker<br />
Intel, where the 80,000-employee<br />
company has developed its own internal<br />
social computing platform to satiate staff<br />
demands, employees wouldn’t respond<br />
well to web restrictions.<br />
“It [wouldn’t] fit our company<br />
culture,” says Laurie Buczek, a social<br />
media strategist at Intel. “The people<br />
we would likely attract to be Intel<br />
employees would likely be turned off if<br />
it was that kind of culture.” ■<br />
500,000,000<br />
2008 2009<br />
2010<br />
August<br />
Denial-ofservice<br />
attacks<br />
hit Twitter and<br />
Facebook<br />
October<br />
10,000 people are<br />
targeted in a spear<br />
phishing campaign<br />
claiming to come<br />
from LinkedIn.<br />
January<br />
The Twitter account<br />
of President Obama is<br />
hijacked by a French<br />
hacker who gained<br />
administrative access<br />
to the site.<br />
November<br />
The Twitter profile<br />
for Britney Spears<br />
is hacked to say the<br />
pop star worships<br />
the devil.<br />
Dec. 17<br />
A DNS records attack<br />
replaced Twitter’s<br />
welcoming screen with<br />
an image of a green flag<br />
and the caption “This<br />
site has been hacked by<br />
Iranian Cyber Army.”<br />
April<br />
The Koobface worm<br />
spreads through<br />
Facebook messages<br />
by claiming to offer<br />
hidden cameras showing<br />
erotic video.<br />
May<br />
Facebook updates<br />
its privacy settings<br />
to simplify the way<br />
users can control<br />
the data they<br />
share with others.<br />
June<br />
The Federal Trade<br />
Commission settles<br />
with Twitter over<br />
charges that the website<br />
failed to properly<br />
safeguard the privacy<br />
of its users.<br />
July<br />
Facebook has more<br />
than 500 million<br />
active users.<br />
September<br />
Twitter falls victim to<br />
a massive worm that<br />
enables attackers<br />
to insert pop-up ads<br />
and open unwanted<br />
websites on a user’s<br />
browser.<br />
October 1<br />
Major Hollywood film<br />
The Social Network<br />
(above), which recounts<br />
the origins of Facebook,<br />
earns critical acclaim<br />
and $22.5 million in its<br />
opening weekend.<br />
November<br />
A new survey shows<br />
users spent 4.6<br />
hours a week on<br />
social media sites,<br />
compared to 4.4<br />
hours on email.<br />
14 SC SPOTLIGHT • November 2010 • www.scmagazineus.com<br />
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 15
IT’S NEW<br />
PROBLEM<br />
Consumer devices and social media may be too pervasive to ban within<br />
the enterprise, but precautions can be taken, reports Stephen Lawton.<br />
Perhaps one of the most disruptive<br />
technologies facing IT security<br />
professionals today is social<br />
media. Sites such as Twitter, Facebook,<br />
LinkedIn and YouTube offer tremendous<br />
potential corporate value, but<br />
also present equally vast opportunities<br />
for technological and corporate harm.<br />
CISOs today are faced with the decision<br />
of incorporating social media and<br />
its inherent risks or locking it down and<br />
suffering the consequences.<br />
Social media has become essentially a<br />
generational divide between Baby Boomers<br />
who grew up with analog TV without<br />
remote controls versus the Gen X, Gen<br />
Y and Millennials who were raised<br />
with computer toys and devices as part<br />
of their daily routine. Many of today’s<br />
senior corporate and IT management are<br />
the boomers who became more technically<br />
inclined, while a large number of<br />
employees are 20- and 30-somethings<br />
who grew up with internet-enabled<br />
systems as part of their life.<br />
New consumer technologies, particularly<br />
those that connect to social media<br />
sites, are being introduced to enterprises<br />
by employees. In a research report<br />
by BoxTone and eMedia, Smartphone<br />
Management Survey: An Enterprise IT<br />
Operations Perspective, some 60 percent<br />
of more than 400 IT professionals<br />
questioned said that six out of 10 of<br />
their employees will have smartphones<br />
within the next two years, and 80 percent<br />
of those will be employee-owned.<br />
User-driven IT is having a significant<br />
impact on hardware being attached<br />
to corporate networks and is forcing a<br />
paradigm shift in how IT departments<br />
address non-corporate IT resources,<br />
according to a report published by the<br />
Security for Business Innovation Council<br />
(SBIC), a group made up of a dozen<br />
top information and security officers<br />
from technology, fi nancial services,<br />
consumer and the business sectors. The<br />
organization was convened by RSA, the<br />
security division of EMC.<br />
The report identifies eight specific<br />
areas where hardware owned<br />
by employees, such as smartphones,<br />
netbooks, tablet computers and the<br />
like, are changing the way IT departments<br />
should deal with data security<br />
and management. Denise Wood, CISO<br />
and corporate vice president of FedEx<br />
and a participant in the SBIC, is quoted<br />
in the report as saying: “These personal<br />
productivity and collaboration tools<br />
are just so easy to use and so powerful<br />
that everybody’s got to have one. We’re<br />
trying to understand: What happens<br />
when you want to leverage these powerful,<br />
consumer platforms for unbridled<br />
collaboration at work”<br />
IT professionals tend to agree that<br />
social media adds value to a company,<br />
says Rich Baich, principal in the security<br />
and privacy practice at Deloitte &<br />
Touche, but that it comes with a price.<br />
For the generation that grew up with<br />
this emerging technology, “social media<br />
is part of their life and a great way to<br />
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 17
Enterprise implementation<br />
communicate.” Because these users<br />
grew up with consumerized technology,<br />
it has become second-nature, as are the<br />
benefits and drawbacks intrinsic to it.<br />
The challenge for CISOs, he says, is<br />
to understand the risk associated with<br />
that value and determine how best to<br />
embrace it.<br />
“The reality is that there is a lot of<br />
risk with social media sites,” Baich says.<br />
“Oftentimes, people are not cautious of<br />
what they’re posting.” In order to make<br />
the employees more security-conscious,<br />
he says, organizations must get them<br />
personally involved with understanding<br />
the potential threats caused by careless<br />
use of these sites.<br />
In the heartland<br />
At a large, regional bank in America’s<br />
heartland, access to some social media<br />
sites is restricted. “We block access by<br />
employees from company networks to<br />
social networking sites that we consider<br />
to be primarily personal in nature,<br />
such as Facebook, MySpace and Twitter,”<br />
says Bradley Schaufenbuel, chief<br />
information security and privacy officer.<br />
“We permit access to social networking<br />
sites that we consider to be primarily<br />
professional in nature. LinkedIn, for<br />
example.”<br />
The company’s acceptable-use policy<br />
includes extensive guidelines on the<br />
proper use of social networking sites –<br />
whether accessed from the company’s<br />
network or elsewhere, he says. “This<br />
includes the use of disclaimers that<br />
opinions are those of the poster and not<br />
the company, no posting of company<br />
confidential information, requiring<br />
dignified and respectful behavior since<br />
employee actions may reflect on the<br />
company, no use of company trademark<br />
without permission and the like.”<br />
But Schaufenbuel’s bank does not<br />
allow any employee-owned device to<br />
connect to its network. “We adopted<br />
a mobile device policy,” he says. “This<br />
policy sets forth a standard mobile<br />
device platform that is officially supported<br />
by the organization. Employees<br />
can only obtain the ability to synchronize<br />
corporate email, calendar, etc., and<br />
access corporate resources via a mobile<br />
device if that device runs the standard<br />
platform.”<br />
The platform was chosen because<br />
of its support for enterprise security<br />
controls, such as centralized policy<br />
management, remote wipe and encryption,<br />
he says. To be set up for access<br />
to corporate information on a mobile<br />
device, an employee must sign a special<br />
Security has been elevated<br />
to a business issue rather<br />
than just a technical issue.”<br />
– Michael Meikle, CEO, Hawkthorne Group<br />
SURVEY SAYS:<br />
SC Magazine poll<br />
A new survey conducted by SC<br />
Magazine on social media use in the<br />
enterprise surveyed 273 of its readers<br />
with such titles as chief information<br />
security officer, chief technology officer<br />
and security administrator. The top<br />
concern of misuse of social networking<br />
sites is falling out of compliance with<br />
regulatory mandates.<br />
72% of those polled said their organizations<br />
are concerned about threats to<br />
their data from social networking sites;<br />
31% said their companies block<br />
access to all employees to these sites;<br />
64% allow access to specific employees<br />
and departments, such as marketing<br />
and public relations;<br />
While 77% of companies provide<br />
security awareness training and policies,<br />
only 51% have specific social networking<br />
governance policies in place.<br />
mobile device agreement. In this<br />
agreement, the employee acknowledges<br />
their responsibilities for safeguarding<br />
information, as well as reporting timely<br />
loss of the mobile device, not tampering<br />
with security controls, and other<br />
regulations.<br />
“Despite IT and security’s desire to<br />
accommodate employees’ information<br />
needs by providing them with secure<br />
access to corporate information on<br />
company-sanctioned mobile devices,<br />
senior-level executives continued to<br />
demand access to corporate information<br />
via non-standard mobile devices<br />
(specifically iPhones and iPads),” says<br />
Schaufenbuel. To accommodate these<br />
requests, he says an addendum was<br />
created for the acceptable-use policy.<br />
Access to corporate information on<br />
non-standard mobile devices is now<br />
granted for executives of a certain level<br />
if the executive agrees to permit the<br />
IT department to implement security<br />
software on the non-standard device,<br />
including encryption and remote wipe<br />
capabilities, and not to tamper with<br />
these controls.<br />
Bad connection<br />
The challenge IT departments face<br />
with user-owned devices are not only<br />
technological – Do the devices meet the<br />
corporate standards for data security<br />
and data leakage prevention – but also<br />
how are employees using these devices<br />
to connect to social networks. Security,<br />
CISOs agree, is as much a function<br />
of personal action as it is technology.<br />
Today security is measured not only on<br />
data leakage through malware, viruses<br />
and attacks, but also by employees who<br />
provide corporate confidential data or<br />
other information on social networking<br />
sites, often without even realizing what<br />
they did.<br />
Monitoring social networking<br />
sites has become a key management<br />
and public relations task, Baich says.<br />
Corporate reputations – what Baich<br />
calls a company’s “cyber beacon” – is<br />
affected significantly and quickly by<br />
social media. When a comment, good<br />
or bad, is posted online, it can circle<br />
the globe in seconds and lives on the<br />
internet forever. A negative comment or<br />
inappropriate posting could endanger a<br />
company’s standing.<br />
Companies have clearly understood,<br />
written policies and procedures in cases<br />
of fire or natural disaster, but few organizations,<br />
he says, have policies for or<br />
clear defi nitions of cyber disasters. “It<br />
comes down to governance,” he adds.<br />
“It’s how you mitigate risk.”<br />
In fact, Baich says, social networking<br />
management is far more wide-ranging<br />
than just a task for human resources<br />
or IT. Managing social networking<br />
policies should be shared by executives<br />
involved in privacy, security, IT, audit,<br />
compliance and governance. “Look at<br />
your cyber beacon,” he says. “It’s only<br />
as strong as its weakest link.”<br />
Set understandable policies<br />
Michael Meikle, CEO of the Hawkthorne<br />
Gourp, a Richmond, Va.-based<br />
management consulting firm, adds<br />
that since many younger workers are<br />
using social media sites extensively at<br />
home, it is unreasonable to think that<br />
they will change their habits at work.<br />
Rather, he recommends that companies<br />
set standards that the employees will<br />
understand and embrace.<br />
For example, Meikle says an acceptable-use<br />
policy should include such<br />
64%<br />
or<br />
rules as: Don’t give out personal information,<br />
comment only about issues that<br />
are within your work responsibilities<br />
and not other departments, and don’t<br />
lie in a post.<br />
Once information is posted online,<br />
he says, it is there forever, and both the<br />
company and the person who makes<br />
the post will be judged in the future on<br />
what they say today.<br />
Meanwhile, information used for<br />
social engineering can be gleaned easily<br />
from social media sites, he says. Many<br />
users post their travel plans, photos<br />
from trips, or seemingly innocuous<br />
comments about their employers. Such<br />
information makes the employees<br />
vulnerable to possible home break-in by<br />
crooks who monitor certain sites.<br />
In some cases, he says, fake technical<br />
support sites are created in hopes<br />
of learning about a company’s network<br />
configuration or problems an organization<br />
might be having with its technology.<br />
This data can be used to identify<br />
weaknesses in technology, conduct<br />
corporate espionage or put employees’<br />
homes at risk for burglary.<br />
“Security has been elevated to a business<br />
issue rather than just a technical<br />
issue,” Meikle says.<br />
Michael Everall, chief information<br />
security officer at LAMCO, a subsidiary<br />
of Lehman Brothers Holdings, agrees<br />
that getting employees to take a personal<br />
stake in security is the key to protecting<br />
a company from security risks.<br />
By businesses explaining corporate<br />
security in terms of personal protection,<br />
employees better understand why<br />
companies create and enforce the rules<br />
they do, he says.<br />
Senior management must not only<br />
create and communicate an acceptableuse<br />
policy for social media sites, but<br />
also explain why these policies are in<br />
place, Everall says. Training and acceptable-use<br />
procedures are not a one-time<br />
action that the human resources department<br />
conducts when a new employee is<br />
hired, he says. Enterprises need to provide<br />
regular security-awareness training<br />
programs for workers, preferably annually,<br />
that will help the staff be not only<br />
safer from a technology standpoint at<br />
work, but also more secure at home.<br />
Put to good use<br />
Everall agrees that employees should<br />
have no expectations of privacy when<br />
using corporate assets, including the<br />
network. In addition to the acceptableuse<br />
policy, senior management also<br />
must create and disseminate rules to<br />
employees about approved behaviors.<br />
There are three basic ways data is lost<br />
through social media: through technological,<br />
social engineering and innocent<br />
accidents. Security experts agree that<br />
staff training is by far the strongest of<br />
the defenses against such loss, as it is<br />
the only one in which workers actively<br />
defend against data breaches.<br />
If a company chose to shut down<br />
all access to social media sites, says<br />
Deloitte’s Baich, it would be failing to<br />
use valuable corporate assets. These<br />
sites, he adds, can be used effectively<br />
for sales, marketing and recruiting. If a<br />
company denies employees access, some<br />
likely would access the sites from home<br />
or mobile devices to discuss activities<br />
that could affect the business, and the<br />
company would lose the opportunity to<br />
impact that message.<br />
“Social media opens up a new channel<br />
of exploitation,” Baich says. The<br />
best way for a company to protect itself<br />
is through training and awareness on<br />
the part of its employees, he says. ■<br />
the largest proportion of U.S. IT security decision-makers<br />
polled in a recent Cisco survey perceive social networking as<br />
the biggest risk to their organization.<br />
18 SC SPOTLIGHT • November 2010 • www.scmagazineus.com<br />
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 19
An inside look at the<br />
information security<br />
operations of Twitter<br />
and Facebook.<br />
Dan Kaplan reports.<br />
Between them, Facebook and Twitter<br />
have accrued more than 600<br />
million members, twice the population<br />
of the United States. In fact, only<br />
two countries in the world – China and<br />
India – are home to more people than<br />
are members on two of the world’s most<br />
popular social networking sites.<br />
But, as the platforms attract legions of<br />
fans, so too have cybercriminals joined<br />
the party. To learn what Facebook and<br />
Twitter are doing to keep the crooks in<br />
check, SC Magazine got an inside look at<br />
the information security operations of<br />
the two companies.<br />
Deputy Editor Dan Kaplan asked the<br />
sites’ security leaders – Joe Sullivan, chief<br />
security officer at Facebook and Del Harvey,<br />
director of trust and safety at Twitter<br />
– to open up about their efforts around<br />
malware removal, code hardening, victim<br />
assistance and law enforcement collaboration,<br />
plus much more.<br />
What do you consider to be the<br />
greatest security threat facing<br />
your site<br />
Joe Sullivan: We prioritize spam,<br />
phishing and malware. However, we take<br />
all threats seriously and focus on building<br />
systems to detect and block suspicious<br />
activity, as well as offer innovative tools<br />
that give people powerful control over<br />
their accounts and logins.<br />
Del Harvey: The most important thing<br />
facing us is educating our users about<br />
online safety to prevent security threats.<br />
There is no one greatest security threat.<br />
How is the company working to<br />
combat it<br />
JS: We focus on technological solutions.<br />
We’ve built numerous defenses to combat<br />
threats, including complex automated<br />
systems that work behind the scenes<br />
to detect and flag Facebook accounts<br />
that are likely to be compromised based<br />
on anomalous activity.<br />
Once we detect a phony post or message,<br />
we delete all instances of it across<br />
the site. We block malicious links from<br />
being shared and work with third parties<br />
to get phishing and malware sites<br />
added to browser blacklists or taken<br />
down completely. People who have been<br />
affected are put through a remediation<br />
process so they can reset their password<br />
and take other necessary steps to secure<br />
their accounts.<br />
Joe Sullivan<br />
chief security officer<br />
We also devote a lot of effort to education<br />
programs that teach how to be safe<br />
on Facebook and across the internet.<br />
DH: Twitter is developing an Online<br />
Safety Center. We have help pages about<br />
passwords, instructions about password<br />
types, and we do automated resets of<br />
passwords on accounts we believe may<br />
be compromised.<br />
Why do you think your site<br />
is such a preferred target by<br />
cybercriminals<br />
JS: As a communications platform<br />
used by hundreds of millions of<br />
people around the world, Facebook<br />
faces a security challenge that few, if<br />
any, companies have ever had to face.<br />
Our service is under constant attack,<br />
and we work hard not only to defend<br />
against current threats, but to predict<br />
future ones so we can be prepared. The<br />
systems we’ve built have helped us stay<br />
one step ahead of our attackers, so that<br />
as we’ve more than doubled in size over<br />
the last year, the actual effect of the<br />
attacks on people who use Facebook<br />
hasn’t changed.<br />
DH: Twitter hasn’t become a preferred<br />
Q&A<br />
PRIMARY TARGETS<br />
target for cybercriminals more than<br />
any other website. Obviously, as a site<br />
grows in popularity, the use cases for it<br />
will grow as well, but we haven’t seen<br />
indications of serious cybercrime. To a<br />
large degree, our users themselves function<br />
as protection from bad behavior<br />
because when it is noted, it is reported.<br />
Twitter succumbed to a serious<br />
worm in September. What caused<br />
this and what has been done to<br />
ensure a repeat incident won’t<br />
happen<br />
DH: The security exploit that caused<br />
problems was caused by cross-site<br />
scripting (XSS). In this case, users submitted<br />
JavaScript code as plain text into<br />
a tweet that could be executed in the<br />
browser of another user. We discovered<br />
and patched this issue.<br />
Del Harvey<br />
director of trust and safety<br />
What is your site doing to limit<br />
security vulnerabilities in its<br />
code that can enable attacks to<br />
spread<br />
JS: We hire the most qualified and<br />
highly skilled engineers we can fi nd –<br />
most from industry or from top universities.<br />
Upon joining the company, every<br />
engineer and engineering manager participates<br />
in a six-week intensive “boot<br />
camp” training. Our code review process<br />
is rigorous, and we phase changes<br />
and test them before they go live to<br />
detect any potential issues. During code<br />
pushes, our engineering, user support<br />
and operations teams work cross-functionally<br />
to monitor the state of the push<br />
and to identify any problems early.<br />
We also have the capability to quickly<br />
push code updates to all of our data<br />
centers worldwide, and to enable or disable<br />
critical features of the site if there<br />
is a problem. We do regular audits of all<br />
key features and perform regular risk<br />
reviews.<br />
Finally, we maintain and build<br />
relationships with security researchers<br />
around the world and provide an easy<br />
way for them to contact us – through<br />
the “White Hats” tab on our Facebook<br />
Security Page – in the rare event that<br />
they fi nd a vulnerability.<br />
DH: Twitter is focusing on identifying<br />
possible vulnerabilities beforehand.<br />
What is being done to stem the<br />
spread of socially engineered<br />
malware, spam and other unsolicited<br />
communications<br />
JS: We’ve built automated systems<br />
to flag behavior that might indicate<br />
an account has been compromised<br />
through malware. When this happens,<br />
we block access to the account<br />
and put the account owner through a<br />
special version of our account recovery<br />
process that includes a free virus scan.<br />
We worked with McAfee to build this<br />
unique scan and repair tool, and<br />
to offer all 500 million people who<br />
use Facebook a complimentary subscription<br />
to McAfee security software<br />
through the Facebook Security<br />
and McAfee pages. We also regularly<br />
work with others across the industry<br />
to identify and respond to malware<br />
threats.<br />
DH: A variety of efforts are done to<br />
stem the spread of malware, including<br />
working with URL blacklists, internal<br />
spam reports, user spam reports<br />
and empowering our users to block<br />
accounts. Our users act as anti-bodies<br />
to shut down “bad acts” pretty quickly.<br />
What has been done to strengthen<br />
the authentication of users,<br />
beyond username and password<br />
JS: We innovate on security just as we<br />
do on the products that help people<br />
share and connect. We have systems<br />
that detect suspicious login attempts<br />
(for example, someone logging in from<br />
an unusual location or device). When<br />
this happens, we ask the person to verify<br />
their identity as the true owner of the<br />
20 SC SPOTLIGHT • November 2010 • www.scmagazineus.com<br />
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 21
Q&A<br />
account by providing information, like<br />
birth date or the answer to a security<br />
question, entering a mobile verification<br />
code or identifying friends in a small<br />
number of tagged photos to which the<br />
account owner has access.<br />
DH: The easiest way to confirm your<br />
identity to your followers is linking to<br />
your Twitter profile from an official website.<br />
More suggestions on verification are<br />
outlined in the Help Center here.<br />
How is the site helping to restore<br />
users’ accounts if they are victimized<br />
JS: When we detect that an account may<br />
be compromised, we immediately block<br />
access to it. The next time someone tries<br />
to login, we put the person through a<br />
series of steps to verify their identity and<br />
resecure the account. In cases where the<br />
account was compromised through malware,<br />
we also provide a free virus scan.<br />
DH: Users can file tickets on our website,<br />
and we’ll restore their user accounts.<br />
The Federal Trade Commission<br />
recently settled with Twitter over<br />
charges that the site failed to protect<br />
user data. How does Twitter<br />
view this settlement<br />
DH: We recently reached an agreement<br />
with the FTC that resolves concerns<br />
they had raised related to our security<br />
practices involving hacking incidents<br />
on Twitter in 2009. Even before the<br />
agreement, we’d implemented many of<br />
the FTC’s suggestions. The agreement<br />
formalizes our commitment to those<br />
security practices.<br />
What is Facebook doing to ensure<br />
its users are protected from malicious<br />
and rogue applications and<br />
that app developers are vetted<br />
JS: We provide a number of ways for<br />
people to control what information they<br />
share with the applications they use. We<br />
require developers to specify the exact<br />
pieces of information they need, present<br />
them in an easy-to-understand dialog,<br />
and get explicit permission from the<br />
person using the application before they<br />
81%<br />
can access anything. This helps people<br />
understand exactly what they’re sharing<br />
with which apps.<br />
We also recently launched a new<br />
application dashboard that allows people<br />
to see what information the apps they<br />
use are accessing and easily remove,<br />
report or block applications they think<br />
might be violating our policies. We<br />
have a dedicated enforcement team that<br />
conducts spot reviews of applications,<br />
including those that have been reported,<br />
or that our systems have flagged because<br />
of anomalous behavior. We’ve disabled<br />
thousands of applications in the past for<br />
violating our policies.<br />
What security recommendations<br />
do you have for organizations<br />
whose employees leverage your<br />
site both for personal and business<br />
use<br />
JS: We recommend that organizations<br />
invest time in teaching their employees<br />
safe practices for the internet. We work<br />
hard to educate people through the<br />
Facebook blog, which reaches more than<br />
20 million people, and through our Facebook<br />
Security Page. This page, which<br />
is liked by almost three million people,<br />
lists helpful tips and best practices and<br />
includes a quiz people can take to test<br />
their knowledge, post a badge to their<br />
profile, and share tips with friends.<br />
DH: Some basics are: Use a strong<br />
password; watch out for suspicious links;<br />
always make sure you’re on Twitter.com<br />
before you enter your login information;<br />
don’t give your username and password<br />
out to untrusted third-parties, especially<br />
those promising to get you followers<br />
or make you money; make sure your<br />
computer and operating system is up to<br />
date with the most recent patches and<br />
upgrades and anti-virus software; and<br />
don’t share personal information.<br />
of social network users are likely<br />
to accept the friend request of<br />
a stranger and share sensitive<br />
information.<br />
— BitDefender<br />
How is Facebook working with<br />
law enforcement to track down<br />
cybercrooks<br />
JS: We regularly work with law<br />
enforcement around the world to<br />
identify cybercriminals and bring<br />
them to justice, and we have dedicated<br />
teams whose responsibility it is to<br />
investigate specific spam, phishing and<br />
malware campaigns and go after the<br />
people behind them. These efforts have<br />
resulted in the two largest U.S. CAN-<br />
SPAM judgments in history: $873 million<br />
against Adam Guerbuez and $711<br />
million against Sanford Wallace. In<br />
another victory for us, a few weeks ago,<br />
a court in Montreal, where Guerbuez is<br />
based, ruled that the U.S. court’s judgment<br />
against him could be enforced in<br />
Canada.<br />
Please talk about some of the<br />
other security features that<br />
Facebook has instituted that you<br />
haven’t mentioned.<br />
JS: We’re committed to providing<br />
people with the best tools possible to<br />
protect themselves and their accounts.<br />
Back in May, we launched a login<br />
notifications feature that allows people<br />
to approve the devices they use to access<br />
Facebook and be notified immediately<br />
by both email and SMS if their account<br />
is ever accessed from a device that hasn’t<br />
been approved. Last week, we finished<br />
rolling out a feature that allows people to<br />
view all of their active Facebook sessions<br />
and close any they no longer want open.<br />
This is particularly helpful for people<br />
who access Facebook from a device they<br />
don’t own and then forget to log out.<br />
We also launched a brand new, one-time<br />
password feature that allows people logging<br />
in from devices they don’t trust to<br />
request a temporary password via SMS<br />
that expires after 20 minutes. ■<br />
COLLABORATE<br />
WITH CONFIDENCE<br />
Leverage the power of the Web freely with <strong>Websense</strong>® TRITON—<br />
the first and only unified Web, data, and email security solution.<br />
Making point solutions pointless.<br />
The TRITON architecture consolidates industry-leading Web, email, and data<br />
loss prevention security technologies into a unified solution, providing you with the<br />
best protection against modern threats — anywhere — at the lowest total cost of<br />
ownership. Finally, your entire team can collaborate without compromising the security<br />
and protection of your essential information.<br />
22 SC SPOTLIGHT • November 2010 • www.scmagazineus.com<br />
To learn more, visit websense.com/TRITON.
RISK&<br />
REWARD<br />
Intel CISO Malcolm Harkins believes the best social networking strategy<br />
involves embracing the threat, not avoiding it. Dan Kaplan reports.<br />
Malcolm Harkins, CISO, Intel<br />
Photo by Edward Caldwell1<br />
If it were up to Malcolm Harkins,<br />
drivers would spend their days<br />
navigating through many more traffic<br />
circles and much fewer traffic lights.<br />
Before cueing the “Look kids, Big<br />
Ben” scene in European Vacation when<br />
Chevy Chase’s character gets stuck driving<br />
in a roundabout for hours, it may be<br />
wise to hear Harkins out on this one.<br />
The 43-year-old chief information<br />
security officer of Intel is a contrarian,<br />
of sorts, who believes that “running<br />
toward risk” is much more rational<br />
than the conventional business<br />
approach of avoiding it entirely.<br />
As Harkins explains, since a circle<br />
results in far fewer fatal collisions<br />
while still enabling cars to move, albeit<br />
slowly, it actually is more effective and<br />
efficient than a traffic mechanism that<br />
stops automobiles altogether, but occasionally<br />
leads to a frightening wreck.<br />
So what do traffic control strategies<br />
have to do with Harkins’ job A lot,<br />
actually, and the conversation particularly<br />
is applicable to organizations trying to<br />
balance the security risks of social media<br />
with the growing demand for it.<br />
“Information is going to flow, just<br />
like traffic wants to flow,” Harkins says.<br />
“When you put in artificial blocks, like<br />
a traffic light, people may just blow by<br />
the red light. But if people enter the<br />
roundabout, they are more situationally<br />
aware. You become immediately aware<br />
of your surroundings. What I challenged<br />
my team to do was to build the<br />
equivalent of roundabouts.”<br />
Roughly five years ago, at the urging<br />
of Harkins, the powers that be at Intel<br />
arrived at a revelation: If they did not<br />
enable and empower their 80,000-strong<br />
creative, intellectual and tech-savvy<br />
employee base to communicate and<br />
collaborate with each other beyond<br />
traditional platforms, such as email, they<br />
would be in for a rude awakening.<br />
Company executives recognized<br />
that the perimeter as people knew it<br />
was breaking down, Harkins says. The<br />
workforce demanded not just mobility,<br />
but also the ability to interact with data<br />
on a more social level. If Intel failed to<br />
provide employees with this opportunity,<br />
they would find a way to satisfy the craving<br />
themselves, management concluded.<br />
Blocking or stymieing the flow of<br />
information would lead employees to find<br />
other avenues for their thoughts – outlets<br />
that would be out of the direct control of<br />
Intel’s security team – a move that could<br />
lead to dire consequences for the company’s<br />
reputation and bottom line.<br />
“Thinking you can just block it is<br />
really the wrong strategy,” Harkins<br />
says. “It just means they can’t do it on
Case study<br />
the corporate network, but if they’re<br />
going to spout off something, they can<br />
just do it offl ine.”<br />
In other words, Intel needed to<br />
develop the social networking version<br />
of a traffic circle.<br />
“If we give them that freedom of<br />
expression, but within the boundaries<br />
of our code of conduct, it is kind of all<br />
within the family, so to speak,” Harkins<br />
says. “Your risk is less if you enable it<br />
ahead of your users so they can do their<br />
work in that form.”<br />
“Planet” launches into orbit<br />
Roughly three years ago, Intel tapped<br />
Laurie Buczek to develop its social<br />
computing strategy. Already well-versed<br />
in web planning, Buczek led the launch<br />
of an internal, collaborative platform,<br />
known as Planet Blue – in essence,<br />
Wikipedia, Facebook, Blogger and<br />
YouTube all rolled into one.<br />
The goal of the platform is to enable<br />
employees to build a professional network<br />
of contacts, while connecting and<br />
sharing ideas.<br />
“Fundamentally, the traditional<br />
enterprise collaboration tools are very<br />
cumbersome for employees,” says<br />
Buczek, who now works in digital<br />
marketing at Intel. “They’re not easy<br />
to use. Today, we work in a very global<br />
company, and some of our traditional<br />
tools have not been able to even connect<br />
a face to a name.”<br />
Through Planet Blue, employees can<br />
“fi nd people who may have been previously<br />
unknown to you, but are working<br />
on interesting things,” she adds. “There<br />
would have been no way to fi nd those<br />
people in the past.”<br />
The birth of Planet Blue couldn’t<br />
have come at a more opportune time.<br />
1<br />
/3<br />
People are mixing<br />
both worlds.”<br />
Not long before the platform launched,<br />
Intel’s security team had to deal with<br />
the brief exposure of intellectual property.<br />
An employee posted a video to a<br />
public social networking site – Harkins<br />
wouldn’t say which one – that detailed<br />
the capability of a yet-to-be-released<br />
product. “The person wasn’t doing<br />
anything malicious,” Harkins recalls.<br />
“They were sharing knowledge that<br />
could help peers in the company.”<br />
Employees noticed the problem,<br />
and the video quickly was taken down.<br />
However, the incident validated Intel’s<br />
plan to enable its employees to exchange<br />
ideas, but in an environment that could<br />
be more readily controlled. “If somebody<br />
needed to share a video broadly,<br />
would you rather them post it externally<br />
or internally, where it can be indexed,<br />
used and shared” Harkins asks.<br />
Security and privacy<br />
Despite the fact that Planet Blue sits<br />
behind the corporate firewall, there still<br />
are a number of security and privacy<br />
ramifications that Harkins and his team<br />
must consider.<br />
Foremost, the platform contains<br />
robust authentication and access<br />
controls. While an external intruder<br />
theoretically would be unable to reach<br />
Planet Blue, that doesn’t mean a nosy or<br />
disgruntled employee – bent on helping<br />
out a competitor, for example – couldn’t<br />
compromise sensitive data housed in<br />
the portal.<br />
of small- to medium-sized businesses have<br />
been infected by social media malware.<br />
— Panda Security<br />
– Laurie Buczek, digital marketing, Intel<br />
Privacy also factors in, Buczek says.<br />
In some ways, the site mimics popular,<br />
external social networking sites, in that<br />
each member has a profi le. But Intel<br />
was careful not to include the same<br />
fields one might fi nd on, say, Facebook.<br />
For one, the company didn’t want to<br />
have to collect and protect that type<br />
of information, Buczek says. Also, by<br />
including fields, such as age or college<br />
graduation year, Intel could open<br />
itself up to a discrimination lawsuit, for<br />
example.<br />
“You have to understand that when<br />
you are building an environment where<br />
people naturally are putting in personal<br />
information, what can we allow them to<br />
do” she says. “Where do we draw the<br />
line How are we allowed to use that<br />
information as a company How much<br />
notification do we have to give”<br />
User profi les on Planet Blue mostly<br />
include information one would fi nd on<br />
a résumé – certifications, past projects<br />
and more – and they contain no personal<br />
data beyond what already appears<br />
in the employee phonebook. As an<br />
additional privacy measure, employees<br />
must opt-in to share any information.<br />
Beyond the firewall<br />
Even though Intel has developed a<br />
robust internal social computing platform,<br />
users still are permitted to visit<br />
practically anywhere on the internet and<br />
install whichever program they choose,<br />
Harkins says, with the exception of inappropriate<br />
sites or rogue applications that<br />
may steal personal data.<br />
Employees may want to take a break<br />
to visit Facebook to see what their<br />
friends are up to, Harkins figures, or<br />
they may want to blog about a recently<br />
released Intel product they helped<br />
bring to market.<br />
“An interesting trend is occurring,”<br />
Buczek says. “People are mixing both<br />
worlds. It is becoming so blurry that it is<br />
hard for folks to claim [using social networking<br />
sites] is 100 percent personal.”<br />
Worries over productivity declines<br />
because of social media use don’t enter<br />
into Harkins’ line of thinking. Workers<br />
are going to fi nd the time to get their<br />
jobs done, he says, much like they did<br />
when the telephone and email found<br />
their way to people’s desks. “If someone<br />
is not getting their job done, that’s a<br />
performance management issue,” he<br />
says. “Don’t blame the tool.”<br />
The theory of full access goes back<br />
to one of Harkins’ self-devised “irrefutable<br />
laws of information security.”<br />
Number one Information wants to be<br />
free, and people are going to post and<br />
share it.<br />
Encouraging Web 2.0<br />
Recognizing this, Intel not only enables<br />
users to visit Web 2.0 sites, such as<br />
Facebook and Twitter, but it actually<br />
champions it. “We encourage everybody,<br />
once trained, to be able to go out and…<br />
speak about Intel and the work they are<br />
doing,” Buczek says.<br />
Of course, Intel would be foolish to<br />
let its employees run free without first<br />
schooling them for the terrain. Before<br />
they can be anointed brand ambassadors,<br />
workers must complete an hourlong<br />
digital training course that teaches<br />
them to think twice about the content<br />
they decide to post.<br />
Users receive additional social networking<br />
training through Intel’s general<br />
security program, which instructs<br />
them not to click on things such as<br />
untrusted links, a common malware<br />
ploy leveraged by cybercriminals on<br />
social media sites, where an air of trust<br />
and safety may prompt people to make<br />
poor decisions.<br />
Part of the training process at Intel<br />
focuses on how employees can protect<br />
themselves and their children while<br />
accessing the web at home. Harkins says<br />
applying this context to the program<br />
forces users to more personally think<br />
about what they’re learning – and the<br />
message tends to stick better. “When<br />
you carry it to that extent, you get a better<br />
behavior model,” he says.<br />
Harkins is confident that employees<br />
are heeding the advice. He references<br />
a 2005 email blast delivered to 5,000<br />
employees at random. The emails<br />
contained a survey, created by senior<br />
management, which asked recipients<br />
to click on a link and explain what<br />
they like and don’t like about Intel’s<br />
company culture. The security team<br />
never was informed of the blast, but as<br />
it turned out, hundreds of employees<br />
thought it was bogus – the ultimate pat<br />
on the back for Harkins.<br />
“Our phone lines lit up,” he recalls.<br />
“We had calls instantly. I had my<br />
cell phone ringing within a couple of<br />
minutes. The administrative assistants<br />
started blasting out emails saying,<br />
‘Don’t click on this.’ They reacted faster<br />
than what we could’ve done to block it.”<br />
Tech solutions<br />
From a technology perspective, Intel<br />
uses a combination of content filtering,<br />
firewalls, anti-virus and intrusion<br />
prevention to defend against malware<br />
that may be present on social networking<br />
platforms. The company also is close<br />
to adopting a data leakage prevention<br />
(DLP) solution now that the technology<br />
has matured to the point where it<br />
can track and fingerprint confidential<br />
HUMAN NATURE:<br />
We want it, now<br />
The “Irrefutable Laws of Information<br />
Security,” according to Malcolm Harkins,<br />
CISO of Intel:<br />
Information wants to be free<br />
Code wants to be wrong<br />
Services want to be on<br />
Users want to click<br />
Even a security feature can be<br />
used for harm<br />
content, as opposed to the first iterations<br />
of DLP that solely searched for patterns<br />
or numbers.<br />
Harkins says Intel is proof that an<br />
organization can remain secure without<br />
dodging risk. Not everyone shares his<br />
viewpoint. He recalls a conversation<br />
he recently had with the security chief<br />
of a large company whose mantra is,<br />
“In God we trust. Everything else, we<br />
block.”<br />
To Harkins, such a reaction to the<br />
current web climate may be myopic and<br />
ignorant – but also is understandable.<br />
It is a product of human psychology, he<br />
says. Many times, security professionals<br />
become emotional and rash if they<br />
choose to look at a certain issue, such as<br />
social networking, from an alarmist or<br />
biased perspective.<br />
Embrace the risk<br />
He recalls another discussion he had not<br />
too long ago with a security practitioner<br />
who admitted he was leery of arming his<br />
employees with laptops and other mobile<br />
devices because of data loss and malware<br />
concerns.<br />
Harkins challenged his peer to more<br />
deeply examine the rationale behind his<br />
apprehension.<br />
“Well since you allowed printers and<br />
CDs and people to get on the internet,<br />
your data is already mobile,” Harkins<br />
recalls telling him. “You haven’t<br />
reduced your mobility risk. And most<br />
people are getting their malware on the<br />
internet, so you haven’t reduced your<br />
malware risk.”<br />
In the end, Harkins says, the most<br />
significant vulnerability facing organizations<br />
is the misperception of risk.<br />
“To manage risk, you have to run<br />
to the risk,” says Harkins, who earlier<br />
this year received the Excellence in the<br />
Field of Security Practices award at the<br />
RSA Conference in San Francisco for<br />
his efforts around social media. “That’s<br />
the only way to shape it or be a part of<br />
it.”<br />
Perhaps Clark Griswold (Chevy<br />
Chase’s character) would even agree. ■<br />
26 SC SPOTLIGHT • November 2010 • www.scmagazineus.com<br />
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 27
Business lists to reach<br />
key decision makers<br />
Photo by John Lund/Blend Images<br />
haymarket media’s b-to-b postal and<br />
email lists offer you premier access to<br />
key executives in healthcare, sales<br />
and marketing, public relations and<br />
information technology. These decision<br />
makers have proven responsive to<br />
offers including tools, cellular, hardware,<br />
relevant seminars, insurance, financial,<br />
advancement courses and services that<br />
will help them expand their market share,<br />
grow their employees, drive their<br />
organizations forward and stay ahead<br />
of their competition.<br />
CONTACT POINT<br />
Our new survey examines the impact – positive and negative – of the<br />
use of social media within the enterprise. Stephen Lawton reports.<br />
To find out how Haymarket Media’s<br />
business lists can help you attract<br />
new customers contact:<br />
For Email Information:<br />
Frank Cipolla, 800.223.2194 x 832<br />
frank.cipolla@epostdirect.com<br />
For Direct Mail Information:<br />
Kevin Collopy, 800.223.2194 x 684<br />
kevin.collopy@epostdirect.com<br />
The survey on social media, conducted by<br />
That social media technology is here to stay, at least for the foreseeable future,<br />
does not appear to be at issue. How companies embrace it and make it their<br />
own certainly is. Managing social networking internally and externally has<br />
become deeply entwined with other operational aspects of enterprises – from<br />
marketing and public relations to product development and human resources to<br />
industrial research.<br />
Social networking is to Generation X, Generation Y and Millennials what televisions<br />
with remote controls and automobiles were to Baby Boomers — the next,<br />
great technology that became a big part of their daily lives. As Boomers flooded to<br />
the highways as part of their communications rituals, today’s youth see Facebook,<br />
MySpace and YouTube as part of their voice. To determine what corporate security<br />
executives are thinking about social networking and its impact on their corporations,<br />
SC Magazine surveyed 273 of its readers with such titles as chief information<br />
security officer, chief technology officer, security administrator, and the like.<br />
Are you and your organization concerned<br />
about the threats to corporate<br />
data that the use of social networking<br />
sites by employees can introduce to<br />
your infrastructure<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 29
Survey<br />
Does your organization block<br />
employee access to social networking<br />
sites, such as Facebook, Twitter<br />
and MySpace<br />
Does your organization allow access<br />
to social networking sites, such as<br />
Facebook, Twitter and MySpace for<br />
certain groups of its employees<br />
What information security solutions does your organization enlist to protect its<br />
information assets from social networking (number of respondents)<br />
<br />
<br />
<br />
Has your organization experienced<br />
an attack through the use of social<br />
networking sites, such as Facebook,<br />
Twitter, or MySpace, by employees<br />
Do you have a specific social<br />
networking governance policy<br />
in place<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
“Information security professionals<br />
are generally concerned with the risks<br />
posed to organizations by the introduction<br />
and wide adoption of social media<br />
sites and technologies,” says Jaime<br />
Chanaga, CEO of The CSO Board, a<br />
management consulting firm. “Starting<br />
at the lowest common denominator<br />
– personal information – social media<br />
sites don’t have the best track record in<br />
strong privacy practices and protection.”<br />
However, despite Chanaga giving<br />
voice to some of the apprehension of<br />
many security executives, “Social media<br />
is here to stay,” he says. “The genie is out<br />
of the bottle. Organizations will find it<br />
increasingly impossible to reign in and<br />
block social media from becoming a<br />
part of the corporate culture. Until the<br />
information security industry develops<br />
new and stronger technology solutions<br />
for monitoring and enforcement of the<br />
use of social media, organizations will<br />
find it difficult to monitor and enforce<br />
business use of social media websites<br />
and technologies.”<br />
Patricia Titus, CISO of Unisys Corp.,<br />
says that clear and simple acceptable-use<br />
policies help employees understand what<br />
is and is not acceptable online. Social<br />
networks, she says, have value both<br />
internally and externally for companies,<br />
but employees need to understand how<br />
and when to use them.<br />
Titus firmly believes that blocking<br />
access to social networking sites could<br />
have a negative impact on many of the<br />
younger workers at a company. She<br />
describes employees who grew up with<br />
this technology as “digital natives,” and<br />
Baby Boomers and older workers who<br />
did not as “digital immigrants.”<br />
Most CIOs and CISOs are digital<br />
immigrants who look at social media<br />
differently than do younger employees,<br />
she says.<br />
“[But] the generations growing up<br />
now just expect to have access to social<br />
networking at all times,” says Chad<br />
Barr, security consultant for enterprise<br />
information management at Wells<br />
Fargo. “More than likely, they grew<br />
up with unlimited, always-on internet<br />
access and can’t imagine a world without<br />
being connected all the time.”<br />
Workforce demand<br />
Social networking sites are now the<br />
new way to communicate from person<br />
to person, he adds. “I once interviewed<br />
a person right out of college. His first<br />
question about benefits was if we paid<br />
for his internet usage at home and if we<br />
blocked Facebook at work.”<br />
Some 70 percent of the respondents to<br />
SC Magazine’s social networking survey<br />
— 190 security executives out of 273<br />
— say social engineering and phishing<br />
What threats are you and your company most concerned about experiencing when<br />
debating employee access to social networking sites (number of respondents)<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
attacks are major concerns. Another 150<br />
respondents, or 55 percent, say theft or<br />
breach of corporate and/or customer<br />
information is a major concern.<br />
Titus agrees with the findings, noting<br />
that the use of internet-connected<br />
devices could provide intelligence to<br />
competitors about one’s whereabouts.<br />
Christopher Burgess, Cisco senior<br />
security adviser, who has made a career<br />
of understanding security and intelligence<br />
at the highest levels of the<br />
corporate and governmental sectors, says<br />
employees who don’t consider what they<br />
share on social network sites might well<br />
be providing valuable corporate information<br />
to competitors, even by posting the<br />
most seemingly mundane information.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Industrial espionage occurs daily on sites<br />
like LinkedIn, he says. Unsuspecting<br />
employees post travel itineraries, discuss<br />
what might be innocuous technologies,<br />
and post pictures taken from their<br />
smartphones. Savvy data miners can<br />
scrub this information to obtain travel<br />
schedules (this can identify suppliers<br />
or clients), leads on new products or<br />
product enhancements, and the exact<br />
location – latitude and longitude – of<br />
where a photo was taken by checking<br />
the picture’s metadata. Such information<br />
could put corporate assets or personnel<br />
at risk, he says.<br />
Wells Fargo’s Barr agrees that training<br />
and well-understood acceptable-use<br />
policies are essential. “The best option<br />
is security and awareness training,” he<br />
says. “You can have some of the best<br />
security devices in place, but there is no<br />
way to catch 100 percent of data leakage.<br />
You need your employees to know<br />
what they can and can’t post on social<br />
network sites.”<br />
Disclosure considerations<br />
The government sector runs into many<br />
of the same problems as the private<br />
sector, with one notable exception: the<br />
Freedom of Information Act (FOIA).<br />
While corporations are not required<br />
to disclose all communications by its<br />
employees, government agencies are<br />
bound by FOIA, which means a citizen<br />
or organization (such as the media) can<br />
obtain copies of government employee<br />
text messages, email and all other<br />
electronic conversations, says Dan<br />
Lohrmann, the state of Michigan’s chief<br />
technology officer.<br />
Because of open government laws, the<br />
state has additional challenges when it<br />
comes to employees accessing and using<br />
social networks. If an employee accesses<br />
a social network during working hours,<br />
but with a personal device, such as a cell<br />
phone or laptop, does the state need to<br />
disclose those communications Additionally,<br />
as video becomes a more significant<br />
component of social networking,<br />
will increased use of bandwidth impact<br />
the state’s ability to operate Lohrmann<br />
says these types of questions challenge<br />
public sector IT administrators in ways<br />
that never were considered in the past.<br />
He agrees that younger workers<br />
expect to have full access to social<br />
networks, just as workers today have full<br />
internet access. Indeed, he expects use<br />
of social networking sites to be phased<br />
in as was traditional internet access in<br />
the 1990s.<br />
One tricky issue facing managers<br />
today in both the public and private<br />
sectors is how to work with hourly<br />
employees who use social network sites<br />
for non-work-related purposes. While<br />
some employees see nothing wrong<br />
with checking their favorite sites during<br />
work hours, or perhaps when working<br />
past 5 p.m., employers are faced with<br />
paying more overtime because of it.<br />
Such agreements must be made prior to<br />
hiring the employee, Lohrmann says.<br />
Ensuring that employees understand<br />
their company’s acceptable-use policy,<br />
and make it their own, was the common<br />
thread that ran through the answers to<br />
the survey. Employees who understand<br />
what they can and cannot do, as well<br />
as why these are the policies, are much<br />
more likely to use social media sites<br />
appropriately and not put company data<br />
or personnel at risk, Cisco’s Burgess<br />
says. ■<br />
30 SC SPOTLIGHT • November 2010 • www.scmagazineus.com<br />
www.scmagazineus.com • November 2010 • SC SPOTLIGHT 31
Sponsors<br />
Sophos enables enterprises to secure and control their IT infrastructure. Its network access<br />
control, endpoint, web, email and encryption solutions simplify security to provide integrated<br />
defenses against malware, spyware, intrusions, unwanted applications, spam, policy abuse,<br />
data leakage and compliance drift. Sophos protects more than 100 million users in nearly 150<br />
countries.<br />
For more information, visit www.sophos.com.<br />
<strong>Websense</strong>, a global leader in unified web, data and email content security solutions, delivers<br />
the best security for modern threats at the lowest total cost of ownership to tens of thousands<br />
of enterprises, mid-market and small organizations around the world. Distributed through a<br />
global network of channel partners and delivered as software, appliance and software-as a<br />
service (SaaS), <strong>Websense</strong> content security solutions help organizations leverage new communication,<br />
collaboration and Web 2.0 business tools while protecting from advanced persistent<br />
threats, preventing the loss of confidential information and enforcing internet use and security<br />
policies. <strong>Websense</strong> is headquartered in San Diego, Calif., with offices around the world.<br />
For more information, visit www.websense.com.