© 2012 Deloitte Development LLC. All Rights Reserved.

How Cyber Criminals make use of Social Media


Contents

• Overview of Social Media
• Drivers and Benefits of Social Media
• Social Media Risks
• A Governance, Risk, and Compliance (GRC) Roadmap to address Social Media Risk (Governance, Risk Assessment, Policy, Awareness, Communication, Controls)

Overview of Social Media


Evolution of social networking and media

Web 1.0: Inspired by the Industrial Age
• Hierarchical (hierarchy controls and regulates)
• Linear interaction – simple minded
• Organizations innovate
• Organizational segments

Web 2.0: Information Age
• Democratic (community controls and regulates)
• Network relationship – complex
• Customers provide the innovation
• Customers provide the segmentation

Web 3.0: The Age of “Expertise”
• In recent years, end users have taken control of the Internet, transforming its use from a monologue to a dialogue.
• Collaborative problem solving and innovation is leading to higher productivity.
• Users’ expectations of performance are driven by technology.
• SoCoMo – Social, Cloud, Mobile & BYOD (Bring Your Own Device)

“The differences between traditional and social media are defined by the level of interaction and interactivity available to the consumer.” – An ISACA Emerging Technology White Paper


Social media revolution

Source: YouTube, Socialnomics 3 [Video]. http://www.youtube.com/watch?v=fpMZbT1tx2o

Did you know? Social media… it’s everywhere!

• Of the Fortune Global 100, 65% have active Twitter accounts, 54% have Facebook fan pages, 50% have YouTube video channels and 33% have corporate blogs (2010 Burson-Marsteller study)
• 75% of Internet users worldwide visit social networks or blogs; 22% of the time spent on the Internet is spent on social media activities (Nielsen Corporation, April 2010)
• Facebook has more than 845 million users, making it equivalent in population to the world’s third largest country (Facebook.com, WorldAtlas.com, July 2011)
• More than 250 million users access Facebook through mobile devices and are twice as active as non-mobile users (Facebook.com)


Social media landscape

Social media categories (from the landscape diagram): virtual community, entertainment, multimedia, review & opinion, collaboration, conversation.

46% of smartphone users [1]

[1] “The State of the U.S. Mobile Advertising Industry and What Lies Ahead”, comScore, June 2011

“Social media technology involves the creation and dissemination of content through social networks using the Internet.” – An ISACA Emerging Technology White Paper


Social media platforms

Social media are highly accessible, scalable methods of online communication and social interaction, which allow the creation and exchange of user-generated content.

There are 7 main types of social media platforms:
• Social Networking
• Social Bookmarking and News
• Wikis
• Blogs
• RSS (Rich Site Summary)
• Presence and Microblogging
• Online Photo and Video Sharing

Drivers and Benefits of Social Media

Business drivers for social media

The adoption of social media as a business tool is rapidly increasing and can bring tremendous value:
1. Increase productivity and operational efficiencies through collaboration and communication
2. Foster creativity, innovation, and collaboration
3. Enhance customer and stakeholder relationships


Human resources example – D Street

• D Street is Deloitte’s internal talent networking tool
• Over 47,000 active profiles with about 120,000 views per month

As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Social Media Risks

Discussion Point
• Does your organization have an official policy for social media use?
• What is the average total productivity decrease for companies allowing employees to access social networking sites at work? 1% / 1.5% / 12% / 52%


Social media incidents and risks

• Employees at a Medical Center in California posted patient information on a social network. Five nurses were subsequently fired.
• An employee used a social network to post insulting comments about the city shortly before presenting to the worldwide communications group.
• A customer of a big airline carrier shared a video of a detailed complaint online, which caused a $180 million (10%) market cap impact.
• A major news corporation’s social networking account was compromised. The hackers posted a false message that an airliner had crashed at Ground Zero.

Risks illustrated: Privacy Risk, Regulatory Compliance Risk, Loss of control over content, Brand/reputation Loss, Negative Publicity, Identity theft, Impersonation


Social media – high-level threat landscape

Assets at risk: Organization, People, Technology, Data

Threats and impacts (from the landscape diagram):
• Unauthorized Disclosure
• Intellectual Property leakage
• Vulnerabilities
• Identity Theft
• Brand / Reputation Loss
• Public
• Unsatisfied Constituents
• Impact network availability (DoS)
• Virus / Worms / Trojans
• Loss of Productivity
• HR Policy Violations
• Social Engineering / Impersonation
• Privacy Risk
• Trademark Infringement
• Loss of Control Over Content
• Copyright Issue
• Lack of Situational Awareness
• Negative Publicity
• False Impression / Misguidance

The advent of social media into the corporate environment brings multiple risks to the Data, Technology, People, and Organization.


Social media attack illustration – pretexting+

Steps: 1. Pretexting target selection → 2. Gain a toehold → 3. Deep discovery → 4. Exploit leverage

The more someone knows about a person, the easier it is to impersonate them both electronically and in person to unwitting staff (Helpdesk, physical security personnel, etc.).

Access to the account provides further information, including home and mailing address, that can be used to redirect mail or examine transaction history, giving even more exploitable clues.

The hacker sees the user has repeatedly mentioned bad experiences with the ATM of Bank Q on a social network.

Using the information gathered, the hacker can exploit multiple channels to execute a password reset of the user’s account at Bank Q.

The hacker looks for info provided on unsecured social media profiles and collects key info (DOB, hometown, employer, picture of a new baby or car).


Detour: Brand and Crisis Management

Elements from the diagram:
• Real-time social media conversations
• Blogs, news articles, videos
• Search engines
• Caching, permanent archives
• Social media strategies

Discussion Point
• Do you think your organization is currently prepared to handle social media risks?
• What areas are currently well covered? What areas are not?
• What tools do you have in place to help?
• What percentage of American employees watch online videos in the workplace? 2% / 19% / 51% / 64%


Current Observations – social media controls

The control of social media in the corporate environment lacks consistent practice. Based on our observations, organizations’ control approach generally falls into the following categories:
• No Policy
• Block*
• Limited Access
• Controlled Access

* It should be noted that blocking and limiting users’ access to social media sites only works within the corporate network environment. There is no effective way of restricting users’ access when they use public Wi-Fi, hotel networks, home networks, cellular networks, etc.


Fact check – Deloitte LLP’s Ethics and Workplace Survey

• 74% of working Americans believe it is easy to damage a brand’s reputation via social networking sites, though relatively few organizations are actively creating strategies and policies;
• 1/3 stated they never consider what their boss, colleagues, or clients think before posting materials online;
• 53% of employees believe that their social networking activity is none of the employer’s business, vs. 60% of executives who state the organization has a “right to know” how employees portray themselves and their organizations online, with 30% acknowledging informal monitoring practices;
• 49% indicate that, even if there were a policy in place, it would not affect their behavior.

Source: http://www.deloitte.com/view/en_US/us/About/Ethics-Independence/


Auditing social media – from a GRC perspective

Roadmap elements (from the diagram): Strategy and Governance, Strategic Plan, Risk Identification and Analysis, Policy Education, Establish Responsibility and Ownership, Align the control activities to the overall strategy, Monitoring

An implementation includes:
• Evaluation of the entity’s involvement in social media
• Alignment of strategy and the business objectives
• Identification of the target audience and how each uses social media
• Mapping of risks to the social media practice
• Prioritization of organizational resources to address the risks
• Establishing accountability and ownership of the controls
• Supervision of the release of content to social sites
• Implementation of process and technology controls


Auditing social media - strategy and governance

• Has a risk assessment been conducted to map the risks to the enterprise presented by the use of social media?

• Is there an established policy (and supporting standards) that addresses social media use?

• Do the policies address all aspects of social media use in the workplace—both business and personal?

• Has effective training been delivered to all users?

• Do users (including employees) receive regular awareness communications regarding policies and risks?

Source: ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives [Whitepaper].


Auditing social media - risk assessment

The agency should consider the following when identifying social media risks:
• Risks of using social media as a business tool to communicate with customers or constituents
• Risks of employees accessing social media sites while on the corporate network
• Risks of using social media tools from corporate-issued mobile devices
• Risks of employees’ personal use of social media from home and personal computing devices

Analyse risk impact: How will it adversely affect the organization? What functions would be impacted? How likely is it to happen?

Examples:
• People | Loss of Productivity
• Data | Unauthorized Disclosure
• Organization | Reputational Loss
• Technology | Virus/Worms


Auditing social media - social media policy

Key Guidelines

Business Use of Social Media
• Does the policy address intellectual property rights?
• Does the policy require monitoring of all content posted on social media sites?
• Does the policy give careful consideration to reviewing and accepting the social media provider’s terms of service?
• Does the policy specify whether only public information can be posted on social media websites?

Employees’ Personal Use of Social Media
• Does the policy specify what employees can and cannot do on a social network, such as sharing non-public or confidential information?
• Does the social media policy connect with other policies that might be affected by social media (including IT, Ethics, IP, Privacy, Anti-discrimination, Harassment, etc.)?
• Does the policy clarify consequences?

Bottom Line
• Do NOT disclose confidential information
• Do NOT share information that may violate copyright laws
• Do show respect, honesty, and transparency during your social media activities


Auditing social media - risk awareness program

Develop the training curriculum:
• Establish the training program committee: marketing, legal, IT, HR
• Take into consideration the organization’s needs and resources when designing the training program: in house or e-learning? Mandatory or optional? Organization-wide or focused on a particular department?
• Develop a curriculum tailored to the level of social media involvement of your company
• Update the curriculum regularly

Establish a social media facilitator:
• Responsible for the organization’s social media awareness program
• Conduct social media training with employees
• Develop and maintain awareness communications regarding social media policies and risks
• Provide consultation to employees with social media questions
• Consider the role of this facilitator in incident response processes


Auditing social media - risk awareness program (Cont’d)

ISACA recommends that any strategy to address the risks of social media usage should first focus on user behavior through the development of policies and a supporting training and awareness program that covers:

Personal use in the workplace, and personal use outside the workplace:
• Whether it is allowed
• The nondisclosure/posting of business-related content
• The discussion of workplace-related topics
• Inappropriate sites, content or conversations

Business use:
• Whether it is allowed
• The process to gain approval for use
• The scope of topics or information permitted to flow through this channel
• Disallowed activities (installation of applications, playing games, etc.)
• The escalation process for customer issues


Auditing social media - control implementation (ISACA Business Model)

Process/Data
• Have business processes that utilize social media been reviewed to determine that they are aligned with policies and standards of the enterprise?
• Are content control processes in place to determine that social communications intended to represent the company are approved before dissemination?

Technology
• Does IT have a strategy and the supporting capabilities to manage technical risks presented by social media?
• Do technical controls and processes adequately support social media policies and standards?
• Does the enterprise have an established process to address the risk of unauthorized/fraudulent use of its brand on social media sites?

People
• Has effective training been delivered to all users?
• Do users (including employees) receive regular awareness communications regarding policies and risks?

Source: ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives [Whitepaper].


Auditing social media – controls | people

Risks: Loss of Productivity; Identity theft; Social Engineering; HR Policy Violations

Control objective: Employees, contractors and customers are aware of their responsibilities relating to social media.

Activities:
• Establish user agreements for social media use
• Conduct awareness training to inform users of the risks involved in using social media websites
• Use content-filtering technology such as DLP (Data Loss Prevention)
• Limit access to social media sites

Responsible parties: HR, Information Security


Auditing social media – controls | process

Risks: Reputational Loss; Regulatory Compliance Risk (i.e. copyright, trademark infringement, and privacy issues); False Impression

Control objective: The enterprise brand is protected from negative publicity or regulation violation.

Activities:
• Establish policies to ensure legal-sensitive communications are tracked and archived
• Conduct awareness training to inform users of the risks involved in using social media websites
• Scan the internet for misuse of the enterprise brand

Responsible parties: Legal, HR, Information Security


Auditing social media – controls | data

Risks: Unauthorized Disclosure; Improper Content; Intellectual Property leakage

Control objective: Enterprise information is protected from unauthorized access or leakage through/by social media.

Activities:
• Establish user agreements for social media sites
• Develop policies on the use of enterprise-wide intellectual property
• Ensure there is a capability to log all the communications

Responsible parties: Legal, HR, Information Security

* Please bear in mind that these risk control mappings are presented to help illustrate the approach to evaluating your business involvement in social media practice. They are not designed to be a comprehensive listing of risks and control activities.


Auditing social media – controls | technology

Risks: Constraining network bandwidth; Virus/Worms via the social media sites; Data theft from mobile devices

Control objective: IT infrastructure supports risks introduced by social media.

Activities:
• Install anti-virus applications on all systems including mobile devices
• Use content-filtering technology such as DLP
• Limit access to social media sites during business hours

Responsible parties: Information Security


Additional considerations

Cyber Threat Profile Analysis
• Perform a study on what organization-specific footprinting information is available on the Internet, and how it might be used to produce an exploit that targets the organization’s IT or Industrial Systems.

Suspicious Program Diagnostics
• Use available industry hash data sets and cyber intelligence to match against a generated inventory of system files, endeavoring to identify hidden exploits. Perform digital forensic analysis on suspect computers, including examining system memory.

Social Media Impact Survey
• A policy assessment is performed to assess how social media is being used within the organization.

Intranet Cyber Compromise Diagnostic
• Security event logs and infrastructure logs are analyzed to look for evidence of internal machines that may have been compromised and are attempting to communicate with miscreant-controlled devices on the Internet.

Anti-Phishing Capability Diagnostic
• Assess the organization’s anti-phishing program in order to help identify gaps and improvement opportunities. It includes looking at recent phishing incidents, intelligence services, and the organization’s incident handling procedures.
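The hash-matching step of the Suspicious Program Diagnostics above, as an added example that is not Deloitte's tooling: hash a file inventory and triage it against known-bad and known-good SHA-256 sets. The file contents, paths and both hash sets are constructed here; in practice the sets would come from a vendor feed or a reference set such as NIST's NSRL.

```python
"""Added example, not Deloitte's own tooling: hash a file inventory and match it
against constructed known-bad and known-good SHA-256 sets, standing in for the
industry hash data sets (e.g. a vendor feed or NIST's NSRL) the deck refers to."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root):
    """Return {relative_path: sha256} for every regular file under root (symlinks skipped)."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = sha256_file(full)
    return result


def triage(inv, known_bad, known_good):
    """Split an inventory into known-bad matches, known-good matches and unknowns.
    The unknowns are what goes to deeper forensic review: a clean anti-virus scan
    says nothing about a file that no data set has seen yet."""
    verdicts = {"bad": [], "good": [], "unknown": []}
    for path, digest in sorted(inv.items()):
        if digest in known_bad:
            verdicts["bad"].append(path)
        elif digest in known_good:
            verdicts["good"].append(path)
        else:
            verdicts["unknown"].append(path)
    return verdicts


def demo():
    """Build a constructed three-file inventory in a temp dir and triage it."""
    files = {  # constructed contents; none of these are real binaries
        "bin/svc.exe": b"constructed stand-in for a vendor-signed service binary",
        "tmp/dropper.dll": b"constructed stand-in for a file flagged by an intel feed",
        "docs/readme.txt": b"constructed file that appears in neither data set",
    }
    known_bad = {hashlib.sha256(files["tmp/dropper.dll"]).hexdigest()}
    known_good = {hashlib.sha256(files["bin/svc.exe"]).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return triage(inventory(root), known_bad, known_good)


if __name__ == "__main__":
    for verdict, paths in demo().items():
        print(verdict, paths)
```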
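The log analysis behind the Intranet Cyber Compromise Diagnostic above, as an added example that is not part of the deck: proxy log lines are parsed, internal (RFC 1918) clients that repeatedly reach a watch-listed destination are reported, and the median gap between their hits is computed, since evenly spaced hits suggest an automated beacon rather than a single click. The log lines, the watch-list host and the Squid-like line layout are all constructed for this example.

```python
"""Added example, not from the Deloitte deck: scan constructed proxy log lines for
internal hosts that repeatedly contact watch-listed destinations (possible beaconing)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a Squid-like layout: timestamp client method url status bytes.
# Hostnames and addresses are made up; one malformed line is included on purpose.
SAMPLE_LOG = """\
2012-05-01T09:00:01Z 10.1.4.23 GET http://updates.vendor-example.test/patch.bin 200 51234
2012-05-01T09:00:05Z 10.1.4.23 POST http://c2.bad-example.test/gate.php 200 312
2012-05-01T09:05:05Z 10.1.4.23 POST http://c2.bad-example.test/gate.php 200 310
2012-05-01T09:10:06Z 10.1.4.23 POST http://c2.bad-example.test/gate.php 200 315
2012-05-01T09:12:40Z 10.1.9.8 GET http://www.social-example.test/home 200 8812
2012-05-01T09:13:00Z 10.1.9.8 GET http://c2.bad-example.test/gate.php 200 300
this line is malformed and must be skipped, not crash the scan
2012-05-01T09:15:07Z 10.1.4.23 POST http://c2.bad-example.test/gate.php 200 311
"""

# Constructed watch-list standing in for a cyber-intelligence feed of known C2 hosts.
WATCHLIST = {"c2.bad-example.test"}

# Assumed internal address space of the corporate network (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.IGNORECASE)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, size = m.groups()
    host = HOST_RE.match(url)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "host": host.group(1).lower() if host else "",
            "status": int(status), "bytes": int(size)}


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_suspects(log_text, watchlist, min_hits=3):
    """Map each internal client that hit a watch-listed host at least min_hits times
    to the host, the hit count and the median gap between hits (None for a single hit)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] in watchlist and is_internal(rec["client"]):
            hits[(rec["client"], rec["host"])].append(rec["ts"])
    report = {}
    for (client, host), times in hits.items():
        if len(times) < min_hits:
            continue  # one visit is worth noting, but not escalating on its own
        times.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        median = gaps[len(gaps) // 2] if gaps else None
        report[client] = {"host": host, "hits": len(times), "median_gap_s": median}
    return report


if __name__ == "__main__":
    for client, info in find_suspects(SAMPLE_LOG, WATCHLIST).items():
        print(f"{client} -> {info['host']}: {info['hits']} hits, median gap {info['median_gap_s']}s")
```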

Questions?


Reference and Additional Resources

• “Web 2.0 reinvents corporate networking.” Gopal, Raj et al., Deloitte Consulting LLP
• “Market Intelligence and Content Curating.” Eric Openshaw, Deloitte & Touche LLP
• “Social Media Audit/Assurance Program.” ISACA
• “Social Media: Business Benefits and Security, Governance and Assurance Perspective.” ISACA
• “2012 Identity Fraud Report: Social Media and Mobile Forming the New Fraud Frontier.” Javelin Strategy & Research
• “Auditing Social Media: A Governance and Risk Guide.” Peter R. Scott and J. Mike Jacka
• “Security, Mobility, and Social Media: Minimizing Risk in the Era of Sharing.” Partha Mukherjee, Lawrence J. Bolick and Brian Cain
• “Securing the Clicks: Network Security in the Age of Social Media.” Gary Bahadur, Jason Inasi, and Alex de Carvalho
• “Sophos Security Threat Report – 2011.” Graham Cluley
• Cisco 2010 Annual Security Report
• “KOOBFACE – Inside a Crimeware Network.” Nart Villeneuve, Information War Monitor


Contact info

Mike Wyatt, Director, Deloitte & Touche LLP, +1 512 771 [email protected]

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

 

Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

Member of Deloitte Touche Tohmatsu Limited