
Posts tagged - Twitter

Monday, October 18, 2010

Can You Have Social Networks and Security? Ben Rothke Will Tell You at Interop New York

By Ben Rothke, Senior Security Consultant, BT Global Services, CISSP CISA


This Wednesday, I will be giving a presentation at Interop New York on “Social Networks and Security – Can You Have Both?”

The premise is that social networks simultaneously offer huge business benefits and unheard of security risks. With that, how then can enterprises effectively use social networks while not putting their security and data at risk?

In my presentation, I will detail the significant security and privacy risks that social networks create, and will also provide detailed guidance on ways organizations and individuals can use social networks in a safe and secure manner.

While social networks do introduce significant security risks, companies must recognize these risks and take a formal approach to deal with them.

The bottom line is that social networks and security are compatible.  But this is true only as long as social network security is part of a corporate information security program.  As part of this, it is crucial to ensure that end users are aware of the risks and their associated responsibilities.

Security awareness is an essential component of an information security program.  But when social networks are involved, it is even more of an imperative because significant risks are tied to the behavior of staff when they are using social networks.

However, organizations should not shun social media for fear of bad end-user behavior.  Rather, they should anticipate it and formulate a multilevel approach to security policies for effective governance.

So what do you tell your end users?  First off, when it comes to social networking in the corporate environment, let staff know that they should curb their enthusiasm.

The creation of clear and concise social media guidelines is important, and you need to ensure that staff members are aware of — and are compliant with — those guidelines.  If nothing else, let them know that Facebook is viral and addictive and that they should not waste their workday on it.

At the corporate level, without clear guidelines, breaches are inevitable.  So make sure your guidelines cover the entire gamut of social networks; including blogs, wikis, virtual worlds, social media, and more.

Some organizations think the way to deal with social media is to totally block it within the corporate environments.  But that is for the most part no longer an option.  As Natalie Petouhoff of Forrester Research astutely observed – “Social media isn’t a choice anymore – it’s a business transformation tool.”  The safe enablement of social media is possible, so make sure you take the time and effort necessary to ensure that.

Wednesday, March 3, 2010

Evil Memes: Toby Weir-Jones Guest Blogs for Jennifer Leggio’s ‘Social Business’

By Toby Weir-Jones, Vice President Product Management, Managed Security Solutions Group, BT Global Services

Internet memes are harmless, right?  Fun little things that make you giggle, right?  According to Toby Weir-Jones these innocent memes have a much darker side.  Today, as part of Jennifer Leggio’s RSA week guest blogger series, Toby explores the security implications of a business’s decision to enter the social media space as well as suggesting some social media-security best practices for those who have taken the plunge.

To read Toby’s post, click below:


A few years ago, in 2006 – ancient history in social media – various researchers proposed methodologies to study how quickly a meme can spread.  Some tried to characterize based on qualitative attributes of the meme itself, such as how funny it was, or how socially relevant, while others avoided those grey areas and focused instead on the quantitative attributes of network owners who posted links or tracked referral URLs.  In both cases, the general conclusions were fairly predictable:  given a good story, it can go viral and appear everywhere within hours . . .

Thursday, January 28, 2010

The Year Ahead: Top Security Threats and Trends in 2010

By Jill Knesek, Chief Security Officer, BT Global Services

In the last few weeks, a number of security companies have released their year-end security intelligence threat reports that highlight the biggest vulnerabilities of 2009 and, in some cases, offering signposts for what are likely to be the top threats in 2010.

Based on what I’ve read in these reports, as well as what I see as head of BT’s global security team, these are my thoughts on what will give us headaches in the coming year:

  1. Social Media Security Breaches – This is clearly the hot topic for this year.  Now that it’s clear that social media can be monetized, and businesses are joining Facebook and Twitter in droves, it was only a matter of time before the opportunists, social engineers and hackers began to work out exploits from which they could profit – including shortened URL scams.  However, just because social media is ripe for exploitation doesn’t mean your company should abandon the space.  Instead, focus on at-work user education policies on how to spot fake URLs, as well as review policy on permissions.  Does everyone really need access to Facebook and YouTube at work — or should access be limited by job description or role?  With your IT team, make sure to review patching protocols to ensure your network is robust enough to survive common worms, such as Koobface.
  2. Botnets – A perennial favorite, botnets continue to make the top vulnerability lists because they continue to proliferate at an alarming rate due to the potential for economic gain.  With organized criminals firmly in control of a number of significant botnets, IT security professionals need to become more savvy — not just about detection, but also about knowing where their sensitive data is housed.  As we saw in the Heartland case, not knowing where your data is nor if it has been compromised can make the difference between a minor internal breach and a public relations nightmare. 
  3. Mobile Device Security – It doesn’t matter how smart phones are, people still leave them in a New York City cab, and hackers find ways to access data stored or exchanged on devices.  So, as phones become smarter, they introduce increasing risk into the IT equation.  The more capable these devices are to help employees access and manipulate data, the more capable they are to be used by hackers to do the same.  Unfortunately, far too many organizations fail to manage their mobile security risks, or the devices, for that matter.  The first step organizations need to make is to take control over the devices by providing staff with a uniform device or set of devices.  Just keep in mind that some devices are created for general consumers, while others have been developed for enterprises with security controls, such as requiring authorization and limiting apps.  
  4. Remote Access – It also doesn’t matter if employees are traveling to Cleveland or China, or working from home — remote access to networks and data is challenging and must be addressed.
  5. The Absent-Minded Employee – With the economy beginning to pick up, there is less likelihood that your company is dealing with a deliberately malicious employee bent on stealing data or disabling your network as he’s being given his pink slip.  However, with most companies still facing hiring and resource freezes, there’s ample opportunity for very costly mistakes to occur due to under-investments in user education and overburdened employees — from the improperly trained employees to the ones who have one too many tasks on their plates and forget to change a password — or worse still, write the password down next to their computer.  Now is the time to refresh or start up a Security Awareness and Training program with mandatory training requirements as well as communication of security messages that educate the employee base on current threats they are likely to encounter.  In addition, it is also a good time to review policy and procedures with all employees and to review core responsibilities with your IT Security team.
  6. Data Loss Prevention – As BT’s Ben Rothke has previously stated, the sound of confidential data escaping from enterprises can be deafening.  DLP is imperative for today’s mobile work environment, and of course, it is the very mobility of the workforce which has increased data leakage risk beyond imagination.  Organizations must educate employees on how to use mobile devices safely and securely as well as pay serious attention to how many communication channels the IT and security teams are able to fully support. 

So, will 2010 be filled with more surprises than 2009?  I’m confident that if you prepare for 2010 with a renewed focus on strategic security solutions and on employee education, you’ll have a successful and safe year.

Monday, November 16, 2009

Integrating Web 2.0 Tools Securely into the Business Environment

By Pete Russo, Senior Marketing Manager, BT Global Services

How would you solve this problem?  As a network security expert, you understand that your company’s employees need to access Web 2.0 tools to build new business relationships, collaborate with partners and reach prospective customers.  But how do you ensure not only their online safety but the company’s overall network security?

Ray Stanton, Global Head of BT’s Business Continuity, Security, and Governance Practice, discusses BT’s approach in a recent Computerworld article (Computerworld, “BT’s Web 2.0 security strategy,” October 19, 2009).

BT was an early adopter of Web 2.0 tools and has a strong social media presence including:

Mr. Stanton identified data leakage as his number one concern when employees are allowed to access social media tools at work.  Data Leakage not only exposes the company to security risks, such as the inadvertent sharing of proprietary information, but it also can lead to an employee becoming a victim of personal crime.  In addition, companies should be mindful of these other top Web 2.0 threats:

  • Cross Site Request Forgery
  • Cross Site Scripting
  • Information Integrity Violations

BT uses a combination of policy and technology to ensure that employees and the company are secure online.  By setting acceptable use policies and conducting regular awareness training, users are knowledgeable about their responsibilities and the vulnerabilities their actions could introduce into the network.  Acceptable use policies are reinforced by software, hardware and managed solutions which, in addition to providing physical barriers to access, enable flexible access policies.  For example, BT works with Blue Coat, using their ProxySG appliance to categorize URLs of web pages.  Web sites can be identified by their purpose – e.g., “business productivity sites,” such as LinkedIn – or segmented by who needs to access a type of site – such as permitting the marketing department to have access to YouTube, but not the rest of the company.
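The category-plus-department policy described above, written out as an added illustrative example (not BT’s or Blue Coat’s own configuration; the category map, department rules and hostnames are constructed for this example). It also shows the default-deny behaviour a practitioner would want for uncategorized hosts, which is where most link shorteners land.

```python
from urllib.parse import urlsplit

# Constructed category map: registrable domain -> category.
# Illustrative assignments only, not a real proxy category database.
URL_CATEGORIES = {
    "linkedin.com": "business productivity",
    "youtube.com": "video sharing",
    "facebook.com": "social networking",
    "intranet.example.internal": "internal",
}

# Constructed policy: "*" applies to every department; named entries add
# categories for that department only (marketing gets YouTube, others do not).
ALLOWED_CATEGORIES = {
    "*": {"business productivity", "internal"},
    "marketing": {"video sharing", "social networking"},
}


def categorize(url):
    """Return the category for a URL by matching its host or any parent domain.

    Hosts with no category (including most link shorteners) return None.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Walk from the full hostname up to the two-label registrable domain so
    # that www.youtube.com and m.facebook.com inherit their parent's category.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in URL_CATEGORIES:
            return URL_CATEGORIES[candidate]
    return None


def is_allowed(department, url):
    """Default-deny decision: permit only categorized sites that are allowed
    for everyone or specifically for the requesting department."""
    category = categorize(url)
    if category is None:
        return False
    dept_allowed = ALLOWED_CATEGORIES.get(department.lower(), set())
    return category in ALLOWED_CATEGORIES["*"] or category in dept_allowed


if __name__ == "__main__":
    for dept, url in [("marketing", "https://www.youtube.com/watch?v=demo"),
                      ("finance", "https://www.youtube.com/watch?v=demo"),
                      ("finance", "https://LinkedIn.com/in/someone"),
                      ("marketing", "http://bit.ly/constructed")]:
        print(dept, url, "ALLOW" if is_allowed(dept, url) else "DENY")
```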

While no single solution will provide absolute protection for the employee, the company or the network, taking a multi-pronged approach sets up checks and balances throughout the business environment.  Let us know what you think of this strategy in the comments or by sending us a tweet @SecureThinking.