Posted on 13-Jun-2020 (45 pages)

Page 1: Social Media Security Policy… · Unlike other Security Awareness Training aspects, employees generally tend to recognize the security issues that social media may pose. What’s

Social Media Security Policy

The Art of Herding Cats

Page 2: Chaim Sanders

`su chaim`

Current Roles
● Security Lead at ZeroFOX
● Member of ZeroFOX Alpha Team
● Lecturer at Rochester Institute of Technology (RIT)
● Project Leader of the OWASP Core Rule Set
● Chapter Co-Leader for OWASP Baltimore

Previous Roles
● Commercial Consultant
● Governmental Consultant
● Security Researcher
● Full-time lecturing

Page 3: Disclaimer

● I work at a Social Media Security Company
 – I do internal security, but it’s obviously important to us
● I’m not a lawyer
 – The information contained here will cite legal cases
 – I don't and am not giving out legal advice
 – I swear I only watch Law & Order to see Ice-T

Page 4: What is Social Media?

This should be obvious, right?

● Everyone agrees Facebook is Social Media...
● What about LinkedIn?
● How about Reddit?
● What about YouTube?
● Or things like Indeed.com?
● Blogs?
● Emails and Text Messages?

Many sites have ‘social’ aspects - and the security issues that come with them

Page 5: The Ask

● Most Social Media attacks leverage phishing
● Phishing is a very popular attack vector
 – Accounts for ~77% of all socially based attacks[1]
● Social engineering (SE) most often picks on vectors that many people share in common:
 ● Mobile Phone - 6 billion people
 ● Toilets - 4.5 billion people
 ● Email - 3.7 billion
 ● Facebook - 2 billion people
 ● Other’s tools - 100’s of millions
 ● Size of DOD - 3.2 million people
 ● Your Product - ???

Page 6: Who are the other 32.8%?

Page 7: Traditional Perimeter Security

Page 8: Social Media Threat Environment

Page 9: Naive Approaches

● The academic answer:
 – Block Social Media (Facebook, Twitter, etc.)?
● Your company wants it:
 – Sales
 – Marketing
 – Support
 – Communication
● There is also the chance that if you don’t register your account, someone else will.

Page 10: Employee Behavior

Employees need their fix:
● Tether their phones
● Connect to other open wireless
● Set up their own Wireless AP
● Tunnel their connections

Employees are veritable masters of getting around policy … when it suits them.

If they move their traffic off your network...
● You are minimizing what activities you have insight into
● Thereby limiting your effectiveness as an information security organization.

Policy Avoidance Samurai

Page 11: Protection Approaches

Return on Investment

There is no magic bullet

A two-pronged approach:
● A policy that tells employees what behavior is expected of them
● A training program that guides employees towards this expected behavior

Page 12: On the Other Hand

Properly trained and incentivized employees can become very helpful to your brand.

● Many organizations have pushed for “brand ambassadors”

These may help in:
● Extending your brand culture
● Attracting new recruits
● Assisting consumers
● Attracting new customers

Page 13: Don’t use and abuse

● Helpful employees become targets
 o All the gains that you were receiving are now nullified.
● You become liable to provide some level of training or protection
 o How do we teach our brand ambassadors to become effective?
● Unlike other Security Awareness Training aspects, employees generally tend to recognize the security issues that social media may pose.

Page 14: What’s ‘Social Media Training’?

● Employees should be taught HOW to use the protections that are available.
● They need to know that their personal information can be used against them
● They should be taught HOW TO speak on behalf of the company
 o Employees need to be made aware of what and where they can share.

Page 15: No Good Deed

● While we often hear about employees acting maliciously, employees can also harm your organization by trying to help.
● This applies both on company time and on personal time and extends to employees’ personal accounts.
● What could possibly go wrong?

Page 16: What could go wrong?

● Making promises that can’t be fulfilled
● Providing the customer with the wrong answer
● Implying illegal or unsafe activities are being undertaken
● Sharing private or confidential information
● Divulging information that can be used as evidence (even if untrue)
● Misusing the brand identity

You should restrict an employee from acting on behalf of the organization in any capacity outside of their official work capacity.

Page 17: Social Media Security Policy

Page 18: Talking at work

● Whether your employees love or hate their job, it is important to advise them on discussing work over social media.
● Regardless of how hard you strive to provide a great working environment, some employees will always find something to complain about.
 o As an organization you need to walk a fine line here.
● Even internal things said over social media may come out

Page 19: Awkward….

Page 20: Talking at Work

● Legislation in the US offers employees a great deal of latitude
 o only dropping protection for employees if their statements are blatantly or maliciously false, or defamatory.
● The bulk of this regulation is set forth in the National Labor Relations Act.
 o “the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection,” as well as the right “to refrain from any or all such activities.”

Page 21: NLRB Rights

You have the right to...
● Engage in union activity
● Engage in “protected concerted” activity
● Address work-related issues
● Share information about pay, benefits, and working conditions with co-workers
● Take action with one or more co-workers to improve your working conditions by, among other means, raising work-related complaints directly
 – with your employer, or
 – with a government agency,
 – or seeking help to form a union.

Page 22: Case Studies

Our first example - Hispanics United of Buffalo, Inc (2010)

● A worker posted on Facebook that another employee felt that her coworkers did not help the Employer’s clients enough.
● She asked her coworkers how they felt about it.
● Four co-workers responded to the post. (There was light swearing)
 o The poster and the four coworkers were later discharged

Page 23: Case Studies

Policy conversation - Costco Wholesale Corp (2012)

● Costco had a policy prohibiting posts “that damage the Company, defame any individual or damage any person’s reputation, or violate the policies outlined in the Costco Employee Agreement.”
● The Board found that this wasn’t valid as it “clearly encompasses concerted communications”

Page 24: Case Studies

More Policy - DirecTV (2013)

● Do not contact the media
● Employees should not contact or comment to any media about the company unless pre-authorized by Public Relations
● If law enforcement wants to interview ...the employee should contact the security department
● Never discuss details about your job, company business or work projects with anyone outside the company
● “Employees may not blog, enter chat rooms, post messages on public websites or otherwise discuss company information that is not already disclosed as a public record”

Page 25: Case Studies

Three D, LLC (Triple Play), 361 NLRB No. 31 (2014)

● A post was made criticizing the company
 o It was followed up by other employees, and customers commented
● Two employees were fired for violating a policy against “engaging in inappropriate discussions about the company, management, and/or co-workers.”
● Employees are entitled to Section 7 protections for clicking an icon

Page 26: Guidelines

Each restriction below is paired with the NLRA-driven suggestion for it.

● Restriction: No language that is disparaging, inappropriate, embarrassing, defamatory, unprofessional, etc.
 NLRA suggestion: More definitions and examples needed

● Restriction: Do not post pictures of company logos, facilities, uniforms, ...
 NLRA suggestion: Needs to be limited so that things like picket signs can be shown

● Restriction: Do not discuss private and confidential information (regarding other employees, customers, etc.)
 NLRA suggestion: Need to define what confidential information isn’t (wages, treatment)

● Restriction: Do not use the company’s name and information in a social media profile
 NLRA suggestion: Hinders employees’ ability to find each other and discuss employment

● Restriction: Obtain prior approval to post something or talk to the media
 NLRA suggestion: This restricts the ability to organize labor

Page 27: Guidelines Cont.

● Restriction: Report unusual or inappropriate internal social media activity
 NLRA suggestion: Too broad; can be seen as discouraging protected activities.

● Restriction: No commenting on legal matters
 NLRA suggestion: Claims against employers are protected

● Restriction: No participating in social media communications using company resources and/or on company time
 NLRA suggestion: Employees have a right to engage in protected activities on the employer’s premises during non-work time and in non-work areas

Page 28: Actualities

● You can obviously still get fired
● You may remember:

Page 29: Your exposure

● Because of the NLRA, employers must be careful about the restrictions they put in place
● Social Media posts are covered under the Stored Communications Act (SCA)
 – Accessing private Facebook posts can be charged as a criminal act. Such actions can result in fines and very real prison time
● This can put employers in a dubious position.
 – Conversations and posts on social media can become the source of liability (harassment etc.)
● In such cases the guiding precedent has been that if information is presented to the employer, and the employer did not seek it out in any way, then they are free to act on that information in the interest of the organization

Page 30: Restricting Employees

Can I restrict employees?
● Yes, granted the exceptions from the NLRB
 o Online association with an employer
 o Adding disclaimers on forums
● Note:
 o Kroger Co of Michigan v. Granger

Page 31: Managers as Friends

● When talking about mixing business and pleasure, managers interacting with employees is also a hot topic. While managers might think that they are acting in their capacity as a friend, what happens when they see a post against company policy, or an opinion of the employee’s that they disagree with?
● On the other hand, a manager liking an employee's post might often help build camaraderie.
● We most often recommend that employers do not friend employees.

Page 32: Your Corporate Accounts

Page 33: An Example: Compromise

Page 34: Impersonations

● Where do impersonations occur?
 o Brands
 o CEOs
 o Regular employees
● Verification
 o Facebook will only verify public figures, and there is no form to request it; it happens automatically.
 o If you have a Page, Facebook will allow verification

Page 35: An Example: Impersonation

Page 36: Current Events… heh

Page 37: Action Against Imposters

● You can report it to Facebook/{Insert Network Here}
 o At which point it’s at Facebook’s discretion as to the legitimacy of the account.
● You can file a lawsuit
 o It will be civil (at this point) charges against the perpetrators for defamation or emotional distress.

Page 38: Twitter Requirements

Page 39: Who Detects Imposters

● Generally this type of activity falls to the Information Security team. There are of course a number of services that can assist with this.
● It will generally always require some level of human effort, and as such time should be allocated for finding and/or reviewing these threats. Common indications of impersonation include duplicate names, images, and information.
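The three indicators on this slide (duplicate names, images and information) can be turned into a triage queue so the reviewer's time goes to the most suspicious accounts first. The script below is an added example, not from the talk or ZeroFOX; every profile, handle and hash in it is constructed, and the `image_hash` field stands in for an avatar hash (perceptual or cryptographic) computed by some other tool. It goes slightly beyond the slide by folding lookalike characters ("0" for "o", "rn" for "m") into the name comparison, since copycat handles rarely match the official name exactly.

```python
"""
Impersonation triage: score candidate social-media profiles against an
organization's known official profiles using three indicators:
duplicate/similar names, identical avatar images, and copied bio text.
All profile data below is constructed for the example.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
import re
import unicodedata

# Lookalike substitutions commonly used in copycat handles (assumed list).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


@dataclass
class Profile:
    handle: str
    display_name: str
    bio: str
    image_hash: str          # hash of the avatar, computed elsewhere (placeholder values here)
    official: bool = False


def normalize_name(name: str) -> str:
    """Fold case, accents, lookalike digits and separators so 'Acme_C0rp' -> 'acmecorp'."""
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    name = name.lower().translate(LOOKALIKES)
    name = name.replace("rn", "m")  # 'rn' renders like 'm' in many fonts
    return re.sub(r"[^a-z0-9]", "", name)


def name_similarity(candidate: str, official: str) -> float:
    """1.0 if the official name is embedded in the candidate's, else a fuzzy ratio."""
    nc, no = normalize_name(candidate), normalize_name(official)
    if len(no) >= 5 and no in nc:
        return 1.0
    return SequenceMatcher(None, nc, no).ratio()


def info_overlap(a: str, b: str) -> float:
    """Jaccard overlap of bio tokens: copied profile text scores high."""
    ta = set(re.findall(r"[a-z0-9]+", a.lower()))
    tb = set(re.findall(r"[a-z0-9]+", b.lower()))
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


def score_candidate(candidate: Profile, official: Profile) -> tuple[float, list[str]]:
    """Return (score in [0, 1], human-readable reasons) for one candidate/official pair."""
    reasons, score = [], 0.0
    sim = max(name_similarity(candidate.handle, official.handle),
              name_similarity(candidate.display_name, official.display_name))
    if sim >= 0.8:
        score += 0.4 * sim
        reasons.append(f"name similarity {sim:.2f} to @{official.handle}")
    if candidate.image_hash == official.image_hash:
        score += 0.4
        reasons.append("avatar identical to official profile image")
    overlap = info_overlap(candidate.bio, official.bio)
    if overlap >= 0.5:
        score += 0.2 * overlap
        reasons.append(f"bio overlap {overlap:.2f}")
    return round(min(score, 1.0), 2), reasons


def triage(candidates, officials, threshold=0.4):
    """Reviewer queue: (handle, score, reasons) for candidates above threshold, highest first."""
    queue = []
    for cand in candidates:
        if cand.official:
            continue
        best = max((score_candidate(cand, off) for off in officials), key=lambda r: r[0])
        if best[0] >= threshold:
            queue.append((cand.handle, best[0], best[1]))
    return sorted(queue, key=lambda q: -q[1])


# Constructed sample data: two official profiles and three accounts found in search.
OFFICIALS = [
    Profile("AcmeCorp", "Acme Corp", "Official account of Acme Corp. Support: help@acme.example", "img:a1b2", True),
    Profile("jane_doe_ceo", "Jane Doe", "CEO at Acme Corp. Views are my own.", "img:c3d4", True),
]
CANDIDATES = [
    Profile("AcmeC0rp_Support", "Acme Corp Support",
            "Official account of Acme Corp. Support: help@acme.example - DM us your login to fix issues", "img:a1b2"),
    Profile("jane_d0e_ceo", "Jane Doe", "CEO at Acme Corp. Views are my own.", "img:ffff"),
    Profile("gardening_tips", "Gardening Tips", "Daily tips for your vegetable patch", "img:9999"),
]

if __name__ == "__main__":
    for handle, score, reasons in triage(CANDIDATES, OFFICIALS):
        print(f"{score:.2f}  @{handle}: {'; '.join(reasons)}")
```

The weights and the 0.4 cutoff are arbitrary starting points; the point is that the output is a ranked list with reasons attached, so the human review the slide calls for starts from the strongest signals (same avatar plus embedded brand name) rather than from an unsorted search dump.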

Page 40: Corporate Policy

Page 41: Corporate Policy

● Suggestion: Choose a single application to post from (or limit them)
● People posting to your pages
 o Detection of malware, phishing and spam
 o Inappropriate content - discrimination, sexual content, profanity

Page 42: Employees and their access

● Limit the number of people who can post to your account.
● Leverage login managers
 o An added advantage: it's easier to remove people
● Special attention should be paid when letting go individuals who have access to social media accounts.

Page 43: Case Studies

Page 44: Good Resources

● A collection of social media policies (outdated)
 o https://docs.google.com/spreadsheets/d/1aWvbqbxDmN_fVEJR4Kg-eEiv_D4_vgD8cQXGjVR3fxs/edit?hl=en&hl=en#gid=0
● The NLRB has endorsed Walmart's Social Media Security Policy, because it only forbids things already forbidden by other laws
 o https://corporate.walmart.com/policies

Page 45: Questions