social network management and security
TRANSCRIPT
-
8/4/2019 Social Network Management and Security
1/50
Deploying, Managing, and Securing Social Media Applications
Brian Mennecke
-
An Important Question
Who in an organization is responsible for security?
These concepts are a summary of Dutta and McCrohan, Management's Role in Information Security in a Cyber Economy, California Management Review, October 2002
-
The primary message
Who in an organization is responsible for security?
Good security in an organization starts at the top, not with firewalls, shielded cables or biometrics.
Senior management has a much more significant role to play in achieving security than they may think.
-
E-commerce and virtual organizations
Organizations have an internal value chain and must interact with external entities at either end of this chain.
External entities may be other businesses, individual customers, or the government.
Interactions must be protected from being compromised by unauthorized parties.
-
Security vs. Privacy
What are the differences between privacy and security?
Privacy deals with the degree of control that an entity, whether a person or organization, has over information about itself.
Security deals with vulnerability to unauthorized access to content.
-
Root cause!
Why won't Sr. Management engage in security?
It is difficult to connect security-related expenditures to profitability.
Increases in security will often increase costs and reduce efficiency.
-
What Should Sr. Management Know?
Security is not a technical issue; it is a management issue.
Total security is a myth: not all information is of equal value, and it is not technically possible to protect all information assets.
Stakeholders will be increasingly less tolerant of cyber-related vulnerabilities.
-
Threats
Where do threats come from?
Disgruntled current or former employees
Hackers
Virus writers
Criminal groups
Those engaged in corporate espionage
Terrorists
Foreign intelligence services
Information warfare by foreign militaries and various other actors
-
Barriers to Security
The worldwide diffusion of the Internet opens up new business opportunities (e.g., 3-R Framework).
It also increases an organization's vulnerability, since so many more individuals of unknown origin and intent now have access to its systems.
-
Increasing Richness; Good or Bad?
Active web content, such as Java applets, enhances interaction with customers and suppliers.
This technical capability also allows programs created by external entities to run on an organization's machines.
-
Increasing Reach; Good or Bad?
Organizations that have an extensive partnering network find it difficult to define the boundaries of their information systems.
There is an inherent conflict between security and "open systems" architectures that facilitate EC interactions.
-
Clue IT In!
Organizations commonly look for technical certification when hiring IT staff, but how often is any effort made to educate new security workers on the organization's strategic focus, or to communicate to them the criticality levels of its information assets?
-
Three Cornerstones
Senior managers need to remember that security depends on the strength of the three cornerstones:
Critical infrastructures
Organization
Technology
Security also requires an end-to-end view of business processes.
-
Critical Infrastructures
Critical infrastructure protection
Government-industry collaboration
Management's role in critical infrastructure protection: to recognize that critical infrastructure protection is an essential component of corporate governance as well as of organizational security
-
Organization
Structure: determines the locus of ownership of data and processes
Business environment: threats depend on the value of the firm's intellectual property, the degree of change the firm is facing, its accessibility, and its industry position
Culture
SOPs
Education, training, and awareness
-
Technology
Firewalls and intrusion detection
Password layering
Public key infrastructure
Secure servers
VPNs
-
Ok, So What? Managerial Implications
Asset identification
Risk assessment
The control environment:
Physical
Data
Implementation
Operations
Administrative
Application system controls
-
Balancing Risks and Costs
Step 1: Identify information assets at an appropriate level of aggregation
Step 2: Identify the financial consequences of these information assets being compromised, damaged, or lost
Step 3: Identify the costs of implementing the control mechanisms that are being proposed to enhance organizational security
Step 4: Estimate overall risk based on the likelihood of compromise
Step 5: Estimate the benefits expected by implementing the proposed security mechanisms
Step 6: Compare the expected benefits obtained in Step 5 with the cost estimates obtained in Step 3
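As an added worked example (not part of the slides or of Dutta and McCrohan's paper), the six steps above carried through in Python as an annualized-loss calculation: each asset carries a loss-if-compromised figure (Step 2) and a yearly likelihood of compromise (Step 4), each proposed control carries its cost (Step 3) and the share of that likelihood it is expected to remove, and the resulting benefit (Step 5) is compared against the cost (Step 6). Every asset value, probability, control cost and the `likelihood_reduction` parameter is a constructed assumption of this example, not a figure from the deck.

```python
"""Six-step risk/cost screening of proposed security controls.

Added example, not from the slides: asset values, likelihoods, control
costs and the likelihood_reduction parameter are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str                    # Step 1: asset at a chosen level of aggregation
    loss_if_compromised: float   # Step 2: financial consequence of compromise/loss
    annual_likelihood: float     # Step 4: estimated probability of compromise per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float           # Step 3: cost to implement and operate
    protects: tuple              # names of the assets the control covers
    likelihood_reduction: float  # fraction of the yearly likelihood it removes (assumed)


def annual_loss_expectancy(asset: Asset) -> float:
    """Expected yearly loss from one asset (Step 2 x Step 4)."""
    return asset.loss_if_compromised * asset.annual_likelihood


def control_benefit(control: Control, assets_by_name: dict) -> float:
    """Step 5: yearly loss the control is expected to avoid, summed over
    every asset it protects. An asset the control names but that is not in
    the inventory contributes nothing (it was never identified in Step 1)."""
    return sum(
        annual_loss_expectancy(assets_by_name[n]) * control.likelihood_reduction
        for n in control.protects
        if n in assets_by_name
    )


def evaluate_controls(assets, controls):
    """Step 6: compare benefit with cost. Returns rows of
    (control name, benefit, cost, net value), best net value first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for c in controls:
        benefit = round(control_benefit(c, by_name), 2)
        rows.append((c.name, benefit, c.annual_cost, round(benefit - c.annual_cost, 2)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def worthwhile_controls(assets, controls):
    """Names of the controls whose expected benefit exceeds their cost."""
    return [r[0] for r in evaluate_controls(assets, controls) if r[3] > 0]


# Constructed inventory (Step 1) with constructed figures.
ASSETS = [
    Asset("customer_db", loss_if_compromised=2_000_000, annual_likelihood=0.05),
    Asset("social_media_accounts", loss_if_compromised=250_000, annual_likelihood=0.20),
    Asset("marketing_site", loss_if_compromised=50_000, annual_likelihood=0.30),
]

# Constructed proposals with constructed costs and effectiveness estimates.
CONTROLS = [
    Control("mfa_for_social_accounts", 8_000, ("social_media_accounts",), 0.8),
    Control("db_encryption_and_monitoring", 60_000, ("customer_db",), 0.5),
    Control("waf_for_marketing_site", 12_000, ("marketing_site",), 0.6),
]

if __name__ == "__main__":
    for name, benefit, cost, net in evaluate_controls(ASSETS, CONTROLS):
        print(f"{name:32s} benefit={benefit:>10,.0f} cost={cost:>8,.0f} net={net:>10,.0f}")
    print("fund:", worthwhile_controls(ASSETS, CONTROLS))
```

The likelihood column (Step 4) is the least reliable input in this kind of calculation; rerunning `evaluate_controls` over a range of likelihood estimates before committing budget shows which decisions actually depend on that guess.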
-
Management Actions
Corporate boards should ensure that senior managers buy into the process of risk assessment.
Senior managers also need to ensure that technical and operational staff understand each other's requirements and are cooperatively engaged in the process.
Establish an ongoing process of monitoring risk.
-
The Bottom Line
Managers need to sort through which risks are most likely to materialize and which could cause the most damage to the business, then spend their money where they think it will be most useful.
When viewed through an operational lens, decisions about digital security are not much different from other cost-benefit decisions general managers must make.
-
Back to the Risks
Facebook's Overblown Privacy Problems: http://www.forbes.com/technology/2007/12/05/facebook-beacon-opt-tech-internet-cx_ag_1205techfacebook.html
Google Hacks: http://johnny.ihackstuff.com/ghdb.php
Privacy Disaster At Twitter: Direct Messages Exposed: http://www.techcrunch.com/2008/04/23/privacy-disaster-at-twitter-direct-messages-exposed/
Social-networking sites concern cyber-security experts: http://www.star-telegram.com/100/story/1114533.html
-
A Key Requirement for Deploying Social Media is Establishing Security
Without security, the integrity of organizational IT resources will be at risk; therefore, security is everyone's business.
Security is an increasingly important issue because of an increasing number of threats.
-
Security Concepts
Authentication: The process by which one entity verifies that another entity is who it claims to be
Authorization: The process that ensures that a person has the right to access certain resources
Confidentiality: Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes
Integrity: Being able to protect data from being altered or destroyed in an unauthorized or accidental manner
Nonrepudiation: The ability to prevent parties from refuting that a legitimate transaction took place, usually by means of a signature
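The following is an added example, not code from the slides, showing four of these concepts as they appear in a message-handling path: a shared-key MAC gives authentication and integrity, a role table gives authorization, and the last function shows why a shared-key MAC does not give nonrepudiation (the verifier holds the same key and can mint a tag the sender never produced, which is why the slide says nonrepudiation usually needs a signature). Confidentiality (encryption) is not covered here. The key, the role table and the messages are constructed for the demonstration; `process_post` and `ROLE_PERMISSIONS` are names chosen for this example.

```python
"""Authentication, authorization, integrity and nonrepudiation in code.

Added example, not from the slides: the shared key, role table and
messages are constructed. Standard library only.
"""
import hashlib
import hmac

# Constructed role table for the authorization step.
ROLE_PERMISSIONS = {
    "editor": {"read", "post"},
    "viewer": {"read"},
}


def tag(key: bytes, message: bytes) -> str:
    """Message authentication code over the message under a shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, mac: str) -> bool:
    """Authentication + integrity: a matching tag shows the message came
    from a holder of the key and was not altered in transit.
    compare_digest avoids leaking the first mismatching byte via timing."""
    return hmac.compare_digest(tag(key, message), mac)


def authorized(role: str, action: str) -> bool:
    """Authorization: does this (already authenticated) role hold the right?"""
    return action in ROLE_PERMISSIONS.get(role, set())


def process_post(key: bytes, sender_role: str, message: bytes, mac: str) -> str:
    """Authenticate first, then authorize; never the other way round."""
    if not verify(key, message, mac):
        return "rejected: authentication/integrity check failed"
    if not authorized(sender_role, "post"):
        return "rejected: not authorized to post"
    return "accepted"


def recipient_can_forge(shared_key: bytes, forged_message: bytes) -> bool:
    """Why a shared-key MAC gives no nonrepudiation: the verifier holds the
    same key, so it can produce a valid tag for text the sender never sent,
    and the sender can plausibly deny it. Nonrepudiation needs a signature
    made with a key that only the signer holds."""
    forged_tag = tag(shared_key, forged_message)
    return verify(shared_key, forged_message, forged_tag)


# Constructed key and message for the demonstration.
KEY = b"constructed-shared-key-do-not-reuse"
MESSAGE = b"post: Q3 product launch is live"

if __name__ == "__main__":
    mac = tag(KEY, MESSAGE)
    print(process_post(KEY, "editor", MESSAGE, mac))          # accepted
    print(process_post(KEY, "editor", MESSAGE + b"!", mac))   # integrity failure
    print(process_post(KEY, "viewer", MESSAGE, mac))          # authorization failure
    print(recipient_can_forge(KEY, b"post: never sent"))      # True
```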
-
Types of Threats and Attacks
Nontechnical attack: An attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network
-
Types of Threats and Attacks (cont.)
Social engineering: A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access
-
Types of Threats and Attacks (cont.)
Multiprong approach used to combat social engineering:
1. Education and training
2. Policies and procedures
3. Penetration testing
-
Types of Threats and Attacks (cont.)
Technical attack: An attack perpetrated using software and systems knowledge or expertise
-
Types of Threats and Attacks (cont.)
Denial-of-service (DoS) attack: An attack in which an attacker uses specialized software to send a flood of data packets or requests to the target computer (for example, a Web site) with the aim of overloading its resources
-
Types of Threats and Attacks (cont.)
Distributed denial-of-service (DDoS) attack: A denial-of-service attack in which the attacker illegally takes control of as many computers on the Internet as possible and uses these multiple computers together to send a flood of data packets to the target computer
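As an added example (not from the slides), the two definitions above turned into the detection logic a defender would run over web-server access logs: requests are bucketed into fixed time windows per source address; one source far above a per-source limit is the DoS pattern, while a window whose aggregate volume is high with no single source standing out is the DDoS pattern the second definition describes. The log lines, addresses, timestamps and the thresholds (`per_ip_limit`, `total_limit`) are constructed for illustration and are not from any real system.

```python
"""Flood detection over web-server access logs (DoS vs. DDoS pattern).

Added example, not from the slides: log lines, addresses, timestamps and
thresholds are constructed. Standard library only.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: client ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse(line: str):
    """Return (ip, timestamp) for a well-formed line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts


def requests_per_window(lines, window_seconds=10):
    """Bucket requests into fixed windows: {window_start_epoch: Counter(ip -> n)}."""
    windows = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed line: skip it rather than crash the detector
        ip, ts = rec
        epoch = int(ts.timestamp())
        windows[epoch - epoch % window_seconds][ip] += 1
    return windows


def classify(lines, window_seconds=10, per_ip_limit=50, total_limit=200):
    """Flag each window as 'dos' (one source above per_ip_limit) or 'ddos'
    (aggregate above total_limit while every source stays under the
    per-source limit). Returns (window_start, kind, detail, count) tuples."""
    findings = []
    for start, counts in sorted(requests_per_window(lines, window_seconds).items()):
        total = sum(counts.values())
        top_ip, top_n = counts.most_common(1)[0]
        if top_n > per_ip_limit:
            findings.append((start, "dos", top_ip, top_n))
        elif total > total_limit:
            findings.append((start, "ddos", len(counts), total))
    return findings


def _line(ip: str, when: datetime) -> str:
    return f'{ip} - - [{when:%d/%b/%Y:%H:%M:%S %z}] "GET / HTTP/1.1" 200 512'


def make_sample_log():
    """Constructed log: a quiet window, then one flooding source, then a
    spread-out flood from many sources that each stay under the limit."""
    base = datetime(2019, 8, 4, 13, 55, 30, tzinfo=timezone.utc)
    lines = []
    # window 1: normal traffic, 5 clients x 2 requests
    for i in range(10):
        lines.append(_line(f"192.0.2.{i % 5 + 1}", base + timedelta(seconds=i % 10)))
    # window 2: one client sends 80 requests in 10 seconds (DoS pattern)
    for i in range(80):
        lines.append(_line("203.0.113.7", base + timedelta(seconds=10 + i % 10)))
    # window 3: 60 clients x 5 requests = 300 in 10 seconds (DDoS pattern)
    for host in range(60):
        for i in range(5):
            lines.append(_line(f"198.51.100.{host + 1}", base + timedelta(seconds=20 + i % 10)))
    lines.append("garbage line that does not parse")
    return lines


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    for start, kind, detail, count in classify(SAMPLE_LOG):
        print(datetime.fromtimestamp(start, timezone.utc), kind, detail, count)
```

Fixed windows and static thresholds are only a starting point: in practice the limits are set relative to the site's measured baseline, and the per-source signal weakens when many legitimate clients arrive through one NAT gateway or proxy, so a single busy address is not by itself proof of attack.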
-
Types of Threats and Attacks (cont.)
Malware: A generic term for malicious software
The severity of virus attacks is increasing substantially, requiring much more time and money to recover.
85% of survey respondents said that their organizations had been the victims of e-mail viruses in 2002.
-
Types of Threats and Attacks
Malware takes a variety of forms, both pure and hybrid:
Virus: A piece of software code that inserts itself into a host, including the operating system, in order to propagate; it requires that its host program be run to activate it
Worm: A software program that runs independently, consuming the resources of its host in order to maintain itself, and is capable of propagating a complete working version of itself onto another machine
Macro virus or macro worm: A virus or worm that is executed when the application object that contains the macro is opened or a particular procedure is executed
Trojan horse: A program that appears to have a useful function but that contains a hidden function that presents a security risk
http://www.homestarrunner.com/sbemail118.html
-
CERT: Recommendations for Governing Organizational Security
Questions to ask:
What is at risk?
How much security is enough?
How should an organization develop policies on security, and achieve and sustain proper security?
The CERT recommendations are derived from a report written by Julia Allen entitled Governing for Enterprise Security, which may be found at http://www.cert.org/archive/pdf/05tn023.pdf
-
CERT: Recommendations for Governing Organizational Security
What is at risk?
Trust that the public has in your organization
Reputation and brand
Shareholder value
Market confidence
Regulatory compliance
Fines
Jail time
Market share
Customer privacy
Ongoing, uninterrupted operations
Morale of organizational members
-
CERT: Recommendations for Governing Organizational Security
How Much Security is Enough?
Management's perspective needs to shift (from -> to):
Scope: Technical problem -> Enterprise problem
Ownership: IT -> Enterprise
Funding: Expense -> Investment
Focus: Intermittent -> Integrated
Driver: External -> Enterprise
Application: Platform/practice -> Process
Goal: IT security -> Enterprise security
-
CERT: Recommendations for Governing Organizational Security
Good Security Strategy Questions
What needs to be protected?
Why does it need to be protected?
What happens if it is not protected?
What potential adverse consequences need to be prevented?
What will be the cost?
How much of a disruption can we stand before we take action?
How do we effectively manage the residual risk when protection and prevention actions are not taken?
-
CERT: Recommendations for Evolving the Security Approach
What Does Effective Security Look Like at the Enterprise Level?
It's no longer solely under IT's control
Achievable, measurable objectives are defined and included in strategic and operational plans
Functions across the organization view security as part of their job (e.g., Audit) and are so measured
Adequate and sustained funding is a given
Senior executives visibly sponsor and measure this work against defined performance parameters
Considered a requirement of being in business
-
Managing IS and Social Media
Technology
-
Why Establish a Strategy for Social Media?
To provide direction for diverse segments of the organization
To communicate a vision of the future
To provide a coherent and consistent theme that can be used in making individual decisions
Such a dialog helps managers and IS professionals make decisions about how the business of IS will be conducted
-
The results of the process
An Information Resources Assessment
Information resources assessment includes inventorying and critically evaluating these resources in terms of how well they are meeting the organization's business needs
-
The results of the process
Information Vision and Architecture
Information vision: a written expression of the desired future about how information will be used and managed in the organization
-
Information Vision and Architecture
Information technology architecture: depicts the way an organization's information resources will be deployed to deliver that vision
-
The results of the process
Information Resources Plans
Strategic IS plan: contains a set of longer-term objectives that represent measurable movement toward the information vision and technology architecture, and a set of associated major initiatives that must be undertaken to achieve these objectives
-
Information Resources Plans
Operational IS plan: a precise set of shorter-term goals and associated projects that will be executed by the IS department and by business managers in support of the strategic IS plan
-
THE PROCESS OF SETTING DIRECTION
Assessment
Vision
Strategic Planning
Operational Planning
-
Strategic planning: the process of constructing a viable fit between the organization's objectives and resources and its changing market and technological opportunities
-
Operational planning: lays out the major actions the organization needs to carry out in the shorter term to activate its strategic initiatives
-
Business Plan vs. Strategy
Chesbrough and Rosenbloom (2003)
Creating value vs. capturing value: the business model's focus is on value creation. While the business model also addresses how that value will be captured by the firm, strategy goes further by focusing on building a sustainable competitive advantage.
Business value vs. shareholder value: the business model is an architecture for converting innovation into economic value for the business. However, the business model does not focus on delivering that business value to the shareholder. For example, financing methods are not considered by the business model but nonetheless impact shareholder value.
Assumed knowledge levels: the business model assumes limited environmental knowledge, whereas strategy depends on a more complex analysis that requires more certainty in the knowledge of the environment.