social network management and security

Upload: anes-mandala

Post on 07-Apr-2018

TRANSCRIPT

  • 8/4/2019 Social Network Management and Security

    1/50

    Deploying, Managing, and Securing Social Media Applications

    Brian Mennecke

    2/50

    An Important Question

    Who in an organization is responsible for security?

    These concepts are a summary of Dutta and McCrohan, "Management's Role in Information Security in a Cyber Economy," California Management Review, October 2002.

    3/50

    The primary message

    Who in an organization is responsible for security?

    Good security in an organization starts at the top, not with firewalls, shielded cables, or biometrics.

    Senior management has a much more significant role to play in achieving security than they may think.

    4/50

    E-commerce and virtual organizations

    Organizations have an internal value chain and must interact with external entities at either end of this chain.

    External entities may be other businesses, individual customers, or the government. Interactions must be protected from being compromised by unauthorized parties.

    5/50

    Security vs. Privacy

    What are the differences between privacy and security?

    Privacy deals with the degree of control that an entity, whether a person or organization, has over information about itself.

    Security deals with vulnerability to unauthorized access to content.

    6/50

    Root cause!

    Why won't senior management engage in security?

    It is difficult to connect security-related expenditures to profitability.

    Increases in security will often increase costs and reduce efficiency.

    7/50

    What Should Senior Management Know?

    Security is not a technical issue; it is a management issue.

    Total security is a myth: not all information is of equal value, and it is not technically possible to protect all information assets.

    Stakeholders will be increasingly less tolerant of cyber-related vulnerabilities.

    8/50

    Threats

    Where do threats come from?

    Disgruntled current or former employees
    Hackers
    Virus writers
    Criminal groups
    Those engaged in corporate espionage
    Terrorists
    Foreign intelligence services
    Information warfare by foreign militaries and various other actors

    9/50

    Barriers to Security

    The worldwide diffusion of the Internet opens up new business opportunities (e.g., the 3-R Framework).

    It also increases an organization's vulnerability, since so many more individuals of unknown origin and intent now have access to its systems.

    10/50

    Increasing Richness: Good or Bad?

    Active web content, such as Java applets, enhances interaction with customers and suppliers.

    This technical capability also allows programs created by external entities to run on an organization's machines.

    11/50

    Increasing Reach: Good or Bad?

    Organizations that have an extensive partnering network find it difficult to define the boundaries of their information systems.

    There is an inherent conflict between security and "open systems" architectures that facilitate e-commerce (EC) interactions.

    12/50

    Clue IT In!

    Organizations commonly look for technical certification when hiring IT staff, but how often is any effort made to educate new security workers on the organization's strategic focus, or to communicate to them the criticality levels of its information assets?

    13/50

    Three Cornerstones

    Senior managers need to remember that security depends on the strength of three cornerstones: critical infrastructures, organization, and technology.

    Security also requires an end-to-end view of business processes.

    14/50

    Critical Infrastructures

    Critical infrastructure protection

    Government-industry collaboration

    Management's role in critical infrastructure protection: to recognize that critical infrastructure protection is an essential component of corporate governance as well as of organizational security.

    15/50

    Organization

    Structure: determines the locus of ownership of data and processes

    Business environment: threats are based on the value of the firm's intellectual property, the degree of change the firm is facing, its accessibility, and its industry position

    Culture

    SOPs

    Education, training, and awareness

    16/50

    Technology

    Firewalls and intrusion detection
    Password layering
    Public key infrastructure
    Secure servers
    VPNs

    17/50

    OK, So What? Managerial Implications

    Asset identification

    Risk assessment

    The control environment: physical, data, implementation, operations, administrative, and application system controls

    18/50

    Balancing Risks and Costs

    Step 1: Identify information assets at an appropriate level of aggregation.

    Step 2: Identify the financial consequences of these information assets being compromised, damaged, or lost.

    Step 3: Identify the costs of implementing the control mechanisms that are being proposed to enhance organizational security.

    Step 4: Estimate overall risk based on the likelihood of compromise.

    Step 5: Estimate the benefits expected from implementing the proposed security mechanisms.

    Step 6: Compare the expected benefits obtained in Step 5 with the cost estimates obtained in Step 3.
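    As an added worked example, not from the slides or from Dutta and McCrohan, the six steps above expressed as an annual-loss-expectancy calculation: an asset's single-loss value times its expected yearly incident rate gives the risk before a control (Steps 1, 2 and 4); a control's annual cost and the fraction of incidents it prevents (Steps 3 and 5) give the benefit; ranking proposals by benefit minus cost is Step 6. All asset names, values, rates and control costs are constructed for illustration.

```python
"""Added example, not from the slides: the six-step risk/cost balance as an
annual-loss-expectancy (ALE) calculation.  Every figure and name below is a
constructed assumption, not data from Dutta and McCrohan."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Asset:
    """Step 1: an information asset at a chosen level of aggregation."""
    name: str
    value: float         # Step 2: financial consequence of total loss (currency units)
    exposure: float      # fraction of that value lost in one incident, 0..1
    annual_rate: float   # Step 4: expected incidents per year with no new control


@dataclass
class Control:
    """Step 3: a proposed control, its annualised cost and what it prevents."""
    name: str
    annual_cost: float
    # asset name -> fraction of that asset's incidents the control prevents, 0..1
    rate_reduction: Dict[str, float] = field(default_factory=dict)


def annual_loss_expectancy(asset: Asset, rate_multiplier: float = 1.0) -> float:
    """ALE = single-loss expectancy x annual rate (optionally scaled by a control)."""
    single_loss = asset.value * asset.exposure
    return single_loss * asset.annual_rate * rate_multiplier


def evaluate_control(control: Control, assets: List[Asset]) -> dict:
    """Steps 4-6 for one control: ALE before and after it, the benefit (risk
    removed per year) and benefit minus cost.  net > 0 means the control is
    expected to pay for itself."""
    before = sum(annual_loss_expectancy(a) for a in assets)
    after = sum(
        annual_loss_expectancy(a, 1.0 - control.rate_reduction.get(a.name, 0.0))
        for a in assets
    )
    benefit = before - after
    return {
        "control": control.name,
        "ale_before": before,
        "ale_after": after,
        "benefit": benefit,
        "cost": control.annual_cost,
        "net": benefit - control.annual_cost,
    }


def rank_controls(controls: List[Control], assets: List[Asset]) -> List[dict]:
    """Step 6 across several proposals: best net benefit first."""
    rows = [evaluate_control(c, assets) for c in controls]
    return sorted(rows, key=lambda r: r["net"], reverse=True)


# Constructed inputs: hypothetical figures for a company running social media accounts
ASSETS = [
    Asset("customer_db", value=2_000_000, exposure=0.25, annual_rate=0.2),
    Asset("social_media_accounts", value=300_000, exposure=0.5, annual_rate=1.0),
    Asset("marketing_wiki", value=50_000, exposure=0.1, annual_rate=2.0),
]
CONTROLS = [
    Control("mfa_for_social_accounts", annual_cost=20_000,
            rate_reduction={"social_media_accounts": 0.8}),
    Control("db_encryption_and_monitoring", annual_cost=90_000,
            rate_reduction={"customer_db": 0.5}),
    Control("wiki_hardening", annual_cost=30_000,
            rate_reduction={"marketing_wiki": 0.9}),
]

if __name__ == "__main__":
    for row in rank_controls(CONTROLS, ASSETS):
        print(f"{row['control']:30} benefit={row['benefit']:>10,.0f} "
              f"cost={row['cost']:>8,.0f} net={row['net']:>10,.0f}")
```

    With these constructed numbers only the account-MFA control has a positive net; the database control removes more absolute risk but costs more than it saves, which is exactly the comparison Step 6 asks for. The weakest inputs in practice are the incident rates and exposure fractions, which come from incident history and estimates, so the ranking matters more than the decimals.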

    19/50

    Management Actions

    Corporate boards should ensure that senior managers buy into the process of risk assessment.

    Senior managers also need to ensure that technical and operational staff understand each other's requirements and are cooperatively engaged in the process.

    Establish an ongoing process of monitoring risk.


    21/50

    The Bottom Line

    Managers need to sort through which risks are most likely to materialize and which could cause the most damage to the business, then spend their money where they think it will be most useful.

    When viewed through an operational lens, decisions about digital security are not much different from other cost-benefit decisions general managers must make.

    22/50

    Back to the Risks

    Facebook's Overblown Privacy Problems (Forbes): http://www.forbes.com/technology/2007/12/05/facebook-beacon-opt-tech-internet-cx_ag_1205techfacebook.html

    Google Hacks (GHDB): http://johnny.ihackstuff.com/ghdb.php

    Privacy Disaster At Twitter: Direct Messages Exposed (TechCrunch): http://www.techcrunch.com/2008/04/23/privacy-disaster-at-twitter-direct-messages-exposed/

    Social-networking sites concern cyber-security experts (Star-Telegram): http://www.star-telegram.com/100/story/1114533.html

    23/50

    A Key Requirement for Deploying Social Media is Establishing Security

    Without security, the integrity of organizational IT resources will be at risk; therefore, security is everyone's business.

    Security is an increasingly important issue because of an increasing number of threats.

    24/50

    Security Concepts

    Authentication: the process by which one entity verifies that another entity is who it claims to be.

    Authorization: the process that ensures that a person has the right to access certain resources.

    Confidentiality: keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes.

    Integrity: being able to protect data from being altered or destroyed in an unauthorized or accidental manner.

    Nonrepudiation: the ability to limit parties from refuting that a legitimate transaction took place, usually by means of a signature.
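    The integrity and nonrepudiation definitions above, as an added example that is not part of the slides: a shared-key HMAC gives integrity and tells the recipient that the message came from a holder of the key, but because the recipient holds that same key the tag cannot serve as evidence against the sender. That is why the nonrepudiation row needs a digital signature rather than a MAC. The key and messages are constructed for illustration; no signature scheme is shown because Python's standard library has none.

```python
"""Added example, not from the slides: integrity/authentication with an HMAC,
and why a shared-key MAC cannot provide nonrepudiation.  The key and messages
are constructed for illustration."""
import hashlib
import hmac

# Constructed demo key shared by the poster and the platform.  Real keys are
# generated randomly and provisioned out of band, never hard-coded.
SHARED_KEY = b"\x11" * 32


def make_tag(key: bytes, message: bytes) -> bytes:
    """Integrity + origin: only a holder of `key` can produce this tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """compare_digest runs in constant time, so a wrong tag does not leak how
    many leading bytes matched."""
    return hmac.compare_digest(make_tag(key, message), tag)


def protect(key: bytes, message: bytes) -> dict:
    """What the sender transmits: the message and its tag (hex for transport)."""
    return {"message": message, "tag": make_tag(key, message).hex()}


def check(key: bytes, envelope: dict) -> bool:
    """Recipient side: accept only if the tag matches the message under `key`.
    A changed byte in the message (integrity) and a different key
    (authentication) both fail here, as does a malformed tag."""
    try:
        tag = bytes.fromhex(envelope["tag"])
    except (KeyError, ValueError, TypeError):
        return False
    return verify_tag(key, envelope["message"], tag)


def recipient_can_forge(key: bytes) -> bool:
    """The nonrepudiation gap: the recipient holds the same key, so it can
    build a message the sender never sent and a tag that verifies.  A third
    party cannot tell which side produced it, so the sender can repudiate it.
    Returns True when the forged envelope passes `check`."""
    forged = protect(key, b"post: we are discontinuing product X")  # never sent by the poster
    return check(key, forged)
```

    An HMAC is the right tool for the integrity and authentication rows of the slide. For nonrepudiation the sender signs with a private key only it holds and anyone verifies with the public key, so a valid signature can only have come from the sender; that is the "signature" the slide refers to.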

    25/50

    Types of Threats and Attacks

    Nontechnical attack: an attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network.

    26/50

    Types of Threats and Attacks (cont.)

    Social engineering: a type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access.

    27/50

    Types of Threats and Attacks (cont.)

    Multiprong approach used to combat social engineering:

    1. Education and training
    2. Policies and procedures
    3. Penetration testing

    28/50

    Types of Threats and Attacks (cont.)

    Technical attack: an attack perpetrated using software and systems knowledge or expertise.

    29/50

    Types of Threats and Attacks (cont.)

    Denial-of-service (DoS) attack: an attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources.

    30/50

    Types of Threats and Attacks (cont.)

    Distributed denial-of-service (DDoS) attack: a denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses these multiple computers to send a flood of data packets to the target computer.
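    As an added example that is not from the slides, a sliding-window rate detector run over constructed web-server log lines, showing the practical difference between the two definitions: a single-source flood (DoS) is caught by a per-source limit, while a distributed flood (DDoS) stays under that limit for every source and only shows up in the aggregate count. The log format, the addresses (from the 203.0.113.0/24 documentation range), the thresholds and the request volumes are all assumptions.

```python
"""Added example, not from the slides: sliding-window flood detection over
constructed log lines, distinguishing a single-source DoS from a DDoS whose
sources each stay below the per-source limit.  Format, addresses and
thresholds are assumptions."""
from collections import defaultdict, deque


def parse_line(line: str):
    """Assumed (constructed) log format: '<epoch-seconds> <client-ip> <method> <path>'."""
    ts, ip, _method, _path = line.split(maxsplit=3)
    return float(ts), ip


def detect_floods(lines, window_s=10.0, per_source_limit=20, aggregate_limit=100):
    """Returns (dos_sources, ddos_seen).

    dos_sources: IPs that sent more than per_source_limit requests inside any
    window_s-second window (a single-source DoS, which per-source rate limiting
    can stop).
    ddos_seen: True if total requests in a window exceeded aggregate_limit
    while no single source exceeded per_source_limit in that window, i.e. the
    flood is spread thinly enough that per-source limits never fire."""
    events = sorted(parse_line(line) for line in lines)
    per_source = defaultdict(deque)   # ip -> timestamps still inside the window
    in_window = deque()               # all timestamps still inside the window
    dos_sources = set()
    ddos_seen = False
    for ts, ip in events:
        cutoff = ts - window_s
        in_window.append(ts)
        while in_window[0] < cutoff:
            in_window.popleft()
        per_source[ip].append(ts)
        for q in per_source.values():          # evict stale entries for every source
            while q and q[0] < cutoff:
                q.popleft()
        busiest = max(len(q) for q in per_source.values())
        if len(per_source[ip]) > per_source_limit:
            dos_sources.add(ip)
        if len(in_window) > aggregate_limit and busiest <= per_source_limit:
            ddos_seen = True
    return sorted(dos_sources), ddos_seen


BASE_TIME = 1_600_000_000  # arbitrary constructed epoch start


def make_lines(n_sources, per_source, span_s, path="/feed"):
    """Constructs a log in which n_sources addresses each send per_source
    GET requests, spread evenly over span_s seconds, round-robin."""
    total = n_sources * per_source
    return [
        f"{BASE_TIME + span_s * i / total:.3f} 203.0.113.{(i % n_sources) + 1} GET {path}"
        for i in range(total)
    ]


BENIGN_LOG = make_lines(n_sources=5, per_source=4, span_s=60)           # 20 requests in a minute
SINGLE_SOURCE_FLOOD = make_lines(n_sources=1, per_source=50, span_s=10)  # one IP, 50 in 10 s
DISTRIBUTED_FLOOD = make_lines(n_sources=40, per_source=3, span_s=10)    # 40 IPs, 3 each, 120 in 10 s

if __name__ == "__main__":
    for name, log in [("benign", BENIGN_LOG), ("dos", SINGLE_SOURCE_FLOOD), ("ddos", DISTRIBUTED_FLOOD)]:
        print(name, detect_floods(log))
```

    The eviction loop over every source is fine for an illustration and would be replaced by bucketed counters at real volumes. The lesson matches the slide's definitions: once the attacker spreads the flood across many compromised machines, a source-based signal goes quiet, so detection has to look at the aggregate and mitigation has to happen upstream of the target.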

    31/50

    Types of Threats and Attacks (cont.)

    Malware: a generic term for malicious software.

    The severity of virus attacks is increasing substantially, requiring much more time and money to recover.

    85% of survey respondents said that their organizations had been the victims of e-mail viruses in 2002.

    32/50

    Types of Threats and Attacks (cont.)

    Malware takes a variety of forms, both pure and hybrid:

    Virus: a piece of software code that inserts itself into a host, including the operating system, to propagate; it requires that its host program be run to activate it.

    Worm: a software program that runs independently, consuming the resources of its host in order to maintain itself, and is capable of propagating a complete working version of itself onto another machine.

    Macro virus or macro worm: a virus or worm that is executed when the application object that contains the macro is opened or a particular procedure is executed.

    Trojan horse: a program that appears to have a useful function but that contains a hidden function that presents a security risk.

    http://www.homestarrunner.com/sbemail118.html

    33/50

    CERT: Recommendations for Governing Organizational Security

    Questions to ask:

    What is at risk?

    How much security is enough?

    How should an organization develop policies on security, and achieve and sustain proper security?

    The CERT recommendations are derived from a report written by Julia Allen entitled Governing for Enterprise Security, which may be found at http://www.cert.org/archive/pdf/05tn023.pdf

    34/50

    CERT: Recommendations for Governing Organizational Security

    What is at risk?

    Trust that the public has in your organization
    Reputation and brand
    Shareholder value
    Market confidence
    Regulatory compliance (fines, jail time)
    Market share
    Customer privacy
    Ongoing, uninterrupted operations
    Morale of organizational members

    35/50

    CERT: Recommendations for Governing Organizational Security

    How Much Security is Enough?

    Management's perspective needs to shift:

                  From                  To
    Scope:        Technical problem     Enterprise problem
    Ownership:    IT                    Enterprise
    Funding:      Expense               Investment
    Focus:        Intermittent          Integrated
    Driver:       External              Enterprise
    Application:  Platform/practice     Process
    Goal:         IT security           Enterprise

    36/50

    CERT: Recommendations for Governing Organizational Security

    Good Security Strategy Questions

    What needs to be protected?
    Why does it need to be protected?
    What happens if it is not protected?
    What potential adverse consequences need to be prevented?
    What will be the cost?
    How much of a disruption can we stand before we take action?
    How do we effectively manage the residual risk when protection and prevention actions are not taken?

    37/50

    CERT: Recommendations for Evolving the Security Approach

    38/50

    CERT: Recommendations for Evolving the Security Approach

    39/50

    CERT: Recommendations for Evolving the Security Approach

    What Does Effective Security Look Like at the Enterprise Level?

    It's no longer solely under IT's control.
    Achievable, measurable objectives are defined and included in strategic and operational plans.
    Functions across the organization view security as part of their job (e.g., Audit) and are measured accordingly.
    Adequate and sustained funding is a given.
    Senior executives visibly sponsor and measure this work against defined performance parameters.
    It is considered a requirement of being in business.

    40/50

    Managing IS and Social Media Technology

    41/50

    Why Establish a Strategy for Social Media?

    To provide direction for diverse segments of the organization

    To communicate a vision of the future

    To provide a coherent and consistent theme that can be used in making individual decisions

    Such a dialog helps managers and IS professionals make decisions about how the business of IS will be conducted.

    42/50

    The results of the process: An Information Resources Assessment

    An information resources assessment includes inventorying and critically evaluating these resources in terms of how well they are meeting the organization's business needs.

    43/50

    The results of the process: Information Vision and Architecture

    Information vision: a written expression of the desired future about how information will be used and managed in the organization.

    44/50

    The results of the process: Information Vision and Architecture

    Information vision: a written expression of the desired future about how information will be used and managed in the organization.

    Information technology architecture: depicts the way an organization's information resources will be deployed to deliver that vision.

    45/50

    The results of the process: Information Resources Plans

    Strategic IS plan: contains a set of longer-term objectives that represent measurable movement toward the information vision and technology architecture, and a set of associated major initiatives that must be undertaken to achieve these objectives.

    46/50

    The results of the process: Information Resources Plans

    Strategic IS plan: contains a set of longer-term objectives that represent measurable movement toward the information vision and technology architecture, and a set of associated major initiatives that must be undertaken to achieve these objectives.

    Operational IS plan: a precise set of shorter-term goals and associated projects that will be executed by the IS department and by business managers in support of the strategic IS plan.

    47/50

    THE PROCESS OF SETTING DIRECTION

    Assessment
    Vision
    Strategic planning
    Operational planning

    48/50

    THE PROCESS OF SETTING DIRECTION

    Strategic planning: the process of constructing a viable fit between the organization's objectives and resources and its changing market and technological opportunities.

    49/50

    THE PROCESS OF SETTING DIRECTION

    Operational planning: lays out the major actions the organization needs to carry out in the shorter term to activate its strategic initiatives.

    50/50

    Business Plan vs. Strategy

    Chesbrough and Rosenbloom (2003)

    Creating value vs. capturing value: the business model's focus is on value creation. While the business model also addresses how that value will be captured by the firm, strategy goes further by focusing on building a sustainable competitive advantage.

    Business value vs. shareholder value: the business model is an architecture for converting innovation to economic value for the business. However, the business model does not focus on delivering that business value to the shareholder. For example, financing methods are not considered by the business model but nonetheless impact shareholder value.

    Assumed knowledge levels: the business model assumes a limited environmental knowledge, whereas strategy depends on a more complex analysis that requires more certainty in the knowledge of the environment.