In the book Digital Assassination: Protecting Your Reputation, Brand, or Business Against Online Attacks, it states that businesses that take days to respond to social media issues are way behind the curve.
Social media operates in real-time, and responses need to be almost as quick.
In a valuable new book on the topic, Securing the Clicks Network Security in the Age of Social Media, Gary Bahadur, Jason Inasi and Alex de Carvalho provide the reader with a comprehensive overview on how not to be a victim of social media based security problems.
Social media is now mainstream in corporate America, and even though it is hot, the security and privacy issues around it are even hotter. In the past, many firms simply said no to social media at the corporate level.
The main security and privacy issue around social media is that users will share huge amounts of highly confidential personal and business information with people they perceive to be legitimate.
Besides that, issues such as malware, vulnerabilities (cross site scripting, cross site request forgery, etc.), corporate espionage, phishing, spear phishing and more; are just a few of the many security risks around social media that need to be taken into consideration.
In the book, the authors detail a framework for analyzing the corporate threats that arise from social media. The book uses the H.U.M.O.R methodology (Human resources, Utilization of resources and assets, Monetary considerations, Operations management, Reputation management) a matrix that outlines a systematic approach for developing the necessary security plans, policies and processes to mitigate social media risks.
At 325 pages, the books 5 parts and 18 chapters provide the reader with a comprehensive overview of all of the critical areas around social media secure, that can be used to safeguard its assets and digital rights, in addition to defending their reputation from social network-based attacks.
The book covers all of the core topic areas, from assessing social media security, to monitoring in the social media landscape, threat assessments, reputation management: strategy and collaboration and more; the authors provide the reader with an enlightening overview of all of the core areas.
In chapter 1, the authors astutely note that no company today is immune to the many threats posted by a single individual, let alone a socially engaged and networked population. No firm should engage in social media before they fully understand the security and privacy risks that are being introduced. This book not only effectually does that; it also provides an all-inclusive framework around social media security.
As to the notion of the inherent security risks around social media, this was recently proven when Chris Hadnagy (author of Social Engineering: The Art of Human Hacking, reviewed here) and James O’Gorman detailed in their Social Engineering Capture the Flag results from Defcon 19 observed that information leakage via social media is a difficult problem to solve due to how it is used and the frequency it is used in today’s society.
Having access to social media from computers and cell phones means that people can update their accounts instantaneously, from anywhere. The ease of which an employee can share data can contribute heavily to information leakage.
Chapter 4 on threat assessments provides an exhaustive list of the different types of attackers and threat vectors that need to be considered when using social media. The attacks in the social media space are often different from typical IT attackers.
As to threat vectors, there are a number of different vectors, both internal and external that can impact an organization. The chapter lists those vectors and details them.
Chapter 9 – monetary considerations – strategy and collaboration – is a fascinating chapter in that it notes that in many firms, IT security budgets have not yet clearly defined the line item for social media security.
In addition, trying to retrofit the IT security budget by assuming that tools already purchased for data loss prevention will also cover social media security concerns will likely be inadequate.
Chapter 11 deals with reputation management – which has the goal to build and protect a positive Internet-based reputation, and not let it get subterfuged via social media. This is a significant issue as the risk to a firm’s reputation is significant and growing with the increased use of social networks.
One very helpful feature of the book that effectively brings home the message is numerous real-world case studies in every chapter. One fascinating example in chapter 13 is about the Cooks Source infringement controversy and the nature of how not to respond to a social media issue.
The book also lists numerous amounts of tools. Chapter 13 has a comprehensive list of monitoring tools and the appendix has a list of nearly 100 tools for activity tracking, analytics, geolocation, plagiarism checking and more. These lists are extremely helpful, and the reader can start using many of these tools to get an initial pulse on the level of security around how their firm uses social media.
Chapter 14 provides excellent guidance on how to execute social media security on a limited budget. The authors suggest the use of free or inexpensive software and other resources that can be used to help a company monitor the impact of their social media infrastructure.
The chapter also details how social media security can be executed on a bugger budget, via the use of more sophisticated tools that can be used to secure manage the data flows within an organization.
It will not be long until Facebook has its 1 billionth user. Given that a New York court recently referred to a user’s reasonable expectation of privacy on sites like Facebook and MySpace as wishful thinking, the importance of Securing the Clicks Network Security in the Age of Social Media can’t be overemphasized.
For those firms that are looking to securely use social media, and not get abused by it, this book should be required reading.
Cross-posted from RSA