Friday 9 December 2011

Andrea Zapparoli Manzoni - Social Business Security & Risk Management Strategies

As promised, Andrea is back with the second part of his contribution to Punto 1 and now it's the turn of the threats of "Computer aided social networking".

Those who missed Andrea's previous post can find it here.

As an introduction to this post, I can say that sometimes I find a guest post that I feel very close to my vision and my approach to security... in this case I am in complete syntony with Andrea's post.

Thank you again Andrea!

Punto 1 will always be open for your posts.


"Social Networking" is not new at all; in fact it is something that humans have been doing for half a million years or so.

But "Computer Aided Social Networking" is *very* new, and it has so many far-reaching consequences that even the terms of the problem are hard to define.
As of today, there are no laws, no institutions, and no existing socio-economic or philosophical tools that we can apply to this subject without a distinct feeling of inappropriateness. So, before we talk about risk management and security countermeasures of any kind, let me briefly introduce a couple of key concepts.

First (and hardest) concept: we are entering the uncharted waters of a new age, where computer- and internet-aided (some would say "augmented") human interactions become *prevalent*, both at the one-to-one and at the one-to-many level, reshaping every other aspect of everybody's life.
This is why Social Business isn't something we already know "with a different name"; it's something completely new (like people developing, all at once, a new "sense", i.e. becoming able to see a different part of the spectrum, etc.).
It is interesting to note here that those who do not directly participate in this new form of human interaction will be strongly affected by its consequences too, much as the invention of language affected everyone (I believe this is a much better metaphor than, for example, comparing Social Media to the invention of the printing press), since Computer Aided Social Networking is reshaping people's brains, perceptions, priorities and values, everywhere.
The second concept is also quite hard to grasp: while the Internet was mainly a technological breakthrough which generated some interesting socio-economic byproducts, Computer Aided Social Networking represents a geopolitical, socio-economic and, above all, mental phase change for humankind. We are going to become "Semantic Cyborgs", and because of this both individuals and societies will evolve in previously undreamed-of directions.

This said, when talking about adopting Social Business, organizations must first realize the magnitude of the consequences, make a true intellectual effort to metabolize them, and change accordingly in order to survive. Reacting to these changes without a vision, on a day-by-day basis, only when and if problems arise, will most likely *not* work.

Today a company entering the Social Business arena is immediately exposing itself to a wide range of serious risks in terms of brand and reputation management, of responsibilities and liabilities towards users, customers and partners, and of open source intelligence gathered by competitors.
Of course, given that Social Media is an excellent vector for hacktivists' attacks and cybercriminals' preferred playground, its adoption will also seriously increase the probability that an organization is damaged by having its computer systems breached, its most sensitive information and intellectual property stolen, and so on.

As we described in our previous post, there are further threats that are becoming increasingly worrisome (terrorism, cyber-warfare activities, sabotage), but here let's concentrate on the simplest and most widespread ones. The following suggestions won't protect a company from targeted hostile cyber-warfare activities, but they will certainly add resilience and protection against the most common threats.

What is required is a serious commitment from stakeholders and top management, and a continuous effort undertaken by a multidisciplinary team of highly skilled people to monitor, understand and anticipate trends, so that it becomes possible to define, apply and enforce appropriate rules and policies dynamically, remembering that these phenomena evolve daily, almost in real time.
This is not something that the Marketing Department can handle alone, nor IT, nor even the Security Team, HR or the Legal Department: all these otherwise perfectly capable professionals will fail if given the task of managing an organization's Social Business Strategy outside a multidisciplinary and truly integrated approach.
The marketing people will see all and only the advantages and marvels of social networking, ignoring every other consideration; IT will only see an increase in bandwidth usage and help desk calls; the Security guys will scream that shutting down the perimeter defenses would be less dangerous than opening access to Social Media sites to all employees (as Marketing demands); HR will only try to recruit the best resources with the lowest effort; end users themselves will happily find ways to bypass any policy and restriction; and so on. With Social Business, this is THE recipe for disaster.

There are also several main obstacles that work against the implementation of an effective Social Business Risk Management Strategy and that must be taken into account:
- Awareness of the problems is still very low at all levels (if not non-existent);
- A growing number of threats are realized at the semantic level, which is impossible to monitor and manage with traditional security tools;
- Consumerization of Enterprise IT / BYOD is putting security workflows at risk (sometimes beyond any remedy);
- For various reasons, it is "forbidden to forbid" (especially in Italy);
- Legislation protects the privacy and freedoms of employees and users (and rightly so), complicating monitoring activities;
- Mitigation technologies are not yet up to date with the issues (nonetheless they're evolving at great speed);
- Policies and virtuous behaviors always lag years behind the technology (nowadays first we invent something, then we find out how to make a profit out of it, then we see if there are contraindications).

In addition, recent research has shown that companies do not have adequate tools to monitor and measure data loss and leakage through Social Media, and that the phenomenon is simply out of control in 98% of cases.

So, let's go back to countermeasures. In order to find solutions applicable in the real world we must take into account strategic, educational, economic, organizational, technological and legal issues.
In a comprehensive Social Business Risk Management Strategy, there are seven areas to be pursued simultaneously:
- Create a Social Business Officer position, with a staff capable of managing risk across (at least) 5 different domains: Marketing, Legal, IT Security, HR and IT. These organizational changes are mandatory: without such a team, the organization will be blind, deaf and incapable of reacting quickly and appropriately in case of an incident or an attack. And no, your Advertising Agency cannot supply you with a Social Business Officer.
- Remedy the lack of standard procedures, organizational tools, plans and corporate culture in general by implementing continuous risk and security awareness programs, explaining and enforcing the new Social Business rules and policies to all parties involved (achieving understanding, acceptance and participation);
- Implement effective multi-layer technical tools to monitor and control in real time all the different kinds of threats that flow within the Social conversation (from semantic threats to suspicious URLs to malware), since firewalls, proxies and antiviruses are becoming almost useless, being transparent to most of today's threats;
- Empower and make responsible all users and corporate structures involved, for whatever reason, in the use of Social Media, and make them accountable for managing their own share of the risks. Social Business is not just another IT problem and it's not only a "marketing thing". Since Social Network owners are not willing to do it, enforce strict identity and access management processes on your side;
- Reduce unnecessary risky behaviors and choose wisely the way you manage your IT Security: do not let the marketing sirens of Bring Your Own Device, or of Cloud-based Whatever-as-a-Service, fool you. If somebody fries or steals your database, no cool marketing concept will bring it back;
- Measure your KSIs and your KPIs and monitor closely both progress and failures. Ideally your security trend graph should have daily control points. If you are using more than one Social Network, measure and monitor them all, each one with its distinctive tools and parameters;
- Finally, increase your reaction speed. Nowadays the lag between the birth and growth of a risky trend and its impact on organizations has become merely weeks, not years or months as it used to be. Stay ahead of the pack and set up preventive measures, including education at all levels, an effective early warning system, and contingency plans for handling incidents while they are happening, in real time, before they get out of control.

Social Business-related problems are much more complex than they seem at first and there are no magic wands: the variables involved are so many, and the issues to be addressed have non-linear consequences at so many (apparently) unrelated levels, that we have no one-size-fits-all solutions yet... but we are learning fast.

I personally find it all extremely fascinating: let's talk about it!

Andrea Zapparoli Manzoni was born in Milan in 1968.
With a multidisciplinary background in both political science and computer science, since 1997 he has developed an active interest in ICT security, with particular reference to GRC (Governance, Risk and Compliance), cybercrime and cyber warfare issues.
Over the years he has worked in the IDM, IAM, DLP, Anti-Fraud, Security Intelligence, Forensics, and Vulnerability Assessment & Management fields in Enterprise, Industrial, Central PA and Gov-Mil environments.
He writes articles and essays on InfoSec topics and follows very closely all developments in Cybersecurity, working as a trusted advisor with national and international organizations.
He participates in the activities of CLUSIT (Italian Association for Information Security), speaking at conferences, contributing papers (two ROSI patterns about IAM and DLP, seminars about SCADA Security and Social Media Security) and spreading the culture of IT Security in Italy.
In addition to collaborating with numerous Italian and foreign companies, he is the founder and CEO of iDialoghi, a consulting firm specializing in the design and implementation of advanced information security solutions, including the Social Business Security field.
