Tuesday, June 8, 2010

Social Media Security

I know of a few organisations that wish to leverage social media to connect with their customers. I'd advise that they do a solid business-focused and technical-focused risk assessment before doing so. There are some major benefits that can result, but one should consider the risks and prepare to respond.
Some of the things for which they should consider developing policy, standards and contingency plans include the following:
- Which social media sites and services will you use, and what will you share and accept back? Do you want to set up a YouTube channel? Will you accept people re-mixing your video posts, what is going too far, and how will you respond? Do you want to set up a Twitter account? How will you respond to "trolling" and mocking copycat accounts (see @BPGlobalPR for a case study)? If you set up a Facebook company profile or user group, what will you put on there? Will you allow, respond to or remove advertisers, head hunters etc.?

- Consider whether the social media platform can leak information about your personnel or systems to an attacker. Consider whether personnel should be individually identifiable. Could a disturbed individual trace a person from a corporate social media account to their personal one and retrieve information such as their location or appearance that could lead to a physical security problem?

- Consider whether the target demographic is vulnerable or targeted by another group. For example, consider the case study in which internet miscreants raided a web forum for people with epilepsy and posted scripts and images intended to give viewers a seizure. Is your target audience elderly, a persecuted minority, subject to foreign or domestic government monitoring or intimidation, etc.?

Tuesday, June 1, 2010

Thoughts on the infosec industry

Here are a few thoughts on the state of the security industry; please excuse the rampant use of automotive analogies, as I'm blogging this from my garage :)

- Aftermarket products are sold to try to fix insecure operating systems and applications. They don't work all that well, because the signature detection/prevention paradigm can be defeated by simple obfuscation or a custom-developed exploit: a signature matches one specific byte pattern, so any variant that produces the same behaviour from different bytes walks straight past it. It's sort of like trying to retrofit an airbag to a car with a button to press in case of an accident, rather than designing a strong safety cell and crumple zones. If we were doing security well at the operating system level, we wouldn't need firewall technology at all. If we did security well at the application level, there would be no need for antivirus!

- We're not attracting the best and brightest to work on securing organisations. The kids seem to want to learn to break rather than learn to build. Maybe we need "drag strips" or hackerspaces for the fast and the furious who want to play.

- We're not so good at understanding and marketing to our target markets and putting together solutions that work. Why one ISO standard for everybody? Why not separate ISO standards aligned with the risk profiles of SOHO, SMEs, state government, banks, federal government and the military?
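To make the point about signatures and obfuscation concrete, here is an added example in Python. It is not code from the original post: the "payload" is a harmless constructed marker string, the signature database is an assumed one-entry dictionary, and the XOR container format and decoder are invented for the example. A byte-pattern scanner catches the plain payload, misses a trivially XOR-encoded copy of the same payload, and only catches it again once the sample is unpacked (emulated) before scanning.

```python
"""
Toy demonstration of why byte-signature detection is brittle.

A scanner that looks for a fixed byte pattern catches the plain payload,
but a trivially XOR-encoded copy of the same payload (carrying its own
decoder) is a different byte string and slips past the signature while
still producing exactly the same bytes when "run".

Everything here is constructed for the example: the payload is a
harmless marker string, not real malicious code.
"""

# Constructed sample: a harmless stand-in for a known-bad payload.
PAYLOAD = b"HARMLESS-EXAMPLE-PAYLOAD"

# Assumed signature database in the style of a simple AV engine:
# signature name -> byte pattern that must appear verbatim in the file.
SIGNATURES = {
    "Example.Payload.A": b"EXAMPLE-PAYLOAD",
}


def scan(blob: bytes) -> list[str]:
    """Return the names of all signatures whose byte pattern occurs in blob."""
    return [name for name, pattern in SIGNATURES.items() if pattern in blob]


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the data."""
    return bytes(b ^ key for b in data)


def obfuscate(payload: bytes, key: int) -> bytes:
    """Build a self-decoding container: 1-byte key, 2-byte big-endian length,
    then the XOR-encoded body. A zero key would leave the body unchanged
    (and therefore still detectable), so it is rejected."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    body = xor_encode(payload, key)
    return bytes([key]) + len(body).to_bytes(2, "big") + body


def run(container: bytes) -> bytes:
    """Stand-in for executing the sample: the 'decoder stub' reads the key and
    length from the header and recovers the original payload bytes."""
    key = container[0]
    length = int.from_bytes(container[1:3], "big")
    return xor_encode(container[3:3 + length], key)


def demo(key: int = 0x5A) -> dict:
    """Compare static signature scanning against the plain and obfuscated
    samples, and against the obfuscated sample after unpacking."""
    packed = obfuscate(PAYLOAD, key)
    return {
        "plain_detected": bool(scan(PAYLOAD)),
        "packed_detected": bool(scan(packed)),
        "same_behaviour": run(packed) == PAYLOAD,
        "detected_after_unpacking": bool(scan(run(packed))),
    }


if __name__ == "__main__":
    print(demo())
```

The obfuscated sample is functionally identical to the original, yet the static signature never fires on it; the only thing that changed is the byte layout. Any new XOR key (or any other reversible transform) is a fresh "variant" that needs a fresh signature, which is why the signature race is unwinnable and why detection that looks at behaviour or at unpacked content fares better than matching raw bytes.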
