• Blocking Social Media–What is Your View?

    If you are reading my blog posts regularly, you might have seen that I am not a big fan of blocking social media at the edge. When I talk with customers about why they are blocking it, I usually get these types of answers:

    • People are spending too much time playing games on Facebook: This, to me, is a management problem and not a technology problem and should be addressed accordingly.
    • We are afraid of malware: This makes sense to me. The question is whether this is limited to social media or, better, how much you can really reduce the risk of a malware attack by blocking social media.
    • We are afraid of information leakage: Interesting. Steve Ballmer was once asked why Microsoft applies such an open policy when it comes to social media and whether he is not afraid of information leakage. His answer was that he lets people talk to the media and to customers as well, and that the risk is not much higher. Well, this is probably not true anymore, but fairly often, when it comes to internal events, people are reminded that this information is not to be tweeted or blogged. It works well, and where it does not, administrative processes might have to be invoked.

    A modern company today most probably has to use social media to position itself. So, we are kind of caught between two angels. I would really like to understand your view on this:

    • Why do you think that blocking social media is good (or bad)?
    • What are the risks you are trying to address?
    • If you block, how big do you see the risk of users trying to get around your filtering mechanisms?

    Let’s start a debate here, I want to learn from you.

    As I would like to consolidate the discussion, would you mind leaving your comments on my main blog here? Thank you

    Roger

  • Moving my blog!!

    Well, I will continue to announce this until I see the hit rate decline :-)

    At the moment, I am running two blogs: this one and the one on http://www.halbheer.info/security, which both contain more or less the same content. I am still planning to move over to http://www.halbheer.info/security over time. So, if you read this, please change your RSS feed to http://www.halbheer.ch/security/feed/

    Thank you

    Roger

  • Are You Focused On The Wrong Security Risks?

    There is a good article on CIO Central: Are You Focused On The Wrong Security Risks?

    An interesting discussion, and I partly agree that we have to challenge the way we look at security risks. I would even broaden the questions he raises. When I talk about industry trends that impact your risk landscape, these are the ones I mean:

    • Users ask for more flexibility: For a lot of roles, it does not really matter when you work and where you work. Personally, I am fairly open about when I work, from where, and how I split my private and work life. This means that in my case, my notebook is not directly connected to the Microsoft corporate network more than once a month.
    • Cybercrime moved from “Cool to Cash”: This is not new, but we have to understand that the real threats are the targeted threats and no longer the broad, widespread attacks like Blaster in the past. It is all about going for money and understanding the business case.
    • Consumerization of IT: That’s a tricky one. I am convinced that more and more consumers are taking strategic IT decisions. You disagree? Give me the one single company that decided to use the iPhone or iPad as a strategic device. It came in through the consumers, who love the device and wanted it to be integrated into the IT infrastructure. This will continue. When the younger generation enters the business, the ones who grew up with Facebook and Twitter, they will ask to be as productive as possible using the tools they know – and we give them a one-size-fits-all standard build. We even feel good doing so and do not realize that they will find ways around the security boundaries we are building – with the intention of doing their job efficiently. We need to help them work productively in a secure and safe way.
    • Security as a Business Enabler: We need to understand that our job is to help IT to help the business to be successful. We are not here to be the “no”-sayer.
    • Cloud: That’s obvious but we need to be part of these discussions in each and every IT. Again, not to say “no” but to help the business to understand the real risks, not just our gut-feeling of losing control.

    And then, we probably should look into the way we do risk management overall: Fixing Risk Management

    So, let us accept these trends. I do not think that there is disagreement on the trends above. If so, we have to embrace them and especially move towards being a business asset. I am tired of being seen as just a pain in the back, and so are the CxOs who pay our bill.

    Let’s become a business enabler and not a disabler as in the past.

    Roger

  • Phishing still very effective: 35 cards in 5 hours

    I just read this blog post by ESET laboratories: Inside a phishing attack: 35 credit cards in 5 hours.

    They analyzed a very poorly designed phishing attack and found that:

    • The first access to the site was on January 20 at 10:01 pm (as seen in the picture). The latest registered access was on the same date at 15:24 pm. Therefore, the attack actively lasted just over five hours.
    • During those hours, 164 people accessed the phishing site, which indicates an average of about 30 people per hour; therefore, there is a potential victim every two minutes.
    • Out of the 164 participants, 35 entered valid credit card data, which indicates an effectiveness of 21%: one out of every five people who accessed the web site provided their sensitive data.

    This shows that there is still a long way to go with consumer education and technology like phishing filters.

    Roger

  • From the Inside: Our CISO on Cloud Security

    Are you worried about compliance and risks in the cloud? Well, listen to our CISO and hear his views:

    The promise of cloud computing is great and yet this new computing paradigm presents new challenges in the area of information security. In this session, you will hear directly from Microsoft's CISO as he shares his perspective on cloud security. Items will include privacy and security implications of the cloud, maintaining a secure posture of your IT portfolio in the cloud, and sharing some of our current challenges and what we are doing to address these challenges.

    Listen to him: Microsoft IT CISO Perspective on Cloud Security

    Roger