4 Tips for Writing a Great Social Media Security Policy

Facebook now claims 300 million active users. And Twitter, the micro-blogging site that was almost unheard of at the beginning of 2008, is now one of the internet's 50 most popular sites, according to Alexa Internet Inc.'s web traffic statistics. Naturally, social media growth has also been seen in the workplace, both with regard to employee use and as a communication and/or marketing tool for some companies.

And according to a survey recently conducted by IANS, a Boston-based research company that focuses on information security, regulatory compliance and IT risk management, the number of enterprises with a social media policy in place has jumped dramatically, too, in just twelve months. Jack Phillips, IANS co-founder and CEO, said when IANS conducted the same survey in 2008, the majority of respondents did not have a social media policy. "They really hadn't done the hard thinking," said Phillips. "But then jumping forward to 2009 we saw about a third of the audience now has something in place and another large percentage is considering these kinds of policies." Specifically, just under ten percent of respondent enterprises said their social media policy was fully implemented and communicated in 2008. That jumped to 34 percent in 2009, with another third responding that they had either created or implemented a policy for social media use.

The takeaway, according to Phillips, is that social media is front and center now in organizations and the discussion is taking place not only among the security team, but within marketing, sales, human resources and even executives. Phillips believes this is an opportunity for security folks to raise their profile and take part in an important issue from its inception. He shared with CSO four things he thinks organizations should consider when putting together policies and practices for use of Facebook, Twitter, LinkedIn and other social media within an organization.

1. Don't start from scratch

The media landscape is so dynamic that if you create policy for today's hot technology, tomorrow it will be obscure. Instead, said Phillips, use this as an opportunity to draw attention to existing policies. "Most purists will say: This stuff isn't really new. It should be part of our HR and acceptable use policies," said Phillips. "The same sort of norms apply to this new world that has applied to the world before today." (See How to Write an Information Security Policy for more on the basics of effective policy.) Phillips noted most of the organizations IANS polled with a social media policy already in place said they had not named specific media because of the changing pace of new media. "It's Twitter today, but it may be something else tomorrow," he said.

2. Use social media policies to raise security awareness

"This issue is an opportunity for info sec leaders to refocus attention on information security and risk management," said Phillips. For instance, when compliance regulations came into play, savvy security teams were able to create new policies to comply, while also letting employees know why they were important. The same holds true this time around, said Phillips. "We are finding some innovative awareness tactics that focus on these technologies because they are front and center. The percentages are so low in terms of success of awareness campaigns, this is an opportunity to jump in." A Twitter campaign, or a Facebook campaign, a LinkedIn campaign, can all have real impact in terms of receptivity.

3. Use social media access to raise security's positive profile within the organization

IANS is dispelling what Phillips says is age-old advice for enterprises when it comes to adapting to change. While the initial security reaction to new media is often to block, Phillips said most organizations now need to consider that not only may allowing access be necessary, but also useful from an info sec perspective. "The advice we have given is, instead of just knee-jerk blocking everything, we find that this is an opportunity to record usage and activity among the employee base," said Phillips. "When the original data-loss-protection technologies were introduced, they were not in blocking mode, but in monitoring mode." Phillips believes the new technology of social media gives information security what he calls "an interesting opportunity" to see how critical these technologies are to the enterprise. "That kind of information is quite useful to other functions of the enterprise," he said. "Sales, marketing, HR are all going to be interested and that raises information security's profile among management."

4. Be prepared for the next phase

As social media platforms come and go, some will ultimately become commonplace and integral to an enterprise. While creating entirely new policies around social media doesn't make sense right now, at some point, said Phillips, it will become necessary for policies to be more specific. "Because these technologies are so different, it is at some point we expect policies are going to have to get granular," he said. "Our sense is high-performing teams will have to create unique Facebook, Twitter, LinkedIn and Google Docs policies. And they are going to have to get that granular about what is appropriate and inappropriate with each tool."

As it stands now, he said, he finds his clients are more comfortable with some mediums and with others, not so much. Most organizations find LinkedIn to be the most controllable and with the least potential for damage. But Facebook, with its security vulnerabilities, and the nature of its content, still makes many uncomfortable. Particularly, said Phillips, because many employees are not respecting that line between personal and enterprise. "We will end up with an open environment, but we will end up with some asterisks that say, it's open, but not 100 percent open. For example, some might say: 'It is not appropriate to use the company's name on your Facebook profile.'"

Acadia, Cisco, EMC, VMware data center cloud unveiled

Cisco, EMC and VMware last week unveiled the much rumored joint venture to sell their products to companies wanting to build internal clouds. Called Acadia (for who knows what reason), the joint venture is a collaboration between the three companies that will launch in 2010 and sell what they call Vblocks, preconfigured packages of Cisco UCS blade servers, EMC storage gear, VMware virtualization software and EMC Ionix management software. Vblocks will be sold by Cisco, EMC and VMware to their largest enterprise customers and through the channel by systems integrators, service providers and solution providers.

Already the coalition of Cisco, EMC and VMware has inked deals with six integrators, six service providers and nine solution providers. Acadia has investments from Cisco, VMware and EMC and minority investments from Intel. The company Acadia, which is being formed as we speak, will hire its own CEO and is hiring sales representatives. No one yet knows (or they aren't talking about it) where the company will be based.

At the moment, Vblocks are pre-built, pretested and preconfigured packages that include Cisco's recently announced UCS blade servers, the company's networking switches, EMC Symmetrix V-Max or CLARiiON arrays and VMware's vSphere virtualization software. Vblock consists of three configurations:

* Vblock 2 is a high-end configuration supporting 3,000 up to 6,000 virtual machines that is targeted at large enterprises and service providers. It uses Cisco's Unified Computing System (UCS), Nexus 1000v and Multilayer Director Switches (MDS), EMC's Symmetrix V-Max storage and the VMware vSphere platform.
* Vblock 1 is a midsized configuration supporting 800 up to 3,000 virtual machines that uses Cisco's UCS, Nexus 1000v and MDS, EMC's CLARiiON storage and the VMware vSphere platform.
* Vblock 0 will be an entry-level configuration available in 2010, supporting 300 up to 800 virtual machines that uses Cisco's UCS and Nexus 1000v, EMC's Unified Storage and the VMware vSphere platform.

Facebook groups disrupted but not hijacked, Facebook says

A group calling itself "Control Your Info" appears to have taken control of several dozen Facebook groups, inserting its own logo and stating "Hello, we hereby announce that we have officially hijacked your Facebook group." With a link back to a site, the apparent members - using the names "Bella Roregit," "Burstin Woltan" and "Janis Roukkos" - began leaving their mark on various Facebook groups intended for topics that include entertainment, business and sports. The Control Your Info statements declared: "This means we control a certain part of the information about you in Facebook. If we wanted, we could make you appear in a bad way which could damage you severely." According to the Control Your Info Web site, the group's mission is to bring attention to security weaknesses in social media. "Social media has become a natural part of most people's daily lives. Unfortunately, the security aspects of social media have been more or less neglected." Control Your Info did not immediately respond to a request for comment about its activities.

The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group. Facebook, however, has issued a statement about the incident that says, "There has been no hijacking and there is no confidential information at risk. Group administrators have no access to private user information and group members can leave a group at any time. The names of large groups cannot be changed nor can anyone message all members. For small groups, administrators can simply edit a group name or info, moderate discussion and message group members. In the rare instances when we find a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups."

Some users in the groups affected by the Control Your Info takeover were obviously displeased about the turn of events and scornful of Control Your Info's explanation about how it's making a point about security by taking control. "I have an idea, why don't I teach you about traffic safety by running you over with my car? Is that how it works?" wrote one irate Facebook user in a group that had been commandeered by Control Your Info.

Michael Sutton, vice president of security research at zScaler, said he doesn't think the Control Your Info takeovers constitute a major security concern. That's because the person who creates a group of this sort on Facebook is by default the administrator, and when this individual decides to abandon that by de-listing as the admin, anyone else in the group can step in to promote themselves to be the administrator. That's the way Facebook designed this type of group and is clear about it, though other types of Facebook groups, such as closed ones, have different security procedures. In that case, the Control Your Info people simply did a search to discover the type of Facebook groups that had the administrator position abandoned, and stepped in with their dramatic hijacking routine. "This is really making a mountain out of a molehill," he said.

As driving summit opens, AT&T launches anti-texting campaign

AT&T Inc. announced a campaign today to warn cell-phone users, especially teens, about the dangers of texting while driving in advance of a federal Distracted Driving Summit that kicks off in Washington on Wednesday. The carrier said it will put warnings about texting on phones it sells before the holiday season and on signs in its stores. AT&T will also revise its policies to expressly prohibit texting while driving for its employees who drive as part of their job. AT&T is one of the country's largest employers, with 290,000 workers. Information about the dangers of texting while driving is being included in defensive driving classes. Public service announcements are also planned to bring home the message to the public.

U.S. Transportation Secretary Ray LaHood is expected to attend the two-day meeting as well as federal highway safety officials and researchers on cell phone use while driving. All the major wireless carriers have campaigns opposing texting while driving, although the companies vary on their views about laws banning the practice.

The campaign will be announced today by AT&T CEO Randall Stephenson at the Detroit Economic Club, AT&T said. "Our goal is to send a simple, yet vital, message to all wireless users: Don't text and drive," Stephenson said in a statement. AT&T and other carriers want to take advantage of the timing before the summit, which AT&T will attend and support.

Pending in the U.S. Senate is a bill to require states to ban texting while driving or face the partial loss of federal highway funds. The bill, called the ALERT Driving Act, was introduced in July and would require states to ban drivers from sending text or e-mail messages or risk losing 25% of their federal highway funds each year they fail to comply. But an AT&T spokesman said the carrier has decided to let the public decide its position on proposed legislation. "We think the decision as to whether there is specific legislation required is up to the public and to their legislators," the spokesman said in an e-mail today. AT&T said in July, before it had reviewed the ALERT legislation, that it was generally supportive of legislation prohibiting texting while driving, but did not explain its apparent shift today. Verizon Wireless supports the legislation, while Sprint Nextel said it hadn't taken a position, but has long argued for better driver education to urge drivers not to text and drive. The financial sanctions in the bill caused the Governors Highway Safety Association to oppose the measure.

Currently, 14 states have various laws that ban texting while driving, which some research studies have found greatly impairs a driver's ability to drive safely. One recent study found that the risk of getting into an accident is 23 times higher when texting while driving. Some groups argue that more laws won't help. Vlingo Corp., which makes a mobile voice application, today released data from a survey of 4,800 people that showed little or no impact from state bans on driver behavior. Vlingo's view is that laws are hard to enforce, making hands-free technology all that more important.

Google Street View Battle Highlights Privacy Challenge

Google is being sued by a Swiss watchdog agency for allegedly failing to take adequate measures to protect privacy. The debate in Switzerland is over Google's Street View image indexing. The legal battle in Switzerland is just the latest in a long line of privacy issues with Google and illustrates the challenge of providing as much information as possible without violating privacy concerns.

Hanspeter Thuer, the Swiss Federal Data Protection and Information Commissioner (FDPIC), made recommendations to Google to address concerns with Street View images displaying car license plates and people's faces. Google claims it has taken strides to comply with those recommendations, but the FDPIC doesn't feel Google has done enough. This isn't the first time Street View has gotten into trouble over privacy. Google has also faced backlash over Street View in the United Kingdom, Canada, Greece, and Japan. Greece is distressed by how long Google plans to maintain the Street View images in its database. One concern in Japan, which has been echoed in Switzerland, is that the height of the car-mounted Street View cameras is capable of seeing over fences and into homes.

Google's privacy issues are not restricted to the Street View images, though. Google Latitude, a GPS mapping and tracking service, keeps track of your location in real-time and maintains a mapped database of previous locations. Google recently launched a new feature allowing you to set up alerts that can notify you when a friend is nearby. The cool factor is tempered with a creepy Big Brother vibe. There are privacy issues related to Google Social Search, Google recently modified indexing of Gmail messages to address concerns over transcribed Google Voice emails showing up in the search engine, and even the embryonic Chrome OS has raised privacy concerns. The list goes on and on.

Google recently unveiled the Google Dashboard to address privacy concerns. The Google Dashboard displays all of the information associated with your Google profile, providing you with an at-a-glance resource to see just how much Google knows about you. But the Google Dashboard itself also has privacy and security implications. It is a difficult balance for Google to manage.

Technology has brought us to the point where, unless you live in an unmarked cabin in the Rockies and live off the land, data about you is being indexed virtually everywhere. If you read books like Database Nation by Simson Garfinkel, or The Soft Cage by Christian Parenti, you come to the realization that privacy is largely an illusion at this point. Privacy is a myth. That doesn't mean we should all just give up and accept that we have no privacy. On the contrary, perhaps it suggests we need to be more vigilant about protecting what little privacy we might have left. Google has to struggle with the conflict of interest between indexing all of the data in the world, and protecting privacy. Not only that, but Google must also tailor its indexing and business practices on a country by country basis to comply with local data protection and privacy regulations.

My fellow PC World writer David Coursey has pointed out that Google has not yet done anything to lead us to believe it has evil intentions for our data, but the data is still there on the Google servers. Coursey ponders what might happen following another 9/11-caliber terrorist attack: "Would Google provide information it has about suspects? Use its data and profiling capability to find more suspects? If it did, how long would it be before we knew? And where, exactly, is the line between patriotism and invasion of privacy?" That is a valid question. Google has to continue to strike a balance between information and privacy, and users need to grasp that the convenience provided by Google's products and services comes at a cost.

Tony Bradley tweets as @PCSecurityNews, and can be contacted at his Facebook page.

Do collaboration tools enable collaboration?

At the recent IT Roadmap conference in Washington D.C. there was a panel discussion about how the younger generation uses tools such as texting to stay in touch with friends. One of the implications of the discussion was that the younger generation is more facile with collaboration than is the current workforce. Another implication was that as the younger generation enters the workforce, they will bring their collaborative approach with them and this will drive the existing workforce to be more collaborative. We want to use this newsletter to express an alternative opinion.

There is no doubt that the younger generation, the kids that are currently in grammar school and high school, are very facile with collaboration tools such as texting. However, most people that we know that are currently in the workforce also text – perhaps not as much as the younger generation, but they do. Hence, we do not see that age is a barrier that keeps the current generation of workers from texting. One concern that we have is that young people often use texting as an alternative to face-to-face communications. In fact, in some cases, they seem to prefer to send texts back and forth vs. having a conversation. Is this really collaboration or is it running away from collaboration?

Collaboration tools such as texting, instant messaging, and Twitter are well suited to support a simplex or at best half duplex conversation, such as sending a text to inform someone that you will be late for a meeting. That is a form of collaboration – but a very low level form. Let's set up a hypothetical situation. A company is considering using a software-as-a-service provider for some new application. The company pulls together a project team comprised of people in different organizations, including someone from the WAN organization, from the software development group, security and compliance, and one or more business units. The various members of the team have different, and in some cases, conflicting goals. For example, the people who represent the business units want to get the solution running as soon as possible; the security and compliance people are worried that they will not be able to pass an audit if the solution is deployed; the person from the software organization feels their organization is being bypassed, and the person from the WAN organization is concerned about how much extra traffic will now transit the WAN. The disparate goals of the project team members will not be resolved by sending text messages, IMs, or tweets.

That is not to say that there are not collaboration tools that can help. One IT professional we talked with told us that his organization had used traditional videoconferencing for years. He added that he believes that telepresence is more powerful than traditional videoconferencing in part because the picture quality allows you to see body language and facial expressions as well as you could in person. Of course, telepresence does place a tremendous burden on the WAN. Just seeing body language and facial expression may not resolve the fact that the project team members have disparate goals. It does, however, have a better chance of succeeding than a text that reads: OMG, c u @ 10:15.

Vendor group forms cloud storage initiative

The Storage Networking Industry Association (SNIA) announced today the formation of the Cloud Storage Initiative (CSI) in order to establish a lexicon of cloud-computing terminology, publish use cases, white papers and technical specifications, and to create reference implementation models for grid-storage architectures. The CSI will coordinate and deliver educational materials for cloud storage vendors and user communities. The organization also plans to perform market outreach highlighting the virtues of cloud storage. The SNIA made the announcement at the Storage Networking World conference, which is co-sponsored by Computerworld.

The group is developing a single specification as part of its efforts. The Cloud Data Management Interface (CDMI) will be an application programming interface to which vendors can write management software that will allow interoperability between heterogeneous cloud storage offerings, according to Wayne Adams, SNIA's chairman emeritus. "Part of the challenge with cloud is where does the data live? And how are you able to manage it once it's in the cloud, and can you get it back in the same format that you now have," said Mark Carlson, a SNIA Technical Council member. "There's this idea of how portable is my data that once I get it out there can I get it back in a format that can be ingested by another vendor?" Carlson said the CSI will focus on disseminating information about technology to build both public cloud services, such as Amazon's S3 service, and private cloud architectures in data centers. For example, the CSI will promote and deliver a new cloud storage tutorial to be unveiled at Storage Networking World this week.

The CSI will complement the technical innovation and development from the SNIA Cloud Storage Technical Working Group, which has more than 140 members representing over 50 commercial vendors, service providers and educational institutions. The CSI published cloud storage use cases and requirements for cloud storage in June. The CSI will aid the Technical Working Group in bringing specifications and technical developments to international standards development organizations. It is also releasing a joint white paper with the Open Grid Forum (OGF) focused on cloud storage for cloud computing, all developed by the working group. "It's both encouraging and timely to see this new initiative from SNIA," said Simon Robinson, research director of storage for research firm The 451 Group. "It's gratifying to see this co-operative effort around standards and education, since those are two of the current impediments to fast adoption as technologies mature and become integrated into more vendor offerings."

Restaurants sue vendors after point-of-sale hack

When Keith Bond bought a computerized cash register system for his Broussard, Louisiana, restaurant, he thought he was modernizing his restaurant. Today, he believes he was unwittingly opening a back door for Romanian hackers who have now cost him more than US$50,000. His story reads like a warning for small businesses, who in connecting their businesses to the Internet, have also become prey for sophisticated cyber-criminals. Bond's is one of more than a half-dozen Louisiana restaurants that have sued the makers of their point-of-sale system, alleging that the companies that made and resold the systems are the ones who should be responsible for fines levied by payment processors following the hack.

Bond says that systems at his Mel's Diner, Part II, were hacked, along with several other restaurants in the region, sometime around March 2008. Investigators told him that the systems were compromised by Romanian hackers who used the devices' remote access software to steal credit card numbers from the systems. This software let Bond's reseller, Computer World, provide remote support to the systems. The criminals took those credit card numbers and then used them to make fraudulent purchases throughout the U.S., he said. He was then assessed tens of thousands of dollars in fines and chargeback fees generated by the 699 credit card numbers that were stolen from his three point-of-sale devices. After the hack, Bond had to spend close to $20,000 to audit his systems.

Bond and others blame the maker of his Aloha point-of-sale system, Radiant Systems, and its Louisiana reseller, Computer World (Computer World is not related to IDG's Computerworld magazine). In the class-action lawsuit, Bond and the other plaintiffs allege that their point-of-sale systems were out of compliance with the Payment Card Industry Data Security Standard (PCI DSS), which defines how secure the big credit card companies expect their merchants' computers to be. "Our clients are restaurants," said Bond's lawyer, Charles Hoff, in a statement. "They are food experts, not technologists. When major players in the hospitality industry such as Radiant Systems and its distributors say their software and business practices are PCI-DSS compliant, our clients trust them." The class-action lawsuit was filed in October but was not widely known until the privacy blog DataBreaches.net disclosed it last week. Another similar lawsuit was filed against Radiant and Computer World in April by plaintiffs in Georgia.

Citing company policy, a Radiant spokeswoman declined to comment on the lawsuits, but in an e-mailed statement, she said that the company believes that the allegations are without merit. "These customers were victims of criminal acts almost two years ago. Unfortunately, in today's world criminal acts like these are not uncommon in the restaurant industry," the statement read. Bond doesn't buy that. "You're buying an expensive point-of-sale system," he said. "But when you're compromised, Visa and Mastercard come after the merchant. There's no level of responsibility with the processor, the reseller or with Visa Mastercard. So the merchant is the person who is suffering."

The lawsuit claims that Visa warned Radiant and Computer World that they were not PCI compliant the year before the hack, but that merchants were never notified of these problems, even though they were the ones who ultimately had to pay big fines. That's a real problem, said Avivah Litan, an analyst with the Gartner research firm. "Merchants should be notified directly when Visa or MasterCard issue alerts about non-compliant software," she said in an e-mail interview. "Restaurants are in the business of selling food; they should not be expected to be experts in the intricacies of credit card processing certification processes, especially when they are not even privy to most of the communications surrounding them."

Radiant warned about the problem, according to a security alert posted by a San Francisco Bay Area Radiant reseller. The alert warned Aloha users to disable a Remote Desktop feature on their equipment if it's not being used to provide remote support to the point-of-sale system. The plaintiffs in Bond's lawsuit say they received no such alert. According to Bond, Computer World used this Remote Desktop feature to access his systems. To make matters worse, Computer World had set up his and other restaurants with the same default password: "Computer," Bond said. Computer World did not respond to a request for comment on this article.

Lawsuit claims HP PCs suffer constant lockups, crashes

A Colorado man has sued Hewlett-Packard, saying that its Pavilion Elite desktop computers are "inherently defective," and constantly lock up within 10-20 minutes of use. The lawsuit, which was filed with a California federal court last Thursday, seeks class-action status that, if granted, would open the case to all HP customers who have purchased one of the allegedly defective PCs. According to the lawsuit, HP's Pavilion Elite e9150t, e9180f, e9180t, m9600t and m9650f, when equipped with the "Truckee" motherboard from Pegatron Technology and Intel's i7 quad-core processor, crash or lock up soon after they're powered on. Pegatron Technology is a subsidiary of Taiwan-based Asustek Computer, which is best known for its ASUS line of netbooks.

"After operating the [Pavilion Elite] e9150t for approximately two weeks, Plaintiff's computer began experiencing repeated disruptive failures including lock-ups, freezes, and blue screen errors, requiring him to reboot the computer," read the suit, which was filed on behalf of Michael Kent of Arvada, Colo. Kent purchased the Pavilion Elite e9150t in late July 2009. "Since that time, Plaintiff experiences the aforementioned errors on an almost daily basis. These errors occur most frequently within 10 to 20 minutes after a 'cold boot,'" the lawsuit continued.

Kent's lawyers cited 20 messages posted on an HP support forum as proof that others have complained of the same problem. The lawsuit also included a link to a support thread that as of Monday ran 288 pages, and boasted nearly 2,900 messages submitted by customers. The thread is the most-heavily-trafficked of all those on the HP support forum dedicated to lockups and freezes. On the Pavilion Elite e9150t lock-up thread, users said that they had tried several different HP-suggested remedies, including installing a BIOS update, a tack Kent claimed he also tried to no avail. Others on the thread said that although HP had replaced either the CPU or the entire computer, they were still seeing frequent crashes or lock-ups of the Pavilion. "Even though HP is replacing the e9150t models with the upgraded e9180 models and including faster, more costly processors, the computers still exhibit the same defects," Kent's lawsuit read.

Users continued to post messages on the support forum today. "I hereby give up with HP 'support,'" said a user identified as "GaryJ51," in a message added to the thread Monday morning. "After dozens of calls to HP, and many broken promises, I eventually wrote to the CEO as suggested by someone on this site. Nothing. My unreliable PC is still ... here, waiting for a returns box. It's many weeks now since I began this effort to fix the thing. I don't know what else to do. I give up." "I just received a call from a Case Manager Supervisor," added "Hanspuppa" in a message posted shortly after GaryJ51's. "I explained all my issues with the two systems I purchased, and requested the defective systems be replaced with new systems, and she denied my request. $3,500.00 down the drain."

Kent's lawsuit charged HP with deceptive advertising, fraud and breach of warranty, and asked the federal judge to grant the case class-action status, as well as to force HP to pay compensatory and statutory damages. HP did not respond to a request for comment.