Governance of Social Media & E-Mobility Risks #CPESOX
Copyright ©2012 Infinitive

DISCLAIMER
As a matter of their respective company policies our panelists today are expressing their views and perspectives as professionals in their respective industries. These views are their own, and do not necessarily reflect the views of their respective Companies.

Agenda
• Introduction (5 Minutes)
• Opening Remarks (10 Minutes)
• Panelist Remarks (50 Minutes)
• Question & Answer (25 Minutes)

Introductions
Douglas Miller, Vice President and Global Privacy Leader, AOL
Douglas Miller, CIPP, is Global Privacy Leader at AOL Inc., overseeing a full range of privacy operations, guidance, education, and planning. Prior to becoming a full-time privacy professional in 1998, his AOL duties included child and teen protection, online conduct, content and advertising guidelines, anti-spam initiatives, and consumer safety and security. Before joining AOL, he led government affairs for the Software Publishers Association. From 2004-07, he taught courses in Internet Policy and Computer Ethics at Old Dominion University. He serves on the Board of Directors for the Network Advertising Initiative, the Advisory Board of the Future of Privacy Forum, and the Education Advisory Board of the International Association of Privacy Professionals.

Introductions
Dino Tsibouris, Tsibouris & Associates, LLC
Tsibouris & Associates concentrates in technology and intellectual property law with a focus on electronic commerce, online financial services, licensing, and privacy law. In addition, the practice includes the implementation of electronic signatures, records management, and information security. Mr. Tsibouris was previously an attorney with Thompson Hine LLP and a Vice President and Counsel for eCommerce and Technology at Bank One Corporation (now JPMorgan Chase). He has presented at CLE and trade association presentations on various e-banking and e-commerce matters and participated in regulatory and industry task forces addressing new legislation. Listed in The Best Lawyers in America in the area of Technology Law 2007-2011.

Introductions
Angelos Stavrou, Associate Professor, George Mason University
Angelos is Associate Professor in the Computer Science Department and an associate director of the Center for Secure Information Systems at George Mason University, Fairfax, Virginia. He received his M.Sc. in Electrical Engineering, M.Phil. and Ph.D. (with distinction) in Computer Science, all from Columbia University. He also holds an M.Sc. in theoretical Computer Science from the University of Athens, and a B.Sc. in Physics with distinction from the University of Patras, Greece. Dr. Stavrou has published over 40 papers on large systems security & survivability in major international journals and conferences. Dr. Stavrou's research interests are focused on security for mobile devices and mobile applications. His research has been funded by DARPA, IARPA, NSF, NIST, ARO, AFOSR, AFRL, and Google, among others.

Session Objectives
Social media and mobile applications are the modern-day gold rush for companies. The velocity of information and products is creating new risks and financial reporting challenges. This session will cover the emerging risks and considerations for internal control specialists.
• Identify and document current and intended social media use
• Perform a risk assessment for the use of social media and mobile devices
• Implement security policies that address the use of social media and mobile devices
• Provide social media training
• Monitor social media channels

Triple Play
Mobile, WWW, Social Media

Governance
Social Media platforms such as Facebook and Twitter blend personal and professional lives into a seamless ecosystem. Companies must navigate the policies, procedures and a complex risk environment in order to answer the following:
• Who are your clients?
• Who are your friends?
• What's a professional position?
• What's a personal point of view?
• What's secret and what's public?
• What can you monetize and what would violate your privacy policies?

Camouflaged Fraud: Mobile Devices
Mobile Fraud
• The power of mobile is breaking the speed of business by opening new markets and allowing even the smallest companies to play big
• The increased use of mobile applications has led to a rise in fraud targeted at the mobile space
• Mobile fraud schemes are successful when companies are operating in silos and not sharing their view of risks across the organization
Rogue Mobile Apps Defined:
• Created by non-authorized individuals or entities
• Seek to confuse the consumer into believing the app is published by an authorized source: similar name, use of logo, or similar publisher
• Similar to other applications, but its objective is to compromise other apps on the device

Panelist Perspective – Doug Miller

Panelist Perspective – Dino Tsibouris

Governance
• Francesca's CFO terminated for "improperly communicated company information through social media" – 05/14/12
• BMW salesman posting pictures about Costco hot dogs served at a new model release (Protected Concerted Activity because others had complained)
• Social media coordinator fired and would not surrender passwords (Ardis Health, Phonedog)
• Social media consultant fired for posting "FBomb" on Chrysler's official Twitter feed

Governance
Challenges abound:
• C-suite
• Sales and Marketing
• In-house social media coordinators
• Vendor social media coordinators

Governance
Legal Implications of Social Media
• Brand image
• E-Discovery and litigation
• Human resources/Employment
• Privacy
• Regulatory
• Security
• Torts

Governance
Example 1: Sarbanes-Oxley Section 409
• Must "disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the [company], in plain English"
• Events requiring Form 8-K or Regulation FD disclosure
• How to harmonize with social media strategy?

Governance
Example 2: The NLRB
• Concerted action by employees is protected
• Cannot prohibit employees from blogging about work or criticizing it
• Can't prohibit them from using company contact information on personal sites
• Memorandum OM 11-74, 08/1/11
• Is current company policy overbroad?

Governance
Social Media Policy should address:
• Permissible activity
• Consequences of violations
• Required employee agreement
• No reasonable expectation of privacy
• Personal responsibility for actions

Governance
• Require confidentiality of trade secrets, company strategies, product development, and all financial information
• Authorization required to share copyrighted materials
• Address "official" social media use (the official voice of the company)

Governance
• Encourage employees to link to the company website when possible
• Clear and conspicuous disclosure of any relationship or connection an employee has with the company
• Disclose any compensation or gift received from any company mentioned

Governance
• Create a policy that addresses your company's unique business goals
• Train employees and contractors
• Monitor
• Archive content – even if third party, when needed
• Take remedial action for violations
• Incorporate changes into policy periodically
• Repeat…

Panelist Perspective – Angelos Stavrou

CIO Business Priorities

Maturity of Technologies
(source Gartner)

The real picture: Malicious Apps exist...
Analyzed ~267,000 applications from the Google Android Market
• Thousands with incorrect/permissive manifest
• Hundreds with excessive functionality that can be construed as malicious
• Hundreds of Trojans (i.e. take over existing, legitimate applications)
Who will download these apps?
• People who use SEARCH to find apps
• Virtually everyone…
Two infection vectors:
- Regular Web Search
- Search inside the Mobile App Market

The real picture: Malicious Apps exist...
A multifaceted problem: developers may be well-intended, but…
• They do not necessarily understand the mission or the security/policy requirements
• They make mistakes
• They use third-party libraries and code
The Android permission model is neither sound nor complete
• Intents, Reflection, JNI, WebKit, others…
• Android permissions are enforced inside Dalvik, not everywhere in the device

What about existing Analysis Tools?
Commercial application testing tools cover regular, non-Android-specific bugs:
• No security analysis of the code functionality
• No power analysis of the application components and code
• No profiling of the resource consumption of individual applications
• Cannot regulate/deny the access and use of phone subsystems (camera, microphone, GPS...)
Existing tools do not cover program functionality
• We reveal the application capabilities and access

Questions
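The "incorrect/permissive manifest" finding and the "reveal the application capabilities and access" point can be made concrete with a small manifest audit: list the sensitive subsystems an app's declared permissions grant, flag those the app has no business needing, and flag components exported to every other app on the device without a guarding permission. This Python is an added example, not the panel's or Dr. Stavrou's tooling; the manifest, package name and component names are constructed, and the "expected subsystems" set is an assumption the auditor supplies from the app's stated purpose.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that open the phone subsystems the slides call out (camera,
# microphone, GPS) plus user data; the auditor compares these with what
# the app is supposed to do.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "GPS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
}

# Constructed sample manifest for a flashlight-style utility app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="com.example.flashlight.INTERNAL"/>
  </application>
</manifest>"""


def audit_manifest(xml_text, expected_subsystems):
    """Return (unexpected_permissions, unprotected_exported_components)."""
    root = ET.fromstring(xml_text)
    name_attr = "{%s}name" % ANDROID_NS
    # Sensitive permissions the app's stated purpose does not justify.
    unexpected = []
    for up in root.iter("uses-permission"):
        subsystem = SENSITIVE.get(up.get(name_attr, ""))
        if subsystem and subsystem not in expected_subsystems:
            unexpected.append(up.get(name_attr))
    # Components explicitly exported (android:exported="true") and callable
    # by any other app unless guarded by android:permission. Implicit export
    # via intent-filters on older Android versions is not checked here.
    unprotected = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            if comp.get("{%s}exported" % ANDROID_NS) == "true" \
                    and comp.get("{%s}permission" % ANDROID_NS) is None:
                unprotected.append(comp.get(name_attr))
    return unexpected, unprotected
```

For the flashlight sample, a reviewer who expects only the camera subsystem gets the contacts and SMS permissions and the unguarded exported service back as findings.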