The impact of social networking on the IT audit universe

Presenter: Nelson Gibbs, CIA, CISA, CISM, CGEIT, CISSP
Deloitte & Touche LLP
www.isaca.org

Today’s agenda
• Definitions and terminology (3-17)
• Why and how companies are using social networking (18-33)
• Risks and challenges (34-52)
• What is next in the world of social networking (53-56)
• Q&A

Definitions and terminology

Social network — Some definitions
• As defined in Wikipedia – A social network is a social structure made of nodes (which are generally individuals or organizations) that are tied by one or more specific types of interdependency, such as values, visions, ideas, financial exchange, friendship, kinship, dislike, conflict, or trade. The resulting structures are often very complex.
• As defined in Webmaster – Social networking is a phenomenon defined by linking people to each other in some way. Digg is a popular example of a social network (using social bookmarking). Users work together to rate news and are linked by rating choices or explicit identification of other members. Generally, social networks are used to allow or encourage various types of activity, whether commercial, social, or some combination of the two.

What makes a Social Network so powerful?
• Metcalfe’s law – The value of a telecommunications network is proportional to the square of the number of connected users of the system (n²)
  – Related to the fact that the number of unique connections in a network of n nodes can be expressed mathematically as the triangular number n(n–1)/2, which is proportional to n² asymptotically
  – http://en.wikipedia.org/wiki/Metcalfe’s_Law
• Applying this to Social Networking — Consider LinkedIn: it took 16 months to reach the first one million users. The latest million users were added in just 11 days.

What makes a Social Network so powerful? (cont.)
• Web 2.0 – “Web 2.0” was first coined in 1999 and, by 2004, had come to be used to describe the next evolution of the Web.
  – It’s based on the notion that people who consume media, access the Internet, and use the Web shouldn’t passively absorb the flow of content from provider to viewer; rather, they should be active contributors, helping customize media and technology for their own purposes.
  – Social network sites, blogs, wikis, and other collaborative technologies are the result.

  Web 1.0 (Yesterday)                                       | Web 2.0 (Today)
  Power lies with: institutions, platforms, and technology  | Power lies with: users, communities, and experiences
  • Structured                                              | • Flexible
  • Siloed                                                  | • Collaborative
  • One size fits all                                       | • Communities
  • Passive audience                                        | • Engaged users
  • Unilateral                                              | • Multilateral

Social network — More terminology (cont.)
Social network analysis
• Mapping and measuring of relationships and flows among people, groups, organizations, computers, or other information- and knowledge-processing entities
• The nodes in the network are the people and groups, while the links show relationships or flows between the nodes
• Provides both a visual and a mathematical analysis of human relationships

Social network — More terminology (cont.)
Blogs
• Web sites where entries are made (as in a journal or diary) and displayed in reverse chronological order; often provide commentary or news on a particular subject
• Some function as personal online diaries or logbooks
• Combine text, images, and links to other blogs and Web sites
• Typically provide archives in calendar form, local search, syndication feeds, reader comment posting, trackback links from other blogs, blogroll links to other recommended blogs, and categories of entries tagged for retrieval by topic

Social network — More terminology (cont.)
Microblogging
• Short, frequent posts with questions, information, or current status
• Twitter (public) and Yammer (private) are two examples
• Social software (including Facebook, LinkedIn, and MySpace) now prompts for “what’s on your mind?” or similar status or mood lines

Social network — More terminology (cont.)
Wikis
• Web sites which allow users to easily add, remove, edit, and change most available content
• Effective for collaborative writing and self-service Web site creation and maintenance

Social network — More terminology (cont.)
Wikis (cont.)
• Wikipedia – perhaps the best known Wiki
  – Launched on 15 January 2000
  – First edit on 16 January, followed by 1,000 articles in the first month *
  – Now has 17 million articles in 270 languages, all written by volunteers *
  – Billionth edit took place on 16 April 2010 *
  – Used by 400 million people every month *
  – Claims to have 80,000 editors, although reports suggest that it has recently lost thousands; something Wikipedia disputes *
  – Aims to grow to one billion users by 2015 with a focus on women and people in the developing world *
  – Critics maintain that many entries are untrustworthy
  – But a disputed study has shown that for subjects such as science it comes as close as traditional encyclopedias
  * Statistics taken from http://www.bbc.co.uk/news/technology-12171977

Social network — More terminology (cont.)
Social networking software
• A range of tools which facilitate social networking
• Personal Web pages, including bios, photos, interests, audio and video, links to friends, messages from friends, and personal networks

Social network — More terminology (cont.)
Social networking software (cont.)
• Facebook – the biggest of them all
  – Over 500 million registered users *
  – 50% of our active users log on to Facebook in any given day *
  – About 70% of Facebook users are outside the U.S. *
  – More than 30 billion pieces of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each month *
  – People spend over 700 billion minutes per month on Facebook *
  * Statistics taken from http://www.facebook.com/press/info.php?statistics (Sept 2010)
• As of March 13, 2010 Facebook was America’s most popular site according to Experian Hitwise, with 7.1% of traffic compared to Google’s 7.0%

Social network — More terminology (cont.)
Social bookmarking and tagging
• Sites which allow users to share links to sites with others
• Tags are metadata which classify content into categories
• Can be used to aid searches, create tag clouds, and link disparate sources

Social network — More terminology (cont.)
Syndication and mashups
• Using feeds available from a Web site to provide an updated list of its content in the form of a subscription, an embedded portion of a Web site, or a collection of disparate content on a particular topic
• RSS (Really Simple Syndication) or Atom syndication, with .rss, .xml, or .rdf files used for the feeds
• Mashups combine data and feeds from multiple sources to provide a single, integrated set of information (e.g., data plotted on a map)

Social network — More terminology (cont.)
Videos and photos
• Online collections of videos and photos from users
• Users can upload, tag, and rate content

Social Networking Companies
  Social Media                         | Popular Examples
  Wikis                                | Wikitravel, Wikipedia, wikiHow, WikiBooks, the TV IV
  Blogs                                | livejournal, WordPress, Blogger, Technorati, xanga
  Social Networking                    | myspace.com, LinkedIn, facebook, friendster, plaxo
  RSS (Really Simple Syndication)      | newsgator, Bloglines, iGoogle, FeedBurner
  Presence and Microblogging           | twitter, Pownce, jaiku, Hictu!, tumblr
  Social Bookmarking and Tagging       | del.icio.us, digg, reddit, newsvine, StumbleUpon
  Online Photo and Video Sharing       | YouTube, flickr, shutterfly, last-fm, slideshare

Why and how companies are using social networking

Statistics on companies using Social Networking
(Two chart slides; the chart data are not reproduced in the text.)
* Data was collected between November 2009 and January 2010 among the Fortune Global 100 companies: U.S. = 29 companies, Europe = 48 companies, Asia-Pacific = 20 companies, Latin America = 3 companies.
Source: http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Checkup%20white%20paper.pdf

Companies typically adopt Social Media for three major benefits
1. Increase employee productivity and operational efficiencies
2. Foster creativity, innovation, and collaboration
3. Enhance customer and partner relationships

Increase employee productivity and operational efficiencies
• Creates a lightweight institutional memory system in which a company’s intellectual assets can be easily captured, stored, and accessed
• Reduces the net volume of e-mail and allows users to “pull” information at their convenience, as opposed to spending time reading through mass e-mail chains
• Creates better quality deliverables, faster, by drawing on the collective talents, knowledge, and experiences of other employees around the world
Operational efficiencies
• A leading energy company realized approximately $250K in annual cost savings by conducting its employee conference virtually using Social Media
Improved reporting
• A global investment bank tightened reporting cycle times from several weeks to “about 30 seconds” per stakeholder by enabling them to submit their information directly into a team wiki and making that information instantly available to others in a rich dashboard mashup

Increase employee productivity and operational efficiencies (cont.)
• American Red Cross – Designed to incite discussions around issues the American Red Cross cares about, describe actions individuals can take (online or offline) to help people prevent, prepare for, and respond to emergencies, and give valuable information on those topics. http://redcrosschat.org/

Increase employee productivity and operational efficiencies (cont.)
• Deloitte’s D.Wiki
  – Provides a safe, flexible knowledge creation and information sharing environment for all Deloitte practitioners across country, practice, and Deloitte organizational borders
  – Enhances the client service delivery capabilities of our Deloitte practitioners
  – Serves as a test environment for innovative concepts and solutions, which expand the business interests of Deloitte
As used in this document, “Deloitte” means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Foster creativity, innovation, and collaboration
• Harness product, process, and service innovations by unlocking creativity and ideas from any area of the company
• The diverse group feedback inherent in social computing accelerates the problem-solving process and produces better solutions
• Employees create unexpected connections with one another and expand their base of knowledge, experience, and circle of trusted colleagues
Product innovation
• A leading high-tech manufacturer instituted a “submit-and-vote-for-your-favorite-idea” social community with its consumers, generating over 5,000 ideas and over 300,000 votes in its first three months and subsequently identifying new product offerings
Information capture
• A federal agency created an internal wiki to bolster the capture and dissemination of mission-critical information between field agents

Foster creativity, innovation, and collaboration (cont.)
• Best Buy – A community of Best Buy employees who convene regularly to share knowledge, best practices, frustrations, aspirations, and a few jokes. Community members include everyone from recent high school graduates to semi-retirees. https://mix.blueshirtnation.com/

Foster creativity, innovation, and collaboration (cont.)
• Deloitte’s DStreet – Enterprise talent networking site, changing the way we connect with each other
  – Enables another way of collaboration and community building
  – Network, build new relationships, and forge successful careers
  – Learn about colleagues and interesting ways to introduce yourself
  – Identify new connection points to create a basis for meaningful conversation
  – A new way of assembling the right team

Enhance customer and partner relationships
• Opens the lines of communication beyond typical spokespeople, such as marketing, sales, and PR, and provides an avenue for other important stakeholders (e.g., engineers, scientists, product managers) to gather firsthand feedback from customers
• Allows customers to access help beyond traditional means, with networks that provide peer support and a user-generated knowledgebase, while monitoring customer perception
• Provides a forum for collaborative business development, education, and communications with vendors, OEMs, and other partners
• Allows consumers who know your products and services best to become a part of the new offering development process
Revenue growth
• A major consumer goods company improved sales by 31.5% by including customer ratings, user-generated product reviews, and other social features on its online storefront, also resulting in a 40% uptick in average order value

Enhance customer and partner relationships (cont.)
• Procter & Gamble – Capessa launched in the “Yahoo! Health” section of Yahoo.com, one of the world's leading internet destinations. Women who register with Capessa.yahoo.com have access to several topic areas, including parenting, pregnancy, weight loss, relationships, career, healthy living, and caregiving. http://realwomenrealadvice.com/

Enhance customer and partner relationships (cont.)
• American Express – OPEN Forum, an online resource and networking site for business owners. The site is designed to forge meaningful business connections and provide practical, actionable information and insights from influential bloggers, industry leaders, and savvy entrepreneurs. http://www.openforum.com/

Enhance customer and partner relationships (cont.)
• State of Louisville, Kentucky – Interactive audit findings on its Web site, allowing users to discuss previous audit findings. http://www.louisvilleky.gov/InternalAudit/

Enhance customer and partner relationships (cont.)
• Amazon – A social network for people who love books. Users are able to create a virtual shelf to show off their books, see what their friends are reading, and discover new books. http://www.shelfari.com/

Enhance customer and partner relationships (cont.)
• Bank of America (BofA) – On January 29, 2010, Bank of America’s Web site was down. BofA used Twitter to keep in touch with its customers and let them know the latest update.

Risks and challenges

Risks and challenges
• Farmers and Mobsters – Top Facebook Applications
  Rank  Name                    Monthly Active Users *
  1     FarmVille               82,580,911
  2     Static FBML             46,827,021
  3     Birthday Cards          41,904,049
  4     Café World              30,032,716
  5     Facebook for iPhone     29,438,848
  6     Texas HoldEm Poker      28,332,917
  7     Slide FunSpace          25,630,033
  8     Happy Aquarium (BETA)   24,915,971
  9     Mafia Wars              24,704,179
  10    Causes                  24,317,292
  * Source – http://statistics.allfacebook.com/applications/leaderboard/ (March 2010)
• There are now more than 500,000 active applications on the Facebook Platform

Risks and challenges (cont.)
• New security concerns and attack vectors — a result of the shift in technology towards Web services that empower server-side core technology components, and towards Asynchronous JavaScript and XML (“AJAX”) and Rich Internet Application (“RIA”) clients that enhance client-end interfaces in the browser itself.
• Top 10 Web 2.0 Attack Vectors — http://net-square.com/whitepapers/Top10_Web2.0_AV.pdf
  – Cross-site scripting (“CSS”) in AJAX, e.g., the “Samy worm that exploited MySpace.com’s CSS flaw”
  – XML poisoning — poison XML blocks coming from the AJAX client
  – Malicious AJAX code execution — replay of cookies for each request
  – RSS/Atom injection — inject JavaScript into RSS feeds to generate an attack on the client browser
  – Web Services Definition Language (“WSDL”) scanning and enumeration
  – Client-side validation in AJAX routines — failure to perform server-side checks
  – Web services routing issues — compromise of intermediate nodes
  – Parameter manipulation with SOAP — web services consume information and variables from SOAP
  – XPATH injection in SOAP messages — bypass authentication mechanisms
  – RIA thick client binary manipulation — issues with session management

Risks and challenges (cont.)
• Example worms / phishing attacks affecting social networking sites
  – Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter, and other sites. Users are prompted to click on a URL purporting to be an update from Adobe, and a worm that looks for personal data is downloaded to the PC
  – Fbaction – Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account

Risks and challenges (cont.)
  – Boface – convinces users to click on a link pointing to a video, resulting in a download. Shortly after the download is complete, the user’s Facebook account is hijacked and used as a means of spamming (and propagating the worm to) all their friends
• Common element – they all take advantage of the implied trust that social networking users have with each other

Risks and challenges (cont.)
“Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not! It can't even be said to have a 'design.' If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening.” – Marcus Ranum in InfoSec Magazine, May 2008
• Trust — Data reliability commonly causes issues for social media in the workplace. The Web has partially solved this with techniques such as inbound link counting, and reputation and voting systems are starting to appear, often as plug-ins, for social media tools
• Attacks may also take advantage of URL shortening – bit.ly, tr.im, tinyurl.com, etc.

Risks and challenges (cont.)
• More on phishing — social networks are a target-rich environment

Risks and challenges (cont.)
• More on phishing — social networks are a target-rich environment (cont.)
“Dearest One… Sorry for the nature of this email, please bear with me. I am Natasha Kone, a 22 year old lady now, i was born on the 1st of January 1986 to the family of Kone. My father’s name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid, I attended a private school and things were well for me and my parents. Things changed when I was in High School, my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year…” – See http://www.419legal.org for more details
• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals

Risks and challenges (cont.)
• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees
  – Even a lack of a response may damage the brand. For example, XYZ Company, Inc. creates a Twitter account called @XYZ_Cares and then fails to use the account.
  – Other examples include creating a social media program but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized.
• Copyright violation — Third-party material, such as essays, articles, and photographs, is used without written consent from the proprietor
• Intellectual Property theft — Inadvertent data leakage is harder to prevent because of the one-to-many nature of Web 2.0 as a medium

Risks and challenges (cont.)
• Failures in the use of Social Media — most companies that use Social Media don’t approach it the way they would other mission-critical technology
  – At best, it can be said that most companies today are merely dabbling with Social Media…
  – Few have approached the solution with an integrated strategy or a concrete business case, usually because they either aren’t fully convinced of its value or have been slowed by the security and legal issues
  – Without a strategy and proper metrics based on a business case, their projects will remain small, mismanaged, and likely to fail
“Fully half of all Social Media investments will fail” — Gartner

Risks and challenges (cont.)
“When I discovered YouTube, I didn't work for five days. I did nothing. I viewed cookie monster sings chocolate rain about 1,000 times.” – Michael Scott from The Office
• Productivity — Users employ social media tools for nonproductive purposes, such as socializing (“Social Notworking”) http://news.bbc.co.uk/2/hi/business/8325865.stm

Risks and challenges (cont.)
• Technical Integration — Most organizations note that integration between individual Web 2.0 applications and their overall infrastructure is a major concern
  – Sign in using your account with: Facebook, Twitter, Myspace, Yahoo!, Google, Windows Live ID, AOL, Blogger, WordPress, Netlog, OpenID, flickr

Risks and challenges (cont.)
• Information hoarding — In many industries, value is placed on what an employee knows that others do not know. This belief prevents data sharing
• Quantification — Researchers currently face challenges quantifying social networking benefits
  – Valuation techniques include, among others, Beckstrom’s law, which states that “The value of a network equals the net value of each user’s transactions conducted through that network, valued from the perspective of each user, and summed for all.”
  – Or alternatively – http://en.wikipedia.org/wiki/Beckstrom’s_law

Risks and challenges (cont.)
• Litigation issues — Discrimination, defamation, violation of privacy, and harassment are some of the potential concerns that might result in litigation

A quick word on privacy
“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.” — Mark Zuckerberg, Facebook founder
“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place...” — Eric Schmidt, CEO Google, Inc.
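The RSS/Atom injection vector in the Top 10 Web 2.0 Attack Vectors list above comes down to a feed reader or mashup rendering untrusted feed text as live HTML. The following Python is an added example, not code from the presentation or from any product it mentions: it parses a constructed RSS 2.0 document with the standard library, shows the naive rendering beside a hardened renderer (escape every field, allow only absolute http(s) links), and adds a detection pass an auditor could run over a feed before it reaches a dashboard. The feed content, the example.test host and all function names are constructed for illustration.

```python
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample feed (not from any real site). The second item carries
# a javascript: link and a script tag in its description, the kind of
# payload the RSS/Atom injection vector relies on a reader to render as HTML.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example status feed</title>
    <item>
      <title>Quarterly results posted</title>
      <link>https://example.test/results</link>
      <description>Results are now available.</description>
    </item>
    <item>
      <title>Free tickets</title>
      <link>javascript:alert(1)</link>
      <description><![CDATA[Claim yours: <script>alert(1)</script>]]></description>
    </item>
  </channel>
</rss>
"""

ALLOWED_SCHEMES = {"http", "https"}
# Markup a feed text field should never need: active elements or on* handlers.
RISKY_MARKUP = re.compile(r"<\s*(script|iframe|object|embed)\b|\bon\w+\s*=", re.I)


def parse_items(feed_xml):
    """Return (title, link, description) for every <item> in an RSS 2.0 string."""
    root = ET.fromstring(feed_xml)
    return [
        (item.findtext("title", default=""),
         item.findtext("link", default=""),
         item.findtext("description", default=""))
        for item in root.iter("item")
    ]


def render_unsafe(feed_xml):
    """Naive mashup rendering: feed fields pasted straight into HTML."""
    parts = [f'<li><a href="{link}">{title}</a><p>{desc}</p></li>'
             for title, link, desc in parse_items(feed_xml)]
    return "<ul>" + "".join(parts) + "</ul>"


def safe_link(url):
    """Return url only if it is an absolute http(s) URL, otherwise ''."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() in ALLOWED_SCHEMES and parsed.netloc:
        return url.strip()
    return ""


def render_safe(feed_xml):
    """Hardened rendering: every field is escaped as text (so feed HTML is
    shown, not executed) and links outside http(s) are dropped entirely."""
    parts = []
    for title, link, desc in parse_items(feed_xml):
        text = html.escape(title, quote=True)
        href = safe_link(link)
        anchor = f'<a href="{html.escape(href, quote=True)}">{text}</a>' if href else text
        parts.append(f"<li>{anchor}<p>{html.escape(desc, quote=True)}</p></li>")
    return "<ul>" + "".join(parts) + "</ul>"


def find_risky_items(feed_xml):
    """Detection pass for a feed monitor: flag items whose link scheme is not
    http(s) or whose text fields carry active markup. Returns (index, reason)."""
    findings = []
    for idx, (title, link, desc) in enumerate(parse_items(feed_xml)):
        if link and not safe_link(link):
            findings.append((idx, "link scheme not http(s)"))
        if RISKY_MARKUP.search(title + " " + desc):
            findings.append((idx, "active markup in text"))
    return findings


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_FEED))
    print("safe:  ", render_safe(SAMPLE_FEED))
    for idx, reason in find_risky_items(SAMPLE_FEED):
        print(f"flagged item {idx}: {reason}")
```

Escaping as text is the conservative choice for an audit dashboard; a reader that must keep some feed formatting needs an allow-list HTML sanitizer, which the standard library does not provide.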
A quick word on privacy (cont.)
• Loss of Fourth Amendment protection
• Encryption of data storage unlikely
• Lack of encryption while data in use
• Data remanence: limited attempt to address

Responding to the risks and challenges
• Policies and procedures
  – Acceptable use policy
    • Details how social networking sites and applications can be used
    • Defines consequences for failure to comply, e.g., “termination of employment and legal action”
• Risk assessment
  – Establish what information is most critical to the business
  – Understand how information might become vulnerable and how to protect it (data mapping)

Responding to the risks and challenges
• Education and awareness
  – Inform users of the information security risks involved and how to guard against them
    • For example, only install or run applications from trusted sources approved by the corporate IT department

Responding to the risks and challenges (cont.)
• Vulnerability Assessments
  – Identifying, quantifying, and prioritizing the potential vulnerabilities that Social Networking may present to the organization
• Firewalls
  – Historically, firewalls focused on ports, IP addresses, and packets
  – But social networking applications operate on ports 80 and 443
  – Next-generation firewall technology offers granular control of social networking functionality:
    • Identify applications, regardless of port, protocol, evasive tactic, or SSL
    • Identify users regardless of IP address
    • Scan application content in real time
    • Visibility and policy control over application access

What is next in the world of social networking

Where we are at today
• Enterprise Social Media has crossed the tipping point and is no longer considered an “emerging” technology
  – “The Hype Cycle” http://en.wikipedia.org/wiki/Hype_cycle

What’s next in the world of social networking
• Increase in the use of mobile devices to access Social Networks
  – Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% over the 2009 figure of 140 million (Source — eMarketer)
• Increase in frequency of access
  – Facebook mobile users are 50% more active than other users of the site
• Take your social profile with you as you travel the Web
  – For example — Facebook Connect
• Social Networks will become more pervasive — broadcasting your location in geo-networking apps
  – Interaction between devices. For example, your car’s navigation system will be able to learn your friend’s location and provide directions to them

Some further predictions
• Some quotes on social networks
  – “Probably the greatest transformative force in our generation, absent a major war.” — Mark Zuckerberg, Facebook founder
  – “(Twitter is)… Something important that has the potential to change the world, though we have a long way to go.” — Biz Stone, Co-founder of Twitter

Q&A

Today’s Presenters
Nelson Gibbs
Senior Manager
AERS – Audit & Enterprise Risk Services
Deloitte & Touche LLP
[email protected]
+1 213 593 4241

Appendix
• Additional resources
  – Gopal, Raj et al. “Web 2.0 reinvents corporate networking.” Deloitte Consulting LLP (2008)
  – The Economist — A special report on social networking (January 30, 2010)
  – Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World
  – “Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out” by Fred Vogelstein, Wired Magazine (June 2009) – http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwallGreat
  – “The Future is Social, Not Search, Facebook COO Says” by Ryan Singel, Wired Magazine (October 2009) http://www.wired.com/epicenter/2009/10/facebook-social-2/
  – British Computer Society Social Media Web site — http://www.bcs.org/socialmedia

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.