Operational Security Best Practices For Social Media

员工在社交网络和博客中张贴了不利于公司的信息,如何防止员工的无意张贴在未来给公司带来不利影响呢?信息安全管理人员一方面要制定适当的社交网络使用政策规范,另一方面要加强员工的安全意识教育。
Building a firm, clear policy on disclosures online can provide a flexible, adaptive response that will protect proprietary data from winding up in a public leak.
In recent years, we’ve seen the pace of database breaches and the subsequent distribution of Personally Identifiable Information (PII) accelerate to a breakneck pace, causing significant financial and personal damage to the individuals impacted. But what often goes unconsidered is the organizational damage that the loss of even a single email address can cause.
One carefully considered stolen pair of credentials can offer a jumping off point for a phishing campaign that appears to come from a trusted source, an intelligence source that affords an attacker targeting data for subsequent action, or a pivot point to access other accounts that may use the same password. In fact, attackers will commonly comb through leaked databases for high value targets and resell secondary lists to those looking to use the accounts before a password reset. A common defense against these sort of scenarios is practicing good organizational social media operational security – OPSEC – principally by keeping company data off LinkedIn, Facebook, Reddit, and the like.

OPSEC on social media demands good communication between first-line managers, legal policy, and your Security Operations Center (SOC). Legally, you can’t forbid your employees from using LinkedIn, but you can bar them from disclosing company assets publically, such as an organizational email. First-line managers are responsible for implementing legal policies, but more importantly – these managers can communicate back to the OpSec team when business needs are forcing employees to circumvent security policies.
Much more common than the malicious insider threat is the employee who can’t access data they need on the road, and decides to forward company email to a webmail service. Another dangerous scenario is the employee who is required to disclose their company email to third parties, but doesn’t have a separate account for sensitive data.
SOC: Your OPSEC Of Last Resort
There are generally simple, easy fixes for these issues that tend not
to be implemented due to poor communication with first-line managers. And there will always be individuals with exceptionally poor judgment, for example, those who would register for ashleymadison.com with a company email. Bottom line, making sure security policies are aligned with business needs is a low cost measure that decision makers should be doing as a matter of course.
The SOC affords your organization with OPSEC of last resort. If a SOC tech sees company information disclosed in a public space, something has already gone wrong. That said, a simple crawler set to look for a defined keyword or domain list on sites like Reddit or Facebook can find leaked PII fast, increasing the odds that a takedown will be more effective.
A Tier II SOC tech can triage a leak after the fact by pinpointing the precise point of egress. Asking for passive monitoring of PII can afford an additional layer of security for situations when policy is not sufficient. Brand Protection services will also do this as part of a vendor relationship, although typically at significant cost.
As with most cybersecurity issues, protecting company information on social media boils down to issues of communication. Building firm, clear policy on disclosures online, as well as providing channels for feedback to filter upwards, can provide a flexible, adaptive response that will protect proprietary data from winding up in a public leak.
信息化环境下的政府部门保密工作问题研究
为什么侵犯版权的地下黑产业多集中在荷兰、东欧、俄罗斯和中国呢?是不是这些地方的软件业缺乏创新精神,开发者的利益得不到保护?

猜您喜欢

IT早间报:微信小程序正式上线 主打轻量级服务
如何防范假冒WiFi热点
EHS培训计划的制定与培训策略的创新性选择
互联网中文域名可查企业信用 有望“火”起来
FREEONLINESURVEYS MOTEL6-ANAHEIM
安全管理与“伸手不打笑脸人”文化