Is your social media message in-tune?

Posted by SecBarbie on Wednesday Mar 10, 2010 Under RSA Conference, Social Media, Tools

After attending the talk given by Mike Murray at RSA Conference in San Francisco last week on “Tweeting for Dollars: Using Social Media to Enhance your Career in Security” I found myself even more intrigued by some people’s message in the social media spectrum. One of the major points that Mike made during his talk was that not only do organizations need to have a social media strategy, but each person who is engaging in social media should think about theirs as well. Regardless of any intent, each person in social media has a brand. It is our responsibility to ensure that this brand is reflective of what we desire it to be. Some brands are easier to spot than others, but what is your brand saying about you?

The best question that someone asked in the presentation came from a gentleman who said he was ‘screwing up’ his Twitter account. By his definition, screwing up meant that he wasn’t focused on tweeting about his career only; he was tweeting about everything and talking to people. This wasn’t a screw up at all. This gentleman was having a conversation; he was doing social media right! The humanity of social media is what makes it so attractive to readers. People have been using the internet for years to read press releases, and some even use RSS feeds on a daily basis to keep up on those news articles. They don’t need Twitter or Facebook to keep up on that. Social media lets us all know that every celebrity, industry pundit, and random person you met at a convention has something else going on outside of the career or hobby that they are known for.

As an organization, it is also very important to decide how the corporate brand is going to be reflected by the employees. Compose a social media policy stating whether employees are allowed to share corporate information, or whether that is going to be left to the corporate social media accounts and team. If employees are allowed to share certain corporate data, it is very important to identify and classify what information is never to be shared in the social media space. The organization is also responsible for educating employees on these policies to ensure a clear, unified message.

So how would a person or an organization drive their brand while engaging their audience? Have a conversation! Read what your followers are doing, and engage them. Sure, throw out important information that is self-serving as well (i.e. blog post announcements, PR release links, etc.), but also retweet and share other contributors’ information. Know who your audience is, and get to know them!

Sharing is caring!


My ode to Rapid7

Posted by SecBarbie on Wednesday Feb 17, 2010 Under RSA Conference, Sociability, Social Media, Tools, security

<Fade IN:>

A few weeks back, I was sitting in my office in the middle of a meeting with one of my Directors when my phone rang. It came through as one of our trunk lines, so I knew it was a transfer from the receptionist. I was in a good mood, so I answered it. Lo and behold, it was my first call from a Rapid7 Sales representative (the first that I actually answered, that is). Knowing that Rapid7 recently acquired Metasploit, I gave the gentleman a listen. He talked up the RSA party, HD Moore, and the products that Rapid7 is currently marketing compared to some of the competitors. All in all, it was a perfectly fine conversation and I did walk away with some value add. My only critique was that it was pretty long, and I’m too busy to spend that much time talking about a product that we aren’t yet seeking a new vendor for.

<Announcers Voice:> Later the same day

I receive another call from a Rapid7 sales representative who had no idea that I had just spoken with a gentleman earlier! I might have been a little curt on the phone, but please refer back to the fact that I am actually extremely busy, and had already invested 40 minutes on the phone with the previous representative.

Later the same day I asked my twitterverse for information about Rapid7 products, because I trust my colleagues who have used them more than I could EVER trust a demo. Thanks to the great social community of Security Twits I gathered a great deal of information. Additionally, I learned from someone close to internal Rapid7 that Rapid7 follows all the Rapid7 mentions on Twitter... what fun would a day be without throwing a #Rapid7 after some tweets?

<evil-grin>

In all seriousness, Rapid7 is doing some very positive things for the industry with its sponsorship of the SecurityTwits event at SourceBoston, employing some AMAZING researchers, and advancing the Metasploit project with commercial funding!

Rapid7, please work on a sales team lesson in positive versus negative social media networking. Here are my examples of Rapid7 Negative Social Media Marketing:

LinkedIN

  • Requests to professionals who they have never met or never worked with:

Twitter names omitted: “Anybody know what’s the bright idea with Rapid7’s sales team suddenly trying to join people’s networks on linkedin??”

“ Ok @Rapid7, your salespeople’s newfound relentless addition of my linkedin have grown irritating & bothersome. Please DIAF.<- Ah :”

  • The February 16th slew of LinkedIN Spam from “Business Developers” that most of my colleagues received. Not cool!

Twitter:

  • Rapid7 twitter feed is just a Press Release reel, there is no interaction with the community, same can be said for the Facebook page!

Notable mention:

Having the “JR” account reps monitor twitter for Rapid7 mentions — Boiler Room meets Rapid7!

+



The RSA Party!

I’m sure everyone is thrilled that Rapid7 is hosting a party at RSA. But again, this is another marketing fail. They might not want to use the acronym “VIP” as it generally doesn’t mean invite everyone in the world, post it on twitter, then brag about having 1,000+ people at the party.

In case you didn’t RSVP… you can do so here http://www.rapid7.com/forms/rsarsvp.jsp

Come on Rapid7, you can do better than this!

I’m sure you are a great organization, it sure looks as if your employees have fun working there, but I have to say that Rapid7 Sales and Marketing gets the *first ever* Official SecBarbie FAILBarbie award of the month for doing bad all by themselves!


I need a sysadmin for my Facebook!

Posted by SecBarbie on Wednesday Jan 20, 2010 Under Sociability, Social Media, security

- A Facebook Privacy Memoir Part I

Facebook is so lovely: you can learn about what your friends who you don’t have time to keep up with are doing, look at their pictures, watch some of their videos and generally cyber-stalk them with their permission. Oops, we call that ‘being social’, not stalking, now. In the last few years people have really enhanced the art of the me-me using social networks such as Facebook under the guise of “maintaining transparency”. This does beg the question, how much is too much?

In the last year Facebook has come a long way when it comes to the privacy settings, and nearly everyone is hiding something from the general population, so we do have a start for some security. If you want to be uber technical about it, you can use friend lists and play with your privacy settings to create different views for each segment of your life, but who has time for this? Just like any system, add more complex controls and the users who should be using them the most will not.

I have used firewall graphical interfaces that are less complicated than the Facebook privacy settings. This is mostly because the privacy settings for Facebook are not all in one place. There are the Privacy settings in the drop down, but then you have to customize your photo privacy settings in a whole different screen. Now add in the option to create groups for your contacts and manage the settings by those groups as well. All of the technical minded people might think this is a piece of cake, but my aunt, who isn’t that technical, can barely handle navigating from one profile to the next, much less the privacy settings! Yet she has no problem posting pictures, tagging me on the pictures, and sharing them with her friends.

As Christopher Burgess wrote in his Cisco Security Blog post ‘Security – Who is Responsible’:

“ When we wish to use an automobile, we are required to go through a number of steps even before we get the vehicle rolling.  During the drive, we adhere to the rules of the road (drive on the appropriate side, use our signals, stop at red-lights, go when green, etc.).  When the engine light illuminates, the brakes start to screech, or the steering pulls too far left, we take note and either perform the required maintenance or we take it to the garage shop for service. We correct. The mechanic isn’t sitting in the backseat providing telemetry surrounding your vehicle’s operation, and unless my grandmother is in your backseat, you’re probably not being told how to steer, accelerate or brake.  You are responsible.  All of these actions are the responsibility of the operator—the user.  You, the user, will decide “How do I maintain my vehicle and operate it?”  When you violate motor vehicle laws (and are caught), what occurs?  You receive a ticket and tickets carry consequences.  In the US the consequences might include a monetary fine, points on your license and, for some, a mandatory trip to court.  With choices and actions come consequences.

In the online world, we have the same basic responsibilities for security as a driver has in the physical world for safety.”

The unfortunate fact is that there is no education on the do’s and don’ts of social media for people such as my aunt, nor would the millions of high school students who are competing for the largest friend list and posting every little moment of their life even listen if there was! So here are my two tips for Facebook and a link to Cracked’s 10 Commandments of Facebook.

    Don’t friend ANYONE you don’t know, and deny friend requests if you don’t know them!

Don’t friend anyone you don’t know if you post anything to your Facebook that you wouldn’t post on a public or work bulletin board! You don’t really know who is on the other side of the profile.

If you don’t know the person, deny the friend request promptly! Unfortunately there is a bug in Facebook right now that allows people who request you as a friend to see your live feed while the friend request is pending. As of right now, there is not a privacy setting on the live feed. This is bound to change soon, but it is good measure to always deny friend requests until you know that person.

    Unless part of your job is using Facebook, don’t update your Facebook from work!

You don’t know who is really on the other side of your ‘Friends’, so unless part of your job is social media, don’t update your Facebook status from work. Wait for lunch, or after work. This is ESPECIALLY important if your organization doesn’t allow access to Facebook.

The 10 Commandments of Facebook

Until next time….


Businesses going ‘Social’ ?

Posted by SecBarbie on Tuesday Nov 17, 2009 Under Sociability, Social Media

Thank you Mr. Jimmy Carter, I am blaming you for the demise of Business Sociability thanks to your condemning the practice of the three-martini lunch during your 1976 presidential campaign. Why is this your fault? Well, prior to the late 1970s, it was socially acceptable to do many things at work that fostered sociability, such as drinking, long business lunches, and early happy hours. By today’s standards all of these practices are unhealthy, and quite taboo in most organizations in the US. But what happened when we stopped drinking at lunch? We all stopped going to lunch!

The working society went digital, we ‘streamlined’ our workplaces, created ‘efficiencies’, and continued to show ‘ROI’ on digital investments by cutting employees. We became so efficient, that instead of reducing the hours we work, we have increased them in order to produce more! Some people don’t stop to get to know people at work, they use them just as they would a copy machine. Let’s take for example an excerpt that Emily Lawton wrote about Drinking at work:

Consider this:

Madmen 2009

Professional A has an ongoing feud with Professional B, but they have to work in close concert with one another. For one year, Professional A and Professional B nurse a slowly-increasing hatred of one another. They are snappish, and uncordial. Ultimately morale in Department X goes down. Others tiptoe around Professional A and Professional B, fearing an outburst. Employees call in sick, or linger at the coffeepot. Productivity suffers. Then one day Mr. W, the department supervisor, announces the birth of his first child and everyone in Department X celebrates with a case of champagne. Professional A and Professional B realize the folly of their ways. They giggle and slap one another on the back. Perhaps they even continue their bender through the rest of the night and wake up in an old shed somewhere, but that’s a bit much to hope for. Let’s just say they make up and become, if not pals, then at least amiable co-workers. As you can plainly see, much time and effort was wasted, when a small dose of alcohol could’ve smoothed things over.

And so you see, the value in drinking is not just for chatting up cute girls in bars. That same social lubricant is useful (I daresay necessary?) in the workplace. Do not look down upon those of us who can be both drunk and productive. It is not a talent of the many. Those of us who understand its power can harness it for good, not evil. Recognize and celebrate—employers of the world, the next round is yours.


Have you ever talked with an older person (over the age of 60) and had them try to relate to putting in 10 hours in the office a day, then another 3-4 hours a night, and doing this 5-6 days a week? It just doesn’t make sense to many of them. Now, ask yourself how many of you know your neighbors, or are still friends with people you went to high school or college with? Welcome to social media! Since we have forgotten how to be social people in real life, our digital life has evolved to allow us to cultivate our relationships in small, digital quips! It is only a matter of time before all businesses begin forcing the technology and security departments to allow for more secure vehicles of social networking to broaden the digital reach of their product.

We do have a few things to learn from the martini lunches of the past though. Much like the business lunches that start with the best of intentions, social media initiatives always start out the same way. As social media is cultivated without restraints, it has the potential to allow employees to overindulge. Once people are comfortable, they begin letting out pieces of information, and little by little the organization can end up with information leakage.

Create a sound Social Media policy by setting reasonable objectives, allow for growth and cultivate creativity, but set boundaries. After the policy is set, monitor, monitor, monitor. Make sure there is a set person or group with the job responsibility to know what is being said by employees in social media that can impact the organization.


Twitter was busy, please try your call again….

Posted by SecBarbie on Friday Aug 7, 2009 Under Social Media, Tools

For those of you who have weathered the test of technological time, the outage that occurred yesterday on Twitter was nothing out of the ordinary. Sure, the stakes have changed, but this event brought me back to the days of BBSes and how it always seemed that, when you really wanted or needed to send an email or get onto a conference, the BBS was down or all lines were busy.

We had DDoS attacks of sorts back then, just not nearly as sexy as botnets; mostly it was people trying to load up the modem banks and toggle the auto-answer off. Back then it was thought to be just comical to deface the ASCII page of a friend’s site, and all in all it was good fun, but we sure didn’t make CNN back then. What has all this new media adoption done in regards to our dependence on communication? I believe it has just expanded it to a new cross-section of the world. The society of today is built upon 99% availability, and the dependency on the newest communication outlet is mind-blowing! Yesterday, one of the top news stories internationally was TWITTER BEING DOWN!

Amazing.


One might ask why a Techie-geek security management person like myself would go to #140 Conference in New York. There are lThe security reason of interest to myself and to my organization is related to information leakage through Twitter as well as furthering social education about new technology risks.

What is #140Conf : You can check it out in the words of Jeff Pulver on his ideas of creating the conference.

Having just spoken about the issue of adult social networking education last week, I feel that this will be a fantastic opportunity to get to the grass roots of how viral social networking can change personal brand definition and how information leakage impacts organizations. The number of people getting fired, expelled from schools, and socially blacklisted due to a lack of forethought when using Twitter is absolutely amazing; couple this with what information can be distributed with malicious intent and we have one powerful medium. Security awareness outreach is needed to better educate everyone on the impact of what they say today on the life they will live tomorrow.

 

Please look forward to my photo-blog that I will be uploading daily through my trek through the #140conf jungle, as well as the recaps of key topics.
