“Malicious cyber actors that successfully compromise social media accounts could spread false or sensitive information to a wide audience,” the United States Cybersecurity and Infrastructure Security Agency (CISA) said on December 9 while releasing a guide detailing ways to protect the security of organisation-run social media accounts on platforms such as Twitter, Facebook, and Instagram.
As CISA points out, a compromised social media account can:
- Damage the organisation’s reputation
- Disrupt operations
- Impose financial costs
Why this matters: Many organisations use social media as a primary way to engage with the public, but very few have the safeguards in place to prevent their accounts from getting compromised. Just yesterday, Prime Minister Narendra Modi’s Twitter account, which has over 73 million followers, was compromised and the malicious actor posted fake news about bitcoin from that account. In a more widespread campaign, multiple high-profile Twitter accounts, including those of Apple, Bill Gates, Elon Musk, Warren Buffett, Joe Biden, Kim Kardashian West and Barack Obama, were compromised last July. CISA’s guide lays out measures that organisations can adopt to prevent such security lapses, or at least minimise them.
“The trusted nature of verified social media accounts—including those of large organizations or public figures—increases the likelihood that false stories posted by these accounts may be initially viewed as true.” – CISA
While CISA’s guide is primarily intended for US federal agencies, the recommendations are broad enough to apply to any public or private organisation. Many of CISA’s suggested measures are commonplace, but the guide works as a good checklist of sorts to ensure that organisations don’t overlook key aspects.
What should organisations do?
CISA’s recommendations prescribe the following measures:
1. Establish and Maintain a Social Media Policy: Organisations must establish a social media policy to govern how their personnel use the organisation’s social media accounts. The policy should detail the measures described below and organisations must provide relevant training to personnel and review and update the policy at appropriate intervals.
2. Implement Credential Management: Organisations should secure the credentials used to log in to social media accounts by taking the following measures:
- Limit the number of people who can access the organisation’s social media accounts.
- Use the “corporate account” feature where available. This feature allows an administrator to assign roles and access privileges to individual user accounts, which limits the number of people that possess administrative control and gives each user their own unique credentials.
- Administrator accounts must use strong multi-factor authentication (MFA). Facebook Business Suite, LinkedIn Company Pages, and Twitter TweetDeck are platforms that offer this feature, CISA stated.
- Separate employees’ personal social media from the organisation’s accounts to reduce the risk of third-party applications gaining undue access to any of the organisation’s accounts.
- Protect email accounts linked to the social media account by enrolling the email account in additional security measures like MFA. Google’s Advanced Protection Program and Microsoft’s Advanced Threat Protection service for Office 365 users are examples of security measures that organisations can enrol in.
- Do not share credentials between employees.
- Review the list of authorised users and logins regularly.
- Monitor alerts for unauthorised activities such as unauthorised logins, logoffs, permission changes, additions, deletions, or any unusual activity.
- Limit third-party app access to social media accounts. Third-party apps generally request excessive privileges and should therefore be limited. To do this, organisations must develop a process to evaluate and approve third-party apps and review each third-party app’s access privileges to verify that they comply with the social media policy.
- Secure the credentials used to interact with a social media service’s application programming interface (API) such as API keys and tokens. “Compromised API keys or tokens may allow malicious actors to impersonate authorized users during a login session without requiring usernames or passwords,” CISA stated. For example, Twitter suggests encrypting tokens and storing session data via secured cookies.
- Create strong passwords by adhering to best practices for length and complexity and maintain a policy that enforces changing passwords and tokens at regular intervals.
- Replace compromised credentials immediately even if there is just an indication or suspicion that a password has been compromised.
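The credential-management items above (reviewing the authorised user list, watching for unauthorised logins and permission changes, and checking third-party app scopes against policy) can be turned into a routine review of the platform’s audit log. The following is an added example, not code from CISA or MediaNama; the roster, approved apps and audit events are constructed sample data in a hypothetical event shape, not any real platform’s API.

```python
"""Review constructed social-media audit events against the authorised roster
and the approved third-party app scopes. Hypothetical data shapes throughout."""

# Authorised roster (username -> role), as reviewed under the social media policy. Constructed.
AUTHORISED = {"comms_lead": "admin", "press_officer": "editor", "intern_01": "contributor"}

# Third-party apps approved through the evaluation process and the scopes each may hold. Constructed.
APPROVED_APPS = {
    "SchedulerPro": {"tweet.read", "tweet.write"},
    "AnalyticsDash": {"tweet.read", "users.read"},
}

# Constructed audit events in a hypothetical shape; a real platform export would be mapped into this.
EVENTS = [
    {"ts": "2021-12-09T08:01Z", "event": "login", "actor": "comms_lead", "mfa": True},
    {"ts": "2021-12-09T08:05Z", "event": "login", "actor": "former_staff", "mfa": False},
    {"ts": "2021-12-09T08:07Z", "event": "role_change", "actor": "former_staff",
     "target": "intern_01", "new_role": "admin"},
    {"ts": "2021-12-09T08:10Z", "event": "app_authorised", "actor": "press_officer",
     "app": "SchedulerPro", "scopes": ["tweet.read", "tweet.write", "dm.write"]},
    {"ts": "2021-12-09T08:12Z", "event": "app_authorised", "actor": "intern_01",
     "app": "UnknownGrowthTool", "scopes": ["tweet.write"]},
    {"ts": "2021-12-09T08:15Z", "event": "login", "actor": "press_officer", "mfa": False},
]


def review(events, authorised=AUTHORISED, approved_apps=APPROVED_APPS):
    """Return (timestamp, finding, detail) tuples for events that breach the policy."""
    findings = []
    for e in events:
        actor = e["actor"]
        # Any activity by someone not on the reviewed roster is a finding in itself.
        if actor not in authorised:
            findings.append((e["ts"], "unknown_actor", f"{actor} performed {e['event']}"))
        # Logins without MFA contradict the MFA requirement for account holders.
        if e["event"] == "login" and not e.get("mfa", False):
            findings.append((e["ts"], "login_without_mfa", actor))
        # Every role/permission change is surfaced for a human to confirm.
        if e["event"] == "role_change":
            findings.append((e["ts"], "role_change", f"{actor} set {e['target']} to {e['new_role']}"))
        # Third-party apps must be on the approved list and hold no more than their approved scopes.
        if e["event"] == "app_authorised":
            allowed = approved_apps.get(e["app"])
            if allowed is None:
                findings.append((e["ts"], "unapproved_app", e["app"]))
            elif set(e["scopes"]) - allowed:
                findings.append((e["ts"], "excess_scopes",
                                 f"{e['app']}: {sorted(set(e['scopes']) - allowed)}"))
    return findings
```

Running `review(EVENTS)` on the sample data yields seven findings, including the two actions by the off-roster account and the `dm.write` scope that exceeds SchedulerPro’s approval.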
3. Enforce Multi-Factor Authentication (MFA):
- What is MFA? “MFA combines two or more distinct authentication factors to confirm an individual’s identity, drawn from the following types: (1) something that is “known,” such as a password; (2) something that is “possessed,” such as a physical security key or authenticator app linked to a secondary device; and (3) something that a person “is,” such as a distinguishing feature, e.g., a fingerprint or other biometric,” CISA explained.
- Physical security keys vs authentication apps: Organisations can use either physical security keys or authentication apps. The former provides a physical authentication factor that only works when a user is on the correct website, thus preventing attackers from using credentials stolen on a phishing site. The latter is an app that displays a code that the user must enter to log into a particular account. The code typically regenerates in a short period of time.
- Avoid using text or email-based MFA: Physical keys and authenticator apps are generally more secure than text or email-based MFA because “text and email message-based MFA methods are vulnerable to phishing and subscriber identification module (SIM) swap attacks,” CISA said.
4. Manage Account Privacy Settings: Limit the data sharing by using account privacy settings. For example, modify location permission to share physical location only when a legitimate need exists and limit data shared for advertising purposes.
5. Use Trusted Devices: Use only organisation-issued computers and smartphones to manage social media accounts and take the following steps to secure these devices:
- Continuously monitor devices for any unusual activity.
- Control devices by using a mobile device management platform.
- Implement restrictive mobile application download permissions on the devices.
- Implement device tracking and locating functions.
6. Vet Third-Party Vendors: If your organisation uses an external vendor to manage its social media accounts, ensure that the vendor’s security practices adhere to the organisation’s security policy and codify this adherence in a service-level agreement (SLA) with the vendor.
7. Maintain Situational Awareness of Cybersecurity Threats: Organisations should stay aware of cybersecurity threats against their social media accounts by:
- Continuously monitoring the organisation’s social media accounts for unusual behaviour.
- Creating and distributing a summary of the threats the organisation faces to help reinforce the role employees play in reducing cybersecurity risk.
- Exploring communities of interest such as sector-specific information sharing and analysis centres and other government and intelligence programs.
- Providing the social media account administrators with relevant and situational security awareness training.
8. Establish an Incident Response Plan: Organisations should have an incident response plan that covers:
- What actions to take when there is unauthorised access or postings, compromised devices, and the disclosure of private communications.
- How to report an incident to relevant authorities.
- Contact information for the relevant social media platforms should a breach occur.