Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Sat, 18 Mar 2017 00:57:57 +0000
Social media is a tough place for companies. That’s understandable. The idea of connecting people to each other breaks down when one of those people is a major multi-national brand. But there is a place on social for companies and when it’s handled well, it’s amazing.
Unfortunately, as much as positive examples show personality and flare, some of the worst examples do too. And it’s in these examples where we see some very real security concerns.
Social media is the new voice of your organization, you need to make sure it’s representing your companies brand.
This time, we see McDonald’s under fire.
This week a very political & aggressive tweet was pinned to the McDonald’s Twitter page. Before it was deleted, it was spreading fast with nearly 1,000 retweets in an hour.
McDonald’s quickly stated (aka tweeted) that their account was compromised. Once they regained control of the account, they immediately deleted the tweet.
We don’t have any evidence one way or the other to support their claim of compromise but this isn’t the first time this has happened to an account with a very large audience. There are three possible scenarios here;
- The account was compromised and an unauthorized individual posted the tweet maliciously
- The tweet was a personal one sent by mistake from the wrong account by an authorized McDonald’s user
- The tweet was maliciously sent by an authorized—and probably now former—McDonald’s user
Dealing with these scenarios falls under the category of “operations security” or “OpSec”. It’s a critical and often overlooked area of information security.
If you’re organization is on social media you should be planning for how to handle all three of these scenarios. Let’s see how…
Social media services are setup to make it as easy as possible to use their services. As a user, you don’t have to worry about how they’re patching their systems, running their firewalls, encrypting their data, or any other basic security activity. That’s all the responsibility of the service.
The challenge for the service is that they need to ensure that they are securing their systems and protecting their user’s data from hackers and unauthorized uses. But they also need to make sure that legitimate, authorized users can…well…use the service.
That’s where the venerable username and password come into play. Your username is public information but your password should be a secret that only you know.
Know there’s a lot of bad information out there about password usage. NIST (the go-to standards body for this type of thing) recently updated their guidance to reflect what the community has known for a while: longer passwords are better .
This means using a passphrase.
No more p@ssw0rd!. Now it’s Thisismypasswordandit’ssuperlongwitha.
Of course, the best of both worlds is to use a password manager. With one, you use a long passphrase to unlock the manager. As required, the manager creates a strong, unique password for every service you use.
That’s going to reduce the risk of all your accounts being breached if one of them is but it’s still not enough.
This is a setup where you need your username (public), password (private), and a one-time code (private & time sensitive) to login. This added layer of protection goes a long way to thwart hackers.
For individual accounts, this a no brainer. Turn on multi-factor now.
For organizational accounts, things are a little bit more complicated. Multi-factor authentication typically only allows one phone number to receive the code or one app to generate the code.
Services like Facebook and Google have implemented the concept of an organization or shared resource. Each team member has their own account where they can enable multi-factor authentication and those accounts have permissions to the organization’s account (or page on Facebook).
Twitter is the odd service out here. Until Twitter implements organizations, you should look at a 3rd party service to manage your organizational Twitter access.
Whoops, Wrong Account
The second scenario is that the tweet was meant for a personal account and was simply sent from the wrong account…unfortunately that being the person’s work account on behalf of McDonald’s.
It’s easy to understand how this happens. Most social media apps have a subpar experience when it comes to handling multiple accounts. The social media manager’s role is not the primary use case for these apps.
This naturally leads to posts coming from the wrong account.
Most of the time, the result is harmless. But when the personal post is commenting on a political issue or expressing a personal point of view, things usually end up viral.
The simplest method of tackling this is use completely different apps or devices for each account. Ideally you want to avoid the second device (no one wants the cost or burden of a second device) and stick with different apps.
If you can’t find a viable alternative native app. Use a browser. Mobile (both Android and iOS) allow for you to save a website as an app on the home screen. This has the added advantage of some behind-the-scenes isolation. If you’re logged into the main browser with your personal account, you can use another instance of that browser to stay logged into the corporate account.
The goal here is to add manual steps when transitioning between accounts that trigger that “I’m on my account now” and “I’m on the corporate account now” so that you don’t make the simple mistake of posting from the wrong one.
There’s no perfect fix here but making a context switch part of your standard operating procedure will help reduce the potential for these types of mistakes.
#(@$ You, I’m Out
The last scenario is more worrisome for organizations. A large part of social media is being able to react to changing situations quickly. This means that social media teams need a lot of autonomy to be effective.
It’s a position that requires a lot of trust.
Of course, “trust” is a word that sets off alarm bells in minds of the security focused. If you’ve followed along so far, you’ve taken reasonable steps to reduce the chance that a hacker will get access to your account or that a mistake will be made in a post.
The challenge here is if someone violates the trust you’ve placed in them.
This is the social media version of the dreaded insider attack. The worst part of this is that there’s no control that you can implement that will effectively stop this type of problem and still allow for an effective social media strategy.
From an HR perspective, you should be working with your teams to ensure that everyone feels valued and dealing with issues as they arise so they don’t escalate. But we all know that things happen.
You need to have a plan on how to respond if this situation ever arises.
Here’s the rough outline of the preparation;
- Make sure you always have access to the account. This means that the password should be stored in a password vault/manager that you have access to and the multi-factor backup codes are also stored somewhere safe and accessible (like a physical safe in the office)
- Prepare a tweet/post in advance that acknowledges a situation occurred, that you’re removed a post(s) based on that situation, you’re looking into it, and that more information will be available soon
- Make sure you’ve identified the key contacts that need to be notified in the event that something like this happens. This list probably includes; HR, legal, the comms team, and the CEO or another executive.
- Prepare an email to the key contacts with most of the explanation in place; there was a rogue post, it was shared x times, it was up for x minutes, it was noticed by the media, here’s what we’ve done, here’s what we’re going to do, etc.
- Have a checklist for the actions to take when a rogue post is noticed. There’s a template below to get you started.
Here’s the rough outline of what to do in the moment;
- Access the offending social media account
- Change the password and remove all third party/app access
- Remove the offending comment
- Post your prepared response post
- Inform your key contacts
- Start your investigation into what happened
- Update your audience as you go
This flow is like your incident response process for attacks on your infrastructure and that’s on purpose. This should be in your run book with the rest of your security practices.
Operational security is a key pillar of your security posture. Just because this area happens deal with social media doesn’t mean it’s any less important to your business and public reputation.
Preparation Is Key To Social Media Security
Social media can be a major boon to your business. The power to speak directly to your audience is amazing. But as with anything, there are steps you should take to ensure you’re properly protecting your interests.
Finding a balance between speed, autonomy, and caution is difficult. But with a little preparation and discussion ahead of time, you can reduce the chances of the most common corporate social media security problems.
What has you experience been? Are there any other steps that you would recommend? Let me know in the comments below or on Twitter, where I’m @marknca.