{"id":7027,"date":"2017-03-17T17:00:25","date_gmt":"2017-03-18T01:00:25","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/17\/news-818\/"},"modified":"2017-03-17T17:00:25","modified_gmt":"2017-03-18T01:00:25","slug":"news-818","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/17\/news-818\/","title":{"rendered":"3 Steps To Take For Social Media Account Security"},"content":{"rendered":"<p><strong>Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Sat, 18 Mar 2017 00:57:57 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-300x169.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-768x432.jpg 768w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-1024x576.jpg 1024w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-640x360.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-900x506.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-440x248.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-380x214.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704.jpg 1280w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Social media is a tough place for companies. That\u2019s understandable. The idea of connecting people to each other breaks down when one of those people is a major multi-national brand. 
But there is a place on social for companies and when it\u2019s handled well, <a href=\"http:\/\/mashable.com\/2017\/01\/05\/sassy-wendys-social-media-manager\/\">it\u2019s amazing<\/a>.<\/p>\n<p>Unfortunately, as much as the positive examples show personality and flair, some of the worst examples do too. And it\u2019s in these examples that we see some very real security concerns.<\/p>\n<p>Social media is the new voice of your organization, so you need to make sure it\u2019s representing your company\u2019s brand.<\/p>\n<p>This time, we see <a href=\"https:\/\/twitter.com\/mcdonaldscorp\">McDonald\u2019s<\/a> under fire.<\/p>\n<h2>Hacked?<\/h2>\n<p>This week a very political &amp; aggressive tweet was <a href=\"https:\/\/twitter.com\/Support\/status\/458705527027924992\">pinned<\/a> to the McDonald\u2019s Twitter page. Before it was deleted, it was spreading fast, with nearly 1,000 retweets in an hour.<\/p>\n<p>McDonald\u2019s quickly stated (aka <a href=\"https:\/\/twitter.com\/McDonaldsCorp\/status\/842380484260818945\">tweeted<\/a>) that their account was compromised. Once they regained control of the account, they immediately deleted the tweet.<\/p>\n<p>We don\u2019t have any evidence one way or the other to support their claim of compromise, but this isn\u2019t the first time this has happened to an account with a very large audience. There are three possible scenarios here:<\/p>\n<ol>\n<li>The account was compromised and an unauthorized individual posted the tweet maliciously<\/li>\n<li>The tweet was a personal one sent by mistake from the wrong account by an authorized McDonald\u2019s user<\/li>\n<li>The tweet was maliciously sent by an authorized\u2014and probably now former\u2014McDonald\u2019s user<\/li>\n<\/ol>\n<p>Dealing with these scenarios falls under the category of \u201coperations security\u201d or \u201cOpSec\u201d. 
It\u2019s a critical and often overlooked area of information security.<\/p>\n<p>If your organization is on social media, you should be planning for how to handle all three of these scenarios. Let\u2019s see how\u2026<\/p>\n<h2>Compromised Account<\/h2>\n<p>Social media services are set up to make it as easy as possible to use them. As a user, you don\u2019t have to worry about how they\u2019re patching their systems, running their firewalls, encrypting their data, or any other basic security activity. That\u2019s all the responsibility of the service.<\/p>\n<p>The challenge for the service is that it needs to secure its systems and protect its users\u2019 data from hackers and unauthorized use. <b>But<\/b> it also needs to make sure that legitimate, authorized users can\u2026well\u2026<b>use<\/b> the service.<\/p>\n<p>That\u2019s where the venerable username and password come into play. Your username is public information, but your password should be a secret that only you know.<\/p>\n<p>Now, there\u2019s a lot of bad information out there about password usage. NIST (the go-to standards body for this type of thing) recently updated its guidance to reflect <a href=\"https:\/\/www.washingtonpost.com\/news\/the-switch\/wp\/2016\/08\/11\/theres-a-new-way-to-make-strong-passwords-and-its-way-easier\/?utm_term=.5008ab83df4f\">what the community<\/a> has known for a while: <a href=\"https:\/\/blog.codinghorror.com\/password-rules-are-bullshit\/\">longer passwords are better<\/a>, and length matters far more than forced mixes of symbols, digits and capitals.<\/p>\n<p>This means using a passphrase.<\/p>\n<p>No more <b>p@ssw0rd!<\/b>. 
Now it\u2019s <b>Thisismypasswordandit\u2019ssuperlongwitha\ud83d\ude03<\/b>.<\/p>\n<p>Of course, the best of both worlds is to use <a href=\"http:\/\/thewirecutter.com\/reviews\/best-password-managers\/\">a password manager<\/a>. With one, you use a long passphrase to unlock the manager. As required, the manager creates a strong, unique password for every service you use.<\/p>\n<p>That limits the damage when one service is breached: a password that\u2019s unique to that service can\u2019t be replayed against your other accounts. But it\u2019s still not enough.<\/p>\n<p>For any account that offers it\u2014and that includes all of the major services: <a href=\"https:\/\/support.google.com\/accounts\/answer\/185839?hl=en\">Google<\/a>, <a href=\"https:\/\/www.facebook.com\/notes\/facebook-engineering\/introducing-login-approvals\/10150172618258920\/\">Facebook<\/a>, <a href=\"https:\/\/support.twitter.com\/articles\/20170388\">Twitter<\/a>, etc.\u2014you should enable <a href=\"https:\/\/en.wikipedia.org\/wiki\/Multi-factor_authentication\">multi-factor authentication<\/a>.<\/p>\n<p>This is a setup where you need your username (public), password (private), and a one-time code (private &amp; time sensitive) to log in. This added layer of protection goes a long way to thwart hackers, because a stolen password alone is no longer enough. Where the service gives you the choice, generate the code with an authenticator app or a hardware token rather than receiving it by SMS: text messages can be intercepted or redirected by getting your phone number ported to another SIM.<\/p>\n<p>For individual accounts, this is a no-brainer. Turn on multi-factor now.<\/p>\n<p>For organizational accounts, things are a little bit more complicated. Multi-factor authentication typically only allows one phone number to receive the code or <a href=\"https:\/\/support.google.com\/accounts\/answer\/1066447?hl=en\">one app<\/a> to generate the code, and passing a shared phone or a shared secret around the team defeats the purpose.<\/p>\n<p>Services like Facebook and Google have implemented the concept of an organization or shared resource. 
Each team member has their own account, where they can enable multi-factor authentication, and those individual accounts are granted permissions on the organization\u2019s account (or page, on Facebook). That also means every post is attributable to a named person, and removing someone\u2019s access is a matter of revoking one role rather than rotating a shared password.<\/p>\n<p>Twitter is the odd service out here. Until Twitter implements organizations, you should look at a third-party service to manage your organizational Twitter access, so that individual team members never hold the account\u2019s own password.<\/p>\n<h2>Whoops, Wrong Account<\/h2>\n<p>The second scenario is that the tweet was meant for a personal account and was simply sent from the wrong one\u2026unfortunately, that being the person\u2019s work account, on behalf of McDonald\u2019s.<\/p>\n<p>It\u2019s easy to understand how this happens. Most social media apps have a subpar experience when it comes to handling multiple accounts. The social media manager\u2019s role is not the primary use case for these apps.<\/p>\n<p>This naturally leads to posts coming from the wrong account.<\/p>\n<p>Most of the time, the result is harmless. But when the personal post is commenting on a political issue or expressing a personal point of view, things tend to go viral.<\/p>\n<p>The simplest method of tackling this is to use completely different apps or devices for each account. Ideally you want to avoid the second device (no one wants the cost or burden of a second device) and stick with different apps.<\/p>\n<p>If you can\u2019t find a viable alternative native app, use a browser. Both Android and iOS let you save a website to the home screen as an app. This has the added advantage of some behind-the-scenes isolation. 
If you\u2019re logged into the main browser with your personal account, you can use that saved web app (or a separate browser) to stay logged into the corporate account.<\/p>\n<p>The goal here is to add manual steps when transitioning between accounts that trigger that \u201cI\u2019m on <b>my<\/b> account now\u201d and \u201cI\u2019m on the <b>corporate<\/b> account now\u201d feeling, so that you don\u2019t make the simple mistake of posting from the wrong one.<\/p>\n<p>There\u2019s no perfect fix here, but making a context switch part of your standard operating procedure will help reduce the potential for these types of mistakes.<\/p>\n<h2>#(@$ You, I\u2019m Out<\/h2>\n<p>The last scenario is more worrisome for organizations. A large part of social media is being able to react to changing situations quickly. This means that social media teams need a lot of autonomy to be effective.<\/p>\n<p>It\u2019s a position that requires a lot of trust.<\/p>\n<p>Of course, \u201ctrust\u201d is a word that sets off alarm bells in the minds of the security-focused. If you\u2019ve followed along so far, you\u2019ve taken reasonable steps to reduce the chance that a hacker will get access to your account or that a mistake will be made in a post.<\/p>\n<p>The challenge here is if someone violates the trust you\u2019ve placed in them.<\/p>\n<p>This is the social media version of the dreaded insider attack. The worst part of this is that there\u2019s no preventive control you can implement that will effectively stop this type of problem and still allow for an effective social media strategy. What you can do is make sure every post is attributable to an individual, keep the list of people who can post short, and shorten the time between a rogue post going up and someone with authority noticing and pulling it down.<\/p>\n<p>From an HR perspective, you should be working with your teams to ensure that everyone feels valued and dealing with issues as they arise so they don\u2019t escalate. 
But we all know that things happen.<\/p>\n<p>You need to have a plan for how to respond if this situation ever arises.<\/p>\n<p>Here\u2019s the rough outline of the preparation:<\/p>\n<ol>\n<li>Make sure you always have access to the account. This means that the password should be stored in a password vault\/manager that you (not just the social media team) have access to, and the multi-factor backup codes are also stored somewhere safe and accessible, like a physical safe in the office. Test that access periodically; a vault entry nobody has opened in a year may be stale.<\/li>\n<li>Prepare a tweet\/post in advance that acknowledges a situation occurred, that you\u2019ve removed a post (or posts) because of it, that you\u2019re looking into it, and that more information will be available soon<\/li>\n<li>Make sure you\u2019ve identified the key contacts that need to be notified in the event that something like this happens. This list probably includes HR, legal, the comms team, and the CEO or another executive.<\/li>\n<li>Prepare an email to the key contacts with most of the explanation in place: there was a rogue post, it was shared x times, it was up for x minutes, it was noticed by the media, here\u2019s what we\u2019ve done, here\u2019s what we\u2019re going to do, etc.<\/li>\n<li>Have a checklist for the actions to take when a rogue post is noticed. There\u2019s a template below to get you started.<\/li>\n<\/ol>\n<p>Here\u2019s the rough outline of what to do in the moment:<\/p>\n<ol>\n<li>Access the offending social media account<\/li>\n<li>Change the password, remove all third-party\/app access and, where the service offers it, sign out every other active session so the person who posted no longer has a working login<\/li>\n<li>Capture a screenshot or archived copy of the offending post (you\u2019ll need it for the investigation), then remove it<\/li>\n<li>Post your prepared response<\/li>\n<li>Inform your key contacts<\/li>\n<li>Start your investigation into what happened<\/li>\n<li>Update your audience as you go<\/li>\n<\/ol>\n<p>This flow is like your incident response process for attacks on your infrastructure, and that\u2019s on purpose. 
This should be in your runbook with the rest of your security practices.<\/p>\n<p>Operational security is a key pillar of your security posture. Just because this area happens to deal with social media doesn\u2019t mean it\u2019s any less important to your business and public reputation.<\/p>\n<h2>Preparation Is Key To Social Media Security<\/h2>\n<p>Social media can be a major boon to your business. The power to speak directly to your audience is amazing. But as with anything, there are steps you should take to ensure you\u2019re properly protecting your interests.<\/p>\n<p>Finding a balance between speed, autonomy, and caution is difficult. But with a little preparation and discussion ahead of time, you can reduce the chances of the most common corporate social media security problems.<\/p>\n<p>What has your experience been? Are there any other steps that you would recommend? Let me know in the comments below or on Twitter, where <a href=\"https:\/\/twitter.com\/marknca\">I\u2019m @marknca<\/a>.<\/p>\n<p><a href=\"http:\/\/blog.trendmicro.com\/3-steps-for-social-media-account-security\/\" target=\"bwo\" >http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Sat, 18 Mar 2017 00:57:57 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-300x169.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-768x432.jpg 768w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-1024x576.jpg 1024w, 
http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-640x360.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-900x506.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-440x248.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704-380x214.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/iStock-598912704.jpg 1280w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>Social media is a tough place for companies. That\u2019s understandable. The idea of connecting people to each other breaks down when one of those people is a major multi-national brand. But there is a place on social for companies and when it\u2019s handled well, it\u2019s amazing. Unfortunately, as much as positive examples show personality and&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[11231,11326,1932],"class_list":["post-7027","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-internet-safety","tag-opsec","tag-social-media"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7027","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7027"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/
posts\/7027\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7027"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7027"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7027"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}