“Malicious cyber actors who successfully compromise social media accounts could disseminate false or sensitive information to a large audience,” the United States Cybersecurity and Infrastructure Security Agency (CISA) said on December 9 while posting a guide detailing the means to protect the security of the organization. manage social media accounts on platforms such as Twitter, Facebook and Instagram.
As CISA points out, a compromised social media account can:
- Damaging the reputation of the organization
- Disrupt operations
- Impose finance charges
Why this is important: Many organizations use social media as their primary means of interacting with the public, but very few have safeguards in place to prevent their accounts from being compromised. Just yesterday Prime Minister Narendra Modi’s Twitter account, which has over 73 million subscribers, was compromised and the malicious actor posted fake bitcoin news from that account. In a more widespread campaign, several high-profile Twitter accounts, including those of Apple, Bill Gates, Elon Musk, Warren Buffett, Joe Biden, Kim Kardashian West and Barack Obama were compromised last July. The CISA guide sets out steps organizations can take to prevent or at least minimize such security breaches.
âThe reliable nature of verified social media accounts, including those of large organizations or public figures, increases the likelihood that fake stories posted by these accounts will be initially viewed as true. “- CISA.
Although the CISA guide is primarily intended for U.S. federal agencies, the recommendations are broad enough to apply to any public or private organization. Many of the measures suggested by CISA are common, but the guide works as a good checklist to make sure organizations don’t overlook key areas.
Power MediaNama’s coverage of the news that defines the future of the Internet in India. Subscribe here
What organizations should do?
The recommendations of the CISA prescribe the following measures:
1. Establish and maintain a social media policy: Organizations should establish a social media policy to govern how their staff use the organization’s social media accounts. The policy should detail the actions described below and organizations should provide appropriate training to staff and review and update the policy at appropriate intervals.
2. Implement credential management: Organizations should secure the credentials used to sign in to social media accounts by taking the following steps:
- Limit the number of people who can access the organization’s social media accounts.
- Use the “business account” feature if applicable. This feature allows an administrator to assign roles and access privileges to individual user accounts, which limits the number of people who have administrative control and gives each user their own unique credentials.
- Administrator accounts must use strong multi-factor authentication (MFA). Facebook Business Suite, LinkedIn Company Pages, and Twitter TweetDeck are platforms that offer this functionality, CISA said.
- Separate employee personal social media from organization accounts to reduce the risk of third-party applications improperly accessing any of the organization’s accounts.
- Protect email accounts linked to social network account by enrolling the email account in additional security measures such as MFA. Google’s Advanced Protection Program and Microsoft’s Advanced Threat Protection Service for Office 365 users are examples of security measures organizations can enroll in.
- Do not share credentials between employees
- Regularly check the list of authorized users and connections
- Monitor alerts for unauthorized activity such as unauthorized logins, logouts, permission changes, additions, deletions, or any unusual activity.
- Limit third-party app access to social media accounts. Third-party applications typically require excessive privileges and therefore should be restricted. To do this, organizations must develop a process to assess and approve third-party applications and review the access privileges of each third-party application to verify that they comply with social media policy.
- Secure the credentials used to interact with a social media service’s application programming interface (API) such as API keys and tokens. “Compromised API keys or tokens can allow malicious actors to impersonate authorized users during a login session without the need for usernames or passwords,” CISA said. For example, Twitter suggests encrypting tokens and storing session data through secure cookies.
- Create strong passwords adhering to best practices in length and complexity, and maintaining a policy that requires changing passwords and tokens at regular intervals.
- Immediately replace compromised credentials even if there is just a hint or suspicion that a password has been compromised.
3. Apply multi-factor authentication (MFA):
- What is the AMF? âMFA combines two or more distinct authentication factors to confirm the identity of an individual, drawn from the following types: (1) something that is ‘known’, such as a password; (2) something that is âownedâ, such as a physical security key or an authenticator app tied to a secondary device; and (3) something that a person ‘is’, such as a distinguishing characteristic, for example, a fingerprint or other biometric, âexplained CISA.
- Physical security keys vs authentication apps: Organizations can use physical security keys or authentication applications. The former provides a physical authentication factor that only works when a user is at the correct website, preventing attackers from using stolen credentials on a phishing site. The latter is an application that displays a code that the user must enter to connect to a particular account. The code usually regenerates in a short time.
- Avoid using MFA text or email authentication: Physical keys and authenticator applications are generally more secure than text-based or email-based MFA because “text-based and email-based MFA methods are vulnerable to phishing and exchange attacks. Subscriber Identification Module (SIM), “CISA said.
4. Manage account privacy settings: Limit data sharing using account privacy settings. For example, change the location permission to share the physical location only when a legitimate need exists and limit the data shared for advertising purposes.
5. Use trusted devices: Use only organization-provided computers and smartphones to manage social media accounts, and complete the following steps to secure these devices:
- Continuously monitor devices for any unusual activity.
- Control devices using a mobile device management platform.
- Implement restrictive mobile app download permissions on devices.
- Implement device tracking and location functions.
6. Check the third-party providers: If your organization uses an external vendor to manage the social media account, ensure that the vendor’s security practices comply with the organization’s security policy and codify this membership in a service level agreement (SLA) with the supplier.
7. Maintain situational awareness of cybersecurity threats: Organizations should be aware of cybersecurity threats to their social media accounts by:
- Continuously monitor the organization’s social media accounts for any unusual behavior.
- Create and disseminate a summary of threats facing the organization to help strengthen the role employees play in reducing cybersecurity risks.
- Explore communities of interest such as centers for industry-specific information sharing and analysis and other government and intelligence programs.
- Provide relevant and situational security awareness training to social media account administrators.
8. Establish an incident response plan: Organizations should have an incident response plan that covers:
- What action to take in the event of unauthorized access or posts, compromised devices, and disclosure of private communications.
- How to report an incident to the appropriate authorities.
- Contact details of relevant social media platforms in the event of a violation.
Read also :
Do you have something to add ? Subscribe to MediaNama here and post your comment.