
Social media security

Date post: 08-Sep-2014
Upload: mosoco
Description:
The steps to take to reduce the chance of your social media accounts being compromised
Transcript
Page 1: Social media security

Social media security

How to prevent hacks and manage them if they happen

Page 2: Social media security

1. Preventing hacks

Page 3: Social media security

Why are social media hacks a problem?

• You are the CEO of a bank, tweeting regularly, and generally being hip

• And then your Twitter account is hacked. There’s a tweet in your name that says the bank has made huge losses and doesn’t have enough money to pay account holders

• People panic and there is a run on the bank…

Page 4: Social media security

How do hacks happen?

• People who want to cause mischief can get access to your password in a number of ways:

– Passwords are hacked using “brute force” software that runs through all the possible combinations of letters and numbers

– People steal (or find) unprotected portable devices

– Devices are infected with spyware (often after a phishing attack)

– Passwords are not changed when an employee who knows them leaves the company

– The password is stored on a shared personal device which allows access by non-authorised people

– Password lists are made available to non-authorised people

• So what can you do about this?

Page 5: Social media security

How can you stop hacking?

• You can’t be sure of preventing hacking

• But you can take some basic steps to make it less likely that people will succeed:

– Use robust passwords

– Limit access to social media accounts

– Limit direct access to social media accounts

– Keep in control

– Watch out for Cookies

– Educate people to avoid phishing attacks

– Take care with mobile devices

Page 6: Social media security

Use robust passwords

• Ensure passwords are strong

– minimum of 12 characters including at least one each of capital letter, lower case letter, number, keyboard symbol (e.g. ! $ % &)

• Don’t use words or names in the password

– Password isn’t a great password

– And people realise that numbers are commonly substituted for letters: So P455w0rd isn’t great either!

• Think of a phrase and use the first letters:

– I love my wife Delvina and my two boys Caspar and Tarquin! becomes IlmwD&m2bC&T!

• Ensure passwords are different for all accounts

• Change passwords a couple of times a year
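
The rules on this slide, written as a check you can run. This is an added example, not part of the original presentation; the word list and the substitution table are small constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample list; a real check would use a full dictionary
# and a breached-password list.
COMMON_WORDS = {"password", "welcome", "twitter", "facebook", "letmein"}

# Undo common number/symbol-for-letter swaps (the slide's "P455w0rd" case).
UNSWAP = str.maketrans({"4": "a", "@": "a", "5": "s", "$": "s",
                        "0": "o", "1": "l", "3": "e", "7": "t"})

# Character classes the slide requires at least one of each.
REQUIRED = {
    "capital letter": r"[A-Z]",
    "lower case letter": r"[a-z]",
    "number": r"[0-9]",
    "keyboard symbol": r"[^A-Za-z0-9\s]",
}

# Word-to-symbol swaps taken from the slide's own worked phrase.
PHRASE_SWAPS = {"and": "&", "two": "2"}


def policy_failures(password):
    """Return the slide rules this password breaks (empty list = passes)."""
    failures = []
    if len(password) < 12:
        failures.append("shorter than 12 characters")
    for name, pattern in REQUIRED.items():
        if not re.search(pattern, password):
            failures.append("no " + name)
    # Reverse the substitutions, then look for a known word in the result.
    normalised = password.lower().translate(UNSWAP)
    if any(word in normalised for word in COMMON_WORDS):
        failures.append("contains a common word")
    return failures


def phrase_to_password(phrase):
    """First letter of each word, swapping words listed in PHRASE_SWAPS."""
    out = []
    for token in phrase.split():
        word = token.rstrip("!?.,;:")
        tail = token[len(word):]  # keep trailing punctuation as a symbol
        out.append(PHRASE_SWAPS.get(word.lower(), word[:1]) + tail)
    return "".join(out)
```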

Page 7: Social media security

Limit access

• Audit number of people who have access (check for 3rd parties like agencies)

• Severely limit the people who have access

– If necessary appoint an “editor” who uploads content written by other people

– Ensure that the contracts of people with access stipulate that passwords must not be shared

– Keep a record of who has access

Page 8: Social media security

Manage access

• If you can, implement Single Sign On technology to manage access to your social media accounts

• This means that people don’t have to sign onto social media accounts directly

– they get access when they sign into your company network

• Preventing direct access means that fewer people need to know or remember passwords and that passwords can be changed at any time

Page 9: Social media security

Cookie attacks

• Some platforms (e.g. Twitter, Facebook) are designed to remain open continuously

– This is so that you get access every time you go to your computer or mobile phone

• Keeping an account open all the time gives people an easy way into your account

– If it is open on a mobile device which subsequently gets lost

– If you are using a shared device and forget to log out

• The most secure way to handle this is to require access to corporate social media only via fixed company equipment

Page 10: Social media security

Ensure you have control

• Some platforms (e.g. Facebook) say business pages must be set up by private accounts

– Don’t allow individuals to set up these pages: create an account representing your “corporate personality” instead

– If private accounts have been used, you may have to start afresh even if it means sacrificing assets such as Likes

• If you ask people to Tweet or Post for you, make sure the accounts they set up are owned and capable of being managed by the company

Page 11: Social media security

Avoid phishing attacks

• Phishing: a hacker sends you a message “from” your social network, asking you to log in to your account and provides you with a handy link

• You enter username and password into a fake login page, which promptly captures the data

– Often these attacks are personalised with your name and job title (“spear-phishing”) and look very credible

• Prevent this through education. Train people to:

– Recognise suspicious emails

– Check the address of the site in the browser address bar

– Avoid links in emails and navigate directly to their account
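
What “check the address” means in practice, as an added example that is not part of the original presentation. The expected hosts are an assumption to replace with the login hosts you actually use, and the sample links are constructed with placeholder `.example` hosts.

```python
from urllib.parse import urlsplit

# Assumption: the exact login hosts your organisation uses.
EXPECTED_HOSTS = {"twitter.com", "www.facebook.com"}


def check_login_link(url):
    """Return (ok, reason) for a link that claims to lead to a login page."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not an https link"
    if parts.username is not None:
        # Everything before '@' is a user name, not the site.
        return False, "real host is " + (parts.hostname or "")
    host = (parts.hostname or "").rstrip(".")
    if host not in EXPECTED_HOSTS:
        # Exact match only: the real site is the END of the host name,
        # so a familiar name at the start proves nothing.
        return False, "host is " + host
    return True, "host matches " + host


# Constructed sample links; the .example hosts are placeholders.
SAMPLES = [
    "https://twitter.com/login",
    "http://twitter.com/login",
    "https://twitter.com.account-check.example/login",
    "https://twitter.com@account-check.example/login",
    "https://www.facebook.com.example/login.php",
]


def triage(urls):
    """Map each link to its (ok, reason) verdict."""
    return {url: check_login_link(url) for url in urls}


if __name__ == "__main__":
    for url, (ok, reason) in triage(SAMPLES).items():
        print("OK  " if ok else "STOP", url, "->", reason)
```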

Page 12: Social media security

Mobile devices

• Mobile devices represent a risk because they can be lost or stolen

• Limit access to corporate social media accounts to fixed computers in secure office locations

• If you need access outside the office (e.g. for tweets at a conference):

– Protect the device with a robust password

– Make sure you have the ability to lock or wipe it remotely

– Avoid using password vaults that remember passwords for you

• If you are logging on to Twitter or Facebook on a mobile device, log off after you finish

Page 13: Social media security

Wi-Fi

• Wi-fi connections may be insecure or dangerous

• Check to make sure you are using the official wi-fi (check the exact name)

– Don’t be tempted to use an alternative wi-fi even if it seems to offer easy access

• Don’t use the corporate account to tweet on wi-fi

– Set up a secondary account and use it for out-of-office events

– Use the event hashtag in tweets to ensure that people find your posts

– Get colleagues to follow the secondary account and share your posts via the main corporate account as soon as possible

Page 14: Social media security

Educate

• Most protection can be gained through education

• Help people understand where the risks lie, what they can do to minimise them, and why it is important

Page 15: Social media security

2. Five steps for managing if you are hacked

Page 16: Social media security

Step 1. Regain control by resetting passwords

• Change the password on the account (to something harder to hack)

• If the hackers have changed the password, reset it using the forgotten password link on the site

– At the same time change the password of the account administrator’s email address as this may have been hacked too

• If the hackers have locked you out of your account, contact the social platform directly:

– Search [platform name] AND hacked OR compromised to find the right page

Page 17: Social media security

Step 2. Protect your other platforms

• Now check all your other social media platforms and ensure they have not been hacked as well

• If they are safe, check that they have a secure password and that this is different from the passwords on your other social media sites

Page 18: Social media security

Step 3. Get back to normal

• Get your social media accounts back to the state they were in before the hacking incident

• Delete unwanted content

– Delete any content sent out without your authorisation

  • This doesn’t guarantee it will disappear completely and for ever as other people may have saved or shared it

• Check your account settings

– Make sure there aren’t any nasty surprises waiting for you

  • Have any automated responses been altered?

  • Does your profile contain strange links?

  • Have any Twitter lists been tampered with?

  • Do you have some unexpected new “friends”?

Page 19: Social media security

Step 4. Let people know

• Tell your audience

– Post messages to followers apologising for any offence caused

  • Pay to promote these messages if the hack was serious

– Put a message on your website and any other content such as blogs and social media profiles

• Tell your employees

– Reassure them and tell them what to do and say if they are asked about the crisis by friends or peers

• Tell the media

– Especially if the breach is potentially damaging you will want to make sure the media have your version of events

Page 20: Social media security

Step 5. Review your security

• Review security to reduce the risk of anything similar happening again

– Ensure that you have followed the advice in the first part of this presentation

• Review any applications that have access to your accounts; remove any you don’t recognize

• Run a virus scan on devices that have accessed your accounts including mobile devices

• If available, set up “2-factor authentication” (unless you have Single Sign On software)

• Make sure employees are properly educated

