I would like to start off by saying that nobody’s Twitter account gets “hacked”. Well, almost nobody. In the vast majority of cases where an account is “hijacked”, it’s because the password was either guessed or obtained through a phishing-type attack.
But the end result is still awful: Your carefully managed corporate LinkedIn account is now posting all kinds of horrific things that you’ll have to go apologize for later. It hardly seems fair. After all, you’ve spent so much time and energy building defenses around all the IT assets in your organization, only to have this hijacked account on a website outside of your control get all the publicity. <heavy sigh>
But fortunately some security awareness training will go a long way towards reducing the likelihood of something like this. After all, sites like Facebook and Twitter go to great lengths to secure their own platforms, so if you use the controls they provide along with some good security practices, you can reduce a lot of the risk.
A quick caveat here: social media security is a monster topic, and all we’re going to talk about today is keeping your organization’s account under your control. There’s lots more to discuss for sure, but those topics are for other posts. Back to the business at hand.
In most organizations the marketing or corporate communications groups handle the social media accounts, so they’ll be our intended audience. Depending on the platform, several people may have access to the account, either directly with the log-in credentials or through access delegated to their own personal account. Which reminds me: you do have social media accounts listed on your out-processing paperwork for when these employees leave the organization, right? Just checking.
- Change the password regularly.
- Don’t use the same password on multiple sites.
- Keep the password in a password safe.
- Password reset options should be secured just like your password.
- Know what a phishing attack is, and be careful clicking on links in email.
Change the password regularly.
This is good advice for pretty much everything, but especially here. Changing the password on a regular basis ensures that only active participants can use the account: whoever read the sticky note Bill left under his keyboard, or a former employee who still remembers the old password, is locked out at the next change. The one catch is that rotation only helps if each new password is as strong as the last one and nobody is expected to memorize it, which leads to my next two points…
Use different passwords on different sites
It’s one of those ironic things about a password: in most cases it’s the only way a website really knows it’s you, so they tell you to keep it secret. Then the website goes and does silly things like store the password in cleartext (or hash it poorly), making it possible for attackers to recover your password when the site is breached. I can promise you, if your user account for a given site is an email address, they are going to try logging into your email account with that same password. Next they’ll try Facebook, Twitter, LinkedIn, etc. Don’t make it that easy for them. There are lots of good password manager tools out there, and they all have the ability to generate really good, unique passwords for you to use.
Keep the password in a password safe
OK, so you’ve already made it a habit to regularly change your passwords, and you are making some really good passwords (like Kz8fWKh8Mrsq&@H – great password! Although now that it has been printed here, don’t use that one). Of course now you find yourself stuck having to keep these super complex and ever-changing bits of nonsense in a Word file on your desktop. That’s no good either. Time to use a password manager. The password manager provides a secure place to store all of these credentials, provides the appropriate access controls to limit access to only those who need it, and logs when they retrieve it. Your organization may already have this capability around for IT systems, so why not leverage it here?
Password reset options should be secured just like your password.
What do you do when you forget your password? It’s the exact same thing an attacker would do: see if the password reset feature will help. Some sites offer a few different options, from security questions to receiving a link or code via email. Twitter, for example, lets you choose either an email or a text message option once you enter your username.
This is a great option, since it makes the process that much more difficult for the attacker: they would have to be in control of either your phone or your email account. That only holds if the email address and phone number on file are themselves under the organization’s control rather than an employee’s personal ones, because whoever controls the recovery channel controls the account. It’s probably worth checking now what those settings are for your organization’s account.
In fact, just documenting which sites your organization uses and who has access to each of them is a good idea.
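Once that inventory exists, the rotation rule from earlier and the out-processing check can be run against it. The script below is an added example, not something from the original post: it takes a constructed inventory of shared accounts (the platforms, holders and dates are made up for the example) together with a list of departed users, and reports every account whose password must be changed now, either because it is older than the rotation window or because someone who knew it has left. It also flags the case practitioners tend to miss, an account whose only holder has departed, which nobody is left to rotate.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class SharedAccount:
    platform: str
    handle: str
    holders: list        # people who know the password or hold delegated access
    last_rotated: date


# Constructed sample inventory for the example; these are not real accounts.
INVENTORY = [
    SharedAccount("Twitter", "@acme", ["alice", "bill"], date(2014, 1, 5)),
    SharedAccount("LinkedIn", "acme-corp", ["alice", "carol"], date(2014, 3, 1)),
    SharedAccount("Facebook", "AcmeCorp", ["dave"], date(2013, 9, 15)),
]
# Constructed list of people who have left the organization (from out-processing).
DEPARTED = {"bill", "dave"}
# Fixed "today" so the example is reproducible.
TODAY = date(2014, 3, 20)


def audit(inventory, departed, today, max_age_days=30):
    """Return {platform:handle -> [reasons]} for every account needing action now."""
    findings = {}
    for acct in inventory:
        reasons = []
        age = (today - acct.last_rotated).days
        if age > max_age_days:
            reasons.append(f"password is {age} days old (limit {max_age_days})")
        gone = sorted(set(acct.holders) & departed)
        if gone:
            reasons.append("held by departed user(s): " + ", ".join(gone))
        if not (set(acct.holders) - departed):
            reasons.append("no active holder left to rotate it")
        if reasons:
            findings[f"{acct.platform}:{acct.handle}"] = reasons
    return findings


def run_audit():
    """Run the audit over the constructed sample data."""
    return audit(INVENTORY, DEPARTED, TODAY)


if __name__ == "__main__":
    for account, reasons in run_audit().items():
        print(account)
        for reason in reasons:
            print("  -", reason)
```

In practice the inventory and the departed-user list would come from the password manager and the HR out-processing feed respectively; the point is that the check runs against both, not against memory.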
Know what a phishing attack is, and be careful clicking links in email.
Phishing is such a pain point for security teams these days, because these attacks are hard to identify ahead of time, and they are just so successful. It’s important that you provide some kind of awareness training for individuals who have privileged access to sensitive systems, and given the high profile of social media mishaps, we’re going to include those folks in this group too.
It’s important to know what a phishing attack is and how it works. Phishing comes in lots of flavors, but essentially it is sending a message designed to prompt an action from a target. Sometimes the attacker hopes you’ll visit their malicious website so that they can take over your computer; sometimes they are hoping you’ll hand over the credentials to a specific system.
A good rule of thumb is to never click on links in emails like that. If you get a message that Paypal needs your attention on some activity with your account, open a browser and go to paypal directly, don’t click on the link. And if the “help desk” needs to verify your credentials, report the email right away. You do have a mechanism for reporting this type of activity, right? That everyone in the company knows how to use, right? Good.
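The “open a browser and go there directly” rule exists because the link in the mail is the attacker’s, not PayPal’s. As an added example that is not part of the original post, here is the kind of check a mail filter or a curious reader can run on a message body: it pulls every link out of the HTML, then flags the classic tells. The visible text says one host but the link goes to another; the link is plain http, a raw IP address, or a punycode (`xn--`) hostname; or the hostname contains a brand name without being one of that brand’s real hosts. The sample message and its hostnames are constructed for the example (`.example` is a reserved domain), and the `BRANDS` table is an assumption to be filled in per organization.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands we expect mail from and the only hostnames allowed to carry their name.
# Assumption for the example; an organization would maintain its own list.
BRANDS = {"paypal": {"paypal.com", "www.paypal.com"}}

# Constructed sample mail body for the example. None of these hosts are real.
SAMPLE_MAIL = """
<p>We noticed unusual activity on your account.</p>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a>
<a href="https://www.paypal.com/">Go to PayPal</a>
<a href="https://xn--pypal-4ve.com/">Verify now</a>
"""

URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href: str, text: str) -> list:
    """Return the red flags for one anchor; an empty list means nothing suspicious."""
    flags = []
    host = host_of(href)
    if urlparse(href).scheme != "https":
        flags.append("not https")
    if is_ip(host):
        flags.append("raw IP address as host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host (possible homoglyph)")
    # Visible text that looks like a URL must point where it says it does.
    if URL_LIKE.fullmatch(text):
        shown = host_of(text if "://" in text else "http://" + text)
        if shown and shown != host:
            flags.append(f"text says {shown} but link goes to {host}")
    for brand, allowed in BRANDS.items():
        if brand in host and host not in allowed:
            flags.append(f"'{brand}' in hostname {host}, which is not a known {brand} host")
    return flags


def analyze(html_body: str) -> dict:
    """Map every href in the body to its list of red flags."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return {href: check_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, flags in analyze(SAMPLE_MAIL).items():
        print(href, "->", flags or "ok")
```

Note the first sample link: the text reads https://www.paypal.com/ while the link actually goes to a host that merely starts with “paypal.com.” That is exactly the case the eye misses and the reason to type the address yourself.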
As a quick side note, no one from Enterprise Integration will ever ask for your username and password. Ever. If that happens, it’s not someone from EI. Do us a favor and report that activity immediately.
Thanks for reading. Stay safe!