How to Stop Social Media Hacks
As social media accounts grow in size, they are more likely to become susceptible to a hacking attack, and as many organisations lack the requisite expertise and technical countermeasures to ward off an attack, they can be an easy target.
This whitepaper will guide you on:
- Enforcing strong authentication controls for social media accounts and applications
- Monitoring branded social media accounts for changes, unauthorised apps, admins, and content
- Enforcing policy, including automated account lock-down procedures.
Below is an excerpt of "How to Stop Social Media Hacks".
“Social media hack”: these words have become synonymous with embarrassing front-page news stories featuring major companies and figures who have fallen victim to misuse of their designated community channels. Hackers have splayed open the social networks of the Associated Press, Burger King, Jeep, and even President Obama, exposing major brands to an all-too-public scam. And, within a matter of hours after ringing in the New Year, both Microsoft/Skype and Snapchat suffered hacking attacks, demonstrating the heightened vulnerability that comes with the holiday season. As social media has risen in popularity, hackers have realized that it’s a ripe target.
Despite the frontline news coverage of the many hacks this year, not much has been done to actually address the problem. Hackers have thus continued to target big brands at an alarming rate despite the growing awareness of the threat, as most organizations lack the requisite countermeasures to ward off an attack or the know-how to mitigate risk and respond to incidents. Very few companies, for example, know how to regain control after their account has been compromised and, perhaps even more importantly, how to effectively prevent an attack in the first place. Of the few that have taken some kind of measurable action to prevent a hack, most rely solely on the controls available within the social media platforms themselves, such as two-factor authentication (where available), Secure Sockets Layer (SSL) encryption, and manual content filtering by their marketing or service teams or by a third-party provider for secure web transactions. Additionally, poor password management practices – such as using Excel to store credentials and sharing passwords – are commonplace for most social media managers, and put their brands at risk.
But even when brands use the built-in security mechanisms of social platforms, each has its own particular set of problems and does little to mitigate the risk of a hack. For example, two-factor authentication is not universally available and does not operate on a per-user basis, meaning that accounts with multiple administrators – a common method of configuring corporate accounts – remain vulnerable. Likewise, SSL encryption doesn’t actually address the problem, as SSL is designed to enable secure communications in a web session rather than prevent an unauthorized user from accessing an account. And manual content filtering is simply unsustainable – not only is it inefficient and fundamentally prone to human error, but it is also tremendously resource intensive.
Although these kinds of internal controls do little to get to the heart of the hacking epidemic, organizations continue to embrace social media as a tool essential to their marketing and communications strategies and channel significant resources into building up their social infrastructure in spite of the risks. Indeed, within the past year alone, U.S. brands spent an estimated $4.1 billion on social advertising. That influx of money left unguarded by proper security has contributed to something akin to a hacker’s dream, in which a simple password is all that’s typically needed to turn a social infrastructure investment – a branded account, its followers, and fans – into a money-making opportunity for the bad guys.
Hacker Techniques, Detection, and Prevention Methods
Facebook, YouTube, Twitter, and the other social networks have tools in place to detect and defend against direct hacking attempts. The most common methods hackers use to gain access to your accounts are therefore indirect: poorly maintained passwords, authorized users, and compromised applications.
Poor Password Management
Let’s face it – today’s password management for social media is like stepping back in time to email in the 1990s. Departments share passwords, dole out administrative access like candy to employees and partners who may not need it, and keep credentials stored openly on Post-Its.
If your organization is “advanced” you might even have an Excel file with a list of everyone who has access, including his or her username and password. And, quite often, you will email or IM those passwords to employees as they lose or forget them, or store the entire Excel file with everyone’s credentials on a shared drive.
Employees come and go, and often they will continue to have access to your accounts, especially if their initial access was established through their personal social media account (e.g., Facebook). And your PR and marketing firms will all share access with their employees, many of whom you will likely never know or meet.
Bottom line: we can all acknowledge the lack of security and efficiency in the social media security domain. It has become a waiting game before someone loses the password or the list, has a laptop or desktop infected and the Excel password file stolen, accidentally publishes content to the corporate account instead of their personal one, or faces the wrath of a current or former disgruntled employee.
Your team must stop falling for the overly convenient storyline that a Social Media Marketing System and publishing tool will solve this password access problem. We have spelled out the weaknesses, but organizations need to get smart on the tools they use to interact so that no one marketing tool completely manages access. Every organization has reasons to leverage native functionality of the social platform like pinning posts or conducting media buys. But organizations need more than a publishing tool and standard operating procedures to ensure that only users who need to publish have access to that tool. They need to manage access to that tool.
So, if everyone knows this is a problem, how are we not better at addressing the access issue? The answer is simple: most marketers, security, and compliance personnel think there isn’t a solution when, in fact, there is.
To start, organizations should stop giving out direct access to their social media accounts and social marketing applications to their employees and partners. Instead, there’s technology available for Single Sign-On (SSO) that can integrate with your internal corporate directory services (e.g., LDAP) to automatically identify users and groups, and provision access based on policy (e.g., my social media team can access our social media publishing tool). Rather than giving employees a myriad of passwords to access each of your social accounts and apps, social media security technology instead has its own, unique set of credentials to your accounts. Your employees and partners then log in using single sign-on to their social channels and marketing apps through your single security application, granting access to the apps they are authorized to use.
This process is entirely transparent to the user, and any change to the user’s access to a channel or app can be centrally governed without any over-reliance on them. Again, your employees and partners simply log in to one system, where two-factor authentication can even be deployed in conjunction with SSO to your social media security solution, and then have access to the social apps and tools you’ve authorized them for. They don’t need to remember any other usernames or passwords; in fact, their credentials can be the same as they use for your corporate network / email. What’s more, when an employee joins or leaves your organization, just as they are added to or removed from your corporate directory services (for company email, IM, file sharing, etc.), their access is added to / removed from your social channels and marketing apps.
Following the steps above will dramatically reduce your risk of a security threat, hack, and employee misuse of your accounts. To summarize, here are the steps to take to address poor password management:
- Set up a social media security solution that includes user authentication and access management for social media platforms and applications.
- Work with your IT department to identify groups of users that should have access within your directory services infrastructure.
- Map which employees and partners should have access to which applications, and from within your social media security tool, create and apply those profiles and mappings (e.g., social response team can access listening and publishing tools).
- Don’t give out direct access to your social media accounts and applications. If you have in the past, rescind access and notify your employees and partners.
- Make sure your employees know not to share their credentials and why. Education is a cornerstone of a good standard of care.
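The directory-driven model described above comes down to two operations: a policy that maps directory groups to the social tools each group may use, and a reconciliation that compares the directory with the grants currently in force so that joiners gain access, movers have it adjusted, and leavers lose it, without anyone ever holding the brand account’s own credentials. The following is an added illustration written for this excerpt, not code from Nexgate or any product named here; the group names, application names, and the in-memory directory snapshot are constructed for the example.

```python
"""Directory-driven access to social applications.

POLICY maps directory groups to the social tools their members may use.
reconcile() compares a directory snapshot with the grants currently in
force and returns what an access broker must add or revoke so that
joiners, movers and leavers are handled automatically.
"""

# Constructed policy: directory group -> social applications (not brand
# credentials; users only ever reach the apps through the broker).
POLICY = {
    "social-media-team": {"publishing-tool", "listening-tool"},
    "social-response-team": {"listening-tool", "publishing-tool"},
    "ads-team": {"ad-platform"},
    "social-admins": {"publishing-tool", "listening-tool", "ad-platform", "account-config"},
}


def entitlements(groups):
    """Applications a user is entitled to given their directory groups.
    A user in no policy group is entitled to nothing."""
    apps = set()
    for group in groups:
        apps |= POLICY.get(group, set())
    return apps


def reconcile(directory, grants):
    """Compare directory (user -> groups) with grants (user -> apps).

    Returns {"grant": {user: apps}, "revoke": {user: apps}} describing the
    changes to apply. A user missing from the directory (a leaver) has
    every grant revoked; a user whose groups changed (a mover) has the
    difference granted or revoked."""
    changes = {"grant": {}, "revoke": {}}
    for user in set(directory) | set(grants):
        desired = entitlements(directory.get(user, ()))
        current = grants.get(user, set())
        to_grant = desired - current
        to_revoke = current - desired
        if to_grant:
            changes["grant"][user] = to_grant
        if to_revoke:
            changes["revoke"][user] = to_revoke
    return changes


def apply_changes(grants, changes):
    """Return the grant table after applying reconcile() output.
    Users left with no applications are dropped entirely."""
    updated = {user: set(apps) for user, apps in grants.items()}
    for user, apps in changes["grant"].items():
        updated.setdefault(user, set()).update(apps)
    for user, apps in changes["revoke"].items():
        updated[user] -= apps
        if not updated[user]:
            del updated[user]
    return updated


if __name__ == "__main__":
    # Constructed sample: a directory snapshot and the grants currently in force.
    directory = {
        "alice": {"social-media-team"},
        "bob": {"ads-team"},            # joiner: not yet granted anything
        "carol": {"social-admins"},     # mover: previously on the ads team
    }
    grants = {
        "alice": {"publishing-tool", "listening-tool"},
        "carol": {"ad-platform"},
        "dave": {"publishing-tool"},    # leaver: no longer in the directory
    }
    changes = reconcile(directory, grants)
    print("grant: ", changes["grant"])
    print("revoke:", changes["revoke"])
    print("after: ", apply_changes(grants, changes))
```

Running the reconciliation on a schedule, or on every directory change event, is what makes the “added / removed from your social channels” behaviour described above automatic rather than a manual checklist; a second pass over the updated grant table should return no changes at all.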
Using Nexgate’s Password Lockbox administrators can streamline secure access controls to your brand’s social media accounts across Facebook, Twitter, LinkedIn, Google+, YouTube, and more. Password Lockbox centrally manages secure access to all of your brand’s social media accounts. Simply provision and de-provision access for your users on the fly, and seamlessly monitor and manage who can access what social accounts.
Password Lockbox dramatically reduces the attack surface area for hackers to exploit by ensuring that day-to-day users never have administrator-level passwords to your accounts and social applications (e.g., publishing tools). Employees and partners are thus protected from fraud and spear phishing attacks, and hackers are unable to obtain the credentials to directly access the brand’s social accounts.
Phishing Attacks
The most typical hacks originate via a phishing line. Phishing (typically done through email or private message) is a technique whereby a hacker sends a message that appears to be from your social network asking you to “log in” to or “authorize” your social media account. The user, who thinks s/he is logging into his or her Facebook or Twitter account, enters a real username and password into a fake login page, which captures the user’s credentials and passes them to the hacker.
Phishing attacks are also typically highly targeted, commonly known as “spear phishing” schemes. Hackers will use social media to identify who your account administrators are, and then use email and/or direct messaging to communicate with them. The best way to prevent a phishing attack is by following these four steps:
- Limit the administrators and applications with authorized access to your social media accounts. The fewer the number of users/applications that can legitimately connect to and publish from your accounts, the less surface area exists for an attacker to target. Use a password management solution such as Nexgate’s Password Lockbox to ensure your employees and partners don’t have the root credentials to your social media accounts and applications.
- Train your administrators to be on the lookout for email and direct/private messages that request their login information to social media networks and associated applications. Never click on links in email or messages as they may be malicious. Administrators should always use their web browser to navigate directly to their social media account. If that account requires a password change or re-authorization, it will prompt the user on the webpage directly.
- Ensure your administrators use very strong passwords for their social media accounts and that those credentials are always different from their other personal or corporate usernames and passwords. If there are too many passwords to remember, consider using a secure password vault such as LastPass, Nexgate or OneLogin. The other benefit of these tools is that they won’t automatically fill in information if you aren’t on the legitimate site.
- Using Nexgate’s ProfileLock technology, administrators can take account snapshots to keep apprised of any changes – legitimate or fraudulent. The snapshot takes into account changes to administrators, privileges, descriptions, photos, links, emails, etc., and it will alert admins automatically to any account updates. If the account is compromised, ProfileLock can automatically remove unauthorized content.
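The second and third steps above rest on one check: does a “log in” or “re-authorize” link actually lead to the network it claims to? This is the same comparison a password vault makes before it agrees to fill in credentials. The code below is an added example for this excerpt (not code from the paper’s author or from Nexgate) that extracts the links from a message and classifies each one against a constructed allow list of legitimate login hosts, handling the common ways a lookalike address is dressed up to resemble a real one.

```python
"""Classify the links in a message against known-good login hosts.

A link is trusted only if its hostname is exactly an allow-listed domain
or a subdomain of one (suffix match at a label boundary). Hostname
extraction uses the URL parser, so credentials embedded before an '@',
ports, and path segments that merely contain a brand name do not fool it.
"""
import re
from urllib.parse import urlsplit

# Constructed allow list; a deployment would maintain one per network the brand uses.
TRUSTED_HOSTS = {"facebook.com", "twitter.com", "linkedin.com", "youtube.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url):
    """Lowercase hostname of a URL with userinfo and port removed.
    For 'https://facebook.com@evil.example/login' this is 'evil.example'."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_trusted_host(host):
    """True if host equals an allow-listed domain or ends with '.' + domain.
    'facebook.com.evil.example' fails because the trusted name is not its suffix."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def check_message(text):
    """Return (url, host, verdict) for every link in the message.

    verdict is 'trusted' for an HTTPS link to an allow-listed host,
    'insecure' for a plain-HTTP link to an allow-listed host (the login
    form would travel in the clear), and 'untrusted' for anything else."""
    results = []
    for url in URL_RE.findall(text):
        host = host_of(url)
        scheme = urlsplit(url).scheme.lower()
        if not is_trusted_host(host):
            verdict = "untrusted"
        elif scheme != "https":
            verdict = "insecure"
        else:
            verdict = "trusted"
        results.append((url, host, verdict))
    return results


if __name__ == "__main__":
    # Constructed message of the kind the section describes.
    sample = (
        "Your page will be suspended. Re-authorize at "
        "https://facebook.com.evil.example/login or "
        "https://facebook.com@evil.example/login within 24 hours. "
        "Settings: https://www.facebook.com/settings"
    )
    for url, host, verdict in check_message(sample):
        print(f"{verdict:9} {host:28} {url}")
```

Used as a mail or chat filter for the administrators’ inboxes, anything other than `trusted` is a reason to ignore the link and navigate to the network by typing its address, exactly as the second step above instructs.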
Browser and Cookie Attacks
Some hackers may gain access to your social media accounts by hijacking your browser’s session, whether from your personal, work, or a shared computer. Facebook, Twitter, YouTube, and the other social networks are designed to remain open once credentials have been accepted, so that the user can continually track and engage with their community. However, keeping a browser session open indefinitely may provide the perfect avenue for hackers to access your social media accounts.
Your connections to all the social media networks don’t time out because they utilize an authentication cookie, which is used to tell the network how long you have been logged in. Unfortunately, these cookies are easily intercepted when you connect to open Wi-Fi networks and are not using a secure connection. If an attacker intercepts the cookie from one of the social networks, s/he can post or make changes with the same permissions as the logged-in administrator.
If an administrator of your social media account logs into your corporate Facebook page from a shared computer and forgets to log out, the next user of that computer’s browser may be able to publish to your page. Additionally, if an administrator inadvertently visits a page infected with malware and s/he has a browser open to your branded Facebook or YouTube account, the hacker may be able to inject content onto your page via the open browser session.
Browser attacks are either very targeted or not at all. A targeted browser attack is typically a combination of a phishing scheme (see above) and a generic browser attack via malware. A non-targeted attack, by contrast, usually circulates in a mass email or on a hacked website that your administrator randomly encounters. The latter – the non-targeted attack – is well defended through consistent security awareness. The targeted browser attack is typically best prevented through a combination of the above recommendations.
The best way to prevent browser and cookie-based attacks is by following these five steps:
- Ensure administrators access your social media accounts from only trusted machines and require them to log out of their social media accounts after each browser session.
- Ensure that administrators always use secure connections (i.e., HTTPS) when logging in.
- Use only authorized publishing, listening, and other social media tools to access your social media accounts. Do not log in to Facebook or the other social media networks directly unless necessary, and then only from a trusted and clean computer.
- Ensure your administrators use only trusted devices to access your social media, and that those machines are running anti-malware and anti-virus software persistently.
- Use Nexgate’s ProfileLock technology to provide you with an overview of your account, alert administrators to any changes, and automatically remove unauthorized content in the event of a hack.
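The session and cookie weaknesses this section describes apply equally to the publishing, listening, and security tools your own organization operates: a session cookie that travels over plain HTTP can be read on open Wi-Fi, one readable by page script is exposed to injected content, and a session that never expires keeps a forgotten login on a shared machine alive. The example below is added for this excerpt (it is not code from the paper or from Nexgate) and shows two checks a team can run against its own tools: an audit of `Set-Cookie` headers for the Secure, HttpOnly, SameSite and lifetime attributes, and a server-side idle and absolute session timeout. The policy limits and the sample headers are constructed.

```python
"""Session-cookie hygiene checks for an organization's own social tools.

audit_set_cookie() inspects one Set-Cookie header for the attributes that
stop interception and script access and for an unbounded lifetime.
session_expired() is the server-side rule that closes a session left open
on a shared computer, regardless of what the browser keeps.
"""

# Constructed policy limits (seconds).
MAX_SESSION_SECONDS = 12 * 3600    # absolute lifetime after login
IDLE_LIMIT_SECONDS = 30 * 60       # inactivity before a session is closed


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).
    Attribute names are lowercased; flag attributes such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_set_cookie(header, max_session=MAX_SESSION_SECONDS):
    """Return a list of findings for one Set-Cookie header (empty = passes)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure; cookie is sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly; cookie is readable by page script")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict; sent on cross-site requests")
    if "max-age" in attrs:
        try:
            max_age = int(attrs["max-age"])
        except (TypeError, ValueError):
            max_age = None
        if max_age is None or max_age > max_session:
            findings.append(f"{name}: Max-Age exceeds the {max_session}s session limit")
    return findings


def session_expired(created, last_seen, now,
                    idle_limit=IDLE_LIMIT_SECONDS, absolute_limit=MAX_SESSION_SECONDS):
    """Server-side check: a session ends after idle_limit seconds without
    activity or absolute_limit seconds since login, whichever comes first.
    All times are epoch seconds."""
    return (now - last_seen) > idle_limit or (now - created) > absolute_limit


if __name__ == "__main__":
    # Constructed headers: one weak, one meeting the policy, one too long-lived.
    samples = [
        "sid=abc123; Path=/",
        "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600",
        "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=2592000",
    ]
    for header in samples:
        print(header)
        for finding in audit_set_cookie(header) or ["  ok"]:
            print("  " + finding.lstrip())
    print("idle session expired:", session_expired(created=0, last_seen=0, now=1801))
```

Pairing the cookie audit with the server-side timeout is what closes the “forgot to log out on a shared computer” case in the text: the first stops the cookie from leaking in transit or to injected script, and the second ensures that even a cookie that was never deleted stops working within a bounded time.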
How to Secure Your Social Media Accounts
Preventing a social media hack requires that social media teams partner with IT to identify and mitigate areas of risk. While the onus of protecting a brand’s accounts ultimately falls on IT security, the two groups must work together, because marketing typically runs day-to-day social media management. There are many safeguards to people, process, and technology that brands can enact to protect themselves and their followers. As a start, here are three steps you and your organization can take:
1. Know Your Basics
To start, you need a full understanding of your social account footprint. Knowing what accounts you have is a prerequisite to implementing security and controls to protect them. First, identify your primary and secondary accounts as well as the key stakeholders responsible for managing each of them, including the primary account holder and your crisis communication team. In doing so, you’ll create a working committee of key players, foster a culture of awareness and open interaction across departments, and put the necessary pieces in place to protect your brand from hackers.
When you begin searching for your accounts, take stock of both company-owned and employee-owned accounts, as both may serve as outlets for corporate communications, knowingly or not. Employees often create accounts for themselves or on behalf of the organization (e.g., affiliated with a particular region or product, etc.) unbeknownst to the brand manager or corporate communications team. These accounts may sit orphaned or be active, but are often widespread across the social web. Although your organization may have its list of “official” accounts, a hacker targeting an unknown or unofficial page can still do a lot of damage.
Make sure to search all the major social networks for accounts affiliated with your brand. We recommend that your team use technology to automate the search process and provide recurring scans, as new accounts may be created at any time and by anyone. Once you have an inventory of your accounts, take stock of who has access to both your accounts and applications. Make sure that access is authorized, and work with your IT team to integrate a social media security tool to govern who can access which social platforms and apps, and automate seamless provisioning and de-provisioning.
2. Prevent and Detect
Seemingly minor procedures you’ve heard countless times before, such as reducing the number of direct administrators for each account, strengthening passwords and using password management solutions, can make a huge difference in minimizing risk. So, be smart when it comes to account access. Simple passwords create a vulnerability, and with your brand’s reputation potentially at stake, isn’t it worth the effort to amp up your basic security measures? Take the time to create a strong, complex password and refresh that password regularly to make accessing your account a challenge for hackers. And, perhaps most importantly, make sure your users do not self-manage passwords or have direct access to your social accounts and apps. Instead, manage access via your social media security tool just as you govern access to the rest of the applications your organization uses (e.g., email, IM, corporate network access, etc.).
Knowing who is logging into your accounts is as important as the password they are using to do so. The more people with access to your account, the more likely it is an unauthorized party will gain access. The more employees have direct access, the more hackers have viable target points, so be selective. Limit the number of personnel with the power to perform certain key activities that could potentially open your company up to risk such as installing apps and authorizing a mobile device.
Most organizations can limit the number of users that need access to their brand’s social media accounts with planning and technology. Using SSO technology such as Nexgate’s Password Lockbox, for example, an enterprise can create access roles for a limited set of users. These roles typically include those responsible for managing and protecting the infrastructure, including installed apps and account configurations, media and ad purchasing leads, and social engagement managers. Adding more profiles and roles should be carefully evaluated, as each may introduce risk. Further, even where direct account access is needed, SSO technology can remove the need for the user to personally have, know, and use credentials to directly access the accounts and apps.
When you limit the functional operations made directly through the social media platforms (e.g., Facebook, Twitter, etc.), you can significantly reduce your risk profile. Use a publishing application, for example, to distribute content and engage with followers, rather than directly logging in to the social network and using its UI. By doing this, you’ll be able to consolidate direct access to your social media networks, as well as implement workflow and additional controls to review content before it’s published and impose limits on account access and authorization. User access to your publishing app can itself be limited using SSO technology, so that the authorized application is no longer a source of risk.
Third party applications, or apps, typically go hand-in-hand with social media use, yet they can also introduce risk. While great tools for promotional, publishing, and listening capabilities, they can also be a hack source. Social media apps connect to your accounts via the authorization of an access token. These tokens often provide read and write access to comments and posts – access that is provided indefinitely unless revoked. If an application’s access token database is unencrypted, hacked, stolen, or lost, an attacker can simply pass the access token over the platform’s API, which will respond with the account information corresponding to the user the token belongs to and provide access to the account.
One recent well-known example of this occurred in October 2013 when the Syrian Electronic Army (SEA) breached President Obama’s Facebook and Twitter accounts by way of a third-party URL shortening application. In just one step, the SEA manipulated the URL shortening tool from a useful device for paring down characters in posts and identified a chink in the Obama administration’s armor. This is why inventorying and managing security for third-party apps, especially for those authorized on your brand’s behalf, is critical to avoiding a hack such as that experienced by President Obama.
To mitigate this risk, reduce the number of apps installed on your account and the number of users with access to those apps. For example, the enterprise should ideally only use three to six connected apps at one time. These could include a publishing app; a customer support / CRM or community management app; a photo / video sharing app (if applicable); an ad or content placement platform; a designated mobile content publishing app (if different from your primary publishing app); and your security app.
Use social media security technology to automatically limit the apps authorized to publish on your behalf and to ward off the risk of an admin mistakenly installing another application and inadvertently subjecting you to a hack. You can also use this technology to lock and monitor your accounts for anomalies that may be indicative of a hack. Automation is especially helpful for secondary accounts where day-to-day governance may not be as tight as that on your primary accounts. While manual monitoring of accounts for warning signs is certainly important, implementing technology will help improve accuracy and expedite the process, saving you time and resources in both the short and long run.
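The access-token discussion above and the three-to-six-apps guideline translate into a recurring review of everything authorized on each brand account: is the app on the approved list, does it hold more than the read or write scope it needs, and has its token sat unused long enough to be a liability rather than a tool? The example below is added for this excerpt, not code from the paper or from Nexgate; the approved catalog, scope names, app names (including the unapproved “url-shortener” entry, which echoes the URL-shortening case in the text) and the idle-day counts are all constructed. It also includes a `lockdown()` helper for the response step described later in the paper, which lists every app with write access so it can be revoked immediately after a compromise.

```python
"""Review third-party app authorizations on a brand account.

review_authorizations() compares what is connected with an approved
catalog and returns findings plus the apps whose tokens should be
revoked. lockdown() is the incident-response variant: every app that
can write to the account, except the security tooling, is listed for
immediate revocation.
"""

# Constructed approved catalog: app -> the scopes it legitimately needs.
APPROVED = {
    "publisher": {"read", "publish"},
    "listening": {"read"},
    "ads": {"read", "ads"},
    "security": {"read", "manage"},
}
STALE_DAYS = 90      # constructed: token unused this long is flagged
MAX_APPS = 6         # upper end of the paper's three-to-six guideline


def review_authorizations(authorized, approved=APPROVED,
                          stale_days=STALE_DAYS, max_apps=MAX_APPS):
    """authorized: list of dicts with keys app, scopes (set of scope names),
    idle_days (days since the token was last used), authorized_by.

    Returns (findings, revoke) where revoke is a sorted list of app ids."""
    findings, revoke = [], set()
    for entry in authorized:
        app, scopes = entry["app"], set(entry["scopes"])
        if app not in approved:
            findings.append(f"{app}: not in approved catalog "
                            f"(authorized by {entry['authorized_by']})")
            revoke.add(app)
            continue
        extra = scopes - approved[app]
        if extra:
            # Revoke and re-authorize with only the scopes the catalog allows.
            findings.append(f"{app}: holds scopes it does not need: {sorted(extra)}")
            revoke.add(app)
        if entry["idle_days"] > stale_days:
            findings.append(f"{app}: unused for {entry['idle_days']} days; token still valid")
            revoke.add(app)
    if len(authorized) > max_apps:
        findings.append(f"{len(authorized)} apps connected; more than the {max_apps} recommended")
    return findings, sorted(revoke)


def lockdown(authorized, keep=("security",)):
    """Apps whose access to revoke immediately after a compromise: anything
    with a scope beyond read, except the apps named in keep."""
    return sorted(entry["app"] for entry in authorized
                  if entry["app"] not in keep and set(entry["scopes"]) - {"read"})


if __name__ == "__main__":
    # Constructed snapshot of what is connected to one brand account.
    authorized = [
        {"app": "publisher", "scopes": {"read", "publish"}, "idle_days": 2, "authorized_by": "alice"},
        {"app": "listening", "scopes": {"read", "publish"}, "idle_days": 5, "authorized_by": "bob"},
        {"app": "url-shortener", "scopes": {"read", "publish"}, "idle_days": 400, "authorized_by": "carol"},
        {"app": "security", "scopes": {"read", "manage"}, "idle_days": 0, "authorized_by": "it-security"},
        {"app": "ads", "scopes": {"read", "ads"}, "idle_days": 120, "authorized_by": "dan"},
    ]
    findings, revoke = review_authorizations(authorized)
    for line in findings:
        print("finding:", line)
    print("revoke after review:", revoke)
    print("lockdown list:", lockdown(authorized))
```

The review is intentionally conservative: an app that is approved but over-scoped is still revoked, because a token that can write when it only needs to read is exactly the kind of standing access the paper warns persists indefinitely unless someone removes it.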
3. If a Hack Does Occur, Respond Immediately
In the aftermath of such an event, you must take swift, immediate action to expunge the unwanted content. The best way to do this is through automated technology, which will act instantaneously after a hack has taken place to address the problem and put your social accounts back on the right track.
If your account is compromised, immediately lock down all publishing apps and technology. The last thing you want after a hack is for your publishing platforms to continue churning out bad content – or content that isn’t timely – while you are a step behind. So, be sure to address any mechanism capable of proliferating the hacked content to avoid such a situation.
After you have completed these steps, contact the respective social platforms and regain total control.
- Facebook report a hacked account: https://www.facebook.com/hacked
- Twitter support request: https://support.twitter.com/forms/signin
- Google+ account recovery: https://www.google.com/accounts/recovery/
- YouTube hacked account: https://support.google.com/youtube/answer/76187?hl=en
- Instagram hacked accounts: http://help.instagram.com/368191326593075/
- Pinterest account security: https://en.help.pinterest.com/forums/21100817-Account-Security
- LinkedIn no access to primary email address: http://help.linkedin.com/app/answers/detail/a_id/1501
Don’t forget to create and implement a clear communication plan across all accounts for the smoothest recovery possible following a hack. This plan should not only be directed towards your employees, but also the media, who will undoubtedly cover your misfortune. It’s important that your company runs as cohesively as possible following such a traumatic event, and putting a comprehensive plan in place is critical to creating a unified response and ensuring that each member of your team knows his or her role in helping you get back on track.
While there may be no such thing as an impenetrable social media account, the above steps can help your organization strengthen your company’s social fortress, remove vulnerabilities to hackers, and respond to an attack efficiently and effectively.