The advent of social media is transforming the way people connect with each other. It plays a vital role in an enterprise’s marketing strategy as it helps in building brand awareness, provides real-time customer support and helps launch new products. Even governments around the world are using social media extensively to communicate with citizens. Hence a well thought-out framework and guidelines need to be in place, which government agencies can adhere to. Today, social media security has become a necessity.
Consequences of social media security breaches
Cyber attackers use different methods such as social engineering, dictionary attacks and phishing to steal social media account credentials. These attackers target corporate as well as government accounts. Such account takeovers can lead to the unauthorized publishing of malicious content, confidential information and personal data. Social media attacks can lead to reputational damage, loss of customer trust, compliance violations, identity theft, and significant financial implications.
For example, in 2017, IndiGo Airlines’ twitter handle was compromised and some incoherent tweets were sent out by hackers. It is one of the largest domestic airlines in the country with 40% market share of domestic skies. The company took it to Facebook stating that their twitter handle had been hacked and asked users not to send their queries on twitter but instead reach out either to their customer care or Facebook for any clarifications. Another instance of data breach was when Aadhaar, the government ID database, was compromised. According to the World Economic Forum’s Global Risks report, it was the largest data breach that happened in India in 2018, where Aadhaar suffered multiple breaches that potentially compromised the records of billions of people in the country. In United States, a group of hackers compromised the twitter handle and YouTube accounts of the US military’s Central Command and posted a series of threatening messages, propaganda videos and military documents.
These examples show how important social media security is. Without effective social media security, external cyber hackers can use social media accounts to spread chaos. But, significant damage can also occur from inside of an organisation – people who have, or once had, authorized access to various social media accounts. This happened to a UK-based music and film retailer. After a large layoff, an ex-employee (and former corporate social media manager) commandeered the company’s Twitter account and posted a defamatory tweet before her social media credentials were revoked.
Shared privileged accounts for social media platforms
Nowadays organisations have multiple corporate social media accounts on Twitter, Facebook, Instagram, etc., each with their own unique accounts for different product lines, languages, countries and stakeholders. Therefore, it is not possible for a single person to handle all these accounts, so multiple people manage and access these accounts on a regular basis. The passwords of these accounts are generally shared across different teams and even third party contractors to simplify workflows across users, office locations as well as time zones. These social media accounts are typically set up as shared privileged accounts. The passwords of these accounts are rarely changed, making it vulnerable for external attackers and malicious insiders.
Since social media credentials are normally considered as “low risk” because they don’t enable access to sensitive financial or customer data, and hence security is typically lax, with no record or accountability for who is responsible for each post . Many organisations have no idea who has access to their social media platforms and passwords at any given time.
Ways to mitigate the risks of social media cyber attacks with privileged access security
Social media accounts need to be secured properly from security threats and cyber attacks. These accounts should be viewed as privileged accounts and best practices for privileged access security must be implemented to mitigate the risk of compromise. These include:
- Secure credentials. Social media accounts can be protected by storing passwords in a secure and centralized digital vault. This reduces the ability of malicious insider or attackers to take control over the social media accounts.
- Enable transparent access. Social media platforms should be connected directly to allow authorized users, enabling them to authenticate to accounts without knowing the actual passwords. This makes it difficult for attackers to steal privileged credentials while balancing security and operational requirements.
- Eliminate shared credentials. Storing passwords in a digital vault eliminates the accountability challenges of shared credentials as it requires users to login individually for access. Furthermore, creating policy around which users can access which social media accounts mitigates the risk of credential-based cyber attacks.
- Enforce password changes. Changing passwords on a regular basis helps in reducing the chance of an outsider stealing and using a valid credential to wreak havoc.
- Trace account activity. Tracing all posts directly back to the individual authorized user is vital as it helps spot weak areas of security. It also helps in identifying the employee posting damaging content. Additionally, recording social media account sessions provides further proof for an audit trail of exactly who did what within each individual account.
- Assign risk scoring to sessions. Companies can pre-define high-risk activities such as unusual activities on any of the social media platforms which will enable automated alerting of security operations teams so that they can quickly assess the situation and take necessary action. This also helps prioritize the audit and review of social media sessions based on risk.
The threat to social media accounts are increasing at a rapid pace. It is the best time for companies to protect your social media accounts from takeovers. Privileged access security can play a critical role in protecting access to social media networks, preventing embarrassing incidents and stopping cyber-attacks before irreversible damage can be done to your business.
(Rohan heads CyberArk India as Regional Director of Sales. His responsibilities include managing sales operations and profitability of the business in the sub-continent. The opinions expressed in this article are his own)