Why securing social media matters
There have been numerous high-profile breaches of Twitter accounts recently. The most significant was the fake tweet from the Associated Press Twitter account about a bomb at the White House, which caused a brief dip in US stock market prices. Other noteworthy victims were CBS, NPR, both Sepp Blatter's account and the official FIFA account, and The Guardian.
All of these were carried out by a group calling itself the Syrian Electronic Army. We'll blog more about them in the future; for now I want to focus on social media. These were all very high-profile compromises of accounts with large numbers of followers. Whilst the victims have not suffered much long-term damage, they will certainly have taken a hit to their reputation. It is vital that any organisation using Twitter (or other social media) for official purposes understands how its accounts are used, and that those with access are aware of the risks.
The Twitter accounts were compromised by phishing attacks: emails purporting to be from Twitter asked users to follow a link and enter their password, on a page that was controlled by the attackers rather than by Twitter. The simplest defence is to check where a link actually leads before entering credentials; the host the browser will connect to should be twitter.com itself, not a lookalike or a domain that merely contains the word "twitter". Organisations need to make sure staff have awareness training on phishing, and that there is an internal process for reporting and alerting when phishing emails are received. Without this, attackers are free to target your staff repeatedly until eventually someone clicks. Encouraging reporting of incidents lets you spot such repeated attacks and take action as appropriate, such as warning the rest of the staff or blocking the sender.
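The link check described above, written out as a small triage script. This is an added example, not code from the original post or from Twitter: it pulls every link out of an HTML email body and flags those whose real destination host (the part the browser connects to, after stripping any user@ prefix) is not twitter.com, t.co or a subdomain of them. The list of legitimate domains and the sample email are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains a genuine Twitter email is expected to link to. This is an assumption
# made for the example; adjust it for whichever service you are checking.
LEGITIMATE_DOMAINS = ("twitter.com", "t.co")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] while inside an <a ...> element

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            text = " ".join(self._current[1].split())  # collapse whitespace
            self.links.append((self._current[0], text))
            self._current = None


def is_legitimate_host(host):
    """True if host is one of LEGITIMATE_DOMAINS or a subdomain of one.
    Note that 'twitter.com.example' is NOT a subdomain of twitter.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def suspicious_links(html_body):
    """Return (href, text, reason) for each link that does not lead where a
    genuine Twitter email should. The decision is made on the host the browser
    would actually connect to, never on the link's visible text."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = parts.hostname or ""  # lowercased; user@ and :port removed
        if parts.scheme not in ("http", "https") or not host:
            findings.append((href, text, "not a well-formed web link"))
        elif not is_legitimate_host(host):
            mimics = any(d in text.lower() for d in LEGITIMATE_DOMAINS)
            if mimics:
                reason = "visible text mimics Twitter but link goes to %s" % host
            else:
                reason = "link goes to %s, not a Twitter domain" % host
            findings.append((href, text, reason))
        elif parts.scheme != "https":
            findings.append((href, text, "Twitter link over plain http"))
    return findings


# Constructed sample of a phishing email body for the example (not a real message).
SAMPLE_EMAIL = """
<p>Your account has been flagged. Please verify it within 24 hours.</p>
<a href="http://twitter.com.account-verify.example/login">https://twitter.com/login</a><br>
<a href="https://twitter.com@login-check.example/">Verify now</a><br>
<a href="https://help.twitter.com/safety">Twitter Help Center</a><br>
<a href="https://tvvitter.com/reset">reset your password</a>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print("FLAG %-26s -> %s  (%s)" % (text, href, reason))
```

Three of the four sample links are flagged: the "twitter.com." prefix on a different domain, the user@host trick where the real host follows the @, and the "tvvitter" lookalike. The genuine help.twitter.com link passes. The same logic is what a reporting process should ask staff to do by hand: hover, read the host, and compare it against the real domain.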
Social media accounts must have strong, unique passwords. Stringing several unrelated words together is effective (e.g. WorktopFridgeOverHobMicrowave), as is using a password generating tool. The words should be picked at random rather than forming a phrase you would naturally write, and the password must not be reused on any other service, otherwise a password phished or leaked elsewhere opens the Twitter account too. Access to social media accounts should be reviewed regularly, and the password changed periodically and whenever someone who had access leaves.
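A passphrase generator in the style suggested above, with the arithmetic that shows why the words must be drawn at random from a large list. This is an added example, not code from the original post or from any password tool it refers to; the 32-word list is constructed for the example, the 7776-entry list size is that of the common Diceware lists, and the 60-bit threshold is an assumed rule of thumb rather than a published standard.

```python
import math
import secrets
import string

# Constructed wordlist for the example. A real generator should load a large,
# published list; the point below is that the list size sets the strength.
SMALL_WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "ivory", "jasper", "kelp", "lantern", "meadow", "nickel", "orchid", "pebble",
    "quartz", "ridge", "saffron", "timber", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "amber", "bramble", "cinder", "delta", "falcon", "granite",
]
DICEWARE_SIZE = 7776        # size of the standard Diceware wordlists (6**5)
MINIMUM_BITS = 60           # assumed rule-of-thumb floor for this example


def entropy_bits(n_choices, pool_size):
    """Entropy of n_choices independent, uniform picks from a pool of pool_size.
    Only valid when the picks really are uniform and independent, which is why
    the generation below uses the OS CSPRNG rather than a human's imagination."""
    return n_choices * math.log2(pool_size)


def choose_words(n_words, wordlist):
    """Pick n_words uniformly at random (with replacement) using secrets."""
    return [secrets.choice(wordlist) for _ in range(n_words)]


def generate_passphrase(n_words, wordlist=SMALL_WORDLIST):
    """Word-based passphrase in the WorktopFridgeOverHobMicrowave style."""
    return "".join(word.capitalize() for word in choose_words(n_words, wordlist))


def generate_random_password(length, alphabet=string.ascii_letters + string.digits):
    """Character-based password, the kind a password generating tool produces."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def strong_enough(n_choices, pool_size, minimum=MINIMUM_BITS):
    """True if a uniformly generated credential of this shape meets the floor."""
    return entropy_bits(n_choices, pool_size) >= minimum


if __name__ == "__main__":
    for label, n, pool in [
        ("4 words from the 32-word list", 4, len(SMALL_WORDLIST)),
        ("5 words from a Diceware list", 5, DICEWARE_SIZE),
        ("20 random letters and digits", 20, len(string.ascii_letters + string.digits)),
    ]:
        bits = entropy_bits(n, pool)
        verdict = "ok" if strong_enough(n, pool) else "too weak"
        print("%-32s %6.1f bits  %s" % (label, bits, verdict))
    print("example passphrase:", generate_passphrase(4))
    print("example password:  ", generate_random_password(20))
```

Four words from a 32-word kitchen vocabulary is only 20 bits, which is why a phrase built from the objects in front of you is weaker than it looks; five words from a 7776-word list is about 64.6 bits, and a 20-character generated password about 119 bits. The entropy figure only holds when the picks are random, so the human-chosen example in the text should be treated as an illustration of the style, not of the strength.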
Twitter has released some guidance. Whilst some of it may seem onerous, it can in reality be implemented with some simple internal processes. It is much better to take some pre-emptive steps than to be very publicly embarrassed.