Book chapter

Social Media Security

The following is an excerpt from the book Social Media Security: Leveraging Social Networking While Mitigating Risk written by Michael Cross and published by Syngress. In this section, learn how to keep track of social media accounts, conduct security reviews and more. 

Security

Not everyone takes security seriously. It's not uncommon for people to create a social media account and never look beyond the default settings. In the same way, they'll buy a mobile device, computer, or some other equipment to access those sites and accept that it's set up in a way that best protects them. Often, the default settings provide the greatest ease of use but are also the least secure. It's never a good idea to trust someone else has your security in mind, so you should check and configure these settings yourself. Fortunately, in reading this book, you've already shown how you're willing to do that.

Security is a trade-off. The more you lock down a social media account, restrict content from appearing on your profile page, and prevent people from accessing photos and other content, the less chance people will have finding you in searches. This not only means people you'd rather avoid, but also any old friends and family members you'd like to connect with. A decision can make your social media use more secure, but it can cost you functionality and/or ease of use.

The trade-off of security applies to almost anything you can think of in technology, accounts, network access, equipment, and content. As we've seen throughout this book, and discuss further in this chapter, there are many threats on the Internet and many tactics, settings, and tools to protect you and your systems. The level of security you choose to use is subjective, where it's up to you how much and how little you use. Ultimately, you need to decide how much you're willing to expose yourself to risks, and what level of vulnerability you can live with.

Keeping track of accounts

Social Media Security: Leveraging Social Networking While Mitigating Risk

Author: Michael Cross

Learn more about Social Media Security from publisher Syngress.

At checkout, use discount code PBTY14 for 25% off

When you're exploring the different social media sites available, it's easy to create accounts and forget the ones you don't use. This can leave a security hole, especially if you've set up posts on one site to automatically tweet an update or publish to another site. If a hacker gained access to it, it could be confusing at first trying to figure out why strange posts were appearing, not realizing it was coming from another site. Since you haven't used that account for awhile, when you do realize what's happening, you might also realize you've forgotten the username and password for the site.

To keep track of your accounts, you should consider creating a master list. It should state the URL of the site, the account name, and password. Keeping a master list of administrator passwords is a practice of IT departments in organizations, in which administrator accounts and passwords are documented and stored in a secure location. It's important that you don't keep it someplace where people will be able to read it or as a document on your computer. If it's stored as an electronic document on your computer or network, as in the case of a spreadsheet or Word document, you can add an extra small measure of security by password protecting it. As changes occur, update the list so the information is there when you need it. The other benefit of keeping a list of accounts and passwords is that it shows you where the same passwords are being used on multiple sites. If a site was hacked, your credentials could be compromised, and the hacker could now potentially gain access to any site using the same passwords. When this occurs, you'd need to change the passwords on any sites using them. In referring to your list of passwords, look for ones used multiple times, and then change them so a unique password is used on each site.

TOOLS & TIPS…
Setting up Social Media for a Business
IT departments should have authority over the technical aspects of social media and be involved in setting up and maintaining accounts. While they aren't difficult to set up, it ensures that people who are well versed with security are configuring the account correctly and in a consistent manner that follows social media security guidelines. Any settings they initially make could be modified later by a person using the account, but at least you're assured it's done correctly at setup or since the last security audit.

Read the full excerpt

Download the PDF of chapter 10 to learn more!

Security reviews

Threats change, so security needs to change and address them. Even if you've done everything right in configuring your security settings, there's no guarantee that new settings won't be introduced or old settings may be reset. Changes can occur anywhere. It may be on your computer or other devices used to access the Internet, or on the sites themselves.

Social media sites often make changes to their security to address identified or potential issues. While some sites notify you of updates and new settings, others may implement them without your knowledge, leaving you unaware of what's happened. How often this happens, and whether you're notified depends on the site. Because of this, you should review your settings from time to time to ensure they're configured the way you intended.

When a social media site changes its security, it can affect the options that are available. While you may have thought security was set up properly, the options may have changed. In some cases, the changes may reset your security settings to their default settings or provide additional options that may need to be set. The site may decide to turn on a setting that you don't want or make the option available and turned off. To benefit from the available security options, you need to review them and make sure they're set properly.

Being that social media involves using a computer or other devices, you also need to review how they're protected. You should evaluate the effectiveness of any security tools used to protect your computer, network, and mobile devices. Antivirus software needs to have signature files updated on a regular basis so it can identify any potential threats and block, quarantine, or remove them accordingly. To ensure you're protected, you should check the software to ensure it's being updated automatically, and that your system is being scanned on a regular basis. The operating system and software installed on a system will need to be updated from time to time. Doing so will patch any known vulnerabilities, which can be exploited by malicious software. This applies not only to your computer but also to any mobile devices you use.

More on social media security

Avoiding pitfalls in social media compliance, security

Social media regulations and compliance: What enterprises should know

How to implement and enforce a social networking security policy

Social networking website threats manageable with good enterprise policy

It's equally important to reevaluate strategies used to keep your organization and employees secure. The Social Media Officer should work with the IT department to provide information on changes that have occurred, and the IT staff should be aware of the social media sites being used when configuring security settings on equipment. Browsers, operating systems, and other tools may be updated, so it's necessary to identify and resolve any issues that could occur in using social media on these devices.

Businesses also need to audit their security so they're aware of changes in requirements. A company may have initially been fearful in using social media but now wants the sites accessible in the workplace. Conversely, they may have allowed users free reign over the social networking sites they visit but now want to limit access due to a number of incidents. These require changes to the existing firewall rules, how users are trained to use Internet resources, and may require changes to existing policies.

Security strategies

One of the major benefits and problems of social media is that you don't need any additional hardware or software to begin using it. Despite the hidden costs we'll discuss in Chapter 11, a person can simply create an account and begin using it. This allows employees to bypass the normal channels of employing new technology, along with any risk assessment and safeguards provided by an IT department. So long as they're able to go online and access social media sites, they're essentially out of your control.

The purpose of a social media security strategy is to give people the ability to do what's needed without compromising security. In creating one, you need to identify what areas need to be secure, how security will be achieved, and who will be responsible. The strategy should encompass any areas related to using social media, inclusive to the corporate workstations people may use, mobile devices issued to employees, network security, and firewall restrictions.

The security of corporate networks and computers is maintained by members of an IT department, who can grant or deny the ability to access features, resources, and perform certain actions. Because public social media sites are external to your network, this level of control doesn't extend to those sites. Don't expect the same level of support for an external site that you would for your intranet Web site or another network resource.

There is greater control over private social networking sites that your company may use. For example, if they have sites created with SharePoint, the Administrator can control who within the organization can view, contribute and approve content added to pages, as well as documents and other files that are uploaded. Because applications deployed to this environment may have their own security controls, the IT staff may have granular control over what people can do. In creating a security strategy, you'll need to identify what sites are effected (e.g., Facebook, Twitter, or your corporate intranet) and create rules and procedures that are applicable to them.

The other area where the IT department needs to be consulted is in relation to the firewall settings. A firewall is a hardware and/or software security system that controls what is allowed to pass in and out of the network and will use content filtering features or tools to look at the content to determine if it should be allowed. It blocks unwanted content through rules that are created and looks at the data packets entering or leaving the network to determine whether they match those rules. For social media use, content filtering tools like Websense (www.websense.com) could be used to allow or block sites like Facebook and Twitter, or sites that fall into specific categories, such as social networking. It's important to work with the network administrator in your IT department so that the security settings can be configured to allow employees to access the sites.

If you want people to use certain apps, the IT department will also need to be aware of these requirements. For example, some apps use Adobe Flash, which means it needs to be installed on the computer being used. In other cases, the site may use HTML 5 to deliver content, which isn't supported by all browsers. Because employees probably (and should) have restrictions on what they can install on corporate computers, the IT staff would need to have these programs installed.

The level of support an IT department gives is another important topic to discuss, as social media can be accessed from home computers and personal mobile devices. A Social Media Officer may feel that the IT department's help desk should provide social media support to employees, but the IT staff may have a different opinion. They're probably not going to suddenly provide technical support to equipment that isn't owned by the company. They also wouldn't want to touch a personal mobile phone or tablet brought into the office, as the company could be liable for infringing on someone's personal privacy and any problems occurring later with the device.

This isn't to say that a company should ignore the fact that employees will use personal devices to access social media or the potential risk. As we've mentioned in previous chapters, an employee could fall victim to social engineering and give away their password or other sensitive information, or have their home computer infected with a virus or malware. To prevent this, the company should train employees on security-related issues and also look into corporate discounts for them to purchase antivirus software and other security tools for home use.

TOOLS & TIPS…
Don't Expect Miracles
The same security controls available on your personal social media account is what's available to a business one, so don't expect the IT department to configure any settings beyond what you can see. Also remember that they won't be able to access any settings if they haven't been given the account's username and password. Due to their technical background, your IT staff can be useful in recommending the best possible settings and provide insight on how to configure them to achieve the results you want.

 

About the author:
Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist/Computer Forensic Analyst with the Niagara Regional Police Service (NRPS). He performs computer forensic examinations on computers involved in criminal investigation. He also has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining the NRPS Web site at www.nrps.com and the NRPS intranet, he has provided support in the areas of programming, hardware, and network administration. As part of an information technology team that provides support to a user base of more than 800 civilian and uniform users, he has a theory that when the users carry guns, you tend to be more motivated in solving their problems. Michael also owns KnightWare (www.knightware.ca), which provides computer-related services such as Web page design, and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and he has been published more than three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario, Canada, with his lovely wife, Jennifer, his darling daughter, Sara, and charming son, Jason.


This was first published in March 2014