Top Seven Tips for Securing Official Social Media Pages
The official Facebook page for the Navy ship USS Kidd was recently compromised and used to stream video games. The threat actor titled one of the streams “Hahahahaha”, but this is of course no laughing matter. While the Navy doesn’t use the Facebook page for delivering operational orders (we hope), it does use the page to keep sailors serving on the ship connected with their families and the public. Effectively, this is a public relations page. A threat actor could damage relations with the public and impact morale, but the overall impact is likely limited.
The Navy isn’t alone among the military in its use of official social media accounts for public relations. After the Fort Bragg official Twitter account posted some fairly lewd comments, the Fort Bragg Public Affairs Officer briefly claimed the account had been hacked. They walked that statement back after learning that someone with access to the account had simply forgotten which login they were using (business vs. personal). An Internet shaming pile-on ensued when the official account was briefly deleted, drawing more attention from the press (and ultimately the public).
But it’s not just military units that use official social media pages to communicate with the public. Many small and medium businesses rely on Facebook, Instagram, Twitter, and LinkedIn (among others) to communicate with the public as well. Traditionally, when threat actors compromise official social media accounts, the accounts are used to spread links to fraudulent “giveaways” (usually involving cryptocurrency). In 2020, Twitter’s support staff were compromised to gain access to high-profile accounts for exactly such a scam. While individual accounts (including official business accounts) are also compromised, most don’t have enough impact to draw media attention. A series of these compromises did gain media attention in 2018.
Given that many small and medium businesses use their social media accounts as a primary mechanism to communicate with the public, a compromise of one of these accounts can be devastating. In addition to nearly certain brand damage, a hacked account posting malicious or prohibited content may be suspended by the platform. If you’ve ever tried to recover a hacked account from a social media platform, you know how challenging the process can be. If you haven’t had to experience the account recovery process, consider yourself lucky.
The use of multifactor authentication (MFA) to secure accounts is paramount, particularly for business accounts. If possible, use an MFA method other than text messages (SMS), such as Google Authenticator. If the platform only allows SMS, consider obtaining a Google Voice number to receive the SMS codes. Google Voice numbers are not portable, which mitigates SIM swapping attacks. While SIM swaps are usually reserved for high-value targets, that may very well describe your business page. An ounce of prevention, as they say, is worth a pound of cure.
However, MFA presents special challenges with shared accounts. How will users first authenticate? Who manages the MFA token (most often an SMS message)? These very real issues keep many organizations from using MFA on group accounts. However, most platforms allow multiple identities to be associated with an account. When multiple people need to be able to post from a business account, use platform features to share access rather than sharing credentials. Coach each user to enable MFA on their individual account, which is then delegated access to the corporate/organizational account. The following section provides handy links for configuring delegated access:
Administering user roles for a Facebook page:
Administering user roles for a LinkedIn page:
Adding multiple users to a Twitter account (TweetDeck Teams):
Adding multiple users to an Instagram account:
Tips For Securing Social Media
1. Protect your accounts with a strong password. Password managers make it easy to use passwords too strong for humans to bother remembering.
2. Always use multifactor authentication (MFA) when available to secure your accounts, particularly accounts for social media.
3. If possible, use an MFA method other than text messages (SMS), such as Google Authenticator.
4. Don’t share a username and password for an organizational account. Instead, delegate access using the resources above.
5. Protect the organizational account itself with MFA and a strong password.
6. Monitor your organizational account pages/feeds for suspicious behavior (unexpected posts, changed profile details, new admins) that might indicate the account has been compromised.
7. Monitor the email addresses associated with the organizational account for evidence that the password has been compromised, and change the password immediately if you believe there’s any possibility of compromise.