GUIDELINES FOR SECURING SOCIAL MEDIA ACCOUNTS. Version 1.0

Transcription

1 GUIDELINES FOR SECURING SOCIAL MEDIA ACCOUNTS Versin 1.0 Published Octber 2015

2 Dcument Cntrl Versin: 1.0 Authr: Cyber Security Divisin - ictqatar Classificatin: Public Date f Issue: Octber Page

3 Cntents Intrductin... 4 Objective... 4 Scpe... 4 Intended Audience... 4 Legal Mandate... 4 General Recmmendatins... 5 Understand the Risks... 5 Set up a Gvernance fr Scial Media... 5 Accunt creatin and administratin... 5 Accunt Lgin... 6 Passwrd Management... 6 Infrmatin Sharing / Acceptable Usage... 7 Cnfigure Privacy Settings... 7 Mnitring... 7 Third Party Slutins... 7 Incidents: In case f any suspicius activity... 7 Recvery Plan... 8 Security Awareness... 8 Securing Mst Cmmn Scial Netwrking Sites... 8 Facebk:... 8 Twitter:... 9 Instagram: LinkedIn: Page

4 Intrductin Scial netwrks / media is an rganizatin s identity in the virtual wrld. This scial identity is very much linked t its crprate public image and needs t be prtected as much in the virtual wrld as in the real wrld. The scial media accunt if nt secured may pen a fldgate t cmprmising and maligning yur crprate public image. This dcument prvides mitigatin advice and security cntrls t help reduce threats such as unauthrized access as well as steps t fllw in rder t retrieve a stlen accunt. Objective Prvide necessary guidance t help rganizatins manage their scial media accunts securely. Scpe All rganizatins having scial media presence. Intended Audience Staff authrized t manage and use the crprate scial media accunts. Legal Mandate Article 14 f Decree Law N. 16 f 2014 setting the mandate f Ministry f Infrmatin and Cmmunicatins Technlgy (hereinafter referred t as ictqatar ) prvides that ictqatar has the authrity t supervise, regulate and develp the sectrs f Infrmatin and Cmmunicatins Technlgy (hereinafter ICT ) in the State f Qatar in a manner cnsistent with the requirements f natinal develpment gals, with the bjectives t create an envirnment suitable fr fair cmpetitin, supprt the develpment and stimulate investment in these sectrs; t secure and raise efficiency f infrmatin and technlgical infrastructure; t implement and supervise e- gvernment prgrams; and t prmte cmmunity awareness f the imprtance f ICT t imprve individual s life and cmmunity and build knwledge-based sciety and digital ecnmy. Article (14) f Emiri Decree N. 27 f 2014 stipulated the rle f the Ministry in prtecting the security f the Natinal Critical Infrmatin Infrastructure by prpsing and issuing plicies and standards and ensuring cmpliance. Article (15) f Emiri Decree N.27 f 2014 stipulates that the Ministry build and enable incident respnse framewrk and enhance capabilities t detect and analyze malicius cntent. This Plicy Dcument has been prepared taking int cnsideratin current applicable laws f the State f Qatar. In the event that a cnflict arises between this dcument and the laws f Qatar, the latter, shall take precedence. Any such term shall, t that extent be mitted frm this Plicy Dcument, and the rest f the dcument shall stand withut affecting the remaining prvisins. Amendments in that case shall then be required t ensure cmpliance with the relevant applicable laws f the State f Qatar. 4 Page

5 General Recmmendatins Understand the Risks Scial media accunts related t gvernment, semi gvernment, natinal events represent an ideal and lgical target fr ur natin s adversaries, as scial media is seen as the virtual identity f the gvernment. Further being a gvernment accunts, they have a huge fllwing and the fllwers have implicit trust in them. The risks assciated with such scial media prfiles are: - Leaking f cnfidential r inapprpriate infrmatin - Vandalism f cntent, spreading malicius cntent - Legal implicatins - Blackmail Set up a Gvernance fr Scial Media Define a plicy fr usage f scial media in yur rganizatin. On a minimum, the plicy shuld include the fllwing: Identify wh in the rganizatin is authrized t engage in scial media n its behalf? Wh cntrls and wns the infrmatin int a scial netwrking site? What infrmatin are the stakehlders passing n t ther peple? Seeking cnsent frm stakehlder prir disseminating infrmatin related t them. Explicit prcedures n scial media netwrking. Wh wuld the crprate accunt fllw r be influenced with etc Hw wuld infrmatin received frm the fllwer netwrk be bradcasted? i.e. reshared r re-tweeted etc. Defined prcess fr Incident handling / recvery plan in case f breach r malicius attacks. Hardware and sftware authrized t access the scial media accunt frm. Accunt creatin and administratin In rder t create and manage accunt wnership it is recmmended that we have: A dedicated crprate (usually used as the username), shuld be used t create and maintain a scial media accunts. This address shuld be a generic/nnspecific enterprise accunt fr lgging int scial media netwrks. Individual enterprise addresses are easy t guess and decrease the security f scial media accunts. 5 Page

6 Each scial media channel/accunt shuld be assciated with a separate and unique crprate . Example: the Username/ assciated with crprate twitter is different frm the Username/ used n Facebk D nt use the same passwrds fr scial media that yu use t access cmpany cmputing resurces Private s shuld nt t be used t manage and access a crprate scial media accunt such as twitter accunt r Facebk page The scial media accunt page shuld feature the cmmunicatin department apprved lg and the prfile text shuld include references that this accunt is the fficial accunt f the rganizatin. Organizatins shuld define which rganizatins / agencies they may fllw. E.g. Gvernment agencies may fllw ther gvernment agencies, verified accunts r trusted surces. It is nt recmmended t fllw individual users. It is nt recmmended t access / re-pst / re-tweet / share unverified messages with imbedded links and URLs. Accunt Lgin Cnfigure scial media accunts t use secure sessins (HTTPS) whenever pssible. Facebk, Twitter and thers supprt this ptin. (Nte: This is extremely imprtant when cnnecting via public Wi-Fi netwrks). QCERT can help yu cnfigure yur accunt t use HTTPS at all times Lgin shuld nly be frm a dedicated crprate wned / managed device ( PC r Mbile device) Lgin shuld be frm a trusted netwrk, refrain frm using public/pen Wi-Fi netwrks like café s airprts etc unless using a crprate VPN t secure yur sessin. If any mbile devices are linked t yur crprate scial media accunts, make sure that these devices are adequately prtected. Disable the ge-lcatin feature while psting r tweeting. Passwrd Management Always use strng and secure passwrds t access scial netwrks. The passwrds shuld cmply with the crprate passwrd plicy. Change passwrds frequently. Have different passwrds fr different accunts. Use multi-factr authenticatin fr scial media accunts (if supprted by the prvider). 6 Page

7 Infrmatin Sharing / Acceptable Usage D nt disclse any fficial infrmatin upn registratins f scial accunts. Restrict emplyees frm psting fficial and sensitive data r infrmatin ver scial netwrks. Only authrized persnnel shuld be allwed t perate crprate scial media accunts. D nt pst any infrmatin that may be discriminatry, disparaging, defamatry r harassing cmments regarding the rganizatin r its emplyees r any third party in their electrnic pstings r publishing. Cnfigure Privacy Settings Review and revise as necessary the default privacy settings ffered by the scial media netwrking sites. Mnitring Limit crprate scial media accunt access t an authrized emplyee in rder t cntrl the cntent distributin ver scial netwrks. This culd be the Public relatin fficer (PRO), fficial spkespersn, etc. In case where mre than ne persn has access t the crprate scial media accunt, internal prcedures shuld be defined t regulate this activity, this shuld include training user n usage f scial media, active mnitring, and use f scial media management slutins and / r any ther cmpensating cntrls as deemed necessary. Regularly mnitr the access granted t authrized user accunts and revke the access f emplyees wh leave the rganizatin r n lnger have a business need t use scial media. Have a third party individual, wh is nt respnsible fr cntent, cntinuusly mnitr scial media accunts fr unauthrized r unusual pstings. Third Party Slutins The rganizatins shuld cnsider usage f a scial media management slutin. Incidents: In case f any suspicius activity Please reprt t QCERT (incidents@qcert.rg) r call ( ) if yu see any f the suspicius symptms belw: Autmated likes, favrites, fllws/un-fllws r friend requests Private messages being psted t yur friends (this can be hard t spt unless smene pints it ut t yu) Unexpected /push ntificatins frm the scial netwrk, such as: Warning that yur address has been changed 7 Page

8 Warning that yur accunt was accessed frm an unknwn lcatin. Status updates/tweets that yu didn t make Changes t the prfile r pictures n the accunt. Recvery Plan Cllect all lgs, traces, artifacts f malicius activity fr investigatin and pssible legal requirements. Immediately change accunt passwrds. Verify and change the passwrd fr the assciated s and back up s Verify the passwrd recvery ptins set fr the scial media accunt; verify the alternative address that has been setup. Verify aut frward ptins if any setup fr the accunt and assciated s. Visit the applicatins page f the scial netwrk and remve any apps yu d nt recgnize. If the accunt cntinues t behave erratically, we recmmend yu revke access t all applicatins. Security Awareness Emplyees managing and / r maintaining the rganizatin s scial media accunts shall be sensitized and educated n infrmatin security. They shuld be made aware f prevalent threats such as Phishing and scial engineering. Securing Mst Cmmn Scial Netwrking Sites Facebk: a. Ensure yu're using a secure cnnectin whenever ne is available, click Security in the left pane f Facebk's Accunt Settings and make sure Secure Brwsing is enabled. b. The security settings als let yu enable lg-in ntificatins and apprvals, and view and edit yur recgnized devices and active sessins. c. Security Tips: i. Prtect yur passwrd. ii. Use Facebk s extra security features. iii. Make sure yur accunt(s) are secure. 8 Page

9 iv. Lgut f Facebk when yu use a cmputer yu share with ther peple. If yu frget, yu can lgut remtely. v. Run anti-virus sftware n yur cmputer: vi. Think befre yu click r dwnlad anything. d. Enable 'Lgin Apprvals' frm the 'Accunt Security' sectin f the accunt settings page. Fllw the link - e. Update yur accunts as per new security tips and guideline f facebk. Yu can find them at Twitter: a. When yu sign up fr Twitter, yu have the ptin t keep yur Tweets public (the default accunt setting) r t prtect yur Tweets. b. Accunts with prtected Tweets require manual apprval f each and every persn wh may view that accunt's Tweets. c. Security Tips: i. Use a strng passwrd. ii. iii. iv. Use lgin verificatin. Gvernment rganizatins shall get their accunt validated and verified. Q-CERT can help yu in this. Watch ut fr suspicius links, and always make sure yu're n Twitter.cm befre yu enter yur lgin infrmatin. v. Never give yur username and passwrd ut t untrusted third parties. d. Using SMS text message lgin verificatin: T set up SMS text message lgin verificatin: i. G t yur Security and privacy settings n twitter.cm and select the ptin t Verify lgin requests. ii. When prmpted, click Okay, send me a message. iii. If yu receive ur verificatin message, click Yes. (Nte: yu'll have t enter yur passwrd). iv. Yu can generate a backup cde by selecting the ptin t Get backup cde. Write dwn, print, r take a screensht f this backup cde; this will help yu access yur accunt if yu lse yur phne r change yur phne number. e. Update and fllw the best practices mentined by Twitter regularly. Yu can find them at 9 Page

10 Instagram: LinkedIn: a. Security Tips: i. Pick a strng passwrd. ii. Make sure yur accunt is secure. Change the passwrds fr all f yur accunts and make sure that n tw are the same. iii. Lgut f Instagram when yu use a cmputer r phne yu share with ther peple. Dn't check the "Remember Me" bx when lgging in frm a public cmputer. iv. Think befre yu authrize any third-party app. b. Update yur accunts as per new security tips and guidelines f Instagram. Yu can find them at a. Security Tips: i. Change yur passwrd regularly. ii. Sign ut f yur accunt after yu use a publicly shared cmputer. iii. Manage yur accunt infrmatin and privacy settings frm the Prfile and Accunt sectins f yur Privacy & Settings page. iv. Keep yur antivirus sftware up t date. v. Dn't put yur address, hme address r phne number in yur prfile's Summary. vi. Only cnnect t peple yu knw and trust, r thse yu have trustwrthy cmmn cnnectins with. vii. Cnsider turning tw-step verificatin n fr yur accunt. viii. Be infrmed abut reprting inapprpriate cntent r safety cncerns. b. Update yur accunts as per new security tips and guidelines f LinkedIn, 10 Page