ALPS blog

Social media has become an integral part of peoples’ lives, as it is a primary channel through which we get information and interact with others. The pandemic has only exasperated this as isolation pushed people to lean even more on social media platforms as their primary connection to the rest of the world. This has resulted in the amount of information people are sharing to skyrocket.

With Social Media Day upon us, as we give thanks for all the benefits these platforms give us, we wanted to share some best practices for using social media platforms securely.

Think before you share

What is posted on social media is not necessarily only seen by the friends and family with whom you are directly connected. Depending on your account settings, what you post could be seen by anyone and everyone. And this isn’t limited to what you post, but also what posts or photos you are tagged in, groups you are part of or interests you follow.

Cybercriminals frequently leverage publicly accessible social media information to tailor their attacks. The process, which is one aspect of Open Source Intelligence (OSINT), allows them to target specific individuals for an attack, or profile broad groups of people to attack.

You may be thinking, “I’m not interesting, so that wouldn’t happen to me.” But that is not a safe way to think about social media security.

Any employee can be targeted as a point of entry for a corporate level attack. Your profile tells a lot about you and might inspire a targeted phishing email or vishing call or text that results in a corporate network compromise.

Common social media sharing mishaps include:

  • Workplace photos that expose details about your employer: First day of work photos with an ID badge can allow an attacker to create their own badge to walk through your workplace without question. Passwords or account details can be seen on sticky notes or visible on screens in a photo. Even the type of laptop, email client, browser or phone system you use could fuel an informed and convincing phishing attack.
  • Personal posts can lead to professional attacks: A new car photo in front of your home can give away your address and more. Credit cards, driver’s licenses, passports and any other personal identifiers can be found in the background (or forefront) of images on social media. All of this personally identifiable information (PII) can put your identity at risk, and it can be used to impersonate you to your employer for a corporate attack.
  • Any photo with geolocation enabled can let criminals know you’re out of town and your home is empty. And photos can be easily reverse searched to find out additional information.
  • Having a phone number and email address associated with your social media accounts may be required for the account or requested for security purposes, but check the setting to make sure those don’t make you or the account vulnerable.

Practice good account hygiene

As security professionals, we know securing accounts starts with a strong password. However, with password cracking software continuously evolving, what we considered a strong password before may not be enough anymore to keep us secure.

Passphrases are much stronger than passwords – the more complex and unusual, the harder it will be to crack. These involve a sentence that contains a mix of letters, numbers, and special characters. If you are wondering how in the world you will remember all these different passphrases, consider using a secure password manager.

It is also important to be careful which emails you are linking to your social media. Organizations should put in place a policy that prohibits the use of corporate emails with social media accounts. This will help mitigate the risk of attackers gaining access to corporate networks through compromised social media account credentials. It is best to use a unique email specifically for social media accounts, limiting the valuable information available to an attacker should your account be compromised.

Some additional best practices to follow are:

  • Use a different password for every account. This way if one account is compromised, other accounts may not suffer the same fate.
  • Enable multifactor authentication (MFA) for an additional level of security.
  • Keep apps updated. Just like any software, it is important to keep them up to date to ensure you are secure from any newfound threats or vulnerabilities.
  • Delete any accounts that you no longer regularly use. This ensures they cannot be compromised and leveraged to access other linked accounts, like your email.

Keep corporate accounts secure

Most organizations today have multiple corporate social media accounts, as this is a direct connection to communicating with consumers. A Least-Privileged Administrative model, which is commonly used in IT teams, can be applied to social media access and used to increase security. Employees that have direct access to social media accounts through the native application should be minimized.

Organizations can also use a social media management platform to further limit their users’ privileges to exactly what they need to complete their responsibilities and nothing more. This access model will help control the posts that are published, ensuring quality, and avoiding deliberate sabotage – a win-win.

Beware of Cyberpropaganda

Social media feeds are filled with a plethora of fake news and misinformation. Cyberpropaganda has existed for a long-time, and social media platforms are perfect for this type of nefarious activity. Misinformation sharing on social channels has even become a service offered in the underground or gray marketplaces. It is important to remember this when browsing on social feeds and check the sources of links carefully before clicking or sharing.

To ensure you are not a victim, or a part of the problem by sharing fake news, you should be vigilant about what you click and share. Here are some ways to verify a post is real:

  • See if a news story has been reported directly on reputable sites: If it is real news, you can bet more than one media outlet is reporting on it.
  • Look at the link: You can use similar principles that you use to protect yourself from phishing. Are letters in the URL replaced with similar characters?
  • Look at the quality: Are there real comments? Are there spelling and grammar mistakes? Is it a professional looking website?
  • Beware of clickbait headlines using hyperbolic terms.

When browsing through social media feeds, you could use a mindset similar to the concept of Zero Trust. This means that you do not inherently trust anything, even if it is posted by a trusted person. Start from a place of Zero Trust and verify before deciding to trust a post. You never know if your friend or another organization may have been tricked and shared fake news, or their account may have been compromised.

Staying safe on audio-only apps

A recent trend has been the social media apps that are audio-only, like ClubHouse, and recently launched Greenroom by Spotify. And like the rest of social media platforms, it is subject to malicious activity as well. Here are some security best practices to use when on these platforms:

  • You never know who could be recording, so only say things you would share publicly.
  • Just because someone’s bio says it is them, it doesn’t mean it is. Don’t trust someone by their bio alone.
  • Minimize the amount of data you share by only granting the absolutely necessary permissions and actively managing your account settings.

Social media is a double-edged sword. It has been a lifeline during a very difficult time, allowing us to find another way to communicate, when the traditional, in-person method was unsafe. It allowed us to connect with loved ones and delivered critical information in a very uncertain time. However, cybercriminals abuse it, and will continue to do so, as it is full of valuable data they can steal and is an easy platform for them carry out malicious plots. By using best practices, we can stay safe and reap the benefits that social media offers.