Social media and the security issues that flow from it

The latest subject I'm tackling in my blog has a wide focus: definitely relevant in the digital banking and financial services world, but also something that should be on the radar for organisations across many more industries. The issue under my microscope revolves around the risks associated with the use of official 'corporate' social media accounts, against a backdrop of growing numbers of organisations embracing social media as a legitimate means of business. We turn the lens on the implications for those responsible for protecting the corporate assets, from threats arising through ill-managed internal use to novel attacks by determined outsiders, writes Mark Waghorne

The use of social media by organisations can produce major benefits and most financial institutions have now embraced it as a legitimate and significant communications channel. As we see below there are challenges as well, ranging from external attacks to internal issues where social media accounts are either poorly secured or where people have limited guidance about who may say what, on which channel and how they should clearly differentiate between personal views and statements and those that represent the organisation.

So, some background to the potential problem. There have been many well publicised events recently where entirely legitimate Twitter accounts and other social media ‘feeds’ have been taken over and messages posted either mischievously or maliciously.

The Syrian Electronic Army has had considerable coverage, but like many alleged ‘hacktivist’ groups its motives and targets are wide. It has, however, taken credit for the compromise of the main Associated Press Twitter feed. The impact was happily short-lived, but the bogus news claimed that the US White House had been bombed and US President Obama hurt; as a result, the US stock markets briefly dived. It is easy to imagine other organisations having their social media feeds subverted with bogus messages – perhaps saying the business is in financial trouble, or suggesting some form of impropriety.

There are more sophisticated attackers at work too. Some recent research by Trusteer has identified an active configuration of financial malware targeting Twitter users. As Trusteer say, the malware launches a Man-in-the-Browser attack through the browser of infected PCs, gaining access to the victim’s Twitter account to create malicious tweets. The malware, previously used to gain access to user credentials and target their financial transactions, now has a new goal: to spread malware using the online social networking service.

Then there are others, such as attackers who seek to masquerade as an organisation in order to exploit others. An example of this with no malicious intent was ‘Santiago Swallow’, a ‘thought leader’ who on the face of it had over 85,000 followers on Twitter but was in fact nothing more than an experiment by technology writer Kevin Ashton.

What should we do? Any strategy must at least address policies around the use of social media, training and awareness, and a governance framework regarding corporate information. There are also some specifics to think about:

– What rules do we have in place to govern the organisation’s formal use of social media?
– Do we use all of the security controls that the platforms already build in? For example, do we use the often-standard two- (multi-) factor authentication for our social media administrators? Not relying on simple user IDs and passwords would help defeat many of the ‘account take-over scenarios’ described above.
– Are our current intelligence, analytics and threat assessment capabilities sufficient, including the ability to identify when key words appear in social media, or do they need to be enhanced? Compromise may be a "when" rather than an "if", and in those circumstances it is far better to know about it quickly and respond proactively than to learn of it from customers or the media.
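The monitoring capability described in the last two points, as an added example that is not part of the original post: a small Python check that reviews a corporate account's own recent posts against an internal policy (approved posting tool, approved hours, a key-word watchlist and trusted link domains), so that a hijacked feed is flagged internally before customers or the media report it. The posting tool name, domains and sample feed are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse
import re

# Internal policy for the corporate account (constructed example values)
APPROVED_CLIENTS = {"Corporate Publisher"}   # hypothetical approved posting tool
APPROVED_HOURS = range(8, 19)                 # 08:00 to 18:59 UTC
WATCHLIST = {"bombed", "insolvent", "hacked", "breach", "download"}
TRUSTED_DOMAINS = {"example-bank.com"}        # hypothetical corporate domain

@dataclass
class Post:
    ts: str      # ISO 8601 timestamp, UTC
    client: str  # posting application as reported by the platform
    text: str

def review_post(post):
    """Return the list of policy deviations for one post (empty list = clean)."""
    findings = []
    t = datetime.fromisoformat(post.ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    if t.hour not in APPROVED_HOURS:
        findings.append("posted outside approved hours")
    if post.client not in APPROVED_CLIENTS:
        findings.append(f"unapproved client: {post.client}")
    words = set(re.findall(r"[a-z]+", post.text.lower()))
    hits = sorted(words & WATCHLIST)
    if hits:
        findings.append("watchlist terms: " + ", ".join(hits))
    for url in re.findall(r"https?://\S+", post.text):
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain: {host}")
    return findings

def triage(posts):
    """Map the timestamp of each post with findings to those findings."""
    result = {}
    for p in posts:
        findings = review_post(p)
        if findings:
            result[p.ts] = findings
    return result

# Constructed sample feed: one routine post and two that resemble a take-over
SAMPLE_FEED = [
    Post("2013-05-01T09:15:00Z", "Corporate Publisher", "Our branches open at 9am today. https://example-bank.com/hours"),
    Post("2013-05-01T03:42:00Z", "Twitter Web Client", "BREAKING: head office has been bombed"),
    Post("2013-05-01T12:00:00Z", "Corporate Publisher", "Download your statement: http://statement-update.example.net/x"),
]

if __name__ == "__main__":
    for ts, findings in triage(SAMPLE_FEED).items():
        print(ts, "->", "; ".join(findings))
```

In practice the feed would be pulled from the platform's API on a schedule and the findings routed to the team that owns the account, so that the response (revoking sessions, rotating credentials, issuing a correction) starts from an internal alert.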

An information security or IT-led approach to developing a social media policy and security framework will rarely produce a truly effective result. Cross-functional involvement from departments such as legal, risk, HR, customer service and brand protection will be necessary to cover all bases.