Is your business’s social networking account a threat to you & your customers’ IT security?

For all the millions companies spend each year protecting their IT infrastructure against hackers, viruses, and other forms of malware, could their social networking accounts be their weak link?  And now, with Twitter DM scams on the increase what can companies do to protect themselves, their staff, and their customers, against social media threats? 

To find out we spoke to Threatscape’s Managing Director, Dermot Williams, about social networking security. We find out what to do if your accounts are hacked, and how to ensure your business protects itself, and its customers, from social media threats.

Threatscape specialises in protecting and advising multi-nationals, government departments, and large corporations about IT security and data communications. Threatscape is full-service leader in IT security in Ireland and the UK; covering everything from IT infrastructure, to providing practical advice and training. In June it became the first UK and Irish company to obtain Symantec Enterprise Security Specialisation and Symantec Platinum Partner status and is now one of only three companies in Europe, the Middle East, and Africa to hold such a position.

Can you tell us about the most common scams on Twitter -what should people be looking out for? 
One continuing method to scam people has been to compromise a Twitter account and post fake tweets; just today we have news that the account set up by Andrew Breivik few days before his killing spree has been taken over by hackers.

And of course another form of attack which continues to manifest itself on Twitter, and all social networks, is attempting to exploit a tragedy or other high profile news event to spread malware by propagating links to infected websites, or malware laden image etc.

How successful are social networking scams, surely people don’t fall for them anymore? 
Quite the opposite, unfortunately. Facebook alone continues to gain around a million new users per day. If even a tiny percentage were to be careless or clueless or both, that leaves a large number of new victims. But of course indications are that many new and existing users alike continue to fall for scams.

And it’s not just new users – the more savvy users aren’t somehow immediately immune to all scams, in many cases they just become better at spotting and discarding the simpler or more familiar ones but may still fall for some future more cunning attack.

If a company’s social networking account is hacked, does the company need to inform the Data Protection Commissioner or another body? 
The role of the DPC is to protect the privacy of individuals so a hack of a company’s account on a site such as Twitter or Facebook would probably not fall into its remit, as you don’t own or manage the private data concerning your ‘followers’ or ‘fans’ on those sites – you just share information with them. Were Twitter or Facebook themselves to be hacked – and user details stolen – that of course would probably be a matter for the DPC.

Beyond the DPC, a hack of a social networking account (especially one which is exploited in an attempt at financial fraud rather than less criminal ‘mischief’) may warrant a report to the Garda, or other Police service’s, Bureau of Fraud Investigation.

What advice would you give business users of social networking accounts?
I think the first step is to properly assess the value and business risks involved in engaging with social networking. Senior executives are acutely aware that intangible assets such as brand value and reputation as just as valuable to a business as cash in their bank account – yet while the organisation may have sophisticated, effective and carefully audited procedures in place in relation to writing cheques or transferring funds from bank accounts, their approach to engaging with social networking – with its associated risks to company reputation – may be far less rigorous.  One of my colleagues wrote blog post for the marketing institute of Ireland a few months back on a related topic.

A large number of companies are now using Twitter – how can they protect themselves from Twitter DM scams? 
Well a good starting point is to carefully control who has access to the company Twitter account – and ensure they are well versed in, and diligently follow, good security procedures.  Try not to let the number of staff with access to the Twitter account grow too large as that only increases the risk of a phishing attack finding at least one victim who may fall for clever social engineering.

A key point is to be very wary of incoming messages with links to web pages, photos, videos, etc. – and to be very very cautious about what, if anything, you ‘retweet’.

Another is to keep an eye on sources of information about the latest Twitter attacks.  Following Twitter’s own @spam and @safety accounts are an obvious place to start.

In relation to URLs in DMs, it’s unfortunate that the need for brevity has made the use of shortened URL services such as bit.ly and tinyURL the norm. This makes it difficult to know just where you are going to be redirected when you click on link (though some sites now offer a URL preview) which makes clicking on DM links all the more dangerous. While some of these services now check URLs against malware databases such as http://www.surbl.org before allowing a new URL to be shortened, this only offers limited protection. And the risk that someone you know and trust may have had their Twitter account compromised (or may naively retweet something malicious to you in a DM) means that ‘oh I know who sent me this…’ is NOT something to rely on.

A hack of a social networking account (especially one which is exploited in an attempt at financial fraud rather than less criminal ‘mischief’) may warrant a report to the Garda, or other Police service’s, Bureau of Fraud Investigation.

What should they do if their account has been hacked and has sent spam messages to followers? 
The most organised companies will have an incident response plan prepared in advance, ready to be followed in case of such an eventuality.  Of course those who take that level of care in their planning are probably also taking prudent steps to avoid becoming victims! So let’s assume the ‘victim’ company in this instance probably doesn’t have a plan in place and needs to scramble to put one together in response to an incident. There are a lot of aspects which they would need to cover in it – much of which needs to be done both quickly and carefully, two requirements which don’t always sit well together – and it’s beyond the scope of a few sentences here to do it justice. But a few bullet points for starters would be:

1. Make sure you inform and involve all relevant people in your organisation as early as possible – IT, PR, marketing, legal, etc. and bring in any outside expertise required to assist you
2. You will, as quickly as possible, need to warn recipients about the spam to limit its impact
3. As noted above, reporting to authorities may be advisable (or even mandatory) depending on the nature of the incident.  Other entities such as insurers may also impose mandatory reporting obligations.
4. A hack of one system such as a Twitter account may be just part of a larger incident. Can you determine how it was hacked? Did someone use the same password on other systems? Which user and which systems? Are there other attacks in progress or pending? Is the Twitter attack just a diversion to distract resources while an attacker launches an attack on something else?
5. Preserve evidence such as computer audit logs etc. which may be relevant to any later incident investigation