
InfoSec's Guide to Social Media [WHITEPAPER]


HIGHLIGHTS:

• Strategies to remediate traditional information security risks launched on social media

• How to leverage social media as an OSINT threat intelligence repository

• Working with marketing to secure corporate accounts like any other high-value asset

• Using security techniques to remediate business risks such as piracy, counterfeit goods, and ad dilution due to social botnets

• Outline of security’s responsibilities in remediating each type of risk

• ZeroFOX recommendations for an operational framework around mitigating social media risks across the organization

WHY INFOSEC NEEDS TO CARE ABOUT SOCIAL MEDIA

A SECURITY TEAM’S GUIDE TO COLLABORATIVELY REMEDIATING SOCIAL MEDIA RISKS

WHITEPAPER


© ZeroFOX 2015 – All Rights Reserved | ZEROFOX.COM Page 2 of 7

INTRODUCTION

The information security team’s role has changed significantly over the last few decades. Ten years ago infosec was laser focused on securing the endpoint, getting a handle on the extended network perimeter, and minimizing the potential attack surface. Today, the information security team’s charter is much more complex. Yes, infosec is still tasked with protecting the organization from all potential information, technology, and digital risks, but the new twist is that they must do this while enabling more connectivity, mobility, and engagement across the organization. Security must now facilitate the expansion of the attack surface, something that runs counter to every fiber of security best practices.

For security teams, this means working closely with several other departments, specifically marketing, finance, risk management, and fraud. These departments are all faced with risks on social media, and security teams are now tasked with remediating risk while enabling secure usage of social networking channels. Most importantly, security teams must lead this initiative.

SOCIAL MEDIA SWIM LANES

In order for each department to achieve their goals, they must know where their responsibilities fall and how to work collaboratively to solve the security and business risks presented by social media.

[Figure: SOCIAL MEDIA RISKS swim-lane diagram. Lanes: FINANCE/RISK (Budgeting, Risk Modelling); SECURITY (Phishing, Malware, Social Engineering, Training/Awareness, Testing); MARKETING (Content Creation, Engagement, Optimization, Social Media Advertising). Shared areas: LOSS PREVENTION, ADVERTISING, BRAND PROTECTION. Risks shown across the lanes: Piracy, PII/Sensitive Info, Counterfeit Goods, Customer Fraud, Account Protection, Brand Impersonation, Hashtag Hijacking, Bot Followers, Fake Customer Reps, Policy Building.]


SOCIAL MEDIA AS A CYBER ATTACK VECTOR

The tactics used on social media are classics: spearphishing, malware distribution, and social engineering. The industry has taken notice, and much has been written about the rise of social network exploitation and the use of social networks to compromise corporate and government networks. FireEye, PCWorld, SecurityWeek, McAfee, and CSO/CIO Magazine all included social media on their list of biggest and most dangerous threat vector predictions.

According to Norton, 40% of people have fallen victim to social media cybercrime and nearly 4 in 10 accept unknown, unsolicited friend requests. Barracuda’s research supports this as well: 92% of social media users report receiving spam, 54% have received phishing links, 23% malware, and nearly 20% have had an account hacked. TrendMicro’s research shows that 5.8% of tweets are malicious; that’s 29,000,000 malicious tweets per day. High profile attacks such as the Office of Personnel Management, CENTCOM, and the HAMMERTOSS APT have all leveraged social as an attack vector. The list goes on and on.

Cisco’s 2015 Midyear Report claims Facebook scams are the #1 method for network security breaches, far more common than traditional email phishing. McAfee reported that employees experience cybercrime on social media more than any other business platform, including email.

A helpful comparison can be made between email phishing and social phishing. In the late 90’s and early 2000’s, the anti-phishing industry sprang up around the need to detect phishing attacks on email platforms. Social media is the next logical evolution for attackers to target an organization’s people, who have never been so accessible online. Social media phishing already accounts for $1.2 billion of the total $5.9 billion lost to phishing each year. Users are not only spending more time on social networks than any other online platform, they are far more willing to click potentially dangerous links while they’re at it.

SECURITY TEAM’S RESPONSIBILITIES:

• Work with marketing to gain access to social accounts

• Continuously monitor corporate social media accounts for cyber threats

• Blacklist/block malicious URLs and IPs found on social media

• Establish workflows for dealing with social media cyber crime targeting the organization

• Take down malicious posts and profiles

• Test employees on susceptibility to social media cyber attacks

• Train employees on safe usage, best practices, and what to do in the event of an attack

• Working with marketing, keep a close eye on social media initiatives and campaigns


SOCIAL MEDIA AS AN OSINT THREAT INTELLIGENCE PLATFORM

Many attackers are coordinating their efforts in broad daylight. For example, attackers launch DDoS attacks on Twitter, posting IP addresses, domains, attack tools, the time of the attack and the desired target. Because this all occurs on public venues, intel is readily available to security personnel. Security teams can use that forewarning to prepare a response strategy, such as blackholing the incoming requests or coordinating with network teams, professional services, and ISPs.

Security teams can also monitor threat actor chatter to determine if their organization is being mentioned. Any threats posted on social media, be it physical or cyber, can be alerted upon. To do this, security teams ought to establish a list of organization-specific keywords and phrases including IP, proprietary/sensitive phrases, codebase, copyrighted content, employee PII, and unique words and phrases such as organization monikers and abbreviations. By analyzing the context around these unique phrases as they appear on social media, security teams can ensure a decisive early warning system against attacks.
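One way to implement the keyword watchlist and context check described in this section, as an added example that is not part of the ZeroFOX whitepaper or product. The watchlist, context terms, alert field names and sample posts are all constructed assumptions.

```python
import ipaddress
import re

# Constructed watchlist for a fictional organization; a real one would hold the
# monikers, product names, domains and sensitive phrases the paper lists.
WATCHLIST = ["example corp", "excorp", "project bluejay", "vpn.example.com"]
# Assumed context terms that separate threat chatter from ordinary mentions.
CONTEXT = ["ddos", "target", "leak", "dump", "attack"]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

def refang(text):
    """Undo common defanging (203[.]0[.]113[.]7, hxxp://) before matching."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def hits(terms, text):
    """Whole-term matches only, so 'excorp' does not fire inside 'texcorporate'."""
    return [t for t in terms if re.search(r"(?<!\w)" + re.escape(t) + r"(?!\w)", text)]

def valid_ip(candidate):
    try:
        ipaddress.IPv4Address(candidate)
        return True
    except ValueError:
        return False

def triage(posts, watchlist=WATCHLIST, context=CONTEXT):
    """Return one alert per post that names the organization."""
    alerts = []
    for post in posts:
        text = refang(post["text"].lower())
        keywords = hits(watchlist, text)
        if not keywords:
            continue
        ctx = hits(context, text)
        alerts.append({
            "id": post["id"], "keywords": keywords, "context": ctx,
            "ips": [ip for ip in IP_RE.findall(text) if valid_ip(ip)],
            # Watchlisted domains are our own assets, not indicators.
            "domains": [d for d in DOMAIN_RE.findall(text) if d not in watchlist],
            "severity": "high" if ctx else "review",
        })
    return alerts

# Constructed sample posts (documentation-range IP, reserved example domains).
SAMPLE_POSTS = [
    {"id": 1, "text": "Op tonight 21:00 UTC: DDoS target vpn.example.com, kit at hxxp://files.badhost[.]example/kit"},
    {"id": 2, "text": "Loved the Example Corp booth at the conference!"},
    {"id": 3, "text": "Leak incoming: ExCorp Project Bluejay source, mirror at 203[.]0[.]113[.]7"},
    {"id": 4, "text": "texcorporate tax attack ads are everywhere"},
]
```

Calling `triage(SAMPLE_POSTS)` rates posts 1 and 3 as high, leaves the benign mention in post 2 for review, and skips post 4 because the keyword only appears inside a longer word.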

SECURITY MUST SECURE ALL DIGITAL ASSETS

When it comes to the website, marketing is in charge of conception, design, content creation, maintenance, and optimization. Security is charged with surrounding the asset and ensuring it is safe from intruders. In the new marketing paradigm, social media accounts are the latest and greatest way to engage with customers and prospects. When it comes to social networking profiles, marketers aren’t burdened by hosting, databases, network infrastructure, and development. They can focus on what they do best: content creation, engagement, lead nurturing, and advertising. But the security team’s job hasn’t changed. They must keep a keen eye on these highly public assets and ensure they are surrounded by the most robust protections available.

Unlike other assets, security teams can’t pull the proverbial plug on breached social media accounts, meaning the attacker can remain in control for hours if not days. ZeroFOX research shows the average account compromise lasts 5.5 hours. At the high end, ABAJournal took nearly three days to recover their Twitter account. The cost? Every second you don’t have control over your account causes a viral information cascade that results in brand and customer relationship damage, loss in revenue, public relations nightmares, and huge customer support costs.

160,000 Facebook accounts breached every day. (If you know the name of your social media manager’s dog, you are halfway to brute forcing your organization’s account.)

Other high profile account compromises include:

ZEROFOX RECOMMENDATIONS: A TWOFOLD APPROACH

1. ACCOUNT SECURITY

• Reduce the number of people with access to accounts and publishing tools.

• All social logins should be routed through a centralized, corporate controlled email address with a robust password and 2-factor authentication.

• For networks like LinkedIn and Facebook, which associate a company’s page with a personal account, the admin should have extensive security controls.

• All authentication should come through a single securely managed device.

2. CONTENT SECURITY

• Continuously monitor accounts for suspicious settings changes.

• Continuously monitor accounts for malicious outgoing posts.

• In conjunction with both internal and external stakeholders (infosec department, marketing department, social networks), establish a plan of action in preparation for an account compromise.


SECURITY TECHNIQUES USED TO MITIGATE BUSINESS RISKS ON SOCIAL MEDIA

Social media can cause major headaches elsewhere in the organization as well. Business risks such as hashtag hijacking, corporate impersonations, customer fraud (a global annual cost of nearly $4 billion), bot followers, counterfeit goods, online piracy (a global annual cost of over $70 billion), and fake customer service can hamstring an organization’s online revenue.

Using similar techniques for identifying and mitigating information security risks, security teams can help address a variety of threats that span information security, compliance, revenue generation, and marketing. By continuously monitoring social media for malicious activity, security and marketing teams can identify profiles advertising pirated content or counterfeit goods, thus saving the organization potentially millions in lost revenue. Teams can also find and take down scammers and fraudulent actors targeting an organization’s hashtags or impersonating the brand. This is a perfect opportunity for security teams to go beyond locking down assets and hardening walls by empowering other departments to do their jobs more safely and effectively. Moreover, the financial benefit is immediately tangible and quantifiable.

One issue of particular note is fake followers and botnets following the corporate accounts, whether purchased by the marketing team or gained involuntarily. The presence of bot followers makes distributing content to legitimate supporters very difficult. This issue becomes especially problematic with social media advertising. Ads are often judged by the number of impressions they receive online. Because bots can account for the vast majority of an ad’s total impressions, their presence greatly undermines marketing ad spend. In the long run, removing fake followers leads to higher click through rate, higher conversion rate, more engagement, and a healthier social media marketing and advertising program.

On Facebook, a post only reaches 2-7% of followers. The more bots, the less likely real followers will see and engage with posted content.

SECURITY TEAM’S RESPONSIBILITIES

• Test and train employees on safe social media usage

• Continuously monitor for business risks on social networks

• Continuously monitor for organization-specific sensitive keywords and phrases

• Identify and remove fake followers and social botnets

• Establish workflows for dealing with business risks targeting the organization

• Take down malicious posts and profiles


SECURITY CANNOT SUCCEED IN ISOLATION

Social media is an inevitable constant for conducting business in the modern world. As marketers continuously expand their presence, security teams must work alongside them to ensure it is done safely and securely.

THE ZEROFOX EDGE

ZeroFOX combats the cutting-edge threat of social network exploitation, protecting your employees, your customers, and your business. Our software platform enables organizations to mitigate modern infosec and business risks: targeted phishing, account takeover, piracy, attacker chatter, customer scams, fraud and more. Social media is the new foundation for business and personal communication, representing the largest unsecured network in the world; security teams must continuously monitor for threats where their people are most vulnerable: social media.

ZeroFOX Enterprise is a cloud platform built to monitor social media objects (profiles, keywords, hashtags, etc.) and detect threats impacting your organization. At the heart of the ZeroFOX Enterprise technology stack is FoxScript, a customizable JavaScript-based language that opens the power of ZeroFOX’s data collection and analysis engines to virtually any use-case. You control what data to monitor and which analyses to perform.

Identify employee targeted phishing attacks on social networks

Find and take down fraudulent & impersonating accounts

Mitigate costly customer fraud and scams

Uncover stolen information, counterfeit goods and pirated content

Continuously monitor key employee & company accounts for compromise

Investigate attacks being planned against your organization

Integrate via API into existing security technology

Develop custom FoxScripts to detect unique security use-cases

ZEROFOX RECOMMENDATIONS: A COMPREHENSIVE APPROACH


PHASE 1: FORM A SOCIAL MEDIA SECURITY TEAM TASK FORCE

• The size and makeup of this group will vary by organization, but should include security, marketing, and any other departments facing risks on social media (fraud, compliance, HR, sales, risk management, finance, etc).

PHASE 2: ESTABLISH CONTROLS AND BEST PRACTICES FOR PROTECTING ACCOUNTS

• 2-factor authentication, robust passwords, centralized email address for logins, password managers such as LastPass and Dashlane, etc.

PHASE 3: TRAIN RELEVANT PARTIES ON SAFE SOCIAL MEDIA USAGE

• This should include setting passwords, clicking links, and identifying malicious social profiles.

PHASE 4: SECURITY TEAMS TAKE LEAD ON CONTINUOUSLY MONITORING SOCIAL MEDIA

PHASE 5: REGULAR MEETINGS TO REVIEW CONTROLS AND ASSESS EFFECTIVENESS

• The social media security task force should meet monthly or quarterly to review the initiative and make appropriate changes.