
Think twice before you tweet: the age of social media as ‘CNI’

(Image credit: freestocks.org / Pexels)

2019 started with a slight social hiccup for US Strategic Command. A poorly timed tweet on New Year’s Eve implied that B-2 bombers were going to drop weapons, just as New York’s Times Square prepared to drop its New Year’s ball.

It was dubbed as being in poor taste and caused an unnecessary public backlash, but it also holds an important lesson for us about the new world of government social media accounts.

Any members of government or major public sector departments need to be mindful that social media can be a force to drive mass panic, just as much as it can be a force for good. And as our world becomes increasingly digital, social media such as governmental Twitter accounts have to be robustly managed, vetted and protected in the same way as traditional critical national infrastructure, such as dams and electricity supplies.

2018 IBM research revealed that we should expect to see more ‘panic attacks’ on major city infrastructure from flood defences, radiation detection, traffic monitoring systems and indeed the world of social media. There is certainly a renewed fear over the safety and security of all aspects of CNI from the ‘physical’ in our cities, to the technology in our offices and homes.

With this in mind, how can government departments in particular use 2019 as a fresh year to secure social media – one of the newest forms of CNI?

Forgotten passwords causing chaos

This is not the first case of social media causing mass havoc. In the last couple of years, there have been erroneous alerts regarding potential missile strikes that caused civil disruption in Japan and Hawaii. In the Hawaii case specifically, the false alarm was sent out via Twitter, and the problem was compounded by the fact that the Governor had forgotten his Twitter username and password, leaving him unable to log on to correct the tweet and provide public reassurance.

There has to be a thorough review in government departments of how accounts like Twitter are being managed for emergency communications with the public, to eliminate the damage that the likes of a forgotten password can cause. Luckily, in the case of the US Strategic Command tweet, the team were able to quickly delete, apologise and alleviate public concern.

Reviews of social media platforms must also take place to ensure that hackers are unable to hack into these accounts to broadcast fake information. This is not too far-fetched a concept in today’s growing threat landscape. Hackers are only getting smarter and more sophisticated in their methods and have targeted social media accounts to post fake information over the last few years. One example here is that of a tweet sent from the US Associated Press’s Twitter handle. The consequence of this was a $136.5 billion drop in the S&P 500 index’s value within a matter of minutes.

It’s time to apply cyber security best practice to social media

All government-related and affiliated social media accounts that are used for communication with the public such as Twitter, Facebook and LinkedIn have to be treated as CNI. They have to be subject to the same cybersecurity procedures followed by the likes of our energy or chemical sectors. So, why is this the case?

Government social media accounts are typically managed in a ‘shared capacity’ meaning that multiple people have access to them at any given time, and multiple people manage them. What’s more, the passwords for these accounts are typically shared. The issue with this is that it makes them extremely easy targets for attackers or for malicious insiders.

The shared nature of such accounts also means there is little or no record kept of who posted what and when, which makes a deliberate false missile alert, or the idea of weapons being dropped on New Year’s Eve as part of a military exercise, seem like a tangible reality. To add to the headache even further, the passwords used to secure these accounts are seldom changed and often used across multiple platforms.

2019 has to be the year that government departments treat social media accounts as privileged. With this in mind, organisations can be safe in the knowledge that a simple misplaced password doesn’t hold up communications, whilst also strengthening these platforms against external hackers.

In order to thoroughly protect and secure social media platforms, agencies must roll out best practices for privileged access security, which include:

Enabling transparent access: Authorised users must be able to seamlessly authenticate to an account without knowing their passwords, making it harder for hackers to uncover and steal credentials. This kind of access would have given Hawaii's governor immediate access to his account to confirm that the missile alerts were indeed inaccurate.

Eliminating shared credentials: Storing passwords in a digital vault requires users to log in individually for access, eliminating the accountability challenges of shared credentials.

Automating password changes: Changing privileged credentials ensures attackers can’t use old passwords across systems. Automating password changes regularly also updates access privileges, reducing the chance of an outsider stealing and using a valid credential.

Auditing account activity: By creating a record of activity on social media accounts, all posts can be traced back directly to an individual authorised user, making it easy to identify employees who may be posting harmful content.
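The four practices above can be sketched as a single broker that sits between staff and the platform. This is an added example, not code from the article or from any vendor product; `AccountBroker`, `verify_audit`, the operator tokens and the `send` and `change_password` callbacks are hypothetical stand-ins for a real vault, individual authentication and the platform's API.

```python
import hashlib, hmac, json, secrets

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AccountBroker:
    """Hypothetical vault front-end: it holds the platform password, operators never do."""
    def __init__(self, handle, operator_tokens):
        self.handle = handle
        # Keep only a hash of each operator's personal token (stand-in for SSO/MFA).
        self._tokens = {op: _digest(tok) for op, tok in operator_tokens.items()}
        self._password = secrets.token_urlsafe(32)
        self.audit = []

    def _record(self, operator, action, detail):
        # Each entry commits to the previous digest, so edits or deletions are detectable.
        prev = self.audit[-1]["digest"] if self.audit else "0" * 64
        body = {"seq": len(self.audit), "operator": operator,
                "action": action, "detail": detail, "prev": prev}
        self.audit.append({**body, "digest": _digest(body)})

    def post(self, operator, token, text, send):
        known = self._tokens.get(operator, "")
        if not hmac.compare_digest(known, _digest(token)):
            self._record(operator, "denied", text)
            return False
        send(self.handle, self._password, text)  # password goes to the platform, not the user
        self._record(operator, "post", text)
        return True

    def rotate(self, change_password):
        new = secrets.token_urlsafe(32)
        change_password(self.handle, self._password, new)  # platform-side change
        self._password = new
        self._record("broker", "rotate", "credential replaced")

def verify_audit(log):
    """Recompute the hash chain; any altered or missing entry breaks it."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "digest"}
        if entry["prev"] != prev or entry["digest"] != _digest(body):
            return False
        prev = entry["digest"]
    return True
```

Denied attempts are logged as well as successful posts, so the trail shows who tried to use the account, not only who succeeded.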

Whilst the New Year’s Eve tweet from US Strategic Command was not an example of poor password management, only poor content taste, it does serve as a timely and pertinent reminder of the power that social media platforms now have in serving the public. Managing sensitive and accurate content has to be coupled with strong management of access and security.

The CNI landscape is evolving beyond the physical and well and truly into the digital world. As members of the public rely on social media more and more to get timely and reliable information, it is vital that cyber security is embedded into how these accounts run and operate.

Shay Nahari, head of red team services, CyberArk