By Mark Crowther
Recent takeovers of prominent organizations' social media accounts by the Syrian Electronic Army raise concerns (once again) over the impact protest groups can have in the rise of 'hacktivism'. The pro-Assad Syrian Electronic Army has successfully targeted a number of Western, predominantly media, organizations, including the Guardian, France24 and the White House. Most dramatically, the hijacking of the Associated Press's Twitter feed contributed to a significant drop in the Dow Jones. Organizations often batten down the hatches and attempt to hide the actual techniques used. However, another media victim, the satirical news organization The Onion, took the unusual step of revealing details of how the attack occurred.
The Onion's account of the attackers' method reads as a simple and classic social engineering attack: spear-phishing a small number of users, compromising an account, spear-phishing further users internally from the compromised 'trusted' account and elevating access. Eventually access to all of The Onion's social media accounts was obtained, at which point political propaganda was published via these accounts.
The most recent attack, against Thomson Reuters, followed a similar pattern, using social engineering techniques to compromise the official Twitter account.
Social media has now become a staple, and a powerful tool that businesses use to connect and engage with their customers. It also provides significant scope to engage with a new generation who have grown up in the 'Digital Age' and consequently have different expectations with regard to customer service: they expect constant communication.
Given the rapid rise in business use of social media, organizations must be aware of the risks of compromise. The employees who control these accounts (often someone in the marketing department) should understand the potential implications of a compromise if they are to be responsible for what is effectively a key business asset.
Social media accounts should be seen, managed and controlled in the same way as more tangible business assets: through robust risk management and control. While user education plays a role, organizations cannot rely on user education alone to protect their assets. Controls should be robust enough that they do not rest solely on the human element. Separating social media account management and control from day-to-day organizational systems is a wise step in protecting these accounts from compromise and avoiding the resulting damage to an organization's brand and reputation.
Mark Crowther is a managing consultant at IRM. His responsibilities include managing a technical team, the maintenance and improvement of technical delivery and quality control, and leading IRM's Impact service. Impact is a return to holistic security testing: examining the security posture of the enterprise as a whole, and probing for the dependencies and weaknesses that are often missed at project or system level.