NOVEMBER 2012
(U) LEGAL NOTICE: THIS PUBLICATION HAS BEEN PRODUCED BY THE DEFENCE SIGNALS DIRECTORATE (DSD), ALSO KNOWN AS THE AUSTRALIAN SIGNALS DIRECTORATE (ASD). ALL REFERENCES TO ASD SHOULD BE TAKEN TO BE REFERENCES TO DSD.
Security tips for the use of social media websites
Introduction
1. Social media websites can pose a number of risks to Australian government networks. Social media websites include blogs, wikis and forums – for example, Facebook, Twitter, LinkedIn, Google+, YouTube and Wikipedia. Due to their popularity, social media websites are a common way for malicious adversaries to gather information about the Australian government – on its employees, projects and networks. Adopting sound security practices when using social media websites decreases the risk of data spills and social engineering threats.
2. This publication provides information to government agencies to assist in user education, specifically information about the security risks to Australian government networks from the use of social media websites. Additionally, this publication provides mitigation advice to help prevent the unauthorised disclosure of official government information on social media websites.
Intended audience
3. This publication is intended for information security practitioners. It aims to inform risk management decisions and assist security practitioners in developing user education about sound security practices when using social media websites.
4. Pages 4 and 5 are intended for users. These pages provide advice on the use of social media in an easy‐to‐read format that can be passed directly to system users.
Risks involved with social media websites
Using social media for official purposes
5. The primary security risk for using social media for official business is the possibility of data spills caused by employees posting too much information or information not authorised for public release. Agencies can significantly reduce the security risk by developing and communicating sound usage policies.
6. There are also business risks that your agency will need to consider when developing usage policies, for example damage to the agency’s reputation caused by negative posts by the public.
Using social media for personal purposes
7. According to recent reporting, only half of social media website users have privacy settings to control what information they share and with whom, and over a third accept friend requests from people they do not know. Poor security practices such as these increase the likelihood of users being targeted through socially‐engineered communication campaigns by malicious cyber adversaries.
8. Users posting information about their personal life, their official duties, project details or government policy could unknowingly provide people with information that could be used to elicit government information from them or to tailor social engineering campaigns to compromise an agency’s networks. Users should assume everything posted on a social networking site is permanent.
9. Information that appears to be benign when posted in isolation could, if collated with other information, have a considerable security impact on the Australian government. Internet content is cached frequently, and information can be viewed, copied or forwarded on without the originator’s knowledge. Once a person posts information, they effectively relinquish control over it. Information posted on the Internet is nearly impossible to completely remove.
Mitigation strategies: social media for official purposes
10. The use of social media for official purposes should be governed by agency web usage and specific social media usage policies. Enforcing usage policies and implementing mandatory user education on the risks of social media is key to minimising security risks to government information.
11. The following security measures should be implemented for shared corporate social media accounts.
a. Ensure users are informed of your agency’s Internet usage policies and social media usage policies.
b. Provide regular information security awareness training on the use of social media to your agency’s system users. This could be incorporated into existing agency security training.
c. Ensure policy and user training includes processes and details for reporting suspicious contact from external sources via the web, or suspected postings of official information on unauthorised websites.
d. Ensure users are aware of what information is shared, monitor information posted and promptly remove any unauthorised content. If a data spill has occurred, follow agency procedure for reporting and responding to cyber security incidents.
e. Maintain an access control list including who can access the account and who is an account administrator. Change the account password when a person is removed from the access control list.
g. Use a strong password that is not reused for multiple accounts.
h. Use caution when deciding to enable third‐party applications.
i. Use multi‐factor authentication where possible (some social media sites may offer this as an option).
See pages 4 and 5 for ASD’s advice to users about the secure use of social media websites in business and personal settings.
Further information
12. Further guidance can be found in the Australian Government Information Security Manual at www.asd.gov.au, in particular the ‘Using the Internet’ section.
Contact details
Australian government customers with questions regarding this advice should contact the ASD Advice and Assistance Line on 1300 CYBER1 (1300 292 371) or [email protected].
Australian businesses or other private sector organisations seeking further information should contact CERT Australia at [email protected] or by calling 1300 172 499.
User security tips for the use of social media websites
Risks involved with social media websites
Social media websites can pose a number of risks to Australian government networks and to your personal privacy. Social media websites include blogs, wikis and forums – for example, Facebook, Twitter, LinkedIn, Google+, YouTube and Wikipedia.
Due to their popularity, social media websites are a common way for malicious adversaries to gather information about the Australian government – on its employees, projects and networks. For this reason, you should be aware of the two key risks involved with using social media websites.
1. Posting unauthorised official information – in the worst cases, this can harm Australia’s national interests or security, cause harm to your agency’s reputation, or even violate an individual’s right to privacy. Information that appears benign when posted in isolation could, if collated with other information, have a considerable security impact on the Australian government.
2. Posting too much personal information – personal information you post on websites could be used to develop a detailed profile of your lifestyle and hobbies. This could then be used in social engineering campaigns, which attempt to elicit sensitive or classified information from you, or influence you to unknowingly implant malicious software on a government system.
Additionally, posting too much personal information could lead to identity theft.
To help minimise these risks and protect Australian government information and systems when using social media websites, consider the following tips.
When using corporate social media accounts…
Read, understand and adhere to your agency’s Internet usage policies. If you don’t understand a policy or are unsure whether it applies in a particular situation, ask your IT team.
If your agency is using social media websites as an authorised means of communication, ensure that all information you post is approved and recorded.
Limit the publication of your official email address, including in documents made available on social media websites. Supply a generic corporate email address or use web contact forms instead of individual email contacts where possible.
Carefully consider the type and amount of information you post regarding your work duties. Do not post information that is not for public release from your current or previous roles.
Restrict the amount of personal information placed on social media websites. Avoid posting information such as your home or work address, phone numbers, place of employment and other personal information that can be used to target you.
Monitor the information friends and colleagues post about you to prevent the unauthorised disclosure of your personal information.
Consider limiting access to posted personal data to ‘friends only’.
Apply any available security and privacy options to your accounts and use a ‘private’ profile where available.
Use a personal email address rather than an official email address when creating personal profiles, and use an alias rather than disclosing your full name. If possible, make your email address private to those viewing your page.
Several social media websites allow users to ‘opt‐out’ of having search engines index and display their personal information. If possible, use this ‘opt‐out’ feature.
Review the website security and privacy policies regularly, as these can change with minimal communication to users.
Be wary of accessing unknown website links or attachments, unsolicited contact and scams (such as through the use of fake profiles).
Report to your protective security team any suspected security incident in which you or a colleague has posted sensitive or classified information on social media websites. Also report any suspicious contact made to you or a colleague through social media websites.
Further information
For further security information on the use of corporate social media accounts, contact your IT team.
For further security and privacy information on the use of private social media accounts, visit www.staysmartonline.gov.au.