The threat of shared privileged accounts on social media

The threat of shared privileged accounts on social media
The threat of shared privileged accounts on social media

Social media is playing an increasingly important role within all enterprises, whether for building brand awareness or engaging directly with customers.  However it also poses a significant security risk.  Hackers have become adept at stealing social media credentials and hijacking accounts, as evidenced by attacks at large corporations over the past year.  Account takeovers can lead to unauthorised publishing of intellectual property and other sensitive data, as well as creating legal, regulatory and compliance violations.  The consequences can be severe, including damaged brand reputation and financial losses. 

When a corporate social media account is compromised, unauthorised content can be made visible to millions of people within seconds, which can result in untold damage.  In April 2013, hackers claiming to be from the Syrian Electronic Army successfully hijacked the Associated Press (AP) Twitter account.  A single unauthorised tweet then resulted in an £81 billion (US$136.5 billion) drop in the S&P 500 index's value within a matter of minutes.  AP was able to trace the attack to an employee who may have inadvertently exposed company passwords in a phishing attack. 

Burger King also fell victim to anembarrassing breach during which the company's Twitter account was made to look like McDonald's, with a post claiming that Burger King had been sold to its competitor.  This attack served as a wakeup call for all organisations aboutthe ease with which hackers are able to exploit high profile social media accounts.  Just a day after the Burger King hack, a similar account takeover occurred on the official Twitter page for Jeep, citing that the company had been sold to Cadillac.

These attacks were carried out by external groups, but equally damaging incidents can be caused by people inside an organisation.  At HMV after the company made a large number of  redundancies, one disgruntled former social media manager used her access to the company's Twitter account before officials realised she still had access.  Her unauthorised post called attention to what she dubbed the company's “mass execution of loyal employees who love the brand.”

The overlooked threat: Shared privileged accounts

The main reason why it is so easy to hijack corporate social media accounts is the large numbers of people who manage them within an organisation.  Enterprises commonly have numerous profiles on Twitter, Facebook, YouTube, LinkedIn and so on, which are typically managed by teams.  As a result, the passwords for these accounts are often shared, making them easy targets for hackers and malicious insiders alike.  Additionally, there is no record or accountability for an individual's posts, leading to further challenges in securing and managing social media credentials.

As is often the case with passwords in general – but particularly those shared among multiple individuals – security is frequently lax, with little or no management and control exercised over the access or activity.  The same passwords are commonly used across multiple accounts and these credentials may rarely be changed.  To make matters worse, companies may not even know who has access to their social media accounts or credentials.

Poor security leaves organisations vulnerable to rogue employees – whether current or former – and to increasingly sophisticated and organised hackers.  Indeed, today's attackers are adept at exploiting any weakness in an organisation's security armour, by using multiple methods of intrusion, including dictionary attacks, social engineering, or via software or social media applications.  The use of Twitter and Facebook accounts, for example, can introduce further risks as these platforms can provide hackers with access to valuable data including passwords, APIs, or other sensitive data.

How to mitigate the risk of social media breaches

To effectively secure and protect social media accounts and reduce the risk of compromise and damage to an organisation's brand, the following preventative measures must be taken: : 

  • Securely store credentials:  Protect social media credentials from being stolen by storing passwords for these accounts in a secure digital vault.  This will reduce the ability of hacker organisations to take over social media accounts.
  • Eliminate shared credentials:  Storing passwords in a digital vault also requires users to login individually for access, which eliminates the accountability challenges of shared credentials.
  • Enable transparent access:  Allow authorised users to seamlessly authenticate to the account without needing to know their passwords, using an agent-less technology.  This makes it difficult for hackers to discover and steal credentials.
  • Automate and enforce password changes:  Ensure that all passwords are changed on a regular basis.  Passwords can be changed as frequently as after every use and regular updates will reduce the chance of an outsider stealing and using a valid credential.
  • Trace account activity:  Create a record of activity on social media accounts to trace all posts directly back to an individual user.  This helps identify weak areas of security and identifies rogue employees that may be posting damaging or unauthorised content.
  • Record social media sessions:  This provides further accountability and an audit trail of exactly who did what within an account.

With the threat to social media evolving and as attacks of this nature become more frequent, organisations must take immediate action to prevent privileged account takeovers or misuse from damaging their business.

Contributed by Matt Middleton-Leal, regional director, UK and Ireland at CyberArk