Social networking overlaps corporate and personal lives, and so should the mission to create a culture of security awareness.
There was little – if nothing – any Facebook user could have done to prevent their passwords from getting exposed earlier this spring.
Just look at the facts of the case, said Theo Zafirakos, Chief Information Security Officer and Security Awareness Coach at Terranova Security.
“Facebook itself, and Instagram, didn’t properly protect the users’ passwords,” Zafirakos said. “No matter how strong a user’s password, no matter how good their practices, in this scenario, there was nothing that the user could have done to prevent the breach.”
All told, according to Forbes Magazine, in the massive security breach acknowledged by Facebook in March 2019, as many as “600 million users’ passwords were stored in plain text and accessible to 20,000 employees, of which 2,000 made more than nine million searches that accessed the passwords going back to 2012.”
What made matters worse, Forbes reported, was that Facebook discovered the breach three months before users were notified, and that only happened when a “concerned whistleblower leaked details, which forced the company to make a hasty admission.”
Why should a company, organization care about a cyber breach event like this that involves social networks?
It’s the opportunity to provide cyber security awareness training in a meaningful way that impacts most people on both the personal and corporate sides of their lives. Nearly all companies, organizations, whether it’s a company, an education institution or an association have employees, students or members that use social media like Facebook and Instagram in their personal lives. In most cases, businesses themselves have an online presence and utilize social networks like Facebook for marketing purposes, sales and client relations. And for the organizations that don’t have an online presence but do have employees that use social networks, they need to make sure their users and staff members’ identities are protected online.
“Many organizations provide information to their employees on safe Internet practices, in hope that they will adopt good practices at home and at work,” Zafirakos said. “This provides a real opportunity to prepare corporate security teams on what actions can be taken in an event like this to reduce the impact of a breach that’s out of your control, or to reduce its negative consequences.”
Need some ideas of where to start? Here are our top five ways to help reduce the risk of a social network – or other application – password breach.
Do not reuse passwords…and change them frequently. For the purposes of this blog post, let’s assume you and your team already know how to generate a good, secure password. It’s complex, a series of numbers and letters, upper and lower case, symbols and doesn’t reference your pet’s name. But now that you have this great password, don’t get comfortable.
We want you to change your password frequently. As was the case with the Facebook password breach, it might take time between when a data breach occurs, when an organization uncovers the data breach and when you are notified of your compromised information. If you are changing your password frequently, you shrink the window of damage opportunity between those milestone events.
Also, even if you have created what you feel like is the perfect password, don’t reuse it on multiple accounts.
“The number one best practice is do not reuse passwords,” Zafirakos said. That is, “don’t use the same password for your online banking as you do on Facebook.”
Based on surveys done by Terranova Security, Zafirakos said, “we see close to 80% of users using the same passwords on multiple systems. That number gets even higher for the younger generation – maybe because they don’t understand the risk or maybe because they don’t want to remember multiple passwords.”
Either way, if you are using the same account password combination on multiple channels, and one channel gets breached, hackers are more likely to be able to access your other accounts.
Consider using a password management tool to store your passwords. If you don’t want to remember – or can’t remember – all of those complex passwords you’ve set up, consider using a secure password management tool. From a functionality perspective, a password management tool is just that – a program you log into with one password that stores all of your other passwords.
Think of it like a digital wallet.
When looking to identify the right password management tool, look for one that’s well encrypted and allows for management between multiple platforms and devices (there’s an app for that, as they say). A few of the popular password management tools on the market include 1Password, KeePass and Dashlane.
Use two-factor authentication. Let’s say someone does get ahold of your password. What then? Chances are they will use your user name to access your social network accounts, or more – unless you have two-factor authentication set up.
Officially speaking, two-factor authentication is a tool – or security method – that only grants a computer user access after presenting multiple forms of evidence that they are the actual and authentic user. For instance, “if you are connected from a computer or location that you have not used before, and if you have two-factor authentication set up, the application will request a pin which was sent to your phone,” Zafirakos said. “If someone has stolen your password and is trying to connect to something of yours, you will receive a notification of an attempt of authorized access.”
If you get that attempt notification, and it’s not you logging in from a new source, “that means the hacker has passed the first stage, which is gaining access to your password,” Zafirakos said. If that happens, refuse the access, change your password immediately and be thankful you had two-factor authentication set up.
Avoid online applications that allow you to log in automatically with your Facebook credentials. More and more online applications are connecting back and forth and allowing users to access multiple channels with a single sign on. You’ve likely seen applications where you can sign in automatically, or create an account, only using your Facebook credentials. Seems smart? Saves time? Not really.
“While it might seem like a time saver, if your Facebook credentials are compromised then hackers could be accessing other applications under your name,” Zafirakos said. “Avoid using those opportunities.”
The perceived convenience of social media-based single sign-on is tempting but remember that if you are compromised on one platform, you could be compromised in another. The more interconnected systems you have, the more you are exposed.
See tips one through three above.
Pay attention when your friends’ social network accounts are compromised. “Don’t accept a friend request from me, my account has been hacked,” one Facebook user recently wrote.
“Don’t click on the link in the message it looks like I sent you on Facebook. It’s not me,” another reads.
But those are just the times we know about.
“You may have friends who have a compromised account and you may never know, and the hackers are using those accounts to start phishing,” Zafirakos said.
Other times, they are just collecting and listening to information people post willingly on social media.
“Sometimes you will know, and sometimes you will never know, if one of your contacts has had their accounts compromised,” Zafirakos said. “Do not put sensitive information on social media. Do not put your dog’s name on social media and use that question on your online banking to reset your password.”
And if you are breached, let your friends know. Especially on social media.
“It’s all about generating a culture of information security,” Zafirakos said. “By providing this information to users, organizations can show that they are not only concerned about themselves but also concerned about their employees and their well-being.”
Why Go Phishing? Build Your Business Case For Phishing Awareness
Attend this on-demand webcast to learn more about how to build your business case for phishing awareness. Topics will include:
▪ Benefits of combining phishing simulations and security awareness
▪ How to obtain leadership support and budget
▪ Key capabilities to look for in a phishing simulation platform