Security Tips for the Use of Social Media Websites
Download CSOC Protect Notice: Security Tips for the Use of Social Media Websites (PDF), November 2012
- Social media websites can pose a number of risks to Australian government networks. Social media websites include blogs, wikis and forums – for example, Facebook, Twitter, LinkedIn, Google+ and Wikipedia. Due to their popularity, social media websites are a common way for malicious adversaries to gather information about the Australian government – on its employees, projects and networks. Adopting sound security practices when using social media websites decreases the risk of data spills and social engineering threats.
- This publication provides information to government agencies to assist in user education. Specifically, it describes the security risks to Australian government networks from the use of social media websites. Additionally, this publication provides mitigation advice to help prevent the unauthorised disclosure of official government information on social media websites.
- This publication is intended for information security practitioners. It aims to inform risk management decisions and assist security practitioners in developing user education about sound security practices when using social media websites.
- User security tips for the use of social media websites (below) is intended for users. These pages provide advice on the use of social media in an easy-to-read format that can be passed directly to system users.
Risks involved with social media websites
Using social media for official purposes
- The primary security risk for using social media for official business is the possibility of data spills caused by employees posting too much information or information not authorised for public release. Agencies can significantly reduce the security risk by developing and communicating sound usage policies.
- There are also business risks that your agency will need to consider when developing usage policies, for example, damage to agency reputation caused by negative posts by the public.
Using social media for personal purposes
- According to recent reporting, only half of social media website users have privacy settings to control what information they share and with whom, and over a third accept friend requests from people they do not know. Poor security practices such as these increase the likelihood of users being targeted through socially-engineered communication campaigns by malicious adversaries.
- Users posting information about their personal life, their official duties, project details or government policy could unknowingly provide people with information that could be used to elicit government information from them or to tailor social engineering campaigns to compromise an agency's networks. Users should assume everything posted on social networking sites is permanent.
- Information that appears benign in isolation could, if collated with other information, have a considerable security impact on Australian government. Internet content is cached frequently, and information can be viewed, copied or forwarded on without the originator's knowledge. Once a person posts information, they effectively relinquish control over it. Information posted on the Internet is nearly impossible to completely remove.
Mitigation strategies: social media for official purposes
- The use of social media for official purposes should be governed by agency web usage and specific social media usage policies. Enforcing usage policies and implementing mandatory user education on the risks of social media is the key to minimising security risks to government information.
- The following security measures should be implemented for shared corporate social media accounts.
- Ensure users are informed of your agency's Internet usage policies and social media usage policies.
- Provide regular information security awareness training on the use of social media to your agency's system users. This could be incorporated into existing agency security training.
- Ensure policy and user training includes processes and details for reporting suspicious contact from external sources via the web, or suspected postings of official information on unauthorised websites.
- Ensure users are aware of what information is shared, monitor information posted and promptly remove any unauthorised content. If a data spill has occurred, follow agency procedure for reporting and responding to cyber security incidents.
- Maintain an access control list including who can access the account and who is an account administrator. Change the account password when a person is removed from the access control list.
- Apply any available security and privacy options on websites.
- Use a strong password that is not reused for multiple accounts.
- Use caution when deciding to enable third-party applications.
- Use multi-factor authentication where possible (some social media sites may offer this as an option).
See User security tips for the use of social media websites for ASD's advice to users about the secure use of social media websites in business and personal settings.
Further guidance can be found in the Australian Government Information Security Manual, in particular, 'Using the Internet'.
Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.
Australian businesses and other private sector organisations seeking further information should contact CERT Australia.
User security tips for the use of social media websites
Risks involved with social media websites
Social media websites can pose a number of risks to Australian government networks and to your personal privacy. Social media websites include blogs, wikis and forums – for example, Facebook, Twitter, LinkedIn, Google+, YouTube and Wikipedia.
Due to their popularity, social media websites are a common way for malicious adversaries to gather information about the Australian government – on its employees, projects and networks. For this reason, you should be aware of the two key risks involved with using social media websites.
- Posting unauthorised official information – in the worst cases, this can harm Australia's national interests or security, cause harm to your agency's reputation, or even violate an individual's right to privacy. Information that appears to be benign in isolation could, if collated with other information, have a considerable security impact on the Australian government.
- Posting too much information – personal information you post on websites could be used to develop a detailed profile of your lifestyle and hobbies. This could then be used in social engineering campaigns, which attempt to elicit sensitive or classified information from you, or influence you to unknowingly implant malicious software on a government system. Additionally, posting too much information could lead to identity theft.
To help minimise these risks and protect Australian government information and systems when using social media websites, consider the following tips.
When using corporate social media accounts...
- Read, understand and adhere to your agency's Internet usage policies. If you don't understand a policy or are unsure whether it applies in a particular situation, ask your IT team.
- If your agency is using social media websites as an authorised means of communication, ensure that all information you post is approved and recorded.
- Limit the publication of your official email address, including in documents made available on social media websites. Supply a generic corporate email address or use web contact forms instead of individual email contacts where possible.
When using private social media accounts...
- Carefully consider the type and amount of information you post regarding your work duties. Do not post information that is not for public release from your current or previous job roles.
- Restrict the amount of personal information placed on social media websites. Avoid posting information such as your home or work address, phone numbers, place of employment and other personal information that can be used to target you.
- Monitor the information friends and colleagues post about you to prevent the unauthorised disclosure of your personal information.
- Consider limiting access to posted personal data to 'friends only'.
- Apply any available security and privacy options to your accounts and use a 'private' profile where applicable.
- Use a personal email address rather than an official email address when creating personal profiles, and use an alias rather than disclosing your full name. If possible, make your email address private to those viewing your page.
- Several social media websites allow you to 'opt out' of having search engines index and display your information. If possible, use this 'opt-out' feature.
- Review the website security and privacy policies regularly, as these can change with minimal communication to users.
- Be wary of accessing unknown website links or attachments, unsolicited contact and scams (such as through the use of fake profiles).
- Report to your protective security team any suspected security incident in which you or a colleague has posted sensitive or classified information on a social media website. Also report any suspicious contact made to you or a colleague through social media websites.
For further information on the use of corporate social media accounts, contact your IT team.
For further security and privacy information on the use of private social media accounts, visit www.staysmartonline.gov.au.