Why Don’t We Apply Due Diligence in Selecting Social Media Providers?

Author: Robert Findlay
Date Published: 30 May 2019

I’ve reviewed many social media implementations across a large variety of companies and, among the many concerns from a security perspective, the most striking is the total lack of due diligence over their selection.

It’s a puzzle really. Why would any competent CIO approve an initiative that is set up on a cloud-based platform that does not really know who its users are, has no audit certification, is demonstrably insecure, and is subject to rampant fraud and impersonation? But that is exactly what is happening when marketing and digital media people launch sites on providers such as Facebook and Twitter.

We are quite used to cloud providers not letting us audit them directly, so our next port of call is to check their certification. Not only does no one do this standard check when setting up on social media, but in fact there isn’t any certification to review. Interestingly, if you look at associated cloud products such as Social Studio (Salesforce.com) and Workplace (Facebook), these corporate-focused systems do have certifications such as SOC 2 and ISO 27001. But this is not the case for any of the main social media sites such as Facebook, Twitter, Instagram or WhatsApp. This should be a warning sign that all is not well in the world of security on these systems. Regardless, the marketing team will insist on using them anyway.

Even a cursory look at known vulnerabilities would inform you that these sites have exploitable vulnerabilities; just check them out in any CVE security vulnerability database. Did anyone in your organization do this very simple and quick review?

It’s not as if there are no consequences; look at the recent Facebook photo API bug that exposed 6.8 million users’ images. A bug in the API granted developers access to Facebook users’ images even if those images had been uploaded but not published to the user’s timeline. Similarly, WhatsApp had a recent security issue when a buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number. The upshot was that the attackers were able to infect your phone without you actually doing anything. If it weren’t social media, ask yourself, would you use these products?

There are countless other security concerns with social media: they are hoovering up your data (did your team check the privacy statements before they signed up?); some are completely open to their own employees to exploit your sites (remember the deletion of Donald Trump’s Twitter account by a Twitter employee?); and good luck enforcing your password policy on the site.

You can pretty much assume, therefore, that all the sites are insecure, your digital media team didn’t review or risk-assess any of them, and you have no idea who the people are interacting with you on the sites. The time for you to launch that audit is long overdue.

Editor’s note: Robert Findlay will be presenting on “Social Media and its Cyber Threats” at the GRC conference, to take place 12-14 August in Ft. Lauderdale, Florida, USA.