Social Media Series—Twitter and Facebook Best Practices (Part 2)
Do you know how much information adversaries can gain by examining your Twitter account?
Besides what you tweet, of course, they can find out who you’re following, which may tell them what products you use, where you work out, what your vices are, etc. Simply by looking at who follows you, an adversary can find out who you may have influence over.
Depending on your phone settings, any pictures you upload may contain your location, which could be helpful when plotting an attack or gaining intelligence on a competitor: “Hey look, the mergers and acquisitions guy from Company X is at a café in Seattle inside the Company Y building!”
What to do?
Separate your work and personal accounts, and don’t blend either the contacts or the information. Have your work postings reviewed by someone before they go live to ensure the correct information is being sent and the proper image is being projected. And be careful with those Tiny URLs: not knowing what you’re clicking on until after you’ve clicked is a bad guy’s dream come true!
Facebook and Your Company
One of the things I find perplexing today is the amount of corporate information being posted on Facebook—not just by employees, but by companies themselves! While the pull to “go where the people are” and “stay connected” is admittedly strong, companies are losing control of their own information and how their messages are being presented.
If Facebook decides to display a competitor’s ads on your page, there’s not much you can do to stop it. And if you want to permanently delete something—well, read the terms and conditions to find out who owns the data.
So how does this relate to corporate information security?
It’s great that people “Like” your company, but did you know you just gave out your client list? Not so great if you’re a credit union and want to protect your customers from phone scams. And how do you control your customer information when it’s not your website to control? Worse, how do you convince your employees not to post company information on Facebook if the company itself is doing it?
No easy answers on this one, but it certainly gives me pause. How about you?
About the Author
Doug Shields is an expert in information security, particularly in the fields of social engineering and employee security-awareness training. He has a long career with the U.S. Government Intelligence Community and private industry in the “white-hat hacker” security space. After recognizing a need for training programs to fix growing security concerns, he founded Humanisec, with a primary focus “to secure the human network”.