Appendix E. Risks and Mitigation Strategies
Social media sites are not, for the most part, any more or less insecure than other types of Web applications. Many sites are operated by third parties (for example, Facebook, YouTube, and Twitter) and may be prone to security vulnerabilities. Since the social media technologies we use for public-facing interaction of outreach and marketing, the Federal Information Security Management Act or similar security risk assessments and standards don't apply. Guidance is available through the senior agency security officer in the Office of the Chief Information Officer at email@example.com.
To ensure our use of social media is safe and effective, this document provides guidelines and recommendations for mitigating security risks posed by social media tools and protecting our network. Because this landscape is constantly shifting, these recommendations and risks are only as good as the latest draft and should not be considered exhaustive or comprehensive. As we learn more from our experiences and yours, we'll regularly update this document to reflect the best practices to secure our network and still uphold GSA’s mission.
Types of Risks:
Social media technologies such as wikis, blogs and social networks are vulnerable to three types of cyber attacks: spear phishing, social engineering, and Web application attacks.
- Spear phishing is an attack targeting a user or group of users to get the user to do something that then launches an attack. For example, the user may open a document or click a link that then launches an attack. Spear phishers rely on knowing your personal information, such as an event, interest, travel plans or current issues. If you use social media, be careful in clicking links and communicating with other members of online groups.
- Social engineering relies on exploiting the human element of trust. The first step in any social engineering attack is to collect information about the attacker’s target. Social networking websites can reveal a large amount of personal information, including resumes, home addresses, phone numbers, employment information, work locations, family members, education and photos. Social media websites may share more personal information than users expect or need to keep in touch.
- Web application attacks are dynamic Web pages that use scripting to provide additional functionality to the user. Social media websites are advanced Web applications, and this opens them up to vulnerabilities exploitable by attackers. Advances in Web application technologies allow attackers to use new techniques against social media websites not previously possible in email. For example, emerging techniques include using custom Facebook applications to target users. Facebook applications are written by third-party developers and often have minimal security controls.
Strategies for Minimizing Risk
The risks previously outlined are serious, but they shouldn't be a reason or an excuse not to use social media. While launching an attack is technically complex, all you need to avoid them is a little bit of knowledge and common sense. Here are some strategies you can use to minimize risk and use social media safely.
- Procedural Controls. The most important question to ensure your safe use of social media tools is not “what tools do we use?” but “how do we use them?” Be explicit about the type of data or information you'll share. Who's authorized to post content? Who's authorized to approve it? Prepare a brief document that captures your goals and objectives for using social media and what types of interactions you are or are not seeking to engage in. Create operating procedures to filter content, address who will be the administrator and what you expect of users. Include specific activities or traffic that aren't allowed, such as the addition of third-party applications.
- Acquisition Controls. Most social media services provide administrative features that can customize how information is collected from and provided to the public, either bundled with the service or for an additional fee. A great example of this is GSA’s own terms of service agreements with social media providers (see the “Social Media Apps” section of apps.gov.) Many agreements include negotiated terms for IT security. Consider comparing the feature sets of platforms side by side, or engaging vendors to inquire about the security and privacy features they provide. Consider whether platforms that use voting or public comment are prone to being “gamed” or invite cheating or fraud, and what measures can be taken to prevent it.
- Training Controls. The key to using social media securely is ensuring that everyone who uses it has access to sufficient training materials and opportunities. Even for social media initiatives that aren't new, providing periodic awareness and training can help educate users about what information to share and with whom they can share it. Federal employees should also be trained to protect their agencies and themselves by not blurring personal and professional lives, and with additional guidance concerning if and how they should identify themselves on social media websites, depending on their official role. GSA's Office of the Chief Information Officer also operates a number of network controls and host controls to safeguard the agency’s information and networks.
A sample risk mitigation checklist may be useful. (These guidelines below are adapted from the Federal CIO Council’s document "Guidelines for Secure Use of Social Media by Federal Departments and Agencies." You should consult the original document for complete guidance.
Sample Social Media Risk Mitigation Checklist
Have you considered these elements and issues:
- A content disclaimer and site ownership disclaimer?
- A plan for regular content updating and content review?
- A blog comment moderation policy?
- A plan for security vulnerability checks, and is staff assigned the review?
- A written incident response plan that has been vetted and approved?
- A plan for regular review of things like profile pages, links, photographs and online vulnerability reports?