Cyber Security Guidelines for Securing Social Media Accounts Version: 2.1 Author: Cyber Security Policy and Standards Document Classification: Public Published Date: June 2018



Document History:

Version | Description | Date
1.0 | Published V1.0 document | October 2015
2.0 | Branding Change (ICT to MOTC) + added controls for other or changed social media platforms | November 2016
2.1 | MoTC logo changed + Format Change | June 2018


Table of Contents

Legal Mandate(s)
Introduction
Objective
Scope
Intended Audience
Understand the Risks
General Recommendations
   Set up a Governance for Social Media
   Account creation and administration
   Account Login
   Password Management
   Information Sharing / Acceptable Usage
   Configure Privacy Settings
   Monitoring
   Third Party Solutions
   Incidents: In case of any suspicious activity
   Recovery Plan
   Security Awareness
Securing Most Common Social Networking Sites
   Facebook
   Twitter
   Instagram
   LinkedIn
   WhatsApp
   Snapchat
   Tumblr
   YouTube / Google
   Telegram


Legal Mandate(s)

Emiri Decision No. (8) for the year 2016 sets the mandate for the Ministry of Transport and Communication (hereinafter referred to as “MOTC”) and provides that MOTC has the authority to supervise, regulate and develop the sectors of Information and Communications Technology (hereinafter “ICT”) in the State of Qatar in a manner consistent with the requirements of national development goals, with the objectives to create an environment suitable for fair competition, support the development and stimulate investment in these sectors; to secure and raise efficiency of information and technological infrastructure; to implement and supervise e-government programs; and to promote community awareness of the importance of ICT to improve the lives of individuals and the community and build a knowledge-based society and digital economy.

Article (22) of Emiri Decision No. 8 of 2016 stipulated the role of the Ministry in protecting the security of the National Critical Information Infrastructure by proposing and issuing policies and standards and ensuring compliance.

This guideline has been prepared taking into consideration current applicable laws of the State of Qatar. In the event that a conflict arises between this document and the laws of Qatar, the latter shall take precedence. Any such term shall, to that extent, be omitted from this document, and the rest of the document shall stand without affecting the remaining provisions. Amendments in that case shall then be required to ensure compliance with the relevant applicable laws of the State of Qatar.


Introduction

Social networks / media are an organization’s identity in the virtual world. This social identity is very much linked to its corporate public image and needs to be protected as much in the virtual world as in the real world. A social media account that is not secured may open the floodgates to compromising and maligning your corporate public image.

This document provides mitigation advice and security controls to help reduce threats such as unauthorized access, as well as steps to follow in order to retrieve a stolen account.

Objective

Provide necessary guidance to help organizations manage their social media accounts securely.

Scope

All organizations having a social media presence.

Intended Audience

Staff authorized to manage and use the corporate social media accounts. However, private individuals may find the document useful too.


Understand the Risks

Social media accounts related to government, semi-government and national events represent an ideal and logical target for our nation’s adversaries, as social media is seen as the virtual identity of the governmental entity.

Further, being government accounts, they have a huge following and the followers have implicit trust in them.

The risks associated with such social media profiles are:

- Leaking of confidential or inappropriate information
- Vandalism of content, spreading malicious content
- Legal implications
- Blackmail

General Recommendations

Set up a Governance for Social Media

Define a policy for the usage of social media in your organization. At a minimum, the policy should include the following:

- Identify who in the organization is authorized to engage in social media on its behalf.
- Who controls and owns the information put into a social networking site?
- What information are the stakeholders passing on to other people?
- Seeking consent from stakeholders prior to disseminating information related to them.
- Explicit procedures on social media networking, e.g. who the corporate account would follow or be influenced by.
- How would information received from the follower network be broadcast, i.e. re-shared or re-tweeted?
- A defined process for incident handling / recovery plan in case of breach or malicious attacks.
- The hardware and software authorized for accessing the social media account.

Account creation and administration

In order to create and manage account ownership, it is recommended that organizations follow these practices:

- A dedicated corporate email (usually used as the username) should be used to create and maintain a social media account. This email address should be a generic/nonspecific enterprise email account for logging into social media networks. Individual enterprise email addresses are easy to guess and decrease the security of social media accounts.


- Each social media channel/account should be associated with a separate and unique corporate email. Example: the username/email associated with the corporate Twitter account is different from the username/email used on Facebook.
- Do not use the same passwords for social media that you use to access company computing resources.
- Private emails should not be used to manage and access a corporate social media account such as a Twitter account or Facebook page.
- The social media account page should feature the logo approved by the communication department, and the profile text should state that this account is “the official” account of the organization.
- Organizations should define which organizations / agencies they may follow, e.g. government agencies may follow other government agencies, verified accounts or trusted sources.
- It is not recommended to follow individual users.
- It is not recommended to access / re-post / re-tweet / share “unverified messages” with embedded links and URLs.

Account Login

- Configure social media accounts to use secure sessions (HTTPS) whenever possible. Facebook, Twitter and others support this option. (Note: This is extremely important when connecting via public Wi-Fi networks.) QCERT can help you configure your account to use HTTPS at all times.
- Login should only be from a dedicated corporate owned / managed device (PC or mobile device).
- Login should be from a trusted network; refrain from using public/open Wi-Fi networks such as those in cafés, airports, etc.
- Mobile devices linked to your corporate social media accounts should be adequately protected using biometrics or strong passwords. We recommend adding an extra layer of security by securing the apps with an additional PIN / password that is different from the one used to access the device. This may be possible through the use of certain third-party applications.
- Disable the geo-location feature while posting or tweeting.


Password Management

- Always use strong and secure passwords to access social networks. The passwords should comply with the corporate password policy.
- Change passwords frequently. Have different passwords for different accounts.
- Use multi-factor authentication for social media accounts (if supported by the provider).
- Never share your passwords with anybody.

Information Sharing / Acceptable Usage

- Do not disclose any official information upon registration of social accounts.
- Restrict employees from posting official and sensitive data or information over social networks.
- Only authorized personnel should be allowed to operate corporate social media accounts.
- Do not post any discriminatory, disparaging, defamatory or harassing comments regarding the organization, its employees or any third party in electronic postings or publications.

Configure Privacy Settings

- Review and revise as necessary the default privacy settings offered by the social media networking sites.

Monitoring

- Limit corporate social media account access to an authorized employee in order to control the content distribution over social networks. This could be the Public Relations Officer (PRO), official spokesperson, etc.
- Where more than one person has access to the corporate social media account, internal procedures should be defined to regulate this activity. These should include training users on the usage of social media, active monitoring, and the use of social media management solutions and / or any other compensating controls as deemed necessary.
- Regularly monitor the access granted to authorized user accounts and revoke the access of employees who leave the organization or no longer have a business need to use social media.
- Have a third-party individual, who is not responsible for content, continuously monitor social media accounts for unauthorized or unusual postings.


Third Party Solutions

- Organizations should consider the usage of a social media management solution.

Incidents: In case of any suspicious activity

Please report to QCERT ([email protected]) or call (+974 4493 3408) if you see any of the suspicious symptoms below:

- Automated likes, favorites, follows/un-follows or friend requests
- Private messages being posted to your friends (this can be hard to spot unless someone points it out to you)
- Unexpected email/push notifications from the social network, such as:
   - Warning that your email address has been changed
   - Warning that your account was accessed from an unknown location
- Status updates/tweets that you didn’t make
- Changes to the profile or pictures on the account

Recovery Plan

- Please report to QCERT ([email protected]) or call (+974 4493 3408).
- Collect all logs, traces and artifacts of malicious activity for investigation and possible legal requirements.
- Immediately change account passwords.
- Verify and change the password for the associated emails and backup emails.
- Verify the password recovery options set for the social media account; verify the alternative email address that has been set up.
- Verify the auto-forward options, if any, set up for the account and associated emails.
- Visit the applications page of the social network and remove any apps you do not recognize.
- If the account continues to behave erratically, we recommend you revoke access to all applications.


Security Awareness

- Employees managing and / or maintaining the organization’s social media accounts shall be sensitized and educated on information security. They should be made aware of prevalent threats such as phishing and social engineering.

Securing Most Common Social Networking Sites

Facebook:

a. Ensure you're using a secure connection whenever one is available: click Security in the left pane of Facebook's Account Settings and make sure Secure Browsing is enabled.
b. The security settings also let you enable log-in notifications and approvals, and view and edit your recognized devices and active sessions.
c. Security Tips:
   i. Protect your password.
   ii. Use Facebook’s extra security features.
   iii. Make sure your email account(s) are secure.
   iv. Log out of Facebook when you have finished your work.
   v. Run anti-virus software on your computer.
   vi. Think before you click or download anything.
d. Enable 'Login Approvals' from the 'Account Security' section of the account settings page. Follow the link: https://www.facebook.com/notes/facebook-engineering/introducing-login-approvals/10150172618258920 [1]
e. Update your accounts as per the new security tips and guidelines of Facebook. You can find them at https://www.facebook.com/help/379220725465972 [2]

[1] This link may change. Refer to the Help Section available on Facebook if this link no longer works.
[2] This link may change. Refer to the Help Section available on Facebook if this link no longer works.


Twitter:

a. When you sign up for Twitter, you have the option to keep your Tweets public (the default account setting) or to protect your Tweets.
b. Accounts with protected Tweets require manual approval of each and every person who may view that account's Tweets.
c. Security Tips:
   i. Use a strong password.
   ii. Use login verification.
   iii. Government organizations shall get their account validated and verified. You may verify your Twitter account by following the instructions and filling in a form on Twitter (https://support.twitter.com/articles/20174631) [3].
   iv. Watch out for suspicious links, and always make sure you're on Twitter.com before you enter your login information.
   v. Never give your username and password out to untrusted third parties.
d. Using SMS text message login verification. To set up SMS text message login verification:
   i. Go to your Security and privacy settings on twitter.com and select the option to Verify login requests.
   ii. When prompted, click Okay, send me a message.
   iii. If you receive our verification message, click Yes. (Note: you'll have to enter your password.)
   iv. You can generate a backup code by selecting the option to Get backup code. Write down, print, or take a screenshot of this backup code; this will help you access your account if you lose your phone or change your phone number.
e. Regularly review and follow the best practices published by Twitter. You can find them at https://support.twitter.com/articles/76036 [4]

[3] This link may change. Refer to the Help Section available on Twitter if this link no longer works.
[4] This link may change. Refer to the Help Section available on Twitter if this link no longer works.


Instagram:

a. Security Tips:
   i. Pick a strong password.
   ii. Make sure your email account is secure. Change the passwords for all of your email accounts and make sure that no two are the same.
   iii. Log out of Instagram when you use a computer or phone you share with other people. Don't check the "Remember Me" box when logging in from a public computer.
   iv. Think before you authorize any third-party app.
b. Update your accounts as per the new security tips and guidelines of Instagram. You can find them at https://help.instagram.com/369001149843369 [5]

LinkedIn:

a. Security Tips:
   i. Change your password regularly.
   ii. Sign out of your account after you use a publicly shared computer.
   iii. Manage your account information and privacy settings from the Profile and Account sections of your Privacy & Settings page.
   iv. Keep your antivirus software up to date.
   v. Do not put your email address, home address or phone number in your profile's Summary.
   vi. Consider turning two-step verification on for your account.
   vii. Be informed about reporting inappropriate content or safety concerns.
b. Update your accounts as per the new security tips and guidelines of LinkedIn: https://help.linkedin.com/app/answers/detail/a_id/267/~/account-security-and-privacy---best-practices [6]

[5] This link may change. Refer to the Help Section available on Instagram if this link no longer works.
[6] This link may change. Refer to the Help Section available on LinkedIn if this link no longer works.


WhatsApp

a. Impostor Alerts: Enabling this setting in WhatsApp will give you notice that you may be communicating with an impostor. To protect yourself, go to the “Settings” icon at the bottom right of your WhatsApp screen (if using mobile), open up the Account settings area, and turn on the "Show Security Notifications" setting.
b. Privacy Settings:
   i. Lock WhatsApp: Protect the app with a password or PIN. WhatsApp itself doesn’t offer such a function; however, you could look at secure alternatives where available. Currently no such feature is available on iOS / Android.
   ii. Block WhatsApp photos from appearing in photoroll: You could restrict your WhatsApp photos from appearing in photoroll.
      i. iPhone: Go into your phone’s Settings menu, then ‘Privacy’, ‘Photos’, and deselect WhatsApp from the list of apps whose images are fed into the photo stream.
      ii. Android: Using a file explorer app like ES File Explorer, find WhatsApp’s ‘Images’ and ‘Videos’ folders. Create a file within each called ‘.nomedia’. That will stop Android’s Gallery from scanning the folder.
   iii. Hide ‘last seen’ timestamp: You can disable or restrict who sees your ‘last seen’ time in WhatsApp’s ‘Profile’; ‘Privacy’ menu, in Android, iOS, Windows or Blackberry. Be aware though, if you turn it off, you won’t be able to see other users’ ‘last seen’ times either.
   iv. Restrict access to profile picture: If your WhatsApp sharing is public, anyone you’ve ever spoken to – even if you’ve just replied to an unwanted message – can download your picture from your WhatsApp profile and, using Google Image search, very quickly find out more about you. Set profile picture sharing to “contacts only” in the Privacy menu. For corporate accounts, the profile image should be the corporate logo.


c. WhatsApp scams: WhatsApp itself will never contact you through the app. Also, WhatsApp does not send emails about chats, voice messages, payment, changes, photos, or videos, unless you email their help and support to begin with. Anything offering a free subscription, claiming to be from WhatsApp or encouraging you to follow links in order to safeguard your account is definitely a scam and not to be trusted.
d. Lost / Stolen Mobile: Deactivate WhatsApp if you lose your phone. WhatsApp recommends that you immediately activate WhatsApp with the same phone number on a different phone, with a replacement SIM. Only one number on one device can use the app at a time, so by doing this, you can instantly block it from being used on your old phone. If that is not possible, WhatsApp can deactivate your account.
e. Be careful what you talk about: Don’t send personal information if you can possibly avoid it – addresses, phone numbers, email addresses – and never send your bank, QID or credit card details, or your passport or other identification details.
f. WhatsApp Web:
   i. Although WhatsApp Web was designed to make life easier by letting you access WhatsApp on your desktop, the service is prone to misuse. Anybody who has access to your phone and WhatsApp application can initiate a web session, scan your WhatsApp security QR code and have complete access to your WhatsApp chats. This can be avoided by ensuring that you do not let anybody else have physical access to your phone; where you do need to share it, make sure the application is locked with a PIN.
   ii. Remember to log out of WhatsApp Web: The mirroring service makes life easier while working on a PC. However, most users are unaware that they should ideally log out of WhatsApp Web on the Google Chrome browser, either from their mobile or from the browser.
   iii. WhatsApp Web should only be accessed from a dedicated corporate device.


g. Encryption:
   i. First, make sure that WhatsApp has access to your camera. You may have already allowed this when you installed WhatsApp, but if you did not, it is an easy setting in the Applications area of your phone.
   ii. Next, open a conversation with your friend in WhatsApp and then select the person’s name at the top of the conversation. This will open the contact window for that person. Near the bottom of that screen you will see a setting for Encryption.
   iii. Tap on the encryption field, and you will be presented with a screen that displays a QR code as well as a 60-digit decimal code that represents the contents of that QR code.
   iv. At the bottom of the QR code screen, there is a link that will enable you to scan your friend’s code, and they can do the same for your code. This is why you need to allow camera access in WhatsApp, even if only temporarily.
   v. Deactivate the access to the camera when done.

Snapchat

a. Privacy:
   i. Keep your Snaps and Stories friends-only: Snapchat sets your account options to friends-only by default. This means only people you have added as a friend who have added you back can send you Snaps or view your own. We strongly recommend keeping it that way so you know at all times who is viewing what you create. Don’t change your settings to ‘everyone,’ as that means literally anyone with a Snapchat account can send you messages or see your Stories.
   ii. Make sure you know (read: really know) who is on your friends list. If another user tries to add you as a friend, check whether you know who it is before accepting the request. If the username of the person who added you does not appear to be anyone you know, it could be a spambot, or an overly curious stranger who has no reason to learn about your life via Snapchat. It is best to ignore these requests.
   iii. If you don’t want it to be permanent, don’t Chat or Snap it: Snapchat content expires after a set time, and Snapchat should also notify you if someone screenshots one of your Snaps or Chats. But don’t let that fool you into complacency – your Snaps can definitely be saved (and shared) for posterity without your knowledge.
   iv. Snapchat Live: If you ever try to submit something to a “Snapchat Live” story (the collection of stories Snapchat creates for events, holidays, locations or various other reasons), keep in mind that it has the potential to be viewed by the entire world if it is selected. Therefore, before trying to submit something, make sure you are comfortable with that.
b. Passwords: Refer to the Password Management section above.

Tumblr

a. Passwords: Refer to the Password Management section above.
b. Enable Two-Factor Authentication:
   i. Click "Settings" under the Account menu at the top of the Dashboard.
   ii. In the Security section, enable “Two-factor authentication.”
   iii. Enter your phone number.
   iv. Now decide whether you would like to receive the code via text or through an authenticator app. We recommend both in case you need to use one as a backup.
   v. Follow the steps laid out in the Settings page.
c. Application Lock: Set up the passcode lock in your account settings on mobile (if available – it is still in the process of rolling out). This will let you require a passcode or Touch ID to enter the Tumblr app on your phone.
d. Logging: Keep “Email me about account activity” turned on in your account settings.
e. Never give an application access to your Tumblr account unless it is from a source you trust.
f. Always log out of your session once you have finished your work by clicking on the account menu at the top of the dashboard and then clicking “Log Out” at the top of the menu.


g. Report SPAM

i. From posts on the web: From the dashboard or a search results page, click the

share menu (paper airplane) at the bottom of the post, and click “Report.”

ii. From blogs on the web: Report an entire blog by hovering over the blog's

avatar, clicking the little person silhouette, and clicking “Flag this blog.”

iii. From messages in the app or on the web: Tap or click "Mark as spam" under

the spammer's first message. Note that "Mark as spam" won't appear if it's

somebody you follow, or somebody you've already had a conversation with.

iv. From fan mail on the web: From the inbox, click the three dots at the bottom

of a spam message and choose “Report.”

v. If you do not have access to a computer now, you can use a mobile browser’s

desktop view to report spam following the steps listed above. To get to the

desktop view in iOS, open Safari and visit tumblr.com, log in, tap the share icon

(little box with an arrow) at the bottom of the screen, and tap the gray

“Request Desktop Site” button. On Android, open Internet or Chrome and visit

tumblr.com, log in, tap the three dots icon in the top right-hand corner of the

screen, and check the “Desktop View” box.

YouTube / Google

a. Passwords: Refer to the password guidance in the section above.

b. 2 Step Verification for your Google Accounts: Enable 2 Step verification for your

Google accounts to ensure that whenever you log in to YouTube from a new device

(or every time you log on anywhere, depending on your preference), you’ll be sent

a verification number as an SMS text or voice call. Then you can enter your

verification code to ensure that you’re the real you. This protects you against third

parties trying to log in to your account, even if they have your password.

c. Always log out of your session when you have finished your work by clicking on the

account menu at the top of the dashboard and then clicking “Log Out” at the top of

the menu.

d. Account Recovery: Add a recovery phone number and secondary secure email to

your YouTube account. Not having both a phone number and a secure email means

your account could be accessed by someone who knows or guesses the answer to

your security question. Keep your recovery information secure and up-to-date.

e. Don’t give your information away via email: You shouldn’t trust emails that you

receive that request the password with which you access your YouTube account. In

fact, even if it appears to come from Google itself, be extra wary – an attack uncovered a few

months ago shows that a malicious URL, in the guise of a company link, could make

users enter their information without realizing it.


Telegram

a. Passwords: Refer to the password guidance in the section above.

b. 2 Step Verification for your Telegram Accounts: Enable 2 Step verification for your

Telegram accounts to ensure additional security. Once enabled, you will need both

an SMS code and a password to log in.

c. Account Recovery: Set up a recovery email address that will help regain access,

should you forget your password. If you do so, please remember that it is important

that the recovery email account be also protected with a strong password and 2-

Step Verification when possible. The recovery email should also be a corporate

email.

d. Screenshots: There is no bulletproof way of detecting screenshots on certain

systems (most notably, some Android and Windows Phone devices). Although

Telegram does make every effort to alert you about screenshots taken in your

Secret Chats, it may still be possible to bypass such notifications and take

screenshots silently. As a general precaution, it is recommended that sensitive

information is shared only with people you trust.

e. Logging Out: Telegram can work simultaneously on as many devices as you like.

You should log out of the applications if you are physically moving

away from the device where you are running Telegram. If you log out, you do not

lose your cloud messages. However, you will lose all your Secret Chats and all

messages inside them when you log out. Note that logging out doesn’t trigger

remote deletion of your secret chat messages on your partner’s device — to do that,

choose ‘clear history’ first.

iOS: Go to Settings, then Edit, then Log out.

Android, Windows Phone: Go to Settings, then Log out.

f. Lost Phones: The phone number is the only way for Telegram to identify a user

at the moment. So whoever has the number, has the account. There is no way to

recover / secure the data unless you have access either to the phone number or to

Telegram itself on any of your devices.

If you have access to Telegram on another device

Go to Telegram Settings — Privacy and Security and turn on Two-Step

Verification. This way the phone number alone will not be enough to log in to

your account.

Go to Settings — Privacy and Security — Active Sessions and terminate your

Telegram session on the old device. Whoever has your phone will not be able

to log in again, since they don't know your password.


Contact your phone provider, so that they block your old SIM and issue a new

one with your number.

If you decide to switch to a new phone number, don't forget to go to Settings,

tap on your phone number and change your Telegram number to the new

one.

If you don't have access to Telegram on any other devices

First and foremost, you need to contact your phone provider, so that they

block your old SIM and issue a new one with your number.

Wait till you receive your new SIM with the old number, log in to Telegram,

then go to Settings — Privacy and Security — Active Sessions and terminate

your Telegram session on the old device.

g. Removing sensitive data:

If you have reasons to worry about the data on the device and are unable

to log out the other device, it is best that you wipe it remotely. Telegram does

not support remote wipe; however, you could use such features provided by

phone platforms such as Apple iOS and Android. This requires you to have prepared

in advance for this scenario.

You can delete your Telegram account if you are logged in on at least one of

your other devices (mobile or desktop). Note that inactive Telegram accounts

self-destruct automatically after a period of time — 6 months being the

default setting.

Privacy: You can choose who sees this info in Privacy and Security settings. You won’t see Last Seen

timestamps for people with whom you don’t share your own.