How Government Can Prepare for and Respond to Social Media Hacks

>>Hello everyone and welcome to DigitalGov University. I am Justin, and I lead social media
for the division of digital government in the GSA office of innovative technologies and
citizen services, which is the office of system services and innovative services in retrospect.
>>Thank you very much for joining us today. We are here to discuss a very important topic
which has affected people in the private sector, citizens and government alike. It is a
challenge we all share in the adoption of emergent technology, but we in government, as you
know, have a greater responsibility to be able to not only lead on these challenges, but
understand them and address them in order to maintain trust in our digital services.
>>Today, in light of recent events, we have asked Twitter, Google, Facebook, the big four,
to be able to come today and talk to you and walk through in one hour what are the different
options that we have and the different challenges that we have in order to address cyber
security concerns in social media. Today Facebook was great enough to be able to come, and
Hootsuite is also going to be here, and so we are going to be able to walk through, also with
the Coast Guard, what are the common issues that we face in cyber security for social media,
what are things that you can do, and also dive deep into the applications and find out about
two-factor authorization: what are some of the different options that you have and challenges
that you might be facing. Also we are going to be taking questions and answers, and we should
read the riot act that we do in the beginning of every webinar, where we basically let you
know what are the roles and responsibilities of the viewers, participants and other folks.
>>First, put down your pen and paper because
we are going to be sending afterwards basically a capture of all of the knowledge that was
shared during this copy will follow up with questions and we will connect you with resources,
connect you with more training, information and anything that we have at the disposal
of the federal government in order to ensure that you have the most up-to-date information
regarding cyber security and social media. Second, once again, don’t worry about taking
notes; we will get you that information. Let it all sink in. Second, throughout the
entire presentation you will be able to ask questions right through the GoToWebinar
field and we will get to as many of them as we possibly can. If there’s an answer that
someone does not know, we will not pass it; we will contact more security experts to get
you the answer you need.
>>Once again, throughout the presentation
you will have questions and we will get answers for those. Third, at the end of each
DigitalGov University we send out a survey along with other additional information in
which we ask how you have rated the program. Was there more information that you needed, or
was there something that we did not address in some way? I promise you we read every single
one of the responses that get sent to customer service. It is a critical part of our program
across the government, so please take the time to fill that out so we can continue to develop
these citizen-centered and federal-manager-centered programs that you need so much. With that
being said, to run down the list: do not worry about taking notes because we will send you
the information, have your questions ready, and please remember that customer survey feedback.
>>Let’s get on with the presentation. Once again, I am Justin Herman. I work with what
is called the SocialGov community, which is an objective-based community of over 800, or
almost 900, digital engagement managers from across all fields of government. For those
of you that did not know there were that many digital engagement social media managers
in government, there are. When I say objective-based, it is because we do not just share
information like cyber security training; we have very active working groups on everything from
patient, advancing accessibility for people with disabilities, performance analysis of social
media and digital engagement of public services, and also collaborating on policy development
itself. Essentially what we do is across the government we identify the needs that we all
face and then we develop teams to create shared solutions that can benefit the entire government
as a whole. Once again, this presentation is even public because it is important for people
to know that we are addressing these challenges and what you can do to help us in that, whether
you are a federal manager calling in today or you are someone who works with the government
or has a vested interest, like anyone should, in knowing how their government transparently
operates. With that being said, let’s get on with the presentation.
>>There will be introductions for each person as we go through. First off, how can the
government prepare for and respond to social media hacks? Just to give you a background on
this: by the way, this information right here I have literally purring from the Defense
Intelligence Agency. One of our great places on cyber security is Jordan Higgins at that
intelligence agency, and this is coming back from training that he has given through blog
posts or webinars to the greater community, just if you’re wondering where this comes from.
It’s estimated that approximately half of Americans have been hacked in the past year. It is
something that we see in the news all the time, whether it is occasionally a government
account, a company or something like that. It is often that people have compromised systems
in the private sector and in the public sector. This is not anything unique to one specific
community but a challenge we all face together as we are embracing emerging technology.
>>When you are logging in you might’ve seen a link to it nor so which is a dashboard, and
it just illustrates one percent of the cyber attacks that this website tracks. This website
actually was shared with us through the Defense Intelligence Agency in their blog post for
October; they did the Cyber Security House of Horrors blog post, which we will actually
send out to people at the end of the presentation. It is just to show you the scope of these
things, and as we were preparing for this webinar someone on the phone said, I just got
a phishing scam sent to me. These are quite common, and as the president said, and other
leaders in government and in the private sector have pointed out, such vulnerabilities and
everything from cyber to attacks themselves are going to become more common.
>>To give you the scope of this, many companies
and many people know these vulnerabilities exist, but in the federal government we have more
than 5000 social media accounts and more than 1000 social media managers within the government.
To some people that blows their mind a little bit, because they perhaps thought there were
only a few people or they did not know the scope. Something else to look at is that, just
like companies do and people do, yes, among the government agencies there are some that
primarily use social media to share content, blog posts, imagery on Instagram or otherwise,
what would be falling under communications, PR or marketing. That does not really take in the
full scope of what we do in the government. The largest, greatest area in federal government
social media is around using it for customer service. When you think about it people do
not traditionally or is not the norm, increasingly for people to use other options to make calls
on the phone or even emails that were seen in with it’s not a method but if you look
at Federal Student Aid, they were able to use social media to answer 150, 200 questions
in an hour in two languages for students who want to know more about federal student aid:
taking social media and using that channel specifically for customer service to provide
better services and at a cost savings.
>>These are the types of models that we increasingly
see in government, and this is why, when a government account is compromised, it’s not just
potentially embarrassing or a left femoral heaven an article; it is critical that we maintain
public trust in these situations. Whether it is customer service for student loans or emergency
information during an earthquake or came, these programs can save lives, these programs have
an immediate impact on people who rely on them, and therefore even more so than the private
sector we have to take a responsibility upon ourselves for that.
>>That is why, once again, it is not just enough that we understand emerging cyber security
threats around social media, and it’s not even enough that we address them internally. We
must publicly respond to these things. We must have people understand and know what
we do, and we also have to, when an incident does occur, it’s not just to get
control over your site again and talk about it the next day, but you must use the same
channel that was compromised in order to respond and maintain trust and let people know that
your program is viable again.
>>That is one thing that we will go through
with on how to tackle this today. Let us jump right into it. What can you do? The
first thing, which we’ll talk about in multiple ways, is two-step (it should say) authentication.
It is a security feature, and the different apps are going to go into it; it basically allows
you to have two levels if someone’s trying to log into your account. Like I said, they’re
going to be going over that, and if this is something you’re not aware of or you need
to get smarter on, right now is the time. Not right now, but when the webinar is over. The
most important thing that you need to do is have a plan in place. You do not wait until
an account is compromised and then wonder what to do. Everyone’s policy, every office
that handles social media, should have a document that says this is what we are going to do;
it’s like emergency management, where you have the extinguisher. You break the glass
to get the fire extinguisher. There is contact information: who to contact at Facebook, Twitter;
what are the procedures in place; who are the people within your organization who will need
to be on hand to be able to make the decisions that are going to regain control of your account,
and people to respond and assure the public that it’s taking place.
>>These bullets right here, separation of agency, this was put together by Jody, who
worked at the agency of insurance. He was not able to join us for the webinar, but I did
not want to leave this out here. This is actually directly from information assurance at the
State Department. By the way, when we send out resources and more information, Jody
dinette in the State Department have been tested a fantastic cyber security training,
and it’s open to .gov accounts and it’s absolutely fantastic, and we will hook you up with that.
With that being said, these are things that the State Department wanted to share.
First, maintain separation of your agency and personal accounts. That sounds very basic
and sounds good, it sounds like a given, but as we know, in an emerging field like this there
have been things that move very quickly lately, and there’s always a chance that somebody
had to Lord use their Gmail account to set up. You will see this repeated often: use
your .gov account when registering these things, because ultimately you have complete
accountability over those accounts. If someone uses a Gmail account or anything else and
they are locked out, or their account is compromised, or they are gone and they move on from the
organization, you cannot go into that person’s email and have full accountability unless
it’s a .gov account. Never download unverified software or click on suspicious links. Often
people think government is behind on social media: there is some tool out there, or all the
toolkits that they’re using, and the government is not using it or it takes us two years to get
it. There is a reason for it, and the reason is not because we want to be uncool, the reason
is not because we’re afraid of engaging or any of the things that we read often when people
talk about it. The point is that in order to use an app for the government, not only
do you have to have security reviews, you also have to negotiate a federal terms of service
for it. Basically, because of congressional law and the standard that we have to hold ourselves
to, there has to be a negotiation and a standard that takes place legally and security-wise
to use an app. Especially if it is a startup, they do not have the capability to mediate
those legal standards or the secure and the authentic send standards. That is fine in
the lifecycle, but once again that is why sometimes the government does not use these accounts.
It’s not because we’re afraid of engagement, it’s not because we’re not cool, it’s because
we try to be. But there are certain standards that take place, and that is why we say do
not use unauthorized software.
>>Second, log on using a strong firewall
and standalone equipment. Especially in a mobile age it’s very easy to say, I’m just going to
use this on my mobile phone or my personal device. 17 it opens a flight vulnerability
where if your outside phone is compromised, or your colleague’s is, quickly it creates a
fissure in what should be your strength in cyber security. Once again, not have the temptation
to use out I device with. And of course, when the hack happens, have a plan in place. Do not
wait for something to happen to be like, right now what do I do? Do I email? First of
all, we are always available and reside this week the fact that one day we could put together
a training that has 300 eco-managers on and we were able to get Hootsuite and Facebook
shows the strength of the unified federal community in the digital community that we
have.
>>Our commitment to work together for these
things. With that means I do not take that for granted. Have a plan in place, have your
senior leaders review it and get the buy-in that is needed. We can always mitigate risks,
you can always attract vulnerabilities, but as we know there are still always inherently
going to be vulnerabilities as we embrace emerging technologies. There is the lifeblood
word says within this week within certain ministering things happening we immediately
went out and sent out to 1000 social media managers in government and said this is the rundown,
this is the audit that should take place. First off, again, use the .gov or .mil accounts.
What often happened in the past was there was a new office embracing social media early
on and they hired a contractor to do better work with them, and then what happens is three
years later perhaps that person moved on or something, and then what happens is everyone
is locked out of accounts. There needs to other organizations and the private sector
they might even have their interns handle their social media. Via the government must
be at a higher standard; your accounts should be going to .gov or .mil accounts for government
full-time employees. That’s the way to maintain the safest level of accountability in that.
Do not be the only one. Do not have one breaking point where if that person is sick, if that
person’s device is compromised, if basically there is one chokehold on that then you either have
to make that fantastic, like I said in your contingency plan and in the way you manage your
apps you need to be able to have more than one option on regaining control over management
and things like that.
>>Another thing people ask is how do you
rectify the need for multiple voices, to put management with two-factor authorizations.
This is a challenge. I will be frank about it. This is a challenge, but it’s a challenge
we must face and we must raise, and that’s why we asked Hootsuite and Facebook for us to
talk and ask the experts. Like I said, there might be answers that there is no firm solution
on yet, just because of the way the technology is emerging. But that does not mean that we
will not raise, address and hopefully attack that together. Second, use authorized URL
shorteners. It’s not just apps; what we’ve seen in the past is people were able to go
in and attack the account. Not just the government account but the URL shortening, and then
they were able to redirect that. There are multiple levels of vulnerability: it’s not just the
app, it’s not just your phone; with third-party sites that are not approved or authorized you’re
opening yourself up to that vulnerability. Finally, use the federal social media registry. For
those of you who are not familiar with it because you’re not in the SocialGov
community, the social media registry is the only repository for all official social media
accounts in government.
>>I’ve read a lot of articles as of this
the most comprehensive list of social media accounts in the government and there was 150
of them. We have 5000 social media accounts around government, and so that often blows
people’s minds. Again, people were able to go there and verify it. Facebook has used
the registry and in one day was able to verify and put a checkmark over 1000 federal social
media accounts regardless of their popularity or celebrity, so that they could ensure that
you know that you are talking to the government when you’re talking to the government. Again,
we are living in a world where a D-list celebrity might be verified in a social media account
but an emergency management agency that could give you life-saving information in an emergency
perhaps may not be. We look to and congratulate Facebook on that move, and I’ll get to that
a little bit later, but start with the social media registry and make sure that your accounts
are official, verified and part of the system.
>>Those are things that you can do to protect
and provide things like that, but that is not enough. Things happen. Sometimes, perhaps
you’re dealing with Matthew Broderick in the movie WarGames from back in the 1980s.
No matter how much you try to mitigate risk, as we know there is no failsafe solution that
will take care of everything. That is why in your plan there needs to be a response
of, okay, when this happens it is not enough to just regain control and perhaps put out a press
release the next day; it is imperative that we respond using the channel that was compromised
to ensure people that was going on, and you’ve seen certain hacks in both the public and private
sector that have even affected the stock market. This is imperative, like I said, that people
maintain public trust in these digital services, and it comes down to the principles
of open government: maintaining active, credible and responsive feedback for the citizens that
rely on them. That means not just preparing, not just regaining control, but responding and
responding quickly to ensure people. That is actually the end of my presentation; that
was not supposed to be that long to begin with. With that being said, Janel, who do we
have next?
>>[ Indiscernible – low volume ]
>>Next up is Lieut. Anastasia, and I apologize that my screen went blank; I do not have her
last name. She will give you an introduction of herself. She is from the US Coast Guard
and she will be talking about phishing scams. We get them all the time. So how do we handle
that? What can we do? Thank you for joining us.
>>Hi, I’m Lieut. digital media officer for the US Coast Guard, and what we will be talking
about today is phishing. Phishing is basically the attempt to acquire sensitive information
by a third party: passwords, money, any of that sort of thing. Access to your bank account,
credit cards; basically it feeds into identity theft. How these things come up is you will
get an email, and it’s almost always an email. It will be a webpage sometimes, but you’ll
get an email and it will have the real name of a real employee; it will be from an address
you have interacted with in the past. For example, literally this morning I got a phishing
attempt from an account of one of my classmates from officer candidate school. The first email
looked like it was from him, so I responded and I said, hi, what’s going on? The email response
was a huge long thing asking for money. I recognized a classmate would not do this, and the
grammar was off. This is a phishing scam, so I immediately forwarded it to the appropriate
resources to show them the scam. A lot of times it’ll be from real names and real employees,
people that you’ve talked to in the past, which means their account has been compromised. You
will also see that particular phishing scam of compromised accounts come up on Twitter. A hacker
will get into a Twitter account and basically what they do is they send direct messages
to your friends saying, I saw this picture of you, you’ll never believe that, I feel faces
really you in this picture. What they’re trying to do is get an emotional response; you click
on the response and that’s what leads you down this crazy rabbit hole. They will also
use URLs that look real, and LinkedIn was having problems. There are great articles online
where what the phishers did was they took the URL, and it looks legitimate when you first
go, but what it actually does is redirect you to their site, so they basically have stolen
your LinkedIn password. You would be amazed how deep someone can go just by getting your
LinkedIn password; they could probably figure out where you are at, identity theft and all
sorts of things, if they could just get the password to one thing.
>>They tend to go for urgent messages that are intended to urge an emotional response.
My grandma’s dying; oh my gosh, this picture will get you fired. That one is very successful
when they send something to a federal employee. This picture of you partying in college will
get you fired: people tend to click on that one pretty quickly. Can we go to the next
slide? So I’m going to assume we went to the next slide. How not to get caught with this
stuff: if you get emailed a URL, type in the URL yourself; do not click on the link,
or use a previous bookmark. If you use USAA and you get a bookmark thing saying we had a
security breach, or we had a problem, someone’s been using your account, please click on this
link, what it will do is take you to a site that is not USAA. Instead of doing that, if it says
I’m USAA, you’ve probably gone to that site before. Close the email, go to that site and
log in there, because if there is a real security problem they are going to tell you. The other
thing is to pick up the phone. Do not reply to an email asking for information. Call your
bank and say, I just got an email asking me for this information. Or call the doctor and
say, I got an email saying this. Call whoever is sending the email. With the one from my
classmate origin I hit him up on Facebook, and he did not even know, so now he knows
it’s been compromised. It’s still risky because his Facebook could be also, but I didn’t have
any other option. When you go to the page, in the upper left-hand corner what you will
see a lot of times is a page icon, and if you are on a secure page what you should see in
the upper left-hand corner of the URL is a little lock. The interesting bit about the
lock is that they can be copied, so I can choose whatever I wanted as the picture of that logo,
and so before you move forward, even if you see the lock, hover your mouse over the lock and
click on it, because browsers nowadays are set up so that when you click on it it
will tell you identity verified. If you did not get identity verified back from the
webpage, close out and do not go any further or input any information, because they’re
pulling it in.
>>Check to make sure that cute little lock
on the left-hand side is real. Never fill out forms in an email. If someone sends you an
email claiming to be in charge of your family reunion or your high school reunion, do not
fill out your information. The reason being is obviously you do not know who you are actually
sending it to. The last big thing, and this is the big one, is do not do quizzes on social
media. The reason being is a lot of times they’ll say put your mother’s maiden name plus
the street you lived on as a kid plus your favorite pet’s name and you’ll get an answer
on when you will die or whatever. The thing is, when you look at it, your mother’s maiden
name, your favorite pet’s name, those are often security questions for webpages. What you’ll
find is that these questions, especially the really long ones, what they’re going to do
is ask you this information because then they can use that to access your account later.
Your father’s middle name, what town were you born in: these fun, cute little quizzes
a lot of times can lead to falling into a phish.
>>The biggest thing is common sense. If you are getting an email or message from someone
asking for personal security information, do not answer the email until you have checked
the webpage to verify they are who they say they are, because you cannot even use the email. Like
I said, today I got an email from my classmate and it was his email address, but they had
hacked into it. Verify. Check the security of the page. Pick up the phone. I know, like me,
I would prefer to be on my computer all day and not talk on the phone, but you can pick
up the phone and call the bank or call someone and say, I just got this email. The other thing
is, if we go to the next slide, there is a site called anti-phishing.org. That site is pretty
awesome because you can go in there and find out what phishing scams have been going on.
They have great resources on how to train your people or how to talk to your boss about
phishing problems. They also have lists of some of the biggest phishing scams that have
gone around. Back in the day when this thing started they were very blatant; it would say
I’m the Prince of Nigeria and I need your money to help me rescue people, or basically
asking for help. They have gotten smarter; they don’t do the I’m overseas and I need
to whatever. They respond to your Craigslist ad where you are trying to sell your bike and try
to get information from you that way. They email you from accounts that you know. They
do things like that essentially to try to trigger an emotional response and a comfort
response. They feel if you can give them a little information they can go further.
>>Do not think that your work accounts are not going to be emailed by these things. It’s
a little more rare depending on how far your agency takes the filtering system, but again,
today the email I got from my classmate was to my work address from his work address from
the Bahamas, because he is a Bahamian officer. The other big thing is, if you get an email
that you’re not sure about or a webpage that looks unclear, make sure you report it to your
agency security, even if it’s something personal at home. If you realize you have been snagged
by a phishing scam, you need to let your company or agency know. The main reason is that it is
nothing to be embarrassed about that if they start messing with your identity we can do
the best we can to beat the phishing scams, but something could get through. If you somehow
fall into one, do not be embarrassed, do not worry about it. Go in. Do not worry about
your pride; let your security people know, because if someone has done identity theft
on you they could completely decimate your credit record, which means you could start
looking at security clearances yanked and all sorts of things. Let the security at your
agency know if you got a phishing email or if you somehow think you are the subject of
a phishing scam.
>>That is pretty much what I have. I’m always
available to talk about this kind of stuff. Were there any questions?
>>We will actually take questions at the end. Thank you again, Lieut., who is the Coast
Guard digital media expert. It’s also just kind of funny to see the issues that go along:
just while you were talking we got an email from the CIA from their social media team,
and if you go to twitter.com/the people at home if you go there they put out a tweet
in Russian about Dr. Zhivago, and I’m not sure because I don’t speak Russian, but people think
that the account was hacked because it’s in a different language. Even fantastic content
like that that in the government we have to ask questions and we have to wonder how things
are on their. That was just interesting even lower getting the presentation that these
things go about. Next up we have Crystal Patterson. Crystal also joined us at our White House
Summit social data and open data, and Crystal Patterson is a government policy outreach
manager for Facebook. She has more than a decade of experience in digital strategy and
communication and, like I said, works a lot with the government. She has been there and done
that. She has a background working on Capitol Hill as well as with campaigns in the private and
public sector, and now she works with elected officials, government agencies, people like us,
nonprofits and other associations. We are so glad you’re able to join us, Crystal, so please
take it from here.
>>Thank you so much, Justin, and I’m thrilled
to be able to join you today. This is such an important topic, and I tried to keep my
piece of this simple because it’s pretty straightforward on how to keep your Facebook account
secure and your page secure. This is actually something we get called about quite a bit; when I
hear about people accessing their account, a lot of it has to do with problems with the
login and making sure that their account is secure. I’m very happy to be here. There are
three main things I want to cover with everybody today that will help a lot of you in keeping
your page secure as well as your Facebook profile secure. And it will ensure that you
don’t have to worry so much about having a good experience on Facebook. We keep it simple
so you can easily keep yourself safe. The first one, when you’re thinking about your
page, is making sure you have more than one person as a top-level administrator on the
page. That way if one person loses access, if an admin loses access, you still have another
backup person who can access the account and make sure you’re not having any problems with
someone posting content that you don’t want or making changes to the page that you do
not want. Make sure you have a second person who makes changes as needed, particularly in
an emergency situation.
>>When you are administering a page make sure
that you are using your own distinct profile to do so. I will defer to Justin on the best
way to handle managing your online profiles, but you want to make sure you have your own
distinct one when you’re administrating Facebook pages. That means you should not be
using a shared login for everyone that helps manage the page. We have had a lot of agencies
at the county, city and federal level where people have one email address that basically
is named after the agency. They all share that login to get into Facebook and your
page. That really compromises the security and integrity of your page and also your ability
to access the page if someone manages to get a hold of that login and password. If each
of you has your own, then you know it is secure with your distinct password, and it also means
that you can gain access if another one loses access architect themselves you can still
maintain take control of your page.
>>Another thing about having your own distinct
profile is something you can do if you create a profile is using the two-factor authentication
that Justin described earlier. We offer that on Facebook. In order to set it up you have
to have a distinct mobile number that we can use to text you your code so we can verify
that it is you logging into your account. Please make sure that you have your own distinct
profile set up and that you are using the two-factor authentication. To set up, in your profile
just go to your profile settings, and in that menu it’s listed under the heading login
approvals; that’s what we call it at Facebook. If you go into the login approvals setting
you can enable the two-factor authentication by putting in your mobile number, and it will
make sure that your account is safe. Just to recap: you want to make sure you have more
than one administrator on your page; make sure you are not sharing profiles, and even if
you have a separate work and private profile make sure you’re not sharing that; and maintain
two-factor. It’s pretty straightforward on Facebook. Thank you.
>>Thank you very much, Crystal, and I will tell you we are already getting a lot of questions,
and just to prepare you, there’s a number of them about Facebook. One of the things
that we won’t get to, if you’re thinking about this, is how do we balance effects of having
personal emails or being able to have two-factor authorization but also maintain
it through a government account. There’s a lot of questions on that balance there, and
there might be answers, but right now we cannot get them 100%. We still have to better understand
that. We look forward to getting into those questions later. With that being said, our
final presenter today is Sergey. He manages technical governments in management on dashboard
that many of you in our community use. Also it represents many of the things in government
agency; many don’t post directly to Twitter or LinkedIn, they like to be able to track
the hashtags and things like that, and HootSuite and other dashboards like it to perform
that proper social network integration, metrics and other things like that. With that being
said, Sergey, could you please talk to us a little bit about these options and what you
see from the dashboard angle.
>>Sure, thank you for letting me be here. I
am in Washington DC, and a lot of what I’m going to talk about has been mentioned before,
but it needs repeating, and I will elaborate on some of the techniques that hackers use
to gain access as well as some of the simple and sometimes more complex solutions that
can be used. We talked about phishing. It comes in many different forms, and the email
is the most famous one. It continues to happen to this day. My daughter’s Twitter account
was hijacked by a phishing attack, if you will, and her account is private so I don’t know
why anyone would go after her. She clicked on a link and her account was taken over, and
boom, they started advertising weight loss supplements to her 12 friends. And I noticed
we talk about vulnerability in social media of the terms we like to use MSs hijacking,
the endless them in that sense. So thank you for using the preferred terminology on that
one. And there are other techniques also, very simple techniques like password guessing.
Password guessing is trying multiple passwords on the same accounts, and just by doing a little
bit of social engineering I can find out a lot about who you are, what your favorite
football team is, what your dog’s name is, all of that. And one of the more interesting
ways of finding that out is if I go to your agency’s primary Twitter account and I take
a look at the list of individuals and accounts that that main account is following, there’s
a good chance that you are following yourself. Because how cool is that, if my agency’s account
is following a private account? That kind of social engineering is simple to do. If I can
find out who you are and I go to LinkedIn and find out you’re the social media manager
for agency X, Y, Z, and I go to your Twitter account and find that you live in Pittsburgh and
you love the Steelers and your dog’s name is Bob Obama, I can find out. I can find out
a lot about you and guess what your password will be. Password reset is very common as well,
and one that is not talked about frequently but happens very frequently is some third-party
website might have gotten hacked. It may not have been an important website, but some place
that you went and you said, I want to try out the free software or try their game, I register
with my Gmail account and I put in my password, and that site gets hacked, and then the hacker
out there has a huge list of passwords and login IDs. They take it, put it in a script, and
it goes and attacks these other social networks. If you use the same password for your Gmail account
it’s very simple to figure out and very easy to script. So that’s another thing to be careful
of: do not use your official government account when you are going to try software or register
for a website to try it out and say, this magical new social network, I want to be the first
one on there, and do not use the same combination of login IDs and passwords.
>>We talked about two-factor authentication; it is available on all social networks as well
as most enterprise platforms. And use your official email account, I cannot repeat that
enough. Also I would suggest that for your major property, create a special official email
account that is not tied to an individual, it’s more tied to a team. For example, I’ve seen
it happen in the past where people did use their official email account and then they
quit and moved on to greener pastures perhaps, and their IT staff shut down the email account,
and then when you go to try to recover login credentials the reset request is sent to that
dead account, and then it’s hard to get the credentials back.
>>To clarify this important point, you’re saying to use a group email, like HootSuite versus
Facebook, for that particular tool to not do that.
>>But this is where it becomes challenging, because it’s a unified thing for anyone at that for
each individual platform that we need to use we need our own password.
>>The challenge is, if you have the prime property registered under one individual official email
account, they may take off for vacation and they have their BlackBerry at home, and it gets tough to
get that information back. You have to get access to the information; it becomes very
challenging, and it becomes even more difficult if that person leaves without transferring
authority to another individual. So there are pros and cons, but the best thing to do
is to have your primary property in an account that is recoverable very quickly. Use complex
passwords, that simple, that cannot be determined by research, social engineering, and use different
passwords. If you have multiple social media properties, make sure you mix and match and
you do not have the same password for all of the accounts. I know it’s easy, but that’s
not a good idea. If it’s available, use a single sign-on.
>>Explain that.
>>Most agencies have single sign-on, which
ties authentication to your work computer, so that when you are using an enterprise tool
like HootSuite to gain access to your official social property you are restricted to devices
and networks before you can authenticate, and because it’s tied to a single tyrant you won’t
be able to accidentally tweet anything out from your iPhone or from home or your mobile
device, so that’s another layer of security that you can do. If you are part of a team,
as I mentioned before, don’t share login IDs and passwords. This has been going on for
a very long time; it just has not had a workaround. So people share. There’s only two or three
of us and we all share the same login and password, and it’s very hard to have been when
it was hijacked or what happened then. Enterprise platforms, we talked about that. There are
security and monitoring tools that are out there that keep track of what is being posted
to social property. For a lot of social media teams, they might have hundreds of properties
out there, and constantly to have those in front of your eyes at all times is kind of
difficult to do. Sometimes it’s automated tools keeping track of what people are posting at 2
AM and everyone else is back in DC and your team is asleep.
>>Will you be able to delve into that more later? Different options on that.
>>Options for what?
>>If you want to skip through this, because
we’ve gone through phishing and a fair emergency planning, this is sort of like the biggest
question that I have gotten many times this week: how do we plan for what might happen
to our accounts? There are a lot of things I think we mentioned before and Justin mentioned
before. Make sure you know who your contact people are for all of your major accounts, Facebook,
Twitter, Google, and ideally have a phone number for someone to contact and have a backup phone
number in case of an emergency. Sometimes these things happen at the end of the day
and you are sleeping. Emergency contacts for enterprise tool providers, if you have one.
In your internal process, know who to contact inside your security team, your boss and everyone
else that’s involved, and have content drafted and ready to go on sites that have not been
compromised, so if you have a Facebook page that has not been compromised or a page, these
are great avenues to go out and say this is going on, and have it preapproved and ready
to go.
>>You want me to go back in greater detail?
>>Something that people need to know, and we can go over this another time, but everyone
out there, there are tools available that you can prevent cyber vandalism and hijacking
simply by identifying keywords or trends that normally do not happen, like he touched upon.
Words that are being used that you know would never come out of your account on a normal
basis, all of a sudden that tries to come out, you’ll get an alert about it and it will prevent
and block messages from coming out. In this day and age some of the cyber hooliganism
oriented hike tracking and things like that, this is preventable now. Through all three
of these presentations that you seemed the common theme sign place, but still we need
to do better and we still need to repeat these and pound the table and drill it in that we
made a plan and we need these concerns addressed and we need it now. Now is the time. So with
that being said, thank you, and we are going into questions, and there are a lot of them.
I’m going to try to, and the Peace Corps just tweeted cyber hooliganism, they would like
us to trademark that, so Emily, we’re on that. So we will knock out a couple questions very
quickly. TD rush asks, do not send me any more questions yet so I can read the screen. We
were talking to so many questions coming in that when I look at the screen it is constantly
moving. Hold on one second. I asked the question, TD rush asked of it DigitalGov, which is
our office, we have SocialGov in a simple hack in response plan for cyber vandalism
and hijacking other agencies can read and use.
>>This is exactly why we’re here. Yes, we are
going to do that. We are going to develop that, because while individual agencies already
have this in place, if an agency doesn’t, or it needs to be updated, that’s why our digital
community exists. We’re interconnected the way we are; we will create the most up-to-date
ones and make sure every government agency has access to that to customize and use and
employ, and we will have that within days. We will have an interagency working group
to develop that, so thank you for raising that point; that’s exactly the type of objective
to get things done that we try to establish, so thank you very much Katie.
>>What Meredith asks is what can we do in the event of a hack.
>>You can rewind the presentation to download stuff, and for example we contacted Facebook
and Twitter to regain control of a compromised account, so what we’ll do in the follow-up information
that we have is, we do have email addresses like a bad twitter.com, and Facebook also maintains
a government account so that if there are these problems we are able to email them and
triage it out to 18. And people like this are always a helping hand with varying things
and are incredibly helpful, so we will send out that information so you’ll have that email,
and we have a community in place for a reason. When you check into a hospital you have to
identify who to contact in case of an emergency. This will go into your plan out how you will
handle things internally but also outside stakeholders: who can you contact, can you
rely on. It is not enough to regain, but you must respond and ensure the public’s trust. Thank
you Meredith.
>>Now Mary asked, is there a specific GSA
person that we should contact in case of hacking who would get us in touch with someone from a
compromised tool?
>>So after hours or on a weekend, if that’s
when the hack occurs. And regretfully I am that person, Mary, and it’s not that I should
be available after hours or weekends, I just do not have loved ones that can often check
this. But humor aside, this is why we have this digital community in place. Because social
media managers are doing this around the globe, through the digital community there is always
going to be someone who can back you up and work with you on that, whether it is me or
someone on our DigitalGov team, and there are a number of us and we are all here to
help you. Somewhere in the global community you will have backup, and put that
in your plan: not just people internal to our team but also outside stakeholders who can
help you with this, and people in the applications themselves or people in the community can
help walk you through that. Thank you very much on doing that. Crystal, not that we
have not got those questions; we are coming to you. The majority of these questions are around
two-factor authentication, and as we know this is the standard. That that be inside we have
unique problems, limitations, characteristics one would say in government. Like I said use
a group email and you’re saying don’t use a group email because every tool is different. With
public officials, government agencies, how do we balance that, using official accounts
and maintaining two-factor authorization, but like in the case of DigitalGov winds our
Facebook page and I know everyone will go look at now. We have six administrators for
were able to go in while we have authentication we also have people in multiple people on
the floor and ensure you have seen it all, Crystal, so for everyone who asked a question
on building that please share with us.
>>So what do you want me to cover exactly?
The best way to approach it?
>>Yes, right now with options that are currently
available to us, let us walk through a pattern here. Let’s say there is a team of three people.
Three people that want to be an administrator on a Facebook page. Are they able to have two-factor
authorization individually, or what is the balancing act on that?
>>So they do have, all three have access to two-factor authentication through their Facebook
profile, and whether they are using their own personal profile or a separate work profile
that they had that may just exist specifically for people logging into the page, they do have
access to those settings. They should use it. That is an alternative. Obviously we like
people to have one authentic profile, but using a second separate one is better than
having multiple people share an official one. If you want a secondary one to use your work
email, or maybe you have your job create an email that you use just for social media, that
is fine; you can use those and create a profile for info and activate the two-factor authentication
there. The two-factor authentication, there’s a couple ways to use it on Facebook. Obviously
you can use your cell phone number and I can send you codes, and we also have a code generator
that exists within the Facebook app, and so if you cannot get text messages you can get
the code through Facebook on your app, and we can also have codes that you can print
out and put somewhere securely. That’s the least secure, but it’s a backup in case you cannot
get text on your phone at a particular time.
>>Here’s a follow-up. It’s less of a question
more of a comment raised by a number of people: allowing an exception for a second page management
only account. Because of this comes from Renée, the sun maintaining separation of agency and
personal accounts, and she says that if they spoke are you able to use your .gov account
and set up a login to be able to manage a page, or do you have to go, because obviously
people have a personal Facebook page through their personal email, but are they able to
set up one through their official .gov or .mil account? I think that’s the struggle people are having.
[ Event exceeded scheduled time. Captioner must proceed to captioner’s next scheduled
event. Disconnecting at 12:05pm EST ] [ Event concluded ]
