An IBM research team recently warned that a hacker could easily manipulate emergency systems to get rid of protections or dissemble alerts to warn people of catastrophic events. This has huge implications for the security of our critical national infrastructure (CNI) such as traffic monitoring systems, flood defences and radiation detection.
The security threat to our critical national infrastructure (CNI) is becoming a worrying reality. Take the recent erroneous alerts regarding potential missile strikes that caused mass concern in Hawaii and Japan. These should serve as a reminder to immediately evaluate the cyber security procedures used to protect these emergency warning systems.
Forgotten passwords causing chaos
In the case of the fake Japanese and Hawaiian missile strikes, both alerts can be traced back to employee error. In the Hawaii case specifically, the false alarm was sent out via Twitter. This case was compounded by the fact that the governor forgot his Twitter username and password and could not log on to fast enough to provide the public with accurate information. As social media becomes an increasingly more popular way to disseminate information with the general public, and as CNI attacks potentially start to grow in frequency, all government officials who use social media must re-asses how they are managing these accounts to ensure that a forgotten password does not delay crucial communications .
Social media platforms such as Twitter, for example, must be hardened to prevent hackers from hacking into these accounts to spread false information – a clear possibility in today’s threat landscape.
Clever attackers realise the power of communication platforms and have targeted social media accounts to plant false information over the years. Take the case of the false tweet sent from the US’s Associated Press Twitter handle. This resulted in a $136.5 billion drop in the S&P 500 index’s value in minutes.
Re-thinking social media security
When we think of CNI we think of power stations, traffic lights and water mains. But it must go one step further than that. Government-related social media accounts used for current or sensitive communications should be considered as CNI, held to the same cybersecurity best practices as the energy, transportation and chemical sectors.
Government social media accounts — like Twitter, Facebook, YouTube, LinkedIn and more – are often shared accounts. This means that teams of people within an agency have access to and can post information to them. The passwords for these accounts are commonly shared internally among team different team members.
This makes social media a very easy target for attackers or malicious insiders. The shared nature of these accounts also means there is no record kept of who posted what when – this is where we can quickly run into trouble. To add to the issue, passwords used to “secure” these accounts are rarely changed and typically used across multiple accounts.
By bolstering the security measures for these accounts, organisations can be safe in the knowledge that a simple forgotten password doesn’t hold up critical communications, while also strengthening these platforms against external hacks.
To thoroughly secure and protect social media accounts, agencies must undertake best practices for privileged account security, including:
Eliminate shared credentials: Storing passwords in a digital vault requires users to login individually for access, eliminating the accountability challenges of shared credentials
Ensure transparent access: Authorised users must be able to seamlessly authenticate to an account without knowing their passwords, making it harder for hackers to uncover and steal credentials. This kind of access would have given Hawaii’s governor immediate access to his account to confirm that the missile alerts were false.
Audit account activity: By creating a record of activity on social media accounts, all posts can be traced back directly to an individual authorised user, making it easy to identify employees who may be posting harmful content.
Automate credential changes: Changing privileged credentials ensures attackers can’t use old passwords across systems. Automating password changes regularly also updates access privileges, reducing the chance of an outsider stealing and using a valid credential.
The false alarms in Japan and Hawaii highlight the huge amount of trust that the government, organisations and civilians place in social media as a reliable and trustworthy means of public communication. They’re also prime examples of what can go awry when these trusted social sites aren’t managed properly and securely.
The incident in Hawaii needs to motivate agencies to safeguard against these same avoidable mistakes. Crucially, it’s a call to action to proactively protect social media against threats both nefarious and accidental. This will be of the upmost importance in the age of rising CNI attacks and as the public ‘catch on’ to their worrying consequences. This is only the beginning.
Head of Red Team Services
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.