Cyber Security Guidelines for Securing Accounts

Version: 2.1

Author: Cyber Security Policy and Standards

Document Classification: Public

Published Date: June 2018

Document History:

Version Description Date 1.0 Published V1.0 document October 2015 2.0 Branding Change (ICT to MOTC) + added November 2016 controls for other or changed social media platforms 2.1 MoTC logo changed + Format Change June 2018

Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 2 of 19 Classification: Public

Table of Contents Legal Mandate(s) ...... 4 Introduction ...... 5 Objective ...... 5 Scope ...... 5 Intended Audience ...... 5 Understand the Risks ...... 6 General Recommendations ...... 6 Set up a Governance for Social Media ...... 6 Account creation and administration ...... 6 Account Login ...... 7 Password Management ...... 8 Information Sharing / Acceptable Usage ...... 8 Configure Privacy Settings ...... 8 Monitoring ...... 8 Third Party Solutions ...... 9 Incidents: In case of any suspicious activity ...... 9 Recovery Plan ...... 9 Security Awareness ...... 10 Securing Most Common Social Networking Sites ...... 10 : ...... 10 : ...... 11 Instagram: ...... 12 LinkedIn: ...... 12 WhatsApp ...... 13 Snapchat ...... 15 Tumblr ...... 16 YouTube / Google ...... 17 Telegram ...... 18

Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 3 of 19 Classification: Public

Legal Mandate(s) Emiri decision No. (8) for the year 2016 sets the mandate for the Ministry of Transport and Communication (hereinafter referred to as “MOTC”) provides that MOTC has the authority to supervise, regulate and develop the sectors of Information and Communications Technology (hereinafter “ICT”) in the State of Qatar in a manner consistent with the requirements of national development goals, with the objectives to create an environment suitable for fair competition, support the development and stimulate investment in these sectors; to secure and raise efficiency of information and technological infrastructure; to implement and supervise e-government programs; and to promote community awareness of the importance of ICT to improve individual’s life and community and build knowledge-based society and digital economy.

Article (22) of Emiri Decision No. 8 of 2016 stipulated the role of the Ministry in protecting the security of the National Critical Information Infrastructure by proposing and issuing policies and standards and ensuring compliance.

This guideline has been prepared taking into consideration current applicable laws of the State of Qatar. In the event that a conflict arises between this document and the laws of Qatar, the latter, shall take precedence. Any such term shall, to that extent be omitted from this Document, and the rest of the document shall stand without affecting the remaining provisions. Amendments in that case shall then be required to ensure compliance with the relevant applicable laws of the State of Qatar.

Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 4 of 19 Classification: Public

Introduction Social networks / media is an organization’s identity in the virtual world. This social identity is very much linked to its corporate public image and needs to be protected as much in the virtual world as in the real world. The social media account if not secured may open a floodgate to compromising and maligning your corporate public image.

This document provides mitigation advice and security controls to help reduce threats such as unauthorized access as well as steps to follow in order to retrieve a stolen account.

Objective Provide necessary guidance to help organizations manage their social media accounts securely.

Scope All organizations having social media presence.

Intended Audience Staff authorized to manage and use the corporate social media accounts.

However, private individuals may find the document useful too.

Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 5 of 19 Classification: Public

Understand the Risks Social media accounts related to government, semi government and national events represent an ideal and logical target for our nation’s adversaries, as social media is seen as the virtual identity of the governmental entity.

Further being a government accounts, they have a huge following and the followers have implicit trust in them.

The risks associated with such social media profiles are:

- Leaking of confidential or inappropriate information - Vandalism of content, spreading malicious content - Legal implications - Blackmail

General Recommendations Set up a Governance for Social Media Define a policy for usage of social media in your organization, on a minimum, the policy should include the following:

 Identify who in the organization is authorized to engage in social media on its behalf?

 Who controls and owns the information into a social networking site?  What information are the stakeholders passing on to other people?  Seeking consent from stakeholder prior disseminating information related to them.  Explicit procedures on social media networking. Who would the corporate account follow or be influenced with etc.  How would information received from the follower network be broadcasted? i.e. re-shared or re-tweeted etc.  Defined process for Incident handling / recovery plan in case of breach or malicious attacks.  Hardware and software authorized to access the social media account from.

Account creation and administration In order to create and manage account ownership it is recommended that organizations have:

 A dedicated corporate email (usually used as the username), should be used to create and maintain a social media accounts. This email address should be a generic/nonspecific enterprise email account for logging into social media networks. Individual enterprise email addresses are easy to guess and decrease the security of social media accounts.

Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 6 of 19 Classification: Public

 Each social media channel/account should be associated with a separate and unique corporate email. Example: the Username/Email associated with corporate twitter is different from the Username/Email used on Facebook  Do not use the same passwords for social media that you use to access company computing resources  Private emails should not to be used to manage and access a corporate social media account such as twitter account or Facebook page  The social media account page should feature the communication department approved logo and the profile text should include references that this account is “the official” account of the organization.  Organizations should define which organizations / agencies they may follow. E.g. Government agencies may follow other government agencies, verified accounts or trusted sources.  It is not recommended to follow individual users.  It is not recommended to access / re-post / re-tweet / share “unverified messages” with imbedded links and URLs.

Account Login  Configure social media accounts to use secure sessions (HTTPS) whenever possible. Facebook, Twitter and others support this option. (Note: This is extremely important when connecting via public Wi-Fi networks). QCERT can help you configure your account to use HTTPS at all times  Login should only be from a dedicated corporate owned / managed device ( PC or Mobile device)  Login should be from a trusted network, refrain from using public/open Wi-Fi networks like café’s, airports, etc.

● Mobile devices linked to your corporate social media accounts should be adequately protected using biometrics, strong passwords. We recommend that an extra layer of security by securing the apps with an additional PIN / Password, which is different from the one, used to access the device. This may be possible through use of certain third party applications.

 Disable the geo-location feature while posting or tweeting.

Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 7 of 19 Classification: Public

Password Management  Always use strong and secure passwords to access social networks. The passwords should comply with the corporate password policy.  Change passwords frequently. Have different passwords for different accounts.  Use multi-factor authentication for social media accounts (if supported by the provider).  Never share your passwords with anybody. Information Sharing / Acceptable Usage  Do not disclose any official information upon registrations of social accounts.  Restrict employees from posting official and sensitive data or information over social networks.  Only authorized personnel should be allowed to operate corporate social media accounts.  Do not post any information that may be discriminatory, disparaging, defamatory or harassing comments regarding the organization or its employees or any third party in their electronic postings or publishing.

Configure Privacy Settings  Review and revise as necessary the default privacy settings offered by the social media networking sites.

Monitoring  Limit corporate social media account access to an authorized employee in order to control the content distribution over social networks. This could be the Public relation officer (PRO), official spokesperson, etc.  In case where more than one person has access to the corporate social media account, internal procedures should be defined to regulate this activity, this should include training user on usage of social media, active monitoring, and use of social media management solutions and / or any other compensating controls as deemed necessary.  Regularly monitor the access granted to authorized user accounts and revoke the access of employees who leave the organization or no longer have a business need to use social media.  Have a third party individual, who is not responsible for content, continuously monitor social

media accounts for unauthorized or unusual postings.

Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 8 of 19 Classification: Public

Third Party Solutions  The organizations should consider usage of a social media management solution.

Incidents: In case of any suspicious activity  Please report to QCERT ([email protected]) or call (+974 4493 3408) if you see any of the

suspicious symptoms below:

. Automated likes, favorites, follows/un-follows or friend requests

. Private messages being posted to your friends (this can be hard to spot unless

someone points it out to you)

. Unexpected email/push notifications from the social network, such as:

. Warning that your email address has been changed

. Warning that your account was accessed from an unknown location.

. Status updates/tweets that you didn’t make

. Changes to the profile or pictures on the account.

Recovery Plan  Please report to QCERT ([email protected]) or call (+974 4493 3408)

 Collect all logs, traces, artifacts of malicious activity for investigation and possible legal

requirements.

 Immediately change account passwords.

 Verify and change the password for the associated emails and back up emails

 Verify the password recovery options set for the social media account; verify the alternative

email address that has been setup.

 Verify auto forward options if any setup for the account and associated emails.

 Visit the applications page of the social network and remove any apps you do not recognize.

If the account continues to behave erratically, we recommend you revoke access to all

applications.

Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 9 of 19 Classification: Public

Security Awareness  Employees managing and / or maintaining the organization’s social media accounts shall be

sensitized and educated on information security. They should be made aware of prevalent

threats such as Phishing and social engineering.

Securing Most Common Social Networking Sites Facebook:

a. Ensure you're using a secure connection whenever one is available, click Security in the left pane of Facebook's Account Settings and make sure Secure Browsing is enabled. b. The security settings also let you enable log-in notifications and approvals, and view and edit your recognized devices and active sessions. c. Security Tips: i. Protect your password. ii. Use Facebook’s extra security features. iii. Make sure your email account(s) are secure. iv. Logout of Facebook when you have finished your work. v. Run anti-virus software on your computer. vi. Think before you click or download anything. d. Enable 'Login Approvals' from the 'Account Security' section of the account settings page. Follow the link - https://www.facebook.com/notes/facebook- engineering/introducing-login-approvals/101501726182589201 e. Update your accounts as per new security tips and guideline of Facebook. You can find them at https://www.facebook.com/help/3792207254659722

1 This link may change. Refer to Help Section available on Facebook if this link no longer works 2 This link may change. Refer to Help Section available on Facebook if this link no longer works Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 10 of 19 Classification: Public

Twitter:

a. When you sign up for Twitter, you have the option to keep your Tweets public (the default account setting) or to protect your Tweets. b. Accounts with protected Tweets require manual approval of each and every person who may view that account's Tweets. c. Security Tips: i. Use a strong password. ii. Use login verification. iii. Government organizations shall get their account validated and verified You may verify your Twitter account by following instructions and filling up a form on Twitter (https://support.twitter.com/articles/20174631)3. iv. Watch out for suspicious links, and always make sure you're on Twitter.com before you enter your login information. v. Never give your username and password out to untrusted third parties. d. Using SMS text message login verification: To set up SMS text message login verification: i. Go to your Security and privacy settings on twitter.com and select the option to Verify login requests. ii. When prompted, click Okay, send me a message. iii. If you receive our verification message, click Yes. (Note: you'll have to enter your password). iv. You can generate a backup code by selecting the option to Get backup code. Write down, print, or take a screenshot of this backup code; this will help you access your account if you lose your phone or change your phone number. e. Update and follow the best practices mentioned by Twitter regularly. You can find them at https://support.twitter.com/articles/760364

3 This link may change. Refer to Help Section available on Twitter if this link no longer works. 4 This link may change. Refer to Help Section available on Twitter if this link no longer works. Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 11 of 19 Classification: Public

Instagram:

a. Security Tips: i. Pick a strong password. ii. Make sure your email account is secure. Change the passwords for all of your email accounts and make sure that no two are the same. iii. Logout of Instagram when you use a computer or phone you share with other people. Don't check the "Remember Me" box when logging in from a public computer. iv. Think before you authorize any third-party app. b. Update your accounts as per new security tips and guidelines of Instagram. You can find them at https://help.instagram.com/3690011498433695 LinkedIn:

a. Security Tips: i. Change your password regularly. ii. Sign out of your account after you use a publicly shared computer. iii. Manage your account information and privacy settings from the Profile and Account sections of your Privacy & Settings page. iv. Keep your antivirus software up to date. v. Do not put your email address, home address or phone number in your profile's Summary. vi. Consider turning two-step verification on for your account. vii. Be informed about reporting inappropriate content or safety concerns. b. Update your accounts as per new security tips and guidelines of LinkedIn, https://help.linkedin.com/app/answers/detail/a_id/267/~/account-security-and- privacy---best-practices6

5 This link may change. Refer to Help Section available on Instagram if this link no longer works 6 This link may change. Refer to Help Section available on LinkedIn if this link no longer works. Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 12 of 19 Classification: Public

WhatsApp

a. Impostor Alerts: Enabling this setting in WhatsApp will give you notice that you may be communicating with an imposter. The way to protect yourself is to go to the “Settings” icon at the bottom right of your WhatsApp screen (if using mobile), open up the Account settings area, and turn on the "Show Security Notifications" setting. b. Privacy Settings: i. Lock WhatsApp: Protect the app with a password or PIN. WhatsApp itself doesn’t offer such a function, however you could look at secure alternatives where available. Currently no such feature is available on iOS / Android. ii. Block WhatsApp photos from appearing in photoroll: You could restrict your WhatsApp photos from appearing in photoroll. i. iPhone: Go into your phone’s Settings menu, then ‘Privacy’, ‘Photos’, and deselect WhatsApp from the list of apps whose images are fed into the photo stream. ii. Android: Using a file explorer app like ES File Explorer, find WhatsApp’s ‘Images’ and ‘Videos’ folders. Create a file within each called ‘.nomedia’. That will stop Android’s Gallery from scanning the folder. iii. Hide ‘last seen’ timestamp: You can disable or restrict who sees your ‘last seen’ time in WhatsApp’s ‘Profile’; ‘Privacy’ menu, in Android, iOS, Windows or Blackberry. Be aware though, if you turn it off, you won’t be able to see other users’ ‘last seen’ times either. iv. Restrict access to profile picture: If your WhatsApp sharing is public, anyone you’ve ever spoken to – even if you’ve just replied to an unwanted message – can download your pic from your WhatsApp profile and, using Google Image search, very quickly find out more about you. Set profile picture sharing to “contacts only” in the Privacy menu. For corporate accounts, the profile image should be the corporate logo. Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 13 of 19 Classification: Public

c. WhatsApp scams: WhatsApp itself will never contact you through the app. Also, WhatsApp does not send emails about chats, voice messages, payment, changes, photos, or videos, unless you email their help and support to begin with. Anything offering a free subscription, claiming to be from WhatsApp or encouraging you to follow links in order to safeguard your account is definitely a scam and not to be trusted. d. Lost / Stolen Mobile: Deactivate WhatsApp if you lose your phone. WhatsApp recommends that you immediately activate WhatsApp with the same phone number on a different phone, with a replacement SIM. Only one number on one device can use the app at a time, so by doing this, you can instantly block it from being used on your old phone. If that is not possible, WhatsApp can deactivate your account. e. Be careful what you talk about: Don’t send personal information if you can possibly avoid it – addresses, phone numbers, email addresses – and never send your bank, QID or credit card details, or your passport or other identification details. f. WhatsApp Web: i. Although WhatsApp Web was designed to make life easier by accessing WhatsApp on your desktop, the service is prone to misuse. Just anybody who has access to your phone and WhatsApp application can initiate a web session, scan your WhatsApp security QR code and have complete access to your WhatsApp chats. This can be avoided by ensuring that you do not let anybody else have physical access to your phone, in case where you do need to share, make sure the application is locked with a PIN. ii. Remember to logout of WhatsApp Web: The mirroring service makes life easier while working on PC. However, most users are unaware that they should ideally logout of WhatsApp Web on Google Chrome browser either from their mobile or the browser. iii. WhatsApp web should only be accessed from a dedicated corporate device

Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 14 of 19 Classification: Public

g. Encryption: i. First, make sure that WhatsApp has access to your camera. You may have already allowed this when you installed WhatsApp, but if you did not, it is an easy setting in your Applications area of your phone. ii. Next, open a conversation with your friend in WhatsApp and then select the person’s name at the top of the conversation. This will open the contact window for that person. Near the bottom of that screen you will see a setting for Encryption. iii. Tap on the encryption field, and you will be presented with a screen that displays a QR code as well as a 60-digit decimal code that represents the contents of that QR code. iv. At the bottom of the QR code screen, there is a link that will enable you to scan your friend’s code, and they can do the same for your code. This is why you need to allow camera access in WhatsApp, even if only temporarily. v. Deactivate the access to the camera when done.

Snapchat

a. Privacy: i. Keep your Snaps and Stories friends-only: Snapchat sets your account options to friends-only by default. This means only people you have added as a friend that have added you back can send you Snaps or view your own. We strongly recommend keeping it that way so you know at all times who is viewing what you create. Don’t change your settings to ‘everyone,’ as that means literally anyone with a Snapchat account can send you messages or see your Stories. ii. Make sure you know (read: really know) who is on your friends list. If another user tries to add you as a friend, check whether you know who it is before accepting it. If the username of the person who added you does not appear to be anyone you know, it could be a spambot, or an

Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 15 of 19 Classification: Public

overly curious stranger who has no reason to learn about your life via Snapchat. It is best to ignore these requests. iii. If you don’t want it to be permanent, don’t Chat or Snap it: Snapchat content expires after a set time, and Snapchat should also notify you if someone screenshots one of your Snaps or Chats. But don’t let that fool you into complacency – your Snaps can definitely be saved (and shared) for posterity without your knowledge. iv. Snapchat Live: If you ever try to submit something to a “Snapchat Live” story — the collection of stories Snapchat creates for events, holidays, locations or various other reasons — keep in mind that it has the potential to be viewed by the entire world if it is selected. Therefore, before trying to submit something, make sure you are comfortable with that. b. Passwords: Refer to Error! Reference source not found. section above.

Tumblr

a. Passwords: Refer to Error! Reference source not found. section above. b. Enable Two-Factor Authentication i. Click "Settings" under the Account menu at the top of the Dashboard. ii. In the Security section, enable “Two-factor authentication.” iii. Enter your phone number. iv. Now decide whether you would like to receive the code via text or through an authenticator app. We recommend both in case you need to use one as a backup. v. Follow the steps laid out in the Settings page c. Application Lock: Set up the passcode lock in your account settings on mobile (if available – it is still in the process of rolling out). This will let you require a passcode or Touch ID to enter the Tumblr app on your phone. d. Logging: Enable “Email me about account activity” turned on in your account settings. e. Never give an application access to your Tumblr account unless it is from a source you trust. f. Always logout of your session once you have finished your work. by clicking on the account menu at the top of the dashboard and then clicking “Log Out” at the top of the menu.

Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 16 of 19 Classification: Public

g. Report SPAM i. From posts on the web: From the dashboard or a search results page, click the share menu (paper airplane) at the bottom of the post, and click “Report.” ii. From blogs on the web: Report an entire blog by hovering over the blog's avatar, clicking the little person silhouette, and clicking “Flag this blog.” iii. From messages in the app or on the web: Tap or click "Mark as spam" under the spammer's first message. Note that "Mark as spam" won't appear if it's somebody you follow, or somebody you've already had a conversation with. iv. From fan mail on the web: From the inbox, click the three dots at the bottom of a spam message and choose “Report.” v. If you do not have access to a computer now, you can use a mobile browser’s desktop view to report spam following the steps listed above. To get to the desktop view in iOS, open and visit tumblr.com, log in, tap the share icon (little box with an arrow) at the bottom of the screen, and tap the gray “Request Desktop Site” button. On Android, open Internet or Chrome and visit tumblr.com, login, tap the three dots icon in the top right-hand corner of the screen, and check the “Desktop View” box.

YouTube / Google

a. Passwords: Refer to Error! Reference source not found. section above. b. 2 Step Verification for your Google Accounts: Enable 2 Step verification for your Google accounts to ensure that whenever you log in to YouTube from a new device (or every time you log on anywhere, depending on your preference), you’ll be sent a verification number as an SMS text or voice call. Then you can enter your verification code to ensure that you’re the real you. This protects you against third parties trying to log in to your account, even if they have your password c. Always logout of your session when you have finished your work by clicking on the account menu at the top of the dashboard and then clicking “Log Out” at the top of the menu. d. Account Recovery: Add a recovery phone number and secondary secure email to your YouTube account. Not having both a phone number and a secure email means your account could be accessed by someone who knows or guesses the answer to your security question. Keep your recovery information secure and up-to-date. e. Don’t give your information away via email: You shouldn’t trust emails that you receive that request the password with which you access your YouTube account. In fact, if it comes from Google itself, be extra wary – an attack uncovered a few months ago shows that a malicious URL, in the guise of a company link, could make users enter their information without realizing it.

Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 17 of 19 Classification: Public

Telegram

a. Passwords: Refer to Error! Reference source not found. section above. b. 2 Step Verification for your Google Accounts: Enable 2 Step verification for your Telegram accounts to ensure additional security. Once enabled, you will need both an SMS code and a password to log in. c. Account Recovery: Set up a recovery email address that will help regain access, should you forget your password. If you do so, please remember that it is important that the recovery email account be also protected with a strong password and 2- Step Verification when possible. The recovery email should also be a corporate email. d. Screenshots: There is no bulletproof way of detecting screenshots on certain systems (most notably, some Android and Windows Phone devices). Although Telegram does make every effort to alert you about screenshots taken in your Secret Chats, but it may still be possible to bypass such notifications and take screenshots silently. As a general precaution, it is recommended that sensitive information is shared only with people you trust. e. Logging Out: Telegram can work simultaneously on as many devices at the same time, as you like. You should log out of the applications if you are physically moving away from the device where you are running Telegram. If you log out, you do not lose your cloud messages. However, you will lose all your Secret Chats and all messages inside them when you log out. Note that logging out doesn‘t trigger remote deletion of your secret chat messages on your partner’s device — to do that, choose ‘clear history’ first. iOS: Go to Settings, then Edit, then Log out.

Android, Windows Phone: Go to Settings, then Log out.

f. Lost Phones: The phone number is the only way for us to identify a Telegram user at the moment. So whoever has the number, has the account. There is no way to recover / secure the data unless you have access either to the phone number or to Telegram itself on any of your devices. If have access to Telegram on another device

. Go to Telegram Settings — Privacy and Security and turn on Two-Step Verification. This way the phone number alone will not be enough to log in to your account. . Go to Settings — Privacy and Security — Active Sessions and terminate your Telegram session on the old device. Whoever has your phone will not be able to log in again, since they don't know your password.

Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 18 of 19 Classification: Public

. Contact your phone provider, so that they block your old SIM and issue a new one with your number. . If you decide to switch to a new phone number, don't forget to go to Settings, tap on your phone number and change your Telegram number to the new one.

If you don't have access to Telegram on any other devices

. First and foremost, you need to contact your phone provider, so that they block your old SIM and issue a new one with your number. . Wait till you receive your new SIM with the old number, log in to Telegram, then go to Settings — Privacy and Security — Active Sessions and terminate your Telegram session on the old device.

g. Removing sensitive data:

. If you have reasons to worry about the data on the device and are unable to log out the other device, it is best that you wipe it remotely. Telegram does not support remote Wipe, however you could use such features provided by the phones such as Apple iOS , Android. This requires you to have prepared in advance for this scenario. . You can delete your Telegram account if you are logged in on at least one of your other devices (mobile or desktop). Note that inactive Telegram accounts self-destruct automatically after a period of time — 6 months being the default setting.

Privacy: You can choose who sees this info in Privacy and Security settings. You won‘t see Last Seen timestamps for people with whom you don’t share your own.

Cyber Security Guidelines For Securing Social Media Accounts Version 2.1 Page 19 of 19 Classification: Public