Social media cyber-vandalism toolkit

Cyber-vandalism presents a serious challenge to online-based communication tools. This resource provides information for agency practitioners to prepare for, recover from, and respond to cyber-vandalism.

Readiness: Phase 1

Identify a social media stakeholder team to prevent and respond to cyber-vandalism

Responsible managers should be aware of their roles in the potential response to any social media cyber-vandalism, including the necessity of quick, decisive action. This team should be connected by email, phone, text and any other appropriate means of communication. The team includes, but is not limited to:

1. Social media team
2. Program manager
3. Public affairs representative
4. General Counsel
5. IT Security
6. Senior leader or manager

Review resources for various communication tools

Online-based communication tools offer resources. Browse their help centers to become familiar with their support and their unique characteristics.

• Facebook Security Features and Tips
• Keeping your Google account more secure
• Instagram Safety Center
• LinkedIn Transparency Center
• A Safer X (formerly Twitter)

Establish stakeholder rapid-outreach plan

Prepare a list of internal and external contacts and processes for a cyber-vandalism incident. For example:

• Who is the point of contact for incidents?
• Who is the government point of contact?
• Who is on your social media stakeholder team?
• Who are key audiences on social media and other channels to alert?

Incorporate their relevant contact information, including:

• Emails
• Mailing lists
• Phone numbers
• Social media handles
• Hashtags

Create communication templates

Pre-populate different types of messages for emails, texts, social media posts, and more. Also communicate essential information to convey the nature of the compromise such as:

• An account is compromised
• An administrator cannot access an account
• A username or password for an account is compromised;
• Information on the account is unauthorized.

Review secure social media best practices checklist

1. Institutionalize secure web standards, such as HTTPS, as a foundation for secure social media.

2. Establish accounts with official .gov or .mil domains of federal employees.

   • Allow for more than one employee to administer an account.
   • Designate an alternative as auxiliary support. Limit this designation to an individual essential to the operation and management of an account.
   • Clearly define the criteria for the administrator and alternative.
   • Provide adequate resources to the full-time employee (FTE) administrator, including a mobile device and third-party management tool whenever possible.

3. Create a social media policy with standard operating procedures for cyber-security.

4. Obtain approval from appropriate parties, including your agency’s IT security team and legal counsel.

5. Train stakeholders and others on the procedures and policies of social media cyber-security. Require training before use of an account.

6. Add all official accounts to the U.S. Digital Registry, verifying authenticity of ownership. (For the Department of Defense (DoD), add social media accounts to the DoD registry.)

7. Follow best practices for secure passwords.

Evaluate two-step verification

This type of authentication (also referred to as “two-factor authentication” or “2FA”) verifies a user attempting to access a device or system. It requires confirmation of two consecutive, yet dependent, entries. It may not be applicable to those without mobile devices or in secure environments that prohibit entry with such items. It may also require the use of third-party management tools to effectively allow multiple content coordinators.

• How two-factor authentication works on Facebook
• Authentication tools for secure sign in on Google and YouTube
• Two-step verification overview on LinkedIn
• How to use two-factor authentication on X (formerly Twitter)

Review special guidance

For supervisors and directors: Confirm policy is clear, accessible, and distributed among employees. Review, approve, and document all agency accounts regularly. Identify and eliminate rogue accounts. Instruct staff administering accounts to adhere to agency criteria and undergo training where appropriate.

For social media managers: Make security a part of regular social media meetings. Conduct security checks on a regular basis. Regularly update passwords. Keep the list of social media accounts updated. Keep account manager contact information accessible and updated. Remove access for users who are no longer with the agency. Develop a secure method of storing account names, owners, and passwords.

For social media coordinators: Use a protected, official government device. Use protected connections. Do not post from an open Wi-Fi network. Use a work VPN, 3G, or the work-related Internet connection. Generally, use network locations with strong firewalls and on standalone equipment. Preview shortened links to see the address of where they lead. Review the URL of a website in the address bar. Make sure the websites you visit use HTTPS encryption. If you are unsure of a link, double-click the `secure browsing icon` to the left of the URL in your browser’s address bar to display the digital certificate for a website (this will be a padlock icon in most browsers).

Increase knowledge on secure use of social media

It’s crucial for staff who manage social media functions to be knowledgeable about cybersecurity best practices to safeguard their public agency accounts.

• CISA cybersecurity alerts and advisories
• Defense Information School training on social media
• DoD social media education and training
• FTC consumer advice for scams
• FTC consumer advice for online privacy and security
• Login.gov authentication tool
• Deep fakes and social media: A Q&A with Alex Cohen (blog post)
• True crime detectives: How we used free web metrics tools to uncover a cybersecurity incident (blog post)

Recovery: Phase 2

Alerts of suspicious activity on social media can come from anywhere, including social media itself. If the social media cyber-security stakeholder team or responsible manager determines an incident is in progress, remember that minutes and even seconds count. Within minutes you’ll need to alert internal stakeholders, alert outside stakeholders to help you regain control, and act to isolate the compromise.

Immediately alert your social media cyber-security stakeholder team, and copy them on subsequent messages. Then, attempt to change passwords to isolate the incident and contact your points of contact at the platform to help regain control.

Information to regain control after cyber-vandalism

• Facebook Help Center: Hacked and fake accounts
• LinkedIn Help: Report a compromised account
• Instagram Help Center: Hacked Instagram Account
• X (formerly Twitter) Help: What to do if your account has been compromised and How to report impersonation accounts

Audit your social media inventory

First audit your list of social media accounts, password holders, agency hosted websites. Ensure no former employees, contractors, or interns have access to current passwords.

Then, review any third-party app you use to monitor or post to social media, plus other digital services, including websites, for signs of cyber-vandalism and any vulnerabilities.

Confirm cyber-vandalism recovery process on different channels

Once securing your other accounts, release pre-approved initial messages alerting your communities that an incident is occurring and that steps are underway in order to recover cyber-vandalized accounts.

Initiate restoration activities after regaining account(s)

Contact your agency records officers and office of general counsel to discuss social media records management issues.

1. Archive cyber-vandalism messages.
2. Delete cyber-vandalism messages.
3. Stop all pre-scheduled messages.
4. Restore normal settings and features.

Response: Phase 3

Agencies must not only prepare for and recover social media accounts after a cyber-vandalism incident, they should also quickly and effectively respond to their stakeholders and audiences as soon as possible using social media in order to maintain trust in digital services. Initial responses to the cyber-security stakeholder team and the public should be within minutes of recovering control of your accounts.

Confirm incident and recovery

• Cyber-security team confirmation: Send initial report of recovery to social media cyber-security stakeholder team.
• Public confirmation: Distribute, as soon as possible, social media posts confirming the cyber-vandalism incident and your recovery of affected accounts. Announce a return to regularly scheduled activities.
• Community confirmation: Deliver additional communication with pre-determined internal audiences and stakeholders to prevent the spread of rumors and misinformation.

Confirm and verify changes to access

1. Review account holders.
2. Confirm verification of login status.
3. Confirm changes and updates of passwords.

Conduct a review of lessons learned

• What type of response worked well?
• Why did this work so well?
• What did not work?
• What unforeseen events occurred?
• What changes will lead to a better response?

Apply data and analysis of outcomes to improving your program

• Develop an after-action report.
• Ensure future relevance with accurate information.
• Include lessons learned and best practices.