Guide to securing a Facebook fan page

Posted on June 26, 2012 in Security, Tutorials

It is a little kinda obvious on how to secure facebook fan pages – but sometimes businesses who invested time and money in building their social media presence feel the need to have a document or a guide on how to keep their Facebook fan page secure and an emergency plan to refer to if shit hit the fan.

So here is a little something i put together – hope it can be of some help -keep in mind that security settings and FB settings in general change every once in a while.

click for full view

original link

A crucial step in security is to educate users and ensure they have a full understanding of the different security measures used by the platform. This infographic by Facebook puts it all together and makes it easy to have a full understanding.
It is recommended to have a workshop to explain the above concepts and to do a live implementation for the company team along with Q&A, this helps remedy the fact that everyone knows security guidelines but is too busy to implement them.

It also helps communicating techy details in a friendly way to non tech-savy personnel.

A workshop would also allow the troubleshooting of different devices being used as well as checking security for each user and make guidelines compatible with users internet habit, otherwise those guidelines will be ignored.

Below are the security topics that must be well explained and configured via the included links:

• HTTPS : https://www.facebook.com/settings?tab=security&section=browsing&view
• ID Verification:
  • Secret question
  • SMS https://www.facebook.com/settings?tab=mobile
• Login Approval
  • 2 Step authentication https://www.facebook.com/settings?tab=security&section=approvals&view
  • Login Notifications https://www.facebook.com/settings?tab=security&section=notifications&view
  • App passwords https://www.facebook.com/settings?tab=security
  • Session classifiers https://www.facebook.com/settings?tab=security&section=devices&view
  • Remote logout https://www.facebook.com/settings?tab=security&section=sessions&view
  • Hacked Facebook http://www.facebook.com/hacked
  • Social Recovery (url dynamically generated depending on user after clicking “forgot password” or initiating account recovery )
  • Login notifications and active devices https://www.facebook.com/settings?tab=security&section=notifications&view
  • Road Block ( url dynamically generated)

HTTPS, 2 step authentication and SMS ID verification are the top 3 preventive steps to take with a setup once procedure and must be considered a minimum-security-requirement. Combined with facebook robust security, they make hacking facebook page a near impossible task.

Remote logout, Social recovery and facebook.com/hacked are the top3 procedures to use once a security breached happens.

Protecting page content from spam and adverts

Block lists can be generated under “manage permissions”, Moderation and profanity block lists.

Facebook page security

Facebook pages don’t have a separate login, to be able use a page, one must first log in using a personal account, and then select the option to use facebook as a page. ( ref )  This ties security down to user level. However Facebook gives the ability to map users to different roles as per this matrix

It is recommended to have only one master “manager” or “super user” account dedicated to managing this page with “annoying” security measures enabled (strong password, 2 step authentication etc). To minimize security risks, it is to be used only from secured computer/network and only to do tasks that other accounts don’t have permissions to do.

A detailed audit/map of users and their permissions must be performed, any un-necessary privileges revoked.

What to do if someone got Hacked?

• If a non-administrator account was hacked, the page manager must be immediately notified. The user must be removed from the page until the security breach has been fixed and control over account restored. Afterward, the user is re-Added to the page in the appropriate role.

• If the administrator account is hacked and the 2 step authentication bypassed – you will get an immediate notification via SMS/Email. Restoring the logins is initiated on facebook.com/hacked
  • As soon as you report hacking, Facebook locks your account. While you can’t use it yet, the scammer can’t access it either.
  • After locking your account, Facebook will then ask you to complete the security check (SMS,Social login) to unlock the account and proceed as usual.

Below are the screens involved in restoring your account:

so that’s pretty much it – I believe facebook has huge security measures in places, all you need to do is “activate” them and make sure the corresponding people in your organization have the basics and know about them.