Social media platforms such as Facebook serve as a way for individuals to connect and share information with each other. Nevertheless, such social media websites may pose a threat to their users, since cybercriminals are increasingly using Facebook as a tool to acquire information on targets such as individuals, employees, and companies.
It is vital for everyone, whether they are a private citizen or work for the government or a large enterprise, to adopt safe habits that diminish the risks associated with using social media websites such as Facebook.
This is a comprehensive Facebook security and privacy hardening guide that is focused on educating all social media users in applying the most effective security and privacy settings for their personal Facebook account by providing best practices and mitigation tactics.
We will first start off with enhancing our Facebook account’s security and then proceed to change our privacy settings to hinder the efforts of threat actors.
Changing Facebook Security and Login Settings In Options
Why Apply The Security Settings For Your Facebook Account
To reduce the chances of a successful account compromise by an attacker.
To reduce the chances that an attacker can successfully take control of your account and spread malware to your Facebook friends.
To ensure a safer Facebook experience for everyone, including yourself.
The first thing we are going to do is change our Facebook security and login settings to better protect ourselves from hackers who are interested in gaining unauthorized access to our personal social media accounts.
Let’s start by accessing our Facebook Settings from the Menu.
We’ll be presented with several menus, starting with the “General” menu, which displays the “General Account Settings” section.
For Contact, click Edit on the right and ensure that the Primary Contact email address is up-to-date.
Limit the number of email addresses associated with your Facebook account to reduce the cybersecurity risk of account compromise by clicking on “Remove” on the email addresses not needed.
Hit “Save Changes.”
Security and Login
Let’s proceed by clicking on “Security and Login” menu.
For Recommended, do NOT “Choose friends to contact if you get locked out.” This creates an additional attack surface despite Facebook recommending this option.
Review “Where You’re Logged In.” If you see any devices you don’t recognize or are no longer using, click “Log Out.”
For Login, ensure that you are using a unique password for your Facebook account. Turn off profile picture login; this reduces the chance that someone with physical access to your device can simply click on your profile picture to log in to your Facebook account.
Also, remove profile picture login from Facebook for iOS on iOS 11.
In Setting Up Extra Security, under Get alerts about unrecognized logins, go to Notifications and select “Get notifications.” Under Messenger, select “Get notifications.” Under Email, select “Email login alerts to.” Click “Save Changes.” These changes will enable Facebook to notify you in the event that there are unrecognized logins from a device or browser you don’t frequently use.
Under Use two-factor authentication, ensure that Two-factor authentication is on. Do NOT enable Text Message (SMS) as a type of 2FA. We do not want our Facebook accounts to be vulnerable to SMS hijacking. Hence, make sure that option is “Disabled.” If you have any Universal 2nd Factor (U2F) security keys, you may add them under Security Keys as Facebook supports this feature. Enable the Code Generator which lets you “Set up a third party app” to generate codes.
Under Advanced and in Encrypted notifications email, ensure that this feature is On and add your OpenPGP Public Key by pasting it in the relevant field. Do NOT select “Enable additional account recovery method.” Check the box for “Use this public key to encrypt notification emails that Facebook sends you.” Hit “Save Changes.”
Changing Privacy Settings In Options
Why Change Your Privacy Settings For Your Facebook Account
To make it increasingly difficult for criminal hackers, state-sponsored actors, law enforcement, and jealous exes to spy and carry out cyber espionage on you especially on Facebook which is typically perceived as a more personal social media platform in contrast to others such as Twitter.
To hinder successful reconnaissance by sophisticated threat actors who use social media websites to gather information about an individual or group of individuals, which ultimately leads to well-crafted emails for the purposes of social engineering or spear phishing. Such emails can be dangerous given the possibility that malware is attached and could compromise the security of the target’s computer or network.
To prevent identity theft, particularly when threat actors gather personal information about the target in order to impersonate them or to obtain passwords that may compromise the target’s security on additional online sites or services.
Let’s proceed by clicking on “Privacy” menu.
In Your Activity and under Who can see your future posts, select “Friends.” This will ensure that people who are not added as a Facebook friend cannot see your future posts on your profile page.
Under Limit The Audience for Old Posts on Your Timeline, click on “Limit Past Posts.” This option will ensure that all your past posts are now shared only with Friends. Thus, people who are not added as a Facebook friend cannot see these past posts on your profile page.
Under How People Find and Contact You and in Who can send you friend requests, change this from the default “Everyone” to “Friends of friends.” This will reduce the chance of a complete stranger you don’t know in real life possessing the option to add you as a friend on Facebook for the purposes of cyber espionage or distribution of malware. You are more likely to know friends of friends.
In Who can see your friends list, select “Only me.”
In Who can look you up using the email address you provided, select “Friends.”
In “Do you want search engines outside of Facebook to link to your profile?“, do NOT tick “Allow search engines outside of Facebook to link to your profile.” We do not want search engines to index our personal Facebook profiles for cybersecurity and privacy reasons.
Timeline and Tagging
Let’s proceed by clicking on “Timeline and Tagging” menu.
In Timeline and Tagging, select “Only me.” for every section. This will limit the amount of exposure.
In Review, select “On.” for both sections.
Let’s proceed by clicking on “Notifications” menu.
In Email, click “Edit.” and under WHAT YOU’LL RECEIVE, select “Only notifications about your account, security and privacy.” This will ensure that you will only receive notifications regarding the security and privacy of your Facebook account.
Under LIVE VIDEO SETTINGS, select “Turn off email notifications about comments added to your live video conversations.”
Under OFFER SETTINGS, select “Turn off email notifications about offers you have saved.”
Let’s proceed by clicking on “Mobile” menu.
In Mobile PIN, turn on the feature and create a “New PIN.” The PIN that you choose will ensure that others cannot access your Facebook account by spoofing your mobile phone number or borrowing your device. Hit “Save Changes.”
Let’s proceed by clicking on “Public Posts” menu.
In Who Can Follow Me, select “Friends.” This will ensure that people you don’t know and are not friends with on Facebook cannot follow you and see your posts in News Feed.
In Public Post Comments and under “Who can comment on your public posts?“, select “Friends.”
In Public Post Notifications, select “Public.”
In Public Profile Info and under “Who can like or comment on your public profile pictures and other profile info?“, select “Friends.”
Let’s proceed by clicking on “Apps” menu.
In Apps, Websites, and Plugins, click on “Edit.”
Proceed by clicking on “Disable Platform.”
The reason we need to disable the platform is that third-party Facebook applications are recognized as possessing the ability to access profile information without the user’s knowledge. Thus, we need to reduce the amount of information obtained that could be utilized for malicious purposes.
In Game and App Notifications, click on “Edit.” and click “Turn Off.”
In Apps Others Use, click on “Edit.“, ensure that all boxes are NOT ticked, and click on “Save.”
In Old Versions of Facebook for Mobile, click on the box and select “Only me.” This feature ensures that old Facebook mobile apps do not publicly expose the posts you make. For security reasons, refrain from using any old versions.
Let’s proceed by clicking on “Ads” menu.
Review all settings and make any changes you would like.
In Ad settings, click on Ads with your social actions to expand the section, scroll down until you see “Include my social actions with ads for:“, click on the box and select “No One.”
Changing Our Facebook About, Friends, Photos, and More Pages
Editing What We Like
We are now going to continue changing how our public Facebook profile looks.
First, we are going to click on our own Facebook profile, click on More, and click on Manage Sections.
We will see a popup window called Manage Sections. Ensure that all boxes ARE ticked, which makes the sections visible to us so we can easily adjust the privacy settings for them.
Now we can proceed to either our About page or click on More again, and click on one of the sections that we want to edit such as Movies.
Once you get to the Movie section, click on the little pencil icon, and click on Edit Privacy.
We will be presented with a popup window called “Edit Privacy: Movies.” Under Likes, click on the box and select “Only me.” Hit “Close.” after making the privacy setting change.
Proceed to edit the other sections such as Music, Sports, Check-Ins, TV Shows, Books, and Likes with the same setting as applied above on the page.
When we are done, we can scroll back to the top of our page, click on More, and click on Manage Sections again. We can untick all the boxes again since we don’t need to apply any more changes to the sections.
Editing The About Page
Work and Education
Let’s proceed by going to our About page. We should edit the various sections to limit the amount of information the public can see on our personal Facebook profile.
Click on the Work and Education section. If you have any occupations listed in here, click on “Options.” and select “Edit.”
We will see a blue box on the left of the section, click on it, choose “Friends“, and hit “Save Changes.”
We can also apply the same changes to our Education in this section as well.
All the changes you are making will ensure that the public cannot see your personal information on your About page without first adding you as a friend.
Places You’ve Lived
Click on the Places You’ve Lived section. Under CURRENT CITY AND HOMETOWN and in Current City, click on the blue box located on the left of the section. Choose “Friends“, and hit “Save Changes.”
Contact and Basic Info
Click on the Contact and Basic Info section. Under CONTACT INFORMATION and in Mobile Phones, click on the blue lock icon, select “Only me“, and hit “Save Changes.”
Apply the same changes to the other areas in this section, including your Birthday under BASIC INFORMATION.
Family and Relationships
Click on the Family and Relationships section. Under RELATIONSHIP and in Relationship Status, click on the blue box located on the left of the section. Choose “Friends“, and hit “Save Changes.”
Apply the same changes to the other area in this section, notably FAMILY.
Details About You
Click on the Details About You section. Under ABOUT YOU and other areas of this section, click on the blue box located on the left of the section. Choose “Friends“, and hit “Save Changes.”
Previewing Your Facebook Profile From The Public Perspective
Let’s go ahead and scroll back to the top of our Facebook profile and click on the box with three dots (…) towards our right. Select “View As…” This will enable us to see our Facebook profile from the perspective of someone who is a stranger and not added as a friend.
A potential adversary can’t really see much now other than a name, profile picture, and a cover picture. They wouldn’t be able to scroll down our main profile page to obtain additional information. They don’t even have the option to add us as a friend unless they are friends with one of our friends. They can only choose to message.
As we can see, no information on the About page is revealed unless the person becomes a friend on Facebook.
No friends and no photos except the cover photo are shown. Since we changed the privacy settings for our interests like movies, TV shows, music, check-ins, etc., we don’t see them in the public profile either. Do note that Facebook friends won’t be able to see these interests unless you change the option from “Only me” to “Friends.”
Clicking on More also shows absolutely nothing.
Previewing Your Facebook Profile From A Facebook Friend’s Perspective
If a Facebook friend looks at our profile, they won’t see an Intro section or other important details such as where we studied, where we work, and whether we have any relationships on our main profile page unless they click on our About page and open the sections. Also, they won’t be able to see our friends and will only see mutual friends.
After applying the privacy settings in this tutorial, you can reduce the cybersecurity risks of using social media:
Reduce the pictures posted and made available in your public profile, as they can serve as a source of information for threat actors, providing clues to passwords or answers to security questions which can ultimately lead to account password resets.
Reduce the amount of information available in your public profile, which makes it harder for threat actors to craft credible malicious emails.
Limit the points of entry for threat actors to access personal information. Reduce threat actors’ ability to identify your friends and colleagues.
Tips For Staying Safe On Facebook
Always use a unique password for every account on the internet. Never re-use passwords.
Never accept friend requests from people you don’t know. People you have never met in real life should never be accepted as a friend on Facebook.
Be cautious when clicking on links, even if a friend sends you the link on Facebook. Links may serve as an attack vector and can be used to install malware on your computer. If in doubt, refrain from clicking, or click only while in a sandboxed/virtualized environment.
Remember just because you have Anti-Virus installed on your system doesn’t mean you are completely safe and that you can’t get infected from surfing social media sites.
Use your best judgment when deciding whether to post personal information on Facebook and other social media websites.
Frequently review your social media account’s privacy settings for changes.
Try not to publish email addresses on the internet that are associated with your sensitive activities such as online banking.
Apply the security and privacy options made available to you on Facebook.
Report any suspicious security incidents to Facebook Security.