You don’t have to be an expert in cybersecurity to notice that there has been a dramatic increase in cyber attacks over the COVID-19 worldwide pandemic. Attacks on all sizes of organizations have happened, from multinationals such as Microsoft or Tesla to small businesses and entrepreneurs.
Earlier this year, the internet went ablaze over the high-profile Twitter security hack, which targeted Elon Musk, Bill Gates, Kanye West, Barack Obama, and others in a Bitcoin scam that saw a Florida teen mastermind arrested.
Understanding the Twitter hack
The Bitcoin hack showed that no one is safe from cybersecurity threats, be that the rich and famous or one of the major social media networks. 80% of modern data breaches go back to privileged access abuse (fraudulent access to an account, under the guise of altruism).
The Twitter hack was a perfect example of social engineering, the act of tricking people into taking action or giving information, in this case via technology and grounded in the victims’ trust of these public figures.
With the use of SIM swapping, the criminals were able to coerce, bribe or trick the victim's employees into giving up account information and access to admin tools, meaning that the hackers could change the email address linked to each of the targeted accounts.
They then turned off two-factor authentication, meaning the alert was sent to the updated email address, and now with these accounts under their control, the hackers were free to promote the scam.
Strangely, incidents like this indirectly dampen companies' interest in the cloud, with most companies citing data risks to their finances as the main reason for not migrating to cloud-based servers, despite the majority of data breaches being internal, as the Twitter hack was.
This is despite the fact that most cloud-based accounting and invoicing services used for handling finances for online businesses today come with PCI-DSS certification, which means financial data is encrypted and protected with firewall configurations, a unique ID is assigned to each user with authorized access and which must be verified before accessing financial data, and security systems are regularly audited and tested for vulnerabilities.
Furthermore, cloud-based service providers also tend to invest more in security than on-premise data centers, offering built-in features such as role-based authentication and infrastructure monitoring by dedicated IT professionals. To put it simply, cloud-based servers offer superior security to legacy data centers, something even a company as large and reputable as Twitter had to find out the hard way.
Narrowing the search
Data center by data center, Twitter staggered the shutdowns to try to isolate the problem, and to avoid overwhelming the system with a mass log out and log in.
Next, Twitter had to invoke what the security industry calls Zero Trust, which basically says never trust, always verify, for everyone on your virtual private network (VPN).
This shouldn’t surprise anyone, really. With privacy scandals, data leaks, geo-restrictions, and censoring making headlines and impacting lives every day, VPN usage has skyrocketed in recent months as many organizations transition to a predominantly remote work culture.
This approach deemed everyone untrustworthy until the leak was found and plugged. But ironically, the tighter you lock down the internal network, the less ability you have to counter the scam. In addition, you are also unable to properly track the hackers or locate the compromised team member or members.
In cybersecurity, this is a systems-level failure: the problem wasn't actually the employee potentially getting phished, it was Twitter's lack of appropriate systems to protect against this.
Unsecured privileged access
In Twitter's case, they gave internal users privileged access to an admin tool to allow them to moderate content and respond quickly to customer service queries. It's estimated that at the time there were hundreds of users who had access to this tool, creating a lot of potential for breaches.
Why did so many users have admin access to verified accounts? How could these users easily access and alter these accounts without approval? Who had back-end access to this admin tool? These are some of the security questions that arise when thinking about this hack.
This created a plethora of vulnerability points throughout Twitter; it was only a matter of time. By siloing information, access, and data, you can avoid having a single access point such as this. Using custom delegation groups, you can set privileges at the lowest level required for each employee's job role, limiting these types of issues.
Any stakeholder in your organization with access to your systems could be in a position to compromise your data. From contractors to employees, to service providers, to other insiders, there could be threats in all your business areas.
Unsurprisingly the more access to sensitive information the user has, the more likely they are to pose a bigger threat, so managers or IT professionals pose larger security risks than other departments.
Insider threats are much more likely to be the root of your cybersecurity issues, and the attackers claim they had bribed a Twitter staff member for access to the control panel.
The Twitter hack could have been a malicious insider or an unsuspecting employee, but either way, the evidence leaned to an insider having some form of involvement.
Regardless of whether or not it was an internal attack, the severity and potential are still present, so organizations should be aware and prepare for these kinds of threats.
Stopping insider threats
So what lessons can companies learn from Twitter’s breach? Let’s look at insider threat solutions, as these are one of the major sources of threat (and linked to their hack too).
First off, you should always know what your sensitive data is and who has access to it. Security testing of applications and APIs, whichever tool or method is used, comes down to dynamic or static evaluation. Dynamic evaluation, interacting with the application as it runs, could mean manual penetration testing, an automated DAST tool, or even an IAST tool.
When you identify your most at-risk assets, you can prepare for where the issues are likely to arise and which employees will be targets for hackers. Create a baseline of normal employee behaviors, and have certain alerts or trigger phrases to help identify when something is wrong. These abnormal behaviors could be copying sensitive data, logging in at odd times, accessing non-job-related data, or unauthorized downloads.
Establish and implement security controls. Admin privileges should only be granted to employees performing tasks that require advanced permissions or activities that span Active Directory domains. Furthermore, old admin accounts should be removed, as these can access resources undetected.
These are just three methods to help reduce and remove insider threats, but unfortunately, as long as there are staff at an organization, there will always be a level of threat, albeit minimized with these kinds of measures.
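The three controls above (a behavioral baseline with alerts, admin-only actions restricted to admin roles, and stale admin accounts removed) can be checked against an audit log. The following is an added example, not code from the original article or from Twitter; the user names, roles, timestamps and action names are constructed for illustration, and the business-hours window and 30-day idle threshold are assumed baselines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log sample (hypothetical names and timestamps, not real data).
# Fields: user, role, UTC timestamp, action performed in the admin tool.
SAMPLE_EVENTS = [
    ("alice", "admin",   "2020-07-14T09:15:00", "login"),
    ("alice", "admin",   "2020-07-14T09:20:00", "view_account"),
    ("bob",   "support", "2020-07-14T10:05:00", "login"),
    ("bob",   "support", "2020-07-15T03:12:00", "login"),         # outside business hours
    ("bob",   "support", "2020-07-15T03:14:00", "change_email"),  # admin-only action by non-admin
    ("bob",   "support", "2020-07-15T03:15:00", "disable_2fa"),   # admin-only action by non-admin
    ("carol", "admin",   "2020-03-01T11:00:00", "login"),         # admin account idle for months
]
ADMIN_ONLY_ACTIONS = {"change_email", "disable_2fa"}  # assumed: actions reserved for admins
NOW = datetime(2020, 7, 16)  # constructed "current time" for the staleness check


def parse(events):
    """Turn raw tuples into dicts with a real datetime so times can be compared."""
    return [{"user": u, "role": r, "ts": datetime.fromisoformat(t), "action": a}
            for u, r, t, a in events]


def off_hours_logins(events, start_hour=8, end_hour=18):
    """Logins outside the expected working window (assumed baseline: 08:00-18:00 UTC)."""
    return sorted({(e["user"], e["ts"].isoformat()) for e in events
                   if e["action"] == "login" and not start_hour <= e["ts"].hour < end_hour})


def privilege_violations(events):
    """Non-admin roles performing actions that should require admin privileges."""
    return sorted({(e["user"], e["action"]) for e in events
                   if e["action"] in ADMIN_ONLY_ACTIONS and e["role"] != "admin"})


def stale_admins(events, now=NOW, max_idle_days=30):
    """Admin accounts with no activity in max_idle_days: candidates for removal."""
    last_seen = defaultdict(lambda: datetime.min)
    for e in events:
        if e["role"] == "admin":
            last_seen[e["user"]] = max(last_seen[e["user"]], e["ts"])
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, ts in last_seen.items() if ts < cutoff)


def report(events=SAMPLE_EVENTS):
    """Run all three checks over a log and return the findings by category."""
    parsed = parse(events)
    return {"off_hours": off_hours_logins(parsed),
            "violations": privilege_violations(parsed),
            "stale_admins": stale_admins(parsed)}


if __name__ == "__main__":
    for category, findings in report().items():
        print(category, findings)
```

On the sample, the report flags bob's 03:12 login, bob's two admin-only actions from a support role, and carol as a stale admin account.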
Regardless of how exactly the Twitter hack happened, it shows how detrimental a hack can be from outsiders who get access to admin accounts.
Understanding the number of admin accounts your organization has, the level of access they have, and their potential risk are all important factors to think about.
As alluded to in previous sections, removing stale admin accounts and limiting access are two of the best ways to limit unwanted access. Practices such as rotating passwords or using reports that track any suspicious login activity can help manage these admin accounts.
Future hack prevention
So what steps did Twitter implement to lower their chances of such a large scale cyber attack? Well for starters, they hired Rinki Sethi as their new information security officer, a role they had vacant for months prior to the attack.
Regardless of your size, cybersecurity should be ingrained in your organization from the ground up, but startups often overlook security measures, and this can lead to issues further down the line.
There is no cure-all for cybersecurity, and a multi-layer approach is vital to having a secure network, whether it’s conducting penetration testing, limiting access to certain systems, or putting in place better preventative measures to make future attacks much harder.
Luckily for Twitter, they were able to react in a fairly quick and productive manner, but they should have had systems in place to stop the hack from ever reaching the level it did. It's about snuffing out flames before they start a fire.