Recently, two teens and a young adult infiltrated one of Silicon Valley’s biggest companies in a high-profile hack – the biggest ever for Twitter. Authorities say the 17-year-old “mastermind” used social engineering tactics to convince a Twitter employee that he also worked in the IT department, and so gained access to Twitter’s Customer Service Portal. The 130-account takeover was unique in that it was fundamentally a dramatic manipulation of trust, and it could have had far more world-changing consequences had the attackers held the aspirations of, say, a dangerous fringe group rather than those of a teenager. There are a few takeaways here, especially when it comes to redefining what we classify as “critical infrastructure” and what must be protected at all costs.
Changing methods of communication
Things are different now; on that we can all agree. Compared to even five months ago, what we value has shifted significantly. Zoom and other video conferencing platforms are now our workplaces, our children’s classrooms and the digital equivalent of a social bar scene. Over the last five years, social media companies have inarguably become a primary communication tool for prominent people – world leaders, governments and others who speak directly to Twitter’s 330 million users. And as trusted names post on social media, their messages spread even further when global media outlets report their words, reaching billions around the world.
It’s reminiscent of the 2013 breach, when stocks tumbled briefly after cybercriminals hijacked the main Twitter feed of The Associated Press and sent out a false tweet about a terror attack at the White House. The Dow Jones plunged more than 130 points, or roughly 1 percent, demonstrating the power of Twitter.
Consequently, social media companies should have a duty to ensure they know who their authors are and that those authors are always authentic, as there are no middlemen or reporters to confirm validity. This matters all the more given our recent susceptibility to misleading and false information, which can easily be transmitted and amplified by traditional media.
It’s time we start thinking of these platforms as critical infrastructure, to ensure similar attacks don’t happen and don’t result in far more severe consequences. This was an issue of identity, access and security, and Twitter truly lucked out that this hack wasn’t more nefarious. Imagine if this had been not an odd request for bitcoin but a fake, destructive exchange between world leaders.
Who should have access to what
Another glaring issue in this social engineering attack is the question of just how many Twitter employees have access to all accounts, along with the ability to post from them. Any solid security program implements the principle of least privilege, wherein access is authorized for only a small group of people. Further, separation of duties is vital: an employee who needs to access an account for maintenance should not be able to post from other accounts, or have the means to do so. Those two functions should require two different accounts, and high-level access like that demonstrated in this incident should be logged, tracked and investigated immediately if it touches multiple accounts in quick succession.
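The logging and separation-of-duties controls described above, as an added example that is not part of the original article: a small Python check over constructed support-portal audit events that raises an alert when one employee touches more than a few distinct accounts inside a short window, and when a maintenance role performs a posting action it should not hold. The log format, role names, thresholds and account names are assumptions, not Twitter's.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of support-portal audit events (hypothetical format, not
# real Twitter logs): timestamp, employee, role, action, target account.
SAMPLE_LOG = """\
2020-07-15T20:01:10Z alice support lookup @account1
2020-07-15T20:02:05Z alice support reset_email @account1
2020-07-15T20:02:40Z alice support reset_email @account2
2020-07-15T20:03:15Z alice support reset_email @account3
2020-07-15T20:03:50Z alice support reset_email @account4
2020-07-15T20:04:20Z alice support post_tweet @account4
2020-07-15T20:10:00Z bob support lookup @account9
2020-07-15T21:30:00Z bob support lookup @account10
"""

# Separation of duties: a maintenance/support role must never be able to post;
# posting belongs to a different account and role.
FORBIDDEN_FOR_SUPPORT = {"post_tweet"}

def parse_log(text):
    """Parse one event per line into (time, user, role, action, target)."""
    events = []
    for line in text.splitlines():
        ts, user, role, action, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user, role, action, target))
    return events

def find_alerts(events, max_accounts=3, window=timedelta(minutes=5)):
    """Flag a support user doing a forbidden action, and a user touching more
    than max_accounts distinct accounts inside a sliding time window."""
    alerts = []
    recent = defaultdict(deque)  # user -> recent (time, account) pairs
    flagged = set()              # users already raised for velocity
    for ts, user, role, action, target in sorted(events):
        if role == "support" and action in FORBIDDEN_FOR_SUPPORT:
            alerts.append(("separation_of_duties", user, action, target))
        q = recent[user]
        q.append((ts, target))
        while ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        touched = {acct for _, acct in q}
        if len(touched) > max_accounts and user not in flagged:
            flagged.add(user)
            alerts.append(("velocity", user, len(touched), ts.isoformat()))
    return alerts
```

Running `find_alerts(parse_log(SAMPLE_LOG))` raises a velocity alert for alice once she has touched four accounts in under five minutes, then a separation-of-duties alert for her post, and nothing for bob.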
Keeping sensitive data out of dangerous hands
Sensitive data can fall into the wrong hands at any organization. These kinds of cybercrimes rely on the fallibility of humans, an aspect of humanity that won’t change. Security teams can prevent this by investing in training, such as simulated phishing attacks, gleaning actionable data from employee responses, identifying which departments are most susceptible and developing a continuous training process to combat attacks. Knowing the weak spots is important too: an analysis from Social-Engineer found that Friday is the most vulnerable day for social engineering attacks and that HR open enrollment is the most successful pretext. Moreover, companies should institute the four pillars of a successful security program: endpoint protection, identity and access management, multi-factor authentication and network segmentation. Organizations need to operate with the assumption that they are always under some level of attack.
A massive manipulation of data
Ultimately, there’s a larger need to take the security of social media, and its distillation of information, more seriously as we continue to use it as a main source of communication. The Twitter hack was social engineering on steroids and a massive violation of trust – successful not through the exfiltration of data, historically the main cybersecurity concern, but through the manipulation of data in the words of trusted figures. When this happens, trust in both the organization and the source is lost completely. We may not always agree with what our leaders tweet, but that’s part of an open society. What we cannot accept is a message that is inauthentic. Just as we ensure the integrity of printed media, don’t we need to ensure the integrity of business leaders, politicians and the like on these platforms? This should not be any different.