The Twitter hack, in which an unknown party gained access to notable Twitter accounts and sent out messages from those accounts soliciting bitcoins, made national headlines. It was an attack that became readily obvious to the world, and Twitter did seem to respond quickly and responsibly. Their initial posts, however, were specious regarding the problem.
Twitter claimed that it experienced a “coordinated social engineering attack,” which makes it seem as if the fault lies in the actions of one or two employees. There are also reports of Twitter employees being bribed. This is intended to give people the feeling that Twitter security is otherwise strong, but Twitter is as vulnerable to those “users” as the next company.
I think we can safely assume that awareness vendors are, or will be, reaching out to companies warning them not to be the next Twitter, and to buy their awareness products. While better awareness may have helped, the cause of the hack was not a failing in awareness but a failing in the security program as a whole.
As criminals already hijack Twitter accounts for a variety of purposes, and users and admins are the primary attack vector per every industry study, Twitter should assume that its staff and admins will be targeted. Awareness training might help to a point, but a security program must assume that at some point a human will fail. Statistically, that happens 3% of the time, per the latest Verizon Data Breach Investigations Report (DBIR). Let’s also not forget that privileged users may choose to violate policies, which actually did happen in 2017, when a Twitter employee deleted Donald Trump’s account.
Twitter should proactively anticipate that privileged accounts, whether used by the authorized account owner or not, will be used maliciously. That leads to two concerns that are more important than awareness: stopping outside parties from gaining access to accounts, and limiting the actions a malicious party can take with an account.
Twitter does have a strong security program and might have taken most reasonable precautions. From an account access standpoint, there should be multi-factor authentication in use, and there should be very limited remote access for privileged accounts. Admittedly, this could be a problem during the pandemic, but in that case, VPN software should be in place that authenticates authorized endpoints. There could also be a variety of checks in place for user confirmation. Perhaps all of this was in place, and the criminals tricked the employees into divulging credentials, one-time passwords, etc. Perhaps they social engineered Twitter to obtain the VPN software. I did that in performing some of my social engineering tests against large banks, so perhaps the criminals read my case studies.
Either way, as Twitter should assume malice and misuse of privileged accounts, there should be controls in place that restrict the modification of user accounts. Maybe the approval of multiple privileged users should be required to access such controls, as is defined in the long-forgotten Rainbow Series from the NSA. There could be an alert every time someone uses a privileged account to modify a user account, along with an approval process.
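One way to implement the two controls just described, an approval gate that needs more than one privileged user and an alert on every privileged account modification, as an added Python example that is not part of the original article. The gate, its function names, the two-approver threshold and the sample usernames are all assumptions, not any real admin tool's design:

```python
from dataclasses import dataclass, field

# Constructed example: a dual-control gate for privileged "modify user account"
# operations. All names here are hypothetical, not any real admin tool's API.
REQUIRED_APPROVALS = 2          # two distinct privileged users must sign off

# Stand-in for a SIEM / pager feed; every privileged attempt lands here
alerts: list[str] = []

@dataclass
class AdminAction:
    requester: str                      # privileged user initiating the change
    target: str                         # user account being modified
    change: str                         # e.g. "reset_email", "disable_mfa"
    approvals: set[str] = field(default_factory=set)
    executed: bool = False

def request_change(requester: str, target: str, change: str) -> AdminAction:
    """Record the attempt and alert immediately, before anything is approved."""
    alerts.append(f"ALERT privileged-modify by={requester} target={target} change={change}")
    return AdminAction(requester, target, change)

def approve(action: AdminAction, approver: str) -> bool:
    """Add an approval; the requester can never approve their own request."""
    if approver == action.requester:
        alerts.append(f"ALERT self-approval attempt by={approver} target={action.target}")
        return False
    action.approvals.add(approver)      # a set, so repeat approvals count once
    return True

def execute(action: AdminAction) -> bool:
    """Apply the change only once enough distinct approvers have signed off."""
    if action.executed or len(action.approvals) < REQUIRED_APPROVALS:
        alerts.append(f"ALERT blocked target={action.target} approvals={sorted(action.approvals)}")
        return False
    action.executed = True
    alerts.append(f"AUDIT executed by={action.requester} target={action.target} change={action.change}")
    return True

if __name__ == "__main__":
    act = request_change("alice", "@high_profile", "reset_email")
    approve(act, "alice")               # rejected: self-approval
    approve(act, "bob")
    print(execute(act))                 # False: only one approval so far
    approve(act, "carol")
    print(execute(act))                 # True: two distinct approvers
    print("\n".join(alerts))
```

The alert on the request itself, not only on execution, is what gives an on-call reviewer a chance to intervene while the approvals are still being collected.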
For a person to cause damage, the entire system has to give that user the ability to cause damage and then allow the damage to be realized. What happened to Twitter was a failing of the entire system in facilitating the attack and allowing it to be realized. Perhaps some user failed in their responsibilities, but that would have been just one failure among many.