Bench + Bar of Minnesota

The Twitter breach and the dangers of social engineering

By Mark Lanterman

This past July, Twitter fell victim to a wide-scale cyberattack that compromised the accounts of some of its highest-profile users. It was soon determined that the attack was largely orchestrated by a 17-year-old boy, who apparently had a history of online scams—including some perpetrated on Minecraft—that amassed him a huge bitcoin fortune.1 Twitter posted details about the attack on its blog: “The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack… Not all of the employees that were initially targeted had permissions to use account management tools, but the attacks used their credentials to access our internal systems and gain information about our processes.”2 The post goes on to say that the attack's success depended on exploiting human vulnerabilities.

This episode underlines a simple truth that most cybersecurity experts acknowledge: The human element is what ultimately determines the strength of an organization’s security posture. No degree of compliance or security budgeting can eliminate the potential for an attack on employees or staff themselves. As in the case of Twitter, once credentials were willingly offered up, the cybercriminals were able to access critical assets and compromise accounts. 

Human vulnerabilities are always going to be much easier to hack than technology. In this instance, a 17-year-old boy was able to trick a number of employees at one of the largest tech companies in the world. And the scary thing about it is that it was relatively easy to do. So how do we mitigate some of this continuing, inescapable human risk? 

One step that Twitter is taking is to more carefully manage access controls. Twitter has pledged that the company will be improving its procedures and policies to better monitor and restrict access to internal assets. Access controls are a critical piece of an organization’s overall security posture. Limiting access to critical data, systems, and networks is a surefire way to mitigate some of the potential risk. The more an employee is able to access, the greater the liability that employee poses in the event of a compromise. Restricting and auditing access controls do not make employees immune to spear phishing attacks, but these measures definitely limit the damage if and when employees become victims.
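The two controls named above, restricting what each role can reach and auditing access decisions, can be shown in a few lines. The following is an added illustration written for this article; it is not Twitter's code and does not describe its internal tools. The role names, permission names and user accounts are hypothetical, constructed for the example: a phished credential exposes only the permissions of the role it belongs to, and denied attempts are recorded so a reviewer can see them.

```python
"""Least-privilege access control with an audit trail.

Added illustration (not Twitter's code): role, permission and user names
are hypothetical. It demonstrates (1) restricting what each role can reach,
so a phished credential exposes only that role's permissions, and
(2) auditing access decisions, so denied attempts by one account are
visible to reviewers.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

# Hypothetical permissions for an internal admin portal (constructed).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "support_agent": frozenset({"ticket.read", "ticket.reply"}),
    "account_manager": frozenset({"ticket.read", "account.view", "account.reset_email"}),
    "security_admin": frozenset({"account.view", "account.reset_email",
                                 "account.revoke_sessions", "audit.read"}),
}


@dataclass
class AuditEvent:
    when: str
    user: str
    role: str
    action: str
    allowed: bool


@dataclass
class AccessPolicy:
    # user -> role; one role per user keeps each credential's reach small
    assignments: Dict[str, str]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def authorize(self, user: str, action: str) -> bool:
        """Allow the action only if the user's role grants it; log every decision."""
        role = self.assignments.get(user, "")
        allowed = action in ROLE_PERMISSIONS.get(role, frozenset())
        self.audit_log.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, action=action, allowed=allowed))
        return allowed

    def denied_attempts(self, user: str) -> List[str]:
        """Actions a user requested but was not entitled to: a review signal."""
        return [e.action for e in self.audit_log if e.user == user and not e.allowed]

    def blast_radius(self, user: str) -> FrozenSet[str]:
        """Everything reachable if this user's credential is phished."""
        return ROLE_PERMISSIONS.get(self.assignments.get(user, ""), frozenset())


def demo() -> dict:
    # Constructed sample assignments for the walkthrough.
    policy = AccessPolicy(assignments={"alice": "support_agent", "bob": "account_manager"})
    # Someone holding alice's credential requests an action her role does not hold,
    # then an action it does; bob's role legitimately holds the first action.
    return {
        "alice_reset_email": policy.authorize("alice", "account.reset_email"),
        "alice_ticket_read": policy.authorize("alice", "ticket.read"),
        "bob_reset_email": policy.authorize("bob", "account.reset_email"),
        "alice_denied": policy.denied_attempts("alice"),
        "alice_blast_radius": sorted(policy.blast_radius("alice")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of `blast_radius` is the one the paragraph makes: the value of a stolen credential is bounded by the role behind it, and `denied_attempts` is the audit query a reviewer would run after an employee reports a suspicious call.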

Second, training and education are always going to strengthen organizational security, but in particular, employees should be reminded that avoiding hastiness is always important when dealing with digital communications. The Twitter hackers conducted their social engineering attack via phone, by convincing an employee that they were calling from the technology department and required their credentials to access a customer service portal.3 It is important to communicate to employees how personal information will be requested, and to establish that following up in person is encouraged (or required) when a request for personal information has been received. While email is the standard phishing method, it is important to remember that phone calls and texting can also be used to gather information. If anything appears suspect or out of the ordinary, make sure that reporting procedures are in place and that all employees know the designated communication channels. Taking a moment to slow down before acting on a request may make all the difference.

Like all high-profile breaches and cyber events, the Twitter breach should inspire organizations, firms, and companies to take a closer look at their own security postures and implement positive change. Security cultures thrive with top-down management support and a company-wide awareness that security is everyone’s responsibility. 


MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.  


Notes

1 https://www.businessinsider.com/twitter-hacker-florida-teen-past-minecraft-bitcoin-scams-2020-8 

2 https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html 

3 https://www.nytimes.com/2020/07/31/technology/twitter-hack-arrest.html 
