2020 Cyber Security is not about Technology

On July 15, Twitter accounts of some of the most influential members on Twitter were compromised, including the former US President Barack Obama, Bill Gates, Joe Biden and more. But how much does this breach have to do with technology and how much is human error?

The Twitter Attack

On 15 July the news broke and was subsequently confirmed by Twitter that accounts of the most influential Twitter members including the former US President Barack Obama, Bill Gates, Joe Biden and more were compromised. 

A group of hackers used the unprecedented access and publicity for a seemingly unsophisticated purpose - namely a bitcoin scheme. More worrying might be that these Twitter Users’ Direct Messages may have been accessible to the “hackers” as Wired reports. 

Stock Photo Cyber Security

So I deliberately put “hackers” in quotation marks. As numerous affected account owners stated they had multi factor authentication protection activated for their account and Twitter confirmed they suspect a social engineering attack was successful on some Twitter employees with Privileged Access to the Twitter infrastructure. As soon as journalists write about “hackers” we immediately think of socially awkward tech geniuses using their superior command of programming for evil - wearing hoodies in dimly lit rooms. This also leads to a preconception that Cyber Security needs to focus on having even better technology in place to defend - invoking the stock photo mental image of a command center with a video wall and the “good guys” defending cyber attacks in real time.

In 2020 both those stock photo clichés could not be further from reality. The actual attack was likely a highly skilled - high E.Q. team of people that convinced Twitter employees to perform some action that gave the attackers significant access. 

Cyber Security in 2020

The details on the Twitter Hack are still developing, but based on what we know so far, this incident is the perfect storm of the cyber threat surface in 2020. Let me explain:

Shifting threats

Arguably 2020 has forced the biggest shift in threat surface in the shortest period of time since the dawn of IT. With everyone forced to work remotely, all previous paradigms of traditional security - such as the perimeter were torn down within days or weeks. Human communication was changed at the same time. If the Twitter engineers that were targeted had been sitting in their offices at one table, would the request of the attackers have been questioned or informally discussed with a colleague?

Cyber technology is a commodity

Implementing technology measures for security is a commodity service in 2020. In my university days, we learned how to perform RSA encryption on paper. Then in my early days in Cyber, making sure your certificate was up to date to enable secure https connections was a key cyber control. Today you simply leverage a service to take care of all of it. I would argue that Alyne’s technical security measures are on par or exceeding those of Fortune 500 companies - because cyber security technology is a commodity. As mentioned, many affected Twitter accounts confirmed they had multi factor authentication in place - one of the most effective technology measures to protect your Twitter account. With strong technical security in place, attackers must seek the weakest link to exploit outside of technology.

Relocated crown jewels

As Cyber professionals we have been trained to think of crown jewels. The thought process dictates that you can never protect everything, so you find the crown jewels and make sure you spend all of your energy on protecting them. Tesla does not run ads and their de-facto only channel to communicate to the public is Twitter. Just a few years ago the internal marketing department would have defined the integrity of the public information of the company facing the market to be their crown jewels - tightly guarded behind press releases and a PR team. In 2020 it’s just Elon and his Twitter Handle that even requires supervision through the SEC.

The weakest link

With a rapidly virtualised environment, shifted crown jewels and a generally strong technical security posture, the weakest link remains people. Put all that together and a coordinated social engineering attack on Twitter is a perfectly logical step for an attacker looking for financial gain (or at least that’s what it looks like so far - I would not exclude the possibility of the involvement of a hostile government at the moment). People are what tie all technical security measures together and people are what can break that chain link fence.

 

How do we increase Cyber Posture in 2020?

Awareness

This is not new - and it is also not going away. Keeping people informed, on their toes and vigilant is not a one off exercise and needs to be continuous. Virtualised working adds a new dimension to this. What channels do we reach people on now? How do you get the attention of people who are enjoying working from home because they are “no longer distracted” by all these “pesky things” like cyber security awareness? How do you compensate for the lack of informal interpersonal communication in the workplace that can help keep the “buzz” active around cyber?

Involvement

One thing that we are passionate about at Alyne is involving people in the security process. Writing a security policy and enacting it from above does not create ownership, accountability or acceptance in the wider audience in your organisation. If interacting with cyber topics is not collaborative and conversational, your team will not embrace your efforts in their daily work. We argue passionately for an Information Security Management System (ISMS) that enables people to communicate, chat, revise, update, change continuously as opposed to a quarterly tick the box exercise. If Twitter had a platform like that, would the compromised employees have thought about the ISMS before granting access? Would they have double checked the rules in place or asked a quick question for confirmation?

Management

Cynics will argue that more management has never solved anything, but hear me out. Management may no longer delegate cyber security. You cannot rely on your “Cyber Guy” to take care of it or fall for the stock photo cliché of the room full of screens “defending” your company. Cyber security must be on the agenda of all management members and they must actively advocate this priority in the organisation. It remains one of the most effective measures to increase awareness and foster a collaborative culture of addressing cyber security.

I am certain we will learn more about the background of the July 2020 Twitter attack. Watch this space for further analysis and commentary on developments.

PreviousNext
Karl Viertel

Related Posts

The Path to Building Better Business Practice in Compliance with UK SOX

Press archives over the past decade have demonstrated that many Public Limited Companies in the United Kingdom have either collapsed or made the headlines due to accounting irregularities or some other form of lack of internal control to ensure financial statements are reliable. This article explores the need for UK businesses to anticipate wide-scale adoption of SOX, as they progress down the path to building better businesses.
Read more

The Importance of Diversity & Inclusivity in the Workplace

At Alyne we strongly believe in diversity and inclusivity, as they foster creativity and highlight new perspectives in the workplace; translating into innovative ideas that ultimately benefit the organisation. In the last couple of weeks, many countries and companies across the globe have been celebrating and supporting LGBTQ+ Pride bringing awareness to all that has been accomplished in terms of equality, identity and inclusion, and all that is yet to be done. In this article, we analyse the importance of representation in the workplace and we take you through our rebranding decision for the months of June and July.
Read more

Automating Risk Assessments with Alyne

At Alyne, we are focused on providing cyber, compliance and risk professionals, as well as their clients, with next generation technology, expert knowledge and actionable risk insights, powered by Artificial Intelligence, to seamlessly identify, qualify and quantify their risks. Learn how Alyne’s solution will transform your risk assessment process and generate operational efficiencies, while providing your clients with an optimised, personalised and positive digital experience.
Read more