The Twitter Attack
On 15 July the news broke and was subsequently confirmed by Twitter that accounts of the most influential Twitter members including the former US President Barack Obama, Bill Gates, Joe Biden and more were compromised.
A group of hackers used the unprecedented access and publicity for a seemingly unsophisticated purpose - namely a bitcoin scheme. More worrying might be that these Twitter Users’ Direct Messages may have been accessible to the “hackers” as Wired reports.
Stock Photo Cyber Security
So I deliberately put “hackers” in quotation marks. As numerous affected account owners stated they had multi factor authentication protection activated for their account and Twitter confirmed they suspect a social engineering attack was successful on some Twitter employees with Privileged Access to the Twitter infrastructure. As soon as journalists write about “hackers” we immediately think of socially awkward tech geniuses using their superior command of programming for evil - wearing hoodies in dimly lit rooms. This also leads to a preconception that Cyber Security needs to focus on having even better technology in place to defend - invoking the stock photo mental image of a command center with a video wall and the “good guys” defending cyber attacks in real time.
In 2020 both those stock photo clichés could not be further from reality. The actual attack was likely a highly skilled - high E.Q. team of people that convinced Twitter employees to perform some action that gave the attackers significant access.
Cyber Security in 2020
The details on the Twitter Hack are still developing, but based on what we know so far, this incident is the perfect storm of the cyber threat surface in 2020. Let me explain:
Arguably 2020 has forced the biggest shift in threat surface in the shortest period of time since the dawn of IT. With everyone forced to work remotely, all previous paradigms of traditional security - such as the perimeter were torn down within days or weeks. Human communication was changed at the same time. If the Twitter engineers that were targeted had been sitting in their offices at one table, would the request of the attackers have been questioned or informally discussed with a colleague?
Cyber technology is a commodity
Implementing technology measures for security is a commodity service in 2020. In my university days, we learned how to perform RSA encryption on paper. Then in my early days in Cyber, making sure your certificate was up to date to enable secure https connections was a key cyber control. Today you simply leverage a service to take care of all of it. I would argue that Alyne’s technical security measures are on par or exceeding those of Fortune 500 companies - because cyber security technology is a commodity. As mentioned, many affected Twitter accounts confirmed they had multi factor authentication in place - one of the most effective technology measures to protect your Twitter account. With strong technical security in place, attackers must seek the weakest link to exploit outside of technology.
Relocated crown jewels
As Cyber professionals we have been trained to think of crown jewels. The thought process dictates that you can never protect everything, so you find the crown jewels and make sure you spend all of your energy on protecting them. Tesla does not run ads and their de-facto only channel to communicate to the public is Twitter. Just a few years ago the internal marketing department would have defined the integrity of the public information of the company facing the market to be their crown jewels - tightly guarded behind press releases and a PR team. In 2020 it’s just Elon and his Twitter Handle that even requires supervision through the SEC.
The weakest link
With a rapidly virtualised environment, shifted crown jewels and a generally strong technical security posture, the weakest link remains people. Put all that together and a coordinated social engineering attack on Twitter is a perfectly logical step for an attacker looking for financial gain (or at least that’s what it looks like so far - I would not exclude the possibility of the involvement of a hostile government at the moment). People are what tie all technical security measures together and people are what can break that chain link fence.
How do we increase Cyber Posture in 2020?
This is not new - and it is also not going away. Keeping people informed, on their toes and vigilant is not a one off exercise and needs to be continuous. Virtualised working adds a new dimension to this. What channels do we reach people on now? How do you get the attention of people who are enjoying working from home because they are “no longer distracted” by all these “pesky things” like cyber security awareness? How do you compensate for the lack of informal interpersonal communication in the workplace that can help keep the “buzz” active around cyber?
One thing that we are passionate about at Alyne is involving people in the security process. Writing a security policy and enacting it from above does not create ownership, accountability or acceptance in the wider audience in your organisation. If interacting with cyber topics is not collaborative and conversational, your team will not embrace your efforts in their daily work. We argue passionately for an Information Security Management System (ISMS) that enables people to communicate, chat, revise, update, change continuously as opposed to a quarterly tick the box exercise. If Twitter had a platform like that, would the compromised employees have thought about the ISMS before granting access? Would they have double checked the rules in place or asked a quick question for confirmation?
Cynics will argue that more management has never solved anything, but hear me out. Management may no longer delegate cyber security. You cannot rely on your “Cyber Guy” to take care of it or fall for the stock photo cliché of the room full of screens “defending” your company. Cyber security must be on the agenda of all management members and they must actively advocate this priority in the organisation. It remains one of the most effective measures to increase awareness and foster a collaborative culture of addressing cyber security.
I am certain we will learn more about the background of the July 2020 Twitter attack. Watch this space for further analysis and commentary on developments.