The Biggest Lesson from the Twitter Breach
On July 15, 2020, approximately 130 Twitter accounts were “hacked” by bad actors who gained control of the accounts and sent tweets on behalf of the account owners. Victims of the attack included Elon Musk, Bill Gates, Jeff Bezos, Barack Obama, Joe Biden, Kanye West, Kim Kardashian, Mike Bloomberg, Uber, Apple and even Twitter's own official support account. Using the platforms of these celebrities and major entities, the hackers solicited Bitcoin “donations,” which yielded more than $100,000 in profit before Twitter temporarily suspended the accounts and reset the credentials.
Some news outlets reported that the attackers accessed the account credentials by bribing a Twitter employee with access to certain control panels. Without explicitly denying the scenario, Twitter released a statement claiming that the attack was the result of “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."
Brian Krebs reported “strong indications that this attack was perpetrated by individuals who’ve traditionally specialized in hijacking social media accounts via ‘SIM swapping,’ an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account.”
Hackers purportedly purchased the ability to change the email addresses associated with the victimized accounts and then disabled multi-factor authentication. Once an account's recovery email pointed to an address the attackers controlled and the second factor was switched off, an ordinary password reset was enough to take the account over.
Many tech-focused cybersecurity professionals attributed the success of the attacks to Twitter’s failure to use fraud analytics, geolocation data for employee access, or keyword indicators that would have caught the abnormal number of references to “bitcoin” on celebrity accounts. However, apart from any technical measures, there is perhaps a bigger lesson: focus on the vulnerability of humans.
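To make the three missing technical measures concrete, here is an added illustration (it is not code from the article and bears no relation to Twitter's actual internal tooling) of what such detection logic looks like when run over an audit log. The account handles, employee IDs, countries, timestamps, thresholds and log entries below are all constructed for the example; the three checks are a keyword indicator for “bitcoin” across several high-profile accounts in a short window, a geolocation check on employee access against a known home location, and a simple fraud-analytics rule that flags one employee performing a burst of sensitive account changes on high-profile accounts.

```python
"""Added example: three toy detections over a constructed admin-tool audit log.
None of the names, IDs or numbers below come from the incident; they are illustrative."""
from collections import defaultdict
from datetime import datetime, timedelta

HIGH_PROFILE = {"@ceo_a", "@founder_b", "@official_c", "@support"}  # constructed handles
SENSITIVE_ACTIONS = {"change_email", "disable_2fa", "reset_password"}
EMPLOYEE_HOME = {"emp-1001": "US", "emp-2002": "US"}  # constructed per-employee baseline


def ts(hhmm):
    """All constructed timestamps fall on one day (the day of the incident)."""
    return datetime.fromisoformat(f"2020-07-15T{hhmm}:00")


def ev(hhmm, employee, country, action, target):
    """One constructed audit record from a hypothetical internal account tool."""
    return {"ts": ts(hhmm), "employee": employee, "country": country,
            "action": action, "target": target}


ADMIN_EVENTS = [
    ev("18:00", "emp-1001", "US", "change_email", "@random_user"),  # routine support work
    ev("19:50", "emp-1001", "US", "view_profile", "@random_user"),
    ev("20:01", "emp-2002", "US", "change_email", "@ceo_a"),
    ev("20:02", "emp-2002", "US", "disable_2fa", "@ceo_a"),
    ev("20:04", "emp-2002", "US", "change_email", "@founder_b"),
    ev("20:05", "emp-2002", "US", "disable_2fa", "@founder_b"),
    ev("20:07", "emp-2002", "US", "change_email", "@official_c"),
    ev("20:08", "emp-2002", "US", "disable_2fa", "@official_c"),
    ev("20:30", "emp-1001", "GB", "view_profile", "@random_user"),  # access from unusual country
]

# Constructed public posts: one legitimate warning in the morning, then the scam wave.
TWEETS = [
    {"ts": ts("10:00"), "account": "@support", "text": "Reminder: we never ask you to send Bitcoin."},
    {"ts": ts("12:00"), "account": "@ceo_a", "text": "Good morning."},
    {"ts": ts("20:03"), "account": "@ceo_a", "text": "Send $1,000 in Bitcoin and I send back $2,000!"},
    {"ts": ts("20:06"), "account": "@founder_b", "text": "Giving back. Double any bitcoin sent to this address."},
    {"ts": ts("20:09"), "account": "@official_c", "text": "For the next 30 minutes, all BITCOIN sent is doubled."},
    {"ts": ts("20:10"), "account": "@random_user", "text": "why is everyone tweeting about bitcoin"},
]


def keyword_burst(tweets, keyword="bitcoin", window=timedelta(minutes=30), min_accounts=3):
    """Keyword indicator: return the sorted set of distinct high-profile accounts that
    mention `keyword` inside one sliding window once that set reaches `min_accounts`;
    an empty list means no burst was found. Posts from ordinary accounts are ignored."""
    hits = sorted((t["ts"], t["account"]) for t in tweets
                  if t["account"] in HIGH_PROFILE and keyword in t["text"].lower())
    for start, _ in hits:
        accounts = {acct for when, acct in hits if start <= when <= start + window}
        if len(accounts) >= min_accounts:
            return sorted(accounts)
    return []


def geo_anomalies(events, home):
    """Geolocation check: every admin-tool event whose country differs from the
    employee's recorded home country. An employee with no baseline at all is also
    flagged, since an unknown actor using the tool is itself worth a look."""
    return [e for e in events if e["country"] != home.get(e["employee"])]


def sensitive_action_bursts(events, window=timedelta(minutes=15), threshold=5):
    """Fraud analytics: for each employee, the peak number of sensitive actions on
    high-profile accounts within any `window`; employees at or above `threshold`
    are returned as {employee: peak_count}. A support agent changing one email
    on one celebrity account is normal; six such changes in a few minutes is not."""
    per_employee = defaultdict(list)
    for e in events:
        if e["action"] in SENSITIVE_ACTIONS and e["target"] in HIGH_PROFILE:
            per_employee[e["employee"]].append(e["ts"])
    flagged = {}
    for employee, stamps in per_employee.items():
        stamps.sort()
        peak = max(sum(1 for t in stamps if start <= t <= start + window) for start in stamps)
        if peak >= threshold:
            flagged[employee] = peak
    return flagged


def run_all():
    """Run the three detections over the constructed data and return the findings."""
    return {
        "keyword_burst": keyword_burst(TWEETS),
        "geo_anomalies": [(e["employee"], e["country"], e["ts"].isoformat())
                          for e in geo_anomalies(ADMIN_EVENTS, EMPLOYEE_HOME)],
        "sensitive_bursts": sensitive_action_bursts(ADMIN_EVENTS),
    }


if __name__ == "__main__":
    for name, finding in run_all().items():
        print(f"{name}: {finding}")
```

Each rule on its own is noisy; the point of pairing them is that a single employee's burst of email changes and MFA disables on several high-profile accounts, followed minutes later by those same accounts posting about bitcoin, is a correlation a human reviewer can act on even when no single signal is conclusive. Thresholds and windows would be tuned against an organization's own baseline of support activity, not copied from this example.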
From an attorney’s perspective, the three best ways to defend against the vulnerability presented by human behavior are:
(1) Routine Social Engineering Training for Employees:
This type of training helps employees look for red flags. Social engineering tactics used by bad actors are only becoming more effective and continue to change. In the last few years, email-based phishing has morphed from the “Nigerian Prince” scenario into a bombardment of freshly registered domains that evade spam filters, voice spoofing (“vishing”), and text-message phishing (“smishing”). One-time social engineering training is therefore, at best, temporarily useful.
Decent social engineering instructors often break such training into three parts: 1) discuss successful attacks and explain the exploited vulnerability; 2) identify social engineering tactics and explain the indicators of each; and 3) offer solutions and countermeasures. Some insurance policies require annual or bi-annual training to lower premiums or deductibles.
(2) Insider Threat Policies:
A significant number of security incidents originate from the inside, resulting from either intentional or careless actions of an employee. Insider threat policies teach all personnel how to look for signs of malfeasance, or simple negligence, on the part of their co-workers. Insider threat policies differ by industry, but generally should include these minimum standards: 1) digital monitoring that alerts designated personnel when any employee attempts to evade access controls; 2) training to spot behavioral changes (money problems and drug use being major motivators of poor behavior and lack of impulse control); and 3) an anonymous channel through which employees can report potential problems. No employee wants to be a “snitch,” but many have a vested interest in the success of their employer.
(3) Strict Access Controls:
Access controls restrict access to critical material to the essential personnel within an organization. Access controls refer to both digital privileges and physical privileges (the ability to access rooms or floors of a building). With Twitter, one criticism was that too many employees could access, and held administrative privileges over, high-profile, verified accounts. With fewer individuals able to access certain information, monitoring for fraud or negligence is easier and quicker, and the response is more efficient.
It is paramount to remember that cybersecurity is not just a technical matter; it is also a behavioral issue. Failure to recognize and address this duality will yield breaches and economic loss.