BeyondTrust CTO/CISO says attack can happen to any organisation anywhere in the world.
The hack on Twitter last week showed that all organisations are vulnerable to attack through social engineering and phishing.
On 15 July, social media giant Twitter reported that attackers had targeted certain Twitter employees through a social engineering scheme.
The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through Twitter's two-factor protections.
In a statement Twitter wrote, “they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets. We are continuing our forensic review of all the accounts to confirm all actions that may have been taken. In addition, we believe they may have attempted to sell some of the usernames”.
For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through its “Your Twitter Data” tool. This is a tool that is meant to provide an account owner with a summary of their Twitter account details and activity.
“We are reaching out directly to any account owner where we know this to be true — none of the eight were verified accounts,” wrote Twitter.
The FBI’s San Francisco division is leading an inquiry into the Twitter hacking as more Washington lawmakers called for an accounting of how it happened.
The law enforcement agency said hackers committed cryptocurrency fraud after they seized control of the Twitter accounts of celebrities and political figures including Joe Biden, Kim Kardashian, Barack Obama and Elon Musk.
Morey Haber, chief technology officer and chief information security officer at BeyondTrust, told CIO Tech Asia that this type of attack could happen to any organisation anywhere in the world.
“There is no security training or security solutions that are 100 per cent effective,” he said. “That is a hard fact to acknowledge.”
Haber said the primary issue organisations should be mindful of is that Twitter had internal tools with administrative access to accounts that were verified, secured and reportedly protected from attacks and false posts.
“The truth is that tools internally bypassed all of these security controls and allowed it to happen,” he said. “All the threat actor needed to do was get inside and they accomplished this through social engineering and a phishing attack — the tools and their security are the issue.”
CIOs and CISOs should learn the importance of protecting “sensitive data” and “all the tools that interact” with that data, from database tools to custom administration tools that could be abused as Twitter's were.
“These programs should be protected using a privileged access management solution and gated for appropriate and approved usage,” Haber said. “They are just too powerful to be sitting on anyone’s desktop for access.”
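To make the gating Haber describes concrete, here is an added example (not code from Twitter or BeyondTrust) of a support-tool action that refuses to run without a live, ticketed, time-limited access grant, and that logs every allow and deny. The grant model, function names and ticket identifiers are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample: an internal support-tool action (password reset on a
# customer account) gated behind a short-lived, ticketed access grant, the
# PAM-style control Haber describes. Names and the approval flow are assumed.

@dataclass
class Grant:
    operator: str
    action: str           # privileged action the grant covers
    ticket: str           # approval reference from the PAM workflow
    expires_at: datetime  # just-in-time access, never a standing right

@dataclass
class PrivilegedGate:
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def approve(self, operator, action, ticket, minutes, now):
        """Record an approved grant that lapses after `minutes`."""
        self.grants.append(Grant(operator, action, ticket,
                                 now + timedelta(minutes=minutes)))

    def authorize(self, operator, action, target, now):
        """Allow only if a live grant for this operator and action exists."""
        for g in self.grants:
            if g.operator == operator and g.action == action and g.expires_at > now:
                self.audit_log.append((now, operator, action, target, g.ticket, "ALLOW"))
                return True
        # Refusals are logged too: repeated denials are the detection signal
        self.audit_log.append((now, operator, action, target, None, "DENY"))
        return False

def reset_password(gate, operator, account, now):
    """Support-tool entry point: refuses unless the gate authorises it."""
    if not gate.authorize(operator, "password_reset", account, now):
        return "denied"
    return f"reset issued for {account}"  # a real tool would act here

def demo():
    """Walk through grant, use, expiry and an unapproved operator."""
    gate = PrivilegedGate()
    t0 = datetime(2020, 7, 15, 12, 0, tzinfo=timezone.utc)
    out = [reset_password(gate, "alice", "@example", t0)]        # no grant yet
    gate.approve("alice", "password_reset", "TKT-0001", 30, t0)  # constructed ticket
    out.append(reset_password(gate, "alice", "@example", t0))    # inside window
    out.append(reset_password(gate, "alice", "@example", t0 + timedelta(minutes=31)))
    out.append(reset_password(gate, "mallory", "@example", t0))  # stolen session, no grant
    return out, [e[-1] for e in gate.audit_log]
```

The point of the pattern is that a phished or stolen session alone is not enough: the operator still needs an approved, unexpired grant for that specific action, and the audit trail shows every attempt either way.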
Haber suggests CISOs or CIOs evaluate their last penetration test to find out whether the results of the assessment show their security strategy is 100 per cent effective.
“They either are not testing effectively or ignoring the flaws and gaps in their security model that could allow this type (or others) to occur within their organisation,” he said. “An incident can occur to anyone at any time and only measuring your defences against attacks will indicate your resilience. Even then, a simple phishing email may introduce ransomware and upend everything. This is not a situation any executive should overlook.”
According to Reuters, Twitter had stepped up its search for a chief information security officer in recent weeks before the breach occurred.
Haber said this isn’t an ideal situation for any organisation that needs their data and operations protected.
A CISO, or at least someone with the authority to look after cyber security, provides a central voice and ownership to inventory, identify and address security concerns, he said.
“Protecting against modern threats and bad habits requires a coordinated approach and a CISO's responsibility is to perform those actions,” he said. “In addition, the response from Twitter on the incident appears to have come more from marketing.”
According to Haber, the response doesn’t “appear legal or a CISO was involved in crafting public responses”.
“They may have unintentionally revealed too much information, too quickly, and left themselves open for a legal investigation,” he said. “A CISO’s role is to also coordinate an incident response.”
The posts from Twitter Support over the last two days would indicate that someone else is approving external communications regarding the incident, and for a company the size of Twitter that is potentially an additional problem it will need to address, said Haber.