Tuesday, July 21, 2020

Computer security and defending against insider attacks

Twitter suffered a very public attack on Wednesday, apparently only for the purpose of a bitcoin scam. But the scope of the attack raises all sorts of security questions, including how to guard against insider attacks.

Here's the NY Times story:
A Brazen Online Attack Targets V.I.P. Twitter Users in a Bitcoin Scam
In a major show of force, hackers breached some of the site’s most prominent accounts, a Who’s Who of Americans in politics, entertainment and tech.
By Sheera Frenkel, Nathaniel Popper, Kate Conger and David E. Sanger

"Twitter’s investigation into the breach revealed that several employees who had access to internal systems had their accounts compromised in a “coordinated social engineering attack,” a spokesman said, referring to attacks that trick people into giving up their credentials. The attackers then used Twitter’s internal systems to tweet from high-profile accounts like Mr. Biden’s."

Twitter tweeted the following:

Twitter Support
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
7:38 PM · Jul 15, 2020 · Twitter Web App

If there was ever a time in the past at which corporate computer security was merely a matter of building a wall between outsiders and inside information, that time is now well past. This Twitter attack was, at least in some respects, an insider attack, carried out by someone who had gained the use of Twitter employees' access. Whether that access was obtained by fooling the employees, coercing them, or co-opting them is less important than the fact that, apparently, some (and perhaps many) Twitter employees had access of a sort that let them do things that they would never have to do as part of their jobs.

(Here's an earlier post which includes a link to a story in which a Twitter employee was apparently also working for Saudi intelligence: Saturday, March 14, 2020 Organizations' security policies in the news)

Regardless of how this recent attack was carried out, I'm sure that Twitter is now looking hard at internal access and starting to think about how to avoid insider attacks by limiting the access of many employees.

As companies adopt "counterintelligence" security policies of this sort, there is a hidden cost, because openness promotes fruitful cooperation and problem solving, not just security vulnerabilities.
