Fabrizio Baiardi

Fabrizio Baiardi

Fabrizio Baiardi is a Full Professor at Università di Pisa where he has chaired one of the first degree on security of ICT infrastructures. His main research interests are formal approaches to risk assessment and resilience of critical ICT infrastructures. Fabrizio Baiardi has been involved in the risk assessment and management of several systems and of industrial control systems with SCADA components. He has authored several papers on ICT security and currently teaches university courses on security related topics.

The least privilege has been really forgotten together with other things

As pointed out in our previous post about Twitter, the attack has been successful because the least privilege principle has been completely neglected. More recent information confirms this analysis. Reuters points out that more than one thousand employees could use tools and privileges to manipulate user accounts, change their settings and grant rights on account to others. Also some contractors own the same privileges. According to Reuters

“That sounds like there are too many people with access”

said Edward Amoroso, former chief security officer at AT&T. Responsibilities among the staff should have been split up, with access rights limited to those responsibilities and more than one person required to agree to make the most sensitive account changes.

“In order to do cyber security right, you can’t forget the boring stuff.”

A first comment is that you cannot forget the boring stuff but you can automate it. This is a fundamental step.

A further comment confirms that too many people shared the privileges.

Former Cisco Systems Chief Security Officer John Stewart said companies with broad access need to adopt a long series of mitigations and “ultimately ensuring that the most powerful authorized people are only doing what they are supposed to be doing.”

However, the other interesting observation is that most of the accesses to tools to manipulate the user accounts was logged. But there was no tool to analyze the logs and produce some alerts about suspicious operations using the tools. Furthermore, it is not clear whether the logs where properly protected to prevent manipulations by powerful users with a large number of privileges. Even assuming that logs were properly protected, the lack of a real time analysis to produce alerts implies these logs can only be used for a forensic analysis rather than to detect and prevent insider attacks.

A final observation is that the Twitter attack shows the fragility of important social networks that can be easily manipulated to influence the results of elections and referendums. Security experts are concerned because there is too much work to do and too little time to strengthen Twitter before the campaign for the next presidential U.S. election, with potential domestic inference and from other countries. This is particularly worrisome because, in the same days, a report from UK parliament’s intelligence and security committee said ministers in effect turned a blind eye on the attempts to interfere with the 2016 Brexit referendum. Maybe after the one for critical infrastructures, the EU should define a new NIS directive for social networks.




More to explore

La startup Haruspex sbarca in Silicon Valley

L’azienda di cybersecurity spezzino-pisana è stata selezionata dal prestigioso programma “Global Startup Program” dell’Italian Trade Agency, a San Francisco. Per il momento il programma sarà svolto in virtuale dato il persistere delle limitazioni agli ingressi sul suolo statunitense.

Leave a Comment

Your email address will not be published. Required fields are marked *