As pointed out in our previous post about Twitter, the attack has been successful because the least privilege principle has been completely neglected. More recent information confirms this analysis. Reuters points out that more than one thousand employees could use tools and privileges to manipulate user accounts, change their settings and grant rights on account to others. Also some contractors own the same privileges. According to Reuters
“That sounds like there are too many people with access”
said Edward Amoroso, former chief security officer at AT&T. Responsibilities among the staff should have been split up, with access rights limited to those responsibilities and more than one person required to agree to make the most sensitive account changes.
“In order to do cyber security right, you can’t forget the boring stuff.”
A first comment is that you cannot forget the boring stuff but you can automate it. This is a fundamental step.
A further comment confirms that too many people shared the privileges.
Former Cisco Systems Chief Security Officer John Stewart said companies with broad access need to adopt a long series of mitigations and “ultimately ensuring that the most powerful authorized people are only doing what they are supposed to be doing.”
However, the other interesting observation is that most of the accesses to tools to manipulate the user accounts was logged. But there was no tool to analyze the logs and produce some alerts about suspicious operations using the tools. Furthermore, it is not clear whether the logs where properly protected to prevent manipulations by powerful users with a large number of privileges. Even assuming that logs were properly protected, the lack of a real time analysis to produce alerts implies these logs can only be used for a forensic analysis rather than to detect and prevent insider attacks.
A final observation is that the Twitter attack shows the fragility of important social networks that can be easily manipulated to influence the results of elections and referendums. Security experts are concerned because there is too much work to do and too little time to strengthen Twitter before the campaign for the next presidential U.S. election, with potential domestic inference and from other countries. This is particularly worrisome because, in the same days, a report from UK parliament’s intelligence and security committee said ministers in effect turned a blind eye on the attempts to interfere with the 2016 Brexit referendum. Maybe after the one for critical infrastructures, the EU should define a new NIS directive for social networks.