
How to protect your business from a Twitter-style hack
Background
Social media platform giant Twitter reported a security incident on Wednesday 15th July 2020 which affected scores of verified accounts, including those of Bill Gates, Elon Musk and Jeff Bezos. These accounts were used to promote a bitcoin scam that netted the attackers an estimated $120,000 in bitcoin.

In a statement Twitter said:
“At this time, we believe attackers targeted certain Twitter employees through a social engineering scheme.” …
“The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems.”
What’s social engineering?
Social engineering attacks target people, manipulating and tricking someone into revealing confidential or sensitive information. It’s a common method of attack, used widely in phishing emails, but it applies equally to phone calls and instant messaging.
I get loads of these all the time and they’re pretty easy to spot, how did Twitter get hacked?
We all know the most common and easy-to-spot types of social engineering scam: calls to the finance department claiming to be from the bank, HMRC or similar.
But what if they rang your customer support or IT department instead? Would those teams be as prepared for this type of attack? With COVID forcing most customer support teams to work remotely, it’s harder to stay in contact with co-workers, and that leaves gaps for attackers to work with.
So how can we protect our business from these types of attacks?
Protecting your business from a Twitter-style attack can seem daunting, but there are a number of things you can do right off the bat, such as:
Raise awareness at every level of your business
Increasingly, attackers are targeting not a business’s finance department or directors but its support staff and IT. It’s vital that all departments and staff are included in security awareness training. Don’t assume that IT is immune to such attacks either (as the Twitter incident shows): IT support desks are increasingly targeted by attackers posing as staff members who need their password reset, or similar scams.
Develop resistant business processes
Whilst the details of how Twitter employees were manipulated into giving access to Twitter’s internal systems are vague, one of the most likely scenarios is that they were tricked into resetting the credentials of another employee (or several employees) until the attackers found one with access.
This highlights why it’s so important to consider likely attack scenarios when designing business processes, especially support processes for end users and customers. Consider the following typical business processes:
- Resetting a user’s or customer’s password.
- Changing account details such as email address or details used to verify someone’s identity.
- IT problems such as file access issues or trouble opening an ‘email attachment’.
- Requests for payments or transfers or changing payment details on an invoice.
Each of these processes has the potential to harm the business or its customers if an attacker exploits it successfully.
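The reset scenario described above, an agent being talked into resetting one account after another, leaves a trace in the help-desk audit log, and that trace is something a defender can watch for. The following is an added example in Python (not from the article, and the key=value log format is an assumption, not any real product’s format): it parses a constructed log of help-desk password resets and flags an agent who resets several distinct accounts within a short window, plus a single ticket that is used to justify resets of several unrelated accounts. The thresholds, field names and log lines are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (illustrative only; the key=value format is an assumption,
# not any real product's log format). Each line is one credential reset performed by a
# help-desk agent on behalf of a user.
SAMPLE_LOG = """\
2020-07-15T14:02:11Z agent=agent07 action=password_reset target=alice ticket=T-1001
2020-07-15T14:05:40Z agent=agent07 action=password_reset target=bob ticket=T-1001
2020-07-15T14:07:03Z agent=agent07 action=password_reset target=carol ticket=T-1001
2020-07-15T14:09:52Z agent=agent07 action=password_reset target=dave ticket=T-1001
2020-07-15T14:31:20Z agent=agent12 action=password_reset target=erin ticket=T-1002
2020-07-15T16:45:00Z agent=agent12 action=password_reset target=frank ticket=T-1003
"""


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' datetime."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_reset_bursts(events, threshold: int = 3,
                      window: timedelta = timedelta(minutes=15)) -> list:
    """Alert the first time an agent resets `threshold` distinct accounts within `window`.

    A help-desk agent legitimately resets accounts all day, so a single reset is noise.
    What is unusual is one agent resetting several different people's credentials in
    quick succession, which is what "try accounts until one has access" looks like.
    """
    by_agent = defaultdict(list)
    for event in events:
        if event.get("action") == "password_reset":
            by_agent[event["agent"]].append(event)

    alerts = []
    for agent, resets in by_agent.items():
        resets.sort(key=lambda e: e["ts"])
        start = 0
        for end, event in enumerate(resets):
            # Slide the window start forward so only resets within `window` of this one remain.
            while resets[start]["ts"] < event["ts"] - window:
                start += 1
            targets = {e["target"] for e in resets[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append({"agent": agent, "at": event["ts"], "targets": sorted(targets)})
                break  # one alert per agent is enough to trigger a human review
    return alerts


def find_ticket_reuse(events) -> dict:
    """Return tickets that were used to justify resets of more than one distinct account."""
    targets_by_ticket = defaultdict(set)
    for event in events:
        if event.get("action") == "password_reset" and "ticket" in event:
            targets_by_ticket[event["ticket"]].add(event["target"])
    return {t: sorted(v) for t, v in targets_by_ticket.items() if len(v) > 1}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for alert in find_reset_bursts(evts):
        print(f"ALERT burst: {alert['agent']} reset {alert['targets']} by {alert['at']:%H:%M:%S}")
    for ticket, names in find_ticket_reuse(evts).items():
        print(f"ALERT ticket reuse: {ticket} covered resets for {names}")
```

The detector deliberately alerts on the agent rather than on the accounts, because in this scenario the agent is the honest but deceived party and a quick call to them ("did you really reset four people in eight minutes?") resolves it faster than any automated block. The ticket check catches the same pattern from the other side: a genuine reset request normally concerns one person, so one ticket covering several accounts is worth a look.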
Don’t forget your third parties too!
Suppliers, IT support providers and other essential business providers are also a potential point of weakness. Attackers may make a number of calls or send emails to a business to learn more about how it operates, or review its website and search for links to potential suppliers or providers. Using this information, an attacker may exploit lax processes in an attempt to gain access to sensitive information.
Implement multi-factor authentication on all admin areas, especially if they are accessible remotely
Multi-factor authentication adds another layer of security on top of your password. Instead of just entering your password to log in, you are also asked to provide a code, or to approve the login, delivered via SMS or, increasingly, an app like Authenticator. This protects accounts against stolen or reset passwords because a second means of verifying your identity is always required.
In Summary
You don’t have to be the size of business like Twitter to be targeted by a social engineering scam or attack. You also don’t have to be the size of Twitter to effectively defend yourself against this type of attack.
People are the key to any social engineering attack. Preparing your people and your business processes to handle likely scenarios will strengthen not only your business but also your confidence in the face of these attacks.