How experts say you can stop a hack like what happened to Twitter
- Twitter was hacked in mid-July through a social engineering scheme that targeted employees, which resulted in world-famous people’s accounts tweeting a bitcoin scam.
- The attack shows key areas of vulnerability for companies with remote workers, cybersecurity experts say.
- Stopping social engineering scams that come in through email and giving cybersecurity pros better visibility into attacks are critical to stopping scams, experts say.
- Microsoft rolled out new tools Tuesday that address visibility into insider threats and other remote work issues.
- A former White House chief information officer says the Twitter hack should “chill us to the bone” – but worries that companies won’t make the needed changes.
After a scammer tricked a Twitter employee into providing access to high-level controls of the social network, it opened the door to an earth-shaking hack of the accounts of world-famous people in mid-July.
Few companies’ computer systems are as public as Twitter’s real-time feed, but many could be hacked in a similar way, experts say, due to a combination of factors intensified by remote work.
While there are still some missing details and Twitter is not commenting beyond its blog post, here’s how security experts say companies can protect themselves from a hack like Twitter’s – including new tools released Tuesday.
Don’t click that odd link
Twitter, like many companies, has a remote workforce this summer, and isolated employees can be especially vulnerable to scams, experts say. Twitter wrote on its blog that “attackers targeted certain Twitter employees through a social engineering scheme.”
That kind of attack often takes the shape of a phishing email that convinces the user to click on something that looks work-related, says Ed Bishop, chief technical officer of Tessian, a cybersecurity company that focuses on how people engage with email.
“Social engineering in a remote world is all around trying to think through the mindset of the user: What emails would they be expecting? What we’re seeing is impersonation of services that are common with work-from-home situations,” he said.
For example, a remote worker might be more likely to click a link to a video conference that looks like it comes from a coworker, even if it’s unfamiliar.
“In the office you might ask a neighbor, ‘Hey, are we using a new video call tool now?’ But you can’t do that now, so maybe you are more likely to click,” he said.
When in doubt, don’t click on a strange email or respond to it, Bishop says. Ask your coworkers or IT team about the email if it looks like it was sent internally. If an email feels suspicious but appears to come from a client, customer, or other contact, look up an address for the supposed sender yourself and start a new thread, or contact them through their website, rather than replying to the message in hand.
“Remote workers are more vulnerable to phishing because we are all a little more unsuspecting and distracted at home,” said Oren Falkowitz, cofounder of Area 1 Security. “Phishing comes in many forms, not only email.”
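The “new video call tool” lure Bishop describes usually hinges on a link whose visible text and real destination disagree, or whose domain merely resembles a tool the company uses. The following script, added here as an illustration and not code from Tessian, Area 1, or Twitter, pulls every link out of an HTML email body and flags three things: display text that shows one host while the link goes to another, a destination that is not on the company’s allowlist, and a non-allowlisted host that imitates an allowlisted brand (small edit distance, or the brand name embedded in the host). The allowlist and the sample email are constructed assumptions.

```python
"""Flag the kind of links a work-from-home phishing lure relies on.

Three checks per <a> in an HTML body:
  1. display text names a different host than the href actually goes to
  2. href host is not one of the collaboration tools we really use
  3. a non-allowlisted host imitates an allowlisted one (lookalike)
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the tools this (hypothetical) company actually uses.
ALLOWED_DOMAINS = {"zoom.us", "teams.microsoft.com", "example.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_allowed(host):
    """True for an allowlisted domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def levenshtein(a, b):
    """Edit distance; catches digit-for-letter swaps such as z00m.us."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the allowlisted domain this host imitates, if any."""
    for d in sorted(ALLOWED_DOMAINS):
        brand = d.split(".")[0]  # 'zoom' for zoom.us, 'teams' for teams.microsoft.com
        if levenshtein(host, d) <= 2 or brand in host:
            return d
    return None


def check_links(html):
    """Return one finding per link that deserves a second look before clicking."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        # 1. The text the reader sees names a host the link does not go to.
        shown = host_of(text) if "://" in text else ""
        if shown and shown != host:
            reasons.append(f"display-mismatch:{shown}")
        # 2. and 3. Not a tool we use, and possibly dressed up to look like one.
        if not is_allowed(host):
            reasons.append("not-allowlisted")
            imitated = lookalike_of(host)
            if imitated:
                reasons.append(f"lookalike:{imitated}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample, modelled on the 'new video call tool' lure described above.
SAMPLE_EMAIL = """
<p>Hi team, we moved to a new video tool. Join today's standup here:</p>
<p><a href="https://zoom-us-meeting.com/j/123">https://zoom.us/j/123</a></p>
<p>Agenda is in the <a href="https://teams.microsoft.com/l/meetup-join/abc">Teams meeting</a>.</p>
<p>If it asks, <a href="https://z00m.us/login">re-enter your credentials</a>.</p>
"""

if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        print(f["href"], "->", ", ".join(f["reasons"]))
```

On the sample, the first link is flagged for all three reasons (its text reads zoom.us but it goes to zoom-us-meeting.com), the genuine Teams link passes, and z00m.us is caught as a lookalike by edit distance. This is a heuristic to run in a mail gateway or a user-facing warning, not a replacement for the advice above to ask IT or a coworker; a lure that hides behind a legitimate redirector or a compromised allowlisted account will not trip it.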
Beware the human element — and avoid it through education
Twitter wrote that its hack was kicked off by “the intentional manipulation of people into performing certain actions and divulging confidential information.”
The human element is often the key to major hacks, says Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint. “People continue to be the primary focus for threat actors. There are administrative tools on the backend at Twitter, and most organizations, that humans have to have access to and when they get compromised, it can result in fairly massive consequences.”
Even if a company has robust cybersecurity tools in place, the human beings that work there could still make the company vulnerable.
“Even the most sophisticated technologists, like those at Twitter, often overlook the human component of cybersecurity,” says Anthony Grenga, vice president of cyber operations at IronNet. “Twitter employees had the ability to ‘take over’ accounts using an admin panel. Even though an insider may not have malicious intentions, opportunity – bribes, layoffs, conflict of opinions – may tip the scales.”
And the employee may not even be aware they did anything wrong, Tessian’s Bishop says. “You can absolutely be socially engineered and not have a clue that you’ve done anything.”
How should companies avoid this hazard? Empower, educate, and empathize with employees. Companies should regularly train their employees on how to spot phishing emails and on other security hygiene practices — and make sure they’re empowered to speak up if they sense anything fishy. A new empathetic approach is needed now, too, when dealing with remote employees, who are working away from the office and under the stress of a pandemic and economic downturn. New email tools and training may be needed that are tailored to this specific moment.
Attacks can move fast
Another important aspect of the Twitter hack was the inability to spot it early.
“We became aware of the attackers’ action on Wednesday, and moved quickly to lock down and regain control of the compromised accounts,” Twitter says in its blog. But they didn’t move quickly enough:
Hackers were shopping their access to Twitter controls on the dark web in the days before hacked tweets spilled into the world from the accounts of Barack Obama, Elon Musk, Joe Biden, and many others, all pushing the same phony bitcoin scam.
But Twitter isn’t alone in being a day late to discover a hack. Only 58% of companies can determine which of their assets are vulnerable within 24 hours of news of a critical exploit, according to new research from the cybersecurity firm Balbix.
“Cybersecurity teams are struggling with a lack of visibility into major risk areas,” Balbix said, noting that 89% of cybersecurity professionals identified phishing as one of the biggest security threats, yet only 48% said they are able to continuously monitor such threats with cybersecurity tools.
Insider threats – an employee who is knowingly or unknowingly assisting in a hack – can move very quickly, says Yonathan Klijnsma, a threat researcher at RiskIQ, a company that makes cloud-based cybersecurity software to detect threats. “When access to the account of a Twitter support member was gained, it gave the bad guys instant access to everything,” he says.
IT teams managing remote workers may need new tools to find threats. Microsoft just released new products Tuesday to help achieve this:
New tools and training
On Tuesday Microsoft rolled out new “insider risk management” tools to its Microsoft 365 users, including data-loss prevention for employees’ laptops.
“Remote work, while keeping employees healthy during this time, also increases the distractions end users face, such as shared home workspaces and remote learning for children,” the software giant said on its blog. “The current environment has also significantly increased stressors such as potential job loss or safety concerns, creating the potential for increased inadvertent or malicious leaks.”
Twitter vows it is “rolling out additional company-wide training to guard against social engineering tactics to supplement the training employees receive during onboarding and ongoing phishing exercises throughout the year.”
Training may not be enough, says Chloé Messdaghi, vice president of strategy at Point3 Security, which tries to make cybersecurity risk personal to employees through discussions and empathy-based exercises. “This should reinforce for most companies that the phishing situation is really something that people aren’t taking seriously enough. No matter how much training you do, the human element is still there and many people are still apathetic when it comes to the cybersecurity of their company because they’ve never been directly affected by it.”
That apathy is dangerous, says Theresa Payton, former White House chief information officer and CEO of cybersecurity consultancy Fortalice Solutions, who says the Twitter hack “should chill us to the bone.”
This is not just a Twitter problem, Payton says. This should be a wakeup call for all companies, she urges: “We’re all in this pandemic together. We ignored all the past wake up calls to our detriment. The question is, are we hitting snooze again?”