For administrators at a big, very visible company like Twitter, it's not if your network defenses will be penetrated; it's when. It took Twitter several hours to regain control of its systems Wednesday after a small group of hackers were able to obtain the login credentials of a Twitter staffer and commandeer its account tools.
Twitter's experience was an extreme one, and while we don't know exactly how much information was compromised, the outcome could have been much, much worse. But it's clear that steps taken to improve controls in the aftermath of two other high-profile incidents — a 2010 settlement with the Federal Trade Commission over account access issues and the 2018 indictment of two employees who were spying for the Saudi Arabian government — were not enough, and there are lessons for everyone in the aftermath.
In a blog post Monday, security expert Bruce Schneier called the Twitter incident a "class break," describing this category as "security vulnerabilities that break not just one system, but an entire class of systems." "Class breaks are endemic to computerized systems," he wrote, "and they're not something that we as users can defend against with better personal security."
As more and more companies move critical applications to cloud services and use third-party enterprise software tools, modern identity management software has become a very important part of the tech department's toolkit. This need has only accelerated in a pandemic, during which so many employees are working from their home networks and outside of the traditional defenses around corporate networks.
Software from companies like Okta allows workers to securely access the internal corporate applications they need to do their jobs with "single sign-on" technology, sort of like a password manager for work. Then, once workers pass that test, other tools are needed that grant certain people access only to specific data sets or controls, so that one breach doesn't open up the entire company to an attacker.
At Twitter, lots of employees have access to user accounts. Any attempt to provide customer service requires that, to some extent, but it's also clear that the company needs to consider additional controls, such as requiring two employees to sign off on proposed changes to prominent user accounts.
Companies also need to move past the idea that a user who has entered the proper login credentials is a valid user — the so-called "zero trust" approach. The central idea here is paranoia: No person or device should be automatically trusted outside or inside a network, and Google pioneered this line of thinking over the last decade with an internal service called BeyondCorp.
It's not clear what type of approach is in place at Twitter, but the company has been operating without a chief information security officer in 2020, according to The Wall Street Journal. That vacancy will likely be filled in short order, and like lots of companies re-evaluating their internal processes in the wake of this incident, one of that person's first jobs will be to rethink how Twitter manages identity and access to its systems.