Leadership, Training, Controls
As today’s business leaders struggle to remain competitive during the pandemic, it is quite likely that cyber-security awareness training is the last thing they are thinking about.
After all, how many times have employees heard that boring, repetitive training session that reminds them not to write down their passwords, click on links, open attachments from unknown senders, or post company information on social media? Turns out, not enough. Just ask Twitter.
In mid-July, cyber criminals hijacked the Twitter accounts of Joe Biden, Barack Obama, and some of the most prominent tech entrepreneurs—Bill Gates, Jeff Bezos, and Elon Musk—and about 125 others as part of a cryptocurrency scam. The large number of followers of these accounts enabled the criminals behind the attack to instantly push their scam to the 90 million followers of the accounts and reap more than $100,000 within a few hours.
There are two aspects of the attack that are startling: (1) the potential impact such an attack could have and (2) the lack of controls within Twitter to counter such an attack. Motherboard reported that it had communicated with the criminals and that a Twitter employee may have been paid to help the criminals access the accounts. The New York Times indicated the employee may have actually participated in the attack.
Shortly after the attack, Twitter said it was investigating whether the employee used an internal tool to take over the accounts or provided the tool to the criminals. Screenshots of the attack indicated that the tool had been used to change the email addresses associated with at least some of the accounts and to change ownership of special “OG” accounts, which have a handle of only one or two characters.
In response to the Motherboard article, Twitter tweeted, “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.” The New York Times also communicated with the attackers, who indicated that they were a group of young people, not a nation state or cyber-criminal ring.
Cyber-security awareness training should always provide tips on detecting insider threats, but the tendency to believe that “it won’t happen here” often results in less than adequate coverage on the topic. The Proofpoint/Ponemon Institute “2020 Cost of Insider Threats Global Report” states that insider-caused incidents have increased 47% since 2018, with an average cost per incident of $11.35 million. The report also noted that attacks involving “credential insiders”—those with administrator credentials—cost an organization more than three times that of an accidental insider incident.
We only have to remember Edward Snowden to realize the power that employees with administrator access have—and the damage they can wreak when they decide to turn against the organization. These are not isolated incidents. Just a few months back, in May, the online gaming platform Roblox suffered a privileged-insider attack when a hacker bribed one of its administrators to gain access to the company’s back-end customer support panel. This provided the hacker practically full control over user accounts. Motherboard earlier revealed that Facebook and Snapchat have both had employees misuse their privileged access.
Training and Controls to Counter Cyber Attacks
Cyber-security awareness training can be an effective control against the insider threat, but it needs to include more details on how insider attacks occur, warning signs to watch for, and how to report suspicious behavior. The training also needs to include details on how employees’ posts on social media can result in their being targeted and exploited. Employees need to understand the kill chain of these attacks and how criminals use their data and conduct social engineering. Cyber-security awareness training is a control, which can be boring and ineffective or enlightening and educational. It should teach employees about the current threat environment and how to be safe online.
There also is a need for cyber-security awareness training at the board and executive level. The ability of an insider to engage in such an attack is directly proportional to the controls in place to detect, prevent and mitigate it. It is the job of senior management and directors to ensure that appropriate controls are in place and are effective. Twitter’s management clearly has some explaining to do.
CNN reported that former Twitter employees indicated that hundreds of Twitter employees have access to an administrative platform, such as the one used in the attack. A Dark Reading article explored the lack of controls at Twitter and noted several areas where controls could have significantly reduced the attackers’ ability to disrupt the platform and blunt the impact of the attack, such as:
- Implementing the two-man rule, requiring the credentials of two people to perform administrative functions that could impact OG or other large accounts
- Using fraud analytics to detect account activity from unexpected locations, times, or formats
- Using keyword filters to generate alerts, such as the use of bitcoin in tweets from high-profile users
- Analyzing logs of administrative activity and detecting anomalies, such as an admin making changes to highly visible accounts or a large number of changes in a short period of time.
The business community should not sit back and assume this is largely a problem of the high-tech industry. When millions of Americans are out of work, working from home, and stressed out, the environment is ripe for the insider threat. This is every business’s problem. Agents and brokers need to work with their clients to ensure their policies address losses associated with these types of cyber attacks. This includes making sure D&O coverage is adequate to cover lawsuits against officers and directors for failing to ensure that adequate cyber-security controls were in place to protect the assets of the company.