Byron Acohido's The Last Watchdog blog is one of the best combinations of social and security commentary out there. He's published some insightful analysis of the recent Twitter hack that's worth a read here. Keep an eye on Acohido's column - he's worth following.
I thought I'd share some of the questions he asked me for the article. It was quite thought provoking - the implications of any hack of a social media giant go well beyond wonky security concerns.
Here was our conversation. If you'd like to read the article (that features me, Twitter's Jack Dorsey, Facebook's Mark Zuckerberg and "Mafiaboy"), you can find it here:
Byron Acohido: This hack has shed light on Twitter’s capacity to secure its service against disinformation and the potential abuse of its tools to interfere in the imminent presidential election. Social media discourse, at this moment, is also a major component of the social injustice debate. With respect to the continuing abuse of social media tools, what are one or two scenarios that you believe are likely to play out in the weeks and months ahead?
Karthik Krishnan: Facebook and Twitter are in an unenviable position between titanic, multi-front societal conflicts – demands to make positive contributions to the social justice movement, claims of suppression by political factions, angst over disinformation/foreign influence and the very real threat of regulatory responses driven more by politics than principle. There’s no way these social media giants are going to make everyone happy.
Here are a couple of possible scenarios:
- Twitter continues what they started – putting warning labels on high-profile tweets and removing QAnon accounts – and expands their efforts to control misinformation. Maybe they start weeding out white supremacist or anti-vaxxer accounts. Facebook follows suit, but with perhaps less enthusiasm. This might ping pong, with advances and retreats as each action provokes a superheated reaction by the affected users. The fight accelerates migration to platforms like Parler. However, it’s possible that once users sort by platform, social media giants might actually find it easier to police their content. After all, if Parler’s a viable alternative, it’s harder to make the case that the big boys own all four corners of the public square.
- The teen army that coordinates on TikTok pulls another Tulsa-caliber stunt and Trump follows through on his threat to ban it. This sets up a furious fight between the social media providers and Trump that will cause unpredictable results. One outcome might be that the social media giants decide they’ve had enough and begin applying their standards to everyone, even the President, and let the lawyers figure it all out. We might see a historic first Supreme Court hearing of a major social media/free speech case (and wouldn’t that be fun?). More likely the TikTok ban will have a chilling effect, making Twitter and Facebook more cautious and perhaps slowing their efforts to take more proactive steps to reduce disinformation and interference.
BA: How would you generally characterize the current state of preparedness of small and medium-sized organizations (companies and local agencies) to make themselves less of a target for this type of attack?
KK: The hard truth is that you can never really fully protect against insider attacks (which I define as both literal insiders and compromised insider accounts). Some accounts need to be able to do really consequential tasks (like resetting a user’s password or reconfiguring a database), so the threat can’t be eliminated – but it can be contained.
Small to mid-sized companies are often poorly prepared because their limited IT teams operate on shoestring budgets while wearing multiple hats. That leads to overprivileged accounts simply because they don’t have the bandwidth to troubleshoot permissions problems. So they overpermission to keep operations afloat.
BA: How would you generally characterize the preparedness level of large organizations?
KK: They’re typically better prepared simply because they have more people and funds for IT. When IT roles are specialized, it’s more feasible to constrain account access and contain the damage from insider attacks without impacting operations.
Having said that, it’s certainly not a given that a big organization is more prepared. Equifax, for example, spilled nearly 150M records when one of their low-level engineers went on vacation for a couple of weeks and missed a patch window. Now, the Equifax breach wasn’t an insider job, but it just goes to show you that money and staff aren’t the only ingredients for effective cyber security. You still have to work at it.
BA: What responsibility do you or I have, as an individual consumer/citizen/employee?
KK: Tough question! I guess my flip answer is to just be less gullible. We seem to fall for everything from Bitcoin scams to bad science. It just encourages the bad guys.
Part of being less gullible is to stay as informed as possible too – people think cyber security’s complex (and it is!) but you don’t have to understand it to benefit from better awareness. If, for example, you hear about a Twitter-related Bitcoin scam, you don’t have to know how the scam works – you just have to hold on to your wallet when you see that tweet from Elon promising to double your money.
And use two-factor authentication whenever you can (and wash your hands!).
BA: What’s the going-forward lesson for SMBs, in particular, regarding the ‘least privileged’ security principle?
KK: The first principle of least privilege is to restrict account access to only what that account truly needs to do. “Access” in this context extends not just to which resources, but also the tasks the account can do with the resource. For example, least privilege might have different restrictions for who can delete or back up a sensitive database than who can read from it.
Least-privilege practices provide the framework for limiting damage. Organizations typically don’t give much thought to what admin accounts can do and, consequently, those accounts are often overprivileged. That’s a recipe for trouble. With least-privilege, each account gets access only to what’s needed. Damage is still possible but at least it’s contained.
My advice for smaller companies is to start by focusing. It might be tough to stand up a comprehensive least-privilege model, but it’s much more feasible to identify the critical resources you have and start there. For example, identify that mission-critical database with customer PII and start there. Cull out the accounts that don’t need access to it and identify the database operations you need to restrict, like copies or backups. That might be a workable start for smaller teams.
BA: Can you summarize, very high level, how Zero Trust factors in?
KK: It’s no surprise that cyber security defenses took their first cues from the physical world. Castles have moats. Your house has a door. It made sense to protect your network with a firewall. But cyber criminals got past the firewall and, when they did, they feasted on the unprotected targets behind it.
Zero trust’s first principle says that there are no safe networks. Access shouldn’t be granted based on network location or IP address but instead by the nature of the asset and the authorization of the user. The zero-trust model was created by John Kindervag while he was working for Forrester, a leading IT analyst firm.
Here’s an analogy. If you ran a zero-trust bar, you’d trade your bouncer at the door for a staff of ID checkers, each protecting an “asset” (e.g. the bar, the stage, seating areas) with different access requirements, like a minimum age to access the bar or needing to be in the band to get backstage. Patrons would get checked far more often and they’d be limited in what they could do.
Zero-trust is a hot topic in cyber security right now. It’s a really powerful way to think and strategize about cyber security. But implementation is a process that takes time. I don’t think there are that many full-on zero trust IT shops out there – it’s a work in progress.
Zero trust and least-privilege concepts are closely related. Zero trust establishes the collection of assets you’re protecting while least privilege encourages you to get granular when you set up who can access those assets. It makes sense when you think about it – if you’ve gone to the trouble of atomizing your networked resources and then turn around and give every account access to every resource, you haven’t accomplished much.
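To make the two answers above concrete (the least-privilege advice about a customer PII database, and the zero-trust point that network location should not grant access), here is a small worked example. It is added illustration, not code from the interview, from Twitter, or from any named product. It assumes a constructed asset catalogue, a constructed set of service and admin accounts whose entitlements are (resource, operation) pairs, and a request object that carries a source network which the decision deliberately ignores.

```python
"""
Least-privilege entitlements evaluated under a zero-trust rule.

Constructed for this example (not a real system):
  - ASSETS is the catalogue of protected resources and the operations each supports.
  - ACCOUNTS holds entitlements as (resource, operation) pairs, the minimum per role.
  - Request.source_network is informational only; the decision never consults it,
    because under zero trust coming from the "corporate LAN" earns no access.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    entitlements: frozenset  # set of (resource, operation) pairs


@dataclass(frozen=True)
class Request:
    account: str
    resource: str
    operation: str
    source_network: str  # e.g. "corp-lan", "vpn", "internet"; never used for the decision


# Catalogue of assets: the things zero trust says you protect individually.
ASSETS = {
    "customers-db": {"read", "write", "delete", "backup"},
    "web-app": {"read", "write", "deploy"},
}

# Constructed sample accounts. Note that read access and the consequential
# operations (delete, backup) are deliberately split across different identities.
ACCOUNTS = {
    "web-app-svc": Account(
        "web-app-svc",
        frozenset({("customers-db", "read"), ("customers-db", "write")}),
    ),
    "backup-svc": Account("backup-svc", frozenset({("customers-db", "backup")})),
    "dba-alice": Account(
        "dba-alice",
        frozenset({("customers-db", "read"), ("customers-db", "delete")}),
    ),
}


def decide(req, accounts=ACCOUNTS, assets=ASSETS):
    """Return (allowed, reason). Deny by default; source_network is ignored."""
    acct = accounts.get(req.account)
    if acct is None:
        return False, "unknown account"
    if req.resource not in assets:
        return False, "unknown asset"
    if req.operation not in assets[req.resource]:
        return False, "operation not defined for asset"
    if (req.resource, req.operation) not in acct.entitlements:
        return False, "no entitlement"
    return True, "entitled"


def audit_consequential(accounts=ACCOUNTS, sensitive_ops=("delete", "backup")):
    """List which accounts hold consequential operations on any asset.

    This is the "cull out the accounts that don't need it" step: the output is
    the short list a small team should review first.
    """
    findings = []
    for acct in accounts.values():
        for resource, op in sorted(acct.entitlements):
            if op in sensitive_ops:
                findings.append((acct.name, resource, op))
    return findings


if __name__ == "__main__":
    # The web app may read customer data from anywhere it is entitled to...
    print(decide(Request("web-app-svc", "customers-db", "read", "internet")))
    # ...but being on the corporate LAN does not let it delete the database.
    print(decide(Request("web-app-svc", "customers-db", "delete", "corp-lan")))
    print(audit_consequential())
```

The point of the `source_network` field is that it is present in the request and absent from the logic: the same decision comes back for a request from the LAN and from the internet, which is the zero-trust rule stated above. The `audit_consequential` helper is the least-privilege starting point for a small team: instead of modelling every permission, list who can do the consequential things to the one mission-critical asset and trim from there.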
BA: Do you agree or disagree with the following statement? Wider adoption of both ‘least privileged access’ and Zero Trust needs to happen in order to make our digital systems as secure as they ought to be.
KK: Oh yeah, I think it’s clear these frameworks make major contributions to security. They work on so many levels too – even if you only use the framework as a thought exercise to guide how you define access or identify critical resources, you’re going to get better results because you’ll think differently about the problem.
BA: Anything else?
KK: Both of these concepts are currently in vogue for primary networked resources (e.g. databases or web applications). We think they’re going to be influential in other areas as well, such as improving security for unstructured data (e.g. end-user files), operations, or other technology disciplines.