The Issue

In Recent News, Twitter’s Security Incident made headlines for a few days due to a malicious attack, dubbed a “Coordinated Social Engineering Attack” on its employees. The attack was geared towards using the accounts of several prominent individuals to make tweets promoting what would be a cryptocurrency scam.

The accounts affected were those of former President Barack Obama, Kanye West, Kim Kardashian West, Warren Buffett, Jeff Bezos and Mike Bloomberg, posted similar tweets soliciting Bitcoin donations to their verified profiles. The attackers made roughly $118,000 USD in a matter of hours from this coordinated attack. Twitter has made moves in trying to investigate the incident and has made a public release confirming the source of the breach to be that of an internal one where employees who would have had access to internal tools to manage Twitter profiles were targeted via Social Engineering tactics.

During this attack, the implications were huge given the political nature of some of the victims of this hack. With even a letter being written to Jack Dorsey, Twitter’s CEO from Senator Josh Hawley requesting an explanation to the American Political Establishment given that this attack even occurred within an election year. To note in detail a bit more of the implications, we can state the following:

• Information Disclosure of User’s Data

• Internal System Compromise

• User’s Account Compromise

• Possible Reputational Damage

• Possible Legal Action

• A Decrease in Stock Prices.

Now we have a picture of an event that has already taken place, we can say without a doubt that a situation like this can apply to any company/organization with a network.

“The Norm” for most companies doing a Penetration Test exercise would be to focus on the following strategies among others:

• External Testing Strategy

• Internal Testing Strategy

• Targeted Testing Strategy

• Application Security Testing Strategy

With “The Norm” we cover all the bases linked to the network and the applications apart of it, however the weakest factor towards a company/organization’s network is sometimes not accessed for its weaknesses. That being the “Human factor”.

According to Twitter in their update on the incident, “we believe attackers targeted certain Twitter employees through a social engineering scheme.”

What is Social Engineering?

It is the act of using psychological manipulation of people to perform activities or disclose information that may help a malicious actor in an attack.

According to Twitter in their update, “The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.”

Given that this occurred, questions will be asked what level of preparation was done to prevent an attack such as this stemming back to the implications previously stated. The EU's General Data Protection Regulation (GDPR) states that organisations such as Twitter have to show "appropriate" levels of security, and if the data protection officers deem Twitter to have failed tp take certain measures to attain “appropriate” levels of security, they can be faced with fines.

How can you assess your level of security controls?

Assuming that your company/organization already conducts External and Internal Penetration exercises, it is advised to add Social Engineering to your strategy covering the following areas:

• Phone Interactions

• Physical Interactions

• Email Interactions

• Trash Searches “Dumpster Diving”

• Media Drops

With this added to your approach, you would be able to pinpoint the weaknesses within your company/organisation and be able to organise a plan of action towards adding resilience to your network.

Schedule a virtual appointment with one of our Security Consultants today to learn more.