Here's What's Missing from Your Cyber Security Strategy!
In recent news, Twitter’s security incident made headlines for several days following a malicious attack, dubbed a “Coordinated Social Engineering Attack”, on its employees. The attack aimed to use the accounts of several prominent individuals to post tweets promoting a cryptocurrency scam. The affected accounts, including those of former President Barack Obama, Kanye West, Kim Kardashian West, Warren Buffett, Jeff Bezos and Mike Bloomberg, posted similar tweets soliciting Bitcoin donations from their verified profiles. The attackers made roughly $118,000 USD in a matter of hours from this coordinated attack. Twitter has moved to investigate the incident and has publicly confirmed that the source of the breach was internal: employees who had access to the internal tools used to manage Twitter profiles were targeted with social engineering tactics.
Figure 1. Blockchain summary of transactions made to the address that was tweeted
The implications of this attack were huge given the political nature of some of its victims. Senator Josh Hawley even wrote a letter to Jack Dorsey, Twitter’s CEO, requesting an explanation to the American political establishment, given that the attack occurred within an election year. To detail the implications a bit further, we can state the following:
Information Disclosure of Users’ Data
Internal System Compromise
Users’ Account Compromise
Possible Reputational Damage
Possible Legal Action
A Decrease in Stock Prices
Figure 2. Letter to Jack Dorsey from Senator Josh Hawley
Now that we have a picture of an event that has already taken place, we can say without a doubt that a situation like this can apply to any company or organization with a network.
“The Norm” for most companies conducting a penetration testing exercise is to focus on the following strategies, among others:
External Testing Strategy
Internal Testing Strategy
Targeted Testing Strategy
Application Security Testing Strategy
With “The Norm” we cover all the bases linked to the network and the applications that are part of it. However, the weakest link in a company or organization’s network, the “human factor”, is sometimes never assessed for its weaknesses.
According to Twitter in their update on the incident, “we believe attackers targeted certain Twitter employees through a social engineering scheme.”
Figure 3. Twitter's blog update on the recent security incident.
What is Social Engineering?
It is the act of psychologically manipulating people into performing actions or disclosing information that may help a malicious actor carry out an attack.
According to Twitter in their update, “The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.”
Given that this occurred, questions will be asked about what level of preparation was in place to prevent an attack such as this, tying back to the implications stated previously. The EU's General Data Protection Regulation (GDPR) requires organisations such as Twitter to demonstrate "appropriate" levels of security, and if the data protection officers deem that Twitter failed to take the measures needed to attain “appropriate” levels of security, it can face fines.
How can you assess your level of security controls?
Assuming that your company or organization already conducts external and internal penetration testing exercises, it is advised to add social engineering to your strategy, covering the following areas:
Trash Searches “Dumpster Diving”
With this added to your approach, you will be able to pinpoint the weaknesses within your company or organisation and organise a plan of action to add resilience to your network.
Agyei Masters has over two years of experience in Information Security Services. He works closely with the Advisory and Assurance teams to assess the security posture of our clients’ IT infrastructure, applications and systems by means of penetration testing, code reviews, social engineering, and cloud security reviews.