Digital espionage, disinformation campaigns, and willful lack of data protection. What can be learned from Twitter’s whistleblower? And how can you mature your security program rapidly?

No publicity is bad publicity—until a federal cybersecurity consultant warns of your company’s digital espionage, disinformation campaigns, and willful lack of data protection.

All eyes are on Twitter lately, as the social media giant faces allegations of cyber-negligence from its former head of security, Peiter “Mudge” Zatko. Given his years of experience and reputation in ethical hacking communities, Zatko was hired two years ago by then-Twitter CEO Jack Dorsey to overhaul the company’s cybersecurity infrastructure. Now he has come forward to the Securities and Exchange Commission with a disclosure of more than 200 pages detailing Twitter’s security nightmare.

Zatko’s testimony is disturbing, but what does it mean for the future of digital security standards? Given the opportunity, why would a company run the risk of making headlines over making an effort for their user base? Knowing what Zatko knew about chronic mismanagement and the absence of cohesive oversight, would you enable the culture… or blow the whistle?

Bad Press, Worse Policies

Lackluster data security is a group effort. Zatko noted multiple failures in the company’s security policies, including: overly permissive access to high-level information and security controls, leadership allowing bots that spread spam and disinformation to run amok, and poor stewardship of user data—failing to delete it upon account deactivation, for instance.

In today’s world, user data is a critically important currency. One of Zatko’s more explosive allegations claims that Twitter unknowingly employed plants working for foreign state intelligence. Earlier this month, a former Twitter manager was convicted of acting as an agent of Saudi Arabia, where he allegedly accepted money from the Saudi Arabian government in exchange for information on accounts of dissidents or critics.

Zatko claimed that Twitter executives knew of the company’s cybersecurity shortcomings, choosing to ignore them and, in some cases, actively covering them up. According to Zatko, CEO Parag Agrawal told him to cast his reports on Twitter’s problems in a more positive light and omit data that would implicate Twitter in a lack of progress toward their security and privacy goals.

But damning statements on the company’s flimsy internal security don’t come as a surprise to experts who witnessed the mass breach of verified accounts in 2020. After hackers gained control of several high-profile accounts and used them to tweet out information on a bitcoin scam, Twitter came under fire for what the incident revealed: it did not have appropriate privileged user management controls in place, nor differentiated access for administrators or developers. In short, gaining the credentials to even one account opened up a world of possibilities to malicious actors. And if multiple accounts could be compromised, the whole platform could be at risk.

How might Twitter have mitigated their sprawling security problem?

No one is above a major threat to their daily operations, especially when company executives have made a point of deprioritizing cybersecurity. Entities like Twitter have a responsibility to their users just as organizations in healthcare, energy, and other sectors have a responsibility to their clients, and IT security controls are a major part of meeting it.

User permissions are a big piece of the puzzle. Limiting account permissions, installing multi-factor authentication, and even implementing a Zero Trust model all help to contain an attacker’s reach across the wider environment in the event of a breach.

Twitter has also reported that the 2020 attack was the result of social engineering, which points to the importance of educating your workforce on cyber-criminal tactics. Employees who are tested with simulated phishing communications and primed to report them to their IT security team will be a stronger line of defense against potential breaches. This can be achieved with a Social Engineering Evaluation and/or Red Team Assessment.

User data protection is critically important and, in the case of HIPAA regulations on PHI, required. Every organization will have a different means of protecting their clients’ information, but applying care and integrity is a good start, especially when lingering user data can be commandeered in ransomware attacks or other grabs for valuable assets.

Investment in protecting user data will also protect your organization from fines and a tarnished reputation, which can stem the flow of new clients and bring you under further scrutiny. Twitter claims to be conducting an internal review of Zatko’s allegations, in part to address the damage to its own public image. But IT security isn’t just treatment—it’s proactive care. And we can help with that.

Rapidly Mature Your Security

Between annual security assessments, it’s easy to lose sight of your security status. It’s also slow going to advance your security posture when you only get in-depth reporting once a year. The solution? BAI Security’s Red Team Residency.

Our Red Team Residency (RTR) is made up of routine real-world cyberattack simulations against your organization, spread across varied locations and over an extended period (e.g. 12-18 months or longer).

Like our Red Team Assessment, the RTR serves as a comprehensive assessment of your organization’s targeted assets — technical, human, and physical.

But with ongoing testing and regular reporting over the course of this residency, your team can pivot in real time. This expedites the maturation of your security program and progressively reduces real-world risk over the engagement.

Learn more about the Red Team Residency and all our assessment options.