Some more follow-up on the intrusion by bitcoin-focused criminals. Twitter has confirmed that 130 accounts were accessed and 45 sent tweets, many of which advertised the con. The intruders were also able to view the private messages of 36 accounts.
CEO Jack Dorsey was quoted saying “Security doesn’t have an end point. It’s a constant iteration to stay steps ahead of adversaries. We fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools.”
Why do we care?
I’m a bit security themed today. Jack’s quote reinforces it, although here it points out the real problem of social engineering.
I’m an advocate for a zero-trust security model. Assume everyone cannot be trusted rather than can, and you create many more controls and processes that make compromises much harder to execute. Redundancies, requiring more than one person to execute sensitive actions, and the like are keys to this model.
Think about a classic phishing attack – if you can’t transfer money without two people signing off, or even two verified interactions, you have more moments to consider the consequences. That’s my takeaway here.
Also think about your own internal tools – as a provider, you have a lot of power. Make sure you’re protected.
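To make the two-person idea concrete for an internal tool, here is an added example (my own illustration, not code from Twitter or the Washington Post) of a small approval gate: a sensitive action can only run once a second, distinct person has signed off within a time window, and every step is recorded for audit. The operator names, the action names and the 15-minute window are assumptions chosen for illustration.

```python
# Added example (not from the original post): a two-person rule for
# sensitive internal-tool actions. Operator names, action names and the
# 15-minute window are assumptions chosen for illustration.
import time
from dataclasses import dataclass, field


class ApprovalError(Exception):
    """Raised when a request is not allowed to proceed."""


@dataclass
class SensitiveRequest:
    action: str           # e.g. "reset_email" or "transfer_funds"
    target: str           # the account or resource being acted on
    requested_by: str     # operator who asked for the action
    created_at: float     # epoch seconds
    approvals: dict = field(default_factory=dict)  # approver -> epoch seconds


class TwoPersonGate:
    """Nobody executes a sensitive action alone: the requester plus enough
    *distinct* approvers to reach `min_people`, all within `ttl` seconds."""

    def __init__(self, min_people=2, ttl=900):
        self.min_people, self.ttl, self.audit = min_people, ttl, []

    def submit(self, action, target, requested_by, now=None):
        now = time.time() if now is None else now
        req = SensitiveRequest(action, target, requested_by, now)
        self.audit.append(("submitted", requested_by, action, target))
        return req

    def approve(self, req, approver, now=None):
        now = time.time() if now is None else now
        if now - req.created_at > self.ttl:
            raise ApprovalError("request expired; submit a fresh one")
        if approver == req.requested_by:
            raise ApprovalError("requester may not approve their own request")
        if approver in req.approvals:
            raise ApprovalError("each person counts once")
        req.approvals[approver] = now
        self.audit.append(("approved", approver, req.action, req.target))

    def execute(self, req, now=None):
        now = time.time() if now is None else now
        if now - req.created_at > self.ttl:
            raise ApprovalError("approvals are stale; start over")
        if 1 + len(req.approvals) < self.min_people:  # requester counts as one
            raise ApprovalError(f"need {self.min_people} people, have {1 + len(req.approvals)}")
        self.audit.append(("executed", req.requested_by, req.action, req.target))
        return True  # the real action (email reset, transfer, ...) would run here
```

A phished operator can still submit a request, but cannot complete it without a second person, which is exactly the extra moment to stop and think that the post describes.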
Source: Washington Post