The concept of privileged access to data and resources became a national headline when President Trump’s Twitter account was deactivated by a departing Twitter employee. The unauthorized account closure was first noticed when followers saw his Twitter page declare, “Sorry, that page doesn’t exist!”

This single act raises a slew of thoughts and questions, especially for security-aware organizations, about how Twitter manages its accounts and, with them, the personally identifiable information (PII) of hundreds of millions of people (Twitter has about 330 million monthly active users).

The first, most obvious question is, “Can only a single person deactivate a Twitter account?” In your organization, do certain people have the same type of power and control? Do you provide for any oversight over those with privileged access? And this leads simply to the obvious, “Do your processes include a confirming feedback/approval cycle when making changes to user accounts?” We call it the two-man rule. In the Twitter case, President Trump’s account could not have been deleted without at least a secondary level of approval.

The next question is, “How many people at Twitter have the same absolute power to delete an account without invoking two-man rule principles?” In your organization, the same question applies: Do you employ additional and deeper vetting of people with this level of privileged access? Is there such a policy, or should there be?

Third: “Why did Twitter (and perhaps other social media sites) not have the ability to notice that the account was deleted and, instead, waited for the Wisdom of the Crowds to tell them?” How does your organization learn of security events? Through internal detection-reaction processes, or do you wait for customer complaints?

Finally, “Should ‘famous’ people be treated the same as everyone else? Or do they deserve first-class service?” Does your organization have two or more classes of users, where some get far better service and perhaps better security? Or is everyone treated exactly the same? For Twitter to rely on its users as a human detection system demonstrates a less-than-ideal internal incident response system.
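As an added example (not from the original post, and not Twitter’s code), here is the two-man rule from the account-change question above and the internal-detection point from the third question, modelled in Python: a deactivation request takes effect only after a second privileged operator approves it, self-approval is rejected, and a detector reads the audit log for deactivations of watch-listed accounts so the organization learns of the change before its users do. Operator names, account names and the gate API are assumptions.

```python
"""Two-person approval gate for privileged account actions (hypothetical)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ApprovalError(Exception):
    """Raised when the two-man rule would be violated."""


@dataclass
class AccountActionGate:
    privileged: set                                # operators holding 'deactivate'
    pending: dict = field(default_factory=dict)    # account -> requesting operator
    audit_log: list = field(default_factory=list)  # append-only audit events

    def _log(self, event, account, actor):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, "account": account, "actor": actor})

    def request_deactivation(self, account, requester):
        """First person: record the request; nothing changes yet."""
        if requester not in self.privileged:
            raise ApprovalError(f"{requester} lacks the deactivate privilege")
        self.pending[account] = requester
        self._log("deactivation_requested", account, requester)

    def approve_deactivation(self, account, approver):
        """Second person: only a *different* privileged operator may approve."""
        requester = self.pending.get(account)
        if requester is None:
            raise ApprovalError(f"no pending request for {account}")
        if approver not in self.privileged:
            raise ApprovalError(f"{approver} lacks the deactivate privilege")
        if approver == requester:  # the core of the two-man rule
            raise ApprovalError("requester may not approve their own request")
        del self.pending[account]
        self._log("account_deactivated", account, f"{requester}+{approver}")
        return True


def detect_deactivations(audit_log, watchlist):
    """Internal detection: alerts for deactivations of watch-listed accounts,
    so the security team is told by the logs rather than by followers."""
    return [e for e in audit_log
            if e["event"] == "account_deactivated" and e["account"] in watchlist]
```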

The principle of privileged access, or escalated privileges, has been treated as a low-priority security issue for entirely too long. This Twitter incident exposes a soft underbelly that has been insufficiently scrutinized by security experts and the media, and ignored by organizations that should already have put far better controls in place.

Twitter has since conducted an internal review and says it has implemented safeguards so that this cannot happen again.

But it’s still a lesson in privileged access, insider threats, and nontechnical security that organizations would be wise to heed.

Winn Schwartau

President & Founder at SAC
Winn Schwartau is one of the world's top recognized experts on security, privacy, infowar, cyber-terrorism, and related topics. Winn is gifted at making highly technical security subjects understandable and entertaining, and has authored more than 12 security books.