The concept of privileged access to data and resources became a national headline when President Trump’s Twitter account was deactivated by a departing Twitter employee. The unauthorized account closure was first noticed when followers saw his Twitter page declare, “Sorry, that page doesn’t exist!”.
What happened to Trump’s Twitter account? pic.twitter.com/6FZBWhswoI
— Brandon Wall (@Walldo) November 2, 2017
This single act brings up a slew of thoughts and questions, especially for security aware organizations, about how Twitter manages its accounts and with it, the personally identifiable information (PII) of hundreds of millions of people (Twitter has about 330 million monthly active users).
The first, most obvious question is, “Can only a single person deactivate a Twitter account?” In your organization, do certain people have the same type of power and control? Do you provide any oversight of those with privileged access? This leads to the obvious follow-up: “Do your processes include a confirming feedback/approval cycle when making changes to user accounts?” We call it the two-man rule. Under it, President Trump’s account could not have been deleted without at least a secondary level of approval.
The next question is, “How many people at Twitter have the same absolute power to delete an account without invoking two-man rule principles?” In your organization, the same question applies: Do you employ additional and deeper vetting of people with this level of privileged access? Is there such a policy, or should there be?
Third: “Why did Twitter (and perhaps other social media sites) not have the ability to notice that the account was deleted and, instead, waited for the Wisdom of the Crowds to tell them?” How does your organization learn of security events? Through internal detection-reaction processes, or do you wait for customer complaints?
Finally, “Should ‘famous’ people be treated the same as everyone else? Or do they deserve First Class service?” Does your organization have two or more classes of users, where some get far better services and perhaps security? Or is everyone treated exactly the same? For Twitter to employ its users as a human detection system demonstrates a less than ideal internal incident response system.
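To make the two-man rule concrete, here is an added example (my own illustration, not Twitter's code or anything described in this post) of a hypothetical account back end in which deactivation is a privileged action that only executes once a configurable number of distinct people have signed off, the requester cannot approve their own request, a repeated approver does not count twice, and every step lands in an audit log that an internal detection process can read instead of waiting for users to notice.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ApprovalError(Exception):
    """Raised when a privileged action would violate the two-man rule."""


@dataclass
class DeactivationRequest:
    account: str
    requested_by: str
    approvals: set = field(default_factory=set)  # distinct approver ids only


class AccountService:
    """Hypothetical back end: deactivation needs `required_persons` distinct people."""

    def __init__(self, required_persons: int = 2):
        self.required = required_persons
        self.active = set()      # accounts currently live
        self.pending = {}        # account -> DeactivationRequest
        self.audit_log = []      # every privileged step, for internal detection

    def _log(self, event: str, account: str, actor: str) -> None:
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, "account": account, "actor": actor})

    def create(self, account: str) -> None:
        self.active.add(account)

    def request_deactivation(self, account: str, actor: str) -> None:
        if account not in self.active:
            raise ApprovalError(f"{account} is not an active account")
        self.pending[account] = DeactivationRequest(account, actor)
        self._log("deactivation_requested", account, actor)

    def approve_deactivation(self, account: str, approver: str) -> bool:
        """Record one approval; return True only when the deactivation executes."""
        req = self.pending.get(account)
        if req is None:
            raise ApprovalError(f"no pending deactivation for {account}")
        if approver == req.requested_by:
            raise ApprovalError("requester may not approve their own request")
        req.approvals.add(approver)   # set semantics: one vote per person
        self._log("deactivation_approved", account, approver)
        if len({req.requested_by} | req.approvals) < self.required:
            return False              # still short of the required distinct people
        self.active.discard(account)
        del self.pending[account]
        self._log("account_deactivated", account, approver)
        return True
```

Raising `required_persons` to three shows that a single approver voting twice still leaves the account live, which is exactly the property the two-man rule is meant to guarantee.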
The principle of privileged access or escalated privileges has been a low-level security issue for entirely too long. This Twitter incident exposes a soft underbelly, too long insufficiently scrutinized by security experts and the media, and ignored by organizations who should already have put far better controls in place.
Twitter has since conducted an internal review and claims to have implemented safeguards, so this event can’t happen again:
Update: We have implemented safeguards to prevent this from happening again. We won’t be able to share all details about our internal investigation or updates to our security measures, but we take this seriously and our teams are on it. https://t.co/8EfEzHvB7p
— Twitter Government (@TwitterGov) November 3, 2017