In November 2019 two Twitter employees sent ripples through the cybersecurity community when they were charged with spying on behalf of the Saudi Arabian government. While Twitter is a multi-billion-dollar company, managers at small to medium sized businesses can learn a big lesson from this tech giant: “least privilege”. The concept is simple: every module (process, user or program) must only have access to the information and resources that are necessary for its legitimate purpose.
When a company is hacked, one or more individuals with a strong understanding of computer science gain unauthorized access to a company’s systems. These individuals usually have to bypass security protocols to get to the sensitive data that they are seeking to access, but this is not what happened with Twitter’s breach. Twitter was victim of a crime that pre-dates computers – corporate espionage by a trusted insider.
According to the Handbook on Securing Cyber-Physical Critical Infrastructure, 29% of all reported electronic crimes are insider attacks. An insider attack is defined as a malicious attack perpetrated on a network or computer system by a person with authorized system access. Twitter is not a unique case. Over 50% of organizations report an insider cyberattack each year, resulting in $40 billion in losses due to employee theft and fraud.
So, What Happened?
In 2014, the Saudi government began interacting with Twitter insiders. The regime contacted the two Twitter employees now accused of espionage and offered them financial and professional incentives to collect and share user data. A short time later, the employees began sending data to the Saudi government. Unlike typical corporate espionage, the goal was not to steal the engine behind Twitter. Rather, the goal was to obtain user data of those seen as critical of the Saudi regime. The theft was ongoing until 2019 when the FBI’s investigation became public.
Why is Twitter Being Scrutinized for This Attack?
Twitter failed to practice the Principle of Least Privilege regarding access to user data.
The concept underlying the Principle of Least Privilege (POLP) has been around for a very long time. A basic example is a locked filing cabinet with completed employment applications. Only individuals whose duties require access to applicant data should have a key to this filing cabinet. While an HR manager in charge of hiring would need access to this data, an accountant would not in order to complete his/her legitimate purpose. Twitter gave the keys to the file cabinet to a vast number of employees, most of whom did not need access to the data to perform the duties of their positions.
One of the compromised employees was a system engineer and the other employee was a media partnerships manager. Neither required access to user data to do their jobs. Had the POLP been implemented, neither individual would have been granted open access to query a database of user information. Each would have been given the exact level of access necessary for their position.
To better understand how small and medium businesses can prevent insider attacks similar to that of Twitter, please read The Framework for Improving Critical Infrastructure Cybersecurity Version 1.1. This document provides a detailed framework for preventing such crimes, monitoring company systems for potential attacks, and the best-practices to mitigate damages from such attacks.