Here I go again
Earlier this month President Trump’s Twitter account was deactivated for eleven minutes, apparently the work of a soon-to-be ex-employee who was determined to make a political statement on their last day at the company. Twitter officials have yet to release any details, except to say the now-ex-employee “inadvertently deactivated” the president’s account “due to human error.” It’s unlikely the public will hear much more from Twitter about this incident after the “investigation” the company claims to be launching.
That the president’s account was deactivated by Twitter should raise some questions for security professionals—and not political ones. Customer service and technical teams at Twitter have access to users’ accounts. This fact shouldn’t be shocking to anyone. Plus, by voluntarily using Twitter, users submit to the company’s terms of service, which include the ability for Twitter to “suspend or terminate [a user’s] account or cease providing [the user] with all or part of the Services at any time for any or no reason.” Most of us know or have heard about accounts being deactivated or suspended by Twitter for violation of the terms of service. The thing that’s concerning to a lot of security professionals about the Trump deactivation debacle is that Trump—whatever you feel about his politics or tweeting activity—didn’t appear to violate any terms of service on that day, at that time. What’s more, Twitter admitted that a “rogue” employee took down the account without any cause. Now, again, read the terms of service: “at any time for any or no reason…” Therefore, technically it’s Twitter’s right to deactivate an account.
Goin’ down the only road I’ve ever known
The problem here is that this particular employee was apparently not authorized to make this change. Frankly, the outside world doesn’t know much about Twitter’s policies or processes for suspending or deactivating a user’s account, which is fine, but it’s causing consternation among the security community. People are speculating that Twitter has serious lack of oversight of decisions to alter user accounts. Which may or may not be true. However, according to a former senior employee, Twitter’s processes for managing user accounts is lax. The former employee told Buzzfeed that Twitter uses a dashboard-like tool to which “a lot” of employees have access. If an authorized employee wants or needs to suspend or deactivate an account, “It’s one click if you have the rights to access the tool,” the person said. Apparently “hundreds” of people at Twitter have the ability to deactivate an account with one click.
Like a drifter I was born to walk alone
What we don’t know—and will likely never know—is if Twitter has a review or escalation processes for a suspension or deactivation request. While security folks are speculating that none exists, it’s possible the ex-employee who deactivated Trump’s account was working with a senior person on their team who provided necessary approvals for deactivation. The Buzzfeed source claims “that Twitter was aware that its suspension permissions could be abused but did not change its protocol,” indicating that a secondary approval or review was not needed. That’s a problem. On the bright side, though, that the deactivation was discovered mere minutes after it was enacted tells us that someone at Twitter might have been auditing changes.
This type of issue is precisely what should prompt security pros to take a hard look at their organizations and evaluate what permissions, authorizations, and change management processes are in place. Even if the organization has a thorough and vetted approval process for making changes, complete with secondary review by upper management, to employee and/or customer access and permissions, it must consider how quickly employees come and go, move job functions within the company, etc. Does your organization maintain a regular review process to ensure that employee access is current and appropriate for each job function? Are you sure you know what appropriate is? Have you consulted with department heads or have some sort of assessment process that allows you to determine who needs access to what and at what level? Have you looked at your administrator accounts lately, to ensure permissions on those high-stakes accounts are set at least privilege? Is it easy for an admin to make a change that would adversely affect others in the organization? Are those types of changes checked by a team member or manager?
And I’ve made up my mind
These are the types of questions organizations need to be asking about access and change management. That said, not all changes need to go through a rigorous approvals process. IT and security teams don’t need to be on high alert, for instance, if a user gets locked out of their account and needs a password reset. Even with that—and given today’s threat landscape in which it’s fairly easy for a malicious actor to pilfer a legitimate user’s valid credentials—certain levels of checking and double checking need to be in place.
It behooves organizations to create a risk matrix that helps assess different functions. For instance, an admin deactivating another employee’s or user’s account access: relatively minor risk. You might have an aggravated employee/user, but little (if any) long-term damage will be done. What happens, though, if an employee has system permissions to delete the company’s financial records, R&D schedule, or M&A activity, and these permissions allowed this person to click one button (as the ex-Twitter employee claimed happened with Trump’s social media account) and wipe everything out? One unilateral decision puts the entire company at great risk.
I ain’t wastin’ no more time
When it comes to information security, there are too many variables and too much damage that can be done if access controls and change management are left to the discretion of one person. Much like government, a system of checks and balances needs to be in place for security and IT teams. If your organization hasn’t looked at this in a while, current events are good reminders to us all that one bad apple can spoil the bunch.
Attend the Privacy and Risk Management Summit at InfoSec World 2018 in Orlando, Florida, on March 22, 2018 to discuss strategies and techniques for lowering cybersecurity risks to your organization, and ensuring your employee and user data remains private.