Here are 5 cybersecurity lessons learned from the recent Twitter hack; use these lessons to prevent or minimize an attack on your systems.
On Wednesday, July 15th, 2020, a number of high-profile Twitter accounts were taken over. Accounts belonging to notable people and brands, such as Elon Musk and Jeff Bezos, as well as cryptocurrency exchanges, were taken over and used to tweet messages in a charity scam to raise bitcoin from the public. Over $120,000 was sent to a bitcoin wallet by unsuspecting people!
Was this a sophisticated advanced persistent threat by a state-sponsored actor? Maybe someone trying to influence the elections?
This was a relatively straightforward social-engineering attack on Twitter employees, specifically those who had access to Twitter’s Admin Panel. It was done by opportunistic, casual teenagers and those in their 20s. For a complete breakdown of the event, see this Medium post by Lucky.
Something I see time and again is a lack of a solid password reset flow. You want your password reset flow to be fully automated. Additionally, you do not want customer service reps setting “default” passwords for users and asking them to change them later. Users are likely not going to change their passwords later, and now you have a whole subset of users out there with the same password! Additionally, you don’t want any other human knowing the password at all. Period.
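A sketch of such an automated flow, added here as an illustration and not taken from the original article: the server issues a random one-time token, stores only its hash, and the user chooses the new password, so no staff member ever sees or sets it. The `ResetStore` class, the 15-minute lifetime and the in-memory storage are assumptions made for the example.

```python
import hashlib, hmac, os, secrets, time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)

class ResetStore:
    """In-memory stand-in for the user and reset-token tables (hypothetical)."""
    def __init__(self):
        self.tokens = {}     # sha256(token) -> (user, expires_at)
        self.passwords = {}  # user -> (salt, scrypt hash)

    def request_reset(self, user, now=None):
        """Issue a one-time token; only its hash is kept server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # A new request invalidates any earlier token for the same user.
        self.tokens = {d: v for d, v in self.tokens.items() if v[0] != user}
        self.tokens[digest] = (user, now + TOKEN_TTL)
        return token  # sent to the user's registered address, never to staff

    def complete_reset(self, token, new_password, now=None):
        """The user picks the password; the token works once, before expiry."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # pop makes the token single use
        if entry is None or now > entry[1]:
            return False
        salt = os.urandom(16)
        self.passwords[entry[0]] = (salt, _kdf(new_password, salt))
        return True

    def check_password(self, user, password):
        salt, stored = self.passwords.get(user, (b"", b""))
        return bool(stored) and hmac.compare_digest(stored, _kdf(password, salt))

def _kdf(password, salt):
    # Per-user salt means two users with the same password get different hashes.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
```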
Here are my recommendations for all PW reset flows:
Admin employees often hold the keys to the kingdom. Some examples of employees that hold administrative roles are:
Some things they can do include:
Take a look at the people in your company that have these kinds of privileges. Understand their current workflow and the privileges they need to do their job. Take a look at the admin panels they use. Are there multiple roles where the least privilege is enforced? Or even worse: are shared passwords being used?
If you don’t believe me, check out Darknet Diaries Episode – Human Hacker. Or check out this video where a hacker breaks into your phone account in 2 minutes!
Many of us already know all the little things that we need to do to improve security in our environment, but prioritization is the hard part. There is no ONE SIZE FITS ALL in Information Security, so we need to understand:
These are just some of the questions that are asked during a threat modeling exercise. Having the right people in the room and asking all the right questions will help you build a holistic threat model.
Additionally, having engaged engineers—especially senior ones—come up with scenarios they may know specific to their industry is another success signal.
Make sure you update and revisit your threat model periodically. I recommend quarterly since many things change at a company experiencing high and fast growth.
Empower your employees to ask questions and have a sense of when something is peculiar. Listen to the Darknet Diaries Episode – Human Hacker and see how employees were tricked or phished for their credentials.
Remember: our employees are not “dumb” or “stupid.” If this is what you think about your employees, then your security efforts will fail. Sorry, I can’t sugarcoat that. As security practitioners, we need to be enablers: not gatekeepers. Contact me, and I’d be happy to discuss this over coffee.
Customer service employees are often the front lines to the outside world. Ensure they verify accounts and rely on automation and metadata before making drastic changes to an account (see above for tips on password reset flows). Social engineers are trying to get more information about the type of systems in place at your company. Even knowing where or what the outsource provider is for your Customer Service can be valuable. Train your employees to not let others know more information than they need.
Log ALL changes. Having the ability to go back makes it much easier to understand what happened in the event of an incident.
Additionally, creating alerts for summarized changes may also help shorten the window for detection. Of course, I’m a believer in preventative and corrective controls over detective ones; however, if the former is not available, then we have detective controls.
Sometimes, small startups use “God Mode,” an admin panel that is basically direct read/write access to the company’s SaaS platform or database, which is very often insecurely protected and has minimal controls.
I have seen admin panels with no password complexity requirements and where everyone had the same full admin access. Sometimes, all the email addresses could be added as a user to the panel.
Here are some general guidelines:
The concept of least privilege means people (and machines) only have access (authentication) and permissions (authorization) for the minimum required to get the job done.
Do you have RBAC roles on the admin panel, or does everyone have admin privileges?
The idea is that you create different groups with different sets of permissions particular to their job. In the event they change jobs, you can simply change their role.
Below are some sample roles:
Of course, find the number of roles that fit your organization; just try to keep it more than one.
Is your admin panel available to the world? Do you have 2FA to log in and make changes? Are logins scheduled to time out, or are users logged in forever? Do you have geo-fencing set up?
What if someone logged in from San Francisco, California, and then logged in from Montreal, Quebec, Canada?
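The San Francisco then Montreal case can be caught with an "impossible travel" check over login records. The following is an added example, not part of the original article; the record fields, the 900 km/h ceiling, the 50 km noise floor and the sample logins are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900      # assumed ceiling: roughly airliner cruising speed
MIN_KM = 50        # assumed floor to ignore GeoIP jitter within one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(logins, max_kmh=MAX_KMH):
    """Return (user, from, to, km, hours) for consecutive logins too far apart."""
    by_user = defaultdict(list)
    for e in logins:
        by_user[e["user"]].append(e)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            # Simultaneous logins from distant places (hours == 0) are flagged too.
            if km > MIN_KM and (hours == 0 or km / hours > max_kmh):
                alerts.append((user, prev["city"], cur["city"], round(km), round(hours, 2)))
    return alerts

# Constructed sample: GeoIP-resolved admin-panel logins (not real data).
SF = {"city": "San Francisco", "lat": 37.7749, "lon": -122.4194}
MTL = {"city": "Montreal", "lat": 45.5017, "lon": -73.5673}
SAMPLE = [
    {"user": "admin1", "ts": datetime(2024, 1, 10, 9, 0), **SF},
    {"user": "admin1", "ts": datetime(2024, 1, 10, 10, 30), **MTL},  # 1.5 h later
    {"user": "admin2", "ts": datetime(2024, 1, 10, 9, 0), **SF},
    {"user": "admin2", "ts": datetime(2024, 1, 11, 9, 0), **MTL},    # 24 h later
]
```

On the sample, only `admin1` is flagged: the two cities are roughly 4,080 km apart, which is plausible in a day but not in 90 minutes.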
With such extraordinary power of the admin panel, you want to make sure it’s protected from the world. For example, what if your admin panel uses an outdated Ruby gem with a CVE (vulnerability), allowing unauthenticated access to the panel? Or maybe the server it’s running on got compromised, and now an attacker has access. Limiting the exposure of your admin panel will reduce your threat surface.
Adding a Zero-Trust network proxy in front of the admin panel reduces its footprint dramatically.
Can someone change the email address of 100 users in an instant? If so, make them re-authenticate, get secondary authorization, and/or add notifications to an admin group.
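One way to enforce this, shown as an added example rather than code from the original article: a sliding-window guard that logs every change, holds further changes once one actor exceeds a threshold, notifies the admin group, and releases a held change only when a different admin approves it. The class name, the limit of 5 changes per 60 seconds and the record fields are assumptions.

```python
import time
from collections import defaultdict, deque

class BulkChangeGuard:
    """Hold sensitive admin actions once one actor exceeds a rate threshold."""
    def __init__(self, limit=5, window=60):
        self.limit, self.window = limit, window   # assumed policy values
        self.recent = defaultdict(deque)          # (actor, action) -> timestamps
        self.audit = []                           # append-only change log
        self.pending = []                         # changes awaiting a second admin
        self.notifications = []                   # messages for the admin group

    def submit(self, actor, action, target, now=None):
        now = time.time() if now is None else now
        q = self.recent[(actor, action)]
        while q and now - q[0] > self.window:     # drop events outside the window
            q.popleft()
        q.append(now)
        change = {"ts": now, "actor": actor, "action": action, "target": target}
        if len(q) > self.limit:
            change["status"] = "held"
            self.pending.append(change)
            self.notifications.append(f"{actor}: {len(q)} x {action} in {self.window}s")
        else:
            change["status"] = "applied"
        self.audit.append(change)                 # every attempt is logged
        return change["status"]

    def approve(self, approver, change):
        """Release a held change; the approver must differ from the requester."""
        if change not in self.pending or approver == change["actor"]:
            return False
        self.pending.remove(change)
        change["status"] = "applied"
        self.audit.append({"ts": change["ts"], "actor": approver,
                           "action": "approve", "target": change["target"]})
        return True
```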
Not many companies will do this, but you may want to consider conducting these tests if you are a large public organization with sensitive data or government customers.
According to the New York Times, attackers accessed data stored in engineers’ Slack channels to further their access into other systems. It’s unclear whether they had credentials in those chats that gave access or whether there were links to other internal administrative portals. Those links could have been authenticated or unauthenticated. Sometimes, internal portals are “trusted” and have little or minimal authentication other than the fact they are coming from an internal source. They could have been using a shared password for all we know.
Here are the major takeaways:
As you can see, there is no one solution or silver bullet to all of this—it’s all part of a defense-in-depth strategy. Attacks can come from many different directions and in different ways, but either way, the impact of access can have severe implications.
For a relatively novice attacker to get through so easily says something about how fragile our systems are sometimes or how we underestimate the abilities of an attacker.