Threat Management, Identity, Incident Response, Leadership

Researchers warn of ‘rosy’ security reports in wake of Twitter whistleblower case

A thumbprint is displayed on a mobile phone as the logo for the Twitter social media network is projected onto a screen.
A thumbprint is displayed on a mobile phone as the logo for the Twitter social media network is projected onto a screen. (Photo by Leon Neal/Getty Images)

In the days since Peiter “Mudge” Zatko filed his complaint with the federal government about Twitter’s problematic security practices and while Twitter stands as a special case, security researchers see familiar themes in terms of the security issues many organizations face.

Issues with identity, lax privileged access among admins, and outdated computing infrastructure abound at many organizations, not just at Twitter, say security researchers interviewed by SC Media.

Many of the issues highlighted in Mudge’s whistleblower report are the same challenges that large organizations face every day with regards to access and data privacy, said Mike Puterbaugh, CMO at Pathlock. Puterbaugh said Twitter allows too many of its staff access to the platform's central controls and most sensitive information without adequate oversight.

“The separation of duties within core enterprise applications, like ERP and HR systems is a foundational risk reduction aspect for many organizations,” Puterbaugh said. “There's countless examples in the finance context of why companies should separate certain functions. Creating a vendor in a payment system vs. paying that same vendor in a payment system, for example. It appears that Twitter is no different.”  

Many security pros saw some room for lessons learned.

Andrew Hay, COO at LARES Consulting, said every organization should reevaluate the executive tolerance for reporting security issues and the expectations of their respective boards of directors. Hay said many organizations need to relevel what they consider "must be" versus what "should be," and elevate that to the organization's leadership team regarding security issues.

“Also, many security executives may look to their leadership team to define a whistleblower policy to protect themselves and the flow of information should a similar issue arise within the company,” Hay said. “The last thing we, as a security industry, need is to bury important security issues so as not to highlight inadequacies in our security programs. If anything, this is an opportunity to refine current processes and solidify buy-in from the executive team.”

The cybersecurity challenges Mudge pointed out are not uncommon, said Casey Ellis, founder and CTO at Bugcrowd. Ellis said excessive privileged access, for example, is common especially in the technology industry — and even more common since the pandemic prompted a rapid shift to work-from-home and hybrid work back in 2020.

“To me, there are two opportunities for lessons learned here,” Ellis said. “The first is for security leaders and teams to step back for a moment and consider how they are going at prioritizing, managing and burning down the basics. There are no shortage of ‘shiny objects’ in cybersecurity, and it's easy to get caught focusing on esoteric controls and threats when the simpler issues go unaddressed. The second would be to table-top the scenario from Twitter's point of view: regardless of the validity of the reason for whistleblowing, it’s a useful exercise to consider the cybersecurity impact, as well as the impact on trust and brand, if your security deficiencies as an organization were suddenly an issue of public record.”

Beware of rosy security reports, having 'happy ears'

Phil Neray, vice president of cyber defense strategy at CardinalOps, said Mudge has a ton of credibility as a former ethical hacker and cybersecurity expert at Google and DARPA.

For boards and management teams, Neray said the key lessons learned are that they should beware of rosy reports about security and privacy controls, and having “happy ears” when they're presented to them — because executives may have a big financial incentive to ignore systemic issues.

“The impact of willfully ignoring these issues can include painful regulatory fines, cumbersome consent decrees, and problematic shareholder lawsuits,” Neray said. “For security leadership, the biggest lesson learned is to make sure you have both detective and preventive controls in place to prevent privileged access to sensitive production environments by developers and others — because that can lead to data privacy violations and, in the case of social media companies, the spreading of disinformation by foreign adversaries or even groups challenging our election integrity.”

Chloé Messdaghi, chief impact officer at Cybrary, said in these situations cybersecurity teams must communicate carefully and effectively to all other departments about what’s happened — and communicate upwards to the C-Suite and board in plain English, not nerdspeak.

Messdaghi said that’s most effectively done with dollar signs: lay out projections on how much the business would be impacted, what impacts might look like, and even the potential overall impacts on line-of-business operations and customer relationships.

“This is speaking to the C Suite and BOD in their language,” said Messdaghi. “That’s how security practices spread outwards and upwards. Also, cyber teams must showcase that there’s heightened focus across the insurance industry on cyber upskilling training — both for users and for security teams — and that cybersecurity insurance payouts are increasingly dependent on proof of that ongoing upskilling training."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.