Every once in a while, something happens where you throw your hands up and say: “That’s what I’ve been saying!” No, it wasn’t when NFL analysts predicted that my Dallas Cowboys will play well this year. Instead, it was when I read a story about how over the summer, hackers took control of various Twitter accounts and went on an embarrassing joyride.
OK, so bad news for Twitter. But there’s something we can learn by recounting the events from the hacker’s perspective. And it points to something I’ve been saying over and over again: insecure communication and collaboration tools have become the modern-day Achilles heel of corporate security.
When something goes wrong, there’s seldom one factor to blame. That’s why I like “5-why” exercises. By forcing ourselves to ask more questions even after we think we have an answer, we not only do a better job of finding the true root of the issue, but we often learn that if we had done any one of a number of tasks differently, it could have been avoided.
Of course, I don’t work at Twitter. I don’t know the results of their root cause analysis and I can’t speak to all of the tasks they could have done differently to have avoided this incident. But I can tell you one factor that should be somewhere in the mix: their failure to prioritize internal communications security. To me, it’s an old familiar tune.
Apparently, it all started when hackers gained access to Twitter’s Slack channel and found the login credentials to an internal “masquerade” tool that lets Twitter employees send messages as any user on the platform. I would imagine a thorough retrospective might question the necessity of having such a tool, since, as a service, I’d think Twitter would want a pretty tight connection between the ability to authenticate to an account and the ability to tweet or message from the account. However, as an outsider, I’m not sure I can do that analysis justice.
But something jumped out at me when I read the story, clear as day: Twitter’s choice of an internal communication/messaging tool. That choice is often a hidden cost to a company, especially when it comes to security, since it’s difficult to measure issues that never happen. Here it’s pretty clear it was a factor in the incident. Lots of questions come to mind when we see how events unfolded. Maybe Slack isn’t the best place to store critical system passwords; password managers are a better choice. Maybe the security team doesn’t know its employees are using it to share passwords, or maybe they even have policies against password sharing (something Twitter might say). To which I’d say: maybe companies shouldn’t use a messaging service that perpetually stores every whimsical thought that passes through an employee’s mind on a third-party server in the cloud. Undoubtedly, chronically exposing data the company doesn’t really need to the ongoing risk of compromise does not make for the wisest security strategy in the world.
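One concrete way a security team can find out whether credentials are being shared in chat is to scan exported channel history for credential-shaped messages and redact the hits before they go into a report. This is an added example, not code from the original post or from Wickr; the export field names (ts, user, text) follow Slack’s standard export format, while the detection patterns and sample messages are constructed for illustration.

```python
import json
import re

# Heuristic patterns for credential-like chat text. Constructed for this example;
# tune the keyword list to your own environment. Group 2 is always the secret value.
PATTERNS = {
    # "password: x", "api_key = x", "the token is x"
    "keyword": re.compile(
        r"\b(password|passwd|pwd|api[_-]?key|secret|token)\b\s*(?:is|[:=])\s*(\S+)",
        re.IGNORECASE),
    # scheme://user:secret@host (credentials embedded in a URL)
    "url_userinfo": re.compile(
        r"\b[a-z][a-z0-9+.\-]*://([^\s/:@]+):([^\s/@]+)@", re.IGNORECASE),
}

def _mask(m):
    """Replace only the secret value (group 2) inside a match, keeping the label."""
    s = m.string
    return s[m.start(0):m.start(2)] + "[REDACTED]" + s[m.end(2):m.end(0)]

def scan_messages(messages):
    """Return one finding per (message, pattern) hit.

    `messages` is a list of dicts in Slack-export shape ({"ts", "user", "text"}).
    Each finding carries a redacted copy of the text so the report itself does not
    re-leak the secret; the analyst uses ts/user to locate the message and rotate it.
    """
    findings = []
    for msg in messages:
        text = msg.get("text", "")
        for kind, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.append({
                    "ts": msg.get("ts"),
                    "user": msg.get("user"),
                    "kind": kind,
                    "redacted_text": pattern.sub(_mask, text),
                })
    return findings

# Constructed sample export (not real Twitter or Slack data).
SAMPLE_EXPORT = json.loads("""[
 {"ts": "1594000001.000100", "user": "U01", "text": "deploy is green, lunch?"},
 {"ts": "1594000002.000200", "user": "U02", "text": "masq tool login: admin password: Hunter2!"},
 {"ts": "1594000003.000300", "user": "U03", "text": "use https://svc:s3cr3t@internal.example/api for the cron"},
 {"ts": "1594000004.000400", "user": "U01", "text": "I reset my password yesterday, all good"}
]""")

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_EXPORT):
        print(f["ts"], f["user"], f["kind"], f["redacted_text"])
```

The fourth sample message mentions a password without stating one, and is deliberately not flagged; the two findings are the ones to hand to the owners for rotation and a move into a password manager.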
The moral of the story: use the right tool for the job. Easy, right? Well, in all fairness, it wasn’t always easy. Not long ago, there weren’t a lot of communication/collaboration solutions that offered strong security, solid usability, and flexible integration options. The result was that companies were forced to weigh their priorities and sometimes that meant settling for “secure enough” to satisfy their more pressing feature needs.
Slack is the perfect example. When it emerged, it was a hit with the developer/techie class, who loved its usability features and integration capabilities. These just weren’t available in other SaaS messaging services, so management compromised. Fast forward a few years, and now it’s clear that for any kind of serious business, “secure enough,” really isn’t enough. Many have learned this the hard way. More and more are getting out ahead of this before it bites them. Security pros who have done their homework know that there are uncompromising secure messaging and collaboration tools out there today that have closed the gap on usability and features like integration and compliance, so it’s no longer an either/or proposition.
So, I say again – this incident and literally several years’ worth of similar ones should teach us that in any corporate information security plan, organizations should prioritize communications security. Hard incident response data from firms like Verizon tells us that corporate communication tools are a prime target for attackers and a real point of vulnerability. Maybe we all understand that in theory, but for whatever reason, when it comes to our communications, we either don’t think we’re saying anything important or think only a fraction of what we say is important enough to worry about. Maybe. Maybe that’s what the folks at Twitter said, too.
Chris Howell, co-founder and CTO of Wickr