Twitter is many things to many people. For the majority of users, it is a place to discuss ideas with like-minded (or not so like-minded) individuals, gain insights into the news of the day, or simply to look at kitten memes.
For the global elite, however, Twitter plays a fundamental role in their information distribution strategy, and can have a tangible effect on their lives, business, and upcoming projects. The most direct example of this comes from Elon Musk, who tweeted that his company Tesla’s share price was too high, causing it to plummet by ten percent. While this was undoubtedly a tongue-in-cheek action by Musk, it is an indication of the importance Twitter holds for those in the higher ranks of society.
It is for this reason that this summer’s Twitter hack, which targeted some of these very people, including Musk himself, rapper Kanye West, Amazon’s Jeff Bezos, and even former president Barack Obama, is so concerning. This hack was originally framed as a ‘Bitcoin hack’ due to the public-facing Bitcoin scam it facilitated across these accounts, but many suspected this was hiding a more sophisticated attack.
Whatever the motivation of the hackers involved, it brings to the forefront something crucial, and chronically undiscussed: What responsibility do these celebrities, politicians, and titans of industry have for the security of their own social media feeds?
Trust and security for high-end Twitter users
Trust and security are a joint responsibility shared between technology platform providers and the individual end users engaging with the platform. This particular breach occurred via the Twitter corporate environment, but it is also fundamentally important to look at it from the perspective of the high-value end users who were targeted.
The “High-Value Targets” user community must stay security conscious around the clock. It is up to them to make decisions to protect themselves and limit their personal risk.
I wonder how many of the high-value individuals targeted in the Twitter breach are security conscious and actively make personal risk-based decisions every day: when signing up for new online and social media apps, when accessing those apps, and when sharing data through them. As High-Value Targets, they must understand their personal risk and take appropriate actions to reduce it to an acceptable level.
While a lot of these individuals undoubtedly have corporate PR and social media teams running their account day-to-day, the principle remains the same that they are high-value targets in the social media world, and ought to be treated as such.
Access and assurance
Determining who has access to accounts is of paramount importance. Monitoring, alerting, and reporting are also crucial: they tell you what you have, where it is, and what it is worth.
For instance, take the example of Barack Obama. Having access to his direct messages on Twitter is extremely valuable information in the hands of the right people: It could help to make public connections or plans that the former President wished to keep private. Knowing this helps to determine how to protect it.
Key industry best practices
Security is often, and unnecessarily, treated as an extremely complex beast. When considering the security of an application like Twitter, many of the actions to be taken fall under the umbrella of common sense. Some of these best practices include:
- Reduce the total number of devices and systems being managed. This streamlines the process of protecting them and limits, on a need-to-know basis, the number of people who have access to them. In addition, securely disposing of unused and old devices helps to ensure that nobody outside the organization gains access to accounts they should not have.
- Ensure two-factor authentication is applied on all apps, tools, and logins. This gives users a further line of defense: even if their password is compromised, a threat actor must still breach the second factor before gaining access to the account in question. That being said, setting strong and unique passwords, and keeping them safe and private, is equally important: passwords are imperfect but, unfortunately, remain a necessary evil for online accounts.
- Disable Bluetooth and GPS whenever possible. Left enabled, they can provide attackers with clues as to how to access an account, or reveal a geographical location that could inform an attack. It is also crucial to apply all updates and patches as they become available, as these often close known vulnerabilities that attackers could otherwise leverage.
- Enable monitoring and alerting for all social media and online accounts, which helps to surface unauthorized account access quickly. You should also require that all account changes be authorized via strong two-factor authentication.
These measures are fundamentals of security that everyone should be undertaking, but they are of particular importance for those with public-facing accounts. Failure to take any of these steps could lead to an even more serious scenario than the one faced by celebrities in July. It is better to exercise extreme caution and never need these protections than to fail to put them in place.