Twitter beefs up security for internal tools from potential misuse
To further secure its internal tools from potential misuse after the massive crypto hack in July, Twitter has rolled out phishing-resistant security keys, requiring its team to use them when authenticating to systems around the world.
The move, the company said, is to help reduce the risk of an unauthorised third-party gaining access to Twitter internal systems using compromised employee credentials.
The July 15 hack resulted in Twitter profiles for celebrities, executives and public figures sending out tweets advertising a bitcoin scam.
Twitter then admitted that the hackers “targeted a small number of employees through a phone spear phishing attack,” that “relies on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”
The micro-blogging platform said this week that it has beefed up its access management processes and authentication systems.
“To further secure our internal tools from potential misuse, we have been strengthening the rigorous checks that team members with access must undergo. This also helps reduce the potential for an unauthorised person to get access to our systems,” Twitter CTO Parag Agrawal said.
He said that internal detection and monitoring tools “are constantly being improved, even since the July incident, to include things like expanding our detection and response efforts to include suspicious authentication and access activity”.
In addition to requiring security and privacy and data pProtection training for all newly hired Twitter employees, the company has introduced new courses and increased the frequency and availability of existing courses for all employees.
“For example, we introduced two new mandatory training sessions for people who have access to non-public information. These trainings make clear the dos and don’ts when accessing this information and ensure employees understand how to protect themselves when they are online so they can better avoid becoming phishing targets for attackers,” Agrawal explained.
By targeting specific Twitter employees in July, the hackers were able to gain access to internal Twitter tools and targeted 130 Twitter accounts, tweeted from 45 of them, accessed the DMs of 36 accounts, and downloaded the Twitter data of seven.
In addition to existing security training courses, Twitter said it has also enhanced training content on secure coding, threat modeling, privacy impact assessments, and privacy by design.
“We are continuing to invest more in the teams, technology, and resources to support this critical work,” it added.