AP’s Twitter Hack: This Isn’t About Twitter’s Security Protocols, It’s About Yours

Let’s put it this way: social media and security don’t work together very well today. Marketing professionals who see social media as a vital communication channel view security as a nuisance, whereas Security pros view services like Facebook and Twitter as trivial pastimes that expose the business to enormous risk. The problem is, when it comes to social media, these two facets of the organization need to come to terms with each other – and this was clearly on display Tuesday when the Dow Jones briefly plummeted over 100 points due to false Tweets from AP’s hacked Twitter accounts that indicated President Obama had been injured by explosions at the White House.

This recent breach signifies two things: 1) the potentially damaging impact of social media is real and growing, and 2) companies today aren’t doing enough to mitigate the risks.

As social media becomes a legitimate source of news and information, the implications for inaccurate or inappropriate behavior continue to grow. Damaging or disparaging comments on Twitter (whether intended or not), can have a real impact on your business and the way customers view your company and brand. Companies need to do more to protect their organization from social media risk because:

  1. Twitter account hacks are now “business as usual” for the social network. It seems every week there is news of another Twitter account hack (see CBS 60 Minutes, Burger King, Jeep, not to mention Twitter’s own breach). Clearly, Twitter needs to do more to enhance its own security protocols -- two-factor authentication is sorely missing from the social network’s arsenal – but Twitter can’t take all the blame. Companies need to accept the existing limitations of the social network and reinforce their social media efforts with better security practices of their own.
  2. There are relatively easy ways to reduce the risk. The frequent Twitter account breaches also signify a larger trend of poor security behavior when it comes to social media. Easily discoverable passwords, shared accounts, minimal governance, and no security oversight are common reasons why recent social media hacks were successful. An effective spearphishing campaign opened the gates to the Associated Press Twitter account. These are relatively easy issues to fix, especially when you consider some of the much more complex security threats that exist today. They’re not completely solvable, but basic security protocols, such as using strong passwords, restricting access rights, and better awareness training would vastly improve your security posture.
  3. Security and risk pros avoid the conversation today. Still too often S&R pros seek reasons to block social media altogether at the company and do not try to join social media strategy discussion. As much as they would like to do this, completely blocking social media isn’t practical or effective (as I’ve pointed out before). Moreover, current security awareness efforts that can promote and educate the company on effective security behavior are insufficient and often seen by the security team as unimportant. In fact, according to our Forrsights Security Survey, security awareness initiatives fall towards the bottom on a long list of security priorities (10th on list of 15 possible initiatives).

Remember: This isn’t about Twitter; it’s about your own security and protecting your own company’s brand and reputation. The only way this can happen is if security and risk management become regular parts of the social media conversation, and conversely, when the security and risk management start to value social media as an important business tool with real benefits, and real consequences.


Can you trust those Tweets?

Nick, great post. Of course, the next security challenge is that if social media accounts are easily hacked, how do analysts trust the information posted? This puts a new spin on risk. Not only will hackers steel your information, they can harm your reputation by using your reputation to send false statements.

For big data analysis - does the adage of "good enough" still hold when you can't fact check the content?

This goes to show the need to build a tighter link between security and data, not just for access control but also for data governance/trust.

RE: Can you trust those Tweets?

Michele, you bring up some excellent points. The idea of trust in the context of social media is a very interesting one. How do you know that the information being posted is accurate or trustworthy?

In times of crisis, this becomes extremely important as people are increasingly using social media to communicate with loved ones and to find information that will keep them safe throughout the crisis, particularly as telecommunications and other traditional channels fail to operate. The problem is, much of the information posted may be inaccurate, or worse, intentionally fabricated (e.g. During Hurricane Sandy, there were images of sharks swimming through metro stations and huge tsunami waves hitting the statue of liberty -- all of which were fabricated). If interested, you can read more details in the Forrester report: "Seven BT Resiliency Lessons Learned From Superstorm Sandy."

I completely agree that more needs to be done to create a tighter link between security and data, and I'm sure you have some more ideas for how we can do this. Access control is a start, but further ways to build more trustworthy online identities and better data governance models will hopefully help.

both agree and disagree

Nick, I would agree with most of your post except your conclusion. While yes the end use is ultimately responsible for their own security, supplying inadequate security measures (UID/PW, Really?), especially after multiple incidents, is pretty much unacceptable.

This is analogous to the issue in retail banking.

Both parties cannot act as if the responsibility is solely the other party's. This does nothing but lead to millions in fraud or loss of credibility and millions spent on law suits, instead of fixing the issue.

Traditional credentials are wholly inadequate and if they are the sole form of authentication then the user is most likely DOA.

So like I said I agree mostly and like the post but supplying inadequate authentication methods because it is the easy route cannot be the norm and end users must take some responsibility for their security.

RE: both agree and disagree

Matt, I think we're actually in agreement here. I completely agree that Twitter needs to do more to support its users' security, and current Twitter account holders should not tolerate the status quo and should be demanding that the social network takes action, fast. But, a lot of the security practices of social media teams that are managing these accounts today are extremely lackluster to say the least.
Companies aren't going to stop using Twitter even with these account hacks becoming more commonplace, but they can do a lot more on their end to avoid them, and hopefully Twitter will follow suit soon as well.

Twitter 2FA is long overdue

I sure wish Twitter would hurry up and roll out 2 factor, not a panacea, but something I will sign up for immediately.

Risk Based Authentication can help avoid hacks of social media

I think social media should wake up and use Risk Based Authentication (along with 2FA) to protect its properties selectively. Google, Yahoo! and other 'legacy' web email providers have long been doing this or something similar: use context information of the login activity (IP address, device fingerprint, speed analysis, etc.) so see if the user is logging in from a coffee shop in Estonia from a brand new device at 1am on Sunday morning or they are just trying to use their company laptop during normal business hours. Creating a risk score based on the above, then prompting high-risk users only for two factor authentication or security questions is a great way to have your cake and eat it too: provide end user ease of use with a higher degree of security. We even have a Wave on Risk Based Authentication at http://www.forrester.com/The+Forrester+Wave+RiskBased+Authentication+Q1+... and a TechRadar on 2FA at http://www.forrester.com/A+Look+At+Forresters+TechRadar+Research+On+Stro...

Check these out!

User Responsibility

Security & Risk professionals *do* still avoid the problem and their default behaviour is one of block and ignore despite the fact the business is crying out to use the tools (social media or BYOD). Yet at the same time I see the same people adopt work arounds to security practices for convenience, shared admin logins is the most common example.

The key is getting the business engaged in the value/risk assessment for the need for security and compliance.