If you’re CEO of one of the most influential destinations on the Internet, the last thing in the world you want to do is tweet out an abject apology to your nearly 200 million customers: “Tough day for us at Twitter. We all feel terrible this happened.”
And yet that’s exactly what happened in July 2020, when intruders took over Twitter’s internal network to run a Bitcoin scam. What probably made Twitter CEO Jack Dorsey feel even more terrible is the knowledge that the data breach, which compromised some of its most prominent accounts (Barack Obama and Elon Musk, to name just two high-profile victims), was caused by an unsuspecting employee who fell for a garden-variety social engineering attack.
It might be cold comfort for @jack (his distinctive Twitter handle) to know that his company’s not alone, and that human error is the cause of 23% of data breaches, according to a 2020 IBM report that analyzed more than 500 security incidents.
We humans are, after all, only human, which means we’re capable of being momentarily distracted or tired or poorly trained or, sometimes, just plain lazy. Humans in charge of online infrastructure can postpone installing critical software updates, or misconfigure an online database, or surrender their credentials to a phishing attack. The results of these unforced errors can be catastrophic. IBM estimates that the average total cost of a data breach is nearly $4 million, and that figure can skyrocket in sensitive industries such as healthcare.
The impact of human error is multiplied in an environment where an outside attacker can impersonate a trusted insider to gain essentially unlimited access to internal data.
One of the most devastating data breaches in recent years was the 2017 attack on the giant credit-reporting agency, Equifax. Thieves who broke into the Equifax network were able to steal private data belonging to some 143 million Americans, including sensitive information like Social Security numbers that can make identity theft all too easy.
What happened at Equifax was a cascade of human errors. Engineers initially ignored an urgent security warning from the U.S. Government’s Computer Emergency Readiness Team (US-CERT) and then failed to detect the presence of the vulnerable Apache Struts software package in a later scan. Attackers had access to the compromised network for months and were able to exfiltrate massive amounts of data.
Ultimately, CEO Richard Smith resigned and delivered a public apology in testimony before a Congressional committee. More importantly, Equifax adopted some zero trust techniques, including tighter access controls on data housed within critical databases, segmentation of networks to prevent unverified access to backend data stores, and increased logging. Had those techniques been in place initially, it’s likely that the attack could have been blocked or mitigated.
The Equifax attack pales in comparison to this year’s Solar Winds breach, which redefines our understanding of how massive a security failure can be. Solar Winds management software is widely used on corporate and government networks, including those of Microsoft and Cisco, as well as the United States Department of Homeland Security.
An intern had configured the company’s update server using the incredibly weak password “solarwinds123” and then stored that password on their publicly accessible Github page. A security researcher reported the flaw to Solar Winds, but no one took the report seriously. As a result, outsiders were able to insert a backdoor into a legitimate Solar Winds update, which was then deployed throughout its customer base. Victims are still trying to wrap their arms around the scope of the breach.
Don’t blame that intern, though. Even the most basic zero trust principles should have blocked this attack. The fact that outside attackers from unknown locations, using unverified devices, were able to use leaked credentials to compromise some of the most sensitive networks on the planet is the real failure here.
And then there’s the infamous Twitter hack, which occurred in July 2017. The perpetrators convinced tech support personnel at Twitter to visit a compromised website and enter their credentials as well as multi-factor authentication codes, which they then used to access the company’s internal network.
As a former Twitter employee told WIRED Magazine, “There was a systems-level failure. The whole thing should not have happened. The issue isn’t that someone got phished; it’s that once they got phished, the company should have had the right systems in place.”
Since the attack, Twitter has accelerated its security efforts, deploying some zero trust techniques that had been rolling out slowly. The company has dramatically tightened security on its infrastructure, mandating the use of physical authentication devices and segmenting its network to restrict access to critical tools.
If you look at all three of these examples, and indeed at almost every security breach affecting companies large and small, there’s a common thread: Enforcing zero trust access would have blocked or seriously mitigated the impact of most of those attacks.
For example, requiring a trusted device and a physical hardware key for authentication minimizes the danger of stolen or leaked credentials. Outside attackers who try to sign on using those credentials will fail, because they can’t provide hardware-based proof of identity.
Similarly, segmenting networks and requiring additional verification for access can prevent damage when an attacker gains access to a low-trust portion of a corporate or government network and then tries to move laterally across the network.
And, of course, increased logging and reporting of network access can help security professionals identify a possible intrusion before the attackers are able to gain a foothold.
As long as humans run networks, human error will be inevitable, but those missteps don’t have to result in serious damage. Implementing procedures and protocols that take a holistic view of security, including zero trust access, can make a world of difference. And maybe, just maybe, they can keep your CEO from having to deliver a painful apology.