You’d think news of a breach is bad, and that’s the end of the story. However, Rafal Los, a security strategist with HP Software, sees things differently. Based on Twitter’s own statements, there’s a bit of an upside to the breach that targeted 250,000 accounts.
On Friday, Twitter joined The New York Times, The Washington Post, and The Wall Street Journal in announcing that it too had detected a “sophisticated” attack. According to the micro-blogging company, its investigation indicates that the attackers had limited access to usernames, email addresses, session tokens, and salted password hashes for up to 250,000 users.
Opting to err on the side of caution, Twitter reset the passwords on the impacted accounts and sent notifications to the users. Interestingly, Twitter also hinted that vulnerabilities in Java may have initiated this incident, suggesting that one of its own staff may have been targeted, with that person’s access then leveraged to attack the company further.
“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later,” Twitter said in a blog post.
“This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”
But there’s a slight upside to this story, a different angle. It centers on how Twitter described the chain of events: it detected unusual access patterns, discovered an active breach, mitigated it, and prevented further damage.
According to HP’s Los, “…there haven’t been many incidents where the organization breached came out and said that they were able to detect, respond and restore in a meaningful amount of time and more importantly limit the scope of damage.”
Given that most security professionals subscribe to the notion that it isn’t a matter of if they’ll be attacked but when, detection and mitigation are key points in their protection strategies.
“Your enterprise’s ability to detect an attack, respond meaningfully to both stop the attack and minimize its impact, and restore services to business-ready state should be your number one priority. The main reason for this is as Twitter security staff know full well, the determined attacker will be extremely sophisticated, extremely well resourced and likely will succeed,” Los wrote.
Thus, he adds, a more realistic approach to security is to move away from building moats around assets and to expand intelligence-gathering initiatives in order to detect, respond, and restore.
“Let’s face it, if we’re realistic about security we have to acknowledge that we won’t be able to perfectly protect everything of value (even the most critical assets) but we should strive to build intelligence platforms that directly give us actionable results to minimize the potential damage,” Los concluded.
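The detect-respond-restore loop Los describes, reduced to code as an added example (this is not Twitter’s detection logic or anything from HP, and the log lines, IP addresses, account IDs, window and threshold are all constructed for illustration): a single source that reads many distinct users’ account data inside a short window is the kind of “unusual access pattern” worth alerting on, and the output of the check is the list of accounts whose sessions and passwords need to be invalidated, which is the response Twitter took.

```python
"""Detect one source enumerating many accounts, then list containment actions.

Added example, not code from the original article or from Twitter/HP. The log
format, thresholds and all sample data below are assumptions made up for it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (invented, not real Twitter data).
# Fields: timestamp, source IP, account whose data was read, endpoint.
# 203.0.113.7 walks through six different accounts; the other sources
# only touch their own account.
SAMPLE_LOG = """\
2013-02-01T10:00:01 198.51.100.5 u2001 /account/settings
2013-02-01T10:00:03 203.0.113.7 u1001 /account/settings
2013-02-01T10:00:04 203.0.113.7 u1002 /account/settings
2013-02-01T10:00:04 198.51.100.5 u2001 /home
2013-02-01T10:00:05 203.0.113.7 u1003 /account/settings
2013-02-01T10:00:06 203.0.113.7 u1004 /account/settings
2013-02-01T10:00:08 203.0.113.7 u1005 /account/settings
2013-02-01T10:00:09 198.51.100.9 u2002 /account/settings
2013-02-01T10:05:00 203.0.113.7 u1006 /account/settings
"""

# Assumed tuning: five distinct accounts from one source within a minute.
WINDOW = timedelta(seconds=60)
DISTINCT_ACCOUNTS_THRESHOLD = 5


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, endpoint = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user, "endpoint": endpoint})
    return events


def detect_enumeration(events, window=WINDOW,
                       threshold=DISTINCT_ACCOUNTS_THRESHOLD):
    """Return {source_ip: sorted accounts it touched} for every source that
    read at least `threshold` distinct accounts inside any `window`."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["user"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                # Scope the response to every account this source touched,
                # not just the ones inside the window that tripped the alert.
                flagged[src] = sorted({e["user"] for e in evs})
                break
    return flagged


def containment_actions(flagged):
    """Turn a detection into the respond/restore steps an operator would run."""
    actions = []
    for src, users in sorted(flagged.items()):
        actions.append(f"block source {src}")
        for user in users:
            actions.append(f"revoke sessions and force password reset for {user}")
    return actions


if __name__ == "__main__":
    hits = detect_enumeration(parse_log(SAMPLE_LOG))
    for action in containment_actions(hits):
        print(action)
```

The point of scoping the reset to every account the flagged source touched, rather than only to the window that fired the alert, is the same caution Twitter showed in resetting all impacted accounts: the threshold decides when to believe the pattern, not how much of it to trust.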
In a statement, Paul Ayers, VP EMEA for Vormetric, said that these incidents, referring to the breach at Twitter as well as those at the three news organizations, prove that even when there is security in place, perimeters are permeable.
Offering a view separate from the one Los envisioned, Ayers said that layered defenses are required, “defenses that go from the perimeter network layers, right down to encrypting and controlling access to sensitive data at the file level.” “Organisations need to get their business done but also make sure that, should they be compromised, whatever data spied-on is useless gibberish to whomever happens to steal it,” he said.
“Barbarians are at the gate, and yes you need to maintain that gate (aka network perimeter security), but you need to protect what matters – focus protection as closely as possible around sensitive data itself.”