With Twitter making headline news, questions are now being asked about how a tech savvy company that prides itself on impeccable security controls can be the latest to be hacked by scammers. What can we all learn from this?
On Wednesday evening, Bitcoin scammers took over the verified accounts of various prominent US figures, from Bill Gates to Barack Obama to Elon Musk. From there, they started posting spam messages requesting donations in the cryptocurrency.
Twitter claimed on its support account that hackers gained control of the verified accounts, via “what we believe to be a co-ordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools”.
In cases such as these, the reputational damage to a company is far-reaching and can change the way your customers, and even prospective customers, see you as a business.
The takeaway for you? Make sure you have a compliance team that regularly carries out internal audits of security systems and access rights, so you can minimise the risk your company is exposed to.
Here are a few practical steps for reducing the risk of a security breach:
Roll out social engineering awareness training
For an attacker, an insider's credentials or access are the key to your business. Phishing attacks invite users to click on links that lead to pages asking for account details, so that cyber criminals can log in to privileged accounts with the details they harvest. Social engineering often extends to out-of-band communication: users may also be contacted via social media or by telephone, and the Twitter incident is a reminder that a convincing phone call can be as effective as an e-mail. Training and awareness are vital to help staff recognise malicious behaviour and to make reporting it normal rather than embarrassing.
Review access rights to systems
By limiting access rights to the users who need them, you reduce the risk and limit the scope of a compromise: an attacker who phishes one employee only gets what that employee could do. The user access management controls in ISO 27001 (Annex A.9, access control, in the 2013 edition) offer good guidance for housekeeping. They cover user registration and de-registration, user access provisioning, management of privileged access rights, regular review of user access rights, removal or adjustment of access rights when people change role or leave, management of users' secret authentication information (passwords and tokens), information access restriction and secure log-on procedures. As well as following the ISO 27001 guidance, make sure you restrict the use of privileged utility programs that could override system and application controls, since these are exactly the "internal tools" an attacker wants.
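The access review described above, as an added example (not Node4's code or process): a script that takes an export of accounts and group memberships and flags the three things a periodic review exists to catch, privileged memberships nobody approved, dormant accounts that still hold privilege, and leavers whose accounts were never removed. The account list, the group names and the approval list are constructed sample data standing in for an IdP or Active Directory export.

```python
"""Periodic access-rights review over a constructed account export.

Added example, not Node4 code. ACCOUNTS and APPROVED are made-up sample
data; in practice they would come from your directory and from the
business owners who sign off on each privileged group.
"""
from datetime import date, timedelta

# Constructed sample export: one row per account, groups flattened.
ACCOUNTS = [
    {"user": "alice", "groups": {"staff", "support-tools-admin"},
     "last_login": date(2020, 7, 14), "employed": True},
    {"user": "bob", "groups": {"staff"},
     "last_login": date(2020, 7, 10), "employed": True},
    {"user": "carol", "groups": {"staff", "support-tools-admin"},
     "last_login": date(2020, 2, 1), "employed": True},
    {"user": "dave", "groups": {"staff", "domain-admins"},
     "last_login": date(2020, 7, 13), "employed": True},
    {"user": "erin", "groups": {"staff", "support-tools-admin"},
     "last_login": date(2020, 6, 30), "employed": False},
    {"user": "svc-backup", "groups": {"domain-admins"},
     "last_login": None, "employed": True},
]

# Privileged groups and the users the business has approved for each.
# Any group not listed here is treated as non-privileged.
APPROVED = {
    "support-tools-admin": {"alice", "carol"},
    "domain-admins": {"svc-backup"},
}

DORMANT_AFTER = timedelta(days=90)


def review_access(accounts, approved, today, dormant_after=DORMANT_AFTER):
    """Return a list of (finding, user, detail) tuples for follow-up.

    finding is one of:
      leaver-retains-access  - account belongs to someone no longer employed
      unapproved-privilege   - member of a privileged group without approval
      dormant-account        - no log-on within dormant_after
      no-login-record        - privileged account with no recorded log-on
    """
    findings = []
    privileged_groups = set(approved)
    for acct in accounts:
        user = acct["user"]
        priv = sorted(acct["groups"] & privileged_groups)

        if not acct["employed"]:
            # A leaver's account should have been removed on exit (ISO 27001
            # A.9.2.6); everything it still holds is a finding.
            findings.append(("leaver-retains-access", user, sorted(acct["groups"])))
            continue

        for group in priv:
            if user not in approved[group]:
                findings.append(("unapproved-privilege", user, group))

        last = acct["last_login"]
        if last is None:
            # Service accounts often have no interactive log-on; still worth
            # a reviewer's eye if they hold privilege.
            if priv:
                findings.append(("no-login-record", user, priv))
        elif today - last > dormant_after:
            findings.append(("dormant-account", user, priv))
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, APPROVED, date(2020, 7, 16)):
        print(*finding)
```

Run it against the sample data and four findings come out: carol's admin membership is approved but she has not logged on in months, dave is in domain-admins without approval, erin has left but still has an enabled account, and the backup service account holds domain admin with no log-on record. Each is a ticket for the system owner, and the script is cheap enough to run weekly rather than once a year.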
Raise a security incident if you detect a breach
Whether it's an attempted or a successful breach of log-on controls, make sure you report it to your IT and/or security team straight away. That way they can deal with it as swiftly as possible and minimise the impact; a phishing e-mail reported within minutes can be blocked before the next recipient clicks it.
Have good password management controls
There is a range of password controls you can implement, including:
- individual user IDs and passwords, so that every action is attributable to one person
- a forced change of password at first log-on
- regular password changes (note that current guidance such as NIST SP 800-63B favours changing passwords when there is evidence of compromise rather than on a fixed schedule, and screening new passwords against known-breached lists)
- keeping records of previously used passwords to prevent re-use
- not allowing passwords to be displayed on the screen when being entered
- storing password files separately from application system data
- storing and transmitting passwords in protected form, never in the clear
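Several of the controls in that list interact, and the interaction is where implementations go wrong: if passwords are stored in protected form, the re-use check cannot simply compare plaintexts. The following is an added example (not Node4's code or product) showing how first-log-on change, salted and stretched storage, and a re-use history fit together. The in-memory store, the `PasswordStore` class and its method names are assumptions for the illustration; PBKDF2-HMAC-SHA256 from the standard library is used because it needs no extra packages, and a modern memory-hard function such as Argon2id would be the usual choice in production.

```python
"""Password controls in code: protected storage plus a re-use history.

Added example, not Node4 code. The in-memory dict stands in for a
password database held apart from application data.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)
HISTORY = 5            # current password plus the previous four
MIN_LENGTH = 12
SALT_BYTES = 16


def _hash(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PasswordStore:
    def __init__(self, history=HISTORY, iterations=ITERATIONS):
        self.history = history
        self.iterations = iterations
        # user -> {"current": (salt, digest), "previous": [(salt, digest), ...],
        #          "must_change": bool}
        self._records = {}

    def set_initial(self, user, temp_password):
        """Provision a temporary password that must be changed at first log-on."""
        salt = os.urandom(SALT_BYTES)
        self._records[user] = {
            "current": (salt, _hash(temp_password, salt, self.iterations)),
            "previous": [],
            "must_change": True,
        }

    def must_change(self, user):
        return self._records[user]["must_change"]

    def verify(self, user, password):
        rec = self._records.get(user)
        if rec is None:
            # Pay the same hashing cost for unknown users so response time
            # does not reveal which user IDs exist.
            _hash(password, b"\x00" * SALT_BYTES, self.iterations)
            return False
        salt, digest = rec["current"]
        return hmac.compare_digest(_hash(password, salt, self.iterations), digest)

    def change(self, user, old_password, new_password):
        """Rotate the password; returns 'ok' or a reason the change was refused."""
        if not self.verify(user, old_password):
            return "bad-credentials"
        if len(new_password) < MIN_LENGTH:
            return "too-short"
        rec = self._records[user]
        # Re-use check: every stored entry has its own salt, so the candidate
        # is re-hashed under each salt and compared in constant time. Plain
        # digest equality would only work if salts were reused, which they
        # must not be.
        for salt, digest in [rec["current"]] + rec["previous"]:
            if hmac.compare_digest(_hash(new_password, salt, self.iterations), digest):
                return "reused"
        # Push the old current into history, trimmed to the retention window.
        rec["previous"] = ([rec["current"]] + rec["previous"])[: self.history - 1]
        salt = os.urandom(SALT_BYTES)
        rec["current"] = (salt, _hash(new_password, salt, self.iterations))
        rec["must_change"] = False
        return "ok"


if __name__ == "__main__":
    store = PasswordStore()
    store.set_initial("alice", "Temp-Password-01")
    print(store.change("alice", "Temp-Password-01", "Temp-Password-01"))  # reused
    print(store.change("alice", "Temp-Password-01", "NewPassw0rd-One!"))  # ok
    print(store.must_change("alice"))                                      # False
```

Two design points are worth calling out. The history check costs one full hash per retained entry, which is the price of never keeping a reversible form of old passwords; keep the window short rather than weakening the hash. And the unknown-user path in `verify` still performs a hash so that an attacker probing for valid user IDs cannot distinguish them by timing, a detail that is easy to lose when the code is refactored.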
Our expert Node4 SOC (Security Operations Centre) team is on hand to advise. Should you have any concerns relating to cyber threats, social engineering or phishing scams, then please get in touch.