The power of a single insider – lessons from Twitter

A recent Twitter incident should be a great reminder for others on how one single person inside your organization can cause a significant incident with a lot of public exposure.


On Thursday, November 2, we read about how President Trump’s Twitter account mysteriously deleted itself… only to return after a very brief eleven-minute disappearance. Twitter initially stated that the issue was a technical one, but after investigation the company announced later in the evening that the account was deleted by a “customer support employee” who was working their last day. I guess that’s one way to go out with a bang.

With that in mind, I wondered if there was a lesson for us as security professionals. Just how much damage could a single person in an organization do on their last day? Sure, something as minor as deleting a Twitter account isn’t going to do much damage in the long term – other than to reputation – but what if that employee had significantly more privileges in their organization?

It’s important to understand where the single points of failure are inside your own environment, especially around assets like production servers, payment processing, core databases, and customer-facing web properties. Do you know how quickly you could recover if a malicious or mischievous insider on their last day decided to start flipping switches, defacing web copy, or rm -rf’ing disks?

We’ve long talked about rotation of duties in the world of IT and security, but in practice, how often do we actually do it? Probably not as often as we should. Do you have good documentation, including hard-copy backups, of how your infrastructure has been architected and deployed? If not, it might be time to dust off your copy of Visio and start mapping things out. Do you have tools in place to monitor the administrative actions of your most privileged users, and to raise the alarm when an account that is about to be disabled starts doing something irreversible? Could you detect an employee walking out the door with a thumb drive full of internal data?
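As an added example of the kind of monitoring the previous paragraph asks about (this is illustrative code written for this page, not a tool Twitter or the author used), the following script scans sudo entries in the syslog format found in /var/log/auth.log, flags destructive commands, and escalates anything run by an account on a departing-users list. The log lines and the `DEPARTING_USERS` set are constructed for the demonstration; in practice that list would come from your HR or identity-management feed, and the destructive-command patterns would be tuned to your own environment.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the syslog format sudo writes to /var/log/auth.log.
# These are not real log entries.
SAMPLE_LOG = """\
Nov  2 19:02:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Nov  2 19:03:40 web01 sshd[2214]: Accepted publickey for bob from 10.0.4.17 port 51022 ssh2
Nov  2 19:04:53 web01 sudo:      bob : TTY=pts/1 ; PWD=/srv/www ; USER=root ; COMMAND=/bin/rm -rf /srv/www/htdocs
Nov  2 19:05:10 db01 sudo:      bob : TTY=pts/0 ; PWD=/root ; USER=postgres ; COMMAND=/usr/bin/psql -c DROP DATABASE customers
Nov  2 19:06:02 web02 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/dd if=/dev/zero of=/dev/sda bs=1M
Nov  2 19:07:15 web01 sudo:      bob : TTY=pts/1 ; PWD=/srv/www ; USER=root ; COMMAND=/bin/cat /etc/nginx/nginx.conf
"""

# Accounts whose access is scheduled to end (assumed input; normally fed from HR/IdM).
DEPARTING_USERS = {"bob"}

# One sudo event per line: timestamp, host, invoking user, then " ; "-separated fields.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<fields>.+)$"
)

# Commands that are hard or impossible to undo. Extend for your own estate.
DESTRUCTIVE = [
    (re.compile(r"\brm\s+-\w*r\w*"), "recursive delete"),
    (re.compile(r"\bmkfs(\.\w+)?\b"), "filesystem format"),
    (re.compile(r"\bdd\b.*\bof=/dev/"), "raw disk write"),
    (re.compile(r"\b(shutdown|poweroff|halt)\b"), "host shutdown"),
    (re.compile(r"\bdrop\s+(database|table)\b", re.IGNORECASE), "database drop"),
    (re.compile(r"\buserdel\b"), "account deletion"),
]


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    command: str
    severity: str
    reason: str


def parse_sudo_line(line):
    """Return a dict for a sudo event, or None for any other log line."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    fields = {}
    for kv in m.group("fields").split(" ; "):
        key, _, value = kv.partition("=")
        fields[key] = value
    if "COMMAND" not in fields:  # COMMAND is always the last field sudo writes
        return None
    return {"ts": m.group("ts"), "host": m.group("host"), "user": m.group("user"),
            "target": fields.get("USER", "?"), "command": fields["COMMAND"]}


def classify(command):
    """Label a command as destructive, or None if no pattern matches."""
    for pattern, label in DESTRUCTIVE:
        if pattern.search(command):
            return label
    return None


def scan(log_text, departing=DEPARTING_USERS):
    """Produce findings: destructive commands, and any sudo use by a departing account."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        label = classify(ev["command"])
        leaving = ev["user"] in departing
        if label and leaving:
            sev, reason = "critical", f"{label} by departing user"
        elif label:
            sev, reason = "high", label
        elif leaving:
            sev, reason = "medium", "privileged command by departing user"
        else:
            continue
        findings.append(Finding(ev["ts"], ev["host"], ev["user"], ev["command"], sev, reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.ts} {f.host} {f.user}: {f.reason} -> {f.command}")
```

Run against the constructed log, the script reports bob's recursive delete and DROP DATABASE as critical, carol's raw disk write as high, and bob's otherwise harmless `cat` as medium, while alice's service restart produces nothing. The point of the departing-users cross-reference is that the same command means something different on someone's last day; feeding this into your SIEM rather than a script is the obvious next step.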

Perhaps Twitter could institute a new policy requiring at least two people to press the “delete account” button in the future? While that might not stop a pair of insiders from colluding, it would take the lone-wolf actor out of the equation. Getting your team together and doing a tabletop exercise to talk through how you might respond to a similar event might just uncover a hole or two you didn’t realize you had.
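The two-people-to-press-the-button idea is the classic two-person rule. As an added example (written for this page; nothing here describes how Twitter's tooling actually works), the class below gates an irreversible action behind a minimum number of distinct, authorised people: the requester counts as one, cannot approve their own request, cannot be counted twice, the approvals expire, and a completed request cannot be replayed. The account directory, user names and `delete_account` action in `demo()` are constructed for the demonstration.

```python
import time
from dataclasses import dataclass, field


class DualControlError(Exception):
    """Raised when a request, approval or execution violates the two-person rule."""


@dataclass
class PendingAction:
    action: str
    target: str
    requested_by: str
    created: float
    approvers: set = field(default_factory=set)

    def participants(self):
        # Everyone who has put their name to this action, requester included.
        return {self.requested_by} | self.approvers


class DualControl:
    """Gate an irreversible action behind `min_people` distinct, authorised humans."""

    def __init__(self, authorized, min_people=2, ttl_seconds=900):
        self.authorized = set(authorized)  # who may request, approve or execute at all
        self.min_people = min_people
        self.ttl = ttl_seconds             # stale approvals cannot be cashed in later
        self.pending = {}
        self.audit = []                    # append-only (event, request id, actor) trail
        self._next_id = 1

    def _check_actor(self, actor):
        if actor not in self.authorized:
            raise DualControlError(f"{actor} is not authorised for dual-control actions")

    def _get(self, rid, now):
        p = self.pending.get(rid)
        if p is None:
            raise DualControlError(f"request {rid} does not exist or was already consumed")
        if now - p.created > self.ttl:
            del self.pending[rid]
            self.audit.append(("expired", rid, None))
            raise DualControlError(f"request {rid} expired")
        return p

    def request(self, actor, action, target, now=None):
        self._check_actor(actor)
        rid, self._next_id = self._next_id, self._next_id + 1
        created = now if now is not None else time.time()
        self.pending[rid] = PendingAction(action, target, actor, created)
        self.audit.append(("request", rid, actor))
        return rid

    def approve(self, rid, approver, now=None):
        """Record one approval; returns True once enough distinct people are on record."""
        now = now if now is not None else time.time()
        self._check_actor(approver)
        p = self._get(rid, now)
        if approver == p.requested_by:
            raise DualControlError("a requester cannot approve their own request")
        if approver in p.approvers:
            raise DualControlError(f"{approver} already approved request {rid}")
        p.approvers.add(approver)
        self.audit.append(("approve", rid, approver))
        return len(p.participants()) >= self.min_people

    def execute(self, rid, executor, perform, now=None):
        """Run `perform(action, target)` only if the threshold is met; one-shot."""
        now = now if now is not None else time.time()
        self._check_actor(executor)
        p = self._get(rid, now)
        have = len(p.participants())
        if have < self.min_people:
            raise DualControlError(f"request {rid} has {have} of {self.min_people} required people")
        result = perform(p.action, p.target)
        del self.pending[rid]  # approvals cannot be replayed for a second execution
        self.audit.append(("execute", rid, executor))
        return result


def demo():
    """A lone insider's attempt on a constructed directory, then a proper two-person delete."""
    directory = {"@example_user": "active"}

    def perform(action, target):
        if action != "delete_account":
            raise ValueError(action)
        directory[target] = "deleted"
        return True

    dc = DualControl(authorized={"alice", "bob"}, min_people=2, ttl_seconds=600)
    rid = dc.request("bob", "delete_account", "@example_user", now=1000.0)
    blocked = []
    for attempt in (lambda: dc.approve(rid, "bob", now=1001.0),      # self-approval
                    lambda: dc.execute(rid, "bob", perform, now=1002.0)):  # premature execute
        try:
            attempt()
        except DualControlError as e:
            blocked.append(str(e))
    assert directory["@example_user"] == "active"  # bob alone could not delete it
    dc.approve(rid, "alice", now=1003.0)
    dc.execute(rid, "bob", perform, now=1004.0)
    return directory, blocked, dc.audit


if __name__ == "__main__":
    directory, blocked, audit = demo()
    print(directory, blocked, audit, sep="\n")
```

The audit trail records who requested, who approved and who executed, which is the other half of the control: the two-person rule raises the cost of a lone actor, and the trail makes collusion attributable after the fact. Note that the rule is only as strong as the `authorized` set and whatever protects it; if one person can add themselves and a second identity to that set, the control is gone.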

This article is published as part of the IDG Contributor Network.