After the Twitter hack, organisations need to take physical social engineering seriously
By Neil Gibb on August 14, 2020

When we think of cyber-attacks, we often think of a skilled operation that targets an organisation’s network but attacks have become much more multi-layered.

The recent attack on Twitter saw attackers breach the social network’s safeguards and take control of several high-profile accounts, including those of Joe Biden and Elon Musk. Tweets containing bitcoin scam links were then sent from those accounts.

The depth that the attackers reached was staggering, and left Twitter scrambling to react by locking or restricting accounts and trying to figure out what went so wrong.

As the dust started to settle, it emerged that Twitter had fallen prey to a social engineering ploy.

In the context of cybersecurity, social engineering refers to a psychological tactic for obtaining access credentials from employees or contractors, rather than a technical brute-force attack.

With technical defences evolving and improving, such as two-factor authentication, it should come as little surprise that attack methods are evolving too.

In one of its post-attack updates, Twitter admitted that a social engineering operation targeted a number of its employees with a phone spear phishing attack. This entailed attackers targeting the social platform’s employees through their phones to cajole details from them.

The Twitter breach provides a simple but devastating example that other organisations should heed. Attackers were able to contact Twitter employees, posing as a colleague or contractor, and persuade them into handing over access information.

It’s brazen. Yet it is seemingly quite easy to exploit what Twitter called “human vulnerabilities”.

Ultimately, the culprits logged onto Twitter’s internal network with these employee credentials, which gave them access to the support tools that enabled them to take control of accounts like Elon Musk’s.

The harm was extensive. In total, 130 accounts were targeted and tweets sent from 45. The direct message inboxes of 36 accounts were accessed and the account data of seven accounts was downloaded.

A later news report would reveal that more than 1,000 Twitter employees had access to the internal control tools that could reach this information. Such broad privilege, coupled with the margin for human error, leaves a door wide open.

This all raises questions around the physical aspect of attacks and breaches. If something like last month’s attack can be pulled off on a major social network with more than 4,000 employees and more than 300 million monthly active users, it can happen to any organisation.

On-site protection

Physical social engineering is a whole other threat that organisations need to be wary of.

For good reason, companies put a lot of stock in protecting their data and cloud systems. Now it’s time to start thinking about threats from inside the walls.

Protection from physical attack refers to how well protected an organisation is on-site. It is a threat that forces organisations to evaluate access credentials among staff, who has access to what documents, and what the protocols are for external access to internal systems.

While an attacker might try to physically spoof their way into an organisation to carry out an attack, employees on the premises going rogue or sharing their credentials are just as much of a threat to an organisation.

In the age of working from home, which appears set to continue for the foreseeable future, organisations will need to carry out an extensive review of how their internal systems are accessed externally.

Physical assessments

Physical social engineering assessments are another necessary precaution that companies will need to take. The assessment will typically involve carrying out a number of psychological and social engineering tests on a company in an attempt to breach its perimeter and access sensitive data.

The assessment will highlight holes in defences and processes, what needs to be plugged, and which day-to-day policies and habits need to change. These include workstations or open files left unattended for any length of time.

Physical social engineering assessments are still a relatively new thing for many organisations and cybersecurity firms alike.

They haven’t gained much traction outside of the US, but the Twitter incident is a stark reminder that physical security and social engineering cannot be ignored. A dual approach of cyber and physical security is crucial to stay safe.

If you’re considering a physical social engineering assessment for your business and would like to discuss what would be involved, please get in contact. We have a specialist team who would be happy to discuss your operation and offer guidance in line with your business needs.