There has been a certain amount of excitement in the news media, as someone purportedly associated with ISIS has taken over and defaced US Central Command’s Twitter account. The juxtaposition with recent US government pronouncements on cyber security is obvious: Central Command’s Twitter Account Hacked…As Obama Speaks on Cybersecurity.
The Twitter account for U.S. Central Command was suspended Monday after it was hacked by ISIS sympathizers — but no classified information was obtained and no military networks were compromised, defense officials said.
To an IT professional, even without specific security background, it is pretty obvious that there is a huge difference between defacing a Twitter profile and accessing “classified information” or “military networks”.
However, there is a real problem here. IT professionals also have a blind spot: they don’t think of things like Twitter accounts when they are securing IT infrastructure. This oversight can expose organisations to serious problems.
One way this can happen is credential re-use and leaking in general. Well-run organisations will use secure password-sharing services such as LastPass, but without IT guidance, teams might instead opt for storing credentials in a spreadsheet, as we now know happened at Sony. If someone got their hands on even one set of credentials, what other services might they be able to unlock?
The wider issue is the notion of perimeter defence. IT security to date has been all about securing the perimeter – firewalls, DMZs, NAT, and so on. Today, though, what is the perimeter? End-user services like Dropbox, iCloud, or Google Docs, as well as multi-tier enterprise applications that run at least partly in the public cloud, span back and forth across the firewall, with data stored and code executed both locally and remotely.
I don’t mean to pick on Sony in particular – they are just the most recent victims, and I am sure that their IT department is having no fun at all right now – but their experience has shown once and for all that focusing only on the perimeter is no longer sufficient. The walls are porous enough that it is no longer possible to assume that bad guys are only outside. Systems and procedures are needed to detect anomalous activity inside the network, and once that occurs, to handle it rapidly and effectively. Further, security needs to take business operational needs into account. Sometimes you really do need do reboot a production system right now, but other times a small amount of planning and communication can help everyone achieve their goals without disruption.
This sort of integrated, proactive management of security cannot happen if IT is still operating as “the department of NO,” reflexively refusing user requests out of fear or potential consequences. If the IT department tries to ban everything, users will figure out a way to go around the restrictions to achieve their goals. This is how “shadow IT” happens: in the absence of an officially sanctioned corporate solution for file sharing, collaboration, application development and testing, or whatever other task, users figure out their own approaches. The risk then is that these users, who do not have an IT operational or security background, may inadvertently make choices which put the entire organisation and even its customers at risk. Instead of shutting them down, IT needs to engage with those users and find creative, novel ways to deliver on their requirements without compromising on their mandate to protect the organisation.
While corporate IT cannot be held responsible for the security of services such as Twitter, they can and should advise social-media teams and end-users in general on how to protect all of their services, inside and outside the perimeter.