Last week Twitter announced that it had been the victim of a hack, that resulted in 250,000 users having their details compromised. Pretty big news. The password details were at least salted, but a 1/4 of a million records is a damaging amount of data to lose. Twitter responded by resetting the passwords of those impacted and revoking session tokens.
Not A Case Of If, But When
The attack again goes to highlight, that cyber attack activity is omnipresent. Regardless of how large the organisational defense mechanism (and you could argue, that the larger the beast, the more prized the kill, but more on that later), it is fair to say that you will be hacked at some point. A remote attacker only needs to be successful once. Just once, out of the thousands of blocked, tracked and identified attacks that occur every hour. Certainly if you're a CISO or infosec manager at a 'large' organisation (regardless of whether it's actively a web service company or not), from a risk and expectations management perspective, it will be beneficial for the organisations long term defense planning, to assume an attack will happen, if it already hasn't. This can help to focus resource on remediation and cleanup activities, to minimize an attack impact from both a data loss angle and also a public relations and brand damage perspective.
Target Definition - If You're Popular, Watch Out
How do you know if you'll be a target? I've talked extensively over the last few months regarding cyber attacks from both an organisational and consumer perspective and the simple start to that series of articles, was that "...any device that connects to the internet is now a potential target..". Quite a basic statement but ultimately far reaching. The 'success' of many cyber attacks is generally being driven by the complexity of how the attack has developed. It is no longer good enough to simply identify a bug on an un-patched system. As good as hackers are, anti-virus, intrusion prevention systems, client and perimeter firewalls, application white listing and kernel level security provide a strong resistance to most basic attacks. Twitter themselves acknowledged that the attack on them "..was not the work of amateurs.." and that they "..do not believe it was an isolated incident.."
The complexity of the Twitter attack, would make you think that the 250,000 accounts that were compromised where not targeted directly, and more would have been lifted if the attack was not stopped. It seems the main driver is simply the fact that Twitter is a massively popular site, with headline grabbing strength. Why are Windows XP and Android malware infections so high? Regardless of underlying technical flaws, it's simply because they are well used. A cyber attack will always gravitate to the path of least resistance, or at least greatest exploit-ability, which will always come from the sheer volume of exposure. Be that number of potential machines to infect, or number of users to expose.
Response & Handling
The underlying technical details of the Twitter attack are yet to be understood, so it's difficult to provide a rational assessment on how well the response was handled. If you separate the attack detection component for a second, the response was to reset passwords (thus rendering the captured password data, worthless), notify those impacted via email and revoke user tokens (albeit not for clients using the OAuth protocol). All pretty standard stuff. From a PR perspective the Twitter blog posted the basic details. I think the public relations aspect is again probably the area that many organisations seem to neglect in times of crisis. This is fairly understandable, but organisations the size of Twitter must realize that they will make significant waves in the headline news and this needs to be managed from a technical, community and media relations perspective.