I did not realize so much power given to one employee posed such a security risk.
Nearly a month after the Twitter fiasco in which Pres. Trump’s account blinked off for 11 minutes, we finally meet the man behind it: CNN had a video chat with the perpetrator, Bahtiyar Duysak, and that chat held some really interesting nuggets. They serve as a chilling reminder of how bestowed power, lack of hygiene and plain tiredness can bring down the best of them. But before we go there, here are some first-hand quotes to keep in mind:
“It could have happened to anyone. It was my last day, hectic day, tired, sometimes human beings make mistakes. I could not think that it would be so easy to deactivate it.” And to the interviewer’s question – as a contractor, not even an employee, did you ever think that you would have the “power” to deactivate the account of the President of the United States? – “No, I don’t think that I did. Not everyone should have access to such a high-profile account. Other people should decide about it. In order to prevent problems.”
#Wow. So let’s go back to the basics of security, because there are more than a few lessons to be learned from this.
1. Bestowed power
In this case, the ability to delete a high-profile account was granted to a contractor. How could that happen? It’s easy to cast aspersions and wax eloquent about best practices. Enough of that BS. Let’s be realistic. This can happen and does happen all the time. How so? For example, an employee goes on vacation and a contractor has to step in for a day – and changing the AD permission, or his role in some other authentication server, is the easiest way to do this. And the temporary escalation of privileges for the contractor is never revoked. Why? Because life is too hectic, there are way too many competing priorities, other things take precedence and this falls by the wayside. And so “privilege creep” happens. Over time, across many employees, this can be a humongous risk.
2. Lack of hygiene
This follows from the above. Let’s say that there is a starting blueprint indicating who has permission for what; people are assigned to their respective roles and everyone feels safe. Except that after a day, week, month, year – this is no longer the case. Roles have changed, new privileges have been accorded, etc. Just like we brush our teeth every morning and night to remove the bacteria and foreign particles that collected during the day or night, having a cleansing process to ferret out the excess privileges and rights that may have been accorded is essential. Without this, the best-laid plans will go to waste.
3. Plain tiredness
This has been called various names – some derogatory, like “stopping stupid.” But Bahtiyar’s candid admission is really the most common issue. Tiredness, stress, oversight – yet no compliance mandate or security best-practices talk addresses this. Why? Because it is a sign of weakness? That we are all humans and have the right to get tired – and make mistakes? #WakeUp. This epidemic is not going to go away anytime soon. With more capabilities being offered and people challenged to take advantage of them (I was at AWS re:Invent last week, and the number of new capabilities they just announced is mind-boggling), with legacy capabilities continuing to demand time and attention, and with people resources becoming scarcer, this human tiredness is only going to get worse. Which means having checks and balances in place – like the “secondary approval rule,” where any critical operation automatically demands a second person to approve – needs to become the norm.
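To make the three facets concrete, here is an added illustration (not code from the article or from Twitter) of a small access store: a temporary escalation that expires, a periodic hygiene review that flags expired grants and grants the blueprint never intended, and a two-person rule for critical operations such as deactivating an account. The principals, roles and blueprint are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed blueprint: who is supposed to hold which role (hypothetical names).
BLUEPRINT = {"alice": {"account_admin"}, "bob": set()}
# Operations that always demand a second, distinct approver.
CRITICAL_OPS = {"deactivate_account"}
T0 = datetime(2017, 11, 2, 9, 0)   # constructed reference time
HOUR = timedelta(hours=1)

@dataclass
class Grant:
    principal: str
    role: str
    expires: Optional[datetime]    # None = open-ended (how creep starts)
    reason: str

class AccessStore:
    def __init__(self, blueprint):
        self.grants = [Grant(p, r, None, "blueprint")
                       for p, roles in blueprint.items() for r in sorted(roles)]

    def grant(self, principal, role, reason, expires=None):
        """Ad-hoc escalation, e.g. a contractor covering for a colleague."""
        self.grants.append(Grant(principal, role, expires, reason))

    def effective_roles(self, principal, now):
        return {g.role for g in self.grants
                if g.principal == principal and (g.expires is None or g.expires > now)}

    def hygiene_review(self, blueprint, now):
        """Periodic clean-up: expired grants, plus grants outside the blueprint."""
        findings = []
        for g in self.grants:
            if g.expires is not None and g.expires <= now:
                findings.append(("expired", g))
            elif g.role not in blueprint.get(g.principal, set()):
                findings.append(("creep", g))
        return findings

    def revoke(self, findings):
        for _, g in findings:
            self.grants.remove(g)

def authorize(store, actor, op, required_role, now, second_approver=None):
    """Role check, plus the secondary approval rule for critical operations."""
    if required_role not in store.effective_roles(actor, now):
        return False, "actor lacks role"
    if op in CRITICAL_OPS:
        if second_approver is None or second_approver == actor:
            return False, "critical operation needs a second, distinct approver"
        if required_role not in store.effective_roles(second_approver, now):
            return False, "approver lacks role"
    return True, "ok"
```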
While ransomware, sophisticated social engineering attacks and IoT malware all grab the front page of major publications, and enterprises may even budget for them, it is time for enterprises to wake up to the more “clear and present danger.” I am not suggesting that the ambulance-chasing vendors shouting themselves hoarse about how they could have prevented the Twitter-like issue from happening should be given any attention at all.
On the contrary – look beyond the noise, see what Bahtiyar had to say firsthand, map that to what might be the situation in your enterprise across your infrastructure (including any cloud properties, as they are an extension of your infrastructure), and challenge yourself with the three facets of bestowed power, lack of hygiene and plain tiredness and how they may be true in your enterprise as well. And if so, what are you doing to expose this and take corrective action? But if you are already doing all this and feel secure, then it is also incumbent upon you to educate your peers about your journey, so they can follow suit and we can all feel safer today than we did yesterday.
This article is published as part of the IDG Contributor Network.