Twitter said today it has been working over the past months to bolster its internal security by requiring staff to go through additional security training, running penetration tests, and deploying hardware security keys to all employees.
The measures announced today are part of Twitter's efforts to prevent a repeat of the July 2020 hack ahead of the US presidential election later this fall.
In July this year, hackers phished Twitter staffers, gained access to its internal platform, and then tweeted a cryptocurrency scam via high-profile and verified accounts. Some of the defaced accounts belonged to political figures, including presidential candidate Joe Biden.
Twitter learned a hard lesson in July. In a blog post today authored by Parag Agrawal, Twitter's Chief Technology Officer, and Damien Kieran, Twitter's Data Protection Officer, the company said it has since taken corrective action.
Staff to go through security training more often
The first of these was to require that all new hires go through a “Security and Privacy & Data Protection training.”
Second, Twitter also introduced new courses and increased the frequency and availability of existing courses for all employees.
Third, Twitter introduced two new mandatory training sessions for employees who have access to non-public information stored in its backend tools.
“These trainings make clear the dos and don’ts when accessing this information and ensure employees understand how to protect themselves when they are online so they can better avoid becoming phishing targets for attackers,” Agrawal and Kieran said today.
Twitter employees now use hardware security keys
Twitter also updated its secure coding, threat modeling, and privacy impact guidelines so that future in-house backend tools are built with security in mind from the start.
But because the July hack started with a phishing attack, Twitter has also issued hardware security keys to its employees, who must use them to access various parts of Twitter's infrastructure.
Even if an attacker obtains a Twitter employee's username and password, the login cannot complete without the physical security key enrolled for that account, so stolen credentials alone no longer grant access to Twitter's services.
Twitter underwent penetration tests
Twitter is also keeping an eye on the bigger picture: the upcoming US presidential election, a consequential event during which the company expects it may be targeted again.
To prepare, Agrawal and Kieran said Twitter has been running penetration tests and exercises with its staff to test its platform's security and its response in a controlled environment.
“Specifically, over a five month period from March 1 to August 1, Twitter’s cross-functional elections team conducted tabletop exercises internally on specific election scenarios,” Agrawal and Kieran said.
“Some of the topics included: hacks and other security incidents, leaks of hacked materials, platform manipulation activity, foreign interference, coordinated online voter suppression campaigns, and the post election day period.”
Other measures the company has taken to safeguard the US elections and limit foreign interference were to impose new security rules for US political accounts, launch a dedicated US election hub to counter misinformation, and tweak its rules on what counts as election misinformation.