infoTECH Feature

May 13, 2013

Twitter: A False Sense of Security?

By TMCnet Special Guest
James C. Foster, CEO & Founder, Riskive

Twitter, and its post-breach announcement touting new key security initiatives and features, is playing on dangerous ground. 

Before we can understand why this is the case, some historical context is necessary -- so let's flash back to the turn of the millennium.

In 2001, Oracle’s CEO Larry Ellison claimed that the Oracle 9i database and its application system were “unbreakable.” Shortly thereafter, in early 2002, Microsoft’s CEO Bill Gates penned, “Trustworthy Computing is the highest priority for all of the work we are doing.” Unfortunately, those bombastic declarations fueled public distrust and the need for quick PR rebuttals addressing numerous breaches. Thousands of vulnerabilities have been identified in Oracle and Microsoft products in the last 10 years.

Fast forward to 2011. 

Mark Zuckerberg, the CEO of Facebook, had his own account temporarily breached, releasing his personal pictures for the world to see. Facebook’s response was quick and precise: security was now important, and they were implementing enhanced security measures including HTTPS and a new form of two-factor authentication that requires users to identify five friends via their pictures. Despite best efforts, countless accounts have been compromised, including those of recent victims Colin Powell, Paris Hilton and Selena Gomez.

History is on the verge of repeating itself as Twitter digs a deeper, reactive PR hole. In response to negative publicity generated from the Associated Press’ coverage of the April 23 account breach, Twitter announced to the world last Thursday its intentions to double down and take security more seriously by offering two-factor authentication.

Simply explained, two-factor authentication requires a user to provide two sets of information, drawn from different categories, when logging into a system. The three most common factors are something a user knows (e.g. their password), something a user has (e.g. a token – think an RSA token) or something a user is (e.g. logging in from a specific computer or device).

While multi-factor authentication has existed for a while, new forms of two-factor authentication include cell phone proximity to a known location, pre-authorized pictures, or even the results of a user drawing.
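The two-factor login described above, combining something the user knows (a password) with something the user has (a time-based one-time-password device), as an added example written for this page; it is not Twitter's implementation and Twitter's SMS-based scheme is not shown. The user record, the `enroll_user`, `verify_login` and `verify_totp` helpers, and the RFC 4226/6238 test secret used for the demo are assumptions made for the example:

```python
import hashlib
import hmac
import secrets
import struct

# --- factor 1: something the user knows (a password) -----------------------

def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; only the salt and hash are stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(stored_hash: bytes, salt: bytes, candidate: str) -> bool:
    # constant-time comparison so response timing does not leak how much matched
    return hmac.compare_digest(stored_hash, hash_password(candidate, salt))

# --- factor 2: something the user has (a TOTP device, RFC 6238) ------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from a 30-second time step."""
    return hotp(secret, now // step)

def verify_totp(secret: bytes, candidate: str, now: int, step: int = 30) -> bool:
    # accept the current step and one step either side to absorb clock drift
    return any(
        hmac.compare_digest(candidate.encode(), hotp(secret, now // step + drift).encode())
        for drift in (-1, 0, 1)
    )

# --- enrolment and the combined check (hypothetical helpers) ---------------

def enroll_user(name: str, password: str, totp_secret: bytes) -> dict:
    """Constructed user record; a real service would keep this server-side."""
    salt = secrets.token_bytes(16)
    return {
        "name": name,
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,
    }

def verify_login(user: dict, password: str, otp: str, now: int) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which one was wrong."""
    password_ok = verify_password(user["pw_hash"], user["salt"], password)
    otp_ok = verify_totp(user["totp_secret"], otp, now)
    return password_ok and otp_ok

if __name__ == "__main__":
    # RFC 4226/6238 test secret, used here only so the demo is reproducible
    demo_secret = b"12345678901234567890"
    alice = enroll_user("alice", "correct horse battery staple", demo_secret)
    t = 59  # RFC 6238 test time: step counter 1, 6-digit SHA-1 code 287082
    print(verify_login(alice, "correct horse battery staple", totp(demo_secret, t), t))  # True
    print(verify_login(alice, "correct horse battery staple", "000000", t))             # False
    print(verify_login(alice, "wrong password", totp(demo_secret, t), t))              # False
```

The point the paragraph makes in prose is visible in `verify_login`: a stolen password alone fails, a captured one-time code alone fails, and the code stops working once its time step has passed. Evaluating both factors unconditionally, rather than short-circuiting on the first failure, keeps a failed login from telling the caller which factor was wrong.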

On a positive note, security practitioners commend the defense-in-depth approach and the addition of any new security mechanism within the platform. Conversely, Twitter’s response offers the public a false sense of security. When the next account is compromised – and it will happen – the headlines will be worse given Twitter’s perceived empty promises.

Twitter could have hired a Chief Information Security Architect (CISA) to shake up its internal technical teams and create a framework of accountability. No, this wasn’t a typo. While most enterprise organizations have Chief Information Security Officers (CISOs) who report up to the CIO and are responsible for internal security and personnel security operations, I am advocating for a new role within next-generation platform companies (Facebook, Twitter, LinkedIn, Zynga, Evernote; the list goes on). The CISA should work with the product management, infrastructure, and engineering teams to design, architect, and implement the technical security strategy for the company and its products.

Twitter’s two-factor authentication is a fair, reactive band-aid response. However, without a persistent effort to re-embed security throughout the entire platform, its effectiveness will diminish all the more rapidly.

Only time will tell how effective these changes will be for Twitter but, in the interim, you can bet I will be verifying and enabling my Twitter account.

Edited by Rory J. Thompson