What We Can Learn From the Twitter Whistleblower
Twitter is making headlines yet again, this time thanks to whistleblower Peiter Zatko who called out the company for its cybersecurity mismanagement. Find out what happened — and what we can learn from it.
Want to guess which company is responsible for “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy?”
It’s Twitter — at least according to an explosive report by Peiter Zatko, the company’s former head of security.
From buffer overflow researcher, to Lopht member, to worker at the Pentagon’s Defense Advanced Research and Projects Agency, Peiter Zatko has had an impactful career and has plenty of experience discovering and exposing secrets in order to stop malicious activity. It’s unsurprising, then, that when he joined Twitter’s security team, he quickly began calling out the company on the issues he found, first internally and, now, publicly.
The fallout of Zatko’s allegations is significant, from negatively impacting Twitter’s financial and legal prospects to potentially enabling Elon Musk to walk away from his promised $44 billion buyout. However, Zatko’s 84-page complaint, dated July 6, isn’t just relevant to Twitter. It also holds lessons for every organization, from global enterprises like Twitter to small and medium-sized businesses who might be making the same high-impact errors.
A Deep Dive into Zatko’s Allegations
So, what exactly did Zatko allege in his complaint to the U.S. Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and the Justice Department? As you can imagine from the large page count, quite a lot.
At the center of Zatko’s complaint was Twitter’s mismanagement of cybersecurity. Specifically, he called the company out for its lack of basic security controls. Not only do thousands of employees’ laptops contain complete copies of Twitter’s source code, but around a third of employee computers have significant problems that put them (and Twitter’s code) at risk. For example, many laptops had system firewalls turned off, blocked automatic security fixes, and even allowed non-approved remote desktop access.
To make matters worse, Twitter doesn’t actively monitor what its employees do on their laptops. That lack of oversight meant individuals could install spyware for external organizations that gave them access to Twitter users’ private data or the ability to affect Twitter’s workings. But that’s not all.
According to Zatko, half of Twitter’s data center servers are running on outdated software, so regular security updates and data encryption aren’t available even if the company or employees wanted to implement them. Zatko also realized that overlapping outages in Twitter’s data centers could result in a lack of service for months or a complete loss of data and says that, despite Twitter’s public commitment to fighting spam, not much is being done behind the scenes. What’s more, Twitter doesn’t delete users’ data when they cancel their accounts, violating a 2011 FTC agreement.
As a result of all these failures, Twitter hasn’t been able to provide its users — from government agencies to presidents and other influential or even everyday users — with the protection they deserve. In fact, Zatko says that Twitter had over 40 security incidents in 2020 alone and 70% of them were access control-related. Worse still, Twitter’s executives have deceived board members and federal regulators by lying about the number of severe security breaches they’ve experienced and withholding information about data protection.
What We Can Learn From Twitter’s Failures
While Zatko’s complaint is specific to Twitter, its significance travels far beyond the social media platform — it should be a wake-up call for every business and organization. Robust cybersecurity is essential in every space because the plain fact is, bad actors are relentless and are forever in pursuit of the easiest wins. They’ll take any opportunity to exploit your weaknesses, so you can’t let your guard down. That’s precisely what happened with Twitter. If they had proper cybersecurity measures in place, the many incidents Zatko described in his report would likely never have occurred. At the very least, the cybercriminals would’ve had to work much harder to breach the company’s defenses, meaning they might have given up before they could succeed.
Knowing how important it is to proactively implement proper cybersecurity measures isn’t enough, though. It’s all too easy for things to fall through the cracks — especially if you don’t have a dedicated team to address them. Again, look at Twitter. Zatko claims he repeatedly alerted the company to their lack of security, but they didn’t make any substantial changes and are now paying the price.
The good news is that there’s a simple solution to ensuring your cybersecurity measures are always up to date: working with a cybersecurity-as-a-service (AAS) partner. When you work with an AAS company, you put your organization’s cybersecurity into the hands of experts. Not only can your partner build a robust cybersecurity infrastructure from the ground up, but they can also take management off your plate, ensuring that every patch and update is taken care of immediately. They’ll even deal with detecting and responding to phishing, ransomware, distributed denial-of-service, and other cybersecurity attacks, so you can rest easy knowing you’ve done everything you can to protect your data and users.
Additionally, outsourcing to a cybersecurity-as-a-service partner can save you money since it’s far cheaper to pay a company to create your cybersecurity infrastructure than to hire, train, and maintain an in-house team that has to navigate cybersecurity issues as well as regular IT issues. Plus, with a cybersecurity partner you’ll instantly gain access to the best of the best, with greater flexibility that lets you secure your network while also letting you concentrate on your core business. In short, working with a cybersecurity-as-a-service partner is the smartest and simplest way to stay secure and gain peace of mind.
Up Your Cybersecurity Game with TTI
Zatko’s whistleblower complaint may have put Twitter in the spotlight, but it’s also a valuable eye-opener for everyone on the critical importance of cybersecurity in any space. A robust cybersecurity infrastructure is non-negotiable, but not every company has the time, resources, or in-house expertise to protect its data and servers adequately.
Enter Turn-key Technologies, Inc. (TTI), the perfect cybersecurity-as-a-service provider. Our team is composed of experts who can secure your networks and devices. Not only can we recommend and install powerful cybersecurity solutions, but we can maintain and manage those solutions, ensuring they are always up to date.
Contact us today to learn more about how TTI can improve your cybersecurity!
By Tony Ridzyowski