Twitter was victimized by a security event earlier this week. Just in case you don’t remember or are reading this post some time after it occurred, this was the event where a number of well-known, verified accounts all started sharing messages for a standard Bitcoin scam. former President Obama, former Vice President Biden, Bill Gates, Elon Musk, Warren Buffet, Kanye West were among the accounts that seemed to have been taken over by the fraudsters. There were a lot of theories over this week, including that someone at Twitter with access to an admin panel was involved, either as having their account compromised or as a willing participant that took a payout to provide the access.
It’s the latter point I want to focus on and it’s a point plenty of others have discussed too, most notably Rachel Tobac. In a nutshell, the theory involves that a single individual at Twitter, with access to the admin panel, would be able to make any changes to accounts without any other authorization. This has nothing to do with poor password practices or a failure to implement some form of multi-factor authentication. It speaks to one of the lesser touted practices when it comes to security functions and it’s a part of mitigating the risk of an insider threat.
Everyone has heard of principle of least privilege. You only provide levels of permission to staff commensurate with the tasks they need to assign. You couple this with a segmented network, so staff can only access the part of the network they need, and you’ve increased your defense-in-depth. It can be time-consuming to establish, which is why it’s difficult to implement in an organization. It can also go against certain cultural beliefs that senior members in leadership have, so getting executive buy-in is another hurdle. Rotation of duties is one that’s not mentioned often enough. It’s the premise that you rotate staff through different roles on a cycle, so no one person sits in a position without successive oversight. This is thought to greatly combat against fraud, especially in positions with financial responsibilities. One that rarely gets discussed is the two-man rule. Really, it should be the two-person rule.
Two-person rule is probably best well known to most of us as part of nuclear weapon strategy, dramatized in the movies “War Games” and “Hunt for Red October.” The opening scene in “War Games” brings us to a nuclear silo, where the order to launch the missiles comes. Launching the missile requires two armed forces members to turn their key to arm for launch. In “Hunt for Red October,” Captain Ramius takes the missile launch key from the political office who died from “something as foolish as slipping on tea.” The point is made explicitly, when the doctor aboard the nuclear sub, portrayed by Tim Curry, lets the audience know that the purpose for having two people having the keys is to prevent one individual from launching the weapons by themselves. It is this multi-person requirement that is often neglected in areas of systems security.
The component of the Twitter compromise that was drawing the most attention was the appearance of screenshots of an apparent Twitter admin panel. This panel allows select employees at Twitter to access any Twitter account, we’ve been told that President Trump’s account has additional security due to potential security threats, and change the associated email address, access the direct messages (DM), edit profiles, and send, edit, or delete tweets from the account, as if they were done by the account owner themselves. If the theory that a single insider’s account access would have allowed for this level of control, it should make one consider if a two-person rule shouldn’t be implemented to avoid situations like this one. It would even mitigate against a single person making an accidental change or entry, potentially taking a system down, destroying data, or otherwise inadvertently causing an organization harm.
There are certain responsibilities within organizations where it may be too much power or responsibility to leave to a single member of a team. You gain a marked measure of control and security if you require two or more individuals to authorize the action. It mitigates against a single insider threat, whether it be a rogue employee or one who’s been victimized by having their credentials compromised. It too, is likely to be complicated to implement and requires failsafes, should one of those people be unavailable at a time when the change is needed in a dire situation. If Twitter had implemented a two-person rule for use of its admin panel to access an account, it would not be possible for a single employee’s access to be responsible for any of the changes. If there were a way to randomize the pairings, so that no one employee could be certain who their assigned partner for access would be, even better.
If you’re wondering how that would work, there was another movie, whose title I can’t remember, about a prison complex in the future. The prisoners were allowed to roam the grounds free, with no walls or gates surrounding the prison. All they had was an electronic collar. That collar was linked with another prisoner. The prisoners weren’t aware of who their connection was, but what they did know, was that there was a maximum range the collars could be apart. You and your partner could be on opposite sides of the grounds and be fine. But break that distance, but just a few feet, and both collars would explode, basically blowing the heads off of both prisoners.
Now that may be a bit of an extreme method, and I’m sure Human Resources would have a few issues with that as a suggestion, and that’s before we get counsel involved. But there is an effectiveness there. The two-person rule goes a step beyond principle of least privilege, separation of duties, and rotation of roles. It may not be necessary for most situations but it should certainly be implemented in certain cases, especially those that are affect high value, high visibility targets.