Analyzing Twitter's Security Nightmare. Also: Gartner's Magic Quadrant; Cyberthreats in 2023
The latest edition of the ISMG Security Report discusses the appearance at a Senate hearing this week by the former head of security for Twitter; the top-performing web application and API protection vendors, according to Gartner's Magic Quadrant 2022; and threat trends to watch for in 2023.
In this report, you'll hear:
- ISMG's Mathew Schwartz explain how, as former cybersecurity executive-turned-whistleblower Peiter Zatko, aka Mudge, told a Senate committee this week, poor decision-making by Twitter's executives jeopardizes the security of users;
- ISMG's Michael Novinson reveal this year's winners and losers of Gartner's Magic Quadrant;
- CSO Ron Green of Mastercard describe the threats of most concern for 2023 and the technologies to help defend against them.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the Sept. 1 and Sept. 8 editions, which respectively discuss the possible unintended consequences of banning ransom payments and a new phishing-as-a-service toolkit that threat actors use to bypass multifactor authentication.
Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.
Anna Delaney: Ex-Twitter security chief faces Senate panel, and the winners and the losers in this year's Gartner Magic Quadrant. These stories and more on this week's ISMG Security Report.
Hello, I'm Anna Delaney. On Tuesday, the former security chief of Twitter appeared on Capitol Hill to testify about alleged security shortcomings. Anticipation had been building for what Peiter Zatko, also known as Mudge, would say beyond the whistleblower complaint he filed last month with the federal government, alleging in part that Twitter's security posture had "extreme, egregious deficiencies." Joining me to discuss is Mathew Schwartz, executive editor for DataBreachToday and Europe. Mathew, what are the risks posed by the security shortcomings that Zatko has alleged?
Mathew Schwartz: Zatko has said that Twitter can pinpoint who you are and where you are at any given moment. This has obvious repercussions in repressive regimes or, for example, in parts of the United States where women might be trying to access reproductive health care. But hackers have also taken over Twitter accounts to run scams. In theory, they could also cause mass panic. Twitter functions like a megaphone, and as such, numerous senators said the service has a responsibility to ensure that it's protecting not just users' privacy, but also data security. Here's Dick Durbin, the Democratic senator who chairs the Senate Judiciary Committee, opening the hearing.
Dick Durbin: The bottom line is, Twitter is an immensely powerful platform that cannot afford gaping security vulnerabilities.
Delaney: Peiter Zatko is a well-known, revered figure in the field, and he was part of the influential security consultancy @stake. He helped run cybersecurity programs at DARPA and later Google. In November 2020, he was personally hired by Jack Dorsey, then CEO of Twitter, to fix the company's security problems. But then he was fired in January by Dorsey's replacement. In between, Mathew, what went wrong?
Schwartz: In his testimony, Zatko doubled down on some of the deficiencies he alleged in his whistleblowing.
Peiter Zatko: What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards. The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people. When an influential media platform can be compromised by teenagers, thieves, and spies, and the company repeatedly creates security problems on their own, this is a big deal for all of us. When I brought concrete evidence of these fundamental problems to the executive team, I repeatedly sounded the alarm about the real risks associated with them. These were problems brought to me by the engineers and employees of the company themselves. The executive team chose instead to mislead its board, shareholders, lawmakers and the public instead of addressing them.
Schwartz: One of Zatko's big takeaways was this: Executives at Twitter were informed about these security problems, but he alleges they chose to instead prioritize profits.
Delaney: Mathew, what were the problems?
Schwartz: As alleged by Zatko, there were many. He described a company that appeared to be violating the 2011 settlement agreement it signed with the Federal Trade Commission, requiring it to establish and maintain a comprehensive information security program for the next two decades. He also described a problem raised with him by the company's engineers, concerning an inability to delete data for users who asked that their accounts be deleted. He further described a lack of logging. About half of the company's employees are engineers, amounting to about 4,000 individuals, and they all have access to reams of personal data, but with apparently virtually no oversight or monitoring. Among the problems that Zatko alleged, in particular in his whistleblowing complaint, was that multiple nations, including China and India, appeared to have agents on Twitter's payroll. Zatko said executives' response to his concerns about foreign agent infiltration was, "Since we already have one, what's the problem if we have more?"
Delaney: What's Twitter's take on this?
Schwartz: Zatko's whistleblowing and testimony come at an awkward time for the social network. They've become ammunition for Elon Musk, the founder of SpaceX and Tesla, as he attempts to walk away from his agreement to buy Twitter for $44 billion. The same day Zatko testified, Twitter shareholders voted in favor of Musk's acquisition. So the Senate Judiciary Committee subpoenaed Zatko to testify. It also invited the current CEO of Twitter, Parag Agrawal, to testify. But Chuck Grassley of Iowa, the committee's ranking Republican member, noted that the CEO had declined to appear.
Chuck Grassley: Twitter's CEO has refused to appear today. He rejected this committee's invitation to appear by claiming that it would jeopardize Twitter's ongoing litigation with Mr. Musk. Many of the allegations directly implicate Mr. Agrawal, and he should be here to address them. So let me be very clear: the business of this committee, and protecting Americans from foreign influence, is more important than Twitter's civil litigation in Delaware. In conclusion, if these allegations are true, I don't see how Mr. Agrawal can maintain his position at Twitter.
Schwartz: There's obviously no love lost there. Instead of the CEO's testimony, we have a statement from Twitter. In it, a spokesperson dismisses Zatko's allegations, saying the hearing only confirms that Mr. Zatko's allegations are riddled with inconsistencies and inaccuracies. The spokesperson adds that internal access to data is subject to access controls, and monitoring and detection systems.
Delaney: What happens next?
Schwartz: Twitter looks set to see a lot more scrutiny. No doubt the FTC is going to be very interested in Twitter's settlement agreement. The Securities and Exchange Commission could also be looking at whether Twitter has been misleading shareholders. Also, toward the end of the Tuesday hearing, Senator Lindsey Graham said he's writing legislation with Democratic Senator Elizabeth Warren to create a new agency to regulate matters such as digital privacy and content moderation. Will this go forward? Will this succeed? Who knows, when it comes to Congress and privacy? But another challenge for Twitter is that Musk has launched a legal salvo arguing that Zatko's separation agreement with Twitter, worth $7.75 million, was made without his consent or knowledge. He said the company and Zatko executed the agreement on June 28. At the end of Zatko's hearing, meanwhile, Musk tweeted, "my tweets are being suppressed."
Delaney: The drama continues. As always, thank you so much, Matt. Who are this year's winners and losers according to Gartner's Magic Quadrant? Our business editor Michael Novinson says there were big shifts this year, as cloud deployments replaced the appliance market. I caught up with him to find out about the latest trends. Gartner has released its Magic Quadrant for Cloud Web Application and API Protection 2022. Who were this year's winners and losers?
Michael Novinson: The big winner this year is Cloudflare. They had been gaining, but outside of the Leaders Quadrant, for a couple of years now. And they broke into the Leaders Quadrant for the first time this year, joining Akamai as well as Imperva, who had both been leaders in this web application and API protection space for many, many years. The losers were a couple of companies who fell from the Challengers Quadrant to the Niche Players Quadrant, those being Barracuda and F5. ThreatX fell from being a visionary to being a niche player. We're seeing some bifurcation in this market, seeing some clear winners and losers. Gartner this year had three leaders; they had five niche players and then only three in the Visionaries and Challengers categories combined. The haves and the have-nots in this market are becoming a lot clearer.
Delaney: The Magic Quadrant for Cloud Web Application and API Protection was in previous years published as the Magic Quadrant for Web Application Firewalls. What triggered the change in this title?
Novinson: It's a significant change. A driver behind a lot of the movement is that Gartner made it clear this year that they're not considering appliance-based protection; they're focused only on cloud protection of web applications. This hurt a number of the legacy providers, the Barracudas and the F5s of the world, who had been delivering these capabilities more through appliances. Cloudflare is a newer company; the first time they were even in the Quadrant was 2016. They only have a cloud delivery form factor. They don't even do an appliance-based one. They benefited from the Quadrant focusing just on cloud delivery at the expense of appliance delivery.
Delaney: Are there any other interesting trends you'd like to highlight?
Novinson: In terms of the leaders this year, we're seeing a couple of different things. Akamai has been focused on trying to automate the process, which had involved a lot of manual rule setting for each application, a very labor-intensive process. They've been trying to use their visibility across all of their customers to create preset rules for a customer's applications based on the specifics of their environment, so that it's less upfront work for the customers. Cloudflare has been focusing on anomaly detection, threat intelligence, as well as client-side security as a newer entrant in the market, just trying to build out that full functionality and get a little bit more depth across all the components of the market. Imperva has done a lot historically in the web application market and has turned their attention more to API security, doing more around API discovery, monitoring, data classification, etc. They want to beef up that side of the practice so it's as strong as what they do around web applications. We're seeing some big bets from the leaders in this market. The appliance-based market has flattened off and is being driven at this point by renewals. There's not much new business in the appliance market. But there's still a lot of growth in the cloud-delivered form factor, as Gartner was saying, and the API security market is certainly growing faster than the web application side.
Delaney: This has been an excellent overview of this year's Magic Quadrant from Gartner. Thank you so much, Michael. Finally, at our recent Government Summit, our Senior Vice President of Editorial, Tom Field, met with Mastercard's CSO Ron Green. He shared the cyberthreats he expects to see in 2023 and the technologies that can help defend against them.
Ron Green: Two cyberthreats that I think we should expect to see in 2023. First, still prominent, is unintentional insiders. We have to do more to help educate people on how to do internet hygiene stuff safely. Cisco is doing a great deal of work with multi-factor authentication. That's another thing that people should take advantage of, not just for their companies but even for their own lives. Another thing to think about for 2023 is just technologies that are ubiquitous, that we all leverage and use. I think we've seen what a Log4j or other pervasive vulnerabilities can mean to our environment. We're going to see those again. I think we can do more in exercising at scale, like we have Cyber Storm, where we can tabletop cross-sector. But I think we can get to a place where we can test companies and infrastructure in a cohesive way. If we had something like a national cyber training center, kind of like the Army has the NTC for taking large units out and testing them, we should be able to take out our industries and test them. So rather than wait for the worst of worst days, let's go out and try it out and see what we can do. Another thing, technology-wise, that I think will help is just more of the automation that we're enabling our team members to have. So rather than having our humans have to, lever by lever, switch by switch, find an issue and then remediate the issue, the more that we can bring in automation to speed that along, so that our team members can work on the harder things. It's better for the people, and it also reduces our reaction time.
Delaney: That's it for the ISMG Security Report. I'm Anna Delaney. Until next time.