
The cynical 140 character or less response to the question is simple: “You don’t need to lock the outhouse door.”
That’s the unfortunate position taken by many who ignore the threats posed by data leakage, inappropriate content, lack of centralized IT control, loss of intellectual property, privacy concerns, regulation, and the general lack of confidentiality, integrity and availability controls. If the past (and present) is any indication of the future, the changes needed to transform Twitter into a viable platform for use in the enterprise may be on the horizon, but they’re a long way off. These core issues are compounded by both the explosive growth of the service and the far too frequent attacks over the past year. To Twitter’s credit, they responded to the most recent events by initiating password changes for users following suspicious accounts that were determined to be threats. While that is a valid reaction, it’s still just that: a reaction.
To better secure Twitter, you would need to address three fundamental aspects of information security: Identity, Authorization and Authentication.
One of the most immediate issues that became known as Twitter gained acceptance was that followers didn’t have a way to verify the identity of a user they were following. Anyone can create a Twitter account under any available name. Just for fun, follow abevigoda for a few days. It’s a great gag: someone created a profile that impersonates the actor Abe Vigoda and posts a tweet daily proclaiming that he is alive. While that is fun, it illustrates how easily people with malicious intent can impersonate you or your company and spread false information. As I write this, Twitter has begun beta testing “verified accounts.” That’s definitely a step in the right direction, but the small number of accounts Twitter is taking the steps to verify is still a concern. On their website, they state that they are “starting with well-known accounts that have had problems with impersonation or identity confusion. (For example, well-known artists, athletes, actors, public officials, and public agencies). We may verify more accounts in the future, but because of the cost and time required, we’re only testing this feature with a small set of folks for the time being. As the test progresses we may be able to expand this test to more accounts over the next several months.” They also state that currently they “are not accepting new business verification requests.” So what should you do as a business and as a user of Twitter until this feature is ready for primetime? The simplest way to address this as a user is to be wary of who you follow and to seek out Twitter accounts in “out of band” ways, i.e. from a company’s website or blog that you are sure is managed by the entity you want to follow, or just ask them directly. As a business, be vigilant about your brand and identity. Search Twitter, use lists and monitor trending topics to see who is saying what about you (or as you), and notify Twitter support of accounts with a clear intent to confuse or mislead your customers so they can be permanently suspended.
Authorization is closely linked to identity and is a risk especially for organizations and businesses. Begin with the basics: decide what your policy for using Twitter should be, document it, and make sure your employees and contractors are aware of the policy. The best recommendation I have is simply to restrict the business usage of Twitter to specific, identified accounts that are authorized to speak on behalf of the organization. If you want to use Twitter to share information such as rate changes or other information that requires oversight from compliance, make sure that approval of all messages goes through the same publication process that would be followed for print or website changes. As part of the education process with employees and contractors, ensure that they are aware of the threat of data and information leakage posed by posting seemingly innocent tweets. What is considered acceptable behavior covers a wide range. There’s nothing wrong with your employees tweeting from their personal accounts that it’s cold in the office, but tweeting that the network has crashed and they’re waiting on someone to come fix it could give a social engineer knowledge of the inner workings of your environment.
It should go without saying that securing your Twitter profile relies on the basic rules of strong authentication. Use a long, complex passphrase including alphanumeric and special characters, and change that passphrase as often as your password policy dictates. However tempting the convenience of linking Twitter to other services and applications may be, don’t entrust your username and password to any third-party application.
While these three steps are the ways for you to use Twitter securely, there are numerous flaws and threats that Twitter must address before it is truly a platform that is secured and appropriate for enterprise use. Twitter’s largest security breaches over the past year were the result of a lax security posture within its own organization. An internal account used to manage their DNS records was compromised, and documents belonging to Twitter corporate users were pilfered from a compromised Google Docs account. Cross-site scripting vulnerabilities have been identified that allow a malicious user to inject code into a tweet that would then be executed on followers’ machines. These are all definite and real concerns that should be weighed while deciding on your organization’s Twitter policy.
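The cross-site scripting risk above comes down to how tweet text is rendered into a page. As an added example (not code from the original post or from Twitter), here is a small JavaScript renderer that escapes the tweet first and only then turns @mentions and http(s) URLs into links, so markup inside a tweet is displayed rather than executed; the twitter.com profile URL format and the 15-character handle limit are assumptions.

```javascript
// Added example, not part of the original post: render a tweet safely.
// Rule 1: escape the raw text before anything else touches it.
// Rule 2: only turn tokens into links after escaping, and only for
//         schemes we explicitly allow (http/https).

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Accept only absolute http(s) URLs; javascript:, data:, vbscript: and
// relative paths are rejected, so they stay as plain text.
function isSafeUrl(candidate) {
  try {
    const url = new URL(candidate);
    return url.protocol === 'http:' || url.protocol === 'https:';
  } catch (_) {
    return false; // not parseable as an absolute URL
  }
}

// Split the already-escaped text on whitespace (keeping the whitespace so
// the tweet reads the same), link @mentions and safe URLs, leave the rest.
function renderTweet(rawTweet) {
  const escaped = escapeHtml(rawTweet);
  return escaped
    .split(/(\s+)/)
    .map((token) => {
      // Assumed handle rules: 1-15 word characters, profile at twitter.com/<handle>.
      if (/^@[A-Za-z0-9_]{1,15}$/.test(token)) {
        return `<a href="https://twitter.com/${token.slice(1)}" rel="nofollow">${token}</a>`;
      }
      if (/^https?:\/\//i.test(token) && isSafeUrl(token)) {
        // token is already escaped, so quotes cannot break out of href.
        return `<a href="${token}" rel="nofollow">${token}</a>`;
      }
      return token;
    })
    .join('');
}

// Constructed sample tweets for a quick self-check when run directly.
console.log(renderTweet('<script>alert(1)</script>'));
console.log(renderTweet('hi @abevigoda, see https://example.com/?a=1&b=2'));
```

Rendering with `innerHTML = renderTweet(text)` then only ever inserts escaped text and links whose href was checked against an allow-list of schemes.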