Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show notes: Twitter and the Importance of User Verification
Quick Take
On this episode of Compliance Unfiltered, we chat about that little bird app you may have heard of, called Twitter. More specifically, we discuss how Twitter’s recent policy changes highlight the importance of user verification.
- What exactly happened when the blue check became something you could purchase?
- Why is user verification so important?
- How can you avoid similar issues with your own user verification?
All on this week’s episode of Compliance Unfiltered!
Remember to follow Compliance Unfiltered on Twitter!
Read Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who is guaranteed to bounce your compliance balls. Mr. Adam Goslin, how the heck are you, sir? I’m doing good, Todd. How about yourself? Man, I can’t complain. I really can’t. Today, though, we’re going to have a conversation about something that’s been in the news quite a lot, and that’s a little bird app you may have heard of. Today, we’re going to chat about Twitter and the importance of user verification.
So Adam, Twitter’s been in the news a little bit lately. Bring us up to speed on what’s going on at a high level. Well, when Elon bought the company and he went in and he cleaned house, one of the big changes that unfortunately grabbed a lot of attention was the way that they were handling verified accounts. It turned out to be kind of a disaster out of the gate. And, so it’s a lesson that everybody’s company should be paying close attention to with what Twitter was doing with user verifications in many ways, similar to the way many companies have, unfortunately, mishandled user verification internally. The result for Twitter happened to be on an epic scale, but I mean, really any organization can face similar disaster consequences when it comes to user verification.
Now, what happened with the user verification over there, though? Well, what they did is, you know, back before Elon came along, there was this little blue checkbox that showed up beside verified users. And that was how you were able to tell that, you know, that, oh, okay, well, this is really, whatever Bob Smith, Kim Kardashian, whoever tweeting out updates, and it wasn’t some imposter. And pretty much the only way that you could get the little verified checkmark was to go through conduct, you know, they conduct an internal process ID validation for every user that went in and applied for a verified account. For an undisclosed reason, Elon’s Twitter decided, yeah, we’re just going to go scrap the blue checkbox and replace it with an official badge. Select accounts were verified as part of an $8 monthly premium subscription, one that doesn’t include ID verification. I don’t know what ultimately drove the decision for making the change. I’m guessing that the ID process was a cost dump for Twitter. And so by just flipping it over to official and then having people go sign up for their $8 a month, you know, etc, the fundamentals of it were, hey, we’re going to make money and we’re going to drop costs and this is going to be great. But the problem was that, you know, the immediate result was predictable, but in some way, shape or form, it cut the Twitter crew off guard. Basically anybody can declare that they’re officially somebody as a result. So next thing you know, there’s dozens or hundreds of these fake verified accounts that claim to be the same person. There were fake governments, there were fake politicians, there were fake celebrities, fake brands. Hilariously enough, there were a number of fake Elon Musk’s’ on there as well. You’ve probably seen the stories in the news about how fake accounts were wreaking havoc, you know, on somebody. But there was one in particular that caught my eye and that was a tweet from Eli Lilly. Somebody signed up, got a fake account, posted a tweet, and I think Eli’s official Twitter account is like Lilypad or something. So somebody went in and made an Eli Lilly and Co. Twitter account, and then went and stuck a tweet out there. It was something along the lines that they felt really bad for all the people that had to take insulin, so they’re just going to make it free from here on out. And no joke, no sooner does this thing go out and hit the market, and I believe their stock price dropped something like $20 billion as a result of this tweet going out, and as soon as all of this news started flying out, Twitter users were effectively jumping ship to other social media platforms, and Tesla stock took a nosedive, and major brands started basically getting their shorts knotted pretty much overnight.
Twitter had to scrap this new verification process and go back to the drawing board and rework it. Now, I guess it’s funny that we made it this long into the podcast without asking this question directly so we’ll do it now. Why is user verification important Adam? Well, I mean, we saw the results of the lack of user verification in bright shiny lights when it came to some of the examples that were out there with all the fake accounts, and the baloney that people were pulling. I’ve got to tell you honestly though, I mean, I found it somewhat hilarious that this all happened in the way that it did. I think in many ways it taught numerous people a lesson. Hopefully but at the end of the day, user verification should have been a big deal for Twitter and it should be a big deal for your organization. It matters that you’re verifying your users. You don’t want people really nearly authenticated onto your platform and given a free pass to pose as fill in the blank. You’ve got to know whose on your system. The fact that they have a justified and rightful ability to be on there, you’ve got to appropriately authenticate the users. On most security compliance standards that exist today, if not all, unless they’re not directly related in any way, shape or form to authentication, every single one has various requirements for user identity validation and background checks, and things along those lines. So how the heck else are you gonna know that users are who they say they are? So these are just kind of fundamentals of the security and compliance arena. Organizations have a significant responsibility to make sure they’re handling that properly and that they’re taking that responsibility seriously.
Thank you.
For sure. Now, what are some of the ways that listeners can avoid similar issues? Well, you know, Certainly there are the, you know, the core groups that actually administer the accounts, etc. But, you know, HR, HR plays a role. You know, the management plays a role. The user participant patient plays a role. You know, the security groups that are in granting access, changing access and removing access play a role. I mean, even if you think about it, some of the responsibilities for, you know, just when you’re at the office and you’re in a security area of the office, I mean, it’s everybody’s responsibility to be on the lookout. If there’s somebody brand new, you’ve never seen before, etc., you know, should they be there, etc. So, you know, there’s a lot of ways that across the board, you know, folks need to participate, if you will. You know, first and foremost, trust no one is a good place to start. You know, I’ve seen instances where people not validating the identity, you know, identities in different forms can cause problems. I had, you know, one organization’s finance department that a ruse went into them saying, we need to cut a check to cover this vendor wire, you know, 25 grand to this account. And before anybody’s double checking, is it who they really said they were? Is this legitimate? Should I be doing this? Yeah, hey, guess what? You know, somebody goes and boom, you know, wires 25 grand and sure is nuts, the bad guys were laughing all the way to the bank. You know, the bad actors were just loving it. Different things pop up in different ways in an organization. You know, they may not be after, after dollars, they might be after intellectual property. So, you know, somebody goes in, gets a text message from the CEO who happens to be on the road and lost his company phone, he’s got a big meeting in the morning with an important investor, can you please move all the source code for our product to this Dropbox for me type of thing. There’s all sorts of examples of where user validation is going to come into play, but just making sure that you’re going through appropriate validation, you’re sanity checking the things that you’ve received. Is this coming from a legitimate source for the administrators that are responsible for it? Making sure that they got their appropriate authorized request that should be coming from a ticket from HR, is now coming in an email or a text message or something. Start asking questions. This happens in organizations oftentimes because folks either don’t bother to follow the process or maybe they’re unaware of what the process is, but great examples. Somebody in marketing goes and picks up some new contractor to do some miscellaneous web work on the marketing website or something, just bypassing appropriate channels and making requests directly to teams to provision accounts. Those are the instances where the administrators need to push back on those requests. I’m sorry, I can’t process this directly in this manner. It’s got to flow through this channel, whatever it is for that particular organization. Maybe go pass your request over to HR. They’ll go through all the appropriate vendor onboarding stuff. That way we make sure we have all the right paperwork filled out. Then I’ll get the request to go enable Sally to go in and do this stuff. It may not be, you know some end of the world instance where it’s, you know, some bad actor or whatever, it might just be somebody internally that, you know, that doesn’t know what that process is. But, you know, most of the time, user authentication requests, especially, will typically come through some type of a pre-approved process, whether it’s, you know, invocation of a ticket entered by a particular group or individual, you know, etc., that all of the pre-checks have already been done. And now you’ve got authorized approval to go take action on the user, you know, deprecating the user or adding the user, changing their permissions, etc., just making sure that it’s coming through those appropriate channels. That’s really where it comes into play.
Now, I guess, you know, it’s kind of you are what you do, right? So what should users, and what should listeners, excuse me, be doing on a regular basis? Well, you know, if somebody, if somebody is changing roles within the organization, you know, you want to make sure that not only are you granting them the new permissions, but also removing any old permissions they no longer need. So part of it is a procedural change internally. I’ve seen a lot of organizations that, you know, didn’t have as much maturity in the user administration arena. But that’s one of the areas where they’re typically struggle. So make sure if you’ve got somebody changing from, so I’ll make this up, if you’ve got somebody that’s changing from being a firewall administrator ,to being a development manager, you know, let’s say, when they do that job switch from firewall admin over to the dev manager, do they need to continue to possess their admin credentials to the firewall with their new role? Maybe there’s a transitionary period. Maybe they don’t need it at all. They’re going to walk away. There’s eight other people there that can go take care of this, right? But whatever the circumstances are, making sure that you’re keeping an eyeball on those permissions that you’ve got to get rid of when you’re doing those, you know, kind of those reviews.
You know, another thing is, and most of the compliance standards will, you know, will require this, but it’s just a good idea, is periodically, ideally, quarterly, you know, pull the list of all of the, you know, all the personnel that you’ve got provisioned.
Look through their permissions, make sure that they’re appropriate. Sanity, check them again. I did this a quarter ago, what new people showed up, what people are gone, and who had any changes, and sanity check that against your access request list. There’s a couple of good detection mechanisms in there that you can leverage to identify if somebody didn’t follow a process, or if possibly something nefarious is going on, etc. As you’re looking through that last quarter to this quarter, you should see access requests for these new personnel that were appropriately authorized. Anybody that had their accounts disabled type of thing, then we similarly ought to see whatever deactivation requests as well. Anybody that had a modification, well, there better be an access control for that too. You can also at that time go in and do the double check of did we appropriately remove the old permissions? One of the kind of new problems that I’ve seen in organizations, especially in this arena is where that firewall, going back to that firewall admin moves to a dev manager. Maybe that firewall admin needs to retain those credentials because they’re only supposed to retain them for a certain period of time. A lot of times organizations will struggle with, hey, we’re gonna allow this individual to hold their firewall admin responsibilities and permissions for 90 days, so that they can appropriately do their transition while they’re spinning up in the dev arena, setting some type of a reminder, and that kind of quarterly cadence. It’s good because what you can do is you’re going in and doing the review, and you go, oh, well, this person switched from firewall to this. Okay, they’ve got to retain their firewall stuff until this date. Put a note in advance on your next quarterly review, hey, I’ve got to check so and so, make sure that they dialed off the firewall permissions, or if they needed to extend it, okay, great, well, what’s the new date type of thing? So that way you can go in and track it, etc. You wanna be doing reviews of those accounts for things that look like they may be shared accounts that haven’t been used in 90 days. If nobody’s used an account in 90 days, do we really still need this account? Then there may be some justifiable reasons why those accounts should be there.
So, one example I’ll see a lot is that so and so has a domain account, but they only use it for web mail. I don’t know, maybe somebody in sales that’s always on the road, etc. And they never need to actually log into the domain because they’re using SAS applications for managing their sales leads, etc. Maybe it’s that they don’t have to go in and log in. But that’s where you can start identifying, seeing patterns, making profiles for people that have that particular situation. And that way, you don’t need to go in and address it next time, as long as you go in at your periodic reviews and categorize those appropriately. One other thing that organizations can do in relation to their system accounts. People otherwise refer to those as service accounts. They’re like systematic accounts that are used by the system type of thing. If that’s the case, then those same accounts should not be able to be logged in at the login prompt. And that’s typically referred to as having interactive login turned off for those accounts. So just make sure that you do have the interactive login and turned off for those accounts, the existing system or service accounts that you’ve got. And then if you see a new service account pop up at your quarterly review, well, then go in and do that check on just the net new, just the net new service accounts.
Parting shots and thoughts for the folks this week, Adam? Well, I mean, really Twitter showed us in real time, you know, how important it is to take user authentication seriously. You know, it’s a critical element of security, of any security compliance program.
It should apply to small businesses as well as the Twitters of the world. You know, it’s an important element of any good security compliance program. And it’s critical that you’re making sure that you’re controlling those user access requests, getting them from the proper sources, granting only the permissions that are needed, deprecating those that are no longer needed, you know, and having oversight management and curation of those accounts. And then I think that’s about it on that particular topic, but I just wanted to take a moment to thank the listeners for joining us. We have fun, we have fun creating content and putting fun topics out there. We hope that you enjoy it and we appreciate you listening.
Absolutely. Thank you guys so much. Now that right there. That’s a good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less. Thanks for watching!
