Weekly Video: November 7, 2022

11–7–2022 (Monday)

Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for investors, deal teams, and the management teams of portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

Today is Monday, November 7th, and winter has definitely arrived in the Pacific Northwest. Snow, wind, and storm warnings. ’Tis the season.

This week, even we can’t ignore the elephant in the room.

Let’s talk about Elon and Twitter from a security perspective. I’ll try to keep it to five minutes or less!

  1. Elon and Twitter: Security Implications

Elon, Twitter, and the Terrible, Horrible, No Good, Very Bad Day

Elon is nothing if not a consummate showman - showing up with a literal kitchen sink when he closed the deal for Twitter, and tweeting like a literal mad man as he appeared to be working out product and pricing strategy in real-time, via tweet.

So what might the proposed changes mean from a security perspective?

  1. Erosion of Trust. However the blue checkmark saga ends up, it’s clear that it will be more difficult moving forward to verify the authenticity of the source of a tweet. Up until now, the verification process has been rigorous enough to keep some semblance of “verifiability” amongst users with this feature. Now, when it’s enabled for $8/mo. to anyone with the ability to pay, it’s going to be much more difficult to determine what sources to trust.

    In today’s world of hyper rapid sharing, finger pointing, and racing to click the next thing, we’re going to see a sharp rise in disinformation and misinformation, along with a significant addition of the friction that this all brings.

    Expect to have to spend more time managing the narrative - even the true ones - amongst stakeholders. It will put more emphasis on brand management and official communications channels, and will increase the value of clear official communication for portfolio companies to their customers/users.

  2. Increased Attack Surface. At the same time, these mechanics will no doubt be used to launch attacks. Some of these attacks are going to be classic social engineering - think phishing, but instead of getting people to click in an email, they are clicking on a tweet.

    There will also be an increase in other types of social engineering attacks, where tweets are used to promote a particular narrative (think election disinformation or a crypto pump and dump scam). These could expand to things like manipulating a betting line using falsified information about injuries from key players or any other number of things. In many ways, it’s going to become difficult to trust or even consume information from this channel for most users.

  3. Entropy, Code Quality, Vulnerability. One thing that Elon has already made abundantly clear is that changes are coming. Significantly reduced headcount, new features, and other major shifts. Perhaps these are all needed - Twitter has been relatively stale from an innovation perspective, as far as SaaS platforms go, for the last 7-10 years. But, ramming through a decade of change in a quarter is a recipe for disaster from a code quality, vulnerability, and security perspective. I expect that we will see threat actors continue to focus on exploiting these weaknesses to attack the platform itself (i.e. pull data from the backend - because they no longer need to compromise accounts to manipulate content, they can now do that for $8/mo.).

    Additionally, we’re going to start to see some degradation in operations - it’s inevitable. What’s unknown is the scale of these impacts. They may be minimal, but from the early reports from Site Reliability Engineers, Trust & Safety, and other teams - the headcount has been hit hard, and the scale of Twitter is such that keeping everything moving is a Herculean effort. Expect to see some cracks in the facade soon - further eroding trust and enabling opportunity for threat actors.

  4. Reduced Knowledge Sharing. Finally, there is actually quite a vibrant information security community that uses Twitter to share information, discuss issues, and provide insight into threats and threat actors. As these people leave the Twitter platform for Mastodon or other alternatives, we’re going to see a fracturing of this centralized, accessible knowledge, which will be detrimental not only to this community, but to all of the organizations who benefit from this knowledge sharing. I don’t want to be alarmist about it, but we’re definitely losing a key information sharing resource as the platform changes.

Fundraising

A relatively small week for funding announcements, clocking in at nearly exactly $1B/day - with a grand total of $6.99B raised. We’re seeing a significant drop in tech stock prices - I’m thinking of Twilio’s 35% drop on Friday - which set up a rash of take private opportunities (though obviously not without risk).

Perhaps it’s time to start putting all that dry powder to use?

You can find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.
