
A Tempest in a Twitter

Unless you employ appropriate safeguards, a minor Twitter problem could easily turn into a tempest.

Even if you don't know a tweet from a chirp, there's a good chance someone in your organization does.

Odds are that a sizeable percentage of your users both update and monitor their Twitter accounts while at work. The upshot, industry watchers warn, is that you could soon have a Twitter problem. To the extent that your enterprise has embraced Twitter, either by establishing an official presence or by encouraging named or obvious affiliates to post on behalf of your organization, a minor Twitter problem could develop into a Twitter tempest quickly.

Consider the case of quasi-celebrity Tila Tequila: last month an unnamed person posed as her and posted disturbing messages to her Twitter account.

The point isn't just that highly visible entities have embraced Twitter as a means to both disseminate and control their messaging; it's rather that Twitter, by virtue of its use as a business tool, has become another vector for mischief.

Now that celebrities and many public organizations have established presences on Twitter -- and, in some cases, according to a recent article in The New York Times, have even hired proxies to impersonate or embody their tweeting selves -- Twitter comprises still another exposed interface that must, to a degree, be hardened.

That point was driven home recently when Twitter confirmed that several malware attacks had compromised almost 200 of its user accounts. The upshot, says Gartner analyst John Pescatore, is that it's high time enterprises take stock of the security risks posed by Twitter.

"Twitter's recent security issues follow the same arc that many other consumer-grade services have experienced. An innovative idea is quickly turned into a cool Web site that attracts lots of consumer use. Security is, however, not typically part of the cool site's business model. Hype about the potential business use of the new technology quickly leads to malware attacks. After a successful attack, security measures that were not built in are 'sprinkled on,'" Pescatore notes. "This pattern will not change anytime soon. There will always be real reliability and security differences between consumer- and business-grade technologies. But there will also be real business benefits to using consumer-grade technologies before they are 'business-strength.'"

Pescatore's prescription, not surprisingly, is a kind of enterprise-grade Twitter. "Enterprises must consider the cost of integrating or adding security controls to contain the risks of using these technologies before they reach security maturity. Trying to ignore or block them simply will not work," he argues.

Given Twitter's ubiquity and its autonomy (many business users tweet from their personal cell phones, after all), this seems like a prohibitively difficult problem. Gartner and Pescatore urge a mix of education, policy, and -- where appropriate -- technology to treat the problem.

To that end, he says, shops should "ensure that everyone who accesses enterprise systems is aware of the risks of using consumer-grade technologies such as Twitter."

On the technology front, enterprises should be certain to update their Web security gateways or IPS tools to protect against malware infiltration. Just because Twitter is new and untamed doesn't mean it poses an irreconcilable security threat. After all, even if the use or consumption of Twitter can't be fully policed -- and organizations can and should restrict the ability of certain classes of users to access Twitter via the Web -- most known Twitter attacks have exploited existing malware code, which those same gateways and IPS tools are designed to catch. Hence Pescatore's policy recommendation that shops "[r]equire malware blocking and data loss prevention capabilities in any business plans using Twitter or other consumer-grade technologies."

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
