https://community.isc2.org/t5/Industry-News/Twitter-s-Whistleblower/m-p/52678#M5901 <P>What are your thoughts on this? Is this just a disgruntled employee who couldn't make the case for better security or was it gross negligence on Twitter's part? I've always worked in a regulated environment so I have zero experience working for a tech company.&nbsp;</P><P>&nbsp;</P><P>There are some pretty serious security allegations being reported such as:</P><P>&nbsp;</P><UL><LI>Broad access to the production environment and user data</LI><LI>Minimal to no logging on changes to the production environment</LI><LI>Access to resources from unpatched work and BYOD devices</LI><LI>Datacenters didn't support data at rest (In their defense, not a lot of places have that setup)</LI><LI>Engineers tested on production environment instead of test environment</LI></UL><P><A href="https://www.wired.com/story/mudge-twitter-whistleblower-security/" target="_blank" rel="noopener">https://www.wired.com/story/mudge-twitter-whistleblower-security/</A>&nbsp;</P><P><A href="https://s3.documentcloud.org/documents/22186782/whistleblower_disclosure.pdf" target="_blank" rel="noopener">https://s3.documentcloud.org/documents/22186782/whistleblower_disclosure.pdf</A>&nbsp;</P><P>&nbsp;</P> Thu, 25 Aug 2022 14:47:51 GMT tmekelburg1 2022-08-25T14:47:51Z https://community.isc2.org/t5/Industry-News/Twitter-s-Whistleblower/m-p/52678#M5901 <P>What are your thoughts on this? Is this just a disgruntled employee who couldn't make the case for better security or was it gross negligence on Twitter's part? I've always worked in a regulated environment so I have zero experience working for a tech company.&nbsp;</P><P>&nbsp;</P><P>There are some pretty serious security allegations being reported such as:</P><P>&nbsp;</P><UL><LI>Broad access to the production environment and user data</LI><LI>Minimal to no logging on changes to the production environment</LI><LI>Access to resources from unpatched work and BYOD devices</LI><LI>Datacenters didn't support data at rest (In their defense, not a lot of places have that setup)</LI><LI>Engineers tested on production environment instead of test environment</LI></UL><P><A href="https://www.wired.com/story/mudge-twitter-whistleblower-security/" target="_blank" rel="noopener">https://www.wired.com/story/mudge-twitter-whistleblower-security/</A>&nbsp;</P><P><A href="https://s3.documentcloud.org/documents/22186782/whistleblower_disclosure.pdf" target="_blank" rel="noopener">https://s3.documentcloud.org/documents/22186782/whistleblower_disclosure.pdf</A>&nbsp;</P><P>&nbsp;</P> Thu, 25 Aug 2022 14:47:51 GMT https://community.isc2.org/t5/Industry-News/Twitter-s-Whistleblower/m-p/52678#M5901 tmekelburg1 2022-08-25T14:47:51Z https://community.isc2.org/t5/Industry-News/Twitter-s-Whistleblower/m-p/52679#M5902 <P>Y'all remember the breach of those 100+ high-profile accounts?&nbsp; I heard that was because they shared priv credentials in a slack-type environment.&nbsp; The whole of these complaints, writ large, points to a culture of severe sloppiness.&nbsp; I envision their offices all looking like Wayne Knight's workstation in Jurassic Park.</P> Thu, 25 Aug 2022 16:26:40 GMT https://community.isc2.org/t5/Industry-News/Twitter-s-Whistleblower/m-p/52679#M5902 ericgeater 2022-08-25T16:26:40Z https://community.isc2.org/t5/Industry-News/Twitter-s-Whistleblower/m-p/52681#M5903 <P>The Twitter security team asking the Engineers not to test in the production environment:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tmekelburg1_0-1661448160071.png" style="width: 400px;"><img src="https://community.isc2.org/t5/image/serverpage/image-id/6357i417F229272AB33F1/image-size/medium?v=v2&amp;px=400" role="button" title="tmekelburg1_0-1661448160071.png" alt="tmekelburg1_0-1661448160071.png" /></span></P><P>&nbsp;</P> Thu, 25 Aug 2022 17:23:31 GMT https://community.isc2.org/t5/Industry-News/Twitter-s-Whistleblower/m-p/52681#M5903 tmekelburg1 2022-08-25T17:23:31Z