Last December, the team over at Ars Technica released detailed technical articles on the “Russians Hacking” during the US elections, and a year later much of it has been forgotten.
There are a few choice dates in one of the articles which highlight how, if a simple warning had been heeded, the hack might have been prevented.
> The FBI warned the DNC of a potential ongoing breach of their network in November of 2015.
Plenty of time to put in a plan and keep the bad guys out. This is good.
> But the first hard evidence of an attack detected by a non-government agency was a spear-phishing campaign being tracked by Dell SecureWorks. That campaign began to target the DNC, the Clinton campaign, and others in the middle of March 2016, and it ran through mid-April.
Four months have passed since the FBI warning. The attackers start stirring up trouble. Well, hopefully we can now deal with the issue.
> The DNC’s information technology team first alerted party officials that there was a potential security problem in late March, but the DNC didn’t bring in outside help until May.
They had another alarm bell raised and waited another 2 months? So that means that in 6 months, they did not address the problem. Does that mean one of the following occurred:
- Management knew about it but were "too busy" with an election?
- The FBI, Dell Security and in-house IT were all ignored?
- Did the machine of bureaucracy turn too slowly to react?
“But this attack used advanced technology. Nobody could have prevented it!”
All the 3-letter security agencies, along with third-party security researchers, have stated quite clearly that the breach was caused by a phishing campaign, which is the very old technique of tricking a victim into handing over something to the attacker through a bogus email, a bogus phone call, etc.
This is not a new technique at all. It all comes down to the simple fact that, whether it was a state government or a gang of criminals, the method relied on the oldest trick in the book: fooling people.
People are the number 1 security risk.
This is not news to anyone who has been in IT for more than 5 minutes. Here are three reasons why people are the security risk.
When the movie “The Interview”, the spoof about a certain nation in Asia, was being released, Sony suffered a cyber-breach. Given the damage the breach caused, they would have surely improved their processes.
Then this happened:
A breached Twitter account announcing the hoax death of Britney Spears. Was it a technical breach of Twitter or someone being careless at Sony? Most likely, Sony dropped the ball again.
In April 2015, the French media company TV5Monde suffered a huge breach. It was believed at first to be the work of extremist sympathisers, and some have cited the Russian Government performing cyber tests of advanced weapons, but there is a far simpler explanation...
The company has spent millions upon millions on security and protection software since the breach, not to mention hugely disruptive policies. Yet if they had just kept the post-it notes off the walls, would that have worked out cheaper and more effective?
Despite huge media coverage, the easy tricks are working very well for the bad guys. When they do a bit of research on a company and target a scam email at that company, they usually get a result.
Solving the problem
Some organisations, when they budget for security, do one of the following:
- Pay for security products
- Get your team better at security
Nine times out of ten, they pay for security products or services first, because improving the team is a more difficult challenge; it is easier to put in a magic box that solves all the problems.
We also have a culture of security companies who focus on selling these tools and promising that if you have the latest from brand X, you will be safe. Yet how do we know
Practical tips on what you should do
There is no point owning the most expensive firewall on the planet if the IT department is not properly trained in how to use it. What if you bought a cheaper firewall and spent the money you saved on training the IT team to properly defend the business?
When someone is caught stealing money, should you ask the accountant who found the problem to discipline the employee? Why do we ask IT to play the role of sheriff when security rules are broken? Have clear rules and procedures in place and enforce them.
If security is a concern, find a reputable company to test the defences. They might send fake emails and see who opens them, and they can check the software to see if there is anything bad waiting.
Anti-Virus alone is not enough. We have proven repeatedly with our clients that no matter which product you use, the success rate of preventing threats is dangerously low. You need layers of defences.
Dismiss the illusion that you are too small a target. If a thief can steal money from a low security shop or a secure bank, which would he try first?