Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver
In cyberspace the sheep get shorn, chumps get chomped, dupes get duped, and pawns get pwned. We have just seen another fine example of this in the recent attack on the UK Parliament e-mail system.
Instead of admitting to an e-mail system that was insecure by design, the official statement read:
Parliament has strong steps in place to safeguard all our accounts and systems.
Tell us another one. The one protective measure we did see at work was blame deflection: it must have been the Russians, that always works, while also blaming the victims for their policy violations. Details of the attack are scarce, but combing through various sources does help assemble at least the gross scenario. If those accounts are reasonably close, the failings of the UK Parliament e-mail system are atrocious.
What failed in this scenario?
Rely on single-factor authentication
“Password security” is an oxymoron: anything protected by a password alone is insecure, period, no matter how strong the password. Please, no 2FA here; it might hinder the attackers.
Do not impose any limit on failed login attempts
Combined with single-factor authentication, this allows easy brute force attacks; no skill required. Then, when attacked, blame elite foreign hackers; nobody can verify it.
Do not implement brute force attack detection
Let attackers run (otherwise trivially detectable) brute force attacks for extended periods (12 hours against the UK Parliament system) to maximise the scope of account compromise.
Do not enforce policy; treat it as mere guidance
Combined with single-factor authentication, no limit on failed logins, and no brute force attack detection, do not enforce any password strength validation either. Serve hackers the lowest-hanging fruit.
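As an added illustration (not part of the original post and not Ziften's own code), here is a small Python sketch of the three controls the list above says were missing: a password policy that is actually enforced, lockout after repeated failures, and a detector that flags brute force or password-spraying sources from authentication log lines. The function and class names, the thresholds, the log line format and the sample log lines are all assumptions constructed for this example.

```python
import hmac
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ---- 1. Password policy that is enforced, not merely recommended ----------
MIN_LENGTH = 12
# Constructed sample of banned passwords; a real deployment uses a breach list.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "parliament2017"}

def password_policy_violations(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the banned/common password list")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    return problems

# ---- 2. Lockout after repeated failures ----------------------------------
MAX_FAILURES = 5
LOCKOUT = timedelta(minutes=15)

class AuthService:
    """Toy authentication service (assumed names). Passwords are kept in clear
    only to keep the example short; a real service stores salted hashes."""

    def __init__(self):
        self._creds = {}
        self._failures = defaultdict(int)
        self._locked_until = {}

    def set_password(self, user, password):
        problems = password_policy_violations(password)
        if problems:                       # the policy is enforced at the point of use
            raise ValueError("; ".join(problems))
        self._creds[user] = password

    def login(self, user, password, now):
        """Return 'ok', 'denied' or 'locked'. `now` is passed in for testability."""
        until = self._locked_until.get(user)
        if until is not None and now < until:
            return "locked"                # no further guesses are evaluated while locked
        if hmac.compare_digest(self._creds.get(user, ""), password):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT
            self._failures[user] = 0
            return "locked"
        return "denied"

# ---- 3. Brute force / password spray detection over auth logs -------------
LOG_RE = re.compile(r"^(\S+ \S+) auth: (\w+) user=(\S+) src=(\S+)$")
WINDOW = timedelta(minutes=10)
THRESHOLD = 20   # failed logins from one source inside WINDOW

def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src: (failures_in_window, distinct_users_in_window)} for every
    source that reaches `threshold` failures within a sliding `window`.
    Many distinct users from one source is the password-spraying signature."""
    recent = defaultdict(deque)            # src -> deque of (time, user)
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, outcome, user, src = m.groups()
        if outcome != "FAIL":
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[src]
        q.append((t, user))
        while q and t - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = (len(q), len({u for _, u in q}))
    return alerts

def sample_log():
    """Constructed sample auth-log lines (assumed format, not real Parliament logs)."""
    base = datetime(2017, 6, 23, 21, 0, 0)
    lines = []
    # one source trying a single guess against 25 different accounts, 15 s apart
    for i in range(25):
        t = base + timedelta(seconds=15 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} auth: FAIL user=mp{i:02d} src=203.0.113.7")
    # a legitimate user mistyping twice, then succeeding
    for i, outcome in enumerate(("FAIL", "FAIL", "OK")):
        t = base + timedelta(minutes=2, seconds=30 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} auth: {outcome} user=clerk src=198.51.100.5")
    return lines

if __name__ == "__main__":
    print(password_policy_violations("password1"))
    print(detect_brute_force(sample_log()))
```

The three pieces compound the same way the failings do: the policy check stops weak passwords from being set at all, the lockout caps the number of guesses an attacker gets against any one account, and the detector catches the pattern the lockout cannot, a single source spreading its guesses thinly across many accounts. In the sample log the spraying source trips the alert while the clerk who mistyped twice does not.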
Rely on unauthenticated, unencrypted e-mail for sensitive communications
If hackers succeed in compromising e-mail accounts or sniffing your network traffic, give them ample opportunity to score high-value message content entirely in the clear. This also conditions constituents to trust easily spoofable e-mail from Parliament, creating an ideal environment for phishing constituents.
Besides adding “Common Sense for Dummies” to their summer reading lists, the UK Parliament e-mail system administrators may want to take some further steps: strengthen weak authentication practices, enforce policies, improve network and endpoint visibility with continuous monitoring and anomaly detection, and completely rethink secure messaging. Penetration testing would have uncovered these basic weaknesses well away from the media spotlight.
A few bright high-schoolers with a free weekend could have replicated this attack. And finally, stop blaming the Russians for your own security failings. Assume that any weakness in your security architecture and policy framework will be probed and exploited by some hacker somewhere on the global internet. All the more reason to find and fix those weaknesses before the adversaries do, so get started now. And if your defenders lack visibility into attacks in progress, upgrade your monitoring and analytics.