IT Security is not difficult…if we remove the people

None of these cameras are plugged in. But it looks secure, right?

The team over at Ars Technica have been releasing detailed technical articles on the “Russians Hacking” during the US elections and there are a few choice dates in one of the articles.

The FBI warned the DNC of a potential ongoing breach of their network in November of 2015.

Plenty of time to put in a plan and keep the bad guys out. This is good.

But the first hard evidence of an attack detected by a non-government agency was a spear-phishing campaign being tracked by Dell SecureWorks. That campaign began to target the DNC, the Clinton campaign, and others in the middle of March 2016, and it ran through mid-April.

That is a 4 month delay since the FBI warning, and now the attackers start stirring up trouble. Well, hopefully we can now deal with the issue:

The DNC’s information technology team first alerted party officials that there was a potential security problem in late March, but the DNC didn’t bring in outside help until May.

Whoops.

They had another alarm bell raised and waited another 2 months? So that means in 6 months, they did not address the problem.

  • Were the management teams incompetent?
  • Is there a lack of technical ability?
  • Did the machine of bureaucracy turn too slowly to react?

“But this attack used advanced technology. Nobody could have prevented it!”

Wrong.

All the 3 letter security agencies, along with third party security researchers, have stated quite clearly that the breach was caused by a phishing campaign: the very old technique of tricking a victim into handing over something to the attacker through a bogus email, a bogus phone call, etc.

This is not a new technique at all. Whether it was a state government or a gang of criminals, the method relied on the oldest trick in the book: fooling people.

People are the number 1 security risk.

This is not news to anyone who has been in IT for more than 5 minutes. Here are three reasons why people are the security risk.

  1. When the movie “The Interview”, the spoof about a certain nation in Asia, was being released, Sony suffered a cyber-breach. Given the damage the breach caused, they would have surely improved their processes.
    Then this happened 2 weeks ago
    A breached Twitter account announcing the hoax death of Britney Spears. Was it a technical breach of Twitter or someone being careless at Sony?
  2. In April 2015 a French media company, TV5Monde, suffered a huge breach. It was believed at first to be the work of extremist sympathisers, and some have cited the Russian Government performing cyber tests of advanced weapons, but there is one theory…
    Post-it note on the wall revealing passwords during TV broadcast
    The company has spent millions upon millions on security and protection software since the breach, not to mention hugely disruptive policies. Yet if they had just kept the post-it notes off the walls, would that have worked out cheaper and more effective?
  3. We don’t learn from our mistakes. Despite huge media coverage, the easy email tricks are working very well for the bad guys. When they do a bit of research on a company and target a scam email at that company, they usually get a result.

Solving the problem

Some organisations, when they budget for security, do one of the following:

  • Pay for security products
  • Get their team better at security

Nine times out of ten, they pay for security products or services first. Improving the team is a more difficult challenge, and it is easier to put in a magic box that solves all the problems.

We also have a culture of security companies who focus on selling these tools and promising that if you have the latest from brand X, you will be safe.

So what should you do?

A few suggestions:

There is no point owning the most expensive firewall on the planet if the IT department is not properly trained in how to use it. What if you bought a cheaper firewall and spent the money you saved on training?

When someone is caught stealing money, should you ask the accountant who found the problem to discipline the employee? Why do we ask IT to play the role of sheriff when security rules are broken?

If security is a concern, find a reputable company to test the defences. They might send fake emails and see who opens them, and they can check the software to see if there is anything bad waiting.

Dismiss the illusion that you are too small a target. If a thief can steal money from a low security shop or a secure bank, which would he try first?
