Election Season Security: Tips for Campaign IT Administrators

Will Pizzano
Published in Hustle Blog
Sep 4, 2018

As election season approaches, we’ve seen a clear uptick in hacks directed towards political organizations. To help, Hustle’s security team would like to share its experience with some technical tips for upping security at political campaigns.

Hustle Security has your back and is here to help out for election season!

Key emerging threats this season are:

  • Hackers are getting around phone-based two-factor authentication
  • Advanced Persistent Threat (APT) grade malware is becoming more common

If you’re an administrator or IT person at a campaign, putting up defenses against this level of hacker can be daunting. Here, I’ve condensed three inexpensive and quick-to-implement ways to help protect your organization against these new threats.

Secure staff’s phone accounts and/or Disable SMS 2FA

There has been a recent uptick in attacks on users protected by SMS and voice-call-based two-factor authentication. I’ve personally seen a few examples in the wild. Two methods are used to take over the user’s cell phone account and intercept 2FA codes:

  1. (Hacker’s choice): Log in to the phone company’s website using the person’s e-mail address and a password obtained from a previous breach or phishing.
  2. Call the phone carrier and impersonate the victim, using public and/or hacked records to answer security questions.

An easy mitigation here is to have your staff change the password at their phone provider to a new, unique one. However, that doesn’t help much in the second scenario, so moving from SMS-based authentication to an authenticator app or hardware device is the only surefire fix.

Roll Out Next-Generation Endpoint Protection

We know that election hackers have been using sophisticated, customized malware. If your current antivirus/antimalware solution doesn’t have next-generation capabilities, now is a good time to consider rolling out something new. While imperfect, this is one of the best tools we have at our disposal to catch and contain advanced persistent threat (APT) level hacks.

My recommendations for vendors here are enSilo, SentinelOne and CrowdStrike.

Also, having forensics capability on each machine is very valuable in the event of a compromise. The solutions listed above all feature varying levels of endpoint forensics, which both enables and simplifies incident response. It may be difficult to ever determine the extent of a breach without these capabilities.

Require FIDO U2F Security Keys

The FIDO U2F standard is a vast improvement over previous USB-based security keys. While less convenient than having users run a phone app for 2FA, FIDO U2F has been proven to completely defeat phishing attempts.

The FIDO alliance, rather than individual tech companies, now sets 2FA standards.

Regular 2FA tokens have some defense against phishing, notably that they expire quickly. However, hackers are getting used to seeing more and more 2FA, and have upped their game with scripts that quickly compromise accounts once they’ve phished a token.

FIDO U2F performs a public-key challenge-response that is bound to the site’s origin, so if a phishing site gets a user to tap their FIDO U2F key, the phishing site receives a cryptographic handshake that is vastly different from the one Google, Office 365, etc. would accept.

There’s no viable way right now to phish or otherwise compromise FIDO U2F tokens. Since we know that election hackers used phishing extensively in almost every recent hack, this is an especially strong tool for campaign security.

How to require FIDO U2F’s use

First, you’ll have to order a package of FIDO U2F keys. They cost about $20 each on Amazon, and are worth every penny in security value!

If you’re on G Suite, you can require users or groups of users to use the U2F key. They call this Security Key Enforcement.

Personal Gmail accounts can also enable Google Advanced Protection. I strongly recommend that candidates themselves, along with key personnel, enable this on their personal accounts, as those are commonly used as a stepping stone to work-related computers and apps.

Office 365 and Microsoft Active Directory users can similarly enable Passwordless Login, which uses FIDO U2F keys.

Stay Dedicated

It’s easy as an IT administrator at a small organization to feel overwhelmed by the cyber threats out there. Of course, there’s no panacea to ensure you’re unhackable.

Instead of resigning yourself to having an incident, start rolling out security keys and next-gen AV. Adding these measures to your information security program will surely help stop modern hack attempts in their tracks.
