Don’t Blame the Russians, UK Parliament: Fix Your Security – Chuck Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


In cyberspace the sheep get shorn, chumps get munched, dupes get deceived, and pawns get pwned. We’ve seen another fine example of this in the recent attack on the United Kingdom Parliament email system.

Rather than admit to running an e-mail system that was not secure by design, the official statement read:

Parliament has strong measures in place to secure all our accounts and systems.

Of course you do. The one protective measure we did see at work was blame deflection: the Russians did it, which always works, together with blaming the victims for their policy violations. While details of the attack are limited, combing through the various reports does help to piece together at least the broad scenario. If those reports are even roughly accurate, the failings of the United Kingdom Parliament e-mail system are scandalous.

What failed in this scenario?

Rely on single-factor authentication

“Password security” is an oxymoron: anything protected by a password alone is insecure, period, regardless of the password’s strength. Please, no 2FA here; it might hinder attacks.

Do not enforce any limit on failed login attempts

Combined with single-factor authentication, this allows simple brute-force attacks, no skill required. And when breached, blame elite foreign hackers; nobody can verify it.

Do not implement brute-force attack detection

Allow attackers to carry on (otherwise trivially detectable) brute-force attacks for extended periods (reportedly 12 hours against the UK Parliament system), maximizing the number of accounts compromised.

Do not enforce policy; treat it as mere suggestions

Combined with single-factor authentication, no limit on failed logins, and no brute-force detection, do not enforce any password strength requirements either. Provide attackers with the lowest-hanging fruit.

Rely on unsigned, unencrypted email for sensitive communications

If attackers do succeed in compromising e-mail accounts or sniffing your network traffic, give them plenty of opportunity to harvest high-value message content entirely in the clear. This also conditions constituents to trust easily spoofed email from Parliament, creating a perfect environment for phishing constituents.
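To make the two missing controls concrete (a limit on failed logins, and detection of a brute-force run while it is still in progress), here is an added example that is not from the original post or from Ziften: a per-account lockout combined with password-spray detection, replayed over constructed authentication log lines. The log format, the client addresses, the account names and the thresholds (five failures per account within fifteen minutes, ten distinct accounts from one source within ten minutes) are all assumptions made for the example, not Parliament’s configuration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format for this example (not Parliament's actual logs):
# <ISO-8601 timestamp> auth=<ok|fail> user=<account> src=<client address>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+auth=(?P<result>ok|fail)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Policy values chosen for the example; tune them to your own environment.
MAX_FAILURES = 5                      # failures per account inside FAILURE_WINDOW -> lockout
FAILURE_WINDOW = timedelta(minutes=15)
LOCKOUT = timedelta(minutes=30)
SPRAY_ACCOUNTS = 10                   # distinct accounts failed from one source -> alert
SPRAY_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ok": m["result"] == "ok", "user": m["user"], "src": m["src"]}


class LoginGuard:
    """Per-account lockout plus per-source password-spray detection."""

    def __init__(self):
        self.failures = defaultdict(deque)   # account -> recent failure timestamps
        self.locked_until = {}               # account -> datetime the lockout expires
        self.src_hits = defaultdict(deque)   # source -> (ts, account) of recent failures
        self.flagged_sources = set()         # sources already alerted on, to avoid repeats
        self.alerts = []                     # (ts, kind, message)

    def _note_source(self, ts, user, src):
        hits = self.src_hits[src]
        hits.append((ts, user))
        while hits and ts - hits[0][0] > SPRAY_WINDOW:
            hits.popleft()
        targeted = {u for _, u in hits}
        # One source failing against many accounts is a spray, not a forgetful user.
        if len(targeted) >= SPRAY_ACCOUNTS and src not in self.flagged_sources:
            self.flagged_sources.add(src)
            self.alerts.append((ts, "spray", f"{src} failed against {len(targeted)} accounts"))

    def process(self, ev):
        """Return 'allowed', 'failed' or 'locked' for one authentication attempt."""
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            # Locked: refuse even a correct password, and keep counting the source.
            self._note_source(ts, user, src)
            return "locked"
        if ev["ok"]:
            self.failures[user].clear()
            return "allowed"
        recent = self.failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > FAILURE_WINDOW:
            recent.popleft()
        self._note_source(ts, user, src)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = ts + LOCKOUT
            recent.clear()
            self.alerts.append((ts, "lockout",
                                f"{user} locked for {LOCKOUT} after {MAX_FAILURES} failures, last from {src}"))
        return "failed"


def run(log_text):
    """Replay a log through the guard; returns (decisions, alerts, guard)."""
    guard = LoginGuard()
    decisions = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            decisions.append(guard.process(ev))
    return decisions, guard.alerts, guard


# Constructed sample: one source sprays twelve accounts, then hammers user03 and
# finally presents the right password; a legitimate user mistypes once.
SAMPLE_LOG = "\n".join(
    [f"2017-06-23T22:00:{i:02d}Z auth=fail user=user{i:02d} src=203.0.113.7" for i in range(1, 13)]
    + [
        "2017-06-23T22:05:00Z auth=fail user=user03 src=203.0.113.7",
        "2017-06-23T22:05:01Z auth=fail user=user03 src=203.0.113.7",
        "2017-06-23T22:05:02Z auth=fail user=user03 src=203.0.113.7",
        "2017-06-23T22:05:03Z auth=fail user=user03 src=203.0.113.7",
        "2017-06-23T22:05:10Z auth=ok user=user03 src=203.0.113.7",
        "2017-06-23T22:10:00Z auth=fail user=alice src=198.51.100.5",
        "2017-06-23T22:10:20Z auth=ok user=alice src=198.51.100.5",
    ]
)

if __name__ == "__main__":
    decisions, alerts, _ = run(SAMPLE_LOG)
    for ts, kind, msg in alerts:
        print(f"{ts.isoformat()} {kind.upper()}: {msg}")
    print("decisions:", decisions)
```

Run it directly to see both signals: the spraying source is flagged as soon as it has failed against ten accounts, seconds into the run rather than 12 hours later, and user03’s correct password is refused because the account is already locked, while alice’s single typo followed by a correct login is allowed. In production the same two signals would feed a SIEM rule or the identity provider’s lockout policy rather than an in-process deque, but the logic is identical.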

Lessons learned

In addition to adding “Common Sense for Dummies” to their summer reading list, the United Kingdom Parliament e-mail system administrators may want to take further action. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and completely rethinking secure messaging are the suggested steps. Penetration testing would have revealed these foundational weaknesses well away from media attention.

Even a few sharp high-schoolers with a free weekend could have replicated this breach. And lastly, stop blaming the Russians for your own security failings. Assume that any weakness in your security architecture and policy framework will be found and exploited by some party somewhere on the internet. All the more reason to find and fix those weaknesses before the attackers do, so turn the pen testers loose. And if your defenders still cannot see the attacks in progress, upgrade your monitoring and analytics.
