Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver
In cyberspace the sheep get shorn, chumps get munched, dupes get deceived, and pawns get pwned. We’ve seen another excellent example of this in the current attack on the United Kingdom Parliament email system.
Rather than admit to an e-mail system that was not secure by design, the official statement read:
Parliament has strong measures in place to secure all our accounts and systems.
Of course you do. The one protective measure we did see at work was blame deflection: the Russians did it, which always works, while blaming the victims for their policy violations. While details of the attack are limited, combing various sources does help to piece together at least the gross scenario. If these reports are reasonably accurate, the United Kingdom Parliament e-mail system failings are scandalous.
What failed in this scenario?
Rely on single-factor authentication
“Password security” is an oxymoron: anything protected by a password alone is insecure, period, regardless of password strength. Please, no 2FA here, it might hinder attacks.
Do not enforce any limit on failed login attempts
Enabled by single-factor authentication, this allows simple brute-force attacks, no skill required. But when breached, blame elite foreign hackers; nobody can verify.
Do not perform brute-force attack detection
Allow attackers to carry out (otherwise trivially detectable) brute-force attacks for extended periods (12 hours against the UK Parliament system), to maximize the scope of account compromise.
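The brute-force detection the post says was missing, written here as an added example (not code from the post or from Ziften): a per-account sliding window over constructed, hypothetical log lines that raises an alert once failed logins exceed the threshold a lockout policy would enforce, and again when a login then succeeds during that burst, which is the probable-compromise signal a defender actually wants.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log in a hypothetical format
# ("<ISO timestamp> <FAIL|OK> user=<account> src=<ip>"); not from the incident.
SAMPLE_LOG = """\
2017-06-23T22:00:01 FAIL user=mp.alice src=203.0.113.7
2017-06-23T22:00:03 FAIL user=mp.alice src=203.0.113.7
2017-06-23T22:00:05 FAIL user=mp.alice src=203.0.113.7
2017-06-23T22:00:07 FAIL user=mp.alice src=203.0.113.7
2017-06-23T22:00:09 FAIL user=mp.alice src=203.0.113.7
2017-06-23T22:00:11 FAIL user=mp.alice src=203.0.113.7
2017-06-23T22:00:13 OK user=mp.alice src=203.0.113.7
2017-06-23T22:01:00 FAIL user=mp.bob src=198.51.100.9
2017-06-23T22:30:00 OK user=mp.bob src=198.51.100.9
"""

def parse_line(line):
    """Split one log line into (timestamp, result, account, source ip)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])

def detect_brute_force(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Replay the lockout rule a login policy should enforce over the logs.
    Returns alerts as (kind, account, timestamp):
      "lockout_threshold"   more than max_failures failures inside `window`
      "success_after_burst" a login succeeded while the account was over it
    """
    recent = defaultdict(deque)  # account -> timestamps of failures in window
    flagged = set()              # accounts already reported over threshold
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, result, account, _src = parse_line(raw)
        fails = recent[account]
        while fails and ts - fails[0] > window:   # age out old failures
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            if len(fails) > max_failures and account not in flagged:
                flagged.add(account)
                alerts.append(("lockout_threshold", account, ts))
        elif result == "OK" and len(fails) > max_failures:
            # the burst ended in a success: treat as probable account compromise
            alerts.append(("success_after_burst", account, ts))
    return alerts
```

With the sample log, mp.alice trips the threshold on the sixth failure and then logs in successfully two seconds later, while mp.bob's lone failure ages out of the window before the later successful login and raises nothing.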
Do not enforce policy; treat it as mere suggestions
Combined with single-factor authentication, no limit on failed logins, and no brute-force detection, do not enforce any password strength requirement. Offer attackers the lowest-hanging fruit.
Rely on unsigned, unencrypted e-mail for sensitive communications
If attackers do succeed in compromising e-mail accounts or sniffing your network traffic, give them plenty of opportunity to harvest high-value message content entirely in the clear. This also conditions constituents to trust easily spoofed e-mail from Parliament, creating a perfect constituent phishing environment.
Lessons learned
In addition to adding “Common Sense for Dummies” to their summer reading lists, the United Kingdom Parliament e-mail system administrators may want to take further action. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and completely rethinking secure messaging are the suggested actions. Penetration testing would have revealed these foundational weaknesses while staying far from media attention.
Even a few sharp high-schoolers with a free weekend could have replicated this breach. And lastly, stop blaming the Russians for your own security failings. Assume that any weakness in your security architecture and policy framework will be found and exploited by some party somewhere on the worldwide web. All the more incentive to find and fix those weaknesses before the attackers do, so turn the pen testers loose. And if your defenders cannot see the attacks in progress, upgrade your monitoring and analytics.