It was reported earlier this month that Russian hackers accessed President Barack Obama’s email system inside the White House. When asked to comment on the attack, Deputy National Security Advisor, Ben Rhodes, said: “We do not believe that our classified systems were compromised.”
Regardless of whether or not an email system is classified, the fallout of a cyber-attack can be dire. After the recent barrage of data breaches in the U.S. – spanning the retail, entertainment and healthcare industries, and now the government – it’s time for organizations to take action on email security, specifically by making employees aware of existing threats. Here’s why:
The White House hack was triggered when a compromised email account in the State Department was used to send a spear-phishing email to an individual in the White House and the executive office of the President. The State Department was aware of the breach and forced its network offline to try to rid itself of the hackers.
Some are drawing the conclusion that human error was at fault – exploiting individuals in the White House allowed the hackers to pivot their network access into a more sensitive and secure network than the one they initially compromised. In complex long-con attacks like this, where threat actors are resident on a network for long periods of time, it becomes almost inevitable that someone will eventually (and unknowingly) help them reach their ultimate goal. Trust is built quickly by email, and it is likely the attackers exploited the trust of having a @state.gov email address to gain access to the White House and POTUS. This use of a trusted third party is getting more common, and is something I’ve written about previously.
What worries me about Rhodes’ statement is that he’s hinting about the security of the classified systems at the White House. No doubt checks have been made to ensure there are no obvious compromises. But just as humans were used to move from the State Department to the White House, the same could surely be true of a further attack inside the White House to gain access to the classified systems. It wouldn’t take too much effort on the part of hackers to move from the unclassified to classified systems. Exploiting the weaknesses in humans once is easy, with only a little trust to abuse, but given a lot more trust, elevating privilege internally becomes very simple.
Humor me for a moment. If I were an attacker, and had been successful, I would have made sure that Mr. Rhodes and his colleagues from the FBI and Secret Service would never detect my presence. So while Rhodes does not believe his classified systems have been compromised, I’m sure he is still hunting for intruders.
Given the complexity of this attack, against what could be one of the most protected governments in the world, it would be fair to say that there’s no amount of technology that can keep out skilful and determined hackers. Do we give up on the technology? Or perhaps revert to pen and paper or typewriters? Of course not.
Making humans aware enough to not react to the social engineering in a spear-phishing email in the first place should be a top priority of any CISO, CIO and IT manager. Deploying a new spear-phishing gateway is important but may not be enough. You need to make sure users – humans – understand the risk, the threat and how to detect the presence of an attack.
Once you achieve this understanding you’ll have deployed a key part of your security infrastructure – your own human firewall. And it’s humans who are your key protection against these new and emerging threats.