The well-timed release by Wikileaks of thousands of emails taken from DNC servers, during the national convention, demonstrates the disaster that awaits companies and organizations that do not take cybersecurity seriously. Those emails contained information the DNC leadership and rank and file considered sensitive, and the release gave both Republicans and supporters of Senator Sanders enough ammunition to disrupt the convention and force DNC leaders to resign from their posts.
Recent reports indicate that the DNC commissioned a two-month assessment in the fall of 2015 which produced numerous recommendations that, had they been followed, might have led to the discovery of the intruders at that time. Instead, the recommendations were ignored and the intruders were not discovered until April of this year. The exact nature of the attack has not been disclosed, but the released emails suggest that personal accounts of key DNC leaders were compromised, giving the attackers access to DNC servers from which they collected large volumes of damaging email and transmitted it out of the network. Attacks of this kind are usually not very complex; they follow the same pattern of phishing, pharming and social engineering that damages small and mid-size businesses every day.
So what caused this, and what lessons can companies learn? There are several ways in which companies, large and small, can reduce the likelihood and the impact of a breach.
Cybersecurity Training: 80% of hacks begin with a compromised employee email account. Cybersecurity training is the most overlooked, inexpensive and effective means of preventing attacks like the one on the DNC. A workforce educated in basic cybersecurity awareness makes a company a lot harder to penetrate. Hackers, like most criminals, are lazy and will attack the weakest target. A workforce that knows what phishing, pharming, social engineering and similar attacks look like will be harder to compromise, forcing hackers to look elsewhere. Training reduces the click rate but never drives it to zero, so it should be paired with technical controls such as multi-factor authentication on email accounts and an easy way for staff to report a suspicious message. There are numerous training providers, and online training can be found that is relatively inexpensive.
Log Management and Analysis: Nearly every action on a system leaves evidence behind in the form of logs, provided logging is turned on and the logs are kept. Log management and analysis tools let a cybersecurity company, a corporate IT shop or another IT provider collect those logs and search them for indicators of compromise. In this case, an analysis of mail server and firewall logs could have shown that mailboxes, or whole batches of emails, were being read and copied off the server to an outside address. Not every company can afford a Security Information and Event Management (SIEM) system, but Managed Security Service Providers (MSSPs) will do this for a fee, and open source systems such as the Elasticsearch, Logstash and Kibana (ELK) stack, or MainNerve's Netforce Defender, are less expensive options. Whatever the tool, the logs must be shipped off the host that generated them and retained long enough (months, not days) that an intrusion which goes unnoticed for a while is still visible when someone finally looks.
IT System Monitoring and Alerting: Most companies have Next Generation Firewalls or Unified Threat Management systems that can monitor network traffic for events indicating that a compromise has taken place. Companies can set rules on these firewalls, such as limiting the amount of data a host may send out of the network or flagging connections to known malicious IP addresses or URLs, and have an alert sent when a rule is violated. If the firewall manufacturer provides updates or patches, companies should ensure that these are applied automatically and that the updates are monitored. Whether done internally or by a third party, companies should be updating their firewall rules to reflect recent alerts and threat activity, monitoring the alerts daily, and reacting to them immediately; an alert that nobody reads is no better than no alert at all. These services can be run in house, by an MSSP or by an outsourced third party. There are open source solutions such as the Snort IDS (also part of the MainNerve Netforce Defender solution) and free firewalls that can be used, provided the company has access to someone with credible IT configuration experience.
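The two preceding points (log analysis and firewall-style alerting) come down to running a few simple rules over the records you already have. The following is an added example, not code from MainNerve, Netforce Defender or the DNC's assessment: it parses constructed mail server and firewall log lines (the key=value format, field names, thresholds and the blocklist are all assumptions chosen for illustration) and raises an alert when one account pulls an unusual number of messages in a short window, when one internal host sends more than a daily byte budget out of the network, or when any host talks to a blocklisted address.

```python
"""Detection rules over constructed log lines (added example, not the page's own code).

Assumed log format: an ISO timestamp followed by key=value fields. Real mail
servers and firewalls each have their own formats, so parse_line() is the part
to adapt. Thresholds and the blocklist are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail server access log: one external client (203.0.113.7)
# reads hundreds of messages from jsmith's mailbox in two minutes.
MAIL_LOG = """\
2016-04-21T02:03:11Z src=203.0.113.7 user=jsmith action=fetch count=1 bytes=18000
2016-04-21T02:03:40Z src=203.0.113.7 user=jsmith action=fetch count=400 bytes=95000000
2016-04-21T02:05:02Z src=203.0.113.7 user=jsmith action=fetch count=380 bytes=87000000
2016-04-21T09:12:44Z src=198.51.100.20 user=asmith action=fetch count=3 bytes=52000
2016-04-21T09:13:10Z src=198.51.100.20 user=asmith action=fetch count=1 bytes=9000
"""

# Constructed firewall connection log: the mail server (10.0.0.15) pushes
# ~180 MB to that same external address; another host contacts a blocklisted IP.
FW_LOG = """\
2016-04-21T02:04:00Z src=10.0.0.15 dst=203.0.113.7 dport=443 bytes_out=95000000
2016-04-21T02:05:30Z src=10.0.0.15 dst=203.0.113.7 dport=443 bytes_out=87000000
2016-04-21T09:14:00Z src=10.0.0.22 dst=198.51.100.20 dport=443 bytes_out=61000
2016-04-21T11:00:00Z src=10.0.0.31 dst=192.0.2.99 dport=22 bytes_out=4000
"""

BLOCKLIST = {"192.0.2.99"}  # assumed known-bad destination (threat feed stand-in)


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict; numeric values become ints."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = int(value) if value.isdigit() else value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def bulk_mailbox_access(records, window=timedelta(minutes=10),
                        max_msgs=200, max_bytes=50_000_000):
    """Alert when one account fetches too many messages or bytes within `window`."""
    alerts = []
    by_user = defaultdict(list)
    for rec in records:
        if rec.get("action") == "fetch":
            by_user[rec["user"]].append(rec)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # Slide the window start forward until it is within `window` of rec.
            while recs[start]["ts"] < rec["ts"] - window:
                start += 1
            in_window = recs[start:end + 1]
            msgs = sum(r["count"] for r in in_window)
            size = sum(r["bytes"] for r in in_window)
            if msgs >= max_msgs or size >= max_bytes:
                alerts.append({"user": user, "src": rec["src"], "msgs": msgs,
                               "bytes": size, "ts": rec["ts"]})
                break  # one alert per account per run is enough here
    return alerts


def egress_alerts(records, max_bytes_per_host=100_000_000, blocklist=BLOCKLIST):
    """Alert on any blocklisted destination and on hosts exceeding an outbound byte budget."""
    alerts = []
    totals = defaultdict(int)
    for rec in records:
        totals[rec["src"]] += rec["bytes_out"]
        if rec["dst"] in blocklist:
            alerts.append({"rule": "blocklisted_destination", "src": rec["src"],
                           "dst": rec["dst"], "ts": rec["ts"]})
    for src, total in totals.items():
        if total > max_bytes_per_host:
            alerts.append({"rule": "egress_volume", "src": src, "bytes_out": total})
    return alerts


if __name__ == "__main__":
    for alert in bulk_mailbox_access(parse_log(MAIL_LOG)):
        print("MAIL ALERT:", alert)
    for alert in egress_alerts(parse_log(FW_LOG)):
        print("EGRESS ALERT:", alert)
```

The point of the two rules together is correlation: the mailbox rule names the external address that read the mail, and the egress rule shows the same address receiving the bytes, which is exactly the "bundles of emails copied off the server" pattern described above. Thresholds should be set from a baseline of normal activity for your own users and hosts, otherwise the rule either never fires or fires constantly and gets ignored.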
Penetration Testing, Assessments and Scanning: As we have said repeatedly, nothing tells a company more about the state of its systems than vulnerability scanning and penetration testing. Done on a regular basis, these tests keep management and IT personnel informed about vulnerabilities on their networks and come with mitigation strategies to fix them. Retests confirm to management that the fixes were actually made and catch new vulnerabilities introduced by changes to the network. Penetration tests can be scoped to cover everything from mobile and web applications, to social engineering, to Wi-Fi and Internet of Things devices. The important point is not just to check the box but to act on the vulnerabilities found: track each finding to closure, starting with those that are exploitable from the internet or from a phished user's workstation. After the assessment the DNC paid for, numerous deficiencies were found but ignored, possibly resulting in the leak.
These are some of the basic steps small companies can take to review the security of their IT infrastructure and protect themselves as well as possible from being hacked. Every company's IT security lead should be able to assure the C-suite that at least some of these actions are in place to protect the company's assets.