Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver
In cyberspace the sheep get shorn, chumps get chewed, dupes get duped, and pawns get pwned. We have just seen another fine example of this in the recent attack on the UK Parliament email system.
Rather than admit to an email system that was insecure by design, the official statement read:
Parliament has strong measures in place to protect all our accounts and systems.
Of course you do. The one protective measure we did see in action was deflecting the blame – pin it on the Russians, that always works, while blaming the victims for their policy violations. While details of the attack are scarce, combing various sources does help to piece together at least the gross outlines. If these accounts are reasonably accurate, the UK Parliament email system failings are shocking.
What failed in this scenario?
Rely on single-factor authentication
“Password security” is an oxymoron – anything protected by a password alone is insecure, full stop, no matter the strength of the password. And please, no 2FA here; it might hinder attacks.
Do not enforce any limit on unsuccessful login attempts
Aided by single-factor authentication, this enables simple brute force attacks, no skill required. But when breached, blame elite foreign hackers – no one can verify it.
Do not implement brute force attack detection
Allow adversaries to carry out (otherwise trivially detectable) brute force attacks for extended periods (12 hours against the UK Parliament system), to maximize the scope of account compromise.
Do not enforce policy; treat it as merely a set of suggestions
Combined with single-factor authentication, no limit on failed logins, and no brute force attack detection, do not enforce any password strength requirements. Offer attackers the lowest-hanging fruit.
Rely on anonymous, unencrypted email for sensitive communications
If attackers do succeed in compromising email accounts or sniffing your network traffic, give them ample opportunity to harvest high-value message content entirely unobstructed. This also conditions constituents to trust easily spoofable email from Parliament, creating an ideal constituent phishing environment.
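As an added illustration of the two missing controls above (a limit on failed login attempts and brute force detection), and not code from the original post: a small Python sliding-window detector run over constructed sample authentication log lines. The log format, account names, addresses and the five-failures-in-ten-minutes threshold are all hypothetical assumptions; the same trigger is where an account lockout would fire.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "key=value" format
# (not Parliament's logs): one source hammering two accounts, then
# a quiet account with two isolated failures hours apart.
SAMPLE_LOG = """\
2017-06-24T02:00:01 auth=FAIL user=mp.jones src=203.0.113.7
2017-06-24T02:00:03 auth=FAIL user=mp.jones src=203.0.113.7
2017-06-24T02:00:04 auth=FAIL user=mp.smith src=203.0.113.7
2017-06-24T02:00:06 auth=FAIL user=mp.jones src=203.0.113.7
2017-06-24T02:00:08 auth=FAIL user=mp.jones src=203.0.113.7
2017-06-24T02:00:09 auth=FAIL user=mp.jones src=203.0.113.7
2017-06-24T02:00:10 auth=OK   user=mp.jones src=203.0.113.7
2017-06-24T02:30:00 auth=FAIL user=mp.brown src=198.51.100.2
2017-06-24T09:30:00 auth=FAIL user=mp.brown src=198.51.100.2
"""

LINE_RE = re.compile(r"(\S+) auth=(\w+)\s+user=(\S+) src=(\S+)")

def parse(log):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), result, user, src

def detect(log, threshold=5, window=timedelta(minutes=10)):
    """Flag any account or source address with >= threshold failed logins
    inside a sliding window (the point a lockout should trigger), and any
    successful login from a flagged account/source afterwards."""
    recent = defaultdict(deque)   # key -> failure timestamps still in window
    flagged = set()
    alerts = []
    for ts, result, user, src in parse(log):
        for key in (("user", user), ("src", src)):
            q = recent[key]
            if result == "FAIL":
                q.append(ts)
            while q and ts - q[0] > window:   # expire old failures
                q.popleft()
            if result == "FAIL" and len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("brute_force", key[0], key[1], ts.isoformat()))
            elif result == "OK" and key in flagged:
                alerts.append(("success_after_burst", key[0], key[1], ts.isoformat()))
    return alerts
```

A slow attack spread over many hours, like the 12-hour campaign described above, needs a longer window or a per-day count on top of this burst detector.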
In addition to adding “Common Sense for Dummies” to their summer reading lists, the UK Parliament email system administrators might wish to take further action. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and completely rethinking secure messaging are the recommended steps. Penetration testing would have uncovered these fundamental weaknesses while staying out of the news headlines.
Even a few clever high schoolers with a free weekend could have replicated this breach. And finally, stop blaming Russia for your own security failings. Assume that any weaknesses in your security architecture and policy framework will be probed and exploited by some hackers somewhere across the global internet. That is all the more incentive to find and fix those weaknesses before the adversaries do, so take action now. And if your defenders cannot see the attacks in progress, upgrade your monitoring and analytics.