April 8, 2015
TSG IntelBrief: The Email Cyber Threat
• Reports that the penetration of an unclassified but highly sensitive White House computer system originated with an employee opening a phishing email highlight the absolute necessity of training personnel to better resist what will only be an increase in cyber-human attacks.
• Recent cyber penetrations such as that at the White House can barely be considered “hacking,” since the front door to the system was opened for the attackers; the best technical defenses are only as good as the least-prepared personnel with computer access.
• Email is a common vector for social engineering attempts as well as the medium over which much of all business is conducted.
• Mitigation approaches include strict compartmentalization and encryption of sensitive information, both in transmission and in storage, in tandem with training personnel in systemic protections against the tried and true tactics that bad actors use to gain entry.
Yesterday saw the disclosure that the penetration of one of the White House’s computer systems, used for unclassified but still highly sensitive information, began as far too many cyber penetrations do: with the opening of an email. Using a compromised U.S. State Department email address, the cyber criminals—believed to be Russians—used a social engineering tactic called spear phishing to get a White House employee to open the email, which delivered the malware used to get into, and then remain in, the computer system. That one of the most closely monitored and defended computer systems was still successfully attacked should give pause to any organization, and bears out FBI Director James Comey’s statement that there are those who know they’ve been hacked and those who don’t.
This latest cyber penetration is the lowest form of “hacking” in that the bad actors didn’t have to hack anything; they simply got an employee to open the front door to the system and let them in. This is the case in a majority of cyber penetrations, which should more accurately be called cyber-human penetrations, because it is the human factor that is so often the unnecessarily weak link. The advances in the technical tools that criminals and governments use to exploit cyber systems are staggering, and they add still more threat to routine and mundane operations, such as email, that are ripe for social engineering attempts.
The White House joins an ever-lengthening list of computer systems that were thought to be quite secure but proved otherwise. The February 2015 data breach at the health insurance company Anthem resulted in the loss of personally identifiable information on perhaps 80 million people. From Sony to Home Depot to Target, the trend is clear: cyber crime and espionage are as much of a threat as terrorism and, like counterterrorism, will require a holistic approach to counter effectively. Information at rest (in “the cloud”) is as vulnerable as information in transit, requiring layers of defense such as the consistent use of encryption not just for email but for data in storage. A workflow and philosophy that empowers, and then requires, routine cyber threat awareness among personnel will prove a better defense than one that relies purely on technical solutions, even though those technical solutions are certainly vital.
The military breaks operations down into missions, and before each mission it trains its personnel to a level conducive to consistent success. What is becoming clear is that organizations need to view the cyber operations of their personnel (which means almost every employee in every department, given how much business involves online access) as a mission, and train accordingly. For larger organizations, ensuring that those in the supply chain also have some level of awareness of and resistance to social engineering tactics is vital, since indirect attacks such as the massive attack on Target’s point of sale (POS) devices began with a trusted vendor. The scale of the problem is impossible to overstate, as it is comparable to the scale of the Internet itself. The challenge for every company with email is to maximize the immense benefits of cyber while limiting its risks wherever possible.
For tailored research and analysis, please contact: email@example.com