Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver
In cyberspace the sheep get shorn, chumps get chewed, dupes get deceived, and pawns get pwned. We have just seen another fine example of this in the recent attack on the UK Parliament e-mail system.
Rather than admit to an e-mail system that was not secure by design, the official statement read:
Parliament has strong measures in place to safeguard all of our accounts and systems.
Tell us another one. The one protective measure we did see at work was blame deflection: pin it on the Russians, that always works, while faulting the victims for their policy infractions. Details of the attack are scarce, but combining different sources does help to assemble at least the gross outline. If these accounts are reasonably accurate, the UK Parliament e-mail system failings are scandalous.
What went wrong in this case?
Rely on single-factor authentication
“Password security” is an oxymoron: anything protected by a password alone is insecure, full stop, regardless of how strong the password is, because a password is a replayable secret that can be guessed, phished, or reused from another site's breach. And please, no 2FA here; it might hinder the attackers.
Do not enforce any limit on failed login attempts
Combined with single-factor authentication, this permits easy brute-force attacks, no skill required. Then, when attacked, blame elite state-sponsored hackers; no one can verify it.
Do not perform brute-force attack detection
Let attackers run (otherwise trivially noticeable) brute-force attempts for extended periods (reportedly 12 hours against the UK Parliament system) to maximize the number of accounts compromised.
Do not enforce policy; treat it as mere recommendation
On top of single-factor authentication, no limit on failed logins, and no brute-force detection, do not enforce any password-strength validation. Serve attackers the lowest-hanging fruit.
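The three failings above (no lockout counter, no brute-force detection, no policy enforcement) share one root: nobody was counting failed logins. The following is an added example, not Ziften's code and not anything from the Parliament system, showing what that counting looks like over authentication log lines. The log format, account names, source addresses, window and thresholds are all assumptions constructed for illustration. It flags classic brute force (many failures against one account), password spraying (one source trying a few guesses against many accounts, the pattern that turns a weak-password policy into compromised accounts), and the tell-tale success that follows a run of failures from the same source.

```python
"""Brute-force and password-spray detection over authentication log lines.

Added example, not Ziften's or Parliament's code. The log format, field
names, thresholds and sample data below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log line format (constructed for this example):
#   <ISO-8601 timestamp> auth <ok|fail> user=<account> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Tunable thresholds (assumptions, not values from the article).
WINDOW = timedelta(minutes=10)   # sliding window for counting failures
BRUTE_FORCE_FAILS = 5            # failures against one account within WINDOW
SPRAY_ACCOUNTS = 5               # distinct accounts failed from one source within WINDOW


def parse_line(line):
    """Return (timestamp, result, user, src), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["result"], m["user"], m["src"]


def detect(lines):
    """Scan log lines in time order and return a dict of alert sets.

    brute_force: accounts with >= BRUTE_FORCE_FAILS failures within WINDOW
                 (the same counter a lockout policy would act on)
    spray:       sources that failed against >= SPRAY_ACCOUNTS distinct
                 accounts within WINDOW
    compromised: (user, src) pairs where a success followed a failure against
                 that user from the same source within WINDOW, i.e. a guess
                 that worked
    """
    fails_by_user = defaultdict(list)   # user -> [timestamps of failures]
    fails_by_src = defaultdict(list)    # src  -> [(timestamp, user) of failures]
    alerts = {"brute_force": set(), "spray": set(), "compromised": set()}

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        cutoff = ts - WINDOW
        # Expire events that have fallen out of the sliding window.
        fails_by_user[user] = [t for t in fails_by_user[user] if t >= cutoff]
        fails_by_src[src] = [(t, u) for t, u in fails_by_src[src] if t >= cutoff]

        if result == "fail":
            fails_by_user[user].append(ts)
            fails_by_src[src].append((ts, user))
            if len(fails_by_user[user]) >= BRUTE_FORCE_FAILS:
                alerts["brute_force"].add(user)
            if len({u for _, u in fails_by_src[src]}) >= SPRAY_ACCOUNTS:
                alerts["spray"].add(src)
        elif any(u == user for _, u in fails_by_src[src]):
            # Success right after failures from the same source: the guess landed.
            alerts["compromised"].add((user, src))
    return alerts


# Constructed sample log: one spraying source that lands on mp.wilson, one
# source hammering a single account, and one user who mistypes once and
# logs in ten minutes later (outside WINDOW, so not an alert).
SAMPLE_LOG = """\
2017-06-23T02:00:00Z auth fail user=mp.smith src=203.0.113.7
2017-06-23T02:00:01Z auth fail user=mp.jones src=203.0.113.7
2017-06-23T02:00:02Z auth fail user=mp.brown src=203.0.113.7
2017-06-23T02:00:03Z auth fail user=mp.taylor src=203.0.113.7
2017-06-23T02:00:04Z auth fail user=mp.wilson src=203.0.113.7
2017-06-23T02:00:05Z auth ok user=mp.wilson src=203.0.113.7
2017-06-23T02:05:00Z auth fail user=lord.evans src=198.51.100.9
2017-06-23T02:05:10Z auth fail user=lord.evans src=198.51.100.9
2017-06-23T02:05:20Z auth fail user=lord.evans src=198.51.100.9
2017-06-23T02:05:30Z auth fail user=lord.evans src=198.51.100.9
2017-06-23T02:05:40Z auth fail user=lord.evans src=198.51.100.9
2017-06-23T02:30:00Z auth fail user=clerk.patel src=192.0.2.44
2017-06-23T02:40:05Z auth ok user=clerk.patel src=192.0.2.44
"""

if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{kind}: {sorted(hits)}")
```

The per-account counter in `fails_by_user` is exactly what a lockout or rate limit keys on; the per-source view in `fails_by_src` is what a lockout alone misses, because a spray stays under any per-account threshold while still working through the directory. Real deployments would tune the window and thresholds to their own baseline and key on more than a bare source address, but even this much would have made a multi-hour guessing run impossible to miss.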
Rely on unauthenticated, unencrypted e-mail for sensitive communications
If adversaries do succeed in compromising e-mail accounts or sniffing network traffic, give them every opportunity to harvest high-value message content entirely in the clear. This also conditions constituents to trust easily spoofable e-mail from Parliament, creating an ideal environment for phishing constituents.
In addition to adding “Common Sense for Dummies” to their summer reading lists, the UK Parliament e-mail system administrators may wish to take further action: strengthen weak authentication practices, enforce policies, improve network and endpoint visibility with continuous monitoring and anomaly detection, and completely reassess secure messaging. Penetration testing would have uncovered these fundamental weaknesses without making headlines.
Even a couple of clever high-schoolers with a free weekend could have replicated this attack. And finally, stop blaming the Russians for your own security failings. Assume that any weakness in your security architecture and policy framework will be probed and exploited by some party somewhere on the global internet. All the more reason to find and fix those weak points before the adversaries do, so turn the pen testers loose. And then, if your defenders cannot see the attacks in progress, upgrade your monitoring and analytics.