Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver
In the online world the sheep get shorn, chumps get munched, dupes get deceived, and pawns get pwned. We have seen another terrific example of this in the recent attack on the UK Parliament e-mail system.
Instead of admitting to an e-mail system that was insecure by design, the official statement read:
Parliament has strong steps in place to secure all our accounts and systems.
Yeah, right. The one protective measure we did see at work was deflecting the blame – pin it on the Russians, that always works – while blaming the victims for their policy infractions. While details of the attack are scarce, combing numerous sources does help to piece together at least the gross outlines. If these accounts are reasonably accurate, the UK Parliament email system failings are scandalous.
What failed in this scenario?
Rely on single-factor authentication
“Password security” is an oxymoron – anything protected by a password alone is insecure, period, no matter the strength of the password. Please, no 2FA here; it might impede attacks.
Impose no limit on unsuccessful login attempts
Helped by single-factor authentication, this enables basic brute-force attacks, no skill required. But when attacked, blame elite foreign hackers – no one can verify.
Do not perform brute-force attack detection
Allow attackers to run (otherwise trivially detectable) brute-force attacks for prolonged periods (12 hours against the UK Parliament system), maximising the scope of account compromise.
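One way to implement the failed-login limit and brute-force detection that the two items above say were missing, as an added example that is not the author's or Parliament's code: it replays constructed authentication log lines, locks an account after FAIL_THRESHOLD failures inside a 15-minute window, flags a source that fails against several distinct accounts (password spraying), and reports any login that succeeded while its account should have been locked. The log format, thresholds and sample lines are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log ("timestamp outcome account source_ip");
# these lines are made up for this example, not taken from the incident.
SAMPLE_LOG = """\
2017-06-23T02:00:01 FAIL alice@example.test 203.0.113.7
2017-06-23T02:00:03 FAIL alice@example.test 203.0.113.7
2017-06-23T02:00:05 FAIL alice@example.test 203.0.113.7
2017-06-23T02:00:07 FAIL alice@example.test 203.0.113.7
2017-06-23T02:00:09 FAIL alice@example.test 203.0.113.7
2017-06-23T02:00:11 OK   alice@example.test 203.0.113.7
2017-06-23T02:01:00 FAIL bob@example.test 203.0.113.7
2017-06-23T02:01:02 FAIL carol@example.test 203.0.113.7
2017-06-23T02:01:04 FAIL dave@example.test 203.0.113.7
2017-06-23T09:30:00 FAIL erin@example.test 198.51.100.5
2017-06-23T09:30:20 OK   erin@example.test 198.51.100.5
"""

FAIL_THRESHOLD = 5      # failures per account inside WINDOW -> lock the account
SPRAY_THRESHOLD = 3     # distinct accounts failing from one source -> password spray
WINDOW = timedelta(minutes=15)   # assumed sliding window; log is assumed time-ordered

def analyse(log_text):
    """Replay the log; return (locked, sprays, post_lock): accounts that hit
    FAIL_THRESHOLD failures inside WINDOW, sources that failed against
    SPRAY_THRESHOLD+ accounts, and logins that succeeded while locked."""
    fails = defaultdict(deque)      # account -> timestamps of failures inside WINDOW
    src_fails = defaultdict(dict)   # source -> {account: last failure timestamp}
    locked, sprays, post_lock = {}, set(), []
    for line in log_text.splitlines():
        ts_s, outcome, account, src = line.split()
        ts = datetime.fromisoformat(ts_s)
        if outcome == "OK":
            if account in locked and ts - locked[account] <= WINDOW:
                post_lock.append((account, ts_s))  # lockout should have blocked this
            continue
        q = fails[account]
        q.append(ts)
        while ts - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= FAIL_THRESHOLD:
            locked.setdefault(account, ts)
        recent = src_fails[src]
        recent[account] = ts
        for stale in [a for a, t in recent.items() if ts - t > WINDOW]:
            del recent[stale]
        if len(recent) >= SPRAY_THRESHOLD:
            sprays.add(src)
    return locked, sprays, post_lock
```

On the sample data the single source locks one account after five failures, succeeds against it seconds later (exactly what a lockout exists to stop), and then sprays three more accounts; the lone failure from the second source is left alone.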
Do not enforce policy; treat it as mere recommendations
Combined with single-factor authentication, no limit on unsuccessful logins, and no brute-force attack detection, do not enforce any password strength validation. Supply adversaries with extremely low-hanging fruit.
Rely on anonymous, unencrypted email for sensitive communications
If attackers succeed in compromising e-mail accounts or sniffing your network traffic, give them plenty of opportunity to score high-value message content entirely in the clear. This also conditions constituents to trust readily spoofable e-mail from Parliament, creating an ideal constituent phishing environment.
In addition to adding “Common Sense for Dummies” to their summer reading lists, the UK Parliament e-mail system administrators might wish to take further action. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and thoroughly reassessing secure messaging are the recommended actions. Penetration testing would have revealed these fundamental weaknesses while staying out of the news headlines.
Even a few sharp high-schoolers with a free weekend could have duplicated this breach. And lastly, stop blaming Russia for your own security failings. Assume that any weaknesses in your security architecture and policy framework will be found and exploited by some party somewhere on the global internet. All the more incentive to find and fix those weaknesses before the attackers do, so turn those pen testers loose. And if your defenders cannot see the attacks in progress, upgrade your monitoring and analytics.