A Proactive Approach Could Have Prevented the DNC Email Hack

The NSA isn’t the only Washington organization being embarrassed by a data breach. The sorry state of cybersecurity in America has taken center stage in this year’s presidential election. In June, it was discovered that Russian cyber criminals had managed to hack the Democratic National Committee’s email server, stealing over 20,000 emails and sharing them with WikiLeaks. While most of the emails contain mundane correspondence, some of them are quite embarrassing and imply possible ethical violations on the part of DNC insiders, such as emails questioning Bernie Sanders’ religion and implying the party officers wished to derail his campaign. Shortly after the emails were released, the DNC’s chairperson, CEO, and communications director abruptly resigned. Even worse, the New York Times has revealed that the DNC email hack might be much more extensive than originally believed, involving the email accounts of over 100 individuals and groups.

The DNC email hack bears a strong resemblance to the equally scandalous email hack perpetrated on Sony Pictures two years ago, which was believed to have been carried out by North Korean nation-state hackers. That hack involved the release of 170,000 emails, many of them containing negative commentary about major Hollywood stars. Sony’s chairperson was removed, the company ended up being sued, and the emails are still live on WikiLeaks, neatly indexed and searchable.

While the Sony hack and the DNC email hack involved ethical and privacy violations, the release of corporate emails can damage an organization even if the employees in question did nothing wrong. Confidential information about new product launches, marketing strategies, and partnership negotiations are routinely discussed via email, and this information could destroy a company if it fell into the hands of a competitor.

Proactive Ways to Prevent Email Hacks

Both the Sony hack and the DNC email hack could have been prevented using proactive email security measures. Following are three things your company can do to prevent your emails from ending up on WikiLeaks – or in the hands of a competitor.

Train Your Employees How to Spot Spear Phishing

It is believed that the Sony hack and the DNC email hack happened after hackers used a spear-phishing campaign to get hold of legitimate login credentials. Spear phishing has become extremely popular among hackers as end users have become more aware of these scams and as spam filters have gotten better at recognizing and intercepting regular phishing emails. Because spear-phishing emails are sent to only a small group of targets and are carefully researched and crafted to appear legitimate, they tend to pass through spam filters. Therefore, the best defense is employee awareness. See our previous blog for more information on how to spot spear phishing emails.

Set Up Your System to Assign Employee Passwords

Regardless of how many times they are told not to do so, employees frequently choose passwords that are weak, and they tend to use the same password to access multiple systems, including their personal and work accounts. Thus, a hacker may be able to use an employee’s Dropbox password to get into their work email. For this reason, random, strong passwords should be assigned to employees, and the system should be set up to require periodic password changes.

Outsource Your Enterprise Email

In most cases, using a private email server for company email, as the DNC did, is a bad idea. The majority of companies do not have the in-house technical expertise to securely set up an email server, continuously monitor it for unusual user behavior, or maintain up-to-date spam filters. Large enterprise email providers such as Google and Yahoo do. While using one of these providers is not a guarantee that you will not be breached – especially in light of the popularity of social engineering – a third-party provider will offer a higher level of email security than you could achieve in-house.

The cybersecurity experts at Lazarus Alliance have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cybersecurity®. Call 1-888-896-7580 to discuss your organization’s cybersecurity needs and find out how we can help secure your organization’s data.

Human hacking, also known as social engineering, has surpassed hardware and software vulnerabilities and is now the top cybersecurity threat, Computer Weekly reports:

[A]ttackers shifted away from automated exploits in 2015. Instead, attackers engaged people through email, social media and mobile apps to do the dirty work of infecting systems, stealing credentials and transferring funds.

 Researchers found that machine exploits were replaced by human exploitation, with attackers opting for attachment-based social engineering campaigns rather than purchasing expensive technical exploit kits.

 Across attacks of all sizes, threat actors used social engineering to trick people into doing things that once depended on malicious code.

What is Human Hacking?

Human hacking is a type of con during which, instead of trying to hack into a system, the hacker engages in old-fashioned espionage techniques that involve human interaction and prey on weaknesses in human psychology, such as helpfulness, curiosity—even greed. A human hacker may approach an access-controlled door carrying a number of packages and pretend to fumble for their key or access card; an unsuspecting employee, thinking they are being helpful to a co-worker, opens the door for the hacker. This technique is known in the industry as tailgaiting. Or, using the pretexting technique, the hacker may phone an employee, pose as a help desk worker, and attempt to get the employee to provide their system access credentials.

These simple techniques are surprisingly effective. TechTarget reports that a human hacker recently used pretexting to compromise the U.S. Department of Justice. The hacker phoned the DOJ, pretending to be a new employee who was having difficulty accessing the department’s web portal. The hacker was quickly provided with a token that granted him full access to the DOJ intranet. As a result, information on 20,000 FBI agents and 9,000 Department of Homeland Security employees was publicly leaked.

Other common human hacking techniques include:

• Baiting takes advantage of human curiosity—or, in some cases, greed. The attacker puts a legitimate-looking and interesting label (such as “Employee Salary Report Q4”) on a malware-infected device, such as a USB drive, then leaves it in a place where someone will find it, such as a bathroom, a hallway, or an elevator. Then, the hacker simply waits for someone to pick up the device and insert it into their computer.
• Phishing is a technique most Internet users have seen in action. The hacker (or phisher) sends an email that appears to be from a legitimate source, usually a bank or another business. The email requests that the receiver “verify” information by clicking on a link and warns of dire consequences, such as their account being deactivated, if the receiver does not do so. The link leads to a legitimate-looking but fraudulent website that requests personal information, such as online banking access credentials or even a debit card PIN.
• Spear phishing is a more targeted form of phishing where a particular individual or organization is phished, as opposed to random mass attacks.
• A Scareware scheme combines malware and human psychology. The con involves tricking victims into believing they have downloaded illegal content or that their computers have been infected with malware. The human hacker then offers the victim a “fix” in the form of a download – which is actually malware.

How Can Your Organization Prevent Human Hacking?

As with all cybersecurity issues, the best defense is a good offense. Lazarus Alliance recommends that organizations take a proactive approach to preventing human hacking, beginning with establishing a comprehensive cybersecurity policy and employee training program. If employees are aware of the types of cons human hackers run, they can learn to identify and report them before any damage is done.

Additionally, organizations that conduct ongoing risk assessments and fix the gaps identified are on average a whopping 96% less likely to suffer a breach by hackers. Lazarus Alliance recommends organizations of any size implement a risk management program sooner than later when it may be too late.

Lazarus Alliance offers full-service risk assessment and risk management services helping companies all around the world sustain a proactive cybersecurity program. Lazarus Alliance is proactive cybersecurity®. Call 1-888-896-7580 to discuss your organization’s cybersecurity needs and find out how we can help you prevent human hacking.

Federal cybersecurity breach has left millions of American citizens as casualties. Lazarus Alliance responds with proactive cyber-crime prevention.

Lazarus Alliance ups the ante with proactive cybersecurity weapons in the corporate arsenal to fight cybercrime, corporate fraud, espionage and criminal cyber-misconduct.

The egregious revelations following this security breach is that the Office of Personnel Management did not have even entry-level cybersecurity controls in place as reported on June 4, 2015 by NBC affiliate KPNX 12 News and many other outlets is proof that it’s time for the U.S. to take strong action to harden its technological infrastructure with proactive measures instead of the reactive posture demonstrated today.

KPNX went on to report that “Fundamental controls missing that facilitated this massive security breach affecting millions across the federal space were identified as a lack of data encryption, multifactor authentication and modern endpoint computing platforms all of which are critical in preventing cyber breaches and criminal misconduct.”

Michael Peters, CEO of Lazarus Alliance said “Proactive cybersecurity measures taken through competent IT risk, audit & compliance and governance assessments coupled with proven assessment tools like the IT Audit Machine are all known to prevent about 96% of all breach potential.”

“As long as public and private organizations remain reactive instead of proactive in their approach to cybersecurity, they will continue to fail the constituents they work to protect. This federal cyber data breach is a painful reminder that not enough is being done even at minimal levels.” said Peters.

Cyber-crime prevention is of paramount concern to the federal government and organizations of all sizes, all industries and in all parts of the world. Lazarus Alliance put its extensive experience in cybercrime and fraud prevention in the governance, risk and compliance (GRC) spaces to work for the federal and global business community.

“Survey after survey shows that simple and intermediate controls prevent espionage and cyber-crime and yet breach reports are escalating. These criminal acts could have been prevented through a proactive cybersecurity plan. Lazarus Alliance is proactive cybersecurity.” continued Peters.

Lazarus Alliance’s primary purpose is to help organizations attain, maintain, and demonstrate compliance and information security excellence, in any jurisdiction. Lazarus Alliance specializes in IT security, risk, privacy, governance, cyberspace law and compliance leadership solutions and is fully dedicated to global success in these disciplines.

Learn more about Lazarus Alliance and why Lazarus Alliance is Proactive Cybersecurity™

Video: https://youtu.be/8eRv4zc9l4M