Why Employee Training is a CRITICAL Component of Security Training

According to Buzzfeed, nine days after Hillary Clinton had won big on Super Tuesday, the Russians launched their cyber attack on her campaign.

The Russians sent malicious emails to all of her senior campaign staff.  The emails looked like standard Google GMail emails alerting to suspicious activity on their accounts and asked them to click on the link.  The link led to a page, likely hosted in Russia, that looked very much like a GMail password reset page.  Unless they checked the address in the address bar.

As soon as they entered their email and password, the Russians had full, unfettered access to all of their emails from that point forward.

POINT #1: Call me paranoid, but from a security standpoint does it really make sense to use GMail for the official campaign email system for a presidential campaign?  Sure, that make sense for uncle Joe in Pittsburgh, but did it never occur to anyone that this might not be very smart?

POINT #2:   Did campaign workers receive any cyber security training?  That is a pretty normal phishing technique.  Out of all the people who received these emails, did not even one of them question it?

POINT #3:  If they did question it, did the campaign have a chief cyber security staffer to send the concern to?  Not physical security, but cyber security.

But I digress….

Since that worked so well, the Russians tried the same trick with the Democratic National Committee.

POINT #4:  Did (or does) the DNC  train its people on phishing?

And then, being successful beyond their dreams, they tried the same trick with the Democratic  Congressional Campaign Committee.

POINT #5:   I am not even going to ask.

By mid June, the first leak had been identified and the DNC emails started coming to light.

I assume that others started to panic at this point and those who didn’t use email (like Trump, apparently) were laughing.

The group that orchestrated this is known as APT 28 or Fancy Bear, but there is nothing fancy about this attack.  In fact, a fifth grader could have likely done it.

In a rare display of political annoyance, the White House definitively said last week that Russia did this.  There was no beating around the bush.  The Department of Defense piled on.  I am sure that there is a fair bit of classified evidence, but apparently, the government was convinced enough to publicly blame Putin.

If you want more details, please read the Buzzfeed article below, but for the purposes of this post, this is sufficient.

After reading this, I have a few thoughts and those thoughts apply to everyone – political parties on any side of the fence, businesses or private citizens.

THOUGHT #1 : Email is private – until you hit the send button.  Beyond that, all bets are off.

THOUGHT #2: If you would be concerned, embarrassed or thrown in jail if that email appeared on the front page of the New York Post (or Wall Street Journal), DO NOT SEND IT!  You just cannot guarantee what will happen after you hit the send button.

THOUGHT #3:  At the very least, a private email server gives you some more control and the ability to monitor traffic.  BUT ONLY IF YOU DO IT RIGHT.  It is 10 times easier to do it wrong than to do it right.

THOUGHT #4: Encrypted email (and I don’t mean SSL based web mail) also helps, but again, the devil is in the details.  I have a few patents with my name on them in this area, so I think I understand the problem, what works and what doesn’t work.

THOUGHT #5: Training is critical.  Really.  Human beings are always the weak spot.  Period.  Invest in training.

THOUGHT #6: Monitoring and alerting is the next most critical thing.  If, by chance, the Ruskies accidentally logged in from Russia, alarm bells should have gone off.  There is no monitoring for users of GMail.  You are on your own.

THOUGHT #7:  I like Sergey Brin and Larry Page.  Google is a great search engine.  Not so much is it a great enterprise email solution, even though they would argue with me.  Vehemently.  But then, I am calling their baby ugly.  U.G.L.Y!  Sorry.

THOUGHT #8, 9 and 10:  If security and privacy is important to your organization – and they may not be – then treat it that way.  Find the expertise and hire it (#8).  Listen to what they tell you to do (#9).  And tell your users that this is not a democracy and they don’t get a vote on whether or not to follow the security policies (#10).

I know that is harsh, but the question is, is security and privacy important to you.

Information for this post came from Buzzfeed.



Leave a Reply

Your email address will not be published. Required fields are marked *