DNC Hack Serves As Cautionary Tale For IT Pros - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Government // Cybersecurity
News
7/26/2016
09:06 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

DNC Hack Serves As Cautionary Tale For IT Pros

Following the high-profile hack of the Democratic National Committee's computer system, cyber-security experts emphasize the importance of secure email correspondence.

10 Hot SaaS Security Startups To Watch
10 Hot SaaS Security Startups To Watch
(Click image for larger view and slideshow.)

The FBI is currently investigating a hack that surfaced the contents of email from the Democratic National Committee (DNC).

About 20,000 email messages were leaked late last week, highlighting officials' favor towards Hillary Clinton and throwing the party into disarray ahead of its 2016 Democratic National Convention. Chairwoman Debbie Wasserman Schultz will resign as a result.

The messages, which were published on WikiLeaks, did not shed any light on who was behind the breach. Clinton's campaign says it believes Russia conducted the hack to benefit Donald Trump, and sources close to the matter claim Russian hackers gained access to the DNC's system.

[Read: Snowden Designs iPhone Add-On to Thwart Surveillance]

"A compromise of this nature is something we take very seriously, and the FBI will continue to investigate and hold accountable those who pose a threat in cyberspace," wrote the FBI in a statement, as reported by a number of news outlets.

Regardless of who the FBI finds guilty, this politically charged attack carries a few key lessons for IT pros. If the DNC is vulnerable to having their sensitive content breached and published, your organization could also be at risk.

The Experts Caution Organizations

Following the breach and publication of DNC emails, cyber-security industry experts spoke out about the importance of protecting sensitive data, maintaining email best practices, and having the right response prepared for when an attack takes place.

"This situation demonstrates that all data has value to someone -- even if it's not commercial data," said Mark Kraynak, SVP and general manager of enterprise solutions at Imperva, in an email. Kraynak explained how an attacker may value data more than its owner, at least until the information is compromised.

"Situations like this are a great reminder of the need for all organizations to ensure the security of their data and that they have appropriate response mechanisms in place for the inevitable attack," he continued.

Some security pros say they believe sophisticated hackers will always be one step ahead of the businesses they plan to attack. Brad Taylor, CEO at Proficio, noted a popular lesson within the security space -- once an experienced attacker is on your network, he or she can complete a breach in less than 30 minutes and maintain a presence for over 250 days without being detected.

"Security controls of any organization will never be capable of keeping out a determined adversary," Taylor cautioned. "Like water coming through a screen door on a submarine, they will find a way into any network."

Travis Smith, security researcher with Tripwire, says he expects it will be found that the DNC hack originally started with a phishing email. "Why knock down the wall if you can be welcomed in through the front door?" he asked.

(Image: Outline205/iStockphoto)

(Image: Outline205/iStockphoto)

"Phishing, spear-phishing, and whaling continue to be the dominant entry point for attackers, as humans are often the weakest link in an organization's security architecture," Smith explained.

Employees should be cognizant of suspicious email and of how they act online, cautioned Lamar Bailey, senior director of security R&D for Tripwire.

"We do not know the source of this leak," Bailey noted in an email to InformationWeek. "It could have been a hack, weak password, misconfiguration, or even an inside job. Regardless, the same things can happen to any business."

In terms of key lessons IT and security managers can take from these hacks, Bailey emphasized that data needs to be classified, and proprietary or confidential information should be treated with extra precautions.

While the 2016 presidential election has made political candidates like Clinton and Trump prime targets for cyberattacks, organized cyber-criminals have the potential to infiltrate any organization they have on their radar. Is your business protected?

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 3 / 3
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
7/27/2016 | 5:55:31 PM
Re: Who Hacked the DNC?
It is worth noting that officials are still officially referring to this as a "leak" and not so much a "hack."  The NYT and others are still referring to the notion that it was a hack as "unconfirmed speculation."  (And a leak/insider attack isn't so far-fetched, considering the circumstances.)

All we definitely know for sure?  WikiLeaks got a hold of the emails and released them.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
7/27/2016 | 5:52:06 PM
Re: email matters
@Michelle: The key, of course, is to do this in a way that is still respectful -- and perhaps even a little apologetic and/or deferential.  Otherwise, you run the risk of what I've seen happen in other organizations: The staff is well-trained, but they come to resent and disrespect IT and all its security measures -- resorting to workarounds, Shadow IT, etc.
jastroff
50%
50%
jastroff,
User Rank: Ninja
7/27/2016 | 11:58:44 AM
Who Hacked the DNC?
That's a big hack 

Who did it? Local? The Russians? 

Any thoughts? and will we ever know?
jastroff
50%
50%
jastroff,
User Rank: Ninja
7/27/2016 | 11:55:21 AM
Re: email matters
Really interesting and worthwhile idea -- if companies can afford it. 

I wonder if SMBs or others can accomplish it through immediate online learning or skype session

 

>> complete an on-the-spot 5-minute (or so) training on security -- reduces successful phishing attacks by 75%.
Michelle
50%
50%
Michelle,
User Rank: Ninja
7/26/2016 | 11:42:28 PM
Re: email matters
That sounds like a great idea. I'm sure plenty of those who click feel a little humiliated at first, then learn that all-important lesson of DO NOT CLICK. I've worked in offices where several users stuggled with computers. I saw multiple rebuilds over the years. The users seemed to click on everything they shouldn't and with regularity.
Technocrati
50%
50%
Technocrati,
User Rank: Ninja
7/26/2016 | 3:50:11 PM
Breeches and Delusions of Security

 "...organized cyber-criminals have the potential to infiltrate any organization they have on their radar." 

 

This is the real issue.  When I hear of another breech, I wonder what happened to all the security experts who are just so proud to claim that they are just that - an expert.   The fact is as noted within this piece is that hackers will always be a couple of steps ahead of companies.

 

If your company hasn't been hacked, it is not because of all the pompous security experts out there - it is simply because the Hacker has not identified you as a high value target.

Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
7/26/2016 | 2:56:18 PM
Re: email matters
I remember a stat from SECTF's Chris Hadnagy from a few years ago that found that sending "phishing" emails to your own employees -- which, if they click through and fall for them, then force the employee to complete an on-the-spot 5-minute (or so) training on security -- reduces successful phishing attacks by 75%.
Michelle
50%
50%
Michelle,
User Rank: Ninja
7/26/2016 | 11:42:51 AM
email matters
I'm glad to see this article posted about cyber security. So often, email is taken for granted and secured with weak or shared passwords. 
<<   <   Page 3 / 3
News
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Commentary
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
Slideshows
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
Slideshows
Flash Poll