The recent disclosure of a document leak from the National Security Agency that contains details about the Russian hacking attempt on a vendor of voter registration software has the making of a spy thriller, even including a perpetrator with a name that might be right out of a James Bond spy thriller.
But as bad as that leak was, the ease with which the Russians penetrated the voter registration software company’s security was worse. Worse yet was the ease at which the Russians penetrated some of the state election officials’ defenses.
The theft of the top secret report on Russian hacking by a former NSA contractor with the unlikely name of Reality Winner is something that the intelligence agency always tries to prevent. But there are some things that even the best security can’t stop and bad faith on the part of a trusted individual is one of them.
The U.S. Justice Department announced on June 5 that it had charged Winner with mailing a classified document that contained details of the Russian hack on a voter-registration system known as EViD to “The Intercept,” news website.
It’s easy to criticize the NSA for allowing Winner to have access to such files, but in reality employees and contractors need access to classified information to do their jobs. Every now and then, there’s a failure in the system, which is what happened here.
Last fall, however, a series of other system failures put the integrity of the 2016 election at risk. While it’s not clear that the Russians were able to were actually able to tamper with election results, the fact that they got access so easily is deeply troubling.
There were two types of failings that gave the Russian hackers access. The first was a phishing attack against a vendor of voter registration software, VR Systems of Tallahassee, Florida. Someone in the targeted company clicked on a link that provided the hackers with access to a database containing the contact information of election officials in several states.
The second attack was another phishing attack, this time with a payload of purported Microsoft Word files. Those emails were crafted to appear to be from the vendor of the voter registration software. The apparent goal was to provide access to voter registration records in several states and then to alter them in a way to create chaos on election day.
Had the software vendor or the states involved had adequate security, the cyber-attack launched by the Microsoft Word files would not have been successful, which is apparently the case in at least some of the states. This may have been partly because the bogus emails used to approach the states were so blatantly phony that state officials recognized them as such and complained to the software vendor.
But suppose the fake emails had been more expertly crafted. Would the states still have caught on? That would require an additional level of security, and at this point it’s not known whether there was another level of security to thwart this attack.
But the apparently unsuccessful hacking attempt is behind us, so the next step is to find lessons to learn from the attempt. The first lesson is how to deal with a phishing attack. After all, if your employees don’t act on a phishing email, then nothing will come of it.
This is one area that requires constant training. There’s currently no effectively way to filter out phishing emails, so your employees need to recognize a potential phishing attempt, and at the very least not act. Preferably, those employees should then notify your head of IT or head of security of the apparent attempt. That person can then take further action to prevent or render useless any further phishing attempts.
Second, your security software needs to recognize the payloads and actions of the malware that may be included in a phishing email. Because the malware providers are trying to find ways to evade such detection, you can’t just buy an anti-virus product and hope for the best. You also need anti-malware software that recognizes the threat hidden inside the payload.
It’s worth noting that the voter registration software company was fairly small, which may it was targeted by the Russian hackers. It’s a fact of life that many smaller companies have only a minimal IT staff, if they have any at all. They are even less likely to have an IT security staff, which makes them a very soft target and exactly what attackers are looking for.
That small under-protected company can then lead the attackers to their larger partners by providing an attack pathway and by providing a credible disguise for phishing emails. In addition, attackers depend on those smaller companies not believing that they’re a potential target, which in turn makes them more susceptible to attacks.
Just as in the case of constant training to handle phishing attacks, your employees also need to recognize other vulnerabilities where they’re the first line of defense. That means they need to be suspicious about releasing email addresses and phone numbers for executives and other senior employees for example. And remember, that release of information can come from phone calls as easily as from emails.
While it’s probably impossible to block every attempt to extract information from any company, the ultimate goal is to make it sufficiently inconvenient that the attacker targets someone else. If enough companies make it really hard to get info, then eventually the attackers will try another line of work.