FBI Hack Proves That People Trump Technology in Cyber Security

Stop me if you’ve heard this one before: a secure system was compromised by exploiting a user through social engineering. At this point, we’re all suffering from a bit of “breach fatigue” — but each incident undoubtedly provides the information security community opportunities to learn and improve. It’s critical to capitalize on these teachable moments because security breaches will only increase if the infosec community continues to underinvest in managing end-user risk and insists on looking to technology as the sole source of security controls.

The latest high-profile story is of an FBI breach that was first reported by Motherboard over the weekend, an attack that ultimately resulted in the public disclosure of the contact information (names, positions, email addresses, and phone numbers) of approximately 20,000 FBI and 9,000 Department of Homeland Security employees. Motherboard’s due diligence showed that, though some of the phone numbers were out of date or routed to a general switchboard, many did connect directly to the people named in the data dumps.

The FBI and DHS (and their employees) are certainly the victims in this case — though the U.S. government has been downplaying the severity of the breach (no doubt because it’s still doing damage control from the slow-motion train wreck that was the Office of Personnel Management breach). And, granted, this doesn’t appear to be as “bad” as the OPM incident (though the attackers did claim to snag 220GB of data, which means they could have much more than they’ve published to date). That said, the statement by Homeland Security spokesperson S.Y. Lee — that “there is no indication at this time that there is any breach of sensitive or personally identifiable information” — is a bit of weak deflection seeing as names, email address, and phone numbers are widely considered to be PII (and by none other than the U.S. government itself).

How It Happened – and How It Could Have Been Prevented

According to details provided by the attacker — who is apparently part of a #FreePalestine hactivist movement that calls itself the DotGovs — the first point of entry was via a compromised email account of a Department of Justice employee (though exact details of that compromise weren’t shared). After attempting to log into a DoJ web portal without success, the attacker then called into a help desk. The operator did ask if the caller had a token code (which seems to indicate that a two-factor authentication solution was in place). When the attacker said no, the operator gave him one.

Game. Set. Match.

Once the attacker had the token code, he had unfettered access to DoJ systems. According to the Motherboard article, he logged into the work machine that belonged to the owner of the compromised email credentials. He claims the user’s documents and other documents on the local network gave him access to 1 TB of data — including military emails and credit card numbers. He said he simply couldn’t take it all.

In commenting about the events that led to the breach, Wombat CTO Trevor Hawthorn cautioned against having an inflated sense of confidence in hardware and software. “The industry’s reliance on technical security controls, when humans are in the mix, is dangerous,” he said. “How much money went into the two-factor authentication solution that was in place? It could have been the best 2FA on the market, but it was made virtually useless by the employee who circumvented it. All the security technology in the world won't matter if the operators aren't secured as well.”

Hawthorn certainly sees the value of technical safeguards — but he also recognizes their limitations. “Whenever you design a system, or a process, and you want it to be secure, always keep in mind that ‘the enemy gets a vote,’” he advises. “Many security systems are deployed with the attitude that as long as the attacker ‘plays by the rules,’ they will work. Assumptions go out the window when the bad guy cheats. Having someone call the help desk and obtain a token code without authorization isn’t something a 2FA solution can protect against. But that is something that a security team can plan for — and attempt to prevent.”

Unfortunately, there is a continued assumption that users understand the mechanics of their job responsibilities and that deployed security solutions will do the heavy lifting with regard to breach prevention. Clearly, that is not the case. Users are consistently shown to be weak links. So why are users not receiving even close to the time and attention that technical safeguards are?

“From our perspective, it’s relatively simple: Organizations need to set the expectation with their users that because security is important to customers and the company mission, it needs to be important to them as well. Employees at all levels need security awareness training, but organizations also need to be persistent about the security message. They need to employ an ongoing ‘security marketing’ effort, if you will,” Hawthorn said. “We don’t expect every user to be a cyber security expert, but security should be part of the culture. Call it whatever you like: ‘security hygiene,’ ‘smart skepticism,’ ‘habitual caution,’ or ‘efficient vigilance.’ None of this is overbearing, but it fortifies the organization for when mistakes are made and attackers cheat.”

Once-a-year, check-the-box training is not enough to keep cyber security top of mind. Best practices must become a part of daily routines in order for users to have what Hawthorn likes to call “security muscle memory.” At the end of the day, as the FBI and DHS are finding out, employees’ privacy is also on the line. Make training personal, make it frequent, and make the benefits clear. Only then can you be sure that your users really should “know better.”