The Mueller Indictment of 12 Russian agents was released last week. It is a very interesting read as a whole, but it outlines some particular aspects of cybersecurity.
During the hacking of DCCC and DNC networks, the Conspirators covered their tracks by intentionally deleting logs [..]
This is why we at LogSentinel have been trying to evangelize the use of secure audit logs – because you never know when and who will break in and then clear their tracks, making it impossible to even know they have broken in. Many organizations (apparently, including the DNC) rely on the fact that they have logs and believe those logs make them secure and/or compliant. But that’s not the case, as one book on ISO 27001 warns:
System logs need to be protected, because if the data can be modified or data in them deleted, their existence may create a false sense of security.
Had the DNC protected their logs cryptographically, they would’ve been able to immediately know when the “conspirators” tried to clear their tracks, or the conspirators would not have been able to clear them at all. Which would have given the DNC precious time to react. Not to mention it would have been very useful for forensics.
Information security is a non-intuitive concept – you need to invest in it, sometimes without a clear indication of the risk and of potential savings. Can we measure the loss of an election? Or the loss of credibility once it becomes known that employees have been abusing organizations’ data? Too often it’s hard to put a number on it and it only becomes evident that you should have done more after a disaster occurs.
Logging is obviously not the only point we can take away from the Mueller indictment, here are some more:
- Verify email headers – the conspirators used spoofed emails which would’ve been and the mail client used should have been aware of that
- Use plugins to block active content by default (e.g. NoScript) – the conspirators sent a link to a website that potentially infected the machines
- Don’t run macros – an excel file is mentioned in the indictment. It’s unclear whether the excel file was infected, or the GRU-website itself, but either way, macros are a big risk
- Use multi-factor authentication – having someone’s password should not be sufficient to gain access. And this is true not only for email accounts, but for system (e.g. ssh) access as well.
- Use intrusion detection and intrusion prevention systems – once the conspirators had the passwords, they dumped a lot of data over the network; that could have easily been detected and blocked by such systems.
- Encrypt – especially in small, well organized groups, email encryption (e.g. PGP) is a necessary precaution. If PGP was used, the attack carried out would not have been sufficient to extract all emails.
You see that all of these measures require knowledge and resources from both tech users and every non-technical staff member. Security awareness, especially when working in high-profile organizations, is a must. You can no longer be “I just use the computer for email and movies”.
So the Mueller indictment reminds us, once again, how vulnerable many organizations are. And that information security is neither “it can’t happen to me”, nor “let’s buy some software and we’ll be good”, nor “our tech guys will take care of it”. It’s a combination of many factors that should not be overlooked – secure logs, fraud detection, intrusion prevention, encryption, secure user behavior.