The 2016 presidential election has spawned a variety of topics that generate heated discussions. The one suited to this blog concerns network security, and email security in particular.
You’ve heard the story, but let me quickly revisit the cyber attack. A well-known hacker, Guccifer 2.0, infiltrated the Democratic National Committee’s network using malware likely introduced via email or by an infected website link. The hacked accounts may have been compromised through the acquisition of a less secure personal account's credentials, which might then have been leveraged to gain access to the DNC.org mail accounts.
Over 19,000 emails with some 8,000 attachments have been made public. They cover a period from January 2015 to this May. If you’re interested, you can view them all here at WikiLeaks.
I won’t comment on the contents of these messages (not the point of this blog) other than to point out that lots of embarrassing, sensitive and private information was breached.
Their network security, technical support and network security training were so pathetic that the sender Rachel Palermo repeatedly emailed updated passwords to users after they knew that they had been hacked. Note to self: "email should be considered to be about as secure as a postcard."
This attack likely could have been prevented with some very simple and inexpensive fortifications. Here are suggestions that might protect your business from the same type of breach.
Use complex passwords, with a minimum of 8 characters and three of these four types: lowercase, uppercase, number, and/or symbol.
Never use the same password for multiple accounts.
Change your passwords. The more valuable the data, the more often passwords should change.
Use 2-Factor Authentication wherever available.
Implement multi-layered anti-virus defenses with business-class anti-virus on desktops and notebooks and email filtering for spam, malware and dangerous email attachments.
Use web protection filtering to block users from accessing dangerous sites.
Use an automated patch management service to keep security patches current, not just for Microsoft software but for all other common applications.
Use secured, encrypted file transfer services for transmitting and receiving sensitive data that may include private business information or PII (personally identifiable information): usernames, social security accounts, credit card information, passwords, accounts, dates of birth.
As always the end user is the final line of defense. They must be trained with network security best practices and educated about phishing schemes and social engineering attacks.
The only good thing about this breach is that we can all learn from it and hopefully take a few steps to protect ourselves from the same type of embarrassing, expensive and possibly ruinous event in our own businesses.