Why assuming data is secure is dangerous and stupid

It just annoys the hell out of me every time I hear Hillary Clinton talk about her email, because she says something to the effect that there is no evidence that her email server was ever hacked even though it was poorly secured. This likely speaks to why many of my peers in the IT security business are weary of her even though they are far from Trump fans.

What is even more troubling is that she apparently was clearly aware this can’t be true. Why this torques me off is that there was no tracking on that server so no one can tell whether it was penetrated or not, and that is why the FBI’s report indicated it was probably penetrated.

I saw the same thing with the Manning and Snowden events where the implication in both cases were that these were isolated, but given both people were caught after they disclosed their actions it is likely they are simply the only folks who stole records that went to the media.

This is often the case in a security breach or an embezzlement. The firm acts like the event is isolated, but the lack of controls that enabled the crime are typically not tied to the single individual that was caught suggesting the firm has no idea if there was one person or a thousand involved (well, other than the fact that if the latter was true they’d be out of business).  

This is the problem with assumptions: They’ll come back to bite you in the butt and can make you look either dishonest or stupid to folks who do security for a living.

I see this a lot and I think it is worth flagging here because we are entering a very frightening time with nearly 100K estimated Ransomware attacks a day, and the recent DOS DNS server attack that should force us to once again realize we are in an arms’ race we are losing. We can no longer assume we are secure.

Stuart’s lesson

I do account reviews when one of my clients points out something I find interesting. One such review was triggered by an update from Varonis [Disclosure: Varonis is a client of the author] where they talked about a security specialist named Stuart who was doing something unusual. The class of product that Varonis makes looks at data access and reports on anything that looks unusual. This is done on email and file servers because that is where we assume the attacks are most likely to occur. But Stuart wrapped all of the firm’s servers with this technology.

Stuart realized, and this is particularly pertinent given that recent DOS DNS attack, that any server could be vulnerable. In fact, after talking to Stuart I went on the web and apparently you can buy compromised servers in almost any company for about $5-$6 and use them to your heart’s content. Pick a company, and there are a surprising number of tech companies that are unaware they have hacked servers in their shops being sold on the dark web.

I clearly missed that update and I’m willing to bet you did too, and, I expect, the only reason Clinton’s email server isn’t on this list is because it has been taken down. Think about it — if there are secure government servers on this list what are the odds that an unsecure email server would be on it?  

Perimeter security is dead

A few years back in 2013, Kaspersky said something to the effect that there are two kinds of companies, those that know they have been hacked that those that don’t know they have been hacked. Three years later we still don’t seem to be taking this problem very seriously. If anyone thinks perimeter security is working let’s hope those folks aren’t responsible for it, because they’ll soon be out of a job. Our homes and businesses aren’t secure, and rather than assume they are we should assume they aren’t and focus on mitigating the damage.  

It is particularly annoying that both candidates have been hurt by breaches in security. Clinton the DNC email breach, and Trump the NBC breach that put his “off the record” comments on newspapers radio and TV.   You’d think both would prioritize a fix but the only thing either can seem to talk about is that they aren’t the other person.

Assume the worst hope for the best

This is the only advice I can suggest because we can’t be sure we haven’t been penetrated. In fact, we can be almost certain we have been. The best we can do is find a way to limit the damage, and when we can, aggressively go after the attackers.

Varonis shared one final story, one of their accounts flagged the head of HR who was suddenly downloading tons of confidential documents. Likely thinking they had a disgruntled executive problem they instead discovered the poor guy had been hacked and his machine turned into a Zombie.   Why this hit home is that I’d been recently called in to help on a case where a child after graduating had been expelled for sending sexually explicit material to a teacher. It came from his school-issued PC and the school was apparently covering up that this PC had been hacked. I expect this will eventually reach national attention and no one will look good.  

In the end, we can’t assume anything is secure. If we don’t implement solutions that track access on user behavior the next Clinton, Manning, Snowden event may be our problem or our excuse to explore early retirement. Don’t let an assumption kill your career or your kid’s life