January 17, 2017

Do Not Rely on Best Practices

The Democratic National Committee (DNC) email leak and its impact continue to be a topic of national discussion. Are there lessons to be learned from how the DNC handled its security for larger enterprises? According to a New York Times article, it would seem that the DNC followed best practices regarding the reporting of a phishing email. That alone was not sufficient to guard the DNC from the eventual breach. Let’s examine the actual incident and the actions taken by DNC personnel.

March 19, 2016: Campaign Chairman John Podesta received a fake email disguised as a notice from Google informing him that “someone just used your password to try to sign into your Google account” from Ukraine. The email instructed him to change his password immediately. A bit.ly link was provided within the email, disguised as a secure Google password reset page.

An aide to Podesta took the correct precaution after viewing an email that raised suspicion: reporting the email and requesting further instructions. The aide forwarded the phishing email to a computer technician hired by the DNC. However, the technician mislabeled it as “legitimate” and sent it back to Mr. Podesta. This mislabeling of the phishing email ultimately caused the compromise of Campaign Chairman Podesta’s email.

End users following best practices is not enough for enterprise cybersecurity, and the DNC breach highlights this point. Mr. Podesta’s aide took the correct step and forwarded the email to IT support; however, that person, in haste, mistyped a word and left the aide with the impression that either the phishing link or the real Google link was appropriate for changing the password and turning on two-factor authentication. Is your corporate cybersecurity hinging on one person’s email response? Enterprises need to have multiple layers of controls in order to protect the network appropriately. No enterprise should be one human error away from compromise.
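As an added illustration (not part of the original post) of what one such automated layer can look like: a mail-gateway check that flags the traits of the message described above, a password-alert lure, a URL-shortener link, and visible link text that names a brand or address the link does not actually point to. The message samples, shortener list, brand table and lure phrases are constructed for this example; a real deployment would feed them from threat intelligence and run the check on every inbound message, so the verdict never rests on a single person’s reply.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists for this example; in practice feed them from threat intel.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
BRAND_HOSTS = {"google": ("google.com",)}  # brand name -> legitimate link hosts
LURE_PHRASES = ("used your password", "change your password immediately", "reset your password")

# Constructed sample messages (the bit.ly path is a placeholder, not a real link).
SAMPLE_PHISH = """From: "Google" <no-reply@accounts-googlemail.example>
To: user@example.org
Subject: Someone has your password
Content-Type: text/html

<html><body>
<p>Someone just used your password to try to sign into your Google account.</p>
<p>Change your password immediately:
<a href="https://bit.ly/PLACEHOLDER">https://accounts.google.com/ServiceLogin</a></p>
</body></html>
"""

SAMPLE_LEGIT = """From: Google <no-reply@accounts.google.com>
To: user@example.org
Subject: Security alert
Content-Type: text/html

<html><body><p>Review recent activity:
<a href="https://myaccount.google.com/notifications">https://myaccount.google.com/notifications</a></p></body></html>
"""


class BodyParser(HTMLParser):
    """Collects (href, visible text) for every anchor, plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL or bare domain, with userinfo and port removed."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).netloc.lower().rsplit("@", 1)[-1].split(":")[0]


def looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def html_body(msg):
    """Return the decoded text/html part of a parsed message, or an empty string."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze_message(raw_message):
    """Return a list of (code, detail) findings for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    parser = BodyParser()
    parser.feed(html_body(msg))
    visible = " ".join(parser.text).lower()
    subject = msg.get("Subject", "").lower()
    findings = []

    # Layer 1: wording typical of a credential-reset lure.
    for phrase in LURE_PHRASES:
        if phrase in visible:
            findings.append(("password_lure", phrase))

    for href, text in parser.links:
        host = host_of(href)
        # Layer 2: shortened links hide the real destination from the reader.
        if host in SHORTENER_HOSTS:
            findings.append(("shortener_link", href))
        # Layer 3: visible address that differs from the actual link target.
        if looks_like_url(text) and host_of(text) != host:
            findings.append(("link_text_mismatch", f"{text} -> {href}"))
        # Layer 4: a named brand whose link does not go to that brand's hosts.
        for brand, hosts in BRAND_HOSTS.items():
            claimed = brand in text.lower() or brand in subject or brand in visible
            if claimed and not any(host == h or host.endswith("." + h) for h in hosts):
                findings.append(("brand_host_mismatch", f"{brand}: {href}"))
    return findings


def is_suspicious(raw_message):
    return bool(analyze_message(raw_message))


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_message(raw))
```

Each finding is independent, so a gateway can quarantine on any one of them or score them together; the point is that none of the four checks depends on how a human reads or replies to a forwarded email.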

For more information on how to spot a phishing email go to: fortalicesolutions.com/phishing

Photo: stocksnap.io by Jay Wennington