One thing I’ve noticed with a few of the recent high-profile attacks and breaches is that the human element played a significant role. The technology used to stop, thwart, defend against and otherwise render these attacks useless can be the best in the world, but if people make mistakes, that can be the chink in the armor. While many companies focus on deploying infrastructure services to block malicious activity, there still needs to be continuing education for the fallible humans that we are. We often talk about how the attacks are evolving, from the network to the application and everything in between, and about how technology needs to adapt to the changing threat landscape. So if the attacks are getting better, more sophisticated and ever changing, then people need to be aware that their behaviors need to adjust as well.
RSA has said that their breach was due to a spear phishing attack. The thieves sent emails to various RSA employees with the subject: 2011 Recruitment Plan. While the email itself went directly to the spam/junk folder, it was intriguing enough for one person to move it out of junk and open the infected Excel attachment. From there, a remote access tool called ‘Poison Ivy’ went to work, looking for various employee credentials. The attackers finally found their target, stole the data and sent it to another infected machine for transmission. Luckily for RSA, they noticed this anomaly and stopped the attack. It probably could have been much worse.
With HBGary, we’ve learned that many human factors played a role in this situation – social engineering, weak passwords and poorly written code. Technology really can’t defend against easy-to-crack passwords or people giving up information. These were not highly sophisticated attacks but basic errors that people made along the way. It should remind us to look at our own passwords and maybe make a few changes. It should remind us that if an authoritative-sounding someone contacts you asking for sensitive information, you should be very cautious. There is nothing wrong with saying, ‘I don’t feel comfortable sharing that,’ or even ‘I’m not sure; I don’t know,’ especially if you have not verified who that person is. Personally, I’d rather make an IT admin’s job a little harder than make a malicious hacker’s job easier.
To be fair, I’m not picking on those companies or the people involved; I’m sure they wish they could go back and do things differently. It should, however, be a lesson to us all that good security involves both technology and people, and that a good security policy also includes education. Sometimes technology can save us from ourselves, but if you don’t lock your front door, you can’t expect your house to be safe.