Monday, October 24, 2016

Embarrassing Emails - Can We Secure This?

I was recently asked to provide some thoughts on the subject of the unauthorized access and disclosure of personal email used by national leaders. Specifically referring to the email issues surrounding Hillary Clinton, Colin Powell, and John Podesta, I was asked the following:

  • How did this happen in a world where security issues are so well known?
  • Can we secure personal email to prevent this sort of thing from happening in the future?
  • Do consumer email providers, like Google, provide sufficient access controls and account security?
  • Is this an education problem and do we need to increase email security awareness?
  • Is there a way to keep humans from falling victim to phishing attacks?
  • Why would someone like these high profile individuals intentionally ignore security capabilities generally and easily available to them?
  • Why didn't they use authorized communication (email) channels?
  • Are these people not aware of modern threats like phishing and social engineering?
My short answer is, there is no excuse for this. In my opinion, these email leaks represent the consequence of poor judgement and lack of integrity by the individual whose account was exposed.

You see, the problem isn't technology. The simple answer to the email security question is yes: these people should have known better, and viable, effective security controls that could have prevented these outcomes were available to them. The core problem is that these individuals decided, for their own personal ambitions, to bypass the controls and boundaries provided to them in the forms of propriety, policy, and technology, and to do what they wanted to do in spite of risks they were well aware of. That's called selfishness. Additionally, they chose to record controversial, sometimes vulgar, and potentially illegal thoughts and actions in writing. When exposed, that embarrassed them and revealed their true character and thoughts. That's an integrity and character issue, and you can't fix it with technology. We have social boundaries and morality to guide our public expressions, and tools of accountability to enforce integrity. If you choose to bypass those boundaries and extend your private thoughts and actions into the public realm via a means like consumer email, you are destined to have those private thoughts exposed. If your private thoughts and actions are immoral, illegal, or otherwise questionable, then when they are exposed you will be embarrassed, as will those you have implicated in your communications. The issue with electronic communications is that once you send a message, you can't take it back, and you lose control over where it goes and who has access to it. I can provide you with all the safety features you need, but if you choose not to use them, and intentionally take on the risk of what will happen without them, then what happens next is on you, not me. So it is with email security.

The core problem is one of morality, submission, integrity, humility, and, honestly, selfishness. What we saw from Clinton, Powell, and Podesta is a decision that they wanted to do what they wanted to do, how they wanted to do it, despite the boundaries (legal, moral, and protective) provided to them. That's arrogance and selfishness. They felt that getting their thoughts communicated to facilitate their actions was more important than the controls they violated. I encounter this on a daily basis in my job. Employees who don't like the security policies and controls implemented to keep them and the company safe look for ways to bypass security to get things done that they want, or to use things they prefer over what has been provided to them. This is an issue of pride, integrity, and submission. Everyone has personal preferences. Everyone has their own way of going about things. However, when we come together as a group, community, or nation for a collective objective, we must establish structure around how we will operate together, and we must all set our personal preferences aside to be successful. I'm not pitching socialism here. I'm simply saying that there are times, especially when we form as a unit to accomplish some goal, when we must set our personal preferences aside for the sake of the unit and the outcomes we seek. This is especially true for public figures who are directly involved in policy making and governance for our nation. Those individuals need to learn to respect the office they represent and the people who will be affected by their actions.

If you are part of a corporation or formal organization, you must adhere to the policies and standards defined by that corporate body. To do otherwise is immoral. If you are part of society, you must adhere to the social norms and laws established by that society; otherwise society won't work. It's clear from what has been exposed in these leaked emails that these individuals, Clinton, Powell, and Podesta, had their personal gain in mind above everything else. They went rogue, and selfishly so.

As far as security awareness is concerned, again, I believe there is no excuse for these individuals. Clinton and Powell have served in various capacities at the highest levels of national security within our government. There is no possible way that they were kept isolated for decades from the concern of information leakage. Powell, as a General in the US Army, would be well aware of the need for operational security (OPSEC) and for governing frameworks that ensure mission protection (including communications security). The cybersecurity story has been in national headlines for over a decade. If these individuals were unaware of the email security issue, then they are unfit to lead a nation. The Department of State has an information security program. Once upon a time, I supported it directly. It would be nearly impossible, and would take deliberate effort, for the head of a federal agency to be unaware of the security issues and risks that agency faced, especially cyber risks today, and especially following the major federal breach of a few years ago. Presidents Bush and Obama signed executive orders regarding cybersecurity, and major consolidation of threat monitoring among government agencies occurred while Powell and Clinton were engaged in their formal roles. As the spouse of a former President, Clinton should be well aware of the risks of working beyond established boundaries, and of the potential ramifications of "leaks." There is simply no excuse for these individuals.

So, what about the technical aspect, and what can people use that is effective?

When it comes to email security, there are a few simple and effective solutions available to you. The first is Multi-Factor Authentication, or MFA. Many banks offer MFA as a standard for online banking, as do the major email providers. MFA simply means that more than one type of authentication is required to access your account: something you know (a password) plus something you have (a device that receives or generates a single-use code). The most familiar form is a code sent to your phone by text message when you sign in; an authenticator app that generates time-based codes on the phone itself, or a hardware security key, is a stronger form of the same idea. A code sent to the same email account you are signing in to is not a second factor at all. With MFA enabled, someone who has only your password still cannot get in; they also need your phone or your key. One caveat worth knowing: a code that you type into a web page can be relayed in real time by a convincing phishing page, so text-message and app-generated codes limit the damage of a stolen password but do not eliminate phishing. A hardware security key that checks the site's origin (such as a U2F key) does resist that. For the most part, though, an attacker who has only your password cannot get beyond MFA if you use it correctly.

However, even with MFA, you must still handle your account information with care. Passwords should be long, and they should be unique to each site: a minor variation on a password that has leaked from one site is easily guessed for another, so use a password manager to generate and store a different password per site. Refrain from publishing personal information (birth dates, pet names, the answers to common "security questions") that could be used to reset or recover your accounts by other means. Finally, take care with your browsing habits so that the device that receives or generates your MFA codes stays clean; if that device is compromised, the second factor can be captured along with the password.

Additionally, there are solutions that monitor and analyze the email messages you receive to identify harmful messages that may be used to install malware on your computer. The most effective technology we have today for this is dynamic sandbox analysis: any file or link you receive via email is opened in an isolated environment, and the analyzer watches whether it performs malicious actions (dropping files, changing startup settings, contacting a command-and-control server) before the message is delivered to you. Sandboxing is highly effective at threat detection and prevention when used correctly. Malware, once installed, can be used to perform many functions, including stealing your stored passwords or directly recording your keystrokes. That can lead to unauthorized account access without your knowledge. MFA blunts the value of a stolen password, but malware running on your device can also copy the session token your browser holds after you have logged in, so keeping the endpoint clean matters even with MFA in place. Solutions that detect and prevent malicious email are widely available, but are usually adopted by companies or organizations because of their expense. Effective solutions are provided by security vendors Palo Alto Networks, Proofpoint, FireEye, CrowdStrike, Fortinet, McAfee, and others. This is one more reason that using sanctioned email systems on approved provider networks is the best idea for official email.

There are also solutions that monitor and analyze websites, both proactively and reactively, to determine whether any malicious content or code exists on a page that might compromise your computer or information. Once analyzed, these vendors categorize the website based on the content served, the risk of exposure, and whether malicious attributes are present. These reputation lists are widely shared and reused across the information security industry, providing broad coverage of known and analyzed websites. You can leverage these lists to keep yourself from landing on malicious sites unintentionally. Adversaries also use numerous tactics to spoof websites so that you think they are legitimate (look-alike domain names, a trusted brand name buried in a longer hostname, internationalized characters that render like Latin letters), or to poison legitimate websites with malicious code that leads to malware being installed on your computer. For consumers, Google provides some website validation and checking in its browsers (Safe Browsing), but more robust website analysis solutions are available from some of the same providers I mentioned before, as well as from consumer-focused products by Symantec, McAfee, Sophos, Trend Micro, Microsoft, and others.
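Reputation feeds answer "is this exact domain known bad?"; the spoofing tactics above need heuristics on top. The following is an added example, not code from the original post or any vendor product, of a small URL assessor that combines an exact blocklist lookup with checks for the spoofing patterns described: a trusted brand embedded in someone else's hostname, a typosquat within a small edit distance, a `user@host` trick, an IP-literal host, and punycode labels. The blocklist, the protected-brand list, and the tiny stand-in for the public suffix list are all constructed for the example; a real deployment would use vendor feeds and the full Public Suffix List.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed for the example (not a real reputation feed).
BLOCKLIST = {"login-verify-account.example", "secure-update.example"}
# Names whose look-alikes we want to catch (constructed list; sorted so output is stable).
PROTECTED_BRANDS = ("gmail.com", "google.com", "state.gov")
# Tiny stand-in for the Public Suffix List; only the suffixes this example needs.
SUFFIXES = {"com", "net", "org", "gov", "example", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname (one label in front of the public
    suffix). Longer suffixes are tried first so 'co.uk' wins over 'uk'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquats such as goog1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def assess_url(url: str) -> dict:
    """Classify a URL as allow / warn / block, with the reasons that fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not_https")
    if parts.username is not None:
        # https://google.com@evil.example/ displays a trusted name but goes to evil.example
        reasons.append("userinfo_in_url")
    if not host:
        reasons.append("no_host")
        return {"host": host, "domain": "", "verdict": "block", "reasons": reasons}
    if is_ip_literal(host):
        reasons.append("ip_literal_host")
        domain = host
    else:
        domain = registrable_domain(host)
        if any(label.startswith("xn--") for label in host.split(".")):
            # Internationalized label: may render as a homoglyph of a Latin brand name.
            reasons.append("punycode_label")
        if domain in BLOCKLIST:
            reasons.append("blocklisted")
        if domain not in PROTECTED_BRANDS:
            for brand in PROTECTED_BRANDS:
                if brand in host:
                    # e.g. accounts.google.com.secure-update.example: brand used as bait
                    reasons.append("brand_embedded:" + brand)
                elif levenshtein(domain, brand) <= 2:
                    reasons.append("lookalike:" + brand)
    hard = [r for r in reasons if r != "not_https"]
    verdict = "block" if hard else ("warn" if reasons else "allow")
    return {"host": host, "domain": domain, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for u in ("https://mail.google.com/mail/",
              "http://accounts.google.com.secure-update.example/login",
              "https://goog1e.com/login",
              "https://google.com@evil.example/"):
        print(u, "->", assess_url(u)["verdict"], assess_url(u)["reasons"])
```

The edit-distance threshold of 2 is a tuning choice: short brand names produce more false positives at that distance than long ones, so real products weight it by length and by whether the candidate domain resolves to infrastructure the brand actually owns.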

Finally, there are many endpoint security solutions out there, often referred to by their legacy name, Anti-Virus, that monitor your computer for the presence of malware. They are designed to keep your system clean so that information cannot be stolen from it. Modern versions are referred to as endpoint protection solutions. These solutions are highly effective, especially when used in conjunction with most if not all of the above. In fact, you can argue that a highly effective endpoint protection solution makes some of the network-based inspection and protection technologies I mentioned above redundant: if you can prevent malware from running on your endpoint, then it matters less whether you received it or were exposed to it in the first place. The caveat is that endpoint protection is the last layer, and it only sees what the attacker has already delivered, so it should back up the earlier layers rather than replace them.

What endpoint and network inspection technologies do not give you is protection against people using legitimate credentials to access legitimate accounts in legitimate ways. What I mean by that is, if I'm not using some secondary validation method (like a single-use code), Google can't reliably tell whether it's me using my password to log in to my Gmail account or you using my password to log in to my Gmail account. Yes, there may be ways to profile user behavior and make some educated guesses, but in my opinion that invades privacy, and there are other ways to protect your account that remove that risk.

If you effectively leverage these solutions as a layered defense, you will have an extremely low likelihood of being the victim of a security incident, and if you are, it's doubtful that anything could have prevented it. At the end of the day, your security is in your hands.
