Organizations rebuilding after a security breach learned some valuable lessons, and other organizations should pay attention to the recovery effort and apply those same lessons. For organizations worried about phishing attacks and the prospect of losing control over their files (isn't that practically everyone?), the checklist from the Democratic National Committee is a good place to start.
After phishing played a central role in the breach that let attackers steal internal emails during the 2016 United States presidential election, the DNC tech team has been running phishing simulation tests on staffers since September. DNC staffers are getting better at spotting, reporting, and avoiding phishing emails: nearly 80 percent of staffers either do not click on the links at all or ask clarifying questions about the links before doing so, DNC CTO Raffi Krikorian told CyberScoop.
“People have such PTSD about what happened in 2016 that there’s a real desire to improve [security] here,” Krikorian told CyberScoop.
Making sure employees can recognize phishing is an important part of security defense, but the DNC can't rest all of its defenses on every staffer's ability to detect every malicious link, every single time. Krikorian also issued a checklist of security best practices, which CyberScoop uploaded to DocumentCloud, so that even if someone makes a mistake, the attackers don't automatically succeed. While the goal is to protect devices and accounts in a phishing attack, following the checklist would also help organizations improve security in other situations, such as lost or stolen devices and malware outbreaks.
The major points on the checklist are installing updates on phones and laptops; turning on encryption on phones and laptops; generating strong, unique passwords and storing them in a password manager; and turning on two-factor authentication wherever it is available for online banking, social media, and email accounts.
No one should look at the list of best practices and assume it will stop all attacks, but it closes off some of the easier avenues of attack.
“If we can just raise the baseline security of most people and the campaigns, if we can do the simple things right, than [sic] it will have a disproportionally positive effect,” Krikorian said.
Checklists don't have to be a dirty word in security. This list is especially useful because instead of just listing to-do items, it breaks each item down into specific tasks so that staffers know exactly what to do. For example, the item for installing software updates in a timely manner on mobile phones and laptops has separate tasks for manually checking for and applying updates on each operating system, as well as for updating installed apps. The encryption item specifically says to turn on encryption for laptop hard drives, set a laptop passphrase longer than 12 characters, and set a phone unlock code longer than 6 characters.
"After all, an intrusion into someone else’s account can lead to an intrusion in yours. We all need to find ways to protect the herd," the document said.
The checklist reflects some of the lessons the DNC has learned since the breach, such as the focus on protecting both personal and work accounts. In 2016, the attackers targeted staffers' personal Gmail accounts because the DNC had already enabled two-factor authentication on staff accounts.
"Attackers will follow the path of least resistance. If you harden your personal and work accounts, the next best path may be through family members. Although we realize it may be a challenge to get families to complete this checklist, the reality of the current climate is that they should," the document said.
While it's fair to say that these measures may not hold up against targeted, non-commodity attacks like the ones the DNC should be considering in its threat model, Krikorian is right that there would still be a positive impact on overall security. Raising the cost of an attack by forcing attackers toward more sophisticated approaches (and perhaps increasing the likelihood of detection) is a good outcome for defenders.
The DNC is organized differently from most other enterprises, but the security and technology challenges it faces, such as defending against phishing and paying down technical debt, are familiar ones. “[You] can have the best technical defenses, but the weakest link could be your people...So culture change is probably one of the biggest things that we need to execute on,” Krikorian said in an episode of the podcast The Great Battlefield.