A Threat to Employee Privacy Can Become an Attack on Your Organization

January 27, 2015

Secure Halo

You’re only as strong as your weakest link. That tired old adage has taken on new meaning when applied to the current state of cybersecurity, and often the weak links are a company’s employees. The fact is, every employee has the potential to present a security threat to his or her employer’s business in one way or another. That isn’t to say that every employee is a malicious data thief, but employees are certainly responsible for inadvertent behaviors that give rise to potentially devastating cyber incidents, some of them involving hacktivists and cybercriminals whose main goal is to cause business disruption and reputational harm. One way for malicious actors to do this is by exploiting employees’ personal privacy on third-party service platforms such as social media.

As an example, earlier this month it was widely reported that the Twitter and Facebook accounts of U.S. Central Command (CENTCOM) had been hacked by a group sympathetic to the terror group ISIS. Authorities believe the hackers gained control of the accounts by stealing the login credentials of a CENTCOM administrator, probably through weak procedural controls over how the Command promulgated and enforced minimum password composition requirements, through a phishing scam, or through keylogging malware. It is probably safe to say that the CENTCOM administrators did not use two-factor authentication for this service either, which paved the way for this breach to occur.

Once inside, the actors posted pro-ISIS messages and revealed personally identifiable information of retired general-grade officers, including home addresses and personal e-mail information. Although the account was quickly shut down following the breach, the event was quickly portrayed as a cyber attack against CENTCOM itself when in reality it was closer to an act of vandalism. Regardless of its severity, however, it caused great embarrassment to the Command and the Administration, and it offered the rest of us a teachable moment on how fast a breach of personal privacy can cause disruption and reputational harm to a parent organization.

First, it reaffirmed the importance of ensuring passwords meet minimum requirements in order to defeat brute-force tools. Regardless of the cause of this breach, passwords should always be at least 10 characters long, should not contain a full word or obvious things like a name, and must incorporate a unique combination of uppercase letters, lowercase letters, numbers, and special characters. If a credential is shared by more than one person in an organization (and especially if it is used for public-facing purposes), it should be stored securely in a controlled area, and mature procedural controls should be in place that prohibit access to these accounts from mobile devices or unsecured networks.
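The composition rules just described, implemented as an added example in Python (this is not code from the original post or from Secure Halo). The blocked-word list is a constructed stand-in for a real dictionary and name list, and the check also folds common character substitutions such as "@" for "a", which cracking wordlists apply, so that "P@ssw0rd" is still rejected as containing "password".

```python
import re

MIN_LENGTH = 10

# Character classes the policy requires: at least one of each.
REQUIRED_CLASSES = {
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}

# Constructed stand-in for a real dictionary plus employee and organisation
# names; a deployment would load these from files (assumption).
BLOCKED_WORDS = {"password", "welcome", "summer", "qwerty",
                 "admin", "twitter", "centcom", "smith"}

# Common substitutions seen in cracking rule sets; the password is checked
# both as typed and after undoing these, so "P@ssw0rd" matches "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                          "3": "e", "$": "s", "5": "s", "7": "t"})


def _normalise(pw: str) -> str:
    return pw.lower().translate(LEET_MAP)


def check_password(pw: str, blocked=BLOCKED_WORDS) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in REQUIRED_CLASSES.items():
        if not re.search(pattern, pw):
            failures.append(f"missing {label} character")
    plain, folded = pw.lower(), _normalise(pw)
    for word in sorted(blocked):
        # Short fragments would match almost anything, so only flag words
        # of four or more characters embedded in the password.
        if len(word) >= 4 and (word in plain or word in folded):
            failures.append(f"contains blocked word '{word}'")
    return failures


def is_acceptable(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2015!", "short1!A", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate) or "OK")
```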

Second, defense-in-depth perimeter and endpoint controls are a requirement, and phishing awareness as well as minimum access control measures like two-factor authentication are a must. Additionally, continuous holistic risk assessments help identify other potential ingress points of vulnerability, since any cyber risk assessment is insufficient if it ignores expert examination of the role of insider threat, physical security, and the unique vulnerabilities introduced by business dependencies. If you would like to hear more about how Secure Halo can help your organization defend its innovation, reputation, and execution, I would love to hear from you. Contact us.
