Alleged White House hack highlights typical security failings, say experts

The alleged penetration of sensitive White House computer networks highlights typical security failings, say information security experts

However, the White House has denied a CNN report that Russian hackers behind an intrusion at the US State Department in late 2014 also penetrated sensitive parts of the White House IT system.

US officials have also refused to confirm that Russian hackers were responsible for the breach, saying they “do not talk about where cyber intrusions originate from”, reported ABC News.

The statement attributed to deputy national security advisor Ben Rhodes comes in stark contrast to the US attribution of the November 2014 attack on Sony Pictures to North Korea that led to fresh sanctions.

However, US National Security Council spokesperson Mark Stroh said although the breach affected the unclassified "Executive Office of the President" network, any such activity is taken very seriously.

While separate from classified systems, that network is used to exchange sensitive information about White House activities.

“We took immediate measures to evaluate and mitigate the activity,” said Stroh.

According to the CNN report, the hackers were able to use the breach at the US State Department as a springboard for a subsequent attack against the White House.

CNN quoted an unnamed US official as saying the hackers had been able to access unclassified but prized "sensitive information, such as real-time non-public details of the president's schedule".

Security commentators have used the reports to highlight the need for those responsible for information security to adopt a more proactive approach.

Dwayne Melancon, chief technology officer at security firm Tripwire, noted that once an attacker gets into an organisation’s IT systems, it can be notoriously difficult to get them out.

“This is particularly true when your network and internal security controls allow the attacker to move around on your network without being noticed,” he said.

“That appears to be the case here, which could be the result of an outwardly focused security approach. If you assume the enemy is ‘out there’ you stop noticing their activities when they get ‘in here’.”

Melancon also noted that attribution is difficult because a savvy attacker can not only cover their tracks, they can often mislead investigators into believing someone else is behind the attacks.

He said he believes it is far more important for organisations to have a baseline understanding of what is normal on their internal network and systems.

“Without that understanding, it is difficult to tell which systems you can trust, which systems you can't and – more importantly – how to stop the attack and prevent future compromises,” said Melancon.
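The kind of baseline Melancon describes can be made concrete with a small piece of detection logic. The following is an added example, not code from the article, from Tripwire or from any of the parties involved: it learns which internal host-to-host connections are normal from a learning window, then flags later connections that fall outside that baseline, which is exactly the lateral movement that goes unnoticed when monitoring is focused only outward. All host names, ports and flow records are constructed for illustration.

```python
"""
Baseline-based detection of unusual internal network connections.

Added example. The flow records below are constructed and stand in for
the kind of internal connection logs (firewall, NetFlow, EDR) an
organisation would already have; nothing here is data from a real incident.
"""
from collections import defaultdict

# Ports commonly used for remote administration and file access; a host
# that has never used one of these as a source and suddenly does is worth
# a look. The set is a constructed example, not an exhaustive list.
ADMIN_PORTS = {22, 445, 3389, 5985}

# Constructed learning window: (timestamp, source, destination, dst_port).
# Workstations talk to the file server and mail; only the jump host uses RDP.
BASELINE_FLOWS = [
    ("2015-03-02T09:00", "ws-101", "fileserver", 445),
    ("2015-03-02T09:05", "ws-102", "fileserver", 445),
    ("2015-03-02T09:10", "ws-101", "mail", 443),
    ("2015-03-02T09:12", "ws-102", "mail", 443),
    ("2015-03-02T10:00", "admin-jump", "ws-101", 3389),
    ("2015-03-02T10:30", "admin-jump", "ws-102", 3389),
    ("2015-03-03T09:01", "ws-103", "fileserver", 445),
    ("2015-03-03T09:03", "ws-103", "mail", 443),
]

# Constructed later window: two flows match the baseline, two do not.
NEW_FLOWS = [
    ("2015-03-10T02:14", "ws-101", "ws-102", 445),      # workstation-to-workstation SMB
    ("2015-03-10T02:15", "ws-101", "ws-103", 3389),     # RDP from a workstation, not the jump host
    ("2015-03-10T09:00", "ws-101", "fileserver", 445),  # normal
    ("2015-03-10T09:02", "ws-103", "mail", 443),        # normal
]


def build_baseline(flows):
    """Return (per_host, admin_sources).

    per_host maps each source host to the set of (destination, port) pairs it
    was seen talking to; admin_sources maps each admin port to the set of hosts
    that were ever seen using it as a source.
    """
    per_host = defaultdict(set)
    admin_sources = defaultdict(set)
    for _ts, src, dst, port in flows:
        per_host[src].add((dst, port))
        if port in ADMIN_PORTS:
            admin_sources[port].add(src)
    return per_host, admin_sources


def find_deviations(baseline, flows):
    """Return a list of (ts, src, dst, port, reasons) for flows outside the baseline."""
    per_host, admin_sources = baseline
    alerts = []
    for ts, src, dst, port in flows:
        reasons = []
        # Has this host ever talked to this destination on this port?
        if (dst, port) not in per_host.get(src, set()):
            reasons.append("new destination/port for this source host")
        # Is this host using an admin port it has never used as a source before?
        if port in ADMIN_PORTS and src not in admin_sources.get(port, set()):
            reasons.append(f"source never used admin port {port} in baseline")
        if reasons:
            alerts.append((ts, src, dst, port, reasons))
    return alerts


def run_demo():
    """Build the baseline from the learning window and score the later window."""
    baseline = build_baseline(BASELINE_FLOWS)
    return find_deviations(baseline, NEW_FLOWS)


if __name__ == "__main__":
    for ts, src, dst, port, reasons in run_demo():
        print(f"{ts} {src} -> {dst}:{port}  {'; '.join(reasons)}")
```

Running this flags only the two workstation-originated flows: the SMB connection to another workstation is a destination ws-101 never had in the baseline, and the RDP connection additionally comes from a host that never acted as an RDP source. The two ordinary flows produce nothing. In practice the learning window must itself be clean (a baseline learned while the intruder is already inside will treat their activity as normal), and the host-level sets would be backed by a database rather than in-memory dictionaries, but the shape of the check is the same.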

Phishing operation the most likely avenue for hackers

Independent security consultant Graham Cluley said the most likely avenue for the hackers would have been a plain-and-simple phishing operation, tricking users into handing their passwords over to the hackers, or visiting a web page which contains a drive-by malware attack designed to pilfer login credentials.

“Yes, it's basic social engineering – but it works an astonishing amount of the time,” he wrote in a blog post, underlining the importance of educating users on how to recognise and report phishing and other social engineering attacks.

But Secure Channels chief executive Richard Blech said technology still has a role, arguing that in this case, strong encryption would have prevented the breach from even being a news story.

“Hackers are always going to get in, the data has to be encrypted when it is stolen, when removed the data will be useless. Or we can continue to treat real cyber security as an afterthought. The choice is ours, I will go with the encryption,” he said.

Although there has been no indication that the US is considering sanctions against Russia in retaliation for the breach, Tripwire security and risk strategist Tim Erlin speculated that it may have been one of the motivating factors behind US president Barack Obama’s recent executive order setting up a framework for imposing sanctions on foreign hackers.

“The information security industry is likely to be disappointed with the lack of details on how attribution was determined. There will no doubt be debate among experts,” he said.

“We live in a world where commerce is interconnected globally, and the increasing visibility of cyber attacks, along with nation-state attribution, will have a negative effect on business.”

Comments

"do not talk about where cyber intrusions originate from" unless it's North Korea, in which case we will shout it from the rooftops

you are sooo right :)

I'm naive. I've decided to own the tag. Because I used to think our government had access to the smartest minds and most secretive and secure technology. But when something like a common breach happens on their systems, it gets me worrying. How can I then be sure my IRS data, my social security info and whatever other stuff they've collected on me - and I'm sure it's more than any credit card company has - isn't now floating on some Russian server? I think it's time we hold ourselves and our government to a much higher standard.