The US Senate is just the latest target in what seems to be an unending string of hacks this summer against high-profile targets—including Citigroup, Sony and the IMF to name just a few. As they so often do, BankInfoSecurity has a good summary of the latest attack targeting senate.gov (see “Group Claims Hack on Senate Computers“).
In that article, the Sergeant at Arms for the Senate is quoted on the extent of the security breach, claiming that, “The intruder did not gain access into the Senate computer network and was only able to read and determine the directory structure of the files placed on senate.gov. That server is for public access on the public side of the Senate’s network firewall, and any files that individual Senate offices place there are intended for public consumption.”
In related news, this InformationWeek article (see, “What Do IMF, Citigroup, And Sony Hacks Share?“) caught my eye. Of particular interest to readers of this blog, that InformationWeek story posits that—while the recent IMF (International Monetary Fund) compromise could possibly have been caused by compromised RSA SecurID tokens—a more likely vector is good old-fashioned phishing. Author Mathew J. Schwartz notes:
“Instead [of SecurID], most security experts suspect spear-phishing to be the cause. This technique, which uses personalized but fake emails to entice recipients into installing malware or visiting malicious websites, has lately been on the rise.
“Earlier this month, for example, Google warned Gmail users about a spear-phishing attack that was targeting high-ranking politicians, among others, and alleged that the attacks had originated in Jinan, China. According to news reports, the city’s Lanxiang vocational school may train computer engineers for the People’s Liberation Army. Both the Chinese government and the school have denied any involvement in the Google attacks.”
The article concludes with a thought-provoking quote from Gretchen Hellman, the VP of product management at (data security vendor) Vormetric who, when asked why so many organizations are suffering system breaches lately, says that organizations have been focusing on complying with regulations, rather than taking a top-down look at what most needs to be secured.
“… there’s been a focus on complying with regulations, and not focusing on a strong, holistic, layered security program–everything from end user awareness training to encrypting and controlling access to data with a strong separation of duties program, to monitoring activity to ensure that you can capture malicious activity as soon as it starts,” says Hellman.
Indeed, just “ticking the boxes” on a compliance checklist doesn’t—in itself—necessarily equate to better security. Of course, IT security personnel need to allocate limited resources in a sensible manner based on relative risks.
Given that advanced forms of phishing attacks continue to be one of the most dangerous risk vectors, it’s worth taking a closer look at whether one’s current email security defenses are up to protecting against the latest attacks.