About the DNC Data Breach


Much has been made of the security implications of the recent Democratic National Committee's significant data breach. As of this writing, most experts are pointing to the Russian government as the likely source of the hack, but by all indications the DNC's own security was incredibly lax.

Some widely known techniques that we currently know the DNC was not making use of:

  1. Password complexity policies that require combinations of letters, numbers, and symbols like "@" or "&". Neglecting this allows an attacker to use a short dictionary of words to determine a password in a matter of a few minutes.
  2. Two-factor authentication. This is where you have both a password (Factor 1: Something only you would know) and demonstrate that you are holding some physical device such as your cell phone (Factor 2: Something only you would have). That combination is much harder for an attacker to crack, and had the DNC been using this approach their data would have been a lot harder for the Russians to access.
  3. Encryption of critical data such as credit card numbers and Social Security numbers. This means that if the attackers do manage to read your data, they won't be able to understand it unless they have the proper security key which you have stored on a different system.
  4. Setting, as a matter of policy, that internal communication uses internal email only. Email is not a secure communications mechanism. The contents of an email are transmitted around the Internet in plain text, which means that it can be intercepted and read in between the sender and the receiver. If the sender and receiver are both within your organization, then keeping all such emails inside your organization's own system will prevent them from being intercepted in transit.
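To make items 1 and 2 concrete, here is an added example (written for this page, not code from the DNC or from any vendor) of a login check that enforces a password policy, verifies a salted PBKDF2 password hash, and then requires a time-based one-time code (TOTP, RFC 6238) from the user's phone. The user record, the sample password and the shared secret are constructed for the demonstration; the secret `12345678901234567890` is the RFC 6238 test key, so the codes it produces can be checked against the published test vectors.

```python
import hashlib
import hmac
import re
import struct

# --- Item 1: password complexity policy -------------------------------------

def password_meets_policy(pw: str, min_len: int = 12) -> bool:
    """Require a minimum length plus at least one letter, one digit and one symbol."""
    return (len(pw) >= min_len
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def hash_password(pw: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, iterated hash; a leaked hash cannot be reversed with a short word list."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)

# --- Item 2: second factor (something you have): TOTP per RFC 4226 / 6238 ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, for_time // step, digits)

def verify_totp(secret: bytes, code: str, for_time: int, step: int = 30,
                digits: int = 6, window: int = 1, last_used_step=None):
    """Return the accepted time step, or None.

    Accepts codes from `window` steps either side of now to tolerate clock drift,
    compares in constant time, and refuses any step at or before the last one
    already used so an intercepted code cannot be replayed.
    """
    for drift in range(-window, window + 1):
        counter = for_time // step + drift
        if last_used_step is not None and counter <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None

# --- Both factors together ---------------------------------------------------

def make_user_record(password: str, totp_secret: bytes, salt: bytes) -> dict:
    """Constructed user record: only the salted hash is stored, never the password."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet the complexity policy")
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_step": None}

def authenticate(record: dict, password: str, code: str, now: int) -> bool:
    """Factor 1 (password) and factor 2 (TOTP) must both succeed."""
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return False
    step = verify_totp(record["totp_secret"], code, now,
                       last_used_step=record["last_step"])
    if step is None:
        return False
    record["last_step"] = step  # remember the step so the same code is not accepted twice
    return True

if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test key (constructed demo value)
    user = make_user_record("Tr0ub4dor&3xample!", secret, salt=b"demo-salt-0001")
    now = 59
    print(authenticate(user, "Tr0ub4dor&3xample!", totp(secret, now), now))  # True
    print(authenticate(user, "Tr0ub4dor&3xample!", totp(secret, now), now))  # False: replayed code
```

The `window` argument is the usual compromise between a phone whose clock is a few seconds off and the attacker's chance of guessing; the `last_step` bookkeeping is what stops a code that was phished or shoulder-surfed from being reused within that window.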

As best as we can tell, the DNC's systems were wide open to intrusion, not just by professional Russian government cyberwarriors but by curious kids casually trying to see what they could do for fun.

In one email, the DNC was pish-poshing the idea that their security was weak. Like many non-technical people, they were ignorant of the many risks they were taking. If you don't want to be caught in the same situation, contact us for a basic professional security evaluation.
