Everyone with a vested interest in cybersecurity was at first shocked at the media headlines “CIA Director John Brennan and DHS Secretary Jeh Johnson emails hacked”. Once over the initial shock and reading below the headlines it became clear that it was the personal emails of the two government officials that were hacked, not their ‘official’ accounts, so nothing serious…right?
The story raises a few issues to be sure. First it illustrates that you have to be very guarded in what you say and do with your personal communications because once your hit the ‘Send’ key it is out there. Numerous current and former government officials are finding this out the hard way. According to reports, nothing important or sensitive was lost in the email hack. Or, a great deal of sensitive information was exposed depending on what version of the story you read or believe. If you believe the ‘anonymous’ hacker, data from the well know SF-86 forms was exposed. Needless to say the sensitive data from the SF-86 form of a high placed official in the CIA or DHS would be a gold mine of information for foreign powers. We’ll just have to wait and see where the truth finally lies.
What is really interesting is how the hack was done. Some might suspect that a special unit from a foreign power had been hard at work seeking to crack the data base that held such sensitive information. It turns out not to be the case. According to the reports a politically motivated ‘high school person’ with an axe to grind against our government’s activities in the Middle East was responsible…..a high schooler! And the hacker didn’t even use high power technology, he resorted to the tried and true low level technology of ‘social engineering’ to get access to the emails. Social engineering is in reality the old fashioned con man wrapped in modern technology. It simply gets people who should know better, to break established rules and give out information they know they shouldn’t. In this case the hacker called a well known communications company (granted it was a call center) and actually smooth talked them into giving out personal information on the two officials and leveraged that information to get passwords reset on their email accounts. Once the hacker had the passwords it was simply a matter of logging into the accounts and reading all the information (sensitive or not TBD) that the emails contained.
Social engineering is one of the favorite methods that hackers use to gain access to data. After all why bother with high tech and time if a simple phone call can get you the information you need. We can build high strong walls of cyber defense, but if someone cheerfully opens the gate for the hacker, all the defense is for naught. Human beings are generally a trusting lot and seek to be kind, courteous, and helpful to people, especially at a call center. To combat social engineering we need to train employees to be kind, courteous and helpful, but always with a suspicious and jaded eye towards activity that is out of the norm. If we do that much, we can cut down dramatically on the ease of which our systems are breached. If nothing else we will force those with malicious intent to work a bit harder for the data they seek.
Does cybersecurity fascinate you? Do you dream of a career in cybersecuity? You can do it!….Enroll in classes and explore your passion. The NCI through Excelsior College offers many degree options as well as certificates in cybersecurity.
Dr. Jane A. LeClair is currently the Chief Operating Officer at the National Cybersecurity Institute (NCI) at Excelsior College in Washington, D.C.