Article by Ondrej Krehel
The computer security press reported a while back on a hacker assault on the French Ministry of Economy, Finances and Industry.
The method of attack wasn’t exactly novel—spear phishing of government employees opened the backdoor.
It was, however, the largest such hacking attack against France.
The Australian government also was invaded recently, with the attacks originating in China.
U.S. intelligence alerted the Aussies to the breach; it was not picked up by an internal detection process.
This is no surprise: More than 50 percent of the organizations in the 2011 Verizon Data Breach Investigations Report were alerted to the breach by a third party.
Soon after the Australian breach was made public, the country’s National Audit Office criticized the Department of Prime Minister and Cabinet for allowing access to webmail services such as Gmail and Hotmail from government computers.
Just like the breach in France, the employees were victims of spear phishing on personal accounts.
So why is spear phishing so successful?
Governments, like many big businesses, have robust security programs, a layered cyberdefense plan, many technical elements of detection and protection, security audits, penetration testing and vulnerability assessments, all of which are regularly tested and implemented.
The incidents in France and Australia can be traced back to “information awareness” and the human factor, in the form of social engineering.
And that’s exactly what spear phishers target: They con employees into downloading, installing or simply clicking on malicious content.
So for all that big government data security, we have to ask, where is the cyberthreat training for employees?
What about information awareness training for security professionals?
It’s nice to have all the tech tools at hand to prevent a breach, but they don’t amount to much if no one knows how to extract intelligence from them.
Ondrej Krehel, Chief Information Security Officer, Identity Theft 911: Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.