I worked with political figures for quite some time and most of them don't think twice about security of their networks. They hire people to do that. According to several press sources today there were warnings to the DNC that hackers were after information like what they had on hand. The DNC claims these were not very specific and did not raise any alarms there. Let's think about that a little bit.
This is almost the same language used by the folks who kept our security clearance records at OPM. They were hacked; they knew they were hacked; they couldn't see that any information had been taken. Don't worry about it, they say. The Chinese had been in their systems for 3 years by the time it was over and the damage is incalculable from the loss of that data. This is almost the same language used at IRS when hackers got into their records twice in the same year.
How specific does the information have to be to get understanding that hackers are after your data? There are some systems administrators and IT managers who want the type of attack being used and where the source of it is. They will take steps to shut it down by blocking the IP addresses of any country that is necessary, and getting some internal security that will help reduce the damage of phishing attacks. That does two things. First, it tells your adversary that you know they are hacking you and how they are doing it. That will cause them to change their attack vectors and work harder. Second, it focuses on doing a few things well, when a good deal more is required. It is laziness that causes them to ask for specific information about the attack, not curiosity or concern for the data. It produces the whack-a-mole mentality of attack prevention, always running behind the attacker.
Arrogance is the enemy. When professional work for a national organization with lots of politicos around, a person can easily get the idea that powerful people will cover for your mistakes. What you should think about is covering for them by doing security the way it is supposed to be done. OPM and IRS are just two of these cases where arrogance and "I know better than you" got the leadership into trouble. The DNC will sort this out and somebody will take the fall for it, but the pain is going to be great before it blows over. At the senior corporate levels and government leadership, ignorance is not the enemy, arrogance is. Being at the top of the food chain makes those people targets, but they can get security professionals who can make their systems reasonably secure. It is arrogance that allows them to turn things over to people who can't.
No comments:
Post a Comment