Charles Leaver – Design Insecurities Need Fixing After UK Parliament Email Breach

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


In the online world the sheep get shorn, chumps get chomped, dupes get deceived, and pawns get pwned. We have just seen another prime example of this in the recent attack on the United Kingdom Parliament e-mail system.

Instead of admitting to an e-mail system that was not secure by design, the official statement read:

Parliament has robust procedures in place to protect all of our accounts and systems.

Tell us another one. The one protective procedure we did see in action was deflecting the blame: the Russians did it, that always works, while accusing the victims of policy violations. While details of the attack are limited, combing through numerous sources does help assemble at least the gross scenario. If these accounts are reasonably close, the UK Parliament email system's failings are egregious.

What failed in this case?

Rely on single-factor authentication

“Password security” is an oxymoron: anything protected by a password alone is insecure, full stop, irrespective of the password's strength. Please, no 2FA here; it might hamper attacks.

Do not impose any limit on failed login attempts

Combined with single-factor authentication, this permits simple brute-force attacks, no skill required. But when breached, blame elite foreign hackers; no one can verify it.

Do not implement brute-force attack detection

Let attackers run (otherwise trivially detectable) brute-force attacks for extended periods (twelve hours against the United Kingdom Parliament system) to maximise the scope of account compromise.

Do not enforce policy; treat it as mere recommendations

Combined with single-factor authentication, no limit on failed logins, and no brute-force detection, do not enforce any password strength validation. Serve attackers the lowest-hanging fruit.
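The last three failings above (no lockout on failed logins, no brute-force detection, unenforced password policy) each have a small, standard countermeasure. The following is an added example, not code from the Ziften post or from Parliament's systems: it implements a sliding-window account lockout, a per-source brute-force detector run over constructed auth-log lines, and a password-policy check. The log-line format, the IP addresses, the account names, the thresholds and the common-password shortlist are all constructed here and are not taken from the incident.

```python
"""Account lockout, brute-force detection and password-policy checks.

Added example for this post; not Ziften's or Parliament's code. All log
lines, thresholds and the common-password list are constructed here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth-log line shape (not any real product's log format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def build_sample_log():
    """Construct synthetic log lines: one source spraying five accounts for
    about eight minutes, plus a legitimate user who mistypes once."""
    base = datetime(2017, 6, 23, 1, 0, 0)
    users = ["alice", "bob", "carol", "dave", "erin"]
    lines = []
    for i in range(25):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()}Z auth FAIL user={users[i % 5]} src=203.0.113.7")
    legit = base + timedelta(minutes=3)
    lines.append(f"{legit.isoformat()}Z auth FAIL user=bob src=198.51.100.5")
    lines.append(f"{(legit + timedelta(seconds=30)).isoformat()}Z auth OK user=bob src=198.51.100.5")
    return lines


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


class LoginGuard:
    """Sliding-window lockout: max_failures failures within window lock the
    account for lockout; a successful login resets the failure counter."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # user -> recent failure timestamps
        self.locked_until = {}               # user -> datetime the lock expires

    def attempt(self, user, ts, success):
        """Return 'LOCKED', 'ALLOWED' or 'FAILED' for a login attempt at ts."""
        if self.locked_until.get(user, ts) > ts:
            return "LOCKED"
        if success:
            self.failures.pop(user, None)
            return "ALLOWED"
        recent = self.failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout
            recent.clear()
            return "LOCKED"
        return "FAILED"


def replay(lines, guard=None):
    """Replay parsed events through a LoginGuard in time order and return
    the sequence of outcomes per user."""
    guard = guard or LoginGuard()
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    outcomes = defaultdict(list)
    for ev in events:
        outcomes[ev["user"]].append(guard.attempt(ev["user"], ev["ts"], ev["result"] == "OK"))
    return dict(outcomes)


def detect_brute_force(lines, threshold=20, window=timedelta(minutes=10)):
    """Flag any source with at least threshold failures inside one window.
    Returns {src: {"failures": total, "distinct_users": n}}."""
    fails = sorted((e for e in map(parse_line, lines) if e and e["result"] == "FAIL"),
                   key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for ev in fails:
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = {"failures": len(evs),
                               "distinct_users": len({e["user"] for e in evs})}
                break
    return alerts


COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed shortlist


def check_password_policy(password, min_len=12):
    """Return the policy rules the password breaks (empty list if it passes)."""
    violations = []
    if len(password) < min_len:
        violations.append("length")
    if not any(c.islower() for c in password):
        violations.append("lowercase")
    if not any(c.isupper() for c in password):
        violations.append("uppercase")
    if not any(c.isdigit() for c in password):
        violations.append("digit")
    if password.lower() in COMMON_PASSWORDS:
        violations.append("common")
    return violations


if __name__ == "__main__":
    log = build_sample_log()
    print(replay(log)["alice"], detect_brute_force(log), check_password_policy("password"))
```

On the constructed log the spraying source trips the detector once twenty failures fall inside a ten-minute window, and the account "alice" locks on its fifth failure, while the legitimate "bob" login still succeeds because his one typo plus the spray's hits on his account stay below the lockout threshold. Lockout and detection are deliberately separate: lockout protects individual accounts, whereas the per-source detector is what tells defenders an attack is in progress even when it is spread thinly across many accounts.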

Rely on unsigned, unencrypted email for sensitive communications

If adversaries do succeed in compromising email accounts or sniffing your network traffic, give them ample opportunity to harvest high-value message content entirely in the clear. This also conditions constituents to trust easily spoofable email from Parliament, creating an ideal environment for phishing constituents.

Lessons learned

In addition to adding “Good Sense for Dummies” to their summer reading lists, the United Kingdom Parliament email system administrators might want to take further action. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and completely reassessing secure messaging are the suggested steps. Penetration testing would have uncovered these foundational weaknesses while staying out of the headlines.

Even a few bright high-schoolers with a free weekend could have replicated this breach. And finally, stop blaming Russia for your own security failings. Assume that any weakness in your security architecture and policy framework will be found and exploited by some cyber criminal somewhere on the global internet. That is all the more incentive to find and fix those weaknesses before the adversaries do, so turn the pen testers loose. And if your defenders lack visibility into attacks in progress, upgrade your monitoring and analytics.