Several weeks ago, the FBI and Secret Service launched an investigation into a report claiming a 13-year-old American high school student hacked into the AOL email account of CIA Director John Brennan, exposing sensitive information.
Security experts are warning that the attack, which occurred in the middle of Cybersecurity Awareness Month, speaks to the current state of cybersecurity in America. Despite the increasing number of damaging, high-profile data breaches, organizations and government agencies continue to fall victim to both sophisticated attacks and simpler ones like the breach of Brennan’s email account.
“As compared to other recent attacks, this particular attack could be considered less sophisticated,” Kurt Rohloff, a cyber security expert and professor at New Jersey Institute of Technology, told Homeland Security Today. “I believe it speaks to the current state of cybersecurity in America and that with the vast number of Internet users and the vast number of online accounts we all have, even relatively simple attacks will at times be successful, and we need to always remain vigilant.”
The teenage hacker allegedly tricked Verizon into giving him access to Brennan’s email account. While clever, the attack did not utilize sophisticated computer skills or hacking techniques. In the wake of the breach, WikiLeaks began publishing documents stolen from the account. The private documents contained sensitive information, including social security numbers, contact information and the personal information of US intelligence officials.
Speaking about the matter for the first time on Tuesday at a George Washington University conference co-sponsored by the CIA, Brennan expressed outrage over the publication of the sensitive data, and scolded media outlets for suggesting impropriety on his part.
“I think sometimes there is this ever-present thirst for trying to make something sexier and also blow it up more than it is, and also giving air to what is criminal activity and propagating information,” Brennan said. “I think that was inappropriate by some.”
Brennan also said the incident shows everyone is at risk on the Internet. The hack highlights the importance of keeping pace with the increasingly skilled cyber actors who intend to cause harm.
“What it does is to underscore just how vulnerable people are to those who want to cause harm,” Brennan said. “And so I think it does epitomize, in many respects, what we have to deal with in this increasingly modern and interconnected world. It’s a reality of the 21st century.”
The email hack is the latest in a long string of recent government security breaches. Earlier this year, a massive breach of the Office of Personnel Management resulted in the compromise of the personally identifiable information of more than 20 million federal workers. Months beforehand, the Department of State acknowledged that hackers breached its unclassified email system.
In addition, recently there has been a huge controversy over Hillary Clinton’s use of a private email server as Secretary of State.
Ed Cabrera, vice president of cybersecurity strategy at global security software company Trend Micro, said the hack of the CIA director’s private email account illustrated how dangerous it can be for employees to mix personal and professional emails on a computer or mobile device.
A recent Trend Micro report revealed government data breaches occur in waves, with 2015 being the latest surge of attacks. Furthermore, analysis of data breach information from 2005 through 2014 showed 57.4 percent of information stolen in government breaches is personally identifiable information.
Although cyberattacks over the past several years have served as a wake-up call, agencies need to think more proactively to stop advanced attacks before they have a chance to do real damage.
“This is a clear demonstration why it’s important to keep personal and professional email separate,” Cabrera said. “Attacks against personal email aren’t new – going back to 2008, a vice presidential candidate’s email account was compromised by an attacker who social engineered the password reset features. While we don’t know what the exact attack was here, social engineering is a common means to target webmail accounts. To remain as safe as possible, users should use two-factor authentication where they can and select security questions that can’t be answered based on easy-to-find information.”
“Training could begin to address these issues,” Cabrera added. “Other solutions could be driven by letting the government employees use government-managed (or at least government regulated) unclassified email services for high-level individuals so that government employees could better track the use of these e-mail accounts to more quickly detect attacks.”
Similarly, Rohloff asserted that unlike previous attacks on government agencies over the past several months, the hack of Brennan’s account appears to be more primitive in nature. The attack’s lack of sophistication points to the need for greater precautions to avoid future incidents.
The lesson to be learned is the human factor opens up government agencies and businesses to serious cybersecurity vulnerabilities. Although the focus of many organizations is on countering sophisticated attacks, this latest breach demonstrates the need to focus on basic security measures as well, like placing sensitive information in the appropriate places.
Rohloff said, “The majority of these kinds of attacks are driven by human weakness where the target violates some policy, either (such as in the CIA Director’s case) putting sensitive material in places it should not be placed (such as his clearance application and draft policy documents on an unsecured e-mail service), or by using weak passwords and other inadequate security techniques.”