Russian hackers might have hacked the White House -- again. And the way they got in could have been through an innocent-looking email.
Earlier this week, hackers penetrated the "Executive Office of the President" network, which is used to exchange information that -- while unclassified -- is highly sensitive and sought after by foreign intelligence agencies, according to reports from CNN and others.
The culprits are believed to be the same hackers behind the cyberintrusion of the U.S. State Department's email system last year, U.S. officials briefed on the matter told CNN. They said that these hackers, whom the department has been struggling to rout since November, used that system to penetrate the White House network. Agencies involved with the investigation told CNN that they consider the cyberattack one of the most sophisticated ever launched against the U.S. government's systems, leading them to believe that the Russian government is involved (a claim the White House hasn't confirmed).
Yet despite the sophisticated nature of the White House breach, the way it began was deceptively simple: with a spear phishing email from a State Department email account, the U.S. officials said.
Sound familiar? That's because another recent high-profile cyber break-in, on Sony Pictures, also started with a spear phishing email. And there have been countless other spear phishing attacks in recent years -- some on organizations you wouldn't expect. Victims include RSA, the security division of EMC Corp., as well as Oak Ridge National Laboratory, which conducts security research for the federal government. Countless isn't that much of an exaggeration. Approximately 91% of hacking attacks start with a phishing email, Wired estimates.
The Sony attack, attributed to North Korea, also showed that the private sector is vulnerable to spear phishing attacks from foreign governments. The event prompted James Clapper, Director of National Intelligence, to address the private sector directly at an FBI conference on cybersecurity earlier this year. One of his commandments? Make sure employees know what spear phishing looks like.
"So many times, the Chinese [government] and others get access to our systems just by pretending to be someone else and then asking for access, and someone gives it to them," Clapper warned.
Spear phishing message: Just don't click
One reason spear phishing attacks are so common is that they're so successful, said Wired's Kim Zetter. For starters, because they're in the form of emails, they appear legitimate and are therefore not caught by firewalls or other perimeter-based security tools. What's more, "employees click on that at an alarming rate, even when emails are obviously suspicious," she writes.
Yet despite the crucial role employees play in companies' security chain, their awareness of security best practices still lags and appears to be getting worse, according to a 2015 information security survey by PwC. Fifty-one percent of respondents, from a pool of 9,700 high-level executives worldwide, reported that they have a security awareness and training program -- down from 60% the previous year. Furthermore, only 36% of these executives said their boards of directors are involved in security policies.
The disconnect, the report's authors state, ultimately comes down to a general breakdown in how organizations communicate with employees on important topics. While 84% of the CEOs surveyed by PwC said they believed their strategies deliver on business goals, only 41% said their employees understand the strategy well enough to make the right decisions day to day.
CIOs and directors of IT are not blameless either, according to Kathleen Richards, features editor of Information Security magazine, citing a CompTIA survey on the lack of security training provided by IT organizations.
Behavioral modification from infosec tools
Andrew Walls, a vice president at Gartner Inc., told me that some companies are turning to another tactic to combat what seems to be our inability to resist clicking on email solicitations, even highly suspicious ones: a breed of security tools, such as Wombat and PhishMe, that focus on altering how employees react to phishing emails. As security teams send employees customized messages that simulate phishing emails, the anti-phishing tools monitor how employees respond, and then they generate reports about how well the employees performed. Organizations can then use the data to pinpoint problem areas and develop training programs. Still, the tools are not failproof. "These solutions, which focus on altering the behavior of employees in reaction to phishing emails, will never be perfect," Walls said.
Never? I doubt that. Until they are, however, the standard best practice still holds true:
"Employees can play a major role in detecting and responding effectively to social engineering threats, but the most effective approach is to combine employee-based risk management with automated, infrastructure-based risk management," said Walls.
CIO news roundup for week of April 6
Here are more tech happenings from the week:
- It's one thing for foreign actors to try to gain access to your network; what if it's your own government? Last week, FBI Director James Comey renewed his campaign to introduce backdoors into tech companies' encryption programs. The response of online privacy activist Sunday Yokubaitis: Encryption is our fundamental right.
- At long last, you can now pre-order your Apple Watches! To help you decide whether to buy one, Time has collected a bunch of reviews, ranging from the very excited (a New York Times reporter says that "someday soon, it will change your world") to the unconvinced ("I've found the experience somewhat inferior to that with a conventional wristwatch," notes a Bloomberg reporter).
- Add Microsoft to the growing list of mobile payment players. There are signs that the company could be joining Android, Apple and Samsung in providing payment services, Ars Technica reports.
- Did you know you could serve divorce papers over Facebook? Last week a Manhattan Supreme Court justice ruled that the social network was an appropriate platform for a Brooklyn nurse to serve her husband a divorce summons. Virtual reality creeps another step forward to being just plain reality.