Nothing that I say below precludes the possibility of Russian hacks; my purpose for writing this is to provide you with details to suggest we need to take our foot off the hacking gas pedal to let our brains catch up with emotion. So, with that out of the way, let’s talk hacking.
Assessing hack origins is a complex problem. Unlike art, where we can see the artist’s brush strokes, use of color and light to identify the artist and determine authenticity, hacks are a much more complex matter. Hackers operate in networks and they share pieces of successfully implemented computer code with other networks. Successful hacks are rarely conducted against IT infrastructure, for example a network’s router or firewall. That’s too difficult and time consuming. It’s much easier to send out phishing e-mails to trusting individuals. Hackers may send out thousands of e-mails to get 2% bites. These e-mails are increasingly sophisticated and they are part of the sharing program.
For example, you get an e-mail from a bank asking you to validate your online access. It may be a bank that you use, or not. If it happens to be a bank that you do business with, you may be lured into using the link provided in the e-mail. Once you use the link, you’ll be asked to provide name, address, login ID and password, etc. The hacker now has information they can use to defraud you or, worse yet, sell. They may sell that information to a crime network or a government. Other hacks begin with a similar e-mail, but the link takes you to a site that implants malware or keyboard loggers, and in some cases deposits computer code that allows the hacker to create a virtual private network to your computer, which they can call up as needed to transfer files in and out of your computer or device.
Other tricks include downloading free software from a variety of internet sites. Bleach Bit, for example, is downloaded free of charge. The problem is that it hijacks your web browser, directing your web searches to sites that will implant malware on your machines or servers. So, I’ll guarantee you that SOMEONE has a complete record of the Clinton server contents just waiting to be sold.
Eighty percent of hacks can be eliminated by increasing end-user awareness and agency / enterprise IT discipline. The following steps need to be taken at all levels of government and the enterprise.
Train your computer users to identify e-mail phishing attempts. You need to use examples that are as official looking as you can find. Some phishing attempts are crude and poorly written; others look like official sources. Train your people!
Set policy that prevents employees from using company or government IT resources for personal use. No personal web browsing or personal e-mails on company PCs, smart devices or laptops.
No local or remote access to enterprise or government resources with personal smart devices, PCs or laptops.
If your agency or company is hacked, chances are that it was self-inflicted and points to ineffective IT security. IT managers and senior managers need to implement policies that contain all three elements I’ve identified.
Updated 3 Jan 2017
Here is an example of a phishing e-mail (I’ve removed all hyperlinks so it’s inert)
★account deactivation progress★
Unusual sign-in activity
Malicious content you put your account at risk of losing your emails, click on Verify Now and update you account.
We apologize for any inconvenience and appreciate your understanding.
The Microsoft account team.
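As an added illustration of the kind of tell-tale signs the training above should teach people to spot, here is a small indicator checker run over the sample phishing e-mail quoted in this post. It is example code written for this page, not something from the original post; the From header and the benign comparison message are constructed, since the post stripped all headers and links.

```python
import re

# Body text is the phishing e-mail quoted in the post above; the From header
# is CONSTRUCTED for this example (the original post removed headers and links).
SAMPLE_PHISH = {
    "from": "Microsoft account team <alerts@example-mailer.test>",
    "subject": "\u2605account deactivation progress\u2605",
    "body": ("Unusual sign-in activity\n"
             "Malicious content you put your account at risk of losing your emails, "
             "click on Verify Now and update you account.\n"
             "We apologize for any inconvenience and appreciate your understanding.\n"
             "The Microsoft account team."),
}
# Constructed benign message for comparison.
SAMPLE_LEGIT = {
    "from": "Jane Doe <jane.doe@example.test>",
    "subject": "Notes from Tuesday's meeting",
    "body": "Hi all, attached are the notes from Tuesday. Let me know if I missed anything.",
}

# Brand names that, when used in the display name or body, should match the sending domain.
BRANDS = {"microsoft": ("microsoft.com",), "paypal": ("paypal.com",)}
THREAT = re.compile(r"\b(deactivat\w*|suspend\w*|at risk|losing your|unusual sign-?in)\b", re.I)
ACTION = re.compile(r"\b(click (on|here)|verify now|update you(r)? account|validate)\b", re.I)
GRAMMAR = re.compile(r"\byou (account|password|email)\b", re.I)  # "update you account"

def sender_parts(from_header):
    """Split 'Display Name <user@domain>' into (display name, lower-cased domain)."""
    m = re.match(r"\s*(.*?)\s*<[^@>]+@([^>]+)>", from_header)
    return (m.group(1), m.group(2).lower()) if m else ("", from_header.split("@")[-1].lower())

def phishing_indicators(msg):
    """Return the names of the indicators that fire for one message, in a fixed order."""
    hits = []
    name, domain = sender_parts(msg["from"])
    text = msg["subject"] + "\n" + msg["body"]
    haystack = (name + " " + text).lower()
    # A brand is named but the mail does not come from that brand's domain.
    if any(b in haystack and not domain.endswith(d) for b, d in BRANDS.items()):
        hits.append("brand_domain_mismatch")
    if THREAT.search(text):        # account-loss / urgency language
        hits.append("threat_or_urgency")
    if ACTION.search(text):        # "click ... Verify Now" style credential lure
        hits.append("credential_call_to_action")
    if GRAMMAR.search(text):       # grammar slips typical of mass-mailed phishing
        hits.append("grammar_anomaly")
    return hits

def is_suspicious(msg, threshold=2):
    """Flag a message when at least `threshold` independent indicators fire."""
    return len(phishing_indicators(msg)) >= threshold
```

The checker is deliberately heuristic: it is a training aid for the "what to look for" discussion, not a substitute for a mail-filtering product.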