Alleged White House hack highlights typical security failings, say experts

The alleged penetration of sensitive White House computer networks highlights typical security failings, say information security experts

The alleged penetration of sensitive White House computer networks highlights typical security failings, say information security experts.

However, the White House has denied a CNN report that Russian hackers behind an intrusion at the US State Department in late 2014 also penetrated sensitive parts of the White House IT system.

US officials have also refused to confirm that Russian hackers were responsible for the breach, saying they “do not talk about where cyber intrusions originate from”, reported ABC News.

The statement attributed to deputy national security advisor Ben Rhodes comes in stark contrast to the US attribution of the November 2014 attack on Sony Pictures to North Korea that led to fresh sanctions.

However, US National Security Council spokesperson Mark Stroh said although the breach affected the unclassified "Executive Office of the President" network, any such activity is taken very seriously.

While separate from classified systems, that network is used to exchange sensitive information about White House activities.

"We took immediate measures to evaluate and mitigate the activity,” said Stroh.

According to the CNN report, the hackers were able to use the breach at the US State Department as a springboard for a subsequent attack against the White House.

CNN quoted an unnamed US official as saying the hackers had been able to access unclassified but prized "sensitive information, such as real-time non-public details of the president's schedule".

Read more about cyber security

  • North Korea has denounced fresh US sanctions in response to the November 2014 cyber attack on Sony Pictures Entertainment as “hostile” and “repressive”
  • In his State of the Union address, the US president pledges to urge Congress to pass legislation to improve US cyber security

Security commentators have used the reports to highlight the need for those responsible for information security to adopt a more proactive approach.

Dwayne Melancon, chief technology officer at security firm Tripwire, noted that once an attacker gets into an organisation’s IT systems, it can be notoriously difficult to get them out.

“This is particularly true when your network and internal security controls allow the attacker to move around on your network without being noticed," he said.

“That appears to be the case here, which could be the result of an outwardly focused security approach. If you assume the enemy is ‘out there’ you stop noticing their activities when they get ‘in here’.”

Melancon also noted that attribution is difficult because a savvy attacker can not only cover their tracks, they can often mislead investigators into believing someone else is behind the attacks.

He said he believes it is far more important for organisations to have a baseline understanding of what is normal on their internal network and systems.

“Without that understanding, it is difficult to tell which systems you can trust, which systems you can't and – more importantly – how to stop the attack and prevent future compromises,” said Melancon.

Phishing operation the most likely avenue for hackers

Independent security consultant Graham Cluley said the most likely avenue for the hackers would have been a plain-and-simple phishing operation, tricking users into handing their passwords over to the hackers, or visiting a web page which contains a drive-by malware attack designed to pilfer login credentials.

“Yes, it's basic social engineering – but it works an astonishing amount of the time,” he wrote in a blog post, underlining the importance of educating users on how to recognise and report phishing and other social engineering attacks.

But Secure Channels chief executive Richard Blech said technology still has a role, arguing that in this case, strong encryption would have prevented the breach from even being a news story.

“Hackers are always going to get in, the data has to be encrypted when it is stolen, when removed the data will be useless. Or we can continue to treat real cyber security as an afterthought. The choice is ours, I will go with the encryption,” he said.

Although there has been no indication that the US is considering sanctions against Russia in retaliation for the breach, Tripwire security and risk strategist Tim Erlin speculated that it may have been one of the motivating factors behind US president Barack Obama’s recent executive order setting up a framework for imposing sanctions on foreign hackers.

“The information security industry is likely to be disappointed with the lack of details on how attribution was determined. There will no doubt be debate among experts," he said.

“We live in a world where commerce is interconnected globally, and the increasing visibility of cyber attacks, along with nation-state attribution, will have a negative effect on business.”

Read more on Hackers and cybercrime prevention