Security experts from VASCO Data Security, STEALTHbits Technologies, Lastline and InfoArmor provide their insight on the DNC email leak and email encryption below.
John Gunn, VP of Communications at VASCO Data Security:
“Encryption is simple to use, inexpensive, and highly effective. It doesn’t guarantee the hackers could not have obtained the information, but it certainly would have made their job a lot more difficult. This issue again underscores that there is a significant shortage of qualified IT security professionals – this event is just more evidence of the problem. Political campaigns are not known for paying well or for providing long-term employment. They should have hired outside consultants, but buying airtime was likely the priority. (Re emails sent to known associates) The old “if someone is respected they can’t be hacked and have no personal motives” strategy: obviously, it is utter nonsense.
“With Public Key Encryption (PKI), the email message is encrypted with the sender’s key, so it is actually integrated into the data that is sent along with the contents of the email. There are multiple ways to obtain information in emails. The primary methods are: intercepting the email in transit, accessing the data files on an email server, and simply logging in as the sender or the recipient. The highest level of security uses public-key infrastructure (PKI) encryption, but this involves exchanging keys and is not easy for most individuals. This process is automated by use of gateway appliances in government and private enterprises where security is important. There are many commercial solutions that do exactly what was needed to protect these leaked emails – it just takes a pro and some dough.”
Brad Bussie, Director of Product Management at STEALTHbits Technologies:
“The technology to encrypt emails is well known, but not commonly implemented. The main reason for this is complexity and infrastructure cost. Most weigh the value of the information that is transmitted against what it would cost to protect it. If the protection cost outweighs the value of the information then most do nothing and let operations continue as normal.”
(Re Sec. Clinton comment that messages were sent to a relatively few, highly respected and trusted professionals who would not have shared such information)
“The reason that this is not a secure approach is that Sec. Clinton was not using a messaging service that would have guaranteed the recipient of her email was indeed the intended party. A person being “highly respected and trusted” does not immediately grant them cyber security skills. It is unknown if any of the recipients’ systems may be compromised or if others outside of the user have access to the system or account used to access the information. Closed and secured networks are created for a reason and the open nature of the internet has made sensitive and privileged information unfit for general devices.
“There are services that represent a true encrypted approach by offering end-to-end encryption. The method involves the sender logging into an encrypted service, creating the message and then sending it. The recipient then visits the same service, logs in, and then is able to obtain the message. Not even the provider of the service has the private key to unencrypt data, making the sender and receiver the only two that can get the information. Keep in mind, once messages have been opened, the basic threats users expose themselves to are still in play (leaving a device unattended, copying or printing the email, or an attacker socially engineering personal information from the user).”
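Gunn’s description of public-key email encryption and Bussie’s description of an end-to-end service whose provider never holds the private key can both be shown in a small program. The following Go code is an added example written for this page; it is not code from any of the vendors quoted and does not implement any particular product. It assumes a simple hybrid scheme (a fresh AES-256-GCM key per message, wrapped with the recipient’s RSA public key using OAEP, and signed by the sender with RSA-PSS) and a constructed sample message; the `Envelope` type and the function names are this example’s own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope is everything a mail relay or service provider gets to see.
// It contains no key material that would let the relay read the body.
type Envelope struct {
	WrappedKey []byte // per-message AES key, encrypted to the recipient's RSA public key (OAEP)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext plus authentication tag over the body
	Signature  []byte // sender's RSA-PSS signature over the three fields above
}

// GenerateKeyPair creates one party's RSA key pair (2048 bits is an
// assumption for this example; use your organization's policy in practice).
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// digest length-prefixes and hashes the envelope fields so the signature
// binds the wrapped key, nonce and ciphertext together unambiguously.
func digest(wrappedKey, nonce, ciphertext []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{wrappedKey, nonce, ciphertext} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(part)))
		h.Write(n[:])
		h.Write(part)
	}
	return h.Sum(nil)
}

// EncryptMessage performs hybrid encryption: a fresh AES-256-GCM key protects the
// body, the recipient's public key wraps that AES key, and the sender's private
// key signs the whole envelope so the recipient can verify who sent it.
func EncryptMessage(body []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, body, nil)
	wrappedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest(wrappedKey, nonce, ciphertext), nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrappedKey, Nonce: nonce, Ciphertext: ciphertext, Signature: sig}, nil
}

// DecryptMessage checks the sender's signature first, then unwraps the AES key
// with the recipient's private key and decrypts the body. A wrong recipient key,
// a wrong sender key, or any change to the envelope makes one of the checks fail.
func DecryptMessage(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest(env.WrappedKey, env.Nonce, env.Ciphertext), env.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: not from the claimed sender or altered in transit")
	}
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap message key: envelope was not encrypted to this recipient")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice, _ := GenerateKeyPair()   // sender
	bob, _ := GenerateKeyPair()     // intended recipient
	relay, _ := GenerateKeyPair()   // the service operator, who has only its own key
	body := []byte("Constructed sample: draft schedule for Thursday, do not forward.")
	env, err := EncryptMessage(body, &bob.PublicKey, alice)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptMessage(env, bob, &alice.PublicKey)
	fmt.Printf("recipient reads: %q (err=%v)\n", plain, err)
	_, err = DecryptMessage(env, relay, &alice.PublicKey)
	fmt.Println("relay with its own key:", err)
}
```

The `Envelope` is all the provider stores or forwards, which is the property Bussie describes: without the recipient’s private key the provider cannot read the body. What the example leaves out is exactly the part Gunn calls the hard step for individuals: how Alice obtains Bob’s authentic public key in the first place, which is what a PKI or a gateway appliance automates.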
Giovanni Vigna, Ph.D, Co-founder and CTO at Lastline:
“Using encrypted email would have helped. Encryption adds another layer of protection, which requires an attacker to obtain the encryption keys of a user in order to decrypt the messages. However, if a nation-state is involved, it is not unthinkable that a compromise might include access to the secret key of the email recipient(s).
“People do not use encryption because it requires additional tools and procedures. For example, the handling of keys is often too complex a task for many non-tech-savvy users.
(Re Sec. Clinton comment that messages were sent to a relatively few, highly respected and trusted professionals who would not have shared such information) “Information flow control in such a large group is a daunting task, and probably not feasible. Security is as strong as the weakest link. If a message is sent to 300 people, the security around the handling of that message is determined by the person with the worst security setup.”
John Marshall, Sales Engineering Director at Lastline:
“The DNC incident highlights a couple of realities of e-mail that organizations need to reflect in how they think about security:
- You cannot pre-emptively stop anyone sending you an e-mail. That is why email-based phishing attacks remain a significant exposure
- E-Mail encryption is very limited in terms of being able to work across organizations or different mail systems
- Ongoing use of personal archives means that e-mail content is exposed to an infiltrator without them needing to gain access to the email system
The use of web-based email that requires two-factor authentication does help in terms of encrypting access but the usability and functional differences these have to corporate mail systems will lead users to prefer to use those, which typically rules encryption out.”
Byron Rashed, Senior Director of Marketing at InfoArmor:
“When dealing with sensitive information through email, it should always be encrypted. It is imperative that organizations – especially any political or government agency – encrypt emails due to the high level of cyber espionage, hacktivism and state sponsored infiltration. As we know, security is an inconvenience and there is a surprising number of organizations that are lacking data and network security. Still today, many think that a “firewall” is sufficient, and of course it’s not.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.