Bloomberg broke the news on Friday that the servers of Dow Jones & Co. were hacked by a group of Russian hackers. And in another hacking incident last month, the email of CIA Director was hacked by teen using social engineering. Here to comment on this news is Leo Taddeo, CSO, Cryptzone and former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office.
Taddeo comments on Dow Jones hack :
“This is one more case in a pattern of unsettling breaches by Russian hackers targeting the US financial sector. While the Obama administration recently announced it had reached an agreement with China to reign in cyber corporate espionage, we have not heard of any such discussions with the Russians. The agreement with the Chinese probably won’t change much, but even less is being done with the Russians. The lack of engagement with the Russian authorities on this issue means that the financial sector will continue to come under attack from professional hackers operating with relative impunity from behind the borders of the Russian Federation.
The lesson for network defenders in the financial sector is clear: Assume your adversary has, or can easily obtain, valid credentials. Strategies that focus too heavily on perimeter defense will continue to to come up short. More work needs to be done to deploy technologies that make it harder for hackers inside the perimeter. These include encryption, multi-factor authentication, and secure gateways that limit access by third parties and privileged users.”
Taddeo comments on CIA Director email hack :
“According to the hackers, they social engineered Verizon and leveraged the info they got from them to social engineer AOL.
This hack points out that security questions designed to protect our accounts and enhance a network’s ability to authenticate a user are not a challenge that hackers find difficult to overcome. So much information is available from open sources, such as reverse phone look up and personal data aggregators, that assembling answers to most security questions is almost trivial.
What network defenders need is true multi-factor authentication. For consumer services, like cell phone accounts and email accounts, the most secure methods of authentication rely on device attributes and out-of-band confirmation.”[su_box title=”About Cryptzone” style=”noise” box_color=”#336588″]Cryptzone secures the enterprise with dynamic, context-aware security solutions that protect critical services, applications and content from internal and external threats. For over a decade, enterprises have turned to Cryptzone to galvanize their Cloud and network security with responsive protection and access intelligence. More than 750 public sector and enterprise customers, including some of the leading names in technology, manufacturing and consumer products trust Cryptzone to keep their data and applications secure.[/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.