Companies may be avoiding politics, President Donald Trump's tweets, and the almost daily hubbub, but enterprises might want to note some key security lessons from the latest headlines about Russian intelligence sending spearphishing emails days ahead of the US presidential election.
Russian intelligence sent spearphishing emails to local election officials just days before the US presidential election, according to a leaked NSA document surfaced by The Intercept. CBS News also verified the document.
Meanwhile, the Justice Department filed a criminal complaint against Reality Leigh Winner, a 25-year-old federal contractor. Winner was arrested by the FBI on Saturday for leaking documents.
Among the key lessons to note:
You might want to start taking printer security seriously. According to a criminal complaint filed by the Justice Dept., Winner printed intelligence reporting with classified information and then retained it. Winner then passed the doc along to The Intercept. Enterprises have been locking down printers and tracking usage more, but one key item comes from Errata Security, which outlined how Winner was outed.
Newer printers print yellow dots that can be used to trace when and where a document was printed. The NSA was able to track Winner down because it tracks printing jobs and can match a person with the document. The walkthrough is interesting and makes you wonder how many companies are utilizing this tracking -- even as documents with plans, strategy, and product designs walk out of the door.
Printer security and management have been primarily a cost issue up to this point, but the Internet of Things and cybersecurity issues have exposed these relatively boring endpoints as a risk.
Contractor security isn't so hot. My initial reaction to the NSA doc and election tampering was almost blasé -- gee, here's another contractor security issue. As if you needed another reminder: Make sure your employee and contractor security policies are up to date and actually followed.
Voting machines aren't secure even though we knew that already. Here is what The Intercept said about the NSA report:
"The report indicates that Russian hacking may have penetrated further into U.S. voting systems than was previously understood. It states unequivocally in its summary statement that it was Russian military intelligence, specifically the Russian General Staff Main Intelligence Directorate, or GRU, that conducted the cyber attacks described in the document."
Is anyone really surprised? The lesson here is that anything connected is vulnerable to tampering and cyberattacks. Voting machines -- despite precautions and hardened systems -- are no different.
The election security chain is only as strong as its local links. Enterprise security policies are only as strong as employees and how well they are educated about cyberattacks.
Spearphishing attacks ahead of the US election targeted local officials for a reason: You're bound to have some success. By posing as a technology vendor, the spearphishing efforts likely had some success.
Perhaps the biggest takeaway is that spearphishing still works fairly well. A lack of communication and warning about potential attacks only makes success more likely. This communication needs to come from the federal, state, and local levels, as well as from technology vendors.