[BreachExchange] Democrats Ignored Cybersecurity Warnings Before Theft

Inga Goddijn inga at riskbasedsecurity.com
Wed Jul 27 19:58:52 EDT 2016


https://www.bloomberg.com/news/articles/2016-07-27/democrats-said-to-ignore-cybersecurity-red-flags-before-theft

The Democratic National Committee was warned last fall that its computer
network was susceptible to attacks but didn’t follow the security advice it
was given, according to three people familiar with the matter.

The missed opportunity is another blow to party officials already
embarrassed by the theft and public disclosure of e-mails that have
disrupted their presidential nominating convention in Philadelphia and led
their chairwoman to resign.

Computer security consultants hired by the DNC made dozens of
recommendations after a two-month review, the people said. Following the
advice, which would typically include having specialists hunt for intruders
on the network, might have alerted party officials that hackers had been
lurking in their network for weeks -- hackers who would stay for nearly a
year.

Instead, officials didn’t discover the breach until April. The theft
ultimately led to the release
<http://www.bloomberg.com/politics/articles/2016-07-24/sanders-calls-on-dnc-chief-to-resign-while-still-backing-clinton>
of almost 20,000 internal e-mails through WikiLeaks last week on the eve of
the convention.

The e-mails have devastated party leaders. Representative Debbie Wasserman
Schultz, the DNC chairwoman, has agreed to resign at the end of this week’s
convention. She was booed off the stage on opening day after the leaked
e-mails showed that party officials tried to undermine the presidential
campaign of Senator Bernie Sanders in favor of Hillary Clinton, who was
formally nominated on Tuesday evening. Party officials are supposed to
remain neutral on presidential nominations.

Russia Suspected

The Federal Bureau of Investigation is examining the attack, which law
enforcement officials and private security experts say may be linked to the
Russian government. President Barack Obama suggested on Tuesday that Russia
might be trying to interfere with the presidential race. Russian officials
deny any involvement in the hacking and say
<http://www.bloomberg.com/news/articles/2016-07-27/russia-denies-trying-to-influence-u-s-presidential-election>
they’re not trying to influence the election.

Donald Trump, the Republican presidential nominee, said
<http://www.bloomberg.com/politics/articles/2016-07-27/trump-denies-ties-to-russia-says-he-hopes-it-finds-dirt-on-clinton>
Wednesday that he didn’t think Russia was behind the attack. But he also
said he hoped the Russians would get their hands on e-mails that Clinton
exchanged using a private server while she was secretary of state, to
expose any e-mails she might have deleted.

The consultants briefed senior DNC leaders on the security problems they
found, the people familiar with the matter said. It’s unclear whether
Wasserman Schultz was present. Now, she is likely to face criticism over
not only the content of the e-mails -- including one in which a party
official proposes pushing stories in the news media questioning Sanders’s
Jewish faith -- but also the failure to take steps to stop the theft in the
first place.

“Shame on them. It looks like they just did the review to check a box but
didn’t do anything with it,” said Ann Barron-DiCamillo, who was director of
US-Cert, the primary agency protecting U.S. government networks, until last
February. “If they had acted last fall, instead of those thousands of
e-mails exposed it might have been much less.”

The assessment by Good Harbor Security Risk Management, headed by the
former Clinton and Bush administration official Richard Clarke, occurred
over two months beginning in September 2015, the people said. It included
interviews with key staff members and a detailed review of the security
measures in place on the organization’s network, they said.

Security Flaws

The review found problems ranging from an out-of-date firewall to a lack of
advanced malware detection technology on individual computers, according to
two of the people familiar with the matter. The firm recommended taking
special precautions to protect any financial information related to donors
and internal communications including e-mails, these people said.

The DNC paid $60,000 for the assessment, according to federal filings.

Mark Paustenbach, a spokesman for the DNC, declined to comment on the Good
Harbor report. Emilian Papadopoulos, president of Washington-based Good
Harbor, said he couldn’t comment on work done for a specific client.

Missed Warnings

The security review commissioned by the DNC was perhaps the most detailed
of a series of missed warnings. Officials at both the Republican National
Committee and the DNC received government briefings on espionage and
hacking threats beginning last year, and then received a more specific
briefing this spring, according to another person familiar with the matter.

Cyber-security assessments can be a mixed blessing. Legal experts say some
general counsels advise organizations against doing such assessments if
they don’t have the ability to quickly fix any problems the auditors find,
because customers and shareholders could have cause to sue if an
organization knowingly disregards such warnings.

Papadopoulos said a risk analysis by his firm is designed to “help an
organization’s senior leadership answer the questions, ‘What are our unique
and most significant cyber security risks, how are we doing managing them,
and what should we improve?’ ”

The firm typically recommends that clients conduct a so-called breach
assessment to determine whether hackers are already lurking in the network,
Papadopoulos said. He wouldn’t confirm whether such a recommendation was
among those delivered to the DNC.

“We give recommendations on governance, policies, technologies and crisis
management,” he said. “For organizations that have not had a compromise
assessment done, that is one of the things we often recommend.”

It isn’t certain a breach assessment would have spotted the hackers,
according to Barron-DiCamillo, but it would have increased the chances.
“Why spend the money to have Good Harbor come in and do the recommendations
and then not act on them?” she asked.