Obama’s E-Mail: Lessons Learned

Security

Big news this past week that U.S. President Barack Obama’s sensitive (but unclassified) e-mails were accessed by Russian hackers. It is surprising this news is surprising. The U.S. government’s unclassified network suffers from the same problems that have led to and will continue to promote other high profile attacks, including Sony, Home Depot, etc. Despite immense expenditure on IT security, these organizations are at the mercy of well-funded, sophisticated attackers, because computing infrastructures are fundamentally flawed, due to the following “Trifecta of Death”:

  • widespread use of general-purpose computers
  • computers connected to the Internet
  • large number of humans accessing those computers

Most enterprise computing platforms, from Windows PCs to Linux/Apache web servers, were never designed to protect against sophisticated attackers. The operating systems have poor privilege models, enabling vulnerabilities in massive middleware packages (like Flash and Java) to be exploited for total security bypass.

Any organization with a large number of users (the U.S. State Department has 34,000 employees) is an easy spearfishing target, no matter how much IT trains users.

And because users and computers in large enterprise networks require Internet access, one spearphish is easily converted into complete control via Internet-borne malware. The commandeered system can then be used to leisurely explore and infect the rest of the network, aiming for more juicy targets – like archived e-mail.

How can enterprises address this problem? The enterprise must first understand its high value resources – where disclosure or loss of function would have catastrophic consequences.  For a tech company, this might be some source code, designs, or strategic plans. For a pharmaceutical or beverage company it might be product formulas and research. For a money management firm, it might be the PII and financials of its wealthiest clients. For a hospital, it might be the network managing robotic surgeons. Enterprises must not expose these digital crown jewels to the Trifecta.

Avoiding the Trifecta means employing strict network segregation, where the crown jewels are colocated in partitioned computing resources, accessed only by operating environments that are not (ever) connected to the Internet.  This may seem heavy-handed, and many scoffed at former US Cybercom chief Keith B. Alexander’s call for an isolated network for critical infrastructure, but he was spot on. The trick is to ensure segregation does not stifle productivity. Obama accesses information from a plethora of operating environments (BlackBerry devices, tablets, laptops, desktops), each never permitted to cross classification boundaries.

But few people in the corporate world would tolerate having to manage such a large set of computers. Solutions like BlackBerry Balance on mobile devices and virtual machines on laptops and desktops can be used as multi-network access solutions. Entry into the ultra-sensitive network from PCs should be guarded by VPN and dual-factor authentication – but allow users the convenience of using their mobile device as the secondary authenticator.

Finally, limit access to the ultra-sensitive network to the smallest possible group with need-to-know and encrypt data (e-mail, files). If the network grows too large, consider further segregation. In the Obama e-mail exposure, it was reported that his BlackBerry device and communications were never accessed. In addition to the obvious security advantages of a BlackBerry device, Obama’s BlackBerry contacts are purportedly limited to only 10 to 20 people.

In order to protect high value resources against sophisticated attack threats, follow these least privilege, defense-in-depth guidelines, anchored by strong network isolation made user-friendly by trustworthy multi-platform access solutions. And for those networks with many users and connections to the Internet: expect their data to be disclosed, just like Obama’s unclassified e-mail. All the expensive firewalls and UTMs in the world won’t prevent that. Don’t be the next front-page story!

About David Kleidermacher

I am dedicated to the vision of a trustworthy, scalable Internet of Things, including mobile devices, connected embedded systems, and cloud infrastructure. I oversee product security strategy as BlackBerry's Chief Security Officer. I am a leading authority in systems software and security, including secure operating systems, virtualization technology, and the application of high robustness security engineering principles to solve computing infrastructure problems. I earned my bachelor of science in computer science from Cornell University and am a frequent speaker and writer in the area of computer security, including delivering the 2014 Embedded World Conference Keynote, "Securing the Internet of Things" and author of the book "Embedded Systems Security", Elsevier 2012.

Join the conversation

Show comments Hide comments
+ -
blog comments powered by Disqus