On Monday, the news buzzed with a story about a high school student who had managed to break into the email accounts of CIA Director
John Brennan and DHS Secretary Jeh Johnson.
We've seen this scenario played out all too often. The teen reportedly used standard social engineering techniques to gather enough personal information about the targets to pass the providers' account-recovery checks and force a password reset on the accounts. Once the passwords were reset, the accounts were easy pickings.
According to the report in the New York Post, the teen fooled both Verizon and America Online employees. If that is true, I am sure we will hear the standard statements from both companies about reviewing their policies to prevent future occurrences of these incidents.
Happily, this is not a story about weak passwords; the account was not accessed through a brute-force password attack. However, the information that was revealed, such as Mr. Brennan's application for a CIA security clearance, points to a broader problem with many email accounts: they are not being used in the manner in which they were originally intended.
Email is supposed to facilitate quick communication. For most folks, however, the inbox has become the primary file system for too many important documents. That turns the email account into a single point of failure and a "one-stop shopping" portal for a criminal: if the account is compromised, so is every important document stored in it.
The one extra step we need to teach our friends, family and co-workers, because it minimizes the damage from a compromised email account, is to keep sensitive documents in a separate storage area.
In the early days of computing, documents were stored on hard drives, and without a good backup they were in danger if the hard drive crashed. Today, locally stored documents are also susceptible to ransomware attacks. The other problem with locally stored documents is that they are only accessible from one location. These were once reasonable arguments for keeping all of one's documents within the email client. Now there are multiple cloud-based storage offerings with strong security controls that address the earlier concerns about accessibility and redundancy.
Moving documents into a separate cloud storage account makes them considerably harder for a criminal to reach. The mailbox no longer hands them over, and the storage account has its own login, so the attacker must defeat a second account rather than one. It also helps, if only a little, that a storage account is less visible than an email address, which is publicized in a way a cloud storage login normally is not.
This is the extra layer of protection that isolates sensitive documents in a safer location than an email system. Of course, if you plan to use a cloud-based file system, please set up two-factor authentication to log into it, and make sure its password-recovery options do not simply route back through the same email account; otherwise a compromised mailbox can reset the storage password and the separation is lost. It is also fair to ask whether two-factor authentication on the email accounts would have prevented the initial access, given that the accounts were taken over through the providers' reset process rather than through the login page.
Perhaps it is time to teach the value of detaching sensitive documents, storing them in a more secure location, and then permanently deleting the original message. This simple layered defense sharply limits what a single compromised mailbox exposes.
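The "detach, store elsewhere, delete the original" step in code, as an added example for this page rather than anything from the article or its author: it walks a local mbox file, copies each attachment into a separate vault directory (standing in for the separately authenticated store the article recommends), and then removes the messages that carried them. The mailbox contents, the addresses and the placeholder "PDF" are constructed here. The hostile `../../` attachment filename is included deliberately, because attachment names come from the sender, and a naive save would write outside the vault.

```python
"""Detach attachments from a local mbox into a separate vault directory, then
delete the messages that carried them.  Added example for this page, not tooling
from the article; the mailbox, addresses and "PDF" below are constructed."""
import hashlib
import mailbox
import os
import tempfile
from email.message import EmailMessage
from pathlib import Path

# Constructed stand-in for a sensitive attachment; not a real document.
FAKE_PDF = b"%PDF-1.4\n% constructed placeholder for a clearance form\n%%EOF\n"


def safe_name(filename, payload):
    """Turn a sender-controlled attachment filename into a safe vault name.

    The name in Content-Disposition is attacker-controlled, so a value such as
    '../../.ssh/authorized_keys' must not escape the vault directory.  Keep only
    the last path component, drop separators and other risky characters, refuse
    hidden (dot-prefixed) names, and prefix a content hash so two attachments
    both called 'resume.pdf' never overwrite each other.
    """
    base = os.path.basename(filename.replace("\\", "/")) or "attachment"
    base = "".join(c for c in base if c.isprintable() and c not in '/\\:*?"<>|')
    base = base.lstrip(".") or "attachment"
    digest = hashlib.sha256(payload).hexdigest()[:12]
    return f"{digest}_{base}"


def detach_and_delete(mbox_path, vault_dir):
    """Copy every attachment in the mbox into vault_dir, then delete the messages
    that carried one.  Returns (list of vault file names, messages remaining)."""
    vault = Path(vault_dir)
    vault.mkdir(parents=True, exist_ok=True)
    saved = []
    box = mailbox.mbox(mbox_path)
    box.lock()                      # mbox is a single file; serialise against the mail client
    try:
        doomed = []
        for key, msg in box.iteritems():
            carried_attachment = False
            for part in msg.walk():
                if part.get_content_disposition() != "attachment":
                    continue
                payload = part.get_payload(decode=True) or b""
                target = vault / safe_name(part.get_filename() or "", payload)
                target.write_bytes(payload)
                os.chmod(target, 0o600)   # owner-only, like a private key file
                saved.append(target.name)
                carried_attachment = True
            if carried_attachment:
                doomed.append(key)
        for key in doomed:          # remove only after iteration has finished
            box.remove(key)
        box.flush()                 # rewrite the mbox without those messages
        remaining = len(box)
    finally:
        box.close()
    return saved, remaining


def demo():
    """Build a constructed two-message mbox in a temp dir, run the detach step,
    and report what happened so the outcome can be checked."""
    workdir = Path(tempfile.mkdtemp())
    mbox_path = workdir / "inbox.mbox"
    vault_dir = workdir / "vault"

    box = mailbox.mbox(str(mbox_path))
    form = EmailMessage()
    form["From"] = "hr@example.org"            # constructed addresses
    form["To"] = "director@example.org"
    form["Subject"] = "Your completed clearance form"
    form.set_content("Attached is the form you submitted. Keep it for your records.")
    # Hostile filename: a naive 'save as' would write outside the vault.
    form.add_attachment(FAKE_PDF, maintype="application", subtype="pdf",
                        filename="../../clearance_form.pdf")
    box.add(form)

    note = EmailMessage()
    note["From"] = "colleague@example.org"
    note["To"] = "director@example.org"
    note["Subject"] = "Lunch?"
    note.set_content("Noon at the usual place?")
    box.add(note)
    box.close()

    saved, remaining = detach_and_delete(str(mbox_path), vault_dir)
    recovered = (vault_dir / saved[0]).read_bytes() if saved else b""
    return {"saved": saved, "remaining": remaining, "recovered": recovered,
            "vault_files": sorted(p.name for p in vault_dir.iterdir())}


if __name__ == "__main__":
    result = demo()
    print(f"detached {result['saved']}; {result['remaining']} message(s) left in the inbox")
```

Run it directly and the constructed inbox shrinks from two messages to one, with the attachment sitting in the vault under a hash-prefixed, traversal-free name. Two caveats follow from how mail is stored: deleting from a local mbox does not touch the copy the provider still holds, so the message must also be deleted (and, over IMAP, expunged) on the server; and the vault directory is only as safe as wherever it lives, which is where the separate account and its second factor come in.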
About the Author: Bob Covello (@BobCovello) is a 20-year technology veteran and InfoSec analyst with a passion for security topics. He is also a volunteer for various organizations focused on advocating for and advising others about staying safe and secure online.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.