CIA WikiLeaks Breach Reinforces Need for Integrated Privilege & Vulnerability Management

Morey Haber, March 9th, 2017


No computer system is immune from a cyber-security attack. Even if it is powered off, in an isolated room, air gapped, and monitored 365x24x7, the information contained within that system can be stolen. Such is the case with the most recently publicized breach against the CIA, where the stolen data contained classified, mission-critical information outlining how the agency conducts cyber surveillance. Per NBC News, only 1% of the information stolen has been published by WikiLeaks online, but the contents are extremely damaging, to say the least. This is the latest breach to highlight that no organization, person or government is safe from a cyber-attack, but there are steps we can take to mitigate those risks.

Background on the breach – key questions

While details emerge from the breach outlining clandestine techniques for collecting information from devices ranging from cell phones to televisions, the clear message to take away is that any connected device can be used for surveillance. While it is illegal for the CIA to use these techniques against United States citizens on sovereign soil, they can be used elsewhere at any time and in virtually any place. The CIA was aware of this breach at the end of 2016, but only now is the public becoming aware of it and of the hacking techniques used for intelligence gathering.

Given the magnitude of the breach, citizens and organizations are asking some very basic questions:

  • How was this data stolen and by whom? Was it an insider or an external attack?
  • Were the techniques used by the CIA repeatable by hackers?
  • Can I protect myself from hackers that copy-cat the exploits?
  • Was this another case of a state sponsored attack?

For consumers – how vendors are responding

While this story plays out in the media, there are steps that vendors are taking to prevent continued data collection:

  • Per Apple, the clear majority of techniques against iOS (the operating system used in iPhones and iPads) have been patched in the latest version. Apple recommends making sure your devices are using the latest version.
  • For Samsung, the story is grim. They are investigating how Smart TVs can be compromised, have no patches, and recommend disabling Internet access until this is resolved. They have even acknowledged that Samsung Smart TVs that are turned off can still be leveraged.
  • It is unknown whether other Smart TV manufacturers are affected, but the recent allegations and settlement against Vizio suggest the problem is much more widespread.
  • For Android, the story is even bleaker. Due to the fragmentation of the Android market, it is unclear what the threat is for each manufacturer, or which carriers have distributed the relevant patches to devices on their networks. Older devices (i.e. Android 4.x and lower) are at the highest risk. Unfortunately, there is no clear recommendation for these devices.

Best practices for corporate and government agencies

For corporate and other government infrastructures, the recommendations fall in line with well-established security best practices:

  • Monitor all privileged account activity and implement a password management solution. The CIA is trying to determine who had access to this volume of data and when. Even if it was an external attack, privileged access had to occur at some point to extract the information, so there should be a record of this privileged activity, whether by an insider or an external actor. Businesses should consider monitoring all privileged access to sensitive information and removing all administrator and/or root privileges where possible.
  • Apply the latest security patches to all operating systems and infrastructure. If an exploit was leveraged against mission-critical systems in the CIA and they were not compliant with the latest security patches, this represents an attack vector that could have been mitigated. If the hack used a zero-day vulnerability (a previously unknown flaw for which no patch exists), then application control could have helped mitigate the threat. Regardless, privileges over the data would still need to be obtained, even via an exploit that elevates privileges.
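The first recommendation above, keeping a reviewable record of privileged access to sensitive data and flagging accounts that hold root rights they should not have, is easy to show in code. The example below is added here and is not BeyondTrust's code or anything from the original post: it parses constructed, syslog-style sudo records (the sample lines, the host name, the user names and the paths are all made up for illustration), checks each privileged command against an allowlist of approved administrators and a list of sensitive paths, and returns findings an analyst can review. The allowlist and path list are assumptions a real deployment would replace with its own inventory.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample sudo records in syslog format. These are illustrative
# only; they are not taken from any real system or from the breach above.
SAMPLE_LOG = """\
Mar  9 10:01:12 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
Mar  9 10:07:44 fileserver sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/tar czf /tmp/out.tgz /srv/classified
Mar  9 10:09:03 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  9 10:15:20 fileserver sshd[4242]: Accepted publickey for carol from 10.0.0.5 port 51022 ssh2
Mar  9 10:22:51 fileserver sudo:     dave : TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/ls /srv/public
"""

# Assumed policy inputs: which accounts are approved to use root, and which
# path prefixes hold sensitive data. A real deployment supplies its own.
ALLOWED_ADMINS = {"alice"}
SENSITIVE_PATHS = ("/srv/classified", "/etc/shadow")

# Matches the standard sudo log line layout: "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


@dataclass
class Finding:
    timestamp: str
    user: str
    command: str
    reasons: List[str]


def audit_privileged_activity(lines: Iterable[str],
                              allowed_admins: set,
                              sensitive_paths: tuple) -> List[Finding]:
    """Return one Finding per sudo record that violates the stated policy."""
    findings: List[Finding] = []
    for line in lines:
        m = SUDO_RE.match(line)
        if not m:
            continue  # not a sudo record; sshd/auditd lines need their own parser
        user, target, cmd = m["user"], m["target"], m["cmd"]
        reasons: List[str] = []
        # Least privilege: root use by anyone outside the approved admin set is a finding.
        if target == "root" and user not in allowed_admins:
            reasons.append("root privileges used by account outside the admin allowlist")
        # Sensitive data access: any argument that sits under a sensitive prefix is recorded.
        touched = [p for p in sensitive_paths
                   if any(tok.startswith(p) for tok in cmd.split())]
        if touched:
            reasons.append("privileged command touched sensitive path(s): " + ", ".join(touched))
        if reasons:
            findings.append(Finding(m["ts"], user, cmd, reasons))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per account so reviewers can see who generated them."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


def run_demo() -> List[Finding]:
    """Run the audit over the constructed sample log."""
    return audit_privileged_activity(SAMPLE_LOG.splitlines(), ALLOWED_ADMINS, SENSITIVE_PATHS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.timestamp} {f.user}: {f.command}")
        for r in f.reasons:
            print("   -", r)
    print("per-user totals:", summarize(run_demo()))
```

Against the sample, the approved admin's package upgrade produces nothing, while the archive of /srv/classified by a non-approved account, the read of /etc/shadow by the approved admin, and the root-level directory listing by another non-approved account each surface as a finding; the point is that the record exists before anyone has to ask "who had access and when".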

Considering the magnitude of the breach, and the sensitivity of the information, it is clear that current security solutions failed at the CIA. For everyone else, education, secure processes and protecting sensitive information should be at the forefront of everyone’s mind. If you need help understanding how to protect privileged access or identifying missing security patches, BeyondTrust can help. To get started, try a free scanner for all of your Internet of Things devices – it will give you a report on patch status and whether or not there are old passwords that need to be changed.