Background on the breach – key questionsWhile details emerge from the breach outlining clandestine techniques for collecting information, ranging from cell phones to televisions, the clear message to take away from this breach is that any connected device can be used for surveillance. While it is illegal for the CIA to use these techniques against United States citizens on sovereign soil, they can be used elsewhere at any time, and in virtually any place. The CIA was aware that this breach occurred at the end of 2016, but only now is the public becoming aware of the breach and the hacking techniques used for intelligence. Given the magnitude of the breach, citizens and organizations are asking some very basic questions:
- How was this data stolen and by whom? Was it an insider or an external attack?
- Were the techniques used by the CIA repeatable by hackers?
- Can I protect myself from hackers that copy-cat the exploits?
- Was this another case of a state sponsored attack?
For consumers – how vendors are respondingWhile this story plays out in the media, there are steps that vendors are taking to prevent continued data collection:
- Per Apple, the clear majority of techniques against iOS (the operating system used in iPhones and iPads) have been patched in the latest version. Apple recommends making sure your devices are using the latest version.
- For Samsung, the story is grim. They are investigating how SmartTV’s can be compromised, have no patches, and recommend disabling Internet access until this is resolved. They have even acknowledged that Samsung SmartTV’s that are turned off can still be leveraged.
- It is unknown if other Smart TV manufacturers are affected, but recent allegations and settlement against Vizio suggest the problem is much wider spread.
- For Android, the story is even more bleak. Due to the fragmentation of the Android market, it is unclear the threat per manufacturer and which carriers have distributed these patches to devices on their networks. Older devices (i.e. Android 4.x and lower) are the highest risk. Unfortunately, there is no clear recommendation for these devices.
Best practices for corporate and governments agenciesFor corporate and other government infrastructures, the recommendations fall in line with well-established security best practices:
- Monitor all privileged account activity and implement a password management solution. The CIA is trying to determine who had access to this volume of data and when. Even if it was an external attack, privileged access had to occur at some point to extract the information. There should be a record of this privileged activity by an insider or external actor. Businesses should consider monitoring all privileged activity to sensitive information and remove all administrator and/or root privileges when possible.
- Apply the latest security patches to all operating systems and infrastructure. If an exploit was leveraged against mission critical systems in the CIA, and they were not compliant with the latest security patches, this represents an attack vector that could have been mitigated. If the hack used a zero-day vulnerability (a previously unknown exploit), then application control could have helped mitigate the threat. Regardless, privileges to the data would still need to be obtained; even from an exploit that elevates privileges.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.