Background on the breach – key questions
While details emerge from the breach outlining clandestine techniques for collecting information from devices ranging from cell phones to televisions, the clear message to take away is that any connected device can be used for surveillance. While it is illegal for the CIA to use these techniques against United States citizens on sovereign soil, they can be used elsewhere at any time, and in virtually any place. The CIA was aware that this breach occurred at the end of 2016, but only now is the public becoming aware of the breach and of the hacking techniques used for intelligence. Given the magnitude of the breach, citizens and organizations are asking some very basic questions:
- How was this data stolen and by whom? Was it an insider or an external attack?
- Were the techniques used by the CIA repeatable by hackers?
- Can I protect myself from hackers that copy-cat the exploits?
- Was this another case of a state sponsored attack?
For consumers – how vendors are responding
While this story plays out in the media, there are steps that vendors are taking to prevent continued data collection:
- Per Apple, the clear majority of techniques against iOS (the operating system used in iPhones and iPads) have been patched in the latest version. Apple recommends making sure your devices are using the latest version.
- For Samsung, the story is grim. They are investigating how Smart TVs can be compromised, have no patches, and recommend disabling Internet access until this is resolved. They have even acknowledged that Samsung Smart TVs that are turned off can still be leveraged.
- It is unknown whether other Smart TV manufacturers are affected, but the recent allegations and settlement against Vizio suggest the problem is much more widespread.
- For Android, the story is even more bleak. Due to the fragmentation of the Android market, the threat to each manufacturer's devices is unclear, as is which carriers have distributed these patches to devices on their networks. Older devices (i.e. Android 4.x and lower) are at the highest risk. Unfortunately, there is no clear recommendation for these devices.
Best practices for corporate and government agencies
For corporate and government infrastructures, the recommendations fall in line with well-established security best practices:
- Monitor all privileged account activity and implement a password management solution. The CIA is trying to determine who had access to this volume of data and when. Even if it was an external attack, privileged access had to occur at some point to extract the information, so there should be a record of that privileged activity, whether by an insider or an external actor. Businesses should consider monitoring all privileged access to sensitive information and removing administrator and/or root privileges wherever possible.
- Apply the latest security patches to all operating systems and infrastructure. If an exploit was leveraged against mission-critical systems in the CIA, and those systems were not compliant with the latest security patches, this represents an attack vector that could have been mitigated. If the hack used a zero-day vulnerability (a previously unknown exploit), then application control could have helped mitigate the threat. Regardless, privileges to the data would still have to be obtained, even by an exploit that elevates privileges.
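The first recommendation above assumes that privileged access to sensitive data leaves a record that someone actually reviews. The following is an added example, not code from the article or from BeyondTrust, that parses constructed Linux sudo log lines and flags privileged commands touching a hypothetical sensitive directory or running outside a hypothetical business-hours window; the paths, hours and log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Linux auth.log sudo format (not from the article).
SAMPLE_LOG = """\
Mar  7 09:12:01 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  7 09:15:44 fileserver sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/tar czf /tmp/out.tgz /srv/classified
Mar  7 23:41:10 fileserver sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /srv/classified/index.txt
"""

# One sudo record: timestamp, host, invoking user, target user, command.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Hypothetical policy: directories holding sensitive data, and the hours during
# which privileged access to them is expected.
SENSITIVE_PATHS = ("/srv/classified",)
BUSINESS_HOURS = range(8, 19)


def parse_sudo_events(text):
    """Return a list of dicts, one per well-formed sudo line; other lines are ignored."""
    return [m.groupdict() for m in map(SUDO_RE.match, text.splitlines()) if m]


def flag_privileged_access(events):
    """Return (user, cmd, reasons) for each privileged command that touches a
    sensitive path or runs off-hours. Both reasons are reported when both apply."""
    findings = []
    for e in events:
        reasons = []
        if any(p in e["cmd"] for p in SENSITIVE_PATHS):
            reasons.append("sensitive path")
        hour = int(e["ts"].split()[-1].split(":")[0])
        if hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if reasons:
            findings.append((e["user"], e["cmd"], reasons))
    return findings


def privileged_activity_by_user(events):
    """Count privileged commands per invoking account; the baseline a reviewer compares against."""
    counts = defaultdict(int)
    for e in events:
        counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_sudo_events(SAMPLE_LOG)
    for user, cmd, why in flag_privileged_access(evs):
        print(f"{user}: {cmd}  [{', '.join(why)}]")
```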
Morey J. Haber, Chief Security Advisor
Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his nearly 12-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board, assisting the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as part of the acquisition of eEye Digital Security, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.