Posted by Travis Biehn on May 26, 2016
U.S. media coverage of the key politicians fighting for the 2016 presidential nomination is pretty overwhelming. But, at least now we have something worth talking about—the security of the sensitive information in which politicians are handling that could potentially ruin their careers and bring internationally damning implications. So today, let’s take a look at the lessons that the ongoing Clinton email scandal have to teach security stakeholders.
With details from the Inspector General’s report regarding the Ex-Secretary of State Hillary Clinton’s use of personal email and communications infrastructure now coming to light, some of the fears expressed by the security community have been confirmed.
Was the email server subject to attack? We know it was.
Were Hillary Clinton or her IT staff aware of ongoing attacks? Again, confirmed.
Was the email server compromised? We don’t know, but with at least one actor making a credible claim, it’s reasonable to discuss the probability that more focused and funded attackers were able to gain access to the email server and its contents.
So, let’s take a step back and examine the motivations of the players here: the Clintons and their attackers.
There’s some evidence that Hillary Clinton relied on personal infrastructure for “convenience.” There is also speculation of less innocent intentions. Let’s focus on the convenience angle.
Clinton was subject to IT policy that made it difficult to conduct business in her role as Secretary of State. To be fair, she did what many of us might do in a similar situation and worked around the problem.
There are lessons to be learned here by IT policy makers: are your policies hindering the effective workflows of your staff? If so, your staff will find ways around these policies, often in ways that subvert the security of your organization beyond what the original measures were introduced to mitigate.
Regarding the attacker motivations, we know as a fact that foreign state-sponsored attackers are working actively to compromise U.S. government, private, and public institution assets. They range from hobbyist attackers working alone and small groups to well-funded, supported, and organized teams.
The attackers are interested in assets that are directly located on their compromise boundary: correspondence between staffers, Clinton, diplomats, strategy around U.S. foreign policy, and so on. In addition, attackers seek to leverage transitive trust relationships between entities to increase their compromise boundaries and access more attractive assets.
Let’s review how transitive trust is abused by attackers. The five stages we’ll review below show a basic layout of assets and components which attackers are interested in accessing or leveraging for their trust relationships to those assets.
In this first stage, an attacker maps out the complete perimeter of the organization and selects weak-points. Individuals with trust relationships make attractive targets.
Attackers know that security sensitive organizations invest in technology, process, and staff to detect and mitigate active attacks. The Clinton email server was obviously outside of the purview of these controls and thus presents a very interesting first target for attack.
In the second stage, the attacker is able to compromise the email server and increase the compromise boundary to personal computers and laptops on the internal Clinton network. The attacker has access to email assets on the email server and can start analyzing the emails for credentials, trust relationships, further targets for social engineering or spear-phishing, and so on.
While Clinton has stated that no sensitive information was received at her personal email address, when infrastructure has mixed use, it’s almost impossible to prevent the leak of some sensitive information across boundaries (even when an organization has a highly mature information classification scheme). In other words, it isn’t effective 100% of the time. Even one leaked document, developing strategy, or the like is necessary to impact the organization—in this case the U.S. government. A compromise here can be publicly revealed, resulting in severe reputational damage to both the staffers and the organization. What is more concerning is the potential to subtly influence the ability of the government to conduct business in diplomatic missions.
Where can the attacker go from here?
In the third stage, we see the attacker further increase their compromise boundary to mobile devices—sharing trust relationships with local network machines and typical arrangements such as VPN access to U.S. State Department networks.
The attacker gains additional assets and information about trust relationships here. More alarmingly, roaming devices such as laptops and mobile devices might wind up connected to segmented networks in SCIFs (Secure Compartmentalized Information Facilities), the U.S. State Department, or the SIPRNet (Secret Internet Protocol Router Network). Myriad opportunities for the exfiltration of assets are introduced by laptops and mobile devices, with proximity to radio interfaces or microphones being all that’s required to bridge an air gap.
In the fourth stage, the attacker has all components and assets within the compromise boundary, and has entrenched themselves thoroughly on Clinton’s infrastructure. The attacker enjoys great flexibility in persistence of access—each component can be backdoored and leveraged for future access.
In the fifth and final stage, the attacker has compromised all mission-related assets and is free to slowly exfiltrate information using existing communication lines.
The perimeter, as we know, is incredibly porous. Ensuring the security of the software that gates access to assets both within and external to resources must be protected against a litany of attackers, including insiders. It’s not enough to base information compartmentalization against ‘clearance level.’ We aren’t worried only about the trustworthiness or fidelity of individuals, but whether those individuals are themselves on an attacker’s compromise boundary.
IT policy makers have a challenging position. Flexibility seems to erode the security of the perimeter. Software is often outside of an organization’s ability to secure. Restrictive IT policy decisions are then the norm. It is important that policy makers introduce mechanisms for understanding and mitigating the pain that these measures may introduce so that they can draft flexible solutions that still maintain organizational security controls. Additionally, it highlights the importance of conducting evaluation of security controls against multiple privileged levels of access in the component graph regardless of how trusted the privilege holders themselves are.
Would Clinton have made the same choices and introduced the same organizational risk if IT policy makers were available to accommodate her use cases? We can’t tell, but we can tell for sure that those mechanisms for understanding user pain points of IT policy decisions did not exist. As a result, the overall security of the U.S. government was weakened against a litany of attackers.