Why the New York Times network was simple to breach

(Editor’s note: The recent network breaches of the New York Times and Wall Street Journal may be the tip of the iceberg. At least six separate Chinese hacking groups, steeped in Advanced Persistent Threat, or APT tactics, are likely responsible for targeting US, UK, Australian, Canadian, Korean and Philippine media organizations, says Adam Vincent, CEO of security startup Cyber Squared, which runs the ThreatConnect intelligence-sharing exchange. In this guest commentary, Aaron Higbee, chief technology officer at training firm PhishMe, outlines why APT attacks remain viable and pervasive. — Byron Acohido)

By Aaron Higbee

It is unfortunate that security giant Symantec is taking a lot of heat for failing to detect the malware involved in the breaches last week of the New York Times and Wall Street Journal websites.

The limitations of antivirus technology are very well known. These reports are completely ignoring the real problem and not getting to the heart of the matter: How did the attack start? The answer: one simple spear-phishing email.


Whether AV, spam filtering, or other technologies are present, spear phishing remains the one threat that consistently bypasses enterprises’ technical defenses. Most major breaches begin with spear phishing.

Organizations shouldn’t and can’t give up security technologies. In fact, based on some of the good work security technology vendors have been doing, we have witnessed firsthand spear phishers changing their methods to cope with the ever-improving technologies that are doing their best to prevent breaches.

In addition to technology, enterprises need to increase the responsiveness of their employees to new security threats. Humans can be a key element in detecting and reporting new or anomalous activity — an essential part of enterprise defenses.

That’s because even the best defensive technologies will have gaps, and the role your human assets play in defending the network cannot be dismissed. An educated user base is the best choice you can make when it comes to filling these gaps.

The real problem is that too many programs are designed to only rely on technical controls and feed useless information to users. Holistic information security is a balance between technical controls — both tried and true and bleeding edge — and IT consumers who understand their role in security. The latter has either been neglected for too long or inundated with information that is too technical or focused on items that don’t matter.

With consistent and relevant training, the vulnerabilities that technical controls cannot patch would be covered by another layer of security: a user who recognizes and reports the attack.

One has to wonder whether the NY Times would be making headlines today if one of its staffers had reported the suspicious email based on training they had received.

About the author: Aaron Higbee is co-founder and CTO of PhishMe, which runs training and behavior modification programs. He is on the board of directors at Intrepidus Group, and previously served as principal consultant for McAfee’s Foundstone division.