Hillary Clinton, the former US secretary of state, recently came under fire for “exclusively” using her personal email account in all job-related matters. According to the New York Times, Clinton did not have a government email address during her four-year tenure at the State Department. Her aides also took no actions to have her personal emails preserved on department servers at the time, as required by the Federal Records Act.
Although use of private email in an official capacity is not strictly illegal, it is intended to be used only in times of emergency – such as server failure.
In the US, all sent and received emails using federal officials’ personal accounts should be archived on government servers for record-keeping purposes. Clinton’s emails to government accounts would have been flagged for archiving on the recipients’ ends, however it can be assumed that emails sent to non-government accounts were not automatically retained.
The eagle-eyed among you will remember a similar scandal in the UK, involving ex-education security Michael Gove in 2011.
There is clearly an issue of transparency here – but that’s not the only reason to feel uneasy about it. What security measures were used to ensure Clinton’s communications were protected? How susceptible was Clinton’s account to hackers?
Downplaying the potential for cyber-criminals or foreign intelligence agents to crack into the server, officials that spoke with Business Insider said “because of these hacking risks, Clinton used an email server that provides more robust security options than those available on typical consumer email accounts.” Notwithstanding, this is clearly a serious example of shadow IT – a renowned and all too common security threat.
The idea that her personal server was safe behind the guns of the Secret Service misunderstands the fundamentals of internet security. Malicious actors who hacked Network Solutions, the provider of the domain name services, could quietly hijack the Clintonemail.com domain, intercepting, redirecting, and even spoofing email from Clinton’s account.
“As secretary of state for the United States government, the number of people who would want to hack into Hillary Clinton’s emails is almost innumerable”
This server was beyond the reach of the US government’s IT administrators and thus may have suffered from significant security risks ordinarily mitigated by the vigilance of the US government’s robust security.
So how can businesses learn from Clinton’s BYOS (Bring Your Own Server)?
The most obvious lesson is the reinforcement that businesses require to ensure that the whole IT infrastructure is protected. The usual reminders apply: carrying out full IT audits; constantly patching and updating software; using multi-factor authentication wherever possible; educating the workforce on the dangers of phishing; and implementing a positive BYOD strategy so that any device used is part of the IT infrastructure.
Just as important is assessing where the threats could be coming from. As secretary of state for the United States government, the number of people who would want to hack into Hillary Clinton’s emails is almost innumerable. Companies are likely to face the same level of threat from cyber-criminals, so it’s important not to dismiss this rogue server as hype and underestimate the issue.
We live in a time when the tools to attack vulnerabilities are available ‘off-the-shelf’ – downloading a trial copy of Metasploit can quickly exploit an unpatched system. This means that businesses are at risk from a wider range of people than ever before.
It’s not only those who are looking to gain financially that you should beware – the rise of online activism means that anyone with an axe to grind could attack your business. The worrying fact is that activists do not only target the root causes of their frustration – they will also target those who side with, support or condone their opponents.
Think about where your business advertises, who your partners are, and even whether any of your employees could potentially pose a risk. Are any of them controversial – or even simply perceived as such?
The real-time nature of today’s online discussion spaces, plus the natural tendency for people to overreact, means that your business, however uncontroversial you think it is, could be the target of activists’ attacks – just by association.
About the Author
Ian Trump is an ITIL certified IT consultant with 17 years of experience in IT security and information technology. He is a board member of the Canadian Cyber Defense Challenge and IC2, as well as an editorial review board member for the EDP Audit, Control, and Security newsletter