Defense contractor hacks underscore vulnerability to phishing attacks

To combat this rise in corporate network attacks, Steven Sprague, chief executive officer of security firm Wave Systems, offers a number of security tips to companies to protect their data from hackers.

First of all, companies should take advantage of security measures that are already deployed on employee PCs. Many current PCs can authenticate email securely using the trusted platform module (TPM) security chip embedded in the motherboards. The TPM can replace passwords to access email on public systems with cryptographic methods that are well understood. There is no cost for the user to use the TPM, nor is there any cost for an e-mail provider to make it an optional authentication means for its email system, Sprague said.

“We have the infrastructure to provide security but in general don’t turn it on and use it. One of the challenges we have enterprise-wide is to enable the security features we already have. Today, there are almost a half a billion PCs with hardware security on the motherboard that can be used to reduce or eliminate the need to have a password to log into your email”, Sprague told Infosecurity.

“The trusted platform module was very broadly deployed and was part of Microsoft’s Vista rollout back in 2005. As a result, it is quite broadly deployed on everybody’s PCs today, but not very broadly used. One of the challenges…is to move toward a more hardware-assured access that can provide us with an enhanced level of defense”, he said.

One of the advantages of using this technology is that a cybercriminal cannot send phishing emails to employees and ask for their password because they do not know the password. “So it really helps to remove one of the vulnerabilities that are out there, which is the poor human who can’t remember complex passwords”, he added.

The attack on RSA, which leaked the seed database to its Secure ID token used by Lockheed Martin and other defense contractors, was the result of a successful phishing attack against RSA employees.

Sprague also recommended that company only allow the handling of official business on corporate email accounts. “If you are logging into Google mail, your password is going across the WiFi in the clear. So it becomes much easier to set up a rogue hotspot or intercept the traffic, and therefore compromise the user’s authentication credentials with the public services that are out there”, he said.

If an employee uses the corporate network and there is a breach, the corporate IT department can help “put the genie back in the bottle.” However, “calling customer service at Yahoo mail is a somewhat futile effort”, Sprague observed.

What’s Hot on Infosecurity Magazine?