An Industry Analysis Of The White House Computer Breach

Following today’s news that Russian hackers managed to breach part of the White House computer system, various industry experts offered their thoughts on the incident:

Jeremiah Grossman, founder of WhiteHat Security:

“If the White House or the State Department can’t keep our foreign hackers with the infinite resources at their disposal… what chance does the average company have? Not to mention the everyday person.

“Secondly, whatever new legislation the White House or Congress is planning, does it have any chance of preventing this kind of incident from happening again?”

Dwayne Melancon, CTO of Tripwire:

“Once an attacker gets into your systems it can be notoriously difficult to get them out, particularly when your network and internal security controls allow the attacker to move around on your network without being noticed. That appears to be the case here, which could be the result of an outwardly-focused security approach. If you assume the enemy is ‘out there’ you stop noticing their activities when they get ‘in here.’

“There are a few significant challenges in breaches like this. First, attribution is difficult. A savvy attacker can not only cover their tracks, they can often mislead you into believing someone else is behind the attacks. I hope the White House has strong evidence to claim Russian responsibility.

“Additionally, many organisations lack a baseline understanding of what is “normal” on their internal network and systems, making it difficult to tell which systems you can trust, which systems you can’t and – more importantly – how to stop the attack and prevent future compromises. ”

Ken Westin, senior security analyst at Tripwire:

“The intrusion into the unclassified State Department network was assumed to be Russian by many in the government and security community. As portions of the network were shut down for long periods of time for extensive security upgrades many speculated that the extent of the intrusion may have been more severe than originally thought.

“That the attackers were able to use that initial intrusion as a spearhead to gain access to the White House network is rather alarming, indicating a lack of network segmentation, or compromised credentials.

“The new insights into the investigation with the US government implicating Russia would imply that there is strong evidence that the Russian government was involved.  However, given the sensitive and confidential nature of US intelligence agencies methods only a few will have access to the actual evidence which may raise suspicions as to the accuracy and veracity of the accusation.

“I do not think it is a coincidence that this comes on the heels of Obama declaring a national emergency and issuing an executive order regarding cyberthreats. Those investigating this intrusion may have additional evidence that implicates a specific group and the executive order may be used to go after those deemed responsible with sanctions and other tools at their disposal.

“This is a good example of  ‘it is not a matter of if but when,’ but where we now must now also ask ‘for how long and how deep’ a breach has occurred, as it is being revealed the hackers had access potentially for months even after initial detection and remediation attempts.

“The governments and businesses should take note that  even networks we would expect to be impenetrable are still able to be compromised.

“A critical point not to miss regarding this intrusion is that it was detected and remediated, with the State Department taking a number of steps to increase their security posture and that classified systems appear to have not been compromised at this time.”