Individuals calling themselves the “CyberCaliphate” hacked into the Twitter feed for the U.S. military’s Central Command last week, and for 40 minutes posted photos, links, and videos before the account was shut down. They also gained access to Central Command’s YouTube profile, updating the banner image and posting Islamic State propaganda videos. While no confidential or top secret information was stolen, and hackers did not gain access to the U.S. Department of Defense’s network, the incident illustrates the risks government agencies face as they increasingly rely on cloud services to fulfill their mission and communicate with the outside world.
Many in the media mistakenly focused on the alleged sensitive information being posted to the account, which turned out to have been publicly available for several years. The scope of this attack was not much different from other acts of cyber vandalism in recent years that defamed and embarrassed victims but did not materially breach sensitive data.
What the media missed, however, was how this incident could have involved another cloud app storing sensitive data. While it’s still early in the investigation, gaining access to a Twitter account doesn’t necessarily mean the hackers broke into Twitter; they could have guessed a weak password or used social engineering to reset the account’s password. Also, 2014 had more data breaches than any year on record, and millions of account credentials are for sale on the black market. Since 31% of passwords are reused, it’s entirely possible the Twitter account was compromised using a password from another account, or that the YouTube account used the same password as the compromised Twitter account.
5 Steps You Can Take to Protect Cloud Accounts
A multi-layered approach to preventing these types of breaches tends to be more effective than any single action taken in isolation. We’ve identified 5 things CENTCOM could have done to prevent or significantly reduce the impact of this type of breach.
1. Enable multi-factor authentication
The good news is that Twitter is one of the 16% of cloud services profiled in Skyhigh’s Cloud Adoption and Risk Report that offer multi-factor authentication. Employing multi-factor authentication means that after you log in with your username and password, you have to complete an additional verification step, such as entering a code texted to your phone, to validate your true identity. In most cases, someone who manages to get your username and password online doesn’t have physical access to your cell phone, and so they’re not able to gain access to your account.
Now, requiring employees to use multi-factor authentication for every cloud service, even those not housing sensitive data, could be viewed as a bit of overkill. A more user-friendly approach is to leverage adaptive authentication, which automatically adds a multi-factor authentication requirement when a new device is detected, when a login attempt occurs from a new geography, or when there is a confidential data access attempt. This very simple step can make it significantly more challenging to gain access to your account.
2. Use strong, unique passwords for each cloud service
The next step requires a little more work. According to a study at the University of Cambridge, 31% of all passwords are reused in multiple places. That makes the impact of one compromised account much larger, because an attacker could potentially gain access to any account that reuses that same password. Using a strong, unique password for each cloud service is essential to protect yourself and limit the damage of a compromised account. It means you’ll need to use a secure password storage app. Changing those passwords every few months further limits your exposure, since an attacker who buys a stolen password online cannot keep using it to access your account indefinitely.
3. Monitor your data
Analyzing your data in the cloud can reveal breaches so you can take action while their impact is still limited. In the context of social media, free tools like Hootsuite can aggregate retweets, favorites, and mentions in a single dashboard, and deliver alerts to you on a mobile device. Almost immediately after sympathizers began posting Islamic State propaganda on their Twitter feed, there was a surge of mentions and retweets as people reacted to the hack. If CENTCOM had been using free tools that are commonly used by teenagers to monitor and manage their social media presence, they may have been able to react to the breach in less time and shut down their account.
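The surge-of-mentions signal described above can be turned into an automated alert. The following is an added example, not code from the original post or from any monitoring product: it buckets mention timestamps by minute and flags any minute whose count dwarfs the preceding baseline. The sample feed, the thresholds and the account name are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean

def bucket_by_minute(timestamps):
    """Count mentions per whole minute from ISO-8601 'Z' timestamps."""
    counts = Counter()
    for ts in timestamps:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        counts[t.replace(second=0)] += 1
    return counts

def detect_surges(counts, baseline_minutes=30, ratio=10.0, min_mentions=20):
    """Flag a minute when its mention count is at least `ratio` times the mean
    of the preceding `baseline_minutes` and at least `min_mentions`, so a quiet
    account going from 0 to 3 mentions does not page anyone. Thresholds are
    this example's assumptions and would be tuned per account."""
    alerts = []
    if not counts:
        return alerts
    start, end = min(counts), max(counts)
    minute = start + timedelta(minutes=baseline_minutes)  # need a full baseline first
    while minute <= end:
        window = [counts.get(minute - timedelta(minutes=i), 0)
                  for i in range(1, baseline_minutes + 1)]
        base = mean(window)
        now = counts.get(minute, 0)
        if now >= min_mentions and now >= ratio * max(base, 1.0):
            alerts.append((minute.strftime("%Y-%m-%dT%H:%MZ"), now, round(base, 2)))
        minute += timedelta(minutes=1)
    return alerts

def constructed_sample():
    """Constructed feed: 2 mentions/minute for half an hour, then a burst of
    45 and 60 mentions in consecutive minutes, as people react to a hijack."""
    t0 = datetime(2015, 1, 20, 15, 0, 0)  # arbitrary constructed date
    stamps = []
    per_minute = [2] * 30 + [45, 60]
    for offset, n in enumerate(per_minute):
        for k in range(n):
            stamps.append((t0 + timedelta(minutes=offset, seconds=k % 60))
                          .strftime("%Y-%m-%dT%H:%M:%SZ"))
    return stamps

if __name__ == "__main__":
    for when, count, base in detect_surges(bucket_by_minute(constructed_sample())):
        print(f"ALERT {when}: {count} mentions vs baseline {base}/min")
```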
4. Check your last login location
Many cloud services, including YouTube, show the last location used to access your account. If that location does not match where you logged in from, it’s likely someone else has your account credentials. If you notice something suspicious, you can block access by unauthorized devices and change your password to protect your account. A number of cloud services now offer this feature, including Facebook, Dropbox, and cloud products from Google.
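The adaptive authentication policy from step 1 and the last-login-location check from step 4 rest on the same per-account login history. As an added example that is not the post’s or any vendor’s code, the policy below requires a second factor whenever a login arrives from an unseen device or country, or touches sensitive data, and only records a login into the trusted history once the policy is satisfied. The in-memory store, user name and country codes are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    accesses_sensitive: bool = False
    password_ok: bool = True

@dataclass
class Decision:
    allow: bool
    require_mfa: bool
    reasons: List[str] = field(default_factory=list)

class AdaptiveAuthPolicy:
    """Step-up rules from step 1 plus the last-login check from step 4.
    History lives in memory here (example assumption); a real service persists it."""

    def __init__(self) -> None:
        self.history: Dict[str, List[LoginEvent]] = {}

    def evaluate(self, ev: LoginEvent) -> Decision:
        if not ev.password_ok:
            return Decision(allow=False, require_mfa=False, reasons=["bad password"])
        seen = self.history.get(ev.user, [])
        reasons = []
        if ev.device_id not in {e.device_id for e in seen}:
            reasons.append("new device")
        if ev.country not in {e.country for e in seen}:
            reasons.append("new geography")
        if ev.accesses_sensitive:
            reasons.append("sensitive data access")
        return Decision(allow=True, require_mfa=bool(reasons), reasons=reasons)

    def complete(self, ev: LoginEvent, mfa_passed: Optional[bool] = None) -> bool:
        """Record the login only when the policy is satisfied, so a password
        bought on the black market never gets a new device or country trusted."""
        d = self.evaluate(ev)
        if not d.allow or (d.require_mfa and not mfa_passed):
            return False
        self.history.setdefault(ev.user, []).append(ev)
        return True

    def last_login_country(self, user: str) -> Optional[str]:
        """Step 4: where the most recent successful login came from, for the
        account owner to compare against where they actually were."""
        seen = self.history.get(user)
        return seen[-1].country if seen else None
```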
5. Identify stolen credentials for sale
Organizations like the Department of Defense, as well as large companies, can have hundreds of compromised credentials for sale on the black market. These accounts include everything from cloud services like Twitter and YouTube to financial applications and websites. By monitoring and proactively finding credentials for sale on dark net marketplaces, you can see exactly which accounts need new passwords to prevent the leak of sensitive information or loss of control. Also, if those passwords have been reused, you know which other accounts could be exposed.
What This Means for Government Cyber Security
Government agencies are using cloud services to fulfill their mission, whether those services are known to the IT department or brought in by employees without IT’s knowledge. As government data moves to the cloud, agencies should audit what cloud services are in use and what data is stored in those services. Every organization has shadow IT, often due to the creativity of end users looking for apps that make them more productive. IT often underestimates cloud usage because it assumes all unauthorized cloud services are blocked. In practice, blocking is more difficult than in theory due to the complexity of egress device deployments and the need for policy exceptions, and data shows that actual blocking rates are much lower than expected.
Even services like Twitter and YouTube that likely contain no sensitive data can be used to hurt the agency if compromised by an attacker, given their reach to millions of people around the world. These services and others can also be used as a vector for data exfiltration – when attackers need to remove sensitive data from an organization. Skyhigh’s CTO Kaushik Narayan recently wrote about a novel technique for data exfiltration in which data was encoded into video files and uploaded to popular video-sharing sites. To stop these types of attacks, governments need new tools to enforce identity control and detect attacks in progress in the cloud, so they can prevent attackers from compromising their data, or their reputation.