DNC Email Scandal Shows What Must Be Done to Prevent Breaches, Leaks
ANALYSIS: Once again the Democratic Party has been seriously embarrassed by an email leak scandal. But without the leaks the data breach might have been much worse
First, never assume that email is private. Even though you may trust the recipient, there’s nothing to prevent them from sharing your email with others. There’s also very little to prevent your email from showing up in the discovery process if you’re involved in a legal dispute or from law enforcement from finding it or for that matter a hacker.
Second, try to find some means of communications besides email. Just know that instant messaging isn’t secure either.
My approach once when I was on assignment somewhere in Eastern Europe shortly after the Soviets pulled out was to hold sensitive discussions while walking in the woods. You may not need to hike the Transylvanian hills, but face to face discussions are less likely to be intercepted than email. Just hope the other person isn’t recording you.
Third, since you’re going to use email no matter what I suggest, at least don’t discuss things that will land you in trouble if anyone finds out, because you have to assume they will find out. As Debbie Wasserman Schultz is now discovering, they always find out.
Encrypt your email
Finally, if you absolutely must, no matter what, discuss sensitive information by email, then at least use encryption.
Ray Rothrock, CEO of security vendor RedSeal, suggests sending email using encryption, but then sending the key using some other means. This is an instance where you could send the key via Facebook Messenger’s encrypted message service to decrypt sensitive email.
Of course encryption only goes so far, since if it’s a court or law enforcement, you may be compelled to provide the key. And if the email you’re sending exists in non-encrypted form somewhere on your computer, you can assume that that Russian hacker or the FBI (or both) will find it.
Take action
What else can you do? You need to protect your network so you can minimize the success of a hacking attempt. Rothrock said, “Start with good hygiene and policies, and then test everything to make sure it works.”
Rothrock said that it’s also important to make sure that exfiltrating information is very difficult through proper network design and management, as well as through the use of the right security products.
Unfortunately, for any of this to matter there need to be policies in place to support the people who are protecting your email and policies about what can and what cannot be sent via email.
And there has to be some effort to help people understand that the price of laziness, arrogance and stupidity is very high. It can cost your job and it may hurt even worse when it damages the organization. Allowing laziness or inattention to keep you from being secure is beyond stupid, as the soon-to-be former head of the DNC has just found out.
Originally published on eWeek