Open sesame
The government’s email is shockingly vulnerable.
The article was published in the Hindu on September 22, 2015. CIS research on private email accounts is mentioned.
As the Centre moves towards smart cities and a Digital India, some critics have cited the country’s increased vulnerability to cyber attacks. To be sure, cyber threat groups could disrupt our infrastructure by taking control of many systems. Such attacks could be quite damaging. Yes, they are rare today, but are much more likely to arise in conjunction with traditional armed conflicts. Cyber criminal groups target Indian organisations on a daily basis.
Almost two years ago, the IT minister’s office triggered national outrage when it used a public email service for official communication. There was much hand-wringing about security practices in a ministry responsible for setting the technology direction (secure email policy) for the country. Then in December 2013, the Centre for Internet and Society revealed that up to 90 per cent of Indian government officials used private email accounts for professional purposes.
A big deal
Between then and now, we’ve read about a new email policy and revelations of several cyber attacks on government officials. And FireEye revealed a decade-long cyber espionage operation by a group we call ‘APT30’, which is likely to be sponsored by China. How did they break in? By sending targeted ‘spear-phish’ emails with malware attached.
Email doesn’t sound like a big deal. Most of us have been using it for over a decade, and think we know how to use it right. But when you’re in a position of authority with access to sensitive information, you shouldn’t leave it to chance.
Today, state-sponsored attackers craft these spear-phishing emails after considerable research. APT30 carefully researched their targets and crafted mails which would appear extremely relevant, with interesting content. The moment a victim would open an attachment, an exploit would secretly install a backdoor. Through that backdoor, groups can compromise the employee’s entire network and extricate sensitive data. Groups bent on destruction can deploy malware to destroy the data. They could also take control of systems managing infrastructure or industrial processes and create havoc.
Spear-phishing has an open rate of 70 per cent, while regular mass emails had an open rate of just 3 per cent. Email is the front- door for today’s threat groups. That’s why governments around the world are improving the security of their email systems to fend off these spear-phishing threats.
Public concerns
When government employees use webmail for official business, they trade away their security for convenience. The emails they receive are no longer screened by cyber security solutions, which detect advanced targeted email attacks before they reach the inbox. In addition, because people typically retrieve their webmail in a browser, attackers have a larger attack surface to exploit when carrying out their attacks. For example, attackers can coax victims to click on a link to a website, which delivers an exploit via Adobe Flash.
Webmail opens the door to threats that would otherwise have been intercepted. When our government employees use webmail for official business, they leave the front door wide open to threats. One of the best steps we can take towards improving our government’s cyber security defences is abandoning public email services.
The writer is a software architect at the cyber security firm FireEye