Email security for people in sensitive positions is a growing topic of concern.
There is of course the ongoing discussion around the security of former Secretary of State Hillary Clinton’s “homebrew” email server, and now news that the personal email accounts of CIA Director John Brennan and Department of Homeland Security Secretary Jeh Johnson may have been breached.
Certainly the possible compromise of personal email of anyone in a sensitive position is cause for concern. But based on what we know so far, unless or until there’s more information, this would seem to be more likely an annoyance and an embarrassment than a national security crisis.
First of all, this episode is a reminder of why it’s important to keep personal and professional email separate. Generally speaking, professional email systems have better overall protections than free, webmail systems. Especially when we’re talking about organizations that deal with highly sensitive information — they have greater protections to match the heightened risks they face.
It also reminds us that personal email can be the weak link that enables an attacker to bypass the stronger safeguards that organizations have in place. This is where the adage that a “defense is only as strong as its weakest link” applies. If you mix personal and professional email, you’re introducing a weak link that can lead to a compromise.
If you keep your personal and professional email separate, then a breach of a personal account doesn’t have to translate into exposure for your professional account or organization. So far at least, that would appear to be the case here.
It’s also good to remember that hacks against personal webmail accounts aren’t new. Back in the middle of the 2008 presidential race, Sarah Palin’s personal Yahoo! email account was compromised. In that case, the attacker, David Kernell, was able to reset the account password by posing as Sarah Palin and correctly answering biographical details to “prove” he was her.
He found the answers to the security questions, like her birthdate and high school, through basic Internet searches and used that information to gain control of her account. While we don’t have specific details of how these hacks occurred, it’s reasonable to think that a similar attack was carried out in this instance. Resetting the password for webmail accounts remains a common and ongoing attack vector to this day.
If nothing else, this latest episode serves as a good reminder that good webmail security practices are important. These accounts are the “keys to the kingdom” for stealing your digital identity: almost every major case of digital identity theft traces back to an initial compromise of a webmail account.
Two easy things you can do to protect your webmail account are enabling two-factor authentication (all major webmail providers offer this today) and ensuring that the answers to your security questions can’t easily be researched with a routine web search. Protecting access to your account, and the ability to reset it, goes a long way toward securing your overall digital identity.
And of course, don’t mix personal and professional email. Ideally, you shouldn’t include them on the same computer or device. But realistically, if you do need to check them both on the same piece of technology, use different, dedicated email clients for each — don’t go for the convenience of a unified inbox — that makes for an easy target.
Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.