An InfoSec perspective of Security Failures at Stratfor

It is not surprising that a company holding information as sensitive as Stratfor's would become a target of hacker infiltration. The now-notorious case started late last year in a series of reported incidents: web servers were initially compromised, then emails were stolen, and those emails are now being released by the WikiLeaks group. How a small risk-analysis company became the target of this alliance between WikiLeaks and Anonymous, which reportedly performed the compromise, is not clear. Among the possibilities, the sad answer is most likely circumstance and opportunity. An easy target is an easy target.

The mere fact that an organization works with such sensitive information, and even sells that information to interested parties, should elevate its security level by default. That security level is equal parts process and technology. No network is hack-proof, but the sheer volume of email captured and taken from the environment should have sounded an alarm, at a minimum. Compromised privileged credentials are the lynchpin of such compromises. This raises the question of how this information was obtained and how privileged access got so far out of hand that it could happen.

True, the specifics of how this compromise came about have not come out and may never come out, so many questions will remain. To stop a hacker, or to minimize exposure (there is a word for this: risk), you have to think like a hacker. This is InfoSec 101 material, and it is why the title's reference to “security failures” is not harsh in the slightest; this represents a full-on failure at the most basic levels. Let’s review some basic infosec tenets:

  • What resources on your network are worth protecting?
  • How are these resources protected?
  • Who has access?
  • How do we audit this access?
  • Who reviews all of this, and when?

Going through the motions and setting up a traditional security configuration without appropriate regard for the type of information at stake is just plain inexcusable. If a company is in the business of using network resources to handle sensitive information, it has an absolute obligation to secure that information by all practical means. In this case, given the volume and type of information taken, it does not seem that such an obligation was sufficiently fulfilled. In fact, in one released email, George Friedman, the CEO and founder of Stratfor, wrote from his BlackBerry in response to a suggestion that the company buy email encryption software. This one email alone may haunt him more than the rest:

“40k is a lot of money to spend on that obviously,”

“It probably prices the solution out of our means right now.”

This was not the only warning. In other released emails, Fred Burton, the vice president of intelligence, reportedly called for widespread encryption of sensitive information, among other measures. The results clearly show this was not implemented at any level, as company financials, emails, and other intelligence information are now open for all to see. Looking into the company’s confidential dealings raises a slight ethical question, but from the perspective of information security, there are many lessons to be learned.

Case studies citing the failure to encrypt email in the face of such a paltry expense are already spreading. If anything, examples for security process analysis have already presented themselves for practitioners throughout the industry to review.