Bertrand Cambou, a professor of nanotechnology and cybersecurity at Northern Arizona University, is available to discuss what went wrong in the Russian hack attack revealed this week and what organizations, including the U.S. government, can learn from the attack. Cambou is a senior member of the National Academy of Inventors and is an invention ambassador of the American Association for the Advancement of Science.
Media coverage has mentioned two specific methods the hackers used:
- The contamination of Microsoft's Office 365 email, which is a cloud-based service.
- The contamination of updates to SolarWinds' Orion network monitoring system, which is supposed to offer anti-virus protection.
According to Cambou:
The use of these products is inherently risky; cloud-based email services should not be trusted for security and sensitive operations. In general, software tools with mandatory updates can be used as Trojan malware. These updates are forced on the client devices without authentication, and the servers have the upper hand and are able to shortcut security.
The weak link for massive attacks is the server or cloud having the authority to infect terminal devices at large scale. Tools like MS Duo have the objective of blocking malicious users, not malicious cloud services.
It was reported that SolarWinds customers often use Microsoft's DUO multi-factor authentication, which did not prevent the attack.
Due to the recent attack, the information already stored on the cloud is suspicious, and all government personal computers with the monitoring system should be quarantined, with the assumption that worms were potentially planted in the software stack. In both cases the users were interacting with contaminated networks. This is a really bad situation.
Implement two-way authentication, which is much more secure than cloud-based multi-factor. The objective should be both to prevent a bad server from playing and to block malicious users.
Earlier this year, Cambou hosted industry and military partners on a multimillion-dollar cybersecurity project. Learn more about the grant from the U.S. Air Force.