When the Internet of Things Takes Down the Internet

The devices that slowed some of the world’s largest sites for hours on a recent Friday morning weren’t server farms or hacked key fobs. They were ordinary consumer gadgets.

Baby monitors helped take down Twitter.

Security cameras helped halt Amazon.

This nightmare scenario became a reality on October 21 when hackers used the Internet of Things (IoT) in a distributed denial-of-service (DDoS) attack that brought down major sites from PayPal to Spotify. While the attack was described as an Internet security issue, that’s not the whole story. It is a supply chain issue. The attack also represents a Doomsday scenario that security and supply chain experts have been predicting for years. Their focus is not high-level international villains, but low-level embedded technology.

What Happened

Early in the business day on that October Friday, major web sites started stuttering. The problems were quickly attributed to an attack on Dyn, a major provider of managed DNS, the service that translates domain names into the IP addresses browsers actually connect to. Dyn’s servers were flooded with millions of requests from so many IP addresses that they couldn’t keep up, the pattern known as a DDoS attack. The requests came from consumer devices the attackers had compromised, baby cameras and surveillance monitors among them, basically turning the Internet of Things against the Internet.

As Dyn’s leadership notes, businesses that had built in network redundancy fared better against the attacks, as they could shift to other DNS providers. That kind of spreading the wealth is actually encouraged by Dyn, as its Chief Strategy Officer Kyle York noted in statements made after the attack. His firm supplies a service, and good supply chain practice for critical parts of a chain is to build in redundancy so that if one service falters, business can still continue.

“I don’t think you can ever be safe enough or redundant enough,” he says, in Supply Chain 24/7.
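Dyn’s redundancy advice can be checked for any zone. The following is an added example of mine, not Dyn’s code or anything from the original article: it groups a zone’s delegated nameservers by the organisation that operates them and by /24 network, so a delegation that depends on a single provider or a single network stands out. The nameserver names and addresses are constructed (RFC 5737 test ranges), and the suffix list is a tiny stand-in for the real Public Suffix List.

```python
"""Check whether a zone's delegation depends on a single DNS provider or network.

Added example; the nameserver hostnames and addresses below are constructed
(RFC 5737 test addresses), not Dyn's or any real provider's records.
"""
import ipaddress
from collections import defaultdict

# Tiny stand-in for the Public Suffix List, enough to group hostnames by the
# organisation that owns them. Assumption for this example only.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(hostname: str) -> str:
    """ns1.dnsvendor-a.example -> dnsvendor-a.example; ns.foo.co.uk -> foo.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def delegation_report(ns_to_ip: dict) -> dict:
    """Group the delegated nameservers by provider and by /24 network.

    A zone whose NS records all belong to one provider, or sit in one network,
    has a single point of failure under a volumetric attack on that provider.
    """
    providers = defaultdict(list)
    networks = set()
    for host, ip in ns_to_ip.items():
        providers[registrable_domain(host)].append(host)
        networks.add(ipaddress.ip_network(f"{ip}/24", strict=False))
    return {
        "providers": dict(providers),
        "networks": sorted(str(n) for n in networks),
        "single_provider": len(providers) < 2,
        "single_network": len(networks) < 2,
    }


# Constructed delegations for a hypothetical zone (not real records).
SINGLE_PROVIDER = {
    "ns1.dnsvendor-a.example": "192.0.2.10",
    "ns2.dnsvendor-a.example": "192.0.2.11",
    "ns3.dnsvendor-a.example": "192.0.2.12",
}
DUAL_PROVIDER = {
    "ns1.dnsvendor-a.example": "192.0.2.10",
    "ns2.dnsvendor-a.example": "192.0.2.11",
    "ns1.dnsvendor-b.example": "198.51.100.5",
    "ns2.dnsvendor-b.example": "203.0.113.7",
}

if __name__ == "__main__":
    for label, zone in (("single", SINGLE_PROVIDER), ("dual", DUAL_PROVIDER)):
        r = delegation_report(zone)
        print(label, "single_provider=%s single_network=%s"
              % (r["single_provider"], r["single_network"]))
```

In practice the input would come from the NS records at the parent zone plus the resolved addresses; the check is only as good as the suffix list used to decide which hostnames belong to the same operator.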

But that’s not the only supply chain issue at play.

Hardware, Software, Oops

This kind of attack relies on gaining access to the hardware and the software behind it. Vulnerabilities can arise when parts or software handled by an outside supplier aren’t tested for quality assurance, functionality and security. There are hundreds of parts that are now built into cars, for example, that make them smart, but also make them vulnerable to attack and exploitation.

Scott Montgomery, vice president and chief technical strategist in Intel’s security division, notes that companies inherit every problem in their supply chain, according to The New Stack, which covered a panel in San Francisco where he spoke.

And the problem isn’t just a faulty piece of hardware.

“If you think just because your software is on a chip, that they can’t get it off of there, you are mistaken,” says Billy Rios, a security expert who has worked with the Department of Defense, speaking at the same panel. “If you think that someone will never be able to understand your custom vertical, you are mistaken. If you think no one will ever find that hidden account you have in there to do debugging or to access certain features that you don’t want your customers to get access to, you are certainly mistaken.”

Some security experts have been warning that lax oversight of the parts in things that connect to the Internet poses a serious security risk, and some have said it was only a matter of time until a major attack like the one seen in October.

“Information security people ‘have been screaming bloody murder about this for years’,” reports the San Francisco Chronicle.

Take this 2011 example, reported in 2014 by the Heritage think tank:

“In October 2011, two people were convicted of selling as many as 59,000 counterfeit circuits from China to the U.S. military, defense contractors, and others for use in U.S. warships, airplanes, missiles, and missile defense systems. Not only were these cheap fakes, but these chips potentially contained serious vulnerabilities that could have disabled, impaired, or stolen information from these important systems.”

For businesses in the IoT market, rushing Internet-accessible products to market sometimes trumps careful vetting of all components in the supply chain. As one expert notes in the Washington Post, this DNS attack should be a “wake up call” to suppliers who aren’t vigilant about the security of their components.

Because no matter their focus, everyone in the security community agrees that while the volume of things used in this recent attack is unusual, it’s not going to be the last.

OPM’s Cyberattack and Lessons Learned

What does it say about government agencies if the office in charge of handling information for federal employees suffers a hack deep enough to compromise the private information of more than 4 million people?

That’s the question Congress, as well as the leadership of the Office of Personnel Management (OPM), grappled with in the wake of a data breach that reached back to 2012.

A report released Sept. 7 by the Republican-led House Oversight and Government Reform Committee took the OPM leadership to task for failing to adequately protect their systems. The report was based on a year-long investigation into the breach, according to Federal News Radio.

This being Washington, there’s some partisanship at play here, but ultimately the public discussion of the attack and how OPM plans to ensure this doesn’t happen again has lessons for businesses and leaders beyond the Beltway.

What Happened

From the report:

“In what appears to be a coordinated campaign to collect information on government employees, attackers exfiltrated personnel files of 4.2 million former and current government employees and security clearance background investigation information on 21.5 million individuals,” including fingerprint data from 5.6 million people.

On March 20, 2014, the first alert came — someone was pulling OPM data from deep inside the network, Krebs on Security explains. OPM leadership engaged in a monitoring strategy to learn more about the hacker. But, according to the report, this strategy assumed they had correctly identified the source of the problem. They hadn’t.

In May of that year, someone posing as an employee of an OPM contractor hired to do background research used legitimate credentials to log into the OPM system and install malware that opened a backdoor into the OPM network.

OPM found the first hacker, and thought they had mitigated the threat. But they didn’t find the second one until about a year later. Investigations show the first access may have come as early as 2012, according to the House committee.

By the time both threats were discovered, personnel records, including background investigations for security clearance and fingerprint data, had been swiped.

In just one example of the impact of this attack, the Central Intelligence Agency recalled officers from Beijing for fear the attack, tied back to the Chinese, might expose the identity of spies, according to the Washington Post.

Simple steps

A measure as simple as two-factor authentication could have mitigated the attack, the Congressional panel found, but OPM didn’t adopt that requirement for remote logins until 2015. And that was just one suggestion. The Congressional report also called for better vetting of agency personnel and the CIO.
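The second factor the panel had in mind is the kind of time-based one-time code an authenticator app or token produces. The following is an added example of mine, not OPM’s or any vendor’s code and not from the original article: it implements the HOTP/TOTP algorithms of RFC 4226 and RFC 6238 with the standard library only, and shows the server-side verification with a small clock-skew window and a constant-time comparison. The key used is the RFC test-vector key, not a real secret.

```python
"""RFC 4226 / RFC 6238 one-time passwords for a second login factor.

Added example, not OPM's or any vendor's code. Only the standard library
is used; the key used in the demo is the RFC test-vector key, not a real one.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP: dynamically truncate HMAC-SHA1(secret, counter) to `digits` decimals."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the HOTP counter is the number of `step`-second periods since the epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Server-side check.

    Tolerates +/- `window` steps of clock skew and compares in constant time so
    timing does not leak which digits matched. A production verifier must also
    refuse to accept the same code twice within its validity period.
    """
    if at is None:
        at = int(time.time())
    counter = int(at) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # Check every candidate rather than returning early, so the loop's
        # duration does not depend on which step matched.
        ok |= hmac.compare_digest(hotp(secret, c, digits), code)
    return ok


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (often unpadded); decode it."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    key = b"12345678901234567890"       # RFC 6238 Appendix B test key
    print(totp(key, at=59), verify_totp(key, totp(key, at=59), at=59))
```

The shared secret is the whole game: it must be generated randomly per user, stored as carefully as a password hash would not be enough for (it has to be recoverable to compute codes), and never logged.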

In their original response to the breach, back in 2015, OPM leadership outlined the steps taken to ensure this doesn’t happen again. And therein lies a lesson for every business. The OPM laid out 23 steps that they are currently implementing.

Among the suggestions:

  • Enhance oversight of outside contractors, with detailed documentation of how that oversight is done.
  • Limit the number of privileged users and how long they can stay logged in, and track all of their system activity.
  • Hire a dedicated IT portfolio manager to handle all “security and performance requirements.”
  • Mandate cybersecurity training for every employee.
  • Centralize cybersecurity management in the CIO’s office.
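The second item, a cap on privileged users and on how long their sessions last, is only enforceable if someone actually reads the logs. The following is an added example of mine, not OPM’s tooling and not from the original article: it walks a small audit log, lists every account that used a privileged session, and flags privileged sessions that ran past an eight-hour limit or are still open past it. The log lines are constructed in a simple key=value style, and the host, user and command names are invented.

```python
"""Enforce a privileged-session length limit over an audit log.

Added example, not OPM's tooling; the log lines are constructed in a simple
key=value syslog style and the host, user and command names are invented.
"""
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2015-04-01T08:00:12Z host=ad01 user=svc_backup priv=yes event=login src=10.1.4.7
2015-04-01T08:05:40Z host=ad01 user=jdoe priv=no event=login src=10.1.9.3
2015-04-01T17:10:02Z host=ad01 user=jdoe priv=no event=logout
2015-04-01T22:45:00Z host=ad01 user=svc_backup priv=yes event=logout
2015-04-02T03:00:00Z host=ad01 user=contractor7 priv=yes event=login src=203.0.113.9
2015-04-02T09:15:00Z host=ad01 user=contractor7 priv=yes event=runas cmd=ntdsutil
"""

MAX_PRIVILEGED_SESSION = timedelta(hours=8)
SAMPLE_NOW = datetime(2015, 4, 2, 12, 0, 0)   # "current time" for the demo


def parse_line(line: str) -> dict:
    """'2015-...Z k=v k=v' -> dict with a parsed 'ts' plus the key=value fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def privileged_users(log_text: str) -> set:
    """Every account seen with a privileged session: the list to keep short."""
    return {f["user"] for f in (parse_line(l) for l in log_text.splitlines() if l.strip())
            if f.get("priv") == "yes"}


def audit_sessions(log_text: str, now: datetime,
                   max_session: timedelta = MAX_PRIVILEGED_SESSION) -> list:
    """Return (user, finding, duration) for privileged sessions over the limit."""
    open_sessions = {}          # (user, host) -> login record
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        key = (f["user"], f["host"])
        if f["event"] == "login":
            open_sessions[key] = f
        elif f["event"] == "logout":
            start = open_sessions.pop(key, None)
            if start and start["priv"] == "yes":
                duration = f["ts"] - start["ts"]
                if duration > max_session:
                    findings.append((f["user"], "session_exceeded_limit", duration))
        elif f["priv"] == "yes" and key not in open_sessions:
            # Privileged activity with no login on record is itself worth a look.
            findings.append((f["user"], "activity_without_login", timedelta(0)))
    # Sessions never closed: measure them against "now" instead of a logout.
    for (user, _host), start in open_sessions.items():
        if start["priv"] == "yes" and now - start["ts"] > max_session:
            findings.append((user, "session_still_open", now - start["ts"]))
    return findings


if __name__ == "__main__":
    print(sorted(privileged_users(SAMPLE_LOG)))
    for user, finding, duration in audit_sessions(SAMPLE_LOG, SAMPLE_NOW):
        print(f"{user:12s} {finding:24s} {duration}")
```

The same walk over the log is where the "track all of their system activity" requirement is met: the `runas` line is only unremarkable because a login for that account precedes it.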

While many of us may not draw the attention of foreign cyber-espionage hackers, the measures, and the warnings, are good practice for everyone worried about cybersecurity — which should be all of us.

Is Child Labor Lurking in Your Supply Chain?

Congress has recently banned the import of any products linked to child or forced labor with the passage of the Trade Facilitation and Trade Enforcement Act of 2015. Many countries do not have laws, as the United States does, that protect workers from harsh working conditions, and when companies take advantage of this it creates an unfair trade advantage. The U.S. Department of Labor maintains a list of countries that manufacture goods with child or forced labor. According to Kaitlyn McAvoy at SpendMatters:

The law amends previous legislation that allowed any product into the country regardless of how it was produced if it met the “consumptive demand” rule, which is when demand is high but supply is insufficient. The Tariff Act of 1930 allowed the Customs and Border Protection Agency [CBP] to seize imports of goods suspected to be produced by forced labor. However, according to the Associated Press, the agency last used that authority just 39 times due to consumptive demand. Section 910 of the new trade act closes that loophole.

Past Supply Chain Failures

There have been quite a few high-profile manufacturers found to have forced or child labor in their supply chains. Until now, though, companies mostly faced bad press when it occurred, rather than tangible penalties. With the elimination of the “consumptive demand” rule, CBP is expected to enforce the law more vigilantly and pursue stiffer penalties for violations.

Nestlé
Famed candy maker Nestlé signed the Harkin-Engel Protocol in 2001, committing to work to end child labor in its cocoa supply chain. The voluntary agreement had few teeth, and in 2005 a human rights attorney sued Nestlé, Cargill and Archer Daniels Midland over the use of forced child labor. A decade later, a report commissioned by Nestlé from the Fair Labor Association found continued use of child labor on farms that supply Nestlé in Ivory Coast. The company has also found that its suppliers in Thailand use forced labor.

Apple, Microsoft and Samsung
Cobalt is mined with child labor in the Democratic Republic of Congo (DRC) and is a critical material in the manufacture of electronic components used in products made by Apple, Microsoft and Samsung. A recent Amnesty International report identified that while these companies have policies in place that prohibit the use of child and forced labor, these companies are not fully aware if products further down their supply chain are or are not compliant.


Walmart and Wrangler
Probably the most widely known child labor issues relate to clothing production. In a 2013 CBS News investigation following several tragic workplace disasters, facilities in Bangladesh that supply Walmart and Wrangler were found to have unsafe working conditions and child labor. Both companies moved to resolve the issue on discovery and to ban the supplier in question. The issue could recur, however, because factories may trade manufacturing orders among themselves without notifying the end customer.

How Can You Protect Yourself?

Companies seeking to protect their critical information and avoid data breaches must be aware of the cybersecurity of all of their suppliers along their supply chain. The same will be true for companies who need to protect themselves from violations of the new trade law. Thorough supply chain mapping of both direct and indirect suppliers will be important to ensuring that companies are not unintentionally using a supplier that sells their manufacturing contract to the neighbor across the street who isn’t following the rules, or using a supplier that’s not really checking the age of the workers that are harvesting its cocoa.

Once upon a time ignorance could be used as an excuse, but in this day of information and 24/7 news coverage, taking the time and making an investment to do a little proactive investigation can save your company money and brand reputation in the long run.

Securing the Internet of Things (IoT)


We live in an increasingly connected world. More devices, in more ways than we could have imagined even a few years ago, connect to the Internet. Some 5.5 million new devices are expected to go online daily in 2016, 30 percent more than in 2015. These gadgets include not only smartphones, but fitness trackers, keyless door locks, urban traffic monitors, washing machines, and cars.

This growing internet connectivity also presents more opportunities for cybersecurity breaches. Just as our world moves online, so do risks. A hacker in possession of a stranger’s personal smartphone could steal one person’s bank information — and also commit industrial espionage if that small phone also links to a larger workplace network. One entry into a cloud server could snag information from thousands of consumers — or offices.

Workplace Security

Every office these days likely has at least one employee who wears a Fitbit or some other tracker that sends location and other information to a network. Even if you password protect your building network, your employees might use their passwords to login via their personal smartphones. These are all machines that your business is not protecting, nor protecting its network from.

One recent study of IT professionals found that 73 percent of them expect to suffer a data breach tied to an employee’s connected device, and almost as many say the manufacturers of these devices don’t offer enough security protection. Does your company have a smartphone access policy? Do you know who is connecting? If you don’t, you could be opening yourself to major security breaches. Your employees could also open up opportunities for theft of your proprietary information from their phone.

Some firms increase their vulnerability by having employees use personal phones for work or allow work machines to become essentially the employee’s personal devices. This also blurs lines about what information gets locked down, and what could unintentionally–or intentionally–come under cyberattack.

Even light bulbs may come into play. Home-based services link smart bulbs to phones and laptops for control–dim the lights for living room movie night. Or, in the case of an office, control all utilities for cost-effectiveness. Building security can go online, instead of utilizing a traditional closed circuit system. Experts expect this workplace-based IoT market to grow rapidly this year.

Manufacturing firms have machines connected to the Internet that can signal staff about mechanical problems that could impact production. But how safe is the hardware and the software that connects those machines to a business network? Who are the installation techs who have access to your network, but possibly have not undergone as stringent a background check as your employees? Risk comes from human, hardware and software elements.

“Last year, a hacker took control of the thermostats, lights, TVs and window blinds in all 250-plus rooms of a hotel in Shenzhen, China, after discovering a vulnerability in the hotel’s ‘butler’ mobile application that allows guests to control these settings with their smartphones and tablets,” as Dell’s Power More publication notes.

Whether a hacker breaches a server by a company-owned desktop or via an employee smartphone doesn’t matter — what matters is the stolen information. This is bad for business, and it could also be illegal. Businesses that don’t take precautions to lock down their networks and intellectual property could be vulnerable to legal action. Companies with overseas ties are also subject to strict laws that protect data from abroad even if that information merely passes through a foreign server.

Banning IoT devices risks angering employees and even worse, letting your business fall behind the times on technology. However, you can take steps to assess the risk your business faces from these devices, create company-wide usage policies, and educate everyone from the boardroom to the janitors, as well as outside vendors who might need access to your network.

This takes time and effort, of course. But better a little precaution now, rather than a multi-million dollar loss and lawsuits later.

CISOs Must Change With the Times

In years past, the Chief Information Security Officer (CISO) role focused on IT needs and internal security. Many CISOs only influenced their own departments, according to the Computer Business Review. They had to wheedle funds from within their organizations. They reported directly to CIOs or CEOs, but were not involved in any Board interaction.

Today, CISOs face changing technology developments and security requirements, as well as a growing awareness outside of IT departments that these needs are so intrinsic to the performance of any company that the CISO must be a partner in company-wide decision-making processes.

CISOs are increasingly called upon to serve as a bridge between tech rooms and the board room. Just as workplace dependence on technology increases, so does the need for buy-in at all levels to understand threats, how to mitigate them, and how to bring departments together to do so. In the coming years, we’ll see more CISOs in the board room, sitting at the table with major decision makers to ensure risk assessment and other technology needs are considered with every business move.

This also calls on CISOs to embrace more “soft skills.” Think business school instead of engineering school — the ability to translate tech-speak into broadly understood needs and goals, and the business savvy to see them implemented company-wide.

This is how security leaders themselves see their future. “The role of the CISO today now requires new skills such as business acumen, risk management, innovation, creating human networks, and building cross-organizational relationships,” writes Bill Bonney, a CISO and security analyst, on a series of LinkedIn posts.

Bonney’s dual roles highlight the other change in the CISO job description. As Katz told the magazine, “In the next five to ten years, it will become two roles – the technology expert and the information risk expert.”

Monitoring PCs and other company-issued devices, and non-company-issued ones, has become just one part of the CISO’s role. As more workplace technology shifts outside direct control, to cloud data storage, third-party software contracts and employees’ own devices that blur the line between personal and business use, the job description has been rewritten. The stakes are higher and the risk keeps growing, as more and more information moves online.

Mike Kalac, the CISO of Western Union, told one industry blogger:

“The most important thing to understand is not technology, it’s risk management. Security is not a binary function… we aren’t ‘secure’. We have a spectrum of risks that we will manage to the best of our abilities.”

Nothing can be 100 percent secure, he notes, and some firms will decide to accept certain risks for the sake of their specific business needs.

But making those decisions increasingly means having a trusted CISO who can navigate the management waters and the boardroom as well as they manage IT offices.

How DFARS Impacts Your Business

What do the new DoD DFARS (Defense Federal Acquisition Regulation Supplement) subpart 204.73 rules mean for contractors?

If you contract with the DoD, or work with a firm that contracts for the DoD, it’s vital to understand the security of every part of your network, whether it’s a laptop in your office or a server half a country away.

The rules essentially require contractors to understand every link in the data chain, including second- and third-tier suppliers and any that provide cloud storage. If there is a violation, the prime contractor is held responsible for leaks a subcontractor contributed to. The chain also covers the connections between the cloud and whatever ultimately links to the DoD, as well as the employees of any subcontractor or supplier, so that no one with access to your information through the cloud can break the security chain.

“The biggest thing your company needs to do is have an assessment done as soon as possible,” says the Association of Procurement Technical Assistance Centers’ blog.

Alexander W. Major, an associate in the Government Contracts, Investigations & International Trade Practice Group, writing in The National Law Journal, agrees:

“Contractors and subcontractors have been drafted into a fight to secure and defend their country’s data from the looming threats of cyber criminals and cyber-terrorists. All contractors need to plan accordingly – IN ADVANCE OF AGREEING TO GOVERNMENT REQUIREMENTS [capitalization Major’s]– if they expect to do business in accordance with the regulations being imposed by all executive agencies.”

Contractors also carry the burden of understanding exactly which government rules apply to them. As law firm Holland & Knight explains, regulations from different agencies can be contradictory:

“That data could be subject to one standard under a DoD contract and another standard under a civilian agency contract. Accordingly, there is no one-size-fits-all process for determining what cybersecurity compliance will look like for government contractors. At this point, a contractor may want to determine the most stringent controls potentially applicable to its mix of contracts and types of information and measure the adequacy of its information assurance systems against that standard.”

Proving this point, NextGov.com notes that the Office of Management and Budget is also working on its own security rules, which were opened for public comment and will apply in addition to, but likely dovetail with, DoD requirements.

In sum: Figure out which rules are the most stringent when it comes to your business, and follow those, all the way through to the lowest-tier supplier.

Businesses will also need to explain how they will track any “spillage,” notes another law review article. That means contractors will need to have plans in place on how to deal with problems well before they arise.

Ideally, your firm will have a solid grasp of all the regulations that apply to your business, and abide by the most stringent ones in order to ensure that you’re fully compliant.

It’s not easy to track every potential risk to your information so that you can accurately report those details should the DoD come calling. But now, it’s more vital than ever to know the answers. Your business depends on it.

How Safe Is Your Cloud?

Knowing the answer, down to the most obscure-seeming data point, could be the difference between successfully navigating government contracting, and closing up shop.

New rules rolled out at the end of August codify the Department of Defense’s cybersecurity policy, including the responsibilities of DoD contractors and subcontractors when it comes to information security. The new “interim rule” pulls together some requirements already scattered through other acts and memorandums, but adds some new items.

And in early October, the federal government made it clear that these are not voluntary regulations, but instead requirements for doing business, according to The National Law Review.

Some 10,000 businesses will be impacted by the changes, according to NextGov.com.

The Small Print (Some of It)

Data breaches have become such a major concern that the DoD cited “urgent and compelling reasons” for issuing the new rules without public comment, effective immediately. Likely weighing heavily on their minds was an alleged Russian spear phishing attack against the Pentagon just weeks before the August announcement.

Ultimately, the issuances demand a closer examination of data security and resources along every step of a defense contractor’s supply chain.

Essentially, contractors must report any incident that impacts “covered defense information (CDI), a covered contractor information system (a federal contractor’s information system that handles CDI), or on a contractor’s ability to provide operationally critical support” according to one trade organization. In return, the DoD promises to protect proprietary information on behalf of the contractors should they need to investigate.

The Government Contracts, Investigations and International Trade blog from the law firm of Sheppard Mullin lays out the changes in great detail. It’s worth reading the entire post. Some of the highlights:

  • The DoD has expanded the definitions of the unclassified information that, if involved in a potential “incident,” contractors are obligated to report.
  • The burden of following the new rules falls on contractors. Those who cannot follow a requirement will have to show why it is impossible or inapplicable.
  • Contractors must report whether their work uses cloud computing, and the rule supplies contract wording for doing so.

Additionally, all cloud computing facilities must be located in the U.S., another law journal post notes, and firms must be able to explain how they will track everything and work with the DoD should the worst happen.

Businesses have 72 hours to report any breaches — the clock starts as soon as the problem is discovered — and reporting happens via a DoD website. Law firm Holland & Knight reports that it’s up to the contractor to investigate the scope, as well as the circumstances while the DoD reserves the right to dive into systems to check the breaches themselves.

And if you think there is wiggle room because you may be a small business with only a handful of employees? Think again–there are no exceptions for small businesses.

 

Is Your Home Security System Actually Secure?

The news shocked the car and tech industries: Two hackers accessed the control systems inside a Jeep Cherokee — and they weren’t anywhere near the driver’s seat.

Using a vulnerability they found in the SUV’s WiFi-enabled control system that utilized a cellular connection via Sprint, the hackers were able to control almost everything from the brakes and steering to the door locks, according to a report released this July. They could potentially override a driver from some 70 miles away.

Fiat Chrysler recalled well over 1 million vehicles due to the findings. Part of the problem was that the company had no way to push a fix to the vehicles remotely, so the patch had to be delivered through a recall.

The Internet of Things is everywhere, from our kitchens to our backpacks to our garages. And yet, as the technology develops, so do potentially dangerous security holes, and it’s not limited to hacking a single machine — some of these connected devices could potentially put a whole network at risk.

This summer, several agencies have banded together to create best practices to help both manufacturers and customers navigate this new arena of growth and risk.

The Online Trust Alliance (OTA) Internet of Things (IoT) Working Group that includes ADT, Microsoft, Symantec, TRUSTe and Verisign released a framework for security for IoT connected devices that aims to encourage companies to share security information and best practices as well as a code of conduct, and create criteria by which firms should judge security.

“We’re focusing on three pillars,” Craig Spiezle, OTA’s executive director and president said earlier this year. “Privacy, security and sustainability. By sustainability, we mean lifecycle issues beyond the traditional product warranty. Such as, how will it be patched? What happens if the company is no longer in business?”

As an example of this, two other researchers found that the high-end Tesla cars shipped with an outdated browser carrying a known vulnerability. Who is responsible for the patch? And what would happen if Tesla went out of business?

Providers, Spiezle says, “must look at security and privacy simultaneously. Second, they need to look at the flow of data and touch points, and hold their partners and service providers accountable.”

It’s not enough, in other words, to monitor product development. Companies also need to monitor the development and assessments of all their vendors.

Bob Wang, founder and CEO of the company that makes the Instant Pot table-top electronic pressure cooker, recently released a Bluetooth-enabled model that lets a mobile device “talk” to the cooker and program basic heating and cooling steps. Some have questioned how useful the Bluetooth link is, and WiFi connectivity may have more potential. But WiFi capability rushed to market could open a hole that gives an attacker access to the homeowner’s network, and to every device on it, Wang says. Or worse, let attackers worm into the Instant Pot servers and potentially into every home connected to them.

And that’s just for one piece of equipment, in a relative handful of homes, that takes up less space than most microwaves. Multiply that potential out to almost every home tool or appliance, from keyless locks to refrigerators that Tweet, and the future may seem exciting — and petrifying — without some kind of protocol or safety net.

The formal IoT framework should be finalized around mid-November.

How Even the Smallest Microchip Can Be A Supply Chain Vulnerability

Globalstar’s Simplex satellite network has become a leader in tracking and communications uplinks. Many organizations use Globalstar products to monitor assets in remote locations, from military personnel abroad in the field to cargo trucks traveling cross-country.

So when a researcher at the Black Hat cybersecurity conference reported that he could not only hack into and see data on the Globalstar’s Simplex satellite network, but he could upload his own data — that caught a lot of attention.

Colby Moore, of the network security company Synack, says with about $1,000 worth of equipment he was able to access the Simplex system, as the company’s STX3 transmitter doesn’t encrypt the data before it sends it.

Globalstar says that most of its business comes from small satellite phones, both mobile and stationary, in remote areas. But its technology is also used in trackers on cargo shipments and trucks. Hacking the system, as Moore says he was able to do, offers the frightening potential to track a cargo or military shipment, and to upload misleading information about it.

Imagine a terror scenario in which someone tracks a shipment of military hardware and then uploads data so the government believes the truck is inbound when in fact it has been taken. The same could happen with a drug cartel tampering with a food shipment to sneak illegal substances across the border.

Besides the ability for adversaries to see where assets may be located, if they can change what you see, the threat becomes so broad it is much more difficult to respond effectively.
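The two halves of that threat, reading positions and forging them, come from the same root cause: the transmitter sends plaintext with nothing a receiver can check. The following is an added example of mine, not Globalstar’s protocol and not from the original article, that makes the forgery concrete and shows the minimum a receiver needs to reject it. It uses a made-up frame layout, a truncated HMAC-SHA256 tag and a per-device sequence number; the key and device id are assumptions. A keyed MAC only gives authenticity, so a link that must also keep positions secret would additionally encrypt the frame.

```python
"""Authenticated tracking beacons: a plaintext, unauthenticated uplink lets an
attacker both read and forge positions; a keyed MAC plus a sequence number
blocks forgery and replay.

Added example; it is not Globalstar's protocol. The frame layout, 8-byte tag,
key and device id below are assumptions for illustration. HMAC provides
authenticity, not secrecy: a confidential link would also encrypt the frame.
"""
import hashlib
import hmac
import struct

FRAME_FMT = ">IIff"                 # device id, sequence number, latitude, longitude
FRAME_LEN = struct.calcsize(FRAME_FMT)
TAG_LEN = 8                         # truncated HMAC-SHA256, to save uplink bytes


def encode_beacon(device_id: int, seq: int, lat: float, lon: float) -> bytes:
    return struct.pack(FRAME_FMT, device_id, seq, lat, lon)


def decode_unauthenticated(frame: bytes) -> dict:
    """What a receiver does when the link carries no authentication at all."""
    device_id, seq, lat, lon = struct.unpack(FRAME_FMT, frame[:FRAME_LEN])
    return {"device_id": device_id, "seq": seq, "lat": lat, "lon": lon}


def sign_beacon(key: bytes, frame: bytes) -> bytes:
    """Append a truncated HMAC tag computed over the whole frame."""
    tag = hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]
    return frame + tag


class AuthenticatingReceiver:
    """Accepts a frame only if its tag verifies and its sequence number is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}          # device id -> highest sequence number accepted

    def accept(self, signed: bytes):
        if len(signed) != FRAME_LEN + TAG_LEN:
            return None
        frame, tag = signed[:FRAME_LEN], signed[FRAME_LEN:]
        expected = hmac.new(self.key, frame, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                       # forged or corrupted
        beacon = decode_unauthenticated(frame)
        if beacon["seq"] <= self.last_seq.get(beacon["device_id"], -1):
            return None                       # replay of an older frame
        self.last_seq[beacon["device_id"]] = beacon["seq"]
        return beacon


# Constructed scenario: a tracked truck reports its position; an attacker who
# can see the air interface tries to move it somewhere else and to replay it.
KEY = b"per-device-key-provisioned-out-of-band"   # assumption, not a real key


def demo() -> dict:
    genuine = encode_beacon(0x1234, 7, 38.9, -77.0)
    forged = encode_beacon(0x1234, 7, 38.9, -90.0)      # same id, longitude altered
    observed_tag = sign_beacon(KEY, genuine)[FRAME_LEN:]  # tag the attacker saw on air
    rx = AuthenticatingReceiver(KEY)
    return {
        "plaintext_link_accepts_forgery": decode_unauthenticated(forged)["lon"] < -89,
        "authenticated_genuine": rx.accept(sign_beacon(KEY, genuine)) is not None,
        "authenticated_replay": rx.accept(sign_beacon(KEY, genuine)) is None,
        "authenticated_forgery": rx.accept(forged + observed_tag) is None,
        "authenticated_next": rx.accept(
            sign_beacon(KEY, encode_beacon(0x1234, 8, 38.95, -77.02))) is not None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:32s} {result}")
```

Note what the sequence number does and does not buy: it stops an old genuine frame from being replayed, but an attacker who can suppress the uplink can still make the asset go silent, so the receiving side also needs a missed-beacon alarm.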

Moore’s research has touched off a controversy that has pitted security experts against each other, with some demanding more proof that Globalstar’s security protocols are adequate and others seeing the work as a worst-case example of a connected world that is not protected nearly enough.

Globalstar has fiercely defended the security of the network and data. Leaders point to all of the good work it has done, including a touching story of the connection a soldier in a remote location made with his family back home.

The company has also countered that it is continuously updating its security. For larger purposes, such as major cargo or government needs, Chairman and CEO Jay Monroe says that those agencies add their own layers of security as well.

“Globalstar is, in the simplex world, a purveyor of a little piece of end technology that someone builds into something else that they want to do,” he told Satellite Today. “So, if they are going to be tracking nuclear waste for the federal government, you can be very certain that that signal is encrypted.”

Of course, that puts more pressure on agencies that handle sensitive materials such as nuclear waste to make sure they understand any potential risks involved with all of the equipment they’re using, down to the smallest tracking chip — and that the agencies are doing their best to mitigate those risks, including establishing their own risk assessments, vendor vetting, and security protocols.

A Summer Season of Spear Phishing

Spear phishing: A cyber attack typically sent via an email message that appears to come from a trusted source and requests that the victim take some kind of action. The actual attack might be hidden in Web links in the email or in an attachment, and the sender likely knows enough about the intended target to fake messages that seem more real than spam. The goal: Collect personal information or information about an agency.

If this scenario sounds familiar, it should — these kinds of scams have been around for more than a decade. The FBI has been warning the public since at least 2009.

Presumably, savvy users — and savvy offices — have protections in place. But just as technology has improved, so have the techniques of nefarious actors. And no one is safe — not when the U.S. is accusing Russia and China of separately hacking major federal government installations, including the White House, the State Department and the Pentagon — all of which occurred just this year, the most recent a few weeks ago.

For the first set of attacks, experts told CNN they believed that the scammers obtained access to the account of someone in the State Department. That was enough to gain a foothold to send seemingly trusted emails to others in the government, and start seeding the attack. The breach was apparently discovered when the White House picked up on strange activity in a network that wasn’t classified, and codes seemed to tie the problem, via several servers, back to Russian hackers working for the government there.

The Pentagon shut down the entire email and Internet of their unclassified system for about two weeks in July, after that email system was hacked. NBC News reported that Russia was the likely culprit. There’s also been reports of terrorists, such as ISIS, using sophisticated spear phishing attacks against Syrian interests — and fears that energy providers globally may be next.

This is an example of a convergence of insider and outsider threats. An insider threat, accidental or malicious, is someone inside your organization who knowingly or unknowingly reveals information that can be used to attack your business; an outsider threat is an attack launched from outside it. In these spear phishing cases, an insider releases information, often unknowingly, that outsiders then use to lure others into an email trap.

The fix for this isn’t easy. It’s no longer enough to simply look for obvious scam notices from a Prince of Nigeria, or to warn employees not to click links or open attachments in unexpected emails. Staff need to understand what they’re facing, what precautions they should take, and what to look for. It’s vital to understand the ties every vendor has, no matter how innocuous the person, the job, or their associations may seem. One person, with one page from an employee’s personnel file that was tossed in the trash, has the potential to throw a phishing line into your whole system.
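Training people to spot a forged sender is easier when the mail gateway has already flagged the usual tricks. The following is an added example of mine, not from the original article and not any product’s code: it runs three header checks over a constructed message pair, a lookalike sender domain (confusable letters or one character off from a trusted domain), a display name that embeds a different address than the real one, and a Reply-To pointing somewhere else. The trusted domain `state.example.gov` and both messages are hypothetical; checks like these complement SPF, DKIM and DMARC rather than replace them.

```python
"""Header checks for the lookalike-sender pattern spear phishing relies on.

Added example; the messages below are constructed and the trusted domain
state.example.gov is hypothetical. These checks complement, not replace,
SPF/DKIM/DMARC and user training.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"state.example.gov"}     # assumption: the organisation's own domains

# Character substitutions attackers use so a domain passes a quick visual check.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def skeleton(domain: str) -> str:
    """Collapse confusable sequences so visually similar domains compare equal."""
    out = domain.lower()
    for lookalike, real in CONFUSABLES:
        out = out.replace(lookalike, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from a trusted domain is a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    return any(skeleton(domain) == skeleton(t) or edit_distance(domain, t) == 1
               for t in TRUSTED_DOMAINS)


def analyze(raw_message: str) -> list:
    """Return the names of the checks a message trips (empty list means clean)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []
    if is_lookalike(from_domain):
        findings.append("lookalike_from_domain")
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", name)   # an address hidden in the display name
    if embedded and embedded.group(1).lower() != from_domain:
        findings.append("display_name_address_mismatch")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply_to_domain_mismatch")
    return findings


# Constructed messages; neither is a real email.
LEGITIMATE = """\
From: Jane Doe <jane.doe@state.example.gov>
To: bob@state.example.gov
Subject: Q3 travel approvals

Attached as discussed.
"""

SUSPICIOUS = """\
From: "Jane Doe (jane.doe@state.example.gov)" <jane.doe@state.exarnple.gov>
Reply-To: <documents@file-share-portal.example>
To: bob@state.example.gov
Subject: Updated clearance forms - action required

Please review the attached and sign in to confirm.
"""

if __name__ == "__main__":
    print("legitimate:", analyze(LEGITIMATE))
    print("suspicious:", analyze(SUSPICIOUS))
```

The confusable table is deliberately short; a production filter would use a full confusables list and the organisation’s real domain inventory, and would treat a hit as a reason to quarantine or tag the message, not as proof on its own.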