The Democratic Party candidates have worked very hard to reach this crucial moment in their run for president. It’s not just about rallies or fiery debates: political campaigns have turned into sophisticated, heavily financed data operations. That may also be a cause for alarm, and their downfall.
Candidates manage hundreds of online outreach programs, with thousands of campaign staffers involved. Digital campaign platforms and infrastructure, hurriedly built, are also constantly evolving. The digital content that campaigns deal with includes private or strategic information they hold about supporters, voters, political strategies, foreign affairs, etc.
“These organizations are focused on fast implementation and results, so they often forget a critical piece of the puzzle,” says CyCognito CEO & Co-Founder Rob Gurzeev. “They forget to put a robust security team in place that can monitor the build-up of cloud resources.”
Campaign organizations know they need to work quickly and get to every potential voter before their opponents take over the narrative. That is why, in most cases, they use third-party service providers to become operational as quickly as possible. While these outside firms monitor their own security posture, it is often beyond their scope of responsibility to manage the security of the campaign organization. “Even the most robust security teams are not capable of monitoring IT environments and cloud accounts they don’t know about or don’t control,” says Gurzeev. “And this applies also to some of the world’s most sophisticated commercial companies.”
Attackers pursue the path of least resistance, which leads them to the servers, devices, and cloud assets that campaigns use. These assets are usually unknown and unmanaged by IT and security teams.
CyCognito helps organizations identify and eliminate their most critical IT security risks: those posed by shadow IT. CEO Rob Gurzeev explains: “Without solving this problem – identifying and shoring up the vulnerable channels – it doesn’t matter how many millions of dollars you invest in cybersecurity: attackers will still win.”
Recently, the company discovered that the cloud-based digital content management system of a major US insurance company was exposed to attackers. “Hackers could have infiltrated and added malicious code to the content, and then millions of people who accessed that digital content would have been affected. That, in turn, would have left millions of computers unprotected from hackers that were looking to steal personal information, deploy ransomware or use these computers as part of a bot network. Political campaigns are similar to management systems of this kind, in that they distribute various forms of digital content that reaches millions of Americans through their personal and business devices.”
Just this Friday we learned about Russian efforts to help Bernie Sanders’ presidential campaign. It remains unclear how Russia is attempting to help Sanders, according to The Washington Post, which first reported the effort. “If a foreign entity wanted to ‘help’ one of the candidates,” Gurzeev suggests a likely scenario, “they could launch reconnaissance operations on other candidates’ platforms to then corrupt or shut down their data and management systems.”
Campaign and other organizations usually implement fundamental security measures such as endpoint security, network firewalls, and more; however, in reality, even those who invest heavily in security are breached time and time again.
“Organizations should adopt an attacker’s mentality and keep challenging the campaigns’ IT ecosystem and digital assets. In the past,” Gurzeev says, “it cost millions of dollars in penetration testing and other security assessment services to do that, which is why most organizations didn’t monitor their entire attack surface. However, in recent years, emerging technologies allow organizations to continuously map, monitor, and protect their IT ecosystem based on an attacker’s mindset and methodologies.”
“In a similar way to how Google indexes web pages to produce relevant search results, there is a new breed of security products that map internet-exposed devices, servers, and cloud assets and tie them back to the companies that use them — even if they don’t own or manage them. This helps organizations map their exposed Dropbox, Trello, and GitHub accounts. The new security platforms can then run attack simulations against these assets to identify weaknesses.”
It is critical for every campaign to have a cybersecurity plan in place. “Every campaign must continuously monitor and challenge attack surfaces, including related third-party software and IT service providers. That is the only way to make it harder for attackers to win.”
By Carrie Rubinstein