To protect a political campaign, re-read the Mueller Report

SAN FRANCISCO—Whether you’re Democrat, Republican, Green, Libertarian, or Pastafarian, if you’re running (and thus trying to protect from hacking) a political campaign in 2020, the Mueller Report should be required reading.

That’s the advice of Arkadiy Tetelman, the head of application and infrastructure security at online bank Chime, who presented on what political campaigns can learn from former Special Counsel Robert Mueller’s investigation at the B-Sides San Francisco conference here Sunday.

“It’s pretty easy to sit here and judge the DNC, but realistically, few organizations can defend against a nation state,” Tetelman warns.

Nevertheless, he says campaigns should employ three techniques to reduce some of the risks—including public embarrassment—of hackers gaining access to sensitive campaign information.

First, Tetelman says, campaigns should set up two-factor authentication on all their accounts. Had the Clinton campaign secured its Gmail accounts with 2FA, the spear-phishing attack against John Podesta, Clinton’s campaign manager, would likely have been thwarted. Instead, Podesta’s assistant forwarded a phishing message to the Clinton campaign IT department, and the person who responded claims to have sent Podesta a typo when advising him to change his account password.

An email included in the Mueller Report from Charles Delavan, an IT administrator for the Clinton campaign, to Sara Latham, Podesta’s assistant, stated that the phishing email Podesta received was “legitimate” (rather than the intended “illegitimate”). Regardless of this apparent blunder, if Podesta had set up 2FA, a hacker possessing his email password could have accessed his account only after also gaining access to the separate device he’d set up to receive or generate one-time-use access codes.

Second, Tetelman recommends that campaigns invest in end-point monitoring, which means keeping an eye on devices connected to the campaign’s network. This includes monitoring whether a device is connected to the network, what it’s doing when it’s connected to the network, what software is installed on the device, who is authorized to use the device, and whether the device has been authorized to do the activities that it’s doing on the network.

Even if hackers succeed in accessing a network through phishing attacks, end-point monitoring can help catch their activity before they can steal much data.

Third, he says campaigns have to adopt the practice of “least privilege.” That’s when network administrators restrict account holders by giving them access only to the resources that they absolutely need in order to do their jobs. Most people encounter least privilege as a restriction on their work computer or phone that prevents them from installing new software and apps without special permission. They might also encounter it in using work software and apps, and systems and devices, that have restricted functions or access. A campaign volunteer in a remote location probably doesn’t need access to Bernie Sanders’ personal calendar or his phone’s GPS location, for example.

And as a bonus, Tetelman admonishes that network administrators absolutely, positively, must set up an alert for Mimikatz, a powerful computer security tool that malicious hackers and computer system penetration testers alike have used to steal account credentials and escalate system privileges.

Awareness of “Mimikatz has done more to advance security than any other tool I can think of,” Jake Williams, founder of security-testing company Rendition Infosec, told Wired. Mimikatz has been involved in some of the biggest hacks of the past decade, including the use of NotPetya ransomware,  multimillion-dollar heists by the Carbanak gang, a Russian breach of German parliament servers, and, yes, the 2016 Russian hacks of Clinton’s campaign, the Democratic National Committee, and Democratic Congressional Campaign Committee.

“These attacks were pretty standard. You see similar things in corporate breaches,” Tetelman says.

While corporate breaches can be expensive, leak highly sensitive data on consumers and business leaders, or ruin reputations, however, a campaign breach can cost a candidate all of those—plus the election.