News broke earlier today that Britain’s parliament was hit by a “sustained and determined” cyber attack designed to identify weak email passwords. The House of Commons said it was working with the National Cyber Security Centre to defend parliament’s network and was confident it had protected all accounts and systems. IT security experts commented below.
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies:
.
“The UK National Cyber Security Centre are quantifying the extent of the breach at this stage and taking precautionary measures to limit any further impact to parliament computer systems. This should serve as a red light to all organisations, it’s not a matter of ‘if’ but ‘when’ a breach may happen. It isn’t good enough to prepare for this type of event on paper, instead an organisation should prepare by regularly simulating incidents in order to put their response procedures into practice”
Andrew Clarke, UK Director at One Identity:
“We have to be careful in over-hyping events seen to be occurring this weekend with a so-called cyber attack on UK Parliament. It appears that the parliament IT team have done a good job in closing down access to their email systems – this would serve to protect them until the nature of the intrusion is understood. This may be inconvenient for MP’s wishing to access emails over the weekend, but we should acknowledge the pro-active response taken here is actually protecting their environment. With the news that last week, email addresses and passwords of various officials including members of parliament was up for sale would have made the IT team more cautious and watchful for any suspicious activities. Even before this news, I am sure that “hackers” tried to circumvent security controls for what would be seen as a prestigious hack. Nevertheless, with the publicity exposing the password haul, and its availability for sale, it is no surprise that someone has tried to take advantage.
“The key problem is that many of the passwords that have been exposed through external social media sites are the same passwords used for every day duties. This would contravene best practice and guidance published by the National Cyber Security Center (NCSC). One way in which government organisations can overcome the password reuse issue is by introducing Multi-factor Authentication (MFA). To access a system, the user has to not only provide the password but also the 2nd factor – which may be for example a code that has been sent via SMS to a trusted device. If passwords need to be used, then a Password Manager tool would help on a number of fronts. Firstly, it would help re-enforce organisational policies and data security standards – the department could ensure that sensible choices for a password are taken – and if a password is tried unsuccessfully then the system access is actually locked out. Associated with such a tool is a series of profile questions that empower the user to reset their own passwords by asking personalised questions to which the user has predetermined the answers. By taking this step to implement this type of control they are even able to realise a return-on-investment very quickly as it is simple to setup and simple to use – and as well as improving security cuts down on administrative overhead.”
Anurag Kahol, CTO at Bitglass:
“Since the UK Parliament disabled email access for even legitimate users, these attackers have effectively achieved a denial of service attack. Strong authentication policies, including multifactor authentication, combined with user behavior analytics not only within applications, but across applications, could have prevented the need to block users from being able to access work applications. This holds especially true for cloud based applications which, by definition, are available from any device, anywhere.”
Ravi Pather, UK Director at Eperi:
“We have to assume that the hackers will be successful if not today but tomorrow or the next day. The real question therefore is are these Houses of Parliament systems including email applications protecting its sensitive data itself.. ? After all, this is what they are after..
“‘Sustained and determined’ cyber-attack by hackers means the hackers have some access to your username and password credentials and use this to try and access IT systems and Emails. It’s been separately reported that UK MP’s user credentials were on sale in Russian criminal websites suggesting this may have been previously obtained.
“Recent NHS ‘Ransomware’ attacks is different but is generally also referred to as Cyber security attacks. This means attackers gain access to your IT systems and networks and then encrypt data making it unusable, asking for a ransom before this data is de-crypted, if they indeed do this.
“Back to the Parliament systems cyber security and the sustained and determined attack being experienced.. This is a bit like the hackers trying to break into your front door by trying to pick your front door locks.. Yesteryears, IT security was focused on implementing security systems, such as ‘two factor authentication’ and ‘access and identity management’ systems, to prevent this type of attack. It’s like making sure the locks and front door had good security systems preventing entry.
“In a modern day IT architecture you need multiple levels of both IT security as well as Data security. You have to believe that not only can attackers come through the front door but that they can also access your data via other points of entry and access. This is a fact given modern day distributed cloud architectures.
“We just hope that the Houses of Parliament do have these more modern day ‘data protection’ systems as well. In other words what if the attackers do gain entry via breaking in via user passwords, will they have easy open access to the data in email and other systems that contain sensitive data. HR, expenses, accounts, sensitive parliamentary data? Also, lets not believe just ‘data at rest’ encryption systems are enough – it’s a start but we have to be protecting this sensitive data through its entire life cycle. ‘Data in motion’, ‘ data in use’ and ‘data at rest.’
“We just hope that the Houses of Parliament has this next level of more advanced and modern data protection systems installed as well. If not, then we do have a very serious issue of gaining access to email and other systems that use and store sensitive data.
“The question is also where are the email systems storing this email data. Is it an on-premise email or a cloud based mail system where this email maybe stored on a cloud based service. Then is this data encrypted throughout its entire lifecycle? Modern day data encryption solutions will protect the sensitive data itself even through out its entire lifecycle even if it is based on modern day distributed cloud based architectures.”
Spencer Young, RVP EMEA at Imperva:
“While we aren’t sure exactly what caused the issue, it appears there are concerns that Members of Parliament’s email credentials and passwords have been compromised.
Passwords continue to be an Achilles Heel in the fight against cybercrime as improper user behaviour – such as weak passwords or use of the same password across different sites continues.
What’s disturbing, aside from the doubtless potential for high levels of confidentiality within emails emanating from the House, is that there are simple, effective methods such as two-factor authentication, and TLS Client Authentication which have been shown to be extremely secure, yet usability issues have hampered adoption. This is an outcome of a continual lack of understanding and investment from Government in security strategies that enterprise Britain adopts as standard operating procedures. This attack was unfortunately always a matter of time.”
James Romer, Chief Security Architect – EMEA at SecureAuth Corporation:
“It’s worrying that members of our parliament do not seem to be clued up on the security risks of weak passwords. The hackers specifically probed for those who were not following government protocol, and only updating passwords by simply varying letters and numbers. This leaves the door wide open for hackers. Individuals, especially those in governmental positions, need to have security more front of mind and realise that even the most minute security weakness can be exploited to gain access.
“Liam Fox, International trade secretary, hit the nail on the head by saying, “warning to everyone, we need more security and better passwords”. The way organisations approach authentication and securing credentials needs to be rethought. Simple two-factor authentication is no longer enough to safeguard against today’s attacks. It is important to deliver a form of authentication which feels low effort for the user yet has enhanced layers of protection working in the background. Adaptive access control techniques and identity based detection work invisibly to the user but work to protect, detect, and ultimately remediate attacks essentially rendering stolen credentials useless.”
John Gunn, CMO at VASCO Data Security:
“It is an interesting paradox that more mature users tend to have access to the most valuable assets and the least awareness of modern cybersecurity practices – another argument in favor of abandoning the outdated use of passwords for modern biometric authentication techniques.”
Adam Laub, Senior VP of Product Marketing at STEALTHbits Technologies:
“To keep an attack like this from occurring in the future, it would be interesting and pertinent to first understand the definition of “weak” in this context. Were the passwords simply not complex enough? Or is it that the passwords being used were common passwords that were already known to an attacker through the use of something like a password dictionary? While both are “weak”, the fix is different and the potential burden on the user will vary. Arguably, both are important problems to fix, but using well known passwords is almost as useful as no password at all.
“It’s also no surprise that email was the prime target in this and many attacks, but perhaps for a different reason than one might think. While the body content of an email and the conversations themselves have their own distinct value, email quietly maintains a high ranking position as one of the largest file repositories within any organization. The amount of files contained within email inboxes is staggering. It’s also a given that a substantial portion of those files will contain sensitive information that could be just as (if not more) damning as the off-color comment that accompanied it in its initial delivery.”
Csaba Krasznay, PhD, Product Evangelist at Balabit:
“This cyberattack might have been considered as a high risk incident by U.K. Government, as full shutdown of the affected services is highly unusual. In such cases, incident management experts collect all evidence that can reveal the impact of the attack and as this seems to be a national security issue, they can also provide information to attribute the potential attacker. Centrally-collected logs or more detailed forensics information is used as a base for incident investigation from the technical perspective, but as the U.K. has one of the most professional secret services, we can be sure that they also try to collect as much information as they can from human sources.
“Nevertheless, we should pay attention to one remarkable part of this story: MPs all over the world use other e-mail addresses as well. Who will protect their Gmail accounts from such phishing attacks? Cyber espionage is not someone else’s problem anymore, they should understand the risks and countermeasures as well.”
Richard Parris, CEO at Intercede:
“It’s one thing for a business or consumer to be hacked, but the UK Parliament? The past few years have seen company after company hacked at the hands of opportunistic cyber criminals, and it’s no surprise that they’ve now moved on to legislative bodies and government departments. Why? Because we’re making it too easy for them. Cyber criminals don’t have to be geniuses, particularly when we continue to use outdated, insecure forms of security such as usernames and passwords to protect our nation’s secrets.
“The sustained hack on the UK Parliament should be a wake-up call for all organisations and enterprises that continue to use passwords as the first point for securing systems. When it becomes a question of national security, we need to think about the people and systems we’re counting on for protection. Legacy systems need to be updated, appropriate funding needs to be allocated and users need to be educated on best practice so that any holes can be plugged. More importantly, government needs to be looking at more robust methods of security – strong authentication – that incorporate three distinct elements. These are possession (something you have, such as a smartphone), knowledge (something you know, such as a PIN) and inherence (something you are, such as a fingerprint or an iris scan).
This type of security method is much more robust, and verifies that the person accessing the service is who they say they are. Strong user authentication is already best practice in Germany and across the executive branch of the US government, protecting critical national infrastructure. This level of security will also be required for the upcoming PSD2 initiative for EU payments, and is implied under GDPR. The UK government needs to be more proactive in following best practice to protect national and individual privacy, including MP, constituency and constituent data.
“Consumers are already losing confidence in businesses that continue to play fast and loose with their data. The UK government should be learning from the private sector’s mistakes; the repercussions and backlash could be far more severe and difficult to come back from if warnings are not heeded.”
Javvad Malik, Security Advocate at AlienVault:
“Nearly every aspect of modern life has reliance on digital systems, be that the government, banking, healthcare, or any aspect of personal lives. It is therefore of utmost importance that organisations invest in appropriate security controls to ensure threats can be quickly detected and responded to, so as to ensure ongoing business resilience.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.