United Nations’ Computers Breached by Hackers

By ISBuzz Team, Writer, Information Security Buzz | Sep 12, 2021 04:09 am PST

It has been reported that hackers breached the United Nations’ computer networks earlier this year and made off with a trove of data that could be used to target agencies within the intergovernmental organization.

In response to the news, please see below comments from security experts:

13 Responses

  1. The compromise of data from the United Nations is concerning not just because of the potential that it could be used to conduct future cyber attacks, but also because it highlights the continued blind spot organisations can have when using third-party software. The fact that attackers were able to break into a software solution using stolen UN credentials emphasises the importance of getting cyber hygiene right at the highest level.

    Organisations need to have a complete and comprehensive overview of the third-party software they use and ensure that its security configurations are up to the same level as those on their own internal systems. Identity Access Management should stretch across their whole estate, not just their own networks but also all their third-party SaaS software, so that they can have confidence that any data stored in those applications is safe and secure. They should also regularly evaluate the types of data that are stored in these applications and the risk of it being compromised.

  2. The tactically simple but successful cyberattack on the United Nations’ computer networks, now being reported as an ongoing breach with activity occurring for months, accentuates two very clear points. First, that while the impression of hackers is usually of technical geniuses using brilliant attack methods and sophisticated tools to skirt defensive measures, the reality is far from it. A majority of incidents are due to preventable human error or simple methods of attack such as stolen credentials. Second, that cybersecurity isn’t just a personal issue that affects our individual PII and sensitive financial information (though these are key concerns too). It is a matter of national security and potentially affects every single one of us with the repercussions of attacks on national entities. Quite simply, we can’t take cybersecurity and data protection seriously enough, at the personal level, at the organisational level, and at the national/international level.

    For enterprises and other organisations, emphasising a culture of data security from the top down (embraced by leaders and workers alike) goes a long way toward heading off human error and mistakes which could lead to stolen credentials and subsequent breaches. Also, expanding the toolkit of preventative data protection methods is an absolute necessity. Let’s face it—traditional protections just aren’t working, mostly because they focus on the borders around sensitive data and access through those borders. The solution is actually quite simple: protect the data itself! Data-centric methods such as tokenization and format-preserving encryption obfuscate sensitive data elements while retaining data format, making this approach ideal for organisations that want to work with protected data within their workflows without de-protecting that data. No matter who gets hold of the data, it remains protected and cannot be leveraged. We should all be united in a commitment to a world-wide culture of better data security, bolstered by data-centric protection in case the worst-case scenario occurs and threat actors actually access highly sensitive information.

  3. This isn’t the first time the UN has been targeted by the bad actors of the world, and I believe it certainly won’t be the last. As long as operations like the UN refuse to update their systems to plug security holes and implement protections like two-factor authentication, bad actors will continue to feast off of their sensitive data.

  4. The United Nations has one of the biggest breach bullseyes of any organisation in the world on its back from a geopolitical standpoint. What I am somewhat surprised by in this latest breach, however, is that it took place when the attackers used stolen credentials lifted from a dark website.

    The UN is no different than any public or private defender who must improve their training, preparation, and awareness, and the ability to detect malicious activity much earlier to reduce risk. Companies need to build a stronger resilience to malicious activity, ensure that the blast radius of payloads is minimised, and generally use peacetime to foster anti-fragility. It’s about how we adapt and improve every day.

    Given that nation-state-backed organisations often work diligently to obscure their activity and maintain persistence within a targeted organisation’s network, they spend much more time hiding their presence than stealing data, because specific information on any member country of the United Nations can fetch a pretty penny on the Dark Web.

    Overall, there’s no shame in being attacked, and disclosing it properly is laudable. There’s a world of difference between an infrastructure breach where a nation-state, rogue group, or hacktivists get in and an information or material breach that causes damage. This latest news comes close on the heels of the U.S. State Department breach and others like it in 2021. Given this news, the turmoil in Afghanistan, and other hot spots around the world, security teams from NATO and European Union nations need to be on high alert for unusual cyber-related activity against the U.S. government and other allies.


  6. Organizations of all sizes and verticals are continually targeted, so all should take care; in particular, government and other international groups need to be extra vigilant.

    In many cases, relatively simple and known methods are used by criminals to break into organizations, be that taking advantage of weak passwords, unpatched software, or social engineering. A culture of security is important to build so that, beyond the right technologies, the right procedures and awareness amongst employees are present to lower the likelihood that an attack will be successful.

  7. This is a very good example of why passwords as a credential are bad. In this scenario, it is not clear whether the passwords obtained on the dark web were UN-specific or happened to be passwords that a user is re-using to access their UN account. This is why the best thing is to eliminate the use of passwords from as many systems as possible.

    If that is not possible, multi-factor authentication should be implemented for all access. MFA has become easy to implement over the last few years, and it should be the default.

    Lastly, to prevent lateral movement, principles of least privilege must be observed. This means that each person has the minimal level of trust granted for the task at hand. For any escalation of privilege, one should:

    - Look at user behavior in the context of the application, the task, and the user agent/device being used for any deviations from the norm, and
    - Depending on the threshold defined, invoke step-up authentication or re-authentication using different mechanisms than initially deployed.
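
One way the escalation check in response 7 can be expressed in code, added here as an illustration (this is not the commenter's or the UN's code); the baseline profile, weights, thresholds and factor list are assumptions, and the scoring generalises the two bullets to any combination of deviating attributes:

```python
# Added example: risk-based step-up authentication for a privilege escalation.
from dataclasses import dataclass

# Constructed baseline: what is "normal" for this user on this application.
BASELINE = {
    "alice": {
        "apps": {"finance-portal"},
        "tasks": {"view-invoice", "approve-invoice"},
        "devices": {"laptop-7f3a"},
        "user_agents": {"Mozilla/5.0 (Windows NT 10.0)"},
    }
}
# Assumed weights: how much each deviation from the baseline raises the risk.
WEIGHTS = {"app": 3, "task": 2, "device": 4, "user_agent": 1}
STEP_UP_THRESHOLD = 3   # assumed: at or above this, demand a fresh factor
DENY_THRESHOLD = 8      # assumed: at or above this, refuse the escalation
FACTORS = ["security-key", "authenticator-app", "password"]  # assumed, strongest first

@dataclass
class EscalationRequest:
    user: str
    app: str
    task: str
    device: str
    user_agent: str
    initial_factor: str          # mechanism used at login, e.g. "password"
    privileged: bool = False     # does the task raise the user's privilege?

def risk_score(req):
    """Sum the weights of every attribute that deviates from the user's baseline."""
    profile = BASELINE.get(req.user)
    if profile is None:          # unknown user: every attribute counts as a deviation
        return sum(WEIGHTS.values())
    checks = {"app": (req.app, profile["apps"]),
              "task": (req.task, profile["tasks"]),
              "device": (req.device, profile["devices"]),
              "user_agent": (req.user_agent, profile["user_agents"])}
    return sum(WEIGHTS[k] for k, (seen, known) in checks.items() if seen not in known)

def choose_factor(initial_factor):
    # Step-up must use a different mechanism than the one used at login.
    return next(f for f in FACTORS if f != initial_factor)

def decide(req):
    """Return (decision, factor_to_demand, score) for an escalation request."""
    score = risk_score(req)
    if score >= DENY_THRESHOLD:
        return ("deny", None, score)
    if score >= STEP_UP_THRESHOLD or req.privileged:
        return ("step-up", choose_factor(req.initial_factor), score)
    return ("allow", None, score)
```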

  8. Initial access via credentials purchased from the dark web is now becoming standard modus operandi. So much so that we now have Initial Access Brokers (IABs) who specialize in just that and then sell off that access to other entities like ransomware affiliates or state-sponsored groups.

    Usually, organizations are too focused on the perimeter, and once the attacker is inside there is little visibility on-premises and in the cloud. Organizations need to focus on both Endpoint and Network monitoring with a well-defined approach to detection engineering to deal with these types of stealthy attacks.

  9. The fact that a high-value target like the UN wasn’t using two-factor authentication is very worrying, as it could have easily prevented the attack. 2FA would have required the hacker to enter a one-time password sent to the account holder’s authenticator app, phone number, or email (preferably the first one). The report suggests that Umoja moved to Microsoft Azure infrastructure and now supports multi-factor authentication. I sure hope the UN implements it, because cybersecurity experts have strongly recommended 2FA for many years to prevent credential abuse. Even better, they could use physical security keys or even biometric authentication to replace passwords altogether.


  11. Stolen credentials continue to be a significant problem and a primary means of gaining initial access to an organisation. While the best possible situation is to prevent initial access, it’s clear that organisations need to do more to detect the attackers’ activities once they’ve gained an initial foothold. Monitoring systems for unauthorised changes is one way to identify suspicious activities that might fly under the radar of other tools. With the increase in ransomware lately, we’re getting used to attackers announcing themselves in order to ask for a ransom. In this case, the attackers wanted to remain undiscovered, and as a result, had access to the compromised systems for at least 5 months. If all it takes to authenticate into your organisation is a username and password, you’re at risk.
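
A small illustration of the change monitoring response 11 recommends, added here as example code (not from the commenter or the article): a known-good fingerprint of sensitive files is compared with the current state, and any difference not covered by an approved change record is reported. All file contents and the approval list are constructed.

```python
# Added example: flag changes that no approved change record explains.
import hashlib

def fingerprint(files):
    """Map each path to the SHA-256 of its content (the baseline to retain)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def diff_snapshots(baseline, current):
    """Return (added, removed, modified) paths between two fingerprints."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified

def unauthorised_changes(baseline, current, approved):
    """Every change not covered by an approved change record is a finding."""
    added, removed, modified = diff_snapshots(baseline, current)
    findings = []
    for kind, paths in (("added", added), ("removed", removed), ("modified", modified)):
        findings.extend((kind, p) for p in paths if p not in approved)
    return findings

# Constructed known-good snapshot taken right after deployment.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PasswordAuthentication no\nPermitRootLogin no\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
    "/usr/local/bin/backup": b"#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n",
}
# Constructed current state months later: one approved edit to the backup
# script, plus a weakened sshd setting and a new cron job nobody signed off on.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PasswordAuthentication yes\nPermitRootLogin no\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
    "/etc/cron.d/sync": b"*/5 * * * * root /opt/sync/run\n",
    "/usr/local/bin/backup": b"#!/bin/sh\ntar czf /srv/backup.tgz /srv/data --exclude=.git\n",
}
APPROVED = {"/usr/local/bin/backup"}   # the only path named in a change ticket

def report():
    """Run the comparison over the constructed snapshots."""
    return unauthorised_changes(fingerprint(BASELINE_FILES),
                                fingerprint(CURRENT_FILES), APPROVED)

if __name__ == "__main__":
    for kind, path in report():
        print(f"UNAUTHORISED {kind}: {path}")
```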

  12. When an organisation such as the United Nations is placed in a position of trust, security must be paramount; however, it doesn’t seem like this has been the case.

    The attackers were able to compromise systems using credentials found on the Dark Web, and this shows that the United Nations is not carrying out preventative reconnaissance on information found online, including Dark Web forums. This is an absolute must, as more breaches occur through stolen credentials than by any other method.

    However, the fact that the credentials also didn’t require two-factor authentication is perhaps the biggest security error here. Everyone knows how easy passwords are to breach and how many of these breached passwords end up being sold online, so using two-factor authentication should become a standard security practice among all organisations.

    Organisations should also ensure that they have preventative measures in place to monitor both open and dark web sources for information in order to thwart attacks before they have even begun.

  13. The United Nations holds some of the world’s most sensitive data, so it is very concerning that attackers were able to breach the organisation’s network using stolen credentials which were available on the Dark Web. This incident highlights the importance of organisations consistently monitoring the dark web and other rogue sites for user credentials and invalidating any that are found. It is also essential to use multi-factor authentication, so that even when passwords are leaked, there is still another strong line of security stopping intruders accessing systems. The United Nations should also employ strict remote access policies and also teach staff about good password hygiene, for instance, not reusing passwords and not using the same password across multiple sites.
