Following the news about a large proportion of police websites lack any form of automatic secure connection, meaning potentially sensitive data is communicated in plain unencrypted text – according to research.
Findings from non-profit body the Centre for Public Safety, revealed that 73% of websites accessed either lacked a secure connection for visitors or their implementation was deemed insecure. Only 27% demonstrated the highest “world-class” standard of secure connection, said the report. Richard Cassidy, UK cyber security evangelist at Alert Logic commented below.
Richard Cassidy, UK Cyber Security Evangelist at Alert Logic:
Far too many web services still fail to implement even the most basic levels of security capabilities, but it’s not entirely the fault of the business or public sector organisations. Legislation, e-data guidelines and their enforcement, are still far behind where they need to be. As a result, the fight against the new wave of highly organised cyber-criminal and hacker groups is fast becoming an impossibility, as a result of the governments almost glacial propensity to enforce change in areas where it’s most fundamentally required.
We’ve seen excellent headway in the finance, banking and e-commerce sectors over the years, with healthcare paying the price for less stringent efforts in terms of leaked records overall relevant to other industry sectors, but this is now improving vastly and to far greater effect than ever before. That said however, our national police, fire & rescue services are now fast becoming a target, as low-hanging-fruit for relatively younger, less sophisticated attackers, armed with complex, but easy-to-use automated attack tools, that make light work of poorly patched web services and poorly secured web facing assets. These organisations are left at the mercy of internal expertise to make best use of ever decreasing budgets to achieve the best security practices possible. When it comes to police matters, this is no trivial matter; e-portals that allow members of the public to report crimes through online forms, must be mandated to conform to the highest levels of security best practices in terms of data-in-transit (and at rest) encryption; the repercussions of an informant being identified or their data being intercepted/stolen as part of an attack, has implications not only in public confidence, but in the actual criminal cases they’re related to also.
Standards such as HTTPS & HSTS (which enforces an encrypted connection from client browser to web-server”) have been widely available for some time, both of which can be easily embedded into web application frameworks, or enforced at security gateways protecting the web-facing services. Questions have to be raised therefore, as to why it is acceptable for such a fundamentally critical service can be allowed to launch without these minimum security standards implemented. For me at least, this has to point back to legislation and e-data mandate inefficiencies and proves the point that organisations of all shapes and sizes need to carefully look at their IT security spending and look to work smarter, not harder, embracing the new wave of capabilities available to help achieve far better security outcomes, right across the board.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.