
Information Security Buzz (aka ISBuzz News) is an independent resource that provides experts' comments, analysis and opinion on the latest information security news and topics.
<p>The compromise of data from the United Nations is concerning not just because of the potential that it could be used to conduct future cyber attacks, but also because it highlights the continued blind spot organisations can have when using third-party software. The fact that attackers were able to break into a software solution using stolen UN credentials emphasises the importance of getting cyber hygiene right at the highest level.</p>
<p>Organisations need to have a complete and comprehensive overview of the third-party software they use, and to ensure that its security configuration is up to the same level as on their own internal systems. Identity Access Management should stretch across their whole estate, not just their own networks but also all of their third-party SaaS software, so that they can have confidence that any data stored in those applications is safe and secure. They should also regularly evaluate the types of data that are stored in these applications and the risk of them being compromised.</p>
<p>The tactically simple but successful cyberattack on the United Nations’ computer networks, now being reported as an ongoing breach with activity occurring for months, accentuates two very clear points. First, that while the impression of hackers is usually of technical geniuses using brilliant attack methods and sophisticated tools to skirt defensive measures, the reality is far from it. A majority of incidents are due to preventable human error or simple methods of attack such as stolen credentials. Second, that cybersecurity isn’t just a personal issue that affects our individual PII and sensitive financial information (though these are key concerns too). It is a matter of national security and potentially affects every single one of us with the repercussions of attacks on national entities. Quite simply, we can’t take cybersecurity and data protection seriously enough, at the personal level, at the organisational level, and at the national/international level.</p>
<p>For enterprises and other organisations, emphasising a culture of data security from the top down (embraced by leaders and workers alike) goes a long way toward heading off human error and mistakes which could lead to stolen credentials and subsequent breaches. Also, expanding the toolkit of preventative data protection methods is an absolute necessity. Let’s face it: traditional protections just aren’t working, mostly because they focus on the borders around sensitive data and access through those borders. The solution is actually quite simple: protect the data itself! Data-centric methods such as tokenization and format-preserving encryption obfuscate sensitive data elements while retaining data format, making this approach ideal for organisations that want to work with protected data within their workflows without de-protecting that data. No matter who gets hold of the data, it remains protected and cannot be leveraged. We should all be united in a commitment to a worldwide culture of better data security, bolstered by data-centric protection in case the worst-case scenario occurs and threat actors actually access highly sensitive information.</p>
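<p>The comment above describes tokenization and format-preserving protection only in outline. The following is an added illustration, not code from the commentator or from any product: a toy vault-based tokenizer that keeps the shape of the original value (digits stay digits, letters keep their case, separators pass through, and an optional trailing run such as the last four digits of a card number is left in clear). Tokens are derived with HMAC-SHA256 under a vault key, so the same input always yields the same token (useful for joins on tokenized columns) while the only way back to the clear value is the vault's own mapping. The class and function names, the key and the sample card-like numbers are all constructed for the example.</p>

```python
import hmac
import hashlib
import secrets
import string

# Added example (hypothetical names): a vault-style, format-preserving
# tokenizer. Application databases would only ever hold the tokens; the
# vault (key + mapping) lives in a separately controlled service.


def _keyed_stream(key, value):
    """Infinite byte stream from HMAC-SHA256(key, value || counter).

    Deterministic for a given key and value, so tokenization is repeatable;
    unpredictable to anyone who does not hold the key.
    """
    counter = 0
    while True:
        msg = value.encode("utf-8") + counter.to_bytes(4, "big")
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1


def _pick(stream, alphabet):
    """Unbiased choice from alphabet via rejection sampling on bytes."""
    n = len(alphabet)
    limit = 256 - (256 % n)  # largest multiple of n that fits in a byte
    while True:
        b = next(stream)
        if b < limit:
            return alphabet[b % n]


class TokenVault:
    """Toy token vault: holds the secret key and the token -> value map."""

    def __init__(self, key=None):
        # Constructed demo key when none is supplied; never hard-code in production.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._tokens = {}

    def tokenize(self, value, keep_last=0):
        """Return a token with the same length and character layout as value.

        Digits map to digits, upper case to upper case, lower case to lower
        case; anything else (spaces, dashes, '@') is copied through. The
        final keep_last characters are left in clear.
        """
        stream = _keyed_stream(self._key, value)
        cut = len(value) - keep_last
        out, replaced = [], 0
        for i, ch in enumerate(value):
            if i >= cut:
                out.append(ch)  # e.g. last four digits kept for display
            elif ch.isdigit():
                out.append(_pick(stream, string.digits)); replaced += 1
            elif ch.isupper():
                out.append(_pick(stream, string.ascii_uppercase)); replaced += 1
            elif ch.islower():
                out.append(_pick(stream, string.ascii_lowercase)); replaced += 1
            else:
                out.append(ch)  # separators preserve the layout
        if replaced == 0:
            raise ValueError("nothing left to protect in value")
        token = "".join(out)
        if token == value:  # only plausible for very short values
            raise ValueError("token equals clear value; use a longer value")
        existing = self._tokens.get(token)
        if existing is not None and existing != value:
            raise RuntimeError("token collision between distinct values")
        self._tokens[token] = value
        return token

    def detokenize(self, token):
        """Reverse a token; raises KeyError for anything not issued by this vault."""
        return self._tokens[token]


if __name__ == "__main__":
    vault = TokenVault(key=b"constructed-demo-key-not-for-production")
    for pan in ("4111 1111 1111 1234", "4000 0000 0000 0002"):  # constructed test numbers
        tok = vault.tokenize(pan, keep_last=4)
        print(f"{pan} -> {tok} -> {vault.detokenize(tok)}")
```

<p>Because every character class is replaced from its own alphabet, a downstream system that validates "16 digits in four groups" still accepts the token, and a dump of the application database yields only tokens. The mapping in <code>TokenVault</code> is the asset that must be isolated and access-controlled; a breach of the token store alone exposes nothing useful. The HMAC key must be kept with the same care, since a leaked key would let an attacker test guesses of the original value against the tokens.</p>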
<p>This isn’t the first time the UN has been targeted by the bad actors of the world, and I believe it certainly won’t be the last. As long as operations like the UN refuse to update their systems to plug security holes and implement protections like two-factor authentication, bad actors will continue to feast off of their sensitive data.</p>
<p><span lang="EN">The United Nations has one of the biggest breach bullseyes of any organisation in the world on its back from a geopolitical standpoint. What I am somewhat surprised by in this latest breach, however, is that it took place when the attackers used stolen credentials lifted from a dark website.</span></p>
<p><span lang="EN">The UN is no different than any public or private defender who must improve their training, preparation, and awareness, and the ability to detect malicious activity much earlier to reduce risk. Companies need to build a stronger resilience to malicious activity and ensure that the blast radius of payloads is minimised and generally use peacetime to foster anti-fragility. It’s about how we adapt and improve every day.</span></p>
<p><span lang="EN">Given that nation-state-backed organisations often work diligently to obscure their activity and maintain persistence within a targeted organisation’s network, they spend much more time hiding their presence than stealing data because specific information on any member country of the United Nations can fetch a pretty penny on the Dark Web.</span></p>
<p><span lang="EN">Overall, there’s no shame in being attacked, and disclosing it properly is laudable. There’s a world of difference between an infrastructure breach where a nation-state, rogue group, or hacktivists get in and an information or material breach that causes damage. This latest news comes close on the heels of the U.S. State Department breach and others like it in 2021. Given this news, the turmoil in Afghanistan, and other hot spots around the world, security teams from NATO and European Union nations need to be on high alert for unusual cyber-related activity against the U.S. government and other allies.</span></p>