It has been reported that the Northern Ireland Assembly has issued warnings to staff following cyber attacks on its IT system. External hackers e attempted to access staff email accounts by brute-forcing passwords. IT security experts commented below.
Richard Walters, Cheif Security Strategist at CensorNet:
“This attack shows that it doesn’t matter who people are or where they work, basic cyber security practices are still being ignored. For years now, the advice has been: don’t reuse passwords across different sites and regularly change those passwords, yet for some reason, it isn’t sinking in. Even after a similar attack on the UK Parliament last year, the Northern Ireland Assembly and its staff clearly haven’t heeded the warnings.
“Given most people cannot be trusted to undertake basic security hygiene practices themselves, organisations – whether public or private – need to take steps to make them. If the Northern Ireland Assembly had, for example, had multi-factor authentication in place then it could rest easy that, even if a hacker did try and get in, they would have an impossible task accessing any information.”
Tony Pepper, CEO at Egress:
“This attack against the Northern Ireland Assembly comes less than a year after a very similar attack on the Houses of Parliament. Both attacks have targeted email systems, trying to take advantage staffs’ weak passwords to gain access to sensitive information contained in mailboxes. Cyber criminals come back to this type of attack time and time again because human error is always the greatest area of weakness when it comes to cybersecurity.
“In this attack, and countless others, hackers were banking on poor security practices to help them through the door, such as weak or re-used passwords,and urging staff to update their credentials is simply not enough. Organisations, public or otherwise, need to put technologies and procedures in place to reduce the impact of human error. Should hackers find a weakness, organisations need to be confident that they can’t access the sensitive information that is shared via, and therefore stored in, email systems. For example, encryption that secures email content at rest is one way to protect critical assets should the worst happen and a hacker gain access. Good security should work with staff,accepting their behaviour will be unpredictable and helping them to be productive while making sure they are not letting cyber criminals access sensitive content, and in this case potentially putting the public at risk.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.