With the news that the Scottish Parliament has been hit by a cyber attack similar to the one that affected Westminster a couple of months ago, security expert Dr Guy Bunker, SVP Marketing at cyber security specialists Clearswift, commented below.
Dr Guy Bunker, SVP Marketing at Clearswift:
“For those on the IT side, settings on how many attempts can be made should be set to a limited number, e.g. 3 or 5, before a lockout occurs. They should also ensure that the checks when users create or change passwords (phrases) are put in place with an appropriate amount of complexity. Most applications allow this. While the default might be a length of 6 or 8 characters, forcing the change to 10 (or preferably more) will help mitigate brute force attacks. While thinking of a word with 10 characters is tough, a pass phrase is simple.
Individuals and organizations need to remember that their usernames and passwords are critical pieces of information which need to be protected – as, when compromised, they can unlock access to other pieces of critical information – with the appearance of being a legitimate user. This will then result in data leaks which have far-reaching consequences.”
Jon Geater, CTO at Thales e-Security:
“no holds are barred in this fight: even guessing of information is on the table…and, if it fails, it will still lock out users and cause havoc when they come in for work in the morning.
With such crippling effects to a government’s bottom line and public reputation, the risk of falling victim to a severe cyber-attack is without doubt depriving today’s business leaders of much-needed sleep. A watertight data security and encryption strategy to ensure data privacy is now an indispensable element of an organisation’s wider cyber security strategy.
The continued increase in the number of large-scale cyber-attacks impacting businesses and public bodies highlights just how vulnerable we remain to data breaches, meaning organisations cannot continue to treat cyber security as a box-ticking exercise and risk falling foul of these harmful attacks.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.