News broke earlier today that Britain’s parliament was hit by a “sustained and determined” cyber attack designed to identify weak email passwords. The House of Commons said it was working with the National Cyber Security Centre to defend parliament’s network and was confident it had protected all accounts and systems. IT security experts commented below.
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies:
Andrew Clarke, UK Director at One Identity:
“The key problem is that many of the passwords that have been exposed through external social media sites are the same passwords used for everyday duties. This would contravene best practice and guidance published by the National Cyber Security Centre (NCSC). One way in which government organisations can overcome the password reuse issue is by introducing Multi-factor Authentication (MFA). To access a system, the user has to not only provide the password but also the second factor – which may be, for example, a code that has been sent via SMS to a trusted device. If passwords need to be used, then a Password Manager tool would help on a number of fronts. Firstly, it would help reinforce organisational policies and data security standards – the department could ensure that sensible choices for a password are taken – and if a password is tried unsuccessfully then the system access is actually locked out. Associated with such a tool is a series of profile questions that empower the user to reset their own passwords by asking personalised questions to which the user has predetermined the answers. By taking this step to implement this type of control they are even able to realise a return on investment very quickly as it is simple to set up and simple to use – and as well as improving security, it cuts down on administrative overhead.”
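The two controls described above (a second factor alongside the password, and locking the account after repeated unsuccessful attempts) are shown together in the following added example. It is illustration written for this page, not code from One Identity or from any vendor quoted here. It assumes an in-memory account record, a lockout threshold of five failed attempts, and a TOTP (RFC 6238) code as the second factor instead of the SMS code the quote mentions; names such as `verify_login` and `new_account` are invented for the example.

```python
"""Password + TOTP login check with a failed-attempt lockout.

Added example for this page (not vendor code). Assumes an in-memory account
dict; a real deployment would persist it, rate-limit at the network edge,
and log each denied attempt for detection.
"""
import hashlib
import hmac
import os
import struct

MAX_FAILED = 5          # assumed policy: lock after this many failed attempts
TOTP_STEP = 30          # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6         # code length (RFC 6238 default)
PBKDF2_ROUNDS = 200_000 # assumed work factor for the stored password hash


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def new_account(password: str, totp_secret: bytes) -> dict:
    """Create an account record; the constructed secret stands in for one shared via QR code."""
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "totp_secret": totp_secret,
            "failed": 0, "locked": False}


def verify_login(account: dict, password: str, otp: str, now: int) -> str:
    """Return 'ok', 'denied' or 'locked'.

    Both factors are always evaluated and the caller only learns 'denied',
    so a wrong password and a wrong code are indistinguishable to the
    attacker, and every failure counts toward the lockout threshold.
    """
    if account["locked"]:
        return "locked"
    _, digest = hash_password(password, account["salt"])
    password_ok = hmac.compare_digest(digest, account["hash"])
    # Accept the current step and one step either side to tolerate clock drift.
    otp_ok = any(
        hmac.compare_digest(totp(account["totp_secret"], now + drift), otp)
        for drift in (-TOTP_STEP, 0, TOTP_STEP)
    )
    if password_ok and otp_ok:
        account["failed"] = 0
        return "ok"
    account["failed"] += 1
    if account["failed"] >= MAX_FAILED:
        account["locked"] = True        # an administrator or self-service reset clears this
        return "locked"
    return "denied"


if __name__ == "__main__":
    # Constructed demo values: the RFC 6238 reference secret and its known code at t=59.
    demo_secret = b"12345678901234567890"
    acct = new_account("correct horse battery staple", demo_secret)
    print(verify_login(acct, "correct horse battery staple", totp(demo_secret, 59), 59))  # ok
    for _ in range(MAX_FAILED):
        result = verify_login(acct, "guess", "000000", 59)
    print(result)  # locked
```

The lockout counter is the piece that turns a password-guessing campaign like the one described into something the defender sees (repeated `denied` results, then `locked`), while the time-based code means a password that has leaked elsewhere is not enough on its own.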
Anurag Kahol, CTO at Bitglass:
Ravi Pather, UK Director at Eperi:
“‘Sustained and determined’ cyber-attack by hackers means the hackers have some access to your username and password credentials and use this to try and access IT systems and emails. It’s been separately reported that UK MPs’ user credentials were on sale on Russian criminal websites, suggesting this may have been previously obtained.
“Recent NHS ‘ransomware’ attacks are different but are generally also referred to as cyber security attacks. This means attackers gain access to your IT systems and networks and then encrypt data, making it unusable, asking for a ransom before this data is decrypted, if they indeed do this.
“Back to the Parliament systems’ cyber security and the sustained and determined attack being experienced. This is a bit like the hackers trying to break into your front door by trying to pick your front door locks. In yesteryears, IT security was focused on implementing security systems, such as ‘two-factor authentication’ and ‘access and identity management’ systems, to prevent this type of attack. It’s like making sure the locks and front door had good security systems preventing entry.
“In a modern day IT architecture you need multiple levels of both IT security as well as Data security. You have to believe that not only can attackers come through the front door but that they can also access your data via other points of entry and access. This is a fact given modern day distributed cloud architectures.
“We just hope that the Houses of Parliament do have these more modern day ‘data protection’ systems as well. In other words, what if the attackers do gain entry by breaking in via user passwords: will they have easy open access to the data in email and other systems that contain sensitive data? HR, expenses, accounts, sensitive parliamentary data? Also, let’s not believe just ‘data at rest’ encryption systems are enough – it’s a start, but we have to be protecting this sensitive data through its entire life cycle: ‘data in motion’, ‘data in use’ and ‘data at rest’.
“We just hope that the Houses of Parliament have this next level of more advanced and modern data protection systems installed as well. If not, then we do have a very serious issue of gaining access to email and other systems that use and store sensitive data.
“The question is also where the email systems are storing this email data. Is it an on-premises email system or a cloud-based mail system where this email may be stored on a cloud-based service? Then, is this data encrypted throughout its entire lifecycle? Modern day data encryption solutions will protect the sensitive data itself throughout its entire lifecycle, even if it is based on modern day distributed cloud-based architectures.”
Spencer Young, RVP EMEA at Imperva:
“Passwords continue to be an Achilles heel in the fight against cybercrime as improper user behaviour – such as weak passwords or use of the same password across different sites – continues.
What’s disturbing, aside from the doubtless potential for high levels of confidentiality within emails emanating from the House, is that there are simple, effective methods such as two-factor authentication, and TLS Client Authentication which have been shown to be extremely secure, yet usability issues have hampered adoption. This is an outcome of a continual lack of understanding and investment from Government in security strategies that enterprise Britain adopts as standard operating procedures. This attack was unfortunately always a matter of time.”
James Romer, Chief Security Architect – EMEA at SecureAuth Corporation:
“Liam Fox, International Trade Secretary, hit the nail on the head by saying, ‘warning to everyone, we need more security and better passwords’. The way organisations approach authentication and securing credentials needs to be rethought. Simple two-factor authentication is no longer enough to safeguard against today’s attacks. It is important to deliver a form of authentication which feels low effort for the user yet has enhanced layers of protection working in the background. Adaptive access control techniques and identity-based detection work invisibly to the user but work to protect, detect, and ultimately remediate attacks, essentially rendering stolen credentials useless.”
John Gunn, CMO at VASCO Data Security:
Adam Laub, Senior VP of Product Marketing at STEALTHbits Technologies:
“It’s also no surprise that email was the prime target in this and many attacks, but perhaps for a different reason than one might think. While the body content of an email and the conversations themselves have their own distinct value, email quietly maintains a high ranking position as one of the largest file repositories within any organization. The amount of files contained within email inboxes is staggering. It’s also a given that a substantial portion of those files will contain sensitive information that could be just as (if not more) damning as the off-color comment that accompanied it in its initial delivery.”
Csaba Krasznay, PhD, Product Evangelist at Balabit:
“Nevertheless, we should pay attention to one remarkable part of this story: MPs all over the world use other e-mail addresses as well. Who will protect their Gmail accounts from such phishing attacks? Cyber espionage is not someone else’s problem anymore, they should understand the risks and countermeasures as well.”
Richard Parris, CEO at Intercede:
“It’s one thing for a business or consumer to be hacked, but the UK Parliament? The past few years have seen company after company hacked at the hands of opportunistic cyber criminals, and it’s no surprise that they’ve now moved on to legislative bodies and government departments. Why? Because we’re making it too easy for them. Cyber criminals don’t have to be geniuses, particularly when we continue to use outdated, insecure forms of security such as usernames and passwords to protect our nation’s secrets.
“The sustained hack on the UK Parliament should be a wake-up call for all organisations and enterprises that continue to use passwords as the first point for securing systems. When it becomes a question of national security, we need to think about the people and systems we’re counting on for protection. Legacy systems need to be updated, appropriate funding needs to be allocated and users need to be educated on best practice so that any holes can be plugged. More importantly, government needs to be looking at more robust methods of security – strong authentication – that incorporate three distinct elements. These are possession (something you have, such as a smartphone), knowledge (something you know, such as a PIN) and inherence (something you are, such as a fingerprint or an iris scan).
“This type of security method is much more robust, and verifies that the person accessing the service is who they say they are. Strong user authentication is already best practice in Germany and across the executive branch of the US government, protecting critical national infrastructure. This level of security will also be required for the upcoming PSD2 initiative for EU payments, and is implied under GDPR. The UK government needs to be more proactive in following best practice to protect national and individual privacy, including MP, constituency and constituent data.
“Consumers are already losing confidence in businesses that continue to play fast and loose with their data. The UK government should be learning from the private sector’s mistakes; the repercussions and backlash could be far more severe and difficult to come back from if warnings are not heeded.”
Javvad Malik, Security Advocate at AlienVault:
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.