Andrew Beckett, Managing Director of Cyber Security and Investigations at the risk management consultancy Kroll, said that the attack launched against the Westminster parliament on Friday, June 23 reinforced the need for a careful audit of IT security policies and procedures, and the need for a digital ‘Devil’s Advocate’ to question decisions and their implementation.
He said: “The perpetrators used a fairly unsophisticated brute force attack which attempted to guess the passwords of the 9,000 MPs, Peers, parliamentary aides and assorted other staff who use the system. The parliamentary authorities tell us that the fact that fewer than 100 accounts (about 1%) were compromised was because the compromised users didn’t follow the security policies regarding passwords put in place for their protection and the protection of other users.
“What is less clear is why such lax security controls were allowed and why it wasn’t picked up during routine security testing of the system.
“We don’t know at this stage whether the compromised users took a decision to ignore the policy or whether they were unaware of the security requirements, and the potential consequences of their actions. However, given that the UK Government has declared the cyber threat a Tier 1 threat to the UK, and the continued discussion around foreign powers mounting cyber attacks against countries in an attempt to influence elections, or as a tool in geo-political disputes, it was at best a naïve stance to take.
“Sacrificing security for expediency is a common problem in the cyber sector, but it is a trade-off that wouldn’t be acceptable in many other situations and one where the risks are increasingly outweighing the rewards.
“To avoid the problems associated with ineffective risk assessment or poorly implemented controls, we often suggest a process that is not new – in fact, it goes back to 1587, when the Catholic Church initiated a process for assigning someone, called ‘the devil’s advocate’, to present arguments against the canonisation or beatification of a candidate for sainthood. In the context of systems and cyber security, the job of the digital devil’s advocate is to evaluate issues like security and privacy, quality control, and vulnerabilities that may have been overlooked during development, as well as legal or regulatory considerations that may not have been fully analysed.
“In the case of Friday’s attack against the parliamentary systems, we are told that policies were in place requiring robust passwords, but it’s not clear why the accreditor and regular security checks hadn’t identified that the password policy was being flouted by some users. There are numerous ways of technically enforcing strong passwords, and any Chief Information Security Officer in a corporate environment would be checking this as a matter of routine. If it turns out that personal information relating to users or, worse, constituents has been compromised by the breach, we can expect the Information Commissioner’s Office [the data protection regulator, the ICO] to be taking a close look at why this failure wasn’t picked up earlier.”
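Two of the points in the statement above are things a practitioner would implement rather than write into a policy document: enforcing a strong-password rule at the moment a password is set, so that it cannot be flouted, and spotting a brute-force attempt that walks across many accounts from one source. The following is an added example illustrating both; it is not code from the article, from Kroll or from Parliament’s digital service. The policy thresholds, the blocklist, the log line format and the log lines themselves are all constructed assumptions for the example.

```python
"""Added example: technical enforcement of a password policy at set-time, plus
detection of a brute-force / password-spray pattern in authentication logs.
All thresholds, names, IPs and log lines below are constructed assumptions."""
import re
from collections import defaultdict

# Hypothetical policy: at least 12 characters, three of four character classes,
# not a commonly guessed password, and not containing the username.
MIN_LENGTH = 12
BLOCKLIST = {"password", "password1", "parliament", "westminster",
             "welcome1", "letmein", "qwerty123"}
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(password, username=""):
    """Return the list of policy violations; an empty list means the password passes.
    Calling this on every password change is what turns a written policy into a control."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if sum(bool(re.search(p, password)) for p in CLASS_PATTERNS) < 3:
        problems.append("fewer than three character classes")
    # Strip digits and symbols so "Password1!" is still caught by the "password" entry.
    stripped = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in BLOCKLIST or stripped in BLOCKLIST:
        problems.append("on the blocklist of commonly guessed passwords")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


# Constructed auth log (format is an assumption): <timestamp> <user> <FAIL|OK> <source ip>
AUTH_LOG = """\
2017-06-23T22:01:03Z alice.mp FAIL 203.0.113.7
2017-06-23T22:01:04Z bob.peer FAIL 203.0.113.7
2017-06-23T22:01:05Z carol.aide FAIL 203.0.113.7
2017-06-23T22:01:06Z dan.staff FAIL 203.0.113.7
2017-06-23T22:01:07Z erin.mp FAIL 203.0.113.7
2017-06-23T22:01:08Z erin.mp OK 203.0.113.7
2017-06-23T22:03:41Z alice.mp FAIL 198.51.100.4
2017-06-23T22:03:50Z alice.mp OK 198.51.100.4
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (FAIL|OK) (\S+)$")


def parse_auth_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": m.group(1), "user": m.group(2),
                           "ok": m.group(3) == "OK", "ip": m.group(4)})
    return events


def detect_spray(events, min_failures=5, min_users=3):
    """Flag source IPs with many failures spread across several distinct accounts
    (the brute-force / spray signature), and list accounts that then logged in
    successfully from a flagged IP, i.e. the likely compromised ones.
    Returns (flagged_ips, compromised_users), both sorted lists."""
    failures = defaultdict(int)
    failed_users = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]] += 1
            failed_users[e["ip"]].add(e["user"])
    flagged = {ip for ip in failures
               if failures[ip] >= min_failures and len(failed_users[ip]) >= min_users}
    compromised = {e["user"] for e in events if e["ok"] and e["ip"] in flagged}
    return sorted(flagged), sorted(compromised)


if __name__ == "__main__":
    print(check_password("Password1!", "erin.mp"))       # two violations
    print(check_password("Correct-Horse-Battery-9"))     # []
    print(detect_spray(parse_auth_log(AUTH_LOG)))        # (['203.0.113.7'], ['erin.mp'])
```

The second source in the constructed log, a single failure followed by a success against the same account, is the ordinary typo pattern and is deliberately not flagged; the distinct-accounts threshold is what separates a spray across 9,000 users from one person mistyping. In a real deployment the blocklist would be a large breached-password corpus rather than seven strings, and the detector would run over a sliding time window rather than the whole log.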
The National Cyber Security Centre said: “The NCSC is aware of an incident and is working around the clock with the UK Parliamentary digital security team to understand what has happened and advise on the necessary mitigating actions.”