News broke earlier today that Britain’s parliament was hit by a “sustained and determined” cyber attack designed to identify weak email passwords. The House of Commons said it was working with the National Cyber Security Centre to defend parliament’s network and was confident it had protected all accounts and systems. IT security experts commented below.
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies:
“The UK National Cyber Security Centre are quantifying the extent of the breach at this stage and taking precautionary measures to limit any further impact to parliament computer systems. This should serve as a red light to all organisations: it’s not a matter of ‘if’ but ‘when’ a breach may happen. It isn’t good enough to prepare for this type of event on paper; instead, an organisation should prepare by regularly simulating incidents in order to put their response procedures into practice.”
Andrew Clarke, UK Director at One Identity:
“We have to be careful in over-hyping events seen to be occurring this weekend with a so-called cyber attack on UK Parliament. It appears that the parliament IT team have done a good job in closing down access to their email systems – this would serve to protect them until the nature of the intrusion is understood. This may be inconvenient for MPs wishing to access emails over the weekend, but we should acknowledge that the proactive response taken here is actually protecting their environment. The news last week that email addresses and passwords of various officials, including members of parliament, were up for sale would have made the IT team more cautious and watchful for any suspicious activities. Even before this news, I am sure that ‘hackers’ tried to circumvent security controls for what would be seen as a prestigious hack. Nevertheless, with the publicity exposing the password haul, and its availability for sale, it is no surprise that someone has tried to take advantage.
“The key problem is that many of the passwords that have been exposed through external social media sites are the same passwords used for everyday duties. This would contravene best practice and guidance published by the National Cyber Security Centre (NCSC). One way in which government organisations can overcome the password reuse issue is by introducing Multi-factor Authentication (MFA). To access a system, the user has to not only provide the password but also the second factor – which may be, for example, a code that has been sent via SMS to a trusted device. If passwords need to be used, then a Password Manager tool would help on a number of fronts. Firstly, it would help reinforce organisational policies and data security standards – the department could ensure that sensible choices for a password are taken – and if a password is tried unsuccessfully then the system access is actually locked out. Associated with such a tool is a series of profile questions that empower the user to reset their own passwords by asking personalised questions to which the user has predetermined the answers. By taking this step to implement this type of control they are even able to realise a return on investment very quickly, as it is simple to set up and simple to use – and as well as improving security it cuts down on administrative overhead.”
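The lockout behaviour described above, and the kind of “sustained and determined” password-guessing the article reports, can be made concrete with a small defensive check. The code below is an added example, not from the article or from any vendor quoted in it; the log format, thresholds and addresses are all constructed for illustration.

```python
# Added example, not code from the article or any vendor quoted in it.
# Two checks over constructed mail-login records: an account lockout after
# repeated failures, and a per-source check for one address failing across
# many accounts ("spraying"), which an account lockout alone does not catch.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <account> <source_ip> <OK|FAIL>"
SAMPLE_LOG = """\
2017-06-24T09:00:01 alice 198.51.100.7 FAIL
2017-06-24T09:00:02 bob 198.51.100.7 FAIL
2017-06-24T09:00:03 carol 198.51.100.7 FAIL
2017-06-24T09:00:04 dave 198.51.100.7 FAIL
2017-06-24T09:05:00 alice 203.0.113.9 FAIL
2017-06-24T09:05:10 alice 203.0.113.9 FAIL
2017-06-24T09:05:20 alice 203.0.113.9 FAIL
2017-06-24T09:05:30 alice 203.0.113.9 FAIL"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, account, src, result = line.split()
        events.append((datetime.fromisoformat(ts), account, src, result == "OK"))
    return sorted(events)

def accounts_to_lock(events, max_failures=5, window=timedelta(minutes=10)):
    """Accounts reaching max_failures failed logins (any source) in a sliding window."""
    recent, locked = defaultdict(list), set()
    for ts, account, _src, ok in events:
        if ok:
            recent[account] = []  # a successful login resets the counter
            continue
        recent[account] = [t for t in recent[account] if ts - t <= window] + [ts]
        if len(recent[account]) >= max_failures:
            locked.add(account)
    return locked

def spraying_sources(events, min_accounts=4, window=timedelta(minutes=10)):
    """Sources whose failures span min_accounts distinct accounts within a window."""
    fails, flagged = defaultdict(list), set()
    for ts, account, src, ok in events:
        if not ok:
            fails[src].append((ts, account))
    for src, tries in fails.items():
        for i, (start, _) in enumerate(tries):
            hit = {a for t, a in tries[i:] if t - start <= window}
            if len(hit) >= min_accounts:
                flagged.add(src)
                break
    return flagged
```

Run `accounts_to_lock(parse_log(SAMPLE_LOG))` and `spraying_sources(parse_log(SAMPLE_LOG))` to see that only alice trips the lockout, while 198.51.100.7 is flagged for spreading its guesses over four accounts with a single failure each.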
Anurag Kahol, CTO at Bitglass:
“Since the UK Parliament disabled email access for even legitimate users, these attackers have effectively achieved a denial of service attack. Strong authentication policies, including multifactor authentication, combined with user behavior analytics not only within applications but across applications, could have prevented the need to block users from being able to access work applications. This holds especially true for cloud-based applications which, by definition, are available from any device, anywhere.”
Ravi Pather, UK Director at Eperi:
“A ‘sustained and determined’ cyber-attack by hackers means the hackers have some access to your username and password credentials and use this to try and access IT systems and emails. It’s been separately reported that UK MPs’ user credentials were on sale on Russian criminal websites, suggesting these may have been previously obtained.
“The recent NHS ‘ransomware’ attack is different but is generally also referred to as a cyber security attack. This means attackers gain access to your IT systems and networks and then encrypt data, making it unusable, asking for a ransom before this data is decrypted, if they indeed do this.
“Back to the Parliament systems’ cyber security and the sustained and determined attack being experienced. This is a bit like hackers trying to break into your front door by trying to pick your front door locks. In yesteryear, IT security was focused on implementing security systems, such as ‘two-factor authentication’ and ‘access and identity management’ systems, to prevent this type of attack. It’s like making sure the locks and front door had good security systems preventing entry.
“In a modern-day IT architecture you need multiple levels of both IT security and data security. You have to believe that not only can attackers come through the front door but that they can also access your data via other points of entry and access. This is a fact given modern-day distributed cloud architectures.
“We just hope that the Houses of Parliament do have these more modern-day ‘data protection’ systems as well. In other words, if the attackers do gain entry by breaking in via user passwords, will they have easy, open access to the data in email and other systems that contain sensitive data: HR, expenses, accounts, sensitive parliamentary data? Also, let’s not believe that ‘data at rest’ encryption systems alone are enough – it’s a start, but we have to be protecting this sensitive data through its entire life cycle: ‘data in motion’, ‘data in use’ and ‘data at rest’.
“We just hope that the Houses of Parliament have this next level of more advanced and modern data protection systems installed as well. If not, then we do have a very serious issue of attackers gaining access to email and other systems that use and store sensitive data.
“The question is also where the email systems are storing this email data. Is it an on-premise email system or a cloud-based mail system where this email may be stored on a cloud-based service? Then, is this data encrypted throughout its entire lifecycle? Modern-day data encryption solutions will protect the sensitive data itself throughout its entire lifecycle, even if it is based on modern-day distributed cloud-based architectures.”
Spencer Young, RVP EMEA at Imperva:
“Passwords continue to be an Achilles heel in the fight against cybercrime as improper user behaviour – such as weak passwords or use of the same password across different sites – continues.
“What’s disturbing, aside from the doubtless potential for high levels of confidentiality within emails emanating from the House, is that there are simple, effective methods such as two-factor authentication and TLS client authentication which have been shown to be extremely secure, yet usability issues have hampered adoption. This is an outcome of a continual lack of understanding and investment from Government in security strategies that enterprise Britain adopts as standard operating procedures. This attack was unfortunately always a matter of time.”
James Romer, Chief Security Architect – EMEA at SecureAuth Corporation:
“Liam Fox, International Trade Secretary, hit the nail on the head by saying, ‘warning to everyone, we need more security and better passwords’. The way organisations approach authentication and securing credentials needs to be rethought. Simple two-factor authentication is no longer enough to safeguard against today’s attacks. It is important to deliver a form of authentication which feels low effort for the user yet has enhanced layers of protection working in the background. Adaptive access control techniques and identity-based detection work invisibly to the user but work to protect, detect, and ultimately remediate attacks, essentially rendering stolen credentials useless.”
John Gunn, CMO at VASCO Data Security:
Adam Laub, Senior VP of Product Marketing at STEALTHbits Technologies:
“It’s also no surprise that email was the prime target in this and many attacks, but perhaps for a different reason than one might think. While the body content of an email and the conversations themselves have their own distinct value, email quietly maintains a high ranking position as one of the largest file repositories within any organization. The amount of files contained within email inboxes is staggering. It’s also a given that a substantial portion of those files will contain sensitive information that could be just as (if not more) damning as the off-color comment that accompanied it in its initial delivery.”
Csaba Krasznay, PhD, Product Evangelist at Balabit:
“Nevertheless, we should pay attention to one remarkable part of this story: MPs all over the world use other e-mail addresses as well. Who will protect their Gmail accounts from such phishing attacks? Cyber espionage is not someone else’s problem anymore; they should understand the risks and countermeasures as well.”
Richard Parris, CEO at Intercede:
“The sustained hack on the UK Parliament should be a wake-up call for all organisations and enterprises that continue to use passwords as the first point for securing systems. When it becomes a question of national security, we need to think about the people and systems we’re counting on for protection. Legacy systems need to be updated, appropriate funding needs to be allocated and users need to be educated on best practice so that any holes can be plugged. More importantly, government needs to be looking at more robust methods of security – strong authentication – that incorporate three distinct elements. These are possession (something you have, such as a smartphone), knowledge (something you know, such as a PIN) and inherence (something you are, such as a fingerprint or an iris scan). This type of security method is much more robust, and verifies that the person accessing the service is who they say they are.
“Consumers are already losing confidence in businesses that continue to play fast and loose with their data. The UK government should be learning from the private sector’s mistakes; the repercussions and backlash could be far more severe and difficult to come back from if warnings are not heeded.”
Javvad Malik, Security Advocate at AlienVault:
http://www.informationsecuritybuzz.com/expert-comments/uk-parliament-cyber-attack/