Professor of Cyber Security at Ulster University Kevin Curran outlines some of the security concerns faced by governments when deploying online services and suggests methods to combat them.
This post first appeared on Agenda NI on October 9th 2017.
The internet has become the fulcrum of modern economies. It is not a surprise, therefore, to see government services becoming increasingly accessible online. The benefits are clear: ease of access and searchability 24/7, 365 days a year, in addition to reduced paper consumption. The risks, however, must not be underestimated. The primary risk is the breach of sensitive user records.
The truth is that the full cost of a data breach to an organisation can be difficult to estimate; it can be either under- or overestimated. Previous cyber-liability insurance claims offer some guidance. In general, the cost of stolen records is affected by the type of data and the total number of records compromised. Of course, the presence of credit card numbers or medical records can affect this greatly. The figure estimated for a breach rises linearly with the number of records compromised. Other factors which can affect the costing include whether intellectual property was stolen, business downtime and damage to brand reputation. These can all be significant cost adjustors in the final estimation. In fact, the true cost can only really be gauged years after the breach. Will this stop governments moving to provision of online services? It is unlikely. However, they must implement security best practices and avoid embarrassing hacks like the recent Equifax debacle.
Equifax is a consumer credit reporting agency aggregating information from over 800 million individual consumers and more than 88 million businesses worldwide, including Northern Ireland. The breach is considered one of the most sensitive large-scale breaches to date, simply because of the nature of the data. It contained social security numbers, birth dates, names and addresses. It also leaked driver's licence numbers and credit card numbers for over 200,000 people. Sensitive data like this can be used by criminals for identity theft and for convincing phishing messages in which they persuade targeted individuals to give up something important, like a password or access to banking sites. The more convincing a phishing email is, the more likely someone is to reply to it. It turns out that 40 per cent of cyber-insurance claims are filed for phishing email attacks. You see, once identifying information like this gets loose, it is loose for ever. You cannot change your name, date of birth or social security number. Yes, you can (and may have to) change your credit card number, but just like the biometric data, such as fingerprint scans, that was leaked in another hack, it really does make that individual more prone to targeted attacks in the future. That is why this is a bad day for the internet. Cybercrime is on the rise, so we should think about security in terms of process, people and technology.
So, what can our government do to prevent such leaks? They can start by creating security policies with internal departments, performing audits, implementing physical security controls and classifying risk. The implementation of internet-based services and rapid connectivity to external parties has led to increased risks to internal assets. Information that is more valuable than ever before is more accessible and easier to divert. Governments that fail to address the broader security issues that accompany this change will have insufficient controls in place to minimise risks. These risks could lead to significant financial and legal difficulties and reputational damage for them. Appropriate preventive, detective and corrective controls, in the form of policies, standards, procedures, organisational structures or software/technology functions and monitoring mechanisms, are therefore required to minimise the risks to the confidentiality, integrity and availability of information assets within an organisation. These aspects of security should be the underpinnings of any investment in cybersecurity.
The areas that require special attention will differ from those of commercial organisations, but ultimately governments need to involve all relevant staff in efforts to remain secure. This is because the actual technology is only part of the equation. Humans are generally the weakest part. Education is a large part of it. Staff simply must be made aware from day one of the dangers when breaches or leaks occur. Appeal to their self-interest and results may follow. In fact, proper policies should cover everything from strict physical access through to virtual access. If the boss forgets his badge, the security team should apply the same policies as they would to any other member of staff. It can, however, be difficult to involve everyone in the organisation in the security effort. Most organisations face a number of issues when implementing the necessary security and control mechanisms: security investments have to be justified against hypothetical losses, and communicating the risks and benefits of security investments to non-technical stakeholders can be difficult.
To overcome these obstacles, organisations could develop a risk-based decision analysis that enables them to allocate security resources and prioritise security measures. Such an analysis considers the risk decision and the uncertainties that make the decision difficult. It would also consider any preferences that value the outcomes. This should help ascertain the expected annualised cost of security. It is vitally important to gain the support of upper management and of the employees who will use the system. There also need to be governance structures in place which will oversee the monitoring and maintenance of the security policies over time, tweaking them as necessary. Quite often, security awareness and training is mandatory because of compliance requirements, such as the Payment Card Industry Data Security Standard (PCI DSS) and the European Data Protection Directive. This is crucial if an organisation employs external contractors who could have access to personally identifiable data. Employees who touch this data therefore have to be trained properly in the security policies. Classifying data is also becoming a critical IT activity for the purposes of implementing the optimal data solution to store and protect data throughout its lifetime. Developing a data classification methodology for a business involves establishing criteria for classes of data or applications based on their value to the business.
Government online services also face a threat in the form of distributed denial of service (DDoS) attacks. DDoS attacks are designed to send an overwhelming number of 'fake requests' to a site in order to bring it to its knees. Very few websites can cope with such a dedicated flood of bogus requests. The problem, of course, is that it is very difficult in real time to separate requests from genuine customers from the malicious DDoS flood. DDoS attacks will continue for the foreseeable future as long as unpatched systems remain online and easy-to-deploy DDoS tools exist. Unfortunately, a DDoS attack is the simplest of all attacks to mount.
Governments also have the problem of international espionage to deal with. To date we have seen sophisticated malware used to conduct espionage on targets in news organisations, power companies and other industrial groups, but government departments need to be vigilant. Stuxnet, Flame and Volatile Cedar are malware names that come immediately to mind when it comes to nations conducting attacks. There is no reason to believe that Northern Ireland could not suffer a similar attack. Many employees regularly access control systems remotely, leaving the door open for breaches. These mission-critical systems are also often the last to be patched. The prevalence of cyberespionage is starting to increase in the public consciousness, and we can expect to see rogue nations come looking for our data or to wreak havoc in our systems. Countries have always fought against rival governments, and they will use every means possible to get what they want. The US government, for one, has admitted to working on offensive and defensive cyber war systems. Unfortunately, the problem with any malware attack is that once it is discovered (and inevitably we can expect this to be the case), the enemy will be able to analyse the code and repurpose it for their own attacks. In fact, it seems that the success of these newer strains of malware is due to their modular nature. It is entirely possible that any of these were initially released as a smaller, focused piece of malware doing a single task; once that was deemed a success, more features may have been added until they reached the state in which we find them today.
It is difficult to predict how attacks will evolve. The clever ones in the future will exhibit behaviour we simply had not predicted. One thing we can anticipate is that they will most likely continue to 'phone home'. That is, all these sophisticated malware systems tend to encrypt their 'calls out' to secret servers where they upload their data, but they disguise the IP addresses of the command and control servers very well with sophisticated algorithms, so by peeking into the code it is not obvious where they send that data. They basically generate domain names dynamically, on the fly. At specific times in the future, the 'bad guys' register new domains so that these systems can send the data out. They will also continue to use anonymising proxies, which hide the data trail. This makes it very hard for the authorities to trace.
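One defensive counterpart to the 'phone home' behaviour described above, as an added example that is not part of the original article: a heuristic that flags machine-generated-looking domain names in DNS query logs and groups them by client, since a burst of such lookups from one host is a stronger signal than a single odd name. The log lines, the suffix list and the thresholds are constructed assumptions, not published values.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not real telemetry): "<timestamp> <client> <queried name>".
SAMPLE_DNS_LOG = """\
2017-10-09T08:00:01Z 10.0.0.12 www.nidirect.gov.uk
2017-10-09T08:00:02Z 10.0.0.12 cdn.example.net
2017-10-09T08:00:03Z 10.0.0.41 xk3qz9vbt7w2plm.com
2017-10-09T08:00:04Z 10.0.0.41 q8wj2ndf6hzk4ry.net
2017-10-09T08:00:05Z 10.0.0.41 p0lmx7ct3bvn9sa.org
2017-10-09T08:00:06Z 10.0.0.77 mail.ulster.ac.uk
"""

# Assumption: tiny hand-made set of two-label public suffixes; real code would use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"gov.uk", "ac.uk", "co.uk", "org.uk"}

def registrable_label(qname):
    """Return the label an attacker actually registers (e.g. 'nidirect' for www.nidirect.gov.uk)."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s):
    """Bits of entropy per character; random-looking strings score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def is_dga_like(qname, min_len=12, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic: long, high-entropy, vowel-poor registrable labels look machine-generated (thresholds are tunable assumptions)."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def suspicious_clients(log_text, min_hits=3):
    """Group DGA-like lookups by client and keep only hosts that made at least min_hits of them."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+(\S+)$", line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        _ts, client, qname = m.groups()
        if is_dga_like(qname):
            hits[client].append(qname)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}
```

Running `suspicious_clients(SAMPLE_DNS_LOG)` on the constructed log flags only 10.0.0.41, which queried three high-entropy names in a row while the other hosts resolved ordinary domains.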
Governments should also be careful as to how our national critical infrastructure systems are connected to the internet (or whether they should be at all). Cyber-attacks generally come in two forms: one against data, the other against control systems. Theft and corruption of data leads to services being sabotaged, and this is the most common form of internet and computer attack. Attacks which focus on control systems are used to disable or manipulate physical infrastructure. For example, electrical networks, railroads or water supplies could be infiltrated to have a wide negative impact on geographical areas. This is done by using the internet to send data or by penetrating security systems. Countries are beginning to set up cyberspace network operations centres which include internet service providers and computer hardware and software developers. Their task is to develop secure technology such as intelligence analysis software which will be capable of sifting through and analysing existing data, both public and private, in order to uncover suspicious activity. They have found that they cannot continue to rely on smaller commercial organisations to do this on their own. Governments could do likewise.
We must be aware that modern networks were not designed with security in mind. What we have in place at present is a series of sticking plasters designed to allow e-commerce and online communications to take place in a functional manner for the most part. In summary, hackers are using increasingly clever methods and tools to attack national infrastructure systems. National safety is now at risk. The reason this risk exists is that the internet offers little or no regulation, potentially huge audiences, anonymity of communication and a fast flow of information.