Critical lessons for cyber security
What have we learned from the latest TalkTalk cyber-attack? Well, this was the third attack in the past 12 months, and this time they struck the jackpot.
I’m sure organizations who have been subject to a cyber-attack look at where they could be vulnerable, bringing in new policy and practice in order to prevent further attacks. This was probably the case here too, yet, cyber-attacks continue to prevail across the business landscape. Today’s cyber attackers are in it for the long game. The days of a quick bit of web defacement are long gone – today it’s all about money. Hackers know that if you can infiltrate the infrastructure then you can develop a long lived attack.
Today’s organizations, especially large, global organizations, have infrastructures which are hugely complicated, with many hundreds, if not thousands, of applications within them. Ensuring they are all free from vulnerabilities is more than a full-time job. Applications which were seemingly ‘secure’ can turn into nightmares overnight. In the case of TalkTalk, a ‘simple’ SQL injection attack was used: a code injection technique in which attacker-supplied input is incorporated into a database query, used against data-driven applications. SQL injection has been around for a long time, but applications are seldom re-developed in the light of new threats – I suspect this was the case here. There are also issues around infrastructure when it is supplied by third parties; if the organization owns the infrastructure itself, scouting around to find weaknesses is relatively simple.
Usually this type of attack involves a lone application which slipped through the re-development net, but it can often lead to dire consequences. Re-developing an application is costly, but this is what needs to be done to ensure that if it builds a SQL statement, the statement is parameterized so that user-supplied input cannot alter its structure.
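To make the point concrete, the following is an added example (not code from the original article or from TalkTalk) showing the two ways of building the query the article describes. The table, rows and attacker payload are constructed for the demonstration; the hardened version passes the input as a bound parameter so the database never parses it as SQL.

```python
import sqlite3

# Constructed sample data: a small customer table of the kind an SQL injection
# attack targets. None of this reflects any real system.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, phone) VALUES (?, ?)",
        [
            ("alice@example.com", "01234 000001"),
            ("bob@example.com", "01234 000002"),
            ("carol@example.com", "01234 000003"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Builds the SQL statement by string concatenation: whatever the caller
    # supplies becomes part of the query text, so a quote in the input ends
    # the literal and the rest is executed as SQL.
    sql = "SELECT email, phone FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    # The statement text is fixed; the value travels separately as a bound
    # parameter and can only ever be compared as data, never parsed as SQL.
    sql = "SELECT email, phone FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed attacker payload: closes the string literal and appends a
# condition that is always true, turning a one-row lookup into a table dump.
PAYLOAD = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        # Normal use: both forms return the single matching row.
        "vulnerable_normal": lookup_vulnerable(conn, "alice@example.com"),
        "parameterised_normal": lookup_parameterised(conn, "alice@example.com"),
        # Injection: the concatenated query returns every customer ...
        "vulnerable_attack": lookup_vulnerable(conn, PAYLOAD),
        # ... while the parameterised query looks for an email address that
        # literally equals the payload and finds nothing.
        "parameterised_attack": lookup_parameterised(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) {rows}")
```

The structural difference is the whole fix: `lookup_vulnerable` hands the database a different statement for every input, whereas `lookup_parameterised` always hands it the same statement and only the bound value changes. Re-developing an application to eliminate this class of attack means finding every place it concatenates input into SQL and converting it to the second form; input filtering on top of that is useful defence-in-depth but is not a substitute.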
Where do you begin?
For organizations who have been hacked, the challenge is knowing whether the systems are now truly clean – all the malware has been truly removed, and is not just dormant, to be awakened in 6 months’ time opening another back door.
Protection needs to be kept up to date to ensure that it remains effective, and unfortunately there is no silver bullet, no single solution that keeps information secure wherever it is. For this reason, defence-in-depth is still the only way to go about protecting critical information.
There are three fundamentals:
- Keep the bad stuff out: This comprises a number of different technologies: anti-virus, zero-day threat protection, sandboxing, whitelisting, and intrusion detection and prevention, to name the most popular. For many organizations a complete suite is not affordable, so picking the most cost-effective is important. However, these technologies won’t prevent the malicious insider, who is already inside.
- Watch for the intruders inside: Deep packet inspection, behavioural analysis and event correlation all fit into this category, and these can be expensive, although event correlation is becoming more mainstream and affordable for medium-sized enterprises. As with behavioural analysis, the cost of the solution is not the expensive part; it is the expertise needed to do the analysis and to spot the anomalies which need to be investigated. It’s not dissimilar to finding a needle in a haystack.
- Mitigate and Educate: This is where Data Loss Prevention (DLP) solutions provide the cornerstone. The next generation of DLP, Adaptive-DLP, understands the needs of today’s organizations and their changing business practice and can adapt how the information is handled based on the context of the request. So, if the request is to send critical information in a file through email, it might encrypt it. You are only as strong as your weakest link, and in many cases the weakest links are the people: people make mistakes, it’s only human. Adaptive-DLP can be used to mitigate the impact of an employee mistake; it can also be used to help employees learn about policies and policy changes.
Good information security requires vigilance
Never should you set-and-forget policies; it is about constantly looking at new attacks and ensuring that they will not be effective against the applications and the critical information that is held. There have been calls for the government to do more in the light of recent attacks, but it is up to organizations to take responsibility for the information they hold and for the applications and people who access it. While the government can promote awareness and offer advice, organizations need to heed the warnings and do something about it themselves. In cyber-security, there is no pause button.
By Dr. Guy Bunker @guybunker