Having attended a couple of defence-focused cyber security events on either side of the pond recently, it is always interesting to hear how differently a cyber breach is viewed. In the commercial world, data loss is a reputational and financial disaster, with large fines imposed on organisations; for the defence industry, a data breach really can mean that lives are put at risk.
Not only are the various departments of defence responsible for the security of their respective nations, they are also significant employers. In the USA, the DoD is America's largest employer, with 1.3 million employees. In the UK, the MoD is the eighth largest government department (the NHS takes the top spot), and it is a similar story in Australia. The type of data held by defence sector organisations makes them an even more lucrative target for attackers, so the consequences of a major breach could be catastrophic. Whatever the size of the organisation or department in the sector, cyber defences must be a top priority, and must be continually revisited to keep up with evolving technology.
Communications today are far less controlled than they once were; the ubiquity of the smartphone and the Internet of Things (IoT) means that cyber security has to be constantly re-evaluated. Who would have thought that an exercise tracker could be used to map a defence base? Yet the high-profile Strava case, in which the fitness app's published heatmap of aggregated user activity revealed the location and perimeter of military bases, showed how easily data synced to the cloud is overlooked as a security concern. We have also seen the location metadata (EXIF GPS tags) embedded in smartphone pictures posted to social media have devastating consequences.
Cyber-attackers are becoming increasingly sophisticated and look at every new technology with a view to how it can be exploited. So, while thinking about modern technology that has had unintended security consequences, here are some other cases that do not get the consideration they deserve:
You may not have realised the threat a multi-function printer can pose to the security of an organisation. This is not about the print function (which has always been a potential threat: don't leave sensitive documents behind after a meeting!) but about the ability to scan a document to a PDF file, which is then sent by email. A scanned PDF is, in effect, a set of page images inside an otherwise empty document: there is no text layer. Traditional data loss prevention (DLP) technology matches its rules against the electronic text found in a document and ignores images, so a scanned PDF sails through. Images containing sensitive data are not limited to multi-function printer scans; screenshots from computers and photographs of documents taken on smartphones have exactly the same effect.
To mitigate this risk, organisations need to look at optical character recognition (OCR) technology, which analyses images and extracts the text. That text can then be treated in the same way as any other text and protected by a DLP solution. Advanced DLP solutions can redact text from documents, and today's OCR-enabled DLP can redact text from images too, providing a further level of protection. The practical check is whether your DLP pipeline treats an image-only document as "nothing to inspect" (and allows it) or as "nothing inspected yet" (and sends it to OCR or holds it).
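The gap described above, as an added example that is not part of the original article or of any DLP product: two constructed, deliberately minimal PDFs (one born-digital, one "scanned"), a traditional text-layer rule that misses the scan, and a classifier that routes image-only pages to an OCR function instead of allowing them. The PDF handling is a simplification (uncompressed streams, literal strings only) written for these constructed inputs; the markings, verdict names and the OCR stand-in are assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed, deliberately minimal PDFs for this example (not real scanner
// output): xref tables are omitted and streams are uncompressed.
// A born-digital page draws its text through a font with the Tj operator,
// so the words exist as bytes a DLP engine can read.
var textPDF = []byte(`%PDF-1.4
1 0 obj << /Type /Page /Resources << /Font << /F1 2 0 R >> >> /Contents 3 0 R >> endobj
3 0 obj << /Length 67 >> stream
BT /F1 12 Tf 72 700 Td (OFFICIAL-SENSITIVE deployment roster) Tj ET
endstream endobj
%%EOF`)

// A scanned page: its only content is a full-page image XObject painted
// with the Do operator. The words are pixels, so a text-layer rule sees nothing.
var scanPDF = []byte(`%PDF-1.4
1 0 obj << /Type /Page /Resources << /XObject << /Im1 2 0 R >> >> /Contents 3 0 R >> endobj
2 0 obj << /Type /XObject /Subtype /Image /Width 2480 /Height 3508 /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 0 >> stream
endstream endobj
3 0 obj << /Length 30 >> stream
q 595 0 0 842 0 0 cm /Im1 Do Q
endstream endobj
%%EOF`)

var (
	// Literal strings passed to Tj. Simplification: no hex strings, no TJ
	// arrays, no escaped parentheses, no compressed streams; a production
	// pipeline would use a real PDF library for this step.
	tjString  = regexp.MustCompile(`\(([^)]*)\)\s*Tj`)
	imageXObj = regexp.MustCompile(`/Subtype\s*/Image\b`)
	// Constructed classification markings standing in for a real DLP rule set.
	sensitive = regexp.MustCompile(`(?i)\b(SECRET|OFFICIAL-SENSITIVE)\b`)
)

type Verdict string

const (
	Allow   Verdict = "ALLOW"
	Block   Verdict = "BLOCK"
	NeedOCR Verdict = "NEEDS_OCR"
)

// ExtractTextLayer returns the text runs a text-only DLP engine would see.
func ExtractTextLayer(pdf []byte) []string {
	var runs []string
	for _, m := range tjString.FindAllSubmatch(pdf, -1) {
		runs = append(runs, string(m[1]))
	}
	return runs
}

// HasImageXObject reports whether the document embeds at least one image.
func HasImageXObject(pdf []byte) bool { return imageXObj.Match(pdf) }

// NaiveTextDLP is the traditional check: inspect the text layer only.
func NaiveTextDLP(pdf []byte) Verdict {
	if sensitive.MatchString(strings.Join(ExtractTextLayer(pdf), "\n")) {
		return Block
	}
	return Allow
}

// Classify closes the gap: a page with images but no text layer is handed to
// ocr (any function returning the recognised text); with no OCR configured it
// is flagged rather than silently allowed.
func Classify(pdf []byte, ocr func([]byte) string) Verdict {
	text := strings.Join(ExtractTextLayer(pdf), "\n")
	if strings.TrimSpace(text) == "" && HasImageXObject(pdf) {
		if ocr == nil {
			return NeedOCR
		}
		text = ocr(pdf)
	}
	if sensitive.MatchString(text) {
		return Block
	}
	return Allow
}

func main() {
	// Stand-in for an OCR engine: returns what the constructed scan "shows".
	fakeOCR := func([]byte) string { return "OFFICIAL-SENSITIVE deployment roster" }
	fmt.Println("born-digital, text-only DLP:", NaiveTextDLP(textPDF))
	fmt.Println("scan, text-only DLP:        ", NaiveTextDLP(scanPDF))
	fmt.Println("scan, no OCR configured:    ", Classify(scanPDF, nil))
	fmt.Println("scan, OCR in the loop:      ", Classify(scanPDF, fakeOCR))
}
```

The point to take from the two verdicts on `scanPDF` is that "no text found" must never be the same outcome as "no sensitive text found"; in a real deployment the OCR hook would call an engine such as Tesseract on the rendered page images.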
Systems are locked down. Access is tightly controlled. Backups are secured. Umm... are they? As smartphones have got smarter, they have 'helped' the average user by backing themselves up to the cloud. The idea is that if the phone is lost or stolen, not all the data is gone forever; it can be readily restored to a new device. While this is great for individuals, it poses a risk for organisations, especially those that need to control all types of sensitive information.
As mentioned earlier, the Strava incident in 2018 showed the ramifications of personal data being synced to a cloud service and aggregated. More mundanely, for organisations that deliver email to users' devices, the default setting on many phones uploads data such as contacts to the individual's personal cloud storage (and hence backs it up there). This creates risk should that personal account be compromised, and has wider ramifications when regulations such as GDPR are taken into account.
When employees are permitted to download and install new apps without the knowledge of the IT department, they can inadvertently grant access to everything from the device's camera and microphone to its contacts, without realising the potential consequences. The La Liga app case, in which the football league's official app used fans' microphones and location to detect bars showing matches without a licence, highlighted how easily a device can be put to purposes its owner never intended. More recently, a number of applications escaped the eagle eyes of the app stores and were hosted for all to download despite their malicious content.
Mobile devices are frequently attached to corporate devices and networks without any understanding of what the installed apps have been granted access to. To mitigate this risk, only applications that have been thoroughly vetted (what permissions they request, what they do with them, and where they send data) should be allowed onto devices that touch the network. There is no need to stop the use of personal mobile devices altogether, but employees must be educated on the risks of BYOD and of downloading apps that require access to both information and the network.
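One concrete vetting step for the permissions question above, as an added example that is not part of the original article: parse an Android manifest and report every requested permission that the organisation's policy does not allow an unvetted app to hold. The manifest, the package name and the deny-list are constructed for the example (the permission strings themselves are real Android names); a real APK carries its manifest as binary XML, so it would be decoded first with a tool such as apktool before this check runs.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
)

// Constructed manifest for a hypothetical fitness app. Real APKs store this
// file as binary XML; decode it (e.g. with apktool) before vetting.
const sampleManifest = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fitness">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Fitness">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>`

// The android: prefix resolves to this namespace, so the attribute is
// matched by namespace URL rather than by prefix.
type permission struct {
	Name string `xml:"http://schemas.android.com/apk/res/android name,attr"`
}

type manifest struct {
	Package string       `xml:"package,attr"`
	Perms   []permission `xml:"uses-permission"`
	Sdk23   []permission `xml:"uses-permission-sdk-23"` // runtime-only requests on API 23+
}

// Corporate policy (an assumption for the example): permissions that reach
// sensors or personal data an enterprise would not hand to an unvetted app.
var denied = map[string]string{
	"android.permission.CAMERA":               "camera",
	"android.permission.RECORD_AUDIO":         "microphone",
	"android.permission.READ_CONTACTS":        "contacts",
	"android.permission.ACCESS_FINE_LOCATION": "precise location",
	"android.permission.READ_SMS":             "text messages",
}

// Report lists the denied permissions an app actually asks for.
type Report struct {
	Package string
	Flagged []string // sorted for stable output
}

func (r Report) Approved() bool { return len(r.Flagged) == 0 }

// Vet parses the (decoded) manifest and applies the policy to every
// permission request, including the sdk-23 variant that is easy to forget.
func Vet(manifestXML string) (Report, error) {
	var m manifest
	if err := xml.Unmarshal([]byte(manifestXML), &m); err != nil {
		return Report{}, err
	}
	r := Report{Package: m.Package}
	for _, p := range append(m.Perms, m.Sdk23...) {
		if reason, bad := denied[p.Name]; bad {
			r.Flagged = append(r.Flagged, p.Name+" ("+reason+")")
		}
	}
	sort.Strings(r.Flagged)
	return r, nil
}

func main() {
	r, err := Vet(sampleManifest)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s approved=%v\n", r.Package, r.Approved())
	for _, f := range r.Flagged {
		fmt.Println("  needs review:", f)
	}
}
```

A manifest review only tells you what an app may do; the "where does the data go" half of vetting still needs network observation of the app under test, which this check does not replace.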
For many years there has been a mantra about regularly patching applications, or installing the latest version, to ensure security issues are fixed. Checks are made that the update has been appropriately signed and is therefore bona fide. Alas, cyber-attackers have realised this and have figured out how to exploit it with fake updates and compromised or stolen code-signing certificates: a signature that validates proves only that someone holding a trusted key signed the file, not that the file came from the vendor. These attacks resemble the familiar prompt to install an update or browser plug-in, where the employee automatically clicks 'OK' because it appears to come from a reputable site. With reportedly almost half of all cyber security incidents in the last year caused by internal error, it is not difficult to imagine an employee unintentionally downloading and installing a malicious update that in turn compromises the entire network.
One mitigation is to allow updates only from authorised sources (which may be hosted internally), but unfortunately not all organisations can do this. Furthermore, when work-from-home policies are in place, employees take their devices home and connect to their own internet for updates, which bypasses the restrictions of their organisation's network. Education is needed to ensure employees are as aware of this kind of threat as they are of phishing and other attacks. However, this then needs to be backed up with appropriate technology: pinning the expected signing key rather than trusting any valid signature, and restricting update sources in the client itself rather than only at the network edge, so the policy travels with the device. Technology is the last line of defence, enforcing policies and ultimately keeping people, the organisation and its information safe.
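The two client-side controls above, as an added example that is not part of the original article or of any vendor's updater: an update manifest signed with Ed25519, an updater that pins the vendor's release key and an allow-list of update hosts, and an attacker-signed manifest whose signature is perfectly valid under the attacker's own key yet is refused. The manifest format, the host name and the package bytes are assumptions constructed for the example; the keys are generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest is what the updater fetches before downloading a package.
// Every field is covered by the signature so none can be swapped in transit.
type UpdateManifest struct {
	Product string
	Version string
	URL     string // where the package is served from
	SHA256  string // hex digest of the package bytes
}

// canonical fixes field order and separators so signer and verifier hash
// exactly the same bytes.
func (m UpdateManifest) canonical() []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

func Sign(priv ed25519.PrivateKey, m UpdateManifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

var (
	ErrSource = errors.New("update source not on the approved list")
	ErrDigest = errors.New("package digest does not match manifest")
	ErrSigner = errors.New("manifest not signed by a pinned release key")
)

// Policy is the updater's trust configuration: the release keys it pins and
// the hosts it will fetch from. Both travel with the client, so they still
// apply when the device updates over a home connection.
type Policy struct {
	PinnedKeys   []ed25519.PublicKey
	AllowedHosts map[string]bool
}

// Verify enforces source, integrity and signer, in that order.
func (p Policy) Verify(m UpdateManifest, sig, pkg []byte) error {
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || !p.AllowedHosts[u.Host] {
		return ErrSource
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigest
	}
	// A signature that verifies under *some* key proves nothing; only the
	// keys this organisation pinned count.
	for _, k := range p.PinnedKeys {
		if ed25519.Verify(k, m.canonical(), sig) {
			return nil
		}
	}
	return ErrSigner
}

// ManifestFor builds the manifest a release process would publish for pkg.
func ManifestFor(product, version, src string, pkg []byte) UpdateManifest {
	sum := sha256.Sum256(pkg)
	return UpdateManifest{Product: product, Version: version, URL: src, SHA256: hex.EncodeToString(sum[:])}
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerPub, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	policy := Policy{
		PinnedKeys:   []ed25519.PublicKey{vendorPub},
		AllowedHosts: map[string]bool{"updates.example.internal": true}, // assumed internal mirror
	}

	pkg := []byte("constructed package bytes v2.1.0")
	good := ManifestFor("agent", "2.1.0", "https://updates.example.internal/agent-2.1.0.pkg", pkg)
	fmt.Println("vendor-signed:", policy.Verify(good, Sign(vendorPriv, good), pkg))

	// The attacker's manifest carries an internally valid signature...
	mal := []byte("constructed malicious package")
	fake := ManifestFor("agent", "2.1.1", "https://updates.example.internal/agent-2.1.1.pkg", mal)
	fakeSig := Sign(attackerPriv, fake)
	fmt.Println("attacker signature self-consistent:", ed25519.Verify(attackerPub, fake.canonical(), fakeSig))
	// ...but not from a pinned key, so the updater refuses it.
	fmt.Println("attacker-signed:", policy.Verify(fake, fakeSig, mal))
}
```

The same logic applies to certificate-based code signing: verify the chain, then additionally compare the leaf's public key or subject against a pinned value, so that a certificate issued to an attacker by the same CA (or a stolen vendor key that has since been revoked) does not pass simply because the signature checks out.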
Above and beyond
Security incidents are not limited to a specific size or type of organisation. Defence organisations hold critical information, both operational and about their people, and both are targets for cyber-attackers. However, it is the people, and the changes in working and leisure practices in combination with new technology, that need the closest scrutiny. Defence organisations must go above and beyond to educate their employees on the importance of cyber security and on what they can do to mitigate risks.
Employees must be confident of the day-to-day processes to follow in order to avoid risk, and of what to do if they spot an issue. An evolving approach to cyber security must include all employees and the third parties in the information supply chain, in order to ensure the security of both people and nations, looking beyond the usual threats and into the mind of the cyber-attacker.
To learn more about cyber security and how your business can stay protected from threats, visit the Cyber Essentials Online website.