Lessons From The Cyber Front Line

Very few weeks go by without news of another cyber attack or data breach and a quick scan of the BBC news website shows that in most months, there is at least one story that makes the national news headlines. While just a few years ago, many cyber attacks would go unnoticed by the public and quietly swept under the carpet, legal requirements to report breaches along with the power of social media, means that the world gets to know about them.

Like most news, today’s headlines are tomorrow’s chip paper, but for those directly involved it lives on for a long time, while the rest of us should be looking and learning to stop the same things happening again. Below is a selection of some infamous cyber attacks for a quick refresh as to how the criminals managed to wreak havoc and how they could have been avoided. 

SolarWinds 

Very few people outside of the tech community had heard of SolarWinds before late 2019 when cyber criminals gained access to the SolarWinds' network. They spent some time moving around and investigating the network landscape before testing a malicious code injection into the Orion Platform - a network management system used by government organisations and businesses to manage their IT resources. In February 2020, the code known as Sunburst was let loose and the following month, SolarWinds unknowingly sent out Orion software updates, which included the Sunburst malware.

This massive supply-chain attack was installed by more than 18,000 organisations, enabling the attackers to access SolarWinds' customers' IT systems. From that point, they were able to install further malware so they could spy on target organisations and cause major problems. According to SolarWinds, the attack, recovery and ensuing fallout cost $40 million in the first nine months of 2021, while a survey of IT decision makers across SolarWinds customers found that the average financial impact of the attack was 11% of annual revenue or about $12 million per company.

Travelex 

In December 2019, the Travelex foreign exchange company was targeted by the REvil ransomware group. The hacker group encrypted Travelex's network and made copies of 5GB of personal data. If Travelex didn't pay the ransom, they threatened to publicly publish the data. It's likely the cyber criminals were lurking on Tavelex's network before initiating their ransomware, having gained access via an unpatched VPN (Virtual Private Network). Travelex reportedly paid around $2.3M in ransom and the combination of business disruption plus the COVID-19 pandemic forced the world’s largest foreign exchange bureau into administration.

Equifax

For two months during 2017, the American credit bureau Equifax was subject to a massive data theft, where information relating to millions of customers was stolen. The company was initially hacked through a consumer complaint web portal, with the cyber criminals making use of a widely known vulnerability that should have been patched but, due to failures in Equifax's internal processes, wasn't.

The attackers were then able to move to other servers, due in large part because they were able to find usernames and passwords stored in a plain text file that then allowed them access. Data was pulled out of the network over a long period of time so that no large data movements could be detected. In total, the hackers stole the personal information of 147.7 million Americans from 48 Equifax servers over 76 days, before they were detected. The information was also encrypted by the cyber criminals so that its theft was not spotted.

The subsequent financial impact on the organisation has been massive, not to mention the jail term for the CIO who sold $950,000 worth of company shares before the data breach became public knowledge. In February 2020, the U.S. Department of Justice announced charges against four Chinese military-backed hackers in connection with carrying out the attack.

Edward Snowden – the inside job

In 2013, the now infamous Edward Snowden pilfered documents from America’s NSA and gave them to journalists - and probably governments - in an effort, he claims, to expose the U.S. government spying apparatus. According to cyber firm Venafi, as an administrator, Snowden was able to create digital certificates and cryptographic keys undetected by the NSA. Using these keys, he was able to gain access to systems and then locate the files he wanted to steal. 

For exfiltration, Snowden transferred the data over encrypted channels to his own external file share using self-signed certificates. So as far as the NSA was concerned, these signed transmissions were safe and authorised and allowed to pass unquestioned. He was able simply to copy data from the network to removable drives.

NHS 111

Most recently, in August 2022, a cyber attack on NHS supplier Advanced, the firm which provides digital services for NHS 111, targeted the system used to refer patients for care, including ambulances being despatched, emergency prescriptions and out-of-hours appointment bookings. 

The attack was reportedly due to ransomware, thought to have been the result of phishing. Once the ransomware had been inadvertently executed, it may have been operating in the background, exfiltrating data before attackers disabled systems in the network, alerting the company to the attack.

Lessons Learned?

For SolarWinds, since software such as Orion is built using components from multiple sources, a Software Bill of Materials (SBOM) should have been used. This is a way in which all the components may be listed and checked so that rogue components can quickly be identified and removed. In addition, keeping all source code encrypted on a per-file, per-user basis would have blocked any unauthorised hacker from being able to access code files.

In the case of Travelex, patching the VPN would have been a significant block to the cyber criminals, but the ransomware could easily have been deployed using other techniques such as phishing. An ‘allowlisting’ approach to application control would have blocked the ransomware, no matter how well it had been disguised. Application control, which uses allowlisting ensures that a system will only run processes that are on the authorised allowlist. All other processes are blocked. In a business environment, we know exactly what should be running on a machine, so this approach is both simple and highly effective. For SolarWinds customers, the deployment of application control which uses allowlisting would have prevented the attackers from running the malware which they installed after having gained access to each customer’s network.

In the case of Equifax, the consumer complaint web portal should of course have been patched, and no administrator or any other user should have stored usernames and passwords in a freely accessible file. While in most organisations it is highly unlikely that the whole series of errors would all happen, we all make mistakes. Systems cannot always be patched immediately because of conflicting system dependencies; and users - and administrators - sometimes do unexpected things. 

All these examples show the need for comprehensive off-network backups and better cyber security training, but also that we should always assume that a cyber criminal may always gain network access.

So, it’s important to protect the data itself. This means all of the data all of the time, no matter where it is stored or copied. Using file-level encryption to encrypt all data everywhere, the Equifax data breach would have resulted in a story which lasted just a few days, rather than years. If all their data had been encrypted so that when exfiltrated, it remained encrypted, the attackers would have stolen terabytes of completely useless data.

The same approach would have thwarted Snowden. If the encryption system provides each user with their unique encryption key, then Snowden would have been able to do his job - even moving files around - but completely unable to decrypt and access the information.

20:20 hindsight is a wonderful thing but if we are going to gain anything from these cyber attacks, we need to learn from them and look at new ways of protecting our data and not simply carry on building up more layers of defence to prevent people from getting in. 

Nigel Thorpe is Technical Director at SecureAge

You Might Also Read: 

Who Can You Trust With Your Data?:

 

« Why Companies Need A Next-Gen Approach To Business Continuity
Modernising SecOps: It’s Time To Unpick The Complex Matrix »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Tiro Security

Tiro Security

Tiro Security is a boutique company specializing in information security and IT audit recruitment and solutions.

Seceon

Seceon

Seceon OTM, is a cyber security advanced threat management platform that visualizes, detects, and eliminates threats in real time.

Aves Netsec

Aves Netsec

Aves is a deceptive security system for enterprises who want to capture, observe and mitigate bad actors in their internal network.

Cybraics

Cybraics

Cybraics nLighten platform implements a unique and sophisticated artificial intelligence engine that rapidly learns your environment and alerts security teams to threats and vulnerabilities.

Fornetix

Fornetix

Fornetix is a cybersecurity platform enabling Zero Trust while delivering critical encryption automation, access controls, authorization services, machine identity, and ICAM solutions,

Cyxtera Technologies

Cyxtera Technologies

Cyxtera offers powerful, secure IT infrastructure capabilities paired with agile, dynamic software-defined security.

Achtwerk

Achtwerk

Achtwerk manufacture the security appliance IRMA for critical infrastructures and networked automation in production plants.

IPQualityScore (IPQS)

IPQualityScore (IPQS)

IPQS anti-fraud tools provide a real-time fraud score to analyze how likely a user or visitor is to engage in fraudulent behavior.

Sphonic

Sphonic

Sphonic provides regulated institutions of any size a powerful compliance & risk platform to quickly and securely onboard new customers and manage ongoing AML and Fraud & Risk trends.

SITA

SITA

SITA is a multinational information technology company providing IT and telecommunication services to the air transport industry including vulnerability assessments and managed security services.

Voxility

Voxility

Voxility provides Infrastructure-as-a-Service in the biggest Internet hubs in the world.

MCPc

MCPc

MCPc improves the security and well-being of our clients. We protect data, manage the complexity and sustainability of technology, empower employee performance, and ultimately reduce business risk.

WheelHouse IT

WheelHouse IT

WheelHouse IT secures, manages, and advances businesses with innovative, cost-effective IT solutions.

Paperclip

Paperclip

Paperclip provides paperless solutions while enabling compliance and security for the exchange of critical content.

Dion Training Solutions

Dion Training Solutions

Dion Training Solutions offer comprehensive training in areas such as project management, cybersecurity, agile methodologies, and IT service management.

Baidam Solutions

Baidam Solutions

Baidam Solutions is a 100% Australian owned and operated First Nations information technology business.