On Tuesday afternoon, a new ransomware cyber attack was reported to have hit a variety of companies and infrastructure in Russia and Eastern Europe. By Tuesday evening, it had spread globally, affecting multinational companies, government organisations and yet more infrastructure.
By contrast, a small but ‘sustained’ cyber attack was launched on the UK’s Palace of Westminster on Friday 23rd June. According to officials, hackers mounted a ‘determined attack’ on infrastructure central to British democracy ‘in an attempt to identify weak passwords’. To limit the spread of the attack, security authorities were forced to disable remote access to the emails of MPs, peers and their staff. But as the previous ransomware attack, WannaCry, demonstrated with devastating effect, any and all organisations are targets for attack, not just those at the centres of democratic power.
The WannaCry attack on the NHS left hospitals and clinics without the means to treat patients, with some turning patients away at the door. A hallmark of a devastating cyber attack is that it raises more questions than answers, and this onslaught did just that. What could motivate someone to carry out such a widespread and dangerous attack? Who might have the technology to carry it out on such a scale? And perhaps most worryingly, could it set a precedent for cyber attacks to come?
As part of its new DIGIT LEADERS series, DIGIT spoke to Gerry Grant, Chief Ethical Hacking Consultant for the Scottish Business Resilience Centre Ltd to investigate what these ongoing internet-based threats could mean for businesses, organisations and individuals.
Gerry noted that as digital breaches carry deeper real-life consequences, even networks that do not look like obvious targets for hackers can be profitable to attack. He explained: “Hackers are no longer just the stereotypical teenager in a hoodie sitting in their bedroom looking to cause mischief. Criminal gangs have spotted the opportunity to extort money and steal company secrets.
“Although it may appear on the face of it that attacking critical infrastructure offers no financial gain, the details stolen can lead to extortion of the victims. In the example of WannaCry which caused severe disruption to parts of the NHS, the attackers were looking for financial payment in order to allow the systems to be restored. The recent attack on Parliament where an attacker was trying to access the email of staff within Parliament could potentially lead to the extortion or blackmail of the individuals that have had their accounts compromised.”
Gerry went further, explaining that sophisticated cyber attacks can go beyond criminal groups and financial motives. He said: “Nation states are always looking for ways in which to gain an advantage over each other and are not entirely innocent when it comes to attacking computer systems, particularly infrastructure. Researchers investigating a cyber attack on a Ukrainian power station in December 2016 have attributed the attack to Russia. The ‘Stuxnet’ virus, which was a very complex virus that searched for and attacked Iranian nuclear facilities, is widely thought to be the work of the Americans and Israelis.
“I think that Q from the film Skyfall summed it up nicely when meeting James Bond. He said, ‘I can do more damage on my laptop sitting in my pyjamas before my first cup of Earl Grey than you can do in a year in the field.’”
But Gerry explained that systems crucial to infrastructure are like cogs in a running machine: they cannot simply be pulled out and replaced without stopping everything around them. He said: “We need to think carefully regarding the infrastructure of these systems. Many of these systems use bespoke software and hardware and the lifecycle of these needs to be considered. It can be difficult to update some of the systems that are attached to critical infrastructure since they cannot be easily ‘switched off’ without causing disruption. We need to not only plan the initial installation of these systems, but think about how they can be updated and modified in the future to prevent attack.”
“More money is now being invested in cyber security, particularly with regards to infrastructure. We need to educate users on the dangers and how they can help prevent attacks.”
Gerry explained that alongside investment, education was needed to ensure that networks remain secure. He said: “The user is commonly called the weakest link in any cyber security system and to a point this is true. However, they are also the last line of defence. The use of weak passwords is still all too common and phishing emails are becoming more sophisticated over time. Organisations spend a lot of time and money training staff on the vast array of Health & Safety regulations – fire drills, for example.”
But, as Gerry explained, not enough emphasis was put on explaining and re-explaining the ever-evolving threats so present in the digital world. He continued: “How much emphasis do we place on training staff on simple cyber security measures such as spotting phishing emails and the consequences of clicking on malicious links? How much time do we spend on training staff on what to do in the event of a cyber attack, or what to do if they think that they may have accidentally downloaded a malicious file? Organisations probably mention these at induction, but is training ongoing?”
“Many staff feel a false sense of security at work, as the IT department will sort out any problem, or all the email that arrives in their inbox must be genuine as the IT department will have procedures in place to prevent phishing emails. This is true to a certain extent, but there will always be phishing emails that still slip through the net. This isn’t the fault of the IT department or their tools, it’s just that these attacks are becoming more sophisticated.”
Gerry noted that simple changes to careless habits could make all the difference when it comes to threats, both internal and external. He said: “All too often we still see people in offices sharing passwords or leaving them written on a post-it note on their monitors. Again, education can help to prevent this. We have been told for years to create complex passwords that contain letters, numbers and symbols. The issue with complex passwords is that they are difficult to remember.
“Better advice, in my opinion, is to educate users to create long passwords. Passwords that are 15-20 characters long take much more effort and time to brute force than passwords that are 8 characters long. Long passwords need not be complicated – they could be three or four words (but not the names of children or pets etc.), separated by special characters.
“We need to educate users on tools like password managers to help prevent the reuse of passwords across other accounts.”
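The comparison above between 8-character complex passwords and 15-20 character passphrases can be made concrete. The following is an added worked example, not code from the article or from the Scottish Business Resilience Centre, and its attacker model is an assumption: a guess rate of 10 billion guesses per second against a fast unsalted hash, and a 7,776-word list (the size of the standard Diceware list) that the attacker knows the passphrase was drawn from. It estimates the work for the cheaper of two attacks, character brute force and word-list guessing, so it also shows the caveat that a three-word passphrase from a known list can be weaker than an 8-character complex password, while four words is already stronger.

```python
import math
import re
import string

# Assumed attacker capability (an assumption for this example, not from the
# article): roughly 1e10 guesses/s, as a GPU rig achieves against fast hashes.
GUESSES_PER_SECOND = 1e10

# Assumed passphrase word list known to the attacker: 7,776 words, the size of
# the standard Diceware list (the article names no list; this is an assumption).
WORDLIST_SIZE = 7776

# Separators an attacker would try between words.
SEPARATORS = "-_.!, "


def charset_size(pw):
    """Size of the alphabet an attacker must brute-force, inferred from the
    character classes actually present in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation + " " for c in pw):
        size += 33  # 32 ASCII punctuation characters plus space
    return size


def split_words(pw):
    """Return the word list if pw looks like two or more alphabetic words
    joined by separators, otherwise None."""
    parts = re.split(r"[-_.!, ]", pw)
    if len(parts) >= 2 and all(p.isalpha() for p in parts):
        return parts
    return None


def search_space_bits(pw):
    """Bits of work for an attacker who knows how the password was built.

    Model A: brute force over the observed character classes.
    Model B (passphrases only): words^n * separators^(n-1).
    The attacker picks whichever is cheaper, so return the minimum.
    """
    brute = len(pw) * math.log2(charset_size(pw))
    words = split_words(pw)
    if words is None:
        return brute
    n = len(words)
    phrase = n * math.log2(WORDLIST_SIZE) + (n - 1) * math.log2(len(SEPARATORS))
    return min(brute, phrase)


def expected_crack_seconds(pw):
    """Average time to find the password: half the search space at the
    assumed guess rate."""
    return 2 ** search_space_bits(pw) / 2 / GUESSES_PER_SECOND


if __name__ == "__main__":
    # Constructed sample passwords illustrating the article's advice.
    for pw in ["P@ssw0rd", "red-blue-green", "correct-horse-battery-staple"]:
        bits = search_space_bits(pw)
        days = expected_crack_seconds(pw) / 86400
        print(f"{pw:30} {len(pw):2d} chars  {bits:5.1f} bits  ~{days:,.1f} days")
```

Run as a script it prints the three sample passwords with their length, the attacker's cheapest search space in bits, and the expected cracking time in days under the stated assumptions.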
Gerry concluded that, beyond simple habits, Scotland will continue to develop and reaffirm itself as a world-leader in cyber security tech. He said: “Scotland is a great place for cyber security with many innovative companies leading the way. The first Scottish Cyber Awards last November showcased the talent and innovation that is out there with companies like ZoneFox. The Universities are producing excellent cyber security graduates. Abertay led the way in 2006 with the launch of the Ethical Hacking degree. The graduates of these courses are in huge demand from industry.
“The development of the proposed Cyber Hubs across Scotland will help to keep Scotland at the forefront of cyber security.”