Warning to UK Public Sector about leaky Amazon Web Services

Amazon Web Services (AWS) are currently in the news for all the wrong reasons.  Their Simple Storage Servers (S3) – known as ‘buckets’ – have been successfully targeted by hackers.  The AWS servers have been found to be alarmingly leaky, enabling the new Buckhacker search engine tool to readily access unsecured sensitive data.

AWS, as one of the UK Government’s chosen cloud service providers (GOV.UK PaaS) runs from AWS in Ireland (a UK-based hosting centre is planned for 2018) and is accredited for handling personal and confidential information classified at ‘Official’ level.

Users are able to search either by ‘bucket’ name, which may typically include the name of the company or organisation using the server, or by filename. The service collects bucket names, grabs the bucket’s index page, analyses the results and stores it in a database for others to search.  There are other tools like AWSBucketDump and according to the hackers exposed buckets can also be trawled for rich pickings with a specific Google Search.

Created by anonymous hackers, a Buckhacker developer commented:  “The purpose of the project is to increase the awareness on bucket security, too many companies were [sic] hit for having wrong permissions on buckets in the last years”.

Clearly, it is in the public sector’s interests not to risk exposure of any sensitive data (theirs or the public’s) and thus a prime consideration for any public sector organisation is to scrutinise the credentials, security performance and sovereignty badge protections of their chosen cloud provider.  Public sector organisations struggle to find funding in already tight IT budgets to defend against cyber attack, but with so many different lines of attack facing them, IT managers are having to take a risk-based approach to identify where to allocate their limited funds.

Amicus ITS Director of Technology, Security & Governance JP Norman commented:   It is worth remembering that the security of the data, no matter where it resides is the responsibility of the Data Controller in each organisation. There are ways to provide security assurance in the cloud layer that conform to the basics of Cyber Essentials. Furthermore, the right partner organisation, such as Amicus ITS, can act as a cloud broker providing proven security assurance recommendations and actions to mitigate such risks.

At Amicus ITS, we are happy to challenge the status quo as we brand ourselves are the safe pair of hands for our customers.  So with any digital transformation journey we will ensure intelligent, joined up thinking to ensure our Security and Governance views chime with those of our technical architects and sales professionals.

UK healthcare: cyber attack focus

NHS
More than 113 million patient records were stolen from hospitals and healthcare facilities around the globe as a result of security failures and cyber-attacks in 2015.

IBM’s Cyber Security Intelligence Index naming the healthcare industry as the number one attacked industry in 2015, it is no surprise that 41% of all security breaches reported to the UK’s information Commissioner’s Office (ICO) year were from the health sector.

These attacks have not only damaged the reputation of healthcare organisations but also their bank balances. The ICO has issued 11 fines amounting to £1.4 million between April 2010 and November 2015, with one NHS trust fined £325,000 for the use of unencrypted devices.

Notable cyber-attacks and security breaches in the healthcare industry
October 2016 North Lincolnshire and Goole NHS Foundation Trust (NLAG) had its systems infected with a virus that resulted in cancelling at least 35 patient operations, and other patients had to be relocated whilst the threat was dealt with.

In 2015
56 Dean Street, an NHS HIV, clinic released email addresses of 781 patients while sending out its monthly newsletter.   730 of these addresses contained the full names of the recipients. The breach was an internal error that the ICO rewarded with a £180,000 fine.

NHS-approved online pharmacy company, Pharmacy2U, sold details of more than 20,000 of its customers to marketing companies without their knowledge or consent. This breach resulted in the ICO fining the pharmacy £130,000.

Why is the healthcare industry under attack?

Better technology and the move to paper-free healthcare allows health professionals to look up and share life-saving information wherever and whenever it is needed. This is vital in improving patient care but it has brought the industry into the sights of cyber criminals.

Personal confidential data is valuable to those with malicious intent, meaning that health and social care systems will increasingly be at risk from external threats and potential breaches as technology becomes more prevalent. This has been emphasised by Lynne Dunbrack, research vice president for the International Data Corporation (IDC): “Frankly, health care data is really valuable from a cyber-criminal standpoint. It could be 5, 10 or even 50 times more valuable than other forms of data.”

Reviewing data security for the health and care industry has found that internal breaches are often caused by people finding workarounds to burdensome processes and outdated technology – and that those people may be unaware of their responsibilities.

How to stop these attacks

Step 1: Cyber Essentials certification

Cyber Essentials is the UK-Government-backed security scheme that sets out five security controls that could prevent around 80% of basic cyber-attacks, improving cyber security and preserving the reputation of the healthcare industry.

Cyber Essentials certification also demonstrates to patients, suppliers and third parties that data security is being taken seriously.  Amicus ITS works with CREST approved, cyber security organisations to ensure that your status has been independently verified by a third-party vulnerability scan.

Step 2: ISO 27001

ISO 27001 is the international standard that describes best practice for an Information Security Management System (ISMS). It encompasses people, processes and technology, recognising that information security within the healthcare industry is not about technology alone.

Step 3: Protect your perimeter

With threats and threat actors continuously evolving there is a real need for intelligent perimeter protection as well as innovation with password and identity management. At Amicus ITS we are happy to provide advice to help ensure your data is as secure as possible.

Amicus ITS specialist information governance and security division, provides services to support NHS and public sector organisations. Our client base is substantial and includes corporations of all sizes. We believe our success in winning and retaining clients is due to Amicus ITS’ deep and ongoing understanding of N3 compliance requirements in the UK.

Cyber attacks on SMEs – the risk of attack is VERY real

SMEs are very attractive to cyber criminals: they have poorer security and limited resources, making them easier to attack than their larger counterparts, and are often part of larger supply chains, making them an easy point of access into larger corporations’ systems.

The Department for Business, Innovation & Skills/PwC’s most recent Information Security Breaches Survey found that 74% of small businesses suffered a security incident in 2015 (up from 60% in 2014).

The impact of an attack is clear

Reputational damage is a very real concern for SMEs. According to KPMG and Be Cyber Streetwise, 89% of breached SMEs said the attack affected their reputation, damaging their ability to win new business and maintain relationships with existing clientele.

What SMEs can do to protect their reputation?

SMEs should look to the government’s Cyber Essentials scheme to protect their reputation. Cyber Essentials sets out five security controls that, according to the UK Government, could prevent ‘around 80% of cyber attacks’. These controls provide a basic level of protection from the vast majority of cyber-attacks, and improve business efficiency in the process.  A double win!

Certification to the scheme demonstrates that you’ve implemented these basic cyber security controls, reassuring your customers, stakeholders and staff that you have taken the precautions necessary to reduce cyber risks, as well as putting you on route to helping you with cyber insurance if you are considering taking this out.

Cyber-Essentials-logo-HiRes