Major headache after US cyber attack threatens 4m public sector workers

The FBI are currently investigating the latest major data incursion into the heart of the US Government, announced today, as hackers (believed to originate in China) are suspected of the latest large-scale ‘cyber intrusion’ into US personnel records, which has sent nervous ripples around the Pentagon.

The Office of Personnel Management, which holds the records of US federal workers for other departments across the States, today sent out notifications to around 4 million employees warning them that some of their personal information may have been compromised. This includes employment details, medical records and financial information.

The security community believes that the attack originated in either Russia or China, given its sophistication and the type of data taken.

This goes way beyond a criminal act and into the murky world of nation state cyber espionage. To succeed requires nation state backing and sophisticated resources. Indications are believed to show that the penetration began 6-8 months ago. The concern is that some of the data belongs to individuals in high positions of trust in Government circles and may lead to them being threatened, coerced or compromised in future.

To counter this, the US Government has launched a high-priority effort to require users to authenticate with two-factor PIV cards (smartcards with a chip) as a first phase of defence. A second step is to separate ordinary authorised users from those able to reconfigure systems or networks, as part of the same process. This would be done by creating privileged entitlement management and separation processes, putting more barriers in the way of anyone penetrating central systems.

Big or small, companies need to defend against increasingly sophisticated intrusions and commit to higher scrutiny of systems and investment in data defence. There is no single fix any more.

The responsibility of the Data Controller to manage an individual’s records, whether digital or manual, weighs heavily on commercial businesses and organisations of every hue and sector. Ignorance is not a defence, though good security and governance can make for a softer fall.


This week’s cyber security news – Friday 16th January 2015

Three different tales of terrorism mark the end of 2014 and the start of 2015 and make cyber security the hot topic for 2015:

Picture this – don’t let it happen to you
In December 2014 we witnessed the fallout from the attacks on Sony Pictures, which destroyed data and hardware and proved very costly with the leak of a slate of films due for release. Whether or not North Korea were behind it, the events and the initial capitulation by the studio damaged the studio’s brand inexorably. Cyber attacks are highly challenging and pose a serious threat to a company’s economic stability and security, as well as its wider reputation.

With foreign governments, hackers, criminals and the disaffected all probing computer networks daily, this New Year is a timely opportunity for organisations to prevent their own “Sony situation”: assessing and identifying any potential infrastructure weaknesses, updating processes, educating staff and raising awareness, and implementing new, tighter measures and governance procedures to reassure customers.


Securing communications data – an acceptable price for us Charlies?

On Friday 9th January 2015 two tragic terrorist attacks concluded in Paris, with the perpetrators treated as criminals and shot.

Incidents like this are frightening and a prompt for sombre reflection. Behind the Paris attacks is the multifarious use of the internet, social media, email, telephone and mobile communications connecting individuals and groups, to inform global audiences on extreme topics and ideologies. This has accelerated so fast in the last 15 years that it makes control of such communications, and intelligence gathering, challenging but essential if nations are to have any chance of preventing the next atrocity.

Both the UK and the US are responding by seeking to toughen up their legislative processes to track communications. In the UK, the Government wishes to collect data in bulk from all sources including social media, irrespective of which citizen it concerns (from child to grandparent). This effort, they believe, would by intercepting communications help identify new perpetrators and build up a body of evidence to be used in court.

Defenders of civil liberties with privacy concerns are correctly identifying the wider impact this would have on individuals and companies. However, when set against the motive of defending the public and the infrastructures that keep the lights on, it is an increasingly hard position to argue against. Only time will tell, but it will be interesting to see if a by-product becomes the further movement of information to sovereign-controlled data centres to ensure improved access and regulation.


Cyber threats – an urgent and growing danger
Finally, Tuesday 13th January 2015 saw a CyberCaliphate attack breaching the Twitter and YouTube feeds of US Central Command (Centcom). With several thousand social media accounts, social media is seen as a fast and effective way for the US military to communicate globally with its staff and families – on anything from on-base events to power outages. The ‘cyber vandalism’, as it is being described, only showed information widely available online – there was not believed to be any theft or disclosure of classified information.

The timing was embarrassing though, and created a PR disaster for the President, given that he was outlining plans to strengthen cyber security when it happened. This was unlike the 2008 foreign intelligence breach via malware into the Pentagon mainframe computer system. This latest public hack is believed to have been caused by password disclosure (inadvertently or not) by an individual. US officials have duly updated passwords, issued tip sheets to staff to bolster online security advice, and are reviewing processes. In social media, both Twitter and Google now recommend two-factor authentication, so anyone logging on to the account from a new computer has to enter a code sent to their mobile phone.

Whilst the Centcom attack did not have the impact that the perpetrators hoped for, there are lessons that must be learned and applied by all organisations using the internet. Financial systems, power grids, pipelines, healthcare systems and whole swathes of society’s infrastructure run on networks connected to the internet. Safeguarding these is the crux of public safety and public health.

As we go to press today, David Cameron, on a visit to Washington, confirmed that MI5 and the FBI will be playing cyber wargames targeting the Bank of England, commercial banks, the City of London and Wall Street, to be followed by “further exercises to test critical national infrastructure”.

As a health check, businesses and organisations should do the following:

  • ensure good password hygiene is maintained
  • review and update processes regularly
  • ensure internet security is up to date
  • limit the number of administrators who can access accounts
  • ensure accounts are regularly monitored

In this case, a sense of proportion needs to be maintained. Yes, it was embarrassing, but nobody died.
