Managing Cybersecurity Risk Entails More Than Installing Firewalls.
Legal News & Analysis - Asia Pacific - Cybersecurity
16 February, 2016
ANALYSIS: The management of cybersecurity risk cannot be left to IT departments alone. Instead, businesses must deploy a number of organisational and technical measures to address the growing cyber risks they face.
The focus should not just be on prevention of security risks. A good governance framework will address detection of and response to cyber incidents.
Having looked at the 10 things you always wanted to know about cybersecurity but were afraid to ask, we will share our findings in a themed series. We previously looked at which people are typically behind cybersecurity breaches and the methods they use. Here we look at what the common vulnerabilities are and what good IT security looks like.
Common technical vulnerabilities
Cybersecurity vulnerabilities – any system or process flaw which exposes systems or data to those not authorised to access it – are many and varied, but can be broadly be broken down into three types: technical vulnerabilities; supply chain vulnerabilities and vulnerabilities relating to people, such as social engineering and insider threats.
The most common technical vulnerabilities include 'SQL injection'; software flaws; and issues relating to passwords, including their storage.
An SQL injection is where an attacker uses special coding - Structured Query Language - to instruct databases to reveal information or even edit or delete the database, when the online applications attached to those databases are only supposed to be used to input information only, typically through webpage forms.
IT security guidance published by the Information Commissioner's Office (ICO) (47-page / 507KB PDF) provides a useful 'real-life' analogy.
The guide said: "A person applies for a passport using a paper application form. In the space reserved for surname, they write 'Smith. Now tell me all the information you have about all the other passport applicants.' The officer processing this application form enters the name 'Smith' into their system but then obeys the subsequent instruction and sends the applicant information about other passport applicants. Of course, this exploit would not generally succeed in the real world, since an officer is likely to realise that any instructions contained within the form should be ignored. Unfortunately the same is not true of many applications that are used to access databases."
Software vulnerabilities that require patching
Most pieces of software will, from time to time, require to be updated as a result of security vulnerabilities being identified in the coding. Software companies regularly release 'patches' to address known vulnerabilities that have been identified. Businesses that do not install those updates will be operating software with security flaws that attackers could use to compromise the systems of those organisations.
WordPress is a blogging application which recently urged users to update their software after hackers exploited a security vulnerability to deface bloggers' pages. Third party plugins used with WordPress may also suffer from security vulnerabilities and equally need to be kept updated.
Password storage and other password related issues
This type of common vulnerability can be split into two – errors at organisation level, such as a failure to 'hash' and 'salt' passwords stored; and errors of users.
A failure to implement strong hashing and salting of passwords can lead to information breaches.
Hashing – this is essentially where organisations convert user passwords into alternative, disguised values which they then store rather than storing the plain text sensitive passwords themselves. As the ICO puts it, "when a user first registers with a service and provides a password this is hashed and only this hash value is stored. When a user returns and enters their password, the hash is freshly calculated [from the entered password] then compared with the stored hash. If the two hashes match, then the user can be authenticated". With hashing, it should not be possible to derive the original value (e.g. password) from the hash value. It is important that a strong conversion method, or "hashing algorithm", is used; some older hashing methods have been broken or "cracked".
Salting – this essentially involves adding random characters to a password before it is 'hashed'. It makes the process of cracking a password more challenging for attackers. The ICO said: "A 'salt' in this context is a string of random data unique to each user. The salt is used by combining it with the user's password, then hashing the result. The salt is then generally stored alongside the hash in a database. When a user logs in to the service the stored salt and the supplied password are freshly combined and hashed. As in the unsalted method, the new hash and the stored hash are compared to determine if the user should be authenticated".
Hashing and salting can be done multiple times to increase their efficacy.
However, errors of users can also undermine password security. Many passwords commonly used by employees are insufficiently strong, used for multiple different accounts, services or systems, including possibly non-work systems, and/or are written down or stored in a way that enables them easily to be learned by another person.
Examples of common weak passwords are those discovered to have been popular amongst Ashley Madison users, such as 123456, password, default and qwerty.
Strong passwords should be as long as possible and ideally contain a mix of lower case letters, capital letters, numbers, and symbols. Using the same passwords for multiple accounts is a second end user error that increases their vulnerability. If a password is compromised for one account, then other accounts used by the user are vulnerable if the same password was used for them too. Imagine using the same key for all your possessions – home, car, safety deposit box, locker etc.
A third error is writing down your password. It is much better to use a password manager application, installed on your computer or online, to help you manage your passwords, although unfortunately some websites do not support their use.
Supply chain vulnerabilities
The legal requirement under data protection legislation is threefold.
'Data controllers' that process personal data using a third party processor must:
- choose a processor guaranteeing security
- ensure stipulated provisions are contained in a written contract, and
- monitor on an ongoing basis the processor’s compliance
These three requirements are broadly similar under GDPR, the EU General Data Protection Regulation, which comes into effect on 25 May 2018.
Somewhere between one third and two thirds of information security incidents, depending upon which survey you read, are caused by vulnerabilities in the supply chain. Supply chain vulnerabilities are behind some of the biggest attacks that we know about, such as the attack on Target in the US in 2013, where a phishing attack on a heating/air conditioning supplier allowed malware to be installed on that vendor’s systems and, from there, compromise Target’s systems.
Data controllers need to pay particular attention not just to having appropriate contracts in place with their supply chain, meaning those that contain the provisions required by data protection legislation, but should also vet vendors before they put those contracts in place, and then periodically monitor the compliance of those vendors with their information security obligations after those contracts have been concluded. A gap in one or more of these three legal requirements means the data controller is not complying with the law, and it exposes them to a potential cyber attack.
Of course, data controllers should also ensure that, from a technical viewpoint, third party vendors are not given more access rights to the controller's systems than the vendor needs.
Social engineering means deceiving or manipulating a user into divulging personal data such as passwords or financial information, or take action that the user should not take, such as sending funds to a fraudster. It may be used as a way to access confidential information and/or to gain control over a computer or network.
Reverse social engineering is when the attacker masquerades as a technician to fix a problem on your computer that does not exist or which they created.
Typical methods of social/reverse social engineering include phishing/spearphishing/vishing and waterholing. Whaling involves social engineering too, and combines this with infecting a website with malicious code.
Addressing technical vulnerabilities, supply chain vulnerabilities and social engineering form three areas of defence that organisations need to prioritise if they wish to defend themselves effectively against cyber attack, and also comply with the law.
What does good IT security look like?
It is important for an organisation to assess and manage its security risk, as part of its general risk management. Security risk has legal, regulatory and reputational implications that can hit the bottom line so organisations need to conduct a risk assessment to identify their own information assets – their 'crown jewels' – and where they are – and tailor their security measures accordingly.
Organisations must bear in mind that, as with any other risk, it is not possible to eliminate all risk and have 100% security, and that security involves a journey, not a destination. It is an ongoing process. Security is also not just an IT issue. Good security involves people and policies and processes as well as technology. Not all employees are sufficiently aware of good security practices, so raising staff awareness and educating and training staff is important.
Governance is also very important. Organisations need to have a good governance framework, covering security as well as other risks, and need to make sure it is followed in practice. This includes having a crisis response plan that has been prepared and tested in advance.
The legal framework is evolving to place a greater emphasis on the way businesses respond to cyber and data security incidents and breaches. It is no longer sufficient just to focus on detection and prevention measures.
Good IT security is multi-faceted. It ranges from protecting systems and networks with firewalls, anti-virus and other protections, to implementing appropriate access and authorisation policies and practices, sound password policy and storage protocols, coding securely, patching software, encrypting data - in storage and in transmission, controlling the encryption keys properly, backing up data regularly to different geographical locations, training employees, testing systems and the incident response plan, and managing vendors appropriately.
Industry standards like the ISO 27000 series, guidance from the ICO and Financial Conduct Authority views, and the UK government's 'Cyber Essentials' scheme are just some examples of the tools businesses can turn to to bolster their approach to cyber risk. Codes and certifications may be given a boost by the forthcoming General Data Protection Regulation also, if various uncertainties can be resolved.
For further information, please contact:
Ian Laing, Partner, Pinsent Masons