The Relentless March of the Cybermen

Stephen Smith

Cyber security is the protection of Internet-connected systems – including hardware, software and data – from cyber attacks. In a computing context, security comprises both cyber security and physical security, and enterprises rely on both to protect data centres and other computerised systems from unauthorised access. When it comes to cyber protection, are today’s end users focusing on the wrong areas? Stephen Smith believes so.

Cyber security is the talk of the town right now. One can hardly turn the pages of a national newspaper, or flick between news channels on the television, without being confronted by the startling and revelatory news of some form of cyber attack. Last year it was the National Health Service (NHS) that was the victim, its systems crashing to the point that even a thousand of the country’s best doctors could not bring them back to life. More recently it was British Airways, which, despite playing down the damage caused by a malicious ‘hack’, must still have been embarrassed by the mass publicity that followed.

Even as I write these lines today, we learn of another attack from Russia (or should that be ‘alleged attack’ from Russia?) as they seek to interfere with the UK Government’s quest to track down the Salisbury Novichok poisoners.

Of course, many of us can fall into the realms of complacency when it comes to our attitude towards cyber attacks and cyber crime. Most – and I include some of the biggest banks and institutions in this comment – are no doubt of the opinion that, if your system sits on a separate network, or you have a decent firewall in between, then nothing sinister can ever pass. They would be wrong to presume so, because they’re looking in the wrong direction.

The threat from within

The biggest cyber threat currently stems from the people you employ. Crime capers on the big screen such as ‘Die Hard’ have the IT genius hacking into systems and bypassing firewalls and passwords in a handful of moments to open a crucial door or an impossibly large safe; the more likely scenario is a crime that has been many months, or even years, in the making.

It takes very little for a Control Room operator to introduce a disk or memory stick that spreads malware or compromises a system’s security, leaving the organisation vulnerable to attack. An operator paid only a few pounds an hour might easily be tempted by a sizeable ‘bung’, particularly if the intended outcome matches their own political or religious ambitions.

Individual systems may look risk-free in isolation, but once they form part of a wider integration their weaknesses can be quickly exposed. Our own Physical Security Information Management (PSIM) solutions were recently robustly tested by one of the foremost bodies for protecting Critical National Infrastructure. The results were fascinating.

Weaknesses in a system’s construction can be unearthed in the places you least expect. A shortcut key on the keyboard, for example, opens the application’s ‘Help’. From ‘Help’ you can open a command prompt and find your way into PowerShell, from where you can change user rights, add a new admin user and then log in as that user. From that point onwards you have complete control over the system you’re operating. That’s just one small example of what’s now possible.

Dangerous journeys

The point is that opening the Help application will not ‘flag’ as an alert or an issue needing investigation, and yet it may be the start of a nefarious and potentially very dangerous journey. You think you’ve locked down your serial ports when you haven’t. You think your system is safe, but it isn’t. Many months of trial and error may culminate in a security breach with catastrophic results. An operator may elect to use their new ‘power’ to configure the system to open a door automatically at a particular time of day or night, so as to coincide with a theft or a rather more sinister plot.
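Even when the PSIM application itself raises nothing, the chain described above (Help to command prompt to PowerShell to a new administrator account) leaves a trail in the Windows Security log: process creation (Event ID 4688, available once the ‘Audit Process Creation’ policy is enabled, with the parent process recorded on recent Windows versions), account creation (4720) and membership changes to the local Administrators group (4732). The following Python script is an added example, not code from the article or from ISM. It correlates constructed log lines in a simplified pipe-separated format (not a real Windows export), flags a shell started by an unexpected parent process, and flags a freshly created account that is promoted to Administrators within a short window. The parent-process allow-list, the HelpViewer.exe name, the account names and SIDs are assumptions made for the example.

```python
"""Correlate Windows Security events to spot an operator-to-admin chain.

Added example, not code from the article or from ISM. SAMPLE_LOG is a
constructed, simplified '<ISO time>|<EventID>|key=value|...' format rather
than a real Windows export; process names, users and SIDs are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

ADMINISTRATORS_SID = "S-1-5-32-544"            # well-known SID: local Administrators
SHELL_NAMES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Parents that may legitimately start a shell on a console (assumed allow-list).
ALLOWED_SHELL_PARENTS = {"services.exe", "explorer.exe"}

# Constructed sample: operator1 escapes via the help viewer into cmd and
# PowerShell, creates svc_maint and makes it an administrator; a scheduled
# backup job legitimately starts cmd.exe from services.exe.
SAMPLE_LOG = r"""
2024-05-02T02:11:04|4688|SubjectUserName=operator1|NewProcessName=C:\PSIM\bin\cmd.exe|ParentProcessName=C:\PSIM\HelpViewer.exe
2024-05-02T02:11:09|4688|SubjectUserName=operator1|NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentProcessName=C:\PSIM\bin\cmd.exe
2024-05-02T02:12:30|4720|SubjectUserName=operator1|TargetUserName=svc_maint|TargetSid=S-1-5-21-1111-2222-3333-1005
2024-05-02T02:12:41|4732|SubjectUserName=operator1|TargetUserName=Administrators|TargetSid=S-1-5-32-544|MemberSid=S-1-5-21-1111-2222-3333-1005
2024-05-02T09:00:12|4688|SubjectUserName=svc_backup|NewProcessName=C:\Windows\System32\cmd.exe|ParentProcessName=C:\Windows\System32\services.exe
"""


@dataclass
class Event:
    time: datetime
    event_id: int
    data: Dict[str, str] = field(default_factory=dict)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format into Event objects, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        stamp, eid, *pairs = line.split("|")
        data = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.fromisoformat(stamp), int(eid), data))
    return sorted(events, key=lambda e: e.time)


def basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def shell_spawns(events: List[Event]) -> List[str]:
    """4688: a shell started by a parent that is not on the allow-list."""
    findings = []
    for e in events:
        if e.event_id != 4688:
            continue
        child = basename(e.data.get("NewProcessName", ""))
        parent = basename(e.data.get("ParentProcessName", ""))
        if child in SHELL_NAMES and parent not in ALLOWED_SHELL_PARENTS:
            findings.append(f"{e.time:%H:%M:%S} {e.data['SubjectUserName']} "
                            f"spawned {child} from {parent}")
    return findings


def admin_escalations(events: List[Event], window_seconds: int = 3600) -> List[str]:
    """4720 (account created) then 4732 (added to Administrators) for the same SID.

    Any addition to Administrators is reported; one that follows the creation
    of that very account within the window is reported as the full chain.
    """
    created: Dict[str, Event] = {}   # TargetSid of the new account -> 4720 event
    findings = []
    for e in events:
        if e.event_id == 4720:
            created[e.data["TargetSid"]] = e
        elif e.event_id == 4732 and e.data.get("TargetSid") == ADMINISTRATORS_SID:
            sid = e.data.get("MemberSid", "")
            c = created.get(sid)
            gap = int((e.time - c.time).total_seconds()) if c else None
            if c and gap <= window_seconds:
                findings.append(f"{e.time:%H:%M:%S} {e.data['SubjectUserName']} created "
                                f"{c.data['TargetUserName']} and made it an administrator "
                                f"{gap}s later")
            else:
                findings.append(f"{e.time:%H:%M:%S} {e.data['SubjectUserName']} "
                                f"added {sid} to Administrators")
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in shell_spawns(evs) + admin_escalations(evs):
        print("ALERT:", finding)
```

On the sample the script raises three alerts: cmd.exe started from the help viewer, PowerShell started from that cmd.exe, and the svc_maint account created and promoted to Administrators eleven seconds later; the backup job’s cmd.exe from services.exe is not reported. The same two rules translate directly into a SIEM query once 4688 auditing is switched on for the console workstations, and an operator account appearing as SubjectUserName on a 4720 or 4732 event is worth an alert on its own.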

Certainly, there are things that can be done by way of amelioration. The system needs to be protected end-to-end, from PC to PC, with its traffic fully encrypted. Organisations need to think like a criminal or a terrorist about how their systems may be compromised, and to consider how such things as software development kits might introduce risk into what was otherwise a ‘safe’ environment.

For home use, none of us would buy a television set unless it carried the CE Mark to prove it has been tested and is compliant, yet we seem comfortable buying business systems that don’t meet the highest standards laid down by organisations such as the Centre for the Protection of National Infrastructure (CPNI), the Government authority for protective security advice to the UK’s national infrastructure.

Cyber attacks are frightening in their very nature because they are largely misunderstood, but some of that misunderstanding comes from not looking in the right place. If we are to avoid the next major catastrophe, it’s fair to suggest we need to start looking at the threat from a different angle.

Stephen Smith is Managing Director of Integrated Security Manufacturing (ISM)

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)
