Cyber security is the protection of Internet-connected systems – including hardware, software and data – from cyber attacks. In a computing context, security comprises cyber security and physical security. Both are used by enterprises to protect against unauthorised access to Data Centres and other computerised systems. When it comes to cyber protection, are today’s end users focusing on the wrong areas? Stephen Smith believes so.
Cyber Security is the talk of the town right now. One can hardly turn the pages of a national newspaper, or flick between news channels on the television, without being confronted by the startling and revelatory news of some form of cyber attack. Last year, it was the National Health Service (NHS) that was the victim, its systems crashing to the point that even a thousand of the country’s best doctors could not bring them back to life. More recently it was British Airways, who despite playing down the damage caused by a malicious ‘hack’, must have still been embarrassed by the mass publicity that resulted.
Even as I write these lines today, we learn of another attack from Russia (or should that be ‘alleged attack’ from Russia?) as they seek to interfere with the UK Government’s quest to track down the Salisbury Novichok poisoners.
Of course, many of us can fall into the realms of complacency when it comes to our attitude towards cyber attacks and cyber crime. Most – and I include some of the biggest banks and institutions in this comment – are no doubt of the opinion that, if your system is on a separate network, or you have a decent firewall in-between, then nothing sinister can ever pass. They would be wrong to presume so because they’re looking in the wrong direction.
The threat from within
The biggest cyber threat currently stems from the people you employ. While crime capers on the big screen like ‘Die Hard’ and other such thrillers will have the IT genius hacking into systems and bypassing firewalls and passwords within a handful of moments in order to open a crucial door or an impossibly large safe, the more likely scenario is a crime that has been many months – or even years – in the making.
It takes very little for a Control Room operator to introduce a disk or memory stick to spread malware or compromise a system’s security that then leaves the organisation vulnerable to attack. An operator paid only a few pounds an hour might easily be tempted by a sizeable ‘bung’, and particularly so if the intended outcomes match their own political or religious ambitions.
To a very large extent, individual systems can be risk-free, but once part of a wider integration, their weaknesses can become quickly exposed. Our own Physical Security Information Management (PSIM) solutions were recently robustly tested by one of the foremost bodies for protecting Critical National Infrastructure. The results were fascinating.
Weaknesses in a system’s construction can be unearthed in the places that you least expect them. A shortcut key on a keyboard, for example, opens the application that allows you to get into ‘Help’. From ‘Help’ you can open a command prompt and find your way into PowerShell, from where you can then change user rights and add details of a new admin user and subsequently log yourself in. From that point onwards, you have complete control over the system you’re operating. That’s just one small example of what’s now possible.
The point is that opening the application will not ‘flag’ as an alert or an issue that needs investigation, and yet it may be the start of a nefarious and potentially very dangerous journey. You think you’ve locked down your serial ports when you haven’t. You think your system is safe, but it isn’t. Many months of trial and error may result in a security breach with catastrophic results. An operator may elect to use their new ‘power’ to configure a system to open a door automatically, at a particular time of the day or night, so as to coincide with a theft or a rather more sinister plot.
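As an added illustration (not part of the original article, and not ISM's code), the sequence described above can be made to raise an alert by correlating process-creation and account-management events from the operator workstation. The sketch assumes Windows Security log records (event 4688 for process creation, 4720 for account creation, 4732 for a local group addition); the help-viewer names, the 30-minute window, and the host, user and `psim_client.exe` names in the sample data are assumptions.

```python
from datetime import datetime, timedelta

# Assumptions: help-viewer and shell image names, and a 30-minute correlation window.
HELP_VIEWERS = {"hh.exe", "helppane.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WINDOW = timedelta(minutes=30)
ACCOUNT_EVENTS = {4720: "user account created", 4732: "member added to local group"}

# Constructed sample records shaped like Windows Security log events
# (4688 = process created). Host, user and psim_client.exe are hypothetical.
EVENTS = [
    {"time": "2024-01-10T02:14:05", "id": 4688, "host": "CR-OPS-01", "user": "operator7",
     "parent": r"C:\App\psim_client.exe", "image": r"C:\Windows\hh.exe"},
    {"time": "2024-01-10T02:14:40", "id": 4688, "host": "CR-OPS-01", "user": "operator7",
     "parent": r"C:\Windows\hh.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"time": "2024-01-10T02:15:10", "id": 4688, "host": "CR-OPS-01", "user": "operator7",
     "parent": r"C:\Windows\System32\cmd.exe", "image": "powershell.exe"},
    {"time": "2024-01-10T02:17:30", "id": 4720, "host": "CR-OPS-01", "user": "operator7",
     "target": "svc_maint"},
    {"time": "2024-01-10T02:17:42", "id": 4732, "host": "CR-OPS-01", "user": "operator7",
     "target": "svc_maint", "group": "Administrators"},
    {"time": "2024-01-10T09:00:00", "id": 4720, "host": "ADMIN-02", "user": "itadmin",
     "target": "newstarter"},
]

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.split("\\")[-1].lower()

def detect(events):
    """Alert on a shell started from a help viewer; escalate account changes that follow."""
    alerts, breakout = [], {}  # breakout: (host, user) -> time the shell was reached
    for ev in sorted(events, key=lambda e: e["time"]):
        when, key = datetime.fromisoformat(ev["time"]), (ev["host"], ev["user"])
        if ev["id"] == 4688:
            parent, image = base(ev["parent"]), base(ev["image"])
            if parent in HELP_VIEWERS and image in SHELLS:
                breakout[key] = when
                alerts.append(("medium", *key, f"{image} started from {parent}"))
        elif ev["id"] in ACCOUNT_EVENTS and key in breakout and when - breakout[key] <= WINDOW:
            detail = f"{ACCOUNT_EVENTS[ev['id']]}: {ev['target']}"
            if ev.get("group"):
                detail += f" -> {ev['group']}"
            alerts.append(("high", *key, detail))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Opening ‘Help’ on its own still produces no alert here; it is the shell launched from it, and the account changes that follow on the same console, that are flagged, while the routine account creation on the administrator's own machine is ignored.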
Certainly, there are things that can be done in terms of amelioration. The system needs to be protected from end-to-end, from PC to PC, and fully encrypted. Organisations need to think like a criminal or a terrorist about how their systems may be compromised. Organisations also need to consider how such things as software development kits might introduce risk to what was an otherwise ‘safe’ environment.
For home use, none of us would ever seek to buy a television set unless it has the CE Mark to prove that it has been tested and is compliant, and yet we seem comfortable buying business systems that don’t meet the highest standards laid down by such organisations as the Centre for the Protection of National Infrastructure (CPNI), the Government authority for protective security advice to the UK’s national infrastructure.
Cyber attacks are frightening in their very nature because they are largely misunderstood, but some of this misunderstanding comes from not looking in the right place. If we are to avoid the next major catastrophe, it’s fair to suggest that we need to start looking at the threat from a different angle.
Stephen Smith is Managing Director of Integrated Security Manufacturing (ISM)