This autumn heralded two significant developments for UK security professionals. The proposed updating of the “anachronistic” Official Secrets Act (OSA) was announced by the Law Commission in response to 21st Century advances that have changed our conception of espionage, where current threats mean sensitive information can be hacked or betrayed.
At the same time, a new director has been appointed to the National Cyber Security Centre (NCSC, a division of GCHQ). The outgoing director warned that a “national cyber emergency”, caused by a “category one” cyber attack on our national infrastructure that could cost lives or inflict severe economic damage, has become more likely. Incidents have already been reported that “came close”, suggesting it is very much a matter of ‘when, not if’.
This grim warning of a “near miss” is one we would be wise to heed as a wake-up call for all risk reduction regimes. The CISO (Chief Information Security Officer), with complex infrastructure responsibilities, can now compare and profit from two streams of security risk management recommendations (from the OSA review and from the NCSC), as this brief overview of trends in cyber espionage and other hostile action – including terrorism – attempts to summarise.
Comprehensive data breach audit
The proposed new statute to replace the Official Secrets Act – containing modern language and updated provisions – is clearly intended to assert the importance of maintaining confidentiality in spheres of infrastructure subject to the OSA. Intensified emphasis has been placed on the need for appropriate national security clearance and premises assurance for those tasked with safeguarding sensitive data.
Achieving this enhanced safeguarding, in line with the latest cyber risk roadmap from the Royal Institute of International Affairs (“Chatham House”), is an essential – albeit formidable – task. Chiefly, to anticipate worst-case outcomes, the roadmap requires the classification of data breaches applicable to all data held within an organisation, enabling a comprehensive audit to evaluate risk across a spectrum of major categories of cyber risk. This could range from “sensitive personal data” (such as individuals’ ID, medical and bank card details) through to corporate “financially sensitive information” (such as payroll data) and “value-sensitive information” (whether serving the nation state or of civil origin, such as proposed mergers or acquisitions that could critically affect market movements or influence national reputational risks).
As the Chatham House research paper reminds us, organisations are “often surprised to discover that they hold more data than expected.” Once data has been classified in this way, more realistic projections of exposure to data breaches can be made; the resulting estimates of loss for each classification of risk give a clearer understanding of the scale of loss an organisation is trying to prevent, and the foresight to confront the cold facts of a worst-case scenario.
However, with refreshing candour, the research concedes that cyber risk is “a relatively new field”, so – as systems continue to achieve greater safety levels – the measurements that inform calculations for incident mitigation will require constant monitoring over an extended period of time. It also follows that the sensitivity and unique variety of your data could mean that your incident response planning, as a business model, will unavoidably evolve independently, while reliance on proprietary programs may have to be re-evaluated and outcome-driven bespoke solutions developed.
‘Air-gaps’ to defeat extraterritorial hackers
In proposing updates to the UK’s espionage legislation, the Law Commission points to “hostile states” that “can conduct cyber-attacks on the UK through multiple servers across multiple countries. At the same time, the potential impact of spying and leaks has increased: a single disclosure could contain terabytes of data.”
Further, the territorial sphere of the existing Official Secrets offences should be expanded so that crimes such as hacking can be recognised as committed irrespective of the individual’s nationality. To ensure that sensitive UK assets overseas receive maximum protection, any new definition of ‘prohibited place’ (to reflect the modern espionage threat) should explicitly provide that such places may be overseas.
Crucially, however, the economic imperative to keep the infrastructure seamlessly connected breeds unwelcome countervailing hazards that threaten the very systems required to maintain cyber security at the highest levels of protection. The NCSC identifies these hazards as “the big state threat, traditional espionage with a modern twist that can now affect our democracy” and the UK’s “critical national infrastructure”; not forgetting “the threat to prosperity from an aggregation of cyber attacks that would damage consumer confidence.”
It would seem, then, Titanic-like, that the unbreachable is destined to be stricken by breaches. Although an “organisation’s most sensitive information is often stored on ‘air-gapped’ computers, which are physically separated from the internet,” the NCSC “recommends that security scanning tools are deployed to detect and locate potential unauthorised or spoof access points.” No CISO should underestimate the possibilities for physical breaches of air-gapped devices by, say, aggrieved rogue employees or suborned company insiders colluding with hostile interests to exploit Wi-Fi, IoT (Internet of Things) devices or peripherals affording external access (USB drives, printers, smartphones, etc.).
The NCSC warns of the penalties for failing to air-gap these high-security resources from the rest of an organisation’s IT assets, and prompts a question for CISOs: “Are they using the same internet-facing account to administer the system as they use for normal internet-facing business?”
If the answer is ‘Yes’, the system is exposed and in jeopardy. The infrastructure is only as secure as the users who operate its networks.
Collaboration between physical and cyber
A recent poll conducted by InfoSecurity magazine revealed over two thirds of respondents reported that their respective security teams in charge of their physical and cyber infrastructures never collaborated, with the survey concluding that “organisations are not fully prepared to manage security effectively across both cyber and physical environments.”
The NCSC echoes this concern by reminding the nation’s business and industry leaders that “information sharing should be encouraged” but regretting that “information sharing uptake” is poor and, because of this, corporate defences are “weaker than they should be.”
Through collaboration, CISOs should engage with their interdependent security teams and share priorities to monitor, measure and improve systems while constantly advancing a comprehensive understanding of controls and risks across both IT and Operational Technology environments, both physical and cyber.
Hostile informants hiding in plain sight
Hacktivists, cybercriminals and state-sponsored cyberattackers are not the only perpetrators conducting industrial espionage. The experienced CISO is well aware of other routes for intrusion to steal a nation’s secrets – there are thousands of covert hostile stratagems that don’t involve computers.
Almost daily, news items call our attention to counterintelligence investigations that reveal cases of unlawful acquisition of classified information for leaking state or corporate secrets to hostile powers.
For instance: “Scientist with dual-nationality working for US pharmaceutical corporation steals $1 billion trade secrets to help boost his motherland’s economy.”
Espionage specialists and security experts have known for almost a century that spying operations have penetrated international academia by deploying corrupted academics, awarded spurious doctorates by their own governments, to provide local intelligence concerning a rival nation’s research and development. A foreign scientist with two PhDs working in a grant-aided academic laboratory funded by his own national government, therefore, might well prompt suspicion.
Memo: Double-checking CVs demands enhanced due diligence. Truth will out!
Spy tactics are not short of invention: ‘honey-traps’; blackmail; bribes of life-changing cash; visitors capturing secrets by covert smartphone videoing, such as ‘shoulder surfing’ (observing someone typing in their password); or even the incentive of a spurious headhunting enquiry, whereby a spoof interview pumps applicants to unwittingly betray their company by confiding sensitive inside information. A similar ploy is the gate-crashing of company events by interlopers spying for your competitors.
Your suppliers or consultants or even journalists who cover your industry could be tricked into divulging facts about your company.
Memo: Careless talk costs assets. You never know who’s listening!
Such a multitude of potential threats can be anticipated only by formulating industry-specific crisis simulations of eventualities to provide effective ways of developing a culture of high level security within your organisation, supported by a comprehensive programme of security awareness training for all staff to safeguard valuable assets.
10 steps to reduce the impact of security breaches
According to the NCSC, most cyber attacks have four stages: Survey, Attack, Breach, and Affect. The following security controls summarised from the NCSC’s own advice, applied at each stage, can reduce your organisation’s exposure to a successful cyber attack.
(Clearly these guidelines are not exhaustive; they are aids solely to spur CISOs to review their unique corporate responsibilities.)
1) User education. Train all users to consider details they include in publicly available documents and web content. Users should also be aware of the risks from discussing work-related topics on social media, and the potential of being targeted by phishing attacks.
2) Network boundary defences should block insecure or unnecessary services, using firewalls and internet gateways to guard your network. In particular, support these with a web proxy, web filtering, content checking and defensive policies that detect and block executable downloads, block access to known malicious domains, and prevent users’ computers from communicating directly with the internet.
3) Malware protection controls should scan all data for malicious content at the network perimeter and maintain malware defences to detect compromising downloads and respond to malicious attack code or to quarantine suspicious or infected inbound and outbound content for further analysis. Removable media, if introduced, should be automatically scanned by the system for malicious content.
4) A secure password policy should be applied to prevent selection of easily guessed passwords and to lock accounts after a low number of failed attempts. Examine and (if necessary) challenge existing corporate password policies, and help update to a modern approach. Minimise the password risk by implementing passwords only when they are really needed and suitable. Use multi-factor authentication (MFA) for important high security accounts. Consider alternatives to passwords such as Single Sign-On (SSO), hardware tokens and biometric solutions.
5) Secure configuration, to be resistant to compromise, means restricting system functionality to the minimum needed for business operation, systematically applying the policy to every device that is used to conduct business. Unnecessary functionality should be removed or disabled (such as peripherals and redundant ports). Well-maintained user access controls should be configured to restrict the applications, privileges and data that designated users can access.
6) Patch management means patching known vulnerabilities with the latest version of the software, to prevent attacks that exploit software bugs to gain unauthorised access to system resources and information. Implement policies to ensure that security patches are applied within a defined time frame, such as 14 days for critical patches.
7) Monitoring capability. Monitor and analyse all network activity to identify any malicious or unusual activity. System monitoring in accordance with organisational policies should aim to detect actual or attempted attacks on systems and business services. Monitoring is a key capability needed to comply with legal or regulatory requirements.
8) Create and maintain hardware and software inventories of all authorised installations used across the organisation. Ideally the inventory should capture the physical location, business owner and purpose of hardware together with the version and patch status of all software. Tools can be used to help identify unauthorised hardware or software.
9) Continuous learning and development – User training is extremely valuable in reducing the likelihood of successful cyber attacks. Users should be kept informed of current threat trends and instructed to report any strange or unexpected system behaviour to the appropriate security team. Regular training of users to identify risks to the system should be maintained, together with instruction on rapid procedures for reporting security breaches.
10) Controls for the ‘Affect Stage’ of an attack. Regular up-to-date backups are the most effective way of recovering from a cyber attack. Critically, offline backups should be kept separate, in a different location (ideally offsite), from your network and systems. Ensure devices containing your backup are not permanently connected to your network. Attackers will target connected backup devices to make recovery more difficult. Scan backups for malware before you restore files. There have been cases where attackers have destroyed copied files or disrupted recovery processes before conducting ransomware attacks.
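Control 4 above (a password policy that rejects easily guessed passwords and locks accounts after a low number of failed attempts) is concrete enough to model in code. The following is an added example written for this article; it is not NCSC code and not code from the publication. The 12-character minimum, the five-attempt lockout threshold, the small denylist and the sample account are all assumptions chosen for illustration.

```python
"""Added example (not from the article or the NCSC): a minimal model of a
password policy with lockout after repeated failures.  Threshold, minimum
length, the denylist and the sample account are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5   # assumed "low number of failed attempts"
MIN_LENGTH = 12         # assumed minimum length
# Constructed denylist standing in for a real breached-password list.
DENYLIST = {"password", "password1", "qwerty", "letmein", "welcome1", "123456789012"}


def password_is_acceptable(candidate: str, username: str) -> tuple:
    """Return (accepted, reason) for a proposed password."""
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    if lowered in DENYLIST:
        return False, "on denylist"
    if username.lower() in lowered:
        return False, "contains username"
    return True, "ok"


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen credential store is not trivially reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class AuthService:
    """In-memory account store enforcing the policy and the lockout rule."""

    def __init__(self):
        self.accounts = {}

    def register(self, username: str, password: str) -> None:
        ok, reason = password_is_acceptable(password, username)
        if not ok:
            raise ValueError(reason)
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"  # same answer as a wrong password: no username enumeration
        if acct.locked:
            return "locked"  # stays locked until an administrator resets it
        if hmac.compare_digest(acct.digest, _hash(password, acct.salt)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct-horse-battery-staple")
    for attempt in range(6):
        print(attempt + 1, svc.login("alice", "guess"))
```

A successful login resets the failure counter, so an occasional typo does not accumulate towards a lockout, while a sustained run of wrong guesses locks the account before the threshold is exceeded. Rejecting the denylisted and username-containing passwords at registration is the part of the control that keeps the lockout from being the only line of defence.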
The NCSC has comprehensive guidance on how to defend your organisation against malware or ransomware attacks.
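Controls 6 and 8 above (a defined patch window, such as 14 days for critical patches, and an inventory recording location, owner, version and patch status) reinforce each other: the inventory is what makes the deadline measurable. The following is an added example for this article, not NCSC or publication code. The 14-day critical window comes from the text; the 30-day window for lower severities, the 90-day fallback, the hostnames, dates and the "observed on the network" sample are constructed assumptions.

```python
"""Added example (not from the article or the NCSC): checking a constructed
asset inventory against a patch deadline and spotting software that is
present on the network but missing from the inventory."""
from dataclasses import dataclass
from datetime import date, timedelta

# 14 days for critical patches is quoted in the article; the other windows are assumed.
SLA_DAYS = {"critical": 14, "high": 30}
DEFAULT_SLA_DAYS = 90


@dataclass(frozen=True)
class Asset:
    hostname: str
    location: str   # physical location
    owner: str      # business owner
    software: str
    installed: str  # version currently installed
    latest: str     # latest vendor version
    severity: str   # severity of the fix shipped in `latest`
    released: date  # date that fix was published


def patch_status(asset: Asset, today: date) -> str:
    """'current', 'pending' (inside the window) or 'overdue' (window exceeded)."""
    if asset.installed == asset.latest:
        return "current"
    window = SLA_DAYS.get(asset.severity, DEFAULT_SLA_DAYS)
    deadline = asset.released + timedelta(days=window)
    return "overdue" if today > deadline else "pending"


def overdue_assets(inventory, today: date) -> list:
    """Hostnames whose outstanding patch has passed its deadline."""
    return sorted(a.hostname for a in inventory if patch_status(a, today) == "overdue")


def unauthorised(observed, inventory) -> list:
    """(hostname, software) pairs seen on the network but absent from the inventory."""
    known = {(a.hostname, a.software) for a in inventory}
    return sorted(set(observed) - known)


# Constructed sample inventory (hypothetical hosts, owners and dates).
INVENTORY = [
    Asset("web01", "DC-A rack 3", "Web team", "webserver", "2.1", "2.2", "critical", date(2018, 10, 1)),
    Asset("db01", "DC-A rack 5", "Data team", "database", "11.0", "11.1", "critical", date(2018, 10, 25)),
    Asset("hr01", "HQ floor 2", "HR", "payroll-app", "4.0", "4.1", "high", date(2018, 9, 20)),
    Asset("fs01", "HQ basement", "IT", "fileserver", "7.3", "7.3", "high", date(2018, 9, 1)),
]
# Constructed list of what a discovery scan reported as installed.
OBSERVED = [("web01", "webserver"), ("db01", "database"), ("lab07", "remote-control-tool")]
TODAY = date(2018, 11, 1)  # assumed reporting date


def report(today: date = TODAY) -> dict:
    """Summary a CISO could review: overdue hosts and unlisted software."""
    return {
        "overdue": overdue_assets(INVENTORY, today),
        "unauthorised": unauthorised(OBSERVED, INVENTORY),
    }


if __name__ == "__main__":
    for asset in INVENTORY:
        print(asset.hostname, asset.software, patch_status(asset, TODAY))
    print(report())
```

On the constructed data, web01 (critical fix released 1 October, 14-day window) and hr01 (30-day window from 20 September) are overdue on 1 November, db01 is still inside its window, and lab07 is running software that nobody has recorded, which is exactly the kind of unauthorised installation control 8 says the inventory should surface.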
Remember: Once is an accident. Twice is coincidence. Three times is a hostile action.