Reports that the Norwegian military has admitted to being targeted by a potentially serious cyber attack should act as a wake-up call to UK organisations on both sides of the private/public-sector divide.
The rash of targeted cyber attacks in recent weeks against several major corporates such as Sony – and now attacks against military targets – shows that the cybercriminals are refining their attack strategy.
It doesn’t take an industry expert to know that “the bad guys”, aka hackers, will always target the most vulnerable area of a company’s security fabric. Often the weakest link is poor encryption key and certificate management.
Where previously cyberattacks against government systems and major corporates could be shrugged off or overlooked because of the efficacy of conventional, multi-layered IT security systems, it’s clear that a new strategy is called for.
That strategy now needs to draw in allied technologies such as pervasive encryption of all data—both at rest and in motion—which requires effective access controls and key and certificate management to protect an organisation’s private data, which, of course, is what the cybercriminals are really after in these types of attacks.
The attack on the Norwegian military – in which 100 senior members of the country’s defense department received an email plus attachment that appeared to come from the government – was carefully planned and well executed.
It was interesting that at least one person is reported to have opened the attachment. This launched an unknown malware that executed commands that compromised the machine before it was stopped from spreading further.
This proves that – despite the best of security training and the high levels of security defences that military systems have – all it takes is one click and the integrity of an organisation’s IT resources is then put at risk.
What needs to be developed, he explained, is a holistic approach to security that actually steps beyond the boundaries of conventional IT security and into new areas such as defending intellectual property rights and general working practices, as well as using integrated security to defend an organisation’s digital assets.
There is now clearly no such thing as a security silver bullet, so we have to start from the premise that an organisation’s IT systems will be compromised in one form or another.
This isn’t defeatism, but pragmatism at play. If you start developing a security strategy on the basis that the IT resource may be compromised by unknown means at some stage in the future, then you can better defend your valuable and sensitive digital assets.
The Norwegian attack is an interesting example of this. It’s unlikely that Norway’s military will reveal the full facts of what happened, but it sounds as though their internal security systems were able to lock down the effects of the malware before it took hold.
This proves that a strategy of using multiple technologies, such as automation of key encryption and data protection systems, as well as good processes and best practices, can be useful. The days of set-it-and-forget-it IT security are now gone. Organisations need to wake up and smell the coffee.