Building your school’s cyber resilience

cyber security, tech, school, cyber resilience

Gary Henderson, ANME ambassador and director of IT at Millfield School, explores why there needs to be a shift from cyber security to cyber resilience

Read the full article below or read on page 40 in our October magazine

The term ‘cyber security’ has largely been replaced in discussions by ‘cyber resilience’. This is because ‘security’ implies that an organisation can be ‘secure’, and what cyber incidents have shown is that no organisation, whatever its size, resources or investment in cyber security, can ever be truly secure. The important message is that, no matter what you do, you can never be 100% secure and, therefore, we need to take a risk-based view.

Authentication

Let’s take authentication and passwords as an example. Weak or re-used passwords continue to be a significant risk, as they allow external threat actors to compromise user accounts. The general advice in this area is two-fold. The first part is user awareness: advising and training staff to use only strong passwords, following the NCSC advice of three random words, for example, and never to re-use a password across sites.

This advice encourages good password hygiene; sadly, not all users will follow it. The risk is reduced, but some risk still remains. The second approach is multi-factor authentication (MFA), which means a username and password alone are insufficient for a threat actor to gain access to a user account. At this point we might consider the risk addressed: the cyber criminals won’t have the second factor and, therefore, should be unable to log in.

Unfortunately, cyber criminals don’t stop there. Yes, MFA reduces your risk, but it isn’t undefeatable. Where the second factor is a one-time passcode sent by SMS or voice call, criminals might use SIM swapping (also called SIM-jacking) to take control of a user’s phone number and intercept those codes. This involves convincing the mobile provider that the phone has been lost or stolen and, therefore, that the number should be transferred to a new SIM card, one that the criminals control. As a result, when the service the criminals are targeting sends the one-time passcode, they receive it rather than you. Given the wealth of information about us online, it might be easier for a criminal to convince a call-centre operator that they are you than you would like to think. Codes generated by an authenticator app are not affected by a SIM swap, although they can still be phished in the way described next; hardware security keys resist both.

Criminals might, alternatively, phone you and pretend to be an online service, saying that they need to confirm your identity by sending you a one-time passcode. You will then receive a passcode, which they will ask you to read back to them. The passcode actually comes from the service they are trying to compromise, because they have just entered your username and password there, so by telling them the code you are handing over exactly what they need to complete the login as you. Once in, they will immediately change the phone number and email address associated with the account, and the account takeover is complete.

‘Pass the cookie’

In addition to the social engineering attacks described above, there are more technical attack methods. When we access a service and ‘trust’ our device so that we don’t need to complete MFA as often, the service stores that decision in a cookie on the device: a long-lived session or ‘remembered device’ token. A cyber criminal who can obtain that cookie, for example through information-stealing malware on the device, or a phishing site that proxies the real login page and captures the cookie as the user completes MFA, can present it from their own machine. The service sees a valid cookie, treats the request as coming from an already-authenticated, trusted device, and never asks for the second factor. This ‘pass the cookie’ style attack is becoming more common, and it is not the only technical option; the proxying phishing site is one example of social engineering and technical attack combined.
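The following is an added example, not code from the article or from Millfield School, that models the server side of a pass-the-cookie attack in a few lines of Python. It builds a naive session store that accepts any request presenting a valid cookie, beside a hardened one that binds each session to a keyed fingerprint of the client that completed MFA, gives it a lifetime, and revokes it on mismatch. The server key, the fingerprint fields (client network and user agent), the class and function names, and the victim and attacker requests are all constructed assumptions for the demonstration.

```python
"""Pass-the-cookie: a stolen session cookie replayed from another device.

Constructed example (not the article's code). A naive store trusts any bearer
of the cookie; a bound store ties the session to the client that passed MFA.
"""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment HMAC key


def fingerprint(ip: str, user_agent: str) -> str:
    """Keyed hash of the client attributes captured at MFA time.

    Binding to the /24 rather than the exact address tolerates ordinary address
    churn on the same network while still catching a replay from elsewhere.
    """
    net = ".".join(ip.split(".")[:3])
    msg = f"{net}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class NaiveSessionStore:
    """Vulnerable form: any request presenting a known session id is trusted."""

    def __init__(self):
        self._sessions = {}

    def login_with_mfa(self, user, ip, user_agent):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user}
        return sid

    def authenticate(self, sid, ip, user_agent):
        sess = self._sessions.get(sid)
        return sess["user"] if sess else None


class BoundSessionStore:
    """Hardened form: session bound to the MFA'd client and to a lifetime."""

    def __init__(self, max_age_s=8 * 3600, now=time.time):
        self._sessions = {}
        self._max_age = max_age_s
        self._now = now  # injectable clock so expiry can be exercised offline

    def login_with_mfa(self, user, ip, user_agent):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "fp": fingerprint(ip, user_agent),
            "issued": self._now(),
        }
        return sid

    def authenticate(self, sid, ip, user_agent):
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._now() - sess["issued"] > self._max_age:
            del self._sessions[sid]  # expired: force a fresh MFA prompt
            return None
        if not hmac.compare_digest(sess["fp"], fingerprint(ip, user_agent)):
            del self._sessions[sid]  # revoke: presenter is not the MFA'd device
            return None
        return sess["user"]

    def is_active(self, sid):
        return sid in self._sessions


def demo():
    """Replay one cookie from an attacker's machine against both stores."""
    # Constructed sample clients: the victim who completed MFA, and the attacker.
    victim = ("192.0.2.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/120")
    attacker = ("198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/121")

    naive = NaiveSessionStore()
    sid = naive.login_with_mfa("teacher", *victim)
    naive_result = naive.authenticate(sid, *attacker)  # stolen cookie accepted

    bound = BoundSessionStore()
    sid2 = bound.login_with_mfa("teacher", *victim)
    bound_result = bound.authenticate(sid2, *attacker)  # rejected and revoked
    victim_after = bound.authenticate(sid2, *victim)    # victim is re-prompted too

    return naive_result, bound_result, victim_after


if __name__ == "__main__":
    print(demo())
```

Revoking the whole session on a mismatch, rather than silently refusing the one request, is deliberate: the legitimate user is pushed back through MFA and has a chance to notice something is wrong. Fingerprint binding is a mitigation, not a fix; a criminal proxying the login from a nearby residential address with the same browser string will pass it, so it belongs alongside short session lifetimes and, where the service supports them, phishing-resistant factors such as hardware security keys.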

You can never be 100% secure. A good security posture, regular patching, user awareness and the use of MFA all help to increase your cyber security, or resilience. However, we need to be wary of overconfidence. In relation to MFA, I do worry that there is sometimes complacency once it is in place. Yes, it reduces the risk of account compromise; however, it is far from foolproof.

So, we find ourselves back at risk management, and here the key for me is simply doing all we can to reduce risk. This might involve patching one more server, reducing access rights for users who don’t need them or implementing MFA. 

Each and every step we take which reduces risk is a win.

