Tackling the rising force of cyber terrorism
The technology and know-how are available for terrorists to wreak havoc through cyber warfare. Here, defence writer Peter Jackson talks to Paul Rose of CNS, who outlines the threat and how to guard against it.
WikiLeaks has been at it again.
In early March, the group that publishes secret and classified information from anonymous sources released another tranche of material – 8761 files allegedly exposing the work of the CIA’s Centre for Cyber Intelligence.
This not only highlights – yet again – the vulnerability of even sophisticated intelligence agencies to security breaches, which, if it can be done by WikiLeaks, can be done by terrorists; it also potentially adds to the cyber terrorism arsenal. For the latest leak, known as the Vault 7 documents, contained a highly technical catalogue of hacking tools.
The cyber terrorism threat just got greater; and this keeps those who defend against the threat awake at night, fully alive to the damage that can be done.
This was amply demonstrated in December 2015 when the Ukrainian electricity system was infected by computer malware called BlackEnergy, which led to about half the homes in the Ivano-Frankivsk region being left without energy for several hours.
Five years earlier the US and Israel infected Iran’s nuclear enrichment facilities with Stuxnet.
“Stuxnet was targeted at specific Siemens devices that controlled pumps at Iranian nuclear facilities,” says Paul Rose, Chief Technical Officer at cyber security specialist CNS Group. “These devices were supposed to turn on or off at certain temperatures but the virus told the pumps to lie about the temperature and this essentially blew up the centrifuges.”
London-based CNS provides managed services and consulting, and advises organisations on putting in place secure procedures and infrastructure to withstand cyber threats from wherever they might originate.
CNS Group was founded in 1999, has more than 50 employees and is based in Chancery Lane, with offices in Camberley and a data centre in Enfield. It focuses its activities purely on UK organisations.
“We get heavily involved in auditing and getting people to meet best practice standards,” Rose explains. “We will tell customers how best for them to secure their architecture and we have done that for a myriad of government agencies and departments. We audit them against those standards, such as ISO27001 or PSN (Public Services Network) or best practices.”
PSN, the Government’s high-performance network which helps public sector organisations work together, reduce duplication and share resources, has its own code of practice. This code calls for a series of technical and procedural controls to be in place before an organisation can be part of the network. These are policed by audits and penetration tests and CNS helps customers meet these standards.
“We also have a suite of customers who don’t need to meet a standard but who have been asked by their third parties to prove that their security is robust,” adds Rose.
In these cases CNS uses best practice as well as the top 20 CSCs (critical security controls), which are technical and procedural and which, like the music charts, can and do change.
These include controls such as number 3 at the time of writing: ‘secure configurations for hardware and software on laptops, workstations and servers’, and number 15: ‘controlled access based on need to know’.
CNS will perform a gap analysis against the controls.
“The top threat in any company is that people don’t know their assets. Number one never changes – it’s asset control,” says Rose. “If you don’t know what assets you’ve got that are deployed on your network or what your staff have got in their bags there is no way that you can manage your architecture. If you know your assets then you can control those assets.”
He explains that ransomware has become one of the major threats to organisations because it does not need to attack the central infrastructure but targets the users via techniques such as phishing attacks.
So, how should an organisation go about controlling its assets?
“You can put end-user controls on them, you can put tools on a device that will stop staff clicking on unauthorised applications or will not allow them to go to websites that are not known or trusted,” Rose says.
He also emphasises the importance of governance and policies and procedures to maintain and enforce a system of controls.
A stringent back-up policy is important, enabling recovery from an attack and giving an ability to resist the demands of terrorists attacking with ransomware. Again, it will only be as effective as the governance structure behind it.
Clearly, staff awareness and training are key to this. Rose says the threat from insiders is one of the most prevalent that CNS encounters.
He explains: “If someone is trying to hack you, that is called north to south traffic – coming from the outside to the inside. But a disgruntled employee, once they’re in, is not being monitored – that insider threat is called east to west traffic.”
He adds: “In a large organisation, I can guarantee that people are doing stuff inside that they shouldn’t be doing; apart from knowing your assets, you must know your staff. I’ve been to customers where they’ve done no vetting whatsoever. That’s crazy – how do you know that the person you are taking on is who they say they are?”
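The north-to-south and east-to-west distinction Rose draws can be applied directly to network flow records. The sketch below is an added example, not CNS tooling: the internal address ranges, the expected-pair list and the sample flows are all constructed, and outbound traffic is counted as north-south alongside inbound.

```python
import ipaddress

# Constructed example values: internal address space and the internal
# pairs the organisation expects to see (hypothetical, not from the article).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
EXPECTED_EAST_WEST = {("10.1.0.20", "10.2.0.5", 5432)}  # app server -> database

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.1.0.20", 443),   # outside -> inside
    ("10.1.0.20", "10.2.0.5", 5432),     # expected internal pair
    ("10.3.4.17", "10.2.0.5", 5432),     # workstation -> database, not expected
    ("10.3.4.17", "10.3.4.99", 445),     # workstation -> workstation
    ("10.3.4.17", "198.51.100.9", 443),  # inside -> outside
]

def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(src, dst):
    """Label a flow by which side of the perimeter each endpoint is on."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and dst_in:
        return "east-west"
    if src_in or dst_in:
        return "north-south"
    return "external"  # neither endpoint is internal

def summarise(flows):
    """Count flows per direction, showing how much traffic never crosses the perimeter."""
    counts = {"north-south": 0, "east-west": 0, "external": 0}
    for src, dst, _port in flows:
        counts[classify(src, dst)] += 1
    return counts

def unexpected_east_west(flows):
    """Return internal-to-internal flows that are not on the expected list."""
    return [f for f in flows
            if classify(f[0], f[1]) == "east-west" and f not in EXPECTED_EAST_WEST]

if __name__ == "__main__":
    print(summarise(SAMPLE_FLOWS))
    for flow in unexpected_east_west(SAMPLE_FLOWS):
        print("review:", flow)
```

A perimeter-only sensor would see just the two north-south flows here; the two flagged flows are visible only to monitoring placed inside the network.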
It’s also vitally important to be aware of what devices staff are using that might compromise your organisation’s IT integrity. It is necessary to ensure the security of their smartphones and that they are not, for example, downloading bogus apps which may be infected with viruses or other malware.
This threat is set to grow with the ‘Internet of Things’. One of the tools detailed in the Vault 7 leak was a program called Weeping Angel, which uses Samsung smart televisions as covert listening devices, even when the TV is switched off, recording conversations in the room and sending them to a remote server. The WikiLeaks allegation was that this was a CIA tool, but the important point is that if it is technically feasible, then it could be employed by hostile agencies such as terrorist groups to gain information on organisations through the supposedly private conversations of their key personnel.
This opens up a whole new theatre of cyber warfare.