Holding a gun to data

News stories are free to read. Click here for full access to all the features, articles and archive from only £8.99.

With more and more businesses working remotely and using online transactions, Adam Bernstein considers the importance of taking cyber safety seriously

Cyber-attacks are in the news again. First seen in 1972 when a researcher working in the US on ARPANET, a precursor to the internet, created a computer program called Creeper that could move across ARPANET’s network. It left a breadcrumb trail wherever it went which read: ‘I’m the creeper, catch me if you can.’

Are you enjoying this feature? Why not subscribe to continue reading?

Subscribe for just £10 a month with our annual print and digital offer, Or login if you are already a subscriber

By subscribing you will benefit from:

  • Operator & Supplier Profiles
  • Face-to-Face Interviews
  • Lastest News
  • Test Drives and Reviews
  • Legal Updates
  • Route Focus
  • Industry Insider Opinions
  • Passenger Perspective
  • Vehicle Launches
  • and much more!

But now the intrusions are more insidious. In May, Colonial Pipeline which operates a pipeline that carries three million barrels of fuel a day between Texas and New York – was the subject of a ransomware cyberattack that shut its systems down for five days leaving the East Coast short of fuel. A few days later, at the start of June, the world’s largest meat processor, JBS, was also attacked by ransomware and its operations in Australia, Canada and the US were halted. And at the end of June, hackers managed to exploit flaws in Western Digital’s My Book Live backup devices to remotely wipe the hard drives. Western Digital’s advice to those owning the drive was to remove them from the web as soon as possible.

And the world of passenger transport has not been exempted. In February 2020, the Irish News wrote that public transport operator Translink had suffered a suspected ‘ransomware’ cyberattack. A source told the newspaper that Translink’s IT network had been in ‘lockdown’ with some staff unable to log into computers.

Translink seems to have been lucky as the company said that transportation had not been affected and that it could still take payments. But there have been other attacks on public transport systems around the world. In October 2020 Société de transport de Montréal, a public transport agency in Canada, disclosed that its digital systems were down due to a ransomware attack and so its website would remain inaccessible to users for some days. A source from Bleeping Computer stated on Twitter at the time that the RansomExx gang was responsible for malware spread. It’s suspected that Defray777 ransomware was introduced into the network in the first week of October to first steal unencrypted files and then lock down the database from access.

The cyberattack problem is acute reckons a Government report, Cyber Security Breaches Survey 2021. It found that 39% of businesses were subjected to a cyberattack or breach in a 12-month period and 21% lost money, data or other assets. Further, the average cost of the cyber security breaches these businesses experienced was estimated to be £8,460. For medium and large firms combined, the average cost was higher at £13,400.

Defining a cyberattack

So, what is a cyberattack? According to Dai Davis, solicitor, chartered engineer and partner at Percy Crow Davis & Co, the Wikipedia definition of ‘any attempt to expose, alter, disable, destroy, steal or gain information through unauthorised access to or make unauthorised use of an asset that is a computer information system, computer infrastructure, computer network, or personal computer device,’ is one that he agrees with.

He says that it “matches the broad definition of an offence under s1 of the Computer Misuse Act 1990 which criminalises any action that ‘causes a computer to perform any function with intent to secure access to any program or data held in any computer where that access is unauthorised’.”

Roy Isbell, a cyber security specialist and advisor to the UK Forensic Science Regulator, agrees with Davis. He defines a cyberattack as: “fundamentally the interaction of a threat actor with a particular system with the intention of achieving a particular outcome.”
Of course, how the attack manifests itself is dependent upon the outcome that the threat actor is hoping to achieve, the level and type of access that they have been able to create, and the skills and tools available to the threat actor.

Nevertheless, he’s aware that many believe that ‘cyber’ is just an alternative word for the internet and devices that are connected to it. Whilst this may be true, he says ‘that this is not the whole scope of what the cyber environment covers.’

Davis recalls an old information technology saying: “There are two types of business – those who know they have been breached, and those who don’t yet know.” But as to where the threats originate, Davis says that some are performed by ‘script kiddies’ “who try and hack into a system for fun. They are mostly out to hack well known sites, or ones that will give them some ‘prestige’.” He adds that non-monetary sites include those that attract opposition, such as those belonging to political parties.

Isbell takes a similar line but has seen ‘some operate in a more random fashion’ as they look to prove their skills or develop tools in order to raise their profile within a community.

For the criminally minded, making money is the goal and they attack anything where it pays them to do so. “They may,” says Davis, “adopt a scattergun approach, sending out millions of scam emails in the expectation that only a few people will fall for the scam, alternatively they may target a particular ‘rich’ target but in a more subtle, considered manner.” Of course, at the extreme, states such as China, Russia and North Korea attack companies to steal technology.

Worryingly, as Isbell points out, Covid-19 has altered the landscape somewhat because ‘we now have a more distributed business model with workers working from home, often on shared networks with only limited security implemented.’ Making a similar point, Davis has found that any newsworthy topic may be used to persuade a staff member or individual to click on a link that will take them to a compromised website. “In that sense, the pandemic is no different and has given malicious actors opportunity to create appealing false links, for example, with offers of having an early vaccination,” he says.

Security is a relative term

No system is perfect. But Davis knows ‘that the amount of effort it takes to breach a system is proportional to the amount of effort taken to secure the site in the first place.’ He cites one of the first ever recorded security breaches where a website could be hacked by clicking on a certain part of the web page in a public part of the site with the left mouse button instead of the right mouse button. Doing so revealed other customers’ details.

Moving on, Isbell talks of a process developed by Lockheed Martin that maps the stages of a cyberattack. Called the ‘Cyber Kill Chain,’ he says that the steps involve reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and ‘actions on object.’ “Each step,” says Isbell, “is required for the subsequent step to have a chance of being successful. Therefore, a security breach is not a single event or tool, though it often appears this way, but a combination of knowledge, skills and intelligence used in sequence to achieve the effect or outcome the threat actor wants to achieve.”

For him, the only way to achieve 100% security is for a system to not connected to any form of external communications. He emphasises that cyber security is about managing risk: “this requires that we spend time evaluating and understanding the cyber environment and what it is we need to protect; it is not always the data that requires protection, but the systems themselves.”

Countering threats

As both Isbell and Davis detail, there is no easy way to counter cyber threats. Apart from a company’s own systems, Isbell would also look at the supply chain, ‘especially where processes may share data between firms.’ For him, having a strategy is key, and for that to work ‘an understanding of the firm’s cyber ecosystem is essential… and not just focussed on the data that resides on the various IT systems it may have.’

Davis, on the other hand, would create a budget and appoint someone at board level to maximise its use. He would bring in an independent consultant to consider where the budget should be spent. He also cautions against placing too much reliance on specific security products, ‘many of which are good, but which solve only the security issue that the particular vendor advertises.’

Staff training is something else to consider. While it’s not fool proof, the more staff training, the lower the probability that a staff member will introduce harm to the business. But as Davis warns: “Training needs to be regular. There is little point in only training during induction week and then not following that training up with regular reminders… staff may be sent a malicious email containing a spurious link at any time.”

Isbell too values training. He says that: “The most efficient and well understood security environments I have witnessed are where the company has worked to develop security as part of the culture of the organisation. A combination of carrot and stick is used to great effect without defaulting to a punitive strategy on what happens should a breach occur.”

And then there’s the option of placing a notice on every email which a staff member receives warning them if an email has come from an external source and that it may be malicious. On this Davis thinks warnings unlikely to be of much assistance: “It is likely to be ignored as the staff member is anxious to read the email not the header, let alone the repeat warning in the header.”

Crucially, Isbell recommends including cyber security breaches as part of business continuity disaster recovery planning: “Whilst some firms have been unable to continue after a cyberattack, those that have had a robust incident response plan have not only been able to recover but recovered faster and as a consequence, minimised the overall impact on the business and its operations.”


The risks from doing nothing

Firms that do nothing, and which suffer an attack, risk legal fallout. Davis points first to the fines for poor security under the civil part of GDPR – the General Data Protection Regulations. He says that the probability of a fine is tiny, but the risk of criminal sanction under the GDPR is not: “Criminals, like regulators, have limited budgets and look for ‘low hanging fruit.’ If you can make your business more secure than that of your competitors, it will be enough to persuade some criminals to look elsewhere for a softer target.”

Beyond that, Isbell says that a firm that does nothing should expect to suffer a breach at some point, if they have not already. But apart from implementing security, he states that:”It also requires some form of monitoring… and if no monitoring is implemented, the firm will not know it has been breached until the breach is made public by the threat actor.” And when this happens, there comes a natural question: “Who would trust an organisation that does not take security seriously?”

Further, there’s the risk of corporate failure. Canada’s Nortel Networks Corporation filed for bankruptcy in 2009, having once been valued at a third of the entire worth of the Toronto Stock Exchange. Its technology and intellectual property had been stolen by Chinese hackers who had infiltrated the entirety of the company’s systems in 2000. The breach was discovered in 2004 but not fully cured by the time of the company’s bankruptcy. Davis says that the breach is widely regarded as being one of the prime causes of the company’s failure.




The Government’s role

It’s important for businesses and organisations to consider the role of government. Davis isn’t impressed and describes it as ‘woefully inadequate.’ He says that most governments do little to help their citizens. The UK has some ‘high profile vanity projects’ such as the National Cyber Security Centre (NCSC). He says that: “That organisation does a good job protecting national infrastructure, but it does little for smaller organisations.” By way of example, he says that in May 2017 the WannaCry ransomware cryptoworm attacked many businesses and public bodies, including hospitals. It was not the NCSC that found a solution – that came from private security researchers within a few days.

While Isbell doesn’t disagree with Davis, he says that the Government has a responsibility to put in place legislation and provide guidance on how organisations might best protect themselves. Even so, he notes that: “Governments cannot legislate for every possible attack or threat that may emerge, and nor can they provide the detailed measures that are appropriate for individual businesses.” In essence, he says that individuals and organisations must take their own security seriously and take appropriate measures to ensure they are able to recover should they suffer an attack.

Lastly, it bothers Isbell that cyber security is seen as a distraction by business: “It provides no business benefit and is a cost many would choose not to spend. It’s a bit like an insurance policy that is needed just in case, but what is the lowest premium that can be paid whilst still getting a payout?”

In summary

So, when evaluating security, firms need to consider not just themselves but also their information chain. They ought to think what would happen if hackers were to gain access to systems… they could make far more by not revealing that a breach had occurred. Management has been warned.