If businesses are caught unawares and fail to monitor this data transit blindspot, this is how sensitive data is stolen.
It’s been long understood that as technology becomes vaster and more complex, so do the capabilities of cyber hackers, writes Steve Patton, Director and Cybersecurity Specialist, Telesoft.
However, a couple of months ago, a report released by the government, an assessment of the UK’s Critical National Infrastructure (CNI), exposed the extent of this – that unless we take measures to safeguard our biggest networks, data will be leaking into the wrong hands faster than ever before, with catastrophic consequences.
It’s an area the government has neglected when it comes to budget spend, but increasingly, security disasters have been abundant and highly damaging to businesses. So imagine what could happen if criminals infiltrated our CNI – everyone’s data will be compromised. Not just data, but critical infrastructure too. One month into 2019, and whispers of spying, corrupt behaviour and political mayhem are only adding fuel to the fire.
What’s so interesting about the CNI report itself is it highlighting the ambiguity in the definition of CNI. It argues that the definition has become unclear, this being due to the increasing necessity to integrate technology into critical infrastructure. Technology has fundamentally changed the way we store information and communicate.
Look back twenty to thirty years, and the internet didn’t even exist, to put this into perspective. Energy companies had no need to be conscious of securing smart meters, and the endless streams of data that flow between all kinds of networks.The rapid digitalisation has given us very little time to adjust and re-write the code, so to speak, of our own national security systems. And this is where action needs to be taken.
The report also raised other concerns, relating to involvement and agendas of private sector companies that work within the CNI unable to account for budget allocation and costs on security. There was also hints towards a widespread lack of leadership within the government bodies dealing with the issue. What hasn’t been addressed is the difficulty in protecting the carrier-grade networks that process and deliver an infinite amount of data packets per second.
Prevent National Disasters
In the UK, we are passively aware that we are one of the most heavily surveillanced countries in the world. Privacy, as a concept, is very superficial in 2019, and cybersecurity at least must prevent national disasters from occurring. For this reason, CNI definition needs to be expanded and defined in a more concise manner. It’s only a matter of time before really crucial account details are stolen; this could mean no lights, no power – held for ransom at the hands of skilled hackers. Think: Russia cutting off Ukrainian gas supplies in 2006, and even more recently in 2015. Political disruption like this will be on the cards for the UK if more attention isn’t paid to protecting sensitive infrastructure.
Continuing the theme of tech integration with some rather unwelcome news, this month a report revealed that UK firms have one of the lowest internet-of-things device breach detection capabilities in Europe. With no consistent guidance or regulations set for IoT-connected devices, it’s no surprise that businesses are unable to handle the vast increase in breaches. What this illustrates is that hackers are finding loopholes in both private sector and public sector technology, but ultimately it’s the government that needs to take responsibility and regulate not only the industry, but its own use of data-sharing technology.Public sector and national networks are vulnerable, but equally it’s network and mobile operators, large enterprises, datacentres, cloud providers and ISPs who possess millions of users and connected devices that compile huge amounts of data and are responsible for storing it. When this data is travelling, it is incredibly vulnerable and under constant attack.
What needs to be considered to tackle this issue is adoption of technology designed to handle high calibre data networks. Both private companies and public sector bodies also need to educate themselves on how to confront large scale attacks. After all, cyber security needs to be tailored to specific business needs, and isn’t a one-size-fits all solution.
Networks this active are subject to ‘slow-release’ or ‘low and slow’ attacks, so called due to their insidious nature. Their approach and method is simple – infiltrate, explore surroundings undetected, assess best point of entry, and plan to destroy.
It’s understandable, then, why most companies are unaware of these IoT breaches. The attacks happen in transit, away from legacy infrastructure and traditional security – and out of control. Once the path is discovered, the attack vector moves across a network and infrastructure. But this takes time, so is unlikely to raise any alarm bells and trigger any cybersecurity responses. The content of the attack can be fragmented, disguised as genuine traffic, or even hidden within another attack (like DDoS). The trojan horse analogy still applies.
If businesses are caught unawares and fail to monitor this data transit blindspot, this is how sensitive data is stolen. Imagine this happens to government data, and we have a potentially national scale disaster on our hands. When these ‘low-and slow’ attacks are installed on the target and activated, a slow poisoning of the system occurs, disrupting operations. Slow exfiltration of data is another method hackers use to ensure their tactics go unnoticed. Equally it can take place as a single event; disc encryption, ransomware, extortion, you name it. The point is, these incidents are rife and will only continue to happen if proper security measures aren’t taken in time.
So, since the CNI report has been released, how far has the government come in tackling the matter? Thankfully, plans have just been unveiled to pledge £100m towards cyber security research.This is a welcome start. Most of this budget will go towards integrating security software into the design process, and the rest to researching security of internet-connected devices. Arguably this pledge is well overdue – but better late than never.