Top ten points in the fight against cybercrime

At a summit of regulators and intelligence chiefs yesterday, the business secretary, Vince Cable, issued a timely warning to all in attendance of the vulnerability of Britain’s essential services to cyber-attack. The regulators, which included representatives from the Bank of England, Civil Aviation Authority, Office of the Nuclear Regulator, Ofgem, Ofwat and Ofcom, were briefed by the head of GCHQ, Sir Ian Lobban, on the threat posed to systems.

Clearly the threat presented by online criminals is now well beyond the realm of big business, financial institutions or even private companies; it now involves industries linked inextricably to our everyday existence – from power operators to telecommunications providers. 

In a joint communiqué, the government and regulators pledged, among other items, to adopt the security standards set by GCHQ’s “10 Steps to Improve Cyber Security” plan. Importantly, one step calls out the need to manage the access rights of “privileged users”.

The risk presented by unmanaged, and unmonitored, privileged user accounts has rightly leapt to the fore in recent months – not least thanks to the archetypal example of Edward Snowden. Privileged users – typically holding titles such as computer system administrator – are a special concern because of the often unhindered access to systems and data associated with these roles.

The uncomfortable reality is that privileged insiders exist in every organisation and, while their presence is essential to the running and maintenance of corporate networks, their powerful network access rights often enable their user accounts to perform actions they simply should not be able to. The risk arises when these privileged accounts have access to read, copy or change documents – this is also why they are a strategic and alluring target for perpetrators of cyber-attacks like APTs.

Unfortunately, the current swathe of data breaches is proof enough that far too many organisations are still floundering to protect themselves from abuse of this nature. It’s worth remembering that the breaches affecting both US retailer Target and the Korea Credit Bureau (KCB) in recent weeks involved network access abuse.

Of course, it is not strictly privileged users that pose a threat, but all users that have access to sensitive information. For example, an accountant with access to company financial records or an HR administrator with access to employee data have legitimate access needs, but compromises of these types of accounts can also have serious consequences. Unfortunately, traditional IT security defences are futile in protecting against the security risks posed when privileged user and other accounts are compromised. In effect, the “bad guys” are then already within company walls and their actions are masked behind legitimate user accounts.

It must be remembered that the most valuable data an organisation has typically sits at the server / data centre level, and the underlying operating systems in this part of the IT infrastructure have been designed in such a way that there is weak separation of duties between users. Often, the root or system administrators have inherent “god mode” access to the data. Organisations need to ensure they have technology in place that allows users to perform their operational role of running the systems but prevents them from accessing the data files themselves.

Choosing solutions that prevent admins from reading or editing the information in data files greatly reduces the risk of a breach.

Another area of focus must be detection and system response capabilities; unfortunately, with APT-driven targeted attacks on the rise, traditional defences are emerging as woefully inadequate. Indeed, according to the Mandiant report last year, the typical attacker went undetected for 243 days. It’s unsurprising, then, that another of the 10 steps in the GCHQ plan is the importance of “Monitoring” in the fight against cybercrime. This step states that organisations need to establish a monitoring strategy and produce supporting policies. Equally, it advises that all ICT systems and networks should be constantly screened and activity logs analysed for any unusual or suspect activity that could indicate the onset of an attack.

The tools necessary to do this are known as “Security Intelligence and Event Management” (SIEM) solutions, which provide an auditing capability that helps organisations not only to understand their security posture, but also, crucially, to alert on improper data access by employees already on the network. By “watching the watcher” and reporting on root and/or system administrator activities, these solutions help enterprises to understand unusual data access patterns before data breaches even occur.
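As an added illustration of the “watching the watcher” idea (example code written for this page, not part of the article or of any GCHQ or SIEM product), the script below parses constructed audit lines and raises two kinds of alert: a privileged account (root, sysadmin) reading, copying or changing files under sensitive data paths, and any account touching an unusual number of distinct sensitive files. The log format, the path prefixes, the account names and the threshold are all assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit trail (not real logs): one event per line.
SAMPLE_LOG = """\
2014-03-11T09:02:11 user=root action=service_restart path=/etc/init.d/nginx
2014-03-11T09:05:40 user=alice action=read path=/data/finance/q1_ledger.xlsx
2014-03-11T09:06:02 user=root action=read path=/data/hr/payroll_2014.csv
2014-03-11T09:06:03 user=root action=copy path=/data/hr/contracts/0001.pdf
2014-03-11T09:06:04 user=root action=copy path=/data/hr/contracts/0002.pdf
2014-03-11T09:06:05 user=root action=copy path=/data/hr/contracts/0003.pdf
2014-03-11T09:10:00 user=sysadmin action=package_update path=/var/lib/apt
2014-03-11T09:12:30 user=bob action=read path=/data/hr/payroll_2014.csv
"""

PRIVILEGED = {"root", "sysadmin"}                 # accounts that run the systems
SENSITIVE_PREFIXES = ("/data/finance/", "/data/hr/")  # data they should not read
DATA_ACTIONS = {"read", "copy", "write", "delete"}    # actions that touch file content
BULK_THRESHOLD = 3  # distinct sensitive files by one user before we call it bulk access

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$")

def parse(log_text):
    """Turn the raw audit text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def detect(events):
    """Return alerts as tuples: (rule, user, detail)."""
    alerts = []
    touched = defaultdict(set)  # user -> set of sensitive paths accessed
    for ev in events:
        # Operational actions (restarts, updates) and non-sensitive paths are fine.
        if ev["action"] not in DATA_ACTIONS or not ev["path"].startswith(SENSITIVE_PREFIXES):
            continue
        if ev["user"] in PRIVILEGED:
            # Separation of duties: admins run the box but should not open the data.
            alerts.append(("PRIV_DATA_ACCESS", ev["user"], ev["path"]))
        touched[ev["user"]].add(ev["path"])
    for user, paths in touched.items():
        if len(paths) >= BULK_THRESHOLD:  # unusual breadth of access, e.g. a bulk copy
            alerts.append(("BULK_SENSITIVE_ACCESS", user, len(paths)))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(*alert)
```

Running it flags root four times for opening HR files and once more for touching four distinct sensitive files, while alice, bob and the sysadmin’s package update produce nothing.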

As cybercriminals become increasingly skilled in their trade, much more will need to be done to protect IT systems and to safeguard the valuable assets they contain, whether that’s personal data, online services or intellectual property. While there may be initial challenges in identifying or implementing certain technologies, like encryption, that control and dictate the parameters within which these users can access documents, the risk of not doing so far outweighs them.

Data has become one of the most valuable commodities for modern criminals, and Intellectual Property (IP) theft must be treated as one of the top concerns for organisations as the fight for competitive edge intensifies. Security must be seen as an enabler and data must be protected at all costs – after all, it cannot protect itself.