UK parliament cyber attack highlights the shortcomings of passwords
As we reported over the weekend, the UK parliament's email system was subject to a brute force attack using passwords stolen in the 2012 LinkedIn breach.
Security experts have been quick to point out the inherent weakness in large organizations and government departments relying on passwords to protect highly sensitive data.
"A simple brute force attack can normally be detected and blocked within a minute," says Ilia Kolochenko, CEO of web security company High-Tech Bridge. "This incident highlights once again that cybersecurity fundamentals are ignored even by the governments of leading countries. Today, two-factor authentication (2FA), advanced IP filtering and anomaly detection systems are a must-have for critical systems accessible from the Internet. Strict password policies and regular audits for weak and non-compliant passwords are also vital for corporate security. However, apparently, none of these simple but efficient security controls were properly implemented."
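The "detected and blocked within a minute" point above turns on watching failed logins per source over a short window. The following is an added example, not code from the article or from any of the vendors quoted: it runs a sliding-window check over a constructed sample of webmail authentication events (the log format, usernames and IP addresses are all assumed), flagging both classic brute force on one account and the spraying of leaked credentials across many accounts, and noting any account that then logs in successfully from a flagged source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample of webmail auth events (assumed format: "<ISO time> <FAIL|OK> user=<name> src=<ip>").
SAMPLE_LOG = """\
2017-06-24T01:00:00 FAIL user=mp.alpha src=203.0.113.7
2017-06-24T01:00:05 FAIL user=mp.bravo src=203.0.113.7
2017-06-24T01:00:10 FAIL user=mp.charlie src=203.0.113.7
2017-06-24T01:00:15 FAIL user=mp.delta src=203.0.113.7
2017-06-24T01:00:20 OK user=mp.echo src=203.0.113.7
2017-06-24T01:00:30 FAIL user=staff.foxtrot src=198.51.100.12
2017-06-24T01:00:45 FAIL user=staff.foxtrot src=198.51.100.12
2017-06-24T01:01:00 OK user=staff.foxtrot src=198.51.100.12
2017-06-24T01:02:00 FAIL user=clerk.golf src=192.0.2.50
2017-06-24T01:02:05 FAIL user=clerk.golf src=192.0.2.50
2017-06-24T01:02:10 FAIL user=clerk.golf src=192.0.2.50
2017-06-24T01:02:15 FAIL user=clerk.golf src=192.0.2.50
2017-06-24T01:02:20 FAIL user=clerk.golf src=192.0.2.50
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(lines):
    """Yield (timestamp, result, user, src) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def detect_brute_force(lines, window_seconds=60, max_failures=4, max_accounts=3):
    """Flag a source whose failures inside a sliding window exceed max_failures
    (brute force on one account) or span more than max_accounts distinct users
    (spraying leaked credentials); later OK logins from it are recorded as compromised."""
    recent = defaultdict(deque)  # src -> (time, user) failures still inside the window
    alerts = {}
    for ts, result, user, src in sorted(parse(lines)):
        if result == "OK":
            if src in alerts:  # success from an already-flagged source
                alerts[src]["compromised"].append(user)
            continue
        q = recent[src]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:  # expire old failures
            q.popleft()
        accounts = {u for _, u in q}
        if len(q) > max_failures or len(accounts) > max_accounts:
            a = alerts.setdefault(src, {"failures": 0, "accounts": 0, "compromised": []})
            a["failures"] = max(a["failures"], len(q))
            a["accounts"] = max(a["accounts"], len(accounts))
    return alerts
```

The legitimate user who mistypes twice is never flagged, while the spraying source is caught on its fourth distinct account, well inside the one-minute figure quoted above.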
Spencer Young, RVP of EMEA at Imperva, echoes the concern over password use. "Passwords continue to be an Achilles heel in the fight against cybercrime as improper user behavior -- such as weak passwords or use of the same password across different sites -- continues. What's disturbing, aside from the doubtless potential for high levels of confidentiality within emails emanating from the House, is that there are simple, effective methods such as two-factor authentication and TLS client authentication, which have been shown to be extremely secure, yet usability issues have hampered adoption. This is an outcome of a continual lack of understanding and investment from the Government in security strategies that enterprise Britain adopts as standard operating procedures. This attack was unfortunately just a matter of time."
Some also question the use of normal email accounts for exchanging sensitive information. Daren Oliver, IT specialist and managing director at London-based business Fitzrovia IT says, "As data becomes more and more valuable we need to start asking the question whether exchanging highly sensitive and confidential information over email should be reassessed and if the introduction of multi-factor authentication [for example, a combination of password, PIN and fingerprint] should be compulsory for those communicating data of this nature."
On a positive note, there has been some praise for the speed of response to the attack. "What is interesting about this organized and sustained attack is that only one percent of email accounts were compromised, due to the quick response of security officials to disable remote access to the network," says Jamie Stone, vice president EMEA at threat intelligence platform Anomali. "However, this cannot be relied upon in future, and improving education of staff, as well as enforcing strict strong password policies, remains imperative to ongoing cyber defense. Governments worldwide should also share indicators of compromise (IOCs) and historical log data of malicious activity with industry peers in a trusted network to detect bad actors proactively."
While there has been speculation about whether this could be a state-sponsored attack, High-Tech Bridge's Kolochenko warns against jumping to conclusions: "Such an attack is very simple and cheap to organize, and virtually any teenager could be behind it. However, for this particular incident, I would abstain from blaming any state-sponsored hacking groups, because with such an unacceptably low level of security, they have likely already been reading all emails for many years without leaving a trace."
Could this be the beginning of the end for password security? Let us know your views.