Managing threats in a digital world

In light of the ransomware attacks on Lincolnshire County Council’s computer system, Des Ward of Innopsis analyses the issue of security in local authorities, and offers advice on the potential threats to council’s information sharing capability.

The reports of a cyber attack against Lincolnshire County Council over the past few weeks has highlighted a technique used to encrypt data on a computer and then demand payment to unlock it again. This isn’t the first high-profile use of this technique within the public sector; MP Chi Onwurah had her Parliamentary account affected in late 2015.

The impact of these attacks are often discounted and the value demanded by hackers often determines the seriousness; but, with 300 systems affected in Lincolnshire County Council and their frontline services having to resort to paper, the impact can be far beyond the money demanded.

Unfortunately, it is becoming increasingly common for criminals to use this technique, commonly called ‘ransomware’. Indeed, with 40 per cent of malware attacks targeted at the public sector in the UK, and new Data Protection guidelines on the horizon, what can organisations do to prevent themselves from falling victim to attack or foul of increasingly stringent information management obligations? Is a concentration on cyber the right focus or is a more holistic approach required to meet the needs of public sector organisations in the digital era?

The rise of ransomware
Ransomware has been a technique used by criminals since 2006, but it has gained popularity through the existence of software that automates the process to the extent that very little skill is required to execute the attack at all.

Ransomware is often deployed using malware that exploits a weakness in the application or operating system software on a device to install, run and encrypt the files.

It would, therefore, be logical to assume that a good anti‑malware solution can be used to detect these attacks and prevent against them; but as the Lincolnshire Country Council example shows, their protection software didn’t pick it up. This is likely to have been because malware is fighting a constant battle to bypass the signatures within the anti-virus software installed within organisations. So what can you do about this to reduce both the likelihood and impact of this happening?

Deploy patches
Make sure that you deploy patches and updates to software regularly, including application software. A good starting point is to subscribe to alerts and notifications from the vendors, although if you have a link to an advisory organisation (such as a WARP within the public sector) then this can be useful to understand when weaknesses are being exploited.

There is good guidance within the Public Services Network Code of Connection (PSN CoCo). Also, it is recommended that you agree timescales for application of patches with any suppliers you have.

Some malware installs itself using features within applications (e.g. macros and Visual Basic) that you don’t require, at least for most users. Always ensure that software is configured in a manner that disables features that you don’t need.

It is also useful to set your email software to view plain-text by default as this highlights a lot of the spam emails. It’s also recommended to ensure that administrator accounts aren’t used for daily tasks, use normal user accounts instead and run another account for special tasks (this can prevent malware being installed in some cases).

Keep anti-malware updated
Of course, you should be looking to ensure that anti-malware software is kept updated, with attacks changing every day I’d always recommend looking to deploy signatures every 24 hours. That said, you need software that doesn’t just rely on signatures (i.e. matches against known attacks) but looks at what’s happening across your network as well (also called heuristics). This approach will provide more effective protection.

You should also note that anti‑malware will not provide long-term protection against unpatched weaknesses due to the nature of the changing techniques being used.

Educate users
Ransomware usually requires someone to do something (i.e. click on a link or attachment), so it’s important to ensure that your users think about the email they have received.

Typically, there are tell‑tale signs such as: the web address being wrong, hover over the link or right-click and view the source to see if the link matches the text in the email; the language used in the email being incorrect, with spelling mistakes; information that you would usually expect in the email being said to be in an attachment; the email coming from someone you haven’t heard of; or an email demanding that something happens urgently. More guidance is available on Get Safe Online.

Business continuity strategy
It’s tempting to treat this as a solely technical issue, yet it is easier to ensure that you have a sound, tested business continuity plan that caters for your business when you don’t have access to systems or data.

This plan should identify how much data you can lose access to before it presents an issue to the business processes, which should ensure that you backup information that is critical to maintaining your operations.

Testing this plan is crucial to ensure that you can get it back when required to maintain delivery of services, which is a legal obligation under the Civil Contingencies Act 2004 for both the public sector and its suppliers.

Understand your information
It’s tempting to merely look at the recovery aspects when disasters happen, but an increasing strategic shift to Cloud services is also uncovering another elephant in the room – the rise of dark data – data created as part of everyday business that’s not used elsewhere.

The recent report from the House of Commons Science and Technology Committee on The big data dilemma raised some interesting challenges to be addressed in the areas of data sharing, open data and data protection. There is much to commend from the findings, but is the answer really about looking at data by itself? Are we missing areas that are still to be addressed prior to exploiting the full ‘big data’ potential from the information held within organisations.

The rise of dark data
The reported fact that 90 per cent of the data in the world has been created in the past two years is of note, given that a report from Veritas last year showing a typical organisation in the UK has 59 per cent of data it is protecting, maintaining and storing, without knowing what information is held within it.

There is therefore a real issue surrounding data as a whole. It is envisaged that maintaining 500TB of this ‘dark data’ is wasting around £1 million of protection and storage costs. How can you start to look to exploit the opportunities afforded by big data if you are wasting time and money trying to both protect and extract useful information from it?

This challenge increases when you become reliant on Cloud services to store your information off-premises. Outages in Cloud services are becoming more common and data loss is now a real possibility (the recent example from 123 reg is a forewarning of what might happen with websites being deleted and some still not recovered over a week after the event).

Business continuity needs to look to continue key operations, but it is not always clear where information is situated or even if you are exposing your risk from suppliers using a single platform.

So, how can you start to look at the information in your organisation when the unstructured information within dark data is increasing at an alarming rate?

Looking at common attributes
One way of looking at uncovering the information hidden within data is to start to look at the attributes we require and standardise them. We often use common data formats to ensure compatibility, yet they are rarely recorded. Beyond this, we have common reporting requirements for things such as tax, organisational returns and medical records; yet we appear unable to capture these for reuse in other situations.

When we look at the myriad of questions that suppliers are asked to complete just to prove they are viable, there are improvements that can be made rapidly. Better still, when we start to look at attributes from a vendor‑agnostic standpoint, we often find easier ways to search for similar information types within our unstructured data.

Documenting flows
Once you know the types of information within your organisation, it becomes easier to understand and map where the information is created, and where it flows inside and outside the organisation.

Mapping the flows of information allows you to understand where ownership should lie, and this should rarely be a line manager. Officers of an organisation bear the legal responsibility for management of information and, whilst they can certainly delegate daily management to someone else, they cannot delegate accountability for how it is managed.

Summary
The management of risks in a cyber world are neither new or evolved from the information security approaches of the past, understanding the information within organisations is not only a legal obligation but is crucial to reducing the exposure from the use of digital and Cloud services.

The varied technologies being sold to manage cyber threat and incident management are only ever going to perform efficiently when you understand the information and where is stored, and what the requirements are for its protection, accuracy and accessibility.

The emergent benefit of this, of course, is that you then have the information at hand to transform your processes to take advantage of digital services; that has to be the key driver to any programme of work rather than merely protecting against cyber threats.

Further Information
www.innopsis.org