With UK voters set to hit the polls this week, public sector cybersecurity is being thrust firmly into the limelight. Amid speculation that it’s only a matter of time before a political party falls victim to a hack, the UK’s new NCSC (National Cyber Security Centre) has announced that attempts to compromise data and systems belonging to political party staff are a top threat. The good news here is that the public sector is aware of such threats and is taking steps to guard against them – but like many sectors, more can of course be done.
Phishing is an increasingly popular method hackers use to gain access to passwords and sensitive information. It has become a significant problem because it is easy to conduct on a mass scale and difficult to attribute to a specific entity. Often indiscriminate in nature, it forms the basis of a range of attack types such as credential theft, malware/ransomware infection, and exploitation of website vulnerabilities.
What’s the harm in a spot of phishing?
The effectiveness of this tactic is all too clear: the FBI has stated that over $2.3 billion was stolen through phishing email scams commonly known as ‘CEO fraud,’ in which corporate finance teams are tricked by an email appearing to come from the CEO. Proven in the business world, will this trick MPs?
Although the NCSC has made significant improvements by working with government departments to help them block fake emails, there are non-technical factors that make them difficult to defend against. For example, phishing emails targeting politicians are generally not aimed at their official, secure accounts, instead focusing on personal accounts and credentials.
As we become more connected through internet-enabled devices and the data they carry, our personal and professional lives become unavoidably linked. What makes this dangerous is that once a hacker has access to one account, it becomes significantly easier to access others.
Although a politician’s social media accounts may seem far removed from private government information, they can reveal location history (usefully provided by GPS-enabled smartphones), public and private conversations with friends and colleagues, as well as other information which can be used to build up a surprisingly complete picture of an individual.
What is also concerning is that hackers do not necessarily need to target the politicians themselves. For example, data owned by a company providing air conditioning units to Downing Street may not be of specific interest to a hacker, but information acquired from their employees’ Facebook accounts could verify the location of a certain MP.
Everyone is responsible
Although large public sector organisations have defences in place to reduce phishing attacks, there are also some basic steps and principles that everyone can follow to protect themselves.
If you didn’t ask for it – don’t trust it
Unless you specifically went to a website to request information, a password reset or any other form of communication, don’t trust it. If you need to be certain, close your email, open a web browser and manually visit the site to check if there is anything you need to do.
Keep personal and work information separate
While technology exists that can sufficiently protect your mobile device from malware, adoption is limited. For now, this may mean carrying two phones everywhere you go, but at least if your personal device is compromised, the malware will not have access to corporate data.
Be aware that friends, family and co-workers may be your weak link
You may have taken all necessary steps to protect your data and devices, but this won’t matter if a relative or colleague is tricked into revealing credentials. This could lead to their accounts being hijacked to send fraudulent emails to you or your employer which could result in the disclosure of sensitive information.
Use multi-factor authentication
The use of a fingerprint or ‘token’ in combination with your password is referred to as ‘multi-factor’ authentication. It provides an additional layer of protection for your credentials, as without the second factor, the password alone is useless. Using something you are (e.g. a fingerprint) or something you have (e.g. a physical token) makes it much harder for criminals to gain control.
Ignore the padlock!
In years gone by, the padlock icon at the top of a web browser was a good indication of a secure and authentic site. With web server certificates now available cheaply, the padlock symbol means very little: it shows only that the connection is encrypted, not who you are connected to, and it is easier than ever for fraudsters to obtain one for a malicious site. The safest way to protect yourself is to avoid clicking on an unknown email link. Enter the website address manually – that way you can be sure you are visiting the site you intended to.
While education on the risks can go a long way to helping individuals identify fraudulent emails, the likelihood is that where there are humans, there will always be scams. Given the vast range of methods available to hackers, training alone cannot be the primary method of preventing phishing attacks.
From email systems and social media platforms to banks and media providers, service providers have a duty of care to their users. Robust technological defences to spot fraudulent transactions and unusual behaviour, combined with empowering users to take control of their own data, is the best way to keep sensitive information safe. As we approach the General Election, it is vital that government stakeholders are aware of the threats targeting them, however small, to maintain the integrity of the UK’s political system.
Sourced by David Warburton, senior systems engineer, Government and Defence, F5 Networks