Sophos’ John Shaw tells TechWeekEurope why government agencies need to sharpen up their defences
A recent Freedom of Information request revealed that the DVLA has been subjected to 264,484 attempted cyberattacks in the past three years, equating to more than 200 a day. Almost 6,000 incidents have been classed as structured query (SQL) attacks. Attacks such as SQLi (SQL Injection) are extremely frequently used by cyber criminals to insert malicious code to exploit computers, but also to extract sensitive information such as usernames, passwords or even more serious data.
Depending on where these attacks occurred, if successful they could have allowed attackers to distribute malicious code from their websites (as happened to Jamie Oliver only last week) or perhaps perpetrate even more serious criminal activity such as cloning vehicles, creating a false number plate, or manipulating qualifications. That said, given what has been revealed it is highly likely these attacks were against their more public assets. We should be clear that these categories of attack are extremely common, growing in volume and in SophosLabs we see them running into tens of thousands every day.
The same report also uncovered that the Student Loan Company (SLC) was the target of 930 attempted phishing attacks through spoof emails, and it also emerged that Ofcom and the Disclosure and Barring Service were also targeted by cyber criminals.
What this makes abundantly clear is the sheer volume of attacks that government organisations are being subjected to on a daily basis. What’s more, every day we see more and more businesses falling victim to cyber attacks, largely due to the commercial availability of high quality cyber crime tools, and organisations failing to put in place adequate(often not even basic) defences or update security protocols.
Though the DVLA has said that no cyber-attacks have been successful, the unfortunate truth is that many cyber-attacks on businesses go unnoticed. Often obvious indicators of compromise are missed, because organisations either have nothing in place to collect the right data or systems are so complex that it requires a team of individual with a specific skills set to analyse that data. For small and mid-sized businesses in particular, this is a major headache as they don’t have large teams of IT specialists, let alone security specialists. In today’s threat landscape, businesses need to have a security system in place that allows them to protect all attack surfaces but also to quickly detect a compromise in the event security is breached. Only in this way can they be confident, like the DVLA, that they were not a victim of a breach.
Data breaches are far more common than most people realize and as a business it is prudent to assume you may have already fallen victim and you just might not know it yet. This is what happened to the SLC. To protect your company and yours and your customers’ data, you should assume attackers are already on the inside and implement a security system which, if a hacker does manage to get through, can warn you of a breach and provide you with the intelligence to quickly track down where and how.
Below are 10 top tips on how businesses can protect themselves by building up layered security defences which focus on everything from the enduser to the network and cloud to increase the probability of prevention and detection.
How businesses can protect themselves:
- Ensure you have effective enduser, network and email protection that filters out spam, malware and dangerous file types.
- Train employees to be suspicious of emails, especially those that contain attachments, and to report any unusual emails or attachment behaviour to IT.
- Make sure your operating system and applications are up to date with the latest security fixes. Most exploit kits see success due to exploits in software for which a patch is already available and has not been deployed.
- Install endpoint protection software and/or a secure web gateway that can identify and block exploit kits before they infect your systems.
- Criminals want to capture more than just one user’s password and confidential files, they want access to your back-end databases, your PoS network, your testing network. Consider segregating your networks with next-gen firewalls that treat your internal departments as potentially hostile to each other, rather than having one big “inside” fenced off from the even bigger “outside.”
- Put in place a device control strategy to identify and control the use of removable storage devices – not only does this prevent bad stuff getting in,, but it can also help stop personally identifiable information (PII) and intellectual property (IP) data from going out.
- Implement full disk protection and file encryption to protect sensitive data stored on laptops, servers or removable media.
- Use Application Control to keep track of, and restrict, unnecessary software that reduces security without adding any needed benefit.
- Implement a data protection policy which guides employees on how to keep personal data secure and ensure they are properly educated. Having a policy isn’t enough, they also need to understand it
- If you move to the cloud make sure that the ability to encrypt the data – both in the cloud and also when being transferred- is on your core requirements list.
John Shaw is VP of product management at Sophos
What do you know about Internet security? Find out with our quiz!