Weekly Podcast: Holyrood attack, NotPetya (again) and retail breaches double

This week, we discuss a brute-force attack on the Scottish Parliament, the ongoing costs of June’s NotPetya attacks, and a double in the number of data breaches affecting the retail sector.

Hello and welcome to the IT Governance podcast for Friday, 18 August 2017. Here are this week’s stories.

The Scottish Parliament’s computer systems have been subjected to a brute-force attack, barely two months since Westminster suffered a similar attack in which nearly 90 parliamentary email accounts were compromised.

In an email to MSPs and parliamentary staff on Tuesday, Sir Paul Grice, Holyrood’s chief executive, said:

“The parliament’s monitoring systems have identified that we are currently the subject of a brute force cyber-attack from external sources.

“This attack appears to be targeting parliamentary IT accounts in a similar way to that which affected the Westminster parliament in June. Symptoms of the attack include account lockouts or failed log-ins.

“The parliament’s robust cybersecurity measures identified this attack at an early stage and the additional security measures which we have in readiness for such situations have already been invoked. Our IT systems remain fully operational.”

Brute-force password attacks are an unsophisticated trial and error hacking method in which criminals use software to systematically try combinations of letters, numbers and symbols until they successfully match targeted accounts’ credentials.

With security measures such as those the Scottish Parliament presumably has – for example limiting the number of password guesses that can be made in any given period, locking accounts after a certain number of failed login attempts and blocking certain IP addresses – attacks can be stymied and legitimate users are barely inconvenienced.

It’d be a mistake to rely on these measures alone, though. Large numbers of people use common passwords, so many brute-force attacks use password dictionaries, and many people reuse passwords across multiple sites, meaning that all of their accounts are at risk should one of those sites suffer a breach. Sensible organisations should, therefore, also employ two-factor authentication and enforce a strong password policy.

Time for a bit of a ramble about password security for individual users, I think.

Traditional advice is to make passwords complex and unique, to use upper-and lower-case letters and numbers, and to change them regularly. However, the problem with this advice is that it’s almost impossible for the average user to follow. If, say, you have fifty online accounts and have unique, complex passwords for each of them, which you change every six months, what chance do you have of recalling them? I don’t know about you, but I struggle to remember what day it is some mornings.

That’s why modern advice is to use passphrases rather than passwords. Phrases are much easier for people to remember than random combinations of letters, numbers and symbols, and when it comes to password strength, length matters more than complexity: with every character you add to your password, its inherent security increases exponentially.

For instance, if a simple 8-character password comprising just lower-case letters takes five hours to crack, a 9-character password will take 5 days, a 10-character one 4 months, an 11-character one a decade, and a 12-character one 200 years to crack.

Still, this advice doesn’t really help you create tens if not hundreds of unique passwords. My advice? Use a password manager to generate strong passwords that you won’t have to remember and implement two-factor authentication just to be on the safe side. After all, password managers sometimes get breached too.

As I mentioned last week, the impact from June’s NotPetya attack is still being felt. Now, following Reckitt Benckiser’s estimate last month that the malware infection would cost it £100 million, the Danish shipping giant Moller-Maersk has stated that it will lose up to $300 million in the third quarter after its IT system was brought down by NotPetya.

According to the Financial Times, Maersk’s CEO, Soren Skou, said Maersk was “strengthening its IT security after the attack at the end of June that paralysed the company temporarily and led to lost bookings in July.” It was also investing in cyber resilience: “We have done a lot to harden our defences and we will do more. We will increase our ability to isolate hacker incidents and rebuild [systems] faster,” said Skou.

According to figures from the Information Commissioner’s Office, the number of retail firms that have reported data breaches has doubled in just one year, from 19 in 2015/16 to 38 in 2016/17.

The law firm RPC, which analysed the data, said that “the retail industry is beginning to feel the pressure to invest more heavily in cyber-security” as “the risks involved in data breaches are increasing”.

It’s worth remembering, however, that this is an increase in the number of reported breaches. As companies aren’t currently obliged to report incidents, the actual number will undoubtedly be much higher – something that will be significantly more noticeable from next March when the General Data Protection Regulation (GDPR) comes into effect. The new law mandates that organisations report data breaches within 72 hours of their discovery.

RPC Partner Jeremy Drew said: “Retailers are a goldmine of personal data but their high profile nature and sometimes aging complex systems make them a popular target for hackers.”

He added: “As the GDPR threatens a massive increase in fines for companies that fail to deal with data security, we do expect investment to increase both in stopping breaches occurring in the first place and ensuring that if they do happen they are found quickly and contained.”

“No UK retailer wants to be in the position of some public examples who were forced to confirm that it took them nearly a year to close a data security breach.”

For more information about the GDPR, see our GDPR resource page.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.