The recent cyber attack on Australia’s Bureau of Meteorology (BOM) has raised fresh concerns about the ability of government departments to withstand sophisticated cyber attacks.
According to ABC news reports quoting multiple official sources, the attack has raised fears that potentially sensitive national security information may have been compromised. Details of the extent of the attack are yet to be confirmed by the BoM.
The concerns have been amplified by the fact that the BoM operates one of the country’s largest supercomputers and has direct data network links with other government departments and agencies. Authorities fear that, because attackers gained access to BoM computers, this may have provided them with a gateway into other parts of the wider government IT infrastructure.
As well as providing weather forecasts, the BoM uses sophisticated software to undertake complex climate modelling and long-range analysis. This data is used by other areas of government including the Department of the Environment and the Department of Defence. The BoM also provides climate information to commercial airlines and shipping companies as well as conducting analysis of Australia’s water supplies.
The BoM attack is the latest in a string of high-profile security breaches affecting government computer systems around the world. In another recent case, hackers gained access to the United States Office of Personnel Management which holds sensitive data such as the personal details of government employees and their families. Concerns were raised that attackers could use this illegal access to potentially give security clearance to individuals who had not been properly vetted.
Cyber Attacker motivation
While the identity of those responsible for the BoM intrusion is yet to be confirmed, motivation for the attack could have come from a variety of areas.
Data stored on BoM servers, or on those of other departments with which it has network links, could be deemed valuable to foreign governments or criminal organisations. The sophisticated software applications and algorithms used for analysis could also be worth money on the black market.
Motivation may also have come from wanting access to other areas of government. Once BoM servers had been compromised, attackers may have had the potential to send phishing emails to staff in other departments that would have appeared to have come from a legitimate source. If successful, such emails may have resulted in illegal access to other systems and databases, blackmail or successful acts of espionage.
Potential attack vectors
Attacks of this type, whether conducted by nation states or criminal groups, usually follow one of two attack vectors but compromised privileged accounts are the common denominator in nearly all devastating breaches. Once attackers gain control of a privileged account – they can escalate privileges and move laterally throughout the network - undetected.
One strategy used is phishing emails which are directed at staff working in the target agency. Usually carrying an attachment containing malicious code or links to an infected website, if triggered these will allow the attackers to gain access to the agency’s systems and networks. This type of attack is often a means to gaining access to privileged credentials with attackers hopping from endpoints to servers to find the valuable information they want.
Another strategy is to seek out servers at the edge of the agency’s networks that are somehow deficient in their security precautions. These could be systems that have not received the most recent software patches or those with flawed access requirements. Once an attacker has access to one of these servers, it is possible for them to rapidly reach into other parts of the target infrastructure.
Thwarting future attacks
The BoM and OPM breaches are just two examples of a long list of cyber attacks carried out on government departments and agencies around the world. They provide compelling evidence that governments need to make a fundamental shift in their overall security strategies.
While debate often centres around the need for more investment in IT security, the bottom line is that many governments are simply failing when it comes to the basics – they can’t pass Security 101.
These basic but critical steps include patching servers, implementing regular system updates, and tightening controls around privileged accounts and administrator credentials.
However, a recent survey by Dimensional Research* found that 43% of executive teams in government don’t receive regular security reports and metrics to evaluate the effectiveness of their programs. At the same time, 75% of IT security professionals cite budget as a barrier to proper security.
In almost every breach that occurs whether in a government agency or in the private sector, it is eventually revealed that, once they had gained initial access, attackers exploited privileged credentials that enabled them to move laterally across the network. This process often includes conducting undetected reconnaissance for long periods of time, and the theft of sensitive data.
Because these behaviours are seen time and time again, tightening policies and practices for managing, monitoring and securing privileged users and accounts, and accelerating the implementation of multi-factor authentication are important places to start when it comes to shoring up security. Indeed, most organisations typically have three to four times more privileged accounts than employees and agencies must first start by working to identify these accounts and then focus on monitoring, managing and securing them.
Some experts argue that proper data encryption is the best way to prevent these kinds of cyber attacks. However, close analysis of how the criminals operate shows that this would be too narrow a view.
To be successful at warding off future cyber attacks, government departments and agencies need to design their security strategies from the inside out, taking the view that attackers may have already found their way into the IT infrastructure.
The bottom line is that powerful, privileged credentials, sometimes termed the ‘keys to the IT kingdom,’ must be securely locked down, controlled and continuously monitored. This will limit lateral movement within the network, thereby containing the attack and lessen damage.
By taking this proactive, inside-out approach to network security focused on securing access to the organisation’s most sensitive data and information, departments and agencies can be more confident about mitigating the risk of a devastating breach that could potentially bring every day operations to a grinding halt.
“The Gap Between Executive Awareness and Enterprise Security” survey was conducted by Dimensional Research.