The dos and don’ts of cyber-attack protection
By Nick FitzGerald, APAC Senior Research Fellow, ESET
Thursday, 28 April, 2016
Government bodies are ripe targets for cyber attackers, who’ll stop at nothing to get their hands on sensitive and potentially lucrative data.
The federal government said in its 2016 Defence White Paper that “new and complex non-geographic security threats in cyberspace will be an important part of our future security environment”.
Today, cyber attacks in Australia are growing, and over the next few decades, governments will encounter larger and more sophisticated threats.
The rise of cyber attacks in Australia marks an important challenge and cost for the government. In 2014, the cost of cybersecurity in Australia was estimated to be a whopping AU$1 billion. In 2015, the Australian Signals Directorate responded to more than 1200 cyber incidents — 28% more than in 2014.
Governments are facing increasingly complex threats, especially as their departments become more digitised. Government bodies need to identify the challenges, know what the attackers are looking for and finally, take action to protect their systems — thus preventing the attacks or minimising the damage from them.
Challenging road ahead for government
In 2015, an Australian Cyber Security Centre report defined a cyber attack against government as a deliberate act through cyberspace to manipulate, deny, degrade or destroy computers or networks, in cyberspace or the physical world, and which has the potential to seriously compromise national security or stability.
The unique challenge for governments concerns the sensitivity of the information these bodies store, as valuable data is collected and processed at all levels. Much of this data concerns private citizens, including their tax records, medical records, motor vehicle records and also personally identifiable information (PII) such as government assistance numbers, email addresses and dates of birth.
However, most government entities still have inadequate resources to address cybersecurity. Emerging technology, along with the increased sophistication of threats, can be a challenge for governments that lack the necessary knowledge, IT professionals and protection solutions. A lack of visibility and influence within the entity itself, together with insufficient funding for cybersecurity, is another real weakness that can increase vulnerability.
The top cybersecurity risks
There is a wide array of cybersecurity risks and threats that government bodies are subjected to on a daily basis. There are more bad actors and attackers than ever and they are ready to try everything possible to acquire, disrupt or access sensitive information and data.
Governments can fall victim to any kind of cyber attack, but targeted attacks seem likely to be the most common. Because of the nature of the data certain online government agencies need to collect, and because of the large amounts of money some government bodies generally have control over, the government sector should be especially wary of targeted attacks.
Targeted attacks generally take the form of email attacks such as spear-phishing and whaling, DDoS against entire online services, data ransoming and attacks against e- and/or i-voting. There is also a whole separate category of attacks that any government employee with a connected computer can face at any moment, such as mass-spammed malware links, attachments and phishing, and drive-by downloads from compromised external websites.
For example, if a government body were to get involved in an electronic voting process, cybersecurity risks would increase significantly, and attract attackers for many reasons.
The value of undetectably subverting the result of an election is clearly enormous, and there are well-placed concerns that poorly designed or implemented e- and i-voting systems could make achieving this much easier than in conventional voting systems.
For example, in the US in the last couple of decades, there have been many issues with the voting machines themselves, not to mention the vote collating processes and so on. There are many lessons to be learned there.
How should governments protect themselves?
Governments are facing these kinds of threats already. Having an established strategy to prevent risk of attack is essential. Here are some strategies all government bodies can implement to achieve success:
Assess the risk. Knowing the risks is the first step to knowing what you need to prevent. Extant risks that can potentially cost a lot of money, or even defeat a government entity and be a threat to public security, must be taken into account.
Strategise to address risks and threats. Starting from the inside of the entity, and having the best people to protect and assess risks, is key. Employ top-flight security specialists — they will harden operating system configurations, segment networks by functionality and security exposure, reduce the attack surface of any public-facing servers, use good security products, test (including ‘red team’ test) and monitor systems continuously.
Protect data. Data encryption — both ‘in-flight’ (while traversing all network links) and ‘at rest’ — is the key to full protection and security. It is crucial that access controls are implemented properly so that, based on the data a particular agency may have on an individual, only specific data fields relevant to an employee’s role are available to that employee.
It is very important that only the minimum amount of data necessary for any particular government function be collected and stored. Data retention should be carefully considered. The more data that is mindlessly warehoused, the more attractive compromising that warehouse will be to someone.
Invest in solutions and educate. Having a strong cybersecurity solution should make it easier for government agencies to fight against unauthorised access and prevent data breaches. The IT departments of these entities should have the freedom to plan and manage resources autonomously. Each system should have consistent and flexible protection that runs smoothly in the event of a cyber attack.
Finally, education of teams about cyber threats and targeted attacks must be taken seriously to ensure each employee knows the risks, understands preventive measures and will know what actions to take in the event of a cyber attack.
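An added illustration, not part of the original article, of the field-level access control and data minimisation recommended under "Protect data" above. The role names, retention limits and sample record are constructed assumptions; the field names follow the record types the article lists.

```python
from datetime import date

# Hypothetical roles mapped to the only fields each may read (allow-list).
ROLE_FIELDS = {
    "tax_assessor": {"citizen_id", "tax_record"},
    "licensing_clerk": {"citizen_id", "date_of_birth", "motor_vehicle_record"},
    "clinic_nurse": {"citizen_id", "date_of_birth", "medical_record"},
}

# Hypothetical retention limits in days; fields without an entry are kept.
RETENTION_DAYS = {"email": 365, "medical_record": 7 * 365}

# Constructed sample record; values are placeholders, not real data.
SAMPLE = {
    "citizen_id": "C-0001",
    "date_of_birth": "1980-01-01",
    "email": "citizen@example.org",
    "tax_record": "TAX-PLACEHOLDER",
    "medical_record": "MED-PLACEHOLDER",
    "motor_vehicle_record": "MV-PLACEHOLDER",
}


def view_for_role(record, role):
    """Project a record onto the role's allow-list. Unknown roles get nothing."""
    allowed = ROLE_FIELDS.get(role, frozenset())  # deny by default
    visible = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(k for k in record if k not in allowed)  # for the audit log
    return visible, withheld


def fields_past_retention(collected_on, today):
    """Return fields whose retention limit has passed and should be purged."""
    return sorted(
        field for field, when in collected_on.items()
        if field in RETENTION_DAYS and (today - when).days > RETENTION_DAYS[field]
    )


if __name__ == "__main__":
    visible, withheld = view_for_role(SAMPLE, "licensing_clerk")
    print("visible:", visible)
    print("withheld:", withheld)
    print(fields_past_retention({"email": date(2014, 1, 1)}, date(2016, 4, 28)))
```

Logging the withheld field names, rather than silently dropping them, gives reviewers a record of which roles are requesting data outside their function.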
With data attacks becoming increasingly prevalent and attackers becoming more and more sophisticated, governments can’t ignore the importance of cyber threats and how to protect themselves from them.