Out of a lot of nonsense about cyber attacks by foreign governments there comes a good article dealing with the key issue… poor privacy practices by individuals
February 20, 2019
There has been no shortage of breathless and generally meaningless articles about the Government’s statement that political parties and the Australian Parliament have been the subject of state sponsored cyber attacks. The Government boffins have come out with statements both highlighting the risk and claiming everything is under control. It has given rise to ponderous commentary about attacks on democracy and then spins out to truly odd dystopian pieces as Peter Hartcher did with Farewell tech utopia: how governments are readying the web for war which swallows the twaddle about the internet being balkanised and ruined.
The reality is that cyber attacks by state players, mainly Russia, China and North Korea, have been a regular occurrence for a decade. Then there is a plethora of non-state hackers in India, the various Stans and Africa who are sometimes engaged by instruments of state to create mischief. It is a feature of life in the age of the internet.
Rather than reading the Henny Penny “the sky is falling” reportage and the end-of-innocence blather, the best article for understanding what is going on and why is the ABC piece Cyber attacks by foreign governments, malicious companies and enterprising hackers are on the rise. And the biggest problem is you. It sets out in plain, undramatic terms that most cyber attacks succeed because someone in an organisation or government agency is fooled by an email containing malware. And, as the article makes clear, that problem is one of poor data security practices within that body. In Australia the privacy practices of many organisations and agencies are poor. Sometimes they are just plain dreadful.
It provides:
Forget sequences from blockbuster films of gangs breaking into secure buildings, avoiding guards to attach a “tap” to a blinking server. Real hackers walk through the front door by sending you an email.
“Ninety per cent of cyber attacks worldwide begin with an email. Most organisations don’t really look at their email security that carefully,” said Michael Connory, chief executive of Security In Depth.
“Everybody is vulnerable. Australian organisations have no idea how vulnerable they are.”
After a cyber breach of the Federal Parliament’s computer network and a warning from one of Australia’s most senior military figures that the threat of similar attacks is on the rise, experts are pleading with Australian businesses to take the threat seriously.
“The easiest way for an attacker to get into an organisation is by phishing, by email,” Mr Connory explained.
It’s simple. Somebody in an organisation opens an email and is directed to click on a link, usually something that requires an action such as: “You need to update your details”.
When the person logs in, they inadvertently give their username and password to a hacker.
The information is then used to get into the broader computer systems of an organisation.
Consumers hit
Consumers feel the impact of breaches through the potential for identity theft.
Vast amounts of personally identifying detail is available online, and criminals don’t need much to get you in trouble.
“Your Tax File Number, your driver’s licence number, date of birth … from that small amount of information they could begin to set up companies, obtain credit, start to obtain loans, run up huge debts,” Mr Connory noted.
“A vast array of damage.”
For businesses, the danger goes beyond losing important data or confidential files.
Almost half of data breaches in Australia are in health and finance, where organisations risk losing the vital trust of customers and their ongoing business.
Patch, patch, patch
Cyber security expert Dr Suelette Dreyfus from the School of Computing and Information Systems at the University of Melbourne said Australian businesses could easily trim their exposure in two simple ways.
“Patch, patch, patch! Upload all of those security updates from the operating system, and set it to auto-update,” Dr Dreyfus said.
“The other is to set up two-factor authentication … for all of your accounts; your Google, your Facebook, your Twitter, because now those things are your outward view to the world.”
Two-factor authentication is common in online banking products.
Entering your username and password on the website prompts a text message to your smartphone that includes a four or six digit code. Without submitting the code, you can’t get in to your accounts.
“The vast majority of threat that Australian businesses face, in a cybersecurity sense, is from criminal elements,” Dr Dreyfus added.
“But there’s also the risk of industrial espionage, stolen IP (intellectual property). This stuff matters.”
Few defences
Major General Marcus Thompson told AM the threat of cyber attacks on the military is on the rise, but it was the broader capacity for the Australian Government to respond to a big fight in cyber space that kept him up at night.
“I have a concern, and I know this concern is shared by many of my colleagues and mates throughout the national security community, that in the event of a significant incident on Australia in cyber space, the resources that would be required to respond might not exist at the scale that might be required,” Major General Thompson said.
Major General Thompson leads the Information Warfare Division, which was set up in mid-2017 with the aim of providing both defensive and offensive cyber capabilities.
The threat isn’t hypothetical. Organisations as varied as global shipping giant Maersk and the United Kingdom’s National Health Service have suffered losses and disruption from cyber attacks.
In Australia, our biggest banks are currently trying to contact 100,000 customers, whose personal data may have been affected by a major breach at valuation firm, LandMark White.
The breach, revealed in The Age and The Sydney Morning Herald, could include birthdates, personal contact information and property valuations.
As a result, the Commonwealth Bank, ANZ and NAB have suspended use of the stock exchange listed firm.
In January, the details of 30,000 Victorian public servants and contractors were stolen in a data breach, after a Victorian Government staff directory was downloaded by an unknown party.
Easy access
Mr Connory, who describes himself as an “ethical hacker”, says tens of thousands — if not hundreds of thousands — of people have the skills to break into an organisation (recently his 14-year-old daughter, having watched a YouTube video, gave it a go).
“It’s simple,” he said.
“It takes us about 22 minutes to get access inside a company.”
Security In Depth recently researched 119 organisations, and found that for more than a third, usernames and passwords that would give a hacker access were available on the dark net — an anonymised network only accessible using specific software.
“Most of the time a hacker will just sit there, watching,” Mr Connory said.
“In Australia, on average, a hacker will stay in an organisation for eight months before they’re even found. They’ve got access to emails, financial statements, to confidential company IP (intellectual property), they’ve got access to customer databases.
“By staying ‘in’ an organisation for such a long time they can start to see and read and be privy to a huge range of sensitive information.”
You might be the problem, but you’re also part of the solution.
Dr Dreyfus said companies need to train staff better in cybersecurity, to acknowledge that most problems begin through a seemingly innocuous email, and that a system is only as strong as its weakest link.
“They need to train their employees to understand, ‘Ah! This is the risk to the profitability of the whole company if we don’t come together and behave in better cybersecurity ways’,” she said.
“‘Herd immunity’ matters. If you can get your entire company up a little more, in their posture, it will be much better off as a whole.”
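The article’s two-factor description (password first, then a short texted code) is worth seeing as a server-side check, because the defensive value lies in details the quoted paragraph leaves out: the code is generated only after a correct password, delivered out of band, compared in constant time, and rejected once it is stale, guessed too often, or already used. The following is an added illustration written for this post, not code from the ABC article or from Security In Depth. The sample user, the injectable clock, the send callback and the CODE_TTL_SECONDS and MAX_ATTEMPTS values are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_DIGITS = 6          # the article mentions four- or six-digit codes
CODE_TTL_SECONDS = 300   # assumed validity window for a texted code
MAX_ATTEMPTS = 3         # assumed cap on guesses per issued code


def hash_password(password, salt=None):
    """Salted PBKDF2 hash for the stored first factor; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_password(password, salt, stored):
    """Constant-time comparison so timing does not leak how close a guess was."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)


class OtpStore:
    """One pending code per user, with expiry, an attempt cap and single use."""

    def __init__(self, send, now=time.time):
        self._send = send       # out-of-band delivery, e.g. an SMS gateway (assumed)
        self._now = now         # injectable clock so expiry can be tested
        self._pending = {}      # user -> [code, issued_at, attempts]

    def issue(self, user):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._now(), 0]
        self._send(user, code)  # the web tier never learns the code

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False        # nothing issued, or already consumed
        code, issued_at, attempts = entry
        if self._now() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self._pending[user]   # stale or exhausted: force a fresh code
            return False
        entry[2] += 1
        if hmac.compare_digest(code, str(submitted)):
            del self._pending[user]   # single use
            return True
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[user]
        return False


def login_step1(users, otp, username, password):
    """First factor. Only a correct password causes a code to be sent."""
    rec = users.get(username)
    if rec is None or not check_password(password, rec["salt"], rec["hash"]):
        return False
    otp.issue(username)
    return True


def login_step2(otp, username, code):
    """Second factor. True only for the right, fresh, unused code."""
    return otp.verify(username, code)


# Constructed sample user for the demo; not real credentials.
SALT, HASH = hash_password("correct horse battery staple")
USERS = {"alice": {"salt": SALT, "hash": HASH}}

if __name__ == "__main__":
    phone = {}   # stands in for the user's handset
    otp = OtpStore(send=lambda user, code: phone.__setitem__(user, code))
    assert login_step1(USERS, otp, "alice", "phished-guess") is False
    assert login_step1(USERS, otp, "alice", "correct horse battery staple")
    wrong = "000000" if phone["alice"] != "000000" else "000001"
    assert login_step2(otp, "alice", wrong) is False           # guessing fails
    assert login_step2(otp, "alice", phone["alice"]) is True   # real code works
    assert login_step2(otp, "alice", phone["alice"]) is False  # and only once
    print("two-step login demo passed")
```

The point relevant to the phishing scenario earlier in the article is that a password harvested by a fake “update your details” page is, on its own, insufficient: it only triggers a code sent to a device the attacker does not hold, and that code dies after a few minutes, a few wrong guesses, or one successful use.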
Another very good article, which goes some way to explaining why there is a poor data security culture and practice, is the Australian’s Toothless regulators let bad businesses run wild. It is a detailed examination of how poor Australian regulators are at doing their jobs. The obvious immediate context is the financial sector regulators, with their history of a softly-softly approach to enforcement: preferring warnings and weak enforceable undertakings, and opting for the weakest rather than the strongest response to breaches. The same problems beset the Australian Information Commissioner but are more acute and longstanding. The past 30 years of regulation have been a sad and sorry history of timid and inept regulation. The Commissioners have either been ineffective or drawn from the public service, with a commitment to process over action and caution over boldness. As a result it has been a regulator that has eschewed its increased powers to commence civil penalty actions, does not seek injunctive relief even though it has had those powers for 30 years, and works in the shadows wherever possible. The recent enforceable undertakings it entered into are weak by international standards. It is also a lax regulator in taking years to resolve complaints, where the office permits them to go to fruition.
This failure to properly regulate and enforce the Privacy Act has resulted in poor compliance. That has meant poor privacy and data security practices. This has passed by the commentariat, who are more interested in the hyperbolic commentary of being cyber invaded by the usual suspects than in the more prosaic but much more important issue of having adequate day-to-day data security and a competent regulator. Of which there is not much of either.
If there were proper data security compliance, state sponsored hackers would get nowhere fast.
The article provides:
There is a clear lesson to be drawn from the Hayne banking royal commission final report: we’re not particularly good at regulation.
Quite correctly, Kenneth Hayne has sheeted home the blame for most of the atrocious behaviour of our banks to the banks themselves. He also has the regulators in his sights.
We have long had a cultural and systemic problem in our governance when it comes to regulation of industry and the community. Academic John Braithwaite identified it decades ago in his seminal work Of Manners Gentle, in which he revealed the softly-softly approach to regulation endemic to all our regulatory regimes.
Faced with the spectrum available to regulators — warnings, advertising and information, to self-regulation, licensing, penalties, jail terms, or revoking of licences — we have chosen the soft options. This has been apparent in relation to the banks, which any first-year economics student could recognise as one big oligopoly.
Regulators are government bodies and must serve the public interest. However, few of them try to define this. The legislation creating them usually assumes that the regulator will identify the public interest when they see it. The Australian Competition & Consumer Commission has developed a rough rubric to guide it, based on when competition has been reduced or eliminated, but clearly it did not work with the banks. Nor has it been much with the big supermarkets, who use their market power to exploit suppliers.
The financial regulators have similarly been sloppy in the conception and application of their role, as Hayne’s evidence attests. There is no sense in applying a doctrine of caveat emptor in a sector such as banking, so complex and jargon-saturated, and where the financial institutions have adopted loose arrangements with financial advisers they have failed to scrutinise properly.
All this casts light on the relationships between governments and regulators, both national and state, whether it be in relation to industry, health, education, welfare, or safety. It is not a pretty sight.
The funding of regulators has been badly handled for a start. Most are treated as just another line in the budget, rather than having their needs assessed in relation to their workload.
The ACCC is a case in point. For most of its life it has had to fund legal actions from its own budget but any wins must be returned to consolidated revenue, encouraging a risk-taking culture rather than a public-interest one.
It has only recently gained government approval for jail terms for executives, a most effective deterrent for bad behaviour. A few regulators are funded by a levy on the industry they oversee, a bad practice as it builds up resentment and attempts to game the regulator.
The staffing of regulators is another issue. Remuneration is usually set within the public sector industrial awards, rather than in relation to the industries they regulate. There is a strong temptation for an employee of a regulator to jump ship to the industry they’ve been regulating.
The expertise of regulators is usually inferior to that of the key players in industry, which can lead to regulator capture. A classic case is the state regulatory bodies in energy and the public utilities. It can be to the long-term detriment of consumers, as their inexperience leads them typically to try to regulate by price control alone. Hence they fail to consider the revenues that electricity, gas, or port authorities need to recover for future investment in crucial infrastructure. All of this is compounded by the politicisation of appointments to the board of state-owned enterprises and regulators, by both sides of politics.
Politics is also dangerous in the arena of regulating public safety, with governments often reluctant to come down hard on bodies guilty of serious offences.
Dreamworld is the quintessential case in point. It should have been shut down permanently and the company’s licence revoked after the tragic deaths at its premises and the evidence of neglect, despite the pathetic claims about the importance of tourism to Queensland and the Gold Coast.
It is important to remember the global financial crisis was caused in large part by the weaknesses of the US regulatory system, which many seemed to regard as the enemy of free enterprise.
Regulation should be preventive, not curative. It is better to have a fence at the top of the cliff than an ambulance at the bottom.
Governments themselves are fundamentally responsible for the public interest, and while it may be wise to explore self-regulation and consumer advocacy in the first instance, it behoves governments to take unpopular and punitive decisions whenever necessary.