
Ezat Dayeh, Senior Systems Engineer for Cohesity, asks if the defence industry is secure enough in the face of the modern cyber threat.

Many of us talk about cyber-attacks and cyber security as distant events with distant repercussions. But they’re not. A successful and severe enough cyber attack on the defence industry could damage an entire defence system – possibly irreparably. Security is inescapably fundamental for this sector and sits at the core of technologies developed within it.   

Is it secure enough? To answer that question, we need to look at the scale of change that has been happening within defence and compare it to the scale of change and advances in cyber threats. As with most industries, defence tends to move slowly, so the picture isn’t always flattering.   

Risk Assessments 

External defence suppliers today are often mandated to have a certain level of cybersecurity. Meanwhile, there is internal pressure for defence organisations to harden their own systems, improve monitoring and re-work slow and cumbersome legacy tech. Neither demand is easy with industrial IT. No ageing legacy system was designed to be monitored, interrupted and scanned by active defence solutions. And it isn’t about to get any easier.

Rapid advances in technology have led to a more connected world, and our modern society is built on automation, control systems and their management. With everyday objects becoming increasingly connected, the potential for attacks is growing. Everything from the power grids to planes and cashpoints is internet-connected. The defence industry is no different; new weapons with built-in surveillance and intelligence, growing levels of classified data and an increasing reliance on internet networks may be improving efficiency, but they will lead to further security vulnerabilities. And as AI systems become more capable, cyber attackers will seek to leverage the technology to commit more sophisticated attacks. There is no such thing as immunity. Look to lower the impact of an attack – if and when it does happen – by ensuring you can recover and get your systems back online quickly. Your business will still be exposed, though, if your backup isn’t secured too.

 

Why backups?  

Backups have become a new prime target for cyber-criminals; any reasonably sophisticated attack would aim to find and destroy backups for maximum impact. This threat is exacerbated by two things: legacy solutions and data fragmentation.  

Firstly, many of the solutions used to protect and back up data haven’t kept up with today’s environments. The latest ransomware programs like WannaCry and Petya worked by encrypting data – gaining access to an organisation’s database and installing software that would silently encrypt data as it was written, which would then translate to the backup data being overwritten as the database changed. Then the attackers removed the keys, rendering both the database – and the backups – unusable. If the backups had been immutable (as opposed to mutable in the above scenario), this would not have happened.   

Data security requires stability. Immutable data, even in the cloud, cannot be overwritten or changed in any way without new copies being made, leaving the original untarnished. Backups, therefore, are always accessible (to you) and safe from would-be hackers modifying them.

Second, the proliferation of massive volumes of non-mission-critical data used for backup, testing and development, and analytics, spread across different locations, infrastructure silos and management systems, is a constant headache for IT managers. It makes it that much more difficult to know what data they have, or whether it’s protected and compliant.

 

Shoring your backups 

Prevention is better than cure. So preventative actions like whitelisting approved/trusted programs, blocking macros, user application hardening, multi-factor authentication, patching operating systems and restricting administrative privileges are sensible ways to mitigate cybersecurity incidents. But if these defences are still breached, organisations must ensure they can restore a healthy backup in under a few hours, ideally a few minutes. Your backups need to be not only fast-acting, but easy to lock down and protect from an infiltration.

 

  • Deal with fragmentation. With visibility across your storage network, it’s easier to detect the early signs of suspicious activity. Remove the silos and unnecessary copies to better understand your current infrastructure health status, storage utilisation, throughput and IOPS details.
  • Choose a backup system that will do the heavy lifting. Good backup security looks for daily change rates on logical data, stored data and historical data to form, process and understand patterns. Don’t be afraid to put your backups to work – only by being scanned, analysed and monitored pre-emptively for anomalies can deviations be identified, flagged and swiftly dealt with before they turn into a full-blown attack.
  • Upgrade your software and install patches. It sounds basic but many prominent ransomware attacks could have stalled if patches had been current on all endpoints and servers.  
  • Be vigilant! Using different credentials to access backups should be a bare minimum; the username context used to access the backup storage should be used exclusively for that purpose.  
  • Finally, invest in your teams. How well prepared are your non-IT staff to spot and cope with potential attacks? Your employees are your first line of defence against cybercrime. Instilling good cybersecurity habits in them is the best investment you can make in battling breaches. An estimated 90% of cyber-attacks are caused by human error or behaviour.
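
The change-rate monitoring described in the list above can be sketched as follows. This is an added example, not code from the article or from any backup product; the job record layout, window, threshold and noise floor are assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample: (day, logical_bytes_protected, bytes_changed_since_last_backup)
SAMPLE_JOBS = [
    ("2024-03-01", 1_000_000, 21_000), ("2024-03-02", 1_000_000, 19_000),
    ("2024-03-03", 1_000_000, 23_000), ("2024-03-04", 1_000_000, 20_000),
    ("2024-03-05", 1_000_000, 22_000), ("2024-03-06", 1_000_000, 18_000),
    ("2024-03-07", 1_000_000, 21_000), ("2024-03-08", 1_000_000, 24_000),
    ("2024-03-09", 1_000_000, 20_000),
    ("2024-03-10", 1_000_000, 610_000),  # mass rewrite, e.g. files being encrypted
    ("2024-03-11", 1_000_000, 580_000),  # still in progress the next day
    ("2024-03-12", 1_000_000, 22_000),
]

def change_rates(jobs):
    """Daily change rate = changed bytes / logical bytes protected."""
    return [(day, changed / logical) for day, logical, changed in jobs if logical > 0]

def flag_anomalies(jobs, window=7, threshold=6.0, min_history=5, floor=0.005):
    """Return (day, rate, score) for days whose change rate deviates from the
    trailing median by more than `threshold` robust standard deviations.

    Median and MAD are used instead of mean and standard deviation so that a
    single extreme day cannot drag the baseline towards itself.
    """
    baseline, flagged = [], []
    for day, rate in change_rates(jobs):
        history = baseline[-window:]
        if len(history) >= min_history:
            med = median(history)
            mad = median(abs(r - med) for r in history)
            # 1.4826 * MAD approximates a standard deviation for normal data;
            # the floor stops a very flat history from making every day "anomalous".
            scale = max(1.4826 * mad, floor)
            score = (rate - med) / scale
            if abs(score) > threshold:
                flagged.append((day, round(rate, 3), round(score, 1)))
                continue  # keep flagged days out of the baseline
        baseline.append(rate)
    return flagged

if __name__ == "__main__":
    for day, rate, score in flag_anomalies(SAMPLE_JOBS):
        print(f"{day}: change rate {rate:.1%}, robust score {score}")
```

Because flagged days never enter the baseline, the second day of a sustained mass rewrite is still reported instead of being absorbed as the new normal.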

The ideal approach is a mixture of prevention, intelligence and rapid response. It’s also a good idea to have an immutable file system, with snapshots that are inaccessible to processes and software. This way, an attacker, at best, can delete a clone of the data – but never the true backup itself. An extra layer of protection is requiring two-factor authentication from anyone deleting backup files – even if that someone is the systems administrator or log-in holder.

 

No perfect solutions  

The more barriers there are between an infected system and its backups, the harder it will be for attackers to get to them. Cyber threats are constantly evolving and require a combination of innovation alongside the above best practice processes to adequately mitigate the risks. Cybercrime is a fact of life. The risk of industrial cyber espionage, warfare and state-led attacks is also very real.

Resiliency is key here – assuming failures at various levels, including from employees themselves. Because no matter how much is invested in security, the relentless nature of attacks and talented hackers almost guarantees that an organisation will fall victim at some point. The important thing is how well you’re able to recover when it does. Many businesses use criticality of data or workload to establish a recovery time objective, but you should also factor in the amount of time in which you need to recover a given data set. With data so fundamental to public and state safety, backing up shouldn’t be pushed to the back-of-mind or put off due to costs.

Backups are the only way to repair after cyber-attacks, and they must themselves have the highest standards of data protection applied to ensure they provide a way out for the organisation. And when enabled by prevention at every stage, including an immutable file system, businesses can rest assured that they can face even the most formidable of attacks. The rhetoric around cybersecurity only becomes dangerous when it underestimates the challenge.


 

Post written by: Matt Brown

