The growing reliance on interconnected systems coupled with the failure to provide personnel adequate security training exposes many government and military organizations to serious security threats.
Cybercrime syndicates as well as so-called hacktivist groups continue to develop and fine-tune techniques aimed at extracting sensitive information using weak passwords and social media activities of personnel, warned Bryan Lillie, chief technical officer of United Kingdom-based defense technology company QinetiQ.
“Integration of systems means successful attacks against one system can provide access to another system,” Lillie explained during his presentation on the dangers of connected systems at the recently concluded Best Defense 2015 conference presented by the London Economic Development Corp. in London, Ont. “Systems that were once self-contained are now configured and controlled via Internet connected systems…Where are the boundaries in connected systems? There really isn’t one.”
He also said attackers often employ a combination of physical and cyber-attacks.
For instance, in 2011 the hacktivist group Anonymous carried out an online attack and stage a physical protest targeting San Francisco’s Bay Area Rapid Transit (BART) system. The result was massive disruption of the ground-based public transportation system that included the closure of four transit stations and the shutdown of cellular phone services in tunnels and stations.
While interconnected and interdependent systems have increased the vulnerability of organizations, insider threats posed by human behaviour and vulnerabilities to social engineering tactics remain a cause of concern even in work environments that are supposed to be highly-secured.
Recently, he said, cyber-spies created a fake Facebook page for United States Admiral James Stavridis, the supreme allied commander of the North Atlantic Treaty Organization (NATO). Several British military and government officials were duped into accepting a Facebook friend request from the bogus Facebook page.
Attackers find it easy to gain access to corporate and government networks and steal sensitive data because of:
- The prevalence of weak passwords
- Poor security procedures (unregulated social media use, I.D badges worn offsite)
- Staff that readily share company information over the phone even to unknown callers
- Personnel clicking on links and URLs that link to malware
- An underlying belief that security is part of the bureaucracy and not really necessary
Lillie said chief security officers (CSOs) can lessen the cyber-risk exposure of their organizations by asking themselves the following questions:
- What information about my organization can be found through online search engines?
- What online groups and sites do our personnel use?
- Is it possible to identify which technologies and systems our organization is using?
- Are staffers able to recognize potential security threats?
- Do our personnel know what to do when they encounter a potential security threat?
Lillie said organizations need to exert focus greater effort in educating staff on security, integrating physical and cyber security as well as continually measuring and testing system performance and protection.