With hackers attacking almost every government body, institution and business, organisations have to do more than hide behind technology -- they have to invest in people too, from the server room to the boardroom. That's the message from cybX, a new cybersecurity training scheme in North Yorkshire.
Cybx is a simulator for an organisation's technical staff to run through mock cyber attacks -- a sort of boot camp for those in the front line of cybersecurity. cybX begins its first mini training exercise next week, and full courses start at the beginning of August.
Training takes place at the Emergency Planning College, near York. The EPC is a crisis management training centre that teaches government departments and businesses how to cope when things assume the dimensions of a pear, whether it's a cyber attack, a terrorist incident or just crowd control at a major event. It's run by Serco, a British outsourcing company that does everything from managing airbases and hospitals to tagging criminals.
'Every organisation is under attack'
Hack attacks can come from rival governments, criminal organisations, hacktivists or even insiders. "Threats are coming from everywhere and have widely varying motives," warns Chester Wisniewski, Senior Security Advisor at cybersecurity firm Sophos. "Many cyber extortion and opportunistic money making schemes originate in Eastern Europe, while data theft and intellectual property-focused efforts largely come from Asia. And cyberactivism often originates in our own back yard."
Richard Preece, director of cybX, warns that cyber attacks are "happening constantly" and that "almost every organisation is under attack."
Indeed, a 2013 survey by anti-virus company Kaspersky found a whopping 91 percent of organisations had suffered cyber attack in the last year. "If you look at the National Risk Register," says Preece, referring to the Cabinet Office's annual report on civil emergency risks, "cyber attack is right up there."
"Businesses face a variety of threats," says ThreatTrack CEO Julian Waits, "often based on the type of industry they are in. For example, in the energy industry, hacktivism is a major concern -- it's playing out in the news right now. A hacktivist group called AnonGhost, for example, has announced its intentions to target the oil and gas industry worldwide. Other industries like the financial services sector are concerned about organized cybercrime syndicates. All organizations and government agencies possess data that criminals can profit from, so they are all targets."
Chester Wisniewski of Sophos is worried that organisations aren't properly prepared. "Governments and businesses are relying too heavily on certifications and expensive tools rather than experience and proven abilities. There isn't an easy way to solve that problem. The other issue is not taking the threat seriously enough. We have seen several businesses actually shut down over hacking attacks, like Code Spaces."
Fortunately, Preece believes the decision-makers in government and business are alive to questions of cybersecurity. "They're very aware of the threat," he says.
Organisations have to be proactive in anticipating attacks, Preece advises, and agile enough to react quickly when they happen. They must then be resilient enough to survive the consequences, flexible enough to come up with new ways of doing things, and adaptable enough to learn the lessons of the attack.
At cybX, cybersecurity staff are trained to recognise an attack, terminate the hack, and restore service. They're also trained to learn from the incident to move to a "new normal" that safeguards against a repeat of the problem.
The training replicates the traffic of a network to give a realistic simulation, teaching coders how to wade through the clutter and false positives of their network to find malicious code.
But the lessons learned take in more than just technology. "There is no amount of technology that will save an organization from human error," says ThreatTrack's Julian Waits.
And a big part of cybersecurity is communicating with non-technical staff. Preece points out that decision makers within an organisation have to understand the problems too. "A cyber attack very quickly moves from being a technical issue to an organisational issue," he says.
"Some will get through," says Preece, and the best any organisation can do is to be capable of "taking the hit."
Advanced persistent threats
Cybersecurity begins before an attack has taken place. There is an intelligence system behind the scenes, including briefings from UK spy centre GCHQ, keeping tabs of the latest hacking tricks and attacks so companies and government departments can pre-empt hackers. And a company or government body can also find out when they're in the firing line by simply checking Twitter, for example by following hacktivist groups like Anonymous.
But even then, one of the biggest problems with cyber attacks is that the hackers are always one step ahead. Preece believes that although many governments and companies are prepared, there is "nearly always a way in."
Attacks range from simple hacks like defacing a company's Web page to "advanced persistent threats" -- hackers attempting to gain control of a company's network, perhaps to steal confidential records or trade secrets. To illustrate the scale of the problem, Preece identifies SQL injection -- injecting a virus via an online contact page -- as a single type of attack suffered by a whopping 60 percent of organisations. Some took up to 140 days just to spot it.
Spotting the threat is frequently the hardest part of responding to a cyber attack. Attacks are even layered, with an attack on one part of the network as a feint to get cybersecurity teams looking the other way when the real attack goes after a different part of the network.
Preece also identifies an increasing trend for attacks involving social engineering, such as "spearfishing." That involves targeting a specific employee by sending an email that looks like it came from a "colleague."
"A poorly trained workforce is the Achilles heel for even the best prepared cyber defense," warns Julian Waits. "Cybercriminals are very skilled at tricking employees into becoming unwitting pawns in a data breach."
It's that kind of attack that demonstrates the role of every employee in defending a network. He emphasises the importance of securing information properly and following processes in place to ensure data is kept safe -- as well as testing those processes regularly to ensure they're still watertight. "Cybersecurity is the responsibility of everyone," he says.