On Monday we saw the news that the University of Edinburgh’s ARCHER, along with similar supercomputers across Europe, had been infected with cryptocurrency mining malware. A sobering announcement. While the world responds to Covid-19, viruses of a different kind continue to pose a threat to public sector organisations.
The hack is reported to have also infected research and academic supercomputers in Germany, Switzerland and Spain. It has been put down to compromised SSH credentials. Many of these computers were being prioritised to conduct research relating to Covid-19, meaning that the incident not only misused academic resources but also hampered the response to the ongoing crisis.
While public agencies work towards addressing Covid-19, organisations must remain vigilant to these threats. Good hygiene isn’t just about face masks and washing your hands for 20 seconds. It’s also about safeguarding credentials and systems against other threats.
This week’s incident highlights the importance of good cyber security. A recent survey of 1000 public sector employees reveals a continuing lack of awareness:
- 77% had no training on how to recognise ransomware
- 16% have had no cybersecurity training
- 11% were still using Windows 7 and 6% still using Windows 8.
Insider threats are also more apparent now. With employees working at home and switching between personal and work use, the probability of data unintentionally being shared and harnessed for misuse is ever-increasing.
Good cyber security starts with knowledge, which is crucial to limit your organisation's attack surface. Beyond damage to reputation, which is vital to uphold to ensure public compliance, failures can have a damaging effect on citizens, staff and your bottom line. The public sector leads on fines issued by the ICO, all for data breaches and representing almost a third of all fines issued.
How best to tackle this threat? In the first instance, there is a clear-cut need to give cyber security the importance it warrants and make it a priority at board level. This can be achieved by embedding its importance into an organisation’s operating model and approach. A sensible and beneficial intervention is to place cyber security at the forefront of all software/system development. It can provide an effective vaccine against cyber threats and will pave the way to a safe system estate that will reap significant benefit across the organisation. This approach is commonly known as DevSecOps. BJSS Chief Engineer Dan Bettesworth has led on BJSS’ approach and implementation across several client engagements:
“Security testing is fundamentally no different from the use of automated testing throughout the SDLC and can be integrated into CI/CD pipelines. In conjunction with Threat Modelling, security testing can be implemented to address relevant security concerns. This is not just a one-off penetration test at the end of a project when everyone crosses their fingers. It needs to be automated and integrated into pipelines, so they are executed regularly.”
He adds: “These DevSecOps practices significantly reduce the risk of vulnerabilities being found late in the delivery process. Finding the vulnerabilities late can cause increased costs and delays to launch. Even worse, the system could be found by hackers during production.
It's also important to remember that security testing doesn't stop once the product is live. New vulnerabilities are found in software every day, so it's important to regularly scan not only your infrastructure but also the software libraries that you use, for known vulnerabilities. This can also be automated with alerting of potential issues. These are just some of the techniques used to stay cyber-safe.”
As the public sector continues to respond to Covid-19, BJSS will keep following the ongoing response to both coronavirus and cyber security, and will share our thoughts and work.