Case studies around the effectiveness of Cyber Essentials controls

The Cyber Essentials scheme was developed by the UK Government. The scheme provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common Internet-based threats. The Government believes that implementing these measures can significantly reduce an organisation’s vulnerability. Many companies, however, do not implement these controls, and in the past, this has led to serious security breaches.

(1) Boundary firewalls and internet gateways

“Information, applications and computers within the organisation’s internal networks should be protected against unauthorised access and disclosure from the internet, using boundary firewalls, internet gateways or equivalent network devices.” – Cyber Essentials Scheme Requirements: Control 1

In February, the Central Bank of Bangladesh was the victim of an $81 million cyber heist. The attackers attempted to transfer $951 million in total: $850 million worth of transactions were blocked, and a further $20 million worth succeeded but have since been recovered.

According to investigators, the bank didn’t have a firewall in place and “used second-hand switches bought for $10 to network computers connected to the SWIFT global payments system”. The lack of a firewall made it easy for the system to be hacked and has also made it difficult for investigators to trace how the hackers executed the robbery.

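The point of Control 1 is a boundary that denies by default and admits only the traffic a segment actually needs. The following policy evaluator is an added illustration (not Cyber Essentials, SWIFT or any vendor's code) that models exactly that: an allow-list in front of a constructed payment segment with a final catch-all deny, evaluated first-match. Network ranges, hosts and ports are constructed sample values.

```python
"""Minimal boundary-firewall policy evaluator (added illustration).
Models Control 1: default deny for traffic entering a protected segment,
with an explicit allow-list evaluated first-match."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the connection originates from
    dst: str               # CIDR it is destined for
    dport: Optional[int]   # destination TCP port, None = any port
    comment: str = ""


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dport: int


# Constructed policy: the payment segment 10.20.0.0/24 only accepts traffic
# from the internal office LAN, and only on the one service it exposes.
INTERNAL_LAN = "10.10.0.0/16"
PAYMENT_SEGMENT = "10.20.0.0/24"

POLICY: List[Rule] = [
    Rule("allow", INTERNAL_LAN, PAYMENT_SEGMENT, 443, "ops console from office LAN"),
    Rule("allow", INTERNAL_LAN, INTERNAL_LAN, None, "office-to-office traffic"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None, "default deny: anything not matched above"),
]


def matches(rule: Rule, conn: Connection) -> bool:
    """True if the connection falls inside the rule's source, destination and port."""
    if ip_address(conn.src_ip) not in ip_network(rule.src):
        return False
    if ip_address(conn.dst_ip) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == conn.dport


def decide(policy: List[Rule], conn: Connection) -> Tuple[str, str]:
    """First-match evaluation. The policy's last rule is a catch-all, and even
    if a policy forgets it, an unmatched connection is still denied."""
    for rule in policy:
        if matches(rule, conn):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


if __name__ == "__main__":
    samples = [
        Connection("10.10.5.7", "10.20.0.10", 443),      # ops console from the LAN
        Connection("198.51.100.23", "10.20.0.10", 443),  # same port, from the internet
        Connection("198.51.100.23", "10.20.0.10", 22),   # SSH from the internet
        Connection("10.10.5.7", "10.20.0.10", 22),       # SSH from the LAN, not allow-listed
    ]
    for c in samples:
        print(c, "->", decide(POLICY, c))
```

Note that the internet-originated connection to port 443 is denied even though the port itself is "open" for the LAN: the decision depends on source and destination together, which is what a boundary device adds over a host simply listening on a port.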

(2) Secure configuration

“Computers and network devices should be configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role.” – Cyber Essentials Scheme Requirements: Control 2

One of the aspects that this control highlights is the need to change any default passwords. Earlier this year, one of NASA’s drones was allegedly hacked by AnonSec (a hacktivist group). “The hack was executed through brute-forcing an administrator’s SSH password left with a default password, which led to root access to three network-attached-storage devices.”

The hackers were able to obtain data on over 2,400 employees as well as flight logs and aircraft videos.

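A default or guessable SSH password is only useful to an attacker if the service still accepts passwords at all. The audit below is an added illustration (not Cyber Essentials or OpenSSH code) that checks an sshd_config for the directives that decide this; the directive names are real OpenSSH keywords, the assumed value for a directive that is absent is the OpenSSH-documented default, and the two configuration texts are constructed samples of a device left near factory settings and of a hardened one.

```python
"""Audit an sshd_config for password-related weaknesses (added illustration).
Directive names are real OpenSSH keywords; the assumed defaults for a missing
directive are the OpenSSH-documented ones. Match blocks are not modelled."""
from typing import Dict, List, Tuple

# directive -> (hardened value, OpenSSH default applied when the directive is absent)
CHECKS: Dict[str, Tuple[str, str]] = {
    "PasswordAuthentication": ("no", "yes"),         # keys only: nothing to brute-force
    "PermitRootLogin": ("no", "prohibit-password"),  # root never logs in directly
    "PermitEmptyPasswords": ("no", "no"),
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global value of each directive. sshd honours the FIRST
    occurrence of a keyword, so later duplicates are ignored; parsing stops at
    the first Match block because directives inside it are conditional."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        effective.setdefault(key, value)         # first occurrence wins
    return effective


def audit(text: str) -> List[str]:
    """One finding per directive whose effective value is not the hardened one."""
    effective = parse_sshd_config(text)
    findings: List[str] = []
    for directive, (wanted, default) in CHECKS.items():
        key = directive.lower()
        actual = effective.get(key, default)
        if actual != wanted:
            source = "explicit" if key in effective else "default, directive absent"
            findings.append(f"{directive} is '{actual}' ({source}); expected '{wanted}'")
    return findings


# Constructed sample: a device left close to factory settings
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: hardened
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

An empty configuration is not clean either: with no directives at all, the OpenSSH defaults leave password authentication enabled, so the audit still reports it. That is the "secure configuration" point of Control 2: what a device does out of the box is part of its configuration and has to be reviewed, not assumed.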

(3) User access control

“User accounts, particularly those with special access privileges (e.g. administrative accounts) should be assigned only to authorised individuals, managed effectively and provide the minimum level of access to applications, computers and networks.” – Cyber Essentials Scheme Requirements: Control 3

In 2015, an employee accessed 10% of Morgan Stanley’s customer files in an investment database. The employee also exposed hundreds of these details on Pastebin. “Data is the new currency, and employees have easy access to steal sensitive data for profit or to inflict damage”, said Eric Chiu, president and co-founder of HyTrust.

The employee was found to be a mid-level wealth advisor who somehow had access to thousands of records. In companies such as Morgan Stanley, mid-level financial advisors are usually allowed access only to aggregate (summary) views of a dataset. Only a few select high-level managers should be able to access the actual records.

This incident is a good example of the consequences of giving special access privileges to individuals who do not need them.

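The distinction the case study draws, aggregate views for advisors versus record-level access for a few named roles, is straightforward to enforce when permissions are granted per operation rather than per table. The code below is an added illustration (not Morgan Stanley's or Cyber Essentials' code) with constructed roles, customers and balances: the advisor role never holds the record-read permission at all, and record reads are counted per account so that one user sweeping through many distinct records stands out.

```python
"""Least-privilege access to a customer dataset (added illustration).
Two ideas from Control 3: a role gets only the operations it needs, and
record-level reads are counted so bulk access by one account is visible."""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed customer records
CUSTOMERS = [
    {"id": 1, "name": "A. Client", "region": "north", "balance": 120_000},
    {"id": 2, "name": "B. Client", "region": "north", "balance": 80_000},
    {"id": 3, "name": "C. Client", "region": "south", "balance": 300_000},
]

# Permission is per operation: "advisor" simply has no "read_record", so a
# compromised or malicious advisor account cannot pull the raw files.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "advisor": {"read_aggregate"},
    "records_officer": {"read_aggregate", "read_record"},
}


class AccessDenied(PermissionError):
    pass


class CustomerStore:
    def __init__(self, records: List[dict], bulk_threshold: int = 2):
        self._records = {r["id"]: r for r in records}
        self._reads_by_user: Dict[str, Set[int]] = defaultdict(set)
        self.bulk_threshold = bulk_threshold   # assumed policy value for the demo
        self.alerts: List[str] = []

    def _require(self, user: str, role: str, operation: str) -> None:
        if operation not in ROLE_PERMISSIONS.get(role, set()):
            raise AccessDenied(f"{user} ({role}) may not {operation}")

    def aggregate_by_region(self, user: str, role: str) -> Dict[str, int]:
        """Totals per region only; no individual customer is exposed."""
        self._require(user, role, "read_aggregate")
        totals: Dict[str, int] = defaultdict(int)
        for r in self._records.values():
            totals[r["region"]] += r["balance"]
        return dict(totals)

    def read_record(self, user: str, role: str, customer_id: int) -> dict:
        """Single record; also tracks how many distinct records this user has read."""
        self._require(user, role, "read_record")
        seen = self._reads_by_user[user]
        seen.add(customer_id)
        if len(seen) > self.bulk_threshold:
            self.alerts.append(f"{user} has read {len(seen)} distinct records")
        return dict(self._records[customer_id])


def demo() -> dict:
    """Run the two roles against the constructed data and collect the outcomes."""
    store = CustomerStore(CUSTOMERS)
    out: dict = {"advisor_aggregate": store.aggregate_by_region("alice", "advisor")}
    try:
        store.read_record("alice", "advisor", 1)
        out["advisor_record"] = "allowed"
    except AccessDenied as exc:
        out["advisor_record"] = str(exc)
    for cid in (1, 2, 3):                       # an officer sweeping the whole set
        store.read_record("bob", "records_officer", cid)
    out["alerts"] = list(store.alerts)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The alert is deliberately separate from the permission check: the records officer is authorised to read records, so the read succeeds, but the volume is still reported. That is the monitoring half of "managed effectively" in the control text.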

(4) Malware protection

“Computers that are exposed to the internet should be protected against malware infection through the use of malware protection software.” – Cyber Essentials Scheme Requirements: Control 4

Malware refers to a variety of forms of intrusive software, including viruses and trojan horses, and has been used in cyber-attacks for the last 30 years. One cyber-attack on a small N.Y. marketing firm in 2010 highlights the importance of being protected against malware. Little & King LLC faced bankruptcy after a $164,000 online-banking loss.

Just before the fraud occurred, the owner, Karen McCarthy, “found that her Windows PC would no longer boot and that the computer complained it could not find vital operating system files.” It was confirmed that her computer had been infected with the ZeuS Trojan, which steals passwords and enables attackers to control computers remotely.


(5) Patch management

“Software running on computers and network devices should be kept up-to-date and have the latest security patches installed.” – Cyber Essentials Scheme Requirements: Control 5

In 2015, Adobe Systems patched a vulnerability in Flash Player. Within 4 days of the patch, cyber-attackers began exploiting the vulnerability on systems that had not yet deployed the patch. “Flash is commonly viewed as one of the most insecure pieces of software by security professionals and has been targeted by numerous state and criminal hacking groups”.

The exploit was discovered by China-based hackers known as APT3. They targeted victims using generic phishing emails and when someone clicked the link, they were served malicious SWF and FLV files exploiting the Adobe Flash vulnerability. APT3 attacked organisations in the following industries:
• Aerospace and defence
• Construction and engineering
• High tech
• Telecommunications
• Transportation

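The Flash case is about the window between a fix being published and it being installed: four days was enough. The script below is an added illustration (not Adobe's, APT3-related or Cyber Essentials code) of the check a patch-management process runs against an inventory: for each host, is the installed version older than the first version containing the fix, and if so, how many days has the fix been available. The product name, versions, dates and inventory are constructed, and the 14-day SLA is an assumed policy value.

```python
"""Find hosts still running a version that predates a published fix, and how
long the fix has been available (added illustration; all data constructed)."""
from datetime import date
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'18.0.0.160' -> (18, 0, 0, 160) so versions compare numerically, not as strings
    (as strings, '18.0.0.90' would sort after '18.0.0.200')."""
    return tuple(int(part) for part in v.split("."))


# Constructed: product -> (first version containing the fix, date the fix shipped)
FIXES: Dict[str, Tuple[str, date]] = {
    "example-plugin": ("18.0.0.200", date(2015, 6, 23)),
}

# Constructed inventory of installed versions
INVENTORY: List[dict] = [
    {"host": "ws-01", "product": "example-plugin", "version": "18.0.0.160"},
    {"host": "ws-02", "product": "example-plugin", "version": "18.0.0.200"},
    {"host": "ws-03", "product": "example-plugin", "version": "18.0.0.90"},
    {"host": "ws-04", "product": "example-plugin", "version": "18.0.1.5"},
    {"host": "ws-05", "product": "other-tool", "version": "2.1"},   # no known fix: skipped
]


def exposed_hosts(inventory: List[dict], fixes: Dict[str, Tuple[str, date]],
                  today: date, sla_days: int = 14) -> List[dict]:
    """Hosts whose installed version is older than the fixed version, with the
    number of days the fix has been available and whether the (assumed) SLA
    for applying it has been breached."""
    findings: List[dict] = []
    for item in inventory:
        fix = fixes.get(item["product"])
        if fix is None:
            continue
        fixed_version, released = fix
        if parse_version(item["version"]) < parse_version(fixed_version):
            days = (today - released).days
            findings.append({
                "host": item["host"],
                "installed": item["version"],
                "fixed_in": fixed_version,
                "days_exposed": days,
                "sla_breached": days > sla_days,
            })
    return findings


if __name__ == "__main__":
    for f in exposed_hosts(INVENTORY, FIXES, today=date(2015, 7, 10)):
        print(f)
```

The "days_exposed" figure is what the case study is really about: the attackers in the story needed four days, so a 14-day SLA that is met on the last day still leaves a ten-day gap in which the exploit is in the wild and the host is unpatched. The report is the input for prioritising which hosts to patch first, not just a compliance tick.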