Government Depts Wake Up to Special Operation Centers and Phishing
Introduction
With an ever increasing number of breaches within corporate and government networks, government departments are starting to realise that they need to follow best practice from other industries that store high-risk data.
HM Revenue and Customs (HMRC) is one of the first to move towards the setup of a Special Operation Centre (SOC), along with a new phishing training programme for its staff. The infrastructure will integrate all the related data in one place, and then use Hadoop-based analysis to analyse threats against the HMRC.
Overall they are following the 24x7 SOC setups which are typical in the finance sector, where events are gathered and analysed from across the network. The HMRC also aims to recruit a senior cyber-security analyst, in addition to a number of new cyber-apprentices. The difficulty faced by the HMRC is recruiting specialist skills, which are in high demand; many companies are turning to the recruitment of cyber-apprentices instead, as it is almost impossible to recruit cyber-security staff at the right level.
Overall the HMRC holds some of the most sensitive information around, and the recent hack of HR details in the US shows that data is now the target for many intruders. It would be a major embarrassment for the UK Government if details of tax affairs, business accounts, pensions and payroll were released on the Internet, and even worse if they related to their customers.
Executives are pin-pointed
When it reaches board level that the executives could actually go to prison, it wakes them up and loosens the purse-strings.
Overall the increased focus highlights the requirements of the Commissioner Revenue and Customs Act, and that the Director of Security at the HMRC (Jonathan Lloyd-White) would be held responsible for any major breach.
The increased risks around executives' responses to data breaches are highlighted at JPMorgan Chase & Co, with Greg Rattray, the former US Air Force commander and cyber-security expert at the National Security Council, being reassigned from his chief information security officer role to a non-front-line role as the head of global cyber partnerships and government strategy.
Greg had previously been in charge of the security of the company's computer networks, which has been involved in controversy over a massive data breach, and where many of the security team had left their posts. His post has now been filled by Rohan Amin, who was a cyber-security lead at Lockheed Martin Corp.
This week Katherine Archuleta, the director of the US Office of Personnel Management (OPM), resigned after a data breach involving more than 20 million people. At present, it is being pinpointed at Chinese-based hackers (but this has not yet been proven). The breach was first announced with a scope of 4 million affected people, but has now reached 20 million (including current and previous employees).
As yet, two months after the discovery of the hack, the individuals involved in the May 2015 breach have not been informed of that they have been involved, and it is likely to be a few weeks before they are. Most of the people involved in the previous hack in April 2015 (4.2 million people) have been informed, though, and each has been invited into an identity protection program.
The Target breach has been well documented, where more than 40 million customer credit and debit cards used with Target's stores were compromised. In the end the buck ended with Target’s CEO Gregg Steinhafel, who resigned on the back of the breach, and their CIO was quickly replaced by Bob DeRodes - an executive with a strong background in information security. Shareholders have since put significant pressure on the company, including trying to oust many of the existing board members.
The responsibility focusing on Director level is highlighted too by the hack of 13,000 email addresses in Edinburgh Council. It was up to Alistair Maclean, Director of Corporate Governance, to report to the citizens involved, and he was also the source of flack around the security breach. There was no talk about sloppy practices in the support company who run the Web systems for the council or any employee not setting things up properly.
And last week, Darren Grayson, chief executive of the East Sussex NHS Trust, announced that they had lost non-encrypted memory stick containing the details of over 3,000 patients. There was no mention of the person involved, and the reasons that had led to the breach of policy. With health care data worth at least ten times the value of credit card data on the black market, the Chief Executives of health trusts have other things to worry about than their budgets, their staff and their patients.
Malware ... a big problem for the HMRC
Figure 1 shows some of the main classifications for malware. In times gone by you switched your computer on, and if someone on the network had been infected, there was a good chance that you were too. It's not really like that now, as the vector of infection tends to be a phishing email, where there is a link to follow, or a piece of software that you install which has a trojan in it. So the ransomware people will try to scare you with messages that say your system has been locked in some way.
Figure 1: Malware classification
Figure 2 shows one of the easiest ways to extort money from the user, which uses the method of authority. You will see that they have captured an IP address, which makes it look like a serious method of detecting criminal activity. Then we see pictures of a senior police officer and the Queen, with links to pay by direct payment (kash and paysafecard). It almost feels like some Big Brother world, where Big Brother is watching, and you must pay a fine for every crime you commit.
The other method that the scammers use is to send you an email with a link to click on. Many users are now aware of attachments, and tend to avoid these. A link, though, such as to a PDF document or Web page, is now the vector of choice within a phishing email. As we will see in the next section, the main culprits here are unpatched systems, which allow a script to be run on the computer and thus download the bot through a backdoor connection. Once in, it keeps itself resident by adding itself to the start-up registry key.
The unfortunate thing about the type of scam shown in Figure 2 is that it is known to have caused at least one suicide in the UK, by a victim who thought they were in trouble for accessing the content.
Figure 2: You’ve been bad!
Spear phishing
You can have the best security in the world, but if someone clicks on a spear phishing email and enters their login credentials, there's not much you can do about it. Often spear phishers use the real graphics from the sites, and trick users into thinking they are valid (go to 4:10 to see the HMRC one):
Users also get targeted with messages that put pressure on them, such as where there is an issue with a payment in PayPal. Users immediately become stressed that there is a problem, and click on the link without checking:
Conclusions
Finally ... it is happening ... Government departments are realising that the data they hold is important, and we hope that others will follow HMRC's lead. In this case the investment seems small in terms of what the finance industry is investing, but it's a start.
FlexMedical manufacturing Technician
9 years ago: About time, bet they got dragged into the decision kicking and screaming.