The Telegraph today ran a piece on a subject close to our hearts here at Advent IM, namely the cyber threat to our physical world. You can read it here.
Regular readers will know we have expressed concern before that language can create barriers or false realities that leave vulnerabilities, and the prevalence of the word ‘cyber’ is a good example of this. Cyber, to most people, conjures up the ethereal world of the hacker – that strange and dangerous electronic hinterland that few really grasp. Of course, this is dangerously inaccurate, as many systems that control our physical world are networked and can therefore be hacked.
The late Barnaby Jack showed the world how he could hack into an insulin delivery system in a patient to effectively overdose that patient; he also managed to hack into an ATM system, which then dispensed cash like a waterfall. The two worlds are converging quicker than our security awareness is growing.
Bringing the threat to our critical national infrastructure to the attention of the public at large is in one way unnerving but also very necessary.
Please have a look at our presentation on the topic; you will need sound.
Hacking and cyber attacks have hardly been off our media front pages for a long time. But are businesses and organisations misleading themselves by referring to these incidents as ‘hacks’ or ‘cyber attacks’? Are businesses actually limiting their thinking, and thereby creating vulnerabilities, by mislabelling these important events? There is a strong indication this might sometimes be the case.
When we talk about hacking we think about a variety of activities, from the lone, disruptive back-room coder to the determined and resource-laden gurus of cyberspace who can apparently enter our systems at will and remove whatever data they want – maybe government funded, but definitely expert and dangerous. Of course, both of these exist, but if recent surveys give us any indication of how much these remote threats actually affect our businesses and organisations on a daily basis, it would appear an important part of the threat puzzle is missing.
According to the Verizon Data Breach Report 2013, more than three quarters of breaches utilised weak or stolen credentials. So either the malfeasant has taken a solid guess that the password will be ‘password’, or has stolen a passcard to a server room, or has carried out any of a myriad of other activities which are not hacking but are breach enablers. So the myth of the remote hacker is revealed, at least in the majority of cases, to be just that: a myth. With 35% of breaches involving some kind of interaction in the physical world, such as card-skimming or theft, the report underlines the need to move the security focus away from solely cyber.
The same report showed that in larger organisations, ex-employees were the same level of threat as existing managers. If we refer to the previous statistic, then a proportion of those stolen credentials could actually come from ex-employees using their old credentials, or credentials they had access to, in order to access company networks, as happened in the ‘Hacker Mum’ story.
Nearly a third of breaches involved some kind of social aspect. This could be coercion of an existing employee, a phishing campaign, or simply walking into a building on a regular basis and charming a staff member such as a receptionist (mines of information that they are) to get information on staff comings and goings. It could also involve surveillance of a business over an extended period, including its staff, visitors and contractors.
So the actual ‘hack’ or ‘cyber attack’ is quite an extensive way down the line in this kind of breach. It could have been in planning for months. On one hand this is worrying, because our language has encouraged us to focus our attention on only one part of the process. It enables the already prevalent ‘IT deals with security’ mindset we have discussed in previous posts. But in enabling this narrowed view, we are creating a vulnerability and ignoring the opportunities we will have had along the route of this breach to halt it before anyone even logged on to anything.
A comprehensive programme of Security Awareness training, built into everyone’s role and regularly refreshed, is one helping hand in preventing the attack reaching the actual hack stage. Simple things like ensuring everyone knows not to click on uninvited or suspicious-looking links in emails, for instance. Being aware of unfamiliar faces in a building, regardless of whether they are wearing a high-vis jacket or a lab coat. Social engineers love to hide in plain sight.
So use of language has ruled out these elements being considered by all staff members: they hear the words ‘cyber’ and ‘hack’, think it is IT’s responsibility, and then carry on as normal. There are many points at which the hack could have been prevented by basic security hygiene or good practice.
It underlines to us that threats to our businesses and infrastructure are holistic, and so should the response to those threats be. Yes, there is a threat from the faceless hacker, the determined and well-funded professional as well as the random and opportunistic ‘back-bedroom warrior’. But many businesses and organisations are facing a people-based threat first. An old vulnerability being enabled in a new way – language.
Traditionally the NHS has primarily focused its security efforts on the problems associated with violence and aggression toward staff. This is because it is still perceived as the major concern and so continues to be the main focus of resource expenditure. Whilst the threat of aggression is clearly an issue that needs to be in scope, there are other areas that not only need attention for the wellbeing of the people involved, but also to help guard against spiralling cost – a pariah to any NHS Trust.
Looking at the Threat Landscape
In many cases, NHS Trust security is managed by former Police Officers who have a wealth of experience in dealing with aggression. However, it has to be acknowledged that the threat landscape is far more varied than this head-on threat. Security threats come from a variety of sources and not all revolve around outright aggression.
The perception of Security Officers’ duties in NHS Trusts is that they are to provide reassurance to the public, hospital staff and visitors in the event of violent behaviour. In fact, there are a myriad of duties that they are called upon to carry out, some of which they are not trained to perform. These duties can include: searching for missing patients; attending patients on suicide watch; supervision of patients awaiting Mental Health professionals; foot patrols; cashier runs; car park patrols; smoking patrols; and issuing parking contravention notices, to name but a few.
The NHS is no different from any other organisation as far as security is concerned: security components are more often than not bolted on as funding becomes available, and usually without any long-term objective in mind. In a recent NHS Trust project, it was discovered that the absence of a strategic vision meant that funding had in fact been wasted. For example, additional CCTV cameras were installed without an understanding of what they were actually needed to do. The CCTV system was not integrated with other security systems, and this lack of integration represented not only a wasted opportunity to increase efficiency and improve security, it also wasted scarce financial resources. A CCTV audit revealed that there were actually too many cameras, but few were positioned where they were needed. Furthermore, many cameras were capturing images that were actually unusable. (This problem only increases when you add in multiple sites using different systems.) A rationalisation of the CCTV estate and a review of its fitness for purpose is, in many cases, the best way to proceed.
Another very important aspect of using CCTV systems that is often overlooked, or perhaps not fully understood, is the Data Protection Act. The images that are recorded, stored and deleted constitute personal data that has to be properly handled and then, when appropriate, properly destroyed. This means everyone who monitors, has access to, stores or manages these images needs to be properly trained, aware of their responsibility and able to treat the data properly.
In any organisation, loss creates cost, and this is something each and every Trust is currently facing. A recent Daily Mail article highlighted theft from the NHS as a serious issue. Some equipment and facilities are very expensive. Loss or damage not only drives cost but can endanger lives. The absence of a security-aware culture, or one that is almost entirely focused on an aggression-based threat, allows loss to flourish, as the investment can be made ineffectually, as we read about in the CCTV example. Staff may prop open frequently used doors, or share door entry cards for convenience. These are commonly found issues in security procedures in Trusts. What if that door gave access to drugs, vital equipment or confidential medical data? If the cameras are also ineffectual, a thief could wander around and help themselves to thousands of pounds’ worth of equipment, or steal personal data that the NHS Trust would be held accountable for.
During a recent project, a consultant found that no one challenged his presence in a medical record archive and said he could have easily made his way into a RESTRICTED information area by tailgating through the door; such was the lack of awareness.
- The Threat environment has changed and security needs to be approached as a cyclical, on-going process. It needs to be reviewed and tested regularly.
- The narrow view of security within the NHS as being aggression-based and the responsibility of the manned guarding component needs to be dispelled. Everyone working within any organisation has a personal responsibility for security; an NHS Trust is no different. A cultural change within Trusts is required to instil awareness. Only this way will everyone feel part of the security fabric, rather than seeing it as something that is done by someone else.
- Security Training and education should be standard in all Trusts; this should include an understanding of the real rather than perceived threat landscape.
- Senior management need to understand how to maximise the effectiveness of their security infrastructure for the benefit of the Trust. This encompasses understanding all of the above plus a willingness to forget the mantra of “this is the way we’ve always done it” and move toward excellence. After all, effective security will prevent harm to staff, patients, visitors and contractors, protect costly equipment and dangerous drugs, prevent damage to other assets and loss of sensitive or personal information.
- A proper security review can identify areas where cost savings can be made or wasted costs controlled, such as the CCTV estate review – removing cameras that are not fit for purpose will reduce the maintenance bill. The review will also determine if cameras are fit for their purpose and placed in an appropriate location to mitigate the identified threats thus ensuring that the Trust meets its Duty of Care for staff, visitor and patient safety.
Advent IM Senior Security Consultant – Paul Smith MSc MSyI
Our very own Mike Gillespie will be speaking at this event at both the morning and the afternoon session.
It will be an interesting day looking at innovation and news in building technologies, discussing various topics around a holistic view of security systems in the morning, plus some more focused discussion on key specific systems such as CCTV in the afternoon and examining the holistic approach to integrating systems.
Gallagher have lined up some great speakers for both sessions.
If you are interested in attending or would like more information, you can contact Kate Hutchins of Gallagher.
Or you can get in touch with us and we will get an invite for you. Places are limited, so don’t hesitate.
We are delighted to announce that our very own Mike Gillespie has been invited to speak at a series of events next week (WC 14.11.11).
Gallowgate Suite, Newcastle United Football Club, St James Park, NE1 4ST
Birmingham – 16.11.11
Pavilion Suite, Hilton Metropole Hotel, Birmingham NEC, B40 1PP
London – 17.11.11