In an age of sophisticated malware, self-replicating worms, drive-by attacks and ransomware this is a useful reminder that email remains a key attack vector and a vital first line of defence for the enterprise.
The attack on Parliament was reportedly an old-fashioned ‘brute force’ attempt to guess weak passwords. Although there are over 9,000 accounts, including the 650 used by MPs, fewer than one per cent were accessed. What information was lost is still being investigated.
The Parliamentary Digital Service blamed weak passwords for the breach. The PDS is also trying to work out the source of the attack, but initial suspicions are aimed at Russian hackers.
Lord Fowler told the House of Lords:
“On Friday, the Parliamentary Digital Service discovered unusual activity and evidence of an attempted cyber-attack on our computer network. Closer investigation confirmed that hackers were carrying out a sustained and determined attack on all parliamentary user accounts in an attempt to identify weak passwords and gain access to users’ emails. The Digital Service have been working closely with the National Cyber Security Centre to identify the method of the attack and have made changes to prevent the attackers gaining further access. IT systems on the Parliamentary Estate are now working as normal and remote access is being restored gradually. We are continuing to investigate the source of the attack and believe that fewer than one per cent of the 9,000 accounts on the parliamentary network have been compromised as a result of weak passwords.”
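The pattern described above, one source working through every account looking for weak passwords, is what an authentication log shows long before any account is opened. The following is an added example, not code from the article or from the Parliamentary Digital Service: it parses constructed log lines in an assumed `timestamp auth OK|FAIL user= src=` format and flags two shapes of attack with a sliding time window, password spraying (one source, many distinct accounts) and brute force (many failures against one account). Thresholds and the log format are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from the article). The first
# block mimics one source trying a password against many accounts (spraying);
# the second mimics many guesses against one account (brute force); the last
# three lines are a normal user who mistypes once and then logs in.
SAMPLE_LOG = (
    [f"2017-06-24T03:00:{i:02d} auth FAIL user=mp{i:03d} src=198.51.100.7" for i in range(8)]
    + [f"2017-06-24T03:05:{i:02d} auth FAIL user=alice src=203.0.113.9" for i in range(12)]
    + [
        "2017-06-24T03:06:00 auth OK user=bob src=192.0.2.5",
        "2017-06-24T03:06:30 auth FAIL user=bob src=192.0.2.5",
        "2017-06-24T03:06:45 auth OK user=bob src=192.0.2.5",
    ]
)

# Assumed log line layout for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def peak_in_window(events, key, window_sec, distinct):
    """Sliding window over time-sorted events: the largest number of events
    (distinct=False) or of distinct `key` values (distinct=True) that fall
    within any span of window_sec seconds."""
    events = sorted(events, key=lambda e: e["ts"])
    counts = defaultdict(int)
    best = start = 0
    for end, e in enumerate(events):
        counts[e[key]] += 1
        # Evict events that have fallen out of the window ending at e.
        while (e["ts"] - events[start]["ts"]).total_seconds() > window_sec:
            old = events[start][key]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        size = len(counts) if distinct else end - start + 1
        best = max(best, size)
    return best


def detect(events, window_sec=600, spray_accounts=5, brute_force_fails=10):
    """Flag sources that fail against many distinct accounts (spraying) and
    accounts that collect many failures (brute force) within the window."""
    fails_by_src = defaultdict(list)
    fails_by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)
            fails_by_user[e["user"]].append(e)

    alerts = []
    for src, evs in fails_by_src.items():
        n = peak_in_window(evs, "user", window_sec, distinct=True)
        if n >= spray_accounts:
            alerts.append({"type": "password_spray", "src": src, "distinct_accounts": n})
    for user, evs in fails_by_user.items():
        n = peak_in_window(evs, "user", window_sec, distinct=False)
        if n >= brute_force_fails:
            alerts.append({"type": "brute_force", "user": user, "failures": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The two rules are deliberately separate: a per-account lockout alone does not catch spraying, because each account sees only one or two failures, while the per-source view does. Bob's single mistyped password stays below both thresholds, which is the balance a rule like this has to strike.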
But many observers were surprised that such a tempting target as government email accounts was secured using passwords alone.
The issues with password security are well known. Attempts to improve them, whether by forcing users to change them regularly or only accepting complex passwords, tend to have the opposite effect. They force users to write them down or use the same hard-to-remember password for several services.
There are many alternatives which businesses already use to make life harder for hackers. Although there are issues with some of these, such as biometrics, there is little doubt that some form of two-factor authentication is now considered the baseline for any secure system.
At its simplest this is how your bank card works.
To get money out of an ATM you need: something you have – your bank card, and something you know – your PIN.
Many online services use similar systems – Google has used two factor security since 2011 by sending users a unique code to their mobile phone to supplement their passwords.
Of course two factor authentication will not stop every attack. But it will make life an awful lot more difficult for hackers and hugely reduce their ability to quickly get into systems.
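The one-time code a phone app produces is the "something you have" factor described above. The following is an added example, not code from the article or from any provider it names: it implements the standard HOTP/TOTP algorithms (RFC 4226 and RFC 6238) and the server-side check that goes with them. The base32 secret is a constructed demonstration value, and the one-slot tolerance window is an assumption made for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demonstration secret in base32 (the encoding authenticator apps
# use when a phone is enrolled). It is not a real credential.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret_b32, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, for_time=None, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the current time slot."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret_b32, int(for_time // step), digits)


def verify_totp(secret_b32, candidate, for_time=None, step=30, digits=6, window=1):
    """Server-side check of a code typed by the user.

    Accepts the current slot plus `window` slots either side to absorb clock
    drift between phone and server. Every slot is checked and the comparison is
    constant-time, so response timing does not reveal which digits matched."""
    if for_time is None:
        for_time = time.time()
    if len(candidate) != digits or not candidate.isdigit():
        return False
    counter = int(for_time // step)
    matched = False
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, counter + delta, digits)
        matched |= hmac.compare_digest(expected, candidate)
    return matched


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET_B32, now)
    print("code for this 30-second slot:", code)
    print("accepted:", verify_totp(DEMO_SECRET_B32, code, now))
```

Two design points matter for the caveat above. The tolerance window should stay small (one slot either side is typical), because every extra slot widens the set of codes an attacker could guess, and a code that has been accepted once should be recorded and refused if replayed within its validity window; a verifier like this is also normally paired with a rate limit on failed code attempts.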
Just as importantly it is relatively easy for users to implement.
Too many security procedures fail because they do not consider the burden they place on users. Get this balance wrong and it forces users to work around the security put in place and to see it as a barrier to their real work.
Asking people to memorise dozens of passwords and change them every week is not realistic.
But a user-friendly, two factor log-in process to access corporate networks and email accounts is a basic first step.
Unfortunately we’re not about to see the end of the password, but we should see the end of blaming passwords, and users, for security breaches.