
Email attack on Parliament, don’t blame passwords

UK Members of Parliament had an enforced email holiday last month when all their accounts were frozen in response to a sustained attack.

By John Oates

In an age of sophisticated malware, self-replicating worms, drive-by attacks and ransomware this is a useful reminder that email remains a key attack vector and a vital first line of defence for the enterprise.

The attack on Parliament was reportedly an old-fashioned ‘brute force’ attempt to guess weak passwords. Although there are over 9,000 accounts, including the 650 used by MPs, fewer than one per cent were accessed. What information was lost is still being investigated.

The Parliamentary Digital Service blamed weak passwords for the breach. The PDS is also trying to work out the source of the attack, but initial suspicions are aimed at Russian hackers.

Lord Fowler told the House of Lords:

“On Friday, the Parliamentary Digital Service discovered unusual activity and evidence of an attempted cyber-attack on our computer network. Closer investigation confirmed that hackers were carrying out a sustained and determined attack on all parliamentary user accounts in an attempt to identify weak passwords and gain access to users’ emails. The Digital Service have been working closely with the National Cyber Security Centre to identify the method of the attack and have made changes to prevent the attackers gaining further access.  IT systems on the Parliamentary Estate are now working as normal and remote access is being restored gradually. We are continuing to investigate the source of the attack and believe that fewer than one per cent of the 9,000 accounts on the parliamentary network have been compromised as a result of weak passwords.”
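The pattern Lord Fowler describes, one source failing logins against many different accounts rather than one user mistyping their own password, is something a defender can pick out of authentication logs. This is an added example, not code from Parliament, the PDS or the article; the log format and the sample lines are constructed here, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the page). 203.0.113.7
# tries six different accounts and gets into one; 198.51.100.9 is a single
# user who mistypes their own password twice and should not be flagged.
SAMPLE_LOG = """\
2017-06-23T09:59:58 auth fail user=alice src=203.0.113.7
2017-06-23T10:00:01 auth fail user=bob src=203.0.113.7
2017-06-23T10:00:03 auth fail user=carol src=203.0.113.7
2017-06-23T10:00:05 auth fail user=dave src=203.0.113.7
2017-06-23T10:00:07 auth fail user=erin src=203.0.113.7
2017-06-23T10:00:09 auth ok user=erin src=203.0.113.7
2017-06-23T10:00:11 auth fail user=frank src=203.0.113.7
2017-06-23T10:01:00 auth fail user=grace src=198.51.100.9
2017-06-23T10:01:04 auth fail user=grace src=198.51.100.9
2017-06-23T10:01:09 auth ok user=grace src=198.51.100.9
"""

# Assumed line format: "... auth <ok|fail> user=<name> src=<address>"
LINE_RE = re.compile(r"auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)")


def parse_events(log_text):
    """Yield (src, user, succeeded) for each line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["user"], m["result"] == "ok"


def find_spray_sources(events, min_accounts=5, min_failures=5):
    """Flag sources that fail against many distinct accounts (assumed thresholds).

    Returns {src: {"targets": n, "failures": n, "compromised": [users]}} where
    "compromised" lists accounts the flagged source later logged into: those
    are the weak-password accounts to reset first.
    """
    per_src = defaultdict(lambda: {"failed": set(), "failures": 0, "ok": set()})
    for src, user, ok in events:
        s = per_src[src]
        if ok:
            s["ok"].add(user)
        else:
            s["failed"].add(user)
            s["failures"] += 1
    flagged = {}
    for src, s in per_src.items():
        if len(s["failed"]) >= min_accounts and s["failures"] >= min_failures:
            flagged[src] = {"targets": len(s["failed"]),
                            "failures": s["failures"],
                            "compromised": sorted(s["ok"])}
    return flagged
```

Running `find_spray_sources(parse_events(SAMPLE_LOG))` flags only 203.0.113.7, with six accounts targeted and `erin` as the account that was successfully entered.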

But many observers were surprised that such a tempting target as government email accounts was secured using nothing but passwords.

The issues with password security are well known. Attempts to improve them, whether by forcing users to change them regularly or only accepting complex passwords, tend to have the opposite effect. They force users to write them down or to reuse the same hard-to-remember password across several services.


There are many alternatives which businesses already use to make life harder for hackers. Although there are issues with some of these, such as biometrics, there is little doubt that some form of two-factor authentication is now considered the baseline for any secure system.

At its simplest this is how your bank card works.

To get money out of an ATM you need something you have (your bank card) and something you know (your PIN).

Many online services use similar systems. Google has offered two-factor security since 2011, sending users a unique code to their mobile phone to supplement their password.

Of course, two-factor authentication will not stop every attack. But it will make life an awful lot more difficult for hackers and hugely reduce their ability to get into systems quickly.

Just as importantly it is relatively easy for users to implement.

Too many security procedures fail because they do not consider the burden they put on users. Get this balance wrong and it forces users to work around the security put in place and to see it as a barrier to their real work.

Asking people to memorise dozens of passwords and change them every week is not realistic.

But a user-friendly, two-factor log-in process for access to corporate networks and email accounts is a basic first step.

Unfortunately we’re not about to see the end of the password, but we should see the end of blaming passwords, and users, for security breaches.
