View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
February 23, 2015updated 19 Aug 2016 4:02pm

5 lessons to be learned from the Gemalto NSA/GCHQ hack

The NSA and GCHQ intelligence agencies have allegedly been hard at work, but what can businesses learn from the hack?

By Ellie Burns

Last week news broke on The Intercept alleging that the UK’s GCHQ and the US’s NSA had hacked the Dutch SIM card manufacturer called Gemalto.

By hacking into the emails of Gemalto’s employees, the UK and US spies allegedly gained access to the company’s internal computer networks, stealing encryption keys embedded onto millions of SIM cards.

If true, there will be major repercussions stretching to the very core of major intelligence networks, in addition to the inevitable ignition of the debate surrounding privacy.

As investigations continue, CBR has asked security experts to outline what businesses can take away from this breach, outlining what steps businesses must take in order to be secure.

1. Learn from it

Wolfgang Kandek, CTO, Qualys, says: "CISOs can use attacks, such as the one on Gemalto, for the positive purpose of internal security planning and review. The question becomes: How would my organisation fare against such an attack?

"While it is unrealistic for a company to be able to withstand a nation-state driven attack, we know that even advanced attack technology quickly becomes mainstream. Yesterday’s nation-state techniques become today’s tools for cybercriminals. It is vital then to mine the information about the attack to close down the weaknesses before they are exploited.

"In Gemalto’s case the attackers first looked at unencrypted communication of their desired data that. Transmitting the key data through FTP or simple e-mail gave the attackers a straightforward way to reach their goal.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

"As soon as an encrypted file exchange service entered the scenario, it became apparent that the difficulty in accessing the data would increase substantially.

"This should make CISOs question how they communicate with their business partners: do they have an easy to use, secure mechanism or are they driving employees to find their own, often insecure, solutions?"

2. Make your employees learn from it

Keith Bird, UK MD for security vendor Check Point, said: Like so many other cyberattacks, such as the recent Carbanak banking heist, it seems the Gemalto hack started with social engineering – using phishing emails to get access to the email and other accounts of key employees at the company. This then gave access to other systems at Gemalto.

"To protect against this type of exploit, employee education about social engineering and what to watch for – such as misspelled emails, unexpected email attachments or links – can make a big difference in reducing the risks of a hacking attempt being successful."

3. Deal with the inevitable

Erik Driehuis, VP EMEA at Digital Guardian, said: "It is now widely accepted in IT security circles that network and system breaches are inevitable, largely because IT budgets simply aren’t big enough to address every single security vulnerability in the network.

"But just because cyber criminals are making it through the door, it doesn’t mean they should be able to walk out with the crown jewels tucked under their arm."

4. Deploy another layer of encryption

Andrew Conway, research analyst at Cloudmark, commented: "The ease with which the NSA and GCHQ were able to compromise all mobile communications is shocking but there are other nation state actors with just as much determination and sophisticated hackers.

"In particular, China’s Axiom Group has shown remarkable abilities to penetrate targets in the West. Is it possible that China or some other nation states also managed to obtain the same private keys from Gemalto? Last year, mobile security company ESD revealed that they had detected a network of fake mobile phone towers intercepting communications near US military bases. It was assumed that whoever was responsible was just collecting metadata, because 3G and 4G communications are encrypted.

"Could it be that this was some foreign espionage agency with the ability to listen to US mobile phone calls? Or perhaps it was the NSA monitoring all civilian phone calls near military bases for possible terrorist activity? Regardless, it is clear that mobile communications have been badly compromised.

"In the short term organizations requiring secure voice communications can consider deploying mobile devices with another layer of encryption, such as Blackphone or Cryptophone. In the long term, we need to do a better job of end to end encryption of all mobile and fixed line communications – which will include not relying on a single master key for all communications."

5. Enter the sandbox

"Phishing emails often contain malware which has been obfuscated by the hackers to conceal its identity from traditional signature-based antivirus solutions." Advised Check Point’s Keith Bird.

"To mitigate this risk, organisations can add an extra layer of defence against malware using a technique known as threat emulation or ‘sandboxing.’ This analyses the files carried in emails for virus-like behaviour, and isolates any suspicious files before they arrive in employees’ email inboxes and risk infecting networks."


Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.