New Zealand businesses are horribly protected and still using extremely weak security standards, says a KPMG security analyst.
The damage to New Zealand businesses from security breaches reached into the hundreds of millions of dollars in 2013. But this country’s lack of any regulatory compulsion to tell the media about security breaches suggests the actual numbers could be a lot higher.
Most of the United States - and even privacy-conscious Europe - require companies to inform their customers of privacy breaches. However, there’s no obligation in New Zealand to report a private security breach, leaving customers in the dark about how secure their information really is.
New Zealand’s Privacy Commission is keen on plugging this gap and enforce more transparency, whether it be through compulsory disclosure, fines or other penalties.
Until that happens, business security in New Zealand probably won’t change radically. KPMG security advisor Philip Whitmore says generally, security isn’t getting better across almost any New Zealand business or government agency.
“Most of the time failure comes down to risk management and not understanding what the threats are and what controls are in place to protect the risks. Security isn’t about saying no. It’s about saying yes in a very secure and protective way.
“I’m not saying we need to make it like Fort Knox and lock everything away, but we need to know what’s of value in our organisation and what’s at threat and put the right security in place. Trying to do a one-size-fits-all approach often doesn’t work,” he says.
Mr Whitmore tests business’ security - both digital and physical – through penetration testing. The idea is for his team to access an organisation’s critical infrastructure using methods available to anybody.
He discovered some uncomfortable facts about how vulnerable New Zealand organisations are against even simple threats.
The vulnerabilities read like a horror show:
· 100% of the time he accessed critical networks while pretending to be an employee
· 71% of web applications had high-risk vulnerabilities to critical networks
· 32% had poor internet perimeter controls
· 100% of the time they gained physical access (89% to secure areas)
· 24% of wireless networks were vulnerable to unauthorised access
· 62% of mobile devices’ sensitive information was accessible to outside entry
Mr Whitmore says the protection of wireless and internet access points is not as bad as it used to be. But security is a full-spectrum issue, not limited to digital. When it comes to the physical and less-thought-of aspects, the numbers are damning.
“In pretending to be a disgruntled employee we were 100% successful gaining unauthorised access to key systems and information undetected. This was done by using the same skills and techniques that any of us - if we were so motivated - could learn easily. We gained access every time to financial systems, manufacturing or controls of a utility.”
He’s also worried about protections on web-based applications because they’re nothing new. ASB, for instance, went online in 1997. Nevertheless, the issues Mr Whitmore commonly sees haven’t changed since the late 90s.
“Whether it be an online banking or perhaps a retail application, 71% of the time the applications had high risk vulnerabilities. We could bypass authentication, access sensitive information – medical or financial – whatever it may be.”
Even when he stood outside a business trying to get in through the internet perimeter he was successful far too often. In this case, his team tried different combinations of passwords and usernames.
"We got all the way in without detection, without using anything overly technical. Things like finding a login screen for remote access and trying this name or that password.”
However, wireless networks are one of the areas where people are getting better at security.
“Ten years ago I would have gotten into wireless networks perhaps 70% of the time,” Mr Whitmore says. “Today, we’re still not managing it effectively. 24% of the time we sat down the road from an organisation and got in, so that’s your internet perimeter gone.”
Mobile computing - whether it be through smartphones, tablets or laptops - he says 62% of the time they could access all the information on those devices employing simple techniques.
This is all bad news for New Zealand business’ digital safety, but surely locking the front door at night isn’t a problem? Not so fast, says Mr Whitmore. We tend to forget about physical security too.
“When we tried to get into an organisation, or into a sensitive area in that organisation, 100% of the time we were successful using techniques most of us could pick up. And if you can get access to an IT central system, you can bypass the world’s strongest passwords.
“It’s taking actions like strolling in during the day or going up to the door at night, knocking on it and asking the cleaner to let you in. Or it’s getting a bit of fencing wire and popping open the lock on the door.
The top 10 security risks, it isn’t pretty
Mr Whitmore says he’s narrowed down the top 10 all-too-common security issues. Since security is a specialised topic most companies probably won’t employ anyone with the right set of skills, but spreading some knowledge as to how exactly we’re all at risk will help the decision makers.
And the decision makers clearly need a kick in the incentives to bolster their security because the simple things are letting them down. The two most common issues are using kindergarten-weak, garden-variety passwords.
“We simply sat down and guessed the passwords of 89% of organisations. Is it “password” with capital ‘P’ and the number zero instead of an ‘O’ at the end? Is it a username, or “welcome”, or even “Monday”? That’s something any of us can do.
“Of the organisations we looked at, 78% used a common password for new people joining the company. Of those 78% of organisations, 87% retained some of those accounts for a long time with exactly the same passwords.
“Some of those accounts are privileged accounts, with administrative accounts that give you access to everything. Common initial passwords cause problems and there’s generally no need for it.”
The third most common issue is giving every employee access to everything on a company’s critical network, regardless of their job position or responsibility. That’s incredibly dangerous, especially considering the ‘disgruntled employee’ scenario could happen at any organisation.
“In 92% of cases, everyone in the organisation had access to information they shouldn’t have had access to. By sensitive information I mean things like payroll information.
“People struggle to control access to sensitive information. And I think that’s partly because organisations don’t understand what information they have,” Mr Whitmore explains.
Companies also often fail to properly secure any written down passwords. For the average employee, writing down passwords is crucial because no one’s going to remember five or six key codes. That’s really not an excuse for an IT professional.
“Best practice says you don’t write down your passwords. But the IT guys will always have a need to document their passwords, the question is how well those administrator passwords are protected. When pretending to be a disgruntled employee we found those passwords 83% of the time.”
“We found passwords written up on whiteboards in the IT area. If you see some random word written up in the corner, it’s probably a password. If it looks like a password, it probably is a password.
“We found them in the IT manager’s top drawer, they usually write them in notebooks. So we came along and just pulled the drawer open really hard. Those drawers are designed to maybe protect your lunch not sensitive information.”
Next on the list are locks on the front door or access controls to the all-important server rooms. Unfortunately the average time to get through any locked door in an office was 60 seconds in Mr Whitmore’s experience.
“Weak physical security is a problem because 100% of the time we’ve tried to get in, we’ve been successful. Of that 100%, 89% of the time we got into sensitive areas using relatively simple means.
“By simple means I mean things like, when you see in the movies people going up to hotel rooms and getting the credit card out? That’ll probably work 25% of the time. Or using a bit of fencing wire to reach under the door and grab the interior handle and pull it down.
“Doors are locked for a reason, they’re protecting something.”
Sometimes a company does have very secure passwords - and that’s a good thing - but once a user is inside a web-based application the system stops asking whether they truly should have access to the section they’re trying to enter. System developers struggle with security, Mr Whitmore says.
“Here’s a couple of examples, 61% of applications didn’t validate user input. 42% didn’t check the user’s authority to do something. Once I’m inside the application it’s not really checking whether I have the authority to do what I want to do.
“Just because there’s no button saying “admin” doesn’t mean you can’t do admin tasks. You might see up in the URL bar: “user=admin=no”. Just change it to “admin=yes”. It often is that simple.”
Nope, still not getting it
Then there’s hunting an organisation’s cached passwords. On Windows networks when you log into your workstation, a copy of your network password is stored locally in your workstation – be that on a laptop or desktop.
“So if I can get access to your workstation, your network password’s on there. And not only your network password, but the last ten people to log on. And maybe the day before you took your computer to get fixed and the IT administrator logged on, so now I’ve got their password too.
“That’s designed by Microsoft in the event your network goes down, you can still log on. Do you really need to log into desktops when the network is down? 100% of companies had local storing of passwords when they probably didn’t need to.”
Poor checks for password reset is also a big vulnerability. Often the reception or IT people executing the resets simply aren’t trained in the arts of security challenges. All it takes is a sweet voice and a little pressure and, bang, you’ve got new password for the caller and you’re in.
“We phone up the helpdesk from outside the organisation and say, “Hi, it’s Fred Smith. I’ve forgotten my password, can you reset it please?” 86% of the time when we did that, there was no challenge.
“One challenge I had recently was, ‘Philip, when did you start with the organisation?’ I responded, ‘February this year’. He said, ‘Our records say it was December last year.’ ‘Oh, I was contracting then, I’ve come back in February this year.’ ‘Oh, Ok’, he said, and changed the password,”
This weak defence is tied to a general lack of security awareness among employees. Mr Whitmore’s not saying everyone needs to be James Bond, but they do need to know enough to do their jobs.
“If I knock on a locked door, should you let me in? Most of the time, the answer I get is: yes. Sometimes in the middle of the night, one of my team members will walk up to the door and people will let us in while we’re wearing jeans and a t-shirt!
“We see people getting up for lunch and leaving their computers unlocked. Well, I’ll sit down at your computer and maybe I’ll try to get a fake invoice through. I can enter it but I can’t approve it. So I just need to wait until the accountant gets up for lunch, sit down at their computer and approve it.”
The final problem is software patches. Updates and patches are often sent out to fix software security which the developers weren’t aware of. What was thought to be secure yesterday, isn’t secure today. That’s not the fault of software vendors, it’s just that technology inexorably evolves.
“However, 100% of organisations don’t apply patches to sensitive software in a timely fashion. This might be within a day for a very high risk, or it might be within a month for other risks. Of the top four mitigations against breaches, patching is two of them. Patching is very effective.”
Are you feeling sheepish?
Do you feel a tingling sensation running down your spine? That’s what everyone experiences after they see the results of a penetration test. The news isn’t very nice when you see all the holes.
Some companies might be looking at this list and feeling quite embarrassed right now. The truth is, almost every business will be vulnerable to one or perhaps all of these breaches during its lifetime. It might even have a few too many gaps open right now.
Unfortunately Mr Whitmore says there’s no easy fix as the best procedures can still be thwarted by a careless (or coffee-less) employee making a simple, human mistake. But that shouldn’t obviate the need to sit down and think about security on a regular basis. After all, the consequences of not doing so could be disastrous.
“What would have happened if the breach at ACC had occurred to a private insurer?” Mr Whitmore asks.
“With ACC we don’t have a choice, private sector we do have a choice. The customers would have picked up their policies and walked down the road. So this is an important business issue, it can kill us in nanoseconds.”
Every business has limited funds and it’s always going to be hard to allocate precious resources to get the greatest effect. There’s so many gaps that it’s hard to make the first move.
This can lead to paralysis and the assumption that because no attack has occurred yet, it probably won’t happen in the future. But this is folly, all companies are targets in the modern internet age.
The best thing to do is perhaps concentrate on the top threats and vulnerabilities. At least companies can start here.
“It’s tough convincing people. There isn’t an easy answer to convince people who have their blinders on. But over the last two years it’s become less tough. They’ve seen ACC, IRD and EQC and it has woken people up. They’re thinking that could have been them,” Mr Whitmore says.