Cybersecurity starts with the basics

Blogs
(Source: Stockfresh)

12 September 2014

Yesterday saw the Convention Centre in Dublin host the annual CyberThreat Summit run by the not for profit International Cyber Threat Task Force (ICTTF).

The ICTTF is a grass roots security body that aims to bring together all aspects of the cyber world, even journalists, to share information, experience and best practice in tackling everything from international cybercrime to cyber bullying — with no small amount of success.

It is always scary sitting through presentations by those at the coalface of cybercrime, as they relay what is happening in the real world. But one particular presentation was very worrying.

This was not because the presentation contained technical information on new exploits that were going undetected around the world like ghosts in the machine. Nor did it contain dire warnings of nation states turning black hats into secret agents to steal secrets from all and sundry — though there was lots of this elsewhere. No, this presentation by the incomparable James Lyne of Sophos, a rock star of the industry, was about the fact that people are still using things like default log-ins and ‘1234’ passwords for devices that are not only networked, but internet connected.

Two wireless networks in one neighbourhood were titled “Stop stealing our paper” and “We don’t even read it” respectively

Lyne, in his usual style that would not go amiss at the Edinburgh Fringe Festival (as he is a mix somewhere between Dave Gorman, Thom Yorke and Weird Al Yankovic) presented the results of his war-driving in various cities around the developed world and showed that some of the devices he was picking up were not only unsecured, but many had log-in credentials set by the manufacturer, such as ‘admin’, ‘admin’ and passwords that could have been cracked with an ABC spelling book, instead of a dictionary attack. While the humour was there too in the form of two wireless networks in one neighbourhood were titled “Stop stealing our paper” and “We don’t even read it” respectively, the more serious aspects were baby monitors and IP cameras that were equally open to the world.

Why, Lyne rightly asked, would someone buy a baby monitor that has a microphone, and in many cases a camera too, that is internet enabled, put it in their child’s room and then fail to secure it from outside hijack? It beggars belief.

But this is a malaise that goes beyond the well-heeled suburbs of our developed cities. Lyne warned that many organisations are leaving themselves just as open as they introduced Internet of Things (IoT) devices to their networks without doing the basics of locking down extraneous ports, features and capabilities.

This was something that was echoed by event organiser and chair, Paul C Dwyer, himself a major international figure in the world of cybersecurity, advising governments, law enforcement agencies and multinationals alike. Dwyer said that the high profile cases of retailers being hacked and many millions of records being compromised were often characterised by a complete lack of understanding of risk.

He said that some organisations may have looked at a vulnerability to attack and thought that in the run up to a busy period, such as Black Friday or the Christmas rush was not the time to tackle an issue and that when things quietened down something could be done. When such lack of understanding of risk is coupled with lax security measures, the results have been shown to be catastrophic.

So while the vendors were lined up to sell the latest and greatest in technology to protect organisations, the advice from the experts was clear: do the basics first and make sure that the simple measures have been taken. Change default log-ins, ensure passwords are of suitable strength and turn off what is not needed or of questionable use — now. Then look further for the sophisticated, nearly self-aware cybertools to protect against advanced persistent threats from state-sponsored black hats — after you’ve locked the backdoor.


Back to Top ↑

TechCentral.ie