Business not learning from past cyber security incidents

Cyber security incident after incident is demonstrating organisations are still failing in the basics, but they also show that few are learning from others’ past mistakes, according to Troy Hunt, Pluralsight author and security expert.

“A good example of this is the BrowseAloud compromise that hit thousands of government websites and organisations in the UK and around the world,” he told Infosecurity Europe 2018 in London.

“Despite the fact this had a fairly significant impact, many organisations have not learned the lesson and most websites are not applying a free and easy fix, including those belonging to some UK and US government departments and some major retailers.”

The problem was caused by the corruption of a file in the Browsealoud website accessibility service that was automatically executed in the browsers of visitors to the site.

In addition to running the BrowseAloud service in the browser, the corrupted file also launched cryptocurrency mining software to enable the attackers to tap into the computing resources of visitors to affected sites to mine Monero cryptocurrency for the benefit of the attackers.

“This can be stopped with the use of a content security policy (CSP), which is just a few lines of code organisations can add free of charge to their websites to ensure that only approved scripts run automatically when they use third party services like BrowseAloud,” said Hunt.

“Despite the incident highlighting this issue, barely anyone is using CSPs. In fact, only 2.5% of the world’s top one million websites currently use CSPs to defend against rogue content,” he said.

Hunt said a cryptocurrency miner was perhaps the one of the “most benign” forms of content attackers could have chosen to launch through the compromised BrowseAloud file. “In reality, we got off lightly this time around, but we have not seen any significant action by website owners in response.”

This incident underlines the fact that many websites use services and content from third parties, which represents a security risk because attackers could compromise this is the way that the BrowseAloud file was compromised and execute malicious code through millions of websites.

“An analysis of the US Courts website reveals that its home page represent 2.3Mb of data, which is the same size as the entire Doom game, and that almost a third of that is scripts, which is rather a lot of active content that is automatically loaded into visitors’ browsers, especially when you consider that you can do just about anything with JavaScript,” said Hunt.

Compounding the problem, he said, is that most organisations are poor at detecting malicious activity, which was well illustrated by the Sony Pictures cyber attack in 2014. “Various systems were compromised at the same time and different types of data stolen, but the first the company knew of it was when employees attempted to login and were greeted with a message saying: ‘You’ve been hacked’.”

According to Hunt, who runs the HaveIBeenPwned website that aggregates breached records and makes them searchable for those affected, most organisations either have no idea that they have been hacked, and even if they do, they have no idea what data may have been stolen.

“Many of them only find out when they get an email from me telling them that their data is available on the internet,” he said, adding that this underlines that fact that detection is often difficult. “But choosing a breach detection tool can be equally difficult. There are so many suppliers selling breach detection solutions, but it is difficult to work out what actually works.”