Bill Buchanan - When The Government Can’t Even Protect and Encrypt Our Data … What Chance The Rest?
ASecuritySite Podcast - A podcast by Professor Bill Buchanan OBE
Lessons from the cybersecurity rule book for government:

Lesson 1: If you hold PII (Personally Identifiable Information), encrypt it.
Lesson 2: Lock down access to encrypted data and require multifactor authentication for every access.
Lesson 3: Store all communications with citizens in encrypted form.
Lesson 4: Encrypt and authenticate all data transmitted between systems.
Lesson 5: Log every access to data, and restrict queries according to a policy.
Lesson 6: Analyse alerts on data access, either automatically or by a human.
Lesson 7: Provide a strong identity governance framework, and never assign rights automatically.
Lesson 8: Apply human checkpoints and tripwires on access to sensitive documents.
Lesson 9: Segment data sources, physically and virtually, from the systems that control access to them.
Lesson 10: Use a dual-homed architecture for data access, so that sensitive data sources are isolated from general-purpose networks by allow-list (white-list) firewalls.
Lesson 11: Put a strongly authenticated API in front of the data and limit the queries each role may run.
Lesson 12: Don't rely on role-based security alone; migrate to attribute-based systems that take account of time, location, hardware/software token possession, and so on.
Lesson 13: Don't encrypt all your data under a single key. Use envelope encryption, so that every data record and message can be encrypted under its own random key.
Lesson 14: Store your sensitive keys in a Hardware Security Module (HSM) and restrict access to them.
Lesson 15: Audit regularly and review access logs. Get external reviews from trusted entities.
Lesson 16: Warn staff that tripwires are in place, and define HR procedures for breaches, e.g. three strikes and you're out.
Lesson 17: Remove passwords wherever possible, and replace them with multifactor authentication that includes tokens, time and location.
Lesson 18: Implement file-scanning processes that discover key identifiers of PII, including on work laptops.
Lesson 19: Apply zero-trust principles to all access to citizen data.
Lesson 20: Run only one service per server, and minimise the attack surface.

It's as simple as that. In fact, governments could learn a great deal about coping with cybersecurity from the Cloud.

But now the Electoral Commission in the UK has revealed that information on around 40 million citizens was exposed from August 2021 to October 2022. This covers everyone who registered to vote between 2014 and 2022 and includes their names and addresses, along with information sent to the Commission by email and through web forms.

https://www.bbc.co.uk/news/uk-politics-66441010

Very few details of the "complex cyber-attack" have been given, but I would bet that, in the end, it came down to the good old standard method of gaining a foothold in a system. The risk of insiders leaking information is significant in this type of breach, and the best firewalls in the world will not protect us from insider threats. The banks have realised that they need 24x7 SOC support, and the same applies to government. While the information leaked is possibly not that serious, there is a basic trust issue here: the data was exposed for over a year, and the intrusion was not detected in all that time.

Conclusions

In response, the Commission has said that it would lock out hostile actors, which doesn't sound like a coherent plan to protect the data. I would hope that encryption and a zero-trust approach will also be used. Governments need to lead the way, and not be stuck with the paper-based approaches of the 20th Century.
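Lesson 13 (one random key per record, wrapped by a key encryption key) is easier to see in code than in prose. The following Go program is an added example written for this page; it is not code from the podcast or from any government system, and it uses only the Go standard library. Assumptions: AES-256-GCM for both layers, the record ID bound into both ciphertexts as additional authenticated data, and a key encryption key (KEK) that is generated in memory here, where in practice it would live in an HSM (Lesson 14) and only wrap/unwrap operations would be exposed. The names EncryptedRecord, EncryptRecord, DecryptRecord and RewrapDEK are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedRecord is the stored form: the body under its own data encryption key
// (DEK) and that DEK wrapped under the KEK. Both blobs are nonce || AES-GCM output.
type EncryptedRecord struct {
	WrappedDEK []byte
	Ciphertext []byte
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// NewKEK returns a random 256-bit key encryption key. Assumption for this example:
// the KEK is held in memory; in production it would be generated and kept in an HSM.
func NewKEK() ([]byte, error) { return randomBytes(32) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce, binding aad, and
// returns nonce || ciphertext; open reverses it and fails if anything differs.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// EncryptRecord draws a random DEK for this one record, encrypts the body under it,
// and wraps the DEK under the KEK. The record ID is the AAD for both layers.
func EncryptRecord(kek []byte, recordID string, plaintext []byte) (*EncryptedRecord, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	body, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{WrappedDEK: wrapped, Ciphertext: body}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the body.
func DecryptRecord(kek []byte, recordID string, rec *EncryptedRecord) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, []byte(recordID))
}

// RewrapDEK rotates the KEK for one record: only the small wrapped-key blob changes.
func RewrapDEK(oldKEK, newKEK []byte, recordID string, rec *EncryptedRecord) error {
	dek, err := open(oldKEK, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK, dek, []byte(recordID))
	if err != nil {
		return err
	}
	rec.WrappedDEK = wrapped
	return nil
}
```

Two things this shows that the lesson only states: compromise of one record's DEK exposes one record, not the whole store, and rotating the KEK rewrites only the wrapped keys, never the bulk ciphertext. Binding the record ID as AAD also stops an attacker with database write access from pairing one record's wrapped key with another record's body.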
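Lessons 5, 8 and 12 together describe an access decision that is made on attributes (token, location, time, size of the request) rather than on a role, with a human checkpoint on bulk access and a log line for every decision. The Go program below is an added example of such a policy evaluator; it is not code from the podcast or from the Electoral Commission. The allow-listed network 10.20.0.0/16, the 08:00 to 18:00 window, the action names "read-one" and "export", and the rule that a bulk export needs approval by a second, different person are all assumptions made for the example; the Policy, AccessRequest, Decision and AuditLine names are its own.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// AccessRequest carries the attributes the policy evaluates: not just who asks,
// but how they authenticated, from where, when, and for how much data.
type AccessRequest struct {
	Subject     string
	MFAVerified bool   // a hardware/software token was verified this session
	SourceIP    net.IP // network location of the caller
	When        time.Time
	Action      string // "read-one" for a single record, "export" for bulk (assumed names)
	ApprovedBy  string // second person who approved a bulk action, if any
}

// Policy is the attribute-based rule set. Assumed for this example: access only
// from allow-listed networks, only within the hour window, bulk export under dual control.
type Policy struct {
	AllowedNets []*net.IPNet
	HourStart   int // inclusive, in the request's own time zone
	HourEnd     int // exclusive
}

// Decision carries the outcome and a reason that goes into the audit log.
type Decision struct {
	Allow  bool
	Reason string
}

func (p Policy) fromAllowedNet(ip net.IP) bool {
	for _, n := range p.AllowedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Evaluate denies by default; every path that allows says why.
func (p Policy) Evaluate(r AccessRequest) Decision {
	if !r.MFAVerified {
		return Decision{false, "no verified MFA token in session"}
	}
	if !p.fromAllowedNet(r.SourceIP) {
		return Decision{false, "source address not on allow-list"}
	}
	if h := r.When.Hour(); h < p.HourStart || h >= p.HourEnd {
		return Decision{false, "outside permitted hours"}
	}
	switch r.Action {
	case "read-one":
		return Decision{true, "single-record read"}
	case "export":
		// Bulk access is the pattern behind mass exposure, so it trips a human
		// checkpoint: a different person must have approved this request.
		if r.ApprovedBy == "" || r.ApprovedBy == r.Subject {
			return Decision{false, "bulk export needs approval by a second person"}
		}
		return Decision{true, "bulk export under dual control by " + r.ApprovedBy}
	}
	return Decision{false, "unknown action " + r.Action}
}

// AuditLine renders request and decision as one log line, whatever the outcome,
// so every access (allowed or refused) is recorded and can be alerted on.
func AuditLine(r AccessRequest, d Decision) string {
	verdict := "DENY"
	if d.Allow {
		verdict = "ALLOW"
	}
	return fmt.Sprintf("%s subject=%s action=%s src=%s mfa=%t approver=%q verdict=%s reason=%q",
		r.When.UTC().Format(time.RFC3339), r.Subject, r.Action, r.SourceIP, r.MFAVerified, r.ApprovedBy, verdict, d.Reason)
}

func main() {
	_, office, _ := net.ParseCIDR("10.20.0.0/16") // constructed allow-list
	p := Policy{AllowedNets: []*net.IPNet{office}, HourStart: 8, HourEnd: 18}
	req := AccessRequest{Subject: "clerk1", MFAVerified: true, SourceIP: net.ParseIP("10.20.3.4"),
		When: time.Date(2022, 10, 3, 10, 0, 0, 0, time.UTC), Action: "export"}
	fmt.Println(AuditLine(req, p.Evaluate(req))) // denied: no second approver
	req.ApprovedBy = "supervisor2"
	fmt.Println(AuditLine(req, p.Evaluate(req))) // allowed under dual control
}
```

The point of the structure is that a role never appears: the same clerk is allowed or refused depending on the token, the network, the clock and the scope of the query, and a denied request produces the same log line as an allowed one, which is what Lesson 6's alerting has to work from.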