
Businesses’ Easiest Targets: HR Vs. FOI Team

Britain’s new cyber crime cops won’t be subject to freedom of information requests. Indeed, the entire National Crime Agency is exempt from the FOI Act. That might upset people hungry for transparency, especially after all the furore surrounding secrecy over surveillance following the leaks of Edward Snowden.

But, as I suggested to Andy Archibald, who is heading up the National Cyber Crime Unit, this could be a good thing for the organisation’s security. If I were an attacker, my prime target for any public sector organisation would be the FOI team. I’d craft a malicious attachment that exploited much-used software – Internet Explorer perhaps – and send it in a fake FOI request.

Hopefully, the exploit code would get past the organisation’s email security protections, meaning it would almost certainly be opened by the unsuspecting employee. Then I could get malware on their machine before trying to find my way onto other bits of the network. I’d also use encryption on the communications going between that malware and my command and control systems, as that would make it rather tricky for the victim to see what’s going on. “You’re in the wrong profession,” Archibald tells me.

Attacking HR

Similar ideas came up in conversation the day before with former Symantec CEO and now FireEye board member Enrique Salem. For the majority of organisations FOI does not apply, but there are some departments that have to open attachments regularly, HR being one. Given the amount of sensitive data passing through HR systems, even if an attacker couldn’t escalate privileges to gain access across the target’s network, they could still glean vast amounts of valuable information just by infecting an HR worker’s client.

Any part of the organisation that has to open emails frequently throughout a working day is a prime spear phishing target. Even basic anti-phishing advice, like "do not open emails that appear to come from dodgy sources", cannot really apply here. Those emails have to be opened.

What to do then? First, use the most current version of whatever software you’re running, especially oft-exploited kit like Internet Explorer. That might be a problem for the UK government, which is still widely using IE6. Others who stick to old versions due to web application compatibility may also find this tricky. And getting away from Java, despite the many flaws that emerge in Oracle’s software, appears to be an impossibility for many.

After that, get as many layers of protection as you can and ensure you have some kind of advanced malware detection system if you can afford it, whether that’s a pure-play appliance or cloud-based tools. Even then, things will slip through, so data loss protection tools should surround your most valuable information.

And make sure you have a post-attack strategy, including not just technical measures but PR response too. Everyone can be breached.

Whatever you do, don’t just rely on antivirus. If you’re still in that mindset, there may be no saving you.
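One concrete layer for a mailbox that cannot refuse attachments, given here as an added example that is not part of the original article: a gateway-side triage routine that checks each inbound file's claimed extension against the leading bytes of its content, quarantines executables and mismatched or double-extension files, and routes legacy macro-capable Office formats to a sandbox rather than straight to the FOI or HR desktop. The file-type signatures are the standard ones; the verdict names, the `triage` function and the sample attachments are assumptions constructed for this example.

```python
"""Attachment triage for mailboxes that must open what they receive (FOI, HR).

Added example, not code from the article. A gateway-side check that refuses to
trust the file extension: the claimed type is compared with the leading bytes of
the content, and the decision is one of three verdicts (names assumed here):
  deliver    - type and content agree, hand to the normal scanning pipeline
  detonate   - plausible but risky, open in a sandbox / convert before delivery
  quarantine - never reaches the inbox, goes to the security team
"""

# Standard leading-byte signatures for the types such a mailbox legitimately sees.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                        # also .docx/.xlsx/.pptx containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc/.xls, macro-capable
    b"MZ": "exe",                                # Windows executable / DLL
}

# Claimed extension -> content kinds that are consistent with it.
ALLOWED = {
    "pdf": {"pdf"},
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"},
    "txt": {"text"}, "csv": {"text"},
    "doc": {"ole"}, "xls": {"ole"},
}

# Extensions that an FOI request or a CV never needs.
BLOCKED = {"exe", "scr", "js", "vbs", "hta", "jar", "lnk",
           "bat", "cmd", "ps1", "msi", "com", "pif"}


def sniff(data: bytes) -> str:
    """Return the content kind implied by the first bytes, ignoring the filename."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    head = data[:512]
    # Plain text: every byte is printable ASCII or ordinary whitespace.
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "text"
    return "unknown"


def triage(filename: str, data: bytes) -> tuple[str, str]:
    """Decide what happens to one attachment. Returns (verdict, reason)."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return "quarantine", "no file extension"
    ext = parts[-1]
    # Double extensions such as request.pdf.exe: a blocked token anywhere is fatal.
    if any(p in BLOCKED for p in parts[1:]):
        return "quarantine", "blocked or disguised executable extension"
    kind = sniff(data)
    if kind == "exe":
        return "quarantine", "executable content regardless of extension"
    if ext not in ALLOWED:
        return "detonate", f"unrecognised type .{ext}"
    if kind not in ALLOWED[ext]:
        return "quarantine", f"content ({kind}) does not match .{ext}"
    if kind == "ole":
        # Legacy binary Office is the macro-bearing format; open it away from the desktop.
        return "detonate", "legacy macro-capable Office format"
    return "deliver", "type and content agree"


if __name__ == "__main__":
    # Constructed sample attachments (not real captures).
    samples = [
        ("foi-request.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj"),
        ("foi-request.pdf", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),
        ("candidate-cv.docx", b"PK\x03\x04\x14\x00\x06\x00"),
        ("candidate-cv.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00"),
        ("candidate-cv.pdf.exe", b"MZ\x90\x00"),
        ("notes.txt", b"Please see the attached request.\n"),
    ]
    for name, blob in samples:
        verdict, reason = triage(name, blob)
        print(f"{name:<24} {verdict:<11} {reason}")
```

A "deliver" verdict is not a clean bill of health; it only means the attachment is what it claims to be and can proceed to the antivirus and advanced malware detection layers the article describes. The value of the check is that the FOI or HR worker never sees the executable dressed as a PDF, and the macro-capable legacy document is opened somewhere an exploit cannot reach the rest of the network.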


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
