UK Government and ICO Cryptojacked

When it Comes to Information Security, Pobody’s Nerfect

When we think about security and vulnerability, it’s tempting to sometimes believe there is a ‘fix’ to security issues; that with enough energy and funding it is possible to banish even the possibility of an information security ‘incident’. Though there is certainly something to be said for proper funding, and indeed an energetic determination, we need only look around us to see how imperfect any effort will inevitably be.

A perfect example of this occurred early last year, when it was discovered that thousands of websites had been hijacked by a nasty bit of crypto-mining code, in what is known as a "cryptojacking" attack. Amongst them were several UK government websites, including that of the Information Commissioner’s Office (ICO).

Hidden Cryptojacking Script

For the uninitiated, ‘cryptojacking’ in this case involved the insertion of a script into websites via a third-party plugin designed to help blind or partially sighted users. Once activated, the script hijacks the visitor’s CPU power to ‘mine’ (perform the intensive computations that generate) anonymous cryptocurrency.

This opportunistic piece of malware is thought to have affected over 5,000 websites; the Student Loans Company, NHS services, councils and more all had websites infected and used to execute perhaps the biggest attack of this kind ever seen.

Of all the potential targets of this fiendish plan, the ICO website is not the obvious choice, nor is the ICO the kind of organisation you would imagine to be susceptible to any sort of digital shenanigans. And though this particular exploit has been patched, the UK’s data protection watchdog, just like every company, organisation or website, has weaknesses that can be discovered and exploited.

Secure Culture

Though not exactly the ‘fault’ of the ICO, this incident of malicious cryptojacking is an opportunity to consider the role that humility plays when it comes to information security and how we choose to defend ourselves from the persistent threat of digital criminality and exploitation.

Having engaged with information security does not put an organisation beyond the possibility of a security incident; it is, though, one of the best steps that can be taken to help mitigate the risk that faces us all.

An integrated view of cybersecurity is one that doesn’t merely treat this threat as an issue of compliance, or even as an occasional training session, but as an ongoing effort to continuously empower employees to propagate an information-secure culture themselves.

No Longer Profitable

It’s clear that in 2019, a lax attitude towards information and data security is neither reasonable nor sustainable. A company that neglects this integral element of its security strategy will likely find itself in hot water, not only from a GDPR perspective, but also with regard to its internal confidential information.

“Your organisation relies upon its intellectual property, reputation and finances to remain competitive”

Simon Fraser, Managing Director, Hut Six

With an estimated 77% of all UK employees not having received any form of information security training from their employer, a shocking proportion of UK organisations are taking a big risk in failing to minimise careless or negligent behaviour.

Given the prevalence and effectiveness of phishing attacks, as well as their increased potential impact, the ability to recognise and avoid phishing emails, at the very least, should be considered a basic requirement by all UK organisations. With around 32% of all breaches still involving phishing, this kind of information security awareness training must be considered foundational for an organisation wishing to instil a secure-culture mindset.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
