The Hackney Council cyberattack was first reported on Tuesday 13 October 2020. A full seven weeks later, as of 2 December, twenty-one of the services usually provided on the Council’s website, covering births, death, marriage, education, transport and social services, are still not available. The council site confirms that it has been affected by a cyberattack but provides no further information, other than that the council is working with the UK’s National Cyber Security Centre (NCSC) and the Ministry of Housing to investigate and understand the impact of the incident.
The general consensus is that the Council was hit by a ransomware attack — a serious one, judging by the length of time the website has been out of action. The question that concerns most Hackney residents, however, is not what type of attack it was or how it was executed, but rather what information has been accessed and compromised and whether it includes private and sensitive data.
Council systems hold the most sensitive personal data about their residents, including medical records, social information, payments, earnings and more. The true consequences and cost of the cyberattack are still unknown, since they depend on the impact of compromised data on Hackney Council residents and that of its service providers.
Early reports suggest that the attack involved a zero day exploit that penetrated an endpoint via a user’s browser when they browsed to an infected website, clicked a URL in a phishing email, or downloaded an infected file from an email or website. Or perhaps a hacker used compromised credentials to access council systems to deliver ransomware. Of course, until the council completes its investigations, we won’t know for sure.
This attack is a timely reminder to all organisations, especially local authorities, NHS providers, education authorities, and other local government bodies, to complete an urgent review of their security risk posture and determine how well they will fare if an attack like the one on Hackney Council targeted them. What if tomorrow’s headline was not about Hackney Council but about your organisation? Pointing to limited budgets and stretched resources will not help as residents find themselves shut out of services or, worse, find their personal data has been compromised. Local authorities are responsible for the well-being of those in their care. Today, in addition to delivering traditional educational, civil, social and healthcare services, that means ensuring that modern data security architectures and controls are in place to protect residents’ sensitive and confidential data.
In the wake of the Hackney Council attack, every local council should have Audit, Risk and IT Security teams assessing their own systems’ vulnerability to cyberattacks and should be asking themselves if they have the right security protection and controls in place to avoid becoming the next victim. Additionally, business leaders should recognize the problem of general under-investment in IT security and challenge IT and security teams to identify and implement more effective solutions to the sophisticated advanced cyberattacks that do untold damage to organisations today.
The security industry knows that ‘browser-based exploits’, such as zero day web malware, email phishing attacks that can deliver ransomware or steal credentials, and infected file downloads are both the biggest and most common security threats they face. Unfortunately, ransomware and other hacks are available for purchase on the open market for minimal cost, enabling even the most basic hacker to launch successful attacks. Without recognising the known exposures and vulnerabilities of traditional browsers to the web and acknowledging that traditional web and email security solutions offer limited protection, local councils and other authorities are leaving their virtual front doors open, despite their legal obligation to protect their residents’ sensitive and private data.
Zero day exploits and ransomware are like ticking timebombs: The question is, “Which local authority, educational institution, NHS provider, or local government is next?” One could argue that if these organisations truly understood the ease with which a cyber security attack could circumvent their existing security controls and how debilitating it could be (just ask Hackney Council), and they still do not implement programs and tools to address their vulnerabilities, then they are being negligent, perhaps even legally negligent. They know — or they should know — the likelihood of an attack being successful, yet they are not addressing the issues. This is not good, to say the least.
Too many organisations, enterprises, and especially local authorities, NHS, education and local governments, depend on web browsing security solutions that use a legacy architecture designed over 15 years ago. Most of today’s threat defenses, such as malware anti-virus and email phishing protection solutions, based on these legacy web browsing architectures, are no match for modern hacking techniques, giving hackers an easy path to deliver ransomware, exfiltrate data, and take down systems. Despite this reality, organizations keep pouring money into these ineffective web and email security solutions and the results are the same – they fail. Evidence will show Hackney and other councils are spending a significant amount on security defense, yet are still being compromised.
Continuing to tweak legacy web browsing security architectures is a losing proposition: It allows insecure access or, when tightened to keep “bad stuff” out, over-blocks access. But given the importance of web and cloud access to worker and overall business productivity, it is a problem that cannot be ignored. Indeed, web and cloud application access is more essential than ever. Over the past decade, the web browser has become the gateway to employee productivity, so it is inconceivable that any organisation – from industry to local government services to healthcare to education – would seek to restrict, block, or prevent their users’ access to the internet locations they need to get their work done.
IT and security teams that depend on outdated web security architectures are left little choice: They can open up access to allow users to be productive, while knowing that it makes becoming the victim of an attack nearly inevitable. Or they can shut down access to prevent attacks — but also prevent work from getting done. This is the very definition of a lose-lose proposition.
Leading industry analyst firm Forrester, and more recently Gartner, have been promoting a new web browsing architecture based on a Zero Trust concept, advising that organisations should “never trust, always verify.”
My company, Ericom Software, has developed a solution that brings this Zero Trust concept to the web and email. Remote Browser Isolation (RBI) is a Zero Trust cloud-based secure browsing solution, leveraging a modern web browsing architecture that seamlessly moves browsing activity from the local endpoint to a cloud-based virtual browser located in an isolated container. Only safe rendering data and images get streamed to the endpoint browser, where users interact with websites and web apps exactly as they are accustomed to. Each browsing session runs in its own virtual container, and all content from the web, including potential exploits, remains there and is deleted at the end of the session. Ericom’s RBI solution can be integrated with an organisation’s current Next Generation Firewall (NGFW) or Secure Web Gateway (SWG) proxies to improve their security risk posture, adding a zero trust web browsing architecture that will reduce or eliminate browser-based exploits.
If the Hackney Council attack was indeed caused by a browser-based exploit such as web-delivered ransomware, a zero day triggered by a phishing URL, or an infected document download, remote browser isolation would have completely prevented it from occurring. Indeed, there would be no indication that an attack had even been thwarted, since the exploit would have been destroyed along with all of the content in the cloud-based container, with no one the wiser. The inconvenience of services being down, and the as-yet-unknown damage resulting from theft and potential exposure of personal data, could have all been avoided.
This sums up the business case for Zero Trust Web Browsing. You can close your eyes, cross your fingers, turn out the lights, and hope your organisation will not replace the Hackney Council as a cybersecurity headline for weeks and weeks. Or you can open your eyes and see that it is time to address legacy web browsing architectures prone to cyberattack. Adopting a Zero Trust web browsing concept using a Remote Browser Isolation (RBI) architecture enables the safe web browsing that all organisations need and, when implemented correctly, can eliminate – yes, eliminate – these increasingly common browser-based exploits.