This Information Age article forms part of a 7-part series on Ethics, covering artificial influencers, facial recognition, IoT, security and more. The series will culminate in an online panel on 11 December. Register to take part in the discussion and send your questions to the ACS Ethics Committee.
With the ongoing move towards online platforms and services, which offer not only convenience but also greater efficiency and value, ensuring appropriate and adequate security controls is critical to reducing the likelihood that a cyber-attack succeeds.
From April 1 to June 30, the Office of the Australian Information Commissioner (OAIC) reported that 242 data breaches had been notified under the Notifiable Data Breaches scheme, according to its quarterly report.
Of these, 29% (70) resulted from credentials compromised through phishing, and 14% (34) from brute-force attacks.
In 2018, Verizon also reported phishing as the most common method of social attack.
Phishing is where an attacker tricks a target user into providing their username and password, usually by sending a crafted email that appears to be legitimate and enticing the victim to perform an action that involves them logging in.
The attacker captures the entered credentials and uses them to log in to the victim’s system.
A brute-force attack involves guessing passwords, potentially attempting every possible combination of numbers, letters and symbols until a match is found.
While encryption is now fairly commonplace in cloud platforms, as is a requirement for some level of password complexity (which makes a brute-force attack more difficult), more sophisticated authentication mechanisms that can significantly reduce the risk of unauthorised access are not as widely used.
Common email platforms such as Microsoft Office 365 and Google G-Suite – and even consumer-targeted products such as Outlook.com and Gmail – all support multi-factor authentication (MFA).
This requires that, in addition to a username and password, the user has something physically in their possession (such as a smartphone) in order to log in, yet this feature isn’t commonly turned on.
As a result, email inboxes are breached on a daily basis, with attackers gaining access to masses of information that could potentially be used to commit fraudulent activity.
With no end in sight, the question must then be asked, who is responsible for preventing a breach?
Is it up to the provider to provide adequate safeguards and enforce them as their default configuration?
Or is it up to the user of those services to protect access to their account, or their part of the system, by enabling those safeguards?
Georg Thomas is National Security & Risk Manager, Corrs Chambers Westgarth.
Read our entire 2018 Ethics series:
Part 1: Artificial influencers
Part 2: Facial recognition unmasked
Part 3: When IoT goes wrong
Part 4: Who’s to blame for phishing breaches?
Part 5: Could encryption legislation increase risk of being hacked?
Part 6: Would you install a keylogger at your workplace?
Part 7: Do you abide by a professional code of ethics?