Several recent events have raised concern with some of our clients regarding Cyber Security. In early August the Institute of Directors website was breached, resulting in their website being taken down for several days. In late August the Ministry of Culture and Heritage’s website was also breached, resulting in the Government reviewing whether the supplier of their website was on the government’s Certified Supplier list.
As a result of these breaches, we thought it would be timely to remind Expert clients how we manage cyber security and how well protected our clients are using MoST.
The security of any system can only go so far, and a weakness in security is usually due to the user of the system having a weak or guessable username and password.
If a user has an obvious username and a weak password and has administrative privileges, then chances are this is how a potential hacker will gain access to users’ data. To reduce the chances of this occurring, users should have defined roles set up to minimize the impact of what a user can access should their account be compromised.
MoST is not an open-source platform, so it is significantly less susceptible to being hacked, as any potential security flaws are not published for the general public to research how to exploit them. Furthermore, common exploitation applications will not work, as they do not know how to interact with the product.
MoST utilises an SSL certificate with a three-month expiry date, significantly reducing the chances of the certificate’s key and password being extracted from it over time.
MoST has built-in processes to prevent dangerous content from being submitted from the public-facing website. These are part of the Microsoft .NET framework: strongly typed variables are used, so SQL injection via query strings or form data is not possible. All database query values are also escaped to prevent SQL injection attacks.
Login attempts via the administration system are tracked, and only 5 attempts are allowed over a rolling 10-minute interval. The same limit is applied to password recovery. The password reset process sends a temporary password via email and will never send the original password. Passwords have complexity rules requiring them to have a minimum length and to contain a mix of UPPER and lower case characters, numbers and symbols; however, passwords created prior to the introduction of the password policy will not adhere to these rules until changed.
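The rolling-window limit described above (5 attempts per 10 minutes), as an added illustration written for this article and not MoST's own code; it shows the language-neutral logic in Python and assumes the counter is keyed per account and held in memory.

```python
from collections import deque
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                # failures tolerated before lockout (page policy)
WINDOW = timedelta(minutes=10)  # rolling interval over which failures are counted

class LoginThrottle:
    """Per-account throttle: MAX_ATTEMPTS failures inside WINDOW lock the account
    until the oldest failure ages out of the window."""
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW):
        self.max_attempts, self.window = max_attempts, window
        self._failures = {}  # username -> deque of failure timestamps (in-memory, assumed)

    def _prune(self, q, now):
        cutoff = now - self.window  # discard failures older than the rolling window
        while q and q[0] <= cutoff:
            q.popleft()

    def is_blocked(self, username, now):
        q = self._failures.get(username, deque())
        self._prune(q, now)
        return len(q) >= self.max_attempts

    def record_failure(self, username, now):
        q = self._failures.setdefault(username, deque())
        self._prune(q, now)
        q.append(now)

    def record_success(self, username):
        self._failures.pop(username, None)  # a genuine login clears the history

def simulate(events, throttle=None):
    """events: (seconds_offset, username, credentials_ok) -> 'failed'/'locked'/'success'.
    A locked attempt is refused before the password is checked at all."""
    throttle = throttle or LoginThrottle()
    base = datetime(2016, 9, 1, 9, 0, 0)  # constructed start time
    outcomes = []
    for offset, user, ok in events:
        now = base + timedelta(seconds=offset)
        if throttle.is_blocked(user, now):
            outcomes.append("locked")
        elif ok:
            throttle.record_success(user)
            outcomes.append("success")
        else:
            throttle.record_failure(user, now)
            outcomes.append("failed")
    return outcomes

# Constructed sample: five bad passwords, the right one at 5 s (still locked), the right one at 601 s.
SAMPLE_EVENTS = [(t, "admin", False) for t in range(5)] + [(5, "admin", True), (601, "admin", True)]
```

The same class can back the password-recovery limit mentioned above by keying on the recovery request instead of the login.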
Passwords are stored in an encrypted state in the database. Access to the database is limited to two people in order to provide support.
Error logs are monitored on a regular basis for potential hack attempts, which are constant.
The hosting environment has honeypot addresses defined: when a hacker accesses one, all access to all services is immediately blocked for that hacker for a period of 24 hours. Only specific firewall ports for specific IP addresses are opened to allow inbound data that is essential for providing the service, such as ports 80 and 443.
To date the system has never been compromised, which we put down to our vigilance and periodic third-party security audits.
Note: Expert created and hosts the NZData system, which calculates all manner of benchmarks for NZFMA and RBNZ from the BKBM, NZTW, NZGS, NZSW, etc. and distributes them globally to information vendors, so we never treat security aspects lightly at any time.
We have an established DR system, so in the event of anything happening to our Wellington Data Centre, all servers are replicated at the Auckland site.
How the IOD breach might have happened
The most likely reason the Institute of Directors was exploited is that they use Dot Net Nuke, which is an open-source product. They probably haven’t been patching it when updates are released, or couldn’t if they had modified the Dot Net Nuke base code to suit their purposes.
The problem with open source is that security vulnerabilities are published on the internet. All that is required to find vulnerabilities is to compare the source code for the latest release against the previous release. Then any website that hasn’t been patched to the latest version can easily be compromised, or even more easily when someone publishes how to exploit a site, for example on exploit-db.com, which gives step-by-step instructions on accessing a Dot Net Nuke website as a system administrator.
Depending on the security vulnerability, an attacker can potentially gain access to user data, regardless of how tightly the database is locked down. The hacker can see whatever the compromised user is permitted to access.