Cyberattacks


PaulSB

Squire
I'm sure we're all aware of the increasing number of cyberattacks on business. M&S, JLR, Kido nurseries, etc.

A news item made me wonder why these companies are not better prepared or why is it these attacks have such a devastating impact.

I presume any major business will have a very robust backup method for the company's systems and data. If this is correct how is it these attacks bring everything down. Does the attack get into the hardware in some way? Why isn't it, to be simplistic, just a matter of rolling back and importing the most recent backup?

I realise these are hugely complex systems and the above is very much a layperson's comment.
 

markemark

Veteran
I'm sure we're all aware of the increasing number of cyberattacks on business. M&S, JLR, Kido nurseries, etc.

A news item made me wonder why these companies are not better prepared or why is it these attacks have such a devastating impact.

I presume any major business will have a very robust backup method for the company's systems and data. If this is correct how is it these attacks bring everything down. Does the attack get into the hardware in some way? Why isn't it, to be simplistic, just a matter of rolling back and importing the most recent backup?

I realise these are hugely complex systems and the above is very much a layperson's comment.

Because the malware attacks everything. They may well be able to restore a previous version of a service which just gets attacked again. It would be thousands of compromised systems, most of which are back end, which would be compromised. The hackers would create all sorts of entry points to counter any restoration. They’ll be in everything and cleaning it all out would be a horrendous task or constantly battling the hackers who are very likely to be highly skilled.

The next issue isn’t so much the encryption of data but the theft and release of it.
 
A lot will depend upon when the last backup took place, was it 10 minutes ago, a day or last week? And how confident are they that the backup is uncompromised? Is it one server or 100 / 1,000 / 10,000 / 100,000 servers and systems that need to be considered?

They also need to assess how the attacker got in and can they prevent that immediately upon restoring good data (and obviously before opening the firewall to the outside world). Is that something that they can easily do themselves or do they need to wait on a patch or update from a software provider? Is it their processes that are at fault?

What has happened with the business between the backup happening and the time that they have had to roll back from? Does that need to be manually re-entered? If so how? Is the data available, possibly in paper form, call logs, postage receipts, etc.?

During all of that they may be engaging with law enforcement.

All that takes time and resources.
 
Usually systems are brought down because someone is a flipping idiot and opens the front door to a hacker and lets them in:

E.g. clicking accept on an MFA request, sometimes by accident or in an effort to stop an MFA spam.

Opening a PDF “with your signature on” but really they didn’t sign anything and it’s a malicious file.

Opening a link on a jokey email or a positive action email (such as see who liked you) which is malicious.

Phishing emails asking for details in return for a fake offer - loads of people fall for that!

There was a logistics company that failed recently because an employee used their sign in details on a spoof website and the credentials were used to access the system. It killed the business off all because 1 of circa 100 employees made a simple error of judgement.

The second issue is that although there are backups, each backup needs to be forensically analysed before it can be restored into a clean new build system as otherwise you are opening the door to a second attack.

The third issue is that you need to identify the source and date of the hack to be able to work on a fix. Some malicious activity can take place months and years before attacking a system.
 
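As an added illustration (not from any poster in this thread) of the points above about backup age, whether a backup is uncompromised, and needing the date the attackers first got in: a small Python routine that picks a restore point only from snapshots that predate the earliest known attacker activity and still match a manifest of hashes recorded when they were taken. The snapshot catalogue, file contents and dates are constructed sample data, not from any real incident.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Snapshot:
    taken: datetime
    manifest: dict   # path -> sha256 recorded at backup time, kept on write-once media
    contents: dict   # path -> bytes as read back from the backup media today

    def verifies(self) -> bool:
        """True only if every file still matches the hash recorded when it was taken."""
        return all(sha256(self.contents.get(p, b"")) == h for p, h in self.manifest.items())

def choose_restore_point(snapshots, earliest_compromise, now):
    """Newest snapshot that predates the earliest known attacker activity AND
    still verifies against its manifest. Returns (snapshot, data_loss_window)."""
    candidates = [s for s in snapshots if s.taken < earliest_compromise and s.verifies()]
    if not candidates:
        return None, None
    best = max(candidates, key=lambda s: s.taken)
    return best, now - best.taken

# --- constructed sample catalogue (hypothetical) ---
NOW = datetime(2025, 10, 1)
GOOD = {"/etc/app.conf": b"listen=443\n", "/data/orders.db": b"order-table-v1"}
EVIL = dict(GOOD, **{"/opt/.persist.sh": b"# attacker persistence captured in the backup"})

def snap(days_ago, files, tampered=False):
    manifest = {p: sha256(b) for p, b in files.items()}
    contents = dict(files)
    if tampered:  # media altered after the manifest was written -> hash mismatch
        contents["/data/orders.db"] = b"order-table-v1-corrupted"
    return Snapshot(NOW - timedelta(days=days_ago), manifest, contents)

SNAPSHOTS = [
    snap(1, EVIL),                  # fresh and self-consistent, but taken after the intrusion
    snap(21, GOOD, tampered=True),  # predates the intrusion but no longer matches its manifest
    snap(60, GOOD),                 # old, clean and verifiable: the only safe candidate
]

def demo():
    # Investigation established the first attacker activity 10 days before NOW.
    best, loss = choose_restore_point(SNAPSHOTS, NOW - timedelta(days=10), NOW)
    return (best.taken if best else None, loss.days if loss else None)

if __name__ == "__main__":
    print(demo())  # → (datetime(2025, 8, 2, 0, 0), 60)
```

The yesterday snapshot verifies perfectly yet carries the attacker's persistence, which is why "just roll back the latest backup" reinstalls the problem; the usable restore point is two months old and everything since has to be re-entered.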

oxoman

Senior Member
Working in industry I've seen the birth of data tracking systems go from individual paper systems and computer systems to everything seemingly intertwined and working seamlessly. So we advertise something (say a car) with various options available. The customer chooses a spec; that splits off to multiple suppliers to supply said item at a required time in a required place. The invoicing, materials, build plans, delivery schedules and also the equipment actually building said items are seemingly all connected. If one fails they all fail. I've seen car manufacturers crawl to a stop and coffee plants shut down due to software upgrade failures or to servers overheating, somebody pulling a fibre connection, or malicious programming in robot operating systems. All of these happened between roughly 1999 and 2016. I've seen utilities sabotaged physically. It's so easy to turn things off and go back to the dark ages, it's frightening. One thing all these companies had was robust strategies to cover all possibilities; sadly it never covers what hits them. Take JLR: they send an order for JIT parts to be delivered to trackside via an Internet link. That order could quite easily be to supply individual parts or sets at trackside within 90 mins or less. That set has to potentially be built from scratch, trimmed, assembled and delivered trackside in the correct order because each car built is to a set spec or a customer spec. Really easy to sabotage. That's why I don't work in the car or food industry anymore; sometimes I believe in keeping things simple.
 

Drago

Legendary Member
Apparently JLR didn't have insurance for a cyber attack. They'd been negotiating with an underwriter but hadn't actually got round to signing up.

Oops!
 

BigSid

Guru
The third issue is that you need to identify the source and date of the hack to be able to work on a fix. Some malicious activity can take place months and years before attacking a system.
A company I worked for used Groupwise as its email client. They then decided to change to Outlook. I installed Outlook on one computer and it immediately started infecting all the other PCs on the system that had had Outlook installed. An Outlook virus had been downloaded at some stage but hadn't been able to replicate as Outlook wasn't available to do it. It could have been sat there for months. Nightmare to clean it up.
 