Security incidents, Distributed Denial of Service (DDoS) attacks, system exploits, data breaches and good old-fashioned hacker attacks are a daily occurrence, and there probably isn't a company with a web presence anywhere in the world that hasn't been the target of one of them, even if it didn't realise. I know from talking with friends and colleagues that their businesses have been attacked, whether they are sole traders, SMEs or multinational corporates.
The recent hacks on Co-Op and Marks & Spencer in the UK have brought this more into the public view, with shelves in the Co-Op stores literally being empty because of the breach.
My background in IT has always had a heavy security bias, right from my first role writing decryption systems for satellite communications. I have also worked in financial services, banking, mobile communications and the movie industry, all of which have demanding security requirements. Bizarrely, I think the movie industry may be on a par with banking and financial services in that respect.
The 'security first' way of thinking came with me to Hurricane: security was a key part of the architecture design and was built into our systems from the ground up. Hurricane's Technical Director, Tom Lee, who heads up engineering, shares this passion for security, so I can be confident that the ethos is fully carried through.
We are hosted on Amazon Web Services (AWS), which comes with a suite of security tools that gave us a baseline level of security within our architecture. Over the ensuing eight years we have modified and enhanced our security approach, and our service currently comprises, amongst other tools:
- AWS WAF (web application firewall)
- Amazon GuardDuty for intrusion and threat detection
- AWS Shield for DDoS protection
- Amazon Inspector for vulnerability scanning
- AWS cloud security posture management (CSPM)
- AWS CloudTrail, which records every API call made against the account and gives us a live audit log of activity on the platform.
While this may look like a great set of tools, it is only part of the solution we use.
Traditionally, web systems and applications enforce passwords. In the early days of the internet, passwords were only loosely secured and users chose their own, no matter how weak ("password" or "12345", for example), and these were typically guessed or cracked by a person or by a simple script.
This led to the frankly silly rule of "minimum of 8 characters, including a number, a lower-case letter, a capital letter and a special character". Forced complexity of this kind has very little bearing on how hard a password is for a machine or automated script to crack: the size of the search space grows exponentially with length and only linearly with the character set, so length is by far the most important factor, provided the password is not a single dictionary word or a predictable pattern that a wordlist attack would try first.
As an example, a brute-force search for the password "hurricane.marlin#orange!4876159" has to cover a space roughly 1.14E35 times (that is 1.14 × 10^35, a 1 followed by 35 zeroes) larger than the one for "dyY53Gvu!tr". It is also a hell of a lot easier to remember!
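To make the length-versus-complexity point concrete, here is an added example (written for this edit, not code from the original post or from Hurricane). It computes the brute-force search space for the two passwords above, which reproduces the roughly 10^35 ratio, and then models an attacker who has guessed the passphrase's shape (three dictionary words, two separators, seven digits) using an assumed 20,000-word list. The dictionary size and the pattern are assumptions, not figures from the article; they are there to show where the strength of such a passphrase really comes from.

```go
package main

import (
	"fmt"
	"math"
	"unicode"
)

// charsetSize returns the size of the alphabet an exhaustive attacker must
// enumerate for pw, based on which character classes it actually uses.
func charsetSize(pw string) int {
	var lower, upper, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	n := 0
	if lower {
		n += 26
	}
	if upper {
		n += 26
	}
	if digit {
		n += 10
	}
	if symbol {
		n += 33 // printable ASCII punctuation
	}
	return n
}

// bruteForceBits is log2 of the search space for an attacker who knows only the
// length and the character classes. Length is the exponent; classes only
// change the base, which is why the 31-character passphrase wins so heavily.
func bruteForceBits(pw string) float64 {
	return float64(len([]rune(pw))) * math.Log2(float64(charsetSize(pw)))
}

// patternBits models an attacker who has guessed the passphrase's shape: nWords
// words from a dictionary of dictSize entries, nSep single-symbol separators
// (33 choices each) and nDigits random decimal digits. This is an assumed model.
func patternBits(nWords, dictSize, nSep, nDigits int) float64 {
	return float64(nWords)*math.Log2(float64(dictSize)) +
		float64(nSep)*math.Log2(33) +
		float64(nDigits)*math.Log2(10)
}

// timesHarder turns a difference in bits into a "how many times larger" factor.
func timesHarder(bitsA, bitsB float64) float64 {
	return math.Pow(2, bitsA-bitsB)
}

func main() {
	long := "hurricane.marlin#orange!4876159" // the article's passphrase
	short := "dyY53Gvu!tr"                    // the article's "complex" password

	lb, sb := bruteForceBits(long), bruteForceBits(short)
	fmt.Printf("brute force: %.1f bits vs %.1f bits, %.2g times larger\n", lb, sb, timesHarder(lb, sb))

	// Assumption: the attacker knows the shape "3 words, 2 separators, 7 digits"
	// and uses a 20,000-word list. The article does not fix these numbers.
	pb := patternBits(3, 20000, 2, 7)
	fmt.Printf("known pattern: %.1f bits vs %.1f bits, %.2g times larger\n", pb, sb, timesHarder(pb, sb))
}
```

Under pure brute force the passphrase is about 189 bits against 72 bits for the short password, a factor of roughly 1.8 × 10^35. Under the assumed known-pattern model it drops to about 76 bits, only some 15 times stronger than the short one, and most of that margin comes from the seven random digits rather than from the words. The lesson is the one the paragraph makes, with a caveat: length wins, but only when the extra length is unpredictable.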
The problem now is that passwords are typically phished, using lookalike web pages that trick you into entering your details, or leaked as part of a wider breach.
So now we have MFA (multi-factor authentication). There are several ways of doing this, most of which involve you receiving a code that you then enter to prove it is you:
- Code via email
- Code via SMS
- Code via an authenticator App on your mobile device
All of these provide a greater level of security, although a code sent by email or SMS can still be phished in the same way as a password, so Hurricane uses an even stronger approach to accessing both our internal applications, including our Compliance Management System (CMS), and our AWS systems.
We use hardware dongles.
These are Department of Defence approved two-factor (2FA) and passwordless authentication devices that implement the FIDO standards, U2F and FIDO2/WebAuthn. They are built with a focus on hardware-based security, with cryptographic processors and secure key storage to protect against unauthorised access. Crucially, the credential is scoped to the website that registered it and the browser includes the site's origin in what the key signs, so a lookalike page cannot obtain a usable login even from a user who has been fooled.
The ones we use are from Yubico; each user is issued a unique device, tied to their account.
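As an added example of why a FIDO2 key resists phishing (illustrative code written for this edit, not Hurricane's or Yubico's; the hostnames hurricane.example and hurricane-login.example are made up), here is a simplified WebAuthn assertion exchange in Go with a real P-256 signature. The authenticator only holds a credential for the site that registered it, the browser rather than the page fills in the origin, and the server checks the origin, the RP ID hash, a single-use challenge and the signature. It simplifies the real protocol: the signature counter is fixed, and attestation, user verification and the CBOR encodings are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
)
// clientData is what the browser builds and the key signs over; the browser, not the page, sets Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party (RP) receives back from the browser;
// Key stands in for the hardware dongle, one P-256 credential per RP ID.
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }
type Key struct{ creds map[string]*ecdsa.PrivateKey }

// RP is the server: its ID and origin, the registered public key and the challenges it issued, each valid once.
type RP struct {
	ID, Origin string
	Pub        *ecdsa.PublicKey
	issued     map[string]bool
}

// Sign models navigator.credentials.get(): the browser derives the RP ID from
// the page origin, so a lookalike host finds no credential and gets nothing.
func (k *Key) Sign(origin string, challenge []byte) (Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return Assertion{}, err
	}
	priv, ok := k.creds[u.Hostname()]
	if !ok {
		return Assertion{}, fmt.Errorf("no credential scoped to %q", u.Hostname())
	}
	rpIDHash := sha256.Sum256([]byte(u.Hostname()))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter fixed at 1 here
	cd, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return Assertion{authData, cd, sig}, err
}

// signedDigest hashes authenticatorData || SHA-256(clientDataJSON), exactly
// the message WebAuthn signs, so neither part can be altered afterwards.
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// NewChallenge issues 32 random bytes that Verify will accept exactly once.
func (rp *RP) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.issued[base64.RawURLEncoding.EncodeToString(c)] = true
	return c
}

// Verify runs the checks that make FIDO2 phishing- and replay-resistant.
func (rp *RP) Verify(as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return fmt.Errorf("malformed client data")
	}
	if cd.Origin != rp.Origin { // origin binding: set by the browser, not the page
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.Origin)
	}
	if !rp.issued[cd.Challenge] {
		return fmt.Errorf("challenge unknown or already used (replay)")
	}
	delete(rp.issued, cd.Challenge)
	if want := sha256.Sum256([]byte(rp.ID)); len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch: credential belongs to another site")
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("bad signature: assertion tampered with or wrong key")
	}
	return nil
}

// Demo enrols a key for an assumed hostname, then plays out a genuine login, a
// phishing page on a lookalike host and a replay; nil means the RP accepted.
func Demo() (genuine, lookalike, replay error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key := &Key{creds: map[string]*ecdsa.PrivateKey{"hurricane.example": priv}}
	rp := &RP{ID: "hurricane.example", Origin: "https://hurricane.example", Pub: &priv.PublicKey, issued: map[string]bool{}}
	as, _ := key.Sign(rp.Origin, rp.NewChallenge())
	genuine = rp.Verify(as)
	_, lookalike = key.Sign("https://hurricane-login.example", rp.NewChallenge())
	replay = rp.Verify(as) // the attacker captured the genuine assertion and resends it
	return
}
func main() { fmt.Println(Demo()) }
```

Running it prints `<nil>` for the genuine login and errors for the other two. Note that the phishing case fails before anything reaches the server: the lookalike host has no credential scoped to it, which is the property a one-time code sent by SMS or email cannot offer, because a user will happily type that code into the wrong page.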
Additionally, before our users can even reach the login for AWS or our CMS and use the dongle, they must connect from either an allow-listed (whitelisted) fixed IP address or via our own private VPN.
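On the AWS side, an IP gate of this kind is typically enforced with an explicit Deny that fires whenever a request does not come from the office address or the VPN's egress address. The policy below is an added example, not Hurricane's own configuration; the addresses are from the RFC 5737 documentation ranges and stand in for a fixed office IP and a VPN egress range.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyHumanAccessFromOutsideOfficeOrVpn",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "203.0.113.10/32",
            "198.51.100.0/24"
          ]
        },
        "Bool": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```

An explicit Deny beats any Allow, so a leaked access key used from anywhere else fails regardless of the permissions attached to it. Two caveats a practitioner will want: the `aws:ViaAWSService` condition keeps the Deny from breaking calls that AWS services make on your behalf, which arrive from AWS addresses rather than yours; and requests that come in through a VPC endpoint carry no public source IP, so they need `aws:VpcSourceIp` instead. Attach this to the human principals (or as a service control policy), not to the roles your workloads run under.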
This approach to security not only provides peace of mind to our clients but also means we are ready when we do come under attack.
Whilst the battle against malicious activity is continuous, we have had two attempts on our services that warranted actual human intervention. One was a DDoS attempt on our corporate www site, where you are reading this article; it was shut down almost immediately by automated systems, with a follow-up by the tech team.
The other, more recently, was an unauthorised access attempt on our AWS account.
This was carried out using keys obtained through a compromise at an external trusted third party. Our own systems alerted key personnel as soon as the attempt happened, and as part of our break-glass lockdown protocol we reset key user access, swept the servers and ran our own scans to confirm we were secure. This was completed within 30 minutes of the alert being raised.
Needless to say, that trusted third party is no longer a trusted third party, and they are reviewing their own internal security to find out how the breach happened.
Security should not be an afterthought, bolted on once systems have been designed and development is under way. It has to be designed in from the start and must be key to everything you do. The quickest way to lose clients is to run insecure systems and compromise their data.
At Hurricane, security is at the forefront of everything we do, enabling us to be confident in our services and ensuring that our clients are confident when they trust us to process their information.
/ian