Security; the rising need for complex multi-layered solutions and why a “trusted 3rd party” should never be fully trusted.

Security issues, Distributed Denial of Service (DDoS) attacks, system exploits, data breaches along with good old fashioned hacker attacks are a daily occurrence and there probably isn’t a company globally, with a web presence, that hasn’t been the victim of one of these, even if they didn’t realise.  I know from talking with friends and colleagues that their businesses have had attacks, whether they are sole traders, SMEs or multi-national corporates.

The recent hacks on Co-Op and Marks & Spencer in the UK have brought this more into the public view, with shelves in the Co-Op stores literally being empty because of the breach.

My background in IT has always had a heavy security bias, right from my first role writing decryption systems for satellite communications.  I have also worked in financial services, banking, mobile communications and the movie industry, all of which have huge security requirements.  Bizarrely, I think the movie industry may be on a par with banking and financial services for security requirements.

The ‘Security first’ way of thinking came with me to Hurricane: security was a key part of the architecture design and was written into our systems from the ground up.  Hurricane’s Technical Director Tom Lee, who heads up engineering, also shares this passion for security, so I can be confident that this ethos is fully played out.

We are platformed on Amazon Web Services (AWS) which came with a suite of security tools that gave us a base level of security within our architecture.  Over the ensuing eight years, we have modified and enhanced our security approach, and our service currently comprises, amongst other tools:

  • AWS Web Application Firewalls
  • AWS GuardDuty for Intrusion Detection
  • AWS Shield for DDoS protection
  • AWS Inspector for Vulnerability Scanning
  • AWS Cloud Security Posture Management
  • AWS CloudTrail which gives us a live log of everything happening on the platform.

While this may feel like a great set of tools, this is only part of the solution we utilise.

Traditionally, web systems and applications enforce passwords.  Back in the early days of the internet, passwords were only loosely secured and users chose their own, no matter how silly (“password” or “12345”, for example).  These were typically hacked or cracked by a person or by simple scripts.

This led to the frankly silly rule of “minimum of 8 characters, including a number, a lower case and a capital letter, and a special character”.  The complexity of a password has pretty much zero bearing on how hard it is to crack by a machine or automated script; the ONLY thing that really matters for protecting a password from being cracked by an automated system is its length.

As an example, the password “hurricane.marlin#orange!4876159” is about 1.14E35 (that’s 1.14 with 35 zeroes after it) times harder to crack than “dyY53Gvu!tr”.  It is also a hell of a lot easier to remember!

The issue now is that passwords are typically phished, using lookalike web pages to get you to input your details, or leaked as part of a wider hack.

So now we have MFA – Multi Factor Authentication.  There are several ways of doing this, most of which involve you receiving a code, which you then input to prove it’s you.

  1. Code via email
  2. Code via SMS
  3. Code via an authenticator App on your mobile device

While all of these provide a much greater level of security, Hurricane uses an even more secure approach to accessing both our internal applications including our Compliance Management System (CMS), and our AWS systems.

We use hardware dongles.

These are Department of Defence approved two-factor (2FA) and passwordless authentication devices, using FIDO protocols such as U2F and FIDO2. They are built with a focus on hardware-based security, incorporating cryptographic processors and secure key storage to protect against unauthorized access.

The ones we use are from Yubico, and each user is assigned a unique device, tied into their account.

Additionally, before our users even get to log in to AWS or our CMS and use the dongle, they must access the service from either a whitelisted fixed IP or via our own private VPN.

This approach to security, not only provides peace of mind to our clients, but also means we are ready when we do come under attack.

Whilst the battle against malicious actions is continuous, we have had two attempts on our services that have warranted actual human intervention.  One was a DDoS attempt on our corporate www site, where you are reading this article; this was almost immediately shut down by automated systems, with a follow-up by the tech team.

The other was more recently where an unauthorised access attempt was made onto our AWS account.

This was carried out using keys obtained from an exploit on an external trusted third party.  However, our own systems alerted key personnel as soon as the attempt happened, and as part of our break-glass lockdown protocol we reset key user access, swept the servers and performed our own scans to confirm we were secure.  This was completed within 30 minutes of the alert being raised.
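The two controls described above, the source-IP allow-list in front of AWS and the alerting that caught the use of keys obtained via a third party, as an added example that is not Hurricane’s code: it runs a handful of CloudTrail-shaped records through two rules (source IP outside the allowed networks, console login without MFA) and returns the findings. The allowed networks, the VPN range and the sample events are constructed; the CloudTrail field names are the real ones.

```python
# Added example (not Hurricane's code): flag CloudTrail events that break the
# source-IP allow-list or record a console login without MFA. Allow-list, VPN
# range and sample events are constructed; the CloudTrail field names are real.
import ipaddress
# Constructed: one fixed office IP and a hypothetical VPN egress range.
ALLOWED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.10/32", "198.51.100.0/24")]

def ip_allowed(addr: str) -> bool:
    """True if addr is in an allowed network; non-IP sources (AWS service
    principals such as 'lambda.amazonaws.com') are not subject to the list."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in ALLOWED_NETWORKS)

def check_event(ev: dict) -> list[str]:
    """Return the rule names this single event violates (empty == clean)."""
    ident = ev.get("userIdentity", {})
    who = ident.get("userName") or ident.get("type", "unknown")
    src = ev.get("sourceIPAddress", "")
    findings = []
    if not ip_allowed(src):
        findings.append(f"source_ip_not_allowed:{who}:{src}")
    if (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append(f"console_login_without_mfa:{who}")
    return findings

def scan(events: list[dict]) -> list[str]:
    """Run every event through the rules; in production this would page on-call."""
    return [f for ev in events for f in check_event(ev)]

# Constructed CloudTrail records, trimmed to the fields the rules read.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.42",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    # Same user's key replayed from outside the allow-list: the shape of a leaked key.
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "AssumeRole", "sourceIPAddress": "lambda.amazonaws.com",
     "userIdentity": {"type": "AWSService"}},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the out-of-range key use and the MFA-less console login; the service-principal event is left alone because CloudTrail records a hostname rather than an IP for it.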

Needless to say, the trusted third party is no longer a trusted third party, and they are looking at their own internal security to find out how the breach happened.

Security should not be an afterthought once systems have been designed and development is under way.  Security has to be designed in from the start and must be key to everything you do.  The quickest way to lose clients is to have insecure systems and compromise their data.

At Hurricane security is at the forefront of everything we do, enabling us to be confident in our services, and ensuring that our clients are confident when they trust us to process their information.

/ian
