DAVE WATERSON, CTO & Founder, SentryBay
We could be forgiven for thinking we’re back in the early eighties, in the latter stages of the Cold War, when everything about Russia represented a threat.
In recent weeks, the White House has warned of the potential that Russia could conduct malicious cyber activity against the US and urged organisations to strengthen their cyber defences.
The UK’s NationalCyber Security Centre (NCSC) meanwhile says companies here should follow its guidance on the steps to take to bolster online defences following Russia’s attack on Ukraine.
Despite happening in January, it seems a long time ago that Russia’s FSB intelligence service publicly announced that it had dismantled the ransomware crime group Revil at the request of the US, showing an apparent example of cooperation between the two countries. So much has happened since then, that it’s difficult not to recall this event with scepticism. Where are those hackers, one of whom was said to be responsible for the cyberattack against Colonial Pipeline, now?
What stands out most clearly is that war, particularly with Russia, is no longer fought just on the ground. The concerns being displayed at national and international levels about the cyber-threat indicate just how devastating the impact of malware can be. President Biden’s statement specifically pointed out that key targets will likely be critical infrastructure such as pipelines, water systems and the electrical grid.
All forms of malware represent a threat to organisations both public and private, but in the current context one in particular stands out – keylogging. It’s worth remembering that in the 1970’s what was probably the very first keylogger was built by the Soviet Union and installed on IBM typewriters used in theUS Embassy. The lessons learned then are still very much applicable to the situation we find ourselves in now.
There are a variety of keylogger types, but one of the most dangerous is a kernel-based keylogger which sits at the heart of a computer system and records every keystroke as it is entered on the keyboard. This is not malware for the fainthearted, it is difficult to create, and even more difficult to find and eradicate.
Examples of where cyber-criminals have used keylogging include the attack on British Airways in 2018 when customer card payments were compromised and personal and financial details were stolen. 380,000 passengers were affected, and the airline received a fine of £183 million. Possibly more alarming was the discovery of a keylogging code in software drivers pre-installed on new HP laptops to help the keyboard work.
Because it is one of the original forms of malware, it is easy to dismiss keylogging, but organisations do so at their own peril, particularly if they operate a BYOD model. Unsecured endpoints need to be protected against keylogging as a priority.
With a keylogger installed, it makes no difference how secure the data of an organisation is, a breach can happen from the moment a user logs in. Therefore a layered approach using multiple security controls to complement and reinforce each other, ensures that although a specific attack may bypass one security measure, it will be thwarted by another. The most precious asset – data, and the specific applications which handle sensitive data – should be placed at the centre, with security layers wrapping it protectively. Detection is not the goal.
The list of applications being used by organisations today is extensive: online office tools; SaaS application access; enterprise applications such as accounting, personnel andCRM; SAP or Oracle applications and remote access solutions such as Citrix, VMware and RDP. Even if they include a keylogger block, as in the case of VMware Horizon, will it work on all platforms?
The key to defending against keylogging, whether it comes from a state-sanctioned attack or not, lies in securing the data that is entered into these applications. With this in place, even a kernel-level keylogger will find itself unable to breach the defensive wall to steal information and put an organisation at risk.
