Advice from business leaders and industry experts
Cyber Aware | 27 April 2021
On 28 March, Australian television network Channel Nine experienced the ‘largest cyber attack on a media company in Australia’s history’.
The attack took them off the air during Sunday broadcasts and interrupted scheduled programming over several hours.
Investigation found that the incident began Saturday night when computers in Channel Nine’s Sydney network started operating strangely. By Sunday morning, many of them ceased to function altogether.
The network had been targeted by hackers and significantly compromised, leading to broadcast disruptions.
Following current speculation and trends in cybersecurity, the ABC reports that the incident may be a result of recent security breaches on Microsoft Exchange Servers.
The Australian Cyber Security Centre (ACSC) also reports that a large number of Australian organisations were targeted and compromised in cyber attacks due to new vulnerabilities in Microsoft Exchange deployments.
Not only were Channel Nine systems affected, but unrelated intrusion attempts were identified at the famous wine company, Taylors Wines, and even among some systems of federal Parliament.
But where did the vulnerability come from? And how did it lead to this major Channel Nine cyber attack?
First, we need to define what a vulnerability is.
The ACSC defines a vulnerability as ‘a weakness in system security requirements, design, implementation or operation that could be exploited’.
When there’s a vulnerability in a system or application, cybercriminals can exploit system loopholes and security openings to steal or manipulate confidential information.
Or, in the case of Channel Nine, to significantly disrupt services.
Vulnerabilities are common in apps and digital environments, so they are a security concern for all businesses, big or small.
But how do we fix them?
A patch, simply put, is an update provided by a company to remove vulnerabilities in their products and software. Patches can be downloaded and used with little technical knowledge required and are often as simple as clicking ‘yes’ or ‘no’ on an update reminder.
Yet, according to CSO Australia, an alarming 60% of breaches in 2019 involved exploitation of unpatched vulnerabilities.
Without patches, hackers and cybercriminals have free rein to exploit vulnerabilities and cause massive damage to users.
In the case of Channel Nine, the network is reportedly experiencing ongoing issues in the fallout of the attack, almost a month after it was initially reported.
If the speculation that Microsoft Exchange vulnerabilities were exploited during the incident is true, a simple initial patch may have been enough to avoid the attack altogether.
But, still, many Australian organisations are yet to patch these Microsoft Exchange environments, leaving small businesses at risk of security issues.
This is where an update policy comes in.
Update policies, or ‘patch management policies’, govern when and how patching is done in an organisation. A strong patch management policy ensures that patching is systemised, and that relevant members of staff are held accountable to patching standards.
With a strong patch management policy, it’s less likely that crucial application updates get missed or repeatedly snoozed by staff – and less likely that high-risk vulnerabilities will remain open to attackers and cybercriminals.
When creating a patch management policy for your business, consider the following:
According to a survey by Voke Media, 80% of companies that suffer a data breach could have prevented it by patching and updating their systems. And current trends in ransomware still largely exploit the same known, patchable vulnerabilities from as far back as 2017.
While patching is easily neglected, it can also be as simple as the click of a button.
Simply setting a few expectations and standards for patch application in your organisation can be the key difference in surviving an attempted breach.
So don’t let it wait.
For more information on patch management, read the System patching chapter of the ACSC Guidelines for System Management.