The Risks of Cyber Cat Flaps

So here we are in January 2021, and the significant hacks are already being reported, picking up where 2020 left off.

While the cyber industry is still managing the fallout of SolarWinds, Google has announced (with few details of the actual hacker group) they found two sophisticated exploit servers, and the subject of this blog – the Reserve Bank of New Zealand has suffered a breach too.

Information has become the lifeblood of businesses and sharing with business partners (within the scope permitted by law) has become an essential part of doing business.

We all know from Cyber Security education that we need to keep our doors and windows locked – otherwise hackers will break in. But if the doors and windows are locked, how is this vital information shared? It’s via the Cyber Security equivalent of a cat flap; designed to let cats in/out, but nothing else.

The cyber equivalent of a cat flap is a file sharing application. In the case of the Reserve Bank of New Zealand the application was a file transfer appliance (FTA) from Accellion.

There are problems with cat flaps though, they are designed to let cats in and out but aren’t necessarily designed to stop anything. The cat may bring in a rat, and the rat may do untold damage to your carpets and furniture.

This is what happened here, an unknown attacker, used an undisclosed method to send a security attack (rat) into the bank, and the “rat” leaked data.

This is not the first time a file transfer has been used as the attack point (see our blog on Sandworm and the report on WannaCry on the NHS attack in 2017) and will not be the last.

What can you do about it? How to enable safe file transfers

First and foremost, there is no single security magic bullet that will fix your security problem. You need to take an architectural approach: understand what data needs to be shared, what that data looks like and then design a “cyber cat flap” that only allows data that looks exactly like your cat through – but also attempt to detect if the cat has a rat in its mouth.

This may all sound complicated, but fortunately the NCSC has published guidance on how to do this:

Safely import data

This guidance identifies a set of technical controls which can be used to manage the risks associated with importing data over a network. [MORE DETAILS].

Safely export data

This guidance provides an architecture pattern which will help you to share data while maintaining the security of your core networks and systems. [MORE DETAILS].

These two patterns combined with an understanding of what you want to achieve will allow you to design a cat flap that won’t come back to bite you. For those of you that don’t have the experience or expertise, you are in luck. For over 30 years Nexor has been specialising in creating Cyber Cat Flaps that match your information exchange needs.


Author Bio – Colin Robbins

Colin Robbins is Nexor’s Managing Security Consultant. He is a Fellow of the IISP, and a NCSC certified Security and Information Risk Adviser (Lead CCP) and Security Auditor (Senior CCP). He has specific technical experience in Secure Information Exchange & Identity Systems and is credited as the co-inventor of LDAP. He also has a strong interest in security governance, being a qualified ISO 27001 auditor.


Be the first to know about developments in secure information exchange