The UK is seeing an acceleration in major cyber security incidents, according to the country’s cyber security protection agency.
In the eight months since inception, the UK’s National Cyber Security Centre (NCSC) has recorded 480 major cyber incidents requiring its attention.
However, there has been big rise in these types of incidents in the past few months, in part due to an improved ability to spot them and a greater willingness to report them, according to John Noble, director of incident management at the NCSC.
“This increase in major attacks is mainly being driven by the fact that cyber attack tools are becoming more readily available, in combination with a growing willingness to use them,” he told The Cyber Security Summit in London.
Although the WannaCry ransomware attacks in May 2017 came very close, Noble said there had been no C1-level national cyber security incidents to date.
The majority of the major incidents the NCSC has dealt with were C3-level attacks, typically confined to single organisations. These account for 451 incidents to date.
The remaining 29 major incidents were C2-level attacks, significant attacks that typically require a cross-government response.
Across these nearly 500 incidents, Noble said there were five common themes or lessons to be learned.
1. There is still a need for organisations to get the basics right
“We are still seeing organisations that are not getting the basics right, like software security patching, antivirus updating and putting in basic protections and controls for system administrators, who are typically big targets for attackers to steal their credentials,” said Noble.
2. Failure to get the balance right between usability and security
“In the vast majority of incidents we see, victim organisations have got this balance wrong, leaning too far in the direction of convenience and usability leading to things like logging being turned off to optimise performance,” said Noble.
“The decision-making around where to strike that balance is typically confused because of the complexity of the enterprises being defended, and because of a lack of understanding about what they are trying to prevent and which data really matters,” he said.
3. Legacy systems and equipment
The existence of legacy systems and equipment in the enterprise presents opportunities to attackers, said Noble. “Often, when we investigate incidents, we find it is in the legacy systems that the compromise has begun,” he said.
“In early 2017, we reported on a major compromise of managed service providers, which provide a tremendous opportunity for bad actors,” said Noble, alluding to Operation Cloud Hopper that was uncovered in April.
“MSPs enable attackers to obtain security credentials in one country, traverse across their network, and then compromise a company or series of companies in another country, and exfiltrate the data through a third country,” he said.
In response, Noble said the NCSC had published a list of questions organisations should ask their MSPs in terms of security.
“Similarly, organisations need to understand the security implications of their supply chains, who they are connecting up to, and what risks are involved,” he said.
5. Mergers and acquisitions
In mergers and acquisition, cyber security is often overlooked in the due diligence process, said Noble. “As a result, the cyber risk is not understood and not addressed effectively,” he said.