National Cyber Securty Centre’s 2017 Annual Review

The National Cyber Security Centre (NCSC) celebrates its first anniversary of operations this week.

The National Cyber Security Centre (NCSC) celebrates its first anniversary of operations this week.

The Annual Review highlights the work it has done to make the UK the safest place to live and work online.

While there is still much work to be done, the NCSC’s first annual report says it has prevented thousands of cyber attacks since its inception.

The NCSC received 1,131 incident reports, with 590 classed as “significant”, according to the agency’s first annual review.

Those “significant attacks” ranged from attacks on key national institutions such as the National Health Service (NHS) and the UK and Scottish Parliaments, through to attacks on large and small businesses and other organisations, said Ciaran Martin, chief executive of the NCSC.

But, he said, so much of the NCSC’s work aims to make successful attacks less likely, and to that end the NCSC has so far produced more than 200,000 protective items for military communications; supported the Cabinet Office in developing more secure communications for key government organisations; and supported the Home Office in ensuring the security of new mobile communications for emergency services.

The NCSC, part of GCHQ, brought together elements of its parent organisation with previously separate parts of government and intelligence to create a single, one stop shop for UK cyber security, with the aim of making the UK the safest place to live and work online.

A crucial part of the NCSC’s role is to help everyone in the UK operate more securely online.

“Through a pioneering partnership with the private sector, tens of millions of suspicious communications in the UK are being blocked every month,” he said.

Martin highlighted the fact that the NCSC’s Active Cyber Defence programme has developed capabilities, which have seen the average lifetime for a phishing site hosted in the UK reduce from 27 hours to less than an hour.

He added that the NCSC’s information-sharing platform with industry, the Cyber Security Information Sharing Partnership (CiSP), grew 43% over the year.

However, he said the NSCS still has much to do in the years ahead to “counter this strategic threat to our values, prosperity and way of life” in collaboration with GCHQ and the UK intelligence community, law enforcement, wider government, industry and the rest of the world.

Martin said cyber security is crucial to the UK’s national security and prosperity. “We’re incredibly proud of what we have achieved in our first year, bringing together some of the best cyber security brains in the country in a single place.

“But the threat remains very real and growing – further attacks will happen and there is much more for us to do. We look forward to working with our partners at home and abroad in the year ahead in pursuit of that vital goal,” he said.

According to the review, tens of millions of cyber attacks are being blocked every week by industry partners implementing NCSC’s Active Cyber Defence programme

The programme currently includes the NCSC’s protected domain name server (DNS) service built by Nominet to block bad stuff from being accessed from government systems; the use and support of the domain-based message authentication, reporting and conformance protocol (Dmarc) to block bad emails pretending to be from government; and a phishing and malware countermeasures service to protect the UK, including government brands.

Similarly, while the number of IP-addresses associated with phishing around the world is up 47% this year, the UK share of those has gone down from 5.1% to 3.3%.

 

UK firms still relying on perimeter defences for cyber security

Despite the increasing number of data breaches, many companies are still relying on perimeter defences and are underinvesting in technologies to keep data safe.

Despite the increasing number of data breaches, many companies are still relying on perimeter defences and are underinvesting in technologies to keep data safe.

Some 96% of UK businesses feel as though their network perimeter security is effective at keeping unauthorised users out of their network, according to the fourth-annual Gemalto Data Security Confidence Index.

The global ransomware attack in May 2017 affected more than 200,000 computers in over 150 countries, including in the UK where the NHS was forced to restrict operations and turn away patients.

Across the 10 global regions surveyed, 94% of the more than 1,000 IT professionals said perimeter security is effective, but only 35% said they were extremely confident their data would be secure if perimeter defences were breached.

However, the survey also revealed that 46% of UK businesses are only protecting their customers’ data with passwords, and when considering their latest data breaches, 75% of the data stolen from businesses on average was not encrypted, with 11% of businesses not encrypting any of their data.

“As a security professional, it feels like I’ve been saying forever that basic perimeter security measures are no longer enough,” said Joe Pindar, director of data protection product strategy at Gemalto.

“So it’s worrying to see the UK is continuing to place ultimate faith in these systems, without thinking about what attackers actually want – their data,” he said.

Without a switch in mentality, and starting to protect the data at its source with robust encryption and two-factor authentication, the UK is like one of the three little pigs.

“Unfortunately, the one sitting in the straw house – not realising that when the time comes, passwords and perimeter security alone will not stand up to attackers,” he said.

The Gemalto report notes that many businesses are continuing to prioritise perimeter security without realising it is largely ineffective against sophisticated cyber attacks.

According to the research findings, 76% of global respondents said their organisation had increased investment in perimeter security technologies such as firewalls, intrusion detection and prevention, antivirus, content filtering, and anomaly detection to protect against external attackers.

Despite this investment, 68% believe unauthorised users could access their network, rendering their perimeter security ineffective.

These findings suggest a lack of confidence in the solutions used, especially when over a quarter (28%) of organisations polled have suffered perimeter security breaches in the past 12 months. The reality of the situation worsens when considering that, on average, only 8% of data breached was encrypted.

Businesses’ confidence is further undermined by over half of respondents (55%) not knowing where their sensitive data is stored. In addition, over a third of businesses do not encrypt valuable information such as payment (32%) or customer (35%) data.

According to the Gemalto report, this means that, should the data be stolen, a hacker would have full access to this information, and could use it for crimes including identify theft, financial fraud or ransomware.

“It is clear there is a divide between organisations’ perceptions of the effectiveness of perimeter security and the reality,” said Jason Hart, vice-president and chief technology officer for data protection at Gemalto.

“By believing that their data is already secure, businesses are failing to prioritise the measures necessary to protect their data, which is a company’s most valuable asset,” he said, adding that it is important to focus on protecting this resource. “Otherwise, reality will inevitably bite those that fail to do so.”

 

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

People can be strongest link in cyber security, says NCSC

People are often seen as the weakest link when it comes to cyber security, but that must change, says the National Cyber Security Centre (NCSC).

People are often seen as the weakest link when it comes to cyber security, but that must change, says the National Cyber Security Centre (NCSC).

Information security has traditionally been led by technology and, as a result, the role and value of people has been overlooked. That is the view of Emma W, people-centred security team lead at the UK’s National Cyber Security Centre.

From a hacker perspective, many organisations are still leaving the front door open and the windows unlocked. Failure to protect and handle data correctly can also result in punitive actions for companies participating in the digital economy. Wake up and get the knowledge to get protected.

The perception of people as the weakest link is unfair and a natural consequence of a technology-led security culture.

“We have not always had people working in cyber security with a deep understanding of human behaviour or the input of psychologists, social scientists and the like to tell us why people behave the way they do.

“As a result, organisations tend to treat users as people who should do as they are told, but they don’t always, and often the reason is because they can’t.

“However, these reasons are often not recognised, and instead users are seen as either being unco-operative or stupid, but this is not true and is a perception that we have to turn around,” she said.

An example of where end-users are typically blamed for failures is around passwords, but many organisations have unreasonable expectations.

Most people find it challenging to remember multiple passwords, especially when organisations insist on long and complex passwords that must be changed regularly.

Instead of being critical of employees who fail to adhere to unreasonable password policies, organisations need to have a more sophisticated understanding of how humans can be a security asset, she said.

“They need to understand that if humans appear to be poor at security, it is because they are being required to do things that are difficult or impractical to do.”

The NCSC believes this indicates a need to reshape the relationship between the IT security team in an organisation and users of the IT systems.

While some information security professionals understand that their role is to support and enable the business, Emma W said less progress has been made in understanding how to relate to end-users.

Users still commonly see security as policing role, she said, and do not feel confident enough or too afraid to talk to security teams about the challenges they have and where they feel the need to bend or even flout security rules in order to get their jobs done, for fear of being sanctioned in some way.

“This is the relationship we need to reshape, and a critical part of that is enabling two-way communication between security teams and the rest of the organisation, rather than users’ current common perception that security just sits in its own silo and tells everybody else what they need to do,” she said.

“In reality, security professionals don’t have all the answers and users have a contribution to make in supplying some of the answers. Security professionals need to start listening to what users are trying to do and understand that they can be the strongest, not the weakest link in security.”

End-users should be viewed as a positive asset who have information that security professionals do not have about how the business runs and how it needs to run, rather than be seen as a liability that has to be managed, said Emma W.

“Security professionals need to review how they gather information about security, so they can get the right support to discover the real problems facing their business and fix them,” she said.

Security professionals also need to understand that occasional security awareness training and a poster-based awareness campaign are no substitute for meaningful two-way communication that enables them to know what people need from security and how security can help to support the business.

“It is about security teams finding out what is really going on in an organisation, and why people are not doing the things the security team want them to do – and it is probably not because people are weak, stupid or deliberately trying to sabotage security efforts,” said Emma W.

“Mostly people are well-intentioned and know what they are supposed to be doing, but they are trying to get a work task done and the organisation is not giving them the right way to do it,” she said, with the result that the task may be getting done, but not in the most secure manner possible.

Where employees feel they cannot work within the system or that they are running the risk of being punished for things beyond their control, they will look for alternative ways of working and that is what gives rise to shadow IT and real work processes being driven underground, she said.

For this reason, the NCSC is championing the view that people are potentially organisations’ strongest link when it comes to cyber security and are encouraging organisations to move towards generating positive, collaborative solutions that give users a chance to show that they are the greatest assets in security, as much as they are in business.

Users are typically blamed for failings around passwords, but this is mainly because most people find it difficult to follow company policies on passwords.

 

What to do first when hit by a cyber attack

At some point, the chances are growing that your business will have to deal with a cyber security incident.

At some point, the chances are growing that your business will have to deal with a cyber security incident.
But when you are under pressure and your team is stressed, people make mistakes.

Crisis patterns over the past decade have changed dramatically. 10 years ago elements such as civil war and oil prices were the top global risks to take into account. Now we see water crisis and extreme weather events taking control of keeping us up at night.

Delaying too long in making critical response decisions may exacerbate the impact of the incident but, conversely, making knee-jerk decisions can cause further damage to the business or hinder a complete response.

There are many ways you may suspect that a security incident has happened, from detecting unusual activity through proactive monitoring of critical systems or during audits, to outside notification from law enforcement and compromised data located in the wild.

However, indicators such as unusual CPU (central processing unit) and network usage on a server may have multiple potential causes, many of which are not information security incidents. So it is vital to investigate further before jumping to conclusions.

Do you have any corroborating evidence? For example, if the IDS (intrusion detection system) detects a brute force attack against the website, do web logs support this having occurred? Or, if a user reports a suspected phishing attack, has this email been received by other users and did the user click on links or open documents?

You also need to think about answering questions about the nature of the incident. Is it a generic malware infection, or an active system hack? Is there an intentional denial of service (DoS) attack in progress and is this an incidence of deliberate insider action?

Once you have confirmed an incident has occurred, you need to take time out from initial response activities to prioritise your actions and decide, definitively, what the business objectives are for the response operation. Incident triage generally consists of classifying the incident in terms of impact and urgency and how it should be handled. The incident response team can then use the impact, urgency and priority evaluation to define the objectives for the incident response operation and assign actions or further investigation, as required.

Impact classifications defined by the National Cyber Security Centre’s (NCSC) GovCertUK and adopted by Crest, the body that represents the technical security industry, may provide a useful point of reference for initial classification based on the perceived or established impact.

Many minor types of incident can be capably handled by internal IT support and security. All events should be reported back to the information security team who will track occurrences of similar events. This will improve understanding of the IT security challenges and may raise awareness of new attacks.

It is not necessary to report on incidents with little or no impact or those affecting only a few users, such as isolated spam or antivirus alerts, minor computer hardware failure and loss of network connectivity to a peripheral device, such as a printer.

The urgency of an incident should also be assessed along with the impact. Some incidents are unlikely to worsen over time, such as the discovery of a historical compromise by a former employee. But in other cases, such as a ransomware outbreak, it may be absolutely critical to respond rapidly to isolate the infection.

Mobilising full emergency incident response capabilities may not be applicable or appropriate in every situation. You need to understand as much about what you are dealing with as you can. For example, who is the attacker? How was the attack introduced? When did the attack occur? What data or systems have been compromised? Is the attack ongoing? Why were we the target of the attack?

The goal of triage is to understand the methodology and the extent of the attack as fully as possible, in the shortest possible time.

Information about the incident, the impact, urgency and business impact analysis for the affected data or systems will guide the incident response operation. If possible, the business priorities should be pre-determined and documented in incident response plans.

Objectives for the incident response team could include:

Resumption of service as quickly as possible, where the affected system is critical in terms of availability for the business.
Rapid ring-fencing and protection of confidential information, where the affected system or network is critical in terms of confidentiality for the business.
Integrity checking of the affected systems, where integrity of data is critical for the business.
Preservation of evidential integrity, where criminal activity is suspected and prosecution is likely to be an outcome of the incident, or where culpability must be established definitively.
Identification of the origin of the threat and gathering intelligence about the activities being conducted during the incident.

For organisations with known advanced threat actors, continued covert observation of an attacker to determine their goals and modus operandi may be an objective of the incident response operation for intelligence-gathering purposes, even if the urgency for containment is high. Experienced internal or external incident handlers should be used to inform these decisions.

Once the priority of the incident and the objectives of the response have been defined, it is time to act and allocate activities to the incident response teams.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

The National Cyber Security Centre officially opens for business

The Queen officially opened the National Cyber Security Centre (NCSC) yesterday- the single, central body for cyber security at a national level.

The Queen officially opened the National Cyber Security Centre (NCSC) yesterdayThe NCSC is core to the government’s National Cyber Security Strategy, which was unveiled on 1 October 2016.

Staff in Victoria, central London, will be joined by experts from GCHQ and the private sector to help identify threats.

At the time, Chancellor of the Exchequer Philip Hammond said: “The new National Cyber Security Centre will provide a hub of world-class, user-friendly expertise for businesses and individuals, as well as rapid response to major incidents.”

Hammond said the government’s 2015 Strategic Defence and Security Review classified cyber as a Tier One threat to the UK, and outlined the actions the government needed to take to secure the country.

According to the National Cyber Security 2016-2021 report, NCSC’s role will be to manage national cyber incidents, provide an authoritative voice and centre of expertise on cyber security, and deliver tailored support and advice to government departments, the devolved administrations, regulators and businesses.

“The NCSC will analyse, detect and understand cyber threats, and will also provide its cyber security expertise to support the government’s efforts to foster innovation, support a thriving cyber security industry, and stimulate the development of cyber security skills,” the report said.

There were 188 cyber attacks classed by the NCSC as Category Two or Three during the last three months.

And even though the UK has not experienced a Category One attack – the highest level, an example of which would have been the theft of confidential details of millions of Americans from the Office of Personnel Management – there is no air of complacency at the NCSC’s new headquarters.

Ciaran Martin, the centre’s chief executive, said “We have had significant losses of personal data, significant intrusions by hostile state actors, significant reconnaissance against critical national infrastructure – and our job is to make sure we deal with it in the most effective way possible.”

As well as protecting against and responding to high-end attacks on government and business, the NCSC also aims to protect the economy and wider society.

The UK is one of the most digitally dependent economies, with the digital sector estimated to be worth over £118 billion per year – which means the country has much to lose.

It is not just a crippling cyber-attack on infrastructure that could turn out the lights which worries officials, but also a loss of confidence in the digital economy from consumers and businesses, as a result of criminals exploiting online vulnerabilities.

A sustained effort was required by government and private sector working together to make the UK the hardest possible target, officials say.

Russia has been the focus of recent concern, following claims it used cyber-attacks to interfere with the recent US presidential election.

“I think there has been a significant change in the Russian approach to cyber-attacks and the willingness to carry it out, and clearly that’s something we need to be prepared to deal with,” Mr Martin said.

NCSC- National Cyber Security Centre for cyber expertise

NCSC- the National Cyber Security Centre for cyber expertise review.

NCSC- the National Cyber Security Centre for cyber expertise review.Following on from the Cyber Security Force’s news post yesterday outline NCSC- the National Cyber Security Centre, the UK government plans to make the NCSC the centre of its expertise on what is happening in cyber space, combining the knowledge gathered from incidents and intelligence with that shared with industry, academia and international partners.

The NCSC will aim to use that knowledge to provide best practice advice and guidance and to tackle systemic vulnerabilities to enhance cyber security for all.

The NCSC will support the most critical organisations in the UK across government and the private sector to secure and defend their networks. This will include the provision of bespoke advice and guidance, help to design and test networks and exercise response arrangements.

When a serious cyber incident occurs, the NCSC will work with victims to minimise the damage, help with recovery and learn lessons to reduce the chance of recurrence and minimise future impact.

According to the prospectus, this help will include connecting victims with commercial companies that are recognised as being excellent at cyber incident response, and ensuring that the wider response of government and law enforcement is well co-ordinated.

In the case of very serious incidents, the NCSC’s response may include communicating publicly about consequences and the steps people and businesses should take to protect themselves.

The establishment of the NCSC will bring a new level of coherence and effectiveness to how government does cyber security. It seeks to partner with government agencies and departments, the devolved administrations, and the wider public and private sectors.

The NCSC will also work in close partnership with law enforcement to support their efforts to tackle cyber crime, and with the UK’s security and intelligence agencies and the Ministry of Defence to identify and counter the full range of threats in cyber space.

The NCSC will support the government’s wider security and prosperity agenda by engaging with international partners on incident handling, situational awareness, building technical capabilities and capacity and contributing to broader cyber security discussions.

For organisations that have their own networks, the NCSC will run the Cyber Security Information Sharing Partnership (CiSP). This is aimed at enabling organisations to share information with each other and the NCSC about what they are seeing on their networks, and provide a forum for discussion from beginner through to expert level.

The NCSC will produce tailored advice and guidance to identified sectors and proactively work with companies on this. However, it will initially focus on sectors which form the critical national infrastructure and those of strategic or significant economic importance or tied to the delivery of key public services.

The NCSC will not offer an enquiries line for the general public and Action Fraud will continue to be the first port of call for victims to report suspected cyber crime.

However, when there is a significant cyber incident affecting the UK, the NCSC will have the leading role for government in communicating to the public, to provide reassurance and guidance on what individuals and organisations can do to better protect themselves.

The NCSC’s specialist teams will work with the Ministry of Defence – and other users of very secure communications – to ensure that operational needs are met. It will also ensure the capabilities needed to operate both independently and with the UK’s allies are available in the future.

The NCSC will work with the cyber security industry to help ensure organisations of all kinds can find cyber security products and services that are high quality and meet their needs.

UK gov’s plans for National Cyber Security Centre

The UK government has outlined what the National Cyber Security Centre (NCSC) will do, how it will work and who it will work for.

The UK government has outlined what the National Cyber Security Centre (NCSC) will do, how it will work and who it will work for.The NCSC is set to open in October 2016 and will be based in London. The NCSC will be led by CEO Ciaran Martin, formerly director general of government and industry cyber security at intelligence agency GCHQ. The technical director for the NCSC will be Ian Levy, formerly technical director of cyber security at GCHQ.

Chancellor George Osborne announced the NCSC in November 2015 as part of the government’s National Cyber Security strategy for the next five years, supported with £1.9 billion funding.

The NCSC is at the heart of that strategy and will be the “bridge” between industry and government, said Matthew Hancock, minister for the Cabinet Office.

It will simplify the “current complex structures, providing a unified source of advice and support, including on managing incidents. It will be a single point of contact for the private and public sectors alike,” he wrote in foreward to the prospectus for the NCSC.

Hancock said it is “vital” that the NSCS works with industry from the very start, and called on UK businesses to give feedback on the centre’s proposed design.

NCSC CEO Ciaran Martin invited UK industry to engage with his team about what they would like to get out of working with the NCSC.

“The government has set out its intent to address the cyber threat, to put tough and innovative approaches in place, and to be a world leader in cyber security.”

“The National Cyber Security Centre will be at the heart of this approach, bringing together the capabilities already developed by CESG – the information security arm of GCHQ, the Centre for the Protection of National Infrastructure, Cert-UK and the Centre for Cyber Assessment.

“This will allow us to build on the best of what we already have, while significantly simplifying the current arrangements,” he said.

According to the prospectus, the NCSC will have four key objectives:

  • To understand the cyber security environment, share knowledge, and use that expertise to identify and address systemic vulnerabilities.
  • To reduce risks to the UK by working with public and private sector organisations to improve their cyber security.
  • To respond to cyber security incidents to reduce the harm they cause to the UK.
  • To nurture and grow national cyber security capability, and provide leadership on critical national cyber security issues.

Cyber Security Force will detail more information on the NCSC in our next news post.