• Covid-19 – click here for the latest updates from Forum Events & Media Group Ltd

Posts Tagged :

NCSC

UK holds Chinese state responsible for ‘pervasive pattern of hacking’

960 640 Stuart O'Brien

The UK is joining what it calls likeminded partners to confirm that Chinese state-backed actors were responsible for gaining access to computer networks around the world via Microsoft Exchange servers.

The attacks took place in early 2021, affecting over a quarter of a million servers worldwide.

The government says the attack was highly likely to enable large-scale espionage, including acquiring personally identifiable information and intellectual property.

At the time of the attack, the UK says it quickly provided advice and recommended actions to those affected and Microsoft said that by end of March that 92% of customers had patched against the vulnerability.

The UK is also attributing the Chinese Ministry of State Security as being behind activity known by cyber security experts as “APT40” and “APT31”.

Widespread, credible evidence demonstrates that sustained, irresponsible cyber activity emanating from China continues.

The Chinese government has ignored repeated calls to end its reckless campaign, instead allowing its state-backed actors to increase the scale of their attacks and act recklessly when caught.

This coordinated action today sees the international community once again urge the Chinese government to take responsibility for its actions and respect the democratic institutions, personal data and commercial interests of those with whom it seeks to partner.

The UK is calling on China to reaffirm the commitment made to the UK in 2015 and as part of the G20 not to conduct or support cyber-enabled theft of intellectual property of trade secrets.

As part of a cross-Government response, the National Cyber Security Centre (NCSC) issued tailored advice to over 70 affected organisations to enable them successfully to mitigate the effects of the compromise.

In 2018, the UK government and its allies revealed that elements of the Chinese Ministry of State Security (MSS) were responsible for one of the most significant and widespread cyber intrusions stealing trade secrets.

Foreign Secretary Dominic Raab said: “The cyber attack on Microsoft Exchange Server by Chinese state-backed groups was a reckless but familiar pattern of behaviour. The Chinese Government must end this systematic cyber sabotage and can expect to be held account if it does not.”

NCSC roleplay exercise educates home workers on cyber risks

960 640 Stuart O'Brien

Business owners are being urged to help keep their home working staff safe from cyber attacks by testing their defences in a roleplay exercise devised by the NCSC.

The ‘Home and Remote Working’ exercise is the latest addition to the National Cyber Security Centre’s Exercise in a Box toolkit, which helps small and medium sized businesses carry out drills in preparation for actual cyber attacks.

Launched last year, the toolkit sets a range of realistic scenarios which organisations could face, allowing them to practise and refine their response to each.

The latest exercise – the tenth in the series – is focused on home and remote working, reflecting the fact that for many organisations this remains a hugely important part of their business.

Sarah Lyons, NCSC Deputy Director for Economy and Society Engagement, said: “We know that businesses want to do all they can to keep themselves and their staff safe while home working continues, and using Exercise in a Box is an excellent way to do that.

“While cyber security can feel daunting, it doesn’t have to be, and the feedback we have had from our exercises is that they’re fun as well as informative.

“I would urge business leaders to treat Exercise in a Box in the same way they do their regular fire drills – doing so will help reduce the chances of falling victim to future cyber attacks.”

The exercise follows a range of products developed by the NCSC – which is a part of GCHQ – to support remote working during the coronavirus pandemic, including advice on working from home and securely setting up video conferencing.

The new ‘Home and Remote Working’ exercise is aimed at helping SMEs to reduce the risk of data compromise while employees are working remotely.

The exercise focuses on three key areas: how staff members can safely access networks, what services might be needed for secure employee collaboration, and what processes are in place to manage a cyber incident remotely.

Some of the most popular exercises include scenarios based around ransomware attacks, losing devices and a cyber attack simulator which safely imitates a threat actor targeting operations to test an organisation’s cyber resilience.

As part of the exercises, staff members are given prompts for discussion about the processes and technical knowledge needed to enhance their cyber security practices. At the end an evaluative summary is created, outlining next steps and pointing to NCSC guidance.

Exercise in a Box is an evolving tool and since it was launched the NCSC has continued to work on the platform. It has recently been given a new refreshed look to make it even more intuitive for users and soon micro-exercises – ‘bite-sized’ exercises that focus on a specific topic – will be added.

Jonathan Miles, Head of Strategic Intelligence and Security Research at Mimecast, said: “This new NCSC tool is a fantastic measure and will be welcomed universally as the threat of cyber attack continues to rise. In fact, our State of Email Security shows that 91% of UK organisations believe their organisation volume of web and email spoofing will increase in the coming year, while 59% of UK organisations have observed an increase in phishing attacks over the last year. It’s important that organisations prioritise cyber security, especially at a time where remote working has become the norm and connecting corporate devices via the home router becomes commonplace. This provides greater opportunity for malicious actors to infiltrate and obtain sensitive corporate data through unsecured home devices, so it’s important that businesses educate their staff on the tell tales signs of compromise and the benefits of good cyber hygiene practices.

“Regular cybersecurity awareness education is also key. Our State of Email Security report found 56% of organisations don’t provide awareness training on a frequent basis, leaving organisations incredibly vulnerable. This is supported by further research which found that enterprises that didn’t utilise Mimecast awareness training were 5x times more likely to click on malicious links as opposed to those companies that did. Often such training and education exercises may be viewed as burdensome or tedious, but it’s crucial that organisations work to change this perception and using tools such as these provided by the NCSC and others can significantly help. Our research has identified that awareness training, which is fun, interactive, and done in intervals can significantly help with retention, in addition to bolstering cyber defence in depth.”

You can sign up for Exercise in a Box or find out more about it on the NCSC’s website.

The growing cyber threat facing the UK legal sector

960 640 Stuart O'Brien

Cyber crime is a growing concern for all businesses across every industry, and even more so for those who operate in vulnerable sectors, such as law firms. A threat report from the NCSC highlighted that 60% of law firms reported an information security incident in 2018, an increase of 20% from 2017.

Law firms, as with all modern day working practices, are heavily reliant on technology – the sheer amount of expected connectivity makes everyone vulnerable. Research enforces the scale of the problem: in 2017, 60% of law firms reported an incident, but that’s only those who identified an issue. There has also been a significant 42% increase in reported incidents in the last five years. This could mean that either businesses are more aware so are reporting cases, or cyber crime is on the rise. It’s most likely a combination of both.

Andy Pearch, CORVID’s Head of IA Services, outlines one of the biggest cyber threats facing the legal sector, and steps that can be taken to save law firms from the devastating consequences.

Andy Pearch, CORVID’s Head of IA Services, outlines one of the biggest cyber threats facing the legal sector, and steps that can be taken to save law firms from the devastating consequences...

Facing vulnerabilities

The legal sector is particularly vulnerable to cyber attacks due to the volume of data, sensitive information, financial responsibility and authority it holds. If a law firm specialises in corporate or property law, they are at greater risk, as the potential for financial gain is unprecedented. Although the main reason law firms are targeted is for financial gain, there is also a growth in cyber adversaries seeking political, economic or ideological goals.

Law firms are perceived to be an easy target – particularly smaller firms, as they don’t have the same resources as larger practices, but still hold significant funds. Also, they most likely have a small team managing their entire business infrastructure, with limited IT security resources available. It is often misconstrued that cyber security is the sole responsibility of the IT department, but the reality is that every department is accountable. Cyber security is part of the bigger information risk management picture, and requires emphasis from business leaders.

Not only do law firms and their clients have to consider the financial impact of a cyber attack, but reputational damage for their practice can be irreversible. Therefore, to ensure law firms are protected, they need to be aware of the consequences of a phishing attack. 

Acknowledging threats

Email is the main route in for cyber criminals. Phishing attacks can take the form of impersonation, intercepted emails and/or malicious attachments. The aim of threat actors responsible for these attacks is to coerce users into making a mistake, such as disclosing sensitive information, providing users’ credentials or downloading malware.

Unfortunately, not a single law firm – or any organisation, for that matter – is exempt from being the next victim of a cyber attack. Law firms need to take action and be prepared. When it comes to mitigating email compromise, law firms cannot expect employees to bear the burden of identifying threats, but instead must utilise the technology available to spot incoming threats as they arise. 

The use of multiple detection engines and threat intelligence sources transforms email securityand threat protection. Real-time fraud detection and content checking automatically highlight phishing and social engineering techniques, removing the burden from users and bringing a level of sophistication to current cyber strategies that is needed to keep today’s threats at bay. By automatically flagging potentially concerning emails – such as those attempting to mislead, harvest credentials or spread malicious elements – individuals can make fast, informed and confident decisions regarding their legitimacy.

Without doubt, impersonation attacks, payment diversion fraud and business email compromise attacks are on the rise, but there are robust solutions in place to mitigate the associated risks. There is no need for – and indeed no excuse for – passing the buck to the user community. There is an abundance of resources available to help law firms adopt a proactive cyber securitymindset – notably, the threat report from the NCSC raises awareness and highlights specific safeguards that can be put in place.

It is time for the legal sector to take cyber security seriously. Failing to do so will only lead to devastating repercussions in the not-so-distant future. For a sector that is so protective of its reputation, every precaution should be put in place to keep it safe.

Image by Steve Buissinne from Pixabay

New security laws proposed for internet connected devices

960 640 Stuart O'Brien

Plans to ensure that millions of items that are connected to the internet are better protected from cyber attacks have been launched by Digital Minister Margot James.

Options that the Government will be consulting on include a mandatory new labelling scheme. The label would tell consumers how secure their products such as ‘smart’ TVs, toys and appliances are. The move means that retailers will only be able to sell products with an Internet of Things (IoT) security label.

The consultation focuses on mandating the top three security requirements that are set out in the current ‘Secure by Design’ code of practice. These include that:

  • IoT device passwords must be unique and not resettable to any universal factory setting.
  • Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
  • Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.

Following the consultation, the security label will initially be launched as a voluntary scheme to help consumers identify products that have basic security features and those that don’t.

Digital Minister Margot James said: “Many consumer products that are connected to the internet are often found to be insecure, putting consumers privacy and security at risk. Our Code of Practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought.

“These new proposals will help to improve the safety of Internet connected devices and is another milestone in our bid to be a global leader in online safety.”

National Cyber Security Centre (NCSC) Technical Director Dr Ian Levy said: “Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it’s unacceptable that these are not being fixed by manufacturers.

“This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes.”

UK businesses warned to take action to prevent cyber attacks

960 640 Stuart O'Brien

Stats from the Department for Digital, Culture, Media and Sport (DCMS) have shown a reduction in the percentage of businesses suffering a cyber breach or attack in the last year.

The 2019 Cyber Security Breaches Survey shows that 32% of businesses identified a cyber security attack in the last 12 months – down from 43% the previous year.

The reduction is partly due to the introduction of tough new data laws under the Data Protection Act and the General Data Protection Regulations (GDPR). 30% of businesses and 36% of charities have made changes to their cyber security policies and processes as a result of GDPR coming into force in May 2018.

However, of those businesses that did suffer attacks, the typical median number of breaches has risen from 4 in 2018 to 6 in 2019. Therefore, businesses and charities suffering cyber attacks and breaches appear to be experiencing more attacks than in previous years.

Where a breach has resulted in a loss of data or assets, the average cost of a cyber attack on a business has gone up by more than £1,000 since 2018 to £4,180. Business leaders are now being urged to do more to protect themselves against cybercrime.

The most common breaches or attacks were phishing emails, followed by instances of others impersonating their organisation online, viruses or other malware including ransomware.

Digital Minister Margot James said: “Following the introduction of new data protection laws in the UK it’s encouraging to see that business and charity leaders are taking cyber security more seriously than ever before. However, with less than three in ten of those companies having trained staff to deal with cyber threats, there’s still a long way to go to make sure that organisations are better protected.

“We know that tackling cyber threats is not always at the top of business and charities list of things to do, but with the rising costs of attacks, it’s not something organisations can choose to ignore any longer.”

Through the CyberFirst programme, the Government is working with industry and education to improve cyber security and get more young people interested in taking up a career in cyber.

The Cyber Discovery initiative has already encouraged 46,000 14 to 18 year olds to get on a path towards the cyber security profession, over 1,800 students have attended free CyberFirst courses and nearly 12,000 girls have taken part in the CyberFirst Girls competition. The Government’s initial Cyber Skills Strategy, published in December, will be followed by a full strategy later this year.

Business and charity leaders are being encouraged to download the free small business guide and free small charity guide to help make sure that they don’t fall victim to cyber attacks. This is available through the National Cyber Security Centre (NCSC).

Clare Gardiner, Director of Engagement at the NCSC, said: “We are committed to making the UK the safest place to live and do business online, and welcome the significant reduction in the number of businesses experiencing cyber breaches.

“However, the cyber security landscape remains complex and continues to evolve, and organisations need to continue to be vigilant.”

The NCSC has a range of products and services to assist businesses, charities and other organisations to protect themselves from cyber attacks, and to deal with attacks when they occur. These include the Board Toolkit providing advice to Board level leaders, and guides aimed at small businesses and small charities.

The threat of cyber attacks remains very real and widespread in the UK. The figures published today also show that 48% of businesses and 39% of charities who were breached or attacked, identified at least one breach or attack every month.

Cyber security is becoming more of a priority issue, especially for charities. Those charities who treated cyber security as a high priority has gone up to 75% in 2019, compared with just 53% the year before, and is now at the same level as businesses.

Small businesses and charities are being urged to take up tailored advice from the National Cyber Security Centre. All businesses should consider adopting the Ten Steps to Cyber Security, which provides a comprehensive approach to managing cyber risks. Implementation of the 10 Steps will help organisations reduce the likelihood and cost of a cyber attack or cyber related data breach.

Organisations can also raise their basic defences by enrolling on the Cyber Essentials initiative and following the regularly updated technical guidance on Cyber Security Information Sharing Partnership available on the NCSC website.

New cyber security centre will have an ‘open door’ policy to advise UK businesses…

800 450 Jack Wynn
Based in London’s Victoria, the opening of the new National Cyber Security Centre (NCSC) will aim to protect the country from potential hackers after it was recently revealed that the government records an approximate 200 ‘national security-level cyber incidents’ a month. Overseeing 700 staff members, the centre is headed by the former director general for cyber at the Government Communications Headquarters (GCHQ), Ciaran Martin, and the current technical director for cyber security at the GCHQ, Dr. Ian Levy.  The NCSC’s first project is with the Bank of England to create guidelines in advising the financial sector on effective methods to handle such attacks. The centre will also look to introduce a national DNS filter, which will effectively produce a large firewall to block websites and content through major network partnerships in the UK.  Martin said in a statement made last month: “We’re exploring a flagship project on scaling up DNS filtering. What better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?”    Find out more about the National Cyber Security Centre here