Security IT Summit | Forum Events Ltd

Posts Tagged: NCSC

NCSC outlines data breach roles

Stuart O'Brien

Data breach roles have been outlined to help victims of cyber incidents and form an improved approach between the UK’s technical authority for cyber threats and its independent authority for data protection. 

Speaking on the second day of the National Cyber Security Centre (NCSC) annual conference CYBERUK, Chief Executive Ciaran Martin and Information Commissioner's Office (ICO) Deputy Commissioner James Dipple-Johnstone outlined the understanding between the organisations.

The NCSC manages cyber incidents of national importance to reduce harm caused to victims and to the UK, help with managing the response and learn lessons to help deter future attacks.

The ICO is the independent regulator for the monitoring and enforcement of the General Data Protection Regulation (GDPR) and the competent authority for Digital Service Providers under the NIS Directive, meaning breached organisations should notify them of incidents, cooperate and take remedial action.

Amongst the commitments outlined was greater clarity about the separate roles and responsibilities each organisation has after a cyber incident, making it easier for a victim to deal with the right authority or organisation at the right time.

The NCSC outlined plans to engage directly with victims to understand the nature of the incident and provide free and confidential advice to help mitigate its impact in the immediate aftermath; to encourage impacted organisations to meet their requirements under GDPR and the NIS Directive, while reassuring organisations that the NCSC will not share information reported to it on a confidential basis with the ICO without first seeking the consent of the organisation concerned; and to help the ICO expand its GDPR guidance as it relates to cyber incidents.

The ICO stated it would focus its early-stage engagement on the vital steps required to help ensure impacted organisations mitigate risks to individuals, stand up an effective investigation and establish the circumstances of the incident, making sure that organisations have adequately protected any personal data put at risk and, in circumstances of high risk to individuals, have properly met their legal responsibilities.

Both organisations will share duties, including sharing anonymised and aggregated information with each other to assist their respective understanding of the risk, and commit to amplifying each other’s messages to promote consistent, high-quality advice that helps ensure the UK is secure and resilient to cyber threats.

Discussing the roles outlined, NCSC Chief Executive Ciaran Martin said: “This framework will enable both organisations to best serve the UK during data breaches, while respecting each other’s remits and responsibilities.

“The development of this understanding is as a result of a constructive working relationship between our organisations, and we remain committed to an open dialogue on strategic issues.

“While it’s right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim.”

ICO Deputy Commissioner – Operations, James Dipple-Johnstone, said: “It’s important organisations understand what to expect if they suffer a cyber security breach.

“The NCSC has an important role to play in keeping UK organisations safe online, while our role reflects the impact cyber incidents have on the people whose personal data is lost, stolen or compromised.

“Organisations need to be clear on the legal requirements for when to report these breaches to the ICO, and the potential implications, including sizeable fines, if these requirements aren’t followed.”

The NCSC will seek to forge similar enhanced clarity on its working relationship with law enforcement colleagues who are at the core of the response to malicious data breach incidents.

National Audit Office raises cyber security concerns

Stuart O'Brien

The National Audit Office (NAO) has revealed failings in the way the Cabinet Office established its current cyber security programme, with the government unclear whether it will meet programme objectives along with issues surrounding its cyber-attack strategy after 2021.

The UK has one of the world’s leading digital economies, the report asserts, making it more vulnerable to cyber-attacks from hostile countries, criminal gangs and individuals, which continue to increase and evolve as it becomes easier and cheaper to launch attacks.

The National Cyber Security Strategy 2016 (the Strategy) outlines how the government aims to make the UK more secure online. The £1.9 billion Strategy includes £1.3 billion of funding for the National Cyber Security Programme 2016-21 (the Programme) and the NAO report assesses progress just beyond the mid-point of the five-year Programme.

The Programme provides a focal point for cyber activity across government and has already led to some notable innovation, such as the establishment of the National Cyber Security Centre (NCSC).

The Programme has also reduced the UK’s vulnerability to specific attacks. For example, the NCSC developed a tool that led to 54.5 million fake emails being blocked in 2017-18 and the UK’s share of global phishing attacks falling from 5.3% to 2.2% in two years.

However, despite agreeing an overall approach to cyber security as part of the 2015 Strategic Defence and Security Review and Spending Review, the NAO says the Cabinet Office did not produce a business case for the Programme before it was launched.

The NAO says it is unclear whether the Cabinet Office will achieve the Strategy’s wider strategic outcomes by 2021. This is partly due to the difficulty of dealing with a complex and evolving cyber threat but also because it has not assessed whether the £1.9 billion of funding was ever sufficient. It has acknowledged that it may take longer than 2021 to address all the cyber security challenges set out in the Strategy but does not yet know when these might be achieved.

The NAO recommends that, going forward, the Cabinet Office establishes which areas of the Programme are having the greatest impact and are most important to address, and focuses its resources there until 2021. Building on existing work, it should consult widely and develop a strategy for UK cyber security after 2021 which clearly sets out which work should be centrally-funded, which are private sector responsibilities and which are core departmental activities. It should also consider more flexible approaches to cyber security that involve a mixture of shorter programmes, so that it can be more responsive to changing risks.

“Improving cyber security is vital to ensuring that cyber-attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services,” said Amyas Morse, Head of the NAO. 

“The government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. Government needs to learn from its mistakes and experiences in order to meet this growing threat.”

NCSC beta website unveiled

Stuart O'Brien

The National Cyber Security Centre (NCSC) has launched a redesigned version of its website, which the body says will enable businesses and individuals to stay better informed about cyber threats.

The NCSC, which is part of GCHQ, says the redesign will help people of all levels of cyber expertise: the new site has sections designed around the specific needs of those using it, so users will spend less time looking for the guidance they need and more time reading it.

Stuart T, the NCSC’s Digital Product Manager, said: “We want our website to become the UK’s homepage for cyber security.

“Cyber risks pose a real threat to us all, and we have tailored a site to help all users, from FTSE 350 giants to family businesses – as well as individuals and families who want to know a bit more about how to secure their devices around the home.

“We’re aiming to create a community and are asking for feedback on the new site, so we can continually improve our offering and ensure our site is always user-centred. This is not the end of our improvements – it’s the beginning.”

The NCSC says the website was created after extensive user research, which has been used to develop concise guides tailored to each audience, multi-page articles for complex topics and an alert banner on the homepage with important advice and guidance during live cyber security incidents.

The NCSC says it remains committed to demystifying cyber jargon, and will continue to explore innovative ways to present content in a way that appeals to each audience.

While security and risk management were central to every stage of the website’s design, another key decision the NCSC made was to make it as secure as necessary, rather than as secure as possible.

Richard C, the NCSC’s Chief Security Architect, said: “The National Cyber Security Centre has always said organisations should invest in an appropriate amount of security – and that’s what we’ve done with our new website.

“There is often a tendency amongst the cyber security community to set the bar as high as possible. We want to show that the vital thing is sensible risk management, so we’ve focused on making our user experience fantastic and our security good enough.

“When designing computer systems, we always tailor our approach to the system in question. Our website is intended to openly share content with the public so has quite different controls to systems that handle information we need to keep private.”

Under lock and key: how can the public sector keep data safe?

Stuart O'Brien

Dan Panesar, VP EMEA, Certes Networks

The public sector faces intense public scrutiny, especially when it comes to cybersecurity.

However, the launch of the National Cyber Security Centre (NCSC) in 2016 suggests that the sector is beginning to take the issue of cybersecurity seriously, marking the Government’s commitment to making the UK a safe place to live and work online.

And it’s not just public scrutiny the sector has to contend with: the global digital revolution means that changes are happening rapidly, yet technology adoption is not happening as quickly as it should.

On top of this, the public sector has numerous regulatory and Information Assurance (IA) based obligations it is required to fulfil, making some organisations within the sector too scared to make changes or enforce new policies for fear of breaking the rules.

Restricted budgets, small teams and intense workloads can often make cybersecurity a low priority. Rather than enforcing and developing proactive, robust strategies to keep the organisation’s data safe, teams end up working reactively to mitigate threats as they arise. Add to this the complex and wide-reaching nature of public sector organisations, which makes coordinating the array of essential services, stakeholders and functions a near impossible task.

Keeping up with digital change 

The digital transformation means that traditional connectivity solutions are being replaced to reflect cloud deployments, network function virtualisation and the ability to deploy meaningful orchestration-based management. To reflect the uptake of digital and online services, public sector networks are expected to grow at 15-25% per year; to keep up with this demand, users are becoming increasingly reliant on high-speed, high-availability transport networks, whether MPLS, SD-WAN, 5G or a combination of networks, to deliver information when and where it is needed.

In the not so distant future, dependency on traditional hardware will become more challenging, as additional capacity means the user may have to continuously upgrade its network to reflect growth. However, current and conventional approaches to data protection create numerous challenges, particularly around scalability, performance, complexity, key management and key rotation.

Don’t shy away from new technology

The public sector needs to start embracing new technology; the prospect of digital transformation should be exciting, rather than daunting. As a sector with a reputation for being slow to adopt mobile technology, potentially due to concerns over its lack of security, there is a tendency to instead lock down data and restrict the use of technology altogether. However, this just isn’t sustainable, and a lack of mobile technology won’t keep the hackers out. 

If changes don’t happen soon, the public sector will get left behind. To keep up, it needs to recognise that a digital network with a mix of connected users, devices and applications does not need to make an organisation vulnerable, no matter how complex it may be. Flexibility and digital agility are undoubtedly at the top of every government’s agenda, making it essential for organisations to embrace the technology available. However, instead of adopting technology that attempts to secure each entity itself, or worse, layering technology on top of technology with a security solution tied into the network, organisations need to focus on what’s really important – and that’s Information Assurance (IA). For organisations in the public sector to really be secure, the focus needs to be on protecting the data rather than securing the network.

An organisation’s biggest asset

Data is arguably an organisation’s biggest asset; it’s the crown jewels that must be protected, and what the hackers will inevitably set their sights on when planning an attack. In reality, a fine won’t be enforced under regulations such as the General Data Protection Regulation (GDPR) for a breach of an organisation’s network; the fine comes into play when a breach results in data being lost or stolen. That’s the difference in value between an organisation’s network and its data.

And the fact is, the public sector is quickly becoming a prime target for hackers. But how can organisations ensure their data is really protected? Firstly, organisations need to move to a data-centric, IA security model underpinned by a robust and strategic security overlay, sitting on top of an organisation’s existing network and independent of the underlying transport infrastructure, making the network itself irrelevant. A software-defined security overlay enables centralised orchestration of IA policy; by centrally enforcing capabilities such as software-defined application segmentation using cryptography, key management and rotation, data is protected in its entirety on its journey across whatever network or transport it traverses.

For the public sector, this means organisations no longer need to fear technology; each application on the network and the data it holds will be kept secure, irrespective of any changes made. Furthermore, if a data breach does occur, as long as it’s encrypted it will be rendered useless to hackers, mitigating the potential damaging consequences of a breach. 

Quite simply, cybersecurity must be at the forefront of business strategy. Public sector organisations need to embrace technology, coupled with the right security architecture, or risk being left behind. 

Universities invited to apply for NCSC certification

Stuart O'Brien

Universities across the UK now have a further opportunity for their cyber-security related degrees to gain certification as part of the National Cyber Security Strategy.

After a rigorous process, the National Cyber Security Centre (NCSC) – a part of GCHQ – has already certified 23 Master’s degrees, three Integrated Master’s and three Bachelor’s degrees from 19 universities over the last four years.

With applications now open the NCSC is looking for fresh candidates to increase these figures, with degree apprenticeships now also eligible.

NCSC-certified degrees are designed to help universities attract high quality students from around the world, employers to recruit skilled staff and prospective students to make better informed choices when looking for a highly valued qualification.

The degree certification programme is part of a range of programmes which the NCSC and its government partners have initiated across UK academia designed to address the knowledge, skills and capability requirements for cyber security research and education.

The other programmes include Academic Centres of Excellence in Cyber Security Research (ACEs-CSR), Academic Research Institutes, and Centres for Doctoral Training in Cyber Security.

Chris Ensor, NCSC Deputy Director for Cyber Skills and Growth, said: “I’m really pleased that we’ve now launched a programme for certifying degree apprenticeships. This will be a valuable addition to our certified undergraduate and postgraduate degree programmes.

“Degree Apprenticeships offer a flexible option for both students and employers, as we have seen from our own Degree Apprenticeship programme.

“I’m really looking forward to seeing some more successful applications, and strongly encourage any interested universities to get in touch and find out more.”

Universities Minister Chris Skidmore said: “The fast-paced world of technology is constantly evolving and it is vital that young people have the option to study high quality courses in cutting edge industries, such as cyber security.

“We want to maximise choice and flexibility for people wanting to study in higher education, whether that’s as part of a traditional course or a degree apprenticeship.

“Not only will these certified degrees provide a benchmark for future cyber security professionals, but also help to ensure they are ready for the world of work and prepare them for an exciting career.”

Institutions that are interested in applying for certification can find further detail via https://www.ncsc.gov.uk/information/ncsc-degree-certification-call-new-applicants-0

Government wants to ‘design out’ cyber threats

Stuart O'Brien

The Business Secretary has announced measures for the UK to become a ‘world leader’ in the race against cyber security threats.

The government says businesses and consumers will benefit from increased security and protections built into digital devices and online services with the help of up to £70 million in government investment through the Industrial Strategy Challenge Fund, backed by further investment from industry.

This investment will support research into the design and development of hardware that is more secure and resilient from the outset.

The ambitious aim is to ‘design out’ many forms of cyber threats by ‘designing in’ security and protection technology/solutions into hardware and chip designs, ultimately helping to eradicate a significant proportion of the current cyber risks for businesses and services in future connected smart products.

Clark said the best defence in the future is seen as developing innovative solutions that can work independently and protect against threats even during attacks and that the government wants to ensure that every UK organisation is as cyber secure and resilient as possible.

A further £30 million of government investment will aim to ensure smart systems, such as doors and central heating systems, are safe and secure, with more than 420 million such devices in use across the UK within the next 3 years.

The government is aiming for R&D investment to reach 2.4% of GDP by 2027.

Clark said: “This could be a real step-change in computer and online security, better protecting businesses, services and consumers from cyber-attacks resulting in benefits for consumers and the economy. With businesses having to invest more and more in tackling ever more complex cyber attacks, ‘designing in’ security measures into the hardware’s fabric will not only protect our businesses and consumers but ultimately cut the growing cybersecurity costs to businesses.”

Nearly all UK businesses rely on digital technology and online services, yet more than 40% have experienced a cyber-security breach or attack in the last 12 months. Hackable home Wi-Fi routers can be used by attackers in botnets to attack major services and businesses. Moreover, consumers are often worse affected by mass information leaks than the organisation that held their data. Businesses are having to spend increasing amounts on cyber security, up to 20-40% of their IT spend in some cases. And as more and more systems are connected, whether in the home or in business, there is a need for security that is built in by design.

Digital Minister Margot James said: “We want the UK to be a safer place to live and work online. We’re moving the burden away from consumers to manufacturers, so strong cyber security is built into the design of products. This funding will help us work with industry to do just that, improving the strength and resilience of hardware to better protect consumers from cyber-attacks.”

Dr Ian Levy, National Cyber Security Centre’s Technical Director, said: “The National Cyber Security Centre is committed to improving security from the ground up, and we have been working closely with government to promote adoption of technology and practices to protect the UK.

“We hope this additional investment will drive fundamental changes to products we use every day. This is vital work, because improving hardware can eradicate a wide range of vulnerabilities that cause significant harm.”

UK businesses looking for more cybercrime support from government

Stuart O'Brien

Research has revealed that UK businesses are looking to the Government for greater support to safeguard them from the ongoing threat of cybercrime.

According to RedSeal, nearly three-quarters (68%) of IT bosses polled for the survey said that their business had suffered at least one attack in the past 12 months, while almost a third (31%) said that the Government didn’t offer enough support or guidance on best cybersecurity practices.

Other statistics included 19% of businesses polled admitting to not having a plan in place to deal with a cyberattack, along with 65% of IT teams suggesting that senior management needed to take more notice of cybersecurity in 2019.

“We commissioned this research to explore how prepared businesses are to continue operating during an attack,” said Ray Rothrock, CEO of RedSeal. “The number of high profile breaches has meant that 2018 has become the year where businesses are left wondering what more they can do to protect themselves, how to remain resilient, to keep operating and minimise customer damage.

“Our research highlights the fact that senior IT bosses want the UK government to direct more attention, money and resource to supporting their businesses in the face of cyberattacks.”

The research follows recent revelations from the National Cyber Security Centre which found that only 30% of UK businesses have a board member with responsibility for cybersecurity and only 10% require their suppliers to adhere to any cyber standards.

UK Government cyber security efforts ‘lack clear political leadership’

Stuart O'Brien

The cyber threat to the UK’s critical national infrastructure (CNI) is as credible, potentially devastating and immediate as any other threat faced by the UK, according to the Joint Committee on the National Security Strategy.

The Committee’s latest report says the Government is not acting with the urgency and forcefulness that the situation demands, with the UK’s CNI a natural target for a major cyber attack because of its importance to daily life and the economy.

The Report on Cyber Security of the UK’s Critical National Infrastructure says that as some states become more aggressive and non-state actors such as organised crime groups become much more capable, the range and number of potential attackers is growing.

In fact, the head of the National Cyber Security Centre has said that a major cyber attack on the United Kingdom is a matter of ‘when, not if’.

The state-sponsored 2017 WannaCry attack greatly affected the NHS even though it was not itself a target and demonstrated the potential significant consequences of attacks on UK infrastructure.

Ministers have acknowledged that more must be done to improve the cyber resilience of CNI and the Government has taken some important steps in the two years since the National Cyber Security Strategy was published.

It set up the National Cyber Security Centre as a national technical authority, but the Joint Committee says its current capacity is being outstripped by demand for its services.

The Joint Committee added that while a tightened regulatory regime, required by an EU Directive that applies to all member states, has been brought into force for some, but not all, CNI sectors, it will not be enough to achieve the required leap forward across the thirteen CNI sectors (including energy, health services, transport and water).

Chair of the Committee, Margaret Beckett MP, said: “We are struck by the absence of political leadership at the centre of Government in responding to this top-tier national security threat.

“It is a matter of real urgency that the Government makes clear which Cabinet Minister has cross-government responsibility for driving and delivering improved cyber security, especially in relation to our critical national infrastructure.

“There are a whole host of areas where the Government could be doing much more, especially in creating wider cultural change that emphasises the need for continual improvement to cyber resilience across CNI sectors.

“My Committee recently reported on the importance of also building the cyber security skills base.

“Too often in our past the UK has been ill-prepared to deal with emerging risks.

“The Government should be open about our vulnerability and rally support for measures which match the gravity of the threat to our critical national infrastructure.”

NCSC deals with 1,100 cyber attacks in first two years

Stuart O'Brien

The National Cyber Security Centre (NCSC) has defended the UK from an average of more than 10 attacks per week in the two years since it was set up.

The NCSC, a part of GCHQ, has published its second Annual Review, which highlights the sustained threat from hostile state actors and cyber criminals.

Since it became fully operational in 2016, the NCSC’s cyber security front line has helped with 1,167 cyber incidents – including 557 in the last 12 months. The report reveals that the majority of attacks against the UK are carried out by hostile nation states.

The Annual Review gives detail about the tactics used by the NCSC’s Incident Management team, who work behind the scenes to co-ordinate defences to support UK victims when attacks do get through.

For the first time, the NCSC is giving a glimpse into the work against the ongoing cyber threat in a podcast, “Behind the scenes of an incident”, which features interviews with a range of staff who defend the UK from cyber attacks.

David Lidington, Chancellor of the Duchy of Lancaster and Minister for the Cabinet Office, said: “As the minister with responsibility for overseeing the implementation of the National Cyber Security Strategy, I am proud of what NCSC has achieved in just two years of operations.

“Our National Cyber Security Strategy set out ambitious proposals for how this Government will defend our people, deter our adversaries and develop UK capabilities to ensure we remain the safest place to live and do business online.

“NCSC has more than risen to this challenge, defending the UK from over 1,100 cyber attacks and reducing the UK’s share of global phishing attacks by more than half.”

The NCSC takes a proactive approach to securing the UK’s online defences. The Active Cyber Defence (ACD) initiative aims to protect the UK from high-volume commodity attacks that affect people’s everyday lives.

Since its launch, ACD has reduced the UK’s share of visible global phishing attacks by more than half; from 5.3% to 2.4%. Between September 2017 and August 2018, the service has removed 138,398 phishing sites hosted in the UK.

Ciaran Martin, Chief Executive of the National Cyber Security Centre said: “I’m extremely proud that the NCSC is strengthening the UK’s defences against those who seek to harm us online.

“We are calling out unacceptable behaviour by hostile states and giving our businesses the specific information they need to defend themselves. We are improving our critical systems. We are helping to make using the Internet automatically safer.

“As we move into our third year, a major focus of our work will be providing every citizen with the tools they need to keep them safe online. I’m confident that the NCSC will continue to provide the best line of defence in the world to help the UK thrive in the digital age.”

Earlier this year, the government’s flagship cyber security conference, CYBERUK, was held in Manchester and attracted 2,500 delegates.

Following the success of CYBERUK 2018, the NCSC will widen its geographical footprint in year three as Scotland will, for the first time, host the 2019 event. Government and industry professionals will gather in Glasgow, one of the first UK cities to get 5G internet, on 24 and 25 April to share cyber security best practice in the face of complex problems and threats.

Director GCHQ, Jeremy Fleming said: “In just two years, the NCSC has become a world leading organisation. I’d like to thank everyone at the NCSC for the outstanding work they do every day.

“Whether that’s thwarting the growing cyber threat from hostile nation states, providing excellent incident management services to large and small businesses, or pushing the boundaries of research and innovation, the NCSC operates on the front line of efforts to keep us all safe online.”

The Annual Review 2018 is available from the NCSC, as is the NCSC’s first podcast, Behind the scenes of an incident.

NCSC outlines case against Russian military hackers

Stuart O'Brien

The National Cyber Security Centre (NCSC) says it has identified that ‘a number of cyber actors’ widely known to have been conducting cyber attacks around the world are, in fact, the GRU – the Russian military intelligence service.

It says the attacks have been conducted ‘in flagrant violation of international law’, have affected citizens in a large number of countries, including Russia, and have cost national economies millions of pounds.

The statement came as part of a joint message coordinated with the likes of the US and France.

Specifically, the NCSC says cyber attacks orchestrated by the GRU have attempted to undermine international sporting institution WADA, disrupt transport systems in Ukraine, destabilise democracies and target businesses.

It says the campaign by the GRU shows that it is working in secret to undermine international law and international institutions.

The Foreign Secretary, Jeremy Hunt said: “These cyber attacks serve no legitimate national security interest, instead impacting the ability of people around the world to go about their daily lives free from interference, and even their ability to enjoy sport.

“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.

“Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.”

The statement from the NCSC used the strongest language possible, saying: “Given the high confidence assessment and the broader context, the UK government has made the judgement that the Russian Government – the Kremlin – was responsible.”

The body says the GRU is associated with the following names:

  • APT 28
  • Fancy Bear
  • Sofacy
  • Pawnstorm
  • Sednit
  • CyberCaliphate
  • Cyber Berkut
  • Voodoo Bear
  • BlackEnergy Actors
  • STRONTIUM
  • Tsar Team
  • Sandworm