British Cyber Security - New Threats Call For Action

Uploaded on 2023-03-16 in TECHNOLOGY--Resilience, GOVERNMENT-National, FREE TO VIEW

On Monday 13th March, leaders from the UK cybersecurity industry gathered in Parliament to discuss the UK’s readiness to defend itself against the growing threat posed by ransomware. The summit came in the wake of significant recent ransomware attacks against UK organisations including Royal Mail, The Guardian, and the NHS.

It discussed: protecting businesses from hackers and ransomware attacks, the steps required to protect the UK’s critical national infrastructure, and the threat the UK’s chronic cyber skills shortage poses to national security. 

Following the Summit, Cyber Security Intelligence spoke to three cybersecurity experts about what they believe the government needs to include in their updated advice and regulation to ensure better security in the future.

Authentication Needs A Rethink

“The bottom line is you can't have truly effective security if you are using passwords, which for most organisations is still the case,” argues Jasson Casey, CTO at Beyond Identity. “Security incidents analysed in the Verizon Data Breach Report 2022 showed credentials were the most likely form of data to be compromised in both the US (66%) and EMEA (67%). The US’s 2022 Zero Trust mandate called for the use of phishing-resistant and passwordless Multi-Factor-Authentication (MFA), which is designed to remove a glaring hole and significantly increase the cost of an attack for nation-state adversaries. With the recent attacks on the Royal Mail, The Guardian, and the NHS, it’s time the UK government caught up and fixed its major vulnerability.”

Casey adds that a conversation that is direly needed is a clarification of the distinction between good and bad MFA. He explains: “The government needs to understand this and then implement strong regulations for businesses. The FIDO Alliance (Fast IDentity Online) has developed standards to combat the acute vulnerability posed by passwords and FIDO-based solutions are now recommended at the highest levels of government. If you want to eliminate the risk of a breach, you need these foundational systems in place. The government needs to update their prehistoric advice and push for a new focus on passwordless authentication and phishing-resistant MFA.

“The security industry has focused on and invested billions in threat detection and incident response (TDIR). This made total sense because adversaries were gaining undetected access to networks and staying there for months and even years. But what if we could leverage the detection and response tech stack to make authentication even better? The journey to strong authentication of identity starts with passwordless, phishing-resistant MFA. But that will not be enough. Leveraging risk signals from the significant investment organisations have made in TDIR, and continuously monitoring this wider collection of risk signals, will enable a new class of strong authentication - Zero Trust.”

Ensuring Understanding At All levels & Adopting A New UEBA Approach

“The government needs to understand that criminals are shifting their target focus,” highlights Matt Rider, VP of Security Engineering EMEA at Exabeam. “Whereas previously, they tended to adopt a broad-brush approach, hitting as many victims as possible, the ease and speed with which they can create ransomware attacks, allows the choosing of targets much more carefully, focusing on organisations that have the most to lose and are therefore the most likely to pay quickly. Unfortunately, this includes critical industries such as healthcare, which are already stretched to the limit.”

“It’s vital that we remember that a first line of defence in any organisation is its users,” he continues. “Nearly every successful cyber-attack begins with social engineering and/or an unaware staff member clicking on a compromised email link. Therefore, a key focus of any cybersecurity discussion should be the regular training, testing and jargon-free education of every member of staff - no matter their seniority or role - ensuring we all become cyber-accountable. In addition, planning for ransomware attacks, implementing and regularly testing playbooks for threat triage and attack prevention is imperative. With the right focus and effort, any business can implement an effective ransomware defence programme within 12 months.
 
One technology that is accelerating this is the growing adoption of User and Endpoint/Entity Analytics (UEBA) solutions. Rider explains: “Good UEBA gives vital, real-time visibility of any and all assets (be they human or machine) behaving suspiciously. Furthermore, it can highlight those whose behaviour makes them especially vulnerable to attack, enabling such teams to bridge technology, process or knowledge gaps that attackers aim to exploit. 
 
“When implemented effectively, I’ve seen a comprehensive UEBA approach virtually eliminate the zero-day threat (where new vulnerabilities are not yet patched or even known). Since malware has to deviate from established user/system benchmarks to achieve its goals, an effective and intelligently automated UEBA solution will detect this immediately, allowing security teams to isolate any such threat before it takes any harmful action within the organisation’s network - exactly what is needed to counter today’s ever-increasing and evolving ransomware threat.”

Let Hackers Lend A Helping Hand

The number of cyber attacks of recent has grown worryingly fast with threat actors constantly taking advantage of outdated security measures that make it easy, and inexpensive, to breach systems. Laurie Mercer, Director of Security Engineering at HackerOne, argues that new methods are needed to tackle these issues and suggests the government adopts the following methods to tilt the scales back in businesses’ favour:

  • Enable ethical hackers: Every digital organisation operating in the UK should have a Vulnerability Disclosure Programme (VDP).
  • Support ethical hackers: The Computer Misuse Act should be reformed to better define and protect good faith security research.
  • Incentivise ethical hackers: Vulnerability Rewards Programmes (VRPs) can provide a larger economic incentive to report vulnerabilities directly to organisations than the incentive to cyber criminals stockpiling vulnerabilities for a ransomware attack.

“It is the most risk-averse organisations that see the greatest value in working with ethical hackers,” Mercer elaborates. “The NCSC was a front runner in realising the need to have the outsider mindset protect national security. The MoD also uses hackers to protect their digital assets and support their secure by design mission.”

Cybercriminals can infect a network with ransomware via a variety of different attack vectors. The most common is taking advantage of unsuspecting employees with phishing emails, the second is a weak digital perimeter. As Mercier describes: 

“Shoddily written code, unpatched software and digital scaffolding left up long after projects complete are just a few examples of how vulnerabilities in your digital perimeter can enable ransomware attacks. Asking the same people who built the systems to check for loopholes is like asking students to mark their own homework. Having that outsider mindset to see where the gaps are is key to identifying any risks that ransomware actors could exploit. 

“Cybercriminals are known to use the CVE database to find vulnerabilities and target unpatched systems. Use their same tactics by engaging ethical hackers to find any vulnerabilities that could be a weak link. Beyond known CVEs, it’s your unknown assets that potentially pose a greater risk. One-third of organisations say they observe less than 75% of their attack surface and 20% say over half of their attack surface is unknown or not observable. Cybercriminals have a multitude of resources and man-power to find vulnerabilities in your unknown assets so, to keep up, engage ethical hackers to do the same thing but for your benefit, rather than the criminals.”

Listen Up

Getting breached or attacked is not a question of “if” but “when”. The UK had the highest number of cyber crime victims per million internet users at 4783 in 2022 – up 40% over 2020 figures.

The UK government and organisations around the country need to realise that this problem is not going to go away until we tilt the scales such that the economic benefits of producing secure digital products, systems and organisations outweigh the benefits of producing insecure digital products, systems and organisations.

Image: peterschreibermedia

You Might Also Read:

Cyber Security Strategies Need To Evolve Alongside The Enterprise:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« DoppelPaymer Hackers Caught
Why Cutting Cybersecurity Jobs Is Shortsighted »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Cyber Conflict Studies Association (CCSA)

Cyber Conflict Studies Association (CCSA)

Cyber Conflict Studies Association (CCSA) is a non-profit organization dedicated to leading a diversified research agenda in the field of cyber conflict.

CyberSource

CyberSource

CyberSource provides online payment and fraud management services for medium and large-sized merchants.

Luxar Tech

Luxar Tech

Luxar's network visibility products enable enterprises and service providers to monitor network traffic, improve security and optimize efficiency.

SCIPP International

SCIPP International

SCIPP’s courses are based on internationally recognized best business practices for security awareness, for both technical and non-technical staff and to comply with regulatory mandates.

adaware

adaware

adaware is an award-winning security and privacy software provider, empowering users to connect with confidence.

Cyber Security Austria (CSA)

Cyber Security Austria (CSA)

Cyber Security Austria (CSA) is an independent non-profit association with the aim to address security issues in the area of IT/cyber security of critical/strategic infrastructures in Austria.

Horiba Mira

Horiba Mira

Horiba Mira is a global provider of automotive engineering, research and test services including services and solutions for automotive cybersecurity.

Kaspersky Industrial CyberSecurity (KICS)

Kaspersky Industrial CyberSecurity (KICS)

Kaspersky addresses all the cybersecurity needs of industrial organizations in its Kaspersky Industrial CyberSecurity (KICS) portfolio.

Microchip Technology

Microchip Technology

Microchip Technology Inc. is a leading provider of smart, connected and secure embedded control solutions.

Hassans International Law Firm

Hassans International Law Firm

Hassans is the largest law firm in Gibraltar, providing a full range of legal services across corporate and commercial law including Data Protection and GDPR compliance.

Avertro

Avertro

Avertro helps leaders manage the business of cyber. We help explain cybersecurity to executives, forecasting outcomes, right-sizing your spend, and validating your cyber strategy.

PNGCERT

PNGCERT

PNGCERT is the national Computer Emergency Response Team (CERT) for Papua New Guinea.

du

du

du is a telecommunications service provider providing UAE businesses with a vast range of ICT and managed services.

ATSG

ATSG

ATSG is a global leader in transformational technology solutions for today’s digital enterprise. Cybersecurity ranging from Advisory & Assessment to Fully Managed Detection and Response Services.

We Hack Purple

We Hack Purple

We Hack Purple is a Canadian company dedicated to helping anyone and everyone create secure software.

CyberSG TIG Centre

CyberSG TIG Centre

CyberSG TIG Centre aims to propel Singapore as the world’s premier cybersecurity innovation hub for economic growth.