British Cyber Security - New Threats Call For Action

Uploaded on 2023-03-16 in TECHNOLOGY--Resilience, GOVERNMENT-National, FREE TO VIEW

On Monday 13th March, leaders from the UK cybersecurity industry gathered in Parliament to discuss the UK’s readiness to defend itself against the growing threat posed by ransomware. The summit came in the wake of significant recent ransomware attacks against UK organisations including Royal Mail, The Guardian, and the NHS.

It discussed: protecting businesses from hackers and ransomware attacks, the steps required to protect the UK’s critical national infrastructure, and the threat the UK’s chronic cyber skills shortage poses to national security. 

Following the Summit, Cyber Security Intelligence spoke to three cybersecurity experts about what they believe the government needs to include in their updated advice and regulation to ensure better security in the future.

Authentication Needs A Rethink

“The bottom line is you can't have truly effective security if you are using passwords, which for most organisations is still the case,” argues Jasson Casey, CTO at Beyond Identity. “Security incidents analysed in the Verizon Data Breach Report 2022 showed credentials were the most likely form of data to be compromised in both the US (66%) and EMEA (67%). The US’s 2022 Zero Trust mandate called for the use of phishing-resistant and passwordless Multi-Factor-Authentication (MFA), which is designed to remove a glaring hole and significantly increase the cost of an attack for nation-state adversaries. With the recent attacks on the Royal Mail, The Guardian, and the NHS, it’s time the UK government caught up and fixed its major vulnerability.”

Casey adds that a conversation that is direly needed is a clarification of the distinction between good and bad MFA. He explains: “The government needs to understand this and then implement strong regulations for businesses. The FIDO Alliance (Fast IDentity Online) has developed standards to combat the acute vulnerability posed by passwords and FIDO-based solutions are now recommended at the highest levels of government. If you want to eliminate the risk of a breach, you need these foundational systems in place. The government needs to update their prehistoric advice and push for a new focus on passwordless authentication and phishing-resistant MFA.

“The security industry has focused on and invested billions in threat detection and incident response (TDIR). This made total sense because adversaries were gaining undetected access to networks and staying there for months and even years. But what if we could leverage the detection and response tech stack to make authentication even better? The journey to strong authentication of identity starts with passwordless, phishing-resistant MFA. But that will not be enough. Leveraging risk signals from the significant investment organisations have made in TDIR, and continuously monitoring this wider collection of risk signals, will enable a new class of strong authentication - Zero Trust.”

Ensuring Understanding At All levels & Adopting A New UEBA Approach

“The government needs to understand that criminals are shifting their target focus,” highlights Matt Rider, VP of Security Engineering EMEA at Exabeam. “Whereas previously, they tended to adopt a broad-brush approach, hitting as many victims as possible, the ease and speed with which they can create ransomware attacks, allows the choosing of targets much more carefully, focusing on organisations that have the most to lose and are therefore the most likely to pay quickly. Unfortunately, this includes critical industries such as healthcare, which are already stretched to the limit.”

“It’s vital that we remember that a first line of defence in any organisation is its users,” he continues. “Nearly every successful cyber-attack begins with social engineering and/or an unaware staff member clicking on a compromised email link. Therefore, a key focus of any cybersecurity discussion should be the regular training, testing and jargon-free education of every member of staff - no matter their seniority or role - ensuring we all become cyber-accountable. In addition, planning for ransomware attacks, implementing and regularly testing playbooks for threat triage and attack prevention is imperative. With the right focus and effort, any business can implement an effective ransomware defence programme within 12 months.
 
One technology that is accelerating this is the growing adoption of User and Endpoint/Entity Analytics (UEBA) solutions. Rider explains: “Good UEBA gives vital, real-time visibility of any and all assets (be they human or machine) behaving suspiciously. Furthermore, it can highlight those whose behaviour makes them especially vulnerable to attack, enabling such teams to bridge technology, process or knowledge gaps that attackers aim to exploit. 
 
“When implemented effectively, I’ve seen a comprehensive UEBA approach virtually eliminate the zero-day threat (where new vulnerabilities are not yet patched or even known). Since malware has to deviate from established user/system benchmarks to achieve its goals, an effective and intelligently automated UEBA solution will detect this immediately, allowing security teams to isolate any such threat before it takes any harmful action within the organisation’s network - exactly what is needed to counter today’s ever-increasing and evolving ransomware threat.”

Let Hackers Lend A Helping Hand

The number of cyber attacks of recent has grown worryingly fast with threat actors constantly taking advantage of outdated security measures that make it easy, and inexpensive, to breach systems. Laurie Mercer, Director of Security Engineering at HackerOne, argues that new methods are needed to tackle these issues and suggests the government adopts the following methods to tilt the scales back in businesses’ favour:

  • Enable ethical hackers: Every digital organisation operating in the UK should have a Vulnerability Disclosure Programme (VDP).
  • Support ethical hackers: The Computer Misuse Act should be reformed to better define and protect good faith security research.
  • Incentivise ethical hackers: Vulnerability Rewards Programmes (VRPs) can provide a larger economic incentive to report vulnerabilities directly to organisations than the incentive to cyber criminals stockpiling vulnerabilities for a ransomware attack.

“It is the most risk-averse organisations that see the greatest value in working with ethical hackers,” Mercer elaborates. “The NCSC was a front runner in realising the need to have the outsider mindset protect national security. The MoD also uses hackers to protect their digital assets and support their secure by design mission.”

Cybercriminals can infect a network with ransomware via a variety of different attack vectors. The most common is taking advantage of unsuspecting employees with phishing emails, the second is a weak digital perimeter. As Mercier describes: 

“Shoddily written code, unpatched software and digital scaffolding left up long after projects complete are just a few examples of how vulnerabilities in your digital perimeter can enable ransomware attacks. Asking the same people who built the systems to check for loopholes is like asking students to mark their own homework. Having that outsider mindset to see where the gaps are is key to identifying any risks that ransomware actors could exploit. 

“Cybercriminals are known to use the CVE database to find vulnerabilities and target unpatched systems. Use their same tactics by engaging ethical hackers to find any vulnerabilities that could be a weak link. Beyond known CVEs, it’s your unknown assets that potentially pose a greater risk. One-third of organisations say they observe less than 75% of their attack surface and 20% say over half of their attack surface is unknown or not observable. Cybercriminals have a multitude of resources and man-power to find vulnerabilities in your unknown assets so, to keep up, engage ethical hackers to do the same thing but for your benefit, rather than the criminals.”

Listen Up

Getting breached or attacked is not a question of “if” but “when”. The UK had the highest number of cyber crime victims per million internet users at 4783 in 2022 – up 40% over 2020 figures.

The UK government and organisations around the country need to realise that this problem is not going to go away until we tilt the scales such that the economic benefits of producing secure digital products, systems and organisations outweigh the benefits of producing insecure digital products, systems and organisations.

Image: peterschreibermedia

You Might Also Read:

Cyber Security Strategies Need To Evolve Alongside The Enterprise:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« DoppelPaymer Hackers Caught
Why Cutting Cybersecurity Jobs Is Shortsighted »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Snort

Snort

Snort is an open source intrusion prevention system capable of real-time traffic analysis and packet logging.

Ammune.ai

Ammune.ai

Ammune.ai (formerly L7 Defense) helps organizations to protect their infrastructure, applications, customers, employees, and partners against the growing risk of API-borne attacks.

Solana Networks

Solana Networks

Solana Networks is a specialist in IT networking and security.

Cyber Security Challenge UK

Cyber Security Challenge UK

Cyber Security Challenge UK is a series of national competitions, learning programmes, and networking initiatives designed to identify, inspire and enable more people to become cybersec professionals.

Cyber Covered

Cyber Covered

Cyber Covered provide complete website & data cover with market leading cyber insurance and powerful compliance software in one affordable package.

Conference Index

Conference Index

Conference Index provides an indexed listing of upcoming meetings, seminars, congresses, workshops, summits and symposiums across a wide range of subjects including Cybersecurity.

Security Alliance

Security Alliance

Security Alliance provide bespoke cyber intelligence consulting and research services.

PizzlySoft

PizzlySoft

PizzlySoft is a global company that is seeking convergence of network and security / software and hardware. We put our value on creating the best security.

BlueHalo

BlueHalo

BlueHalo is purpose-built to provide industry capabilities in the domains of Space Superiority and Directed Energy, Missile Defense and C4ISR, and Cyber and Intelligence.

LogicGate

LogicGate

The LogicGate Risk Cloud™ is an agile GRC cloud solution that combines powerful functionality with intuitive design to enhance enterprise GRC programs.

International Cyber Threat Task Force (ICTTF)

International Cyber Threat Task Force (ICTTF)

The International Cyber Threat Task Force is a not-for-profit initiative promoting the ecosystem of an International independent non-partisan cyber security community.

ECS Ethiopia

ECS Ethiopia

ECS Ethiopia provides Ethiopia’s leading institutions with top cyber-security expertise and technology to enable them to overcome risks and market barriers enabling them to grow their business.

Aeries Technology

Aeries Technology

Aeries is a technology services organization offering capabilities in Technology Services, Digital Transformation, and Business Process Management.

Mondoo

Mondoo

Mondoo is a powerful security, compliance, and asset inventory tool that helps businesses identify vulnerabilities, track lost assets, and ensure policy compliance across their entire infrastructure.

ETI-NET

ETI-NET

ETI-NET is the worldwide leader in managing critical data for industries that never stop.

VAST Data

VAST Data

The VAST Data Platform delivers scalable performance, radically simple data management and enhanced productivity for the AI-powered world.