British Cyber Security - New Threats Call For Action
On Monday 13th March, leaders from the UK cybersecurity industry gathered in Parliament to discuss the UK’s readiness to defend itself against the growing threat posed by ransomware. The summit came in the wake of significant recent ransomware attacks against UK organisations including Royal Mail, The Guardian, and the NHS.
It discussed: protecting businesses from hackers and ransomware attacks, the steps required to protect the UK’s critical national infrastructure, and the threat the UK’s chronic cyber skills shortage poses to national security.
Following the Summit, Cyber Security Intelligence spoke to three cybersecurity experts about what they believe the government needs to include in their updated advice and regulation to ensure better security in the future.
Authentication Needs A Rethink
“The bottom line is you can't have truly effective security if you are using passwords, which for most organisations is still the case,” argues Jasson Casey, CTO at Beyond Identity. “Security incidents analysed in the Verizon Data Breach Report 2022 showed credentials were the most likely form of data to be compromised in both the US (66%) and EMEA (67%). The US’s 2022 Zero Trust mandate called for the use of phishing-resistant and passwordless Multi-Factor-Authentication (MFA), which is designed to remove a glaring hole and significantly increase the cost of an attack for nation-state adversaries. With the recent attacks on the Royal Mail, The Guardian, and the NHS, it’s time the UK government caught up and fixed its major vulnerability.”
Casey adds that a conversation that is direly needed is a clarification of the distinction between good and bad MFA. He explains: “The government needs to understand this and then implement strong regulations for businesses. The FIDO Alliance (Fast IDentity Online) has developed standards to combat the acute vulnerability posed by passwords and FIDO-based solutions are now recommended at the highest levels of government. If you want to eliminate the risk of a breach, you need these foundational systems in place. The government needs to update their prehistoric advice and push for a new focus on passwordless authentication and phishing-resistant MFA.
“The security industry has focused on and invested billions in threat detection and incident response (TDIR). This made total sense because adversaries were gaining undetected access to networks and staying there for months and even years. But what if we could leverage the detection and response tech stack to make authentication even better? The journey to strong authentication of identity starts with passwordless, phishing-resistant MFA. But that will not be enough. Leveraging risk signals from the significant investment organisations have made in TDIR, and continuously monitoring this wider collection of risk signals, will enable a new class of strong authentication - Zero Trust.”
Ensuring Understanding At All levels & Adopting A New UEBA Approach
“The government needs to understand that criminals are shifting their target focus,” highlights Matt Rider, VP of Security Engineering EMEA at Exabeam. “Whereas previously, they tended to adopt a broad-brush approach, hitting as many victims as possible, the ease and speed with which they can create ransomware attacks, allows the choosing of targets much more carefully, focusing on organisations that have the most to lose and are therefore the most likely to pay quickly. Unfortunately, this includes critical industries such as healthcare, which are already stretched to the limit.”
“It’s vital that we remember that a first line of defence in any organisation is its users,” he continues. “Nearly every successful cyber-attack begins with social engineering and/or an unaware staff member clicking on a compromised email link. Therefore, a key focus of any cybersecurity discussion should be the regular training, testing and jargon-free education of every member of staff - no matter their seniority or role - ensuring we all become cyber-accountable. In addition, planning for ransomware attacks, implementing and regularly testing playbooks for threat triage and attack prevention is imperative. With the right focus and effort, any business can implement an effective ransomware defence programme within 12 months.
One technology that is accelerating this is the growing adoption of User and Endpoint/Entity Analytics (UEBA) solutions. Rider explains: “Good UEBA gives vital, real-time visibility of any and all assets (be they human or machine) behaving suspiciously. Furthermore, it can highlight those whose behaviour makes them especially vulnerable to attack, enabling such teams to bridge technology, process or knowledge gaps that attackers aim to exploit.
“When implemented effectively, I’ve seen a comprehensive UEBA approach virtually eliminate the zero-day threat (where new vulnerabilities are not yet patched or even known). Since malware has to deviate from established user/system benchmarks to achieve its goals, an effective and intelligently automated UEBA solution will detect this immediately, allowing security teams to isolate any such threat before it takes any harmful action within the organisation’s network - exactly what is needed to counter today’s ever-increasing and evolving ransomware threat.”
Let Hackers Lend A Helping Hand
The number of cyber attacks of recent has grown worryingly fast with threat actors constantly taking advantage of outdated security measures that make it easy, and inexpensive, to breach systems. Laurie Mercer, Director of Security Engineering at HackerOne, argues that new methods are needed to tackle these issues and suggests the government adopts the following methods to tilt the scales back in businesses’ favour:
- Enable ethical hackers: Every digital organisation operating in the UK should have a Vulnerability Disclosure Programme (VDP).
- Support ethical hackers: The Computer Misuse Act should be reformed to better define and protect good faith security research.
- Incentivise ethical hackers: Vulnerability Rewards Programmes (VRPs) can provide a larger economic incentive to report vulnerabilities directly to organisations than the incentive to cyber criminals stockpiling vulnerabilities for a ransomware attack.
“It is the most risk-averse organisations that see the greatest value in working with ethical hackers,” Mercer elaborates. “The NCSC was a front runner in realising the need to have the outsider mindset protect national security. The MoD also uses hackers to protect their digital assets and support their secure by design mission.”
Cybercriminals can infect a network with ransomware via a variety of different attack vectors. The most common is taking advantage of unsuspecting employees with phishing emails, the second is a weak digital perimeter. As Mercier describes:
“Shoddily written code, unpatched software and digital scaffolding left up long after projects complete are just a few examples of how vulnerabilities in your digital perimeter can enable ransomware attacks. Asking the same people who built the systems to check for loopholes is like asking students to mark their own homework. Having that outsider mindset to see where the gaps are is key to identifying any risks that ransomware actors could exploit.
“Cybercriminals are known to use the CVE database to find vulnerabilities and target unpatched systems. Use their same tactics by engaging ethical hackers to find any vulnerabilities that could be a weak link. Beyond known CVEs, it’s your unknown assets that potentially pose a greater risk. One-third of organisations say they observe less than 75% of their attack surface and 20% say over half of their attack surface is unknown or not observable. Cybercriminals have a multitude of resources and man-power to find vulnerabilities in your unknown assets so, to keep up, engage ethical hackers to do the same thing but for your benefit, rather than the criminals.”
Listen Up
Getting breached or attacked is not a question of “if” but “when”. The UK had the highest number of cyber crime victims per million internet users at 4783 in 2022 – up 40% over 2020 figures.
The UK government and organisations around the country need to realise that this problem is not going to go away until we tilt the scales such that the economic benefits of producing secure digital products, systems and organisations outweigh the benefits of producing insecure digital products, systems and organisations.
Image: peterschreibermedia
You Might Also Read:
Cyber Security Strategies Need To Evolve Alongside The Enterprise:
___________________________________________________________________________________________
If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquiries: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible