British Cyber Security - New Threats Call For Action

On Monday 13th March, leaders from the UK cybersecurity industry gathered in Parliament to discuss the UK’s readiness to defend itself against the growing threat posed by ransomware. The summit came in the wake of significant recent ransomware attacks against UK organisations including Royal Mail, The Guardian, and the NHS.

It discussed: protecting businesses from hackers and ransomware attacks, the steps required to protect the UK’s critical national infrastructure, and the threat the UK’s chronic cyber skills shortage poses to national security. 

Following the Summit, Cyber Security Intelligence spoke to three cybersecurity experts about what they believe the government needs to include in their updated advice and regulation to ensure better security in the future.

Authentication Needs A Rethink

“The bottom line is you can't have truly effective security if you are using passwords, which for most organisations is still the case,” argues Jasson Casey, CTO at Beyond Identity. “Security incidents analysed in the Verizon Data Breach Report 2022 showed credentials were the most likely form of data to be compromised in both the US (66%) and EMEA (67%). The US’s 2022 Zero Trust mandate called for the use of phishing-resistant and passwordless Multi-Factor-Authentication (MFA), which is designed to remove a glaring hole and significantly increase the cost of an attack for nation-state adversaries. With the recent attacks on the Royal Mail, The Guardian, and the NHS, it’s time the UK government caught up and fixed its major vulnerability.”

Casey adds that a clarification of the distinction between good and bad MFA is direly needed. He explains: “The government needs to understand this and then implement strong regulations for businesses. The FIDO Alliance (Fast IDentity Online) has developed standards to combat the acute vulnerability posed by passwords and FIDO-based solutions are now recommended at the highest levels of government. If you want to eliminate the risk of a breach, you need these foundational systems in place. The government needs to update their prehistoric advice and push for a new focus on passwordless authentication and phishing-resistant MFA.

“The security industry has focused on and invested billions in threat detection and incident response (TDIR). This made total sense because adversaries were gaining undetected access to networks and staying there for months and even years. But what if we could leverage the detection and response tech stack to make authentication even better? The journey to strong authentication of identity starts with passwordless, phishing-resistant MFA. But that will not be enough. Leveraging risk signals from the significant investment organisations have made in TDIR, and continuously monitoring this wider collection of risk signals, will enable a new class of strong authentication - Zero Trust.”

Ensuring Understanding At All Levels & Adopting A New UEBA Approach

“The government needs to understand that criminals are shifting their target focus,” highlights Matt Rider, VP of Security Engineering EMEA at Exabeam. “Whereas previously, they tended to adopt a broad-brush approach, hitting as many victims as possible, the ease and speed with which they can create ransomware attacks allows the choosing of targets much more carefully, focusing on organisations that have the most to lose and are therefore the most likely to pay quickly. Unfortunately, this includes critical industries such as healthcare, which are already stretched to the limit.”

“It’s vital that we remember that a first line of defence in any organisation is its users,” he continues. “Nearly every successful cyber-attack begins with social engineering and/or an unaware staff member clicking on a compromised email link. Therefore, a key focus of any cybersecurity discussion should be the regular training, testing and jargon-free education of every member of staff - no matter their seniority or role - ensuring we all become cyber-accountable. In addition, planning for ransomware attacks, implementing and regularly testing playbooks for threat triage and attack prevention is imperative. With the right focus and effort, any business can implement an effective ransomware defence programme within 12 months.”
 
One technology that is accelerating this is the growing adoption of User and Endpoint/Entity Analytics (UEBA) solutions. Rider explains: “Good UEBA gives vital, real-time visibility of any and all assets (be they human or machine) behaving suspiciously. Furthermore, it can highlight those whose behaviour makes them especially vulnerable to attack, enabling such teams to bridge technology, process or knowledge gaps that attackers aim to exploit. 
 
“When implemented effectively, I’ve seen a comprehensive UEBA approach virtually eliminate the zero-day threat (where new vulnerabilities are not yet patched or even known). Since malware has to deviate from established user/system benchmarks to achieve its goals, an effective and intelligently automated UEBA solution will detect this immediately, allowing security teams to isolate any such threat before it takes any harmful action within the organisation’s network - exactly what is needed to counter today’s ever-increasing and evolving ransomware threat.”

Let Hackers Lend A Helping Hand

The number of cyber attacks has recently grown worryingly fast, with threat actors constantly taking advantage of outdated security measures that make it easy, and inexpensive, to breach systems. Laurie Mercer, Director of Security Engineering at HackerOne, argues that new methods are needed to tackle these issues and suggests the government adopts the following methods to tilt the scales back in businesses’ favour:

  • Enable ethical hackers: Every digital organisation operating in the UK should have a Vulnerability Disclosure Programme (VDP).
  • Support ethical hackers: The Computer Misuse Act should be reformed to better define and protect good faith security research.
  • Incentivise ethical hackers: Vulnerability Rewards Programmes (VRPs) can provide a larger economic incentive to report vulnerabilities directly to organisations than the incentive to cyber criminals stockpiling vulnerabilities for a ransomware attack.

“It is the most risk-averse organisations that see the greatest value in working with ethical hackers,” Mercer elaborates. “The NCSC was a front runner in realising the need to have the outsider mindset protect national security. The MoD also uses hackers to protect their digital assets and support their secure by design mission.”

Cybercriminals can infect a network with ransomware via a variety of different attack vectors. The most common is taking advantage of unsuspecting employees with phishing emails; the second is a weak digital perimeter. As Mercer describes:

“Shoddily written code, unpatched software and digital scaffolding left up long after projects complete are just a few examples of how vulnerabilities in your digital perimeter can enable ransomware attacks. Asking the same people who built the systems to check for loopholes is like asking students to mark their own homework. Having that outsider mindset to see where the gaps are is key to identifying any risks that ransomware actors could exploit. 

“Cybercriminals are known to use the CVE database to find vulnerabilities and target unpatched systems. Use their same tactics by engaging ethical hackers to find any vulnerabilities that could be a weak link. Beyond known CVEs, it’s your unknown assets that potentially pose a greater risk. One-third of organisations say they observe less than 75% of their attack surface and 20% say over half of their attack surface is unknown or not observable. Cybercriminals have a multitude of resources and man-power to find vulnerabilities in your unknown assets so, to keep up, engage ethical hackers to do the same thing but for your benefit, rather than the criminals.”

Listen Up

Getting breached or attacked is not a question of “if” but “when”. The UK had the highest number of cyber crime victims per million internet users at 4783 in 2022 – up 40% over 2020 figures.

The UK government and organisations around the country need to realise that this problem is not going to go away until we tilt the scales such that the economic benefits of producing secure digital products, systems and organisations outweigh the benefits of producing insecure digital products, systems and organisations.
