British Cyber Security - New Threats Call For Action

Uploaded on 2023-03-16 in TECHNOLOGY--Resilience, GOVERNMENT-National, FREE TO VIEW

On Monday 13th March, leaders from the UK cybersecurity industry gathered in Parliament to discuss the UK’s readiness to defend itself against the growing threat posed by ransomware. The summit came in the wake of significant recent ransomware attacks against UK organisations including Royal Mail, The Guardian, and the NHS.

It discussed: protecting businesses from hackers and ransomware attacks, the steps required to protect the UK’s critical national infrastructure, and the threat the UK’s chronic cyber skills shortage poses to national security. 

Following the Summit, Cyber Security Intelligence spoke to three cybersecurity experts about what they believe the government needs to include in their updated advice and regulation to ensure better security in the future.

Authentication Needs A Rethink

“The bottom line is you can't have truly effective security if you are using passwords, which for most organisations is still the case,” argues Jasson Casey, CTO at Beyond Identity. “Security incidents analysed in the Verizon Data Breach Report 2022 showed credentials were the most likely form of data to be compromised in both the US (66%) and EMEA (67%). The US’s 2022 Zero Trust mandate called for the use of phishing-resistant and passwordless Multi-Factor-Authentication (MFA), which is designed to remove a glaring hole and significantly increase the cost of an attack for nation-state adversaries. With the recent attacks on the Royal Mail, The Guardian, and the NHS, it’s time the UK government caught up and fixed its major vulnerability.”

Casey adds that a conversation that is direly needed is a clarification of the distinction between good and bad MFA. He explains: “The government needs to understand this and then implement strong regulations for businesses. The FIDO Alliance (Fast IDentity Online) has developed standards to combat the acute vulnerability posed by passwords and FIDO-based solutions are now recommended at the highest levels of government. If you want to eliminate the risk of a breach, you need these foundational systems in place. The government needs to update their prehistoric advice and push for a new focus on passwordless authentication and phishing-resistant MFA.

“The security industry has focused on and invested billions in threat detection and incident response (TDIR). This made total sense because adversaries were gaining undetected access to networks and staying there for months and even years. But what if we could leverage the detection and response tech stack to make authentication even better? The journey to strong authentication of identity starts with passwordless, phishing-resistant MFA. But that will not be enough. Leveraging risk signals from the significant investment organisations have made in TDIR, and continuously monitoring this wider collection of risk signals, will enable a new class of strong authentication - Zero Trust.”

Ensuring Understanding At All levels & Adopting A New UEBA Approach

“The government needs to understand that criminals are shifting their target focus,” highlights Matt Rider, VP of Security Engineering EMEA at Exabeam. “Whereas previously, they tended to adopt a broad-brush approach, hitting as many victims as possible, the ease and speed with which they can create ransomware attacks, allows the choosing of targets much more carefully, focusing on organisations that have the most to lose and are therefore the most likely to pay quickly. Unfortunately, this includes critical industries such as healthcare, which are already stretched to the limit.”

“It’s vital that we remember that a first line of defence in any organisation is its users,” he continues. “Nearly every successful cyber-attack begins with social engineering and/or an unaware staff member clicking on a compromised email link. Therefore, a key focus of any cybersecurity discussion should be the regular training, testing and jargon-free education of every member of staff - no matter their seniority or role - ensuring we all become cyber-accountable. In addition, planning for ransomware attacks, implementing and regularly testing playbooks for threat triage and attack prevention is imperative. With the right focus and effort, any business can implement an effective ransomware defence programme within 12 months.
 
One technology that is accelerating this is the growing adoption of User and Endpoint/Entity Analytics (UEBA) solutions. Rider explains: “Good UEBA gives vital, real-time visibility of any and all assets (be they human or machine) behaving suspiciously. Furthermore, it can highlight those whose behaviour makes them especially vulnerable to attack, enabling such teams to bridge technology, process or knowledge gaps that attackers aim to exploit. 
 
“When implemented effectively, I’ve seen a comprehensive UEBA approach virtually eliminate the zero-day threat (where new vulnerabilities are not yet patched or even known). Since malware has to deviate from established user/system benchmarks to achieve its goals, an effective and intelligently automated UEBA solution will detect this immediately, allowing security teams to isolate any such threat before it takes any harmful action within the organisation’s network - exactly what is needed to counter today’s ever-increasing and evolving ransomware threat.”

Let Hackers Lend A Helping Hand

The number of cyber attacks of recent has grown worryingly fast with threat actors constantly taking advantage of outdated security measures that make it easy, and inexpensive, to breach systems. Laurie Mercer, Director of Security Engineering at HackerOne, argues that new methods are needed to tackle these issues and suggests the government adopts the following methods to tilt the scales back in businesses’ favour:

  • Enable ethical hackers: Every digital organisation operating in the UK should have a Vulnerability Disclosure Programme (VDP).
  • Support ethical hackers: The Computer Misuse Act should be reformed to better define and protect good faith security research.
  • Incentivise ethical hackers: Vulnerability Rewards Programmes (VRPs) can provide a larger economic incentive to report vulnerabilities directly to organisations than the incentive to cyber criminals stockpiling vulnerabilities for a ransomware attack.

“It is the most risk-averse organisations that see the greatest value in working with ethical hackers,” Mercer elaborates. “The NCSC was a front runner in realising the need to have the outsider mindset protect national security. The MoD also uses hackers to protect their digital assets and support their secure by design mission.”

Cybercriminals can infect a network with ransomware via a variety of different attack vectors. The most common is taking advantage of unsuspecting employees with phishing emails, the second is a weak digital perimeter. As Mercier describes: 

“Shoddily written code, unpatched software and digital scaffolding left up long after projects complete are just a few examples of how vulnerabilities in your digital perimeter can enable ransomware attacks. Asking the same people who built the systems to check for loopholes is like asking students to mark their own homework. Having that outsider mindset to see where the gaps are is key to identifying any risks that ransomware actors could exploit. 

“Cybercriminals are known to use the CVE database to find vulnerabilities and target unpatched systems. Use their same tactics by engaging ethical hackers to find any vulnerabilities that could be a weak link. Beyond known CVEs, it’s your unknown assets that potentially pose a greater risk. One-third of organisations say they observe less than 75% of their attack surface and 20% say over half of their attack surface is unknown or not observable. Cybercriminals have a multitude of resources and man-power to find vulnerabilities in your unknown assets so, to keep up, engage ethical hackers to do the same thing but for your benefit, rather than the criminals.”

Listen Up

Getting breached or attacked is not a question of “if” but “when”. The UK had the highest number of cyber crime victims per million internet users at 4783 in 2022 – up 40% over 2020 figures.

The UK government and organisations around the country need to realise that this problem is not going to go away until we tilt the scales such that the economic benefits of producing secure digital products, systems and organisations outweigh the benefits of producing insecure digital products, systems and organisations.

Image: peterschreibermedia

You Might Also Read:

Cyber Security Strategies Need To Evolve Alongside The Enterprise:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« DoppelPaymer Hackers Caught
Why Cutting Cybersecurity Jobs Is Shortsighted »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Redscan Cyber Security

Redscan Cyber Security

Redscan Cyber Security is a Managed Security Services Provider (MSSP) that enables businesses to effectively manage their information security risks.

Citicus

Citicus

Citicus provides world-class security, risk and compliance management software, plus supporting services.

Ubisecure

Ubisecure

Ubisecure provide Identity & Access Management solutions.

CyberESI

CyberESI

CyberESI is a Managed Security Service Provider providing 24x7 remote security monitoring and management of your mission-critical networks.

Cyber Exchange

Cyber Exchange

Cyber Exchange provides a focal point for UK organisations connected with, or with an interest in, cyber security to connect, engage and collaborate.

Executive Women's Forum (EWF)

Executive Women's Forum (EWF)

The Executive Women's Forum is the largest member organization serving emerging leaders and influential female executives in the Information Security, Risk Management and Privacy industries.

Arc4dia Labs

Arc4dia Labs

Arc4dia have developed SNOW, a cyber security solution to combat the world’s most sophisticated cyber threats.

Cofrac

Cofrac

Cofrac is the national accreditation body for France. The directory of members provides details of organisations offering certification services for ISO 27001.

IoT Security Institute (IoTSI)

IoT Security Institute (IoTSI)

IoT Security Institute is an academic and industry body dedicated to providing frameworks and supporting educational services to assist in managing security within an Internet of Things eco-system.

Quantifind

Quantifind

Quantifind enables financial crimes/fraud analysts and investigators to make better decisions, faster, with intelligent automation.

TAG Cyber

TAG Cyber

TAG Cyber's mission is to provide world-class cyber security research, advisory, and consulting services to enterprise security teams around the world.

FYEO

FYEO

FYEO is a threat monitoring and identity access management platform for consumers, enterprises and SMBs.

National Academy of Cyber Security (NACS)

National Academy of Cyber Security (NACS)

National Academy of Cyber Security provides Professional Training Courses and Programmes in Cyber Security.

Core4ce

Core4ce

Core4ce is a mission-oriented company that serves as a trusted partner to the national security community.

Verastel

Verastel

Specializing in the niche space of proactive cyber-defense, and adaptive resilience, team Verastel is bolstering enterprise digital security like never before.

Kahootz

Kahootz

Kahootz is a highly secure cloud collaboration platform helping teams to work together across organisations.