By Alan Zeichick and Mark Fox
The United Kingdom is under attack. Not from a single large adversary, but from dozens or hundreds of cybercriminals, some large and well-organized, others small and opportunistic. Some attackers want to cripple the U.K.; others want to turn a quick profit.
The brand-new report, “The cyber threat to U.K. business,” issued in April 2018 by the National Cybre Security Centre (NCSC), describes many of those threats in painful detail. The report talks about the biggest incidents of 2017 in a number of categories, including ransomware, distributed denial of service (DDoS), data breaches, supply chain compromises, and fake news. It also looks at business email compromise (BEC) fraud, major security vulnerabilities, targeting of the financial sector, targeting of Parliament, and even cryptojacking – that is, using malware to mine digital currency.
And yes, they call it the “National Cybre Security Centre,” and then use “Cyber” in the report’s title. Go figure.
Protecting the Supply Chain
Let’s look at one area that’s very specific to businesses – compromises in the supply chain. As the report describes,
Supply chain compromises typically seek to introduce security flaws or other exploitable features into equipment, hardware, software, or services, prior to their supply to the target (or make use of a compromised supplier organisation’s connections to the target). Operations or activities are usually designed to breach confidentiality and integrity, but they may also be designed to affect availability (such as supplying defective equipment). Ongoing servicing, support or updates to equipment, hardware or software may also provide opportunities for threat actors to interfere with the supply chain.
As the NCSC explains, supply chain compromises are difficult, if not impossible, to detect, unless the criminals make a serious mistake: “Network monitoring can detect unusual or suspicious behaviour, but it is still difficult to ascertain whether a security flaw has been deliberately introduced (possibly as a backdoor) or results from a careless error on the part of developers or manufacturers – or indeed to prove that any potential access has been exploited.”
What can businesses do to mitigate supply-chain tampering? The NCSC recommends working with suppliers that have been certified as having good security, and allowing vendors and suppliers only the bare minimum access to your data and systems. In particular, “Follow the principle of ‘least privilege’, especially for external parties that may need remote access into your networks for specific administrative tasks.”
Protecting the Internet of Things and the Cloud
The NCSC report discusses the Internet of Things (IoT), an area of concern to many businesses today. Unfortunately, the discussion is too brief, highlighting Gartner research that shows there will be 11.2 billion things connected worldwide by 2018. The NCSC accurately notes that, “Many internet-connected devices sold to consumers lack basic cyber security provisions. With so many devices unsecured, vulnerabilities will continue to be exploited and used for activities (such as DDoS attacks) without the user’s knowledge.”
Sadly, there’s nothing useful in there for business IoT users, ostensibly the target audience for this report.
Similarly, the report is vague to the point of uselessness when talking about cloud security. Here’s what the NCSC says:
Only 40% of all data stored in the cloud is access secured, although the majority of companies report they are concerned about encryption and security of data in the cloud. As more organisations decide to move data to the cloud (including confidential or sensitive information) it will become a tempting target for a range of cyber criminals. They will take advantage of the fact that many businesses put too much faith in the cloud providers and don’t stipulate how and where their data is stored. This could lead to high profile breaches involving UK citizen information.
Protecting the Financial Sector
The NCSC report is more helpful when it comes to protecting the financial sector, primarily banks. After describing a breach against the SWIFT global financial transfer system in Asia, the NCSC says, “This incident (and numerous similar ones) happened due to weaknesses in local security of the targeted banks, which allow the attackers to compromise the local network, probably obtain valid credentials and initiate fraudulent SWIFT messages.”
That said, the report points out that despite multiple attempts to exploit SWIFT, “there is currently no credible evidence to suggest that the fundamental integrity of this international payment system has been compromised by a hostile state or criminal actor. However, sophisticated state and criminal organisations pose a significant and persistent threat to payment systems.”
Overall, the NCSC says that early reporting of cybercrime to law enforcement can help mitigate attacks. In the report, Donald Toon, a director of the U.K.’s National Crime Agency, writes, “By working together at all levels, we can become even better at protecting ourselves against the cyber crime threat. We still have much work to do, but we can make the UK the safest place in the world to do business.”