I would like to raise the question: does the new UK government security standard adequately address today’s and tomorrow’s cyber-threats?
While it is a step in the right direction, the UK Government’s Minimum Security Standard for government departments fails to safeguard public sector IT systems against today’s increasingly complex and sophisticated cyber-attacks.
The new Standard stipulates that government departments must "ensure that infrastructure is not vulnerable to common cyber-attacks". But this does not take account of the increasing sophistication and innovative nature of the new generation of targeted cyber-attacks.
Organised criminal groups (OCGs) often spend months planning and orchestrating highly complex targeted attacks on organisations under the Darknet’s cloak of anonymity.
One example is among the current favourite attack vectors: the exploitation of supply-chain vulnerabilities, infiltrating the networks of trusted suppliers and third-party service providers and using them to reach the target organisation’s IT systems through "watering hole" attacks, or otherwise exploiting the weakest links in the supply chain.
Government departments often have less real control over their choice of third-party contractors than private sector companies, as the European Union (EU)’s overriding procurement policy requirement is that public-sector contracts be based on free and open competition within the EU and on the best value for money. This means that UK government departments are frequently obliged to accept tenders from companies in other countries with whom they are unfamiliar. Such contractors frequently offer OCGs an easy entry point into government networks, as many are based in non-English-speaking European countries which have a lower level of awareness of cyber-crime than the UK and the US.
OCGs now orchestrate attacks that begin well outside the traditional cyber-security perimeter. Highly sophisticated social-engineering techniques and tools are used to trawl all forms of social media looking for information relating to a key employee or public servant prior to targeting them with an orchestrated attack. Government employees may overshare information which will be collected during an attack reconnaissance phase to enable targeted attacks against individuals.
Another threat that is, as yet, far from "common" but growing fast, takes advantage of the Internet of Things (IoT) to access connected devices such as security cameras and entry systems. As in the case of many industrial systems, these devices and systems were not designed with cyber-security in mind. Nevertheless, they are being used in increasing numbers in security-conscious government buildings. Aside from broader attacks such as forming botnets of compromised devices, there is a potential for IoT devices to be compromised and used as a bridgehead to move laterally within the target network.
Last year, for example, cyber-criminals are reported to have hacked an unnamed casino through its Internet-connected thermometer in an aquarium in the building’s lobby.
As government departments are now being instructed to look to "the suppliers of third-party services" to comply with the UK’s Minimum Cyber Security Standard, they must take care to select suppliers capable of offering security well outside the usual perimeters.
Government departments must ensure that whoever they select has embedded sources within the Darknet to enable them to anticipate incoming attacks and the necessary skills to monitor the department’s entire digital footprint, including its staff’s use of social media.
While this is a new standard for the public sector, private companies may also soon be obliged to adopt higher security standards, as regulations and policies set at government level typically become applicable to the commercial sector before long.
*Note. Letters to SC Media UK are published at the discretion of the editor, who reserves the right to edit letters before publication.