On September 21, SC Media UK reported Ian Levy, technical director, National Cyber Security Centre, telling delegates at Symantec's Crystal Ball event that a category one cyber event was expected. For context he explained that WannaCry was a category two incident – of which there have been thirty tackled by the NCSC since it was set up 11 months ago – with the majority of the 500 incidents dealt with put in the category three level.
Now more detailed information on the activities of the NCSC in its first year has been revealed in its annual report, with the industry responding to news that some 1,131 attacks were reported in the UK last year - thus two significant attacks per day, with 590 classed as significant and more than 30 requiring a cross-government response. NCSC CEO Ciaran Martin echoed Levy's warning saying that there could be more significant and damaging attacks in the near future.
Reactions varied: Steven Malone, cyber-resilience expert at Mimecast, described the level of attacks as “shocking” and Rob Norris, VP head of enterprise & cyber security EMEIA at Fujitsu, called the news “worrying”; Lee Munson, security researcher at Comparitech.com, noted the thousand attacks were “an interesting statistic” that provided a new baseline, whereas Mike Simmonds, CEO of Axial Systems, commented, “Is that all?”
Simmonds went on to warn that this figure is likely the tip of the iceberg, with attacks expected to become more frequent over the coming months.
Munson, who described the 1,000 attacks as “an interesting statistic” went on to say that it could, however, be a misleading one.
“While an average of more than 20 incidents per week, many of which were classified as significant or serious, sounds like a damning indictment of security across the UK, it is more likely to simply be an interesting new baseline, given this is the first time such figures have been available.
“In reality, the number of cyber-attacks every day is huge, and growing, so the fact that none posed a credible threat to the democratic system, financial bodies or other critical infrastructure is a major plus point and one that should be celebrated, given how such attacks are most definitely on the increase in other countries,” concluding that despite the great support provided by GCHQ, “...even if the most optimistic of observers would have to concede that not every such threat can be thwarted.”
Norris agrees, saying that “...the number of these threats continues to increase exponentially,” and adding, “a proactive approach to security is vital for the survival of small and big businesses alike. Moreover, with the GDPR around the corner, businesses need to think about what data they need to protect, how to implement contingency measures, and establish clearly defined processes in how to detect and react to data breaches.”
Norris says, “...cyber-crime is inevitable,” suggesting that it is how businesses plan for it that makes a difference, concluding, “Ensuring a compliant business environment, that will help protect the company and its employees, needs to be the number one priority.”
Malone says that the news, “highlights why governments and organisations of all sizes need to focus on analysing their critical infrastructure and business systems for weaknesses,” continuing, “the problem is that many organisations rely on outdated security controls which aren't up to the task of providing protection from today's fast-evolving threat landscape.”
He adds, “It is imperative that both governments and organisations invest in a cyber resilience strategy that involves strong methods of protection and user security awareness, combined with a reliable business continuity, archive and recovery strategy for data and operational systems, to get back on their feet if something does get through.”
Mark James, security specialist for ESET, emailed SC Media UK to comment, “With so many attacks happening in the digital world we live in, it's understandable that we are concerned. It's one of those things that's almost impossible to counter as an individual - yes we can patch, we can install security software and we can have in place policies and procedures to help combat opportunistic malware, but when it comes to targeted attacks fired from the minds of extremely intelligent people, the chances of stopping it solo are drastically reduced.
“The only way we are going to stand a chance is working together, pulling in resources from all fields of expertise in the cyber-security space, and having a resource like the National Cyber Security Centre can only be a good thing.” He agrees with the government message, saying that we all want the same thing, a safe place for people to do business, but notes how the bad guys have moved from the town square to lurking in shadows in the digital world, concluding, “...we are not going to stop them completely but we can limit their damage here in the UK.”
For Csaba Krasznay, security evangelist at Balabit, the primary issue was tackling abuse of privileged access, noting how in many of the recent major attacks, “...companies were compromised by privileged credential theft or malicious insiders. If criminals are already in your network, perimeters alone will never be enough to keep them out. In the first instance, companies must ensure that they have firstly, a comprehensive and up to date list of privileged accounts. Secondly, a limited scope for each privileged account where every user has exactly the minimum rights to carry out their tasks. Next, ensure that all accounts that are no longer needed are deleted. Finally, companies with a mature security posture must implement a formal password policy for privileged accounts, this should include changing default passwords as a matter of course, and prohibiting sharing passwords across accounts.
“By implementing monitoring tools that track privileged users' activity and notify security teams in case of a potential breach, based on user behaviour analysis, there is a much better chance of discovering such an attack. As we can see, digital forensics is also important and should be the part of incident investigation, as at the end of the day, many of Deloitte's major blue-chip customers will want to know how deeply they are affected in the breach.”
Martin, in a foreword to the NCSC report concludes, “The NCSC's first duty is to manage and mitigate against attacks. Our anniversary report shows the progress we have made working with government, industry and individuals to create a truly lasting national asset.
“We are proud of what we have achieved in our first 12 months, but there is so much more to do in the years ahead to counter this threat to our values, prosperity and way of life.”
Among the achievements of the NCSC in its first year cited by the report are:
· Launch of Active Cyber Defence, credited with reducing average time a phishing site is online from 27 hours to 1 hour
· Led UK response to WannaCry
· Advice website with up to 100,000 visitors per month
· Three-day Cyber UK Conference in Liverpool
· 43% increase in visits to the Cyber Security Information Sharing Partnership (CiSP)
· Produced 200,000 physical items for 190 customer departments via UK Key Production Authority to secure and protect communications of Armed Forces and national security
· 1,000 youngsters on CyberFirst courses and 8,000 young women on CyberFirst Girls competition.
· Worked with 50 countries, including signing Nato's MoU.