Channel Islands Cyber Security Conference & Event Guide

#CYBERISLES23

Thank You

Channel Islands Information Security Forum: admin@ciisf.org

Dave Cartwright, Chair CIISF

Dave Carney, Vice Chair & IDGF

Stephanie Luce, Events co-Ordinator & IDGF

Sarah Holland, Secretary for CIISF.

Paul Neal, Treasurer

Peter Lescop

Bruce McDougall

Richard Field

Alex Sparrow

Arthur Mainja

Alan Riney

Jersey Cyber Security Centre: hello@jcsc.je

Matt Palmer

Paul Dutot

James McLaren

Morgan Franklin

Stephanie Luce

Cyber Security Awareness Month Steering Group:

Matt Palmer (JCSC)

Lynne Capie (Soteria Communications)

Stephanie Luce (JCSC)

David Cartwright (CIISF)

Peter Lescop (JT Group)

James McLaren (JCSC)

Samantha Gardner (JOIC)

Paul Dutot, (JCSC)

Nathalie Andersson (Jersey Finance)

David Carney (IDGF)

Media:

Jersey Evening Post

Channel Eye

Channel 103

Delivery Partner: Soteria Communications

Venues: Radisson Blu Waterfront Hotel, Pomme D’Or Hotel

Audio visual: Delta Events

Media production: Switch Digital

Gold Sponsors: Defence Logic, Recorded Future

And with thanks to all our volunteers, speakers, panellists, sponsors and partners.

If you would like to support, sponsor or contribute to the 2024 programme please speak to one of the steering group.

This programme is dedicated to the people and cyber defenders of Ukraine. If you have found this event valuable please consider making a donation to the Bailiff’s Ukraine Appeal: sidebyside.je

Introduction

In the last 12 months, Russia’s invasion of Ukraine has extended to all-out cyber war in addition to kinetic warfare. Hybrid attacks, with cyber often as a precursor or distraction, have impacted government services, communications, transport, finance and civil society. We are isolated from much of this in Jersey, but it is no less real and no less destabilising. It is increasingly difficult to separate activity hackers and organised crime from nation state activity in cyberspace. Even the lines between physical space and cyberspace are themselves blurring: Artificial Intelligence presents new threats, but also new opportunities. We don’t know yet what this means for us, but we do know that this is the beginning of an historic shift in how we use and depend on technology - so we must try to be prepared, and to see this change as an opportunity as well as a threat.

At JCSC we have spent much of the last year preparing. In between responding to incidents and supporting attacks on local organisations including schools, Government, financial services providers, hotels, retailers, voluntary groups and (yes) even teenagers, we have been busy standing up technical and operational capabilities that will allow us to begin to defend Jersey effectively. We are now at the basic operational readiness we promised. One example is the launch of our Jersey Cyber Shield. A year in planning and development, this brings together large numbers of data sources, systems and platforms to obtain, analyse and respond to global threat intelligence in order to protect local people and organisations. We have also launched the first iteration of our Jersey Cyber Benchmark to better understand our collective strengths and weaknesses, providing an input to Government’s cyber strategy as well as our operational priorities and understanding of island risks.

We have been working closely with the Government of Jersey on issues from cyber security legislation to telecoms security rules, and undertaking a public consultation on proposed legislative change to provide a strong platform for effective cyber defence. We look forward to that legislation being brought forward in 2024.

We have also been working with colleagues both around the world and closer to home: JCSC is now part of TF-CSIRT, a European network of national CERTs, and is applying for membership of FIRST – a global body. These provide great opportunities for collaboration and information sharing. We are also working with UK NCSC and with the other Crown Dependencies, the Isle of Man and Guernsey. Later this year we will carry out our first ever Channel Islands incident response exercise working with governments in both Jersey and Guernsey.

Last year, I said it takes an island to secure an island. This has never been more true, and none of this would be possible without the support of Government and the States, of Ministers (notably Deputies Kirsten Morel and Alex Curtis), of the Department for the Economy, of the huge range of local partners we work with on a daily basis, of the voluntary sector, and of course of the Jersey community. We can now begin to see the impact of that support in the work we do to help islanders prepare, protect and defend themselves and their organisations, but this is no time for complacency: we all have much more to do if we are to be ready for tomorrow’s challenges.

Introduction

Welcome to the Channel Islands Information Security Forum (CIISF) Conference 2023. Thank you for taking the time to support what I hope you’ll find to be an enjoyable, rewarding and educational event.

When we resumed the conference schedule in 2022 after the Covid-19-induced period of downtime, we were uncertain of how keen everyone would be to come along into a room full of people – not least because we had all become used to electronic meetings and presentations and had kicked the habit of meeting people in real life. Our uncertainty was, I’m pleased to say, unfounded – we were just shy of 200 EventBrite registrations and a fair number of delegates simply rocked up on the day. The event was a tremendous success, and my colleagues and I were delighted; hopefully this year will be similarly lively and popular.

We have a wide range of great speakers this year, both local and from afar, but I can’t resist a shoutout for our star keynote, FreakyClown (also known as “FC”). Those among you who’ve seen his videos or read his excellent book will know that we’re all in for a treat, and I for one am eager to hear what he has to say. He’ll be joining us electronically for the simple reason that although he’s a Brit, these days he’s based in Nevada – and it’s a long (and budget-busting) way to come to a small rock in the English Channel. I know for certain that distance won’t detract from the experience.

You may be interested in our approach to putting together the schedule. We try to find as wide a variety of speakers as possible, and we set two simple rules. First: if you’re a commercial organisation (as many are), you’re not here to do a sales pitch – by all means tell the audience what you do for a living, but then move on and focus on non-salesy topics. Second: try to use your

experience to tell people something that they didn’t know, or hadn’t previously thought of. Our mission is for everyone attending the conference to go home at the end with the feeling that they’ve found stuff out over the course of the day, and that they’re leaving with more knowledge and ideas than they arrived with. I’m sure, given our range of speakers and subjects, that this will be the case.

I’m personally looking forward to the talks from our two Gold sponsors, Recorded Future and Defence Logic. And I’m saying that not through any obligation to do so, but because I had most entertaining Teams meetings with James and Anthony, the two speakers, where we batted their suggested subjects about and came up with a novel angle in each case. We work closely with all the speakers, in fact, to decide what they’ll talk about – which helps us make sure there’s not too much overlap between talks. One of the things I enjoy about working with my fellow Cyber, IT and Risk professionals in the Channel Islands is that we’re not shy about voicing an opinion or questioning the norm, and we encourage our speakers not to be shrinking violets and to tell it how it is; let’s hope they do so!

In my introduction to last year’s conference, I described the cyber security industry in the Channel Islands as “fascinating” and “challenging”. Nothing has changed in this respect except, perhaps, that the range of threats we face is becoming more and more challenging by the day. We need, as a cyber security community, to work together as much as we can and to help each other defend against attacks and react when something unfortunate happens.

I wish everyone attending the conference, physically or virtually, a fascinating and informative day.

Conference - Morning Schedule

Opening

So What Actually is the Dark Web?

James Mason - Intelligence Consultant, Recorded Future Prof. Simon Hepburn - CEO, UK Cyber Security Council

Break Trends from the Trenches: Ransomware Patrick Start, Caroline Honeycombe, Sarah Simon

Predictions, Presumptions, and Planning. How Forward Thinkers Build Their Security Defences

Emily Nowlan - Account Director, Tessian

William Wilson - Head of Threat Protection & Governance, Altum

Conference - Afternoon Schedule

Welcome Back David Cartwright - CIISF Chair

Opening Remarks

Gold sponsor - Defence Logic

The language of information and cyber security Steve Sands - Chair, BCS Information Security Specialist Group

Inside Jersey’s CERT: threats, attacks, and what you need to do about it

Matt Palmer - Director, Jersey Cyber Security Centre

Paying the Ransom

Anthony Flemmer - CEO Defence Logic

Break

The Man Who Used To Rob Banks FC, aka Freaky Clown

Are nation states really a threat to us and what can we do about it?

Panel led by Damon Greber - Head of Advisory, C5/BDO

Going Backwards to Go Forwards

Daniel Oxley - CTO, Armadillo

Closing Remarks

Dave Cartwright - CIISF Chair

Networking Reception after the Conference

Rocco Foyer, Radisson Blu, 17:00 - 19:00

Sponsored by Recorded Future and Armadillo

Speakers & Panelists

Keynote Speaker: FC Co-Founder - Cygenta

FC is a renowned ethical hacker and social engineer, as well as global keynote speaker and author. He has been working in the cyber security field for over 25 years and has helped thousands of banks, governments and other organisations advance their security. FC is Co-Founder of the cyber security company Cygenta, where he tests weaknesses in physical, personnel and digital controls to help organisations be more secure.

Lori Baker is an experienced attorney with expertise in data protection and regulatory compliance, as well as broad practice in commercial contracting. She is qualified in both the USA (in the states of New Jersey and Pennsylvania) and the UK, and is a Fellow of Information Privacy as certified by the International Association of Privacy Professionals.

Richard Field Partner - Appleby

Richard is a Partner in the Dispute Resolution team at Appleby, specialising in corporate, trust and commercial litigation and regulatory matters. His regulatory focus is on data protection (including cyber), AML and compliance, technology and eGaming. Richard is one of the global leads for Privacy and Data Protection at Appleby and is the Guernsey lead for the firm’s Technology and Innovation practice group. He was described by Legal 500 as “the go-to lawyer for data protection matters”.

Anthony Flemmer CEO - Defence Logic

Anthony Flemmer is a well-respected figure in the cybersecurity industry who currently holds the position of CEO at Defence Logic. His company is focused on providing state-of-the-art cybersecurity solutions and excels in penetration testing, SIEM, security operations centre, and incident response. Anthony has been awarded the prestigious ISO 27001 Lead Implementer designation, highlighting his expertise in implementing and managing robust information security systems.

David Carney

Channel Islands Information Security Forum, Islands Data Governance Forum and Director

- Grant Thornton

David is vice-chairman of the Islands Data Governance Forum and the Channel Islands Information Security Forum, and also leads the Risk Assurance and Data practice for Grant Thornton across the Channel Islands.

Dave Cartwright Head of Technology Operations & Risk, CISO - Santander International

Dave is based in Jersey and is CISO and Head of IT Operations in the banking industry, having previously worked in fields academia, defence, publishing, intellectual property and telecoms. He is Chair of the Channel Islands Information Security Forum as well as being co-founder of the Jersey Charitable Skills Pool and the Jersey Tech Awards, and sits on the judging panel for the UK Cloud Awards and the TechTrailblazer awards.

Damon Greber Group Head of Internal Audit

Damon has over 17 years experience in both consultancy with a leading professional services firm and as the Group Head of Internal Audit for a significant Hedge Fund Manager. His previous experience includes leading the global IT external audit of an investment bank, acting as Head of IT internal audit for two retail banks as well as managing the delivery of Service Organisation Controls Reports. Additionally, Damon led the computer forensic work on Jersey’s largest Trust dispute and has also managed the delivery of a variety of regulatory reviews.

Ibrahim Hasan Director - Act Now Training

Ibrahim Hasan is a UK qualified lawyer and director of Act Now Training www.actnow.org.uk. He is acknowledged as a leading authority on data protection law in Europe and the Middle East.

Ibrahim has delivered specialist training and consultancy to multi-national corporations, public authorities and government departments across the world. He is often called upon by the print and broadcast media, including the BBC, to provide comment and analysis on information law issues.

Speakers & Panellists

Prof. Simon Hepburn is the first Chief Executive Officer of the UK Cyber Security Council, the self-regulatory body for the UK’s cyber security profession that develops, promotes and stewards nationally recognised standards for the cyber security profession. Simon has more than twenty years’ experience working within the charity, education, careers and quality management sectors.

Emma Martins has overseen the rapid evolution of data protection in the Channel Islands for the past two decades. She became Commissioner for both Jersey and Guernsey in 2011 when a pan-island regulatory office was set up, then stayed on in Guernsey when the two offices separated at the start of 2018. She believes passionately that responsible data protection practices are about protecting people, and that behaviour change comes from a cultural shift, rather than enforcement alone.

James Mason is an Intelligence Consultant on the EMEA Public Sector Intelligence Services team at Recorded Future. James works with government departments across the UK and Europe, providing threat intelligence support for a range of projects. Prior to joining Recorded Future James worked as a Dark Web Analyst, providing intelligence services to law enforcement and government teams within the UK.

Peter Lescop is the Head of Risk and Security at JT and committee member of the Channel Islands Information Security Forum. Peter has worked in Technology for over 17 years, with much of that focused on Cyber Security.

Steph is Head of Legal and Governance for the Jersey Cyber Security Centre. Steph is also the Founder and Chair of the Islands Data Governance Forum and a committee member of the Channel Islands Information Security Forum.

Nic Miller

Virtual CISO - Aedile Consulting

Nic Miller is the owner and Director of Aedile Consulting, a bespoke cyber-security consultancy. The company was founded in 2017 to provide pragmatic and accessible advice to smaller and medium sized organisations. Its virtual Chief Information Security Officer (vCISO) service provides smaller firms on-demand access to cyber security advice and guidance and allows them to understand and manage their cyber security risk.

Dan Oxley

CTO - Armadillo

I have been breaking and then fixing computers since I was 8 years old, and doing it professionally since 1997. I possess many years of experience in technology and senior leadership roles ranging across every vertical and sector, from small start-ups through to the largest global organisations in the World.

Speakers & Panellists

Matt Palmer is Director of JCSC, the Cyber Security Centre for Jersey, where he is tasked with helping to prepare, protect and defend the Island against cyber threats.An experienced CISO, he has led cyber security functions for global financial services institutions including State Street, Willis Towers Watson (WTW), Brevan Howard and Skipton Group.

Steve Sands began his technical career as a Trainee Technician Apprentice with British Telecom in 1978 where he worked on three generations of public exchange switching systems before moving into a training role involving network and information security. He is now a risk and compliance professional with a background in information security, IT management and data protection.

Bradley

Director of Information Rights and Operations, - Gibraltar Regulatory Authority

Bradley Tosso is the Director of Information Rights and Operations at the Gibraltar Regulatory Authority (“GRA”). Mr Tosso has 15 years experience in the field of compliance and regulation, working in different jurisdictions and in both the public and private sector. Mr Tosso’s credentials include a BSc (Hons) in Computing and Management and Masters of Law degrees in European Union Law and Information Rights Law and Practice.

Patrick is a Director within Deloitte’s Cyber practice and leads the Cyber Incident Response and Wargaming team. Patrick helps clients across all Sectors prepare for, respond to and recover from major cyber events.

Caroline is a Director within Deloitte’s Cyber Incident Response practice and is based in Jersey. Caroline has over 16 years of experience, of which over ten years was working within the public sector as a senior intelligence lead specialising in National Security and Cyber.

Sarah has over 3 years’ experience in Cyber incident response and a history of working in the law enforcement industry. She has expertise in both mobile device and computer forensics. Sarah is based in Guernsey.

Mon, 16 Oct 2023 12:30 - 16:00 BST

Cyber Drop in Advice Session

Tue, 17 Oct 2023 08:30 - 12:00 BST

Mock Cyber Incident Response Exercise - Jersey’s Finance sector

Tue, 17 Oct 2023 12:30 - 16:00 BST

Cyber Drop in Advice Session

Thu, 19 Oct 2023 09:00 - 17:00 BST

Channel Islands Cyber Security Conference 2023

Fri, 20 Oct 2023 08:30 - 10:30 BST

Cyber Essentials Breakfast

Tue, 24 Oct 2023 13:00 BST

Vaiie Views - Journey to ISO27001

Tue, 24 Oct 2023 12:30 - 13:30 BST

Journey to ISO27001

Thu, 26 Oct 2023 13:00 - 14:00 BST

Networking Event for Jersey Women in Cyber Security

Thu, 26 Oct 2023 17:30 - 19:30 BST

Pints & Passkeys

March 2024

Mini Cyber and Data conference

Book via cert.je/events

How can Individuals and Families Stay Safe Online?

If you’re internet shopping or even just surfing the web, follow these tips to stay safe online.

1. Secure password policy

Using strong passwords with three unfamiliar words is a free and effective measure to help prevent unauthorised people from accessing your private information. Don’t forget to create a separate password for your email account. Hackers can use the ‘forgot your password’ feature to reset other passwords if your email account gets compromised. If you’re shopping, don’t reuse passwords across multiple websites. This will limit hackers’ access if any individual account is breached.

2. Multi-factor authentication (MFA)

Implementing an extra level of security is indispensable for accounts such as banking and email. This tip will protect you if your password is obtained by hackers. Some institutions automatically use MFA –also known as two-factor authentication (2FA). Others don’t. It’s well worth the time to check and manually turn on the facility at every opportunity.

3. Update your computer, phone and apps

Software is easier to hack if it is outdated. Companies release updates that fix these weaknesses. Regularly updating your devices and software, and making good use of automatic updates and reminders, improves your defence and helps to keep you safe online.

4. Keep your smartphones and tablets safe

Activating all possible security measures is essential for devices used outside the home or office. Switch on PIN and password protection. Use fingerprint or face recognition if it is available. Check that device tracking, remote wiping and remote locking are turned on in settings.

5. Back up your data

Creating a copy of your information and saving it to cloud storage or another device reinforces your security. This will enable quick recovery and minor damage if your data is lost or stolen. Test it first and utilise automatic back-ups to reduce the risk of forgetfulness.

6. Shop with a credit card rather than a debit card

Credit cards have built-in fraud protections to protect you against the risk of owing money to credit card companies. The claims process for debit card fraud is long-winded. Designating an online shopping credit card will reduce the potential impact of fraud and allow you to cancel the card easily if you need to.

7. Be careful where you click

Special offers, flashing pop-ups and deals within a limited time can be overwhelming. It’s often difficult to separate the legitimate from the malicious, but good practice is to visit the main website directly. Don’t click links and attachments.

8. Verify website security

A safe website should display a lock and/or “https” in your browser’s address bar. This will enable you to enter your personal information but only input the minimum required. Reputable shopping vendors will email a sales receipt after purchase, which should be kept alongside other paperwork.

9. Use an up to date browser

Use up to date web browser and avoid add-ins you don’t need. Use a keysafe such as 1Password, Bitwarden, Dashlane or those built into browsers and phones rather than reusing your passwords. Avoid creating accounts you don’t need, and turn off advertising tracking in your phone and browser settings.

10. Erase your old data

If you get a new device this often means you will be getting rid of an old version. Ensure you erase all your personal data and log out from all services and apps. Once you have done that, reset the device per the manufacturer’s instructions before you recycle it.

Jersey Cyber Benchmark

Jersey Cyber Security Centre is working with Government of Jersey and our partner Soteria to improve the cyber resilience across the Island’s critical infrastructure, business communities and citizens to reduce the risk and impact of major cyber incidents. To make sure we focus on the areas that will benefit you and your organisation the most, we need to understand where we already have good defences and where we have an opportunity to improve.

To do this, we are undertaking a short benchmarking survey to understand each sector’s level of cyber preparedness.

We are focusing particularly on the small business, financial services, hospitality and charity / not-for profit sectors where raised risk levels have been identified, however we strongly welcome participation from all organisations across the Island. This short survey will normally only take a few minutes to complete, and can best be completed by someone in a senior technology, operations or risk management role in your organisation. If you are a small business, this may be you or your IT provider. You can also start the survey and come back to it later if you need to. Survey results will be anonymised and used statistically only – we will not share your individual answers with Government, regulators, or with anyone apart from you.

Please visit smartsurvey.co.uk/s/5x0cyq to complete the survey now.

You can also scan the QR code below to complete the benchmarking survey:

As part of the programme for Jersey’s Cyber Security Awareness Month, we will be involved in a series of Mock Cyber Incident Response Exercises and Drop-in Advice & Support Sessions between 9 - 17 October. The exercises will be hosted by Soteria Communications and an advisory panel of experts from Jersey Cyber Security Centre, JT Group and The Jersey Office of the Information Commissioner. Each exercise is designed for specific industries and will create an environment where all participants are encouraged to share their experiences and develop plans to mitigate a fictitious scenario that will emerge during the event.

After these workshops, we will be hosting individual drop-in sessions, available to book. The drop-in sessions will be hosted by Jersey Cyber Security Centre, JT Group, Soteria Communications and The Jersey Office of the Information Commission and are an opportunity for organisations to ask questions about specific challenges or issues relating to their cyber security.

To find out more about these sessions and to register, please visit cert.je/events.

Thank you to our partners for their sponsorship and involvement in these sessions:

• Jersey Ch arities

• Soteria Communications

• Jersey Office of the Information Commissioner

• JT Group

• Jersey Chamber of Commerce

• IoD Jersey

• Jersey Business

• Jersey Hospitality Association

• Visit Jersey

• Jersey Financial Services Commission

• Appleby

• Jersey Finance

Cyber attacks can have a devastating impact on public services, on businesses, and on individual Islanders.

Why is Jersey’s Financial Intelligence Unit (FIU) Interested in Cybersecurity?

The regulated sector has stringent compliance responsibilities aligned to Anti Money Laundering (AML) and Counter Terrorist Financing (CTF). These risks are realised through the actions of criminals, organised crime, state threat actors and terrorists, all of whom exploit weaknesses and gaps in products, services, and businesses to launder their illicit gains. Of course, they also deliver their illicit activity through the exploitation of cyber related risks and vulnerabilities.

Criminals have traditionally focussed on specialist areas that they seek to exploit, more recently, a surge in polycriminality is being seen. This confidence to exploit numerous avenues to obtain and launder money means that cybercrime, ransomware, business email compromise and other such threats are equally relevant to the FIU as money laundering, kleptocracy, tax evasion or similar.

If cyber security is about preventing a range of IT threats, many of those will be monetarily related. As more financial activity occurs digitally, the lines between cyberattacks, fraud, and money laundering become blurred and attack vectors across one threat is likely further exploited for other purposes across the Cyber/Fraud/Money Laundering trio.

Currently, cyber-enabled attacks are increasing in sophistication at the same time that financial institutions are changing and growing activity and interconnectivity.

Our lives are becoming increasingly cyber enabled, and finance is at the forefront of this, therefore, it makes us all vulnerable, hence the growing use of two step verification methods and password security messages. For us, employing a holistic risk picture is now, more necessary than ever. The speed of risk identification and collaboration with other relevant stakeholders is critical. That’s why FIU Jersey is proud to be developing our relationships across the cyber community and in particular with Jersey Cyber Security Centre, as only an all-source fusion approach can enable the network to defeat the network.

A Business Guide to Critical Cyber Security Controls

Cyber attacks are hard to contain and can quickly impact any organisation — whether a target or not. These basic but essential steps reduce risk and ensure you can recover your organisation if your network is compromised.

1. Patch all your systems regularly

In cyber security, a ‘patch’ is a fix - an immediate solution to an identified problem. Businesses and organisations should regularly patch everything; that doesn’t just mean Microsoft Windows. Patch your website, your databases, and infrastructure such as firewalls and routers. Linux servers, mobile devices, CCTV systems and IoT devices need to be updated too. Consider that if a patch is released, the vulnerability may have existed for some time already and may have been exploited. If you then take a month to test and deploy a patch, that’s a long time during which the vulnerability could be used against you. Focus on building a simple, repeatable process for rapid testing and deployment – and have an emergency patching process for critical vulnerabilities with known exploits. Otherwise, aim to patch everything as quickly as you reasonably can. Cyber Essentials recommends within 14 days of release.

A warning: If you are not patching a system because it’s at the end of life, that’s not OK. It’s like driving a car without insurance or servicing — that accident will happen, and the impact will be worse when it does. Good organisations manage the lifecycle of their systems so that they are replaced before they are obsolete. If you have obsolete software or hardware that can’t be patched, you should isolate the offending system on your network. An early warning sign that your IT lifecycle management practices are inadequate and need review is if you are paying extended licensing agreements for old systems.

2. Implement multi-factor authentication (MFA)

Regardless of the system, a password should not be considered adequate on its own. Whilst there is lots of guidance on good passwords, many password complexity rules and forced resets can make life easier for an attacker and harder for the user, actually making systems less secure.

A good password provides some protection, but can easily be compromised. Multi-factor authentication (or 2-step verification) is essential to protect user accounts and information. By using two of something you know (such as a password), something you are (biometrics, such as a fingerprint), or something you have (such as a code to a mobile phone app) you can stop an attacker from gaining access even when they have obtained the password.

MFA should be used for network, device, and app access and personal services and accounts. Not all MFA is the same, and some techniques are better than others. Nevertheless, all methods significantly improve the security of a password used only by itself. Having a password plus a PIN code or a separate memorable word is not multi-factor. Having to remember multiple things does not make you more secure; it makes it harder for your team.

3. Control privileged access

In addition to the customer and employeefacing systems you operate such as websites and email, you will have a lot of hidden infrastructure working hard for you. The directories, databases, file systems and routers enable your IT to work. Whether this happens on-premises or in the cloud, someone has to configure, manage, and maintain these systems. If an attacker gets access to the accounts used to manage these systems, it can be game over — they have access to everything on your network. When hotel giant IHG failed to do this in September, their systems were compromised for fun. Admin accounts should be very carefully controlled, with rigorous use of MFA, careful access management, and a record of when an account is checked out for use, why and who by. IT staff should not be able to use privileged accounts for email and web browsing. Solutions vary from costly enterprise tools and the functionality built into cloud solutions, to free key safes and online apps.

4. Manage your attack surface

Many attacks will start with a scan of your perimeter - this is everything someone without special access can see. You can do a lot to minimise this and make sure it looks boring to an attacker. If you’re network looks high risk and low reward, an opportunistic attacker will go elsewhere and a targeted attacker will find it harder to get in.

In addition to network firewalls that sit between your network and the internet, you should run application firewalls that sit between your application and the internet. It is important to ensure your systems are built to a consistent standard and hardened using a reference such as the CIS Security Benchmarks. Don’t forget to turn off ports and services you don’t need, and only have systems face externally if necessary.

5. Maintain segregated backups

How long would you survive without your data? Even if you operate primarily offline, how could you take payments? Pay staff? Produce the accounts? Buy supplies? File returns? And generally, manage your organisation? For most, it’s not long. If data is available but corrupted, recovery is often even more difficult.

Nothing will guarantee all attacks fail, so assume that one will succeed and ensure you still have your data. This includes both your business data and technical data on the configuration of your systems and network, so you can rebuild it if you need to. Make sure your data is stored somewhere segregated from your primary network. This could be offline, such as a dedicated computer, storage array or USB stick. It could also be an online backup service or a cloud computing platform. Wherever you store it, remember to ensure that if usernames and passwords are compromised, they cannot be used to access and damage your backup data.

Finally, test your ability to restore and run from the restored data. A backup is no good if you can’t use it or if it will take three weeks to download it from the cloud — best to find that out now rather than when you need it.

6. Manage risk in your value chain

We’ve recently seen attacks where a particular organisation was targeted by malicious emails from their customer or supplier. This is a lot of trouble for an attacker to go to, and they would only have done it if the target organisation could not be easily compromised directly. You can’t be completely responsible for your client’s — or even your supplier’s — security. However, you should recognise that the borders of your organisation are porous and take reasonable steps to reduce your risk. This would include undertaking security assurance on suppliers to ensure they operate appropriate controls, notifying customers of issues and concerns, and passing on advice and alerts.

7. Operate effective monitoring & alerting

It is essential to be the first to know when something goes wrong. That means logging the correct data, and monitoring it for anomalies that suggest a problem. Monitoring doesn’t have to be complicated or expensive.

If you know which of your systems are critical, you can often outsource elements to a security supplier. We have many highly capable local firms right here in Jersey and plenty of solutions to help. These include cloud-based firewalls and security monitoring services that keep an eye on your websites, or online services that keep an eye on your visible perimeter. There are also more advanced security monitoring systems such as SIEM (security incident and event management) solutions and security defence capabilities such as a SOC (security operations centre), which can monitor systems 24 hours a day, seven days a week.

8. Test incident management processes

When the time comes and the worst happens, you can significantly reduce the impact by managing the incident well. Bad incident management can quickly turn a drama into a crisis. Good incident management can improve your customers and stakeholders confidence in you after an incident. The first step is to ensure you have an incident or crisis management plan. Who would do what, and when? Guidance is available from JCSC and online from the UK’s NCSC.

9. Verify your controls

Many successful attacks result from controls we intended to apply, but didn’t fully — often because it was felt to be cost-prohibitive or inconvenient. Of course, it is then likely that the same system or process is compromised. Once you have implemented controls, make sure you know what exceptions you have — make them strictly timelimited, report them to the Board, and work over a few months to eliminate them.

If you’ve implemented all these controls, you should be in a good position. But don’t rest there: verify them regularly through technical security testing or certification against a standard such as Cyber Essentials Plus.

Look to practical, technical checks first and foremost. Some cloud services, such as Microsoft Azure, provide tools that can be used to compare your IT configuration against common standards and frameworks. That can be a great place to start.

10. Share incidents

There’s no need to be embarrassed about a security incident. They happen all the time. However, by sharing we can protect others, and help ourselves in the future. Notify incidentreports@jcsc.je so we can learn together as a community, and stay one step ahead of the threat.

The Channel Islands Information Security Forum (CIISF)

The CIISF is a Channel Islands-wide not-for-profit organisation whose members come not just from the pure cyber industry but from a wide variety of market segments. Some members have a cyber focus as their “day job”, for example risk managers, compliance officers and infosec professionals. Others have a secondary interest in cyber security, such as company directors, utility companies, health and Government.

Why we exist

The primary objectives of the CIISF are:

• To discuss and share ideas and experiences around cyber security and data privacy in the Channel Islands.

• To encourage development and growth of the cyber profession across the Channel Islands, and to promote and provide opportunities for members to grow their networks of contacts.

• To support members in enhancing their knowledge and understanding of cyber security matters.

Development and support

Over the years the CIISF has run study groups to help those working toward formal professional certifications –primarily ISACA’s CISA and ISC2’s CISSP – and we hope to run more in the coming years. We also run seminars and presentations throughout the year; we have recently joined forces with the Jersey branch of the British Computer Society to present on topics as diverse as: how to do Data Subject Access Requests; the value of professional certifications in the IT and cyber industries; and the challenges of recruiting IT and cyber staff.

Working with Government

The CIISF and its members are fortunate enough to be asked by the Government of Jersey for comments and opinions when they are proposing new concepts or laws. We took part in focus groups a few years back to discuss the Government’s proposed new Cyber Strategy, the introduction of the Jersey CERT, and more recently we have engaged in discussions on the proposed new Cyber Defence Law and Telecoms Security Framework. We are encouraged by the Government’s continued willingness to work with us and canvass our thoughts and ideas, and look forward to continuing this rewarding relationship.

Supporting the Not-For-Profit sector

We formed the Jersey Charitable Skills Pool (JCSP) to provide cyber security assistance and advice to charities and other Not-For-Profit (NFP) organisations who might otherwise not have the ability or the funding to ensure a basic level of understanding of cyber security, and a fundamental level of defence against attack. Find out more at: jerseycsp.org.uk

Be a part of the CIISF and what we do

We are always open to new members: you don’t need to be a cyber guru to join, just to have an interest – for whatever reason – in cyber security and data privacy. We’re particularly keen for new faces to join the committee and play a part in driving what we do and moulding the Forum to keep it relevant for the future. We’re delighted to have welcomed a new Secretary and Treasurer to the committee at the recent AGM, and if you think you can contribute to the Forum and help us keep it relevant for the coming years please make the most of the contact details below.

Join the forum

Subscri be at: ciisf.org

Twitter: @CISecure

Email: admin@ciisf.org

LinkedIn: channel-islands-information-security-forum

DSARs: The Practical Approach

Anyone working in data protection is likely to have received a Data Subject Access Request – a DSAR. In these enlightened days, it’s useful that we tend to use the term “DSAR”: the previous concept of a Subject Access Request, or “SAR”, had a tendency to send our financial crime friends into a tizzy because they think a Suspicious Activity Report has just found its way into their inbox.

Back in 2018 when the new data protection laws –GDPR across Europe but also the local equivalents in the Channel Islands – became active, there was widespread panic. We thought the Information Commissioner was going to be throwing thumping big fines at us for data protection transgressions, and we feared that if we took more than the requisite 28 days (in Jersey at least – other Bailiwicks’ laws are available) to respond to a DSAR we would be clapped in irons or at the very least subject to public flagellation and ridicule.

Now things have calmed down, we can be a bit more pragmatic about how to deal with DSARs. The rules haven’t changed, only the level of fretting about them. So, the approach we can now take is to think: how little do I have to deliver to the data subject asking for their information? To be fair, that’s the response we should always have taken, it’s just that logic took a bit of a time out for a year or two once the new law had arrived.

Data subjects, when making DSARs, will often ask for more than they’re entitled to. “I demand all the information you hold about my time as an employee of your company”, they may ask. And the answer is “no”: they’re entitled only to a copy of the data you hold about them. If something doesn’t have their name in, and there’s no reasonable way in which they could be identified from the data, those records are off the table. Yes, if you have (say) a tax form you sent to the Government about their pay and deductions then they can have that. But if you have a monthly wages spreadsheet in which they’re listed as one of 104 employees, they’re entitled to the bit about them, but you must redact the other 103 lines to protect

the other people’s personal data. Deliver what you’re obliged to, and nothing more: if you over-deliver you can never take it back, but if you under-deliver in good faith you can always make good, generally with no penalty, if the Commissioner insists you do so. But let’s wind the clock back for a moment and look at the point at which the DSAR lands in your inbox. What’s your first step? Email IT and get them to initiate the search of the corporate email system? Speak to HR and get them to start photocopying the individual’s CV?

No. You pick up the phone.

I’ve spoken to several people who’ve been on the receiving end of DSARs and their experience is the same as mine: if you pick up the phone to the Data Subject and ask them what they’re actually after, you can save yourself a lot of work. Yes, I’ve called the Data Subject and said: “What do you actually want?” and they’ve simply responded: “Everything” and stopped there. But similarly, I recall one instance where I called the Data Subject, chatted to him, sorted out the underlying customer service issue that underpinned his “I’m going to make waves” DSAR and heard the magic words: “Oh, thanks for that, you can disregard the access request”. Hours of work to zero effort in a single five-minute call.

So, then, DSARs are a part of a DPO’s life – and by implication that of the IT team, who inevitably have to do a lot of the search work. But by applying common sense and appealing to the human side of the Data Subject, you can often head ’em off at the pass.

Preparing your first cyber incident response plan

While attending our recent talks hosted by Bruce McDougall and Matt Palmer on the subject of incident response, it struck me that the overall maturity of businesses’ approaches to incident response can vary greatly.

Often, I speak to businesses regarding the overall maturity of cyber security posture assuming basics are in place – but that is often not the case. Cyber incident response plans are one of those basics that are generally missed. Most businesses generally focus on the avoidance of an incident – and while that is an envious position, generally it is not ‘if’ but ‘when’ an incident will happen. It is incredibly important to be prepared, have a plan, and ensure it is tested.

So where and how do you begin?

Don’t reinvent the wheel!

There are many frameworks, standards, and guidelines out there that provide detailed instruction in how to manage incident response. One of the most popular is NIST 800-61. The most important point here is that you do not need to start from scratch, there are even templates available for your business to download and adapt to suit such as the Incident Response Policy Template for CIS Control 17.

Utilising these ready-made templates will provide the basis for your plan, with the core steps required for the most basic forms of incident response.

Build a successful team

Your incident response team does not need to solely be made of security analysts, in fact it is recommended to not be a closed group. It is important for your response team to be made up of a cross section of resources across your business. Key roles to consider in the make up of your team are:

• Incident Response Lead – your IR lead manages the overall running of your incident, keeping each member working within the process defined on paper. This role often has a good understanding of Incident Management and can lead a group of people and keep level-headed.

• Security Analyst / IT Analyst – including a member of your Security or IT teams is a must. Often acting as a liaison between your more technical teams containing or remediating an incident, they will provide the much-needed subject matter expertise to the team.

• Communications – a key member of the team, ensuring your plan includes the necessary processes for communications both internally and externally. Have a plan and resource to enact quick and clear communication so you can focus on the incident management.

• Senior / Executive Leadership – ensure your incident management team has the necessary senior support to ensure quick escalation where necessary. This position can also provide support for specific roles, such as communication or spokesperson support.

• HR / Health & Safety – always consider the people aspect, as the safety of people always comes first. Ensure someone is in the room to consider this as a priority and have processes in place to ensure the rotation of staff during incidents that may required management over a long period of time.

Once your team is assembled, ensure your roles and responsibilities are clearly defined and awareness shared. A successful team will be the one who knows their roles well.

Know your stakeholders

It is important to know and understand your stakeholders during and after an incident. These are the individuals, entities or businesses that have an interest in your incident management status, such as regulators, insurers, customers, or suppliers. Have a clear plan for whom you need to communicate to and when, and be pro-active.

There are some stakeholders such as the Jersey Office of the Information Commissioner that may need to be informed under certain circumstances, within certain timescales.

Others such as customers and suppliers will want timely updates to alleviate concerns, if necessary. A proactive approach to communication can also support and avoid the potential floor of incoming communication that can cause issues with your incident response.

Post incident response

Don’t forget your post incident activities. When an incident is over and contained, and recovery is complete, we often want to take a sigh of relief and down tools. It is very important that post incident we take some time to complete activities that will greatly increase our response capabilities in the future: every incident is an opportunity to learn, so ensure you take your chance.

Ensure your have a lessons-learned process, review your incident response from a critical point of view. Include your team members within your lessons learned exercise and discuss what went right and what went wrong. Document your findings and implement a plan of action to improve.

Test, test test!

Don’t wait until a live incident to test your plan. Implement a schedule of testing, starting with the basics of a plan run-through. A plan run-through or review with all of your team present will give the option to raise awareness of the plan, and to include each individual’s role and responsibilities within. During this time each team member will have the opportunity to ask questions and prepare.

Once plan run-throughs are complete, progress towards a table top exercise. This type of exercise is a paperbased scenario that is created to role-play an incident, utilising your plan. There are a few ways to do this, the simplest being creating the scenario yourself and having a member of the team read through various prompts to similar an incident scenario. Another options available is the NCSC Exercise in a Box, which includes pre-built table top exercise for your teams to run through.

The important thing here is to test your plan, ensure it works. Any issues found, create an action plan to fix –then test again.

Summary

In summary, it may seem scary to begin the process of creating an incident response plan. However with a little bit of research there are many resources available online to support a speedy adoption of a simple plan. Your plan does not have to be complicated; anything is better then nothing. Create a plan, test and improve – then repeat the process.

Deterring spammers and phishers

We’ve seen an interesting attack recently. Some malicious actor set up a domain and an email account that was one letter different from the real domain, acquired a copy of an invoice, and sent it to a known customer attached to a note saying that their bank details had changed. Fortunately the attack was spotted…

We took a little look at this. There’s actually very little that a small business can do about this sort of impersonation beyond human vigilance (there are tools, but they’re primarily for larger businesses). However, there are a number of things that can be done that will suggest to malicious actors that this is a hard target and they should go elsewhere. Namely:

Account security: We won’t insult you by assuming that you haven’t got a good password and two-factor authentication on your email account and system access. To remind you, a good password is one that’s unique, easy for you to remember, but hard for a computer to guess: so a passphrase of three or four words (for a total of 20+ characters), maybe one capital letter and a number somewhere in it, is a good starting point. Store it safely and change it when you think it might have been disclosed. And if anyone is saying, “what is 2FA?”, please give us a call and we’ll explain why you need it!

SPF, DKIM and DMARC settings: These are three linked tools that help to prevent spam and phishing. Sender Policy Framework (SPF) allows domain owners a way to publish a list of IP addresses or email addresses that should be trusted for a specific domain. Domain Keys Identified Mail (DKIM) adds a signature to outgoing email that a receiver can verify, while Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on SPF and DKIM, first to report on which systems are sending mail from a domain, and later to quarantine any email being sent that’s not legitimate.

All three of SPF, DKIM and DMARC require that you have a public DNS record, and DKIM requires you to set up a public/private key pair. They are a little fiddly to get right, but the hassle is worth it. The two legitimate local businesses were some of the way there, but there were parts that were missing or misconfigured.

TLS settings: The current version of Transport Layer Security (TLS) is 1.3, and the previous version (1.2) is also viewed as providing satisfactory security. Anything below that is not (and both of the businesses were still allowing versions 1.0 and 1.1)

The problem here is that every time email is sent, a negotiation takes place. The sender says “I have mail for you.” The receiver says something like “OK, you can send me using TLS v1.3.” A normal sender might reply, “I can’t do 1.3, but will 1.2 do?” and the receiver should agree it. However, if the sender and the receiver can’t agree a level, the mail will be sent across unencrypted. So when you limit the number of acceptable versions of TLS for your email, you need something that will stop that happening. That something is MTA-STS, short for Mail Transfer Agent-Strict Transport Security. The simple upshot is that any mail where it isn’t possible to agree a satisfactory TLS connection is blocked. Most mail service providers – the likes of Microsoft and Google – provide it, but not out of the box. But neither of the local businesses had enabled it.

There are a number of other tools you can use – the next step after the basics might be DNSSEC, which allows you to put a cryptographic signature onto DNS records. It’s an attractive idea, but it does introduce rather more complexity, and a lot of .com domains do not use it. And there’s also one non-technical process that you should have: if you are going to change important details like bank accounts, ensure that you have a way to carry out an out-of-band check, where the recipient can communicate (say) via a secure messaging app like Signal or WhatsApp whose details are not known by anyone else.

Let’s be clear: we are not sticking the boot in on the victims of the attack. But the problem is that if people think that one Jersey business or organisation is a soft touch, more malicious actors will try attacks here – and that’s the last thing we want.

As our story shows, we are not immune: malicious actors do target Jersey. So… we really do need businesses and organisations in Jersey to do better and to be prepared for this sort of attack. And if you want us to check the status of your system (we have access to tools), we’re very happy to do so and to help you prepare for the next attacker.

Protect + Detect + Respond

We protect businesses like yours from cyber security attacks... everyday.

GOVERNANCE SERVICES

SECURITY TESTING

SECURITY MONITORING

Cybercrime is becoming more sophisticated and harder to detect. We can test, remove, improve and monitor weaknesses in your defences to reduce the risk of a breach and catastrophic loss of data. Let us find threats you could miss and stop attacks before they stop you.

Don’t assume you’ll be ok. Give yourself peace of mind and take the first step to securing your business. Find out more defencelogic.io

About the JCSP

The JCSP was created by the Channel Islands Information Security Forum (CIISF) to provide cyber security advice and consultancy to charities and other Not-For-Profit organisations (NFPs) who would otherwise not be able to afford it. Although there are many charitable funds that provide financial backing to help charities achieve their aims, it can often be difficult to obtain funding for tasks that aren’t considered core to a charity’s purpose – of which cyber security is one of the most critical areas.

How does the JCSP work?

We work with Jersey organisations that have employees with cyber security skills – technical or otherwise – to donate up to ten hours per year of at least some of those employees’ time. This time goes into a “pool” to which charities and NFPs can apply, and when an application comes in from a deserving cause, we connect the applicant with an appropriate specialist who can deal with the requirement.

Who can apply to the JCSP?

We welcome applications for help from any NFP that requires it – and do please note that we accept applications from across the Channel Islands, not just Jersey.

Can we make joint applications?

Absolutely! If there are several charities in search of, say, cyber security awareness training, it makes sense for you to club together and request a single session instead of putting in separate applications. And if we receive several similar applications where it would make sense to bring the clients together, we’ll suggest that to you.

Why would companies contribute staff time?

It’s understandable that companies might be reluctant to contribute their staff to do free work for a client when they could be charging them for it. But that’s the point of the JCSP’s model: the people your staff are helping out for free are precisely those who wouldn’t be able to afford your services anyway.

In addition to corporate recognition for contributions to the Pool, the individuals can also (subject to their professional bodies’ criteria) claim CPD credits for the work they do under the scheme.

What kind of request do you get?

It varies widely. We’ve been asked for, among other things: general advice on looking after sensitive data; technical hands-on assistance to check that a charity’s internet router was configured securely; and lots of security awareness training. Sometimes we are approached by NFPs that do have some element of understanding of cyber issues but who have a gap they believe needs to be filled. The wide variety of skills in the pool has enabled us never to have to turn down a request.

A recent piece of work for the Jersey Employment Trust prompted this testimonial from Sarah Boydens, their operations and quality assurance manager:

We contacted the JCSP to assist our organisation with cyber security awareness earlier this year. We had a prompt reply and were matched up with an expert in the field who was flexible to accommodate a number of sessions which we needed to ensure all our staff had awareness training. Our allocated expert worked with us to ensure our current policies were included as part of the training. The sessions delivered were interesting and informative and the trainer was open to follow up questions which has helped us to ensure staff understood the risks and security measures. The process of arranging the training was seamless and I would highly recommend contacting the JCSP for training. Our staff came away with a greater awareness of cyber security which assists our charity to be more secure. It has also had the benefit of cost saving to access the free services and therefore we can continue to use funds for the main charity purpose, supporting people with a disability and health condition to gain and maintain employment.

How do I get in touch?

If you’re a Channel Islands organisation that would like to donate some of your people’s time to the Jersey Charitable Skills Pool, please email us at members@jerseycsp.org.uk.

If you are a charity or NFP looking for help with your information security, you can apply via the web site jerseycsp.org.uk ; if you have any other queries please email us at applications@jerseycsp.org.uk.

Penetration Testing vs Vulnerability Scanning: What you need to know

We are continuously hearing how vulnerable organisations are to cyber-attacks. So, there is no better time to get yourself clued up about vulnerability scanning and penetration testing. Whether the data is personal or for a client, it is imperative, now more than ever, to make sure that your data is secure. Vulnerability scanning and pen-testing are two main ways to check that you are doing the right things to keep your data safe from online threats.

What is a Vulnerability Scan?

A vulnerability scan does as it states on the tin. It scans for vulnerabilities. Vulnerability scans can take place on any desktop, laptop, server, virtual machine, container, firewall, printer, and switch, so long as they are connected. The scans can identify operational details, such as the operating system being used, and any software installed. They can also identify other attributes such as user/host accounts and open/ closed ports. This allows organisations to see the vulnerabilities in their networks, systems, and software. Vulnerability scans provide insights into the severity of each vulnerability and recommendations on how to mitigate the vulnerability.

There are many different types of scans to choose from including:

Wireless Scans

A wireless network scan identifies wireless security issues and or rogue access points to validate that a company’s wireless network is secure.

Network-Based Scans

A network-based vulnerability scan identifies vulnerable systems on networks, unauthorised devices, unauthorised remote access servers, connections to insecure networks and possible security attacks. This scan identifies vulnerabilities in servers, workstations, and other network hosts. Whilst providing greater visibility into configuration settings and previous patch history of scanned systems, these scans can also provide insight into the potential damage done by outsiders and insiders, depending on the level of access granted or taken on a system.

Application Scans

An application scan identifies previously known software vulnerabilities and misconfigurations in network or web applications including websites and or internal portals etc.

Authenticated and Unauthenticated Scans

An authenticated vulnerability scan allows the tester to log in to a system as a user and see the vulnerabilities as a trusted user. An unauthenticated vulnerability scan does the opposite of an authenticated scan. An Unauthenticated scan puts the tester in the perspective of an intruder.

External and Internal Scans

An external vulnerability scan is conducted from outside an organisation’s network, targeting IT infrastructure that is exposed to the internet including web applications, ports etc.

An internal vulnerability scan is conducted from within an organisation. These scans allow the tester to scan systems that are mainly not covered in the external scan. An internal scan can detect issues such as threats posed by malware and identify “insider threats” posed by contractors and disgruntled employees.

What is a Pen-test?

A penetration test (or pen-test) can also be conducted to find known and unknown vulnerabilities in a system. Pen-tests are more hands-on and require very talented people to conduct them. A pen-tester will first try and find vulnerabilities within a system and safely try to exploit these vulnerabilities to see what data could be stolen. Pen-testers use everything from social engineering and phishing attacks to brute-force attack. This is to give a realistic example of how good an organisation’s security is. Examples of pen tests are web application tests, network security tests, internet of things security tests, cloud security tests and social engineering.

Risk Ratings

At Defence Logic, we use risk ratings to classify the risk of the vulnerabilities found inside an organisation. This is based on a CVSS score. (This stands for the common vulnerability scoring system.) This provides a numerical representation of the severity of the vulnerability found within the organisation. Scores range from 0 to 10. 0 – 0.9 represents a vulnerability that is extremely difficult to exploit, and no action is needed to make it secure; and 9.0 – 10.0 represents a vulnerability that needs to be resolved as soon as possible due to it being easy to exploit. It should be noted that risks are classified according to technical severity, which does not evaluate any compensating controls that may be present.

What is Better for My Organisation?

The simple answer is that it depends on the information about your security you are looking to get. Vulnerability scans, in its simplest form points out what is vulnerable in your system. Whereas pen-tests find the same vulnerabilities, they are also exploited to show what data can be gathered and how severe the vulnerability can be for your organisation.

Working With Jersey Cyber Security Center During a Cyber Security Incident

Who are Jersey Cyber Security Centre (JCSC)?

Cyber threats to Jersey are increasing in frequency and severity, which is why the Government of Jersey formed JCSC, Jersey’s technical authority on cyber security.

We prepare, protect and defend the Island against cyber threats, by undertaking threat analysis, providing defence against national cyber attacks, providing technical advice on cyber security, and supporting response to major cyber incidents to minimise harm.

We are not a regulator or a law enforcement authority, and operate at arms-length from Government, providing free and confidential advice on cyber security.

How we can help with your cyber incident

If you have experienced a major cyber incident, we can:

• Provide technical advice and guidance; in exceptional circumstances we may deploy incident response to provide direct technical support

• Use our access to global threat intelligence and partnerships with other national cyber agencies to understand the incident better – identifying the attacker, their likely motivations, if there are other victims, and if the compromise is likely to spread

• Co-ordinate any cross-government response, helping you to work with the relevant public bodies including government, regulators and law enforcement as well as international cyber authorities, and ensuring communications are aligned.

When should I contact JCSC

You should ask JCSC for help if your organisation has experienced a severe cyber incident which poses a risk to your organisation, customers or suppliers.

We appreciate reports of less severe incidents, for information only, to help us understand threat to the Island, improve our guidance, and potentially help protect other organisations. Please don’t use a compromised network to report to us.

You can contact us on 01534 500 050 or to hello@jcsc.je

For incident reports, call us if urgent or please email incidentreports@jcsc.je

To share phishing emails for information, send them to phishing@jcsc.je

What happens to information shared with JCSC?

Any information we receive from victims of cyber incidents is protected in the same way we protect our own confidential information, securely and with limited access.

We only share a victim’s information with other organisations if we have the victim’s permission to do so, or in exceptional circumstances with authorities and partners such as UK NCSC for a public interest reason such as national security.

Information held for national security and crime prevention purposes can be exempt from disclosure under the Freedom of Information (Jersey) Law 2011.

About Islands Data Governance Forum (IDGF)

IDGF is a not-for-profit organisation, founded to bring together the Data Community to discuss, debate and challenge ever changing data protection and cyber security regulations and what constitutes best practice. Our membership comprises of individuals who are resident or work in any one of the Islands. Membership is entirely free. Currently the Islands involved in the organisation are Gibraltar, Guernsey, Isle of Man and Jersey but we continue to expand our network into other jurisdictions.

What events are coming up and where?

Isle of Man, Woodbourne House and virtually

Data Protection Conference

Thursday 5 October

Co-hosted with BCS Isle of Man

Agenda Summary

• Kurt Roosen, Data, Data everywhere and not a drop to sync.

• Laura Van Gompel, Difficulties and loop holes in complying with GDPR with an overview of cases

• Panel, What is the key to successful collaboration across the islands. Moderator David Carney, Panellists: Steph Luce, Callie Loveridge, Dave Cartwright.

• Katherine Garrood, balancing competing regulatory obligations.

• Panel, all things DSAR. Moderator Sinead O’Connor. Panellists include Sarah Holland.

• Stewart Haynes, Insight 2 months into the role of Information Commissioner, priorities and roadmap.

• Panel, How does AI fit into Data Regulation. Stewart Haynes, Emma Martins, Bradley Tosso, Paul Vane.

• Speaker TBC, The role of ethics and professionalism in building thinking systems.

• Chris Stott, Data on the Moon, the boundaries of a jurisdiction.

• Blockchain – the good the bad and the ugly.

• Data Sovereignty

• David Carney, What does Data Protection have to do with ESG?

Guernsey, Les Cotils and virtually

Data Protection and Cyber Security Conference

agenda available at page 36.

Guernsey, Digital Greenhouse

Reflections by Emma Martins and Iain McDonald of their time as commissioners. Full details available at page 36.

Jersey, St Paul’s Centre

Half Day Data Protection Conference

Tuesday 24 October

Co-hosted with JCSC and JOIC

• Sarah Holland the Good the bad and the Ugly of Data Protection.

• Panel, what is the relationship between cyber security and data protection. Moderator David Carney, panellists Steph Luce, Sarah Holland, David Cartwright and Bruce McDougall.

• Anne King and Sammie Gardner, No nonsense guide to privacy.

How do I become a member?

Join our Linkedin Group – Islands Data Governance Forum or email us.

How do I get in touch?

Contact Steph Luce, founder and Chair

Email: islanddatagovernanceforum@gmail.com

Linkedin: Islands Data Governance Forum

With special thanks to

Our Annual Gold Sponsor:

Our Annual Silver Sponsor:

If you would like to find out more about any of these events please visit eventbrite.com/o/57894020053 or scan the QR code:

Guernsey Data Protection and Cyber Security Conference

Thursday 12 October at Les Cotils and virtually via Microsoft Teams.

Networking, teas and Coffees

Guests to be seated

Opening Steph Luce, Chair of IDGF, Head of Legal & Governance for Jersey Cyber Security Centre

What does ESG have to do with privacy?

David Carney, Vice-Chair of IDGF, Director Risk Assurance and Data at Grant Thornton.

What is REALLY happening in cyber?

Matt Palmer Director of Jersey Cyber Security Centre

Data Protection Laws Around the World Ibrahim Hasan, Lawyer and Director, Act Now Training

How AI and Automation drives CERT/SOC operations and how it can benefit your security team.

Peter Bassill, Head of CERT.Gib and CEO of Hedgehog Security

Panel Discussion with Regulators from across the Islands. Moderator: David Carney

Panellists: Emma Martins, Data Protection Commissioner Bailiwick of Guernsey. Bradley Tosso, Director of Information Rights and Operations, Gibraltar Regulatory Authority.

Ian Deguara, Data Protection Commissioner at Office of the Information and Data Protection Commissioner of Malta.

Paul Vane, Information Commissioner Bailiwick of Jersey

Break Lunch

Smart Cities and FRT

Bradley Tosso, Director of Information Rights and Operations, Gibraltar Regulatory Authority.

Borders in a borderless world – what localization does (or doesn’t do) to enhance cybersecurity, and how to achieve the same effect regardless of where it resides. Lori Baker, Vice President, Legal & Director of Data Protection Dubai International Financial Centre Authority.

That Friday Feeling – lessons learned from cyber incidents

Richard Field, Partner Dispute Resolution, Appleby Guernsey

Insights from Project Bijou

Emma Martins, Data Protection Commissioner Bailiwick of Guernsey

Closing remarks

David Carney Vice-Chair of IDGF, Director Risk Assurance and Data at Grant Thornton.

After the conference attendees are warmly encouraged to join us at Digital Greenhouse for 15:30 where Emma Martins, Data Protection Commissioner for Bailiwick of Guernsey and the former Information Commissioner for the Isle of Man, Iain McDonald will be reflecting on their time as Commissioners.

Emma Martins, Data Protection Commissioner for the Bailiwick of Guernsey.

Iain McDonald, former Information Commissioner for the Isle of Man.

Panel Discussion

Moderator: David Carney, Vice-Chair of IDGF, Director Risk Assurance and Data at Grant Thornton.

Panellist: Emma Martins and Iain McDonald.

Raise a farewell glass

Full details of the events may be found at this URL: eventbrite.co.uk/o/jersey-cyber-security-centre-37649483383 or by scanning this QR code:

About the Fraud Prevention Forum

We’re here to develop a coordinated and strategic approach to the protection of the Island’s general public from frauds and scams between the agencies concerned. Remember that if you are a victim of scam, or an attempted scam, however minor, there may be hundreds or thousands of other people in a similar position – so your information may form part of one big jigsaw and may be vital to completing the picture.

Who are we?

We represent a wide range of Government and private organisations. Some of us (like the Consumer Council) represent consumer interests. Some of us represent telecoms providers (after all, a lot of fraud uses digital networks); some are regulators. The group is convened by the States of Jersey Police.

What do we do?

The most obvious thing that most people will see is our newsletter – this comes out twice a year in April and November and is delivered to every home in the island. We run a website and a Facebook page. We also attend public events like the annual Boat Show to get the message out.

We also meet regularly to keep each other up to date with what we are seeing that fits the broad heading of fraud. That might be romance fraud, people trying to sell goods they don’t have, phishing, parcel delivery scams… and a whole lot of other things besides. After all, in the UK some 40% of all reported crime is fraud, and we doubt that it’s much different in Jersey. On top of this, we can – and do – contact each other if there’s a matter that needs to be responded to urgently.

How do you contact us?

You can check out our website at fraudprevention.je We’re on Facebook as @jsyfraudforum.

If you think you have been targeted by a scam

Please contact the States of Jersey Police on 01534 612612

If the breach/incident includes personal data

The Jersey office of the Information Commissioner is here to help, support and guide you. You may also be required to formally report the matter and if so, should do so within 72 hours after becoming aware of the matter if there is a risk to data subjects.

T: 01534 716530

W: jerseyoic.org/report-a-breach

If it is a cyber security related incident

There’s no need to be embarrassed, they happen all the time. However, by sharing we can protect others and help ourselves in the future. Notify jcsc.je using the email address below so we can learn together as a community and stay one step ahead of the threat.

E: incidentreports@cert.je

W: jcsc.je

If you wish to provide information about crime or criminal activity anonymously

T: 0800 555 111

Please call CrimeStoppers or use the online form at this link:

W: crimestoppers-uk.org/give-information/forms/give-information-anonymously

If you have more general concerns, contact one of our member organisations:

Jersey Cyber Shield

We receive alerts on vulnerabilities, breaches and disclosures from thousands of data sources every day, and analyse this data to help improve your defences. Jersey Cyber Shield provides an extra layer of defence to reduce the number of successful cyber attacks. Of course it doesn’t replace your own controls. However by combining this global threat intelligence with local knowledge we can tell you about issues we find for your organisation, so you can respond to them before an attacker does.

Advanced Warning Service

PreventedAttacks

Attacks on Jersey Organisations

Cyber Shield

Vulnerability

Advisory Service

Successful Attacks

Active Scanning

Co-ordinated Disclosure Programme

Jersey Cyber Shield is free to use for local organisations. Use the QR code or visit jcsc.je to find out more.

Analysis and Response

Local Cyber Risk Insights

Public Advisories

Targeted Information Sharing

What is Jersey Cyber Shield, and why should I join?

For the last 12 months the team at Jersey Cyber Security Centre have been working on new capabilities to defend Jersey from cyber threats. To find out more about the Jersey Cyber Shield we spoke to:

We know that users in Jersey are being targeted –either for reconnaissance to find out more about a system or an organisation, or for attack. How will the Cyber Shield help?

James: We are bringing together a series of different services, which together we call the Jersey Cyber Shield. The idea is that most vulnerabilities you can see from outside private networks will be detected by the shield and then addressed by participant organisations, so that the majority of attacks can be rebuffed.

Can you explain to us in simple terms what the services are that make up the shield?

Paul: The first is a Vulnerability Advisory Service. Vulnerabilities are just weaknesses like unpatched systems, and there are thousands in Jersey at any point in time. JCSC receives daily vulnerability information about systems in the Island from international organisations and from other national CERTs. This information comes from passive scanning of internet-facing devices. The security issues these scans find are communicated to the owners of the systems for them to action.

The second is Advanced Breach Detection. This allows selected organisations to install a variety of honeypots in their network. If you’re not familiar, a honeypot is a device that is designed to look like a vulnerable device or an enticing file.

If someone tries to get access to it, the honeypot will report to JCSC, triggering an alert to the owner to action. If we see lots of alerts, we can look at the patterns and that helps us spot coordinated attacks.

Thirdly, Coordinated Vulnerability Disclosure. This allows any security researcher or member of the public to report a vulnerability that they may have found with an internet facing system in the island. The report will be reviewed and passed on to the affected system owners in confidence. Finally, we are looking at strengthening the shield though Active Scanning. At the moment, malicious attackers can scan our address space to find vulnerabilities but we can’t look ourselves, so we need to level the playing field a bit or we will always be a step behind. However we also need to make sure we do this in a legal and compliant way, so we’re looking at bringing this in on an opt-in basis during 2024. That sounds complicated. Does it really work?

Paul: We started planning the Cyber Shield in 2022, so it has been a full year in development, and we have been testing with manual processes since May this year. This has already resulted in over 500 vulnerabilities being fixed, any of which could have led to a cyber attack. We’re now ready to being scaling up, and we will continue to develop the service over time.

What does it cost?

James: There is no charge to participate. However we won’t be able to offer all services to everyone. Everyone can access the vulnerability advisory service for example, but deploying honeypots is more complex and requires agreement, so that will be on a case by case basis.

Does the Cyber Shield replace my existing security measures?

Paul: No, it works together with them. You still need to maintain strong controls to protect your organisation. We are providing an extra layer of visibility to help you, but it’s up to you to make sure your organisation

What’s in it for me?

James: You will have a better picture of your security posture. And you will also have a nice warm feeling because you are not just helping yourself, but the rest of the island as well.

How do I sign up?

James: Go to smartsurvey.co.uk/s/F42FNF and fill in the form. It will help to have to hand your website address, contact details, and any fixed IP ranges you operate.

Do I need Cyber Essentials?

Why CyberEssentials could be right for you

Nobody wants to lose sleep at night worrying about cyber risk. Yet without the right independent assurance, it’s hard for board members, customers, partners or service users to know that they can count on you. A Penetration Test is important, but only tests a small part of your cyber defences. Traditional options for external assurance such as ISO27001 can be costly and are not right for everyone.

What if there was a framework for assurance that was sensible, cost effective, and endorsed by the Government? The good news is, there is. Cyber Essentials (CE) is the UK government’s baseline security standard designed to be accessible to even smaller organisations.

It’s also mandated by the UK and Jersey governments for public sector suppliers, and this basic Cyber Essentials self-assessment costs as little as £300. Some of the very smallest organisations may stop there; however, JCSC strongly recommend that all organisations that use technology to deliver a service or process confidential data undertake a Cyber Essentials Plus certification (CE+).

With pricing dependent on company size and requirements – CE+ is more than a self assessment and provides an affordable, effective baseline for cyber security competence.

By undertaking a CE+ certification, organisations can:

• Build trust with customers and stakeholders, demonstrating the resilience of their service and the security of data they hold.

• Ensure a set of generally accepted baseline controls are in place to contribute to Data Protection compliance.

• Access higher value public contracts and sub-contracts with other government suppliers.

• Provide management with confidence that the risk of cyber incidents is managed to a reasonable level.

• Obtain a badge that can be displayed on their website to demonstrate their cyber security status.

Several local suppliers in Jersey are already accredited to provide CE+ certification, giving you a trusted partner to enforce your cyber defences.

“All the requirements of Cyber Essentials Plus are sensible and reasonable. Like having a fire alarm in a hotel, food hygiene certificates in a restaurant or identity checks in a bank verified basic cyber hygiene should not be seen as nice to have, but as an entry ticket to operate. This is the case whether you are operating a regulated entity, an unregulated business, a charity or a public service provider.

Larger organisations can find CE+ difficult as it’s quite prescriptive, but that is also its superpower - because it has clearly defined controls, it is easy to assess against. Challenges are often due to poor legacy practices, obsolete technology, or slow patching cycles - all issues that can and should be addressed over time. Taking 60 days to patch vulnerabilities or running unsupported systems are no longer practices boards can accept.

Next Steps

The following local organisations are accredited by IASME to undertake Cyber Essentials assessments:

• Prosperity 24/7: prosperity247.com

01534 877 247

• CyberTec Security: cybertecsecurity.com

01534 715 260

• Resolution IT: resolutionit.com

01481 267 338

• Clarity: seekclarity.com

01534 618 624

Other local IT and cyber security providers may also be able to assist.

JCSC social media:

@CERTJersey

/company/certjersey

Attend our event: cert.je/events

@jerseyCERT @cert.je

Eventbrite: Cyber Essentials Breakfast

20 October 08:30 - 10:30 BST

Subscribe to the Jersey Cyber Security Centre Newsletter

Cyber Security Awareness Month is unsurprisingly a key month in our calendar. Since its inception, the mission of the JCSC has been to promote and improve the cyber resilience of the Island’s critical national infrastructure, business communities and citizens. This is a message we work hard to promote and in our monthly Jersey Cyber Security Centre newsletter you can access the latest news, events, tools and resources from the cyber security world all year round. The newsletter shares useful information on how to protect yourself, your family and your organisation from malicious hackers, aggressive nation states, and organised crime. We also share details on local job opportuntiies in the cyber field.

To subscribe, visit cert-jersey.beehiiv.com subscribe or scan the QR code:

Gold Sponsors

Sponsors

Contact us

Chair: David Cartwright

Email: admin@ciisf.org

Website: ciisf.org

Director: Matt Palmer

Email: hello@jcsc.je

Website: jcsc.je

Phone: 01534 500 050

Operations Centre: 1 Seaton Place, St Helier, JE2 3QL