
Data Watch: Actions to Take When the Cyber Threat is Heightened
from BSA Today Issue 14
by bsatoday
Article | Stuart Walsh, Chief Information Security Officer at Blue Stream Academy
In this issue, Stuart curates guidance from the National Cyber Security Centre to help BSA Today readers improve their information security practices and reduce the cyber threat for all health and social care organisations.
In response to Russia’s invasion of Ukraine, the National Cyber Security Centre (NCSC) has called on UK organisations to strengthen their online defences.
“While we are unaware of any specific cyber threats to UK organisations in relation to events in Ukraine, we are monitoring the situation closely and it is vital that organisations follow the guidance to ensure they are resilient,” explains Paul Chichester, the NCSC’s Director of Operations, in a statement published alongside the latest guidance.
With this in mind, we’re strongly encouraging health and social care organisations to reduce their risk of becoming victims of an attack.
The following guidance from the NCSC explains in what circumstances the cyber threat might change and outlines the steps that organisations can take in response to a heightened cyber threat.
If you’re curious about what any of the technical terms in this article mean or you want to know what your data security team are talking about, read the Data Watch Glossary article in this issue.

Balancing Cyber Risk and Defence
The threat an organisation faces may vary over time. At any point, there is a need to strike a balance between the current threat, the measures needed to defend against it, the implications and cost of those defences and the overall risk this presents to the organisation.
There may be times when the cyber threat to an organisation is greater than usual. Moving to heightened alert can:
• Help prioritise necessary cyber security work.
• Offer a temporary boost to defences.
• Give organisations the best chance of preventing a cyber attack when it may be more likely, and recovering quickly if it happens.
Factors Affecting an Organisation’s Cyber Risk
An organisation’s view of its cyber risk might change if new information emerges that the threat has heightened. This might be because of a temporary uplift in adversary capability, if for example there is a zero-day vulnerability in a widely used service that capable threat actors are actively exploiting. Or it could be more specific to a particular organisation, sector or even country, resulting from hacktivism or geopolitical tensions.
These diverse factors mean that organisations of all sizes must take steps to ensure they can respond to these events. It is rare for an organisation to be able to influence the threat level, so actions usually focus on reducing your vulnerability to attack in the first place and reducing the impact of a successful attack.
Even the most sophisticated and determined attacker will use known vulnerabilities, misconfigurations or credential attacks (such as password spraying, attempting use of breached passwords or authentication token reuse) if they can. Removing their ability to use these techniques can reduce the cyber risk to your organisation.

Actions to Take
The most important thing for organisations of all sizes is to make sure that the fundamentals of cyber security are in place to protect their devices, networks and systems.
The actions below are about ensuring that basic cyber hygiene controls are in place and functioning correctly. This is important under all circumstances but critical during periods of heightened cyber threat.
An organisation is unlikely to be able to make widespread system changes quickly in response to a change in threat, but organisations should make every effort to implement these actions as a priority.

Check Your System Patching
• Ensure your users’ desktops, laptops and mobile devices are all patched, including third party software such as browsers and office productivity suites. If possible, turn on automatic updates.
• Check to make sure firmware on your organisation’s devices is also patched. Sometimes this is implemented in a different way to updating software. See the NCSC’s Device Security Guidance.
• Ensure your internet-facing services are patched for known security vulnerabilities. Internet-facing services with unpatched security vulnerabilities are an unmanageable risk.
• Ensure, where possible, that your key business systems are all patched. Where there are unpatched vulnerabilities, ensure that other mitigations are in place. See the NCSC’s guidance on Vulnerability Management.
• Also review existing business cases for known unpatched systems in view of the heightened threat.

Verify Access Controls
• Review user accounts and remove any old or unused accounts. If you have multi-factor authentication (MFA) enabled, check it is properly configured. Make sure it is enabled on systems and user accounts according to your policies.
• Carefully review any accounts that have privileged or administrative access and remove old, unused or unrecognised accounts. Ensure that accounts that have privileged access or other rights are carefully managed and, where possible, use MFA. Privilege can refer to system administration, but also to access to sensitive resources or information, so ensure resources are also adequately protected.
• Consider your overall system administration architecture to better understand your risk in this area. See the NCSC’s guidance: Secure System Administration.
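As an added illustration, not part of the NCSC guidance or the original article, the following Python script shows what the account review above looks like when run over a user export. The sample inventory, the 90-day staleness threshold and the review date are constructed assumptions; in practice the list would come from your directory or identity provider and the thresholds from your own policy.

```python
from datetime import date, datetime, timedelta

# Constructed sample export (not real accounts): the fields a directory or
# identity-provider user export typically gives you.
ACCOUNTS = [
    {"user": "jsmith",     "enabled": True,  "privileged": False, "mfa": True,  "last_logon": "2022-03-10"},
    {"user": "old.temp",   "enabled": True,  "privileged": False, "mfa": False, "last_logon": "2021-09-01"},
    {"user": "svc-backup", "enabled": True,  "privileged": True,  "mfa": False, "last_logon": "2022-03-11"},
    {"user": "admin2",     "enabled": True,  "privileged": True,  "mfa": True,  "last_logon": "2021-11-30"},
    {"user": "leaver",     "enabled": False, "privileged": True,  "mfa": False, "last_logon": "2021-06-15"},
    {"user": "never",      "enabled": True,  "privileged": False, "mfa": False, "last_logon": None},
]

AS_OF = date(2022, 3, 14)          # assumed review date for the sample data
STALE_AFTER = timedelta(days=90)   # assumed policy: no logon in 90 days = stale


def audit_accounts(accounts, today=AS_OF, stale_after=STALE_AFTER):
    """Return findings by category, each a sorted list of usernames."""
    findings = {
        "stale": [],                 # enabled but unused (or never used): candidates for removal
        "privileged_no_mfa": [],     # privileged/administrative access without MFA
        "disabled_privileged": [],   # disabled accounts that still hold privilege
        "no_mfa": [],                # any enabled account not enrolled in MFA
    }
    for acct in accounts:
        name = acct["user"]
        if not acct["enabled"]:
            # A disabled account that keeps its privileged group membership
            # becomes fully privileged again the moment it is re-enabled.
            if acct["privileged"]:
                findings["disabled_privileged"].append(name)
            continue
        last = acct["last_logon"]
        if last is None or today - datetime.strptime(last, "%Y-%m-%d").date() > stale_after:
            findings["stale"].append(name)
        if not acct["mfa"]:
            findings["no_mfa"].append(name)
            if acct["privileged"]:
                findings["privileged_no_mfa"].append(name)
    return {category: sorted(users) for category, users in findings.items()}


if __name__ == "__main__":
    for category, users in audit_accounts(ACCOUNTS).items():
        print(f"{category:20s} {', '.join(users) or '-'}")
```

The categories map directly onto the bullet points: "stale" accounts are the ones to remove, "privileged_no_mfa" are the ones to enrol first, and "disabled_privileged" are the leavers whose rights were never actually stripped. Treat "privileged" broadly, as the guidance says: membership of a group that grants access to sensitive records counts, not only domain administration.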

Ensure Defences are Working
• Ensure antivirus software is installed and regularly confirm that it is active on all systems and that signatures are updating correctly.
• Check your firewall rules are as expected – specifically check for temporary rules that may have been left in place beyond their expected lifetime.
• The NCSC’s Device Security Guidance can help with secure configuration of common desktops, laptops and mobile devices.
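The check for leftover temporary firewall rules is easy to script once rules are exported. The following is an added example written for this article, not NCSC material or any vendor's tooling. The rule export and the tagging convention (temporary rules marked "TEMP" with an "expires YYYY-MM-DD" note in the comment) are constructed assumptions; most firewalls can export rules to CSV, and the patterns should be adjusted to however your team annotates rules.

```python
import csv
import io
import re
from datetime import date

# Constructed sample rule export (not a real firewall): one row per rule,
# with the free-text comment field most firewalls let administrators set.
RULES_CSV = """\
id,action,source,destination,port,comment
10,allow,10.0.0.0/8,10.20.0.5,443,Intranet portal
20,allow,203.0.113.0/24,10.20.0.9,3389,TEMP vendor remote support expires 2022-02-28
30,allow,any,10.20.0.9,22,temporary - migration support
40,allow,198.51.100.7,10.20.0.15,5432,TEMP db sync expires 2022-04-30
50,deny,any,any,any,Default deny
"""

TODAY = date(2022, 3, 14)  # assumed review date for the sample data

# Assumed convention: temporary rules are tagged "TEMP"/"temporary" and carry
# an "expires YYYY-MM-DD" note. Adjust both patterns to your own convention.
TEMP_TAG = re.compile(r"\b(temp|temporary)\b", re.IGNORECASE)
EXPIRY = re.compile(r"expires\s+(\d{4}-\d{2}-\d{2})", re.IGNORECASE)


def parse_rules(text):
    """Read the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def review_rules(rules, today=TODAY):
    """Return (rule id, finding) pairs for rules that need a human decision."""
    findings = []
    for rule in rules:
        rid, comment = rule["id"], rule["comment"]
        if TEMP_TAG.search(comment):
            match = EXPIRY.search(comment)
            if match is None:
                # A temporary rule with no end date will never be cleaned up.
                findings.append((rid, "temporary rule has no expiry date"))
            elif date.fromisoformat(match.group(1)) < today:
                findings.append((rid, f"temporary rule expired on {match.group(1)}"))
        # Broad allow rules deserve a look too, temporary or not.
        if rule["action"] == "allow" and rule["source"] == "any":
            findings.append((rid, "allow rule open to any source"))
    return findings


if __name__ == "__main__":
    for rid, finding in review_rules(parse_rules(RULES_CSV)):
        print(f"rule {rid}: {finding}")
```

Run against the sample export it flags rule 20 (past its expiry), and rule 30 twice (no expiry date at all, and open to any source), while rule 40 passes because its expiry is still in the future. The point is the process rather than the script: every temporary rule should carry an owner and an end date, and the review should happen on a schedule, not only when the threat is heightened.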

Logging and Monitoring
• Understand what logging you have in place, where logs are stored and for how long logs are retained. Monitor key logs and at a minimum monitor antivirus logs. If possible, ensure that your logs are kept for at least 1 month.

Review Your Backups
• Confirm that your backups are running correctly. Perform test restorations from your backups to ensure that the restoration process is understood and familiar.
• Check that there is an offline copy of your backup – and that it is always recent enough to be useful if an attack results in loss of data or system configuration.
• Ensure machine state and any critical external credentials (such as private keys, access tokens) are also backed up, not just data.
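The three backup bullets above reduce to questions a script can answer from a backup catalogue: is the latest successful run recent enough, is there an offline copy that is recent enough, has a test restore been done recently, and is machine state and credential material covered as well as data? The following Python is an added example for this article, not NCSC material or a backup product's own reporting. The catalogue entries, the record of test restores, the time of the check and the age limits are all constructed assumptions; in practice they would come from your backup software's job history and your own recovery policy.

```python
from datetime import datetime, timedelta

# Constructed sample backup catalogue (not a real backup system): one entry per run.
CATALOG = [
    {"job": "fileserver-daily",   "copy": "online",  "status": "success", "completed": "2022-03-13T23:10", "contents": ["data"]},
    {"job": "fileserver-daily",   "copy": "online",  "status": "failed",  "completed": "2022-03-14T23:10", "contents": ["data"]},
    {"job": "fileserver-offline", "copy": "offline", "status": "success", "completed": "2022-02-20T02:00", "contents": ["data"]},
    {"job": "dc-systemstate",     "copy": "online",  "status": "success", "completed": "2022-03-15T01:00", "contents": ["system_state"]},
]
# Constructed record of when each job was last restored as a test (None = never).
RESTORE_TESTS = {"fileserver-daily": "2021-10-01", "dc-systemstate": None}

NOW = datetime(2022, 3, 15, 8, 0)                                        # assumed time of the check
REQUIRED_CONTENTS = {"data", "system_state", "credentials"}              # assumed policy
MAX_AGE = {"online": timedelta(days=1), "offline": timedelta(days=7)}    # assumed policy
MAX_RESTORE_TEST_AGE = timedelta(days=90)                                # assumed policy


def check_backups(catalog, restore_tests, now=NOW):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    successes = [run for run in catalog if run["status"] == "success"]
    for job in sorted({run["job"] for run in catalog}):
        runs = [run for run in successes if run["job"] == job]
        if not runs:
            findings.append(f"{job}: no successful run in catalogue")
            continue
        # Only successful runs count; a failed run last night does not protect you.
        latest = max(runs, key=lambda run: run["completed"])
        limit = MAX_AGE[latest["copy"]]
        if now - datetime.fromisoformat(latest["completed"]) > limit:
            findings.append(f"{job}: last success {latest['completed']} is older than {limit.days} day(s)")
        tested = restore_tests.get(job)
        if tested is None or now - datetime.fromisoformat(tested) > MAX_RESTORE_TEST_AGE:
            findings.append(f"{job}: no test restore within {MAX_RESTORE_TEST_AGE.days} days")
    # An offline copy only helps if it is recent enough to recover from.
    if not any(run["copy"] == "offline"
               and now - datetime.fromisoformat(run["completed"]) <= MAX_AGE["offline"]
               for run in successes):
        findings.append(f"no offline copy completed within {MAX_AGE['offline'].days} days")
    # Machine state and credentials must be covered, not just data.
    covered = set().union(*(run["contents"] for run in successes))
    for missing in sorted(REQUIRED_CONTENTS - covered):
        findings.append(f"{missing}: not covered by any successful backup")
    return findings


if __name__ == "__main__":
    for finding in check_backups(CATALOG, RESTORE_TESTS) or ["all backup checks passed"]:
        print(finding)
```

On the sample catalogue the script reports a stale daily backup (the most recent run failed), an offline copy that is three weeks old, test restores that are missing or overdue, and no backup of credential material at all. Each of those is exactly the kind of gap that is cheap to close before an incident and very expensive to discover during one.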


Incident Plan
• Check your incident response plan is up to date. See the NCSC’s guidance on Incident Management.
• Confirm that escalation routes and contact details are all up to date.
• Ensure that the incident response plan contains clarity on who has the authority to make key decisions, especially out of normal office hours.
• Ensure your incident response plan and the communication mechanisms it uses will be available, even if your business systems are not.

Check Your Internet Footprint
• Check that records of your external internet-facing footprint are correct and up to date. This includes things like which IP addresses your systems use on the internet or which domain names belong to your organisation. Ensure that domain registration data is held securely (check your password on your registry account, for example) and that any delegations are as expected.
• Perform an external vulnerability scan of your whole internet footprint and check that everything you need to patch has been patched. Internet-connected services with unpatched security vulnerabilities are an unmanageable risk.

Phishing Response
• Ensure that staff know how to report phishing emails. Ensure you have a process in place to deal with any reported phishing emails.

Third Party Access
• If third party organisations have access to your IT networks or estate, make sure you have a comprehensive understanding of what level of privilege is extended into your systems, and to whom. Remove any access that is no longer required. Ensure you understand the security practices of your third parties.

NCSC Services
• Check your Cyber Security Information Sharing Partnership (CiSP) account works so you can access and share information about the threat with other organisations and see updates from the NCSC.
• Register for the Early Warning service so that the NCSC can quickly inform you of any malicious activity reported to them regarding your systems.

Brief Your Wider Organisation
• Ensure that other teams understand the situation and the heightened threat. Getting buy-in from the rest of the business is crucial in being able to complete the actions described here.
• Ensure colleagues in other areas understand the possible impact on their teams’ workloads and tasking. Make sure everyone knows how to report suspected security events and why reporting during a period of heightened threat is so important.

Advanced Actions
Large organisations should carry out all the actions outlined above, to ensure that the most fundamental security measures are in place.
Organisations and sector regulators using the Cyber Assessment Framework (CAF) to help them understand cyber risk should note that the CAF contains guidance on all the areas included in the actions above.
If your organisation has deprioritised these areas of the CAF, you are advised to revisit those decisions immediately when the threat is heightened.
In addition, those organisations with more resources available should also consider the following steps:
• If your organisation has plans in place to make cyber security improvements over time, you should review whether to accelerate the implementation of key mitigating measures, accepting that this will likely require reprioritisation of resources or investment.
• No technology service or system is entirely risk free, and mature organisations take balanced and informed risk-based decisions. When the threat is heightened, organisations should revisit key risk-based decisions and validate whether the organisation is willing to continue to tolerate those risks or whether it is better to invest in remediation or accept a capability reduction.
• Some system functions, such as rich data exchange from untrusted networks, may inherently bring a greater level of cyber risk. Large organisations should assess whether it is appropriate to accept a temporary reduction in functionality to reduce the threat exposure.
• Larger organisations will have mechanisms for assessing, testing and applying software patches at scale. When the threat is heightened, your organisation may wish to take a more aggressive approach to patching security vulnerabilities, accepting that this may have a service impact itself.
• During this time, large organisations should consider delaying any significant system changes that are not security related.
• If you have an operational security team or a Security Operations Centre (SOC) it may be helpful to consider arrangements for extended operational hours or to put in place contingency plans to scale up operations quickly if a cyber incident occurs.
• If you have systems in place that can take automated action or notifications based on threat intelligence, you might also consider procuring threat feeds that may give you information relevant to the period of heightened threat.

This information is licensed under the Open Government Licence v3.0. To view this licence, visit www.nationalarchives.gov.uk/doc/open-government-licence © National Cyber Security Centre 2022


Stuart Walsh
Chief Information Security Officer at Blue Stream Academy
As the Chief Information Security Officer (CISO) for Blue Stream Academy, Stuart provides an article for each issue of BSA Today to highlight how we strongly believe that promoting better information security practices improves the threat landscape for all organisations that work alongside us.