Transform Issue 38 February 2024 Edition - CCoE

Page 1

ISSUE 38

In print and online interactive publication | www.iese.org.uk

2024 CYBER THREAT LEVEL IN UK IS HIGH
2024 SET TO BE YEAR OF DEMOCRACY. WITH THE MOST ELECTIONS BEING HELD GLOBALLY, IT IS MORE CRUCIAL THAN EVER FOR LOCAL GOVERNMENT TO HELP PROTECT THE INTEGRITY OF OUR ELECTIONS!

Bricking it: building strong cyber defences
How to build a cyber barrier brick-by-brick

Prepare to fail well in a cyber incident
Why planning ahead can limit the damage

Also inside:
• A year of the Cyber Centre of Excellence (CCoE)
• Grow your cyber team with a company-wide culture
• Groundbreaking endpoint protection closes ‘detection gap’
• Facing the future of evolving cyber risk


CONTENTS

Page 2: Introduction from Kurtis Toy, Convenor of the CCoE; news on vulnerability scanning and upcoming CCoE events.
Page 3: Feature: Cyber security as a brick wall.
Pages 4-5: Feature: How to fail a cyber-attack well.
Page 6: In Focus: Spotlight on training as a cyber defence.
Page 7: Feature: Focusing on the endpoint.
Page 8: In Focus: What the future holds for cyber.

EDITORIAL CONTACTS
TRANSFORM IS PRODUCED BY: iESE, www.iese.org.uk. Email: enquiries@iese.org.uk. @iESELtd
CREDITS: Designed by SMK Design (Aldershot). Editorial by Vicki Arnstein.
Views expressed within are those of the iESE editorial team. iESE Transform is distributed to companies and individuals with an interest in reviewing, remodelling and reinventing public services.

INTRODUCTION

CCoE celebrates successful first year

The Cyber Centre of Excellence (CCoE) is now celebrating its first birthday after a hugely successful and busy inaugural year. The organisation launched at the District Councils Network (DCN) annual conference in February 2023 with a vision of making the UK the safest place to live, work and play online.

It has been a fantastic year and we have made strides towards our ambition. We have an excellent advisory board in place made up of the most knowledgeable and well-respected people in the industry who are keeping the CCoE abreast of cyber developments. The board has identified a range of best-of-breed products and services and negotiated to bring these to UK organisations – large or small, public and private – at reduced collective rates. The cyber threat level in the UK is high and unfortunately it is a case of when, not if, an organisation will be attacked. With 2024 set to be the ‘Year of democracy’, with the most elections being held globally in history, the need for cyber security in local government is more crucial than ever to help protect the integrity of our elections. While no single solution exists, a layered defence can help build a strong defensive wall around an organisation. In this issue, members of the CCoE advisory board will talk through 12 key bricks that the CCoE has identified as being key to building strong barriers. We need to collectively face the growing and persistent threat head on to keep our businesses, public organisations, and communities safe. We hope you enjoy the issue. Please contact us to find out how the CCoE can help: www.ccoe.org.uk or contact us directly at enquiries@ccoe.org.uk

© Copyright iESE 2024

NEWS ON VULNERABILITY SCANNING

Kurtis Toy, Convenor of the CCoE

CCoE EVENTS

Download council vulnerability report

THE CCOE HAS COMPILED INDIVIDUAL REPORTS FOR EACH OF THE UK’S 382 LOCAL AUTHORITIES TO HELP THEM IDENTIFY VULNERABILITIES THAT COULD LEAVE THEM OPEN TO CYBER ATTACK.

The information in the reports, which are only available to the individual authority, was gathered through a passive scan using a tool called FractalScan Surface. The technology scans the Internet to look for misconfigurations, security vulnerabilities and exposed data. Any open-source information the tool finds could be seen by anyone online, including hackers. Kurtis Toy, vCISO and Convenor of the CCoE, said the reports had been well received by the local authorities which have already downloaded them. “The only feedback we have had about the reports is that they are valuable, with some local authorities asking for more details and a full report. What we are giving is a prioritized subset of results and the actions required due to the huge volume of data the scans have generated,” Toy said. The report received by each authority gives an overview of the council compared with its region, along with a total number of vulnerabilities and a comparison showing where that sits for the UK. The deep scan uses a domain name or IP address to discover an organisation’s online infrastructure, assets and shadow IT. Vulnerabilities frequently found included badly configured services or out-of-date software. Besides providing local authorities with valuable data, the scan will allow the CCoE to assess common issues that could be addressed collectively. “It has been carried out to inform and help the CCoE develop the right tools to move things forward in a more informed manner,” Toy said. The CCoE plans to run the scan again in June 2024 to get an overview of whether the situation has improved or worsened. Preferential rates for FractalScan Surface are now available through the CCoE, which include daily, weekly or monthly scanning. “If local authorities find the scan report useful, they can also secure discounted rates for FractalScan Surface through the CCoE. For more information about how to use passive scanning as part of your defense in depth then open the conversation with CCoE,” added Toy.

• To learn more about FractalScan Surface, to request a copy of your organisation’s report or if you need support in securing identified vulnerabilities please email: enquiries@ccoe.org.uk

CCoE in action

THE CYBER CENTRE OF EXCELLENCE (CCOE) HAS BEEN CREATED TO HELP ALL ORGANISATIONS ACROSS THE UK ACHIEVE MILITARY-GRADE CYBER SECURITY AT HIGH STREET PRICES.

With its mission of making the UK the safest place to live, work and play online, the CCoE has already attended a wide range of events to spread the word and start achieving this aim. Here is a list of some of the events we will be attending this year. Come and visit us at these events to learn more about how the CCoE can help protect your organisation from cyber threats:

CYBER RESILIENCE FOR THIRD SECTOR: 28th February, Edinburgh.
DCN CONFERENCE 2024: 14th – 15th March, St Albans.
UK CYBER WEEK EXPO & CONFERENCE: 17th – 18th April, London.
CYBERUK 2024: 13th – 15th May, Birmingham.
LGA CONFERENCE 2024: 2nd – 4th July, Harrogate.

The CCoE team at the CCoE/iESE conference in November.

2



CYBER SECURITY AS A BRICK WALL

Bricking it: building strong cyber defences

At one time, cyber security centred around anti-virus protection and firewalls and was seen solely as an IT department concern. Fast forward to 2024 and we understand that as the sophistication of the attackers has increased, so too must our defences.

[Diagram: the 12 bricks of the wall: Endpoint Protection, Network Security, Vulnerability Scanning, Training & Awareness, Phishing & Ransomware, 24/7 Monitoring, Compliance & Accreditation, Supply Chain, Data Protection, People & Culture, Response & Recovery, Secure Comms]

Relying on one or two products to keep your organisation safe is no longer enough. Instead, a layered approach is needed, taking into account a wide range of cyber security considerations. It must also be on everyone’s radar and not just the preserve of the technically minded. To help leaders understand what this layered approach looks like, Kurtis Toy, vCISO, Convenor of the CCoE and CEO of Onca Technologies, uses a castle and brick wall analogy: “Imagine your data is a treasure chest which you lock and put in a room. Only the people who need access to that data should have the key to that chest and only the people who need access to the chest have the key to the room. Imagine that your whole organisation is a castle, filled with these rooms with the data inside,” he says. Next, Toy explains more about the outside of the castle and what the castle walls should look like: “We talk about layered defences, but we don’t mean go out and buy three anti-virus solutions, what we mean is that you need to be looking at your entire attack surface and looking and re-looking for any gaps you might need to close. We need to make sure the brick wall around the castle is impenetrable and think about how tall it is. Each brick is important.” Once the wall is built, Toy says it is vital not to stop there: “You need to be regularly looking at your entire attack surface. Look at it and assess how good it is and consider what happens when someone climbs over the wall anyway and you need to respond and recover. In addition, look at your back up solutions, look at your wall and build a backup wall if you can behind it with a backup of those defences.” The CCoE believes there are twelve key initial bricks organisations should consider to help make their defences as strong as possible. The CCoE is well equipped to help any organisation – large or small, public or private – get these bricks in place and start building stronger defences whatever the foundations.

Here are the initial 12 bricks the CCoE recommends considering in addition to your current stack and backups:

1. Endpoint Protection: Endpoints such as computers, smartphones and any other Internet of Things devices that link to your systems are points where an attacker could gain entry. Read more on page 7.
2. Network Security: Protecting your network from attack includes considerations such as segmentation and who has authorised access to which parts of the network. It might also include the physical protection of your network, such as access to routers and servers. Read more on pages 4 and 5.
3. Vulnerability Scanning: It is possible to conduct a scan of your network to look for any public-facing vulnerabilities that could be exploited by would-be attackers. See page 2 for more information.
4. Training & Awareness: Conducting regular staff training on cyber security can help protect your organisation from attacks by helping staff to recognise suspicious activity and respond appropriately. Read more on page 6.
5. Phishing & Ransomware: These attacks are prolific and ever-increasing in sophistication. Phishing emails are a primary delivery method for ransomware, a type of malware which may encrypt data and stop it being accessed, after which the cyber-criminal demands a ransom for the decryption key. Read more on pages 4 and 5.
6. 24/7 Monitoring: Using a managed detection and response service can alert organisations to genuine threats and remove them from the system immediately, avoiding wasted time investigating unreliable alerts. Read more on page 7.
7. Compliance & Accreditation: Public bodies need to adhere to some obligations, such as holding a Public Services Network certificate. Other accreditations, such as Cyber Essentials and Cyber Essentials Plus, are voluntary but show good practice. The CCoE can help address your training needs; see page 6 for more information about our training partner.
8. Supply Chain: The supply chain is a growing potential route of cyber-attack, so organisations should do due diligence on suppliers and their cyber security. Read more on pages 4 and 5.
9. Data Protection: Organisations have a legal responsibility to protect the data they hold and to report any breaches to the Information Commissioner’s Office. Training must also be given to staff who process data in your organisation. Read more on page 6.
10. People & Culture: Building a culture where cyber security is the responsibility of everyone within an organisation, from the leaders and directors down, is key. Whatever technical protection you have in place, the human element will always remain a key factor. Read more on page 6.
11. Response & Recovery: Having recovery plans in place that are regularly tested across the organisation is vital; they should also be reviewed when an organisation undergoes any major transitions. Read more on pages 4 and 5.
12. Secure Communications: There are technologies available to help protect the range of ways your employees communicate with clients, including WhatsApp. You can read more in a previous issue of Transform here: https://issuu.com/ksagency.co.uk/docs/iese_transform_036_issue


3


HOW TO FAIL A CYBER-ATTACK WELL

Six steps to failing a cyber incident well

The unfortunate reality is that every organisation, whatever its size or type, is likely to fall victim to a cyber attack at some point. If the worst happens, the best-case scenario is limiting the damage and ‘failing well’. Here, we look at six steps that can help you prepare for the worst.

Step one: Get in the right mindset

According to Irene Coyle, Chief Operating Officer at OSP Cyber Academy, a managed service provider of cyber, information security, data protection training and education programmes, the first step of failing well is adopting the mindset that you will be targeted and understanding that whatever data you hold is valuable to someone in some way: “A lot of organisations don’t think they will be targeted because they don’t view the data they have as being valuable to anyone else. Getting away from the mindset of ‘I am not going to be a victim’ will already put you on a better footing,” she says. Data, unfortunately, is now a valuable criminal commodity. While getting into bank accounts used to be a target of criminal gangs, the monetisation of data is now a primary aim. While an organisation might think ‘so what?’ and ‘what are they going to do with it?’, trading personal information on the dark web has a value because it can be sold to other criminal groups to conduct fraud, identity theft and other crimes.

Step two: Know your data

The second step in failing well is knowing where and what your data assets are so that you can identify what has been taken or potentially tampered with.

4

This is important information to have when reporting a data breach to the Information Commissioner’s Office, an obligation which organisations have to meet within 72 hours of a breach. “When a data breach occurs a lot of organisations don’t know what data they have, where that data is stored and who is accessing and processing that data. If you have not mapped that out then should you fall victim to a cyber incident that can be quite catastrophic,” says Coyle. Dougie Grant, Managing Director Europe & Global Head Incident Management at Nihon Cyber Defence, agrees that this is a common issue: “Many organisations don’t know what data they have and that is something we find after a data breach. It is more common than not that they don’t know what data they hold, where it is stored and what the potential impact will be. We all like to retain data but trying to identify it is one of the biggest challenges so that is something to consider in our preparations and planning.”

Step three: Scrutinise your supply chain

Step three is scrutinising your supply chain. Supply chain cyber-attacks are increasingly hitting the headlines. This is where an attack spreads from one organisation to another or uses one to access the other, such as provider to customer. A recent breach of the business process services company Capita, for example, which provides services to several public sector organisations, led to the data of some residents being compromised. In other cases, attackers tamper with legitimate correspondence between supplier and customer, which can lead to a malicious attachment or link accidentally being opened and malware being activated. Major General Martin Smith CB MBE is Managing Director of Cyber Prism, a cyber security company which protects Operational Technology (OT). He says that in preparing to fail well, viewing your supply chain as a group of potential attackers is a reasonable precaution. He believes that in the future it could be mandatory to carry out due diligence on the cyber security of suppliers, but for now it is just good practice. Policies and procedures should look at the supply chain, including aspects such as people visiting your estates, whether they are allowed to connect to your network and who sets this up for them. “When someone comes along to update systems, such as an engineer, who do they contact, who allows them in, who sets up an access point for them? And as much as you might have the policies and procedures, it is making sure they are being carried out on the ground, testing them and blind testing them,” he explains. Niall Burns, Chief Executive Officer at the specialist risk mitigation, loss prevention and security company Subrosa Group, agrees: “You can be as strong as you can be however, if your supply chain doesn’t also have security in place that is the same level or higher, then as well as being an attack opportunity, they are also a weakness within the supply chain,” he warns.



HOW TO FAIL A CYBER-ATTACK WELL

Step four: Have a rehearsed response plan

Step four is ensuring that you have a regularly rehearsed response plan. While every organisation should be building up their brick wall of defences (see page 3) to the best of their ability and budgets, with an estimated 10,000 attacks launched at local authorities daily it is not surprising some result in cyber incidents. Grant from Nihon Cyber Defence explains: “The technology and capability of the cyber attackers is moving so quickly that we have to move at that speed too but that is really difficult to do so we have to prepare for the inevitable incidents that will occur because we can’t build the defences high enough, deep enough, quickly enough. For that reason, it is not just about having your defences, it is about your response as well, and if you don’t have the response ready, that is where the impact comes.” Importantly, a response plan should be a living document, not one that is shelved away and forgotten about, and everyone has to be aware of the roles and responsibilities. “It has to be rehearsed because otherwise it won’t stand the first contact with an incident. If it is rehearsed, ready and available – not stored on your network – the impact will be reduced and you will be able to manage your way through the incident calling on the respective agencies and organisations that can come into help you and you will know what you are going to do,” says Grant, “Without that we have seen so many examples of an event turn into a crisis and a crisis turn into a catastrophe and it is very difficult to recover.”


Step five: Act quickly

Step five is implementing your plans quickly. David Woodfine, co-founder and managing director at Cyber Security Associates, explains: “We have come across lots of companies that have been hit by ransomware and they say we will get around to fixing the vulnerabilities and they don’t realise that the attacker will come back or that they have sold on the information to another attacker.” If you are hit, then doubling down on your defences is a sensible move. OSP Cyber Academy’s Coyle advises that unfortunately if you have been attacked once then it is more likely to happen again, as the attackers may believe you are unprepared. There is also a risk of ending up on a ‘hit list’ for other hackers. Iain Johnston, Managing Director at Blackwired, also warns that when rebuilding of systems does need to take place, it is important not to recreate the same vulnerabilities. “It is like being burgled in your front room and as the burglar leaves, he checks the house, checks that you leave a window open on a regular basis and the next time they will come back in through the exploit left open. When rebuilding, be prepared for rebuilding with a fresh architecture in mind.”

Step six: Seek help and protect staff

Step six is making sure employees are coping well with the incident, perhaps putting teams in place to work shifts until an incident is resolved. “We often assume an incident is going to be over within 12 hours but actually it can last for many days, so we have to look at the health and wellbeing of our people and how we prepare to bring people in and out from leadership to cyber analysts,” Woodfine from Cyber Security Associates adds. Planning and recovery might include working with one of the excellent organisations that exist, such as the National Cyber Security Centre (NCSC) and the CCoE. While the advice in the UK is not to pay a ransom, Grant says using a trained intermediary to negotiate can be a powerful tool to find out what has been breached and infiltrated. “The information that can be gained is quite useful. In some cases, we have asked them to prove it was them who got in and what they have told us has been very useful in helping to find the attack vector,” he explains. Ultimately, being prepared for the worst is likely to pay dividends if your organisation is unlucky or targeted. “We wouldn’t recommend one solution, you need to look at your training of staff, your technology, your instant response plan – there are a whole range of affordable steps to take on the cyber security journey,” Grant from Nihon Cyber Defence concludes.

Case study: Gloucester City Council

GLOUCESTER CITY COUNCIL WAS HIT BY A CYBER-ATTACK IN DECEMBER 2021 CAUSING DAMAGE TO ITS NETWORK AND ONLINE SERVICES, RESULTING IN A NUMBER OF SYSTEMS BEING TAKEN OFFLINE.

Jon McGinty, Managing Director of Gloucester City Council and deputy spokesperson for digital leadership at SOLACE, now regularly visits other local authorities to talk about the experience. The ransomware attack was delivered in a targeted phishing campaign through an attachment embedded in an ongoing conversation between a supplier and an officer, which meant it was not an unexpected email and not considered suspicious. “We had hardened our protection, our firewall, our endpoint defenses, we had introduced multi-factor authentication, strong passwords, a good patching regime, we had gone onto the cloud at a very early stage. We had done lots in terms of resilience testing and exercises and had taken part in the Local Government Association’s penetration test pilots. All of that and they still got through. They only need to get it right once,” McGinty explains.


In terms of failing well, he says that staff are key in the recovery process but that leaders should be aware of the toll suffering an attack takes: “I believe as a leader you have to build up deposits in the bank of goodwill. In the immediate aftermath the staff were amazing, trying to get things up and running again. Having to work with workarounds for months while you build and populate new systems is draining for staff. As leaders we must be cognizant and aware of that.” He added that another aspect of failing well had been embracing the help and advice available from others.


“As soon as we were hit, local authorities which had the same experience previously were on the phone – the local government family does come together at times like this. Some of our greatest friends in the response were the NCSC and the National Crime Agency, they held our hands amazingly. They go through this with organisations every week and they have an amazing response team. There is help if you are unfortunate, but we do need to prepare, and prepare for the when, not if.”


5


SPOTLIGHT ON TRAINING AS A CYBER DEFENCE

Grow your cyber team with a company-wide culture

Cyber security used to sit firmly under the IT department but with the right training, awareness, leadership, and culture everyone can be part of the cyber team and help keep your organisation safe from attack.

The organisations most vulnerable to cyber attack are those which see it as an IT issue, don’t engage with anyone outside the IT department and believe their risk to be 100 per cent covered just from a technical standpoint, warns Irene Coyle, Chief Operating Officer at OSP Cyber Academy, a managed service provider of National Cyber Security Centre-assured cyber, information security, data protection training and education programmes. The evolution of attacks and tactics developed by cyber criminals means that an organisation’s employees are unfortunately a key potential route into IT systems. If staff are untrained in cyber security issues, such as supply chain and phishing attacks, the likelihood of falling victim is increased. In fact, nine out of ten cyber data breaches are caused by human error according to figures from Cybsafe, a company which carried out an analysis of incidents reported to the Information Commissioner’s Office. There are a multitude of ways employees could unwittingly put an organisation at risk of a serious and costly security breach. A targeted attack could infiltrate legitimate email chains between customer and supplier and embed a link or attachment containing malware. Employees could unwittingly log onto an unsecured network to access work files, such as from a café or train station. They could accidentally store personal and sensitive data on external or personal hard drives or install unauthorised apps and programmes. All of these scenarios are more likely if they haven’t been educated about the risks involved first. “The cyber attacker only has to get it right once but trying to defend against 10,000 attacks daily as a council is a big job. Leaders and IT departments are not going to be able to do it all, but your staff that you educate and train become part of your cyber team if you invest in them to do that,” explains Coyle, “Everybody in an organisation from the top down has to know what it is up against from a cyber security point of view. It is not an IT issue, and IT is not the only solution.” There is already a requirement for all staff who process personal data to undertake GDPR training. While this is a good starting point, Coyle says additional training should be given across the organisation and that this should be tailored to specific job roles and departments. “Many organisations go wrong by simply providing baseline training which is the same for everyone, but the risks are different depending on who is processing what across the organisation,” says Coyle, “There is nothing wrong with compliance training to meet GDPR. It sets a base level of knowledge, so it is something, but what you are trying to achieve if you want to lead well in your organisation is a continuous and tailored education programme. If you are in the supply chain and you have procurement staff and finance staff who are dealing with the supply chain, there are different risks that they can be educated about as opposed to someone who is an administrator or on reception in your building and doesn’t need that level of training.” A cyber security training programme also needs to be continuous rather than one-off and taken seriously by leaders and board members to breed a culture where cyber security is viewed as important: “Once a year training is not going to cut it for cyber resilience training. If I am told something once, am I going to remember it in more than three months’ time? We need to ensure that what is on offer is a continuous programme,” she adds. John Comber, iESE Associate and former Chief Executive of the Royal Borough of Greenwich Council, agrees that cyber security must be modelled by those at the top. “Organisations have far too many priorities and the attention of the organisation tends to be directed by the behaviour of leaders. The more attention leaders give something, the more the staff follow with their attention,” he says, “We need to get to where you are safe by behaviour and safe by habit and the only way you can do that is practice. You have to know what it is that you need to do, put it into practice and keep your attention on it and that requires exercise after exercise which keeps lifting the attention back to the subject matter until it is a habit. The trouble with cyber security is it can be any authority, any email, any attachment – they all carry equal risk.” If the worst does happen, having the right culture around cyber security, where staff know its importance, is key so that they feel empowered to report a potential issue quickly. Coyle believes champions should also be appointed within an organisation who work to keep cyber front and centre, and care should also be taken to engage people who simply don’t like training. “We need to mix it up and have some training where they don’t know it is training, such as an immersive session using games and activities. What we do well is go into organisations and ask about the risks and challenges and near misses, then we can tailor the training appropriately.” OSP Cyber Academy has partnered with the CCoE to offer subsidised access to a wide range of affordable training which can be tailored to meet the needs of any size organisation. Please contact us to find out more.

• To find out more about our elearning and training offerings, visit: https://elearning.ccoe.org.uk/



FOCUSING ON THE ENDPOINT

Mind the detection gap

Now easier to create and procure as a service by criminals than ever, targeted never-seen-before cyber-attacks known as zero-day are on the increase. Worryingly, traditional cyber security protection solutions rely on a threat or similar threat having been seen before. This detection gap is a danger zone, but one that can be closed with groundbreaking technology offered through the CCoE.

ayered defences and a good patching regime L offers a level of protection providing that as an organisation you are not targeted by cyber criminals with a zero-day attack. When an organisation is the first casualty of a zero-day attack, traditional defences rely on a threat or similar threat having been seen before, resulting in the ‘detection gap’ and devasting consequences. While businesses and public bodies might believe they will not be specifically targeted by would-be attackers, all hold valuable data which could, and is, making them potential victims. “There is not a day that goes by without us seeing a new breach and it is not just the big organisations and the councils we are familiar with being attacked, it is also supposedly trustworthy applications that are being breached which is opening up the possibility of a supply chain attack too,” explains Colin Jupe, Director of Strategy at Assurity Systems Ltd, the European distributor of AppGuard. “Zero-day attacks are now easier to create than ever before and they are often polymorphic attacks where they change all the time, so they hit you and then they morph into something else and create a new zero-day making them extremely difficult to detect. Ransomware as a service is now prolific – you don’t need to be someone who is an expert on the dark web to get hold of it. It is big business,” says Jupe. David Woodfine, Managing Director at Cyber Security Associates, believes the situation is only going to get worse: “There have been plenty of attacks on councils over the last two or three years which reinforces the fact that we are targets and these attacks cost a lot of money to recover from. The attackers will have Artificial Intelligence at their disposal moving forward which will give them a bigger tool set. 
They will be able to reduce their investigation time to write exploits which they can deploy immediately against a specific vulnerability, so we are up against a bit of a tough evolving threat landscape.”

The CCoE has partnered with AppGuard to bring the technology, which was developed in the US defence environment, to UK businesses and public bodies at preferential rates. AppGuard offers the required step-change in endpoint and server defences because it operates in a different way to traditional solutions. The patented technology monitors everything and trusts nothing, meaning it offers full protection without the need to detect previously known exploits. It has already been installed in several UK local authorities and is available as part of the packages of protection being offered by the CCoE to councillors, sole traders, parish and town councils and small businesses as part of its goal to make the UK the safest place in the world to live, work and play online.

Unlike traditional systems, AppGuard has such a light footprint that it does not bloat or slow down systems, taking up only 1MB of space on endpoints. It also provides continual protection even when devices are not internet-enabled and does not rely on constant signature updates to remain protected against the latest threats. With AppGuard installed, all workers (even homeworkers) can carry on as normal. Even if they inadvertently click on a malicious link or open a nefarious email, it can do no harm. AppGuard can be remotely installed in hours and is offered as a managed service, so it has little or no impact on IT resources. It also offers invaluable protection for applications awaiting patches, some of which are critical and leave high-risk vulnerabilities, and is designed to protect machines even during the boot-up process.

“AppGuard takes a zero-trust approach; it assumes everything is going to be compromised, and if you start from that point, you’ve got a chance. If you trust things and then deny them, it makes it more difficult. AppGuard also protects unsupported software. As soon as software stops being supported by vendors you don’t get critical patching and updates,” adds Jupe.

“AppGuard should be your first and main line of defence in an increasingly dangerous cyber and human threat environment.”
Mark Kelton, Former Deputy Director of the National Clandestine Service for Counterintelligence, CIA.

“AppGuard should be on every Windows system in the world.”
Robert Bigman, Former Chief Information Security Officer, Central Intelligence Agency (CIA).
James Griffiths, Technical Director at Cyber Security Associates, explains that AppGuard offers a vital last line of defence: “The guidance is always going to be that you should always be on the latest version of an operating system, and you should always have everything patched, but that isn’t the real world. Organisations and local authorities often have legacy systems that can’t always live in the latest versions.

“AppGuard takes the pain away. It reduces alert fatigue because with traditional endpoint protection products you are dealing with potentials, so you get continuous alerts. With AppGuard you don’t get that. You only get an indicator of something which has been blocked because it is doing something it shouldn’t be doing.”

• Find out more about AppGuard here: https://www.ccoe.org.uk/appguard
• To download a case study on how AppGuard is being used in one Midlands-based council, visit: https://www.ccoe.org.uk/wp-content/uploads/2023/08/iESE-Case-Study-Council-improves-cyber-security.pdf

AppGuard: the benefits

• AppGuard is not reliant on giving specialised access to certain IP addresses, websites and applications (known as whitelisting), Host Intrusion Prevention Systems (which stop malware by monitoring the behaviour of code) or sandboxing (an isolated environment used to run suspicious code without risking harm to the network).
• AppGuard does not need to scan libraries of files to work – it doesn’t even require an internet connection.
• It blocks malicious code at the kernel level. Its Zero Trust Framework does not need to guess whether there is suspicious activity; it shuts down malware before it detonates.
• It only uses 1MB on a hard drive and 10MB of memory, resulting in virtually no degradation of processing power.
• AppGuard can run for months without updates. There are no alerts for staff to prioritise because threats are blocked in real time before they can cause harm.
• AppGuard allows a reduction in the layers of edge defences, potentially saving money and reducing the volume of data analytics and the burden of patch management.

WHAT THE FUTURE HOLDS FOR CYBER

Facing the future of evolving cyber risk Cyber threat is continually evolving. As the attackers’ methods diversify, they continue to outpace the protection most businesses and public bodies are using, increasing the threat exponentially. The good news is that the CCoE has teamed up with groundbreaking technologies to help mitigate the risk.

Cybercrime is a profitable business for those engaged in it: it is estimated to have cost the world $8 trillion (USD) in 2023, which would make cybercrime the third largest economy in the world if it were a country. Ransomware as a service means criminals without the ability to develop an attack can purchase one, resulting in a situation where a piece of malicious code, a payload, could be used by thousands of different activist groups simultaneously. Where one company or organisation may previously have been patient zero to an unknown and newly developed threat, the chances of being hit by a zero-day attack have now massively increased. Add to that geopolitical tensions that manifest as cyber threats, and it is clear the attack threat is greater than ever.

One of the biggest issues with ransomware as a service, according to Dougie Grant, Managing Director Europe & Global Head of Incident Management at Nihon Cyber Defence, is that when it was a smaller group of attackers deploying the malware there was an ethical code being followed. “When it was a small group targeting our organisations, they had ethics and morality. Some said they would not attack hospitals or government or critical national infrastructure, for example,” he explained.

With this degree of morality now lost, one of the anticipated future threats is that attackers will tamper with the integrity of data. “Cyber threat has been evolving for more than a decade and they are looking for the next opportunities. One of our concerns is that they are going to interfere with the integrity of data next. Imagine you run a medical facility, a financial institution, or a council with access to data for all citizens. What if the actors go in and change some of the data and then blackmail you to say: we have been into your network, we haven’t shut your systems down or taken anything, but we have changed something. How are you going to find out where it is?
What is the change and its impact over a day, a week, a year? It could be significant,” Grant adds.

While the advice in the UK is not to pay a ransom, the tactics being used to try to get organisations to pay are ramping up. “This is all about putting pressure on the victims, pressure to access your systems and be able to operate as business as usual. What we are seeing now is the cybercriminals reporting the victims to the regulators, who will then go and fine them. In most cases, we are not going to pay, but we must be ready for those pressures because these pressures can damage our reputation and the confidence of our communities.”

With this increasing threat, some cyber threat intelligence companies have understood that the only way to respond is to operate at the pace of the adversary. The CCoE has partnered with Blackwired, a next-generation threat intelligence company whose flagship offering, Zero Day Live (ZDL), takes a fundamentally different approach to traditional detect-and-respond solutions. While anti-virus protection can stop known threats, zero-day attacks are new and unknown and can therefore breach security protection unseen, often resulting in devastating destruction, high recovery costs and extended business interruption.

“The majority of organisations are reliant upon the aggregation of publicly available data,” explains Iain Johnston, Managing Director at Blackwired. “They are focused around patching the estate, sharing within the ecosystem about attacks, and they are relying on systems designed for human intervention, where a threat analyst team is reviewing what is happening daily and deciding what to do next. That is too slow. The key to this, and it is where we operate, is operating at the pace of the adversary. At Blackwired we provide proprietary intelligence on the bad actors and provide intelligence on what is coming next as opposed to what everybody else knows.”

ZDL makes what is intentionally hidden in the dark web open, indexed, and searchable through a combination of machine learning and input from specialised analysts. The intelligence provided by Blackwired to its customers, including governments, law enforcement agencies, global corporations, and providers of critical infrastructure, takes clients out of the zero-day cyber-attack victim pool. It does not consume, repackage, or replay secondary intelligence; instead it is a primary source of precision anticipatory intelligence on cyber weapons (zero days and malware) and adversaries.

Another key aspect of defence against the increasing future threat is to build a well-planned response. “There will be more attacks. It is a case of what is going to happen and how often it is going to happen, not if it is going to happen. Emergency planning needs to be for the whole organisation from the Chief Executive down, not just your IT teams,” adds Grant. “If you have the right responses ready now, then whether it is a hacktivist or a ransomware group, your instant response, planning and rehearsals will work whatever the motivation.”

• To find out more visit: http://blackwired.com or contact enquiries@ccoe.org.uk
• To find out more about Nihon Cyber Defence visit https://nihoncyberdefence.co.uk/ or contact enquiries@ccoe.org.uk
