Counter Terror Business 30

Page 65

CYBER SECURITY

Contains public sector information licensed under the Open Government Licence v3.0

TalkTalk itself, which claims that the hack cost it £42 million, was fined a record £400,000 for security failings that allowed customers’ data to be accessed ‘with ease’. The case raised concerns about the safety of customers and members of the public entering personal information on websites; many websites do not allow it to be pasted in, with ‘security’ given as the reason. In January 2017, a blog post from the NCSC offered some advice on the debate, suggesting that organisations should stop preventing customers and users from pasting their passwords into the password fields on their websites, because the positives of pasting passwords outweigh the risks. The blog post, titled ‘Let them paste passwords’, read: “We think customers should be allowed to paste their passwords into forms, and that it improves security. We believe [stopping password pasting] is one of those ‘best practice’ ideas that has a common sense instant appeal that may have made sense once. Considering the bigger picture today, it really doesn’t make sense.”

The NCSC argues that password pasting improves security because it helps to reduce password overload. It also points out that password managers are a beneficial tool because they make it much easier to use a different password for each website, without the frustration of typing errors or forgotten passwords. Preventing the use of password managers means that customers are far more likely to re-use the same password on different websites, choose very simple (and so easily guessed) passwords, or write passwords down in places that are easy to find, each of which harms personal security.

CYBER SECURITY GUIDANCE

Updated in August 2016, NCSC’s 10 Steps: Executive Summary sets out what a common cyber attack looks like and how attackers typically undertake them, and offers an effective means to help protect organisations from attacks. Here, we look at the 10 steps in detail.

The NCSC encourages organisations to embed a clearly communicated and appropriate risk management regime, which ensures that all employees (including those in governance roles), contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries. In addition, having an approach to identifying baseline technology builds and processes for ensuring configuration management can greatly improve the security of systems. Companies should therefore develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities, usually via patching.
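The paste-blocking that the NCSC’s ‘Let them paste passwords’ post argues against is usually done with an inline onpaste handler on the password input, and the same login forms often set autocomplete="off", which tells browsers and password managers not to autofill the field. The following is an added example, not code from the magazine or from the NCSC: a small Node.js audit that scans page markup for password fields carrying either pattern, run over a constructed login form and its corrected version (the form markup, field names and handler text are assumptions made for the example).

```javascript
// Added example (not from the magazine or the NCSC): scan HTML markup for
// password fields that block clipboard paste or opt out of password-manager
// autofill. Runs under Node.js without a browser; all markup below is constructed.

const INPUT_TAG = /<input\b([^>]*)>/gi;
const ATTRIBUTE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Parse the attribute list of one <input> tag into a lowercase-keyed object.
function parseAttributes(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTRIBUTE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    attrs[name] = value;
  }
  return attrs;
}

// Return one finding per password field that blocks paste or opts out of autofill.
function auditPasswordFields(html) {
  const findings = [];
  for (const m of html.matchAll(INPUT_TAG)) {
    const attrs = parseAttributes(m[1]);
    if ((attrs.type || 'text').toLowerCase() !== 'password') continue;
    const issues = [];
    if ('onpaste' in attrs) {
      // An inline handler that cancels the event stops users pasting from a password manager.
      const handler = attrs.onpaste.toLowerCase();
      if (/return\s+false|preventdefault/.test(handler)) {
        issues.push('onpaste handler cancels paste');
      } else {
        issues.push('onpaste handler present; confirm it does not cancel paste');
      }
    }
    if ((attrs.autocomplete || '').toLowerCase() === 'off') {
      issues.push('autocomplete="off" discourages password-manager autofill');
    }
    if (issues.length) {
      findings.push({ name: attrs.name || attrs.id || '(unnamed)', issues });
    }
  }
  return findings;
}

// Constructed sample: a login form that blocks pasting, and the same form corrected.
const BLOCKING_FORM = `
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="off" onpaste="return false;">
  <input type="password" name="confirm" onpaste="logPaste(event)">
  <button type="submit">Sign in</button>
</form>`;

const FIXED_FORM = `
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <button type="submit">Sign in</button>
</form>`;

// Stand-alone run: report findings for both forms.
console.log(JSON.stringify(auditPasswordFields(BLOCKING_FORM), null, 2)); // two findings
console.log(JSON.stringify(auditPasswordFields(FIXED_FORM), null, 2));    // []
```

The corrected form keeps no paste handler at all and uses autocomplete="current-password", the standard token that lets browsers and password managers recognise the field. The regex-based tag scan is a quick heuristic for templates and static pages rather than a full HTML parser, so treat a hit as something to review in the source rather than as a definitive result.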

The connections from your networks to the Internet, and to other partner networks, expose company systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, UK organisations can reduce the chances of these attacks succeeding or causing harm. Rather than focusing purely on physical connections, companies should consider where their data is stored and processed, and where an attacker would have the opportunity to interfere with it.

Concerning the management of user privileges, companies should provide users with a reasonable, but minimal, level of system privileges and rights needed for their role. The granting of highly elevated system privileges
