Archive | Cyber Security

The “NHS” Attack

15 May

The poor and inaccurate reporting of the NHS ransomware incident over the weekend has irked CyberMatters into coming out of hibernation. With so much to say, it’s hard to know where to start.

WannaCrypt ransomware demand

Not targeted

First, the NHS was not specifically targeted by a cyber attack. The attack affected ANY system that was vulnerable; the sad fact is that the NHS was vulnerable, as were many other organisations around the world, and so the attack was able to succeed there.

By Friday evening, and over the weekend, the media were taking interviews from various industry ‘experts’. Sadly, too many used the opportunity to push their latest and greatest product feature, claiming it would have provided protection. Let’s be clear: if any product supplier says their product would have prevented the incident, their comment should be taken with a pinch of salt. THERE IS NO MAGIC BULLET PROTECTION. (However, there were also some very good reports from proper experts.)

Defence in Depth

A solution requires that an organisation has a defence in depth strategy, as long promoted in this blog.

Protection measures are needed on every interface that can bring malware into the IT estate: email, web sites, CDs and memory sticks, and so on. These need to be layered (e.g. both boundary and endpoint protection) and multi-faceted (e.g. anti-virus, sandboxing, limited user rights and advanced content verification techniques).

A defence in depth strategy then assumes these measures have failed, and provides mitigations to limit the spread. These typically include patching and network segmentation.

The next layer assumes these too have failed, and provides monitoring mechanisms that look for suspicious network behaviour, such as unusual network traffic.

If these protect and detect measures fail, you then need to enact pre-planned response measures.
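The monitoring layer above is the one most readers will want to see made concrete. As an added example (not code from the original post), the Python below scans flow records for a host that opens SMB sessions to many distinct peers within a short window, which is the signature of the worm-like spread the post describes: WannaCry propagated between hosts over SMB (TCP 445) using the flaw fixed by Microsoft's March 2017 update MS17-010. The log format, the 60-second window, the threshold of eight peers, the allowlist and the sample records are all assumptions constructed for the example.

```python
"""Flag worm-like SMB fan-out in flow logs.

Added example, not code from the original post. WannaCry spread between hosts
over SMB (TCP 445) via the flaw fixed by Microsoft's March 2017 update
MS17-010, so the "unusual network traffic" the post's monitoring layer should
catch is one host opening SMB sessions to many distinct peers in a short time.
Log format, window, threshold and sample data are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, "timestamp src dst dport" (not real traffic):
#   10.1.2.30 / 10.1.2.40  normal clients talking to one file server
#   10.1.2.20              infected host sweeping 12 peers in ~20 seconds
#   10.1.2.50              slow scanner, one new peer every 90 seconds
SAMPLE_FLOWS = """\
2017-05-12T14:00:00 10.1.2.30 10.1.2.5 445
2017-05-12T14:00:10 10.1.2.30 10.1.2.5 445
2017-05-12T14:00:20 10.1.2.30 10.1.2.5 445
2017-05-12T14:01:00 10.1.2.20 10.1.2.5 445
2017-05-12T14:01:02 10.1.2.20 10.1.2.6 445
2017-05-12T14:01:04 10.1.2.20 10.1.2.7 445
2017-05-12T14:01:06 10.1.2.20 10.1.2.8 445
2017-05-12T14:01:08 10.1.2.20 10.1.2.9 445
2017-05-12T14:01:10 10.1.2.20 10.1.2.10 445
2017-05-12T14:01:12 10.1.2.20 10.1.2.11 445
2017-05-12T14:01:14 10.1.2.20 10.1.2.12 445
2017-05-12T14:01:16 10.1.2.20 10.1.2.13 445
2017-05-12T14:01:18 10.1.2.20 10.1.2.14 445
2017-05-12T14:01:20 10.1.2.20 10.1.2.15 445
2017-05-12T14:01:22 10.1.2.20 10.1.2.16 445
2017-05-12T14:01:24 10.1.2.40 10.1.2.5 445
2017-05-12T14:03:00 10.1.2.50 10.1.2.5 445
2017-05-12T14:04:30 10.1.2.50 10.1.2.6 445
2017-05-12T14:06:00 10.1.2.50 10.1.2.7 445
2017-05-12T14:07:30 10.1.2.50 10.1.2.8 445
2017-05-12T14:09:00 10.1.2.50 10.1.2.9 445
2017-05-12T14:10:30 10.1.2.50 10.1.2.10 445
2017-05-12T14:12:00 10.1.2.50 10.1.2.11 445
2017-05-12T14:13:30 10.1.2.50 10.1.2.12 445
"""


def parse_flows(text):
    """Parse the space-separated format above into time-sorted tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(records, key=lambda r: r[0])


def find_smb_fanout(records, window_seconds=60, threshold=8, port=445,
                    allowlist=frozenset()):
    """Return {src: peak distinct peers} for sources that contacted at least
    `threshold` distinct destinations on `port` inside any `window_seconds`.

    `allowlist` suppresses hosts expected to fan out (backup servers,
    vulnerability scanners); tune `threshold` against your own baseline.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> (ts, dst) pairs inside the window
    flagged = {}
    for ts, src, dst, dport in records:
        if dport != port or src in allowlist:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # evict connections older than window
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged


if __name__ == "__main__":
    for src, peers in find_smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: {peers} distinct SMB peers inside 60s")
```

Only the infected host trips the default threshold; the slow scanner is caught only if the window is widened, which is the usual trade-off between catching low-and-slow movement and false positives from legitimate file-server traffic.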

The NHS scenario

It is too early to tell, but it is my belief the NHS was so badly hit because its defence in depth strategies were not effective.

Boundary protection systems let the malware in (and, to be fair, this is likely in most organisations unless excellent user training and advanced data verification tools are used); then the lack of patching allowed the malware to spread.

Then, due to the lack of segmentation, the only response mechanism was to shut all systems down until a more detailed assessment could be made.

Cyber Essentials

My first reaction on hearing how the malware was spreading was that this would be a good advert for Cyber Essentials. To this end, I thought Amber Rudd, the Home Secretary, presumably briefed by Ciaran Martin, head of the NCSC, missed an opportunity to promote implementing Cyber Essentials as immunisation. But her detailed words reveal why…

She said there were three key mitigations: patching, anti-virus and backups. Cyber Essentials is a prevent strategy and does not include the prepare element of backups. Maybe that is a lesson learnt that should feed into a revision of Cyber Essentials?

What went well?

Part of the NCSC’s £1.9bn is spent on the Cyber Security Information Sharing Partnership (CiSP), which incorporates information from the UK Computer Emergency Response Team. By 3pm the incident was being discussed by experts, and by 4pm the relevant Microsoft patch had been identified. If you are not already a member of CiSP, I recommend making consultation of CiSP part of your incident response plans.

The NCSC were also quick to publish specific mitigation advice on gov.uk by Sunday.

Windows XP

Much of the press debate has centred on unpatched Windows XP systems. Irrespective of the rights or wrongs of Microsoft no longer providing updates, this issue has been known for a long time. For example, government departments running Windows XP would not be allowed to connect to the government public sector network, forcing departments to resolve the issue.

The NHS ‘defence’ is that legacy applications do not work on newer Windows systems. Again, whether that is the full truth matters not. If you know this risk exists, then you MUST deploy defence in depth, and most importantly segmentation and isolation strategies, to manage the risk.

Nexor – how did we react?

We became aware of the issue via open source monitoring mid-afternoon on Friday. We convened an ad-hoc security incident response meeting and consulted CiSP to determine the nature of the issue, from which we were able to establish that the March Microsoft patch provided immunity. Cyber Essentials demands that we roll out patches quickly, so we could be confident the immunity would be effective, but we decided to double-check our patch management records in any case. By 5pm we concluded we were OK this time.
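The check Nexor describes (establish which update provides immunity, then verify the patch management records) and the Windows XP point above (an out-of-support OS cannot be patched, so it must be isolated) can be made concrete in one script. This is an added example, not Nexor's own tooling. It takes constructed inventory records of the form host,os,installed updates and an assumed mapping from OS version to the set of update identifiers that close the vulnerability, the March 2017 update itself or a later rollup that supersedes it; the KB identifiers below are placeholders, not real ones, and the authoritative list is the Microsoft bulletin for MS17-010. A host whose OS has no entry in the mapping cannot be made immune by patching and is reported for isolation.

```python
"""Cross-check patch-management records against the update that closes
the worm's propagation vector.

Added example, not Nexor's own tooling. WannaCry propagated using the SMB
flaw fixed by Microsoft's March 2017 update MS17-010. Which update applies
depends on the Windows version, and later cumulative rollups supersede the
March one, so each OS maps to a SET of acceptable identifiers. ALL KB
STRINGS BELOW ARE PLACEHOLDERS; take the real list from the vendor bulletin.
The inventory format is an assumption.
"""

# Placeholder mapping (assumption): OS -> update identifiers that provide
# immunity. An OS absent from this table has no applicable update.
REQUIRED_UPDATES = {
    "Windows 7": {"KB-MAR17-W7", "KB-APR17-W7-ROLLUP"},
    "Windows 10": {"KB-MAR17-W10"},
    "Windows Server 2012 R2": {"KB-MAR17-2012R2"},
}

# Constructed sample inventory, not real data.
# Format: host,os,installed updates separated by ';' (may be empty).
SAMPLE_INVENTORY = """\
# host,os,installed_updates
ws-001,Windows 7,KB-FEB17-W7;KB-MAR17-W7
ws-002,Windows 7,KB-FEB17-W7
ws-003,Windows 7,KB-APR17-W7-ROLLUP
ws-010,Windows 10,KB-MAR17-W10
srv-01,Windows Server 2012 R2,
mri-01,Windows XP,KB-OLD-XP
"""


def parse_inventory(text):
    """Parse the CSV-like format above into (host, os, {updates}) tuples."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, os_name, updates = line.split(",", 2)
        installed = {u.strip() for u in updates.split(";") if u.strip()}
        hosts.append((host, os_name, installed))
    return hosts


def classify_hosts(hosts, required=REQUIRED_UPDATES):
    """Sort hosts into three lists.

    immune      - at least one acceptable update is installed
    missing     - a patch exists for this OS but is not installed: patch now
    unsupported - no update exists in the mapping (e.g. out-of-support OS):
                  patching cannot help, so segment/isolate the host
    """
    result = {"immune": [], "missing": [], "unsupported": []}
    for host, os_name, installed in hosts:
        accepted = required.get(os_name)
        if accepted is None:
            result["unsupported"].append(host)
        elif installed & accepted:  # any superseding rollup also counts
            result["immune"].append(host)
        else:
            result["missing"].append(host)
    return result


if __name__ == "__main__":
    outcome = classify_hosts(parse_inventory(SAMPLE_INVENTORY))
    print("Immune:", ", ".join(outcome["immune"]))
    print("Patch now:", ", ".join(outcome["missing"]))
    print("Isolate (no patch available):", ", ".join(outcome["unsupported"]))
```

The set intersection is the point worth keeping: a host that has taken a later rollup is immune even though the March update itself never appears in its record, and a naive "is KB X installed" query would report it as missing.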

Who to trust?

One of the hard parts of all this is knowing who to trust: who is giving an accurate and balanced story, versus plugging a corporate position. This is hard to answer. The best I can come up with at the moment is, other than word-of-mouth and reputation, to check the person giving advice on the Trusted Security Advisors Register – not perfect, but the closest we have right now.

The last post: CyberMatters comes to an end

14 Mar

CyberMatters started almost 5 years ago as a proof of concept blog platform for Nexor. Over that time we’ve covered a wide range of topics, from general security advice on passwords and commentary on topics of the day to discussion of the latest technology concepts Nexor has been working on.

Over the last few months I’ve focused my efforts on looking at the issues of secure information exchange in the cloud – how can the concepts and architectures Nexor has applied to traditional environments morph and adapt to protecting cloud environments.

The infographic below is a summary of a white paper we’ve released at CYBERUK today discussing our views on how these techniques can be used to enable the Cloud for secure information sharing and exchange.

The Cloud is undoubtedly becoming a core technology we all use – CyberMatters has always run in the cloud using WordPress SaaS! Securing the cloud is becoming a specialist discipline, and I’ve been given the opportunity to build a specialist cloud security team at Nexor.

As part of this, Nexor has been consolidating our branding and web presence. The Qonex brand, built to focus our Cloud and IoT activities, will be rolled back into Nexor as core business, as will CyberMatters.

Consequently, this will be CyberMatters’ last blog post; my future mumblings will be posted on the Nexor blog.

I hope you’ve found the blog of value and interest over the last 5 years, and want to take this opportunity to thank you for your readership, comments, feedback and encouragement. I do hope we’ll meet again at https://www.nexor.com/blog.

PKI – is there a better way?

1 Mar

PKI is a technology that has stood the test of time, but it is let down by high running costs and poor implementation.

Li-Fi Security

10 Jan

Li-Fi has been widely talked about, largely due to its capability to deliver a high data rate wireless connectivity.

Li-Fi has some very interesting security characteristics too.


Bah-Humbug

22 Dec

Having been on a customer site all day, I returned home to scan my email.

Over half the emails were festive greetings, with all sorts of creative content: embedded images, attached animated images, links to sites with festive messages and attached files with seasonal offers.

What could possibly go wrong?

Out of Office Dilemma

13 Dec

As we approach the Christmas holiday period, I thought I’d share a cautionary tale on setting up your Out-of-Office auto-response. For quite a while now I have been building a relationship with a prospective customer. While I have had discussions with a person there – let’s call him Bob – Bob has worked hard to keep his privacy.

Payment Services Directive

29 Nov

So, Tesco was hacked. Although there is no official word yet on how this happened, the chatter among people far smarter than me is suggesting the issue is related to passwords and the Tesco Clubcard.

Followers of CyberMatters will recognise that I often blog about password issues. Is there anything new to say on the subject, I hear you ask? Yes…

Smart Home Project – HomeKit and LightwaveRF Integration

15 Nov

CyberMatters is a blog about security. This article is NOT about security; the related security point is documented in the blog post Smart Home Project – Network Segregation.


Smart Home Project – Network Segregation

15 Nov

Over the last few weekends I’ve rebuilt my smart home solution. It reminded me of how hard it is to build something that is secure.


S/MIME Re-trial

8 Nov

In the blog post S/MIME on Trial in 2013, I outlined some challenges in using S/MIME to send secure email.

I also posed the question, was I confident the issues would be solved in a 3-5 year timeframe?

Well, here we are 3 years later; let’s take a look.