Blog Manager
This blog monitors and reports on broadband policy and marketplace developments in the UK, Europe and worldwide that are likely to be of interest to the Janet community. Posts here may also reference my Broadband Policy Watch blog and you can also find me on Twitter.

Cyber security news roundup October 2017

Wednesday, November 1, 2017 - 09:34

Policy developments:

The National Cyber Security Centre (NCSC) celebrated its first anniversary of operations with the publication of its 2017 Annual Review detailing the threat landscape it has faced so far and the work it has done to date. The NCSC responded to 590 significant attacks, ranging from attacks on key national institutions like the National Health Service and the UK and Scottish Parliaments, through to attacks on large and small businesses and other organisations.

The Government marked the first anniversary of the National Cyber Security Strategy (NCSS), launched in response to the growing cyber security challenges and threats faced by the UK and to define the Government’s ambitions for the future. Also see this related speech.

Writing in the Telegraph, Director of GCHQ Jeremy Fleming described the importance of the organisation, which houses the NCSC, to UK cyber security and to ensuring that the UK is the best place to do business online. The NCSC draws on GCHQ’s data, analytical capabilities, skills and partnerships to prevent and respond to cyber-attacks.

Minister for Digital Matt Hancock delivered a speech to the Association of British Insurers' Insurance in the Digital World 2017 conference, describing the steps Government is taking to keep UK consumers and businesses safe and secure and the importance of the insurance industry in raising the overall cyber resilience of the UK economy. Also see commentary from Out-Law.

PublicTechnology reported comments by Home Secretary Amber Rudd on encryption, in relation to law enforcement and the use of encrypted communications for criminal purposes. BBC News reported remarks on encryption by US deputy attorney general Rod Rosenstein to the Global Cyber Security Summit in London.

The European Commission published a fact sheet describing the measures and proposals set out in September 2017 to equip Europe with the right tools to deal with cyber-attacks.

Out-Law reported that the European Commission had endorsed the EU-US Privacy Shield following the first annual review of the framework. The review found that the Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to participating companies in the US, and made a number of recommendations for further improvements.

Research & analysis:

The National Audit Office (NAO) published the report of its investigation into the WannaCry ransomware cyber-attack on the NHS earlier this year. The findings underline the importance of patching policies and procedures for end user devices and firewalls, as well as using the most current versions of supported software and operating systems, to protect against such threats. Also see NHS Digital’s response to the NAO’s report.

PwC’s Global State of Information Security Survey 2018 found that more than a quarter of UK organisations do not know how many cyber-attacks they suffered in the past year, and a third do not know how the incidents they faced occurred. Only two in five UK respondents (44%) formally collaborate with others in their industry to improve security and reduce the potential for future risks, compared with 54% across Europe and 58% globally. Just over half of UK respondents (53%) have a cross-organisational team in place, including leaders from finance, legal, risk, human resources, and IT/security, which meets regularly to coordinate and communicate information security issues.

A study by the Ponemon Institute commissioned by identity and access management provider Centrify found that less than half of global IT professionals are confident they have the ability to prevent, detect and resolve data breaches. Forty-three percent of IT practitioners said their organization had suffered a data breach involving sensitive customer or business information in the past two years, equating to more than one in five organizations suffering a serious breach each year.

The 2017 CBI/AECOM Infrastructure Survey reported that almost all businesses (98%) believe that strengthening Britain’s cyber resilience is vital. There are concerns about the UK’s approach to cyber security with just under a third (32%) of businesses feeling confident in the current strategy.

NSS Labs published findings from a cross-platform test of leading web browsers, exploring their effectiveness in protecting users from socially engineered malware (SEM) and phishing attacks. A series of tests focused on block rate, consistency of protection and early protection against new threats. The tests found that regardless of platform, browsers are more effective at blocking SEM than phishing attacks.

Check Point reported a massive increase in worldwide Locky ransomware attacks during September, powered by the Necurs botnet, which in June 2016 had released an updated version of Locky containing new detection avoidance techniques. Locky spreads mainly via spam emails containing a downloader disguised as a Word or Zip attachment, which then downloads and installs the malware that encrypts user files.

Malwarebytes published its Cybercrime Tactics and Techniques report for the third quarter of 2017, highlighting the continuing ransomware threat and major breaches including the one suffered by Equifax.

Cybersecurity researchers at the Georgia Institute of Technology have developed a new software system to automate the assessment of the extent and impact of network or computer system attacks. Known as Refinable Attack INvestigation (RAIN), the system allows investigators to pinpoint quickly and accurately how intruders entered a network, what data they took and which computer systems were compromised. It will provide forensic investigators a detailed record of an intrusion, even if attackers attempted to cover their tracks.

New threats and vulnerabilities:

The KRACK (key reinstallation attacks) WiFi vulnerability was identified by researchers; the UK NCSC published guidance on how to address this for enterprise, small business and home users. The NCSC also noted how this vulnerability again underlines the importance of patching policies and procedures as a “business as usual” activity to protect against threats. Also see BBC News.

A vulnerability known as ROCA (Return of Coppersmith’s Attack) was also identified in the generation of RSA keys by a software library used in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG. Again the UK NCSC offered guidance on how to address this.
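Because ROCA is a key-generation flaw, the practical defender's question is which of an organisation's existing RSA public keys came from the affected library. The script below is an added example, not code from this post, from the NCSC or from Infineon: it implements the public fingerprint test published by the ROCA researchers, under which a modulus N from the flawed generator has, for every small prime p, a residue N mod p lying in the multiplicative subgroup generated by 65537 modulo p, a property that a modulus from a sound generator almost never has. The sample modulus is constructed inline to carry that structure and is not a real key.

```python
"""
ROCA fingerprint check for RSA public moduli (added example, stdlib only).

Assumption: the published fingerprint method. Keys from the affected Infineon
library have moduli of the form N = k*M + (65537^a mod M), with M a primorial,
so N mod p is a power of 65537 modulo p for each small prime p dividing M.
"""
from functools import reduce

# The first 39 primes (up to 167), the range the public detector uses.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # the usual RSA public exponent, which the flawed generator builds on


def subgroup_residues(p):
    """Return the cyclic subgroup {65537^i mod p} of Z_p^* as a set."""
    residues = set()
    x = 1
    while x not in residues:
        residues.add(x)
        x = (x * GENERATOR) % p
    return residues


# Precompute the allowed residue set per prime once.
SUBGROUPS = {p: subgroup_residues(p) for p in SMALL_PRIMES}


def is_roca_fingerprinted(n):
    """True when N mod p falls inside <65537> for every small prime p.

    A modulus produced by a sound generator fails this for at least one prime
    with overwhelming probability; a pass is a strong indicator that the key
    should be treated as affected and replaced.
    """
    return all((n % p) in SUBGROUPS[p] for p in SMALL_PRIMES)


def false_positive_rate():
    """Chance that a uniformly random modulus passes every residue test."""
    rate = 1.0
    for p in SMALL_PRIMES:
        rate *= len(SUBGROUPS[p]) / p
    return rate


def primorial(primes):
    return reduce(lambda acc, p: acc * p, primes, 1)


def constructed_fingerprinted_modulus(k=3, a=12345):
    """Constructed sample (NOT a real key): N = k*M + 65537^a mod M, which has
    exactly the residue structure the fingerprint looks for."""
    m = primorial(SMALL_PRIMES)
    return k * m + pow(GENERATOR, a, m)


if __name__ == "__main__":
    n = constructed_fingerprinted_modulus()
    print("constructed modulus flagged:", is_roca_fingerprinted(n))
    # Shifting the value breaks the residue pattern, so it is no longer flagged.
    print("shifted modulus flagged:", is_roca_fingerprinted(n + 14))
    print("chance of a random modulus being flagged: %.3g" % false_positive_rate())
```

In practice the integer N is taken from each certificate or public key in the estate (for X.509 certificates, `openssl x509 -noout -modulus` prints it as hex) and fed to `is_roca_fingerprinted`; flagged keys are the ones to revoke and regenerate on patched firmware, and `false_positive_rate` gives a sense of how rarely a sound key is misflagged.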

Check Point warned of a new botnet “IoTroop” (also known as Reaper) based on devices such as IP wireless cameras which could pose a greater threat than the Mirai botnet of 2016. Also see coverage from Ars Technica. CCS Insight reported on ARM’s development of Platform Security Architecture (PSA), a common industry framework for building secure connected devices.

BBC News reported that a new strain of ransomware nicknamed "Bad Rabbit" has been found spreading in Russia, Ukraine and elsewhere, with similarities to the WannaCry and Petya outbreaks earlier this year. Also see this advisory from US-CERT, an overview from ZDNet and blog posts from Anomali and Check Point.

Logicalis warned that cybercriminals are increasingly targeting higher education, a consequence of the amount and diversity of information they gather and store, in relation to both research and personal data. Ways for HE institutions to strengthen their defences include audits of data security and the adoption of a common security framework.

Advice & guidance:

October 2017 was National Cyber Security Awareness Month, an annual campaign to raise awareness about the importance of cybersecurity. Also see the US Department of Homeland Security, the Federal Bureau of Investigation (FBI) and StaySafeOnline. The European Commission as part of Cyber Security Month ran a Facebook live chat on the steps it is taking to raise awareness of cyber security and coordinate responses to cyber-attacks.

The UK NCSC published new cyber security guidance for small businesses and also previewed its forthcoming guidance on risk management for cyber security. It also published an interesting analysis of the steps involved in setting up a spear phishing attack, as well as some insights into how to spot such an attack.

The US Internet Crime Complaint Center (IC3) published advisories on DDoS-for-hire services (also known as booters or stressers) and the risks posed by insecure Internet of Things (IoT) devices.

CSO offered advice and guidance for schools on protecting against ransomware attacks.

Writing in Computer Weekly, Jisc’s Danny Moules described how criminal hacking has shifted away from the traditional stereotype of the hacker towards a much more diverse cross-section of wider society.