This blog monitors and reports on broadband policy and marketplace developments in the UK, Europe and worldwide that are likely to be of interest to the Janet community. Posts here may also reference my Broadband Policy Watch blog and you can also find me on Twitter.
Cyber security update June 2017

Tuesday, July 4, 2017 - 11:41

Policy developments:

The National Audit Office (NAO) published a new report examining the nature and scale of online fraud, how the UK Home Office and others have responded to the threat, and opportunities to tackle online fraud more effectively. Fraud is now the most commonly experienced crime in England and Wales and most of it takes place online: an estimated 3.6 million fraud incidents occurred in the year to 30 September 2016, of which 1.9 million were cyber-related, and less than 20% of incidents were reported to the police. According to the NAO, the Home Office has started treating online fraud as a priority, but it is not yet a priority for all local police forces, and the response across the banking sector is uneven. The NAO also suggests that more coordination and consistency are needed in user education campaigns, and that government and industry need to do more to protect individuals and businesses.

Ofcom launched a review of its security guidance for telecoms providers, in the light of developments in the security threats to communications networks since the guidelines were last revised in 2014. Companies that provide public communications services and networks are required to take steps to ensure their offerings are secure and reliable. In particular, they need to ensure end customers are protected in the event of any security problems, and that networks are resilient to such problems or equipment failures, and can continue to operate. They also must report any significant security incidents to Ofcom.

BCS, the Chartered Institute for IT, launched a blueprint to help the National Health Service improve its cyber security in the light of May’s WannaCry attack. The blueprint suggests that weak accountability and a lack of investment in cyber security measures were partly responsible for leaving the NHS exposed to the attack.

New attacks & threats:

June saw a further global incident, following on from May’s WannaCry: multiple attacks by what was at first thought to be ransomware (see coverage from BBC News). Further analysis suggested that the attacks were intended to disrupt by permanently destroying data, rather than to seek financial gain through ransom payments. See alerts from the US Computer Emergency Readiness Team (US-CERT, more detail here), the UK National Cyber Security Centre (NCSC) and Action Fraud, as well as further coverage from BBC News and Ars Technica.

BBC News also reported that North Korea is believed to have been behind last month’s WannaCry attack; also see this related alert from US-CERT. Other attacks reported by BBC News this month included a ransomware attack on University College London (more detail here and here) and a hack on Parliamentary email accounts.

Research & analysis:

Which? published findings from an investigation into the security of connected devices in the home. Eight out of 15 appliances (including wireless cameras, a smart padlock and a children’s Bluetooth toy) were found by SureCloud, which undertook the investigation, to have at least one security flaw. The study also found that the Virgin Media Super Hub 2 router is supplied with a weak default password that could be cracked in a few days, giving access to the device. Also see Virgin Media’s response to the findings. Which? also published findings from a study of the UK’s fraud hotspots.

A recent survey by Tech Pro Research found that almost half of respondents reported that their company’s cybersecurity readiness had improved in the past year. This improved readiness commonly took the form of greater awareness of risk, better control over security, improved employee training and education and better control over malware.

The US Health Care Industry Cybersecurity Task Force published its report to Congress on improving cyber security in the health care industry; see commentaries from Lexology and the Healthcare Information and Management Systems Society (HIMSS). The US healthcare sector experienced more cyber incidents resulting in data breaches in 2015 than any other critical infrastructure sector.

Other research and analysis this month:

  • PhishLabs published its Q1 2017 Phishing Trends & Intelligence report; findings included a surge in attacks targeting payment services and 3x growth in attacks targeting software as a service (SaaS) and social networking sites.
  • Authentication company Preempt reported that one in five enterprise passwords can be easily compromised, with an average of 7.34% of users employing compromised passwords that have appeared in previous password breaches.
  • Cyber security company Positive Technologies reported that five of the most popular username and password combinations are enough to get administrative access to one in 10 devices, and that passwords for approximately 15 out of 100 devices have never been changed from their default values.
  • Asia Pacific law firm MinterEllison published Perspectives on cyber risk: implications for higher education, based on its second annual Cyber Security Survey to assess changes in Australian organisations' cyber resilience over the past 12 months.
  • The US Federal Bureau of Investigation Internet Crime Complaint Center (IC3) published its 2016 Annual Report. In 2016, IC3 received a total of 298,728 complaints with reported losses in excess of $1.3 billion, relating to scams such as Business Email Compromise (BEC), ransomware, tech support fraud and extortion.
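The Preempt and Positive Technologies findings above both come down to the same two checks an organisation can run itself: does a password appear in a known breach corpus, and is a device still on a vendor default credential? The following is an added example (not code from either vendor or from this blog) showing both checks in Python. The breach corpus and the default-credential list are constructed stand-ins for illustration, and the lookup follows the k-anonymity range-query pattern used by real breached-password services, where only a short SHA-1 prefix leaves the client and the match is made locally.

```python
"""Check accounts against a breached-password corpus and vendor default
credentials. Added example; the corpus and credential list are constructed
samples, not real breach data."""
import hashlib

# Constructed stand-in for a breach corpus. Stored as SHA-1 hex digests so
# plaintexts never sit on disk; a real corpus has hundreds of millions.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2017!")
}

# Constructed list of username/password pairs commonly shipped as defaults
# on network equipment and consumer devices.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""),
    ("root", "root"), ("user", "user"),
}

# Constructed sample of accounts to audit (username, password).
SAMPLE_ACCOUNTS = [
    ("alice", "Summer2017!"),
    ("bob", "Tr0ub4dor&3"),
    ("admin", "admin"),
    ("carol", "qwerty"),
    ("dave", "vN8$kq2!Lz0p"),
]


def k_anonymity_lookup(password, corpus=BREACHED_SHA1, prefix_len=5):
    """Return (prefix, matched). Only the first prefix_len hex characters of
    the SHA-1 are used to select candidates (what a range endpoint would
    receive); the full-suffix comparison happens on the client side."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:prefix_len], digest[prefix_len:]
    # Everything a range query would return for this prefix.
    candidates = {h[prefix_len:] for h in corpus if h.startswith(prefix)}
    return prefix, suffix in candidates


def is_breached(password):
    """True if the password appears in the breach corpus."""
    return k_anonymity_lookup(password)[1]


def is_default_credential(username, password):
    """True if the username/password pair is a known vendor default."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


def audit(accounts):
    """Return {username: [findings]} for every account with a problem."""
    findings = {}
    for user, pw in accounts:
        issues = []
        if is_breached(pw):
            issues.append("password appears in breach corpus")
        if is_default_credential(user, pw):
            issues.append("vendor default credential still in use")
        if issues:
            findings[user] = issues
    return findings


def compromised_fraction(accounts):
    """Share of accounts with at least one finding (the Preempt-style metric)."""
    return len(audit(accounts)) / len(accounts)


if __name__ == "__main__":
    for user, issues in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(issues)}")
    print(f"compromised fraction: {compromised_fraction(SAMPLE_ACCOUNTS):.0%}")
```

Swapping `BREACHED_SHA1` for a call to a real range endpoint keeps the client-side logic unchanged; the point of the prefix split is that the service never learns the full hash, let alone the password.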

New cyber security resources, advice & guidance:

  • The National Cyber Security Centre (NCSC) launched four Active Cyber Defence programmes to help improve basic cyber security across the public sector. These include a Protective Domain Name Service (PDNS) which blocks access to known malicious domains, measures to address email spoofing and spear phishing via the DMARC protocol, a free Web Check service to identify vulnerabilities in public sector organisations’ websites, and a notification and takedown service for attempted phishing and malware campaigns.
  • The Software Engineering Institute at Carnegie Mellon University published a new blog post on best practices for preventing and responding to ransomware.
  • The National Institute of Standards and Technology (NIST) released the Digital Identity Guidelines document suite, offering technical guidelines for organizations that use digital identity services.
  • The US Federal Trade Commission (FTC) published a new cybersecurity advice website for small businesses.
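The DMARC element of the NCSC programme above relies on each domain publishing a correct policy record, and a record that parses but says `p=none` only reports spoofing rather than stopping it. The following is an added example (not NCSC code and not part of the original post) that parses a DMARC TXT record into its tags and grades it as monitoring, partial or enforcing, flagging the weakenings a reviewer looks for. The sample records and the `example.ac.uk` addresses are constructed for illustration.

```python
"""Parse and grade DMARC TXT records. Added example; sample records are
constructed and the domain names are placeholders."""
import re

# Constructed sample records, one per grade plus a malformed one.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.ac.uk",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.ac.uk",
    "enforcing": ("v=DMARC1; p=reject; sp=reject; pct=100; "
                  "rua=mailto:dmarc@example.ac.uk; "
                  "ruf=mailto:forensics@example.ac.uk; adkim=s; aspf=s"),
    "broken": "p=reject; rua=mailto:dmarc@example.ac.uk",   # missing v= tag
}

TAG_RE = re.compile(r"^([a-z]+)\s*=\s*(.*)$", re.I)
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' (RFC 7489 tag list) into an ordered dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        m = TAG_RE.match(part)
        if not m:
            raise ValueError(f"malformed tag: {part!r}")
        tags[m.group(1).lower()] = m.group(2).strip()
    return tags


def assess_dmarc(record):
    """Return (grade, findings) where grade is one of
    'invalid', 'monitoring', 'partial' or 'enforcing'."""
    findings = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return "invalid", [str(exc)]

    # v=DMARC1 must be the first tag or receivers ignore the record.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return "invalid", ["record must start with v=DMARC1"]

    policy = tags.get("p")
    if policy not in POLICY_STRENGTH:
        return "invalid", [f"p= missing or not none/quarantine/reject: {policy!r}"]

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid", [f"pct= must be an integer: {tags['pct']!r}"]
    if not 0 <= pct <= 100:
        return "invalid", [f"pct= out of range: {pct}"]

    if policy == "none":
        grade = "monitoring"
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif pct < 100:
        grade = "partial"
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    else:
        grade = "enforcing"

    # Weakenings that do not change the grade but matter in review.
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, failures go unseen")
    sub_policy = tags.get("sp", policy)
    if sub_policy not in POLICY_STRENGTH:
        return "invalid", [f"sp= not none/quarantine/reject: {sub_policy!r}"]
    if POLICY_STRENGTH[sub_policy] < POLICY_STRENGTH[policy]:
        findings.append(f"sp={sub_policy} is weaker than p={policy}: "
                        "subdomains can still be spoofed")
    if tags.get("adkim", "r") != "s" or tags.get("aspf", "r") != "s":
        findings.append("relaxed alignment (adkim/aspf default r): any "
                        "subdomain of the organisational domain aligns")
    return grade, findings


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        grade, findings = assess_dmarc(record)
        print(f"{name}: {grade}")
        for f in findings:
            print(f"  - {f}")
```

To run this against a live domain, fetch the TXT record at `_dmarc.<domain>` with your resolver of choice and pass the string to `assess_dmarc`; the grading logic is independent of how the record was obtained.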