Reblog: How Do You Remain Savvy With Your Supply Chain

Reblog. Original (TechUK)

By now, we must all be aware that Cyber Security is a prominent issue – we recently heard mainstream news reports about Ransomware hitting the NHS and often hear about the latest data theft of millions of passwords or credit cards.

Home users should be starting to get the message about keeping our devices up to date, choosing good passwords, and even using two factor authentication where possible. But do we spend sufficient time thinking about the products or services we buy?

More…

The “NHS” Attack

The poor and inaccurate reporting of the NHS Ransomware incident over the weekend has irked CyberMatters into coming out of hibernation. With so much to say, it’s hard to know where to start.

WannaCrypt ransomware demand

Not targeted

First the NHS was not targeted by a Cyber Attack. The attack affected ANY system that was vulnerable; the sad fact is the NHS was vulnerable, as were many other global organisations thus the attack was able to succeed.

By Friday evening, and over the weekend, the media were taking interviews from various industry ‘experts’. Sadly, too many were using the opportunity to push their latest and greatest product feature that would provide protection. Let’s be clear, if any product supplier says their product would have prevented the incident, their comment should be taken with a pinch of salt. THERE IS NO MAGIC BULLET PROTECTION. (However, there were also some very good reports from proper experts).

Defence in Depth

A solution requires an organisation has a defence in depth strategy, as long promoted in this blog.

Protection measures are needed on all interfaces that can bring malware into the IT systems – email, web sites, CD & Memory sticks etc. These need to have multiple layers – e.g., both boundary and end point protection, and multi-faceted – e.g., anti-virus, sandboxing, limited user rights and advanced verification techniques.

A defence in depth strategy will then assume these measures have failed, and provide mitigations to prevent the spread. These typically include patching and network segmentation.

The next layer will then assume these have failed, and provide monitoring mechanisms to look for suspicious network behaviour, such as unusual network traffic.

If these protect and detect measures fail, you then need to enact pre-planned response measures.

The NHS scenario

NHS logo.pngIt is too early to tell, but it is my belief the NHS was so badly hit, as their defence in depth strategies were not effective.

Boundary protection systems let the malware in (and to be fair, this is likely in most organisations, unless excellent user training and advanced data verification tools are used), the lack of patching allowed the malware to spread.

Then, due to the lack of segmentation, the only response mechanisms were to shut all systems down until a more detailed assessment could be made.

Cyber Essentials

My first reaction on hearing of the way the malware was spreading is this would be a good advert for Cyber Essentials. To this end, I thought Amber Rudd, Home Secretary, presumably briefed by Ciaran Martin, head of NCSC, missed an opportunity to promote implementing Cyber Essentials as immunisation. But her detailed words reveal why…

She said there were three key mitigations, patching, anti-virus and backups. Cyber Essentials is a prevent strategy, and does not include the prepare element of backups. Maybe a lesson learnt that should feed into a revision of Cyber Essentials?

What went well?

Part of the NSCS’s £1.9bn is spent on the Cyber Information Sharing Partnership (CiSP) which incorporates information from the UK Computer Emergency Response Team. By 3pm, the incident was being discussed by experts, and by 4pm the relevant Microsoft patch identified. If you are not part of CiSP, I recommend including consulting CiSP as part of your incident response plans.

The NCSC were also quick to publish specific mitigation advice on gov.uk by Sunday.

Windows XP

Much of the press debate has centred on unpatched Windows XP systems. Irrespective of the rights or wrongs of Microsoft not providing updates, this issue has been known for a long time. For example, government departments running Windows XP would not be allowed to connect to the government public sector network, forcing departments to resolve the issue.

The NHS ‘defence’ is legacy applications do not work on newer Windows systems. Again, whether that is the full truth matters not. If you know this risk exists, then you MUST deploy defence in depth, and most importantly segmentation and isolation strategies to manage the risk.

Nexor – how did we react?

We became aware of the issue, via open source monitoring mid-afternoon on Friday. We convened an ad-hoc security incident response meeting, consulted CiSP to determine the nature of the issue, from where we were able to establish the March Microsoft patch provided immunity. Cyber Essentials demands we roll out the patches quickly, so we could be confident the immunity would be effective, but decided to double check our patch management records in any case. By 5pm we concluded we were OK this time.

Who to trust?

One of the hard parts of all this, is knowing who to trust. Who is given an accurate and balanced story, versus plugging a corporate position. This is hard to answer. The best I can come up with at the moment is other than word-of-mouth / reputation, check the person giving advice on the Trusted Security Advisors Register – not perfect, but the closest we have right now.

Cyber Essentials Plus and a Bit More

Cyber Essentials as a standard is now starting to mature, with almost 3,000 certifications now reported.

Cyber Essentials logoCyber Essentials is largely a one-size-fits-all. You are either compliant, or you are not (with a small bit of “comply or explain” wriggle room). This is good for the purpose it was intended, and serves a baseline for all businesses.

This is now mandated for UK Government procurement, but when assessed for use in the Ministry of Defence’s supply chain it was considered the essentials were not enough.

The challenge however is different elements of the supply chain needed greater or lesser security. The solution being trailed is called the Defence Cyber Protection Partnership (DCPP) Cyber Security Model (CSM).

The model describes 4 risk levels, from Very Low up to High (plus a Not Applicable). For each of these a set of mandatory security controls is defined. Even at the Very Low end, Cyber Essentials is required. The higher the risk, the tighter the expected level of control.

Referring to my blog “The importance of having an Asset List”, it’s interesting to note that only at the Medium risk grade is an asset list mandatory – in the blog I argue you find the lower levels hard to do without one.

At the highest end of the CSM, there are controls such as “Proactively verify that the security controls are providing the intended level of security”; i.e., implementing security is not enough – you need to be able to demonstrate your controls are working.

The CSM approach is very much a ladder, you move up rung by rung from Cyber Essentials.

For something more bespoke and comprehensive there is the ISO 27001 based approach, in which you:

  • identify the business’s security objectives;
  • determine the risks;
  • then select a set of controls to mitigate those risks.

Effectively an a-la-carte approach to customise a solution, all wrapped in a security management system.

Within your business, you need to take control and determine the appropriate level of security, but please don’t be paralysed by indecision – at the very least start a Cyber Essentials programme.

Cyber Essentials at UK MOD: the beginning of a critical mass?

The UK’s Cyber Essentials Scheme took a major step forward at the beginning of this year when the UK Ministry of Defence (MOD) mandated that its suppliers need to have obtained a Cyber Essentials certificate before they are able to undertake certain contracts.

This news has been coming for quite a while but judging by some reaction to this mandating of Cyber Essentials, it appears to have caught some by surprise. Continue reading “Cyber Essentials at UK MOD: the beginning of a critical mass?”

Cyber Essentials At Home

Our homes are becoming smarter. Lights you can switch on remotely, heating that learns about when you will be at home, refrigerators that add items to shopping list as you use them and electric cars that charge when fuel prices are low.

This exciting new world does not come without risks: risks to privacy; risks to security and risks to physical safety. Continue reading “Cyber Essentials At Home”

Cyber Essentials: going mainstream?

As I’m sure many of the readers of this blog will be aware Cyber Essentials is a UK Government scheme encouraging organisations to adopt good practice in information security. It includes an assurance framework, and a simple set of security controls, to protect IT.

It was launched in a big fanfare in June of last year; it became mandated for certain UK Government IT contracts in October 2014; but it has seen relatively low take-up. Or at least thus far. Continue reading “Cyber Essentials: going mainstream?”