Some Thoughts from the NCSC 2020 Annual Review

The National Cyber Security Centre (NCSC) released its annual review of 2020.  If you are unfamiliar with the NCSC, part of their mission is that they are “dedicated to making the United Kingdom the safest place in the world to live and work online.”   This is a lofty goal, and since the first report, issued in 2016, the NCSC remains steadfast in its vision.

This year’s report, which spans the period from September 2019 through August 2020, contains many interesting insights.  Here is a summary of some of the more salient points:

A new CEO at NCSC

An interesting development, although unrelated to cybersecurity, is the appointment of a new CEO at NCSC.  This is a positive change, as having someone new at the helm of a security organisation opens up the potential for a different perspective from their predecessors. This can be seen in the way a leader responds to the tactics of attackers.

Cyber attackers prefer to exploit areas that are either easy targets, or that they understand well through their criminal research. For example, a cyber gang could research the operational processes of security organisations, observing the organisation’s response patterns. In doing this, they are able to create workarounds to avoid detection when they conduct a real attack against a potential target. Having someone new come into an organisation provides the ability for the new CEO to take a fresh look at the current measures and add or remove any systems that are either not being used effectively or are old and outdated. A shift in those systems would disrupt all the research that the cyber criminals have been collecting, potentially pushing any attack plan back to the beginning.

COVID-19 takes center stage

Of course, similar to all other reports of 2020, Coronavirus must be addressed.  How could an infectious disease have an impact on cybersecurity?  The NCSC states that there have been more threats than ever due to Coronavirus. Cyber gangs are always looking for new areas to exploit, and with the pandemic forcing major changes within organisations and the way their employees work, i.e., from home.  This has created more potential gaps in the security landscape. The emergent inclusion of more BYOD opportunities, as well as potentially weak network security (as compared to corporate restrictions), has opened up new areas to attack.

Diversity: helping you stay secure

Optimistically, the NCSC report states that there has been a major increase in the inclusion of young people within cybersecurity, and in particular, an increase of 60% in female participation. This is a very promising sign. One of the biggest factors when it comes to security organisations’ ability to protect themselves against a lot of different types of attacks depends on being able to leverage the diversity within the teams themselves.

NCSC helping support victims

An often overlooked aspect of cybersecurity is victim support.  Most, if not all effort and funds are spent focusing on areas to protect the organisations or their people from being attacked. What effort is spent on the entities that do fall victim to the attacks?  Organisations would most probably have some form of insurance against intellectual property theft or financial loss impact, but individuals would most certainly not have any recourse should they become the victim. (Merely offering free credit monitoring does little to make a victim “whole”.) The NCSC report highlights that they have provided support to over 1200 victims of a cyberattack, which, although encouraging, lacks specific details about what that support entailed.

Stopping advanced threats

The NCSC has highlighted that they were able to stop or thwart attacks that are usually very hard to detect, such as custom malware. Custom Malware is malicious code that has been altered to infiltrate a specific person or organisation by means of exploiting their individual and uncommon security flaws. These types of attacks are usually performed to either harm the reputation of a specific organisation or to steal the intellectual property of the organization.  This could have a huge financial impact, if the target is a pharmaceutical research company working on the coronavirus pandemic, for example.

Other areas where custom attacks would provide financial benefit to cyber gangs are industries that don’t necessarily affect an entire consumer base, but more focused on individual errors or financial transactions.  To clarify, organized sports have been targeted, potentially disrupting a large transaction between two clubs. Imagine the financial gains for any cyber gang should they be able to get a hold of any of the large transfer deals that have happened over the years. This type of attack would require a focus on a specific user or team, but would be massively detrimental to the sports industry. NCSC have stated that they were able to assist in stopping such attacks in the past.  With all the names given to attacks, such as Phishing, Spear Phishing, and Watering Hole, could an attack against a sports club be somewhat humorously named a “Goal Post attack”?

Phishing for scams

The topic of phishing is not overlooked in the annual review. A lot of the feedback and reporting provided within the NCSC report points back to one of the most common basic attack vectors utilised by cyber criminals, phishing. As phishing is still one of the most successful attack vectors, why would cyber criminals reinvent the wheel? Cyber gangs do however make alternate versions of the attack type, such as using celebrity names to falsely endorse certain scams. NCSC has reported the rise in these attempts, but has also reported to being able to shut most of them down within 24 hours in some cases. However, education is still one of the biggest tools in any organisation’s arsenal to combat phishing attacks.

Creating new frameworks and legislations

In a bold move, the NCSC worked alongside the Department of Culture, Media & Sport (DCMS) in the development of legislation to create a new security framework (EN 303 645), requiring manufacturers of connected consumer devices to create a uniform security standard for all internet-connected consumer devices, such as closed-circuit television (CCTV) cameras, and other home automation systems. A lot of unsuspecting consumers rely on the fact that as they are purchasing devices from well-known companies, and that those companies are doing their due diligence in terms of providing out of the box security measures on their devices. However, this is definitely not the case. The new legislation introduces specific measures to promote better default security for these devices

The NCSC acknowledges, and gives credit to the strong cyber community as well.  The success of the NCSC occurred with the assistance of multiple cybersecurity teams, all working in conjunction with one goal in mind, to stop the attacks. The teams were not only a combination of different teams within the NCSC itself but also with the assistance of allied nation-states and security communities found around the world. Having multiple teams available to test security best practices and particular applications such as the Nation Health Services’ (NHS) track and tracing apps, provided invaluable assistance in hardening and securing the application prior to being released to the public.

The information in this year’s NCSC report is well-worth reading.  At first glance, the report seems daunting, a full 128-page document.  However, its format is brisk, and the information is highly relevant to all cybersecurity disciplines.  I am hopeful that this summary has whet your appetite to read the entire report, enhancing your knowledge, and your ability to protect your organisation against the threats that continue to evolve.