Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: Ireland’s NCSC issues an advisory, as warnings continue about the elevated threat of cyber attacks due to the ongoing crisis in Ukraine. Also this week, how blind faith in an IT system led to one of the largest miscarriages of justice in the UK, and why the phrase ‘Too big to fail’ may soon be joined by the phrase ‘Too big to understand’.
This week’s action: Bí Ullamh (Be Prepared): Consider the NCSC advisory’s recommendations.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.buzzsprout.com/1914497/10137325 or wherever you get your podcasts.
1: Ireland’s NCSC joins the US, UK, and others by warning of likely cyberattacks as the Ukrainian crisis deepens
A few weeks ago, I mentioned the warnings being issued by a number of government agencies around the world about the increased likelihood of a major cyberattack on Western nations. These warnings continue.
Ireland’s NCSC recently issued an advisory to highlight the potential impact on Ireland or Irish-based entities should the current situation continue to escalate.
It’s brief and to the point, so well worth a read. It also forms the basis of this week’s action, which I discuss in more detail later.
Alongside its recommended actions, the NCSC also points out an additional risk factor. It reminds us that many organisations rely on outsourced cyber security expertise and that their incident response plans assume access to the skills of these specialist companies at their moment of need. But when an attack is truly global, and these experts are trying to help a lot of organisations at the same time, there is a risk that they may not be able to help you in a timely manner. As a result, it may take you longer to contain the attack, respond to it and recover from it. It is therefore important to consider this risk now and identify the steps you can take to mitigate it before it materialises.
If I were in this position, I would consider:
- Organising a tabletop simulation right now while the experts are available to me, so key internal staff can experience “incident response” in a safe environment and the organisation can spot gaps in the plan.
- Developing a ‘Plan B’ incident response plan that should be followed if the experts are not available.
- Seeing if I can identify or build up some basic skills in-house – for example, training someone on the basic steps needed to contain or limit the damage of an attack while we await the arrival of the experts.
Read more: https://www.ncsc.gov.ie/pdfs/TLP_WHITE_Heightened_Threats_Feb22.pdf
2: CISA’s Free Cybersecurity Tools and Services website
“The Cybersecurity and Infrastructure Security Agency (CISA) [has] launched a new hub that organizations can use to discover free public and private sector resources to strengthen their cybersecurity.
CISA Director Jen Easterly said in a statement, ‘Many organizations, both public and private, are target rich and resource poor. The resources on this list will help such organizations improve their security posture, which is particularly critical in the current heightened threat environment.’”
The website starts with a list of foundational measures, including:
- Fixing known security vulnerabilities in software (i.e. installing patches),
- Implementing Multi-Factor Authentication, and
- Replacing software that is no longer receiving updates, or that relies on known, default or unchangeable passwords.
The most interesting recommendation is to take steps to identify and secure your internet-connected devices, especially those appearing on search platforms that list such devices, which could be used to identify vulnerable doorways into your organisation. If you’ve never heard of device search platforms like Shodan.io, now is the time to learn about them.
Read more: https://www.cisa.gov/free-cybersecurity-services-and-tools via https://therecord.media/cisa-creates-new-online-resource-hub/
3: An extreme example of what can happen if we blindly trust an IT system
As mentioned in the Irish Times this week and reported in the Guardian at the time, “dozens of former post office workers in the UK had their convictions for theft, fraud and false accounting quashed by the court of appeal in April 2021 after one of the biggest miscarriages of justice in British legal history. [..] Campaigners believe that as many as 900 operators, often known as sub-postmasters, may have been prosecuted and convicted between 2000 and 2014 after the Horizon IT system installed by the UK Post Office and supplied by Fujitsu falsely suggested there were cash shortfalls.[..] Some of the convicted workers were sent to prison, others lost their livelihoods and their homes. Many went bankrupt – and some died before their names were cleared.”
“In an earlier ruling at the high court, Mr Justice Fraser found the Fujitsu-developed Horizon system contained “bugs, errors and defects” and that there was a “material risk” that shortfalls in branch accounts were caused by the system.”
However, the Post Office firmly believed the Horizon system was reliable, and “refused to countenance any suggestion to the contrary. [..] Defendants were prosecuted, convicted and sentenced on the basis that the Horizon data must be correct, and cash must therefore be missing.”
IT systems and outsourced IT services represent an accountability vacuum. Some systems are just so big and outsourcing contracts so complex that no one person feels accountable for ensuring things are not going awry.
We all know the phrase “Too big to fail”. But the phrase “Too big to understand” may become quite common as IT systems continue to become bigger, more complex, and more AI-driven.
Read more: Irish Times story at https://www.irishtimes.com/news/ireland/irish-news/it-was-horrendous-says-bankrupt-victim-of-post-office-horizon-it-error-1.4809966 and The Guardian report at https://www.theguardian.com/uk-news/2021/apr/23/court-clears-39-post-office-staff-convicted-due-to-corrupt-data.
There has been a 232% increase in phishing emails using LinkedIn as their hook, according to a report by Egress and published in Threat Post recently. “The phishing attacks are spoofing LinkedIn to target ‘Great Resignation’ job hunters [and are] attempting to trick job seekers into giving up their [LinkedIn] credentials.”
Read more: https://threatpost.com/massive-linkedin-phishing-bot-attacks-hungry-job-seekers/178476/ via https://securethevillage.org/news
The FBI received 25,000 romance fraud complaints in 2021, demonstrating that the victims who starred in Netflix’s “Tinder Swindler” series are just the tip of the iceberg.
It is likely that the true number of people who have been fooled into transferring money to these scammers is far higher.
After all, if you were fooled, would you report it?
Read more: https://eu.usatoday.com/story/news/nation/2022/02/16/romance-scams-rise-cost-americans-millions-fbi-ftc/6797616001/ via https://securethevillage.org/news
1: Follow NCSC’s advice
I mentioned NCSC’s advisory about the heightened threats arising from the current crisis in Ukraine. For this week’s action, I recommend you review this NCSC advisory.
At a minimum, it recommends you do the following:
- Scan for unpatched systems and services, so you find vulnerabilities in your devices before the bad guys do.
- Fully assess your third-party Managed Service Provider (MSP) and supply chain contracts, to reduce the risk that you are doing business with an organisation that is ignoring its role in your security.
- Secure your Active Directory (the advisory includes a link to Microsoft’s guidance).
- Secure your email environment (again, the advisory includes a link to Microsoft’s guidance on securing Microsoft 365).
- Review and update your incident response process and plan.
- Review and act on the recommendations contained in the NCSC’s Cyber Vitals Checklist, which I mentioned a few weeks ago.
Two things I would add at this point:
- Multi-Factor Authentication: Attackers seldom hack in. They usually log in. MFA makes this far more difficult.
- Backups: If they do get in, a reliable backup may be the only thing between you and oblivion. This is because many state-sponsored attacks do not seek payment in return for your data. They seek disruption, and delete your data so it is gone forever.
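Two of the items above lend themselves to a small, repeatable check: knowing which of your services face the internet (the point CISA’s hub also makes about device search platforms) and finding software that is below a patched baseline. The following Python is an added example written for this summary, not code from the NCSC, CISA or Shodan; the inventory format, the list of ports treated as high risk and the version baselines are constructed assumptions used to illustrate the idea, and the hostnames and product names are invented.

```python
"""Exposure and patch-level triage over a constructed asset inventory.

Added example for the advisory's "scan for unpatched systems" and
"identify your internet-facing devices" items. Everything below
(inventory shape, port policy, baselines) is an assumption for
illustration, not real advisory data.
"""
import re
from dataclasses import dataclass, field

# Assumed policy: management and file-sharing services that should not be
# reachable from the internet. Any of these on an external interface is a finding.
HIGH_RISK_PORTS = {
    23: "telnet",
    445: "smb",
    3389: "rdp",
    5900: "vnc",
    1433: "mssql",
    3306: "mysql",
    6379: "redis",
}

# Constructed minimum patched versions for two invented products. In practice
# this table would come from your vendors' security advisories.
MIN_VERSION = {
    "exampleweb": "2.4.52",
    "examplemail": "1.7.0",
}


@dataclass
class Asset:
    """One externally observed host: its open TCP ports and known software."""
    host: str
    open_ports: list
    software: dict = field(default_factory=dict)  # product name -> version string


def parse_version(text):
    """Turn '2.4.51-ubuntu' into (2, 4, 51) so versions compare as tuples."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def exposure_findings(asset):
    """High-risk services reachable on this asset's external interface."""
    return [
        f"{asset.host}: {HIGH_RISK_PORTS[port]} (tcp/{port}) reachable from the internet"
        for port in sorted(asset.open_ports)
        if port in HIGH_RISK_PORTS
    ]


def patch_findings(asset):
    """Installed software that is older than the patched baseline."""
    findings = []
    for name, installed in asset.software.items():
        baseline = MIN_VERSION.get(name)
        if baseline and parse_version(installed) < parse_version(baseline):
            findings.append(
                f"{asset.host}: {name} {installed} is below patched baseline {baseline}"
            )
    return findings


def triage(inventory):
    """All findings across the inventory, exposure first, then patch level."""
    findings = []
    for asset in inventory:
        findings.extend(exposure_findings(asset))
        findings.extend(patch_findings(asset))
    return findings


# Constructed sample inventory (invented hosts, ports and versions).
SAMPLE_INVENTORY = [
    Asset("web-01.example.test", [80, 443], {"exampleweb": "2.4.51"}),
    Asset("file-01.example.test", [445, 3389]),
    Asset("mail-01.example.test", [25, 443], {"examplemail": "1.7.2"}),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print(line)
```

Run as-is, it reports the web server's out-of-date software and the file server's SMB and RDP exposure, and nothing for the mail host. Feeding it your own inventory and baselines turns the advisory's two bullet points into a check you can rerun after every change rather than a one-off exercise.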
Read more: https://www.ncsc.gov.ie/pdfs/TLP_WHITE_Heightened_Threats_Feb22.pdf