The NCSC's Active Cyber Defence programme - a series of initiatives designed to tackle a range of commodity attacks - is now well into its second year. And in addition to making people objectively safer in cyberspace, we're continuing to analyse the data that the ACD projects generate.
What - if anything - can this data tell us about the state of IT across the public sector?
And more importantly, can we at the NCSC use this data to make decisions about how to best focus our efforts? That is, does the data provide us with any 'clear wins' that we can pass on to our public sector customers to improve their security?
One clear observation from the analysis is that many government Content Management Systems (like WordPress, Joomla and Drupal) are frequently not maintained - we found 593 sites that were out of date. Why should this be the case?
Why don't Content Management Systems (CMSs) get patched?
First of all, organisations may not know that they need to frequently patch their systems.
Assuming they do know this, there's still the following issues:
- They don't know how to patch.
- The website is contracted out and isn’t maintained in line with expectations of the public sector organisation.
- Patching can take an unreasonable amount of time, during which systems will be unavailable.
- Sometimes, when a CMS is patched, things break. More specifically, patching breaks the thing you were trying to patch, and sometimes things you weren’t trying to patch.
We’ve also observed that the type of update will dictate how keen people are to apply it. The graph below shows how long it takes (in days) for people using an existing version to update to the next version. The longer the bar, the longer the user is staying on that version. From the graph below it's clear that users are applying security updates (orange), and then not applying any updates for a long time.
In an ideal world, people wouldn't get 'stuck' on security updates; after applying a security update they would continue to keep their CMS up-to-date, by applying regular and minor updates.
Why patching is important for CMS systems
As the NCSC point out in its guidance, patching all systems is important because:
- patching prevents harm from ‘critical’ vulnerabilities (the problems in the code that can be exploited easily and have can cause serious damage)
- patching can prevent your organisation from being exploited and harm being done to your software - and reputation
For Content Management Systems, applying all types of CMS patch are also important, because vulnerable systems might result in your site might being defaced, or even taken offline altogether. We found 220 government websites that have been defaced in the past five years. It's worth nothing that this is not necessarily all due to out-of-date CMS, but it is highly likely to have been a factor in a majority of them.
Our analysis shows that the promptness of a CMS patch being applied will vary according to the type of patch. However, if an organisation only applies security updates, this means that once the major version goes out of support (eg Drupal 6) you will no longer receive any patches, security or otherwise. So don't ignore the non-security patches; applying them promptly will mean your system is ready to receive security patches as soon as they are available, and it will remain in support for a longer period of time.
How secure is your public sector website?
Web Check is a free-to-use website configuration and vulnerability scanning service, available to all UK public sector organisations. So if you manage websites including:
- local government
- emergency services — Police, Fire and Rescue Services, NHS Ambulance Services, HM Coastguard
- central government
- the National Health Service
- devolved administrations
- Crown dependencies
- British overseas territories
- and haven't already registered, then why not create an NCSC Signin account at www.webcheck.service.ncsc.gov.uk? You can request access to the Web Check service from there.
Not public sector?
Take the time to understand if your website (or websites) use a CMS, and make sure you know who is responsible for keeping it up to date. You can then check if it's being updated regularly, and if it's not, find out what you need to do to make sure patches are applied as soon as possible.
Digital Data Analytics Team, NCSC