Cyber security remains a top priority for the government in the new Parliament. Improving basic defences is the key, and the vast majority of cyber attacks are fundamentally about return on investment.
That’s why this month (June 2017) the NCSC has come up with four simple and free measures for government departments to improve basic cyber security, which are ready to be implemented immediately by departments and their arm’s-length bodies.
The government’s National Cyber Security Strategy, published in November 2016, endorsed a set of measures known as the Active Cyber Defence (ACD) programme. The programme aims to make infrastructure, products and services automatically safer and easier to use safely by organisations and individuals.
The four measures are described below, both in lay person’s terms and a more precise technical title. None of them require additional money to implement. Nor are they overly technically complex to implement.
1. Blocking bad things from being accessed from government systems (Protected DNS)
Domain Name Service (DNS) is the phonebook of the Internet. This new service takes the rich and voluminous data GCHQ and commercial partners have about known malicious addresses. It then simply blocks the user from going there. In this way it provides automatic protection for public servants visiting infected sites whilst using work systems.
The concept is simple. Cyber attacks commonly involve redirecting a user away from the domain that they intended to access and on to a domain or website that contains malware or is fraudulent. We have worked with a commercial partner to set up a Domain Name Server filtering service for public sector bodies that stops this from happening for registered users.
2. Blocking bad emails pretending to be from government (DMARC anti-spoofing)
Attackers sending fake emails purporting to be from the government has been one of the biggest problems in UK cyber security. Much of it is preventable by the adoption of a protocol known as DMARC which helps authenticate an organisation’s communications as genuine. In the 2016 pilot HMRC (the UK’s single most spoofed brand) undertook with our support, they blocked over 300 million malicious or fraudulent emails. All departments can now do this. What it means for the citizen is that instead of being advised ‘not to open a dodgy looking email’ the ‘dodgy email’ does not arrive.
Again the concept is simple. The most common way of introducing malware into victims’ systems are email spoofing and spear-phishing where emails are tailored to increase the likelihood of the recipient clicking on a malicious link. Through this attackers steal credentials, making identity fraud and theft easier. The NCSC, together with GDS, have been advocating the use of the DMARC protocol which makes email spoofing much harder. In parallel, we have built the Mail Check service that monitors adoption of the standard and provides data on trends.
By the end of March, there were 613 .gov domains registered with the service, an increase of 35% since January. More than 650,00 emails have so far been rejected by the service, ensuring that emails falsely purporting to come from government are not being delivered. Mail Check also processes the DMARC reports centrally to generate data which further enhances the NCSC’s knowledge of the threat picture.
3. Helping public bodies fix bad things on their website (Web Check)
One thing victims and attackers both do is scan for vulnerabilities in Internet facing services so that they know what to defend, or attack. Commercial services are available to do this. But for smaller public bodies the cost of these services might proved prohibitive and they may not be able to afford to employ anyone who understands the results. So the NCSC has built a free service known as Web Check to scan the websites of public bodies and generate a report on what needs fixing, and how to fix it.
We have built Web Check because we know that many organisations are still vulnerable to simple cyber attacks because of basic weaknesses in their web-facing services. Web Check scans websites looking for common vulnerabilities and returns an easy-to-understand report with risk mitigation advice. Launched formally later this month, it is currently running as a prototype with 150 users from 114 different public sector organisations including central government, local government, the emergency services, health and the devolved administrations. Users have fixed 20 urgent vulnerabilities, chiefly relating to security certificates, following Web Check notifications.
As we prepare for formal launch a big focus is on signing up local government customers because our pilots have shown them to be the most likely immediate beneficiaries.
We are already looking at additions to the Web Check service and, at the end of last year, the NCSC funded an internal discovery project to understand the extent of the public sector’s web 'real estate'. Centrally-held statistics indicated that there were over 2,500 such websites but our project has identified at least ten times as many which belong to public sector organisations.
Many of these have not been used or updated for some time and potentially provide an easy way in for cyber criminals and others with hostile intent. We have secured investment this year to develop this work and tie it explicitly to Web Check so that we can inform public sector organisations of the websites they own so that they can either close them down or ensure that they are secure. We will issue further guidance on this in due course: in the meantime departments should be aware that out of date web 'real estate' poses a risk to them by expanding the surface area for attack, including spoofing, and take whatever action they can to mitigate it.
4. Removing bad things from the Internet (phishing and malware mitigation):
Since June 2016, the NCSC has been working with Netcraft, a private sector company, on a phishing and malware countermeasures service to protect the UK, including government brands. This is a protection from which government departments benefit automatically without having to do anything. But departments can help augment the service by notifying Netcraft if they themselves discover they are the target of a phishing campaign, or that there are malicious emails purporting to be from them. Netcraft will then issue takedown notifications to the hosts of the email and phishing sites.
To help this work, Departments and businesses should forward any the offending emails, along with any attachments, to email@example.com. Netcraft will then issue takedown notifications to the hosts of the mail and phishing sites. Similarly, if a department discovers a clone of their own site or online services, they should use the same email address to notify Netcraft of the URL of the offending site and they will initiate action for the site to be taken down.
To date, the Netcraft service has taken down over 62,849 attacks. The average 'time to die' for phishing sites relating to government has fallen from 27 hours prior to our service’s introduction to under one hour and for malware from 525 to 43 hours (roughly from 22 to less than 2 days). For HMG attacks hosted outside the UK, 62.9% of Advance Fee Fraud sites spoofing the government (where an email purporting to be from HMG asks for credit card details) are taken down within the first 24 hours compared to 2.9% prior to service activation. The cyber criminals who are behind these scams are seeing a much reduced return. The Netcraft service is being expanded over the coming months to cover deceptive domains and malware apparently delivered by government.