MIGHTY BATTLE OF WITS

A MASSIVE STEP FORWARD HAS BEEN TAKEN IN THE BATTLE TO OUTWIT THE CYBERCRIMINALS - IN THE SHAPE OF THE NEW NATIONAL CYBER SECURITY CENTRE. BRIAN WALL REPORTS

Caption: Her Majesty The Queen and the Deputy Director for Digital Government at the NCSC launch

On 14 February, the much vaunted National Cyber Security Centre (NCSC) was officially opened by Her Majesty The Queen - and there are high hopes for its crucial role in tackling cybercrime. Commentators have mostly welcomed its launch, although many have mixed feelings about its remit and whether it's enough to put the UK at the forefront of the fight to keep the cybercriminals at arm's length.

More from some of those observers later, but first it's worth taking in some of the thinking behind the new centre, revealed in a speech made by Ciaran Martin, NCSC chief executive, at the opening:

"We're here to build a lasting national asset, supporting the No. 1 digital economy in the world. We want to write the next amazing chapter in the history of GCHQ, a world-class organisation. Let me tell you what I think success looks like. It doesn't mean we have no cyber attacks. We're a prosperous, digitally advanced, important country, so people are going to attack us. That's a fact of modern life. But when someone attacks the UK, I want them to think of us as the hardest of targets. We're good at cyber security in the UK. But we need to get even better."

Martin wants to establish the NCSC as a force to be feared. "That means you'll be able to do less harm," he warns the attackers. "The hardest target for adversaries. Making us the best place to live and work online. That's our mission. It's ambitious. We will make mistakes. Initiatives will disappoint. Things will go wrong. Bear with us, because we'll make it work for the whole country.

"As well as bearing with us, please work with us. All our government, security, military, law enforcement and international supporters will have a critical role to play. But, in particular, this will be about business and the private sector. At our worst - and, if we're honest, both government and industry can be as bad as each other sometimes - we can sit around at conferences, meetings and dinners admiring the problem and calling for more of the same. At our best, our collaboration can be awesome. Let's move into that new era of hard outcomes, innovation and collaboration."

TEN VITAL STEPS TO SAFETY

Meanwhile, the NCSC stresses that an effective approach to cyber security starts with establishing an organisational 'Risk Management Regime'. This regime - and the 9 steps that surround it - make up its '10 Steps To Cyber Security'. See also the infographic, with the Risk Management Regime at the centre:

1. Risk Management Regime
Embed an appropriate risk management regime across the organisation. This should be supported by an empowered governance structure, which is actively supported by the board and senior managers. Clearly communicate your approach to risk management with the development of applicable policies and practices.

2. Secure configuration
Having an approach to identify baseline technology builds and processes for ensuring configuration management can greatly improve the security of systems. You should develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities, usually via patching.

3. Network security
The connections from your networks to the Internet, and other partner networks, expose your systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, you can reduce the chances of these attacks succeeding (or causing harm to your organisation).

4. Managing user privileges
If users are provided with unnecessary system privileges or data access rights, then the impact of misuse or compromise of that user's account will be more severe than it need be. All users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role.

5. User education and awareness
Users have a critical role to play in their organisation's security, so it's important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. This can be supported by a systematic delivery of awareness programmes and training that deliver security expertise, as well as helping to establish a security-conscious culture.

6. Incident management
All organisations will experience security incidents. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact.

7. Malware prevention
Any exchange of information carries with it a degree of risk that malware might be exchanged, which could seriously impact your systems and services. The risk may be reduced by developing and implementing appropriate anti-malware policies as part of an overall 'defence in depth' approach.

8. Monitoring
System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Good monitoring is essential, in order to effectively respond to attacks. In addition, monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies.

9. Removable media controls
Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data. You should be clear about the business need to use removable media and apply appropriate security controls to its use.

10. Home and mobile working
Mobile working and remote system access offer great benefits, but expose new risks that need to be managed. You should establish risk-based policies and procedures that support mobile working or remote access to systems that are applicable to users, as well as service providers. Train users on the secure use of their mobile devices in the environments they are likely to be working in.

REACTIONS TO THE NCSC

Roger McArdell, CTO and partner at Ashton Bentley, welcomes the opening of a new centre. "It demonstrates that as a nation we are taking this issue seriously and implementing steps to reduce the problem. But this can only have a real impact, if businesses also take on the responsibility and do their best to combat the ever-growing challenge.

"We know that today's young professionals want to use the apps they use in their private lives, in their place of work. Especially for communication and collaboration. It makes sense, given that businesses are increasingly affording employees more flexibility and responsibility in their working lives. But this sense of empowerment is increasingly encouraging staff to make decisions that put the company in jeopardy - even if they don't realise it.

"As employees choose to use apps that aren't 'company approved' on the business network, they are opening up unexpected holes in the safeguarding processes. And this is made all the more dangerous because IT teams are not empowered with systems to administer and manage apps, and therefore don't necessarily have visibility of the problem until it's too late. This Shadow IT challenge must be addressed by decision makers; investing in platforms

Caption: Stuart Davis, Mandiant, FireEye: online crime now constitutes half of all crime in the UK.
Caption: Roger McArdell, Ashton Bentley: businesses must also take on the responsibility.

22 computing security March/April 2017 @CSMagAndAwards
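The '10 Steps' above describe controls in prose only. The following is an added example, not NCSC code and not part of the article, showing how a defender could turn four of those steps into repeatable checks: host configuration snapshots are compared against a hardened baseline for secure configuration (step 2), user privileges (step 4) and removable media controls (step 9), and a small monitoring rule (step 8) runs over authentication log lines to flag an accepted logon that follows a run of failures from the same source. The snapshot and baseline layout, the PATCH-A/PATCH-B identifiers, the host names, accounts, the sshd log lines and the threshold of three failures are all constructed assumptions for illustration.

```python
"""Added illustration, not NCSC code: host-baseline and log checks mapped
to the NCSC '10 Steps'. The snapshot/baseline layout, patch ids, hosts,
accounts and log lines are all constructed for the example."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    step: int      # NCSC step the finding relates to (2, 4 or 9)
    host: str
    detail: str


# Constructed baseline describing the hardened build (assumption)
BASELINE = {
    "required_patches": {"PATCH-A", "PATCH-B"},     # placeholder ids
    "allowed_services": {"sshd", "cron", "rsyslogd"},
    "admin_group_members": {"secops"},
    "usb_mass_storage": "blocked",
}

# Constructed host snapshots, as an inventory agent might report them
HOSTS = [
    {"host": "ws-01", "patches": {"PATCH-A", "PATCH-B"},
     "services": {"sshd", "cron", "rsyslogd"},
     "admins": {"secops"}, "usb_mass_storage": "blocked"},
    {"host": "ws-02", "patches": {"PATCH-B"},
     "services": {"sshd", "cron", "rsyslogd", "telnetd"},
     "admins": {"secops", "bob"}, "usb_mass_storage": "allowed"},
]


def check_host(snapshot: dict, baseline: dict = BASELINE) -> list[Finding]:
    """Compare one host snapshot with the baseline; return deviations."""
    host = snapshot["host"]
    findings: list[Finding] = []
    # Step 2, secure configuration: unpatched known vulnerabilities and
    # functionality the build does not need
    for patch in sorted(baseline["required_patches"] - snapshot["patches"]):
        findings.append(Finding(2, host, f"missing patch {patch}"))
    for svc in sorted(snapshot["services"] - baseline["allowed_services"]):
        findings.append(Finding(2, host, f"unnecessary service running: {svc}"))
    # Step 4, managing user privileges: admin rights beyond the approved set
    for user in sorted(snapshot["admins"] - baseline["admin_group_members"]):
        findings.append(Finding(4, host, f"unexpected admin account: {user}"))
    # Step 9, removable media controls: USB mass storage policy drift
    if snapshot["usb_mass_storage"] != baseline["usb_mass_storage"]:
        findings.append(Finding(9, host, "usb mass storage is "
                        f"{snapshot['usb_mass_storage']}, expected {baseline['usb_mass_storage']}"))
    return findings


def check_fleet(hosts: list[dict], baseline: dict = BASELINE) -> list[Finding]:
    """Run check_host over every snapshot and concatenate the findings."""
    return [f for h in hosts for f in check_host(h, baseline)]


# Step 8, monitoring: constructed sshd lines in syslog style
SAMPLE_AUTH_LOG = [
    "Mar 10 09:12:01 ws-01 sshd[412]: Failed password for root from 203.0.113.7 port 5021 ssh2",
    "Mar 10 09:12:04 ws-01 sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 5022 ssh2",
    "Mar 10 09:12:07 ws-01 sshd[412]: Failed password for alice from 203.0.113.7 port 5023 ssh2",
    "Mar 10 09:12:30 ws-01 sshd[412]: Accepted password for alice from 203.0.113.7 port 5025 ssh2",
    "Mar 10 09:15:00 ws-01 sshd[419]: Failed password for bob from 198.51.100.4 port 6001 ssh2",
    "Mar 10 09:15:05 ws-01 sshd[419]: Accepted password for bob from 198.51.100.4 port 6002 ssh2",
    "Mar 10 09:16:00 ws-01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")


def failures_then_success(lines: list[str], threshold: int = 3) -> list[tuple[str, str, int]]:
    """Flag (source, account, prior_failures) when a success follows >= threshold failures."""
    failures: dict[str, int] = {}
    alerts: list[tuple[str, str, int]] = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue                    # not an sshd auth line (e.g. cron noise)
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] = failures.get(src, 0) + 1
        elif failures.get(src, 0) >= threshold:
            alerts.append((src, user, failures[src]))
    return alerts


if __name__ == "__main__":
    for finding in check_fleet(HOSTS):
        print(f"step {finding.step} {finding.host}: {finding.detail}")
    print(failures_then_success(SAMPLE_AUTH_LOG))
```

Each finding carries the step number it maps to, so a fleet-wide run can be summarised against the NCSC list rather than as a flat pile of deviations; the monitoring rule deliberately alerts only on a success after repeated failures, which is the case an incident responder (step 6) most needs to see first, while a single mistyped password from a known source stays quiet.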