NCSC publishes latest annual ‘Cyber threat to UK business’ report


The UK’s National Cyber Security Centre (NCSC), part of GCHQ, has published its annual cyber threat to UK business 2017-2018 report.

2017 will be remembered as the year of ransomware attacks and massive data breaches, supply chain threats and fake news stories, says the report.

The WannaCry ransomware attack in May spread rapidly and randomly due to its use of a self-replicating worm. 300,000 devices were infected, spanning 150 countries and affecting services worldwide, including the NHS. The attack demonstrated the real-world harm that can result from cyber-attacks. The report also highlights the enormous scale of the 2013 Yahoo breach, the 2016 Uber breach and the 2017 Equifax breach which came to light this year, demonstrating that data is a valuable target for cyber adversaries.

Supply chain compromises of managed service providers and legitimate software (such as MeDoc and CCleaner) provided cyber adversaries with a potential stepping stone into the networks of thousands of clients, capitalising on the gateways provided by privileged accesses and client/supplier relationships. According to the report, it is clear that even if an organisation has excellent cyber security, there can be no guarantee that the same standards are applied by contractors and third party suppliers in the supply chain. Attackers will target the most vulnerable part of a supply chain to reach their intended victim.

Cyber-attacks have resulted in financial losses to businesses of all sizes, says the report.

According to Ciaran Martin, Chief Executive at the NCSC: “The last year has seen no deceleration in the tempo and volume of cyber incidents, as attackers devise new ways to harm businesses and citizens around the globe. Despite these very real threats to the nation’s security, I am confident in the UK’s ability to combat the attacks that we face every day.”

The reported number and scale of data breaches continued to increase in 2017, with Yahoo finally admitting in October that all of its 3 billion customers had been affected by the 2013 breach. Groups assessed to have links to state actors – sometimes described as APTs (Advanced Persistent Threats) – were likely responsible for some of the larger breaches, according to the NCSC report.

The techniques used in most cases were not particularly advanced (including exploiting unpatched vulnerabilities and spear-phishing), further demonstrating the blurring boundaries between nation states and cyber criminals, making attribution more difficult.

NCSC analysis indicated that a large number of incidents were caused by third party suppliers failing to secure data properly. Some of the incidents also demonstrate that it takes more than a basic cyber security posture to prevent large-scale data breaches.

2017 saw some significant examples of supply chain attacks, including the compromise of a large number of managed service providers (MSPs), enabling access to commercially sensitive data from them and their clients.

Supply chain compromises typically seek to introduce security flaws or other exploitable features into equipment, hardware, software, or services, prior to their supply to the target (or make use of a compromised supplier organisation’s connections to the target). Operations or activities are usually designed to breach confidentiality and integrity, but they may also be designed to affect availability (such as supplying defective equipment). Ongoing servicing, support or updates to equipment, hardware or software may also provide opportunities for threat actors to interfere with the supply chain.

When done well, supply chain compromises are extremely difficult (and sometimes impossible) to detect. Network monitoring can detect unusual or suspicious behaviour, but it is still difficult to ascertain whether a security flaw has been deliberately introduced (possibly as a backdoor) or results from a careless error on the part of developers or manufacturers – or indeed to prove that any potential access has been exploited. Services of almost any sort can be affected, particularly if they involve electronic connectivity or data import.

The NCSC recommends that businesses mitigate against supply chain operations. It recommends that businesses work (where possible) with companies certified through the NCSC Cyber Essentials Scheme, or those that can demonstrate that they’ve followed the NCSC’s 10 Steps to Cyber Security and follow the principle of ‘least privilege’, especially for external parties that may need remote access into a business’s networks for specific administrative tasks.

Fake news and information operations

The NCSC report highlights that the UK benefits from a free, open and accessible media, but says that social media presents opportunities for those looking to cause reputational damage to a business.

For example, disgruntled employees, competitors or ‘pranksters’ can easily create fake news stories which can cause embarrassment or damage. Whilst most of the press coverage over the past 18 months has focussed on the effect of fake news stories on the electoral process in several countries, businesses are not immune.

Fake news is not strictly speaking a cyber threat, adds the report, but our adversaries regard it as one of the many tools available to them as part of a hybrid campaign. The unregulated nature of social media presents opportunities for those looking to cause reputational damage to a business. The spreading of fake news can not only damage a company’s reputation but can also affect the share price or sales. In extreme cases, smaller businesses could be forced to close.

The full report from the NCSC can be accessed here.