Key Points in the New UK National Cyber Security Strategy
The new National Cyber Security Strategy (PDF), released by the UK Chancellor Philip Hammond, outlines the government’s plan to protect the country’s economy and privacy by securing its technology, data and networks against threats and cyber attacks.
According to the World Economic Forum’s 2016 Global Risks Report, cited by Gov.uk, the global cost of online crime is estimated at $445 billion. The UK government is investing £1.9 billion (nearly double its 2011 cybersecurity funding) over the next five years in three areas, defense, deterrence and development, to shore up national security.
Here are a few of the key points made throughout the strategy document, with a focus on the current troubles at hand:
An Expanding Range of Devices
When it comes to addressing software vulnerabilities, the security strategy document outlines caveats around an expanding range of devices, referring to the Internet of Things (IoT), which connects devices to public networks and in doing so increases our exposure to attacks.
The increase in interconnectedness affects the industrial control processes of critical systems in many industries as well, which can lead to catastrophic damage in the energy, aviation, mining and other sectors.
A recent example of attackers exploiting IoT devices is the string of DDoS attacks against the DNS provider Dyn, which brought down popular websites like Twitter, Reddit, Spotify, Soundcloud and more for users on the U.S. East Coast. Traffic sent from compromised Internet-connected devices like security cameras and DVRs overwhelmed the provider, keeping sites offline for hours.
The attackers compromised the IoT devices using the Mirai botnet, which scans the Internet for connected devices that still use default usernames and passwords. This shows the importance of always using unique credentials and the need for IoT manufacturers to design their products with security in mind.
Poor Cyber Hygiene and Compliance
The strategy document states that cyber attacks aren’t necessarily sophisticated or inevitable. Rather, they’re often the result of exploited vulnerabilities that can be easily prevented.
This echoes statements from the U.S. National Security Agency (NSA) attributing most high-profile breaches to poor security hygiene: in each incident, attackers leveraged poorly patched and managed systems, a problem that could be solved by implementing basic security technology.
Here are a few tips for better security hygiene:
- Use two-factor authentication and strong identification
- Encrypt data at rest and in transit, using secure transport protocols like SSL/TLS and FIPS 140-2 validated cryptography
- Know what’s connected to your network, and identify critical data
- Limit and manage users with administrative privileges, and restrict access to your critical applications
- Implement key security settings and proper configuration to protect your systems
Legacy and Unpatched Systems
Another major problem is that many UK organizations continue to use legacy systems with old, unpatched software versions that suffer from vulnerabilities.
Many also use unsupported software which has reached end-of-life, meaning the software vendor no longer issues security patches for these old versions. An example of this is the Microsoft web browser, Internet Explorer, versions 8, 9 and 10.
In our latest Trusted Access report, we found that 20 percent of devices running IE were running these unsupported versions, leaving them exposed to vulnerabilities without any recourse.
Yet another 65 percent of Windows devices are running a seven-year-old version of the operating system - Windows 7. Get more statistics like these and our security recommendations by downloading The 2016 Duo Trusted Access Report: Microsoft Edition.
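An added example, not from the post or the report, of how an administrator might find such endpoints on their own network from web server or proxy logs: a Go classifier for User-Agent strings that maps the Trident engine token to the real Internet Explorer version (Compatibility View can rewrite the MSIE token to an older number) and the Windows NT version to the Windows release, then flags anything older than IE 11. The version mappings are the standard ones; the inputs are assumed to be UA strings pulled from logs.

```go
package main

import (
	"regexp"
	"strconv"
)

// Endpoint is what one User-Agent string reveals about a Windows client.
type Endpoint struct {
	IEVersion   int    // 0 when the browser is not Internet Explorer
	Windows     string // "" when the Windows release is not recognised
	Unsupported bool   // IE older than 11, which covers the 8, 9 and 10 named above
}

// The Trident engine token gives the real IE version even when Compatibility
// View rewrites the "MSIE x.0" token to an older number.
var tridentToIE = map[string]int{"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}

// Windows NT kernel versions as they appear in the UA string.
var ntToWindows = map[string]string{"6.1": "Windows 7", "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10"}

var (
	reTrident = regexp.MustCompile(`Trident/(\d+\.\d+)`)
	reMSIE    = regexp.MustCompile(`MSIE (\d+)\.`)
	reNT      = regexp.MustCompile(`Windows NT (\d+\.\d+)`)
)

// Classify parses a single User-Agent string, e.g. one line's UA field from a proxy log.
func Classify(ua string) Endpoint {
	var ep Endpoint
	if m := reTrident.FindStringSubmatch(ua); m != nil {
		ep.IEVersion = tridentToIE[m[1]]
	} else if m := reMSIE.FindStringSubmatch(ua); m != nil {
		ep.IEVersion, _ = strconv.Atoi(m[1]) // pre-Trident IE (7 and older)
	}
	if m := reNT.FindStringSubmatch(ua); m != nil {
		ep.Windows = ntToWindows[m[1]]
	}
	ep.Unsupported = ep.IEVersion > 0 && ep.IEVersion < 11
	return ep
}
```

Tallying Unsupported over all IE endpoints in a log sample gives the kind of share the report quotes, and the Windows field gives the Windows 7 share.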
Investing in Security
One of the actions outlined in the plan includes an emphasis on emerging industry standards for authentication, including the Fast IDentity Online (FIDO) Universal 2nd Factor (U2F) standard, which uses a USB authenticator to complete two-factor authentication.
The USB device, known as a U2F authenticator, protects the user’s private keys with a tamper-resistant component known as a secure element (SE). This can provide greater security than other methods that may be prone to man-in-the-middle attacks, like SMS-based passcodes.
The strategy document states that FIDO doesn’t rely on passwords for user authentication, but in fact the FIDO U2F standard works in conjunction with your primary authentication, which is typically a username and password.
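The U2F authentication step described above, as an added Go example that is not from the strategy document or the post: a simulated token signs SHA-256(appId) || user-presence byte || counter || SHA-256(clientData) with a P-256 key, and the relying party verifies using its own appId and challenge, which is why an assertion produced for a different origin (the man-in-the-middle case) fails. The Token type, the appIds and the client data are assumptions; a real token keeps the key and counter in its secure element rather than in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// signedData is the byte string a U2F token signs during authentication:
// SHA-256(appId) || userPresence || counter (4 bytes, big-endian) || SHA-256(clientData).
func signedData(appID string, presence byte, counter uint32, clientData []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	buf := append(app[:], presence, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(buf, chal[:]...)
}

// Token stands in for the USB authenticator: a P-256 private key that never leaves
// the device and a counter that only increases (hypothetical model, not a real token).
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewToken() (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{priv: priv}, err
}

// PublicKey is what the relying party stored at registration.
func (t *Token) PublicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Sign answers a challenge for the appId the browser supplies; presence byte 0x01
// records that the user touched the token.
func (t *Token) Sign(appID string, clientData []byte) (uint32, []byte, error) {
	t.counter++
	digest := sha256.Sum256(signedData(appID, 0x01, t.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	return t.counter, sig, err
}

// Verify is the relying party's check. It rebuilds the signed bytes from ITS OWN
// appId and challenge, so an assertion made for another origin fails, and it
// rejects a counter that did not advance (a replayed assertion or a cloned token).
func Verify(pub *ecdsa.PublicKey, appID string, clientData []byte, counter, last uint32, sig []byte) bool {
	if counter <= last {
		return false
	}
	digest := sha256.Sum256(signedData(appID, 0x01, counter, clientData))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```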
Defense Approach for UK Businesses
The strategy document stresses that organizations and company boards are responsible for:
- Ensuring secure networks
- Identifying critical systems
- Regularly assessing their risk levels
- Investing in tech and staff to reduce vulnerabilities in current systems
Meanwhile, the UK government will:
- Share threat information with industry
- Provide cybersecurity advice and guidance
- Help provide training facilities, labs, security standards and consulting services
- Create a regulatory framework for cybersecurity
For security recommendations on protecting against current vulnerabilities and keeping your users, devices and applications secure, download The 2016 Duo Trusted Access Report: Microsoft Edition.