Cyber-criminals are still attacking decades old vulnerabilities

The National Cyber Security Center (NCSC) has since its inception in 2016 grown into a well recognised brand, and a resource for organisations of all sizes, government departments and the public.

The NCSC is part of GCHQ and therefore also works with law enforcement, defence and intelligence agencies as well as international partners.

Chris Ensor, Deputy Director for Cyber Growth for the NCSC, speaking to delegates at the Computing IT Leaders Summit, explained how the frequently expressed concerns about the impact of emerging technologies – predominantly AI - on cybersecurity – sometimes seem at odds with cybersecurity reality.

“TCP/IP was invented in the mid-seventies, and DNS in the early eighties. They’re still used today, as is border gateway protocol which was invented in 1989 and 2G in 1991. They aren’t due to be phased out until 2033 and none of it was built with security in mind because nobody could imagine it being used maliciously.

“The first documented instance of a buffer overflow attack was about fifty years ago but they’re still prevalent today.”

The message of course, is that when examining your cybersecurity posture, it’s sensible to start with the basics. Anything else is spending lots of money on state-of-the-art window locks and alarm systems when you have left the front door wide open.

“The most exploited vulnerabilities are unpatched bugs and badly configured internet connections. Multi-factor authentication can be a pain, but it can also save you.”

Cyber Essentials

The NSCS helps organisations to secure and maintain their infrastructure by means of strengthening the UK cyber ecosystem as a whole – and this is very much Ensor’s focus.

He shared with ITLS delegates that it was he who built the Cyber Essentials program, which is a government backed scheme to help organisations reach a minimum standard in cybersecurity. Cyber Essentials is a useful starting point for SMEs unsure of their cybersecurity posture. Drawing attention to the continually growing threat from supply-chain attacks Ensor said:

“St James’s Place has publicly stated that it requires all of its partners to have Cyber Essentials Plus certification. As a result there has been a significant reduction in the number of security incidents.”

Ensor also pointed out the difficulty for small businesses of obtaining cyber insurance if they couldn’t show a Cyber Essentials certificate.

Ther NSCS also has an advisory role for companies trying to recruit their own cybersecurity staff.

“How do you know who to employ? How do you know they know what they’re talking about? We use our expertise and badge to help,” he said.

The NCSC also works with multiple partners to provide advice on risk management, security architecture and incident response.

The organisation is continually developing new schemes, certifications and services.

“Cyber adversity simulation which we are building at the moment is all about red teaming,” Ensor said.” If you're an organisation that could be targeted by a sophisticated threat actor you need to know where your gaps are. Historically, we’ve done penetration testing but penetration testing just produces a report that tells you where your vulnerabilities are - not whether they’d be any use to an attacker.”

The NSCS is also beginning to address the elephant in the cybersecurity room which is the huge shortfall in skilled cybersecurity professionals. According to Ensor:

“50% of the organisations we speak to said they don’t have the basic skills to configure their systems securely. We are working on that and it's a big challenge. “

The result is programmes like CyberFirst and CyberSprinters but Ensor acknowledged that none of this was going to be quick.

As part of this ongoing effort, the government has also set up the UK Cyber Security Council which is the self-regulatory body for cyber security professionals, who, adfter all, could have a variety of specialisms. Enser explained more:

“The government has set this up to set the standards for competence in a number of cybersecurity specialisms. It will oversee the assessment of those specialisms to make sure they’re assessed properly and will hold a register.”