The King is Dead, Long Live the King!
For the last few years, the cyber security commentary has been that if you focus on the basics, and do the basics well, you will prevent 90% plus of cyber security attacks. Many have interpreted this as doing the “Cyber Essentials”.
Then the SolarWinds / Sunburst attack occurred. Doing Cyber Essentials would not have prevented this. This was one of the 10% attacks. So, is Cyber Essentials dead?
In synopsis, a well-resourced hacker group successfully hacked SolarWinds and modified their software with a vulnerability referred to as Sunburst. This modified software was supplied to a large number of SolarWinds’ customers, including many government and military customers (including the US Nuclear Weapons Agency – a hack does not get a lot bigger than that).
The modified software allowed the hacker group to attack these customers directly. The full scope / success of the attack on government and military has not yet been declared – but the fact the NSA and NCSC have both broken cover and are providing public advisories very soon after the attack is a good indicator of the seriousness government agencies are giving it.
When the news of the attack was initially broken by FireEye, the security community’s response was one of empathy with FireEye & SolarWinds – it could have been any of us. Then as the details of the attack surfaced, this turned into shock as the community realised the game had changed, and such attacks now must be taken seriously by everyone. But worse, even if we had applied our best tools and techniques, this attack might still have happened. The King is Dead.
As pointed out by Ciaran Martin, former head of NCSC, protecting against Nation State Attack is hard…
I also agree with this. In a small number of important cases, a state will launch a sophisticated, targeted intrusion against a private organisation.
When that happens, Government must give all the support it can. A private company can’t be expected to take on a state’s A team https://t.co/hBiMycUK9d
— Ciaran Martin (@ciaranmartinoxf) December 28, 2020
So, if applying our best tools and techniques does not work, and you can’t be expected to defend against such a formidable enemy, what are you supposed to do, Ciaran?
As someone who worked in cyber security in a Government I never issued a generic warning saying “Country X is about to attack: protect yourselves”. I did however have to deal with lots of incidents where state backed hackers had got into the equivalent of an unlocked car door https://t.co/tzBUHrr19V
— Ciaran Martin (@ciaranmartinoxf) December 28, 2020
In short, don’t make their life easy: lock your car door. Focus on the basics. This is what Cyber Essentials is for: the scheme highlights the baseline of good security practice and helps to teach businesses how to protect themselves from online threats.
So, Cyber Essentials is not dead, long live Cyber Essentials.
Cyber Essentials is a government-backed scheme, operated by the National Cyber Security Centre. The scheme highlights the baseline of good security practice and helps to teach businesses how to protect themselves from online threats.
The assessment covers these 5 key areas, or ‘technical controls’:
1. A secure internet connection
2. Secure devices and software
3. Control access to data and services
4. Protection from viruses and other malware
5. Keeping devices and software up to date
You can read more in our Back to the Basics Blog.
Author Bio – Colin Robbins
Colin Robbins is Nexor’s Managing Security Consultant. He is a Fellow of the IISP, and an NCSC certified Security and Information Risk Adviser (Lead CCP) and Security Auditor (Senior CCP). He has specific technical experience in Secure Information Exchange & Identity Systems and is credited as the co-inventor of LDAP. He also has a strong interest in security governance, being a qualified ISO 27001 auditor.