Cert-UK deals with more CNI incidents in second quarter

Cert-UK is dealing with more incidents related to critical national infrastructure, according to its second quarterly report

The UK’s national computer emergency response team (Cert-UK) is dealing with more incidents related to critical national infrastructure (CNI), according to the organisation’s second quarterly report.

In Cert-UK’s first three months, CNI-related incidents made up just 49% of incidents reported, compared with 62% in the quarter ended 30 September 2014.

Cert-UK’s main purpose is to support the CNI, which includes the government/public sector, energy, water, defence, transport, financial services, academia, supply chain and professional services.

In terms of CNI-related sectors, government (19%), academia and finance (11%) reported the most incidents, with academia increasing from just 4% in the first quarter to 12% in the second quarter.

“We continue to work in close partnership with Janet Computer Security and Incident Response Team (CSIRT) to further investigate and understand these incidents,” the report said.

The professional services and supply chain sectors reported fewer incidents in the second quarter, down to 1% from 5% in the first quarter, and the water sector reported none compared with 1% in the first quarter.

The public sector saw an increase from 13% to 19%, while the transport sector had a small (1%) increase in the number of incidents reported.

The second quarter saw the first reports of incidents affecting core communications infrastructure, emergency services and health sectors.

The proportion of incidents from the remaining sectors of defence, energy and financial services remained at the same levels as the first quarter.

Malware-related incidents

Malware-related incidents continued to account for more than 25% of all incidents handled by Cert-UK, which remains at the same level as the first quarter.

However, the proportion dropped in August 2014, when legitimate infrastructure being used for malicious purposes against other entities was the top incident type.

A significant proportion of this reporting was received from international partners that saw UK infrastructure used to distribute phishing emails, malware or as command and control infrastructure.

Cert-UK said it expects to see constant and steady reports relating to attacker infrastructure, compromise of infrastructure or credential abuse.

Cyber security best practice

But the quarterly report notes that although these are commonplace events on the internet, they are relatively easy for businesses to protect themselves against by following cyber best practice.

Cert-UK said the big vulnerability of the past quarter was Shellshock, which again highlighted the need for organisations to apply information-assurance best practice around technical controls.

With Shellshock and other vulnerabilities reported, Cert-UK’s efforts were channelled into providing clear information for businesses to protect themselves.

This information was disseminated through Cert-UK’s public website and the government’s Cyber Security Information Sharing Partnership (CISP).

Membership of the CISP continues to grow and had reached 683 organisations by the end of October 2014, well ahead of the 2014 target of 500, director of Cert-UK Chris Gibson told Computer Weekly.

“Interaction on the CISP remains good. On dedicated pages that were set up relating to Shellshock, there were more than 1,000 page views in the first 72 hours,” the quarterly report said.

Denial of service attacks

According to Cert-UK, there was an increase in denial-of-service reports in August and September 2014.

“This was mainly due to the increased levels of monitoring and reporting around infrastructure associated with the Nato summit, which meant we saw a predictable spike of attempted hacktivist activity,” the report said.

Cert-UK said there were a number of distributed-denial-of-service (DDoS) attacks against businesses and locations associated with the event.

In addition, Cert-UK had some requests from international computer emergency response teams to assist with DDoS attacks affecting their countries where some of the internet protocol (IP) addresses involved had been attributed to the UK.

Data-loss incidents

Cert-UK said the quarter saw three distinct types of data-loss incidents.

First were incidents where internal network information had been posted on, or was accessible from, the internet.

The second issue was accidental disclosure via the website. “It is important businesses understand what information is publicly available on their website,” the report said.

Third, Cert-UK handled an incident where a USB device was found abandoned/lost in a bank.

“Following excellent cyber best practice, the USB device was passed straight to the bank’s security team to analyse – rather than a staff member plugging it directly into the corporate network to have a quick look,” the report said.

The security team discovered the device was unencrypted and non-malicious, but it did contain a number of sensitive corporate documents appearing to be from a UK business.

The security team reported the discovery to Cert-UK, which contacted the business concerned and worked with them to resolve the incident.

“Businesses should consider the risk that such activity could entail – the 10 steps to cyber security government report is a good starting point for businesses looking to grasp the extent of their cyber risk exposure,” Cert-UK said.

The organisation expects malware to continue to be the most prevalent threat, and infrastructure and credential abuse to remain high on its activity list for the remainder of 2014.

Looking back over the past six months, Cert-UK said malware was visibly the largest proportion of incidents over the half-year period.

“The next largest incident types all related to infrastructure, and basic cyber best practice would have prevented the majority of incidents from occurring, or greatly limited the impact of them.

“Likewise with denial-of-service attacks, having a robust incident response plan, and the right contact details of suppliers, can make the attack much easier to mitigate,” the report said.

According to Cert-UK, even if an anti-DDoS service is in place, good communication will contribute to ensuring UK businesses have the right situational awareness to understand if DDoS attacks are isolated events, or part of a larger attack.

Cert-UK on target

Reflecting on the first six months of operations, director Chris Gibson said Cert-UK has done well and is “on target”, although some areas have been more active than expected.

These include co-operation with the UK’s National Crime Agency (NCA) in things like Operation Tovar against the cyber criminals behind the GameOver Zeus Trojan.

“Cert-UK was the information aggregator to push that out to internet service providers and industry, but these types of operations were not in our original plan,” Gibson told Computer Weekly.

Cert-UK has also been much more heavily involved in incident response exercising than expected. This has been to help ensure UK organisations are well prepared for national cyber security incidents.

“In addition, we have been asked to be involved in exercising in government departments because we are the subject matter experts in exercising, but that was not on our radar when we started,” said Gibson.

Based on the first six months, Gibson said all UK organisations should plan based on the assumption they will be breached at some point.

“The days of pure defence are over – it is now important to have a good plan in place for what you are going to do when you are breached, including the non-technical aspects such as legal and PR,” he said.