deepagopi2011 - Fotolia

NCSC rolls out four measures to boost public sector cyber security

Active Cyber Defence measures will immediately help to improve basic cyber security across UK business and government departments, says NCSC

The National Cyber Security Centre (NCSC) is rolling out four measures for government departments and “arms-length” public bodies to improve basic cyber security.

The measures are part of the Active Cyber Defence (ACD) programme, which is intended to tackle –in a relatively automated way – a significant proportion of the cyber attacks that hit the UK.

Endorsed by the government’s National Cyber Security Strategy, published in November 2016, the ACD programme is aimed at making infrastructure, products and services automatically safer to use.

Cyber security remains a top priority for the government in the new Parliament, the NCSC said, and improving basic defences is the key to reduce attackers’ return on investment.

The four measures are aimed at making it more costly for criminals to carry out attacks, but they require no additional money to implement and are not overly technically complex to implement, the NCSC said.

1. Blocking bad stuff from being accessed from government systems

The NCSC’s protected domain name server (DNS) service uses GCHQ and commercial partners’ data about known malicious addresses to provide automatic protection for public servants by blocking access.

2. Blocking bad emails pretending to be from government

Attackers sending fake emails purporting to be from the government has been one of the biggest problems in UK cyber security. But much of it is preventable by the adoption of the Dmarc (domain-based message authentication, reporting and conformance) protocol which helps authenticate an organisation’s communications as genuine, the NCSC said.

In a 2016 pilot, HM Revenue & Customs blocked more than 300 million malicious or fraudulent emails. All departments can now do this, the NCSC said, which means citizens will not receive any spoofed government emails.

The most common way of introducing malware into victims’ systems are email spoofing and spear-phishing, where emails are tailored to increase the likelihood of the recipient clicking on a malicious link. Through this, attackers steal credentials, making identity fraud and theft easier.

The NCSC and the Government Digital Service (GDS) have been advocating the use of the Dmarc protocol to make email spoofing much more difficult. “In parallel, we have built the MailCheck service that monitors adoption of the standard and provides data on trends,” the NCSC said.

By the end of March 2017, there were 613 .gov domains registered with the service, an increase of 35% since January. More than 650,00 emails have so far been rejected by the service, ensuring that emails falsely purporting to come from government are not being delivered, the NCSC said.

MailCheck processes the Dmarc reports centrally to generate data that further enhances the NCSC’s knowledge of the threat picture.

3. Helping public bodies fix bad things on their website

The NCSC has built a free service known as WebCheck to scan the websites of public bodies and generate a report on what needs fixing, and how to fix it.

“We have built WebCheck because we know many organisations are still vulnerable to simple cyber attacks because of basic weaknesses in their web-facing services,” the NCSC said.

WebCheck scans websites looking for common vulnerabilities and returns an easy-to-understand report with risk mitigation advice.

Read more about the NCSC

The service, to be launched officially soon, is currently running as a prototype with 150 users from 114 different public sector organisations including central government, local government, the emergency services, health and the devolved administrations. According to the NCSC, users have fixed 20 urgent vulnerabilities, chiefly relating to security certificates, following WebCheck notifications.

The NCSC said government departments should be aware that out-of-date web “real estate” poses a risk to them by expanding the surface area for attack, including spoofing, and they should take whatever action they can to mitigate it.

4. Removing bad things from the internet

Since June 2016, the NCSC has been working with Netcraft, a private sector company, on a phishing and malware countermeasures service to protect the UK, including government brands.

The NCSC said this is a protection from which government departments benefit automatically without having to do anything, but departments can help augment the service by notifying Netcraft if they themselves discover they are the target of a phishing campaign, or that there are malicious emails purporting to be from them.

To date, the NCSC said the Netcraft service has taken down moren than 62,849 attacks, and the average “time to die” for phishing sites relating to government has fallen from 27 hours before the service’s introduction to under one hour and for malware from roughly 22 days to less than two days.

For attacks hosted outside the UK, the NCSC said 62.9% of advance fee fraud sites spoofing the government – where an email purporting to be from government asks for credit card details – are taken down within the first 24 hours, compared with 2.9% before the service was activated.

“The cyber criminals who are behind these scams are seeing a much reduced return,” the NCSC said. “The Netcraft service is being expanded over the coming months to cover deceptive domains and malware apparently delivered by government.”

Read more on Hackers and cybercrime prevention