13 June 2019
We have the expertise, we're working on the data
The Cyber Essentials jury considers which technical controls the scheme should recommend
In my last blog I talked about the origins of Cyber Essentials. How we defined the risk scenario as, 'an internet-based attacker, with a modicum of technical knowledge, using publicly available tools and techniques'. I went on to discuss how the set of controls we chose were based on evidence from a number of attacks we were investigating at the time.
That was nearly five years ago and the world changes, doesn’t it? At the end of 2018, over 22,000 Cyber Essentials certificates had been issued, with more than half of those issued during the same year. It’s clear that the scheme is gaining in momentum and we are slowly raising the cyber security bar in the UK. But are we still facing the original risk scenario? Are there other risk scenarios we should include?
Over the last 6 months these are the questions we have been trying to answer. And more importantly, answer them using real data, rather than gut feel. What do I mean by “gut feel?" Let me give you an example. After a breach, how often do you hear it said that they, the victim, should have encrypted their data? This, despite the fact that encryption is an effective mitigation in only a very few cases.
'Why don’t you just add it anyway?' I hear you say. Belt and braces, and all that?
Well, that would go against the ethos of Cyber Essentials, which is all about keeping things as simple as possible, focusing on controls that would have a direct impact on an attack vector. The more controls that are introduced, the harder it becomes to manage them. And some controls - like encryption - can introduce a significant overhead.
So, Cyber Essentials should only introduce controls where they have a clear role in mitigating the risk, as defined by the scheme. That doesn’t stop an organisation adding additional controls, and we would encourage it where appropriate. But, we want to ensure we focus on the controls that will protect the majority of organisations, for the majority of the time, from the majority of attacks.
Getting the right data
I have to admit that getting our hands on good data has been a lot more challenging than I imagined.
“But the NCSC has been involved in over a thousand incidents,” I hear you cry. We have, but in the majority of cases it’s not possible to identify the root cause of an incident, or the subsequent actions that resulted in the breach.
Often, companies don’t want to divulge this information. Or they simply want to get back up and running as quickly as possible, so any form of detailed investigation just looks like it will slow that down. In many cases, there simply is no data available that will help analyse the breach.
Let me give you another example which illustrates how hard it can be to determine the exact means of compromise. Whilst we know that one of the main cyber risks is a spear-phishing attack on a system administrator, we often don’t know exactly how the attacker managed to gain a bridge-head in the system. Was the administrator enticed into giving away their credentials? Were they enticed to run some malicious software? Did they have an un-patched vulnerability on their machine? Was it a zero-day?
Of course, the main control to mitigate this kind of spear-phishing attack is not having the administrator browse the web and read email from the same machine they use for system administration. But for many other attacks, the controls will be much more tightly matched to the means of compromise. That's why, at the NCSC, we are looking to improve the way we receive and record data from incidents so hope to be able to produce richer information over time. Though that is always dependent upon the data being available at the compromised organisation.
Cyber Essentials Jury
What we see is a tantalising view of the underlying causes, but not the hard data that would allow us to assess whether the current controls are valid and whether we need to add more. So we have tried taking an expert-based rather than a data-based approach to the problem by forming what we have called the “Cyber Essentials Jury”.
This is made up of active practitioners from across the community that are engaged in the incident management business and have first hand experience of the attacks their customers see. We’ve had the first sitting of the jury with some interesting results.
Nothing was said that indicated any of the existing controls had become redundant. However, there was recognition that in some cases there were effective alternative controls that could deliver the same outcome. It was also agreed that there's still work to explain how the controls relate to PaaS and SaaS cloud offerings.
Our plan is to collate the input from the jury and publish the conclusions and proposed changes to Cyber Essentials for wider consultation. Watch this space…..
Chris Ensor, Deputy Director for Cyber Skills and Growth