NCSC - Weekly Threat Report 18th May 2018

It’s not just production that needs securing

Most large companies will use an online development environment to build and test code prior to deployment on outward and inward facing networks.

Much of the code found in development environments is sensitive and critical to running and managing a business. The unauthorised disclosure of code could allow cyber actors to identify exploitable weaknesses.

Recent open source reporting has highlighted a compromise of a company’s development environment, resulting in unauthorised access to two million lines of code, application programming interfaces (APIs) and secret access keys for Amazon Web Services.

A security researcher allegedly gained access to the development environment because both the username and password were set to “admin”, which was most likely the default setting for the environment.

The latest incident follows other reported incidents involving insecure repositories and third-party storage solutions, where users had left default settings unchanged or misconfigured the environments, and so exposed large volumes of sensitive data.

The failure to secure development environments poses a number of threats to an organisation including:

  • Stealing of sensitive information (such as encryption and access keys, passwords, knowledge of security controls or intellectual property)
  • An attacker embedding malicious code in your project without your knowledge
  • Using a compromised development device as a proxy to further attack your build and deployment pipeline, through to production
  • Understanding how your sensitive applications work - a first step in the planning of an attack

The NCSC has previously issued guidance on securing development environments as well as approaching enterprise technology with cyber security in mind.
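As an added example (not code from the NCSC report), a small pre-commit style scanner in Python that flags the two failure modes described above, AWS credentials committed into a development environment and a default admin/admin login, run over a constructed config file; the key patterns are assumptions based on the public AWS key format, and the sample AWS values are AWS's own documentation placeholders, not anything from the incident.

```python
import re
# Patterns are assumptions based on the public AWS key formats; nothing here is from the NCSC report.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET = re.compile(r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})")
KEY_VALUE = re.compile(r"^\s*([A-Za-z_][\w.-]*)\s*[=:]\s*['\"]?([^'\"#\s]*)")
USER_KEYS = {"user", "username", "login", "admin_user"}
PASS_KEYS = {"pass", "password", "passwd", "admin_password"}
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("root", "toor")}

# Constructed sample; the AWS values are AWS's own documentation placeholders.
SAMPLE_CONFIG = """\
[dev-environment]
username = admin
password = admin
log_level = debug
[aws]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

def scan_config(text):
    """Return (line, kind, detail) findings for a config or source file."""
    findings, section = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("["):  # new INI section: reset user/password pairing
            section = {}
        for m in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(1)))
        for m in AWS_SECRET.finditer(line):
            # report only a prefix of the secret; never echo it into CI logs
            findings.append((lineno, "aws_secret_access_key", m.group(1)[:4] + "..."))
        kv = KEY_VALUE.match(line)
        if not kv:
            continue
        key, value = kv.group(1).lower(), kv.group(2)
        if key in USER_KEYS:
            section["user"] = (lineno, value)
        elif key in PASS_KEYS:
            section["pass"] = (lineno, value)
        if "user" in section and "pass" in section:
            pair = (section["user"][1].lower(), section["pass"][1].lower())
            if pair in DEFAULT_CREDS:
                findings.append((section["pass"][0], "default_credentials", "/".join(pair)))
            section = {}
    return findings

if __name__ == "__main__":
    for lineno, kind, detail in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}: {detail}")
```

Wired into a pre-commit hook or CI job, a non-empty result blocks the commit before the secret or default login ever reaches a shared repository.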


GDPR-inspired phishing scams

The imminent arrival of the new EU General Data Protection Regulation (GDPR) has gifted scammers with a new hook for sending phishing emails.

Many internet users are now receiving emails from organisations that they have online dealings with, explaining the new regulations and asking them for permission to carry on storing their information.

Scammers have taken advantage of this to send fake GDPR-themed emails in an attempt to spread malware or steal personal data.

Apple customers, for example, have been sent a link advising users that their accounts had been “limited” due to unusual activity and then asking them to update their security information.

Users are then directed to a fraudulent webpage where they are asked to input security information. Once this has been completed, users are then directed back to a legitimate Apple web page.

The scammers also used Advanced Encryption Standard (AES) protocols when directing users to the page controlled by them, bypassing anti-phishing tools embedded in some antivirus software.

GDPR comes into effect on 25th May 2018, so the scammers have a short window in which to use GDPR as cover for their activities.

The NCSC has published phishing guidance and you can also read the GDPR security outcomes that have been developed by the NCSC and the Information Commissioner's Office (ICO). The ICO is the UK's supervisory authority for the GDPR and has published a lot of helpful guidance on its website.


NCSC - Countdown to GDPR

Anybody who is involved in cyber security or data protection will be acutely aware that the General Data Protection Regulation - better known simply as GDPR - comes into force on Friday (the 25th of May). We have worked very closely with the Information Commissioner's Office (ICO) to develop a set of GDPR Security Outcomes, which we published last week.

GDPR and cyber

If you have tried to read and understand the relevant articles described in the Regulation, well done. I personally have found it really hard work to break it apart, summarise what security measures it really seeks, and then overlay good cyber security practice to meet those requirements. Thankfully, the ICO really do understand the detail, and so we have worked together to describe what the regulation requires and provide an overview on what sorts of cyber security measures we expect those organisations processing personal data to have in place. We have published this work as a set of Security Outcomes required for GDPR, together with some relevant overarching GDPR information. Whilst we have a shared interest with the ICO on cyber security, of course they are the lead for the GDPR and you should consult their website for any general GDPR questions or needs that you might have.

What GDPR says about cyber

Now I'm going to quote parts of the Regulation here - so bear with me - but I will give some context as well.

There is an overarching requirement that basically says that you need to protect personal information. It states that personal information must be:

"processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures"

The key thing to note here is that personal information being correct and available is in scope - not just protecting its confidentiality.

One thing that I personally like in the GDPR (OK so it's a little bit nerdy to have a favourite part of data protection legislation) is that it specifically requires organisations to think about security as they design services as well as at the point when processing happens. It means that services must be designed with security in mind from the outset, and that you have to keep them secure through the whole lifecycle. You can't just develop services and allow security debt (when security corners are cut to meet business delivery) to accumulate.

The Regulation refers in a number of places to:

"appropriate technical and organisational measures"

It emphasises that you need to take a risk-managed approach to security that is influenced by the risk to the individuals whose data you are processing, the state of the art (of technology) and cost. 'Appropriate' really does depend; we understand that saying 'it depends' can be really frustrating and people need a bit more certainty than that. Whilst the GDPR takes this 'it depends' approach, we have worked with the ICO to develop Security Outcomes that we would jointly expect any organisation to meet.

What are Security Outcomes?

As the name suggests, these are outcomes that any organisation should seek to achieve with regards to cyber security. They do not themselves carry mandatory status, although they are our joint approximation of what 'appropriate' means under the Regulation. You'll find that the outcomes do not say precisely what to do with regards to cyber security. That's deliberate, as it's not for us (neither the NCSC nor the ICO) to tell you what technologies to use, nor to limit your choices in how you choose to protect them. Equally, we need the outcomes to work for organisations of many sizes and levels of complexity. Overall this was probably the hardest challenge and we'd like to hear your feedback if there are areas that don't quite work (and the reasons, of course).

As we wrote the outcomes, we attempted to define the minimal set of measures that represent decent practice with regards to security. We do not believe we have described anything that is unreasonable, or should be surprising to you. Again, let us know if you feel this isn't the case. Defining what we believe to be good practice means that existing guidance remains appropriate and can help you design measures that meet the outcomes. There is a lot of existing material - including our own Small Business Guide and the ICO's guidance on GDPR - which you may find helpful.

We know that good security isn't just about putting technical mitigations in place. The outcomes are aligned to four top-level aims, which cover managing security, protecting personal data from cyber attack, detecting incidents and minimising the impact if an incident does happen.

Existing schemes and certifications

I'm asked a lot whether having Cyber Essentials means you are compliant with the GDPR cyber security requirements. Certainly having Cyber Essentials certification is a good thing and it will show that you take protecting yourself from cyber attack seriously. I wholeheartedly recommend it but there are other areas, outside the scope of Cyber Essentials, where you need to protect personal information too. A good example might be protecting data at rest on a laptop. The same logic applies to other certifications you might have; they are part of the picture, but you must still ensure that you are comprehensively protecting personal data.

If something goes wrong

Occasionally even the most diligent organisation might experience a security incident. The whole approach of the GDPR is based on managing risk, not avoiding all risk. The fact that some of our Security Outcomes describe detecting events and minimising the impact should underline this. If you are (or think you are) subject to an incident that involves personal data then you are likely to be obliged to report this to the ICO. They have published guidance on their website to help you understand what you should report, and by when.

Ian M

Principal Technical Director, Risk Management Capability
