“GCHQ we continue to see real threats to the UK on a daily basis, and I’m afraid the scale and rate of these attacks shows little sign of abating.“
Today the UK Government published its Common Cyber Attacks: Reducing the Impact report, which aims to help organisations understand what common cyber attacks look like and what basic controls all organisations should put in place to protect themselves.
The report was published alongside the updated 10 Steps to Cyber Security, which provides more detailed and comprehensive advice on how to protect networks and systems, and how to handle data.
Common Cyber Attacks: Reducing the Impact has been designed to provide further evidence of why organisations should adopt the advice in the Cyber Essentials scheme.
The report looks at:
- the threat landscape – the types of attackers, their motivations and their technical capabilities.
- vulnerabilities – what are they, and how are they exploited?
- cyber attacks, stages and patterns – what is the ‘typical’ structure of a cyber attack?
- reducing the impact of an attack – what controls are needed to reduce the impact of common cyber attacks?
- case studies – demonstrate how cyber attacks have caused financial and reputational damage to major UK businesses
The threat landscape
The take home message from this section is that everyone is a potential target. Cyber criminals are using ever more sophisticated tools to attack individuals, organisations and nation states. Threats can also come from industrial competitors, hacktivists and employees. Automated attacks look for vulnerabilities in systems and networks, so attacks can happen simply where weaknesses are found. The report notes that “You have no control over their capabilities and motivations, but you can make it harder for attackers by reducing your vulnerabilities.”
Common stages of an attack
The report identifies four common stages of the majority of cyber attacks
- Survey – investigating and analysing available information about the target in order to identify potential vulnerabilities.
- Delivery – getting to the point in a system where a vulnerability can be exploited.
- Breach – exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access.
- Affect – carrying out activities within a system that achieve the attacker’s goal.
At each of these stages controls can be implemented to reduce the exposure. For example, at the delivery stage the report identifies these controls: network perimeter defences, malware protection, secure configuration and password policy.
The good people who created the report have illustrated this in their Common Cyber Attacks infographic:
Common Cyber Attacks: Reducing The Impact provides three case studies that serve to demonstrate how basic cyber security controls can rebuff the majority of attacks:
- Case study 1: Espionage campaign against the UK energy sector
- Case study 2: Hundreds of computers infected by remote access malware
- Case study 3: Spear-phishing attack targets system administrator
Each case study looks at how the attack happened, what vulnerabilities were targeted, and how these could have been mitigated.
For example, an extract from case study 2:
The attackers used a combination of automated scanning tools, exploit kits and technology-specific attacks to compromise the organisation. They took advantage of a known software flaw and the trust relationship between the company and its supplier.
The intensive and costly investigation and remediation of the compromise could have been averted by more effective implementation of the following cyber security controls:
- patching – the corporate website would have not been compromised, nor would the malware
download script have succeeded, had patching on both the web server and users’ computers been up to date
- network perimeter defences – the malware could have been prevented from being downloaded and the command and control might not have succeeded with the use of two-way web filtering, content checking and firewall policies (as part of the internet gateway structure)
- whitelisting and execution control – unauthorised executables such as the exploration tools would have been unable to run if the company’s corporate computers were subject to whitelisting and execution control (this could also prevent applications from being able to run from the temporary or personal profile folders)
- security monitoring – may have detected the compromise at an earlier stage
Reduce your risk exposure with Cyber Essentials
As previously mentioned, this report has been designed to provide further evidence supporting adoption of the Cyber Essentials scheme. The controls in the report are taken directly from the Cyber Essentials scheme, and it is a great place for organisations with little cyber security to start.
Not only will implementing the Cyber Essentials scheme help organisations rebuff 80% of the most common attacks, it also provides a badge of assurance to customers and stakeholders that you take cyber security seriously; this is becoming ever more important when tendering for new business.
IT Governance is supporting the government’s request to make Cyber Essentials certification as easy and inexpensive to achieve as possible.
We offer unique solutions to help you meet the scheme’s requirements at a pace and for a budget that suits you. Visit our Cyber Essentials scheme solutions page to find out more about your options.