Weekly podcast: NCSC and Kaspersky, parliamentary passwords and macOS High Sierra (again)

This week, we discuss the NCSC’s warning to senior civil servants, the poor password habits of MPs, and a bug in the patch Apple rushed out last week.

Hello and welcome to the IT Governance podcast for Friday, 8 December 2017. Here are this week’s stories.

The chief executive of the UK’s National Cyber Security Centre, Ciaran Martin, has warned senior civil servants about using Russian antivirus (AV) software in government departments. He told permanent secretaries:

“The NCSC advises that Russia is a highly capable cyber threat actor which uses cyber as a tool of statecraft. This includes espionage, disruption and influence operations. Russia has the intent to target UK central Government and the UK’s critical national infrastructure.” […]

“To that end, we advise that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen. In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used.” […]

“As well as keeping this guidance under review, we are in discussions with Kaspersky Lab, by far the largest Russian player in the UK, about whether we can develop a framework that we and others can independently verify, which would give the Government assurance about the security of their involvement in the wider UK market. In particular we are seeking verifiable measures to prevent the transfer of UK data to the Russian state.”

Meanwhile in the USA, a former NSA employee pleaded guilty to ‘wilful retention of national defense information’, which was stolen by Russian spies via Kaspersky’s AV software after he took classified documents home “to help him rewrite his résumé”, according to the New York Times. The US Department of Homeland Security banned the use of Kaspersky products in US government departments in response to the incident. Kaspersky denies working with Russian intelligence agencies.

While the NCSC is right to be concerned about Russian cybercrime, another security threat to Westminster has garnered considerable media coverage this week: it’s become clear that members of parliament need to be much better educated about basic security practices.

Following allegations about thousands of pornographic images being found on Damian Green MP’s computer in 2008, Nadine Dorries MP protested that there was no proof Green was responsible because others will have had access to his login details – a habit that seems to be common practice in Westminster, in spite of guidance for MPs and their staff explicitly telling them to “Protect information held electronically by […] not sharing passwords”.

Dorries tweeted: “My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green’s desk was accessed and therefore it was Green is utterly preposterous!!”

When she, understandably, came under fire from incredulous information security professionals for this admission, several other MPs chipped in in her defence, saying that they too shared their credentials with staffers. They included Will Quince MP, who said “my machine is usually on in the office, my team can use my machine, send emails and make diary appointments” and Nick Boles MP, who said “I often forget my password and have to ask my staff what it is”.

When the BBC’s technology correspondent, Rory Cellan-Jones, asked “a couple of MPs – one Conservative, one Labour – about their attitudes to cyber-security”, one told him: “Most MPs have that fatal combination of arrogance, entitlement and ignorance, which means they don’t think codes of practice are for them” – as illustrated by Dorries’s dismissal of the criticism against her as unfair sexist trolling. (Because following security policies is something that only “geeky/tech/computer nerdy types” need to do, apparently.)

Following June’s brute-force attack on the parliamentary email system, which compromised nearly 90 accounts, this is particularly disturbing. To put it mildly, a culture of information security appears to be somewhat lacking in parliament – as it is in many workplaces.

When security policies are put in place without appropriate guidance, training or scrutiny, users are often unaware of the impact of their behaviour on risk management – or feel justified in finding workarounds, especially when they feel their productivity is hampered by security. Ironically, the end result is often increased, rather than reduced, risk.

That’s why staff education is a core component of a best-practice approach to information security – you can have all the policies you like, but if no one follows them, they’re useless. All staff need to understand that security is their responsibility.

The Information Commissioner’s Office is investigating. It tweeted: “We’re aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.”

You’ll remember that last week I mentioned that Apple had rushed out a fix for a major security flaw in macOS High Sierra that allowed anyone to bypass locked settings simply by entering the username ‘root’ with no password and clicking ‘unlock’ twice. Well, it turns out that the patch was a little too rushed and has a problem of its own.

According to Wired, “Those who had not yet upgraded their operating system from the original version of High Sierra, 10.13.0, to the most recent version, 10.13.1, but had downloaded the patch, say the ‘root’ bug reappears when they install the most recent macOS system update. And worse, two of those Mac users say they’ve also tried re-installing Apple’s security patch after that upgrade, only to find that the ‘root’ problem still persists until they reboot their computer, with no warning that a reboot is necessary.”

On Monday, the company added more information to its release notes for the patch, saying: “If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly. Or if you see MRTConfigData 1.27 in the Installations list under Software in System Report, your Mac is also protected.”
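Apple’s release note gives one concrete indicator that the fix has taken effect: an MRTConfigData entry at version 1.27 in the Installations list. The script below is an added example, not code from the podcast or from Apple, that turns that indicator into a repeatable check an administrator could run across a fleet instead of opening System Report by hand. It assumes that `system_profiler SPInstallHistoryDataType` (Apple’s command-line view of the same Installations list) prints each package name followed by an indented `Version:` line; the sample listing embedded in the script is constructed to approximate that layout so the check can be exercised on any POSIX system, and the package name `Security Update 2017-001` in the sample is a placeholder rather than a value taken from the page.

```shell
#!/bin/sh
# Added example (not from the podcast or from Apple): check whether the
# High Sierra 'root' fix has registered, using Apple's own indicator from
# its release note: MRTConfigData 1.27 in the Installations list.
# On a Mac the same list comes from: system_profiler SPInstallHistoryDataType
#
# CONSTRUCTED sample of that listing (layout is an approximation, and the
# "Security Update 2017-001" name is a placeholder, not taken from the page).
SAMPLE_INSTALL_HISTORY='Software:

    Installations:

        MRTConfigData:

          Version: 1.27
          Source: Apple
          Install Date: 04/12/2017, 09:12

        Security Update 2017-001:

          Version: 1.0
          Source: Apple
          Install Date: 29/11/2017, 18:40
'

# mrt_version: reads an install-history listing on stdin and prints the
# highest MRTConfigData version found (prints nothing if none is listed).
mrt_version() {
    awk '
        /^[[:space:]]*MRTConfigData:/ { inblock = 1; next }
        inblock && /^[[:space:]]*Version:/ { print $2; inblock = 0 }
    ' | sort -t. -k1,1n -k2,2n | tail -n 1
}

# high_sierra_root_fix_present: returns 0 if the listing on stdin contains
# MRTConfigData 1.27 or later (assumes a two-part major.minor version),
# 1 otherwise.
high_sierra_root_fix_present() {
    v=$(mrt_version)
    if [ -z "$v" ]; then return 1; fi
    major=$(echo "$v" | cut -d. -f1)
    minor=$(echo "$v" | cut -d. -f2)
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -ge 27 ]; then return 0; fi
    return 1
}

# check_live_mac: run the check against the real install history. Returns
# 2 when system_profiler is absent (i.e. not running on macOS), 1 when the
# indicator is missing, so it can be used as a compliance probe.
check_live_mac() {
    if ! command -v system_profiler >/dev/null 2>&1; then
        echo "system_profiler not found: not macOS, nothing to check"
        return 2
    fi
    if system_profiler SPInstallHistoryDataType | high_sierra_root_fix_present; then
        echo "MRTConfigData 1.27+ listed: the security update is applied"
        return 0
    fi
    echo "MRTConfigData 1.27 not listed: reboot and re-check, or reinstall the update"
    return 1
}

# Exercise the parser on the constructed sample (expected: applied).
if printf '%s\n' "$SAMPLE_INSTALL_HISTORY" | high_sierra_root_fix_present; then
    echo "sample listing: fix present (MRTConfigData $(printf '%s\n' "$SAMPLE_INSTALL_HISTORY" | mrt_version))"
else
    echo "sample listing: fix absent"
fi
```

The point of keying on the MRTConfigData version rather than on the presence of the update package is the one Wired’s report makes: the update can be installed and still not be in effect until a reboot, and the listing only gains the 1.27 entry once it is. Running `check_live_mac` after the reboot, and treating a non-zero exit as “not yet protected”, gives the same answer Apple’s manual System Report check does.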

Well, that’ll do for this week – and, indeed, this year. We’ll be back in 2018 with a full round-up of 2017’s information security news, but, until then, remember that as well as being the season to be jolly, the run-up to Christmas is the season for phishing scams and malware, so do be careful while shopping. As I mentioned last week, our book of the month for December is Security in the Digital World – an essential guide to protecting yourself from cyber criminals this winter. Save 10% if you order by the end of the month.

Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.