Resilience and Cyber Essentials
Richard Bach, Assistant Director, Cyber Security
Talk outline
Why Cyber Essentials: the policy context
What is Cyber Essentials: scheme background
How the Scheme works: accreditation, certification, badging
Case study
CES in the cyber ecosystem
Questions
How many malware samples are there? What is the average time from infection to detection?
Cyber Essentials policy context
UK Cyber Security Strategy, Objective 1: Tackling cyber crime and making the UK one of the most secure places in the world to do business.
Action 24: Encourage industry-led standards and guidance that are readily used and understood, and that help companies who are good at security make that a selling point.
Government lead: BIS
What needs protecting
Names, addresses, dates of birth, telephone calls, bank account details, credit card details, medical records, customer records, databases, documents, spreadsheets, presentations, intellectual property, social network activity, Facebook profile, shopping patterns, games, music, videos, TV
Who should it be protected from
Nation State: everything else plus the resources to introduce features or vulnerabilities they can later exploit. Develops bespoke exploits, finds new software bugs, exploits obscure features.
Organised Crime / Skilled Professional Hacker: physical element, massive scale, blackmail, bribery, forgery, etc. Opportunistic: computers left unlocked, passwords on post-its, easy passwords, etc.
Amateur Hacker, Journalist, Anyone: exploits known software bugs, weak passwords and published features. Uses commodity hacking tools.
Cyber Essentials Scheme
What: A requirements document comprising five control themes: firewalls; secure configuration; user access control; malware protection; patch management.
Risks: implicit assumptions of threats and vulnerabilities.
Assurance Framework, defining two assurance tiers:
Cyber Essentials (verified self-assessment): the organisation completes a self-assessment questionnaire; responses are reviewed as reasonable by an assessor.
Cyber Essentials PLUS (independently tested): tests whether the controls implemented are sufficient to defeat common Internet-based attacks.
Who: Developed in collaboration with industry (IASME; ISF; BSI). Endorsed by Government. Principles applicable to all; design aim: accessible for SMEs.
Why adopt? Competitive advantage. Client confidence: is their information being protected? Supply chain security.
Cyber Essentials Scheme
What it is: A set of technical controls to achieve basic protection from Internet-borne commodity threats. Aimed at enterprise IT. The start of a journey; organisations should also consider other activities (see the Government's 10 Steps to Cyber Security for examples).
Based on analysis of adversary cyber attacks. Adversary side: intent/motivation, reconnaissance, building capability, delivery. Victim side: exploit, implant, command and control, action (data exfiltration, lateral movement, privilege escalation).
What it isn't: A cyber security silver bullet. Aimed at operational systems, e.g. control systems, payment systems.
Scheme structure
Authority (one): manages the Scheme; owns and maintains the framework.
Accreditation Bodies (several): manage the Certification Bodies.
Certification Bodies (many): assess and award Certificates.
Certified Companies.
Scoping the enterprise
Cyber Essentials Scheme
When: Launched on 5 June by Rt Hon David Willetts MP. In Government procurement from 1 October.
How much: Costs. Innovation Vouchers: https://www.innovateuk.org/web/corporate1/programme-display-page/-/asset_publisher/b61wjfkpbeu8/content/innovation-vouchers
Next: Adoption, including supply chains; international recognition. Identify new Accreditation Bodies and Certification Bodies. Proportionate use in Government procurement. Define an enduring ownership model.
Cyber Essentials in procurement
Why? Minimising risk in Government supply chains; leadership.
Guidance to be published in late summer; will likely include use cases.
Scope: Application to some future requirements, not retrospectively applied to existing. Applies to the legal entity providing the product or service. Characteristics: where sensitive information is handled; provision of certain ICT products/services. Proportionate; reasonable expectation.
When: In tenders advertised from 1 October.
Cyber Essentials adoption strategy
Challenges: Facilitating a step change in cyber security behaviours in the UK. Encouraging use in adopters' supply chains. Scale: adopters, with ABs and CBs to match. Reducing barriers to entry.
Case Study: Breaching defences, the real cost
Target: company background
Founded in 1902. Second largest discount retailer in the US after Walmart. Ranked 36th on the Fortune 500 (2013). 1,916 stores. Revenue (2013): US$72.6 billion. (Source: Wikipedia)
The timeline (and note the costs)
What of the vendor?
HVAC supplier named as Fazio Mechanical Services. "Victim of a sophisticated cyber attack operation"; "IT system and security measures are in full compliance with industry practices."
BUT: primary threat detection method relied on a free AV program (Malwarebytes), designed for on-demand use, not real time, and designed specifically for personal use; the licence prohibited corporate use.
Sequence of events: Fazio fell victim to an email phishing attack two months before the Target breach. The Citadel trojan was used to steal Target credentials. Criminals used these credentials to access Target and upload malware.
Consequences for the company remain to be seen; consequences for Target are more obvious.
And all because: the vendor got the basics wrong, and so did Target.
Compliance vs maturity: a maturity ecosystem
Protect: asset identification; risk assessment; IA; CES; education; governance.
Prepare: contingency plans; incident management plans; business continuity.
Detect: intrusion detection (signatures, heuristics); reported; threat intelligence.
Respond: incident handling (tactical); incident management (operational); incident response (operational/strategic).
Further information
Where:
https://www.gov.uk/government/publications/cyber-essentials-scheme-overview
http://www.cyberstreetwise.com/cyberessentials
http://www.cesg.gov.uk/servicecatalogue/cyber-essentials/pages/scheme-library.aspx
Other guidance for small businesses:
https://www.gov.uk/government/publications/cyber-security-what-small-businesses-need-to-know
http://www.cyberstreetwise.com
How to adopt: Identify a suitable Certifying Body by contacting one of the Accreditation Bodies:
For small and medium companies: IASME, https://www.iasme.co.uk/index.php/cyberessentialsprofile (IASME questionnaire available as a free download)
Organisations of all sizes: CREST, http://www.cyberessentials.org/
Scotland and north England: Quality Guild (QG), http://www.qgbiz.co.uk/
Questions
General queries: cyberessentials@bis.gsi.gov.uk
AB/CB-related queries: cyberessentials@cesg.gsi.gov.uk
Keep in touch
Subscribe to our e-newsletter at www.ico.org.uk, or find us on /iconews and @iconews