Organisations have been urged to follow National Cyber Security Centre advice and take action to improve their resilience with the cyber threat heightened.

Following Russia’s unprovoked, premeditated attack on Ukraine, the National Cyber Security Centre continues to call on organisations in the UK to bolster their online defences.

In a release, the NCSC says:

“While the NCSC is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine, there has been a historical pattern of cyber attacks against Ukraine with international consequences. HermeticWiper, a wiper malware used against Ukrainian organisations, also has the potential to impact organisations outside of Ukraine. Wiper malware can erase data from the hard drive of an infected computer.

UK organisations are therefore strongly encouraged to follow the actionable steps in the NCSC guidance that reduce the risk of falling victim to an attack.”

The NCSC – which is a part of GCHQ – has urged organisations to follow its guidance on steps to take when the cyber threat is heightened.

George Allison
George has a degree in Cyber Security from Glasgow Caledonian University and has a keen interest in naval and cyber security matters and has appeared on national radio and television to discuss current events. George is on Twitter at @geoallison

53 COMMENTS

  1. Sensible stuff.

    My own experience of this, as a CEO, is that coders pay too little attention to security and expect to ‘add it later’.

    I was banging on about this way back in 2012 and forcing people to code with a full security suite enabled so we didn’t end up with a massive pile of security work arounds………

    Even so I found some gems. ‘Oh so you do know how to code XYZ language?’ – I can read it…….

    The thought process, too often, is that security is a pain rather than an absolute business necessity.

    • I think big businesses are very different to that these days.
      Cyber Security is seen as a must, with whole departments whose only purpose is to track vulnerabilities and make sure critical platforms are security patched and applications configured to ensure minimum exposure.
      There’s a whole industry certification program around it, bit of a boring job tbh (well, the patching and application configuration aspects of it are) but hey, someone’s got to do it.

      • You mean like the famous Talk Talk hacks?

        There are some outfits that got the memo and others where massaging the P&L takes precedence over all else.

        To the latter class IT is only a cost…..

    • Do not leave the decision of implementing security to coders; there should be a high-level management technical person like a CTO or System Architect. It is their job to identify the latest security threats and ensure your organisation’s coders deliver a practical solution.

      • You would hope so!

        That all depends on the CTO understanding the technology……..not always a given as I’ve discovered……

        The issue is more sloppy process than anything else in my experience.

        CTO appoints Architect who defines everything really well. There will be amazing documentation.

        Coders then get to work and produce a great functional package sans security. Then security is applied + kludges + workarounds…..at which point ever being able to understand the security ramifications is crazy hard.

        Then you collide with the reality of deadlines and budgets……

        God help you if any of the coding was offshored.

        • If the CTO struggles to understand technical detail or fails to keep up with industry trends and events, then they are unworthy of the position/salary. A good CTO/Architect is always on their game.

          • In theory yes.

            I suggest you try and recruit one and see what is offered up.

            The architect role is easier to fill than the CTO.

          • I have worked with many good CTOs and System architects.

            Our current architect knows TLS (SSL) encryption, ciphers, and certs tech inside out and is very aware of world events and security threats.

            He formulates the solutions into a Kanban system of use case stories which are implemented by coders. He also checks by regular retrospectives that what the coder delivered meets the requirement… and if not, watch out coder!!!

            Maybe you need to tighten up your interview/screening tests, make sure the CTO knows what they say they can do on their CV.

          • More the point is what happened in the past.

            That sort of coding was very common until recently.

            It is then a security nightmare to try and sandbox away.

          • It should not be a nightmare. It should be easily manageable.

            How are you scheduling/managing business/tech requirements vs implementation?

    • and as a coder my experience of upper management is usually they don’t understand/care what it takes to code something properly and usually push for unrealistic deadlines with little thought to cyber security being a priority ;P

      more recently this has started to change, but yea….. also depends entirely on whether said company is tech oriented or not…. and usually the bigger the company the worse the upper management view on caring about it till it’s a problem seems to be… :/

      • Totally agree with you “fearlesstunafish”. Often the management have some lame arts degree and daddy put them in charge of the company. Seen too many “wash out” managers with zero understanding of what it takes to bring software to market. Any detractors, yes I have delivered software in a range of languages ranging from C++, Java, modern Fortran, Python, R etc plus I do a lot of parallel coding using libraries like MPI, OpenMP, CUDA, OpenACC etc. But someone in management always likes to cascade down crap processes they didn’t really think about properly. Seen too many people say stupid things like don’t let the engineers/coders run things they don’t see the big picture or they don’t do strategy….utter crap…we often do but as with all organisations they often promote the dim witted to avoid looking stupid themselves or to get rid of incompetent people from positions by promoting them out of the division all with a dash of nepotism added on for good measure…

        • I tend to find when working for very large companies, something always gets lost in communication between senior management and people doing implementation work.

      • The best way to placate upper/middle managers is to regularly demo your progress to them. You should do this at least every 2 weeks. This is easier to do if you work with agile development methods and break up the required functionality into small implementable/demo-able pieces (Stories).

    • Thanks SB, with your stance on Security Protocols with coders, that’s how Bletchley Park first got into Enigma,

      • I’m very aware of how BP got into Enigma – I used to play chess with one of the main code breakers as a nipper!

        If the guy at the top doesn’t take security seriously nobody else will.

        I’m unapologetic about making sure our sensitive and client data is secured as well as it can be. It costs nearly nothing to do the job really well and we have had zero problems over the last 20 years.

      • Virgin always report no problems but then say there is an intermittent connection which means there is a problem. Anyway I’ve had my rant.

        • Think yourself lucky, until last year we were with BT and getting 5Mbps (yup, that’s right) and it was just getting worse, had BT round twice, couldn’t find anything wrong and even paid us £80 for the poor service, switched to Virgin, now on 100Mbps.

          • 5mbs? You lucky so and so. Our village is all on one twisted pair copper line, fed into a single cabinet that can deliver up to 2mbs when everyone is at home. When it rains our broadband falls over. We will be getting Starlink as we don’t appear on the Openreach list of who is going to be upgraded in the next few years.

          • Get everyone in the village to sign up to say they will use fast fibre and get all businesses to request it.

            A guy in our village did that – I am not saying every application was real 🙂 – and it was installed years ago.

        • Intermittents are the worst problems to solve – whenever you check the circuit you are quite likely to get a positive.

    • Mine also: probably just cock-ups. Whichever, it happens very rarely – this is the first time after my hub was updated: 1st time it was down for 7 hrs: 2nd time diagnostics sorted it out. The Virgin app gives you a diagnostic and a facility to register that you are down – works pretty well for me – no more phoning them up thank goodness.

    • There is a reason they are called Vermin Media.

      Harder to fix, when faulty, than getting rid of rats.

      A nice dose of full fibre often does the trick…….

    • “Computer says no”….whoops can’t say that these days as that programme has been banned by the thought police…

  2. The US, Germany and now Italy have informed their citizens to get rid of Kaspersky anti virus off their computers and replace it with a non Russian one.

    • Didn’t we do that sometime ago? I seem to remember something about it in the news, must be pre-COVID now. Perhaps it was a private security company talking about it?

      Cheers CR

      • Obviously we have had the whole Huawei thing a couple of years ago. I could never understand why we let them into our 5G network, it’s a no brainer if we ever got into a conflict with China they would shut down whatever they could, same with Kaspersky. As for getting into our systems they can pretty much get into whatever they want, either by a direct or supply chain attack. Recent hacks in UK Government depts include the FCO in Feb this year and the MOD Academy last March, 2 organisations that should have a high rated security system.

          • Yes, Mrs May (then prime minister) did a deal with CGN to take a 20% share (£6bn) in the Sizewell C project down in Somerset in 2016, thankfully the government had a change of heart and I believe they forced the Chinese to sell their stake and remove them from all future nuclear power projects in the future.

        • It’s mainly because the country is bankrupt (100% GDP debt) and the Chinese had money. If we stopped things like overseas aid, stop importing cheap labour that costs more in benefits, built more houses instead then maybe just maybe we might have the money for things like 5G and build it ourselves. However, changing the “I’m entitled to it” culture is nigh on impossible now….

      • The US came out with that in 2017 after an NSA worker took work home with him, downloaded it onto his home computer which was fitted with Kaspersky and then suffered a hack attack. The ensuing investigation found that the Kaspersky software flagged up the file (Zip file) as a possible new virus and sent the entire file back to its Moscow servers for inspection. Kaspersky then went public stating that the entire zip file was destroyed.

        Just had a butchers, apparently the UK, EU expressed reservations regarding the anti virus, which has gone further with the Baltic nations. Damn, I purchased a two year licence last year. So currently looking at Bitlocker,

      • To be fair, I did use Norton until last year, but they have started a new policy of having you input your credit card details before registration (this is after you have bought the software), so I stopped using them and I remembered that Kaspersky was the one recommended by the UNI when I did my degree. I did check and found that as a big fat hairy civy I had very little to worry about, but things change (like my waist size) so will order a new one (AV not belt) later on.

        • I’ve been off Norton for 15 years, having once had to go through the procedure of manually uninstalling it.

          It was like one of those faceplant beasties from Alien.

        • Norton and McAfee are rubbish, I have used both and still had trojan virus infections. I hear Bitdefender is the rising star of AV.

  3. We can all put a claim in against Putin, he will be able to pay us all out just before he sits down at the Hague to face his war crime trials. Or then again he might just give us all the one fingered salute, the same salute he is giving to the Hague.

  4. The UK along with the US have robust cyber security, many no notice cyber training exercises are held not just with Government agencies but with commercial businesses as well.
    The problem lies with the enemy within, vetting employees who work In sensitive areas whether it be financial, defence, Health and national infrastructure is the most likely weakness.

  5. So a Russian newspaper has just said that the Ukrainian claim that 15,000 Russian soldiers have died is wrong saying that the latest figures for Russian casualties are 9,800 dead and 16,000 wounded before being taken down. These muppets can’t even get their counter propaganda right. If true they’ve lost 26,000 men in 4 weeks, that’s nearly 1000 casualties a day. Putin can’t hide physically missing people from society. The truth will out. Moreover what does he do now? Go into the cities and lose another 50,000? Pretty soon the entire Russian regular army will be 6ft under or in hospital. What then; General mobilisation? How many conscripts turn up to go to the meatgrinder then?

    • The Russians have also apparently lost three generals and a very senior naval officer. What were generals doing at the front line? I’m not a soldier but reckon very senior officers should be away from the front, directing the battle, not putting themselves in harm’s way.
      I stand corrected, of course…

    • Rob,
      That’s most interesting (I’ve read the same on 3 different news sites) as today I’ve read that Moscow is no longer physically able to maintain the momentum of its invasion, with its forces around Kyiv now having dug in behind minefields with an eye to using its artillery to presumably shell the Ukrainians into submission. This imparts a different take on how Moscow is scouring Libya, Syria and Chechnya for more foot soldiers (second lot arrived from Chechnya today), how it has started sending out call up papers to reservists, how the rebels in the Donbass region have started calling up school children (16 to 18 year olds) and how a large number of the armour showing up destroyed are old stock with no ERA armour fitted.

      The above link takes you to the Institute for the study of war web page for the 20th March.

      • Hi Farouk,

        Thing is the Ukrainians are volunteers whilst Ivan are mercenaries or conscripts and morale really matters. Also there are now 30K odd foreign volunteers to the Ukrainian military. Maybe a good proportion of those are war tourists but many will be combat veterans and / or SF types so it may be that Ukraine can reinforce faster than Russia? We shall see.

        • I haven’t a clue what the Russian political elites were thinking when Putin asked them how quickly they could take the country. He now has to continue or else admit defeat and be quickly removed from power. You summed up the entire debacle by the use of the word ‘meatgrinder’. Even if Moscow’s losses are half as bad, that is still a lot worse than expected and they are still stuck in a quagmire of their own making with no sign of a way out. Other than blat the other side into submission. If the reports that they have dug in behind minefields are true, it means they open themselves up to behind the lines strikes, not only with troops but with loitering munitions they have started receiving such as Switchblade (ok only 100) but they already had the Polish Warmate in service when Russia invaded. I also read an article which showed they had 3D printed fins onto RKG 3 anti tank stick grenades and then dropped them onto the Russians via the use of quadcopters. I don’t know how effective they will be, but I’m pretty sure Russian troops will quickly become demoralised by such attacks. Just found a US news video which reported that the RKG3 was one of the most effective weapons used in Iraq against US forces in 2008.
          RKG-3 in Project Reality
          Here’s to a speedy end to this invasion with hopefully the removal of Putin from power and the Russia army from the Ukraine.

  6. OT: is there any further information on the fate of the 331st guards airborne battalion?

    A few lurid headlines, then silence. Have I missed anything, or do we just find out later?

    • Wow, seems like the Ukrainian forces gave them a right pasting with reports they wiped out the entire Regiment. If true that would really hurt Russian morale as it filters through the rest of the rank and file.

      • Given the report sources, I don’t believe it yet.

        90% out of 2000 troops? Needs more than the Daily Express and a couple of others.
