uk cert quarterly update
Post on 14-Jan-2015
QUARTERLY REPORT Apr – Jun 2014
Contents
Letter from the Director .......... 3
Executive Summary .......... 4
Trends per Sector .......... 7
What next? .......... 10
Tracking malicious activity in the UK .......... 10
Case Study: Heartbleed .......... 12
Threats .......... 15
  Gameover ZeuS and Cryptolocker .......... 15
  Internet Explorer 0-day .......... 16
Focus-on: Non-CNI incidents .......... 17
  Defending your infrastructure .......... 19
CERT-UK was formally launched on 31st March 2014 and is the UK National Computer Emergency Response Team. We work closely with industry, government and academia to enhance UK cyber resilience, and are funded via the National Cyber Security Programme (NCSP).
CERT-UK has four main responsibilities that flow from the UK’s Cyber Security Strategy:
1. National Cyber Security Incident Management.
2. Support to Critical National Infrastructure companies to handle cyber security incidents.
3. Promoting cyber security situational awareness across industry, academia, and the public sector.
4. Providing the single international point of contact for co-ordination and collaboration between national CERTs.
All data in this report applies to April – June 2014.
Report ID: CUK-QRPT-01-14
Letter from the Director
Welcome to CERT-UK’s first Quarterly Report.
In the first 100 days since the formal launch of CERT-UK we have been busy engaging with stakeholders across industry, government and academia, building upon existing and developing new partnerships within the Cyber-security Information Sharing Partnership (CiSP), which now sits within CERT-UK, and dealing with ‘malicious activity’ (as you can see later in the report).
We have also celebrated the first anniversary of the launch of CiSP, which was established in March 2013, and we are proud to say that during July we have surpassed our ministerial target of 500 companies joining the platform, 5 months early. This is a fantastic achievement and one that we are all very proud of at CERT-UK. We hope that as member numbers continue to increase so will the consistency and value of the information that is shared to the whole of the CiSP community.
Along with attracting new members to the CiSP platform, we have also increased our capacity
in the Fusion Cell with many industry colleagues interested, and lined up to join. Having this
wide variety of expertise, drawn from across industry and government, will allow us to push
out more information through the CiSP platform as well as providing more products and
services, like this Quarterly Report.
As this is the first in a series of reports, we are very keen to get your feedback and hear your thoughts so that we can build upon this start and continue to provide you with content and intelligence that helps you protect and secure your networks.
In this edition we look back at the Heartbleed vulnerability, review what sort of incident
activity we have seen over the last quarter (and CERT-UK’s first quarter of course) as well as
a threat update on various forms of malware, amongst much more.
Once again, I hope you find this Report useful and if you have any feedback or comments
please do email them to us at enquiries@cert.gov.uk.
Chris Gibson
Director, CERT-UK
CERT-UK is enhancing the UK’s Cyber Resilience
Executive Summary
Since CERT-UK launched on 31 March 2014, we have handled a wide variety of incident types, with many different root causes. The types of incidents have generally been similar to those we were seeing in the first quarter of 2014, where the vast majority would have been prevented by following the UK Government’s 10 Steps to Cyber Security [1]. For the rest of the incidents, the guidance would have helped to limit the impact across the organisation. It is important to note that the information in this quarterly is based upon the incidents that have been reported to CERT-UK and so does not represent a complete picture of UK cyber health.
Key points from this quarter include:
- The Heartbleed vulnerability highlighted how important it is to have an accurate inventory of software installed on devices – and to keep abreast of vulnerabilities in that software
- Malware related incidents accounted for over 25% of all incidents handled by CERT-UK
- Reports to CERT-UK relating to social media account compromises and data loss were very low; presumably because these are normally reported to Law Enforcement and the Information Commissioner's Office (ICO)
CERT-UK’s primary purpose is to support the Critical National Infrastructure (CNI) – yet the majority of incidents handled this quarter are actually related to non-CNI infrastructure [2] (i.e. other infrastructure and systems in the UK). The vast majority of these incidents were ‘abuse’ reports (e.g. relating to phishing websites, networks sending spam emails, etc). Across the rest of the sectors it was a fairly even distribution of incidents, with the public and finance sectors then comprising the next largest proportion of incidents reported.
[1] https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility
[2] This is how we currently categorise these incidents and will continue to refine this over time
[Figure: Incidents by sector. Sectors shown: Academia, Defence, Energy, Financial Services, Govt/wider public sector, Professional Services, Supply chain, Transport, Water, Non-CNI Infrastructure.]
Malware related incidents accounted for over 25% of all incidents handled
Malware continues to be a serious threat to businesses, identified as the root cause in over a quarter of all incidents that CERT-UK dealt with in the period April – June. Most businesses have anti-virus (AV) products deployed, but that alone will not completely protect businesses from adversaries. We continue to see malware evolving in sophistication to include advanced functionality to evade detection by AV products – which the AV vendors will swiftly move to counter in this long game of cat and mouse. Securely configuring end-point devices, whether desktop, laptop, tablet or mobile, can go a long way in preventing malware from compromising your network. The UK Government’s 10 Steps to Cyber Security [3] provides an overview of this and other mitigation steps that can be taken.
The Cyber-security Information Sharing Partnership (CiSP) [4] has continued to grow, building upon its successful first year with membership approaching 500 companies by the end of June. A large amount of outreach work, particularly to trade and membership bodies, has assisted in this effort. The UK Engagement team in CERT-UK are continuously working to enhance our existing relationships, as well as to establish new relationships needed to achieve our responsibilities derived from the UK’s Cyber Security Strategy. We are always happy to demonstrate CiSP membership to individual companies and, most importantly, CiSP membership has no annual cost. For more information visit our website, https://www.cisp.org.uk
Following its integration into CERT-UK, CiSP has been able to take advantage of the access to the CERT-UK incident handlers to provide a more seamless and effective response to customers – and vice versa. By using information of incidents handled by CERT-UK as an intelligence source, we are able to ensure that CiSP members are aware of new attacks as well as trends we may be spotting. In addition they may be given advance notice of operations to take down cyber-crime networks, like OP TOVAR which targeted the Gameover Zeus botnet. Likewise, the ability for incident handlers to have a dedicated communications channel, directly with our industry members, ensures that information flows freely between Government and industry.
[3] https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility
[4] https://www.cisp.org.uk
[Figure: Malware vs all other incident types. Malware 27%; all other incident types 73%.]
When the Heartbleed vulnerability was publicly disclosed, CiSP provided clear messaging regarding the vulnerability and what mitigation action to take. There was a huge amount of discussion on CiSP, with members contributing to the overall understanding as well as providing real-world views on its impact.
We have received evidence of many customers taking swift and effective action based on
information provided, including a large British transport organisation who described the
outputs from CiSP as ‘actionable and credible information that we used to support our
infrastructure.’
As well as working to establish and enhance our existing UK relationships, the International Engagement team has been working to integrate itself into the international CERT community. High on the priorities list was building trusted CERT-to-CERT relationships – membership of the Forum of Incident Response and Security Teams (FIRST) [5] and of the European Government CERTs (EGC) Group has helped us to accomplish this. These efforts were conducted in parallel with bi-lateral discussions and representation at international conferences on cyber-security. Working to strengthen the international relationships has helped to ensure that CERT-UK is readily able to connect with cyber security experts around the globe, helping us to do our part in keeping the UK safe in cyber space [6].
[5] http://www.first.org/
[6] https://www.gov.uk/government/policies/keeping-the-uk-safe-in-cyberspace
Trends per Sector
As mentioned, this quarter, just over half of the incidents handled by CERT-UK have related
to non-CNI infrastructure. For the most part this takes the form of abuse reporting, which is
reported to CERT-UK by affected parties either in the UK or internationally. CERT-UK will then
verify that the reported abuse is occurring within the UK and work with the hosting provider
or Internet Service Provider (ISP) to rectify
the issue. The rest of the incidents handled
are then split fairly evenly, with the Public
Sector and the Financial Services slightly
ahead in the number of incidents reported.
All of these statistics are derived from information about the number of incidents reported to CERT-UK directly and do not take into account incidents reported or handled through CiSP. Incidents reported via CiSP are handled by the community on CiSP – augmented by the Fusion Cell – allowing originators to solve the incidents themselves. This may help to explain why some of the sector incident counts are so low. As an example, the Defence sector represents a small proportion of the incidents handled directly by CERT-UK, but is well represented on the CiSP environment. This low reporting rate can also be attributed to the growing maturity of that sector. Other sectors such as Retail and Health are currently under-represented on CiSP and we are working to further develop these links and associated situational awareness. To address this, the UK Engagement team are now focussing on engaging with these sectors to improve our knowledge of the issues they are facing.
[Figure: Incidents by sector, April – June 2014]
Academia: 4%
Defence: 1%
Energy: 4%
Financial Services: 11%
Govt/wider public sector: 13%
Professional Services: 5%
Supply chain: 7%
Transport: 3%
Water: 1%
Non-CNI Infrastructure: 51%
Non-CNI infrastructure is how CERT-UK currently categorises incidents that are outside of our core mission, the CNI. We will continue to refine this over time.
Incident Types
Malware reports made up the largest proportion of incidents that CERT-UK handled in May and June, and were the third largest in April. A number of these relate to CERT-UK passing information from one of our national, or international, partners to an infected organisation. CERT-UK is then able to provide further advice and guidance to the victim depending on their cyber maturity level. Some organisations are able to handle the incident through existing capabilities, while others decide to bring in a Cyber Incident Response (CIR) [7] certified company to assist them.
Throughout this quarter, Denial of Service (DoS) attacks have maintained a steady but low level of reporting. CERT-UK believes that this indicates a maturing response to this type of threat. DoS attacks have risen in prominence over the last few years, and the mitigation advice relating to them is well established. The low level of incident reports received by CERT-UK could be indicative that businesses are now well prepared to mitigate this attack, and so no longer need to seek assistance if afflicted by a DoS attack. Whether this trend continues through the next quarter remains to be seen.
[7] http://www.cesg.gov.uk/servicecatalogue/service_assurance/CIR/Pages/Finding-a-Service-Provider.aspx
[Figure: Incident types by month, April, May and June. Categories: Vulnerability; Website vulnerability; Attacker infrastructure; Network - compromise of infrastructure; Unsecured infrastructure; Abuse - credentials; Denial of service; Malware; Social media account compromised; Spear phishing; SPAM/Phishing; Data loss.]
Malware reports made up the largest proportion of incidents
Vulnerability reports accounted for a large amount of the incidents recorded in April, but dropped to a fraction of that amount during May and June. Heartbleed was a primary contributor to the spike in April, as CERT-UK handled incidents associated with, or believed to be associated with, this vulnerability. Website vulnerabilities include reporting of sites vulnerable to, for example, Cross-Site Scripting (XSS) and SQL injection. While reporting to CERT-UK accounted for 7% of the incidents in April, it dropped to 0% for May before recovering slightly in June. It is important that all businesses ensure that their external web-facing presences are securely coded and routinely tested for vulnerabilities. Securely coding sites from the development stages ensures that security is built-in, rather than an add-on. Routine tests for site vulnerabilities are important, as they ensure that any third-party plugins used are not lowering the overall security of the site. It is as important to ensure that any website plugins are patched and up-to-date as it is to ensure that the host operating system is patched and up-to-date.
Attacker infrastructure (i.e. the website or IP address is hosting some malicious script that an
adversary is using to attack someone else, or perhaps, is serving as a controlling node for
infected clients) was reasonably consistent this quarter and the majority of reports related to
abuse notifications. Compromise of infrastructure showed similar consistency, but these
incidents relate to reports of websites hosting phishing webpages – either a legitimate site
compromised to host the phishing page, or a site dedicated to phishing activity. Unsecured
infrastructure had a low proportion of the incident reports, but was consistent across the
quarter; these are incidents where a vulnerability has been detected, but may not have been
exploited, such as an open mail relay or insecurely configured Network Time Protocol (NTP)
service.
Reports of credential abuse were consistent through May and June, although we handled no
incidents related to this in April. Where feasible, CERT-UK aims to ensure that if we receive
notification of compromised account information, it is passed to the affected organisation.
The volume of spear-phishing reports peaked in May, before completely disappearing in June.
It is not unusual to see spikes in activity coupled with a near absence of reporting following
the spear-phishing ‘wave’ as the attacker looks to exploit the successfully compromised
recipients further.
Nearly 40% of incidents in April were related to vulnerabilities
What next?
Based on the information from April-June, over the next quarter (July – September) we would
expect to see malware continuing to be the most prevalent threat. Infrastructure and
credential abuse are likely to remain high on our activity list.
There are measures businesses can take to prevent (or at least limit) the frequency and impact of these events. One important strategy is to ensure that board members or senior executives are aware of, and understand why, cyber security is important to their business. The UK Government has resources that can help with this, such as the 10 Steps to Cyber Security [8], Cyberstreetwise.com [9] and the Cyber Essentials scheme [10].
Tracking malicious activity in the UK
On CiSP, CERT-UK routinely publishes a list of the ‘command and control’ (C2) servers that we see being used by malware. This list is produced by the Fusion Cell and is aggregated from all of our feeds of commercial and non-commercial information. Using a specialist tool, we are able to take in over 250,000 reports of ‘abuse’ information that has been traced to the UK, every day. The ‘abuse’ could be anything from a botnet infected client to an IP address in the UK launching automated scans across the internet.
In addition to using this information to produce a list of C2 servers that businesses can use to identify malicious activity on their networks, CERT-UK provides an automated alerting system for free to CiSP members. As the abuse reports are automatically processed by the system, they are checked against the network information that members have provided to us. This could be in the form of IP addresses, autonomous system number (ASN) or domain name. Should the system correlate a report of abuse with a member’s network information, an automatic email alert is sent to the listed point of contact. The email alert contains as much information as we are able to provide, but as a minimum will provide sufficient basic information to start an internal investigation to locate the ‘abuse’. Feedback from members that are using this service has been very positive.
[8] https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility
[9] https://www.cyberstreetwise.com
[10] https://www.gov.uk/government/publications/cyber-essentials-scheme-overview
This service should not be used as a replacement for any internal security monitoring and best practice, as monitoring on your own networks should always provide superior detection. This is an additional free service that CERT-UK offers to CiSP members, which we hope provides further assurance that their network defences are working as expected. If the system does not match any abuse to a member’s network information, then no email is sent; if it does match, members can use the alert to quickly identify whether there is an issue.
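The matching step described above, as an added illustration rather than CERT-UK's own tooling: a member's network information (IP ranges, ASNs and domain names) is registered against a contact address, each abuse report is checked against it, and an alert record is produced only where something matches, so a report that touches no member produces nothing. All member data, report contents and contact addresses here are constructed for the example, using documentation address ranges and example domains.

```python
"""Correlate inbound abuse reports against member-supplied network assets.

Added illustration, not CERT-UK's own code. Member assets, reports and
contact addresses are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class MemberAssets:
    """Network information one member has supplied (constructed sample)."""
    contact: str
    networks: list = field(default_factory=list)   # CIDR strings
    asns: set = field(default_factory=set)         # integer AS numbers
    domains: set = field(default_factory=set)      # registrable domains, lowercase

    def __post_init__(self):
        # Parse CIDRs once; strict=False tolerates host bits in the input.
        self._nets = [ipaddress.ip_network(n, strict=False) for n in self.networks]

    def matches(self, report):
        """Return the list of reasons this report touches the member's assets."""
        reasons = []
        ip = report.get("ip")
        if ip:
            addr = ipaddress.ip_address(ip)
            for net in self._nets:
                if addr in net:
                    reasons.append(f"ip {ip} in {net}")
                    break
        asn = report.get("asn")
        if asn in self.asns:
            reasons.append(f"asn AS{asn}")
        host = (report.get("domain") or "").lower().rstrip(".")
        # Match the host itself or any subdomain of a registered domain.
        for dom in self.domains:
            if host == dom or host.endswith("." + dom):
                reasons.append(f"domain {host} under {dom}")
                break
        return reasons


def correlate(reports, members):
    """Return one alert dict per (report, member) match. Reports with no
    match produce nothing, mirroring 'no match, no email'."""
    alerts = []
    for rep in reports:
        for m in members:
            reasons = m.matches(rep)
            if reasons:
                alerts.append({
                    "to": m.contact,
                    "category": rep["category"],
                    "observed": rep["observed"],
                    "reasons": reasons,
                    "report": rep,
                })
    return alerts


# Constructed sample data: RFC 5737 documentation ranges, private-use ASNs
# and reserved example domains.
MEMBERS = [
    MemberAssets(contact="soc@example.co.uk", networks=["203.0.113.0/24"],
                 asns={64496}, domains={"example.co.uk"}),
    MemberAssets(contact="abuse@example.org", networks=["198.51.100.0/25"],
                 asns=set(), domains={"example.org"}),
]

REPORTS = [
    {"category": "botnet-client", "ip": "203.0.113.77", "asn": 64496,
     "observed": "2014-05-02T10:14:00Z"},
    {"category": "phishing-site", "domain": "login.example.org",
     "ip": "198.51.100.200", "observed": "2014-05-02T11:00:00Z"},
    {"category": "scanner", "ip": "192.0.2.9", "asn": 64511,
     "observed": "2014-05-02T12:30:00Z"},
]


def run_sample():
    """Run the constructed reports against the constructed members."""
    return correlate(REPORTS, MEMBERS)


if __name__ == "__main__":
    for a in run_sample():
        print(a["to"], a["category"], "; ".join(a["reasons"]))
```

The second report matches only on domain: its IP 198.51.100.200 is outside the member's /25, which is the kind of detail an alert's "reasons" field should carry so the recipient can see why they were contacted. The third report touches no member and generates no alert.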
CERT-UK processes over 250,000 reports of ‘abuse’ every day
Case Study: Heartbleed
On 7 April a vulnerability disclosure by the OpenSSL team quickly gained worldwide attention
in the technical press as well as significant coverage in the mainstream media. What made
Heartbleed garner such widespread attention, and was it justified?
OpenSSL is integrated into many different operating systems and software applications. As an open-source software library, OpenSSL is maintained by a worldwide community of volunteers who contribute their time and knowledge to developing and supporting the OpenSSL library.
A small change to the code in December 2011 included an unnoticed bug in the Heartbeat Extension for OpenSSL. The Heartbeat Extension allows “the usage of keep-alive functionality without performing a renegotiation” [11], and is a defined part of the Internet Standards. The bug introduced a buffer over-read vulnerability, which allowed anyone communicating with a vulnerable device to request more information than would otherwise be possible. The extra information returned was discovered to contain information from the device’s memory. If enough requests were made it was possible to reconstruct the memory fragments into their original file. In a typical client-server exchange, as might occur if you did online shopping for example, it would be possible to retrieve files currently held in the server’s memory. This could include personal information such as usernames and passwords – anything that had been communicated to the server was potentially available.
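The over-read, and the length check that prevents it, as an added example in Python rather than OpenSSL's own C code: a HeartbeatMessage per RFC 6520 carries a one-byte type, a two-byte payload_length, the payload and at least 16 bytes of padding, and the responder must echo the payload back. The vulnerable pattern trusts payload_length; the hardened pattern discards any message whose claimed payload, plus header and minimum padding, would extend past the record actually received. Process memory is simulated with a bytes object and the "secret" session data placed after the record is constructed, so the leak is visible without any network traffic.

```python
"""Heartbeat length validation: the check that Heartbleed lacked.

Added example, not code from OpenSSL or CERT-UK. Memory is simulated with
a bytes object; SECRET is constructed sample data.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16   # RFC 6520: padding is at least 16 bytes


class MalformedHeartbeat(ValueError):
    pass


def build_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_length lets a caller construct a
    record whose length field disagrees with the payload actually sent."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(memory: bytes, record_offset: int, record_length: int) -> bytes:
    """Vulnerable pattern: copy payload_length bytes from where the payload
    starts, ignoring record_length (how much was really received). With
    `memory` standing in for the heap, bytes past the record are echoed."""
    _hb_type, payload_length = struct.unpack_from("!BH", memory, record_offset)
    start = record_offset + 3
    echoed = memory[start:start + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def respond_checked(memory: bytes, record_offset: int, record_length: int) -> bytes:
    """Hardened pattern: reject the message unless header + claimed payload +
    minimum padding fit inside the record length actually received."""
    if 1 + 2 + MIN_PADDING > record_length:
        raise MalformedHeartbeat("record too short to hold a heartbeat")
    hb_type, payload_length = struct.unpack_from("!BH", memory, record_offset)
    if hb_type != HEARTBEAT_REQUEST:
        raise MalformedHeartbeat("not a heartbeat request")
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        raise MalformedHeartbeat("payload_length exceeds received record")
    start = record_offset + 3
    echoed = memory[start:start + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


# Constructed simulated heap: the received record sits directly in front of
# other session data that must never be disclosed.
SECRET = b"session-cookie=sEcReT; user=alice"
PAYLOAD = b"hello"


def simulate(claimed_length: Optional[int]):
    """Lay out one request record followed by SECRET, as a heap image."""
    record = build_request(PAYLOAD, claimed_length)
    return record, record + SECRET


def leaked_bytes(claimed_length: int) -> bytes:
    """Whatever the unchecked responder echoes beyond the real payload."""
    record, memory = simulate(claimed_length)
    resp = respond_unchecked(memory, 0, len(record))
    return resp[3:-MIN_PADDING][len(PAYLOAD):]


def checked_result(claimed_length: Optional[int]):
    """The echoed payload, or the exception the hardened check raised."""
    record, memory = simulate(claimed_length)
    try:
        resp = respond_checked(memory, 0, len(record))
        return resp[3:3 + len(PAYLOAD)]
    except MalformedHeartbeat as exc:
        return exc


if __name__ == "__main__":
    greedy = len(PAYLOAD) + MIN_PADDING + len(SECRET)
    print("unchecked leaks:", leaked_bytes(greedy))
    print("checked honest:", checked_result(None))
    print("checked greedy:", checked_result(greedy))
```

With an honest length field both responders return only the five-byte payload; with a greedy one the unchecked responder returns the padding and then the session data that followed the record, while the checked responder raises before copying anything. The fix is the comparison against the received record length, which is what the OpenSSL patch added.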
Heartbleed was discovered independently by two different companies, both of which responsibly disclosed it to the OpenSSL project so they could fix the code and issue a software patch. One of these companies, Codenomicon, also registered the heartbleed.com domain, designed to raise awareness of the issue and provide information on action to take. Within hours, the online community was feverishly dealing with the implications of Heartbleed, and reacting to the revelations that the bug had been present for so long without anyone noticing it.
[11] https://tools.ietf.org/html/rfc6520
OpenSSL is a library that allows developers to easily implement some of the secure protocols that underpin the operation of the Internet – in this case SSL and TLS
Websites were quick to react to the implications of Heartbleed by patching their servers in
quick succession and alerting their users. Due to this vulnerability, and how long it may have
been present, many websites (and later media reporting) advised users to change their
passwords. This response was only effective, of course, once the website had patched all of
their servers – otherwise users would need to reset their password again once the servers
had been patched.
Another impact of Heartbleed was that many vulnerable servers had also potentially exposed the private key of the encryption certificate. This is the certificate that allows you to verify that the website you are visiting is legitimate, and that your connection to it is secure. If an attacker was able to gain a copy of the private key they would be able to impersonate the website, or eavesdrop on your ‘secure’ interactions with the site. This saw the largest simultaneous revocation and reissue of certificates the Internet had ever seen.
CERT-UK issued a number of alerts about Heartbleed, updating our advice as more information became available. On CiSP, more detailed technical information was shared and a dedicated ‘Heartbleed’ section was established to bring all of the information together in one place. Members actively exchanged information between themselves, and one of the most popular discussions was the exchange of IP addresses that had been detected scanning for servers vulnerable to the Heartbleed vulnerability. This allowed our members to proactively monitor who was scanning their networks, as well as blocking them if they chose to do so.
Even now, three months after Heartbleed was publicised, there are still a number of servers out there which have not been patched. While the number will likely continue to fall over time, the remaining unpatched servers are at significant risk from attackers. As an example, an international revenue collection agency was hacked shortly after Heartbleed was made public, with 900 social insurance numbers being stolen. National law enforcement quickly arrested the perpetrator.
A unique combination of events made Heartbleed into the headline grabbing story that it was.
Combining a long-present vulnerability, with an immediate and widespread reaction from the
technical community made Heartbleed particularly newsworthy. There has also been
discussion around the impact the Heartbleed logo had on media reporting, as vulnerabilities
rarely have their own logo to identify them by. This is not to say that the attention was
unwarranted – but there are many other vulnerabilities being disclosed on a daily basis, each
with their own risks and mitigation actions. If you patched your systems for Heartbleed, are
you also patching for these other vulnerabilities?
Threats
Gameover ZeuS and Cryptolocker
Operation TOVAR was the international effort to
tackle the Gameover ZeuS peer-to-peer botnet,
which is also responsible for distributing
Cryptolocker ransomware. Gameover ZeuS is a
banking trojan that aims to steal banking and
other sensitive private information. If this fails to deliver significant financial information, the
criminals can deploy Cryptolocker, which encrypts your personal files on your computer and
then attempts to extort money out of you in return for the decryption key. Without the key
the files are permanently locked and the only way to recover the contents is from backup
files.
The global effort to disrupt the botnet saw the temporary disruption of the domains that the
criminals used to control the malware. This provided an opportunity for infected clients to be
cleaned and the systems updated to protect against reinfection.
The National Crime Agency led the UK effort in the global
operation. Partnering with Get Safe Online, a dedicated page
provided information and explanations, as well as links to
tools that would scan to determine if you were infected as
well as cleaning up infected hosts. Get Safe Online also
provided useful advice about how the malware spreads and
how you can defend yourself against it.
CERT-UK participated in the information sharing campaign, raising awareness of the event
and hosting a copy of the advice and links to the clean-up tools. Additionally we received and
processed the sinkhole data, which we then distributed to Internet Service Providers (ISPs) to
allow them to assist their customers who had been infected. On CiSP, we have a dedicated
area providing the latest information on the Gameover ZeuS malware, allowing members to
further protect themselves.
While this co-ordinated international action will no doubt have a significant impact on the criminals behind this malware, it will do little to help those that have already fallen victim to this and other ‘crimeware’. For commercial organisations, the impact of ransomware cannot be underestimated. User education about cyber risks, along with robust security controls and a proven incident management capability, will help businesses to minimise the risk from, and impact of, crimeware like Gameover ZeuS and Cryptolocker.
Internet Explorer 0-day
On 1st May 2014, Microsoft released a security update to
address a vulnerability impacting all versions of Internet
Explorer. Microsoft release their software updates on the
second Tuesday of each month, Update Tuesday, allowing
businesses to plan their testing and deployment cycles
accordingly. Microsoft will generally issue any other security
updates needed for vulnerabilities when a higher risk warrants
an exception to the existing monthly update schedule.
In this particular case, FireEye disclosed to Microsoft that they had detected this vulnerability being used in very limited targeted attacks, by a known and persistent cybercriminal group. Within a short period of time, FireEye publicly disclosed details highlighting this vulnerability. Microsoft responded quickly to ensure customers knew that they were actively investigating the issue and reviewing various options to help protect them.
Despite the much publicised end-of-support for Windows XP in April 2014, Microsoft took the
unusual decision to provide an update for customers still running on the unsupported
operating system, while encouraging them to migrate to a modern operating system.
On CiSP, members actively shared the information they had on any attacks using this
vulnerability, with CERT-UK providing additional information aggregated from across all of our
data sources and partners that we work with. This allowed members to act quickly in
protecting their own networks.
Focus-on: Non-CNI incidents
CERT-UK has a primary focus towards protecting the Critical National Infrastructure (CNI), but from the statistics of the incidents that have been handled this quarter, over 50% were deemed to be “non-CNI Infrastructure”. For us, this is any infrastructure (e.g. a website or IP address) that does not belong to one of our customers on the list of CNI as defined by the UK Government [12].
As the international cyber point of contact for the UK, CERT-UK receives numerous reports
about abuse occurring within the UK. This could be identified by domain (e.g. something.co.uk
or badness.org.uk), or, by an IP address listed as originating in the UK (e.g. 62.172.97.230).
Many of these reports are passed directly to the ‘abuse’ contact listed in the WHOIS information for a website. This can be the domain registrar or the hosting provider, who will act in accordance with their terms and conditions. If the abuse persists, follow-up emails may be sent, but this time copied to CERT-UK to inform us of the abuse. Where feasible, CERT-UK will work with our partners and industry contacts to try and resolve the incident. This could involve working with the contacts that we have through CiSP at relevant organisations, such as Internet Service Providers (ISPs) or domain registrars.
If the reported abuse is in relation to a crime, such as fraud, CERT-UK will advise the originator to report it via Action Fraud (www.actionfraud.police.uk). Other national CERTs also contact CERT-UK looking to work with us in tackling abuse originating in the UK which is affecting their country. In one example of this, an international CERT engaged us seeking assistance with a Distributed Denial of Service (DDoS) attack, where some of the attacking infrastructure had been attributed to the UK. We were able to associate the activity to an organisation, and identified a point of contact there who would be able to progress the incident investigation. Initial analysis indicated that the DDoS activity was the result of an insecurely configured NTP server.
[12] http://www.cpni.gov.uk/about/cni/
‘WHOIS’ allows the querying of detail about a domain or IP address, and can also provide information about the registrant, including technical and abuse contact addresses. Since the start of this year, ICANN (the body responsible for co-ordinating the global internet addresses) has instructed domain registrars to validate WHOIS information in an effort to combat spam and phishing.
CERT-UK is not just the recipient of these reports – we work on behalf of the entire country
to ensure that other nations are similarly dealing with network abuse in their countries. The
type of work we engage with our counterpart national CERTs can range from sharing details
of abuse gathered from across the entirety of CiSP, to requesting specific action for a single
incident that has been reported to us. We have established a number of strong international
partnerships to help facilitate this work, as well as allowing us to explore other mutually
beneficial topics of work and improving our situational awareness by exchanging information.
Looking at the incidents we have dealt with relating to non-CNI infrastructure, we can see that the majority of incidents are regarding ‘attacker infrastructure’, i.e. the website or IP address is hosting some malicious script that an adversary is using to attack someone else, or perhaps is serving as a controlling node for infected clients. The adversary could be anyone, from the ‘script kiddie’ level right through to sophisticated cyber criminals.
[Figure: Non-CNI Infrastructure incidents by type. Categories: Website vulnerability; Attacker infrastructure; Network - compromise of infrastructure; Unsecured infrastructure; Abuse - credentials; Denial of service; Malware; Spear phishing; SPAM/Phishing.]
The next two largest segments relate to malware and the compromise of infrastructure.
Incidents categorised as ‘malware’ indicate that the website is actively serving up malicious
software to visitors of the site – whereas a compromise of infrastructure incident could mean
that the site has been defaced or similar.
Defending your infrastructure
For many of these incidents it was found that attackers gained access to the server in one of two ways:
1. Weak passwords on administrator accounts
2. Unpatched software, including website plugins
Defending against either of these is simple and straightforward – use strong and unique passwords for administrator accounts and ensure that all software is kept patched and up-to-date, including any plugins that may be used (e.g. WordPress plugins).
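The patching half of that advice depends on knowing what is installed and whether an advisory covers it, which is also the first key point of this report. As an added example (not CERT-UK's code), the script below compares a software inventory of hosts, products and versions against advisories that give a first-affected and a fixed-in version, and lists every install that falls in the affected range. The version parser handles OpenSSL-style letter suffixes, so 1.0.1f sorts after 1.0.1 and before 1.0.1g. Product names, versions and advisory identifiers are constructed placeholders, not real advisories.

```python
"""Match a software inventory against vulnerability advisories.

Added example, not CERT-UK's code. Products, versions and advisory ids are
constructed placeholders.
"""
import re
from dataclasses import dataclass


def parse_version(v: str):
    """Turn '1.0.1f' or '3.9.1' into (numeric parts, suffix rank). A trailing
    letter (OpenSSL style) ranks after the bare number it follows."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    suffix = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return nums, suffix


def version_key(v: str):
    """Comparable tuple; numeric parts are zero-padded so 1.0 == 1.0.0."""
    nums, suffix = parse_version(v)
    nums = nums + (0,) * (5 - len(nums))
    return nums + (suffix,)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    first_affected: str   # inclusive
    fixed_in: str         # exclusive: this version and later are safe
    summary: str

    def affects(self, version: str) -> bool:
        k = version_key(version)
        return version_key(self.first_affected) <= k < version_key(self.fixed_in)


def audit(inventory, advisories):
    """Return (host, product, version, advisory_id) for each vulnerable install,
    in inventory order."""
    findings = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv.product == product and adv.affects(version):
                findings.append((host, product, version, adv.advisory_id))
    return findings


# Constructed sample data: placeholder products and advisory ids.
ADVISORIES = [
    Advisory("ADV-0001-EXAMPLE", "examplessl", "1.0.1", "1.0.1g",
             "heartbeat payload length not validated; memory disclosure"),
    Advisory("ADV-0002-EXAMPLE", "cms-gallery-plugin", "2.0", "2.4.1",
             "unauthenticated file upload"),
]

INVENTORY = [
    ("web-01", "examplessl", "1.0.1e"),
    ("web-02", "examplessl", "1.0.1g"),
    ("web-02", "cms-gallery-plugin", "2.3"),
    ("web-03", "cms-gallery-plugin", "2.4.1"),
    ("mail-01", "examplessl", "0.9.8y"),
]


def run_sample():
    """Audit the constructed inventory against the constructed advisories."""
    return audit(INVENTORY, ADVISORIES)


if __name__ == "__main__":
    for host, product, version, adv_id in run_sample():
        print(f"{host}: {product} {version} affected by {adv_id}")
```

Two installs are flagged: the examplessl 1.0.1e on web-01 (inside the range) and the plugin at 2.3 on web-02. The 0.9.8y build on mail-01 is older than the first affected version and so is not reported, which is the distinction a naive "anything below fixed_in" check would get wrong.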
The 10 Steps to Cyber Security [13] provides an excellent reference for ensuring that you have considered all the necessary points when trying to protect your network, whilst cyberstreetwise.com has a ‘business health check’ quiz which allows businesses to informally assess themselves. The Cyber Essentials Scheme [14] is a more formalised assessment, which, once completed, allows businesses to display a Cyber Essentials Badge, indicating compliance with this government-endorsed standard.
CERT-UK ensures that the latest information about attacker trends and patterns is shared on CiSP, and we encourage members to share any new or emerging threat behaviours that they observe with the whole community, so everyone can benefit.
[13] https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility
[14] https://www.gov.uk/government/publications/cyber-essentials-scheme-overview