Part One | Part Two
Given the breach at the UK Governments leader in all things cyber security, the National Cyber Security Centre, perhaps now is a good time to discuss cyber security again, especially ransomware backup protection? As a little background the NCSC was opened to much fanfare by Her Majesty the Queen, and is headed up by chief executive Ciaran Martin, Director-General Cyber at GCHQ. The centre was announced by then chancellor, George Osborne, with £1.9 billion being made available for tackling cyber crime by 2020. Interestingly, the budget indicated an undisclosed amount to launch cyber attacks against terrorists and other countries.
To sum up, they have the right people, they have plenty of money, they have the full backing of government and industry. So why exactly do they not have a clue? The deliverables of the Cyber Security Essentials are, in my opinion, woefully inadequate, with the assumption of an organisations IT being in the 20th Century and not the 21st Century. By way of a simple example, their infographic regarding Password Guidance is nothing short of laughable. Such as, “Only use passwords where they are needed?” Passwords are a minimum requirement for every single element of an organisational network. No ifs or buts, which I said in Password, encryption and good Practice in 2015. I can’t stress enough the importance of Multi-Factor Authentication alongside passwords.
Why use Ransomware Backup Protection?
Using the recent WannaCry Ransomware incident as an example of how ransomware backup protection should be used, in October 2016 the NCSC published the guidance Protecting your organisation from ransomware. In the original guidance they recommended:
“Backups should be considered a last resort only, as the adoption of good security practices will mean not getting ransomware in the first place.”
Where I agree wholeheartedly with good practice to begin with, ransomware backup protection must form part of that. In mid-December they received feedback that “this line could be misinterpreted by a busy reader as”
“the NCSC does not advocate keeping backups”
Which therefore precipitated clarification, almost a month later! Backing up a bit, proving the Technical Director for Assurance has a sense of humour at least, although falling short of recommending ransomware backup protection:
Just to be clear: the NCSC recommend organisations use backups as a way to help mitigate against a wide range of potentially catastrophic problems, such as fire, theft, flooding, and – naturally – ransomware. Our intention with this paragraph was to note that whilst a backup can help minimise the harm that a ransomware incident causes to an organisation (assuming the backup is current, and is not able to be compromised itself by the ransomware), backups shouldn’t be seen as the primary defence against ransomware. Backups are a last resort, rather than a primary protection. It’s better to design and operate your systems in such a way as to minimise the chances of ransomware gaining a foothold, and to use backups as a mitigation should this occur.
Right then. Ransomware backup protection is good, according to the NCSC. In part two I’ll dicuss what to backup, and how to backup, whilst still wondering that perhaps the undisclosed element of the £1.9 billion was the greater proportion of the pot. And constantly looking over my shoulder, as I’m probably on a list, because of Britain’s nuclear submarines at risk of same cyber attack that crippled the NHS say experts on 21st May. The 36 page follow-up report, released by BASIC last week, HACKING UK TRIDENT: A Growing Threat makes really interesting reading.