Holding knowledge to ransom

The British Library has been the target of a ransomware attack that has persisted for most of November. The attackers are reportedly demanding £600,000 for the stolen data, including employee information which has been seen being bid for a similar amount. Those who use the library frequently have been told that disruption to services after the serious ransomware attack was likely to continue for months.

The group claiming responsibility, Rhysida, was also responsible for attacks on the University of the West of Scotland, the Chilean army, and the city of Gondomar in Portugal. This trend ultimately feeds into growing concerns about the security and resilience of public sector systems. 

The investigation into the root cause is still ongoing, but Rhysida has been known to gain access to systems by exploiting old vulnerabilities, such as ZeroLogon, as well as using phishing and stolen credentials to authenticate to VPNs of organisations that lack Multi-Factor Authentication (MFA) by default. 

This emphasises the need for organisations to prioritise using MFA, as systems are increasingly at risk without it. 

Warnings around critical infrastructure and connected systems

The resilience landscape is appearing more at risk, with concerns both of public sector and critical infrastructure systems. The National Cyber Security Centre (NCSC) published its seventh annual review this month, in which it warned that the UK needs to accelerate the development and deployment of its cyber capabilities to keep pace with the changing threat landscape, particularly in relation to enhancing cyber resilience in the nation’s most critical sectors.

The review flagged that it had seen the emergence of state-aligned actors that are more ideologically motivated and are often sympathetic to Russia’s invasion of Ukraine. 

More recently the NCSC released a joint advisory with the Republic of Korea (South Korea) on the targeting of software providers by attackers backed by the People’s Republic of Korea (North Korea), flagging the attackers’ use of zero-day vulnerabilities. The advisory contains technical details about the malicious activity, case studies of recent attacks emanating from the DPRK and advice on how organisations can mitigate supply chain compromises.

Hacks for business

Vikas Singla, the former Chief Operating Officer of Atlanta-based Securolytics, a network security company providing services to the healthcare sector, has pleaded guilty to hacking two hospitals, which are part of the Gwinnett Medical Center (GMC), to boost his own company’s business.

He pleaded guilty to hacking into the systems of GMC Northside Hospital hospitals in Duluth and Lawrenceville on 27 September 2018. He disrupted the health provider’s phone and network printer services, stole the personal information of more than 200 patients from a digitising device connected to a mammogram machine in the hospital and used more than 200 printers in a hospital in Duluth to print the stolen patient information with “WE OWN YOU” messages.

This serves as an example of the importance of being alert to bad actors, limiting the access of suppliers and employees to what is necessary. Sometimes it could well be that the call is coming from inside the house. 

The further professionalisation of cyber security

The Cyber Scheme, together with The Chartered Institute of Information Security (CIISec), revealed their new status as the inaugural Licensed Bodies for Cyber Security Chartership in the UK. This follows the UK Cyber Security Council’s acquisition of a Royal Charter last year, which granted them the authority to issue licences, aiming to professionalise the cyber security field. 

At time of writing, the Cyber Scheme has the power to evaluate and recommend people for Chartership in Security Testing. The Scheme is also developing an Incident Response specialism for Chartered and Principal levels. 

CIISec will also now be able to assess and endorse individuals for Chartership at Chartered, Principal, and Associate levels in three areas: Secure System Architecture and Design, Cyber Security Governance and Risk Management, and Cyber Security Audit and Assurance. Alongside these new assessments it also published its latest iteration of the skills framework earlier in the month to reflect their new Royal Charter. 

Got an interesting cyber story for us? Email techfac@icaew.com.

AI guidelines from the NCSC

The NCSC published guidelines for providers of AI tools to inform their decision making during the design, development, deployment, and operation of a model. The guide touches on a number of areas, including the development of risk and threat modelling, supply chain security, incidence management processes and information sharing.

The guidelines follow the principle of ‘secure by default’ by being purposely aligned to the NCSC’s Secure development and deployment guidance, NIST’s Secure Software Development Framework, and ‘secure by design principles’ published by CISA.

These guidelines will be a crucial resource when developing, deploying and operating AI models. If you are considering using generative AI, the ICAEW guide also considers the risks, opportunities and suggestions for prompt engineering in the accountancy profession.