Good cyber security relies not just on individual firms but the collective getting the best advice and protection. Emily Moore talks to two directors of the Jersey Cyber Security Centre
IN an interview about cyber security, a lecture about the importance of smoke alarms may suggest that the conversation has wandered somewhat off topic.
However, there is a simple reason for this temporary detour into the world of fire safety, as it connects with Jersey Cyber Security Centre director Matt Palmer’s philosophy that ‘it takes an island to secure an island’.
‘Adopting good cyber hygiene is essential, not just for protecting your own business interests but for safeguarding the whole community,’ he said. ‘It is akin to somebody, in the days before smoke alarms became mandatory, deciding not to install one because they didn’t want the extra expense, only to leave a chip pan unattended and set fire not just to their own home but to all the other apartments in the building.
‘We all have an obligation to adopt good cyber security practices because only by reaching an acceptable minimum standard of security, will we be protected. As an island, we are only as strong as our weakest link.’
It is a message which Matt has been promoting since joining the JCSC, formerly known as CERT, two years ago, and one which Islanders will see and hear increasingly next month, as the Island hosts a range of events to mark Cyber Security Awareness Month.
But it is not only Matt whose voice and name people will hear, as the rebranded body has increased its team in line with its ever-growing remit.
‘The change of name was a ministerial-based decision, designed to better reflect what we do as an organisation,’ explained Matt. ‘CERT, which stood for Cyber Emergency Response Team, suggested that we only acted when something had gone wrong, whereas much of our work revolves around helping businesses to prepare for, and protect and defend themselves against, cyber threats.’
And these threats, as evidenced by the bank of screens on the office walls, are ever-present.
‘When I joined CERT last October as head of cyber defence for Jersey, none of this technology existed,’ explained Paul Dutot, who is responsible not just for the organisation’s technical services but also for leading the team of analysts managing and responding to threats and engaging with other cyber emergency response teams around the world.
Despite an initial setback to his plans to install the systems, this technology is now, he says, in the ‘maturity phase’ and helping the JCSC to gain ‘international status’.
‘I was only five and a half weeks into the job when we were called on to respond to a major ransomware incident, which meant the “day job” was put on hold for a while,’ Paul reflected.
‘However, we are now in a strong position and have achieved level-one listed status with TF-CSIRT already. We are hoping to move to level two before December and are aiming to achieve membership of the Forum of Internet Responders and Security Teams by the end of the year.’
While such organisations may be unfamiliar to anyone outside the cyber security world, in Matt’s words, such acceptance shows how far the organisation has progressed in the past two years.
‘A year ago, we laid the foundations and now we have built the house,’ he said. ‘The next step is adding a conservatory. And these steps are critical in enhancing our ability to identify threats. Specifically, the new technology includes an incident response system, which enables us to log incidents, track them and work with others to resolve them. Additionally, our information sharing portal gives us data from the National Cyber Security Centre, while achieving membership of FIRST will give us access to global data.’
As the interview progresses and Matt and Paul continue monitoring an attempted attack on an Island-based network, the value of having access to such information is brought into sharp focus.
‘We can see, in real time, who is attacking what and where the vulnerabilities are,’ explained Paul. ‘Supporting this are our honeypots, systems configured to be vulnerable so that they attract anyone intent on malicious behaviour to interact with them.’
‘While we don’t encourage attacks, the honeypots look interesting to anyone who is looking around,’ Matt added. ‘By simulating, for example, a mail server, it also helps to protect organisations’ mail servers by distracting the attacker and providing useful data about the attackers’ activities. That information can then be used to understand who is carrying out the attack, how they are doing it and what their next steps are likely to be.’
And those steps may not, says Paul, be the ones that people are expecting.
‘A lot of people talk about phishing and yet the evidence we have is that this is not the most common way for a company to be compromised,’ he said. ‘The trend is for cyber criminals to attack network devices, such as VPNs and firewalls, which are connected to the internet.
‘There is also a trend of buying access from dark web forums and a focus on hacking into messaging platforms such as Teams and Slack which are not generally as well protected as email systems.’
While many of these attacks can be mitigated by having protection in place, Matt says that several Island organisations are still falling short in this area.
‘The bar we need to hit to be secure is up here and yet the bar that people tend to understand is down there,’ he gestured. ‘Helping people on that journey is hard work. One simple step that companies should take to enhance their cyber security is two-factor authentication. I find it terrifying that a lot of companies – whether because they are working with a legacy system, don’t want to pay for it or don’t want a so-called block between their customers and systems – do not have two-factor authentication in place. Without this, your systems are essentially open to anyone, as practically everyone will have their password breached at some point. If I had the choice, I would take offline any system which didn’t use two-factor authentication.’
‘And even this is not foolproof,’ added Paul. ‘A much better weapon is a YubiKey, a physical token which you plug into your computer or phone to authenticate your log-in. That is a much more effective way to prevent phishing and secure online accounts.’
But while Paul and Matt can promote strong cyber practices, that is as far as their authority extends.
‘Our role is advisory. We don’t have the power to take systems offline; we can only try to explain best practice and show the vulnerabilities in the Island right now to help people understand why cyber security is so important,’ said Matt.
‘It would be better, though, if people learnt this through listening to us rather than by waiting until they become a victim of a cyber attack. That approach is very much like waiting for your house to burn down before realising that a fire alarm would have been useful.’
And while the challenges around cyber security are ‘significant’, Matt and Paul say that next month’s events can give people both an insight into the ‘proper controls that should be implemented’ and an assurance that, ‘if the worst does happen, support exists’.
The ‘headline’ event of the month is a cyber security conference, delivered in partnership with the Channel Islands Information Security Forum, on 19 October, which Paul says provides extensive information about how to reduce the risk of a cyber attack, the impact that such an incident can have, and how to deal with such an occurrence.
‘As well as being informative, this will be a highly entertaining day, with speakers including FC – otherwise known as Freaky Clown – who lives in Nevada and is a well-known ‘ethical hacker and social engineer’.
Having recently written a book called How I Rob Banks, FC’s talks often include an anecdote about how, through social engineering, he was able to break into a bank and steal a gold bar from a vault, just by convincing people to let him in.
Also at the conference, the JCSC team will introduce its new Cyber Shield, and explain how businesses can benefit from its protective qualities.
‘This is a conceptual shield, which highlights the various forms of attacks to which businesses may be susceptible and the different services which can help to safeguard against them,’ explained Paul. ‘This includes our advance warning service, a vulnerability advisory service and active scanning, which enables organisations to be scanned for weaknesses in their internet-connected systems.
‘The shield also supports vulnerability disclosure, so if a security researcher wants to report an issue with something that is public-facing but doesn’t want to report it directly to the entity involved, they can come to us and we will progress the matter,’ Matt added.
Also during the month, the team will be carrying out a benchmarking exercise of Island organisations to understand the level of cyber controls currently in place.
‘As part of this, we will be running some incident response exercises, giving people the opportunity to experience, in a safe environment, what it’s like to have to respond to a cyber attack,’ said Matt.
‘This means that if your organisation is attacked, you are prepared and know what to do and what support you can call upon. We are running four of these workshops, targeted at financial services, hospitality, charities/voluntary organisations, and small businesses.
‘Following these, we are also holding a series of drop-in advisory sessions, where people can arrange an appointment to talk to specialists from the JCSC, the Office of the Information Commissioner, JT and other providers to understand how they can address any security concerns they may have.’
For more details about all of these events, or to book a place, visit cert.je/events.