Cyber Awareness in the Age of 'Track and Trace'
09 Jul 20
Collective Training and Services OBU
I think that we can all agree that Covid-19 came as a bit of a shock, and I can’t think of anyone who predicted how much of an impact the measures the government put in place to protect us all from this virus would have on our lives and our jobs. Many commentators have jumped on Taleb’s ‘Black Swan Event’ theory to say that there was no reasonable way to prepare for a very high impact, very low probability event and that it is only with hindsight that the missed opportunities become clear.
Before joining the RAF I had been studying for a PhD in microbial genetics. I remember one of my professors was part of a group of academics back in the 90’s who had a long-term sweepstake on which year would be the one in which the world would be hit by a pandemic from a previously unknown virus with a high mortality rate and high transmissibility, so it turns out that maybe the current pandemic wasn’t entirely unforeseeable. In Feb 2018 the WHO started work on a plan to manage an outbreak of ‘Disease X’, a hypothetical, unknown pathogen that could cause a future epidemic. To me this means that you have to remember one of the caveats Taleb put on Black Swan events – they are dependent on the observer’s experiences and access to information.
No one in Europe had ever seen a swan that wasn’t white until 1697, when Dutch explorers led by Willem de Vlamingh became the first Europeans to see black swans, in Western Australia. This means that the black swans had probably been there for longer than western civilisation but no one in Europe had had access to that information. In much the same way, academics and health organisations around the world understood the very real risks posed by a global pandemic but the information wasn’t widely known, understood or acted on.
I was originally employed by the RAF as a navigator flying Nimrods out of Kinloss, but due to the vagaries of RAF manning I then became a Cyber specialist and spent 6 years evangelising the risks and opportunities of cyber in military operations. One thing we learnt along the way is that at management level it is easier to get people who deal with how their business functions and how they manage risk to understand cyber than it is to get people with a predominantly technical cyber background to understand the real world impact of issues in cyberspace. We also learnt how difficult it is to recruit, train and retain really talented technical people – often traditional human resources practices don’t provide the appropriate motivation and incentives, which can be very challenging in a field where there are far more jobs than there are suitably qualified and experienced people to fill them.
An RAF Nimrod over the North Pole. MoD Crown Copyright 2002.
But why did I start off talking about Covid-19 in what is about to turn into a blog about Cyber? Simply because the same issues around low probability, high impact events apply to both pandemics and the disruption that a cyber-attack can cause. There are a lot of cyber security experts who can tell you about the risks posed by cyber-attacks, but often organisations struggle to understand what these - often low probability - risks mean to them. So what can you do to make your organisation more robust in the face of cyber-attacks?
It’s important to look at the problem as a whole; you want both cyber security and resilience. I’ll discuss cyber security later in the blog because my personal belief, based on my experience of real and exercise cyber-attacks, is that investing in resilience has a better return on investment and mitigates far more risks.
Lots of organisations are using homeworking as a mitigation against the disruption caused by Covid-19. But it also works as a mitigation against a site being flooded or a power outage at the office. Another sensible precaution is to take regular backups of your data; this will offer resilience against a user accidentally deleting data, a hard drive or a server failing, or a ransomware attack against your systems. In the military we called this sort of resilience ‘Mission Assurance’ – work out what the essential tasks are that you have to be able to carry out and then come up with a plan that lets you assure that output no matter what the cause of the disruption is. Over the past three years Inzpire has taken our experiences from military operations and has been successfully training and exercising organisations in this methodology. Our satisfied customers include Critical National Infrastructure providers, UK and foreign militaries, intelligence services and police from across Europe, Asia and the Middle East.
Throughout all of this training and each of the exercises we’ve ensured that we keep people at the heart of training, because your personnel are both the greatest vulnerability that cyber-attackers can exploit and your best chance of defeating them and defending your systems. As a contemporary of mine from the RAF, Pete Cooper, said: “the value of a technical cyber security product goes down over time. The value of an empowered team with a great cyber security culture goes up over time.”
A strong cyber security culture within a business is a powerful tool. MoD Crown Copyright 2015.
But what can you do to stop the cyber-attack being successful in the first place? A really good place to start is by having a look at some of the excellent infographics that NCSC have on their website (https://www.ncsc.gov.uk/information/infographics-ncsc). If you are running any sort of network it is also worth having a good read of the NCSC’s anti-patterns (https://www.ncsc.gov.uk/whitepaper/security-architecture-anti-patterns) - these are six ways that you absolutely should not configure your systems. People have even gone as far as to suggest that if you are guilty of having fallen into one of these anti-patterns and suffer a data breach then you should automatically be fined the maximum amount possible by the ICO – currently the greater of £17.8 million or 4% of annual global turnover.
It appears that Covid-19 has thrown up a lot of new social engineering scams that cyber-attackers are using to target individuals and companies. However, the scams themselves are the same as ever; as is always the case, the scammers pick current topics to increase the likelihood that the victim will click on a link or open a file. Every year there is a spike in the number of scams involving tax returns and refunds around the time people expect to receive legitimate messages about them. Right now one of the most prevalent social engineering attacks is mandate fraud, and there is growing concern that criminals will use the national Covid-19 Track and Trace system as the basis for scams.
Mandate fraud
Mandate fraud is when criminals attempt to get you to transfer money to their account. They may impersonate a senior manager and order a subordinate to transfer money to an account or pay a bill, or they could impersonate a supplier and try to persuade you that their bank details have changed and invoice payments need to go to this new account. Scammers are trying to exploit the fact that many business processes have had to change to accommodate homeworking and that financial authorisation that may have previously taken place face-to-face now has to be done remotely.
Track and Trace scams
All of this advice is taken directly from the Ofcom website where there is plenty of information on what to expect from a genuine test and trace call.
The only website the service will ask you to visit is https://contact-tracing.phe.gov.uk.
On a genuine call, contact tracers will never:
If you receive a call from somebody claiming to be from the NHS, and they ask you to do any of these things, hang up and report the call to Action Fraud, by calling 0300 123 2040 or by visiting its website.
Contact tracers will never ask you to set up passwords or PINs over the phone.
There is also an increased number of social engineering attacks starting with emails or phone calls offering assistance with gaining access to Universal Credit payments and Furlough payments.
Trying to cover all the different ways that you can be targeted through cyberspace and all of the ways you can defend yourself and your organisation would take up many books rather than a blog but here are a few tips that may be of use.
Attackers may try and direct you to a lookalike website. The contact tracing website is a gov.uk domain and only government departments can use these addresses. However, a similar address of ‘contact-tracing.phegov.uk’ (note the missing ‘.’ between phe and gov) is a normal ‘.uk’ address which could be used by anyone. At the time of writing this blog this website does not exist, but I still wouldn’t suggest clicking on the link just to find out. Facebook has recently resorted to gaining court orders to take down two lookalike web addresses which had been set up deliberately to target their users.
If you think that you have received a phishing email (a fraudulent email purporting to be from a reputable company in order to induce individuals to reveal personal information or navigate to a fake or compromised website) then you shouldn’t click on any links, but you should report it. Who you report it to depends on your circumstances. If you receive it on a personal email address then you can report it to Action Fraud and forward it to [email protected]. If you do send it to this address then you’ll get a reply thanking you for forwarding the email, but there won’t be any direct benefit to you. However, it will help out everyone in the country – the system is operated by the NCSC and they will seek to block the address the email came from, so it can no longer send emails, work with hosting companies to remove links to malicious websites, and raise awareness of commonly reported suspicious emails and methods used, which makes everyone safer. If you are part of an organisation that is big enough to have an IT specialist or department then you should have a method of reporting suspicious emails internally so that they can automatically block any similar emails from coming in to your systems.
Attackers often try to hide the identity of the email account that the message has come from or the address of the site that they are trying to direct you to. Forcing all your emails to be displayed as plain text (doing this is different for every program, but there are lots of guides on the internet to walk you through it) can make it easier to spot the truth. If you hover your cursor over a link then you should be shown what site it actually links to. For example, if you hover your cursor over this link then you’ll see that everything is not what it seems: https://contact-tracing.phe.gov.uk/. While I’d never recommend that you click on a link where the website it sends you to isn’t the same as the one it says it will, I can confirm that this link is safe and will take you to the homepage of the Inzpire website.
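The two checks described above (the lookalike ‘phegov.uk’ domain and a link whose visible text names one site while its destination is another) can be automated for an HTML email body. The following is an added example written for this blog, not Inzpire's or the NCSC's code; the sample email is constructed, the host names in it other than the genuine contact-tracing.phe.gov.uk and the blog's lookalike are made up, and only the Python standard library is used.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; scheme, port and path are ignored."""
    return (urlsplit(url.strip()).hostname or "").rstrip(".")

def is_gov_uk(host: str) -> bool:
    """Registered under gov.uk? The dot boundary matters: 'phegov.uk' is not."""
    return host == "gov.uk" or host.endswith(".gov.uk")

def shown_host(text: str) -> str:
    """Host named by visible link text, or '' if the text is not URL-like."""
    if "." not in text or any(c.isspace() for c in text):
        return ""
    return host_of(text if "://" in text else "//" + text)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self) -> None:
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html: str) -> list:
    """Flag text/destination mismatches and contact-tracing links not on gov.uk."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest, shown = host_of(href), shown_host(text)
        if shown and shown != dest:
            findings.append((href, f"text shows {shown} but link goes to {dest}"))
        elif "contact-tracing" in dest.split(".") and not is_gov_uk(dest):
            findings.append((href, f"{dest} is not a gov.uk domain"))
    return findings

# Constructed sample (not a real email): a mismatched link, the blog's lookalike domain, and a genuine link.
SAMPLE_EMAIL = """<p>Update your details: <a href="https://www.example-not-nhs.test/">https://contact-tracing.phe.gov.uk/</a></p>
<p>Or use <a href="https://contact-tracing.phegov.uk/">the tracing site</a></p>
<p>Genuine: <a href="https://contact-tracing.phe.gov.uk/">contact-tracing.phe.gov.uk</a></p>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first two links and leaves the genuine one alone; a mail gateway or help desk script could apply the same checks to reported messages.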
If you want to know more about how to protect your company or train your individuals in cyber then contact us.
This blog is written by Graham 'Baz' Basnett. Baz is Inzpire's cyber lead and works in the company's intelligence and cyber division. Baz served in the RAF for 16 years, initially as a maritime Nimrod navigator, and gained operational experience over Afghanistan, Kuwait, Iraq and the North Atlantic. After gaining a Master’s Degree in Aerospace Systems, Baz spent the last 5 years of his RAF career within the Air Warfare Centre helping to bring cyber into the mainstream of military exercises and operations. He also became one of the RAF’s top experts in countering the hostile use of drones and small UAVs.