The cryptically-named Richard C, Chief Security Architect at the National Cyber Security Centre, blogged about how he went about securing their web platform, not so that people could copy what he’d done, but so that they could understand what choices he made and, perhaps more importantly, why he made them.
Like us, you may have thought that to secure their web platform, they’d spend a king’s ransom to make it completely and utterly impregnable. After all, they are the NATIONAL CYBER SECURITY CENTRE. If they’re not going to have the most state-of-the-art, secure platform in the known universe, then who is, right?
According to Richard C, ‘Well, I’m sorry to disappoint you, but that’s not our approach.’
They do, of course, have a responsibility to set a good example in terms of cyber security (again, the clue is in the name), but ‘we’d much rather demonstrate proportionate risk management than over-the-top security. We’ve balanced security alongside other factors such as usability, functionality and cost.’
Here’s the killer line – the aim is to make the web platform as secure as necessary, not as secure as possible.
Advice we’d all do well to heed.
And here’s how they did it…
Risk Assessment – The Cost of Security Controls
Adding security controls to your web platform often comes at a cost, both financial and in terms of usability and functionality, so you need to weigh up the benefits of an intuitive, responsive and dynamic site against security measures that may hinder the user experience.
First, you need to determine what risks are most important and for the NCSC, they were:
- Defacement – unauthorised changes to content or assets on their websites could mislead users, or attack their devices
- Availability – their websites being unavailable during a major cyber incident could hamper their ability to coordinate the incident, or advise the public
- Reputation – by not following the advice of their own experts, their reputation and credibility could be undermined
Perhaps most importantly these days, they (and for they, read ‘all of us’) had to consider who they needed to defend against. Where to set the bar.
Here at Koncise, we offer a number of world-class solutions, including Cymulate, ObserveIT, ESET, Mimecast and Netskope, to prevent attacks from sophisticated hackers, and these costs are justified. But, says Rich C, ‘On the other hand, it would be disproportionately expensive to prevent a capable nation state from doing that – if they were determined to do so.’
He continues: ‘If groups beyond this level [of sophisticated hacker] are determined to attack us, chances are they’ll succeed. However, if that ever does happen, we will endeavour to detect the attack and respond effectively.’
Of course, the level of sophistication will only ever increase, so it means constantly fine-tuning and revisiting their processes to stay as secure as necessary.
Sensible Security Architecture
This is based on user needs (what visitors to the website are trying to achieve), the non-functional requirements and mitigations to the risks we mentioned earlier, and the decisions they made were to:
1. Reduce the attack surface of their internet-facing interface by moving the authoring tools used by their editorial team on to a private interface that can only be accessed via their enterprise devices
2. Reduce their operational security overhead by using higher level platform services in leading cloud providers who have a good track record of patching and operating their own services
3. Focus on automation to reduce the time it takes to patch software packages, with a goal of measuring the ‘time from patch release’ to ‘deployment into production’ in minutes (rather than hours or days)
4. Describe all infrastructure as code and store it under version control, allowing identical reference environments to be created for testing, and a ‘known good state’ to be recovered very quickly (if needed)
5. Have an ability to quickly switch to a simple static website (for example if they were under a sustained DDoS attack, or experiencing an exceptionally heavy load during a cyber incident)
Sensible security architecture forms the basis for good system security but as well as designing a secure, robust service, it also needs to be easy to operate…
…And That Means Continuously Paying Attention
No business or organisation – whatever it is you do – can ever say ‘we’re done. We don’t have to do any more’, whether that’s about the product or service on offer or, as we’re discussing here, the security of computer systems.
There is an ongoing requirement to continually update and improve, and there will always be work to do to keep everything secure, to monitor for attacks and to respond to incidents when (not if) they occur, because they will. One day.
The NCSC decided to assemble a single team that will follow a DevSecOps model.
Whilst they obviously strive to avoid making mistakes or being breached, they know this is a possibility. They are committed to learning from every mistake, and when there is an incident, they undertake to publish a public post-mortem in a format similar to that used by Google and others, so the whole community can learn from it too.
As a public body, the NCSC has a (moral, not legal) obligation to make its findings public, but private businesses don’t have to.
They also run what’s known as ‘game days’, where their pen testers exercise different attack scenarios, such as:
- A third-party library they use has been compromised
- Their CDN provider is unable to cope with the volume of attack traffic
- A zero-day in their CMS has been exploited, and they no longer trust the integrity of the service
However, while some may consider it good business sense to keep security breaches a closely guarded secret, in terms of company reputation we suggest that the opposite is true.
In 2016, the personal data of 57 million customers was stolen from Uber, a breach that was concealed for over a year and led to the departure of the company’s Chief Security Officer Joe Sullivan and another executive for their roles in keeping the hack quiet, including a $100,000 ‘hush payment’ to the attackers.
CEO Dara Khosrowshahi (who took over in August 2017) was quoted as saying ‘None of this should have happened and I will not make excuses for it. We are changing the way we do business.’
It’s fair to say that Uber didn’t cover themselves in too much glory during that episode, and their reputation has been somewhat tarnished ever since, but it raises a very important question – should you come clean?
In these halcyon days of ‘it’s virtually impossible to keep a secret from anyone’, we think that genuine transparency, and being as open and honest with clients, customers and the market as a whole, is far more prudent.
More and more people understand what a cyber incident is and what it entails, and if they understand that the company has invested sensibly in controls, and those procedures are openly communicated, the repercussions are likely to be less severe than if it had tried to hide, bury or even deny that anything happened.
As a business, trying to balance functionality, user experience, cost and appropriate security isn’t easy.
To a certain extent, business owners rely on – and trust – companies like ours to make sound judgements where their information security is concerned and as the Home page of our website says, ‘We can dazzle you with science or we can tell you what we actually do that will make much more sense to you – by plugging into world-class cloud platforms we will make you way more secure, way more productive, way more efficient and way more profitable.’
What would you prefer?
Contact us today on firstname.lastname@example.org or call 020 7078 0789 and we’ll talk cloud and email security, communications platforms, cutting-edge IT solutions or who’d win in a fight, Thor or Loki?