Hmm
I saw this request. Whoever wrote it clearly didn't have a clue what they were asking for.
Britain's local governments were hit by almost 100 million cyber attacks in the last five years, while one in four councils' systems were successfully breached, according to research. Privacy campaign group Big Brother Watch sent Freedom of Information requests to all the UK's local authorities, asking for details of cyber attacks and …
If anyone asks me that I just give them the Fail2Ban stats for failed SSH login attempts (one every two seconds or so seems a bit low to me). Trawling through email virus logs, attempted access to PHP admin interfaces over HTTP and all the rest is a complete waste of time because the metrics thus created are meaningless when aggregated.
Of decent cyber security in many councils when too many jobs are obtained via who someone knows - " a good word put in on their behalf" rather than actual competence - far too often it is jobs for the boys (and girls) with the right connections rather than the best candidate.
Caveat: I'm sure there are some councils somewhere that are not a cesspit of corruption, just that I have never lived anywhere with a "decent" council.
Not to mention pay. I have friends contracting to local authorities on a good day rate (let's not get into IR35), but the permanent rates of pay are dire; that seems to apply across the public sector when it comes to InfoSec roles.
They seem to be around 30% off the average salary.
I mean, just look at all of those snake-oil companies peddling products anywhere from useless to harmful.
I'm sure that if Microsoft would, for example, offer a version of Windows cut down to the functionality of Windows 2000, but with all the bugs removed, people would buy it, given the choice.
I wonder how many commentards who work in the UK actually know where you are supposed to report a "cyber" crime?
How many of you have heard of Action Fraud?
Just interested.
I was wondering that. If only there were some central agency where you could report such incidents with confidence that they'd be viewed by competent people, who wouldn't waste your time with stupid followup questions, expose your data to more risk...
A general-purpose police website doesn't really cut it. They'd be sifting through ten thousand emails a day from "Ukrainians" claiming to have installed Cryptolocker on my system - that's the level of cybercrime I see most days, and I guess millions more people are in the same boat. A dedicated helpdesk for IT professionals in government, local government, and quangos doesn't seem too much to ask for.
Create such a helpdesk, then make it a crime not to inform them of a known breach.
Most 'important people' in councils across the country have no clue what cyber attacks really are. These are the people who think a good, up to date copy of Panda on every machine that they remember to put it on is more than enough, and is of course, cheap.
They likely blame those young whippersnappers with those fancy I-Phone things. Never done a hard day's work in their life, you know...
I know exactly what you mean.
I used to work in a council IT department and when I suggested we look at security for one of the web services, was told "who would want to attack us? We're just a local council."
I was far from amused, and had to spell out for him that the contract he'd signed to this third party specified traffic by the megabyte*, which was coming from his departmental budget, and that anyone who could hack in could cheerfully host a site of a less-than-wholesome nature hidden in plain sight. After all, who would suspect a local council of hosting a porn site**?
* this was rather a long time ago.
** that was recent news at the time. I believe it was reported on The Register.
If you can't secure the data, then don't fucking collect it. .... Sir Runcible Spoon
If your exclusive and executive administrations are all SCADA Systems [Supervisory Control and Data Acquisition Systems] one has no choice but to collect in order to remain in charge of command and control/power/energy.
And it is an Achilles Heel for attacking with data that corrupts/perverts/alters the balance of power in status quo systems.
Local councils are so strapped for cash, they are steadily winding down all the things that they are not legally required to do - one has already crashed through the bottom and there are several hot on their heels. Unless the law says that somebody will go to prison for not "doing cyber security", nobody will do it.
Hate on councils all you like, the fact is the Tories have relied on the fact that people are unable to connect A -> B and reduced council funding by up to 40%, knowing people will blame the council for any council tax hikes and service failures. It's slimy, cynical politics, but they are hardwired that way; they can't help themselves.
In a large number of councils anything not nailed down has been outsourced, including IT (there are some outliers, such as Bristol, that still own huge swathes of city property and have in-house IT).
Data security is important, but it's not top of a list of basic civilisation needs that includes things like closing unsafe food outlets, special needs transport, waste, housing etc.
Expecting any in-house expertise in security under those conditions, given they will be managed by outfits like Capita or Capgemini to the letter of the contract, is daft.
Phishing lures will always be the biggest risk, even after quantum encryption and computing are deployed.
The best way to stop phishing lures would be to have a government-run National Secure Email System {NATSEM}. It would be a single set of servers containing an account for everybody in Britain.
By containing email to a single set of servers, phishing can be monitored, reducing browsing and spying on your email by email advert bots and staff. Other countries (EU) might see the value of employing their own. Then secure exchange between known server sets could be facilitated.
Used for fiscal, legal, business and work-related email, and only sent within the server set, not to other external email servers. Everyone would be known to the server via their own account, increasing the digital communication security required for tax and social security and council rates, gov services and the like.
People might still keep a Google Mail account for chat rooms or other less important email if they wanted.
Shame that Britain sold off its post office, which may have been the best roof under which to house a system like this, as it was handling snail post.
A NATSEM system is the way to bring business and email together, as many businesses are pushing customers onto the insecure internet but do not properly adopt it themselves. Business does not like email for all the junk via it, but would be more interested in email once Britain's NATSEM is established, where junk email could be banned.
Gov and citizens must wake up: just look at your nation's efforts in cyber security. Can you expect to do good business and government on an internet in a wild world, or do you need to provide some managed sanctuary for people to transact reasonably in peace? Use a {NATSEM}!
'The best way to stop phishing lures would be to have a government-run National Secure Email System {NATSEM}. It would be a single set of servers containing an account for everybody in Britain.'
Doubleplus ungood idea.
Putting all business / government / important email in one basket just means that more people will compromise the basket sooner, the data will be exposed forever, the accounts will be compromised and unreliable, and there will be nowhere to hide from cybercriminals and spies.
Instant identity theft / spoofing, instant stalking, instant blackmail and extortion. As a solution to privacy and security problems, it rates right up with pumping the Hindenburg full of hydrogen as a fire safety measure because it will push out all the oxygen.
OK, so let's say you are responsible for data/security breaches. What would you do to stop the breaches, other than resign your post after a failure and sigh with relief that you're not the patsy any more?
A NATSEM would put much in the same place; it could have 2-factor ID and be watched over economically by a team of efficient (one hopes) cyber security staff. Email would not be stored beyond collection on it, and full erasure of email once downloaded by clients would be recommended.
Providing people and business a better place to communicate electronically saves heaps and provides economic benefit.
I have not seen any better solution, other than making the people at the top responsible, but then not accepting any action they propose.
well insert Fun Here >><<
As who would accept a job of sacrificial lamb/scapegoat for an ignorant but generally well-meaning public insistent on launching off the proverbial cliff just to bury their heads deeper in the sand?
That leaves everybody, not just the UK, right back where they started: hacked or hacking.
All the PayPal notices I get urgently extolling me to log in and check my details, even though I don't have an account.
Agree with the above posts: it simply becomes a honeypot and a .gov data sieve at the same time.
Note: government never admits liability and will enshrine that in law if necessary, regardless of the level of idiocy or predictability.