Interesting
If they did refuse to pay, good for them.
Hope they are also looking at ways to secure against future attacks. Those bastards are likely to try a revenge attack.
The cyber skids at INC Ransom are claiming responsibility for the ongoing cybersecurity incident at Leicester City Council, according to a post caught by eagle-eyed infosec watchers. A post made to INC Ransom's leak blog in the late hours of April 1 mentioned Leicester City Council as a victim of the ransomware group – the …
What isn't clear (and probably never will be) is whether the council was actively targeted or merely fell victim of a scatter gun attack because its "security" wasn't adequate. I strongly suspect the latter, as was the case when the UK NHS fell foul of NotPetya. The biggest mistake we currently make is to assume that security is a technology problem. Almost all the big breaches that have been sufficiently reported to judge have been fundamentally down to sloppy management and poor decision-making. Out of interest, that's also been the root cause of the large number of near misses (and indeed some accidents) involving Western nuclear weaponry[1], so it's not an IT problem -- it's a cultural one.
1: Eric Schlosser, Command and Control, USA, the Penguin Press 2013 [ISBN 987-1-59420-227-8]
I suspect that most incidents are one of two reasons:
1. The bad guys constantly scan IP addresses looking for insecure kit, if they get a hit on an easy vulnerability (and there have been loads recently)
or
2. someone opens the wrong email attachment and/or link
and then they are in.
Technology can protect against the first (patch patch patch), the second is the weakest link
"2. someone opens the wrong email attachment and/or link"
Technology can largely protect against that too, if you take the trouble (I've done it -- over a decade back). Email attachments from outside the enterprise should be actively AV scanned (e.g. by a sandboxed executor proxy) and any that can't be scanned should be dropped. Active links in emails that do not exactly match their text representation should never reach the desktop, all links in external emails and all web pages should be actively tested by a comparable proxy before delivery to the desktop. Our common reliance on the end user who is "the weak link" makes no sense at all. They're the last folks to have the expertise to make decisions about what is a legitimate or malicious link or content -- even we as security "experts" would have a hard job to do that consistently, particularly if tested under pressure of carrying out another unrelated job at the same time.
To become even reasonably secure we've got to move on from "someone to blame" to there being nothing much to blame anyone for, and a lot of that can be accomplished using appropriate technologies.
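A sketch of the link check described in the comment above, as a mail gateway might run it over an HTML body. This is an added example, not part of the original thread: the function names and the sample message are constructed, and treating scheme and trailing slash as insignificant is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that itself looks like a URL (assumed heuristic).
URL_LIKE = re.compile(r"^(?:https?://|www\.)\S+$", re.IGNORECASE)

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def normalise(url):
    """Reduce a URL to (host, path, query); scheme and trailing slash ignored."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path.rstrip("/"), parts.query

def mismatched_links(html_body):
    """Return (shown text, real href) for links whose text names another URL."""
    collector = AnchorCollector()
    collector.feed(html_body)
    collector.close()
    flagged = []
    for href, text in collector.anchors:
        if not URL_LIKE.match(text):
            continue  # plain-word link text makes no claim about the target
        try:
            same = normalise(text) == normalise(href)
        except ValueError:  # unparseable URL: treat as a mismatch
            same = False
        if not same:
            flagged.append((text, href))
    return flagged

# Constructed sample body: one honest link, one mismatch, one plain-text link.
SAMPLE = (
    '<a href="https://www.council.example/pay">https://www.council.example/pay</a>'
    '<a href="http://198.51.100.7/login">https://www.council.example/pay</a>'
    '<a href="https://www.council.example/help">Help page</a>'
)
```

A gateway using this would quarantine or strip any message for which `mismatched_links` returns a non-empty list.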
Training users has become the easy catch-all excuse to underinvest in technology but more importantly skills.
Public sector is usually pretty good at finding capital funding for new toys but very bad at funding the bodies to run and maintain those toys.
So you get the boardroom able to talk big words about investment in security, meanwhile that investment is never properly configured or maintained or the guy that did do it leaves and is never replaced. The £300k security wonder becomes a black box that just uses up electricity and collects dust.
Been seeing the same problem for close to 30yr. Beancounters can never see value in people. If they'd paid £40k for a skilled admin they might never have needed the £300k box.
They may have chosen the wrong target. If my council contacted me and requested an urgent additional council tax payment, they would be cordially invited to piss off.
Councils do nothing quickly, don't phone residents and are as respected and popular as a fresh cow pat at a picnic site.
Try harder, 'skids'.