- Jersey Cyber Security Centre Newsletter
Archive
CERT.JE - New Year, New Action!
Dear all,

Let's cut to the chase as a whole day of the year is already gone, and time is short. So I recommend putting patching in 14 days, two-factor authentication for everything, and hardening to the CIS Level 1 benchmark at the top of your New Year's resolutions list. Then do Cyber Essentials Plus with a local supplier to make sure you've got the basics right. If we all do that, we'll be the most cyber safe place on the planet. So what's stopping us? There's no time like the present!

If on the other hand you're having New Year's Day off before starting those resolutions tomorrow, there's plenty below to get you thinking.

Happy New Year, and thank you all for your support for improving our cyber security in 2022.

Regards,
Matt

What does a hyperspace bypass have to do with Island cybersecurity?

Well, when it came to helping to navigate through a much-needed new law on cyber defence, where else to look for guidance but the Hitchhiker's Guide to the Galaxy:

“But the plans were on display...”
“On display? I eventually had to go down to the cellar to find them.”
“That’s the display department.”
“With a flashlight.”
“Ah, well, the lights had probably gone.”
“So had the stairs.”
“But look, you found the notice, didn’t you?”
“Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.’”

Whilst these proposals are by no means as dramatic as a hyperspace by-pass, they do make a meaningful impact - requiring operators of essential services to report incidents within a maximum period, and giving CERT the ability to share and protect information in similar ways to other equivalent bodies internationally, so people feel able to share with us.

Now some consultations can be quite quick and streamlined - done and dusted in a few weeks. And a quick consultation was attractive, as we're on a tight timeline: without this law, we can't properly do the job we've been asked to do.
However, the price of rushing things through could be missing out on important improvements and changes, and winning valuable support the hard way. After all, this is about improving our resilience together.

So we spoke to our colleagues in Government Policy and were pleased to find that they agreed with us. Hiding the proposals behind an abandoned toilet was never really on the shortlist, and they were (of course) published on the gov.je website shortly before Christmas. A short consultation period was discounted, and a month-long window allowed for comment. Rather than quietly leaving the consultation to gather dust, we've actively promoted it in local media and online. We've also chosen to consult now on what's called 'drafting instructions' rather than on the legal wording, so we get input before it's written, not after. And finally, we've elected to run a series of workshops for the public and interest groups to find out more and share their thoughts with Government directly.

It's a lot more work than anyone asked us to do, and I know there's not really a lot of optionality in many areas if we want to be effective. However, we'll be there with a notepad, because to be sure we're getting it right for Jersey, we have to be sure we're listening to Jersey.

We hope you agree this is important and come along to learn more.

Regards,
Matt

PS. As a result of Revue shutting down we will be moving our newsletter in January. If you have whitelisted the email to make sure it gets through you may need to do so again, and any unsubscribes processed during transition may need to be resubmitted. Thanks for understanding.

PPS. Missed the bit about patching, 2FA and hardening? It must have been a late night welcoming in the new year - feel free to read this as many times as you like, or send it to a colleague or family member to read for you :-)

PPPS. All your systems patched within 14 days? Go right ahead and find useful info, global insights, and lots of local cyber jobs and events below.
CERT.JE - What are you unwrapping this Christmas?
Dear all,

At CERT.JE we’ve been putting a lot of effort into security this year – yours as well as ours. After all, we don’t want cyber criminals breaking into our computers this Christmas and leaving unwelcome gifts of viruses, worms or ransomware.

Other gifts of course can be warmly welcomed, but if you unwrap a new phone, laptop, or connected device this Christmas please bear in mind that whilst these can be wonderful tools (or toys!) they are not free of risk, and taking some basic steps can protect you and your family. So as our gift to you, we’re sending you our very own digital Christmas cards – 10 top tips for a safe and secure Christmas, shared via social media between now and the end of December. Follow CERT.JE on LinkedIn, Twitter, Facebook or Instagram to unwrap them.

On a personal level, my family life as well as my professional life over the last year have been very much affected by Russia’s war in Ukraine. This final newsletter of 2022 is therefore dedicated to those whose most basic security has been taken away, and who have nonetheless proven their personal resilience in the most trying of times. Please do consider supporting them at Side By Side, Jersey | Bailiff's Ukraine Appeal.

We move into 2023 with a much stronger cyber capability in Jersey. During Cyber Security Awareness Month we welcomed to CERT.JE Paul Dutot as Head of Cyber Defence, James McLaren as Senior Analyst and Morgan Franklin as our Digital Apprentice.

We still have a long way to go, and next year will for us be a year of action. I will be hoping it is less eventful - but whatever the world throws at us, this year has shown that we can rise to the challenge and deliver together as one island, and with the support of our partners both locally and internationally.

Thank you to everyone who has helped us on this journey so far – we look forward to working with you all in the new year and beyond.

Regards,
Matt
CERT.JE - Cyber Security Awareness Month was a success!
Dear all,

Wow that was a busy month! One event every 48 hours overall and fantastic feedback. I could spend the whole of this update talking about that – but we have news to share!

We have completed the hiring of our technical team to provide a capability to prepare, protect and defend Jersey from a cyber attack. We had a huge number of amazing applications and thank you to everyone who applied.

Paul Dutot, formerly of Defence Logic and Ports of Jersey, joins as the Head of Jersey Cyber Defence. James McLaren takes up the position of Cyber Security Senior Analyst after working at Logicalis and GCHQ. Morgan Franklin becomes CERT.JE's first-ever cyber apprentice.

For Morgan, technology was always a big part of her life growing up. Focusing on IT and computing in school and maintaining that interest during early career opportunities enabled a passion for cyber security to flourish. Alongside working and her on-the-job development, Morgan is studying part-time towards a BSc in Digital & Technology Solutions (Cyber Security) from the University of Exeter, as well as a relevant professional qualification.

James McLaren came to Jersey having worked nearly 20 years in the UK's intelligence, security and cyber agency, GCHQ, in Cheltenham, devising their first Internet security training course in 2001. He joins CERT.JE after eight years working for the managed security provider Logicalis, specialising in SIEM and security consultancy.

Paul Dutot joins CERT.JE from being Chief Technology Officer at Defence Logic Limited. He previously managed the global provision of security services to a diverse range of clients including all forms of penetration testing, SIEM solutions and cyber security consultancy or governance services. Additionally, Paul developed custom SIEM implementations and response procedures to protect global clients from cyber security incidents.
Over the last 12 months we have been working hard to lay the groundwork for CERT.JE, culminating in a very successful Cyber Security Awareness Month in October. However, to deliver a lean and effective cyber emergency service that meets local needs, we need the right balance of skills and experience across a small team. With Paul, James and Morgan we now have the core capability to support local organisations and islanders in the event of a cyber attack. I am delighted to welcome them to the team, and look forward to working with them to deliver a secure and resilient island supported by a capable cyber defence.

Regards,
Matt
CERT.JE - Welcome to Cyber Security Awareness Month
Dear all,

I’ll keep it short this month because I’ll see you all this Tuesday, October 4th, at the Channel Islands Cyber Security Conference.

If you’re not yet going, now is the time to register for this and our other Cyber Security Awareness Month Events.

Sign up here: http://cert.je/events

See you there!

Regards,
Matt

PS. Best be quick as there’s not long to go now!

PPS. Great local cyber jobs below as usual :-)
CERT.JE - It’s not a worst case scenario, it’s a realistic one.
Dear all,

Laying the right foundations

Running a CERT comes with a lot of complexities beyond the technical, from having the right mandate and authority to work with other governments and public bodies, to dealing with data protection, freedom of information and computer misuse legislation alongside national security requirements. Getting the foundations right is essential, and over the last 12 months we’ve been working closely with the Government of Jersey to define the right direction of travel. We don’t want to be reinventing the wheel or duplicating costs, but we do need the right degree of independence to deliver our mandate. Together we’ve found a good way forward that balances the two and learns from successful CERTs around the world. This will require legislation, and therefore will be subject to consultation. It’s not the quickest route, but it is the right one. Once we get there we will be able to fully deliver against our mandate to prepare, protect and defend Jersey from cyber threats.

CERT Recruitment

We made progress last week hiring for our Head of Cyber Defence, Senior Analyst and Apprentice and look forward to announcing these appointments soon. We’re enormously grateful to our candidates who put themselves forward. There was some wonderful talent on display who willingly put themselves through a practical cyber incident triage exercise, technical questions and a panel interview. Unfortunately we just can’t offer a role to everyone, no matter how much we’d like to. However we do want everyone seeking a career in cyber security in Jersey to find a role they will excel in and enjoy. A strong industry with good opportunities for local candidates makes all of us stronger. We are offering all those who applied 1:1 feedback and (should they want it) advice. If you are hiring, please tell us at [email protected] and we will include your role in our newsletter.

Regards,
Matt
CERT.JE - Neart Le Chéile: Strength Together
Dear all,

I am just back from Dublin after 6 intense days of learning from some of the best brains in cyber and incident response at FIRSTCON22. 1,000 attendees from national and corporate cyber defence teams, with a series of hands-on workshops and presentations from both real world experience and original research.

Some of the topics are confidential, but I’ll look to share some of what I’ve learned and how we will be applying it over the coming weeks.

I met many other CERTs / CSIRTs from countries around the world who we will work with as we develop CERT.JE.

Other countries are at different stages on the same journey, so lots of good practice to learn from that will help us on ours.

The theme of the conference gives us the key to developing cyber in Jersey - "Strength Together", or in Irish "Neart Le Chéile".

We don’t need to reinvent the wheel on the services we provide, and we don’t need to do what the U.K. or others will do on our behalf. We just need to apply lessons learned by others to deliver the right capability to meet Jersey's needs, and of course be willing to share and help others along the way.

Regards,
Matt
CERT.JE - It's time to step up
Dear all,

Not only have reconnaissance attacks on Jersey increased following Russia’s invasion of Ukraine, but we see real evidence on a daily basis of the impact of cyber attacks on local organisations.

Were you the company whose compromised computer was part of a botnet launching international attacks from Jersey last week? Was the denial of service attack we saw yesterday yours? Was it you whose email account was compromised - because it didn’t use two factor authentication and cyber criminals found information on social media to guess your password? And did your company figure out that’s how they got into the client portal, too? When you approved that controls exception last week, did the international cybercrime network kindly agree to leave it alone – or whilst you stood guard over the front door, did they find the window you left open and climb through?

We may be an island, but cyber is a global threat. It does not respect borders or barriers. It respects only engaged people, strong business processes, and good technology controls. It's time for Jersey to step up - we have work to do.

If you’d like to be part of this effort, there’s a lot you can do in your organisation, in your home, and in your community. CERT.JE are working with a number of bodies across the island to bring together our first Cyber Security Awareness Month in October, and we look forward to telling you more soon. In the meantime, every organisation can sign up for NCSC’s Active Cyber Defence Early Warning System to be notified of known vulnerabilities and compromises in your network so you can respond when they occur.

Last week I spoke at a Chamber of Commerce event, where a speaker described cyber security as a ‘young man’s game’. Unfortunately he had a point: cyber as a profession is predominantly male and not sufficiently diverse, and that’s something we need to address.
The number of cyber roles globally is projected to increase by a third over the next 5 years, and to have an effective workforce we need to welcome all talents and skills. After all, hackers don’t care how you dress, how your brain works, how you identify, what your gender is, how old you are, or what you did before. And nor should we.

With that in mind I’m particularly pleased to be advertising a Cyber Defence Apprenticeship for the first time in Jersey. We can all do our bit to bring more people into the profession, and to support islanders to develop their skills. This role provides the opportunity to work whilst studying for a degree from a top UK university. It’s a remarkable opportunity, and it’s open to everyone who meets the academic criteria (those have flexibility too). Prior experience is purely optional - selection is on capability and commitment, not what you have done before. School leavers are welcome to apply, as are those from other fields. Application is as simple as sending your CV. For information on this role, as well as two other crucial roles we’re hiring at Manager and Senior level, see the jobs section below or click here for details.

Regards,
Matt
CERT.JE - It's all about people
Dear all,

Human actions are behind every security threat we face, and human action is also our first defence - it takes an island to secure an island.

This month has been busy with meetings to develop collaboration and information sharing with organisations including Jersey Business, Bureau des Îles Anglo-Normandes, UK's NCSC, and our colleagues in Guernsey and the Isle of Man. In addition we held an informative and well attended round table discussion with local cyber security suppliers, looking at issues including Cyber Essentials, skills, and readiness.

We have also begun recruitment for a new role as part of the new digital apprentice scheme initiative by the Government of Jersey – this is a great opportunity for a local person to join us and to help defend the island from cyber threats whilst gaining a top degree in cyber security. Combining practical delivery with academic study, this is suitable for anyone seeking a career in cyber security regardless of their age, experience or professional background.

Cyber security should be inclusive and open to everyone, and we’re aiming to do our part to make sure all islanders have these opportunities. Please share and apply via the links below.

We have also progressed our response to the situation in Ukraine. This continues to evolve rapidly, and organisations should act now to ensure they are protected should these threats move westwards. Simple steps include introducing multi-factor authentication (both at work and at home), rapid and comprehensive patching (small biz? Turn on auto update), and registering for the NCSC’s free Early Warning System to get alerts if your organisation's systems are believed to be compromised.
There's a role for everyone to play at home too - ensure your devices are set to auto update, be careful where you click, and be sure to turn on multi-factor authentication for all your email and social media accounts.

Spoofed (fake) emails are increasingly common and we can all take simple steps to protect each other, so we are highlighting a useful tool below for organisations to check and improve their email security.

We're also commencing planning for cyber security awareness month in October, alongside a number of local partners. Watch this space to find out what will be happening locally to help you at home and at work with your cyber security, and if you'd like to contribute please let us know.

Regards,
Matt