CERT.JE - New Year, New Action!

Dear all,

Let's cut to the chase as a whole day of the year is already gone, and time is short. So I recommend putting patching in 14 days, two-factor authentication for everything, and hardening to the CIS level 1 benchmark at the top of your New Year's resolutions list. Then do Cyber Essentials Plus with a local supplier to make sure you've got the basics right. If we all do that, we'll be the most cyber safe place on the planet. So what's stopping us? There's no time like the present!

If, on the other hand, you're having New Year's Day off before starting those resolutions tomorrow, there's plenty below to get you thinking.

Happy new year, and thank you all for your support for improving our cyber security in 2022.

Regards,
Matt

What does a hyperspace bypass have to do with Island cybersecurity?

Well, when it came to helping to navigate through a much-needed new law on cyber defence, where else to look for guidance but the Hitchhiker's Guide to the Galaxy:

“But the plans were on display…”
“On display? I eventually had to go down to the cellar to find them.”
“That’s the display department.”
“With a flashlight.”
“Ah, well, the lights had probably gone.”
“So had the stairs.”
“But look, you found the notice, didn’t you?”
“Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard’.”

Whilst these proposals are by no means as dramatic as a hyperspace bypass, they do make a meaningful impact - requiring operators of essential services to report incidents within a maximum period, and giving CERT the ability to share and protect information in similar ways to other equivalent bodies internationally, so people feel able to share with us.

Now some consultations can be quite quick and streamlined - done and dusted in a few weeks. And a quick consultation was attractive, as we're on a tight timeline: without this law, we can't properly do the job we've been asked to do. However, the price of rushing things through could be missing out on important improvements and changes, and winning valuable support the hard way. After all, this is about improving our resilience together.

So we spoke to our colleagues in Government Policy and were pleased to find that they agreed with us. Hiding the proposals behind an abandoned toilet was never really on the shortlist, and they were (of course) published on the gov.je website shortly before Christmas. A short consultation period was discounted, and a month-long window allowed for comment. Rather than quietly leaving the consultation to gather dust, we've actively promoted it in local media and online. We've also chosen to consult now on what's called 'drafting instructions' rather than on the legal wording, so we get input before it's written, not after. And finally, we've elected to run a series of workshops for the public and interest groups to find out more and share their thoughts with Government directly.

It's a lot more work than anyone asked us to do, and I know there's not really a lot of optionality in many areas if we want to be effective. However, we'll be there with a notepad, because to be sure we're getting it right for Jersey, we have to be sure we're listening to Jersey.

We hope you agree this is important and come along to learn more.

Regards,
Matt

PS. As a result of Revue shutting down we will be moving our newsletter in January. If you have whitelisted the email to make sure it gets through you may need to do so again, and any unsubscribes processed during transition may need to be resubmitted. Thanks for understanding.

PPS. Missed the bit about patching, 2FA and hardening? It must have been a late night welcoming in the new year - feel free to read this as many times as you like, or send it to a colleague or family member to read for you :-)

PPPS. All your systems patched within 14 days? Go right ahead and find useful info, global insights, and lots of local cyber jobs and events below.

Proposed cyber law consultation launched

Government of Jersey is seeking your views on planned changes to the Cyber Emergency Response Team for Jersey (CERT.JE).

This proposes new legislation to ensure that Jersey can effectively prepare for, defend against and respond to cyber attacks.

The proposed changes include:

  • changing the Cyber Emergency Response Team’s name to The Cyber Security Centre for Jersey to better reflect its role and responsibilities.

  • moving it from operating on an interim basis within the Department for the Economy, and funded as part of the Government Plan, to being an independent grant funded advisory and emergency response body to operate at arm’s length from regulators, law enforcement and Government.

  • providing a clear legal basis for its activities and to ensure access to the right information at the right time.

  • providing for Operators of Essential Services to notify cyber security incidents within 48 hours.

You can review the proposals and provide your feedback online, or you can come along to one of a series of events we've organised alongside Government to learn more, hear from others, and share your view.

The following briefings are to be held at CERT.JE:

  • for Critical National Infrastructure providers (CNIs) and Operators of an Essential Service (OESs) - Monday 9 January 2023 - 12pm to 1:30pm

  • for the public - Tuesday 10 January 2023 - 12pm to 1:30pm

  • for the public - Tuesday 10 January 2023 - 5pm to 6.30pm

  • for the Channel Islands Information Security Forum (CIISF) and cyber security professionals - Wednesday 11 January 2023 - 12pm to 1:30pm

  • for Information Technology and cyber security service providers - Thursday 12 January 2023 - 12pm to 1:30pm

  • for the Cyber Security Task Force (CSTF) - Friday 13 January 2023 - 12pm to 1:30pm

Threats and vulnerabilities

This past month CERT.JE have advised of threats and vulnerabilities that might affect islanders. This includes the need to take care when contributing money to fundraising appeals.

After the tragic incidents in Jersey in December, malicious actors have targeted individuals with scams posing as local banks. We advise everyone to take time to remind themselves of the warning signs below.

Cyber insight from around the web

Help us!

Are you a cyber security professional?

Please help and send us a short clip of yourself so that we can show as many varied careers in our industry as possible.

To raise awareness of the exciting careers possible in cyber security we need video content that can be used repeatedly in schools. The first batch of these short videos will be played as a series in either computing and career lessons or assemblies.

The minimum to include is:

  • What do you do (day to day tasks)

  • Why you like it

  • Any qualifications (if needed)

  • Skills that make a difference

  • What subjects you/your team enjoyed (the more diverse the better)

  • Next steps to get started on their journey

Try to make the video short and not just sat at your desk. Multiple short videos can be used if you have lots to say.

For further tips Digital Jersey's Rory Steel has you covered in this short video - https://www.youtube.com/watch?v=eZ7SfwqxCDw

To upload a video, please place it in this folder: Cyber Security Video Uploads

Resources

Upcoming Events

Local: Briefings on proposed cyber defence legislation at CERT.JE - 9th, 10th, 11th, 12th & 13th January

As detailed above CERT.JE will hold meetings to brief various stakeholders on the proposed new law and receive feedback.

All meetings will take place at the CERT.JE Operations Centre, 1 Seaton Place, St Helier. You need to book your place at the meetings using the link above. If you’re unable to attend in person we can send you a link to MS Teams.

CERT.JE will be screening the National Cyber Security Centre and Charity Digital’s Cyber session. You can watch the livestream on Teams with a link provided, or come along to CERT.JE.

This comprehensive session aims to help charities of all shapes and sizes bolster their defences and protect themselves.

Attendees can expect to learn:

  • Types of cyber attack

  • How to prevent and react to cyber attacks

  • Cost-effective tools charities can use to help

Local: JT Business Health Check with JT Enterprise - 31st January

Business health checks are essential for understanding your company vulnerabilities and identifying opportunities and areas for growth.

JT invite you to join them for an informal Business Health Check workshop to assess your current business setup, including an opportunity to discuss your cyber security.

Jobs

Coming soon at CERT.JE

If your interest and expertise is in cyber risk management or industry engagement and you're driven to make a positive difference to our Island, keep an eye out for our final roles with CERT.JE.

Ogier - Senior Technical Analyst (Network & Security)

This is a hands-on technical role, you will need to be passionate about the ever changing environment of infrastructure services, particularly the shift towards Cloud computing, as well as technically expert in one or more key Ogier technologies. As a senior role within the IT Infrastructure Network and Security Team you will architect, implement and maintain highly-available and secure IT infrastructure services across the Group.

Standard Bank International - IT Security Head

Design, develop and deliver the IT Security and Logical Access Strategies for International Client Solutions (ICS), ensuring continuous alignment with SBG Group. A sound general knowledge of Information Technology and Cyber Security methodologies is required, alongside good judgement in relation to business and risk situations, specifically in relation to cyber and information risk.

Jersey Financial Services Commission - Cyber Security Officer

To provide day-to-day assistance to the support of the Cyber Security function within the ICT department.

PwC - Cyber Manager, Risk Assurance Services, Advisory

This career within Financial Markets Business Advisory services, will provide you with the opportunity to contribute to a variety of audit, regulatory, valuation, and financial analyses services to design solutions that address our clients’ complex accounting and financial reporting challenges, as well as their broader business issues.

The Government of Jersey - Technology Operational Risk Manager

The Modernisation and Digital Team are looking for a Technology Operational Risk Manager to join the team of risk and technology professionals who are integral to the successful delivery of key services across the organisation.

The Technology Operational Risk Manager has responsibility for balancing the risk of operational service requirement against security policies to ensure the establishment of an appropriate and effective operational risk management and control framework.

Tool of the month

Fastfinder is a tool to help with incident response. It can be used to find a potentially malicious file at scale across a network.

It also has some nice features such as YARA rule integration plus wildcard searches, and was designed to be used by CSIRTs.

If you’d like to share local resources, jobs or events related to cyber security please do let us know via email to [email protected].