JCSC News: Awards, data scraping, and crime-solving washing machines

Find out more about the promise - and limitations - of open source and AI solutions

Introduction from Matt Palmer, JCSC Director

Dear reader,

After the last few months, you may be expecting another update on the draft Cyber Law (Jersey) consultation. But you would be mistaken. The consultation has now closed, and after holding briefings for more than 90 people, we’ve had 40+ responses. All of this feedback will be worked through over the coming months, but expect an updated draft of the Law later this year.

Aside from that, it has been an eventful month. We’ve seen several high-profile vulnerabilities emerge, and several attacks on Jersey’s financial and legal sector. We’ve been supporting organisations to respond, and spreading awareness.

These events have demonstrated how vital it is that we each remain alive to the risks to our organisations. It also demonstrates that, in a world where many of us source technology solutions globally, we simply can’t assume that being in Jersey means we won’t be affected by these issues. The Palo Alto VPN vulnerability discussed in this newsletter is in a product managed by a California-based supplier, but it has still affected Jersey organisations.

As ever, we are here to offer support and advice. To get in contact, call us on 01534 500 050, email [email protected], or visit our Operations Centre at 1 Seaton Place, Monday to Friday between 9am and 5pm.

You can also follow us on Facebook, LinkedIn, X (formerly Twitter), and Instagram.

Regards,

Matt

PS. Please do share this newsletter; the more people we reach the better we can protect the island, and the quicker we can let you know when things happen. If you’ve received this from someone else, you can sign up here.

We’re winners! The Digital Jersey Tech Awards

We are thrilled to share that we have won the Cybersecurity Award at the 6th Digital Jersey Tech Awards, for our work on Cyber Security Awareness Month 2023. We were particularly proud to be nominated alongside our delivery partners Soteria Communications and Channel Islands Information Security Forum, reflecting our commitment to working with and supporting Jersey’s voluntary and commercial sectors. This was only possible because we all worked together. We’d like to thank everyone who supported this work.

Running events during Cyber Security Awareness Month allows us to reach hundreds of people and help them understand the cyber security risks they face, and how they can respond.

While we’re running more events throughout the year, Cyber Security Awareness Month will continue to be the focal point. Preparation is already underway for this October.

We were in a category with stiff competition: congratulations to SystemLabs and Defence Logic on your well-deserved nominations. It’s great to see Jersey’s cyber security sector going from strength to strength.

What is cybersecurity?

Over on LinkedIn, JCSC Director Matt Palmer cuts through the jargon to understand what we actually mean when we talk about cyber security.

Cyber security is often conflated with the term confidentiality, but that is not correct. Traditionally, professionals tend to define it as being about confidentiality, integrity and availability (known as the CIA triad), but that's not quite right either. So what is it?

In the process of advising on our new cyber security legislation, I've had to stop and reflect on what cyber security really is, and how we can explain it in simple but clear terms: putting to one side the semantic discussions about terminology that professionals often love to have, and focussing instead on what cyber security really means in practice.

Essentially there are five elements to consider: Confidentiality, Integrity, Availability, Authenticity and Non-repudiation (these are often called the pillars of information assurance).

The two additional terms are authenticity and non-repudiation: Authenticity means knowing who did something; non-repudiation means being able to prove it. They are not quite the same: I know my son broke my office window because he was the only one who plays football in the garden; I can prove it because his sister saw him kick the ball.

Free event: using open source data

Tuesday, April 30 · 5 - 7pm, JCSC Operations Centre

Does your organisation use open source solutions?

Open source is often promoted as a flexible and cost-effective solution for companies. In this talk, Dave Cartwright (CIISF Chair) will ask: how many companies actually use open source solutions? Is open source a genuine alternative to proprietary applications?

The talk will also explore how we can ensure that any open source solutions we do use are properly managed, patched, and secure.

You can attend this event in person at our Operations Centre at 1 Seaton Place, or via Zoom. You only need to book a ticket if you want to attend in person.

Vulnerability: GlobalProtect VPN

If you use Palo Alto’s GlobalProtect VPN, you should be aware of this vulnerability (CVE-2024-3400) and take steps to act.

This vulnerability gives malicious actors a way into your network with no credentials. They can use their access to take control of your equipment, or move through your network to steal data or system information.

Palo Alto have released a hotfix which will patch the vulnerability to stop anyone new from getting in. However, this hotfix won’t remove any malicious actors from the system if they’re already in.

If you’ve established that someone is already inside your network, you need to get professional support to investigate it.

Data scraping and washing machines: AI for Good

Stephanie Luce, Head of Legal and Governance at JCSC, and Chair of the Islands Information Governance Forum, reflects on the recent AI for Good event.

AI is by no means a new topic, but has been discussed more widely since 2022, when ChatGPT, Midjourney, Stable Diffusion and other tools launched.

This event was a good opportunity to explore the data privacy implications that are often missed in the public conversations about AI. Brent Homan (Data Protection Commissioner for Guernsey) noted that even though tools like Alexa, Siri, and ChatGPT are more advanced, they are still Artificial Narrow Intelligence: tools that can review a defined data set and repeat what they find.

But we are still a long way away from Artificial General Intelligence: systems that can apply reasoning and research to solve complex problems. (This is the AI of science fiction, like Johnny 5 in Short Circuit or HAL in 2001: A Space Odyssey.)

Because we are still creating Artificial Narrow Intelligence tools, they need to be trained on data, and this has data privacy implications for all of us. These range from mass-scraping of data from social media without users’ consent to how tools trained in facial recognition on predominantly white faces are inappropriately used to monitor and prosecute people of other ethnicities.

What was very clear was that good governance and ethics must be considered before it’s too late: the benefits of AI will only be realised if we have good quality, unbiased datasets.

But perhaps it’s not all doom and gloom if we do it properly. David Carney, Brent Homan, Professor Sarah Morris (University of Southampton) and Stephen Green (Threat Intelligence Lead at Thomas Murray) gave some excellent examples of how AI can be used for good.

Stephen Green gave a thorough breakdown of how AI can support every stage of cyber security.

And Professor Sarah Morris shared ways that AI tools can also be used in digital forensics to support the justice system, in sometimes unexpected ways. She helped convict a suspect who claimed they were innocent because they were at home using their phone to control their smart washing machine.

By boarding the data chip and analysing the washing machine’s language, Professor Morris showed that the phone was used to turn on the washing machine, but from right next to the crime scene! Placing the suspect in the area helped to secure their conviction.

As the conversation around AI continues, this event was an excellent chance to think through some of the implications, good and bad.

Jobs in Cyber

Digital Degree apprenticeship
PwC

This apprenticeship would suit a career changer or school leaver looking to gain a BSc (Hons) in Digital and Technology Solutions alongside working.

Risk Assurance Services, Experienced Associate
PwC

You will have an active interest in one or more of the areas of: Data and Analytics; IT Audit; Process and Controls Assurance; and Cyber Security. You will also have a good general understanding of technology/ERP systems.

Cyber Manager, Risk Assurance Services
PwC

As a Manager, you'll work as part of a team of problem solvers, helping to solve complex business issues from strategy to execution.

Senior Network Consultant
System Labs

This client-facing role would suit someone with network engineering experience and knowledge of Microsoft Azure Services, Cisco, Fortinet, and Aruba.

Service Operations Technicians
BDO C5

These roles would suit someone with customer-service experience and knowledge of Microsoft Products.

Learning and Tools of the month

Master Windows forensics artefacts

This guide provides information about the Windows forensics artefacts you can use as part of an investigation, and how to interpret the results. Find out more here.

Atomic Red Team

This tool can be used to test the effectiveness of your logging of Windows systems in your Security Information and Event Management (SIEM) solution. You should also make sure that your logging is set up correctly. Find out more here.