JCSC News: Cyber Benchmark survey, and going the last mile

Introduction

Dear reader,

It’s been a busy few months for the team, which is why it’s been a while since our last newsletter.

This is largely because we all were busy organising another successful Cyber Security Awareness Month (and recovering afterwards!) During October, we organised over 20 events attended by 460 people, and planning is already underway for 2024.

Since then, we’ve also been working on other major projects that will have a positive effect on our work.

The development of a Cyber Security Law, which will give us access to more expertise, as well as more independence and accountability. Before the Law is lodged for consideration by the States Assembly later this year, there’ll be a second consultation period. You can expect to hear more about this - and how you can take part - in the coming weeks.

The results of our Jersey Cyber Benchmark survey will give us clear data on the baseline of knowledge across different areas, and where we can provide more support. We’ve had over 100 responses from small businesses, financial services, hospitality and charity organisations. You can find out more below.

Lastly, we are the final stages of developing a new website, which will be live in the next six weeks. While our current website provides some basic information and signposting, the new website will serve as an information repository and knowledge hub for organisations and individuals. You should expect to see more useful content there in the coming months.

As well as these big projects, our day-to-day work carries on. We are still identifying threats, still working with organisations to support their preparations, and still working with colleagues both in Jersey and further afield.

Finally, I’m pleased to say that all of our work has become easier because we now have a full staff team in place. We’ve welcomed two new staff members: Matt D., who joins us as Cyber Risk Officer and Carla, who joins us as Communication and Engagement Officer.

All this means that you can expect to hear more from us over the coming months. So, if you don’t already, please do follow us across our social media channels, and share this email with anyone you think would find it useful.

Regards,

Matt

Matt Palmer, Director

Jersey Cyber Benchmark survey: what does it mean for me?

We launched the Jersey Cyber Benchmark survey in October 2023 to address a lack of knowledge about Jersey’s overall cyber resilience.

While individual organisations may have protective measures and plans in place, we don’t have any clarity on how this varies by sector. We also don’t have the evidence we need to identify specific areas where the Island can improve.

We’ve focused on getting feedback from small businesses, financial services, hospitality and the charity/not-for-profit sectors, although the survey is open to all organisations.

The individual results will remain anonymous, but we will share the findings more broadly. We’ll also use the results to target our work and provide the information and support that organisations need most.

You can expect to see the findings in a future newsletter, but you can also follow our social media channels (X/Twitter, Linked In and Facebook) for the latest updates.

JCSC in the JEP: Digital Day

Did you read the JEP’s free supplement to tie in with Digital Day on 30 January? As well as information from the many different disciplines under the broad heading of “digital,” the supplement also includes reflections from Matt on lessons we can learn from a recent cyber incident.

If you can forgive the use of our old CERT branding in the accompanying photo, the article definitely worth a read! The free edition is still available online.

Going the “last mile” from my living room: practical steps in cyber defence

By James McLaren, Senior Analyst

I’m a big fan of the Hitchhikers’ Guide to the Galaxy, which you could argue predicted Zoom. I may not be able to take an intergalactic cruise in my office like Zarniwoop does in the books, but two weeks ago, I was able to spend a day and a half at a conference in Brussels from the comfort of my own living room.

The Centre for Cyber Security Belgium (CCB) - the body that organised the conference - is recognised as an organisation that others strive to emulate. The conference also coincided with Belgium holding the EU presidency, so it was an opportunity for the hosts to signal that cybersecurity is a topic they take seriously.

Key themes and topics

One of the challenging – but important – themes of the conference was about committing to the “last mile”. The CCB’s Director, Miguel de Bruycker, noted that it isn’t enough for European cybersecurity organisations to develop abstract concepts: they also need to develop concrete mechanisms to combat threats.

For example, CCB produce targeted warnings to businesses that arrive in time to prevent serious malware from having an effect.

They are also able to authenticate Belgian-registered domains: this means that their locally-developed browser plugin can tell a user at a glance if it’s safe to hand personal data over to a website.

What we can learn from this event

These kind of events give us the chance to learn from best practice in the field, and identify what we can replicate here in Jersey.

But given that the focus of much of the conference was on developing practical measures, I’ll leave you with two concrete steps you can take to protect yourself:

• Keep up to date with the latest warnings. And act on them. If you’re reading this newsletter, you’re already halfway there. However, we also share vulnerabilities on our social media accounts as soon as we learn about them. Real-time updates will allow you to act quickly to protect yourself and your organisation.

• Have the right (free) tools to hand. That includes signing up to the JCSC’s Cyber Shield Service. Cyber Shield can help protect you by providing advance warning, vulnerability advisories and active scanning, as well a co-ordinated disclosure programme. You can also make use of the many tools that the National Cyber Security Centre (NCSC) have available. (However, you should be aware that some of these services require you to be an organisation registered in the UK.)

There’s also one final takeaway from me: that I should appreciate remote conference attendance whenever it’s available. I did attend another event this month in-person, but that one came with a 5am alarm!

Recent vulnerabilities

Google Chrome vulnerability

Google have identified three serious vulnerabilities in Chrome. Chrome should automatically update itself to the latest version, which is the version ending .140 for Windows, and .139 for OS and Linux.

If your browser has not automatically updated, you can follow these instructions from Google.

Wordpress vulnerability:
POST SMTP Mailer

Versions of the POST SMTP Mailer plugin prior to 2.8.8 are affected by a vulnerability.

A malicious actor who connects an app to the plugin via its API can gain unauthenticated access to all mail. They can then request a reset of the administrator password, pick up the link, and take control of the site.

If you run a WordPress website and use versions 2.8.8 or earlier of this plugin to send mail, you should talk to your IT support team and ask them to update it as soon as possible.

Ivanti vulnerability:
Ivanti Pulse Connect, Connect Secure or Policy Secure

There are two significant vulnerabilities in Ivanti Pulse Connect, Connect Secure or Policy Secure which affect users in Jersey. When used together, these two vulnerabilities allow malicious actors to get access and remotely interfere with operations.

All versions of these products are affected. Ivanti are working on patches, which should be available from February. However, there is a mitigation your IT team can put in place in the meantime. You can find out more details on this mitigation via the Ivanti website.

SSH vulnerability:
CVE-2023-48795

This vulnerability affects a wide range of systems that allow users to make a Secure Shell Handshake (SSH) connection.

This type of connection is secured through cryptographic algorithms. However, one of these algorithms doesn’t disconnect properly. This allows malicious actors the means to launch an attack.

There are over 40 systems that are affected by this attack and not all of them may be immediately obvious. For more on how this works, what to do, and why this attack is know as a ‘Terrapin’ attack, read the blog by Senior Analyist, James McLaren.

Jobs in Cyber

Security Solution Architect
JTGlobal

This role would suit someone with a degree or equivalent experience in Computing, IT or Cyber Security.

Cyber Manager, Risk Assurance Services, Advisory
PWC Jersey

This role would suit someone with a desire to work as part of a team to solve complex problems to support clients.

Professional Services Engineer - Network and Security
Sure

This role would suit someone with experience of supporting Cisco networking solutions, and a record of customer care.

Learning & Tools of the month

Github - Chainsaw

A tool to quickly identify threats, especially useful where an End Point Detection (EDR) solution isn’t installed.

Github - Yamato Security

Provides free open-source Digital Forensics and Incident Response tools.