JCSC News: NFC relaying, ransomware 101, and cyber jobs aplenty

Dear all,

You may have read in recent days about attacks on retailers in the UK, and of course about the continuing geopolitical tensions that drive concerns about cyber attacks. We’ve also seen power outages in Europe that were not cyber-related. Despite this, it was interesting how quickly media and others jumped to cyber as a possible explanation.

Cyber is not the first cause we would consider for something like this - it is much more likely to be something else, as indeed it was. Portuguese Prime Minister Pedro Sanchez made a good point in the aftermath: “We must not rush to (conclusions) and (commit) errors through haste.”

You may also be reassured to know that Jersey’s Emergency Planning team works constantly to ensure we have an Island-wide understanding of these risks. We’re currently working with the team and colleagues across Government to develop shared protocols for cyber incident response.

It’s important to put all the headlines in a local cyber context too: while cyber continues to be a key risk, the volumes of cyber incidents being reported to us in Jersey at the moment are consistent with recent quarters. In addition, many of those incidents could be avoided through basic cyber hygiene, most notably rapid patching and use of two-factor authentication (also called two-step verification).

Once you’ve got these actions in hand (and very few really do!), there’s still a lot you can do to reduce your risk through good configuration management. We’ve recently reviewed our own IT configuration against Microsoft’s Secure Score, and listed out actions we want to take to improve it. There are lots of other tools out there too - choose one that is right for you and see what you can improve.

A lot of these steps cost nothing but a little time, and can have a much bigger impact on risk than many large and costly cyber projects. Cyber is the plumbing on which our organisations rely: done well, it’s not meant to be exciting!

To prove the point, consider Cyber Essentials. Doing Cyber Essentials can reduce the risk of a cyber claim by more than 90%, just by taking simple steps that are designed with small organisations in mind. That’s why both the UK and Jersey Governments expect it from their suppliers. You can find someone to help you with Cyber Essentials here.

To make sure we can give you the right advice, we work hard to stay up to date with emerging issues and methods organisations can take to protect themselves - you will see an update from Paul Dutot’s recent technical conference below. And if you’re going to NCSC’s CyberUK next week let me know: I will be there, and giving a short update on what we are doing here in Jersey.

With the news that the Cyber Security Law is being progressed, we are working with our colleagues in the Department of the Economy to prepare a full programme of engagement, consultation and guidance, with the aim of lodging the Law later this year. We’ll be sharing details shortly, so keep your eyes peeled.

Finally, our Operations Centre will be closed for the two Bank Holidays next week on Monday 5 May and Friday 9 May (Liberation Day). But you can still contact us on +44 (0)1534 500 050 or by emailing [email protected].

Until next month,

Matt

PS. The emerging interest from the retail sector attacks is around the request by the Coop for staff to turn their cameras on in remote meetings. That is of course good meeting etiquette anyway, and yes it may be helpful if you think you may have an impostor. To be clear though, remote working arrangements and WFH do not inherently make organisations less secure: rather it is important to have the right controls for the way you work. Underneath the headlines, many of these attacks actually come back to the same housekeeping issues I’ve highlighted above: patching, 2SV, and good configuration management. Dull but worthy - that’s where the real action is.

Long-distance contactless payment details: notes from FIRST

Paul Dutot, Head of Cyber Defence

At the end of March, I attended the Amsterdam FIRST Technical Colloquium. These colloquia give a mix of training and lectures, and are aimed at techie people like me who want to dive deep into the latest threats, vulnerabilities and tools.   

The first training day focused on how and why JCSC can safely access the dark web to find information about emerging threats. Being able to use this information will allow JCSC to protect both individuals and businesses in Jersey before and after a cyber security incident.

A highlight of the second day was a talk on a Chinese threat actor known as “Pepsi Dog.” They have taken a theoretical attack known as NFC Relaying and demonstrated that it can be done in real life. NFC Relaying allows attackers to relay contactless payment details anywhere in the world, usually through malware. Previously, this attack required attackers to be close to a person, with access to specialist hardware, while the victim was making a payment.

Currently, Chinese and Russian hacking forums are selling tools to enable bad guys to carry out this attack. Understanding these new trends in attacker behaviour allows JCSC to protect Jersey and inform partners such as the Jersey Fraud Prevention Forum.

Another presentation was about the current attack trends against Microsoft cloud systems. It was interesting to see the correlation between attacks in South America and Jersey. This will provide valuable insight for my team as we help Islanders and businesses recover from these attacks. Furthermore, a forensic tool was showcased to help impacted organisations understand what occurred.

These are just three highlights. Overall, there were sixteen lectures over two days plus a training day. 

Upcoming events

Monday 12 May: Lunch and Learn for Financial Services

Places are still available on our next Lunch and Learn session, on Monday 12 May at 12.00. Join us in person at 1 Seaton Place (or via Teams) for a whistle stop tour of how you can improve your cyber security. You don’t need to have any prior knowledge to attend, but you do need to book a place.

CIISF Event: Jersey’s Cyber Policy Framework

The Government of Jersey is updating the 2017 Cyber Security Strategy, and is asking members of the Channel Island Information Security Forum (CIISF) for their views.

You can join the roundtable discussion on Tuesday 13 May at 1pm (location to be confirmed). Attendance is free, but you should book a place.

Jersey Fraud Prevention Forum at Jersey Library

We’re partnering with other members of the Jersey Fraud Prevention Forum to run a series of monthly drop-in sessions at Jersey Library. Cyber crime and fraud are closely linked, and it’s vital we work with other members of the Forum to help protect the public.

We’ll be at Jersey Library on Wednesday 28 May (11:30am - 1:30pm) with JT and Citizens’ Advice Jersey.

There’s no need to book, simply drop into the Library and say hello to one of the team.

In the meantime, if your organisation could benefit from a bespoke talk or workshop from us, you can contact us via [email protected] to request one.

Cybersecurity in the news

Marks and Spencer confirm cybersecurity attack

Marks and Spencer’s recent cybersecurity attack is still affecting customers in Jersey, the UK and further afield. But it’s also a textbook example of ransomware attackers’ approach: breach, remain quiet, work laterally, and then launch the attack.

Iberian power outage demonstrates the value of communications

Power may have been restored in Portugal and Spain after widespread power outages earlier this week, but the investigation into the cause is ongoing, as is the speculation around it.

After CERT.PT said there was no indication this was a cyber incident, Portuguese energy company REN attributed the incident to an atmospheric event. They then went on to deny making a statement.

Whether or not the power outage was a cyber incident, the situation demonstrates the value of joined-up communication.

Jobs in Cyber

Senior Security Consultant - Prosperity 24/7

This role would suit someone with a strong technical background in cyber security, experience of consulting, and a relevant degree.

Head of Information Security - Clarity Limited

This role would suit someone with strong commercial experience, as well as extensive knowledge and experience of managing a team.

Cyber Security Consultant - Clarity Limited

This client-facing role would suit someone with a technical background, and at least 3-5 years’ experience working in cyber security roles.

Information Security Consultant - Resolution IT

This client-facing role would suit someone with commercial acumen, and an understanding of regulations, including GDPR, GFSC, Cyber Essentials and ISO27001.

Cyber Security Analyst/Engineer - Enso Solutions

This role would suit someone with relevant qualifications, and a minimum of 2 years’ experience in the field.

Are you recruiting for a cyber role locally? Tell us at [email protected] and we’ll share your job listing with the community.

Learning and Tools of the month

Each month, we provide a round-up of tools that our team have found useful, and which could be useful to cyber security professionals. If you’ve found a helpful tool you’d like to share, please email us and we’ll include it in a future newsletter.

LOL Drivers: a list of vulnerable and malicious Windows drivers

Living off the Land (LOL) Drivers brings together a list of drivers that attackers can use to bypass your security controls.

Attack Flow

A tool that helps cyber security defenders understand how attackers roll together different techniques to execute attacks.