What is the correlation between internet facing security and breaches?
Good job NCSC


This is a really interesting question and one that we have researched and studied in depth over the last two years. Our findings have seen us assist the FBI after we discovered a Korean DNS in the central voting system, present reports to the Senate Intelligence Committee regarding the SolarWinds breach following their domain hijacking, and help numerous companies improve their perimeter and overall security posture. It has culminated in CWE Mitre acknowledging and recognising our findings and addressing them. In case you are unaware, CWE Mitre is supported and backed by the US Department of Homeland Security and acknowledged as a thought leader in global security. We are hopeful that a new CWE listing will be created on the back of our work and accredited accordingly, with the adoption of our internet security gold standard.

In this article I want to address the clear, unequivocal correlation between a lack of basic internet security and breaches: why certain governments are reluctant to adopt and share such intelligence and the vastly improved security it brings, and what good, and bad, really look like as a snapshot.

Let's take the top screenshot, of the NCSC. We all know the NCSC is part of GCHQ and that the UK's, indeed the world's, security is its core function. It is pleasing, then, to see its internet-facing domains rated with a very respectable B+ and a score of 80/100. The one thing that would give the NCSC a perfect rating of A+ and 100/100 would be a valid Content Security Policy (CSP). Even so, this rating is certainly a very good one.

[Screenshot, no alt text provided]

The above, the Harris Federation, a group of numerous colleges, was breached on 23rd March 2021 in a ransomware attack that left systems locked and data exfiltrated until a ransom payment is made. In a statement last week the NCSC said the education sector was witnessing many more such attacks and informed the DfE and colleges of the danger. Interestingly, the warnings and information came a full six months after we had alerted the AOC, JISC and the DfE. A copy of a letter to the UK Minister for Education, The Rt Hon Gavin Williamson, was cc'd to the NCSC several weeks ago.

[Screenshot, no alt text provided]
[Screenshot, no alt text provided]

In January 2020 easyJet suffered a major breach and called in the NCSC, along with a major cyber security firm, to assist. It was not until several weeks later, in the spring, that easyJet announced the breach, at which point we became very interested and researched the organisation's internet-facing security. What we found, several weeks post-breach, was a systemic plethora of insecure domains due to invalid SSL/TLS digital certificates, with a raft of CVEs and dozens of easily exploitable positions. It was like a car crash in slow motion, and yet, as the screenshot above shows, easyJet has retained its incredibly poor F rating and score of 0/100. Put simply, like the Harris Federation above, their security could not be worse.

[Screenshot, no alt text provided]

Scott Morrison, Australia's Prime Minister, has been very vocal of late, accusing predominantly the Chinese of continuous cyber attacks. Last weekend the Australian government was literally shut down by a cyber attack at the very heart of Australia's government, which has caused major disruption and chaos. We have been in conversation with the Australian government via their Department of Defence, to whom the government initially passed us over six months ago. We have provided case after case, and the DOD totally agreed with our research and findings. After we alerted the DOD that they themselves had fallen foul of internet insecurity, their head of cyber finally said they could only advise, not enforce. The reason Australia is being bombarded and successfully hit with cyber attacks is, as the screenshot above shows, that they dropped their guard and are totally insecure.

[Screenshot, no alt text provided]

I could literally share hundreds of other organisations that have been breached and that have the same or very similar ratings of F and scores of 0. I will leave you with SolarWinds' current rating of F and score of 0 as an example of exactly where you do not want to be. In other words, still woefully vulnerable and totally exposed.

[Screenshot, no alt text provided]

Why might the NCSC and other intelligence communities want to dismiss the blatant, obvious correlation between negligent, lacking internet security and breaches, even when called in to assist companies such as easyJet, BA, Travelex, the Harris Federation, the DfE and hundreds more? If I were taking any advice, pre or post breach, with such intelligence available, I would personally ask my team to ensure security with a rating and score like the NCSC's as opposed to one of the breached entities above. Why might the NCSC not educate these and every other company? What might the motive be?

To conclude, and although I know it is the 1st of April, this is certainly no joking matter. As long as insecure websites rely on invalid or expired SSL/TLS certificates, or have fundamental and easily exploited vulnerabilities and weaknesses, successful cyber attacks will continue to increase exponentially. As the Australian DOD said, we cannot enforce, we can only advise. How much advice companies and boards require, pre and post breach, is entirely up to them. I know there is a much easier, simpler and more cost-effective method ...
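The two basics this article keeps returning to, a valid SSL/TLS certificate and a Content Security Policy, are both observable from outside and can be self-checked. The following is an added example, not the author's code and not the rating tool behind the screenshots (whose scoring is not reproduced); the hostnames, dates and headers are constructed, shaped like Python's `ssl.SSLSocket.getpeercert()` output and HTTP response headers.

```python
# Added example, not from the article: a self-check for the two perimeter basics it names,
# a valid TLS certificate and a Content-Security-Policy, over constructed inputs shaped like
# ssl.SSLSocket.getpeercert() output and HTTP response headers.
import ssl
from datetime import datetime, timedelta, timezone

def _utc(cert_time):
    """Convert an OpenSSL time string such as 'Jan  1 00:00:00 2022 GMT' to aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def _covers(san_name, hostname):
    """True if a DNS SAN covers hostname; a leading '*.' matches exactly one label."""
    san_name, hostname = san_name.lower(), hostname.lower()
    if san_name.startswith("*."):
        return hostname.split(".", 1)[1:] == [san_name[2:]]
    return san_name == hostname

def certificate_findings(cert, hostname, now):
    """List what is wrong with a getpeercert()-style dict for hostname at time now."""
    findings = []
    not_after = _utc(cert["notAfter"])
    if not_after <= now:
        findings.append("certificate expired on " + not_after.date().isoformat())
    elif not_after - now < timedelta(days=30):
        findings.append("certificate expires within 30 days")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_covers(name, hostname) for name in sans):
        findings.append("hostname " + hostname + " not covered by certificate SANs")
    return findings

def header_findings(headers):
    """List CSP problems in response headers; header names compare case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is None:
        return ["missing Content-Security-Policy"]
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        return ["Content-Security-Policy permits unsafe-inline or unsafe-eval"]
    return []

# Constructed sample data: a well-configured site and a neglected one, as of the article's date.
NOW = datetime(2021, 4, 1, tzinfo=timezone.utc)
GOOD_CERT = {"notBefore": "Jan  1 00:00:00 2021 GMT", "notAfter": "Jan  1 00:00:00 2022 GMT",
             "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}
EXPIRED_CERT = {"notBefore": "Jan  1 00:00:00 2019 GMT", "notAfter": "Jan  1 00:00:00 2020 GMT",
                "subjectAltName": (("DNS", "old.example.org"),)}
GOOD_HEADERS = {"Content-Security-Policy": "default-src 'self'"}
BAD_HEADERS = {"Server": "nginx"}
```

Against a live host, the certificate dict comes from `ssl.SSLSocket.getpeercert()` and the headers from the HTTP response; an empty findings list from both functions is the minimum the article argues every internet-facing domain should meet.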

David Eric J.

Helping company and division leaders who struggle with persistent underperformance to optimize operations for sustained growth or sale of their business, without crazy stress and disruption | Provisor

3 years

Well written article!!!

Paul Mattiuzzo

Strategic Director @ McR Defence | Cyber Security Risk | Until Ukraine wins this war, my posts reflect my personal views.

3 years

Andy, another great article about some very good work from your team. This work with CWE Mitre is also a credit to you, your team and organisation. I would like to see a name-and-shame league table for organisations who are not doing the right things security-wise to protect their customers, so customers can make an informed decision on whether to use that company or not. Security is a balancing act of cost against loss, so not everyone needs to be high, but I would assume everyone needs to be in the 60 to 70 bracket, with many being in and around the 80+ bracket.

Susan Brown

Founder & Chairwoman at AssetChain | Pioneering Tokenised AI Wallets | Gasless AI-Powered Transactions for Institutional Finance

3 years

80 out of 100? I know on the last test done on Zortrex we sat at 98%, most probably 100% now :-). This is why I keep on saying a non-secured site with a padlock is insecure; even with the secured padlock, how secure is it in reality? NCSC sitting at 80%, I would have thought 100%.

More articles by Andy Jenkinson
