NCSC warns over ‘password spray’ attacks of council cloud services

Written by PublicTechnology staff on 24 June 2019 in News

Move to web-based software increases need for good password management, advises cybersecurity organisation


The National Cyber Security Centre (NCSC) is seeing 'password spray' attacks against local authorities, in which automated attempts are made to access numerous accounts with common passwords, one of its senior officials told an audience of council IT executives.

Peter W, chief technical officer of NCSC Digital, said that the adoption of cloud computing services can boost security, as software is updated and patched centrally by the supplier. But their use amplifies the need for good password management, given that staff access systems online.

This means organisations should help staff to use strong passwords, rather than making arbitrary demands for ‘complexity’ such as insisting on the use of both letters and numbers. “You are forcing the user to fight that complexity,” said W, whose surname is not publicly disclosed by the organisation.

In April NCSC, a division of signals intelligence agency GCHQ, published a list of the top 100,000 passwords found through security breaches. Several of the most popular consist of a word followed by ‘1’, which would pass a rule insisting on letters and numbers but are insecure given they are so common. W pointed out that many cloud services have built-in security measures that can help tackle such attacks, but they may need activating.
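A password spray leaves a recognisable shape in sign-in logs: one source failing against many different accounts, with only a try or two per account. The sketch below is an added example, not NCSC or vendor code; the log tuple layout, thresholds, addresses and account names are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed sign-ins (timestamp, source IP, account); not real data.
SAMPLE_FAILURES = (
    # One source, six accounts, one attempt each: the spray pattern.
    [(f"2019-06-10T09:{m:02d}:00", "203.0.113.7", f"user{m}@council.example")
     for m in range(0, 12, 2)]
    # One source hammering a single account: brute force, not a spray.
    + [(f"2019-06-10T09:00:{s:02d}", "198.51.100.9", "admin@council.example")
       for s in range(8)]
    # A member of staff mistyping their own password twice.
    + [("2019-06-10T09:05:00", "192.0.2.44", "j.smith@council.example")] * 2
)


def find_password_spray(failures, window=timedelta(minutes=30),
                        min_accounts=5, max_per_account=2):
    """Return {source_ip: accounts} for sources whose failures, inside one
    sliding window, cover many distinct accounts with few tries on each."""
    by_source = defaultdict(list)
    for ts, ip, account in failures:
        by_source[ip].append((datetime.fromisoformat(ts), account))

    flagged = {}
    for ip, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge so the window never exceeds `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            tries = Counter(acct for _, acct in events[start:end + 1])
            if len(tries) >= min_accounts and max(tries.values()) <= max_per_account:
                flagged[ip] = sorted(tries)  # keep the latest matching window
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_password_spray(SAMPLE_FAILURES).items():
        print(f"possible spray from {ip}: {len(accounts)} accounts targeted")
```

Per-account lockout counters miss this pattern because no single account sees many failures, which is why the grouping is by source rather than by account.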




NCSC provides Active Cyber Defence services to public-sector organisations which aim to track and resolve common issues actively, mitigate known large-scale problems and fix systemic vulnerabilities in core systems. W said that its Web Check service, which looks for simple misconfigurations in websites, is being used by 97% of local authorities. But he warned that the service should be set to cover all URLs used by organisations rather than just the main ones.

The organisation’s Protective Domain Name System, which blocks public-sector users from visiting websites hosting malicious material, is now used by 222 local authorities, just over half. In the week ending 9 June it handled 2.6bn queries, blocking 2.1m attempts to connect to 5,629 malicious domains.

Stressing that most cyberattacks aim to achieve financial gain rather than notoriety, as they are a safer way for criminals to operate than physical action, W said: “Robbing a bank is frankly dangerous. There are guns involved. Someone might get hurt.”

He was speaking at a conference run by digital leaders’ professional network Socitm in Birmingham on 19 June.
