NCSC warns over ‘password spray’ attacks of council cloud services
Move to web-based software increases need for good password management, advises cybersecurity organisation
Credit: PA Images
The National Cyber Security Centre (NCSC) is seeing 'password spray' attacks against local authorities where automated attempts are made to access numerous accounts with common passwords, one of its senior officials told an audience of council IT executives.
Peter W, chief technical officer of NCSC Digital, said that the adoption of cloud computing services can boost security as software is updated and patched centrally by the supplier. But its use amplifies the need for good password management, given staff access systems online.
This means organisations should help staff to use strong passwords, rather than making arbitrary demands for ‘complexity’ such as insisting on the use of both letters and numbers. “You are forcing the user to fight that complexity,” said W, whose surname is not publicly disclosed by the organisation.
In April NCSC, a division of signals intelligence agency GCHQ, published a list of the top 100,000 passwords found through security breaches. Several of the most popular consist of a word followed by ‘1’, which would pass a rule insisting on letters and numbers but are insecure given they are so common. W pointed out that many cloud services have built-in security measures that can help tackle such attacks, but they may need activating.
- What happens during a cyberattack on critical infrastructure?
- Government criticised for ‘failure to coordinate’ on departmental cyber skills training
- Which government department suffers the most data breaches?
NCSC provides Active Cyber Defence services to public-sector organisations which aim to track and resolve common issues actively, mitigate known large-scale problems and fix systemic vulnerabilities in core systems. W said that its Web Check service, which looks for simple misconfigurations in websites, is being used by 97% of local authorities. But he warned that the service should be set to cover all URLs used by organisations rather than just the main ones.
The organisation’s Protective Domain Name System, which blocks public-sector users from visiting websites hosting malicious material, is now used by 222 local authorities, just over half. In the week ending 9 June it handled 2.6bn queries a week, blocking 2.1m attempts to connect to 5,629 malicious domains.
Stressing that most cyberattacks aim to achieve financial gain rather than notoriety, as they are a safer way for criminals to operate than physical action, W said: “Robbing a bank is frankly dangerous. There are guns involved. Someone might get hurt.”
He was speaking at a conference run by digital leaders’ professional network Socitm in Birmingham on 19 June.
Share this page
CONTRIBUTIONS FROM READERS
Please login to post a comment or register for a free account.
Sensitive data was left unsecured in prison holding area, according to data watchdog
Authorities have complained about the lack of time taken to be notified by IT firm and wrongly being told personal data was not put at risk
Role comes with a remit to work with current and former military personnel, as well as officials and commercial suppliers
In the first of a series of exclusive interviews, the head of government’s ‘Digital HQ’ talks to PublicTechnology about the Central Digital and Data Office’s work to unlock £8bn...
Related Sponsored Articles
The traditional reactive approach to cybersecurity, which involves responding to attacks after they have occurred, is no longer sufficient. Murielle Gonzalez reports on a webinar looking at...