The arrival of war in Europe has both a professional and personal resonance for the head of Jersey’s key cybersecurity body.
Cyber Emergency Response Team Director Matt Palmer, whose wife is from Ukraine, wants the local community to ensure that both their support for Jersey’s Ukrainian community and their cybersecurity protocols are robust.
He says that Jersey businesses “don’t need to panic” about an attack at the moment, but, with the risk of future attacks rapidly increasing, they should take the time to ensure they are protected if and when one does hit.
“Whilst there are cyber attacks taking place in Ukraine and there is a raised level of risk, at the moment we don’t see evidence of attacks being carried out on the UK or Jersey,” he told Express.
“…What is true is that these types of attacks are increasingly part of the playbook for nation states such as Russia. They are going to be a part of our reality.
“…We don’t want anyone to panic, what we do want is for people to be prepared.”
The types of attacks that can be expected range from hacking to denial of service.
Our thoughts are with cyber defenders in Ukraine today as attacks continue on Ukrainian technology infrastructure. We continue to advise local firms to ensure systems are patched for security vulnerabilities and to follow essential housekeeping advice from @NCSC and @CERTJersey.
— CERT.JE (@CERTJersey) February 24, 2022
Increasingly common, according to Mr Palmer, are “hybrid” attacks where a misinformation campaign runs alongside the attack - such as a falsified text message from a bank or other 'trusted' entity.
Areas most likely to be targeted in any attack would be critical infrastructure, ranging from Government departments to telecoms, electricity, gas, water, and even the Ports.
CERT ran a table-top ‘simulation’ exercise of an attack to check how well the island’s key bodies would be able to respond to a politically-motivated attack.
While there were learnings and improvements to be taken away, it showed such services were generally in good health.
“Financial services are also known to have a raised risk profile,” Mr Palmer added, “but they’re often the most mature in terms of their controls.”
However, it’s not just public sector bodies and financial services firms that should take the opportunity to protect themselves.
He continued: “[Cybersecurity] is something that everyone should do something about. Whether small businesses or charities or large organisations, there are steps you can take.”
Mr Palmer explained that there are many things that can be done “relatively quickly” that can help, such as “ensuring systems are regularly patched and up to date”, which “does not require investment in new systems and capabilities.”
Even simpler, and free, is ensuring that systems are protected by two-factor authentication - a type of security where two steps are taken to verify a user’s identity, rather than asking for a single piece of information like a password.
For any businesses in need of support, there is “plenty of local expertise on-island” and Mr Palmer says CERT can help too.
Mr Palmer isn’t just having to keep an eye on the escalating Ukrainian situation on a professional level, however.
“This conflict is not far away from me, it affects me in my home, and the people I care about.”
His wife, Mariya, is from Kyiv.
Her sister, Olya, still resides in the city - where military aircraft are now flying overhead and citizens are now bracing for an offensive with reports that Russian forces have penetrated a northern suburb of the city.
My thoughts are with family and friends in #Ukraine today. Time to stop appeasing Russian military aggression and stand up for a country we committed to defend, and that stands for an open and democratic Europe. Time to fight fear with bravery and conviction. Step up, world.
— Matt Palmer (@signalfish) February 24, 2022
The scene Mr Palmer said she described yesterday was one of “very quiet streets” as people attempted to flee the city, but also of a quiet determination on behalf of many.
“Ukrainians are exceptionally resilient. They have said on numerous occasions they want to be a western-focused democracy. They care deeply about their country and intend to defend their country,” Mr Palmer said.
Just last week, Mr Palmer’s family were due to pay a visit to the country, but cancelled the trip amid strong warnings from the Foreign Office as Russia’s invasion loomed.
Now, they are looking at ways of bringing Olya to safety, potentially in Jersey.
The couple's children are aged nine and 12 - old enough to be aware of what is unfolding in their mother's country, Mr Palmer says.
One message he wants to press - both to them and the wider island community - is of understanding and solidarity.
“One of the things that’s really important to remember is that disputes like this are political disputes - disputes between countries or leaders,” he said.
“At the moment, these are actions that are being taken by the Russian Government and the President, not actions that are being taken by the Russian people.
“That’s one of the things I’ll be looking to do personally to ensure my children understand this.
“We must try to understand different perspectives and find ways to get along even if we disagree… I would encourage the community of Jersey to show solidarity behind Ukrainians.”
CERT Director Matt Palmer shared his top tips for reducing cyber risk:
Patch all your systems regularly - Make sure your systems aren't vulnerable - and deal with it if they are. Mr Palmer adds: "A warning: If you are not patching a system because it's at the end of life, that's not OK. It's like driving a car without insurance or servicing - that accident will happen, and when it does, the impact will be worse. Good organisations practice renewal and manage the lifecycle of their systems, so they are replaced before they are obsolete. If you have obsolete software or hardware that can't be patched, that's a situation capable companies should never find themselves in."
More than a password - "Multi-factor authentication is where you have at least two of something you know (such as a password), something you are (biometrics, such as a fingerprint), or something you have (such as a code to a mobile phone app). This is more secure than a password because even when a password is compromised or guessed, it cannot be used."
Careful with accounts when browsing - Don't use accounts with 'privileged access' - that is to say, ones with access to directories, file systems, databases, etc - when you're browsing online, unless you really need to.
Deter opportunists - "Most opportunistic attacks will start with a scan of your perimeter. This is everything someone without special access can see. There's a lot you can do to minimise this and make sure it looks boring to an attacker. If it seems high risk and low reward, an opportunistic attacker will go elsewhere, and a targeted attacker will find it harder to get in. In addition to network firewalls that sit between your network and the internet, run application firewalls that sit between your application and the internet."
Back-ups - "Make sure your data is stored somewhere segregated from your primary network... [and] test your ability to restore data and run from the restored data. A backup is no good if you can't use it, and if it will take three weeks to download it from the cloud – best to find that out now rather than when you need it."
Spot anomalies - "Undertake security assurance on suppliers to make sure they operate appropriate controls, notifying customers of issues and concerns, and passing on advice and alerts. Train staff to spot anomalies, and if companies you work with don't take security seriously, ask yourself whether they are worth the risk."
Check your monitoring and alerting processes - "It's essential to be the first to know when something goes wrong. That means logging the correct data and monitoring it for anomalies that suggest a problem."
Have a robust incident management process - "Ensure you have an incident or crisis management plan that sets out how you would respond. Who would do what, and when? Guidance is available from standards such as the NIST incident management framework, ISO standard 27035, proprietary services such as the ISF or Gartner, and online resources such as those from the UK's National Cyber Security Centre (NCSC)."
Ahead of CERT's launch last year, Matt Palmer spoke to Express in more depth about cyber warfare and the role CERT has to play...