Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Cybersecurity Snapshot: U.K. NCSC’s Best Cyber Advice on AI Security, the Quantum Threat, API Risks, Mobile Malware and More



Cybersecurity Snapshot: U.K. NCSC’s Best Cyber Advice on AI Security, the Quantum Threat, API Risks, Mobile Malware and More

In this special edition of the Cybersecurity Snapshot, we bring you some of the most valuable guidance offered by the U.K. National Cyber Security Centre (NCSC) in the past 18 months. Check out best practices, recommendations and insights on protecting your AI systems, APIs and mobile devices, as well as on how to prep for post-quantum cryptography, and more.

In case you missed it, here are six NCSC recommendations to help your organization fine-tune its cybersecurity strategy and operations.

1 - How to migrate to quantum-resistant cryptography

Is your organization planning to adopt cryptography that can resist attacks from future quantum computers? If so, you might want to check out the NCSC’s “Timelines for migration to post-quantum (PQC) cryptography,” a white paper aimed at helping organizations plan their migration to quantum-resistant cryptography.

“Migration to PQC can be viewed as any large technology transition. In the guidance, we describe the key steps in such a transition, and illustrate some of the cryptography and PQC-specific elements required at each stage of the programme,” reads a companion blog.
 

U.K. NCSC logo


At a high-level, the NCSC proposes these three key milestones:

  • By 2028
    • Define the organization’s migration goals.
    • Assess which services and infrastructure need to have their cryptography upgraded to PQC.
    • Draft an initial migration plan that includes, for example, the highest priority migration steps; the necessary investment; and what you’ll need from your suppliers.
  • By 2031
    • Execute the first, most important PQC migration steps.
    • Refine the PQC migration plan to ensure the roadmap will be fulfilled.
    • Ensure your infrastructure is ready to support PQC.
  • By 2035
    • Complete your PQC migration.

Organizations need to migrate to PQC because quantum computers will be able to decrypt data protected with today’s public-key cryptographic algorithms. These powerful quantum computers are expected to become generally available at some point between 2030 and 2040.

The U.S. National Institute of Standards and Technology (NIST) last year released three quantum-resistant algorithm standards that are ready to be adopted. A fourth one is slated for release next year, and a fifth one, announced in March of this year, should be available in 2027.

For more information about how to protect your organization against the quantum computing cyber threat:

2 - Why hardening your API security is key

After several high profile application programming interface (API) breaches, the NCSC published the guide “Securing HTTP-based APIs,” which urges organizations to update their methods for securing their APIs, including by using stronger authentication.

Strengthening API security should not simply be seen as a protective measure; it can also enable organisations to enhance agility, simplicity and productivity,” reads a companion NCSC blog titled “New guidance on securing HTTP-based APIs.”
 

Image of blurry number ones and number zeroes illustrating binary code


Unfortunately, many organizations rely on outdated API-security practices, including:

  • Use of basic authentication
  • Lack of rate-limiting and user-throttling capabilities
  • Unprotected endpoints
  • Code-stored credentials
  • Use of URLs to transmit sensitive data
  • Lax input validation
  • Unencrypted API traffic via HTTPs
  • Weak logging and monitoring

NCSC offers detailed recommendations to boost the security of your HTTP-based APIs in areas including:

  • Development practices
  • Authentication and authorization
  • Protection of in-transit data
  • Input validation
  • Denial-of-service attack mitigation
  • Logging and monitoring
  • Exposure limitation

For example, NCSC recommends adopting strong authentication frameworks like OAuth 2.0 or token-based authentication. It also suggests doing a threat modeling analysis of your API design.

Another recommendation is to develop APIs’ applications in a secure development and delivery environment; and to use secure standards, such as JSON for data exchange and TLS cryptography for in-transit data.

For more information about API security:

3 - Beware of global spyware campaign targeting mobile devices

The NCSC joined other cyber agencies to issue a warning about a spyware campaign aimed at infecting mobile devices of individuals and groups tied to causes that the Chinese government opposes. 

However, all mobile users should take heed because the campaign is global and aggressive, meaning anyone could become a victim, according to the NCSC and cyber agencies from Australia, Canada, Germany, New Zealand and the U.S. 

“The indiscriminate way this spyware is spread online also means there is a risk that infections could spread beyond intended victims,” reads the NCSC advisory. 

Attackers are targeting supporters of various China-related movements with the BadBazaar and Moonshine spyware variants. Those targeted include journalists, non-governmental organizations, businesses and representatives of groups associated with:

  • Taiwanese independence
  • Tibetan rights
  • Uyghur Muslims
  • Hong Kong democracy advocacy
  • Falun Gong movement
     
Illustration of a spherical bomb with a lit fuse placed on a surface of ones and zeroes illustrating binary computer code


Moonshine and BadBazaar are two types of trojan malware, meaning attackers hide them in legit-looking mobile applications that users voluntarily download. In this particular campaign, attackers are embedding Moonshine and BadBazaar in applications designed to appeal to the intended victims, such as a Uyghur keyboard app and a Tibet-related app.

Once a user inadvertently installs a malicious app, attackers use it to obtain the mobile device’s location data in real-time; access its microphone and camera; retrieve stored messages and photos; and more.

 Mitigation recommendations include:

  • Don’t root or jailbreak your mobile device, as this leaves it more vulnerable to cyber attacks.
  • Only download apps from trusted app stores like those from Google and Apple.
  • Periodically review your installed apps and their permissions, deleting apps you no longer use and restricting excessive permissions.
  • Be careful with links, files and apps shared on social media sites, online forums and messaging tools. Scan links with a URL reputation service before clicking on them, and upload suspicious files or apps to a malware analyzer.

To get more information, check out these NCSC resources:

For more information about protecting mobile devices against spyware attacks:

4 - How corporate boards can boost their cyber governance

With cybersecurity governance now one of their main responsibilities, boards of directors need strong cybersecurity knowledge — but many are lacking in this area. That’s why the NCSC published a package of cyber governance resources for board members.

“From my experience of working with senior leaders across private and public sectors, I know that strong cyber governance is key to resilience, growth, and long-term success. Board members play a vital role in making this happen,” NCSC CEO Richard Horne wrote in a blog.
 

photo of a female executive presenting to the board in a conference room


The NCSC cyber governance resources for board members include:

  • The “Cyber Governance Code of Practice,” which outlines the board’s responsibilities in these five key governance areas:
     
    • Risk management
    • Strategy
    • People
    • Incident planning, response and recovery
    • Assurance and oversight
       
  • The “Cyber Governance Training” document, which provides five interactive training modules, each focusing on one of the “Code of Practice” principles
     
  • The “Cyber Security Toolkit for Boards,” which explains how to implement the five key cyber governance areas

For example, the risk management the toolkit unpacks how to identify the organization’s critical assets and how to collaborate with its supply chain partners. In the strategy area, it goes into how to embed cybersecurity into the organization and what cybersecurity regulations are relevant to boards.

For more information about cyber governance guidance for boards of directors:

5 - Why AI will boost the quantity and intensity of cyber attacks

The volume and impact of cyber attacks, including ransomware, will grow as malicious actors of all stripes incorporate AI into their toolboxes. 

Still, how the bad guys use AI and what benefits they get from it will depend on their level of skill and knowledge, the NCSC said in its January 2024 report “The near-term impact of AI on the cyber threat.”

Here’s a table with a nice breakdown of how the NCSC projects that AI will supercharge the cyber attack capabilities of cyber criminals with different levels of sophistication by the end of 2025.
 

Chart about AI impact on cyberattacks from NCSC report

(Source: NCSC’s “The near-term impact of AI on the cyber threat” report, January 2024)

In a companion statement, the NCSC highlighted how AI will likely heighten the already critical threat from ransomware by making it easier in particular for unskilled hackers to launch more effective cyberattacks.

“This enhanced access, combined with the improved targeting of victims afforded by AI, will contribute to the global ransomware threat in the next two years,” the NCSC statement reads.

For more information about how to address AI-powered cyberattacks:

6 - How to secure network edge devices

The NCSC recently joined fellow cyber agencies to provide insights and best practices for preventing and mitigating cyber attacks against network edge hardware and software devices, which have become a major target in recent months.

“In the face of a relentless wave of intrusions involving network devices globally our new guidance sets what we collectively see as the standard required to meet the contemporary threat,” NCSC Technical Director Ollie Whitehouse said in a statement.

“In doing so we are giving manufacturers and their customers the tools to ensure products not only defend against cyber attacks but also provide investigative capabilities require post intrusion,” Whitehouse added.

Devices at risk include routers, VPN gateways, IoT devices, web servers and internet-facing operational technology (OT) systems.
 

Photo of IT professional typing on a laptop inside a server room


These are the new guides:

For more information about network edge vulnerabilities, check out these Tenable blogs:


Cybersecurity news you can use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.