Cyber Threat Weekly

Police CyberAlarm

April 23, 2021 WMRCCU Season 2 Episode 7
Cyber Threat Weekly
Police CyberAlarm
Show Notes Transcript

In this episode we talk to Ian about the Police CyberAlarm.  A fantastic new and FREE Cyber Security system.  Please listen to find out all you need to know.

 

After listening please visit National Cyber Security Centre, Action Fraud, Take Five and the West Midlands Cyber Protect websites for more guidance on all things relating to online security.  

 

Please forward any Phishing emails you receive on to [email protected] and text messages on to 7726.

 

Our hosts today were Patrick, a Detective and Cyber Protect officer Regional Cyber Crime Unit for the West Midlands (RCCUWM) part of the Regional Organised Crime Unit for the West Midlands (ROCUWM) and Demi the RCCUWM as an intern taking a year out from her University Studies.

 

You can contact us at [email protected]To sign up for our newsletter please visit www.wmcyber.org/subscribe

Patrick  0:04  
Hello and welcome to the cyber threat weekly your podcast by the police delivering you non technical Cyber Security Awareness. I'm Patrick, a detective and cyber protect officer within the West Midlands regional cyber crime unit.

Demi  0:17  
And I'm Demi, I work alongside Patrick on protect and also prevent.

Patrick  0:21  
So today we're speaking to Ian who is going to talk to us today about the Police Cyber Alarm, also known as PCA. This is a new and brilliant initiative, in my humble opinion, so Ian's gonna come and talk to us today about that. So do want to tell us a bit about yourself Ian? 

Ian  0:37  
Good morning Patrick yeah, thanks for inviting me along to this. I work for the National Police Chief Council I'm the National Coordinator for the rollout of Police Cyber Alarm. I've worked in the protect and prepare network for policing for several years, and I'm based in the East Midlands but have worked for other forces over the years as well. 

My background is in cyber security predominantly, for the last 20 years or so, I'm quite excited to be involved in this initiative to make businesses more secure, and enable people to conduct business more securely online.

Patrick  1:08  
You're certainly a good person for the job. Every time I talk to you, I hear more than the last time about where you've been and what you've done in terms of cyber and cyber security.

Ian  1:16  
It's been an interesting journey and certainly working with law enforcement the last few years, and it has been really fulfilling for me in helping to deal with victims of cyber crime, and help people just make themselves more secure. A lot of it is raising people's awareness is just what could go wrong, and a lot of it is quite easy to solve and help protect yourself. It doesn't involve investing vast sums of money in security, it's good processes, a little bit of knowledge, and having a good discipline and applying it to your systems and your work practices.

Demi  1:48  
Well, thank you so much for joining us today. It is great to have you on. I guess my first question would be what is the Police Cyber Alarm?

Ian  1:55  
It's a very good question, what is Police Cyber Alarm? It's a free tool that we developed to help Police Cyber Alarm members and any organisations who want to join and become a member will get advantage of this is and it enables them to have better understanding of what exactly is going on on their network on their firewall- how many times a day are they being attacked? What type of attacks are they where they're coming from? Not only do we do that sort of analysis and interpretation of the so that they can have a report which informs them. But we also do vulnerability scanning as well. 

Demi  2:25  
Great! So this might be a bit self explanatory. But I just want to hear, you know, your opinion on it. Why have the police launched the Police Cyber Alarm? Whats the goal behind it?

Ian  2:33  
Typically, we look at what's happening in the cyber world in terms of crime and we've got lots and lots of organisations that are providing threat intelligence. We've got that done at a high level of government level, we've got that done it industry level and typically the where people are getting their information was from the sort of organisations that can afford to implement systems that monitor their firewalls, systems that provide them with reports, systems that look and see who's getting onto their networks, and what's going on.

So we wanted to know, well hang on a minute, most of the businesses by volume are small/medium businesses in the UK, you know, there's far more small/medium businesses with a handful of employees up to about 100 or 200 employees that don't have that kind of expertise or access to that type of threat intelligence, or if it is, it's aimed at the big organisations. I'm sure to name a few, it's quite easy to look at the cyber threat intelligence as attacking critical national infrastructure, power companies, what's attacking local authorities, what's attacking banks and things like that, but what's attacking the small businesses? And those are typically the most vulnerable so the cyber alarm was developed in order to give providers intelligence around that, and to get people to be better informed about defending their own network.

Patrick  3:51  
That's ideal that is. The first thing that springs to my mind, as well is- I have a bit of knowledge about this system so I'm sort of playing a little bit of devil's advocate, but I think it'd be quite good because I'm sure people listen to this and maybe screaming at the screen, well how does it help businesses?

Ian  4:05  
It's a very good question. Yes, if you have a firewall in your business, and something more than just a home router, it logs every piece of traffic that comes to the firewall, but it also logs and it protects you from it at the same time. So what Cyber Alarm does is collects that data around that suspicious traffic, and it collates it and it gives you a report on a monthly basis and says, "here you are you had 2000 attacks on this time trying to get into your network".

So you're getting, A- report which tells you what's targeting you, B- you're getting a report, which also tells you how they're trying to get in and you can then take that to your network manager or your IT security consultant or your service provider and go- how do we make sure that this then doesn't become a problem in the future? 

When traffic comes to a firewall it has a number of different ports or little doors that they can go through. Typical ports would be one for allowing email in and ones for allowing web traffic in when your web surfing but there's also lots of other different ports allow things like remote access and things like that. 

Are people trying to get into your remote access port because nowadays we have much more distributed, working people working from home logging in remotely, people working agile, those sort of things. So are people trying to get in that way and do you need to beef up that do you need to provide some sort of additional security around that. So if you're getting a report on a monthly basis of that, then that I think makes you better informed. 

The other side of it is that we do the vulnerability scanning, which will scan your external IP addresses, and also scan your website for vulnerabilities. One that we're doing at the moment is we're doing a scan to see- some people may have heard of the vulnerabilities in Exchange, it's a Microsoft zero day threat, and if you've got a certain types of exchange setup, going back to Exchange 2010, there is a vulnerability around it. Police cyber alarm scanning has a special scan within there to see whether you're susceptible to that. And that's something that we're obviously in the current climate, where that's becoming more of a feature, and is becoming more well known we want people to know that if they've got police cyber alarm, they can get a scan for that and it'll let them know whether or not they're vulnerable to that attack. 

So that sort of gives you more confidence that you're not going to be hacked through your firewall or hacked through your external IP addresses but also, when you put your website out there haven't got the right protection, you know, people can get in, they can deface websites, they can apply things like cross site scripting that can do SQL injection. Has your website been secured against all those known vulnerabilities, and we'll do a quick check on that for you as well. It's not a penetration test but it's just a scan to see whether you've taken all the basic steps to make sure that you can be as secure as you can.

Patrick  6:48  
It's pretty all encompassing by the sounds of it. The thing that I think that there will be one or two people wondering is how their reports are created. What would you say to somebody if they asked why isn't it just collecting lots of my personal data? Is it spying on us or our emails and keeping our data? What would you say if somebody had that fear?

Ian  7:08  
Oh absolutely not is designed with security in mind to protect that data, it doesn't look at the content of the data, it's not looking at emails, it's not looking at web traffic in that respect, or any of the information coming in, it's looking where it's coming from and where it's going to and maybe the size of the packet of data that's in there and going, is this suspicious? is it doing what it should do? If it's a simple page request on web? Is it simple page requests trying to come back through the natural port that it should do? Or is he trying to do something else, if he's doing something else, hang on a minute, that's a bit suspicious.

In which case, he then gets flagged as suspicious, and then goes into the little cyber alarm collector, for later analysis. We don't collect any personal data, there's no intellectual property or content of emails collected or anything like that. It's purely what's known as metadata for it. So it's the it's like looking at the outside of an envelope and going- it's got a from and its got a to address and you know, how big the envelope is? In real World terms that's what it is and it's saying, is it trying to go to the right address? Or is he trying to sneak off and do something else? 

Patrick  8:10  
It's a quite good analogy. Yeah, you're expecting a letter, and you expected it from this place and to that place and if that letter is actually a big parcel, it's gone from here and to there and it's obviously not quite right. So it's just that and like, obviously, people use WhatsApp and they accept that the end to end encryption, to an extent, it's a little bit similar to that you're not looking at the contents, you're just looking at the output activity.

Ian  8:34  
Have no worries about whether or not it's spying on you, or anything like that. We just want to collect what that suspicious data is because you've got lots of traffic going through your firewall that is quite legitimate and everything else, and quite right, and that needs to pass through. So it doesn't impact on the operation of the network. It's just looking at that suspicious traffic and say, hey, you're suspicious, the firewall has flagged it as suspicious, let's just take a snapshot of it.

And then if later you find that you've been the subject of a compromise, it does help in finding out what's going on, because you've not got to go in. If any business has ever been the subject of a ransomware attack or any data exfiltration on the cover of that, the last thing you want to be doing when you're trying to rebuild your data set, or trying to get your business back up and running and restore confidence and anything like that is to have to have somebody come along and say, "Oh, you can't do that because we need that for evidence". 

Well, please Cyber Alarm would silently collect that evidence there so it doesn't impact on that. So you can concentrate on restoring from your backup and getting your business back up and running as soon as possible.

Demi  9:33  
This sounds like a really good initiative. And I'm glad you touched on the sort of privacy aspect of it because I know that's a big concern for a lot of people, including myself. It was something you know that, even though I know it's not spying on me, it's just nice to have a you know, a little bit of reassurance. I know you mentioned small and medium businesses, but who specifically is the Cyber Alarm for and do these businesses have to meet any certain requirements to qualify for the police cyber Alarm.

Ian  9:57  
Any business has a firewall and you know, it will be the typical business that has this small network of a few people in a firewall that has a logging facility on it. And onwards from there, we have local authorities that use it, they also get access to certain facilities provided by the NCSC, as well that do a lot of security for those types of .gov organisations. But they might also implement cyber alarm so they can share the data with them about what's attacking them.

A typical, I would say, a medium size organisation, which is probably up to 1 or 2 hundred million turnover organisation, because the low that you don't really invest that much of your turnover into providing cyber security and comes in becomes a big overload. 

So this is something that's free, it gives you a good insight into how vulnerable you may become, how people are targeting you, and what steps you may need to take for that It's a good part of the process, I mean, there's many different things that are being offered by policing, law enforcement and NCSC that businesses can take advantage of and if you contact your local Cyber Protect team or your Regional Cyber Protect team, they'll be able to advise you there's free tools from the NCSC, there's Police Cyber Alarm that's free and there's also a police initiative with Cyber Resilience Centers. And all of this stuff is designed to make doing business in your region safe as possible. 

Patrick  11:18  
The next thing I was going to ask was, you've pretty much answered half of it, but we will mention it just to get some further clarification. It's sort of like a two point question, first of all how do people get hold of it? But also, how much does it cost is there different levels of service or access, or is there likely to be like, after two years, we'll start charging or anything like that?

Ian  11:39  
Well, first of all, it's free a point of delivery, there is an investment on the behalf of the member in that they obviously got to download and configure a collector, which can run on a virtual machine or any modern desktop PC is powerful enough to run it doesn't require a lot of processing power. And it would need to be set up if you have a network service provider, they may or may not- and we've worked with a number of them around the country, some of them charge a nominal amount, but they quite like their customers to have it because their customers can then see what they see and presented in a more readable format. And it helps them when they're talking to their customers about cyber security so a lot of them, they may well just include the cost of installing it as part of their ongoing maintenance. 

Others, you may have to pay them or your network managers for a couple of hours or so to come in and do the instal. That's your costs, but there's no cost for the service or anything like that. There's no plans to charge for that at all. It's funded by the home office and it's an initiative that's national, the intention is to keep offering that out to people free. 

If at a later date, there is a more sophisticated version offering lot more facilities, that may be something that goes into that chargeable realm, but certainly at this level, where we're talking about having a scan of your IP addresses and your websites, and having a collector there that gives you a monthly report that is free.

How do I get hold of it?- quite easy there's a website called cyberalarm.police.uk. If you go onto that website, there's a little video that explains exactly what Police Cyber Alarm is, there's a whole section of frequently asked questions on there, which cover some of these points in more detail about how long the data is stored, for what happens to the data when it reaches a certain date, etc, etc. What impact will it have on my network and all of those things, they're all that's all covered in the FAQ's on the website. There's also a security statement there as well.

So that's cyberalarm.police.uk if you want to go to that website there, and likewise, if you want to get hold of it, and you're interested in doing that, there's a contact button there, you can register to become a member for Police Cyber Alarm, and that will be passed out to your local force and they will then issue you with a unique code. You use that unique code to then go and register on the system asks you for basic details like your name of the company organisation where you are so that we know that you're connected to the right force in the West Midlands that could be Staffordshire, Shropshire, in East Midlands, Leicestershire, Lincolnshire, whatever. That then gives you the right then to have that installed, you have the collector on there. And then once you've registered the collector that updates itself and then starts sending the data across, and then you start to receive the reports.

Patrick  14:18  
Excellent. Rest assured that anybody listening to this doesn't have to scribble down the URL for the website or anything like that I'll make it very clear and all the links will be in the show notes for this episode. 

One of the best analogies that I've heard being made when talking about Police Cyber Alarm is well a couple of things. For one, it's a passive system, it's not interfering and, if you want to liken it to the real world example, it's like a virtual CCTV system for your firewall and I think that's a really good thing that it's not sort of stopping and starting anything that's going on or coming in or going out or just sitting in the background like a camera watching it. It's been recorded to an extent and that kind of helps to generate the report.

Ian  14:58  
I think the taking that a little bit further as well, Patrick. It's like in the olden days, if you had a business on a street, you and your local police officer may come along and if he saw that the door was open, or there was a light inside, it was unexpected, he could do something about it, you know, is that meant to be there? Can we contact the key holder? What's going on, you know. 

If somebody went down the street trying all the doors, you'd have their picture or where they were coming from, if you had CCTV, but it might be that they're doing every third door in this town and every third door in that town. But what Police Cyber Alarm does is when it collected all together regionally, you get a regional picture. So it may be that within your particular region, there is a specific type of activity that's going on or it may be, as we develop the system and get more and more members, we can start to divide that up and say, well, if you're a small business with less than 50 people, you're more likely to be attacked by this type of attack. If you're slightly larger, it's this one. I know as a protect officer is nice to go along if you're talking to a group of people from some sort of affinity group, whether it be the Master Builders, Concrete Association or Lloyds Bank grouping or one of the bank seminars or accountants or lawyers to talk about what specific threat they're seeing for that market because it's useful to know that. In Leicester they don't get too many shipping companies but if you go to Hull or Liverpool or somewhere like that, there are shipping companies- so the type of attacks may be different. And this is what we're trying to build up a picture of, so that we can give the right sort of advice to these people and go, "this is the way to make your business more secure".

Patrick  16:28  
When I made reference to passive its passive in terms of it doesn't interfere with anything. People don't have to worry about whether its going to slow things down, or is it going to interfere or put people like waiting while it gets checked type thing- no it's better than that. They  only get checked when they need to be checked as opposed to be checked on the way in to slow things down. I don't have any more questions. We're very grateful for you taking time out to talk to us and I think the system is fantastic and can be only a good thing.

Ian  16:54  
Well, thank you very much for inviting me along. Patrick, Demi. It's great to speak to you guys and hopefully people will hear this and we will have few more people wanting to take part in this. The more members we have the more people feeding that dataset in as well as taking part in the scans, the better we're prepared as law enforcement to deal with that type of cyber criminality and it is growing fast. Cybercrime is pretty much I think, on the whole vastly underreported, it sort of happens and unless it has a significant impact, people tend to go "Oh, well, there you go" you know. The better informed we are about it, the better protected we could be the safer it is for people to do business online.

Patrick  17:28  
I don't have any other questions. I'm not sure if you do Demi?

Demi  17:32  
No, I just want to thank Ian for coming on and sharing a bit more about the Police Cyber Alarm with us. I think it was really insightful.

Ian  17:37  
Thank you very much for this opportunity.

Patrick  17:39  
Thank you. So that's all we've got time for this week. More information on cybersecurity, please visit the National Cybersecurity Centre, Action Fraud, Cyber Aware and Take Five website. Don't forget we have our own website wmcyber.org. Anybody listening to this who would like to contact us for any guidance and education in the area of cybersecurity, how to protect and prepare yourself and your organisation whilst online please use the contact details in our show notes. Thank you and goodbye.

Demi  18:08  
Goodbye.