The practice of mandating regular password expiration is frequently adopted in various security policies. Nevertheless, in the Password Guidance released in 2015, we advised against this practice. This article outlines the reasoning behind our unexpected recommendation and presents our perspective on the best approach moving forward. To mitigate the risks associated with an attacker possessing…
The Secure Sockets Layer (SSL) protocol was initially launched in 1994 by Netscape. It has undergone several modifications, most notably rebranding to Transport Layer Security (TLS), and has emerged as one of the most widely utilized encryption protocols on the Internet. Initially designed to safeguard financial transactions and personal data for rising e-commerce ventures online,…
In recent years, researchers have developed groundbreaking mathematical techniques in Advanced Cryptography that allow users to manage, search, and compute with sensitive data while ensuring robust cryptographic security for that data. The NCSC has released a white paper on the applications of Advanced Cryptography. This document assists users in evaluating which techniques may be appropriate…
The role of AI in enhancing cyber intrusion operations is expected to continue evolving, leading to a rise in the frequency and severity of cyber threats. Cyber threat actors are likely already leveraging AI to improve their existing tactics, techniques, and procedures (TTPs) when it comes to victim reconnaissance, vulnerability research, exploit development, social engineering…
Preparation and resilience extend beyond simply establishing robust defenses against intruders. Despite the effectiveness of your security measures, there may be instances when attackers successfully breach your defenses. This approach involves not only identifying threat actors exploiting legitimate access to your employees, network, or cloud services, but also containing these attackers to mitigate damage. Additionally,…
Large-scale events are becoming increasingly dependent on digital technologies. Cyber attacks that threaten the confidentiality, integrity, or availability of these systems can lead to significant disruptions, resulting in both financial losses and damage to reputation. This guide provides a framework for integrating Cyber Risk Management processes into the planning of major events. While the focus…
In our 2023 white paper, the NCSC emphasized the necessity of preparing for the transition to post-quantum cryptography (PQC) in light of the risks posed by advancements in quantum computing on current cryptographic systems. Beyond the technical insights provided in that paper, we outlined our commitment to assist the UK government and our regulated Critical…
The transition to Post-Quantum Cryptography (PQC) mirrors many significant technology migration projects. The main objective is to seamlessly integrate PQC into existing systems while minimizing new cyber security threats. Hence, comprehensive planning at the outset is crucial. Organizations may adopt various models for successful technology migration, with each having its unique framework. Regardless of the…
In today’s digital landscape, accessing various online services including messaging, shopping, travel, social media, media streaming, and government resources typically requires managing yet another account and password. Concurrently, there is a rising trend of cyber criminals attempting to hijack online accounts for their illegal gain, often at the expense of users. Safeguarding these account passwords…
As the Director of National Resilience at NCSC, the announcement of a Cyber Security and Resilience Bill in July 2024 by the government was a pivotal step towards addressing the increasing cyber threats to essential services, including water, power, and healthcare. Today, we appreciate the publication of the Department of Science, Innovation and Technology’s (DSIT)…
