Protecting networks, systems and users isn’t getting any easier. Whether it’s nation states looking for intellectual property to steal; criminals looking for ways to make money through ransomware or scamming users; or students launching denial of service attacks in the modern equivalent of setting the fire alarm off to get out of an exam, the security landscape is getting more and more challenging. Mitigating and defending against cyber security threats has always been a team effort – your organisation will have certain controls in place, you will have staff and students that have had information security awareness training, and you will have technical staff as part of IT or dedicated security roles all working together to defend as well as you can. But Jisc is also part of your team – we have skilled incident responders, threat analysts, defenders, penetration testers, product professionals and more, helping to protect the Janet network, protect your organisation and helping you to increase your security posture.
One way we are helping with all three areas is by updating the Janet Security Policy. Bear with me. A policy may not have the same appeal as a multi-million-pound DDoS mitigation system or an elite team of penetration testers trying to break through your defences, but in our most recent update we have introduced three new principles that we believe will help protect Janet, protect you and help you to protect your users.
The Janet Security Policy describes the responsibilities of organisations connected to the Janet network and Jisc’s responsibilities as owner and operator of the Janet network – the UK’s national research and education network – to mitigate the risks that security incidents and misuse will damage the effectiveness of the Janet network and organisations connected to the network.
Principle: GeoIP location blocking for certain high-risk protocols for traffic inbound to Janet
Paragraph 17.3 explains that Jisc is authorised to: “implement such technical measures as are required to protect the network or its customers against breaches of security or other incidents that may damage the network’s service or reputation.” One such control is the restriction of certain high-risk protocols for traffic inbound to Janet. In response to the multiple highly disruptive and damaging ransomware incidents experienced in the sector we started restricting RDP traffic inbound to Janet on TCP port 3389 for organisations that asked us to, as exposing RDP publicly is a massive security risk and is a known threat vector used in ransomware attacks. Later this year we are looking to move from the opt-in Foundation GeoIP service as described at https://www.jisc.ac.uk/ddos-mitigation to being on by default unless Connected Organisations request to opt-out. This will add an extra layer of defence and mitigate against accidental exposure of RDP to the internet.
Principle: Jisc CSIRT will perform more proactive scans to detect vulnerabilities in systems connected to the Janet Network.
Scanning for vulnerabilities is a key activity to help protect the network and connected organisations. The authorisation to undertake scans has been part of earlier versions of the Janet Security Policy, however the old wording suggested that this was done on an exceptional basis. Given the increase in serious attacks and the large number of vulnerabilities impacting connected organisations it was felt that the exception was becoming the rule so this principle is us being more open about how we are scanning and that we will be scanning more often due to the changes in the security landscape.
Jisc will only run scans that have a high level of confidence of not causing serious impact to organisations connected to Janet. Jisc will also be cognisant of the timing of scans, particularly avoiding the period of confirmation and clearing unless operationally essential. It is worth bearing in mind that threat actors are unlikely to be as sensitive when looking for vulnerable systems to exploit, it is far better for us to scan promptly so we can let you know before you get attacked. We’ll always inform your security contact if we detect you may be vulnerable, so you need to ensure your contact details are up to date (see paragraph 11) and you can also see where we will be scanning from by visiting the Jisc Cyber Community Group: https://www.jisc.ac.uk/get-involved/cyber-security-community-group.
Principle: Annual security posture review
The last principle we have introduced is for organisations to undertake an annual self-assessment of their security posture. Many organisations already undergo some sort of risk assessment or certification, and given the variety of types of organisations connected to Janet we are being deliberately non-prescriptive as to how a self-assessment should be undertaken. The aim of this principle is to help you understand where your strengths and weaknesses are to help you become more secure.
As everyone is starting from a different place, we didn’t want to exclude anyone. We know from feedback from some connected organisations that achieving formal certifications such as Cyber Essentials or ISO27001 can be problematic, but we also know that many institutions are making good progress with these, or use CIS controls or the Cyber Assessment Framework (CAF) or a range of other tools. We would encourage you to share what tools or frameworks you are using to assess your security posture on the Jisc Cyber Security Community Group: https://www.jisc.ac.uk/get-involved/cyber-security-community-group.
More policies
The Janet Security Policy has had the biggest update, but we have also reviewed the Janet Acceptable Use Policy, Janet Network Connection Policy, Terms for the provision of the Janet Network and the Janet Peering Policy to ensure they are all up to date and have coherent terminology and a common appearance.
The updated policies can be found at https://community.jisc.ac.uk/library/janet-policies or at the more memorable short URL of http://ji.sc/policies. We have also produced an FAQ that covers the questions raised during and following the consultation we undertook on the Janet Security Policy update last summer.