Updated on 2022-11-07: NCSC scans internal IP space
The UK National Cyber Security Centre (NCSC) revealed details about an internal initiative through which the agency plans to scan internet-connected devices across the UK IP space, build an inventory of vulnerable systems and then attempt to warn the device owners. NCSC officials said they plan to use this information to be better prepared to respond to sudden waves of exploitation attacks targeting a particular vendor or device, and to warn affected organizations. Similar programs, typically run by national CERT teams, have been underway in several other countries to a greater or lesser degree. Read more: NCSC Scanning information
“All activity is performed on a schedule using standard and freely available network tools running within a dedicated cloud-hosted environment. […] Note that these IP addresses are also both assigned to scanner.scanning.service.ncsc.gov.uk with both forward and reverse DNS records. Scan probes will also attempt to identify themselves as having originated from NCSC where possible.”
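The quoted note says the scanner's IP addresses carry both forward and reverse DNS records for scanner.scanning.service.ncsc.gov.uk. A defender triaging probe traffic can use that claim as a check: a PTR record alone proves nothing, because whoever controls the reverse zone for an address can put any name in it, so the name must also resolve back to the address (forward-confirmed reverse DNS). The script below is an added example, not NCSC's code or a tool from its blog post; the log lines and the DNS answers it uses offline are constructed from RFC 5737 documentation addresses, and the real scanner IPs are not reproduced here. With no fake resolver injected, the same functions use the system resolver.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for attributing scan traffic.

Added example, not NCSC's own code. The hostname below is the one NCSC
published; the IP addresses and log lines are constructed placeholders.
"""
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

NCSC_SCANNER_HOST = "scanner.scanning.service.ncsc.gov.uk"

# Resolver functions are injectable so the check can run offline in a demo
# or test; the defaults use the system resolver.
PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], List[str]]


def system_ptr(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup via the system resolver; None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def system_a(hostname: str) -> List[str]:
    """Forward (A) lookup via the system resolver; [] if the name is absent."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except (socket.herror, socket.gaierror, OSError):
        return []


def is_confirmed_scanner(ip: str, expected_host: str = NCSC_SCANNER_HOST,
                         ptr_lookup: PtrLookup = system_ptr,
                         a_lookup: ALookup = system_a) -> bool:
    """True only if ip's PTR names expected_host AND expected_host resolves
    back to ip. The forward confirmation is the part a third party cannot
    forge by editing their own reverse zone."""
    ptr = ptr_lookup(ip)
    if ptr is None:
        return False
    if ptr.rstrip(".").lower() != expected_host.rstrip(".").lower():
        return False
    return ip in a_lookup(expected_host)


# Constructed firewall-style log lines (RFC 5737 documentation addresses).
SAMPLE_LOGS = [
    "2022-11-07T10:01:02Z DENY src=198.51.100.10 dst=203.0.113.5 dport=443",
    "2022-11-07T10:01:03Z DENY src=198.51.100.11 dst=203.0.113.5 dport=22",
    "2022-11-07T10:01:04Z DENY src=192.0.2.77 dst=203.0.113.5 dport=3389",
    "2022-11-07T10:01:05Z DENY src=198.51.100.10 dst=203.0.113.9 dport=8080",
]

# Constructed DNS view for the offline demo:
#   198.51.100.10  PTR and A agree            -> confirmed scanner
#   198.51.100.11  PTR claims the name, but the name does not resolve to it
#   192.0.2.77     no PTR at all
FAKE_PTR: Dict[str, str] = {
    "198.51.100.10": NCSC_SCANNER_HOST,
    "198.51.100.11": NCSC_SCANNER_HOST,
}
FAKE_A: Dict[str, List[str]] = {NCSC_SCANNER_HOST: ["198.51.100.10"]}

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify_sources(lines: Iterable[str],
                     ptr_lookup: PtrLookup = system_ptr,
                     a_lookup: ALookup = system_a) -> Dict[str, Tuple[int, bool]]:
    """Map each source IP seen in the log lines to (hit count, confirmed flag)."""
    counts: Dict[str, int] = {}
    for line in lines:
        m = SRC_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return {ip: (n, is_confirmed_scanner(ip, NCSC_SCANNER_HOST, ptr_lookup, a_lookup))
            for ip, n in counts.items()}


def demo() -> Dict[str, Tuple[int, bool]]:
    """Classify the constructed logs against the constructed DNS view."""
    return classify_sources(
        SAMPLE_LOGS,
        ptr_lookup=lambda ip: FAKE_PTR.get(ip),
        a_lookup=lambda host: FAKE_A.get(host, []),
    )


if __name__ == "__main__":
    for ip, (n, ok) in demo().items():
        label = "confirmed " + NCSC_SCANNER_HOST if ok else "unattributed"
        print(f"{ip:>15}  hits={n}  {label}")
```

Only the address whose PTR and forward record agree is reported as the announced scanner; the forged-PTR case and the address with no reverse record both stay "unattributed" and are handled like any other probe. Pair the check with NCSC's published addresses rather than relying on DNS alone, since a resolver answer can be cached or spoofed.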
Updated on 2022-11-06: U.K. scans IP space for vulnerabilities
Did you know that the U.K. National Cyber Security Centre scans the U.K. internet space for known serious vulnerabilities? Well now you do. The idea is to help to alert network defenders to vulnerabilities by determining if internet-facing systems are at risk of known flaws. The U.K. isn’t the only government to do this; still, the NCSC’s blog post has more if you’re interested. Read more: NCSC Scanning information
Overview: UK’s NCSC Will Scan Country’s Systems for Known Vulnerabilities
The UK’s National Cyber Security Centre (NCSC) plans to scan all Internet-connected systems hosted in the country for known vulnerabilities. In a blog post, NCSC Technical Director Ian Levy says the effort will be transparent, that NCSC will “publicly explain the purpose and scope of the scanning system, mark activity so that it can be traced back to the scanning system being used, audit scanning activity so abuse reports can be easily and confidently assessed, minimise scanning activity to reduce impact on target resources, and ensure opt-out requests are simple to send and processed quickly.”
- This points out part of the problem of intelligence agencies having responsibility for cyber defense, as well. The goals of intelligence agencies don’t always align with the rapid closing of vulnerabilities and even if the goals do align, history makes it harder to believe it is so. Seems like funding a third party to do the scanning and only provide NCSC with the aggregate data to meet their stated goals would be an alternative.
- While I applaud NCSC’s efforts, there are already a number of cybersecurity risk rating platforms that exist in the marketplace today. In fact, they also include capabilities to evaluate third party trust. Perhaps teaming with one or more of those vendors can achieve greater measurement of cybersecurity for UK based organizations.
- This is a double-edged sword. It is truly awesome to have another set of eyes cross checking for things you miss, but can be a true nuisance as you train them on accepted risks and minimizing disruptions caused by the scans. Do not use this as an excuse to not conduct your own scans. You want to be the one discovering issues on your systems. If faced with this scenario, make sure that you have clear information on contacts, scan schedules and intensity, then verify your team is detecting the activity. Make sure you have actively assigned response, remediation and tracking responsibilities.
- This actually sounds like a great idea. At the scale of the UK, this might be an effective campaign that finds and begins treatment of the worst vulnerabilities. And as the federal government, they should have the ability to find device owners and contact them credibly.
- Those who are proposing this program seem to have given a lot of thought to the unintended consequences. Surely the rogue hackers are scanning for your vulnerabilities. Rather than caution you about them, they will use them against you. Here, rather than have the state do the scanning, I would like to see the ISPs do it. While this may involve changes to their terms and conditions, they can promote it as a feature.
Read more in
- NCSC Scanning information
- Scanning the internet for fun and profit
- NCSC Implements Vulnerability Scanning Program Across UK
- UK Security Agency to Scan the Country for Bugs