NCSC Exercise in a Box – Cyber security resilience testing

NCSC Exercise in a Box – Cyber security resilience testing


Just how secure is your Video Conferencing service?

The National Cyber Security Centre (NCSC) has recently launched its Exercise in a Box online tool for organisations of all sizes, in all sectors, to test how resilient they are to a cyber attack. The free-to-use tool provides a range of exercises that give organisations the chance to practice how they would respond to a cyber attack in a safe environment.  As they develop their internal processes, they can repeat the exercises to see how their cyber resilience stance has improved.

How secure is your video conferencing service?

One of the exercises is: Securing video conferencing services. A key question to ask is;

Can your video conferencing service be separated from your existing communications infrastructure to ensure resilience? Will it work as a standalone system when a critical incident occurs and your communications infrastructure has been compromised?

Organisations should be aware that any mass-adoption messaging and collaboration tool is likely to be the target of malicious hackers itself, because it presents such a vast attack surface, and the spoils of a successful attack can be considerable. Often these mass adoption collaboration tools are part of the very infrastructure that is subject to a cyber attack, and once compromised the infrastructure can no longer be trusted for important communications with external suppliers, partners, customers or law enforcement. Ask yourself, what would happen if your email system went down?.  Also these tools don’t solve the issue of communicating with external parties securely which you need to do in the event of an incident.

Mass-adoption desktop platforms that include messaging and collaboration tools are often the basis for an entire enterprise technology infrastructure with many critical dependencies. For example, if your main systems were attacked so that your Active Directory or Identity and Access Management systems were no longer working, how would the business operate?  What would be the ramifications for your employees trying to do their jobs and communicate with colleagues?

An organisation using a compromised service doesn’t need to be the subject of the attack, they can become collateral damage despite not being a target, simply by relying on the service and not having a secure alternative.

Therefore, for all organisations it is crucial to have a back-up comms channel (often referred to as out-of-band) that can be used to marshal a response to any attack or major incident, and organise recovery processes.

What do we mean by ‘out-of-band’?

An out-of-band communications channel is one that does not rely on the standard enterprise infrastructure. It is a system that can operate completely on its own as a standalone solution. It doesn’t rely on email, Microsoft Office/365, or any mainstream system to access the open internet. An out-of-band comms platform can work when all other systems are compromised.

As we’ve explained in some detail in our blog In the midst of a Cyber Attack who you gonna call – and how?, you can’t rely on a compromised system to communicate (assuming it still operates which is a big assumption), because your adversaries could be monitoring it, keen to see how the organisation is responding so that they can reap even more havoc. In addition an organisation’s ability to respond to a breach is severely diminished if its communications are compromised as part of a larger attack.

So when assessing your video conferencing service for security and resilience, what should you be thinking about?.

5 Questions you need to ask about your Video Conferencing service

1. Do you have a video conferencing platform that uses identity-based encryption to authenticate both end points?

If you rely on a mass-adoption collaboration platform then you almost certainly don’t!

2. Can you control who can initiate or join a video call?

Are you able to manage who joins your video conferencing platform? When there are only known users allowed, participants on a call can be sure who they are sharing potentially sensitive information with.

3. Do you know where your data is stored and who has access to it?

Do you retain complete control of your data, including chat, and files shared within a call?  Do you know where your data is stored, i.e. does it meet the requirements for data sovereignty and GDPR compliance? If you use a system that allows third party access to your users’ contact lists, it is unlikely to be GDPR compliant.

4. Can you be sure who you are communicating with?

Identity-based attacks are on the increase, with deepfake and AI-generated impersonation attacks hitting the headlines more often.  A video conferencing platform that uses the NCSC recommended MIKEY-SAKKE protocol for identity-based encryption authenticates users, so that you can be sure who you are communicating with.

 5. Do you have pre-arranged incident response secure federated call groups set up?

Both NIST and the Digital Operational Resilience Act (DORA) suggest that incident response groups with key contacts/structures are pre-defined and set up before an incident occurs, so that communications can begin immediately on the secure channel. Groups can be internal and external, typically including suppliers, law enforcement, internal groups, employees and key stakeholders and the SOC team, etc. If your organisation relies on mass-adoption infrastructure for critical communications, it can be difficult to communicate with external parties without trusted, secure federated groups already in place. Indeed, NIST SP800.61 recommends having multiple back up communications solutions in place.

If the answer is NO to any of the 5 questions above, then you should be looking for an additional, out-of-band secure communications channel that your key people can use to communicate between themselves, and critically, with external third parties in the event of a serious incidents and cyber attacks.

How Armour can help

Armour Unity™ extends the highly successful Armour® ecosystem to provide secure, pre-defined or on-the-fly enterprise-level mobile video conferencing, screen sharing and in-app messaging for iOS and Android devices. Documents and chats associated with a conference call benefit from the trusted security of the Armour platform. This can be achieved as an on-premises or cloud solution to suit your business needs.

With the Armour Comms platform, organisations are able to create internal and external user groups and integrate them into business continuity processes.

In common with Armour Mobile™, Unity uses MIKEY-SAKKE identity-based encryption, which is recommended by the UK National Cyber Security Centre (NCSC).  This innovative approach means that participants on a call can be certain that only authenticated and invited attendees are able to join the conference.

Secure Communications Buyer’s Guide

For more comprehensive information about what you should be looking for in a secure communications platform, download our Buyer’s Guide:

Proof of Concept or Pilot Offer

For those undertaking the NCSC Exercise in a Box, Armour offers a free Proof of Concept or Pilot project, subject to conditions.  Contact us today for more details.

  • NCSC Exercise in a Box – Cyber security resilience testing
  • NCSC Exercise in a Box – Cyber security resilience testing
  • NCSC Exercise in a Box – Cyber security resilience testing
  • NCSC Exercise in a Box – Cyber security resilience testing
  • NCSC Exercise in a Box – Cyber security resilience testing
  • NCSC Exercise in a Box – Cyber security resilience testing
  • NCSC Exercise in a Box – Cyber security resilience testing
  • NCSC Exercise in a Box – Cyber security resilience testing