UK NCSC scanning all internet-accessible systems to search for vulnerabilities

The UK National Cyber Security Centre (NCSC) is scanning all UK internet-connected devices/systems to detect vulnerabilities and help owners better understand their security posture. The NCSC said its scanning operations are designed to build a “data-driven view of the vulnerability of the UK” reflecting the government’s aim of making the UK the safest place to live and do business online. The activities cover any internet-accessible system that is hosted within the UK and vulnerabilities that are common or particularly important due to their high impact, although owners can opt-out of scanning if they wish, the NCSC added. Collected data is used to create an overview of the nation’s exposure to vulnerabilities and to track their remediation over time.

How UK NCSC scans systems for vulnerabilities, collects and records data

In a posting on its website, the NCSC gave a summary of how scanning is performed, along with an outline of what information is collected and stored. “To identify whether a vulnerability exists on a system, it first needs to identify the existence of specific associated protocols or services. We do this by interacting with the system in much the same way a web browser or other network client typically would and then analysing the response that is received.” By repeating these requests on a regular basis, the NCSC can maintain an up-to-date picture of vulnerabilities across the whole of the UK, it added.

As for data collection, the NCSC said it collects and stores any data that a service returns in response to a request, which are designed to collect the smallest amount of technical information required to validate the presence/version or vulnerability of a piece of software. “For web servers, this includes the full HTTP response (including headers) to a valid HTTP request. For other services, this includes data that is sent by the server immediately after a connection has been established or a valid protocol handshake has been completed. We also record other useful information for each request and response, such as the time and date of the request and the IP addresses of the source and destination endpoints,” the NCSC wrote.

The requests are also designed to limit the amount of personal data within the response, and in the “unlikely event” that the NCSC discovers information that is personal or otherwise sensitive, it takes steps to remove the data and prevent it from being captured again in the future, it stated. “All our probes are verified by a senior technical professional and tested in our own environment before use. We also limit how often we run scans to ensure we don’t risk disrupting the normal operation of systems,” the NCSC added.

All activity is performed on a schedule using standard and freely available network tools running within a dedicated cloud-hosted environment. All connections are made using either 18.171.7.246 or 35.177.10.231 IP addresses. Owners who wish to remove IP addresses from future scan activity should contact NCSC by email.

Scanning could help build resilience to growing threats

Jake Moore, cybersecurity expert at ESET UK, tells CSO there are multiple internet access points in organisations that businesses may not even be aware of themselves. “This scanning offers a vital overlook from above into areas which may not even be considered a threat as many businesses do not realise their own threat level purely due to only viewing threats from the inside out,” he adds. Having the benefit from an outsider looking in on what may not even be known could be what it takes to mitigate a threat and reduce risk. “It won’t be a catch all approach, but if anything can limit an attack or slow it down, it helps build up resilience to growing threats on a larger scale.”