February 10, 2020
The new NCSC guidance recommends approaches to the design, development, and security assessment of products (and systems) capable of resisting “elevated threats”.
The NSCS explains that threats to digital systems come from a range of attackers with different capabilities. Much of the NCSC’s guidance is focused on defending organisations against “commodity threats”, which make use of tools and techniques that are openly available, cheap, and simple to apply. Regardless of their technical capability and motivation, attackers will often turn to commodity tools and techniques first.
Organisations that defend effectively against commodity threats present a very hard target for all attackers, and so any organisation attempting to resist elevated threats should start by ensuring they have the best security posture possible against commodity threat.
For targets that are of particular interest to an attacker (and where commodity threats have been resisted), attackers may seek to develop a range of more sophisticated methods, some requiring long-term investment and research. In such cases, the NCSC describes products as being subjected to “elevated threats”. These can only be realised by large, well-funded groups (such as high-end organised crime and state sponsored groups) as they require significant investment in skills, resources and capabilities.
The guidance contains a set of principles that can be used to set high level security objectives, which in turn can be used to guide design decisions and development processes.
It is written for organisations that are at risk from these elevated threats, or those seeking to develop products and systems capable of resisting these threats, specifically:
- buyers of these products (or independent assessors), to help them gain confidence that a product is capable of resisting elevated threats; and
- developers of product and systems that are intended to protect against elevated threats.
The guidance complements the NCSC’s existing technology principles (such as those for cloud security, cross-domain products, and secure communications), and may be used in conjunction with these to assess the extent to which products offer protection against both commodity and elevated threats. To access the guidance, click here.