The UK’s National Cyber Security Centre (NCSC) released a public statement on 1 November detailing its newly introduced vulnerability scanning process. In this statement, the NCSC announced that it will be carrying out automated vulnerability scanning against all internet-connected devices hosted in the UK.
We're not trying to find vulnerabilities in the UK for some other, nefarious purpose. We're beginning with simple scans, and will slowly increase the complexity of the scans, explaining what we're doing (and why we're doing it).
Ian Levy, National Cyber Security Centre
As scanning on this scale conducted by an intelligence agency is likely to attract attention and could lead the public to draw the wrong conclusions, NCSC is attempting to be as open as it can about what it is doing as part of this programme and how it will develop it in the future.
Regarding data collection and storage, NCSC has stated that any data returned in a service response will be stored. Other relevant data, such as the date and time of the record and the IP address of the destination host, will also be stored. The service scans are described as purpose-built and will not attempt to extract unnecessary data from the scanned hosts. In the event that personally identifiable information is collected (excluding source IP addresses), NCSC will follow a data removal/anonymisation process and will attempt to prevent this data from being captured by future scans.
Scanning done by NCSC as part of this campaign is currently stated to originate from two cloud-based hosts:
These hosts are assigned the domain name scanner.scanning.services.ncsc.gov.uk, and the scan probes attempt to identify themselves as originating from NCSC, which is expected to show up in service logs.
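Because a PTR record alone can be set to any name by whoever controls the reverse zone, a log reviewer should not trust a bare "scanner.scanning.services.ncsc.gov.uk" hostname and should instead confirm that the name resolves back to the source address (forward-confirmed reverse DNS). The following is an added example, not NCSC's code or guidance; the log lines, IP addresses (documentation ranges) and the fake resolvers are constructed for the demonstration, since the page does not list NCSC's actual scanner addresses.

```python
import socket

# Domain name the page says NCSC's scanning hosts are assigned.
NCSC_SCANNER_HOST = "scanner.scanning.services.ncsc.gov.uk"

def reverse_lookup(ip):
    return socket.gethostbyaddr(ip)[0]       # PTR name; raises OSError if none

def forward_lookup(name):
    return socket.gethostbyname_ex(name)[2]  # A records; raises OSError if none

def is_ncsc_scanner(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Forward-confirmed reverse DNS: the PTR name for ip must be the NCSC
    scanner name AND that name must resolve back to the same address."""
    try:
        ptr = reverse(ip).rstrip(".").lower()
    except OSError:
        return False                         # no PTR record at all
    if ptr != NCSC_SCANNER_HOST:
        return False
    try:
        return ip in forward(ptr)            # reject spoofed PTR records
    except OSError:
        return False

def triage(log_lines, reverse=reverse_lookup, forward=forward_lookup):
    """Split access-log lines (client IP is the first field) into NCSC and other."""
    ncsc, other = [], []
    for line in log_lines:
        ip = line.split(" ", 1)[0]
        (ncsc if is_ncsc_scanner(ip, reverse, forward) else other).append(line)
    return ncsc, other

# Constructed sample data using documentation IP ranges, not NCSC's real addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Nov/2022:09:14:01 +0000] "GET / HTTP/1.1" 200 612',
    '198.51.100.7 - - [02/Nov/2022:09:14:05 +0000] "GET /admin HTTP/1.1" 404 153',
    '203.0.113.5 - - [02/Nov/2022:09:14:09 +0000] "GET /index.html HTTP/1.1" 200 612',
]
FAKE_PTR = {"192.0.2.10": NCSC_SCANNER_HOST,    # genuine: forward record matches
            "198.51.100.7": NCSC_SCANNER_HOST}  # spoofed PTR: no matching A record
FAKE_A = {NCSC_SCANNER_HOST: ["192.0.2.10"]}

def fake_reverse(ip):                        # stand-in for reverse_lookup (offline)
    if ip not in FAKE_PTR:
        raise socket.herror(1, "no PTR record")
    return FAKE_PTR[ip]

def fake_forward(name):                      # stand-in for forward_lookup (offline)
    return FAKE_A[name]
```

Run `triage(SAMPLE_LOG, fake_reverse, fake_forward)` to see only the genuine entry classified as NCSC; drop the two fake arguments to query real DNS.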
NCSC allows UK individuals and organisations to opt out of having their hosts scanned by this project. Opting out involves contacting scanning@ncsc.gov.uk with the range of public IP addresses to be excluded; after a validation process to confirm ownership of the claimed IP ranges, the hosts will be removed from the automated scanning process.
This is a brilliant initiative by NCSC, which will especially benefit sole traders and small companies that cannot afford to budget for independent vulnerability scanning. NCSC has a proven track record of warning system owners about threats, such as the Log4j alert published by NCSC on the 10th of December 2021, only one day after the vulnerability was publicly disclosed. Warnings sent directly to owners of systems found to be vulnerable to zero-day vulnerabilities such as Log4j would be a great call to action, resulting in more rapid responses to zero-days in the future.