The UK's National Cyber Security Centre (NCSC) released a public statement on November the 1st detailing its newly introduced vulnerability scanning process. In this statement, the NCSC announced that it will be carrying out automated vulnerability scanning against all internet-connected devices hosted in the UK.
As scanning on this scale conducted by an intelligence agency is likely to attract attention and could lead the public to draw the wrong conclusions, NCSC is attempting to be as open as it can about what it is doing as part of this program and how it will develop it in the future.
Data Collection and Storage
Regarding data collection and storage, NCSC have stated that any data returned in a service response will be stored. Other relevant data, such as the date and time of the record and the IP address of the destination host, will also be stored. Service scans are described as purpose-built and will not attempt to extract unnecessary data from the scanned hosts. In the event that personally identifiable information is collected (excluding source IP addresses), NCSC will follow a data removal/anonymisation process and will attempt to prevent this data from being captured by future scans.
Source of Scanning
Scanning done by NCSC as part of this campaign is currently stated to originate from two cloud-based hosts:
These hosts are assigned the domain name scanner.scanning.services.ncsc.gov.uk, and the scan probes attempt to identify themselves as originating from NCSC, which is expected to show up in service logs.
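As an added example (not code from the post or from NCSC), the following Python script triages web access log lines for requests that identify themselves with the scanner hostname above. The post does not say which field carries the identification, so the script assumes it appears in the User-Agent string; the log lines, IP addresses (RFC 5737 documentation ranges) and DNS answers are all constructed for the example. Because any client can put that hostname in a User-Agent, the script also performs a forward-confirmed reverse DNS check before treating a request as genuine NCSC scanner traffic rather than something merely claiming to be.

```python
import re
import socket
from typing import Dict, List, Tuple

# Hostname the post says the scanning hosts are assigned.
NCSC_SCANNER_HOST = "scanner.scanning.services.ncsc.gov.uk"

# Combined-format web access log:
# ip ident user [time] "request" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic). Assumption: the scanner's
# hostname appears in the User-Agent string.
SAMPLE_LOG = [
    '203.0.113.10 - - [02/Nov/2022:09:15:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; scanner.scanning.services.ncsc.gov.uk)"',
    '198.51.100.7 - - [02/Nov/2022:09:16:44 +0000] "GET /login HTTP/1.1" 200 734 "-" '
    '"Mozilla/5.0 (compatible; scanner.scanning.services.ncsc.gov.uk)"',
    '192.0.2.44 - - [02/Nov/2022:09:17:02 +0000] "GET /about HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/106.0"',
]

# Constructed DNS answers so the example runs offline: only 203.0.113.10 is
# forward-confirmed as the scanner host; 198.51.100.7 has no PTR record at all.
FAKE_PTR: Dict[str, str] = {"203.0.113.10": NCSC_SCANNER_HOST + "."}
FAKE_A: Dict[str, List[str]] = {NCSC_SCANNER_HOST: ["203.0.113.10"]}


def fake_ptr(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def fake_a(host: str) -> List[str]:
    return FAKE_A.get(host, [])


def live_ptr(ip: str) -> str:
    """Real reverse lookup (network access required)."""
    return socket.gethostbyaddr(ip)[0]


def live_a(host: str) -> List[str]:
    """Real forward lookup (network access required)."""
    return socket.gethostbyname_ex(host)[2]


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def claims_ncsc(entry: dict) -> bool:
    """The request says it comes from the NCSC scanner; anyone can put that string in a UA."""
    return NCSC_SCANNER_HOST in entry["ua"].lower()


def verify_origin(ip: str, ptr_lookup, a_lookup) -> bool:
    """Forward-confirmed reverse DNS: PTR(ip) must be the scanner host and A(host) must contain ip."""
    try:
        host = ptr_lookup(ip).rstrip(".").lower()
        return host == NCSC_SCANNER_HOST and ip in a_lookup(host)
    except OSError:
        return False


def triage(lines, ptr_lookup=live_ptr, a_lookup=live_a) -> List[Tuple[str, str, str]]:
    """Return (ip, request, verdict) for every line that claims to be the NCSC scanner."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not claims_ncsc(entry):
            continue
        verified = verify_origin(entry["ip"], ptr_lookup, a_lookup)
        verdict = "ncsc-verified" if verified else "claims-ncsc-unverified"
        findings.append((entry["ip"], entry["req"], verdict))
    return findings


if __name__ == "__main__":
    for ip, req, verdict in triage(SAMPLE_LOG, fake_ptr, fake_a):
        print(f"{ip:15} {verdict:24} {req}")
```

Against real logs, call triage() with the default live_ptr and live_a lookups; the fake lookups exist only so the example is reproducible offline. Requests that carry the hostname but fail the DNS confirmation deserve the same scrutiny as any other unsolicited scan.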
NCSC allows UK individuals and organisations to opt out of having their hosts scanned by this project. The process of opting out involves contacting email@example.com with the public IP range(s) to be excluded; after a validation process to confirm ownership of the claimed IP ranges, the hosts will be removed from the automated scanning process.
This is a brilliant program initiative by NCSC, which will especially benefit sole traders and small companies that cannot afford to budget for independent vulnerability scanning. NCSC has a proven track record of warning system owners about threats, such as the Log4j alert published by NCSC on the 10th of December 2021, only one day after the vulnerability was publicly disclosed. Warnings sent directly to owners of systems found to be vulnerable to zero-day vulnerabilities such as Log4j would be a great call to action, resulting in more rapid responses to zero-days in the future.