Welcome to Police CyberAlarm
Helping organisations monitor and report the malicious activity they face from the Internet
Police CyberAlarm is a free tool to help members understand and monitor malicious cyber activity. This service is made up of two parts; monitoring and vulnerability scanning.
Police CyberAlarm acts as a “CCTV camera” monitoring the traffic seen by a member’s connection to the internet. It will detect and provide regular reports of suspected malicious activity, enabling organisations to minimise their vulnerabilities. The data collected by the system does not contain any content of the traffic. The system is designed to protect personal data, trade secrets and intellectual property.
Members of Police CyberAlarm will become part of the wider UK cyber defence network, sharing collected data with Police for analysis at local, regional and national levels to identify trends, react to emerging threats and identify, pursue and prosecute cyber criminals.
Vulnerability Scanning can be added and used to scan an organisations website and external IP addresses, providing regular reports of all known vulnerabilities.
Police CyberAlarm members install a CyberAlarm Virtual Server on their premises which will be used to collect and process traffic logs from their firewall/internet gateway. Police CyberAlarm Virtual Server is easy to install using the downloadable virtual appliance, offering one-click installation.
Once a CyberAlarm Virtual Server has been installed it will securely collect, analyse and feed data back to the Police CyberAlarm Server. The data sent only includes metadata (logs) from internet facing gateways and devices such as External Firewalls.
Data received by the Police CyberAlarm Server is then used to create regular reports on potential malicious activity seen by individual members as well as reports containing threat trends seen across the member network. Members can then use this reported intelligence to update their defences to better protect themselves from cyber threats.
Finally, this data is also used by the Police Cybercrime Units to enhance the UK cyber crime threat picture, enabling them to identify, pursue and prosecute cyber criminals.
Members of Police CyberAlarm receive weekly or monthly reports detailing activity discovered on their devices. This report provides details of potential attacks for further investigation and also enables member organisations to minimise their vulnerabilities.
Police CyberAlarm data is used to provide feeds detailing the latest threats discovered giving Member organisations the ability to update blacklists and other security measures to include new IP addresses and other relevant information to strengthen security.
Police CyberAlarm Vulnerability Scanning can be used to scan an organisations website and external IP addresses for known vulnerabilities. These regular reports can help increase an organisations cyber security, helping protect from known suspicious activity.
Group IT, IG, Vendor Manager at Christchurch Group
The report we receive from the Police CyberAlarm has been invaluable, not only are we able to block IP’s attempting malicious attacks, it also helps inform our Board of Directors of the scale of the problem in a non-technical way. This ensures that resources within the business can be directed proportionately and appropriately.
LGSS at Northamptonshire County Council
Police CyberAlarm was implemented with ease and provides essential proactive intelligence of external cyber security threats. With the regular reporting received from Police CyberAlarm, we are now equipped to secure against any new vulnerabilities as they are detected.
How is Police CyberAlarm Installed?
There are two options available for the installation of Police CyberAlarm;
- VMWare Virtual Appliance - simply copy and paste the provided URL into VMWare's management console.
- As a software installation on a Linux device - requires CentOS 7 Minimal on either a physical or virtual device.
Full instructions are provided once you receive your code to join Police CyberAlarm.
What data does Police CyberAlarm collect?
Police CyberAlarm collects metadata (logs) relating to the suspicious activity from internet facing gateways such as Firewalls. They are simply logs about how data was sent/received through your internet gateway (IP Addresses for external connections, amount of data transferred and the port used to process the data, date and time).
These messages do not contain any of your organisation’s data. The system is designed to protect personal data, trade secrets and intellectual property.
What is suspicious activity?
Police CyberAlarm identifies suspicious activity as network traffic which is blocked by the member organisations firewall or that is believed to be unwanted. This will include activity where the suspect is attempting to scan for vulnerable ports or making repeated attempts to gain access to an organisation’s system using known attack methods.
Who has access to the data collected?
The data collected by Police CyberAlarm is viewable only by Police and may be shared with other law enforcement agencies including the NCA (National Crime Agency) and partners including the NCSC (National Cyber Security Centre).
What is done with the data collected?
Data received by the CyberAlarm sever is used to create regular reports on suspicious and potential malicious activity seen by individual members, as well as reports identifying threat trends seen across the member network. Members can use this reported intelligence to update their defences to better protect themselves from cyber threats.
This data is also used to evaluate and track trends in cybercrime. Helping Police to; Prepare and Protect Organisations, Pursue and Prosecute cyber criminals. Making the UK secure and resilient to cyber threats, prosperous and confident in the digital world.
What restrictions will be placed on the use of such data?
Only communications data pertaining to suspicious activity will be collected and, to the extent that any data is mis-identified, this will not be stored and will be erased as soon as possible. Restrictions will be imposed in relation to the use of data collected to ensure compliance with legal obligations.
What is included in the reports?
Police CyberAlarm reports summarise suspicious traffic and potential attacks, visible to your organisation, from the Internet. Details include the top sources of suspicious traffic and the ports that malicious users are trying to use for their attacks against your systems.
The data is split into two categories, suspicious activity originating from within the UK and suspicious activity from outside the UK.
Police CyberAlarm reports show member organisations how they are being attacked, and where from, so they can better protect themselves. We aim to work with member organisations to ensure they are making the most of the data collected.
How long will Police CyberAlarm store the data for?
Logs collected by Police CyberAlarm are analysed by the collector as they are received, to remove any obviously non-malicious logs, these events are not sent to the central server. Once logs arrive at the central server, they are analysed within minutes (even seconds) of the event being received by the collector to determine if these logs are malicious.
For example, a log which is a request to connect using port 3389 may be deemed as non-malicious. However, if the central server correlates that the same IP address made rejected requests to port 3388, 3387, 3386, etc. then this would become part of a potentially malicious port scan.
Any log which, following analysis, at both the CyberAlarm Virtual Server and the Central Server is still deemed to be non-malicious within a maximum of 24 hours (system up time) within arrival at the Central Server will be removed.
If a log file which has been deemed as suspicious has no further linked activity within a 9 month period the relevance of the data is reduced and its retention is no longer considered to be necessary or proportionate and as such is deleted.
Why does anything need to be installed onsite?
The log messages from internet facing devices are not encrypted. To ensure security Police CyberAlarm system installs a small collector on your network. Typically this would be installed within your DMZ to gather the data from suspicious and /or malicious traffic. The data is then encrypted and compressed before being securely transmitted to the CyberAlarm central processing servers.
Does Police CyberAlarm need to be installed on every device in the organisation?
No, Police CyberAlarm is a stand-alone system which sits in its own server environment. The collector gathers and encrypts the suspicious data from your internet gateway before sending it back to the central Police CyberAlarm processing servers. No software need be installed on any other devices and multiple gateways can feed data to a single Police CyberAlarm collector.
How does Police CyberAlarm handle VPN/encrypted bits of traffic?
As Police CyberAlarm does not collect the any of the transmitted data, encrypted data and VPN traffic has no impact on the ability of the Police CyberAlarm system to collect the Metadata of suspicious traffic.
Does the Police CyberAlarm system take any action to prevent attacks?
Police CyberAlarm is a monitoring system and as such does not interfere with any of the traffic on your internet gateways.
Police CyberAlarm does not take any automated action against any identified suspicious activity. It is a reporting and alerting system only, which enables UK Police to identify and take action against cyber threats and allows member organisation to better inform their cyber security posture.
Responsibility for decisions on how to action any reported data is solely owned by the member organisation.
How is the data transferred to the Police CyberAlarm (PCA) system?
Data on the Police CyberAlarm data collector is compressed and encrypted on the collector (256bit AES), then uploaded to the Police CyberAlarm servers over HTTPS, an encrypted web connection.
Does a Police CyberAlarm Member Organisation require a static IP address?
Member organisations do NOT require a static IP address. There is no requirement for communication from the Police CyberAlarm server to the Police CyberAlarm Collector and therefore no static IP address is required.
How is the Police CyberAlarm data collector updated?
When the Police CyberAlarm collector connects to the Police CyberAlarm servers the software updates itself automatically.
If updates are required to the operating system of the device the Police CyberAlarm collector runs on, an email is sent to the Member administrator with full instructions.
What are the system requirements for the Police CyberAlarm data collector?
Most recent business PCs are more than capable of independently running a Police CyberAlarm data collector. The most frequently used method is to install the Police CyberAlarm Data collector using a VMWare virtual appliance.
(Hardware spec for the appliance - 2 CPU Cores, 2GB RAM and 25GB Disk space)
Become a Member
If you would like to become part of Police CyberAlarm and start recieving regular security updates and reports to help you and others gain a better understanding of current threats, then register here