Cyber attacks are inevitable, regardless of the size of a business or the sector it operates in. Cyber criminals will try their luck with any business connected to the internet. But as Andy Pearch, Head of IA Services, CORVID explains, there are steps that businesses can take to keep them as safe as possible from danger. As we stand in the last quarter of 2019, it's time for businesses to address 10 common security mistakes.
1. Assuming a Cyberattack won’t happen
Any business could be attacked. It’s important for businesses to prepare their IT estate for compromise, so in the event of an attack, they’re able to limit the damage that can be done to their operations, finances and reputation. There’s an assumption that cybersecurity is a problem to be dealt with by the IT department but in reality, every user is responsible. The more aware users are of the risks, the more resilient a business can become.
2. Poor Password Management
Passwords aren’t going away any time soon, but there are additional measures that can be taken to avoid them being compromised. Use strong, unique passwords and ensure all users do the same – the NCSC’s guidance encourages using three random words. Additionally, implement two-factor authentication (2FA) on internet-facing systems and all remote access solutions, and for privileged users and requests to sensitive data repositories. For both professional and personal life, making use of a password manager requires remembering only one strong, unique password instead of lots of them.
3. Inadequate Backup
If the IT estate is compromised and data lost, can it be retrieved? Implement a rigorous backup regime to ensure business-critical data can be recovered if the business is attacked. Store this backed up data in multiple secure locations, including an ‘offline’ location where infected systems can’t access it. Regularly test that backups are being done correctly and that data restoration procedures work as intended.
4. Reactive rather than Proactive Strategies
Some attacks bypass firewalls and anti-virus programmes, so businesses need to proactively hunt across their systems for signs of compromise that these traditional controls have not picked up. The longer an adversary sits on a network undetected, the more damage they can do. Email is the single biggest attack vector, so apply the same proactive approach to the email client. Firewalls and email security gateways can block known malicious senders and strip attachment types commonly used to deliver malware (executables, scripts and macro-enabled documents, for instance) before they reach a user's inbox. A block list keyed on the filename extension alone is not enough, though: an executable renamed to look like a document keeps its executable header, so a gateway should also inspect the content.
5. Generic User Privileges
Users should only be permitted access to the information they need to do their job. Limit the number of privileged user and admin accounts. For IT admins, adopt a least-privilege approach and consider using a privileged access management solution to restrict access throughout the network. The more users who have access to privileged information, the more targets there are for cyber criminals, and the more likely they are to succeed as a result.
Additionally, all accounts should be monitored for unusual activity. If a user is accessing files or drives they have no reason to be interacting with or have never interacted with before, such activity should prompt a review. Keep a record of all accounts each user has access to, and remove their permissions as soon as they leave the company.
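The two account checks described above, as an added Python example that is not part of the article: a baseline of which file shares each user normally touches is built from a week of constructed access-log lines, then the day under review is checked for a user reaching a share they have never used before and for any activity from an account whose owner has left. The log format, users, shares and leavers list are all constructed for the example.

```python
"""Flag account activity that breaks a user's own access pattern.

Added example, not code from the article. Two checks run over a constructed
file-server access log: a user touching a share they have never used before,
and any activity from an account whose owner has left the company (which
should have been disabled). Log format, users, shares and dates are made up.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import DefaultDict, Iterable, List, Set

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) share=(?P<share>\S+) action=(?P<action>\S+)$"
)

# Constructed log: one week of normal use, then the day under review (21 Oct).
SAMPLE_LOG = r"""
2019-10-14T09:02:11 user=alice share=\\fs01\finance action=read
2019-10-14T09:15:40 user=alice share=\\fs01\shared action=read
2019-10-14T10:01:05 user=bob share=\\fs01\engineering action=write
2019-10-15T08:55:19 user=bob share=\\fs01\shared action=read
2019-10-15T11:20:33 user=carol share=\\fs01\hr action=read
2019-10-16T14:03:27 user=alice share=\\fs01\finance action=write
2019-10-21T09:05:02 user=alice share=\\fs01\finance action=read
2019-10-21T09:44:51 user=bob share=\\fs01\hr action=read
2019-10-21T09:46:13 user=bob share=\\fs01\hr action=read
2019-10-21T13:12:09 user=carol share=\\fs01\hr action=read
2019-10-21T15:30:00 user=alice share=\\fs01\shared action=read
""".strip().splitlines()

REVIEW_START = datetime(2019, 10, 21)
LEAVERS: Set[str] = {"carol"}  # constructed: carol left on 18 Oct, account never disabled


def parse(lines: Iterable[str]) -> List[dict]:
    """Turn raw log lines into event dicts with a parsed timestamp."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real pipeline would count unparseable lines as a health signal
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def build_baseline(events: List[dict], before: datetime) -> DefaultDict[str, Set[str]]:
    """Per user, the set of shares touched during the learning window."""
    baseline: DefaultDict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["ts"] < before:
            baseline[e["user"]].add(e["share"])
    return baseline


def detect(events: List[dict], baseline: DefaultDict[str, Set[str]],
           leavers: Set[str], start: datetime) -> List[dict]:
    """Raise an alert for departed-account activity and first-seen share access."""
    alerts = []
    for e in events:
        if e["ts"] < start:
            continue
        if e["user"] in leavers:
            # Any use of a leaver's account is suspicious regardless of target.
            alerts.append({"rule": "departed-account-activity", **e})
            continue
        known = baseline[e["user"]]
        if e["share"] not in known:
            alerts.append({"rule": "first-seen-share", **e})
            known.add(e["share"])  # alert once per (user, share) until reviewed
    return alerts


def run_detection() -> List[dict]:
    events = parse(SAMPLE_LOG)
    baseline = build_baseline(events, REVIEW_START)
    return detect(events, baseline, LEAVERS, REVIEW_START)


if __name__ == "__main__":
    for a in run_detection():
        print(f"{a['ts'].isoformat()} {a['rule']}: {a['user']} -> {a['share']} ({a['action']})")
```

On the sample data this produces two alerts: bob's first access to the HR share (reported once, even though he reads it twice) and carol's activity after she left. The baseline is the simplest possible model; in practice it would be built over a longer window and refreshed as reviews confirm legitimate new access.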
6. Poorly Configured and Out of Date Systems
Environments that are not configured securely can enable malicious users to obtain unauthorised access. It’s therefore imperative to ensure the secure configuration of all systems at all times. Regular vulnerability assessments should be scheduled to identify weaknesses in the IT infrastructure that would leave an organisation open to exploitation. The results should be used to define detection and response capabilities and ascertain if an outsourced managed security provider is needed. To avoid allowing malicious access through unpatched vulnerabilities, apply security patches regularly and keep all systems and applications up-to-date.
7. No Remote Working Policy
If users in the business work on the move or from home, it's important to have policies in place that will protect any sensitive corporate or personal data in the event of a mobile device being lost, stolen or compromised. Many corporate mobile devices – laptops, phones and tablets – not only contain locally saved sensitive data but are also connected to the company's internal network through VPNs and workspace browsers, giving attackers a direct route to the heart of a business. To enforce secure remote working practices, employ a suitable and robust enterprise mobile management solution and policy, applying your secure baseline and build to all devices.
8. Inconsistent Monitoring
By not monitoring their systems, businesses could be overlooking opportunities that attackers won’t miss. Continuously monitor all systems and networks to detect changes or activities that could lead to vulnerabilities. Consider setting up a security operations centre (SOC) to monitor and analyse events on computer systems and networks.
9. Creating an Incident Response when it’s too late
There is a simple answer for businesses that don’t have an incident response plan: write one! Make it specific and ensure it accurately reflects the company’s risk appetite, capabilities and business objectives. Being adequately prepared for a security breach will go a long way towards minimising the business impact. This incident response plan should be tested on a regular basis, using a variety of different scenarios, to identify where improvements can be made.
10. Putting Users as the First Line of Defence
Humans make mistakes, and no amount of training will negate that. Most users can’t be trained in complex IT processes, simply because they’re not IT experts. It’s unrealistic and unfair to expect otherwise. Invest in cyber security solutions that remove the burden of being on the frontline of email security defence, allowing users to get on with their day jobs.
Conclusion
These ten cyber security mistakes might be common, but they don’t have to be accepted as the norm. By taking the first step of assuming that all organisations are vulnerable to an attack, businesses can consequently focus on putting cyber security strategies in place that are proactive and consistent and that use technology to keep the business resilient against a backdrop of a constantly evolving cyber landscape.
Thursday, 24 October 2019
Tuesday, 22 October 2019
Think before you Click
From regulatory compliance to safeguarding Intellectual Property (IP), companies are increasingly concerned about the risk of inadvertent data loss as a result of employee mistakes. And for good reason: with so much communication reliant upon email, human error is now the primary cause of data breaches. Indeed, growing numbers of organisations have introduced a ‘one strike’ policy; accidentally sending an email to the wrong person, or adding an incorrect attachment, has become a sackable offence.
While understandable, to a degree, this is hardly a supportive strategy. Humans make mistakes – and stressed, tired employees will make even more mistakes. Adding the pressure of losing your job, is potentially counterproductive. Employees already spend almost two days of each working week reading, deleting, responding to and creating emails – what they need is a way to avoid mistakes, a chance to check before they send. Andrea Babbs, Head of Sales, VIPRE SafeSend, explains how a simple second check for users will help to keep personal and sensitive data more protected with a layered approach.
Employee Threat
Business reliance on email is creating a very significant cyber security risk – and not simply due to the increasing volume and sophistication of phishing attacks. Email is the number one threat vector in organisations and the cause of nearly all data breaches, as confirmed by the Identity Theft Resource Center. It will come as no surprise to those who have experienced the stress and fear of mistakenly sending an email to the wrong person, or adding the wrong attachment, that the Center’s March 2019 breach report[i] cited employee error as the number one cause of data breach or leakage.
Given the sheer volume of email, mistakes are inevitable. According to McKinsey, the average worker today spends nearly a third of their working week on email[ii]. Employees are increasingly trusted with company-sensitive information, assets, and intellectual property. Many are permitted to make financial transactions – often without requiring any further approval. Given the data protection requirements now in place, not only GDPR but also industry specific regulation as well as internal compliance, organisations clearly require robust processes to mitigate the risk of inadvertent data loss.
But is a strategy that simply imposes stringent penalties – including dismissal – on employees for mis-sent emails without providing any form of support going to foster a positive culture? What employees require is a way to better manage email, with a chance for potential mistakes to be flagged before an individual hits send.
Imposing Control
While businesses now recognise that any employee, at any time, is a cyber security threat, few recognise that there is a solution that can add a layer of employee security awareness. Businesses can help employees avoid simple mistakes, such as misaddressed emails, by providing a simple safety check. Essentially, before any email in Microsoft Outlook is sent, the user gets a chance to confirm both the identity of the addressee(s) and, if relevant, any attachments. Certain domains – such as the company and/or parent company – can be added to an allow list, if the business is happy for users to email internally without checking. Or the solution can be deployed on a department by department, even user by user basis. A business may not want HR to be able to mistakenly send sensitive personal information to anyone internally and therefore require a confirmation for all emails. Similarly with financial data, even marketing data at certain times – such as in the run up to a highly sensitive new product launch.
In addition to confirming the validity of email addresses and attachment(s), the technology can also check for key words within the email. Each business will have its own requirements – in addition to common terms such as confidential or private, or regular expressions to cover broader terms such as credit card numbers or National Insurance numbers, a company may opt to set key product ingredient names as keywords to prevent data loss. Any emails – including attachments – containing these key words will be flagged, requiring an additional confirmation before they are sent, and providing users a chance to double check whether the data should be shared with the recipient(s).
Reinforcing Good Practice
This simple chance to check before you send provides an essential opportunity to minimise accidental data loss, whilst reinforcing compliance credentials. Accidentally CCing a customer rather than the similarly named colleague will be avoided because the customer’s domain name will not be on the allow list and therefore automatically highlighted. Appending a confidential marketing document to an email, rather than a product list, will be flagged. And with a full audit trail, the IT security team has full visibility of the emailing decisions made by employees.
This is key: rather than an overtly punitive approach, companies can reinforce a security culture, building on education and training with a valuable tool that helps individuals avoid the common email mistakes that are inevitable when people are rushing, tired or stressed. It provides an essential ‘pause’ moment, enabling individuals to feel confident that emails have been sent to the right people and with the right attachments.
Indeed, in addition to providing a vital protection against email mistakes, this approach can also help users spot phishing attacks – such as the email that purports to come from inside the company, but actually has a cleverly disguised similar domain name. If an employee responds to an email from V1PRE, for example, as opposed to VIPRE, thinking it genuinely comes from inside the business, the technology will automatically flag that email when it identifies that it is not an allowed domain, enabling the user to cancel send and avoid falling for the phishing attack.
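The pre-send checks described in this article (allow-listed domains, lookalike domains such as V1PRE for VIPRE, and keyword or pattern matching across the body and attachments) can be sketched in a few dozen lines. The following Python is an added example, not VIPRE SafeSend's code: it treats vipre.com as the allow-listed internal domain, flags recipient domains within one edit of it as lookalikes, requires confirmation for any other external domain, and scans subject, body and attachment text for configured keywords, UK National Insurance numbers and Luhn-valid card numbers. The message, allow list and keyword list are constructed for the demo.

```python
"""Pre-send check for outbound email: recipients and content.

Added example, not VIPRE SafeSend's code. Recipient domains are compared with
an allow list (exact match = internal; one edit away = lookalike; anything
else = external). Subject, body and attachment text are scanned for keywords,
UK National Insurance numbers and Luhn-valid card numbers. Every hit becomes a
warning the user must acknowledge before the mail leaves the client.
All addresses, keywords and message content below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class OutboundMail:
    recipients: List[str]
    subject: str
    body: str
    attachments: List[Tuple[str, str]] = field(default_factory=list)  # (filename, extracted text)


ALLOWED_DOMAINS: Set[str] = {"vipre.com"}        # constructed allow list, per the article's example
KEYWORDS: List[str] = ["confidential", "private"]  # constructed keyword list

# 13-19 digits, optionally separated by spaces or hyphens, e.g. "4111 1111 1111 1111".
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK National Insurance number: two letters, six digits, suffix A-D, spaces optional.
# First letter may not be D, F, I, Q, U or V; the second additionally may not be O.
NI_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit, so order numbers that merely look like cards are ignored."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one substitution turns vipre.com into v1pre.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """'Jane Smith <j.smith@example.com>' -> 'example.com'."""
    return address.rstrip(">").rsplit("@", 1)[-1].strip().lower()


def classify_domain(domain: str, allowed: Set[str]) -> str:
    if domain in allowed:
        return "internal"
    if any(levenshtein(domain, good) <= 1 for good in allowed):
        return "lookalike"
    return "external"


def scan_text(where: str, text: str, keywords: List[str]) -> List[Tuple[str, str]]:
    """Content checks for one piece of text (subject, body or an attachment)."""
    warnings = []
    if keywords:
        kw_re = re.compile(r"\b(" + "|".join(re.escape(k) for k in keywords) + r")\b", re.IGNORECASE)
        for m in kw_re.finditer(text):
            warnings.append(("keyword", f"{where}: '{m.group(1)}'"))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            warnings.append(("card-number", f"{where}: card ending {digits[-4:]}"))
    for m in NI_RE.finditer(text):
        warnings.append(("ni-number", f"{where}: {m.group(0)}"))
    return warnings


def check_outbound(mail: OutboundMail, allowed: Set[str], keywords: List[str]) -> List[Tuple[str, str]]:
    """All warnings the user must confirm before the message is sent."""
    warnings = []
    for rcpt in mail.recipients:
        kind = classify_domain(domain_of(rcpt), allowed)
        if kind == "lookalike":
            warnings.append(("lookalike-domain", f"{rcpt} resembles an allow-listed domain"))
        elif kind == "external":
            warnings.append(("external-recipient", rcpt))
    warnings += scan_text("subject", mail.subject, keywords)
    warnings += scan_text("body", mail.body, keywords)
    for name, text in mail.attachments:
        warnings += scan_text(f"attachment {name}", text, keywords)
    return warnings


# Constructed message: one internal, one lookalike and one external recipient.
SAMPLE = OutboundMail(
    recipients=["finance@vipre.com", "Jane Smith <j.smith@v1pre.com>", "colin@customer-example.co.uk"],
    subject="Q4 forecast - Confidential",
    body=("Card on file 4111 1111 1111 1111, order ref 1234 5678 9012 3456. "
          "Employee NI number AB 12 34 56 C attached for payroll."),
    attachments=[("forecast.csv", "region,revenue\nUK,1200000\n"),
                 ("board-notes.txt", "PRIVATE: headcount changes planned for Q1")],
)

if __name__ == "__main__":
    for rule, detail in check_outbound(SAMPLE, ALLOWED_DOMAINS, KEYWORDS):
        print(f"{rule:20} {detail}")
```

The sample produces six warnings: the lookalike domain, the external recipient, the keyword in the subject, one card number (the order reference fails the Luhn check and is not reported), the NI number, and the keyword inside an attachment. A mail with only an internal recipient and no matching content produces none, which is the "send without interruption" path the article describes for allow-listed domains.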
Conclusion
Accidental data leakage is a significant yet apparently inevitable risk when business communication is so reliant upon email – with serious implications of reputational damage, IP loss, compliance breach and the associated financial costs. When it comes to minimising such errors, user education is important. Email culture is essential. But there is only so much humans can do.
Providing a technology that alerts users when they are potentially about to make a mistake – either by sending an email to the wrong person or sharing potentially sensitive information about the organisation, its customers or employees – not only minimises errors, it helps to create a better email culture. The premise is not to add time or delay in the day to day management of email; it is about fostering an attitude of awareness and care in an area where a mistake is easily made.
By enabling users to make an informed decision about the nature and legitimacy of their email before acting on it, organisations can now mitigate against this high risk area, while reinforcing compliance credentials.
Tuesday, 15 October 2019
The Increasing UK Cyber Skills Gap
As organisations throughout the UK embrace Cyber Security Awareness Month, Intelligencia Training looks at why businesses are continuing to battle an increasing cyber skills gap.
Following an audit in 2018, the UK government recently announced plans to conduct its second audit into the state of the country’s cyber security workforce. The initial audit published last year found that more than half of UK businesses had a “basic technical cyber security skills gap”.
These findings did not come as a surprise to Intelligencia, whose qualifications include the UK’s highest levels of vocational training available in intelligence and the only cyber security awareness programme with an official UK Government-regulated qualification attached. The company explains that many organisations are overlooking the key weakness in their security infrastructure: their staff.
With IT infrastructure becoming more robust and cyber threats from social engineering and spear phishing increasing, cyber security should be just as much the responsibility of the wider workforce, as it is those in IT and network security. Even more so when you consider that over 90% of successful cyber breaches are facilitated by human error and a lack of general cyber security awareness.
One report found that between April and June 2019, UK businesses faced an average of 146,000 attempted cyber-attacks.
So how do we counter the threat?
Intelligencia highlight that social engineering and phishing are responsible for over 85% of human error breaches and that businesses need to educate the wider workforce – the prime target for cyber criminals – to identify and prevent such attacks.
The specialist training provider further explains that while some have taken action on increasing cyber security awareness, the assessments and training used are commonly ineffective.
Many organisations fail to recognise the true sophistication of professional attacks and monitor awareness levels through generic assessments, such as mass phishing tests based on click-rate, and limit training to more traditional programmes, which often become outdated the moment a learner completes the course.
Learning and development shouldn’t end on course completion and providing staff with a sustainable solution to cyber security awareness in an ever-evolving landscape is key. New threats evolve daily and it is essential that awareness is sustained to minimise the risk of a breach.
About Intelligencia 'Cyber Stars' Training: Intelligencia Training are cyber security specialists that operate within both the public and private sectors. They continue to deliver the leading Cyber Stars Initiative to a wide range of high-profile organisations to support them in increasing cyber security resilience.
For further information on the Cyber Stars Initiative, visit www.intelligenciatraining.com/cyber-stars or contact info@intelligenciatraining.com.
Monday, 14 October 2019
Network Security Observability & Visibility: Why they are not the same
Guest article by Sean Everson, Chief Technology Officer at Certes Networks
In today’s increasingly complex cyber landscape, it is now more important than ever for organisations to be able to analyse contextual data in order to make informed decisions regarding their network security policy. This is not possible without network observability. Organisations can now see inside the whole network architecture to explore problems as they happen. Observability is a property of the network system and should not be confused with visibility which provides limited metrics for troubleshooting.
With observability, organisations can make the whole state of the network observable and those limitations no longer exist. Observability provides the contextual data operators need to analyse and gain new and deeper insights into the network. This enables teams to proactively make more informed decisions to improve network performance and to strengthen their overall security posture because context is now available to troubleshoot incidents and make policy changes in real-time.
Unfortunately, observability is often miscommunicated and misunderstood, as visibility is repackaged by some vendors and sold as observability, when the two are not the same. Visibility and monitoring have an important role to play but observability is different. Visibility and the metrics it provides limits troubleshooting, whereas observability provides rich contextual data to gain deeper insights and understanding based on the raw data collected from the network or system.
Research puts the average lifecycle of a data breach at 279 days, which suggests that many organisations have yet to put observability into practice and adopt ‘observability as a culture’. In some well-known breaches the timescales were far longer. The Marriott International breach, disclosed in November 2018, involved attackers who had had access to the network since 2014. During that time no unusual activity was detected and no alerts about the intruders’ access were raised.
Additionally, in the British Airways data breach in 2018, data was compromised over a two-week period, affecting 500,000 customers. This resulted in the Information Commissioner's Office (ICO) announcing that it intended to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).
These two examples alone demonstrate how essential it is for organisations to begin to value the ability to understand their systems and behaviour by making their network observable.
Understanding Observability
Simply defined, observability is a measure of how well a system’s internal state can be inferred from what can be seen of it externally. Building for observability means creating applications with the expectation that someone will observe them, so that decisions about system access can be made on evidence. The right combination of contextual data gives a deeper understanding of how network policy is deployed and of every application that tries to communicate across the network. With that capability, attackers have a harder time making lateral ‘east-west’ movements or remaining hidden in the data centre or across the WAN. In turn, observability can provide a global view of the network environment and visual proof that the security strategy is effective and working.
Unfortunately, it is not uncommon for intrusions to go undetected in networks for days, weeks or months, and the longer an intruder goes unnoticed the more exposed the network becomes. Shortening that window requires every role, not just the network team, to be able to see inside the entire architecture. When that capability is built in, it is observability that gives greater insight into the overall reliability, impact and success of systems, their workload and their behaviour.
Conclusion
Research shows that companies that detect and contain a breach in less than 200 days spend £1 million less on its total cost. That is a figure no organisation can, or should, ignore. Organisations need a security capability that can be measured and traced. Observability provides the contextual data that lets them take measurable steps towards controlling access to the network environment. With this kind of observable analysis, organisations gain deeper insight into how to enhance their security policy and can detect unwanted access as it occurs.
In today’s increasingly complex cyber landscape, it is now more important than ever for organisations to be able to analyse contextual data in order to make informed decisions regarding their network security policy. This is not possible without network observability. Organisations can now see inside the whole network architecture to explore problems as they happen. Observability is a property of the network system and should not be confused with visibility which provides limited metrics for troubleshooting.
With observability, organisations can make the whole state of the network observable and those limitations no longer exist. Observability provides the contextual data operators need to analyse and gain new and deeper insights into the network. This enables teams to proactively make more informed decisions to improve network performance and to strengthen their overall security posture because context is now available to troubleshoot incidents and make policy changes in real-time.
Unfortunately, observability is often miscommunicated and misunderstood, as visibility is repackaged by some vendors and sold as observability, when the two are not the same. Visibility and monitoring have an important role to play but observability is different. Visibility and the metrics it provides limits troubleshooting, whereas observability provides rich contextual data to gain deeper insights and understanding based on the raw data collected from the network or system.
With research showing that the average lifecycle of a data breach is 279 days, it is clear that organisations are slowly putting observability into practice and adopting ‘observability as a culture’. In the case of some well-known breaches, however, the timescales were much longer than that. The Marriott International breach, which was discovered in November 2018, saw hackers freely access the network since 2014. During this time, no unusual activity was detected and no alerts of the hacker’s access were raised.
Additionally, in the British Airways data breach in 2018, data was compromised over a two-week period, affecting 500,000 customers. This resulted in the Information Commissioner's Office (ICO) announcing that it intended to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).
These two examples alone demonstrate how essential it is for organisations to begin to value the ability to understand their systems and behaviour by making their network observable.
Understanding Observability
Simply defined, observability is a measure of how well something is working internally, inferred from what can be seen externally. It means building applications on the assumption that someone will observe them, with the aim of strengthening the system and informing decisions about who and what may access it. The right combination of contextual data can be used to gain a deeper understanding of how network policy is deployed and of every application that tries to communicate across the network. With an observability capability, attackers will therefore have a hard time making lateral ‘east-west’ movements or remaining hidden in the data centre or across the WAN. In turn, observability can provide a global view of the network environment and visual proof that the security strategy is effective and working.
Unfortunately, it is not uncommon for intrusions to go undetected in networks for days, weeks or months, and network systems remain vulnerable for as long as an intruder stays unnoticed. To detect intrusions effectively, all roles need to be able to see inside the entire architecture. When this capability is built in, it is observability that provides greater insight into the overall reliability, impact and success of systems, their workload and their behaviour.
Conclusion
Research shows that companies that are able to detect and contain a breach in less than 200 days spend £1 million less on the total cost of a breach. That’s a figure no organisation can - or should - ignore. Organisations need a cyber security solution that can be measured and traced. Observability provides the contextual data so that organisations can take measurable steps towards controlling system access across the network environment. With this type of observable analysis, organisations can gain deeper insights into how to enhance their security policy and can detect unwanted access as it occurs.
Wednesday, 9 October 2019
NCSC Cyber Essentials Scheme to be Streamlined
The UK National Cyber Security Centre (NCSC) Cyber Essentials Scheme is to be streamlined from 1st April 2020, with IASME named as sole partner.
It will become easier for UK businesses to protect themselves from the most common cyber-attacks as the UK government-backed cybersecurity scheme is streamlined.
- The Cyber Essentials Scheme is supported by the UK government to help businesses guard against the most common cyber threats.
- Over 30,000 UK businesses have gained Cyber Essentials certification since its launch in 2014 and this number is growing year on year.
- Naming IASME as the sole Cyber Essentials partner will streamline and grow the Scheme and ensure it keeps pace with the changing nature of the cybersecurity threat.
Cyber Essentials Scheme launched in 2014
Since its launch in 2014 the Cyber Essentials Scheme has helped to protect over 30,000 UK businesses from the most common cyber-threats. NCSC and IASME are committed to growing the Scheme, recognising its role in helping to make the UK one of the safest places to live and do business online.
The Cyber Essentials Scheme was developed to protect organisations against low-level “commodity threats”. It focuses on the five most important technical security controls that businesses should have in place to prevent malicious attacks. These controls were identified by the government as those that, if they had been in place, would have stopped the majority of the successful cyber-attacks over the last few years.
The success of the Cyber Essentials Scheme means that it remains at the heart of the UK Government’s National Cyber Security Strategy, but an extensive consultation process highlighted the need to evolve the Scheme.
Since its launch, Cyber Essentials has been delivered through multiple Accreditation Bodies and their respective Certification Bodies. In order to simplify the customer experience and improve consistency, the NCSC have appointed a single Cyber Essentials partner to take over running the Scheme from 1st April 2020. This will make the Scheme easier to run on a day to day basis and streamline the development process to ensure Cyber Essentials remains relevant.
From now until 1st April 2020 the Scheme will be very much business as usual, with organisations able to gain accreditation from all five Accreditation Bodies.
The current Certification Bodies have been instrumental in the success of the Cyber Essentials Scheme. Existing Certification Bodies will be encouraged to apply to the new Cyber Essentials Partner to continue to provide Cyber Essentials as part of the revised scheme. The Scheme also welcomes new Certification Bodies or anyone from the cyber security industry interested in promoting the Scheme.
IASME Chief Executive, Dr Emma Philpott, MBE, said: “We are extremely excited about the prospect of working in partnership with the NCSC to develop and grow the Cyber Essentials scheme. We have seen such a positive effect already over the last 5 years where Cyber Essentials has increased the basic levels of security across all sectors. We are so pleased that we can be part of the future developments, working closely with the excellent Certification Bodies, trade bodies, police and other key stakeholders, to ensure further growth of the scheme.”
Anne W, NCSC Head of Commercial Assurance Services, added: “The NCSC is looking forward to working in partnership with the IASME team to ensure that the scheme continues to evolve and meet the cyber security challenges of tomorrow; a scheme that puts cyber security within reach of the vast majority of UK organisations.”
Thursday, 3 October 2019
UK Youngsters seeking to Win the European Cyber Security Challenge
This October, ten of the UK’s sharpest young cybersecurity minds will head to Bucharest in Romania to compete against teams from 20 countries across Europe in this year’s European Cyber Security Challenge (ECSC). Managed by Cyber Security Challenge UK and led by Team Captain Sophia McCall, the team has spent the summer training with NCC Group and honing their skills using Immersive Labs. Now, they’re ready to bring home gold.
Cyber Security Challenge UK selects, nurtures and mentors young talent to build the UK team, and strives to include individuals with diverse backgrounds and experiences. The team, from across the UK, has a strong mix of different cyber skills and brings a broad range of experiences to the competition.
In a sector facing an acute shortage of fresh talent, competitions like the ECSC are crucial as they allow competitors to meet industry leaders, network with peers from across the continent and get a taste for working in cybersecurity. By taking part, the team set themselves apart as outstanding individuals, equipped with the skills they need to pursue a career in the industry.
Run by ENISA, the European agency responsible for cybersecurity for the European Union, the ECSC is a three-day competition that challenges competitors to complete a series of security-related tasks from domains such as web and mobile security, reverse engineering and forensics. This year, the competition will be held in Bucharest, Romania from 9th to 11th October 2019.
Sophia McCall, UK Team Captain
Established in 2009, 'Cyber Security Challenge UK' is a non-profit organisation backed by some of the UK’s leading public, private and academic bodies with a longstanding mission to encourage more cybersecurity talent into the pipeline.
Cyber Security Challenge UK - helping to encourage new talent
Team Captain Sophia McCall: “I have the Cyber Security Challenge and my lecturers in college to thank for the fact I’m pursuing a cybersecurity degree. I had no exposure to cybersecurity when I was younger, so without them I may never have ended up in the industry. It’s now my passion to get other young girls and people from all backgrounds involved, and competitions like the ECSC are an incredible way to explore opportunities in the industry and find out if it’s the right career for you.”
Dr Robert Nowill, Chairman, Cyber Security Challenge UK: “Our mission is to be as inclusive as we can in order to increase the number of people entering the cybersecurity industry, and competitions like the ECSC are an integral part of our efforts to broaden the reach of cyber. We have always looked to encourage participation by those who may not otherwise have considered career pathways into cyber, and this year’s team represents an incredible mix of ages, genders and backgrounds. We’re already extremely proud of the team! They’ve been training hard all summer, and we can’t wait to see how they fare in Bucharest.”
Colin Gillingham, Director of Professional Services at NCC Group: “Our long-standing training partnership with the Cyber Security Challenge is part of our mission to increase diversity in cybersecurity. Our aim is to make society safer and more secure, but this will only be achieved when the industry is as diverse and representative as the society that we are working to protect. This year’s Team Captain, Sophia McCall, has just completed a placement year at NCC Group, and we’re delighted to have supported her as she blazes a trail for the female cyber professionals of the future.”
James Hadley, Founder and CEO at Immersive Labs, said: “We believe strongly that challenge-based training exercises are by far the best way for cybersecurity experts to keep themselves ahead of the latest threats. We’re delighted to be supporting the UK team with access to our on-demand and gamified cyber skills content. Their points haul from our CTFs and Malware Analysis labs has been particularly impressive. We wish the team every success not just as they head to Bucharest but in their bright futures as professional cyber defenders.”
Wednesday, 2 October 2019
Cyber Security Roundup for September 2019
Anyone over the age of 40 in the UK will remember patiently browsing for holiday bargains on their TV via Teletext. While the TV version of Teletext Holidays died out years ago with the arrival of the world-wide-web, Teletext Holidays, a trading name of Truly Travel, continued as an online and telephone travel agent business. Verdict Media discovered an unsecured Amazon Web Services cloud server used by Teletext Holidays and was able to access 212,000 audio recordings of call-centre conversations with its UK customers. The audio recordings were made between 10th April and 10th August 2016 and were found in a data repository called 'speechanalytics'. Businesses neglecting to properly secure their cloud services is an ever more common cause of mass data breaches of late. Using cloud-based IT systems does not absolve a business of its IT security responsibilities for what it hosts with its cloud service provider.
Booking Holidays on Ceefax in the 1980s
Within the Teletext Holidays call recordings, customers can be heard arranging holiday bookings and giving call-centre agents partial payment card details, their full names and the dates of birth of accompanying passengers. Verdict Media advised that in some call recordings customers' private conversations were recorded while they were put on hold. Teletext Holidays said they have reported the data breach to the ICO.
Separately, another poorly secured cloud server was discovered with thousands of CVs originating from the Monster.com job-hunting website. Monster.com reported the compromise of CVs was between 2014 and 2017 and was due to a 'third-party' it no longer worked with.
Wikipedia was the subject of a major DDoS attack, which impacted the availability of the online encyclopaedia website in the UK and parts of Europe. While the culprit(s) behind the DDoS attack remain unknown, Wikipedia was quick to condemn it, saying the attack was not just about taking Wikipedia offline: "Takedown attacks threaten everyone’s fundamental rights to freely access and share information. We in the Wikimedia movement and Foundation are committed to protecting these rights for everyone."
CEO Fraud
The BBC News website published an article highlighting the all too common issue of CEO Fraud, namely company email spoofing and fraud which is costing business billions.
Criminals are increasingly targeting UK business executives and finance staff with ‘CEO Fraud’, commonly referred to as ‘whaling’ or Business Email Compromise (BEC) by cybersecurity professionals. CEO fraud involves impersonating a senior company executive or a supplier in order to social engineer fraudulent payments. CEO fraud phishing emails are difficult for cybersecurity defence technologies to prevent, as such emails are specifically crafted (i.e. spear phishing) for individual recipients and do not contain malware-infected attachments or malicious weblinks for cyber defences to detect and block.
Criminals do their research, gaining a thorough understanding of business executives, clients, suppliers, and even staff roles and responsibilities through websites and social media sites such as LinkedIn, Facebook, and Twitter. Once they determine who they need to target for the greatest likelihood of a financial reward, they customise a social engineering communication to that individual, typically through email, but sometimes through text messages (i.e. smishing), over the phone, or even by postal letter to support their scam. They often create a tremendous sense of urgency, demanding immediate action to complete a payment while impersonating someone in the business with high authority, such as the MD or CEO. The criminal’s ultimate goal is to pressurise and rush the targeted staff member into authorising and making a payment to them. Such attacks are relatively simple to arrange, require little effort, and can yield high financial rewards for criminals. They also require little technical expertise, as email spoofing tools and instructions are freely available on the open and dark web. And thanks to the internet, fraudsters anywhere in the world can effortlessly target UK businesses with CEO fraud scams.
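Because CEO-fraud mail carries no malware or links, mail gateways and SOC playbooks fall back on header and wording heuristics. The following is an added example, not code from the original roundup or from any vendor it mentions: it applies four common checks (an executive's display name on an external address, a Reply-To that diverts replies to another domain, a sender domain that merely looks like the company's own, and urgency wording) to constructed sample messages. The organisation domain, executive list, addresses and thresholds are all assumed sample values.

```python
"""Heuristic CEO-fraud / BEC triage over raw email headers (added example).

Every domain, name and message below is constructed sample data, and the
0.85 similarity threshold is an assumption, not a vendor or NCSC setting.
"""
from __future__ import annotations
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"           # constructed: the defended organisation
EXECUTIVES = {"jane doe", "john smith"}   # constructed: names criminals may impersonate
URGENCY_TERMS = ("urgent", "immediately", "asap", "wire transfer",
                 "before close of business")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _lookalike(domain: str) -> bool:
    """True for a typosquatted domain such as 'examp1e-corp.com' (not ours, but close)."""
    if not domain or domain == ORG_DOMAIN:
        return False
    return SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.85


def bec_indicators(raw_message: str) -> list[str]:
    """Return the CEO-fraud indicators found in one RFC 5322 message, in check order."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings: list[str] = []

    # 1. An executive's display name, but the real sender address is not ours.
    if name.strip().lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        findings.append("display-name impersonation")

    # 2. Replies are silently redirected to a different domain than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply-to mismatch")

    # 3. Sender domain is a near-miss of the organisation's own domain.
    if _lookalike(from_domain):
        findings.append("lookalike domain")

    # 4. The pressure-and-urgency wording that characterises these scams.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency language")
    return findings


# Constructed sample messages: free-mail impersonation, typosquatted domain, genuine mail.
SAMPLE_FREEMAIL = ("From: Jane Doe <jane.doe@webmail.example>\n"
                   "Reply-To: ceo.office@examp1e-corp.com\n"
                   "To: finance@example-corp.com\n"
                   "Subject: URGENT: payment needed before close of business\n\n"
                   "Please pay the attached invoice and confirm.\n")
SAMPLE_LOOKALIKE = ("From: Jane Doe <jane.doe@examp1e-corp.com>\n"
                    "To: finance@example-corp.com\n"
                    "Subject: Wire transfer for new supplier\n\n"
                    "Arrange this today, I am in meetings all afternoon.\n")
SAMPLE_LEGIT = ("From: Jane Doe <jane.doe@example-corp.com>\n"
                "To: finance@example-corp.com\n"
                "Subject: Q3 board pack\n\nDraft attached for review next week.\n")

if __name__ == "__main__":
    for label, sample in (("freemail", SAMPLE_FREEMAIL), ("lookalike", SAMPLE_LOOKALIKE),
                          ("legit", SAMPLE_LEGIT)):
        print(label, "->", bec_indicators(sample) or "no indicators")
```

A hit on any single check is a triage flag for finance staff to verify the request out of band, not proof of fraud on its own.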
UK Universities are being targeted by Iranian hackers in an attempt to steal secrets, according to the UK National Cyber Security Centre and the UK Foreign Office. The warning came after the US deputy attorney general Rod Rosenstein said: “Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries."
Security Updates
'Patch Tuesday' saw Microsoft release security updates for 78 security vulnerabilities, including 17 which are 'Critical' rated in Windows RDP, Azure DevOps, SharePoint and Chakra Core.
On 23rd September 2019, Microsoft released an ‘emergency update’ (Out-of-Band) for Internet Explorer (versions 9, 10 & 11), which addresses a serious vulnerability (CVE-2019-1367) discovered by a Google researcher and reported to be under active exploitation. The flaw allows an attacker to execute arbitrary code on a victim's computer through a specially crafted website, gaining the same rights as the logged-on user and enabling them to infect the computer with malware. It is particularly dangerous if the user has local administrator rights, as in that case the attacker gains full remote control of the user's computer. This vulnerability is rated as 'Critical' by Microsoft and has a CVSS score of 7.6. Microsoft recommends that customers apply Critical updates immediately.
Ransomware
Research by AT&T Cybersecurity found 58% of IT security professionals would refuse to pay following a ransomware attack, while 31% said they would only pay as a last resort. A further 11% stated that paying was, in their opinion, the easiest way to get their data back, and 40% said they would outlaw ransomware payments altogether. It is clear from the latest threat intelligence reports that the paying of ransomware ransoms is fuelling further ransomware attacks, including targeted attacks on UK businesses.
BLOG
NEWS
- Teletext Holidays Data Breach Exposes 212,000 Customer Call Recordings
- Monster.com job applicants info Exposed on Unprotected Server
- FS-ISAC and Europol Partner to Combat Cross-Border Cybercrime
- Millions of YouTube accounts hijacked through phishing and compromised 2FA
- Twitter CEO’s account was hacked via a SIM-swapping scheme
- 419 million Facebook Users Personal Information exposed, phone numbers and unique IDs
- Wikipedia taken offline in Europe by a DDoS Attack
- DoorDash Breach Exposes Data of 4.9 Million Customers
- Microsoft Patches 78 Vulnerabilities, including 17 Critical for Windows RDP, Azure DevOps, SharePoint & ChakraCore
- Internet Explorer Emergency Patch for CVE-2019-1367
- Mozilla released Updates for Firefox 69
- Samba developers issued an update for CVE-2019-10197
- PHP Update Fixes Arbitrary Code Execution Flaw
- Apple Updates Software, Fixes Flaw affecting Third-Party Keyboard Apps
- Chrome Security issues Addressed with Stable Channel update
- Adobe Patches Two Critical Issues with Cold Fusion
- Cisco addresses Multiple Bugs in Network Operating Systems
- Cisco issued Advisories for Vulnerabilities in 7 products, including WebEx Teams
- Spoofing Emails: The Trickery Costing Businesses Billions
- Ryuk-like Malware targeting Law, Military and Finance Groups
- Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites
- Notorious GandCrab Hacker Group 'returns from retirement’
- UK Universities targeted by Iranian Hackers, NCSC and Foreign Office says
- China’s APT3 Pilfers Cyberweapons from the NSA
- AT&T Cybersecurity Survey: 40% of IT Security Pros Would Outlaw Ransomware Payments
- Enterprise Ransomware Report: Shines spotlight on Poor Patch Management
- Metasploit Project publishes exploit for Bluekeep bug