Changes to UK government-backed Cyber Essentials scheme launched
It’s been seven years since the introduction of the UK’s Cyber Essentials scheme and a lot has changed in that time, let alone in the last two years. For a while now there have been frustrations over gaps in the scheme’s coverage of cloud services and its inflexible approach to remote work.
This week the National Cyber Security Centre and their delivery partner, IASME, announced the first update to the scheme to address some of these issues and bring Cyber Essentials up to scratch.
The announcement has been met with more than a few raised eyebrows, though: go-live is on 24th January, just 36 working days after the announcement. That doesn’t give businesses due for their annual recertification in the first few months of the New Year much time to understand, and demonstrate compliance with, the new requirements.
And while those new requirements may be agreeable, that doesn’t make them easy, especially for larger organisations, as we posted about on the Cydea blog:
- Homeworking devices and all cloud services are now in-scope, and evidence is required if the cloud provider is responsible for implementing one of the controls (such as anti-malware)
- Multi-factor authentication ‘must be used’ for cloud services
- A new definition of ‘licensed and supported’ software as part of patch management, with high and critical updates applied within 14 days, and unsupported software to be removed
There are a few changes for which there is a grace period: while MFA applies immediately to cloud administrator accounts (hopefully already enabled!), there is a 12-month grace period for implementation on all user accounts.
All software that falls outside the definition of ‘licensed and supported’ is expected to be moved into its own ‘sub-set’ or zone, without internet access, by January 2023 to maintain compliance.
The changes will likely mean additional costs for small businesses, as the scheme has grown from a simple set of principles into a more comprehensive and complex compliance regime (the question set now runs to almost 30 pages). Things like multi-factor authentication (and single sign-on) for user accounts are often still bundled with premium plans for cloud services, leaving many SMBs below the ‘security poverty line’.
As the scheme matures it will be important for IASME and NCSC to edit, not just add, to the framework for it to maintain the fundamental principles of the scheme — to protect small businesses from common internet threats — that make it attractive to its intended audience in the first place.
The announcement can be found at NCSC (though not on their homepage, or the main CE homepage) with technical details over at IASME.
1,099 posts advertising access to corporate networks by ‘Initial Access Brokers’ (IABs) in 2021, up from 362 (3x increase) in 2020, according to an analysis of a selection of cybercrime forums by Group-IB zdnet.com
~65,000 ‘hands on keyboard’ ransomware attacks in 2020, according to Recorded Future therecord.media
An unknown actor, dubbed KAX17, is running ~500, and at times up to 900, Tor entry and middle relay servers in a suspected attempt to de-cloak users. At the peak, there was a 35% chance you would transit one of the group’s middle relays therecord.media
Other newsy bits
How is the Security Profession doing?
Phil Venables was one of the headliners at the Chartered Institute of Information Security (CIISEC) annual conference recently and gave an interesting presentation on the current state and future needs of the profession. Now he’s written up his thinking in this blog post. There are some good points here and I’m a big fan of the ‘medicine’ analogy.
Not everyone who gets into medicine aspires to be a doctor, nor is each and every doctor interchangeable in their roles. Specialisms exist and there is a continuous focus on scientific methods and sharing information (amongst a lot of other parallels!). Check it out.
Changing conditions for cyber insurance
Joe Uchill has a piece on the cyber insurance market over at SC Magazine. Quietly tucked away last week was a suggestion from Lloyd’s of London, which carries approximately one-fifth of the cyber insurance market, discouraging members from taking on additional business in 2022. Coverage is already becoming more expensive: conditions are tightening and pricing is increasing while cover decreases, as many cyber insurers reel from the volume of ransomware attacks (and payouts).
Security metrics at Twilio
Harini Rangarajan and Yashvier Kosaraju from Twilio’s product security team have written up their experiences approaching and implementing meaningful security metrics at Twilio.
Attacks, incidents & breaches
- More than 5,700 voice-over-IP (VOIP) servers of AT&T were exploited using a suspected 2017-era vulnerability (meaning the servers hadn’t been patched) and root/default credentials to infect them with EwDoor malware therecord.media
- Panasonic has confirmed that it discovered a network compromise on 11th November that resulted in the unauthorised access to ‘some data on a file server’ zdnet.com
- Queensland, Australia electricity company CS Energy’s corporate network has been compromised by ransomware, generation operations were unaffected esdnews.com.au
- Ohio-based DNA Diagnostics Center has suffered a data breach affecting 2,102,436 people, though fortunately just names and payment card details, rather than health data bleepingcomputer.com
- Web skimmer planted on the website of the Principality of Sealand to steal payment card details of people buying nobility titles therecord.media
- A flaw in smart contract logic allowed an attacker to exchange one token for the same token, inflating its price before making off with $31M-worth of cryptocurrency from MonoX, a decentralised finance platform. There’s no recourse or adjudication for ‘smart’ contracts, so if there are vulnerabilities in the contract’s code, victims have little means of redress arstechnica.com
- Estimated $120M (2,100 Bitcoin, 151 Ether) stolen from Badger DeFi platform by compromising Cloudflare CDN account and tricking users into providing permissions vice.com
- Planned Parenthood Los Angeles has notified 400,000 patients of a data breach as part of a week-long ransomware attack washingtonpost.com
- NSO Group’s Pegasus spyware used by one client to spy on at least nine US State Department officials vice.com
- NginRAT, related to CronRAT (vol. 4, iss. 48), found on e-commerce servers, hijacking Nginx installations to steal payment card information bleepingcomputer.com
- Banking trojans disguised as legitimate apps (like QR/PDF scanners, fitness monitors and cryptocurrency apps) continue to plague the Google Play store, with over 300,000 Android users having been infected, according to researchers from ThreatFabric zdnet.com
- Emotet now spreading using Microsoft ‘app installer’ function using forged certificates to appear like Adobe PDF reader bleepingcomputer.com
- Two vulnerabilities found in HP’s M725z range, affecting over 150 models of multi-function printer, can be exploited using a so-called ‘cross-site printing’ attack to download a malicious font and gain code execution on the printer (which, let’s face it, is often not subject to the same patching regime as user devices) f-secure.com
- Vulnerability in Zoho ServiceDesk (CVE-2021-44077, versions up-to-and-including 11305) is being used to compromise servers and install a web shell bleepingcomputer.com
- Example of a race condition against a Verizon login page that could have allowed the researcher to brute force the PIN on any given account (that can be used for SIM swaps and other account actions) vice.com
Internet of Things
- US Transportation Security Administration sets new rules for the rail industry, with companies required to appoint a cyber coordinator, complete a vulnerability assessment and an incident response plan, and report any incidents to the Department of Homeland Security within 24 hours cyberscoop.com
- UK ICO announces intention to fine Clearview AI £17M ($23M) for ‘serious breaches’ of data protection law, with the Information Commissioner, Elizabeth Denham, saying “I have significant concerns that personal data was processed in a way that nobody in the UK will have expected” cyberscoop.com
- UK and Israel set to sign 10-year trade deal covering ‘cyber, tech, trade and defence’ theguardian.com
- UK Secret Intelligence Service chief warns of China’s “debt and data traps” (for example through Belt and Road infrastructure projects) that may be used for political coercion ft.com
- US Cybersecurity and Infrastructure Security Agency (CISA) has named 23 members to its new cyber advisory panel from public organisations, cyber and tech industries cyberscoop.com
- Australia passes legislation allowing sanction of individuals and companies for cyber attacks, human rights abuse, and more zdnet.com
- Russia bans more VPN servers, including Proton VPN and Cloudflare WARP, for not agreeing to provide information on connections and block access to certain websites, bringing the total to fifteen bleepingcomputer.com
- Former Ubiquiti ‘whistleblower’ employee (vol. 4, iss. 14) alleged to be the one stealing data and extorting the company cyberscoop.com, @campuscodi
- The FBI seized $2.3M from an affiliate of the REvil, GandCrab ransomware gangs bleepingcomputer.com
- Final member of a multimillion-dollar SIM swapping gang was sentenced this week techcrunch.com
- FIN7 group member gets suspended one-year prison sentence following a court trial in Russia therecord.media
Mergers, acquisitions and investments
- ‘Attack surface management’ company CyCognito has closed a $100M Series C funding round techcrunch.com
- Karamba Security extends $12M Series B round by a further $10M to develop their IoT security platform for fleet management and automotive industries techcrunch.com
Shapps sells smut sites by the cloud shore
H/t to Paul for this one, which didn’t make it into last week’s edition… A subdomain of the UK Department for Transport (Grant Shapps’ department) was serving up a good helping of smut to transport chart aficionados.
Maintaining your DNS is an oft-overlooked task, but doing so can avoid mishaps like this, where either a disgruntled admin has redirected one of your subdomains, or you’ve turned off that AWS instance and released its IP address for use by another account.
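One way to catch both failure modes described above (a subdomain re-pointed since the last review, and an A record left behind after its cloud IP was released) is to audit a zone export against your own IP inventory and a previous snapshot. This is an added example, not code from the newsletter or the Department for Transport; the zone records, owned IP list and domain names are all constructed for illustration.

```python
"""Audit a DNS zone export for dangling or unexpectedly changed records.

Added example (not from the newsletter). The owned-IP inventory, domain
list and both zone snapshots are constructed inline; in practice you would
feed in a zone export and the current elastic/static IP list from your
cloud accounts.
"""
import ipaddress

# Constructed: IPs currently allocated to accounts we control.
OWNED_IPS = {ipaddress.ip_address(ip) for ip in ("198.51.100.10", "198.51.100.11")}
# Constructed: apex domains we control; CNAMEs inside them are fine.
OWNED_DOMAINS = {"example.org"}

# Constructed snapshots as (name, type, value). "charts" points at an IP
# released back to the cloud provider; "stats" was re-pointed since the
# baseline; "www" and "docs" are healthy.
BASELINE = [
    ("www.example.org", "A", "198.51.100.10"),
    ("charts.example.org", "A", "203.0.113.5"),
    ("stats.example.org", "CNAME", "www.example.org."),
    ("docs.example.org", "CNAME", "app.example.org."),
]
CURRENT = [
    ("www.example.org", "A", "198.51.100.10"),
    ("charts.example.org", "A", "203.0.113.5"),
    ("stats.example.org", "CNAME", "some-third-party.example.net."),
    ("docs.example.org", "CNAME", "app.example.org."),
]


def _in_owned_domain(target):
    """True if a CNAME target (possibly with trailing dot) is under our apex."""
    host = target.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def audit_zone(current, baseline):
    """Return {record name: [findings]} for records that need attention."""
    prev = {(n, t): v for n, t, v in baseline}
    findings = {}
    for name, rtype, value in current:
        issues = []
        if rtype == "A" and ipaddress.ip_address(value) not in OWNED_IPS:
            issues.append(f"A record points to {value}, not in owned IP inventory")
        elif rtype == "CNAME" and not _in_owned_domain(value):
            issues.append(f"CNAME to third-party host {value}; confirm it is still ours")
        old = prev.get((name, rtype))
        if old is not None and old != value:
            issues.append(f"record changed since baseline: {old} -> {value}")
        if issues:
            findings[name] = issues
    return findings
```

Run on a schedule and diff the output: the IP check catches the "released AWS address" case even when nothing in the zone changed, and the baseline comparison catches a re-pointed record regardless of where it now resolves.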