News

On 27 April 2022 the NCSC published an advisory on the most commonly exploited vulnerabilities in 2021. This results from a collaborative piece of work with other agencies in the USA, Australia, Canada and New Zealand. The advisory is published in full on the CISA website here: https://www.cisa.gov/uscert/ncas/alerts/aa22-117a

It’s no surprise that Log4j is in the mix, but what is interesting is that of the Top 15 Routinely Exploited Vulnerabilities in 2021 four of them date from before 2021, including one from 2018 and one from 2019. A further list of ‘Additional Routinely Exploited Vulnerabilities’ includes a couple of Microsoft Office vulnerabilities from 2017!

Rob Joyce, NSA Cybersecurity Director, commented on the advisory “This report should be a reminder to organisations that bad actors don’t need to develop sophisticated tools when they can just exploit publicly known vulnerabilities. Getting a handle on patch management will go a long way in forcing adversaries to spend a lot more resources to even try and get in to targeted networks.” – well said!

If you would like assistance with any of you cyber security concerns, please contact us.

The Cyber Security Breaches Survey 2022 was published 30 March 2022 and the findings are a little surprising! The proportion of UK businesses reporting a cyber-attack in the last 12 months remained the same as for 2021 at 39%, that’s despite the suggestions that the move to working-from-home had significantly increased risk.

What is really interesting is that only 4% of businesses and only 4% of charities reported a ransomware attack in the last 12 months – that’s a fall from the 17% reported last year! Is it a fall in attacks or a fall in reporting?!

56% of UK businesses and 40% of UK charities have implemented a policy to say they will not pay any ransom. However, there were instances where those that had experienced a ransomware attack had paid a ransom, despite their stated policy. They clearly decided that they had to take the shortest path back to becoming fully operational as soon as possible – despite the inherent risk of the criminals not decrypting their data or releasing it to the Internet.

Consult MB Ltd provides ransomware awareness training. If you’re based in Bristol, Somerset or Devon and need help please contact us.

There’s been a lot of debate, and some disquiet, recently within the Cyber Essentials Certification Body community around the increasingly aggressive marketing tactics of some Certification Bodies. Those tactics range from attempts to poach existing customers with, for example, offers of ludicrously low CE+ assessment fees (with no knowledge of what needs to be assessed!), to offering ‘guaranteed’ passes (so long as you adhere to the unquantified pre-assessment, presumably paid-for, consultancy advice in advance!), to making unsubstantiated claims about other Certification Bodies.

Whilst from time to time we might reach out to potential new customers, most of our new work comes from referrals. We haven’t seen any clients poached yet, but our fees are already low, because our overheads are as well.

In complete accordance with the letter and spirit of IASME policy we never offer a guaranteed pass, but we do work with clients to try to avoid failure in the first instance. If failure does occur we provide the help and guidance to remediate any issues. Our guiding principle is that both Cyber Essentials and Cyber Essentials Plus, should never be a mere box ticking exercise, but a genuine effort to implement and demonstrate basic cyber security.

Here at Consult MB Ltd we prefer to respect our Certification Body colleagues, the overwhelming majority of whom are very supportive and professional in their approach.

So sorry, you’ll never get a free beer with a guaranteed pass from Consult MB Ltd, because we simply won’t ever offer ‘guaranteed’ passes. What you will get for free though is integrity.

In February the NCSC issued a joint advisory (with the FBI, CISA and NSA in the USA and the Australian Cyber Security Centre) which highlights the increased threat of ransomware.

The main trends should come as no surprise with an increase in the use of cybercrime-as-a-service with criminals gaining access to networks via phishing, stolen credentials, brute force attacks or exploitation of vulnerabilities.

The cyber criminals themselves have been sharing victim information with each other, shifted away from focussing on major targets (“big-game” hunting) and increasingly threaten to release stolen information, disrupt Internet access, and inform the victim’s stakeholders (“triple extortion”).

A growing trend is the targeting of cloud services, attacks on managed service providers, attacks on the supply chain, and attacks over weekends or holidays.

In terms of mitigation, much of the advice is in-line with the basic level protection defined by the NCSC’s Cyber Essentials scheme which was updated in January 2022. The NCSC provide specific Ransomware advice at https://www.ncsc.gov.uk/ransomware/home

As of 24 Jan 2022 Cyber Essentials (CE), and consequently CE+ also, have changed. The technical control requirements have been updated to be more Cloud and Multi Factor Authentication (MFA) aware, and the password requirement has also been updated to align with current NCSC guidance.

For CE+ two new tests have been introduced to verify effective use of MFA and to ensure account separation between day-to-day user accounts and admin accounts. For vulnerability analysis, CE+ is also now more stringent, but with simpler pass/fail criteria.

Checkout the NCSC blog for an overview of the changes.

With the technical changes, NCSC have also introduced a price increase for larger organisations. A sliding scale of charges will still see micro businesses/organisations paying the current £300 assessment charge, but larger businesses/organisations will be charged up to £500. It’s the first price rise in 7 years, but reflects the increased complexity of assessing CE submissions.

If you’re looking to invest in CE/CE+, which NCSC state is “the minimum standard for cyber security” and are located in Bristol, Gloucestershire, Somerset, Devon, or surrounding areas, please contact us.

The NCSC Cyber Essentials requirements for IT infrastructure has been updated to v3.0

Consequently, from January 24th 2022, an updated Cyber Essentials question set (known as ‘Evendine’) will come into play.

The IASME website has the updated requirements document and the updated question set, along with a blog which provides more detail about the changes and the reasons behind them.

Here at Consult MB Ltd, we conducted comprehensive covert open source intelligence to investigate the ‘Evendine’ code word for you. Whilst Evendine Spring is in the vicinity of IASME HQ, our first hit on Google was for a care home. Their website mentions ‘commitment’, ‘quality’ and ‘care’. Job done:)

If you’re planning to undertake Cyber Essentials or Cyber Essentials Plus please get in touch via our contact us page.

The IASME Charity Campaign week runs from 8-12 November 2021. Consult MB Ltd is a licensed certification body for Cyber Essentials, Cyber Essentials Plus and IASME Governance. Based in Weston-super-Mare we support organisations throughout Somerset, Bristol, Gloucestershire and Devon.
If you are a registered charity and you sign up and pay for Cyber Essentials during the campaign week you will pay the discounted price of £225 +VAT for Cyber Essentials certification.

Please check out the IASME website or contact us for more information.

We’re pleased to confirm that Consult MB Ltd will be supporting the IASME Charity Campaign week 8-12 November 2021. Consult MB Ltd is a licensed certification body for Cyber Essentials, Cyber Essentials Plus and IASME Governance. Based in Weston-super-Mare we support organisations throughout Somerset, Bristol, Gloucestershire and Devon.

If you are a registered charity and you sign up and pay for Cyber Essentials during the campaign week you will pay the discounted price of £225 +VAT for Cyber Essentials certification.

Please check out the IASME website or contact us for more information.

In August the NCSC reported the creation of a new service where the public can report scam websites directly to the NCSC, potentially leading to the NCSC requiring the hosting provider to take down the malicious site.

This new service is in addition to the NCSC’s  Suspicious Email Reporting Service (SERS) where the public can forward suspected scam emails to report@phishing.gov.uk.

We’re pleased to announce that Consult MB Ltd based in Somerset has qualified as an Internet of Things (IoT) Security Assured Certification Body.

The UK Government is planning to bring in legislation to compel IoT device manufacturers to provide basic security, and the ‘IoT Security Assured’ scheme is expected to be selected by the Government as the required standard.

IoT Security Assured certification is available in three tiers: Basic, Silver and Gold. The Basic level is aligned with proposed UK legislation and covers the top three requirements of the ETSI standard. The Silver level is aligned with the ETSI mandatory requirements and Data Protection provisions. The Gold level is aligned with the ETSI mandatory requirements as well as all the additional ETSI recommended requirements and Data Protection provisions.

The cost of the certification is the same (£500 + VAT) across the tiers. For more information please check out the IASME IoT webpage, or contact us.