News

Nov 2023 IASME Cyber Baseline

Consult MB Ltd is pleased to announce that we have become licensed to assess the international IASME Cyber Baseline security standard.

IASME Cyber Baseline, available only for companies outside of the UK, covers fundamental but vital cyber security protection measures. The standard provides a means for international organisations to demonstrate that they take cyber security seriously and have implemented essential cyber hygiene measures.

IASME Cyber Baseline maps to international standards and best practice (e.g. COBIT, CIS Controls v8) but, importantly, allows the organisation to be assessed as meeting the IASME Cyber Baseline Standard.

The scheme is an important first step for many organisations in proving that they are serious about cyber security. It is a prerequisite to the next step of certifying to the comprehensive, risk-based and policy-driven IASME Cyber Assurance Standard.

The cost for IASME Cyber Baseline Self Assessed (Level 1) is based upon the size of the business:

• Micro organisations (0-9 employees): £300 +VAT
• Small organisations (10-49 employees): £400 +VAT
• Medium organisations (50-249 employees): £450 +VAT
• Large organisations (250+ employees): £500 +VAT

If you’re an international organisation (non-UK) and would like to know more about the IASME Cyber Baseline Standard, please get in touch.

Oct 2023 Backups (…and restores)

A few organisations I’ve worked with assume that because they use advanced cloud services for office automation they don’t need to worry about how they back up and restore cloud-resident data. Their assumption is that the cloud provider’s data resiliency features, checks and processes will always ensure a copy of the data is available come what may…even if the means to restore it isn’t a straightforward process. Microsoft, a major provider, states in its Shared Responsibility model (see https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility) that the customer always retains responsibility for information and data.

This week, the NCSC have issued some useful guidance around ransomware resistant cloud backups (https://www.ncsc.gov.uk/guidance/principles-for-ransomware-resistant-cloud-backups). Whilst they recommend considering ‘a breadth of technologies’ for backups, one of the key messages is to regularly test.

The IASME Cyber Assurance Standard states three copies of information should be kept (the day-to-day working original, an off-site main backup, a local backup for easy retrieval). Crucially, the Standard also requires that the backups be tested, at least monthly.

If you’re based in Somerset, Devon, Gloucestershire or the Bristol area and are interested in learning more about the IASME Cyber Assurance Standard, please get in touch.

Aug 2023 – Please Patch!

This year’s report on the top routinely exploited vulnerabilities was published on 3 August 2023 by the NCSC. Somewhat depressingly, it highlights how threat actors are still exploiting older software vulnerabilities in systems that remain unpatched e.g. a high severity vulnerability in older versions of Office first announced in 2017 (CVE-2017-0199) – really?!

You can find the report at https://www.ncsc.gov.uk/news/ncsc-allies-reveal-2022-common-exploited-vulnerabilities

If you’re based in Somerset, Devon, Gloucestershire or the Bristol area and need any cyber security support or advice, please get in touch.

Apr 2023 – Cyber Essentials Updates

The past few months have been incredibly busy and this news page has been somewhat neglected. To put that right, this is a quick post to confirm that the Cyber Essentials ‘Montpellier’ question set will replace ‘Evendine’ on 24th April 2023.

The NCSC’s updated requirements (version 3.1) will also come into force on 24th April 2023. You can have a look at the updated standards for CE and CE+ here:

https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf

https://www.ncsc.gov.uk/files/Cyber-Essentials-Plus-Illustrative-Technical-Specification-v3-1-January-2023.pdf

Nov 2022 – Fatigued?

There have been a number of articles recently that describe yet another hacking technique that relies on what is termed “MFA Fatigue”. This is where the hacker has the victim’s cloud service credentials and encounters the MFA challenge. Where ‘push’ notifications are configured the hacker will invoke multiple ‘push’ notifications in the hope that the victim will eventually tire and just click ‘accept’ when the latest in a long series of notifications is presented.

The American Cybersecurity and Infrastructure Security Agency (CISA) have issued a couple of useful fact sheets aimed at defeating MFA fatigue.

https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf

https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf
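Number matching removes the one-click ‘accept’, but it is also worth being able to spot a fatigue attempt in the sign-in logs. The script below is an added example, not code from the original post or from CISA: it reads sign-in events, keeps a sliding window of push challenges per user that were denied or timed out, flags a burst above a threshold, and separately marks the case where an approval follows such a burst, which is the outcome the attacker is hoping for. The log format, the sample lines, the ten-minute window and the threshold of four are all assumptions.

```python
"""Flag MFA push-fatigue patterns in sign-in events.

Added example (not from the original post or from CISA). The log format, the
constructed sample lines, the window length and the threshold are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <push result>"
# alice receives a burst of unanswered pushes and then approves one (the fatigue outcome);
# bob and carol show ordinary activity.
SAMPLE_LOG = """\
2022-11-14T08:01:10 alice@example.test denied
2022-11-14T08:01:42 alice@example.test timeout
2022-11-14T08:02:15 alice@example.test denied
2022-11-14T08:03:05 alice@example.test denied
2022-11-14T08:03:50 alice@example.test timeout
2022-11-14T08:04:30 alice@example.test approved
2022-11-14T08:10:00 bob@example.test approved
2022-11-14T09:30:00 carol@example.test denied
2022-11-14T12:00:00 carol@example.test approved
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    events.sort()
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Return {user: {"burst": n, "approved_after_burst": bool}} for users exceeding the threshold.

    'burst' is the largest number of denied/timed-out pushes seen inside one window;
    'approved_after_burst' is True if the user approved a push while still inside such a burst.
    """
    recent = defaultdict(deque)  # user -> timestamps of unanswered pushes within the window
    findings = {}
    for ts, user, result in events:
        pushes = recent[user]
        while pushes and ts - pushes[0] > window:  # drop pushes that have left the window
            pushes.popleft()
        if result in ("denied", "timeout"):
            pushes.append(ts)
            if len(pushes) >= threshold:
                finding = findings.setdefault(user, {"burst": 0, "approved_after_burst": False})
                finding["burst"] = max(finding["burst"], len(pushes))
        elif result == "approved" and len(pushes) >= threshold:
            finding = findings.setdefault(user, {"burst": len(pushes), "approved_after_burst": False})
            finding["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

An approval flagged with `approved_after_burst` is the event worth treating as a probable compromise: the credentials were already known to the attacker, and the push was accepted under pressure. A burst on its own still warrants a password reset and a conversation with the user.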

Aug 2022 – NCSC Subscriptions

Just a quick plug for the NCSC Subscription Centre.

You can sign up for mail alerts on any/all of the following:

• Threat Reports and Advisories
• The Weekly Threat Report
• NCSC Digital Lofts (Online seminars on cyber security topics)
• NCSC Small Organisations Newsletter
• NCSC Cyber UK (annual cyber security event)
• NCSC Annual Review

Jul 2022 – IASME Cyber Assurance

IASME have relaunched their flagship information security standard, the IASME CYBER ASSURANCE STANDARD, formerly known as the IASME GOVERNANCE STANDARD.

IASME state “Cyber Assurance is a comprehensive, flexible and affordable cyber security standard that provides assurance that an organisation has put in place a range of important cyber security, privacy and data protection measures. It aligns directly with the UK Government’s 10 steps to Cyber Security with additional Data Privacy controls and offers smaller companies within a supply chain a ‘right sized’ approach to show their level of information security for a realistic cost.”

Consult MB Ltd is a licensed Certification Body for the IASME Cyber Assurance Standard. Please check out our webpage and contact us for more details.

Jun 2022 – App Stores

NCSC have published an interesting report that was compiled to inform the Department for Digital, Culture, Media & Sport (DCMS) on the current threats associated with app stores.

The report found that a number of vulnerabilities within the app store submission processes have been exploited by attackers, allowing them to successfully distribute malware via apps.

Apple (4.3 million apps) and Google (2.9 million apps) host the largest app stores, but a number of third-party app stores also exist. Whilst the likes of Apple and Google have a vetting process before an app is accepted, malware still makes its way onto stores.

The report concludes that app stores across all devices share the same threat profile and that using mobile app stores is an attractive attack vector for criminals seeking to exploit as many victims as possible.

The report suggests that app store operators who adopt the DCMS Code of Practice for App Store Security will reduce the likelihood of malicious apps getting through the vetting processes. The unstated assumption is that some malicious apps will still find a way in.

If you’re located in Somerset, Bristol or the surrounding areas, please contact us if you need any cyber security advice. We don’t have an app for that right now, but we’ll be pleased to hear from you.

May 2022 – Patch Please!

On 27 April 2022 the NCSC published an advisory on the most commonly exploited vulnerabilities in 2021. This results from a collaborative piece of work with other agencies in the USA, Australia, Canada and New Zealand. The advisory is published in full on the CISA website here: https://www.cisa.gov/uscert/ncas/alerts/aa22-117a

It’s no surprise that Log4j is in the mix, but what is interesting is that of the Top 15 Routinely Exploited Vulnerabilities in 2021 four of them date from before 2021, including one from 2018 and one from 2019. A further list of ‘Additional Routinely Exploited Vulnerabilities’ includes a couple of Microsoft Office vulnerabilities from 2017!

Rob Joyce, NSA Cybersecurity Director, commented on the advisory “This report should be a reminder to organisations that bad actors don’t need to develop sophisticated tools when they can just exploit publicly known vulnerabilities. Getting a handle on patch management will go a long way in forcing adversaries to spend a lot more resources to even try and get in to targeted networks.” – well said!

If you would like assistance with any of your cyber security concerns, please contact us.