Mastodon Kuan0: Things cyber security, Q4 2024

Monday, 13 January 2025

Things cyber security, Q4 2024

Selected things cyber security, mostly from Q4 2024, are listed below in reverse chronological order, some with descriptions. See also Things AI, Oct 2024, and Data protection & cyber security, Oct 2024


28 Dec 24

  • Software code, provenance: a thoughtful, telling post, Why it's hard to trust software, but you mostly have to anyway: "...the situation is fairly dire: if you're running software written by someone else—which basically everyone is—you have to trust a number of different actors. We do have some technologies which have the potential to reduce the amount you have to trust them, but we don't really have any plausible venue to reduce things down to the level where there aren't a number of single points of trust... Open source, audits, reproducible builds, and binary transparency are all good, but they don't eliminate the need to trust whoever is providing your software and you should be suspicious of anyone telling you otherwise" 

21 Dec 24

  • International collaboration, critical infrastructure: the Critical Five (5 Eyes) countries reaffirmed their "vision of fostering collaboration across the private and government critical infrastructure communities in our five nations" (see the June 24 summary on how they plan to modernise their approach to critical national infrastructure security and resilience). CISA links

20 Dec 24

  • Consumer IoT: the UK Department for Science, Innovation & Technology (DSIT) will be undertaking an interim Post-Implementation Review of the Product Security and Telecommunications Infrastructure Act (PSTI), to be published by October 2026. To support this, DSIT has commissioned a consultancy to condcut preparations for evaluation and research projects on the product security elements of the PSTI Act

19 Dec 24

  • Training: the UK updated its webpage on cyber security training for business - this has links to many useful resources, such as free online staff training, a free online incident response exercise and personalised cyber action plan for SMEs/individuals, many from the UK National Cyber Security Centre

18 Dec 24

  • Supply chain, vendors, defence, national security: the UK Ministry of Defence wrote to Defence Industry CEOs/leads, asking them to review their organisations' performance against the Cyber Assessment Framework (CAF, developed by the UK National Cyber Security Centre (NCSC) for NIS Regulations assessments) particularly the areas of Govern, Identify, Protect, Detect, Respond and Recover; adopt Active Cyber Defence (ACD) with the NCSC and its tools including Early Warning (see 3 Dec); implement the March 24 Cyber Security Standard for Suppliers; and deliver Secure by Design

17 Dec 24

  • Cloud, SaaS, Microsoft 365: the US Cyber & Security Infrastructure Agency (CISA) issued a web-friendly verions of its directive Implementing Secure Practices for Cloud Services for US federal agencies, requiring deployment of its SCuBA tool - mentioned here because this open source tool, downloaded >30k times as at 13 Nov, automatically assesses Microsoft 365 (M365) configurations for security gaps (against CISA baselines): reportedly, misconfigurations were the initial access point for 30% of cloud environment attacks in the first half of 2024. "ScubaGear rapidly and thoroughly analyzes an organization’s M365 tenant configuration. It then delivers actionable security change insights and recommendations that allow the tenant administrator to close security gaps and attain a stronger defense within their M365 environment". So Microsoft 365 users could do worse than use this free tool!
  • Cybercrime, UN Convention: this Convention's privacy and security issues (law enforcement access to data) have been raised by many, including by the EDPB, referring to its Statement 5/2024 on the Recommendations of the High-Level Group on Access to Data for Effective Law Enforcement
  • Mobile comms: the US Cyber & Security Infrastructure Agency (CISA)issued Mobile Communications Best Practice Guidance after "identified cyber espionage activity by People’s Republic of China (PRC) government-affiliated threat actors targeting commercial telecommunications infrastructure, specifically addressing “highly targeted” individuals who are in senior government or senior political positions and likely to possess information of interest to these threat actors". While intended to assist highly-targeted individuals, its recommendations are obviously also relevant to everyone else who values their security and privacy (there were also iPhone and Android-specific recommendations, not reproduced here, see the link above):
    • Use only end-to-end encrypted communications (free messaging apps mentioned include Signal "or simlar apps")
    • Enable Fast Identity Online (FIDO) phishing-resistant authentication like hardware-based security keys
    • Migrate away from Short Message Service (SMS)-based MFA
    • Use a password manager
    • Set a telco PIN (for login etc)
    • Regularly update the operating system and other software (i.e. patch)
    • Opt for the latest hardware version from your cell phone manufacturer
    • Do not use a personal virtual private network (VPN): "Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider"

16 Dec 24

  • Cybercrime, advanced persistent threats: a RUSI article points out that "...foreign government adversaries no longer have a monopoly on sophistication or persistence. Cybercriminals have just as much if not more of an impact on the Western world... Digital spying by foreign state adversaries is still important. However, in biasing themselves towards ‘APT versus cybercrime’, information security and cybersecurity practitioners create a false dichotomy that pushes resources, attention and support to areas that don’t always align with the greatest organisational or national risk and impacts"

13 Dec 24

  • CSAM, encryption: the EU Council agreed its general approach on the proposed CSAM Directive (this has notes on some amendments), based on which it can commence negotiations on the text with the European Parliament, but the Parliament hasn't agreed its own position internally yet, so it will be some months or longer before this Directive is adopted
    • Statements on the general approach by Austria, Austria and Slovenia, and Belgium, Finland, Ireland, Latvia, Luxembourg, Slovenia and Sweden
    • The age old debate continues about undermining encryption to allow checking of encrypted material for any CSAM, e.g. US litigation against Apple for dropping its planned CSAM scanning after privacy and surveillance concerns.
    • An excellent post about the planned "Chat Control" scanning under this Directive points out: "Chat Control is one example of mass screening for a low-prevalence problem — a dangerous mathematical structure. It requires breaking end-to-end encryption, the technological bedrock of digital privacy. Such a move would make mass surveillance cheap and easy again... false positives will overwhelm true positives in programs of this structure — mass screenings for low-prevalence problems under conditions of rarity, persistent uncertainty, and secondary screening harms. Under these conditions, even highly accurate such programs backfire by making huge haystacks (wrongly flagged cases, “false positives”) while missing some needles (wrongly cleared cases, “false negatives”)... when finite investigative resources are tied up processing CSAM possession tips from mass scanning, they cannot be used for other investigations... This is consistent with the possibility that children are endangered by such mass screening programs exhausting the investigative resources necessary to process tips that have a higher likelihood of being true positives and may otherwise be more relevant to current as opposed to past abuse. Curtailing targeted investigations that might stop ongoing abuse or bigger-fish distributors in favor of processing mass scanning tips that are overwhelmingly false positives does not serve the interests of vulnerable children or society... [but] it does serve the interests of those who would like a return to cheap, easy mass digital communications surveillance..."
  • Data, software, products: reminder from the US Federal Trade Commission (FTC) that to protect security it's important to have good data management (including enforcing mandated data retention schedules and mandating data deletion, so there's less unnecessary data that could be hacked), secure software development, and secure product design for humans (including least privilege, phishing-resistant MFA) 
  • Financial services, incident reporting, vendors: the UK Prudential Regulation Authority (PRA) issued a consultation paper CP17/24 – Operational resilience: Operational incident and outsourcing and third-party reporting, on proposed "rules and expectations for firms to report operational incidents and their material third-party arrangements" (deadline 14 Mar 25), with reporting thresholds (quite subjective), and a phased approach to incident reporting: initial, intermediate, final, with certain minimum information
  • Product safety: the EU General Product Safety Regulation applies from this date. When assessing whether a product is a safe product, factors to consider include, "when required by the nature of the product, the appropriate cybersecurity features necessary to protect the product against external influences, including malicious third parties, where such an influence might have an impact on the safety of the product, including the possible loss of interconnection", particularly digitally connected products likely to have an impact on children (on top of sectoral laws on cybersecurity risks affecting consumers etc)
    • Detailed UK guidance, applicable to Northern Ireland summarises it as: "This Regulation requires that all consumer products placed on the NI and EU markets are safe and establishes specific obligations for businesses to ensure that safety. The Regulation applies to products placed on, or made available to, the market where there are no sector-specific provisions with the same objective"   

12 Dec 24

  • Passkeys: these are touted as more secure than using passwords, and are increasingly being supported (see my book and the free PDF). Microsoft published its UX design insights to boost passkey adoption and security

10 Dec 24

  • EU Cyber Resilience Act (CRA): this Regulation entered into force (published in OJ 20 Nov 24, news item), requiring minimum cybersecurity requirements for any "product with digital elements" before they can be made available on the EU market, with certain cybersecurity vulnerability handling obligations on manufacturers, including on vulnerability disclosure
    • A "product with digital elements" is any software or hardware product and its "remote data processing solutions", including software or hardware components being placed on the market separately (where "remote data processing" is remote processing designed by the manufacturer, whose absence would prevent one of the product's functions from being performed - such as essential cloud processing). So, CRA catches not just IoT / smart devices but also software (and is not limited to consumer IoT, unlike the UK's  Product Security and Telecommunications Infrastructure Act (PSTI))
    • CRA applies fully from 11 December 2027, but with some earlier applicable dates like 11 September 2026 for Art.14 on manufacturers' obligation to report any actively exploited vulnerability contained in such a product: with staggered deadlines of 24 hrs, 72 hrs etc.

9 Dec 24

  • Open source, malicious code, tools: open source code is increasingly incorporated into software, but open source packages can be malicious, or legitimate code can be accessed by attackers and "poisoned" to serve malicious purposes e.g. adding a backdoor for hackers. The Stack reported that a tool, DataDog, had been open sourced, termed as a [software] "supply chain firewall" that scans Python packages being installed, and blocks packages know to be malicious based on the tool provider's own observations or certain open source feeds 

5 Dec 24

  • Consumer IoT: the UK published a survey it had commissioned before the  Product Security and Telecommunications Infrastructure Act (PSTI) came into force, to map and analyse the market for consumer connectable products, and collect and analyse evidence on the compliance of manufacturers with the PSTI legal regime, as well as evidence on awareness and impacts of the legislation. It outlines well the PSTI compliance challenges (which many may be familiar with!). And see the related infographic. See also 25 Nov
  • Software patching, tools: one of the most critical security measures to take is patching, ensuring software is kept updated with new versions that address security vulnerabilities. Google released a new open source security patch validation automation tool Vanir, that helps Android developers "quickly and efficiently scan their custom platform code for missing security patches and identify applicable available patches". "While initially designed for Android, Vanir can be easily adapted to other ecosystems with relatively small modifications, making it a versatile tool for enhancing software security across the board" 

4 Dec 24

  • EU digital identity wallets: technical standards, adopted by the Commission on 28 Nov, for cross-border eID wallets under the European Identity Framework that was updated in 2024, were published in the OJ under 5 implementing regulations with rules on eID Wallets' integrity and core functionalities, on eID Wallets solutions' protocols and interfaces and on person identification data and electronic attestations of attributes of eID Wallets, plus reference standards, specifications and procedures for a certification framework for eID Wallets, and obligations for notifications to the Commission concerning the eID Wallet ecosystem
  • Measures, metrics: how can organisations measure to what extent their cyber security measures are effective? The US National Institute of Standards and Technology (NIST) published updated guidance on how an organization can develop 

3 Dec 24

  • Comms infrastructure: several US and other agencies published a joint guide Enhanced Visibility and Hardening Guidance for Communications Infrastructure, "that provides best practices to protect against a People’s Republic of China (PRC)-affiliated threat actor that has compromised networks of major global telecommunications providers. The recommended practices are for network engineers and defenders of communications infrastructure to strengthen visibility and harden network devices against this broad and significant cyber espionage campaign... Although tailored to communications infrastructure sector, this guidance may also apply to organizations with on-premises enterprise equipment"
  • EU cybersecurity, threats: EU security agency ENISA published its first NIS2 biennial report on the state of EU cybersecurity. This reported "substantial cyber threat level to the EU, highlighting discovered vulnerabilities exploited by threat actors targeting EU entities..." and made several policy recommendations on strengthening EU cyber skills/workforce and addressing supply chain security 
  • UK cybersecurity, threats: the UK National Cyber Security Centre (NCSC) published its Annual Review 2024. Its head stressed in an accompanying speech the "clearly widening gap between the exposure and threat we face, and the defences that are in place to protect us... We need all organisations, public and private, to see cyber security as both an essential foundation for their operations and a driver for growth. To view cyber security not just as a ‘necessary evil’ or compliance function, but as a business investment, a catalyst for innovation and an integral part of achieving their purpose... Hostile activity in UK cyberspace has increased in frequency, sophistication and intensity... Actors are increasingly using our technology dependence against us, seeking to cause maximum disruption and destruction... And yet, despite all this, we believe the severity of the risk facing the UK is being widely underestimated... There is no room for complacency about the severity of state-led threats or the volume of the threat posed by cyber criminals. The defence and resilience of critical infrastructure, supply chains, the public sector and our wider economy must improve..."
    • The NCSC's incident management (IM) team issued 542 bespoke notifications to organisations of a cyber incident impacting them, providing advice and mitigation guidance (cf. 258 in 2023). Almost half related to pre-ransomware activity, enabling organisations to detect and remove precursor malware before ransomware was deployed.
    • Top sectors reporting ransomware activity into the NCSC were academia, manufacturing, IT, legal, charities and construction. "We received 317 reports of ransomware activity, either directly from impacted organisations, or from our partners (an increase on 297 last year). These were triaged into 20 NCSC-managed incidents, of which 13 were nationally significant. These included high-profile incidents impacting the British Library and NHS trusts"
    • The NCSC was made aware of 347 reports of activity that involved the exfiltration or extortion of data
    • The IM team issued ~12,000 alerts about vulnerable services through its Early Warning service (an automated NCSC threat notification service, free to UK organisations - do sign up!). Exploitation of zero-days CVE-2023-20198 (Cisco IOS XE) and CVE-2024-3400 (Palo Alto Networks PAN OS) also resulted in 6 nationally significant incidents which the IM team helped manage 

2 Dec 24

  • Cybersecurity measures: the US Cyber & Security Infrastructure Agency (CISA) updated its Trusted Internet Connections (TIC) 3.0 Security Capabilities Catalog (SCC) version 3.2, based on the new National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) Version 2.0 mapping updates. TIC 3.0 SCC provides a list of deployable security controls, security capabilities, and best practices, intended to guide secure implementations and help US federal agencies satisfy program requirements within discrete networking environments, but is of more general use/interest 
  • Encryption: this was Global Encryption Day: the Global Encryption Coalition reported on the support of policymakers and others for encryption , including for the protection of children 
  • FS, DORA: the EU's DORA Regulation on digital operational resilience for the financial sector applies in the EU from 17 Jan 2025. Much secondary legislation on certain detailed requirements has been made under it (see list as at 4 Dec 24). On 2 Dec, an implementing regulation was published in the OJ on technical standards for standard templates for the register of information that in-scope financial entities must maintain in relation to their ICT services and ICT service providers, including providers' subcontractors in certain cases, such as details of their contracts 
    • Financial service entities' contracts with their ICT service providers should also be updated to comply with DORA's requirements, and some providers are directly regulated under DORA - not discussed here
  • Managed security services, certifications; EU: the Council approved a directly-applicable Regulation amending the EU Cybersecurity Act (CSA) to enable future adoption of European certification schemes for managed security services (MSS, like incident handling, penetration testing, security audits, consulting advice on technical support), increasingly important for cybersecurity incidents' prevention, detection, response, and recovery. Awaiting the CSA's broader evaluation by the Commission, this targeted amendment aims to enable establishment of such European certification schemes to help increase MSSs' quality, comparability and trustworthiness, and avoid fragmentation as some Member States have initiated national certification schemes for such services
    • Not law yet, to awaiting OJ publication
    • The Council also approved a Cyber Solidarity Act Regulation (also awaiting OJ) to strengthen EU/Member State cooperation and resilience against cyber threats, e.g. creating a cyber security alert system pan-European infrastructure comprising national and cross-border cyber hubs responsible for detecting, sharing information and acting on cyber threats including cross-border incidents. It also creates a cybersecurity emergency mechanism (including a EU cybersecurity reserve: private sector incident response services "ready to intervene" on significant/large-scale incidents if requested by a Member State or EU body as well as associated third countries, and incident review mechanism 

1 Dec 24

  • Cloud, access, MFA: previously, cloud service providers have tended to leave it to their customers to decide whether the customer wants to require MFA in order for its users to access its cloud service. A very positive trend is that providers are increasingly enforcing MFA, e.g. Snowflake will be blocking attempted sign-ins using single-factor authentication with passwords. It seems likely this move by Snowflake was influenced by >100 of its customers, who had not required MFA, being successfully attacked in 2024. While it would have behoved those customers to require MFA for access to their Snowflake services, these incidents did appear to lead to some negative comments about Snowflake 

29 Nov 24

28 Nov 24

  • Boards, directors: UK National Cyber Security Centre (NCSC)'s Cyber Security Toolkit for Boards: updated briefing pack released with insights on the ransomware attack against the British Library
  • EU NIS2 Directive: this Directive, updating and expanding the NIS Directive, should have been implemented by Member States by 17 Oct 24, but it wasn't (Europa list of those that have notified the Commission of their NIS2 transposition).
    • The Commission decided to open infringement procedures for not fully implementing NIS2 by sending formal notice to 23 Member States (Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland and Sweden). The Commission has given them two months to respond, complete their transposition and notify their measures to the Commission. Ireland hasn't yet transposed NIS2 officially, but it wasn't in that list, for whatever reason
  • UK Cyber Security & Resilience Bill consultation: consultation closed, on UK DSIT's call for evidence on proposals to inform the Bill

26 Nov 24

  • Awareness raising, NIS: EU security agency ENISA updated its guide on how to promote cyber security awareness to C-level (part of its AR-in-a-box DIY awareness-raising toolbox, "a comprehensive solution for cybersecurity awareness activities designed to meet the needs of public bodies, operators of essential services, and both large and small private companies. It provides theoretical and practical knowledge on how to design and implement effective cybersecurity awareness") - still relevant to NIS2 of course

25 Nov 24

  • IoT, smart devices, vulnerability handling, PSTI: the IoT Security Foundation published The State of Vulnerability Disclosure Policy (VDP) Usage in Global Consumer IoT in 2024, including some coverage of the impact of the UK Product Security and Telecommunications Infrastructure Act (PSTI). "...the UK legislation has driven a bigger improvement [among UK retailers] than European and US retailers. Whilst the sample set maybe low, it is a consistent gauge moving faster in the right direction" 
    • The survey indicated an increase in the proportion of manufacturers checked that had a vulnerability disclosure policy, from 23.99% in 2023 to 35.59% in 2024. Only ~21% of companies complied with PSTI's vulnerability disclosure requirements, though that's "increased significantly" from the previous year. 
    • The picture's variable regarding proportion of retailers stocking products whose manufacturers support vuln disclosure. Over 50% of IoT products stocked by several UK retailers were from manufacturers that had vulnerability disclosure policies. John Lewis was the best, 93.33% of its products checked were from compliant manufacturers. The detail on specific manufacturers, their website statements of compliance and how some meet PSTI (or not) is worth a look
    • "There has clearly been some effect from the UK’s Product Security and Telecommunications Infrastructure Act (Part 1) requirements... but implementation seems fragmented and inconsistent. While some leading UK retailers are showing that around 90% of the IoT manufacturers they stock have vulnerability disclosure policies, there are some notable exceptions to this ‘dip test’ of the market and there are obvious differences in online marketplaces. The other regions showed less promising and variable data about the product manufacturers they stocked"  (the report covers manufacturers and retailers in the EU, US and Asia too - not discussed here)
    • And there remains a "..gap in practice between the consumer and enterprise sectors. Whilst the consumer sector is firmly heading in the right direction, there is a stark contrast in market practice levels and continues to justify the need for consumer regulation" (I'd suggest enterprise IoT security could still improve)".
    • On individual product categories, "notable laggards being Health and Fitness, Lighting and, somewhat paradoxically, Security. Those manufacturer report cards read “must do better”"
    • See also 5 Dec 

22 Nov 24

  • Fraud, data protection: the UK ICO emphasised that data protection is not an excuse when tackling scams and fraud, "warning that reluctance from organisations to share personal information to tackle scams and fraud can lead to serious emotional and financial harm. Data protection law does not prevent organisations from sharing personal information, if they do so in a responsible, fair and proportionate way". It published "new practical advice to provide clarity on data protection considerations and support organisations to share data responsibly to tackle scams and fraud", aimed at any organisation seeking to share personal information to identify, investigate and prevent fraud, especially banks, telecommunications providers and digital platforms"
    • The same also applies to organisations disclosing potential personal data, like IP addresses and domain names, as indicators of compromise (IOCs) in threat sharing initiatives/platforms regarding cyber threats/breaches, whether sectoral or otherwise, and it would have been helpful if the ICO had also made that point.

21 Nov 24

  • Critical infrastructure, red teaming: the US Cyber & Security Infrastructure Agency (CISA) published its insights from a red team assessment of a US critical infrastructure organisation including lessons learned (technical controls, staff training, leadership/board: "Leadership deprioritized the treatment of a vulnerability their own cybersecurity team identified, and in their risk-based decision-making, miscalculated the potential impact and likelihood of its exploitation") and technical details

18 Nov 24

  • Passwords: it's interesting that, following notification of personal data breaches, the Romanian data protection supervisory authority ordered a company to take measures including (machine translation) "password complexity and history policy on all customer accounts with a pre-established expiration interval". That is a decades old practice, which is no longer considered good. Technical experts including the UK NCSC and US NIST recommend longer rather than more complex passwords, indeed NIST's latest draft update recommends not enforcing any password complexity rules like one lowercase, one uppercase etc. Similarly with forced password changes every few months or year, which is now deprecated (e.g. New Scientist article) as it reduces security by resulting in people writing down passwords, using bad passwords they can remember, etc! So it seems that some GDPR authorities could still benefit from more technical assistance/education on cybersecurity...

15 Nov 24

  • UK NIS Regulations, notified incidents: the ICO is the regulator for digital service providers under NIS (cloud, online marketplaces, online search engines). Responding to a freedom of information request, the ICO stated that 37 incidents were reported to the ICO as NIS incidents, including 18 incidents that were not in fact NIS incidents and 2 incidents (reported in 2020 and 2021) that did not meet the mandatory threshold following its assessment. The figures suggest many incidents are reported as NIS incidents when they are not, but it's possible there were some actual NIS incidents that were not reported as the final total of 19 seems quite low...:
    • 2020 - 2 (really 1, see above, but in fact the ICO did not consider it a NIS incident, so 0)
    • 2021 - 3 (really 2, but the ICO did not consider 1 a NIS incident, so 1)
    • 2022 - 4 (really 2, as the ICO did not consider 2 of those a NIS incident)
    • 2023 - 19 (really 18, as one was incorrectly reported to the ICO as well as to the correct competent authority, but several were not considered NIS incidents, so 8) 
    • 2024 YTD - 9 (but 5 were not considered NIS incidents, so 4) 

14 Nov 24

  • Product safety, IoT: in the first horizon scan report by the UK Office for Product Safety & Standards (OPSS), privacy, data loss and wider cyber security issues like distributed denial of service (DDOS) attacks were considered as part of harms or benefits a technology may present in relation to non-physical aspects, and the scan's taxonomy of technologies included cybersecurity and data platforms: "combination of data, policies, processes, and technologies employed to secure information, protect organisations, and protect individuals' cyber assets, including specific biological research through omics, and financial activities through blockchain, like new data technology and PETs. Health data was at greater risk of being compromised by cyber threats. Trends across technologies included security issues, with new vulnerabilities created by increased automation and connected technology with IoT, and new ways of compromise; most IoT devices' relatively limited computing power limits cybersecurity complexity and effectiveness, their interconnectivity increases vulnerabilities (specific IoT rapid review guidance). Social commerce normalises online money transfer enabling cybersecurity scams. "Blockchain can potentially offer some solutions to these challenges". Online marketplaces also need consumer protection against scams.
    • OPSS research on consumer attitudes/awareness indicated consumers are increasingly comfortable with manufacturers making changes remotely in the case of physical safety issues or cyber security vulnerabilities, but becoming less considerate of cyber security before initial purchase, particularly those with a low education level. Note that the OPSS is responsible for enforcing the UK's Product Security and Telecommunications Infrastructure Act (PSTI) 

12 Nov 24

  • Financial services, vendors: UK FS regulators Bank of England (Bank), Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) issued PS16/24 FCA 24/16 – Operational resilience: Critical third parties to the UK financial sector, with final rules for FS use of critical third parties (CTPs) including operational risk and resilience requirements, and incident reporting and other notifications and enforcement
  • Security engineering, learning: all PDF chapters of the late, great Ross Anderson's seminal, very readable Security Engineering book (3rd edition 2020) are now available for free download via this link

7 Nov 24

  • NIS2, risk management: EU security agency ENISA issued a consultation on its detailed technical implementin gguidance (PDF no longer availabe on ENISA's website, but see Internet Archive) to support EU Member States and entities with  implementation of the technical and methodological requirements of NIS2's required cybersecurity risk management measures. The final version is awaited. (On the implementing regulation for certain types of entities, see my October post.)

4 Nov 24

  • QR code phishing: this is phishing by tricking people into scanning malicious QR codes to take them to malicious websites or install/open malicious apps/files, and it's an increasing attack vector. Microsoft explained how it updated its Microsoft Defender for Office 365 to address this 

31 Oct 24

  • Incident response, preparations, resilience: helpful lessons on the Jul 24 Crowdstrike outage from the UK Financial Conduct Authority (FCA) with its observations on how FS firms responded to the incident including infrastructure resilience, third party management, incident response and communications, with recommendations on what firms should be doing on these fronts    
  • Cybersecurity measures: ending Cybersecurity Awareness Month, Microsoft published 7 cybersecruity trends and (same old, same old!) its tips for SMEs:
    • 1in 3 SMBs have suffered a cyberattack (Microsoft tips: strong passwords, MFA, consider password manager, recognise/report phishing, keep software updated i.e. patching)
    • Attacks cost them >$250k on average and up to $7m (tip: risk assessment to understand gaps, determine measures to address)
    • 81% of SMBs think AI increases need for additional security controls (tip: data security & data governance when adopting AI)
    • 94% think cybersecurity is business-critical (tip: educate/train employees e.g. using Microsoft awareness resources)
    • <30% manage security in-house (tip: it's common to engage a Managed Service Provider (MSP) for security support)
    • 80% mean to increase cybersecurity spending, prioritising "data protection" [NB broader than in the GDPR sense] (tip: prioritise data protection, firewall, anti-phishing, ransomware & device/endpoint protection, access control, identity management e.g. via DLP, EDR, IAM)
    • 68% feel secure data access is a challenge for remote workers (tip: measures to protect data and Internet-connected devices, app store downloads; no credential sharing by email/text only phone in real time)

25 Oct 24

24 Oct 24

  • Web security, standards: a Princeton news item discusses a new security standard their researchers worked on. "The change centers on how web browsers and operating systems verify a website’s identity when establishing a secure connection. They rely on third party organizations known as certification authorities, who issue digital certificates of authenticity based on a website owner’s ability to demonstrate legitimate control over the website domain, usually by embedding a random value that the certification authority has provided. ...bad actors could easily sidestep those hurdles to obtain a fraudulent certificate for a website they do not legitimately control... it could target any website on the internet. Users had no way to spot the fraud since the certificates were real, even if their underlying facts had been forged. With a fraudulent certificate, criminals could attack users and route traffic to fake sites without anyone knowing... the fake site would look every bit as legitimate as the real one... By adopting the Princeton standard, certification authorities have agreed to verify each website from multiple vantage points rather than only one... [multi-perspective validation]", which will improve Internet/web security 

23 Oct 24

  • Cybersecurity measures, certifications, supply chain: the UK's Cyber Essentials certification scheme, to encourage organisations to implement key essential cybersecurity measures (cyber hygiene), reached its 10 year anniversary.
    • It's great to hear it has been effective in improving cybersecurity: "Recent insurance data shows us that organisations with Cyber Essentials are 92% less likely to make a claim on their insurance than those without it". The NCSC noted, "This statistic underscores the scheme’s effectiveness in mitigating cyber risks". "Additionally, where organisations require their third parties to get Cyber Essentials, we know they experience fewer third party cyber incidents".
    • The full impact evaluation noted that Cyber Essentials:
      • is providing cyber security protection to organisations of all sizes, including larger organisations that use other schemes, standards and accreditations
      • helps to improve organisations’ awareness and understanding of the cyber security risk environment
      • has stimulated wider actions, good practice and behaviours among organisations that use it
      • is being actively used as part of supply chain assurance to inform the supplier selection process, instil confidence and demonstrate basic cyber hygiene to the market
    • The NCSC also added, "Cyber Essentials has played a crucial role in raising awareness about cyber security. An evaluation conducted as part of the 10-year review revealed that 85% of certified organisations reported a better understanding of cyber risks. This increased awareness has empowered businesses to take proactive measures in safeguarding their digital assets", and said "The data is clear, implementing the five controls significantly lowers the risk of experiencing a cyber incident. For organisations lacking the necessary in-house expertise, support is readily available through companies offering the NCSC-recognised Cyber Advisor Service"
    • Also, to improve supply chain securityprocurement efficiency, consistent minimum standards, UK financial entities Barclays, Lloyds Banking Group, Nationwide, NatWest, Santander UK and TSB have stated that they will promote and incorporate Cyber Essentials in their supply chain risk management and they encourage other businesses to incorporate Cyber Essentials into their supplier requirements. (This would also "Spread greater cyber insurance coverage across supply chains through the provision of free cyber insurance, and incident response services, included with Cyber Essentials certification to qualifying organisations")
      • Comment: Contractually requiring suppliers/vendors/service providers to be certified is a helpful move in the right direction. Cyber Essentials measures are the bare minimum that organisations should take, are not difficult to implement, and would go a long way towards preventing or reducing the impact of cyber incidents, so all organisations should be certifying, or at least implementing those measures even if they don't get certified! Unlike with ISO standards, Cyber Essentials measures are freely available, whether implemented through self-assessment or (Plus) third-party audit. 
      • Note: Cyber Essentials funding is offered to small organisations in certain sectors like AI, quantum, semiconductors etc., with certain criteria 

2 Oct 24

  • Ransomware: Counter Ransomware Initiative (CRI) guidance for organisations experiencing a ransomware attack and organisations supporting them
  • Scanning, testing: interesting study on how external cybersecurity scanning data can enhance underwriting accuracy for the (re)insurance industry. This compared companies’ security controls with actual insurance claims, identifying key predictive factors including the organisation's IP address count and patching cadence (the speed at which it updated software to address vulnerabilities), that help forecast claims. Single Point of Failure (SPoF) data also highlighted dependencies on third-party services like AWS (cloud) and VPNs
    • While aimed at (re)insurance, scanning/pen testing obviously is also helpful if not essential for insured organisations, and same issues obviously affect their susceptibility to successful attacks, so keep your number of IP addresses limited to reduce exposure, and (not a new recommendation) patch ASAP!  

25 Sept but UK press release 17 Oct 24

  • Quantum computing, encryption, financial services - risks to security & FS: G7 Cyber Expert Group's statement on planning for quantum computing's opportunities and risks (including to public key cryptography) and steps that financial entities should take

10 Sept 24

  • Cybercrime, data sharing: the UK ICO and National Crime Agency (NCA) signed a memo of understanding on how they'll collaborate to improve the UK's cyber resilience, including "The NCA will never pass information shared with it in confidence by an organisation to us without having first sought the consent of that organisation" and "We will support the NCA’s visibility of UK cyber attacks by sharing information about cyber incidents with the NCA on an anonymised, systemic and aggregated basis, and on an organisation specific basis where appropriate, to assist the NCA in protecting the public from serious and organised crime"
Posted by
Labels: , , , , , , , , ,