
Securestorm to Work with UK Supreme Court


 
 

Securestorm wins 'Security Services' contract with the UK Supreme Court

Securestorm Ltd., the provider of pragmatic security services and solutions, is pleased to announce that it has been awarded a contract to deliver a managed cyber security solution and services package tailored to boost the overall security efforts of its client, the UK Supreme Court.

AWARD WINNING FULLSTACK VULNERABILITY & SECURITY TESTING MANAGEMENT

GCHQ ACCREDITED - UNIFIED CYBER SECURITY TRAINING & AWARENESS

The work will consist of providing an award-winning Continuous Security Testing and Vulnerability Management system called Edgescan. Another key solution provided will be the GCHQ Accredited Unified Cyber Security Training & Awareness Platform called CybSafe. The work will also include Cyber Essentials accreditation, an NCSC and Government-backed, industry-supported scheme that helps organisations protect themselves against common online threats.

The Securestorm Cyber Security Package will give the Supreme Court a full-stack assessment engine to identify vulnerabilities and risks in its website and applications, while improving cyber security behaviour, visualising human-factor vulnerability and reducing cyber risk through a unified security training programme. The added Cyber Essentials consultation and accreditation will reassure the public that the Supreme Court is working towards securing its IT against cyber attacks and has security measures in place against cyber risks.

Tony Richards, Director of Securestorm, commented:

"We are delighted to have won the work to deliver this crucial cyber security project for the UK Supreme Court and are confident that we can contribute to the creation of a digitally secure and connected environment, as we have done with our other Government clients. The Supreme Court plays an important role in the development of United Kingdom law. As an SME, it is a testament to our expertise, experience and capabilities that we are able to support the nation's crucial legal system at a security level."

 
About: Securestorm® are leading security experts who deliver pragmatic advice and practical solutions, and solve security challenges across the Digital, Cloud, Cyber and Data Protection (GDPR) domains. With a combination of experience, expertise and strategic awareness, Securestorm offers technical and strategic consultancy, managed security services and solutions to clients across both Public and Private sectors. Securestorm holds several certifications, notably NCSC Certified Cyber Security Consultancy, Crown Commercial Supplier and Cyber Essentials, and is also recognised in the industry for its proven delivery capabilities.

Malicious software used to illegally mine cryptocurrency


Compromise of the third-party JavaScript library ‘Browsealoud’



During the compromise, anyone who visited a website with the Browsealoud library embedded inadvertently ran mining code on their computer, helping to generate money for the attackers. No money was taken from users themselves, but the mining code performed computationally intensive operations that were used to earn the cryptocurrency. These operations may have affected the performance and battery life of the devices visiting the site.

Browsealoud was taken offline shortly after the compromise, mitigating the issue. However, website administrators and other JavaScript library developers may wish to take further steps to prevent future compromise by following the guidance from the National Cyber Security Centre (NCSC) below:

 
Advice for members of the public
  • The cryptojacking harnessed people’s computers to help ‘mine’ for cryptocurrency. This involves using your device to perform computations and does not take any money from you or your accounts.
  • The only impact on affected users’ computers was that they temporarily had minor performance loss and reduced battery power.
  • If you have experienced unusually slow performance from your computer or reduced battery life, or have visited the affected websites, we recommend:
    • Closing the browser you visited the webpage in; this is likely enough to stop the mining;
    • Clearing the browser cache, which will remove the cached copy of the code. Guidance on how to do this is available here: http://www.refreshyourcache.com/en/home/
Advice for website administrators
  • Make a risk-based decision on including third-party JavaScript in your site. This will vary depending on the size of the website you manage and who is supplying the code. Consider whether the code you are including could compromise your users, and balance this against the risk of this happening for your site.
  • If practical to do, consider hosting the JavaScript locally on your own server rather than linking to code hosted elsewhere. This means changes to the libraries require access to your server, although this will mean you will need to install security patches yourself.
In certain cases, some technical measures can also help prevent inclusion of compromised third-party resources:
  • SRI (Subresource Integrity) allows the browser to check a cryptographic hash of the script to ensure that your users are running the unaltered version. However, SRI only works if the script is relatively static: if it changes regularly, the published hash will no longer match and the script will not be loaded by users' browsers. Also, browser support for SRI is not universal.
  • CSP (Content Security Policy) allows you to whitelist the locations from which scripts can be loaded. Several independent researchers have written that having a well-defined CSP in place would have blocked this attack.
We recommend putting the above mitigating measures in place where practical, and while we recognise these will not necessarily protect end users in all cases they will reduce the chances of your website being compromised.
Advice for third-party JavaScript developers
  • Implement robust change control for your code, including monitoring your codebase for unauthorised modifications, reviewing code contributions, and having a rapid takedown process in place in case a compromise is detected.
  • Where you offer hosted versions of your library, ensure that you have robust access control and logging in place for making changes to the library.
  • Consider supporting customers who wish to use Subresource Integrity (SRI). For example, providing numbered versions of libraries which remain static, and so have static cryptographic hashes, will enable customers to validate their integrity.
 
 

we can help...



Securestorm Director & Advisor to Public Sector, Tony Richards, said: "This is likely a result of improper security controls put in place. That is why we insist that the organisations we work with know exactly what is running on their systems, especially when procuring third-party services or features. In addition to NCSC guidance on the matter, organisations need to consider the overall security maturity of the third-party service provider at that initial phase, which helps to assess the level of risk that they may be exposed to at the outset."

If your organisation needs help risk-assessing third-party services, give Securestorm a call. As NCSC Certified Cyber Security Consultants, we focus on advising our clients with a pragmatic list of actionable solutions that allow organisations to make big changes fast and, most importantly, remain cyber secure.

 

 

UK industries: "Boost Security or Face Fines!"


New Government announcement to protect essential services from cyber attack


The UK Government issued a press release warning British industries to boost cyber security or face hefty fines for leaving themselves vulnerable to attack. Here are the key points from the press release.

  • Organisations risk fines of up to £17 million if they do not have effective cyber security measures
  • Sector-specific regulators will be appointed so essential services are protected
  • National Cyber Security Centre publishes new guidance for industry

Link to the full article here.

GETTING STARTED

1. GET YOUR GUIDANCE FROM THE NCSC:

The National Cyber Security Centre (NCSC), the UK's centre of cyber excellence opened in 2017, has published detailed guidance on the security measures that will help organisations comply. These are based around 14 key principles set out in the NCSC consultation and government response, and are aligned with existing cyber security standards.

2. FOLLOW A CYBER-SECURITY LED APPROACH

Cyber security is everyone's problem, not just the responsibility of IT departments.
Companies have to accept that security has to be planned and implemented into all business processes. Most organisations that handle large volumes of consumer data may need to appoint, outsource or train key responsible personnel such as CISOs, Information Security Officers and Data Protection Officers (DPOs).

3. TALK TO AN EXPERT!

By now most companies have built up an awareness that they must protect and invest in information security and IT assets to reduce the risk of breach, loss or exposure of data, theft of resources and damage to brand reputation, in addition to the hefty penalties they might incur. Recent breach reports and news articles, such as the widely reported TalkTalk incident, are examples of why. The challenge, however, is how, particularly when most businesses lack the key skills to do so.

Looking for the right security partner can be a daunting task especially in a crowded marketplace. But there are some key factors to consider while looking for consultants that fit your purpose:

  • Trust: Find out whether they hold relevant industry accreditations. For example, being an NCSC Certified Cyber Security Consultancy is a good start. It is not always about certifications over experience, but your selected security partner should hold relevant qualifications that suit your industry.

  • Pragmatic: It is essential that your security partner provides practical advice and solutions that are carefully analysed and chosen to strike the right balance between benefit and cost. That is why a 'one-size-fits-all' solution does not work: depending on your organisation, a degree of flexibility is required to account for factors such as the firm's size, structure, cyber security culture and maturity.

  • Experience: It is important to know that you are getting the skill-set you paid for. Many large and well-known IT security vendors have the best online presence, but when it comes to experienced people who actually deliver for clients, they fall short. Our advice is to get to know the team and look into their experience and client-delivery record.

  • Industry Exposure: Each industry has its own information security requirements to follow. Different frameworks, such as NIST and ISO 27001, also apply to different organisations. This is why choosing a partner with relevant industry exposure makes a difference to your security goals.
    - Are you a Government body or an SME/large private organisation?
    - Or are you in a regulated industry such as banking, finance or telecommunications?

why securestorm?



Securestorm® are leading security experts who deliver pragmatic advice, practical solutions and solve security challenges across the Digital, Cloud, Cyber and Data Protection (GDPR) domains. With a combination of experience, expertise and strategic awareness, Securestorm offers technical and strategic consultancy, managed security services and solutions to clients across both Public and Private sectors.

Securestorm are an NCSC Certified Cyber Security Consultancy with demonstrable experience and proven delivery capabilities. Advanced security solutions and services include: Nol-ij® - Continuous Risk Management, Edgescan® - Full Stack Vulnerability Management, CybSafe® - Unified Cyber Awareness Platform, and Falanx MidGARD™ - Advanced Monitoring Platform.

 
Beyond Tick-Box Training...

Securestorm, the NCSC Certified Cyber Security Consultants, are proud to have officially partnered with CybSafe, the GCHQ-accredited cyber security awareness training solution, to deliver an intelligent and constantly evolving training platform that gives organisations a level of expertise, insight, research and understanding that goes above and beyond traditional tick-box training.


Tony Richards, CTO, Securestorm, said: "We are delighted to tie up with CybSafe. As cyber security advisors working alongside multiple organisations across Government and Private sectors, we have always expressed how security awareness and training is not a 'tick-box' activity. With our partnership we are able to provide innovative and engaging security training, helping organisations to really embed and sustain better behaviours when it comes to cyber security. The goal here is to embed a resilient security culture throughout organisations."

HUMANIZE YOUR TRAINING

Most businesses know that the human aspect of cyber security is important. They also know that they aren’t doing enough to address it and worry that they carry too much unnecessary cyber security and data protection risk as a result.

The issues preventing good cyber security behaviour from the everyday technology users within their organisations aren't actually just knowledge and understanding. Many people are also apathetic, disengaged, fearful or confused.

These businesses want a cyber security awareness solution that demonstrably addresses the human aspect by changing behaviour, shows a demonstrable return on investment and marks them out as an organisation that can be trusted to take data protection seriously.

What is CybSafe?

CybSafe is a Unified Cyber Awareness Platform: data-driven, cloud-based software that addresses the human aspect of cyber security. In doing so it helps businesses to improve cyber security behaviour, visualise human-factor vulnerability and reduce cyber risk.

A Unified Cyber Awareness Platform

CybSafe is a Unified Cyber Awareness Platform that helps organisations intelligently address the human aspect of cyber security by focusing on ABC – Awareness, Behaviour & Culture.

It is advanced software that:

  • delivers GCHQ-accredited awareness training,
  • uses simulated multi-vector attacks and other methods to measure changes in behaviour, and
  • enables businesses to engage their people by keeping them informed and encouraging them to contribute their insight.

CybSafe helps organisations:

  • reduce their cyber risk,
  • build a positive cyber security culture,
  • meet their GDPR and other compliance requirements and
  • see a return on their investment.

It brings together many of the aspects a business needs to address the human side of cyber security effectively:

  • Train & Educate
  • Change behaviour
  • Inform
  • Engage
  • Measure & Analyse
  • Visualise & Report

CybSafe is a platform that can either be delivered on its own (for businesses without the capacity to do more), or as a mainstay feature that is complemented by additional security awareness activity. It is the only GCHQ-certified training tool of its kind that delivers this.

An awareness programme should be an intelligently woven together series of activities that engage, educate, assess and inform Users. If done properly Users feel empowered rather than undermined. They also increasingly see the value in their understanding of cyber security and feel part of the collective solution. It’s a journey that takes many from ambivalence, disinterest and a feeling of inconvenience to interest, appreciation and sensible caution.

Most businesses don't have the time, expertise or resource capacity to focus on the human aspect of cyber security as much as they should. CybSafe's Unified Cyber Awareness Platform automates this activity, making its delivery effortless for busy professionals.

Who is CybSafe for?
  • For businesses that realise that they need no longer pay lip service to the ‘people component’.
  • For those that understand that they don’t have the staff, time or expertise to address this component effectively on their own.
  • Any organisation that would like to directly address the human factor in cyber security to reduce their chances of having a breach – and benefit from the insights and experiences of others whilst saving money in the process.

Like to know more?

If you would like more information or advice on our range of Security Training and Awareness Programmes, get in touch here.

'Trust in Cloud'


Building Trust in the Security of Cloud


AIM & PURPOSE OF THE EVENT & PAPERS

techUK represents the companies and technologies that are defining today the world we will live in tomorrow. More than 900 companies are members of techUK. Collectively they employ approximately 700,000 people, about half of all tech sector jobs in the UK.

The event marked the launch of techUK's Building Trust in the Security of Cloud papers and a panel discussion with leading cloud industry figures on building trust in the security of cloud computing.

The series of papers is aimed at addressing common trust and security concerns, as well as misconceptions, surrounding cloud services. Despite many years of raising awareness of the benefits offered by cloud computing, some negative perceptions remain about the security of cloud services, and these are holding back cloud adoption and its benefits. Given the importance of cloud computing to the UK's digital future, it is vital that the cloud security messages and advice being delivered today are relevant to how cloud services have evolved, address the concerns being raised by cloud users, and are communicated to and understood by the right audiences.

To ensure this happens, techUK has been working with cloud computing and cyber security industry experts to develop a series of papers providing information and advice for consumers, SMEs and local government leaders who are looking to get the most out of cloud computing. The following papers will be launched and discussed at the event:


SECURESTORM WORKING WITH TECH-UK FOR TOPIC PAPERS & DISCUSSIONS

Securestorm's Tony Richards, CTO/CISO/Cyber and Cloud Security Strategist, on the Panel Discussion Committee for Building Trust in the Security of Cloud

As a techUK member organisation and industry experts, Securestorm worked directly with techUK and other industry members to discuss, research and build the cloud topic papers.

Securestorm's Tony Richards, CTO/CISO/Cyber and Cloud Security Strategist, also took part in the event panel discussion on 24th April 2017, providing insights and answering audience questions on cloud security in relation to Government, consumers and upcoming challenges such as Brexit and policy changes.

Securestorm are NCSC Certified Cyber Security Consultants with a broad interest in the cloud security domain, working across Public and Private sectors. With experience, knowledge and expertise, Securestorm actively champion cloud security best practices that enable Government and businesses to run more efficiently and cost effectively.

Highlights from 'Building Trust in Cloud Session'

Also launched was techUK's "Cloud First. Policy Not Aspiration" paper, which focuses on the importance of the UK Government's Cloud First policy being more than just an aspiration if the public sector is to adopt and use cloud effectively, and on how Government can become a loud and vocal cloud champion. The paper makes a number of recommendations that must be taken forward in order to build greater trust in the security of cloud services and increase the adoption of cloud within the public sector. The session discussed these recommendations, the importance of clear roles and responsibilities for organisations in building greater trust and security in cloud computing across both the public and private sectors, and how to take forward techUK's work in this area.


Access the Cloud papers here:

About: Securestorm are dynamic cyber security experts who deliver practical advice with the aim of meeting and solving challenges across the Cloud and Cyber Security domains. With a combination of experience, expertise and strategy, Securestorm offers guidance to clients across Public and Private sectors.
Securestorm holds several accreditations, notably NCSC Certified Cyber Security Consultancy, Crown Commercial Supplier and ISO 27001, and is also recognised in the industry for its proven delivery capabilities.

You Are Only As Strong As Your Weakest Link… MSPs Under Cyber-Threats.

The following news story is based on a report published by the NCSC:


Advice on managing enterprise security published after major cyber campaign detected


• Third parties who manage large organisations' IT services attacked
• NCSC leading investigation in partnership with Cyber Incident Response partners
• Advice urges enterprise security teams to discuss risk with Managed Service Providers

Targeted expert advice aimed at Managed Service Providers and their customers has been published after a global cyber attack was uncovered by a multi-organisation collaboration led by the National Cyber Security Centre (NCSC).

The attacks are against global Managed Service Providers (MSPs), third parties who help to manage large organisations' IT infrastructure and services. MSPs are particularly attractive to attackers because they have privileged access to other organisations' systems and data.

Because the incident mainly affects larger organisations, the NCSC believes direct financial theft from individuals is unlikely.

The attacks are a reminder of the importance of choosing and monitoring outsourcing partners carefully, so the NCSC has published a range of advice on its website about what should be done to mitigate the risks.

Ciaran Martin, CEO of the government's National Cyber Security Centre, said:

“This scale of hostile activity is significant and our intervention is aimed at giving the UK the ability to tackle this threat head-on by giving organisations the tools and information they need.

“We always encourage enterprises to discuss this threat with their MSP, even if they have no reason to believe they have been affected. This incident should remind organisations that entire supply chains need to be managed and they cannot outsource their risk.

“The response to this attack is an example of the new NCSC at work with our partners. It would not have been possible to uncover the scale and significance of this incident as quickly without our close partners in the Cyber Incident Response (CIR) initiative, including PwC and BAE Systems.”

The guidance reflects the technical advice and mitigation measures offered to UK industry and government departments on the Cyber-security Information Sharing Partnership (CiSP) platform.

Organisations that outsource IT infrastructure are recommended to have an open dialogue with their provider and to understand what model the provider uses to manage their services. If the model is unsatisfactory, the organisation should demand that it be changed immediately.

The NCSC recommends that MSPs who are unwilling to work closely with customers or to share information should be treated with extreme caution. It also advises that an independent audit of your MSP is critical for security management: an organisation that neglects such monitoring is unlikely ever to be able to manage the risk effectively.

The NCSC, which is part of GCHQ, is the UK's technical authority on cyber security. The NCSC was opened by HM The Queen in February 2017 and provides a single, central body for cyber security at a national level. It manages national cyber security incidents, carries out real-time threat analysis and provides tailored sectoral advice.

The UK government is fully committed to defending against cyber threats and to addressing the cyber skills gap by developing and growing talent. A five-year National Cyber Security Strategy (NCSS) was announced in November 2016, supported by £1.9 billion of transformational investment.


Finding Reliable, Trusted & Assured Experts Through NCSC Seal Of Approval

The NCSC, set up in October 2016, is part of GCHQ and brings together the government agencies dealing with cyber security. It was set up to help protect our critical services from cyber attacks, manage major incidents and improve the underlying security of the UK Internet through technological improvement and advice to citizens and organisations. Its vision is to help make the UK the safest place to live and do business online. NCSC certification serves as a seal of trust, assurance and reliability when procuring services.

Certified Cyber Consultancies will have demonstrated to NCSC that they have:

• a proven track record of delivering defined cyber security consultancy services
• a level of cyber security expertise supported by professional requirements defined by NCSC
• the relevant Certified Professional (CCP) qualifications

And that they:

• Manage consultancy engagements in accordance with industry good practice
• Meet NCSC requirements for certified professional cyber services companies

Certified Cyber Security Consultancies commit to:

• Complying with a code of conduct (see Section III of the Professional Cyber Services Application form)
• Maintaining their cyber security expertise

SECURESTORM: PROVIDING CERTIFIED EXPERTISE

Securestorm, as an NCSC Certified Cyber Security Consultancy, is one of three companies that specialise in IA Audit and Review. Securestorm can undertake the Independent Security Assurance Reviews and IA Audits of Managed Service Providers advised by the NCSC in light of this attack. Additionally, Securestorm is certified to carry out Risk Assessment and Risk Management, with experience across central government, digital services for government and the wider public sector.

UK faces dramatic cyber-security skills 'cliff edge' and is chronically under prepared for hacker attacks, study finds

"The study finds that only 12 per cent of the UK workforce is under the age of 35 and 53 per cent is over the age of 45"

A global survey of almost 20,000 security professionals across banks, governments and multinationals concludes that Britain is facing a cyber-security skills “cliff edge” and that companies are “chronically” under-prepared for attacks.

The survey, conducted by (ISC)² – a non-profit organisation that aims to educate people about the risks of being online – shows that the UK workforce is getting older, which is exacerbating an already gaping cyber-security skills rift.

Only 12 per cent of the workforce is under the age of 35 and 53 per cent is over the age of 45, the study finds.

A mere 6 per cent of UK companies are recruiting graduates who would have the potential to plug the gap, and 66 per cent already face a cyber-security skills squeeze due to being unable to find qualified personnel.

The data also suggest that employers are largely refusing to hire and train inexperienced recruits. A whopping 93 per cent of UK companies that responded to the survey said that previous cyber-security experience is an important factor in their hiring decisions.

The findings indicate that the skills deficit is already having an effect on British businesses.

Close to half of the UK companies questioned said that the shortfall of cyber-security personnel is having a significant impact on their customers. A similar proportion said that it is already causing security breaches.

“Industry is experiencing a talent shortfall because employers are too focused on recruiting people with existing cyber-security experience,” said Lucy Chaplin, a manager within KPMG’s financial services technology risk consulting group, commenting on the survey.

“[It] is like complaining that there’s a shortage of pilots but refusing to hire anyone who is not already an experienced pilot.”

Rob Partridge, head of BT’s Security Academy, said that “the findings confirm that graduates are being overlooked for cyber-security roles and it is now an economic and security imperative that we change this trend”.

Tuesday’s survey follows a string of similar warnings and a slew of high-profile cyber-attacks that have cost companies both in terms of money and reputation.

Last month, a survey by job site Indeed showed that the chasm between supply and demand for cyber-security expertise is widening at an alarming rate.


JOIN THE MOST PROGRESSIVE CYBER SECURITY ORGANISATION IN THE MARKET ...

Securestorm recognises the cyber security skills shortage and strongly supports cyber security as part of the educational curriculum, together with enhanced training and support networks, to raise professional standards and tackle the shortage. This ethos is carried over into our approach of investing heavily in people. We are on the lookout for bright and motivated talent to join our progressive organisation and be inspired and grow within the cyber security market. To see our latest vacancies, visit https://www.securestorm.com/careers/ or write to careers@securestorm.com for more information.

SECURESTORM on-board the ‘DIGITAL OUTCOMES & SPECIALIST 2’ framework

Securestorm, London-based Cloud and Cyber security experts, Crown Commercial Suppliers, CESG Certified and NCSC approved providers, are to bring their expertise and experience to the new framework from the Cabinet Office and Government Digital Service, the Digital Outcomes & Specialists framework, from February 2017.