Viewing entries tagged
cyber threats

Malicious software used to illegally mine cryptocurrency

Comment

Malicious software used to illegally mine cryptocurrency


compromise of the third-party JavaScript library ‘Browsealoud’


*Image for illustration only

During the compromise, anyone who visited a website with the Browsealoud library embedded inadvertently ran mining code on their computer, helping to generate money for the attackers. No money was taken from users themselves, but the mining code performed computationally intensive operations that were used to earn the cryptocurrency. These operations may have affected the performance and battery life of the devices visiting the site.

Browsealoud was taken offline shortly after the compromise, mitigating the issue. However, website administrators, and other JavaScript library developers may wish to take further steps to prevent future compromise by following the guidance by National Cyber Security Centre (NCSC) below:

 
Advice for members of the public
  • The cryptojacking harnessed people’s computers to help ‘mine’ for cryptocurrency. This involves using your device to perform computations and does not take any money from you or your accounts.
  • The only impact on affected users’ computers was that they temporarily had minor performance loss and reduced battery power.
  • If you have experienced unusually slow performance from your computer, reduced battery life, or visited the affected websites we recommend:
    • Closing the browser you visited the webpage on is likely enough to stop the mining;
    • Clearing the browser cache will remove all traces of the code. Guidance on how to do this is available here: http://www.refreshyourcache.com/en/home/
Advice for website administrators
  • Make a risk-based decision on including third-party JavaScript in your site. This will vary depending on the size of the website you manage and who is supplying the code. Consider whether the code you are including could compromise your users, and balance this against the risk of this happening for your site.
  • If practical to do, consider hosting the JavaScript locally on your own server rather than linking to code hosted elsewhere. This means changes to the libraries require access to your server, although this will mean you will need to install security patches yourself.
In certain cases, some technical measures can also help prevent inclusion of compromised third-party resources:
  • SRI (Sub-Resource Integrity) allows the browser to check a cryptographic hash of the script to ensure that your users are running the unaltered version. However, SRI will only work if the script is relatively static. If it changes regularly, the signature will no longer be valid and the script will not be loaded by users. Also, browser support for SRI is not universal.
  • CSP (Content Security Policy) allows you to whitelist locations where scripts can be loaded from. Several independent researchers have written that having a well-defined CSP in place would have blocked this attack.
We recommend putting the above mitigating measures in place where practical, and while we recognise these will not necessarily protect end users in all cases they will reduce the chances of your website being compromised.
Advice for third-party JavaScript developers
  • Implement robust change control for your code, including monitoring your codebase for unauthorised modifications, reviewing code contributions, and having a rapid takedown process in place for if a compromise is detected.
  • Where you offer hosted versions of your library, ensure that you have robust access control and logging in place for making changes to the library.
  • Consider supporting customers who wish to use Subresource Integrity (SRI). For example, providing numbered versions of libraries which remain static, and so have a static cryptographic hashes will enable customers to validate their integrity.
 
 

we can help...


SecureStorm_Logo_MSW-02.jpg
Certified Service - 56902444 Risk Management Mini Mark copy.png

Securestorm Director & Advisor to Public Sector, Tony Richards said "This is likely a result of improper security controls put in the place. That is why we insist the organisations that we work with to know exactly what is running on their systems, especially using when procuring third-party services or features. In addition to NCSC guidance on the matter, organisations need to consider the overall security maturity of the third-party service provider at that initial phase which helps to assess the level of risk that they may be exposed to at the outset".

If your organisation needs help risk assessing third-party services, give Securestorm a call. As NCSC Certified Cyber Security Consultants, we focus on advising our clients with a pragmatic lists of actionable solutions that allow organisations to make big changes, fast and most importantly remain Cyber Secure.

 

 

Comment

UK industries:"Boost Security or Face Fines!"

Comment

UK industries:"Boost Security or Face Fines!"


new Government ANNOUNCEMENT to protect essential services from cyber attack


The UK Government issued a press release that warned British industries to boost cyber security or face hefty fines for leaving themselves vulnerable to attack. Here are the key-points from the press article.

  • Organisations risk fines of up to £17 million if they do not have effective cyber security measures
  • Sector-specific regulators will be appointed so essential services are protected
  • National Cyber Security Centre publishes new guidance for industry

Link to the full article here.

GETTING STARTED

1. GET YOUR GUIDANCE FROM THE NCSC:

The National Cyber Security Centre (NCSC), the UK’s centre of cyber excellence established in 2017, has published detailed guidance on the security measures to help organisations comply. These are based around 14 key principles set out in the NCSC consultation and government response, and are aligned with existing cyber security standards.

2. FOLLOW A CYBER-SECURITY LED APPROACH

Cybersecurity is everyone's problem, not just the responsibility of IT departments.
Companies have to accept the fact that security has to be planned and implemented in to all business processes. Most organisations that deal with numerous consumer data may need to appoint, outsource or train key responsible personnel like CISOs, Information Security Officers and Data Protection Officers (DPOs).

3. TALK TO AN EXPERT!

By now most companies have build up a 'cyber-awareness', that they must protect and invest in information security and IT assets to reduce the risk of breach, loss or exposure of data, theft of resources, and overall brand reputation with addition to the hefty penalties that they might incur. The recent breach reports and news articles like the popular TALK-TALK incident are examples of why.  However, the challenge is how, particularly when most businesses lack the key skills to do so.

Looking for the right security partner can be a daunting task especially in a crowded marketplace. But there are some key factors to consider while looking for consultants that fit your purpose:

  • Trust: Find out if they have relevant industry accreditations. For example, being an NCSC certified Cyber Consultancy would be good start. It is not always about certifications over experience, but your selected security partner should hold relevant qualifications that suit your industry type.
     
  • Pragmatic:  It is essential that your security partner provides practical advice and solutions that are carefully analyzed and chosen to reflect the right balance of benefit and costs. That is why going for a 'one-size-fits-all' solution does not work. Depending on your organisation, a degree of flexibility is required due to factors such as firm’s size & strength, matrix, cyber-security culture and maturity.
     
  • Experience: It is important to know that you are getting the skill-set you paid for. Many large and reputed IT security vendors most often have the best online-presence but when it comes to experienced talents to actually fulfil clients responsibilities, they fall short. Our advice would be to get to know the team and look into their experience and client-delivery records.
     
  • Industry Exposure: Each industry has its own information security protocol to follow. Furthermore, there are also different security group of guidelines such as NIST, ISO:27001, etc that apply to different organisations. This is why choosing a partner with relevant industry exposure makes a difference in your security goals.
    - Are you a Government Body or SME/Large Private organisation ?
    - Or are you a regulated industry like Banking, Finance or Telecommunications ? 

why securestorm ?


SecureStorm_Logo_MSW-02.jpg

Securestorm® are leading security experts who deliver pragmatic advice, practical solutions and solve security challenges across the Digital, Cloud, Cyber and Data Protection (GDPR) domains. With a combination of experience, expertise and strategic awareness, Securestorm offers technical and strategic consultancy, managed security services and solutions to clients across both Public and Private sectors.

Securestorm are a NCSC Certified Cyber Security Consultancy with demonstrable experience and proven delivery capabilities. Advanced security solutions and services include: Nol-ij® - Continuous Risk Management, Edgescan® - Full Stack Vulnerability Management, CybSafe® - Unified Cyber Awareness Platform, and Falanx MidGARD™ - Advanced Monitoring Platform.

 
bar.png

Comment

You Are Only As Strong As Your Weakest Link… MSPs Under Cyber-Threats.

Comment

You Are Only As Strong As Your Weakest Link… MSPs Under Cyber-Threats.

The following news story is result of an uncovering report as presented by the NCSC:


Advice on managing enterprise security published after major cyber campaign detected


  • Third parties who manage large organisations’ IT services attacked
  • NCSC leading investigation in partnership with Cyber Incident Response partners
  • Advice urges enterprise security teams to discuss risk with Managed Service Providers

TARGETED expert advice aimed at Managed Service Providers and their customers has been published after a global cyber attack was uncovered by a multi-organisation collaboration led by the National Cyber Security Centre (NCSC).

The attacks are against global Managed Service Providers (MSPs), which are third parties who help to manage large organisations’ IT infrastructure and services. MSPs are particularly attractive to attackers because they have privileged access to other organisations’ systems and data.

Due to the incident affecting mainly larger organisations, the NCSC believes the risk of direct financial theft from individuals is unlikely.

The attacks provide a reminder about the importance of organisations choosing and monitoring their outsourcing partners carefully, so the NCSC has posted a range of advice on their website about what people should be done to mitigate against risks.

Ciaran Martin, CEO of the government’s National Cyber Security Centre Said:

“This scale of hostile activity is significant and our intervention is aimed at giving the UK the ability to tackle this threat head-on by giving organisations the tools and information they need.

“We always encourage enterprises to discuss this threat with their MSP, even if they have no reason to believe they have been affected. This incident should remind organisations that entire supply chains need to be managed and they cannot outsource their risk.

“The response to this attack is an example of the new NCSC at work with our partners. It would not have been possible to uncover the scale and significance of this incident as quickly without our close partners in Cyber Incident Response (CIR) initiative, including PWC and BAE Systems.”

The guidance reflects the technical advice and mitigation measures offered to U.K. industry and government departments on the Cyber-security Information Sharing Partnership (CISP) platform.

Organisations who outsource IT infrastructure are recommended to have an open dialogue with their provider and to understand what model they use to manage your services. If their model is unsatisfactory, the organisation should demand that they change it immediately.

The NCSC recommends that MSPs who are unwilling to work closely with customers or are unwilling to share information should be treated with extreme caution. They also advise that having an independent audit of your MSP is critical for security management – an organisation that neglects such monitoring is unlikely to ever be able to effectively manage the risk.

The NCSC, which is part of GCHQ, is the UK’s technical authority on cyber security. The NCSC was opened by HM The Queen in February 2017 and provides a single, central body for cyber security at a national level. It manages national cyber security incidents, carries out real-time threat analysis and provides tailored sectoral advice. 

The UK government is fully committed to defending against cyber threats and address the cyber skills gap to develop and grow talent. A five year National Cyber Security Strategy (NCSS) was announced in November 2016, supported by £1.9billion of transformational investment.


Finding Reliable, Trusted & Assured Experts Through NCSC Seal Of Approval

The NCSC, set up in October 2016, is part of GCHQ and amalgamates government agencies dealing with cyber security. The NCSC was set up to help protect our critical services from cyber attacks, managing major incidents and improve the underlying security of the UK Internet through technological improvement and advice to citizens and organisations. Their vision is to help make the UK the safest place to live and do business online. NCSC certification serves as seal of trust, assurance and reliability for procuring services.

Certified Cyber Consultancies will have demonstrated to NCSC that they have;

  • a proven track record of delivering defined cyber security consultancy services
  • a level of cyber security expertise supported by professional requirements defined by NCSC
  • the relevant Certified Professional (CCP) qualifications

And that they;

  • Manage consultancy engagements in accordance with industry good practice
  • Meet NCSC requirements for certified professional cyber services companies

Certified Cyber Security Consultancies commit to:

  • Complying with a code of conduct (see Section III of the Professional Cyber Services Application form)
  • Maintaining their cyber security expertise

SECURESTORM: PROVIDING CERTIFIED EXPERTISE

Securestorm as an NCSC certified Cyber Security Consultancy, are 1 of 3 companies who specialize in IA Audit and Review. Securestorm can undertake the Independent Security Assurance Reviews and IA Audits of Managed Service Providers as advised by the NCSC in light of this new attack. Additionally, Securestorm are also certified to carry out Risk Assessment & Risk Management with experience across Central government, Digital services for Government, Wider Public Sector.

bar.png

Comment