The latest news from SWCRC
Did you make any New Year resolutions for your business? We did, and they’re about you. 

Last year, we grew to over 500 members. We do want to keep growing, because protecting small businesses and charities is the whole point of us, and our plans for world domination are still relevant. But we also want to take a bit of time to make sure that we’re doing the right thing for you. We’ve always said that cyber can be confusing, and we need to make sure that we’re genuinely helping you with that. 

So we’re updating our website, looking at developing more bite-size information, and considering how we can meet your needs more directly. We’re already canvassing new members about what made them join us, so that we can check back and see whether we have delivered. One thing we’ll be doing in the near future is to schedule some snappy morning discussion groups: guest speaker, Q&A, chance to network. You know the sort of thing, and when we kick this off next month we hope you’ll consider joining us online. 

We’re also looking at pulling together a huddle of some of our cyber partners, so that we can better understand the threats out there, and keep each other informed. Those of you who are registered with us can expect a short note soon with more details, to gauge your interest. 

And lastly, in our own news: we just achieved our own Cyber Essentials certification. That’s the government-backed scheme to keep small businesses safer online, and with its free insurance and support, we thought it was important.  We want to talk a bit more about what it involved in future communications, and to start to provide you with help and information if you want to do the same. 

So that’s us for the next year. Trying our hardest to help. If you have any feedback or want to chat to us about your own needs, you know where we are: drop us a note at enquiries@swcrc.co.uk. We’d love to hear from you. And now, what about you? If you didn’t make any resolutions, or just let them slip already, we reckon that the Chinese New Year gives you a second bite of the cherry. We suggest ‘staying safer, and not losing a tonne of money’. And in that vein, do read on, and find out what to look out for this month.

Mark Moore, Director, SWCRC 
Monthly threat assessment

1. Trends

First up, it being the New Year, there’s some interesting info out about trends in 2021 which give us a clue about what to look out for in ’22. Checkpoint have released a report showing the companies most impersonated to compromise your security. Worth looking at the report to see some of the screenshot examples, which would fool many people. The top ten companies impersonated, and % of global attacks to which their brand is linked, are


1. DHL (23%)
2. Microsoft (20%)
3. Whatsapp (11%)
4. Google (10%)
5. LinkedIn (8%)
6. Amazon (4%)
7. Fedex (3%)
8. Roblox (3%)
9. Paypal (2%)
10. Apple (2%)

One agency that doesn’t appear on the list is HMRC; partly because of the reach of the survey, but also because of its success in blocking scam sites, texts and phone calls at source (down by over 90%). We spotted this good news story last month and thought it worth a mention, if only to show that reporting fakes does work. As you know, dodgy emails can be forwarded to report@phishing.gov.uk (obviously, don’t open attachments yourself), and texts sent to 7726. This helps the authorities identify and take them down.

2)  NCSC warning


CloudFlare has also reported on last year’s “denial of service” attacks, which often manifest as a wave of internet traffic bringing your website down. This tends to be a risk for larger companies, and it needs some expertise to prevent, but as ever the NCSC has good basic guidance in place for technical teams. This type of activity rose by around a third last year, and the top five sectors at risk in the report are manufacturing, gambling, business services, IT, and then internet. Is that you?

This month, the government’s National Cyber Security Centre issued a warning to businesses about an expected increase in cyber crime. That’s unusual, and it’s because of the events around Ukraine, whose government agencies have already come under cyber attack. The expectation is that, as tensions rise, these attacks are likely to implicate others too, because we’re all connected. You can see the information here but the essential advice is to make sure you’re doing the basics: updating, backing up, ensuring that you and your staff are particularly careful with emails.

For bigger businesses, it’s also worth being aware that the American NCSC equivalent issued a corresponding alert to warn organisations of Russian state-sponsored cyber threats to critical infrastructure. They cite 13 current vulnerabilities which are particularly liable to exploitation. If you’ve got an IT team or provider, and use the products listed, pass them the details and ask if you’re covered.

CVE-2021-26855, CVE-2020-0688 (Microsoft Exchange); CVE-2020-4006 (VMWare); CVE-2020-14882 (Oracle Weblogic); CVE-2019-2725 (Oracle Weblogic server); CVE-2020-5902 (F5 Big-IP); CVE-2019-9670 (Zimbra); CVE-2019-7609 (Kibana); CVE-2019-19781 (Citrix); CVE-2019-1653 (Cisco router); CVE-2019-11510 (Pulse Secure); CVE-2019-10149 (Exim SMTP); CVE-2018-13379 (FortiGate VPN).

3)    IoT, QR codes and Excel


Other things to consider: the NCSC is citing an increasing number of Internet of Things attacks – where criminals get into your networks via connected devices. If you’ve just installed cameras, building systems, fridges – anything connected – make sure you’ve changed default passwords. Worth doing a quick audit.

You’ll all be aware of QR codes, which have come back into vogue during the pandemic. They often take you straight to a website, which is convenient, unless it’s a nefarious site. There have been reports of stickers being used, for example on parking meters (… pay here …) so the FBI have just released a number of pieces of sound advice. It includes checking that the site you land on looks authentic and has a valid URL; avoiding stickers; not downloading software via QR codes; being very careful about providing personal info via these codes, and avoiding bank payments altogether; and using your phone’s inbuilt QR scanner rather than a downloaded QR app.

There is an increasing amount of Excel-based malware circulating at the moment on emails. When the file is opened, the malware automatically downloads. An example is below. It often comes from sources that you might trust, because they look like companies you’re doing business with: but you’ll spot that the email address doesn’t tally.

 4)    log4j


Those of you in IT will know all about log4j, a utility that is embedded in lots of systems and which is now vulnerable to hackers. An update: the number of scans appears to have fallen back now, although of course this may be because activity is better targeted and some systems have already been compromised. In general terms, the advice has always been around patching/ updating, but a particular vulnerability seems to be VMWare Horizon servers which are exposed to the internet. The company are reporting that tens of thousands of installations remain exposed to potential attacks.
 
 

5)    Data breaches


Breaches of personal data were less noteworthy over the last month, with just two that we thought worthy of mention. As always, if you’re breached, beware of contact purporting to be from the company concerned. If your password was breached, make sure you don’t use the same one on other sites, and implement two-factor authentication (google it, or ask us, if you don’t know).

Firstly, Twitter. 100,000 logins from ‘high follower’ accounts were leaked last month. It is suspected this may be a repeat leak of previous breaches, but on this occasion, and for the first time, the passwords have been released in plain text. And FlexBooker, an online appointment tool to schedule appointments and sync employee calendars, has become victim of a significant data breach impacting on 3.7 million records. It includes email addresses, full names, and phone numbers.

Do you need a Cyber Plumber?

With thanks to PGI International, one of our Trusted Partners.


How much data is your organisation leaking without realising it?


Imagine you’ve forgotten your password. You’ve tried a couple of different variations of passwords you often use (we’ll talk about your password hygiene later) and neither of them work—the system or website you’re using comes back with: ‘Password incorrect for this account’ each time. That’s good to know, right?

So, you click the trusty ‘Forgot my password’ link and it takes you to a new page to enter your email address. On entering, the status comes back as ‘A password reset email is on its way’. Brilliant, you can now change the password.

But wait, in the battle of ‘user experience’ versus ‘security’, this system or website has now told anyone who put your email address in that you have an account. At that point, they could try to brute force the password or perhaps they already found your login details from another website on the dark web and they will just try that combination.

Of course, this is often fairly harmless (especially if you have good password hygiene), but what if an association with that website or platform wasn’t so harmless—let’s take the Ashley Madison example from a few years ago; whether it’s a malicious actor or not, just knowing that an account exists is more information than they should have, because the context is just as much of a problem as the actual leaking of information.
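The leak described above, shown as an added example that is not part of the original article: login and reset handlers whose replies reveal whether an account exists, beside versions that answer the same way for any address, and a small check that tells the two apart. The user store, the function names and the wording for an unknown address are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _record(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample store with one registered account (an assumption).
USERS = {"alice@example.com": _record("correct horse")}
# Stand-in record so an unknown address costs the same hashing work.
_DUMMY = _record("placeholder")

def leaky_login(email, password):
    if email not in USERS:
        return "No account found for this email"  # assumed wording
    salt, stored = USERS[email]
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return "Password incorrect for this account"
    return "Welcome"

def leaky_reset(email):
    if email in USERS:
        return "A password reset email is on its way"
    return "No account found for this email"  # assumed wording

def safe_login(email, password):
    salt, stored = USERS.get(email, _DUMMY)
    matches = hmac.compare_digest(stored, _hash(password, salt))
    if matches and email in USERS:
        return "Welcome"
    return "Email or password incorrect"

def safe_reset(email, outbox):
    if email in USERS:
        outbox.append(email)  # the reset link goes only to a real account
    return "If that address has an account, a reset email is on its way"

def reveals_account(handler, known, unknown):
    """True when the reply differs between a real and an unknown address."""
    return handler(known) != handler(unknown)
```

Matching the wording is only part of the fix: response time and the sign-up form ("this email is already registered") can give away the same fact and need the same treatment.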

Fixing the leak


The first step in fixing this type of accidental data leakage (i.e. technical) to protect your customers (and by extension your own operations, reputation and bottom line), is identifying the holes. 

Security testing will help you achieve this, specifically penetration testing. While a vulnerability assessment may identify a problem, what an automated scan cannot do is provide context. A human can identify a security failing and has the capacity to apply context to be able to understand if this implies a problem. This is the sort of awareness that a computer is unable to provide, and why humans are part of an effective penetration test. 

An example of this is a Penetration Tester testing for business logic flaws as part of a web application test. So, business logic requires both an understanding of the technology and of its wider context; i.e. someone knowing that you have an account with Sainsbury’s is fairly low risk, whereas someone knowing you have an account with a more ‘discreet’ website may be problematic. It’s a bit like knowing that technically a tomato is a fruit, but it doesn’t really work in a fruit salad.

In combination with testing for business logic flaws, Security Consultants will likely follow the OWASP (Open Web Application Security Project) Top 10 – an industry standard checklist that represents what are broadly considered to be the most critical security risks to web applications.

We’re the cyber plumbers you didn’t realise you needed


Like the pipe with a slow drip that seems to be impacting your water bill, sometimes data leakage can go unnoticed for a long time or until it’s too late. Our specialist Security Consultants can conduct a penetration test on your internal- and external-facing websites and other systems to ensure no data is finding its way into the hands of people who shouldn’t have it. Contact PGI to talk about how we can help you fix those leaks: sales@pgitl.com or 0845 600 4403

Dates for your diary


Feb 24th 2022, 10am

Simplifying Cyber - top tips for doing business securely in 2022

Hot topics and myth-busting with Chris Thomas of TechB, a webinar being hosted by the South West Growth Hub.

Register HERE.

Feb 22 - 23 2022, London



Join us this 22-23 February in London for the European Ransomware Resilience Summit, where cybersecurity expert advisors from the likes of Palo Alto, BUPA, Aston Martin, Mandiant and Europol will come together to discuss how to spot and respond to potential ransomware attacks early on, how to detect the latest techniques and inner workings of ransomware gangs and benchmark your cybersecurity hygiene standards to prevent future attacks.

Will you be joining us? Secure your place now.

Check out our full agenda here.