The latest news from SWCRC

Welcome to our latest edition of the SWCRC newsletter. If the budget was bad or the deliveries are still stuck somewhere, consider us a high point in your week.

This note aims to keep you safer, and wealthier. Cybercrime costs people money, but if you read and avoid the latest warnings, you’re a lot less likely to fall victim. So in that vein, we are offering once again the most recent news on scams, vulnerabilities, trends and training, to help you and your team to be more cyber resilient. Also in this edition, we’re setting out an interesting case study about how to avoid falling victim, and sharing a thought-provoking perspective from one of our trusted partners, about how training contributes to your security. And finally, we’re providing details of a national ransomware summit next year, at which SWCRC has been invited to be an informed contributor. Our members can access a discount, so if you want to learn more and see us in action, details are attached.


Stay safe, and if you need us, please don’t hesitate to get in touch. 


Mark Moore, Director, SWCRC 

Monthly threat assessment

Welcome to this month’s list of things to do, things not to do, and things just to be aware of. First up, we wanted to flag the National Cyber Security Centre’s new online training for small businesses, which works as standalone e-learning or can be incorporated into your company platform. It takes about half an hour to complete and is a very good guide to many aspects of cyber security in the workplace. Since 85% of breaches are down to human factors, we hugely recommend that you put your teams through it, and take a look yourself too.  

We often say this: one of the best and quickest ways to get safer is to turn on two-factor authentication, which means that a breached password alone won’t let a cyber criminal into your account. Only 20% of Microsoft enterprise customers enable so-called 2fa, and Microsoft have recently gone even further and allow you to dispense with a password altogether. See here for details. And while you’re at it, follow this guide and do the same with your Google account? Google regularly scans clients who are being targeted and sends them alerts advising them to do so. Get in beforehand, and avoid the risk.

Did you update your systems recently? Microsoft released over 70 patches this month, covering Office, Exchange and Edge products. Apple has also released critical updates for iphone and ipad. But if you’re a system administrator, you also need to be updating windows powershell, which at present requires manual updating. Powershell is a product which facilitates system management, and if you’re a small business you may not have it. But if you do, you need to update to the latest version to deal with a recently-identified vulnerability, which you can do via the Microsoft store. Details here.

Have you installed VLC to play your media? It’s just been discovered that over the last year, on some unofficial sites, this has been bundled with malware called BazarLoader, which can be used to deploy ransomware and to steal sensitive data. If this could affect you, we advise running a malware scan of your system, and only downloading via the site of the authorised publisher, Videolan. 

Securing your mobile devices

Two things to look out for this month. First one for those with Apple phones. The ‘find my’ phone function is being used to compromise devices. Normally, when you put your phone into lost mode, it really only has parts value. But many people also use this function to display contact details on the phone, so the finder can get in touch. Recently, one such person received a text message on their work mobile, purportedly from Apple Support, advising that their phone had been found, and asking them to log on to iCloud via a fake link to get more details. If they’d done so, the thief would have had a fully functional iphone, and access to all of their accounts.

The second issue affects Android phones, and has used over 200 different apps to spread – including one, called Handy Translator Pro, which amassed over 500,000 downloads. After downloading one of the products, users are sent a number of alerts which tell them they’ve won a free gift, and they’re directed to a webpage that requests their phone number for verification. If they do so, they’re actually subscribing for a premium SMS service that would cost around £30 per month; and over 10 million users are estimated to have been infected so far. Be aware: don’t give your details, and uninstall anything that looks suspicious.
 
Breaches this month

A few breaches to be aware of. As ever, if you’re affected, beware of unsolicited approaches purporting to be from the companies concerned. If a password was compromised, change it, and if you’ve re-used the same password on another site (surely not), change it there too. Also, as above: turn on two-factor authentication wherever you can, so that a breached password alone doesn’t let others into your accounts.

Brewdog have exposed details of 200,000 shareholders and customers. Data includes names, dates of birth, email addresses, gender, previous delivery addresses, phone numbers, and details of any share holdings.  

FarFaria, an online platform which provides children’s stories, has exposed data of 3 million users through an insecure database. It’s unclear whether this was fixed before anyone took advantange. The data included IP addresses, email addresses, and authentication tokens.

A schools marketing company with a misconfigured website may well have exposed usernames, passwords and email addresses for over one million school staff. The ICO have been made aware and the provider is currently claiming that information has not been compromised. This may become clearer in coming days, but we think you’d want to be forewarned.

Thingiverse, a design sharing site, has reportedly leaked details of 228,000 users. Data includes IP addresses, full names, dates of birth, usernames, and physical addresses.

Trends in cyber

A quick summary of some recent headlines and reports which might be interesting.

An interesting report on password psychology suggested that 92% of people know that it’s a risk to re-use the same or similar password across sites, but 65% do it anyway. If that’s you, your SWCRC intro pack includes tips on better ways, or drop us a line and we can chat. Also, less than half of people think it’s their email account that needs a stronger password. (It’s your most important account).

Google’s Virustotal ransomware report showed that 95% of ransomware affected Windows, with 2% affecting Android. Whether this is because Apple are safer or simply less widely-used, we couldn’t say, but it’s notable that there were still over a million breaches on Apple systems.

Cybercriminals often used to claim that they wouldn’t target infrastructure that might harm people in real life. In Israel this month, a group called DeepBlueMagic directly targeted a medical centre, causing the cancellation of surgery. Worth being aware that no-one seems to be off-limits.

And looking forwards: some of our national partners are anticipating trends for the next year, and expecting that phishing and stolen credentials will remain the main attack vector.

Two answers: good password hygiene, and not clicking on links. Expect us to be saying that lots in future newsletters.
Information Security Awareness Vs Information Security Appreciation

Now we all should be very aware about Cyber Security, right? We currently live, breath and digest everything that’s digital, consuming and creating data on platforms and systems at a speed that for many businesses is the only thing keeping them afloat. It was “relatively” easy before the pandemic, for most we kind of knew where our ‘stuff’ was, our assets were here, our servers were over there, I can almost follow my data… but now, not so much. We work with people we may never see; the IT department issues equipment it may never physically touch anymore; the business model has changed and for many this is the new normal.

Whilst this operating model has changed, fundamentally the risk from that dreaded phrase ‘Information Security hasn’t, all that has happened is the risk has got bigger, the footprint of the business has got bigger, therefore the data has altogether got significantly bigger. So, what do we need to do? We need to identify these risks and ultimately decide on what to do with them. One area that should be at the top of that list, is us, the people, because all services interact with us at some point. Normally what do we do? We get them some awareness training, watch some videos, have a go at spotting a basic phishing email. Do they really know why? Probably not, but it meets a tick box somewhere, we can move that risk from ‘High’ to ‘Low’.

But and it’s a big but… our staff work in sales, they work in finance, they work in marketing, they work in a plethora of different departments interacting much more with technology… Do you know where they don’t work??? We shouldn’t expect them to know everything about cyber security. So why do we insist on thinking that sending them a generic phishing email on a Friday afternoon is going to turn them into Cyber Professionals? We want our staff to drive our business, the salespeople need to answer sales enquiries that’s what we employ them for. It used to be quite easy to spot a phishing email… bad grammar, bad spelling, etc.. attackers are far more advanced now… they use spellcheck for start. Creating a convincing phishing email with a malicious attachment that an unfortunate sales employee will open isn’t hard anymore and they will click on them, why because we want them to do their job. Security Awareness just doesn’t do enough anymore, as we said they are not cyber professionals, they don’t know the latest techniques, they don’t know the latest threats, and this is where the business must really step in. They must appreciate information security and understand the full implications of what this really means.

We must look at stopping the phishing email from even getting into the salesperson’s inbox, and if it does prevent it from doing anything malicious. We need security ambassadors, security champions who understand the latest techniques, who understand the latest threats who can be an extension of the security team who speak the same language as those they are interacting with. We need to create a community defence, so the company is excited about cyber security or at least appreciate the importance of their role. The culture of the organisation needs to create trust and transparency, so when an employee clicks on the link, and they will, its fully reported and all necessary actions are completed. There must be the appreciation that Cyber Security is not an optional extra, but one of a necessity to compete in the new digital world.

Ben Franklin

Chief Technology Officer

BluescreenIT

(The opinions expressed in this article are the authors own and do not reflect the view of BluescreenIT Limited).
Hackers responsible for a cyber attack on Scotland's environmental watchdog tried to sabotage efforts to fix the problem

 
The Scottish Environment Protection Agency (Sepa) have publicised they had more than 4,000 digital files stolen in a cyber attack on Christmas Eve last year, planned no doubt to blunt the response times. The hackers then tried to sabotage efforts to fix the system. It has also been revealed Sepa's cyber incident response plan was inaccessible during the incident as it was stored on the servers affected by the attack and there was no offline version or hard copy available, according to independent consultants Azets. Staff initially responded to the attack at about 00:01 on 24 December but attempts to escalate the problem to other Sepa officials were not successful until about 08:00.

The hackers made attempts to compromise Sepa systems as the team endeavoured to recover and restore back-ups, a separate review found.

Sepa rejected a ransom demand for the attack, which was claimed by the Conti ransomware group, and the stolen files were then released on the internet.

Sepa has restored the majority of its key services and is now building new IT systems to run them.

Sepa were keen to publicisce their review so as many organisations as possible were able to use their experience to better protect themselves from cybercrime.

Police Scotland were consistently clear that Sepa was not and is not a poorly protected organisation. They had a strong culture of resilience, governance, incident and emergency management and worked effectively with Police Scotland and others. Recent attacks against Sepa, the Irish Health Service and wider public, private and third sector organisations are a reminder of the growing threat of international cyber-crime and that no system can be 100% secure.

 
Firstly Sepa should be congratulated for sharing this so like them we can all learn from their experience.

 
What is the learning to be derived from this attack?

 
  • Hackers may well seek to exploit a vulnerable time to attack systems such as in this case Christmas Eve when they could expect fewer members of staff on duty and therefore an immediate response to minimise the attack is likely to take longer.
  • Forming an Incident Response Team who can function if necessary out of hours. This cuts down the time that systems are at risk.
  • Your Recovery plan must be held remotely, in this study they were on the same servers that were attacked and therefore not available.
  • You must expect further attempts by the hackers seeking to sabotage attempts to minimise the damage they cause.
  • No system is 100% secure so you must have remote, recent system backups to enable your business to continue to function, if you are subject of a cyber attack.
Welcome Bamboo on board!

We're delighted to welcome Bamboo as our third Board member. Bamboo Technology Group Ltd (Bamboo) is a leading provider of connectivity, data, and cyber resilient IT solutions. Centrally located in the heart of the growing cyber community in Cheltenham the company has over 20 years’ experience working with SMEs and small corporates in highly regulated markets. The company mission is to shape and develop business futures and people’s lives by realising the full potential of ICT.
 
Lorrin White, CEO states “The technology landscape is constantly evolving, as is the continued threat of digital attack to operations. The Bamboo team have a thorough understanding of the digital threat and mitigation landscape and are already working with clients in Healthcare, Education, Justice and Professional Services sectors to advance their digital maturity plans.
 
Smaller companies are often left to fend for themselves, not always having the resources available to meet legal or regulatory compliance. Digital footprints are expanding, and the small business sector is no exception. We want to help keep our local economy on the front foot and able to confidently manage this risk. We see a huge amount of value in the free membership and education that is offered by SWCRC and want to use our own expertise to help support the growing base of micro-businesses in the Southwest. As a recognised regional business, we have the knowledge and connections to help, and we are looking forward to joining the board and directly contributing to and supporting the education and development effort.”

Dates for your diary


Feb 22 - 23 2022, London

.

Ransomware attacks have surged 311% in the past year with a business now being attacked every 11 seconds. From crippling the Irish healthcare system and shutting down 45% of the eastern United States’ fuel supply to stopping manufacturing and production lines globally, attacks are hitting hard.

Ransom demands have surpassed £50 million, and the average cost of recovery is around 10 times the size of the ransom demanded. The 2022 Ransomware Resilience Summit Europe will bring organisations and their expert advisors together to benchmark resilience and business continuity planning, share lessons learned and enable businesses to better protect themselves.

Are you fully confident in your organisation’s ability to detect and defend against a ransomware attack?

Join us alongside leading cybersecurity experts from Europol, Trainline, HMRC, Aston Martin and Barclays to learn how to identify cybersecurity threats and ensure strong mitigation plans; determine internal roles and responsibilities; practice cybersecurity hygiene as an organisation; and apply lessons learned from past victims.

Download full agenda

With tickets starting at just £499, you could potentially save your business millions of pounds if you register today. Apply your exclusive discount code ‘SWCRC20’ at checkout to save an additional 20% on your ticket price.

Register now

For more event information click here.
For sponsorship opportunities, please contact Ellis at ellis.fordham@kisacoresearch.com
For more information on our USA Ransomware Resilience Summit click here.


News from the Regional Cyber Crime Unit