Category: The Authorities

The UK Gov Cyber Essentials Scheme

https://www.cyberessentials.ncsc.gov.uk/

The government says Cyber Essentials helps your business guard against the most common cyber threats and demonstrate your commitment to cyber security.

Self-Help for Cyber Essentials

The guide explains how to:

  • Secure your Internet connection
  • Secure your devices and software
  • Control access to your data and services
  • Protect from viruses and other malware
  • Keep your devices and software up to date

The Three levels of engagement

Not everyone has the time or resources needed to develop a full-on cyber security system, so Cyber Essentials has been designed to fit with whatever level of commitment you are able to sustain. There are three levels of engagement:

  1. The simplest is to familiarise yourself with cyber security terminology, gaining enough knowledge to begin securing your IT.
  2. Basic Cyber Essentials certification.
  3. Cyber Essentials Plus certification.

1. Self Help

The self-assessment option gives you protection against a wide variety of the most common cyber attacks. This is important because vulnerability to simple attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others.

2. Certified Cyber Security

Cyber Essentials Certificate £300 approx. (+VAT)

Certification gives you peace of mind that your defences will protect against the vast majority of common cyber attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.

The process of obtaining Cyber Essentials Certification is simple: you can opt to buy as much or as little help as you need from the company you choose to certify you.

Cyber Essentials shows you how to address the basics and prevent the most common attacks. Certification also lets you:

  • Reassure customers that you are working to secure your IT against cyber attack
  • Attract new business with the promise that you have cyber security measures in place
  • Gain a clear picture of your organisation’s cyber security level
  • Bid for the Government contracts that require Cyber Essentials certification

3. Cyber Essentials Plus Certificate

The cost for this is only available on application.

It has all the benefits of Cyber Essentials PLUS your cyber security is verified by independent experts.

Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. The advice is designed to prevent these attacks.

Cyber Essentials Plus still has the Cyber Essentials trademark simplicity of approach, and the protections you need to put in place are the same, but this time the verification of your cyber security is carried out independently by your Certification Body.

The more rigorous nature of the certification may mean you need to buy additional support from your Certification Body.

Cyber Essentials and Government Contracts

If you would like to bid for central government contracts which involve handling sensitive and personal information or the provision of certain technical products and services, you will require Cyber Essentials Certification.


Phone-Paid Services Authority

https://psauthority.org.uk/

The Phone-Paid Services Authority is the UK regulator for content, goods and services charged to a phone bill.

Phone-paid services are the goods and services that you can buy by charging the cost to your phone bill or pre-pay account. They include directory enquiries, voting on TV talent shows, donating to charity by text, joke lines, chat lines, games or downloading apps on your mobile phone. They are referred to as premium rate services in law.

UK regulation is open, fair and robust, underpinned by a Code of Practice approved by Ofcom.

As the telecoms, internet and payments sectors continue to grow globally at an unprecedented rate, the Phone-paid Services Authority takes action to safeguard consumers and help cutting-edge providers of digital content and services to thrive.

Their vision is a healthy and innovative market in which consumers can charge content, goods and services to their phone bill with confidence.

The Mission of the Phone-Paid Services Authority

To protect consumers from harm in the market, including where necessary through robust enforcement of our Code of Practice and to further their interests through encouraging competition, innovation and growth in the market.

They seek to do this through:

  • Providing clarity about the market for content, goods and services charged to a phone bill
  • Applying an outcomes-based Code of Practice
  • Delivering a balanced approach to regulation
  • Working in partnership with Government and other regulators
  • Delivering high standards of organisational support.

What are Phone-Paid Services and How Do They Charge You?

Phone-paid services is a generic name for goods and services that you purchase and are charged to your telephone bill or pay-as-you-go credit. Here are some examples of phone-paid services:

  • Quizzes and competitions
  • Voting (e.g. X-Factor, Britain’s Got Talent, Strictly Come Dancing)
  • Charity donations (one-off donations or subscriptions)
  • Digital content (e.g. apps, in-app purchases, digital media, one-off purchases or subscriptions)
  • Directory enquiries (e.g. 118 numbers)
  • Adult services (e.g. chat, dating)
  • Gambling

The job of the Phone-Paid Services Authority is to look after the industry and ensure people are not cheated. But it’s everyone’s responsibility to behave sensibly, and that includes not downloading unsafe apps, checking all payments and not handing over confidential information to unknown people or apps.


UK Gov Cyber Essentials 10 Step Plan

This is a summary of the UK Government 10 step plan for Cyber Essentials, which is designed for organisations looking to protect themselves in cyberspace.

1. Risk Management

Embed an appropriate risk management regime across the organisation. This should be supported by an empowered governance structure, which is actively supported by the board and senior managers. These should aim to ensure that all employees, contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries.

2. Secure Configuration

Identifying baseline technology builds and processes for ensuring configuration management can greatly improve the security of systems. Develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities.

3. Network Security

The connections from your networks to the Internet, and to other partner networks, expose your systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, you can reduce the chances of these attacks succeeding. Your organisation’s use of mobile or remote working, and of cloud services, makes defining a fixed network boundary difficult.

4. Managing User Privileges

All users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed.

5. User Education and Awareness

It’s important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. This can be supported by a systematic delivery of awareness programmes and training that deliver security expertise as well as helping to establish a security-conscious culture.

6. Incident Management

Invest in establishing effective incident management policies and processes to help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact.

7. Malware Prevention

Malicious software, or malware, is an umbrella term covering any code or content that could have a malicious, undesirable impact on systems. The risk may be reduced by developing and implementing appropriate anti-malware policies as part of an overall ‘defence in depth’ approach.

8. Monitoring

System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies.

9. Removable Media Controls

Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data. You should be clear about the business need to use removable media and apply appropriate security controls to its use.

10. Home and Mobile Working

Mobile working and remote system access offer great benefits, but expose new risks that need to be managed. You should establish risk-based policies and procedures that support mobile working or remote access to systems and that apply to users as well as service providers.

https://www.ncsc.gov.uk/guidance/10-steps-cyber-security has further information.


UK Gov Phishing Attacks

A phishing attack is when criminals create fake websites that look like well-known websites, such as those of Marks and Spencer, HMRC or British Gas, and use the fake websites to get your confidential information.

Top 10 Government ‘Brands’

Brand                              Phishing sites   Attack groups   Availability (hours)
HM Revenue & Customs                       16,064           2,466                     10
Gov.uk                                      1,541             241                     15
TV Licensing                                  172              93                      5
DVLA                                          107              53                     11
Government Gateway                             46              22                      6
Crown Prosecution Service                      43              26                     15
Student Loans Company                          19              11                     17
Student Finance Direct                         13               3                      3
British Broadcasting Corporation                8               7                     35

Phishing

When a phishing site is identified that is pretending to be a UK government brand, the hosting provider is asked to take the site down. While some government departments do their own brand protection, most don’t, and it is simpler and cheaper for this to be done centrally.

Example of a phishing site impersonating HMRC

The domain name that’s been used is onlinehmrctax @ gov.co.uk. That’s intended to deceive the user into thinking this is a real HMRC site. Not all phishing sites use domains like this; many are hosted in areas of legitimate sites that have been compromised by the criminal. Phishing sites are also automatically added to a number of industry safe browsing lists that are consumed by the major browsers, so even if the hosting provider doesn’t respond, or it takes a long time for the site to be removed, users of modern browsers with the default security settings are protected anyway.

The availability of an attack is the total amount of time the phishing site is available, from when the Netcraft service first becomes aware of the attack through to when it is finally taken down. This accounts for the times when an attack is reinstated by the criminal after first being taken down by the provider, which can happen multiple times in some cases. It is also often the case that a single attack can involve multiple spoof sites hosted on the same server. If there are many phishing URLs in a single attack, they can easily skew statistics through the responsiveness (or otherwise) of the hosting provider. Given a group of attacks that are all hosted on the same ‘server’, we group these together, taking the longest time any one of them is available as the availability for that group.
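The availability and grouping rules described above, worked through as an added Python example; this is not code from the original post or from the NCSC/Netcraft takedown service, and the records, server addresses and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample takedown records (not real data). Each phishing URL
# records the server it was hosted on and a chronological event list:
# "up" = first seen by the service or reinstated, "down" = taken down.
SAMPLE_RECORDS = [
    {"url": "http://example-a.test/hmrc/refund", "server": "192.0.2.10",
     "events": [("up", "2017-03-01T08:00"), ("down", "2017-03-01T14:00"),
                ("up", "2017-03-02T09:00"), ("down", "2017-03-02T12:00")]},
    {"url": "http://example-a.test/hmrc/login", "server": "192.0.2.10",
     "events": [("up", "2017-03-01T08:00"), ("down", "2017-03-01T10:00")]},
    {"url": "http://example-b.test/gov-uk/", "server": "198.51.100.7",
     "events": [("up", "2017-03-05T00:00"), ("down", "2017-03-05T05:00")]},
    {"url": "http://example-c.test/dvla/", "server": "203.0.113.9",
     "events": [("up", "2017-03-06T00:00")]},  # still live when measured
]


def url_availability_hours(events, as_of):
    """Hours from the first 'up' to the final 'down' (or to as_of if still live).

    Reinstatements fall inside that window, so they extend the measured
    availability rather than resetting it, matching the definition in the text.
    """
    first_seen = min(datetime.fromisoformat(t) for kind, t in events if kind == "up")
    last_kind, last_t = events[-1]
    end = datetime.fromisoformat(as_of if last_kind == "up" else last_t)
    return (end - first_seen).total_seconds() / 3600


def group_availability(records, as_of):
    """Group URLs by hosting server; a group's availability is the longest
    availability of any URL in it, so a server carrying many spoof URLs is
    counted once rather than once per URL."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["server"]].append(url_availability_hours(rec["events"], as_of))
    return {server: max(hours) for server, hours in groups.items()}


def summarise(records, as_of):
    """Return (number of sites, number of attack groups, mean group availability)."""
    per_group = group_availability(records, as_of)
    return len(records), len(per_group), sum(per_group.values()) / len(per_group)


if __name__ == "__main__":
    print(group_availability(SAMPLE_RECORDS, "2017-03-07T00:00"))
    print(summarise(SAMPLE_RECORDS, "2017-03-07T00:00"))
```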

Over the last calendar year, we’ve taken down 18,067 HMG-related phishing sites.

For comparison, in the previous 6 months the volume was 19,443 sites, also shown on the chart. It’s clear that we have performed fewer HMG-related phishing takedowns in 2017 and the trend is generally downward. Given how the service is driven, it’s reasonable to assume that it sees a relatively constant percentage of global phishing, and so this strongly suggests that there has been less HMG-related phishing this year than last.

However, it is very likely (in the opinion of the author) that this work has had a direct impact on the viability of criminal phishing targeting HMG brands, making them less lucrative and therefore less likely to be used.

It’s obvious from the table that the vast majority of HMG-related phishing attacks continue to use the HMRC brand. That’s unsurprising given that most adults have a relationship with them and everyone would welcome a tax refund.


Scammer Targeting The Elderly Is Caught

A Canadian con man who was caught on video bragging about stealing from the elderly was among 200 people charged by US Authorities with defrauding seniors.

Andrew John Thomas boasted about his sweepstakes scheme at a conference for postal scammers in British Columbia.

“My ability to whore my beautiful talent to sell this s— to people who don’t need it. It’s hard to be, it’s hard to be proud of it, but well I’m good at it.” said Thomas.

Authorities say Thomas masterminded the swindle of more than $4.5 million annually by duping senior citizens into believing they had won large sums of money. He targeted elderly Americans typically notifying them via mail that they’d won a sweepstakes prize and all they needed to do to claim it was to pay a processing fee and money for taxes.

The mailings instructed recipients to return a response card with a processing fee in order to accept the bogus winnings. They received no money — only more solicitations. While many stopped sending money after realizing they had been duped, others continued to do so in hopes of claiming the prize.

U.S. law enforcement officials announced what they labelled as the largest ever fraud enforcement action involving elderly Americans, charging more than 200 people and bringing civil actions against dozens more.

Agents from the U.S. Postal Inspection Service, (the enforcement arm of the U.S. Postal Service), executed search warrants at 14 locations that some of the same fraudsters have run for years.

Officers from the Vancouver Police Department in Canada served dozens of search warrants as part of the enforcement action.

This was clearly a well organised and effective take-down of a lot of scammers by co-ordinated action between US agencies and the Canadian Police.


Police Report Common Phone Scams

The National Fraud Bureau reports that the most common phone scams are:

  1. False reports of a problem with your computer or device
  2. A fake fraud investigation
  3. An investment opportunity

Number 1 is better known as the Microsoft Support scam as most of the scammers cold call random people, pretending to be from Microsoft Support and warning of a severe computer problem. They offer to fix it and to do so they need access to your computer and will charge a fee for their time or for some software they supposedly have to install.

Since these scams became commonplace, most people know to put the phone down on any such call. A message to the same effect (you have a computer problem – call …) may pop up when you are on a new website and it will exhort you to phone a specified phone number – this will be to a scam call centre so do not call it.

Number 2 is the fake fraud investigation which can take many forms with the scammer pretending to be from your bank or the government or the Police etc. Usually, they warn you that your bank account has been hacked and they will assist you to save your remaining money – i.e. by taking it away from you. Any such callers should be ignored but if you want to check with your bank then use a different phone to call your bank on a known number.

Number 3 is scammers offering investments that have zero risk and give guaranteed returns. Such investments are always fake, and you should seek expert advice before making any investment.

Anything that looks too good to be true is almost certainly a scam.

Stay safe.

If you have any experiences with these scams do let me know, by email.
