UK Government Cyber Essentials Scheme

https://www.cyberessentials.ncsc.gov.uk/

The government says Cyber Essentials helps your business to guard against the most common cyber threats and demonstrate your commitment to cyber security

Self-Help for Cyber Essentials

The guide explains how to:

  • Secure your Internet connection
  • Secure your devices and software
  • Control access to your data and services
  • Protect from viruses and other malware
  • Keep your devices and software up to date

The Three levels of Engagement

Not everyone has the time or resources needed to develop a full-on cyber security system. So we’ve designed Cyber Essentials has been designed to fit with whatever level of commitment you are able to sustain. There are three levels of engagement:

  1. The simplest is to familiarise yourself with cyber security terminology, gaining enough knowledge to begin securing your IT.
  2. Basic Cyber Essentials certification.
  3. Cyber Essentials Plus certification.

1.     Self Help

The self-assessment option gives you protection against a wide variety of the most common cyber attacks. This is important because vulnerability to simple attacks can mark you out as target for more in-depth unwanted attention from cyber criminals and others.

2.     Certified Cyber Security

Cyber Essentials Certificate £300 approx. (+VAT)

Certification gives you peace of mind that your defences will protect against the vast majority of common cyber attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.

In the process of obtaining Cyber Essentials Certification is simple, you can opt to buy as much or as little help as you need from the company you choose to certify you.

Cyber Essentials shows you how to address those basics and prevent the most common attacks.

  • Reassure customers that you are working to secure your IT against cyber attack
  • Attract new business with the promise you have cyber security measures in place
  • You have a clear picture of your organisation’s cyber security level
  • Some Government contracts require Cyber Essentials certification

3.     Cyber Essentials Plus Certificate

The cost for this is only available on application.

It has all the benefits of Cyber Essentials PLUS your cyber security is verified by independent experts.

Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. The advice is designed to prevent these attacks.

Cyber Essentials Plus still has the Cyber Essentials trademark simplicity of approach, and the protections you need to put in place are the same, but this time the verification of your cyber security is carried out independently by your Certification Body.

The more rigorous nature of the certification may mean you need to buy additional support from your Certification Body.

Cyber Essentials and Government Contracts

If you would like to bid for central government contracts which involve handling sensitive and personal information or the provision of certain technical products and services, you will require Cyber Essentials Certification.

Fightback Ninja Signature

 

Are Your Phone APPS Tracking You

A surprising number of smartphone APPS ask on installation for permission to access your location.  For APPS such as the Automobile Association or Google Maps or Local weather or Find a Restaurant this makes sense but many APPS want to track your location for their own benefit – not yours.

Carnegie Mellon University carried out a study on Android phones. The researchers followed 23 Android phone owners for three weeks. In the first week, they were asked to use their apps as they normally would. In the second week, the participants used an app called App Ops to monitor and manage the data those apps were using. In the third week, the research team introduced a “privacy nudge” alert that would ping the participants each time an app requested location data.

The title of the study is: Your Location Has Been Shared 5,398 Times! A Field Study on Mobile App Privacy Nudging.

You can see what level of problem there is.

Why do APPS access your location so often? Quite often, the answer is Marketing – the APP transmits your location regularly back to base where it’s sent to one or more advert networks so they can track where you visit and try to fashion appropriate adverts to be shown on your device.

Apparently, the free APPS are the worst for this behaviour. You can see they need to make money and one way is to sell that user data including location.

Take Control of Your Device

If you want to know exactly what an app is allowed to track on your Android phone, open the Settings app then go to Apps & notifications, choose an app, and select Permissions. Over on iOS, launch the Settings app then pick an app to see the permissions it has. Most of these permissions can be revoked with a toggle switch on both Android and iOS.

On both Android and IOS you can disable location altogether, but that may be overkill as it is useful in some APPS.

Be aware of which APPS track your location and if you cannot see why one needs your location then consider deleting the APP and replacing it.

Fightback Ninja Signature

 

Regulator to Protect Victims of Payment Scams

Authorised Push Payment (APP) scams are where people are conned into authorising their bank to make payment to a fraudster.

The Payments Systems Regulator (PSR) is planning for new protections for consumers, from APP scams, to be in place from September 2018, as an industry code.

The Regulator ran a consultation from November 2017 to January 2018, to give people the opportunity to provide feedback on the regulator’s plans. It gathered opinions from the payments industry, consumer groups and individuals to make sure the PSR could understand how best to protect people from APP scams.

The Changes

Once the industry code is in place, it will be publicly consulted on, for refinement in early 2019 and the regulator expects that it will continue to evolve to ensure preventative measures are kept up to date.

The PSR is also bringing consumer and industry representatives together to establish a dedicated steering group. Led by an independent chair appointed by the PSR, the group will ensure the contingent reimbursement model is designed in the best way to minimise the number of scams in the future and protect victims of scams.

Paul Smith, Head of Policy at the PSR, said:

“This is about making a positive difference for people to protect them from APP scams – where people are tricked into sending money to a fraudster. The banks have already made some changes but, from September 2018, this industry code will see better protections available to everyone.  We expect the code to evolve over time to make sure methods of preventing APP scams are up to date.”

“This is a complex piece of work and we have set a challenging timeline, but it is essential we see, as soon as possible, a model that is effective in protecting people.”

Good progress by the regulator.

Do leave a comment on this post – click on the post title then scroll down to leave your comment.

Fightback Ninja Signature

MyFitnessPal Data Stolen

Sportswear brand Under Armour announced that its subsidiary MyFitnessPal suffered a significant data beach, compromising up to 150 million accounts.

The account information involved includes user names, email addresses and hashed passwords, but no financial information such as credit card numbers or identifiers such as social security numbers.

The breach has not exposed particularly sensitive user data, but it does affect a huge number of users and this has caused Under Armour’s stock to drop 4 percent. The breach occurred in February but was only identified in March. The company has been working to notify affected users and is expected to work with the police and data security firms to trace the source of the breach.

“Four days after learning of the issue, the company began notifying the MyFitnessPal community via email and through in-app messaging. The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information,” Under Armour said in a statement. “The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.”

In this case, the data storage was robust and the hackers have 150 million email addresses to sell but there’s little else they can do with the data.

If you are a registered user of MyFitnessPal – change your password immediately and if any of your other accounts have the same login and password then change them as well as hackers will try to find other accounts in your name.

Users of MyFitnessPal should be wary of emails in the coming weeks as there are likely to be scam messages and in particular may be messages that appear to be from MyFitnessPal but are from scammers.

Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.

Fightback Ninja Signature

Scammers Targeting Elderly Are Caught

A Canadian con man who was caught on video bragging about stealing from the elderly was among 200 people charged by US Authorities with defrauding seniors.

Andrew John Thomas boasted about his sweepstakes scheme at a 2016 conference for postal scammers in Whistler, British Columbia, authorities said.

“My ability to whore my beautiful talent to sell this s— to people who don’t need it. It’s hard to be, it’s hard to be proud of it, but well I’m good at it.” said Thomas.

Authorities say Thomas masterminded the swindle of more than $4.5 million annually by duping senior citizens into believing they had won large sums of money. He targeting elderly Americans typically notifiying them via mail that they’d won a sweepstakes prize and all they needed to do to claim it was to pay a processing fee and money for taxes.

The mailings instructed recipients to return a response card with a processing fee in order to accept the bogus winnings. They received no money — only more solicitations. While many stopped sending money after realizing they had been duped, others continued to do so in hopes of claiming the prize.

U.S. law enforcement officials  announced what they labelled as the largest ever fraud enforcement action involving elderly Americans, charging more than 200 people and bringing civil actions against dozens more.

Agents from the U.S. Postal Inspection Service, (the enforcement arm of the U.S. Postal Service), executed search warrants at 14 locations that some of the same fraudsters have run for years.

Officers from the Vancouver Police Department in Canada served dozens of search warrants as part of the enforcement action.

This was a clearly a well organised and effective take-down of a lot of scammers by co-ordinated action between US agencies and the Canadian Police.

Do leave a comment on this post – click on the post title then scroll down to leave your comment.

Fightback Ninja Signature