We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.
Please note that we’ve included links below to external websites. PCML Consultants are not responsible for the content of any external websites.
We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website.
This update includes General Compliance, Information Security & Business Continuity, Environment and Health & Safety
General Compliance
New tool for checking ISO certificates
The UK’s National Accreditation Body – UK Accreditation Service (UKAS) – have launched a centralised ISO Management System certificate search facility ‘Cert Check’. Previously; individual certification bodies provided their own search facilities that only listed certificates that they had issued which made validating suppliers’ clams to hold ISO Management System certifications quite onerous. The new UKAS facility brings all certificates issued by all UKAS-accredited certification bodies together on one search facility. This will greatly simplify the certificate-validation task. It can be searched by company or certificate number.
UKAS Cert Check https://www.ukas.com/resources/latest-news/ukas-launches-certcheck/
Information Security & Business Continuity
If you are an IT professional; these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.
Legislative changes
We are not aware of any recent legislative changes that directly affect Information Security, however the UK government published its response to consultation on its proposals to reform UK data protection laws on 23rd June ‘Data: a new direction – government response to consultation’.
Through its proposed new ‘Data Reform Bill’; the government intends to amend the Data Protection Act 2018 (DPA), Privacy and Electronic Communications Regulations (PECR) and the roles and structure of the Information Commissioner’s Office. It has stated that the aim of these amendments is to strengthen UK data protection standard while reducing burden on businesses and to modernise the Information Commissioner’s Office (ICO). The published response to consultation describes amendments to legislation that the government intends to bring forward as well as some proposed changes that will not be subject to legislation, such as codes of practice. We will publish a summary of those proposals shortly.
Other Updates
Microsoft
A few significant vulnerabilities have emerged since the last newsletter; however patches have been released for all of these. These serve as further reminders to ensure that they you effective and timely vulnerability and patch management strategies in place:-
Microsoft alerted users that the ‘Patch Tuesday’ released on 10th May was causing windows authentication failures on domain controllers. On 19th June, they announced that the patch had been patched and the issue resolved.
A strain of malware was identified that maintains a persistent presence on compromised Windows systems by creating hidden tasks via Windows Task Scheduler.
A zero-day vulnerability in the MS Support Diagnostic Tool (MSDT) was confirmed as being actively exploited. Nicknamed ‘Follina’ by the researcher who identified it; the vulnerability had been known about for some time but was not seen to be exploited until May where it was found in malicious Word documents spread through phishing emails. It was fixed on 30th May and the fix was included in June’s ‘Patch Tuesday’ roll-up.
Microsoft has been criticised for the time taken to fix some critical flaws in Azure, some of which persisted for months before Microsoft issued fixes.
On the positive side;
Microsoft has started to roll out Azure Active Directory security defaults to all customers who have not already enabled them. Secure defaults were first released in 2019 as a basic set of identity security mechanisms that today include Multi-Factor Authentication (MFA). Eligible users will be prompted to enable the security defaults, but they will be automatically enforced after 14 days if the users do not enable them manually. Microsoft claim this will help secure an additional 60 million users’ accounts. And it is introducing further security improvements for customers with Windows 10/11 Enterprise E3 or higher through its ‘Windows Autopatch’ service that is currently in public preview and is being rolled out through July. The service will automatically keep Windows and MS Office software up to date on enrolled endpoint devices. To minimise the risk of faulty patches causing disruption, the roll outs will be staggered, with 1% of endpoints (the ‘test ring’) receiving the updates first. If no issues are detected, it will roll out to a ‘fast ring’ comprising 9% of endpoints and finally to the ‘broad ring’ comprising the remaining 90% of endpoints. Rings are managed automatically to take in to account devices that are enrolled and unenrolled.
It is also rolling out the first of three Security as a Service (SECaaS) managed services that it plans to release in 2022. ‘Security Experts’ is effectively an outsourced service that analyses Microsoft Defender data for signs of online attacks and reports back to the customer with suggestions for remediation. A further service ‘Microsoft Defender Experts for Extended Detection and Response (XDR)’ will provide specific consultations e.g. to help resolve incidents. The final service ‘Microsoft Security Services for Enterprise’ offers to take on both overheads and combines threat hunting and extended detection and response. And GitHub (owned by Microsoft) announced that they will require all developers and other contributors to enable two factor authentication (2FA) by the end of 2023.
RIP Internet Explorer. After >25 years, Microsoft finally retired Internet Explorer on 15th June. And in April; Microsoft announced that it plans to enhance IE’s replacement, Edge, with a feature they have called ‘Microsoft Edge Secure Networking’, which appears to be a free VPN solution.
National Cyber Security Centre (NCSC)
The NCSC published updated guidance on enterprise device security in May. The guidance is aimed at manufacturers, but the changes are relevant to any user including moving away from traditional network security perimeters within which some devices may be trusted to a ‘zero trust’ approach for all devices, and using device health information as indicators to help identify when devices may have been compromised.
It also relaunched its cloud security guidance collection in the same month. This includes guidance on selecting cloud providers and evaluating different cloud service models.
In June it published advice and recommendations for reducing data exfiltration by malicious insiders that includes a simple flowchart to help visualise the decisions on where and when to apply technical controls.
Google
Google announced that it will expand its policy of allowing people to request removal of certain sensitive personally identifiable information (Pii) to allowing requests to remove other, less sensitive Pii, such as address information that might enable identity theft or other fraud. And it has taken steps to improve confidence in open source software dependencies by announcing a new service called ‘Assured Open Source Software’ that will go live later in the year. It will contain open source packages that Google will regularly vet and test for vulnerabilities. It will initially focus on Java and Python packages that Google themselves use, but will expand over time in response to customer demand.
It is also part of a consortium including Microsoft and Apple that is working toward a ‘passwordless future’ where simply unlocking your phone will unlock your online account, simplifying sign on across devices, websites and applications.
Atlassian
In early June; Atlassian advised that they had discovered a remote-code-execution flaw in the product that was being actively attacked. For a while they advised users to restrict or disable internet access to their Confluence collaboration tool. The vulnerability affected multiple versions. A patch was released within days. Users should ensure they have applied the patch.
Lenovo
Researchers identified vulnerabilities in UEFI firmware drivers on certain Lenovo laptops. Lenovo have published a list of affected devices and instructed users to update their system firmware.
And in other news…
Phishing is up 29% and it’s getting easier for criminals to deploy…Researchers from Zscaler claim that worldwide phishing attacks increased by 29% in 2021. Cybercriminals are adapting their approaches in response to general improvements in information security including wider use of multi-factor authentication. Cybercriminals are offering phishing kits as part of ‘Phishing as a service’ (PhaaS) that enable skilled and unskilled attackers to craft convincing and effective phishing pages with little effort. This is a timely reminder to ensure that your employees are aware of what to look for to.
Black Basta – the new kid on the ransomware block?
Another ransomware group surfaced in April and is thought to have exfiltrated and encrypted the data of around 50 organisations already across the US, UK, India, Canada, Australia, New Zealand, and UAE. Variants of Black Basta have been discovered that target virtual machines on Linux servers and on Windows and it has been seen to spread laterally across organisations. It creates a group policy object on domain controllers that disables Windows Defender and anti-virus solutions. Advice on protecting against this new threat is the same as that issued to protect against all ransomware and include secure offsite backups, ensuring systems are updated and patched in a timely manner, good password hygiene, encrypting sensitive data, disabling unnecessary functionality on systems and educating and informing staff about the risks and methods through which cybercriminals launch attacks and steal data.
Environment
Legislative changes
We are not aware of any recent relevant legislative changes.
Health & Safety
Legislative changes
We are reviewing a number of recent legislative changes and will provide updates in the next newsletter.
Other Updates
Updates and information from the Health and Safety Executive
Safety notice regarding tight fitting RPE and ear-loop type face masks – The HSE has published a safety notice to clarify that respirators and masks that rely on ear-loops do not provide adequate protection when used as tight fitting respiratory protective equipment (RPE). Where individuals are required to wear tight fitting RPE, the RPE should be fit tested by a competent assessor to ensure that it provides an appropriate seal on the individual’s face.
Change to risk assessment requirements for pregnant workers and new mothers in the workplace – The HSE has also changed its guidance with respect to protecting pregnant workers and new mothers in the workplace. It now requires that individual risk assessments must be carried out for a worker when they inform you that they are pregnant, or have given birth in the last six months, or are breastfeeding.
Heatwave guidance
As temperatures rise, the HSE sent out a reminder about the guidance information on its website about working in the heat.
If you would like to discuss any of the topics covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environmental, H&S and Business Continuity objectives, then please don’t hesitate to get in touch.
