July 2023 – Newsletter Update

We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.

Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites. We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website.

This update includes Information Security, Environment, Health & Safety and Quality/General Business.

Information Security
If you are an IT professional, these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.

Legislative changes
We are not aware of any material changes to legislation relevant to information security since our last newsletter. However, two amendments that are likely to be inconsequential to clients were made:

  • An amendment was made to the Data Protection Act 2018 to give an exception for legacy automated processing systems used by law enforcement and the intelligence services

  • A correction was made to one schedule of the Communications Act 2003 to correct a minor typo describing other relevant legislation

Other updates
Microsoft
Patch Tuesday roundups:

  • June – Included a fix for a critical bug in MS SharePoint Server that could be exploited by an unauthenticated attacker on the same network, and a fix for a remote code execution vulnerability.

  • May – Included fixes for three zero-day vulnerabilities, two of which have been actively exploited (including the Win32k Elevation of Privilege Vulnerability and the Windows OLE Remote Code Execution Vulnerability).

  • April – Included a fix for one actively exploited zero-day vulnerability (Windows Common Log File System Driver Elevation of Privilege Vulnerability) in a release addressing 97 flaws.

MS Authenticator enforcing number matching step – MS Authenticator users should by now have noticed that the app includes a mandatory number-matching step as part of login authentication. The step has been introduced to prevent users falling victim to ‘MFA fatigue’, where attackers use stolen credentials to try to sign into a protected account quickly and repeatedly, overwhelming potential victims with push notifications asking for login approval. Attackers hope that, by spamming the victim with requests, eventually they will just accept a login request in an attempt to stop the bombardment, at which point the attacker gains access to their account. The number-matching step requires that the user not only approves the request, but also enters the correct number. The victim will not have sight of the number because they are not legitimately trying to log in, so it is unlikely that they will enter the correct one, and so they cannot authorise the illegitimate login.
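As an added illustration (not Microsoft's code, nor part of the original newsletter), a toy Python model of push MFA with and without number matching. The `PushMfa` class and the two simulation functions are constructed for this example; they show why a fatigued victim tapping ‘Approve’ lets the attacker in under plain push approval but not under number matching.

```python
import secrets
from typing import Dict, Optional, Tuple


class PushMfa:
    """Toy model of push-based MFA (constructed for illustration; not Microsoft's code)."""

    def __init__(self, number_matching: bool) -> None:
        self.number_matching = number_matching
        # request_id -> the number displayed on the sign-in page for that attempt
        self.pending: Dict[str, int] = {}

    def start_login(self) -> Tuple[str, int]:
        """Server side: valid credentials trigger a push and a two-digit challenge
        that is shown only on the sign-in page (i.e. to whoever typed the password)."""
        request_id = secrets.token_hex(8)
        number = secrets.randbelow(100)
        self.pending[request_id] = number
        return request_id, number

    def deny(self, request_id: str) -> None:
        """Authenticator side: user taps 'Deny'; the request is discarded."""
        self.pending.pop(request_id, None)

    def approve(self, request_id: str, entered: Optional[int]) -> bool:
        """Authenticator side: 'Approve' tap; number matching also needs the number."""
        expected = self.pending.pop(request_id, None)
        if expected is None:
            return False  # unknown, expired or already-answered request
        if not self.number_matching:
            return True  # plain push: the tap alone is enough
        return entered is not None and entered == expected


def legitimate_login(mfa: PushMfa) -> bool:
    """The real user is at the sign-in page, so they can read and enter the number."""
    request_id, shown = mfa.start_login()
    return mfa.approve(request_id, shown)


def mfa_fatigue_attack(mfa: PushMfa, pushes: int, gives_up_after: int) -> bool:
    """Stolen credentials used to spam sign-in attempts. The victim denies the first
    few pushes, then taps 'Approve' to stop the noise. The number is shown only to
    the party at the sign-in page, never to the victim's app, so under number
    matching the fatigued approval cannot be completed."""
    for attempt in range(1, pushes + 1):
        request_id, _seen_only_at_sign_in_page = mfa.start_login()
        if attempt < gives_up_after:
            mfa.deny(request_id)
            continue
        if mfa.approve(request_id, entered=None):  # fatigued tap, number unknown
            return True
    return False
```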

Teams vulnerability allows external attackers to bypass phishing safeguards – Any user with a Microsoft account can reach out to an external tenant and send messages that could allow attackers to place a malicious URL into the recipient’s inbox as a file, rather than as a link. Thereafter the attacker could use social engineering tactics to convince the recipient to open the malicious file.

June outages due to DDoS attacks – Microsoft has attributed outages affecting 365 in early June to DDoS attacks.

Windows 11 Win32 app isolation feature in preview – Developers will be able to update Win32 apps to isolate them using AppContainers, reducing the potential for compromised apps to access key Windows APIs.

Apple
Key Apple updates:

  • June – Fixed zero-days used to deploy spyware via iMessage.

  • May – Apple released its first Rapid Security Response (RSR) patches, for iOS 16.4.1 and macOS 13.3.1; however, some users reported difficulties installing them. More from Apple on its RSRs here. It also issued fixes for three zero-days actively exploited on iPhones and Macs, and fixed a bug in macOS that allowed bypassing of System Integrity Protection (SIP) root restrictions.

  • April – Apple released fixes for two exploited zero-day vulnerabilities affecting iPhones, Macs and iPads, and a fix for a WebKit zero-day (first fixed in March) affecting older iPhones and iPads.

More information can be found on Apple’s security updates page.

New privacy and security features released – iOS 17 brings features to automatically remove tracking parameters from URLs, protecting internet users against unwanted third-party trackers such as marketing trackers.

Android & Google
Gmail spoofing vulnerability – Google fixed a flaw allowing scammers to impersonate the UPS delivery service with Gmail flagging the email as authentic.

Chrome to retire the padlock icon – it’s served its purpose – From Version 117, Chrome will no longer use the padlock icon to indicate websites secured via HTTPS, as it now considers this should be the default. Chromium recognises that the lock icon could also lead to a false sense of security, as nearly all phishing sites use HTTPS now, as well as legitimate ones. Instead, a version of their ‘tune’ settings icon will appear. Websites still using HTTP will continue to be flagged as ‘Not Secure’.

Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies

Cyber Risk Management – Refreshed guidance for cyber risk management, including an eight-step risk management framework to understand what ‘good’ looks like, the concept of a risk management ‘toolbox’ covering key techniques and methods, and a basic risk assessment and management method for those new to the concepts.

Cloud Service Security – New advice for users of cloud services on implementing high-risk and ‘break-glass’ accesses in cloud services.

Early Warning Active Cyber Defence service – The NCSC’s Early Warning Active Cyber Defence (ACD) service is moving to the myNCS platform. Early Warning is a free service designed to inform organisations of potential cyber-attacks on their networks. Any UK organisation holding a static IP address or domain name can sign up.

NCSC offers a number of ACD services including Mail Check, Web Check, an ‘Exercise in a Box’ solution to help organisations prepare for cyber incidents, and the Suspicious Email Reporting Service (SERS).

Training – Supply Chain Risk – The NCSC has published free e-learning tools to help organisations manage the cyber security risks across their supply chains.

Training – General Infosec Training – NCSC offers a range of e-learning tools including those aimed at staff in general. These courses are helpful for smaller organisations with distributed workforces, but we’ve seen some of the content at PCML and it is a little generic. We feel that organisations should still consider creating tailored training courses for their own users that explain the organisation’s security dos and don’ts. If you’d like advice and support in building your own training course content, we’d be happy to help.

Accessibility
In this blog post, NCSC discusses the need to ensure that security is accessible to all employees, taking into account specific physical and mental conditions that some staff may have, as well as the working environments and systems used by employees in general. It identifies cases ranging from the accessibility of training and awareness-raising materials through to the usability of interfaces.

Roundup of recent blog posts by the Information Commissioner’s Office (ICO)
Risks of business use of generative AI – The ICO called on businesses to address the privacy risks of using generative AI before rushing to adopt the technology. It reminded organisations to spend time at the initial stages to understand how AI uses personal information and ensure risks are mitigated. Some of the risks of using AI in business were highlighted in the last PCML newsletter.

Guidance for developers and users of AI – The ICO has also published guidance on the use of generative AI in the form of eight questions that developers and users need to ask, with specific emphasis on ensuring compliance with privacy obligations.

Guidance on Privacy Enhancing Techniques (PETs) – PETs can help organisations share personal information safely, securely and anonymously. The ICO has issued guidance for data protection officers and others who are using large personal data sets in finance, healthcare, research, and central and local government.

Guidance on Subject Access Requests (SARs) – SARs give individuals the right to request a copy of their personal information from organisations. This includes where the organisation obtained the information, what it is using it for and who it is sharing it with. Organisations must respond to a SAR within one month of receipt of the request; however, this can be extended by up to two months if the SAR is complex. The ICO has issued guidance on responding to SARs.

Recent noteworthy cyber incidents
Capita – Suffered two breaches, one in March and a second in May. The March incident was attributed to a cyber-attack. Embarrassingly, the May issue appears to have been due to a failure to appropriately secure an Amazon S3 (Simple Storage Service) bucket, apparently leaving data relating to hundreds of thousands of individuals exposed.

MOVEit – An actively exploited zero-day vulnerability was discovered in the MOVEit Transfer secure file transfer application in late May. Ransomware gangs including CL0P successfully exploited the vulnerability, and the number of organisations confirming they were affected continues to grow, with employee and other data being exposed. Further vulnerabilities in MOVEit have been discovered since the original issue was found in May.

Zellis – Payroll provider Zellis was a victim of the MOVEit breach. Employee details relating to a number of high-profile UK companies including the BBC, Boots and British Airways are believed to have been exposed. However, CL0P have apparently denied that they were responsible in this case, raising the possibility that other hacking groups have exploited the MOVEit vulnerability as well.

Toyota – Disclosed a data leak in which a misconfigured cloud environment exposed vehicle location data. The issue had existed for almost a decade.

New and emerging malware and techniques
Barracuda Networks has taken the unusual step of recommending to its customers that they immediately remove and replace its Email Security Gateway (ESG) devices, following the discovery of malware that the company can no longer contain via updates.

Other infosec news
Guide to protect against BlackLotus bootkit malware – The US NSA published a guide to help organizations detect and prevent infections of BlackLotus UEFI bootkit malware.

KeePass password manager updated to fix password leak – The vulnerability could allow attackers to extract the master password.

JP Morgan fined $4m for failing to retain information – The fine highlights the need for organisations to understand all their legal and regulatory obligations around retention and destruction of information, and to put effective controls in place to secure evidence needed for investigations.

Gigabyte PC motherboard vulnerability – Motherboards shipped with its update utility are at risk of infection. Users are advised to turn off App Centre’s download-and-install feature.

Environment
Legislative changes
We are aware of four legislative changes since the last newsletter that may be relevant to some or all of our clients. The first three are minor but could apply to multiple clients; the fourth is specific to clients in the Merchant Shipping industry. **InfoSec clients: please let us know if you require any of these to be added to your legislation portfolios:-

  • The Restriction of the Use of Certain Hazardous Substances in Electrical and Electronic Equipment (Amendment) Regulations 2023 – Amends the list of hazardous substances whose use in electrical and electronic equipment is prohibited or restricted through The Restriction of the Use of Certain Hazardous Substances in Electrical and Electronic Equipment Regulations 2012. This mostly supports the bans on sales of various fluorescent and compact fluorescent lamps that are being staggered through 2023. Some clients may find they have to replace lighting fittings because replacement lamps will no longer be available.

  • The Plastic Packaging Tax (General) (Amendment) Regulations 2023 – Amends the method of claiming tax credits in respect of the plastic packaging tax.

  • The Value Added Tax (Installation of Energy-Saving Materials) Order 2023 – Amends the Value Added Tax Act 1994 to allow full or partial VAT relief on installation of energy-saving materials in Northern Ireland and extends some existing reliefs for energy-saving materials.

  • The Merchant Shipping (Prevention of Air Pollution from Ships) (Amendment) Regulations 2023 – Replaces EU regulations with British law to implement aspects of the International Convention for Prevention of Pollution from Ships (MARPOL).

Health & Safety
Legislative changes
We are aware of two legislative changes since the last newsletter. The first may be relevant to clients in the Merchant Shipping industry. The second may be relevant to InfoSec clients in the domestic property sales, lettings or management industries. **InfoSec clients: please let us know if you require any of these to be added to your legislation portfolios:-

  • The Merchant Shipping (Fire Protection) Regulations 2023 – Replaces EU regulations with British law to implement aspects of the International Convention for the Safety of Life at Sea, 1974 (SOLAS).

  • The Higher-Risk Buildings (Key Building Information etc.) (England) Regulations 2023 – Supports elements of the Building Safety Act 2022, which was brought in following the Grenfell fire disaster. These regulations specify the types of buildings defined as ‘Higher-Risk Buildings’ and the requirements for provision of information about those buildings to the relevant authorities. They define the parties who may be Accountable Persons and Principal Accountable Persons with responsibility for providing that information.

Other updates
Roundup of recent posts and announcements by the Health and Safety Executive (HSE)

Asbestos – The HSE is seeking feedback on communications about asbestos safety (survey here). It has also released two new free resources for workers to test and enhance their knowledge about asbestos and asbestos risk.

Musculoskeletal Disorders ebulletin

LPG forklift truck fire risk safety notice – Warning and advice issued after a number of fires on LPG-powered forklifts during start-up.

New online guide – introduction to managing health and safety – HSE has developed a new step-by-step online guide to help you quickly find and understand what your business must do to comply with health and safety law.

Quality/General Business
Legislative changes
We are aware of seven legislative changes since the last newsletter that may be relevant to some or all of our clients. The first six appear to be low impact and are modifications to, or commencement of, existing legislation. The seventh appears to be a minor change relevant only to companies importing goods directly or indirectly from Developing Countries. **InfoSec clients: please let us know if you require any of these to be added to your legislation portfolios:-

  • The Export Control (Amendment) Regulations 2023 – Extends existing legislation that controls the export of ‘dual-use’ items (items that could be used for civilian or military purposes) to some specific regimes.

  • The Russia (Sanctions) (EU Exit) (Amendment) Regulations 2023 – Extends the existing sanctions to cover additional products including specific goods, ‘revenue generating goods’ and activities and makes remedial amendments to existing restrictions on oil and oil products, gold, coal and coal products.

  • The Russia (Sanctions) (EU Exit) (Amendment) (No. 2) Regulations 2023 – Amends the geographic coverage of the existing sanctions within Ukraine and allows for sanctions to be used to compensate Ukraine for Russian aggression.

  • The Nationality and Borders Act 2022 (Commencement No. 6) Regulations 2023 – Brings into force aspects of the Nationality and Borders Act 2022, including powers to deprive persons of citizenship and provisions for judicial oversight.

  • Public Order Act 2023 – Brings additional disruptive activities under the umbrella of public order offences. Some parts of the Act have yet to come into force. The offences relate to activities that are used as forms of protest. The Act will also extend the powers of stop and search.

  • The Public Order Act 2023 (Commencement No. 1) Regulations 2023 – Commencement of the first parts of the above Public Order Act 2023.

  • The Customs (Origin of Chargeable Goods: Developing Countries Trading Scheme) Regulations 2023 – Replaces EU regulations with British law. May be relevant to organisations importing goods from Developing Countries directly or via specified countries. In some cases, this includes where those goods are incorporated into other manufactured goods abroad, which are then imported.

If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch.