October 2022 – Newsletter Update

We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.

Please note that we’ve included links below to external websites. PCML Consultants are not responsible for the content of any external websites. We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website.

This update includes Information Security, Environment and Health & Safety.

Information Security
If you are an IT professional, these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.

Legislative changes
We are not aware of any recent legislative changes that directly affect Information Security that have been published since the last update.

Other updates
Microsoft
Autopatch is live – Windows Autopatch, announced in April, went live shortly after our last update. It lets administrators automate the rollout of Windows and Microsoft 365 Apps updates across their estate in a series of ‘rings’: a small test set of devices receives an update first, and Autopatch then moves on to progressively larger groups, with checks between rings so that an update that causes problems is paused before it reaches the whole estate. It needs some initial configuration (and the devices must be managed through Intune), but it greatly simplifies a controlled rollout of patches to endpoints.

Passwordless authentication is in public preview – Microsoft, Apple and Google have all committed to improving sign-in security by supporting FIDO passkeys, recognising the inherent weaknesses of passwords. In late September, Microsoft announced that passwordless authentication for Azure Virtual Desktop (for example with Windows Hello for Business or a FIDO2 security key) had entered public preview. The functionality is currently available on Windows 10, Windows 11 and Windows Server 2022 session hosts.

Tamper protection for Defender for Endpoint
Tamper protection has been on by default for new Defender for Endpoint tenants since 2019. Microsoft has announced that it will now turn it on by default for existing tenants that have never configured it (tenants that explicitly turned it off are not changed). Tamper protection blocks changes to key security settings such as real-time and cloud-delivered protection, and stops the antimalware service being disabled or security intelligence updates being removed, even by someone with local administrator rights. If you rely on a third-party tool or script to manage Defender settings, check that it still works with tamper protection on before the change lands.

Enhanced phishing protection for Windows 11
Windows 11 22H2 adds Enhanced Phishing Protection to Microsoft Defender SmartScreen. It watches for the user typing their Windows or Microsoft account password into an app or website: if the site is known to be malicious or untrustworthy, it warns the user to change their password, and the event can be surfaced to administrators through Defender for Endpoint. The user-facing warnings are controlled by policy and are not shown until enabled, so switch them on as 22H2 devices are deployed.
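
As an added example (this is neither Microsoft’s tooling nor a PCML product), the PowerShell below reads the local state of the two Defender features covered above on a single device: tamper protection, via the IsTamperProtected property of Get-MpComputerStatus, and the Enhanced Phishing Protection policy values, which are assumed here to live under the WTDS\Components policy key and value names published in Microsoft’s policy documentation. Run it in an elevated session on a Windows 10/11 device with Defender installed.

```powershell
# Added example: report Defender tamper protection and Enhanced Phishing Protection
# policy state for the local device. Not Microsoft code.
# Assumption: the registry path and value names below follow Microsoft's published
# Enhanced Phishing Protection policy settings; check them against current docs.

function Get-DefenderHardeningState {
    # Get-MpComputerStatus is part of the built-in Defender module.
    $status = Get-MpComputerStatus

    $phishKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
    $phishValues = @{}
    foreach ($name in 'ServiceEnabled', 'NotifyMalicious', 'NotifyPasswordReuse', 'NotifyUnsafeApp') {
        $item = Get-ItemProperty -Path $phishKey -Name $name -ErrorAction SilentlyContinue
        # A missing key or value means "not configured by policy"; report that as $null
        # rather than treating it as 0, so the two cases stay distinguishable.
        $phishValues[$name] = if ($null -ne $item) { [int]$item.$name } else { $null }
    }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        TamperProtected         = [bool]$status.IsTamperProtected
        RealTimeProtection      = [bool]$status.RealTimeProtectionEnabled
        AntivirusEnabled        = [bool]$status.AntivirusEnabled
        PhishingServiceEnabled  = $phishValues['ServiceEnabled']
        PhishingNotifyMalicious = $phishValues['NotifyMalicious']
        PhishingNotifyReuse     = $phishValues['NotifyPasswordReuse']
        PhishingNotifyUnsafeApp = $phishValues['NotifyUnsafeApp']
    }
}

$state = Get-DefenderHardeningState
$state | Format-List

# Flag the two conditions an administrator would want remediated.
if (-not $state.TamperProtected) {
    Write-Warning 'Tamper protection is OFF on this device. Microsoft will enable it by default, but do not wait for that.'
}
if ($state.PhishingServiceEnabled -ne 1) {
    Write-Warning 'Enhanced Phishing Protection is not enforced by policy (applies to Windows 11 22H2 and later).'
}
```

To check a fleet rather than one machine, wrap the function in Invoke-Command against a list of computer names, or run the same query as a Live Response script from the Defender for Endpoint portal; in either case the tamper protection flag is the one to alert on, since a device where it is off can have its protection silently switched off.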

Microsoft 365 patches for Windows 7 to end in 2023
Security updates for Microsoft 365 Apps running on Windows 7 end in January 2023, alongside the end of Windows 7 Extended Security Updates. Any remaining Windows 7 endpoints should be retired or upgraded before then.

Apple
Updates to address exploited vulnerabilities – On 12 September 2022 Apple released updates for Safari, macOS, iOS, iPadOS, tvOS and watchOS that address vulnerabilities Apple says may have been actively exploited. Apply them promptly, and check that managed devices are actually installing them rather than merely being offered them.

Other information security news
LastPass was breached and has revealed the cause – Attackers compromised a developer’s endpoint device and used it to reach the password manager’s development environment, where they had access for four days before being detected. LastPass’s investigation found that source code and some proprietary technical information were taken, but that no malicious code was injected and the product was unaffected. Customer data was unaffected: vaults are held as encrypted containers that can only be decrypted with the customer’s master password, which LastPass does not hold. Stolen source code can still help an attacker find weaknesses later, so any follow-up notices from LastPass deserve prompt attention.

Developers are increasingly the targets of phishing
In September, a phishing campaign impersonating CircleCI targeted GitHub users, the latest in a trend of attacks aimed at developers. The attackers are after credentials that give them a foothold in the software development supply chain. In this case the phishing site relayed one-time codes to GitHub in real time, so time-based 2FA codes did not protect accounts, whereas hardware security keys (WebAuthn) would have. Treat developer accounts on source control and CI services as privileged accounts and protect them accordingly.
***As a reminder, PCML Consultants can offer tailored phishing simulation tests to check your team’s ability to correctly identify and deal with phishing attacks. Contact us to find out more***

Ransomware down, malware up globally, but not in Europe, and the relief may be short-lived – SonicWall’s latest threat report recorded a global decline in ransomware and a rise in malware attacks in the first half of 2022. Worldwide, ransomware volume fell by 23%, but in Europe it rose by 63%. SonicWall’s forecast for the next 12 months is that ransomware will return in force.

NCSC guidance on selecting better authentication models
Passwords on their own are weak. The NCSC has published guidance on better alternatives and on choosing an authentication model that fits the service being protected.

Log4j – it hasn’t gone away – The US Department of Homeland Security’s Cyber Safety Review Board concluded that the risks from the Log4j vulnerabilities could persist “for a decade or longer”, because the library is embedded in so much software that many affected instances have still not been identified. If you have not already done so, inventory where Log4j is present in your estate, including inside third-party products, and keep checking vendor advisories.

Atlassian fixed the hard-coded password in its Questions for Confluence app, but the password has been published, so patching the app is not enough: the local account the app created (disabledsystemuser) is not removed by the update and should be disabled or deleted. Atlassian also warned users of a number of other vulnerabilities at the same time.

LinkedIn fakery
Krebs on Security reports that a proliferation of fake executive profiles on LinkedIn, many claiming senior roles including CISO, is raising concerns. The motive is unclear at present and the profiles are not doing very much, but they are causing confusion. Staff and suppliers should not treat a LinkedIn profile as proof that someone holds the role they claim.

EU proposing Cyber Resilience Act for network-connected devices – The proposal would require manufacturers to deal with security vulnerabilities affecting their products for five years after they are placed on the market, and to report actively exploited vulnerabilities to the EU’s cybersecurity agency, ENISA, within 24 hours of becoming aware of them.

Environment
Legislative changes
We are not aware of any recent relevant legislative changes.

Health & Safety
Legislative changes
The Regulatory Reform (Fire Safety) Order 2005 has been updated to reflect amendments made by the Building Safety Act 2022, which incorporates lessons learned from the Grenfell Tower disaster. The Order previously applied only to certain non-residential buildings. The amendments bring some additional buildings that are, or which include, residential dwellings under the Order. They modify some of the pre-existing requirements and add further requirements that apply specifically to buildings defined as ‘Higher-Risk’ buildings. The changes have been incorporated into an update to the Order on the PCML InfoSec Legislation portal.

Updates and information from the Health and Safety Executive
The HSE has published its workplace fatality statistics for 2021-22. Between April 2021 and March 2022, 123 workers and 80 members of the public were killed in work-related incidents. The most common causes were falls from height, being struck by moving vehicles or objects, coming into contact with moving machinery, and being trapped by something collapsing or overturning. Despite the apparently high number, the death rate per 100,000 workers has remained fairly constant. A summary and the full report are available on the HSE website.

If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch.