Monthly Archives: September 2014

October 1st – Government Suppliers will be required to have Cyber Essentials

From 1 October 2014, Government will require all suppliers bidding for certain contracts which are assessed as higher risk to be Cyber Essentials certified. The suppliers and contracts affected are likely to be from the following sectors: IT managed or outsourced services, commercial services, financial services, legal services, HR services and business services. This will not be mandatory for suppliers through G-Cloud or the Digital Services Framework. Further guidance for suppliers will be issued later this year. (GOV.UK)

Regular readers of this blog will know that not only have we recently gained Cyber Essentials certification, we have also been mentoring clients through the process to enable a painless and swift certification. Whilst we don’t normally ‘sell’ via the blog, given the tight deadline and the apparent confusion around this Government requirement, we thought it would be a good idea to provide a link to our Cyber Essentials consulting in case readers need it. You may require a little, you may require a lot, or you may want to do most of it yourself and just want some reassurance from a consultant that your submission is right. If you have ISO27001 you will be well prepared; if you haven’t, you may well already have a lot of what you need but don’t yet realise it.

Don’t worry, just ask. http://www.advent-im.co.uk/cyber_essentials.aspx

Successful Cyber Essentials and IASME Certifications for Advent IM!

The independent holistic security specialists gain successful certifications to both schemes

Advent IM Ltd, the UK’s leading independent holistic security consultants, today announced their successful certification to both Cyber Essentials, the UK Government’s cyber security assurance scheme, and IASME, the Information Assurance standard for SMEs.

Operations Director, Julia McCarron said, “We are delighted to have gained these two worthwhile certifications. It was a natural step for Advent IM as we already have ISO27001 and were keen to embrace the UK Government’s schemes. It is a great way of continuing to assure our supply chain partners of how seriously we take Information Security and having ISO27001 meant we were already very well placed for success. We walk the walk as well as talk the talk! We are already helping our clients through Cyber Essentials with great success.”

Some further information on the Cyber Essentials Scheme

The UK government’s Cyber Essentials scheme was developed earlier this year with the IASME Consortium, a local Malvern company, representing small companies on the drafting panel. The development of this scheme resulted from a review of the successful cyber attacks over the last few years. The review found that the majority would not have been successful if 5 simple technical controls had been implemented. These controls are quite detailed, so plenty of companies who hold the international cyber standard, ISO27001, may not actually have all of these technical controls in place. Cyber Essentials is available either as a self-assessment or as an audited version, called Cyber Essentials PLUS.

The Government has announced that, from 1st October 2014, all new Government contracts associated with personal or sensitive data will only go to companies with Cyber Essentials certification. Large companies will also be encouraged to enforce this down through their supply chains.

Some further information on the IASME Standard

A recent call for evidence by the UK Government concluded that the best governance standard for small companies was the IASME standard, developed and run by a local small Malvern company. The standard itself was developed using government funding with the aim of finding a small company alternative to the international standard (ISO27001). The IASME standard focuses on both governance and technical security. It includes aspects like a security policy, staff awareness, risk assessments, business continuity plans and back-up processes. These ensure that you understand your risk and are managing your security effectively. Accreditation is available either as a self-assessment or a fully audited assessment.

Issued: 26.09.14. Ends. Ref: CE/IASME/1/ Advent

NOTES TO EDITORS


About Advent IM

Advent IM is an independent specialist consultancy, focusing on holistic security management solutions for information, people and physical assets, across both the public and private sectors. Established in 2002, Advent IM is a centre of excellence for security services, promoting the benefits of best practice guidelines and standards and the need to address risk management to protect against potential threats.

From its offices in the Midlands and London, its Consultants work nationwide and are members of the CESG Listed Advisor Scheme (CLAS), Institute of Information Security Professionals (IISP), The Security Institute (SyI), Business Continuity Institute and British Computer Society.

Consultants are also Lead Auditors for the International standard for information security management (ISO 27001) and business continuity management (ISO 22301), Practitioners of PRINCE2, a recognised project management methodology widely used within the public sector, CISSP qualified and Home Office trained physical security assessors.

Targeting of “Western” Critical National Infrastructure and how we all play a part in its defence.

I have read several opinion pieces that suggest ISIS is planning a cyber-geddon style attack on “the West’s” Critical National Infrastructure (CNI). Given the current nature of warfare and the growth of cyberwar/terrorism this seems like a logical opinion.

From the inaugural FT Cyber Security Summit in June this year:

Countries are having to defend themselves against an increasing number of attacks on their information and communications systems from unfriendly states, terrorists and other foreign adversaries. NATO, for example, in June adopted an “Enhanced Cyber Defence Policy”, outlined in a public information document circulated by the 28-member intergovernmental military alliance at the conference.

“The policy establishes that cyber defence is part of the Alliance’s core task of collective defence, confirms that international law applies in cyberspace and intensifies NATO’s cooperation with industry,” states the document. Key aspects of the policy were discussed at the event, including the fact, reiterated by a member of the audience, that a digital attack on a member state is now covered by Article 5 of the treaty, the collective defence clause, meaning that NATO can use armed force against the aggressor.

We can all play a part in securing our CNI by securing our own networks and businesses, making them less likely to be used as mules or zombies that deliver this threat to our CNI. Back in 2011, Chatham House issued a report on cyber terrorism, and one of its recommendations back then was:

Training and development of staff in cyber security measures should be seen as an integral part of risk mitigation strategies.

This says staff, not IT staff or security staff, just staff, and this is because ‘cyber’ is a part of everyone’s day with very few exceptions. Behaviour and culture have an impact on CNI security. Through supply chains we are all connected, and through our IP-enabled devices both at home and at work these connections become ever more complex and exploitable. Part of the problem, as I see it, is a bit of a disconnect with security at the top of many of our organisations.

[Image: E&Y security survey 2012]


This is where culture is driven from and addressing this worrying knowledge gap is vital. Evidence for this lack of understanding comes from businesses themselves.


[Image: Board compliance survey results]


The U2 Album and some phishing

Opinions vary on the success and indeed the ethics of Apple’s decision to place a copy of U2’s new music in iTunes libraries. Some people have welcomed it, though I assume these are the ones who did not have their personal preferences overridden. It appears many people had not selected the auto download option in their settings, but this seems to have made little or no difference. (These may or may not be some of the contributors to the Twitter hashtag #IblameBono currently occupying a space in my recommended trends. I hasten to add Advent IM has not contributed.)

It has also become apparent that the album is not too easy to remove either… indeed the news today includes an update from Apple, who have now created a remove U2 with one click tool after the clamour from iTunes users. They do say that there is no such thing as bad publicity but I can’t help but wonder if invading people’s privacy in this way would ever be good news for a brand. Knowing that your wishes can be overridden with impunity is not reassuring. Realistically, I would think that regular reassurance and demonstration of privacy and security being respected would be a far better approach.

One of the unintended consequences of this has been a massive increase in the number of iTunes and Bono-based phishing emails. Some have offered a ‘delete the U2 album’ link or tool (either carrying or linking to malware). Others have capitalised on the fact that Apple have given something away by purporting to carry a link to a free film from Apple. Users who were suitably impressed by being given the free U2 album have been ‘softened’ into thinking it was perfectly believable that Apple would now be sending them links to free movies.

So users who were less than happy with the sneaking of U2 into their library may get caught by the first kind and those who were thrilled and were then happy to have more free Apple stuff may be caught by the second…

Whatever way you look at this, the U2 album has been a bit of a nightmare from a security perspective. #IMightBlameBono…