National Security Committee

Risk Ledger - Many UK Government departments and public bodies have increasingly looked to technology to support their understanding of the operational risk presented by their extended supply chain. Their goal is to establish fact-based views that inform their operating resilience by minimising the impact of cyber security events. Risk Ledger is one of the tools chosen with over 4,000 organisations already signed up. Experience shows that it typically takes less than 10 days to enter company information and this is then automatically reused across government. The organisational data is refreshed every 6-months or by exception on significant change or emerging vulnerability requests.

With several legislative and international standard overlays, compliance and audit reports can be generated in hours and not days allowing the correct focus on priority risk areas.

Cyber Essentials is a UK Government backed scheme overseen by the National Cyber security Centre (NCSC).  It seeks to demonstrate that an organisation has a minimum level of protection in cyber security through annual assessments to maintain their company certification.  By achieving at least this level of protection then an organisation:

• helps to safeguard the intellectual property stored on its own systems
• becomes eligible for government contracts that involve handling sensitive and personal information
• becomes eligible for the provision of certain technical products and services.

Cyber Essentials is a self-certification trademark.  It is recommended that independent, technical verification is conducted and that you therefore achieve Cyber Essentials Plus.  Support for the certification process is an area where other techUK members might be able to assist.

Introducing the technical controls

There are five technical controls:

1. Firewalls
2. Secure configuration
3. Security update management
4. User access control
5. Malware protection

As a Cyber Essentials scheme applicant organisation, it's your responsibility to make sure that your organisation meets all the requirements. You might also be required to supply evidence before your certification body can award certification at the level for which you’re applying.

What you should do first:

• Establish the boundary of scope for your organisation, and then determine what is in scope within this boundary.
• Review each of the five technical control themes and the controls they embody as requirements.
• Take the necessary steps to ensure that your organisation meets every requirement it needs for the scope you have determined

Getting certified?

NCSC’s Cyber Essentials Partner the IASME consortium can help you to get certified. We also have a number of techUK members who can provide coaching or further support.  For example:

• Rizikon is offering free access to its platform for a single-use assessment.

Threat actors have much success in crafting plausible content on SMS text, email or published media that less aware users may click on or through embedded links to access seemingly legitimate web pages and potentially enter sensitive details that are harvested and used against individuals and organisations. The introduction of Quick Response (QR) codes in 1994, enables users to simply scan 2-dimensional bar-coded images with a camera enabled device to interact with richer services and information behind the image. With the straightforward ability for tampering with published codes through stick on overlays having now become a prevalent technique to hijack the original intended purpose and harvest user information. According to one source, the QR phishing (Quishing) threat has increased by over 2400% since May 23.

Both email Phishing and Scanned Quishing techniques or combined approaches attempt to lead a victim to a malicious website where login credentials and personal information can be stolen. Commonly there is an urgency or request for help that does not follow normal business process. Once credentials are harvested, they may be sold on or used for criminal activity.

Common signs to watch out for are:

• Unexpected emails or messages
• Poor use of native language that may be generic and contain poor grammar and typos in any message text
• Poor image quality
• Unrecognizable URL
• Suspicious websites

Users should consider undertaking security awareness training to understand the risks, ensure their device software is kept up to date and has anti-virus software installed and should be encouraged to think before giving out personal information unless certain the webpages and need are legitimate. If in any doubt report to business security teams or law enforcement authorities.

Please remember that reputable companies do not send unsolicited mail requesting that you provide sensitive information!