Nicole Lee

Cyber Threat: NCSC New Guidance

The cyber threat has heightened following the recent Russian attack on Ukraine. The National Cyber Security Centre (NCSC) has urged organisations to follow the guidance it has published.

The NCSC is not aware of any immediate specific threats to UK organisations in relation to the situation. There has, however, been a historical pattern of cyber attacks on Ukraine with international consequences.

Balancing Cyber Threat & Defence

The threats an organisation faces vary over time. It is important to strike a balance between the current threat, the measures taken to defend against it, the implications and cost of those defences, and the overall risk this presents to the organisation.

Moving to a heightened alert can help prioritise necessary cyber security work, especially when the threat is greater than usual, and it also offers a longer-term boost to defences. Organisations then have the best chance of preventing a cyber attack when one is most likely, and of recovering quickly if one happens.

Affecting Factors

New information that the threat has heightened may change the view of cyber risk. This might be due to active exploitation of a vulnerability in a widely used service resulting in a breach. It could also be specific to an organisation, sector, or even country, resulting from hacktivism or geopolitical tensions.

This means that organisations of all sizes could be affected and should be taking steps to ensure they can respond to these events. It is rare for an organisation to be able to influence the threat level itself; instead, organisations should follow the guidance to reduce their vulnerability and to limit the impact of a successful attack.

Unpatched vulnerabilities, misconfigurations and breached passwords are just a few examples of what attackers take advantage of. The most effective way to reduce the cyber threat is to reduce attackers' ability to use these techniques against you.

Precautionary Steps

While it is unlikely that an organisation can make widespread system changes quickly in response to a change in threat, it is important for your organisation to have the basics of cyber security in place. The following steps proposed by the NCSC are intended to ensure that basic cyber hygiene controls are in place and functioning correctly.

  • Check your system patching: Ensure all devices and firmware are patched. Turn on automatic updates where possible.
  • Verify access controls: Verify that staff passwords are unique to your business systems and not reused on other systems. Remove old or unused accounts and enable multi-factor authentication (MFA).
  • Ensure defences are working: Install antivirus and regularly check that it is active. Check that firewall rules are as expected.
  • Logging and monitoring: Understand what logging your organisation has in place, and where and for how long the logs are stored.
  • Review your backups: Ensure that backups are running correctly and that you hold an offline copy.
  • Incident plan: Check that your response plan is up to date, including escalation routes and contact details.
  • Check your internet footprint: Records of your external, internet-facing footprint should be correct and up to date, including the IP addresses your systems use and the domain names that belong to your organisation.
  • Phishing response: Have a process in place to deal with reported phishing emails.
  • Third party access: Remove any third-party access that is no longer required. Make sure you know what level of privilege is extended, and to whom.
  • NCSC services: Register for the NCSC Early Warning service so that you are informed quickly of any malicious activity affecting your organisation.
  • Brief your wider organisation: Brief your team and the other teams within the organisation on the situation. Make sure everyone knows how to report suspicious activity.

Advanced Actions

The NCSC developed the Cyber Assessment Framework (CAF). It is intended for organisations responsible for services and activities that are of importance to the public. This guidance includes all the precautions listed above, together with some more advanced actions you could take.

These actions include reviewing cyber security plans to see whether they should be accelerated, taking a more aggressive approach to patching security vulnerabilities, delaying significant system changes that are not security related, and many more.

You can read the detailed NCSC guidance here.

Organisations In The US

For organisations in the United States, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint Cybersecurity Advisory.  You can read the detailed guidance here.


Here at it-QED, we have collectively donated to the local Ukrainian community centre. Check out your local Ukrainian community centre to see how you can help out.

Contact us if you would like to know more about cyber threat and security.

Nicole Lee

SPAM & Phishing

What is SPAM?

If you spend much of your time on the internet, you will have heard the terms ‘SPAM’ and ‘phishing’. But what are SPAM and phishing?

SPAM is unsolicited, unwanted bulk junk messaging sent to a wide audience. It is usually sent for commercial purposes, as the cost of sending one email is extremely low. Interestingly, the term ‘SPAM’ is thought to have come from a Monty Python sketch in which the menu becomes increasingly SPAM orientated (see here).

There are many different types of SPAM ranging from messaging SPAM to SEO SPAM. We will be discussing mainly email SPAM in this article.

How to distinguish SPAM and Phishing?

[Image: example of a phishing email, showing how phishers pose as well-known companies in order to gain your trust]

How can you tell if an email is genuine, especially if the phishers are imitating genuine large companies or even someone you know?

You can check the sender's email address to make sure they are who they say they are. In the example above, you can see that the email address is @amazonmisconduct.com (this is not Amazon). And if you hover over the link they want you to follow, you will see that it does not take you to Amazon.

If an email seems suspicious, this is what you can do to protect yourself and your data:

  • Check the email address; does it match who they say they are?
  • If the email is suspicious, DO NOT click on any links or images.
  • Hover over links to see where they will actually take you.
  • Do not open attachments from unknown senders.

SPAM examples

SPAM comes in many different forms. The most common types that you may find in your email junk folder (or inbox, if your SPAM filter is not tuned well) are as follows:

  • Health and medical services; alternative medicines, dietary pills, or even a miracle cure. These products are almost certainly empty promises, but that doesn’t stop the SPAM emails.
  • Tech and internet; software and hardware offers, electronics ads, internet, and mobile services, etc.
  • Service enrolment; long-term services like education programmes or insurance.
  • Financial services and investments; debt assistance, low-interest loans, or even free money!

As mentioned before, SPAM is mostly used by companies for commercial advertising because the cost per email is so low while the reach is so wide. Compared with traditional advertising on TV or in magazines, it is an economical way for companies to reach large audiences.

SPAM VS Phishing

But what’s the difference between SPAM and phishing?

They are both unsolicited, unwanted emails. The main difference is the intent behind them. Although irritating and unsolicited, most SPAM emails are not out to hurt you but rather intended to sell you a product or service; they are advertising legitimate businesses.

What is phishing?

Phishing, however, has a much more malicious intent behind it. Phishers are looking to gain access to your device and personal information, and to use that access for nefarious purposes. There are many types of phishing, including:

  • Email Phishing – The attacker can install malware on your computer if you click the links or open attachments, or harvest your credentials if you type them in. These are often bulk emails sent to thousands of users.
  • Whaling – The attacker has researched the executives of a company and sends emails pretending to be them; these often ask colleagues to send money transfers or voucher codes to the attacker.
  • Vishing – Voice phishing; scammers will call and try to obtain your personal information (no, the caller isn’t really from HMRC, Microsoft, or Amazon!).
  • Spear Phishing – Attackers have researched the recipient via company websites, social media, etc., and carry out targeted attacks. These campaigns can be very convincing in order to obtain your personal information, credentials, and other sensitive information.
  • Evil Twin – Attackers set up WiFi hotspots that look like company or coffee shop WiFi and then steal data and credentials from people connecting to them.

How to recognise phishing?

Some of the points to look out for are:

  1. Does the email or call look too good to be true, or require immediate, urgent action?
  2. Hackers often disguise themselves as someone you can trust, e.g. your bank, a large well-known company, or a colleague. Do the email address and website link match what you would expect? Are the tone and grammar of the communication what you would expect? (Please see the example above.)
  3. Were you expecting the email or communication? If suspicious, contact the sender by other means to check that it is valid.
  4. Never enter your credentials into a site linked from an email unless you are sure it is genuine; if in doubt, don’t!

Common tactics of spam & phishing

Have you ever received an email saying you’ve won a competition even though you never entered one? Or perhaps you’ve received an email stating that your computer has been hacked and you need to download an anti-virus to prevent further damage. Have you had an email asking you to reset your password? Have you heard of the Nigerian Prince?

These are common tactics of a phishing email. They usually sound urgent so that you feel you need to act quickly, and that’s how they get you. These emails try to entice you to click a link, download something, fill in a form, enter your password or even complete a payment. That is all they need to gain access.

[Image: two examples of phishing emails that use a sense of urgency to make you feel you need to act quickly]

With the plethora of social media sites, and the size of the average person's online presence, phishers have access to more personal information than ever. This means that they can tailor their attacks to their target’s needs, wants, and life circumstances. In turn, this can lead to identity or financial theft, data theft, or even corporate espionage.

Click here to watch how quickly a phishing attack can spread.

How can you help prevent SPAM and phishing?

SPAM and phishing emails do not have to be part of your daily life. You can reduce the amount of SPAM you get and stop it reaching your inbox. Here are some tips on how you can do that:

  • Mark unwanted emails as SPAM. Try to avoid unsubscribe links in SPAM; they just confirm that you are reading the messages.
  • Keep it private. Spammers find contact information online, so keep your online presence as private as you can. Attackers will use information such as your phone number and physical address.
  • If someone you know sent you SPAM, let them know. Tell a trusted contact if you’ve received a SPAM email from them, as their account may have been hacked and used for spamming. Keep yourself and others safe.
  • Keep your software and security measures up to date, making it harder for spammers to exploit any vulnerabilities.
  • Consider tuning the anti-SPAM and anti-phishing rules on your email service.
  • Consider company-wide user awareness training for phishing emails; we have a number of options that can help.

If you would like to discuss ways of improving your cyber security, please contact us.

Click here to read our previous article on cyber security.

Colin Weeks

Cyber Security Awareness

Did you know that it’s nearing the end of Cyber Security Awareness month?

[Image: ECSM (cybersecuritymonth.eu)]

We thought that this would be a good time to start a series of blog posts to help keep cyber security awareness high and discuss the common threats and steps that can be taken to help mitigate them.

Hacking and malware have been around since the dawn of computing. Initially, malware was written ‘just because it could be’ and was designed to disrupt users’ systems and delete data. This then evolved over time to systems being silently compromised and data being exfiltrated without users’ knowledge. Today, this has further evolved into multinational gangs encrypting users’ data and then demanding ransoms to give back access – it is not just big corporates being targeted, it’s everyone!

With the increase of these threats and the challenges posed by an increase in home working, it is more difficult than ever to stay secure. In this article, we will discuss several things that all users can do whether at work or home to help keep their data secure.

Passwords & Authentication

We use passwords to secure almost everything; they are the simplest form of authentication protecting access to your data. A strong, hard-to-guess password will prevent many common attacks. Below are a number of points to consider when choosing a password.

  1. Never disclose your password to others or share passwords. Others may write it down, enter it into fake webpages, etc. Your password is for you alone!
  2. Never write down passwords. If you lose the record, others may well find it and compromise your data. Many people use similar passwords across multiple websites, which means that if you lose one password it can be used to access many sites.
  3. Do not use the same passwords for home and work. If either is compromised, it won’t take long for the hacker to work out who you are, where you live, and where you work using sources such as Facebook and LinkedIn, among others.
  4. Do not use passwords containing personal information or that are too easy to guess (again, it is easy to work out personal information from social media sites).

These are examples of what to avoid when creating a password:

  • Simple to guess passwords such as ‘Password1’
  • Passwords containing names, dates, sports teams, etc.
  • Simple words
  • Predictable keyboard sequences, such as:
    • 123456
    • Qwerty
  • Your child’s name

DO, however, use a combination of characters. Passwords should involve a character from at least three of the following groups and be at least 12 characters long:

  • Uppercase
  • Lowercase
  • Numbers
  • Punctuation

Consider using passphrases rather than single words, such as: I1Like2Climbing3Mountains!!*. You could also use four random three-letter words (plus some numbers and punctuation). A common misconception is that spaces are not allowed in passwords – this is not true!
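The rule above (at least 12 characters, drawing on at least three of the four character groups) together with the "avoid" list can be turned into a simple policy check. This is an added example, not code from the original post or from it-QED; the predictable-password set and the sample passwords in the tests are constructed, and a real deployment would compare against a breached-password list.

```python
import string

# Thresholds from the article's rule: 12+ characters, 3 of 4 character groups
MIN_LENGTH = 12
MIN_GROUPS = 3

# Constructed sample of predictable values from the article's "avoid" list
# (lower-cased). A real deployment would use a full breached-password list.
PREDICTABLE = {"password1", "123456", "qwerty", "password", "letmein"}

# Keyboard rows used to spot runs of adjacent keys such as 'qwerty' or '123456'
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def character_groups(password: str) -> set:
    """Return which of the four groups (upper, lower, digit, punct) appear.
    Spaces count towards the length but belong to no group, so a passphrase
    with spaces is accepted, matching the article's note."""
    groups = set()
    for ch in password:
        if ch.isupper():
            groups.add("upper")
        elif ch.islower():
            groups.add("lower")
        elif ch.isdigit():
            groups.add("digit")
        elif ch in string.punctuation:
            groups.add("punct")
    return groups


def is_keyboard_sequence(password: str) -> bool:
    """True if the password contains four or more adjacent keys from one
    keyboard row, in forward or reverse order (e.g. 'qwer', '4321')."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - 3):
            run = row[start:start + 4]
            if run in lowered or run[::-1] in lowered:
                return True
    return False


def check_password(password: str, personal_terms=()) -> list:
    """Return a list of rule violations; an empty list means the password passes.
    personal_terms are things an attacker could learn from social media
    (names, team, birth year) that must not appear in the password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_groups(password)) < MIN_GROUPS:
        problems.append(f"uses fewer than {MIN_GROUPS} of the four character groups")
    lowered = password.lower()
    if lowered in PREDICTABLE:
        problems.append("matches a well-known predictable password")
    if is_keyboard_sequence(password):
        problems.append("contains a keyboard sequence")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal information: {term}")
    return problems
```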

  • Enable two-factor or multi-factor authentication (2FA/MFA). This is the type of authentication used by banks and now more widely across the Internet, and is based on the principle that you gain access to systems using something you have and something you know. In general, the password is something you know and your mobile phone is something you have; so in order to log on, you’ll need to remember your password and then type in a code sent via SMS or click an accept button within an app to prove that it is you logging on. Even if you have typed your password into a phishing site, or somebody has guessed it, they will still not be able to log on as you because they do not have your mobile phone. This is one of the best ways to enhance your cyber security!

  • One final consideration is to use a password manager, which means all of your passwords can be completely different. The end result is that you can have passwords which are 15 to 20 characters long and completely randomised, which you don’t have to remember because the password manager does that for you. You just need to ensure that you have one long and complex password that you will remember to access the password manager – again, enabling two-factor authentication on it is a good idea, as it will contain all your precious passwords! Another advantage of all the passwords being different is that if one is compromised, it will not give access to all the different websites you use.

Updates

Other methods of accessing your data involve security flaws in your mobile phone, your computer’s operating system, or the applications running on it. To help avoid this, always apply the latest updates soon after they are released so that your computers, phones, and applications are up to date with security patches. It is also best practice to uninstall old programs that you no longer use.

Administrative Accounts

It is always best to log on to your computer with an account that does not have administrative rights. Although this is less convenient, you can keep a separate account to use when software needs to be installed. Working like this means that if malware affects your machine, or you click on links in webpages that try to infect your computer, the consequences are likely to be less serious, because the malware runs in the context of a standard user rather than an administrator with full control of your machine.

User Awareness

User awareness of cyber security is another great way to ensure you stay safe – whether it’s your work colleagues or your family, being aware of the common attacks can help you avoid them. This will be covered further in a later blog, but the key piece of advice here is that when you receive emails or texts that seem too good to be true, that you’re not expecting, or that require you to do something urgently, treat them with a healthy dose of suspicion!

If you would like to discuss ways to help improve your security, please contact us.