Security Newsletter

The latest news from the sector sees the ICO fine a sacked council employee for using privileged access to help his girlfriend find a job, GCHQ is getting worried about the use of Chinese “tech” in big infrastructure, the latest on Microsoft’s February patch updates and more …

Sacked Council Officer Fined by ICO for Sending Personal CV Info To His Girlfriend

A formed Nuneaton and Bedworth District Council officer, in charge of building control services, was fined nearly two thousand pounds by the ICO for accessing confidential local authority recruitment data and emailing it to his partner via a free to use email account.

The former officer, Kevin Bunsell, was trying to ‘help’ his partner who was applying to the council for a job. Bunsell accessed confidential recruitment information before emailing them to himself and his partner’s free email accounts.

The ICO’s response to the case:

“People who supply their personal information to an organisation in good faith, such as when applying for a job, have a legal right to expect it will be treated lawfully and ethically.

Not respecting people’s legal right to privacy can have serious consequences, as this case demonstrates. Not only might you face a prosecution and fine, along with the attendant publicity, but you may also lose your job and severely damage your future career prospects.”

GCHQ Wants to Better Understand the Chinese Tech “Threat”

The intelligence agency GCHQ wants to better understand the threat situation surrounding Chinese technologies – like Huawei – within infrastructure and how they could impact businesses and society.

In a rare speech, the head of GCHQ, Jeremy Fleming, stated:

“As we made clear last week: the UK has not made a decision about 5G security supply chain rules. GCHQ is at the heart of the policy consideration underway and we already have a role managing Huawei’s presence in our existing networks. We think this is probably the toughest oversight regime in the world. It’s revealed significant problems with their cyber security practice … which have caused them to commit to a multimillion-pound remedial programme. And as I’m sure you will have seen, we’ve been crystal clear that with Huawei we will not compromise on the improvements we expect. But … and it’s an important one … 5G security is about more than just Huawei … that’s what the three pre-conditions for 5G security are all about. The final thing I’ll say here is that China’s place in the era of globalised technology is much bigger than just one telecommunications equipment company … it’s a first order strategic challenge.”

As Britain’s intelligence services grapple to understand the burgeoning Chinese tech threat, businesses are also facing uncertainty about deploying Chinese brands like Huawei within their own organisational critical infrastructure planning.

It’s That Time Again – Microsoft Patch Updates

February has come and gone, and with it a new round of Microsoft patch updates. The serially buggy Windows 10 has a rather love / hate relationship with IT managers – especially IT ecosystems with Windows 10 which was missed whilst legacy Win7 and 8.1 was patched up with a weird unknown patch.

Some argue this is because Microsoft wants to really make sure it hits all the right patch update chords but some argue it could be a hodgepodge repair job.

Computer World articulates:

“There’s a smattering of new bugs introduced by the Patch Tuesday patches, and subsequently fixed by Third Tuesday patches. The most entertaining of the lot is the Internet Explorer backslash bug. Of course, you don’t use IE, but for those who do… February’s Patch Tuesday patches for Win7 and 8.1 contained this weird, acknowledged, bug: After installing this update, Internet Explorer may fail to load images with a backslash (\) in their relative source path. That bug, and several others, were fixed in the Third Tuesday Monthly Rollup preview patches – but those aren’t distributed through normal channels. You have to wait until later in March, when the Monthly Rollup Preview patches will (presumably) be added to the March Monthly Rollups. Got that? A bug in the February security update is fixed by a patch in the next month’s (presumably non-security) monthly rollup.”

To find out more about Microsoft’s patch update cycle and to understand more about the importance of updating patches on Windows systems, Microsoft has a support website that can help you plan and execute patch updates for your business.

Alphabet Launches New Cybersecurity Tool To Help IT Managers ‘Google’ Their IT Systems For Potential Hackers

The new service, entitled Backstory, will help website owners to literally search the inner workings of their website to help identify vulnerabilities caused by hacking-related activities. The Chronicle cyber security business owned by Alphabet will help provide what the company calls internal security telemetry – in short it can search inside your web services and infrastructure for problems.

Chronicle released a press release:

“Backstory is a global cloud service where companies can privately upload, store, and analyze their internal security telemetry to detect and investigate potential cyber threats.

How does it work? Chronicle built a new layer over core Google infrastructure where you can upload your security telemetry, including high-volume data such as DNS traffic, netflow, endpoint logs, proxy logs, etc., so that it can be indexed and automatically analyzed by our analytics engine. Your data remains privateit isnt scanned by or available to anyone for other purposes.

Backstory compares your network activity against a continuous stream of threat intelligence signals, curated from a variety of sources, to detect potential threats instantly. It also continuously compares any new piece of information against your company’s historical activity, to notify you of any historical access to known-bad web domains, malware-infected files, and other threats.”

Whether you are happy about giving Google access to so much of your own unique data is another question entirely. But for companies worried about their own lack of ability to scrutinise and analyse their own organisation’s security data with any meaning, Chronicle’s Backstory could be a useful addition to your cyber-security experience.

Massive Shortage in Cyber-Security “Experts” Could Cost Companies More In The Longer Term

As more and more companies start putting cyber security at the heart of their entire IT management approach, there has been a greater push towards recruiting cyber security practitioners. However, there is one slight issue. There are more cyber security jobs than cyber security professionals. This is a ticking-time-bomb that could hurtle millions of companies towards cyber attack outcomes that could end up costing them hundreds of thousands if not millions.

As the world of business continues to move into the cloud, and embrace the Internet of Things along with “Bring your own Device” rules on employee smartphones, there is a whole load of problems being stored that requires proactive and professional cyber security support to help manage.

CNBC articulates further on this point:

“While hands-on, technical skills are the most sought-after by employers, many schools lack trained teachers or course materials in cybersecurity — depriving students of the opportunity to pick up critical skills required of cybersecurity professionals today. For years, cybersecurity was not a common area of study and there weren’t a lot of programs focused on it, Ricciuto explained. “

In fact, a 2016 survey from Raytheon found that 62 percent of students from 12 countries said that a career in cybersecurity had never been mentioned to them by their career advisor or teachers. A lack of cybersecurity staff can also increase the risk of other employees’ errors — which has long been touted as one of the largest cyber risks for businesses. What we hear from experts is that the human is the weakest link in cybersecurity. Humans are not perfect and they can easily be tricked,” said Cassy Lalan, a spokeswoman for IBM Security. That is, experts say the easiest way for hackers to access a company’s systems is from the inside, through untrained employees.”

Therefore, if you’re looking to hire a practitioner and want to help change your business’s cyber crime culture, you might have to dig deep both financially and culturally to help drive change that could help improve your overall cyber security experience

Until next time …