“SEXTORTION” – I Have Been Hacked!

Imagine my surprise when I received an email in my Inbox containing my password in the Subject line – “Your Password is xxxxxxxxx”!

The email goes on to say that you have been watching Porn, that they have filmed you, that they have all your contacts & that they will distribute it if you don’t pay a Bitcoin Ransom. Luckily I don’t have a penchant for pornography & never visit dodgy sites on any of my devices, so I immediately recognised the Scam & reported it to Action Fraud.

I was still left with a sick feeling in my stomach at the intrusion, the nature of the email & more importantly that somebody had stolen one of my passwords. On consideration, the email & password combination had only ever existed on a Google Account that I had since changed many times.

A few weeks ago I made a LinkedIn Post on the importance of password selection – number & type of characters etc. This, however, has led me to focus on something that was lacking from that post – the number of Passwords you have, how much they vary & how often you change them. My password was stolen some time ago but has only just been used, so you may have to assume that all of your passwords have been stolen unless you really know otherwise. To mitigate this I would suggest –

• Have multiple but varying Passwords

• Change your Passwords frequently

• Use 2 Step or Multi-Factor Authentication

Remember, if you only have a one-Password-fits-all policy – they will steal it from the weakest account & use it to access all of your accounts!
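As an added illustration (not part of the original post), a small Python mail-filter check for the pattern described above, plus a check of whether the password quoted in the Subject line still matches any current credential in a hypothetical local vault; the email text, the Bitcoin address and the vault entries are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample modelled on the scam the post describes (password in the
# Subject line, webcam claim, Bitcoin demand). Not a real message or address.
SAMPLE_EMAIL = """Subject: Your Password is hunter2
I know hunter2 is your password. My webcam software recorded you on an adult site.
I have all your contacts. Pay 0.5 Bitcoin to 1ConstructedAddressForDemoxyz123456
within 48 hours or the video goes to everyone."""

# Phrases typical of this scam family; each hit adds to the score.
INDICATORS = {
    "webcam_claim": r"\b(webcam|recorded you)\b",
    "adult_site_claim": r"\b(porn|adult (site|website))\b",
    "contacts_threat": r"\byour contacts\b",
    "ransom_demand": r"\b(bitcoin|btc)\b",
    "deadline": r"\b\d+\s*(hours|days)\b",
}
PASSWORD_SUBJECT = re.compile(r"^Subject:\s*Your Password is\s+(\S+)", re.I | re.M)
BTC_ADDRESS = re.compile(r"\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

def analyse(message: str) -> dict:
    """Score a message for sextortion indicators and pull out the claimed password."""
    lowered = message.lower()
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, lowered)]
    m = PASSWORD_SUBJECT.search(message)
    claimed = m.group(1) if m else None
    if claimed:
        hits.append("password_in_subject")
    if BTC_ADDRESS.search(message):
        hits.append("btc_address")
    return {"claimed_password": claimed, "indicators": hits,
            "verdict": "sextortion" if len(hits) >= 4 else "unclear"}

def _pbkdf2(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

# Hypothetical local record of current passwords, stored only as salted hashes.
SALT = b"constructed-salt"  # use a distinct random salt per entry in real use
CURRENT_HASHES = {
    "google": (SALT, _pbkdf2("correct-horse-battery", SALT)),  # rotated since the breach
    "legacy-forum": (SALT, _pbkdf2("hunter2", SALT)),          # still reused here
}

def password_still_in_use(claimed: str, records: dict) -> list:
    """Return the accounts whose current password matches the claimed (leaked) one."""
    return [acct for acct, (salt, digest) in records.items()
            if hmac.compare_digest(_pbkdf2(claimed, salt), digest)]
```

Any account returned by `password_still_in_use` is the one to rotate first; an empty list is the situation the post describes, where the leaked password had already been changed.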

Controversial, but… if you have so many complex Passwords that you feel you have to write them on a piece of paper & store it safely, what is the chance someone will break into your house or office looking for Passwords, or steal your purse/wallet in order to obtain Passwords rather than Cash or Credit Cards? Just don’t keep the two together. Besides, Passwords can be changed quicker than you can cancel Credit Cards & we wouldn’t be without them. I am a systems rather than an IT Tech person, so seek out good advice….

Stay Safe People

Full Article on This Scam

Don’t Pay The Cost of Data Loss….

Key to Carphone Warehouse being fined £400,000 for placing customer and employee data at risk was the inability to demonstrate Due Diligence –

“The law says it is the company’s responsibility to protect customer and employee personal information. There will always be attempts to breach organisations’ systems and cyber-attacks are becoming more frequent as adversaries become more determined. But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees.” – Information Commissioner’s Office

Use the guidance of ISO 27001 to appraise your company & use subsequent Certification to demonstrate your Due Diligence

The European Union’s General Data Protection Regulation (GDPR) is a new law which will apply in the UK from 25 May 2018 & outlines further responsibilities & liabilities for handling information.

Don’t leave yourself vulnerable – HELP & GUIDANCE

So What Is ISO 9001, ISO 27001, 14001 etc?

The International Organization for Standardization (ISO) is an international standard-setting body composed of representatives from various national standards organizations.

Founded on 23 February 1947, the organization promotes worldwide proprietary, industrial and commercial standards. It is headquartered in Geneva, Switzerland and as of 2013 worked in 164 countries.

There is only one National Standards Body recognised from each country and they in turn must be recognised by their Government. UKAS is the only ISO recognised Body in the UK.

The United Kingdom Accreditation Service (UKAS) is the national accreditation body for the United Kingdom, appointed by government, to assess organizations that provide certification, testing, inspection and calibration services. There are many UKAS Approved ISO Certification Bodies, the most commonly recognized being BSI & Lloyds, but there is a full list on the UKAS website.

Gaining UKAS Certification to an ISO Standard demonstrates that a company or organization has achieved and operates to a certain standard, and has been verified by an independent & recognized body. Ongoing audits by the Certification Body evidence that they consistently meet these standards.

ISO 9001 is the internationally recognized Quality Standard. It defines the elements of organization required by a company to systematically deliver quality products, services or advice.

ISO 9001 Certification is verification that you systematically deliver quality services or products. It is a benchmark for potential customers & helps you review and fine tune your own operations ongoing.

ISO 27001 is the internationally recognized Information Security Management Standard. It defines the elements of control required by a company to protect all information it holds.

In an ever increasing age of security awareness & media exposure of careless information handling, the protection of data is critical. Sectors such as finance, health, public and IT have become particularly sensitive. Hence, certification to the standard is increasingly winning both confidence & new contracts.

ISO 14001 is the internationally recognized Environmental Standard. It defines the elements of organization required by a company to control the impact of their activities, products or services on the environment.

ISO 14001 Certification demonstrates to an increasingly aware public & business community a commitment to minimize your impact on their environment. It gives customers confidence that their environmental credentials & good names won’t be tarnished by their suppliers’ operations.

In general companies & organisations that can demonstrate their operational standards are UKAS certified, gain more confidence in the Market Place.

ISO 9001 & ISO 27001 in 60 Days – UKAS!

Our first 2 clients operating in the Banking & Software Sectors engaging our fast track – UKAS ISO 9001 & ISO 27001 Certification in 60 Days, completed this week –

Redline Application Services:

Provides software and services to lenders to support the full end to end credit lifecycle from origination, through scoring, decision making, document production or e-signing, into account management and on to debt collection.

http://www.redlineapplicationservices.com

Reference for our Fast-Track Process can be obtained from Steve Toms (Managing Director) @ stevetoms@redlineapplicationservices.com

Bonafidee:

Specialises in real time, anti-fraud technology solutions which can be accessed instantly via the web or provided as an integrated solution.

http://www.bonafidee.com

Reference for our Fast-Track Process can be obtained from Francis Lang (Head of Development) @ francislang@redlineapplicationservices.com

Part of a small group, both companies proceeded simultaneously, which enabled us to fully utilise consultancy days & minimise costs. The full process from initial visit on 29th October, until conclusion of successful Assessment by a UKAS Approved Certification Body on 15th December took 49 days.

Proceeding at such pace took full commitment & dedication by Senior Personnel & wouldn’t have had the positive outcome otherwise. Without that commitment we wouldn’t advise such pace….

grant@qmuk.co.uk

Cyber Essentials or ISO 27001?

The official announcement is:

“From 1 October 2014, government requires all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme.”

In reality this is primarily for Central Government suppliers, e.g. Dept Health, Transport, Education, Defence, etc, but the unofficial word is that this will be rolled out to local government, e.g. councils, hospitals, police, etc, over the next few years.

Cyber Essentials covers 5 main areas of vulnerability:

1. Boundary Firewalls and internet Gateways

2. Secure Configuration

3. Access Control

4. Malware Protection

5. Patch Management

These correspond to the types of controls found in the ISO 27001 Statement of Applicability (SOA):

A.13.1 Network Security Management

A.12.1 Operational Procedures and Responsibilities

A.9.2 User Access Management

A.12.2 Protection from Malware

A.12.6 Technical Vulnerability Management

Therefore organisations with ISO 27001 are part way there already. The main difference is that Cyber Essentials is prescriptive and not optional: there is no opt-out for any of the questions in Cyber Essentials, and the requirement for control by the 34 questions is much tighter. For example, all software must be licensed and supported – so any PCs that still use Windows XP cannot be included in the scope and would need updating/replacing (this is just one example).

The issues facing the take-up of the standard are:

• Lack of awareness of the Standard

• Lack of trained practitioners (only 100 or so in the UK)

• The trained Practitioners may not be IT savvy enough to implement effectively

• Big headache for large business due to a lack of automated roll-out tools to cope with the prescriptive requirements for each device within scope, causing resistance to implementation

• Implementation systems/methodology are new and not as efficient as they need to be yet, due to the learning curve

We do however now have one of our ISO 27001 Consultants fully trained & qualified as a Cyber Essentials Practitioner.

ISO 27001 will continue to be the most recognised & accepted Information Security Standard. However if you do deal in or wish to enter the Gov & Public Sector arena, we would advise you start looking at this.

ISO 27001 in 60 Days – UKAS

ISO 27001 is the internationally recognized Information Security Management Standard. It defines the elements of control required by a company to protect all information it holds.

In an ever increasing age of security awareness & media exposure of careless information handling, the protection of data is critical. Sectors such as finance, health, public and IT have become particularly sensitive. Hence, certification to the standard is increasingly winning both confidence & new contracts.

Our service follows a structured process, but can be adapted to meet individual requirements. Providing you fully accept our guidance we GUARANTEE Certification. Our comprehensive process, delivered by a dedicated consultant, includes but is not restricted to:

• Initial meeting to instruct on identifying Information Assets, conducting a full Risk Assessment & completing a Statement of Applicability – all documents provided

• Full online & telephone support to progress these documents

• Produce bespoke documented System Manual & Policy Templates

• Next meeting to explain remaining elements of System Implementation

• Full online support to complete documents & fully implement System

• Visit/Pre-UKAS Audit of your system & operations

• Visit/Remedial Action Support/UKAS Preparation

• Visit/Representation & Support during UKAS Assessment

For an SME you will need to appoint an Information Security Representative to liaise with & be trained by us. This will take 12-20 days of their time, dependent on their background.

Fixed Cost £4,300 QM.UK + £1,130 UKAS Cert Fees = £5,430 Total

Note: Most consultancies don’t quote UKAS Fees or their attendance to support – this is normally an unexpected “add-on”, raising costs by about 60%.

These costs cover up to around 30 employees operating out of one location – for a full quote regardless of business size, just use the form or give us a ring – ENQUIRIES

For pre-Xmas Delivery, orders must be placed before 20th October 2015 🙂