Draytek Security Notification – DNS Web Interface Attacks

Users of Draytek routers are vulnerable to a zero-day attack unless they update to the latest firmware release, which addresses the security flaw. DrayTek has announced that attackers are exploiting a zero-day vulnerability to change the DNS settings on some of its routers.

Clients using Draytek routers should get in contact to arrange firmware updates on their equipment – clients on our managed IT service contracts have already had these firmware updates applied and need to take no further action.

Further information can be found at www.draytek.co.uk

EU General Data Protection Regulation (GDPR)

An Introduction to the GDPR

The EU General Data Protection Regulation (GDPR) will be enforced from 25 May 2018. It affects all organisations that hold personal data on EU citizens, regardless of where in the world the organisation is based. Implementing a data protection strategy that includes encryption and anti-malware security is vital. GDPR contains a whole range of new rules that companies may need to enact for proper compliance, and there are strict fines for non-compliance: your business may be fined up to 4% of global annual turnover for your previous financial year or €20 million, whichever is the larger amount.

How will GDPR affect my business?

Whether you’re a family bakery storing a list of local delivery addresses, or a multinational selling globally online, the EU’s General Data Protection Regulation almost certainly applies to you.

Loosely speaking, any organisation that holds data about any resident of the EU is expected to comply.

GDPR was adopted as an EU law in April 2016 but takes effect in May 2018. Amongst other things, GDPR deals with the data you collect in the first place, how you tell people what you are going to do with it, what you actually do with it, how you store it securely, whom you allow to access it, and – the part that seems to attract the most interest and attention – what happens if you fail to comply. Falling foul of GDPR means the possibility of a fine, and GDPR fines can go significantly higher than those under most laws that existed around Europe before GDPR came in.

GDPR will standardise data protection across the EU; if you do business in Europe you almost certainly need to comply; the law may seem onerous, but in a world with as many breaches as we have had in recent years, GDPR seems like just the sort of regulation we need; and you can expect to end up in hot water if you don’t comply.

GDPR applies, and will continue to apply, in the UK even post-Brexit, as the current UK government plans to pass legislation that will essentially mirror the EU GDPR.

What do I need to do?

    1. Be aware. It’s not enough for CEOs, IT staff and compliance officers to be aware of what GDPR requires. Employees from the top to the bottom of an organization need to be extensively educated on the regulation’s importance and the role they have to play.
    2. Be accountable. Companies must make an inventory of all personal data they hold and ask the following questions: Why are you holding it? How did you obtain it? Why was it originally gathered? How long will you retain it? How secure is it, both in terms of encryption and accessibility? Do you ever share it with third parties and on what basis might you do so?
    3. Communicate with staff and service users. This is an extension of being aware. Review all current data privacy notices alerting individuals to the collection of their data. Identify gaps between the level of data collection and processing the organization does and how aware customers, staff and service users are.
    4. Protect privacy rights. Review procedures to ensure they cover all the rights individuals have, including how one would delete personal data or provide data electronically.
    5. Review how access rights could change. Review and update procedures and plan how requests within new timescales will be handled.
    6. Understand the legal fine print. Companies should look at the various types of data processing they carry out, identify their legal basis for carrying it out and document it.
    7. Ensure customer consent is ironclad. Companies that use customer consent when recording personal data should review how the consent is sought, obtained and recorded.
    8. Process children’s data carefully. Organisations processing data from minors must ensure clear systems are in place to verify individual ages and gather consent from guardians.
    9. Have a plan to report breaches. Companies must ensure the right procedures are in place to detect, report and investigate a personal data breach. Always assume a breach will happen at some point.
    10. Understand Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organizations to identify potential privacy issues before they arise, and come up with a way to mitigate them.
    11. Hire data protection officers. The important thing is to make sure that someone in the organization or an external data protection advisor takes responsibility for data protection compliance and understands the responsibility from the inside out.
    12. Get educated on the internal organisations managing GDPR. The regulation includes a “one-stop-shop” provision to assist organisations operating in EU member states. Multinational organisations will be entitled to deal with one data protection authority, or Lead Supervisory Authority (LSA) as their single regulating body in the country where they are mainly established.

You can read the full legislation text here (NB: it is a 261-page PDF).

When the chips are down… Intel processor security flaws – what you need to know!

F**CKWIT, aka KAISER, aka KPTI, Meltdown & Spectre – Intel CPU flaw needs low-level OS patches.

A fundamental design flaw in Intel’s processor chips has forced a significant redesign of the Linux and Windows kernels to resolve the chip-level security bug. Similar operating systems, such as Apple’s 64-bit macOS, will also need to be updated – the flaw is in the Intel hardware and the only way to fix it is at the operating system level – or, in the worst case, to be totally sure you can buy a new processor without the design fault.

Microsoft has already released an update which will automatically be applied to Windows 10 machines. For users running any other operating system we recommend you manually check for and apply any pending system updates to ensure you are protected. Antivirus providers are also reacting by releasing software updates to combat any potential risks from the newly discovered flaw.

If you run Sophos (our recommended security software) then you are already protected as updates were released on January 5th. You can read more here – https://community.sophos.com/kb/en-us/128053

Ransomware cyber-attack threat escalating – customer guidance for WannaCrypt attacks.

There has recently been a huge increase in ransomware and cryptolocker attacks. This is rapidly becoming one of the most significant threats to UK organisations.

Friday’s high-profile cyber-attack had affected more than 200,000 victims in 150 countries as of Sunday afternoon, 14/05/17.

If you are running an affected system it is imperative that you apply the latest security patch from Microsoft, as there are reports of a new version of the ransomware already in circulation.

Microsoft has released the following guidance for those that may be affected.

Customers who are running supported versions of the operating system (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016) will have received the security update MS17-010 in March. If customers have automatic updates enabled or have installed the update, they are protected. For other customers, we encourage them to install the update as soon as possible.

For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010. Customers running Windows 10 are not affected by this attack and need take no action.
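As an added illustration of the patch checks recommended above and in the Intel notice (this is not code from this page, from Microsoft or from boxportable), the following PowerShell script reports whether one of the MS17-010 packages is installed on a Windows host and lists any updates Windows Update still considers pending. The KB numbers are an assumption taken from memory of the MS17-010 bulletin and should be verified against it before relying on the result; the script is read-only and installs nothing.

```powershell
# Added example, not from the original page: check a Windows host for MS17-010
# and list pending updates. Run in an elevated Windows PowerShell session.

# ASSUMPTION: KB numbers published for MS17-010 (security-only and monthly
# rollup packages). Verify against Microsoft's bulletin before relying on them.
$Ms17010Kbs = @(
    'KB4012598',               # Windows XP / Vista / Server 2003 / Server 2008 / Windows 8
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)

# Get-WmiObject is used rather than Get-CimInstance so the script also runs on
# the Windows 7-era hosts (PowerShell 2.0) that this bulletin mainly concerns.
$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) (build $($os.BuildNumber))"

# Get-HotFix lists installed updates by KB id; match any of the known packages.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    $found = ($installed | ForEach-Object { $_.HotFixID }) -join ', '
    Write-Host "MS17-010 present: $found"
} else {
    # On Windows 10 a later cumulative update supersedes these KBs and will not
    # match here, so treat this as a prompt to confirm patch level, not as proof of exposure.
    Write-Warning "No MS17-010 package found - confirm the host is patched and apply MS17-010 if not."
}

# Ask the Windows Update agent for anything not yet installed so the host can be brought current.
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates
    if ($pending.Count -eq 0) {
        Write-Host "No pending updates reported by Windows Update."
    } else {
        Write-Host "$($pending.Count) pending update(s):"
        foreach ($u in $pending) {
            $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Write-Host "  [$kbs] $($u.Title)"
        }
    }
} catch {
    Write-Warning "Windows Update query failed: $($_.Exception.Message)"
}
```

The pending-update list is the same one Windows Update would offer interactively, so an empty list on a host that also shows an MS17-010 KB is the state the guidance above describes as protected.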


Three easy things you can do to protect yourself online:

1, Install security patches – keeping your operating system up to date with the latest security hot-fixes and patches is one of the most effective ways to stay safe online. Automatic updates are enabled by default on the latest Microsoft operating systems.

2, Don’t open unexpected attachments – if you don’t expect to receive an attachment, don’t open it. Also, do not click on links within an email; if you are unsure, type the website address manually into your web browser instead.

3, Update to the latest operating system – running older operating systems such as Windows XP means you are more vulnerable to these sorts of attacks. Upgrade where possible to the latest operating system for the most secure experience.

As a silver Sophos partner we have the expertise and experience to plan, deploy and manage your security solution. To find out how boxportable can help secure your business contact us today or to find out more about our recommended security solutions click here.