CISA and NSA Publish BMC Hardening Guidelines

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released joint guidance on hardening Baseboard Management Controllers (BMCs).

Published on Wednesday, the document aims to address the overlooked vulnerabilities in BMCs, which can serve as potential entry points for malicious actors seeking to compromise critical infrastructure systems.


For context, BMCs are essential components embedded in computer hardware that facilitate remote management and control. They operate independently of the operating system and firmware, ensuring seamless control even when the system is powered down. 

However, their high privilege level and network accessibility make these devices attractive targets for malicious actors.

The joint guidance emphasizes the importance of taking proactive measures to secure and maintain BMCs effectively, adding that many organizations fail to implement even minimum security practices.

These shortcomings could result in BMCs being used by threat actors as entry points for various cyber-attacks, such as turning off security solutions, manipulating data or propagating malicious instructions across the network infrastructure.

To address these concerns, CISA and NSA recommend several key actions. These include protecting BMC credentials, enforcing VLAN separation, hardening configurations and performing routine BMC update checks.

Further, the agencies said organizations should also monitor BMC integrity, move sensitive workloads to hardened devices, use firmware scanning tools periodically and treat unused BMCs as potential security risks.
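As an added illustration, not part of the CISA/NSA guidance or of this article, the following Python script turns several of the recommendations above (protected credentials, VLAN separation, routine update checks, treating unused BMCs as a risk) into an inventory audit a defender could run against their own asset records. The inventory entries, the management VLAN number, the minimum firmware release and the idle threshold are all constructed for the example and would be replaced by an organisation's own values.

```python
"""Audit a BMC inventory against the hardening actions recommended by CISA/NSA.

Added example, not CISA/NSA code. All inventory records and policy values
below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class BmcRecord:
    host: str
    ip: str
    vlan: int
    firmware: str                 # vendor firmware version string, e.g. "2.81"
    default_creds: bool           # True if factory credentials are still in place
    last_used: date               # last time this BMC was used for management
    remote_services: list[str] = field(default_factory=list)


# Policy values (assumptions for this example; set them from your own standard).
MGMT_VLAN = 900                      # dedicated, isolated BMC management VLAN
MIN_FIRMWARE = (2, 80)               # minimum approved firmware release
UNUSED_AFTER_DAYS = 180              # idle BMCs older than this are flagged
RISKY_SERVICES = {"ipmi-lan", "telnet", "http"}   # legacy / plaintext services


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version string into a comparable tuple of integers.

    Naive on purpose: it assumes purely numeric dotted versions such as "2.81".
    """
    return tuple(int(part) for part in version.split("."))


def audit(bmc: BmcRecord, today: date) -> list[str]:
    """Return the list of findings for one BMC, empty if it passes every check."""
    findings: list[str] = []
    if bmc.default_creds:                            # protect BMC credentials
        findings.append("default-credentials")
    if bmc.vlan != MGMT_VLAN:                        # enforce VLAN separation
        findings.append(f"off-management-vlan:{bmc.vlan}")
    if parse_version(bmc.firmware) < MIN_FIRMWARE:   # routine update checks
        findings.append(f"outdated-firmware:{bmc.firmware}")
    risky = sorted(set(bmc.remote_services) & RISKY_SERVICES)
    if risky:                                        # harden configurations
        findings.append("insecure-services:" + ",".join(risky))
    if (today - bmc.last_used).days > UNUSED_AFTER_DAYS:   # unused BMCs are a risk
        findings.append("unused-bmc")
    return findings


def audit_inventory(inventory: list[BmcRecord], today: date) -> dict[str, list[str]]:
    """Audit every BMC and map hostname -> findings."""
    return {bmc.host: audit(bmc, today) for bmc in inventory}


# Constructed sample inventory and audit date.
AUDIT_DATE = date(2023, 7, 14)
INVENTORY = [
    BmcRecord("db01", "10.9.0.11", 900, "2.81", False, date(2023, 7, 1), ["redfish"]),
    BmcRecord("web03", "10.1.4.23", 10, "2.30", True, date(2023, 6, 20), ["ipmi-lan", "redfish"]),
    BmcRecord("lab-old", "10.9.0.77", 900, "2.81", False, date(2022, 11, 1), []),
]

if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, AUDIT_DATE).items():
        status = "OK" if not findings else "FINDINGS: " + "; ".join(findings)
        print(f"{host:10s} {status}")
```

Each finding maps back to one of the recommended actions, so the output doubles as a remediation list: `web03` needs its factory credentials rotated, moving onto the management VLAN, a firmware update and IPMI-over-LAN disabled, while `lab-old` is a candidate for decommissioning or at least network isolation. Where the inventory is exported from a CMDB or from vendor tooling, only the `BmcRecord` construction needs to change.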


Sussex PCC denies CCTV could be switched off

The Sussex Police & Crime Commissioner has denied the county’s CCTV could be switched off from April.

Katy Bourne was questioned during a meeting of the Police & Crime Panel about problems with the renewal of a contract with service provider BT.

According to a police spokesman, BT has only offered a one-year fixed price contract rather than the three-year contract which had been expected.

Ms Bourne said an inspector was working on the issue full-time and that “nobody’s going to get switched off”.

The meeting also heard a “significant price increase” was forecast on the £250,000 per year already being paid, due to upgrades being made to the circuit technology.

Ms Bourne said: “The contract is BT’s. If they decide they don’t want to renew, they don’t have to renew – we can’t force them.

“They’ve agreed a price. It’s their price and we can’t afford it, effectively.

“My understanding, having spoken with the team in Sussex Police, is that nobody’s going to get switched off, so let’s just allay that concern.”


Ransomware Attacks Are on the Rise, Again

Ransomware attacks tumbled in 2022, offering hope that the tide was turning against the criminal gangs behind them. Then things got a whole lot worse.

Amid a concerted effort by global law enforcement to crack down on ransomware attacks, payments to hackers and even the volume of attacks fell in 2022. But the trend doesn’t seem to be holding for 2023, and attacks have shot up again.

Data from cryptocurrency tracing firm Chainalysis indicates that victims have paid ransomware groups $449.1 million in the first six months of this year. For all of 2022, that number didn’t even reach $500 million. If this year’s pace of payments continues, according to the company’s data, the total figure for 2023 could hit $898.6 million. This would make 2023 the second biggest year for ransomware revenue after 2021, in which Chainalysis calculates that attackers extorted $939.9 million from victims.

The findings track with general observations from other researchers that the volume of attacks has spiked this year. And they come as ransomware groups have become more aggressive and reckless about publishing sensitive and potentially damaging stolen information. In a recent attack against the University of Manchester, hackers directly emailed the UK university’s students telling them that seven terabytes of data had been stolen and threatening to publish “personal information and research” if the university didn’t pay up.

“We think as a result of their budgetary shortfalls in 2022 we’ve seen these more extreme extortion techniques, ways to kind of twist the knife,” says Jackie Burns Koven, head of cyber threat intelligence at Chainalysis. “In 2022 we were very surprised to find that decline. Then we talked to external partners—incident response firms, insurance companies—and they all said, yeah, we’re paying less, and we’re also seeing fewer attacks.”


EchoPoint distributed acoustic sensors introduced for intrusion detection

FIBER SENSYS, itself part of the OPTEX Group, has launched EchoPoint distributed acoustic sensors for advanced intrusion detection across even the highest-level security sites.

Dubbed the latest evolution in fiber optic sensing technology, the new EchoPoint sensors make use of intelligent detection algorithms to provide point detection of +/- 6 metres in a range of up to 100 km. This highly accurate and reliable detection renders the sensors ideal for larger perimeters and high security sites, such as airports, logistics centres, railway networks and critical infrastructure, and to protect data conduits and pipelines, where being able to locate and identify the precise point of intrusion is critical.

Thanks to their highly advanced pattern-recognition classification algorithm, the sensors are able to distinguish between common causes of false and nuisance alarms, such as wildlife and environmental conditions, and genuine intrusion attempts. The system is also immune to electromagnetic interference, radio frequency interference and lightning.

The flexibility and versatility of the EchoPoint sensors is such that they can be operated across multiple applications and installed on fences, buried or commissioned in a hybrid layout. When mounted on a fence, the sensors can identify someone cutting the fence or attempting to climb it. When buried, the system can differentiate between footsteps, manual and machine digging and vehicle movements.

To meet the individual needs of every site, the EchoPoint sensors feature intelligent software zoning, which means different detection zones can be configured. End users can independently adjust the sensitivity and output within each zone, helping to provide maximum capture rates and minimise nuisance alarms.


Rethinking Access Control for Today’s Flexible Workplace

OVER THE years, approaches designed to support employee well-being have evolved. Delivering job satisfaction, mental health support and flexible and hybrid working are just some of the measures adopted, but what about ensuring people feel safe and protected? Workers feeling vulnerable poses a significant risk to employee well-being, as Michel Roig discovers.

While security has always been a priority, one of the most recent approaches to facilitating employee well-being – flexible and hybrid working (or ‘Working from Anywhere’) – might have created new risks.

Despite most pandemic restrictions having now been lifted, it appears that ‘Working from Anywhere’ is here to stay. Surveys of UK employees have revealed that the proportion of ‘Working from Anywhere’ employees almost doubled between February and May of this year.

It’s easy to see why. Offering ‘Working from Anywhere’ as part of the job remit is now a significant factor in attracting candidates and retaining employees. Signs are emerging that it’s also the key to enhanced productivity.

However, ‘Working from Anywhere’ means that employers have to secure digital estates wherever and whenever employees are working. This represents a significant challenge as companies have to respond to increased digital threats and apply enterprise security for domestic settings.

There are also challenges in physical access that are worrying workers. Even before the pandemic, findings from the Society of Human Resource Management revealed that roughly one-in-seven Americans, for example, don’t feel safe in the workplace.

In essence, the scale of the challenge requires companies to critique their own current security solutions and consider carefully whether the existing regime provides a smart and secure workplace that supports employee well-being.


Sensors reduce student vaping, Kidderminster school says

A headteacher says sensors have reduced the number of students vaping.

Matthew Carpenter, from Baxter College, Kidderminster, had the sensors and also CCTV installed to tackle the use of e-cigarettes.

It comes as a group of students there admitted addiction to vaping.

The tech, Mr Carpenter said, had been used to “pinpoint” when and where the activity was happening to help lessen impacts on both students and the school environment.

The school had spent £4,000 installing CCTV outside plus sensors in toilet blocks, having seen an increase, it said, in the number of students asking to go to the toilet during lessons.

“We’ve got a CCTV camera outside so we can just use the timestamps to work out when it was happening,” Mr Carpenter explained.

“What the sensors allow us to do is really accurately pinpoint when students have been vaping.”

E-cigarettes have helped many thousands of people stop smoking by removing the dangerous and toxic tobacco smoke from their habit, giving a huge health boost.

But the e-cigarette vapour which is inhaled can still contain small amounts of chemicals, including nicotine.

Mr Carpenter said students who had not smoked previously had taken up vaping as a “lifestyle choice” and he was concerned it would lead them to smoke traditional cigarettes and a nicotine addiction.

Trading Standards says one in three vaping products may fall short of regulations monitoring nicotine limits.

It is illegal to sell e-cigarettes and liquid to under-18s.


Nick Ross elected president of the British Security Industry Association

THE BRITISH Security Industry Association (BSIA) has elected popular broadcaster and campaigner Nick Ross CBE to serve as the Trade Association’s new president. Ross replaces Sir Keith Povey QPM, who retires as BSIA president after 14 years in the role.

Ross assumed the post of president on Wednesday 19 April at the Trade Association’s Annual General Meeting in London. Going forward, his primary goal will be to continue the work focused on developing the relationship between the police service and the private security industry.

Starting out as a junior reporter while still at university, Ross covered the troubles in Northern Ireland for the BBC and then moved on to host programmes including Radio 4’s The World at One, PM and The World Tonight.

He became a TV reporter, documentary director and political correspondent and chaired live debates, but was perhaps best known for the crime appeals programme Crimewatch, which he presented for over two decades.

Ross conceived the new discipline of ‘crime science’, which focuses on practical, multidisciplinary and outcomes-focused approaches to crime reduction. He also founded the Jill Dando Institute at UCL, which has since grown into one of the largest academic crime prevention departments in the world.

‘Failure to prevent fraud’ offence brought forward by Home Office

THE NEW ‘failure to prevent fraud’ offence proposed by the Home Office will make it easier to prosecute a large organisation if an employee commits fraud for that organisation’s benefit. If an act of fraud is committed by an employee of an organisation, that organisation must be able to demonstrate it had reasonable measures in place to deter the offending or otherwise risk receiving an unlimited fine.

The proposed legislation, to be introduced through the Economic Crime and Corporate Transparency Bill, encourages businesses to do more to deter offending, which will help in the bid to cut crime and protect consumers, investors, other businesses and the taxpayer from fraudulent practices.

The Home Office has tabled an amendment to introduce the failure to prevent fraud offence, which is actively supported by the Serious Fraud Office and the Crown Prosecution Service (CPS).

Security Minister Tom Tugendhat observed: “We are determined to crack down on unscrupulous companies that seek to defraud their customers. Our new ‘failure to prevent fraud’ offence will protect consumers from dishonest and misleading sales practices, and also level the playing field for the majority of businesses that behave responsibly.”

Further, Tugendhat noted: “This Government is committed to fighting economic crime, as demonstrated by our recently launched Economic Crime Plan 2, which sets out how we will give law enforcement more state-of-the-art resources to tackle high-level offending.”


Linx International Group acquired by Mitie in £1.2 million deal

MITIE HAS moved to further develop its security intelligence offer with the acquisition of the Linx International Group – itself a highly respected risk management consulting business, which also provides technical and management training to the security industry – in a £1.2 million deal.

The acquisition is on a debt-free, cash-free basis. For the 12 months ending in December 2022, the Linx International Group generated revenues of £2.5 million and a profit before tax of £0.2 million. The business lists gross assets of £3.6 million.

Underpinned by over 35 years’ experience of delivering unrivalled security consultancy and training services, the Linx International Group is formed of three service lines, which will now form part of the Mitie Security offer.

Linx Consulting provides a range of specialist security, risk management and investigative services to international clients. These include security risk assessments, security design, fraud and commercial malpractice investigations, contingency planning and crisis management.

The consulting team works with clients in all sectors and of all sizes and is retained as a specialist advisor by several household names in the fast-moving consumer goods, electronics and pharmaceutical sectors.

PerpetuityARC provides extensive security management training, covering everything from security risk assessments to kidnap and ransom management. It was also the first private company to offer a Master’s degree in International Security and Risk Management, which is delivered in partnership with the University of West London. Further, PerpetuityARC is the exclusive education partner for The Security Institute.

Tavcom provides award-winning technical security skills training, offering over 100 technical training courses for installers, operators, managers and designers of security systems. These courses cover a range of disciplines such as system design, installation and maintenance for video surveillance systems, fire alarms and access control solutions.

Tavcom also manages the Certified Technical Security Professionals Register for electronic security and fire systems practitioners.


Government plan puts UK at forefront of fight against economic crime

AGREEMENT HAS been reached on a new plan designed to crack down on money laundering, kleptocracy and sanctions evasion. The Economic Crime Plan 2 builds on the foundations of its predecessor with new actions to improve the system-wide response to economic crime through enhanced co-operation between Government, law enforcement, supervisory agencies and the private sector.

The response to economic crime will be bolstered by 475 new and highly trained financial crime investigators, spread across intelligence, enforcement and asset recovery at key agencies. This increased capacity will be targeted toward the detection and disruption of money laundering and the recovery of an additional £1 billion in criminal assets across the next decade.

Building on the Government’s “unprecedented package” of sanctions in response to Russia’s invasion of Ukraine, the National Crime Agency’s Combating Kleptocracy Cell will be expanded to target more corrupt elites and their enablers, while consolidating the effectiveness of UK sanctions.

As criminals seek new ways in which to launder their profits, the Government is investing £100 million in cutting-edge technology, including data analytics, to equip law enforcement with the tools they need to stay one step ahead.

A new multi-agency Crypto Cell will be established that combines law enforcement and regulators to pool expertise and more effectively identify, seize and store illicit crypto assets.
