"A government crackdown on British MSPs' security practices is drawing ever closer"
What have the Manic Street Preachers done to deserve that?
A government crackdown on British MSPs' security practices is drawing ever closer after the Department for Digital, Culture, Media and Sport (DCMS) floated plans to make Cyber Assessment Framework compliance mandatory. Digital Minister Julia Lopez said in a canned statement: "We are taking the next steps in our mission to help …
"difficult to obtain the necessary cyber security assurance from providers who are reluctant to provide information on their cyber security measures or standards they adhere to"
erm... if they claim to support cyber security then surely they should be able to say (and show) whose standards they are working to.
If I set myself up as 'Harry's Burglar Alarms' then I should be expected to show I'm a member of the Burglar Alarms Trade Guild and that my team are trained to BATG and relevant BS standards, otherwise trade will go elsewhere
Cyber Essentials Plus includes a vulnerability assessment which only cares about High or Critical rated vulnerabilities and the targets scanned only have to include those where end users log into them interactively. So you can have an unpatched domain controller which results in the next big WannaCry-style incident and still be certified as compliant by your assessor. Or even worse, you can patch your stuff but use HTTP with plain authentication or have a PPTP VPN without PEAP to secure the authentication packets and be fine for both self assessment and verification! Heck, feel free to NOT use full disk encryption while you’re at it!
But if you dare to have Windows Insider Preview on any of your computers you will fail, as it doesn’t meet the criteria of being supported by the software vendor, preventing IT from getting clued up about what’s around the corner in a meaningful way.
.....along the lines of "LOOK....WE ARE DOING SOMETHING!!!"
So called "certification" won't stop things like the Equifax hack....or the SolarWinds farrago....or the torrent of ransomware incidents......or government actions to export medical records (see below).
On the same misinformation trail is the ongoing joke called GDPR......"LOOK.....YOUR PERSONAL INFORMATION IS SAFE!!!"
Sad to say, but Scott McNealy got it absolutely right (in 1999): https://www.wired.com/1999/01/sun-on-privacy-get-over-it/
And today the UK government is in bed with people like Peter Thiel: https://www.bloomberg.com/features/2018-palantir-peter-thiel/
Quote: "We are taking the next steps in our mission to help firms strengthen their cyber security and encouraging firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses' digital footprint and protect their sensitive data."
.....and at the same time the government is planning to turn over 60 million individual UK medical records to someone like Peter Thiel!!! Talk about facing both ways at once!! Does the word "hypocrisy" come to mind???
when a Cabinet Minister stood up in the House of Commons and announced that all government departments would be certified to BS7799 / ISO 17799 / ISO 27001.
Then I went to HMRC and discovered that they had 24 (twenty-four) 'key' systems, and they wanted to know how to get ISO certification for them all. Then the Chancellor announced that HMRC would not, in fact, become 'certified'.
Hello, Good Intentions, can I introduce you to Reality?
I am so pleased that the government, that is clearly world-leading in the arena of setting computer standards, and consummate at delivering computer systems that are on-time, on-budget and hugely successful, is going to create mandatory frameworks that we will all have to use and pay for - NOT!
If they go down this route there is a genuine risk that, after you've paid all the various ministers' mates' companies for your audits, certifications, mandatory training and so on, there won't be any money left in the budget to pay for any actual security.
"the consultants who are writing it."
Pirates the lot of them - us lot.
Cyber Essentials is quite a decent standard, short and to the point and relatively easy to understand. It is self-cert though but if you claim it and crap out then you will have real snags in a court. CE+ is again quite easy to follow but needs a bit more discipline and is externally evaluated.
CE is a great first start to aim for now with CE+ about two to five years later for any org of any size.
If you own a (UK) business, please get CE accredited and mean it (a bit). It's not hard and doesn't cost the earth.
> "appears to mean MSPs and other cloud service providers will have to comply with the NCSC-backed Cyber Assessment Framework (CAF)".
I did find a link to a "Cyber Essentials Requirements for IT Infrastructure" PDF document and a 3rd party IASME Cyber Essentials Self-Assessment Preparation Booklet. From looking at that preparation booklet some of the questions don't seem to relate well to the Linux world, e.g. regarding their questions around updates/auto-updates of applications I'm not sure what they'd make of answers like "the applications run as read-only docker containers so a new version of the container is built using a newer version of the application, the old container is stopped and the new one is started".
CE+ is an absolute joke.
It's squarely aimed at Small Enterprise where the 'Security Team' is also the tea maker.
Working for a reasonably sized endeavour, where we have separate Networks and Platforms Teams, we *really* don't need it explaining to us that our "BT Home Hub is a router".
Additionally, the definition of 'supported software' used is complete bollocks, as apparently RHEL6 is unsupported, even if you can provide evidence that you have bought the Extended support package!
Load of old Crap