Bulletproof Cyber & Compliance Newsletter (July 2024)
Bulletproof (Cyber Security)
This edition we're talking about original research from our pen test/red team, the future of data protection in the UK, what to do if Cyber Essentials isn't enough - oh, and some big news about Bulletproof.
So dive right in!
NOTES FROM THE MD
Bulletproof joins the GRC group!
"I’m genuinely excited to tell you that, as you may have already seen, Bulletproof has been acquired and is now a part of the GRC group. You can read the Press Release here, but on a personal note I’m incredibly proud of everything we've accomplished together at Bulletproof (and that includes US entity Target Defense). I’m also excited about the new world of possibilities that open up to us as we move forward as part of the wider GRC group. There’s lots to look forward to: new services, territories and opportunities, and I’m equally enthusiastic for what stays the same: it’s the same great teams of people delivering our services, the same smart management, and the same relentless customer focus.
Outside of talking about ourselves, the big news of recent weeks is the Polyfill.io security flaws. Malware got into Polyfill's code libraries – which are used by over 100,000 websites – and in turn potentially affected those websites’ users.
A business’ modern digital supply chain is something that’s deeply complex, with myriad interwoven dependencies that are often poorly understood. Fixing supply chain security isn’t easy, but, as the news keeps reminding us, is increasingly important.
My recommendations for staying ahead of this cyber threat are always the same: make security a part of the fabric of your operations. Don’t try to ‘do security’ – do business securely.
As a starter for ten, get ISO 27001 under your belt, and don’t try to short-cut it. It’s there to help you. Give it the respect it deserves, and in turn it can really help you increase your security maturity. It doesn’t have to be a slog either, as I wrote about a few weeks ago in this blog that outlines a good tip for making it easy."
Nicky Whiting
Managing Director
Looking for more? Read blogs by Nicky or follow her on LinkedIn.
NEW RESOURCE
The DPDI is dead... what next for UK data protection?
“It’s time to stop waiting and watching, and time to start doing the data protection essentials.”
The recent election has stalled the proposed legislation to replace UK GDPR with a new regulation (called the DPDI). It’s now extremely unlikely that the DPDI, in anything like its current form, will be resurrected by the new Government.
For business, this means just one clear thing: GDPR is still the king, and the data protection landscape isn’t changing any time soon. We asked our Data Protection Manager, Richard Bradley, about what this means for organisations who are trying to take an expedient approach to their data protection obligations. Read what he had to say over on LinkedIn. Of course, if you need a helping hand with data protection, take a look at our outsourced DPO service.
TECHNICAL SHOWCASE
Obfuscating Linux Symbols
As one of the biggest UK providers of penetration testing and red teaming, our technical teams stay at the cutting edge of security research. Over the past few months we’ve been publishing their advanced security research in a series of ‘Tech Talk’ articles on our blog. Aimed at more technical readers, these articles dive headfirst into the weeds of security vulnerabilities. Our most recent one describes a novel approach to evading static malware analysis on Linux.
CYBER ESSENTIALS IS 10!
A decade of success
Back in 2014, the National Cyber Security Centre launched the Cyber Essentials scheme. A decade later, it has become the go-to standard for businesses needing a first step in security, and for the ability to bid for public-sector contracts.
We’re big supporters of the Cyber Essentials scheme, and if your org is considering getting (or renewing) Cyber Essentials, head over to our website and take a look at our packages.
NEW RESOURCE
Going beyond CE for critical operations
“It’s crucial to remember that Cyber Essentials is your start line, not your finish line”
Continuing the Cyber Essentials theme, we take a look at the other side of the coin. Organisations dealing with critical infrastructure or processing highly sensitive data sometimes need additional safeguards beyond CE in order to manage their significant risks.
NEWS ROUNDUP
Meta training AI with UK users' posts
"In order to get the most out of generative AI and the opportunities it brings, it is crucial that the public can trust that their privacy rights will be respected from the outset."
Meta were all set to start automatically training their AI on users’ Facebook and Instagram posts. Thanks to a backlash from users and privacy advocates, they’re re-thinking this in the EU, having put their plan on hold. Stephen Almond, of the UK Information Commissioner’s Office (ICO), said:
“We are pleased that Meta has reflected on the concerns we shared from users of their service in the UK, and responded to our request to pause and review plans to use Facebook and Instagram user data to train generative AI. We will continue to monitor major developers of generative AI, including Meta, to review the safeguards they have put in place and ensure the information rights of UK users are protected.”
However, despite the encouraging words from the ICO, Meta have confirmed that they’re still planning to go ahead with the data scraping in the UK, citing a legal basis of legitimate interest. A privacy advocacy group called the Open Rights Group has begun lobbying the ICO and Meta. Mariano delli Santi of the ORG said:
“The proposals appear to violate UK GDPR on a number of levels, and we urge the ICO to investigate thoroughly and stop them once and for all”
We'll keep you posted.
Grey-hat hacking on a national scale
The Indonesian Government was hacked, prompting (as you’d expect) much outrage. But this is where the story changes gear: the hackers swiftly backtracked, apologised, released the decryptors for free, and – get this – even asked for donations. They claimed it was intended as a wake-up call for the powers that be to sort out their security. This type of activity sits uncomfortably between the white-hat world of ethical hacking, aka penetration testing, and the black hat world of cyber criminals. You can read more about this curious tale here.
FREE WEBINAR
Building a strategic foundation
A few weeks back, we asked our LinkedIn audience which topic would be of most interest for an upcoming webinar.
We're delighted to share that our first webinar Unlocking Security Success - Building your strategic foundation is confirmed for the 10th September 10:30-11:30!
Keep an eye on the Bulletproof LinkedIn page, as more details are coming soon...
FEATURED SERVICE
Red Teaming
Red teaming is a tailored offensive security service that elevates your cyber defences. Go beyond penetration testing to simulate a real-world attack from a determined adversary, and verify your operational, procedural & physical security. Head over to our website to find out the difference between Red Team, Black Team, Purple Team, EDR/XDR Evaluation and Assumed Breach – and much more.
Continuing the Red Team theme, here's an extract from the Fireside Chat we hosted that covers the basics (and a bit more) of red teaming. This one covers Assumed Breach – often a great entry point for red team activities.
That's it for now - we'll see you in next month's newsletter! If you want to chat about anything cyber security, information security or data protection related, get in touch with us at Bulletproof.co.uk
Marketing Leader | Brand Strategist | B2B Cyber | "outcomes over output"
4 months
Some interesting stuff in here, as always. I've already opted out of the Meta Facebook thing, but they don't advertise it or make it easy.