
☐ ☆ ✇ Security – Cisco Blog

The Upcoming UK Telecoms Security Act Part Two: Changing Mindset from Stick to Carrot

By Richard Archdeacon — December 13th 2022 at 19:10

In our last blog, we gave a rundown of what the Telecommunications (Security) Act (TSA) is, why it’s been introduced, who it affects, when it starts, and how firms can prepare. Here, we take a closer look into the themes introduced by the Act, explore how the telecoms industry can explore zero trust to further improve its security posture, and outline the benefits that can be gained when complying.

When the Telecoms Security Act (TSA) was introduced, it was labelled as ‘one of the strongest telecoms security regimes in the world, a rise in standards across the board, set by the government rather than the industry’ by Matt Warman, former Minister of State at the Department for Digital, Culture, Media, and Sport. The industry is certainly feeling the impending impact of the act – with one industry pundit at an event we ran recently describing it as a ‘multi-generational change’ for the sector.

One of the headline grabbers stemming from the Act are the associated fines. With the new powers granted to it by the Act, Ofcom now has the responsibility to oversee operators’ security policies and impose fines of up to 10 percent of turnover or £100,000 a day in case operators don’t comply or the blanket ban of telecoms vendors such as Huawei. Sounds like the typical ‘stick’-based costly compliance messaging that no-one particularly wants to hear, right? But what if the TSA had some ‘carrot’-based business benefits that are much less discussed?

The TSA introduces a new security framework for the UK telecoms sector to ensure that public telecommunications providers operate secure and resilient networks and services and manage their supply chains appropriately. ny of the themes introduced in the code of practice can be aligned with the themes in a zero trust security model, which are also a focus for CISOs.

Zero trust security is a concept (also known as ‘never trust, always verify’) which establishes trust in users and devices through authentication and continuous monitoring of each access attempt, with custom security policies that protect every application. At Duo, our approach to zero trust is:

  • First, accurately establish trust – to verify user and device trust and increase visibility
  • Second, consistently enforce trust-based access – to grant the appropriate level of access and enforce access policies, based on the principle of least privilege.
  • Third, change is inevitable, especially when it comes to risk, so continuously verify trust by reassessing trust level and adjust access accordingly after initial access has been granted
  • And fourth, dynamically respond to change in trust by investigating and orchestrating response to potential incidents with increased visibility into suspicious changes in trust level.

A crucial point to note here: much like a solution that claims to help with all aspects of the TSA, telecom providers should be wary of any vendor who claims to have a zero-trust product. Both are far much bigger than any ‘silver bullet’ solution purports to offer. But there is a good reason a zero-trust framework has been mandated by the US White House for all federal agencies, and recommended by the Australian Cyber Security Centre (ACSC) and the UK’s National Cyber Security Centre (NCSC).

As well as helping to mitigate the significant cyber risks presented to the telecoms industry, a zero-trust strategy provides many business benefits. Our recent Guide to Zero Trust Maturity shows that:

  • Organisations that reported a mature implementation of zero trust were more than twice as likely to achieve business resilience (63.6%) than those with a limited zero trust implementation.
  • Organisations that achieved mature implementations of zero trust were twice as likely to report excelling at the following five security practices:
    • Accurate threat detection
    • Proactive tech refresh
    • Prompt disaster recovery
    • Timely incident response
    • Well-integrated tech
  • Organisations that claimed to have a mature implementation of zero trust were 2X more likely to report excelling across desired outcomes such as greater executive confidence (47%).

A robust zero-trust security program includes phishing-resistant multi factor authentication (MFA), access controls for devices and applications, risk-signalling, dynamic authentication, firewalls, analytics, web monitoring and more. As I said previously there is no one answer to zero trust, or indeed the TSA, but getting the basics right like strong MFA, single sign on (SSO) and device trust are an easy and effective way to get started.

The TSA will be a huge undertaking for industry, but it is important to focus on the benefits such a wide-reaching set of regulatory rules will inevitably result in. As another guest from our recent event put it: ‘the TSA is full of the latest and modern best practice around security, so the aim really is to raise the tide and all ships, which can only be a good thing.’

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


☐ ☆ ✇ The Hacker News

Google Warns of Internet Explorer Zero-Day Vulnerability Exploited by ScarCruft Hackers

By Ravie Lakshmanan — December 8th 2022 at 07:59
An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware. The discovery, reported by Google Threat Analysis Group researchers Benoît Sevens and Clément Lecigne, is the latest set of attacks perpetrated by ScarCruft, which is
☐ ☆ ✇ Naked Security

Number Nine! Chrome fixes another 2022 zero-day, Edge patched too

By Paul Ducklin — December 5th 2022 at 20:58
Ninth more unto the breach, dear friends, ninth more.

☐ ☆ ✇ The Hacker News

Google Rolls Out New Chrome Browser Update to Patch Yet Another Zero-Day Vulnerability

By Ravie Lakshmanan — December 3rd 2022 at 04:41
Search giant Google on Friday released an out-of-band security update to fix a new actively exploited zero-day flaw in its Chrome web browser. The high-severity flaw, tracked as CVE-2022-4262, concerns a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on November 29, 2022. Type confusion
☐ ☆ ✇ The Hacker News

Google Accuses Spanish Spyware Vendor of Exploiting Chrome, Firefox, & Windows Zero-Days

By Ravie Lakshmanan — December 1st 2022 at 14:32
A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018. "Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to
☐ ☆ ✇ Naked Security

Chrome fixes 8th zero-day of 2022 – check your version now (Edge too!)

By Paul Ducklin — November 28th 2022 at 19:42
There isn't a rhyme to remind you which months have browser zero-days... you just have to keep your eyes and ears open!

☐ ☆ ✇ The Hacker News

Millions of Android Devices Still Don't Have Patches for Mali GPU Flaws

By Ravie Lakshmanan — November 24th 2022 at 11:17
A set of five medium-severity security flaws in Arm's Mali GPU driver has continued to remain unpatched on Android devices for months, despite fixes released by the chipmaker. Google Project Zero, which discovered and reported the bugs, said Arm addressed the shortcomings in July and August 2022. "These fixes have not yet made it downstream to affected Android devices (including Pixel, Samsung,
☐ ☆ ✇ Naked Security

How to hack an unpatched Exchange server with rogue PowerShell code

By Paul Ducklin — November 22nd 2022 at 19:54
Review your servers, your patches and your authentication policies - there's a proof-of-concept out

☐ ☆ ✇ Naked Security

Exchange 0-days fixed (at last) – plus 4 brand new Patch Tuesday 0-days!

By Paul Ducklin — November 9th 2022 at 19:58
In all the excitement, we kind of lost track ourselves. Were there six 0-days, or only four?

☐ ☆ ✇ The Hacker News

Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities

By Ravie Lakshmanan — November 5th 2022 at 06:00
Microsoft is warning of an uptick among nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments. The tech giant, in its 114-page Digital Defense Report, said it has "observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability," making it imperative that
☐ ☆ ✇ Security – Cisco Blog

Still Using Passwords? Get Started with Phishing-Resistant, Passwordless Authentication Now!

By Jackie Castelli — November 2nd 2022 at 08:00

Going beyond the hype, passwordless authentication is now a reality. Cisco Duo’s passwordless authentication is now generally available across all Duo Editions.

“Cisco Duo simplifies the passwordless journey for organizations that want to implement phishing-resistant authentication and adopt a zero trust security strategy.”
—Jack Poller, Senior Analyst, ESG

We received tremendous participation and feedback during our public preview, and we are now excited to bring this capability to our customers and prospects.

“Over the last few years, we have increased our password complexities and required 2FA wherever possible.  With this approach, employees had more password lock outs, password fatigue, and forgetting their longer passwords due to password rotations.  With Duo Passwordless, we are excited to introduce this feature to our employees to keep our password complexities in place and leverage different Biometric options whether that is using their mobile device, Windows Hello, or a provided FIDO security key. 

The Duo Push for passwordless authentication feature is simple and easy and introduces a more pleasant experience overall.  Using Duo’s device insight and application policies, we are able to leverage and verify the security of the mobile devices before the device is allowed to be used.  To top it off, Duo is connected to our SIEM and our InfoSec team is able to review detailed logs and setup alerts to be able to keep everything secure.”
—Vice President of IT, Banking and Financial Services Customer

As with any new technology, getting to a completely passwordless state will be a journey for many organizations. We see customers typically starting their passwordless journey with web-based applications that support modern authentication. To that effect, Duo’s passwordless authentication is enabled through Duo Single Sign-On (SSO) for federated applications. Customers can choose to integrate their existing SAML Identity provider such as Microsoft (ADFS, Azure), Okta or Ping Identity; or choose to use Duo SSO (Available across all Duo editions).

“Password management is a challenging proposition for many enterprises, especially in light of BYOD and ever increasing sophistication of phishing schemes. Cisco aims to simplify the process with its Duo passwordless authentication that offers out-of-box integrations with popular single sign-on solutions.”
—Will Townsend, Vice President & Principal Analyst, Networking & Security, Moor Insights & Strategy

Duo’s Passwordless Architecture

Duo Passwordless Architecture

Duo offers a flexible choice of passwordless authentication options to meet the needs of businesses and their use cases. This includes:

  1. FIDO2-compliant, phishing-resistant authentication using
    • Platform authenticators – TouchID, FaceID, Windows Hello, Android biometrics
    • Roaming authenticators – security keys (e.g. Yubico, Feitian)
  2. Strong authentication using Duo Mobile authenticator application

No matter which authentication option you choose, it is secure and inherently multi-factor authentication. We are eliminating the need for the weak knowledge factor (something you know – passwords) which are shared during authentication and can be easily compromised. Instead, we are relying on stronger factors, which are the inherence factor (something you are – biometrics) and possession factor (something you have – a registered device). A user completes this authentication in a single gesture without having to remember a complex string of characters. This significantly improves the user experience and mitigates the risk of stolen credentials and man-in-the-middle (MiTM) attacks.

Phishing resistant passwordless authentication with FIDO2

Passwordless authentication using FIDO2

FIDO2 authentication is regarded as phishing-resistant authentication because it:

  1. Removes passwords or shared secrets from the login workflow. Attackers cannot intercept passwords or use stolen credentials available on the dark web.
  2. Creates a strong binding between the browser session and the device being used. Login is allowed only from the device authenticating to an application.
  3. Ensures that the credential (public/private key) exchange can only happen between the device and the registered service provider. This prevents login to fake or phishing websites.

Using Duo with FIDO2 authenticators enables organizations to enforce phishing-resistant MFA in their environment. It also complies with the Office of Management and Budget (OMB) guidance issued earlier this year in a memo titled “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles”. The memo specifically requires agencies to use phishing-resistant authentication method.

We understand that getting the IT infrastructure ready to support FIDO2 can be expensive and is typically a long-term project for organizations. In addition, deploying and managing 3rd party security keys creates IT overhead that some organizations are not able to undertake immediately.

Alternatively, using Duo Push for passwordless authentication is an easy, cost effective to get started on a passwordless journey for many organizations, without compromising on security.

Strong passwordless authentication using Duo Mobile

We have incorporated security into the login workflow to bind the browser session and the device being used. So, organizations get the same benefits of eliminating use of stolen credentials and mitigation of phishing attacks. To learn more about passwordless authentication with Duo Push, check out our post: Available Now! Passwordless Authentication Is Just a Tap Away.



Beyond passwordless: Thinking about Zero Trust Access and continuous verification

passwordless authentication

In addition to going passwordless, many organizations are looking to implement zero trust access in their IT environment. This environment typically is a mix of modern and legacy applications, meaning passwordless cannot be universally adopted. At least not until all applications can support modern authentication.

Additionally, organizations need to support a broad range of use cases to allow access from both managed and unmanaged (personal or 3rd party contractor) devices. And IT security teams need visibility into these devices and the ability to enforce compliance to meet the organization’s security policies such as ensuring that the operating system (OS) and web browser versions are up to date. The importance of verifying device posture at the time of authentication is emphasized in the guidance provided by OMB’s zero trust memorandum – “authorization systems should work to incorporate at least one device-level signal alongside identity information about the authenticated user.”

Duo can help organizations adopt a zero trust security model by enforcing strong user authentication across the board either through passwordless authentication where applicable or thought password + MFA where necessary, while providing a consistent user experience. Further, with capabilities such as device trust and granular adaptive policies, and with our vision for Continuous Trusted Access, organizations get a trusted security partner they can rely on for implementing zero trust access in their environment.

To learn more, check out the eBook – Passwordless: The Future of Authentication, which outlines a 5-step path to get started. And watch the passwordless product demo in this on-demand webinar .

Many of our customers have already begun their passwordless journey.  If you are looking to get started as well, sign-up for a free trial and reach out to our amazing representatives.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


☐ ☆ ✇ Naked Security

Chrome issues urgent zero-day fix – update now!

By Paul Ducklin — October 29th 2022 at 15:08
We've said it before/And we'll say it again/It's not *if* you should patch/It's a matter of *when*. (Hint: now!)

☐ ☆ ✇ Naked Security

Updates to Apple’s zero-day update story – iPhone and iPad users read this!

By Paul Ducklin — October 28th 2022 at 18:04
Turns out that Tuesday's zero-day for iOS 16 is Friday's zero-day for iOS 15...

☐ ☆ ✇ The Hacker News

Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

By Ravie Lakshmanan — October 28th 2022 at 10:40
Google on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser. The vulnerability, tracked as CVE-2022-3723, has been described as a type confusion flaw in the V8 JavaScript engine. Security researchers Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast have been credited with reporting the flaw on October 25, 2022. "Google is aware of
☐ ☆ ✇ The Hacker News

Apple Releases Patch for New Actively Exploited iOS and iPadOS Zero-Day Vulnerability

By Ravie Lakshmanan — October 25th 2022 at 03:35
Tech giant Apple on Monday rolled out updates to remediate a zero-day flaw in iOS and iPadOS that it said has been actively exploited in the wild. The weakness, given the identifier CVE-2022-42827, has been described as an out-of-bounds write issue in the Kernel, which could be abused by a rogue application to execute arbitrary code with the highest privileges. Successful exploitation of
☐ ☆ ✇ Security – Cisco Blog

There’s no better time for zero trust

By Neville Letzerich — October 20th 2022 at 15:30

Security resilience requires strong, user-friendly defenses

The concept of zero trust is not a new one, and some may even argue that the term is overused. In reality, however, its criticality is growing with each passing day. Why? Because many of today’s attacks begin with the user. According to Verizon’s Data Breach Investigations Report, 82% of breaches involve the human element — whether it’s stolen credentials, phishing, misuse or error.

Additionally, today’s businesses are hyper-connected, meaning that — in addition to your employees — customers, partners and suppliers are all part of your ecosystem. Couple that with hybrid work, IoT, the move to the cloud, and more emboldened attackers, and organizational risk increases exponentially.

Adopting a zero trust model can dramatically reduce this risk by eliminating implicit trust. It has become so crucial, in fact, that several governments including the U.S., UK and Australia have released mandates and guidance for how organizations should deploy zero trust to improve national security.

However, because zero trust is more of a concept than a technology, and so many vendors use the term, organizations struggle with the best way to implement it. At Cisco, we believe you should take a holistic approach to zero trust, starting with what you have and adding on as you identify gaps in your defenses. And while layers of protection are necessary for powerful security, so is ease of use.

Strengthen security resilience with zero trust

Zero trust plays a major role in building security resilience, or the ability to withstand unpredictable threats or changes and emerge stronger. Through zero trust, the identity and security posture of users, devices and applications are continuously checked and verified to prevent network intrusions — and to also limit impact if an unauthorized entity does gain access.

Organizations with high zero trust maturity are twice as likely to achieve business resilience.
– Cisco’s Guide to Zero Trust Maturity

Eliminating trust, however, doesn’t really conjure up images of user-friendly technology. No matter how necessary they are for the business, employees are unlikely to embrace security measures that make their jobs more cumbersome and time-consuming. Instead, they want fast, consistent access to any application no matter where they are or which device they are using.

That’s why Cisco is taking a different approach to zero trust — one that removes friction for the user. For example, with Cisco Secure Access by Duo, organizations can provide those connecting to their network with several quick, easy authentication options. This way, they can put in place multi-factor authentication (MFA) that frustrates attackers, not users.

Enable seamless, secure access

Cisco Secure Access by Duo is a key pillar of zero trust security, providing industry-leading features for secure access, authentication and device monitoring. Duo is customizable, straightforward to use, and simple to set up. It enables the use of modern authentication methods including biometrics, passwordless and single sign-on (SSO) to help organizations advance zero trust without sacrificing user experience. Duo also provides the flexibility organizations need to enable secure remote access with or without a VPN connection.

During Cisco’s own roll-out of Duo to over 100,000 people, less than 1% of users contacted the help desk for assistance. On an annual basis, Duo is saving Cisco $3.4 million in employee productivity and $500,000 in IT help desk support costs. Furthermore, 86,000 potential compromises are averted by Duo each month.

Protect your hybrid work environment

La-Z-Boy, one of the world’s leading residential furniture producers, also wanted to defend its employees against cybersecurity breaches through MFA and zero trust. It needed a data security solution that worked agnostically, could grow with the company, and that was easy to roll out and implement.

“When COVID first hit and people were sent home to work remotely, we started seeing more hacking activity…” said Craig Vincent, director of IT infrastructure and operations at La-Z-Boy. “We were looking for opportunities to secure our environment with a second factor…. We knew that even post-pandemic we would need a hybrid solution.”

“It was very quick and easy to see where Duo fit into our environment quite well, and worked with any application or legacy app, while deploying quickly.” – Craig Vincent, Director of IT Infrastructure and Operations, La-Z-Boy

Today, Duo helps La-Z-Boy maintain a zero trust framework, stay compliant, and get clear visibility into what is connecting to its network and VPN. Zero trust helps La-Z-Boy secure its organization against threats such as phishing, stolen credentials and out-of-date devices that may be vulnerable to known exploits and malware.

Build a comprehensive zero trust framework

As mentioned, zero trust is a framework, not a single product or technology. For zero trust to be truly effective, it must do four things:

  1. Establish trust for users, devices and applications trying to access an environment
  2. Enforce trust-based access based on the principle of least privilege, only granting access to applications and data that users/devices explicitly need
  3. Continuously verify trust to detect any change in risk even after initial access is granted
  4. Respond to changes in trust by investigating and orchestrating response to potential incidents

Many technology companies may offer a single component of zero trust, or one aspect of protection, but Cisco’s robust networking and security expertise enables us to provide a holistic zero trust solution. Not only can we support all the steps above, but we can do so across your whole IT ecosystem.

Modern organizations are operating multi-environment ecosystems that include a mix of on-premises and cloud technologies from various vendors. Zero trust solutions should be able to protect across all this infrastructure, no matter which providers are in use. Protections should also extend from the network and cloud to users, devices, applications and data. With Cisco’s extensive security portfolio, operating on multiple clouds and platforms, zero trust controls can be embedded at every layer.

Map your path to zero trust

Depending on where you are in your security journey, embedding zero trust at every layer of your infrastructure may sound like a lofty endeavor. That’s why we meet customers where they are on their path to zero trust. Whether your first priority is to meet regulatory requirements, secure hybrid work, protect the cloud, or something else, we have the expertise to help you get started. We provide clear guidance and technologies for zero trust security mapped to established frameworks from organizations like CISA and NIST.

Much of our Cisco Secure portfolio can be used to build a successful zero trust framework, but some examples of what we offer include:

  • Frictionless, secure access for users, devices and applications through Cisco Duo
  • Flexible cloud security through Cisco Umbrella
  • Protected network connections and segmentation with the Cisco Identity Services Engine (ISE)
  • Application visibility and micro-segmentation via Cisco Secure Workload
  • Expert guidance from the Cisco Zero Trust Strategy Service

All of our technologies and services are backed by the unparalleled intelligence of Cisco Talos — so you always have up-to-date protection as you build your zero trust architecture. Additionally, our open, integrated security platform — Cisco SecureX — makes it simple to expand and scale your security controls, knowing they will work with your other technologies for more unified defenses.

Enhance security with an integrated platform

As Italy’s leading insurance company, Sara Assicurazioni requires complete visibility into its extended network, including a multi-cloud architecture and hybrid workforce. The company has adopted a comprehensive zero trust strategy through Cisco Secure.

“Our decentralized users, endpoints, and cloud-based servers and workloads contribute to a large attack surface,” says Paolo Perrucci, director of information and communications technology architectures and operations at Sara Assicurazioni. “With Cisco, we have the right level of visibility on this surface.”

“The main reason we chose Cisco is that only Cisco can offer a global security solution rather than covering one specific point…. Thanks to Cisco Secure, I’m quite confident that our security posture is now many times better because we are leveraging more scalable, state-of-the-art security solutions.” – Luigi Vassallo, COO & CTO, Sara Assicurazioni

Expand your zero trust strategy

To learn more, explore our zero trust page and sign up for one of our free zero trust workshops.

Watch video: How Cisco implemented zero trust in just five months 

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


☐ ☆ ✇ The Hacker News

Researchers Detail Windows Zero-Day Vulnerability Patched Last Month

By Ravie Lakshmanan — October 14th 2022 at 17:34
Details have emerged about a now-patched security flaw in Windows Common Log File System (CLFS) that could be exploited by an attacker to gain elevated permissions on compromised machines. Tracked as CVE-2022-37969 (CVSS score: 7.8), the issue was addressed by Microsoft as part of its Patch Tuesday updates for September 2022, while also noting that it was being actively exploited in the wild. "
☐ ☆ ✇ Security – Cisco Blog

The Upcoming UK Telecoms (Security) Act Part One: What, Why, Who, When and How

By Richard Archdeacon — October 3rd 2022 at 16:31

In November 2020, the Telecommunications (Security) Bill was formally introduced to the UK’s House of Commons by the department for Digital, Culture, Media & Sport. Now, after several readings, debates, committee hearings, and periods of consultation, the Telecommunications (Security) Act is quickly becoming reality for providers of public telecoms networks and services in the UK, going live on 1 October 2022. Here, we outline what exactly the requirements mean for these firms, and what they can do to prepare.

What is the Telecommunications (Security) Act?

The Act outlines new legal duties on telecoms firms to increase the security of the entire UK network and introduces new regulatory powers to the UK Telecoms regulator OFCOM to regulate Public Telecommunications Providers in the area of cyber security. It place obligations on operators to put in place more measures around the security of their supply chains, which includes the security of the products they procure. The Act grants powers to the Secretary of State to introduce a so-called Code of Practice. It is this Code of Practice which contains the bulk of the technical requirements that operators must comply with. Those not in compliance face large fines (up to 10% of company turnover for one year).

Why has the Telecommunications (Security) Act been introduced?

Following the UK Telecoms Supply Chain review in 2018, the government identified three areas of concern that needed addressing:

  1. Existing industry practices may have achieved good commercial outcomes but did not incentivise effective cyber security risk management.
  2. Policy and regulation in enforcing telecoms cyber security needed to be significantly strengthened to address these concerns.
  3. The lack of diversity across the telecoms supply chain creates the possibility of national dependence on single suppliers, which poses a range of risks to the security and resilience of UK telecoms networks.

Following the review, little did we know a major resilience test for the telecoms industry was about to face significant challenges brought on by the Covid-19 pandemic. Data released by Openreach – the UK’s largest broadband network, used by customers of BT, Plusnet, Sky, TalkTalk, Vodafone and Zen – showed that broadband usage more than doubled in 2020 with 50,000 Petabytes (PB) of data being consumed across the country, compared to around 22,000 in 2019.

There is no question the security resilience of the UK telecoms sector is becoming ever more crucial — especially as the government intends to bring gigabit capable broadband to every home and business across the UK by 2025. As outlined in the National Cyber Security Centre’s Security analysis for the UK telecoms sector, ‘As technologies grow and evolve, we must have a security framework that is fit for purpose and ensures the UK’s Critical National Telecoms Infrastructure remains online and secure both now and in the future’.

Who does the Telecommunications (Security) Act affect?

The legislation will apply to public telecoms providers (including large companies such as BT and Vodafone and smaller companies that offer telecoms networks or services to the public). More specifically to quote the Act itself:

  • Tier 1: This applies to the largest organisations with an annual turnover of over £1bn providing public networks and services for which a security compromise would have the most widespread impact on network and service availability, and the most damaging economic or social effects.
  • Tier 2 providers would be those medium-sized companies with an annual turnover of more than £50m, providing networks and services for which security compromises would have an impact on critical national infrastructure (CNI) or regional availability with potentially significant security, economic or social effects.
  • Tier 3 providers would be the smallest companies with an annual turnover of less than £50m in the market that are not micro-entities. While security compromises to their networks or services could affect their customers, if those networks and services do not support CNI such compromises would not significantly affect national or regional availability.

When do companies need to start adhering to the Telecommunications (Security) Act?

As the requirements are long and varied and so the timelines to comply have been broken down to help organisations comply. The current Code of Practice expects Tier 1 providers to implement ‘the most straightforward and least resource intensive measures’ by 31 March 2024, and the more complex and resource intensive measures by 31 March 2025.

Tier 2 firms have been given an extra two years on top of the dates outlined above to reflect the relative sizes of providers. Tier 3 providers aren’t in scope of the regulatory changes currently but are strongly encouraged to use the Code of Practice as best practice. The Code of Practice also expects that these firms ‘must continue to take appropriate and proportionate measures to comply with their new duties under the Act and the regulations’.

How can firms prepare for the Telecommunications (Security) Act?

The TSA introduces a range of new requirements for those in the telecoms industry to understand and follow. These will require a multi-year programme for affected organisations.  An area of high focus for example will be on Third Party controls and managing the relationship with them.

However there are more common security requirements as well.  From our work with many companies across many different industries, we know that establishing that users accessing corporate systems, data and applications are who they say they are is  a key aspect of reducing risk by limiting the possibility of attacks coming in through the front door. This is a very real risk highlighted in Verizon’s 2022 Data Breaches Investigations Report, which states that around 82% of data breaches involved a human element, including incidents in which employees expose information directly or making a mistake that enables cyber criminals to access the organisation’s systems.

Therefore, one area to start to try and protect the organisation and take a step on the way to compliance is to build up authentication and secure access to systems, data and applications. However even this can take time to implement over large complex environments. It means gaining an understanding of all devices and ensuring there is a solid profile around them, so they can be reported on, attacks can be blocked and prevented, and access to applications can be controlled as needed.

Where can you find more insight on Telecommunications (Security) Act?

We will be creating more information around the Act as we move closer to the deadlines, including part two of this blog where we will take a deeper dive into themes introduced by the bill, how it compare with other industries’ and jurisdictions’ cyber security initiatives, and explore what else the telecoms industry can do to improve its security posture.

We are also running an event in London on 13 October: ‘Are you ready for TSA?’ which will include peer discussions where participation is welcome on the TSA. If you are interested in attending, please register here.

Register to attend the discussion on the new Telecom Security Act:

Are you ready for TSA?


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


☐ ☆ ✇ Naked Security

S3 Ep102.5: “ProxyNotShell” Exchange bugs – an expert speaks [Audio + Text]

By Paul Ducklin — October 1st 2022 at 14:05
Who's affected, what you can do while waiting for Microsoft's patches, and how to plan your threat hunting...

☐ ☆ ✇ Naked Security

URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different”

By Paul Ducklin — September 30th 2022 at 18:25
Double-play 0-day in Exchange - what you need to know, and what you can do

☐ ☆ ✇ Krebs on Security

Microsoft: Two New 0-Day Flaws in Exchange Server

By BrianKrebs — September 30th 2022 at 16:51

Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.

In customer guidance released Thursday, Microsoft said it is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day vulnerability — CVE-2022-41082 — which allows remote code execution (RCE) when PowerShell is accessible to the attacker.

Microsoft said Exchange Online has detections and mitigation in place to protect customers. Customers using on-premises Microsoft Exchange servers are urged to review the mitigations suggested in the security advisory, which Microsoft says should block the known attack patterns.

Vietnamese security firm GTSC on Thursday published a writeup on the two Exchange zero-day flaws, saying it first observed the attacks in early August being used to drop “webshells.” These web-based backdoors offer attackers an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser.

“We detected webshells, mostly obfuscated, being dropped to Exchange servers,” GTSC wrote. “Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management. We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese.”

GTSC’s advisory includes details about post-compromise activity and related malware, as well as steps it took to help customers respond to active compromises of their Exchange Server environment. But the company said it would withhold more technical details of the vulnerabilities for now.

In March 2021, hundreds of thousands of organizations worldwide had their email stolen and multiple backdoor webshells installed, all thanks to four zero-day vulnerabilities in Exchange Server.

Granted, the zero-day flaws that powered that debacle were far more critical than the two detailed this week, and there are no signs yet that exploit code has been publicly released (that will likely change soon). But part of what made last year’s Exchange Server mass hack so pervasive was that vulnerable organizations had little or no advance notice on what to look for before their Exchange Server environments were completely owned by multiple attackers.

Microsoft is quick to point out that these zero-day flaws require an attacker to have a valid username and password for an Exchange user, but this may not be such a tall order for the hackers behind these latest exploits against Exchange Server.

Steven Adair is president of Volexity, the Virginia-based cybersecurity firm that was among the first to sound the alarm about the Exchange zero-days targeted in the 2021 mass hack. Adair said GTSC’s writeup includes an Internet address used by the attackers that Volexity has tied with high confidence to a China-based hacking group that has recently been observed phishing Exchange users for their credentials.

In February 2022, Volexity warned that this same Chinese hacking group was behind the mass exploitation of a zero-day vulnerability in the Zimbra Collaboration Suite, which is a competitor to Microsoft Exchange that many enterprises use to manage email and other forms of messaging.

If your organization runs Exchange Server, please consider reviewing the Microsoft mitigations and the GTSC post-mortem on their investigations.

☐ ☆ ✇ The Hacker News

State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations

By Ravie Lakshmanan — October 1st 2022 at 06:36
Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at less than 10 organizations globally. "These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory
☐ ☆ ✇ The Hacker News

WARNING: New Unpatched Microsoft Exchange Zero-Day Under Active Exploitation

By Ravie Lakshmanan — September 30th 2022 at 04:25
Security researchers are warning of previously undisclosed flaws in fully patched Microsoft Exchange servers being exploited by malicious actors in real-world attacks to achieve remote code execution on affected systems. The advisory comes from Vietnamese cybersecurity company GTSC, which discovered the shortcomings as part of its security monitoring and incident response efforts in August 2022.
☐ ☆ ✇ The Hacker News

Why Zero Trust Should be the Foundation of Your Cybersecurity Ecosystem

By The Hacker News — September 21st 2022 at 12:00
For cybersecurity professionals, it is a huge challenge to separate the “good guys” from the “villains”. In the past, most cyberattacks could simply be traced to external cybercriminals, cyberterrorists, or rogue nation-states. But not anymore. Threats from within organizations – also known as “insider threats” – are increasing and cybersecurity practitioners are feeling the pain.  Traditional
☐ ☆ ✇ Naked Security

LastPass source code breach – incident response report released

By Paul Ducklin — September 19th 2022 at 18:59
Wondering how you'd handle a data breach report if the worst happened to you? Here's a useful example.

☐ ☆ ✇ Naked Security

S3 Ep100: Browser-in-the-Browser – how to spot an attack [Audio + Text]

By Paul Ducklin — September 15th 2022 at 18:50
Latest episode - listen now! Cosmic rockets, zero-days, spotting cybercrooks, and unlocking the DEADBOLT...


☐ ☆ ✇ The Hacker News

Microsoft's Latest Security Update Fixes 64 New Flaws, Including a Zero-Day

By Ravie Lakshmanan — September 14th 2022 at 04:42
Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks. Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its
☐ ☆ ✇ The Hacker News

Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability

By Ravie Lakshmanan — September 14th 2022 at 01:51
A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites. Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence
☐ ☆ ✇ The Hacker News

Apple Releases iOS and macOS Updates to Patch Actively Exploited Zero-Day Flaw

By Ravie Lakshmanan — September 13th 2022 at 03:36
Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild. The issue, assigned the identifier CVE-2022-32917, is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges. "Apple is aware of a report that this issue may
☐ ☆ ✇ The Hacker News

Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts

By Ravie Lakshmanan — September 9th 2022 at 08:19
A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed. "This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said. BackupBuddy allows users to back up their entire WordPress installation from within the
☐ ☆ ✇ Naked Security

Chrome and Edge fix zero-day security hole – update now!

By Paul Ducklin — September 5th 2022 at 15:12
This time, the crooks got there first - only 1 security hole patched, but it's a zero-day.

☐ ☆ ✇ The Hacker News

Apple Releases iOS Update for Older iPhones to Fix Actively Exploited Vulnerability

By Ravie Lakshmanan — September 1st 2022 at 03:24
Apple on Wednesday backported security updates to older iPhones, iPads, and iPod touch devices to address a critical security flaw that has been actively exploited in the wild. The shortcoming, tracked as CVE-2022-32893 (CVSS score: 8.8), is an out-of-bounds write issue affecting WebKit that could lead to arbitrary code execution when processing maliciously crafted web content. WebKit is the
☐ ☆ ✇ Naked Security

URGENT! Apple slips out zero-day update for older iPhones and iPads

By Paul Ducklin — August 31st 2022 at 18:42
Patch as soon as you can - that recent WebKit zero-day affecting new iPhones and iPads is apparently being used against older models, too.

☐ ☆ ✇ Naked Security

S3 Ep97: Did your iPhone get pwned? How would you know? [Audio + Text]

By Paul Ducklin — August 25th 2022 at 15:37
Latest episode - listen now! (Or read the transcript if you prefer the text version.)

☐ ☆ ✇ The first stop for security news | Threatpost

Google Patches Chrome’s Fifth Zero-Day of the Year

By Elizabeth Montalbano — August 18th 2022 at 14:31
An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.
☐ ☆ ✇ Threatpost | The first stop for security news

Google Patches Chrome’s Fifth Zero-Day of the Year

By Elizabeth Montalbano — August 18th 2022 at 14:31
An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.
☐ ☆ ✇ The Hacker News

New Google Chrome Zero-Day Vulnerability Being Exploited in the Wild

By Ravie Lakshmanan — August 17th 2022 at 12:02
Google on Tuesday rolled out patches for Chrome browser for desktops to contain an actively exploited high-severity zero-day flaw in the wild. Tracked as CVE-2022-2856, the issue has been described as a case of insufficient validation of untrusted input in Intents. Security researchers Ashley Shen and Christian Resell of Google Threat Analysis Group have been credited with reporting the flaw on
☐ ☆ ✇ Naked Security

S3 Ep93: Office security, breach costs, and leisurely patches [Audio + Text]

By Paul Ducklin — July 28th 2022 at 15:47
Latest episode - listen now!

☐ ☆ ✇ The Hacker News

Microsoft Uncovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits

By Ravie Lakshmanan — July 28th 2022 at 11:18
A cyber mercenary that "ostensibly sells general security and information analysis services to commercial customers" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities. The company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called DSIRF that's linked to the
☐ ☆ ✇ The Hacker News

Pegasus Spyware Used to Hack Devices of Pro-Democracy Activists in Thailand

By Ravie Lakshmanan — July 18th 2022 at 15:50
Thai activists involved in the country's pro-democracy protests have had their smartphones infected with NSO Group's infamous Pegasus government-sponsored spyware. At least 30 individuals, spanning activists, academics, lawyers, and NGO workers, are believed to have been targeted between October 2020 and November 2021, many of whom have been previously detained, arrested and imprisoned for their
☐ ☆ ✇ The Hacker News

Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

By Ravie Lakshmanan — July 13th 2022 at 04:15
Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild. Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one
☐ ☆ ✇ Naked Security

Google patches “in-the-wild” Chrome zero-day – update now!

By Paul Ducklin — July 5th 2022 at 15:55
Running Chrome? Do the "Help-About-Update" dance move right now, just to be sure...

☐ ☆ ✇ Naked Security

S3 Ep86: The crooks were in our network for HOW long?! [Podcast + Transcript]

By Paul Ducklin — June 9th 2022 at 13:07
Latest episode - listen (or read) now!

☐ ☆ ✇ Naked Security

Atlassian announces 0-day hole in Confluence Server – update now!

By Paul Ducklin — June 3rd 2022 at 18:59
Zero-day announced - here's what you need to know

☐ ☆ ✇ Naked Security

Mysterious “Follina” zero-day hole in Office – here’s what to do!

By Paul Ducklin — May 30th 2022 at 23:01
News has emerged of a "feature" in Office that has been abused as a zero-day bug to run evil code. Turning off macros doesn't help!

☐ ☆ ✇ Naked Security

Apple patches zero-day kernel hole and much more – update now!

By Paul Ducklin — May 17th 2022 at 09:30
You'll find fixes for numerous kernel-level code execution holes, including an 0-day vulnerability in many (though not all) versions.

☐ ☆ ✇ Naked Security

GitHub issues final report on supply-chain source code intrusions

By Paul Ducklin — April 29th 2022 at 16:15
Learn how to find out which apps you've given access rights to, and how to revoke those rights immediately in an emergency.

☐ ☆ ✇ Naked Security

Apple pushes out two emergency 0-day updates – get ’em now!

By Paul Ducklin — March 31st 2022 at 23:38
More Apple zero-days - mobile devices, laptops and desktops affected. Update now!


☐ ☆ ✇ Naked Security

Google Chrome patches mysterious new zero-day bug – update now

By Paul Ducklin — March 28th 2022 at 14:18
CVE-2022-1096 - another mystery in-the-wild 0-day in Chrome... check your version now!

☐ ☆ ✇ Naked Security

Firefox patches two actively exploited 0-day holes: update now!

By Paul Ducklin — March 5th 2022 at 19:06
Firefox just published a double-zero-day patch - "remote code execution" combined with "sandbox escape". Update now!

☐ ☆ ✇ Naked Security

Google announces zero-day in Chrome browser – update now!

By Paul Ducklin — February 15th 2022 at 19:17
Zero-day buses: none for a while, then three at once. Here's Google joining Apple and Adobe in "zero-day week"

☐ ☆ ✇ Naked Security

Adobe fixes zero-day exploit in e-commerce code: update now!

By Paul Ducklin — February 14th 2022 at 22:38
There's a remote code execution hole in Adobe e-commerce products - and cybercrooks are already exploiting it.

☐ ☆ ✇ Naked Security

S3 Ep68: Bugs, scams, privacy …and fonts?! [Podcast + Transcript]

By Paul Ducklin — February 3rd 2022 at 16:20
Latest episode - listen now!

☐ ☆ ✇ Naked Security

Check your patches – public exploit now out for critical Exchange bug

By Paul Ducklin — November 23rd 2021 at 14:36
It was a zero-day bug until Patch Tuesday, now there's an anyone-can-use-it exploit. Don't be the one who hasn't patched.
