Free Checks to Protect Against Cyber-attacks and Spoofing

New Resources for Multi Academy Trusts

The National Cyber Security Centre (NCSC) invites multi-academy trusts (MATs) to register to use two free services:

  • Web Check to find and fix common security vulnerabilities within your website
  • Mail Check to assess email security compliance and adopt secure email standards to stop criminals from spoofing email domains

After the testing phase with MATs is complete, the DfE will issue further information when these services become available to all schools.

Web Check

Web Check checks your websites for common web vulnerabilities and misconfigurations. The checks are designed to impose low load on sites and to avoid damaging them. Web Check tells you: what you need to worry about, when you need to worry about it and what you need to do about it. It is easy to use and doesn’t require a high level of technical skill. Potential security issues checked for include the following:

  • Whether a site’s server software is patched and up to date;
  • If using a Content Management System, whether this is patched and up to date;
  • Issues with the server’s certificate chains;
  • A range of TLS configuration concerns and implementation errors;
  • Whether site misconfiguration is suggested by inconsistency between the site loaded over HTTP and over HTTPS;
  • Use of third-party resources, and whether these are loaded over HTTPS; and
  • Whether cross domain policy and/or cross origin resource sharing controls allow interaction from other sites.
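Two of the checks listed above (third-party resources loaded without HTTPS, and permissive cross origin resource sharing) can be reproduced against your own pages. The following is an added example, not Web Check's own code; the page markup, headers and the hosts under example.org and example.net are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ResourceCollector(HTMLParser):
    """Collect the URLs of scripts, stylesheets, images and frames."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.urls.append(attrs["src"])
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            if attrs.get("href"):
                self.urls.append(attrs["href"])


def third_party_resources(page_url, html):
    """Return (absolute_url, loaded_over_https) for resources on other hosts."""
    collector = ResourceCollector()
    collector.feed(html)
    site = urlparse(page_url).hostname
    results = []
    for raw in collector.urls:
        absolute = urljoin(page_url, raw)  # resolves relative and // URLs
        parts = urlparse(absolute)
        if parts.hostname and parts.hostname != site:
            results.append((absolute, parts.scheme == "https"))
    return results


def cors_findings(headers):
    """Flag response headers that let any other site read the response."""
    headers = {k.lower(): v.strip() for k, v in headers.items()}
    if headers.get("access-control-allow-origin") == "*":
        return ["Access-Control-Allow-Origin: * lets any site read responses"]
    return []


# Constructed sample page and response headers.
PAGE_URL = "https://www.example.org/"
PAGE_HTML = """<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.net/lib.js"></script>
<img src="//images.example.net/logo.png">"""
PAGE_HEADERS = {"Access-Control-Allow-Origin": "*"}
```

Any entry returned with `False` as its second element is a third-party resource fetched over plain HTTP from an HTTPS page.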

Benefits of Web Check

Using Web Check brings the following benefits:

  • Web Check alerts organisations to the presence of a number of common website security issues and advises on how to fix these;
  • This in turn enables increased confidence in web-facing services and the reduced risk of damaging and costly cyber attacks; and
  • Web Check is free and easy to use; it does not require a high level of technical skill. Equally, organisations with good cyber security expertise have found the ability to initiate a regular checking programme to be of benefit.

Mail Check

Email continues to play a significant part in a variety of cyber attacks, with many organisations unaware that attackers can send malicious spoofed emails using their email domain, or that there are vulnerabilities affecting the confidentiality of their email in transit.

Mail Check is the NCSC’s free platform for assessing email security compliance. It helps domain owners identify, understand, and prevent abuse of their email domains. In particular, Mail Check supports organisations in implementing the following controls:

  • Email anti-spoofing controls (SPF, DKIM and DMARC): These standards help prevent various attacks (for example, phishing and malware campaigns) that use an organisation's email domain to trick email recipients.
  • Email confidentiality (TLS): Keeping messages encrypted and private as they are sent over the internet.

Benefits of Mail Check

When you implement the email standards you will be:

  • Helping to protect your organisation, and the individuals and organisations you do business with, by making it difficult for cyber criminals to spoof your email address in order to conduct attacks like phishing or spreading malware.
  • Helping to protect the privacy of your information in transit and the information of individuals and organisations that you do business with.
  • Helping to protect your brand and reputation. Your staff, customers and partners must have confidence that emails from your organisation are not malicious fakes, and that privacy is treated seriously.
  • Reducing the costs of service down-time and time spent on dealing with the consequences of email fraud.
  • Reducing risks that your legitimate email sending systems are not trusted, placed on spam blocklists, and not read by recipients.

An Introduction to Configuration and Vulnerability Scanning Services

Website vulnerabilities result from misconfigurations or software flaws that might be exploited by an attacker. Web configuration and vulnerability scanning services offer a regular and cost-effective method of checking for common problems with websites. As such they complement penetration testing in which a specialist security tester can check for more complex security weaknesses, refining the strategy for later tests in response to their initial findings.

There are a number of reasons why organisations should take advantage of vulnerability scanning:

  • Automation: scanning can be run on a schedule, on-demand or in response to trigger events such as a new build of a software project or the deployment of a new server. This enables an up-to-date view of the vulnerability landscape to be maintained.
  • Speed: scanners typically perform hundreds or even thousands of checks at a significantly faster pace than would be possible with manual testing.
  • Cost-effectiveness: the benefits of speed and automation make it far more economical to perform vulnerability scanning against a target than testing it manually.
  • Scalability: modern cloud-based architectures mean that services can increase or decrease their resources to enable small or large environments to be scanned within similar timeframes.
  • Compliance: many vulnerability scanning solutions include bespoke checks to test compliance with common information security standards or an organisation’s own baseline control set.
  • Accuracy: by carrying out bespoke checks to confirm the presence of vulnerabilities, scanners can produce far more reliable results than simply referencing information held in Software Asset Management solutions.

Most importantly, vulnerability scanning affords an organisation the ability to keep pace with individuals and groups intent on compromising systems, many of whom use similar tools and techniques to discover security flaws.

Eligibility

Web Check and Mail Check are available to:

  • Central Government;
  • Local Authorities;
  • Devolved Administrations;
  • Emergency Services;
  • NHS Organisations; and
  • Academia (universities, further education colleges, and all UK schools).

Web Check and Mail Check are not currently available to the private sector. If your organisation is not in one of the eligible customer sectors above but you believe you should have access, please contact the NCSC at feedback@digital.ncsc.gov.uk.

Handsam Resources

Handsam have a range of useful resources regarding the use of computers in schools, including:

Example policies including:

  • Acceptable User Policy
  • Data Protection and Confidentiality for Staff
  • Data Protection for Pupils
  • Freedom of Information Policy
  • Social Media

Please contact our client support staff for information regarding policies.
