Computing

Security

Secure systems, secure data, secure people, secure business

Computing Security May/June 2020



comment

LOW-LIFE TACTICS

By any measure, the recent revelations that cyber scammers have been using SMS

alerts to wrongly inform people they have been in contact with someone who

has tested positive for coronavirus are shocking, though hardly surprising. The

story, carried in The Guardian newspaper, goes on to detail how the text then directs

them to a phishing site where any personal information they put in is harvested.

As Chris Ross, SVP, Barracuda Networks, comments: "Cyber criminals do not miss

a trick when it comes to preying on people's fears, insecurities or even their goodwill.

More recent efforts to trick people out of their money have seen scammers move away

from the traditional email-based phishing attack to an SMS-based phishing attack, or

'smishing'." The most recent smishing attack, which uses an SMS alert to trick people

into thinking they have come into contact with the deadly coronavirus, is "one of the

most immoral, yet sophisticated, smishing campaigns we've seen since the start of the

outbreak," he adds.

"It is a reminder to the general public that cyber scams infect all messaging and

communication platforms, and you should always verify information you are sent

before taking any action or complying with written instructions. If unsure of the

legitimacy of some information you have been sent, seeking advice from a specialist

or security expert is always advised, particularly in the current climate."

Meanwhile, there has been strong industry reaction to the news that low-cost airline

easyJet has allowed the personal details of nine million customers to be accessed by

what are described as highly sophisticated hackers. "This is a difficult time for airlines

and a data breach isn't going to help with regaining customers' trust," says Matt

Aldridge, principal solutions architect at Webroot. "Airlines can be a lucrative target

for hackers, as they are a treasure trove of personal information. They are very well-known

brands, with critical missions of safety, compliance and keeping to schedule,

so attackers would see them as likely to pay out large sums in a ransomware or

other extortion scenario."

As Aldridge advises, robust security measures need to be put in place across the

industry, if the risk of future attacks being successful is to be greatly reduced. In the

age of this pandemic, vigilance must be redoubled and reinforced continuously,

because even the slightest weakness will be mercilessly exploited.

Brian Wall

Editor

Computing Security

brian.wall@btc.co.uk

EDITOR: Brian Wall (brian.wall@btc.co.uk)

LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)

SALES: Edward O’Connor (edward.oconnor@btc.co.uk), +44 (0)1689 616 000; Abby Penn (abby.penn@btc.co.uk), +44 (0)1689 616 000

PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)

Published by Barrow & Thompkins Connexions Ltd (BTC), 35 Station Square, Petts Wood, Kent, BR5 1LZ

Tel: +44 (0)1689 616 000

Fax: +44 (0)1689 82 66 22

SUBSCRIPTIONS:

UK: £35/year, £60/two years, £80/three years

Europe: £48/year, £85/two years, £127/three years

R.O.W: £62/year, £115/two years, £168/three years

Single copies can be bought for £8.50 (includes postage & packaging).

Published 6 times a year.

© 2020 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.

www.computingsecurity.co.uk May/June 2020 computing security

@CSMagAndAwards



CONTENTS

COMMENT: Virus scam and easyJet breach

ARTICLES

VOICE OF HOPE: Fight against online harm is stepped up

SHEDDING NEW LIGHT: Addressing the need for cybersecurity training and preparedness during the on-going lockdown and beyond is critical, as Deshini Newman, managing director EMEA, (ISC)², explains

SITTING TARGETS: Attackers exploit home working flaws

OFF THE BEATEN TRACK: Contact tracing raises privacy concerns

PROFITS AND PITFALLS: How to make social media work for you

DOING IT RIGHT: Staying secure in lockdown

CLEAR THINKING IN A CRISIS: Getting it right in the time of Covid-19

THREAT ACTORS ON THE MARCH: Exploitation soars to new heights

ATTACK - NO RETREAT!: The extent of cyber security threats has not diminished. In fact, quite the opposite, warns the government in a new survey. Almost half of businesses (46%) report having cyber security breaches or attacks in the last 12 months.

NHS BOLSTERS DEFENCES: Critical systems get top protection

ACCESS ANGST: How to look after corporate credentials

LAYING DOWN THE LAW: The General Data Protection Regulation (GDPR) laws are two years old, but are they having the impact expected in forcing organisations to protect their data to the highest standards? Brian Wall reports

UNDER FIRE: Business operations paralysed during crisis

DOUBLED-EDGED THREAT: People’s physical safety can also be at risk

YOU'VE GOT MAIL!: Working from home, by all accounts, really is here to stay. The big challenge is how you stay connected securely, safely and effectively in what many businesses are now describing as the 'new normal'

STAYING ON GUARD: Vigilance and good practice are key

PROTECTING THE EXPOSED: Opting for the best strategic approach

A CYBERSECURITY EDUCATION: A look back at two years of the GDPR

RANSOMWARE SOARS: IT systems far more susceptible to attack

MALWARE MENACE: New browser offers built-in VPN



online safety

First OSTIA meeting in early 2020, with Caroline Dinenage,

Minister of State for Digital and Culture, centre front (in red).

Ian Stevenson, OSTIA chair and Cyan

Forensics CEO and co-founder.

VOICE OF HOPE

WHAT IS HAILED AS A SIGNIFICANT STEP FORWARD IN THE UK'S

FIGHT AGAINST ONLINE HARM HAS BEEN TAKEN WITH THE LAUNCH

OF THE ONLINE SAFETY TECH INDUSTRY ASSOCIATION (OSTIA)

The industry body OSTIA has been

launched with the aim of bringing

together companies operating in

the field of online safety, who believe the

UK is at the forefront of safety tech, and

the development of products and

solutions that will make a significant

contribution to online safety.

The concept of OSTIA emerged at a

roundtable event in 2019 organised by

Cyan Forensics and PUBLIC, chaired by

Baroness Shields OBE. The event brought

tech companies, government and charity

organisations together to share ideas and

to discuss collective issues and solutions

to many of the online harms-related

problems faced today. As we went to

press, 14 tech companies had joined

the association, whose key aims are to:

• Provide a voice of hope by informing policy makers, technology providers and the general public about online safety technologies

• Create collective influence on policy, regulation and broader support for the sector

• Provide a forum for companies contributing towards the goal of online safety.

The association has received backing

and support from across government,

campaign bodies and charities, as well

as organisations including the Internet

Watch Foundation (IWF) and NSPCC.

Organisation representatives will be

meeting up regularly with government

representatives to explore ways to

support innovation and growth in UK

safety tech.

As Ian Stevenson, OSTIA chair and

Cyan Forensics CEO and co-founder,

comments: "The topic of online safety

is wide ranging and hugely complex.

Unfortunately for regulators and

providers, it is made up of many

individual problems; there is no silver

bullet that will solve the whole issue.

That's why we wanted to establish

this industry association - to create

a powerful collective voice to enact

change. By focusing on specific,

actionable areas, we can work together

to demonstrate how the thriving safety-related

products and services market

will play a significant role in helping

companies protect the most vulnerable

from accessing harmful content, while

driving digital growth. Together, we

can ensure that the public, technology

companies and policy makers are aware

of these lifelines."

Caroline Dinenage, Minister of State

for Digital and Culture, adds: "We are

determined to make the UK the safest

place in the world to be online and have

set out world-leading proposals to put

a duty of care on online companies,

enforced by an independent regulator."

Traditionally, debate in online safety

has been between those who seek

change, and those who fear it will be

costly and difficult to implement. OSTIA

means to represent new voices, it points

out, identifying these as the companies

that have built the technology to deliver

the much-needed transformation.



training & education

SHEDDING NEW LIGHT ON VIRUS IMPACT

ADDRESSING THE NEED FOR CYBERSECURITY TRAINING AND PREPAREDNESS DURING THE ON-GOING

LOCKDOWN IS CRITICAL, AS DESHINI NEWMAN, MANAGING DIRECTOR EMEA, (ISC)², EXPLAINS

The COVID-19 outbreak has caused

unprecedented disruption for individuals

and organisations alike. The acceleration

to a global pandemic reaching the UK

arguably caught many off-guard, leaving little

time to prepare for the wholesale shift of the

economy to working-from-home, and the

temporary suspension of many businesses

and services we take for granted.

To keep the economy working as much as

possible, organisations and governments put

business continuity plans into action at short

notice, developed new approaches to deal

with an unprepared scenario and pushed

remote working capabilities to previously

untested levels. The result has been a distinct

shift in the responsibilities of cybersecurity

professionals and the challenges of workload

that is being experienced.

Keen to understand the extent of the

impact, we recently surveyed cybersecurity

professionals globally to understand exactly

how things have changed and how they are

being affected on the cybersecurity front

line. The (ISC)² COVID-19 Cybersecurity

Pulse Survey's findings shed light on the

adjustments that organisations and their

cybersecurity professionals have made in the

last two months, in order to maintain their

business operations and mitigate the impact

on cybersecurity.

UNDERSTANDING THE CYBERSECURITY

IMPACT OF COVID-19

The survey revealed that 81% of respondents,

all responsible for securing their organisations'

digital assets, indicated that their job function

has changed during the pandemic. On top of

that, 90% indicated they themselves are now

working remotely full-time, while trying

to address the cybersecurity needs of their

organisations. Added to this, a third stated

they had confirmation of someone in their

organisation having contracted COVID-19,

further illustrating the impact the virus has

had on society.

As expected, almost all of the organisations

surveyed (96%) have closed their physical

workplaces, moving to remote working to

maintain as much operational capability as

possible. That 96% is comprised of 47% that

said all staff from closed facilities were now

remote working, while 49% said that some -

but not all - employees are working remotely.

The sudden change in circumstances has

resulted in a marked effect on cybersecurity

threats, with a quarter reporting that


incidents have increased since the change in

working practices. Some organisations are

tracking as many as double the number of

incidents, compared with pre-lockdown

times. It is not a surprise that four out of

every five respondents view security as an

essential function at this time.

The need to adapt to the sudden change

in operations and workplaces has seen almost

half of cybersecurity professionals being taken

off some or all of their typical security duties

to assist with other IT-related tasks, such

as equipping a mobile workforce, and

implementing new applications and

platforms to enable mass remote working

and communication. The sudden and

sometimes improvised solutions that have

enabled businesses to transition so quickly

to remote working have caught 15% of

respondent organisations off-guard, as

they suggested their teams do not have the

resources they need to support the sudden

appearance of a remote workforce. A third

said they are managing - for now at least!

Some 40% are making use of security best

practices, even while compromised by the

lockdown conditions. Meanwhile, 50% said

they could be doing more than they are

to maintain security standards.

MAKING CYBERSECURITY TRAINING

AVAILABLE DURING THE LOCKDOWN

The industry has responded by realising that

more needs to be done to ensure a safe

and secure cyber world. The sector needs to

remain on top of new and changing threats

and challenges. This is motivating the industry

to provide more options and support to the

professional community.

As the world's largest non-profit association

of certified cybersecurity professionals, (ISC)²

has put a variety of measures in place to

support cybersecurity professionals through

the current situation. Being acutely aware of

the workload pressures facing some, and

the financial impact of furloughing and

shutdowns on others, we've made available

a variety of resources to help with education

and training to support people as they re-enter

the workforce after lockdowns ease and

to support professional development during

the COVID-19 disruption period.

We have made available our award-winning

webinar series for free. It features expert-led

discussions on a wide range of security topics

and we are continuing to add new content

even during the current period. It means

there is both a wide range of knowledge

to tap into to help learn and deal with the

cybersecurity issues facing organisations

today, as well as boosting the opportunities

for members to meet their CPE needs without

having to travel or attend in-person meetings

or conferences.

(ISC)² has also taken the decision to offer

many of our certification training options

for online consumption at reduced cost.

We realise that some people will be looking

for a new role now and after the lockdown

period is relaxed. That is why we are making

recognised certification, such as the Certified

Information Systems Security Professional

(CISSP) and Certified Cloud Security

Professional (CCSP), available using online

self-paced training at a 33% discounted price.

This is intended to help IT and non-IT staff

alike develop and verify their skills and

knowledge, supporting them as they seek

new opportunities in the cybersecurity sector.

Online instructor-led courses are also

available for those who prefer a more

structured online learning experience.

Alongside this, we are making our

Professional Development Institute (PDI)

courses available to non-members at a

discounted rate, including free access for all

to the recently released 'Utilising Big Data'

course. The PDI library currently comprises

35 courses.

Deshini Newman, managing director EMEA, (ISC)².

Expanding access to PDI courses is another

way we are working to help the community

expand its collective knowledge and

understanding of complex and topical issues

and technologies. This is a challenging time

for many, inside and outside the cybersecurity

profession. The need for professional

development is more important than ever

as a result of COVID-19, and the unique

business and community conditions we

currently face. We hope these resources will

prove valuable to the larger cybersecurity

community and encourage them to continue

to develop their skills during this time.

Our heartfelt thanks go to (ISC)² members

and the wider cybersecurity community for

the efforts being made to keep us all safe in

the digital world during the pandemic and

when we get to the other side.

For more details about how COVID-19

is impacting (ISC)² members and exam

candidates, and how the association is

responding to support members and

the wider community, please visit:

https://www.isc2.org/notice/COVID-19-Response



phishing attacks

REMOTE WORKERS TARGETED

ATTACKERS HAVE BEEN QUICK TO SEEK OUT WAYS OF EXPLOITING

THE MANY VULNERABILITIES LAID BARE BY HOME WORKING

Cranfield University campus.

"We're definitely seeing an uptick

in phishing related to the

coronavirus - for example,

malware masquerading as fake antivirus,

and VPN solutions all aimed at capitalising

on the change to remote working." That

is the warning from Dr Duncan Hodges,

senior lecturer in Cyberspace Operations,

Cranfield University.

"We can expect to see an increase in

attacks targeting remote desktop solutions

and video conferencing software. This is

particularly likely to be a problem where

products have laid dormant without being

updated or only used within a corporate

network for a period of time and are

now being made available outside the

traditional corporate network - the recent

BlueKeep attack vector is one we're likely to

see increasingly over the next week or so.

"Traditionally, a home network has been

considered a less secure part of a corporate

network. As well as your corporate laptop

on the network, there will also be your

family's personal computers, tablets and

phones, as well as a host of smart home

devices. Your network will only be as secure

as the most vulnerable of these devices."

Also, more of the corporate data will be

moved to cloud hosting solutions to allow

for remote working, Hodges points out.

"Whilst some of this will be within

corporate solutions, it would be naïve

to think that there won't be an increase

in data being moved to shadow IT

infrastructure. This is where data is moved

to other personal solutions outside a

corporate network, because an employee

'needs to get a job done' and the corporate

solutions don't work - for example, using

personal email accounts or accounts on

Dropbox. This move of data to external

cloud providers could increase the risk of

a data breach."

He also highlights the risk of increased

working on unsecured wireless networks

and advises that, whenever anyone is using

these public infrastructures, it's worth

considering using a virtual private network

(VPN). "These create an encrypted tunnel

over an insecure network, your network

traffic then flows down this tunnel and

protects your data from others. Your

employer may provide a VPN solution for

you to use - alternatively, there are a

number of free products, such as Proton

VPN, which offer a good service."

Dr Duncan Hodges, Cranfield University: there’s been an uptick in phishing related to the coronavirus.

If you're a business, consider the National

Cyber Security Centre's Cyber Essentials

programme. "This outlines a number of

simple steps to improve your cybersecurity,”

he advises. “You don't need to go through

the certification process, but there is some

really easy-to-follow advice."

Finally, as we move to Work 4.0, where one

change is the move to more flexible working

conditions, Hodges states that it is likely

businesses will need to adapt to these

changing responsibilities (and indeed the

changing responsibility of staff to their

employers). "What we're seeing in COVID-19

is an acceleration of that requirement. Lots of

businesses will now have to manage home

working on a larger scale than they have

done in the past, but the lessons we learn

over the next weeks and months will

hopefully help us critically look at how

businesses, and we as security professionals,

are going to support a wide variety of staff

who are working from home for extended

periods of time."



contact tracing

OFF THE BEATEN TRACK

CONTACT TRACING APPS COULD BE ONE OF THE KEYS TO DEFEATING COVID-19.

BUT USERS' DETAILS NEED TO BE SECURE AND SAFE FROM PRYING EYES

In the fight against Covid-19, contact

tracing apps will play an important role

in keeping us all safe from the disease.

The apps work by letting people know

if they have been in close contact with

someone who later tests positive for Covid-19,

helping to pinpoint exactly who needs

to be in quarantine and who doesn't. But

there are concerns about how this could

affect individuals' privacy and whether the

data could be hacked.

Now, 'ContacTUM', an interdisciplinary

research team at the Technical University of

Munich (TUM), has developed a model for

a contact tracing app that, it says, protects

personal data. The concept is based on

an encryption process that prevents the

temporary contact numbers (TCNs) of

infected individuals from ending up on the

phones of their contacts. In 'ContacTUM',

researchers from the fields of physics,

informatics, law, mathematics and

medicine, anchored by physicist Prof Elisa

Resconi, are working together.

Mobile phones on which a contact

tracing app is installed exchange constantly

changing, randomly generated TCNs

(temporary contact numbers) using

Bluetooth technology. These TCNs are

collected locally on the devices and stored

there for a limited period of around two

weeks. In case of a medically confirmed

diagnosis of a Covid-19 infection, the

individual's contacts are anonymously

notified using the contact tracing app.

The notification mechanism takes either

the centralised or decentralised approach.

In the centralised approach, the app

uploads the TCNs of every contact person

received by the infected individual's device

to a central server. The server then uses the

TCNs to despatch messages with the app,

in order to notify the corresponding

contact persons of a potential infection.

The risk of the centralised approach is

that all of the data is stored at a single

location. As a result, there is a high risk of

abuse, because it becomes possible to de-anonymise

and disclose personal contacts

as soon as the data on the server can be

accessed.

In a decentralised approach, however, the

infected individuals release only the TCNs

transmitted by their own device to a server.

These TCNs are downloaded from the

server by all devices where the app is

installed. The check to determine whether

any of these 'infected' TCNs were previously

received now takes place locally on the

individual devices. Consequently, the only

party with knowledge of possible contact

with an infected individual is the contact

person himself - and not the central server.

ContacTUM has been working to build

on this decentralised approach and make it

more secure. The cross-checking of TCNs of

infected individuals against those collected

on mobile phones takes place without

having to load the infected individuals'

TCNs onto the phones. This is possible

with an encryption process known as

private set intersection cardinality, which

does not require information to be

exchanged in plain text. "As a result," says

physicist Kilian Holzapfel, "the risk scenario

in which an attacker could combine the

received TCNs with other information

such as the date, time and location where

the TCN was transmitted - which would

endanger the anonymity of an infected

person - is minimised to a large extent."
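The difference between downloading infected TCNs for a local check and comparing them through private set intersection cardinality, as an added Python example that is not ContacTUM's code or its actual protocol: it uses a generic Diffie-Hellman-style blinding exchange. The class and function names, the 16-byte TCN size and the modulus 2**255 - 19 are assumptions made for this illustration.

```python
import hashlib
import math
import secrets

# Assumption for this example: arithmetic modulo the prime 2**255 - 19.
# The message flow is the point; a deployment would choose a vetted group.
P = 2**255 - 19


def new_tcn() -> bytes:
    """A randomly generated temporary contact number (16 bytes assumed)."""
    return secrets.token_bytes(16)


def hash_to_group(tcn: bytes) -> int:
    """Map a TCN to an element of 1..P-1."""
    return int.from_bytes(hashlib.sha256(tcn).digest(), "big") % (P - 1) + 1


def new_exponent() -> int:
    """Secret exponent coprime to P-1, so x -> x**e mod P is a bijection."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if math.gcd(e, P - 1) == 1:
            return e


def shuffled(items):
    """Return the items in random order so positions carry no information."""
    items = list(items)
    secrets.SystemRandom().shuffle(items)
    return items


def plain_decentralised_match(received, infected):
    """Baseline: the phone downloads the infected TCNs and compares locally.
    It learns exactly which stored TCNs, and so which encounters, matched."""
    return set(received) & set(infected)


class Phone:
    def __init__(self, received_tcns):
        self._received = set(received_tcns)
        self._a = new_exponent()

    def blind(self):
        # Step 1: send H(t)^a for every TCN heard over Bluetooth.
        return shuffled(pow(hash_to_group(t), self._a, P) for t in self._received)

    def count_matches(self, double_blinded, server_blinded):
        # Step 3: raise each H(s)^b to a and count values also present in the
        # server-shuffled H(t)^(ab) list. Only the count is learned.
        mine = set(double_blinded)
        return sum(1 for v in server_blinded if pow(v, self._a, P) in mine)


class Server:
    def __init__(self, infected_tcns):
        self._infected = set(infected_tcns)
        self._b = new_exponent()

    def respond(self, phone_blinded):
        # Step 2: re-blind the phone's values to H(t)^(ab) and shuffle them;
        # publish the infected set only as H(s)^b, never as plain-text TCNs.
        double_blinded = shuffled(pow(v, self._b, P) for v in phone_blinded)
        server_blinded = shuffled(
            pow(hash_to_group(s), self._b, P) for s in self._infected
        )
        return double_blinded, server_blinded


def psi_cardinality(received, infected):
    """Run the three-step exchange and return how many TCNs are in both sets."""
    phone, server = Phone(received), Server(infected)
    double_blinded, server_blinded = server.respond(phone.blind())
    return phone.count_matches(double_blinded, server_blinded)


if __name__ == "__main__":
    # Constructed sample data: 20 received TCNs, 3 of which are reported infected.
    received = [new_tcn() for _ in range(20)]
    infected = [new_tcn() for _ in range(50)] + received[3:6]
    print("plain match reveals:", len(plain_decentralised_match(received, infected)), "specific TCNs")
    print("PSI cardinality reveals only the count:", psi_cardinality(received, infected))
```

In the plain variant the phone can link each matching TCN back to the time and place it was received; in the blinded variant it obtains a number and nothing to link.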

Prof Elisa Resconi, initiator of the

ContacTUM group. (Photo courtesy

of Magdalena Jooss)



security strategies

PROFITS AND PITFALLS

WELL-CRAFTED SOCIAL MEDIA CONTENT CAN DELIVER A MULTITUDE OF BENEFITS. BUT THERE IS

A POTENTIAL DOWNSIDE, WARN THE CYBER THREAT INTELLIGENCE PROFESSIONALS AT CYJAX

Focusing on the use of social media

for business, our paper 'Social

Media for Business: Profits and

Pitfalls' begins with an exploration of

how companies can best harness the

opportunities offered by platforms

such as LinkedIn, Facebook, Twitter

and YouTube. Well-crafted content can

enhance a commercial footprint, attract

new customers and encourage brand

loyalty. As noted in a 2019 survey

by Social Media Today: "77% of

consumers are more likely to buy from

businesses/brands they follow on Social

Media." Intriguingly for businesses

building a social media strategy, the

same survey found that "Non-Customers

are three times more likely than

customers to visit retailers from Social

Media ads." i

Yet the use of social media also raises

questions about the responsibilities of

companies to keep customers informed

about problems. While clients now

expect early disclosure in the public

domain, communicating bad news can

impact client confidence. Companies

may consider it to be too great a risk

to publicise the problems, even though

failing to do so could result in serious

consequences for brand loyalty.

A recent example of social media being

used to announce a security incident

occurred in May 2020, when easyJet

announced on its Twitter account that

malicious actors had accessed the email

and travel information of around nine

million customers - including the credit

card details of around 2,000 of these -


in a "highly sophisticated attack". ii

This, inevitably, led to questions from

customers about the data breach,

allowing easyJet to respond quickly to the

concerns and demonstrating transparency

over the incident. However, it also invited

criticism of the length of time taken

to inform customers about the breach:

despite having informed the Information

Commissioner's Office within 72 hours, as

required by the General Data Protection

Regulation (GDPR), it appears the incident

actually occurred in January - five months

before the news hit the media. iii It is still

too early to tell what reputational effects

this will have on the airline.

The paper continues with a brief

discussion of privacy, noting that many

people do not appreciate that the posts

they make on social media are essentially

open to public view: even if they have

implemented privacy settings, there are

no guarantees that the information they

post will remain private. For businesses,

difficulties can also arise when a member

of staff shares company information on

their private accounts or criticises their

employer openly. Can we all be certain

that the people we allow to view our

posts are as responsible with their privacy

settings as we are? Who knows if a friend

or other contact is sharing that post or

taking a screenshot of it and then having

it read by a competitor?

One other point here concerns the issue

of social media being used as a vector for

conspiracy theories. At first glance, that

may appear to be of little importance to

workplace social media. However, bear

in mind that the latest 'theory' consists

of allegations that 5G is behind the

coronavirus (COVID-19) pandemic.

This could have a detrimental impact

on companies that are involved in the

telecommunications sector, were 5G

conspiracy posts shared on their social

media accounts. Similarly, the furore

over President Trump's pronouncements

on his use of the anti-malaria drug

hydroxychloroquine could inspire people

to target pharmaceutical companies and

health facilities.

The next section of the paper comprises

an overview of phishing scams, detailing

the methods used by both cybercriminal

gangs and state-sponsored APTs, in order

to dupe individuals and employees into

inadvertently providing them with the

information that they need to hack into

a company's network.

According to research carried out

by KnowBe4, 91% of successful data

breaches start with a phishing attack,

meaning clear strategies to deal with the

threat are vital to the smooth running

of any business today. iv Further refining

the phishing attack, threat actors with

greater resources may spend significant

time - in some cases, months - studying

a business and its workforce, in order to

perpetrate a successful Business Email

Compromise (BEC) campaign. The FBI's

Internet Crime Complaint Center (IC3)

reported in 2019 that it had received

23,775 Business Email Compromise (BEC)

complaints, with adjusted losses of more

than $1.7 billion. An increase in scams

specifically targeting payroll funds was

also noted. v These attacks are only

expected to increase in 2020.

We conclude that it is essential for

companies to develop a specific social

media policy for all employees, with

clear guidance on the posting of both

personal and corporate information.

A small team of employees should also

be given responsibility for the operation

of corporate accounts. Suggestions are

also given about relevant cybersecurity

training for all staff in all organisations -

from the post room to the boardroom.

Social media can be a great resource for

business when managed properly and

deployed successfully.

Keywords: social media, phishing, BEC,

COVID-19, cybercrime, cybersecurity, 2FA,

Twitter, Facebook, LinkedIn, Instagram,

YouTube

If you would like a copy of our report,

please follow this link:

https://www.cyjax.com/download/socialmedia-and-business-profits-and-pitfalls/

i. https://www.socialmediatoday.com/news/8-social-media-marketing-stats-youshouldnt-ignore/557405

ii. https://twitter.com/easyJet/status/1262802432872120321

iii. https://www.independent.co.uk/lifestyle/gadgets-and-tech/news/easyjetcyber-attack-hack-personal-data-creditcard-details-a9523731.html

iv. https://www.channelfutures.com/mssp-insider/knowbe4-cybercriminals-settinglinkedin-phishing-traps

v. https://pdf.ic3.gov/2019_IC3Report.pdf



expert insights

REMOTE WORKING: DO IT RIGHT

HOW DO YOU ENSURE YOUR BUSINESS REMAINS SECURE DURING REMOTE WORKING?

PHIL UNDERWOOD, CHIEF INFORMATION OFFICER, SECURENVOY, AND CHRIS CASSELL,

TECHNICAL SPECIALIST, SECURENVOY, OFFER THEIR INSIGHTS

Over the years, there has been an

increase in remote working, as

organisations look to promote

flexible working. With technology

constantly improving, employees are no

longer restricted to working in a traditional

office space.

However, the current global pandemic

has forced businesses worldwide to rapidly

implement remote working across their

workforce while travel restrictions are in

place. Few businesses were ready to support

the complete workforce in the current form of remote working, in case

of an emergency such as the pandemic.

Even fewer conducted a readiness event

to understand, prepare and provide

remediation to cover the shortfalls and

problem areas that would impact their

day-to-day operations. In such situations,

hackers are fully ready to take advantage,

whether this is for financial gain, to damage

a company's reputation or steal sensitive

assets. Thus, the various security challenges

that remote working brings need to be

addressed to ensure business data is not

put at risk. Below are some of the topics

that need to be considered to ensure your

business remains secure during remote

working.

USE OF BYOD

With a surge in requirements to support

non-typical mobile workers, it is all too easy

to allow use of a home machine to fulfil

a need. Yet, this approach brings its own

issues, namely the integrity of the machine,

whether the OS type and patching are up

to date and supported, browser type and

support are allowed and secure, the firewall

is active or not, and if there is anti-virus

and malware capability. Home computers

are also more likely to have been used by

non-security trained people at some point.

Therefore, use of BYOD can increase

vulnerability to cyber threats.

PROTECTING YOUR ENDPOINTS

Now that you are discouraged from

allowing BYOD devices, securing your

endpoints is key. As users are using their

current corporate machines, most of this

can be managed remotely for firewall, antivirus,

malware and OS patching, in addition

to password management policies. When

we discuss endpoint protection, ideally

having a solution that provides data loss

protection is key, as now the corporate


machine is most likely to be exposed to

threats upon the home network. Finally,

protecting the endpoint is not just about

cyber security, but also physical security.

Ideally, the same policies should be executed

at home, such as screen locking, invoking

MFA for laptop access and securely storing

the laptop when not used.

USER ACCESS

To enable remote working, users require

access to applications. Typically, access

is granted with a username-password

combination. However, multiple applications

require users to remember multiple

passwords which, if they forget, can lead

to locked accounts or end up with users

writing them down. A single sign-on

solution (SSO - identity provider) can resolve

most of these issues, but ideally multi-factor

authentication (MFA) should augment the

login process, as an SSO solution allows

a single password to access a plethora of

applications.

EMAIL SECURITY

All too often email security solutions allow

a phishing or similar bad email to be

delivered to a recipient. These may have

a bad payload or embedded link to a

compromised site. Hackers are getting

more imaginative in setting up new email

domains and locations, in order to send

their spam messages. The best piece of

advice is, if in doubt, delete the email. If it

is someone you do not know or conduct

business with, delete the email. If the sender

persists, pass it to your IT security team

who can check the message for validity.

Aside from the technical working

environment, the physical working

environment also needs to be considered.

The level of focus that employees have in

an office takes time to develop in a home

environment: patience, dedication and

routine are not achieved overnight. The

home environment can provide distractions

you might not otherwise have in the office,

which can lead to human error. You attach

the wrong version of a file, or send it to

the wrong person, and there is the breach.

That's how data leaks. It is a situation that

is less likely to happen in an office, as there

is less distraction. Hence, alongside antivirus

and endpoint protection, businesses

also need data governance and data loss

prevention solutions. Generally, employees

are not focused on security when doing

their job and that is understandable. Lack

of focus on security is even more prevalent

in environments when they are juggling

several other priorities at once.

This is why tools that can enforce and

educate the security policy interactively are

so much more important. By controlling

what users can access and then, in turn,

what they can do with that data once they

receive access, you can ensure that it is

not going to be subject to those minor

human errors. This can stop the accidental

attachment of the wrong version of a file,

provide a reminder to check the recipients

of an email and stop data transfer to

external media to work on it on home

devices, all of which can help prevent

breaches.

Finally, having clear, defined policies and

guidelines for staff ensures a smooth and

trouble-free remote working deployment.

Provide education sessions to reinforce safe

working practices from time to time and

support staff who are completely new to

this concept. Teach them about physical

security, as well as cyber security, as they

both go hand in hand with a successful

remote access strategy. Lastly, detail a simple

escalation path for when things may and

do go wrong. In this way, mitigation steps

can be applied quickly and any potential

damage is limited.

Remote working during the current time

is essential and highly beneficial, so the

need to ensure your business is secured

during this time is crucial.

Phil Underwood, Chief Information

Officer, SecurEnvoy.

Chris Cassell, Technical Specialist,

SecurEnvoy.

www.computingsecurity.co.uk May/June 2020 computing security

@CSMagAndAwards

13


masterclass

BUSINESS CONTINUITY AND CRISIS

MANAGEMENT IN THE TIME OF COVID-19

BY KEV BREAR, DIRECTOR OF CONSULTING; TECHNOLOGY RISK MANAGEMENT, AT XCINA CONSULTING

Kev Brear: appropriate leadership at

strategic management level is the key to

steering a path through the current crisis.

Rob Treacey, MD; Co-Head of Xcina

Consulting and Shearwater Group DPO.

The Covid-19 pandemic crisis has

generated unprecedented challenges

and, whilst it is entirely correct that

the current focus is upon saving lives, life

carries on and that sentiment applies most

pressingly to global business operations and

economic activities.

The traditional approach used by many

organisations to manage the effects of

business disruptions has been to employ

business continuity solutions to ensure that

their critical business activities, or services,

continue to operate at acceptable levels.

However, it has been suggested in many

forums that business continuity solutions

are best designed to deal with operational

level disruptions, such as technology failures,

physical damage and supply chain

disruptions. These types of disruptive events

are often described as high frequency, with

low or medium levels of impact incidents.

The response to these types of incidents can

often be effectively managed, following

predefined plans and procedures, with little

or no input from the strategic management

team of the organisation dealing with the

situation.

The potential limitations of business

continuity solutions become quite apparent

when responding to the challenges that

arise from life-threatening, existential or

reputational crises. By contrast, these types

of crises are low frequency and have high

or catastrophic levels of impacts. These

crises always require flexible and adaptive

responses that can only be provided through

appropriate leadership from the strategic

management level of an organisation.

It also seems quite apparent that it is

possible to deploy a hybrid response,

using both business continuity and crisis

management solutions to tackle those rare

situations that require an extraordinary

response. The current Covid-19 crisis is

exactly the sort of unprecedented event

that requires such a response.

The most obvious challenges that arise

in using a hybrid response strategy lie in

the areas of leadership, coordination and

communication, but these areas always

represent challenges in any adverse situation

and the organisation merely has to leverage

its proven arrangements, whilst bearing

in mind the additional complexities and

conflicting priorities of the highly dynamic

situation. Once the crisis management

team (CMT) has defined its objectives and

strategies, the CMT then has to convey the

correct information and requests for action

to the relevant members of the organisation,

whilst also conveying the appropriate

messaging to its wider group of

stakeholders.

The CMT must then work with the business

continuity function and put in place the

appropriate supporting business continuity

activities. All these coordinated activities

must then continue until the business is

ready to transition back to a stable operating

environment.

It is difficult to anticipate the outcome

or duration of the current crisis; however,

it seems reasonable to assume that the

recovery period may be protracted, before

a stable state of operations may be achieved.

It may also be reasonable to say that the next

few months could be quite transformational

for many organisations and lessons will

have been learned, and will continue to

be learned, as this global crisis unfolds.



threat intelligence

APTS AND COVID-19

A RECENT INTELLIGENCE REPORT REVEALS HOW ADVANCED

PERSISTENT THREATS ARE USING THE CORONAVIRUS AS A LURE

Since it first showed itself, Coronavirus

has had a catastrophic impact on our

lives, turning into a global pandemic

that has upended economies, livelihoods

and hospital systems - nearly every facet

of everyday life has been touched. Such

uncertainty and fear surrounding the

virus and its impact represents a golden

opportunity for threat actors to exploit the

situation, as Malwarebytes points out in one

of its latest Threat Intelligence Reports. "By

using social engineering tactics such as spam

and spear phishing campaigns, with COVID-19

as a lure, cybercriminals and threat actors

increase the likelihood of successful attack.

From late January on, several cybercriminal

and state-sponsored groups have been

doing just that, using coronavirus-themed

phishing emails as their infection vector to

gain a foothold on victim machines."

In its white paper, Malwarebytes provides

an overview of several APT groups using

coronavirus as an enticement, as well as

a description of their varied attack vectors,

categorising the APT groups according

to the technique they used to send spam

or phishing emails: template injection,

malicious macros, RTF exploits and malicious

LNK files. Below, Computing Security looks

at just a few that are singled out.

TEMPLATE INJECTION

Template injection refers to a technique in

which threat actors embed a script moniker

in the lure document - usually a Microsoft

Office document - that contains a link to a

malicious Office template via an XML setting.

Upon opening the document, the remote

template is dropped and executed. Kimsuky

and Gamaredon are examples of APTs using

template injection. Kimsuky (also known as

Velvet Chollima) is a North Korean threat

actor group that has been active since 2013

and is known to be behind the KHNP (Korea

Hydro & Nuclear Power) cyber terrorism

attacks of 2014.

Gamaredon is a Russian APT that is known

for performing cyber espionage operations

primarily against Ukrainian military forces,

as well as individuals related to the Ukrainian

government. Gamaredon has been active

since 2013 and often uses spear phishing

as its initial infection vector.
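The remote template link described in this section is stored as a relationship entry inside the Office package, which lets a mail gateway or triage script flag it without opening the file. The Python check below is an added example, not code from Malwarebytes or Computing Security; the sample documents are constructed in memory, and the host names and file names are placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
MAX_RELS_SIZE = 1024 * 1024  # relationship parts are tiny; a larger one is suspect


def is_remote_target(target):
    """True when the template would be fetched from another host."""
    if target.startswith("\\\\"):  # UNC path such as \\host\share\x.dotm
        return True
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return True
    # file://host/share/... names a remote host; file:///C:/... is a local path.
    return scheme == "file" and parsed.netloc not in ("", "localhost")


def find_remote_templates(docx_bytes):
    """Scan every .rels part of an OOXML package for remotely hosted templates."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for info in pkg.infolist():
            if not info.filename.lower().endswith(".rels"):
                continue
            if info.file_size > MAX_RELS_SIZE:
                findings.append({"part": info.filename, "target": None,
                                 "reason": "oversized relationships part"})
                continue
            data = pkg.read(info)
            # OOXML parts never need a DTD, so refuse to parse one
            # (guards the scanner against entity-expansion input).
            if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
                findings.append({"part": info.filename, "target": None,
                                 "reason": "DTD in relationships part"})
                continue
            try:
                root = ET.fromstring(data)
            except ET.ParseError:
                findings.append({"part": info.filename, "target": None,
                                 "reason": "unparseable relationships part"})
                continue
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if external and is_remote_target(target):
                    findings.append({"part": info.filename, "target": target,
                                     "reason": "attached template on a remote host"})
    return findings


def build_sample_docx(template_target):
    """Constructed, minimal OOXML package used only to exercise the scanner."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
            'Target=%s TargetMode="External"/></Relationships>'
            % (REL_NS, ATTACHED_TEMPLATE, quoteattr(template_target)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/'
                     'package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                     'wordprocessingml/2006/main"/>')
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "remote": "https://templates.example.invalid/update.dotm",
        "local": "file:///C:/Users/alice/AppData/Roaming/Microsoft/Templates/Normal.dotm",
    }
    for label, target in samples.items():
        print(label, find_remote_templates(build_sample_docx(target)))
```

A template attached from a local path is normal in business documents, so the check alerts only on targets that resolve to another host.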

MALICIOUS MACROS

Embedding malicious macros is the most

popular method of infection used by APTs,

warns Malwarebytes. In this attack vector,

a macro is embedded in the lure document

that will be activated upon its opening.

APT36 is another threat group that has

employed macro-embedded COVID-19

themes in its recent campaigns. The group,

believed to be Pakistani state-sponsored,

mainly targets the defence, embassies and

government of India. The primary targets

of this APT are organisations related to

diplomatic and government agencies in the

UK, China, Japan, the Middle East, the US,

Bangladesh, Sri Lanka and Pakistan.

Hades is the APT group behind the attack

against the Pyeongchang Winter Olympics.

"Evidence suggests that this group is

connected to the well-known Russian threat

actor APT288. In their recent campaign,

called Tricky Mouse, Hades targeted

Ukrainian users using COVID-19 lures."

The Malwarebytes Threat Intelligence team

is, it’s reported, "monitoring the threat

landscape and paying particular attention

to attacks trying to abuse the public's fear of

the COVID-19 crisis".



cyber threats

ATTACK - NO RETREAT!

THE EXTENT OF CYBER SECURITY THREATS HAS NOT DIMINISHED.

IN FACT, QUITE THE OPPOSITE, WARNS THE GOVERNMENT

In the Department for Digital, Culture,

Media and Sport's recently released 'Cyber

Security Breaches Survey 2020', one key

finding is how cyber-attacks have evolved

and multiplied (the full survey can be found

at: https://bit.ly/2QIyCHY). Almost half of

businesses (46%) report having cyber security

breaches or attacks in the last 12 months.

As in previous years, this figure is higher

among medium businesses (68%) and large

businesses (75%). The findings are in line with

2017 when the question was first asked.

Of the 46% of businesses that identify

breaches or attacks, more are experiencing

these issues at least once a week in 2020

(32%, against 22% in 2017). The nature of

cyber-attacks has also changed since 2017.

Over this period, there has been, among

those identifying any breaches or attacks,

a rise in businesses experiencing phishing

attacks (from 72% to 86%), and a fall in

viruses or other malware (from 33% to 16%).

Organisations have become more resilient to

breaches and attacks over time. They are less

likely to report negative outcomes or impacts

from breaches, and more likely to make

a faster recovery. However, breaches that

do result in negative outcomes still incur

substantial costs. Among the 46% of

businesses that identify breaches or attacks,

one in five (19%) have experienced a material

outcome, losing money or data. Two in five

(39%) were negatively impacted, for example

requiring new measures, having staff time

diverted or causing wider business disruption.

Where businesses have actually encountered

breaches with material outcomes, the average

(mean) cost of all the cyber security breaches

they have experienced in the past 12 months

is estimated to be £3,230. For medium and

large firms, this average cost comes in higher,

at a sum of £5,220.

Over the last five years, there has been much

greater board engagement in cyber security,

including increased action to identify and

manage cyber risks. These improvements

may well underpin the fact that organisations

have become more resilient.

Board engagement is clearly shown to have

increased substantially over time:

- Eight in 10 businesses now say that cyber security is a high priority for their senior management boards (80%, up from 69% in 2016)

- Half of businesses (51%) update their senior management on cyber security at least quarterly. The proportions that say they never update them have steadily declined for businesses (from 26% in 2016 to 17% in 2020)

- Around two-fifths of businesses have board members with a cyber security brief (37%, up from 28% in 2016).

Improvements over time, when it comes to

identifying and managing risks, include more:

- Businesses seeking out information and guidance (54%, versus 44% in 2016)

- Businesses (35%, versus 23% in 2016) carrying out essential cyber security risk assessments

- Businesses (43%, versus 34% in 2016) having staff whose job role includes information security and governance

- Businesses (38%, versus 29% in 2016) having written cyber security policies

- Businesses (69%, versus 58% in 2018, when this was first asked) are backing up their data on cloud servers.

Across all these findings, organisations

appear to have maintained, but not

necessarily enhanced, the technical controls

and governance processes they introduced

for the two-year-old General Data Protection

Regulation (GDPR). "While the overall trends

since 2016 are positive and significant, the

changes since the 2019 survey specifically are

relatively modest. However, there is still more

that organisations might do on a range of

diverse topics such as audits, cyber insurance,

supplier risks and breach reporting." The

report acknowledges that organisations may

be confused about how they should be

considering these topics and what best

practice is.

Half of businesses (50%) say they have

carried out an internal or external audit in

the last 12 months. "However, our qualitative

research indicates that the quality of these

audits varies greatly. In some cases, external

audits were broader financial audits that

covered aspects of cyber security but did not

focus on the topic." According to the survey,

a minority of businesses:

- Report being insured against cyber risks (this cover was in place for 32%)

- Have reviewed the cyber security risks presented by suppliers (15% of all businesses, 43% of large businesses specifically)

- Have reported cyber security breaches to anyone beyond their IT or cyber security providers (27% of businesses, among those that identified any breaches or attacks).

The qualitative research also suggests that

current communications, both around

supplier risks and reporting of breaches,

can be confusing for organisations. Some

interviewees considered supplier risks only

in terms of IT providers, internet service

providers and other digital service providers -

not wider non-digital service suppliers. Also,

reporting meant different things in different

contexts:

- Reporting to IT or cyber security providers as part of incident response

- Reporting financial losses to banks and insurance companies, public declarations to customers or suppliers

- Reporting to wider authorities. It was found that organisations were also unclear on who to report to, and the impact of reporting.

Finally, the government findings also

highlight opportunities and channels to

spread good practice. In the qualitative

interviews, banks, insurance companies and

accountants often played a major role in

guiding organisations on cyber security.

It was also discovered that organisations are

often primed to think about cyber security

during financial audits, when filing tax

returns, in meetings with insurance brokers

and when undergoing broader technological

changes - for example, upgrades to an

operating system or moving to a cloud server.

How has the security industry reacted to

the survey? Here are some of the reactions

gathered by Computing Security:

Jérôme Robert - director at Active Directory

cybersecurity specialists Alsid

"We welcome the overall conclusions of the

report, namely that organisations' IT estates

seem to be better protected than they were

a year ago. Likewise, it's good news that

UK organisations are more resilient today,

bouncing back from attacks more quickly

than shown in the findings of previous

reports. But there is still some cause for

concern. The report points out that successful

attacks and data breaches still cause

significant harm to businesses, and that

the battle is not won - and never will be.

"Positive progress is great, but it should not

be seen as a reason for companies to take

their foot off the accelerator when it comes

to IT security. Cybercriminals and threats are

constantly evolving, as is the landscape within

which they operate.

"Take the current COVID-19 pandemic,

which is gripping the world: massive changes

in workstyles, driven by remote working,

are a gift for hackers. Likewise, we talk a lot

about the rise of AI applications to boost

security, but don't forget that cybercriminals

also have access to AI, which they can use

to launch more dangerous, targeted attacks

in higher volumes, thanks to automation.

Ransomware is seen as a common threat

these days and it is downplayed in the report,

but daily headlines show how punishing it

can be.

"NetWalker is one of the latest strains of

ransomware, which is now being used to

target healthcare workers already under strain

from the impact of COVID-19. To protect

against all types of threats, security teams

need to keep moving forward, adapting

strategies to fit the current threat landscape

and making sure often forgotten, but crucial,

elements like Active Directory security are

taken care of. Hopefully, we'll see more

progress reported in the UK government's

2021 findings."


Jérôme Robert, Alsid: security teams must

adapt strategies to fit the current threat

landscape.

Margarete McGrath, Dell Technologies:

businesses should undertake regular senior

leadership war-gaming activities to build

awareness and readiness.


Ed Macnair, CensorNet: if organisations

think they have their email security under

control, they need to think again.

Jens Monrad, FireEye: by acting fast,

businesses can mitigate the consequences

of a ransomware infection.

Margarete McGrath, chief digital officer,

Dell Technologies

"The latest release of the Department for

Digital, Culture, Media and Sport Cyber

Security Breaches Survey suggests there is

more that must be done by businesses

to increase resiliency and preparations for

when - not if - they are targeted. In today's

evolving threat landscape, businesses must

take an holistic approach to building

business resilience, supported by investment

in cyber resilience and business continuity

activities, that will enable businesses to

further minimise their losses when they

suffer an attack. Areas that businesses

should prioritise include safeguarding critical

data, improving data isolation protocols,

investing in artificial intelligence (AI) and

machine learning (ML) tools that can keep

businesses one step ahead of malicious

actors and having automated disaster

recovery processes in place.

"Education and business readiness are also

vital. Businesses should undertake regular

senior leadership war-gaming activities

to build awareness and readiness, and

continually assess supplier and partner

risks. They also need to consider how they

protect emerging technologies. According

to the findings of our recent Global Data

Protection Index, 98% of businesses are

investing in technologies such as the

Internet of Things and AI, but 52% of those

reported a lack of data protection solutions

for these technologies. We predict that this

will be a huge priority in the months and

years ahead."

Ed Macnair, CEO of Censornet

"This year's Cyber Security Breaches Survey

from the DCMS demonstrates the increasing

sophistication and threat from email attacks.

The volume of phishing and impersonation

attacks continues to rise, showing that cyber

criminals are turning to social engineering

tactics in order to access organisations'

sensitive data. The statistics show plainly

that these attacks are far more prevalent

than the likes of ransomware attacks,

but they make the headlines far less.

Organisations may think they have their

email security under control, but they

evidently need to think again. It has been

especially worrying to see the rise in

fraudulent emails related to the coronavirus.

Although there is no doubt about the

importance of training employees to

recognise these more sophisticated

techniques, these scams are designed to

take advantage of emotions so it's absolutely

crucial that organisations put systems in

place to protect employees from even

receiving the emails. Organisations need to

use email security that combines algorithmic

analysis, threat intelligence and executive

name checking to efficiently protect

themselves against these evolving attacks."
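The "executive name checking" mentioned above can be illustrated with a short filter that compares a message's display name against a list of senior staff and then checks the domain of the sender's address. This Python sketch is an added example, not Censornet's product logic or anything published with the survey; the trusted domain, executive names, threshold and sample messages are all constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher
from email import message_from_string, policy

# Assumptions for this example: the organisation's own mail domain and a
# short executive directory. Both are constructed placeholders.
TRUSTED_DOMAINS = {"example.co.uk"}
EXECUTIVE_NAMES = ["Jane Doe", "Rafael Núñez"]
LOOKALIKE_THRESHOLD = 0.85  # similarity to a trusted domain that counts as a near miss


def normalise_name(name):
    """Fold case, accents, punctuation and word order: 'DOE, Jane' -> 'doe jane'."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    words = "".join(c if c.isalnum() else " " for c in stripped.casefold()).split()
    return " ".join(sorted(words))


EXECUTIVE_KEYS = {normalise_name(n) for n in EXECUTIVE_NAMES}


def is_lookalike(domain):
    """True for a domain that is close to, but not equal to, a trusted domain."""
    return any(domain != trusted and
               SequenceMatcher(None, domain, trusted).ratio() >= LOOKALIKE_THRESHOLD
               for trusted in TRUSTED_DOMAINS)


def first_address(msg, header):
    """Return the first parsed address of a header, or None when absent."""
    value = msg[header]
    if value is None or not value.addresses:
        return None
    return value.addresses[0]


def check_message(raw_message):
    """Return a list of reason codes; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = first_address(msg, "From")
    if sender is None:
        return ["missing-from"]
    reasons = []
    domain = sender.domain.lower()
    is_exec = normalise_name(sender.display_name) in EXECUTIVE_KEYS
    if is_exec and domain not in TRUSTED_DOMAINS:
        reasons.append("executive-name-external-domain")
    if is_lookalike(domain):
        reasons.append("lookalike-domain")
    reply_to = first_address(msg, "Reply-To")
    if (is_exec and reply_to is not None
            and reply_to.domain.lower() not in TRUSTED_DOMAINS):
        reasons.append("executive-reply-to-external")
    return reasons


# Constructed sample messages (headers only matter for this check).
SAMPLE_MESSAGES = {
    "genuine": ("From: Jane Doe <jane.doe@example.co.uk>\n"
                "To: accounts@example.co.uk\nSubject: Q2 figures\n\nSee attached.\n"),
    "display_name_spoof": ('From: "Doe, Jane" <ceo.office@mail-provider.example>\n'
                           "To: accounts@example.co.uk\nSubject: Urgent payment\n\nHi.\n"),
    "lookalike": ("From: Jane Doe <jane.doe@examp1e.co.uk>\n"
                  "To: accounts@example.co.uk\nSubject: Invoice\n\nHi.\n"),
    "reply_to_diversion": ("From: Jane Doe <jane.doe@example.co.uk>\n"
                           "Reply-To: jane.doe@freemail.example\n"
                           "To: accounts@example.co.uk\nSubject: Quick favour\n\nHi.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, check_message(raw))
```

A check like this complements sender authentication rather than replacing it, because a display name can be forged on a message from any domain that itself passes authentication.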

Jens Monrad, head of Mandiant Threat

Intelligence, EMEA, FireEye

"Although DCMS report that the number

of ransomware incidents has halved since

2017, our FireEye Mandiant ransomware

investigations increased 860% from 2017

to 2019. The majority of these attacks were

deployed out of hours. Cybercriminals never

switch off and so organisations should have

emergency plans in place, and ensure after-hours

coverage is available to respond

instantly in the case of an emergency.

"From our investigations, we've seen

hackers become a lot more sophisticated

in their tactics, with careful planning and

execution. Most of the ransomware

deployments take place three or more

days after the initial infection. This means

that, even if an organisation does fall

victim to having their network and data

compromised, there is some leeway

between the first malicious action and

ransomware deployment. If initial infections

are detected, contained and remediated

quickly - before the ransomware is deployed

- businesses can mitigate the financial

and reputational consequences of the

ransomware infection," he concludes.



health service

NHS WALES BOLSTERS ITS DEFENCES

NHS WALES INFORMATICS TEAM HAS TAKEN URGENT STEPS TO PROTECT

CRITICAL SYSTEMS FROM A SURGE IN CYBER-ATTACKS

The National Digital Exploitation Centre,

or NDEC, is a world-class dedicated

technology hub situated in the South

Wales Valleys, co-developed by the Welsh

government, University of South Wales

and technology company Thales.

Thales is supplying its cyber security

capabilities to the Welsh Government

to protect NHS Wales free of charge

from now until September, in light of hackers

attempting to exploit the Coronavirus crisis.

As health services across the world battle

the pandemic, the new agreement will

enable the NHS Wales Informatics team to

protect vital systems from a surge in cyberattacks

by accessing Thales's technical threat

analysis service, a global centre of knowledge

about the latest and emerging threats. Thales

will be providing the service to NHS Wales

free of charge.

Thales's intelligence service makes available

its intelligence, identification, computer virus

spread monitoring, threat analysis and rapid

response skills to healthcare systems across

the world, now including NHS Wales. "In this

highly unusual situation, we all need to work

together to protect the vital services on which

patients and NHS staff rely," states Gareth

Williams, VP Secure Communication and

Information Systems for Thales UK.

TELEWORKING BREACHES

Thales also points to the many cybercriminals

taking advantage of the disruption caused by

the Covid-19 outbreak to infiltrate corporate

networks through loopholes created by the

large-scale introduction of teleworking.

"To minimise the risks of a cyber-crisis,

organisations and individuals need to be

especially careful to prevent cybercrime at

this difficult time," cautions Thales, which

offers these eight tips to help people to stay

vigilant when working from home.

- Secure your home network. Keep your home Wi-Fi access safe. Activate WPA2 (Wi-Fi Protected Access) encryption to shield information sent on the home network, change the password which came with the device and make it a strong one

- Hide your work laptop. To minimise the risk of an intrusion, your work laptop should be hidden from other computers on your home network. Make sure the network discovery function is turned off

- Stay private. Cover your webcam and deactivate your microphone after teleconferences to prevent spying and malicious listening. Don't discuss sensitive information over unsecured networks

- Click prudently. Avoid downloading apps, unknown software, music or videos from untrusted websites. Use official sources for information on Covid-19

- Beware of phishing. Even if an email or text message appears to be from a familiar source, always double-check details such as spelling, grammar and the domain name of the sender's address. If in doubt, alert your IT security manager. Don't forward the email to colleagues and do not open attachments or click on links

- Be careful with social media. As social networks can be vulnerable to cyberthreats, avoid using social media on business devices. Ensure antivirus solutions are installed and up to date

- Use secured platforms. Switch to secure authentication services and virtual private networks to send sensitive information. Use hacker-proof remote collaboration solutions

- Go offline. Disable your Wi-Fi at night to prevent cyberattacks. Switch off both your VPN and your computer at the end of the day to enable system updates.



phishing campaigns

ACCESS ANGST

WHEN COMPANY EMPLOYEES ARE FORCED TO START WORKING REMOTELY, THEY ARE OFTEN

LEFT WITH LITTLE TIME TO PREPARE FULLY - AND THAT CAN HAVE SERIOUS REPERCUSSIONS

François Amigorena, IS Decisions:

cybercriminals are targeting remote

employees.

Each time an employee connects to the

corporate network from home, they

create a new access point that can

often be exploited. What can companies do

to protect the remote use of these corporate

credentials? Windows Active Directory (AD)

is still the main identity and access platform

used by companies all around the world. "In

fact, 95% of Fortune 1000 companies use it,"

points out François Amigorena, founder and

CEO of IS Decisions. "Keeping that in mind, if

you want to secure your remote workers, you

are likely going to need to secure the remote

use of AD logins."

With the coronavirus outbreak, new

phishing email campaigns are a constant

concern. "Like the disease itself, the

cybercriminals are targeting the most

vulnerable - your new remote employees.

Public fear is the perfect opportunity for

them to attract their victims with links

or document downloads of safety

recommendations and infection maps. Now

more than ever, the probability of employees

clicking on a link or opening an attachment

is high, and hackers know it," he adds.

In such times, poor security of Active

Directory logins can put your business at risk.

The threat surface is now bigger than ever,

considering that most companies have been

forced to work from home. "Most of them

didn't even have time to prepare for remote

working which increases the risk even more,"

states Amigorena. "They just rushed to allow

Microsoft remote desktop (RDP) access,

in order to let employees access desktop

resources without having to be physically

in the office. The focus has been the

continuation of operations, leaving little

attention for information security."

In order to help minimise the risk of remote

working, Amigorena advises the following:

- Have a clear equipment policy for remote workers: as much as possible, use the devices available, secured and controlled by your company. If you can't do that, you have to give clear usage and security rules and guidance to your remote employees

- Make sure to secure external access: the best way is by using a VPN (Virtual Private Network). To be even more secure, you can limit VPN access only to devices authorised by the company. This is a great way to strengthen your security. If an attacker tries to log in from an 'unauthorised' device, connection must be denied

- Establish a strong password policy: to be secure, passwords have to be long enough, complex and unique. To address the vulnerabilities of passwords, you can enable two-factor authentication on your remote sessions, especially for logins to the corporate network

- Have a strict security update policy: as soon as a security update is available, you need to deploy it on all devices on your network. Attackers can quickly exploit those vulnerabilities

- Ensure regular backup of data and activities: backup is important. If your organisation gets attacked, it might be the only way to recover your data. You have to perform backups regularly and test them to be sure they are working

- Install professional antiviral solutions: antiviral solutions protect your company from most common viral attacks, but not only those. Sometimes they also offer protection from phishing or from some ransomware attacks.



GDPR

LAYING DOWN THE LAW

THE GENERAL DATA PROTECTION REGULATION LAWS ARE TWO YEARS OLD,

BUT ARE THEY HAVING THE IMPACT EXPECTED IN FORCING ORGANISATIONS

TO PROTECT THEIR DATA TO THE HIGHEST STANDARDS? BRIAN WALL REPORTS

Personal data protection laws are now

springing up around the world, with the

EU's General Data Protection Regulation

(GDPR) to the fore. The regulations have

made organisations acutely aware of the

need to protect personal data placed in their

care. Not to do so can result in massive fines.

"Under General Data Protection Regulation

(GDPR), the Information Commissioner's

Office (ICO) can fine organisations up to 4%

of global turnover for any given personal data

breach," says Tim Stevenson, regional sales

manager UK, Ireland & Nordics, Verbatim.

"Quite apart from this, a breach can cause

reputational damage and great harm to the

individuals whose data is leaked, stolen or

lost. They may well sue, which will only add

to the expense, both reputational and

financial."

While the computer industry has enabled

sophisticated processing of personal data,

it has also facilitated its loss. Corporate IT

systems and networks have all manner of

measures in place to minimise the risk of

a data breach, but it's a different story when

data is physically on the move. How many

times have you heard of mobile phones,

laptops, USB sticks, portable hard drives or

optical discs being mislaid or stolen? "Quite

often, the data is readable, either straight

away or with a minimum of effort by a

suitably skilled and equipped individual,"

points out Stevenson. "And it's readable,

because, most of the time, it's not encrypted."

Some of the most horrendous cases have

been patient records, he adds, many

thousands of which could sit in a USB stick,

for example. "These usually contain sufficient

personal information about an individual to

facilitate convincing identity theft. A recent

example is the special educational needs

teacher who left a memory stick containing

sensitive information about hundreds of

children in a laptop in a Lincolnshire council

office. On her return, it was gone. It was

never recovered. The ICO fined the council

£80,000, largely because the data was

unencrypted."

Jérôme Robert, Alsid: it took Cathay

Pacific almost four years to uncover the

breach it suffered.


Organisations of all kinds regularly move

confidential documents around, which would

cause severe problems if they fell into the

wrong hands. "It might be financial, legal,

trade secrets or intellectual property (IP), for

example. Every organisation will know what's

sensitive and what's not. When moving it

physically between venues, it would make

sense to encrypt it and keep the passcodes

secret and/or separate from the encrypted

device."

For its part, Verbatim offers a wide range

of portable storage devices, protected by

the AES 256-bit encryption system which,

it states, has never yet been cracked. The

devices, be they HDDs, SSDs, USB drives or

HDD enclosures, are protected by keypads,

fingerprint recognisers or conventional

computer password entry. "As long as the

passwords [or fingers] cannot be accessed by

the wrong people, the stored data is secure."

RANGE OF INFRINGEMENTS

What impact have the GDPR laws had, since

they came into force a little over two years

ago (25 May 2018)? In that time, more than

160,000 data breach notifications have been

reported across the 28 European Union

Member States, plus Norway, Iceland and

Liechtenstein. According to DLA Piper's latest

GDPR Data Breach Survey, data protection

regulators have imposed EUR114 million

(approximately USD126 million / GBP97

million) in fines under the GDPR regime for

a wide range of GDPR infringements, not just

for data breach. France, Germany and Austria

topped the rankings for the total value of

GDPR fines imposed, with just over EUR51

million, EUR24.5 million and EUR18 million

respectively. The Netherlands, Germany and

the UK topped the table for the number of

data breaches notified to regulators with

40,647, 37,636 and 22,181 notifications

each respectively.

The daily rate of breach notifications has

also increased by 12.6%, from 247

notifications per day for the first eight

months of GDPR (from 25 May 2018 to 27

January 2019), to 278 breach notifications

per day for the current year.

Weighting the results against country

populations, The Netherlands again come

top, with 147.2 reported breaches per

100,000 people, up from 89.8 per 100,000

people last year, followed by Ireland and

Denmark. From the 27 countries that

provided data on breach notifications, the

UK, Germany and France ranked thirteenth,

eleventh and twenty-third respectively on a

reported fine per capita basis. Italy, Romania

and Greece reported the fewest number of

breaches per capita. Italy, a country with a

population of over 62 million people, only

recorded 1886 data breach notifications

illustrating the cultural differences in

approach to breach notification.

GOOGLED

The highest GDPR fine to date (at the time of

going to press) was EUR50 million, which

was imposed by the French data protection

regulator on Google. This was for alleged

infringements of the transparency principle

and lack of valid consent, rather than for a

data breach. Following two high-profile data

breaches, the UK ICO published two notices

of intent to impose fines in July 2019

totalling GBP282 million (approximately

EUR329 million/USD366 million), although

neither of these was finalised as at the date

of this report.

Commenting on the report, Ross McKean,

a partner at DLA Piper specialising in cyber

and data protection, says: "GDPR has driven

the issue of data breach well and truly into

the open. The rate of breach notification has

increased by over 12%, compared to last

year's report, and regulators have been busy

road testing their new powers to sanction

and fine organisations. The total amount of

fines of €114 million imposed to date is

relatively low, compared to the potential

maximum fines that can be imposed under

GDPR, indicating that we are still in the early

days of enforcement. We expect to see

momentum build, with more multi-million

Euro fines being imposed over the coming

year, as regulators ramp up their enforcement

activity."

Patrick Van Eecke, chair of DLA Piper's

international data protection practice, points

to inconsistency: "The early GDPR fines raise

many questions. Ask two different regulators

how GDPR fines should be calculated and

you will get two different answers. We are

years away from having legal certainty on this

crucial question, but one thing is for certain -

we can expect to see many more fines and

appeals over the coming years."

CATHAY PACIFIC BREACH

One of the more high-profile fines imposed

by the Information Commissioner's Office

(ICO) of late was on Cathay Pacific Airways -

a total of £500,000 for failing to protect

the security of its customers' personal data.

Between October 2014 and May 2018,

Cathay Pacific's computer systems lacked

appropriate security measures, which led to

customers' personal details being exposed,

111,578 of whom were from the UK, and

around 9.4 million more worldwide.

The airline's failure to secure its systems

resulted in the unauthorised access to their

passengers' personal details, including:

names, passport and identity details, dates

of birth, postal and email addresses, phone

numbers and historical travel information.

Cathay Pacific became aware of suspicious

activity in March 2018 when its database

was subjected to a brute force attack, namely

where numerous passwords or phrases are

submitted with the hope of eventually

guessing correctly. The incident led Cathay

Pacific to employ a cybersecurity firm and

they subsequently reported the incident to

the ICO.

The ICO found Cathay Pacific's systems were

entered via a server connected to the internet


and malware was installed to harvest data.

A catalogue of errors was found during the

ICO's investigation, such as: back-up files that

were not password protected; unpatched

internet-facing servers; use of operating

systems that were no longer supported by

the developer; and inadequate anti-virus

protection.

"Pretty much the only positive for Cathay

Pacific from this incident is that it took place

before the new GDPR penalties were

enforced, meaning that the maximum

possible £500,000 fine from the ICO is much

smaller than it could have been," states

Jérôme Robert, director at Alsid, an Active

Directory cybersecurity specialist. "After that,

though, everything else is bad news. It took

the company almost four years to uncover the

breach. When it did investigate, it found not

one but two separate attacks. Cathay Pacific

had not patched its internet-facing servers,

was relying on out-of-date operating systems

and had not password protected its back-ups.

ACTIVE DIRECTORY TARGETED

"Unfortunately, this is yet another example of

a major breach in which the Active Directory

was specifically targeted, with the hackers

only being uncovered when they tried brute

forcing the Active Directory via credential

stuffing. In reality, closer Active Directory

monitoring would have revealed the breach

long before this point. The hackers had

already been inside Cathay Pacific's network

for years, moving laterally around the

network to find and exfiltrate data." "Paying

close attention to Active Directory security is

always advisable, because the AD is at the

heart of so many different types of cyberattacks,"

says Robert. "Better AD security in

Cathay Pacific's case would have uncovered

the attackers much earlier and stopped the

attack before it managed to cause significant

damage to the airline's customers and the

brand itself."
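As an added illustration (not code from the magazine, the ICO or Alsid), the logon monitoring Robert refers to can be sketched as a sliding-window check over failed and successful logon events. The event lines, account names, thresholds and function names are constructed assumptions; 4625 and 4624 are the Windows event IDs for a failed and a successful logon.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, Windows event ID, account, source address.
# 4625 = failed logon, 4624 = successful logon. Addresses are documentation ranges.
SAMPLE_EVENTS = """\
2020-05-04T09:00:00 4625 j.smith 203.0.113.7
2020-05-04T09:00:20 4625 j.smith 203.0.113.7
2020-05-04T09:00:40 4625 j.smith 203.0.113.7
2020-05-04T09:01:00 4625 j.smith 203.0.113.7
2020-05-04T09:01:20 4625 j.smith 203.0.113.7
2020-05-04T09:01:40 4624 j.smith 203.0.113.7
2020-05-04T10:00:00 4625 alice 198.51.100.23
2020-05-04T10:00:10 4625 bob 198.51.100.23
2020-05-04T10:00:20 4625 carol 198.51.100.23
2020-05-04T10:00:30 4625 dave 198.51.100.23
2020-05-04T11:00:00 4625 m.jones 192.0.2.10
2020-05-04T11:00:30 4624 m.jones 192.0.2.10
2020-05-04T12:00:00 4625 p.lee 192.0.2.44
2020-05-04T12:10:00 4625 p.lee 192.0.2.44
2020-05-04T12:20:00 4625 p.lee 192.0.2.44
2020-05-04T12:30:00 4625 p.lee 192.0.2.44
2020-05-04T12:40:00 4625 p.lee 192.0.2.44
"""

WINDOW = timedelta(minutes=5)   # assumed look-back window
MAX_FAILS_PER_ACCOUNT = 5       # assumed threshold: failures against one account
MAX_ACCOUNTS_PER_SOURCE = 4     # assumed threshold: accounts failed from one source


def parse_events(text):
    """Return time-ordered (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, event_id, account, source = parts
        events.append((datetime.fromisoformat(ts), int(event_id),
                       account.lower(), source))
    return sorted(events)


def detect(events):
    """Return (kind, subject, timestamp) alerts, at most one per kind and subject."""
    fails_by_account = defaultdict(deque)  # account -> recent failure times
    fails_by_source = defaultdict(deque)   # source -> recent (time, account) failures
    alerts, fired = [], set()

    def alert(kind, subject, ts):
        if (kind, subject) not in fired:
            fired.add((kind, subject))
            alerts.append((kind, subject, ts.isoformat()))

    for ts, event_id, account, source in events:
        acct_q = fails_by_account[account]
        while acct_q and ts - acct_q[0] > WINDOW:
            acct_q.popleft()  # drop failures older than the window
        if event_id == 4625:
            acct_q.append(ts)
            # Many failures against one account: password guessing.
            if len(acct_q) >= MAX_FAILS_PER_ACCOUNT:
                alert("brute_force", account, ts)
            src_q = fails_by_source[source]
            src_q.append((ts, account))
            while src_q and ts - src_q[0][0] > WINDOW:
                src_q.popleft()
            # One source failing against many accounts: the pattern typical
            # of credential stuffing and password spraying.
            if len({a for _, a in src_q}) >= MAX_ACCOUNTS_PER_SOURCE:
                alert("credential_stuffing", source, ts)
        elif event_id == 4624:
            # A success straight after a burst of failures deserves the
            # most urgent review: the guessing may have worked.
            if len(acct_q) >= MAX_FAILS_PER_ACCOUNT:
                alert("success_after_failures", account, ts)
            acct_q.clear()
    return alerts


if __name__ == "__main__":
    for kind, subject, when in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{when}  {kind:<24} {subject}")
```

The single mistyped password (m.jones) and the slow, widely spaced failures (p.lee) stay below both thresholds, which is why the window and threshold values need tuning against an organisation's normal logon behaviour.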

As Steve Eckersley, the ICO's director of

investigations, indicates: "Under data

protection law, organisations must have

appropriate security measures and robust

procedures in place to ensure that any

attempt to infiltrate computer systems is

made as difficult as possible."

As ever with cyber security, the human is the

weak point. "They know logins and passwords

and, if they can be lured into sharing them,

the criminal's job is largely done," adds

Eckersley. "Everyone involved in sharing

sensitive data needs to be aware of the risks

they face and how to avoid them, and

organisations probably need to implement

stricter conditions on who can access what

data. When it comes to sensitive data, staff

need to know either that specific data has to

be encrypted or, to keep life simple, accept

that all mobile storage be encrypted."

BREATHING SPACE

Meanwhile, in what many organisations that

are yet to get to grips with the GDPR will see

as a welcome 'breathing space', the ICO is

easing back on its regulatory approach to

enforcement while the coronavirus crisis

persists. "Regulators apply their authority

within the larger social and economic

situation," says information commissioner

Elizabeth Denham. "We see the organisations

facing staff and capacity shortages. We see

the public bodies facing severe front-line

pressures. And we see the many businesses

facing acute financial pressures. Against this

backdrop, it is right that we must adjust our

regulatory approach.

"Our UK data protection law is not an

obstacle to such flexibility. It explicitly sets out

the importance of my office, taking regard of

the general public interest, and allows for

people's health and safety to be prioritised,

without the need for legislative amendment.

A principle underpinning data protection law

is that the processing of personal data should

be designed to serve mankind. Right now,

that means the regulator reflecting these

exceptional times and showing the flexibility

that the law allows."

Patrick Van Eecke, DLA Piper: ask two

regulators how GDPR fines should be

calculated and you will get two different

answers.

Tim Stevenson, Verbatim: under GDPR,

organisations can be fined up to 4% of

global turnover.



DDoS attacks

UNDER FIRE AT HOME

BAD ACTORS HAVE BEEN TAKING INCREASING ADVANTAGE OF THE CURRENT CRISIS

TO CREATE CHAOS, LOCKING OUT EMPLOYEES AND PARALYSING BUSINESS OPERATIONS

Rodney Joffe, Neustar: the dramatic

increase in VPN use has multiplied the

potential impact of a distributed denial-of-service

(DDoS) attack.

Due to the sudden shift to a work-from-home

model as a result of

the COVID-19 pandemic, nearly

two-thirds (64%) of companies have

experienced at least moderate disruptions

to their network security business

practices - and nearly a quarter (23%)

have suffered major disruptions.

INADEQUATE BUSINESS PLANS

The report from Neustar's International

Security Council, based on a recent

survey of cybersecurity professionals, also

reveals that 29% of companies did not

have a fully executable business plan in

place to keep their network secure, in

the event of a major crisis such as the

current pandemic. In addition, survey

responses indicate that only 22% of

corporate virtual private networks (VPNs)

have handled the work-from-home shift

with no connectivity issues, while 61%

experienced minor connectivity issues.

"Social distancing measures that call

for employees to work from home when

possible have dramatically changed

patterns of connection to enterprise

networks," says Rodney Joffe, chairman

of NISC, SVP and fellow at Neustar. "More

than 90% of an organisation's employees

typically connect to the network locally,

with a slim minority relying on remote

connectivity via a VPN, but that dynamic

has flipped. The dramatic increase in

VPN use has led to frequent connectivity

issues, and - especially considering the

disruption to usual security practices -

it also creates significant risk, as it

multiplies the potential impact of a

distributed denial-of-service (DDoS)

attack. VPNs are an easy vector for a

DDoS attack."

With many IT teams being stretched

particularly thin at the moment, bad

actors can take advantage of the chaos

to exploit any vulnerabilities and launch

volumetric attacks, network protocol

attacks or application-layer attacks -

locking out employees and paralysing

business operations. In addition to this,

volumetric attacks are increasing in size.

Quite recently, Neustar mitigated a 1.17

terabyte attack, which required a unique

and diverse set of tactics in order to

successfully fend off the attack. "In times

like these," continues Joffe, "an always-on

managed DDoS protection service is

critical. A purpose-built mitigation

solution like Neustar's cloud-based

UltraVPN Protect can keep remote

workforces connected and productive,

and ensure that business continues

without interruption."

SHARP RISE IN THREATS

The latest NISC report reveals a sharper

than usual uptick in threats over the

two months covered by the most recent

survey. In fact, the International Cyber

Benchmarks Index, which reflects

the overall state of the cybersecurity

landscape, reached a new high of 331

back in March this year. When asked

which cyber threats had caused the

highest level of concern over the previous

two months, the security professionals

who were surveyed ranked DDoS attacks

as their greatest concern (23%), followed

by system compromise (22%) and

ransomware (18%).



policing & terrorism

DOUBLE-EDGED THREAT

IT'S NOT JUST CYBER SECURITY THAT IS AT STAKE WHEN WORKING FROM

HOME. YOUR PHYSICAL SAFETY NEEDS TO BE TAKEN CARE OF AS WELL

In order to support businesses when

managing their security during the

pandemic, Secured by Design, the Police

Digital Security Centre and the National

Counter Terrorism Security Office have put

together a leaflet containing the 'Top 10

Cyber Security Tips for Working at Home'

and the latest counter terrorism advice.

The leaflet is aimed at businesses that have

either been instructed by the government to

close, in line with the Covid-19 guidance, or

have chosen to close, and provides advice

and guidance to help them review both

their physical and cyber security to reduce

the chances of falling victim to criminals.

The top 10 tips for working at home offer

this advice on staying secure:

Strong password policy for all devices and social media accounts: change default passwords on all your devices when initially installed (especially your Wi-Fi router at home or any Internet of Things devices you may have) and consider using password managers to store and protect your passwords

2FA: be sure to turn on the two-factor authentication setting on all your accounts and devices

VPN: use a Virtual Private Network (VPN) to protect and encrypt the data you send or receive. It will also scan devices for malicious software

Software update: set all your devices and apps to download and install updates automatically to ensure that any crucial fixes are not missed and the risk of your devices being infected with malware is reduced

Back-up: to safeguard your important personal data and information, back them up to an external hard drive or cloud-based storage system

Phishing emails: cyber criminals are targeting people and businesses with fake emails about the coronavirus. Phishing emails are embedded with a virus that could compromise your device, as well as manipulate you into sharing personal or financial information

Install anti-virus: install and activate anti-virus software on all your devices and preferably you should set it so that it updates automatically. This will help you to run a complete scan of your system and check for any malware infections

Safe online browsing: only visit trusted websites. Keep an eye out for a padlock sign in the address bar, showing that the connection and your personal information (eg, credit card information) is encrypted and secure

Social media: it is important to review the privacy, password and security settings for all your social media accounts to ensure they are as secure as possible

Communication: maintain contact with your team, as it is easy to feel isolated or lose focus when working at home.

Despite the current threat emanating from

Covid-19, it is still important to remain alert

and vigilant to terrorist activity. Live-time

information from counter terrorism policing,

plus all the very latest protective security

advice, is now available at your fingertips

24/7 - wherever you are.

Via your 'phone, you can keep updated

where and when it matters most - all

through the new easy-to-navigate Action

Counters Terrorism (ACT) app, which is free

for businesses and available from Google

Play or the App Store.



digital mail access

YOU'VE GOT MAIL: A DIGITISED MAILROOM

THAT’S FIT FOR THE RETURN TO WORK

WORKING FROM HOME IS HERE TO STAY. STAY CONNECTED IN THE NEW NORMAL

The life-changing disruption of COVID-19 has impacted all businesses, employees and customers, and, whilst so much of the future remains unknown, it's clear that a more long-term plan is needed to facilitate remote working as we start to define the 'new normal'.

Swiss Post Solutions initially developed a Crisis Management Solution, in response to its clients' facing up to the challenge of maintaining communications using the traditional model of on-site mail. Suddenly, complex, hybrid environments made up of both the physical and digital, and that require social distancing to be adhered to at every stage, are here to stay, as the country awaits the call to return to work.

"Meeting this challenge head on with a simple, yet crucial, Return to Work Digital Documents Solution means teams need never miss an item of post or a piece of printed communication whilst working remotely," states SPS. The solution is a web-based application that is securely hosted within the cloud and can be swiftly deployed within seven days, delivering digital mail to a homeworker or office-based worker's desktop or mobile and offering guaranteed access during extended working hours.

The centralised Digital Documents Portal allows teams to create numerous digital desks, with a user permissions hierarchy, to ensure swift and accurate distribution of mail and documents.

Users can:

Download and view mail

Take/relinquish ownership of mail

Add comments

Forward to colleagues or teams

Close or complete a mail item

Delete a mail item.

The system maintains a full audit log of every mail item interaction by any user, and is built on a tried and tested, highly secure, fully compliant and pre-existing technology platform. Very little software installation is needed in a set-up process that simply involves connecting a scanner(s) to a workstation on customer premises and connecting to an online application to scan and deliver the documents.

Mail is scanned either by on-site staff or Swiss Post Solutions mailroom staff, ensuring a business can be serviced whatever their social restrictions. Alternatively, post can be collected from customer premises and scanned at one of SPS' secure and certified Document Processing Centres (DPCs).

Clients are reportedly already seeing

reductions in mail handling costs of 15%,

mail processing times coming down by 75%

and document management costs reduced

by 30%.

"These unprecedented times leave a lot

unknown, but, with Swiss Post Solutions, you

could not be in a safer pair of hands for the

return to work," it states. With more than

90 years' experience of managing mailrooms

for some of the world's most demanding

organisations, and currently operating over

500 mailrooms worldwide, it handles around

120 million items of mail for clients each year.

"And with a 96% contract renewal rate and

a 'World Class' customer satisfaction Net

Promoter Score of 78, it's fair to say that

these are happy clients," concludes Swiss Post

Solutions.

Do you need urgent digital access to mail

items, but have no current process in place?

Then it's time to talk to Swiss Post Solutions.

As soon as this time next week, you could

have peace of mind. Contact us for more

information info.sps.uk@swisspost.com.



success stories

LEADING THE CHARGE

HOW SAVVY BUSINESSES HAVE FLIPPED THE DIGITAL SWITCH

Efficient communications were an issue

for the insurance industry, even before

the COVID-19 crisis, where paper has

always been the dominant communication

channel. "For ERS Insurance, our mailroom

solution was off-site, replacing two traditional

mailrooms. It focused on converting mail

to digital at the earliest opportunity, before

processing it either to an individual or to a

'digital desk', which all team members can

access." The benefits were immediate: 87%

faster processing of incoming mail, along

with improved access and tracking, to create

vastly more efficient processes.

The Co-operative Bank was looking for a

new, digital solution for storing and accessing

correspondence, as access could take up

to five days to achieve. "The solution

implemented by us included a day forward

scanning operation and web portal,

based around our Document Management

software to provide instant access to all

correspondence." The result? The time to

access to correspondence was reduced to

an average of just five seconds, dramatically

improving efficiency, business continuity and

the customer experience.

A final example would have to be Zurich Insurance Group. Zurich receives high volumes of diverse forms of mail that previously were handled as part of a labour-intensive, manual process. "We proposed a scanning solution that would centralise and automate the scanning and processing of FinOps mail. This technology allows users to receive, view, process and archive digital mail documents, essentially replacing the physical delivery process." This new quick-to-implement solution achieved a 6x faster processing time and 5x faster access to business-critical documents.

Chris Blood, Head of Business Services UK, Swiss Post Solutions Limited.



fraud frenzy

STAYING ON GUARD

FRAUD HAS SEEN AN UPSURGE. BUT VIGILANCE AND GOOD PRACTICE CAN HELP

SAVE YOU FROM BEING A VICTIM, EVEN AFTER THE CURRENT CRISIS HAS ABATED

Since February, the National Fraud

Intelligence Bureau (NFIB) has

identified 21 reports of fraud where

Coronavirus was mentioned, with victim

losses totalling more than £800k. Of the

21 reports, ten were made by victims that

attempted to purchase protective face

masks from fraudulent sellers. One victim

reported losing over £15k when they

purchased face masks that were never

delivered. "We have also received multiple

reports about coronavirus-themed

phishing emails attempting to trick people

into opening malicious attachments or

revealing sensitive personal and financial

information," says the bureau.

One common tactic used by fraudsters

is to contact potential victims over

email purporting to be from research

organisations affiliated with the Centers

for Disease Control and Prevention (CDC)

and the World Health Organisation

(WHO). "They claim to be able to provide

the recipient with a list of coronavirus-infected

people in their area. In order

to access this information, the victim

needs to click on a link, which leads to

a malicious website, or is asked to make

a payment in Bitcoin." Reporting numbers

are expected to rise as the virus continues

to spread across the world, so the advice

to all businesses is to ensure they are

properly protected against such scams.

"Watch out for scam messages. Don't click

on the links or attachments in suspicious

emails, and never respond to unsolicited

messages and calls that ask for your

personal or financial details," the NFIB

warns. "And always install the latest

software and app updates to protect

your devices from [such] threats."

Carl Wearn, who is head of e-crime at

Mimecast, concurs that, given the

constantly evolving policy changes by

governments across the globe in their

attempts to contain the spread of COVID-19,

it is almost certain threat actors and

criminals will seek to exploit this resulting

confusion and there will be an increase in

the observed cyber-attack methodologies

against vulnerable targets.

"Cybercriminals prey on the panic and

confusion caused by events such as this, as

they lead to an increase in victims clicking

malicious links," he cautions. "At Mimecast,

we have seen a significant increase during

the time of the coronavirus pandemic.

This includes increases in opportunistic

attacks (26%), impersonation attacks

(30%), malware detections (35%) and

URL clicks (56%)." The majority of online

scams rely on some form of human error,


as it is far easier to compromise a single

user than a whole system. "Threat actors

know this well and are continuing to exploit

the human factor by tailoring scams to

target current events and the fears of their

victims," states Wearn. "Coronavirus is a

perfect example of this tailoring and we

have seen scams purporting to be from the

WHO, the NHS, HMRC and even airlines

offering refunds. Cybercriminals are clever

and continuously adapting their tactics."

Wearn describes these latest findings as

shocking, but hardly surprising. "Moving

forward, people need to scrutinise every

email they receive and double check its

validity before taking action on it".

EXPERT ADVICE

Meanwhile, to support businesses in

managing their security during the

pandemic, three bodies have united to

help organisations cope with fraud and

terrorism. Secured by Design, the Police

Digital Security Centre and the National

Counter Terrorism Security Office have put

together a leaflet containing the Top 10

Security Tips for Closed Business Premises,

the Top 10 Cyber Security Tips for Working

at Home and the latest Counter Terrorism

advice. The leaflet is aimed at businesses

that have either been instructed by the

government to close in line with the Covid-19

guidance or have chosen to close, and

provides advice and guidance to help

them review both their physical and cyber

security to reduce the chances of falling

victim to criminals.

FALSE SENSE OF SECURITY

Even with restrictions being gradually

eased, they see the current situation as

one where vigilance has to remain at its

highest. In fact, the gradual unwinding

of the lockdown could create a false sense

of security that fraudsters and terrorist

groups will be quick to seize upon. What,

then, are the main recommendations they

have come up with?

Property maintenance. You should check

any unused/empty premises regularly, at

least once a week, to see if there are any

obvious signs of an attempted break-in

or damage. It is important that premises

continue to be well maintained during

this extended period of closure to prevent

the spiral of decline. Flammable and

combustible materials and substances

should be stored in a secure, lockable

container, cage or room. Bins should be

securely stored away from the building to

prevent arson.

Monitored intruder alarm system. This

serves as a deterrent to burglary, as it

increases the likelihood of being caught.

Make sure it is regularly maintained,

in good working order and is remotely

monitored for a police response by a

National Police Chiefs' Council-compliant

Alarm Receiving Centre (ARC). The advice

from the three organisations is to ensure

that staff are familiar with opening and

closing procedures to prevent false alarm

activations. Update your key holder list and

share it with third parties, where necessary -

eg, your intruder alarm company.

Security fogging system. Triggered by an

alarm sensor, it will instantly fill the area

you are trying to protect with a dense,

harmless fog that reduces visibility, making

it virtually impossible for an intruder to

access the items they want to steal. If you

already have such a system, check with your

supplier that it is still in good working order.

CCTV. If you have this installed, make sure it is regularly maintained, in good working order with sufficient storage capacity and, as a minimum, is providing coverage of the most vulnerable areas, including doors and windows where access is likely to be gained. The recording equipment should be kept in a secure cabinet inside a lockable room within the building. They also point out that all CCTV should comply with the guidance laid down by the Information Commissioner's Office. For full details on this, go to: www.ico.org.uk

Carl Wearn, Mimecast: cybercriminals prey on the panic and confusion caused by events such as this.

Doors and windows. Doors and easily

accessible windows should be in good

working order and have quality locks that

have a Kitemark showing that they meet

the relevant British Standard. There are

various types of doors and windows, such

as U-PVC, aluminium, timber etc, and

these may have multi-point or single-point

locking mechanisms. All external doors

should have a minimum of two locking

points with locks that meet the British

Standard. All doors and windows that are

not part of a designated fire escape route

should be closed and locked.

Glazing. All easily accessible glazing should

be laminated to resist forced entry. Double

glazed units only require either the inner or

outer pane to be laminated. Alternatively,

security film can be applied to the internal

glazed panel, ensuring it is fixed under the

beading, where possible.



strategic planning

PROTECTING THE EXPOSED

WITH WORKING FROM HOME NOW SO WIDESPREAD, WHAT STRATEGIC APPROACH WORKS BEST? ROB ALLEN,

DIRECTOR MARKETING & TECHNICAL SERVICES AT KINGSTON TECHNOLOGY EUROPE, OFFERS HIS INSIGHTS

Rob Allen, director Marketing & Technical

Services at Kingston Technology Europe.

The workplace had already been

undergoing major changes, with typical

office roles shifting away from rigid

structures towards greater flexibility. But

now, due to the impact of the current global

situation and potential continued uncertainty

for the foreseeable future, changing

workplace attitudes are set to accelerate,

leading to further demand to perform roles

outside of the office environment wherever

possible.

For some time, work life for many of us

could be split between home and the office.

In a recent survey*, 63% of workers said they will want

to spend some of their working week at

home and 23% said that they will prefer to

work from home full time. It's also possible

that, even when the situation has calmed

down, more flexible working arrangements

may remain the norm in many companies.

This shift in attitudes will create IT problems.

Corporate environments are kept safe by

firewalls, enforced passwords, physical

security and carefully considered protocols,

intended to protect the firm's assets and

ensure it stays on the right side of all laws.

Outside, it's harder to manage employees'

IT use, enforce restrictions and ensure that

sensitive data is kept safe. But although

changes are necessary, the legal requirements

to protect customer and client information

remain. Working from home can expose

numerous IT security risks and taking steps

to mitigate them is crucial.

Typical issues arise from team members

sharing confidential documents outside of

company servers: for example, using personal

email accounts to send work between home

and the office. Similarly, devices are easily lost

and can end up in unknown hands. Working

from home may also see more teams relying

on their personal computers to complete

work tasks, which could pose a security risk.

There are different approaches to tackling

these issues. It's inevitable that some firms

may discourage employees from working

from home, but, in this environment, that

might create severe dissatisfaction, if staff

feel they are being put at risk. Some

companies have found the transition to

working from home easier than others.

There were early reports of some bosses

checking in on their team every 10 minutes

during the day, clearly not used to dealing

with staff working remotely.

Alternatively, IT departments may impose

restrictions, such as a ban on the use of

personal computers, USB and personal email

accounts for work purposes. This brings

a hammer down on many risks associated

with working from home and is certain to

solve some problems. A better approach is to

consider more long-term solutions, given that

the new work situation could be in place for

some time. A first step is offering the use of

corporate VPNs on remote personal devices.

Additionally, it's wise to either encourage or

enforce storage encryption in staff laptops

and computers. If devices are lost or stolen,

this prevents direct access to crucial

documents that may contain sensitive

information. In many cases, you may be

legally bound to ensure information does

not end up in the public domain.

Encrypting storage within an operating

system is a simple solution, but carries a

major performance penalty. That issue can

be mitigated, though, by using products

with built-in hardware encryption, such as

our encrypted USB & SED SSD, where the

hardware-based encryption is built into the

SSD controller itself.

But perhaps an understated aspect of WFH

security is the need to discuss these issues

with staff and encourage them to actively

think about security. For example, the

common problem of using a simple

password that's easy to guess is basic human

nature. Educating staff about why similar

practices are a bad idea is an inexpensive

investment that may pay off in the future.

*Survey of 1,550 British employees, conducted by

SentryBay, April 2020



GDPR update

A CYBERSECURITY EDUCATION

ALMOST TWO YEARS HAVE PASSED SINCE THE INTRODUCTION

OF THE GDPR AND IT SEEMS BUSINESSES ARE STILL FAILING TO

TAKE CYBERSECURITY SUFFICIENTLY SERIOUSLY, CAUTIONS

AMAN JOHAL, LAWYER AND DIRECTOR OF YOUR LAWYERS

While the Coronavirus continues

to dominate headlines

everywhere, the fact that the

General Data Protection Regulation

is now two years old warrants close

attention as well. Several businesses have

felt the impact of failing to comply with

its strictures, such as British Airways,

which has been issued with a notice of

intention to fine a record £183m for its

2018 data breaches, while several high-profile

data breaches affected thousands

of Travelex and Microsoft customers.

History will continue to repeat itself,

unless something is done, and a good

place to start is with educating staff.

The increased requirements for

businesses to store, manage and protect

customers' digital information leaves

them vulnerable to attacks from highly

skilled data hackers. This threat is not

being met with training, however. Too

often, employers are failing to educate

their staff on how to avoid simple data

leaks and the catastrophic consequences

they could have. The 2019 State of IT

Security Survey, for example, revealed

that the top issues faced by IT security

professionals included email security and

employee training. Despite this, a third

of employees reportedly don't know

what phishing or malware is - two basic

forms of cyberattacks.

Educating staff about cybersecurity

is crucial. If staff aren't adequately

trained, the business doesn't have a

viable defence. Even worse, your staff

could be the cause of a data leak

themselves. A recent example includes

the Virgin Media data breach which

stemmed from a member of staff not

following the correct procedures and

"incorrectly configuring" a database.

This led to the personal details of

900,000 people being left unsecured and

accessible online for ten months. With

each customer potentially eligible for up

to an estimated £5,000 in compensation,

this entirely avoidable incident could cost

Virgin Media a total pay-out of £4.5bn.

It's the responsibility of the employer

to ensure employees are educated about

data leaks and how to avoid them. Such

events are typically considered 'human

error' breaches. However, the reality is

that they arise from systemic failures

by organisations to protect themselves

and staff from data breaches. Educating

employees about data leaks and security

threats, including how they might look

and the necessary procedures to follow

to mitigate risks, will strengthen your

business against breaches and attacks.

It is now a legal requirement for all

organisations to have reasonable

defences in place, in order to prevent

cybersecurity breaches. There should be

a thorough defence strategy that starts

with the basics, such as encrypted

storage and processing, as well as the

implementation of professional tools

like firewall protection. Businesses

that fail to take reasonable steps and

experience a data breach can be issued

with significant regulatory fines. Since

the introduction of the GDPR, maximum

penalties can be up to 20 million euros,

or up to 4% of an organisation's global

annual turnover. As well as the financial

losses, businesses would also be wise to

consider the damage to their reputation

and loss of consumer trust that follows.



each analysis

RANSOMWARE SOARS

WORKING FROM HOME CAN MAKE I.T. SYSTEMS FAR MORE SUSCEPTIBLE

TO ATTACK WITHOUT THE RIGHT SECURITY MEASURES FIRMLY IN PLACE

Ransomware attacks skyrocketed in 2019, according to a newly released breach report, an annual update on cyber trends that is produced by cyber insurer Beazley - and the shift to home working has only heightened the risk of cyber breach via remote desktop protocol and phishing attacks, it states.

Beazley's in-house team of breach experts, Beazley Breach Response (BBR) Services, reported the number of ransomware attack notifications against clients increased by 131%, compared to 2018. Along with this growth in frequency, the sums of money demanded by cybercriminals also increased exponentially, sometimes reaching seven or even eight figures.

Cyber criminals' methods of attack continue to evolve, too. The two most common forms of attack to deploy ransomware are phishing emails and breaching poorly secured remote desktop protocol (RDP). RDP enables employees to access their work computer desktops or company's primary server from home with the press of a button, but the convenience also comes with added risks.

MORE SUSCEPTIBLE

"With the convenience of enabling employees to work from home, using RDP can make IT systems more susceptible to attack without the right security measures in place," states Katherine Keefe, Beazley's global head of BBR Services. "The coronavirus has forced many more employees to work from home and, in this pressured environment, it is very important that companies take the right steps to reduce the vulnerability of their IT infrastructure. Always ensure employees can access their computer using a virtual private network with multifactor authentication. It is important to whitelist IP addresses that are allowed to connect via RDP, and make sure that unique credentials for remote access are in place - particularly for third parties."

In 2019 and into 2020, BBR Services

recorded an increase in reported attacks by

policyholders whose systems were breached

via cyber-attacks against their IT managed

service providers. In some cases, these attacks

stopped the operations of hundreds of

customers downstream from the IT provider.

Keefe adds: "BBR Services handles thousands

of breaches every year and our data

demonstrates how ransomware has

developed into a more serious and complex

threat over the past four years. Early on,

ransomware was typically used to encrypt

data as leverage for a ransom demand.

However, more recently, attackers have been

using ransomware variants in tandem with

banking Trojans such as Trickbot and Emotet.

This two-pronged attack leaves organisations

not only with the debilitating impact of their

critical systems and data being encrypted,

but with the added risk of data being

accessed or stolen.

"Although these attacks can be damaging

and complex, some of the most effective

preventative measures are relatively simple.


More than ever, organisations need to ensure

their IT security measures are a top priority

and up to date, that they have access to

authoritative, experienced risk management

advice, and, importantly, that employees are

trained and alert to the potential threats."

ATTACK, ATTACK

The latest Breach Briefing provides detailed

information on the most common forms

of attack, including the two most common

forms of attack used to deploy ransomware:

phishing emails and poorly secured remote

desktop protocol (RDP).

Turning first to phishing, Beazley cites

how direct email of malware and links to

credential-stealing sites lead to a large

number of incidents. "There are a lot of

protections available, in the forms of email

filters and added layers of authentication,"

it says. "However, few of these solutions are

broadly implemented. People have access

to the information and technology that the

attackers want, and attackers will continue to

find new ways to reach people and exploit

them. It would be incorrect to view phishing

as the vulnerability; phishing just happens to

be the most effective way of getting to the

real vulnerability - people."

Exactly how do you mitigate phishing risk,

though? Beazley suggests the following:

- Enable multi-factor authentication (MFA)
- Force regularly scheduled password resets, preventing recycled passwords
- Train employees to recognise and report suspicious email traffic.

Turning next to remote desktop protocol

(RDP), Beazley describes this as "a very

powerful tool that provides a lot of

convenience to its users. It is also extremely

easy to enable. If the computer you want

to access is on the public internet, you gain

immediate access to your work computer

from home or your company's primary file

server while you are on vacation with the

press of a button."

However, problems arise from these basic

facts: RDP runs on a standard port (tcp/3389)

and is easily identified while scanning;

companies have very poor password policies,

giving a brute force attack a high probability

of success; more than 20 vulnerabilities have

been identified within RDP, many of which

allow unauthenticated access to the target

computer; companies tend to have very poor

patching policies. "So, not only is it easy to

turn on, it is also very easy to discover and

break into." Ways of mitigating RDP risk that it recommends include requiring access via a virtual private network (VPN) with MFA; whitelisting the IP addresses that are allowed to connect via RDP; and using unique credentials for remote access, especially for vendors.
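To illustrate the RDP points above, the following Python example audits connection records for logons on tcp/3389 from outside an IP allowlist, repeated failed logons from one source, and one account used from several sources. It is an added example, not part of the article or the Beazley briefing; the allowlist, the failure threshold, the account names and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

RDP_PORT = 3389          # standard RDP port (tcp/3389) named in the article
FAILURE_THRESHOLD = 5    # assumed cut-off for failed logons from one source

# Assumed allowlist: a VPN egress range and one vendor address
# (RFC 5737 documentation addresses, not real hosts).
ALLOWED_SOURCES = [
    ipaddress.ip_network("198.51.100.0/28"),
    ipaddress.ip_network("203.0.113.77/32"),
]

# Constructed sample records: (source IP, destination port, account, outcome).
SAMPLE_EVENTS = [
    ("198.51.100.4", 3389, "alice", "success"),
    ("203.0.113.77", 3389, "vendor-acme", "success"),
    ("192.0.2.15", 3389, "vendor-acme", "success"),   # vendor account, second source
    ("198.51.100.9", 443, "bob", "success"),          # not RDP, ignored
] + [("192.0.2.200", 3389, name, "failure")
     for name in ("admin", "administrator", "backup", "scanner", "test", "user")]


def is_allowed(source):
    """Return True if the source address falls inside the allowlist."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in ALLOWED_SOURCES)


def audit(events):
    """Summarise RDP findings that map to the three mitigations."""
    off_allowlist = set()                 # sources an IP allowlist would block
    failures = Counter()                  # failed logons per source
    account_sources = defaultdict(set)    # sources per successfully used account
    for source, port, account, outcome in events:
        if port != RDP_PORT:
            continue
        if not is_allowed(source):
            off_allowlist.add(source)
        if outcome == "failure":
            failures[source] += 1
        elif outcome == "success":
            account_sources[account].add(source)
    return {
        "off_allowlist": off_allowlist,
        # Many failures from one source suggest password guessing.
        "brute_force": {s: n for s, n in failures.items()
                        if n >= FAILURE_THRESHOLD},
        # Heuristic: one account seen from several sources may be shared.
        "shared_accounts": {a: s for a, s in account_sources.items()
                            if len(s) > 1},
    }


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_EVENTS).items():
        print(finding, detail)
```
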

RANSOMWARE

Ransomware can be devastating to an

individual or an organisation. Traditionally,

these attacks were designed to deny access

and interrupt business operations. However,

the recent shift towards ransomware paired

with banking trojans, and towards threats

to expose data, changes the landscape.

"Anyone with important data stored on

their computer or network is a target - from

municipalities or hospitals through to law

firms," warns Beazley. "Important data at risk

was traditionally thought to be personally

identifiable information (PII) and protected

health information (PHI), but it could also

include intellectual property, litigation

strategies, unpublished financials, and project

bids. It is a myth that attackers are not

interested in small companies. As our data

shows, small and medium-sized businesses

are often easier to exploit and therefore

very attractive targets."

VENDORS SINGLED OUT

Many organisations rely on vendors to perform multiple services, which can help reduce overall costs and administrative burdens. But when you no longer control all of your data or when you provide third parties direct access to your systems, it inevitably increases your exposure to data privacy and security risks. "Third-party vendors were aggressively targeted by cybercriminals deploying ransomware in 2019, and at least 17% of all ransomware incidents reported to Beazley originated from attacks on vendors," says the cyber insurer. "These attacks caused business interruption to many downstream customers, ranging from the inability to access data housed in a software application, to a full-blown attack on the customer systems as well."

Katherine Keefe, Beazley: using a virtual private network with multifactor authentication is crucial.

Why are vendors targeted? Cybercriminals

have come to realise that interrupting the

dependent and deeply interconnected

relationship between vendor and customer

creates the most pressure. Hitting a single

vendor can cause catastrophic interruptions

for hundreds of companies, making it more

likely for the vendor to pay.

To read the Beazley Breach Briefing in full,

follow the link below:

https://www.beazley.com/news/2020/beazley_breach_briefing_2020.html



total encryption

MALWARE MENACE

A PRIVACY-FIRST BROWSER COMBINING A BUILT-IN VPN

WITH COMPLETE ENCRYPTION AIMS TO GIVE USERS

A FAST, SECURE AND DISCREET EXPERIENCE ON MOBILE

Scott Curtiss: there's still a perception that, on mobile, internet- and browser-based threats do not exist.

In early March this year, Avast Threat Lab

researchers found that the increasing use

of mobile devices around the globe was

fuelling the growth of mobile-related

malware. To date, 131 COVID-19 related

apps have been detected as malicious

through Avast's apklab.io platform, as

cybercriminals look to exploit the pandemic

using social engineering tactics.

According to statistics gathered by the Avast

researchers between October and December

2019, adware (software that hijacks user

devices to spam them with malicious ads)

is responsible for 72% of mobile malware,

with the remaining 28% of threats linked to

banking trojans, fake apps, lockers and

downloaders. Now, Avast has released an

Android version of Avast Secure Browser,

extending its platform support beyond

Windows and Mac on desktop to mobile.

The introduction of a multi-platform browser

is part of Avast's ongoing focus to converge

security and privacy services to "enable a safer,

more private and faster browsing experience

across devices and operating systems",

according to the company.

Avast Secure Browser for Android was

developed following Avast's 2019 acquisition

of Tenta, a private browser backed by

Blockchain pioneer ConsenSys and has been

built from the ground up by privacy and

cybersecurity engineers focused on total

encryption. At its core is strong encryption,

including AES-256, ChaCha 256-bit and the

latest TLS/SSL cryptographic protocols for the

data transport layer. To ensure that user DNS

requests are kept private and secure, the

browser supports multiple DNS options

straight out of the box, such as DNS over

TLS, DNSSEC and decentralised DNS support.

"Avast's core mission is to make the world

a safer place by protecting the security and

privacy of every customer," says Scott Curtiss,

vice president and general manager of Avast

Secure Browser. "Our commitment to being

a privacy-by-design technology provider was

behind our acquisition of leading private

mobile browser Tenta, whose technology has

contributed to the development of our new

Avast Secure Browser for Android. We know

that our customers care deeply about security

and privacy, and want to be in control

of their own personal data, without

compromising the quality of their online

interactions. Our goal is to be the first all-in-one

browser to secure our users' privacy,

along with a frictionless secure browsing

experience. Adding support for mobile is

another milestone in our journey towards

this long-term goal."

Additional built-in security and privacy

features that are available with Avast Secure

Browser for Android include:

- A VPN that encrypts all inbound and outbound connections to the VPN location
- An ephemeral user PIN code for device access that is never stored on any server nor on the device itself
- Anti-tracking technologies used to prevent websites, advertisers and other web services from tracking online activity
- Adblock integration to improve website load time
- An encrypted media vault.

Adds Curtiss: "There is still a perception

among many consumers that, on mobile,

internet and browser-based threats do not

exist. This is not the case. Mobile is a lucrative

platform for cybercriminals, because of its

majority market share versus desktop and

higher levels of internet traffic. In the past

twelve months, we've seen adware rise by

38% on Android."
