CSLATEST

Computing
Security
Secure systems, secure data, secure people, secure business
KEEPING IT REAL-TIME
New digital landscape demands ever
faster response to risk
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
SAFE PAIR OF HANDS?
The goalposts are shifting in
pursuit of achieving
a Zero Trust outcome
LIGHTING THE WAY
New rays of hope may be
on the horizon as a fresh
approach to cybersecurity
starts to filter through
SHARK-INFESTED WATERS
Surge in ransomware attacks puts
the bite on more potential victims
Computing Security Sept/Oct 2024

DON’T
SaaSSS
GET YOUR
KICKED! !
TAKE CONTROL NOW AND
PROTECT YOUR SaaS DATA
Global SaaS vendors like Microsoft, Google and Salesforce
don’t assume any responsibility for your data hosted
in their applications. So, it’s up to you to take control
and fully protect your SaaS data from cyber threats or
accidental loss. Arcserve SaaS Backup offers complete
protection for your SaaS data, eliminating business
interruptions due to unrecoverable data loss.
Arcserve SaaS Backup
Complete protection for all your SaaS data.
arcserve.com
The unified data resilience platform

comment
QUANTUM RESEARCH HUBS: THE GOOD AND THE DISTURBING
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
David Bonner
(dave.bonner@btc.co.uk)
+ 44 (0)1689 616 000
Stuart Leigh
(stuart.leigh@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Five new quantum research hubs have been backed by more than £100 million of
government funding in the hope that they will deliver breakthroughs in healthcare,
cybersecurity and transport.
Announced by the Science Secretary Peter Kyle, the hubs will bring researchers and businesses
together to use their scientific expertise and talent alongside the commercial know-how and
resources to develop "groundbreaking quantum technologies that will directly impact people's
lives in areas like healthcare, security, and clean energy", states the government.
It's the sort of positive initiative that has been badly lacking of late in this area. However, Tim
Callan, chief experience officer at Sectigo, has some concerns: "It is impressive to witness the UK's
commitment to maintaining its position as a leader in the field of quantum technology. However,
we must not forget the security challenges associated with this advanced technology.
"In the event that a country does develop a quantum computer capable of breaking current
encryption methods, it is likely that they would keep it a closely guarded state secret, as the UK
did when it broke the Enigma code during World War II. For this reason, it is imperative that
businesses take their own proactive measures to prepare for this eventuality by transitioning to
quantum-safe algorithms before it is too late."
It's a warning that should be borne in mind and acted upon. Better to anticipate the possible
consequences now then try to react after the wheels have come off.
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2024 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk Sept/Oct 2024 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security Sept/Oct 2024
inside this issue
CONTENTS
Computing
Security
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
KEEPING IT REAL-TIME
SAFE PAIR OF HANDS?
The goalposts are shifting in
New digital landscape demands ever
pursuit of achieving
faster response to risk
a Zero Trust outcome
LIGHTING THE WAY
New rays of hope may be
on the horizon as a fresh
approach to cybersecurity
starts to filter through
SHARK-INFESTED WATERS
COMMENT 3
Inside quantum research hubs:
from the good to the disturbing
Surge in ransomware attacks puts
the bite on more potential victims
NEWS 6
AI is scammers' best buddy
Total Backup solution totally enhanced
Late disclosure earns rap on knuckles
Onslaught of new fraud campaigns
Critical VMware flaw detected
ICO steps up its wider powers
ARTICLES
KEEPING IT REAL-TIME 18
Managing security threats often hinges on
identifying and responding to risks in real
time. But how does 'real time' work and is
it an end game that’s always achievable?
AI HIGHJACKED 14
NEW ERA OF HOPE 24
With the helter-skelter rise of Artificial
Might the ushering in of a new government
Intelligence revolutionising how we do
signal a fresh approach to cybersecurity?
business and conduct our everyday lives,
fears are raidly growing that cybercriminals
A SUSTAINABILITY MANIFESTO 27
are likely to weaponise the technology to
Steve Mellings of ADISA makes the case
commit bigger, more sophisticated and ever
for why the default position should be to
more dangerous crimes.
promote re-use of redundant equipment
EASING THE MALWARE ANGST 28
Modern-day threats mean the old ways of
protecting against attacks are no longer
SHIFTING THE GOALPOSTS 20
enough. Change must come… and now
Implementing Zero Trust in a complex
RANSOMWARE RAMPAGE 32
infrastructure that includes a mix of legacy
When trying to prevent ransomware
systems, on-premises servers and cloud
strikes, keeping pace with the ingenuity of
services can be a huge challenge. Ensuring
those carrying them out is the challenge
seamless integration and consistent security
policies across all these components requires
PRODUCT REVIEW
constant effort and deep expertise.
BACKBOX NETWORK
AUTOMATION PLATFORM 23
CRIME GANGS AIM TO WIN WITH AI 30
In today's dynamic technological landscape,
BOOK REVIEW
the emergence of Generative Artificial
Intelligence (Generative AI) and its blend
AN HONOURABLE QUEST 26
with deepfake technology has affected
Cybersecurity needs an overarching code
voice, image and video. This amalgamation
of ethics and conduct, argue authors Paul
has opened up a whole new landscape of
J. Maurer and Ed Skoudis
opportunities and risks.
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk
4
BACKLASH ON COMPLIANCE FAILURES 10
Failure to adhere fully to the General Data
Protection Regulation could result in heavy
penalties. A new guide provides a detailed
commentary on the GDPR, explaining the
many changes that you need to make
to your data protection and information
security regimes, in order to comply.

Building cyber security
awareness together.
Leading the way in personalised
cyber security awareness.
Keep your staff engaged, cyber-secure, and compliant with our award-winning,
personalised cyber security training.
Designed with real people and teams in mind, our expertly crafted content transforms
cyber security into an informative and captivating experience. By making learning
fun and impactful, we maximise engagement and enhance staff security behaviour,
ensuring constant vigilance against cyber threats.
Our staff fully engaged with our
security awareness program, with
completion rates over 85%
Best cyber security awareness
platform available

news
TOTAL BACKUP SOLUTION TOTALLY ENHANCED
Hornetsecurity has released an
enhanced version of its 365 Total
Backup solution for Microsoft 365, now
including comprehensive backup and
recovery support for Microsoft Planner.
This upgrade extends Hornetsecurity's
data protection suite, ensuring critical
business data is securely backed up and
recoverable, it states.
The enhancement follows the roll-out of Microsoft's Planner function to manage tasks
and projects. The free update from Hornetsecurity is available for customers on both its
365 Total Backup products and 365 Total Protection (Plans 3 and 4).
The broader scope of protection supports GDPR compliance and adds to the existing
backup and recovery functionality across essential M365 applications, including Mailbox,
OneDrive, SharePoint and Teams.
AI IS SCAMMERS' BEST BUDDY
Anew report from VIPRE highlights the
ingenuity of cyber-criminals in using
AI to evade detection and maliciously
scam individuals and enterprises. The
company processed 1.8 billion emails
globally, detecting 226.45 million spam
emails and 16.91 million malicious URLs
to identify the email threat trends that
impact enterprises the most.
The Q2 2024 Email Threat Trends Report
identifies Business Email Compromise
(BEC) as a major scourge. Nearly half
(49%) of all detected spam emails were
attributed to BEC scams, with the CEO,
followed by HR and IT, being the most
common targets identified.
It takes on a more sinister complexion
when a full 40% of the BEC emails
uncovered were shown to be AIgenerated.
TARDY BREACH DISCLOSURE EARNS RAP ON KNUCKLES
The ICO has reprimanded the Electoral Commission for the
data breach it suffered in 2021, identified in 2022 and
disclosed in 2023. In response, Dominic Trott, director of
strategy and alliances, Orange Cyberdefense, Europe, argues
that, in future, swift public disclosure is crucial to maintaining
trust and allowing individuals to protect themselves.
"It is comforting that the Electoral Commission has
strengthened its security posture since the attack, including
implementing a plan to modernise their infrastructure, as well
as password policy controls and multi-factor authentication
for all users," says Trott. "We can therefore hope that, if it is
targeted again in future, the attack will come to light and be
Dominic Trott
communicated quicker than in this instance."
ONSLAUGHT OF NEW FRAUD CAMPAIGNS
Anew report, the result of continuous investigation by a team
of fraud analysts in the Transmit Security Research Lab, has
revealed how dark web marketplaces and fraud tools have
changed since the release of ChatGPT. Key findings highlight
the powerful capabilities of blackhat generative AI (GenAI)
platforms that fraudsters are said to be using to create new
fraud campaigns at unprecedented levels of sophistication,
speed and scale. "It's easy to find malicious GenAI tools like
FraudGPT and WormGPT, and it's just as easy to use them - to
probe for vulnerabilities, write malicious code, harvest data and
create highly deceptive fraud," says Ido Rozen, security researcher
team lead at Transmit Security. "These tools have no security
Ido Rozen
guardrails and require little to no skills. GenAI has dramatically
lowered the bar for novice fraudsters to churn out more advanced attacks on a global scale."
6
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

news
Sarah Pearce.
ICO STEPS UP ITS WIDER POWERS
Sarah Pearce, partner at Hunton Andrews
Kurth, has proffered her legal firm
expertise regarding the ICO's reprimand of
the Electoral Commission after a cyberattack
compromised its servers (see 'Tardy breach
disclosure earns rap on knuckles', page 6).
"The use of reprimands by the ICO has, in
the past, been controversial, with some
questioning whether in fact the ICO had
properly exercised the use of its powers in
certain instances. One point to note, Recital
148 UK GDPR clearly anticipates the use
of reprimands for "minor infringements,"
says Pearce.
"However, the infringements identified in
the reprimand issued to the Electoral
Commission would appear to be serious -
and with serious impact," she adds.
"The use of reprimands in this context, in
respect of a government agency such as
the Electoral Commission, is in line with
the ICO's revised approach to public sector
enforcement and ICO25, in which the UK
Commissioner John Edwards outlined his
plan to reduce impact of fines on the public
sector and to increase use of the ICO's wider
powers, including reprimands, with fines
being reserved for only the 'most serious
cases'.", she concludes.
DDOS ACTORS 'CAN WREAK HAVOC'
Donny Chong.
The recent Microsoft outage, caused by a DDoS attack
affecting 365 products and Azure, demonstrates the ease
at which DDoS actors can wreak havoc against critical business
services, warns Nexusguard director Donny Chong. "Anyone
can carry out an attack of this magnitude from their own
bedroom, if they have the right equipment," he coments.
"While no company can guarantee the always-on availability
of its cloud services, customers of these services have high
expectations today and that's exactly what attackers are
counting on." The tech community would benefit from
more transparency on how many DDoS attacks companies
thwart and how they mitigate them, adds Chong. "Our data
suggests that attack sizes increased by an average of 183%
last year and 81% of attacks are now shorter than 90 minutes. This shows both the scale of
the task at hand for stretched cybersecurity teams and that attacks are now more efficient
than ever when inflicting disruption on businesses."
CRITICAL VMWARE FLAW DETECTED
Microsoft researchers have found a critical vulnerability in
VMware's ESXi hypervisors. Ransomware operators are
using this to attack systems worldwide. "While the security
advisory for CVE-2024-37085 provided a moderate severity
rating, a CVSSv3 score of 6.8 and Tenable Vulnerability
Prioritization Rating of medium, successful exploitation can be
catastrophic for impacted organisations," says Scott Caveza,
staff research engineer at NASDAQ-listed Tenable. "Microsoft's
analysis of compromised hosts provided valuable insights into
the variety of methods that can be deployed to compromise
ESXi hosts." All new and existing attack methods appear
relatively simple and straightforward to exploit where conditions
exist that allow for exploitation in the first place, he warns.
Scott Caveza.
ONLINE FRAUD IS BATTERING BUSINESSES
Failing to tackle online fraud is increasingly damaging the
brand reputation and the bottom line for thousands of
businesses around the globe, new research reveals. Almost twothirds
of all ecommerce brands (61%) have found themselves at
the centre of highly damaging public media storms when fraud
hits, according to Ravelin's Global Fraud Trends 2024 Survey.
Of those polled, 40% (and 41% in the UK) say their brand image
has been affected by fraudulent activities. This varies by sector -
40% of retailers, 36% of those in travel, 45% in digital goods
and 38% in marketplaces.
"In a highly connected world where reputations can be globally
trashed with just a few keystrokes, brands must do more to
Martin Sweeney.
mitigate against fraud," states Ravelin CEO Martin Sweeney.
8
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

Want to
understand
how to sanitise
media?
Learn more about the NEW international
media sanitisation standard IEEE 2883 from
one of the authors - Jonmichael Hands
conference
conference
2024
2024
17TH OCTOBER 2024 , LONDON
USE PROMO
CODE:
CSMAG FOR
50% OFF!
WWW.ADISA.GLOBAL/ADISACONFERENCE2024/

legal focus
CLAMPDOWN ON COMPLIANCE FAILURES
FAILURE TO COMPLY WITH THE GENERAL DATA PROTECTION REGULATION COULD RESULT IN FINES OF
UP TO €20 MILLION OR 4% OF ANNUAL GLOBAL TURNOVER - AND THE SCREWS ARE BEING TIGHTENED
As most organisations will now be
aware, the GDPR - General Data
Protection Regulation - gives individuals
significant rights over how their personal
information is collected and processed, and
places a range of obligations on organisations
to be more accountable for data protection.
The Regulation applies to all data controllers
and processors that handle EU residents'
personal information. It supersedes the 1995
EU Data Protection Directive and all EU
member states' national laws that are based
on it - including the UK's DPA (Data Protection
Act) 1998.
Failure to comply with the Regulation could
result in fines of up to 20 million euros or
4% of annual global turnover - whichever is
greater. So, this timely guide is a perfect
companion for anyone managing a GDPR
compliance project. It provides a detailed
commentary on the Regulation, explains
the changes you need to make to your data
protection and information security regimes,
and tells you exactly what you need to do to
avoid severe financial penalties.
So, looking at the last completed calendar
year (2023), who was hit with the biggest
fines? In first place, by some measure, was
Facebook owner Meta, with Ireland's Data
Protection Commission imposing a record
$1.2 billion fine in May. "The mammoth
penalty related to the transfer of European
Facebook user data to the United States
without sufficient protection from
Washington's intelligence agencies," says
EQS, cloud provider in corporate compliance,
investor relations and ESG (Environmental,
Social and Governance). Meta was also
ordered to suspend the transfer of user d
ata between the EU and the US within six
months.
As Andrea Jelinek, chair of the European
Data Protection Board, commented at the
time: "The EDPB found that Meta IE's infringement
is very serious, since it concerns transfers
that are systematic, repetitive and continuous.
Facebook has millions of users in Europe, so
the volume of personal data transferred is
massive. The unprecedented fine is a strong
signal to organisations that serious infringements
have far-reaching consequences."
HEAVY HITTING
The Irish Data Protection Commission also
slapped Meta with the second-highest penalty
of 2023 when two fines were imposed on the
company, adding up to a total 390 emillion
euros. And the Irish regulator did not stop
there. It also fined TikTok 345 million euros
after an investigation found that the platform
improperly processed children's data.
TikTok was in the frame again in the UK,
with the Information Commissioner's Office
fining the company 14.5 million euros for
failing to comply with data protection
principles under the GDPR, after it was found
children under the age of 13 were allowed to
create accounts on the platform.
All in all, those who fail to comply with the
Regulation can expect to be held to account
and fined, although not everything in the
GDPR garden is held to be rosy. "In the past
few years, GDPR has also been criticised for
hindering innovation and technology," points
out Legit, a fast-growing EU-based regtech
company and one of the pioneers in the
newly-emerged privacy and personal data
protection area. "For data-driven innovation,
GDPR's restrictions can be particularly
challenging. Companies must be careful
about collecting and using personal data,
which can limit the amount of data
10
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

legal focus
available for research and development,
especially in fields like AI and machine
learning."
Obtaining explicit consent from users is
another hurdle that can complicate or delay
new technological developments. "Startups
and smaller businesses often feel the impact
more acutely, because they have fewer
resources to handle these compliance
requirements. This can create a competitive
disadvantage and act as a barrier to entry
for new players in the market," adds Legit.
On a global scale, GDPR can also
complicate data flows across borders,
hindering international business operations.
Companies outside the EU must also comply
with GDPR, if they deal with EU citizens,
adding another layer of complexity. "Despite
these challenges, GDPR also encourages the
development of privacy-friendly technologies
and the implementation of cybersecurity
measures, and fosters consumer trust,"
says Legit. "The key is balancing protecting
privacy and fostering an environment that
supports technological innovation and
protects individual's rights."
BUSINESSES STRUGGLING
UK businesses are clearly struggling to deal
with mounting data protection regulation
and many are being fined sizable amounts
for compliance violations, according to
Frank Catucci, CTO and head of Security
Research, Invicti. "In fact, the most recent
ISMS report - 'The State of Information
Security Report 2024' - shows that 70% of
those fines were over £100,000. To be fair,
trying to keep an organisation completely
safe and compliant is like trying to hold back
the tide. The unfortunate reality of modern
cybersecurity is that vulnerabilities and bugs
lie deep within the various software components
that businesses rely on. Many of the
challenges that the majority of businesses
face around regulatory and security considerations
are rooted in their software supply
chains," he comments.
Catucci singles out an increasing point of
concern for regulators everywhere. "UK GDPR
makes a point of saying that compliant
organisations must take account of the risks
within their software supply chain. The EU's
NIS2 will come into enforcement in a few
months and makes it clear that organisations
must take into account the security of suppliers
and service providers. Furthermore, the
incoming EU AI act will cement this deeper,
holding every party in the AI supply chain
accountable for failures.
"The UK government is now proposing the
Cyber Security and Resilience Bill, which will
grant new powers to regulators and expand
the scope of existing regulation to, as the
King's Speech announced, 'protect more
digital services and supply chains'. That same
speech cited a June cyberattack on the UK's
NHS, in which ransomware was spread
through a private software provider.
Regulations like these aim to underline the
fact that cybersecurity is an issue of public
safety, as well as private security."
Supply chain security has to be thought
about deeply, if organisations want to
remain compliant, he suggests. "That will
likely start with the thorough scanning and
penetration testing of internal software
systems, and the adoption of Zero Trust
practices when it comes to suppliers and
vendors. Regulators are increasingly focusing
on software supply chains and, if businesses
don't take this seriously, then regulatory
penalties will make them do so."
COMPLIANCE DEFIANCE
Over the past year, more than 99% of UK
businesses have received fines for data
breaches or violation of data protection
rules, according to research into the 'State
of Information Security', by ISMS.online,
the auditor-approved compliance platform.
The findings, if correct, highlight the complexity
of mounting legislation and equally the
challenges that arise from seeking to meet
multiple compliance requirements.
"This year has seen an influx in large scale
breaches and the UnitedHealth Group ransom
attack in April this year is one example of the
huge financial impact these breaches can
have," states ISMS.online. "This attack alone
resulted in the ChangeHealthcare platform
being suspended, with the BlackCat/ALPHV
group claiming it stole 6 TB of data and
resulted in a massive $872 million loss.
"As data breaches continue to surge,
government entities and trade bodies are, in
turn, trying to meet these challenges with
updates and implementation of regulations
and compliance mandates. Equally, businesses
are prioritising cybersecurity. According to the
UK Cybersecurity Breaches survey 2024, threequarters
of businesses (75%) reported that
cybersecurity is a high priority for their senior
management and many organisations have
continued to invest either the same amount
or more in cybersecurity over the last 12
months. This is in part a response to the
perceived increase in the number of cyberattacks
and their sophistication."
Despite continued investment, ISMS.online's
survey of 502 information security professionals
in the UK found that businesses are still
falling foul to data breaches. The average UK
fine for data breaches and violation of data
protection rules now amounts to £257,982.
"That said, only 19% of businesses cite that
their main motivation for compliance and
robust information security is to avoid fines
and penalties. Increased customer demand
(34%), protecting business information (33%)
and remaining competitive (30%) rank as the
top three motivations."
REPUTATION THE BEST ROI
Luke Dash, CEO of ISMS.online, comments:
"Businesses are failing to recognise that
compliance and security come hand in hand
and, if they want to protect their information
and maintain their custom, meeting regulatory
requirements will put them in a good
position to do so. It will also demonstrate
their willingness to put their customers and
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2024 computing security
11

legal focus
Frank Catucci, Invicti: 70% of those fines
imposed for compliance violations were
over £100,000.
Lorraine Mouat, Thistle Initiatives: with such
increased scrutiny, it's crucial that firms are
fully compliant.
their data first. Should a breach occur, this
should ease any financial repercussions, but
will certainly bode well for loyalty and reputation
to enable businesses to remain competitive,
despite any incident and setbacks that
may ensue."
This is supported by the findings, he says,
given that a mere 22% of respondents believe
that complying to avoid fines and penalties
has provided a decent return on their investment
in information security compliance
programmes. The majority cite enhancing
their business reputation as a secure reliable
entity was the best ROI.
"The landscape is certainly changing when it
comes to compliance and fines," adds Dash.
"It is staggering to see that over 99% of
businesses have received fines over the past
12 months, yet it seems that these penalties
are now seen as a small part of the compliance
story. Businesses previously saw
compliance as a way to sidestep hefty fines
and negative publicity; however, as our
research shows, competitive advantage,
reputation and protecting information are
now seen as the main benefits of
compliance."
On a positive note, he says businesses do
seem to be recognising that building effective
information security foundations is essential
for compliance "and it is encouraging to see
that 45% of the ISMS.online survey respondents
noted that their businesses plan to
increase their information security budget by
up to 25% in the coming year to do so. This
provides critical assurances to customers,
shareholders and regulators".
The research also found that current
compliance processes can be demanding
and time-consuming, with over 65% citing
that it took between 6-18 months to meet
compliance with GDPR alone. Similarly, 60%
took the same length of time to comply with
NIST and ISO27701, and 57% struggled to
meet ISO270001 and The Privacy Act,
needing as much as 18 months to do so.
"This is just a snapshot of the legislation
businesses are facing and these rising
regulatory fines, as highlighted by the
ISMS.online research, prove there's still some
way to go. But compliance doesn't need to
be as onerous. As auditors, it's our job to
identify conformity with standards and,
therefore, aid businesses in meeting the
mounting requirements within these to help
them reduce the risk of a breach."
Adds Warwick Tams, head of sales, Alcumus
ISOQAR: "There are solutions now that can
streamline and automate these conformity
audits, reducing manual tasks and enabling
successful audit engagements. Being able to
eliminate the frustration of sorting through
diverse and complex systems and making
audits more straightforward could be the
difference between saving thousands or
losing hundreds of thousands and your
reputation to boot."
MULTIPLE LINES OF FAILURE
Meanwhile, the Financial Conduct Authority
has been exerting increased scrutiny over
financial firms' regulatory compliance, in light
of firms such as AstroPay recently having
restrictions imposed, while operations are
improved.
"These types of restrictions are typically
imposed by the FCA for reasons such as noncompliance
with regulatory requirements,
including operational and governance
weaknesses, financial stability concerns,
consumer protection failures or previous
regulatory breaches," says Lorraine Mouat,
head of payment services at Thistle Initiatives,
the compliance consultancy for financial
service businesses. "It's worth noting that the
FCA has significantly raised the bar since the
requirement for payments firms to be
authorised first came into effect in 2018. As
a result of the supervision work the FCA has
been conducting, we're going to see more
intervention where firms are failing to meet
12
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

legal focus
these now enhanced standards. With such
increased scrutiny, it's crucial that firms are
fully compliant, if they are to avoid constraints
on operations like the ones imposed on
AstroPay."
There are several ways firms can stay on top
of compliance standards, advises Mouat. "For
instance, by actively engaging with regulators
and participating in industry forums, firms can
ensure they stay informed about regulatory
changes and expectations. Internally, it's
important to invest in a strong compliance
infrastructure - hiring experienced compliance
professionals and adopting advanced compliance
technologies. Conducting regular training
for staff on compliance requirements, risk
management and best practices in the
industry is also invaluable."
Additionally, partnering with a compliance
consultancy means firms can benefit from
tailored guidance and support aligned with
their specific business models, as well as
practical solutions that reflect their real needs.
"Partnerships like this are key to ensuring firms
are always moving forward with the everchanging
regulatory environment."
BIG CHALLENGES
All too clearly, data protection regulations
like the GDPR pose significant challenges for
businesses. "Despite Brexit, the UK adheres to
GDPR principles through its version, the UK
GDPR," says Gareth Owen, director, Redkey
USB. "Reports reveal over 99% of UK businesses
faced fines for data breaches or
violations of data protection rules last year,
highlighting the urgent need for robust data
protection measures. While this figure seems
exceptionally high and warrants scrutiny, it
underscores the critical importance of
compliance."
One effective way to ensure compliance is
by securely erasing data from storage devices
before they are sold or recycled. "Simply
deleting files or using free software is
insufficient for GDPR standards, as these
methods leave sensitive information
vulnerable to unauthorised access. Certified
secure data-wiping solutions are essential,
adhering to international standards and
providing a reliable method for completely
removing all data from a device. These
tools securely overwrite the data and verify
the erasure, ensuring no trace of the
original data remains."
For businesses with IT personnel, Owen
adds, it is crucial to avoid inadequate datawiping
methods. "Free software may seem
convenient, but lacks the necessary security
measures and certifications required for
regulatory compliance. Certified datawiping
solutions offer detailed erasure
reports, serving as vital evidence of compliance
for audits and regulatory reviews.
However, not all companies have dedicated
IT personnel. Small businesses often rely on
individuals with basic computer knowledge,
but without formal IT security qualifications.
There's a common misconception
that simply resetting the device or using
a restore function is sufficient for data
protection, but these methods do not
provide the thorough data erasure needed
to ensure regulatory compliance, leaving
sensitive information at risk of recovery."
Whether data erasure is performed inhouse
or outsourced, the key is to use
certified secure data wiping tools, he
argues. "When outsourcing, ensure the
third-party service uses certified tools and
processes. Implementing a secure data
disposal policy is not just about avoiding
fines; it's about protecting the integrity and
trust of the business. Customers and clients
need to be confident their data is handled
with the utmost care, even at the end of its
lifecycle.
"By using certified secure data-wiping
solutions, businesses can uphold their
commitment to data privacy and security,
maintaining their reputation in an
increasingly security-conscious market."
Gareth Owen, Redkey: certified datawiping
solutions offer detailed erasure
reports, serving as vital evidence of
compliance.
Luke Dash, ISMS.online: most respondents
said enhancing their business reputation as
a secure reliable entity was the best ROI.
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2024 computing security
13

AI cybercrime
AI HIGHJACKED
UNEASE IS SPREADING THAT CYBERCRIMINALS WILL COMMANDEER AI TO
COMMIT BIGGER, MORE SOPHISTICATED AND MORE DANGEROUS CRIMES
With the rise of Artificial Intelligence
revolutionising how we do business
and conduct our everyday lives,
fears are growing that cybercriminals are
likely to weaponise the technology to commit
bigger, more sophisticated and more
dangerous crimes.
In new research, 78% of the chief internal
auditors who were questioned believe AI
will negatively impact cybersecurity and data
security, while 58% say it will exacerbate
fraud, underscoring the growing concern
amongst business leaders about the risks
associated with AI.
Organisations are being advised that, in
preventing AI-powered attacks, they will
increasingly need to deploy the same AI
tools as part of their cyber defences, with
the best defence against AI-powered
cybercrime often being AI-powered
cybersecurity solutions themselves. For
example, some AI cybersecurity tools
can detect ransomware in seconds.
Internal audit, it is argued, can play a key
role in supporting boards and senior
management to raise the AI cybersecurity
bar across the organisation by making
recommendations and advising on improving
cyber controls and defences. Anne Kiem,
chief executive of the Chartered Institute of
Internal Auditors, notes how AI, as with all
new technologies. can be used for positive
and negative reasons. "Our research has
shown that chief internal auditors are alert
to the threats and this should bring some
comfort to those organisations that have
a strong focus on risk control, risk mitigation
and having a well-resourced internal audit
function. Internal auditors remain a force
for good."
How much does this anxiety about the
weaponising of AI coalesce with the views
of those across the security industry?
Substantially, as far as Carlos Arnal, product
marketing manager at WatchGuard
Technologies, is concerned. "Despite efforts
by commercial generative AI tools like
ChatGPT to implement safeguards against
malicious use, hackers have found ways
to exploit these technologies," he confirms.
"Emerging alternatives, such as WormGPT, are
also being weaponised by malicious actors."
THREAT TECHNIQUES
The most common AI-supported threat
techniques he identifies include:
AI-generated phishing campaigns:
Generative AI has transformed phishing
campaigns, enabling hackers to create
more convincing texts that are harder
to detect, thus making these campaigns
more effective and time-efficient
AI-assisted target research: machine
learning algorithms analyse social media
and other online data to gather valuable
information about targets, such as their
interests, habits and vulnerabilities
Intelligent vulnerability detection:
AI-enabled reconnaissance tools can
automatically scan corporate networks
for vulnerabilities and select the most
effective exploits
Intelligent data filtering: during an attack,
AI selectively extracts only the most
valuable information, making it harder
to detect the breach
AI-powered social engineering: AI can
generate deepfake audios or videos that
mimic trusted individuals in vishing
attacks, increasing the credibility of the
attack and persuading employees to
disclose sensitive information.
"The complexity of AI-driven cyberattacks
necessitates robust defence mechanisms,"
advises Arnal. "Advanced endpoint security
is crucial in this defence and organisations
should implement solutions that incorporate
AI capabilities to prevent, detect and respond
to these threats." An advanced endpoint
security solution with AI technology can:
Detect emerging threats: utilise
behavioural analysis and machine learning
to identify and block new and evolving
malware. These solutions can also assist
with patching to eliminate potential
vulnerabilities within a network
Minimise the risk of data breaches:
prevent sensitive data leaks from
14
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

AI cybercrime
successful phishing campaigns or malware
attacks, thereby avoiding financial loss,
erosion of customer confidence and
reputational damage
Contribute to regulatory compliance:
many industries are legally required to use
advanced protection against malware.
Non-compliance can result in fines and
other legal repercussions.
While businesses thrive in the digital age,
with more organisations adopting hybrid
work environments to enhance employee
well-being and productivity, "cybersecurity
teams face significant challenges, including
heavy workloads and the risk of burnout,"
warns Stephen Amstutz, director of
innovation at Xalient. "The use of digital
transformation and cloud-based technologies
has made organisations more complex and
heavily reliant on their networks. Thus,
security breaches can dramatically impact
operations and productivity. The increase in
attack surfaces, along with a rise in AI related
cyberattacks, is putting immense pressure on
cybersecurity professionals. A recent report by
Hack the Box highlights the toll on mental
health and its cost to UK companies - $130
million in lost productivity, due to sick days
from work-related stress."
AI offers a promising solution for these
challenges, he states. "AI-powered software
that monitors networks using artificial
intelligence and analytics can detect issues
and potential threats before they become
apparent to employees and automatically
rectify low-level issues. This technology not
only frees up cybersecurity professionals to
tackle high-level threats and projects, but also
acts as a reliable team member that ensures
operational efficiency and higher productivity.
This supports existing teams in their workflow
and contributes positively to employee
experience."
As we continue to see advancement on
improving employee experiences, it's crucial
for companies to regard their cybersecurity
teams as valuable assets worth investing in.
"AI software emerges as a key player in this
context," adds Amstutz, "serving as both a
protective measure against cybersecurity
threats and a supportive colleague, with the
added benefit of enhanced cybersecurity and
supported career progression."
AI WINS WIDE ENDORSEMENT
Rather than being distracted by negative
headlines, a new survey conducted by Jitterbit
found that office workers see beyond the AI
hype. "Employees across the US and UK see
AI as a strategic tool that can be used for:
learning new skills, automating processes and
outsourcing routine tasks to focus on more
strategic efforts," says Bill Conner, the
company's CEO. "AI is changing the world.
However, its implementation remains an
evolution, not a revolution - with business
introductions needed to occur gradually, in
order to foster the best outcomes."
Many office workers are embracing the
potential for job augmentation and
optimisation - seeing AI as an enabler of
professional growth, he adds. "We are now
witnessing the majority of workers view AI
as a way to enhance their professional skills,
reflecting broad acceptance and excitement
about the technology. This sentiment is
particularly strong among younger workers,
who view AI as a valuable educational
resource, with top skills they want to learn
through AI including analytical and statistical
skills, financial management skills, and coding
and development."
However, it's notable that a significant
number of office workers are not concerned
about AI replacing human jobs, despite the
fears often aired. "This indicates a growing
understanding of AI as a tool that complements
human efforts, rather than competing
with them," comments Conner.
The top anticipated benefits of AI include
reducing time spent gathering information
from work systems and applications,
increasing time for thoughtful work and
providing more time for larger projects.
"While office workers seem often to get
caught up in the pursuit of AI, seeing it as a
'silver bullet' that promises maximum gains in
time, money and productivity, instead the
technology needs to be implemented within
their jobs strategically where it adds the most
value, in order to garner the biggest returns.
This approach mitigates risks and ensures a
smoother transition to a more efficient work
environment."
Overall, office workers are not only ready
to embrace AI, but also eager to harness
its potential for professional growth and
efficiency, he adds. "This pragmatic approach
to AI adoption ensures that it becomes a
valuable tool for job augmentation and
optimisation, paving the way for a future
where human ingenuity and AI capabilities
work hand in hand."
DEEP FAKES, DEEP CONCERN
Basil Philipsz, CEO, Distributed Management
Systems, believes the advancement of deep
fakes makes biometric authentication weaker,
due to the ability of sophisticated AIgenerated
media to convincingly replicate
physical traits, such as facial features, voices
and even behavioural patterns. "Deep fakes
can create realistic images and videos of
individuals, potentially allowing attackers
to spoof biometric systems that rely on facial
recognition, voice recognition or other
biometric data. This undermines the reliability
of biometric authentication, as the systems
may be tricked into granting access based
on these forged credentials."
Industry leaders and cybersecurity experts
have highlighted these concerns, he adds.
"Gaelan Woolham from Capco points out
that deepfake technology can mimic voices
and faces with high fidelity, making it
challenging for existing biometric systems to
distinguish between real and fake identities.
This technology can bypass voice biometric
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2024 computing security
15

AI cybercrime
Anne Kiem, Chartered Institute of
Internal Auditors: internal audit can play
a key role in supporting boards and
senior management to raise the AI
cybersecurity bar.
Stephen Amstutz, Xalient: an increase in
attack surfaces, along with a rise in AI
related cyberattacks, is putting immense
pressure on cybersecurity professionals.
systems used by financial institutions, as
demonstrated by a University of Waterloo
study, which showed that deepfakes could
fool such systems in a few attempts." He also
references security company Sensity, which
tested facial recognition systems and
demonstrated that deepfake technology
could easily bypass liveness detection-a
critical component of facial recognition
security. "Liveness detection typically relies on
recognising natural human behaviours, like
blinking and subtle facial movements, but
deepfakes can replicate these actions
convincingly," says Philipsz.
The recent significant development is the
easy deployment by non-experts; making it
easier for individuals to create realistic fake
videos and images, including those used
for biometric cloning. "The availability of
sophisticated yet user-friendly applications,
such as FakeApp, ReFace and DeepFaceLab,
has democratised access to deepfake creation
tools, allowing even non-experts to produce
convincing fakes."
Deepfakes can pose serious threats to
biometric authentication systems, especially
those that rely on facial recognition. "These
attacks can be categorised into presentation
attacks, where fake images or videos are
presented to a camera or sensor, and
injection attacks, where data streams or
communication channels are manipulated."
Examples of deepfake attacks include face
swapping, lip-syncing and gesture or expression
transfer, all of which can deceive
biometric systems.
ROBUST API SECURITY
APIs are the backbone of AI systems,
facilitating data ingestion, interoperability
and service delivery, says Jamie Beckland,
chief product officer at APIContext. "They
enable seamless integration with various data
sources, allowing AI models to access and
process large volumes of data in real time."
APIs also ensure AI systems can interact with
other services, databases and applications
effectively. This interoperability is crucial for
the scalability and flexibility of AI systems.
However, APIs also represent potential points
of vulnerability where cybercriminals can
launch attacks, making robust API security
indispensable. "Since APIs are so critical to AI
operations, they create choke points that
cybercriminals can exploit. The risk is
compounded by the fact cybercriminals are
now building and using their own AI tools to
automate and enhance attacks. These tools
can identify and exploit API vulnerabilities,
such as weak authentication, inadequate
encryption and insufficient input validation."
To mitigate these risks, application owners
must implement protective measures," states
Beckland. "Ensuring strong authentication
and authorisation, such as multi-factor
authentication [MFA] and OAuth standards,
is crucial to allow only authorised access.
Data encryption, both in transit and at rest,
protects sensitive information during API
communication. Implementing rate limiting
and throttling helps prevent abuse and
mitigates the impact of automated AI-driven
attacks. Comprehensive input validation and
sanitisation prevent injection attacks and
malicious data manipulation.
"Also, we recommend that teams use an
automated tool to ensure API conformance
to design specifications, as around 80% of
API attacks stem from misconfigurations."
AI tools are particularly vulnerable to Broken
Object Level Authorization (BOLA) attacks, he
adds. "In these attacks, cybercriminals exploit
insufficient authorisation mechanisms to
access or manipulate data that should be
restricted. Since so much personalised data
is available through AI tools, the risks of
unauthorised access is higher than with
other, more static, systems.
As cyber attackers increasingly leverage AI
to enhance attacks, securing APIs becomes
even more critical. "APIs can hold the
defensive line against malicious AI systems."
16
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

eal-time threats
KEEPING IT REAL-TIME
IN TODAY'S DIGITAL LANDSCAPE, MANAGING SECURITY THREATS OFTEN HINGES ON
HOW WELL ORGANISATIONS CAN IDENTIFY AND RESPOND TO RISKS IN REAL TIME
Identifying and responding to security
threats in real time is crucial. Organisations
often struggle with managing
these threats, due to the inevitability of
human errors. If unnoticed, these can lead
to substantial and punitive security incidents.
But how exactly does 'real time' work and is
it always achievable? And is real time as
'real' as some might argue when it comes
to achieving its lofty aspirations?
In today's digital landscape, managing
security threats often hinges on how well
organisations can identify and respond
to risks in real time. "While human errors
are bound to happen, with the right
technologies and processes, they don't
always have to pose a significant risk,"
says John Scott, lead security researcher at
CultureAI. "Unfortunately, when people make
mistakes, they often go unnoticed until they
result in an incident. This is where nudges
can help, filling a crucial gap by intervening
in risky behaviours
automatically and efficiently. A well-executed
security nudge can reduce Security Operation
Centre (SOC) interventions and remediation
times, while reinforcing security policies,
security culture and best practices."
What exactly is a nudge? "Nudge Theory,
popularised by Richard Thaler and Cass
Sunstein in 2008, gained prominence as
a cheap and effective method to influence
behaviour change," he continues. "The
premise of this concept is that shaping the
environment, known as choice architecture,
influences individuals' decision-making, and
allows them to maintain freedom of choice
and feel in control of their decisions, whilst
being guided towards the 'best' solution."
The term 'nudge' has become a buzzword
in cyber security over recent years, often
mistakenly equated with 'notifications'.
"While nudges can be used in different ways,
overreliance can lead to 'nudge fatigue',
overwhelming employees with dismissible
reminders and notifications to
complete training. To
make best use
of them,
nudges should aim to shift behaviours rather
than simply notifying an employee of their
actions."
Why do we need nudges in cyber security?
"When people are busy, they tend to be
reactive and reliant on system-one thinking,
which is automatic and intuitive, but more
prone to errors," says Scott. "By sending
a security nudge to employees at the point
of risk, they are alerted in real time and
prompted to shift to more logical, lower-risk,
system-two thinking. Incorporating nudges
as part of a human risk management (HRM)
strategy is an effective way to mitigate
risks in real time, empowering employees
precisely when it matters most. Nudges
encourage employees to pause and think
before making potentially risky security
decisions, making them aware of the threat
and empowering them to choose wisely."
However, nudging employees does come
at something of a cost. "Interrupting their
workflow can hamper productivity, so a
nudge must have a strong rationale. If you
interrupt, there should be a specific, actionable
step the employee can take to mitigate
the identified risk. If the security team can fix
the risk without interruption, they should.
Repetitive or intrusive nudges will lead to
nudge fatigue, causing employees to ignore
them," he advises.
To ensure a nudge isn't ignored,
Scott recommends delivering it
within the applications that
employees are already
using, such as Slack,
Teams or their browser.
"Over time, nudges
simplify decision-making
for employees, requiring
18
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

eal-time threats
minimal cognitive effort to execute decisions
without overthinking."
Also, rather than just leaving employees
to navigate the safe use of SaaS and GenAI
apps on their own, nudges can help
establish guardrails and provide guidance in
real time. "For example, if the organisation
has an approved GenAI solution, a good
nudge can not only dissuade employees
from using non-authorised sources, but it
can also guide them towards a preferred
solution," Scott adds. "Nudges can help
create a cultural shift towards proactive
and engaged participation in cyber security
practices. This approach not only streamlines
security operations, but also creates an
environment where employees are
empowered to make their own security
decisions."
POSITIVES AND NEGATIVES
Kennet Harpsoe, lead security researcher,
Logpoint, flags up how "real-time protection
sees the constant surveillance of systems and
networks to detect anomalies and suspicious
activities; automated detection, using AI and
machine learning (ML) to identify potential
threats based on patterns and behaviours;
and rapid response to contain and neutralise
threats. It can, for example, quickly detect
the active encryption of a machine by ransomware
or abnormal outbound traffic patterns,
indicating potential data exfiltration, and
trigger immediate response actions to stop
the data breach".
Human errors, such as misconfigurations,
oversight and delayed responses, can all
create vulnerabilities. "It can be complex to
manage across large disparate networks and
scalability issues often arise, complicating the
deployment of consistent security measures,"
he cautions. "Automated systems can also
generate false positives [benign activities
flagged as threats] and false negatives
[actual threats going undetected], which
can undermine trust in the system. While
advances in technology have made real-time
more feasible, it is not always achievable.
Latencies in detection and response,
integration issues and the sophistication
of modern threats can impede true realtime
protection. These systems also require
significant investment and resources, skilled
personnel and maintenance."
To achieve real-time protection, says
Harpsoe, a robust monitoring infrastructure
is needed, comprising advanced monitoring
tools capable of real-time data analysis and
threat detection over all network segments.
"Automated and adaptive systems are a
must, but consider also the human element
by training IT staff to recognise and respond
to threats. Keep security systems updated
with the latest threat intelligence. And
streamline incident response by developing
and updating IR plans, and conducting drills
and simulations to ensure readiness."
Where real-time can go wrong, he points
out, is through inadequate preparation,
an overreliance on technology and by
ignoring emerging threats. "Lack of thorough
preparation and planning can lead to gaps
in real-time protection and, while technology
is essential, so, too, is human oversight to
manage and mitigate unforeseen issues.
Failing to keep up with an evolving threat
landscape can also render real-time systems
ineffective. Many current real-time protection
systems rely upon simple Indicators of
Compromise [IoC], with all of their inherent
problems, which sees their usefulness decay
as rapidly as the IoC."
While achieving true real-time protection
is challenging, it's a worthwhile goal, he
insists, as implementing robust monitoring,
leveraging automation and maintaining
constant vigilance can greatly enhance an
organisation's security posture. "However,
it is crucial to recognise the limitations and
continuously improve processes to adapt
to the ever-changing threat landscape.
Real-time protection will probably never
be completely autonomous."
John Scott, CultureAI: nudges can help
create a cultural shift towards proactive
and engaged participation in cyber
security practices.
Kennet Harpsoe, Logpoint: real-time can go
wrong through inadequate preparation, an
overreliance on technology and by ignoring
emerging threats.
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2024 computing security
19

zero trust
SHIFTING THE GOALPOSTS
SHIFTING FROM A LOCATION-CENTRIC MODEL TO A MORE DATA-CENTRIC APPROACH, IN PURSUIT OF
A ZERO TRUST SOLUTION, IS A COMPLEX UNDERTAKING, DEMANDING SIGNIFICANT EFFORT AND EXPERTISE
Digital environments are more complex
than ever and threats are becoming
increasingly sophisticated by the day,
warns Andy Syrewicze, security evangelist,
Hornetsecurity. "One framework to address
this is Zero Trust - an approach that follows
the mantra of 'never trust, always verify'.
However, it requires total buy-in from
everyone in an organisation and represents
a significant investment in cybersecurity
technology and training."
How does Zero Trust help bolster defences?
"It assumes that threats exist inside and
outside an organisation's network. Every
access request must be authenticated,
authorised and encrypted, regardless of
source. This ensures internal systems
remain protected, even if a network is
compromised."
The current threat landscape is volatile and
evolving, highlighting the importance of Zero
Trust, he says. "High-profile incidents, such as
the recent attack on Ticketmaster, illustrate
how even large, financially robust, companies
can be vulnerable. Advancements in technologies,
like generative AI, have also
expanded the pool of potential attackers,
making it increasingly difficult to stay ahead
of threats. Zero Trust limits the potential
damage from AI-enabled threats - as well as
ransomware and other traditional attacks -
by continuously verifying the legitimacy of
requests."
How can firms apply a Zero Trust approach?
"Organisations should start by verifying
everything, ensuring every authentication
request and connection is checked," advises
Syrewicze. "Implementing 'least privilege
access' means that, once a user is connected
to a service or data, they only have the access
they need. This involves mapping out all
sensitive information and deciding who
requires access. Multi-factor authentication
[MFA] can also be used to ensure only verified
users gain access, with regular audits, reviews
and updates to maintain this level of security."
Another key component he singles out is
micro-segmentation, which divides a network
into smaller, isolated segments. "This prevents
attackers from moving within a company's
network, containing potential breaches.
Advanced monitoring tools should be
implemented to track activity and identify
anomalies, with automated responses in
place to rapidly address issues."
Syrewicze stresses how organisations should
always be prepared for a breach and have
strong security tools in place to catch
intruders before they penetrate too far
into the network. "Employees are pivotal
in defending against cyber threats, and
comprehensive cyber-awareness training
solutions, such as Hornetsecurity's Security
Awareness Service, [which provides
automated ongoing training and phishing
simulations], are essential. Our recent
research revealed 25.7% of organisations
do not provide IT security awareness training
to end users."
Educating employees on recognising and
responding to phishing attempts and other
social engineering tactics is vital, he adds, and
education should be ongoing to keep pace
with evolving threats. "Training on recovery
processes is also crucial. Employees, IT staff
20
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

zero trust
and key stakeholders need to know how to
restore data efficiently from backups during
a cyber incident and bring critical business
processes back online."
EFFORT AND EXPERTISE
All too clearly, implementing Zero Trust in
a complex infrastructure that includes a mix
of legacy systems, on-premises servers and
cloud services can be extremely challenging.
Ensuring seamless integration and consistent
security policies across all these components
requires significant effort and expertise.
"Moving from a traditional security mindset
to a Zero Trust approach is often met with
resistance within an organisation," says
macmon secure. "Employees and stakeholders
may be accustomed to more lenient
access controls and may find the rigorous
verification processes of Zero Trust
cumbersome.
"The initial stages of implementing Zero
Trust can put a strain on an organisation's
resources. This includes the financial cost
of new technologies, the time required for
planning and deployment, and the need for
skilled personnel to manage the transition.
Achieving the level of visibility required
for effective Zero Trust can be difficult.
Organisations need to continuously monitor
and analyse data flows to ensure that access
controls are being enforced correctly and
to detect anomalies that could indicate a
security threat. Constantly verifying users and
devices can potentially slow down network
performance. This is particularly challenging
in environments where high-speed access to
data and applications is critical."
Adopting a Zero Trust posture requires
a fundamental change in the way an
organisation views cybersecurity. It means
moving away from the assumption that
internal networks are inherently secure and
instead treating every access request with
suspicion, the network security software
company advises. This shift requires:
Ongoing education and training: ensuring
that all employees understand the
importance of Zero Trust and are trained
in best practices
Executive buy-in: gaining the support of
senior management to drive the cultural
change required for successful
implementation
Ongoing adaptation: continually evolving
security policies and practices to address
new threats and vulnerabilities as they
emerge.
Says Heiko Fleschen, head of marketing,
macmon secure: "We have adopted a Zero
Trust Network Access approach to help
organisations achieve a robust Zero Trust
posture. Our strategy focuses on ensuring
that only authenticated and authorised users
and devices can access network resources,
thereby minimising the risk of unauthorised
access and potential breaches."
STRATEGY RETHINK
The shift towards Zero Trust architecture
represents one of the most significant
changes in recent years, confirms Denny
LeCompte, CEO of Portnox. "The US Cyber
Defense Agency's emphasis on a data-centric,
rather than a location-centric, approach
underscores the necessity of rethinking our
security strategies in a world where traditional
network perimeters no longer exist.
Zero Trust is fundamentally about enforcing
accurate, least privilege per-request access
decisions in information systems and services,
treating the network as if it is already
compromised. This paradigm shift requires
a comprehensive understanding of every user,
system, data point and asset within an
organisation."
To transition to a Zero Trust model, he
states, an organisation must first achieve
comprehensive visibility into its network. This
involves deploying advanced monitoring tools
that can continuously assess the behaviour of
users and devices and identify anomalies that
could indicate potential threats. "However,
the transition to Zero Trust is not merely
a technological upgrade; it demands a
fundamental change in an organisation's
philosophy and culture around cybersecurity.
Implementing Zero Trust also requires
collaboration across various departments.
IT, security and business units must work
together to identify critical assets, understand
their value and determine the appropriate
level of access needed for different users."
The journey to a Zero Trust posture involves
several key steps, saysLeCompte. "First, assessment
and planning are crucial, requiring
a thorough evaluation of the current security
posture to identify gaps and areas for
improvement. Implementing robust identity
verification processes, such as passwordless
certificate-based authentication, ensures that
only authorised users can access sensitive
information.
"Network segmentation is another vital
step, which involves dividing the network
into smaller segments to limit the lateral
movement of attackers, with each segment
having its own security controls and policies.
Continuous monitoring through tools like
Network Access Control (NAC) and application
conditional access is essential for realtime
visibility into resource access, device
posture and potential risk, and enables
prompt threat detection and response."
Developing and enforcing granular security
policies, based on the principle of least
privilege, ensures that users have only the
access they need to perform their tasks and
adapts to the changing environment.
FUNDAMENTAL SHIFT
Rich Hall, AVP technical sales, DigiCert,
says Zero Trust requires a comprehensive
understanding of the organisation's assets
and how they interact. "This visibility is crucial
for developing, implementing, enforcing and
evolving security policies. However, achieving
Zero Trust goes beyond technical changes -
it requires a cultural and philosophical
transformation within the organisation."
From DigiCert's perspective of 'Digital trust
for the real world', this cultural shift is
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2024 computing security
21

zero trust
Rich Hall, DigiCert: Zero Trust requires
a comprehensive understanding of the
organisation's assets and how they
interact.
Heiko Fleschen, macmon secure: the
objective is to help organisations achieve
a robust Zero Trust posture.
essential, he adds. "Digital trust extends
beyond merely securing transactions and
communications; it involves creating an
environment where security is integral to
every operation and interaction within
the organisation. To foster this environment,
organisations must commit to
transparency, continuous monitoring
and dynamic response strategies.
"The transition to Zero Trust begins
with educating all stakeholders about
the importance and implications of this
model. Employees, partners and customers
must understand that security
is not just an IT concern, but a shared
responsibility. Training programmes and
awareness campaigns can help cultivate
a security-first mindset across the
organisation."
Next, organisations need to re-evaluate
their existing security policies and access
controls to ensure the principle of least
privilege, in order to minimise the risk
of insider threats and lateral movement
by attackers within the network. "Implementing
Zero Trust also involves deploying
advanced technologies, such as multifactor
authentication [MFA], identity
and access management [IAM], and
continuous monitoring tools," Hall states.
"These technologies provide the granular
control and visibility needed to enforce
Zero Trust principles effectively. Also,
organisations should leverage artificial
intelligence and machine learning to
detect anomalies and respond to threats
in real time."
However, technology alone is insufficient.
"A successful Zero Trust strategy requires
ongoing collaboration between IT, security
teams and other business units. Regular
audits, policy reviews and simulations of
potential attack scenarios can help ensure
that the Zero Trust framework remains
robust and adaptive to new threats."
SOLID FOUNDATION
Cybercriminals are not new and often neither
are their tactics, comments David Morimanno,
thought leader at Xalient. "Despite this, phishing
attacks continue to be highly successful.
New technologies, such as GenAI, are further
improving these tactics and companies must
implement a strategic approach that’s built
on a solid foundation of identity security to
minimise risks. For this process, organisations
should first recognise pre-existing
vulnerabilities."
Human error represents the most significant
vulnerability within an organisation's cybersecurity
framework. "An employee's online
presence can provide adversaries with
sufficient data for sophisticated social
engineering attacks. These can manipulate
employees into divulging confidential
information or inadvertently granting access
to secure systems. Employees frequently
exhibit poor cybersecurity practices, such
as employing weak passwords, reusing
credentials across multiple platforms and
neglecting regular software updates."
"Although organisations implement robust
security measures, including multi-factor
authentication and regular mandatory password
changes, users often perceive these as
burdensome. Consequently, employees may
seek shortcuts, such as storing passwords
insecurely or using easily guessable credentials,
undermining the security controls in
place," he adds.
Zero Trust can be a compelling strategy to
address the multifaceted challenges of
cybersecurity, says Morimanno. "This approach
operates on the principle that every connection,
user and even device may pose a potential
threat, thereby eliminating the default
trust traditionally placed in employees and
machines. It requires rigorous verification of
identities and granting trust levels based on
thorough security assessments, Zero Trust
helps ensure that workflows remain
uninterrupted."
22
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

product review
BACKBOX NETWORK AUTOMATION PLATFORM
As enterprise networks grow in
complexity, businesses can no
longer afford to rely on inefficient
and error-prone manual processes
to manage and maintain critical
infrastructure devices. Network
automation is now an essential tool
for support departments and change
management teams, as it brings
operational efficiencies, not least in terms
of significantly reduced security risks.
This can be challenging in geographically
distributed, multi-vendor environments,
but BackBox's Network Automation
Platform (NAP) has you covered, as it
supports over 180 technology vendors.
It provides an impressive suite of tools
that include network vulnerability and
change management, automated device
configuration backup with five-step
verification, device updates, configuration
comparisons, a smart one-click restore
service and much more.
A key feature is the BackBox automation
library, which offers over 3,000 preconfigured
tasks for common use cases, such as
firmware and OS updates, vulnerability
management, compliance audits and
device backups. The beauty of this nocode
automation approach is that support
staff don't need to be versed in complex
scripting languages, as they can create
custom automation tasks using only API
commands or the CLI.
Installation is a breeze and the NAP
CentOS ISO or OVA/VHDX file can be
deployed on physical, cloud or virtual
servers. We loaded it on a Hyper-V host,
followed the quick start wizard and
had NAP all ready for action in only
twenty minutes.
The web console is easy to navigate and
you start by running an SNMP discovery
job on selected networks. An instant time
saver is the ability to assign a backup
task to these jobs, so, as your devices are
being discovered, they will also be backed
up for the first time.
Regardless of the type of device, all
configuration backups can be stored
in the same repository for consistency.
Alternatively, you can send them to
different local, remote or cloud locations
and ransomware protection comes into
play, as BackBox supports immutable
cloud storage.
For backup integrity and assured
recovery, BackBox applies five checks
on every backup, which include end of
file, file size, checksum matches and file
size comparisons with previous backups.
Configuration recovery is a swift process,
as you choose a device, view its log
history, pick a backup job and select the
restore option.
Remote sites are integrated into BackBox
by deploying agents, which take their
instructions from the central console.
These run distributed parallel executions
and perform backups locally, so there
are no overheads on the main server.
Furthermore, businesses can keep backups
at remote locations, if they need to
demonstrate regional compliance.
The Network Vulnerability Manager
component inventories network devices,
reports back on discovered vulnerabilities,
prioritises them and delivers full remediation
services. It follows all industry
standard benchmarks and provides
technical surveys during backups.
It works hand in glove with Intelli-Check
tasks, which monitor health and compliance
of all devices by regularly running tests
on them and optionally remediating out
of compliance devices. Using threat
intelligence from NIST and other bodies,
such as CISA, Backbox manages the entire
lifecycle of vulnerabilities by matching
inventory against all CVEs and using
configuration information to determine risk.
You can run tasks to find all vulnerable
devices on the network, see which CVEs
apply to specific devices and find out what
their risk level is. BackBox runs scheduled
remediation jobs and accelerates
remediation by performing multi-step
updates and applying them to high
availability pairs with one task.
BackBox's Network Automation Platform
takes the pain out of configuration
management, network security and
compliance. Easy to deploy, it can
streamline all essential backup and
update operations across multi-vendor
environments, and its smart zero-code
automations will appeal to busy support
departments.
Product: Network Automation Platform
Supplier: BackBox Software
Web site: www.backbox.com
Sales: info@backbox.com
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2024 computing security
23

SURGE IN EXTORTION ATTACKS
Orange Cyberdefense, the specialist arm of
Orange Group dedicated to cybersecurity,
has released its latest cyber extortion report,
Cy-Xplorer 2024. Examining data from a total
of 11,244 confirmed business victims, the
findings show a steep increase (77% YOY) in
the number of observable cyber extortion
(Cy-X) victims over the past 12 months, with
analysis suggesting the actual number to be
50-60% higher than what it has directly
observed, due to the dynamic and everhacker
attacks
NEW ERA OF HOPE?
HERE, WE BRING READERS ANOTHER ROUND-UP OF SOME OF THE
LATEST ATTACKS THAT HAVE BEEN WAGED AGAINST ORGANISATIONS
Significant change can bring hopes of a
significant new approach - and Spencer
Starkey, VP EMEA at SonicWall, points
to how the ushering in of the new Labour
Government has raised expectations for a
fresh approach to cybersecurity, especially
after a series of high-profile cyberattacks on
the UK's healthcare system, government and
schools.
However, he has some concerns. "Despite
the urgency, the absence of a comprehensive
cybersecurity strategy in the election manifestos
was alarming for experts who are
calling for detailed, actionable plans to tackle
the complex challenges of our digital age.
The new Labour government faces the
challenge of not only addressing these
immediate threats, but also setting a
benchmark for the private sector. Inadequate
regulations could leave both public and
private sectors vulnerable. Labour's commitment
to national security, as highlighted
in their manifesto, includes a focus on
economic stability, border integrity and
national security."
Starkey sees the announcement of a new
Cybersecurity Bill in the King's Speech
as a promising development, but effective
implementation will require strong
collaboration between government bodies
and industry experts, he states. "This
partnership is crucial to ensure that the
right practices are established to safeguard
against evolving threats. To navigate these
complexities, Labour must prioritise the
development of a comprehensive, futureoriented
cyber strategy that addresses the
risks posed by AI, enhances the security of
critical national infrastructure, and educates
citizens on cybersecurity risks and best
practices. Furthermore, international
cooperation will be essential to combat
global cyber threats.
"The effectiveness of the government's
cybersecurity strategy will definitely hinge
on its ability to balance immediate responses
with long-term planning, ensuring the UK
is well protected against the challenges of
the digital age."
WORRYING MOVE
Progress Software recently patched a high
severity authentication bypass in the
MOVEit managed file transfer (MFT) solution,
a matter of some concern, as MOVEit has
been a popular target for ransomware
gangs and other threat actors.
"CVE-2024-5806, the authentication bypass
vulnerability recently disclosed by Progress
Software, affects their MOVEit managed file
transfer (MFT) solution," points out Scott
Caveza, staff research engineer at Tenable.
"MOVEit was at the heart of a massive
ransomware campaign in May 2023 when
the ransomware gang known as CLOP began
mass exploiting a zero-day SQL Injection
vulnerability (CVE-2023-34362) affecting
MOVEit Transfer."
That attack had a major impact at hundreds
of organisations worldwide and, with a new
vulnerability affecting the product, it raises a
lot of questions and concerns for users of the
software," Caveza states. "CVE-2024-5806 is
a severe vulnerability. However, based on the
detailed analysis and exploit code from
researchers at watchTowr, it does appear that
this vulnerability is not easily weaponisable
and still requires an attacker to take
additional steps, in order to exploit a
potential target."
Although details on how this exploitation
works are publicly available, watchTowr
confirmed that Progress contacted affected
customers prior to publicly disclosing their
security advisory. "While this is not the first
time we've seen a vendor take measures to
protectively warn and secure customers prior
to public acknowledgment of a vulnerability,
it could have been a risky move. An unknown
individual tipped watchTowr off to the vulnerability
well before it was public knowledge. If
this individual had malicious intentions, this
information could have easily been given to
threat actor groups to develop an exploit and
abuse the flaw."
24
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

hacker attacks
changing nature of the cyber extortion
ecosystem.
Despite the takedown and disruption of
prominent cyber extortion groups such as
RagnarLocker, ALPHV/BlackCat, and LockBit
by law enforcement, there has been no
noticeable decrease in victim count. The
research highlights the general volatility of the
Cy-X actor ecosystem, indicating that one-third
of all actors tracked will 'disappear' each year,
while an equivalent number of new actors are
identified annually. It also suggests half of all
identified threat actors will disband or rebrand
in less than six months.
Comments Hugues Foulon, CEO at Orange
Cyberdefense: "We are seeing a measured
rise in the pace at which law enforcement is
responding to meet the Cy-X threat; but, as
victim numbers surge at an alarming rate,
with new tactics being deployed and moral
restraints dwindling, it's an ongoing battle
that's further complicated by the decentralised
and fragmented ecosystem. Small businesses
are increasingly falling victim to the crime and
we see a real need for all organisations to join
forces and play their part by working together
and taking actions that will increase the cost
for attackers."
DDOS ATTACKS SPIKE
Imperva, a Thales company, has released its
2024 DDoS Threat Landscape Report, revealing
a dramatic increase in Distributed Denial
of Service (DDoS) attacks during the first half
of the year. The report highlights key trends
and provides critical insights into the evolving
threat landscape, including:
Surge in DDoS attacks: Imperva mitigated
111% more DDoS attacks in H1 2024,
compared to the same period in 2023,
underscoring the escalating threat
Industry targets: the financial services sector
remains the top target, experiencing some
of the most forceful attacks. The telecommunications
and ISP sectors saw a staggering
548% rise in the volume of attacks overall
DNS attacks: DNS DDoS attacks surged by
215%, with amplification attacks increasing
in size by 483%
New attack vectors, such as HTTP/2 Rapid
Reset and HTTP/2 Continuation Frame
Attacks, have emerged, highlighting the
evolving threat landscape
Hacktivism: hacktivist groups, such as
NoName57(16), frequently employ DDoS
attacks to disrupt critical infrastructure,
especially during major events and
geopolitical tensions.
BREACHES AND DEVICE LOSSES
Apricorn has released further findings from
its annual Freedom of Information (FoI)
responses into data breaches and device
loss amongst 27 local councils. The results
highlight the significant number of breaches
occurring within just 17 of the councils
questioned and the threat to customer data,
with over 5,000 breaches recorded in 2023.
Worryingly, Kent County Council declared
734 breaches alone between Jan 2023
and Dec 2023, with Surrey County Council
amassing 665 and Norfolk Council not far
behind with 605. Other big losses included
Warwickshire County Council (495) and East
Sussex (490).
"We're familiar with the fact organisations
suffer data breaches, particularly those housing
valuable customer data," points out Jon
Fielding, managing director, EMEA Apricorn.
"That said, the excessive number of breaches
being declared is concerning. These government
organisations should be setting a
precedent, in terms of data protection. Whilst
we know there is no silver bullet for preventing
a breach, multiple steps and processes can
be put in place to limit the risks of a breach.
The councils should invest in comprehensive
training programmes to educate employees
about the importance of safeguarding data
and the proper protocols to follow, in case of
device loss or theft."
Scott Caveza, Tenable: although CVE-2024-
5806 is a severe vulnerability, it is not easily
weaponisable.
Hugues Foulon, Orange Cyberdefense:
a measured rise in the pace at which law
enforcement is responding to meet the
Cy-X threat, but there are still concerns.
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2024 computing security
25

ook review
AN HONOURABLE QUEST
CYBERSECURITY HAS NEVER HAD AN OVERARCHING CODE OF ETHICS AND CONDUCT.
PAUL J. MAURER AND ED SKOUDIS WANT TO SEE THAT FAILURE FULLY ADDRESSED
Whilst other professions - such
as medicine, law, and indeed
engineering - have long
required their practitioners to embrace
and abide by an overarching code of
ethics and conduct, cybersecurity has
never had such a code. This absence
of an ethical standard is regarded as
a serious threat to the safety of consumers
and businesses around the world.
In 'The Code of Honor', authors Paul J.
Maurer and Ed Skoudis are focused on
delivering a comprehensive discussion
of the ethical challenges facing
contemporary workers, managers and
executives - both in the tech world and
in those companies which serve the
public. They explain and establish ethical
best practices and take a deep dive
into many of the high-stakes situations
commonly encountered. A series of case
studies-called 'Critical Applications' in
the book-included at the end of each
chapter demonstrate how to use the
hands-on skills being explored within.
'The Code of Honor' is the result of
a journey the authors began several
years ago "to address an expanding
ethical vacuum in our industry, where
critical decisions are often made without
regard to their ethical implications. At
the same time, the weight and financial
impact of our decision-making is rapidly
increasing", they state.
"As you will learn in the coming pages,
the crossroads of cybersecurity and
ethics aren't some philosophical 'pie in
the sky' discussion. Cybersecurity
professionals hold a great deal of power
and enormous levels of responsibility
in the workplace and the broader
economy. It is a high-pressure, fastpaced,
and exciting field where
ethical decision-making can make the
difference between success and abject
disaster, not only for your career but for
your organization, customers, or constituents,
and perhaps far beyond. The
topics we explore in this book are
integral to the daily operations of nearly
every industry and are essential to the
very stability of our modern world."
With the cybersecurity industry now
changing at light speed, we must truly
respond to the emergent ethical
challenges with a level of "hair on fire"
determination and precision, insist
Maurer and Skoudis. "Our offering in
'The Code of Honor' is a systematic and
thoughtfully constructed program for
building best practices regarding ethics
in decision-making in the tech industry,
with a specific focus on cybersecurity.
This book presents a concise, carefully
designed and timeless set of ethics that
will engage everyone from C-suite
leaders who work on the periphery of
the cyber world to the most seasoned
cybersecurity professionals and everyone
in between," they state.
MORE INFO
The Code of Honor: Embracing Ethics
in Cybersecurity
Authors: Paul J. Maurer and Ed
Skoudis (ISBN: 9781394275861)
Published June 2024 by Wiley
Hardcover and ebook, priced £30.99
26
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

the re-use route
DON'T LET FEAR HINDER YOUR SUSTAINABILITY MANIFESTO
STEVE MELLINGS OF ADISA MAKES THE CASE WHY THE DEFAULT POSITION
SHOULD ALWAYS BE TO PROMOTE RE-USE OF REDUNDANT EQUIPMENT
As individuals and businesses, we're
all examining our impact on the
environment with one area where
'wins' can be achieved being the management
of product lifecycles, states Steve
Mellings, CEO, ADISA. "At the end of life,
viable technology should be made available
for reuse by reselling or donating it. This
aligns with financial and environmental,
social, and governance [ESG] considerations,
but many organisations fear data breaches,
so adopt a 'destroy' mentality. But why
destroy when we can re-use?"
One explanation, he points out, lies in
the evolving nature of technology, which
makes logical sanitisation more difficult.
"Networking equipment, for instance,
holds data, and factory resets don't always
guarantee complete erasure. Our research
centre recently spent eight months testing
smartwatch sanitisation, uncovering a range
of challenges with this technology. Why is
this important? Smartwatches have nonvolatile
flash storage that retains copies of
texts and photos, and other locally stored
data saved when it was paired with a host
phone. A solution provider needed verification
of their product, which was used
to sanitise each device and create an audit
trail when it had done so. Following testing,
the solution can now allow the re-use of
android and apple watches to be done
with confidence," he adds.
For some technologies, says Mellings,
storage is shifting from being a separate
component within a device to being
embedded. "This blurs the traditional
host-component relationship and poses
challenges for sanitisation-especially in
the case of Apple MacBooks. Our research
centre has developed proprietary techniques
that took over six months to achieve
to verify successful sanitisation, with the
first products approved just last month."
So, amidst these technical challenges,
a critical then question arises: how do we
sanitise storage? "In the UK, many organisations
use Information Assurance 5 (IS5)
or Commercial Product Assurance (CPA)
schemes, both administered by the National
Cyber Security Centre (NCSC). Currently,
there are no approved products for data
sanitisation under the CPA scheme, leaving
IS5, and CAS-S, as only available
destruction."
So, where exactly should organisations
turn when creating a reuse sanitisation
specification? Mellings points to a new
standard called IEEE 2883, which was
released in November 2022, as providing
the best logical sanitisation specification
and serves as an excellent starting point
for all organisations to use. "The perceived
[or real!)] fear of GDPR-related actions has
often justified destruct-ion over re-use.
"To extend product lifecycles, the use of
third parties to perform data sanitisation
and remarketing becomes crucial. Unfortunately,
where the wrong type of vendor is
selected, we still observe significant noncompliance
with GDPR, leaving their
customers exposed."
But fear not! He continues: "If GDPR
concerns are primary for you, you should
use a company certified under the ICOapproved
UK GDPR Certification Scheme-
ICT Asset Recovery Standard 8. This
certification verifies compliance with GDPR,
as determined by the regulatory bodies
themselves. In addition, it incorporates
adapted versions of IEEE 2883 and NIST
800-88 as its primary specifications,
enabling vulnerabilities to be resolved and
build greater assurance. With technical
audits in place, compliance is more than
a tick-box exercise and provides assurance
that data is gone for good."
While it may not be the highest profile
process, he concedes, asset retirement
enables organisations to see redundant
equipment as a strategic resource.
"By not allowing fear to take over, organisations
can promote re-use and allow
other organisations and those users less
fortunate to benefit from technologies
which they very much need."
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2024 computing security
27

malware
EASING THE MALWARE ANGST
THE EVOLUTION OF MODERN-DAY THREATS MEANS THE OLD METHODOLOGIES FOR PROTECTING
AGAINST ATTACKS ARE NO LONGER ENOUGH. CHANGE HAS TO BE INTRODUCED… AND NOW
Palo Alto Networks Unit 42 research
team has been sharing some of the
current trends in malware and the
evolving threat landscape - and the picture
the company presents is a worrying one.
This includes an analysis of the most
common types of malware and their
distribution methods.
"With the growing volume and
sophistication of today's threats, it's critical for
network security professionals to understand
the landscape and how to defend against it
properly," advises Palo Alto Networks. Here
are some highlights from past findings:
A boom in traditional malware techniques,
taking advantage of interest
in AI/ChatGPT
The ratio of malware explicitly targeting
the operational technology (OT) industry
has increased by 27.5%
Exploitation of vulnerabilities increased
by 55% over one 12-month period
PDFs are rated the most popular file
type for delivering malware as email
attachments (66.6% of the total at
a recent count)
48.94% of network communication
generated during sandbox analysis
(including both malicious and benign
files) used encrypted SSL for its traffic;
12.91% of what is caused by malware
is SSL traffic.
Cryptominer traffic was found to
have doubled in 2022 alone.
NEW DEFENCE APPROACHES
We exist in a cyber security world
where anti-malware, firewalls and
IDS [intrusion detection systems]
are no longer enough to
defend against the latest
threats, comments Steven
Usher, security services
manager/senior analyst, Brookcourt Solutions,
a portfolio group company of Shearwater
Group. "Modern-day threats have evolved
far beyond the old norms. APT groups
create customised malicious code and even
infrastructure to support that code, simply to
attack a single organisation, making the old
methods of utilising known IOCs [Indicators
of Compromise] less than effective in this
evolved modern era. Threat groups are using
services specifically designed to ensure code
is not detected by commercial anti-malware
and constantly run code through those
services to ensure victims are targeted with
bespoke malicious code."
Usher offers some insights into the insider
threat category of dangers, from phishing
to rogue USB devices. "Continuing to ensure
that protecting a network is no longer simply
depending on detections; a change of
approach is needed - not to replace, but to
augment
the
security capabilities of an organisation. First,
let's consider AI, the current buzzword; this
does add something to the security program
of any company, whether augmenting the
anti-malware solutions they are using or
adding to the efficacy of the SOC team by
working through the most obvious alerts they
are receiving and providing a more curated
list of alerts that require a human touch. AI
could potentially greatly augment the entire
security program of a company. However, as
this technology is still being developed and
perfected, it should be used carefully in a very
considered manner."
Aside from AI, he identifies numerous other
things that can be done, ranging from minor
changes through to comprehensive
strategies. "Zero trust concepts are essential
for securing large environments in today's
'modern world'. Nevertheless, implementing
Zero trust strategies can be complex and time
consuming; their implementation usually
requires significant effort and considerable
ongoing maintenance to them, to a stage
where they provide adequate protection for
your environment. Micro segmentation is
another power tool for combating security
threats on networks. However, like zero trust,
implementation of this strategy also demands
substantial work both to deploy and to
maintain effectively."
There are various concepts and
changes that can be made to protect
against threats. "One of the most
fundamental steps is to maintain
a comprehensive inventory of all
hardware, software and users on
the network," he says. "Coupled
with a robust Configuration
Management Database
(CMDB), this provides the
28
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

malware
most solid foundation possible to help
address any network threat. In addition,
implementing concepts such as defence-indepth
strategy further strengthens security
by layering multiple measures for protection,
a concept that would make any attack
considerably more difficult for adversaries
carrying it out."
Finally, Usher points to what he sees as the
greatest weakness in any security landscape:
the workforce. "There are the obvious tools,
security awareness training and password
training; separated, as security awareness is
a huge topic, and often not really provided
in a useful manner [there is no consensus on
how to do this effectively]. Passwords are
a very specific topic and utilised across a vast
array of services and devices. It is considerably
more important to educate staff on password
security, then general security awareness
training."
"Sophisticated ransomware attacks pose
a pressing and immediate concern," warns
Aron Brand, CTO, CTERA. "With cybercriminals
not only encrypting critical data,
but also exfiltrating it, the pressure is on for
organisations to find the best, most up-todate
and most comprehensive solutions
available to beat these bad actors at their
own game - and frankly, not even give them
the chance to play."
TROUBLE IN STORE
According to Gartner, cyberstorage, by
definition, is about making data protection
an inherent part of how storage is designed
and delivered, focusing on active defence
beyond recovery, states Brand.
"Amid the proliferation of cyberthreats
targeting storage systems, cyberstorage
emerges as a promis-ing direction, especially
when providers leverage artificial intelligence
to detect anomalous and malicious behaviour
patterns at the storage level. AI-driven
cyberstorage solutions continuously analyse
data for unusual activities, providing real-time
monitoring that acts as a 24/7 sentinel,
always on the lookout for threats and armed
to take them down."
He also points to the manifold benefits of
AI-powered cyberstorage. "AI enables more
accurate and swift identification of potential
threats, continuously learning from new data
to improve detection algorithms over time,
much like an immune system that adapts
to recognise and combat new pathogens.
Continuous surveillance allows for the
detection of unusual activities as they occur,
enabling organisations to intervene promptly
and mitigate the impact of ransomware
attacks. In the event of a detected threat,
AI-powered solutions can respond rapidly,
isolating affected systems, alerting IT teams
Aron Brand, CTERA: sophisticated
ransomware attacks pose a pressing
and immediate concern.
and initiating protocols to minimise damage,
acting as digital antibodies that swiftly
neutralise invaders.
"As we advance more rapidly in our technological
evolution, you can bet that bad actors
are doing the same," Brand states, adding:
"There's never been a more pivotal time to use
AI and other human innovations to block
malicious threats."
BITDEFENDER PARTNERSHIP GOES UP A GEAR
Bitdefender has expanded its collaboration with Arrow Electronics to deliver a broader range of threat
prevention, detection and response solutions to managed service providers (MSPs) and their customers.
Through the extended cooperation, Arrow will shift to a subscription-based model, offering Bitdefender's
full MSP product portfolio on a pay-as-you-go basis to customers in the UK, France, Germany, Luxembourg,
Belgium and the Netherlands.
"Businesses must leverage every possible advantage to keep pace with the latest malware and techniques
cybercriminals use to exploit systems and breach environments," says Richard Tallman, senior director,
worldwide MSP and cloud at Bitdefender Business Solutions Group. "
Richard Tallman, Bitdefender.
Arrow has incorporated Bitdefender GravityZone Cloud MSP Security Solutions, designed for MSPs, into
ArrowSphere Cloud, the company's cloud delivery and management platform, which provides a range of
on-demand security solutions.
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2024 computing security
29

deep fakes
CRIME GANGS CAN TRIUMPH WITH AI
GENERATIVE ARTIFICIAL INTELLIGENCE AND ITS BLEND WITH DEEPFAKE TECHNOLOGY
HAS AFFECTED VOICE, IMAGE AND VIDEO. WHAT PROTECTIONS CAN BE PUT IN PLACE?
In the past few years, artificial
intelligence technology has crossed
a threshold with the capability to make
people look and sound like other people.
A 'deepfake' is fabricated hyper-realistic
digital media, including video, image
and audio content. Not only has this
technology created confusion, scepticism
and the spread of misinformation,
deepfakes also pose a threat to privacy
and security.
"With the ability to convincingly
impersonate anyone, cybercriminals can
orchestrate phishing scams or identity
theft operations with alarming precision,"
says Stanford University IT. "In a recent
incident, cybercriminals posed as a
company's chief financial officer and
other colleagues in a Zoom meeting.
The elaborate scam led to the loss of
$25 million."
In today's dynamic technological
landscape, the
emergence of
Generative
Artificial Intelligence (Generative AI) and
its blend with deepfake technology has
affected voice, image and video. This
amalgamation has opened a landscape of
opportunities and risks.
"The recent spate of deepfake videos
targeting women celebrities results in
reputational and emotional damage and
privacy invasion," says Deloitte. "These
videos can also lead to trauma. Consumers
rely on digital multimedia content; there is
a significant increase in risks associated
with these new technologies. For example,
people working remotely and relying solely
on video/audio calls for their daily tasks,
are more vulnerable to attacks, such as
deepfake and phishing.
"To address these challenges, a proactive
approach towards safeguarding against
deepfakes is imperative. This point of view
aims to discuss the convergence of
Generative AI and deepfake technology,
illuminating the potential weaknesses and
risks they introduce to biometric authentication
systems [voice and video-based
authentication systems]. Once seen as
a robust security
measure, biometric
authentication faces
extraordinary
challenges, due to
the malicious use
of Generative AI, which can create
deceptively realistic voices/videos. As the
digital landscape continues to evolve,
understanding and addressing these
vulnerabilities is crucial to fortify the
foundations of digital security in an age
defined by Generative AI and deepfake
innovation," cautions Deloitte.
UNDERMINING THE DEFENCES
The advancement of deep fakes makes
biometric authentication weaker, due to
the ability of sophisticated AI-generated
media to convincingly replicate physical
traits such as facial features, voices and
even behavioural patterns.
That is the worrying verdict delivered
by Basil Philipsz, CEO of Distributed
Management Systems. "Deep fakes can
create realistic images and videos of
individuals, potentially allowing attackers
to spoof biometric systems that rely on
facial recognition, voice recognition or
other biometric data," he states. "This
undermines the reliability of biometric
authentication, as the systems may be
tricked into granting access based on
these forged credentials."
Industry leaders and cybersecurity experts
have highlighted these concerns, he points
out. "Gaelan Woolham from Capco points
out that deepfake technology can mimic
voices and faces with high fidelity, making
it challenging for existing biometric
systems to distinguish between real and
fake identities. This technology can
bypass voice biometric systems used
by financial institutions, as demonstrated
by a University of Waterloo
study, which showed that deepfakes
could fool such systems in a few
30
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

deep fakes
attempts. Moreover, Sensity, a security
company, tested facial recognition systems
and demonstrated that deepfake
technology could easily bypass liveness
detection-a critical component of facial
recognition security.
"Liveness detection typically relies on
recognising natural human behaviours
like blinking and subtle facial movements
is the easy deployment by non-experts:
making it simpler for individuals to create
realistic fake videos and images, including
those used for biometric cloning. The
availability of sophisticated, yet userfriendly,
applications, such as FakeApp,
ReFace and DeepFaceLab, has democratised
access to deepfake creation tools,
allowing even non-experts to produce
convincing fakes," adds Philipsz.
SERIOUS THREAT
Deepfakes can pose serious threats to
biometric authentication systems,
especially those that rely on facial
recognition, he continues. "These attacks
can be categorised into present-ation
attacks, where fake images or videos
are presented to a camera or sensor, and
injection attacks, where data streams or
communication channels are manipulated.
Examples of deepfake attacks include face
swapping, lip-syncing, and gesture or
expression transfer, all of which can
deceive biometric systems.
"The ease with which deepfakes can be
created and the increasing sophistication
of these technologies highlights significant
vulnerabilities in biometric authentication.
"As deepfakes become more realistic,
the challenge of detecting and preventing
such attacks grows, making traditional
biometric systems potentially less reliable
without additional security measures,
like liveness detection and multi-factor
authentication." These biometric
vulnerabilities have a direct impact on
other forms of Multi-factor Authentication
(MFA) like Authentication mobile Apps or
'Password-less' methods, he says. "The
often ignored, but most important, main
facilitator in this threat is that most MFA
installations are accomplished by selfprovisioning:
for example, by receiving an
email link to download the app that helps
installs the process."
PROFILE PROMOTING
Most CEOs have been encouraged to
extend their public social profile by giving
presentations or announcements in posts
on public platforms. "Eleven Labs can make
a passable cloned voice with 60 seconds of
any training audio, can refine pitch, rate
and add custom phonemes, and have text
input generate the appropriate audio.
"Consider a call from the attacker's text to
the generated cloned CEO voice made to
the help desk assistant requesting set-up
of new phone or wanting an email link to
re-establish their MFA. CIOs are mandated
to use MFA methods for privileged access,
but selecting what MFA methods are
appropriate and how best to deploy them
are crucial decisions and need considered
evaluation."
PULLING UP THE ANCHOR
Tim Callan, chief experience officer at
Sectigo, says it is alarming to see the
rise of deepfake technology now being
used to mimic news anchors to spread
misinformation. "People don't realise how
far AI-deep fake technology has come
and how democratised the technology
is. Unfortunately, anything about your
physical appearance can be replicated -
ie, eyes, face, voice.
"This is no longer something that only
exists in films, as more people are now
capable of creating convincing deepfakes.
As the landscape has dramatically changed,
people's mindset when consuming media
must shift with it. They must now exercise
Basil Philipsz: systems may be tricked into
granting access, based on forged
credentials.
more caution than ever in what they watch
and reconsider the validity of the source
and its trustworthiness." With the acceleration
of deep fake technology, people will
no longer be able to trust the authenticity
of a digital record, whether that be a photo,
video or voice recording.
"Given our current reliance on digital records
within our legal, security and digital systems,
without a solution people will no longer be
able to trust what they are seeing. This is
why, by 2100 [at a conservative estimate], all
forms of recording devices will have a built-in
encrypted timestamp, acting as a watermark
at the time of capture.
"These encrypted watermarks will separate
out authentic images from deepfakes to reestablish
digital trust in images, videos and
recordings." Already we are seeing high-tech
cameras having to include this in their tech,
with digitally signed photos, Callan
concludes. "Soon, all smartphones and
devices will follow suit, defending against
the deepfake surge."
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2024 computing security
31

ansomware
THE SHARKS STEP UP THEIR ATTACKS
WHEN TRYING TO PREVENT RANSOMWARE STRIKES, KEEPING PACE WITH THE INGENUITY
OF THOSE CARRYING THEM OUT IS THE CHALLENGE. HOW REALISTIC IS THAT TO ACHIEVE?
Ransomware attacks are increasing at
an alarming rate. The US government
estimates that companies are subject to
more than 4,000 attacks each day, resulting
in $1 billion in ransom paid each year.
"While ransomware attacks come in many
variants - Cryptowall, Locky Cryptolocker are
among the most common - they each follow
a similar pattern," says Mimecast. "A user
receives an email with an attachment that
looks like a Word document, an invoice, a
package notice or a fax report, along with
a message that convinces the user the
attachment is real. When the attachment is
opened, the ransomware virus runs a file
that encrypts files and documents on the
user's computer. The user receives a message
stating that they can get the encryption key
and regain access to their files only by paying
a ransom."
Mobile ransomware infects cell phones
through drive-by downloads or fake apps,
adds Mimecast. "Cyber attackers who gain
access to a user's contact list could have
access to names, addresses, phone numbers
and other protected information. Once
attackers gain access to your contacts list,
they can then use your contacts and
credentials to send text messages with
malicious links to malware to other users
and devices."
In June 2024, ransomware gangs listed 450
victims on their extortion sites, up from 328
in April, nearing the record of 484 attacks in
July 2023, according to The Record, which
tracks such events. LockBit was said to be
responsible for over a third of these attacks,
although that has been disputed. By the end
of March this year, there had been 54 publicly
reported ransomware attacks on state and
local governments, with incidents accelerating
early in the year. February and March saw
the highest number of recorded attacks,
with more than 20 seperate groups targeting
local governments.
DIGITAL TRANFORMATION
Jeff Gray, who is Americas Operations VP -
Xalient, has been focusing on the risks that
ransomware poses to digital transformation.
"Digital transformation is a hot topic in the
modern world: organisations in a diverse
range of sectors, such as finance, healthcare,
retail and manufacturing, are searching for
ways to drive innovation, increase connectivity
and gain a competitive advantage. With
technological advancements facilitating
global networks and increasing capacity
to collect and share an influx of fresh data,
organisations can enjoy faster connectivity,
agility and responsiveness," he says.
However, he points out that no growth
comes without risk. "As an organisation
becomes more connected, its network
becomes more complex, posing significant
challenges to identity and cybersecurity
measures. Adopting new technologies, such
as APIs, LLMs and the Cloud, increases an
organisation's attack surface. Across a vast
network, their individual machine identities
can be a challenge to monitor for anomalies."
When considering threats, Gray advises
organisations also to take stock of the risk of
human error. "In modern work, employees
operate in a blended environment, moving
seamlessly between work applications and
personal apps. This can result in a lot of freely
available open-source data, or OSINT, which
cybercriminals use for social engineering
purposes to customise phishing attacks.
All it takes is for one employee to click a link
in a phishing email, or one machine identity
to be exploited, and a bad actor can potentially
have access to an organisation's entire
database.
"The results from a ransomware attack,
as seen with the Ascension Healthcare
Incident and most recently CDK Global,
can have a devastating effect on business,
daily operations and consumer trust - not to
mention the costs incurred from downtime,
disruption and potentially paying the ransom."
If the risk in digital transformation is deemed
32
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

Layers aren’t just for cakes; they’re
essential in cybersecurity’s secret
recipe for protection!
Bake it happen with VIPRE Security Group. Secure your
bytes before you take a bite with Email Security, Endpoint
Security and User Protection
www.vipre.com

ansomware
Simon Hodgkinson, Semperis: criminal
gangs are leveraging many organisations'
vulnerabilities to detonate two, three or
four malicious attacks.
Jeff Gray, Xalient: adopting technologies,
such as APIs, LLMs and the cloud, increases
an organisation's attack surface.
too high to invest in, organisations can
potentially become outdated, which not
only poses cybersecurity risks, but can also
lead to them stagnating and falling behind
their competition. "As such, organisations
should strike a balance between digital
transformation and improving their
cybersecurity posture, without measures
that restrict and slow their workflow," states
Gray. "To stay ahead, organisations should
implement Zero-Trust strategies to support
growth, workflow and keep important data
safe and secure."
NEVER-ENDING
A global study recently released shows that
most organisations are facing a never-ending
series of breaches - a serious epidemic that
leaves them continuously in the crosshairs
of ransomware gangs. In fact, 85% of UK
companies said they were targeted. In 14%
of attacks, companies paid a ransom, because
they faced a life-or-death situation.
"Considering that there is a 24/7 threat
arrayed against today's organisations, you can
never say 'I am safe' or take a moment off. The
best you can do is to make your environment
defensible and then defend it," comments
Chris Inglis, strategic advisor and first US
national cybersecurity director at Semperis,
the company that published the ransomware
research.
The report, titled '2024 Ransomware Risk
Report: Essential Guidance for Building
Operational Resilience Against Cyberattacks',
found that 39% of attacked companies in the
UK, US, France and Germany paid a ransom
four times or more in the past 12 months.
Also, more than 80% of ransomware attacks
eventually compromise an organisation's
identity system, such as Microsoft Active
Directory (AD) or Entra ID, yet over one fifth
(22%) of UK companies don't have dedicated
AD or Entra ID recovery plan in place.
The findings indicate that ransomware
attacks are frequent, with one fifth of UK
respondents facing either simultaneous (20%)
or multiple (28%) attacks on the same day.
And 42% were attacked multiple times in the
same week. Globally, the healthcare sector is
most likely to be the victim of a simultaneous
ransomware attack (35%), whereas the
financial sector is more likely to be attacked
multiple times in the same week (40%).
"When multiple attacks happen, they
tend to happen in quick succession,"
adds Simon Hodgkinson, strategic advisor,
Semperis and former CISO at BP. "Data
points from the study suggest that multiple
criminal gangs are leveraging organisations'
vulnerabilities to detonate two, three or four
malicious attacks - frighteningly, some are
simultaneous."
WAR DECLARED ON RANSOMWARE
European Commission president Ursula von der Leyen (left) has
pledged to set out a plan to tackle ransomware attacks against
healthcare providers - "increasingly the target of cyber and
ransomware attacks" - within the first 100 days of her second
term in office. Her guidelines state: "To improve threat detection,
preparedness and crisis response, I will propose a European
action plan on the cybersecurity of hospitals and healthcare
providers in the first 100 days of the mandate."
Recent months have seen multiple hospitals and the healthcare
system across the European Union impacted by cyberattacks,
including in the UK, Romania, France, Belgium and Spain.
34
computing security Sept/Oct 2024 @CSMagAndAwards www.computingsecurity.co.uk

Computing
Security
Secure systems, secure data, secure people, secure business
e-newsletter
Are you receiving the Computing Security
monthly e-newsletter?
Computing Security always aims to help its readers as much as possible to do
their increasingly demanding jobs. With this in mind, we've now launched a
Computing Security e-newsletter which is produced every month and is available
free of charge. This will enable us to provide you with more content, more
frequently than ever before.
If you are not already receiving this please send your request to
christina.willis@btc.co.uk and advise her of the best email address for the
newsletter to be sent to.

ACCORDING TO JAMF 2024:
Security
Trends Report
39 % of
organisations
had at least one device
with known vulnerabilities
40 % of
mobile users
were running a device
with known vulnerabilities
9 % of
users fell for
a phishing attack
Manage and Secure
Apple at work
With Jamf Trusted Access, you ensure
that only authorised users, on enrolled
devices that are secure and compliant,
can access sensitive data.
REQUEST
Y O U R
F R E E
T R I A L
TODAY
www.jamf.com