
Computing Security
Secure systems, secure data, secure people, secure business

Computing Security May/June 2024

NEWS | OPINION | INDUSTRY | COMMENT | CASE STUDIES | PRODUCT REVIEWS

Claws into ransomware: what it's like to be held hostage

A world in turmoil: growing rift between well protected and vulnerable leaves no one safe

Threatening times: new hazards looming over the industry

Getting the evil eyes: cybercriminals' levels of access and control are now off the scale


Unlock a More Secure Future with V-Key MFA

• As secure as hard tokens
• Single Sign-On
• Strong protection of crypto keys
• Instant Backup and Restore
• Seamless integration with IDM & PAM and migration
• Digital Trust Platform
• Jailbreak & Root Detection
• Detection of malware
• Brute Force Attack Protection
• Threat Intelligence
• Meets FIDO2 Standard
• FIPS 140-2, CC EAL3+, SOC 2, OATH

Featuring V-Key Enhanced Facial Authentication

Test Drive V-Key Today
sales@celestix.com
+44 (0)203 900 3737


comment

EC STEPS IN TO DRIVE SUPPORT FOR AI INNOVATION

European start-ups and SMEs need all the help they can get to develop AI models, with more established and resource-rich organisations forging ahead. So, it is timely and encouraging to see that the European Commission has recently set up an AI Office to enforce new rules on artificial intelligence systems and support innovation in AI, as part of a package of broader measures to assist those most in need of support.

Equally importantly, the establishment of the AI Office signifies a clear commitment to ensuring that AI advances closely align with ethical principles, says Dr Ellison Anne Williams, CEO and founder of cyber security and data privacy company Enveil.

"The EU's initiative represents the decisive action needed to drive this technological advancement. Similar to the White House Executive Order on AI and recent actions by the G7, these efforts will help address risks, uphold privacy, and prioritise security in the development and utilisation of AI technologies.

"This leadership includes promoting Privacy Enhancing Technologies (PETs), a family of technologies that exemplify a proactive approach to safeguarding data privacy and security, while leveraging the benefits of AI. The global recognition of the importance of PETs, and its support for entrepreneurs and startups in driving innovation forward, is commendable."

Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk

EDITOR: Brian Wall (brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)
SALES: Edward O'Connor (edward.oconnor@btc.co.uk), Daniella St Mart (daniella.stmart@btc.co.uk), Stuart Leigh (stuart.leigh@btc.co.uk), +44 (0)1689 616 000
PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)

Published by Barrow & Thompkins Connexions Ltd (BTC), 35 Station Square, Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22

SUBSCRIPTIONS:
UK: £35/year, £60/two years, £80/three years;
Europe: £48/year, £85/two years, £127/three years;
R.O.W.: £62/year, £115/two years, £168/three years.
Single copies can be bought for £8.50 (includes postage & packaging).
Published 6 times a year.

© 2024 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.

www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security


inside this issue

CONTENTS

COMMENT 3
EC support for AI innovation

NEWS 6
Fraudulent websites spreading malware
New cybersecurity best practice advice
Confidential data shared online
Government taking 'ostrich strategy'

ARTICLES

A WORLD IN TURMOIL 10
In an interconnected world, the growing rift between those who are well protected against attacks and those most vulnerable suggests that no organisation is entirely safe

THE EVIL EYE 14
The vast amounts of personal details now freely available are giving cybercriminals untold levels of access and control

VIRTUOSO TO TAKE CENTRE STAGE 16
Generative AI presenter and deepfake expert Henry Ajder will be a keynote speaker at this year's Infosec

THREAT OR TREAT? 18
Artificial intelligence is on course to increase the volume and heighten the impact of cyberattacks over the next two years, warns the National Cyber Security Centre, with AI almost certainly making cyberattacks against the UK more impactful

FACE OFF! 21
When it comes to device-based and server-based facial authentication, which, if either, is the more secure?

INSIDE OUT 22
66% of organisations questioned believed that attacks from the inside were more likely than attacks from the outside, according to the latest research. What are the workable, effective solutions for mitigating these threats?

THREATENING TIMES 26
Computing Security zooms in on some of the latest hazards that the industry is coming up against

THE IMPERATIVE FOR ZERO TRUST 29
Embracing digital transformation to gain access to the cloud's many benefits means computing environments must evolve into borderless IT ecosystems

BIRD'S EYE VIEW OF ATTACK 30
What is it like to be held to ransom? We asked several experts to talk us through what typically happens when an attack is carried out

DEMOCRACY UNDER SIEGE 34
Electoral disinformation is expected to create muddied political landscapes throughout this year, which will be prime for exploitation

BOOK REVIEW

TEN DAYS… SEVEN DEADLY SINS... ZERO RI$K 13
What's not to celebrate when your bank account gains an extra zero or two over the festive period?



Layers aren't just for cakes; they're essential in cybersecurity's secret recipe for protection!

Bake it happen with VIPRE Security Group. Secure your bytes before you take a bite with Email Security, Endpoint Security and User Protection.

www.vipre.com


news

FRAUDULENT WEBSITES BEING USED TO SPREAD MALWARE

Zscaler's ThreatLabz discovered a threat actor creating fraudulent Skype, Google Meet and Zoom websites to spread malware, beginning in December 2023. The threat actor spreads SpyNote RAT to Android users and NjRAT and DCRat to Windows users.

"Our research demonstrates that businesses may be subject to threats that impersonate online meeting applications," says Himanshu Sharma, senior security researcher at Zscaler. "In this example, a threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes and steal files.

"Our findings highlight the need for robust security measures to protect against advanced and evolving malware threats, and the importance of regular updates and security patches."

CONFIDENTIAL PERSONAL DATA SHARED ONLINE

Leicester City Council has revealed that confidential personal data was shared online following a criminal investigation, when it was forced to disable its phone and computer systems.

"In the last two weeks, it's become evident that INC Ransom [a multi-extortion operation] have clear intent when it comes to targeting local services, with Leicester Council joining the victim list alongside NHS Dumfries and Galloway," comments Darren Williams, CEO and founder of Blackfog.

"The intent of a group like this is clear: to cause maximum distress and disruption, with maximum rewards, at minimal effort. To prevent such attacks from happening again, councils and organisations alike must invest in the latest anti-data exfiltration tools to secure their data and prevent ransomware and extortion."

NEW CYBERSECURITY BEST PRACTICE ADVICE RELEASED

CISA and the National Security Agency (NSA) have released five joint Cybersecurity Information Sheets (CSIs) to provide organisations with recommended best practices and/or mitigations to improve the security of their cloud environment(s).

Following the advice, Matt Muir, threat research lead, Cado Security, comments: "It's reassuring to see these agencies highlight the differences between cloud and on-premise security practices, along with providing tailored advice for securing the cloud in particular.

"Hopefully, the advice will give organisations the nudge they need to recognise the wider threats and implications of cloud adoption. By taking heed of this advice and implementing appropriate controls, organisations can mitigate the pervasive threat of cloud attacks."

THREATLOCKER UNVEILS MDR SERVICE

ThreatLocker has launched a Managed Detection & Response (MDR) service designed to alert customers to suspicious or potentially malicious activity occurring in their environment, shutting down threats within seconds, the company claims.

Danny Jenkins, CEO & co-founder of ThreatLocker, comments: "Not only will this provide customers with a faster response when they don't have 24-hour operation centres, but it also means that we are improving our product in a way that allows us to be responsible for so many customers and the management of their environments."


DON'T GET YOUR SaaS KICKED!

TAKE CONTROL NOW AND PROTECT YOUR SaaS DATA

Global SaaS vendors like Microsoft, Google and Salesforce don't assume any responsibility for your data hosted in their applications. So, it's up to you to take control and fully protect your SaaS data from cyber threats or accidental loss. Arcserve SaaS Backup offers complete protection for your SaaS data, eliminating business interruptions due to unrecoverable data loss.

Arcserve SaaS Backup: complete protection for all your SaaS data.
arcserve.com
The unified data resilience platform


news

MICROSOFT RECENT EMAIL BREACH LABELLED "A STRATEGIC BLOW"

Microsoft has admitted publicly that the recent email breach the company suffered at the hands of Russian-backed Midnight Blizzard (the same group that was responsible for the SolarWinds breach) compromised certain unnamed source code, as well as customer "secrets" that were communicated via email with key executives.

Amit Yoran, chairman and CEO, Tenable, has described the breach as a strategic blow. "By its own admission, Microsoft's source code and 'other secrets' have been compromised. Midnight Blizzard isn't some small-time criminal gang. They are a highly professional Russian-backed outfit that fully understands the value of the data they've exposed and how to best use it to inflict maximum harm. Given Russia's relationship with China and other strategic adversaries, the consequences get very troubling, very quickly."

GOVERNMENT IS ACCUSED OF RANSOMWARE 'OSTRICH STRATEGY'

A parliamentary committee has accused the government of taking an "ostrich strategy" by burying its head in the sand over the national cyber threat posed by ransomware. The criticism follows the government publishing its formal response to a report from the Joint Committee on the National Security Strategy (JCNSS) that warned the government's failures meant there was a "high risk" the country faces a "catastrophic ransomware attack at any moment".

States Trevor Dearing, director of critical infrastructure at Illumio: "While there is an obvious need to identify and remove ransomware, organisations need to focus on containing an attack to maintain services. Just as recommended by the NSA, the UK should promote a Zero Trust strategy and apply segmentation to prevent an attack becoming a catastrophe."

63% OF KNOWN EXPLOITED VULNERABILITIES ON HEALTHCARE ORGANISATION NETWORKS

A new report from Claroty has uncovered what it says is concerning data about the security of medical devices connected to healthcare organisation networks, such as hospitals and clinics. 'The State of CPS Security Report: Healthcare 2023' discovered 63% of CISA-tracked Known Exploited Vulnerabilities (KEVs) on these networks, reports the company, and that 23% of medical devices - including imaging devices, clinical IoT devices, and surgery devices - have at least one KEV.

LACK OF TECHNOLOGY INVESTMENT RESTRICTING BUSINESS GROWTH

Almost half (48%) of UK mid-sized enterprises feel that not having access to the most advanced technology is limiting their business growth, according to new data from UK technology company ANS.

Company CEO Richard Thompson comments on the report's findings: "All too often, mid-sized enterprises are left playing catch-up when it comes to accessing the best tech, while big corporations with greater financial resources continue to keep the advantage. Lacking budget, tech recruitment challenges and the need to keep prices competitive are just some of the barriers holding UK enterprises back.

"Our mission is to level the playing field, so that all businesses, regardless of their size, can embrace the latest technology and take their business to the next level."


global risks

A WORLD IN TURMOIL

IN AN INTERCONNECTED WORLD, THE GROWING RIFT BETWEEN THOSE WHO ARE WELL PROTECTED AGAINST ATTACKS AND THOSE MOST VULNERABLE SUGGESTS THAT NO ORGANISATION IS ENTIRELY SAFE

A new World Economic Forum report has provided a snapshot of the multifaceted challenges facing the global cybersecurity landscape - and it is alarming, to say the least. While increased geopolitical tensions and economic instability continue to concern industry experts, the report, released in January, spotlights widening cyber inequity and emerging technologies, such as artificial intelligence (see feature on pages ??), as key rising risks for the year ahead in the fast-growing cybersecurity sector.

The Global Cybersecurity Outlook 2024 report, developed in collaboration with Accenture, distils the insights of industry experts and global executives about key cyber trends that leaders will need to navigate in 2024, based on a series of surveys carried out between June and November 2023. Given the increasingly complex cyber threat landscape, the report also calls for concerted collaboration, across borders and industries, to counter these interrelated threats and build a more resilient environment.

"As the cyber realm evolves in response to emerging technologies and shifting geopolitical and economic trends, so do the challenges that threaten our digital world," says Jeremy Jurgens, managing director, World Economic Forum, Switzerland. "We urgently need coordinated action by key public-private stakeholders, if we are to collectively address these complex, ever-evolving threats and build a secure digital future for all."

The increasingly stark divide between cyber-resilient organisations and those that are struggling has emerged as a key risk for 2024. The number of organisations that maintain minimum viable cyber resilience is down 30%, compared to last year. While large organisations have demonstrated notable gains in cyber resilience, small and medium-sized companies showed significant decline.

This growing inequity is being fuelled by macroeconomic trends, industry regulation and, crucially, early adoption of paradigm-shifting technology by some organisations. In addition, the cyber skills and talent shortage continues to widen at an alarming rate. Only 15% of all organisations are optimistic about cyber skills and education significantly improving in the next two years.

In an interconnected world, this growing rift means no organisation is completely safe. According to the report, external partners are both the greatest asset and the biggest hindrance to the cybersecurity of any organisation. In fact, 41% of the organisations surveyed that suffered a material incident in the past 12 months say it was caused by a third party.

In 2023, the world faced a polarised geopolitical order, multiple armed conflicts, both scepticism and fervour about the implications of future technologies, and global economic uncertainty, points out the report. "Amid this complex landscape, the cybersecurity economy grew exponentially faster than the overall global economy, and outpaced growth in the tech sector. However, many organisations and countries experienced that growth in exceptionally different ways. A stark divide between cyber-resilient organisations and those that are struggling has emerged.

"This clear divergence in cyber equity is exacerbated by the contours of the threat landscape, macroeconomic trends, industry regulation and early adoption of paradigm-shifting technology by some organisations. Other clear barriers, including the rising cost of access to innovative cyber services, tools, skills and expertise, continue to influence the ability of the global ecosystem to build a more secure cyberspace in the face of myriad transitions."

These factors are also ever-present in the accelerated disappearance of a healthy 'middle grouping' of organisations, adds the report [ie, those that maintain minimum standards of cyber resilience only]. "Despite this divide, many organisations indicate clear progress in certain aspects of their cyber capability. This year's outlook also finds cause for optimism, especially when considering the relationship between cyber and business executives. These are the major findings from this year's Global Cybersecurity Outlook and the key cyber trends that executives will need to navigate in 2024."


In parallel, the population of organisations that maintain a minimum level of cyber resilience is disappearing. Small and medium enterprises (SMEs), despite making up the majority of many countries' ecosystems, are being disproportionately affected by this disparity:

• The number of organisations that maintain minimum viable cyber resilience is down by 30%. While many large organisations demonstrated remarkable gains in cyber resilience, SMEs showed a significant decline
• More than twice as many SMEs as the largest organisations say they lack the cyber resilience to meet their critical operational requirements
• 90% of the 120 executives surveyed at the World Economic Forum's Annual Meeting on Cybersecurity said that urgent action is required to address this growing cyber inequity.

Emerging technology will exacerbate long-standing challenges related to cyber resilience, the report also points out. "This will, in turn, accelerate the divide between the most capable and the least capable organisations."

• As organisations race to adopt new technologies, such as generative AI, a basic understanding is needed of the immediate, mid-term and long-term implications of these technologies for their cyber-resilience posture
• Fewer than one in 10 respondents believe that, in the next two years, generative AI will give the advantage to defenders over attackers
• Around half of executives, according to the report, say advances in adversarial capabilities (phishing, malware, deepfakes) present the most concerning impact of generative AI on cyber.

CYBERWARFARE 'A RECURRING THEME'

Bernard Montel, EMEA technical director and cybersecurity strategist at Tenable, comments that the fact this year's WEF Global Risks Report ranks 'cyber insecurity' in its top five of the most severe risks over the next two years isn't surprising, with the threat of cyberwarfare a recurring theme throughout the report, as well as the 'rapid integration of advanced technologies' that is exposing more organisations and individuals to exploitation.

He also points out that the widespread adoption of cloud computing introduces new levels of vulnerability and management complexity that can be targeted by bad actors.

"Particular concern surrounds the use of Artificial Intelligence (AI) technologies to boost cyber warfare capabilities, with good reason," adds Montel. "While AI has made astronomical technological advancements in the last 12-24 months, allowing an autonomous device to make the final judgement is incomprehensible today.

"While AI is capable of quickly identifying and automating some actions that need to be taken, it's imperative that humans are the ones making critical decisions on where and when to act from the intelligence AI provides.

"It's also worth noting that AI has a major role to play in cyber defence. It can be used by cybersecurity professionals to search for patterns, explain what they're finding in the simplest language possible, and help them decide what actions to take to reduce cyber risk.

"AI can and is being harnessed by defenders to power preventive security solutions that cut through complexity to provide the concise guidance defenders need to stay ahead of attackers and prevent successful attacks," he states. "Harnessing the power of AI enables security teams to work faster, search faster, analyse faster and ultimately make decisions faster.

"As the report highlights, the threat of cyber insecurity is heightened with the evolving motivations driving these attacks - from monetised criminality all the way to geopolitical unrest. However, the manifestation of these threats remains unchanged. Threat actors are probing for the right combination of vulnerabilities, cloud misconfigurations and identity privileges that allow them to infiltrate and traverse cyber infrastructure. As defenders, we need to pre-empt this: to identify what attack paths exist and take steps to shut them down before they can be exploited. Organisations that can anticipate cyber-attacks and communicate those risks for decision support will be the ones best positioned to defend against emerging threats," he concludes.
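Montel's point, that an attacker chains a software vulnerability, a cloud misconfiguration and an identity privilege into one path, is easier to see on a small graph. What follows is an added example written for this page; it is not code from the WEF report, from Tenable or from the magazine, and the asset names, hops and weakness labels are all constructed for illustration. It enumerates every path from the internet to a sensitive database and then finds the smallest set of weaknesses whose removal leaves no path at all, which is what "shutting down an attack path" means in practice.

```python
"""Toy attack-path enumeration over a constructed asset graph.

Added example: the nodes, hops and weakness labels below are invented
for illustration and do not describe any real environment.
"""
from itertools import combinations

# Constructed sample graph. Each hop is (source, target, weakness that
# lets an attacker move from source to target). The three hop kinds
# named in the text all appear: a software vulnerability, a cloud
# misconfiguration and an over-privileged identity.
SAMPLE_EDGES = [
    ("internet", "web-app", "unpatched RCE in web framework"),            # vulnerability
    ("internet", "backup-bucket", "bucket policy allows public read"),    # cloud misconfiguration
    ("web-app", "ci-runner", "SSRF reaches instance metadata endpoint"),  # vulnerability
    ("ci-runner", "deploy-role", "runner can assume deploy role"),        # identity privilege
    ("backup-bucket", "deploy-role", "deploy-role key stored in backup"), # secret at rest
    ("deploy-role", "customer-db", "deploy role has db:* on every table"),# over-privileged identity
]

def build_graph(edges):
    """Adjacency list: node -> [(next_node, weakness), ...]."""
    graph = {}
    for src, dst, weakness in edges:
        graph.setdefault(src, []).append((dst, weakness))
        graph.setdefault(dst, [])
    return graph

def attack_paths(edges, start, target):
    """Return every simple path from start to target as a list of hops.

    Iterative depth-first search; a node may appear once per path, so
    cycles in the graph cannot cause an infinite walk.
    """
    graph = build_graph(edges)
    paths = []
    stack = [(start, [])]
    while stack:
        node, hops = stack.pop()
        if node == target:
            paths.append(hops)
            continue
        visited = {start} | {hop[1] for hop in hops}
        for nxt, weakness in graph.get(node, []):
            if nxt not in visited:
                stack.append((nxt, hops + [(node, nxt, weakness)]))
    return paths

def choke_points(edges, start, target):
    """Smallest set of weaknesses whose removal leaves no path.

    Brute force over weakness subsets, smallest first: fine for the
    handful of hops in a toy graph, exponential on a real estate.
    """
    paths = attack_paths(edges, start, target)
    if not paths:
        return set()
    weaknesses = sorted({w for path in paths for _, _, w in path})
    for size in range(1, len(weaknesses) + 1):
        for fixed in combinations(weaknesses, size):
            remaining = [e for e in edges if e[2] not in fixed]
            if not attack_paths(remaining, start, target):
                return set(fixed)
    return set(weaknesses)  # not reached: fixing every weakness always cuts all paths

def remaining_after_fix(edges, start, target, weakness):
    """How many attack paths survive if only one weakness is fixed."""
    remaining = [e for e in edges if e[2] != weakness]
    return len(attack_paths(remaining, start, target))

if __name__ == "__main__":
    for path in attack_paths(SAMPLE_EDGES, "internet", "customer-db"):
        print(" -> ".join(f"{src}[{w}]" for src, _, w in path) + " -> customer-db")
    print("patching the RCE alone leaves",
          remaining_after_fix(SAMPLE_EDGES, "internet", "customer-db",
                              "unpatched RCE in web framework"), "path(s)")
    print("fix first:", choke_points(SAMPLE_EDGES, "internet", "customer-db"))
```

On this constructed graph two paths reach the database, one through the unpatched web application and one through the publicly readable backup bucket; patching the RCE alone still leaves the bucket route open, while revoking the deploy role's blanket database privilege closes both. That is the practical content of "identify what attack paths exist and shut them down": the cheapest fix is often the identity hop that every path shares, not the vulnerability that happens to be loudest. Real tooling builds the graph from asset inventory, scanner findings and IAM policy evaluation rather than a hand-written list, and on a large graph a minimum-cut algorithm replaces the brute-force subset search.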

NO ONE IS SPARED

"No country or organisation is spared from cybercrime, yet many are direly under-equipped to effectively face the threats, and we cannot have effective global response mechanisms without closing the capacity gap," says Jürgen Stock, secretary-general of INTERPOL. "It is crucial that key stakeholders work collaboratively towards immediate, strategic actions that can help ensure a more secure and resilient global cyberspace."

Emerging technologies, such as artificial intelligence (AI), are another key trend to watch in this year's outlook. Fewer than one in 10 respondents believe that in the next two years generative AI will give the advantage to defenders over attackers, and approximately half of experts surveyed agree that generative AI will have the most significant impact on cybersecurity in the next two years. Its rise is stoking fears among experts about the exacerbation of long-standing challenges, with around half of executives saying that AI-driven advances in the adversarial capabilities of cybercriminals (phishing, malware, deepfakes) present the most concerning impact of generative AI on cybersecurity.

Despite these concerns, experts also highlighted an encouraging increase in focus on the importance of cybersecurity globally, particularly at the executive and CEO levels. The incorporation of cyber resilience into organisational risk management is also becoming more common, as per the report.

"Cyber resilience is increasingly dependent on a C-suite team that closely collaborates and communicates security priorities across the business and the industry," says Paolo Dal Cin, global lead, Accenture Security. "This approach provides a clear view of cyber risks and allows security to be embedded from the start in all strategic business priorities as well as across third parties, vendors and suppliers."


Ultimately, the WEF concludes, "raising systemic resilience - all organisations closing the inequities that divide and improving the resilience of what connects - is not only the most pressing requirement; it is the greatest responsibility".


Book review

TEN DAYS… SEVEN DEADLY SINS... ZERO RI$K

WHAT'S NOT TO LIKE WHEN YOUR BANK ACCOUNT GAINS AN EXTRA ZERO OR TWO AT CHRISTMAS?

When customer complaints on Christmas Eve herald not a botched system upgrade, but the most sophisticated cyber-attack in history, new National Bank CEO Rob Tanner finds himself in the eye of a 'Black Swan' storm that no one predicted, but anyone could have anticipated.

Tanner enlists the help of brilliant American computer security expert Ashley Markham, but the attacks only worsen: bank balances rise remorselessly and the attacks spread to all the nation's banks. The only clues to the hacker's intentions are cryptic emails that continually taunt Tanner and newly incumbent Prime Minister James Allen.

With financial markets - and the very world as he knows it - on the brink of collapse, Tanner races against the clock to decode not just the bizarre emails, but also their deeper meaning, and the implications for whom he can really trust. All the while, his former boss, 'The Toad', is seeking revenge... and answers of his own.

This intriguing, multi-layered debut thriller follows the story of a disillusioned banker facing the unthinkable - where money no longer has any value, financial markets are meaningless and the economy is destroyed. Tanner must unravel the mystery of the hacker's obsession with Hieronymus Bosch's medieval representation of the seven deadly sins before modern society returns to the dark ages. This is definitely a page turner and perfect for fans of Dan Brown, Sam Bourne, Christopher Reich and Robert Harris, addressing many of the key issues that we are all now facing:

• Our dependence on technology in daily life
• The risks of cyber-terrorism
• Speaking truth to power
• A modern take on the seven deadly sins.

The book moves between various locations, including London, Tanzania and Switzerland.

ABOUT THE AUTHOR

Simon Hayes is a seasoned professional, with a diverse background spanning financial services, executive search and consultancy. With more than three decades of international experience, he has lived in the US, Tokyo and Hong Kong. He began his career with Bank of Boston, Morgan Grenfell and James Capel, before spending much of the 90s in Asia, serving as head of equity research for Warburg in Japan and later as managing director for Salomon Bros and UBS in Hong Kong.

A law graduate of Trinity Hall, Cambridge, Hayes was recognised as a top-ranked securities analyst by Extel and II, and later as the 'Best Headhunting Executive' in Japan by Asiamoney. He has also been an executive coach, mentor and financial consultant, spending much of 2023 in Zimbabwe on a major fraud case.

PRINT FACTS

Publisher: The Rubriqs Press
ISBN: 9781738462407
Price: HB £16.99; EB £4.99

on-line exposure

THE EVIL EYE

THE VAST AMOUNTS OF PERSONAL DETAILS NOW FREELY AVAILABLE ON SOCIAL PLATFORMS - BACKED UP BY AI TOOLS - ARE GIVING CYBERCRIMINALS LEVELS OF ACCESS AND CONTROL THAT NOT LONG AGO WOULD HAVE BEEN THOUGHT UNIMAGINABLE

James Dyer, Egress: threat actors are now rubbing their hands with glee.

New research warns that, in 2024, QR code attacks or 'quishing' will increase; use of AI to create content for spam emails, including deepfakes, will rise; highly personalised social media mining will grow further; and a wide array of file types and formats - especially EML - will be used to propagate phishing and malware attacks. Such is the warning from James Dyer, threat intelligence lead at Egress. How can we guard against such attacks?

"As we share our lives on the internet, threat actors are rubbing their hands with glee," he says. "Concerns continue to grow about the volume of personal details readily available on social platforms, as well as how cybercriminals can use generative AI tools to exploit this data. Cybergangs have increasingly turned to open-source intelligence (OSINT) for cyber surveillance, using social media sources to deep dive [with very little time and cost] into an individual's job role, social connections and personal interests, with the intention of creating hyper-personalised phishing emails that persuade recipients to reveal sensitive information or transfer funds."

Unequivocally, AI tools and chatbots have sped up the process between reconnaissance and attack, he adds. "Threat actors have been able to automate the analysis of data collected through OSINT and social media to quickly tailor phishing emails with convincing personalisation. Our recent research reinforces the concerns cybersecurity teams have, as 61% of cybersecurity leaders are losing sleep over AI chatbots being used to create phishing campaigns, plus 63% are specifically concerned about deepfakes."

To safeguard data, a clear first step is to conduct a self-assessment using basic OSINT techniques. "Search your name, usernames and images online to gauge the extent of your digital footprint," advises Dyer. "Depending on your findings, consider adjusting your social media privacy settings to limit attackers' access to personal information. With the growing threat of deepfakes, it is also good to be cautious about sharing videos online to prevent potential exploitation of your voice.

"When taking practical steps to minimise possible attack routes, it is sensible to reduce the number of email newsletters you sign up for and make sure unused social media accounts are deactivated. Ultimately, attackers can't use your data if there is less of it readily available to steal."
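Dyer's warning above singles out the EML format. The trick is simple: the attacker mails a benign-looking message whose attachment is itself a complete message (message/rfc822), so the lure link or payload sits one level down, where a filter that only inspects the top-level body never looks. The script below is an added example, not Egress's or the magazine's code. It builds a constructed sample in exactly that shape, then walks the MIME tree recursively, recording how deeply nested message parts go, which URLs appear at which depth, and attachment names that carry a second extension. Every address, domain and filename in the sample is invented.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Conservative: any name with two extensions ("invoice.pdf.html"). Archives like .tar.gz also trip it.
DOUBLE_EXT_RE = re.compile(r"\.[A-Za-z0-9]{2,4}\.[A-Za-z0-9]{2,4}$")


def build_sample() -> bytes:
    """Constructed sample: a forwarded message carrying a complete .eml as an attachment,
    which in turn carries a lure link and an HTML file dressed up as a PDF. Not a real capture."""
    inner = EmailMessage()
    inner["From"] = "accounts@invoice-portal.example"
    inner["To"] = "finance@corp.example"
    inner["Subject"] = "Overdue invoice - action required today"
    inner.set_content("Please confirm payment at https://login.corp-example.net/verify")
    inner.add_attachment(
        b"<html><a href='https://corp.example.evil-host.example/pay'>Pay now</a></html>",
        maintype="text", subtype="html", filename="invoice.pdf.html",
    )

    outer = EmailMessage()
    outer["From"] = "colleague@corp.example"
    outer["To"] = "finance@corp.example"
    outer["Subject"] = "FW: Overdue invoice"
    outer.set_content("Forwarding this, looks urgent?")
    outer.add_attachment(inner, filename="forwarded.eml")  # attached as a message/rfc822 part
    return outer.as_bytes()


def analyse(raw: bytes) -> Dict:
    """Walk every MIME part, descending into message/rfc822 attachments, and report
    nesting depth, links with the depth they were found at, attachments and red flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report: Dict = {"max_eml_depth": 0, "urls": [], "attachments": [], "flags": []}

    def visit(part, depth: int) -> None:
        ctype = part.get_content_type()
        name = part.get_filename()
        if ctype == "message/rfc822":
            depth += 1
            report["max_eml_depth"] = max(report["max_eml_depth"], depth)
            report["attachments"].append((name or "<unnamed>", ctype, depth))
            for nested in part.get_payload():  # payload of message/rfc822 is a list holding the inner message
                visit(nested, depth)
            return
        if part.is_multipart():
            for sub in part.iter_parts():
                visit(sub, depth)
            return
        if name:
            report["attachments"].append((name, ctype, depth))
            if DOUBLE_EXT_RE.search(name):
                report["flags"].append(f"double extension on attachment '{name}' ({ctype})")
        if ctype in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                report["urls"].append((url, depth))

    visit(msg, 0)
    if report["urls"] and all(d > 0 for _, d in report["urls"]):
        report["flags"].append("all links live inside an attached .eml, none in the visible message")
    return report


if __name__ == "__main__":
    for key, value in analyse(build_sample()).items():
        print(key, value)
```

The depth column is the useful output: a gateway that stops at depth 0 sees a forwarded message with no links at all, while the two URLs and the double-extension file only appear at depth 1. Recursing until no message/rfc822 parts remain, and running the same link and attachment checks at every level, is the whole fix.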

ON THE DEFENCE

John Scott, lead cyber security researcher at CultureAI, agrees that the rise of generative AI, deepfakes and QR phishing has undeniably diversified and evolved the threat landscape. "While the volume and sophistication of the attacks may increase, the underlying principles of these attacks remain unchanged. This means that defensive strategies can also equally stay largely the same. While it sometimes may feel like we are under siege, it's important to remember that this is the new normal.

"The immense benefits the internet provides are not without cost. As new technologies appear, cybercriminals will seek to exploit them for their benefit. We are now all navigating a complex world where caution and vigilance are essential. As technical defences strengthen and are switched on by default, cybercriminals attack by exploiting our sense of urgency, pushing people for hasty responses, which may lead to errors and security breaches."

For individuals, the most effective defence strategy is to slow down, states Scott. "Taking a moment to question the logic behind a request and double-checking can confirm its legitimacy. It's almost always better to act safely, rather than swiftly, to reduce the chances of being pushed into making an error. That said, we must also accept that mistakes are inevitable. We're only human, after all."

Our human response needs to be one part of a comprehensive, multi-layered approach to cyber security, he argues. "Each layer of defence might have vulnerabilities, but, when combined, they cover each other's gaps and form an effective barrier. For organisations, processes are vital. They provide structure and clarity, defining what each employee can and cannot do. While these processes might introduce some friction, it's a necessary inconvenience and a small price to pay for enhanced security."

The 'security by design' concept is integral in this context. "It encapsulates the idea of building robust and failsafe systems, acknowledging that human errors are inevitable. This is where an effective human risk management platform becomes invaluable, integrating with your tech stacks and flagging workplace risks, such as sharing personal information in public chat channels or reusing passwords across SaaS applications. With these insights, security teams can deliver targeted education in the moment and either automatically fix risks or nudge employees to do so themselves with one click."

Remember, people alone cannot be the sole line of defence, he concludes. "While their awareness and actions matter, it's the combination of people, processes and technology that forms the most effective defence against all cyber threats."

CODE ALERT

"How often do you scan a QR code without a second thought? They're now so integrated into our everyday lives for uses such as checking menus, parking our cars or getting into events," comments Edgar Zayas, director global advisory, BioCatch. "However, there's a dark side to QR codes becoming more commonplace - they're being exploited by fraudsters. The BBC recently found that there's been a nearly 50% increase in QR code scams in just three years."

Scammers are creating fake QR codes and sneaking them into public spaces, he says, hoping that someone takes the bait. "Once scanned, webpages can look identical to the real thing, opening the door to phishing attacks, malware downloads, payment scams, or even data interception.

"Over 80% of UK consumers buy products and services online, so it's safest to always approach scanning QR codes with caution. Confirm they're legit, check for alterations and scrutinise the URL. If you do fall foul of quishing, banks should have the right technology in place, such as behavioural biometric intelligence, to know when it's not you and protect your accounts. However, ultimately, prevention is better than cure."

John Scott, CultureAI: defensive strategies can also equally stay largely the same.

Edgar Zayas, BioCatch: how often do you scan a QR code without a second thought?
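Zayas's advice to "scrutinise the URL" can be made mechanical, because most of what a quishing link relies on is visible in the decoded string before anything is fetched. The function below is an added example, not BioCatch's or the magazine's code. It takes the text a QR reader decodes and reports the patterns a practitioner checks by eye: a non-web scheme that acts without a browser (tel:, sms:, wifi:), plain http, the userinfo trick (`bank.example@...`, where the real host is whatever follows the '@'), a raw IP address, a punycode or non-ASCII label, a shortener that hides the destination, and a host that is a near-miss of, or merely contains, a domain the reader actually expects. The expected-domain allowlist, the shortener list and every URL in the samples are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Where this reader expects QR codes to lead (assumed allowlist for the example).
EXPECTED_DOMAINS = {"bank.example", "parking.example", "tickets.example"}
# Public shorteners that hide the real destination until the link is followed (assumed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character typosquats such as bamk.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude 'registrable domain': the last two labels. Fine for the example;
    a real deployment would consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage(qr_payload: str) -> Dict:
    findings: List[str] = []
    text = qr_payload.strip()
    if not SCHEME_RE.match(text):
        text = "http://" + text  # a bare host is opened over plain http by most readers
    u = urlsplit(text)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()

    if scheme not in ("http", "https"):
        findings.append(f"non-web scheme '{scheme}:' (tel:, sms:, wifi:, intent: act without a browser)")
    elif scheme == "http":
        findings.append("plain http, content and credentials travel unencrypted")
    if u.username is not None:
        findings.append(f"userinfo before '@': the real host is '{host}', not '{u.username}'")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")) or not host.isascii():
        findings.append("internationalised or punycode label, possible homoglyph")
    try:
        if u.port not in (None, 80, 443):
            findings.append(f"non-standard port {u.port}")
    except ValueError:
        findings.append("malformed port")
    reg = registrable(host)
    if reg in SHORTENERS:
        findings.append("URL shortener hides the destination")
    if reg not in EXPECTED_DOMAINS:
        for expected in EXPECTED_DOMAINS:
            if expected in host:
                findings.append(f"expected name '{expected}' appears only as a sub-label of '{host}'")
            elif levenshtein(reg, expected) <= 2:
                findings.append(f"'{reg}' is a near-miss of '{expected}'")
    return {"url": text, "host": host, "verdict": "block" if findings else "allow", "findings": findings}


# Constructed payloads, as a QR reader would hand them over; none are real links.
SAMPLE_PAYLOADS = [
    "https://bank.example/login",
    "https://bank.example@198.51.100.7/verify",
    "http://bamk.example/pay",
    "bit.ly/3abc",
    "https://bank.example.secure-verify.example/",
    "tel:+441234567890",
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        result = triage(payload)
        print(result["verdict"].upper(), payload)
        for f in result["findings"]:
            print("   -", f)
```

The allowlist comparison is deliberately in the last position: the earlier checks catch URLs that are hostile regardless of domain, and only then does the code ask whether the host is the one the user thinks it is. A legitimate-looking `https://bank.example.secure-verify.example/` passes every structural test and is caught solely by that last step.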

events

VIRTUOSO TO TAKE CENTRE STAGE

GENERATIVE AI PRESENTER AND DEEPFAKE EXPERT HENRY AJDER WILL BE A KEYNOTE SPEAKER AT THIS YEAR'S INFOSEC SHOW

Henry Ajder, a leading generative AI presenter and deepfake expert, will be a keynote speaker at this year's Infosec. His opening presentation, which takes place on Tuesday, 4 June, will cover generative AI and its impact on the cyber security industry.

Ajder will then be joined by Tope Olufon, senior analyst, Forrester, in a chat session, 'Wading through AI overload - where are we going and what are you doing?'. This will seek to address the sensationalism and speculation within the industry. They will discuss where the business needs lie for AI, how AI is being adopted and how to ensure AI-generated information is trustworthy.

"I'm very much looking forward to sharing insights with leading cybersecurity professionals on the fast-evolving deepfakes and GenAI landscape," says Ajder, "helping them to understand the potential opportunities and challenges that arise with the integration of AI into cyber. AI's role is no longer theoretical or a small segment, but a critical part of the threat and defence innovation landscape. Learning how to navigate the GenAI paradigm shift is essential to excelling in the cybersecurity industry both now and for an increasingly AI-centred future."

AI HOPES AND FEARS

Meanwhile, Infosecurity Europe has launched its '2024 Cybersecurity Trends' report, which has uncovered findings into the current use of AI within organisations, expectations for future use and the risks that it presents. The research found that 50% of surveyed IT security decision makers admitted fearing that AI will lead to more attacks, a testament to the widespread impact of the technology for both security professionals and threat actors alike. Generative AI, ransomware and social engineering are the threats most likely to keep CISOs up at night, with over a third of survey respondents saying these issues were driving investment in cybersecurity.

Despite the threat of attack, more than half (54%) responded that their organisations planned to integrate AI as part of their cybersecurity strategy in the next 12 months. There was clear optimism that AI would have a positive impact on cyber professionals, with 42% agreeing that the technology would result in faster training, broader awareness and better education. With this in mind, generative AI could play a significant role in helping to bridge the skills gap in cybersecurity.

According to the report, some 44% of respondents believe that AI will give their workforce the bandwidth to focus on future planning and business growth, which may be a direct consequence of AI increasing automation within organisations. However, regulatory and ethical concerns could squeeze the brakes on some of this enthusiasm, with almost half of respondents stating that legislative challenges and moral dilemmas will slow their adoption of AI.

Nicole Mills, exhibition director at Infosecurity Group, adds: "AI is completely transforming the way we do things in the workplace, but cybercriminals are also taking advantage of this evolving tech. Our survey highlights the AI risks to business, but it's great to see so many looking to integrate AI into their cybersecurity strategies over the coming year."

Registration for Infosecurity Europe 2024, and further information about the event itself, is available on the Infosecurity Europe website.

Simplify work, protect devices and data with Jamf’s award-winning solution

Trusted Access is Jamf’s vision for a zero trust experience that users love and organisations trust. Only authorised users, on enrolled devices that are secure and compliant, can access sensitive data.

Visiting Black Hat Europe on 6–7 December? Join us at stand 513.

www.jamf.com

Request your free trial today


artificial intelligence

THREAT OR TREAT?

HOW ACCURATE MIGHT ELON MUSK, OWNER OF X AND CEO OF TESLA, BE WHEN HE SAYS AI IS ONE OF THE "BIGGEST THREATS" TO HUMANITY?

Artificial intelligence is on course to increase the volume and heighten the impact of cyberattacks over the next two years. That is the assessment of the National Cyber Security Centre (NCSC), which also concludes: "AI will almost certainly make cyberattacks against the UK more impactful, because threat actors will be able to analyse exfiltrated data faster and more effectively, and use it to train AI models."

In the face of such dire predictions, are there any positives to be found that can rebalance the AI equation? Can the technology itself be used effectively to outsmart these dangers? If so, how is that likely to take shape and who will drive it? Might it even be an existential threat?

FOCUS ON CYBERSECURITY

What governments and organisations really need to engage with, rather than the existential question, is the many opportunities that AI presents to industry, comments Keiron Holyome, VP UKI & emerging markets, BlackBerry Cybersecurity. "We need to focus on the more immediate issues at hand. What are those immediate threats? Copyright infringement and spread of disinformation, yes, but - arguably - cybersecurity is the greater priority."

Numerous examples show how AI-powered cybersecurity breaches can threaten national security, cripple national infrastructure, cause widespread panic and spread disinformation, as well as costing millions in recovery, he says. "We know that adversaries are deploying AI to make cyberattacks more sophisticated and successful, ramping up their volume, reach and efficacy. The latest BlackBerry Threat Report cited 3.7 new malicious samples of novel malware detected every minute.

"The data indicates the use of AI by threat actors, meaning that, for effective defence, organisations now have no choice but to look well beyond human-only capabilities. In use against governments, businesses and citizens on a daily basis, AI is making cybercriminals more dangerous - and arguably more deadly - than ever before."

But, as well as posing a significant threat, AI is also cybersecurity's greatest leveller, he believes. "It's a necessary technology for modern cyber protection and essential in the fight against malicious use - and it's critical that policy supports innovation and opportunity. AI protection takes cybersecurity to another level, enabling predictive, preventative action that stops would-be attacks at the door. It saves time and money, reducing the load on IT resources and helping to counter the growing shortage of cyber skills around the world."

EMAIL ATTACKS

"With social engineering attacks, like business email compromise (BEC), having already exposed losses of more than $50 billion over the past decade, it is clear that email continues to be a major threat vector in organisations today," states Mike Britton, CISO, Abnormal Security. "The proliferation of generative AI tools like ChatGPT has only catalysed modern phishing attacks, enabling threat actors to create personalised and seemingly authentic content that is often hard to distinguish from human-generated content."

Not only are AI-generated email attacks more likely to deceive their recipients, they are also likely to bypass traditional security measures that rely on detecting known threat signatures. "To combat the threat of AI-generated email attacks, organisations will need to amp up their own defensive AI capabilities," he adds. "We need to evolve beyond legacy systems like secure email gateways, which look for known-bad behaviours like malicious links, blocked senders or bad IP addresses, and instead use behavioural models to learn the known-good behaviours in an organisation's email environment, things like each user's typical communication patterns or sign-in activity."

AI then acts as a key line of defence by detecting anomalous behaviour that may indicate a potential attack, automatically remediating those suspicious emails before they reach end users. "This means that security teams could block sophisticated email attacks, even if they are AI-generated, appear highly realistic and omit traditional indicators of compromise. Measures like password management, multi-factor authentication, and privilege and permissions management can provide a final safety net, helping to reduce the attack surface and prevent further havoc, if attackers are able to infiltrate the network."
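Britton's contrast between a gateway that matches known-bad indicators and a model that learns known-good behaviour per user is easiest to see on concrete mail. The code below is an added example, not Abnormal Security's product or the magazine's code. From a constructed history of deliveries it learns which senders each recipient normally hears from, which sender domains the organisation has seen at all, and each recipient's usual delivery hours; it then scores new messages on departures from that baseline, plus a Reply-To that points somewhere other than the From domain and urgency or payment language in the subject. The addresses, hours, subjects, weights and threshold are all assumptions made for the example, and a production model would learn far more features than this. Note that novelty alone does not quarantine a message: the fourth sample is a first-time sender from an unknown domain that is still delivered, which is the point of scoring several weak signals together rather than keying on one.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Subject-line lexicon that BEC lures lean on (assumed list; extend it from your own incident data).
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|overdue|wire|bank details|gift cards?)\b", re.I)


@dataclass(frozen=True)
class Mail:
    to: str
    sender: str
    subject: str
    hour: int                      # delivery hour, 0-23, in the recipient's timezone
    reply_to: Optional[str] = None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


class Baseline:
    """Known-good behaviour learned from past mail, keyed by recipient."""

    def __init__(self) -> None:
        self.senders: Dict[str, Set[str]] = defaultdict(set)  # recipient -> senders seen
        self.domains: Set[str] = set()                        # sender domains seen org-wide
        self.hours: Dict[str, List[int]] = defaultdict(list)  # recipient -> delivery hours seen

    def learn(self, history: List[Mail]) -> None:
        for m in history:
            self.senders[m.to].add(m.sender.lower())
            self.domains.add(_domain(m.sender))
            self.hours[m.to].append(m.hour)

    def score(self, m: Mail) -> Tuple[int, List[str]]:
        """Return (anomaly score, reasons). Higher means further from the baseline."""
        score, reasons = 0, []
        sender, dom = m.sender.lower(), _domain(m.sender)
        if sender not in self.senders[m.to]:
            score += 2
            reasons.append("first contact between this sender and recipient")
            if dom not in self.domains:
                score += 2
                reasons.append("sender domain never seen anywhere in the organisation")
        if m.reply_to and _domain(m.reply_to) != dom:
            score += 3
            reasons.append("Reply-To domain differs from From domain")
        seen = self.hours[m.to]
        if seen and not (min(seen) - 2 <= m.hour <= max(seen) + 2):
            score += 1
            reasons.append("outside this recipient's usual delivery hours")
        if URGENCY.search(m.subject):
            score += 2
            reasons.append("urgency or payment language in the subject")
        return score, reasons


def classify(baseline: Baseline, m: Mail, threshold: int = 5) -> Tuple[str, int, List[str]]:
    score, reasons = baseline.score(m)
    return ("quarantine" if score >= threshold else "deliver"), score, reasons


# Constructed history: what finance@corp.example normally receives. Not real traffic.
HISTORY = [
    Mail("finance@corp.example", "billing@acme-supplies.example", "Invoice 1031", 9),
    Mail("finance@corp.example", "billing@acme-supplies.example", "Invoice 1036", 14),
    Mail("finance@corp.example", "ceo@corp.example", "Q1 numbers", 10),
    Mail("finance@corp.example", "hr@corp.example", "Payroll calendar", 16),
    Mail("finance@corp.example", "ceo@corp.example", "Board pack", 11),
]

# Constructed new messages to score: a routine invoice, a spoofed CEO with a webmail Reply-To,
# a typosquatted supplier with an overdue-invoice lure, and a genuinely new but unremarkable vendor.
SAMPLES = [
    Mail("finance@corp.example", "billing@acme-supplies.example", "Invoice 1042 attached", 11),
    Mail("finance@corp.example", "ceo@corp.example", "Urgent wire needed today", 23,
         reply_to="ceo.corp@webmail-host.example"),
    Mail("finance@corp.example", "accounts@acme-supp1ies.example", "Overdue invoice - pay immediately", 10),
    Mail("finance@corp.example", "newvendor@fresh-startup.example", "Introduction and price list", 15),
]


def run(history: List[Mail] = HISTORY, samples: List[Mail] = SAMPLES) -> List[Tuple[str, int, List[str]]]:
    baseline = Baseline()
    baseline.learn(history)
    return [classify(baseline, m) for m in samples]


if __name__ == "__main__":
    for m, (verdict, score, reasons) in zip(SAMPLES, run()):
        print(f"{verdict:10} score={score} from={m.sender} subject={m.subject!r}")
        for reason in reasons:
            print("    -", reason)
```

The second sample is the case a signature-based gateway cannot catch: the From address is the real CEO's, there is no link and no attachment, and nothing in it is on a blocklist. It is quarantined purely because the Reply-To, the hour and the wording all depart from what this recipient's mailbox has seen before.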

ALTERED LANDSCAPE

In 2023 alone, half of UK businesses reported suffering some form of cybersecurity breach, including the high-profile ransomware attack on the British Library, states Matt Frye, head of pre-sales and education at Hornetsecurity. "The recent research from the NCSC [National Cyber Security Centre], that Generative AI tools will aid amateur cybercriminals to launch more sophisticated attacks, is alarming - but not at all surprising for professionals in the sector. The rise of Generative AI has permanently changed the cybersecurity threat landscape for businesses in the UK. We've seen a rise in sophisticated attacks, such as phishing, which currently account for 43.3% of attacks.

"The rise is partially due to the development of malicious kinds of widely used large language models (LLMs) such as DarkBERT and WormGPT. These programs automate processes, which means that amateur cybercriminals can now execute sophisticated cyber-attacks more easily, faster and with more precision. They can create far more compelling and targeted attacks, based on social engineering, for instance," adds Frye.

THE RACE IS ON

He also says a race has emerged between malicious actors and cybersecurity specialists, who are both using AI for different reasons. "Cybercriminals, armed with sophisticated AI tools, aim to target organisations at an unprecedented pace by automating attacks and adapting new strategies to bypass traditional defences. On the flip side, cybersecurity specialists are using AI to enhance threat detection, response, and mitigation.

"AI can be used as a force for good and it's essential for cybersecurity professionals to continue rebalancing the AI equation by utilising this technology within protection packages to bolster defences for organisations. This is something we have been doing for some years at Hornetsecurity for Advanced Threat Protection; and solutions like our Security Awareness Service, for instance, use machine learning to adapt and evolve per individual user. AI is valuable for cybersecurity providers like Hornetsecurity for threat detection and pattern recognition, which in turn helps keep organisations safe from cyberattacks."

AI EXPLOITATION

While Frank Catucci, CTO and head of security research, Invicti Security, doesn't believe AI poses an existential threat, relative to its opportunities for good, he recognises that it is a tool that will be - and already is - used by threat actors to increase the speed, volume and methods of attack in a number of ways. "Using AI tools to aid attacks and attacking AI tools themselves to poison code or otherwise inject harmful/malicious elements are both ways that AI poses a threat to organisations. Alternatively, AI also holds an unrealised promise to improve vulnerability detection, risk assessment, correlation and remediation of said vulnerabilities.

"Just in the way criminal attackers can use AI, so can organisations, security vendors and practitioners use these tools to improve their defences. For example, using AI to prioritise vulnerability or risk data and direct teams to fix issues accordingly, or leveraging AI-enhanced security tools to speed detection."

The primary issue in fully realising the opportunities will be in processes, or rather the human element within companies, to use these tools effectively to keep pace with bad actors. "Where organisations have policies, protocols and often siloed operations that can slow innovation," further comments Catucci, "hackers usually don't follow those rules, so until organisations can break down barriers-to-speed safely, they may always be a step behind."

Keiron Holyome, BlackBerry Cybersecurity: we need to focus on the more immediate issues at hand - cybersecurity is the greater priority.

Mike Britton, Abnormal Security: to combat the threat of AI-generated email attacks, organisations will need to amp up their own defensive AI capabilities.

Frank Catucci, Invicti Security: just as criminal attackers can use AI, so can organisations, security vendors and practitioners use these tools to improve their defences.

Matt Frye, Hornetsecurity: the rise of Generative AI has permanently changed the cybersecurity threat landscape for businesses in the UK.

DEEP TROUBLE

AI-generated deep fakes are also fast causing havoc, says Jordan Avnaim, Entrust. "From allegedly doctored footage of Ukrainian President Zelenskyy urging soldiers to surrender, to falsified videos of Donald Trump being arrested and forged robocalls attributed to President Biden, the quality of deep fakes continues to advance.

"As new, more powerful models like Sora from OpenAI hit the market, this content will become increasingly convincing. However, these techniques are being used for more than just misinformation. In Hong Kong, scammers recently orchestrated a video conference call, using deepfakes to impersonate executives of a multinational firm, convincing a finance worker to transfer approximately $25 million."

Amidst these challenges lies hope, though, he adds. "Enhancing identity security is a key step in fighting AI threats. Decentralised identity systems can empower individuals by granting them sole ownership over encrypted personal data verified via digital keys, without exposing details to external parties. This type of set-up enables individuals to store sensitive attributes in a hardware-protected digital wallet, rather than databases vulnerable to breaches."

FIGHTING OFF DEEP FAKES

"Additionally, robust authentication of digital content is essential to combat deep fakes," urges Avnaim. "Creators and publishers will need more sophisticated authentication methods to prove content is genuine. Using automated PKI certificates to digitally sign media, enabling audiences to verify authenticity through encryption, could facilitate this process.

"There are several advanced verification methods available to facilitate this transition. Today's facial biometrics can reliably match people to IDs and confirm liveness, ensuring authenticity while delivering smooth user experiences. Already seeing rapid growth in industries like banking and travel, biometrics can secure transactions and customer identification with minimal friction."

ATTACK VERSUS DEFENCE

Andrew Bolster, senior manager, research and development, at the Synopsys Software Integrity Group, sees cybersecurity, like every other form of crime, as fundamentally a game of economics: where the cost of attacking a valuable asset is less than the cost of defending it.

"The explosion of Generative AI onto the security threat landscape has, so far, been an easier economic 'force-multiplier' for the attackers, but, as the technology matures, the pendulum is turning back to the side of the defender. Attackers are using GenAI to generate human-like content on a huge scale, flooding defenders; and they can either get 'lucky' or use this smoke screen to slip in sophisticated attacks against critical infrastructure.

"These technologies also apply in later phases of an attack profile, with attackers able to rapidly explore and horizontally spread within a compromised environment, leveraging the increasingly large context sizes of new LLMs to learn more, faster," he adds.

"But those same technologies are being deployed to counter this new scale and speed of threat, much like the arms race between ticket-bots and CAPTCHAs that precipitated this same generative AI wave; identifying 'suspicious behaviours' at scale, using the same wide input space as the attackers."

And, as Bolster points out: "Cybersecurity has always been an ever-escalating technological cat-and-mouse game, with the attackers rapidly adopting new technologies with abandon and the defenders taking some time to get off the starting block with a new tool.

"Occasionally, the mouse has the upper hand, but not for long."

facial authentication

FACE OFF!

WHEN IT COMES TO DEVICE-BASED AND SERVER-BASED FACIAL AUTHENTICATION, WHICH, IF EITHER, IS THE MORE SECURE?

Device-based facial authentication and server-based facial authentication are two methods that are commonly used for authenticating users on mobile devices. While both methods serve the same purpose of verifying a user's identity, they differ in their approach and functionality.

"Device-based facial authentication is a method that relies on the device's built-in hardware and software to capture and analyse the user's facial features," says Majid Munir, senior cybersecurity consultant of Celestix Networks, the digital identity and secure access company. "When a user sets up facial authentication on their device, the device creates a unique facial template of the user, which is stored locally on the device. This template is then used for subsequent authentication attempts. With device-based facial authentication, the entire authentication process takes place on the device itself, without needing external servers or networks."

One of the main advantages of device-based facial authentication is its exclusivity to the device, he adds. "Since the facial template is stored locally on the device, external parties cannot access or tamper with it. This enhances the security of the authentication process, as there is no reliance on external servers or networks that may be vulnerable to cyberattacks."

However, device-based facial authentication also has its limitations. "First, since the authentication process is exclusive to the device, users may face difficulties, if they need to authenticate using a different device. For example, if a user loses their device or upgrades to a new one, they will need to go through the registration process again to set up facial authentication on the new device. This can be inconvenient and time-consuming for users.

"Another limitation of device-based facial authentication is that servers would not know the user's true identity. Since the authentication process occurs solely on the device, the server does not receive any information about the user's facial features or identity. This can pose challenges in scenarios where server-side authentication is required, such as accessing certain online services or platforms."

On the other hand, adds Munir, server-based facial authentication addresses these limitations by relying on external servers to store and process facial data. With this method, the facial data captured by the device is transformed into a Private Key, encrypted and securely stored on the server-side. The server then uses this Private Key to authenticate the user in subsequent authentication attempts.

"One of the standout features of server-based facial authentication, such as the V-Key Smart authenticator, is its enhanced security and user experience. With V-Key facial authentication, the facial data is securely encrypted and stored in the V-Key cloud. This ensures the user's facial biometric information is protected from unauthorised access or tampering. Furthermore, users do not need to go through the registration process again, if they change their devices or lose their device. The encrypted facial data is already stored in the V-Key cloud, allowing users to authenticate with their face again to regain access simply."

Majid Munir, Celestix Networks: both device-based and server-based facial authentication have pros and cons.

Ultimately, both device-based and server-based facial authentication have pros and cons. "Device-based facial authentication provides a secure and exclusive authentication process, while server-based facial authentication offers enhanced security and a seamless user experience. The choice between the two methods finally depends on the specific needs and requirements of the users, and the applications they are accessing."



insider threats

INSIDE OUT

INSIDER THREATS HIT MORE THAN 34% OF COMPANIES WORLDWIDE EVERY YEAR. UNLESS ORGANISATIONS COME UP WITH A CLEAR AND FEASIBLE ACTION PLAN THAT FIGURE LOOKS AS IF IT WILL ONLY GET WORSE

It is estimated that, every day, around 2,500 internal security holes are found in US businesses, while insider threats hit more than 34% of companies worldwide every year. Worryingly, 66% of organisations questioned believed that attacks from the inside were more likely than attacks from the outside, according to the latest research. With the big losses that are likely to result from such incidents when it comes to a company's finances - and reputation - what are the workable, effective solutions for mitigating these threats?

RISK MITIGATION

"Insiders don't act maliciously most of the time," points out Ian Robinson, chief architect, Titania. "That's why it's often harder to detect harmful insider activities than it is to detect external attacks. Insiders know the weaknesses of an organisation's cybersecurity, and the location and nature of sensitive data they can exploit. The statistics show that insider threats pose a significant challenge to businesses worldwide, highlighting the need for proactive and robust risk mitigation strategies. There is no one solution that can address all these threats; rather a combination of people, processes and technology working together."

As part of this, adopting a Zero Trust model - which requires all internal and external users to be continuously authenticated and authorised before being granted access to applications and data - and implementing effective network segmentation is a proven way to reduce the risk associated with insider attacks, he argues. "By segmenting the networks, either physically or logically, and reducing the number of people who have access to the more critical segments, organisations can significantly reduce their attack surface. And by constructing a micro perimeter around the protect surface - critical segments that require special permissions to access - network architects can ensure only authorised users can access assets within, while all others are blocked."

Then, vigilance is crucial to detect and address potential risks originating from within the organisation, states Robinson. "For example, an attacker might focus on non-repudiation by disabling audit logging to conceal the next phase of their attack, which might be to manipulate firewall rules or create a new route to allow the attacker to move laterally across the network to access a critical segment - such as the Cardholder Data Environment, for example. They are likely to start with the first phase and then wait to see how effective an organisation's incident response is before proceeding." This is where proactive security comes in, seeking out and remediating network vulnerabilities to mitigate threats and threat conditions before they pose a risk to the organisation.

UNWITTING BAD ACTORS

While insider threats are a valid concern for companies, the number of intentional internal bad actors is relatively small; the real threat lies with unwitting bad actors who have been subjected to phishing attacks or dormant accounts that provide access to the organisation, states Dave McGrail, head of business consultancy at Xalient. "As such, companies cannot ignore the risk associated with this threat and should implement a zero-trust approach to reducing the attack surface and mitigating risk - with robust identity and access management being a key starting point."

Over the years, many companies have neglected good housekeeping practices around effective identity and access management, which leads to poor identity hygiene within the environment, he adds. "This has a knock-on effect on security, as too many domain administrators, administrator accounts, service accounts and more are allowed untracked and uncontrolled logins, without the knowledge of who is using them, for what and why. This lack of knowledge and management results in the accounts remaining active as IT departments are too scared to delete them for fear of breaking something and yet these are exactly what threat actors are looking to attack. Through these attacks, outsiders can masquerade as insiders by attacking the identity of those from within the organisation."

Apart from organisations implementing a zero-trust strategy, they must also balance prevention efforts/investment with detection and response capability - doubling down on identity, he argues, using Identity Threat Detection and Response (ITDR) to detect and respond to identity-based attacks. "This approach involves improving the visibility of events from identity platforms, incorporating Identity and Access Management (IAM), Privileged Account Management (PAM) and Identity Governance and Administration (IGA).

"Combining ITDR with Zero Trust principles, companies benefit from the added value of driving access based on identity, along with the additional benefit of the added context around identity [device posture, location, time-of-day], measured against normal behaviour for that user," says McGrail. "There is huge value in understanding what is being accessed, when and by whom. This understanding forms the basis for anomaly detection, alerting the team to potential threats, and enabling them to respond to threats in a timely and effective way."


PROTECTIVE SOLUTIONS

To adequately address insider threats, organisations need solutions that protect the core identity system itself - for example, by highlighting vulnerabilities and attack paths that insiders can abuse, detecting and automatically remediating risky changes, and providing post-breach forensics to close backdoors left by malicious insiders.

"In particular, organisations that are in the midst of major transitions, such as consolidating business offices or reducing the overall workforce, need the ability to take action on suspicious activity from high-risk users," advises Semperis chief scientist Igor Baikalov. "This could include employees who are flagged as a flight risk or who are slated for upcoming termination. An insider with malicious intent could use their privileged access to compromise the organisation's system for a variety of reasons, from monetary gain to revenge.

"It's important to bear in mind that anyone who has permission to access critical business assets can potentially abuse that privilege, whether that's through malicious intent or through carelessness. Employees, contractors, vendors and partners can all inflict devastating damage on organisations. Negligence can lead to system compromise in several ways, but the result is the same: because of a mistake someone made - for example, an end user who left their laptop unlocked or an Active Directory admin who failed to follow defined employee off-boarding policies - privileged credentials become easy picking for bad actors."

Defending against insider threats requires a concerted effort, adds Baikalov: a comprehensive strategy that addresses every phase of the attack lifecycle, including prevention, remediation and recovery.

CLOUDY OUTCOMES

Chris Doman, CTO and co-founder, Cado Security, points to how insider threats can be even more difficult to detect and prevent in the cloud. "Business practices including employee training, clear policies and procedures, fostering a culture of trust and transparency and collaboration with security teams can help to reduce the risk of insider threats.

"For security teams, fast investigations are key. The issue is that best practices for managing and detecting insider threats that work well in on-prem environments don't translate across into cloud environments.

"The proliferation of cloud resources across a multitude of cloud providers and the addition of container and serverless capabilities create complexities around detecting suspicious activity such as excessive privilege use. The basics such as implemented and reviewed access controls, encryption, and monitoring for suspicious activity in general are key.

"A proactive approach to breaches enables security teams to understand whether they are prepared to quickly investigate and respond to insider threats before an incident occurs. This ensures that when an incident is detected, the security team will have the ability to quickly identify the root cause and remediate the threat," adds Doman.

Ian Robinson, Titania: adopting a Zero Trust model is a proven way to reduce the risk associated with insider attacks.

Chris Doman, Cado Security: a proactive approach enables security teams to quickly identify the root cause of a breach and remediate the threat.

MALICIOUS VERSUS ACCIDENTAL

Neil Langridge, marketing & alliances director, e92plus, draws a clear distinction between various insider threats - and first comes the malicious insider. "This can be a dangerous threat, as the user can leverage their understanding of a business and where their security posture may have weaknesses. A good place to start is often joiners, movers and leavers - a change of role can be the ideal point at which users can find the opportunity to exfiltrate data or compromise the defences of a business. Just like layers of defence is an established cybersecurity principle, layers of authorisation or authentication is also key, especially where confidential data is involved, or access to critical systems."

Then there's the second type: the accidental or compromised insider threat. "This can be where a user has been unwittingly profiled and their user credentials have been obtained by an attacker - whether that's through social engineering [such as the MGM Casino attack, which leveraged a help desk engineer] or from a data breach [and the credentials hadn't been changed post-breach]. This is still a form of insider threat, as there's no attack as such - and it's increasingly common," cautions Langridge.

"Such attacks allow bad actors to hide perfectly, understand an organisation and operate as an insider, so without drawing any unwanted attention. This is where behaviour profiling can be essential, as the attacker won't fully know processes or the business culture, and tools like UEBA [User and Entity Behaviour Analytics] can therefore highlight potential incidents that form a pattern of non-standard behaviour."

Jon Fielding, Apricorn: the 3-2-1 rule is an effective means to facilitate recovery.

Neil Langridge, e92plus: behaviour profiling can be essential, as the attacker won't fully know processes or the business culture.
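The behaviour profiling that McGrail (ITDR context: device, location, time-of-day measured against a user's normal pattern) and Langridge (UEBA) describe, together with Robinson's "disable audit logging first" precursor, as an added illustration that is not code from any of the vendors quoted. The identity-platform log format, field names and sample events are constructed assumptions.

```python
"""Toy identity-anomaly detector: learn each user's normal sign-in pattern,
then flag later events that deviate from it or that disable audit logging.
Added example; log layout and field names are assumptions, not a real product's."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed identity-platform events (not real logs).
# Columns: timestamp user country device outcome action
BASELINE_LOG = """\
2024-04-01T08:55:00Z alice GB dev-a1 success signin
2024-04-01T13:30:00Z alice GB dev-a1 success signin
2024-04-02T09:10:00Z alice GB dev-a1 success signin
2024-04-03T17:45:00Z alice GB dev-a1 success signin
2024-04-02T09:00:00Z bob GB dev-b7 success signin
2024-04-02T10:30:00Z bob GB dev-b7 success signin
2024-04-03T09:05:00Z bob GB dev-b7 failure signin
"""

NEW_LOG = """\
2024-04-08T09:02:00Z alice GB dev-a1 success signin
2024-04-08T03:14:00Z alice RO dev-x9 success signin
2024-04-08T10:05:00Z bob GB dev-b7 success signin
2024-04-08T10:07:00Z bob GB dev-b7 success audit_disabled
2024-04-08T11:00:00Z carol GB dev-c2 success signin
"""


@dataclass
class Event:
    ts: datetime
    user: str
    country: str
    device: str
    outcome: str
    action: str


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from successful sign-ins."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    hours: set = field(default_factory=set)


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, country, device, outcome, action = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, country, device, outcome, action))
    return events


def build_baselines(events):
    # Failed sign-ins are excluded so an attacker's guesses never become "normal".
    baselines = defaultdict(Baseline)
    for e in events:
        if e.action == "signin" and e.outcome == "success":
            b = baselines[e.user]
            b.countries.add(e.country)
            b.devices.add(e.device)
            b.hours.add(e.ts.hour)
    return baselines


def _hour_distance(a, b):
    d = abs(a - b)
    return min(d, 24 - d)  # wrap around midnight


def score_event(e, baselines, hour_slack=1):
    """Return the list of reasons an event looks abnormal (empty when it is normal)."""
    reasons = []
    if e.action == "audit_disabled":
        # Robinson's precursor: turning off audit logging is flagged regardless of baseline.
        reasons.append("audit_logging_disabled")
    b = baselines.get(e.user)
    if b is None:
        reasons.append("unknown_user")
        return reasons
    if e.country not in b.countries:
        reasons.append("new_country")
    if e.device not in b.devices:
        reasons.append("new_device")
    if b.hours and all(_hour_distance(e.ts.hour, h) > hour_slack for h in b.hours):
        reasons.append("off_hours")
    return reasons


def detect(baseline_text, new_text):
    """Score every new event against the learned baselines; returns (user, time, severity, reasons)."""
    baselines = build_baselines(parse_events(baseline_text))
    findings = []
    for e in parse_events(new_text):
        reasons = score_event(e, baselines)
        if reasons:
            critical = "audit_logging_disabled" in reasons or len(reasons) >= 2
            findings.append((e.user, e.ts.isoformat(), "critical" if critical else "review", reasons))
    return findings


if __name__ == "__main__":
    for finding in detect(BASELINE_LOG, NEW_LOG):
        print(*finding)
```

Alice's 03:14 sign-in from an unseen country and device is flagged on three counts, Bob's audit_disabled event is flagged even though his location, device and hour are all normal, and Carol is surfaced for review simply because she has no baseline at all.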

For both forms of threat, as ever the first step before technology is process: just as authentication should be multi-factor with layers of approval, so should any business process (to avoid business email compromise or payment fraud) or access to critical data or infrastructure. "The next step is to review how their cybersecurity strategy can move towards a Zero Trust approach; this assumes trust must be earned, regardless of their status, and can help address the challenge of insider threat."

ENFORCING THE '3-2-1 RULE'

The insider threat has increased significantly, due to economic pressures and the way we work, with criminal groups now brazenly recruiting insiders. A recent study by Apricorn revealed that malicious leakage has doubled, with a fifth having suffered a breach attributable to a malicious employee during 2023, and remote and hybrid working practices have almost certainly played a role, with 48% saying these workers had knowingly exposed data to a breach, up from 29% in 2022. "Both factors have made it harder to counter the insider threat, requiring the business to reinforce the security culture through staff awareness training and the application of technical controls to protect data," says Jon Fielding, managing director EMEA at Apricorn.

"Acceptable Use Policies (AUP) are well established, but these policies must be reinforced through regular staff training. Crucially, the AUP should extend beyond just seeking approval for a device, with controls implemented on sanctioned devices." The survey found that policy enforcement is either non-existent or weak.

In cases of neglect or error, rather than malicious intent, encryption can be used to boost defences. "However, encryption of physical devices has nose-dived," adds Fielding. "Only 12% encrypt data on laptops today, compared with 68% in 2022 and only 17% desktop computers, down from 65%. Similarly, only 13% encrypt mobile devices versus 55% in 2022; 17% USB sticks, down from 54%; and 4% portable hard drives, down from 57%."

If data is compromised or stolen, the business must be able to recover and so it needs a watertight backup strategy, he adds. "The 3-2-1 rule, which advocates at least three copies of data should be held on at least two different media with at least one held offsite (and preferably offline and encrypted), is an effective means to facilitate recovery, if the worst happens."
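The 3-2-1 rule above, turned into a checker that a backup owner can run over an inventory of copies; this is an added example, not Apricorn's tooling, and the inventory fields (medium, offsite, offline, encrypted) are assumptions. It treats "offline and encrypted" as the recommendation the rule states, separate from the three hard requirements.

```python
"""Evaluate a backup inventory against the 3-2-1 rule:
>= 3 copies, on >= 2 distinct media, >= 1 held offsite (preferably offline and encrypted).
Added example; the BackupCopy fields are assumptions, not a product's data model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str       # e.g. "disk", "tape", "object-storage"; compared case-insensitively
    offsite: bool     # physically or logically separate site
    offline: bool     # not reachable from the production network with live credentials
    encrypted: bool


def check_321(copies):
    """Return counts, hard failures (rule broken) and soft recommendations (rule met, but weak)."""
    copies = list(copies)
    media = {c.medium.strip().lower() for c in copies}   # same medium twice counts once
    offsite = [c for c in copies if c.offsite]
    result = {
        "copies": len(copies),
        "media": len(media),
        "offsite": len(offsite),
        "failures": [],
        "recommendations": [],
    }
    if len(copies) < 3:
        result["failures"].append(f"only {len(copies)} copies, need at least 3")
    if len(media) < 2:
        result["failures"].append(f"only {len(media)} distinct media, need at least 2")
    if not offsite:
        result["failures"].append("no offsite copy")
    # The "preferably" clause: an offsite copy that is still online and unencrypted
    # can be deleted or read by anyone holding valid credentials, insiders included.
    if offsite and not any(c.offline for c in offsite):
        result["recommendations"].append("no offsite copy is offline")
    if offsite and not all(c.encrypted for c in offsite):
        result["recommendations"].append("not every offsite copy is encrypted")
    result["compliant"] = not result["failures"]
    return result


# Constructed inventories for demonstration.
GOOD = [
    BackupCopy("production volume", "disk", offsite=False, offline=False, encrypted=False),
    BackupCopy("NAS snapshot", "Disk", offsite=False, offline=False, encrypted=True),
    BackupCopy("tape in vault", "tape", offsite=True, offline=True, encrypted=True),
]
WEAK = [
    BackupCopy("production volume", "disk", offsite=False, offline=False, encrypted=False),
    BackupCopy("NAS snapshot", "disk", offsite=False, offline=False, encrypted=False),
]
ONLINE_ONLY = [
    BackupCopy("production volume", "disk", offsite=False, offline=False, encrypted=False),
    BackupCopy("NAS snapshot", "disk", offsite=False, offline=False, encrypted=True),
    BackupCopy("cloud bucket", "object-storage", offsite=True, offline=False, encrypted=False),
]

if __name__ == "__main__":
    for name, inv in (("GOOD", GOOD), ("WEAK", WEAK), ("ONLINE_ONLY", ONLINE_ONLY)):
        print(name, check_321(inv))
```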

INSIDER RISK MANAGEMENT

Having an efficient and effective insider risk management (IRM) program can be challenging, due to several circumstances, states Kyle Kurdziolek, BigID's senior manager of cloud security. "IRM programs can be complex, due to the wide range of security technologies, monitoring solutions and behavioural analytics tools available. In a perfect world, all three of these solutions would mesh together and become the trifecta of an IRM solution. These all come together to deliver higher fidelity risks associated with insider threats and introduce capabilities to proactively eliminate known insider threats."

From a technology perspective, data loss prevention (DLP) and data security posture management (DSPM) will aid and assist organisations in classifying their sensitive data and preventing unwanted exposure, he says. "Analysts spend a lot of unnecessary time trying to identify if a document was shared or whether said document contains confidential company information. A good starting point, if organisations are trying to mature IRM, is to establish DLP alongside DSPM to gain full visibility of what sensitive data is within the organisation and where it is at.

"The next iteration would be combining this with user activity monitoring, which can provide additional telemetry to alerts captured by DLP or DSPM solutions. These tools can range from dedicated activity monitoring tools to applications embedded in security technologies or data from endpoints."

However, as companies grow, the scale can become uncontrollable and requires higher-level technologies, like behaviour analytics, to further drill down into true insider threats. "This would be the final iteration of your IRM, as this introduces machine learning capabilities to understand what is indeed normal and what are the anomalies that should be investigated," says Kurdziolek.

Monitoring employee activity does not come without a degree of risk. "Before pursuing an IRM program, consider investigating the approved use of insider threat tools and services. Organisations can and should speak with legal counsel and human resources members to establish guardrails for the collection, storage, sharing and analysis related to employee activity. These guardrails are what can help enable an organisation to have a successful prosecution of insider threats."

LIMITED SYSTEM ACCESS

One pivotal aspect of mitigating insider threats means limiting system access, comments Tim Freestone, chief strategy and marketing officer at Kiteworks. "By ensuring that administrators do not have unnecessary access to the operating system, organisations can significantly reduce the potential for these insiders to manipulate or compromise sensitive information and its metadata. This approach includes the implementation of hardened environments where the separation of duties is strictly enforced. Such measures prevent a single individual from having excessive control over sensitive data, thereby limiting access to critical settings exclusively to those directly accountable."

It's also crucial to adopt policies that restrict end-user access to sensitive data, he adds, adhering to the principle of least privilege. "Users should only have access to the data necessary for their specific roles, with automatic expirations on content access based on organisational policies to further curb unauthorised access. Advancements in digital rights management (DRM) technology offer further protections against insider threats.

"Features that allow users to access and edit content in real-time, without the ability to download, retain or forward the content, are essential. Such capabilities ensure that sensitive documents are not stored on local devices, significantly reducing the risk of data leakage."

Supporting these technological measures, organisations should also deploy comprehensive monitoring and auditing systems. "These systems provide real-time logs and reports that can be integrated with security information and event management (SIEM) systems," adds Freestone.

"By monitoring user actions and access to files, organisations can quickly identify and investigate suspicious behaviour, gathering the necessary details for potential HR or legal actions." The implementation of an insider threat compliance report can further enhance an organisation's ability to track and analyse insider activities.

Kyle Kurdziolek, BigID: monitoring employee activity does not come without risk.

Tim Freestone, Kiteworks: limiting system access can prevent a single individual from having excessive control over sensitive data.



threats landscape

THREATENING TIMES

COMPUTING SECURITY ZOOMS IN ON SOME OF THE LATEST HAZARDS THAT ARE THREATENING THE INDUSTRY

VIPRE Security Group, a global leader and award-winning cybersecurity, privacy and data protection company, today released its report titled 'Email Security in 2024: An Expert Look at Email-Based Threats'. The 2024 predictions for email security in this report are based on an analysis of over 7 billion emails processed by VIPRE worldwide during 2023. This equates to almost one email for everyone on the planet. Of those, roughly 1 billion (or 15%) were malicious.

This research warns that, in 2024, QR code hacks or quishing will increase; use of AI to create content for spam emails, including deepfakes, will rise; highly personalised social media mining will grow further; and a wide array of file types and formats - especially EML - will be used to propagate phishing and malware attacks. There will also be a marked uptick in state-sponsored attacks.

"When you take a look at the kinds of [email] threats we're seeing today, a lot of them are preventable," says Usman Choudhary, general manager, VIPRE Security Group. "It just takes the right tools, but most companies don't know they exist, because email doesn't always get the same kind of security attention as the rest of the network. Unfortunately, threat actors know this."

ALPHV/BLACKCAT RANSOMWARE

The ALPHV/BlackCat ransomware group recently claimed responsibility for major attacks on both Prudential Financial and LoanDepot, making a series of follow-on allegations against them both. Neither company seems to have had any of their stolen data leaked, although, if negotiations continued to stall, as ALPHV said they had, then a data dump could be the longer-term outcome.

The advice from both CISA and the FBI is that victims should not pay ransom demands to cybercriminals, something that is frequently adhered to. However, when ransom demands aren't paid, victims can end up having their attacks made public knowledge, before continued non-compliance with the criminals' demands leads to data disclosure. That can have a serious impact on clients, as it is often their personal data that is affected.

Stephen Robinson, senior threat intelligence analyst at WithSecure, says that ALPHV was ranked as one of the largest and most active ransomware groups in 2023. "Our research showed that ALPHV was responsible for 8.82% of total leaks in 2023. Prudential Financial are a Fortune 500 company in the financial sector, so it's not surprising they were a target for ALPHV. Multiple organisations in the financial sector have been victims of ransomware attacks by ransomware gangs in recent months, probably at least in part, because the ideal victim for a ransomware attack is an entity with a high turnover, which holds sensitive data."

ALPHV have been known to take part in what is known as 'big game hunting', striking well-known, high-valued targets, including several attacks against critical national infrastructure, such as the Canadian Trans Northern Pipeline. "So great is the threat of ALPHV's activities, and the disruption they have caused," adds Robinson, "that the US State department has offered a reward for information leading to the arrest of members of the group."

DIGITAL SAFETY GAMBLE

A survey across the UK by Bitdefender has uncovered a stark reality: more than half of smartphone users are gambling with their digital safety. The alarming findings reveal that a staggering 50% of respondents are navigating the digital world without any form of mobile security, leaving them wide open to cyber-attacks. The survey paints a disturbing picture of complacency in the face of escalating cyber threats and found the following:

• Despite 76% of respondents relying on smartphones for critical transactions, including banking and accessing sensitive accounts, 50.10% are neglecting basic security measures
• Reasons for this negligence range from blind faith in the assumed invincibility of iOS (Apple) or Android systems (23%) to an alarming lack of awareness about available mobile security solutions (21%)
• Additionally, 49% expressed genuine fears about being doxxed, a chilling practice in which hackers unearth and expose private information online. An issue made scarier by the unprecedented access that hackers now have to your most personal information stored on smartphones for billions of people
• Consequently, 17% of respondents have experienced one or more security incidents in the last 12 months.


These revelations underscore an urgent need<br />

for action as smartphones become prime<br />

targets for cybercriminals. With the proliferation<br />

of mobile devices and their central<br />

role in our lives, the risk of devastating cyberattacks<br />

has never been greater.<br />

GOING FOR BROKE<br />

CYJAX's latest research, 'Broken China', has<br />

some disturbing warnings, as it analyses the<br />

turbulent socio-economic situation in China<br />

and how this will likely lead to an increase in<br />

cyber espionage activities by the PRC to give<br />

Chinese businesses a competitive edge.<br />

The report finds that China is facing major<br />

economic pressures from all sides. Its economy<br />

is still suffering from the effect of COVID,<br />

its manufacturing industry is shrinking and its<br />

property sector is overleveraged, due to an<br />

aggressive borrowing strategy. There are also<br />

signs of growing dissent among its youth,<br />

driven by rising unemployment.<br />

Although there are remedies that could aid<br />

in China's economic recovery, its culture of<br />

nationalism and conservatism is inclined to<br />

make implementing them unlikely. There is<br />

also the threat of chillier US-China relations,<br />

if Donald Trump returns to the White House,<br />

which could mean even higher trade tariffs<br />

than today.<br />

With a bleak economic future looming,<br />

Cyjax predicts that the PRC will opt for more<br />

short-term solutions to grow its economy<br />

fast-and this will include more aggressive<br />

cyber espionage campaigns designed to steal<br />

foreign intellectual property (IP) and boost<br />

Chinese industry.<br />

The PRC employs various threat groups to<br />

conduct espionage campaigns and, over the<br />

next year, Cyjax expects to see a major uplift<br />

in activity from the following:<br />

The Gallium group: active since at least<br />

2012, the group is well known for being<br />

part of Operation Soft Shell which targets<br />

global telecoms and Microsoft Exchange<br />

servers. The group targets and steals IP<br />

from telecommunication, financial, and<br />

government entities in Southeast Asia,<br />

Europe, Africa, and the Middle East<br />

Sandman: the group targets<br />

telecommunication providers in the Middle<br />

East, Western Europe and South Asia. It<br />

uses a novel backdoor that abuses the<br />

LuaJIT platform to deliver malware<br />

MustangPanda: the group had been<br />

observed to be targeting Beijing's more<br />

local advisories mainly including Southeast<br />

Asian governments<br />

VoltTyphoon: believed to have been<br />

operating since 2021, the group targets<br />

critical US infrastructure for intelligence<br />

gathering purposes in alignment with the<br />

requirements of the PRC.<br />

"China is a far more complex and nuanced<br />

territory than generally portrayed," states Ian<br />

Thornton-Trump, CISO at Cyjax. "Its internal<br />

pressures are likely to lead to increased cyber<br />

espionage activity, rather than slowing it<br />

down. The PRC's approach to cyberspace has<br />

always been to use it to advance its business<br />

interests, extracting technologies from<br />

Western companies and creating a protected<br />

domestic market for these industries, giving<br />

them an advantage in the global market.<br />

With a better understanding of the country's<br />

internal forces, and how these relate to its<br />

cyber strategy, we can plan better defences<br />

against PRC cyber espionage."<br />

THE EMAIL THREAT FACTOR<br />

"With social engineering attacks like business<br />

email compromise (BEC) having exposed<br />

losses of more than $50 billion over the past<br />

decade, it is clear that email continues to be<br />

a major threat vector in organisations today."<br />

That is the warning from Mike Britton, CISO,<br />

Abnormal Security.<br />

"The proliferation of generative AI tools like<br />

ChatGPT has only catalysed modern phishing<br />

attacks, enabling threat actors to create personalised<br />

and seemingly authentic content<br />

that is often hard to distinguish from human-generated<br />

content. Not only are AI-generated<br />

email attacks more likely to deceive their<br />

recipients, they are also likely to bypass<br />

traditional security measures that rely on<br />

detecting known threat signatures.<br />

"To combat the threat of AI-generated email<br />

attacks, organisations will need to amp up<br />

their own defensive AI capabilities. We need<br />

to evolve beyond legacy systems like secure<br />

email gateways, which look for known-bad<br />

behaviours, like malicious links, blocked<br />

senders or bad IP addresses, and instead use<br />

behavioural models to learn the known-good<br />

behaviours in an organisation's email<br />

environment, things like each user's typical<br />

communication patterns or sign-in activity."<br />

Ian Thornton-Trump, Cyjax: China's<br />

internal pressures are likely to lead to<br />

increased cyber espionage activity.<br />

Usman Choudhary, VIPRE Security: email<br />

doesn't always get the same kind of security<br />

attention as the rest of the network.<br />

Stephen Robinson, WithSecure: research<br />

showed that ALPHV was responsible for<br />

8.82% of total leaks in 2023.<br />

Ilia Kolochenko, ImmuniWeb: LLMs have<br />

a fairly narrow application in cybercrime.<br />

www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security<br />

threats landscape<br />

AI then acts as a key line of defence by<br />

detecting anomalous behaviour that may<br />

indicate a potential attack, automatically<br />

remediating those suspicious emails before<br />

they reach end users. This means that security<br />

teams could block sophisticated email attacks<br />

even if they are AI-generated, appear highly<br />

realistic, and omit traditional indicators of<br />

compromise.<br />
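The known-good modelling Britton describes, shown as an added example written for this article and not Abnormal Security's code: a per-mailbox baseline is learned from past mail (which display names map to which addresses, which sender domains and arrival hours are usual), and new mail is then scored against that baseline rather than against a blocklist of bad links or senders. The mailbox, sender names, domains and messages below are constructed for the example; the lookalike-domain threshold and the payment-word list are assumptions.<br />

```python
"""Known-good email baseline, scored per message (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass, field
import difflib


@dataclass
class Message:
    recipient: str      # mailbox that received the mail
    display_name: str   # From: display name
    sender: str         # From: address
    reply_to: str       # Reply-To: address (same as sender when absent)
    hour: int           # local hour the mail arrived
    subject: str


# Constructed history: what "normal" looks like for one mailbox over past weeks.
HISTORY = [
    Message("j.doe@acme-corp.example", "Alice Chen (CEO)", "alice.chen@acme-corp.example",
            "alice.chen@acme-corp.example", 9, "Board pack"),
    Message("j.doe@acme-corp.example", "Alice Chen (CEO)", "alice.chen@acme-corp.example",
            "alice.chen@acme-corp.example", 14, "Q2 numbers"),
    Message("j.doe@acme-corp.example", "Bob Vendor", "bob@supplier.example",
            "bob@supplier.example", 11, "Invoice 1042"),
    Message("j.doe@acme-corp.example", "Bob Vendor", "bob@supplier.example",
            "bob@supplier.example", 10, "Invoice 1043"),
]


@dataclass
class Baseline:
    name_to_addr: dict = field(default_factory=lambda: defaultdict(set))
    domains: set = field(default_factory=set)
    hours: set = field(default_factory=set)


def learn(history):
    """Build a per-recipient known-good profile from past mail."""
    profiles = defaultdict(Baseline)
    for m in history:
        p = profiles[m.recipient]
        p.name_to_addr[m.display_name.lower()].add(m.sender.lower())
        p.domains.add(m.sender.split("@")[1].lower())
        p.hours.add(m.hour)
    return profiles


PAYMENT_WORDS = ("wire", "urgent", "invoice", "bank details", "gift card")  # assumed list


def lookalike(domain, known):
    """Return a known domain that is close to, but not equal to, this one (assumed 0.85 cut-off)."""
    for k in known:
        if domain != k and difflib.SequenceMatcher(None, domain, k).ratio() >= 0.85:
            return k
    return None


def score(msg, profiles):
    """Return the anomaly reasons for a message measured against the recipient's baseline."""
    p = profiles.get(msg.recipient)
    if p is None:
        return ["no baseline for recipient"]
    reasons = []
    sender = msg.sender.lower()
    domain = sender.split("@")[1]
    known_addrs = p.name_to_addr.get(msg.display_name.lower())
    if known_addrs and sender not in known_addrs:
        reasons.append("display-name impersonation: known name, new address")
    if (k := lookalike(domain, p.domains)):
        reasons.append(f"lookalike domain {domain} ~ {k}")
    if msg.reply_to.lower() != sender:
        reasons.append("reply-to differs from sender")
    if domain not in p.domains and any(w in msg.subject.lower() for w in PAYMENT_WORDS):
        reasons.append("first-contact sender with payment language")
    if msg.hour not in p.hours and (msg.hour < 7 or msg.hour > 19):
        reasons.append("outside recipient's usual hours")
    return reasons


if __name__ == "__main__":
    profiles = learn(HISTORY)
    suspect = Message("j.doe@acme-corp.example", "Alice Chen (CEO)", "alice.chen@acme-c0rp.example",
                      "ceo.acme@mail.example", 23, "Urgent wire before close of business")
    for reason in score(suspect, profiles):
        print("-", reason)
```

Nothing in the suspect message is on a blocklist, yet it collects five independent deviations from the mailbox's own history; a real system would weight and threshold these, but the point is that the signal comes from the organisation's known-good pattern, not from a signature.<br />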

"The AI arms race is on as organisations<br />

must realise that 'good' AI is necessary to<br />

detect and block 'bad' AI. Additionally,<br />

measures like password management,<br />

multi-factor authentication, and privilege<br />

and permissions management can provide<br />

a final safety net, helping to reduce the<br />

attack surface and prevent further havoc if<br />

attackers are able to infiltrate the network."<br />

Britton also recommends that security<br />

awareness training should not be neglected.<br />

"Employees need to know how to spot risky<br />

emails so they don't click on malicious links<br />

or rush to make suspicious transactions. Of<br />

course, phishing clues are harder than ever for<br />

people to identify, especially as generative AI<br />

enables threat actors to create hyper-realistic<br />

attacks. That's why it's critical to supplement<br />

security awareness training with sophisticated<br />

technology that reduces the number of email<br />

attacks that ever reach employee inboxes."<br />

PREDICTIONS EXAGGERATED<br />

Dr Ilia Kolochenko, CEO at ImmuniWeb, is of<br />

the opinion that the predictions about the<br />

unprecedented cybercrime surge, fuelled by<br />

GenAI and fine-tuned malicious LLMs (large<br />

language model-based tools), are somewhat<br />

exaggerated.<br />

"First, LLMs have a fairly narrow application<br />

in cybercrime, namely in phishing, smishing<br />

and vishing, BEC and whaling attacks - all of<br />

which rely on social engineering and human<br />

deception. GenAI provides little to no help<br />

with nationwide ransomware campaigns,<br />

disruptive attacks against critical national<br />

infrastructure (CNI) or advanced persistent<br />

threats (APTs) aiming at stealing classified<br />

information from the government or<br />

intellectual property from businesses.<br />

"Organised cybercrime groups already have<br />

all the requisite skills, such as spear-phishing<br />

email creation or state-of-the-art malware<br />

development, producing substantially superior<br />

quality of cyber warfare, compared to any<br />

LLM.<br />

"Secondly, cyberattacks that exploit human<br />

deception have been already quite efficient in<br />

the past," he points out. "Cyber gangs behind<br />

this are unlikely to boost their success rate with<br />

a better-written email impersonating a CEO<br />

in a whaling attack. Moreover, an impeccably<br />

written email can rather trigger some doubts,<br />

as in business, people frequently make typos<br />

or use jargon when communicating with their<br />

colleagues.<br />

"Having said that, any authentication<br />

systems - for example, in financial institutions<br />

- that are based on a client's voice or<br />

appearance are to be urgently tested for<br />

bypassability with fake AI-generated content.<br />

Employees who are susceptible to this kind of<br />

cyberattacks should also be regularly trained<br />

to spot red flags and require additional proof<br />

of identity to prevent fraud."<br />



zero trust<br />

THE IMPERATIVE FOR ZERO TRUST<br />

AS ORGANISATIONS EMBRACE DIGITAL TRANSFORMATION TO GAIN ACCESS TO THE CLOUD'S MANY BENEFITS,<br />

COMPUTING ENVIRONMENTS ARE FACED WITH EVOLVING INTO BORDERLESS IT ECOSYSTEMS<br />

As we continue to digitally<br />

transform organisations, so<br />

the importance of secure and<br />

reliable digital identities has grown.<br />

According to Scott Silver, CEO, Integral<br />

Partners, part of the Xalient Group,<br />

2024 is poised to usher in a multitude<br />

of innovations and trends in this area,<br />

ranging from advanced biometrics to<br />

the integration of artificial intelligence<br />

and machine learning to meet the<br />

changing needs of businesses,<br />

individuals and governments.<br />

"As organisations embrace digital<br />

transformation, computing environments<br />

are evolving into borderless IT<br />

ecosystems," he warns. "Digital identities<br />

are also evolving at pace and identity<br />

security is now a crucial aspect of<br />

cybersecurity. 2024 will usher in a<br />

multitude of identity innovations,<br />

ranging from advanced biometrics<br />

to artificial intelligence integration<br />

to meet the needs of businesses,<br />

individuals and governments.<br />

"Increasingly, cybercriminals are<br />

creating synthetic identities by combining<br />

stolen personal information from<br />

several people into a new false identity<br />

that doesn't rely on real personal data.<br />

"They use these identities to build a<br />

shallow history that passes identity<br />

checks with banks and retailers.<br />

To counter these tactics, biometrics,<br />

such as facial recognition, fingerprint<br />

scanning and voice recognition, are<br />

becoming popular as a stronger means<br />

of identity verification."<br />

Despite these countermeasures,<br />

however, the threat is large and<br />

growing, driven by Cybercrime-as-a-<br />

Service (CaaS) that allows criminals to<br />

procure tools enabling them to easily<br />

carry out identity-based attacks.<br />

"This makes it even more important for<br />

businesses to prioritise identity security,<br />

employing policies and tools that also<br />

monitor employees and prevent insider<br />

incidents."<br />

AI and machine learning are important<br />

tools for organisations seeking to combat<br />

identity risk. "AI-powered pattern and<br />

behaviour recognition capabilities can<br />

identify anomalies and detect fraudulent<br />

attempts in real-time. Machine<br />

learning algorithms act as adaptive<br />

detectives, continuously evolving to<br />

recognise new identity fraud tactics,<br />

enhancing the overall accuracy of the<br />

verification process.<br />

"Zero trust architecture is the<br />

foundation of modern cybersecurity,<br />

with secure networking and identity<br />

security as cornerstones. Zero Trust<br />

involves the application of identity and<br />

access management capabilities to<br />

perform continuous risk assessment<br />

every time resources are accessed. It<br />

uses contextual identity information to<br />

optimise access policies, while enforcing<br />

the principle of least privilege."<br />

Zero Trust controls reduce insiders'<br />

ability to access systems and data that<br />

aren't part of their job, adds Silver.<br />
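A minimal policy decision point of the kind Silver describes, written for this article as an added example and not Xalient or Integral Partners code: every access request is evaluated afresh against a role-based least-privilege table and the contextual signals available at that moment (device posture, a country change since the last request, whether strong MFA has been completed), and the engine answers allow, step-up or deny. The roles, resources, two-hour travel window and the rule that two anomalies mean a deny are assumptions for the example.<br />

```python
"""Per-request zero trust decision point (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Least privilege: each role may reach only the resources its job needs (assumed table).
ROLE_RESOURCES = {
    "finance": {"erp", "payroll"},
    "engineer": {"git", "ci"},
    "helpdesk": {"ticketing"},
}
SENSITIVE = {"payroll", "erp"}   # resources that always need fresh strong authentication


@dataclass
class Context:
    user: str
    role: str
    resource: str
    mfa: bool                 # strong MFA completed for this session
    device_compliant: bool    # managed device passing posture checks
    country: str
    when: datetime


@dataclass
class Decision:
    verdict: str   # "allow", "step_up" or "deny"
    reasons: list


class PolicyEngine:
    """Re-evaluates risk on every access, not once at login."""

    def __init__(self):
        self.last_seen = {}   # user -> (country, time) for the travel check

    def evaluate(self, c: Context) -> Decision:
        reasons = []
        # 1. Least privilege: outside the role's allow-list is a hard deny, whatever else is true.
        if c.resource not in ROLE_RESOURCES.get(c.role, set()):
            return Decision("deny", [f"{c.role} has no entitlement to {c.resource}"])
        # 2. Device posture: a non-compliant device never reaches sensitive data.
        if not c.device_compliant:
            if c.resource in SENSITIVE:
                return Decision("deny", ["non-compliant device on sensitive resource"])
            reasons.append("non-compliant device")
        # 3. Contextual identity: country changed since the last request within two hours (assumed window).
        prev = self.last_seen.get(c.user)
        if prev and prev[0] != c.country and c.when - prev[1] < timedelta(hours=2):
            reasons.append(f"country changed {prev[0]}->{c.country} within 2h")
        self.last_seen[c.user] = (c.country, c.when)
        # 4. Risk-based outcome: two anomalies deny; one anomaly or a sensitive resource needs fresh MFA.
        risk = len(reasons)
        if risk > 1:
            return Decision("deny", reasons)
        if (risk == 1 or c.resource in SENSITIVE) and not c.mfa:
            return Decision("step_up", reasons + ["MFA required"])
        return Decision("allow", reasons)


T0 = datetime(2024, 5, 1, 9, 0)   # constructed reference time


def run_demo():
    """Constructed sequence of requests from two users; returns the verdict for each."""
    engine = PolicyEngine()
    requests = [
        Context("j.doe", "finance", "erp", True, True, "GB", T0),                               # allow
        Context("j.doe", "finance", "git", True, True, "GB", T0 + timedelta(minutes=10)),       # deny: no entitlement
        Context("j.doe", "finance", "payroll", False, True, "BR", T0 + timedelta(minutes=30)),  # step_up: travel anomaly, no MFA
        Context("j.doe", "finance", "erp", True, False, "GB", T0 + timedelta(hours=1)),         # deny: bad device, sensitive data
        Context("e.ng", "engineer", "git", False, False, "DE", T0),                             # step_up: bad device
        Context("e.ng", "engineer", "git", True, False, "US", T0 + timedelta(minutes=20)),      # deny: two anomalies
    ]
    return [engine.evaluate(r).verdict for r in requests]


if __name__ == "__main__":
    print(run_demo())
```

The same user receives four different answers within an hour because the decision is taken per request on current context; a login-time check would have issued one token and never revisited it.<br />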

"Now, organisations are seeking<br />

AI-powered identity and access<br />

management in a single solution that<br />

integrates seamlessly with zero trust<br />

architecture, combined with professional<br />

support. These solutions enable<br />

fast, effective responses to potential<br />

breaches and, alongside identity, will<br />

play a pivotal role in the evolution of<br />

zero trust models."<br />

Scott Silver, CEO, Integral Partners.<br />

Identity is seen as the new enterprise<br />

perimeter, and managing interdependencies<br />

between identity, security and<br />

networking to adhere to true zero trust<br />

principles is a considerable challenge -<br />

one that the Xalient Group is addressing,<br />

he says, as a provider of IAM<br />

services and solutions through its recent<br />

acquisitions of Grabowsky and Integral<br />

Partners. "Together, we can develop the<br />

advanced, AI-powered identity management<br />

solutions that companies need in<br />

today's complex security environment."<br />



ransomware<br />

BIRD'S EYE VIEW OF RANSOMWARE ATTACK<br />

WHAT IS IT LIKE TO BE HELD TO RANSOM? WE ASKED SEVERAL EXPERTS TO TALK<br />

US THROUGH WHAT TYPICALLY HAPPENS WHEN AN ATTACK IS CARRIED OUT<br />

How do the criminals who unleash<br />

ransomware demands set about<br />

targeting an organisation - right<br />

through from identification of a suitable<br />

target, the planning phase of the attack,<br />

the attack launch and finally capture of the<br />

victim's data? And what about the burning<br />

question that no one wants to grapple with:<br />

to pay or not to pay?<br />

"Ransomware attacks are well orchestrated<br />

acts that come in different forms to infiltrate<br />

IT systems and often are not random<br />

incidents," points out Justin Giardina, CTO<br />

of 11:11 Systems. "Ransomware groups<br />

carefully select high-value organisations and<br />

infrastructure to cripple until substantial<br />

ransoms are paid. Ransomware attacks<br />

use techniques that reflect a chilling<br />

professionalisation of tactics and leverage<br />

military-grade encryption, identity-hiding<br />

cryptocurrencies, data-stealing side efforts,<br />

and penetration testing of victims before<br />

attacks to determine maximum tolerances."<br />

They also often gain initial entry by purchasing<br />

access to systems from underground<br />

brokers (RaaS - Ransomware as a Service),<br />

then deploy multipart extortion schemes,<br />

including encrypting files, stealing data,<br />

threatening distributed denial-of-service<br />

(DDoS) attacks or releasing the data, where<br />

demands are not promptly met, he adds.<br />

"Adding to this, ransomware perpetrators tap<br />

into advancements like artificial intelligence<br />

[AI] to accelerate attacks through malicious<br />

code generation and underground dark web<br />

communities to coordinate schemes. Once an<br />

attacker breaches the system, the ransomware<br />

can lie undetected for days, weeks or even for<br />

months before it is revealed through a ransom<br />

demand."<br />

With ransomware attacks showing no signs<br />

at all of slowing down, companies must take<br />

proactive steps to protect their organisations<br />

and minimise the impact of a potential<br />

breach. "Protecting against ransomware<br />

requires a multi-layered, holistic approach<br />

encompassing people, processes, and<br />

technology," says Giardina. "To start,<br />

companies must focus on resilience and<br />

recovery. Cybersecurity infrastructure is the<br />

cornerstone of resilience, serving as the<br />

foundation for all other measures. This is<br />

followed by a well-rehearsed incident response<br />

plan that outlines clear procedures for dealing<br />

with an attack, including isolating infected<br />

systems, notifying stakeholders and restoring<br />

from backups.<br />

"Frequently test the backup and restore<br />

processes to ensure they work when needed.<br />

Regular immutable or tamper-proof data<br />

backups are a key part of the recovery process.<br />

Ensuring a recent and clean copy of vital data<br />

is always available can significantly improve<br />

the chances of a successful cyber recovery.<br />

But don't forget your business continuity<br />

plans! They need to be updated to allow your<br />

departments to continue to operate, using<br />

manual procedures, for as long as the<br />

ransomware event requires."<br />

The debate over ransom payments clearly<br />

highlights the complexities of cybersecurity<br />

policy, he acknowledges. "It underscores the<br />

need for a multifaceted approach to combatting<br />

ransomware; one that includes not only<br />

policy interventions, but also organisational<br />

practices. However, it makes one thing clear:<br />

there are no easy answers in the fight against<br />

ransomware, only informed choices." Such<br />

choices, whether they involve investing in<br />

employee training, implementing robust and<br />

modern backup systems, or developing a<br />

comprehensive disaster recovery (DR) plan,<br />

can significantly influence a company's ability<br />

to respond to, and recover from, ransomware<br />

attacks, he concludes.<br />

ALTERED LANDSCAPE<br />

Ten years ago, a ransomware attack was<br />

really obvious, states Bernard Montel, EMEA<br />

technical director and security strategist,<br />

Tenable. "The computer [PC] was bricked,<br />

with a ransomware demand displayed on<br />

the screen. Today, attacks are less obvious<br />

and can go undetected for a few weeks,<br />

as threat actors look to obfuscate their<br />

presence, allowing them to creep around<br />

infrastructure for nefarious purposes."<br />

The most popular way attackers infect<br />

organisations is through spam and phishing<br />

emails, he adds. "In the majority of cases,<br />

these messages include a malicious<br />

attachment, such as a Microsoft Word<br />

document or PDF file containing malware.<br />

Others, however, may contain a link to a<br />

webpage controlled by the attackers. The goal<br />

is to get the target to open the attachment<br />

and trick the victim to enable macros or click<br />

the link, which can then deliver a malicious<br />

downloader, leading to the final payload,<br />

which is ransomware.<br />

"Software vulnerabilities play a key role in<br />

facilitating ransomware attacks through<br />

several avenues. These include vulnerabilities<br />

used as part of malicious documents, vulnerabilities<br />

found in perimeter devices like Secure<br />

Sockets Layer (SSL) virtual private networks (VPNs),<br />

as well as a plethora of flaws designed to<br />

elevate privileges, once inside an organisation's<br />

network."<br />

Prolific ransomware groups such as LockBit,<br />

Rhysida, Play and ALPHV/BlackCat make use of<br />

multiple exploits in their efforts to compromise<br />

organisations. "For illustration, throughout the<br />

last quarter of 2023, threat actors exploited<br />

CitrixBleed in attacks against a variety of organisations.<br />

Some notable examples include<br />

attacks against Boeing and Comcast."<br />

While initial access is how ransomware<br />

groups gain access to an organisation's<br />

network, once inside they will set their sights<br />

on Active Directory, says Montel. "Gaining<br />

domain privileges provides attackers with<br />

the necessary capabilities to distribute their<br />

ransomware payloads across the entire<br />

network. Once threat actors are inside,<br />

the game is fundamentally over. Today's<br />

ransomware gangs will look to exfiltrate<br />

data silently and, once that's achieved, they'll<br />

prepare to encrypt systems and cripple the<br />

organisation's ability to function.<br />

"A further trend that has been seen is threat<br />

actors wiping data at rest. This is even more<br />

insidious and can be undetected, compared<br />

to encryption. Often, the first the organisation<br />

knows anything about the attack is a communication<br />

from the gang threatening to<br />

encrypt systems or publish the data on the<br />

dark web, if demands are not met. The added<br />

pressure from this type of extortion is what<br />

has helped make ransomware so successful."<br />

The question of whether to meet ransomware<br />

demands is complicated, he adds. "Only<br />

the organisation impacted will be able to<br />

determine the best course of action. Given the<br />

financial impact from ransomware attacks,<br />

be it the inability to function from crippled<br />

systems or sensitive data exposed, prevention<br />

has to be better than cure. Gaining visibility<br />

into where the biggest areas of risk are -<br />

exposure management - is absolutely critical<br />

to knowing which doors and windows are<br />

wide open and need to be closed to stop<br />

ransomware in its tracks."<br />

14-STAGE ASSAULT<br />

A ransomware attack typically involves 14<br />

stages, according to Kennet Harpsoe, senior<br />

cyber analyst at Logpoint. "The first stage is<br />

reconnaissance, where the threat actor<br />

gathers information about the victim. The<br />

second stage is resource development to<br />

support targeting, followed by initial access,<br />

in which the attacker tries getting into the<br />

network. The fourth phase is execution,<br />

where the attacker tries executing malware."<br />

The next stage is persistence, he says, in<br />

which the attacker attempts to maintain a<br />

foothold in the victim's network, even if the<br />

system terminates the payload process or<br />

reboots. "Afterwards, attackers use privilege<br />

escalation to gain access to accounts with<br />

higher-level access and defence evasion by<br />

disabling security, clearing logs or obfuscating<br />

the payload. At the privilege escalation stage,<br />

attackers then retrieve logins.<br />

"The discovery phase allows attackers to<br />

identify other weaknesses within the network<br />

and plan and execute more advanced attacks,"<br />

continues Harpsoe. "Using lateral movement,<br />

the attacker moves to other hosts to establish<br />

a presence and access information. The collection<br />

stage is when attackers collate data<br />

from systems and the Command and Control<br />

(C&C) phase is where the attacker establishes<br />

control over the victim's systems."<br />

Justin Giardina, 11:11 Systems:<br />

ransomware attacks reflect a chilling<br />

professionalisation of tactics and leverage<br />

military-grade encryption.<br />

Exfiltration is where attackers extract data using<br />

various methods. The last stage is impact,<br />

where the attackers use techniques at a later<br />

stage to disrupt availability, compromise<br />

integrity or manipulate business and operational<br />

processes. Knowing these tactics is<br />

essential to detect an ongoing attack before<br />

the attackers deploy the ransomware.<br />
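The fourteen stages Harpsoe walks through are the enterprise tactics of the MITRE ATT&CK framework, reconnaissance through impact, with credential access the tactic in which logins are retrieved. The following added example, written for this article and not Logpoint code, shows the detection idea in the last sentence above: constructed process-creation log lines are tagged with a tactic by a small rule table, and a host is flagged either when impact-stage commands (shadow copy deletion, recovery disabled) appear, or when several distinct pre-impact tactics cluster within a window. The log format, the command-line patterns, the six-hour window and the three-tactic threshold are all assumptions, not a complete ruleset.<br />

```python
"""Tag process-creation events with ATT&CK tactics and flag precursor chains (constructed logs)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule table: (regex over the command line, ATT&CK tactic). Assumed typical tooling only.
RULES = [
    (r"wevtutil(\.exe)?\s+cl\b|Set-MpPreference\s+-DisableRealtimeMonitoring", "defense-evasion"),
    (r"procdump.*lsass|mimikatz|sekurlsa", "credential-access"),
    (r"nltest\s+/dclist|net\s+group\s+\"?domain admins|AdFind", "discovery"),
    (r"psexec|wmic\s+/node:|winrs\s+-r:", "lateral-movement"),
    (r"rclone|megasync|curl\s+-T\b", "exfiltration"),
    (r"vssadmin(\.exe)?\s+delete\s+shadows|bcdedit.*recoveryenabled\s+no|wbadmin\s+delete", "impact"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), t) for p, t in RULES]

# Assumed flat log format: "<iso-timestamp> host=<name> user=<domain\user> cmd=<command line>"
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


def parse(line):
    """Return the event fields for one log line, or None if it does not fit the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d


def tactics_for(cmd):
    """Sorted list of tactics whose rule matches this command line."""
    return sorted({t for rx, t in COMPILED if rx.search(cmd)})


def analyse(lines, window=timedelta(hours=6), threshold=3):
    """Return {host: {"tactics": [...in time order...], "alert": str or None}} for the log."""
    seen = defaultdict(list)          # host -> [(ts, tactic)]
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        for t in tactics_for(ev["cmd"]):
            seen[ev["host"]].append((ev["ts"], t))
    report = {}
    for host, events in seen.items():
        events.sort()
        tactics = [t for _, t in events]
        alert = None
        # Impact-stage commands are the last step before encryption: alert on sight.
        if "impact" in tactics:
            alert = "IMPACT: recovery being disabled, encryption likely imminent"
        else:
            # Sliding window: several distinct pre-impact tactics close together on one host.
            for i, (t0, _) in enumerate(events):
                distinct = {t for ts, t in events[i:] if ts - t0 <= window}
                if len(distinct) >= threshold:
                    alert = f"PRECURSOR: {len(distinct)} tactics within {window}"
                    break
        report[host] = {"tactics": tactics, "alert": alert}
    return report


# Constructed sample log: one workstation working through the chain, one server at impact.
SAMPLE = """\
2024-05-01T08:02:11 host=WS-042 user=ACME\\j.doe cmd=outlook.exe
2024-05-01T08:15:40 host=WS-042 user=ACME\\j.doe cmd=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2024-05-01T08:17:05 host=WS-042 user=ACME\\j.doe cmd=nltest /dclist:acme.local
2024-05-01T08:31:22 host=WS-042 user=ACME\\j.doe cmd=procdump64.exe -ma lsass.exe out.dmp
2024-05-01T09:05:00 host=SRV-DC1 user=ACME\\svc_backup cmd=vssadmin.exe delete shadows /all /quiet
2024-05-01T09:05:03 host=SRV-DC1 user=ACME\\svc_backup cmd=bcdedit /set {default} recoveryenabled no
2024-05-01T10:00:00 host=WS-007 user=ACME\\a.li cmd=nltest /dclist:acme.local
""".splitlines()

if __name__ == "__main__":
    for host, r in analyse(SAMPLE).items():
        print(host, r["tactics"], r["alert"])
```

WS-007 runs a single discovery command and is not alerted on, which is the point of correlating tactics rather than firing on every match; WS-042 is flagged while still at the credential-access stage, before any lateral movement or encryption.<br />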

"Ransomware can result in downtime, data<br />

loss and ransom payments, but now the fines<br />

for non-compliance are an additional concern,<br />

as we saw in the case of BlackCat," he states.<br />

"It filed a complaint with the SEC over MeridianLink's<br />

failure to disclose a cybersecurity incident<br />

to punish the company for not paying the<br />

ransom. This new extortion tactic will likely<br />

be used going forward, especially with the<br />

introduction of NIS2.<br />

"Compliance-driven extortion could diminish<br />

the incentive to pay ransoms, with victims<br />

more likely to hesitate, if there's a risk of being<br />

reported to authorities, post-payment. We've<br />

seen a rise in double extortion attacks and<br />

pure extortion-based attacks. Now we see<br />

the commoditisation of Ransomware-as-a-Service,<br />

which offers individuals with minimal<br />

technical expertise the means to execute<br />

ransomware attacks and skip the first stages<br />

of the attack.<br />

"Automation is enabling initial access brokers<br />

to identify and offer more breach-ready environments.<br />

Consequently, expect a surge in<br />

attack frequency, driving the adoption of<br />

Managed Detection and Response (MDR)<br />

services to avert attacks."<br />

Bernard Montel, Tenable: a further trend<br />

that has been seen is threat actors wiping<br />

data at rest.<br />

Iraklis Mathiopoulos, Obrela: the<br />

cybersecurity experts' consensus is that<br />

ransoms shouldn't be paid.<br />

ROBUST PLAN ESSENTIAL<br />

When it comes to ransomware, we must stay<br />

ahead of the curve and know what to look<br />

out for, advises Iraklis Mathiopoulos, chief<br />

services delivery officer at Obrela. "Organisations<br />

without a robust security plan in place<br />

are more likely to suffer an attack. You need<br />

'always on' around-the-clock monitoring to<br />

identify, analyse and predict security threats,<br />

and prevent them from happening. At the<br />

very least, any system you have in place<br />

should be able to mitigate the consequences<br />

of attack - or attack attempt - quickly and<br />

effectively, limiting the damage to your critical<br />

operational processes and reputation, while<br />

also preventing successful ransomware<br />

attacks.<br />

"We have witnessed attacks evolve from<br />

single extortion [encryption] to double<br />

extortion [data exfiltration] to triple extortion<br />

[attacking customers directly] to quadruple<br />

extortion [DDoS]. Today, ransomware gangs<br />

have added destructive wiper attacks to<br />

their arsenal and in 2024 we expect to see<br />

evermore creative attack methods emerging,<br />

including more cloud, AI and IoT-related<br />

attacks."<br />

Prevention is better than cure, of course,<br />

he cautions, and ensuring you have the best<br />

possible threat intelligence and protection<br />

in place will help avoid attack, rather than<br />

dealing with the response, remediation and<br />

ransomware issues. "We advise immutable<br />

backups, but even this sensible precaution<br />

is not without its problems. It does not, for<br />

instance, guarantee the immutability of<br />

data held in the past where attackers have<br />

penetrated the network weeks or months<br />

ago.<br />

"Virtually all ransomware attacks start with<br />

a compromised endpoint, typically a PC or<br />

server. Protecting these is vital, with the<br />

traditional defence being a security agent.<br />

Unfortunately, these will occasionally fail,<br />

which leaves most organisations relying on<br />

network security tools to spot anomalous<br />

traffic," states Mathiopoulos.<br />

One of the reasons ransomware attacks have<br />

become so severe is that attackers can lurk<br />

inside infrastructure for a long time. "With<br />

Managed Detection and Response, (MDR),<br />

though, incursions are detected sooner, rather<br />

than later. MDR integrates endpoint and<br />

network tools under one platform, allowing<br />

better detection and automated remediation,<br />

alert prioritisation and response."<br />

As for whether a ransom demand should<br />

be paid, he is quite clear. "The cybersecurity<br />

experts' consensus is that ransoms shouldn't<br />

be paid. Depending on jurisdiction, paying<br />

for ransomware is potentially illegal, because<br />

it might be a) funding criminal activity, b)<br />

transferring funds to sanctioned entities, c)<br />

supporting terrorist organisations.<br />

"We understand the potential reputational<br />

damage forces many decision makers to pay<br />

the ransom, but, as an industry, we must<br />

highlight that payment does not guarantee<br />

the return of data, may fund further cybercrime<br />

activities and could even make the<br />

organisation a 'softer' target for future attacks.<br />

The advice is simple enough: focus on<br />

prevention, backup strategies and incident<br />

response plans instead."<br />



election threats<br />

DEMOCRACY UNDER SIEGE<br />

ELECTORAL MISINFORMATION AND DISINFORMATION ARE EXPECTED TO CREATE DISTORTED<br />

AND MUDDIED POLITICAL LANDSCAPES THROUGHOUT THIS YEAR, PRIME FOR EXPLOITATION<br />

More than two billion people<br />

across 50 countries will be<br />

going to the polls to elect<br />

representatives at local, national and<br />

intra-continental levels in 2024. This<br />

includes elections in some of the world's<br />

most populous countries, such as India,<br />

Brazil, Indonesia and the US.<br />

"While this election year will certainly<br />

be a milestone in the long evolution of<br />

democracy, many of these elections take<br />

place amid a backdrop of increasing<br />

divisions in international relations, an<br />

uptick in illiberal democratic practices<br />

masked as free and fair elections, and<br />

a widespread disenchantment with<br />

political representation in some of the<br />

world's most developed democracies,"<br />

cautions Beth Hepworth, director,<br />

Protection Group International. "All of<br />

these issues transcend real-world and<br />

online spaces, creating distorted and<br />

muddied political landscapes, prime<br />

for exploitation."<br />

Electoral misinformation and<br />

disinformation will likely remain highly<br />

prevalent. "Online threat actors, such<br />

as pseudomedia entities, will likely<br />

continue sharing content designed to<br />

sow distrust in the electoral process for<br />

both ideological and commercial gain,"<br />

Hepworth continues. "Right across<br />

geographies, false narratives are likely<br />

to target voting systems and the<br />

integrity of electoral institutions,<br />

particularly in closely contested<br />

elections. Far-right organisations<br />

and political parties, who often share<br />

egregious content in online spaces, will<br />

likely pose a significant risk."<br />

Foreign state-backed influence<br />

operations (IOs) targeting elections are<br />

also highly likely to be a persistent and<br />

significant threat, while "AI-generated<br />

content will likely play a greater role in<br />

elections in 2024 as threat actors and<br />

political campaigns continue to embed<br />

AI techniques within their content-producing<br />

toolkits". However, the use of<br />

sophisticated AI-generated content and<br />

technically manipulated media aimed<br />

at sowing distrust in candidates and<br />

electoral processes will likely be limited,<br />

with the majority of AI-generated media<br />

being low-quality in nature and easily<br />

discernible by ordinary online users.<br />

As a result, the risk of AI to elections<br />

in the medium term is often overstated.<br />

Threat actors certainly have the ability<br />

to weaponise AI effectively, as shown<br />

over the past year in America where<br />

the Republican Party released an ad<br />

with AI-generated images visualising<br />

a 'dystopian world' with a re-elected<br />

President Joe Biden, and in Moldova<br />

where President Maia Sandu was forced<br />

to refute claims in a Russia-made<br />

deepfake video of herself.<br />

However, adds Hepworth: "AI-generated<br />

content has yet to play<br />

a significant role in an election, and<br />

current disinformation campaigns are<br />

currently succeeding organically by<br />

exploiting societal rifts. At present,<br />

the risk of AI to elections is centred<br />

more on the intrinsic uncertainty of<br />

its potential, rather than on its current<br />

impact. Heightened levels of targeted<br />

harassment and 'doxxing' [revealing<br />

identifying information about someone<br />

online, without their permission] are<br />

likely in 2024, following a spike in<br />

threats against election workers and<br />

politicians over the past year in<br />

countries including New Zealand,<br />

Sweden, the US and Japan."<br />

Beth Hepworth, Protection Group<br />

International.<br />

These threats will likely entail the<br />

dissemination of Personally Identifiable<br />

Information online, such as targets'<br />

home addresses, family members and<br />

phone numbers, as well as online<br />

harassment campaigns designed to<br />

undermine their legitimacy. "In the year<br />

ahead, vigilance and critical thinking<br />

will be vital in democracies being able<br />

to navigate the nuances of these digital<br />

threats and knowing what these threats<br />

are is just the first step."<br />



Computing<br />

Security<br />

Secure systems, secure data, secure people, secure business<br />

e-newsletter<br />

Are you receiving the Computing Security<br />

monthly e-newsletter?<br />

Computing Security always aims to help its readers as much as possible to do<br />

their increasingly demanding jobs. With this in mind, we've now launched a<br />

Computing Security e-newsletter which is produced every month and is available<br />

free of charge. This will enable us to provide you with more content, more<br />

frequently than ever before.<br />

If you are not already receiving this please send your request to<br />

christina.willis@btc.co.uk and advise her of the best email address for the<br />

newsletter to be sent to.
