Computing Security
Secure systems, secure data, secure people, secure business
December 2021

NEWS | OPINION | INDUSTRY | COMMENT | CASE STUDIES | PRODUCT REVIEWS

2022: INTO THE UNKNOWN. More uncertainty and upheaval await, fuelled by Covid and soaring attacks

Unlocking a brighter future? One company looking to shake up the mortgage market shares its vision

THE RISE OF APT. How do you respond when threats run out of control?

WINNERS ALL THE WAY! Night of triumph and trophies as awards held live


Advertisement

Strengthen your data resilience with Immutable Backup from Arcserve. Buy an Arcserve Appliance secured by Sophos, and get OneXafe immutable storage!

Arm your business with a multi-layer protection approach to strengthen your overall data resilience. Arcserve brings you data backup, recovery, and immutable storage solutions with integrated cybersecurity to defeat ransomware and provide the best-in-class data management and data protection solution in the market.

Arcserve UDP Data Protection Software: unified data and ransomware protection to neutralize ransomware attacks, restore data, and perform orchestrated recovery.

Arcserve Appliances: all-in-one enterprise backup, cybersecurity, and disaster recovery, with multipetabyte scalability.

StorageCraft OneXafe Immutable Storage: scale-out object-based NAS storage with immutable snapshots to safeguard data.


comment

COMPUTING SECURITY AWARDS 2021: A RAY OF HOPE IN THE FACE OF ADVERSITY

The 2021 Computing Security Awards were back live at a gala evening in London.

After what seems to have been an eternity, the Computing Security Awards made their return to the 'live stage' on 2 December, where the winners were announced at a gala evening in London.

The sheer delight and enthusiasm of all those who had gathered together to celebrate what has become an iconic event in the annual calendar were no doubt partly a reflection of the many difficulties our industry has had to endure in the interim. Covid-19 has had a huge impact on every aspect of our working and personal lives, and no doubt will continue to do so into the future. For a few brief hours, that could be set to one side, though in no way forgotten.

Certainly, 2021 has been another extremely tough year for the cyber security industry, with numerous high-profile attacks, an escalation of ransomware and data leaks all prompting grave concerns for those on the receiving end. And things may well get even tougher, with the likelihood of a renewed emphasis on remote working, prompted by the emergence of the latest variant (Omicron).

Getting through this period has called on the tireless efforts of suppliers, software developers and countless others, many of whom were at the awards. They have been resolute in their determination to support their clients at every turn, as we all continue to engage with these 'new' ways of working and the increasingly sophisticated attacks on our defences. None of this is likely to change - the battles to stay ahead of the virus and cybercriminals will continue on all fronts.

So, congratulations to all those who emerged as winners on the night and to everyone who made it into the finals. It was gratifying to see the best 'face' of our industry on show at the 2021 awards, namely those who continue to use their expertise and insights to keep our industry safe.

Brian Wall
Editor, Computing Security
brian.wall@btc.co.uk

EDITOR: Brian Wall (brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)
SALES: Edward O'Connor (edward.oconnor@btc.co.uk), +44 (0)1689 616 000; Lyndsey Camplin (lyndsey.camplin@btc.co.uk), +44 (0)7946 679 853; Stuart Leigh (stuart.leigh@btc.co.uk), +44 (0)1689 616 000
PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)
Published by Barrow & Thompkins Connexions Ltd (BTC), 35 Station Square, Petts Wood, Kent, BR5 1LZ. Tel: +44 (0)1689 616 000. Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS: UK: £35/year, £60/two years, £80/three years; Europe: £48/year, £85/two years, £127/three years; R.O.W: £62/year, £115/two years, £168/three years. Single copies can be bought for £8.50 (includes postage & packaging). Published 6 times a year.
© 2021 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.

www.computingsecurity.co.uk December 2021 computing security @CSMagAndAwards


contents

CONTENTS

COMMENT 3
The Computing Security Awards 2021: moment of hope in the face of adversity

ARTICLES

TOP 8 SECURITY AND RISK TRENDS 6
Global analysis and research company Gartner pinpoints where the greatest dangers lurk as we approach 2022

SECURE PASSWORD RESET, WITH SECURENVOY SECURPASSWORD 8
Michael Urgero, Senior Security Engineer, SecurEnvoy, offers his insights on solving the problem of lost passwords for users and the support team

2022: WHERE WILL IT TAKE US? 10
We asked several industry observers to give us their top predictions for 2022 against a background of ever greater uncertainty and upheaval. From their feedback, next year is likely to prove a tough one when it comes to organisations staying ahead of the security curve

COMPUTING SECURITY AWARDS HIT ALL THE RIGHT NOTES! 16
December 2021 was a momentous month for the Computing Security Awards - we were 'back in the room' with a live gathering at a London hotel for this prestigious event, with opera singer Alexander Wall ensuring the evening was on song all the way

ASSESSING REAL-WORLD IMPACT AS CYBER-ATTACKS ESCALATE 18
As the safety of all is increasingly put to the test, the National Cyber Security Centre lays bare, in a Computing Security special report, the spiralling threats we face and how the NCSC is seeking to neutralise them

PERENNA - HELPING TO REDEFINE THE FUTURE OF MORTGAGE LENDING 24
Xcina Consulting has been assisting the future bank Perenna in several areas to build a resilient organisation, and robust processes and systems that can be trusted. In this article, Colin Bell, Co-founder and COO at Perenna, explains the journey on which his company has been embarked

GDPR CERTIFICATION SCHEMES: DOING THE HEAVY LIFTING FOR YOU 26
Was GDPR all hot air or, three years on, are we sitting on a ticking timebomb? Steve Mellings, Founder ADISA, weighs up the evidence

NEW TRAINS OF THOUGHT 28
Ongoing investment in cyber training and upskilling across the whole of a business is essential to prevent a major data breach

THE RELENTLESS RISE OF APT 30
Stealth attacks by groups with the time and skill to infiltrate networks and steal data are soaring. How do you respond when such Advanced Persistent Threats are rife?

QUANTUM LEAPS AND BOUNDS 32
Quantum computers will soon smash through the mathematical cryptography we rely on as a society, it is forecast. When that happens, what actions do we then take to keep ourselves safe?


research & analysis

TOP 8 SECURITY AND RISK TRENDS

GLOBAL ANALYSIS AND RESEARCH COMPANY GARTNER PINPOINTS WHERE THE GREATEST DANGERS LURK AS WE APPROACH 2022

As cybersecurity and regulatory compliance become the top two concerns of corporate boards, some are adding cybersecurity experts specifically to scrutinise security and risk issues, says global analysis and research company Gartner.

This is just one of the top EIGHT security and risk trends that Gartner has singled out, many of which are driven by recent events such as security breaches and the ongoing COVID-19 pandemic.

"Over the past two years, the typical enterprise has been turned inside out," says Peter Firstbrook, VP Analyst at Gartner. "As the new normal of hybrid work takes shape, all organisations will need an always-connected defensive posture and clarity on what business risks remote users elevate to remain secure."

Trend No. 1: Cybersecurity mesh

This is a modern conceptual approach to security architecture that enables the distributed enterprise to deploy and extend security where it's most needed.

Trend No. 2: Cyber-savvy boards

"With an increase in very public security breaches and increasingly common business disruptions due to ransomware, boards are paying more attention to cybersecurity." This is recognised as a huge risk to enterprises, which are forming dedicated committees that focus on cybersecurity matters, often led by a board member with security experience.

Trend No. 3: Vendor consolidation

Gartner found in the '2020 CISO Effectiveness Survey' that 78% of CISOs have 16 or more tools in their cybersecurity vendor portfolio; 12% have 46 or more. "Having too many security vendors results in complex security operations and increased security headcount."

Trend No. 4: Identity-first security

Hybrid work and the migration to cloud applications have solidified the trend of identity as the perimeter. "Identity-first security is not new, but it takes on fresh urgency as attackers begin to target identity and access management capabilities to gain silent persistence."

Trend No. 5: Managing machine identities becoming a critical security capability

As digital transformation progresses, there's been an explosive growth in non-human entities that make up modern applications. Therefore, managing machine identities has become a vital part of security operations.

Trend No. 6: 'Remote work' is now just 'work'

According to the 2021 Gartner CIO Survey, 64% of employees are now able to work from home and two-fifths actually are working from home. "The movement to hybrid [or remote work] is a durable trend, with more than 75% of knowledge workers expecting future hybrid work environments."

Trend No. 7: Breach and attack simulation

A new market is emerging to help organisations validate their security posture. Breach and attack simulation (BAS) offers continuous testing and validation of security controls, and it tests the organisation's posture against external threats.

Trend No. 8: Privacy-enhancing computation techniques

Privacy-enhancing computation techniques that protect data while it's being used, as opposed to while it's at rest or in motion, enable secure data processing, sharing, cross-border transfers and analytics, even in untrusted environments. This technology is rapidly transforming from academic research to real projects, advises Gartner.


data management

SECURE PASSWORD RESET 'MADE EASY' WITH SECURENVOY SECURPASSWORD

MICHAEL URGERO, SENIOR SECURITY ENGINEER, SECURENVOY, OFFERS HIS INSIGHTS ON SOLVING THE PROBLEM OF LOST PASSWORDS FOR USERS AND THE SUPPORT TEAM

In the complicated and technologically diverse world we live in today, there are many cybersecurity risks to mitigate. Most are variants of well-known attacks and breaches with a new twist. However, there is one part of the tech landscape that goes generally unnoticed: losing your password or locking yourself out of a system. Everyone has done it at least once and nothing is more frustrating.

Over the years, countless calls to support desks have cost IT organizations millions of dollars in time, resetting passwords for users. What's worse, and frankly more concerning, is the finer art of social engineering, where an impostor calls the support desk, posing as you, to have a password reset on your account and gain access to valuable company systems.

HIGH-VALUE TARGETS

Some go as far as researching high-value targets, gathering detailed information about life, family and employment details before making these calls. World-renowned hacker Kevin Mitnick perfected this art back in the 90s and successfully breached several US government systems as a result. He even served time for it, yet this technique still works in many cases today, leaving systems vulnerable to the human desire to be helpful.

SecurEnvoy SecurPassword solves this problem. When the user registers their token with our system, often a mobile device, they are prompted for two secret questions. The answers to these questions are stored with the user object, ready to be used as a method of final identification. These questions can be customised to avoid the age-old 'mother's maiden name' commonality.

When a user has forgotten their password or locked themselves out, they simply visit the password reset site. Entering their username, 6-digit token and the answer to a security question provides multi-factor validation (something they hold plus something they know), which authenticates them to the password-reset system. Once there, they are able to unlock their account and reset their password themselves.

FAR SUPERIOR APPROACH

This method is far superior for several reasons. It removes the responsibility from the support desk and places it with the user directly, saving cost. It is also the only method where changing one's password can be completed with an authentication process to assure that the person changing the password is, in fact, you.
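The reset flow described above gates the password change on a possession factor (the 6-digit token) plus a knowledge factor (one of the two secret answers registered at enrolment). What follows is an added illustration of how such a gate is typically built; it is not SecurEnvoy's code and says nothing about SecurPassword's internals. It assumes the token is a standard RFC 6238 TOTP code (the article does not say which token scheme SecurEnvoy uses), that answers are normalised and stored on the user object only as salted PBKDF2 hashes, and that a per-user failure counter stands in for a real rate limiter. The UserRecord class, the question text and the shared secret are constructed for the example; the secret is the RFC 6238 test-vector key.

```python
"""Self-service password-reset gate: 6-digit TOTP (possession) AND a secret answer (knowledge).

Added example, not SecurEnvoy code. Assumptions: RFC 6238 TOTP over HMAC-SHA1 with a
30-second step, answers stored as salted PBKDF2 hashes, a simple lockout counter.
"""
import base64
import hashlib
import hmac
import os
import struct
import time
import unicodedata
from typing import Dict, Optional, Tuple

TOTP_STEP = 30            # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6           # matches the 6-digit token in the article
TOTP_WINDOW = 1           # accept one step of clock drift either side
PBKDF2_ITERATIONS = 200_000
MAX_FAILURES = 5          # lock the reset flow after this many bad attempts


def totp_at_counter(secret_b32: str, counter: int) -> str:
    """HOTP value (HMAC-SHA1 + dynamic truncation, RFC 4226) for one time step."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """TOTP code valid now, or at Unix time `at` (RFC 6238)."""
    return totp_at_counter(secret_b32, int(time.time() if at is None else at) // TOTP_STEP)


def normalise_answer(answer: str) -> str:
    """Case-, whitespace- and punctuation-insensitive form, so " O'Brien " matches "obrien"."""
    folded = unicodedata.normalize("NFKD", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 of the normalised answer; the clear answer is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise_answer(answer).encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserRecord:
    """Hypothetical directory object: token secret plus the secret answers captured at enrolment."""

    def __init__(self, username: str, totp_secret_b32: str, questions: Dict[str, str]) -> None:
        self.username = username
        self.totp_secret_b32 = totp_secret_b32
        self.answers = {q: hash_answer(a) for q, a in questions.items()}
        self.failures = 0
        self.last_counter = -1    # highest TOTP step already consumed (replay protection)


def verify_reset_request(user: UserRecord, token: str, question: str, answer: str,
                         at: Optional[float] = None) -> bool:
    """Allow the reset only if the token AND the answer verify; lock after MAX_FAILURES."""
    if user.failures >= MAX_FAILURES:
        return False              # locked: the help desk must re-verify out of band
    now_counter = int(time.time() if at is None else at) // TOTP_STEP
    matched = None
    for counter in range(now_counter - TOTP_WINDOW, now_counter + TOTP_WINDOW + 1):
        if hmac.compare_digest(token.encode(), totp_at_counter(user.totp_secret_b32, counter).encode()):
            matched = counter
            break
    token_ok = matched is not None and matched > user.last_counter
    stored = user.answers.get(question)
    answer_ok = False
    if stored is not None:
        salt, expected_hash = stored
        answer_ok = hmac.compare_digest(hash_answer(answer, salt)[1], expected_hash)
    if token_ok and answer_ok:
        user.failures = 0
        user.last_counter = matched
        return True
    user.failures += 1            # single counter for both factors: no oracle on which one failed
    return False


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test secret; at T=59 the 6-digit code is 287082.
    alice = UserRecord("alice", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", {"First car": "Ford Escort"})
    print(verify_reset_request(alice, "287082", "First car", "ford escort", at=59))   # True
    print(verify_reset_request(alice, "287082", "First car", "ford escort", at=59))   # False (replay)
```

Two checks a practitioner would make on any deployment of this pattern: the secret answer is the weaker factor, since the same research the article describes impostors doing often turns it up, so the token verification must never be skippable; and each code is consumed once (last_counter), otherwise a learned answer plus a shoulder-surfed code can be replayed inside the 30-second window.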


Advertisement

We can't tell you how we hacked the Samsung Galaxy S21 at Pwn2Own Austin 2021 ...yet. But we can tell you how malicious threats might target your business today.

Information Security Consultancy | Penetration Testing | Red Teaming

www.pentest.co.uk | 0161 233 0100


2022 predictions

2022: WHERE WILL IT TAKE US?

WE ASKED SEVERAL INDUSTRY OBSERVERS TO GIVE US THEIR TOP PREDICTIONS FOR 2022, AGAINST A BACKGROUND OF UNCERTAINTY AND CHALLENGE. HERE'S WHAT THEY HAD TO SAY

Zero Trust has been one of the biggest buzzwords of 2021, points out Ashok Sankar, VP of product and solutions marketing, ReliaQuest. "The surge of recent high-profile cyber-attacks has ushered this concept to the forefront for many security leaders and organisations. In 2022, we will see zero-trust adoption speed up. However, mass confusion will remain, unless we treat it as a mindset shift and a concept versus a product solution."

Almost half (48%) of security leaders say they are prioritising implementing zero-trust principles as part of their security strategy. That number is expected to only increase, but too many leaders still don't understand it to its full extent. "Zero Trust can't be thought of as a single-packaged solution," he cautions. "It's essentially rethinking enterprise security and cutting across silos. It's an evolution of the security paradigm that requires continuous monitoring. The industry must do its part over the course of the upcoming year to educate organisations on the ins and outs of zero-trust, as destructive attacks are not slowing down."

2022 will be a defining moment in how organisations reset the fundamentals of their security programmes, adds Sankar. "This must begin with standardising security metrics. In fact, a majority of security leaders (64%) state that the primary obstacle for implementing an IT security risk management program is a lack of standardised metrics to measure progress. What's more, only a third (37%) believe their teams are tracking the right security metrics. In 2022, it's expected that organisations will prioritise standardising key security metrics and tracking them more effectively."

Meanwhile, the lack of enterprise-wide visibility across security tools, combined with the prevalence of tool sprawl, will lead to greater need for and adoption of Managed Detection & Response (MDR) solutions in 2022, he continues. "A mere 13% of security leaders say they have greater than 75% visibility across all security tools - and on average, organisations maintain a whopping 19 different security tools, with less than a third of those being vital to security objectives. This poor visibility across numerous tools puts organisations at an increased risk for cyber-attacks; this cannot continue into 2022."

LUCRATIVE ATTACKS

"The success and rewards of ransomware attacks have become so lucrative that ransomware developers have emerged to sell or lease their ransomware tools and expertise, offering Ransomware-as-a-Service (RaaS) in return for royalties from the payments from victims," points out Joseph Carson, chief security scientist, ThycoticCentrify. "Ransomware could even evolve further into a subscription model in which you pay the criminal gangs to not target you."

Governments have decided they can no longer stand by and watch their citizens and businesses fall victim to cyberattacks. "This means they must and will strike back, and it could result in a full-on cyber war, if the ripple effects spread out of control, and more hackers join forces to collaborate and respond. The result could see a cyber treaty in 2022 that pushes cybercriminals into fewer safe havens to operate, with countries uniting to fight back against cybercrime. Global stability has been on the edge for several years. The increase in cyberattacks and the impact cyberattacks are having on society mean the balance of the force is tipping."

"For years, gamers and streamers have been a growing trend on social media, with audiences wanting to know their secret techniques on how they get to the next level. Popularity is continuing with top gamers raking in millions in both commissions and sponsorships. Hacking is now following that same path with the world's top hackers streaming their hacking skills online, showing off new techniques and methods on how to bypass security and get the initial foothold, and then elevating privileges."

Hacking gamification platforms are also on the rise, as hacking teams compete for L33T status on being on the top of the leaderboard. "This new trend will continue in 2022 and we will see hacking become an EL3T3 Sport where viewers will pay to watch hackers hack."

Cryptocurrencies are surely here to stay, Carson adds, and will continue to disrupt the financial industry, but they must evolve to become a stable method for transactions and accelerate adoption. "Some countries have taken a stance that the energy consumption is creating a negative impact and therefore face decisions to either ban or regulate cryptocurrency mining. Meanwhile, several countries have seen cryptocurrencies as a way to differentiate their economies, so they can become more competitive in the tech industry and persuade investment."

In 2022, more countries will look at how they can embrace cryptocurrencies while also creating more stabilisation, with increased regulation only a matter of time. "Stabilisation will accelerate adoption, but how the value of cryptocurrencies will be measured is the big question. How many decimals will be the limit?"

A VERY 'INTERESTING' YEAR

It's hard to believe that it's now almost been two years since COVID-19 forced IT departments and businesses of all shapes and sizes to adopt a remote-first posture, comments Andy Syrewicze, technical evangelist at Hornetsecurity. "Despite the best of intentions (as usual), many organisations were exposed to security threats as part of this rapid change. Add to that an increase in highly complex supply-chain attacks, ever-more-pervasive ransomware infections and increased targeting of remote users through cloud services, and it all culminates in the last two years of IT security being very… interesting, to say the least."

With an increasingly evolving threat landscape, what are IT teams likely to see in the coming year? he wonders. What can technology professionals do to prepare themselves for 2022? "Put simply, IT pros need to prepare for more of the same. More ransomware, more remote user targeting and more breaches that may be out of the control of businesses, due to poor security within other organisations." That's all not to say that businesses are powerless, he adds, offering a number of steps that can be taken in this coming year to help prepare for future attacks.

"For starters, did you know that email is STILL a top vector of attack for many attackers? Email will continue to be a massive area of focus for attackers in the coming year, as it lends itself well to low-effort spray style attacks. Attackers can send out 50,000 emails and a few are likely to make it through spam filters and garner some user interaction. IT teams will need to make sure they're using a trusted email security provider to help ward off these types of attacks.

"Next, IT pros and business leaders will need to be aware of the cloud services being consumed by end users and take steps to secure them. Don't assume that cloud services such as Microsoft 365 are secure, simply because they're hosted in the cloud!

"Finally, organisations that adopt a posture of breach assumption will be better off than those who do not. Zero-trust security policies will help limit the spread of damage, should the worst happen and, for those situations where data is impacted, the set-up of offsite air-gapped backups can save a business from complete failure."

Taking these steps will help businesses keep their data safe and organisations running smoothly in the coming year, despite the ever-changing security landscape, he concludes.

Andy Syrewicze, Hornetsecurity: the setup of offsite air-gapped backups can save a business from complete failure.

Ashok Sankar, ReliaQuest: mass confusion will remain, unless we treat Zero Trust as a mindset shift and a concept versus a product solution.

David Bundock, NetUtils: there will be tighter regulatory oversight for the public sector.

David Hood, ANSecurity: 'Zero Trust' is a poor descriptor for the concept and a better way to engage with key stakeholders needs to come to the forefront to propel what is essentially a great idea.

THE ENDLESS BATTLE

Since the pandemic hit, bad actors have preyed on the vulnerability of organisations moving to remote working models and IT departments have worked tirelessly to overcome the challenges, points out Entrust. In turn, technology companies delivered new and improved technologies to support the changes. "While attacks on system vulnerabilities continue to be a staple of nefarious activities, there's been a renewed focus on attacks against individual employees via mobile devices. The upturn in BYOD and IoT devices will create further headaches for IT departments in 2022. Authentication will be a huge challenge and passwords will be combined with other authentication methods, like smart cards, three-factor authentication and biometrics, in order to improve security."

NEW INTEGRATED SOLUTIONS FOR SEAMLESS TRAVEL

Cybersecurity technology is being developed to address specific issues and problems caused by COVID-19 and this will continue in 2022, Entrust predicts. "New integrated solutions for seamless travel will replace long lines at customs with secure remote identity verification via smartphone. Such solutions will make travel easier and more contactless, and allow border control agents to focus on handling exceptions and possible risks. The global pandemic has spurred an urgent requirement for remote and touchless services replacing manual and high-touch self-service processes. Next year is forecast to demonstrate the value of digital travel documents, e-Passports and electronic travel authorisations to enable safer and more seamless travel for post-pandemic recovery."

Zero-Trust also figures largely as an approach where you trust nothing, verify everything related to users and devices, assume the network is hostile and only give entities the least privileged access - the minimum permissions they need to fulfil their function. "This framework is predicted to become essential in stopping identity from being exploited through various avenues in 2022, including compromised secrets, compromised data perimeters and lateral threats."

BAD ACTORS GET BADDER!

Jenn Markey, Entrust's product marketing director, Identity, is swift to emphasise the fact that bad actors are getting increasingly sophisticated, and it's becoming more and more difficult for users to discern valid communications from credential-stealing attacks - reference the recent MS SharePoint attack. She singles out nation-state attacks with very real national security implications… "in response, governments are starting to get serious about the cybersecurity defence (think Biden EO)".

Meanwhile, cloud migration can take 10-plus years for large enterprises, adding cost, complexity and risk, she states. "That's 10-plus years of trying to provide seamless security and a seamless user experience across disparate solutions."

Markey sees data privacy concerns going "supernova", with increased regulation. "Always a hot topic, but travel and health credentials will add fuel to the fire - whether for the workforce, consumer or government use cases. As well, this is likely to drive new compliance regulations across jurisdictions to protect individual privacy."

She also forecasts that MSP adoption will skyrocket, driven by IT skills shortages, complex hybrid/MC environments and continued business uncertainty. Finally, she states, it is time to get serious about critical infrastructure protection. "Proliferation of IoT devices and connections in-between continues at an exponential rate. Many/most of these devices were never architected with security in mind. This has huge implications for the electrical grid and other utilities, along with sectors like healthcare where IoT devices have been/are being widely deployed."

Cyber-attacks will, of course, continue to target well-known weaknesses, with Jon Fielding, Apricorn's managing director EMEA, indicating how criminals will exploit 'tried and tested' vulnerabilities, such as unpatched systems, unchanged default passwords and unencrypted data. "They'll also continue taking advantage of inadequate access controls that make data freely available to employees and third-party suppliers who don't truly need it," he says.

"Attackers will specifically target employees who are working remotely, often using social engineering techniques such as phishing emails to take advantage of the fact that security awareness is generally found to be lower in the home environment." Ransomware will become the technique of choice now that organised crime is involved and it can be easily monetised.

At the same time, companies will need to urgently improve the security awareness and accountability of their employees, adds Fielding, educating them in the changing risks associated with remote and hybrid working, and how to control them. "This means training the workforce in security policies, and the proper use of security tools and technologies. But employees also need to understand the 'why', as well as the 'what' and 'how': the specific threats facing the organisation and the role they need to play in mitigating them."

Apricorn expects to see a continued increase in the use of data encryption, which will keep information secure whatever happens around it, Fielding comments. "Mandating the encryption of all corporate data as standard policy also provides the ability to demonstrate transparency and due diligence, in the event of a breach." Backup strategies will take priority, he predicts. "This year, companies have comprehensively bought in to the need to hold an offsite copy of their data, which is a really positive thing. A solid backup strategy is an essential part of cyber-resilience, which took centre stage in 2021 as organisations recognised that however well they protect their data, a breach can never be off the cards. Many have chosen to back information up in the cloud - but, in 2022, we'll see more instances of data being compromised, stolen or lost as a consequence of relying on cloud storage alone.

"The cloud offers a convenient and cost-effective way of storing information. It's also 'low maintenance', with providers taking care of tasks such as updates and patching. However, this devolution of responsibility also creates risk: when you sign the contract, you're also signing over the control you have over your data's security. If this is your only backup location, it creates a single point of failure in the event of a cyber-attack, employee error or tech failure," he cautions.

Jenn Markey, Entrust's product marketing director, Identity: she sees data privacy concerns going "supernova" in 2022, with increased regulation.

Jon Fielding, Apricorn: the security awareness and accountability of employees must be urgently improved where remote and hybrid working is involved.

Joseph Carson, ThycoticCentrify: government supportive action in any fightback could result in a full-on cyber war.

Richard Melick, Zimperium: many organisations accepted mobile devices and apps into their systems, but dedicated insufficient thought to how these new technologies impacted their broader enterprise attack surface.

TIGHTER REGULATORY OVERSIGHT

Looking at 2022, and it seems clear that

there will be tighter regulatory oversight

for the public sector," says David Bundock,

chief operations officer, NetUtils. "The NHS

is already going through Data Security

Privacy Toolkit (DSPT) processes and several

recent tenders for large public sector

organisations have made compliance

to Cyber Essentials Plus a mandatory

requirement for every supplier. If the NHS

is a template, then more public sector

organisations will be required to adhere to

CE+ through to 2023. And I would expect

these requirements to spread to anybody

that supplies into the public sector.

"The framework is not onerous, but it is

audited, which means that organisations

need to do more than just a ‘check box’

exercise, so it's wise to start looking at

these optional processes now and before

they become mandatory."

He also points to the "meteoric rise in the public consciousness" of ransomware - and predicts that the coming year will unfortunately be more of the same.

"However, the move by AXA, one of Europe's largest insurers, to stop offering new insurance policies that cover ransom payments to criminals for French policy holders may be the start of a wider trend across the region during 2022. The logic is that ransom payments encourage more ransomware attacks and drive up the cost of cyber security insurance policies. Although UK companies can still gain insurance policies that will pay ransoms - assuming you can prove no liability - it's likely that AXA's position might spread. The whole market for insuring against all forms of cyber-attack and outage is an interesting area and I suspect that 2022 will be a year where it starts to get a lot more attention from enterprises."

Bundock flags up, moreover, how the 'great return to the office' has just not materialised as expected by most, with more organisations opting to have more staff working remotely as a permanent option. "The first of the studies that have looked at issues such as productivity and mental well-being are starting to emerge and, in many instances, home working seems to be on parity with office working and, in some cases, proving a benefit.

"However, organisations must now look at the often-temporary measures rushed out to support home workers that are now becoming standard. Where masses of laptops were hurriedly deployed, and cloud-based file-sharing systems were utilised to help teams collaborate, these devices and platforms need to be audited for security and compliance to standards such as GDPR. This will inevitably trigger more use of cyber security as a service - especially as the current shortage of skilled IT and Infosec staff grows."

14

computing security December 2021 @CSMagAndAwards www.computingsecurity.co.uk


2022 predictions

ATTACKS TO GO WIDER

While it's been mainly big oil pipelines and national healthcare services hitting the headlines as ransomware victims in 2021, the attackers are likely to expand the net a bit wider next year, according to David Hood, CEO, ANSecurity. "Although seemingly a less lucrative option, the four million small businesses in the UK offer a tempting target and often don't have the skills to deal with these types of extortion attempts - choosing to pay, rather than have their businesses crippled. This will be partly driven by the US (and likely soon to follow many major western economies), stating they will treat ransomware attacks on key infrastructure as a terrorist attack, leaving smaller organisations unlikely to provoke any government response and comparatively a 'safe' target."

The wave of supply chain attacks such as SolarWinds and Kaseya is not over yet and 2022 will undoubtedly see more instances, Hood adds. "But these might well shift from broad IT platforms to more specialist supply chains in areas such as logistics, healthcare and even manufacturing. The endemic supply chain cyber security weaknesses might finally require government scrutiny." This, he points out, could be the equivalent of a PCI/DSS regime, with an ASA and QSA style auditing requirement. "This is very unlikely to conclude in 2022 - although the discussion might well start."

With the NHS currently working through its own cyber security certification scheme, in the shape of Data Security Privacy Toolkit (DSPT), the success of this project "may well see 2022 as the year that other industries start their own programmes, perhaps starting with the public sector and potentially expanding to their suppliers. This seems very likely and education may well be the next sector to go through the process".

Hood also acknowledges how Zero Trust has been a popular topic for vendors and the media over the last few years. "However, when speaking to clients, it's becoming clear that there is a fundamental problem with the concept… it is an awful name! Hopefully, 2022 will be the year when vendors realise that 'Zero Trust' is a poor descriptor for the concept and that a better way to engage with key stakeholders needs to come to the forefront to propel what is essentially a great idea."

NEW TECHNOLOGIES EMERGING

For the past few decades, enterprises have spent considerable time and resources investing in traditional endpoint and infrastructure security solutions. The focus has been on the devices their employees and customers use to connect to their services or workflows. But the modern workflow has evolved and grown, with new devices and enterprise apps introduced every day.

"In the context of the last two years, many organisations, big and small, accepted mobile devices and apps into their systems, in the spirit of remote work and productivity, but dedicated insufficient thought to how these new technologies impacted their broader enterprise attack surface," points out Richard Melick, director, Product Marketing for Endpoint Security at Zimperium. "This is because, historically, malicious actors have focused more attention on traditional endpoints. Thus, when security teams needed to prioritise the most significant risk areas to their employees, data and organisations, it resulted in more focus being paid to traditional endpoints." Fast forward to the end of 2021 and 2022, and mobile endpoints are now critical components of our daily workflows. "The threats targeting both Android and iOS enterprise-connected devices and applications have increased massively worldwide and it should be no surprise. The 2021 headlines have demonstrated these attacks are not just small data leaks and stolen code. Android and iOS had record years, in terms of zero-day critical vulnerabilities in 2021, accounting for 30% of all in-the-wild exploits used in cyberattacks, up from 10% in 2020."

Enterprises have discovered their apps leaking critical user and investor data, and mobile spyware has infected tens of thousands of targeted, high-profile individuals, Melick adds. "Large-scale phishing and premium SMS scams have plagued personal and corporate-owned devices, stealing tens of millions from unsuspecting victims. And this is just the beginning of what is to come. 2022 will be the year of mobile attacks. Unfortunately, we will see enterprises face an increased number of these attacks, along with more zero-day and zero-click vulnerabilities, designed to target their mobile infrastructure to steal or spy on unsuspecting employees and their data. There will be more Pegasus-like spyware revelations, mobile ransomware and security breaches that originate with the mobile endpoint."

Melick ends with this cautionary note: "Until the mobile endpoints are brought into the same enterprise security fold and held to the same security standards as traditional devices, thereby providing them the tools and monitoring necessary to keep enterprises secure, mobile devices will leave enterprise attack surfaces ripe and open to the increasingly complex and varied mobile threat landscape of 2022."



2021 CS Awards

https://flic.kr/s/aHsmXckhCZ

Computing Security Awards hit all the right notes!

DECEMBER 2021 WAS A MOMENTOUS MONTH FOR ALL INVOLVED IN THE COMPUTING SECURITY AWARDS - WE WERE 'BACK IN THE ROOM' WITH A LIVE GATHERING AT A LONDON HOTEL FOR THIS PRESTIGIOUS EVENT

Those who were there at the Computing Security Awards 2021 could celebrate and circulate for the first time in something like two (long) years. It was great to be there, after all of the setbacks that have had to be endured in the interim. Indeed, it was those many challenges overcome that made these awards even more special.

If the mood was already buoyant, it was made even more uplifting by the remarkable voice and presence of English National Opera singer Alexander Wall, who entertained everyone superbly.

It only remains for Computing Security magazine to offer our warmest congratulations to the winners - and to each and every one of the companies, organisations and individuals who made it to the 2021 finals. We look forward to seeing you all again in 2022!


THE 2021 WINNERS:

Email Security Solution of the Year: Libraesva - Email Security Gateway
Anti Malware Solution of the Year: Watchguard - Panda AD360
Incident Response & Investigation Security Service Provider of the Year: Kroll
Network Security Solution of the Year: Endace - EndaceProbe Analytics Platform
Encryption Solution of the Year: Rohde & Schwarz Cybersecurity - R & S Trusted Gate
Advanced Persistent Threat (APT) Solution of the Year: Hornetsecurity - Advanced Threat Protection
Data Loss Prevention Solution of the Year: Veritas - Backup Exec 21
Cyber Security Compliance Award: Xcina Consulting
AI and Machine Learning Based Security Solution of the Year: Heimdal Security - Heimdal Threat Prevention
Identity and Access Management Solution of the Year: SecurEnvoy - SecureIdentity Identity and Access Management
Anti Phishing Solution of the Year: Metacompliance - MetaPhish
Secure Data & Asset Disposal Company of the Year: Computer Disposals (A Restore Technology Company)
Cloud-delivered Security Solution of the Year: Swivel Secure - AuthControl MSP Cloud
New Cloud-delivered Security Solution of the Year: Kroll - Kroll Responder
Mobile Security Solution of the Year: Jamf - Jamf Threat Defense
Penetration Testing Solution of the Year: Edgescan - Edgescan Professional Services
Breach and Attack Simulation Solution of the Year: Picus Security - Picus Complete Security Control Validation Platform
Remote Monitoring Security Solution of the Year: StorageCraft an Arcserve Company - OneSystem
New Security Software Solution of the Year: Sonicwall - Cloud Edge Secure Access
Security Education and Training Provider of the Year: Metacompliance
Web Application Firewall of the Year: Rohde & Schwarz Cybersecurity - R&S Web Application Firewall
Threat Intelligence Award: AT&T Cybersecurity - Alien Labs
Security Reseller of the Year: NGS - Next Generation Security
Security Distributor of the Year: Brigantia
Enterprise Security Solution of the Year: Edgescan - Edgescan SaaS/Vulnerability Management Suite Platform
SME Security Solution of the Year: Swivel Secure - AuthControl Sentry
Individual Contribution to CyberSecurity Award: Tim Ager, Picus Security
Cyber Security Customer Service Award: Brookcourt Solutions
Security Service Provider of the Year: Adarma
Security Project of the Year - Public Sector: StorageCraft an Arcserve Company - StorageCraft and SDIS 62
Security Project of the Year - Private Sector: Egress - Egress and Crawford & Company
Editor's Choice: Veritas - Backup Exec 21
Cyber Security Innovation Award: Countering Covid-19: Pentest Limited - Remote Pentest and Vulnerability Assessment via Drone
One to Watch Security - Product: Metacompliance - Mycompliance
One to Watch Security - Company: Adarma
Security Company of the Year: Shearwater Group



cyber-attacks surge

REAL-WORLD IMPACT AS CYBER-ATTACKS ESCALATE

AS 2022 BECKONS AND THE SAFETY OF ALL IS INCREASINGLY PUT TO THE TEST, THE NATIONAL CYBER SECURITY CENTRE LAYS BARE, IN A COMPUTING SECURITY SPECIAL REPORT, THE SPIRALLING THREATS WE ALL FACE AND HOW IT IS SEEKING TO NEUTRALISE THEM

The cyber threat to the UK and its allies continued to grow and evolve throughout 2021: from indiscriminate phishing scams against mass victims, to ransomware attacks against public and private organisations, to targeted hostile acts against critical national infrastructure and government.

In its annual report, the National Cyber Security Centre (NCSC), part of GCHQ, has been revealing how vulnerable we have all become to attacks and the work that is being carried out to try to keep organisations and individuals safe from the fallout.

While the threats came from a range of actors using an array of methods, they had one thing in common: they led to real-world impact. "Life savings were stolen, critical and sensitive data was compromised, healthcare and public services were disrupted, and food and energy supplies were affected."

In the past 12 months, the NCSC was engaged, in partnership with law enforcement, to monitor, counter and mitigate the threat, whether committed by sophisticated state actors, organised criminal groups or low-level offenders. "Covid-19 continued to shape the cyber security landscape.

HOSTILE STATES

Cyber criminals continued to exploit the pandemic as an opportunity, while hostile states shifted their cyber operations to steal vaccine and medical research, and to undermine other nations already hampered by the crisis. The pandemic has also brought about an acceleration in digitisation, with businesses and local government increasingly moving services online and essential services relying ever more on cloud IT provision.

"This has broadened the surface area for attacks and has often made cyber security more challenging for organisations. In response the NCSC built on the experiences of last year in protecting sectors responding to the pandemic, including the NHS (across all four nations), medical research, vaccine manufacturers and distributors, encouraging them to take up the services available to respond to threats to their security."

The compromise of software company SolarWinds and the exploitation of Microsoft Exchange Servers highlighted the threat from supply chain attacks. These sophisticated attacks, which saw actors target less-secure elements - such as managed service providers or commercial software platforms - in the supply chain of economic, government and national security institutions, were two of the most serious cyber intrusions ever observed by the NCSC.

"In March 2021, Microsoft announced that four zero-day vulnerabilities in Microsoft Exchange Servers were being actively exploited, with at least 30,000 organisations reportedly compromised in the US alone, affecting many more worldwide. In July, the NCSC assessed this attack was highly likely to have been initiated and exploited by a Chinese state-backed threat actor, with the objective of enabling large-scale espionage, including the acquisition of personal data and intellectual property."

The SolarWinds attack enabled the onward compromises of multiple US government departments, and the British cloud and email security firm Mimecast, among other victims. In April the NCSC assessed that Russia's Foreign Intelligence Service (SVR) was highly likely to have been responsible for the attack.

GCHQ headquarters, Cheltenham, widely known as the 'Doughnut'.

DOUBLE EXTORTION

Ransomware became the most significant cyber threat facing the UK this year, adds the NCSC. "Due to the likely impact of a successful attack on essential services or critical national infrastructure, it was assessed as potentially as harmful as state-sponsored espionage. In 2020, the NCSC observed the evolving model of criminals exfiltrating data before encrypting victim networks; data which they then threatened to leak, unless the ransom was paid [known as double extortion]."

Ransomware gained increased public attention following attacks on Colonial Pipeline in the US, which supplied fuel to the East Coast, and against the Health Service Executive in Ireland. In the UK, there was an increase in the scale and severity of ransomware attacks. "Hackney Borough Council suffered significant disruption to services - leading to IT systems being down for months and property purchases within the borough delayed. Attacks this year were across the economy, targeting businesses, charities, the legal profession and public services in the education, local government and health sectors."

Among other ransomware incidents investigated was a major attack on the American software firm Kaseya. In July, the NCSC helped to identify and support British victims after the Florida-based company was infiltrated by a hacking group, which seized troves of data and demanded $70m (£51.5m) in cryptocurrency for its return.

GLOBAL THREAT ACTORS

The NCSC welcomed international efforts in tackling ransomware when it was discussed at the G7 meeting of world leaders in Cornwall, underlining the need for co-ordinated multilateral attention.

The NCSC reports that it continued its work with global partners to detect and disrupt shared threats, the most consistent of these emanating from Russia and China. In addition to the direct cyber security threats posed by the Russian state, it became clear that many of the organised crime gangs launching ransomware attacks against western targets were based in Russia.

China remained a highly sophisticated actor in cyberspace with increasing ambition to project its influence beyond its borders and a proven interest in the UK's commercial secrets. How China evolves in the next decade will probably be the single biggest driver of the UK's future cyber security. While less sophisticated than Russia and China, Iran and North Korea continued to use digital intrusions to achieve their objectives, including through theft and sabotage.

"The NCSC's Early Warning service provides organisations with specialised alerts and potential cyber threats affecting their networks. Says Eleanor Fairford, NCSC's deputy director for Incident Management: 'This will help them resolve security issues quickly and reduce the risk of serious harm being done.'"

CYBER THREAT CONTINUES TO GROW

The past year saw the cyber attack on Microsoft, linked to a Chinese state-backed threat actor, and the SolarWinds attack, attributed to Russia's Foreign Intelligence Service: two of the most serious global cyber incidents we've seen in recent years. In the UK there was an increase in the scale and severity of ransomware attacks, targeting all sectors from businesses to public services.

"In response, the NCSC has identified and mitigated numerous threats, whether committed by sophisticated state actors, organised criminal groups or lone offenders," says Sir Jeremy Fleming, director GCHQ. "Of course, coronavirus continues to shape what we see. Cyber criminals are still exploiting the pandemic, while hostile states shifted their cyber operations to steal vaccine and medical research. The NCSC worked across the four nations to protect those involved in the UK's response, including the NHS, medical research and the vaccine supply chain."

The NCSC's impact has been substantial and far reaching at a time of global crisis, Fleming adds. "The Government's investment in cyber security means we know much more about the changing threats the country faces today than we did five years ago when the NCSC was set up. And we are looking ahead, too. We can see technology leadership is shifting eastwards. The key technology we will rely on for future prosperity and security won't necessarily have democratic values at its core. We will work with partners around the world to help the UK and allies face this moment of reckoning."

Lindy Cameron, NCSC's CEO, says that she is all too aware of the task that lies ahead. "We will work with the FCDO [Foreign, Commonwealth & Development Office] to put cyber power at the heart of the UK's foreign policy agenda, strengthening our collective security, ensuring our international commercial competitive advantage, and shaping the debate on the future of cyberspace and the internet.

"We will need to reinforce our core

alliances and lead a compelling campaign

aimed at middle-ground countries to

build stronger coalitions for deterrence

and counter the spread of digital

authoritarianism. This will involve better

connecting our overseas influence to

our domestic strengths, leveraging our

operational and strategic communications

expertise, thought leadership, trading

relationships and industrial partnerships

as a force for good."

And she also states: "Over the last 12

months, the NCSC has played a key role

in managing significant events and taken

action to make the UK a safer place to live

and work online. A particular highlight

has been the work that the NCSC did to

support the Covid-19 vaccine roll out.

The NCSC dealt with 777 incidents - an

increase on last year - of which 20% were

linked to the health sector and vaccines.

One of the trends that the NCSC has seen

over the last year was a worrying growth in

criminal groups using ransomware to

extort organisations. In my view, it is now

the most immediate cyber security threat

to UK businesses and one that I think

should be higher on the boardroom

agenda."

RECORD YEAR FOR INCIDENTS

An international supply-chain data breach emanating from a compromise of SolarWinds was one of the most significant incidents that the NCSC dealt with over the last year.

"This attack involved one of the world's most popular IT system management platforms being breached by the Russian Foreign Intelligence Service and is an important reminder of the need for organisations to be resilient, if one of their suppliers is affected." It was a record year for incidents dealt with by the NCSC. The team managed 777 incidents, another increase on the previous record, breaking the 723 total from 2020. The NCSC supported the NHS during eight 'high severity alerts' from April 2020 to March 2021.

This year's total means that, since the NCSC commenced operations in 2016, the organisation has co-ordinated the UK's response to a total of 3,305 incidents (annual totals of 590, 557, 658, 723 and 777). Several incidents came onto the NCSC's radar proactively, through the expert work of its threat operations and assessments teams. Many others were raised by victims of malicious cyber activity. While the NCSC has world-leading capabilities in identifying, confronting and responding to cyber threats and deterring those responsible for them, it is just as important to improve defences to stop attacks getting through in the first place, and when they do, that organisations are better able to recover and limit the impact. In the last Annual Review, the NCSC set out how the ransomware model had shifted from not only withholding data, but threatening to publish it as well. This year, the model has developed further into what is termed Ransomware as a Service (RaaS), where off-the-shelf malware variants and online credentials are available to other criminals for a one-off payment or a share of profits.

As the business model has become more and more successful, with these groups securing significant ransom payments from large businesses who cannot afford to lose their data to encryption or to suffer the down time while their services are offline, the market for ransomware has become increasingly 'professional'.

The NCSC has observed that some victims have been offered the services (from the attackers) of a 24/7 help centre to quickly pay the ransom and get back online.

'PAY THE RANSOM AND MOVE ON'

Everything is geared to make it as easy as possible simply to pay the ransom and move on. Organised crime groups spend time conducting in-depth reconnaissance on their targeted victims. They will identify exploitable cyber security weaknesses. They will use spoofing and spear phishing to masquerade as employees to get access to the networks they need. They will look for the business-critical files to encrypt and hold hostage. They may identify embarrassing or sensitive material that they can threaten to leak or sell to others. And they may even research to see if a potential victim's insurance covers the payment of ransoms.

This process can be painstaking and lengthy, but it means that, when they are ready to deploy, the effect of ransomware on an unprepared business is brutal. Files are encrypted. Servers go down. Digital phone lines no longer function. Everything comes to a halt and business is stopped in its tracks. But it's not all bad news. There are many services that organisations can use to protect themselves against ransomware or mitigate the impact of an attack. As well as implementing practical cyber security measures and following advice, an important defence against ransomware is to understand the ever-evolving threat picture and to work with others to share information and good practice.

Paul Chichester, NCSC director of operations, with Lindy Cameron, NCSC's CEO. States Chichester: "The attack on Microsoft Exchange servers was another serious example of a malicious act by Chinese state-backed actors in cyberspace."
SECURE FORUM

The NCSC's Cyber Security Information Sharing Partnership (CISP) service provides a secure forum where companies and government can collaborate on threat information. CISP, which also gives access to regular sensitive threat reports, is one of many tools available. Indeed, the NCSC provides a range of free cyber security tools and services to eligible organisations as part of the Active Cyber Defence (ACD) programme. These initiatives help organisations to find and fix vulnerabilities, manage incidents or automate disruption of cyber-attacks.

While there are numerous entry points into a system, device or network, the NCSC has observed that threat actors have been increasingly exploiting vulnerabilities in virtual private networks and unpatched software, and using phishing emails. The most common attack vectors used by ransomware actors targeting the UK include:

RDP: Remote Desktop Protocol is the remote access tool most commonly exploited by ransomware actors. Attackers use insecure RDP configurations, discovered through phishing attacks, data breaches or credential harvesting, to gain initial access to the victim's environment.

VPN: Since the shift to remote learning and working when the pandemic began, threat actors have been exploiting vulnerabilities present in Virtual Private Networks to take over remote access.

Unpatched devices: Attackers are targeting unpatched software and hardware devices to gain access to the victim's network. One example of this is the vulnerabilities in Microsoft Exchange Server that are known to have been used by persistent threat groups.

"In the first four months of 2021, the NCSC handled the same number of ransomware incidents as for the whole of 2020 - which was itself a number more than three times greater than in 2019."
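The RDP entry above describes credential-driven initial access over Remote Desktop. The script below is an added example written for this page from the defender's side; it is not NCSC tooling and does not come from the article. It reads Windows Security events exported as JSON lines (the embedded sample is constructed, with invented hosts, users and timestamps and a source address from the 203.0.113.0/24 documentation range), keeps only RemoteInteractive logons (logon type 10, which is how RDP sessions are recorded), and flags any source address that reaches a threshold of failed logons (event ID 4625) inside a sliding window, noting whether a successful logon (event ID 4624) from the same source followed within that window. The threshold, the window length and the JSON field names are assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows Security events exported as JSON lines. Hosts,
# users, times and the 203.0.113.0/24 source (an RFC 5737 documentation range)
# are invented for this example; the event IDs and logon type are the real
# Windows values (4625 = failed logon, 4624 = successful logon, type 10 = RDP).
SAMPLE_LOG = """\
{"ts": "2021-11-03T02:14:05Z", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7", "host": "RDS01"}
{"ts": "2021-11-03T02:14:07Z", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7", "host": "RDS01"}
{"ts": "2021-11-03T02:14:09Z", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7", "host": "RDS01"}
{"ts": "2021-11-03T02:14:12Z", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.7", "host": "RDS01"}
{"ts": "2021-11-03T02:14:15Z", "event_id": 4625, "logon_type": 10, "user": "finance", "src_ip": "203.0.113.7", "host": "RDS01"}
{"ts": "2021-11-03T02:14:20Z", "event_id": 4624, "logon_type": 10, "user": "finance", "src_ip": "203.0.113.7", "host": "RDS01"}
{"ts": "2021-11-03T08:01:00Z", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.21", "host": "RDS01"}
{"ts": "2021-11-03T08:01:30Z", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.21", "host": "RDS01"}
{"ts": "2021-11-03T09:00:00Z", "event_id": 4625, "logon_type": 3, "user": "svc_sql", "src_ip": "10.0.5.40", "host": "RDS01"}
"""

RDP_LOGON_TYPE = 10     # RemoteInteractive: a session over Remote Desktop
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def parse_events(text):
    """Parse JSON-lines event records, converting the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: finding} for sources with >= threshold failed RDP logons
    inside a sliding window; a later success from the same source is recorded."""
    rdp = sorted((e for e in events if e["logon_type"] == RDP_LOGON_TYPE),
                 key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # src_ip -> failures still inside the window
    findings = {}
    for e in rdp:
        src = e["src_ip"]
        if e["event_id"] == FAILED_LOGON:
            # drop failures older than `window` relative to this event, then add it
            recent_failures[src] = [f for f in recent_failures[src]
                                    if e["ts"] - f["ts"] <= window] + [e]
            if len(recent_failures[src]) >= threshold:
                finding = findings.setdefault(src, {
                    "first_seen": recent_failures[src][0]["ts"],
                    "host": e["host"],
                    "failed_logons": 0,
                    "usernames": [],
                    "success_after": None,
                })
                finding["failed_logons"] = len(recent_failures[src])
                finding["usernames"] = sorted({f["user"] for f in recent_failures[src]})
        elif e["event_id"] == SUCCESSFUL_LOGON and src in findings:
            finding = findings[src]
            if finding["success_after"] is None and e["ts"] - finding["first_seen"] <= window:
                finding["success_after"] = e["user"]
    return findings


def severity(finding):
    """Rank a finding: a success following the failure burst is the actionable case."""
    return "critical" if finding["success_after"] else "medium"


def main():
    findings = detect_rdp_bruteforce(parse_events(SAMPLE_LOG))
    for src, f in findings.items():
        print(f"{severity(f).upper():8} {src} -> {f['host']}: "
              f"{f['failed_logons']} failed RDP logons from {f['first_seen']:%H:%M:%S}, "
              f"users tried {f['usernames']}, success as {f['success_after']!r}")


if __name__ == "__main__":
    main()
```

Run stand-alone it prints one line per flagged source. The failure burst alone is medium because internet-exposed RDP collects background noise of this kind constantly; a success from the same source seconds later is the pattern that matches the initial-access route described above, and that is the case to treat as a live intrusion (reset the credential, review the session, and ask why RDP was reachable from that address at all) rather than as a ticket.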

The NCSC released tools and advice designed to help organisations prevent ransomware attacks. These included guidance on mitigating ransomware attacks; a tool called Early Warning Service, designed to help organisations facing cyber attacks on their network; training for school staff; and a range of Active Cyber Defence services including Web Check - a tool that provides website configuration and vulnerability scanning services.

BUILDING RESILIENCE AT SCALE

The Active Cyber Defence (ACD) programme is seen as one of the NCSC's most successful ways to help bring about a real-world, positive impact against threats. "The programme seeks to reduce high-volume cyber attacks, such as malware, ever reaching UK citizens and aims to remove the burden of action from the user." The ACD programme's core services include Mail Check, Web Check, Protective DNS, Exercise in a Box, the Suspicious Email Reporting Service and the Takedown Service.

The last of these, for example, finds malicious sites and sends notifications to the host or owner to get them removed from the internet before significant harm can be done. The NCSC centrally manages the service, so departments automatically benefit without having to sign up. "This year, the UK's share of global phishing has remained consistent at approximately 2%, due to this service."

TAKEDOWN TAKEAWAY

This year the Takedown Service enabled the NCSC to remove a total of 2.3 million cyber-enabled commodity campaigns, including the following:

13,000 phishing campaigns which were disguised as coming from the UK Government

442 phishing campaigns which used NHS branding, compared to 105 in the same period in last year's report

80 instances of NHS apps (unofficial mirrors) hosted and available for download outside of the official Apple and Google app stores.

Looking ahead to what can be expected from the NCSC, in February this year it launched MyNCSC, a new platform as a single point of entry to its key digital services, including Active Cyber Defence. MyNCSC brought together in one place access to tailored advice, services and alerts.

"The new platform, which is due to replace the existing ACD hub, helps users reduce duplication, save time and better understand their security posture across a range of services. MyNCSC users are presented with service data, incident information and guidance to help them be more proactive in improving the security of their organisations."

At the time of publication, the platform was open to eligible users as part of the pilot.


Product Review Service

VENDORS – HAS YOUR SOLUTION BEEN REVIEWED BY COMPUTING SECURITY YET?

The Computing Security review service has been praised by vendors and readers alike. Each solution is tested by an independent expert whose findings are published in the magazine along with a photo or screenshot. Hardware, software and services can all be reviewed.

Many vendors organise a review to coincide with a new launch. However, please don't feel that the service is reserved exclusively for new solutions. A review can also be a good way of introducing an established solution to a new audience. Are the readers of Computing Security as familiar with your solution(s) as you would like them to be?

Contact Edward O'Connor on 01689 616000 or email edward.oconnor@btc.co.uk to make it happen.


special focus

PERENNA - HELPING TO REDEFINE

THE FUTURE OF MORTGAGE LENDING

PERENNA IS CREATING A BANK WHERE MORTGAGES WILL BE FUNDED BY

COVERED BONDS, ALLOWING THEM TO CREATE 30-YEAR FIXED RATE

MORTGAGES AND GIVING CUSTOMERS RESILIENCE BY REMOVING

INTEREST RATE RISK FROM THEIR MORTGAGE. XCINA CONSULTING HAS

BEEN ASSISTING THIS FUTURE BANK IN SEVERAL AREAS TO BUILD A

RESILIENT ORGANISATION AND ROBUST PROCESSES AND SYSTEMS WHICH

CAN BE TRUSTED. HERE, COLIN BELL, CO-FOUNDER AND COO AT

PERENNA, EXPLAINS THEIR JOURNEY.

Q1. Could you provide us with some background about Perenna before you started this journey with Xcina Consulting in February 2021?

A: Whilst the idea was being formed earlier, the founders started working on the current banking application process in 2017 with the aim of creating the UK's first pure covered bond bank. We started by presenting the business plan to the regulators, obtaining funding and started building the team which now stands at around 40. We are well progressed in the application process and look to launch in 2022. Covered bond funding can be used for any type of mortgage but we see the UK as lacking in flexible long term fixed rate mortgages.

Q2. What convinced you to seek external advice?

A: When setting up a new organisation, you have resource constraints and tight timescales. Using external consultants gives us the extra manpower needed for specific tasks. Since the first engagement the skillsets, knowledge, experience, and delivery that Xcina brought was particularly good and therefore the management team decided to expand the mandate into other areas and the relationship has been very fruitful and productive. We achieved a lot in a short space of time which would not have been feasible with the existing team alone, appointing Xcina also allowed the existing team to focus on building the bank and obtaining the necessary banking licence which can be a difficult process especially for a new organisation. They worked as an extension of our current team and company, rather than an arm's length external organisation. It's been fun at times, too, which has been great for our culture.

Q3. From a practical perspective, what were your top three objectives?

A: We had a requirement to get things done quickly and efficiently, and needed the expertise and wider market knowledge which did not necessarily exist internally, at least in the early days.

I. Gaining the banking licence

II. Ensuring Perenna is resilient and sustainable when we are live. This is extremely important for us as a business, for the regulator, and fundamentally also for the customers we will be looking after, to ensure we have a long-term future as a bank.

III. Delivering great products, a great service proposition which ultimately will lead to great customer satisfaction is at the heart of what we aim to do. We are trying to make mortgages more accessible and safer for consumers and deliver great customer experiences, removing the challenges people currently face.

Q4. How did you find the journey with Xcina Consulting?

A: When we've approached Xcina with a piece of work, they very quickly provided very good scoping documents giving good visibility of costs, timescales and deliverables. The journey has been great, they always delivered to time and expectations, exceeding in terms of quality of output, which is why we have continued with further pieces of work with the team. It has been very positive and we're still on the journey.

Q5. What outcomes do you think have been the most valuable?

A: The work we undertook with Xcina around IT controls, setting policies and standards was a very significant piece for our banking application. This was achieved in a very efficient manner and very short space of time. The collaboration between both sides got us to a good place, and we submitted all these documents to the regulators to plan. Drafting and bringing in wider knowledge are where Xcina really excelled. The other area was operational resilience. Again, there is a lot of effort involved in getting the right framework together, other organisations have had longer to do this but we're still working to the same tight timeline of March 2022. Xcina helped us in running the workshops within Perenna, producing output, putting things together, a really good piece of work. In terms of our governance, structures, policies, and procedures, we're in a good place with embedding those and that's certainly where Xcina has helped us.

"When you are trying to obtain a banking licence, there is a great deal to do with limited resources. Tactically, we therefore brought in talented and experienced practitioners to maximise our efficiencies and harness expertise. Xcina have assisted us in several areas, including IT controls and operational resilience, which is core to building a sustainable bank and one which delivers for its customers throughout times. Lindsey and the team at Xcina have proven expertise and continue to be invaluable to Perenna, and we see them as part of our team."

Colin Bell, Co-founder and COO at Perenna

24

computing security December 2021 @CSMagAndAwards www.computingsecurity.co.uk

Q6. Would you recommend Xcina Consulting to others?

A: I have recommended Xcina, so that's the best endorsement you can get. Reason being is simple, they scope work well and deliver very well on time, on budget and to a high degree of quality. As I have said before, I view it as a partnership.

That's a sign of a good consultancy business where you can feel they're almost part of the business rather than being an external consultant. That is how I have found everyone I have worked with at Xcina. I am recommending them, have recommended and will continue to do so.

Q7. Other observations worth highlighting?

A: Couple of things I've really enjoyed… around Operational Resilience and Outsourcing. Lindsey [Lindsey Domingo, Senior Director of Consulting and Regulatory Compliance Lead, Xcina] and I have had some interesting debates outside of the work, really because the regulations and changes are quite new. As with new things, some parts work well and some others don't work as well. We have had some really good chats and challenges about how we interpret certain things and what we should do in certain situations. These conversations have been outside of the project work and I've never seen it as being a consultancy thing. Lindsey has always been open and willing to discuss these things, and it's been really good. He is very approachable, as are the rest of the team. We've had some great debates about some of these new policies coming out, which is what happens when new things are put into place: not everything is necessarily right, not everything is as clear as you want it to be, in terms of interpretation, and some of it is quite subjective - so that's been really good.

Lindsey Domingo, Senior Director, Xcina: Keep the questions coming!

Lindsey Domingo, Senior Director of Consulting and Regulatory Compliance Lead, Xcina Consulting.

Colin: It's useful. We're both gaining knowledge from these debates. It's about being approachable. Whenever we have questions that need answers, you and the team are always available. Sometimes these things can be awkward when you deal with consultants, but it hasn't been that way with Xcina and as already mentioned it seems like an extension of our business rather than a third party.



inside GDPR

GDPR CERTIFICATION SCHEMES - DOING THE HEAVY LIFTING FOR YOU

WAS GDPR ALL HOT AIR OR, THREE YEARS ON, ARE WE SITTING ON A TICKING TIMEBOMB? IN THIS ARTICLE, STEVE MELLINGS, FOUNDER ADISA, WEIGHS UP ALL OF THE EVIDENCE

In the legal field, the consensus from those I have spoken to is that GDPR has most definitely had an impact, but many are still frustrated at the distance between those who understand GDPR and those at the operational coalface. This leads to frequent unconscious non-compliance, which could easily be avoided. The response from data controllers varies as well. There are those who have viewed GDPR as a project to start when they are told to, whereas, for others, the fear of brand damage and threat to the balance sheet has motivated them to act now. How effective those actions are is an entirely different story!

When GDPR was enshrined into UK law in May 2018, businesses were inundated with offers of "guaranteed GDPR compliance" from pop-up experts claiming to know how to avoid the 4% of turnover fines which were allegedly heading everyone's way. The reality was the provision of GDPR compliance policy bundles which, to this day, still sit carefully encased in the glass cubicle marked 'Break glass. If ICO, knock on door'.

Of course, I am being facetious, but for many businesses the burden of GDPR compliance has been a painful cross to bear, while for others the general confusion led to pointless expenditure on well-meaning, but ultimately fruitless, compliance projects. And so, the elephant in the room must be addressed - was GDPR all hot air or, three years on, are we sat on a ticking timebomb? The answer to this will vary, depending on to whom you are talking.

For many in the channel, GDPR has provided a point of reference to highlight a feature or benefit from a product being sold and so has enhanced their own value proposition. For others who offered 'GDPR silver bullet products or services', their embellishment of the capabilities of those products has seen their credibility eroded by buyers who were sold the dream, but ended up with very little.

Of course, Brexit threw in a further spanner, but with the release of the unofficial-looking 'Keeling Schedule', it is clear GDPR, whether UK or EU, is still very much part of the regulatory landscape. If we also consider the UK Data Protection Act 2018 and the National Data Strategy, it is hardly surprising that, three years on, businesses are suffering from data protection fatigue, leaving many to park it in the 'too hard' part of their to-do lists.

There is some good news, however, emanating from the Information Commissioner's Office that can really help businesses. In August 2021, ADISA was delighted to be part of the first group of companies to have a standard formally approved by the ICO as a UK GDPR Certification Scheme.

WHAT IS A UK GDPR CERTIFICATION SCHEME?

In short, Certification Schemes are confirmed as meeting UK GDPR requirements, as determined by the ICO itself. The premise is that, by pre-approving the scheme, the ICO is taking away the burden that businesses have of trying to work out what a compliant position looks like within a specific business process.

This sounds simple enough, but when we consider that the law calls for both the controller and processor to take "appropriate technical and organisational measures", we run into a problem: who determines what is appropriate? Certification schemes help answer that question, as the ICO has determined what their view of appropriate is within each scheme that they assess.

'TAKING AWAY THE BURDEN OF COMPLIANCE WITH FIVE SIMPLE QUESTIONS'

I am, of course, going to be biased when I say that Certification Schemes can really help businesses who are looking to build UK GDPR compliance into a specific process, as this approval has pre-verified what compliance looks like. This two-year process has not been without challenges. During discussions with the ICO, we needed to find a way of empowering the data controller to influence the treatment of 31 identified operational risks to ensure the response was 'appropriate' for each specific data controller. Other than getting the controller involved in the transaction in minute detail, how could we achieve this? The answer was to create a five-step process called the Data Impact Assurance Level (DIAL).

Outlined in an article that appeared in Computing Security November 2021, this new concept is crucial for empowering the data controller to influence risk treatments to ensure that they are commensurate to their own business environment. By undertaking the DIAL assessment and using an ADISA certified company when disposing of retired assets, data controllers create a clear, defensible position in the eyes of the law.

A leading data protection and cyber security lawyer stated at the recent ADISA conference: "When assessing data breaches, we as a legal team look at factors surrounding the incident which may have led to the breach, and which could have been mitigated. This last point provides clear opportunity for blame to be apportioned, unless the mitigation is proportionate to the business under investigation. Where certification schemes prove useful is that by complying with them the data controller is already proven as meeting the expectation of the regulator who has pre-approved the processes being evaluated. This is of huge legal significance, as it provides a clear defensible position which would be very difficult to overturn."

THE REAL QUESTION IS: WHY WOULDN'T YOU USE A CERTIFIED SCHEME?

Approved certification schemes are perhaps the clearest way in which the ICO can provide guidance on what it expects businesses to do within a specific data protection process. Our Asset Recovery Standard 8.0 is not easy for industry to comply with, and provides a real challenge for those companies who offer asset recovery and media sanitisation services. However, this is a challenge many are willing to take, in order to help their customers comply with UK GDPR. With 54 companies working towards certification, which will take place when our own UKAS certification is achieved in May 2022, this is one sector determined to help lift the burden of GDPR compliance for their customers.

As Anulka Claire, Acting Director of Regulatory Assurance of the ICO, points out: "This new concept is a significant step forward in enabling organisations to demonstrate their commitment to compliance with UK data protection law."

So, with the ICO approval of ADISA Standard 8.0, organisations that are disposing of redundant IT assets can benefit by avoiding having to fully understand the law and determine what is viewed as appropriate. All they are required to do is use an ADISA-certified company, and rest assured that the ICO, UKAS and ADISA have worked to ensure the process is confirmed as being UK GDPR compliant.


training & upskilling

NEW TRAINS OF THOUGHT

ONGOING INVESTMENT IN CYBER TRAINING AND UPSKILLING ACROSS THE WHOLE OF A BUSINESS IS ESSENTIAL TO PREVENT A MAJOR DATA BREACH

Companies that haven't been investing in cybersecurity upskilling and training over the past few years are already on the back foot, as attacks are becoming more sophisticated and numerous. "New versions of malicious software appear almost daily and are always one step ahead of our antivirus systems," cautions Phil Chapman, head of Cyber Security Curriculum at Firebrand Training. "The growth of the botnets alone is currently being calculated to have risen to over 80% in Q3 of 2021, according to Internet-based monitoring agencies. Policy therefore needs to be the first thing that a company considers before tackling the technology to defend it. Ongoing investment in cyber training and upskilling across the whole business is essential to keeping everyone secure and prevent a major data breach."

The weakest part of our defences is also our biggest asset - people. "Often, the weakest link in the chain is the user who doesn't understand the risk. Therefore, it's crucial that those outside of the cyber security and information security teams are educated about the dangers of a cyber-attack and what to look out for. A 'User Training & Awareness Policy' needs to be a company priority. Explaining these threats to all employees enables them to better protect themselves from potential harmful emails and attachments, as well as identify phishing or fraud.

"In the age of hybrid working, companies should also be setting out processes for working outside of the office, in order to protect sensitive information and maintain security protocols, such as ensuring that people are working on a secure wifi network and explaining the details of what this should look like [ie, not a public shared wifi] and making it standard for workers to set up two-factor authentication on work devices."

Training programmes need to be robust and adaptable to meet the changing needs of security, cybercrime and technological advances, so that organisations can layer in the necessary forms of technical, physical and procedural protection to keep the business safe. "Without continued development, businesses are putting a target on their backs, and putting their company and reputation at risk. Cybersecurity apprenticeships are also an effective way to introduce a wealth of talent into a business who can hit the ground running, while addressing the ever-growing digital skills gap."

WHO IS RESPONSIBLE?

The cliché that the workforce is the frontline of defence for cybersecurity is an easy one - but who is actually responsible? asks Neil Langridge, marketing director, e92plus. "Recent research by Trend Micro found a lack of consensus amongst business leaders over who is responsible, with nearly half of all survey respondents believing that the risks around cyber-attacks are still treated as an IT problem, rather than a bigger business challenge."

Most people would agree it's something that impacts the whole company - and everyone can play their part, he adds. "So, what's the best approach for those not sitting in the IT teams? Different departments face different risks - the marketing team will likely have access to customer data, so could be at risk of credential theft, while finance will be the target of phishing, or spear phishing in particular - using BEC [Business Email Compromise] to attempt to extort money via money transfer or spoofing suppliers."

Cybersecurity training needs to be built from the start and then continually refreshed - and part of the fabric of employee training and enablement, no different from HR or quarterly reviews. "As part of the e92plus Cybersecurity 101 programme, we poll our workshop participants on whether the organisations they work with have refreshed their training since the pandemic started," states Langridge. "Sadly, that number is often under 50%, despite the fundamental shift in potential risk. Our homes, our personal devices, our own Wi-Fi network is now the network perimeter, as once a company laptop opens the VPN, then all devices connected on that Wi-Fi network could pose a risk. While your iPhone or Chromebook may be fairly secure, what about the cheap IP doorbell purchased from eBay?"

So, as with charity, cybersecurity best practice starts at home. "Workplace training can provide tips and advice to help employees protect themselves and their family better, and so a culture of responsibility is built, and that's taken back into their business - and that's something now available from cybersecurity training and education providers like Cofense," he says. "And, without doubt, building that positive cybersecurity culture is so much harder with the distributed workforce when you can't simply lean over to a colleague at the next door for a gentle query about a dodgy-looking email."

MORE THAN JUST A JOB

Training and experience are two different things, states Steve Usher, senior security analyst, Brookcourt Solutions. "The issues currently are not so much the lack of training, as there are an increasing number of people moving into the cyber security industry, but more the lack of experience. Yes, there is still a lack of staff in general, but I believe it is incorrect to assume the entire issue lies with the actual number of people in the cyber security industry. How do we create cyber security experts? The real experts in this industry are those with a passion for it and a thirst for knowledge; people that see cyber security as more than simply a job."

Usher believes the solution comes in two parts. "The first being that companies start looking at the potential of people, and not simply the experience and certifications that they offer. Having more in-depth conversations, during the interview stage, will allow more businesses to pick up a person's passions and experience, as well as knowledge of the field.

"The second part of the solution is to have a solid focus on skills and knowledge transfer in the workplace. A program that will support people's skills growth and enhances their current set of capabilities, exposing them to people and situations that are outside of their day-to-day responsibilities to help promote experience and enhance people's interests in areas that they are passionate about, can go a long way. An upskilling program of this nature will not only benefit the business operationally, but also contribute towards a stronger staff retention for the business.

"There are, of course, alternatives to the above, with numerous courses, certifications, diplomas and degrees available to assist in qualifying people to work in the cyber security field, but qualifications and real-world experience are not the same thing. Experience cannot be materialised out of nowhere; the opportunity to gain that experience must be provided."

Neil Langridge, e92plus: cybersecurity training needs to be built from the start and then continually refreshed.

Phil Chapman, Firebrand Training: companies failing to invest in cybersecurity upskilling and training are already on the back foot.


data protection

THE RELENTLESS RISE OF APT

STEALTH ATTACKS BY GROUPS WITH THE TIME AND SKILL TO INFILTRATE NETWORKS AND STEAL DATA ARE SOARING. HOW DO YOU RESPOND WHEN SUCH ADVANCED PERSISTENT THREATS ARE RIFE?

Is it too late? Do we just give up? Are the attackers too far ahead? These are all questions raised by Steve Usher, senior security analyst, Brookcourt Solutions. "The answer is no," he says. "As with many of the big questions in cyber security, there is no simple answer to this. Why data breaches keep happening has no single answer; often, but not always, the issue is either human error or just bad operational security.

"While these are by far the most common reasons for a data breach, there is the small category of data breaches that are the targeted data breach, usually carried out by groups with the time and skill to infiltrate networks and steal the data unseen. These are usually, but not always, APT [Advanced Persistent Threat] groups."

With the exponential growth in not only the amount of data that is accessible from the internet, but also the use of the cloud to store that data, the opportunities for data breaches have become even more numerous. "This, in turn, leads to a larger requirement for cyber security staff, in an already straining industry, and those staff need not only cloud skills, but security-focused cloud skills and experience. Considering the speed at which the cloud is being adopted, there is a serious mismatch in the requirements for cloud security staff and the availability of those staff. This then leads to an exponentially expanding attack surface and a lack of experienced staff to ensure that the best operational security possible is enforced."

Is there a way back? Simply put, "yes", he concludes. "The way back is for any company that has data that is valuable to either the company or attackers to take stock of that data, to look at the configurations that are linked to the access of that data, the protections in place for that data and the potential cost of a breach of that data and act. If the appropriate staff are unavailable, a managed service becomes a more cost-effective option; then the focus should be on skilling up and training staff to properly manage and consider data security."

NOT ENOUGH SECURITY ANALYSTS

Ruvi Kitov, CEO of Tufin, sees several significant challenges in cyber protection today. "First, there's a severe staff shortage of qualified technical resources - there are simply not enough security analysts and many organisations are struggling to retain talent or ramp it up to full staffing. Secondly, cyberattacks are asymmetric in nature - an attacker can patiently try to breach thousands of organisations [or focus on particular targets] for months and wait for a single mistake, in order to gain access. For security teams, closing every possible vulnerability is mission impossible and there's always some attack surface exposed. In addition, the human element is frequently the weakest link in the chain and can cause critical misconfigurations through human error; or be tricked into clicking on phishing links."

These challenges apply to all attackers and organisations. "But there's another class of attackers," adds Kitov - "nation states, whose offensive capabilities are so advanced, from zero day attacks to very sophisticated custom-written malware, that most enterprises would not be able to defend against them, even with state-of-the-art security products and processes. So, the challenge today is not whether you will be breached - it's how to minimise the exposure and impact."

ODDS STACKED AGAINST DEFENDERS

"The simple answer here is that, while defenders have to succeed every time, attackers only need to succeed once," states Antti Tuomi, principal security consultant at F-Secure. "When it comes to industries that are traditionally not IT oriented, many companies, of course, try to do their best, but are not always sufficiently equipped to take into account, and proactively protect, against all attacks. The odds are stacked against the defenders when the company is large enough or significant enough to be targeted by motivated attackers with ample skills and resources."

That being said, 100% bulletproof defences are impossible, but resisting attacks is definitely not pointless, he adds. "Without the effort put into defence so far, we would be seeing far more breaches of a far bigger scale and severity. The mindset of shifting from not only securing the perimeter, but also preparing for a potentially inevitable breach by the means of detection and response, and hardening internal assets as well, significantly helps control the scope of a breach.

"I would argue that the defensive side now has better tools than ever before to help stay protected and make attackers' lives as hard as possible - resistance is definitely not futile."

NOT BEYOND FIXING

According to Carolyn Crandall, chief security advocate at Attivo Networks: "No matter how hard organisations try to defend themselves from adversaries, data breaches happen and attackers still succeed." Amongst more recent attacks to make the news, she points to the following:

- Defence officials inadvertently revealed secret plans for a suite of enhanced weapons, potentially for use by Britain's Special Forces
- BrewDog exposes details of more than 200,000 'Equity for Punks' shareholders, plus those of many more customers
- A cyber-attack costs the mining equipment supplier Weir Group £40 million in profits this year.

Despite the sobering headlines, it's not beyond fixing, Crandall argues. "Organisations must look at data differently and start protecting what they don't normally view as sensitive or critical, like enterprise identities. CISA just released their draft 'Zero Trust Maturity Model,' where Identity is the first of five pillars. Attackers target Active Directory and other identity services in almost every attack and securing AD is one of the best ways to start the Zero Trust journey. Government guidance that incorporates more information on identity services can also help minimise the success of these attacks."

THE ESSENTIALS

Gartner also stated that 'Identity-First Security' is one of its Top Security and Risk Management Trends for 2021, yet many CISOs still only focus on multi-factor authentication (MFA) as a solution to their identity security challenges, Crandall also comments.

"Multi-factor authentication (MFA) and single sign-on (SSO) are essential and organisations should implement them. However, they are not the end all and be all for identity security. MFA and SSO can help stop attackers initially from getting on an endpoint, but that only works for interactive logins and a determined adversary will eventually break in."

The threat to identities is genuine and, given the damages occurring with their misuse, every CISO should prioritise it, she continues. "According to the 2021 Verizon Data Breach Investigations Report, credential data now factor into 61% of all breaches.

"More broadly, the 'human element' factors in to 85% of breaches, while phishing is present in 36% of them. These stats highlight that attackers consistently attempt to access valid credentials and use them to move throughout networks undetected."
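The distinction Crandall draws above, that MFA and SSO cover interactive logons while a stolen credential keeps working for network logons, is exactly what makes credential reuse across hosts worth hunting for in logon telemetry. The script below is an added example written for this page, not code from Attivo Networks or any other vendor quoted here. It parses constructed, simplified logon records modelled on the fields of Windows Security event 4624 (the logon type values 2, 3 and 10 are the standard Windows ones; the key=value line format, host names, account names and the "five hosts in ten minutes" threshold are assumptions), separates MFA-capable interactive logons from network logons, and flags an account whose network logons fan out to many distinct hosts inside a short window.

```python
"""Added example: spotting credential reuse across hosts in logon telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), modelled loosely on the
# fields of Windows Security event 4624. Logon type values are the standard
# ones: 2 = Interactive, 3 = Network, 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2021-12-01T09:00:12Z host=WS-042 event=4624 user=alice logon_type=10 src=10.0.5.12
2021-12-01T09:01:05Z host=FS-01 event=4624 user=alice logon_type=3 src=10.0.5.42
2021-12-01T09:03:40Z host=WS-017 event=4624 user=bob logon_type=2 src=-
2021-12-01T13:10:02Z host=WS-042 event=4624 user=alice logon_type=3 src=10.0.5.42
2021-12-01T13:10:09Z host=WS-043 event=4624 user=alice logon_type=3 src=10.0.5.42
2021-12-01T13:10:15Z host=WS-044 event=4624 user=alice logon_type=3 src=10.0.5.42
2021-12-01T13:10:21Z host=SQL-02 event=4624 user=alice logon_type=3 src=10.0.5.42
2021-12-01T13:10:27Z host=DC-01 event=4624 user=alice logon_type=3 src=10.0.5.42
2021-12-01T13:15:00Z host=WS-017 event=4624 user=bob logon_type=3 src=10.0.5.17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"user=(?P<user>\S+) logon_type=(?P<logon_type>\d+) src=(?P<src>\S+)$"
)

# Logon types at which an MFA prompt can be enforced.
INTERACTIVE_TYPES = {2, 10}
# Network logons present an already-issued credential or ticket; no second
# factor is requested, which is why a stolen credential keeps working here.
NETWORK_TYPES = {3}


def parse_logons(text):
    """Parse key=value lines into dicts sorted by time; skip non-matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("event") != "4624":
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "host": m.group("host"),
            "user": m.group("user"),
            "logon_type": int(m.group("logon_type")),
            "src": m.group("src"),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def logon_mix(events):
    """Per account: how many logons were MFA-capable (interactive) vs network."""
    mix = defaultdict(lambda: {"interactive": 0, "network": 0})
    for e in events:
        if e["logon_type"] in INTERACTIVE_TYPES:
            mix[e["user"]]["interactive"] += 1
        elif e["logon_type"] in NETWORK_TYPES:
            mix[e["user"]]["network"] += 1
    return dict(mix)


def detect_lateral_movement(events, window_minutes=10, min_hosts=5):
    """Flag an account whose network logons reach >= min_hosts distinct hosts
    inside any sliding window of window_minutes. One alert per account."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        if e["logon_type"] in NETWORK_TYPES:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "window_start": start["ts"].isoformat(),
                    "hosts": sorted(hosts),
                })
                break
    return alerts


if __name__ == "__main__":
    evs = parse_logons(SAMPLE_LOG)
    print(logon_mix(evs))
    for a in detect_lateral_movement(evs):
        print(f"ALERT {a['user']} from {a['window_start']}: {a['hosts']}")
```

On the constructed sample, alice's morning RDP logon is the only point where an MFA prompt could have applied; the burst of network logons to five different hosts at 13:10 is what the detector surfaces. The threshold and window are starting points to tune against an environment's own baseline of service accounts and administrators.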

Antti Tuomi, F-Secure: 100% bulletproof defences are impossible, but resisting attacks is definitely not pointless.

Ruvi Kitov, Tufin: many organisations are struggling to retain talent or ramp it up to full staffing.


global intelligence

QUANTUM LEAPS - AND BOUNDS

QUANTUM COMPUTERS WILL SOON SMASH THROUGH THE MATHEMATICAL CRYPTOGRAPHY WE RELY ON AS A SOCIETY, IT IS FORECAST. HOW DO WE KEEP OURSELVES SAFE THEN?

The time to prepare for a safe quantum computing future is now, argues Chris Erven, CEO, KETS Quantum Security. Why? "For the simple fact that, in today's world, we don't go 30 seconds without touching digital technology of some kind, all of which is networked, none of which is quantum-safe. We know that quantum computers will be experts at breaking the security of our current digital infrastructure. We need to upgrade this to be quantum-safe now."

He points to the 'Mosca equation' (posited by Michele Mosca of the Institute for Quantum Computing) to summarise when we need to worry about upgrading our cyber security. This equation is given by:

x + y > z

where:

x = the security lifetime of our data
y = the time required to upgrade to quantum-safe systems
z = the time to build a quantum computer.

"If it is going to take 10 years to upgrade and you want, for example, your online medical records to be secure minimally for 15 years - meanwhile a quantum computer is built in the next 5-10 years - then it is already too late! Best case, your sensitive data will effectively be unencrypted and in the clear for 20 years. And this 'store now, crack later' attack has been going on for years."
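To apply the Mosca inequality across an inventory of data rather than to one data set, here is an added Python example (mine, not Erven's or KETS Quantum Security's): it evaluates x + y - z for each class of data against an uncertainty range for z and uses the result to order a quantum readiness roadmap. Reading the shortfall x + y - z as the number of years that data protected today is in the clear is my interpretation of the argument above (with x = 15, y = 10 and z = 5 it gives the 20 years quoted); the data classes and their lifetimes are constructed.

```python
"""Added example: applying the Mosca inequality x + y > z to a data inventory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataClass:
    name: str
    lifetime_years: float  # x: how long this data must stay confidential


def mosca_shortfall(x, y, z):
    """Return x + y - z.

    Positive means quantum-safe protection is in place only after a quantum
    computer could exist. Read here (an assumption, not the article's wording)
    as the number of years data protected today is effectively in the clear."""
    return x + y - z


def assess(classes, migration_years, qc_years):
    """Evaluate every data class against a range of plausible z values.

    qc_years is an (earliest, latest) estimate for z. Per class, returns the
    exposure window across that range and the migration time you could have
    afforded given the earliest z (negative = already late)."""
    z_lo, z_hi = qc_years
    report = {}
    for c in classes:
        shortfalls = [mosca_shortfall(c.lifetime_years, migration_years, z)
                      for z in (z_lo, z_hi)]
        report[c.name] = {
            "at_risk": max(shortfalls) > 0,
            "exposure_years": (max(0, min(shortfalls)), max(0, max(shortfalls))),
            # Safe iff x + y <= z, i.e. y <= z - x; use the earliest z.
            "migration_budget_years": z_lo - c.lifetime_years,
        }
    return report


def prioritise(report):
    """Order data classes by worst-case exposure, longest first."""
    return sorted(report, key=lambda n: report[n]["exposure_years"][1], reverse=True)


# Constructed inventory; the first entry reproduces the article's numbers.
INVENTORY = [
    DataClass("online medical records", 15),
    DataClass("signed contract archive", 7),
    DataClass("marketing analytics", 1),
]

if __name__ == "__main__":
    rep = assess(INVENTORY, migration_years=10, qc_years=(5, 10))
    for name in prioritise(rep):
        print(name, rep[name])
```

With a ten-year migration and a quantum computer expected in five to ten years, every class in the constructed inventory is already exposed; the negative migration budget for the medical records shows how far behind that data set is, which is the point of running the check before choosing where a roadmap starts.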

Soon, he says, we will be living in a world

where most of our current forms of

cryptography will be useless, because

investment and developments in quantum

computing are only accelerating. "What is

more, we likely won't know when this

happens, because a quantum computer

capable of doing this represents such a huge

advantage, those who own it will keep it

secret."

The good news, though, is that we are not

defenceless. "Computer scientists, physicists,

and engineers have been working hard on

new quantum-safe methods." Two of the

biggest tools he identifies for the new

quantum-safe toolbox are:

post-quantum cryptography (PQC)

algorithms - new algorithms conjectured

to be immune to a quantum computer's

processing capabilities

and quantum cryptography (QC) - new

quantum hardware that has been proven

to be immune to a quantum computer.

What difference will this make to

computing security? "Well, we will have to

upgrade," he points out. "Think the Y2K bug,

but less hype and more well-reasoned

concern. And this upgrade will need to occur

both at the software and hardware level."

What can be done to ward off this

apocalyptic scenario? "At the highest level,

we need our telecommunications

infrastructure to be upgraded. This is behind

the EuroQCI Initiative, which aims to build a

secure quantum communications

infrastructure that spans the EU. Similar

initiatives exist now in the US, UK, China,

South Korea and Japan."

FIRST ACTIONS TO BE TAKEN

At the organisation level, the first things that need to be done are:

Recognise the problem

Put resource behind it

Perform a quantum-safe health check

And develop your organisation's quantum readiness roadmap.

Lastly, get involved in early innovation projects, he advises. "These new methods are different. PQC algorithms generally require more memory or are slower, while QC methods involve new hardware - these will have implications for your organisation. The best way to figure out the implications is to start experimenting with these new tools. Conveniently, this is the number one aim of the testbeds being built - to engage with end-users!"

You don't need a huge team of scientists either, is Erven's reassuring message. "A small team is more than enough to partner with the cutting-edge start-ups and SMEs pioneering quantum-safe solutions. Together, we can ward off the digital security apocalypse and continue to thrive as a civilisation using a quantum-safe version of the secure, connected, information infrastructure that has contributed so much to humanity's rapid developments of the last 35 years."

BLOODHOUNDS ON THE TRAIL

According to Roger Grimes, data driven defence evangelist at KnowBe4: "Your competitors or nation-states could be sniffing your currently protected network traffic, waiting for the day a few years from now when they can use quantum computers to crack your existing encryption. As we have seen, various nation states have no problem attacking every commercial company possible, if it contains intellectual property of interest or even simply to steal money. It is going to take any organisation many years to fully prepare for the necessary post-quantum transition.

32

computing security December 2021 @CSMagAndAwards www.computingsecurity.co.uk


global intelligence

"So, even if you started now, it would be years before your data was protected. And any organisation that either has sufficiently capable quantum computers now or in the near future, that wants your confidential data, could have an incentive to sniff your data now…or during the years of preparation you will require to get to post-quantum protections."

Grimes' advice? "Every organisation should begin immediately taking a data protection inventory. It starts by identifying all confidential data and the systems and cryptography that protect it. That means recording encryption, digital signatures and hashing algorithms used to encrypt, sign and verify content, along with key lengths. This sort of inventory should have already been done, but almost no one has done it.

"Creating it and maintaining it will be useful and valuable for the post-quantum migration and any other crypto migration afterward. The hardest part is the original data collection. Maintaining it is not nearly as hard. But that original data collection is likely to take many months, if not years, for most organisations. And, regardless of the quantum issue, simply understanding your cryptography state will lead to better crypto-agility and that will pay huge benefits forevermore. But you need to get going now. Data protection inventory and agility is not easy, and it takes a long time. So, get started now. Post quantum is your first valid reason."

From the data protection inventory, what happens next? "You then determine what data needs to be protected more than a few years, which is not protected with quantum-resistant cryptography," Grimes advises. "In some cases, like with symmetric encryption and hashes, it might mean simply increasing key lengths. And in others, like with asymmetric encryption, key exchanging and digital signing, it will mean replacing it with a quantum-resistant solution.

"Those solutions include post-quantum encryption, physical isolation, quantum key distribution and other quantum devices, like quantum random number generators. There is a coming Y2K-like problem…and really it is already here, and people do not realise it."
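The inventory Grimes describes becomes useful once each record can be classified automatically into the two outcomes he names: symmetric ciphers and hashes that stay but may need longer keys, and public-key encryption, key exchange and signatures that must be replaced, with long-lived data handled first. The Python below is an added example, not code from the article or from KnowBe4, and applies that split to a constructed inventory. The algorithm families, the 256-bit thresholds and the "more than a few years" horizon are assumptions chosen for illustration; the threshold reflects the widely stated rule of thumb that Grover's algorithm roughly halves the effective strength of symmetric keys and hash outputs, while Shor's algorithm breaks RSA, DH and elliptic-curve schemes regardless of key length.

```python
"""Cryptographic inventory triage.

Added example, not from the article or from KnowBe4. Each record captures what
a system uses to encrypt, sign, hash or exchange keys, with its key length and
how long the data it protects must remain confidential. Thresholds and the
sample inventory are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed thresholds: Grover's algorithm roughly halves effective symmetric
# and hash strength, so 256-bit keys and digests are treated as the floor.
MIN_SYMMETRIC_BITS = 256
MIN_HASH_BITS = 256

# Families broken outright by Shor's algorithm, whatever the key length.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}
SYMMETRIC = {"AES", "ChaCha20"}
HASHES = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-512", "SHA-1", "MD5"}
CLASSICALLY_BROKEN_HASHES = {"SHA-1", "MD5"}


@dataclass(frozen=True)
class CryptoUse:
    system: str
    purpose: str        # "encrypt", "sign", "hash" or "kex"
    algorithm: str
    key_bits: int       # key length, or digest length for hashes
    secrecy_years: int  # how long the protected data must stay confidential


def classify(use: CryptoUse) -> str:
    """Map one inventory record to an action: ok, increase-key-length, replace, unknown."""
    if use.algorithm in SHOR_BROKEN:
        return "replace"
    if use.algorithm in SYMMETRIC:
        return "ok" if use.key_bits >= MIN_SYMMETRIC_BITS else "increase-key-length"
    if use.algorithm in HASHES:
        if use.algorithm in CLASSICALLY_BROKEN_HASHES:
            return "replace"
        return "ok" if use.key_bits >= MIN_HASH_BITS else "increase-key-length"
    return "unknown"  # not in the registry: needs a human to look at it


def prioritise(inventory, horizon_years=3):
    """Records needing action, long-lived data first, then by system name.

    Only records whose data must outlive the horizon are returned, matching
    the advice to look first at data that needs protecting for more than a
    few years.
    """
    todo = [(u, classify(u)) for u in inventory]
    todo = [(u, action) for u, action in todo
            if action != "ok" and u.secrecy_years > horizon_years]
    return sorted(todo, key=lambda t: (-t[0].secrecy_years, t[0].system))


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = [
        CryptoUse("vpn-gateway", "kex", "ECDH", 256, 1),
        CryptoUse("records-db", "encrypt", "AES", 128, 15),
        CryptoUse("backup-vault", "encrypt", "AES", 256, 30),
        CryptoUse("code-signing", "sign", "RSA", 3072, 10),
        CryptoUse("legacy-portal", "hash", "SHA-1", 160, 5),
    ]
    for use, action in prioritise(sample):
        print(f"{use.system:14} {use.purpose:8} {use.algorithm:6} {use.key_bits:5} -> {action}")
```

The output of `prioritise` is the work list for the migration: the VPN key exchange is marked for replacement but drops out of the list because its sessions are short-lived, while the records database only needs a longer AES key yet ranks high because its contents must stay confidential for 15 years.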

NEXT MAJOR MILESTONE

There have been quite a few predictions about how quickly quantum computing will arrive. But whatever the exact date and time, it's clear that not just one, but two races have already begun, says Timothy Hollebeek, industry technology strategist, DigiCert. "The recent few years have exponentially accelerated the development of quantum computing, with a variety of breakthroughs and a number of grandstanding announcements from tech giants that they would be heavily investing in the area. Even in 2020, pandemic notwithstanding, quantum technology was striding ahead. The breakneck speed of quantum acceleration has kept up through 2021, too."

For all those developments, Hollebeek sees the next major milestone as the moment someone solves a problem with quantum that a conventional supercomputer simply cannot. "But even when that day comes, it won't mean that RSA or ECC encryption are in direct threat. Although quantum can break them, it would still require large quantum computers to do so."

Even when they're commercially available, quantum computers and technology will likely be prohibitively expensive to most, he adds. "What these ever-accelerating series of developments are likely to do is act in the same way that Moore's Law accelerated the development of classical computing. Each new development will further hasten the pace towards quantum technology, driving investment and innovation in the direction of more powerful quantum computers."

That's one race between researchers, scientists and organisations. "There's a more urgent race, too - between individual organisations' cryptography and the quantum algorithms which will be able to break current cryptography. The reality is we don't know exactly when quantum is going to become a threat and, as such, organisations need to start preparing."

Dave Bestwick, Arqit: not all forms of encryption will be obliterated. Symmetric encryption keys are not susceptible to quantum attack.

Chris Erven, KETS Quantum Security: we will soon be living in a world where most current forms of cryptography will be useless.

Roger Grimes, KnowBe4: every organisation should begin immediately taking a data protection inventory.

Timothy Hollebeek, DigiCert: being ready means getting to grips with Post-Quantum Cryptography (PQC).

That means getting to grips with Post-Quantum Cryptography (PQC). "Indeed, organisations can begin adopting hybrid RSA/PQC certificates and, critically, testing them in their own environments now."

But there's a more fundamental element that Hollebeek singles out when it comes to being ready for the arrival of quantum. "The threat that quantum poses to current cryptography won't just necessitate stronger algorithms, but will likely mean that organisations have to become a lot quicker on their feet when it comes to cryptography. Crypto-agility is a concept which organisations must start working towards quickly. Quantum threats will likely need a diverse array of algorithms to protect against and organisations will need to swap out encryption algorithms on the fly as security demands. That will be a significant task for most companies, involving a fundamental reshaping of how they do cryptography. Quantum threats, however, demand it."
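Crypto-agility in practice means that the algorithm is a piece of configuration rather than something baked into every call site, and that every protected object carries the identifier of the algorithm that protected it, so that old data can still be verified while new data moves to the current choice and retired algorithms are refused. The Python below is an added example, not code from the article or from DigiCert, and shows one such design using a policy-driven envelope. HMAC over standard hashes stands in for whatever primitive a production policy would select (a constructed assumption; the same layout applies equally to signature or cipher suites, which is what a PQC rollout would swap in), and the keys and payloads are constructed.

```python
"""Crypto-agility envelope.

Added example, not from the article or from DigiCert. A Policy names the
algorithm used for all new protections and the set of older algorithms still
accepted on verification; anything else in the registry is retired. Each
envelope carries its algorithm identifier, so rotating the policy changes
what new data uses without breaking verification of existing data, and
flags existing data that should be re-protected. HMAC over standard hashes
stands in for the real primitive (a constructed assumption).
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Registry of algorithm identifiers to constructors. Adding an algorithm is a
# registry entry plus a policy change, not a change at every call site.
REGISTRY = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha3-256": hashlib.sha3_256,
    "hmac-sha512": hashlib.sha512,
}


@dataclass(frozen=True)
class Policy:
    current: str                                      # used for new protections
    accepted: frozenset = field(default_factory=frozenset)  # still verified
    # Any registry entry that is neither current nor accepted is retired.


def protect(key: bytes, payload: bytes, policy: Policy) -> str:
    """Protect payload under the policy's current algorithm; returns an envelope."""
    if policy.current not in REGISTRY:
        raise ValueError(f"unknown algorithm {policy.current}")
    tag = hmac.new(key, payload, REGISTRY[policy.current]).hexdigest()
    return f"{policy.current}.{payload.hex()}.{tag}"


def verify(key: bytes, envelope: str, policy: Policy):
    """Return (payload, needs_reprotect); raise ValueError on retired alg or bad tag.

    needs_reprotect is True when the envelope verified under an accepted but
    no longer current algorithm, so the caller can re-protect it on the fly.
    """
    alg, payload_hex, tag = envelope.split(".")
    if alg != policy.current and alg not in policy.accepted:
        raise ValueError(f"algorithm {alg} is retired")
    payload = bytes.fromhex(payload_hex)
    expected = hmac.new(key, payload, REGISTRY[alg]).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch")
    return payload, alg != policy.current


if __name__ == "__main__":
    key = b"constructed-demo-key"
    old_policy = Policy("hmac-sha256")
    env = protect(key, b"hello", old_policy)
    # Rotate: new data uses SHA3-256, SHA-256 envelopes still verify but are flagged.
    rotated = Policy("hmac-sha3-256", frozenset({"hmac-sha256"}))
    payload, stale = verify(key, env, rotated)
    print(payload, "needs re-protection:", stale)
    print(protect(key, payload, rotated).split(".")[0])
    # Retire SHA-256 entirely: the old envelope is now refused.
    final = Policy("hmac-sha3-256")
    try:
        verify(key, env, final)
    except ValueError as err:
        print("refused:", err)
```

The point of the layout is the three-state lifecycle (current, accepted, retired) expressed in data: a migration becomes a sequence of policy changes, and the `needs_reprotect` flag lets stored data be upgraded opportunistically as it is read rather than in one disruptive pass.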

HUGELY DISRUPTIVE TO OUR DIGITAL WORLD

A five-to-10-year timeframe for quantum computing to become a reality is probably overly pessimistic, given the monumental investment by businesses, governments and investors around the world, states Dave Bestwick, CTO of quantum cryptography specialists Arqit. "Only recently, we witnessed another company, PsiQuantum, attain unicorn status and raise huge amounts of investment to bring a quantum computer to market within the next few years."

Businesses therefore need to be considering their options today, he cautions, because not only are malicious actors busy stockpiling data to decrypt as soon as quantum computing emerges, but also swapping from PKI to quantum encryption takes time.

"Quantum computing will be hugely disruptive to our digital world, as it will undermine the basic security foundations of the Internet," Bestwick points out. "Most internet communications are secured by PKI and quantum computers can break this method of encryption within minutes. Companies that own valuable patents, highly sensitive government data underpinning critical infrastructure and defence will all be vulnerable; as will bank details, health records and even cryptocurrency."

However, not all forms of encryption will be obliterated: symmetric encryption keys are not susceptible to quantum attack, he confirms. "This approach is endorsed by the American Encryption Standard (AES). However, until recently several barriers to adoption existed, most notably the problem of secure key sharing. Quantum key distribution can solve this problem, but its use over fibre networks is limited by signal absorption, which constrains practical key distribution to distances of less than about 150km."

This posed a problem for exchanging keys over larger distances, but this challenge has been eliminated recently with innovation from companies like Arqit, he asserts, which has "developed a way for quantum key distribution to take place over satellite systems to secure digital communications globally".

Bestwick is under no illusions that the menace from quantum computers is a clear and present danger, as it threatens to undermine PKI, which today forms the foundations for most secure digital communications. "However, innovations in the area of symmetric encryption mean that there is a way to avert disaster, but businesses need to act promptly to protect their data today and in the future," he concludes.


ADISA ICT Asset Recovery Standard 8.0 is formally approved by the UK ICO (Approval ICO – CSC/003 and ICO – CSC/004). Use an ADISA Certified company to be assured of UK GDPR compliance when disposing of your IT assets. Visit adisa.global to find out more.

Want to know how to retire assets so you can promote reuse AND meet data protection legislation? ADISA offers a range of training courses all presented by leaders in the field, including a brand-new course which helps data controllers write an asset retirement program to achieve the objective of meeting sustainability and security targets. Visit adisa.global/training to find out more.