CS1803

Computing
Security
Secure systems, secure data, secure people, secure business
Smart Cities:
Soft targets for a malicious breach
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
GDPR almost here!
Hefty fines and damaged
reputations await those who
fail to comply with the new
regulations
Crippling attacks on healthcare
The invaders who are
netting massive financial
cybercrime pay-offs
Deadly game of hide ‘n’ seek
How new advanced botnets
target and exploit their victims
Computing Security March/April 2018

IT Asset Retirement Specialists
Why Choose CDL?
Since 1999, CDL has evolved into one of the UK’s leading IT asset retirement
and data sanitisation specialists.
Our aim is simply to take away the hassles associated with IT disposal and provide
our customers with a complete peace of mind solution for the management and
retirement of redundant IT equipment.
Competitive pricing, an industry leading EU GDPR compliant disposal process
and the highest level of customer service are reasons why we have retained over
94% of our clients.
Legal Expo - London Exel
We are exhibiting at this years Legal Expo on the 21st & 22nd March. Come
along to stand 464 to discuss any aspect of IT asset retirement for your
business. We can also help ensure your business becomes EU GDPR
compliant in a few easy steps.
So what differentiates CDL from the competition?
EU GDPR compliant service
Full UK coverage with no minimum quantities
Use own tracked vehicles and security vetted drivers
Guaranteed collection within 5 working days
94% client retention rate since 1999
Multi award winning company
All staff security vetted
Data Sanitisation to the highest recognized standards
On-site media destruction service
ISO 9001, 14001, 18001 & 27001
ADISA accredited with Distinction
Investors in People Silver
Safe Contractor accredited
ICER member
Cyber Security Insurance
NHS IG Toolkit accredited
set RetirementSpecialists

comment
COUNCIL OF WAR
Anew and deeply disturbing report from Big Brother Watch reveals that UK councils
are severely unprepared for cybersecurity threats, with 25% of these authorities
experiencing a data breach in the last five years.
The report, 'Cyber attacks in local authorities: How the quest for big data is threatening
cyber security', reveals that, based on Freedom of Information requests made by Big
Brother Watch, UK local authorities have experienced in excess of 98 million cyberattacks
in that five-year timeframe.
"This means that there are at least 37 attempted breaches of UK local authorities every
minute," the civil liberties and privacy campaigning organisation reports. "In addition, at
least 1 in 4 councils experienced a cyber security incident - that is, an actual security
breach - between 2013-2017."
While some councils have taken measures to face the ever-growing threat from cyberattacks,
the areas of staff training and reporting of successful cyber-attacks especially
need urgent attention, it adds.
"Surprisingly, our current investigation reveals that little action has been taken to
increase staff awareness and education in these matters. We found that 75% of local
authorities do not provide mandatory training in cyber security awareness for staff and
16% do not provide any training at all. Considering that the majority of successful cyberattacks
start with phishing emails aimed at unwitting staff, negligence in staff training is
very concerning and only indicative of the low priority afforded to cyber security issues."
Big Brother Watch's findings further reveal that 25 local authorities experienced losses
or breaches of data in the past five years as a result of cyber security incidents. "Yet 56%
of councils who failed to protect data from cyber security threats did not even report the
incidents," it adds.
Clearly, if this situation continues, the consequences for local authorities and all those
whose information they hold are dire. What they need to do now, as a matter of
urgency, is review their policies with a view to mitigating the risks of cyber security incidents
that threaten the security of citizens' invaluable data. Anything less would be a
clear breach of trust between those councils and the millions of people they are supposed
to serve and whose sensitive personal data has been entrusted to them.
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
PRODUCTION: Abby Penn
(abby.penn@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
Louise Hollingdale
(louise.hollingdale@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2018 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk March/April 2018 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security March/April 2018
contents
CONTENTS
Computing
Security
Smart Cities:
Soft targets for a malicious breach
Crippling attacks on healthcare
The invaders who are
netting massive financial
cybercrime pay-offs
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
GDPR almost here!
Hefty fines and damaged
reputations await those who
fail to comply with the new
regulations
COMMENT 3
Council of war
Deadly game of hide ‘n’ seek
How new advanced botnets
target and exploit their victims
EDITOR’S FOCUS 6
• Evolving your security to the cloud
ARTICLES
PROTECTING DATA & PATIENTS 8
Cyber criminals are netting huge financial
returns from ransomware and other
crippling cyberattacks against healthcare
providers. Can they be stopped?
IT DISPOSAL: BEST WAY FORWARD 10
Legislation regarding IT recycling & disposal
is complicated. How do you select the best
disposal companies?
EVERYONE IS AT RISK 17
From spear phishing to ransomware and
the ever-present threat of bots, businesses
have good reason to lose sleep at night
DEADLY GAME OF HIDE ‘N’ SEEK 20
A botnet has been unearthed that uses
advanced communication techniques to
exploit victims and build its infrastructure
AN URGENT CALL TO ARMS 12
In Part 2 of our coverage on what might be
in store for businesses as 2018 gets into its
stride, Computing Security asked a number
of experts to do some more future-gazing
and to provide their top predictions for
cybersecurity across the rest of the year
RISK & REWARD IN THE BIG CITY 18
Back in the 1960s, Disneyland had a ride
called 'Utopia'. It was a glimpse into the
future of 'human cities' and gave us a taste
of just what smart cities might be like.
Alastair Hartrup, Global CEO, Network
Critical, takes up the story from there
TASTE OF THINGS TO COME 22
London-based technology start-up Red Sift
singles out three major trends it thinks will
dominate in the months to come
REVIEWS
• Titania Paws Studio 3.2.2 28
MASTERCLASS 30
Charlotte Gurney, group marketing
manager at Brookcourt Solutions,
provides key insights on a crucial issue that
challenges so many enterprises
4
IT’S TIME TO BE VERY READY! 24
The General Data Protection Regulation
(GDPR) comes into force this May and will
overhaul how organisations store, secure
and manage their customers' data.
Swingeing penalties await those who
fail to comply
DRIVING INTO THE UNKNOWN 32
THE DARK DESTROYERS 31
Connected cars are a reality; most modern
Over one million leaked and hacked
vehicles on the road nowadays have some
credentials found on the Dark Web
form of connectivity to the open world.
This raises important challenges on multiple
AI VERSUS A HUMAN HACKER 34
software integration and cybersecurity
How does machine learning and artificial
intelligence (AI) impact cyber security?
We find out from someone in the know
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

helping our customers do great things
we help our customers do great things
IPEXPO
manchester
25-26 April 2018,
Manchester Central
REGISTER FREE
• 95+ World-class speakers
• 100+ Industry leading vendors
• 9 Theatres
• Live Demos
• Everything you need
under ONE roof
CLOUD & IOT
CYBER SECURITY
MANCHESTER
NETWORKS &
INFRASTRUCTURE
DATA & ANALYTICS DEVOPS AI
www.ipexpomanchester.com
SPONSORED BY
helping you do great things

editor's focus
EVOLVING YOUR SECURITY FOR THE CLOUD
HOW DOES AN ORGANISATION MIGRATE TO THE CLOUD, WHILE KEEPING SECURITY TOP OF MIND AND
STAYING SAFE?
Maya Kaczorowski, product manager,
Google Cloud.
Global management consulting
firm McKinsey recently released
a report titled 'Making a secure
transition to the public cloud', the result
of interviews with IT security experts at
nearly 100 enterprises around the world.
Drawing on the expertise of Google
Cloud and McKinsey security experts,
the research presented a strategic
framework for IT security in cloud
and hybrid environments, and offered
recommendations on how to migrate
to the cloud, while keeping security top
of mind.
According to Maya Kaczorowski,
product manager, Google Cloud, the
research shows what many already
know: that public cloud adoption is
accelerating, thanks to increased
technical flexibility, simpler scaling and
lower operating costs. "What's exciting is
that the research also reveals that many
Chief Information Security Officers
(CISOs) no longer view security as an
inhibitor to adoption, but instead an
opportunity," she states.
In fact, the McKinsey report authors
write that… "In many cases, [CISOs]
acknowledge that cloud service
providers' security resources dwarf their
own" - and now these companies are
focused on how to best adopt and
configure cloud services for increased
security." It's a launch pad from which
Kaczorowski addresses several points
about the global cloud and specifically
the following:
When implemented properly, publiccloud
adoption can significantly reduce
the total cost of ownership (TCO) for
IT security
This requires enterprises, cloud
providers, and third-party service
providers to work together
collaboratively and transparently within
a shared security model. Google Cloud
has long believed in creating trust
through transparency, previously
releasing a detailed overview of our
infrastructure security, explaining our
shared responsibility model, and how we
already protect our users and customers
at the lower layers of the stack-and
we're thrilled to see McKinsey's detailed
endorsement of the same approach.
Common security approaches and their
trade-offs
Every company has different IT needs,
but the report found two common
security decisions companies take when
adopting cloud services: (1) defining the
perimeter, and (2) deciding whether to
re-architect applications for greater
manageability, performance and security
in the cloud (interestingly, only 27% of
companies surveyed actually do thischange
is hard).
The research identifies three common
archetypes for perimeter security, says
Kaczorowski: backhauling, cleansheeting
and adopting cloud provider controls
by default.
Backhauling allows companies to
continue managing IT security onprem,
with an external gateway
connecting the data centre to the
public cloud. Approximately half of
the companies surveyed currently use
this model, but only 11% plan to
06
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

editor's focus
continue doing so, since it can keep
companies from realising certain
cloud benefits, such as agility.
Cleansheeting requires greater
investment and expertise, as it calls
for redesigning IT security around
a 'virtual perimeter', and leveraging
multiple cloud-native tools and
services.
Using cloud provider controls is the
most cost-effective solution, but -
depending on the cloud provider -
can limit autonomy and may offer
limited capabilities.
McKinsey uses these three models,
comments Kaczorowski, along with the
decision to re-architect applications for
the cloud, to identify six 'archetypes' for
cloud security. Each archetype has its
own trade-offs, she points out, adding
that there isn't a 'right answer' for
security when making a move to the
cloud-it depends on your company's
expertise, flexibility and cost decisions.
"And you don't have to use only one
archetype," she adds, citing as an
example how Evernote (the company
behind the app designed for note taking,
organising, tasks lists and archiving)
describes its migration story to the
Google Cloud platform thus:
"For most of our controls, we found
an equivalent, cloud platform version.
For data encryption at rest, we gained
a security control that we hadn't
engineered on our own. For some
controls, like IP whitelisting, we had to
adapt our security architecture to not
rely on traditional network controls."
(Rich Tener, director of security,
Evernote).
The economics of cloud security
Relying on cloud service provider security
controls is "the most cost-effective
approach," the authors write. "As
organisations move more and more
applications to the public cloud and
lean towards using native CSP controls,
a decrease in security operating and
capex costs is likely." Eighty per cent of
companies that choose to rely primarily
on the cloud provider's controls and rearchitect
their applications in parallel see
cost savings.
So, if you're planning a cloud
migration, where should you focus your
security efforts? That is the question
Kaczorowski then homes in on.
"McKinsey asked respondents about their
approach to applying cloud security
controls in several areas to find out what
companies are doing," she reports:
Identity & access management (IAM):
60% of enterprises are using onpremises
IAM solutions; in just three
years respondents expect that
number to be cut in half. At Google,
we provide a tool called Google
Cloud Directory Sync, which helps
users bring existing identities to
Google Cloud and manage cloud
permissions natively with IAM.
Encryption: The majority of
respondents encrypt data both at
rest and in transit - and even more
(upwards of 80% in both categories)
will do so three years from now.
Google Cloud already encrypts data
at rest by default, and in transit
when it crosses a physical boundary.
Perimeter security: Today, 40% of
enterprises are backhauling data
traffic and using existing on-premises
network security controls - but that
will decrease, with only 13%
expecting to be using the same
approach in three years' time.
"To help enterprises make the move to
cloud-based perimeter control, Google
Cloud lets users connect to their onpremises
environment using Dedicated
Interconnect, as IPsec VPN tunnel, direct
peering or carrier peering. Google Cloud
users can also control their perimeter
with a Virtual Private Cloud (VPC)," she
points out, offering these insights:
Application security: 65% of
respondents define security
configuration standards for cloudbased
applications, but less than
20% are using tools or templatebased
enforcement. To address this,
Google Cloud offers Cloud Security
Scanner, an automated way to scan
apps for common vulnerabilities.
Operational monitoring: 64% of
respondents use existing SIEM tools
to monitor cloud applications rather
than creating a new set for the
cloud. Google Cloud users can export
logs from Stackdriver to the SIEM of
their choice.
Server-side endpoints: 51% of
respondents have a high level of
confidence in their cloud service
provider's approach to server-side
endpoint security. Google Cloud
customers can use a variety of
partner tools for endpoint security.
User endpoints: 70% of respondents
believe public-cloud adoption will
require changes to user endpoints.
Google created the BeyondCorp
enterprise security model to allow its
employees to work from anywhere,
and our customers can do the same
with Identity Aware Proxy. In
addition, Chromebooks provide
automatic software updates and run
applications in a restricted sandbox.
Regulatory governance: When
adopting public cloud, companies
must navigate governance and
compliance requirements, with data
location and financial regulations
topping respondents' list of concerns.
Google Cloud has a broad spectrum
of compliance, including PCI, SOX,
and HIPAA.
For those interested in finding out
more, the report also includes a tactical
10-step plan for successful cloud
migration. Go to: http://bit.ly/2AnzWFh
www.computingsecurity.co.uk @CSMagAndAwards March/April 2018 computing security
07

healthcare
PROTECTING DATA TO PROTECT PATIENTS
CYBER CRIMINALS ARE NETTING MASSIVE FINANCIAL RETURNS FROM RANSOMWARE AND OTHER
CRIPPLING CYBERATTACKS AGAINST HEALTHCARE PROVIDERS. HOW CAN THEY BE STOPPED?
MARK SANGSTER, VP AND INDUSTRY SECURITY STRATEGIST WITH ESENTIRE, OFFERS HIS INSIGHTS
Healthcare providers, support
services and technology
manufacturers have emerged as
a favoured target of cyber criminals.
Beyond the headlines of NHS shutdowns
and delayed patient care, multiple
studies, from the Information
Commissioner's Office (ICO) to security
research institute Ponemon, confirm
healthcare as the industry's most
vulnerable to cyber-attacks.
Operational cyber-attack data generated
from 24x7 monitoring of healthcare
providers, insurers and equipment
manufacturers indicate that these
organisations face a significant exploit
every hour of the day, which is four times
more than financial services or law firms
(2018 eSentire Security Operations Data).
Such exploits vary in nature, but require
security expert intervention, after the
exploit evades standard prevention
technologies, such as anti-virus, firewalls
and intrusion prevention systems.
"Headlines about systems hospital
shutdowns only serve to paint healthcare
as a lucrative target and invigorate
criminal activities to develop industryspecific,
contextually-accurate lures that
yield higher success rates in network
infiltration and malware infections," says
Mark Sangster, VP and industry security
strategist with eSentire. "Attacks today
are more targeted and obtain payments
through extortive negotiations.
Ransomware attacks (malware that locks
and encrypts files and then demands
payment to unlock the files) have evolved
to become denial-of-service attacks to
threat medical service disruption and
patient care interruption."
CRIMINAL PROFITS
Stolen medical records also yield tidy
criminal profits. Whether public service
or private practice, medical records are
sold for 150% more than other personal
data.
"Healthcare organisations also face
financial losses and penalties for
mishandling confidential patient records.
In 2016, the ICO fined Brighton & Sussex
NHS Trust £325,000 for the loss of highly
sensitive data including HIV positive
patients. More recently in 2017, the ICO
fined Lister Hospital, a facility owned
by private health company HCA
International, after patients' fertility
records were not secured. Unencrypted
audio recordings were sent to an Indian
transcription company. The files, which
had been stored on unsecured servers,
were exposed to unrestricted internet
searches." The worrying factor is that
these sorts of fines and events will only
increase with the implementation of
8
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

healthcare
more stringent privacy laws, such as the
European Union General Data Protection
Regulation (GDPR) that comes into effect
in May this year (see page 24).
In the US, nearly £17 million was levied
against healthcare providers who failed
to meet the requirements of the Health
Insurance Portability and Accountability
Act (HIPAA) that provides data privacy
and security provisions for safeguarding
medical information, Sangster reveals.
"Most notably, 21st Century Oncology,
which operates nearly 200 treatment
centres across 17 US states, was fined
£1.6 million for exposing 2.2 million
records and further incurred an
additional £850,000 in Corrective
Action Plan (CAP) expenses. Recently,
a Washington area provider, MedStart,
suffered a massive cyber-attack that
crippled operations across 10 hospitals,
250 outpatient clinics, and affected
30,000 employees and hundreds of
thousands of patients."
The costs associated with cyber
breaches go well beyond the immediate
service disruption and clean-up costs.
Victimised or negligent healthcare
providers lose estimated millions to
resulting employee training, enhanced
security services, patient notifications,
public relations fees, solicitor fees and
potential legal actions. Fines and cleanup
represent the proverbial tip of the
fiscal iceberg.
PREVENTING DATA BREACHES
The collaborative nature of medical care
leaves the industry vulnerable to elegant
cyber attacks and data loss at the hands
of employees, adds Sangster. "Much
of this risk can be mitigated using
standardised technologies and practices.
The National Cyber Security Centre
(a part of GCHQ) recently introduced
Network and Information Systems
(NIS) guidelines and objectives and
frameworks for essential services."
Most notable in the NCSC frameworks
is distinction between security
monitoring (section C1) and proactive
event discovery (section C2). "Security
monitoring pertains to known threats
and compliance management through
web and traffic monitoring, and IP
connection reputation. Section C2
addresses the need to detect unknown
attacks through proactive event
discovery. Rightly so, the NCSC breaks a
common misconception that compliance
mechanism will detect all security
threats. Security operations data
commonly reveals billions of events that
are detected inside perimeter defences.
Cyber criminals employ techniques to
evade standard security monitoring
tools, such as anti-virus software or
signature-based intrusion detection
systems, which gives a direct indication
of compromise."
PROACTIVE DISCOVERY
Section C2 is critical to healthcare
providers who must defend against
determined and well equipped cyber
attackers. "Proactive discovery methods
scour indirect, non-signature based
indicators of compromise, including
unusual traffic patterns and deviations
from normal user activity," he further
comments. Other, less direct, security
event indicators may provide additional
opportunities for detecting attacks that
could result in disruption to essential
services. The HIPAA standard also
provides administrative, physical and
technical guidelines around the
protection of protect healthcare
information (PHI). Sangster offers the
following tips:
Assign a designated qualified security
practitioner to build a comprehensive
security programme
Conduct an annual risk assess to
identify vulnerabilities and attack
scenarios
Conduct regular security awareness
training for all employees and
Mark Sangster, VP and industry security
strategist with eSentire
conduct friendly phishing attacks to
test your defences
Encrypt mobile devices and
workstations to reduce the risk of
unauthorised access to data
Design and test an incident response
and service restoration plans.
Cyber criminals are netting massive
financial returns from ransomware and
other crippling cyberattacks against
healthcare providers. "This trend will only
escalate as criminal organisations focus
well-tested attacks on healthcare
organisations and their vendors, and
resulting breaches lead to punitive fines,
lost revenue, and crippled patient care,"
he warns. "Healthcare organisations must
recognise this trend and self-identify as
a cyber target. As the adage goes, an
ounce of prevention is worth a pound of
cure. It's time for the healthcare industry
to invest in prevention through
cybersecurity employee training,
programme development and defences
to extend beyond the identification of
last year's attacks."
www.computingsecurity.co.uk @CSMagAndAwards March/April 2018 computing security
9

IT recycling
I.T. DISPOSAL: SELECTING THE BEST
LEGISLATION REGARDING IT RECYCLING & DISPOSAL, NOT TO MENTION THE FORTHCOMING GDPR
REGULATION, IS COMPLICATED ENOUGH. JEAN-PIERRE NAYLOR, DIRECTOR, COMPUTER DISPOSALS LTD,
OFFERS HIS THOUGHTS ON CHOOSING THE RIGHT I.T. DISPOSAL COMPANY
Thankfully, with a little guidance, you can
make an informed decision and choose
a reputable IT disposal company from
amongst the myriad of so-called 'asset
retirement' companies. The following guide is
by no means exhaustive, but hopefully will
provide a basis to assist you in selecting the
right service provider.
Does the IT recycling company have
appropriate licenses and accreditations?
A waste carrier and environmental permit are
mandatory legal requirements. ISO 9001 and
14001 should be pre-requisites and ISO
27001 highly desirable, as are memberships
of governing bodies. Ask your prospective
recycling company for a list of their licenses
and accreditations.
Also check what measures your IT recycling
company have in place to ensure you both
meet the forthcoming GDPR regulation.
What documentation does it provide?
IT recycling companies must provide you with
both a Hazardous Waste Consignment Note
and a Duty of Care Transfer Note on the day
of collection, which covers you from an
environmental perspective.
Reputable IT recycling companies should
provide you with an asset report providing
you with a detailed breakdown of all
equipment collected, including data
sanitisation certification. Ask for sample
reports, so you can see the level of
information you will receive.
How is your data sanitised?
There have been a number of high profile
cases recently where organisations have fallen
foul of the Data Protection Act by allowing
sensitive and/or privileged information to
reach the public domain. In most cases,
this can be traced back to the IT recycling
company that simply did not take
appropriate measures to erase or safeguard
their client's information.
The only NCSC or CPA (formerly CESG)
approved data erase software is White
Canyon or Blancco. If your prospective
recycling company is not using one of these
software suites, look elsewhere.
Does it use its own vehicles and drivers?
In terms of sensitive data, your equipment
is at its most vulnerable between the point
of collection and return to the recycling
company, yet many companies continue
to use third party carriers to collect and
transport your equipment. Ask your
prospective recycling company to confirm
their transport arrangements. Desirables here
would be companies that use their own
satellite-tracked and CCTV-equipped vehicles
and security vetted drivers.
Does it offer on-site media destruction?
With the increasing number of high-profile
cases where large organisations are being
fined for data breaches, many companies are
finally realising the importance of protecting
their data and ensuring it is sanitised
correctly. An increasing number of companies
are requesting on-site destruction for all
forms of media. Check that your IT disposal
partner can offer this service.
Don't be fooled by a flashy website!
Insist on a site visit. You will be amazed at the
disparity in set-ups. A flashy website can hide
Jean-Pierre Naylor, director, Computer
Disposals Ltd.
a multitude of sins. If the IT recycling
company appears reluctant to offer a site
visit, look elsewhere.
Where should I look for a reputable IT
recycling company?
There are enough established and reputable
IT recycling companies to enable you to make
a safe and informed decision when selecting
your disposal partner. Accrediting bodies,
such as ADISA, are a good source, as
members have to pass strict criteria, in terms
of security and scope of service, although
please bear in mind that not all ADISA
members use their own transport and drivers.
Further information can be found at
www.computerdisposals.com and
www.adisa.global.
10
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

Join the IT leaders
taking the simply unified
route to cloud security.
IT Governance is getting more complex, the penalties more worrying
and your competition more cloud-based and agile. WinMagic’s
pervasive, everywhere encryption approach is the way forward.
By simply securing your IT environment from endpoints across any
cloud, you gain a low-cost, low-risk route to compliance and growth
supported by a unique new breed of intelligent key management.
Get in touch today!
Contact our specialists and see how simple securing cloud can be.
Email us today at sales@winmagic.com or call 01483 343020

2018 predictions
AN URGENT CALL TO ARMS
IN THIS SECOND PART OF OUR TOP PREDICTIONS FOR CYBERSECURITY IN 2018, SEVERAL EXPERTS
REVEAL WHAT MAY BE LYING IN WAIT. AND IT DOESN'T ALWAYS MAKE FOR EASY READING
Whatever we may have thought
of the many breaches, hacks
and ransomware attacks that
hit the headlines in 2017, do things look
any better, now that we have some
objective distance between us and those
turbulent 12 months? The truth is 2018
looks like being 'more of the same', with
the rhetoric regarding state-sponsored
cyber assaults only ramping up. Add in a
dusting of former spies being allegedly
poisoned on UK soil and the feeling that
we've slipped between the covers of a
John Le Carré novel only intensifies.
According to the latest research from
Gartner, spending on information
security services will reach $93 billion in
2018, an increase of eight per cent from
2017. Cybersecurity expert Simon Bain
from BOHH Labs suggests that this
increased investment will be required to
address a number of critical challenges
in 2018. This includes rising website
attacks, chatbot technology threats and
the need for greater cyber security
awareness at board-level.
All of which serves to remind us that
can go wrong, will go wrong in
cyberspace… unless, of course, we show
unstinting vigilance in our own
backyards to protect our organisations
from the meteor shower of attacks now
bombarding us across what seems to be
every moment of every day. Feeling safe
may be the outcome of ensuring every
conceivable precaution has been taken.
Being safe is a much different story,
which is only as real as for however long
that lasts.
Read on for our experts' predictions as
to where the greatest dangers may lurk
over the coming several months…
SIMON BAIN, CEO, BOHH LABS:
Addressing ongoing cyber security threats
represents a challenge for any
organisation both practically and
financially, and 2018 will unfortunately
be no different. Looking ahead, there will
be several notable issues that firms will
need to strongly prepare for.
One of the type of attacks that we will
see gain more traction in 2018 is the
website attack. With the growing use of
online services (checking accounts,
merchant accounts and Point-of-Sale
(POS) systems, etc. now going through
the web) the risk of attacks is large and
has the potential to affect any institution
using these services, as it opens access to
institutions' backend databases,
document stores and applications all
12
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

2018 predictions
within easy reach. This type of attack is
very hard to find, but it is incredibly easy
for attackers to undertake. Because an
attacker can gain access to the website
via high jacking a user's request, and then
by simply making a small change to the
code to redirect payment information
their way while not stopping the correct
path of the request, it makes it easy for
attackers to get access to critical data
without alerting any red flags.
Critically, the website is no longer just a
marketing tool. It has become a business
tool, and as such, it now needs to be
properly protected from attacks and
placed inside a firewall, and preferably
completely encrypted, so that attackers
are unable to change, manipulate and
delete code to their advantage.
MARKUS BRAENDLE, HEAD OF THE
AIRBUS CYBERSECURITY BUSINESS:
Social media platforms are regularly
being used for the spread of fake news
or the manipulation of public opinion.
But social media can also be used for
sophisticated social engineering and
reconnaissance activities which form the
basis of many attacks on the enterprise.
Criminals and hackers are known to use
these platforms to distribute malware,
push rogue antivirus scams and phishing
campaigns to lure their victims.
Social media provide the medium for
connecting people globally, in the rapid
exchange of ideas, discussions and
debates in our digital world. However,
from an attacker's perspective, social
media have become an easy target
because of the number of non-cyber
security savvy users, and the fact that
these platforms are easy and cost
effective to use. To protect themselves
against social media attacks,
organisations need to implement
enterprise-wide social media security
policies. This includes designing training
programs for employees about social
media usage and creating incident
response plans that coordinate the
activities of the legal, HR, marketing and
IT departments in the event of a security
breach. Attacks on Wireless networks will
increase, as attackers seek to exploit
the Key Reinstallation Attack (KRACK)
vulnerability, first made public in October
2017. The vulnerability can allow an
attacker to intercept and read Wi-Fi
traffic between devices and a WiFi router,
and in some cases even modify the traffic
to inject malicious data into websites.
It could also allow attackers to obtain
sensitive information from those devices,
such as credit card details, passwords,
chat messages and emails.
Concerns about data privacy, the
increasing use of cloud computing,
an increase in data breaches and the
introduction of General Data Protection
Regulation (GDPR) will all contribute to
the emergence of End to End Encryption
(E2EE) as the most effective way for
enterprises wishing to secure their data.
But E2EE will also represent some
challenges to law enforcement, as
criminals continue to use this technique
for espionage and subversion.
TRAVIS FARRAL, DIRECTOR OF
SECURITY STRATEGY, ANOMALI:
Widespread cryptocurrency mining
Cryptocurrency mining will become one
of the major monetisation avenues for
attackers, as more and more attacks and
malware include mining functionality to
generate revenue. In particular, a focus
will be on in-browser mining that will be
the result of website attacks. A simple
few lines of Javascript can cause visiting
browsers to 'mine' cryptocurrency while
on the affected sites. This has been
occurring previously, but not as
widespread as it likely will be in 2018.
An increase in DDoS attacks
The return of mega DDoS attacks via IoTpowered
botnets is likely in 2018. These
have been pretty silent, compared to last
year's attack against Dyn that took down
many commonly used services, but could
come back in a more nefarious way.
The next wave could potentially affect
large swathes of Internet services either
by design or as collateral damage from
another entity being hit, due to the sheer
size of the attack. The wide attack
surface of IoT devices makes them
particularly attractive for botnets.
Encouraging young talent into the
industry
The skills gap is definitely still holding the
industry back. As cyber warfare
increases, governments need to upskill
the next generation of defenders. Figures
around the cyber skills shortage make for
sobering reading.
A report from Frost & Sullivan and (ISC)
found that the global cybersecurity
workforce will have more than 1.5
million unfilled positions by 2020. Both
private and state schools need strong
cyber programs and academies should
look to develop cyber skills in children
from disadvantaged backgrounds. This
will hopefully prevent talented teenagers
being sucked into the dark side.
Stealthy 'fileless' attacks will increase
There is likely to be a move towards
more sophisticated 'fileless' attacks
(malicious scripts that hijack legitimate
software, without installing themselves).
There has already been a sharp rise.
Such attacks are very difficult to stop
with existing endpoint security and
organisations will need to move to the
next generation of defences. The focus
will likely be on other industries outside
of financial services. As the banks
become more resilient in their ability to
profile and learn from actors, less well
protected organisations could be
targeted, as we have seen with Forever
21 and the Jewson attacks in the UK.
www.computingsecurity.co.uk @CSMagAndAwards March/April 2018 computing security
13

2018 predictions
Rik Ferguson, Trend Micro: executives
should prioritise vulnerability
management.
Tod Beardsley, Rapid7: cyber criminals
will continue to spend their efforts on
much softer targets.
More integrated collaboration is required
The likes of NSC and GCHQ are being
effective in their limited remits and are
busy disrupting many adversary groups.
But they need to move faster and cannot
be limited to cybercrime. There must also
be a focus on state-sponsored hacktivism
and other sophisticated attacks, and
levels of awareness and associated
education should be increased
concurrently.
TOD BEARDSLEY, RESEARCH
DIRECTOR, RAPID7:
In an online world dominated by FAMGA
(Facebook, Amazon, Microsoft, Google
and Apple), I expect to see very few
actively exploited vulnerabilities in newly
created and distributed software from
these mature technology vendors. The
hegemony of these companies will ensure
a highly secure operating environment
within each of their areas of dominance.
Occasional issues will surface, of course,
but, on the whole, the computing
environment for the average person will
have a marked lack of 'classic' software
vulnerabilities.
However, this lack of 'new' bugs will not
put cyber criminals out of business. They
will continue to spend their efforts on
much softer targets. These would include
older software stacks that rarely see
regular software updates - multifunction
printers, home and enterprise switches
and routers, and Internet of Things
devices that ship old and unpatchable
software. I also expect to see continued
sophistication on the part of attackers
in their ability to trick, scam and phish
credentials out of users, where either
no bugs, or old bugs, are required for
successful exploitation.
ANDY HARRIS, CHIEF TECHNOLOGY
OFFICER, OSIRIUM:
There were some near misses, in terms of
cloud side data breaches in 2017.Given
the speed of the development of clouds,
we predict a major cloud side breach in
2018. By this, we mean a breach that
happened within cloud security at the
virtual machine hypervisor level, rather
than the level of the operating systems
and containers that the customer
organisation provisioned.
With almost certainty, this breach will
have a pivotal insider element. The net
result will be that cloud employees will
be subject to greater screening and
better salaries. It's pretty obvious who
will pay, but the greater question is
when; our guess is that investmentdriven
land rush will prevail and cloud
prices will remain low until 2019.
As always, data security will revolve
around the people that have access to
privileged accounts. The Privileged Access
Management (PAM) market will continue
to grow, but in different areas; more
insourcing and more dedicated and
outsourced security operation centres.
The cloud market will wake to the need
for PAM and outsourcers in chains of
outsourcing will be reviewing their
contracts, in terms of security.
In our part of the market, tasks will
grow yet again. Privileged Robotic Tasks
already form a large part of security and
network operations for larger customers
and we predict we will see a roll down
effect to the mid-market, where those
with security responsibilities will want to
reduce the number of people that can
use unfettered privileged accounts.
CHARL VAN DER WALT, CHIEF
SECURITY STRATEGY OFFICER,
SECUREDATA:
The 2007 financial crisis brought to light
just how interconnected today's economy
really is. All areas of business were
affected, with exposure to debt being
shared. The cybersecurity industry is no
different. Security 'debt' is a liability or
obligation to pay or render something.
14
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

2018 predictions
Technical Debt is already a well
understood concept in software
development - the cost of additional
rework caused by choosing an easy
solution now, instead of using a better
approach that would take longer or
cost more.
This translates well into security; not
as the potential downside resulting
from a decision to compromise, but
as the direct, concrete, real-time and
quantifiable cost of a trade-off between
the best possible approach to securing
something and the more attractive,
practical, convenient or affordable
approach. Security debt can be compared
to monetary debt. If debt is not repaid,
it can accumulate 'interest' and grows
over time until it is repaid.
It sits on a business' balance sheet in
big red letters for all the world to see,
speaking to the very heart of the business
- its value. If business have more liabilities
in the form of security and other debt
than it has assets, then you're bankrupt
and eventually you must fail.
In 2018, we may see the damaging
effects of Security Debt that has been
stacking up in the form of legacy code,
third party libraries and dependencies,
and even architectures used by
companies. This has been building
up for the past 30 years and may
be catastrophic, if the right set of
circumstances come to pass. Companies
have been living on borrowed security
for too long and 2018 may the year
when those debts get collected.
RIK FERGUSON, VP OF SECURITY
RESEARCH, TREND MICRO:
We at Trend Micro are constantly
scouting out future threats that will have
the greatest impact for businesses and
we predict which vulnerabilities will make
the biggest waves in the coming year.
Many devastating cyberattacks in 2017
leveraged known vulnerabilities that
could have been prevented, had they
been patched beforehand. This trend will
continue next year, as corporate attack
surfaces expand and expose more security
holes. While this remains a challenge
for enterprises, executives should
prioritise vulnerability management
as they make 2018 cybersecurity plans,
particularly in the looming shadow of
GDPR implementation.
Ransomware will continue to be a
mainstay, due to its proven success.
There will be an increase in targeted
ransomware attacks, in which the
criminals go after a single organisation
to disrupt operations and force a larger
ransom payout. Business Email
Compromise (BEC) attacks will also
continue to gain popularity with
attackers, as the return on investment
for successful attacks is quite high.
PAUL MCEVATT, SENIOR CYBER THREAT
INTELLIGENCE MANAGER, FUJITSU UK
& IRELAND;
BRYAN CAMPBELL, SENIOR SECURITY
RESEARCHER, FUJITSU UK & IRELAND:
Cyber Threat Intelligence (CTI) can be
defined in many different ways and it can
simply be a threat feed. In the coming
year, it will be important to use threat
intelligence to provide an early warning
system to customers and context to
threats. In short, by doing the hard work,
so customers don't have to be dependent
on the service and level of access,
suppliers can actually block threats before
they have a chance to do any damage.
That threat intelligence, in most cases, is
simply providing guidance on 'protecting'
using basic defences such as patch
management. It's challenging in any
corporate environment expressing the
severity of a vulnerability not only as a
technical risk, but also a financial, human
and business risk. In a perfect world we
would patch all the things, but reality
dictates an alternative practical world.
More often than not, patching a financial
system for a critical vulnerability in Java
the day before end of the financial year
will not whet many appetites through
fear of breaking the system, despite
successful pre-production patching.
Combining vulnerability management
with threat intelligence is a great use case
for protecting corporate environments.
Customers are right to be worried about
the next strain of global cyber-security
incidents, but with last year's Petya and
Wannacry outbreaks, the malware used
an SMB vulnerability for propagation
known months earlier that simply needed
patching. For example, here at Fujitsu, we
actually provided a threat advisory on
that patch to CTI customers three months
before Petya spread. What's more, we
also provided our CTI customers with a
threat advisory of the Apache Struts
vulnerability Equifax was exploited with
several months earlier. We also observed
exploits in the wild for this attack, so
there was clearly a high impact.
The line between cyber security and
politics is distorted with continued reports
of election tampering or breaches of
government agencies and departments.
Investigations surrounding the US Election
will rumble on into 2018 with core
concerns around the manipulation of
security controls and 'sleight of hand'.
There were reports of similar inferred
disruptive activity during the 2017 French
election. In recent years, senior members of
political parties around the world became
all too familiar with concepts such as
'Phishing' and 'Incident Response'.
In the case of the Democratic National
Committee (DNC), the infamous
compromise, which Crowdstrike traced
back to Russia, the monthly cost of the
incident response to remove the attackers
from the DNC network was reportedly
$50k a month.
www.computingsecurity.co.uk @CSMagAndAwards March/April 2018 computing security
15

2018 predictions
Markus Braendle, Airbus CyberSecurity:
criminals will continue to use end-to-end
encryption for espionage and subversion.
Travis Farral, Anomali: cryptocurrency
mining will become one of the major
monetisation avenues for attackers
Nation States continue to grow in cyber
security expertise with the skill, will
and resource to monetise from their
endeavours or disrupt their neighbours.
Not every threat model needs to protect
against adversaries that seek to
destabilise a nation, however, with the
increasing adoption of digital services
and frequent attribution of cyber-attacks
to Nation States, it is feasible to suggest
attacks against commercial entities to
support political objectives will only
continue to increase.
ADRIAN DROZD, FROST & SULLIVAN
DIGITAL TRANSFORMATION
RESEARCH DIRECTOR:
The managed security services (MSS)
market in Europe, Middle East and
Africa (EMEA) is experiencing significant
transformation. While new market
entrants with network-based MSS
propositions and remediation capabilities
are disrupting the MSS provider (MSSP)
landscape, mature technologies such as
cloud migration, enterprise mobility, and
always-on availability are boosting MSS
adoption. These factors have stoked
demand for expert security professionals,
who are in short supply. Partly in
response to this human resource crunch
and the need to ensure compliance with
Europe-wide General Data Protection
Regulations (GDPR), businesses and
public entities of all sizes are turning
to MSSPs.
Frost & Sullivan's research, 'EMEA
Managed Security Services Market,
Forecast to 2021', finds that the market
was valued at $4.27 billion in 2016 and
is expected to reach $8.26 billion by
2021 at a compound annual growth rate
(CAGR) of 14.1 percent during 2016
through 2021. The research analyses
current market dynamics, external
challenges, drivers, restraints, forecast
and trends. Market share and competitive
analysis of key players such as BT, Orange
Cyberdefense, IBM, HP Enterprise, Atos,
Telefonica, T-Systems and Verizon are
provided. Customers want solutions that
solve problems, rather than mere alerts to
a potential problem. Therefore, MSSPs that
offer consulting, professional and technical
services could well outpace the overall
market. The key to longevity and success in
an agile MSSP environment is staying
ahead of the competition by:
Capturing the next wave of highervalue
MSS. The two growth MSS
segments in the next five years are
threat intelligence, and research and
detection services
Growing the midsized market segment
with the right pricing strategy
Following a customer-centric approach
by delivering solutions that meet
evolving demands
Adopting technology-led approaches
to service delivery, such as unburdening
tedious tasks through automation and
a collaborative solution approach.
Although the media has extensively
covered security breaches, many
enterprises still believe that they will not be
subject to targeted attacks and, hence, do
not require protection against advanced
threats. This approach to security has
curtailed the adoption of MSS in the EMEA
region - and is one that will doubtless
change as the threat landscape evolves.
A FINAL THOUGHT… FROM RICHARD
PARRIS, INTERCEDE CEO AND
CHAIRMAN:
When are organisations, their customers
and regulators finally going to do
something about the parlous state of
information security? The black hats have
had it their way for far too long, but 2018
could well be the year that the pendulum
swings back. On the back of some truly
momentous incidents over the past 12
months, many stakeholders are now saying
"enough is enough", and that could spell
some big changes ahead, with the concept
of digital identity front and centre.
16
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

inside view
EVERYONE IS AT RISK
FROM SPEAR PHISHING TO RANSOMWARE AND THE EVER-PRESENT THREAT OF BOTS, COMPANIES OF ALL
SIZES HAVE REASON TO LOSE SLEEP AT NIGHT. ELIZABETH SHELDON, CHAIRMAN, EVIDENCE TALKS,
CONSIDERS WHAT THAT MEANS FOR ORGANISATIONS EVERYWHERE
Cybercrime targeted at small
businesses is increasing at an
alarming rate and it's a problem
that's not about to go away. What's
more, the threat is increasing in scope,
as well as size.
Gone are the days when having a
relatively unknown brand used to work
in favour of smaller organisations to
ward off hackers. These days, it would
be wrong to assume that hackers will
only pursue well recognised companies
with huge volumes of data.
As smaller businesses are far less likely
to have security personnel and
technologies in place that can efficiently
detect and respond to an attack, it's easy
to see why hackers are shifting their
focus. The reward may well be smaller,
if a SME is breached on an individual
basis and this perhaps explains why
many hackers are now leveraging attacks
against smaller businesses in their
multitudes.
According to recent data, almost 50%
of cyber attacks are aimed at the small
business - a number that's likely to
increase in 2018. For many small
businesses, cyber security competes with
other day-to-day concerns for time and
resource, but better measures must be
put in place to ensure they are less
vulnerable to attack.
As per their own structure and business
model, every business faces different
risks. Some will be heavily reliant on
their e-commerce systems, while others,
for example, may be more severely
impacted by the loss of customer data,
procurement systems or their intellectual
property. The onus for the SME,
therefore, lies in evaluating how cyber
risk can be mitigated by prioritising
spend in the areas that matter most to
them.
Long gone are the days when small
businesses can view themselves as too
small or insignificant for cyber security.
Defending your corporate reputation is
paramount and cannot be overlooked in
the ongoing drive to retain your
competitive edge.
While a lot of attention is focused on
external threats, it's now emerging that
one of the single, greatest causes of
information theft, loss or attack actually
comes from within business walls. Over
the past few years, data leaks and other
news events have brought insider threats
to the forefront of public attention and
yet most companies, both large and
small, seem to lack the motivation and
capabilities to protect themselves from
the malicious insider.
With a lack of appropriate internal
defences increasing exposure to fraud,
the opportunities for miscreants are now
more prevalent than ever before. For
example, for those intent on stealing
or causing damage, phishing has turned
into a relatively straightforward exercise,
due to the ease with which good
phishing kits can be purchased, often
Elizabeth Sheldon, Chairman, Evidence
Talks.
with the relevant technical support, on
the black market. It's even possible to
purchase ransomware-as-a-service in
underground markets.
Fortunately, the rise of analytics and
digital forensics technologies make the
identification of insider threats easier
and less intrusive. Alongside adoption of
the appropriate technologies, however,
businesses need to gain accreditation
to the Cyber Essentials (CE) scheme,
have an awareness of what to look for
and focus more on their security efforts
to achieve best outcomes and the
reassurance that robust cyber security
protocols will bring.
www.computingsecurity.co.uk @CSMagAndAwards March/April 2018 computing security
17

smart cities
RISK AND REWARD IN THE BIG CITY
BACK IN THE 1960S, DISNEYLAND HAD A RIDE CALLED 'UTOPIA'. IT WAS A GLIMPSE INTO THE FUTURE OF
HUMAN CITIES AND GAVE US A TASTE OF WHAT SMART CITIES COULD BE. ALASTAIR HARTRUP, GLOBAL CEO,
NETWORK CRITICAL, TAKES UP THE STORY
Of course, everything on the
Disneyland ride Utopia, from its
stoplight-less streets and smooth
traffic control, was pre-programmed. It was
just a theme park ride, after all. However,
this shows that humanity has had the idea
of a smart city on its mind for a long time.
This idea is something we are only recently
able to make into reality. Just like the ride,
smart cities help to create a 'utopia' where
life is streamlined and less frustrating.
Unfortunately, as with most good things,
there are plenty of problems that could ruin
the dream for millions and these are caused
by the threat of cyber-attacks.
2018 is now well underway, but already
many are expecting it to be the year of smart
cities. Back in 2016, global city population
was at an all-time high and commute
congestion was as bad as it had ever been.
However, with the introduction of Internet
of Things (IoT) devices, within both the city
and vehicles themselves, we have begun to
slowly make driving in the city a much easier
experience, just like the way Utopia made it
feel all those years ago.
These devices provide everything from
navigational advice and real-time traffic
alerts to alternative route suggestions, based
on prevailing traffic conditions. We can
rideshare, bike share and plan public
transportation routes, and pay tolls with
smartphones. Internet connectivity via
personal devices is only the first step in a
new wave of intelligent urban transportation
technology.
Centralised urban technology hubs and
associated apps are being developed to
provide a wide range of services. One
example is the introduction of card scanners
on public transport, simplifying travel
payment and removing the issue of not
having exact change for the fare.
Centralising and synchronising traffic signals
helps to smooth traffic flow, provide quicker
response times for emergency vehicles and
keep buses on schedule. Parking sensors
have even been installed that will alert
smartphone users to open parking spaces.
To have IoT devices work to maintain a
18
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

smart cities
smart city, it needs to collect and analyse
personal data from the users, so that it can
tell what works and what does not. To be
as effective as possible, they need to collect
data from users about their movements,
peak traffic times, transportation mode
preferences, streetlight data, traffic camera
data, payment options and more.
All this information then needs to be
stored somewhere, whether this is a Cloud
server or under the control of a municipal
IT department. Doing this is a necessity,
but the centralisation of information and
control of an entire municipal
transportation system is putting a lot of
eggs in a single basket. As we've seen,
though, putting so much precious data in
one location is an invitation for trouble.
2017 saw a rise in cyber-attacks that
purposely target private data, whether
to use as ransom or to release online and
cause chaos. Uber and Forever 21 were
just two of the many companies to suffer
massive data breaches in 2017 and, in
recognition of the very real risks to people's
personal information, 2018 sees the
introduction of the GDPR [in May], a new
regulation that will force companies to
take more responsibility for the protection
of customer data [see page 24].
If enterprises want to continue the
upkeep of smart cities, then the basket that
holds all this information must be designed
for maximum security, controlled access
and limited information portability.
According to Von Welch, director of the
Center for Applied Cyber Security Research
at Indiana University: "We have a lot of
companies making new devices for the
urban Internet of Things that have not
made computers or written software
before." This is a critical warning to
intelligent urban traffic planners. Get the
IT security team involved early. There is
great technology available to help protect
and defend large centralised networks.
Robust security requires many specialised
appliances, so an intelligent connectivity
solution should also be part of the initial
plan.
Alastair Hartrup, global CEO, Network
Critical.
Without properly planned network
protection and rapid attack remediation, the
commerce, movement and safety of entire
cities could be vulnerable to a malicious
breach. Traffic signals could be manipulated;
electronic road signs could be hacked to
provide misinformation; emergency
responders could be blocked from trouble
spots; funds could be stolen; or bank
accounts compromised.
We've seen this already: in 2014, security
researchers at the University of Michigan
were able to hack traffic lights of nearly 100
intersections that they found to have no
security controls at all. This hack was just an
experiment to point out the flaws; imagine if
it was performed by someone with malicious
intent.
This is all scary stuff, but not impossible to
manage. If proper network visibility, threat
landscape reduction, data loss protection,
data backup and employee training are
planned and implemented early on, then
Utopia may, in fact, be possible, without
opening the door to a municipal apocalypse.
www.computingsecurity.co.uk @CSMagAndAwards March/April 2018 computing security
19

otnets
DEADLY GAME OF HIDE 'N' SEEK
BITDEFENDER RESEARCHERS HAVE UNCOVERED AN EMERGING BOTNET THAT USES ADVANCED
COMMUNICATION TECHNIQUES TO EXPLOIT VICTIMS AND BUILD ITS INFRASTRUCTURE
Anew bot, dubbed HNS, has been
intercepted by Bitdefender's IoT
honeypot system, following a
credentials dictionary attack on the
Telnet service. The bot was first spotted
in early January this year, then faded
away in the following days, only to reemerge
10 days later in a significantly
improved form.
"The HNS botnet communicates in a
complex and decentralised manner, and
uses multiple anti-tampering techniques
to prevent a third party from hijacking/
poisoning it," explains Bogdan Botezatu,
senior e-threat analyst at Bitdefender.
The bot can perform web exploitation
against a series of devices via the same
exploit as Reaper and other
vulnerabilities against networking
equipment. It embeds a plurality of
commands, such as data exfiltration,
code execution and interference with
a device's operation.
The bot features a worm-like spreading
mechanism that randomly generates a
list of IP addresses to get potential
targets. It then initiates a raw socket SYN
connection to each host in the list and
continues communication with those
that answer the request on specific
destination ports (23 2323, 80, 8080).
Once the connection has been
established, the bot looks for a specific
banner ("buildroot login:") presented by
the victim. If it gets this login banner,
it attempts to log in with a set of
predefined credentials. If that fails,
the botnet attempts a dictionary attack
using a hardcoded list."
VICTIM EXPLOITATION
Once a session is established with a new
victim, the sample will run through
a 'state machine' to properly identify
the target device and select the most
suitable compromise method. "For
example, if the victim has the same LAN
as the bot, the bot sets up TFTP server to
allow the victim to download the sample
from the bot," adds Botezatu. "If the
victim is located on the internet, the bot
will attempt a specific remote payload
20
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

otnets
delivery method to get the victim to
download and run the malware sample.
These exploitation techniques are
preconfigured and are located in a
memory location that is digitally signed
to prevent tampering. This list can be
updated remotely and propagated
among infected hosts."
The samples identified in Bitdefender's
honeypots in early January revolved
around IP cameras manufactured by a
Korean company. "These devices seemed
to play a major role in the botnet, as, out
of the 12 IP addresses hardcoded in the
sample, 10 used to belong to Focus H&S
devices. The new version, observed on
January 20, dropped the hardcoded IPs."
Like other IoT bots, the newly
discovered HNS bot cannot achieve
persistence and a reboot would bring
the compromised device back to its clean
state. It is the second known IoT botnet
to date, after the notorious Hajime
botnet, that has a decentralised, peer-topeer
architecture.
"However, if in the case of Hajime, the
p2p functionality was based on the
BitTorrent protocol. Here, we have a
custom-built p2p communication
mechanism. The bot opens a random
port on the victim and adds firewall rules
to allow inbound traffic for the port. It
then listens for connections on the open
port and only accepts the specific
commands described below. Our initial
look at the sample revealed an elliptic
curve key inside the file that is used
to authenticate the command which
updates the memory zone where
configuration settings are stored, to
prevent infiltration or poisoning attempts
against the botnet."
CHATBOT MENACE
Meanwhile, a warning has been issued
about another kind of 'bot' - Chatbots.
According to security expert BOHH Labs,
they can also pose a serious security
threat. "Chatbots are quickly becoming
the interface of choice for many
organisations. In fact, a recent survey
conducted by Oracle revealed that 80 per
cent of businesses want chatbots by
2020. While the advances in Artificial
Intelligence (AI) and mobile technology
have created a new set of tools for
brands to communicate with, the
technology itself has yet to reach
a mature state and is consequently
strongly vulnerable to cyberattacks,"
cautions Simon Bain, cybersecurity expert
and CEO, BOHH Labs.
Current bot solutions are not entirely
secure and can create open passages
for cyber criminals to access the data
flowing through chatbot's interface. In
essence, this gives cyber attackers direct
access to an organisations' network,
applications and databases.
As Bain explains: "While bot technology
has improved drastically in recent years,
for maximum security, chatbot
communication should be encrypted
and chatbots should be deployed only on
encrypted channels. This can be easily set
up on an organisation's own website;
but, for brands that use chatbots
through third-party platforms such as
Facebook, the security features are
decided by the third party's own security
branch, which means the organisation
does not have as much control over the
security features on the chatbot. Until
public platforms offer end-to-end
encryption in their chatbots, businesses
should remain cautious."
One of the biggest advantages in using
chatbots is that they are a cheaper
solution to customer service. They can
serve and reach customers in a way that
would otherwise require a tremendous
amount of time and resources. This is
an area where chatbots are gaining
momentum, but instead of bots
Bogdan Botezatu, Bitdefender: the bot
can perform web exploitation against
devices via the same exploit as Reaper.
replacing entire customer service teams,
organisations are working with them in
tandem, in order to improve customer
satisfaction.
However, as chatbots seek to collect
information from users, the information
that is stored and the metadata must be
properly secured. "When running a
chatbot, organisations must consider
how the information is stored, how long
it's stored for, how it's used and who has
access to it," Bain says. "This is especially
important for highly regulated industries,
such as finance, that will deal with
sensitive customer information."
While there are clear advantages to
integrating chatbot technology as a new
communication tool, if companies aren't
made aware of the potential security
risks, confidential data will be accessible
by any determined hacker. "Additionally,
attackers may be able to repurpose
chatbots to harvest sensitive data from
unsuspecting customers." he concludes.
www.computingsecurity.co.uk @CSMagAndAwards March/April 2018 computing security
21

tech trends
A TASTE OF THINGS TO COME
RAHUL POWAR AND RANDAL PINTO, CEO AND COO OF LONDON-BASED TECH START-UP RED SIFT,
SINGLE OUT THE THREE TECH TRENDS THAT THEY BELIEVE WILL DOMINATE IN 2018
Randal Pinto, Red Sift.
Last year saw wave after wave of tech
news hitting the headlines. Whether it
was documenting a huge technological
advancement, the publication of a high-risk
vulnerability or the announcement of a gamechanging
regulation, nowhere was this more
evident than in the cryptocurrency, Artificial
Intelligence (AI) and cyber security arenas.
Here is our forecast for how these trends will
come to fruition this year.
OPTIMISE BUSINESS PROCESSES WITH
ARTIFICIAL INTELLIGENCE
The Economist's World in 2018 predicts the
next twelve months to be a 'landmark year' for
Artificial Intelligence. Continued huge leaps in
innovation are without question. However,
what we will also see this year, is that AI will
lose some of its shine and become part of the
everyday technology toolbox all organisations
use to automate arduous data-driven tasks.
One key trend we'll see is AI starting to write
AI. This is the idea of deep neural networks
designing and optimising other deep neural
Rahul Powar, Red Sift
networks, and will become mainstream in
machine learning. We won't really be any
closer to general-purpose AI, but hyperbolic
industry commentators will no doubt spin
‘AI writing AI’ as the start of it.
CONSIDER CRYPTOCURRENCY
Cryptocurrency has shot to fame in the past
few years and certainly became part of the
business vernacular last year. However, this
digital currency remains at the mercy of
criminals - as 2017 came to a close, we saw
reports of a hack attack in which $64 million
in bitcoin had been stolen. Guidelines are few
and far between, and regulators will have to
play catch-up this year. However, putting a
leash on a global, decentralised mechanism
will not be a straightforward task and some
stakeholders may resist being locked down.
That said, we'll also see broader adoption
of blockchain in the enterprise - finance and
insurance companies have already started
adopting this digital framework. IBM and
Microsoft, too, have joined the fray, offering
Blockchain as a service (BaaS) solutions, which
will see wider adoption across other industries
including energy, retail, real estate and the
public sector.
SOLIDIFY YOUR CYBERSECURITY
Although everyone knows what they should
be doing for GDPR, reports are already
suggesting that not only are millions of SMBs
in the UK still not compliant but, even as we
start off the New Year, they haven't begun
preparing for the EU-mandated regulation.
Until we see a landmark GDPR case, with an
organisation facing a headline-grabbing fine,
firms will probably continue to keep the
status quo, with minimum measures in place.
Many firms cite massive costs and resources
required as barriers to making the necessary
changes.
2018 will see a raft of companies declaring
breaches and opportunistic hackers ramping
up their attacks on vulnerable organisations.
This year, we will also observe a maturity in
quantum computing which will threaten
encryption and computing security - the
concern being that this level of computing
power will crack previously 'unbreakable'
passwords and encryption.
ABOUT RED SIFT AND ONDMARC
Red Sift is a London-based Platform as a
Service (PaaS) startup founded in 2015 by
serial entrepreneurs Rahul Powar and Randal
Pinto. The cloud-based platform offers both
businesses and individuals a powerful
dashboard of tools, plugging into various
data sources in order to receive personalised,
actionable insights. OnDMARC is the first
product built on the Red Sift platform; it's an
intuitive cloud-based cybersecurity tool that
helps organisations of all sizes and specialisms
secure their email domains against
impersonation.
22
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

Cyber Security Managed Services
Brookcourt Solutions manage services across
Cyber Security and Networking Technologies to secure
companies across all verticals from vunerabilities and threats.
We consolidate multiple partner feeds from around the world
into a single platform, then provide skilled analysts in-house to
extract that data to provide timely, actionable cyber intelligence
for our clients.
How secure is your brand?
Contact us: marketing@brookcourtsolutions.com
C y b e r S u r v e i l l a n c e • S e c u r i t y • N e t w o r k i n g • C o n s u l t a n c y • M a n a g e d S e r v i c e s
Multi Award Winning
For more information contact Brookcourt Solutions
t: +44 (0) 1737 886 111 www.brookcourtsolutions.com

data regulations
IT'S TIME TO BE VERY READY!
WHEN THE GENERAL DATA PROTECTION REGULATION (GDPR) COMES INTO FORCE THIS MAY,
IT WILL OVERHAUL HOW ORGANISATIONS STORE, SECURE AND MANAGE THEIR CUSTOMERS' DATA.
SWINGEING PENALTIES AWAIT THOSE WHO FAIL TO COMPLY
When Cisco launched its first Privacy
Maturity Benchmark Study in
February this year, it found that
74% of privacy-immature organisations
experienced losses of more than £350,000
in 2017 caused by data breaches. The
countdown to GDPR has seen organisations
investing in resources and processes to meet
the new standards, states the report.
However, with an increasing number of data
breaches reported, vendors are asking more
questions about the products they buy and
the organisations they partner with, states
Cisco. "This is causing significant delays in
the buying cycle, due to concern about how
data is captured, transferred, stored, and
erased."
Cisco's research highlights the ways in
which privacy maturity not only causes
significant sales delays, but also its cybersecurity
effectiveness:
Two-thirds of businesses report sales
delays caused by customer data privacy
concerns - customers are increasingly
concerned about whether products
and services they buy will provide
appropriate privacy protections that
will meet GDPR standards
Privacy-mature companies experience
fewer breaches and smaller losses from
cyberattacks - 74% of privacy-immature
organisations experience losses of more
than £350,000 last year caused by data
breaches, compared with only 39% of
privacy-mature organisations.
GDPR DAY LOOMS
Data breaches are certainly having a massive
impact. As Ian Kilpatrick, EVP Cyber Security
for Nuvias Group, points out: "The General
Data Protection Regulation (GDPR) will
overhaul how organisations store, secure
and manage their customers' data. EU
citizens will have extended rights that
include the right to know what information
is held about them, the right for that data
to be removed, the right to data portability,
and the right to be informed if there is
a data breach. This data is known as PII
(Personally Identifiable Information)
"Alongside that, the Network and
Information Systems (NIS) directive applies
to operators of essential services, such as
water, energy, transport and health
providers and is aimed at ensuring they
safeguard data against cyber-attacks. Like
GDPR, the penalties for non-compliance are
extremely high."
Yet according to research published
recently by the Department for Digital,
Culture, Media and Sport (DCMS), only
38% of UK businesses said they had heard
of GDPR - and among those that were
aware of it, just a little more than a quarter
have made any changes in readiness for the
new regulations.
"However, it's not too late to do something,"
states Kilpatrick. "The authorities know
compliance is an ongoing process and want
to see organisations showing willingness to
comply. Understanding the data assets your
24
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

data regulations
organisation collects, holds and processes is
the essential step in the planning stages to
GDPR readiness. Once you have identified all
the data types and sources you hold, you
need to understand where it is stored and
who can access it. Printed copies should be
securely stored, with regular reviews to
ensure the copies are still required. If not,
securely destroy them."
Electronic storage within a structured
database should be relatively easy to
recognise, maintain and protect. "The larger
problem is unstructured data and knowing
where PII, or personally sensitive
information, is stored. Data discovery tools
can search all mappable drives to find
sensitive files (.docx, .xlsx, .pdfs etc) that
may contain the data that you are searching
for - email addresses, phone numbers, credit
card details, National Insurance numbers
etc," he points out. "Once you know where
your unstructured sensitive files are stored,
move them to a central repository from
which you can defend access," he advises.
"Set up processes and procedures to be able
to respond in a timely fashion to Data
Subject Access Requests (DSARs). Finding a
Citizen within your paper records will
require a physical search. Finding a Citizen
within your CRM or other database should
be accommodated from the application.
The same tool that helped your organisation
find sensitive files ought to discover specific
subjects within unstructured data, allowing
an organisation the ability to respond to
DSARs within the 30 days prescribed."
BALANCING ACT
Too often, companies have to balance data
protection risks with the pressure to move
fast. GDPR tips the scales towards data
privacy, meaning global businesses have to
rethink how they provide secure access to
data throughout their organisation,
according to Jes Breslaw, director of
strategy, EMEA at Delphix. "We recommend
the following tips for businesses when it
comes to securing data," he says:
Start learning about DataOps - companies
should be investigating the idea of DataOps.
This approach assigns dedicated people and
tools to manage and secure data across an
organisation. DataOps enables data
operators to know exactly what data is
where, to be able to secure (mask) data that
is sensitive and to ensure that data
consumers still have access to the data they
require, when they need it.
Govern data access - DataOps and Dynamic
Data Platforms enable you to centrally
control all non-production copies of your
data and mask data at the same time. Data
operators can manage who has access to
STARTLING LACK OF PREPARATION FOR GDPR
A recent survey of 118 professionals in North America by UBM showed that 98% of respondents view data governance as important, but only
6% said their firms were fully prepared for GDPR compliance.
Key articles within the GDPR include what to do if a data breach occurs and how quickly an organisation must report it, the requirement of
appointing a data privacy officer and that any organisation anywhere in the world that processes EU data must be GDPR compliant.
"For organisations that have embarked on becoming compliant, the key challenge is pulling together all of the disparate technologies and
systems that need to be integrated, in order to meet what the actual regulation states," says Juliet Okafor, SVP of Global Security Solutions at
Fortress Information Security. "Oftentimes, data resides in various systems with differing access policies. Organisations need to understand where
this data is, how they use it, and then track and monitor the controls they have in place as part of their overall GDPR compliance requirements."
The complexities involved with GDPR compliance mostly revolve around the shared risks that are across the organisation, and typically involves
procurement, legal, third party risk, cybersecurity, privacy and enterprise risk teams, as well as senior management. "All of those stakeholders are
a part of GDPR compliance and each has a shared piece of the GDPR mandate," she adds. "Collaboration across those groups solves GDPR
compliance and the need for agreement."
However, organisations tend to have issues with regard to what happens to a customer's data. "That is, what security controls can be put in
place that protect the data, but also allow the organisation to use the data to make decisions on future products. The organisation is typically
attempting to limit or remove the risk associated with either a compromise or breach of data they've collected."
GDPR compliance is complex and will impact many departments. Integrating multiple technology solutions and update internal processes and
procedures is vital. "Organisations should look for solutions and partners that will help to solve GDPR-related issues and find someone who can
articulate a clear vision to meet the implementation deadline," Okafor concludes.
www.computingsecurity.co.uk @CSMagAndAwards March/April 2018 computing security
25

data regulations
Ian Kilpatrick, EVP Cyber Security for
Nuvias Group: it's not too late to do
something.
James Wickes, CEO and co-founder,
Cloudview: organisations with old
cameras or cameras not manufactured
in the UK should review their systems.
what data, for how long, and when. Data
consumers can access and use data
independently, while administrators retain
full control over masking, privileges and
physical resources.
Treat all data equally - most security teams
focus on the protection of data in a
production environment, but the same
budgets and security are often not afforded
to non-production copies of data that are
used in test, reporting, training and analytic
systems. The danger is that non-production
data represents approximately 80% of an
organisation's total data and their most
vulnerable attack surface. By treating nonproduction
data as you would production
data, then you can mandate policies that
reduce the risk of data breaches in all
environments - production and nonproduction.
Use technology shortcuts - the deadline for
compliance with GDPR is 25 May and you
will never protect all your sensitive data in
time by doing things the same way you
always have. Modern data masking
solutions have database profiling tools that
scan tables and fields to detect confidential
information, such as email addresses, credit
card numbers or patient records. Some even
recommend masking algorithms, which
dramatically cut down the time it takes to
build and enforce data masking.
Stop reinventing the wheel - define security
policies once, rather in siloes or at the
project level, and, if possible, apply them
everywhere. Set enterprise security policies
to ensure that the right data is protected,
using the right controls and masking
algorithms. Policies must then be applied
consistently, regardless of the data source,
to support compliance with regulations
such as HIPAA, GDPR and more.
QUICK WINS
Encrypting known sensitive data is
recommended as a 'quick win' by Colin
Tankard, managing director, Digital
Pathways. "This is the only technology that
is 'called out' in the GDPR rules. 'Awareness'
is vitally important. Decision makers and
key staff should be aware of GDPR. If not,
companies should quickly instigate an
awareness campaign to all staff. This
provides key evidence of GDPR compliance
by the organisation."
Ensure that subject access requests are
dealt with swiftly and efficiently. "There are
current rules with regard to individuals
and how companies should respond to
a request to show what information is held.
GDPR extends this to areas such as your
data retention periods and the right to have
inaccurate data corrected within 30 days,
at zero cost to the requestor," he states.
Other areas Tankard identifies that can be
handled with reasonable ease include:
Accountability: GDPR includes provisions
that promote accountability and
governance. Therefore, internal audits
on processing activities, assessments on
data protection policies and reviews of
HR policies, should be started again as
evidence that GDPR is being considered
Data handling: it is important to identify
sensitive data and control who has access,
especially if it is an outside agency or
processor
Consent: as part of GDPR there must be
a positive opt-in for data to be stored or
used for marketing. Consent cannot be
inferred from silence, pre-ticked boxes or
inactivity. It must also be separate from
other terms and conditions, and you will
need to have simple ways for people to
withdraw consent. Consent has to be
verifiable
Data breaches: a personal data breach
means a breach of security leading to the
destruction, loss, alteration, unauthorised
26
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

data regulations
disclosure of, or access to, personal data.
This needs to be reported within 72 hours
and so companies need to have plans in
place to meet this requirement.
As to the NIS (Network Information Systems
Directive, which takes effect from May 2019
next year), this is directed at the cyber
security requirements of essential services
and digital service providers, so that robust
security measures are installed, in order to
protect networks and data against serious
security breaches. "As a bare minimum," says
Tankard, "they must control who has access
to critical data and systems, and deploy
strong authentication techniques, such as
two-factor authentication, coupled with
encryption. And it would be prudent to
consider evidencing your security position
by obtaining accreditation."
AUDIO AND VIDEO
As organisations work towards GDPR
compliance, many may not realise that it
also applies to audio and video material,
if this allows individuals to be identified,
points out James Wickes, CEO and cofounder,
Cloudview. "This includes
recordings from the CCTV systems that
they use to protect people, property and
premises. These systems are often installed
without any involvement from the IT
department, so may not be identified
when assessing GDPR risks. Add in the
NIS Directive and the risks of breaching the
regulations escalate exponentially."
The first step is to understand what data
is being collected and how the risk arises, he
says. "Vulnerabilities in CCTV systems range
from use of port forwarding and Dynamic
DNS to a lack of firmware updates and the
existence of manufacturer 'back doors'
which are often revealed on the internet."
These back doors may be deliberate and
pose a significant risk. However, ensuring
compliance is relatively straightforward,
Wickes says, suggesting the following:
Carry out a Privacy Impact Assessment
(PIA) to identity and minimise risks, and
ensure there is appropriate signage and
information about recording of video and
audio data.
Limit data access to authorised personnel
only.
Check record-keeping: recordings must be
fit for purpose, accurately date and time
stamped, and organisations should be
able to access them easily to comply with
a subject access request or police
investigation.
Continually assess data security. This
includes simple precautions - ensuring
strong passwords, regularly updating
firmware, and ensuring CCTV data is
encrypted both in transit and when
stored, as recommended by the
Information Commissioner's Office and
the Surveillance Camera Commissioner.
Some cloud-based systems encrypt all
data at source and store it securely in
the cloud.
Limit data collection. This includes
confirming that all CCTV cameras serve
a legitimate purpose and the system
can be switched off, so recording is not
continuous. This is incredibly helpful when
it comes to finding events. Continuous
random recording makes it harder to find
anything.
Limit processing to the purpose for which
the data is collected and delete recordings
when they no longer serve a purpose. This
prevents data being used for purposes
outside those originally intended.
"In the medium term, organisations with
old cameras or cameras not manufactured
in the UK should review their systems,"
Wickes advises, "and consider whether
to retrofit secure adapters or implement
a more secure solution."
Colin Tankard, managing director, Digital
Pathways: encrypting known sensitive
data can serve as a 'quick win'.
Jes Breslaw, director of strategy,
EMEA at Delphix: companies should be
investigating the idea of DataOps.
www.computingsecurity.co.uk @CSMagAndAwards March/April 2018 computing security
27

product review
TITANIA PAWS STUDIO 3.2.2
SMEs daunted by data protection
regulations and the looming
GDPR (General Data Protection
Regulation) can rest easy with Titania's
Paws Studio. Very keenly priced, it's
capable of auditing all Windows,
macOS and Linux systems, and offers
an impressive range of highly detailed
regulatory compliance and vulnerability
reports.
This latest version delivers a wealth
of new features, as, along with report
modules for SANS, NSA, NERC, STIG
and OVAL, it supports the PCI-DSS 3.2
standard. It now audits to the CIS
benchmark requirements and Cyber
Essentials best practices guidelines,
plus Titania includes a DCPP module
in the Enterprise version.
Paws Studio supports any host system
running Windows 7 upwards, macOS
Sierra or Linux. We loaded it on a
Windows Server 2012 R2 host and had
it licensed and ready for action in five
minutes.
The supported device list for auditing is
equally impressive and includes Windows
10 workstations. Furthermore, businesses
still running legacy Windows XP, Vista or
Server 2003 systems (and there's plenty
that are) can use Paws Studio to ensure
they aren't a major security risk.
On first contact, we could see the
console had received a design refresh,
making it even easier to use. Creating
a new audit was simple, as we chose
compliance modules from the list
presented or created our own custom
policies and applied them to selected
systems.
We could choose local and remote
target systems, and options are provided
for manually adding devices, running
a network discovery, scanning an IP
address range or importing multiple
systems from a CSV file. And that's all
there is to do, as Paws Studio now gets
on with auditing the systems.
It pushes a small footprint Data
Collector to each system, which gathers
the relevant information and sends it
back to the host for report creation.
For isolated systems, you can export
the Data Collector tool, along with the
required audit policies, run it locally and
import the results back into the host.
Paws Studio is quick, too, as a report
combining Cyber Essentials, SANS
and NERC audits on four networked
Windows 10 workstations took less
than a minute. The console displays
the completed report in the centre and
right-hand panes, making it even easier
to see which checks were passed or
which failed.
For our workstations, we could see
immediately from the SANS audit that,
although they all had anti-virus
protection, users were allowed to install
software on them, and our password
length and complexity policies were lax
at best. Choose an entry with a red
cross next to it in the right-hand pane
and it'll be loaded in the central pane,
along with details of why the check
failed and sage advice on remedial
action.
Yet another new feature is the option
to clear a failure from a report after
you've remedied the issue, so you don't
have to run the whole audit again.
Reports can be saved off, as Paws Studio
'blueprints' are exported to the host's
default web browser or saved in a range
of formats, including HTML, XML and
CSV - there's even an option to export
just the report page being viewed.
Along with accurate OS identification,
the Data Collector delivers detailed
hardware and software inventory.
Choose a system in the report and you
can view its BIOS version, CPU, memory,
hard disks, network adapters, installed
software, running programs and indeed
a whole lot more.
SMEs that want tight security and
compliance with the latest data
protection regulations will find Titania's
Paws Studio an ideal partner. It's very
easy to use, capable of delivering highly
detailed audit reports for a raft of
regulations and beats enterprise
solutions hands down on price. CS
Product: Paws Studio 3.2.2
Supplier: Titania Ltd
Telephone: +44 (0)1905 888785
Web site: www.titania.com
Price: 25 devices/3 years, £791 ex VAT
28
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

The first dedicated
Recruitment EXPO
for cyber security
professionals
Thursday 5th April 2018
UWE Conference Centre, Bristol
www.CyberSecurityExpo.co.uk
The Bristol Expo
is FREE to attend
Come and meet the
companies hiring within
Cyber Security.
Find out about
the latest hot jobs
100s of job vacancies
available on the day.
Free entry into
the Security
Cleared EXPO
Industry Partners:

masterclass
HOW TO UNDERPIN SECURITY TRANSFORMATION WITH
COMPLETE VISIBILITY OF YOUR ATTACK SURFACE
CHARLOTTE GURNEY, MARKETING MANAGER, BROOKCOURT SOLUTIONS, PROVIDES
KEY INSIGHTS ON A CRUCIAL ISSUE THAT CHALLENGES SO MANY ENTERPRISES
Charlotte Gurney, Marketing Manager,
Brookcourt Solutions.
There are many reasons why you may
be considering or engaged in a security
transformation programme tasked
with reducing the risk of cyberattacks. For
example:
You've appointed a new chief information
security officer (CISO) who wants to
implement a fast track programme
delivering immediate improvements
You've deployed many different security
technologies and are conducting regular
audits, but you're struggling to continue
to scale your IT security team
You've taken a highly tool-centric
approach to cybersecurity, but have too
much data, not enough people, your
processes aren't sufficiently mature or
your operational approach simply isn't
working
You've tried outsourcing your security, but
this isn't delivering the anticipated
benefits
You're struggling to answer questions
from senior executives, such as where are
we most at risk from an attack, what's
being done and what options do we
have to prevent this?
A familiar thread across all these issues is
the search for an improved approach and
processes to help you better utilise your
existing resources. But if you don't know
precisely what you're trying to defend, it's very
difficult to plan an effective security strategy
to achieve this. And without a central model,
and a clear and detailed view of your
infrastructure, the likelihood is that the
technologies and processes you're trying to
deploy are going to be badly instituted or
simply not work at all.
A common sense structure and approach is
needed to understand your attack surface,
achieve immediate results early in your
security transformation, and create a trusted
platform on which to mature and evolve your
processes over time. This helps address key
security challenges including:
Very poor context of the attack surface,
on account of its complexity, scale,
heterogeneous technology, use of cloud,
outsourcers, etc; historical data that is
often out of date.
The need to demonstrate a quick risk
reduction, which means identifying any
gaps in compliance and exposure, high
risk vulnerabilities, and all ingress/egress
points.
Improving security and compliance by
leveraging existing processes, such as
how to turn firewall change mangement
into a first line of defence, ensure the
patch process is serving your security
needs and embed compliance
management within normal day-to-day
operations.
Using security transformation to deliver
increased business value, by elevating
the security operations team from a
blocker to a strategic business enabler
that increases ROI.
How best to plan and manage the
transformation programme, to mature
your approach to security and avoid the
mistakes made by early adopters who
over-invested in technology.
Recommended phased maturity approach
Resilience Assessment
Start by focusing on discovery and high-risk
threat mitigation:
1. Build a model of your complete
organisational infrastructure, and provide
context around all of the ingress/egress
points and complexities of your network
and assets, to give you a detailed
understanding of what you're trying to
defend
2. This model should be automatically
updated on a daily basis, giving you an
ongoing and always current view of your
attack surface
3. The model can then be regularly analysed
to identify all of the opportunities to quickly
reduce risk, increase resilience and deliver
immediate results
4. Evolve and improving your existing
processes, or instituting new ones in areas
including automating compliance and
policy management, automating firewall
and change management, and improving
vulnerability management
5. Moving into more advanced use cases,
such as embedding Skybox into a SOC or
computer emergency response team (CERT),
using it to assist with outsourcing to a
managed security service provider (MSSP).
Brookcourt and Skybox Security will help
you deliver superior results from your
security transformation initiatives. Please
contact: www.brookcourtsolutions.com
30
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

hacked credentials
THE DARK DESTROYERS
OVER ONE MILLION LEAKED AND HACKED CREDENTIALS FOUND ON THE DARK WEB
hacked credentials. Even where
passwords aren't present, each of these
exposed email addresses represents a
potential attack on a company's network
for criminals via phishing or other scams.
NO ONE IS SAFE
Patrick Martin, cybersecurity analyst at
RepKnight, comments: "The truth is that
no company in the world is safe from
the threat of the dark web. The top 500
law firms RepKnight analysed almost
certainly haven't done anything wrong,
cybersecurity-wise, but all it takes for a
breach to occur nowadays is for a single
employee to accidentally fall for a
phishing email or send sensitive data via
email accidentally to the wrong person.
It's almost impossible to prevent.
More than a million leaked and
hacked credentials from the
UK's top law firms have been
tracked down to the Dark Web, leaving
the firms vulnerable to phishing scams
and the possibility of significant data
theft. The figures represent an average
of 2,000 email addresses per company,
with the largest firm having just over
30,000 email addresses on the dark web.
The email addresses, including nearly
80,000 from the legal industry's Magic
Circle, have been found by cybersecurity
specialist RepKnight as part of a
campaign to raise awareness of the huge
number of leaked and hacked credentials
circulating on the dark web.
Almost all of the credentials were from
third-party breaches, where a corporate
email address had been used on a site
like LinkedIn or Dropbox and that site
was subsequently compromised.
Worryingly, 80% of these email
addresses featured in breaches which
also contained passwords - often in
plaintext. Cybercriminals could
potentially use these password to gain
access to other private data, such as
employees' online banking or social
media, via 'credential stuffing' or spear
phishing attacks, because more than
80% of people tend to re-use their
password.
Using RepKnight's dark web monitoring
tool BreachAlert, RepKnight was able to
uncover each of the exposed email
domains across dark web, bin, dump
and data breach sites, which feature
almost five billion stolen, leaked or
"The data we found represents the
easiest data to find - we just searched on
the corporate email domain. A far bigger
issue for law firms is data breaches of
highly sensitive information about client
cases, customer contact information or
employee personal info, such as home
addresses, medical record and HR files.
That's why - in addition to securing
their networks - every firm should be
deploying a dark web monitoring
solution, so they can get alerted to leaks
and breaches immediately."
The research by RepKnight sheds light
on the importance of breach detection,
as well as prevention. On average,
European organisations take around
450 days to spot a security breach,
which means that cybercriminals have
a huge amount of time to access
a corporate network, steal sensitive data
and leave before the organisation even
realises that they've been there.
www.computingsecurity.co.uk @CSMagAndAwards March/April 2018 computing security
31

connected cars
DRIVING INTO THE UNKNOWN
TACKLING THE MANY CYBERSECURITY AND
OTHER SAFETY ISSUES AROUND CONNECTED
CARS HAS BECOME AN IMPERATIVE
Connected cars are a reality; most
modern vehicles on the road
nowadays have some form of
connectivity to the open world. This raises
important challenges on multiple software
integration and cybersecurity. To address
this challenge, Thales, through its German
company Sysgo, along with Vector, the
Stuttgart-based specialist for automotive
embedded electronics, founded a joint
venture to address the critical issue of
multiple software managing multiple,
often safety-critical, functions.
The volume and complexity of software
used to manage virtually every aspect of
a connected or autonomous vehicle, both
mechanic and electronic, could bear a
potential risk to people's safety. Each
software presents a potential attack surface
for security breaches, which could affect
the overall reliability of the vehicle. The
aim of this partnership is to co-develop an
integrated software platform for improved
performance and cybersecurity.
Through this joint-venture, Thales and
Vector will combine their respective
embedded systems expertise in aviation
safety and in automotive software
according to ISO 26262 to offer a single
platform to run the car's software and
applications. By simplifying the vehicle's
control systems, they aim to strengthen
its cyber-protection, while ensuring the
isolation of individual applications.
SINGLE SOURCE SOLUTION
To achieve this, the two experts will look to
co-develop the new platform by combining
two pre-existing products: MICROSAR,
Vector's AUTOSAR* Adaptive basic
software, and PikeOS, Sysgo's real-time
operating system. Through this integration,
coupled with further co-development, the
two companies are aiming to provide the
automotive industry with a single-source
solution. "Cybersecurity and Safety Critical
Systems are part of the Thales DNA. For us,
this joint initiative with Vector and Sysgo is
a natural step beyond what we already do
for the automotive industry in cybersecurity
services and consulting", says Laurent
Maury, vice-president, Critical Information
Systems and Cybersecurity, Thales.
Designed for the new generation of highperformance
Electronic Control Units
(ECUs), based on the AUTOSAR Adaptive
standard, a release of the joint solution for
prototype applications is planned later this
year and series releases for safety-relevant
control units are expected in 2019.
Meanwhile, Ansys, which develops and
markets engineering simulation software,
states that, while connected car technology
is a "bonus and a pleasure for car buyers", it
poses unprecedented new engineering
challenges regarding reliability, safety and
security for car manufacturers.
In its report on connected technology,
'Ensuring Reliability and Safety of
Connected Car Technology', it comments:
"As we rely more and more on connectivity
of cars, many potential problems could
emerge from faulty connected car
technology, including simple connection
interruptions, display malfunctions, signal
interference, and expensive failure of
sensitive electronic hardware under heat
and harsh conditions within vehicles.
"Imagine being lost while driving in an
unknown city, due to GPS signal loss, or the
frustration of being unable to operate the
air conditioner on a hot day, because the
car's touch screen interface has difficulty
recognising the touch of sweaty fingers.
Connected car technology also opens doors
to much more serious, unprecedented
problems, such as cyber security holes and
software bugs that could lead to potentially
fatal safety issues." Such problems can
quickly lead to consumer dissatisfaction and
brand depreciation. And there can be even
more serious consequences, if, for instance,
remote hackers use the connectivity to
32
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

connected cars
therefore trade off the desired level of
effectiveness (and the systems that can be
updated) against the costs. That calls for a
deep understanding of the architectures and
peculiarities of these systems."
Embedded software is in the focus of the joint venture between Vector and SYSGO
for autonomous driving. Image rights: Vector Informatik GmbH
exploit security holes for theft or to
jeopardise passenger safety, it adds.
COMPLEX WORLD
According to global management
consulting firm McKinsey&Company,
automotive products are becoming more
complex, with an increasing number of
electronic control units and lines of code.
"Connectivity is burgeoning, with dangers
at every turn. The supply chain is quite
fragmented, so policing security is hard.
And the integration of automotive systems
can also serve to compromise any specific
countermeasure.
Adds McKinsey&Company: "We believe
that the sector needs a holistic, two-front
approach to cybersecurity. On the first
front, solutions ought to address the design
of the product, the way it's developed,
and the maintenance-and-response
architecture.
"On the second, OEMs should focus more
effectively on the automotive environment
at the sector level (for instance, by
cooperating among themselves), on the
concerns of regulatory bodies and on the
mind-sets of final users, who must actively
protect their cars." A secure design, while
necessary, won't guarantee full security over
time. Solutions are effective only if they are
implemented consistently, and high-quality
components-software and hardware alikeimplement
the design.
"This requirement calls for a sound and
managed development process, including
reinforced collaboration between productsecurity
teams and corporate IT-security
teams. OEMs must thus create and enforce
strict guidelines to minimise the chances of
bugs and software-security gaps and to make
modifying or patching systems easier.
"That's why over-the-air (OTA) updates -
which have recently become available for
some cars, though often for limited parts of
software - are clearly essential for connected
systems: they help OEMs to counter attacks
quickly and to eliminate specific vulnerabilities
before malefactors can exploit them."
DEEP UNDERSTANDING
However, these benefits have a price,
McKinsey&Company concedes, in that
implementing support for OTA updates is
quite complex and expensive, both for cars
and the back-end infrastructure. "OEMs must
OEMs, which exclusively control the
relationship with customers and are usually
the final system integrators, bear the ultimate
responsibility for integration risk and for
ensuring that secure stand-alone systems
aren't vulnerable when connected, it insists.
"These companies must ascertain that security
practices have been implemented consistently
throughout the full value chain, including
suppliers. Procurement executives must
therefore learn to negotiate over the
cybersecurity features of components as
rigorously as they do anything else. OEMs
should also play an active role in shaping
the sector's future standards-both regulations
and best-practice guidelines."
McKinsey&Company points to how in many
sectors, including oil and gas, financial services
and aviation, alliances help companies to deal
with regulators and to share intelligence on
threats and vulnerabilities, both internally
(among OEMs and suppliers) and externally
(with regulatory bodies and the media). "Such
alliances also facilitate prompt responses to
novel threats. Some automotive companies
are already creating alliances; other OEMs and
suppliers should consider joining them."
Automotive OEMs face a unique challenge,
it adds, so they must complement their own
efforts to develop security strategies by taking
action on a higher level: the sector as a whole
must secure its products across the entire
supply chain by developing new ways to
collaborate and interact. "If it doesn't,
cybersecurity problems could irritate
customers or even generate regulatory
burdens that might well upend the cars of
the future before they hit the road."
*AUTOSAR (Automotive Open System
Architecture) is a worldwide partnership,
which develops the standardised software
framework for intelligent mobility.
www.computingsecurity.co.uk @CSMagAndAwards March/April 2018 computing security
33

artificial intelligence
AI VERSUS A HUMAN HACKER
HOW DOES MACHINE LEARNING AND ARTIFICIAL INTELLIGENCE (AI) IMPACT CYBER SECURITY?
type the words you see in the
image." Familiar? Yes, at some
"Please
point we have all completed a
'captcha' to prove we are human when
online. So, when a robot successfully
completed the test, the inevitable question,
says Jonathan Wilkins, marketing director
at obsolete parts supplier EU Automation,
was: "Are our computers secure?"
A captcha, or 'Completely Automated
Public Turing test to tell Computers and
Humans Apart', is designed based on the
Turing test. "Alan Turing, the founder of
modern computing, built a machine that
was capable of mimicking human speech
in letters, so that outsiders could not
distinguish between human and robotic
conversations," states Wilkins. "This
machine inspired the field of artificial
intelligence, bringing with it security tests
to distinguish between humans and
machines."
Technology is advancing rapidly, he adds,
meaning that computers can now solve
problems that could only be solved with
human intuition traditionally. "But what
does a robot beating a captcha have to do
with cyber security in manufacturing
facilities?
"As manufacturing becomes more
digitalised, connected machines collect realtime
data that is vital in keeping facilities
running at optimum capacity. As more
machines become connected, thanks to the
Internet of Things (IoT), they also become
more vulnerable to viruses that can be
introduced to the system.
"The growing use of AI in industry means
that manufacturers must do more to secure
information," he adds. "However,
manufacturers can look to similar AI
technology for help. If it can hack a system
by pretending to be human, could it
successfully block a similar threat from
a human hacker?"
IMPACT UNCERTAIN
Industrial viruses are traditionally introduced
from an external source, such as a USB or
incoming data file. "Both machines and
humans will find it difficult to predict
how this threat will impact the IT and
manufacturing system. However, humans
have the upper hand on computers, as they
can use past experience and knowledge to
deal with any system abnormalities."
Robots do not have the same intuition, he
states, but advancements in machine
learning allow computers to make decisions
based on collected data. Each time the
machine experiences something new, its
capabilities will increase.
"Some professionals argue that traditional
security protocols are reactive and only deal
with attacks when they occur. In the past,
human hackers have easily broken through
barriers such a passwords and firewalls.
Now, cyber security companies are offering
solutions to this, using AI and machine
learning technology to introduce more
preventative security for manufacturers."
OUT OF THE DARK
He singles out security company Darktrace,
which uses machine learning to create
unique patterns of encryption for each
machine and detect any abnormalities. "The
software can then detect emerging threats
that may have gone unnoticed and stop
them before the damage occurs."
Artificial intelligence is developing rapidly
and changing cyber security considerations
in manufacturing. "It is unclear how
much AI will be capable of in the future,"
concludes Wilkins, "but we need to rethink
how we distinguish between humans and
robots online."
34
computing security March/April 2018 @CSMagAndAwards www.computingsecurity.co.uk

2013

DETECT TARGETED ATTACKS AND ADVANCED
THREATS ON YOUR NETWORK
Protect your network with 360-degree monitoring from the
most recommended breach detection system 1 .
Achieve faster and higher ROI.
www.trendmicro.co.uk/xgen-cyber
1
Trend Micro Deep Discovery
100%
Breach Detection Rate
- 2017 -
RECOMMENDED 4 years in a row
©2017 Trend Micro, Inc. All rights reserved. Trend Micro, the t-ball logo and Deep Discovery Inspector are trademarks or registered trademarks of Trend Micro, Inc.