CS1901

Computing
Security
Secure systems, secure data, secure people, secure business
EYE ON THE FUTURE
What challenges await in 2019?
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
THORNY ISSUES
Not everything is rosy
on the passwords front
HEALTH WARNING
Sports and leisure clubs
come under attack
FLIGHTS OF FANCY
Hackers seize
BA client data
Computing Security January/February 2019

Dates for your diary
CDL will be exhibiting
at the following events
20-21 Feb ‘19
5th Mar ‘19
21 Mar ‘19
in 2019...
Come along and see
3-4 Apr ‘19
16 May ‘19
4-6 Jun ‘19
what we can do for
your business.
19-20 Jun ‘19
11-12 Sep ‘19
9-10 Oct ‘19
Secure IT Disposal
from an award winning service provider
• Secure disposal of IT and WEEE
• Data sanitised to the highest
recognised standards
• Collections using only CDL vehicles and
drivers
• ISO 9001, 14001, 18001 & 27001
• ADISA accredited with distinction
• On site media destruction
• EU GDPR compliant service
• Full UK coverage
CDL House, Davy Road, Runcorn, Cheshire, WA7 1PZ.
www.computerdisposals.com
T: 01925 730033

comment
HACKERS EXPLOITING SIMPLE OVERSIGHT
Security web scans and analysis on over 80,000 European Magento websites - the most
popular e-commerce platform globally - reveal 80% are at risk from cyber criminals. That
is a startling and worrying figure, and should leave those at the sharp edge deeply
concerned for their own safety.
Recent research by global cybersecurity experts Foregenix examined more than 170,000
Magento websites in total, revealing that 1.5% of these (2,548) were infected with malware.
Some 1,591 were compromised by credit/debit card stealing malware, actively harvesting their
customers' sensitive data for subsequent sale and/or fraud
A further 2.3% of all websites were found to be susceptible to Magento Shoplift. What is
particularly concerning is that this vulnerability was disclosed, and patches made available, way
back in January 2015. Effectively, Magento Shoplift allows hackers to completely administer
the website remotely, steal sensitive data and even order items for free through a single exploit
command - something that is publicly available.
The cybersecurity company, which is renowned globally for its work on payment security, has
an active threat intelligence team researching and analysing attack trends, with a strong focus
on the e-commerce sector.
Unveiling the research, Foregenix's CEO Andrew Henwood said: "The issues highlighted are
a truly global problem, which threatens to undermine confidence in e-commerce, especially
in markets leading the way in online sales, such as the UK. Repercussions as a result of
compromises are heavy penalties by card providers and these put many smaller traders at risk.
Magento and other e-commerce platforms release regular software updates in response to
vulnerabilities. These security patches, if not used, can leave websites highly vulnerable to
hacking and loss of sensitive data."
Online businesses often assume web developers, agencies and hosting providers take care of
security, he adds, cautioning. "Design agencies are great at producing beautiful, transactional
websites that sell their wares, but their expertise on security issues generally isn't as well
developed. Agencies and their clients need to be aware of e-commerce security issues, as
even a single breach can be devastating for a small business."
The simple fact is that simple precautions can make a real difference to reducing a company's
risk from criminals, such as regularly patching, changing default settings on the administration
interface and using stronger passwords with multi-factor authentication.
"Risk can never be entirely eliminated," concedes Henwood, "so companies should also
consider investing in a partnership with a cybersecurity specialist organisation and cyber
insurance policy."
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
PRODUCTION: Abby Penn
(abby.penn@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
Louise Hollingdale
(louise.hollingdale@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2018 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk Jan/Feb 2019 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security January/February 2019
contents
CONTENTS
Computing
Security
EYE ON THE FUTURE
What challenges await in 2019?
HEALTH WARNING
Sports and leisure clubs
come under attack
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
THORNY ISSUES
Not everything is rosy
on the passwords front
FLIGHTS OF FANCY
Hackers seize
BA client data
COMMENT 3
Hackers exploiting simple oversight
EDITOR’S FOCUS 6-7
Is it possible that Cloud is sinking down
2019: WHAT MAY LIE AHEAD 12
the popularity charts and losing its grip?
Computing Security asked those in the
ARTICLES
know to do some future-gazing and give
us their top predictions for cybersecurity in
TRACKING DOWN THE WEAK LINKS 8
2019. Here's what they had to say
Sometimes it's just basic human error
that can result in a costly breach
DRIVING UP THE MARKET 10
Mergers and acquisitions are on the up,
much of it driven by security issues
POWERFUL ALLIANCE 18
CYJAX has been working closely for some
THE LURKING THREAT 20
time now with Oxford University and
Quantum computing's ability to work
the Centre for Doctoral Training in Cyber
outside the linear processes that we are
so familiar with can also pose a threat
Security - and these 'Deep Dive Days' are
really paying off for all involved
MASTERCLASS 22
Cloud can still be the most secure
environment for business, argue Nigel
Hawthorn, data privacy expert at McAfee,
DO NOT PASS GO! 24
and Charlotte Gurney, marketing manager
at Brookcourt Solutions
Passwords are a never-ending headache for
most organisations and a boon for hackers
SPORTING CHANCE 23
looking for easy access to someone's data.
On-line attacks on volunteer-run sports
and leisure clubs appear to be soaring
THE CYBER KILL CHAIN MODEL 29
BROUGHT DOWN TO EARTH 26
Advanced Persistent Threats (APTs) have
been wreaking serious damage. But how
Cybercriminals who carried out a hack on
do you detect and prevent them?
British Airways compromised the data of
around 380,000 passengers, seizing billing
TIPS FOR MANUFACTURERS 30
details and addresses, bank and credit card
Here are three top tips for manufacturers
numbers, and CVV codes.
that will help to keep their sensitive data
out of grasping hands
INCIDENT RESPONSE PLANNING 31
Why do organisations use processes and
procedures for incident response
PRINTER HACKING IN IOT AGE 32
planning? So that everyone knows exactly
Analyst and research firm Quocirca have
what to do and when to do that
released findings that show more than
60% of organisations have experienced at
PRODUCT REVIEW 17
least one data breach, due to insecure
AlienVault USM Anywhere
printing practices
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk
4

Brookcourt sell leading high-end technology and services within
the Security, Monitoring, Network Management and Compliance
marketplace for leading Fortune 500 companies – including the
largest telecommunications providers within the UK, high street
banks, global retail enterprises and the largest oil companies
across the world.
Brookcourt can help defend your business against todays
advisories and cyber threats whilst helping you with your data
protection and control. Our leading-edge cyber threat intelligence
technologies are provided to leading global institutions as well
as smaller enterprises as a complete managed service.
Get in touch today: contact@brookcourtsolutions.com
C y b e r S u r v e i l l a n c e • S e c u r i t y • N e t w o r k i n g • C o n s u l t a n c y • M a n a g e d S e r v i c e s
Multi Award Winning
Trusted Partner of the Cyber Defence
Alliance (CDA). Working collaboratively
to fight cyber threats and crime
ISO 9001 • ISO 14001 • ISO 22301 • ISO 27001 • OHSAS 18001
For more information contact Brookcourt Solutions t: +44 (0) 1737 886 111 www.brookcourtsolutions.com

editor's focus
CLOUD SINKS LOWER
'CLOUD' HAS BEEN ALL THE RAGE FOR SOME TIME NOW, BUT ITS PREDOMINANCE HAS
BEEN CHALLENGED OF LATE. MIGHT ITS STATUS HAVE TO BE RE-EVALUATED SOMEWHAT?
"To meet increased demand and evolving
expectations of citizens for effective and
efficient services, government must continue
to enhance its digital maturity," Howard
states. "Government CIOs clearly recognise
the potential of digital government and have
started developing new digital services, but
now need to take digital beyond a vision to
execution through digital leadership."
Data analytics and cybersecurity pushed
cloud out of the top spot for increased
technology investment by government
CIOs in 2019, according to a survey from
global research organisation Gartner. This
increased focus on data reflects CIOs'
acknowledgment that artificial intelligence
(AI) and data analytics will be the top "gamechanging"
technologies for government in
2019.
Gartner's 2019 CIO Agenda Survey gathered
data from a total of 3,102 CIO respondents
in 89 countries and across major industries,
including 528 government CIOs. Government
respondents are segmented into national or
federal; state or province (regional); local; and
defence and intelligence, to identify trends
specific to each tier.
"Taking advantage of data is at the heart of
digital government - it's the central asset to
all that government oversees and provides,"
says Rick Howard, VP analyst at Gartner.
"The ability to leverage that data strategically
in real time will significantly improve
government's ability to seamlessly deliver
services, despite increased strain on finite
resources."
DIGITAL MATURITY ADVANCING
When it comes to strategic business priorities,
the survey found that 18% of CIOs across all
levels of government have prioritised digital
initiatives again this year as key to achieving
mission outcomes, compared with 23% from
all other industries. The next three business
priorities for government are industry-specific
goals (13%), operational excellence (13%)
and cost optimisation/reduction (8%).
The survey data indicates that governments
are making deliberate progress toward
designing and delivering digital services,
achieving comparable maturity to other
industries overall. When asked what stage
their digital initiative was at, 29% of
government respondents say their
organisations are scaling and refining their
digital initiatives - the tipping point at which
a digital initiative is considered mature. This is
up from 15% in the 2018 survey. However,
government is still lagging other industries
(33% overall) in scaling and refining digital
initiatives. The gap is particularly marked in
defence and intelligence, where just nine
percent of respondents have scaled digital
initiatives.
Despite the focus on digital, only 17% of
government CIOs plan to increase their
investment in digital business initiatives,
compared with 34% of CIOs in other
industries. While government CIOs
demonstrate clear vision in the potential
for digital government and its emerging
technologies, 45% report they lack the IT
and business resources required to execute.
AI JUMPS AHEAD
AI has taken the lead as the top gamechanging
technology for government CIOs
for 2019. AI (27%) is followed by data
analytics (22%) and cloud technologies
(19%). Cloud dropped from first across all
levels of government last year, to third overall
in this year's survey. "AI introduces new
insights and delivery channels that will enable
governments to scale in magnitudes not
previously possible," Howard adds. "This
will allow reallocation of valuable human
resources to more complex processes and
decisions."
Among government respondents, 10% have
already deployed an AI solution, 39% intend
to deploy in the next one to two years, and
an additional 36% intend to deploy an AI
solution within the next two to three years.
Among all levels of government, business
intelligence (BI) and data analytics (43%),
06
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

editor's focus
cyber/information security (also 43%)
and cloud services/solutions (39%)
are the most common technology
areas for increased technology
investment in 2019. Cloud dropped
from first place last year to second
overall for 2019.
According to Howard, the fact that
cybersecurity remains an area of
projected increased spending reflects
government's recognition of its role
as the steward of public data, with
secure transactions now table stakes for
governments in a digital world.
"In today's digital world, cyberattacks are
highly visible, increasingly malicious and
costly, and they erode the public's trust," he
states. "Government CIOs have steadily
increased their prioritisation of cybersecurity
over the years and have gained executive
commitment to vigilance in ensuring that
ever-evolving malicious attacks and threats
are mitigated to the greatest extent possible."
According to McAfee: "Cloud computing
presents many unique security issues and
challenges. In the cloud, data is stored with
a third-party provider and accessed over the
internet. This means visibility and control over
that data is limited. It also raises the question
of how it can be properly secured. It is
imperative everyone understands their
respective role and the security issues
inherent in cloud computing.
SHARED RESPONSIBILITY
Cloud service providers treat cloud security
risks as a shared responsibility, it points out.
"In this model, the cloud service provider
covers security of the cloud itself and the
customer covers security of what they put in
it. In every cloud service - from software-as-aservice
(SaaS) like Microsoft Office 365 to
infrastructure-as-a-service (IaaS) like Amazon
Web Services (AWS) - the cloud computing
customer is always responsible for protecting
their data from security threats and
controlling access to it."
Most cloud computing security risks are
related to data security. Whether a lack of
visibility to data, inability to control data, or
theft of data in the cloud, most issues come
back to the data customers put in the cloud.
Taking software-as-a-service (SaaS) as just one
instance, McAfee offers 10 cloud security
issues:
Lack of visibility into what data is within
cloud applications
Theft of data from a cloud application by
malicious actor
Incomplete control over who can access
sensitive data
Inability to monitor data in transit to and
from cloud applications
Cloud applications being provisioned
outside of IT visibility (eg, shadow IT)
Lack of staff with the skills to manage
security for cloud applications
Inability to prevent malicious insider theft
or misuse of data
Advanced threats and attacks against the
cloud application provider
Inability to assess the security of the cloud
application provider's operations
Inability to maintain regulatory
compliance.
GARTNER DATA & ANALYTICS SUMMIT
As McAfee goes on to conclude:
"Developments such as the rise of
XcodeGhost and GoldenEye
ransomware emphasise that
attackers recognise the value of
software and cloud providers as a
vector to attack larger assets.
“As a result, attackers have been
increasing their focus on this
potential vulnerability. To protect
your organisation and its data,
make sure you scrutinise your cloud
provider's security programs,” it advises. “Set
the expectation to have predictable thirdparty
auditing with shared reports and insist
on breach reporting terms to complement
technology solutions."
Rick Howard, Gartner: Government CIOs
now need to take digital beyond a vision
to execution through digital leadership.
Gartner analysts will provide additional analysis on data and analytics trends at the
Gartner Data & Analytics Summit 2019, taking place 18-19 February in Sydney, 4-6
March in London, 18-21 March in Orlando, 29-30 May in Sao Paulo, 10-11 June in
Mumbai, 11-12 September in Mexico City and 19-20 November in Frankfurt.
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2019 computing security
07

cardwave
ARE YOUR EMPLOYEES THE WEAKEST LINK
WHEN IT COMES TO YOUR DATA SECURITY?
By Emma Charlton -
Security & Authentication
Division Lead
Cardwave Services Ltd
Data security has always been a hot
topic, but things got even hotter
last year thanks to the GDPR.
Despite new legislation and hefty fines,
breaches continue to be a daily
occurrence. Businesses invest significant
time and money implementing
sophisticated security measures, but
sometimes it's basic human error that
can result in a costly breach.
We all know the importance of creating
and protecting complex passwords, but
with the average person needing to
remember around 20 account passwords
per day, it's no surprise that corners get
cut and mistakes are made.
Passwords get written down, shared,
simplified. Workstations get left
unlocked when someone just 'nips' to
the photocopier to grab something, only
to be abducted into an impromptu
meeting. Our intentions are good, and
we don't mean to put valuable company
information at risk, but it happens and
the ramifications of a data breach go
beyond a monetary fine. Business
disruption, reputational damage, staff
and customer churn…
PROXIMITY-BASED IDENTITY AND
ACCESS MANAGEMENT TO
MITIGATE INSIDE SECURITY THREATS
Cardwave launches GateKeeper
Enterprise to the UK market
Break free from insecure practices and
move beyond passwords with
GateKeeper Enterprise
GateKeeper Enterprise brings security
and convenience to employees by using
wireless keys to simplify the login
8
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

cardwave
process, remove the need to remember
complex passwords, and enable access to
computers and websites based on their
physical presence.
Furthermore, the GateKeeper Enterprise
wireless authentication system allows
organisations to enhance workflow and
achieve higher levels of security without
inconveniencing the user.
From five workstations to 5,000,
GateKeeper Enterprise provides pain-free,
centralised management of every person,
password and computer on your
network.
Wireless auto lock and unlock
2-factor authentication
Military grade AES-256 encryption
Centralised password management
Eliminates internal breaches
Easy installation and support
Audit logs and reporting
Increase user productivity
We've all experienced the frustration of
needing to quickly access a document
or some data, only to be scuppered by
a bout of 'fat-finger' syndrome or an
inability to remember a password that
you've entered a million times already.
And if you're really unlucky after
numerous failed password attempts,
you'll be locked out of the system and
end up in a queue waiting for assistance
from IT support. With GateKeeper
Enterprise your workstation automatically
unlocks as you approach, and locks again
as you move out of range.
All GateKeeper Enterprise users can be
managed via the Enterprise Hub, through
which security policies can be deployed,
access rights managed, and usage
tracked and audited.
To find out more or to become
a reseller, please contact Emma at
sales@cardwave.com / 01380 738395
or visit www.safetogosolutions.com
Emma Charlton - Security &
Authentication Division Lead
Cardwave Services Ltd
Interesting facts:
On average, a user spends 6-8 hours
a year typing passwords at different
places.
Gatekeeper Enterprise eliminates
the need to remember complex
passwords and allows employees to
work without interruption.
81% of office employees have access
to sensitive workplace information
through unlocked computers.
Gatekeeper Enterprise prevents
workstations from being left unlocked
when unattended.
80% of IT support requests stem from
passwords. The average business
employee must keep track of
191 passwords.
Gatekeeper Enterprise eradicates the
requirements to remember any
passwords - even domain access -
freeing up valuable IT resources.
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2019 computing security
9

mergers & acquisitions
WAGING WAR AGAINST CYBERATTACKS
IDENTITY AND ACCESS MANAGEMENT, ANTI-MALWARE SOFTWARE, NETWORK AND MOBILE SECURITY, IT
SECURITY SERVICES AND FINANCIAL TRANSACTION SECURITY - THESE ARE ALL DRIVING SECTOR
GROWTH
The Cybersecurity M&A Market
Report from international
technology mergers and acquisitions
advisors Hampleton Partners outlines
how high-profile hacks, the global
digitisation of business and new
regulations are driving record transaction
volumes and valuations, with 141
completed transactions by October this
year, surpassing 2016 and 2017 levels.
"2018 saw nine big ticket deals in excess
of $500m from buyers such as Thoma
Bravo, Cisco, RELX, AT&T and Francisco
Partners, which have generated attention
to the sector, helping overall market
valuations reach a new record of 5.6x
sales (trailing 30-month median)," states
Hampleton Partners. "There have been
426 acquisitions in the cybersecurity
sector since 2016. Of the top 40
transactions since 2016, 27% were
made by private equity buyers. A median
consensus of industry analysts forecasts
that the overall cybersecurity market will
grow from $132 billion in 2018 to £212
billion by 2022."
Identity and access management
continues to grow and remains the
cybersecurity subsector with the highest
total disclosed deal value, says the firm.
"One key example of this was Cisco
Systems' big bet on the two-factor
authentication provider Duo Security
for $2.35b at 18.8x sales. As the threat
of security breach through weak user
passwords continues to grow, Cisco sees
a user-friendly dual authentication
solution as a growth opportunity.
"As for the anti-malware sector, we see
that government and defence agencies
tend to fall victim to phishing scams, as
they are highly valuable targets. They
also make attractive clients for companies
like Watchguard Technologies, which
acquired Percipient Networks, to increase
its expertise in preventing email phishing
attacks through DNS."
Henrik Jeberg, director, Hampleton
Partners, further comments: "Hacking
is the newest form of warfare against
businesses, as well as nation states. The
average cost of a single data breach is
now 3 million, up by six per cent in
a year, plus the reputational damage,
which can be catastrophic. Given the
increasing market demand for
cybersecurity solutions due to regulation,
digitisation, high-profile hacks and new
technologies requiring security, we are
not surprised to see a highly active M&A
market for cybersecurity assets at high
valuations. I expect cybersecurity to
remain a hot topic in M&A, even if we
go into a period of more volatile financial
markets."
RANSOMWARE ATTACK
In one high-profile example that is cited
of a cyberattack, container shipping
company Maersk was forced to reinstall
4,000 servers and 45,000 computers
after a 'NotPetya' ransomware attack.
The company reported an indirect cost
through profit loss of over 300 million.
When it comes to the prospects for
cybersecurity in the days ahead, Jeberg
has this to say: "Game-changing
cybersecurity technology is now entering
newer verticals, such as connected and
autonomous vehicles, cryptocurrencies
and digital payment services, presenting
new challenges and major opportunities
for start-ups and scale-ups that can help
businesses protect their valuable IP and
customer data."
10
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

04-06 JUNE 2019
THE LEADING EVENT
IN EUROPE FOR INFORMATION
AND CYBER SECURITY
SECURE YOUR PASS NOW
“Walking through the halls
of innovation to shape
what I do for the next year,
amazing! If you work in
tech and you weren’t
there, you missed out”
Infosecurity Europe 2018
Visitor
KEEP IN TOUCH WITH
EVERYTHING INFOSECURITY
@Infosecurity #infosec19

2019 predictions
THE CERTAINTY OF UNCERTAIN TIMES AHEAD
COMPUTING SECURITY ASKS THOSE IN THE KNOW TO DO SOME FUTURE-GAZING AND GIVE US
THEIR TOP PREDICTIONS FOR CYBERSECURITY IN 2019. HERE'S WHAT THEY HAVE TO SAY
Most of us start a new year with a
number of resolutions - maybe to
drink less, be healthier, go to the
gym more often, be nicer to our fellow
beings etc. For many, those good intentions
have already been abandoned by the end
of January. But at least some kind of effort
has been made, hopefully, before that
happens. We also tend to wonder what the
next 12 months might hold in store for us.
In the world of security, similar thoughts
have probably been going through the
minds of those whose goal is to protect
their organisations from the ravages of the
attackers, as they seek to breach their
defences and steal their most precious
data. The big question to which everyone
will want an answer is: "Will I be hit by
a damaging attack in the months ahead?"
The truth is that far too many organisations
suffered a harmful event in 2018 - see page
26 - and the prospect of even more cyberattacks
in 2019 is in the minds of most
businesses. Here are the thoughts of a
number of people whom we asked to
pinpoint what the threat landscape might
look like as we weave our way warily
through the coming months.
NUVIAS GROUP
GDPR - the pain still to come. The GDPR
deadline has come and gone, with many
organisations breathing a sigh of relief that
it was fairly painless. "They've put security
processes in progress and can say that they
are en route to a secure situation - so
everything is okay?" queries Ian Kilpatrick,
EVP Cyber Security, Nuvias. "We are still
awaiting the first big GDPR penalty. When
it arrives, organisations are suddenly going
to start looking seriously at what they really
need to do. So GDPR will still have a big
impact in 2019."
Cloud insecurity - it's your head on the
block. "Cloud insecurity grew in 2018 and,
unfortunately, will grow even further in
2019," says Kilpatrick. "Increasing amounts
of data are being deployed from disparate
parts of organisations, with more and more
of that data ending up unsecured. Despite
the continual publicity around repeated
breaches, the majority of organisations do
12
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

2019 predictions
not have good housekeeping deployed and
enforced across their whole data estate in
the cloud."
Single factor passwords - the dark ages.
Single-factor passwords are one of the
simplest possible keys to the kingdom and
are the key tool for attack vectors, from
novice hackers right the way up to nationstate
players, he comments. "And yet they
still remain the go-to security protection for
the majority of organisations, despite the
low cost and ease of deployment of multifactor
authentication solutions. Sadly,
password theft and password-based
breaches will persist as a daily occurrence in
2019."
IOT - an increasing challenge. "The
technology is being increasingly deployed
by organisations, with minimal thought by
many as to the security risks and potential
consequences," Kilpatrick points out.
"Because some IoT deployments are well
away from the main network areas, they
have slipped in under the radar. IoT will
continue to be deployed, creating insecurity
in areas that were previously secure. For the
greatest percentage of IoT deployments, it
is incredibly difficult or impossible to
backfit security."
CYJAX
One of the key developments in 2018 was
the ascendance of cryptomining malware
to the top of the threat tree. Numerous
security researchers believed that it all but
heralded the end of the road for
ransomware. "However, as we noted in a
blog post earlier in 2018, this was not the
case," states Cyjax. "Instead, the emergence
of cryptomining malware merely
precipitated a recalibration of the malware
environment, in which ransomware was
still a prominent threat. A good example
of this is the GandCrab ransomware which,
over the course of 2018, evolved at least
five times to ensure it could stay ahead of
cybersecurity defences.
Cryptominers are arguably the story of
2018. In January, a series of pool-based
miners emerged, many of which had
botnets of millions of infected systems
that could have been used to generate
many millions of dollars a year. While an
organisation hit by cryptomining malware
would not lose any precious data, they
would nonetheless be at risk from
significantly decreased computing power.
"Perhaps the other most significant trend
in the malware landscape has been the rise
of mobile malware," adds Cyjax. "This threat
has grown, as more and more consumers
have turned to their mobile devices, instead
of desktops, for shopping, email and other
tasks. In most cases, threat actors have
looked to distribute malicious apps, with
a focus on stealing data from banking apps
or retail apps. The Google Play Store has
been plagued by these fake apps, which
users download believing them to be
legitimate."
This year will see significant developments
in the mobile malware sphere, Cyjax
believes - a 'professionalisation' of the kind
that was seen a decade ago in PC malware.
"This will see the threats become more
sophisticated as defences improve and
greater targeting is made necessary.
Cryptominers will continue to plague users
around the world, though their meteoric
rise will not be matched in 2019. And more
traditional malware, such as ransomware
and banking Trojans, while appearing to
have been eclipsed by cryptomining threats
in 2018, will nonetheless remain a serious
issue for the foreseeable future."
WEBROOT
As we prepare for what may lie ahead,
Webroot has been taking a look back at the
worst instances of malware and payloads
that hit users in 2018. "Botnets and
banking Trojans are the most commonly
seen type of malware, with Emotet being
the most prevalent and persistent seen to
date," says the company, before going on
to list the "three nastiest":
Emotet is this year's nastiest botnet that
delivers banking Trojans, states
Webroot. "It aspires to increase the
number of zombies in its spam botnet,
with a concentration on credential
gathering. Threat actors have recently
developed a universal plug and play
(UPnP) module that allows Emotet to
turn victims' routers into potential proxy
nodes for their command-and-control
infrastructure."
Trickbot follows a similar attack plan,
"but contains additional modules (with
more added each day) and has even
been seen dropping ransomware.
Imagine all of the machines in your
network being encrypted at once!"
Zeus Panda has similar functionality to
Trickbot, "but has more interesting
distribution methods including macroenabled
Word documents, exploit kits
and even compromised remote
monitoring and management services".
Webroot also cites cryptomining and
cryptojacking, saying that criminals are
quickly moving to these for faster, less risky,
ways of netting cryptocurrency. "However,
what some may call a victimless crime has
a significant impact for businesses and
consumers alike." The three nastiest it
highlights:
"GhostMiner's distribution method is the
scariest part for its victims, because they
don't know its entry point, similar to a scary
movie where you know someone's in the
house, but you don't know where.
GhostMiner is most commonly seen being
distributed via an exploit in Oracle
WebLogic (CVE-2018-2628).
"WannaMine's Windows management
instrumentation (WMI) persistence
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2019 computing security
13

2019 predictions
Jeremy Rowley, DigiCert: an area that is
likely to see more adoption is encryption.
Scott Gordon, Pulse Secure: a major change
for 2019 onwards is focused on the bigger
picture issue of trust.
technique is extremely nasty, allowing it to
remain stealthy and difficult to find and
remove.
"Coinhive, initially innocent, was quickly
added to the standard toolkit for attackers
compromising websites. Even legitimate
website owners are using Coinhive without
knowing the impact it will have on their
visitors. If your computer processing power
(CPU) spikes to 100 percent when simply
visiting a website, it might be Coinhive."
Ransomware, meanwhile, has taken a
backseat to the top threats in 2018, due
to the rise of cryptomining. "However,
ransomware has become a more targeted
business model for cybercriminals, with
unsecured remote desktop protocol (RDP)
connections becoming the focal point of
weakness in organisations and a favourite
port of entry for ransomware campaigns,"
adds Webroot.
Tyler Moffitt, senior threat research
analyst, Webroot, concludes: "In 2018, we
saw cyberattacks changing faster than ever,
evading traditional defences and wreaking
havoc on businesses and everyday internet
users alike. From gaping security holes,
such as unsecured RDP, to tried-and-true
tactics like phishing and exploits, to
stealing crypto in the form of CPU power,
cybercriminals are exploiting vulnerabilities
in increasingly malicious ways. Businesses
and individuals must be vigilant, stay
informed and focus on improving their
overall cyber hygiene to avoid the
devastating effects of these attacks."
GEMALTO
"2019 will see the emergence of the future
of security - crypto-agility," states Jason
Hart, CTO, Data Protection at Gemalto.
"As computing power increases, so does
the threat to current security protocols.
But one notable example is encryption, the
static algorithms of which could be broken
by the increased power. Crypto-agility will
enable businesses to employ flexible
algorithms that can be changed, without
significantly changing the system
infrastructure, should the original
encryption fail. It means businesses can
protect their data from future threats
including quantum computing, which is
still years away, without having to tear up
their systems each year as computing
power grows."
When it comes to AI, Hart has this to say:
"Up until now, the use of AI has been
limited, but as the computing power
grows, so too do the capabilities of AI
itself. In turn this means that next year will
see the first AI-orchestrated attack take
down a FTSE100 company. Creating a new
breed of AI powered malware, hackers will
infect an organisations system using the
malware and sit undetected gathering
information about users' behaviours, and
organisations systems.
"Adapting to its surroundings, the
malware will unleash a series of bespoke
attacks targeted to take down a company
from the inside out. The sophistication of
this attack will be like none seen before,
and organisations must prepare themselves
by embracing the technology itself as a
method of hitting back and fight fire with
fire."
Adds Gary Marsden, Cloud Security
Solutions, Data Protection at Gemalto:
"As organisations embrace digital
transformation, the process of migrating
to the cloud has never been under more
scrutiny; from business leaders looking to
minimise any downtime and gain positive
impact on the bottom line, to hackers
looking to breach systems and wreak
havoc. As such, 2019 will see the rise of
a new role for the channel - the Cloud
Migration Security Specialist.
“As companies move across, there is an
assumption that they're automatically
14
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

2019 predictions
protected as they transition workloads to
the cloud. The channel has a role to play
in educating companies that this isn't
necessarily the case and they'll need help
protecting themselves from threats. It's
these new roles that'll ensure the channel
continues to thrive."
INVINSEC
As many of us look ahead into 2019,
identifying what developments may
impact our personal and business
security, and how we can best prepare
for them, is essential, says CEO of
Invinsec, Andy Samsonoff, as he
pinpoints some key areas to keep a close
watch on:
Cloud application and
data centre attacks
"The ability of having faster and more
reliable internet connections has allowed
for the growth and expansion of cloud
applications and cloud data centres,"
states Samsonoff. "With every new
application that moves to the cloud, it
requires you to trust another vendor, their
software and their security to protect
your information. The inherent risk is that
users can access applications, as well as
your data from almost anywhere, as long
as they have the user's credentials. It
becomes a bigger risk when those users
connect to free or public wi-fi."
Shadow IT applications
"We are going to see an increase in
shadow IT applications being used.
We can see that over the next few years
these applications are going to cause
serious damage. Industry professionals
sometimes refer to them as renegade
applications, where employees download
non-corporate-approved (and potentially
insecure) applications to the same devices
used to access company data. Companies
should consider whitelisting applications
and restricting the ability to download
new software."
And one for 2020: AI
"Predicted security trends for 2019/20
show that AI is poised to help forecast,
classify and potentially block or mitigate
cyber threats and attacks," adds
Samsonoff. "One fundamental idea to AI
is machine learning. Over the past few
years it is being incorporated into many
security applications. Machines will
battle machines in an automatic and
continuous learning response cycle and
this is will continue to enhance security
postures."
PULSE SECURE
"Although we are at a point where new
technologies such as AI and ML are
grabbing a lot of the headlines, a major
change for 2019 onwards is focused on
the bigger picture issue of trust," advises
Scott Gordon, (CISSP), CMO for Pulse
Secure. "While there has been an
ongoing shift towards the acceptance
of a Zero Trust model becoming the de
facto standard for security architecture,
the next 24 months will see it accelerate
into the practice of many more
organisations."
Zero Trust moves away from the
traditional perimeter-based architecture
that assumed that anybody inside or
getting remote access to the internal
corporate network were trusted. "With the
rise of hybrid IT, employees, privileged
users, partners, guests and even customers
can and will be requesting access to
applications and resources that can be in
the data centre and/or the cloud," he adds.
"As such, the conventional perimeter
defence is more limiting, in terms of
ensuring protected access, as well as more
complex to provision and manage. Getting
a perimeter approach wrong can cause
frustration for users or leave potential gaps
in defences that attackers can exploit."
Zero Trust works on the principle of 'never
trust, always verify'. "With this method,
David Peters, ANSecurity: 2019 may well
bring another Wannacry-scale attack.
Jason Hart, Gemalto: 2019 will see the
emergence of the future of security -
crypto-agility.
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2019 computing security
15

2019 predictions
organisations can dynamically establish
secure connectivity and compliant access
between the users, devices and the
targeted resource and applications, using
a least-privileged security strategy," says
Gordon. "In this approach, access is granted
based on satisfying pre- and post-connect
policy associated with user, device and
security state. By adding microsegmentation,
one can further limit
unauthorised means to discover and exploit
resources."
DIGICERT
One area that is likely to worsen is phishing
attacks, predicts Jeremy Rowley, chief of
product at DigiCert. "In 2016, less than five
per cent of phishing websites were found
on HTTPS. One year later, nearly one third
of phishing attacks were hosted on
websites with HTTPS and almost twenty per
cent were found on HTTPS-protected
domains. There are a couple of reasons
for the change in the way phishers host
their malicious content. First, there are
many more HTTPS websites, which means
there are more websites that can be
compromised. Secondly, browser security
messaging is ambiguous, and now there
are a significant number of HTTPS websites
hosted on domains registered by phishers.
"Hackers are also taking advantage of the
HTTPS designation, because the perception
is that the website is legitimate. While
standards groups, like the anti-phishing
working group, have acknowledged the
problem, they're not coming up with new
solutions to combat the issue. It's a case of
dodgeball, while the problem continues to
grow," he continues.
Another area that will see improvement
in some regions and decline in others is
privacy, Rowley suggests. "Some of the
factors that have led to improvement are
the EU's GDPR, which imposes fines of up
to 20 million euros, and the fact that there
is a strong recognition of the problem
among other countries. The United States
is considering similar laws. Some of the
factors that contribute to the worsening
conditions for privacy have to do with the
value of search data.
"Companies are willing to expose
themselves to fines, because the profit for
this data is worth much more than the
fines. For example, Google has a ninety
per cent share in the search market and
over 50 million user accounts. Google
discovered a flaw in its Google+ API,
with the potential to expose the private
information of hundreds of thousands
of users. Yet the company chose not to
disclose the vulnerability to its users or the
public. It's hard to solve a problem when
the problem itself is so profitable."
However, an area that is likely to see more
adoption is encryption, he adds. "There are
several reasons behind this prediction,
such as Google now requiring HTTPS
everywhere and the industry's commitment
to developing better post-quantum crypto
algorithms. NIST, Microsoft and the IETF
are all coming out with better encryption
technologies, and there are new regulatory
compliance requirements on the horizon.
The rapid increase in the adoption of
encryption is having a positive impact, with
approximately eighty per cent of all traffic
and half of all websites now encrypted,
with further growth expected during 2019."
ANSECURITY
"There is often a sense of déjà vu in the
world of cyber security and 2019 may well
bring another Wannacry-scale attack,"
warns David Peters, technical director,
ANSecurity. "Maybe not ransomware, but
a self-propagating malware that escalates
exponentially. In terms of attack vector, a
possible route could be via Remote Desktop
Protocol, as too many organisations still
expose Remote Desktop Services direct to
the internet, which are still commonly hit
with password stuffing and brute force
attacks that may become a surface area
to be exploited more efficiently with a
network worm."
Peters also feels that this year could be
the point where regulators or class action
lawsuits start to hit companies with
massive legal penalties, which may force
a wake-up call that will prompt more
investment in security technologies, human
resources and training. "Speaking of
which,” he adds, “user security awareness
training will need to become the norm for
most organisations; phishing simulation
and evaluation solutions have seen massive
growth in recent years, with great success
in educating users to evaluate email links
and attachments independently from IT
and security teams."
Microsoft's 14-hour outage within its
Multi-Factor Authentication (MFA) service
highlights the challenges major cloud
providers appear to be having with security
availability, he points out. "Although
multiple factors of authentication will
continue to grow, uptake is still a very low
percentage," he says. "As a result, 2019 will
see more vendors incentivising customers
to enable MFA by offering discounts.
Universal 2nd Factor (U2F) or FIDO2 may be
a popular choice, but issues still arise with
legacy apps and operating systems that
won't support SAML or other federated
authentication methods."
Botnets will continue to be a threat this
year, as the deployment of IoT increases,
making it a major challenge for information
security professionals. "IoT is becoming
a huge surface area for attack and 'hijack'
by attackers and we'll see lots of new
vulnerabilities being exploited to
compromise IoT devices," Peters concludes.
"Thankfully, traditional network segregation
for most enterprises limits compromise and
lateral movement, but this may not be a
scalable solution and is still not widely
deployed in the consumer space."
16
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

product review
ALIENVAULT USM ANYWHERE
Organisations that want their threat
detection, incident response and
compliance management centralised
in one place need look no further than
AlienVault, an AT&T company. Deployed as
a SaaS (software as a service) solution, its
USM Anywhere delivers everything they
could possibly need, all easily accessible
from a single web portal.
USM Anywhere provides a wealth of
security measures, including automatic asset
discovery, IDS, vulnerability assessment, event
correlation, endpoint detection and response
(EDR), compliance reporting and much more.
Its scalable, distributed architecture is built
around on-premises and cloud sensors, so
no network is beyond its reach, and it can
continuously monitor Amazon Web Services
(AWS) and Microsoft Azure cloud
environments.
AlienVault provides purpose-built sensors
for Hyper-V, VMware, AWS and Azure.
These collect data from on-premises and
cloud environments, and securely pass it to
the USM Anywhere cloud-hosted service,
which provides a centralised collection and
management point.
Deployment is simple, as we tested the
Hyper-V version and had our sensor VM
ready for action inside 30 minutes. The VM
requires five virtual network interfaces, with
the first used for management and internet
access, while the other four are assigned to
dedicated vSwitches, so they can passively
monitor network traffic from mirrored switch
ports to perform IDS.
An installation wizard quickly sorted out
the sensor connection to our secure cloud
account, created our first network scan for
asset discovery and offered to scan our
Active Directory server. It presented a status
view of the VM network ports to confirm
they were operational and provided details
for Syslog-enabled devices to send logs to
the sensor.
In under an hour, we were logged in to
our cloud portal and viewing all discovered
assets. Identification is accurate, as the scans
correctly surmised we were running
Windows Server 2012 R2 and Server 2016
hosts, had HPE ProCurve networking
switches and multiple storage devices
running various flavours of Linux.
USM Anywhere's dashboard puts everything at
your fingertips, with a default set of graphs
and charts organised neatly into sections for
SIEM alarms and events, asset discovery and
vulnerability assessment. These team up to
provide an instant readout on your security
posture and you can create multiple custom
dashboards from a big list of widgets.
The service runs scheduled standard and
authenticated asset scans where the former
probes network services, looking for
vulnerabilities. Authenticated scans require
administrative access to assets and provide
more accurate information about running
software and its configuration.
The AlienVault Agent can be deployed on
selected assets to gather more detail and
we used the predefined PowerShell script
to download the Windows agent to our
Server 2016 hosts. This also enabled the
EDR feature for continuous asset security
monitoring and compliance, plus file
integrity monitoring.
Alert fatigue is avoided, as rules analyse all
events for behavioural patterns and issue
alarms when the correlation engine has
established patterns, such as cyber-attacks.
Alarms provide a wealth of information
about associated events and the portal also
offers sage advice on remedial action.
USM Anywhere's correlation rules are written
and updated by AlienVault Labs Security Research
Team: through the crowd-sourced Open Threat
Exchange (OTX) community, according to
emerging and evolving threats they see in the
wild, and they use machine learning and human
intelligence to analyse and expand threat
scenarios. Along with extensive alerting facilities,
USM Anywhere provides great reporting features,
including templates for the PCI, HIPAA, NIST and
ISO 27001 security standards.
AlienVault's USM Anywhere is one of the
most complete security solutions on the
market, which we found surprisingly easy to
deploy and use. This all-in-one SaaS platform
presents all the information you need to
pinpoint cyber-threats or asset vulnerabilities
and represents excellent value for businesses
of all sizes.
Product: USM Anywhere
Supplier: AlienVault
Telephone: 353 21 206 3716
Web site: www.alienvault.com
Price: From £832 per month (ex VAT)
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2019 computing security
17

deep dive days
Students at the Centre for Doctoral
Training, Oxford University.
POWERFUL ALLIANCE
CYJAX HAS BEEN WORKING CLOSELY FOR SOME TIME NOW WITH OXFORD UNIVERSITY AND THE CENTRE
FOR DOCTORAL TRAINING IN CYBER SECURITY - AND THESE 'DEEP DIVE DAYS' ARE REALLY PAYING OFF
Mark Pearce, CYJAX: Deep Dive Days
breathe life into the real-world challenges
that students will be facing.
Over the last seven years, CYJAX
has been at the forefront of the
Cyber Threat Intelligence sector,
innovating and developing highly
advanced technology that serves to
protect governments and enterprise
alike. More recently, the CYJAX team's
association with Oxford University and
the Centre for Doctoral Training (CDT) in
Cyber Security has been proving a highly
regarded relationship on both sides.
Indeed, the programme that has
emerged during the last three years
has seen CYJAX take an active role,
alongside major industry players, in
shaping the future curriculum and
influencing the direction of those
studying for their PhDs. This is now
producing some of the world's leading
talents, as well as addressing the skills
gaps in one of the most important
facets of cyber security.
REAL-WORLD CHALLENGES
"Working closely with the University, CYJAX
has been able to produce a series of Deep
Dive Days, which breathe life into the realworld
challenges the students will be
facing," confirms Mark Pearce, chief
marketing officer, CYJAX. "The sessions have
evolved into highly proactive knowledge
exchanges and see students pitched into live
situations where they get the opportunity
not only to apply their own intellects, but
also 'flex the tech', utilising the most
advanced cyber threat intelligence tools
from CYJAX."
The sessions also bring together case
studies from major UK businesses and give
leading cyber security practitioners the
opportunity to share their experiences in
dealing with what is now an all too
common occurrence. As Pearce points out:
"The sessions throw away the text books and
get students to really apply what they know,
18
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

deep dive days
CYJAX Deep Dive Day in progress at Oxford University.
Katherine Fletcher, entering the Robert
Hooke Building, Oxford University.
and to think about creative solutions, rather
than just theories or some vague hypothesis.
"The whole idea of these sessions is to
get humans thinking about how they can
combine high intellect with advanced
technological tools to address what will
be facing them in the coming years."
As these sessions continue to evolve, the
need for innovation and the need for greater,
more cohesive, skills sets will see CYJAX and
the academic world striving to match the
pace and continue the battle against the
next generation of nefarious threat actors.
MULTIPLE BENEFITS
Katherine Fletcher, CDT industry liaison
officer at Oxford University, adds that
interaction with firms like CYJAX are hugely
important for the CDT, for several reasons.
"First and foremost, it helps us ensure that
our students are learning about the current
state of the field, from experts working
at the cutting edge. But there are other
benefits: helping our academics and
students build up networks of contacts,
building trust between the university and
the companies, which may turn into future
research projects, and generally keeping us
up to date.
"We integrate industrial connections into
our CDT course with a number of Deep Dive
days each year, as well as research seminars
given by industry practitioners. Some of
these develop into mini projects (short
standalone projects, undertaken in the first
year of the programme) or even a full thesis
project, and, in the case of CYJAX, it has also
led to several of our students doing freelance
work as analysts."
Every firm has different things to offer, but
CYJAX is always a highlight, she states. "They
make a real effort to tailor their Deep Dive
day to be useful for our students - including,
for example, an open discussion of career
progression and life as a CISO. They have
even taken the step of bringing along their
collaborators and customers to discuss their
perspectives, which is a real show of trust
and adds value to the discussion for all
participants."
INNOVATIVE TECHNIQUES
Often, it is the unguarded, off-the-record,
conversations that are most interesting,
she comments. Why is that? "Because this
is where we come across the tacit
knowledge about how the world works:
we can teach ourselves the innovative
techniques and latest systems; what we
really need is the understanding of how
real collaborations run and why X is
favoured over Y in the real world.
"The most successful Deep Dives happen
when the discussion goes both ways: our
students learn from the practitioners and
are also able to give something back.
One of my favourite examples of this was
at the 2017 CYJAX Deep Dive, where the
students were given some sample
exercises to learn how to conduct an
investigation. The cohort went through
the examples so quickly that the CYJAX
team decided to give them a live puzzle
to work on, which their own analysts had
not yet had time to crack, and the
students managed to find the answer
within a few minutes."
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2019 computing security
19

critical response
THE QUANTUM THREAT TO CYBERSECURITY
BY RODNEY JOFFE, SVP AND FELLOW, NEUSTAR, AND CHAIRMAN OF THE NEUSTAR INTERNATIONAL
SECURITY COUNCIL (NISC)
Jeremy Rowley, DigiCert: an area that is
likely to see more adoption is encryption.
Imagine being handed a phonebook
with 10 million entries and a slip of
paper with one phone number on it.
How long would it take you to match the
number on the slip to the entry in the
phonebook? For a human being - as for a
classical search algorithm on a traditional
computer - it would take an average of 5
million attempts to find the right entry. A
traditional computer, of course, can make
each attempt much faster than a person
could, but a search algorithm on a
quantum computer (which can hold vastly
more information at one time) could
perform the same feat 5,000 times faster
than a traditional computer, in just 1,000
operations.
This ability to work with huge datasets at
unheard-of speeds is why quantum
computing has long been held as a major
stepping stone for all kinds of sectors.
Medical breakthroughs, new frontiers in
chemistry and manufacturing innovations
might all be leveraged through the ability
to work with lots of information, all at
once - and the race is on to build the
machine capable of the task. In the last
budget, Chancellor Philip Hammond
announced £325 million of funding for
quantum computing research, contributing
to a global budget of billions coming from
governments and private industry.
However, amidst the excitement,
quantum computing's ability to work
outside the linear processes we are familiar
with also poses a key threat to the
cryptographic tools we rely on for our IT
security: in short, if it can find a phone
number, it can find a password.
THE POST-QUANTUM THREAT
At the moment, we rely on encryption,
which is possible to crack in theory, but
impossible to crack in practice, precisely
because it would take so long to do so,
over timescales of trillions or even
quadrillions of years. Without the
protective shield of encryption, a quantum
computer in the hands of a malicious actor
could launch a cyberattack unlike anything
previously seen.
Of course, a fully functioning and
practical quantum computer capable of
that kind of operation does not yet exist -
and there is no consensus over how long it
will be before it does. Nonetheless, we
have already started to see small-scale
quantum attacks in the wild, being used in
conjunction with more traditional attack
vectors, botnets and ports.
On a typical contemporary system, being
used by a company to run various
applications in the cloud, a traffic anomaly
of 300 Mbps would probably not be
noticed and therefore would not trigger
cloud failover. Clever attacks might exploit
this fact to open a window to the system,
bypassing security endpoints, without
triggering the system's mitigation
methods.
PLAN FOR TOMORROW'S QUANTUM
TODAY
For both today's small-scale threats and the
major attacks looming on the horizon, it is
vital that IT professionals begin responding
to quantum immediately. The security
community has already launched a
research effort into quantum-proof
cryptography, but information
professionals at every organisation holding
sensitive data should have quantum on
their radar.
As ever, an up-to-date security strategy is
key: systems must be updated and any
unnecessary services operating in the
infrastructure could provide a window for
quantum attacks and so should be
removed.
Beyond this, quantum computing's ability
to solve our great scientific and
technological challenges will also be its
ability to disrupt everything we know
about computer security. IT experts of
every stripe will need to work to rebuild
the algorithms, strategies, and systems
that form our approach to cybersecurity.
20
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

over 150 providers offering leading
covering key topics and meet
www.cloudsecurityexpo.com/ComputingSecurity1
and solutions at the UK’s largest cloud
cloud and cyber security services
200 expert speakers
Hear from over
and cyber security event.
Register for your free ticket today:
SECURING
DIGITAL
TRANSFORMATION
Security is not just for the IT team: it now impacts everyone, and is an imperative
consideration for the entire business. Join us on 12-13 March 2019 to gain
knowledge and insight from industry leading security experts on emerging
trends, tech deep dives, lessons learned and market forecasts.
Our 2019 speakers include:
JOHN
MEAKIN
Group Chief
Information
Security Officer
GSK
CHI
ONWURAH
Shadow Minister
of Industrial
Strategy, Science
and Innovation
UK
Parliament
JON
TOWNSEND
CIO
National
Trust
DAVID
DEIGHTON
Chief Architect
and CISO
University of
Birmingham
EMERIC
MISZTI
CISO
Motor
Insurers
Bureau
RAZVAN
TUDOR
Chapter Lead
ING
For more information contact
the team today on +44 (0)207 013 4997
CO-LOCATED
WITH:

masterclass
CLOUD ADOPTION: A BLESSING, NOT A CURSE, FOR IT SECURITY
NIGEL HAWTHORN, DATA PRIVACY EXPERT AT MCAFEE, AND CHARLOTTE GURNEY, MARKETING MANAGER AT
BROOKCOURT SOLUTIONS, CONSIDER HOW CLOUD CAN BE THE MOST SECURE ENVIRONMENT FOR
BUSINESS, DESPITE INCREASINGLY SOPHISTICATED THREATS AND GROWING CYBERCRIMINAL INTEREST
Charlotte Gurney, Marketing Manager,
Brookcourt Solutions.
Modern IT architecture is rapidly
evolving, with the cloud and a
range of connected devices
becoming the new anchors for enterprise
data. Organisations are recognising that
moving to Office 365 enables rapid
collaboration, while the likes of Amazon Web
Services (AWS) and Microsoft Azure can help
their IT infrastructure become more
responsive and flexible to drive further
innovation. However, theft of data or an
attacker gaining entry to corporate cloud
infrastructure can stop innovation in its
tracks.
VALUABLE DATA IN THE CLOUD
McAfee's recent Cloud Adoption and Risk
Report found that 21% of data stored in the
cloud is sensitive, such as intellectual property
or customer data. Today, cybercriminals are
turning their attention to this valuable data.
Possible threat scenarios include password
reuse from consumer to business cloud
services, cloud-native attacks targeting weak
APIs, hunting for poor cloud security
configurations, and using the cloud as a
springboard for cloud-native man-in-themiddle
attacks to launch cryptojacking
malware.
With the increased adoption of services like
Office 365, McAfee has pinpointed a surge of
attacks on the service - especially attempts to
compromise email. As just one example,
McAfee uncovered the KnockKnock botnet,
designed to target system accounts that
typically do not have multifactor
authentication.
We have also seen many high-profile data
breaches attributed to misconfigured
Amazon S3 buckets. This is clearly not the
fault of AWS. Based on the shared
responsibility model, the onus is on the
customer to configure IaaS/PaaS
infrastructure properly. However, many of
these misconfigured buckets are owned by
vendors in their supply chains, not the target
enterprises. This complicates matters for them
and makes it simple for bad actors to find
easy pickings amongst the thousands of
available open buckets.
Happily, the cloud can be managed and
controlled, and many policies, in place for
years on endpoints and on-premises servers
for example, can be migrated to the cloud, so
functions such as DLP, user behaviour
analytics, access control, integration with
global authentication systems can all be put
in place. The difficulty for organisations is that
this is not delivered by the security systems
already installed - a new computing system
needs new security tools, such as CASB
(Cloud Access Security Brokers). In addition,
cloud brings in new functionalities that need
managing - the ease of collaborating in the
cloud with external 3rd parties and cloud-tocloud
traffic. These can also be addressed but
not with the old-school network-based
security systems we have relied on in the past.
SECURING THE CLOUD
For organisations to adopt the cloud with
peace of mind, they not only need visibility
into data and applications, but consistent
data and threat protection policies across
their data and applications wherever they
reside. When managed correctly, the cloud
can be the most secure environment for
business.
Brookcourt Solutions delivers products and
professional services based around McAfee
MVISION cloud-native solutions - designed to
protect data, detect threats and correct any
new vulnerabilities quickly. With McAfee's
MVISION portfolio, the enterprise can mount
a powerful threat and data-centric defence,
spanning from device to the cloud. In this
way, IT security teams can unify threat
defence and data protection as well as
eliminating the silos that inhibit their ability to
manage and adjust security controls in
response to a changing operating
environment.
Security concerns should not be a barrier to
cloud adoption. Together with the native
security delivered by cloud providers such as
AWS, Microsoft Azure and Microsoft Office
365, McAfee aims to make cloud as secure or
more secure than on-premises alternatives.
With McAfee, organisations can securely
harness the power of the cloud to accelerate
business, drive innovation and gain a
competitive edge.
22
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

sports and leisure
SPORTING CHANCE
RECENT FIGURES SUGGEST THAT OVER THE LAST YEAR THERE HAS BEEN A 50% INCREASE
IN ONLINE ATTACKS ON VOLUNTEER-RUN SPORTS AND LEISURE CLUBS
Aspate of recent targeted attacks on
line against sports and leisure clubs
has put the industry on red alert.
The cyber-crimes are said to have cost the
clubs an average of £10,000 each.
Why have they been singled out? Sports
and leisure clubs hold a high volume of
data and are often too small to have a
dedicated team in place to look after their
online security. That makes them an ideal
target for hackers. According to cyber
security specialists DeCyber, cyber-security
products currently available on the market
tend to be structured in a way that large
organisations can adopt and afford, but to
smaller businesses, such as sports clubs,
are not as accessible.
The level of risk these organisations face is
what prompted DeCyber to partner with
international product innovation business
CPP Group UK, a leading cyber training
provider, CybSafe, and Lloyd's of London
(for the provision of cyber insurance) to
launch a suite of products that aims to
transform how clubs manage their online
security and that adapts to their needs.
BESPOKE SOLUTIONS
Given their limited IT infrastructure and
lack of specialist resource, clubs need
software packages that are easy to install
and manage, as well as being inexpensive,
they point out. For its part, DeCyber creates
bespoke packages to suit the requirements
of such organisations.
The partnership between DeCyber and
CPP Group UK has resulted in three new
products that are aimed specifically at
sports and leisure clubs:
Checking for online cyber risks often
involves users having to give specialists
access to their networks and systems.
With KYND, cyber risks can be checked
via a domain name and the results are
said to be instant, saving users valuable
time. A universal traffic light system of
red, amber and green is also a useful
quality to help monitor and explain
cyber risk through an easy-tounderstand
method
OwlDetect scans the web (including the
dark web) to detect if information
appears in places it shouldn't, as well as
highlighting the level of risk it poses
and advising next steps to ensure the
information isn't compromised
The third product, WardWiz, is
described as a comprehensive anti-virus
software, providing real-time
protection from online threats. As well
as detecting and removing threats from
a device, it can repair any damage
caused and mitigates against future
risks.
All three products can be packaged with
cyber insurance and training to provide
a complete solution, it is stated. DeCyber
was in the process of enabling the online
purchase of these products through its
health check process as Computing
Security went to press.
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2019 computing security
23

inside view
DON'T PASS GO!
PASSWORDS ARE A NEVER-ENDING HEADACHE FOR ORGANISATIONS EVERYWHERE - AND A BOON FOR
HACKERS LOOKING FOR EASY ACCESS TO SOMEONE'S DATA. SAMANTHA HUMPHRIES OF RAPID7 OFFERS
HER INSIGHTS INTO THIS THORNY TOPIC
Samantha Humphries: we should be
using unique passwords/phrases across
the accounts that have the most risk
associated with them.
Last summer, as part of a company 'give
back' initiative, a group of us went into
a local secondary school to run a STEM
day. The room I helped with focused on
phishing - we took the students through a
game of phish spotting, which they were
unsurprisingly great at, given that schools
are teaching cybersecurity pretty early on
these days. Every single group scored a false
positive, though, picking up on Facebook's
head office address as a red flag. Ironies
aside, it was a fun day, and very pleasing to
see how switched-on the groups were when
it came to staying safe online.
Mostly for purposes of getting a cheap
laugh, I'd brought along a prop: security
underpants (https://amzn.to/2H2G8uX) to
help thematically cover recommendations
around passwords: don't share them, don't
leave them lying around, change them
frequently. We then got into the
conversation about re-use, which did go a
little sideways from an underpants analogy
standpoint, but we hit on something that is
true the world over. We asked the students
to put their hands up if they ever re-used
their passwords across different websites.
There was a lot of looking around the room,
to check if their friends were going to admit
to it. Slowly, hands started to go up, until a
full house was reached. Every. Single. Time.
Including the teachers. Followed by some
nervous giggling, some embarrassed faces,
and then something of a relieved silence
when everyone realised 'It Wasn't Just Them'.
Everybody does it. And I'll say it out loud
right now, I do it, and I've been in the
security industry longer than some of our
current interns have been alive. We all know
the rules, we hopefully all know the risks,
but we do it anyway. Why? Humans are,
well, human. It's pretty much impossible to
remember unique passwords for each
individual online account. At the very least,
24
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

inside view
we should be using unique
passwords/phrases across the accounts that
have the most risk associated with them:
banking, health info, work accounts, gmail,
social media, password managers etc.
Ideally combined with two-factor
authentication where it's available.
Some of us devise systems to help us
remember all the things. Horror story alert: I
recall once hearing a senior security
executive proudly announce that they
prepend their password with the name of
the website, eg: haveibeenpwnedpassword.
Guess what, Donald, this really isn't a great
system, if your credentials are harvested
from a breach, it doesn't take a '1337
h4ck3r' to determine what your gmail
password is, and every other account you
have for that matter, plus I would hazard a
guess that 2FA hasn't made it to your radar
just yet either. This is the physical security
equivalent of having identical locks for every
door in your house, your office, your car
and your safe, but using a different
coloured keyfob for each one. Please don't
do this.
So, let's assume you like your job enough
to use a unique password at work and your
IT/Security folks are enforcing some sort of
password policy. For a lot of organisations,
it goes like this: change your password every
90 days, passwords must include one
uppercase character, one lowercase
character, four numbers, one special
character, minimum password length of ten
characters, don't reuse the last sixteen or so
passwords. There are possibly rules around
not using repeated characters, or passwords
similar to previous ones, and ideally lasers
come out of the ceiling, if you include the
actual word 'password'. Sound familiar?
Okay, maybe not the lasers part, but I expect
at least some of the above is true for your
organisation. And I can guarantee you this:
some users have developed a system for
this, too, and it's not as foolproof as they'd
hope.
Arguably, the biggest problem lies with
one of the underpants rules - change them
regularly. I'm not saying this is a bad thing
per se, but where the policy often falls
down is around the 90-day part, because
it tends to drive a particular behaviour. In
many parts of the world, the seasons
change four times a year, so when pushed
to think up a new password at change
time, users pretty frequently include the
season, combine it with the current year
and everyone's favourite special character:
the exclamation mark! Ending up with a
variation on a theme of this: Spring2019!
You may just have experienced the horror
of reading your password in an article. If
that's you, please make sure to include a
password change on your to-do list today.
But don't feel too bad. I promise you that
you aren't alone. Many other people have
come up with the exact same system.
Despite what my kids sometimes think,
Sam isn't psychic, so how does she know
this truth exists?
Every year, Rapid7 produces a research
report on our learnings from the hundreds
of penetration testing engagements, the
wonderfully named 'Under The Hoodie'
https://www.rapid7.com/info/under-thehoodie.
It's a great read, whether you're on
the hook for security or not, and includes
some fascinating real-life stories from the
field.
Compromised credentials are an
attacker's favourite, used to gain access to
systems and to move around networks
undetected, therefore it's often that we're
SAMANTHA HUMPHRIES
asked to try and harvest credentials during
an engagement. We use various methods
to harvest passwords, one of which is the
very quick and very dirty option of
guessing. Not-shockingly, the dreaded "P"
word comes up a lot, sometimes with
numbers at the end, sometimes with a
zero instead of an o, but not exactly rocket
science either way. Variations of the
company name with the same devilish
trickery are fairly common too
(C0mpanyname1234). And time and time
again, when we're hunting around for user
accounts, we find they've set their
password to SeasonYear!
How to be (even!) better at passwords:
Include a rule in the password policy
disallowing the format of SeasonYear!
because it's all too commonplace. Get
creative about formatting and periodic
changes too
Implement a corporate identity
manager / single sign-on tool in your
organisation. There are plenty of good
ones available on the market - they
make life simpler for the users whilst
improving your security posture.
Password managers, although not
necessarily complete security nirvana, are
good practice in real life. They'll help you
avoid being 'Donald', with the horrible
websitepassword combo.
Also, please do check out the Under The
Hoodie videos at the bottom of the
research website to learn more about
what goes on in the world of pen testing.
Samantha Humphries is the senior product marketing manager for Global
Consulting Services at Rapid7. She has nearly 20 years' experience in infosec and
has worked in a plethora of areas, including product management, threat research
and incident response. She has helped hundreds of organisations of all shapes,
sizes and geographies recover and learn from cyberattacks.
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2019 computing security
25

airline attack
BROUGHT DOWN TO EARTH
CYBERCRIMINALS WHO CARRIED OUT A HACK ON BRITISH AIRWAYS COMPROMISED THE DATA OF AROUND
380,000 PASSENGERS
The recent major hack on British
Airways' website and mobile
applications, putting at grave risk the
personal information and bank and/or credit
card data of some 380,000 passengers,
netted a haul that included passengers'
names, billing addresses, email addresses,
bank card numbers, credit card numbers,
expiration dates and CVV codes.
As Armor's Threat Research Unit (TRU)
team revealed in their 6 September Threat
Report, stolen credit cards are one of the
most highly sought-after products in the
underground hacker markets. Armor was
quick to track down nine separate hackers,
on both English-speaking and Russianspeaking
markets, who are selling the
credentials for hundreds of stolen credit
cards from the UK, Europe and the US.
And the price at which these are being sold
off might come as a shock to the BA victims
whose personal details were compromised
by a company in whom they had placed
such trust.
BATTERED AND BARTERED
"Current prices for UK credit cards (Visa,
Mastercard and American Express), with
corresponding CVV data and expiration
dates (similar to the data compromised at
BA), runs at $35 each, $30 for a European
Visa, Mastercard or American Express card,
and $15 for a single US Visa or Mastercard
and $18 for an American Express card,"
reveals Armor. Such are the bare statistics
to which personal, highly sensitive data is
reduced.
British Airways' boss Alex Cruz was quick
to apologise in the wake of the attack -
which took place between 21 August and
5 September last year - for what he said was
a "sophisticated breach" of the firm's security
systems. "We are 100% committed to
compensate them, period," Cruz told the
BBC's Today programme. "We are committed
to working with any customer who may have
been financially affected by this attack and
we will compensate them for any financial
hardship that they may have suffered."
Of course, apologies are one thing - being
hacked in the first place is really the problem.
It's all very well to refer to the hack as a
"sophisticated breach" of the firm's security
systems, but the difficulty with that statement
is, consciously or unconsciously, it could be
taken to harbour some underlying implication
that this level of complexity made the breach,
if not excusable, hard to defend against.
If that is true, what hope is there for
organisations when it comes to protecting
themselves? Was BA's security technology up
to the task? Ultimately, is there any solution
out there that can defend against ALL attacks,
known and unknown?
THE BOTTOM LINE
In some instances, breaches occur because
defences are lax and/or inadequate - although
this is in no way to suggest BA's defences
were not robust. In other instances, the
breached business believes that it had every
reason to assume it will not, even cannot, be
breached. Which begs the question: have we
all but reached the point where no one is safe
26
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

airline attack
and no solution can stop successful attacks
by the most determined and best armed?
These are issues that the industry - and
those who use their solutions - must be
pondering, openly or behind closed doors;
which is actually the right thing to do. It
has become the mantra of every solutions
provider to warn enterprises that a breach is a
matter of when, not if, but can they do more
than make a potential hacker look elsewhere
for easier prey? In which case, it is true that
no one is safe; just 'relatively' safe.
"It is inconceivable that British Airways did
not have significant cyber security systems in
place, and certainly they would have spent
a substantial amount of money to stop such
incidents occurring," insists Phil Beckett,
managing director at consulting firm Alvarez
and Marsal. "However, due to the increased
sophistication of attacks, traditional
approaches to cybersecurity have been found
wanting and, as a result, even the biggest
and most sophisticated of organisations can
be hit.
"As seen in this case, and many others
before it, the risks for organisations go well
beyond the fines regulators might issue.
Nonetheless, these fines could be hefty -
up to 4% of annual global revenue - under
the new GDPR regime. It is imperative that
cybersecurity is seen as a strategic business
priority and something no CEO can ignore,"
Beckett adds.
STEPPING UP
Mark Adams, regional vice president of UK
& Ireland, Veeam, credits British Airways for
reporting the breach so quickly, saying that
many others could learn from the handling of
this. "Unfortunately, breaches can happen to
any business and, while BA remain on the
backfoot to ensure this doesn't happen again,
it's important to highlight why all businesses
need to be far more proactive in managing
data and systems, and getting security and
monitoring of data right up front.
"To reduce the chances of breach complaints
and payment of heavy fines, businesses have
several steps they can take. First and
foremost, work to deliver a company-wide
employee training programme on data
protection and phishing attacks. Human-led
errors are still the weakest link in the security
chain for a business. No matter who you are
or who you work for, this must be right.
When the stakes are so high, employees have
to be more aware of their actions.
“From a technology standpoint,” Adams
points out, “implementing intelligent data
management tools that can monitor,
automatically spot irregularities and act
accordingly is critical, he adds. "Data collected
by an organisation the scale of an airline is
vast; and they are a prime example of the
type of business that needs to move from
a policy-based mindset of security and data
management to an automated, behaviour-led
approach that scan spot inaccuracies and
obscure patterns in data usage.
"For organisations of any scale, the old
school way of manually checking and
monitoring is no longer sufficient, especially
not for businesses of this size," cautions
Adams. "And, while it's near impossible to
prevent all data leakage and data thefts,
an intelligent data management approach,
combined with a strong and versatile incident
response process, can help significantly
reduce the complaints that naturally would
follow."
TOTAL VISIBILITY
The bigger the company name, the louder
the howls of protest after a breach, of course.
They are the ones expected to invest more
time, money and strategic thinking into
ensuring they keep our precious data out of
the hands of hackers. Yet too many are failing
in this regard.
"Large-scale data breaches seem to be
becoming all-regular-occurrence, and British
Airways is just the latest in the long line of
Randy Abrams, Webroot: mobile access
from a 'trusted' device, from an expected
location, can defeat certain types of
heuristics that otherwise would have
raised alarm.
Mark Adams, Veeam: businesses need to
be far more proactive in managing data
and systems, and getting security and
monitoring of data right up front.
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2019 computing security
27

airline attack
Simon Cuthbert, 8MAN by Protected
Networks: personally affected, he has
issues with how the airline handled the
initial response to customers.
British organisations to fall victim," say Adams.
"As sophisticated and well-funded threat
actors adapt quickly to new security
measures, trying to protect customer data has
become an exhausting process. But the best
defence in cybersecurity is a proactive one. It's
simply not acceptable that any organisation,
especially one of this size, was not protecting
all of its data, so that it was secured against
any kind of attack, even one via third party
software.
"To protect customers, and their valuable
personal data, businesses must have
complete visibility and control over exactly
where their data resides, and adopt an
encrypt-everything approach, particularly in
this case when precious financial information
was involved. Data that is fully encrypted is
useless to hackers, after all."
With the GDPR in full force, he adds, it's no
longer just a lack of customer trust and a
tarnished reputation that organisations need
to be worried about. "…the risk of weighty
financial penalties means the perils of a data
breach have got a lot more serious."
NOT THE ONLY ONE
While British Airways has taken most of the
recent flak, this, as Randy Abrams, senior
security analyst, Webroot, points out, is not
the whole story. "Air Canada was hacked and,
between August 22 and August 24,
customer's passport details may have been
compromised. The overlapping dates are
probably a blessing, as the odds are small
that the same customers booked both airlines
in the two-day window of overlap."
He goes on to reveal: "In the case of Air
Canada's breach, customer's data, potentially
including passport numbers and expiry date,
passport country of issuance, NEXUS
numbers for trusted travelers, gender, dates
of birth, nationality and country of residence,
may have been compromised. In both cases,
this is data that now may be available to
cybercriminals to aggregate and correlate to
build significantly comprehensive profiles."
A commonality of the breaches is that they
both affected mobile app users. "While no
mention was made of iOS or Android, the
security of mobile apps financial, especially on
Android is questionable at best. Although
great efforts are made to secure the mobile
apps, credential theft is not uncommon,"
adds Abrams.
"In this case, mobile access from a 'trusted'
device from an expected location can defeat
certain types of heuristics that otherwise
would have raised alarm. The wisdom of
conducting financial transactions on an
Android device, in particular, is of question.
Mobile security products can be used to help
prevent malicious apps from compromising
devices. If a consumer chooses to conduct
financial transactions on a mobile device, the
additional security is effectively mandatory."
While BA notified affected customers, he
warns that the estimated number of affected
individuals may grow over time. "It is probably
best for all of the customers who booked
during this timeframe to talk to their banks
and set up 2-factor authentication."
TRUSTED BRANDS
Undoubtedly, the British Airways attack will
have been causing serious problems for many
affected customers, including damage to
their finances and credit ratings. "This
incident, the latest in an ever-growing string
of breaches of trusted brands, is likely to add
to a feeling that consumers are losing control
of their personal data," states Gerald Beuchelt,
CISO, LogMeIn. "Customers should also
mitigate any damage by changing their
passwords to something unique across all
accounts and turning on multi-factor
authentication where possible. Individuals
and businesses should also be extra vigilant to
phishing emails, as attacks like this provide
the perfect opportunity for scammers to use it
to their advantage."
However, there is another view of BA's
handling of the breach, other than
acknowledgement of its swift action in
revealing that it had been discovered. Simon
Cuthbert, head of international, 8MAN by
Protected Networks, was one of those BA
customers personally affected and he has
issues with how the airline handled the initial
response to its customers.
"The email received [from BA] was not well
written, nor did it give me as a customer any
comfort in the actions they claim to have
taken. I am sure I am not alone in reading the
email as 'Oops, someone broke in and stole
your personal information, but oh well, we
will try to stop it happening again. Go and
speak to your bank, they know what to do!'
Adds Cuthbert: “This should be seen as a
warning that no business, large or small, is
exempt from being a target to hackers and
they should ensure they have the necessary
strategies in place, not just to protect from
the risk of a breach, but also in how to handle
one, should it occur."
28
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

targeted attacks
UNDERSTANDING CYBER KILL CHAIN MODEL
TO STOP ADVANCED PERSISTENT THREATS
ALTUG ASIK, SENIOR SOFTWARE SPECIALIST, ICTERRA INFORMATION AND COMMUNICATION TECHNOLOGIES,
LOOKS AT APTS AND HOW TO DETECT AND PREVENT THEM
Altug Asik: automation and speed are of
the essence.
The term 'Advanced Persistent Threat'
(APT) was used to describe statesponsored
cyberattacks designed to steal
data and exploit infrastructures. Today, the
term is used to describe the attacks targeted
at organisations for monetary gain or
espionage.
Advanced Persistent Threat is a sophisticated
attack with the following characteristics:
Advanced: The techniques used to conduct
the stealthy attack require advanced skills and
knowledge in order to exploit the
vulnerabilities of victim organisation's systems.
Social engineering techniques are frequently
used to attack and infiltrate the organisation.
Persistent: Duration of the attack is rather
long (up to months), whereas the attack
involves an external command and control
server that monitors and extracts data from
the victim organisation.
Threat: The process is managed by people
rather than automated code. Organised and
well-funded attackers have specific objectives
and motives.
CYBER KILL-CHAIN
The attackers execute the following steps to
carry out their vicious plans:
Reconnaissance: Information is gathered
studying targets through their public
websites, following their employees on social
media and using other OSINT (Open Source
Intelligence) techniques.
Weaponisation: Attackers analyse the
information they have gathered and
determine their attack methods.
Delivery: Delivery is accomplished through
drive-by download from a website, targeted
phishing attack or infection through an
employee-owned device through a secure
VPN.
Exploitation: Once delivered, the malicious
code is triggered to start exploiting
organisation's systems.
Installation: Once a single system is infected,
the malicious activity has the potential to
spread rapidly and hide its existence from
security devices through a variety of methods,
including tampering with security processes.
Command and Control (C&C): To
communicate and pass data back and forth,
attackers set up command and control
channels between infected devices and
themselves.
Exfiltration: Captured information is sent to
attacker's home base for analysis, further
exploitation or fraud.
THE PROBLEM
The attack should be detected and prevented
before spreading over the whole
organisation. Starting with the initial
infection, attackers tend to leave tracks at
every single step, such as malicious
documents and executable files, which can
be found in the filesystem or several other
tracks in memory and registry in case of
fileless malware attacks. Anomalies in
network traffic can be detected while the
attackers are communicating with their C&C
servers as well. Following these tracks during
the attack and employing effective
protection, various attack methods can be
blocked. The key is using fast, machine
learning based security platforms that is
trained with parameters like these trails, as
early as possible in the cyber kill chain.
The problem here is to integrate detection,
prevention and removal phases of the attack.
The detection process can be achieved by
machine learning based platforms. However,
these platforms are not smart enough to
accomplish prevention and full removal of
the damage yet. Experienced human security
professionals are still needed for incident
response and recovery.
Automation and speed are required to cope
up with APT attacks. Therefore, security
systems are required which are not only
capable of detecting attack information in
automated fashion, but also capable of using
this intelligence to generate the right
response to stop malicious actions before
they cause substantial damage. Fully
integrated automation for detection and
handling is essential to enhance defence
against advanced persistent threats.
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2019 computing security
29

industry insights
THREE CYBERSECURITY TIPS FOR MANUFACTURERS
ADRIAN JONES, CEO OF SWIVEL SECURE, OFFERS THREE ESSENTIAL TIPS FOR MANUFACTURERS THAT
WILL HELP TO KEEP THEIR SENSITIVE DATA OUT OF GRASPING HANDS
Adrian Jones, Swivel Secure:
unauthorised access could have
catastrophic consequences.
The last few decades have seen
numerous incidents where access
controls to sensitive data have been
compromised. Stolen consumer data has
been used by hackers for crimes ranging
from credit theft through to fraud and
blackmail and is well reported. However, the
scale and depth of corporate hacking activity
in manufacturing is less documented.
Here are three tips for manufacturers that
could make the difference between
protecting intellectual property and
unwittingly inviting unauthorised access that
could have catastrophic consequences.
1. Use a jump host
Due to the connected nature of
manufacturing supply chains, manufacturers
need to include security points to prevent
hackers gaining access to multiple systems.
For example, PLCs (programmable logic
controllers), which control hardware for
manufacturing, such as pick-and-place
machines and other automated machines in
manufacturing including computer
numerical control (CNC) machines, can easily
be hacked, if they aren't protected on the
network. PLCs need to be protected from
unauthorised access. A Jump Box or Jump
Server can help protect them from external
threats. This uses a computer on an
insulated network, which allows the PLC to
be accessed by authorised personnel. The
PLC and computer are linked externally when
it needs updating, but is protected at all
other times - closing the connection to
attackers.
The insulated network could also be
secured with multifactor authentication
(MFA). In addition, if your PLCs also support
RADIUS protocol, adding 2FA or MFA to the
RADIUS authentication can further protect
all the PLCs from cyberattacks.
2. Apply single sign-on to access your
separate networks
An infrastructure where hardware such as
PLCs sit on insulated networks, and are
separate to any external facing networks,
will help to prevent hackers gaining access
to the whole network.
But manufacturers may regularly need to
access systems seamlessly and without
compromising security. With so many
systems to keep separate, employees may
require separate log-ins for each, meaning
there's a multitude of usernames and
passwords to remember. This can slow
down or complicate working processes.
Although single sign-on (SSO) can provide
greater efficiency, giving employees access to
all platforms and systems (even if they are
on different networks), it's imperative that
risk-based authentication is utilised with SSO
functionality to ensure continued security.
3. Use multi-factor authentication
But it's not just enough to have a password
for SSO. All the applications, systems and
more on your network could also be secured
with multi-factor authentication (MFA). This
asks the user for a few pieces of evidence,
like a password and a numerical code,
before giving them access to the network.
Choose your MFA supplier wisely and be
aware that some two-factor authentication
applications can be prone to credentials
theft - they only update the code every 40
seconds, during which time a hacker can use
the code to access the network.
Dedicated MFA platforms offer more
secure authentication and are updated
frequently to stay one-step ahead of cyber
criminals, such as delivering a new security
string for each access request. Ensuring the
MFA solution integrates with hundreds of
applications will provide the flexibility for the
fluidity required in architecture to evolve and
grow, while staying protected.
Demanding a comprehensive range of
authentication factors will provide maximum
adoption throughout the organisation and is
a realistic request from any established MFA
provider in 2019.
30
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

incident response
THE IMPORTANCE OF EFFECTIVE INCIDENT
RESPONSE PLANNING
BY DAVID GRAY, SENIOR MANAGER INCIDENT RESPONSE PRACTICE LEAD EMEA, NTT SECURITY
David Gray, NTT Security.
Planning for Incident Response…. why
do we use processes and procedures? In
short, so that all our staff know what to
do, and when. Let's begin with an example.
John Volanthen famously and successfully led
the cave rescue of a Thai boys' football team
in July 2018. He recently gave a keynote at
NTT Security's ISW2018 conference in
London. He talked at length about the
importance of having procedures in place to
ensure that all of his team knew what it was
doing and to ensure that safety, which was of
the highest importance here, was achieved.
An example of just how effective prior
planning was in this situation can be seen in
the picture on this page, which shows all
John's personal dive equipment at Heathrow,
waiting to be boarded onto the aircraft. He
and the team received just two hours' notice
before leaving for the airport! Without
planning what would be required (including
equipment and permissions for gas tanks
etc), a two-hour turnaround would have
been impossible. This, albeit in a less dramatic
fashion, directly relates to what incident
response (IR) staff must do on a daily basis.
In information security, an incident response
plan is the high-level schedule that dictates
the actions to be taken, should an
information security incident occur. The NTT
Security 2018 Risk:Value Report highlighted
the lack of preparedness we continue to see
from companies across the board in
developing incident response plans, with less
than half (49%) saying that they had
implemented such a programme. An IR plan
should comprise, at a minimum, the
following:
Workflows - these are typically swim lanes
showing areas of responsibilities and decision
points for escalation, involving external
agencies, declaring breaches, gathering
intelligence and closing down completed
incidents.
Communication - quite simply, who to talk
to when something happens. This can be to
other members of the Security Operations
Centre (SOC) team, but more typically
involves IT operations (server team, gateway
team, architects etc), physical security, human
resources, the media team and, via the SOC
manager, senior management. There is
nothing worse than being in the middle of a
major incident and not knowing who to talk
to!
Sharing - any security team is going to be
constrained by the nature of the information
it is protecting, especially in the new world of
GDPR, so it is important that decisions are
made about what information (if any) the
response team wants to share with peer
groups, national agencies or other
organisations. Defining what information can
be shared and who is authorised to do so
ahead of time removes the risk of leaking
confidential data.
Incident response procedures (IRP) - when a
security incident happens, the response staff
have to know what to do at each point of an
investigation. An appropriate IRP gives the
analyst guidance for what steps they should
be taking to ensure that nothing is missed,
actions are taken rapidly, and all containment
and remediation activities are followed for a
given threat.
In addition, the IR team has to consider
additional components as well - related to
the deployment of equipment, visas, flights,
SLAs, site plans for customer
environment/network and, from a managerial
perspective, ensuring that enough staff are
located in geographical positions to support
ongoing IR activities.
So, stop and look to your processes. Do you
have everything covered? And do you have a
plan in place should an incident happen? If
not - what are you waiting for?
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2019 computing security
31

analyst insights
PRINTER HACKING IN THE AGE OF THE IOT
PRINT AND BE DAMNED? IF THE RIGHT SECURITY MEASURES AREN'T IN PLACE,
THAT COULD WELL BE AN ORGANISATION'S FATE
Louella Fernandes, Quocirca: while
connected printers and MFPs bring
convenience and productivity, they
also bring potential security risks.
Analyst and research firm Quocirca
released findings last year that showed
over 60% of organisations had
experienced at least one data breach, due
to insecure printing practices. Over the past
few years, there have been some widely
publicised network printer hacks, usually
pranks and in themselves not particularly
harmful, but they underline the potential
vulnerability of networked printers in the
age of the IoT.
It comes as no surprise, therefore, that 95%
of businesses surveyed by Quocirca reported
that print security was an important element
of their overall information security strategy
(55% said it was very important, while 40%
rated it fairly important). However, only 25%
reported that they are completely confident
that their print infrastructure is protected
from threats.
"While connected printers and MFPs bring
convenience and productivity, they also
bring potential security risks," says Louella
Fernandes, director, Quocirca. "These devices
capture, process, store and output
information, and run embedded software.
Information is therefore susceptible at a
device, document and network level. As well
as putting confidential or sensitive data at risk
of being accessible by unauthorised users,
network connectivity makes vulnerable print
devices potential entry points to the
corporate network."
Open network ports present a security risk,
enabling the MFP to be hacked remotely via
an internet connection, she adds. "Printers
can therefore be prime targets for DDoS
attacks. Hackers may install malware on
poorly protected printers and use them as
ingress points for broader network access or
recruit them to botnets." Indeed, when asked
what aspects about printers as IoT devices
concerned them most, the businesses
surveyed by Quocirca found that external
hacker threats came out top (52% said a
critical or big concern), followed by DDoS
attacks to print devices (44%). Internal
hacker, firmware updates and third-party
collection of data tied for third place (41%).
LONG LIVE PRINT
Nor is use of printers going away any time
soon," insists Fernandes. "Quocirca's
Print2025 study found that 64% of
32
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

analyst insights
businesses surveyed across France, Germany,
The Netherlands, the US and the UK expect
printing to still be important in 2025. That
number rises to approximately three-quarters
of millennials who expect it to be more
important than it is today (that may say
something about the current resurgence of
printed books over ebooks and reflect how
millennials' attitudes differ from their
predecessors in the workplace).
"While printing volumes will ultimately
decline, there are also some 'sweet spots' in
printer growth, most notably mobile printing.
Over half of the companies surveyed expect
mobile printing to increase by 2025 and over
40% have already implemented mobile
printing to one extent or another."
Clearly, as networked print devices continue
to be central to the way most organisations
operate, they need to have robust security
protection. "While more printer
manufacturers are embedding security in
their new devices, it only takes one rogue,
unsecured device to weaken security," she
points out. "Most businesses using printers
have a mixed fleet of printing devices - old
and new - and from different manufacturers.
This is why businesses need to include
printers within their wider enterprise-wide
security strategies, integrated into an overall
security policies and procedures, using a
proactive and multifaceted approach."
How can you step up your printer security?
Quocirca offers these seven steps:
A unified security policy for all printers -
should a date breach occur, an
organisation needs to be able to
demonstrate that appropriate measures
were taken to protect all networked
devices, so it is important to be able to
monitor, manage and report on the
entire printer fleet, regardless of age,
brand or model
Secure printer-network access - multifunctions,
like any other device connected
to the network, need controls that limit
access, manage the use of network
protocols and ports, plus take steps to
prevent potential viruses and malware
Secure the device itself - to secure data,
whether actively in use, sitting idle or
used by the device in a previous job, use
hard disk encryption as an extra security
layer. When the printer is moved or
reaches end-of-life, data overwrite kits
make sure that all scan, print, copy and
fax data stored on the hard disk drive is
destroyed
Secure who can do what - in common
with many other forms of Infosecurity,
user authentication helps to eliminate
the risk of unclaimed output being left
in trays. 'Pull printing' makes sure that
documents are only released physically at
the printer to the authorised recipient
Secure the document itself - digital rights
management (DRM) discourages
unauthorised copying or transmission
of sensitive or confidential information,
using features such as secure
watermarking, digital signatures and
PDF encryption.
Monitor and manage print security ongoing
- organisations need a centralised
and flexible way to monitor usage across
all print devices, at document and user
level, which can be achieved using either
MFP audit log data or third-party tools.
These provide a full audit trail that logs
the identity of each user, the time of use
and details of the specific functions that
were performed
Seek expert guidance - security
assessment services are something that
managed print service (MSP) providers
offer as part of the customer
relationship. Not all are equal. Obviously,
it makes sense to ensure that the risk
assessor has the credentials and
capabilities to fully evaluate the security
risks across device, data and users.
In addition, the most sophisticated
security assessments not only make
recommendations for device
replacement and optimisation, but also
offer ongoing and proactive monitoring
of devices to identify potential malicious
behaviour.
"The bottom line is that printers are no
longer dumb devices, but sophisticated
ingress and egress points in a connected,
increasingly IoT-centric world," Fernandes
concludes. "Businesses clearly need to
incorporate print into their overall security
strategies, help users to use printers safely
and also to work with their printer service
providers. After all, print will continue to
be part of the workplace for some time to
come and, while just one element of a multifaceted
threat landscape, print is an area of
risk that deserves more focus."
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2019 computing security
33

fingerprint recognition
BIOMETRIC BREAKTHROUGH
BANK OF CYPRUS CUSTOMERS ARE SET TO BE FIRST TO ENJOY BIOMETRIC CONVENIENCE ON
A CONTACTLESS PAYMENT CARD, WHILE PROTECTING USERS’ DATA PRIVACY AT THE SAME TIME
biometrics for contactless payments is a
natural move, as it fits in naturally with the
gesture used to pay. It allows a better user
experience, enabling higher transaction
amounts without entering a PIN, while
benefiting from the convenience of
contactless."
Adds Stelios Trachonitis, card centre
manager from Bank of Cyprus: "In order to
bring seamless authentication to the
banking sector, Gemalto has leveraged its
extensive expertise from secure government
documents and leadership in biometric
applications. Our customers will benefit
from this innovative payment solution with
the peace of mind that their biometric data
never leaves their hands."
Gemalto has been selected by Bank of
Cyprus to supply what is said to be
the world's first EMV biometric dual
interface payment card for both chip and
contactless payments.
Using fingerprint recognition, instead of a
PIN code, to authenticate the cardholder,
the card is said to be compatible with existing
payment terminals that are already installed
in the country. When customers place their
fingerprint on the sensor, a comparison is
performed between the scanned fingerprint
and the reference biometric data securely
stored in the card.
The biometric sensor card is powered by the
payment terminal and does not require an
embedded battery; this means there is no
limit from battery life nor on the number of
transactions.
Gemalto's bionic sensor payment card is
based on the principle that biometric data
should always remain in the hands of end
users. Bank of Cyprus' customers will
complete the swift enrolment process at the
bank's branches, using Gemalto's tablet
designed for the solution. The biometric
personalisation and card activation process
has been designed to avoid transmission
of biometric data over the air to ensure
that users' data privacy is protected. The
fingerprint template captured during the
enrolment process is stored only on the card.
"Bank of Cyprus customers will be first in
the world to enjoy biometric convenience
on a contactless payment card. Gemalto's
biometric sensor payment card is designed to
provide maximum security and data privacy,"
claims Bertrand Knopf, Gemalto's executive
vice president Banking and Payment. "Using
Biometrics, such as fingerprints verification
or facial recognition, are massively used
today by government bodies; for electronic
ID and ePassport border control, for
example. Biometrics sources such as DNA
are also used for criminal investigations,
as they allow accurate identification and
can't be forged. Since 2013, with the
introduction of the first iPhone 5 with
TouchID fingerprint verification, commercial
biometrics entered into a new dimension,
with hundreds of millions of smartphones
equipped with fingerprint sensors.
The very first use case for fingerprint
technology was to unlock the phone. It is
also used to log in onto mobile apps and
perform mobile NFC payment at the store.
"Thanks to biometric CVM, contactless can
cover the full payments amount range and
offer an identical customer experience for
contact, contactless, for all amounts,"
comments Gemalto.
34
computing security Jan/Feb 2019 @CSMagAndAwards www.computingsecurity.co.uk

ster
REGISTER
FREE
ipexpomanchester.com
manchester
3-4 April 2019,
Manchester Central
CO LOCATED AT
DIGITALTRANSFORMATIONE PO
INCORPORATING
CYBER SECURITY
AI-ANALYTICS
ster
manchester 120+
SPEAKERS
CO LOCATED AT
DIGITALTRANSFORMATIONE PO
10
THEATRES
100+
EXHIBITORS
LIVE
DEMOS
The North’s number ONE Enterprise IT event
> Stay up to date with trends & future predictions.
> Explore & experience new & emerging tech.
> Expand your professional network.
> Save time & meet with your existing & new suppliers all in one day.
Register FREE and find out more at ipexpomanchester.com

Lorem ipsum
or contact us
+44 (0)1784 448 444
Euroinfo@neustar.biz