CS1907

Computing
Security
Secure systems, secure data, secure people, secure business
CYBER FACE-OFF
Hidden forces behind the
espionage explosion revealed
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
THE YEAR OF
MAGICAL THINKING
But has the new regulation
actually delivered yet?
DETECTION & RESPONSE:
How knowledge is the real key
BRAIN WAVES
Intelligence-driven
response is a must
after a data breach
Computing Security July/August 2019
GDPR SPECIAL
INSIDE

On-site Media Destruction
Security-savvy businesses don’t think twice about having paper records securely
shredded, but many fail to apply the same philosophy when it comes to hard disk and
media sanitization.
CDL offer a full range of data sanitization services, culminating with our on-site media
destruction vehicle, where clients can witness their data being destroyed on their on
their premises. Our vehicle is equipped to destroy all forms of media to the highest
recognized standards.
For a competitive quote from an award winning business, please contact our sales
team on 01925 730033.
www.computerdisposals.com
T: 01925 730033
CDL House, Davy Road, Runcorn, Cheshire, WA7 1PZ.

comment
NATION IN TRANSFORMATION
Inote that a new report (yes, I know - how many more can there be!) is claiming to serve as
a reality check on digital transformation by outlining where organisations actually are in
the process. It must be said this is a topic that's both timely and 'of the moment', as many
enterprises are either already submerged in digital or building up to embrace it.
"So ubiquitous is digital technology in enterprises, that some commentators think the initial
process of digital transformation is nearing fulfilment," says Nominet, which has published the
report, 'Cyber Security in the Age of Digital Transformation' - https://bit.ly/2O99TO2. However,
the digital transformation of industry and enterprises also brings major challenges with it, one
of the most pressing being security.
States Nominet: "A greater exposure to digital technology means a greater exposure to
system vulnerabilities, as the tools being used by businesses to innovate, like AI and machine
learning, could be vulnerable to attack and are also being used by hackers."
Key findings to emerge from the survey of more than 270 CISOs, CTOs, CIOs - and other
professionals with the responsibility for overseeing the cyber security of their organisation -
include acknowledgement that cyber security is the top 'threat' to digital transformation (53%),
while also confirming that many businesses were leaving it to the pre-implementation stage
(28%), implementation stage (27%) or even post-implementation of the digital transformation
strategy (9%) - suggesting a perception gap of when 'early enough' actually is.
Commenting on the report, Cath Goulding, CISO, Nominet, points out the following: "With
digital transformation, you have to be sure that, when you're bringing in new applications,
security is considered from the outset. More than this, though, in a digital transformation
project the real trick is to manage the security considerations of legacy and new applications
simultaneously."
What's most worrying, however, is this other stat: 85% said their security was highly effective,
despite the fact that 86% had experienced a breach in the past 12 months. How blinkered can
an organisation be to see itself as both breached and safe? I 've never been a great fan of the
much overused cliché, which states: 'It's not a matter of if, but when'. Yet I'm beginning to feel
anyone in so much denial deserves to see that mantra carved on their corporate door.
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
PRODUCTION: Abby Penn
(abby.penn@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
Louise Hollingdale
(louise.hollingdale@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2019 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk July/August 2019 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security July/August 2019
contents
CONTENTS
Computing
Security
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
CYBER FACE-OFF
THE YEAR OF
MAGICAL THINKING
Hidden forces behind the
But has the new regulation
espionage explosion revealed
actually delivered yet?
DETECTION & RESPONSE:
How knowledge is the real key
BRAIN WAVES
Intelligence-driven
response is a must
after a data breach
COMMENT 3
Nation in transformation
GDPR SPECIAL
INSIDE
EDITOR’S FOCUS 6-7
Twenty fast-growth cyber scale-ups have
been accepted onto their first national
cyber security growth programme
ARTICLES
FULLY IN THE FLOW 8
Document Logistix uses DAST to ensure
security of sensitive customer data
GDPR BARES ITS TEETH 10
With the one-year anniversary of GDPR
having come and gone and the first few
hefty fines now imposed on organisations
by the regulators, we look at what it all
means for the future of the industry
WHO CAN YOU REALLY BANK ON? 16
Those who rely on their online bank to
keep their money safe might be alarmed
to hear that last year 54% of these
institutions allowed attackers to steal
THREAT OR TREAT? 22
money. And their customer data may
be equally at risk
How organisations should set about the
management, detection and response to
EDUCATION, EDUCATION,
a data breach is proving to be an on-going
EDUCATION! 19
question. But whatever the approach
Cybersecurity needs to be a priority for
taken, an intelligence-driven strategy is
the education sector, argues Adrian Jones,
CEO of Swivel Secure
an essential part of that process
GDPR: OPPORTUNITY, NOT THREAT 22
GDPR has increased demand for data
protection processes that are flexible,
autonomous and easy to use. Debbie
Garside, Group Chief Innovation Scientist
at Shearwater Group and CEO of Geolang,
THE STATE WE’RE IN 26
explains how the regulation is helping
The energy sector, communications and
industrial organisations are all at risk of
MASTERCLASS 28
attack from nation states and other
The spotlight this issue falls on Paul Harris,
malicious actors. But it goes much deeper
CEO, Pentest Ltd, A Shearwater Group plc
company, who explains the many benefits
than that. The economy itself is vulnerable,
that Open Source Intelligence (OSINT) can
with UK banks right in the firing line
deliver in the on-going battle against
cyber attacks
ENDPOINT DETECTION & RESPONSE 33
Keith Maskell, Titan Data Solutions, takes
a close-up look at what he sees as an
CRITICAL MASS 30
important new concept in distribution -
Critical asset owners increasingly have to
EDR and Packaged SOC Services
protect their ICT infrastructures against
cyber attacks. It's no longer enough for the
supplier of a single machine component or
PRODUCT REVIEWS
subcomponent to claim it is cyber-secure -
Webroot Business Endpoint Protection 15
the entire machine must be so
Safetica Data Loss Prevention 18
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk
4

p ent est
INFORMATION SECURITY ASSURANCE
think outside
the tick box
Information security professionals know that a tick box
approach isn’t going to keep their organisation safe.
The job of protecting an organisation is never done and
it requires long-term strategies, as well as constant
improvement efforts.
At Pentest we think outside the tick box, that’s why our
services are designed to not only uncover your IT security
vulnerabilities, but to support ongoing information security
efforts, to pass on our years of expertise and ultimately
to increase the digital resilience of your organisation.
So, are you looking for more than just a tick in the box
when it comes to your information security?
./penetration_testing
./red_teaming
./security_consultancy
call us today on 0161 233 0100
or email contact@pentest.co.uk
www.pentest.co.uk

editor's focus
LEADING SCALE-UPS BOOST CYBER SECURITY FUTURE
TWENTY FAST-GROWTH CYBER SCALE-UPS HAVE BEEN ACCEPTED ON TO THEIR FIRST
NATIONAL CYBER SECURITY GROWTH PROGRAMME - AND THEY MEAN BUSINESS
Funded by the Department for
Digital, Culture, Media and Sport
(DCMS) and supported by global
cyber security market-leaders Tessian,
Digital Shadows, Darktrace and
CensorNet, the newly launched 'Tech
Nation Cyber' project is aimed at
helping to accelerate the growth of the
UK's most promising cyber security
businesses.
Jeremy Hendy, RepKnight.
Andrew Martin, Dynarisk.
It must be said that the breadth of
innovation and application amongst
the 20-strong cohort is testament to
the UK's cyber security and broader
technology sectors. From machine
learning and blockchain, to biometrics
and cloud solutions, these companies
are utilising advanced technologies to
offer clients what they regard as
important new ways to improve
security, and protect businesses and
individuals online.
The companies will benefit from a
series of workshops held across the UK,
led by industry leaders such as Digital
Shadows co-founder James Chappell,
Darktrace co-founders Emily Orton and
Dave Palmer, and Deep3 co-founder
and CEO Richard Yorke. The six-month
programme will also include meet-ups
and networking support to help the
scale-ups navigate common barriers to
growth, with guidance on everything
from how to recruit the right talent
to meeting goals for international
expansion. It will also provide them
with a powerful network of peers,
investors and potential clients.
Ollie Bone, Tech Nation.
Joe Boyle, Salt DNA co-founder and CEO.
Following the call for applications
earlier this year, the successful cohort
was chosen by a panel of expert judges
06
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

editor's focus
from the public and private sector. The
judges assessed applicants against their
growth record to date, current scaling
plans and expertise, and long-term
business potential (both nationally and
internationally).
Of the 20 businesses joining the
programme, 45% are based outside of
London, with cohort headquarters
located in nine different cities across the
UK. Kicking off at the Farncombe Estate
in the Cotswolds from 2-3 May, the
programme was launched by marketleading
experts within the cyber security
space, with speakers including Dave
Palmer, director of technology at
Darktrace, James Chappell, founder
and chief innovation officer at Digital
Shadows, and James Hadley, CEO of
Immersive Labs.
Margot James, Minister for Digital and
the Creative Industries, points to the
depth of tech talent right across the
country represented by this select group.
"This important scheme will not only
allow promising cyber security start-ups
to access world-class expert advice, but
also help us achieve our aim of making
Britain the safest place in the world to
be online."
Karen Bradley MP, Secretary of State
for Northern Ireland, comments: "I am
delighted that Belfast-based companies
SaltDNA and RepKnight will be joining
the Tech Nation Cyber programme.
Cyber security is one of the fastestgrowing
digital tech sectors in Northern
Ireland and attracts record levels of
global investment. There is tremendous
talent on offer and world-class
universities, which make Northern
Ireland the ideal location for fast-growth
tech companies. I look forward to seeing
SaltDNA and RepKnight go from
strength to strength and help cement
the UK as a world leader in
cybersecurity."
David Mundell, Secretary of State for
Scotland, has this to say: "Scotland's
reputation as an innovator in technology
is world renowned and I'm delighted to
see us leading the way in cyber security.
Finding ways to fight cyber threats
is one of the world's most pressing
problems and Glasgow's tech sector has
the innovation and experience to be on
the front line. The UK Government has
even chosen the city to host its CyberUK
2019 conference. I am pleased to see
this recognised by Tech Nation and
I offer my congratulations to My1Login
on being chosen to join their first
national cyber security growth
programme."
Kevin Foster, UK Government Minister
for Wales, states: "Cyber security
represents an increasingly important
part of our daily lives, and Wales already
plays a leading role in keeping our data
and systems safe while training up
the next generation of experts. This
programme will initially support two
Welsh companies in Caerphilly and
Cardiff in developing their potential
and I look forward to seeing other
companies from across Wales getting
involved in the future."
Ollie Bone, cyber programme lead at
Tech Nation: "In recent years, the success
for a handful of UK Cyber Security
innovators is more than could be
imagined. They have enhanced the
nation's reputation for producing worldclass
technology, while also helping to
pave the way for many more start-ups
hoping to follow suit. Concurrently, the
market for cyber security is continuing to
grow at a rapid pace and this conspires
to make our cohort of scaleups exciting
ones to watch."
Poppy Gustafsson, CEO and cofounder,
Darktrace, states: "Cyber
security is one of the biggest challenges
facing modern society. Cutting-edge
innovations are the only way to protect
our digital infrastructures and safeguard
the services we rely on."
Tim Sadler, CEO, Tessian: "There is a
tremendous amount of cyber talent in
the UK - made clear by the breadth of
innovation represented in this cohort.
The cyber industry is, however, a noisy,
competitive space. To stand out and
succeed, cybersecurity start-ups need
to demonstrate credibility and clearly
communicate the problem their
technology solves."
Alastair Paterson, co-founder and CEO,
Digital Shadows: "Cyber security is
critical to the UK's future success and
prosperity and an area we can excel in
as a country. As such, I'm proud to
be using my experience with Digital
Shadows to help others to scale up
globally."
Douglas Orr, CEO and founder,
Novastone Media, comments: "The
opportunity for Novastone to scale up
and become a future leader in UK Cyber
Security with the support of Tech Nation
is absolutely fantastic. We're looking
forward to building relationships and
learning from other experts that will
no doubt be crucial to our success."
Jonathan Pope, CEO and co-founder,
Corax, states: "As a UK cyber security
start-up seeking to scale, the timing and
intent of the programme is perfect for
Corax and we're looking to benefit from
the advice and reach of Tech Nation and
fellow programme participants."
Peter Szyszko, CEO and founder, White
Bullet Solutions, also chips in: "Following
a strong start-up period, we are ready
to scale, and excited to take advantage
of the vast opportunities that the
programme offers for growth and access
to investment, as well as to learn from
experts and peers."
www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security
07

industry leaders
FULLY IN THE FLOW
DOCUMENT LOGISTIX USES DAST TO ENSURE
SECURITY OF SENSITIVE CUSTOMER DATA
Tim Cowell, Document Logistix:
customers understand we are serious
about protecting their data.
Document Logistix provides awardwinning
workflow software that
manages the lifecycle of
information from capture, through rulesbased
workflow, retention automation
and, finally, destruction.
Historically, software security was not a
topic that was often raised by potential
purchasers. However, today enterprises
and compliance-conscious buyers are
asking for detailed testing information in
their RFTs.
Tim Cowell, Document Logistix CTO, says:
"We invested in dynamic testing to give us
added credibility with customers by raising
the question of security first. It becomes
a non-issue, because they understand
we're serious about our duty to protect
their data."
Document Logistix document
management software powers the
operations of some of the world's most
demanding, high-volume businesses,
including major logistics companies like
DHL, CEVA and Fedex/TNT. Customers
entrust Document Logistix with handling
their sensitive information, so security is
a high priority.
Document Logistix looked for a higher
level of confidence in its application
security testing, and appointed WhiteHat
Security to secure its DevOps environment
and automate its processes. Document
Logistix uses WhiteHat for static
application security testing (SAST) and
dynamic application security testing
(DAST). Cowell explains: "Our application is
basically a portal for sharing documents.
It's not a banking application - we don't
store credit card information - but
document management can be equally, if
not more, vulnerable to people trying to
gain access to things they shouldn't see."
Document Manager is highly
customisable for a large range of business
processes. This could be for something
as simple as proof of delivery or for more
sensitive information, like HR records,
where there is potential for people to see
records they should not be viewing. The
issue has been heightened since the EU's
General Data Protection Regulation (GDPR)
came into effect.
While protecting customers' data has
always been a priority for Document
Logistix, through encryption, permissions
and redaction, it has now implemented
a true solution for testing its application's
security. In the past, some clients
performed their own penetration testing
and submitted any issues to Document
Logistix. The company also did manual
code checks for security vulnerabilities,
which was intensive and costly.
"The biggest problem was the huge
unknown. Our customers are high profile
and high risk. We needed a solution that
gave us a better process," says Cowell.
"With DAST, we have confidence in saying
to our customers: 'This is what was done
to make your information more secure,'
and they know that, every time there's a
new application build, it gets a new test.
We do three to four releases a year and
testing is very expensive, so performing
testing on each release isn't practicable.
This is a cost-effective solution, because
the testing process is ongoing."
ABOUT DOCUMENT LOGISTIX
Document Logistix won the prestigious Document Manager publication's award for the 2018 Product of the Year: Workflow and
BPM. Since 1996, Document Logistix has supplied its uniquely flexible and scalable Document Manager software to diverse SMEs
and blue-chip clients around the globe. The company's UK and EMEA operations are headquartered in Milton Keynes, UK, which
is also the central point of product development, technical support and training. The US branch of the company is headquartered
in Austin, Texas, and has major contracts with the Texas Department of Public Safety, the Virginia State Police, attorneys and
various agencies in other states.
Tel: 01908 366 388 www.document-logistix.com
08
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

True multi-factor authentication
with AuthControl Sentry ®
A choice of ten methods of authenticating
Single sign-on and risk-based authentication
as standard
Scan the QR code
to see how easy it is
to create a custom
MFA chain.
Available for on-premise or cloud environments
Uses patented PINsafe ® technology for unparalleled
security
Deployed in over 52 countries and implemented across enterprises including finance, government, healthcare, education, and
manufacturing, AuthControl Sentry ® provides organisations with true multi-factor authentication, delivering an intelligent
solution to prevent unauthorised access to applications and data. swivelsecure.com

GDPR
GDPR BARES ITS TEETH
WITH THE ONE-YEAR ANNIVERSARY OF GDPR COME AND GONE - AND THE FIRST FEW HEFTY FINES NOW
IMPOSED BY THE REGULATORS - WE LOOK AT WHAT IT ALL MEANS FOR THE FUTURE OF THE INDUSTRY
The General Data Protection Regulation
(GDPR) shook things up in a way that
hadn't been seen in a long time. More
specifically, it signalled the biggest overhaul of
EU data protection law in more than 20 years.
The GDPR replaced what had been the current
EU Data Protection Directive to create a unified
data protection legislation covering all
individuals in the European Union. It affected
any business which had access to, or
processed, the personal data of an EU
resident, regardless of where the business
was located, inside or outside the EU.
It arrived more 'softly, softly' than with a snarl,
perhaps suggesting that its teeth had been
pulled before it was ever liberated from the
cage. Indeed, many thought the GDPR was
more about handbags at dawn, rather than
real action. Administrative fines for companies
may, in the most serious cases, go up to a
maximum of 20 million or 4% of annual
global turnover (whichever is greater), which
may amount to billions of euros for the tech
giants, in addition to other sanctions such as
orders to halt data processing.
"While the fines issued during the GDPR's
first year have been much less than such
maximum amounts - for example, Google was
fined 50 million by the French CNIL, far
below the maximum of approximately 3
billion - data protection authorities, such as
that of Ireland, have warned of fines to come
being "substantial," says TBS Business School
Law Professor Gregory Voss. "That we haven't
seen more large fines to date is due in part
to the GDPR fines only applying to data
protection violations since May 25, 2018,
and the fact that it takes time to conduct
investigations." However, with a couple of big
hitters now in the stocks over breaches of
GDPR, the tide may be turning. First up to be
targeted was British Airways. The ICO's
announcement on 8 July that it plans to fine
the company £183.39m in relation to its
high-profile data breach has sent a very clear
message that the data enforcement landscape
has well and truly changed. The fine relates to
a cyber incident notified to the ICO by British
Airways in September 2018 - and would be by
far and away the largest fine handed out by a
European data protection authority (at least as
I write now! - Ed).
HITTING THE SPOT
"It is interesting to note that British Airways
owner IAG released an announcement to
the market and the ICO has issued its press
release, despite the fact the ICO's intention to
10
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

GDPR
fine is preliminary," states Ashley Hurst, partner
and head of tech, media and comms at
international legal practice Osborne Clarke.
"Historically, fines were announced once the
final decision regarding the amount of that
fine was reached. It may be that the size of
the proposed fine and the listed status of
British Airways was such that there was no
choice but for IAG to publicly announce the
size of the intended fine."
The proposed fine will also provide
encouragement for a rapidly growing group
of claimant personal injury lawyers looking
to bring post-data breach claims for
compensation, he adds. "It is often difficult to
attribute a data breach to a breach of the
GDPR and even more difficult to prove that
such a breach has led to damage and distress,
so it will be interesting to see whether the ICO
will make any comment about this."
Over the last year, speculation has been rife
regarding the approach that the ICO will take
to fines. "It is now clear that the ICO will not
be gradually scaling up from its previous
£500,000 maximum: the proposed
£183.39m penalty is equal to 1.5% of British
Airways' worldwide turnover of £12,226m in
2017," adds Hurst. "This is substantially less
than the possible maximum GDPR fine of 4%
of worldwide annual turnover, but still
startling and demonstrates more than ever
that cybersecurity needs to stay on the board
agenda." Prior to this announcement, the total
value of all fines issued under the GDPR across
all EU member states had amounted to 56
million euros. This includes a 50 million euro
fine by the French DPA (CNIL) against Google
for what the CNIL considered to be a lack of
transparency, inadequate information and
lack of valid consent, in relation to Google's
use of personal data for the purposes of
personalising advertisements.
And Osborne Clarke’s Hurst adds: "When the
decision is finally published, this case should
provide some long-awaited clarity regarding
the ICO's exercise of its enforcement powers
and, in particular, what it considers to be
'appropriate technical and organisational
measures' to protect personal data, which is
the key technical standard littered throughout
the GDPR."
ANOTHER BIG TARGET
Following on from the BA debacle, Marriott is
next up, as it also faces a huge data fine: £99
million for allegedly failing to protect customer
data. The hotel chain acknowledged in a
regulatory filing in July this year that Britain's
Information Commissioner's Office intends to
impose the fine under the GDPR.
Jake Moore, Cybersecurity Specialist at ESET,
had this to say in the wake of the news
breaking: "Well, the snowball has surely
started to gain momentum now and this just
highlights that it's not just UK companies at
risk of eye-watering fines either. Other firms
who suffered from large breaches post-May
25, 2018, better start saving, because the ICO
Gregory Voss, TBS Business School: the
relatively low levels of GDPR fines is a
reflection of the time it takes to conduct
investigations.
Jake Moore, ESET: other firms who suffered
from large breaches post-May 25, 2018,
better start saving, because the ICO clearly
means business.
FALLING SHORT
For Jason Hart, cybersecurity evangelist, Thales, GDPR hasn't improved data
protection to the extent many in the industry had hoped. "With the number of
breaches being reported dramatically increasing, it's clear the threat of fines and
a potential hit to their reputation is only having a small impact on how seriously
businesses take their cybersecurity. Worse, just a tiny percentage of the attacks can
be considered 'secure breaches', where the stolen data is encrypted, rendering
it useless to cybercriminals. Unless businesses are made to adhere to GDPR
recommendations such as encrypting data directly it will continue to have minimal
impact in the UK."
www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security
11

GDPR
clearly means business." Interestingly, these
firms' attacks were by no means the largest, in
terms of numbers for 2018. "This could, in
fact, be the tip of the iceberg of what is to
come," he warns, "but let's hope others are
taking copious amounts of notes as to how to
handle a breach or, better still, evade the
attacks as best they can in the first place."
ENSURING CONSENT
As Rob Allen, director marketing & technical
services at Kingston Technology Europe, rightly
points out, the only noticeable effect of the
EU's General Data Protection Regulation
(GDPR) legislation for most people has been
having to click through tedious popups about
data sharing and cookies on just about every
website. "There's a good reason why they're
appearing," he says.
"One aspect of GDPR is that it compels
organisations to notify users about how their
personal data is handled, which very much
includes all the information that modern web
browsers hoover up. Consent is required for
that data to be shared externally, and all
possible technical measures must be otherwise
taken to safeguard personal information
stored on the organisation's network - or
there's the potential for extremely strong
financial penalties."
So, the news that British Airways was hit by
a potential £183 million fine by the ICO
comes as a sharp reminder that GDPR will be
enforced and failure to comply does have
consequences. "So far, this is the largest GDPR
fine that a UK company has faced. But
although the fine is bad news for BA,
the managers and bosses of other UK
organisations that have been scrambling to
meet the requirements of the legislation may
breathe a little easier, knowing that the time,
effort and cost they have invested into data
security has been done for a good reason," he
states. "And, let's face it, before the changes to
GDPR, many of us had acquired some dreadful
habits when it came to handling data, and
tightening things up wasn't exactly a priority
for many firms."
If you're not paying attention, it's all too easy
for data to end up in the wrong hands,
perhaps because a device is lost or a third
party gets unrestricted access to it, Allen
adds. "Any improvement requires both
organisational and technical changes to keep
data secure. Improving company mindset by
educating a workforce, better information
management and risk management play as
much of a part in secure handling of data as
technological solutions. Ultimately, though,
the use of strong encryption is the foundation
that ensures data is always protected, whether
it's stored on the firm's own devices or
otherwise. That applies to business networks,
company servers, removable devices, and all
internal storage on company laptops."
For an IT manager to sleep well at night,
suggests Allen, they need to be certain that
the next time a company laptop is inevitably
left in a hotel, or a USB stick is misplaced,
it's near impossible that mission-critical
information can be prised from it. "They need
to know that no passwords are stored
anywhere in plain text. They need to know
that employees understand not to email
company documents back home using
personal email accounts, store them on an
unencrypted laptop or rely on unsanctioned
third-party cloud services.
"These examples of changes to business
behaviour aren't necessarily complicated, so
complying with GDPR doesn't have to require
moving heaven and earth. Arguably, the
examples we've suggested are merely good
practice anyway and GDPR is rewarding
organisations that already had solid data
management measures in place, before it
became law to do so," he concludes.
BREACHES RACKING UP
"Hefty fines and reputational damage haunted
businesses in the build-up to the passing of
the General Data Protection Regulation,"
recalls Martin Warren, cloud solutions
manager, EMEA at NetApp. "We all know by
now that data security and privacy are, in fact,
two different, complementary issues and, with
the number of data breaches racking up this
year, we are facing the evolving reality of data
security in a world where we essentially live
digital-first lives.
"In a world in which our data and its privacy
are paramount, data security ensures the front
door is bolted shut; data privacy, meanwhile,
requires data management processes with
privacy-by-design at its core." While data
security is certainly important for businesses,
encryption and data masking will not help a
business become GDPR compliant, he adds.
CULTURE CHANGE
"GDPR has succeeded in increasing the profile of data protection within most organisations," says Robert O'Brien,
CEO MetaCompliance. "Changing the culture of privacy by design and privacy by default will take organisations
a significant time to deploy. There is still a long way to go for most companies.
"It's still early to comment on the impact of GDPR in delivering enforcement. There has not yet been the flurry of
financial sanctions that many people feared. The ability of the regulator to stop an organisation processing data might
become a more powerful and effective tool than fines in the future." However, he does see GDPR as the gold standard
for privacy worldwide. "This can be seen in the construction of the Brazilian and the Californian privacy directives."
12
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

case study
"Equally, it does not help companies if they
secure data they are not legally allowed to
have. Therefore, GDPR is not just an IT issue.
The compliance process needs to be led from
the C-suite down, as a legal and business
concern before a technology one - we might
have hoped that this massive shift in mindset
would be more evident almost a year on."
Large-scale data breaches from trusted
companies are now perceived with more
clarity by consumers, who are awake and
more aware of their data rights, suggests
Warren. "This only makes the reputational risks
of non-compliance more significant."
WIDER IMPACT
What is happening with GDPR and its
growing influence though punitive action in
Europe is one thing - but how has it impacted
other national data protection regulations?
"GDPR has emerged as the new standard for
data privacy and has directly influenced similar
regulations in other parts of the world, such as
LGPD in Brazil and CCPA in the State of
California," says Jonathan Deveaux, comforte
AG. "In addition, the European Commission
has reached an agreement of reciprocal
adequacy with Japan, meaning that data
subjects in the EU enjoy the same protections
in Japan and vice versa.
"Most recently, Thailand passed their own
Personal Data Protection Act, which will go
into effect in May 2020. "As this global trend
continues, more and more organisations will
be looking into cross-regulatory compliance
strategies, in order to synergise their
investments into complying with overlapping
data privacy laws around the globe."
RULES OF THE GAME
It's a theme that Wim Nauwelaerts, privacy
and cybersecurity partner at Sidley Austin,
expands on. "Under the GDPR, EU data
protection law applies when personal data
is processed in the context of the (business)
activities of a controller's or processor's
establishment in the European Union (EU).
This rule applies, regardless of whether or not
the data processing takes place in the EU. For
example, a pharmaceutical company with
headquarters in France sponsors a clinical trial
in Bangladesh and receives (coded) study data
from the Bangladeshi site. Although the data
processing takes place in Bangladesh, it is
carried out in the context of the activities of
the sponsor/controller established in France.
Therefore, the provisions of the GDPR apply
to such processing."
Even if a company is not established in the
EU, the GDPR can still apply, if the company
(a) 'targets' individuals in the EU by offering
them products or services; or (b) 'monitors'
their behaviour, in as much as that behaviour
takes place in the EU.
TARGETING AND MONITORING
"Since the GDPR came into effect last year,
there has been confusion around the
targeting and monitoring criteria, and how to
apply them in practice. For companies that
have no physical presence in the EU, but are
receiving personal data relating to individuals
in the EU, it is not always clear whether their
data processing activities fall within the ambit
of the GDPR," Nauwelaerts states.
"On November 23, 2018, the European Data
Protection Board (EDPB) published draft
guidelines, with a view towards addressing
the lack of clarity around the territorial scope
of the GDPR (Guidelines). The guidelines
explain, for instance, that a key element for
the application of the targeting criterion is
whether the conduct of the controller or
processor demonstrates its intention to offer
goods or services to an individual located in
the EU. In other words, the targeting criterion
can only apply, if controllers/processors outside
of the EU have manifested their intention to
establish (commercial) relations with
individuals - mostly consumers - in the EU."
Regarding the monitoring criterion, the
guidelines consider that a broad range of
monitoring activities through various types of
Jonathan Deveaux, comforte AG: GDPR
has emerged as the new standard for data
privacy and has directly influenced similar
regulations in other parts of the world
Martin Warren, NetApp: data security
ensures the front door is bolted shut.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security
13

GDPR
Rob Allen, Kingston Technology Europe:
GDPR is rewarding organisations that
already had solid data management
measures in place.
Wim Nauwelaerts, Sidley Austin: even if
a company is not established in the EU,
the GDPR can still apply.
networks and technologies could bring data
processing under the scope of the GDPR, as
long as the monitored behaviour takes place
within EU territory. "The guidelines provide the
example of an Indian pharmaceutical
company without a business presence or
establishment in the EU, which sponsors
clinical trials carried out by sites in Belgium,
Luxembourg, and the Netherlands. Since trial
participants in these EU countries are being
'monitored', the sponsor in India is arguably
subject to the GDPR."
It's a highly complex issue, no better
demonstrated than by the fact that the
guidelines were open for public consultation
until January 18, 2019 and expected to be
finalised shortly afterwards. "However, during
the public consultation, many stakeholders
raised questions about the interaction
between the provisions in the GDPR around
territorial scope and Chapter V of the GDPR,
which deals with data transfers outside of the
EU," explains Nauwelaerts.
"For instance, whether data transfer
safeguards, such as model contracts that have
been pre-approved by the European
Commission, should be put in place vis-à-vis
controllers/processors outside the EU that are
subject to the GDPR, because the targeting or
monitoring criterion is met. The guidelines
currently fail to address these questions. At
this point, it is still unclear when the EDPB will
publish its finalised guidelines and to what
extent they will include guidance on the
GDPR's data transfer restrictions."
ABOVE AND BEYOND
GDPR alone will not keep personal data
secure, of course, as Richard Blanford, chief
executive, Fordway, emphasises. "GDPR
may be part of every organisation's business
practices, but has it really made personal data
more secure? In my view, the answer is no.
I believe GDPR is a business issue. It has
ensured organisations know where they hold
Personally Identifiable Information (PII), and
have controls in place for how they store, use
and delete that data through what should be
a clearly defined and well-understood policy,
with appropriate business processes to ensure
compliance.
"However, GDPR does not address the actual
security of an organisation's networks and the
devices on which they store and access PII. So,
if their perimeter is breached, GDPR is
meaningless. And with data increasingly going
outside an organisation as employees and
partners tunnel through or bypass network
perimeters, good cyber security discipline is
more vital than ever."
KEY DISCIPLINES
According to Blanford, data security really
requires four key disciplines: identity and
authentication management; information
lifecycle management; network security; and
business continuity planning. "To develop an
effective data security policy, organisations
need to take a holistic look at their entire
infrastructure, from how data is created or
acquired to how it is valued, stored, accessed
and disposed of," he advises.
"This includes data that comes in from
customers, partners and suppliers as well as
data created internally. They also need to
consider their users. No technology or
regulation will be effective, unless all
employees adhere to security procedures.
"This means educating users on why security
matters, the consequences of getting it wrong
and what to do, if the worst happens. They
are much more likely to comply, if they
understand the risks, rather than simply seeing
security as a set of annoying rules which
prevent them working as they wish. Achieving
recognised security standards such as Cyber
Essentials, ISO27001 and ISO20000, will help
an organisation improve its security and,
importantly, reassure its customers that it has
done so."
See page 20 for another expert take on GDPR
and its impact.
14
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

product review
WEBROOT BUSINESS ENDPOINT PROTECTION
Webroot takes data security to
the next level, as its Business
Endpoint Protection teams up
multi-vector protection with cloud-based
machine learning. It delivers real-time
threat detection and prevention for
physical and virtual endpoints, while its
SaaS (software as a service) model allows
multiple sites to be cloud managed from
a single pane of glass.
Deployed as a small-footprint agent, it
uses embedded deep learning intelligence
to analyse end user activity to detect
threats and block them. The agent
functions as a sensor and sends back all
information to the cloud service as data
points, allowing it to adapt instantly to
zero-day threats.
It's very easy to install and we had
no problem deploying it in the lab on
our physical and virtual Windows
workstations and Windows Server
systems. The agent is preconfigured for
your account and we found it could be
installed and providing full protection
in minutes.
The agent runs an initial endpoint scan,
links up with your cloud account and
takes its settings from the default policy,
so there's nothing more to do on each
one. Other features we like are that the
agent can be run transparently and it
won't conflict with other endpoint security
solutions - many competing products
insist on uninstalling them before their
agent can run.
The cloud console is well designed and
MSPs will approve of its site view, as they
can manage all their customers from one
console. It provides a complete overview
of all detected threats, along with direct
access to Webroot's optional DNS
protection and security awareness training
services.
The endpoint protection console is
equally informative and presents a status
overview, clearly showing detected threats
and the affected endpoints where you can
drill down deeper for more information.
The left pane provides a quick link to all
current threats where we could view
associated endpoints and run quick
one-click clean up jobs.
If the agent detects a new executable,
it'll class it as unknown, track all the
changes it makes and send back data
points to the cloud where the results are
analysed in real-time. A valuable feature is
Webroot's journaling as, if it determines
the threat is real, it'll roll back all changes
made on the endpoints automatically.
Custom polices can be easily created
and even a quick glance at their features
shows where Webroot's strengths are, as
they offer remarkable levels of protection.
Along with setting agent behaviour and
self-protection, these provide access to
scan schedules, automatic remediation,
threat analysis heuristics, real-time,
behaviour and core system shields, and
much more.
The web shield protects against
malicious and phishing web sites, while
the identity shield offers features such as
denial of malicious tracking cookies,
DNS verification to prevent man-in-the
middle attacks and even screen capture
prevention. We created custom policies
for our Windows workstations and an
agent is also available for Mac systems,
which uses the same policies, so there's
no need to create separate ones. Groups
allowed us to organise our various
endpoints for easier management, and
policies can be assigned to groups or
individual endpoints on-demand.
Threat detection alerts are assigned
to email distribution lists, which can
also be used to send out regular threat
summaries.
Webroot provides a good range of
reporting tools and MSPs will love its
web-based API, as they can
extract endpoint protection information
and use it in other third-party remote
management tools.
Webroot's Business Endpoint Protection
gets our vote of confidence, as it is easy
to deploy and delivers the toughest
of security measures. Its slick cloud
management console is perfect for
MSPs and SMEs alike, while its flexible
per-device monthly and yearly
subscriptions offer unbeatable value.
Product: Business Endpoint Protection
Supplier: Webroot
Website: webroot.com/ComputingSecurity
Tel: +44 (0)800 804 7016
www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security
15

financial focus
WHO CAN YOU REALLY BANK ON?
THOSE WHO RELY ON THEIR ONLINE BANK TO KEEP THEIR MONEY SAFE MIGHT BE ALARMED
TO HEAR THAT LAST YEAR 54% OF THESE INSTITUTIONS ALLOWED ATTACKERS TO STEAL MONEY.
AND THEIR CUSTOMER DATA MAY BE EQUALLY AT RISK
In its recent report, 'Vulnerabilities in
online banking applications', Positive
Technologies experts assessed the
security levels of online banks in 2018
and found that 54% allowed attackers
to steal money. Equally concerning is
that all online banks carry the risk of
unauthorised access to personal data
and other sensitive information,
according to the findings.
The analysis shows that most online
banks are worryingly exposed. "A security
assessment of online banks revealed
that every reviewed system contained
vulnerabilities that could have major
consequences if exploited. For instance,
fraudulent transactions and theft of
funds were possible in 54 per cent of
applications," says the company.
Threat of unauthorised access to client
information and company sensitive
information, such as account statements
or the payment orders of other users,
was present in every studied online
bank, and, in some cases, vulnerabilities
allowed hackers to attack the bank's
corporate network.
According to Positive Technologies'
experts, the average cost of the data of
16
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

financial focus
an online banking user on the darkweb
is $22. Additionally, analysis showed that
77% of online banks had security flaws
in their two-factor authentication
mechanisms.
Positive Technologies' cybersecurity
resilience lead Leigh-Anne Galloway
comments that some online banks do
not use one-time passwords for critical
operations (such as authentication) or
allow old passwords, which are more
likely to be compromised. Experts believe
this is because banks want to strike the
right balance between security and
comfort of use.
"Foregoing security measures in favour
of customer convenience increases the
risk of fraud," she states. "If there's no
need to confirm a transaction with a
one-time password, the attacker no
longer requires access to the victim's
smartphone, and an old password
increases the chances of it being brute
forced. With no limit applied to it,
a one-time password of four symbols
can be cracked within two minutes."
READY-MADE PROVES UNREADY
As well as issues of authentication,
comparative analysis showed that readymade
solutions developed by vendors
had three times fewer vulnerabilities
than those developed in-house. The
number of vulnerabilities in the test
and production systems, on the other
hand, is equal.
Statistics suggest that, in 2018, both
types of systems in most cases contained
at least one critical vulnerability. Experts
think that, after developers have tested
a security system once, they tend to
postpone further analysis once changes
hve been made to the code, causing
vulnerabilities to 'accumulate'. This
means that, before long, the number of
flaws is the same as that found during
initial testing.
The main positive trend to emerge
regarding the security of online financial
applications in 2018 was the reduction
of high-risk vulnerabilities in the total
number of all flaws identified. According
to Positive Technologies' specialists, "the
percentage of critical vulnerabilities
dropped by more than half, compared
to the previous year - from 32% in 2017
to 15% in 2018". However, the overall
security level of online banks remains low
- and that has to change fast.
Solutions have a platform
At the leading international trade fair for
IT security, experts will answer all questions on
artificial intelligence and IT security.
Get your free ticket for it-sa 2019!
it-sa.de/it-security4U
Nuremberg, Germany 8 -10 October 2019

product review
SAFETICA DATA LOSS PREVENTION
Data leak prevention (DLP) is now
an essential security measure for
businesses, but a major concern
for many is the lengthy deployment
processes for some products. Safetica's
DLP solution avoids these problems, as
it's designed to be easily installed and
fully operational in as little as one day.
Safetica generates detailed security
audit reports, revealing potentially
unwanted or unsafe activities, who is
accessing sensitive data and what they
are doing with it. You can see how and
where files are being transferred, the
most active apps and users, potentially
risky apps, IT resource usage and an
analysis of web activity, all accompanied
by security advisories.
It uses a client-server architecture
where the backend management
services can be installed on a Windows
Server host in less than an hour. These
services are resource light, so Safetica
doesn't require a dedicated host system
and, once up and running, you can go
straight to endpoint agent service and
client deployment.
Active Directory (AD) structures are
imported into Safetica and Group Policy
can be used to push the agent service to
endpoints, after which they'll appear in
the main console, ready to receive the
client software. Once loaded, the clients
passively monitor endpoints and send
back information about user activity to
the Safetica server.
The amount of detail is remarkable, as
the Safetica Auditor can show storage
and removable device usage, active
applications and their traffic, web site
accesses, along with data usage and
visit durations, plus all printing jobs.
Trends show areas such as web
browsing and social network habits,
while advanced monitoring reveals all
email and file activity.
Two consoles are provided where the
WebSafetica browser version displays
daily overviews of activity and provides
basic admin access. The desktop console
facilitates access to advanced settings,
the Auditor, DLP policy creation and the
Supervisor access controls.
The Supervisor module manages user
activity and allows you to decide
precisely what they can and can't do.
Policies control areas such as removable
device access permissions or web
content filtering where you can choose
from a range of URL categories, block
or allow them and add multiple rules
for more granular browsing controls.
Data access is controlled by the DLP
module where you create policies
to protect sensitive data against
unauthorised access and ensure users
with access granted don't abuse their
privileges. Along with context-based
rules, the module offers content rules,
which are easy to use as they identify
sensitive data using algorithms,
dictionaries, keywords and regular
expressions.
Content rules dynamically detect
specific information inside files, emails,
attachments, within apps such as IM
and more. These are applied in data DLP
policies, but you can also use others to
define applications and communication
channels, such as email.
Zones group resources together, which
can be external devices, storage areas,
emails, network paths or a list of IP
addresses, and are referenced by a
policy as a single entity, so you can
easily define trusted and untrusted
zones. Disk Guard controls read and
write access to local, network, plus
cloud storage, and Safetica has
management of Windows BitLocker
for encrypting USB flash drives.
Templates streamline DLP policy
creation, so it's possible to create one
and deploy it in as few as three clicks.
Controls are highly granular, as you
can even stop users taking screenshots
of an application, if the view contains
confidential information or using
keyboard cut and paste commands.
Safetica shows that implementing and
enforcing DLP doesn't need to be timeconsuming
or complex. It can show you
everything you need to know about your
data security posture in a few hours and
easily achieve regulatory compliance.
Product: Data Loss Prevention
Supplier: Safetica Technologies
Web site: www.safetica.com
Tel: +44 (0)203 846 8416
Sales: safetica@datasolutions.co.uk
18
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

inside track
EDUCATION, EDUCATION, EDUCATION!
CYBERSECURITY NEEDS TO BE A PRIORITY FOR THE EDUCATION SECTOR,
ARGUES ADRIAN JONES, CEO OF SWIVEL SECURE
Adrian Jones, CEO of Swivel Secure.
Education institutions need to make
cybersecurity a priority. Despite the
sector facing major challenges,
such as a lack of staffing, funding and
resources, cyberattacks are no less
frequent or less severe in education. In
fact, they seem to be gaining ground in
prevalence year-on-year, as instances of
breaches in schools and higher education
are widely reported.
THE CHALLENGES EDUCATION IS
FACING
The JISC report also investigates the
challenges facing IT professionals when it
comes to protecting education networks.
When asked to rate how well their
institution is protected on a scale from 1
(not at all) to 10 (very well), further
education scored lower overall than
higher education. The mean score for
further education institutions was 5.9,
while higher education scored 7.1.
The rationale behind lower scores
included:
A lack of resources and budget -
potentially pointing to the lack of
finances to invest in cybersecurity, be
it software or staff
Cultural issues - a 'Bring Your Own
Device' culture is common in
educational institutions and can
present difficulties in securing the
wider network, particularly with IT
staff already facing stretched resources
An absence of policy - setting out
policies for using the network and
making sure they're adhered to can be
difficult in large institutions with a
dynamic user population.
Despite these challenges, the education
sector is still expected to secure their
networks against unauthorised access and
cyber threats, especially when the
repercussions can be as severe as the
examples discussed earlier.
But there are some critical steps every
institution should undertake to lay the
foundations for a secure IT network.
TOP TIPS FOR SECURING YOUR
EDUCATION IT NETWORK
With the challenges of poor funding and
a lack of resources, the Education sector
should focus their efforts on minimising
the risk of a cyberattack, rather than a
reactive attitude after one has happened.
Training: providing basic training for all
users of your network is one way to
mitigate the effects of a lack of funding
and resource. This can be something as
simple as sharing a handbook with staff
and students, including information about
what to look out for and tips for
practising good cybersecurity hygiene.
Giving people the necessary information
to protect the network at all access points
could reduce the number of incidents
caused by human error.
Authentication: another cost-effective
way to protect the safety of your
institution and its students is to
implement a user-friendly multi-factor
authentication (MFA) tool. Including that
extra security step for users who are
logging onto the network will help
prevent unauthorised access. An easy-touse
platform should be high on your list
of things to look for in an MFA provider.
If users can use a platform self-sufficiently,
there's less likely to be a need for
administrative support, so education
facilities can save on overheads, without
compromising network security.
These are just some of the cost-effective
ways to protect your school, university or
college from any form of unauthorised
access. With the increasing frequency and
potential severity cyberattacks pose to the
education sector, it's crucial that IT
professionals can work to find a solution
to challenges like a lack of funding.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security
19

data-centric economy
GDPR - OPPORTUNITY, NOT THREAT
GDPR HAS INCREASED DEMAND FOR DATA PROTECTION PROCESSES THAT ARE FLEXIBLE,
AUTONOMOUS AND EASY TO USE. DEBBIE GARSIDE, GROUP CHIEF INNOVATION SCIENTIST
AT SHEARWATER GROUP AND CEO OF GEOLANG, EXPLAINS
Debbie Garside, Group Chief Innovation
Scientist at Shearwater Group and CEO
of Geolang.
Since GDPR came into force,
businesses handling personal
data have turned their attention
to processes that protect sensitive
information by design and by default.
This was a key innovation in the
legislation and has extended data
protection from a technical issue to
a matter of process and psychology
at all levels of the business; including
every employee by default.
In a data-centric economy, identifying
and categorising different types of data
is an enormous task. The Information
Commissioner's Office (ICO) expects
enterprises to know where sensitive data
is located and to take steps to prevent
its theft, loss or unauthorised access;
yet, over a year on, and still many
organisations are failing to implement
even the simplest 'technologies' to assist
with the task.
Reportedly, 96 per cent of data
breaches are accidental; however,
breach-reporting deadlines and
potential fines apply, regardless. With
the reported £183 million penalty
indication for the BA data breach from
the ICO this week, these penalties are
no longer a figment of what might be,
but indicate, rather, what will be, if
organisations do not take care of
their data - board-level culpability will
undoubtedly ensue. This will serve
as the much-needed catalyst to fully
support those CISOs, CTOs and CIOs
who are still having difficulty persuading
boards of the risk not just to their data,
but to the business as a whole.
As a data discovery and data protection
company, GeoLang has seen increased
demand for our systems, because we find
and categorise data both autonomously
and in real time, with the flexibility to
apply different policies to different data.
This prevents - for example - the emailing
of a client contact list to the wrong
recipient or alerts if any proprietary
information is copied to a USB drive. In
addition, flexibility and ease to search for
personally identifiable information (PII)
across the enterprise is key to servicing
Subject Access Requests (SARs) and we are
seeing a plethora of requests for GeoLang
technologies to assist in such cases.
Each client has a different set of
requirements, with many different
operating systems and repositories making
up the average enterprise. A flexible, agile
approach is a necessity and we work hand
in hand with clients in the development
and deployment of our solutions; there
is no 'one size fits all' or a 'silver bullet'
solution, and our personalised service
is proving to be both an asset to our
customers and to us, as it supports our
product development lifecycle.
One of the fears in the lead-up to GDPR
was that the regulations would decrease
productivity, tying up businesses with
extra administrative work. The reality
is somewhat different. Increased
opportunities for innovations around
technologies that protect sensitive
data and clients' rights are offset by
organisational and digital resilience that
future-proofs the enterprise, leading to
increased competitiveness and growth.
20
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

Webroot empowers businesses with predictive technology, and simplifies IT
admin life with single-pane-of-glass management. Our integrated next-gen
cybersecurity solutions cover endpoints, networks, and end user education
to help businesses and MSPs close security gaps, so they can focus on what
they do best: growing profitably.
We can easily manage 5000+ endpoints with
Webroot. The low footprint and cloud-based
management make this our security platform
of choice.
Sam Reed, CTO, Air IT - UK
Visit webroot.com/ComputingSecurity to try next-gen
Webroot ® Business Endpoint Protection free for 30 days.

threat intelligence
THREAT OR TREAT
HOW ORGANISATIONS SHOULD BEST MANAGE,
DETECT AND RESPOND TO A DATA BREACH IS AN
ON-GOING QUESTION. BUT AN INTELLIGENCE-DRIVEN
STRATEGY IS AN ESSENTIAL PART OF THAT
Security vendors should be applauded in
many ways for their ability to take
technology and security best practice
that has been around for a long time, give
it a fancy new name, and sell it as the new
magic bullet, says David Peters, CTO,
ANSecurity.
"Cyber Threat Intelligence is one such
instance that, although it offers some
benefits, is not a new concept and can be
accomplished in more than one fashion.
Even the most basic security controls, such as
desktop anti-virus, use threat intelligence in
the form of signature updates, URL blacklists
are the same, even the regular advisories to
patch applications and operating systems are
effectively threat intelligence messages."
Many of the new breed of cyber threat
intelligence (CTI) offerings are rather
expensive, he adds, but there are alternatives
that are effectively free. "For example,
AlienVault open threat exchange, when
coupled with Palo Alto's Minemeld, can
create a potent threat intelligence platform
that can take both open source alerts and
paid-for services to be fed into an effective
system. This combination can feed dynamic
firewall rules that can block known IP
addresses which are host threat actors.
Building your own is feasible for most IT
professionals and does not need a deep
infosec background."
FIRING ON ALL CYLINDERS
Where some of the CTI systems can shine is
in the more specialist areas, such as Critical
National Infrastructure, very large enterprises
and organisations that use SCADA. "However,
this is a realm where CTI should be used
alongside a dedicated SoC and analyst as an
aid, rather than a replacement for skilled
infosec professionals, Peters advises.
"Even in this space, there are national
resources, such as GCHQ, which do sterling
work in providing threat intelligence that
both these more critical groups and other
enterprises would be wise to regularly
consult."
ATTACK TOOLS AT LARGE
"With the increased availability of highquality,
open-source attack tools, cyber
aggressors can constantly evolve and utilise
automated attack tools, points out Chris
Doman, security researcher at AT&T Alien
Labs. "For an organisation trying to defend
itself from a barrage of these assaults, it can
all become too much to handle, especially
when you consider that security teams are
already understaffed and overstretched.
So, what can security professionals and
organisations alike do to defend against
these attacks?
First, Doman advises, start by fighting
fire with fire. "If cybercriminals are using
automation to their advantage, then so
should organisations. Some tasks remain the
preserve of humans - but there are still many
simple time-consuming tasks that can be
automated. This can alleviate the strain for
security personnel who can fixate their time
on more concerning matters." Secondly, share
threat intelligence. "The last few years, we
22
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

threat intelligence
have seen an improvement in governments,
vendors and companies being more open to
sharing threat information. By sharing
intelligence, we are seeing faster detection
and better prevention of known threats.
In addition, for those without the in-house
expertise, seek a dedicated team or a SOC
to continuously monitor the organisation's
environment. This will give the business
insight into what is happening across the
entire network. The threat intelligence
developed with each investigation will assist
the security team in making the correct
decisions when it comes to preventing future
attacks."
By building a united front and utilising near
real-time threat data, he says, "businesses
can strengthen their own defences, while
also helping others to make life more difficult
for hackers, which is what sharing threat
intelligence is all about".
INTELLIGENCE-DRIVEN ACTIONS
Cyber security has certainly become a high
priority for senior management, according to
78% of businesses that responded to the UK
government's 'Cyber Security Breaches Survey
2019'. While it is encouraging that this figure
has risen year on year, generating awareness
of cyber security is only one part of the issue.
"The next step for organisations to take is not
only understanding, but intelligently acting
on the risks presented," argues Andy Pearch,
head of IA Services at CORVID. "Despite the
heightened awareness, many organisations
are still focusing on mitigating assumed risks,
rather than real risks, without a robust
security strategy in place."
The 2019 breaches survey revealed that, in
the last 12 months alone, almost one third
of UK businesses identified cyber security
breaches or attacks. "What's more, the
research also showed that just under half
of these companies identified at least one
breach or attack per month," says Pearch.
"While these figures should be enough to
make a business refocus its strategic security
thinking, it is the use of the word 'identified'
that is significant: many more attacks could
have occurred, but not yet been discovered."
Indeed, global figures reveal that the
median dwell time - the time a criminal can
be on a company's network undetected - is
more than 100 days. "And, in many cases,
the breach is not revealed by the security
team itself; it is a call from a supplier, a
customer or business partner that brings the
problem to light, typically following the
receipt of a diversion fraud email requesting -
for example, that future payments should
be sent to a different bank account."
Such breaches not only have the ability to
undermine business relationships, but, in
some cases, can also incur significant
financial liability. "These frauds usually follow
one of two forms: either impersonation,
where a criminal masquerades as the
business, using a very similar domain name
and email address; or, following a successful
compromise, the email comes from the
company's own system. It is the latter case
that raises the issue of liability for any
financial losses a business partner may have
suffered."
ATTACK MINDED
In the battle against sophisticated
cyberattacks, defenders must innovate, if
they wish to remain one step ahead of the
latest threats. To do so, cybersecurity
professionals need real-time, actionable
intelligence about the threat landscapes they
face, says Nilesh Dherange, CTO of Gurucul.
"Threat intelligence solutions provide data
that lets security personnel make informed
decisions about their defences. With threat
intelligence technology, organisations can
know who is attacking them, what their
motivations are and what they are trying to
accomplish. With this knowledge, they can
remedy the threat."
Moreover, to make informed decisions,
context is key. "Without proper context,
David Peters, ANSecurity: creating
a potent threat intelligence platform
doesn't have to be expensive.
Nilesh Dherange, Gurucul: with threat
intelligence technology, organisations can
know who is attacking them, what their
motivations are and what they are trying
to accomplish.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security
23

threat intelligence
threat intelligence is an unruly cascade of
alerts that no human can effectively monitor.
Too many alerts lead to alert fatigue, not
answers. Some conventional threat
intelligence systems, like security incident and
event management (SIEM), don't generate
the data required for delivering actionable
intelligence. The result is too many 'false
positives' - urgent security warnings that turn
out to be empty threats. According to our
survey at RSA Conference 2019, false
positives are the biggest hurdle in maximising
the value of a SIEM solution."
Dherange references a study produced by
Enterprise Management Associates that
revealed 79% of security teams are
overwhelmed by the volume of threat alerts.
"Like the fable about the boy who cried
wolf, too many false positives can result in
warnings simply being ignored. A famous
example of alert fatigue leading to a
cyberattack is the infamous 2013 Target
breach that affected more than 40 million
customers. According to post-breach analysis,
the security group kept seeing the same, false
malware alert before the attack. Eventually,
those warnings were ignored, even as the
real intrusion occurred." To remedy the
situation, he adds, a solution is needed that
can provide the proper context by quickly
analysing new alerts, removing false positives
and generating real-time data about current
threats. "Modern threat intelligence solutions
use behaviour analytics, powered by machine
learning, to automate data collection and
provide risk-prioritised intelligence. Advanced
machine-learning algorithms provide a
holistic view of all log data and expose
suspicious activity.
"These machine-learning models can predict
insider threats, account compromise and
data exfiltration by identifying users and
entities that are acting in risky 'abnormal'
ways, compared to peer-group behaviour.
Most organisations already use multiple
security tools, which produce meaningful log
data. Applying behaviour analytics and data
science to those sources to examine user
access and behaviour is the logical next step."
HUMAN EXPERTISE
To become relevant and actionable,
intelligence must be customised. It's not just a
case of switching on a few threat data feeds.
"Intelligence needs to be developed over time,
with human expertise playing a key role
in this," comments Azeem Aleem, VP
Consulting, NTT Security. "It is an intelligencedriven
holistic security process that may result
in a few mistakes along the way, but that
should not distract you from the ultimate
goal."
The five steps he suggests to attain the Holy
Grail of actionable intelligence are:
Business and risk alignment -
understanding the mission, scope
and authority needed to mitigate risk
Visibility - define the visibility required
to achieve mission readiness
Content - build enablement for detection,
including use cases, situational awareness
and baseline
Security operations - respond, contain
and hunt to achieve the mission of
rooting out known and unknown threats
Applied intelligence and analytics -
analyse, attribute and predict threats to
refocus the mission.
"The key is to first understand what your
organisation's key assets - or 'crown jewels' -
are via a risk analysis," adds Aleem. "Then
filter out the 'noise' to prioritise intelligence
relevant to your business. You can then move
forward to proactively hunt for threats, map
attack patterns and outline the black hats'
tactics, techniques and procedures (TTPs). By
pre-empting the bad guys, you can take the
initiative back to manage cyber and business
risk on your own terms."
MOBILISING YOUR DEFENCES
As more of our daily interactions move to mobile and other handheld devices, our cyber risk is growing exponentially.
"Even Gartner has predicted that, by 2020, 80% of work tasks will take place on mobile devices," points out Tom Davison,
pictured right, EMEA technical director at post-perimeter security companyLookout. "Today, the deployment of mobile
devices, across the enterprise, has introduced a host of new cyber threats and led to the disappearance of the perimeter,
as employees are able to access the corporate network from anywhere."
Threat intelligence is a must for any organisation, of course. "However, to truly have confidence in the defence of the
business, there needs to be visibility across the entire asset base, including mobile devices," argues Davison. "A dedicated
mobile endpoint security solution can contribute directly to the overall threat intelligence picture, while also protecting sensitive
assists when accessed by devices outside the business perimeter. This is particularly crucial in our now post-perimeter security world.
"With humans often regarded as the weak link in security, fortifying technology with education is also paramount to give employees within the
organisation a truer understanding of the mobile threat landscape," he adds. "With a number of hackers and cybercriminals groups operating, its
time businesses upped their resilience levels and post-perimeter security is key to efficiently protect the corporate border, while still giving secure
access to critical data. "
24
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

12th edition of the most recognized and influential
cyber security business forum in Scandinavia.
2019 Main Focus Areas
Cybersecurity
Data Protection and GDPR
Identity and Access Management
IoT and Network Security
Mobile and Cloud Protection
Hacking Democracy by Hacking Minds
60 Nordic and international speakers presenting on 5 stages in 9
agenda streams and 5 C-Level industry panel discussions
Is 14th of November 2019 marked in your schedule?
Registration is now open!
For more information, visit our website at www.nordicitsecurity.com
or email us at info@itstechbook.com

cyber espionage
THE STATE WE'RE IN
IT ISN'T JUST THE ENERGY SECTOR, COMMUNICATIONS AND INDUSTRIAL ORGANISATIONS
THAT ARE AT RISK OF ATTACK FROM NATION STATE AND OTHER MALICIOUS ACTORS.
THE ECONOMY ITSELF IS VULNERABLE, WITH UK BANKS RIGHT IN THE FIRING LINE
Malicious actors are targeting critical
national infrastructure (CNI) sites
and energy distribution facilities on
a growing scale. Interconnected systems in
the energy industry are greatly increasing
vulnerabilities, while cyber-attacks often go
undetected for some time.
As energy companies save costs against the
backdrop of lower oil prices, consolidating
operations can weaken business resilience
and redundancy levels. This gives rise to new,
single critical points of failure, with any
disruption across the supply chain potentially
having increased consequences.
"Espionage and sabotage attacks against
CNI organisations have increased over the
years and I don't think we have seen it all
yet," says Sami Ruohonen, labs threat
researcher at Finnish cyber security company
F-Secure.
Connecting Industrial Control Systems (ICS)
to the Internet is increasing, and many CNI
systems in use today were installed and built
before 24/7/365 internet connections were
the norm - and the advent of Stuxnet. Many
Operational Technology (OT) components
have built-in remote operation capabilities,
but are either partly or entirely lacking in
security protocols such as authentication.
Moreover, cyber security was not a realistic
threat when these systems were
manufactured, and legacy protocols and
systems never had the built-in security
controls that we take for granted today.
Transitioning these systems to the Internet
has opened them up to attacks from a
myriad of angles.
"Critical infrastructure, due to its nature, is
an interesting target for a foreign nationstate,
even during peacetime," Ruohonen
adds. F-Secure's report makes the following
points:
A variety of adversaries, each with
their own motivations and tradecraft,
constantly strive to compromise
organisations that operate critical
infrastructure
Attackers have more time than their
targets and will take months to plan
their attack
People are the weakest link in production,
with company employees seemingly
being criminals' go-to target
Attackers continue to succeed, mainly
due to organisations' lack of mature
cyber security practices
Nation-state sponsored Advanced
Persistent Threat (APT) groups are
relentless, and continue to seek network
foothold positions on CNIs and espionage
opportunities, in the interests of
exercising political leverage
Nine attackers/malwares/techniques
targeting the energy industry stand out,
with spear phishing being the most
common initial supply chain attack
technique
Keeping a small attack surface in the
energy industry - while often pitched as
the best way to mitigate the risk of a
cyber-attack - is simply not possible.
While breaches are a certainty, Ruohonen
advises organisations to carefully review their
cyber security posture to implement latest
technologies, such as an endpoint detection
and response (EDR) solution.
"EDR is a quick way to tremendously
increase capabilities to detect and respond to
advanced threats and targeted attacks, which
might bypass traditional endpoint solutions,"
he explains. "Managed EDR solutions can
provide monitoring, alerting, and response
to cover the needs 24/7. This means
organisations' IT teams can operate during
business hours to review the detections,
while a specialised cybersecurity team takes
care of the rest."
IRANIAN CONNECTION
Iran looms large as a source of such attacks,
with a large-scale coordinated cyber assault
on UK infrastructure, which took place in
December last year, attributed to that
country. In the campaign, personal details
were stolen from thousands of employees,
including those working at the Post Office,
major banks and local government.
David Atkinson, CEO of Senseon and ex
cyber operative, describes the incident as
26
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

cyber espionage
a "sobering story" that demonstrates how
wide the scope is when we talk about nation
state cyber-attacks. "The temptation is to
think of one government's agency fighting
another," he says. "However, as this story
demonstrates, the reality is that the
battlefield extends beyond that to businesses,
public services and other organisations. In
this case the Post Office, local government
and banks are the victims that were caught
in the crossfire.
"This attack also shows that we need to
change awareness of what constitutes critical
infrastructure. Again, we are not just talking
about the energy sector, communications
and industrial organisations. Threat actors
will also target the economy and, if a largescale
attack is launched against the UK's
banks, you can bet the situation will quickly
become critical. The government has a
responsibility to ensure a good standard of
security and defence across all major
organisations to safeguard the UK."
MASSIVE INVESTMENT
Andy Barratt, UK managing director of
cybersecurity consultancy Coalfire, argues
SOFTWARE: A SOFT TARGET
that Iran's effort to steal sensitive data from
UK public sector organisations "is another
example of a surge in nation-state backed
cyber espionage in recent years". Even a
cursory look at the cyber strategies of
countries around the world - both in Asia
and the West - shows that there is massive
investment in offensive digital capabilities,
he points out.
"It's interesting that Iran is seeking to extract
data, rather than bring down core
infrastructure like other nation-state attacks
have done - North Korea's WannaCry hack,
for example, brought parts of the NHS to a
standstill. It's possible that Iran is being
careful, given the West's penchant for
military activity in the Middle East. But it's
also possible that this was an intelligencegathering
exercise to collect the data needed
for more targeted espionage in the future."
Public sector employees are a good target
for accessing data, if the end goal is to access
government infrastructure, he warns. "The
attack costs are relatively low and a huge
database of potential targets can be built up
quickly."
David Atkinson, Senseon: the battlefield
extends beyond that to businesses, public
services and other organisations.
Andy Barratt, Coalfire: Iran is another
example of a surge in nation-state
backed cyber espionage in recent years.
State hacking campaigns, such as Cloudhopper, that target software
supply companies are incredibly dangerous. "By breaching one company,
you can create a backdoor into thousands of others," cautions Simon
Whitburn, SVP Cyber Security Services at Nominet, pictured above. "The
information gathered from these types of attacks can then be used for
spear phishing attacks on high value individuals, which is where serious
damage can be done.
Defending against this type of campaign can be very tough, he adds. "There is a
feeling amongst users that, if lots of people trust and use a service, then it must be secure.
This can result in companies downloading software without checking it themselves first.
Cloudhopper demonstrates that this is a dangerous assumption. Whenever a company uses
an outside service, even from a reputable source, they need to check that there is nothing
malicious lurking in the code. This will add to the deployment time, but could help protect
organisations against this type of malware spreading. One way of noticing if third party
services have been compromised is to measure DNS traffic, which could flag if a programme
is calling out to a command and control centre."
www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security
27

MASTERCLASS
SOCIAL ENGINEERING AND RED TEAMING:
RISKS, REWARDS AND APPROACHES THAT WORK
PAUL HARRIS, CEO, PENTEST LTD, A SHEARWATER GROUP
PLC COMPANY, EXPLAINS THE BENEFITS THAT OPEN SOURCE
INTELLIGENCE (OSINT) CAN DELIVER IN THE ON-GOING
BATTLE AGAINST CYBER ATTACKS
The report is unequivocal: "Cyber
attackers are increasingly focusing
their attention on people, not technical
defences." Automated or AI-driven
technologies are conducting monitoring
and incident-response with unprecedented
power and speed, yet human users remain
the entry point into networks that most
cyber attackers exploit.
The prevalence of malicious social
engineering means that its inclusion in red
teaming exercises is a standard offering.
The objective is to assess the integrity of a
company's defensive mechanisms, and to
then use these findings to improve overall
security culture and incident response.
But what can mock social engineering
actually reveal about a company's staff?
Performed unethically, or without clear
objectives, mock social engineering could
undermine employee confidence or trust in
management. A certain percentage of staff
will consistently click malicious links or install
misrepresented programs; there's nothing
new to learn here.
ALL COMPANIES CAN BE SOCIALLY
ENGINEERED…THE QUESTION IS HOW?
For some companies, revealing the scenarios
a malicious actor could employ may be a
more valuable exercise. A successful social
engineering campaign is, after all, the result
of research conducted by the attacker into
key business partners, technology stacks,
current deals, or staff changes; everything
that could be used to establish a believable
pretext, gain trust or create a sense of
urgency. Open Source Intelligence (OSINT)
replicates this process, and combined with
expert knowledge of active threat groups,
OSINT analysts can specify the ruses that
attackers might present, or the areas of
corporate policy (social media use, for
example), that need to be tightened.
Companies can take these findings and alert
their employees to emails, phone calls, or
network breaches that attackers (may) have
attempted; pre-emptively warning security
teams and keeping good security policy
(eg, do NOT enable macros) at the forefront
of employees' minds, without an unnecessary
game of 'gotcha'.
SIMULATION, NOT HUMILIATION
The inevitability of social engineering prompts
other companies to focus upon the efficacy
of incident response. Pentest (a Shearwater
Group plc company) has conducted
simulations with selected employees
consenting to be mock-phished and
reporting the incident to internal security.
This approach highlights failures in network
segmentation, communication channels,
or technical ability. After conducting such
exercises, Pentest clients have created new
email addresses (suspicious@company.com),
implemented data backup procedures, or
placed assets behind an internal VPN. If the
worst should transpire, the network and its
first-line defenders can contain the impact
of an attack.
Paul Harris, CEO, Pentest.
KNOWLEDGE IS ALWAYS VALUABLE
Standard social engineering tests may reap
valuable data. Identifying the percentage of
vulnerable employees can inform company
training programs - or evaluate previous
security investments. In these circumstances,
anonymising the results of such tests is the
basis of ethical practice. A company like
Pentest has extensive experience in red
teaming and social engineering, while they
are also adept at presenting the results in
such a way as to protect the identity of
affected employees.
Overall, when considering the inclusion of
social engineering in a red teaming exercise,
identifying the informational outcome that
the company is seeking should be the
primary step. A red teaming provider who
seeks to understand the end goal and design
an exercise appropriately is ideally placed to
conduct mock social engineering in an ethical
manner that maximises its rewards.
28
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

CYBER
SECURITY
europe
9-10 October 2019,
ExCeL London
PART OF
DIGITALTRANSFORMATION E PO
PROTECT
DETECT
MITIGATE
REGISTRATION IS NOW OPEN
www.dt-x.io

industrial cyber security
CRITICAL MASS
CRITICAL ASSET OWNERS INCREASINGLY HAVE TO PROTECT THEIR ICT INFRASTRUCTURES AGAINST
CYBER ATTACKS. IT'S NO LONGER ENOUGH FOR THE SUPPLIER OF A SINGLE MACHINE COMPONENT
OR SUBCOMPONENT TO CLAIM IT IS CYBER-SECURE - THE ENTIRE MACHINE MUST BE SO
Quite recently, hacking group
Xenotime reportedly started to probe
industrial control systems of power
grids in the US. Xenotime are the group
behind the infamous Triton malware,
designed to disable safety systems at
petrochemical plants. This malware was
used in December 2017 to attack the safety
systems of an unidentified power station in
Saudi Arabia. Dragos, which specialises in
industrial control system (ICS) security, found
evidence of Xenotime collecting open source
research on targeted electric companies,
externally scanning those companies'
networks and attempting to gain access
through either credential stuffing or stolen
credentials.
"The Trisis malware used in the attack on
Saudi Arabian petrochemical plants and now
recurring in probes conducted against US
industrial control systems is just one example
of the increasingly complex threats posed by
modernising legacy software," says John
Titmus, director EMEA, CrowdStrike. "Across
many of these facilities, previously air-gapped
systems are now being connected to public
internet, in order to make use of internet of
things (IoT) technologies.
"This news highlights the critical importance
of leveraging threat intelligence to mount a
proactive, rather than a reactive,
cybersecurity defence. For groups like
Xenotime, who have proven their capability
at acquiring, reverse engineering and
developing attack packages for industrial
control system equipment, reactive measures
are insufficient to address critical
infrastructure threats," he states.
As supply chain attacks from nation-states
and other cybercriminals persist in plaguing
organisations and government agencies,
the effectiveness of current cyber-security
methods is called into question. "While
individual components may be labelled
as cyber-secure, it only takes a single
vulnerability to compromise the entire supply
chain. To remedy this and improve OT
(Operational Technology) hygiene,
continuous monitoring and enhanced
detection below the OS-level is essential.
Today, most security products remain
blind to attacks that attempt to leverage
vulnerabilities in, for instance, BIOS
firmware. Accessing endpoints in this way
compromises the entire system and can even
persist across reboots and reinstallation of
the operating system."
Titmus believes that firmware and
hardware-level visibility into these
vulnerabilities and attacks is the best option
for protecting the supply chain - and can
even prevent attacks before they have a
chance to take off. "Importantly, this level
of visibility allows cyber security teams to
discover dormant threats that have not yet
been detected. Industrial networks are
particularly at risk to these types of attack,
since their security has often been neglected
for years; malware can spread rapidly from
individual infected devices to the whole
office, to plants in other countries."
30
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

industrial cyber security
MULTIPLE CHALLENGES
How do you stop a wave of innovation from
becoming a tsunami? Cyber security
specialists will know this dilemma well,
acknowledges Mike Nelson, VP of IoT
Security, DigiCert. "The IoT promises to
revolutionise not just how we live at home,
but how we do business and, more
importantly, how we provide those critical
resources that society runs on: gas, water,
electricity and so on. Given the opportunities
that are being offered to seemingly every
level of society - who could say no? Then
again, a cyberattack on a Fitbit is a very
different thing to a cyberattack on a water
treatment facility."
Securing each, he adds, will take very
different efforts and before we even start
doing that we're presented with several
problems. "First, critical assets were built for
failure, not attack. The legacy systems that
run those facilities have often been doing
so for many years and were never created
to withstand a cyberattack, let alone an
attempt to penetrate their pitiful security by
the concerted effort of a nation state. As we
fill in the decades-old airgap between critical
assets and the internet, we are introducing
them to a whole environment full of threats
that they are largely unprepared for."
Secondly, there’s the simple, well-known
fact that the IoT is insecure. Just behind the
rapturous applause for the IoT's arrival has
been a quieter, but no less impassioned,
warning about its vulnerabilities, Nelson
states. "Throughout this period, there has
been little oversight - government or
otherwise - as manufacturers have produced
insecure devices and retailers have sold them
on to an eager public. That insecurity could
have to do with the whole device or it could
have been inserted along the often long and
labyrinthine supply chain that these devices
are assembled on. Even if a manufacturer
says their product is secure, there are plenty
of potential points of failure from the factory
floor to the customer's hands."
And we are only beginning to address
these problems now, he says. "A variety of
governments and industry bodies are
attempting to introduce regulation and
standards that seek to protect this wave of
innovation. Though these efforts are
encouraging, they are not going to patch
over mistakes already made and they won't
pay the security debts that have already been
racked up by the over-eager adoption of
insecure technology. Hopefully, the
regulation stick will lead to better, more
standardised, approaches to IoT security."
That insecurity is not going to be solved
soon and new vulnerabilities will always crop
up, but device manufacturers can use
technology available now to protect devices,
suggests Nelson. "Public Key Infrastructures
[PKI] with digital certificates, for example,
are already being used to secure IoT
devices from the factory floor to use
across distributed networks. PKIs' ability to
authenticate device identities, protect the
integrity of code and firmware updates, and
encrypt data are proven to be scalable and
are interoperable. Well-run PKIs can police
the connections between large networks of
devices and that makes them a good fit for
industrial IoT."
MULTIPLE CHALLENGES
The supply chain for IoT products is often
so complex that it's hard to trace - let alone
make reasonable security judgements about.
"Just because a vendor can vouch for the
integrity of its supplier and that supplier can
vouch for the integrity of its manufacturers,
it doesn't mean that trust, or even security
considerations, are present at all of the
critical stages of development," says Scott
Gordon, CMO, Pulse Secure. That problem
becomes bigger when we're talking about
the IIoT (Industrial Internet of Things) - "not
because the supply chain is less trustworthy,
but because human safety is inextricably
linked to cyber security".
Defending these often undependable
devices is just as much of a problem for the
Mike Nelson, DigiCert: critical assets were
built for failure, not attack.
John Titmus, CrowdStrike: firmware and
hardware-level visibility is the best option
for protecting the supply chain.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security
31

industrial cyber security
supply chain, as it is a more general problem
about our outdated security mindset. "For
years, we've thought that, if we only build
perimeter walls that are strong enough, we'll
be safe. Then again, 12-foot concrete barriers
don't count for much, if they come with an
unlocked door. Considering the herculean
task of trying to police every device, let
alone components within that device,
organisations are thinking about defence in
new ways. Zero Trust architecture is just one
of them."
Knocking down the tired inside/outside
dichotomy of traditional network security,
Zero Trust does not automatically trust any
device, system or user, states Gordon. "Any
that want to gain access must be verified
according to the resource they want to use
or communicate with, leveraging factors like
user and location to authenticate.
Instead of one wall around the city, Zero
Trust builds walls - and, perhaps more
importantly, watchtowers - around each
Nigel Stanley, TUV Rheinland: to build
cybersecurity into the supply chain, it needs
to be written into contracts with suppliers.
constituent building, further complicating
an attacker's job, providing visibility and
preventing the lateral movement that is so
critical in the cyber kill chain."
This matters more when we realise how the
perimeter is changing, he continues. "New
ways of working, such as BYoD [Bring Your
own Device] are making the perimeter line
on which older generations of security
depended less and less clear. We can no
longer say that a network perimeter ends at
the office door, so it makes sense to employ
strategies which accommodate these new
realities."
Moreover, he points out, we are just now
getting regulations that will force security
into the design stage for many of these
devices. "The UK government, for example,
will finally make its 2018 IoT guidelines
mandatory. While commendable, they won't
necessarily secure those supply chains
entirely and the insecure components that
are already floating around the IIoT will
continue to pose threats. It will never be
good enough to have insecure components
within a device; but it's almost impossible to
make sure of. Trying to wish away that reality
is another version of the security wall fallacy:
'If I can stop it from getting into my
environment, I'll be safe'."
For the moment, IIoT users simply have to
accept that there will always be a risk with
these devices and start thinking about how
they're going to respond, once that insecure
component is already in their environment.
"Until IoT users can rely on these complex
supply chains, "enterprises can look to
concepts like Zero Trust to tackle these
unfortunate realities within the supply
chain, " Gordon concludes.
SECURITY MYTH
The number of cybersecurity- related
incidents in industrial control networks has
risen in every region in recent years, and
there have been well publicised reports of
sophisticated malware and threat actors
disrupting safety instrumented control
systems. On the back of this, says Nigel
Stanley, CTO - Global OT and Industrial Cyber
Security CoE at TÜV Rheinland Group,
organisations operating industrial facilities
have a responsibility to "monitor, detect and
mitigate cybersecurity attacks in order to
maintain the safety, integrity and availability
of their site which, if compromised, may
have a severe and detrimental impact on
society".
HOW SAFE IS ‘SAFE’?
But this is no straightforward task, he
concedes, given that safety-critical systems
can contain thousands of hardware
components and millions of lines of software
code. "When it comes to securing individual
components, there is no such thing as
absolute security. In terms of cybersecurity,
products cannot be proven to be secure, or
measured against an industry accepted
Safety Integrity Level (SIL). Therefore, if
a manufacturer claims their product is
'cybersecure', this should be taken with
a large pinch of salt.
"To satisfy cybersecurity concerns, the most
astute manufacturers or operators tend to
seek security assurance - for example, three
levels down their supply chain. While a good
idea on paper, in reality this is a complex and
time-consuming process for all parties. A
detailed questionnaire can confirm whether
suppliers are compliant with cybersecurity
guidelines, but this is never the full picture."
To really build cybersecurity into the supply
chain, it needs to be written into contracts
with suppliers, states Stanley. "Obliging
software code or a piece of hardware to
undergo official certification against an
accepted standard - such as IEC 62443 - can
be helpful. However, this still doesn't
guarantee that a product is secure; just that
it has met the requirements of a particular
standard at a particular time."
32
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

endpoint detection and response
GETTING TO GRIPS WITH ENDPOINT
DETECTION AND RESPONSE
KEITH MASKELL, HEAD OF CYBERSECURITY, TITAN DATA SOLUTIONS,
TAKES A CLOSE-UP LOOK AT WHAT HE SEES AS AN IMPORTANT NEW
CONCEPT IN DISTRIBUTION - EDR AND PACKAGED SOC SERVICES
As companies of all sizes come to
grips with the responsibilities
defined by GDPR, as well as the everworsening
threat landscape in IT security,
the conversation inevitably moves to
'EDR' - endpoint detection and response.
No longer can antivirus protection be
considered a sufficient solution on the
endpoint - on workstations, servers, mobile
devices. When a company realises it is time
to be able to detect the IT security breaches
which may happen at any time, regardless
of the layers of defence implemented,
then it is time for them to consider an
EDR solution. For very many companies, of
many different sizes, that time is right now.
But the world of EDR is not simple to get
to grips with. At the heart of the problem
is the fact that EDR is often dealing with
complicated technical situations which may
be the work of very capable individuals
who have possibly, so far, outwitted the
network and endpoint defences that were
put in place. An EDR solution typically
gathers large amount of highly detailed
event data from the monitored endpoints
and uses analytic processes to extract
combinations of events that, when taken
together, are suspicious. Then the race
is on, to determine whether this particular
alert is really an attack, or perhaps else
a 'false-positive'. No-one wants to be
responsible for shutting down services
or raising alarms, which may cause the
business substantial cost, based on
a false-positive alarm.
ISSUES IN EDR MONITORING
So, there are two tough requirements for
EDR monitoring: firstly, having the right
technical expertise available at the right
time, to make the right decision based on
the EDR alert, and secondly, having people
with the courage to take responsibility for
making the decision, within a suitable work
process framework. Especially taking into
account that this cover has to be on
a 24/7/365 basis to be effective, this
challenge is one step too far for the vast
majority of companies to solve in-house.
If these problems are not truly solved, then
EDR is relegated from being a monitored
alarm system that can help see off attacks,
possibly before any real damage is done, to
being a forensics tool that can help analyse
what happened weeks or months ago,
when an attack took place that was missed
at the time. This is the difference between
stopping the burglar before he can open
the office safe and arriving after the event
to take fingerprints.
One potential solution is the use of
managed services of an external,
independent 'SOC' - security operations
centre. Experts at the SOC can monitor
your EDR system and alert you when
potential breaches are detected.
This may solve the monitoring problem,
but there are three questions: how do you
select the SOC, is it too expensive, and how
do you manage incident response activity
when an alert is received?
www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security
33

endpoint detection and response
MANAGING THE COST
The key to obtaining SOC services at the
right price is to have the choice between
alternative suppliers, or MSSPs - managed
security service suppliers. If an EDR solution
does not provide the possibility of this
customer choice for SOC services, then the
element of competition for the services
element may be lost.
Titan Data Solutions is an IT security
distributor with a difference, because it
believes that its key role is to take the hard
work out of sourcing SOC services for EDR.
Titan Data Solutions works with multiple
SOCs and selects the best options, to
supply Titan packaged SOC services via
its partner base to all types of end-user
organisation. These SOC services include
threat monitoring, remote incident
response by SOC experts, and on-site
incident response.
By sourcing and integrating SOC
packaged services with EDR solutions at the
distributor level, and taking responsibility
for them under its own brand, Titan Data
Solutions provides unique added value.
This translates to affordable pricing for
end users.
For resellers, it is easy to sell these
advanced services like other types of
product, and let Titan Data Solutions, with
its SOC provider, implement the standard
service packages. For 'MSPs' - IT managed
service providers - it can be an impossible
challenge to upskill and increase resources
to provide SOC services on a 24/7 basis,
to meet customer requirements. So,
MSPs can also find Titan Data Solutions'
packaged SOC services an invaluable asset,
to enable them to supply a working EDR
with affordable services, increase their
footprint in the customer and increase
customer loyalty.
AN INTEGRATED FUTURE
Titan Data Solutions believes that, as a
distributor, it is in the perfect position to
source and supply these SOC services. Both
MSPs and resellers may fear that, if they
bring in an MSSP with a SOC directly to
provide these services, then the MSSP may
take over their relationship with their enduser
customer. Titan Data Solutions, on the
other hand, is a distributor and is 100%
committed to its relationships with its
partners - it uses carefully selected SOCs to
provide the services under its own brand,
but Titan Data Solutions will be the supplier
of the services.
So, with the emergence of affordable
packaged SOC services, companies of all
sizes can look afresh at the possibility of
implementing an EDR solution that will
function as a monitored alarm with timely
alerts - including a packaged incident
response service, to assist in analysing
and countering any detected threats.
The future direction of EDR will be for
increased integration with other layers of
IT Security defences, such as antivirus, so
that automated responses to suspected
breaches can become more commonplace.
While many triggered responses are already
available, this can only deal with a limited
subset of use cases for the foreseeable
future. The ingenuity and creativity of
human attackers will require the ingenuity
of human defenders for a significant time
yet to come. Nevertheless, the drive for
cost-competitiveness is likely to strengthen
the trend to increased automated response.
DRIVING FORCE
Consequently, any strategy for EDR should
embrace the future requirement for
increased real-time automated incident
response, driven by the EDR system.
This implies that the EDR system which is
selected should be capable of triggering
defensive responses in the antivirus
endpoint threat prevention system and on
other security layers in the network, to
demonstrate that this facility exists and
can be developed further for the future.
Titan Data Solutions addresses this need
by offering the 'Enterprise Inspector' EDR
system from ESET, together with Dynamic
Threat Defence, to its partners and their
end-users. This EDR system works in
concert with the ESET antivirus system for
endpoint threat prevention. Titan Data
Solutions' packaged SOC services are
supplied for this ESET platform. By tuning
the SOC services to this platform, Titan
Data Solutions can ensure the SOC services
have optimum efficiency and affordability.
EDR is a chameleon: either it is a
monitored alarm that can save your
company, or it is a post-event forensics
tool. Affordable packaged SOC services,
that meet your specific requirements, could
make the difference.
With the right strategy, this will be the
gateway to a future of increased
integration and automated response.
34
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk

Brookcourt Solutions (A Shearwater Group plc Company) delivers
cyber security, network monitoring technologies and managed
security services to help secure and protect your organisation’s
critical infrastructure.
Brookcourt sell leading high-end technology and services to leading
Fortune 250 companies – including the largest telecommunications
providers within the UK, high street banks, global retail enterprises
and the largest oil companies across the world.
Brookcourt can help defend your business against todays advisories
and cyber threats whilst helping you with your data protection and
control. Our leading-edge cyber threat intelligence technologies are
provided to leading global institutions as well as smaller enterprises
as a complete managed service.
Get in touch today: contact@brookcourtsolutions.com
C y b e r S u r v e i l l a n c e • S e c u r i t y • N e t w o r k i n g • C o n s u l t a n c y • M a n a g e d S e r v i c e s
A Shearwater Group plc Company - Multi Award Winning - shearwatergroup.com
For more information contact Brookcourt Solutions t: +44 (0) 1737 886 111 www.brookcourtsolutions.com