03.09.2019

Cyber Defense eMagazine September 2019

Cyber Defense eMagazine September Edition for 2019 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky, a world-renowned cybersecurity expert and the Publisher of Cyber Defense Magazine, as part of the Cyber Defense Media Group


4 Industries Being Hurt by Counterfeit Materials (and How to Spot Them)

5 Most Disastrous Ransomware Attacks of the Last Decade

How to Protect Yourself While Shopping Online

Top 5 Questions about the Capital One Data Breach

Ways to Protect Sensitive Data Online

5 Key Differences between Software and Hardware Vulnerability Mitigations

…and much more…


CONTENTS

4 Industries Being Hurt by Counterfeit Materials (and How to Spot Them) ... 13
5 Most Disastrous Ransomware Attacks of the Last Decade ... 17
Better Safe than Sorry: How to Protect Yourself While Shopping Online ... 21
Conversation Marketing Security Pitfalls and Best Practices ... 25
What Other Companies Can Learn from Facebook’s $5 Billion Fine ... 29
Why “Cloud Security 101” Isn’t So Simple After All ... 32
Anatomy of a Single Request Attack: The #1 Invisible Security Threat ... 36
Adhere to Cyber Security Solutions to Protect Your System from a Diverse Range of Issues ... 39
August Patch Tuesday ... 42
Top 5 Questions about the Capital One Data Breach ... 44
The Need of Automatics and Control in Incident Response ... 47
Preventing Business Email Compromise – a $300 Million Dollar Problem ... 50
Security Research as an Anti-Malware Secret Weapon ... 54
Ways to Protect Sensitive Data Online ... 57
Artificial Intelligence-Driven Situational Awareness ... 61
Attracting and Retaining Staff for a Fusion Center ... 64
Have You Asked your eDiscovery Vendor ... 66
Understanding Application Risk Management ... 71
Ransomware: A Municipality’s Achilles Heel ... 76
Do You Know What That App Is Doing? ... 80
5 Key Differences between Software and Hardware Vulnerability Mitigations ... 83
Data Risk Report Shows Lack of Security across Industries ... 86
How the Internet of Things Could Compromise Online Security ... 90
Public Sector Beware: 3 Steps to a Better Cyberattack Prevention Strategy ... 93
Cybersecurity Checklist: How to Keep Your Business Secure ... 96
Ready Position - Proactive Teams are Helping Solve the Cybersecurity Skills Shortage ... 101
Voice Commerce Calls for Built-in Security ... 105
Protecting Your Business against DDoS Attacks Requires Simple Best Practices ... 108
Serverless Security Analysis: The Best Practices on How to Enforce Them ... 111
Stop! Vulnerable Software ... 115
The Dangers of the Integrated Home/Workplace ... 120
How Real-Time Asset Intelligence Enables Full Posture Control ... 123
Multi-factor Authentication Implementation Options ... 125


@MILIEFSKY

From the Publisher…

New CyberDefenseMagazine.com website, plus updates at CyberDefenseTV.com & CyberDefenseRadio.com

Dear Friends,

Can you believe it’s September 2019 already? We’re almost into 2020, but we still have so much to accomplish this year. Don’t miss us at the Digital Transformation Expo in London this October (https://dtx.io/europe/en/page/dtx-europe) and at InfoSecurity North America in November (https://www.infosecuritynorthamerica.com/) before we turn the corner into an early RSA Conference 2020 in late February, in San Francisco, CA, USA.

When you share a story or an article or information about CDM, please use #CDM – it helps spread the word about our free resources even more quickly. We’re tracking our results on various independent websites that track keywords across the global internet, and here’s where we stand today: https://essentials.news/en/future-of-hacking. We also offer our own statistics that you are free to reuse anytime, from this page: http://www.cyberdefensemagazine.com/quotables/.

I am so thankful and honored to each of you – readers, partners, customers, employees, consultants, supporters and, so very importantly, Robert Herjavec and Dr. David DeWalt for joining in with me to judge the Black Unicorn Awards for this year, with notable mentions, finalists and winners found at https://www.cyberdefenseawards.com/. Our Global Awards are now open, and we hope to find more winners this year who are market leaders, innovators and those offering some of the best solutions for cyber security in the global marketplace. For those women who did not make our Top 25 Women in Cybersecurity for 2019 or missed out on the deadline, we have added Global Awards for Women in Cybersecurity as a new category this year.

We have many new interviews going live on https://www.cyberdefensetv.com and https://www.cyberdefenseradio.com this month, so please check them out and share links to them with your friends and co-workers. Let’s all keep on innovating and finding ways to get one step ahead of the next threat!

Warmest regards,

Gary S. Miliefsky

Gary S. Miliefsky, CISSP®, fmDHS
CEO, Cyber Defense Media Group
Publisher, Cyber Defense Magazine


@CYBERDEFENSEMAG

CYBER DEFENSE eMAGAZINE

Published monthly by the team at Cyber Defense Media Group and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.

InfoSec Knowledge is Power. We will always strive to provide the latest, most up to date FREE InfoSec information.

From the Editor’s Desk…

As we wind up a beautiful summer and begin to look at new themes throughout the year, we still share our thoughts that training is a critical step in turning on the human firewall. From KnowBe4 to Hacker.House to InsiderThreatDefense.US we see a common thread – you can dramatically bolster your “Human Firewall” if you first turn it on, with training by experts. Kevin Mitnick will teach you social engineering 101, and KnowBe4 will provide you with the most advanced antiphishing and compliance tools. Hacker.House will teach you how to be the best penetration tester, yourself. Why hire consultants who don’t care about your business every day of their lives? Also, with most breaches happening from the inside-out, it’s time to get vigilant and train yourself for insider threat mitigation at InsiderThreatDefense.US.

Going into the fall, we will look to other areas in infosec for innovative ways to stop breaches and will share with you our findings in articles and updates through year-end.

To our faithful readers,

Pierluigi Paganini
Editor-in-Chief

PRESIDENT & CO-FOUNDER
Stevin Miliefsky
stevinv@cyberdefensemagazine.com

EDITOR-IN-CHIEF & CO-FOUNDER
Pierluigi Paganini, CEH
Pierluigi.paganini@cyberdefensemagazine.com

EDITOR-AT-LARGE & CYBERSECURITY JOURNALIST
Yan Ross, JD
Yan.Ross@cyberdefensemediagroup.com

ADVERTISING
Marketing Team
marketing@cyberdefensemagazine.com

CONTACT US:
Cyber Defense Magazine
Toll Free: 1-833-844-9468
International: +1-603-280-4451
SKYPE: cyber.defense
http://www.cyberdefensemagazine.com

Copyright © 2019, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a), 276 Fifth Avenue, Suite 704, New York, NY 10001. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide.

PUBLISHER
Gary S. Miliefsky, CISSP®
Learn more about our founder & publisher at: http://www.cyberdefensemagazine.com/about-our-founder/

WE’RE CELEBRATING 7 YEARS OF EXCELLENCE!

Providing free information, best practices, tips and techniques on cybersecurity since 2012, Cyber Defense magazine is your go-to source for Information Security. We’re a proud division of Cyber Defense Media Group: CYBERDEFENSEMEDIAGROUP.COM

MAGAZINE TV RADIO AWARDS
Your website could be vulnerable to outside attacks. Wouldn’t you like to know where those vulnerabilities lie? Sign up today for your free trial of WhiteHat Sentinel Dynamic and gain a deep understanding of your web application vulnerabilities, how to prioritize them, and what to do about them. With this trial you will get:

An evaluation of the security of one of your organization’s websites
Application security guidance from security engineers in WhiteHat’s Threat Research Center
Full access to Sentinel’s web-based interface, offering the ability to review and generate reports as well as share findings with internal developers and security management
A customized review and complimentary final executive and technical report

Click here to sign up at this URL: https://www.whitehatsec.com/info/security-check/

PLEASE NOTE: Trial participation is subject to qualification.


4 Industries Being Hurt by Counterfeit Materials (and How to Spot Them)

By Kayla Matthews

There are many industries with a lot to lose when it comes to counterfeit parts and materials. Today, we’ll talk about four of them.

The dangers are impossible to ignore, and range from having our sensitive information intercepted or held for ransom to having our defense systems shut down at a critical moment. Specialists and decision-makers in these industries and every other need to know why they’re at risk and what to look for. Only then can they protect themselves.

1. Health Care

The health care industry, and medical devices specifically, is a particularly worrisome hotspot for counterfeit materials. Medical devices can be pricey, even when reconditioned and sold on legitimate used markets. The definition of “medical device” has expanded in recent years to include items ranging from syringes, glucose meters and blood pressure monitors to implants and digital pacemakers.


The threats here range from making devices more susceptible to malware and remote hacking to distributing devices, like patient monitoring devices, with the intent to gather as much information on us as possible.

The high asking price of modern medical devices means customers across the world often turn to illicit sources for some vitally important health equipment. To combat counterfeits and help protect the value of legitimate aftermarkets in the health care industry, manufacturers can make more widespread use of unique device identifiers and even turn to blockchain to ensure greater authenticity in the supply chain.

2. Defense

The defense industry keeps lots of people around the world employed and currently has a value of $398 billion globally. But this vertical unfortunately attracts a lot of counterfeiting activity. Apart from health care, it’s hard to imagine an industry with more significant potential for collateral damage.

In 2017, the U.S. military estimated that as much as 15% of its replacement parts pipeline consisted of counterfeit parts. This supply chain is the same one that keeps ground, air and sea vehicles functioning, ensures guidance systems work as expected and protects the integrity of countless other devices and assets at home and in the field.

In a mission to stamp counterfeits out of the defense industry, the Defense Advanced Research Projects Agency began developing “chiplets” that military contractors and authorized manufacturers could begin incorporating into designs. These chips would identify when a device may have become compromised. Before these prevention programs came online, it wasn’t uncommon for U.S. Customs to seize millions of counterfeit microchips in a given year that would otherwise have found their way into defense systems.

In some cases, the parts in question came from missile defense systems. But hiring employees for their attention to detail and training them to keep security a top-of-mind concern should help ensure counterfeit defense products don’t make it as far as customs before getting detected. This type of public-private collaboration is an essential tool as well.

3. IT, Security and Networking Gear

With a lot of the “front” and “back” doors covered at the commercial level with encryption, and at the consumer level with strong passwords, good email security hygiene and virtual private networks, hackers and counterfeiters are turning their attention to infiltrating the very structure of the “house” itself. Given that networking and IT hardware can perform checks of their own against cybercrime, this trend is especially worrying. Cisco and companies like it have, understandably, taken strong measures after discovering authorized and unauthorized sellers who appeared to knowingly distribute counterfeit Cisco products and pass them off as genuine. One suit by Cisco targeted defendants in New Jersey and California, making this a nationwide phenomenon.


Local IT departments in small and medium-sized businesses need to know what they’re up against. Chasing discounted or shady “renewed” IT equipment can sound like an excellent strategy to scale your infrastructure affordably. But it can leave you vulnerable to any number of potential thieves and criminals who can use that fake IT gear to commandeer your whole digital footprint.

Ask original manufacturers for a list of their authorized resellers. If they list the vendor you’re interested in, it means the original equipment manufacturer has a reasonably high degree of confidence in that reseller.

And even if you’re careful about who and where you buy your IT gear from, it’s possible you might still get your hands on a fake network switch or router. Pay attention to the fit and finish of the product. See if the build quality, the labels, the colors and the functionality match what you expect or are used to. Don’t plug it in or install anything if you have concerns. Instead, take some photos and get in touch with the original equipment manufacturer.

4. Construction Materials

Over the years, several high-profile deaths have resulted from counterfeit construction materials. One case involved fake bolts, and another was the result of a ruptured counterfeit cement kiln. A few years later, in 2003, the Construction Industry Institute issued a study citing the cost of counterfeit goods in construction at around $1 trillion per year.

Counterfeit parts in the construction industry can be deadly — and there’s never been a more essential time to take it seriously, now that electronic systems are making their way into construction equipment and the very structures of our buildings like never before.

Companies sourcing raw metals, particularly steel, for the manufacture of nails, screws, beams and other materials, need to know their sources aren’t sneaking in inferior metals in place of what they claim in their specs. That’s how George Hedley puts it, anyway — he wrote “Get Your Business to Work!” and was a contractor and subcontractor in sheet metal and steel fabrication.

Counterfeit steel is scary in one way, but counterfeit smart home components are frightening in a host of fresh new ways. The Internet of Things is now an integrated part of the construction process, as homes and buildings become smarter, greener and more self-sufficient. More systems have electronics and internet-connected control mechanisms built right in.

Suffice it to say, builders right down to individual contractors and handymen need to know what they’re installing, and how and whether the homeowner can take precautions to protect it from intrusion. Even choosing a “smart” ceiling fan can’t be a throwaway decision.

Companies and governments can take steps to ensure electronic devices destined for the construction industry pass muster and don’t mix with counterfeit doppelgangers. One way is to lobby for strong intellectual property protections on the global stage. Part of the reason shipments of counterfeit parts are so common in some parts of the world is that not every region has taken appropriate measures to prevent and respond to IP theft.


Because of this, counterfeit or lower-quality-than-advertised building materials keep putting our physical safety in jeopardy, while compromised smart HVAC and lighting systems put our digital systems at risk. As with other industries, blockchain could do the heavy lifting in the creation of a secure, immutable database of trusted manufacturers and service providers.

No matter what, counterfeit goods are a stubborn problem and will stay that way for some time. But awareness and technology go a long way toward keeping our supply chains and customers safe. An ounce of prevention is worth a pound of cure and tons of regret, so consider suspected counterfeit products a case of “see something, say something.”

About the Author

Kayla Matthews, a cybersecurity journalist, has written for sites like Security Boulevard, the National Cyber Security Alliance, Information Age and more. Matthews can be reached via Twitter @KayleEMatthews or on ProductivityBytes.com.


5 Most Disastrous Ransomware Attacks of the Last Decade

In the past few years, we have seen a massive change in the hacking industry. Let’s take a look at the most dangerous ransomware attacks and how to stay safe from these types of attacks.

By Susan Alexandra, Contributing Writer

Sending malware to systems and asking for ransom is not a new activity for hackers. They have been doing it since the ’90s. Ransomware varieties have grown increasingly advanced in their capabilities for spreading, evading detection, encrypting files, and asking users to pay ransom for their data. It is now a prominent threat to enterprises, SMBs, and individuals. Take a look at the most significant ransomware attacks, and the after-effects of these threats.

1. TeslaCrypt (2015 - 2016)

This ransomware made its presence in the market in March 2015. It is also called a variant of CryptoLocker. TeslaCrypt specifically targeted the gaming industry by encrypting saved games, profiles, maps, downloadable content, and user-generated files of computer games. This ransomware hit 163 victims, netting $76,522 for the attackers behind it. After encrypting popular file types with the AES-256 encryption algorithm, TeslaCrypt held the files for a ransom of $250 to $1000.

These files were not backed up in the cloud or on an external drive but stored locally. The very next year, the creators of TeslaCrypt shared the decryption key with the public, and it was a significant relief to gamers whose data had been compromised.


2. SimpleLocker (2014 - 2016)

In the past few years, we have seen a massive increase in the Android industry. This change is in favor of people as well as the hackers who want to target Android users. SimpleLocker was also created for Android users: it scanned the victim’s SD memory card for certain file types, including images, PDFs and other documents, and audio files, encrypted them and demanded money or a ransom in order to decrypt the files.

If the device is attacked, the victim gets a pop-up window offering to restore the data in exchange for some Ukrainian currency.

3. CryptoLocker (2013 - 2014)

This malicious program was the one to bring ransomware and its worst implications to the fore. CryptoLocker spread via attachments to spam messages and used RSA public-key encryption to seal up targeted user files.

While ransomware usually freezes the device of the user, CryptoLocker followed a different route. It allowed the users to run their systems and the downloaded software but encrypted their user files. The data was not lost, but the hackers were demanding cash (millions of dollars) in return for the decryption keys.

4. WannaCry (2017)

WannaCry ransomware was the most disastrous attack, infecting more than 250,000 systems in around 116 different countries. This ransomware initially started in European countries and regions and then spread into multiple countries. The prime targets of this attack were hospitals, businesses, government organizations, and radio stations.

This ransomware resulted in a massive loss of four billion dollars. Victims of this attack were users of the Windows operating system. After the attack, the encrypted files were saved on the hard drive and users were forced to pay in bitcoins in order to get their data back.

5. NotPetya (2017)

Petya was a ransomware package that dated back to 2016, but just weeks after the WannaCry outbreak, an updated version began to spread. It not only encrypts files but also overwrites and again encrypts the overwritten files in the Master Boot Record (MBR). Later, cyber experts revealed that while the malware was a variant of Petya, it was not Petya.


Ransomware Prevention - 5 Easy Steps to Protect Your System

In this world, no one is safe from cyberattacks, ransomware, and malware attacks, no matter how expert you are, who you are, or what industry you belong to. You must keep your systems up to date because it is a matter of data, and if you hold data that contains personal information, you must take care of it; otherwise, your data can end up in the wrong hands. Below are some tips that can help you protect your data.

1. Update Your System

It is essential to keep your system up to date with the best anti-malware, anti-virus, VPN, and other encryption tools that tighten your computer’s security. Systems running outdated software are vulnerable to attacks, and hackers can easily target those systems.

2. Regularly Back Up Your Data

Make it your habit to back up your data twice a month. Storing all the data in the cloud or on an external hard drive is the best option.

3. Don’t Click on Suspicious Links

Another way to prevent ransomware is to be extra vigilant about links in emails. Many people click on malicious links or attachments that can download ransomware to their system. Always think twice before clicking so you can keep infected links and other malicious sources away from your computer and valuable data.

4. Regularly Scan Your System

Scan your system with the tools and keep the scan scheduled so that you can easily detect threats. It will also help you in detecting real-time threats to your system.

5. Educate, Educate, Educate

If you are working in an organization, educate your employees and tell them all possible ways to avoid ransomware. Give them training every month and keep them updated with the security tools and the basics of online security.


About the Author

Susan Alexandra is an independent contributing author at Securitytoday and Tripwire. She is a small business owner, traveler and investor in cryptocurrencies.


Better Safe than Sorry: How to Protect Yourself While Shopping Online

By Bailey Newman, Content Team, CouponChief.com

We may think nothing of filling out forms and providing data to ecommerce sites, social media sites, and public forums, but thieves and swindlers are ready to take advantage of our lapses. Online danger comes in all kinds of packages, from romance scams to phishing schemes.

Even huge companies are not immune to security breaches. One example is the eBay attack, where cyber attackers stole names, addresses, even passwords from eBay’s entire database of over 145 million users. Although the incident was reported in May 2014, the hackers were active for almost the entire prior year. Another example is the Yahoo Bust, where Yahoo lost the personal information of about 1.5 billion user accounts between 2013 and 2016.

So how do you stay safe online?

The only way to make absolutely sure your data is safe online is to stop using the internet. That would be taking it too far, though. For most of us, the benefits of going online far outweigh the risks – we just have to be smart about what we do there.

Here’s the root of the issue: When you’re at home using your computer, it feels like you’re safe – like it’s just you and the screen. The truth, though, is that while you’re looking at the internet, it’s looking back at you. You’re connected digitally to the billions of other internet users globally, and there’s a specific identifier – your internet protocol address, or ‘IP’ – that sets your machine apart from the rest. It is the basis of your digital footprint.


To stay safe online, it’s important to understand the five primary areas of attack and the steps you can take to protect yourself from each.

1. Antivirus software isn’t always effective, so getting a robust antivirus program is essential.

This is one of the biggest security mistakes online shoppers make. New computers typically come with antivirus software pre-installed. The new owner figures that means the machine is good to go, then proceeds to surf indiscriminately – figuring the software will act as a bodyguard and fight off any attackers.

That’s not always true, though. One reason is that the antivirus software that comes on new computers is a trial version only (unless you specifically purchased it with the machine). Also, there are a number of ways antivirus software can get turned off. Whether you shut it down on purpose to install another program successfully, it gets turned off accidentally, or a cyberattack shuts it down – if it’s not on, it’s not protecting you. No tool is perfect, but a robust antivirus program is essential. You should never go online without that first and persistent line of defense.

2. Do you really know what you’re clicking on?

Soldiers know one of the favorite tricks of the enemy is to bury explosives along the road or trail. It’s a 24/7 way to catch someone off guard and exploit the situation. Cybercrooks do the same thing. They don’t use artillery shells or high-explosive charges for their landmines, though; they use clicks… YOUR clicks.

Common traps include pop-ups saying your computer has been infected with a virus and you must click (or call a phone number) to fix the issue, ‘Unsubscribe’ links in emails that really aren’t unsubscribe links, and pop-ups or emails saying you’ve just won a prize and must click to claim it. As with most things, if it sounds too good (or bad) to be true… it probably is.

Threat levels have escalated with the rapid growth of internet speed capabilities. It may take only a few seconds for the crooks to push their code to your machine. Those few seconds could cause major upheaval to your life. Don’t take the risk of clicking on suspicious links. Always hover to check that a link is going to a familiar, friendly website you trust.

3. Every download is a potential landmine.

You don’t always have to be tricked into downloading malicious files. Sometimes, you go looking for it. Special dangers are sites offering software, music, or videos for free. ‘Torrent sites’ are especially prone to deliver more than you bargained for in the way of headaches.

When you click “Okay” to install a file, you’ve no control over what happens next. With many malicious files, you don’t even need to acknowledge the installation. It happens automatically. It’s also possible you won’t know anything’s going on at all.

Play it safe. Be smart. If you need a program, pay for it… otherwise you may pay a whole lot more than you ever intended.

4. Be careful of where you leave your digital footprints.

Every post you make on social media, every website you visit, and every form you enter information into can be a collection point for thieves and scoundrels. If they can collect enough personal data from your posts, they may be able to ask for a password reset and access your secure locations. Identity thieves and neighborhood break-in artists love social media. You tell them everything they want to know there – including when your home is going to be vacant for an extended period, your mother’s maiden name, and the make of your first automobile.

How can you protect yourself? That’s easy: stop doing that. Wait until you’re home from vacation to post those photos, and never respond to those chain letter inquiries that require you to reveal everything down to the color of your underwear.

Your digital footprints are like your tracks in wet sand. They tell everyone exactly where you’ve been. The digital version doesn’t get washed away with the tide, though. They’ll be there for a long, long time. Not only does that give potential employers a candid window to check up on what you look like apart from a resume, your online tracks give marketers and cybercrooks an excellent means of finding out more about you.

5. Your passwords say a lot about you.

What’s the most common password used? Nope, it’s not “password.” That one now sits at number eight. Last year’s most-often chosen protector of the digital kingdom was “123456.” Running close behind, in second place, was “123456789.”

How hard would that be to break?

Computerized password cracking machines are relatively inexpensive and can allow thieves to access your account in seconds. And if you use the same password for multiple accounts, that means one key fits all. Don’t try to be cute with passwords. Be safe. You wouldn’t hand out keys to your home indiscriminately, and you hopefully won’t put a key under the doormat. Passwords play a huge part in online security. Use them well.

The internet is amazing. You can select goods from all around the globe and have them delivered to your door the next day. Few people want to return to pre-internet days, but most people do want to get rid of the crooks.


About the Author

Bailey Newman is part of the content team at CouponChief. She likes brisk walking in the morning with her dog Chichi. She loves the smell of nature and can’t imagine a life without it. Having pledged to reduce her environmental impact, she reduces, reuses, and recycles.

Bailey can be reached online at bailey@couponchief.com and at our company website https://www.couponchief.com/guides/online_shopping_safety


Conversation Marketing Security Pitfalls and Best Practices

By Morey Haber, CTO & CISO, BeyondTrust

According to Gartner’s recent ‘AI and ML Development Strategies’ study, 40% of organizations cite customer experience (CX) as the number one motivator for use of artificial intelligence (AI) technology. Not surprisingly, across the Middle East, we are seeing enterprises of all sizes and even several government entities start rapidly deploying chatbots on their websites, all in an effort to provide customers faster responses to their queries. These chat applications are designed to field plain text requests from humans that are fed into an AI engine, which can provide “smart”, scripted responses to inquiries.

As the machine learning technology that powers many of these chat applications gets smarter, it is going to get increasingly harder for users to determine if they are interacting with a real person or a machine. As a case in point, some services classified as “conversation marketing” may actually route you to the appropriate live person for a more in-depth conversation. But while we might never know the difference, with a little social engineering, a threat actor can easily determine what is behind the scenes and exploit any IT security vulnerability.


Understanding the security implications of chatbots

Irrespective of whether it’s a human or machine, there are some inherent security risks in chat-based services. Ironically, while there is a plethora of information available on how to deploy chatbots and the associated benefits, there isn’t the same level of attention and guidance around how to keep it secure for both your organization and for the end user.

As a case in point, consider an automated service that is either hosted by the company itself or connected to a cloud-based AI engine as a service. To effectively respond to queries, this service needs to access backend resources. This often means having a database fronted by middleware that allows queries via a secure application programming interface (API). The contents of the database will vary from company to company and may include anything from hotel reservation information to customer data—and it may even accept credit card information.

Here’s a checklist of basic security questions to cover before implementing a chatbot that is fully automated and AI-driven:

• Is the API connecting your organization’s website and the chatbot engine secured using access control lists (ACLs)? You can accomplish this by using IP addresses, geofencing, etc.

• How do you approach the management of authentications between the systems (webservice, engine, middleware, cloud, etc.)?

• How do you apply vulnerability management best practices across the architecture supporting the chatbot? You should also find a way to implement routine penetration testing.

• Have you adequately secured privileges/privileged access and enforced least privilege?

• What data can the chatbot query—is any of it sensitive? Do any specific regulations apply to how this data is collected, stored, handled? For instance, do communications contain information that may warrant extending your scope of regulations, like PCI DSS? Also, will communications “self-destruct” in accordance with certain regulations?

• Is there a process for logging and detecting potential suspicious queries that may be designed to exploit the AI engine or leak data?

• Can you mitigate or prevent malware or distributed denial of service (DDoS) attacks that target your service?

• Do you ensure end-to-end encryption for all chatbot communication and what protocols are you using?

In addition to carefully considering these security implications, organizations should continuously inventory the supply chain based on assets and communications from chatbot, webservice, and provider to maintain a risk assessment plan. Any changes can easily affect some of the best practices listed above.
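The following is an added example, not BeyondTrust’s code, of how several of the checklist items above can be enforced in the middleware that fronts the chatbot’s backend: an IP allow-list (ACL) between website, engine and middleware, HMAC-authenticated calls between those systems, a least-privilege list of the intents the bot may query, and logging of suspicious queries or card numbers that would pull the chat into PCI DSS scope. The address ranges, shared secret, intent names and chat messages are all constructed for illustration.

```python
"""Added example (not the article's or BeyondTrust's code): a gate in front of the
middleware that fronts the chatbot's backend database. All names, keys and
sample messages below are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import re
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed ACL: only the web front end and the hosted AI engine may call the middleware.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24"),   # web servers (TEST-NET-3)
                   ipaddress.ip_network("198.51.100.7/32")]  # AI engine (TEST-NET-2)

# Constructed shared secret for HMAC-signed service tokens (in practice a managed, rotated secret).
SERVICE_KEY = b"example-shared-secret-rotate-me"

# Least privilege: the bot may only invoke these read-only intents against the backend.
PERMITTED_INTENTS = {"reservation_status", "opening_hours", "loyalty_balance"}

# Rough PAN pattern: 13-19 digits with optional spaces or dashes; confirmed with a Luhn check.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Phrases that suggest someone is probing the engine or backend rather than asking a customer question.
PROBE_RE = re.compile(r"(ignore (all )?previous instructions|select \* from|union select)", re.I)


@dataclass
class Decision:
    allowed: bool
    reason: str
    log: List[str] = field(default_factory=list)   # lines a SIEM would ingest


def sign_request(intent: str, timestamp: int, key: bytes = SERVICE_KEY) -> str:
    """Caller side (web service or engine): HMAC over intent and timestamp; the gate enforces freshness."""
    msg = f"{intent}|{timestamp}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum, used to cut false positives on long digit runs (order numbers etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def gate(src_ip: str, intent: str, timestamp: int, signature: str, message: str,
         now: Optional[int] = None, key: bytes = SERVICE_KEY) -> Decision:
    """Decide whether one chatbot request may reach the backend, logging every outcome."""
    now = int(time.time()) if now is None else now
    d = Decision(allowed=False, reason="")
    # 1. ACL: the calling system must be in the allow-list.
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in net for net in ALLOWED_SOURCES):
        d.reason = "source not in ACL"
        d.log.append(f"DENY acl src={src_ip}")
        return d
    # 2. Authentication between systems: a valid signature inside a 5-minute replay window.
    expected = sign_request(intent, timestamp, key)
    if abs(now - timestamp) > 300 or not hmac.compare_digest(expected, signature):
        d.reason = "bad or stale service signature"
        d.log.append(f"DENY auth src={src_ip} intent={intent}")
        return d
    # 3. Least privilege: only permitted intents are ever translated into database queries.
    if intent not in PERMITTED_INTENTS:
        d.reason = "intent not permitted for chatbot"
        d.log.append(f"DENY privilege src={src_ip} intent={intent}")
        return d
    # 4. Suspicious queries are logged and stopped; card numbers are logged by last four only.
    if PROBE_RE.search(message):
        d.reason = "suspicious query flagged"
        d.log.append(f"ALERT probe src={src_ip} intent={intent}")
        return d
    for m in PAN_RE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            d.reason = "card number in chat; PCI scope"
            d.log.append(f"ALERT pan-in-chat src={src_ip} last4={digits[-4:]}")
            return d
    d.allowed = True
    d.reason = "ok"
    d.log.append(f"ALLOW src={src_ip} intent={intent}")
    return d


if __name__ == "__main__":
    ts = int(time.time())
    for msg in ("where is my booking?", "my card is 4111 1111 1111 1111"):
        res = gate("203.0.113.10", "reservation_status", ts, sign_request("reservation_status", ts), msg)
        print(res.allowed, res.reason, res.log)
```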



Protecting your employees during conversation marketing

In conversation marketing, a human is actually responding to the queries via the chat window. Several organizations try to make the experience really “authentic” and, as a consequence, do not use fake names or pictures for the human chat box representative.

However, if a company displays the full name of their chat representative inside the chat box, with just a little social engineering, a bad actor can easily uncover data about the representative that can be used as part of an exploit. This is particularly easy if the representative has a social media profile. So to that end, if you do choose to use conversation marketing, it is critical that you follow a few key security best practices.

• For one, never reveal the employees’ full name and instead use an alias. While this might seem counterproductive (remember the whole making the experience more “authentic”), using the full name or even just the first name and last initial poses a high risk as a little research could uncover personal information about the representative.

• If the chat service displays a picture, photo, or avatar of the representative, use a unique image that cannot be found anywhere else on the internet. The reason—a simple search by the employee and company name will reveal their social media presence and, if the pictures easily match, you might as well use their full name anyway! You will have done very little to mask their identity and provide protection from a potential social engineering attack at home or at work.

• Have a detailed manual in place that clearly states what information the employee can share and what he/she absolutely cannot—under any circumstances, irrespective of the inquiry—during a chat conversation. These guidelines will vary, and can include everything from license keys to password resets. Your business will have to establish this list based on the services the chat box provides and any local and industry regulations governing data exposure, particularly across country lines.

• Create a formal support and escalation path for inquiries into potentially sensitive information.

• Provide regular security training for all chat box representatives so that they know how to recognize a potential attack, how to respond to suspicious requests, and how to escalate a situation before it becomes a security incident for your organization.

Let’s face it—when it comes to improving customer service, the benefits of chatbots and conversation marketing are undeniable, which means they are here to stay. But these tools do open up another attack vector—cybercriminals will always exploit the simplest way to compromise an organization and, unfortunately, humans are often the weakest link.

But by assessing the key questions and implementing these best practices, you can enable a chat service that helps support your business initiatives, without opening up unnecessary risks.


About the Author

With more than 20 years of IT industry experience and author of Privileged Attack Vectors and Asset Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology encompassing privileged access management, remote access, and vulnerability management solutions, and BeyondTrust’s own internal information security strategies. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.


What Other Companies Can Learn from Facebook’s $5 Billion Fine

Organizations need to view government demands as the floor rather than the ceiling when it comes to protecting consumer data

By Jacob Serpa, researcher, Bitglass

While Facebook’s $5 billion settlement stands as the largest fine in the history of the Federal Trade Commission (FTC), one must take into consideration that not every company is going to be on the same scale when it comes to penalties for mishandling consumer data. In Q2 2019, Facebook boasted 2.41 billion worldwide monthly active users on its platform, not including Instagram, WhatsApp, or Facebook Messenger users. Additionally, the company is reported to have collected $16.9 billion in revenue for the three months ending in June 2019, representing a 28% increase over the same period last year.

Regardless of the massive scale, this settlement highlights the growing importance of data privacy moving forward. Companies will be held more accountable for securing user data and will need to demonstrate how they are using it. However, instead of viewing government demands as a ceiling and seeking to meet the minimum security requirements that they detail, organizations should view complying with government demands as a floor for security and go beyond them to ensure the highest level of comprehensive, proactive protection for user data - otherwise, they may find themselves faced with similar penalties as Facebook.

The fact that Facebook was fined should come as no surprise. The social media giant has been under fire for several data privacy incidents for some time. Consider, for example, the Cambridge Analytica scandal wherein Facebook’s lax data controls were exploited in order to harvest user data (the debacle also violated a 2012 settlement between the FTC and Facebook). Despite this, the amount that Facebook was fined is fairly surprising. While the company can afford the $5 billion settlement (which represents one month’s revenue), others are unlikely to be able to survive fines of this scale. Additionally, the cost of a data breach typically involves a number of factors, including fines, cleanup and incident response costs, reparations for customers exposed, and litigation expenses.

In light of the above (as well as other issues such as damage to brand reputation), it is not abnormal for enterprises to declare bankruptcy after suffering data breaches. In fact, the Retrieval-Masters Creditors Bureau, the parent company of the American Medical Collection Agency (AMCA), filed for Chapter 11 protection after an eight-month-long breach exposed the personally identifiable information (PII) of 20 million Quest Diagnostics, LabCorp and BioReference patients. The company spent $3.8 million mailing notices to individual breach victims, and another $400,000 on the consultants and IT professionals that were hired to assist with responding to the breach. In other words, there is no way that the AMCA could have afforded a settlement that amounted to one month’s revenue.

Fines are supposed to have a material impact upon the companies against which they are issued; however, they are not necessarily supposed to drive them out of business entirely. This fine will serve as a warning to Facebook that mishandling users’ data in the future will have even more severe repercussions. Facebook and other companies that deal with massive amounts of user data should take this settlement as a lesson and proactively improve their cybersecurity efforts so that they are doing more than just complying with regulations or trying to stay out of trouble.

The key to protecting customer data is to treat compliance as the floor for security rather than treating it like the ceiling. By simply adhering to government demands, organizations may maintain compliance; however, they are unlikely to be seen as champions of data protection, customer privacy, and corporate social responsibility. As such, proactively securing users’ data, being transparent about how it's used and who it may be shared with, as well as allowing users the right to be forgotten, will help establish any company as a leading, trustworthy organization. As the U.S. begins to think more about regulations at a state level, ensuring a robust cybersecurity posture will be the most effective way to ensure universal compliance.


About the Author

Jacob Serpa works for Bitglass, the next-gen CASB company. Serpa is passionate about helping others protect their personally identifiable information (PII) and earned his MBA at San Jose State University, where he graduated at the top of his class.


Why “Cloud Security 101” Isn’t So Simple After All

By Josh Stella, co-founder and CTO of Fugue

The term “cloud misconfiguration” may not seem like an adequate term to describe the leading cause of cloud data breaches. It connotes a small, innocent mistake that is easy to fix. However, the recent Capital One data breach teaches three lessons about the vulnerabilities that cloud misconfigurations create: attackers can exploit them quickly without being detected, it’s become very difficult for enterprise security teams to find them before the bad guys do, and the consequences for losing that race can be devastating.

Migrating IT systems from the data center to platforms like AWS and Microsoft Azure can improve collaboration and productivity among employees, even when they’re scattered across remote locations, and relieve IT teams of the dual financial and time management burdens of installing, maintaining and upgrading on-premises systems. Just as the cloud has revolutionized how people get work done every day, it’s also transformed the responsibilities of the security, risk management and DevOps teams. Cloud service providers like Amazon, Microsoft and Google clearly explain the shared responsibility model - they’re responsible for the security of the cloud, but the customer is responsible for their security in the cloud--including the secure configuration of cloud services they use. Ignoring this responsibility is a recipe for disaster.


New thinking, new strategies, new tools

It’s critical to understand that everything in the cloud—servers, databases, the network, security—is defined through software, specifically via Application Programming Interfaces (APIs) defined by the cloud providers. This provides tremendous flexibility, agility and power — including the power to know the state of all infrastructure at any point in time. However, it also means there is great risk and potential vulnerabilities stemming from what are effectively software errors—misconfiguration of the resources that make up the cloud infrastructure.

The traditional approach to security of securing the network perimeter with antivirus, firewalls and other outward-facing solutions is not adequate in the cloud because there is no perimeter (if there ever was one). Instead of restricting inbound traffic, the focus must be mitigating cloud infrastructure misconfiguration through the entire stack, whether due to human error, a lack of policy controls in CI/CD pipelines, or bad actors.

That’s easier said than done. Today’s hackers use automation to find and exploit these misconfiguration vulnerabilities before traditional manual remediation methods can fix them. In order to become more proactive and prevent these threats from doing any damage, organizations need to simulate real-world misconfigurations to identify security gaps before they are exploited.

Information on the breach that impacted Capital One (and likely dozens of other organizations), drawn from the FBI complaint and the alleged attacker’s social media posts, indicates she discovered a misconfigured firewall in the Capital One Amazon Web Services (AWS) environment, and used it to access more than 100 million Capital One customers' accounts in one of the biggest data breaches ever. It’s just the latest example of how the nature of the threat landscape has changed, due in large part because the bad guys have grown so adept at using automation technologies to find and exploit vulnerabilities. The process takes mere minutes, making traditional manual remediation methods too slow to be effective.

Consider the amount of time it takes—once you’ve found a vulnerability in your cloud configuration—to create a ticket, get it assigned to an engineer and then have them fix it. Hours or even days could go by before the issue is fixed. We call this “Time To Remediation”, and your “Mean Time to Remediation” (MTTR) needs to be in the order of minutes.


That’s why your organization also needs to leverage security automation for the cloud. Yes, past issues caused by security bots and other security automation tools that inadvertently brought down production systems have bred an understandable aversion to them among application and IT teams. But we’ve reached a tipping point where the risks of potential harm are so great and advancements in automation make it the only viable solution.

As a best practice, look for cloud security tooling that provides true automated remediation “out of the box.” Otherwise your engineers will have to write lots of tedious and error-prone code that, without the right application context, can cause destructive changes that can lead to costly downtime events.

Additionally, implement regular testing to determine whether security automation is working. Do not focus on whether compute resources reappear on deletion; rather, examine what happens if an IAM policy or Security Group definition is changed. The list doesn't stop there. Other things you should test are S3 bucket configurations and VPC network configurations. Resilient security demands covering all vulnerabilities an attacker may try to exploit.

Security’s “Shift Left”

Developers use the term “shift left” to describe moving a particular function to earlier phases of their processes to make identifying and fixing bugs and other errors easier and less time-consuming. Security teams should embrace shift left and work with DevOps to implement procedures for identifying and remediating cloud misconfigurations early in the software development life cycle when making corrective change is faster and less expensive.

This is not only a procedural change, it’s a cultural one. Developers typically relegate security and compliance considerations as afterthoughts implemented as a gate during the test phase. Then they grow frustrated when security forces them to perform rework in design, development, and testing, and blame the security team for delays moving applications into production. Automating the shift left of compliance and security into the design and development phases can eliminate these delays and frustrations, and make better systems.

Shared security responsibility

Another important difference in the cloud is that security teams do not have direct access to all network traffic to monitor for intrusions. This is something cloud providers do as part of the shared responsibility model. Therefore, the security team’s chief responsibility becomes protecting the service configuration layer.

Cloud services talk to each other via APIs, and the newer ones use identity to configure access, as opposed to the older IP address space configuration method. The network perimeter is defined via SDN and security group configurations. Unlike in the data center, configuration changes to your basic security posture are accessed via API and are subject to a lot of change for many reasons. IT’s goal is to establish a more resilient configuration of these services.

This requires a mechanism to revert damaging changes to your cloud configurations back to the healthy ones. The most effective option is to implement self-healing configuration, i.e., capturing a known-good baseline and leveraging an engine that knows how to revert all mutable changes. Automating the process relieves the security team of the burden of manually monitoring for and remedying any potentially damaging changes to the environment.
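As an added example (not Fugue’s product code), the following sketches the self-healing loop just described and the test the earlier section asks for: capture a known-good baseline of security group rules and S3 public-access settings, compute the actions that revert drift in a live snapshot, and verify that applying them restores the baseline. The security group id, bucket name and both snapshots are constructed; a real engine would read and write them through the provider’s API (for AWS, boto3) instead of dictionaries.

```python
"""Added example (not the article's or Fugue's code): a minimal self-healing
configuration engine with a drift test. Snapshots are constructed dictionaries
standing in for what a provider API would return."""
from copy import deepcopy
from dataclasses import dataclass
from typing import List, Optional, Tuple

Rule = Tuple[str, int, int, str]   # (protocol, from_port, to_port, source CIDR) for an ingress rule


@dataclass(frozen=True)
class Action:
    kind: str                       # "revoke_ingress", "authorize_ingress" or "block_public_access"
    resource: str                   # security group id or bucket name
    rule: Optional[Rule] = None     # for ingress actions
    flag: Optional[str] = None      # for public-access-block actions

    def severity(self) -> str:
        # A world-open ingress rule or a disabled public-access block is the urgent case.
        if self.kind == "revoke_ingress" and self.rule is not None and self.rule[3] == "0.0.0.0/0":
            return "high"
        if self.kind == "block_public_access":
            return "high"
        return "medium"


def plan_revert(baseline: dict, live: dict) -> List[Action]:
    """Compare the live snapshot with the known-good baseline and list the actions that restore it."""
    actions: List[Action] = []
    for sg_id, rules in baseline["security_groups"].items():
        want, have = set(rules), set(live["security_groups"].get(sg_id, []))
        actions += [Action("revoke_ingress", sg_id, rule=r) for r in sorted(have - want)]
        actions += [Action("authorize_ingress", sg_id, rule=r) for r in sorted(want - have)]
    for bucket, flags in baseline["s3_buckets"].items():
        have_flags = live["s3_buckets"].get(bucket, {})
        actions += [Action("block_public_access", bucket, flag=f)
                    for f, on in flags.items() if on and not have_flags.get(f, False)]
    return actions


def apply_actions(live: dict, actions: List[Action]) -> dict:
    """Simulate the engine applying the plan; a real engine would call the provider API here."""
    state = deepcopy(live)
    for a in actions:
        if a.kind == "revoke_ingress":
            state["security_groups"][a.resource] = [r for r in state["security_groups"][a.resource] if r != a.rule]
        elif a.kind == "authorize_ingress":
            state["security_groups"].setdefault(a.resource, []).append(a.rule)
        elif a.kind == "block_public_access":
            state["s3_buckets"].setdefault(a.resource, {})[a.flag] = True
    return state


def self_heals(baseline: dict, mutated: dict) -> bool:
    """The regular test the article recommends: mutate an SG or bucket setting and confirm the
    engine brings the environment back to baseline with nothing left to revert."""
    healed = apply_actions(mutated, plan_revert(baseline, mutated))
    return plan_revert(baseline, healed) == []


# Constructed baseline: HTTPS open to the world is intended; SSH only from the corporate range.
BASELINE = {
    "security_groups": {"sg-0example": [("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 22, 22, "10.0.0.0/8")]},
    "s3_buckets": {"example-customer-data": {"BlockPublicAcls": True, "RestrictPublicBuckets": True}},
}
# Constructed drifted snapshot: SSH and RDP opened to the world, bucket ACL block switched off.
DRIFTED = {
    "security_groups": {"sg-0example": [("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 22, 22, "0.0.0.0/0"),
                                         ("tcp", 3389, 3389, "0.0.0.0/0")]},
    "s3_buckets": {"example-customer-data": {"BlockPublicAcls": False, "RestrictPublicBuckets": True}},
}

if __name__ == "__main__":
    for a in plan_revert(BASELINE, DRIFTED):
        print(a.severity(), a.kind, a.resource, a.rule or a.flag)
    print("self-heals:", self_heals(BASELINE, DRIFTED))
```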

Better security, fewer tradeoffs

The good news is that your cloud infrastructure can be more secure than your datacenter ever was. The datacenters run by cloud services providers like Amazon, Microsoft and Google are more likely secure and more reliably operated than datacenters you are responsible for operating and securing. Additionally, security and compliance are fully programmable, and that provides you with complete, real-time visibility into your cloud environments, down to every configuration detail. That was not possible in the on-premises datacenter with its enormous collection of “black boxes” that require manual configuration.

You no longer need to trade speed and agility for security and compliance. In the cloud, you can have both! Equipped with the right tools, developers can move fast and more securely than ever before.

About the Author

Josh Stella is Co-founder and CTO of Fugue, the cloud infrastructure automation and security company. Fugue identifies security and compliance violations in cloud infrastructure and ensures they are never repeated. Previously, Josh was a Principal Solutions Architect at Amazon Web Services, where he supported customers in the area of national security. He has served as CTO for a technology startup and in numerous other IT leadership and technical roles over the past 25 years.


Anatomy of a Single Request Attack: The #1 Invisible Security Threat

By Kevin Gosschalk, CEO and Cofounder, Arkose Labs

Hackers are employing a new type of attack that has quickly become the scourge of network cybersecurity systems, getting around even advanced detection tools by using techniques that allow them to impersonate authentic individual web requests. The attacks, in effect, hide in plain sight by posing as everyday users, opening the door to a wide array of fraud and abuse.

Called Single Request Attacks, they are increasingly being used in the most advanced automated attacks conducted at scale, such as account takeover (aka credential stuffing), creation of fake users, spam, use of stolen account cards and denial of inventory. They’re also becoming common tools for hackers that cheat online marketplaces, generate fake accounts, and scrape valuable content from websites.

Single Request Attacks, despite their name, don’t occur in a single instance, but are delivered through an organized network of automation as part of a flood of malicious requests. While they may appear to be a single request from one legitimate user, they are actually part of a large-scale coordinated campaign.

The attacks employ a sophisticated protocol of tactics designed to convince a receiving network that the requests are coming from human users with authentic intent. Typically, the attacks are carried out using a headless browser—which uses a command line rather than a graphical user interface—that can execute JavaScript in just the way you’d expect from a legitimate user. They also use a dynamic fingerprint so the device origination can’t be identified, and similarly adapt their network fingerprint to prevent identification of the IP address.

By taking this approach, they avoid the tell-tale signs of an attack that most fraud prevention and bot mitigation platforms look for, and thus can get waved into the network. They also get by defensive artificial intelligence and dynamic rule-based systems, which study observable patterns in order to identify anomalous behavior, because Single Request Attacks each appear to be unique instances.

As an example, Hong Kong Express Airways (HKE), a low-cost Asian carrier, released its online ticketing platform and quickly began noticing a sharp increase in tickets reserved, but not purchased. This effectively made the available ticket inventory invisible to genuine customers looking for low-cost airfares. Despite increased reservations, the number of booking transactions decreased significantly with noticeable impact on the carrier's revenue. HK Express later discovered that the attacks were particularly sophisticated in that the reservations appeared to originate from unique users thanks to a multitude of client-side data disguises. Masquerading as genuine customers, hackers used bots to overwhelm the online ticketing platform with seemingly legitimate reservations. Each bot in the attack was capable of generating and repeating a large number of reservation requests, and was programmed to occupy as much of the airline’s ticket inventory as possible.

The most effective way to defend against Single Request Attacks is to meet them face to face by independently challenging suspicious requests that would otherwise not meet traditional risk thresholds. In addition, this approach neutralizes hackers and eliminates their ability to adjust attack techniques on the fly.
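The following is an added example, not Arkose Labs’ code, of the detection side of that defense for the denial-of-inventory case above. Because every bot request arrives with a fresh fingerprint, per-request or per-session rules see nothing unusual; what does stand out is the aggregate share of reservations whose session never goes on to purchase. The detector below learns that share from a baseline period and switches new reservation requests to a step-up challenge once a window exceeds it. The event log, window size and thresholds are constructed.

```python
"""Added example (not the article's or Arkose Labs' code): aggregate detection of a
denial-of-inventory flood driven by single request attacks. Events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

Event = Tuple[int, str, str]   # (minute, "reserve" or "purchase", session_id)


@dataclass
class WindowStats:
    start: int
    reserves: int
    purchases: int
    abandoned: int          # reservations whose session never purchased inside the window

    @property
    def abandon_rate(self) -> float:
        return self.abandoned / self.reserves if self.reserves else 0.0


def window_stats(events: List[Event], window: int) -> List[WindowStats]:
    """Bucket events into fixed windows and count held-but-never-bought reservations per window."""
    buckets: Dict[int, List[Event]] = defaultdict(list)
    for minute, kind, sid in events:
        buckets[(minute // window) * window].append((minute, kind, sid))
    out = []
    for start in sorted(buckets):
        evs = buckets[start]
        bought = {sid for _, k, sid in evs if k == "purchase"}
        reserves = [sid for _, k, sid in evs if k == "reserve"]
        out.append(WindowStats(start, len(reserves), len(bought),
                               sum(1 for sid in reserves if sid not in bought)))
    return out


def decide(stats: WindowStats, baseline_abandon: float, min_reserves: int = 20, factor: float = 2.0) -> str:
    """'allow' keeps the normal risk path; 'challenge' steps up new reservation requests in this window.
    The floor of 0.5 avoids flapping when the baseline is very clean; min_reserves ignores quiet windows."""
    threshold = max(0.5, factor * baseline_abandon)
    if stats.reserves >= min_reserves and stats.abandon_rate > threshold:
        return "challenge"
    return "allow"


def policy_timeline(events: List[Event], window: int, baseline_windows: int = 2) -> List[Tuple[int, float, str]]:
    """Learn the organic abandon rate from the first windows, then decide per window."""
    stats = window_stats(events, window)
    base = stats[:baseline_windows]
    baseline_abandon = sum(s.abandoned for s in base) / max(1, sum(s.reserves for s in base))
    return [(s.start, round(s.abandon_rate, 2), decide(s, baseline_abandon)) for s in stats]


def constructed_events() -> List[Event]:
    """Constructed log: two organic windows (30 sessions, 70% buy) followed by one window with the
    same organic traffic plus 200 one-off bot sessions that reserve and never buy."""
    ev: List[Event] = []
    for w in (0, 10, 20):
        for i in range(30):
            sid = f"h{w}-{i}"
            ev.append((w + i % 10, "reserve", sid))
            if i % 10 < 7:
                ev.append((w + i % 10, "purchase", sid))
    for i in range(200):
        ev.append((20 + i % 10, "reserve", f"bot-{i}"))   # each bot looks like a distinct new user
    return ev


if __name__ == "__main__":
    for start, rate, policy in policy_timeline(constructed_events(), window=10):
        print(f"window {start:>3}: abandon_rate={rate:.2f} -> {policy}")
```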

The Arkose Labs Platform leverages adaptive step-up to shine a light on hackers, stopping them at the gate, while allowing genuine customers to pass. For authentic users, the process is seamless with no added friction to the customer experience. Meanwhile, it eliminates the economic incentive that hackers have by slashing the possible return on investment to such a point that their attack isn’t worth the effort – or financial cost.

Single Request Attacks are the number one invisible security threat today because they undermine the long-term effectiveness of incumbent cybersecurity defenses. Single Request Attacks facilitate a dangerous blind spot in decisioning because they allow nefarious behavior to go unnoticed by enabling hackers to operate invisibly. Enterprises must prepare for this latent threat by implementing a continuously-validated approach that challenges suspicious requests without impacting the customer experience.


About the Author

Kevin Gosschalk is the CEO and Cofounder of Arkose Labs, where he leads a team of people focused on telling computers and humans apart on the Internet. Before Arkose Labs, Kevin worked on gaming hardware for the intellectually disabled at the Endeavour Foundation and built a unique device incorporating Microsoft’s Kinect camera technology. Noted for his involvement in interactive development and machine vision, Kevin then turned his expertise to automated abuse and human verification, often regarded as the Internet’s impossible problem. Today, Arkose Labs has transformed the irritating chore of comprehension into an SLA-guaranteed technology that prevents automated abuse for brands like Electronic Arts, Singapore Airlines, and Roblox. Kevin can be reached online at arkoselabs@10fold.com and at our company website http://www.arkoselabs.com

Adhere to Cyber Security Solutions to Protect Your System from a Diverse Range of Issues

By Pratik Kirve, Sr. Specialist - Content Writer, Allied Analytics

Whatever kind of business you run, the importance of digital systems and the Internet to your daily operations cannot be ignored. That is where IT security solutions come in as a significant weapon against the threats looming on the World Wide Web.

Cyber security refers to the practices put in place to protect against cyber attacks intended to do substantial damage to a network. The best kinds of IT security for your venture not only provide an all-inclusive solution to an array of issues, but also make sure your network is safeguarded against unauthorized intrusion.

The common types of threats to your business security are:

Spyware - malicious software designed to spy on activity on your computer and send what it collects back to cyber criminals.

Ransomware - malicious software that denies access to a system or its data until a ransom is paid.

Adware - software that floods your system with unwanted advertisements; clicking on one can also lead to further malware being installed on your computer.

The best security solutions stop these kinds of malware from taking effect and keep your important data safe within your workplace.

Here are the ways your business can benefit from a cyber security solution:

Overall digital protection for your business is perhaps the biggest advantage an IT security solution can provide. With a good cyber security solution in place, your employees can use the Internet whenever they need to, without their actions exposing the business to the potential threats.

Protecting personal information is another key consideration. Once personal information about a customer or an employee is stolen by malware, it can easily be misused to steal money. Good cyber protection acts as a safeguard in this regard.

Cyber security solutions also improve employee productivity to a significant extent. Malware can slow computers to a crawl until working on them becomes practically impossible. Beyond wasting employees’ time, it can bring the entire business to a halt.

A good IT security solution also helps keep your website from going down. As a business owner, chances are you host your own website. Once your system is infected by malware, your website can be forced offline, which not only costs you missed transactions but can also cost you the confidence of your customers. Malware can do permanent damage to a system, so your setup needs to include web content filtering, anti-virus software and a firewall.

For example, a consolidated security solution such as Fortinet’s FortiGate firewall keeps your employees’ actions protected, offering a robust defense against a plethora of different network issues. When it comes to digital crime, most cyber criminals are far more experienced than the average employee, and the best security systems give your team the support they need to combat these determined criminals effectively.

Finally, when you give clients confidence that your business is well protected from all kinds of cyber threats, you build trust, which is highly important in running a successful business. The more confident they feel while purchasing your products or using your services, the greater your chance of a strong profit margin.

According to Allied Market Research, the global cyber security market is expected to grow at a significant CAGR from 2018 to 2025. The increase in phishing and malware threats among enterprises, the surge in adoption of IoT and BYOD, and the rising need for cloud-based cyber security solutions fuel the growth of the market. On the other hand, complications around device security and budget constraints among organizations restrain growth to a certain extent. However, mounting adoption of mobile device applications, demand for strong authentication methods and the major transformation of the traditional anti-virus software industry have largely offset those factors and created lucrative opportunities for the key players in the domain.

Also known as Information Technology security, the cyber security market is expanding rapidly, and with cyber threats gaining prominence, cyber security activities are being prioritized day by day. With this trend in place, the market is expected to thrive even more in the years to come.

About the Author

Pratik Kirve is a writer, blogger, and poet. He holds a bachelor’s degree in Electronics and Telecommunication Engineering and is currently working as a Content Writer at Allied Analytics LLP. He has an avid interest in writing editorial articles, news updates, and blogs across different verticals ranging from technology to healthcare. He has published his articles in magazines such as Saffron Media and written for websites such as Genetic Literacy Project, Robotic Business Review, Sensors Online, and others. When he is not following updates and trends, he spends his time reading, writing poetry, and playing football.

August Patch Tuesday

Take Advantage of Your August Patch Tuesday Break

By Chris Goettl, Director of Product Management, Security, Ivanti

August Patch Tuesday was a pleasant relief after the massive release of updates in July. But don’t settle into your lawn chair and open that cold beverage just yet; you still have a few things to do before you can rest comfortably.

Microsoft provided a light set of operating system and application security updates. On the operating system side, we see 35 CVEs addressed for Server 2008 up through 78 CVEs for the latest Windows 10 updates. There are updates for Office and SharePoint, but that’s about it. Microsoft has no Adobe Flash Player update this month either.

Microsoft resolved a total of 93 unique CVEs this month, and surprisingly there are no zero-days or publicly disclosed vulnerabilities among them. It has been a long time since I remember that happening. Glancing through the list, I do see a lot of RDP vulnerabilities this month, so make sure you apply these updates soon. Microsoft calls out two CVEs in particular, CVE-2019-1181 and CVE-2019-1182, in its Security Response Center post this month as wormable: they could be exploited without any user interaction and used to spread from one vulnerable machine to another. All of the operating system updates are rated priority 1 due to critical vulnerability ratings and the possibility of remote code execution.

One vulnerability of interest is CVE-2019-9506, titled Encryption Key Negotiation of Bluetooth Vulnerability. CERT/CC has issued CVE-2019-9506 and VU#918987 for this tampering vulnerability, which has a CVSS score of 9.3. It requires specialized hardware to exploit, but it can allow wireless access and disruption within Bluetooth range of the device being attacked. Microsoft provided an update to address the issue, but the new functionality is disabled by default: you must enable it by setting a flag in the registry, so installing the patch alone does not protect you. Check out the KB for details.

Microsoft may have had a slow day, but Adobe released 8 updates. If you are a Creative Cloud or Experience Manager user, be sure to review the bulletins because several are rated Critical. Adobe also released updates for Acrobat and the more common Acrobat Reader, with details under APSB19-41. This update for both Windows and macOS fixes 76 vulnerabilities, all rated Important. There are updates for the Continuous, Classic 2015 and Classic 2017 versions of the products. There was also a non-security update for Flash, but it was not included in the release from Microsoft.

With a light patch load this month, it may be a good time to revisit the asset inventory of the systems you are patching. We often set up our patch groups and go through the motions each month of applying the latest patches, but we may be missing the bigger picture. IT organizations are often dispersed and the systems they support are constantly changing. Without ongoing communication across the organization or dynamic settings in your patch products, you may be missing many machines that need updates. The good news is that the patch tools we use each month have extensive discovery features and can help identify the latest systems on the network. Likewise, there is a whole host of network and system tools you can use. Don’t forget to coordinate with your security operations team: the vulnerability scanners they use have built-in discovery as well.

Armed with a consolidated list of systems on your network from all these sources, you can confirm your patch groups are up to date and investigate any suspicious devices you may have discovered. Finally, with an updated asset inventory and your patches all applied, you can relax, enjoy the sun and open that cold beverage!
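The reconciliation described above can be automated once each source exports its list. The Python below is an added example, not part of Ivanti’s products: it merges hostnames from a patch tool’s discovery export, a vulnerability scanner and a network scan, then reports systems seen on the network that belong to no patch group, patch-group members that no source can see any more, and addresses discovered with no hostname at all. The host lists are constructed for the illustration.

```python
from collections import defaultdict

# Constructed data for the illustration. Hostnames and addresses are invented.
PATCH_GROUPS = {
    "servers-wave1": ["dc01.corp.example", "FS02.corp.example"],
    "workstations": ["ws-101.corp.example", "old-print.corp.example"],
}
SOURCES = {
    "patch-tool": [("dc01.corp.example", "10.0.0.5"), ("fs02.corp.example", "10.0.0.6"),
                   ("ws-101.corp.example", "10.0.1.20"), ("ws-102.corp.example", "10.0.1.21")],
    "vuln-scanner": [("dc01.corp.example.", "10.0.0.5"), ("sql03.corp.example", "10.0.0.9"),
                     ("ws-102.corp.example", "10.0.1.21")],
    "network-scan": [("", "10.0.2.77"), ("sql03.corp.example", "10.0.0.9")],
}


def normalize_host(name):
    """Case-fold and drop a trailing dot so exports from different tools compare equal."""
    return name.strip().lower().rstrip(".")


def reconcile(patch_groups, sources):
    """Compare every discovery source against the patch groups.

    Returns three dicts:
      unmanaged: host -> sources that saw it, for hosts in no patch group
      stale:     host -> patch group, for members no source can see any more
      nameless:  ip -> sources, for addresses discovered without a hostname
    """
    managed = {normalize_host(h): group
               for group, hosts in patch_groups.items() for h in hosts}
    seen, nameless = defaultdict(set), defaultdict(set)
    for source, records in sources.items():
        for host, ip in records:
            if host:
                seen[normalize_host(host)].add(source)
            else:
                nameless[ip].add(source)
    unmanaged = {h: sorted(s) for h, s in seen.items() if h not in managed}
    stale = {h: g for h, g in managed.items() if h not in seen}
    return unmanaged, stale, {ip: sorted(s) for ip, s in nameless.items()}


if __name__ == "__main__":
    unmanaged, stale, nameless = reconcile(PATCH_GROUPS, SOURCES)
    for host, srcs in sorted(unmanaged.items()):
        print(f"not in any patch group: {host} (seen by {', '.join(srcs)})")
    for host, group in sorted(stale.items()):
        print(f"in group {group} but not discovered anywhere: {host}")
    for ip, srcs in sorted(nameless.items()):
        print(f"investigate {ip}: no hostname, seen by {', '.join(srcs)}")
```

The nameless bucket is the one to look at first: a device that answers on the network but has no name in any management tool is exactly the kind of suspicious system the article suggests investigating before it is trusted or added to a patch group.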

About the Author

Chris Goettl is director of product management, security, at Ivanti. Chris is a strong industry voice with more than 10 years of experience in supporting, implementing, and training IT admins on how to implement strong patching processes. He hosts a monthly Patch Tuesday webinar, blogs on vulnerability and related software security topics, and is often quoted as a security expert in the media. Chris can be reached on Twitter @ChrisGoettl and at Ivanti's website: www.ivanti.com.

Top 5 Questions about the Capital One Data Breach

By Ilia Sotnikov, Vice President of Product Management, Netwrix

Data breaches that affect financial institutions always become hot topics. The recent hack at financial giant and credit card issuer Capital One exposed the records of almost 106 million people, which makes it one of the largest hacks in the banking industry ever. It was disclosed just a week after Equifax reached a $650 million consumer settlement related to its 2017 breach, a sad reminder that no one is safe from breaches and that we still lack security.

I would like to share the key facts about the hack, answer the most common questions and provide recommendations that may help organizations mitigate similar risks.

What happened?

According to Capital One, the breach happened on March 22 and 23, 2019, when an intruder exploited a weakness in a misconfigured web application firewall to gain privileged access to company data stored on Amazon Web Services (AWS). Capital One learned about the breach from a tip sent via email on July 17, which said that some of the company’s leaked data had been posted on the software development platform GitHub.

Who is to blame?

On July 29, FBI agents arrested software developer and former Amazon Web Services (AWS) employee Paige A. Thompson. According to the criminal complaint, Thompson exploited the misconfigured firewall to access, copy and download nearly 30 GB of sensitive data from the AWS environment where Capital One stored it. She later posted on GitHub about her theft of this information.

What was the damage?

This hack exposed the records of almost 106 million people from the U.S. and Canada. All of this personal information relates to credit card applications from 2005 to early 2019. Among the data exposed were names, addresses, dates of birth, credit scores, transaction data, Social Security numbers and linked bank account numbers. Specifically, Capital One mentions 140,000 stolen Social Security numbers and 80,000 linked bank account numbers, as well as 1 million Social Insurance numbers for Canadian customers and applicants.

How did Capital One handle the breach?

Although Capital One became aware of the breach several months after it happened, the company demonstrated good cybersecurity practices during this incident. It appeared to know what data it stores and was able to selectively protect the most sensitive fields. For example, although the credit applications of millions of people were stolen, no credit card numbers and a relatively small number of Social Security numbers were compromised, because the bank tokenizes these pieces of information. Capital One was also able to isolate and fix the vulnerability in under 10 days once it was reported. Finally, Capital One has demonstrated clear and timely communication, which is extremely important for keeping the public’s trust in the aftermath of a breach.

Why is this breach unique?

This incident differs from most we hear about for several reasons. First, cyber attacks are usually hard to attribute. In this case, the alleged hacker was arrested just 10 days after the breach was discovered. Although the defendant tried to cover her tracks, she herself described the hack in several messages on Slack and Twitter. Second, it looks like the hacker was not seeking financial or political gain, but rather enjoyed cracking complex puzzles. This leads us to believe the stolen data was contained and is less likely to be used for fraud or other unlawful activity.

Overall recommendations: how can you mitigate the risk of similar breaches?

This data breach highlights the importance of user activity monitoring. The attacker gained access to data through a misconfiguration in a web application firewall and likely compromised a privileged account. To mitigate the risk of such incidents, you need to automatically track the activity of users and set up alerts on both violations of security policy and deviations from normal patterns of behavior, such as attempts to copy a large number of sensitive files. You also need controls that let you investigate the activity of any user across the IT infrastructure, especially when potentially suspicious actions are flagged.
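As an added illustration of the recommendation above (example code, not Netwrix’s product logic), the Python below runs two kinds of checks over a constructed, CloudTrail-style access log: a policy check (only approved principals may read the sensitive prefix, and never more than a fixed number of objects per hour) and a behavioral check that flags a principal reading many times more than its own usual hourly volume. The record layout, the approved-principal list and all thresholds are assumptions for the example.

```python
from collections import defaultdict
from statistics import median

# Policy and thresholds are assumptions made for this illustration.
SENSITIVE_PREFIX = "credit-applications/"
ALLOWED_SENSITIVE_READERS = {"role/app-backend", "user/analyst"}
MAX_SENSITIVE_READS_PER_HOUR = 500
DEVIATION_FACTOR = 5   # more than 5x a principal's own median hour is abnormal


def make_reads(principal, hour, n):
    """Constructed CloudTrail-style records: (hour, principal, action, object_key)."""
    return [(hour, principal, "GetObject", f"{SENSITIVE_PREFIX}app-{hour}-{i}.json")
            for i in range(n)]


# Constructed sample log: ten quiet hours, then one hour of bulk copying.
EVENTS = []
for h in range(10):
    EVENTS += make_reads("role/app-backend", h, 40)
    EVENTS += make_reads("user/analyst", h, 5)
EVENTS += make_reads("role/app-backend", 10, 700)   # bulk copy using the app's own role
EVENTS += make_reads("user/analyst", 10, 60)        # analyst far above their own norm
EVENTS += make_reads("role/waf-proxy", 10, 3)       # a role that should never read this data
EVENTS.append((10, "role/waf-proxy", "ListBucket", ""))   # not a read; ignored


def sensitive_reads_per_hour(events):
    """principal -> hour -> number of objects read under the sensitive prefix."""
    counts = defaultdict(lambda: defaultdict(int))
    for hour, principal, action, key in events:
        if action == "GetObject" and key.startswith(SENSITIVE_PREFIX):
            counts[principal][hour] += 1
    return counts


def find_alerts(events):
    """Return (principal, hour, reads, reason) tuples, policy checks first."""
    alerts = []
    for principal, by_hour in sensitive_reads_per_hour(events).items():
        baseline = median(by_hour.values())     # the principal's own typical hour
        for hour, reads in sorted(by_hour.items()):
            if principal not in ALLOWED_SENSITIVE_READERS:
                alerts.append((principal, hour, reads, "unauthorized-principal"))
            elif reads > MAX_SENSITIVE_READS_PER_HOUR:
                alerts.append((principal, hour, reads, "policy-volume"))
            elif reads > DEVIATION_FACTOR * baseline:
                alerts.append((principal, hour, reads, "behavior-deviation"))
    return sorted(alerts)


if __name__ == "__main__":
    for principal, hour, reads, reason in find_alerts(EVENTS):
        print(f"hour {hour:2d}  {principal:18s} {reads:4d} sensitive reads  [{reason}]")
```

Two points worth noting. The unauthorized-principal rule fires on three reads, because a component that should never touch the data is a policy violation regardless of volume; that is the least-privilege check, independent of any baseline. And the median baseline is only honest when the abnormal hour is a small fraction of the history; in production, compute it from a trailing window that excludes the hour being scored.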

About the Author

Ilia Sotnikov is an accomplished expert in cybersecurity and IT management. He is Vice President of Product Management at Netwrix, provider of a visibility platform for data security and risk mitigation in hybrid environments. Netwrix is based in Irvine, Calif.

The Need for Automatics and Control in Incident Response

By Milica D. Djekic

Incident response, as an active cyber defense measure, requires highly skilled IT security professionals who are able to detect, handle and mitigate threats. A threat is the likelihood that something will go wrong with your cyber infrastructure, and if you believe in Murphy’s Law, anything that can go wrong will go wrong. The situation is similar in engineering systems, which also have to cope with the risk, or the actual presence, of errors in their operation. In control engineering, those potential sources of inaccurate system behavior are called disturbances.

In both cases the risks usually come from outside, although internal factors can sometimes create equally unpleasant operating conditions. Experience from automatics and control suggests that a disturbance has to be compensated for somehow if the system is to work accurately. The same holds for incident response, which today relies on a human workforce tasked with thinking hard and resolving every unexpected occurrence in cyberspace. Cyberspace is a dynamic and complex ecosystem, and, much as in physical reality, its rules can be far more complicated than they first appear: when mechatronics and control are applied to a power plant, external factors can always disturb the control system, and there may be other paths to a potentially catastrophic event.

The fact is that modern warfare is being transferred from the physical domain into the cyber environment, and the impacts of those operations can be just as far reaching. In other words, there is a strong need to equip your incident response team with cutting-edge solutions, because its role in cyber defense is of strategic importance to the entire cyber security chain. Finally, from an IT security perspective it is critical not to underestimate the significance of smart technologies that can make the incident responders’ task more convenient and less difficult.

Anything a cyber analyst knows could be automated

When we talk about incident response, many picture ultra-modern security operations centers staffed by shifts of analysts and incident responders. Those teams do great work, but the reality is usually quite different. In practice, many organizations have no security operations center at all, or rely on a single IT security professional who is overloaded with heavy work, often on an ad hoc or part-time basis. The analysts work with highly sophisticated tools, but they are still the ones who must decide on every action taken. The real question is how we can teach our software to make some of those decisions automatically and make the work easier for the people.

Mechatronics and control have progressed enormously over the past few decades, and there are now many autonomous systems managing the behavior and operation of aircraft, vehicles and spacecraft. The idea is to apply the same kind of adaptive algorithm to a security tool so that it makes decisions as rationally as a real IT security analyst would. In other words, anything your incident responders know should be automated, primarily for their own convenience and secondly to make better use of such intelligent equipment. The human workforce would then monitor the system and resolve unpredicted scenarios, while the rest of the task goes to the software. Just as there are self-driving cars on the roads today, we can count on self-responding tools that work under human supervision. The cyber industry clearly has a lot to learn from other branches of science and technology.

Why incident response is a key pillar of defense

As is well known, good security includes prevention, monitoring and incident response in its practice. Incident response is any set of activities and actions that gives you the opportunity to resolve an incident occurring within your IT devices and networks. Sometimes, to resolve a problem in your network, you have to disconnect the entire infrastructure from the internet, which means a discontinuity in your work and then a recovery from the disruption. The faster you respond to an incident, the better the outcome of your effort. Incident responders and analysts are bright, knowledgeable people who can handle almost any situation in cyberspace, but the trouble is that there is still a huge shortage of such a workforce. The marketplace needs more and more of these professionals, and in the future we can expect big investments in this area of technology.

The role of control engineering in cybersecurity

As we have suggested throughout this piece, modern self-driving systems are products of control engineering, and they mostly rely on adaptive control algorithms. To adapt to your environment you first need to sense it before choosing what to do next. Adaptive control goes well beyond the simple feedback loop: even though both need sensors, adaptive systems are developed to deal with far more variation in practical engineering conditions. Adaptive control offers quite robust solutions, and that is exactly why only highly capable and experienced engineers take part in the research and development of such improvements. If we borrow even the smallest part of what good control engineers know, we will realize that software engineering has the chance to build self-responding and self-resolving algorithms for incident management.

Sensory software as an imperative for accuracy

Adaptive solutions work with many sensors, which give them the chance to develop situational awareness of their surroundings. Those sensors are usually devices that measure some physical variable and send that information to the computing unit. Now imagine measuring cyberspace variables in the same way: IP addresses, passwords, traced routes and so on. We would get a heap of findings and information to process with programming algorithms. If the measurements are accurate, you can work with trusted data and make your system operate much more accurately, as its adaptive algorithm is designed to. In other words, if the intended behavior is close to the real behavior, you can trust the system. Conversely, your accuracy is called into question if you are not able to mitigate a threat in the way a disturbance is compensated for in control engineering.

Closing notes

It is always good to embrace diversity, because you never know which area of science and technology will inspire a breakthrough in another field of interest. It is nothing new that entire multidisciplinary teams of experts come up with brilliant ideas and suggestions that help the rest of the research community. In conclusion, there is an obvious analogy between cyber defense and control engineering, and that synergy could help us discover new approaches in both arenas.

About The Author

Milica D. Djekic is an Independent Researcher from Subotica, Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for domestic and overseas presses and is the author of the book “The Internet of Things: Concept, Applications and Security”, published in 2017 by Lambert Academic Publishing. Milica is also a speaker on the BrightTALK expert’s channel, and spoke at Cyber Security Summit Europe in 2016 and at CyberCentral Summit 2019, one of the most exclusive cyber defense events in Europe. She has been a member of ASIS International since 2017 and a contributor to the Australian Cyber Security Magazine since 2018. Milica’s research efforts are recognized by the Computer Emergency Response Team for the European Union (CERT-EU). Her fields of interest are cyber defense, technology and business. Milica is a person with disability.

Preventing Business Email Compromise – a $300 Million Problem

Organizations Heavily Invested in Security Solutions Fall Victim to Social Engineering Attacks and Human Error

By Ameet Naik, Director of Product Marketing, Armorblox

A recent report from the Financial Crimes Enforcement Network (FinCEN), a division of the US Treasury, shows that Business Email Compromise (BEC) costs the US economy over $300 million each month. This is a staggering amount, especially considering that a large portion of it is borne by small and mid-sized businesses.

FinCEN has issued an advisory to financial institutions alerting them to the scope of the problem. While banks can do their part in detecting and blocking suspicious transfers, information security practices also need to evolve to counter these threats. BEC scams don’t just steal money; they also steal data, which can then be used to perpetrate more sophisticated scams and leaves organizations exposed to liabilities and compliance penalties.

Why BECs Work: Social Engineering Not Hacking

Unlike malware or phishing links, BEC attacks are plain text emails that look just like any other email. Invoices, contracts and payroll documents are routinely shared over email both within an organization and with external parties such as vendors, contractors, business partners and former employees. An attacker with some knowledge of these workflows can inject a spoofed email into the flow with a fake invoice or, for example, a request for gift cards. These emails often use social engineering tricks such as pretending to come from an authority figure or feigning urgency.

According to the FinCEN report, the top method for BEC scams is invoice fraud, followed by gift cards. The funds are usually first sent to an account within the US to take advantage of the high-speed payment networks. By the time the organization realizes it has been scammed, the funds have usually been wired to overseas accounts or converted into hard-to-trace cryptocurrency.

The victims often have little recourse once this happens. The FBI’s Internet Crime Complaint Center (IC3), tasked with fighting BEC fraud, estimates that over $12 billion has been lost to such attacks since 2013. If the attack is detected early, the FBI can work with financial institutions to block or reverse wire transfers, but in the majority of cases the funds are lost for good.

Email is a Truck-Sized Hole

Email is a truck-sized hole in most organizations’ cyber defenses. It is an open communication channel over which employees can exchange documents, invoices and contracts with almost anybody on the Internet. Email’s simplicity is very attractive to organizations that are more recent digital converts; sadly, they are also the most vulnerable to BEC attacks. According to the FinCEN report, manufacturing and construction were the hardest-hit industries in 2018, followed by real estate. BEC attacks not only cause financial loss to these organizations but also poison the ecosystem by eroding trust in digital channels like email.

Traditional email defenses have focused on inbound threats such as spam and malware. BEC attacks, however, are targeted and contain no malware, which means they can sail past all legacy inbound email defenses. Email data loss prevention (DLP) solutions try to prevent data exfiltration over email, but suffer from a high rate of false positives, which clog up incident queues and lead to alert fatigue. Hence most organizations don’t have effective outbound controls in place to prevent BEC-induced data leakage.

Infosec teams are struggling to solve this problem, since any restriction on inbound or outbound email risks throttling business processes and impacting productivity. Technical controls like DMARC, DKIM and SPF are blunt instruments that risk blocking vast swathes of legitimate email, so most organizations that validate DKIM/SPF run a fail-open policy that lets non-compliant messages in. These controls also only verify that a message really came from the domain in its headers; they say nothing about a lookalike domain the attacker registered or a genuine account the attacker has taken over. Metadata controls like these are ineffective in preventing BEC.

The Need for Understanding

Detecting and stopping BEC attacks requires a thorough understanding not just of the metadata, but also of the contents of emails and attachments. Some of the indicators of BEC emails are:

• Impersonation: The email appears to be from a known party, but the email address is different. Sometimes these differences are hard to notice, e.g. açme.com instead of acme.com.

• Tone: The email has a tone of urgency, or it is sent during busy periods such as the end of the quarter or tax season.

• Writing Style: The email appears to be from a trusted party, but exhibits a different writing style.

• Content: The email contains sensitive information, like wire transfer details, gift card numbers, etc.

Security awareness training can help users recognize the signs of BEC, but human cognition has its limits, and social engineering has been highly effective at exploiting them. Even the best of us have days when we are vulnerable to compromise.
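The impersonation, tone and content indicators in the list above can be turned into concrete checks. The Python below is an added example, not Armorblox code: it compares the sender’s domain with a known contact’s domain after folding accented and visually confusable characters (so açme.com collides with acme.com), flags a known display name on an unknown address, scores urgency words and payment details, and adds one check the article does not list, a Reply-To that points to a different domain. The contact list, the keyword lists, the weights and the three sample messages are constructed; writing-style comparison needs a per-sender history and is not shown.

```python
import re
import unicodedata

# Constructed directory of trusted correspondents: address -> display name.
KNOWN_CONTACTS = {"cfo@acme.com": "Pat Lee", "ap@supplier-co.com": "Accounts Payable"}
URGENCY_WORDS = {"urgent", "immediately", "asap", "today", "before end of day",
                 "discreet", "confidential"}
PAYMENT_PATTERNS = [r"\bwire\b", r"\brouting number\b", r"\baccount number\b",
                    r"\bgift card", r"\biban\b"]
# Weights and the 50-point verdict threshold are assumptions for the example.
W_LOOKALIKE, W_NAME, W_REPLY_TO, W_URGENT, W_PAYMENT = 50, 30, 30, 15, 20
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))   # partial table


def skeleton(domain):
    """Fold a domain to a plain-ASCII form so lookalikes collide with the original."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    for pair, single in CONFUSABLES:
        plain = plain.replace(pair, single)
    return plain


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def analyze(msg):
    """Score one message; returns (score, reasons)."""
    score, reasons = 0, []
    sender, name = msg["from_addr"].lower(), msg["from_name"]
    domain = domain_of(sender)
    known_domains = {domain_of(a) for a in KNOWN_CONTACTS}

    # Impersonation: a domain that is not one of ours but folds to one of ours.
    if domain not in known_domains and skeleton(domain) in {skeleton(d) for d in known_domains}:
        score += W_LOOKALIKE
        reasons.append(f"lookalike domain {domain}")
    # Impersonation: a trusted person's display name on an unknown address.
    if name in KNOWN_CONTACTS.values() and sender not in KNOWN_CONTACTS:
        score += W_NAME
        reasons.append(f"display name '{name}' from unknown address")
    # Reply-To elsewhere (assumed extra check, not in the article's list).
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != domain:
        score += W_REPLY_TO
        reasons.append("reply-to points to a different domain")
    # Tone and content.
    text = (msg["subject"] + " " + msg["body"]).lower()
    urgent = sorted(w for w in URGENCY_WORDS if w in text)
    if urgent:
        score += min(2 * W_URGENT, W_URGENT * len(urgent))
        reasons.append("urgent tone: " + ", ".join(urgent))
    if any(re.search(p, text) for p in PAYMENT_PATTERNS):
        score += W_PAYMENT
        reasons.append("asks for payment details")
    return score, reasons


def verdict(msg, threshold=50):
    score, reasons = analyze(msg)
    return ("suspicious" if score >= threshold else "ok"), score, reasons


# Three constructed messages: a lookalike-domain CEO fraud, a routine note, and
# a vendor "new bank details" message with a hijacked Reply-To.
SAMPLES = [
    {"from_name": "Pat Lee", "from_addr": "pat.lee@açme.com", "reply_to": None,
     "subject": "Urgent wire today",
     "body": "Need you to wire $48,000 to the vendor immediately. Keep this confidential."},
    {"from_name": "Pat Lee", "from_addr": "cfo@acme.com", "reply_to": None,
     "subject": "Q3 planning", "body": "Can we move Thursday's review to 3pm?"},
    {"from_name": "Accounts Payable", "from_addr": "ap@supplier-co.com",
     "reply_to": "billing@supplier-co-invoices.net", "subject": "Updated remittance details",
     "body": "Please use our new account number and routing number for all future payments."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(verdict(m))
```

The third sample is the instructive one: the sender address is genuine and would pass SPF, DKIM and DMARC, so only the Reply-To mismatch combined with the request for new bank details pushes it over the threshold. Keyword lists like these are easy for an attacker to avoid, which is why the article argues for comprehension of the whole message rather than pattern matching.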

Security Powered by Understanding

This is where machine intelligence can make a marked difference. Natural Language Understanding (NLU) is the branch of Natural Language Processing that deals with language comprehension (if you have ever used Siri or Alexa, you have already used NLU). Using NLU, machines can understand the tone, content and writing style of emails. This is a brand new signal which, combined with legacy metadata signals and an understanding of communication patterns, can accurately detect BEC attacks. Machines are immune to social engineering, and their comprehension does not change with the time of day or their workload. As a result, they can make objective observations and inform the recipient when an email is a potential threat.

Armorblox has built the world's first natural language understanding (NLU) platform for cybersecurity to<br />

help information security practitioners and organizations defend against BEC attacks. Amorblox analyzes<br />

context, tone and writing styles across communications platforms, stopping today's biggest attacks by<br />

detecting and preventing inbound threats and outbound data loss.<br />

The Armorblox NLU-powered cybersecurity platform connects to your cloud-based or on-premises email<br />

platform such as Office 365, G Suite or Microsoft Exchange. Using the latest advances in NLU and deep<br />

learning, Armorblox analyzes emails to understand social interactions, writing styles, and conversation<br />

topics between users both inside and outside your organization. When new emails come in, or are sent<br />

out, Armorblox can detect if the email represent a BEC attack or data leakage. Depending on<br />

customizable policies, Armorblox can then alert the user using labels within the email, or quarantine the<br />

email and alert the security admin.<br />

For more information, read our whitepaper on Securing the Human Perimeter with NLU, or see the<br />

Armorblox NLU platform in action with a personalized live demo.<br />

52


About the Author

Ameet Naik is the Director of Product Marketing at Armorblox, with more than 20 years of experience in information security and data networks. Having held senior solutions engineering roles at several leading networking and security vendors, Ameet has advised multiple global service providers and financial services organizations on enterprise security best practices since the early days of the Internet. A nerd at heart, Ameet loves to write, speak at industry conferences and travel the world in search of clever ideas and good food. Ameet holds an MBA from the Kellogg School of Management and a Bachelor's degree in Computer Engineering from the University of Mumbai. Ameet can be reached online at Ameet@armorblox.com or @naik_ameet, and at our company website http://www.mycompany.com/

Security Research as an Anti-Malware Secret Weapon

By Milica D. Djekic

Any malware, whether already known to the security community or still operating undetected as part of an advanced persistent threat, is a potential risk to your IT assets. Malware comes in many forms, such as spyware, viruses, worms and Trojan horses, and all of these malicious programs are built to harm a computer and its network. At its core, malware is simply a piece of code that can execute on its host machine or environment and, in the case of viruses and worms, copy itself to spread further. It can infect files, folders and entire operating systems, causing its targets a great deal of trouble. This may sound frightening, but in practice there are preventive measures, such as anti-malware software, that can discover and remove malware that has taken up residence on your system.

Advanced persistent threats, on the other hand, are also malware at their core, but their code is not yet known to the security industry, so it can pass through any defense that relies on recognizing known threats. This is quite tricky: such programs gain access to your environment and take a range of inappropriate actions that can confuse even an experienced IT professional, who is left wondering what really happened because the anti-malware product never raised an alert. The device and its network start behaving erratically and you may lose some of your data, while your anti-malware application keeps insisting that everything is fine. As you can see, this is a very inconvenient scenario, and the fact is that even a full scan will turn up nothing.

In addition, attackers produce new malicious software every day, and every day someone in the world is infected by it without even knowing. If we assume that the defense community's role is to stay at least one step ahead of the threat, it is obvious why we need effective mechanisms to combat this risk and keep the hacking underground under control. In essence, modern law enforcement has the capacity to respond to these trends: shortly after the bad guys spread a malicious product across the internet, the good guys identify it and, through their hard work, develop procedures and solutions for responding to such incidents.

What is security research?

The most effective way to deal with malware threats is to invest in security research. This field is concerned with investigating what is happening in cyberspace and trying to find countermeasures to the schemes being used. In other words, you need a kind of situational awareness about what could occur in your IT environment, together with ways to defend against those risks. This is not an easy task: many security researchers spend a great deal of time in hacker communities on both the visible web and the deep web, trying to learn what is new among the bad guys. It takes a lot of time and effort, invested every single day, and every time you find something novel you need to prepare a careful report and pass your findings to the forensic lab, where the information is examined and tested.

Security research is a good starting point for many law enforcement investigations: once someone reports that their IT assets are behaving strangely, security analysts should take that information and try to identify which malicious code is responsible for the attack. Security research also means hours spent in front of a screen, investigating and discovering the places on the web where cyber criminals like to spend their time and leave traces. This occupation requires great skill and patient professionals who are capable of investigating everything in a rational and critical manner.

Security research and malware identification

The purpose of security research is to identify malicious code that is not yet known to the rest of the security community and to add it to anti-malware databases. Once it is in such a database, the malware is recognized every time it reaches IT infrastructure protected by an up-to-date anti-malware system. Here we are mainly talking about the end user's experience, and possibly about the business implications and impact of such an infection. It is not rare for hackers to attack a server or data center that has anti-malware protection of its own and try to infect as many internet users as they can, aiming at sabotage: paralyzing business assets, causing a total interruption of operations and, consequently, financial losses. For this reason it is important to follow best practice in security research, because malware attacks can clearly have dramatic consequences for society as a whole and, in some cases, for a large part of the economy.
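To make concrete what "being in the anti-malware database" buys you, and what it does not, here is an added Python example (not from the original article and not any vendor's scanner) that models two kinds of signature a lab might publish after examining a sample: an exact SHA-256 hash and a YARA-style byte pattern. The sample "files" are constructed, harmless byte strings; the point is that a one-byte change defeats the hash, the pattern still catches it, and a genuinely new sample slips past both.

```python
import hashlib
import re

# Constructed sample "files": harmless byte strings standing in for binaries.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"payload: connect evil-c2.example:4444; exfil %USERPROFILE%"
MODIFIED_SAMPLE = KNOWN_SAMPLE[:-1] + b"!"          # attacker changed one byte
NOVEL_SAMPLE = b"MZ\x90\x00" + b"a family the lab has not examined yet"
BENIGN_FILE = b"MZ\x90\x00" + b"hello world application, no network activity"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# The "anti-malware database" published after the lab examined KNOWN_SAMPLE:
# an exact-hash signature (cheap, no false positives, defeated by any change)
# and a YARA-style byte pattern extracted from the sample, which survives
# small modifications but not a rewrite.
HASH_SIGNATURES = {sha256(KNOWN_SAMPLE): "Trojan.Example.A"}
PATTERN_SIGNATURES = {
    "Trojan.Example.A (pattern)": re.compile(rb"connect [\w.-]+:\d+; exfil "),
}


def scan(data):
    """Return the name of the matching signature, or None if unrecognized.
    Hash lookup first, then the slower pattern scan."""
    verdict = HASH_SIGNATURES.get(sha256(data))
    if verdict:
        return verdict
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def scan_report(samples):
    """Scan a mapping of label -> file bytes and report each verdict."""
    return {label: scan(data) for label, data in samples.items()}


if __name__ == "__main__":
    report = scan_report({"known": KNOWN_SAMPLE, "modified": MODIFIED_SAMPLE,
                          "novel": NOVEL_SAMPLE, "benign": BENIGN_FILE})
    for label, verdict in report.items():
        print(f"{label:9s} -> {verdict or 'not recognized'}")
```

The "novel" verdict is the gap the article describes: until a researcher has examined the new family and the lab has published a signature for it, a signature-based scanner reports nothing, and only behavioral observation in the forensic lab closes that gap.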

The purpose of anti-malware software

Anti-malware software is a good method of protection for both personal and business needs, and it is clear why we need such a solution to stay safe. But anti-malware is not a silver bullet: installing it on your machine does not bring you anywhere near absolute security. In practice, many anti-malware applications can be downloaded from the internet for free, and they rely on regular signature updates as their vendors' security researchers and forensic laboratories identify new malware in the wild. The point is that your anti-malware solution can prevent infection by malware already known to the industry, but it cannot protect you fully. In addition, many web links carry malicious code with them, and such links are mainly used in phishing campaigns; there are online services that can help you investigate a link before you click on it and risk infection.

Forensic examinations of today

Today's cyber security forensic teams usually work with high-tech equipment and are in a position to take the security researchers' reports and analyze and test the code that was discovered. Experience shows that these experts isolate the malicious application in a controlled environment to observe its behavior, and if they can obtain its source code they investigate that too. Never underestimate the power of a good investigative team: skilled analysts can learn practically everything about a piece of malware, including reconstructing its code when only a binary is available. In other words, the field of digital forensics and security research offers nearly limitless opportunities, and it is no surprise that the response to a new threat can be so fast.

The concluding remarks

It appears that the human factor in security research and cyber forensics plays a crucial role in keeping defense at least one step ahead of the threats. As time goes on, the bad guys keep producing new malware, and the good guys do not stay without a response: they work hard to figure out how to manage the risk and resolve whatever is of concern to a nation, a business or an economy.

About The Author

Milica D. Djekic is an Independent Researcher from Subotica, Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for domestic and overseas publications and is the author of the book “The Internet of Things: Concept, Applications and Security”, published in 2017 by Lambert Academic Publishing. Milica is also a speaker on the BrightTALK expert channel, at Cyber Security Summit Europe held in 2016, and at CyberCentral Summit 2019, one of the most exclusive cyber defense events in Europe. She has been a member of ASIS International since 2017 and a contributor to the Australian Cyber Security Magazine since 2018. Milica's research efforts have been recognized by the Computer Emergency Response Team for the European Union (CERT-EU). Her fields of interest are cyber defense, technology and business. Milica is a person with disability.

Ways to Protect Sensitive Data Online

By Ebbe Kernel, data mining researcher & writer

The world has witnessed a number of high-profile data breaches over the last couple of decades. While the impact of these breaches on individuals has been seriously underreported (lives have been destroyed by identity theft and other intrusions made possible by massive data breaches), they have highlighted a serious issue.

Many of the corporations involved in these breaches, Sony, Facebook, Equifax and Target to name just a few, aren't exactly small fish. The fines levied on them so far have amounted to the mildest of slaps on the wrist. They have not been an effective deterrent, and corporate complacency continues to keep cybersecurity professionals eternally frustrated.

GDPR

The General Data Protection Regulation was brought in across the EU in 2018 in response to repeated incidents of corporate negligence that let data make its way into the wrong hands. GDPR fines can be levied as a percentage of a business's global annual turnover (up to 4%), and everything so far suggests they are an effective deterrent.

British Airways and Marriott

In July 2019, British Airways and Marriott found themselves on the receiving end of the two largest GDPR-related fines proposed to date, by a considerable margin. The Information Commissioner's Office (ICO), the UK body that enforces data protection law, announced its intention to fine BA about $230 million (£183 million) for a breach involving the data of 500,000 customers. The fine relates to British Airways' handling of an intrusion between June and September 2018. Meanwhile, hotel chain Marriott received a proposed $123 million (£99 million) fine for losing the information of 339 million guests. That data loss was first reported in November 2018.

Both businesses will be able to respond to the findings before any final decision is made, and, predictably, both say they will appeal. Researchers expect massive data breaches of this kind to continue through 2019.

Keeping Your Data Safe Online

Keeping your data safe and your identity secure online should be easy. The unfortunate reality, however, is that no matter what steps you take, you still have to trust a business to look after your data properly. Fortunately, there are things you can do that will greatly reduce your chances of having your data stolen and help you avoid the most obvious traps.

Spotting a Fake Website or Email

Phishing attacks direct victims to a malicious page that looks legitimate. Targets enter their login details, thinking they are signing in to the real service, and those details are passed straight to the criminals. The most sophisticated phishing attacks can be very difficult to discern.

The most obvious sign of a phishing email is a sender address that is misspelled or uses the wrong domain suffix. Avoid clicking links in emails, especially ones you weren't expecting. It is very easy to build a phishing email with disguised URLs: the visible text of a link can say one thing while the link itself points somewhere else, and a link can land on an innocuous-looking address that immediately redirects you, so even checking the target before you click does not guarantee where you will end up.

You should still always check which URL shows when you hover your mouse over a link; if the site you are being sent to is clearly wrong, you can avoid it.

The content of a website is another giveaway. If in doubt, navigate to the site from its homepage in your browser yourself, and make sure the page you were sent to matches the real thing.

Finally, check for the padlock in your web browser, which indicates that the site uses a secure HTTPS connection, before you enter any sensitive information. Bear in mind that the padlock only tells you the connection to that site is encrypted; phishing sites routinely obtain valid certificates too, so it rules out an obviously insecure page but is not proof that the page is genuine.
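The hover check and the disguised-URL problem above can be made precise. The Python below is an added example (not from the original article) that pulls the links out of an HTML email and reports the tricks phishers use to make a link look like it belongs to the expected site: link text that names one host while the href goes to another, a "name@host" prefix that puts the real site's name before the "@", a look-alike subdomain, plain http, and punycode (xn--) hosts that decode to Unicode look-alike names. The sample email and the expected domain bank.example are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Punycode form of a look-alike host, computed here so the sample is exact;
# a mail client would normally show it decoded, which is the whole trick.
LOOKALIKE_HOST = "bänk.example".encode("idna").decode("ascii")

# Constructed sample email body. Only the first link is what it claims to be.
SAMPLE_EMAIL = f"""
<p>Please review your account.</p>
<a href="https://bank.example/login">Log in</a>
<a href="https://bank.example.evil.test/login">Log in</a>
<a href="https://bank.example@evil.test/">Log in</a>
<a href="http://bank.example/login">Log in</a>
<a href="https://{LOOKALIKE_HOST}/login">Log in</a>
<a href="https://evil.test/reset">https://bank.example/reset</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def real_host(url):
    """Return (host, scheme) for the host a browser would actually connect to.
    urlsplit drops any name@ prefix, so 'https://bank.example@evil.test/'
    yields 'evil.test'. Punycode labels are decoded to expose look-alikes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    return host, parts.scheme.lower()


def assess_link(href, text, expected_domain):
    """Return the reasons to distrust a link; an empty list means it checks out."""
    host, scheme = real_host(href)
    reasons = []
    if scheme != "https":
        reasons.append(f"not https (scheme {scheme!r})")
    authority = href.split("//", 1)[-1].split("/", 1)[0]
    if "@" in authority:
        reasons.append("name@ prefix: the name before '@' is not the site")
    if not (host == expected_domain or host.endswith("." + expected_domain)):
        reasons.append(f"host {host!r} is not under {expected_domain!r}")
    if any(ord(ch) > 127 for ch in host):
        reasons.append(f"host uses non-ASCII look-alike characters: {host!r}")
    # Visible text that itself looks like a URL but names a different host.
    if "." in text and " " not in text:
        text_host, _ = real_host(text if "://" in text else "https://" + text)
        if text_host and text_host != host:
            reasons.append(f"link text shows {text_host!r} but the link goes to {host!r}")
    return reasons


def assess_email(html, expected_domain):
    """Map every href in the email to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: assess_link(href, text, expected_domain) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in assess_email(SAMPLE_EMAIL, "bank.example").items():
        print(href, "->", "; ".join(reasons) or "looks consistent")
```

The one thing this cannot see is a redirect: a link that passes every check here can still bounce you elsewhere once followed, which is why the advice to navigate to the site yourself stands.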

Using a Proxy

Whenever a device connects to the internet it is assigned an IP address. By default, this IP address is visible to every server your devices connect to. Worse, an IP address can usually be geolocated to a city or region, and your internet provider can tie it to a specific subscriber. An IP address is required to get online; there is no getting around the need for one.

However, by connecting to a proxy server before you connect to an internet server, you can ask the proxy to access the website for you. From the perspective of the website's server, it is the proxy that is connecting and requesting pages, in the same way a laptop or smartphone would.

With that said, you should avoid free proxy services like the plague: the proxy sees all the traffic you send through it, which makes a free proxy a perfect way to steal your data. If you choose to use proxies, stick to reputable paid-for services instead.

If you want to improve your online anonymity, a proxy service will let you hide your IP address from the sites you visit. You can also connect via proxy servers around the world in order to circumvent region-blocking.

Get a Password Manager

Head over to haveibeenpwned.com and enter your email address. Try a few of your previous addresses as well and see if any results come up. The site will tell you if your details appear in any of the breached databases it has indexed.

If any results do turn up, immediately change the password for that account and for any other accounts that may have used the same password. This is a neat illustration of how a single breach can reveal the login credentials for multiple accounts.

The best solution to this problem is to use a password manager. There are lots of free and open-source options and, yes, in this case you can trust the free ones. Open source means the code can be audited by anyone, so vulnerabilities are more likely to be found and fixed, and there is far less scope for hidden malicious behavior.

Two-Factor Authentication

Two-factor authentication is an increasingly common security measure that you should take advantage of whenever you can. It usually means that an email or text message with a one-time code is sent to you every time you log in, so an attacker needs access to that code as well as to your account password. Some 2FA systems use a code-generating app such as Authy instead; prefer these where they are offered, since a code sent by SMS can be intercepted by an attacker who has taken over your phone number.
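What a code-generating app actually does is small enough to show in full. The Python below is an added example (not from the original article, and not Authy's implementation) of the TOTP algorithm from RFC 6238 that such apps use, together with the server-side check: the code is an HMAC over the current 30-second time step, so the app and the server agree on a code without any message being sent, which is why these codes cannot be intercepted in transit the way SMS codes can. The secret is the RFC 6238 test-vector secret, written in the Base32 form apps import from a QR code.

```python
import base64
import hashlib
import hmac
import struct
import time

# The RFC 6238 reference secret ("12345678901234567890") in the Base32 form
# an authenticator app would scan from a QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then the
    'dynamic truncation' that takes 4 bytes at an offset given by the last
    nibble of the digest."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, timestamp=None, digits=6, algorithm=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // STEP_SECONDS, digits, algorithm)


def verify_totp(secret, submitted, timestamp=None, window=1, used_steps=None):
    """Server-side check. Accepts the current step and up to `window` steps
    either side to tolerate clock drift, compares in constant time, and, when
    given a set in which to record accepted steps, refuses a replayed code."""
    if timestamp is None:
        timestamp = time.time()
    now_step = int(timestamp) // STEP_SECONDS
    for step in range(now_step - window, now_step + window + 1):
        if hmac.compare_digest(hotp(secret, step), submitted):
            if used_steps is not None:
                if step in used_steps:
                    return False        # same code presented twice
                used_steps.add(step)
            return True
    return False


def secret_from_base32(encoded):
    """Decode the shared secret as shown in a provisioning QR code."""
    return base64.b32decode(encoded.upper())


if __name__ == "__main__":
    secret = secret_from_base32(DEMO_SECRET_B32)
    print("current code:", totp(secret))
    print("RFC 6238 vector at T=59:", totp(secret, 59, digits=8))
```

The replay check matters on the server: a phished code is only useful to the attacker if it can be used before you do, so rejecting a second use of the same step shrinks that window further.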

Staying safe online is mostly a matter of common sense: steer well clear of websites you aren't completely certain about or that are presented to you by unknown sources, and if someone you know sends you a strange-looking email with an unexpected attachment or link, confirm it is genuine before letting your guard down.

As long as you stick to the advice above, you can at least feel a little safer online.

About the Author

Ebbe is a data mining researcher and cybersecurity writer. He believes in the power of data and in everyone's freedom to become a self-starter. He is also here to help you stay anonymous online. Ebbe can be reached online at info@ebbekernel.com.

Artificial Intelligence-Driven Situational Awareness

By Milica D. Djekic

When you enter a new environment, you begin by digging around in the dark, trying to figure out what is happening there, and you may go through many ups and downs before you learn the rules of that environment. In other words, any new situation or event requires you to develop a certain level of situational awareness: knowing what is going on around you, at a given time and within a given setting. In the security sector there is plenty of education and training that teaches defense staff how to recognize and handle a situation, so people can learn this practice and use a well-developed learning curve to cope with what they encounter.

On the other hand, no two situations are the same, and it may take some time to adapt to the circumstances at hand. The security field is very wide, spanning law enforcement, the armed forces and the intelligence community, so whether you are gathering findings for an investigation or a military operation, it may take a while before you have enough of them to decide on the next step. The sooner you develop good situational awareness, the better you will progress with your security campaigns and missions. To figure out what is happening within a given zone, you need a foundation, whether it comes from your training, your daily routine or simply your experience.

The same holds for the cyberspace environment: the more you study, the better you do. From this perspective it is clear that accuracy is the top imperative for any situational awareness mission. Never let your findings discourage you; from time to time you will face a heavy and seemingly unsolvable set of events. As the ancient proverb says, fortune favors the bold, so believe in your own courage and in the chance of some good luck on your battlefield. The battlefield is not only a matter of military operations: an entire investigation team can feel like warriors who have no option of giving up before they resolve their case. As many experts will confirm, it is a never-ending game of cat and mouse.

Communications protocols in computer science

Let us return to cyber defense and try to explain how communication between two devices works. First, both computing units are set up to exchange information, but only under certain conditions. At the lowest level, electronics is about low-voltage electrical signals, so two devices on a network exchange signals on the wire before any complete packet of information is delivered; above that, it is all about good programming and how you design the machine to operate. A communications protocol is nothing more than an intelligently designed quiz in which the two machines question each other about specific points. Such a quiz can involve many questions, and only if all the answers are correct do the parties get permission to exchange their data.
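The "quiz" between two machines has a precise form in security protocols: a challenge-response handshake, in which each side proves it knows a shared secret by answering a fresh random challenge, and neither side's answer can be reused later. The Python below is an added example (not from the original article) that walks through both sides' three messages using HMAC-SHA256 over a shared key, derives a session key only after both answers check out, and shows that a wrong key and a replayed answer are both refused. The key and the message framing are constructed for the example.

```python
import hashlib
import hmac
import secrets

NONCE_BYTES = 16


def answer(key, role, client_nonce, server_nonce):
    """The 'answer' to the quiz: an HMAC over both nonces. The role label is
    included so that a party's own answer cannot be reflected back to it."""
    return hmac.new(key, role + client_nonce + server_nonce, hashlib.sha256).digest()


def derive_session_key(key, client_nonce, server_nonce):
    """Per-connection key, so later traffic is bound to this handshake."""
    return hmac.new(key, b"session" + client_nonce + server_nonce, hashlib.sha256).digest()


# Message 1, client -> server: a fresh challenge.
def client_hello(client):
    client["nonce"] = secrets.token_bytes(NONCE_BYTES)
    return client["nonce"]


# Message 2, server -> client: its own challenge plus its answer to the client's.
def server_respond(server, client_nonce):
    server["peer_nonce"] = client_nonce
    server["nonce"] = secrets.token_bytes(NONCE_BYTES)
    return server["nonce"], answer(server["key"], b"server", client_nonce, server["nonce"])


# Message 3, client -> server: the client checks the server's answer before
# revealing its own; a wrong answer ends the exchange with no data sent.
def client_finish(client, server_nonce, server_answer):
    expected = answer(client["key"], b"server", client["nonce"], server_nonce)
    if not hmac.compare_digest(expected, server_answer):
        return None
    client["session_key"] = derive_session_key(client["key"], client["nonce"], server_nonce)
    return answer(client["key"], b"client", client["nonce"], server_nonce)


def server_verify(server, client_answer):
    expected = answer(server["key"], b"client", server["peer_nonce"], server["nonce"])
    if not hmac.compare_digest(expected, client_answer):
        return False
    server["session_key"] = derive_session_key(server["key"], server["peer_nonce"], server["nonce"])
    return True


def run_handshake(client_key, server_key):
    """Drive a full exchange. Returns (success, client session key, server session key)."""
    client, server = {"key": client_key}, {"key": server_key}
    client_nonce = client_hello(client)
    server_nonce, server_answer = server_respond(server, client_nonce)
    client_answer = client_finish(client, server_nonce, server_answer)
    if client_answer is None:
        return False, None, None
    ok = server_verify(server, client_answer)
    return ok, client.get("session_key"), server.get("session_key")


def replay_is_rejected(key):
    """An eavesdropper records message 2 from one run and replays it to a new
    client. The new client's nonce differs, so the recorded answer is wrong."""
    recorded = server_respond({"key": key}, client_hello({"key": key}))
    new_client = {"key": key}
    client_hello(new_client)                      # fresh challenge
    return client_finish(new_client, *recorded) is None


if __name__ == "__main__":
    key = b"shared secret provisioned out of band"
    print("matching keys:", run_handshake(key, key)[0])
    print("wrong key:", run_handshake(key, b"wrong key")[0])
    print("replay rejected:", replay_is_rejected(key))
```

Both nonces go into every answer, so an attacker who has neither the key nor the ability to predict the next challenge can pass neither side's quiz; the encryption discussed next then protects the data exchanged under the derived session key.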

In many cases these protocols use encryption, which makes them hard to eavesdrop on. This kind of cryptography can be described as link encryption, and so-called Darknet browsers rely on it to offer their users some level of privacy, security and anonymity. Developers are the key actors in building such a solution, but never overestimate what programmers alone can do: they need to work with subject matter experts to develop something that is genuinely useful in practice. Most professional programmers are very smart, but their daily routine revolves around lines of code; they have strong mathematical and logical skills, yet they are not all-powerful. Only in a team with other experts do they have the chance to build something competitive and intelligent from the end user's point of view. So if you want to develop a reliable communications protocol, have your developers work with telecommunications, electronics and computer engineers at the same time, and expect such a multidisciplinary team to resolve most of your concerns.

Everyday checks in security

Anyone serving in the security business knows that there are procedures, policies and protocols that must be followed to remain in active service. For instance, when a senior officer wants to confirm something about a member of staff, he carefully frames his questions to gain confidence in his subordinate. If the answers are satisfactory, the senior officer shares a piece of information with that person and then continues with the rest of the conversation. Such questioning is not the same every day: security professionals always vary it in order to camouflage what they really know and do. Only clever people are capable of keeping up with those changes and remaining in service, and in many cases this way of thinking is learned through carefully prepared education and training courses. So from time to time everyone is updated about new trends, and the better you get, the higher you rise in the ranks.

How to teach machines to behave like humans

From today's perspective, machines are still many steps behind humans, so there is no complete, straightforward answer to the question of how to make them behave like people. Our approach suggests that any defense officer with good checking skills keeps in mind combinations of many different questions, and if we recognize that this is really about expert knowledge and a certain number of accurate responses, we can see that the same approach could be handy in the world of machines as well. In other words, it is about expert knowledge bases of questions and answers that must be properly matched with each other in order to create a good linkage and allow accurate suggestions to pass through such a communication channel. For such purposes we see strong applications of artificial intelligence and machine learning as key factors in cyber security and defense in general.

Get aware using artificial intelligence

Our suggestion is to train your neural network on examples, as today's systems do. If you place one body of expert knowledge against another in two separate databases and compare the results of correlating them, you obtain an intelligent solution that gives you some level of confidence about whoever is responding to those questions. The more confident you are about someone's knowledge, the more credit that person earns. A similar scenario can be applied to information collection and the development of situational awareness: you need to compare many pieces of information with many others in order to reach a rational and objective conclusion about a given situation.

The finalizing discussions

In conclusion, accurate situational awareness can be of vital significance in dealing with a situation. Even when it appears that there is no way out, think twice: if you put more effort into your thinking, you may find that there are ways to gain at least a symbolic advantage over the circumstances. The point is never to give up; even if you are not in a position to win the battle today, you may yet win the whole war tomorrow.

About The Author

Milica D. Djekic is an Independent Researcher from Subotica, Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for domestic and overseas publications and is the author of the book “The Internet of Things: Concept, Applications and Security”, published in 2017 by Lambert Academic Publishing. Milica is also a speaker on the BrightTALK expert channel, at Cyber Security Summit Europe held in 2016, and at CyberCentral Summit 2019, one of the most exclusive cyber defense events in Europe. She has been a member of ASIS International since 2017 and a contributor to the Australian Cyber Security Magazine since 2018. Milica's research efforts have been recognized by the Computer Emergency Response Team for the European Union (CERT-EU). Her fields of interest are cyber defense, technology and business. Milica is a person with disability.

Attracting and Retaining Staff for a Fusion Center<br />

The best way to collaborate talent within a security eco-system<br />

By Karl Sharman<br />

Fusion Centers were formed following the devastating 9/11 terrorist attacks in New York and now mainly<br />

form a way of analyzing and dissecting threat intelligence. It initially was started within government or<br />

federal organizations but has more recently been seen in primarily the financial services industry. This<br />

move has been seen with a lot of attention and is being seen both as a candidate attraction tool as well<br />

as more importantly a way of collaborating to help mitigate risks to the organization.<br />

Staffing within Fusion Center is an attractive space with salary growth outpacing the national average as<br />

the talent gap widens. This means further strain on budgets within security so thinking outside the box<br />

and understand how to attract a diverse pool of candidates are crucial within hiring for this area.<br />

Often recruiting for Fusion Centers means we get a stronger response rate due to the excitement and<br />

mystery it causes candidates. The collaborative approach and branding often interests people to want to<br />

pursue a move into a Fusion Center. A Fusion Center often has a range of skillsets required so often<br />

people with a range of skills are sought after, but more than that a person with soft skills are required with<br />

this eco-system.<br />

Soft skills in a Fusion Center are what is required for success. Skills such as critical thinking, knowing<br />

how to challenge, being pragmatic, a strong communicator and someone who has a real passion about<br />

64


the job. These skills are arguably the hardest to assess however, organizations should provide behavioral<br />

questioning, situational questioning and spend time with candidates face to face in order to see common<br />

trends in both body reactions and communication. Ultimately, a resume can only tell you so much, so<br />

begin to adopt video earlier in the process to assist in screening candidates.<br />

The range of skills required and the widening talent gap mean that organizations must look to both<br />

traditional and non-traditional fields to identify talent. For this to succeed, diversity is required in<br />

background, skillset, education, gender, experience and race, in order to bring different views and<br />

ideas to the table.<br />

Retention across security is a real issue, with 86% of people open to moving in <strong>2019</strong> (BeecherMadden,<br />

<strong>2019</strong>). Our research suggests that people mainly move for three reasons: career progression, an<br />

increase in salary and the opportunity to join a new or growing function. It is a real challenge for a<br />

100-year-old bank to compete in an ever-developing market. Some companies are even entering a<br />

seller’s market in order to compete to attract and retain talent.<br />

Fusion Centers can be different, and they can be marketed differently in order to retain talent. They can<br />

create excitement, build a culture and develop people for the benefit of their careers. Ultimately, however,<br />

like any other area of the organization, it comes down to leadership. Talent wants to be heard, to see a<br />

pathway and to have the opportunity to improve within this eco-system.<br />

To achieve this, leaders within security and the business need to act pro-actively and engage with the<br />

talent. This includes regular interactions, one-on-ones, recognizing achievements and providing education<br />

programmes to keep the talent engaged and thriving for the greater good of the organization.<br />

About the Author<br />

Karl Sharman is a <strong>Cyber</strong> Security specialist recruiter & talent<br />

advisor leading the US operations for BeecherMadden. After<br />

graduating from University, he was a lead recruiter of talent for<br />

football clubs including Crystal Palace, AFC Wimbledon &<br />

Southampton FC. In his time, he produced and supported over £1<br />

million worth of talent for football clubs before moving into <strong>Cyber</strong><br />

Security in 2017. In the cyber security industry, Karl has become<br />

a contributor, writer and a podcast host alongside his full-time<br />

recruitment focus. Karl can be reached online<br />

at karl.sharman@beechermadden.com, on LinkedIn and at our<br />

company website http://www.beechermadden.com<br />



Have You Asked your eDiscovery Vendor<br />

These 6 Essential Data Security Questions?<br />

By Brian Schrader, Esq., president and CEO, BIA<br />

In today’s world of ever-increasing data theft, network hacks and other cyber threats, companies of all<br />

sizes are finally taking data security seriously. Even so, many overlook how their data can be<br />

compromised when situations require that data to exit the company’s custody. One such common<br />

situation where significant amounts of often-sensitive data must be sent outside the corporate domain is<br />

the eDiscovery process, which takes place when a company is involved in litigation, regulatory matters<br />

and internal investigations.<br />

During the eDiscovery process, your data — ranging from emails to financial reports and much more —<br />

is collected from your company’s various computer systems. It is then sent out to eDiscovery vendors,<br />

law firms, related consultants and potentially several subcontractors for all sorts of tasks. The data gets<br />

processed and catalogued, reviewed for legal needs, and produced to third parties, the government and<br />

others. What’s more, depending on your law firm and vendor’s workflows, throughout that process your<br />

data can be transferred multiple times between the various parties.<br />

Moving your data among and between so many parties outside your company’s firewalls substantially<br />

increases risk. It also increases the number of organizations you must vet to ensure that their security<br />

policies and practices are acceptable. While we encourage you to develop a full vendor vetting process<br />

that looks at things like data center security certifications (like SOC2 or ISO 27001), penetration testing,<br />

disaster recovery, physical security and more, here are six essential questions you must ask anyone or<br />

anything that touches, transfers or stores your data.<br />



1. Are systems and data encrypted at all times, both at rest and in transit?<br />

All computer systems and mobile devices should be protected by device-level encryption. All data<br />

transferred using physical media (e.g., disc media, external drives) or online data transfer solutions<br />

(e.g., SFTP, cloud transfer/storage systems) should likewise be protected by an encrypting system, which<br />

can be as simple as using a strong password-protected ZIP file, for example.<br />

Today’s constant stream of stories about law enforcement’s ongoing difficulties in accessing various<br />

mobile devices clearly illustrates how effective device encryption can be at keeping prying eyes from<br />

accessing your data. Simply put, encryption turns your data into a garbled pile of useless gibberish that<br />

can’t be used absent proper credentials or digital tokens. Thus, even if someone physically steals your<br />

device, the data is protected.<br />

Encryption is now available on nearly all modern computers, smartphones and other devices, and is so<br />

effective and easy to deploy that there’s simply no reason any vendor shouldn’t be encrypting them all.<br />

That’s especially true for mobile devices like laptops, tablets, smartphones, smart watches and the like<br />

that are even more vulnerable because they routinely travel outside the corporate firewall.<br />

While the other items below are very important, device and data encryption are two of the most important<br />

security steps any company can and must take. These steps are simple, cheap and effective. So, if your<br />

eDiscovery vendor isn’t doing those simple things to protect your data, it’s likely that they’re not doing<br />

much else, either.<br />

2. Is multi-factor authentication in use?<br />

Multi-factor authentication, commonly called MFA, is another extremely effective tool in the fight to protect<br />

your data from malicious actors. As such, it should be a central part of your law firm and vendor’s security<br />

profiles.<br />

With MFA in place, not only is a username and password required to access secure systems, but an<br />

additional step is required where a code is sent to a separate device, usually your cellphone, which then<br />

must be entered along with your username and password to complete the login or access process. Such<br />

solutions are becoming increasingly common even in our daily lives; your bank may encourage or even<br />

require MFA (sometimes called one-time codes), especially with more sensitive items like wire transfers.<br />

For example, here at BIA, we utilize MFA any time an employee logs on to nearly any company computer<br />

or system, especially if they are not physically in one of our offices and connected to our corporate<br />

network. If one of our employees works remotely from their home or the neighborhood Starbucks, they<br />

must always use MFA, which admittedly can be inconvenient at times but is undoubtedly worth it for the<br />

protection it affords. Encryption and MFA working together ensure that if a device or data is lost or<br />

stolen, the data will remain safe and secure, regardless of the thief’s skills.<br />
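The article describes the second factor as a code delivered to a separate device. The following is an added example, not code from the article or from BIA, showing the time-based one-time code (TOTP, RFC 6238) variant that authenticator apps use, built from Python's standard library only, together with the two checks a verifying server needs that the article does not spell out: tolerance for clock drift between the device and the server, and rejection of a code that has already been accepted once. The secret is the RFC test-vector secret, not a real credential.<br />

```python
"""Added example (not from the article or BIA): RFC 6238 one-time codes.

HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, plus the
server-side state a verifier needs: clock-drift tolerance and replay rejection.
"""
import hashlib
import hmac
import struct
from typing import Optional

# Reference secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verification state for one enrolled secret."""

    def __init__(self, secret: bytes, digits: int = 6,
                 step: int = TIME_STEP_SECONDS, drift_windows: int = 1) -> None:
        self.secret = secret
        self.digits = digits
        self.step = step
        self.drift_windows = drift_windows
        self.last_accepted: Optional[int] = None  # highest counter already used

    def verify(self, submitted: str, unix_time: int) -> bool:
        """Accept the current window and +/- drift_windows neighbours (clock skew),
        but never a counter at or below one that was already accepted (replay)."""
        current = unix_time // self.step
        for window in range(current - self.drift_windows, current + self.drift_windows + 1):
            if self.last_accepted is not None and window <= self.last_accepted:
                continue
            expected = hotp(self.secret, window, self.digits)
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted = window
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: time 59, SHA-1, 8 digits -> 94287082
    print(totp(RFC_TEST_SECRET, 59, digits=8))
```

The replay check matters in practice: a code intercepted by a phishing page is only useful to an attacker if the server will accept it a second time within the same window, so the verifier records the highest counter it has honoured per user.<br />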



3. Are role-based access controls configured and in place?<br />

Lately, we see almost weekly news reports of data breaches occurring not because of hackers, but<br />

because of employees stealing something they shouldn’t have had access to in the first place. This is<br />

especially common in departing employees. Indeed, the recent Capital One data breach that impacted<br />

over 100 million customers came from an employee’s internal system hack.<br />

Law firms and eDiscovery vendors should address this problem by adopting strong policies regarding<br />

role-based access using the concept of least-privilege to drive those policies. That means an individual’s<br />

access to various data stores and computer systems is limited based on their role and function within the<br />

company and gives them privileges to the minimum set of actions needed. For example, a vendor’s<br />

project managers may need access to key data shares, but only to read and edit files, not to delete them.<br />

Those same project managers, like most employees, may never need access to the accounting or HR<br />

department’s records. While many companies have put such controls in place for their own data, they<br />

often fail to do so when it comes to the data they hold for others, including their customers.<br />

Here at BIA, we use least-privilege role-based access across the organization, and we have systems and<br />

procedures in place to narrow that access even further on especially sensitive matters. The logic is<br />

simple: By limiting the number of eyes that can even see your data, we automatically reduce the<br />

possibility of an internal data breach.<br />
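As an added example, not code from the article or from BIA, the check below encodes the least-privilege policy the article illustrates: project managers may read and edit case data shares but not delete them, they have no access to HR or accounting records, and access is narrowed further to the specific matters a person is cleared for. The role names, resource kinds and sample users are constructed for the demonstration.<br />

```python
"""Added example (not from the article or BIA): least-privilege, role-based access checks."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Permissions granted per role and resource kind. Anything not listed is
# denied: under least privilege the default answer is "no".
ROLE_PERMISSIONS = {
    "project_manager": {"case_data": frozenset({"read", "write"})},
    "review_attorney": {"case_data": frozenset({"read"})},
    "storage_admin":   {"case_data": frozenset({"read", "write", "delete"})},
    "hr_staff":        {"hr_records": frozenset({"read", "write"})},
    "accountant":      {"accounting": frozenset({"read", "write"})},
}


@dataclass(frozen=True)
class Principal:
    user: str
    roles: FrozenSet[str]
    cleared_matters: FrozenSet[str] = frozenset()  # per-matter narrowing


@dataclass(frozen=True)
class Resource:
    kind: str                      # "case_data", "hr_records", "accounting", ...
    matter: Optional[str] = None   # set for client data held for a specific matter


def decide(principal: Principal, resource: Resource, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason). The reason is what an access log should record."""
    # Matter clearance is checked first: a role grant never overrides it.
    if resource.matter is not None and resource.matter not in principal.cleared_matters:
        return False, f"{principal.user} is not cleared for matter {resource.matter}"
    for role in sorted(principal.roles):
        granted = ROLE_PERMISSIONS.get(role, {}).get(resource.kind, frozenset())
        if action in granted:
            return True, f"{principal.user} may {action} {resource.kind} via role {role}"
    return False, f"no role of {principal.user} grants {action} on {resource.kind}"


def is_allowed(principal: Principal, resource: Resource, action: str) -> bool:
    return decide(principal, resource, action)[0]


def audit(principal: Principal, checks: List[Tuple[Resource, str]]) -> List[str]:
    """Evaluate a batch of checks and return access-log lines."""
    lines = []
    for resource, action in checks:
        allowed, reason = decide(principal, resource, action)
        lines.append(f"{'ALLOW' if allowed else 'DENY '} {reason}")
    return lines


if __name__ == "__main__":
    pm = Principal("alice", frozenset({"project_manager"}), frozenset({"matter-1001"}))
    for line in audit(pm, [
        (Resource("case_data", "matter-1001"), "write"),
        (Resource("case_data", "matter-1001"), "delete"),
        (Resource("case_data", "matter-2002"), "read"),
        (Resource("hr_records"), "read"),
    ]):
        print(line)
```

Two design points carry the article's argument: the permission table is an allow-list, so an action nobody thought to grant is denied rather than allowed by accident, and every decision returns a reason, so the denials can be logged and reviewed when a departing employee's activity is examined.<br />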

4. Are there written data security, acceptable use and other critical policies in place? Do<br />

employees know about those policies and where to find them?<br />

To paraphrase a certain web-shooting superhero, with great data comes great responsibility, and it’s<br />

critical that not just your vendor, but its employees as well, truly understand their responsibilities. Even<br />

with all the data security measures discussed here, those with proper credentials and sufficient need will<br />

have access to even the most sensitive of data. Thus, an essential piece of the data security puzzle is<br />

making sure that every person who legitimately has access to your confidential data clearly understands<br />

their responsibilities and is committed to protecting that data.<br />

Your law firm and eDiscovery vendor should have clear, written policies on data security and acceptable<br />

system use policies, and those policies must be accessible by all. Other information security policies,<br />

including data handling, employee conduct, confidentiality, disaster recovery, business continuity and<br />

crisis management, if available, should also be reviewed. But written policies alone, without action, are<br />

meaningless — management must show that employees know and follow those policies.<br />

Employees should be required to sign strong confidentiality and nondisclosure agreements as part of<br />

their initial hire onboarding, as well as whenever company policies are updated. Security review meetings<br />

and presentations, held at least annually, can also be helpful for providing continuing education and<br />

reminding employees of their data security responsibilities and how to be vigilant for the latest trends in<br />

hacking, phishing and other such security attacks. Policies are great, but your vendor should be able to<br />

prove that their employees know, accept and put those policies into practice.<br />



5. Is there a secure and tested business continuity and data backup plan?<br />

While data backup and business continuity (the ability to continue or quickly recover essential services<br />

after a natural disaster, for example) are critically important topics to ask any vendor about, people<br />

often overlook the security aspect of those solutions, which must be at least as secure as the primary,<br />

live systems.<br />

Most backup and business continuity plans call for multiple physical locations for both data storage and<br />

critical systems, which means data is stored both in the vendor’s primary location(s) and copied offsite<br />

location(s). When asking your vendor about its data security policies and practices, make sure to include<br />

questions about any such secondary locations — and about how securely the data is transferred between<br />

those locations.<br />

6. How is data handled once a case is closed?<br />

Clients often ask about security before a new project starts or a new master services agreement is signed,<br />

but what happens to your data after a given eDiscovery project concludes? You might be surprised to<br />

learn that the case shutdown process at eDiscovery vendors varies widely, and it might not be as<br />

comprehensive as you’d assume. Many of the vendors you have used in the past for projects that closed<br />

long ago may still be storing copies of your data, which could expose you to further completely<br />

unnecessary risk and violate your data retention policies.<br />

Your vendor’s project shutdown process deserves as much focus as the kickoff process — if not more.<br />

Your eDiscovery vendor’s project manager should present you with a summary of all the data the vendor<br />

has — including not just the original data, but also copies stored in their data processing systems, review<br />

tools, analytics platforms, productions and the like. Only then can you decide whether you want the data<br />

returned, destroyed or stored for possible use later.<br />

If your decision is to destroy the data, your eDiscovery vendor must be able to certify the destruction of<br />

that data to industry-accepted standards. Hard drives should be fully overwritten so that the data is truly<br />

irretrievable. And once hard drives reach the end of their useful life, vendors should physically destroy<br />

them. The cost to do all of that is small and any credible vendor should have no problem providing those<br />

services.<br />

Data security is a job that never ends. If you’re serious about protecting your data while it’s on your<br />

servers, you should be equally serious about keeping it safe when it travels outside your protected space.<br />

You can start by making sure you ask the right questions through the eDiscovery process.<br />



About the Author<br />

Brian Schrader, Esq., is president & CEO of BIA (www.biaprotect.com), a<br />

leader in reliable, innovative and cost-effective eDiscovery services. With<br />

early career experience in information management, computer technology<br />

and the law, Brian co-founded BIA in 2002 and has since developed the firm’s<br />

reputation as an industry pioneer and a trusted partner for corporations and<br />

law firms around the world. He can be reached at bschrader@biaprotect.com.<br />



Understanding Application Risk Management<br />

By Haythem Hammour, Product Marketing Manager, Brinqa<br />

On April 25, Docker®[1] discovered a breach of unauthorized access to a single Docker Hub database<br />

storing a subset of non-financial user data. Usernames and hashed passwords for approximately 190,000<br />

accounts may have been exposed, as well as GitHub®[2] and Bitbucket®[3] tokens for Docker auto builds.<br />

However, the risk the Docker breach poses to organizations varies based on usage, integration, and a<br />

variety of business and environmental factors. How can organizations measure and respond to the<br />

vulnerabilities in their software infrastructure? This article discusses some crucial aspects of Application<br />

Risk Management that can help build a knowledge-driven, risk-aware application security process and<br />

deliver accurate and swift risk analysis, prioritization and remediation.<br />

[1] Docker is a tool designed to make it easier to create, deploy, and run applications by using containers.<br />

[2] GitHub brings together the world's largest community of developers to discover, share, and build better software.<br />

[3] Bitbucket is a web-based version control repository hosting service owned by Atlassian, for source code and development projects.<br />


Defining Application Risk Management<br />

Application Risk Management is the utilization of fundamental risk management principles to identify,<br />

prioritize, remediate, and report security risks related to an organization's software infrastructure. This is<br />

accomplished by analyzing data from various application testing and monitoring tools and programs –<br />

Dynamic or Web Application Security Testing (DAST), Static Application Security Testing (SAST),<br />

Interactive Application Security Testing (IAST), Software Composition Analysis (SCA), and Penetration<br />

Testing – in context of relevant business metadata and threat intelligence to drive prioritized remediation<br />

actions in IT Service Management (ITSM) tools and processes. The scope of Application Risk<br />

Management is not limited to web or desktop applications but also covers all internally developed, third<br />

party, open source, commercial off the shelf (COTS), custom, business, and enterprise applications, as<br />

well as web services and APIs.<br />

The Need for Better Application Security<br />

In 2014 Verizon started analyzing breach trends and patterns through the Verizon Data Breach<br />

Investigation Report (Verizon DBIR)[4]. Notably, in the <strong>2019</strong> report the web application pattern (one of<br />

nine basic patterns used to categorize security incidents and data breaches) scored the highest for<br />

breaches, with a probability of one in five breaches attributed to web applications as the vector of attack.<br />

Moreover, by examining past years' reports, it is evident that web applications have consistently been a<br />

top breach pattern in recent years.<br />

Top Application Security Risks<br />

The Open Web Application Security Project (OWASP) runs a project that annually outlines the ten<br />

most critical web application security risks. To compile this list, OWASP uses prevalence data in<br />

combination with consensus estimates of exploitability, detectability, and technical impact.<br />

1. Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted<br />

data is sent to an interpreter as part of a command or query.<br />

2. Broken Authentication: Application functions related to authentication and session management<br />

are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session<br />

tokens.<br />

3. Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive<br />

data, such as financial, healthcare, and PII.<br />

4. XML External Entities (XXE): Many older or poorly configured XML processors evaluate external<br />

entity references within XML documents.<br />

[4] The Data Breach Investigations Report is a collaborative effort, developed by Verizon in cooperation with numerous agencies.<br />


5. Broken Access Control: Restrictions on what authenticated users are allowed to do are often<br />

not properly enforced.<br />

6. Security Misconfiguration: Commonly a result of insecure default configurations, incomplete<br />

or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error<br />

messages containing sensitive information.<br />

7. Cross-Site Scripting (XSS): XSS attacks occur when malicious scripts are injected, generally in<br />

the form of a browser side script, into trusted websites. These can occur when a web application<br />

uses input from a user in the output it generates without first validating or encoding it.<br />

8. Insecure Deserialization: Object and data structure related attacks where the attacker modifies<br />

application logic or achieves arbitrary remote code execution to change behavior during or after<br />

deserialization.<br />

9. Using Components with Known Vulnerabilities: Components, such as libraries, frameworks,<br />

and other software modules, are often used in the development of web applications. Attackers<br />

finding security holes in these components can leave applications vulnerable to exploits.<br />

10. Insufficient Logging & Monitoring: Insufficient logging and monitoring, coupled with missing or<br />

ineffective integration with incident response, allows attackers to compromise systems further,<br />

maintain persistence, pivot to more systems, and tamper, extract or destroy data.<br />
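The first and seventh items on the list share one root cause: untrusted input reaching an interpreter (the SQL engine, the browser's HTML parser) as code rather than as data. The following is an added example, not code from the article or from Brinqa, that puts the defect beside its fix for both cases using a throwaway in-memory SQLite table with constructed rows; the table and column names are assumptions for the demonstration.<br />

```python
"""Added example (not from the article): OWASP items 1 and 7 as defects beside their fixes."""
import html
import sqlite3
from typing import List, Tuple

# Constructed sample data.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Defect (injection): the untrusted value is spliced into the SQL text, so the
    # interpreter parses whatever the caller supplied as part of the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Fix: the value is bound as a parameter and is never parsed as SQL.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def greeting_unescaped(name: str) -> str:
    # Defect (XSS): user input copied verbatim into HTML output.
    return "<p>Welcome, " + name + "</p>"


def greeting_escaped(name: str) -> str:
    # Fix: encode for the HTML context before output.
    return "<p>Welcome, " + html.escape(name) + "</p>"


if __name__ == "__main__":
    db = build_db()
    # Constructed input: a plain string to the parameterized query, SQL to the other.
    probe = "' OR '1'='1"
    print(len(lookup_concatenated(db, probe)), "rows via concatenation")
    print(len(lookup_parameterized(db, probe)), "rows via parameters")
```

The same input returns every row through the concatenated query and no rows through the parameterized one, which is the observable difference a code review or a DAST scan looks for; input validation is a useful second layer, but parameter binding and output encoding are the controls that remove the flaw.<br />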

OWASP, Verizon, and many other organizations have done remarkable work in collecting and analyzing<br />

data on cyber threats, vulnerabilities and attacks. However, when it comes to application security there<br />

is no one-size-fits-all solution. Each organization is unique, and so are the threat actors for that<br />

organization, their goals, and the impact of any breach. If a public interest organization uses a content<br />

management system (CMS) for public information and a health system uses that same CMS for sensitive<br />

health records, a vulnerability in the CMS software will result in very different risk exposure and business<br />

impact for each organization. It is critical to understand the risk to an organization based on applicable<br />

threat agents and business impact.<br />

Determining Risk Criticality<br />

Generally, risk is the combination of the probability of an event and its consequence (Risk = Likelihood ×<br />

Impact). Specifically, IT risk is the business risk associated with the use, ownership, operation,<br />

involvement, influence, and adoption of IT within an enterprise.<br />

The information security community relies on the Common Weakness Enumeration (CWE)[5] and Common<br />

Vulnerabilities and Exposures (CVE)[6] programs to standardize severity, probability, and impact<br />

measures.<br />

[5] https://cwe.mitre.org<br />

[6] https://www.first.org<br />


The Common Vulnerability Scoring System (CVSS)<br />

CVSS captures the principal technical characteristics of software, hardware, and firmware vulnerabilities.<br />

Its outputs include numerical scores indicating the severity of a vulnerability relative to other<br />

vulnerabilities. CVSS is composed of three metric groups – Base, Temporal, and Environmental.<br />

1. The Base Score reflects the severity of a vulnerability according to its intrinsic characteristics,<br />

which are constant over time and assume the reasonable worst-case impact across different<br />

deployed environments.<br />

2. The Temporal Metrics adjust the Base severity of a vulnerability based on factors that change<br />

over time, such as availability of exploit code.<br />

3. The Environmental Metrics adjust the Base and Temporal severities to a specific computing<br />

environment. They consider factors such as the presence of mitigation in that environment.<br />

The Common Weakness Scoring System (CWSS)<br />

CWSS is part of the CWE project, co-sponsored by the Software Assurance program in the office of<br />

<strong>Cyber</strong>security and Communications of the U.S. Department of Homeland Security (DHS). It provides a<br />

mechanism for prioritizing software weaknesses in a consistent, flexible, open manner. The CWSS<br />

scoring method relies on multiple metric factors clustered in three groups.<br />

1. Base Finding metrics capture the inherent risk of the weakness, confidence in the accuracy of<br />

the finding, and strength of controls.<br />

2. Attack Surface metrics represent the barriers that an attacker must overcome to exploit the<br />

weakness.<br />

3. Environmental factors capture characteristics of the weaknesses that are specific to a particular<br />

environment or operational context.<br />

For effective risk quantification and prioritization, organizations must build on these frameworks and<br />

enhance this technical information with threat intelligence (factors such as exploit availability, associated<br />

malware, zero-day, popularity, pervasiveness, etc.) and business impact considerations (operational<br />

status, data classification, supported business services, monetary impact, compliance requirements, etc.)<br />

to develop an accurate understanding of how these threats uniquely impact the business.<br />
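The following is an added example, not code from the article or from Brinqa and not the official CVSS or CWSS equations, that carries the article's Risk = Likelihood × Impact formula through with business context. The CVSS base score is taken as a 0 to 10 input; the threat-intelligence and environmental multipliers and the data-classification impact values are constructed, illustrative weights; the sample findings are constructed. The two CMS findings reproduce the article's point that the same flaw carries very different risk for a public information site and for a system holding health records.<br />

```python
"""Added example (not from the article or Brinqa): Likelihood x Impact with business context."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed business-impact scale (0-10) keyed by data classification.
IMPACT_BY_CLASSIFICATION = {"public": 2.5, "internal": 5.0, "confidential": 7.5, "regulated": 10.0}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss_base: float            # 0.0-10.0 from the scanner or NVD
    exploit_public: bool        # threat intel: exploit code available
    malware_seen: bool          # threat intel: used by malware in the wild
    internet_facing: bool       # environment: reachable from the internet
    mitigated: bool             # environment: compensating control in place
    data_classification: str    # business: what the application holds


def likelihood(f: Finding) -> float:
    """Probability-like factor in [0, 1]: base severity adjusted by temporal
    (threat) and environmental factors. The multipliers are illustrative."""
    value = f.cvss_base / 10.0
    if f.exploit_public:
        value *= 1.3
    if f.malware_seen:
        value *= 1.2
    if f.internet_facing:
        value *= 1.2
    if f.mitigated:
        value *= 0.5
    return min(1.0, value)


def impact(f: Finding) -> float:
    """Business impact in [0, 10], driven by data classification."""
    return IMPACT_BY_CLASSIFICATION[f.data_classification]


def risk_score(f: Finding) -> float:
    """Risk = Likelihood x Impact, on a 0-10 scale."""
    return likelihood(f) * impact(f)


def prioritize(findings: List[Finding]) -> List[Tuple[str, float]]:
    """Remediation order: highest risk first."""
    return sorted(((f.finding_id, risk_score(f)) for f in findings),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample findings: the same CMS flaw in two deployments, a token
# exposure on a build service, and an older flaw behind a compensating control.
SAMPLE_FINDINGS = [
    Finding("cms-public-site",    9.8, True,  True,  True,  False, "public"),
    Finding("cms-health-records", 9.8, True,  True,  False, False, "regulated"),
    Finding("ci-token-exposure",  7.5, True,  False, True,  False, "confidential"),
    Finding("legacy-app-waf",     5.3, False, False, True,  True,  "confidential"),
]


if __name__ == "__main__":
    for finding_id, score in prioritize(SAMPLE_FINDINGS):
        print(f"{score:5.2f}  {finding_id}")
```

Sorting by the scanner's base score alone would rank the two CMS findings equally at 9.8; with impact applied, the health-records deployment is the top priority and the public site drops below a lower-severity token exposure that touches confidential data, which is the reordering the article is arguing for.<br />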



About the Author<br />

Haythem Hammour, Product Marketing Manager<br />

haythem.hammour@brinqa.com | ☎ (512) 372-1004<br />

8310 N Capital of Texas Hwy, Suite 155, Austin, TX 78731<br />

www.brinqa.com | Twitter | LinkedIn | Free! Webinars<br />

https://twitter.com/hammour_haythem<br />


Ransomware: A Municipality’s Achilles Heel<br />

By Russ Cohen, Vice President of <strong>Cyber</strong> Services, Chubb<br />

From large metropolitan cities like Atlanta to smaller communities like Key Biscayne, every city in America<br />

is vulnerable to cyber attacks.<br />

In fact, according to the Chubb <strong>Cyber</strong> Index℠, cyber incidents for public entities have tripled over the<br />

past three years. Further, the index data also shows that 77% of the cyber claims reported by Chubb’s<br />

public entity clients in 2018 were the result of external actors.<br />

What’s behind these numbers? During these attacks, bad actors exploit public entities’ employees<br />

through phishing emails—which then allow these adversaries to deploy ransomware into a municipality’s<br />

network. In turn, adversaries are able to bring an entire system to a halt. Fortunately, there are a number<br />

of risk mitigation steps municipalities can take to help safeguard their systems, which begins by<br />

understanding what makes municipalities the ideal target.<br />



Increasing Vulnerabilities in Dollars and Data<br />

While both the public and private sector are vulnerable to ransomware attacks, there are several<br />

characteristics specific to municipalities that make them more attractive targets for adversaries.<br />

Like most local government debates, it generally starts with a question of funding. In particular, cyber<br />

security funding for smaller municipalities is generally not as robust as that of for-profit companies. Thus,<br />

cities and towns alike may lack the proper resources and expertise to upgrade equipment, install proper<br />

security software and perform adequate data backups.<br />

It’s not just citizens’ social security and tax information that makes municipalities ideal targets. If<br />

adversaries gain unfettered access to a municipality’s systems, they can alter everything from traffic lights<br />

and 9-1-1 systems to employee payments and official document records. In turn, if emergency systems<br />

are affected, adversaries often feel emboldened to demand a higher ransom—as a municipality will likely<br />

want to resolve the situation as quickly as possible.<br />

During any cyber event, it can be difficult to know the right move to make—how do you know when to<br />

pay a ransom or not? One critical element to keep in mind when weighing this decision is that, ultimately,<br />

the affected institution is responsible for any financial loss, safety issues, or wage disruption that might<br />

occur from a cyber incident—not to mention, there are also reputational and non-financial implications<br />

associated with these events. Often, the cost of paying a ransom can be less than the alternative.<br />

In March <strong>2019</strong>, a large county was forced to pay $400,000 in crypto-ransom after a ransomware event<br />

compromised not only its network but also the entirety of its online backup. Because these information reserves<br />

were also compromised, they had little choice—it was ultimately less expensive for them to simply pay<br />

the ransom than it would have been to build a new system from scratch.<br />

Compounding this issue, as ransomware attacks become more sophisticated, bad actors<br />

now have the ability to destroy records instantaneously. This fact has the potential to permanently cripple<br />

city systems in the event that their files are not only compromised, but also erased. These newfound<br />

consequences have also led to a significant rise in costs associated with these attacks; and as a result,<br />

public entities now often face six and seven-figure payout demands.<br />

To make matters worse, municipalities’ cyber risks are not self-contained. As we get closer to having fully<br />

integrated smart cities, the increasingly interconnected nature of municipalities has led to a heightened<br />

cyber risk for all businesses. Ultimately, without proper cyber security protections in place, municipalities<br />

can be a weak link that allows bad actors the ability to infiltrate the larger business community,<br />

subsequently giving them access to vendor, supplier, and partner data. In essence, municipalities can<br />

form the center of a spider’s web, with the larger business network and local community branching off<br />

and expanding from that center—like a spider, ransomware attacks have the potential to travel across<br />

the entire “web” of this interconnected ecosystem through each and every silky branch.<br />

Pinpointing the Root Cause<br />

Once municipalities understand why they are prime targets, they should then turn to how adversaries<br />

penetrate their systems.<br />

Put simply, in order to deploy these calculated ransomware attacks, bad actors often exploit human<br />

vulnerabilities in city systems. For instance, these attacks can be triggered by an unsuspecting employee<br />

who opens a malicious email on a computer that is not properly protected. In doing so, these bad actors<br />

infiltrate the system and gather and hold vital data hostage until their demands for untraceable<br />

cryptocurrency payments are made.<br />

To make matters worse, once one device is infected with ransomware, the malicious code can spread to<br />

other unprotected devices on the network. Often, the virus can do so without being noticed, and may stay<br />

in the background for days, weeks, or even years—all the while, rooting itself deeper into a system—<br />

adding to the troves of hostage data and allowing adversaries to demand exponentially more for its<br />

release.<br />

Fighting Back<br />

While the threat can seem overwhelming, there are risk mitigation best practices municipalities can take<br />

to reduce their exposure.<br />

To start, city employees should be taught to recognize the warning signs of potentially malicious<br />

content—such as, the inclusion of suspicious links, emails sent at an unusual time, misspelled words or<br />

an unrecognized sender—and should know exactly who to contact if they suspect something is awry.<br />

Employees should also have comprehensive social media education sessions, focusing on the dos and<br />

don’ts of posting online and what type of content can make them a target.<br />

Beyond employee training, local governments should upgrade their email security practices to help block<br />

malicious emails at the perimeter. They should also install anti-malware protections and ensure the<br />

regular backups of all files and information. Backups should be scheduled (daily, weekly, monthly) and<br />

stored in a separate secure location (external drive, cloud) to prevent the backups themselves from being<br />

corrupted during a breach. Backups should also be tested from time-to-time to ensure they are usable<br />

and adequately protected.<br />
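Testing a backup means more than confirming the job ran. The following is an added example, not code from the article or from Chubb, of one way to make that test concrete: a SHA-256 manifest is recorded when the backup is taken, and a test restore is later verified against it, so files that are missing or altered (for instance, encrypted by ransomware before the backup job copied them) are reported before a real recovery depends on them. The sample files are constructed in a temporary directory and the paths are assumptions.<br />

```python
"""Added example (not from the article or Chubb): a backup integrity manifest and a restore check."""
import hashlib
import json
import pathlib
import shutil
import tempfile
from typing import Dict, List


def sha256_file(path: pathlib.Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: pathlib.Path) -> Dict[str, str]:
    """Map each file's path (relative, POSIX form) to its SHA-256 digest."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(restored_root: pathlib.Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest recorded at backup time."""
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "modified": []}
    for rel, expected in sorted(manifest.items()):
        path = restored_root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo_restore_check() -> Dict[str, List[str]]:
    """Constructed scenario: back up three files, then damage the restored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        base = pathlib.Path(tmp)
        source = base / "source"
        (source / "records").mkdir(parents=True)
        (source / "payroll.csv").write_text("employee,amount\n1,100\n")
        (source / "notes.txt").write_text("council minutes\n")
        (source / "records" / "tax.csv").write_text("parcel,due\n7,250\n")

        # Backup time: the manifest is stored apart from the data it describes.
        manifest_path = base / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(source), indent=2))

        # Restore time: one file comes back unreadable, one never made it.
        restored = base / "restore"
        shutil.copytree(source, restored)
        (restored / "records" / "tax.csv").write_bytes(b"\x00\xffENCRYPTED\x00")
        (restored / "notes.txt").unlink()

        return verify_restore(restored, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo_restore_check(), indent=2))
```

The manifest only helps if it is kept with the offline or cloud copy the article recommends rather than on the live file server, where the same event that encrypts the data can alter the record of what the data should look like.<br />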



However, no prevention tactic is perfect, so in addition to the appropriate preventative steps, a broad<br />

cyber insurance policy can help offer additional peace of mind. If a ransomware attack does occur,<br />

insurers—like Chubb—provide policyholders with access to forensics providers, IT and security<br />

professionals, and legal counsel to recommend the best course of action for each unique scenario. In<br />

many cases, an insurer can also connect municipalities with cyber security software vendors whose<br />

products are specifically designed for their needs. Such platforms can offer municipalities another way to<br />

help prevent ransomware attacks and contain the spread of malware to connected devices, in the event<br />

of a successful attack.<br />

In an interconnected world where cyber security risks are ever evolving, threats will always be present.<br />

However, taking the right steps ahead of time limits how much damage an attack can do and how long it<br />

takes your community to recover.<br />

About the Author<br />

Russ Cohen serves as Chubb Vice President of Cyber Services, managing all<br />

policyholder services associated with the company’s pre- and post-incident cyber<br />

services, as well as supporting innovations in underwriting, data analytics, and<br />

predictive modeling associated with enterprise cyber security risks. Russ can be<br />

reached at russ.cohen@chubb.com and our company website is<br />

www.chubb.com.<br />


Do You Know What That App Is Doing?<br />

The IT Security Risk of Third-Party Apps<br />

By Christopher Kennessey, CEO, NetMotion Software<br />

As mobile devices become more common in the workplace, IT departments need to understand and<br />

prepare for the security risks that these devices introduce. Beyond the security of the device itself (which<br />

is a significant issue in its own right), there’s a very real risk of third-party apps secretly accessing<br />

corporate data. In some cases, the app is a legitimate service gathering user data on the side for its<br />

own marketing purposes or to sell. Alternatively, many malicious apps mimic real ones to trick users<br />

into downloading spyware and adware to steal passwords or financial information. Despite the best efforts<br />

of Apple, Google and Microsoft, data scraping remains an issue on iOS and Android devices as well as<br />

the major desktop platforms. Legitimate or not, IT needs the ability to track how third-party apps are<br />

accessing corporate data to protect their employees and keep that data secure.<br />

The normal barriers between work and personal devices don’t always apply here. With bring your own<br />

device (BYOD) policies being so common in the workplace, employees likely download apps, play<br />

games, access their social networks and visit potentially risky websites using the same devices that they<br />


rely on to access sensitive corporate data and applications. If they become the victim of malicious apps<br />

or websites, it doesn’t matter whether they or their employer is the intended target. Once a device is<br />

compromised, everything on it is at risk of being seen or stolen.<br />

There are several ways organizations can reduce the risk of third-party apps scraping sensitive corporate<br />

data. The first is training users to identify the telltale signs of a malicious app, email or website. Apps with<br />

strange or poorly rendered icons, suspicious imagery or inaccurate or misspelled names are all good<br />

indicators that something isn’t what it appears to be. Users should also be particularly cautious when an<br />

app asks for permission to access data that is not relevant to its task. It’s also good practice to prevent<br />

users from side-loading apps or going outside corporate approved app stores.<br />

Technical security controls also play a large role in protecting corporate data. Organizations deploy<br />

hardware and software like firewalls and antivirus to protect their data, but employee devices are a new<br />

weak link that often sits outside the corporate network for long periods of time. In response, many of<br />

these organizations have added enterprise mobile management (EMM) or mobile threat defense (MTD)<br />

solutions that provide some measure of protection and control over what devices and their users can do.<br />

But even these solutions don’t provide real-time visibility into the behavior of devices, apps and data flows<br />

when they are connected to an external network. Like most security spending, EMM and MTD solutions<br />

are focused on protection – stopping malicious software from getting on devices. That is certainly<br />

important, but organizations also need to improve their monitoring and visibility into mobile devices to<br />

detect suspicious behavior that could indicate an infected device.<br />

Like most things in security, this is easier said than done. A recent survey by the Enterprise Mobility<br />

Exchange found that nearly half of mobile security professionals had no idea whether their organization<br />

had been the victim of a mobile security event in the last year. More than 35% can’t tell when a device or<br />

app is sending data to unwanted server locations at all, and an additional 30% can’t do it in real time.<br />

Even legitimate apps often communicate with numerous servers around the world. And numerous<br />

apps and devices, either intentionally or as the result of poor design, have been shown to send data to<br />

servers in countries that lack the data-protection standards we expect, for no discernible<br />

reason. At the end of the day, it is impossible to tell whether a traffic pattern is dangerous if<br />

nobody is looking at it.<br />

Once an organization understands its normal mobile traffic patterns, the next step is to implement policies<br />

that automatically prevent unwanted or questionable connections. By adopting higher standards for user<br />

and device authentication, data encryption and device control, IT and security teams have the power to<br />

protect the integrity of an organization’s data by automatically stopping mobile devices from sending<br />

traffic to unapproved servers over unapproved connections. As always, full, standards-based<br />

encryption (TLS for application traffic, or a VPN tunnel that carries everything the device sends) should<br />

be used to keep the data secure in transit.<br />
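One way to turn "understand normal, then enforce policy" into code, as an added example rather than anything from NetMotion or the article: learn which hosts each app talked to during a baseline window, then classify live connection records as allow, alert or block, and tally bytes sent to never-before-seen hosts so a large outbound transfer stands out. The connection records, the app identifiers, the country allowlist and the thresholds are constructed; in practice the records would come from the on-device agent or the VPN gateway.<br />

```python
"""Per-app egress baselining and connection policy for managed mobile devices.
Added example, not NetMotion's or the article's code. All records, app ids,
countries and thresholds below are constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int           # epoch seconds
    device: str       # device identifier
    app: str          # package / bundle id that opened the connection
    host: str         # destination host name
    country: str      # where the destination resolves to (ISO 3166-1 alpha-2)
    bytes_out: int    # bytes the device sent on this connection


@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset
    blocked_apps: frozenset = frozenset()
    exfil_bytes: int = 1_000_000   # alert threshold for traffic to an unknown host


def learn_baseline(flows):
    """Hosts each app was seen talking to during the learning window."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.app].add(f.host)
    return dict(baseline)


def evaluate(flows, baseline, policy):
    """Classify each live flow as allow / alert / block with a reason.
    Also returns bytes sent per (app, host) for hosts absent from the baseline,
    so a large transfer to a new destination is visible at a glance."""
    verdicts = []
    new_host_bytes = defaultdict(int)
    for f in flows:
        if f.app in policy.blocked_apps:
            verdicts.append((f, "block", "app is not approved"))
        elif f.country not in policy.allowed_countries:
            verdicts.append((f, "block", f"destination in {f.country} not permitted"))
        elif f.host not in baseline.get(f.app, set()):
            new_host_bytes[(f.app, f.host)] += f.bytes_out
            verdicts.append((f, "alert", "host not seen in baseline"))
        else:
            verdicts.append((f, "allow", "matches baseline"))
    return verdicts, dict(new_host_bytes)


def exfil_candidates(new_host_bytes, policy):
    """(app, host) pairs that moved at least policy.exfil_bytes to an unknown host."""
    return sorted(k for k, b in new_host_bytes.items() if b >= policy.exfil_bytes)


# Constructed learning-window records: the apps' normal back-ends.
LEARNING = [
    Flow(1000, "dev-01", "com.example.crm", "api.crm.example", "US", 4_200),
    Flow(1010, "dev-01", "com.example.weather", "cdn.weather.example", "US", 9_000),
    Flow(1020, "dev-02", "com.example.crm", "api.crm.example", "US", 3_900),
]

# Constructed live records after the baseline was frozen.
LIVE = [
    Flow(2000, "dev-01", "com.example.crm", "api.crm.example", "US", 800),
    Flow(2001, "dev-01", "com.example.weather", "cdn.weather.example", "US", 12_000),
    Flow(2002, "dev-01", "com.example.weather", "metrics.tracker.example", "US", 1_500),
    Flow(2003, "dev-02", "com.example.weather", "collect.unknown.example", "XX", 5_000),
    Flow(2004, "dev-02", "com.flashlight.free", "upload.flashlight.example", "US", 2_000_000),
    Flow(2005, "dev-02", "com.game.freebie", "api.game.example", "US", 300),
]

POLICY = Policy(allowed_countries=frozenset({"US", "CA", "GB"}),
                blocked_apps=frozenset({"com.game.freebie"}))


def demo():
    """Run the live records through the policy; returns (verdict counts, exfil candidates)."""
    baseline = learn_baseline(LEARNING)
    verdicts, new_bytes = evaluate(LIVE, baseline, POLICY)
    counts = dict(Counter(action for _, action, _ in verdicts))
    return counts, exfil_candidates(new_bytes, POLICY)


if __name__ == "__main__":
    counts, suspects = demo()
    print(counts)
    for app, host in suspects:
        print(f"possible exfiltration: {app} -> {host}")
```

The ordering of the checks is deliberate: an unapproved app or a destination outside the permitted countries is blocked outright, while a new host for an otherwise approved app only raises an alert, because legitimate apps do add back-ends; the byte tally is what separates a new CDN node from a flashlight app pushing two megabytes to a server nobody has seen before.<br />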

Advancements in mobility have been an enormous enabler for enterprises and their employees over the<br />

last decade in particular, but these benefits come with their own distinct set of costs and risks. In order<br />

to maintain a high level of data security both inside and outside the walls of the office, companies need<br />

to do a much better job of managing how apps, users and devices interact with their data. The most<br />

effective approach combines three things: on-device software that provides real-time, actionable<br />

information about devices operating on third-party networks; automated policies that restrict<br />

dangerous activity; and users trained to be the front line of defense by recognizing threats from the<br />

outset.<br />

About the Author<br />

Christopher Kennessey is the CEO of NetMotion Software. Christopher has<br />

nearly two decades of cloud, data center and mobile networking industry<br />

experience, including ten years leading sales and operations for Cisco’s<br />

Intelligent Automation business unit. He holds a bachelor’s degree from the<br />

University of Illinois Champaign-Urbana, with additional courses at Harvard<br />

University and Complutense University Madrid. Christopher can be<br />

reached via our company website https://www.netmotionsoftware.com/<br />


5 Key Differences between Software and Hardware<br />

Vulnerability Mitigations<br />

By Anders Fogh, Senior Principal Engineer at Intel<br />

The software stack has long been a fruitful target for hackers looking to exploit organizations – and this<br />

is not likely to change anytime soon. As a matter of fact, according to the Common Vulnerabilities and<br />

Exposures (CVE) list, there were 14,760 known security vulnerabilities logged in 2018 alone (a record<br />

year). As the stakes continue to rise in this cat and mouse game, so too has the scrutiny of these systems,<br />

resulting in more robust software security development lifecycles, enhanced vendor collaboration, and<br />

increased mitigations that help combat malicious activity. If software vulnerabilities have reached<br />

adolescence (metaphorically speaking), one could say that hardware vulnerabilities are just entering early<br />

childhood. Take for example CPU vulnerabilities like Meltdown and Spectre, which were disclosed<br />

in early 2018. Both of these hardware vulnerabilities have had a significant impact on the security<br />

industry.<br />

As hardware vendors work to overcome new security challenges and create an ecosystem capable of<br />

properly disclosing, tracking and resolving these vulnerabilities, I wanted to share some of the key<br />

differences between software and hardware mitigations.<br />

1. The Flexibility Issue<br />

In today’s threat landscape, software is still orders-of-magnitude easier to handle than hardware. One of<br />

the most obvious reasons why is the simple fact that software can be updated frequently to deal with<br />

security vulnerabilities. For example, if a buffer overflow is found in software, once the root cause<br />

is identified, new code can quickly be pushed to address the issue. It’s even commonplace for some<br />


vendors to release patch updates in less than 48 hours. The agility that’s present in software just simply<br />

doesn’t exist in most hardware. And while there is some wiggle room built into firmware – for<br />

example the ability to update the platform’s UEFI firmware (commonly referred to as the BIOS), or the<br />

ability to turn features on and off in the silicon for mitigation reasons and product variants (what’s<br />

colloquially known as flipping chicken bits) – none of these compare to the ultimate flexibility of a<br />

completely software-architected solution.<br />

2. The Development Cycle<br />

The software development cycle is dramatically different from that of hardware in many ways, and a<br />

primary reason is the manufacturing component. In CPU hardware, when you eliminate the ability to fix<br />

a problem through firmware or chicken bits, what’s left is a fundamental design change. This results in<br />

the need to evaluate the old hardware, identify the problem, formulate the updates, coordinate with<br />

ecosystem partners, and push to manufacturing for the new build. The challenges are complex and time<br />

consuming. Software, on the other hand, can change a feature by modifying code and pushing an update;<br />

hardware usually cannot. This is why, with the advent of hardware vulnerabilities, security researchers<br />

play a huge role in helping to build the next generation of hardware systems that are not only more<br />

secure, but also architected in a way that can be updated or modularized for security mitigations.<br />

3. The Stack Problem<br />

Traditionally speaking, software sits on top of the system stack – meaning software depends on other<br />

components, and not the other way around. For developers and security professionals in software, this<br />

offers ultimate flexibility with other vendors and customers. But, the further down in the stack you go, the<br />

more the elements above depend on you to function properly. For example, if an operating system were<br />

to change its API significantly, the software running on top of it would likely break. But hardware is usually<br />

the lowest element in the stack. For instance, a CPU has to interface with an operating system, which<br />

interfaces with an application, and so on. Hardware changes in these complex relational environments<br />

are extremely sensitive. They require a depth of testing that takes substantial resources and time. And the<br />

documentation and specification for usage have to be extremely comprehensive.<br />

4. The Product Lifecycle<br />

Very few things last forever. And in the world of hardware, there’s no such thing as partial replacement.<br />

Software on the other hand is often continually being updated via code to the next version. With hardware,<br />

it’s traditionally out with the old, in with the new. And unfortunately, hardware usually carries significant<br />

cost implications, so products like CPUs and hard drives tend to have a long service life. This also means<br />

that the number of models being supported in the wild is often much higher than with software. This can<br />

have a major impact on hardware mitigations and add to the design pressure. In essence, with hardware,<br />

you have to live with what you built ten years ago. As a result, today’s hardware vendors are transforming<br />

R&D processes to be more inclusive of security teams in hopes of making future products more flexible.<br />


5. The Update Challenge<br />

In general, a software update is simple. Push the patch, update the code, fix the problem (at least that’s<br />

the basic idea). In the world of hardware mitigations, it can be much more complex. Hardware is not often<br />

directly connected to the internet or a network. This means hardware vendors rely on OEMs to set up<br />

mechanisms to push or pull updates, or coordinate with software partners to push updates to customers.<br />

For example, Intel has made microcode updates OS-loadable, meaning that when a vulnerability can be<br />

mitigated in microcode, the patch can be released through operating system partners and applied by the<br />

OS at boot. But it’s much more complex than that. It requires an incredibly high level of coordination<br />

between the stack layers. For instance, the degree to which a CPU microcode update impacts a cloud<br />

provider versus a data center can vary dramatically. It’s not a one-size-fits-all mitigation, yet it’s<br />

expected to be, which means these partners need time to test the mitigation before they push it to their<br />

customers.<br />
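Because an OS-loaded microcode update is applied again at every boot rather than burned into the CPU, the practical check is whether the running kernel actually loaded a new enough revision. On Linux the loaded revision appears in the microcode field of /proc/cpuinfo, and the kernel summarizes each CPU issue under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example, not Intel's code: the minimum-revision table and the sample /proc/cpuinfo and sysfs contents are constructed for illustration, and real minimum revisions come from the vendor's microcode release notes.<br />

```python
"""Is the microcode-based mitigation actually loaded? Added example, not Intel's
code. Reads the 'microcode' field of /proc/cpuinfo and the per-issue files the
Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/. The
minimum-revision table and the sample inputs are constructed; real minimum
revisions come from the vendor's microcode release notes."""
from pathlib import Path

# Assumption for the example: (cpu family, model, stepping) -> minimum
# microcode revision that carries the mitigation. Not a vendor-published table.
MIN_MICROCODE = {
    (6, 158, 10): 0xB4,
}

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def parse_cpuinfo(text):
    """Return (family, model, stepping, microcode) for the first CPU in /proc/cpuinfo text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return (
        int(fields["cpu family"]),
        int(fields["model"]),
        int(fields["stepping"]),
        int(fields["microcode"], 16),
    )


def still_vulnerable(entries):
    """entries: {issue name: file content}. Names whose status starts 'Vulnerable'."""
    return sorted(name for name, status in entries.items()
                  if status.strip().startswith("Vulnerable"))


def assess(cpuinfo_text, vuln_entries, minimums=MIN_MICROCODE):
    """Combine the two sources into one report."""
    family, model, stepping, loaded = parse_cpuinfo(cpuinfo_text)
    required = minimums.get((family, model, stepping))
    return {
        "signature": (family, model, stepping),
        "microcode": loaded,
        "required": required,
        "microcode_ok": required is not None and loaded >= required,
        "still_vulnerable": still_vulnerable(vuln_entries),
    }


def assess_live():
    """Read the real files on a Linux host; returns None elsewhere."""
    cpuinfo = Path("/proc/cpuinfo")
    if not cpuinfo.exists() or not VULN_DIR.is_dir():
        return None
    entries = {p.name: p.read_text() for p in VULN_DIR.iterdir() if p.is_file()}
    return assess(cpuinfo.read_text(), entries)


# Constructed sample of a Coffee Lake desktop part that has not received the update.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 158
model name\t: Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
stepping\t: 10
microcode\t: 0x96
"""

# Constructed sysfs contents, in the wording the kernel uses.
SAMPLE_VULNS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling\n",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode\n",
}

if __name__ == "__main__":
    report = assess_live() or assess(SAMPLE_CPUINFO, SAMPLE_VULNS)
    print(f"cpu {report['signature']} microcode {report['microcode']:#x} "
          f"(minimum {report['required']}) ok={report['microcode_ok']}")
    print("still vulnerable:", report["still_vulnerable"] or "none")
```

In the constructed sample the machine reports microcode 0x96 against an assumed minimum of 0xB4 and the mds entry still reads Vulnerable, which is exactly the state the article describes: the mitigation exists, but the OS partner's update has not reached this host yet. Swap in a sufficient revision and a Mitigation line for mds and the report turns green.<br />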

Looking Ahead<br />

To help overcome the challenges of hardware vulnerability mitigations, there is a lot of great work<br />

happening in this space today. To cite just a few examples: more flexibility is being designed into<br />

firmware, with next-generation hardware giving microcode more room to fix potential security problems;<br />

updates are becoming more agile, with Intel microcode updates distributed as part of Microsoft’s Patch<br />

Tuesday; and big vendors are participating in more open source projects, with Intel, for example, a heavy<br />

contributor to the Linux kernel.<br />

The goal is to make hardware ecosystems of tomorrow more secure than today. While there are some<br />

early successes we can point to – such as the quick integration of hardware mitigations for the Meltdown<br />

vulnerability in Intel’s 8th generation processor family (Coffee Lake) – our community must continue to<br />

drive toward the development of more formal methods and standards for disclosing, tracking and sharing<br />

hardware mitigations. This will ensure that research and education in hardware mitigations mirrors the<br />

maturity of the software security industry, and as a complete industry we more effectively tackle security<br />

mitigations.<br />

About the Author<br />

Anders Fogh is a Senior Principal Engineer at Intel. He has been involved<br />

in software development and information security for more than two<br />

decades, and is an expert in reverse engineering. Anders can be reached<br />

on Twitter @anders_fogh and through the company website<br />

http://www.intel.com.<br />


Data Risk Report Shows Lack of Security across Industries<br />

87% of companies lack data security<br />

By Rob Sobers, software engineer, Varonis<br />

When it comes to cybersecurity, one of the top concerns is the risk and vulnerability of sensitive data.<br />

Varonis has completed its annual risk assessment in an effort to provide organizations with guidelines<br />

for minimizing and reducing these risks.<br />

The 2019 Data Risk Report is an analysis of almost 800 risk assessments conducted on data that<br />

includes email, files, and folders across various organizations and companies. At risk and vulnerable data<br />

is identified, followed by recommendations to reduce these risks and vulnerabilities.<br />

The information within the 2019 Data Risk Report is just one way that organizations can gain more insight<br />

into their cybersecurity strategies and what more they can do to improve data security.<br />

Data Gathering Methods and Scope<br />

Here’s an overview of how data was gathered, and the scope of data analyzed. Reports were chosen<br />

from 785 security assessments – analysts went through data that focused on risk and exposure, stale<br />

data no longer required for daily business operations, and users and password use.<br />


The scope of the report covered over 30 different industries, including biotech, education, financial,<br />

government agencies, healthcare, and tech. The assessments also examined:<br />

• Over 54 billion files<br />

• 4.3 billion folders<br />

• 54.58 petabytes of data<br />

• 12.7 million user accounts<br />

• Over 13.4 billion files with global access<br />

• 3,144 exposed and sensitive files per terabyte<br />

Report Conclusions<br />

The results of the 2019 Data Risk Report include the following key findings. This information can help<br />

your cybersecurity team come up with approaches and tactics for reducing your data security risks.<br />

Risk and Exposure<br />

Most organizations give users too much access to company files. Assigning global access (for example<br />

to the Everyone or Domain Users group) gives every employee, and therefore every compromised account,<br />

access to whatever sensitive information sits in those folders. Global access thus opens the door for<br />

cybercrime: an attacker who phishes a single user gets the same reach as that user, across files that<br />

should be under much tighter control.<br />

Report findings show that 17% of sensitive files could be accessed by all employees and that 15% of<br />

companies had over 1 billion files accessible to each employee. As an average across the organizations<br />

studied, each employee had access to 17 million files.<br />

Add to this that many of the files at risk were held in violation of data-protection laws and standards such<br />

as the GDPR (General Data Protection Regulation), PCI DSS (Payment Card Industry Data Security<br />

Standard), and HIPAA (Health Insurance Portability and Accountability Act).<br />

Sensitive data that is exposed and at risk can cost your company not just money and trust; it can also<br />

do irreparable harm to your reputation.<br />

Stale Data<br />

53% of company data is stale. Even though this data is no longer used, it still contains private and<br />

personal information about clients and customers as well as other sensitive business information,<br />

including finances. As with data still being used by an organization, this information is subject to privacy<br />

laws.<br />

Other findings on stale data show that 87% of companies have over 1000 stale files that contain sensitive<br />

information and that 95% have over 100,000 folders that also contain private data. That amounts to<br />

15,511 sensitive files that are stale for each terabyte.<br />


Stale data an organization no longer needs should be deleted (or archived offline where retention rules<br />

require it); otherwise the organization remains liable if that data is obtained through a security breach.<br />

Passwords and User Accounts<br />

Many organizations are ignoring best practices for passwords and user accounts. In fact, 61% of<br />

companies have over 500 employees using passwords that never expire. And when it comes to user<br />

accounts, 40% of companies had stale user accounts that were still enabled.<br />

A password that never expires stays valid for as long as it has been exposed: once it leaks through a<br />

breach elsewhere or a phishing page, an attacker can keep using the account indefinitely, gaining access<br />

to an organization’s sensitive business and customer information. Enabled accounts that nobody uses any<br />

more are just as attractive, because activity on them is unlikely to be noticed or questioned, and<br />

unauthorized access to either kind of account can be used to disrupt services as well as to steal data.<br />

There is room for improvement across the board when it comes to reducing stale user accounts.<br />

Takeaways from the Risk Report<br />

The aim of the Risk Report is to give organizations tactics to increase security and keep data safe. Here’s<br />

what your company can do to up the ante when it comes to data security.<br />

Most At-Risk<br />

Organizations and companies most at-risk are ranked from highest to lowest based on the average<br />

percentage of sensitive files they have exposed:<br />

• 21% - Financial services and manufacturing<br />

• 15% - Biotech, healthcare, and pharma<br />

• 14% - Energy and utilities, and retail<br />

• 12% - Government and military<br />

Minimize and Reduce Risk and Exposure<br />

• Identify which folders grant global access (Everyone, Authenticated Users, Domain Users) to sensitive data.<br />

• Replace those global groups with explicit grants to the users and teams who actually need the data.<br />

• Apply least-privilege access controls across the board, minimizing each user’s reach into sensitive data.<br />


Manage Stale Data<br />

• Determine which data is stale and whether it contains sensitive information.<br />

• Delete, or archive offline, stale data you are no longer using.<br />

• Establish a retention schedule that states how long data is kept before it is reviewed as stale.<br />

Manage Passwords and User Accounts<br />

• Identify accounts whose passwords never expire and bring them under the password policy.<br />

• Identify stale user accounts and disable them, then delete them.<br />

• Improve your company’s ability to detect activity that does not conform to security policy.<br />
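The three takeaways above can be run as one audit over an inventory of folders, files and accounts. The following is an added example, not Varonis code: it flags folders readable by a global group that hold sensitive files, lists sensitive files untouched for more than a year, and finds enabled accounts whose passwords never expire or that have not logged on in 90 days. The inventory, the group names and the thresholds are constructed assumptions; in practice the records would come from the file server's ACLs, a data classifier and the directory.<br />

```python
"""Data-risk audit over a constructed inventory. Added example, not Varonis code.
Implements the report's takeaways: sensitive data reachable through global
access groups, stale sensitive files, and accounts with non-expiring passwords
or no recent logon. Records, group names and thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Assumption: the groups that amount to 'everyone in the company'.
GLOBAL_ACCESS_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}


@dataclass
class File:
    name: str
    sensitive: bool              # e.g. a classifier hit for PII, card data or PHI
    last_modified: datetime


@dataclass
class Folder:
    path: str
    acl: Set[str]                # principals with read access
    files: List[File] = field(default_factory=list)


@dataclass
class Account:
    name: str
    enabled: bool
    password_never_expires: bool
    last_logon: Optional[datetime]


def globally_exposed(folders):
    """Folders readable by a global group that hold sensitive files, largest count first."""
    hits = []
    for folder in folders:
        if folder.acl & GLOBAL_ACCESS_GROUPS:
            n = sum(1 for f in folder.files if f.sensitive)
            if n:
                hits.append((folder.path, n))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def stale_sensitive(folders, now, max_age_days=365):
    """Sensitive files nobody has modified within max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(f"{folder.path}/{f.name}"
                  for folder in folders for f in folder.files
                  if f.sensitive and f.last_modified < cutoff)


def risky_accounts(accounts, now, inactive_days=90):
    """Enabled accounts whose password never expires, and en­abled accounts with no recent logon."""
    cutoff = now - timedelta(days=inactive_days)
    enabled = [a for a in accounts if a.enabled]
    return {
        "never_expires": sorted(a.name for a in enabled if a.password_never_expires),
        "stale_enabled": sorted(a.name for a in enabled
                                if a.last_logon is None or a.last_logon < cutoff),
    }


# Constructed inventory; paths are abbreviated share names, not real servers.
NOW = datetime(2019, 9, 1)
FOLDERS = [
    Folder("fs01/HR", {"HR-Staff"}, [File("salaries.xlsx", True, datetime(2019, 8, 20))]),
    Folder("fs01/Public", {"Everyone"}, [
        File("holiday_schedule.docx", False, datetime(2019, 7, 2)),
        File("customer_export_2016.csv", True, datetime(2016, 3, 10)),
    ]),
    Folder("fs01/Finance", {"Finance", "Domain Users"}, [
        File("cardholder_batch.csv", True, datetime(2019, 8, 30)),
        File("audit_2015.pdf", True, datetime(2015, 11, 2)),
    ]),
]
ACCOUNTS = [
    Account("alice", True, False, datetime(2019, 8, 31)),
    Account("bob", True, False, datetime(2019, 2, 1)),
    Account("carol", False, True, None),
    Account("svc_backup", True, True, datetime(2019, 8, 31)),
    Account("temp_contractor", True, True, None),
]


def audit(folders=FOLDERS, accounts=ACCOUNTS, now=NOW):
    """Run all three checks and return the findings keyed by takeaway."""
    return {
        "global_exposure": globally_exposed(folders),
        "stale_sensitive": stale_sensitive(folders, now),
        "accounts": risky_accounts(accounts, now),
    }


if __name__ == "__main__":
    for section, findings in audit().items():
        print(section, findings)
```

Each finding maps straight onto a remediation from the lists above: the Finance share is exposed through Domain Users and needs that group replaced with an explicit grant, the two old files are candidates for deletion or offline archive, and the service and contractor accounts are where the password policy and the stale-account cleanup should start.<br />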

As per the 2019 Data Risk Report, there’s a lot of room where organizations can improve the security of<br />

their business and customer data. Most companies have some areas where their data is at risk and<br />

vulnerable to a security breach. Also, a huge concern is the number of companies that are in noncompliance<br />

with privacy and security regulations of customer information.<br />

Your organization can use these security guidelines to strengthen your cybersecurity strategies so you<br />

can keep your data safe and secure.<br />

About the Author<br />

Rob Sobers is a software engineer specializing in web security at Varonis and is<br />

the co-author of the book “Learn Ruby the Hard Way.”<br />


How the Internet of Things Could Compromise Online Security<br />

By Chris Usatenko, Content Creator, EveryCloud<br />

The concept of an Internet of Things has been a dream held by many tech geeks. Up until a few years<br />

ago, though, the idea was one that just wasn’t practical to manage. Which company had the resources<br />

to maintain a network so that all the smart devices they manufactured could be brought online?<br />

As our tech has advanced, though, we’re a lot closer to having all of our devices and appliances<br />

online. We have smartphones, smartwatches, smart cars, and even smart appliances now. It’s<br />

convenient – just hit a button on your app on the way home, and you can start the coffee maker or<br />

kettle.<br />

Now, that’s just a small example of what’s possible. With IoT, we could end up controlling everything,<br />

from self-driven cars to the security systems of our homes remotely. It’s an exciting new world.<br />

Security Issues<br />

Unfortunately, it’s also opening the way for more cybercrime. 2017 saw a 600% increase in the<br />

incidence of IoT attacks. According to EveryCloud, cybercrime netted $445 billion globally in 2018, so<br />

making things easier for cybercriminals by using IoT tech could well be a serious problem.<br />


What’s the Potential Harm?<br />

You might wonder what the big deal is. So what if someone takes control of your fridge? What are they<br />

going to do, put the ice maker into overdrive? It doesn’t really seem like much of an issue until you<br />

consider that all of your devices would be tied into a central hub.<br />

You’d have one hub to control them all. And, like with Sauron in the Lord of the Rings, one by one the<br />

last remaining free devices in your home or office would fall. Which, again, isn’t a huge issue when it<br />

comes to things like coffee makers and fridges.<br />

It becomes an issue when the hacker is able to use the hub to access your smartphone or computer.<br />

They could hack into your smart speakers and eavesdrop on private conversations. They could hack<br />

your security cameras and have a good look around your home.<br />

What about that driverless smart car you’ll have parked in the garage? It could be hacked and driven<br />

right to the thief’s location. Or, and here’s a scary thought, hacked while you or your kids are in it. Now,<br />

that might sound a little paranoid, but it’s something that we’ll have to consider in the future.<br />

Different Security on Different Devices<br />

Part of the problem here would stem from the fact that there’d be differing levels of security on the<br />

devices that we’re using. We’ve already seen this when it comes to different Android devices. The<br />

devices themselves are only as secure as their basic operating software. There could well be loopholes<br />

for hackers to exploit.<br />

And, while a driverless car will presumably receive serious security engineering, the same is probably<br />

not true for your fridge or kettle. After all, who would bother to attack those devices? As the growth in<br />

IoT attacks above shows, plenty of people do, because a neglected device makes an easy foothold.<br />

What Can We Do About It?<br />

The safest bet would be to avoid using IoT devices. But who really wants to go to that length? Perhaps<br />

instead, it would be better to brush up on our security awareness training so that we better understand<br />

the concepts behind building a secure system.<br />

Fortunately, there’s a lot that we can do to secure our home and office systems against hacking. You<br />

already know the basics, like using strong, unique passwords and up-to-date anti-virus software. Now it’s<br />

time to take things up a few notches.<br />

You wouldn’t, for example, use the same password for both the hub and your car or other sensitive<br />

sites. You’d encrypt information stored on your system and create regular backups. You know the drill –<br />

by enhancing your online security, you can still enjoy the IoT.<br />


About the Author<br />

Chris Usatenko is the Content Creator & SEO Specialist at EveryCloud. He<br />

is a computer geek, writer, and gamer. Chris is interested in all aspects of the<br />

PC industry and videogames. A freelancer by nature, he is eager to gain<br />

experience and knowledge from around the world and apply them in his life.<br />

Chris can be reached online at Email: chris@securitymedia.org, Twitter:<br />

https://twitter.com/CUsatenko and at our company website<br />

https://www.everycloud.com/<br />


Public Sector Beware: 3 Steps to a Better Cyberattack<br />

Prevention Strategy<br />

By Phil Richards, CISO, Ivanti<br />

Just as healthcare organizations were a popular target of ransomware attacks over the past two years,<br />

public sector organizations (including school districts, municipalities and local and state public agencies)<br />

now seem to be the active targets.<br />

Most recently, three school systems in the state of Louisiana were victims of malware attacks, which shut<br />

down phone systems and locked and encrypted data. The event was deemed serious enough that Gov.<br />

John Bel Edwards issued a state of emergency which allows the state to access resources from the<br />

state’s National Guard, technology office and state police to remediate the intrusions.<br />

School Systems and Local Governments are an Increasing Target<br />

But Louisiana school systems are not alone. In fact, according to CNN there have been as many as 22<br />

known public sector attacks to date this year, already outpacing 2018. Among them is a RobinHood<br />

ransomware infection on April 10 which impacted computers operated by employees in the city of<br />

Greenville, North Carolina; a Ryuk ransomware attack on April 13 which hit both Imperial County, Calif.<br />

and the city of Stuart, Fla., forcing websites to go dark and shutting down customer services; and the<br />

still-unspecified malware that struck the municipally owned Cleveland Hopkins International Airport on April<br />

21, causing flight and baggage information to go down.<br />


Perhaps a more heavily reported municipal ransomware attack was just over a year ago when the city of<br />

Atlanta was crippled by SamSam ransomware. As a result of that attack the city ended up spending $2.6<br />

million in hard costs alone to respond to the attack – reportedly 52 times the amount of the $50,000<br />

ransom attackers demanded. Reports of the full cost to the city of Atlanta show an actual cost of more<br />

than $17 million. SamSam was also the cause of the attack the Colorado Department of Transportation<br />

experienced in February 2018, for which Colorado also declared a state of emergency, freeing up<br />

state resources to help with traffic, road management and transportation.<br />

But the state of emergency called by Louisiana is different. It centers more squarely on gaining assistance<br />

from cybersecurity experts across multiple government agencies to help speed the recovery process.<br />

While mitigating cost, like what Atlanta reportedly paid, may be one reason Louisiana called a state of<br />

emergency, it also signals to residents (and attackers) they are taking the breach very seriously and<br />

looking to recover as quickly as possible.<br />

Three Steps for Cyberattack Prevention<br />

While Louisiana works to get its impacted school systems back in action, the question is raised: “Can it<br />

happen in my local schools? Will an attack hit my city’s systems?” The answer is of course, “yes it can.”<br />

However, there are steps that can be taken to make the risk much lower. Consider these three steps:<br />

• Patch All Systems. For most organizations, patching should be the first line of defense. Ensuring<br />

that operating systems and third-party applications are up to date will limit or even prevent<br />

cyberattacks. Special effort should be made to ensure that all critical patches and updates for<br />

applications such as Adobe Flash, Java, Web browsers and Microsoft applications are kept<br />

current. Patches should be prioritized based on criticality and policy and applied so that they don’t<br />

disrupt users or operations.<br />

• Train Employees Regularly. Most ransomware is spread using phishing or spam emails. Thus,<br />

it is critical to train users to be savvy email consumers and careful web clickers. Criminals use<br />

many professional marketing and social engineering tools to improve their capabilities to trick<br />

users into opening fraudulent emails and increase their chances of success. It is likely that even<br />

the most educated user will be tricked. Education isn’t enough. Users need to receive periodic<br />

drills of phishing email campaigns that provide immediate feedback when they click on a<br />

link. When users see themselves getting “caught” is when they begin to change their behavior.<br />

• Minimize Computing Privileges. An important tactic to mitigate the damage caused by many types of malware, including ransomware, is to limit administrative privileges to only those who truly need them. For example, the Petya ransomware requires administrator privileges to run and will do nothing if the user does not grant those privileges. Removing administrator rights is easy, but balancing privileged access, user productivity and enterprise security is not. Effective access control protects organizations against malware and ransomware, but access control that focuses primarily or exclusively on privileged user access rights will likely prove less than effective. Generalized access control can be highly beneficial for protecting files located on shared drives. Users have legitimate needs to access and modify files on shared drives; after all, those files are documents created by legitimate users. As a result of this generalized access, a ransomware attack that successfully infects the system of a user with legitimate access rights can encrypt and hold hostage all the files on all connected, shared drives and folders.<br />
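The point above is that one infected user with ordinary share access is enough to encrypt every reachable file, so privilege limits need a detective control beside them. As an added example (not from the article or Ivanti), the Python below reads constructed file-server audit lines in an invented format and flags a user who, inside a short window, renames many files across several directories to one new extension, which is the write pattern ransomware leaves on a shared drive.<br />

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (the format is invented for this example):
#   <ISO-8601 timestamp> <user> <WRITE|RENAME> <path> [-> <new path>]
# "alice" edits normally, "bob" is the infected host renaming files to ".locked",
# "carol" makes a single ordinary backup copy.
SAMPLE_LOG = """\
2019-09-03T09:00:01Z alice WRITE /shared/finance/q3.xlsx
2019-09-03T09:00:40Z alice RENAME /shared/finance/q3-draft.xlsx -> /shared/finance/q3.xlsx
2019-09-03T09:01:05Z bob WRITE /shared/hr/policy.docx
2019-09-03T09:01:06Z bob RENAME /shared/hr/policy.docx -> /shared/hr/policy.docx.locked
2019-09-03T09:01:06Z bob RENAME /shared/hr/handbook.pdf -> /shared/hr/handbook.pdf.locked
2019-09-03T09:01:07Z bob RENAME /shared/finance/budget.xlsx -> /shared/finance/budget.xlsx.locked
2019-09-03T09:01:07Z bob RENAME /shared/finance/q3.xlsx -> /shared/finance/q3.xlsx.locked
2019-09-03T09:01:08Z bob RENAME /shared/legal/nda.docx -> /shared/legal/nda.docx.locked
2019-09-03T09:01:09Z bob RENAME /shared/legal/msa.docx -> /shared/legal/msa.docx.locked
2019-09-03T09:05:00Z carol RENAME /shared/sales/old.txt -> /shared/sales/old.txt.bak
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (WRITE|RENAME) (\S+)(?: -> (\S+))?$")


def parse_line(line):
    """Return (timestamp, user, action, path, new_path_or_None), or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4), m.group(5)


def extension(path):
    """Lower-cased final extension of a path, or '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(log_text, window_seconds=60, min_renames=5, min_dirs=2):
    """Flag a user who, inside one sliding window, renames at least min_renames files
    to the same new extension spread over at least min_dirs directories.
    One alert per (user, extension); later events for the same pair are not re-alerted."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> deque of (ts, new_ext, directory) inside the window
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, action, path, new_path = parsed
        if action != "RENAME" or new_path is None:
            continue
        old_ext, new_ext = extension(path), extension(new_path)
        if new_ext == old_ext:
            continue  # ordinary rename: the extension did not change
        events = recent[user]
        events.append((ts, new_ext, new_path.rsplit("/", 1)[0]))
        while events and ts - events[0][0] > window:
            events.popleft()  # drop events that fell out of the window
        same_ext = [e for e in events if e[1] == new_ext]
        dirs = {e[2] for e in same_ext}
        if len(same_ext) >= min_renames and len(dirs) >= min_dirs and (user, new_ext) not in alerted:
            alerted.add((user, new_ext))
            alerts.append({
                "user": user,
                "first_seen": same_ext[0][0].isoformat(),
                "renames": len(same_ext),
                "new_extension": new_ext,
                "directories": sorted(dirs),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_LOG):
        print(alert)
```

The thresholds are starting points to tune against a real share's baseline; a user who legitimately bulk-converts documents will also trip them, which is why the alert carries the extension and directories for triage.<br />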

In short, the recommendations of patching, user education and privilege management are critical pieces in preparing for and preventing cyberattacks. These steps are particularly important for public sector organizations and school systems, where budgets may be tighter and resources slimmer. However, taking these steps can be made easier through best-in-class software solutions that use automation to apply the necessary protections. When properly implemented, they can stave off risky and costly attacks without placing undue burden on security and IT teams.<br />

About the Author<br />

Phil Richards is the Chief Information Security Officer for Ivanti and is CEO of an IT security consulting firm. He has held other senior security positions, including head of operational security for a medical device manufacturer, Chief Security Officer for a financial services corporation and Business Security Director for an investment company. In his various leadership roles, he has created and implemented information security policies, led organizations through many local, US federal and international compliance efforts, implemented security awareness programs, and established comprehensive compliance security audit frameworks based on industry standards. He has implemented enterprise risk management and global privacy programs to address compliance and privacy internationally as well as for specific regions such as the European Union and Australia. Phil has been the recipient of multiple CISO of the Year awards, has written and spoken extensively on a variety of security topics, and has conducted training workshops for current and future CISOs, CIOs and board members. Transforming an organization requires focus on the objectives, clear communication, and constant coordination with executive leadership, which is where Phil has focused during his security career.<br />


Cybersecurity Checklist: How to Keep Your Business Secure<br />

By Lucy Manole, Content Writer, Right Mix Marketing<br />

In this era of digitalization, businesses are moving online faster than ever, resulting in an explosion of data. Most companies have moved to a cloud-based platform, which helps facilitate business activities. As a result, without significant cybersecurity protocols in place, a business cannot function properly in today’s world. Every day, the volume of data increases.<br />


In fact, according to statistics, by 2020 the universe will have 44 zettabytes of data. To put this into perspective, that is 40 times more data than the number of stars in the universe.<br />

The statistics further suggest that it is more a question of when, rather than if, you come under cyber-attack. And no company is safe, not even giants like Yahoo: three billion Yahoo accounts were hacked in 2013-2014.<br />

Statistics say that small to medium businesses are under greater threat of facing cybercrime. Numbers suggest that 61% of data breaches happen in companies with fewer than 1000 employees.<br />

So how do you counter this? Well, for one, it always helps to build a checklist. A checklist ensures that you get things right the first time, saving valuable time and money.<br />

Here is a brief cybersecurity checklist that you can use to keep your business secure:<br />

1. Are Your Employees Prepared to Deal With a Potential Cyber Threat?<br />

No matter how many firewalls you have and how stringent your security protocol is, none of them will work unless you educate your employees about cyber-attacks.<br />

There is no graver liability than an untrained workforce. Your employees should be the first ones to be aware of all the security checkpoints and policies in place, as well as the technologies in use. Two of the most common cyber-crimes come in the form of phishing and malware. Although they are designed to trick you in various ways, they are also easy to prevent with simple attention to the finer details.<br />

For phishing, all you need is a keen eye for weeding out potential threats in the form of spammy links. This is where training becomes essential: your employees must be trained to spot a phishing attack from a mile away. However, cyber-criminals are also getting smarter and using different techniques to lure your employees into a trap.<br />

An excellent way to put an end to this is mandatory employee phishing prevention training, whether at the time of joining or every six months. That way, they can keep abreast of the latest developments and avoid being duped by cybercriminals.<br />

2. Is Your Data Stored in a Secure Location?<br />

Another make-or-break question for you is the location where your data is stored. Irrespective of whether your business runs on a small network or is hosted on a cloud platform synced with an off-line center, it must be protected. There is no room for error in this case.<br />

Apart from the security of your data center, physical security is also an essential factor to be taken into account. In today’s world, data centers must have power and back-up service in the first instance. Another area of emphasis should be the physical protection you are providing for your hardware. Physical barriers like door locks and biometrics to prevent old-school hardware tampering may sound redundant and passé. However, it is something you should look into.<br />

Graphically, you can imagine your data center as the center of all power, the nucleus in a human cell, which needs maximum protection. While monitoring the outer circumference of your security, the center should not be taken for granted and ignored. Data has already overtaken oil as the most valuable asset and resource in the world. You should protect your data at all costs and do whatever is necessary, whatever the price.<br />

3. Are You Keeping a Constant Check on Your System?<br />

“With great power comes great responsibility.”<br />

And this is why, the bigger your network, the more vulnerabilities you have. As a result, you have to be extra careful when it comes to keeping an eye on your system.<br />

That is not to say that all is rainbows and sunshine for small businesses. The underlying security checkpoints and protocols remain the same for all businesses.<br />

Devices like telephones, smartphones, PCs, laptops and wifi tend to increase your liability and make you more vulnerable to cyber threats. Vulnerability scanning at a pre-determined, defined frequency is a great method for selectively identifying and weeding out weak links in your network. Things like out-of-date PCs, simple passwords and unsecured wifi networks are just the tip of the iceberg.<br />

A full vulnerability scan will inspect your entire network and flag all potential hazards. Again, that is just the start. Once you have identified potential loopholes, you need to get them fixed in such a way as to avoid similar threats in the future.<br />

Hire a certified cybersecurity professional or a managed security services provider to help you alleviate your worries regarding cyber threats. Standard services include managed firewall, intrusion detection, virtual private network, vulnerability scanning, antivirus services and remediation to keep your system in check. These are highly professional services aimed at managing and monitoring your security devices. Seeking professional help to supplement your efforts is an excellent way to plug the gaps. With everything in place, you can now rest easy!<br />

4. Deploy 2-Factor Authentication<br />

You may think you are immune to cybersecurity mishaps, but only until it happens to you. More often than not, businesses become victims of cybercrime due to minor things like an unsecured password. Thankfully, there is a way to protect your password authentication systems without going through any hassle yourself.<br />

You can simply use two-factor authentication (2FA). A form of multi-factor authentication (MFA), this easy-to-use security method stops password theft before it can take shape. The process is quite easy. When logging in to an account with 2FA, you type in your regular username and password combination, and the login is then verified on your phone. This secondary code helps ensure that you are really who you say you are.<br />

Even big corporations like Google and Yahoo use it to protect their systems against potential cyber threats. A simple code keeps your data and accounts protected. Using your phone as your ultimate verifier is equivalent to a guarantee that a miscreant cannot merely hack your computer and gain access to your data. The best part about 2FA is that it is inexpensive, and the set-up is straightforward. If you haven’t got it, this should be your number one priority right now.<br />

5. Secure Your Endpoints<br />

By endpoints, we mean the devices that have become so prevalent in the 21st century. Here, an endpoint is any device that you use to access a network. From your mobile devices to your laptops, it can be anything!<br />

However, this is the most common place for a security breach to take place. Businesses today have understood that, and that's why most of them have migrated to a model that uses technology outside of the office. If you haven't, then now is as good a time as any.<br />

Real-time protection and continual, uninterrupted defense are the need of the hour. With the advances in hackers’ technology, simple anti-virus software is not enough anymore. And automated systems can lead to a false complacency that lulls your senses into thinking that you are entirely secure. However, you need persistence and focus, along with a significant amount of skill, to monitor your network all the time.<br />

Endpoint Detection and Response is always possible, no matter the size of the business. Endpoint security, though seemingly banal, has its uses. And as they say, better safe than sorry.<br />

Wrap-Up<br />

Having a cyber-security checklist is an outstanding practice that more and more companies are adopting. Not only does it ease your job, but it also helps in the immediate and sufficient identification of the shortcomings of your own business’s protocols, which can help you take action quickly and decisively. With these measures in place, you can efficiently counter the cyber-crime menace and conduct your business without any hassle.<br />

About the Author<br />

Lucy Manole is a creative content writer and strategist at Right Mix Marketing Blog. She specializes in writing about digital marketing, technology, entrepreneurship and education. When she is not writing or editing, she spends time reading books, cooking and traveling. Lucy can be reached online at https://twitter.com/rightmixmktg, https://www.facebook.com/RightMixMarketing/ and https://in.linkedin.com/company/right-mix-marketing and at our company website https://www.rightmixmarketing.com/<br />


Ready Position - Proactive Teams are Helping Solve the Cybersecurity Skills Shortage<br />

By Aidan McCauley, Vice President of Technology Investments, IDA Ireland<br />

Some of the fans glancing toward the outfield at a baseball game may be recalling their own Little League days. If they were in the outfield and looked to be unprepared, they would hear, “Ready position!” Most likely this command would have been prefaced by yelling the young person’s name and would have come from the coach, parents, or both at once. The four-step response is to place legs apart, bend slightly at the knees, lean forward slightly, and look intently toward home plate. Should the next swing of the bat require them to run, spring up, or bend down, they’re now ready to field the ball.<br />

Good News Amid Grim Figures<br />

Firms who must protect their intellectual property along with their own data and that of their customers are heeding a “Ready Position” command that’s being expressed in numeric form: predictions that cybercrime worldwide will cost $6 trillion annually by 2021 and that more than three million cyber security job postings worldwide will go begging over the next 5-7 years; IT professionals reporting that the cybersecurity skills gap [7] at their companies heads their list of worries for the fourth year in a row; a 300,000 worker shortfall of U.S. cyber employees last year; 64 percent of respondents telling the Ponemon Institute in 2018 that “one or more endpoint attacks …successfully compromised data assets and/or IT infrastructure over the past 12 months.”<br />

Yet for all these grim statistics, there is good news. Yes, the shortage of individuals to fill cybersecurity roles is a challenge. The chasm between cybersecurity positions and people to fill them is growing at triple the rate of other IT job shortages. [8] However, as with the steps Little Leaguers take to be versatile fielders, steps to meet the evolving cybersecurity challenge are available to businesses. Some regions and ecosystems offer more opportunity than others to leverage those steps.<br />

Earlier this year, Jon Oltsik, senior principal analyst at the Enterprise Strategy Group, wrote that measures to address the severe worker shortage include leadership at the governmental level, public/private partnership, and “an integrated industry effort.” [9] Actions corresponding to these steps are already well underway in Ireland, which has long had a tech-sector-supportive ecosystem.<br />

Part of this ecosystem is the expansive cybersecurity initiative Cyber Ireland, a cluster organization created by Ireland’s foreign direct investment agency, IDA, and academic institute Cork Institute of Technology, that also includes US businesses, to find a solution to the worldwide problem.<br />

Representatives from U.S. businesses and the Irish government looked closely together at the key challenges facing enterprises in the cyber sector. Putting their heads together enabled IDA, along with Google, Microsoft, Facebook, IBM, Dell, SAP, Cisco, and other firms with a commitment to ongoing cybersecurity, to lay the groundwork for Cyber Ireland. Cyber Ireland made sure to form a board that includes representatives from industry, agencies including the National Cyber Security Centre and the Garda Cyber Crime Bureau, government, and academia.<br />

Joining a Robust Ecosystem<br />

A natural result of following the integrated industry effort was the launch of the well-funded Cybersecurity Skills Initiative (CSI). CSI graduates have already joined the cybersecurity workforce in Ireland, most employed by US multinational firms, a trend expected to continue. These graduates become part of a thriving ecosystem that includes Forcepoint’s Cloud Security Centre of Excellence, the Hewlett Packard Enterprise (HPE) Global Cyber Defence Centre, and McAfee’s Centre of Excellence for Enterprise Security Solutions in Ireland, to name a few.<br />

[7] https://www.esg-global.com/blog/the-cybersecurity-skills-shortage-is-getting-worse<br />

[8] https://www.channelfutures.com/mssp-insider/cybersecurity-talent-shortage-intensifies-despitetraining-efforts<br />

[9] https://www.esg-global.com/blog/the-cybersecurity-skills-shortage-is-getting-worse<br />


By 2022, CSI graduates will account for 5,000 new cyber security professionals joining this ecosystem. That’s an achievement that could not have been contemplated without the engagement of U.S. companies with Irish locations. Firms such as Deloitte, IBM and Maxol collaborated with Skillnet, Ireland’s corporate-government training agency, to design the curriculum. Cork Institute of Technology, Dublin City University and other colleges in Ireland deliver content both online and in the classroom. Cross-training and up-training for IT professionals from all sectors takes place in programs that range from 12-week courses to graduate programs. US companies can also access Europe’s working population of 250 million: countries in the European Economic Area (EEA) do not require individuals from these EEA nations to obtain work permits.<br />

The pace and the curriculum of CSI take into account, as was emphasized recently on forbes.com, that cyberattacks don’t come in just one flavor. Training, informed by industry, government, and academia in partnership, helps prepare graduates to fit specific expertise to specific threats.<br />

Conclusion<br />

The ecosystem these graduates will continue to enter is one where Cyber Ireland’s goal will continue to be encouraging and facilitating the unimpeded flow of R&D resources and knowledge among industry, cybersecurity agencies, and academia.<br />

Commitment to this goal is why Dr. Eoin Byrne, cluster manager of Cyber Ireland, explains, “It’s not only that we can address issues that the industry faces and will face beyond just security, it’s also that we have the advantage of building upon U.S. businesses, Irish government, and academia already having put their heads together to understand the key challenges for the tech sector.”<br />

Putting more cybersecurity professionals into ready position for defense of our connected world is already happening. With teams that include all the stakeholders, strong government support, and a successful cybersecurity history to draw upon, readiness, no matter what the bad guys throw at your enterprise, can be counted on.<br />

Caption for to-be-determined image: As the number of connected devices grows—25.1 billion in 2025, compared to 2017’s 7.5 billion [10]—the attack surface for threat actors expands too, making initiatives to rapidly increase the number of cybersecurity professionals vital.<br />

[10] https://www.globenewswire.com/news-release/2019/06/28/1875952/0/en/The-2019-Cloud-Robotics-Market-25-1-Billion-IoT-Connected-Devices-are-Forecast-by-2025-Offering-a-Massive-Opportunityfor-Connected-Robots-Their-Platform-Market.html<br />


About the Author<br />

Aidan McCauley is Vice President of Enterprise Technology and Cyber Security investments for IDA Ireland, based out of its Mountain View office, California. Aidan supports Bay Area companies looking to assess the best location to establish and grow their European operations. By providing critical data such as talent, productivity, property, ease of doing business, financial incentives and freedom of movement, he enables companies to carry out thorough due diligence and be informed of the benefits of doing business in the fastest growing economy in Europe, Ireland.<br />


Voice Commerce Calls for Built-in Security<br />

By Julian Weinberger, NCP engineering<br />

In the mid-1990s, retailers embraced the Internet to increase customers and to introduce new service offerings. A new breed of online-only merchants quickly emerged to challenge traditional brick and mortar stores for Internet-based transactions. Since then, successive advances from eCommerce to mCommerce to omnichannel have forced retailers to make their virtual presence every bit as strong as their physical one just to stay relevant. Today, the ever-evolving retail industry shows no signs of slowing down. The latest phenomenon taking merchants by storm is voice-assisted shopping.<br />

Retail Talk<br />

As voice-activated IoT devices such as the Amazon Echo, Apple HomeKit, and Google Home grow in popularity, consumers are starting to use them to order goods using simple voice commands. A study by Adobe Analytics showed that 22 percent of digital assistant owners use their devices for shopping.<br />

While the Artificial Intelligence (AI) powering these voice systems is presently limited to accessing automated customer services via voice-bots or repeat orders of items bought previously, the technology is quickly becoming more sophisticated and will soon be capable of delivering a highly personalized service. Walmart, for example, recently announced a new voice-ordering service available via Google’s many smart devices.<br />

Industry observers anticipate that, within a few years, consumers will be able to use voice-powered digital assistants to shop with the vast majority of retailers. Manufacturers are already designing everyday machines and appliances with built-in voice-powered technology. LG, for example, has demonstrated a smart refrigerator that uses Alexa to order food items, while some car makers have integrated voice technology into their vehicles to allow voice-shopping while driving.<br />

Analysts forecast that voice-assisted shopping will grow by 500% over the next three years, with more than 1.6 billion people regularly using the technology by 2021. OC&C reports that voice commerce spending will reach $40 billion by 2022 and that more than half (55%) of households will have at least one smart speaker.<br />

Cybersecurity Threats<br />

When it comes to security and data privacy, manufacturers of voice-assisted IoT devices still have a long way to go to reduce consumer fears. A 2018 Global Consumer Insights Survey by PwC found 13% of study participants were concerned about the security of AI devices.<br />

Recent data breaches do little to help build trust – Amazon sent 1,700 Alexa voice recordings to the wrong person by mistake following a data request in 2018. Without proper security measures in place, digital assistants make attractive targets for cyber criminals looking to harvest personally identifiable information (PII) to sell on the dark web.<br />

Even though these devices are smart, they can still be triggered by random voices from TVs and radios and can be controlled by unknown users. For example, a prerecorded message on a random Spotify playlist can easily say, “Alexa, buy me the new Mac Pro,” and the device of everyone who plays the playlist on a speaker will place the order. This is essentially a formjacking attack on voice-controlled devices.<br />

Data Privacy<br />

To protect voice commerce, the makers of AI-powered voice-activated IoT equipment must first ensure that devices are designed with in-depth security and data privacy protection built in.<br />

While authentication is available on some smart devices already, it is based on biometric authentication, which unfortunately always has a false acceptance and false rejection rate. Adding a second layer of authentication to the smart device will make it more secure; for example, smart devices could only order merchandise when the user/owner is in the same room.<br />

Recommended layers of defense include certificate-based authentication plus a unique hardware identifier. Smart speakers should also feature multiple security mechanisms, including authorization, virus protection, and remote access management for business environments.<br />

Finally, the best way to preserve the privacy of voice data exchanges is with end-to-end encryption, a technique synonymous with remote virtual private network (VPN) services. End-to-end encryption protects data at every stage of the communications process – at device level, while in transit, and when stored at its destination – by scrambling the content to render it unintelligible to outside observers.<br />

In summary, smart speakers are quickly becoming a part of the average connected home. While the retail industry is responding by adding AI-powered voice technology to a multitude of machines and devices, manufacturers must ensure that security is built in by design. Virtual private networks with end-to-end encryption will effectively protect the data privacy of consumers who purchase merchandise from their smart speakers.<br />

106


About The Author<br />

Julian Weinberger, CISSP, is Director of Systems Engineering for NCP engineering. He has over 10 years of experience in the networking and security industry, as well as expertise in SSL VPN, IPsec, PKI, and firewalls. Based in Mountain View, CA, Julian is responsible for developing IT network security solutions and business strategies for NCP.<br />


Protecting Your Business against DDoS Attacks Requires Simple Best Practices<br />

By Rodney Joffe, Senior Vice President, Senior Technologist and Fellow, Neustar<br />

In the twenty years since a University of Minnesota computer came under attack from a network of over 100 computers infected with a malicious script, three things have seemed certain in life – death, taxes, and that Distributed Denial of Service (DDoS) attacks would continue to steadily grow in size, scale and impact.<br />

From that first instance on, DDoS attacks seemed to adhere to a “grow always in all ways” philosophy. Attackers would exploit vulnerable machines – or, in recent years, insecure IoT devices – to launch a coordinated botnet against the target, the objective being to disrupt or block business traffic. Revered for their ability to deliver blunt force trauma, DDoS attacks are capable of overwhelming even the mightiest Fortune 500 company, causing untold impact to a business’ infrastructure and operations.<br />

As companies began evolving their cybersecurity mechanisms, a funny thing happened: DDoS attacks began to evolve, too.<br />

A recent analysis of DDoS attack patterns found a clearer and more pronounced affirmation of a few recent trends – a steady increase in the number of vectors being used by attackers, and an increase in the volume of small attacks sized 5 Gigabits per second (Gbps) and lower. For perspective, the kinds of massive attacks that make the news are typically above 100 Gbps.<br />

As counterintuitive as it may seem to go tiny, attackers have recognized that small, targeted DDoS attacks can evade an organization’s defenses by coming in below the threshold where defenses are triggered. By remaining below this threshold, an attack might continue for a long time undetected. While it may seem like an oxymoron to some, bad actors are becoming more and more precise in narrowly targeting their DDoS attacks. As the target becomes smaller, less traffic is required to bring it down. Smaller DDoS attacks can narrowly target the weakest link in an organization’s infrastructure, degrading the performance of a specific business application or damaging a single API to harm an organization via the death-by-1,000-paper-cuts approach.<br />

The volume of attacks sized 5 Gbps and below increased by 158% in Q2 of 2019 compared with the same quarter last year – the single area with the highest percentage of growth. Additionally, over 75% of all attacks mitigated by Neustar last quarter were sized 5 Gbps or less.<br />

What’s more, a survey conducted this quarter by the Neustar International Security Council (NISC) found that a staggering 72% of senior cybersecurity leaders and decision makers were not confident in their organization’s ability to notice a smaller attack. To protect against increasingly precise and inconspicuous DDoS attacks, businesses must deploy best practices to ensure that they are defending the infrastructure that is most valuable to their business. So how do you as an executive defend your business against these attacks?<br />
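The argument so far is that a sub-5 Gbps, multi-vector attack aimed at one API slips beneath a single volumetric trigger. As an added example (not from the article or Neustar), the Python below runs constructed per-endpoint traffic samples through a global-threshold detector and a per-endpoint baseline detector side by side; the 5 Gbps threshold, the endpoints, the vectors and every traffic figure are assumptions made for the demonstration.<br />

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: inbound Gbps seen per endpoint over the last five clean intervals.
BASELINE_GBPS = {
    "/": [2.0, 2.1, 1.9, 2.2, 2.0],
    "/static": [1.0, 1.1, 0.9, 1.0, 1.0],
    "/api/checkout": [0.05, 0.06, 0.05, 0.04, 0.05],
}

# Constructed current interval: (endpoint, traffic vector, Gbps). Two small vectors
# aimed at the checkout API add up to well under the volumetric threshold.
CURRENT_INTERVAL = [
    ("/", "HTTP", 2.1),
    ("/static", "HTTP", 1.0),
    ("/api/checkout", "HTTP-flood", 0.5),
    ("/api/checkout", "SYN-flood", 0.25),
]


def total_gbps(samples):
    return sum(gbps for _, _, gbps in samples)


def global_threshold_alert(samples, threshold_gbps=5.0):
    """Volumetric detector: fires only when aggregate inbound traffic crosses one fixed
    threshold (the 5 Gbps default is an assumed value for this example)."""
    total = total_gbps(samples)
    return {"total_gbps": total, "alert": total >= threshold_gbps}


def per_endpoint_anomalies(baseline, samples, k=4.0, min_ratio=5.0, min_delta_gbps=0.1):
    """Baseline detector: flag an endpoint whose current rate is k standard deviations
    above its own history, at least min_ratio times its mean, and at least
    min_delta_gbps above it (the absolute floor keeps near-idle endpoints from
    alerting on noise). Endpoints with no history are reported with no ratio."""
    observed = defaultdict(float)
    vectors = defaultdict(set)
    for endpoint, vector, gbps in samples:
        observed[endpoint] += gbps
        vectors[endpoint].add(vector)

    findings = []
    for endpoint, gbps in observed.items():
        history = baseline.get(endpoint)
        if not history:
            if gbps >= min_delta_gbps:  # traffic to an endpoint never seen before
                findings.append({"endpoint": endpoint, "observed_gbps": gbps,
                                 "baseline_gbps": None, "ratio": None,
                                 "vectors": sorted(vectors[endpoint])})
            continue
        mu, sigma = mean(history), pstdev(history)
        if gbps >= mu + k * sigma and gbps >= mu * min_ratio and gbps - mu >= min_delta_gbps:
            findings.append({"endpoint": endpoint, "observed_gbps": gbps,
                             "baseline_gbps": mu, "ratio": gbps / mu,
                             "vectors": sorted(vectors[endpoint])})
    return findings


if __name__ == "__main__":
    print(global_threshold_alert(CURRENT_INTERVAL))
    for finding in per_endpoint_anomalies(BASELINE_GBPS, CURRENT_INTERVAL):
        print(finding)
```

With these figures the aggregate sits at 3.85 Gbps and the global detector stays quiet, while the baseline detector reports the checkout API at roughly fifteen times its normal rate and lists both vectors hitting it.<br />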

• Develop a Risk Register: This begins with an inward analysis of your company’s most critical business assets and works outward towards your internet presence. Throughout this process, your team should be asking, “If certain parts of our business were compromised or disabled, how destabilized would our entire enterprise become?” Such destabilization could range from intellectual property theft to compromised customer information or inhibited shopping cart features. For some, a blog is as critical to their enterprise as customer billing logs. This exercise helps you distinguish between which parts of your business are valuable to your company’s existence (such as a blog or a shopping cart feature) and which are simply vulnerable by their very nature (such as routers or smart speakers). While valuable assets and vulnerable assets are not mutually exclusive, you may be surprised at how little overlap there is between the two. Creating this distinction will help your executive team deploy the right protection in the right place.<br />

• Reevaluate Your DDoS Protection: As multi-vector attacks increase, it is increasingly important to ensure you are taking the right approach to DDoS protection. Between April and June 2019, more than 82% of attacks mitigated by Neustar used two or more threat vectors, with 7% utilizing more than four. There are two types of mitigation services to consider for DDoS protection: always-on and on-demand. Because bad actors increasingly use multiple vectors for attacks, a best practice is to begin with always-on DDoS protection to gain an understanding of how much malicious traffic you are receiving, then move to on-demand mitigation if necessary. By initially setting your default to the always-on scenario, you will gain a strong understanding of what should be protected and how much protection you need. Once you have a feel for your attack thresholds, you can then work with your cybersecurity provider to determine which type of mitigation services are needed to protect your critical assets.<br />

• Understand Your IoT Risk: As the use of IoT devices increases, the number of critical assets your company has will only compound the threat. Intel has projected that internet-enabled device penetration will grow from 2 billion in 2006 to 200 billion connected devices by 2020 – that’s about 26 smart devices for each human on earth. IoT devices come with a unique set of cybersecurity and privacy risks, so it is important for organizations to establish best practices now, before connected devices with unknown vulnerabilities proliferate throughout the network. Ensure your executive team has a solid understanding of your organization’s existing IoT footprint. Once a database of connected devices is established, the IT and security teams must work together to perform routine checks of those devices to ensure cybersecurity hygiene. Since one of the greatest security risks to an organization is its people, taking the time to ensure employees understand cybersecurity basics – such as how to spot a phishing email and the importance of two-factor authentication – will help to build awareness and create a culture of security.<br />

Although super massive DDoS attacks that overwhelm a target with a tidal wave of network traffic aren’t going away, some attackers have traded in the sledgehammer and embraced subtlety. They have found ways to launch attacks that are small enough to evade standard DDoS protection and precise enough to target a single weak link in an organization’s infrastructure. Until we see drastic changes in the way communications are handled on the internet, DDoS attacks large and small will remain formidable. But by understanding where you are at risk around critical business operations, knowing how to protect them and maintaining an active awareness of what IoT devices are being managed, you will put your company in a strong position to weather DDoS attacks, regardless of size or complexity.<br />

About the Author<br />

Rodney Joffe, Senior Vice President, Senior Technologist and Fellow, Neustar.<br />

Rodney Joffe serves as a Neustar Senior Vice President and is a Senior Technologist and Fellow. His accomplishments include founding the first commercial Internet hosting company, Genuity, as well as the first outsourced and cloud-based Domain Name System (DNS) company, UltraDNS, where he invented Anycast Technology for DNS. Joffe has served on a number of the U.S. government’s cybersecurity intelligence panels and was the leader of the groundbreaking Conficker Working Group. He is one of the first civilians to receive the Federal Bureau of Investigation (FBI) Director’s Award, due in no small part to his role in uncovering and taking down the Butterfly Botnet. He has also been honored with the Mary Litynski Lifetime Achievement Award from M3AAWG, the global Messaging, Malware and Mobile Anti-Abuse Working Group, and was most recently publicly recognized for his years of work and dedication in helping protect against cybercrime, winning The Computing Security Award for his contribution to Cyber Security in 2018.<br />

Joffe is also the chairman of the Neustar International Security Council (NISC), which is comprised of an elite group of cybersecurity leaders across industries and companies who meet regularly to discuss the latest cyberattack trends.<br />



Serverless Security Analysis: The Best Practices on How to Enforce Them<br />

By Aaron Chichioco, content editorial manager/web designer, Design Doxa<br />

Even before companies started making the jump to serverless, security was already a concern in a world that is largely becoming digital. Now, with technology steadily turning toward serverless (everything from architecture to applications is growing in number by the day) and the related cloud-based operations, the question of security becomes even more prominent, as this form of structure may require more complex considerations.<br />

The Strength in Serverless<br />

Computing can be seen as an evolutionary process. It went from physical machines to virtualization, then to cloud computing and containers, before finally making the jump to serverless. Serverless architecture has numerous benefits compared to its traditional counterparts. Serverless is typically used for applications that require custom images and events, or even fixed-time triggers. It’s best suited to applications with rapid and high fluctuations in traffic, as it’s capable of scaling to cope with rapidly rising and falling traffic.<br />



However, with these benefits comes a different set of security protocols, especially compared with the expected standard of traditional infrastructure. With no physical servers, and with processes running as ephemeral functions, serverless can cut down on the more common concerns. It’s even able to absorb heavier attacks than traditional systems.<br />

Security Strains on Serverless<br />

Still, it’s not without faults. There are more areas to attack, data is at risk during transfers, and keeping an eye on its many functions is challenging. There are several good practices to remember in defending serverless architecture. Keep in mind that not all companies will need the same security protocols. Still, it’s imperative to know them in order to be prepared for any occasion.<br />

1. Add another layer of defense against a siege<br />

Serverless systems are typically stronger against heavy DDoS attacks. DDoS attacks are performed by overloading a website with repeated requests, taxing it to its limits and causing it to stall. Ultimately, the site crashes and users can’t use it. Serverless architecture is typically less vulnerable to these types of attacks; its scalable platforms can withstand heavy DDoSing.<br />

However, they still have limits, and it may cost a company a great deal of money to hold the fort against such an attack. To this end, an API gateway adds another layer of protection: it can enforce rate limiting in front of your functions, so your resources won’t get exhausted.<br />
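To make the gateway point concrete, here is an added example (written for this edit, not code from the article or from any gateway product) of the per-client token-bucket rate limiting an API gateway applies before a request reaches a function. The rate, burst size and client identifiers are constructed for illustration, and a ManualClock stands in for real time so the behaviour can be checked without sleeping.

```python
import time
from dataclasses import dataclass, field

# Added example: a per-client token bucket of the kind an API gateway enforces
# in front of serverless functions. Limits and client ids are constructed.


class ManualClock:
    """Deterministic clock so the limiter can be exercised without waiting."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


@dataclass
class Bucket:
    tokens: float   # requests this client may still make right now
    last: float     # timestamp of the last refill


@dataclass
class RateLimiter:
    rate: float                       # tokens refilled per second, per client
    burst: int                        # bucket capacity: requests allowed back-to-back
    clock: callable = time.monotonic  # injectable for tests
    buckets: dict = field(default_factory=dict)

    def allow(self, client_id: str) -> bool:
        """True if the request may pass to the backend; False means reject (HTTP 429)."""
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = Bucket(tokens=float(self.burst), last=now)
            self.buckets[client_id] = bucket
        # Refill in proportion to elapsed time, never above the burst capacity.
        elapsed = now - bucket.last
        bucket.tokens = min(float(self.burst), bucket.tokens + elapsed * self.rate)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def simulate_flood(limiter: RateLimiter, client_id: str, n: int) -> int:
    """Fire n back-to-back requests from one client; return how many got through."""
    return sum(1 for _ in range(n) if limiter.allow(client_id))


if __name__ == "__main__":
    clock = ManualClock()
    limiter = RateLimiter(rate=2.0, burst=5, clock=clock)
    print("first flood of 20 from one client, allowed:", simulate_flood(limiter, "client-a", 20))
    clock.advance(1.0)
    print("one second later, allowed:", simulate_flood(limiter, "client-a", 20))
```

A flood from a single client is capped at the burst size and then at the refill rate, while other clients keep their own buckets, which is what stops one attacker from driving your function invocations (and bill) upward on their own.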

2. Partition the data during transfers<br />

One of the main risks with serverless structures is that data may be vulnerable during transfers and transmissions. Email, for example, is one such exposure. Most cybersecurity practices include email security, but in the case of defending serverless email, data partitioning is a good way to ensure that the payload is transferred safely. The act of sending the email is separated into different partitions, so the entire email is not sent all in one go. This makes it far less likely that the entire email falls to something malicious trying to extract data from it.<br />

3. Establish clear authentication and authorization controls<br />

Any cybersecurity expert will say that authentication and authorization protocols are among the most basic and initial concerns. Ever since programmers developed accounts and passwords, they have been a pillar of digital security. The same is still true for serverless processes.<br />

There are numerous functions that could be running in a serverless system. Authentication and authorization need to be heavily enforced, clear-cut, and binding across all platforms. If an app can be accessed through mobile, desktop, or other platforms, the same solid enforcement must be present on each platform individually. However, to avoid redundant checks and complexity, enforcing it at the API gateway could be another excellent method.<br />



4. Tie up the Dependencies and Third-Party Services<br />

Another area that may produce security vulnerabilities is an application that has dependencies or is linked to third-party services. Payment gateways are among the most common. Patching in the traditional sense isn’t a particular fit for serverless architecture; however, it is still a major concern, especially as third-party services such as payment gateways and platforms will hold extremely sensitive user information that gives access to their finances.<br />

Security protocols used by the application and the third party must be rechecked to ensure that they remain up to date at all times. Automated tools can also aid in checking the dependencies so that no vulnerable components are being used. For third parties, security questionnaires can also help meet the necessary safety requirements. It’s also essential to stay on top of things and audit the status whenever possible.<br />

5. Keep an Eye in the Sky<br />

Monitoring should be a regular part of security upkeep for serverless systems. There are numerous functions being triggered and deployed at any given time, many of them short-lived, and they grow in number as the serverless application scales up.<br />

While it may be easy to lose sight of everything going on, it’s imperative that there’s still constant monitoring of the ongoing functions. This way, in spite of the increasing complexity of the system, you will still be able to stay on top of any malicious attacks or attempts to force unsafe processes. The functions themselves need to be checked for security vulnerabilities as they are developed and updated.<br />

What the Future Holds for Serverless<br />

Security concerns aside, the future seems to only get brighter for serverless. It’s currently the fastest-growing cloud service model, growing at 97% a year. With its low cost, less complex operations, and increased efficiency, it only gets more and more popular with developers worldwide. The trend over the next few years shows the industry leaning toward innovation and improved performance. There is also expected growth in testing options, to truly be able to audit and gauge what limitations serverless may have and how far it can still be taken.<br />

Security is also expected to improve further. With the rapid growth of serverless, security must rise with it. Cloud service providers are seen as the next focal point for heightened security. Applications also need serious boosts in security, as one in five of them has critical vulnerabilities. This year and next, enterprises are predicted to be more likely to seek out the right set of tools for protection. These even include policies that make use of the full visibility of serverless, along with the unique cloud deployments used.<br />

Serverless is being adopted more and more throughout the world. The wave sees multiple application components as models, executed on triggers, providing greater speed, efficiency, and cost-effectiveness. The traction continues to gain speed as the benefits of a serverless architecture, most especially its important security benefits, continue to spread to developers who are looking for great solutions for new applications.<br />

As long as companies maintain a commitment to security, reinforcing cybersecurity protocols and understanding where serverless’ vulnerabilities lie, serverless can only develop to become even more secure and efficient. In no time at all, serverless can fulfill the expectation of becoming the next great evolutionary iteration of computing.<br />

Stay up to date on the latest news and trends in cybersecurity, including vital knowledge about keeping serverless architecture safe, by visiting Cyberdefensemagazine.com<br />

About the Author<br />

Aaron Chichioco is the content editorial manager and one of the designers behind the creation of Design Doxa.com. His expertise is not limited to web/mobile design and development, but includes marketing, branding and eCommerce strategies as well. As a former operations manager, he has overseen the day-to-day operations of several online businesses since 2011. You can follow Aaron on Twitter at @Aaron_Chichioco and at http://designdoxa.com/about-us/<br />



Stop! Vulnerable Software<br />

Know your vulnerabilities<br />

By Joe Guerra, M.Ed, CySA+, C|EH, Cybersecurity Instructor, Hallmark University<br />

Software is omnipresent, even in areas you wouldn’t envision<br />

Software is so seamlessly woven into the fabric of modern life that it blends into our everyday existence without notice. We constantly interact with software through the everyday objects that have technology embedded in them, from our most routine actions, as we drive to work in our automobiles, as we purchase groceries at the local market, as we withdraw money from the local bank, and even when we listen to our music or call a friend. Therefore, software needs security attention during its development.<br />

Software security risks are ubiquitous. And in an age of cybersecurity risks, they affect everyone: people, organizations, nations, and so on.<br />

I probably don’t need to devote much time to convincing you that security flaws in software are normal, and that it is imperative to look out for them. However, many developers do not comprehend how prevalent the issue of insecure software really is.<br />



Cyberattacks have been in the news for the past decade. Duqu and Stuxnet had the industry talking in 2010 and 2011, and cyberattacks have only accelerated since then. WannaCry struck vital systems in 2017, including Britain’s National Health Service, and GitHub was struck by a denial-of-service (DoS) attack in early 2018.<br />

These attacks were carried out by exploiting a vulnerability in software. A software vulnerability is a bug, error, or fault present in the software or in the operating system. The issue of software vulnerabilities has grown at an unstoppable rate, as software and firmware are everywhere. Of course, all technology has vulnerabilities. The concern is whether or not they are subjected to exploits that cause harm.<br />

Software vulnerabilities are defined by three ultimate factors:<br />

• Presence – The existence of a flaw in the software.<br />

• Access – The possibility that attackers gain access to the flaw.<br />

• Exploitability (Risk) – The capability of the attacker to take advantage of that flaw via tools or techniques.<br />

Every day, numerous organizations see vulnerabilities in their code exploited.<br />

Software is at the root of all common computer security problems. If your software misbehaves, a number of different sorts of difficulties can crop up: reliability, availability, security, and safety. The additional kink in the security situation is that an attacker is actively attempting to make your software misbehave. This surely makes security a tricky proposition.<br />

There are many software glitches out there, and your software vulnerabilities will be different from someone else’s. So it is imperative to get involved and examine the software that you are using. In order to build or examine secure software, it is indispensable to have an understanding of software vulnerabilities. Here are three examples of important, and dangerous, vulnerabilities.<br />

SQL Injection<br />

SQL injection is a technique in which SQL code is introduced into, or appended to, application/user input parameters that are later passed to a back-end SQL server for execution. Any process that builds SQL statements could be susceptible to this type of attack, as the varied nature of SQL and the methods available for building it provide a wealth of coding choices. The main form of SQL injection consists of direct insertion of code into parameters that are concatenated with SQL code and executed.<br />

In this instance, you are going to try to insert your own SQL commands by appending them to the input parameter val. You can do this by appending the string ' OR '1'='1 to the URL:<br />

• http://www.targetvictim.com/products.php?val=100' OR '1'='1<br />



The SQL statement that the PHP code builds and executes will return all of the products in the database, irrespective of their price. This is the result of altering the logic of the query: the appended condition makes the OR operand of the query always true, since 1 will always be equal to 1.<br />

Here is the SQL code that was built and executed:<br />

SELECT * FROM ProductsTbl<br />

WHERE Price < '100.00' OR '1' = '1'<br />

ORDER BY ProductDescription;<br />

There are countless ways to exploit SQL injection vulnerabilities to achieve numerous goals; the success of the attack usually depends heavily on the underlying database and the interrelated systems under attack. Occasionally it can take a tremendous amount of skill and persistence to exploit a flaw to its full effect.<br />
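As an added illustration, not code from the article, here is the same products lookup written in Python against an in-memory SQLite table named as in the query above: first built by string concatenation, the way the PHP code builds it, and then with the parameter validated and bound. The product rows are constructed sample data.

```python
import sqlite3

# Added example: the article's query built two ways. Table and column names
# follow the article; the rows below are constructed sample data.
SAMPLE_PRODUCTS = [
    ("Keyboard", 45.00),
    ("Monitor", 180.00),
    ("Headset", 95.50),
    ("Docking station", 240.00),
]

# The payload from the article's URL: 100' OR '1'='1
INJECTED = "100' OR '1'='1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ProductsTbl (ProductDescription TEXT, Price REAL)")
    conn.executemany("INSERT INTO ProductsTbl VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def products_cheaper_than_vulnerable(conn: sqlite3.Connection, val: str) -> list:
    # Vulnerable: the request parameter is pasted into the SQL text, so a quote
    # inside `val` closes the string literal and the remainder is parsed as SQL.
    sql = ("SELECT ProductDescription FROM ProductsTbl "
           f"WHERE Price < '{val}' ORDER BY ProductDescription;")
    return [row[0] for row in conn.execute(sql)]


def products_cheaper_than_safe(conn: sqlite3.Connection, val: str) -> list:
    # Hardened: enforce the type the parameter is supposed to have, then bind it
    # as a query parameter so the driver never lets it change the statement.
    try:
        price = float(val)
    except ValueError:
        raise ValueError(f"rejected non-numeric price parameter: {val!r}")
    sql = ("SELECT ProductDescription FROM ProductsTbl "
           "WHERE Price < ? ORDER BY ProductDescription;")
    return [row[0] for row in conn.execute(sql, (price,))]


def is_rejected(conn: sqlite3.Connection, val: str) -> bool:
    """True if the hardened lookup refuses `val` instead of running it."""
    try:
        products_cheaper_than_safe(conn, val)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("normal request  :", products_cheaper_than_vulnerable(db, "100"))
    print("injected request:", products_cheaper_than_vulnerable(db, INJECTED))
    print("hardened rejects:", is_rejected(db, INJECTED))
```

The numeric check matters as well as the binding: SQLite will happily compare a REAL column against a bound text value, so a parameterised query alone would not tell you that the request was malformed, whereas the type check turns the attempt into a logged rejection.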

Command/Code injection<br />

OS command injection flaws happen when software includes user-controllable data in a command that is run by the operating system shell. If the data is unrestricted, an attacker can use shell metacharacters to modify the command that is intended to be executed. This fault is programming-language independent.<br />

There are a multitude of avenues to exploit a command injection:<br />

• injecting the command enclosed in backticks, for example `id`<br />

• piping the output of the first command into the second: | id<br />

• executing another command if the first one succeeds: && id (where & needs to be encoded)<br />

• executing another command if the first one fails (and making sure it does): error || id (where error is just there to cause an error).<br />

It’s also feasible to use the same-value technique to perform this type of detection. For example, you can substitute 123 with `echo 123`. The command enclosed in backticks will be executed first and return exactly the same value to be used by the original command.<br />
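An added example, not from the article: the vulnerable pattern (a command string handed to the shell) beside the hardened one (an allowlist check and an argv list with no shell), plus the metacharacter check a defender would alert on. Here echo stands in for whatever program the application really invokes, and all inputs are constructed.

```python
import re
import subprocess

# Added example. `echo` stands in for the real program; inputs are constructed.

# The metacharacters listed above (backticks, |, &&, ||) and their usual
# companions. Seeing any of them in user-supplied data is worth logging even
# when the call that receives it is already safe.
SHELL_META = re.compile(r"[`|&;$<>\n]")

# Allowlist for the only thing this endpoint should accept: a hostname.
HOSTNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def looks_like_injection(value: str) -> bool:
    """Detection: does the input carry shell syntax it has no business carrying?"""
    return SHELL_META.search(value) is not None


def run_vulnerable(value: str) -> str:
    # shell=True hands the whole string to /bin/sh. Backticks are evaluated
    # before echo runs, so `echo 123` yields the same "123" an honest request
    # does: the same-value probe described above goes unnoticed by the caller.
    proc = subprocess.run(f"echo {value}", shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def run_safe(value: str) -> str:
    # Hardened: refuse anything outside the allowlist, then pass the value as a
    # single argv element with no shell, so metacharacters can only be literal.
    if HOSTNAME.fullmatch(value) is None:
        raise ValueError(f"rejected input: {value!r}")
    proc = subprocess.run(["echo", value], capture_output=True, text=True)
    return proc.stdout.strip()


def safe_rejects(value: str) -> bool:
    """True if the hardened path refuses `value` rather than running it."""
    try:
        run_safe(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for probe in ("123", "`echo 123`"):
        print(repr(probe), "->", run_vulnerable(probe), "| flagged:", looks_like_injection(probe))
    print("hardened rejects `echo 123`:", safe_rejects("`echo 123`"))
```

The two controls are independent: the argv list removes the shell from the picture entirely, and the allowlist keeps the program from being handed an argument (such as a leading dash) that it would interpret as an option.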

Buffer Overflow<br />

In programming, a buffer is a region of memory used to store data temporarily during application execution. The size of the buffer is typically fixed. Once the application exits, the contents of the buffer are also cleared.<br />



In a buffer overflow attack, the buffer is filled with more data than it can hold or handle, causing the application to behave abnormally. Hackers use this type of attack to obtain reverse shells on a target computer by inserting shellcode as the payload.<br />

Buffer overflows are usually possible when the attacker discovers that you have no controlled allocation of your memory.<br />

Let’s look at a classic example in C programming:<br />

The program below shows a situation where an application expects a password from the user and, if the password is correct, grants “root privileges” to the user.<br />

The program runs as expected if you supply the correct credentials.<br />

However, in this program lies the undiscovered flaw of a possible buffer overflow attack. The gets() function in C performs no check against the array size. This means that we can write a string longer than the buffer. Now, can you see through this basic example the damage that can arise from this type of loophole?<br />



The origins of software defects<br />

Where do these problems come from? Developers writing custom applications for corporations to use internally or on the web, programmers employed at software development firms that create commercial off-the-shelf programs, programmers working in the public domain, and freelancers writing and releasing flawed code all suffer from the same ultimate dilemma: the human condition that “they don’t know any better” because they were “never taught” how to write secure and resilient code for their applications.<br />

Software is inherently exposed to various types of vulnerabilities unless the developer makes a mindful effort to avert them. If the programmer forgets to include suitable “output encoding procedures” and “input validation techniques”, the application will surely be vulnerable to certain exploits. The software may be appropriate and suitable for its purpose, performing just as the developer intended, but it may never have been verified and validated to see how it behaves when it is fed malicious input or is directly attacked.<br />

About the Author<br />

Joe Guerra, M.Ed, CySA+, C|EH, Cybersecurity Instructor, Hallmark University.<br />

Joe Guerra is a cybersecurity/computer programming instructor at Hallmark University. He has 13 years of teaching/training experience in software and information technology development. Joe has been involved in teaching information systems security and secure software development toward industry certifications. Initially, Joe was a software developer/instructor working on C and Python projects. He is constantly researching attack techniques, forensic investigations and malware analysis. He is focused on training the new generation of cyber first responders at Hallmark University.<br />

Joe can be reached online at (Jguerra2@hallmarkuniversity.edu) and at our University website http://www.hallmarkuniversity.edu/<br />



The Dangers of the Integrated Home/Workplace<br />

Personal data breaches are one of the fastest-growing cybercrimes in the US. As IoT devices become increasingly common at home and in the workplace, measures must be taken to secure them at every point.<br />

By Damon Culbert, Content Writer, Cyber Security Professionals<br />

Personal data breaches are one of the most common and fastest-growing cybercrimes in the US, increasing by more than 60% between 2017 and 2018. While the issue of sensitive data is becoming much more commonplace in the media, the full extent of the issue is far wider than most people perceive. As more and more devices connect to the internet and each other, holes in the defences of both home and workplace security could be leaving thousands of personal data records exposed at all times.<br />

The Internet of Things is a phenomenon which is reaching into offices and homes across the world as tech companies test consumer imagination about what devices can be connected to each other and for what purpose. As smart thermostats, washing machines and light bulbs fill homes, integrated security systems, smart desks and intelligent A/C systems fill offices. But these devices have specific security concerns that are often forgotten about by consumers in the race to make their lives easier through integration.<br />

Workplace insecurity<br />

In the workplace, one of the biggest challenges comes from Bring Your Own Device (BYOD) policies, where staff use external devices like laptops and phones to support their work. Enabling staff to access their work wherever they are and have a high level of connectivity with their workplace even when on the go is great for productivity, but without the right security measures, devices from home could cost more than they’re worth.<br />

If a device is compromised outside of work and is allowed to connect to the office network, malicious software could break through the organisation’s defences and cause problems from the inside. Additionally, if not all devices are operating at the same level of security, the weak links could be exploited by cyber criminals and result in personal data breaches of staff or client data.<br />

The simplest way to avoid these kinds of issues is to ensure that all devices used by staff are approved by security experts and, where issues are found, the devices are properly secured or replaced. Having a consistent security policy which covers all devices that interact with the main organisation network is vital to protecting any personal data the company holds on its employees and clients.<br />

Integrated home devices<br />

At home, the rise in products such as Amazon’s Alexa and the Google Home assistant has seen integrated devices springing up everywhere, creating fully interconnected homes where everything can be controlled with voice commands or centrally from a mobile phone. In the rush to create so many IoT-ready devices, many suppliers have neglected to focus on security, meaning many devices are a risk to consumers’ personal networks.<br />

Some IoT devices store the wifi password insecurely, meaning hackers could break in through the weaker defences around an IoT device like a home security camera or even a pair of hair straighteners and gain access to the entire network from there. Manufacturers of IoT products need to make sure that measures are taken to secure their devices before marketing them, but consumers also need to be aware of the potential issues a product may pose before they buy it and add it to their network.<br />

Home assistant breaches<br />

Given recent news about how Google Home assistants and Amazon Alexa devices have been sending recordings to human operators and even accidentally leaking recordings to other users, how companies use the personal data we provide them with is also becoming an increasing concern. While users willingly bring these devices into their homes, many don’t consider the safety implications of having a machine that is constantly listening in their homes.<br />

Even if home assistants are only sharing the voice recordings among employees, there is still always the possibility that these companies will be hacked and the personal data caught on the recording will be leaked or exploited by hackers. As Natwest plans to introduce ‘voice banking’ in partnership with Google in the UK, not only do the possibilities for integration seem endless, but so do the possibilities for exploitation.<br />

Online security is becoming a much more popular concern as the ways we interact with the internet become more diverse and in many ways more complex. Not only is it the responsibility of manufacturers to ensure IoT devices are as secure as possible before marketing them, but those who introduce new devices to their home or workplace environment also need to keep security in mind to tackle the personal data crisis emerging across the US.<br />

About the Author<br />

Damon Culbert is a Content Writer for Cyber Security Professionals. Cyber Security Professionals is a specialist job site advertising vacancies in the information security industry around the world.<br />

Cyber Security Professionals can be found online at @cysecprofs (Twitter) and at our company website: https://cybersecurity-professionals.com/<br />



How Real-Time Asset Intelligence Enables Full Posture Control<br />

By Ellen Sundra, VP of Americas Systems Engineering, Forescout Technologies<br />

The massive growth of devices hitting our networks is not a secret or a new discussion. We have all seen the growth predictions from Gartner: 14.2 billion devices today, growing to 25 billion devices by 2021. Right along with device hyper-growth come increased risk vectors, and the need for organizations to adopt a willingness to automate their cybersecurity strategy.<br />

The foundation of every well-planned security program is device visibility. Having intelligence on 100% of the devices across all aspects of your extended enterprise, inclusive of IT, IoT, data centers, cloud and OT networks, helps prioritize risk and protect potential breach access points. Mind you, visibility isn’t a silver bullet; it is the enabler of the critical step of turning that intelligence into action by layering on tools like automation or network segmentation.<br />

Automation can allow organizations to quickly authenticate authorized devices on the network, and apply action controls and policies to devices which are unauthorized. The decision to automate often comes down to a level of comfort: trusting that you truly do know what is on your network, and that you won’t accidentally block access to a mission-critical device or apply a patch to an older device that might break it or void its warranty. Automation forces better behavior across the organization and allows resources to focus on more strategic efforts when your security tools are configured to analyze device function and compliance.<br />



I see this every day within the industry; for example, the Department of Homeland Security is one early leader in this practice of understanding the importance of visibility and turning it into action. The first two phases of its Continuous Diagnostics and Mitigation (CDM) program looked to discover what and who were on DHS networks. The next phase will look to use that intelligence to kick-start more advanced cybersecurity conversations and capabilities, like automation and incident response. The Department of Defense is also in the process of launching a similar program, called Comply to Connect.<br />

Network segmentation is another tool that organizations can use to reduce risk using the information gathered by visibility tools. Once you can identify what devices are attached to the network and understand their context, network segmentation can limit what those devices can do and what they have access to. For example, you may not want medical devices and payment and finance systems on the same network. You may choose to segment those separately to reduce risk without eliminating functionality. This can also help with audits and compliance in regulatory-sensitive organizations.<br />

This is why visibility needs to serve as the foundation of automation and network segmentation. With full device visibility and context, you are able to say with confidence what devices are on the network and what their specific attributes are. That context allows for nuanced policies, which protect against the worries that come with broad-spread automation.<br />

We are living in the world of IoT, where billions of devices are coming online every year. There will always be new devices coming onto the corporate network. Visibility is a tool that gives critical cybersecurity intelligence into this rise, but it is just the building block for a sustainable and scalable enterprise cybersecurity strategy.<br />

About the Author<br />

With more than 20 years of experience in the cybersecurity industry, Ellen leads the Americas System Engineering team for Forescout Technologies. Together, Ellen and her team are responsible for designing customized security solutions for Commercial and Public Sector customers. Prior to joining Forescout, Ellen was a network architect and security advisor with iPass, UUNet and WorldCom. Ellen earned a Bachelor of Arts in computer science from Rollins College and is a Certified Information Systems Security Professional (CISSP).<br />



Multi-factor Authentication Implementation Options<br />

"2FA to 5FA - What are the options available?"<br />

By David Smith<br />

Independent Consultant at Smart Card Institute<br />

At some point we have all used a one-time password (OTP) along with our password to complete an online banking or financial transaction. The OTP adds the assurance that nobody else can authorize that transaction, but that assurance rests entirely on the mobile device or token being in your possession at the time (and, for codes delivered by SMS, on the phone number not having been hijacked through SIM swapping or interception). Password plus OTP is an example of two-factor authentication (2FA). To ensure the authenticity of the user performing a transaction online or in person, service providers and regulators now emphasize multi-factor authentication.<br />

Multi-factor authentication has become a necessity to reduce the risk of identity theft caused by weak or stolen credentials, vulnerable systems and phishing attacks. As the name suggests, it requires the user to provide two or more pieces of evidence of identity, and the evidence should come from different categories of factor (a password plus a security question is two pieces of knowledge, not two factors). The categories are:<br />

• Knowledge factors - something the user knows<br />

• Possession factors - something the user has<br />

• Inherence factors - something the user is (a physical or behavioural characteristic)<br />

• Location factor - somewhere the user is<br />

• Time factor - when the transaction takes place<br />

We will now explore the different types of evidence that can satisfy each of these factors in a multi-factor authentication system.<br />



Knowledge Factors: Probably the most commonly used factor, something the user knows is usually a credential such as a password, a PIN or the answer to a security question (a username or e-mail address identifies the user but is not secret, so it does not count as evidence). Using an ATM card with a PIN is an example of 2FA where one factor is the card (which the user possesses) and the second is the PIN (which the user knows). Other examples of the knowledge factor include<br />

• Security questions, usually used when somebody wants to reset a password. Their answers are often guessable or publicly discoverable, so they are a weak factor.<br />

• The CVV code and expiry date on a payment card, required during e-commerce transactions. Since both are printed on the card, they mainly show that the cardholder had the card in hand, not that a secret is known.<br />

Possession Factors: The oldest example of the possession factor is probably the key to a lock, and the same principle is used in the digital age to control digital access. Cards are a common possession factor: magnetic stripe cards (which carry static data and are trivially copied), EMV chip cards used for credit and debit, and RFID or NFC cards used in physical access control. Similar technology is used in key fobs, wrist bands and the like. One-time passwords also belong here rather than under knowledge: a random OTP sent by SMS or e-mail proves control of a phone number or mailbox, and a time-based one-time password (TOTP) generated by a hardware or software token from a shared secret key and the current time step using an HMAC proves possession of the seeded device. Hardware and software tokens of this kind are used by many mobile banking applications to implement multi-factor authentication.<br />
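The time-based one-time password described above, as an added example (this is not code from the article or from any product the author describes): TOTP per RFC 6238 built on HOTP (RFC 4226), together with the server-side verifier a relying party needs, which tolerates one time step of clock drift and refuses a code that has already been redeemed. The secret is the RFC test secret and the timestamps are the RFC's published test vectors; the 30-second step, the 6-digit length and the one-step window are assumptions to be tuned per deployment.<br />

```python
"""TOTP (RFC 6238) generation and server-side verification.

Added example: the HMAC-based one-time password scheme the article refers to,
with a verifier that tolerates small clock drift and rejects code reuse.
TEST_SECRET is the RFC 4226/6238 reference secret, not a real key.
"""
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (otpauth:// URI).
    Padding is restored because many provisioning strings omit it."""
    encoded = encoded.strip().replace(" ", "").upper()
    encoded += "=" * (-len(encoded) % 8)
    return base64.b32decode(encoded)


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of time steps elapsed since t0."""
    return hotp(secret, (unix_time - t0) // step, digits)


class TotpVerifier:
    """Server-side check for one enrolled token.

    - accepts codes from the current step and `window` steps either side (clock drift);
    - never accepts a step at or below the last accepted one, so a code that was
      already used (or observed in transit and replayed) is refused even inside the window;
    - compares in constant time.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest time step already redeemed

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != self.digits or any(c not in "0123456789" for c in code):
            return False
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # reuse or replay of an older step
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


def redeem_sequence(secret: bytes, attempts, **kwargs):
    """Run one verifier over (code, unix_time) attempts in order; returns accept/reject per attempt."""
    verifier = TotpVerifier(secret, **kwargs)
    return [verifier.verify(code, t) for code, t in attempts]


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, 8 digits): T=59 -> 94287082, T=1111111109 -> 07081804
    print(totp(TEST_SECRET, 59, digits=8), totp(TEST_SECRET, 1111111109, digits=8))
    # Same code presented twice at the same second: accepted once, then rejected as a replay.
    print(redeem_sequence(TEST_SECRET, [("287082", 59), ("287082", 59)]))
```

The replay rule is the part most home-grown verifiers get wrong: without `last_counter`, a code captured by a phishing page or shoulder-surfer stays valid for the whole window. Note also that the verifier only proves possession of the seed; it does nothing against a phisher who relays the code in real time.<br />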

Inherence Factors: Biometrics are the usual way to implement inherence factors. They include behavioural as well as physiological identifiers.<br />

Behavioural identifiers include speaker (voice) recognition, keystroke and navigation patterns, and engagement patterns. These match a person's vocal characteristics, the speed and pressure of their typing, and the way they interact with the application. Voice recognition is typically used in call-centre and IVR applications, while keystroke and navigation patterns are used in remote multi-factor authentication, often continuously in the background.<br />

Physiological identifiers include fingerprint, face and iris or retina scans. These use the unique patterns of a person's fingerprint ridges, facial structure, retinal blood vessels or iris texture. They are commonly used to authenticate travellers at airport immigration, and biometric payment cards are proposed as the next step in security for the online and in-person payments industry. Two caveats apply to any biometric: a match is probabilistic (tuned between false accepts and false rejects) rather than exact, and a biometric cannot be revoked or replaced if its template leaks, so templates should stay on the user's device or be protected as strongly as a private key.<br />

Location Factors: These check where the user is accessing the service from, and mobile devices have made location easy to obtain. An example of location-based authentication: when a user is on the office premises they can connect directly to the corporate network over Wi-Fi or LAN, but to reach the same network over a VPN a soft token is required in addition.<br />

Time Factor: Systems can check whether the time of access fits the expected pattern. The usual example combines time with location: a person should not be able to use a paid service from two geographically distant locations within a matter of minutes, since nobody can travel that fast. Note that most standards, including NIST SP 800-63B, recognise only knowledge, possession and inherence as authentication factors; location and time are treated as risk signals that decide whether to demand a stronger factor (adaptive or risk-based authentication) rather than as factors in their own right.<br />
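The location and time checks of the two paragraphs above, combined into the "impossible travel" rule that adaptive-authentication systems actually apply, as an added example (not code from the article): each login is compared with the same account's previous login, and if the implied speed exceeds what any traveller could manage, the login is flagged for step-up authentication. The login events, IP addresses and coordinates are constructed sample data, and the 900 km/h threshold is an assumption to tune per policy.<br />

```python
"""Impossible-travel check over a login history.

Added example (not from the article): the location and time signals,
combined the way adaptive-authentication systems combine them. If two logins
for one account are farther apart than anyone could travel in the time between
them, the second login is flagged so that a stronger factor (or a block) can be
demanded. Sample events are constructed; the speed threshold is an assumption.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumption: anything faster than roughly airliner cruise speed between two
# logins is treated as physically impossible. Only meaningful if the
# geolocation itself is trustworthy (VPN exits and mobile carriers add noise).
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class Login:
    user: str
    unix_time: int
    lat: float
    lon: float
    source_ip: str  # constructed RFC 5737 documentation addresses


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = phi2 - phi1
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: Login, cur: Login) -> float:
    """Speed the user would have needed to get from prev to cur. The time gap is
    floored at one second so two simultaneous logins yield a huge speed rather
    than a division by zero."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = max(cur.unix_time - prev.unix_time, 1) / 3600.0
    return distance / hours


def flag_impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return the logins that are impossible given the same user's previous login.

    Events are processed in time order and each is compared with the most recent
    login of that user only, which is what a streaming detector would do. The
    flagged login still becomes the new reference point, so a burst of logins
    from the distant location is flagged once, not on every subsequent event.
    """
    last_seen = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e.unix_time):
        prev = last_seen.get(ev.user)
        if prev is not None and implied_speed_kmh(prev, ev) > max_kmh:
            flagged.append(ev)
        last_seen[ev.user] = ev
    return flagged


# Constructed sample history (coordinates are city centres, not real users).
SAMPLE_LOGINS = [
    Login("alice", 1_567_500_000, 40.7128, -74.0060, "198.51.100.10"),  # New York
    Login("alice", 1_567_500_300, 40.7357, -74.1724, "198.51.100.11"),  # Newark, 5 min later: plausible
    Login("alice", 1_567_500_900, 51.5074, -0.1278, "203.0.113.7"),     # London, 10 min later: impossible
    Login("bob", 1_567_500_000, 48.8566, 2.3522, "192.0.2.20"),         # Paris
    Login("bob", 1_567_507_200, 50.8503, 4.3517, "192.0.2.21"),         # Brussels, 2 h later: plausible
]


if __name__ == "__main__":
    for ev in flag_impossible_travel(SAMPLE_LOGINS):
        print(f"step-up required: {ev.user} from {ev.source_ip} at {ev.unix_time}")
```

In practice the flagged event feeds the policy engine described in the article: the session is not refused outright but is required to present a possession or inherence factor before the transaction completes, which keeps false positives from frequent travellers tolerable.<br />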

2FA is the most commonly used form of authentication and relies mostly on any two of the first three factors: knowledge, possession and inherence. 3FA, 4FA and 5FA using one factor of each type are implemented in special cases. Finally, it is important to note that the reliability of the mechanism depends not only on which types of factor are used but also on how they are implemented: an OTP that can be relayed by a phishing page in real time, or a biometric without a liveness check, adds less than its category suggests. A balance must also be maintained so that users do not feel confused or overburdened by the number of steps required to get access.<br />

About the Author<br />

David Smith is a cryptographer with 12 years of experience in both the public and private sectors. His expertise includes system design and implementation with contact and contactless smart cards, smart card personalization, mobile payments, and general knowledge of APAC market trends and consumer preferences. David occasionally consults with smart card companies at websites like Cardzgroup.com, and he can be reached online via LinkedIn.<br />



Meet Our Publisher: Gary S. Miliefsky, CISSP, fmDHS<br />

“Amazing Keynote”<br />

“Best Speaker on the Hacking Stage”<br />

“Most Entertaining and Engaging”<br />

Gary has been keynoting cyber security events throughout the year. He has also been a moderator and a panelist, and has numerous upcoming events throughout the year.<br />

If you are looking for a cybersecurity expert who can turn a nice event into a stellar conference, look no further: email marketing@cyberdefensemagazine.com<br />



You asked, and it’s finally here…we’ve launched CyberDefense.TV<br />

At least a dozen exceptional interviews rolling out each month starting this summer…<br />

Market leaders, innovators, CEO hot seat interviews and much more.<br />

A new division of Cyber Defense Media Group and sister to Cyber Defense Magazine.<br />



Free Monthly Cyber Defense eMagazine Via Email<br />

Enjoy our monthly electronic editions of our Magazines for FREE.<br />

This magazine is by and for ethical information security professionals with a twist on innovative consumer products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best ideas, products and services in the information technology industry. Our monthly Cyber Defense e-Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here to sign up today and within moments, you’ll receive your first email from us with an archive of our newsletters along with this month’s newsletter.<br />

By signing up, you’ll always be in the loop with CDM.<br />

Copyright (C) 2019, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G. SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com, CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465, Cyber Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com<br />

All rights reserved worldwide. Copyright © 2019, Cyber Defense Magazine. All rights reserved. No part of this newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at marketing@cyberdefensemagazine.com<br />

Cyber Defense Magazine<br />

276 Fifth Avenue, Suite 704, New York, NY 10001<br />

EIN: 454-18-8465, DUNS# 078358935.<br />

All rights reserved worldwide.<br />

marketing@cyberdefensemagazine.com<br />

www.cyberdefensemagazine.com<br />

NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA)<br />

Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 09/03/2019<br />



TRILLIONS ARE AT STAKE<br />

No 1 INTERNATIONAL BESTSELLER IN FOUR CATEGORIES<br />

Released:<br />

https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guys-ebook/dp/B07KPNS9NH<br />

In Development:<br />



7 Years in The Making…<br />

Thank You to our Loyal Subscribers!<br />

We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know What You Think. It's mobile and tablet friendly and superfast. We hope you like it. In addition, we're shooting for 7x24x365 uptime as we continue to scale with improved Web Application Firewalls, Content Delivery Networks (CDNs) around the Globe, Faster and More Secure DNS, and CyberDefenseMagazineBackup.com up and running as an array of live mirror sites.<br />

3m+ DNS queries monthly, 2m+ annual readers and new platforms coming…<br />
