Cyber Defense eMagazine March 2020 Edition
Cyber Defense eMagazine March Edition for 2020 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, US Editor-in-Chief, Pierluigi Paganini, Co-founder & International Editor-in-Chief, Stevin Miliefsky, President and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES
Data Protection Day 2020: De-Risking in The Era of Transparency
Building Your Cyber Talent Pool Early In 2020
Why Zero Trust Isn’t So Trustworthy
Devops ― Are You Risking Security for Agility?
Time Is of The Essence
Analysing Data Using the Intelligence Cycle: An Overview
…and much more…
CONTENTS
Welcome to CDM’s March 2020
Data Protection Day 2020: De-Risking in The Era of Transparency
By Daniel Fried, General Manager (GM) and Senior Vice President (SVP), EMEA and Worldwide Channels, Veeam
How The Cybersecurity Industry Can Stop Shooting Itself In The Foot And Solve The Skills Gap
By Rene Kolga, Head of Product, Nyotron.
Building Your Cyber Talent Pool Early In 2020
By Karl Sharman, Vice-President, BeecherMadden
The Importance of Cybersecurity Education in The Workplace
By Aman Johal, Lawyer and Director of Your Lawyers
Be Wary of Cybercriminals This Valentine’s Day
By Claire Umeda, Vice President of Marketing, 4iQ
The Benefits And Risks Of Modernizing Voting Technology
By Jenna Tsui, Freelance Writer
Why Zero Trust Isn’t So Trustworthy
By Benny Lakunishok, CEO and co-founder of Zero Networks
Mastering Automation to Solve Data Security for Healthcare Practices
By Anne Genge, CEO, Alexio Corporation
Devops ― Are You Risking Security for Agility?
By Morey Haber, CTO & CISO, BeyondTrust
Juggling Your Clouds
By Cameron Chehreh, Chief Technology Officer, Dell Technologies Federal
Time Is of The Essence
By Filip Truta, Information Security Analyst, Bitdefender
Drowning in A Sea of Threat Data? Consider A Curator
By Rodney Joffe, Senior Vice President, Senior Technologist and Fellow, Neustar
Analysing Data Using the Intelligence Cycle: An Overview
By Alan Blaney Managing Director of Focus Training
Cyber Defense and Cultural Heritage
By Milica D. Djekic
Tax Season Is Here. So Are the Scams.
By Eric H. Perkins, Sr. Security Risk Analyst, Edelman Financial Engines
Predicting the Direction of The PAM Market In 2020
By James Legg, President and CEO, Thycotic
Malware - A Cyber Threat for 2020
By Pedro Tavares, Founder of CSIRT.UBI & Editor-in-Chief seguranca-informatica.pt
VPNs - 2020 And Beyond
By Sebastian Schaub, Founder and CEO, hide.me
The Gap in Security - Data Centric Security
By Eric Rickard, CEO, Sertainty Federal Systems
A View of How DDOS Weapons Evolved In 2019
By Anthony Webb, EMEA Vice President at A10 Networks
Network Security Must Keep Up with Video Surveillance Systems’ Rise in Criticality to Public Safety and Security in The Middle East
By Rabih Itani, the Middle East region security business head at Aruba, a Hewlett Packard Enterprise company
Shadow Iot Devices A Major Concern for Corporate Networks
By Ashraf Sheet, Regional Director Middle East & Africa at Infoblox
The Hard Drive Secondary Market: The Sorry State of The Industry
By James Mannering, Hard Drive Product Manager at NextUse
Smart Buildings
By Andrea Carcano, Nozomi Networks Co-founder and CPO
What the Latest Enterprise Endpoint Security Survey Shows Us: Big Concerns but Hope for The Future
By Jeff Harrell, Vice President of Marketing, Adaptiva
From the Publisher…
New CyberDefenseMagazine.com website, plus updates at CyberDefenseTV.com & CyberDefenseRadio.com

Dear Friends,

On the heels of our very successful participation in the just-concluded RSA Conference 2020, we are now positioned to take the next steps in our development plans for Cyber Defense Magazine and the Cyber Defense Media Group.

As we had projected, we are now delighted to confirm completion of our InfoSec Awards for 2020, as well as our program of interviews, which are now live on https://www.cyberdefensetv.com and https://www.cyberdefenseradio.com. They include active participation by market leaders, innovators, and others offering some of the best solutions for cyber security in the global marketplace.

Our team of over 20 professionals will be returning home to consolidate and evaluate the substantive information and perspectives of the many RSA Conference participants who are now becoming more active with our organization.

In this March 2020 issue of Cyber Defense Magazine, and going forward the year, we continue to bring you thoughtful and valuable articles by industry leaders.

It is both a pleasure and an honor to bring our readers and subscribers this new issue, and to look forward with great anticipation to serving you in the future.

Warmest regards,
Gary S. Miliefsky, CISSP®, fmDHS
CEO, Cyber Defense Media Group
Publisher, Cyber Defense Magazine

P.S. When you share a story or an article or information about CDM, please use #CDM and @CyberDefenseMag and @Miliefsky – it helps spread the word about our free resources even more quickly.
CYBER DEFENSE eMAGAZINE
Published monthly by the team at Cyber Defense Media Group and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.
InfoSec Knowledge is Power. We will always strive to provide the latest, most up to date FREE InfoSec information.
From the International Editor-in-Chief…

Based on reported developments of the past month, as well as some of the excellent information shared at the 2020 RSA Conference, we continue to observe and discuss the challenges of conducting effective cybersecurity measures in the international environment.

One theme seems to stand out in this marketplace of ideas: “Compliance does not assure security.” From my perspective, this means that all the efforts to secure compliance with the many legal and regulatory provisions will still not result in an effective cybersecurity program without implementing a results-oriented protocol.

In particular, the continuing (even accelerating) proliferation of standards and regulations adopted by different jurisdictions, from supranational to State and local governments, places a great onus on organizations with multi-jurisdictional operations. In case this does not sound an alarm, it affects all but the smallest local businesses.

We will continue to study and seek input from those who are most knowledgeable in this field, and will endeavor to share them with our readers as they come to light. At Cyber Defense Magazine, we are grateful for our writers and sponsors for sharing their expertise with our staff and readers.

We invite you to read and consider the thoughtful presentations in this issue. As always, we welcome your comments on your own experiences in dealing with the growing complications in international cybersecurity practice.

To our faithful readers, we thank you,
Pierluigi Paganini
International Editor-in-Chief
PRESIDENT & CO-FOUNDER
Stevin Miliefsky
stevinv@cyberdefensemagazine.com

INTERNATIONAL EDITOR-IN-CHIEF & CO-FOUNDER
Pierluigi Paganini, CEH
Pierluigi.paganini@cyberdefensemagazine.com

US EDITOR-IN-CHIEF
Yan Ross, JD
Yan.Ross@cyberdefensemediagroup.com

ADVERTISING
Marketing Team
marketing@cyberdefensemagazine.com

CONTACT US:
Cyber Defense Magazine
Toll Free: 1-833-844-9468
International: +1-603-280-4451
SKYPE: cyber.defense
http://www.cyberdefensemagazine.com

Copyright © 2019, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a)
276 Fifth Avenue, Suite 704, New York, NY 10001
EIN: 454-18-8465, DUNS# 078358935.
All rights reserved worldwide.

PUBLISHER
Gary S. Miliefsky, CISSP®
Learn more about our founder & publisher at: http://www.cyberdefensemagazine.com/about-our-founder/
WE’RE TURNING A CORNER INTO 8 YEARS OF EXCELLENCE!
Providing free information, best practices, tips and techniques on cybersecurity since 2012, Cyber Defense magazine is your go-to-source for Information Security. We’re a proud division of Cyber Defense Media Group: CYBERDEFENSEMEDIAGROUP.COM
Welcome to CDM’s March 2020

From time to time, it’s necessary to look back in order to go forward with confidence. In our March issue, you will notice a few articles that may seem out of place – mainly because they refer to dates or celebrations which have already passed. The point is that annual recognition may emphasize a once-a-year focus on a particular event or concept, but the thrust of that recognition must be maintained all year long in order to reach the desired outcome.

Two examples in this issue are the 14th edition of Data Protection Day, which was celebrated globally on 28 January 2020, and Valentine’s Day, celebrated on February 14th. Both of these dates are past, and the celebrations complete for this calendar year. However, we are well advised to pay attention to the admonitions in the two articles in this issue on the respective topics.

In this issue, we also continue analyzing and projecting the needs and fulfillment of the market for cybersecurity professionals. In an age of questionable ROI on the cost of many academic degrees and certifications, cybersecurity stands out as an exception to the trend of graduating with burdensome debt and finding the job market will barely provide enough income to live while retiring student debt.

Another leading topic now and continuing over the next several months is election technology and security. No other cyber application is so intimately involved with our very democracy as the integrity of the voting process. Even paper-and-pencil/pen solutions are subject to manipulation in the collection, storage, transmission, and interpretation of election results.

With over 5 million individual inquiries per month, CDM maintains its position as the leading publication for cybersecurity professionals.

Wishing you all success in your cyber security endeavors,
Yan Ross
US Editor-in-Chief
Cyber Defense Magazine

About the US Editor-in-Chief
Yan Ross, J.D., is a Cybersecurity Journalist & US Editor-in-Chief for Cyber Defense Magazine. He is an accredited author and educator and has provided editorial services for award-winning best-selling books on a variety of topics. He also serves as ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist® XV CITRMS® course. As an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, privacy, and cyber security for consumers and organizations holding sensitive personal information. You can reach him via his e-mail address at yan.ross@cyberdefensemediagroup.com
Data Protection Day 2020: De-Risking in The Era of Transparency
By Daniel Fried, General Manager (GM) and Senior Vice President (SVP), EMEA and Worldwide Channels, Veeam
The issue of data protection and privacy was, until recently, a conversation confined to a specific group of people within an organisation. Unless you were an IT consultant or a corporate lawyer, privacy compliance was something somebody else took care of. So, how have we reached the point where many organizations are bound by law to employ a Data Protection Officer (DPO)? Why are CEOs now so interested in their company’s data protection and privacy policies?

You could be easily fooled into thinking data privacy as a field has only existed since 2018, but nothing could be further from the truth. From an anthropological perspective, human beings have longed for privacy for over 3,000 years. The use of internal walls within buildings, which started to become commonplace in 1500 AD, proves this. The concept of the ‘right to privacy’ as we know it is indeed younger – eventually being formalised as an international human right in 1948. Sweden became the first country to enact a national data protection law in 1973. Even this, the first tangible effort to regulate data privacy, happened in response to public concern over the increasing use of computers to process and store personal information.

While our understanding of the current data privacy conversation must operate within this context, there is no denying that 2018 was a watershed moment. The General Data Protection Regulation (GDPR) may be less than two years old, but its impact has been significant. The regulation's very specific nature makes it enforceable, and GDPR regulators have not been frightened to flex their muscles. To date, they have collected almost €429 million in fines – serving as a constant reminder to any business processing the data of European citizens that there are penalties for not adhering to data privacy requirements.
The privacy skills gap

As well as providing a clearer framework for appropriate data handling practices, GDPR has made data protection and privacy more about people. Rather than talking in terms of technical standards and software requirements, it is based on fundamental citizens’ rights and how people within an organization can uphold them. One of the most specific lines of the GDPR is Article 37, which states that certain companies must appoint a Data Protection Officer to be compliant. More specifically, this applies to any public authority and to any company whose core activities require large-scale monitoring of individuals or consist of large-scale processing of criminal data.

Wherever appointing a DPO is not required under GDPR, it is advised as best practice for companies who need to ensure they have the right data processes in place. Given that the latest Veeam Cloud Data Management report shows that organizations across multiple industries will spend an average of $41 million deploying technologies to boost business intelligence, experienced DPOs have become hot property. In 2018, when GDPR was passed, as many as 75,000 vacancies for DPOs needed to be filled – with Europe and the USA accounting for around 28,000 of these roles.

Especially during this period of transition, organizations across the board must foster a culture of transparency in terms of how data is used. Not every person in the business can be a data protection expert, but all employees must appreciate and understand the basic principles. Furthermore, while the ownership of GDPR compliance lies with the DPO, the buck ultimately stops with the CEO. Data protection is a business conversation as well as a technology one. With that said, businesses must have an IT strategy in place which enables solid data protection practices.
Minds over matter

Veeam research shows that three-quarters of IT decision makers globally are looking to Cloud Data Management as a means of creating a more intelligent business. Cloud Data Management brings together disciplines such as backup, replication and disaster recovery across an organization’s entire cloud and data management provision. It ensures that data is available, recoverable and protected at all times. But like data privacy, IT is a people industry too. In a world where businesses need to protect their data more than ever before, CEOs, CIOs and DPOs alike are looking for trusted partners to help de-risk their data management. This support may take the form of configuring data management systems, providing technical training for administrators, or basic data privacy training for end-users.

Data Protection Day is an appropriate time for us to reflect on how we use and view data. Moreover, as we begin a new decade, it’s an apt moment to acknowledge that we are still in the midst of transformation. The impact of GDPR will continue to be profound as businesses adapt to its demands and its enforcers become less patient with those who fail to comply. More fines and reputational damage will only add to the demand for DPOs – people with the expertise and appetite to take on the data privacy challenges of an organization. While investing in technologies like Cloud Data Management will be fundamental to the DPO’s strategy, privacy is now a people business. Therefore, the shrewdest investments will be in trusted partners who can guide people at every level of the organization through the rigours of remaining compliant and help create an authentic culture of data transparency.
About the Author
Daniel Fried is General Manager and Senior Vice President EMEA. In this position he oversees the strategic direction of the EMEA organization and expansion across all segments and all geographies, and drives the partner ecosystem and increasing growth in emerging markets. Daniel can be reached online at Daniel.fried@veeam.com and at our company website https://www.veeam.com/
How The Cybersecurity Industry Can Stop Shooting Itself In The Foot And Solve The Skills Gap
By Rene Kolga, Head of Product, Nyotron.
It’s no secret that enterprises struggle to find the skilled personnel they need to properly secure their IT systems and protect sensitive information like intellectual property, personally identifiable information (PII) and protected health information (PHI). The cybersecurity industry needs to understand that this talent shortage is, to some extent, self-inflicted. Whatever the causes, we as an industry need to figure out a solution before it comes back to haunt us more than it already has.

One cause is the fact that companies want to hire candidates with the “perfect” mix of experience and skills in the industry. However, in a field that is still evolving and growing exponentially, this has become virtually impossible.

That’s not to say the challenge is the same across the entire industry or even across different locations. In some regions such as Silicon Valley, the pool of candidates is obviously larger, so it may be easier to put up an ad for a security analyst role and have it filled with a quality applicant in no time. However, the same thing isn’t likely to happen if you’re trying to fill a similar role in Montana, for example.

So, how do we force the industry to evolve, as so many other fields have transformed in the past? The first step, as with most programs, is acceptance. The industry needs to accept that there is a hiring problem.

Here are some strategies that organizations should consider when grappling with the cybersecurity skills gap:
Strong Leadership and Sense of Purpose

There are probably a million different overused expressions when it comes to leadership, including “Lead by example” and “A leader is nothing without his or her team.” However, there’s one good one that perfectly encapsulates the reality of the situation: “Employees don’t leave a job; they leave a manager.” Next to money, culture is probably the top factor most people value when looking for a new job. This culture directly stems from the leaders in charge. If managers aren’t providing acceptable vision and motivation or treating their employees with respect, they’re going to have high turnover rates.

Beyond the basic idea of “treating others as you would like to be treated,” the cybersecurity industry should consider itself part of the same category as police officers or doctors. That might sound strange, but when you think about it, what do all three have in common? The idea of wanting to do good in the world. Employers should provide a clear and transparent mission statement about the company’s purpose and articulate how security personnel lead the charge in protecting the organization and its employees and customers, making the world a safer place.

Finally, employees want to know that they're valued and that their bosses are willing to invest in them. Paying for employees to go back to school, attend credited webinars, or speak at cybersecurity conferences (like a local BSides event) is a great way to demonstrate that the company wants its workforce to grow their skills.
Pay Up and Recruit Better

One of the biggest factors in the job search process is compensation. Of course, this isn’t college sports; there isn’t a debate about whether or not security personnel should be paid. However, there is significant confusion and disagreement on how much to pay infosec employees. But make no mistake: underpaid employees won’t last long. The reality is that we live in a world where the concept of supply and demand reigns supreme. With so many unfilled jobs, companies need to bump up the pay for these roles in order to fill them. On the bright side, higher salaries will incentivize students to switch their focus from engineering or computer science to cybersecurity, leading to more potential applicants.

The recruiting problem isn’t limited to the cybersecurity industry, but it’s one we see time and time again. A company will post an overly specific job advertisement that limits the potential talent pool. Sure, if you find a hire this way, you’ll probably get exactly what you wanted. But it prolongs the process and wastes your time. Instead, open up the pool. Write up an ad that identifies your minimum requirements and start the interview process.

Also, headhunting is becoming antiquated. Many companies offer an internal employee referral program, compensating workers for each successful hire they recommend. Even if this compensation is $10,000, an outside recruiter is likely to charge you double or triple that. By sticking to an internal referral program, you’re getting recommendations from people you trust to know what your skill requirements are.
Upskill Internally

Until recently, cybersecurity was not an accredited major at many universities. Think about the percentage of engineers or computer science majors in the workforce that did not have the option to study cybersecurity in school. It’s much easier to train those that have relevant industry experience than it is to train a recent graduate with a cybersecurity degree. Heck, it’s even possible to train employees in roles you wouldn’t necessarily associate with cybersecurity. Think of the natural transition from Customer Support to level one security analyst. They’re still taking support calls and guiding customers through solutions, only this time with a dash of cyber added in. Similarly, your IT administrator has a lot of the necessary, hands-on knowledge that you so desperately need on the security team, combined with an in-depth understanding of your environment. That is the perfect background for a threat hunter or an analyst.

By implementing a culture where you upskill internally, you might find the talent you didn’t even know you had. The right resources might be just one week-long bootcamp away. Overall, internal upskilling probably offers the fastest path to closing your security team human resources gap.
Other, Longer Term Solutions

● Start ‘Em Young: Once you’ve thrown the incentive of a great salary on the table, you’ll have plenty of younger applicants willing to make the leap into cybersecurity. Enterprises need to capitalize on this and hold job fairs at universities to ensure they’ll have a steady stream of young talent applying.
● Diversity: Don’t just focus on hiring security majors, and make sure your security staff doesn’t look like clones. Consider hiring veterans that have plenty of experience working through a crisis, or communications majors who can help security staff work with the internal PR team or media when needed.
● Get Involved in the Community: The cybersecurity community is a close-knit one. Employees that attend extra classes or industry events have a better chance of improving their skills, by sharing war-stories and learning tips they never would’ve thought of, than those who treat the job like a 9 to 5. If you have sufficient internal resources, consider hosting a security MeetUp.

While these solutions aren't going to have the most immediate impact on your organization, in the long run they'll help foster a more positive and efficient environment that your employees will want to work for.
Solving the Problem

These are just a few strategies that enterprises should consider when hiring security staff. Obviously, every organization is different and one solution does not fit all. The tactics used should be determined by the immediate needs and available resources of the department. However, implementing even one of these strategies is a step in the right direction for the industry.
About the Author<br />
Rene Kolga, CISSP, serves as Nyotron’s VP of Product Strategy and Head<br />
of Product Management. Prior to working at Nyotron, Rene was Head of<br />
Product at ThinAir. Rene also spent eight years at Symantec where he<br />
managed multiple enterprise security product lines in the areas of encryption<br />
and endpoint security. Additionally, Rene led dozens of endpoint<br />
management, backup and business intelligence product teams at SolarCity,<br />
Citrix and Altiris. Earlier in his career, Rene ran Customer Support and QA<br />
teams. Rene earned his Computer Science degree from Tallinn University<br />
of Technology. He also received an MBA from the University of Utah.<br />
Building Your Cyber Talent Pool Early In 2020<br />
Start early to win the war on talent<br />
By Karl Sharman, Vice-President, BeecherMadden<br />
As we near the end of the first quarter in 2020, you should have a strong idea of what you can hire or<br />
what you must hire during the year.<br />
The next step is to understand the following:<br />
- Budget<br />
- Skill Location<br />
- Availability<br />
Firstly, budgets need to be secured and set at the correct range to attract the best candidates possible. Budget is<br />
linked to skill location and candidate availability in that market; however, without a budget in mind it will<br />
be hard to attract the right candidate, and it may cause an awkward conversation when you do find the right<br />
candidate. We have our own salary report, which is personalized to our clients to support their<br />
understanding of this subject. Every report includes competitor analysis as well as candidate<br />
requirements in the market, which helps companies bypass the challenges around asking salaries.<br />
Secondly, the locations you choose are only as good as the skilled professionals there. I have recently<br />
seen more intelligent approaches to working, such as remote working, partnering with universities or<br />
picking up the workforce when a company departs a location. This is another reason to do competitive<br />
analysis. For example, with the majority of companies heading to India for their talent, is it a sensible decision<br />
to set up your team there? It may seem cheap, but it isn’t long term if your employee leaves every 3<br />
months, which will increase both cost and the organization’s risk. Recently,<br />
BeecherMadden has done 19 company reports analyzing countries such as Poland, Romania, Lithuania,<br />
Singapore, North America, UK, Switzerland and Spain to name a few.<br />
Third, availability is crucial. Many companies will invest a lot of money into a market, especially from a<br />
standing start, and getting this part wrong could be damaging for you and the company, especially<br />
as risk can increase dramatically. Availability should be defined as having 10 times the number of<br />
candidates with the correct skills and experience you need within that location. Employee turnover is<br />
increasing in many markets and seems to be an accepted way of working as candidates have a lot of<br />
choice.<br />
Cybersecurity is a candidate-led market, so you have to be ready to compete. Building your pipeline<br />
continuously and early will allow you to move faster than your competition. A lack of urgency<br />
or a long hiring process can damage how attractive the opportunity is for the candidate. For this to be<br />
successful, you must do your research and planning, continuously build your talent pool and hire quickly<br />
and efficiently. This will improve the candidate experience, which is the only way to win the war against<br />
talent in cybersecurity.<br />
About the Author<br />
Karl Sharman is a Cyber Security specialist recruiter & talent<br />
advisor leading the US operations for BeecherMadden. After<br />
graduating from University, he was a lead recruiter of talent for<br />
football clubs including Crystal Palace, AFC Wimbledon &<br />
Southampton FC. In his time, he produced and supported over £1<br />
million worth of talent for football clubs before moving into Cyber<br />
Security in 2017. In the cyber security industry, Karl has become<br />
a contributor, writer and a podcast host alongside his full-time<br />
recruitment focus. Karl can be reached online<br />
at karl.sharman@beechermadden.com, on LinkedIn and at our<br />
company website http://www.beechermadden.com<br />
The Importance of Cybersecurity Education in The<br />
Workplace<br />
By Aman Johal, Lawyer and Director of Your Lawyers<br />
In the last few years, we have seen unprecedented levels of data breach activity, with cybersecurity<br />
attacks compromising the personal data of hundreds of millions of people globally.<br />
Modern technology provides businesses with a revolutionary and sophisticated infrastructure for data<br />
access and sharing. However, with this increase in accessible data comes the need for increased<br />
responsibility, and the key priority for businesses should be to properly protect the personal information<br />
they hold.<br />
Why cybersecurity training must be a priority for businesses in 2020<br />
Employees must be sufficiently educated and upskilled in the area of data protection, including<br />
understanding how best to avoid errors that can lead to a data breach, and what to do in the event of a<br />
cybersecurity attack. The importance of educating staff must never be underestimated – if they are not<br />
provided with adequate training on how to protect data and avoid leaks, they are liable to end up causing<br />
one themselves.<br />
In 2019, US home-security camera provider Wyze Labs suffered a data breach, where camera<br />
information, Wi-Fi network details and email addresses of 2.4 million customers were exposed. The<br />
breach, which lasted a staggering 23 days, was caused by an employee’s mistake. The Equifax breach is<br />
another data breach caused by human error that was entirely preventable; another example of a clear lack of<br />
awareness of even the most elementary security procedures.<br />
Research has shown cybercrime costs UK businesses an estimated £21 billion per year, while also<br />
finding that email security and employee training are listed as the biggest issues faced by IT security<br />
professionals. Upskilling employees through cybersecurity training may appear to cost a significant<br />
amount of resources in the short term but it is likely to pay dividends in the long run. Businesses must<br />
implement strategies and recruit skilled personnel to ensure the entire company is adhering to data<br />
protection regulations. The introduction of the GDPR not only makes their duties more stringent, but it<br />
also gives the public greater awareness and clarity as to how their data should be securely stored and<br />
treated.<br />
The risks of a data breach and how to negate them<br />
The legal and financial implications of breaching data privacy laws can be cataclysmic. If a business is<br />
found to be in breach of the GDPR regulations, it could be liable for compensation claims and regulatory<br />
fines. Competition across a range of markets could be shaped by such breaches – the 2018 BA scandal<br />
could see an estimated combined pay-out figure of £3bn, and a provisional intention to fine the sum of<br />
£183m has been issued by the ICO. Those who are subject to financial and reputational damage that<br />
arises as a result of poor data protection practices and a lack of staff training could lose market share<br />
and even run the risk of going out of business.<br />
If a business experiences a data breach, it needs to consider the severity of the incident and whether it<br />
will have a significant impact on those affected. If there’s a big enough risk and impact, the offence must<br />
be reported to the ICO, who then has the power to prosecute for breaches of the law. ICO investigations<br />
can even lead to staff losing their jobs and facing serious criminal charges for deliberate or reckless<br />
breaches, and the impact of such breaches can also be felt by the employer.<br />
The impact of the misuse or exposure of information for the victims can be life-changing, and it is<br />
important that people’s rights are clearly understood. If impacted by a data breach, the victim may be<br />
able to claim compensation for any emotional distress caused, as well as for any financial losses incurred<br />
too. However, the recent Google ruling means that there’s now the ability to claim purely for being the<br />
victim of a data breach.<br />
Moving forward, businesses must do all they can to protect the personal data they hold, and this starts<br />
with ensuring that their staff are sufficiently trained in data protection and cybersecurity. The increasing<br />
reliance on cloud technology and accessible data means there are even more vulnerabilities to<br />
cybersecurity attacks. When employees feel confident through training and are completely aware of the<br />
risks, they’ll be less likely to make the kind of mistakes responsible for the Wyze Labs and Equifax<br />
breaches.<br />
About the Author<br />
Aman Johal, Lawyer and Director of Your Lawyers.<br />
Aman founded consumer action law firm Your<br />
Lawyers in 2006, and over the last decade he has<br />
grown Your Lawyers into a highly profitable litigation<br />
firm.<br />
Your Lawyers is a firm which is determined to fight on<br />
behalf of Claimants and to pursue cases until the best possible outcomes are reached. They have been<br />
appointed Steering Committee positions by the High Court of Justice against big corporations like British<br />
Airways - the first GDPR GLO - as well as the Volkswagen diesel emissions scandal, which is set to be<br />
the biggest consumer action ever seen in England and Wales.<br />
Aman has also successfully recovered millions of pounds for a number of complex personal injury<br />
and clinical negligence claims through to settlement, including over £1.2m in damages for claimants in<br />
the PIP Breast Implant scandal. Aman has also been at the forefront of the new and developing area of<br />
law of compensation claims for breaches of the Data Protection Act, including the 56 Dean Street Clinic<br />
data leak and the Ticketmaster breach.<br />
Be Wary of Cybercriminals This Valentine’s Day<br />
Cybercriminals See Red<br />
By Claire Umeda, Vice President of Marketing, 4iQ<br />
Valentine’s Day is here, and as many of us make plans with our better halves, many others will<br />
increasingly turn to dating sites or dating apps in search of love. These services regularly report spikes<br />
in usage near Valentine’s Day – Tinder alone saw a 20 percent surge on February 14, 2017. The nature<br />
of these sites and apps necessitates that users input basic background information – age, location, likes<br />
and dislikes, etc. It is for this very reason that dating services are often treasure troves of personal data.<br />
In other words, if no one else finds you attractive this Valentine’s Day, just know that a cybercriminal<br />
surely will.<br />
Hacking in the dating world has become increasingly common. 2015 saw the infamous Ashley Madison<br />
data breach, two years ago Grindr was revealed to have exposed millions of users’ data, and last year<br />
OkCupid ran into trouble. And don’t expect it to end there – according to a WhiteHat security report, 85<br />
percent of mobile apps contain cybersecurity flaws in data storage, communication, or authentication<br />
practices (and after all, everything is mobile these days). Many of these services even lack basic two-factor<br />
authentication, which is one of the simplest measures a company can take to help prevent such<br />
breaches.<br />
Cyberattacks have undergone a remarkable evolution over the years. In the past, they were most<br />
commonly associated with direct attacks on an individual’s personal computer – viruses copying files,<br />
locking you out of your account, or spamming the user with window popups, etc. As malicious as those<br />
were, they were rarely profitable. These days, the first thing people tend to think of is usually identity<br />
fraud, which is still a serious threat. Many of these online dating services require payments, meaning<br />
they might have credit card information. At the very least the services require passwords, which users<br />
often reuse between their various online accounts, including financial ones.<br />
That’s bad enough, but the trend with exploiting dating websites has grown much darker.<br />
Ashley Madison, a dating site marketed to those already in a relationship looking to have affairs, was the<br />
first large-scale hack of the new variety. The breach was not an exercise in financial fraud – they weren’t<br />
trying to get to your bank account. Rather, the hacker’s mode of attack was not ‘finance,’ but ‘trust.’ By<br />
threatening to publicize the identities of Ashley Madison users, the hackers were able to leverage the<br />
data breach in at least two ways. First, they did irreparable damage to the Ashley Madison brand, which<br />
the hackers castigated as being explicitly immoral. Second, they extorted certain users for monetary gain,<br />
and were able to do so over a longer period of time as victims were less likely to go to the authorities<br />
since that would have brought attention to the very extra-marital activities that they wanted to keep secret.<br />
Grindr was previously in hot water as well, notably for failing to encrypt much of its store of users’ personal<br />
data, including messages, location – and HIV status. What’s more, Grindr itself was found to have been<br />
sharing this data with various analytics companies, compounding the possibility of such sensitive<br />
information getting exfiltrated. Again, the threat is not that such information is financial in nature, but that<br />
it concerns trust. Knowledge of users’ HIV status could be used, much like with the data from Ashley<br />
Madison, for the purposes of harassment or extortion.<br />
Last Valentine’s Day, it came to light that a number of OkCupid users had complained of account hacks.<br />
As on most dating sites, the users on OkCupid are able to privately message each other, often for the<br />
purposes of exchanging contact information and, ideally, meeting up in the real world. This offers a<br />
convenient avenue for hackers to gain access to phone numbers and even street addresses. Once the<br />
cybercriminals have such leads, they can engage in targeted harassment, with the ultimate goal of<br />
extorting money.<br />
Fortunately, there are some steps you can take to safeguard your personal information while on the quest<br />
for love. First, avoid providing too much personal information. If you want to establish contact with<br />
someone outside of the dating app, it’s better to give them something like your WhatsApp name rather<br />
than your cell phone number. Also, make sure to use unique, strong passwords. Alarmingly, 79 percent<br />
of passwords are weak or reused, and around 75 percent of individuals do not change their passwords<br />
unless the service they’re using either suggests it or forces them to do so. Finally, the Better Business<br />
Bureau has published a list of potential dating scams with tips on how to spot and avoid them – take a<br />
look to help keep yourself safe this Valentine’s Day.<br />
Lately, more and more people are finding love online. But finding a date shouldn’t come at the expense<br />
of getting hacked or scammed. Enjoy yourself this Valentine’s Day, but remember, (digital) protection is<br />
important.<br />
About the Author<br />
As VP of Marketing at 4iQ, Claire Umeda leads go-to-market<br />
strategies, product marketing, sales enablement and brand<br />
management. She is also the lead editor of the 4iQ Identity Breach<br />
Report.<br />
Prior to joining 4iQ, Claire has held senior and executive marketing<br />
and product positions for startups in the security, communications,<br />
data management and social gaming spaces. Companies include<br />
API.AI (now Dialogflow) seeing the company through acquisition by<br />
Google, Aerospike, AlienVault (now AT&T), Rivet Games, FooMojo,<br />
Inc., and enCommerce, Inc. (Now Entrust Technologies).<br />
Claire's greatest strengths are her curiosity, creativity and tenacity.<br />
She thrives on challenges to align marketing initiatives with company goals, emerging trends, customer<br />
desires and technical realities. As a full-stack marketer, Claire enjoys building a marketing team and<br />
infrastructure from the ground up, and scaling it into an efficient and effective lean and powerful machine.<br />
Claire holds a bachelor's degree in Journalism from San Jose State University with a minor in theater<br />
arts and is a SCRUM certified product owner. She lives in Silicon Valley with her loving partner and<br />
daughter where she races at a snail's pace to get to where she needs to be. She is also a first degree<br />
black belt in WuShu, a Chinese martial art.<br />
The Benefits And Risks Of Modernizing Voting<br />
Technology<br />
By Jenna Tsui, Freelance Writer<br />
The 2016 elections showed us what we’ve always known. Our voting system and election process can<br />
be and is vulnerable, not just to foreign interference but also to more direct tampering. It’s something to<br />
consider as the voting system is revamped to include more modern and digital solutions.<br />
There are many benefits to implementing digital voting technologies, but there is also a tradeoff, as it<br />
opens up the entire system to more risk. How secure is a digital polling platform? Are the benefits worth<br />
the security and tampering risks?<br />
Why Electronic Voting?<br />
Before discussing new technologies and what the future might be like, it’s vital to get the lay of the land.<br />
Why does it matter if we use paper ballots as opposed to digital solutions? Why even upgrade the system<br />
if it works?<br />
The reality is that the current voting system is incredibly burdensome. Many believe it’s why the United<br />
States is far behind other developed countries regarding voter turnout.<br />
In the 2016 elections, 56% of the U.S. voting-age population cast ballots. That number was a slight<br />
increase over the 2012 elections, yet it was lower than 2008’s record year.<br />
If you look at the inverse of that number, however, it’s quite alarming. An incredible 44% of the U.S.<br />
population did not participate in the 2016 elections.<br />
While there are many reasons why people don’t vote, one of the more prominent issues is that the entire<br />
process is much too involved. While voting is active, participants must visit a designated location, often<br />
at an inconvenient place and at odd hours. Depending on where the voting center is, there are usually<br />
long lines. It can make for a particularly unpleasant experience.<br />
The percentage of participants has been so low that it might be time we upgrade the entire process for<br />
good.<br />
The Future of Voting Technology<br />
Imagine voting for the next President, on your phone, in the comfort of your own house? You never have<br />
to leave, you don’t have to wait in long lines, and you don’t even have to socialize.<br />
That could very well be the future of voting. Or, at the least, just one of many, modern ways to participate<br />
in elections.<br />
A startup called Voatz already has an app that will allow users to participate in official elections via their<br />
mobile devices. It verifies the identity of voters with the help of biometrics, which involves scanning a<br />
fingerprint or using facial recognition. The technology has already been used in 54 elections across the<br />
country, including in West Virginia, Utah and Denver.<br />
Mobile voting isn’t just about convenience for the people back home, however. It will also allow active<br />
overseas military the chance to participate in the upcoming elections.<br />
Beyond mobile voting, the kiosks at voting centers may also see an upgrade to digital form. Electronic<br />
poll books and electronic voting hardware would significantly improve traditional operations.<br />
Part of what takes so long during voting is that participants have to collect their ballots, go to a kiosk and<br />
mark their votes, and then drop their ballots off at the appropriate area or counter. With modern voting<br />
technology, all of that is handled digitally. Voters are served a blank ballot immediately upon interacting<br />
with a kiosk. Then, when they’ve finished voting, the digital ballot is either sent or synced to the necessary<br />
server.<br />
In either scenario — mobile voting and digital kiosks — the waiting times are cut significantly at official<br />
voting centers. It’s also likely that many more people would participate because not as much effort is<br />
required to vote. Just open a mobile app, mark your choices and send it off.<br />
Counting votes digitally is much faster, for obvious reasons. It also allows for a more accurate real-time<br />
reporting opportunity for voting stats. You can see up-to-the-minute numbers as the votes come pouring<br />
in. No waiting around for ballots to be tallied up, and no missing or lost ballots which also means recounts<br />
are unnecessary.<br />
What Are the Risks?<br />
The problem with going digital, and bringing the voting system online — which is necessary for mobile<br />
voting solutions — is that it opens up the entire system to cyber-attacks. Cybersecurity is a major concern<br />
in just about every industry today, and it has everything to do with the adoption of new technologies.<br />
Could a mobile voting system be hacked? Are mobile devices and smartphones even secure enough to<br />
be used as voting access points?<br />
Imagine, for a moment, it’s election time and you have the mobile voting app installed on your device.<br />
You’ve already registered to vote, everything is set up and you’re merely waiting for the polls to go active.<br />
Just before you get the chance, you misplace your phone, leaving it at a local bar or perhaps even<br />
forgetting it at a restaurant. Someone else could pick up your phone and access everything on it, including<br />
the voting app. Is it possible to prevent such a thing from happening?<br />
With the Voatz mobile app, the solution is to utilize biometrics to prevent unauthorized access. That means<br />
someone that either steals or finds your phone cannot merely log in and cast a vote. It’s an excellent<br />
start, but what about the phone and digital content itself? How secure is a smartphone?<br />
The NotCompatible virus infects over 10,000 cell phones per day in the United States. It’s a malicious<br />
hack that allows someone to seize control of the infected phone and remotely operate it. Symantec traced<br />
one of the hackers that utilized the virus and found they had taken control of over 200,000 cell phones,<br />
earning a profit of $1 million a year. The hacker achieved this by subjecting the infected devices to ads<br />
and paid videos.<br />
It shows that hackers can not only take control of mobile devices but also use them to turn a profit or<br />
accomplish a particular goal. Looking at voting solutions explicitly, hackers could absolutely seize control<br />
of the hardware and influence the results. They could do the same with on-site electronic voting tools and<br />
hardware, too.<br />
It all comes down to information security, and whether or not the solutions can be adequately locked<br />
down. No system or computer is unhackable. However, it’s entirely possible to slow down the process<br />
and eliminate most events with the right security measures. By using data encryption, for example, data<br />
can be securely transmitted even via wireless networks.<br />
It just means that as we upgrade our voting technologies, we must take precautions to protect not only<br />
the hardware but any related data, as well.<br />
About the Author<br />
Jenna Tsui is a cybersecurity and technology writer.<br />
Previously, her works have been featured on MakeTechEasier,<br />
Technology Networks, and TechnoFAQ. To see more by<br />
Jenna, visit her blog The Byte Beat or follow her on Twitter.<br />
My name is Jenna and I’m a freelance writer for various<br />
publications. I manage The Byte Beat with my colleague, Caleb,<br />
where we create technology content for people interested in<br />
news about technology.<br />
Jenna can be reached online at https://twitter.com/jenna_tsui and at http://thebytebeat.com/<br />
Why Zero Trust Isn’t So Trustworthy<br />
By Benny Lakunishok, CEO and co-founder of Zero Networks<br />
Everyone agrees a zero trust network model is the optimal way to protect your network. But can you<br />
really reach the goal of having every single network connection in your organization go through that<br />
zero trust network model? If so, at what cost and effort?<br />
While we all want to lock down the network and implement zero trust, to date, it has been impractical to<br />
accomplish. Current implementations have forced you to make tradeoffs between airtight security,<br />
affordability and scalability. You can have one, maybe two, but not all three.<br />
For example, you can restrict access for each and every user and machine to achieve airtight security,<br />
but this requires either committing significant time and resources to deploy, manage and maintain, which<br />
is not affordable, or reducing the scope of that enforcement, by focusing on implementing zero trust for<br />
only specific, critical sections of the network or resources.<br />
If you want to minimize the amount of time and effort you have to spend to keep complicated router ACLs,<br />
firewall rules or other network access controls up to date for your entire network, you have to be okay<br />
with less granular, more lenient security. Either way, you have to give up something, which means you<br />
are not getting a zero trust model at scale that you can really trust.<br />
Requirements for a Sustainable Zero Trust Networking Model<br />
What’s needed is a way to automate the deployment, management and maintenance of network access<br />
policies, so there is no need for constant IT intervention. Consider an organization with 10 sites, 25,000<br />
clients and 2,000 servers. If they want to achieve a zero trust stance they need to restrict access for each<br />
and every one of these clients and servers. The process of manually creating network access policies,<br />
tailor-made for the needs of each and every user and device, simply doesn’t scale – the process needs<br />
to be automated. What’s required is an easy, automated self-service way for every user and machine in<br />
your network to get only the access they need, nothing more.<br />
Enter Zero Networks – Enabling Airtight, Affordable Zero Trust at Scale<br />
We built the Zero Networks Access Orchestrator to deliver the speed and ease of use you require to<br />
make an airtight zero trust stance achievable at scale. Our goal is to ensure all users and machines within<br />
the network are only allowed to access the resources they require to do their job, with the click of a button.<br />
How do we do it? The Zero Networks Access Orchestrator integrates with your existing IT, networking<br />
and cybersecurity infrastructure to observe and create an accurate map of all the communications within<br />
your network. After enough data has been gathered, the Access Orchestrator uses a patent-pending<br />
method to automatically create user- and machine- level perimeter policies that use your existing<br />
infrastructure to confine access to only what they need. There are no agents for IT to deploy or manage,<br />
no policies to continuously update.<br />
When a user needs access to new resources or assets they will only need on rare occasions, they can<br />
get it, using a standard two-factor authentication process that confirms their request is legitimate. The<br />
Zero Networks Access Orchestrator will then automatically incorporate the additional access requirement<br />
into the policies for that user or machine to ensure they can securely go about their business.<br />
In addition, the Zero Networks Access Orchestrator makes sure that if a user or machine stops using a<br />
given resource their permission to access that resource will be revoked after a configurable amount of<br />
time. There is no need for IT intervention. Zero Networks does it all for you.<br />
Prior to deployment, Zero Networks presents live simulations that give you an accurate readout of the<br />
effect the new zero trust network model will have on each user and machine in your network. This ensures<br />
you know exactly what will be implemented, so there are no disruptions.<br />
Malicious entities, on the other hand, will be prevented from moving freely inside the network. Zero<br />
Networks shuts down many of the internal attack vectors that plague organizations, such as network<br />
discovery, lateral movement, remote execution, commodity malware propagation, and ransomware<br />
propagation. Even if an attacker obtains credentials from the most privileged accounts, such as those of<br />
an administrator, they will be contained to only a limited set of resources.<br />
As a result, you finally have a way to quickly and efficiently establish and maintain an airtight zero trust<br />
network model at scale. For more information or a demo, please visit www.zeronetworks.com.<br />
About the Author<br />
Benny Lakunishok is the co-founder and CEO of Zero Networks,<br />
which is making an airtight zero trust model at scale a reality for<br />
enterprise networks. Lakunishok has been in cybersecurity for more<br />
than a decade. He was part of the leadership team of Aorato, which<br />
was a hybrid cloud security company, acquired by Microsoft. He<br />
went on to lead the product team in Microsoft responsible for the<br />
Aorato technology, as well as the team that integrated Microsoft’s<br />
acquisition of Hexadite into the portfolio. Prior to Aorato, he was a<br />
senior premier field engineer for Microsoft and in the security team of an elite intelligence unit within the<br />
Israeli Defense Forces. He holds a BS in computer science from the College of Management Academic<br />
Studies in Israel.<br />
Mastering Automation to Solve Data Security for<br />
Healthcare Practices<br />
If the Biggest Organizations Can’t Keep Our Data Safe, Then How Can a Small One?<br />
By Anne Genge, CEO, Alexio Corporation<br />
One of the greatest challenges of the 21st-century is cyber-security. Billions of personal records are<br />
already being sold on the dark web. Breach fatigue has already set in, at a time when it’s more crucial<br />
than ever for every citizen of the world to be paying attention.<br />
While people in general are indeed worried about having a breach, they are generally more interested in<br />
the security of their money than their information. When we look at personal health information - this is<br />
some of the most sensitive details about an individual, and yet it’s some of the least protected. In addition,<br />
it’s not like a credit card that can simply be replaced. Once your secrets are out there, there’s no ‘pull<br />
back’.<br />
Big Organization May Equal Big Budget, But That Doesn’t Equal Secure Data<br />
Hospitals and large organizations with big budgets, CISOs, and cyber teams still can’t keep personal<br />
health information safe, so what does that look like at – say - a dentist’s office? Healthcare practices such<br />
as dentists, physicians, and other ‘fee for service’ type clinics have a legal duty to protect health data the<br />
same as larger organizations, but they can’t. They don't have access to the same kinds of resources.<br />
Additionally, they score very low on security awareness.<br />
It’s not surprising, then, that when we do security risk assessments, these practices score very low; only<br />
9% pass minimum requirements. Some healthcare providers have under-skilled IT support, some are<br />
simply paralyzed, and others don’t understand the ROI.<br />
Automation Facilitates Efficiency, Better Protection, & Reduces Costs<br />
“We are all patients somewhere and we all deserve to have our sensitive personal health information kept<br />
private. This is a basic human right. A healthcare organization cannot simply ignore this because they<br />
can’t find the budget. This needs fixing, and we’re doing it.” Anne Genge, CEO, Alexio Corporation.<br />
A solution was needed to fill this massive void. From inside VentureLab at IBM Canada emerged Alexio.<br />
Alexio started leveraging automation in every corner of its operations to solve the problem of cybersecurity<br />
in healthcare practices. Today, healthcare practices across Canada benefit from world-class<br />
cyber-security and training in a subscription-based model affordable to any size practice. Even healthcare<br />
practices with just one computer can protect their patient data with the same rigor as a bank.<br />
About the Author<br />
Anne Genge is the CEO and co-founder of Alexio Corporation.<br />
She and her team of certified privacy and security professionals<br />
help dentists, physicians, and other healthcare providers to<br />
secure their data & systems, comply with privacy laws &<br />
regulatory college mandates. She is a firm believer that good<br />
training in cyber-security is the key to protecting not just her family<br />
and clients, but also government bodies and major corporations.<br />
To this end, she has partnered with many organizations, including<br />
the Canadian Dental Association, to produce training in order to<br />
reduce the frequency of human error resulting in a security<br />
breach.<br />
Anne can be reached online at anne@getalexio.com and at our company<br />
website https://getalexio.com<br />
DevOps ― Are You Risking Security for Agility?<br />
By Morey Haber, CTO & CISO, BeyondTrust<br />
By merging software development and IT operations ― two traditionally mutually exclusive functions ―<br />
DevOps has fundamentally transformed how today’s organizations develop, operate and maintain<br />
applications across their environment. It is easy to see the allure of DevOps ― through rapid iteration<br />
and automating processes at scale, DevOps teams can bring high-value applications to the organization,<br />
giving them the agility that is a critical success factor in today’s fast paced world.<br />
But in their haste to adopt DevOps, several organizations gloss over the security challenges that this<br />
methodology of application delivery introduces. As a consequence, DevOps practices often widen the<br />
attack surface and increase the enterprise’s risk of data exposure. So why is it so challenging then, for<br />
IT teams to secure DevOps environments? What makes DevOps security different from more traditional<br />
IT security?<br />
Prioritizing speed over security<br />
Speed and agility lie at the core of DevOps ― DevOps teams work incredibly fast to deliver applications<br />
in line with compressed, and often unrealistic, timelines. These teams thrive in an environment of ad-hoc<br />
tooling with an emphasis on intense code sharing and automation at every step. While these practices<br />
do allow teams to deliver business-critical applications quickly, they do also create a plethora of security<br />
shortcuts. It is a real challenge for security teams to integrate traditional security into the DevOps pipeline<br />
as traditional tools force developers to change the way they work and slow down their pipeline, resulting<br />
in low tool adoption.<br />
Excessive use of privileges<br />
To expedite the process of delivering code, DevOps teams often circumvent or even override critical<br />
security safeguards. For example, humans and machines within DevOps environments are afforded<br />
much higher levels of privilege compared to traditional development and operations environments. It's<br />
not unusual — and one might argue, it is even standard practice — for developers to share private keys<br />
and credentials with colleagues for quick access. This negligence vastly expands the attack surface ―<br />
primarily in the form of insider threats, whether malicious or accidental ― while also complicating the<br />
process of creating clean audit trails.<br />
Within applications, developers may hardcode passwords so they can easily be found locally or on<br />
repositories such as GitHub, Bitbucket, and others. Some of the other widely used practices for storing<br />
credentials include config files and Excel spreadsheets, both of which are highly insecure. These risky<br />
practices have significantly increased secrets sprawl in the enterprise, creating dangerous backdoors for<br />
savvy hackers, and once again, expanding the attack surface.<br />
Cultural challenges<br />
Don’t get me wrong. My intent is not to dissuade organizations from adopting DevOps ― there's hardly<br />
anything wrong with this highly collaborative, iterative, and open approach to coding. In fact, given its<br />
high yield of valuable applications and features, I would argue that it's certainly a culture that organizations<br />
should foster.<br />
But as the "shift left" practice, at the core of the DevOps philosophy, moves security to be considered<br />
earlier in the process, it's painfully evident that traditional security tools are not capable of securing these<br />
DevOps environments. Developers need solutions that adapt to their workflows and highly collaborative<br />
environments. Lightweight applications that leverage code to deliver robust security, using developer-preferred<br />
UIs such as CLI and APIs, will see more successful adoption as compared to traditional<br />
security-minded GUIs.<br />
So, given that most organizations are ramping up investment in DevOps, how can they mitigate these<br />
challenges?<br />
Establish strict controls<br />
As organizations accelerate the adoption of DevOps, enterprise security requirements must evolve to<br />
ensure they cover all environments, including DevOps. The new requirements should mandate the<br />
creation of a centralized repository for management of credentials and secrets (more on that later) and<br />
control user ability to share credentials. They should also completely eliminate hardcoded credentials<br />
and passwords from scripts and prevent the storage of secrets or passwords in config files, Excel<br />
spreadsheets or other repositories not explicitly built for security.<br />
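One way to enforce the "no hardcoded credentials in scripts or config files" control described above is a scanner that runs before code is merged. The following is an added example, not code from the article or from any vendor; the file names, sample contents, rule names and the `fetch_secret` helper in the sample script are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Credential-like key, then ':' or '=', then the first token of the value.
ASSIGNMENT = re.compile(
    r"(?i)\b([\w.-]*(?:password|passwd|pwd|secret|token|api[_-]?key)[\w.-]*)"
    r"[\"']?\s*[:=]\s*[\"']?([^\"'\s#,]+)"
)
# scheme://user:password@host style connection strings.
URL_CREDENTIAL = re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]+)@")
PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

# Values that point at the environment or a secrets manager rather than
# holding the secret itself: variable expansion, templates, calls, lookups.
CALL_OR_INDEX = re.compile(r"[A-Za-z_][\w.]*[(\[]")
NON_SECRETS = {"null", "none", "true", "false", "~"}


@dataclass
class Finding:
    file: str
    line: int
    rule: str
    redacted: str  # never echo the full secret into CI logs


def is_reference(value):
    """True when the value is fetched at run time instead of written in the file."""
    return value.startswith(("$", "{{", "<")) or bool(CALL_OR_INDEX.match(value))


def redact(value):
    return value[:2] + "******"


def scan_text(name, text):
    """Return one Finding per hardcoded credential found in a file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY.search(line):
            findings.append(Finding(name, lineno, "private-key", "[key block]"))
            continue
        rules = (("hardcoded-credential", ASSIGNMENT, 2),
                 ("url-credential", URL_CREDENTIAL, 1))
        for rule, pattern, group in rules:
            for match in pattern.finditer(line):
                value = match.group(group)
                if value.lower() in NON_SECRETS or is_reference(value):
                    continue
                findings.append(Finding(name, lineno, rule, redact(value)))
    return findings


def scan_files(files):
    """files maps a file name to its text; returns all findings in order."""
    return [f for name, text in files.items() for f in scan_text(name, text)]


# Constructed sample inputs: two files with literal secrets, one key file,
# and one file that reads its secret from the environment.
SAMPLE_FILES = {
    "deploy.sh": "\n".join([
        "#!/bin/sh",
        'DB_PASSWORD="Tr0ub4dor&3"',
        "export API_TOKEN=$(fetch_secret ci/token)",  # hypothetical helper
        'curl -u "deploy:$DEPLOY_PASSWORD" https://example.invalid/release',
    ]),
    "settings.yml": "\n".join([
        "database:",
        "  url: postgres://app:hunter2@db.example.internal/prod",
        '  password: "{{ vault_db_password }}"',
        "smtp_password: null",
    ]),
    "id_deploy": "\n".join([
        "-----BEGIN OPENSSH PRIVATE KEY-----",
        "(constructed placeholder, no key material)",
        "-----END OPENSSH PRIVATE KEY-----",
    ]),
    "app.py": "\n".join([
        "import os",
        'token = os.environ["CI_TOKEN"]',
    ]),
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.file}:{f.line}: {f.rule} ({f.redacted})")
    # A non-zero exit status lets a pipeline step block the merge.
    raise SystemExit(1 if results else 0)
```

Lines that fetch the value from the environment, a template variable or a function call are deliberately not flagged, since that is the pattern a centralized secrets store produces.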
Centralize secret management<br />
As I touched on earlier, it is imperative for security teams to implement a centralized system for secrets<br />
management that will serve as an intermediary between the user ― be it a human or machine ― and the<br />
application, process, or tool they want to access. Use the centralized system to store all secrets used by<br />
DevOps practitioners, tools, and applications in a password safe and provide enforcement for access,<br />
credential complexity, and other basic tenets of privileged access management.<br />
Support adoption and agility<br />
Automation is key to DevOps teams’ ability to accelerate application delivery and minimize pipeline<br />
delays. Their agile workflows may be impeded by traditional security tools that work counter to their<br />
practices. So to ensure robust security, without compromising developers’ efficiency, organizations must<br />
adopt security solutions that leverage automation. Providing out-of-the-box integrations with common<br />
DevOps tools — Puppet, Jenkins, Ansible, Chef, Docker, Git, etc. — that can be managed through the<br />
developers' preferred interfaces, will guarantee higher adoption rates and enable greater agility in the<br />
DevOps process.<br />
DevOps is no longer a buzzword — faced with the pressure of staying one step ahead of the competition<br />
and delivering unmatched experiences, organizations across the globe are making DevOps a central part<br />
of their IT strategies. However, unmanaged credentials and secrets sprawled across DevOps<br />
environments increase the number of attack vectors, creating easy targets for bad actors. Against this<br />
backdrop, what organizations need is a centralized administration solution — one that can address the<br />
requirements of complex enterprise environments but is also easy to adopt by DevOps teams.<br />
About the Author<br />
With more than 20 years of IT industry experience and author<br />
of Privileged Attack Vectors and Asset Attack Vectors, Mr.<br />
Haber joined BeyondTrust in 2012 as a part of the eEye Digital<br />
Security acquisition. He currently oversees the vision for<br />
BeyondTrust technology encompassing privileged access<br />
management, remote access, and vulnerability management<br />
solutions, and BeyondTrust’s own internal information security<br />
strategies. In 2004, Mr. Haber joined eEye as the Director of<br />
Security Engineering and was responsible for strategic<br />
business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye,<br />
he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta<br />
cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability<br />
Engineer for a government contractor building flight and training simulators. He earned a Bachelor of<br />
Science in Electrical Engineering from the State University of New York at Stony Brook.<br />
Juggling Your Clouds<br />
Managing the Federal Government’s Multi-Cloud Future<br />
By Cameron Chehreh, Chief Technology Officer, Dell Technologies Federal<br />
Driven by the recent Cloud Smart initiative, federal agencies are prioritizing cloud and on track to spend<br />
$7.1 billion on the cloud in fiscal 2020. To better meet varying mission needs, agencies are adopting<br />
multi-cloud approaches that include a combination of clouds hosted on premises, in public clouds and at<br />
the edge.<br />
However, integrating public, private and edge solutions can seem like an impossible task—it’s one of the<br />
greatest IT challenges facing federal agencies. A recent study, “Juggling the Clouds: What Are Agencies<br />
Learning?” found three out of four federal IT decision makers say managing a multi-cloud environment<br />
will be one of their agency’s top challenges over the next five years. So how do we succeed?<br />
Multi-Cloud is Here<br />
The first step to successful multi-cloud adoption is for federal agencies to accept the model as the new<br />
normal.<br />
According to the report, the vast majority of federal IT decision makers (81%) say their agency already<br />
uses multiple cloud platforms. Still, agencies do not feel prepared to manage their current environments,<br />
largely because of added organizational complexity and silos, disparate M&O tools and inconsistent<br />
SLAs.<br />
Nearly half of the respondents agree their agency is not adequately preparing for their multi-cloud future.<br />
While some federal agencies are taking steps to prepare as they train their IT workforce for multi-cloud,<br />
implement access controls and establish a multi-cloud leadership team, there’s more work to be done.<br />
Hitting Roadblocks<br />
What is causing federal IT managers’ multi-cloud anxieties? Security concerns top the list at 41%, followed<br />
by data governance (38%) and interoperability issues (35%). As agencies begin their multi-cloud<br />
journeys, there is often a lack of in-house expertise that can add risk of misconfigurations or other critical<br />
errors. Further, as the cloud environment becomes larger, the attack surface can become even more<br />
complex.<br />
One way to address these concerns is to focus on consistency. Nearly all (89%) IT leaders say<br />
consistency is critical to connecting teams and processes across cloud platforms, but today just one in<br />
five rate the consistency of their multi-cloud environment’s operations and infrastructure as “very good.”<br />
HCI Helps Bridge the Gap<br />
As federal IT leaders consider the reality of their multi-cloud futures, many are looking for tools to help<br />
simplify and secure modern environments. Specifically, federal agencies want better integration with<br />
legacy infrastructures and advanced encryption/security features to further multi-cloud adoption. They<br />
need consistent infrastructure and operations to ensure a seamless experience across all platforms.<br />
Better integration is where hyper converged infrastructure (HCI) – consolidated compute, network, and<br />
storage in a software-defined solution – can help bridge the gap.<br />
While few have invested in HCI today (just 28%), those who have are reaping the benefits. Specifically,<br />
federal agencies mention improved backup and recovery capabilities (48%) and data sharing (45%).<br />
Most importantly, agencies using HCI feel significantly better prepared for multi-cloud.<br />
Team Mentality<br />
The study suggests that federal agencies focus on training, proof of concept systems and stakeholder<br />
communication for successful multi-cloud management. Federal IT leaders can mitigate risk and improve<br />
interoperability through connective, adaptive technologies designed to create a consistent experience<br />
across all cloud environments. With the help of HCI, agencies can create a modern, compound<br />
infrastructure that’s both secure and easy to manage.<br />
To learn more from other federal leaders managing multi-cloud, read the full report: Juggling the Clouds:<br />
What Are Agencies Learning? It provides additional insight and recommendations on how to balance<br />
multiple cloud solutions, putting your agency on the path to successful multi-cloud management.<br />
About the Author<br />
Cameron Chehreh is the Chief Technology Officer, Dell<br />
Technologies Federal. Cameron<br />
can be reached online at Cameron.Chehreh@dell.com<br />
and at our company website https://www.dellemc.com/enus/industry/federal/federal-government-it.htm<br />
Time Is of The Essence<br />
Combating False Alarms and Delayed Detection Is Key to Defeating Advanced Cyber Threats<br />
By Filip Truta, Information Security Analyst, Bitdefender<br />
Keeping your organization safe from cyber threats drains considerable resources if you don’t have the<br />
correct strategy. Surveys analyzing cybersecurity at companies big and small often conclude that IT<br />
departments are understaffed, budgets are tight, and that they lack the skills needed to combat advanced<br />
threats. But, while these hurdles are very real, it actually boils down to the solutions your organization<br />
invests in.<br />
Faced with sophisticated threats like APTs, fileless attacks, polymorphic malware and malicious insiders,<br />
your incident response team must be able to triage and investigate suspicious activities, responding<br />
adequately and rapidly. Studies show that, the longer IT takes to detect a breach, the more expensive<br />
the incident becomes.<br />
Traditional endpoint security solutions have a poor track record in prevention, and they are noisy and<br />
complex to operate effectively and efficiently. If your security operations center is forced to waste time<br />
constantly triaging alerts – half of which are typically false alarms – real threats eventually slip through<br />
the cracks, damaging your business and your reputation.<br />
Time is of the essence<br />
In a study by Bitdefender this year, 78 percent of infosec professionals said reaction time is the key<br />
differentiator in mitigating cyber-attacks. Asked how long it would take them to detect an advanced attack<br />
(i.e. one using a zero-day exploit), 28 percent of respondents said it would take a matter of days, 16<br />
percent said weeks, and 9 percent admitted it might take them up to six months.<br />
Security teams must not only identify the source of the attack, they must also be able to isolate it and<br />
stop it from spreading. An organization often needs to conduct a forensic investigation after a breach to<br />
meet regulatory requirements. So, how do we break down these barriers? More importantly, how do we<br />
cover all these weak spots without blowing our entire IT budget on security?<br />
The right people<br />
Today’s incident response teams are challenged by a dearth of resources and skills, which hampers their<br />
ability to address threats quickly.<br />
Three in 10 organizations have no dedicated security operations center (SOC). Of these organizations,<br />
81 percent said the biggest challenges created by the lack of an SOC are the ability to respond quickly,<br />
remediate potential threats, and investigate suspicious activity quickly. Meanwhile, 41 percent of those<br />
who lack a SOC find that reaction time and speed are the key differentiators for mitigating an attack.<br />
Companies with minimal IT resources and limited security expertise should consider outsourcing their<br />
endpoint detection and response. The Security Operations Center-as-a-Service (SOCaaS) model is a<br />
managed threat-monitoring service staffed by an elite team of experts tasked with detecting intrusions<br />
and responding to malicious activities that may otherwise go undetected. An outsourced SOC works with<br />
you to accelerate detection, prioritization, and the response to threats.<br />
The right tools<br />
If we are to address every kind of threat – from malware to social engineering schemes to insider threats<br />
– we not only need the right people for the job, but the right technology as well. Using their current security<br />
tools, only 3 percent of IT professionals say they can efficiently detect and isolate every advanced attack<br />
directed at them.<br />
40 percent of infosec workers agree that network traffic analytics (NTA) is a powerful approach to<br />
detecting cyber-threats early in the attack cycle. NTA augments your endpoint protection, detection and<br />
response investments to give the IT department visibility into network-borne threats while also keeping<br />
tabs on malware. An ideal NTA deployment uses semi-supervised machine learning methodology to<br />
identify key patterns and trends in live data flows to spot anomalies that may point to a developing threat<br />
with little need for human input.<br />
Endpoint Detection and Response (EDR) is also instrumental in keeping cyber threats at bay. Advanced<br />
detection and response solutions can show IT teams precisely how a threat works and its context in their<br />
environment, produce up-to-the-minute insight into named threats and malware that may be involved,<br />
and indicate steps to remediate or reduce the attack surface.<br />
Decision makers prospecting vendors would be wise to also consider solutions that leverage rich threat<br />
intelligence with contextual, real-time insights into the cyber-threat landscape, including unique and<br />
evasive malware, advanced persistent threats, zero-day vulnerabilities, hard-to-catch command and<br />
control (C&C) servers, reputation of files, URLs, domains and IPs. This living database delivers a<br />
continuous flow of actionable intelligence, eliminating a long-standing blind spot for security analysts.<br />
Regardless of infrastructure or business model, companies of all sizes have a plethora of options to<br />
strengthen their cybersecurity posture. Using a layered approach, IT decision makers can fill any gap in<br />
their cybersecurity strategy, optimize IT spend, and free their IT teams of endless false alarms and<br />
headaches.<br />
About the Author<br />
Filip Truta is an Information Security Analyst at Bitdefender. He has<br />
more than twelve years of experience in the technology industry<br />
space such as gaming, software, hardware, and security. He likes<br />
fishing (but not phishing), basketball, and playing around in FL<br />
Studio.<br />
Filip can be reached online at https://www.linkedin.com/in/filip-truta/<br />
and at www.bitdefender.com<br />
Drowning in A Sea of Threat Data? Consider A Curator<br />
By Rodney Joffe, Senior Vice President, Senior Technologist and Fellow, Neustar<br />
In the wake of increasing cybersecurity threats and data breaches, a whole host of network monitoring<br />
and threat intelligence tools have emerged to provide organizations with information on potential<br />
cybersecurity threats. However, many of these tools don’t effectively contextualize potential threats; they<br />
simply produce vast quantities of raw or general data that must then be analyzed.<br />
This creates huge inefficiencies, with security teams struggling to separate the important information from<br />
the noise. Drowning in threat data and faced with a constant barrage of false positive alerts, cybersecurity<br />
professionals are increasingly suffering from alert fatigue. In a survey of IT security professionals, the<br />
Cloud Security Alliance found nearly 32% admitted to ignoring alerts because so many were false<br />
positives. Additionally, more than 40% said the alerts they receive lacked actionable intelligence to<br />
investigate.<br />
Alert fatigue can lead not only to overlooking a genuine threat but also to employee burnout.<br />
This is a concern not just for the cybersecurity industry, which is already significantly understaffed, but<br />
also for the employer, who loses the time invested in that employee’s training and bears the additional<br />
cost of finding and training a replacement.<br />
Reducing alert fatigue and boosting job satisfaction<br />
A 2018 report from McAfee revealed that only 35% of respondents to a recent survey of global<br />
cybersecurity professionals were “extremely satisfied” in their current job, and 89% would consider<br />
leaving if offered the right incentives — and many of those “right” incentives related to workload: shorter<br />
or more flexible hours and a lower or more predictable workload. In addition, the survey found that<br />
security professionals tended to view threat hunting and resolving threats as the most rewarding part of<br />
their job, while day-to-day monitoring and analysis of logs ranked near the bottom.<br />
Considering the expanding threatscape and the serious shortage of qualified personnel to meet the<br />
industry’s needs, companies can take steps to offload the busywork of analyzing data and reorient their<br />
security teams to focus on more important tasks. A great way to alleviate these closely related problems<br />
— data overload, alert fatigue and burnout — is to improve quality control on security data. Better threat<br />
data allows security professionals to concentrate on high-value activities, making these individuals more<br />
efficient and effective as well as boosting their job satisfaction.<br />
Curated security threat data<br />
To properly defend against cyberattacks and block potential threats, organizations need security threat<br />
data that is timely, actionable, contextual to their industry and business— and that can provide the right<br />
insight into what is happening on their networks. In short, enterprises need curated threat data.<br />
Informed by a broad view of global networks, combined with behavioral analysis and pattern-based<br />
research, a data curator can provide highly contextualized, hyper-relevant and actionable insights into<br />
malicious activity via machine-readable threat data that can be ingested directly into an organization’s<br />
existing analytics platforms. By removing the grunt work of data contextualization, a curator removes<br />
much of the noise from the process, equipping network and application security tools with improved real-time<br />
awareness of active threats and enabling security analysts to direct their time and attention to the<br />
most relevant information.<br />
Minimizing risks such as spam and phishing attempts, strengthening brand protection through monitoring<br />
suspicious web traffic, and safeguarding against activities such as suspicious DNS tunneling attempts<br />
can all be achieved with access to curated security data. Benefits include the ability to preventively block<br />
threats at the network and application layer; improved monitoring and alerting of true positive deceptions,<br />
reducing the time spent researching false positives; and limited dwell times of infiltrations, speeding up<br />
detection and remediation.<br />
Conclusion<br />
Cybersecurity professionals are drowning in threat data, suffering from alert fatigue and burning out at<br />
an unprecedented rate, even as the demand for their expertise continues to rise amid a growing skills<br />
shortage. In turn, organizations don’t have the time, resources or manpower to monitor the entirety of the<br />
threat ecosystem for potential security threats. In a threatscape in which malicious actors are constantly<br />
shifting their strategies and attack vectors, enterprises must have a way to achieve data reduction without<br />
losing fidelity. Rather than playing whack-a-mole by responding to false-positive alerts, enterprises must<br />
maximize the efficiency and effectiveness of their security teams and enable them to counter the threats<br />
that matter most right now. The key — and the future of threat intelligence — is curated, actionable threat<br />
data.<br />
About the Author<br />
Rodney Joffe serves as a Neustar Senior Vice<br />
President and is a Senior Technologist and Fellow. His<br />
accomplishments include founding the first commercial<br />
Internet hosting company, Genuity, as well as the first<br />
outsourced and cloud-based Domain Name System<br />
(DNS) company, UltraDNS, where he invented Anycast<br />
Technology for DNS. Joffe has served on a number of the U.S. government’s cybersecurity intelligence<br />
panels and was the leader of the groundbreaking Conficker Working Group. Joffe is also the chairman of<br />
the Neustar International Security Council (NISC), which is comprised of an elite group of cybersecurity<br />
leaders across industries and companies who meet regularly to discuss the latest cyberattack trends.<br />
Analysing Data Using the Intelligence Cycle: An Overview<br />
By Alan Blaney, Managing Director of Focus Training<br />
When it comes to analysing different forms of<br />
intelligence, using a detailed and coherent process is<br />
crucial in order to determine the most accurate results<br />
possible. The intelligence cycle is a step by step process<br />
used by analysts to create intelligence and answer<br />
specific intelligence requirements. The cycle consists of<br />
collecting relevant information, analysing the information,<br />
interpreting it then providing an assessment and<br />
recommendations. The aim of using the cycle is for it to act<br />
as a tool that informs the decisions and planning of<br />
policy makers and commanders.<br />
Phase One: Direction<br />
The first phase of the cycle is ‘direction’. This initial phase is highly important as it gives the<br />
intelligence a starting point and provides the potential ways in which you can resolve or deal with any<br />
form of fraud or criminal activity, helping you to come up with a clear solution.<br />
Things to consider:<br />
Why? - Provide a clear background of the situation and why the intelligence is required.<br />
When? - You need to establish when the intelligence is required by.<br />
Importance - What level of urgency and importance does the situation hold? How much of a priority is<br />
the intelligence?<br />
How? - How is the intelligence to be provided? For example, oral briefing, written etc.<br />
Phase Two: Collection<br />
Once you have clearly identified the intelligence required in the ‘direction’ phase, and considered the<br />
potential ways in which you can address the situation at hand, you then need to move on to the ‘collection’<br />
phase. This stage of the cycle is focused on establishing the priorities and collecting the intelligence<br />
required in order to achieve your desired outcome. Once you have set clear objectives in the direction<br />
phase, you can then focus on how you plan to collect your data and sources to support you in achieving<br />
the results needed.<br />
Steps to focus on in the collection phase are:<br />
• Research - The first step to take is to research into what data already exists that may be able to<br />
assist with your investigation. This data must be readily available and come with minimal cost.<br />
These are classed as your sources.<br />
• Identify - After identifying what data already exists, you should then search for any gaps or<br />
missing data.<br />
• Formulate - Based on the data you have already collected so far, and depending on what else<br />
you will require, you should then formulate a collection plan.<br />
The first data you should search for is your ‘sources’ which are readily available pieces of data/information<br />
that are free, quick and easy to access. If you are unable to formulate data from your sources, then you<br />
need to utilise resources. What resources can you use to help you gather the evidence you require?<br />
Bear in mind that resources are likely to cost money, unlike your ‘sources’. At this point, you should ask<br />
yourself: what have you achieved with the knowledge and data you have so far? Provide a summary of<br />
the information and see where the data can be corroborated. Try to steer clear of obvious sources when<br />
looking for data as this information could easily be false. If you can’t corroborate the information, then<br />
you need to use a different strategy.<br />
The Triangulation of Intelligence Data<br />
Another process to consider during the collection phase, when it comes to analysing your data and<br />
sources is the triangulation of intelligence data.<br />
1. Someone provides you with brief information such as their name, job role etc.<br />
2. You can then go to the company’s registrations and verify that information. Where else can you get<br />
data to support and verify that this information is true?<br />
3. Follow this data footprint and search elsewhere to see if all of the information provided matches<br />
up.<br />
Phase Three: Evaluation<br />
Once you have collected the relevant data in the second phase of the intelligence cycle, you then need<br />
to obtain a measure of confidence in the data that you have collected. It’s important that you analyse how<br />
truthful, valid and reliable the source (person or system providing the information) is, and how reliable<br />
the information being provided by that source is.<br />
The following stages are significant to work through in the evaluation phase:<br />
1. Source evaluation - you need to evaluate the source to see whether they are reliable.<br />
2. Information evaluation - you need to then evaluate the information provided by the source, using<br />
a grading matrix.<br />
3. Data dissemination - you should then consider the handling and sharing of data once the<br />
previous two steps have been taken.<br />
Using ‘A,B,C,D,E’ you can put the source into different gradings to measure how reliable it is. Then go<br />
on to the information the source is supplying and follow a numbered scale to further test the validity of<br />
the data. As a result, you should then have two measures of how you can qualify/validate the source and<br />
data.<br />
Measure of source: A, B, C, D, E<br />
Measure of information: 1, 2, 3, 4, 5<br />
Data dissemination is the next area to focus on. You need to consider the potential risks of sharing the<br />
data you now have that can be validated, quantified or qualified.<br />
Phase Four: Analysis<br />
Sometimes referred to as the ‘processing phase’, the analysis phase consists of the evaluation of the<br />
information you have collected, in order to understand it. This is when you should query the raw data and<br />
information you have collected in the previous steps, in order to come to a conclusion that fulfils the<br />
information requirement. In order to do so, analysts must understand the problem in detail and know<br />
exactly why the information is required, and how it will be used.<br />
This phase is focal to problem solving, as the more available information you have gathered, the stronger<br />
your understanding will be of the situation. During this phase, you need to spend time looking at all of the<br />
information available to help determine its meaning, and then analyse it applying different lenses to derive<br />
the meaning. This phase draws to a close by concluding assessments from the data you have collected,<br />
often in the form of recommendations or advice.<br />
Phase Five: Dissemination<br />
The final phase of the intelligence cycle is the ‘dissemination phase’. This phase is important as it focuses<br />
on the presentation and delivery of the intelligence, and allows you to form the intelligence and<br />
assessment together to answer your initial information requirement. Your main focus during the<br />
dissemination phase should be the format that gets the information across most effectively. The<br />
intelligence is best disseminated in either:<br />
• An oral briefing - this enables the analyst to provide a more in-depth overview of the intelligence<br />
and findings providing much more detail through questions. It also means the information can be<br />
broken down in a more understandable way.<br />
• Written form - this form allows the intelligence to be disseminated to the client/customer to digest<br />
at their own discretion.<br />
Once all of these phases have been completed, you have covered every aspect of the intelligence cycle<br />
and should have come to a conclusion that matches up to the aims you set out in the initial direction<br />
phase. If you feel you haven’t achieved the objectives you set out, you need to figure out which phase<br />
needs to potentially be revisited to help you gain the result or information you require.<br />
About the Author<br />
Alan Blaney is the managing director of Focus<br />
Training and specializes in providing businesses<br />
worldwide with fraud prevention, intelligence and<br />
cyber security training. With over 20 years of<br />
experience within the cyber security industry, Focus<br />
Training have established themselves as the UK’s<br />
leading providers of fraud, theft and security training<br />
courses.<br />
Alan can be reached online at https://www.linkedin.com/in/alanblaney1/ and at our company website<br />
http://www.focustraining.co.uk/<br />
You can also view our infographic series on the Intelligence Cycle here - http://blog.focustraining.co.uk/<br />
Cyber Defense and Cultural Heritage<br />
By Milica D. Djekic<br />
Let’s look back several centuries in the past and try to imagine what technologies the people of that time<br />
might have used in their lives. If we inspect some representative archeological sites, we would notice<br />
that the common people of the period might have used the dishes and tools typical for their area as<br />
well as their period of history. Also, there would likely be other indications about their habits, activities<br />
and routines, perhaps even in written form using some alphabet or characters.<br />
From that point of view, it may appear that humankind has led a vigorous and exciting life throughout<br />
history even if they did not know anything about the electricity or cyber technologies we know today. Even<br />
life illuminated by candles is not necessarily a dull one, but rather full of events, thoughts and emotions,<br />
as sometimes shared in someone’s diary or personal book. It would seem that folks who lived before us<br />
have left us the real treasure of valuable objects, witnessing and memories that would nowadays be<br />
widely used in historical movies and the other epic documentaries. Still, it’s widely believed that only<br />
today do we live at a fast pace and that’s the reason to see our predecessors as less active than we are in<br />
the present.<br />
The fact is that life has been both active and hard at all times. It is well-known through the history of the<br />
entire world that life has been turbulent and full of migrations, wars and conflicts. Sometimes it’s quite<br />
interesting to consider the weaponry of your fathers and figure out how skill-intensive their training must<br />
have been. Apparently, in comparison to today’s endeavors the activities of the past could be looked upon<br />
as funny and childlike, but there could have been entire engineering teams of yesterday that would be<br />
capable of designing a wide range of tools, buildings and houses. As Charles Darwin would suggest, the<br />
only thing that separates us from the other primates is our mental evolution, which has made us<br />
the most superior species on planet Earth.<br />
On the other hand, if we observe these things from today’s perspective – we can realize that even now<br />
we are still in a phase of our development and there are a lot of questions in our surroundings that should<br />
get answered. The fact is that every new answer opens up a new question, and as we progress our<br />
Pandora’s box grows bigger and bigger. Simply try to remember Arthur C. Clarke and his Space<br />
Odyssey giving such daring prognoses about what we can expect in the future. Maybe his brave<br />
predictions will turn out to be true in our own time, but if we try to consider future millennia we would<br />
see that those times could bring us many more fascinating discoveries such as teleporting machines,<br />
time-traveling devices and the ability to cruise at the speed of light.<br />
With this perspective, try to compare your current tablet or Smartphone with those projections and figure<br />
out how the people of the future might see our rapid-pace lives and believe that we are living in such a<br />
progressive period of time. If we really get the capacity to create a time machine, everything we have<br />
today would seem as naive and childlike as is now the case with our modern perspectives about our<br />
past. In other words, once we start conquering the Galaxy probably our third rock from the Sun would<br />
appear as one huge archeological site that would offer amazing cyber technologies as its cultural<br />
heritage. Imagination could lead us far away, and just as we have regions on our planet with<br />
cultural and historical diversity, in a few millennia we could talk about planets and satellites<br />
that would also offer us a world of colorful nature. The human mind has limitless capabilities and<br />
it’s quite clear that nothing will remain static in the coming times, so that’s why we need to get prepared<br />
for the future.<br />
What is cultural heritage?<br />
If we talk about cultural property, we have in mind any object recognized for its historical and artistic value.<br />
Cultural heritage is an ongoing security topic, and big policing networks such as Interpol fight<br />
against any crime against those priceless values. There are entire organized crime groups trying<br />
to get possession of those objects and smuggle them all over the world. That’s quite a big challenge<br />
to the defense community, so those cases are usually subject to the application of emerging<br />
technologies that provide us with ways to better tackle this kind of offense. Unfortunately, current<br />
punishments to deter anyone from committing such a crime are so weak that many people decide to take<br />
this very small risk, in comparison to a large potential profit.<br />
Even objects from World War II have high historical value, and so many wealthy<br />
collectors would like to have them in their private collections. Such selfish collectors would expend time<br />
and money to obtain such a priceless piece of the history, leaving no chance for the rest of the society to<br />
enjoy those collections in their galleries, museums or exhibitions. In our opinion, that’s something that<br />
should be prevented by using an intelligent security strategy. So many people through the ages have<br />
taken part in building our history, and all human society deserves to have access to these historical<br />
artifacts.<br />
Looting or inside theft - what is the difference?<br />
The loss of valuable pieces of history from our communities tends to rely on two well-known methods:<br />
looting and inside theft. Looting is any violent or surreptitious way of stealing something, while insider<br />
threats are usually correlated with corruption and cybercrime.<br />
In many poor and developing regions, there appears to be a high level of corruption in almost every<br />
segment of their societies. The role of law enforcement is to recognize and consequently resolve those<br />
cases on behalf of the community. However, in many criminal justice systems the punishment for someone<br />
stealing cultural items may be only a few years in prison, so the risk is minimal and the income from such<br />
activities can outweigh the risk of punishment.<br />
From another perspective, the point is not only to punish someone for illegal trading, but also to issue a<br />
stern warning to everyone who might consider this kind of illegal activity. Beyond that consequence, if<br />
there is no one who would purchase stolen objects, there would be a better chance to reduce and even<br />
prevent those criminal scenarios from ever happening.<br />
Could cybercrime drive those operations?<br />
Beyond using looting or insider tactics, thieves could well rely on cyber attacks to conduct fraudulent<br />
purchases and delivery of culturally significant items. However, once the theft is discovered, law<br />
enforcement entities would conduct the investigation by gathering as many clues as they can. Assuming<br />
those criminal activities are well-planned and intelligently coordinated, searching through cyberspace<br />
could bring some results. For instance, the typical scenario would suggest that many possible targets<br />
would be monitored from the outside before anyone decided to make any move on them. In turn, that<br />
could be the critical basis for findings by the investigators.<br />
Some Cases from Law Enforcement Practice<br />
Generally, careers in Law Enforcement mean a lifelong learning process. Modern times are flooded with<br />
stories of insider threats and cases where criminal actors get active in many cultural heritage institutions.<br />
Those criminals use a wide spectrum of tactics and strategies to obtain what they want to obtain. All<br />
those operations tend to be coordinated from the outside using emerging technologies.<br />
Basically, there are some recommendations and instructions on how to handle such an investigation.<br />
However, in the opinion of this author, we still need more updates of the best practices in preventing<br />
those crimes. The law enforcement officers doing such a task are well-trained and specialized to manage<br />
this risk, but there is still a huge need for resources and studies on how to perform this law<br />
enforcement function in a less time-consuming manner.<br />
Ways of Protecting Valuable Objects<br />
Every new crime seems to demonstrate something new. In many cases, it does not matter how much<br />
you know – you still need to start from the beginning and accept that there is strong need to learn about<br />
the unique aspects of the case at hand. In our belief, the fundamental ways to assure the safety of<br />
cultural heritage include strict application of the provisions of the law and regulations. In addition, it is<br />
important to institute well-defined and highly tested physical security procedures and policies. Again,<br />
the dual objectives are to punish those who break the law and to deter those who may be considering<br />
criminal actions.<br />
Some final thoughts<br />
Through the perspective of cultural heritage, we can see the meaning of life in historical eras and also<br />
better understand the world we live in today. These physical properties belong to all of us and not only to<br />
some privileged individuals who are ready to pay well for personal ownership of a piece of the past. So,<br />
as our tablet might become a priceless part of today's history tomorrow, even someone's everyday dishes<br />
could keep the secrets of a housewife of the past who used them to feed her family. For such a reason<br />
we should figure out how our entire past should be appreciated and secured in order to bring light and<br />
appreciation to future generations.<br />
About the Author<br />
Milica D. Djekic is an Independent Researcher from<br />
Subotica, Republic of Serbia. She received her engineering<br />
background from the Faculty of Mechanical Engineering,<br />
University of Belgrade. She writes for some domestic and<br />
overseas presses and she is also the author of the book<br />
“The Internet of Things: Concept, Applications and Security”<br />
published in 2017 with Lambert Academic<br />
Publishing. Milica is also a speaker with the BrightTALK<br />
expert’s channel. She has been a member of ASIS<br />
International since 2017 and a contributor to the Australian<br />
Cyber Security Magazine since 2018. Milica's research<br />
efforts are recognized with Computer Emergency Response Team for the European Union (CERT-EU)<br />
and EASA European Centre for <strong>Cyber</strong>security in Aviation (ECCSA). Her fields of interests are cyber<br />
defense, technology and business. Milica is a person with disability.<br />
Tax Season Is Here. So Are the Scams.<br />
By Eric H. Perkins, Sr. Security Risk Analyst, Edelman Financial Engines<br />
While two things are coined certain in life (death and taxes), one could argue there is also an<br />
overwhelming desire to separate fools from their money. This year, like every year, is no exception. In<br />
fact, the IRS continues to warn of scams targeting taxpayers via cyber related methods that range from<br />
conventional to cutting edge.<br />
Even if you take protecting your sensitive data seriously, the negligence of others may have inadvertently<br />
placed you in harm's way. Remember the Equifax breach in 2017? How about the record setting Capital<br />
One breach just last year? The underlying point here is that when data breaches (of any size) are<br />
combined, the data sets can merge to create “rich profiles” which provide a 360-degree view of<br />
individuals, including their employment and education history.<br />
This is significant because when leveraged by cyber criminals, the data (which includes scores of related<br />
accounts linked to each other) could be used for highly effective targeted phishing attacks, business<br />
email compromises, and the most cumbersome threat of all to remediate - identity theft.<br />
Identity theft, or more specifically tax-related identity theft, is when a threat actor uses a stolen Social Security<br />
number to file a fraudulent tax return. While this is a straightforward process, unfortunately, there are no<br />
obvious early warning signs of the attack. However, to help protect you against such potential threats, a<br />
small list of the most popular tax related scams is highlighted below to help keep your tax return safe and<br />
secure this season.<br />
Phishing<br />
The most prolific solicitation of tax related scams stems from phishing related communications. Keep in<br />
mind, communications are not just limited to email. Threat actors now leverage Bluetooth, SMS (text<br />
message), and social media (Facebook, Twitter, etc.) as alternative and extremely viable solutions for<br />
distribution.<br />
How to protect yourself: Be critical of any electronic communications you receive purporting to be the IRS<br />
and never click on any links requesting you to take action. Remember, the IRS will never initiate contact<br />
for personal information and always communicates via mailed letters.<br />
Telephony<br />
Using sophisticated software, scammers call from phone numbers that appear to belong to the IRS and<br />
demand an immediate payment (for a variety of reasons) by intimidating you into making a rash decision.<br />
In addition to the unwanted pressure, they have been known to ask for funds via gift cards or wire<br />
transfers.<br />
How to protect yourself: Know that the IRS will never phone you or show up at your door to demand an<br />
immediate payment, especially via gift cards or wire transfer. If needed, you can either call the IRS directly<br />
or visit irs.gov/balancedue to review your account balance (if applicable).<br />
Identity Theft<br />
With troves of sensitive data waiting to be purchased from the dark web, threat actors can leverage your<br />
personally identifiable information (PII) and use it to apply for tax refunds, oftentimes using fabricated<br />
income to inflate the refund.<br />
How to protect yourself: Filing early is always recommended. By filing early, scammers will be unable to<br />
file a fraudulent return in your name. If you receive an IRS notice about a duplicate return, respond<br />
promptly but do so in a safe manner, i.e. do not click on links.<br />
In summary, the IRS doesn't initiate contact with taxpayers by email, text messages, and/or social media<br />
channels to request personal or financial information. If you know or think that you’re a victim of tax-related<br />
identity theft, the IRS recommends you contact them immediately. The FTC also requests you file<br />
a complaint via their website, in addition to placing fraud alerts on all three major credit bureaus.<br />
About the Author<br />
Eric H. Perkins is currently the Sr. Security Risk Analyst for<br />
the largest independent investment advisory firm in the<br />
Nation. Before joining Edelman Financial Engines, Eric<br />
began his career in network security while serving as an<br />
active duty Information Security Officer in the US Army both<br />
in country and while deployed to Afghanistan. Eric holds<br />
numerous IT certifications to include CISSP and is a<br />
relentless advocate for security awareness. Eric can be<br />
reached at eperkins21@protonmail.com or online at<br />
https://www.linkedin.com/in/erichperkins/.<br />
Predicting the Direction of The PAM Market In 2020<br />
A Look at What is Next on the Horizon for Securing Organizations’ Privileged Accounts<br />
By James Legg, President and CEO, Thycotic<br />
As each year passes, we analyze the successes and failures of the cybersecurity industry, knowing full<br />
well that we can’t stress enough the importance of securing access to data. Cybersecurity is only going<br />
to continue to increase in criticality, and with each breach we are reminded how serious cyber incidents<br />
can be. The DoorDash breach affected nearly 5 million people. Almost 12 million people had their<br />
personal information accessed by a cybercriminal who infiltrated Quest Diagnostics. The average cost of<br />
a data breach is approaching $4 million, but some reports say the Capital One breach could cost the<br />
company upward of $100 million. These are just a few examples of the hundreds of data breaches that<br />
occurred in 2019.<br />
Even with the constant news of attacks and the growing cyber awareness in the IT industry, criminals are<br />
still successfully penetrating organizations of all sizes and sectors. Most of the time, they accomplish this<br />
by targeting the victim organizations’ privileged accounts. Analysts at Forrester Research say 80 percent<br />
of data breaches involve the theft of the credentials that access these privileged accounts. These<br />
accounts allow users the “privilege” of accessing them, and the various capabilities, systems,<br />
applications, etc. they control. This access is at the center of organizations’ networks, infrastructures and<br />
overall IT environments. As you probably expect, access to all this gives the user, authorized or not, great<br />
power within the environment — hence why it is the top target of cybercriminals.<br />
Since we know these accounts are the most powerful and frequent target of cyber attackers, the<br />
responsibility falls on us, the Privileged Access Management (PAM) providers, to offer solutions that allow<br />
organizations to secure their privileged accounts and the information and systems they access. With that<br />
in mind, let’s take a look at where the PAM space is heading in 2020.<br />
2019 was the year of Cloud transformation as many companies and governments began or completed<br />
their shifts to Cloud environments. As a result, the market saw a major shift as the leading providers<br />
turned their attention to delivering Cloud compatible PAM solutions. What will the shift be this year? What<br />
trends can we anticipate for this crucial sector of cybersecurity in 2020?<br />
Partnering with PAM<br />
A growing theme we’re seeing in several aspects of the security industry is an increase in collaboration<br />
from the various players of the market. While the PAM space is addressing the top target of cyber<br />
attackers, there are almost countless gateways into organizations that need to be protected. To adopt a<br />
common metaphor, securing an organization from cybercriminals is like securing a house from burglars.<br />
Just as a house has several ways in — doors, windows, chimneys, etc. — so does an organization:<br />
devices, the network, users and many more.<br />
This is resulting in strategic partnerships that are bringing together specialized vendors. These<br />
partnerships are producing toolboxes of products and services that secure multiple pathways and<br />
dramatically reduce cyber risk. This is consolidating cybersecurity and providing organizations with full<br />
lifecycle solutions. As budgets often remain tight, it’s critical for CISOs to find the most efficient<br />
combination of solutions when securing their organizations because unfortunately, there is no such thing<br />
as a “one and done,” “do it all” security product.<br />
Improving IoT security<br />
The Internet of Things (IoT) space is ripe for security innovation. While this technology is still relatively<br />
new, the security adoption for these devices is dangerously behind.<br />
In most cases, IoT devices are largely ignored by organizations after installation. This means they<br />
typically rely on default passwords and configurations. Most often, when IT completes the routine updates<br />
of the company’s devices (computers, smartphones, etc.) they forget about the other internet-connected<br />
devices in their environments — such as smart TVs, which are located in many conference rooms. These<br />
are connected devices and thus are entry points for cybercriminals.<br />
This is a golden opportunity for PAM providers to lead the charge and develop the solutions to safeguard<br />
these devices. In particular, password managers need to be offered to include all of the devices within<br />
an organization’s environment. Until IoT devices are properly secured, the networks and other systems<br />
they are connected to will be vulnerable to malicious cybercriminals.<br />
Ransomware on the rise<br />
Unfortunately, we are likely going to see a continued increase in ransomware. Due to the effectiveness<br />
of these schemes, cyber attackers are recognizing that companies are often opting to just pay the<br />
demanded ransom. Ransomware has been particularly lucrative for culprits targeting governments and<br />
health care systems. Sadly, it’s easier for victim organizations to submit to the cybercriminal than to deal<br />
with the fallout of the threatened malware attack. It is incredibly expensive and time consuming for a<br />
company to deal with data loss, denial of service and other consequences. To make matters worse, even<br />
when victim organizations comply, they only get access back 69 percent of the time, according to a recent<br />
report from Proofpoint.<br />
Ransomware is most often delivered through phishing schemes via email, pop-ups, and other casual<br />
messaging. It’s relatively quick and easy for a cybercriminal to deploy and it only has to work (be *clicked*)<br />
once to penetrate an organization’s security perimeter.<br />
Looking ahead<br />
We know that credentials and privileged access are the top target of cyber attackers, and while the market<br />
has several solutions that can help organizations protect their credentials, criminals are only getting more<br />
sophisticated. Every day, they are developing more advanced strategies and launching new types of<br />
attacks. The challenge posed to us is to stay ahead of cybercriminals to reduce the risks to businesses.<br />
This also means that we need to keep pace with the rest of the IT industry, so that when an organization<br />
adopts new technology, the security for it is already available. There cannot be a gap that allows<br />
cybercriminals to penetrate organizations before they have deployed proper security to integrate with<br />
their new technology.<br />
About the Author<br />
James Legg, the President and CEO of Thycotic, is<br />
responsible for the day-to-day operations at the company.<br />
He creates and executes growth strategies and initiatives<br />
designed to propel Thycotic to the next level. James has<br />
amassed over 25 years of managerial and sales<br />
experience in guiding technology companies to<br />
accelerated, sustained growth. Most recently, he served as<br />
Executive Vice President and GM of Unitrends, Inc., after serving as CEO of PHD Virtual, acquired by Unitrends<br />
in 2013. Previously, he served as Vice President of worldwide sales for Idera Corporation, and was Vice<br />
President of sales at NetIQ Corporation, having come there via the acquisition of PentaSafe Security<br />
Technologies, a remote access, vulnerability assessment and intrusion detection solution<br />
James can be reached online at thycotic@luminapr.com and at our company website<br />
https://thycotic.com/<br />
Malware - A Cyber Threat for 2020<br />
By Pedro Tavares, Founder of CSIRT.UBI & Editor-in-Chief seguranca-informatica.pt<br />
We are facing a transition to a new decade. The maturity in the field of cybersecurity is growing, but a<br />
wave of new risks from the previous decade is carried over to this new cycle.<br />
Cyber threats have been continually improved by their operators, who increasingly use sophisticated<br />
techniques to deceive victims and evade protection systems such as antivirus, anti-malware<br />
agents and firewalls. I'm talking about malware as a cyber threat in 2020.<br />
In this digital era, any professional designs and thinks about planning a product safely. However, if the<br />
company the professional works for experiences challenges in aligning its priorities over time with<br />
the market, the costs of a security incident can become catastrophic.<br />
Some of the biggest threats in 2019 will transition to 2020 with a fully consolidated malicious infection<br />
process. We can take a close look at the last quarter of 2019, where multiple security breaches were<br />
announced.<br />
A data breach is usually seen as the last step in a chain of malicious events that occur on specific<br />
targets within a given threat group scope.<br />
To corroborate this statement, we can look at the latest statistics for the third quarter of 2019, which<br />
highlights a notable absence of one of the most worrying threats today, the Trojan banker Emotet.<br />
However, this also created an opportunity for other malware that is less popular in the media.<br />
These threat agents exfiltrate sensitive data from the infected machines, jumping between machines,<br />
compromising organizations without leaving clues.<br />
Through these pieces of malware, operators gain access to corporate infrastructures via deployed<br />
backdoors. Since access is carried out with valid and legitimate access credentials (previously<br />
exfiltrated), these accesses are marked as trustworthy because they are performed based on trusted<br />
connections and devices - those devices that the protection and monitoring systems trust.<br />
After long weeks of undetected compromise inside corporate networks, during which backup systems<br />
and other systems available there are eliminated or corrupted in order to prevent successful data recovery, the<br />
ransomware is then implanted to close the infection chain.<br />
At this stage, operators are using ransomware if the target system offers information indicating that the<br />
organization can pay the ransom. During 2019 Ryuk was one of the many choices of operators. It was<br />
designed to change the ransom amount depending on how much it thinks the victim can pay.<br />
Threat agents and products with evolved threat detection technology are waging this cat-and-mouse war.<br />
The polymorphic and modular capacity presented by current malware makes the detection process<br />
difficult, and in this case, it is also a user task - to know how to face these challenges. So, this is not just<br />
a technology problem.<br />
This is a crucial issue for 2020, as a threat of this nature could destroy a business with more than 20<br />
years in the market.<br />
Focusing on a doctrine of intensive training of company employees, including certifications within this<br />
context, workshops, and even corporate awareness can be a measure, in the short term, to keep<br />
professionals on the alert of the danger of these threats.<br />
The same applies to cyber users in general. The benefits of cyber-education should be one of the major<br />
focuses and goals for 2020. Just think that the biggest vehicle for the proliferation of malware worldwide<br />
is still a simple email, where the responsibility is always on the side of the recipient and never on the side<br />
of whoever sends the message.<br />
About the Author<br />
Pedro Tavares is a cybersecurity professional and a<br />
founding member and Pentester of CSIRT.UBI and<br />
Editor-in-Chief of seguranca-informatica.pt.<br />
In recent years he has invested in the field of<br />
information security, exploring and analyzing a wide<br />
range of topics, malware, ethical hacking (OSCP-certified),<br />
cybersecurity, IoT and security in computer networks. He is also a Freelance Writer.<br />
Segurança Informática blog: www.seguranca-informatica.pt<br />
LinkedIn: https://www.linkedin.com/in/sirpedrotavares<br />
Twitter: https://twitter.com/sirpedrotavares<br />
Contact me: ptavares@seguranca-informatica.pt<br />
VPNs - 2020 And Beyond<br />
By Sebastian Schaub, Founder and CEO, hide.me<br />
In the last 5 years, awareness of the need to protect data, to encrypt communication and to minimise data collection<br />
has rapidly increased. Privacy and trust will be the main topics for <strong>2020</strong> - how do big corporations process<br />
data, store it and potentially abuse it? Regulation has certainly been lacking for many years now and the<br />
general public is playing catch up in the face of all the potential dangers. So what are some of the areas<br />
to consider with an eye on the horizon?<br />
Consumer Protection<br />
There are a lot of threats in privacy that have to be addressed. Some governments have mandated<br />
censorship, and having a device that is always connected requires the need for protection to be adopted.<br />
There is a lot at stake when you consider a digital future - not least of all your personal data. Perhaps<br />
this is the main reason that many people adopt a VPN; they want to secure all personally identifiable<br />
information (PII) that they transmit online. However, we should clarify that when people use social media<br />
and reveal information about themselves, this cannot be protected using a VPN; a VPN can only give<br />
you an anonymous IP and encrypt your connection. Ultimately, the need for VPNs is increasing due to<br />
rising cybersecurity threats which has, in turn, created a need and a strong desire to protect the<br />
technology that consumers use today. In an internet era that’s ripe with vulnerable and unsecured<br />
hotspots, connecting to any Wi-Fi network presents a privacy issue and exposes much of a consumer’s<br />
data without their knowledge. With the now widespread use of hoax Wi-Fi to fool users into connecting<br />
to a network, hackers can have complete visibility over your browsing and data. There are currently<br />
hundreds of millions of hotspots spread around the world and it is estimated that more than half of all<br />
mobile traffic is being offloaded to Wi-Fi. This is music to a hacker’s ears because hotspots (think public<br />
Wi-Fi especially) are soft targets when hunting for unprotected users.<br />
This threat even exists on airplanes, in your home and on your employer’s Wi-Fi. The problem arises<br />
when you choose the network you connect to. The hacker’s fake Wi-Fi has the same network name and<br />
password, and once you connect, they can start attacking your device in less than five seconds. Millions<br />
of businesses and people turn to VPNs to protect themselves because the encryption VPN technology<br />
offers prevents prying eyes from seeing your data even if you are connected to a malicious network. As<br />
mobile internet usage will undoubtedly continue to climb, mobile VPNs will also play a more important<br />
role for consumers - the number of people using VPNs for their personal mobile devices is more than<br />
likely to rise as VPN awareness spreads.<br />
Privacy in The Future<br />
When you consider the future of VPNs, it is useful to consider the evolution of privacy overall. On a global<br />
level, it is clear that there is not much left in the way of privacy - perhaps the best example being the<br />
Great China Firewall, but also in the U.S., where there is a resolution to let ISPs share private data. The<br />
issue now facing the world is how to manage data privacy in the future, taking into account the need to<br />
prevent data being used in ways which consumers find objectionable. There is always regulation of<br />
course and we have already seen the introduction of GDPR, perhaps the most important change in data<br />
privacy regulation in 20 years - but will it be enough to prevent a massive data leak?<br />
Previous breaches, like those suffered by Equifax and also the Facebook/Cambridge Analytica scandal,<br />
effectively allowed the identities of millions to be illegally bought and sold. These types of hacks have<br />
driven considerable awareness to privacy and security, bringing consumer privacy to the forefront of<br />
media around the world. It has also been a welcome boon for the VPN industry with numerous articles<br />
outlining VPN technology and similar ways for consumers to protect themselves online. In this day and<br />
age, there is also the challenge of a proliferating number of devices which all collect data for different<br />
purposes. For example, where you are using the likes of Skype or Facebook, you are talking about the<br />
transfer of data to a third party. People, generally, are not comfortable with their personal data being<br />
compromised - they are interested in reducing any possible risk of data leakage. In light of all of this, the<br />
VPN industry will continue to make sure that using a VPN is affordable and easy for everyone - perhaps<br />
we will see devices coming off the shelves with a VPN built into the OS, automated and ready to go?<br />
Censorship Around the World Boosts VPN Usage<br />
In an age where governments are looking at ways to suppress and control their citizens, VPNs are<br />
becoming a popular way to bypass internet censorship under such regimes. Paradoxically, those<br />
countries that currently restrict VPNs (such as China and Russia) haven’t actually harmed industry growth<br />
- indeed, they have put VPNs in the spotlight. When you have countries that create legislation effectively<br />
outlawing VPN usage, this can backfire on the government - local citizens resist and it also<br />
sparks a huge rise in media coverage (anti-government, pro-net-neutrality). When a country does decide<br />
to introduce ‘online censorship’, the strategy is to block certain websites, news portals and popular social<br />
media sites.<br />
With the recent pro-democracy riots in Hong Kong for example, the authorities in question used tactics<br />
such as blocking websites and cutting off access to the internet in an effort to maintain their (China-led)<br />
regime. It is very likely that the authorities monitored the digital communications of those protesting - for<br />
example, via communication apps, and they could have also used metadata from ISPs to monitor and<br />
predict the activities of the protestors. Under such circumstances, protestors or concerned citizens, will<br />
look to take all measures possible to protect their digital privacy. Using a Virtual Private Network (VPN)<br />
is certainly a good way to do so. Since VPN services encrypt all data, the government can no longer<br />
censor that connection, allowing users to access sites that would otherwise be blocked.<br />
We live in a world where, increasingly, everyone (and everything) is connected. This digital future also<br />
gives rise to unique problems and challenges. With people becoming more concerned about their privacy<br />
and with some governments continuing to use digital censorship tactics, the growth of security platforms<br />
such as VPNs will undoubtedly continue in the same vein.<br />
About the Author<br />
Sebastian is the founder of hide.me VPN and he has been working in the<br />
internet security industry for over a decade. He started hide.me VPN 8<br />
years ago to make internet security and privacy accessible to everybody.<br />
Sebastian Schaub can be reached online at seb@eventure.my and at our<br />
company website https://hide.me/en/<br />
The Gap in Security - Data Centric Security<br />
By Eric Rickard, CEO, Sertainty Federal Systems<br />
What do the Coronavirus pandemic, 9/11 terrorist attacks, Boeing 737 MAX crashes, and the OPM data<br />
breach have in common?<br />
First, their root causes were known and preventable. Second, they resulted in substantial human loss of<br />
life and privacy.<br />
In most cases, Presidential panels were convened to affirm the root cause of their failures. Similarly,<br />
Congressional hearings have or will be held to investigate why these disasters in-waiting were known but<br />
not prevented.<br />
Yet, the only catastrophe that has not been fully mitigated is the data breaches. The effects of Federal<br />
data breaches continue unabated.<br />
• 2015 - OPM data breach exposed PII of nearly 26M people, including biometrics and financial<br />
data.<br />
• 2018 - US Postal Service lost 60M customer records (1/5th of the US population)!<br />
• 2 Feb <strong>2020</strong> – FBI arrests Raytheon Missile Systems engineer for giving laptop with sensitive<br />
missile defense technology to China.<br />
• 10 Feb <strong>2020</strong> - US DOJ just charged four Chinese military officers over the $800M Equifax hack<br />
• Perpetual - The Department of Veterans Affairs and Department of Health have had data<br />
breaches more frequently than other agencies in the Federal government.<br />
The root cause consensus for the data breaches was network penetration and data exfiltration. Incredibly,<br />
the experts missed the obvious. The actual root cause was the failure to employ self-protecting data<br />
technology to render stolen data unusable and inaccessible.<br />
Most experts agree that network cybersecurity protection does not guarantee data loss prevention and<br />
data loss prevention does not prevent data misuse.<br />
Over the past 4 years DHS has spent nearly $2B to protect Federal networks, but recklessly persists in<br />
failing to protect exfiltrated or lost data. Sadly, they are not alone. The DoD and industry are negligent as<br />
well.<br />
This National data loss epidemic, like the Coronavirus, is completely preventable if Congress and the<br />
Department Secretaries act now.<br />
Barriers to Entry<br />
Less than 15 years ago cloud computing was universally rejected as an immature and novel computing<br />
environment that was too insecure for the Federal government. Today, it is the preferred computing<br />
security solution, even for our nation’s most highly classified data. Similarly, the idea of self-protecting<br />
data technology is treated like an unproven novelty that is too good to be true. After 10 years self-protecting<br />
data technology should be the nation’s preferred data security solution.<br />
The projected impacts of implementing a self-protecting data solution in the Federal, DoD and industry<br />
are staggering.<br />
Financial Benefits<br />
• $1T Industrial loss prevention over 10 years by permanently protecting industrial intellectual<br />
property from digital espionage by foreign adversaries.<br />
• $.5T DoD R&D loss prevention over 10 years from digital espionage.<br />
• $7B per year in DoD cost reduction by protecting DoD data at the time of origination<br />
Privacy, Regulatory Compliance and Audit Benefits<br />
• Empowers consumers and businesses to control their most private data (HIPAA, GDPR, FERPA,<br />
GLBA, ITAR, EAR, FIRRMA)<br />
o 25M Military, Civilian and Industry private records protected<br />
o 60M US Postal Service customer records protected<br />
o 15M VA health records protected<br />
• Assured universal financial regulatory compliance with automated audit enforcement.<br />
• Exposes personnel and actors who leak, steal, and proliferate stolen data.<br />
National <strong>Defense</strong> Benefits<br />
• Neutralizing China and Russia digital espionage – Protection of Federal and industry intellectual<br />
property at the time of data origination defeats Nation-state adversaries forever.<br />
• Defeat Insider Threat and Mistakes – accidental or deliberate data loss no longer poses threats<br />
to national security<br />
• Sustainable 1,000+% increase in DoD weapon systems resiliency<br />
• 3+K US Military Service Members lives saved<br />
Universal Business Benefits<br />
• The data snitches on personnel and actors who leak, steal, and proliferate stolen data.<br />
• Small Business Growth - Eliminates $100K per year of recurring regulatory compliance barriers<br />
to entry for small DoD businesses<br />
• Reduces businesses Data Loss insurance premiums and subsequent business risks<br />
1000:1 Return on Investment<br />
The estimated 10-year cost of deployment, refinement, testing and sustainment of a joint Federal and<br />
Industrial self-protecting data solution is less than $500M per year – less than 1/1,000th the value of<br />
the property and lives saved.<br />
Key Takeaways:<br />
All Data is Sensitive<br />
In December 2019 the New York Times used cell phone data to track President Donald Trump in Florida<br />
when he was with Japan’s Prime minister Abe. All members of the President’s Secret Service protection<br />
and advance team are known. No data is unimportant and all data needs permanent protection by its<br />
owner.<br />
Information is Power<br />
Data used to be just numbers and letters. Today, with advanced analytics data describes who we are as<br />
a person and a nation. It reveals our character, our loyalties, our secrets and our intentions. In the wrong<br />
hands our data becomes a weapon against us.<br />
<strong>Cyber</strong> Criminals Beware<br />
A self-protecting data solution does more than prevent information theft; it steals the advantage from the<br />
thief. By denying adversaries the ability to access sensitive data, lives are saved, privacy is preserved,<br />
and so is National prosperity through fair competition of commerce and ideas.<br />
About the Author<br />
Eric Rickard CEO, Sertainty Federal Systems<br />
www.Sertainty.com<br />
A veteran <strong>Defense</strong> and Federal Systems executive, with two US<br />
Government appointments at the National Security Agency and<br />
the Office of the Director of National Intelligence.<br />
A View of How DDOS Weapons Evolved In 2019<br />
By Anthony Webb, EMEA Vice President at A10 Networks<br />
Throughout 2019, DDoS attacks continued to grow in frequency, intensity, and sophistication. However,<br />
the delivery method of using infected botnets and vulnerable servers to perform crushing attacks on a<br />
massive scale has not changed during that time. Unlike traditional security methods, where attackers<br />
leverage obfuscation to prevent detection, the loud distributed nature of DDoS attacks creates<br />
opportunities for defenders to take a more proactive approach by focusing on the weapon’s location.<br />
Winding back, the first DDoS attack occurred in 1997 during a DEF CON event in Las Vegas.<br />
The culprit was notorious hacker Khan Smith, who successfully shut down Internet access on the Vegas<br />
Strip for over an hour. The release of some of this code soon led to online attacks against Sprint,<br />
EarthLink, E-Trade, and many more organisations.<br />
Fast forward to 2019 and AWS, Telegram, and Wikipedia were among the top victims of DDoS this year.<br />
In fact, in September Wikipedia suffered what appears to be the most disruptive attack in recent memory.<br />
The DDoS attack carried on for three days rendering the site unavailable in Europe, Africa and the Middle<br />
East. The size of the attack was not made public, but it is clear that it was an old-style volumetric flood<br />
designed to overwhelm the company’s web servers with bogus HTTP traffic. Given the protection that<br />
sites employ these days, this suggests that it was well into the terabits-per-second range used to measure<br />
the largest DDoS events on the Internet.<br />
Similarly, the largest DDoS attack in Q1 2019 was 587 GB/s in volume, compared to 387 GB/s in volume<br />
for the largest Q1 2018 attack. Also noteworthy is the fact that attacks above 100 GB/s increased 967<br />
percent in 2019 versus 2018, and attacks between 50 GB/s and 100 GB/s increased 567 percent. Indeed,<br />
Cisco estimates that the number of DDoS attacks exceeding 1 gigabit of traffic per second will soar to<br />
3.1 million by 2021.<br />
Here at A10 Networks, we have been tracking the state of the DDoS attack landscape and DDoS<br />
weaponry and what we have found over the year is that IoT is a hotbed for DDoS botnets. Likewise, with<br />
5G on the horizon, with its higher data speeds and lower latency, this will dramatically expand attack<br />
networks as it presents an opportunity to increase the DDoS weaponry available to attackers.<br />
In our latest Q4 report we found that the largest DDoS attacks have one thing in common – amplification.<br />
Reflected amplification weapons: attackers leverage vulnerabilities in the UDP protocol to spoof the<br />
target’s IP address and exploit vulnerabilities in servers that initiate a reflected response. This strategy<br />
amplifies the attack by producing server responses that are much larger than the initial requests.<br />
Other notable weapons include DDoS botnet weapons: attackers leverage malware-infected<br />
computers, servers, and IoT devices that are under the control of a bot herder. The resulting botnet is<br />
used to initiate stateful and stateless volumetric, network, and application-layer attacks.<br />
To gather these insights, our researchers obtain weapons intelligence by closely monitoring attack agents<br />
under the control of botnet command and control, discovering malware innovations by deploying<br />
honeypots, and scanning the internet for exposed reflected amplification sources.<br />
What we observed is that attackers have discovered a new IoT DDoS amplification weapon by exploiting<br />
hundreds of thousands of internet-exposed IoT devices running Web Services Dynamic Discovery<br />
protocol (or WS-Discovery) to amplify their attacks. In fact, nearly 800,000 WS-Discovery reflected<br />
amplifiers available for exploitation were discovered in Q4 2019. Less than half of the WS-Discovery<br />
hosts respond from port 3702 and the rest from high ports.<br />
Interestingly, China is the top drone hosting country, but Brazil hosts the most active attacking drones.<br />
SNMP topped our tracked weapons category with 1,390,505. The report also identifies the top sources<br />
of DDoS weaponry and although the nature of DDoS attacks is distributed, we have found valuable<br />
insights from where they originate. For example, we found higher concentrations where internet-connected<br />
populations are most dense, i.e. China – 739,223, and USA – 448,169. The report highlights<br />
the top Autonomous System Numbers (ASNs) hosting DDoS weapons (Chinanet held<br />
the number one position with 289,601) and we also found that mobile carriers hosting DDoS weapons<br />
skyrocketed during this reporting period.<br />
As indicated, DDoS attacks will only grow, and our quarterly findings certainly point to this being the case.<br />
Organisations need to prepare themselves now before the next large-scale DDoS attack hits them.<br />
Sophisticated DDoS threat intelligence, combined with real-time threat detection and automated<br />
signature extraction will allow organisations to defend against even the most massive multi-vector DDoS<br />
attacks, no matter where they originate. Actionable DDoS intelligence enables a proactive approach to<br />
DDoS defences by creating blacklists based on current and accurate feeds of IP addresses of DDoS<br />
botnets and available vulnerable services commonly used for such attacks. Take heed and ensure you<br />
match your attackers’ sophistication with even better and stronger defences, otherwise you might find<br />
that you are one of the ‘top’ DDoS casualties in <strong>2020</strong>.<br />
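The reflected-amplification behaviour and the blacklist approach described above can be made concrete at a network edge. The following Python sketch is an added example, not code from A10 Networks or its report; the flow-record layout, the protected prefix, the time window and the byte threshold are all assumptions, and the records are constructed sample data using documentation address ranges. It lists sources that send UDP replies nobody inside asked for, and compares that with a filter that only looks at well-known reflector source ports, which misses the WS-Discovery hosts that answer from high ports.

```python
"""Flag unsolicited inbound UDP (reflection candidates) in edge flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PROTECTED = ip_network("198.51.100.0/24")   # assumed protected prefix
REFLECTOR_PORTS = {3702: "WS-Discovery", 161: "SNMP"}  # services named in the article
REQUEST_WINDOW = 5.0   # seconds an outbound request "licenses" a reply (assumption)
MIN_BYTES = 2000       # unsolicited bytes per source before listing (assumption)

# Constructed UDP flow records: (time_s, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    # Legitimate DNS lookup and its answer.
    (0.0, "198.51.100.10", 40000, "192.0.2.53", 53, 60),
    (0.1, "192.0.2.53", 53, "198.51.100.10", 40000, 180),
    # Reflected replies: no inside host sent a matching request.
    (1.0, "203.0.113.5", 3702, "198.51.100.20", 80, 1400),
    (1.1, "203.0.113.5", 3702, "198.51.100.20", 80, 1400),
    (1.2, "203.0.113.9", 49152, "198.51.100.20", 80, 1400),  # replies from a high port
    (1.3, "203.0.113.9", 49152, "198.51.100.20", 80, 1400),
    (1.4, "203.0.113.77", 161, "198.51.100.20", 80, 1200),
    (1.5, "203.0.113.77", 161, "198.51.100.20", 80, 1200),
    # Late DNS answer: outside the window, but far too small to list.
    (2.0, "198.51.100.10", 40001, "192.0.2.53", 53, 60),
    (30.0, "192.0.2.53", 53, "198.51.100.10", 40001, 180),
]


def is_inside(ip):
    """True when the address belongs to the protected prefix."""
    return ip_address(ip) in PROTECTED


def find_unsolicited(flows, window=REQUEST_WINDOW):
    """Return inbound records with no matching outbound request within `window`."""
    last_request = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> time
    unsolicited = []
    for record in sorted(flows):
        t, src, sport, dst, dport, _ = record
        if is_inside(src) and not is_inside(dst):
            last_request[(src, sport, dst, dport)] = t
        elif is_inside(dst) and not is_inside(src):
            asked = last_request.get((dst, dport, src, sport))
            if asked is None or t - asked > window:
                unsolicited.append(record)
    return unsolicited


def summarize(unsolicited):
    """Aggregate unsolicited traffic per source IP."""
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "services": set()})
    for _, src, sport, _, _, size in unsolicited:
        entry = stats[src]
        entry["bytes"] += size
        entry["packets"] += 1
        entry["services"].add(REFLECTOR_PORTS.get(sport, "unknown/high port"))
    return dict(stats)


def build_blocklist(flows, min_bytes=MIN_BYTES):
    """Sources whose unsolicited inbound volume reaches the threshold."""
    stats = summarize(find_unsolicited(flows))
    hits = [ip for ip, s in stats.items() if s["bytes"] >= min_bytes]
    return sorted(hits, key=ip_address)


def port_only_blocklist(flows, min_bytes=MIN_BYTES):
    """Naive comparison: list only sources replying from well-known reflector ports."""
    totals = defaultdict(int)
    for _, src, sport, dst, _, size in flows:
        if is_inside(dst) and not is_inside(src) and sport in REFLECTOR_PORTS:
            totals[src] += size
    hits = [ip for ip, total in totals.items() if total >= min_bytes]
    return sorted(hits, key=ip_address)


if __name__ == "__main__":
    for ip, s in sorted(summarize(find_unsolicited(FLOWS)).items()):
        print(ip, s["bytes"], s["packets"], sorted(s["services"]))
    print("behavioural blocklist:", build_blocklist(FLOWS))
    print("port-only blocklist:  ", port_only_blocklist(FLOWS))
```

The volume threshold keeps the late but legitimate DNS answer off the list, while the high-port reflector appears only in the behavioural list.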
About the Author<br />
Anthony Webb is EMEA Vice President Sales at A10 Networks. He is an<br />
industry veteran with over 20 years of sales experience in the IT, Data<br />
Communications, and Telecoms industry having worked for companies like<br />
Ixia Technologies, Juniper Networks, Siemens Enterprise Networks and<br />
Cisco.<br />
Anthony can be reached online at (awebb@a10networks.com) and at our<br />
company website https://www.a10networks.com/<br />
Network Security Must Keep Up with Video Surveillance<br />
Systems’ Rise in Criticality to Public Safety and Security<br />
in The Middle East<br />
By Rabih Itani, the Middle East region security business head at Aruba, a Hewlett Packard<br />
Enterprise company<br />
The Video Surveillance market in the Middle East region continues to grow in double digit figures, driven<br />
by the rise of security concerns accompanied by strict government regulations. To keep up with the<br />
challenges imposed by these concerns and regulations, a reliable, always-on and secure network<br />
capable of delivering quality high resolution videos is imperative to keep organizations safe.<br />
The Middle East is one of the fastest growing markets for video surveillance systems. Research firm<br />
MarketsandMarkets reports that a big driver for the increasing use of video surveillance systems globally<br />
is in large part due to the increasing concerns for public safety and security, prompting deployment at<br />
airports, malls, schools, office buildings, public places and so on. Nevertheless, the market dynamics are<br />
rapidly changing with security cameras being more and more integrated with the IoT architecture to solve<br />
for business use cases alongside security use cases, while Artificial Intelligence continues to enable<br />
security capabilities related to behaviors and object recognition that have never been possible before.<br />
These dynamics are raising the criticality of the video surveillance systems and consequently the<br />
criticality of the network infrastructure that interconnects the ecosystem together.<br />
Gone are the days when video surveillance networks got the least attention during the design phase<br />
but were, ironically, the first to be blamed when the video streaming disconnects or suffers jitter or hackers get<br />
through. Organizations are beginning to realize the importance of connecting their video surveillance<br />
systems to secure and future-proof networks that they can simply trust.<br />
Aruba, a long-term leader in providing secure network infrastructures, understands how to build mission<br />
critical networks, and as such it is aggressively positioning its lifetime-warranted Aruba 2930 family of<br />
network switches to regional organizations that take security seriously. The Aruba 2930 family solves for<br />
current connectivity requirements and prepares for future ones with its smart rate ports, 40Gbps uplink<br />
options, and 60W Power-over-Ethernet as mandated by specific devices such as the PTZ cameras. In<br />
terms of security, this family of switches furnishes built-in secure-boot hardware and built-in network<br />
security capabilities and when additional network edge security and control is needed, these switches<br />
integrate bi-directionally with Aruba Clearpass Network Admission Control to authenticate the connecting<br />
cameras while authorizing the right access permissions for each. Moreover, Aruba Clearpass Device<br />
Insight can be plugged in to leverage Machine Learning in order to accurately profile the connecting<br />
devices, while continuously monitoring any profile changes. It is important to note that Aruba can enable<br />
trust to be adaptive, as trust can be revoked at any time based on how devices behave while on the<br />
network.<br />
Video surveillance cameras, which are essentially IoT devices, are a major target themselves for<br />
cybercriminals or are used by them as an easy door to access weakly secured networks. This pushes<br />
networks to move from being merely a connectivity provider for the cameras, to be first line defenders.<br />
This is where Aruba shines.<br />
About the Author<br />
Rabih is an ICT industry veteran with over 27 years of experience.<br />
Rabih enjoys a track record of leading many of the first and largest<br />
network and security deployments in the Middle East and has led this<br />
region’s first transformation effort towards mobility defined systems<br />
and processes. He joined Aruba in early 2012 as system engineering<br />
manager for the Telco sector across Middle East and Turkey and rose<br />
to manage the business in 2015. During this period, Rabih<br />
successfully engaged with leading telecommunication providers and<br />
positioned Aruba as a leader across the region in providing next<br />
generation seamless and secure public Wi-Fi hotspot services.<br />
Rabih can be reached online at (rabih.itani@hpe.com) and at our company website<br />
https://www.arubanetworks.com<br />
Shadow IoT Devices A Major Concern for Corporate<br />
Networks<br />
By Ashraf Sheet, Regional Director Middle East & Africa at Infoblox<br />
Infoblox Inc., the leader in Secure Cloud-Managed Network Services, today announced new research<br />
that exposes the significant threat posed by shadow IoT devices on enterprise networks. The report, titled<br />
“What’s Lurking in the Shadows <strong>2020</strong>” surveyed 2,650 IT professionals across the US, UK, Germany,<br />
Spain, the Netherlands and UAE to understand the state of shadow IoT in modern enterprises.<br />
Shadow IoT devices are defined as IoT devices or sensors in active use within an organisation without<br />
IT’s knowledge. Shadow IoT devices can be any number of connected technologies including laptops,<br />
mobile phones, tablets, fitness trackers or smart home gadgets like voice assistants that are managed<br />
outside of the IT department. The survey found that over the past 12 months, a staggering 80% of IT<br />
professionals discovered shadow IoT devices connected to their network, and nearly one third (29%)<br />
found more than 20.<br />
The global report revealed that, in addition to the devices deployed by the IT team, organisations around<br />
the world have countless personal devices, such as personal laptops, mobile phones and fitness trackers,<br />
connecting to their network. The majority of enterprises (78%) have more than 1,000 devices connected<br />
to their corporate networks.<br />
The number of shadow IoT devices lurking on networks has reached pandemic proportions, and IT<br />
leaders need to act now before the security of their business is seriously compromised.<br />
Personal IoT devices are easily discoverable by cybercriminals, presenting a weak entry point into the<br />
network and posing a serious security risk to the organization. Without a full view of the security policies<br />
of the devices connected to their network, IT teams are fighting a losing battle to keep the ever-expanding<br />
network perimeter safe.<br />
Nearly nine in ten IT leaders (89%) were particularly concerned about shadow IoT devices connected to<br />
remote or branch locations of the business.<br />
“As workforces evolve to include more remote and branch offices and enterprises continue to go through<br />
digital transformations, organisations need to focus on protecting their cloud-hosted services the same<br />
way in which they do at their main offices,” the report recommends. “If not, enterprise IT teams will be left<br />
in the dark and unable to have visibility over what’s lurking on their networks.”<br />
To manage the security threat posed by shadow IoT devices to the network, 89% of organisations have<br />
introduced a security policy for personal IoT devices. While most respondents believe these policies to<br />
be effective, levels of confidence range significantly across regions. For example, 58% of IT professionals<br />
in the Netherlands feel their security policy for personal IoT devices is very effective, compared to just<br />
over a third (34%) of respondents in Spain.<br />
Whilst it’s great to see many organisations have IoT security policies in place, there’s no point in<br />
implementing policies for their own sake if you don’t know what’s really happening on your network.<br />
Gaining full visibility into connected devices, whether on premises or while roaming, as well as using<br />
intelligent systems to detect anomalous and potentially malicious communications to and from the<br />
network, can help security teams detect and stop cybercriminals in their tracks.<br />
In conclusion, awareness of the risk of shadow IoT devices has grown significantly, yet IoT devices<br />
remain an open portal for cybercriminals looking to attack a network. It’s clear that regional businesses<br />
are prioritizing safety, but they are still bogged down by a lack of skilled staff and the increasing number<br />
of shadow devices connecting to their infrastructure. Because of this, network and security professionals<br />
must actively manage the threat introduced by shadow devices and integrate new network security<br />
solutions.<br />
About the Author<br />
Ashraf Sheet is Regional Director Middle East & Africa at Infoblox. He<br />
has in-depth knowledge of technical & strategic IT solutions, especially in<br />
the security and networking domain.<br />
Ashraf can be reached online at (asheet@infoblox.com) and at our<br />
company website https://www.infoblox.com/<br />
The Hard Drive Secondary Market: The Sorry State of The<br />
Industry<br />
Why NextUse Hard Drive Quality Surpasses the Competition<br />
By James Mannering, Hard Drive Product Manager at NextUse<br />
Remarketing, the reselling of end-of-life or retired IT assets like hard drives, is an extremely competitive<br />
and cost-sensitive industry. Thousands of companies all over the world buy and sell hard drives, including<br />
brokers that simply act as a middleman connecting buyers and sellers. Oftentimes these drives have not<br />
had the data wiped off them, have large amounts of bad sectors, or do not work at all. This is an industry<br />
defined by the term “caveat emptor” (let the buyer beware), and it requires the use of payment methods<br />
that can be refunded in case the product received is not what was advertised.<br />
For example, we recently got a large shipment of hard drives that were supposed to be “tested, working.”<br />
But it turns out that our equipment couldn’t even recognize the hard drives because they had been<br />
degaussed and were essentially paperweights.<br />
Most remarketers are simply that: they don’t recycle, and some don’t even have any data security or data<br />
destruction capability; they just buy and sell drives. And in order to stay profitable in an industry with<br />
constantly changing drive values and tight profit margins, they don’t invest a penny more than they have<br />
to in hardware and software.<br />
Among companies that do offer “data destruction” services, most do so without any certification, training,<br />
oversight, or qualifications of any sort. Many simply drop the data-bearing drives into a shredder and<br />
physically destroy them, which unnecessarily burdens a broken and overloaded global recycling system.<br />
Although some vendors claim to “wipe,” “sanitize,” or “destroy” data, there is evidence that it isn’t done<br />
consistently across the industry:<br />
• In a Q3 2019 study, Blancco purchased 159 drives from professional sellers using eBay in the<br />
U.S., UK, Germany, and Finland. All of the drives were “guaranteed” by the sellers to be cleaned<br />
of all data. That wasn’t the case however: Almost half (42%) still contained data, with 15% of the<br />
information being personally identifying information (PII) and/or corporate data.<br />
• A Q1 2017 NAID study found PII, including credit card data and tax records, on over 44% of 250<br />
hard drives purchased in the secondary market.<br />
This gauntlet of shady, dishonest dealers pushing unpredictable and often unreliable product is what<br />
companies face when shopping for working, clean drives. If you are considering the purchase of<br />
remarketed drives (or selling your used SATA or SAS drives), make sure you work with a trusted provider<br />
who has the necessary credentials and a solid reputation to avoid disappointment.<br />
For your consideration, NextUse provides this information on our process and certifications. Simply put,<br />
we specialize in data security and data destruction, with a state-of-the-art lab containing cutting-edge<br />
systems and software that enable us to:<br />
• Verify drive integrity<br />
• Repair failed disks using the same equipment and methods as major OEMs<br />
• Overwrite drives with any combination of characters in any sequence<br />
• Verify that the original data is irretrievable<br />
• Degauss or physically destroy drives when resale is not an option<br />
NextUse holds a National Association for Information Destruction (NAID) AAA certification for sanitizing<br />
data off numerous hard drive types in our facilities and at client sites. We are certified for all outcomes,<br />
including leaving the drives reusable, disabling them from further use, and physically destroying them. At<br />
a time when reuse is far preferable to recycling, we’re ideally positioned to produce top quality<br />
reusable drives.<br />
When dealing with brokers and resellers I’m frequently told that they can source drives cheaper than<br />
NextUse. I explain that our costs are slightly higher than the industry average due to our infrastructure<br />
investment, our NAID-defined protocols, and the time, power consumption, and manpower needed to<br />
achieve our standard: that no drive is resold unless it’s 100% working and wiped clean of data.<br />
Clients keep working with us year after year once they recognize the quality of our product and the<br />
positive impact on their:<br />
• Reputation<br />
• Revenue<br />
• Client acquisition and retention<br />
• Market share<br />
Want to explore how we can help you with the purchase and sale of your hard drives? Visit our website<br />
at nextuse.us to get started.<br />
About the Author<br />
James Mannering holds the titles of Data Security Specialist/<br />
Enterprise and Consumer Sales at NextUse.<br />
You can contact him directly at 603-601-8293 or<br />
james.mannering@nextuse.us with any questions.<br />
Smart Buildings<br />
Understanding the Security Risk<br />
By Andrea Carcano, Nozomi Networks Co-founder and CPO<br />
Smart Buildings: Understanding the Security Risks<br />
Today many of the world’s most forward-thinking workplaces are deploying smart technologies into their<br />
offices to help optimize functions, increase productivity and improve overall working life.<br />
These new ‘smart buildings’ boast smart thermostats, which can measure the temperature of the building<br />
and turn on the heating or the air-conditioning when required, as well as intelligent lighting, which can be<br />
controlled remotely and adjusted to suit the time of day. When turning a building into a smart building,<br />
one of the key attributes is taking the data from the technology deployed and using it to make intelligent<br />
decisions.<br />
Smart buildings can significantly improve the lives of those occupying them and can also play a key role<br />
in helping the environment. However, as we have seen time and time again, adding internet connectivity<br />
to any piece of equipment makes it accessible from the outside, including by intruders. This ultimately<br />
means that when offices turn their workplaces into smart buildings, attackers have an even larger array<br />
of entry points to attack the organization.<br />
A world of opportunity for attackers<br />
According to a report from IDC, Internet-of-Things spending is expected to reach $745 billion globally this<br />
year. This shows just how popular smart technology is becoming, and not just among consumers.<br />
Smart technology within buildings offers huge benefits and not just for occupants. It can also be used to<br />
significantly reduce costs and reduce the environmental footprint of the building, by intelligently analyzing<br />
data and understanding when, for instance, energy consumption can be reduced.<br />
An example of this was recently reported in Forbes when it was revealed that the New York Times head<br />
office in Manhattan managed to reduce its lighting power per square foot from 1.28 watts to 0.4 watts,<br />
which is an energy saving of 70 percent. This was as a result of the media powerhouse implementing<br />
smart technology to control lighting and sensor blinds, among other things.<br />
However, along with the many benefits smart buildings offer, the convergence between operational<br />
technology and IT systems that is required to support them also opens smart facilities up to an increased<br />
threat of hacking.<br />
If a hacker is able to gain access to a smart building it potentially presents a world of opportunities to the<br />
hacker. For instance, because these new smart technologies are connected to the building’s IT network<br />
they open up new entry paths into corporate networks. Attackers could use these new devices as new<br />
ways in to install malware on the corporate network or recruit the devices into botnets or even launch<br />
ransomware attacks against the organization.<br />
This ultimately means that security for every single internet-enabled appliance, from lighting to<br />
refrigerators, must be thought through before they are introduced into smart buildings.<br />
Making security a priority<br />
While most people would not look at their lighting or sensor blinds as attractive targets for attackers, the<br />
fact that these appliances are connected up to corporate networks, which also connect to sensitive<br />
information, means they are. Research and experience have shown repeatedly that when things are<br />
connected to the internet, they become a target for malicious hackers. As a result, it is imperative that<br />
smart building operators make security a priority.<br />
To reap the full benefits of connectivity within smart buildings it is important that all networks and devices<br />
are comprehensively accounted for and secured, as each device could be a potential entry point for<br />
attackers. In addition to maintaining an up-to-date and accurate inventory of devices on the network, it is<br />
also essential to ensure all software and hardware is updated with the latest patches and not hosting any<br />
vulnerabilities which could be exploited by attackers.<br />
Organizations should also train staff on the security threats and teach them about the dangers of email<br />
phishing campaigns, including how to recognize malicious emails and attachments.<br />
Finally, it is crucial for organizations to ensure that multiple levels of protection are in place – from<br />
securing the network itself to monitoring it in real-time for anomalies that could indicate a cyber threat is<br />
present.<br />
Today’s smart buildings combine a variety of sensors, control systems, networks, and applications. While<br />
these technologies are being introduced into workplace environments to improve efficiencies, help drive<br />
down costs and of course improve our global environmental footprint, they also increase the attack<br />
surface. As a result, the security of all new internet-enabled appliances must be thought through before they<br />
are added to the network.<br />
About the Author<br />
Andrea Carcano is an expert and international leader in<br />
industrial network security, artificial intelligence and<br />
machine learning. He co-founded Nozomi Networks in<br />
2013 with the goal of delivering a next generation cyber<br />
security and operational visibility solution for industrial<br />
control networks. As Chief Product Officer, Andrea defines<br />
the vision for Nozomi’s products and is the voice of the<br />
customer within the organization. In this role he draws on his real-world experience as a senior security<br />
engineer with Eni, a multinational oil and gas company, as well as his academic research.<br />
With a passion for cyber security that began in high school, Andrea went on to study the unique<br />
challenges of securing industrial control systems. His Ph.D. in Computer Science from Università degli<br />
Studi dell’Insubria focused on developing software that detected intrusions to critical infrastructure control<br />
systems. His Masters in Computer Science from the same institution involved creating malware designed<br />
to take advantage of the lack of security in some SCADA protocols and analyzing the consequences.<br />
Andrea has published a number of academic papers, including one describing an early example of<br />
malware targeting SCADA systems.<br />
Andrea Carcano – Published Papers<br />
Andrea can be reached on LinkedIn at https://www.linkedin.com/in/andreacarcano/<br />
or on Twitter @andreacarcano and at our company website www.nozominetworks.com<br />
What the Latest Enterprise Endpoint Security Survey<br />
Shows Us: Big Concerns but Hope for The Future<br />
By Jeff Harrell, Vice President of Marketing, Adaptiva<br />
More bad news when it comes to IT security. The fourth annual Enterprise Endpoint Security Survey was<br />
recently released, showing that just 17% of companies believe they have enough staff to handle security<br />
correctly, and vulnerabilities continue to take a remarkably long time to fix, particularly without solutions<br />
that meet their needs. These findings (and more) come as organizations face unprecedented threats.<br />
So what’s going on?<br />
Vulnerabilities on the Rise<br />
Cybercrime is predicted to cost $6 trillion annually by 2021, with new threats becoming the number one<br />
pain point for endpoint security buyers. Deloitte points out one reason for this is that as workforces<br />
become more distributed and organizations are responsible for securing more devices, it becomes harder<br />
and harder to secure the endpoint, calling it companies’ “weakest security link.”<br />
Shoring up the endpoint is critical, however, because that’s where approximately 80% of cyberattacks<br />
occur—and these attacks are increasing at a blistering pace. Research shows that between 2016 and<br />
2017 there was a 600% increase in attacks against IoT devices alone. Any Google search can turn up a<br />
multitude of other scary stats that underscore just how great today’s cyberthreat is and how it is expected<br />
to get worse. But the bottom line is vulnerabilities at the endpoint are a tremendous concern, one that<br />
must be addressed if organizations hope to protect their networks, IP, and customer data.<br />
Current Solutions Don’t Solve the Problem<br />
According to the annual Enterprise Endpoint Security Survey, IT professionals cited vulnerability<br />
scanning as their top cybersecurity challenge. One of the reasons shared was that current vulnerability<br />
management scanning solutions don’t solve their problems. In fact, they may increase frustration and<br />
stress by generating reports of hundreds of vulnerabilities that teams can’t address in a timely manner.<br />
Additionally, they suck up bandwidth and hinder network performance.<br />
It’s not as though IT teams are throwing up their hands and pretending that vulnerabilities don’t exist,<br />
however. Ninety-one percent of respondents indicated that “maintaining current, compliant security<br />
configuration” is very or extremely important; they want to improve the speed and scale with which they<br />
can address vulnerabilities—they’re just a bit hamstrung.<br />
Staff Can’t Handle the Surge—And It’s About to Get Worse<br />
But fixing the problem is not simple. In addition to the exponential increase in vulnerabilities and devices<br />
managed, and the fact that vulnerability management solutions can hinder more than help, teams simply<br />
don’t have the staff. Nearly two-thirds of respondents to the Enterprise Endpoint Security Survey<br />
indicated that they struggle to keep up as their teams are stretched to the max, often limiting their ability<br />
to handle security operations the way that they want or wish that they could.<br />
Unfortunately, in light of internal staff shortages, their work is about to get harder. The survey reveals that<br />
only 29% of companies will complete migration to Windows 10 before Microsoft ceases support for<br />
Windows 7 on January 14, 2020. This means that potentially millions of endpoints will present openings<br />
for cyberattackers to take advantage of an outdated OS that is no longer monitored and supported by<br />
Microsoft and that also lacks the latest security features available in Windows 10. While 87% of<br />
companies reported that they will have more than half of their systems running Windows 10, close may<br />
not be good enough. It takes cyberattackers only minutes to wreak havoc. Given that it requires 52% of<br />
organizations surveyed more than a week—and 22% more than a month—to remediate vulnerabilities<br />
after they are discovered, this could spell big trouble.<br />
Automation Must Be Part of the Solution<br />
With staff being swallowed up trying to handle all of the threats and issues their organizations face, and<br />
those threats increasing each day, something’s got to give. Significant talent shortages make finding<br />
enough skilled IT workers to conquer these issues unlikely. And even the best-funded, best-staffed<br />
organizations are fighting a losing battle against the clock. It would be nearly impossible for humans alone<br />
to write the code and execute remediations at the scale that they need to keep all endpoints up to date<br />
100% of the time.<br />
Automation has to be part of the solution. There have been knocks against it—from the time required to<br />
learn how to use new solutions to the limits of present capabilities—but solutions are improving rapidly.<br />
The next generation of vulnerability management solutions includes instant remediation capabilities.<br />
Even if a solution could automatically remediate only 50% of issues, that would be a vast improvement<br />
over the circumstances teams operate in today. It would not only accelerate the speed at which basic<br />
issues are fixed enterprise-wide, it would also open up considerable resources to address more complex<br />
issues in a timely manner.<br />
While enterprise IT security faces a difficult road ahead, all is not lost. The intense commitment of existing<br />
staff to fight cyberthreats coupled with exciting advancements in automation could ensure that the results<br />
of next year’s survey look markedly different. Winning modern cyberwars will require man + machine.<br />
About the Author<br />
Jeff Harrell, vice president of marketing at Adaptiva, manages the<br />
company’s marketing strategies and initiatives across a growing<br />
range of products designed to assist global enterprises with<br />
pressing endpoint management and security needs. With more<br />
than 20 years’ experience, Jeff is known for his domain<br />
knowledge, creativity, and vision as well as the ability to execute.<br />
In his free time, Jeff can usually be found looking for birds through a pair of binoculars. For more<br />
information, please visit https://adaptiva.com/, and follow the company on LinkedIn, Facebook, and<br />
Twitter.<br />
Meet Our Publisher: Gary S. Miliefsky, CISSP, fmDHS<br />
“Amazing Keynote”<br />
“Best Speaker on the Hacking Stage”<br />
“Most Entertaining and Engaging”<br />
Gary has been keynoting cyber security events throughout the year. He’s also been a<br />
moderator, a panelist and has numerous upcoming events throughout the year.<br />
If you are looking for a cybersecurity expert who can make the difference between a nice event and<br />
a stellar conference, look no further: email marketing@cyberdefensemagazine.com<br />
You asked, and it’s finally here…we’ve launched CyberDefense.TV<br />
At least a dozen exceptional interviews rolling out each month starting this summer…<br />
Market leaders, innovators, CEO hot seat interviews and much more.<br />
A new division of Cyber Defense Media Group and sister to Cyber Defense Magazine.<br />
Free Monthly Cyber Defense eMagazine Via Email<br />
Enjoy our monthly electronic editions of our Magazines for FREE.<br />
This magazine is by and for ethical information security professionals with a twist on innovative consumer<br />
products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our<br />
mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best<br />
ideas, products and services in the information technology industry. Our monthly Cyber Defense e-Magazines<br />
will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare<br />
arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of<br />
sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here<br />
to sign up today and within moments, you’ll receive your first email from us with an archive of our<br />
newsletters along with this month’s newsletter.<br />
By signing up, you’ll always be in the loop with CDM.<br />
Copyright (C) 2020, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G.<br />
SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a<br />
CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com,<br />
CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability<br />
Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465,<br />
Cyber Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS#<br />
078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com<br />
All rights reserved worldwide. Copyright © 2020, Cyber Defense Magazine. All rights reserved. No part of this<br />
newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying,<br />
recording, taping or by any information storage retrieval system without the written permission of the publisher<br />
except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of<br />
the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may<br />
no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect<br />
the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content<br />
and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at<br />
marketing@cyberdefensemagazine.com<br />
www.cyberdefensemagazine.com<br />
NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA)<br />
Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 01/03/2020<br />
Nearly 8 Years in The Making…<br />
Thank You to our Loyal Subscribers!<br />
We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know<br />
What You Think. It's mobile and tablet friendly and superfast. We hope you<br />
like it. In addition, we're shooting for 7x24x365 uptime as we continue to<br />
scale with improved Web App Firewalls, Content Delivery Networks (CDNs)<br />
around the Globe, Faster and More Secure DNS<br />
and CyberDefenseMagazineBackup.com up and running as an array of live<br />
mirror sites.<br />
5m+ DNS queries monthly, 2m+ annual readers and new platforms coming…<br />