CS Mar-Apr 2020

Computing
Security
Secure systems, secure data, secure people, secure business
Nightmare Visions
2020 in deeper focus
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
Outmanoeuvred!
Breached and unaware
No ducking the issues
CEOs in the firing line
Enigma variations
Film plots with a powerful twist
Computing Security March/April 2020

comment
COVID-19: A NEW LEVEL OF THREAT
We are all well aware of the 'enemies at the gate': the hackers and attackers looking
for every opportunity to seize data by exploiting weaknesses in your defences. Breaches
have reached new heights, with no organisation, however large or small, immune from
such assaults.
Now the cybercriminals have been joined by a powerful ally in the quest to drive
home their advantage - COVID-19. With more and more people working from
home/remotely, the threat that the Coronavirus poses has also become a double-edged
sword. Isolation helps to limit the virus's impact, but also opens the doors to the
cybercriminals intent on getting through poor security systems.
"Cybercriminals are taking advantage of this pandemic, especially when people are at
their most scared and vulnerable," says Thorsten Kurpjuhn, European security market
development manager at Zyxel. "Your computers become the most obvious target."
He advises three steps that should be taken, in order to safeguard your organisation
and employees:
Block it. "Multi-Layer Protection from a default bundled security service can block
malicious and suspicious traffic, ensuring the well-being of your business network."
Learn it. "Cloud Intelligence identifies every incoming threat, so the Cloud Threat
Database keeps learning, evolving and growing stronger after each attack."
Prevent it. "Cloud Intelligence extracts top-ranked threat information and gives all ATP
firewalls constant updates. This global-sharing synergy empowers ATP firewalls to
prevent all hidden threats."
In ordinary times, staying safe is challenging enough. In these extraordinary times,
only constant vigilance, with the appropriate defences in place, will get you through.
Meanwhile, we hope that all of our readers, along with their families and friends,
stay safe and secure, in every sense, during these challenging times.
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
PRODUCTION: Abby Penn
(abby.penn@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2020 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk Mar/Apr 2020 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security March/April 2020
contents
CONTENTS
Computing
Security
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
Nightmare Visions
Outmanoeuvred!
Breached and unaware
2020 in deeper focus
No ducking the issues
CEOs in the firing line
Enigma variations
Film plots with a powerful twist
COMMENT 3
COVID-19: A NEW LEVEL OF THREAT
ARTICLES
EDITOR’S FOCUS 6
Big moves on finger vein recognition and
Identity-as-a-Service technologies.
CYBERSECURITY & GDPR UNITE 8
Regulation and technology will underpin
data security in the years ahead, argues
Robert Allen of Kingston Technology
CEOs IN THE FIRING LINE 14
You can't rely on others to get your Public
Key Infrastructure in order, states Andrew
Jenkinson, Cybersec Innovation Partners
THE PLOT THICKENS 16
CORONAVIRUS SPOOF ATTACKS 24
What are the chances that secure data
Coronavirus outbreak fuels new levels of
cyber-attacks and defence breaches
management might have changed the
outcomes of several landmark films?
BREACHED - AND UNAWARE 26
Charlotte Williams, marketing & PR
47.6% admit they wouldn’t know, were a
manager at total information management
breach to occur within their organisations,
company Shredall SDS Group, offers her
QUANTUM CRYPTO REVOLUTION 28
thoughts from the front row
Encryption systems offer huge promise,
despite many issues still to be overcome
BATTLING THE BREACHES 29
A glut of breaches is prompting many to
seek Cyber Essentials audits
WORLD-WIDE MALICE 20
The impact of indiscriminate malicious
CYBER THREAT INTELLIGENCE 30
activity online is soaring and estimated to
Thornton-Trump, Cyjax, on vulnerability,
hit a global price tag of $6 trillion by next
exploitation and attacker motivation
year. Four actionable principles have been
HOMING IN ON COVID-19 31
identified as successful in preventing
More and more employees are working
malicious activities reaching their targets
from home. But dangers lurk there as well
A CYBERSECURITY EDUCATION 32
Despite the GDPR, businesses may still not
be taking cybersecurity seriously enough
ATTACK STATS 'TIP OF ICEBERG’ 22
ESSENTIAL BUILDING BLOCKS 34
New figures that report a fall in 'computer
A more secure network architecture is
misuse' and a rise in fraud show the
vital, states Myles Bray, Forescout
authorities are failing to grasp the true
PRODUCT REVIEWS
impact of cybercrime, according to a
• Cloud Protection for Salesforce
leading cybersecurity expert.
from F-SECURE 32
• Flowmon ADS 33
computing security March/April 2020 @CSMagAndAwards www.computingsecurity.co.uk
4
MORE 20/20 VISIONS 10
As cyber anxiety shows itself everywhere,
Part 2 of our top predictions for 2020
looks at the many challenges that lie
ahead. Now, with the emergence and
global impact of COVID-19, that task has
been made a whole lot tougher

Ransomware: Are you aware
of the cost of an outbreak?
Ransomware is the most expensive form of malware to hit organisations worldwide
IT-professionals understand the productivity,
revenue loss and disruption that a ransomware
outbreak can cause, when it passes the
perimeter and Endpoint Protection Platforms
(Anti-Virus).
However, it can be a struggle for professionals
to communicate and visualise the critical
nature of this threat at decision making- and
board level, particularly when several solutions
have already been purchased to mitigate this
threat.
In past years we have all seen several large
organisations with large IT and security teams
and sizable security budgets, invest in several
best-of-breed solutions at perimeter and
endpoint level, only to still be penetrated and
hit by a ransomware outbreak.
Not many organisations understand the
full financial and organisational impact of a
ransomware outbreak. To aid organisations we
have made it easy to overcome this struggle and
justify why a ‘Last Line of Defence’ is needed.
Historically, the Cybercriminals have always
been one step ahead, resulting in prevention
solutions not being able to cope with all threats
and having the inherent weakness of not
fully protecting, particularly against the latest
threats.
When ransomware has already by-passed all
other defenses, there is nothing left in your
environment to stop it from encrypting 7.000
files per minute.
The solution is Bullwall’s Last Line of Defence
- RC, which is a 24/7 automated containment
solution, which is laser-focused on stopping a
ransomware outbreak immediately, thereby
minimising any disruption, downtime, and cost
to the business to an absolute minimum.
Schedule a demo with Brookcourt Solutions to learn
about our Last Line of Defence solution, which has a
proven record of stopping Ransomware outbreaks.
contact@brookcourtsolutions.com
You can try our Cost of Downtime
calculator based on your numbers:
Please visit bullwall.com/cod
www.brookcourtsolutions.com

editor's focus
RICH VEIN OF POSSIBILITIES
HITACHI AND UBISECURE ARE JOINING FORCES TO INTEGRATE THEIR FINGER VEIN RECOGNITION
AND IDENTITY-AS-A-SERVICE (IDAAS) TECHNOLOGIES. WILL SIMILAR COLLABORATIONS FOLLOW?
Isee that the move into the deeper levels
of recognition technology is showing
no signs of letting up. Indeed, two of
industry's heavyweights are stepping into
that ring as a formidable 'tag team', looking
to deliver a knock-out blow to any other
contenders, if they can.
The twosome are Hitachi and Ubisecure,
with the former looking to integrate its
finger vein recognition technology as a
biometric authenticator within Ubisecure's
Identity-as-a-Service (IDaaS) solution.
According to the new alliance, the new
partnership will provide "an unrivalled
frictionless biometric experience that delivers
high quality usability and reduces the risk of
data breach - making it ideal for customerfacing
use cases". So, what's it all about? In
a nutshell, Hitachi's finger vein biometrics
solution, Hand Gesture Technology, can be
used at the user authentication stage for
onboarding and subsequent logins. It can
be activated quickly and easily, it is reported,
through Ubisecure IDaaS, an SaaS product
that allows developers to plug in the latest in
identity management functionality - such as
single sign-on and multifactor authentication
- to apps and services.
What Hand Gesture Technology does is to
enable fast and secure user identification
through the unique vein patterns in fingers.
This way, identity can be verified via a simple
hand gesture to a camera in a standard
laptop or desktop.
By delivering the benefits of biometric
authentication, while sidestepping the usual
requirements for specialised and expensive
reader equipment, the offering is seen as
especially suitable for mass adoption.
According to Simon Wood, CEO at
Ubisecure: "We're committed to providing
customers with a range of secure
authentication options, including biometric
technology. For biometrics to be adopted
at scale, they must be easy to use and,
preferably, require no additional hardware.
"In this sense, Hand Gesture Technology is an
ideal way of implementing the security and
convenience of biometrics without the
common deployment challenges."
For his part, Ravi Ahluwalia, general
manager, Security Business Group at Hitachi
Europe, identifies one clear advantage: finger
veins are non-replicable and cannot be lost
or stolen. He cmments: "While the solution
is now pervasive in the banking sector, our
collaboration with Ubisecure will help us to
expand that reach into other verticals."
06
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

editor's focus
ACTIVE BREACHESCHES
Elsewhere, all has not been as it should be at
the offices of the United Nations. In fact, the
UN's offices in Geneva and Vienna came
under attack recently, compromising more
than sixty of their servers. Interestingly, we
know that the attack was explicitly aimed
at the Active Directory component; and
worryingly, the sophistication of the attack
indicates it may have been state sponsored.
The Active Directory is a known weak point
in most organisations' security stance, plus it's
essentially the only way a hacker can move
around an organisation once inside - as they
did in this hack. In fact, as Jérôme Robert,
a director at Active Directory cybersecurity
specialist Alsid, points out, it's pretty much
the Holy Grail of access. And he is fairly
sanguine about this particular breach.
"No less an authority than the UN is the latest
organisation to fall victim to a serious cyberattack,
proving that it really can happen to
anyone. We don't know how long they were
in the UN's systems, but we do know that
a total of 67 servers were deemed as
compromised or suspicious by the UN's
security team.
"That volume points to some serious lateral
movement over a chunk of time, which is
how we can be certain the Active Directory
was compromised in this case. The attackers
would have used AD access to jump from
machine to machine, looking for data
and access to further internal systems to
strengthen and prolong the attack while
they hunted for their targets."
No one can say with any real accuracy how
long the attackers were 'active' in the UN's
systems, but with 67 servers in the equation,
that suggests serious lateral movement over
a chunk of time, "which is how we can be
certain the Active Directory was compromised
in this case", Robert continues. "This attack
reinforces that security teams have to
win every time they are attacked and
cybercriminals only need to get lucky once
to gain access to the AD, at which point they
already have their hands in the cookie jar and
you're in big trouble."
For anyone who thinks bitcoin might be
losing its appeal, not a word of it. A Dutch
university has paid nearly 200,000 euros
worth of the cryptocurrency to Russian
hackers after 267 servers were compromised
in December last year. "Ransomware is certain
to remain a key threat to all organisation's
networks globally throughout 2020," warns
Carl Wearn, head of E-Crime at Mimecast.
"The latest indication from Mimecast's data is
that threat actors are now almost certainly
re-concentrating their efforts to focus on
ransomware attacks and have been doing
so since last year." As research from the
Netherlands' National Cyber Security Center
illustrated last year, something like 1,800
organisations globally were thought at that
time to have been subject to ransomware
attacks. "As with any piece of crime-related
research, we should expect that this is in fact
a gross undercounting of the problem as it is."
Ransomware is making criminals a lot of
money. "Ransomware can be delivered by
electronic communication, exploit kit or other
means," Wearn continues. "Ensuring nonnetworked
backups are in place, and that a
comprehensive solution to provide fallback
email and archive capabilities is in place, are
the key solutions to ensuring business can
continue as uninterrupted as possible, should
a ransomware attack take place.
Relying on the threat actors to restore your
data in the case of attack is obviously riddled
with issues, not least of which is that they are
prone to errors themselves and may not even
be able to restore your data once they've
encrypted it. Paying any ransom is also likely
to make you a future target of choice,
through proven willingness to pay. I would
urge all organisations to plan for this threat
to be realised, if adequate steps are not taken
to provide a suitable fallback or recovery
solution now."
Carl Wearn, Mimecast: paying any
ransom is likely to make you a future
target of choice.
Jérôme Robert, Alsid: cybercriminals only
need to get lucky once to gain access to
the Active Directory.
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2020 computing security
07

expert insights
WHY CYBERSECURITY POLICY & GDPR
COMPLIANCE AREN'T SO DIFFERENT
THE COMBINED FORCES OF FURTHER REGULATION AND NEW
TECHNOLOGY WILL UNDERPIN DATA SECURITY IN THE YEARS AHEAD,
ARGUES ROBERT ALLEN - EUROPEAN DIRECTOR OF MARKETING
& TECHNICAL SERVICES AT KINGSTON TECHNOLOGY
Over the last decade, data has
become the world's most precious
commodity. The largest technology
organisations have grown into empires and,
following this shift, regulators and
governments have now awoken to the value
of data and begun to treat it accordingly.
New data security laws, such as GDPR,
affect companies and individuals across the
world. And as organisations adopt further
digital technology, the cybersecurity threat
has grown, as the rewards for gaining
unlawful access to data become more
lucrative. Historically, the emergence of new
technology in other industries has always
been followed by regulation, usually
because it quickly becomes obvious that
without clear standards, those industries can
create products that could cause serious
risks. But until only recently (arguably, still)
there has been a 'wild west' attitude to
digital technology. Risk is still tricky to
quantify, let alone manage, and many
companies still do not treat data security
seriously, even with the threat of regulatory
fines in place.
Cybersecurity threats are similarly not
taken seriously or even well understood in
companies. If they were, password reuse
wouldn't be prevalent, nor would reliance
on outdated software or the widespread use
of unencrypted devices. We all know there
are multiple threats to digital security that
require multiple solutions. But it's clear the
companies that consistently maintain a clear
approach to data management have been
able to meet regulatory compliance better
than those who had to scramble to meet
the 2018 regulation date. GDPR has
demonstrated that, by long-term prioritising
of data security and data protection,
a firm will be in a better shape to meet the
regulation that will surely follow further
down the line. Prioritising and investing
in both together is simply good business
practice.
A combination of further regulation and
new technology will drive data security
over the next decade. David Clarke, CTO
at GDPRUK.EU and founder of the GDPR
Technology Group on Linkedin, agrees.
"Cybersecurity technology will need to adapt
to the many global regulatory environments
to protect data and manage the appropriate
and fair use of personal data, protect the
vulnerable in our society, from managing
dataveillance and preventing online harms.
Data is already regulated; the next big
challenge is the regulation needed to
manage and monitor behaviours in a
world of zero-knowledge identification."
With a workforce as likely to be working
with sensitive company data when travelling
or at home as in the office, transporting
data to and from these locations is a key
security weak point. But when a business
deadline needs to be met, it's all too easy to
quickly transfer crucial documents to the
first USB stick you find in a drawer. Rather
than outright banning USB storage, there
are secure products, such as Kingston
Ironkey D300, that can mitigate this risk,
with on-device hardware encryption that
ensures that, if a device is lost or stolen,
the thief will not have access to any of the
data, which may be more valuable than the
hardware itself. Designed from the ground
up with security in mind, attack vectors
have been carefully considered, from
tamper-evident materials to a secure
password input method designed to foil
key loggers.
However, it seems that even our own
government isn't sending the right message
on security. Recently, it was revealed that
the UK government lost 2,004 mobiles
and laptops in 12 months 1 , from critical
government departments. Many were stolen
and 200 of these devices were unencrypted,
with potentially sensitive data accessible to
all. If security is best led by example, then
more joined-up thinking from above would
encourage better practices across the board.
1 https://www.bbc.com/news/technology-51572578
8
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

Cyjax constantly monitors the internet looking for data
relevant to your organisation’s security posture and
reputation.
ADVANCED THREAT INTELLIGENCE
Accurate, Timely and Actionable. Our threat
information is augmented and processed by security
cleared analysts. Bespoke information on the risks
unique to your business displayed in a comprehensive
threat intelligence dashboard.
Put our eyes on your risks. Speak to us today.
+44 (0)20 7096 0668 info@cyjax.com www.cyjax.com

2020 predictions
MORE 20/20 VISIONS
AS CYBER ANXIETY MANIFESTS ITSELF EVER MORE WIDELY, PART 2 OF OUR
TOP PREDICTIONS FOR 2020 LOOKS AT THE MANY CHALLENGES THAT LIE AHEAD
With four generations working
alongside each other for the first
time, organisations will need a new
approach to protecting data in 2020 and
beyond, advises Jon Fielding, managing
director, EMEA Apricorn. "They'll be dealing
with a range of different attitudes to security,
as well as evolving working practices - in
particular a continued increase in mobility and
flexibility. A complex security strategy that
attempts to address this diverse workplace
with copious models and technologies will
only create more risk."
There's no 'one size fits all' when it comes to
securing the multi-generation enterprise - but
encrypting all data as standard, both at rest
and on the move, will bring us as close as it's
possible to get, he suggests. "Encrypting data
end-to-end renders it unintelligible to anyone
not authorised to access it. This is especially
valuable when employees are mobile working
- and the use of hardware encrypted storage
devices will eliminate an element of the
'human risk' of data loss entirely." With the
cybersecurity skills shortage biting hard, and
an increasing expectation that IT will help
drive the goals of the business, enterprises
must look outside the industry to recruit
the right people. "The most effective way to
defend a modern business against cyber
threats is to build a diverse security team,
equipped with a range of different skillsets
and experience - including business acumen,
and the ability to communicate, collaborate
and lead," adds Fielding.
"It may seem counter-intuitive to recruit
non-specialists to a specialist role, but, when
it comes to cybersecurity, an understanding
of the basic, best-practice fundamentals is
most important. If somebody has a solid
foundation in good security hygiene,
and they're willing to learn, the technical
knowledge they need can be built from there."
NEW MINDSET
Richard Walters, CTO of Censornet, points out
that every year Artificial Intelligence (AI) bags
a top spot in the list of security trends and
predicts that this year will be no different.
"However, whereas 2019 was heralded as the
year of AI, 2020 will see businesses take a
shrewder approach towards the technology.
The widespread hype around AI in the
industry has made it harder to determine just
what it can and can't deliver. While projections
indicate budgets for AI in cyber security will
increase, the industry itself will have a much
more critical role in deciding how AI will be
applied."
The industry is shifting away from the
mindset that AI will be the silver bullet in the
war against cybercrime, he adds. "As with
any technology, AI has its limitations. It also
won't be viewed as a 'crystal ball', capable
of foretelling every single attack before it
happens. Despite exaggerated claims, no
AI tool can predict a Black Swan event; a
completely unknown attack. That's not to say
that AI has no role in cyber security, as long
as the tool itself is well suited to the task at
hand.
"Using AI to address some of the more
common information security problems is like
taking a sledgehammer to crack a walnut,"
he comments, "so it should only play a part
where the situation dictates. A company's
security posture should be judged by how
10
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

2020 predictions
effectively its strategy is aligned with its
objectives, rather than how much of the latest
technology it has."
BEWARE MALWARE
Stuart Reed, VP cyber - redesign - malware &
CISO roles, Nominet, believes this year will see
the cyber industry redesigned in some key
areas. "Malware will undoubtedly evolve and
ransomware will become more sophisticated,
potentially even teaching businesses new
ways to take payments and create customer
service that encourages the victim to part
with their money. That said, it will still be the
simple attacks that cause the most damage,
because organisations have a lot of work to
do on ensuring they are utilising every layer of
defence within their reach.
"We'll also see the role of the CISO
redesigned in 2020, as the imbalance of their
work-life worsens and the role needs to
change to meet the demands of the modern
cyberscape; for example, becoming more of
a strategic resource for the business on
mitigating risk and facilitating business
transformation safely," he says.
Mark Burdett, Nominet's head of product
delivery - ML & AI enhanced cyber-attacks,
believes machine learning and artificial
intelligence will be used to create distributed
and targeted malware and attacks. "An
attacker using machine learning algorithms
can create a suite of botnets or worm-style
malware that gathers data from multiple
attempts to breach commercial sites,
ultimately generating more sophisticated
attacks that could be targeted at critical
national infrastructure or governments,"
he warns. "Using data from breaches,
vulnerabilities, successful and failed attacks -
the 'next generation' of malware can be
created. It will make fewer obvious attacks,
but be more successful by using tactics
proven to work. This would make pattern
matching or DOS/brute-force security
measures less and less effective." Protecting
against this style of attack requires analysis of
network patterns, command and control, and
a large-scale dataset of attacks to see these
attempts happening across multiple sites and
networks, rather than a single instance or
victim, he concludes.
AREAS OF CONCERN
Dean Coclin, senior director, Business
Development at DigiCert, highlights several
areas of concern for businesses this year:
Certificate Automation - with shorter
validity periods on the horizon for TLS
certificates, organisations will need to
start embracing automation in order to
make cert management easier
Consumers will have to heighten their
security awareness, as threat actors take
advantage of free Domain Validated TLS
certificates to show the padlock on their
websites. It's no longer sufficient to "look
for the lock", one must look "beyond the
lock"
IoT Security - hackers will continue to find
vulnerabilities in consumer devices, since
security is not top of mind when these
devices are developed. Industrial IoT
security has improved, especially for
critical systems such as automotive,
SCADA and healthcare.
"This year, we have seen the adoption of the
CCPA (California Consumer Privacy Act) and
the failed NYPA (NY Privacy Act)," states Coclin
"There is impetus for a national privacy act,
similar to GDPR, but the likelihood of that
happening in the current administration
is low. Nonetheless, consumers are very
concerned about recent privacy breaches.
States are filling the hole by adopting their
own acts, but this will make compliance very
difficult for companies, due to the patchwork
nature of adoption," he cautions.
PROTECTION TO BE RAMPED UP
"After years of haplessly watching technology
race ahead of regulation, governments
around the world have started to enact
regulations to protect consumers and
mitigate security risk, says Mike Riemer, chief
Jon Fielding, Apricorn: to defend a
modern business against cyber threats,
you must build a diverse security team.
Azeem Aleem, NTTS: Security
Orchestration, Automation and Response
(SOAR) will rocket as attacks demand an
AI-based approach to security.
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2020 computing security
11

2020 predictions
Mike Riemer, Pulse Secure: A big focus
will be the increase in regulatory
requirements around IoT and IIOT
devices.
Stuart Reed, Nominet: this year will see
the cyber industry redesigned in some key
areas.
security architect at Pulse Secure. "A big focus
for 2020 will be the increase in regulatory
requirements around IoT and IIOT devices as
they proliferate in corporate networks and OT
systems. When organisations do not know
where a device is on their network, or who it
is communicating with, that poses severe
security risks."
And, as more organisations adopt IoT and
IIoT devices in the workforce, there need to be
security policy and controls in place. "In the
United States, much of this regulatory reform
has been spearheaded by the state of
California, which recently passed SB-327, the
first law to cover IoT devices. It took effect on
January 1 and regulators around the world
will certainly be watching to see how effective
the legislation is at minimising security risks
from IoT devices," he adds. "Since the
regulatory laws often have a cascading effect,
we can certainly expect to see similar bills
appearing across the country and eventually
at a federal level. Organisations will need to
make sure they, or any third-party security
vendors, are compliant to protect IoT devices
and the information they contain."
SOAR POINT
In terms of trends that will shape the
cybersecurity landscape in 2020, Security
Orchestration, Automation and Response
(SOAR) will rocket as attacks demand an AIbased
approach to security, believes Azeem
Aleem, VP Consulting Security, NTT. "Cyberattacks
are happening at machine speed,
not human speed. To keep up, organisations
will need the help of machines - and data
scientists - and SOAR will be the hottest area
in cybersecurity. It enables organisations to
predict when an attack is going to happen -
and fast. We don't talk about proactive
security anymore, but predictive security,
which will become essential for delivering an
active cyber-defence in 2020."
There are four other key trends that Aleem
identifies for the security industry in 2020:
Applications are becoming the new attack
vector: Application-specific and webapplication
attacks now account for a third
(32%) of hostile traffic - according to the NTT
2019 Global Threat Intelligence Report (GTIR).
"Now that infrastructure is more cloud-based
and software-defined, we're entering a world
where the application is the easiest way to
compromise data," he states. "The number
of attacks on applications will increase, so
organisations need to regularly evaluate the
security hygiene of applications across their
business and apply necessary patches - an
exercise that can no longer be neglected."
Security goes to the cloud: "While
organisations still buy on-premises
equipment, largely for compliance reasons,
more is being created and hosted in cloud
environments," says Aleem. "However, if
organisations are using multiple hosting
centres or hyperscalers, it's more difficult to
apply standardised, software-based security
controls across the entire infrastructure.
Applying security to the application or
workload will enable them to monitor and
implement the appropriate controls."
Hyperscaler patterns continue to be elusive:
Fixed infrastructure tends to have standard
traffic patterns that make it relatively easy to
identify anomalies. "This is not the case with
hyperscalers, which also make hundreds of
thousands of high-speed updates to their
platform on any given day. This will make it
very difficult for organisations to monitor the
interactions between humans, machines, data
and applications in order to identify patterns
and anomalies. Information, context and
intelligence therefore need to be applied for
a robust security posture."
Data lakes and data wallets: Data lakes will
enable new models of predictive analytics, he
says. "What's more, we will see data wallets
that put data in the hands of the person who
owns it and making it completely secure for
them. Nobody can access that data without
certain permissions being in place and, if the
user is under threat, can be locked down."
12
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

Maintaining secure access during an emergency
When freak weather hits, transport strikes disrupt commuters, or a global health pandemic
ensues; the need for secure, immediate access is at its greatest. Users need to maintain access
to business-critical data and applications in a secure environment; providing access with a
password alone simply is not secure enough.
In the event of an emergency, many organisations allow remote users to authenticate with a
standard username and password. But this is when the need for secured access is at its
highest: during emergency situations corporate defences are often at their weakest and the
threat from attack at its greatest.
SecureIdentity SecurICE
SecurICE from SecurEnvoy is a revolutionary approach to the
age-old problem of providing secure access to corporate
systems in the event of an emergency - without the need for
fobs, tokens or smartcards.
SecurICE provides clients with the ability to turn on robust,
multi-factor authentication for users in the event of an
factor, and a passcode sent to the user’s mobile phone is the
second. There is no need for the user to enrol and
remember an additional PIN, and no need for extra tokens or
smartcards - the ideal, emergency two-factor authentication
system.
Part of the new
SecureIdentity
Platform by
SecurEnvoy
passcodes, can be sent via SMS to an entire organisation, or a
Why use our SecurICE solution
• Rapidly deploy multi-factor authentication in an emergency
• Keep users informed with status updates
• Provide users with instructions of what to do during an emergency
• Users are free to select their preferred authentication
• Enhance your business continuity strategy
Identity Beyond Boundaries
T: 44 (0) 845 2600010 E: info@securenvoy.com
www.securenvoy.com/en-us/securice

expert view
CEOS IN THE FIRING LINE
WHY YOU CAN'T RELY ON OTHERS TO GET YOUR PUBLIC KEY
INFRASTRUCTURE IN ORDER - AND WHAT HAPPENS IF YOU
DON'T. ANDREW JENKINSON, GROUP CEO, CYBERSEC
INNOVATION PARTNERS, OFFERS HIS INSIGHTS
In the past months, no fewer than three
US government agencies have put out
warnings about the Microsoft Windows
10 vulnerability and still no one seems to
be aware how long the vulnerability was
there before those alerts were issued.
CVE-2020-0601 can exploit and
undermine Public Key Infrastructure (PKI)
trust. According to Neal Ziring, technical
director of the NSA Cybersecurity
Directorate, "this kind of vulnerability
may shake our belief in the strength of
cryptographic authentication mechanisms
and make us question if we can really
rely on them". The problem that creates
such a weakness with Windows 10 is that
attackers are able to disguise a malicious
executable binary, so that it appears like
a Windows system binary; worryingly, it
could remain undetected by anti-virus
and other perimeter defences. This allows
attackers to install it, and potentially
achieve command and control.
Unequivocally, PKI can never be assumed
to be trustworthy. Without constant
and continuous monitoring, it will
unquestionably cause business continuity
issues, and enable infiltration and
nefarious activities. Service outages,
malware and data breaches are as a result
of weaknesses in PKI management and
controls, and used as easy access.
The Windows 10 situation is serious, due
to its magnitude and the ubiquitous use of
the software. It has been a shocking start
to the new decade for Microsoft, as one
global issue is disclosed by the NSA and
now hot on its heels is a second, in the
form of a critical browser Zero Day issue
identified by the CISA.
The CISA warning is of a zero-day
vulnerability that is being exploited
without a fix in Microsoft's Internet
Explorer and, although IE represents a
small percentage of overall internet use,
it can corrupt memory, so that an attacker
can gain the same user rights as the owner
- ie, take over command and control.
And it doesn't stop there. This gives rise
to huge opportunities for cyber criminals.
14
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

expert view
The past, and a possible future, of
cybercrime:
1978 Ralph Merkle develops Public Key
Infrastructure
1990s PKI is adopted as global core
security for digital communication
2000s various 'agencies' manipulate
and 'encourage' back doors to enable
spoofing
2000s various agencies develop cyber
intelligence and cyber warfare this
included Malware such as Flame
and Stuxnet
2000s cyber warfare and Malware is
obtained by criminal and create a new
wave of criminal activity (cyber criminals)
2010s various agencies develop Cloud
technology to enable secure access to
the mothership
2010s Numerous Tier 1 Tech firms
develop cloud technology in conjunction
with the agencies and start to roll out
to global clientele
2010s Cloud providers see more attacks
and vulnerabilities on a larger scale
2010s GDPR is announced and massive
fines are levied for cyber and privacy
breaches
2010s Ransomware increases in line with
the rise of cryptocurrency as it is easy to
pay ransom monies without being traced
2020s Quantum computing becomes
more widespread with faster and greater
computing capability
2020s Quantum computing is used by
cyber criminals for greater and faster
cyber-attacks and breaches.
We can see that technological
advancement is quickly followed by, and
used by, the new breed of criminal, the
cybercriminal, be they State Nation or
otherwise. Equally, the very same
governments that conceived backdoors
and developed malware to attack their
enemies are the very same governments
that levy massive fines for being breached
with a strain of the viruses they created in
the first place.
One could say the writing is on the wall,
unless a massive realignment occurs
between all parties at the very top level. It
seems completely unreasonable that the
creation of backdoors and malware that is
blighting all organisations, creating massive
global losses, funding and fuelling further
criminal activities to the further detriment
of the world socially, can then be used to
penalise these organisations with massive
fines, jeopardising not just their profitability,
but their survival.
In the past three decades, we have
witnessed a situation that has simply got out
of control and we are suffering at ground
level with the lack of privacy and threat of
our personal details being stolen, lost,
manipulated or worse.
So, what could happen, if you suffer a
breach? Let's look at a typical scenario.
Your organisation is going really well,
business is great, your parent owners
recently undertook an IPO on the back of
the success of the business, share prices
have continued to increase, as have the
revenues and profits, everyone is delighted.
Then, BANG, your entire systems are
bought to their knees from an unknown
infiltration that has been going on for
months, culminating with a ransomware
demand. To make matters worse, numerous
partnered banks have also been affected;
lawyers will be looking at liability and seeking
damages and compensation. Your company
has fallen, and from a pretty great height,
in the space of weeks.
There's clearly been a disconnect between
the cyber team, the risk appetite of the
business and you. No one could foresee
this happening - or could they?
Preparation for such events are typically
lax and aren't rehearsed as they should be.
The chairman is pacing up and down and
looking for answers to the potential loss of
Andrew Jenkinson, Cybersec: PKI can
never be assumed to be trustworthy.
several hundred million, massive brand
and reputation damage and litigation,
and all because of being ill-informed, poor
decisions, incorrect risk profile and
inadequate cyber posture.
Heads will, of course, roll. As the CEO,
there's no chance of you avoiding being in
the firing line. This has happened under your
watch and your control; and no matter what
your trusted advisers and security provided
you with, you are ultimately responsible.
Tough it may be, but that's reality.
If this seems hard hitting and resonates
with you, it's meant to. This is happening
all around us and in far too many
organisations. Protecting the business, the
staff and shareholders is your responsibility
as a CEO. Being ignorant of the facts and
relying on experts, who may not be as
expert as you think, is no excuse.
CEOs need to ask better questions about
the security of their businesses. And they
need to do it now.
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2020 computing security
15

data management
THE PLOT THICKENS
WHAT CHANCE SECURE DATA MANAGEMENT MIGHT HAVE ALTERED THE OUTCOMES OF CERTAIN LANDMARK
FILMS? CHARLOTTE WILLIAMS, MARKETING & PR MANAGER AT TOTAL INFORMATION MANAGEMENT COMPANY
SHREDALL SDS GROUP, OFFERS HER INSIGHTS
What would have happened to
the Allies, if Alan Turing had
failed to crack the Enigma code
in 'The Imitation Game'? And would the
National Security Agency's nefarious
schemes have been exposed, had it
protected its sensitive data and
prevented Edward Snowden from
publishing its secrets through WikiLeaks?
Based on real-life stories of data
infiltration, these films could have ended
very differently, if more effective data
protection measures had been put in
place. But before you dismiss this as
nothing more than a light-hearted
exercise in procrastination, just think:
what can we learn from the cinematic
universe about secure data management
practices?
We'll cover a range of films - fiction and
non-fiction - over the course of this
article. As well as dissecting their plots
to determine how they might have been
changed with proper data management,
this feature will also provide practical
tips on how you can avert similar data
mismanagement mishaps in the future.
THE HOBBIT &
THE LORD OF THE RINGS
Admittedly, these two film series are
unlikely candidates for the first item on
a list of data misman-agement movie
plots. As you're probably aware, the
story centres on the One Ring, a
mysterious artefact created by the Dark
Lord Sauron that grants the wearer the
power of invisibility. Bilbo steals the ring
from Gollum during a fateful turn of
events in 'The Hobbit: An Unexpected
Journey'.
Following his adventures over the
course of the next two films, Bilbo
returns to the Shire with the ring still in
his possession. At a later point, Gollum
is captured by the minions of Sauron,
revealing the name and location of the
unfortunate hobbit. This sparks the chain
of events that makes up the rest of the
16
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

data management
trilogy, with Sauron's forces attempting
to return the ring to their master, as
Frodo embarks on a journey to destroy
it in the fires of Mount Doom. Had
Gollum kept the ring in a secure location
or protected the vital information of
Bilbo's whereabouts more carefully, the
rest of the series could have turned out
differently.
But what can we learn from Gollum's
critical act of data mismanagement?
The key takeaway is this: if your business
holds sensitive commercial data, then it's
vital - in the immortal words of Gandalf
the Grey - to "keep it secret, keep it safe".
Hard copies of files should be stored
in a secure location, whether you keep
them on-site or employ a third-party to
look after them. Some companies even
choose to store their critical legal
business files in a high-security vaults
with specialised access mechanisms!
Digital copies are even more susceptible
to interception and should be stored
using a secure data management
platform. It's best to look for data
storage software that requires multifactor
verification before allowing users
to access files.
SNOWDEN
Based on the true story of Edward Snowden,
this film follows the protagonist as he works
for the NSA and finds out disreputable
government agency secrets. One shady
secret he discovers is that the NSA has
planted malware in the computer systems
of foreign governments, allowing them to
be disabled in the event that these foreign
nations were to oppose the US.
Eventually, Snowden, pictured below left,
becomes disenchanted with his work at the
NSA. He smuggles sensitive data out of the
agency in a microSD card hidden inside a
Rubix cube and releases it to the press. Had
the NSA protected this information in a
more secure manner, Snowden would not
have been able to expose their perverse
practices to the world.
Although the details of how Snowden
actually managed to produce a copy of the
NSA data are not known, it's somewhat
astonishing that he was able to extract data
from the NSA system using nothing more
than a microSD card in the film.
In reality, data breaches of this kind are
completely preventable with the right
software. There are many programs out
there that can stop users from copying data
to any form of external device, unless they
are given explicit authorisation. If your
business holds sensitive data and isn't already
using some data loss protection software,
you should really look into this.
It's also worthwhile having policies in place
regarding remote workers. Businesses should
specify that work laptops are only to be used
while connected to a secure network - using
an unsecured network opens you up to data
breaches that could potentially be costly.
Monitoring the activity of remote workers is
also advisable.
JURASSIC PARK
Jurassic Park is another film that could
potentially be deemed an unusual choice on
this list. Data security may not be the first
thing that comes to mind when you think of
Jurassic Park and indeed the data security
element in this film is more subtle than in
the other examples.
Yet one plotline involves Dennis Nedry -
pictured below - a computer programmer
employed by the Park, using his hacking skills
to disable the security systems and steal
dinosaur embryos. He intends to sell these
on to the highest bidder - with potentially
disastrous consequences - but never makes it
out of the park and is eaten by a dinosaur.
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2020 computing security
17

data management
All of this potential danger could have been
averted, if Jurassic Park's cybersecurity system
had been better protected against this kind
of attack. The take-home data security
message from this film is clear: even if your
data doesn't pose the same threat as stolen
dinosaur embryos, invest in decent
cybersecurity systems or prepare to be
infiltrated! Protecting your systems should
start with doing the basics right - ensure that
employees set secure passwords that are
different for each type of software they use.
Your company should also invest in
sophisticated anti-malware software. If your
resources allow, you could even think about
hiring a hacker to test your defences and
ensure your cybersecurity is up to scratch.
THE GIRL WITH THE DRAGON TATTOO
The frequent cyber-attacks and data
breaches that occur throughout this film
make it one of the more obvious choices
for this list. The film focuses on Mikael
Blomkvist, a former journalist who was
disgraced by the corrupt media mogul
Hans-Erik Wennerström after failing to make
libel accusations against him. Blomkvist
temporarily retires from journalism and
decides to help Henrik Vanger discover the
murderer of his granddaughter, Harriet.
During the course of the film, Lisbeth
Salander, a talented computer hacker
(pictured top right) and the eponymous 'Girl
With The Dragon Tattoo', helps Blomkvist to
get to the bottom of the mystery. Once the
murder case has been solved, Salander uses
her hacking skills to acquire sensitive
information about Wennerström.
This information enables Blomkvist to get
revenge against Wennerström, publishing
an exposé article and book to destroy his
reputation. Blomkvist's magazine, Millenium,
becomes popular and well respected as
a result. If Wennerström had succeeded
in protecting his data from Salander's
cybersecurity attack, then Blomkvist might
never have got his revenge.
The data protection lesson to take from
'The Girl with the Dragon Tattoo' is similar to
that of Jurassic Park. While your company's
computers won't contain data that's sensitive
in quite the same way as Wennerström's,
it's important that you put money into your
cybersecurity systems and prioritise the hiring
of skilled cybersecurity personnel.
THE IMITATION GAME
Now we come to the final instalment in
this list of data mismanagement films.
'The Imitation Game' (shown directly above)
is based on the true story of Alan Turing
cracking the German Enigma code. As such,
the data infiltration at the heart of this film
has implications for 20th-century history.
If Turing had failed to crack the Enigma
code with his machine, then German military
messages could not have been decoded and
the outcome of the war might have been
different. The British would have been
unable to divert supply convoys around
German U-boats by cracking their naval
communications, which could have had
catastrophic consequences for the war
effort as a whole.
Of course, your business doesn't rely
on a system of encoded messages to
communicate. There are, however, modern
parallels. It's likely that emails and messages
are sent between members of staff that
contain data which would be of interest to
your competitors - your business can't afford
for these to be intercepted.
Particularly for high-level business
discussions that refer to commercially
sensitive information, it's wise to utilise a
secure, encrypted messaging platform. Many
of these are freely available, so there's really
no excuse for a lax approach when it comes
to securing your business communications.
18
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

Automate your
most critical
PCI DSS checks
with Nipper
Firewalls | Switches | Routers
Evidence PCI DSS
compliance
Perform best practice
security checks
Detect & analyse
vulnerabilities
Get your 30 day free trial today
titania.com/trial

cybersecurity and ISPs
WORLD-WIDE MALICE
THE IMPACT OF INDISCRIMINATE MALICIOUS ACTIVITY ONLINE IS SOARING
AND ESTIMATED TO HIT A GLOBAL PRICE TAG OF $6 TRILLION BY NEXT YEAR
While certain cyberattacks focus on
specific organisations, the majority
actively target the largest number
of internet users possible. Such attacks are
often relatively easy for cybercriminals to
undertake and can cause serious harm. The
impact of indiscriminate malicious activity
online can be significant and carries an
estimated global price tag of $6 trillion in
2021 (see panel text).
The World Economic Forum Centre for
Cybersecurity brought together a group of
leading ISPs and multilateral organisations to
develop new ways to protect and prevent
these attacks from reaching consumers.
Following a year of development and testing,
four actionable principles were identified as
successful in preventing malicious activities
from getting "down the pipes" to consumers,
set out in the report, 'Cybercrime Prevention:
Principles for Internet Service Providers'. With
a collective aim to protect up to 1 billion
consumers in 180 countries in the process,
BT, Deutsche Telekom, Du Telecom, Europol,
Global Cyber Alliance, Internet Society, Korea
Telecom, Proximus, Saudi Telcom, Singtel,
Telstra and ITU all endorsed those principles,
namely to:
Protect consumers by default from
widespread cyberattacks and act
collectively with peers to identify and
respond to known threats
Take action to raise awareness and
understanding of threats and support
consumers in protecting themselves
and their networks
Work more closely with manufacturers
and vendors of hardware, software and
infrastructure to increase minimum levels
of security
Take action to shore up the security of
routing and signalling to reinforce
effective defence against attacks.
"Cybersecurity is becoming a public safety
issue," says Amy Jordan, delivery lead,
Platform for Shaping the Future of
Cybersecurity and Digital Trust, World
Economic Forum. "As more and more devices
are connected and physical infrastructure
becomes increasingly connected, no one
company can do it alone. The community
needs to come together, and these principles
can accelerate and scale impact."
In the report, each principle is considered
from the perspective of the challenges it is
seeking to address, as well as providing
demonstrable evidence from service providers
of the benefits of implementation. Further,
more technical detail on how each principle
could be implemented is also provided in
related recommendations.
"This initiative represents a fantastic example
of the World Economic Forum's ability to
20
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

cybersecurity and ISPs
convene public and private sector
stakeholders to share and implement
industry best practice that helps not only the
organisations involved, but also the users
of the internet at large," says Kevin Brown,
managing director, BT Security. It's a view
that is backed in full by many of those
involved in the report. "EUROPOL
wholeheartedly supports the adoption of
these principles by Internet Service Providers
worldwide, because they have the potential
to significantly limit the harm caused by
malicious cybercrime actors," states its
executive director Catherine de Bolle.
Equally committed to the cause is Joseph
Lorenzo Hall, senior vice president, Strong
Internet, Internet Society. "The World
Economic Forum's ISP Principles are a superb
collection of actionable measures that
providers can use to reduce malicious
activity online," he comments, while Stefaan
De Clerck, chairman, Proximus Board,
believes that "by adopting these bestpractice
principles and working with
governments in a public-private partnership
to create a supportive policy framework,
RISKY TIMES
we will collectively boost trust in the digital
economy and significantly reduce
cybercrime".
Finally, Nasser Suliaman Al Nasser, Saudi
Telecom Group (stc) CEO, adds: "As a nation,
and as the digital-enabling company, we are
exposed to all sorts of attacks, which forced
us early on to heavily invest and build worldclass
cyber capabilities to become fully
resilient. Guided by these four principles,
we encourage other ISPs to leverage them in
defining their strategies and gain confidence
by joining other global partners."
The World Economic Forum will now use
its 'Platform for Shaping the Future of
Cybersecurity and Digital Trust' to drive
adoption of the principles and seek to
initiate a dialogue between public- and
private-sector stakeholders on how
governments can incentivise uptake and
establish clearer policy frameworks and
expectations. By working collaboratively,
it is argued, ISPs will be better placed to
protect their customers and defend their
own networks than if they work alone.
Amy Jordan, World Economic Forum: the
ISP community needs to come together
and the WEF's four principles can
accelerate and scale impact.
Kevin Brown, managing director, BT
Security: initiative shows WEF's ability
to convene public and private sector
stakeholders to share and implement
industry best practice.
The 'Global Risks Report 2019' - part of the World Economic Forum's wider 'Global
Risks' initiative, was published against a backdrop of what it described as worrying
geopolitical and geo-economic tensions. "If unresolved, these tensions will hinder
the world's ability to deal with a growing range of collective challenges, from the
mounting evidence of environmental degradation to the increasing disruptions of
the Fourth Industrial Revolution," states the WEF. The report presents the results of
its latest Global Risks Perception Survey, in which nearly 1,000 decision-makers from
the public sector, private sector, academia and civil society assessed the risks facing
the world. Nine out of 10 respondents expected worsening economic and political
confrontations between major powers this year. Over a 10-year horizon, extreme
weather and climate-change policy failures are seen as the gravest threats.
This year's report includes another series of 'what-if' Future Shocks that examine
quantum computing, weather manipulation, monetary populism, emotionally
responsive artificial intelligence and other potential risks. The theme of emotions is
also addressed in a chapter on the human causes and effects of global risks, with a
call for greater action around rising levels of psychological strain across the world.
To download a PDF copy of the report,go to: https://bit.ly/2VbSjuG
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2020 computing security
21

fraud & cybercrime
CYBERCRIME FIGURES 'TIP OF THE ICEBERG'
A REPORTED FALL IN 'COMPUTER MISUSE' DISGUISES A LINK WITH THE RISE IN FRAUD, IT IS CLAIMED
New figures that report a fall in
'computer misuse' and a rise in fraud
show the authorities are failing
to grasp the true impact of cybercrime,
according to a leading cybersecurity expert.
Tim Thurlings, of bluedog Security
Monitoring, a former 'ethical hacker' who
helped to develop the European TIBER threat
intelligence framework, says that the current
figures fail to show the full extent of the
problem and demonstrate the need for more
accurate ways to measure cybercrime.
The figures released by the Office of
National Statistics show that, according
to the National Fraud Intelligence Bureau
(NFIB), 'computer misuse crime' fell by 11%
in the year ending September 2019 to
21,471 offences, following rises in the
previous two years. The NFIB figures include
cases reported by businesses and other
organisations. Meanwhile, the Crime Survey
for England and Wales (CSEW) estimates
that, amongst the population as a whole,
there were just over a million offences -
unchanged from last year.
However, both sets of figures also show
significant rises in fraud over the same
period. According to the NFIB, the number
of reported cases rose by 19% in the year
ending September 2019 to 743,413
offences. At the same time, fraud offences
experienced by adults in England and Wales
increased by 9% to 3.8 million, according
to CFEW. The increase was driven mainly by
a rise in 'bank and credit account fraud',
which totalled 2.7 million offences.
"These figures demonstrate the difficulties
the authorities face in defining cybercrime,"
says Thurlings. "At present, we are failing to
capture the true extent of the problem. Socalled
'computer misuse' is just the tip of the
iceberg. I expect that cybercrime plays a role
in many of the fraud cases, even though they
may not be classed as such. For example, a
lot of payment card fraud is now caused by
attackers penetrating retailers' IT networks
and putting malware on their point of sale
systems to capture customers' card details.
"Meanwhile, 'authorised push payments' -
where victims are tricked into paying money
into a criminal's account - are often the result
of phishing emails or phone calls and are a
type of social engineering which is very much
part of cybercrime. It is clear that the police
and finance industry are lacking know-how
on what computer misuse is, and how these
attackers operate.
However, as cybercrime has become
complex and sophisticated, it is also very
difficult to place offences in one category or
another. In many cases, cybercrime is part of
the mix: for example, criminals may also use
phone calls to victims as part of the scam.
"Certainly, we need better ways to measure
cybercrime, and understand its impact on
business and society as a whole. Companies
need to be aware of the growing threat and
understand that security should not be left
22
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

fraud & cybercrime
to the IT department. "It is now everyone's
responsibility," he concludes.
MANY FACES OF FRAUD
Fraud has many faces, of course, as Rob
Otto, EMEA Field CTO, Ping Identity, points
out, "It is a broad category of crime that
includes fraud by false representation, fraud
by failing to disclose information, and fraud
by abuse of position. In all three classes
of fraud, it requires that, for an offence to
have occurred, the person must have acted
dishonestly and that they had to have
acted with the intent of making a gain for
themselves or anyone else, or inflicting a
loss [or a risk of loss] on another. One of the
fastest growing areas is cyber-related fraud."
According to The City of London Police
'Action Fraud" unit, £34.6 million was
reported to be stolen from victims between
April and September 2018, while around
a third of victims in that period fell prey
to the hacking of social media and email
accounts, he adds. "Cyber fraud can fall into
two broad categories. The first is fraud that
uses an electronic means, such as email,
website or even telephone calls that
attempt to trick a victim into paying for
something fake. Overdue TV licences bills,
software to 'fix' a hacked computer and
forged company invoices are a common
trio from a seemingly endless list of scams.
Identity theft is another common fraud
component that can lead to more complex
fraudulent purchases or financial
agreements," Otto continues.
In both instances, identity has a significant
role to play, he states. "The telephone call,
email or website claiming to be a 'Microsoft'
[or equally well-known tech company]
employee contacting you with a request for
payment may seem legitimate - but being
able to validate this identity can be difficult.
On the other hand, e-commerce payment
processors with a 'card not present'
transaction need to validate a purchaser's
identity beyond just a legitimate credit card
number." Assuring identity is the challenge,
he adds. "In the case of payment fraud,
many checks are happening in the
background that assess risk through
analytics, such as spending habits, geolocation
and merchant trustworthiness.
Banks are also instigating MFA [Multi Factor
Authentication] through one-time pass
codes to card owners' smartphones - and,
as a result, these types of 'card not present'
frauds are either not rising as fast or on the
decline in most markets."
However, the more challenging issue
remains around how individuals can assure
the identity of organisations they deal with
electronically. "Part of the issue is the need to
raise consumer awareness around cyber
security 'hygiene', but this must also extend
to how organisations legitimately contact
customers via digital means. We are
encouraging organisations to use modern
technology, such as smartphone apps
with strong authentication capabilities, to
establish secure communication channels
with their customers. This can help both
the organisation and the end consumer
to recognise a legitimate interaction and
mutually authenticate one another."
INTERNATIONAL BACKING
At a national level, several countries have
instigated government-backed platforms
that can help to assure digital identity, such
as Estonia's digital ID card, which is used for
securely accessing health and tax services
and, increasingly, third party providers.
"However, government-issued ID cards have
been politically toxic, so it's likely that, in the
future, banks may well offer this type of ID
assurance services," he concludes. "This will
become more likely, if a common standard
can be agreed and implemented. Initiatives
such as Open Banking can help to facilitate
dialogue between banks, but at present
the best advice is to use caution and use
secondary methods such as contacting the
listed details on a valid website, if an email
for payment arrives out of the blue."
Rob Otto, Ping Identity: modern
technology can help to establish secure
communication channels with customers.
Tim Thurlings, bluedog Security
Monitoring: we are failing to capture
the true extent of cybercrime.
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2020 computing security
23

Coronavirus scam
SPOOF ATTACK UNLEASHED
THE CORONAVIRUS IS CONSTANTLY IN OUR THOUGHTS, AS ITS GLOBAL IMPACT SPREADS. AND IT'S PROVING
ANOTHER MEANS FOR HACKERS AND ATTACKERS TO GET INSIDE ORGANISATION'S SECURITY DEFENCES
Dr Hayleigh Bosher, Lecturer in
Intellectual Property Law at Brunel
University London. @BosherHayleigh
Sam West, Security Engineer, Libraesva.
@smljsphwst
The Coronavirus has received extensive
media attention, much of which has
been seen to strike fear and panic.
Now hackers, spammers and fraudsters
have used this as an opportunity to launch
new attacks. This article - authored by
Dr Hayleigh Bosher, a lecturer in Intellectual
Property Law at Brunel University London,
and Samuel West, a security engineer for
Libraesva - walks readers through a real-life
attack to show how and why they work,
what to look out for and what can be done
to stop the hackers.
Libraesva, a UK- and Italy-based security
software vendor, recently discovered
targeted phishing and whaling campaigns
based around the Coronavirus outbreak.
Phishing is, of course, the fraudulent
practice of sending emails that pretend
to be from recognisable companies, in
order to get individuals to reveal personal
information, such as passwords or credit
card numbers, and then siphon funds from
an organisation. Whaling, meanwhile, is a
specific type of phishing attack that targets
high-profile employees, such as the CEO
or CFO.
An email spoof, purporting to be a letter
written by the director of Milan University,
and sent from a University of Bologna
compromised account, is a clear example
of a whaling email received and blocked
by Libraesva. The email reveals how the
attackers pretended to be the director,
warning internal users of the outbreak
of Coronavirus and what steps to take to
prevent further spread. In this case, the
hacker was able to change the code of the
email to make it appear to be sent from
a trusted sender - the director himself.
Unlike a typical whaling attack that asks
immediately for transfer or funds, this
hacker, taking advantage of the fear around
Coronavirus, asks readers to download
a guide to stop the disease.
TRUSTED SOURCE
The interesting thing about this attack is
that the underlying sender of the email
is trusted by the university, gaining the
confidence of the receiving email server
technology. The email states, on many
occasions, the dangers of the virus 2019-
nCoV as a respiratory epidemic and makes
a call to action for readers to quickly look at
the attached document, which is a simple
docx file with a link. However, once a reader
clicks to access the document, the hacker
has set up a fake Office 365 login page,
which requires users' login and passwords
to see the document.
Once 'Download File' is selected, the
motivation of the hacker and the scam
becomes clear, asking for university user
login details and passwords.
The risks are very high. Hackers can sell the
credentials that they obtain or use them to
ex-filtrate even more data. They could also
log in as a staff member and use that to
send further malicious emails, which is how
this email was able to be sent in the first
place.
BUT ISN'T THIS ILLEGAL?
Yes, of course, this type of activity is illegal.
Most countries around the world have laws
against this type of cybercrime. In the EU,
there is the convention of Cybercrime and,
in the UK, we have the Computer Misuse
Act. These regulations make it illegal to
24
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

Coronavirus scam
interfere with the functioning of a
computer. There are also laws against fraud
and the GDPR, which protects data, and this
would come into play because of the data
the hackers obtained illegally. The problem
is that these hackers are difficult to locate,
as they often use technological measures
to ensure that they are not traceable.
WHAT ELSE CAN WE DO ABOUT IT?
This example was located and prevented
through Libraesva's email security software
and management. It was observed that
the spoofed sender of the email was on
a compromise protection list, known
in the industry as 'BEC - Business Email
Compromise', so additional checks were
undertaken.
The email was sent using an email address
of another university, after that person
was successfully hacked. Using Libraesva's
Adaptive Trust Engine's relationship
monitoring, we saw that the trust between
these two universities was quite high. But
the trust between the two individual users
was low; we didn't let the organisational
trust get in the way of understanding the
true nature of the email.
The third indicator was that the email
came externally to the Milan University
users, which doesn't make any sense, as all
emails from the director will 99% of the
time come via the internal route, meaning
this is obviously fake.
The coronavirus is an opportunity for
hackers to take advantage of the fear to
scam people, business and universities. It is
important to be aware of these risks and
take the necessary precautionary action.
Using the above indicators, Libraesva has
built a dedicated technology to halt these
kinds of attacks and make sure your IT team
employ some Email Security, as this is the
main way that threats and malicious activity
can get into your organisation.
Growth of the virus in China and
other countries (graph courtesy of
the World Health Organisation)
EMAIL LANDSCAPE AND THE CORONA VIRUS
Since 17 February, Libraesva have been carefully monitoring the situation with the
Coronavirus and the effect it is having on email, looking into the change of the
email content, the behaviour of users and even the changing threat landscape.
In the top graph, right, supplied by the World Health Organisation, can be seen
the growth of the virus in China and other countries. By paying close attention to
the ‘Other Countries’ graph, it is possible to compare the infection rate to the
second graph, showing the amount of legitimate communication around the virus
in a similar timeframe. When comparing the two data sets, it can be seen that the
curve is almost identical, with the more legitimate communication growing at the
same rate as the infections are. This clearly indicates that the concern and
communication between organisations is effectively rising at the same rate as the
infections are growing.
After looking at the clean email, in comparison to the infections, it's possible to
see how the malicious email and threat attempts are changing, too. The graphic,
bottom right, demonstrates how the malicious attempts on Libraesva users have
increased at the same rate, meaning not only are the threat actors using the
virus to their advantage, but also that end users are discussing the issue more.
One of the key aspects of a successful attack is the degree to which such incidents
are talked about and the anxiety they generate amongst other users - and this is
the perfect example of that happening.
Shown here is the growing communication
taking place, by email, about the Coronavirus.
Rising number of malicious attempts on
Libraesva users, as threat actors seek to
use the virus to their advantage.
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2020 computing security
25

GDPR
BREACHED - AND TOTALLY UNAWARE
IF A CYBER BREACH WERE TO TAKE PLACE WITHIN ORGANISATIONS THAT TOOK PART IN A RECENT POLL,
A STAGGERING 47.6% CONCEDED THEY SIMPLY WOULD NOT KNOW IT HAD ACTUALLY HAPPENED
states Holt, with 30.7% stating they had
'some' - and only 24.7% said their grasp was
'comprehensive'.
Bev Allen, head of Information Security
Assurance, CISO, Quilter, says: "Many
companies don't know what or where all their
information assets are. They may think they
do; but, if they're wrong, this leaves them
vulnerable to breaches. Consistent knowledge
of your assets takes effort; you need tools and
systems to record what you have, you need
people to follow appropriate processes, and
you need to search to find out what you don't
know about and where it is. This search must
be done regularly."
Almost half of respondents to a recent
Twitter poll run by Infosecurity Europe,
Europe's number one information
security event, admit they would be
completely unaware, if a cyber breach
occurred in their organisation. The poll was
designed to explore incident response, an
area that has come under much scrutiny
following Travelex's reaction to its New Year's
Eve cyber-attack, which resulted in many of
its systems going down and impacted travel
currency sales.
In answer to the question, 'If a cyber breach
occurred, how quickly could you discover it?',
31.5% of respondents said they would
unearth the breach immediately, 14.3%
within 30 days and 6.6% within 200 days.
However, a shocking 47.6% conceded they
simply would not know.
According to Maxine Holt, research director
at Ovum, this reflects a widespread issue.
"Discovering a breach well after the event is
usual. Uncovering breaches is not easy, but
proactive threat hunting is an approach being
increasingly used by organisations. Regularly
scanning environments to look for anomalies
and unexpected activity is useful, but it can be
difficult to deal with the number of resulting
alerts. Ultimately, effective cyber hygiene
involves having layers of security to prevent,
detect and respond to incidents and
breaches."
GOOD RISK INSIGHT
Good incident response demands good risk
insight. The poll examined this by asking,
'What understanding do you have of your
information assets?' A worrying 44.7%
revealed they had 'very little' understanding,
Steve Trippier, CISO of Anglian Water,
believes the 'knowledge gap' is due to a lack
of awareness of the need for effective asset
management. "It often falls behind other
processes, in terms of priorities, as its value
can be less immediately obvious. As more
companies introduce automated vulnerability
discovery and management, the need for
effective asset management will become very
obvious, especially as cyber teams highlight
vulnerabilities on assets that the organisation
forgot it even had!"
The poll also uncovered potential evidence
of skewed priorities around post-breach
actions. Travelex released a series of
statements after its December 2019 attack,
but received criticism from customers for a
lack of information about when service would
return to normal and whether sensitive
customer data had been accessed, as the
gang behind the attack claimed.
REFOCUS NEEDED
In response to the question, "What is the key
priority when dealing with the fall-out of a
26
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

GDPR
major cyber-attack?", getting back to business
topped the list for 42.4% of respondents,
followed by customer communications and
PR (23.6%), engaging law enforcement
(19.4%) and ensuring compliance (14.6%).
This indicates that more time and energy
might need to be refocused on the
communication side of incident response.
"PR can make or break a breach," agrees
Maxine Holt. "Arguably, British Airways did
a decent job, whereas Equifax did not.
Ultimately, the 6-Ps mantra should be at the
forefront of organisations' minds: 'proper
preparation and planning prevents poor
performance'. Being ready for a cyber-attack,
security incident or data breach, in general,
means the organisation has a much better
chance of emerging out of it in a reasonable
state."
Becky Pinkard, chief information security
officer with Aldermore, also highlights the
need for proper planning. "Good incident
response requires attention across all areas -
from public relations management to deep
technical expertise, and everything in
between. However, companies largely fail, due
to two reasons: they lack any documented
incident response plan; and, if they do have
a plan, they've not 'stress tested' it."
Incident response is set to be a key
cybersecurity theme for 2020 and will be
covered extensively as part of the programme
at Infosecurity 2020 (2-4 June, Olympia,
London).
Nicole Mills, senior exhibition director at
Infosecurity Group, comments: "Working to
prevent breaches will always be imperative,
but the cybersecurity industry is increasingly
recognising that this is not always possible,
and that how organisations respond to and
recover from a breach is incredibly important.
The results of our poll indicate that
improvements need to be made in areas
including breach detection, the thorough
preparation and rehearsal of response plans,
and the discovery and classification of
information assets.
"They also highlight that, while having a
clear strategy to restore 'business as usual'
as quickly as possible, immediate and
transparent communication with customers -
and also partners, suppliers and regulators -
is necessary to preserve trust and protect
the brand's reputation. This means PR
departments should be part of the incident
response team."
Attracting 6,568 responses, the Infosecurity
Europe Twitter poll was conducted during the
week of 13 January. Infosecurity Europe also
asked its community of CISOs and analysts
for their views on incident response in
cybersecurity.
Maxine Holt, Ovum: layers of security
needed to prevent, detect and respond to
incidents and breaches.
Nicole Mills, Infosecurity Group: PR
departments should be part of the
incident response team.
A 'MUST BE THERE' EVENT
Infosecurity Europe, now in its 25th year,
takes place at Olympia, Hammersmith,
London, from 2-4 June 2020. The show
attracts more than 19,500 unique
information security professionals,
attending from every segment of the
industry, as well as 400-plus exhibitors
showcasing their products and services,
industry analysts, worldwide press and policy experts. More than 200 industry
speakers are lined up to take part in this year's free-to-attend conference, seminar
and workshop programme. To register, go to: https://bit.ly/2wodvDs
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2020 computing security
27

encryption systems
THE QUANTUM CRYPTO REVOLUTION
COMMERCIALLY AVAILABLE ENCRYPTION SYSTEMS ARE ALREADY WITH US AND THEIR POTENTIAL
IS HUGE, ALTHOUGH THE TECHNOLOGY STILL HAS MANY ISSUES THAT MUST BE OVERCOME
Imran Shaheem, Cyberis: quantum
computers provide benefits in
cryptographically significant ways.
Quantum computing technology will
"force a change to the landscape of
cryptography," according to Imran
Shaheem, cyber security consultant at Cyberis.
It has come a long way since scientific and
mathematical interest erupted in the 90s.
"Quantum computers have serious
consequences for classical cryptography
and the future standards for secure
communication," he states.
Successful trials of quantum cryptography
to secure communication through quantum
physics have been undertaken already and
progress in quantum technologies has been
swift over the last decade, he points out.
"Quantum Key Distribution (QKD) systems
have been tested by banks and governments,
while similar systems were deployed as far
back as the 2010 FIFA World Cup in South
Africa. In 2017, researchers held a QKDprotected
video conference between China
and Austria, using the quantum satellite
Micius."
Admittedly, while quantum computers won't
be able to change everything, they provide
benefits in cryptographically significant ways.
One of these is factoring large numbers.
"This is a technique central to the security
of several algorithms, such as RSA, in which
prime factors of large numbers underpin the
encryption. As a consequence, RSA's security
and other algorithms employing similar
techniques, will be compromised by
introducing disruptive quantum computers.
This leaves a space within classical
cryptography that its quantum counterpart
attempts to solve," adds Shaheem.
The benefits are numerous. "Information
cannot be unknowingly intercepted, due to
quantum principles, including the 'no cloning'
theorem and quantum superposition, which
provides natural resistance to eavesdropping.
The security provided stems from underlying
physical properties. It's baked into the universe
and therefore isn't something that can be
cracked through quantum computing power.
As security is on the physical layer, quantum
cryptography can secure the end-to-end
connection, without needing an SSL or VPN,"
he points out.
However, there are some issues, the cyber
security consultant concedes. "It's expensive,
because this is at cryptography's cutting edge.
R&D costs are high, as are the fabrication
costs of specialist components. There is also
a costly requirement for an independent
infrastructure capable of supporting quantum
cryptography. Many of these issues will be
overcome in time as the technology matures."
It's easy to think that quantum technology
and its effect on current infrastructure
is distant. However, there are already
commercially available encryption systems,
including ID Quantique's Cerberus3 system for
key distribution. Many of these systems are
based on the popular protocol, BB84. "Whilst
there is still life in classical methods, the focus
is shifting to next-generation technologies
addressing solutions to tomorrow's problems.
These don't always come with a quantum
flavour, but post-quantum cryptography is
seen as the answer to quantum computers'
potential for massive changes and the
associated cryptographic problems.
"With the solutions we have now, quantum
or classical, the biggest hurdle is their
deployment," says Shaheem. "Poorly thoughtthrough
implementations leave these systems
vulnerable, as seen through the light injection
attack, for example, which can defeat certain
applications of BB84. Like modern-day
systems, testing surrounding configuration
will be crucial against inherent and
implementation flaws."
Companies should think seriously about how
the transitionary process to quantum-secure
systems will affect their business, he advises.
"The time is now to look to the future and
ensure tomorrow's world doesn't break today's
encryption and expose sensitive data."
28
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

masterclass
BATTLING THE BREACHES
A GLUT OF BREACHES ACROSS THE UK IS PROMPTING MANY ORGANISATIONS TO SEEK CYBER ESSENTIALS AUDITS
According to the 2019 DCMS Cyber
Security Breaches Survey, around a
third of UK businesses fell victim to a
cyber breach or attack over the previous year
and, of those, nearly half had identified at
least one breach or attack per month. This
persistent threat may explain the surge in
companies asking Xcina IS, an information
services company based near Cardiff, for
Cyber Essentials audits.
Instigated by the UK Government's National
Cyber Security Centre, the Cyber Essentials
scheme evaluates participants' processes
against five cyber security controls: boundary
firewalls and internet gateways, secure
configuration, access control, malware
protection and patch management. Correctly
deployed, these will protect against most
common cyber threats, based on commodity
capabilities available on the internet.
Cyber Essentials certification has, since
2014, been mandatory for suppliers bidding
for public sector contracts involving the
handling of sensitive and personal
information, and provision of certain
technical products and services. It also
reassures clients, both current and
prospective, that security considerations
have been built into systems and processes.
Certification is awarded on successful
completion of a verified self-assessment
questionnaire, but Xcina IS also offers an
assisted version, as many SMEs lack the
technical expertise to complete the process
on their own.
According to Chris Benson, Technical
Director at Xcina IS: "A lot of people just
don't realise that security patching needs to
go beyond desktops and servers, for example.
Hackers can exploit any device that provides a
link between your network and the internet.
That could include printers, VPN appliances,
firewalls, switches, access points - anything
that can run code, basically. And once
someone has found a way into your network
through one of these, they can exploit other
internal security issues and, before you know
it, you've got a ransomware attack on your
hands," he says.
Benson and his experienced team of
engineers also conduct site visits to run the
system scans required for clients wishing to
take the next step: Cyber Essentials Plus
certification. This more stringent audit builds
on the foundations of Cyber Essentials and
includes both internal and external scans to
identify any areas requiring attention, as well
as a series of on-site malware tests and an
inspection of handheld devices.
As an IASME-accredited certification body,
Xcina IS also works with companies looking
to achieve the IASME Standard, an
information-security standard designed for
SMEs. Two levels of assessment are offered:
IASME Verified Self-Assessment, involving
a questionnaire relating to cyber security,
security governance and GDPR compliance,
and IASME Gold, which requires an
additional onsite audit.
The increase in requests for these services
may arise from increased awareness of the
risks of lax cyber security. Media stories about
the latest big name to suffer a data breach
come thick and fast. Maybe the penny is
finally dropping. The number of companies
reporting breaches or attacks in the DCMS
survey is still significant, but it does represent
a considerable drop on numbers in previous
years. The survey also indicates that
companies are increasingly prioritising cyber
security, with more written cyber security
policies, greater provision of cyber security
training for staff and regular updates to
senior management on actions taken around
cyber security.
Organisations which understand that cyber
security complements existing strategic
priorities (by protecting reputation and
finances, and keeping key services running,
for example), rather than competing with
them, are likely to be in a far better position
to anticipate, identify, prevent and deal with
potential attacks. As Benson says: "Ultimately,
if you're serious about protecting your assets,
you'll employ a company like us."
For further information about Cyber
Essentials, Cyber Essentials Plus and the
IASME Standard, call Xcina IS on 02922
671564 or visit https://is.xcina.co.uk/
www.computingsecurity.co.uk @CSMagAndAwards March/April 2020 computing security
29

expert insights
THE INTELLIGENT APPROACH TO CYBER THREAT INTELLIGENCE
SEEKING SOMEONE WHO CAN UNDERSTAND VULNERABILITY, EXPLOITATION AND ATTACKER MOTIVATION?
IAN THORNTON-TRUMP, CHIEF INFORMATION SECURITY OFFICER FOR CYJAX, MAY HAVE THE ANSWER
Ian Thornton-Trump, Cyjax.
As soon as you say the word
'Intelligence', everyone seems to
think 1960s East Germany. I don't
know why everyone seems to think that
the words 'Intelligence Analyst' are
exclusively reserved for nation states or
large organisations. I'm here to tell you
that tactical intelligence and strategic
intelligence are easily within the reach
of most organisations - no trench coats
required.
The reality is that an 'intelligence
Analyst Skill' is not learned in university;
it's generally the domain of law
enforcement, military or government
agency service. That's a travesty that
I am going to fix right now. It does not
require some sort of special person,
special forces qualified and of
exceptional intelligence. It does require
a person to be able to embrace a
different way of thinking and writing,
which moves beyond traditional
academic writing or journalism.
Intelligence analysis and the products
that process produces are all about
timely, accurate and actionable content -
a marked departure from 5,000 words
on the fall of the Prussian Empire or an
attempt to sensationalise the latest
celebrity misstep.
When you stick the Cyber word in front
of 'Intelligence Analysis', one may think
that this is even more esoteric profession,
but it is actually applying the 'world's
second oldest profession's' thinking to
a relatively new problem. Despite the
Hollywood and media stereotypes of
excessive gym-based activity 'Blackhat'
or nerdy computer skills 'CSI Cyber', the
actual "Cyber Threat Intelligence Analyst"
needs none of those marksmanship or
hacking skills - it's not to say they may
not help, but realistically it's unlikely to
be needed in day-to day-activity.
So, the question is: What is a Cyber
Threat Intelligence Analyst? An oracle?
A fortune teller? In simple terms,
it's someone that can understand
vulnerability, exploitation and attacker
motivation. An expert at threat
modelling with gifted communication
skills. Folks that have had to stand in
front of a class or defend a dissertation
are generally superior recruits for
executing analysis tasks to protect
organisations. If Park Rangers look for
fires through binoculars, Intelligence
analysts tell them where to look and why
they need to look. That's the essence of
the job.
One can easily understand that, if you
know where to look and why you need
to look, this is a huge cost savings and
a huge time saving - that's the value
of intelligence when it comes to your
organisation. Imagine if a person was
able to look at what you have and tell
you what bad guys have that may take it
away, and what you could do to thwart
them. A 'win', then, is getting in front of
an attack by knowing when, where and
how the attack might come.
Now, truth be told, I've had a lot of
training as an intelligence analyst
(Canadian Forces & RCMP - I was actually
trained by a ex-CIA instructor) and, in the
case of 'Eternal Blue', 'Blue Keep' and the
registration of a fraudulent typosquating
domain, along with issue of a certificate
for that typosquating domain, I'm
very confident that an attack on an
organisation is forthcoming - as that's
what bad guys do. My prediction based
upon analysis comes from experience,
but how I reach that conclusion is an
intellectual process - easily taught and
more accurate over time with analyst
experience.
Good intelligence can help direct a
spoiling attack - something that disrupts
the bad guys from successfully executing
an exploit against you. The information
to protect your organisation is out there
- you just need someone that is trained
in the art of listening and direct your
organisation to take action.
30
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

COVID-19
HOMING IN ON COVID-19
AS THE IMPACT OF THE COVID-19 VIRUS ESCALATES, MORE AND MORE EMPLOYEES ARE WORKING
FROM HOME. BUT DANGERS LURK THERE AS WELL AND URGENT ACTION NEEDS TO BE TAKEN
As the UK begins to embark on its
biggest ever deployment of homeworking
due to the spread of COVID-
19, there is a real risk of an imminent largescale
cybersecurity crisis, warns Phil Chapman,
Senior Cybersecurity Instructor at Firebrand
Training.
"Hundreds of thousands of people will soon,
if not already, be working from home for an
unspecified period of time, putting a huge
strain on IT departments who hold a lot of
the responsibility for keeping the business up
and running during this period. For many
companies and employees, it will be the first
time they have experienced home working
on such a magnitude and many will not be
sufficiently prepared for the security risks."
Three pieces of advice that Chapman offers
to organisations that are seeking to mitigate
the risk they face during what are challenging
times are:
Advise your employees to avoid using their
Wifi connection at home and rather connect
their laptops or workstations to the router
with a network cable. "Not only does this
provide a more secure connection, but it also
enhances speed, as it will be quicker than
wireless."
Make sure employees are using a VPN
[Virtual Private Network], with appropriate
encapsulation and authentication to the data
they are accessing. "If possible, use IPSEC or
SSTP (Secure Socket Tunnelling Protocol) as a
connection. You can suggest split tunnelling,
which allows a user to establish a secure VPN
for work-related connections, but use their
own Internet connect to do 'non-work' related
activities.
The most important thing is to ensure your
staff have sufficient cybersecurity awareness.
"At this time, there should be no reason why
a user is connecting to corporate resources in
public spaces as they should be at home," he
adds. "But they must be aware that other
people can still access their screens - although
the risk is smaller at home, users should lock
their devices when not in use. They should
behave as if they were in the office, applying
the same security mechanisms as they would
do at work. Acceptable usage policies [for
corporate and BYOD devices] should be robust
and apply at home equally as at work. This
also includes telephone calls and online
meetings."
MANAGING RISK
There are several things organisations can do
to better protect their corporate environment
from threats as they adapt to a remote and
distributed workforce, states Matt Shelton,
director, Technology Risk and Threat
Intelligence, FireEye. "Accessing corporate
resources remotely creates an opportunity
for attackers to blend in with the workforce.
Implementing multi factor authentication
(MFA) on all external corporate resources
significantly reduces this risk."
But organisations should not stop at MFA,
he adds. "Implement a single sign on (SSO)
platform to tie corporate and cloud resources
together with a common authentication
source. Employees will appreciate a common
set of credentials, while providing
administrators with the ability to centralise
credential management and monitor for
abuse." No one yet knows the likely scale of
the virus's impact or how long the pandemic
may last. Keeping safe from COVID-19 and
staying secure at home when working on-line
may become a long-term challenge that
most of us will have to face in the weeks and
months that lie ahead.
Phil Chapman, Firebrand Training:
ensure your staff have sufficient
cybersecurity awareness.
www.computingsecurity.co.uk @CSMagAndAwards March/April 2020 computing security
31

product review
CLOUD PROTECTION FOR
SALESFORCE FROM F-SECURE
Cloud-based services have caught on
fast, offering a range of benefits to
organisations of every kind. Adding
security to these services has not always
been as swift and this is compounded by
the increased attack surface that cloud
deployments create, especially when
files and URLs are being frequently and
routinely exchanged within what is
considered to be a trusted community.
Cloud-based services increasingly means
that organisations place some of their
most valuable and critical data assets in
the cloud and this requires a focused and
highly tactical response, if data loss is to
be prevented, and legislative and
regulatory penalties avoided.
There is a generic way to deal with this;
Cloud Access Security Brokers (CASBs).
But, because this in essence imposes
additional network hops between service
providers and consumers, it won't suit all
use cases. F-Secure has addressed this
challenge specifically for CRM provider
Salesforce. Developed initially as an
internal solution to protect its use
of Salesforce, it has been well tested.
F-Secure is a Salesforce ISV partner
and Cloud Protection is an embedded
service, available from the Salesforce
AppExchange. Because it is an embedded
service, its deployment and operation
is Salesforce native, without external
network hops: installation is trivial.
The solution uses multiple AV engines,
Machine Learning and Artificial
Intelligence to scan files and URLs before
they can be opened and connected.
For Salesforce community users, this is
unlikely to be noticeable; that is, unless
an infected payload is intercepted,
in which case they will be prevented
from proceeding, keeping them and
the data safe.
Installing from AppExchange was
uneventful, with licence purchase
complete. Our first stop was the
Protection Dashboard to examine the
default settings for File Protection,
Notification, Exclusions and Advanced
options. As you would imagine, Cloud
Protection is working straightaway, using
its default settings, and one strategy is
to run this way, adjusting as required,
based on results.
To test and experience the solution in
action, we sent an infected attachment
from a bona fide account. On reception,
we could see the attachment from our
Salesforce account and clicked on it
when we received a standard message
(it can be tailored), announcing that
harmful content had been blocked.
This file would have been identified
by its signature as a known risk, but, if
required, files with no known reputation
are sent for Advanced Scanning by
F-Secure. This is, in turn, used to
community benefit, with the delivery
of a new signature into the eco system.
This may increase turnaround time, but
it's unlikely that the user will notice.
With the user alerted, a member of the
Security team can now consult the logs
and analytics to establish more. Based
on our test, we could see the attempt
to open the file and that it was blocked.
We could consult known data about
the payload, and as it was quarantined
(a default), we could manually delete it,
which could also be automated. A similar
test using a known bad URL produced
a comparable outcome.
User interaction with Cloud Protection
is minimal and, in fact, once set up to
suit organisational requirements, it seems
low on admin overhead. As you would
expect, alerts can be set so that user
support can be quick and insightful, and
reports can be produced both manually
and automatically. Because the solution
saves data into salesforce as custom
objects, salesforce reporting tools can
be used, which are by design more
extensive.
When combined with the appropriate
point solutions, real-time anomaly
detection and advanced cloud service
protection such as this, the attack
surface is reduced, risk contained and
the community of users can be left to
carry out its work with confidence.
Product: Cloud Protection for Salesforce
Supplier: F-Secure
Web site: www.f-secure.com
Email: cloudprotection@f-secure.com
Telephone: +44 845 890 3300
Price: From £2.35 per user, per month
32
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

product review
FLOWMON ANOMALY DETECTION SYSTEM
Traditional security tools, often
signature based, can be very effective
in defending against specific threats,
but many focus exclusively on North/South
network traffic. Thoughtfully deployed, they
can reduce, even eradicate, a threat vector
and reduce the attack surface. However
small, the residual attack surface - in
particular the zero-day element - remains
a significant risk, and successful attackers
will use it, relying on East/West movement.
With time on their side, they will exfiltrate
data in small, slow, undetectable stages.
NetOps have long since used monitoring
tools to examine network traffic, while, in
another silo far away, SecOps rely upon
specialist security tools. But network data
has been a problem for SecOps, as there is
so much of it, despite the fact that every
compromise is guaranteed to be detectable
from analysing network flow - if you can
only find the offending needle in that giant
haystack. This challenge has been ratcheted
up as networks become hybridised, on- and
off-premise, and at the network edge.
Flowmon Anomaly Detection System (ADS)
tackles this head on. With strategically sited
network probes collecting data and the
Flowmon Monitoring Centre analysing it,
ADS uses a range of techniques, including
signatures, AI and ML, to identify and rank
information of interest. The most effective
and scalable way of monitoring traffic relies
on NetFlow (layer 3), but Flowmon uses
enhanced NetFlow in the shape of IPFIX
(NetFlow v10), with visibility up to layer 7.
IPFIX is central to this solutions scalability
and avoids the problems associated with
Packet Analysis and SNMP. Flowmon is
confident that, when using a TAP/SPAN
connection, the 100 per cent of flow will
be captured on a 100GbE network.
Access to ADS functionality is browser
based, and a configuration wizard gets it
up and running in about 30 minutes.
Clearly, it takes time for flows to be
gathered and analysed, but we could
soon see events over time with a ranking
of severity (critical, high, medium, low),
which helps analysts to prioritise their
valuable time.
The dashboard can be customised
using standard (eg, top ten events) and
customised widgets to create a view
to suit a role and its objectives. A
combination of tabs displaying graphical
and tabular data, filters and drill down
allow rapid navigation to important flow
data, meaning that event visualisation
and evidence are never far away.
Some organisations will worry about
encrypted traffic and Flowmon suggest
this can be as high as 85%. Because
ADS is observing network behaviour,
an unusual event relating to encrypted
traffic can be alerted without examining
the content: exfiltration is exfiltration.
Use of the Flowmon suite and ADS
specifically can be tailored to suit team
structure, network and security focus, and
operational objectives to enable more
relevant alerting to traffic of interest.
NetOps and SecOps can carry out
their work from a consolidated tool
and common data: it might just break
down another unhelpful silo.
Flowmon does not claim to replace
traditional security measures, such as
NAC, Firewall or SIEM. In fact, for those
with a SIEM investment, the open API
can help it to work more efficiently, as
Flowmon can pass it processed data to
work on. It is in this way that ADS is able
to focus on narrowing and restricting the
attack surface and, critically, to reduce
threat actor dwell time in the network.
The contemporary, constantly changing,
mission-critical network cannot exist
without effective network monitoring
and security that offers 100% visibility of
every connection, at any time, along with
continual benchmarking.
ADS enables organisations to regain
real-time control of their networks and
identify information of interest, using
behavioural patterns, while they travel
through the constant and challenging
process of digital transformation.
Product: Flowmon ADS
Supplier: Flowmon
Web site: www.flowmon.com
Email: sales@flowmon.com
Telephone: 0203 858 6868
Price: Starting from £10k
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2020 computing security
33

expert insights
ESSENTIAL BUILDING BLOCKS
FROM NETWORK ACCESS CONTROL (NAC) TO NETWORK SEGMENTATION, ADDRESSING THE NEED FOR
A MORE SECURE NETWORK ARCHITECTURE IS VITAL, STATES MYLES BRAY, VP EMEA AT FORESCOUT
Myles Bray, Forescout.
Over the last 20 years, Network
Access Control (NAC) has
become a fundamental
component for enterprises looking to
ensure a resilient cyber strategy. The
technique, which applies policy-based
rules to grant or deny devices access
to a network, allows for a general and
somewhat basic level of network
security: in simple terms, it's basically
a 'you're in or you're out' approach.
Recently, however, the volume and
diversity of internet of things (IoT) and
operational technology (OT) devices has
increased so much that NAC now must
provide a deeper level of insight into
the posture of each device to correctly
provide or deny access at varying levels.
As diversification of devices continues,
full visibility, classification and enforcing
policies become more difficult.
In brief, this increased diversity
emerging technologies, such as IoT and
OT devices, has exposed the limitations
of the previous NAC models. Therefore,
a threshold for innovation has been
reached and many devices are now
connected to networks ill-equipped
to deal with the related risks.
SEGMENTATION IS THE NECESSARY
BARRIER TO CONNECTION
For organisations with flat networks,
the ease at which intruders can pivot
laterally results in greater disruption
of, and damage to, both property and
reputation. For example, the WannaCry
ransomware attack hit shipping
company Maersk, resulting in it halting
its entire operations to ensure the
network was clear of the ransomware.
This caused critical disruption across the
business and could have been averted,
had its network architecture limited
mobility, once access was gained.
Flat networks are unable to provide the
same level of granularity that segmented
networks achieve. When IoT and OT
devices gain access to a flat network,
they have the freedom to move laterally,
if not properly segmented, limiting
full visibility and creating blind spots
that can later be exposed. Network
segmentation, however, can be
dynamic. For example, by providing
a Zero Trust approach across all
environments and to all devices, with
different policies for the computer at
the front desk and the CEOs laptop,
the risk that is posed by attacks is
automatically limited.
CISOs are having a difficult time in
providing this security. Maintaining
close control of their networks and
device ecosystem continues to become
more difficult as IoT and OT devices
increase. In order to achieve effective
security, the full context of connected
devices must be available to regain both
visibility and control. From the data
centre to cloud and OT environments,
devices can be given appropriate access,
rather than access to the entire network.
eyeSegment product, Forescout's
answer to the enterprise-wide network
segmentation riddle, enables exactly
these measures. By tying together siloed
segmentation policies by fragmented
enforcement technologies with a unified
policy approach and enabling a Zero-
Trust approach, granular security
controls can be achieved.
Attempting to implement new security
controls across the extended enterprise
is no easy task. Grappling with the
growing number of attack vectors, while
meeting more and more compliance
directives, CISOs have their hands
full. The advancements in network
segmentation have been designed to
allow businesses to automate threat
detection and isolation without
impacting operations. Through limiting
risks, maximising control and assuring
controls are effectively implemented
across a network, enterprises can more
effectively prepare and manage the
inevitable next wave of cyber threats.
34
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk

GLOBAL LEADERS IN
MANAGING RISK DURING
ASSET RETIREMENT
ADISA
CERTIFIED
ENTERPRISE
ASSET
RECOVERY
CERTIFICATION
WWW.ADISA.GLOBAL
WWW.ADISARC.COM
ADISA PRODUCT
ASSURANCE
INTRODUCING THE ADISA CERTIFIED ENTERPRISE (ACE)
Listed on the NCSC’s guidance for secure disposal, ADISA operates the leading
certification scheme for product and services for the IT Asset Disposal Industry and we
are now delighted to launch our Certified Enterprise scheme.
Our existing schemes provide assurance about the external and technical risk within
asset retirement and with the addition of ACE, we can help organisations manage
the final area of risk which is regarding their own internal performance. This scheme
reviews policies, business operations and performance to ensure that risk is identified
and mitigated before releasing assets. With a GDPR compliance oversight, ACE provides
organisations with assurance that they are managing the risk of data breach during the
asset retirement process in line with regulatory expectations.
To find out more information contact
ACE@adisa.global

Shearwater Group plc is an award-winning organisational resilience group
that provides cyber security, advisory and managed security services to
help assure and secure businesses in a connected global economy
www.shearwatergroup.com