Cyber Defense eMagazine April 2020 Edition

Cyber Defense eMagazine April Edition for 2020 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, US Editor-in-Chief, Pierluigi Paganini, Co-founder & International Editor-in-Chief, Stevin Miliefsky, President and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES


Cybercriminals Exploit Coronavirus with Wave of New Scams

WatchGuard’s RSA Conference 2020 Recap

Cyber Leads Global Business Risks for First Time: Allianz Risk Barometer 2020

Facebook’s $550 Million Settlement: A Warning to Companies Collecting Biometric Data

How to Avoid Being Breached In 2020

…and much more…

Cyber Defense eMagazine – April 2020 Edition Page 1

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Welcome to CDM’s April 2020 (page 6)

Cybercriminals Exploit Coronavirus with Wave of New Scams (page 22)
By David Ruiz, Malwarebytes Labs

WatchGuard’s RSA Conference 2020 Recap (page 29)
By Marc Laliberte – Sr. Security Analyst, WatchGuard Technologies

Cyber Leads Global Business Risks for First Time: Allianz Risk Barometer 2020 (page 32)
By Kelly Castriotta, North American Head of Product Development for Financial Lines at Allianz Global Corporate & Specialty

Facebook’s $550 Million Settlement: A Warning to Companies Collecting Biometric Data (page 36)
By Billee Elliott McAuliffe, Member, Lewis Rice

How to Avoid Being Breached In 2020 (page 39)
By Randy Reiter, CEO of Don’t Be Breached

What You Need to Know About DDoS Weapons Today (page 42)
By Ahmad Nassiri, Security Solutions Architect at A10 Networks

Better Network Visibility: Removing the Security Blindfold (page 45)
By Cary Wright, VP Product Management, Endace

Enabling Agility to Accelerate Incident Response (page 47)
By John Attala, Vice President of Worldwide Sales, Endace

Economic Efficiency in Cyber Defense (page 50)
By Mark Evans, VP Marketing, Endace

Does SASE Tick the Box for The Future of Network Security? (page 53)
By Yair Green, CTO at GlobalDots

Achieving Effective User Lifecycle Management Through Automation (page 55)
By Jeff Stein, Information Security Architect, Reputation.com

Credential Stuffing: Why It’s on The Rise and How to Decrease Your Risk (page 58)
By Kevin Landt, VP of Product Management at Cygilant

The Cost of Cybercrime Is Constantly Rising: How to Combat Ransomware Attacks on SMBs (page 61)
By Rui Lopes, Sales Engineering and Technical Support Director, Panda Security

How To Manage Your Small Business In Time Of Crisis (page 65)
By Milica D. Djekic

What the Latest Enterprise Endpoint Security Survey Shows Us: Big Concerns but Hope for The Future (page 68)
By Jeff Harrell, Vice President of Marketing, Adaptiva


From the Publisher…

New CyberDefenseMagazine.com website, plus updates at CyberDefenseTV.com & CyberDefenseRadio.com

Dear Friends,

Looking back at RSA Conference 2020, the view in our rearview mirror suggests that convention may have been among the last of the “live” conferences for a while. On behalf of Cyber Defense Media Group, we are fortunate to be able to build on our very positive experience there and use that foundation to provide support to others during this challenging time resulting from the corona virus COVID-19 pandemic.

With this disruptive set of circumstances, we must consider ourselves to be on a battlefield of asymmetrical warfare. Cyber criminals have access to nearly all of our communications and educational materials, giving them valuable intelligence on how to defeat our best security practices. On the other side, we are in the less advantageous position of waiting for their next move to become visible.

While this imbalance may appear to tip the scale against us, it also emphasizes the importance of keeping each other informed and up to speed on all known attack vectors. Only this way can we hope and expect to prevail and maintain steadiness and security in the many critical activities in our society and economy.

From our own point of view, this leads us to double and redouble our efforts as both a media participant and a committed organization to provide the tools to assure a favourable outcome.

With that background, we commit to continuing our monthly magazines as well as daily (or more frequent) updates on the Cyber Defense Magazine home page. As always, your participation and sharing from your own experiences are welcome.

Warmest regards,

Gary S. Miliefsky

Gary S. Miliefsky, CISSP®, fmDHS
CEO, Cyber Defense Media Group
Publisher, Cyber Defense Magazine

P.S. When you share a story or an article or information about CDM, please use #CDM and @CyberDefenseMag and @Miliefsky – it helps spread the word about our free resources even more quickly.

InfoSec Knowledge is Power. We will always strive to provide the latest, most up to date FREE InfoSec information.

From the International Editor-in-Chief…

The current dynamics of the COVID-19 pandemic would seem to demand more international coordination, as opposed to a crazy quilt of national, regional, and local actions.

Statistics are showing very different national and regional patterns of infection and mortality, even within geographic regions. Whether it’s the European Community, or the Asian region, or the Americas, there is a vast difference in the extent of diagnosed cases, and also of recorded deaths.

In our world of cybersecurity, it’s possible to be both more and less challenging to seek and effect global solutions. In some ways, the interconnectedness of the cyber world carries with it a homogeneity of applications and programs. In contrast, the cultural diversity and role of national governments tend to emphasize our differences. As these developments play out, we will have an opportunity to take the lead in creating cybersecurity defenses to protect all aspects of IT in our lives, including (but not limited to) medical, financial, social, and government functions.

In the days ahead, let us agree to put our differences aside in favor of responding to our common enemies: the COVID-19 itself and those who would take advantage of this crisis to perpetrate criminal schemes.

To our faithful readers, we thank you,

Pierluigi Paganini
International Editor-in-Chief

Published monthly by the team at Cyber Defense Media Group and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.

Stevin Miliefsky
stevinv@cyberdefensemagazine.com

Pierluigi Paganini, CEH
Pierluigi.paganini@cyberdefensemagazine.com

Yan Ross, JD
Yan.Ross@cyberdefensemediagroup.com

Marketing Team
marketing@cyberdefensemagazine.com

Cyber Defense Magazine
Toll Free: 1-833-844-9468
International: +1-603-280-4451
SKYPE: cyber.defense
http://www.cyberdefensemagazine.com

Copyright © 2019, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a)
276 Fifth Avenue, Suite 704, New York, NY 10001
EIN: 454-18-8465, DUNS# 078358935.
All rights reserved worldwide.

Gary S. Miliefsky, CISSP®
Learn more about our founder & publisher at: http://www.cyberdefensemagazine.com/about-our-founder/

Providing free information, best practices, tips and techniques on cybersecurity since 2012, Cyber Defense magazine is your go-to source for Information Security. We’re a proud division of Cyber Defense Media Group.



Welcome to CDM’s April 2020

As the April issue of Cyber Defense Magazine reaches publication, we find ourselves in a state similar to limbo, awaiting the next announcement of a cancelled event, a cyber vulnerability exploited by crooks, or a government initiative imposed under crisis conditions.

Crisis, like necessity, can serve as the mother of both invention and opportunity. In the case of cybersecurity, it’s clear that there are new vulnerabilities arising from the new patterns of working remotely from locations with less robust cyber security than the main workplace of the organization.

Anecdotally, only a relatively small percentage of affected organizations had adequately prepared for this eventuality. Most of the reports reflect “quick-and-dirty” arrangements for office and HQ workers to work remotely.

From a cybersecurity POV, effective preparation would usually be the responsibility of an internal or outsourced CISO. In concept as well as practice, this would or should include pre-emergency activities and red-teaming exercises.

Outside the 17 areas of critical infrastructure (see www.dhs.gov for more detailed information) there do not appear to be standardized procedures to be followed in such events as a pandemic. Even listed sectors of critical infrastructure have shown lapses; a notable example would be commercial air transport.

Consider how different the health and financial impacts on our nation might have been if there had been pandemic emergency plans in place on a broad scale to deal with the cybersecurity challenges we face today.

Although not well documented (at least so far), again anecdotally, there have been success stories. Accordingly, we invite CISOs and others who have been successful to share their experiences. We hope to share this important body of knowledge in both feature articles on the CDM home page and the May issue.

We trust this information will be of great value to our over 5 million individual reader inquiries each month, as CDM maintains its position as the leading publication for cybersecurity professionals.

Wishing you all success in your cyber security endeavors,

Yan Ross
US Editor-in-Chief
Cyber Defense Magazine

About the US Editor-in-Chief

Yan Ross, J.D., is a Cybersecurity Journalist & US Editor-in-Chief for Cyber Defense Magazine. He is an accredited author and educator and has provided editorial services for award-winning best-selling books on a variety of topics. He also serves as ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist® XV CITRMS® course. As an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, privacy, and cyber security for consumers and organizations holding sensitive personal information. You can reach him via his e-mail address at yan.ross@cyberdefensemediagroup.com


Your website could be vulnerable to outside attacks. Wouldn’t you like to know where those vulnerabilities lie? Sign up today for your free trial of WhiteHat Sentinel Dynamic and gain a deep understanding of your web application vulnerabilities, how to prioritize them, and what to do about them. With this trial you will get:

An evaluation of the security of one of your organization’s websites
Application security guidance from security engineers in WhiteHat’s Threat Research Center
Full access to Sentinel’s web-based interface, offering the ability to review and generate reports as well as share findings with internal developers and security management
A customized review and complimentary final executive and technical report

Sign up at this URL: https://www.whitehatsec.com/info/security-check/

PLEASE NOTE: Trial participation is subject to qualification.


Cybercriminals Exploit Coronavirus with Wave of New Scams

By David Ruiz, Malwarebytes Labs

With no vaccine yet developed, and with much of the world undergoing intense social distancing measures and near-total lockdown procedures, threat actors are flooding cyberspace with emailed promises of health tips, protective diets, and, most dangerously, cures. Attached to threat actors’ emails are a variety of fraudulent e-books, informational packets, and missed invoices that hide a series of keyloggers, ransomware, and data stealers.


The problem expands beyond pure phishing scams.

On March 14, Twitter user @dustyfresh published a web tracker that found 3,600 coronavirus- and COVID-19-related hostnames that sprang up in just 24 hours.

On March 17, security researcher and Python developer @sshell_ built a tool, hosted by the team at ThugCrowd, that provides real-time scans for potentially malicious, coronavirus-related domains. Just click the link and watch possible scam sites get registered every minute.

Further, RiskIQ reportedly tracked more than 13,000 suspicious, coronavirus-related domains last weekend, and more than 35,000 domains the next day, too.

Here are some of the many email scams that our Malwarebytes threat intelligence team spotted in the wild, with full details on what they say, what they’re lying about, and what types of malware they’re trying to install on your machines.

Impersonating the World Health Organization

Earlier this week, we found an email phishing campaign sent by threat actors impersonating the World Health Organization (WHO), one of the premier scientific resources on COVID-19. That campaign, which pushed a fake e-book to victims, delivered malicious code for a downloader called GuLoader. That download is just the first step in a more complex scheme.

GuLoader is used to load the real payload, an information-stealing Trojan called FormBook, stored in encoded format on Google Drive. FormBook is one of the most popular info-stealers, thanks to its simplicity and its wide range of capabilities, including swiping content from the Windows clipboard, keylogging, and stealing browser data. Stolen data is sent back to a command and control server maintained by the threat actors.

Unfortunately, this GuLoader scam is just one of many in which threat actors posed as WHO professionals as a way to trick victims into downloading malicious attachments.

Agent Tesla Keylogger Campaign

On March 18, we uncovered an email campaign that pushed victims into unwittingly downloading an invasive keylogger called Agent Tesla. The keylogger, which experienced a reported 100 percent increase in activity across three months in 2018, can steal a variety of sensitive data.

As cybersecurity researchers at LastLine wrote: “Acting as a fully-functional information stealer, [Agent Tesla] is capable of extracting credentials from different browsers, mail, and FTP clients. It logs keys and clipboards data, captures screen and video, and performs form-grabbing (Instagram, Twitter, Gmail, Facebook, etc.) attacks.”

The Agent Tesla campaign that we tracked on Wednesday involved an email with the subject line:

Covid19″ Latest Tips to stay Immune to Virus !!

The email came to individuals’ inboxes allegedly from the WHO, with a sender email address of “sarah@who.com.” Notice that the sender’s email address ends with “.com” when legitimate WHO email addresses instead end with “.int.”

The email alleges to include a PDF file about “various diets and tips to keep us safe from being effected with the virus.” It is signed by a “Dr. Sarah Hopkins,” a supposed media relations consultant for the WHO.

A quick online search reveals that the WHO has a public website for contacting its media relations representatives, and that none of those representatives is named Sarah Hopkins. Also, note how “Dr. Hopkins” has a phone number that doesn’t work, at +1 470 59828. Calling the number from a US-based phone resulted in an error message from the mobile service provider.

The above scam is just one example of an email campaign that both impersonates the WHO and attempts to deliver Agent Tesla.

Agent Tesla Campaign 2

On the same day we found the above-mentioned Agent Tesla scam, we found another that mirrored its tactics and payload.

The second Agent Tesla scam arrives in individuals’ inboxes with the email subject line “World Health Organization/Let’s fight Corona Virus together”

Savvy readers should spot a flaw. The unnecessary space placed between the words “Corona” and “Virus” mirrors a similar grammatical error, an unnecessary hyphen, in the GuLoader scam we’ve seen previously.

The entire body of the email reads verbatim:

We realise that the spread of the COVID-19 coronavirus may leave you feeling concerned, so we want to take a moment to reassure you that your safety and well-being remains our absolutely top priority.

Please be assured that our teams are working hard and we are monitoring the situation and developments closely with the health and governmental authorities of all countries we operate in.

See attached WHO vital information to stay healthy.

we personally thank you for your understanding and assure you that we will do our utmost to limit disruptions this event brings to your travel plans while keeping your well-being our top priority.

This campaign attempts to trick victims into downloading a fake informational packet on coronavirus, with the file title “COVID-19 WHO RECOMMENDED V.gz.” Instead of receiving trustworthy information, victims are infected with Agent Tesla.

While this campaign does not include as many smoke-and-mirror tactics, such as a fake media representative and a fake phone number, it can still do serious damage simply by stoking the fears surrounding COVID-19.

NetWire Remote Access Trojan

Finally, we found a possible WHO impersonator pushing the NetWire Remote Access Trojan (RAT). RATs can allow hackers to gain unauthorized access to a machine from a remote location.

These types of Trojans can have devastating effects. If Remote Access Trojan programs are found on a system, it should be assumed that any personal information (which has been accessed on the infected machine) has been compromised. Users should immediately update all usernames and passwords from a clean computer and notify the appropriate system administrator of the potential compromise. They should also monitor credit reports and bank statements carefully over the following months to spot any suspicious activity on financial accounts.

The NetWire campaign included a slapdash combo of a strange email address, an official-looking WHO logo inside the email’s body, and plenty of typos.

Sent from “Dr. Stella Chungong” using the email address “brennan@caesars.com,” the email subject line is “SAFETY COVID-19 (Coronavirus Virus) AWARENESS – Safety Measures.” The body of the text reads:

To whom it may concern,

Go through the attac=ed document on safety measures regarding the spreading of Corona-virus.

Common symptoms include fever, cough, shortness in breath, and breathi=g difficulties.

Regards.

Dr. Stella Chungong

Specialist whuan=virus-advisory

The litany of misplaced “=” characters should immediately raise red flags for potential victims. These common mistakes show up in a wide variety of malicious email campaigns, as threat actors seem to operate under the mindset of “Send first, spellcheck later.”
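The tells this article keeps returning to, from the Agent Tesla section (a sender at who.com while legitimate WHO mail ends in .int) through the NetWire section (stray “=” characters inside words, a lure subject, an archive sold as a health packet), can be written down as mail-gateway triage rules. The Python below is an added example, not Malwarebytes’ tooling; its sample messages are constructed to mirror the campaigns described above, and the extensions beyond .gz and the verdict thresholds are assumptions.

```python
"""Triage rules for coronavirus-lure emails, built from the indicators in this article.

Added example (not Malwarebytes' tooling). Sample messages are constructed to
mirror the campaigns above; extensions other than .gz and the verdict rules are assumptions.
"""
import re
from dataclasses import dataclass, field

# The article states legitimate WHO addresses end in ".int" while the lure used who.com.
LEGIT_DOMAINS = {"world health organization": "who.int", "who": "who.int"}

# Every subject line quoted in the article carries one of these hooks.
LURE_WORDS = ("covid", "corona", "virus")

# ".gz" is the "COVID-19 WHO RECOMMENDED V.gz" packet; the others are assumed carriers.
RISKY_EXTENSIONS = (".gz", ".zip", ".rar", ".exe", ".scr", ".js", ".iso")

# A "=" wedged between two letters, as in "attac=ed" and "breathi=g".
STRAY_EQUALS = re.compile(r"[A-Za-z]=[A-Za-z]")


@dataclass
class Email:
    sender: str                      # address only, e.g. "sarah@who.com"
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an address, or "" when there is no "@"."""
    _, at, domain = address.strip().lower().rpartition("@")
    return domain if at else ""


def claimed_org(email: Email):
    """Organisation the message claims to speak for, or None."""
    text = f"{email.subject}\n{email.body}".lower()
    # Longest name first so "world health organization" beats the bare "who".
    for name in sorted(LEGIT_DOMAINS, key=len, reverse=True):
        if re.search(rf"\b{re.escape(name)}\b", text):
            return name
    return None


def triage(email: Email) -> list:
    """Names of the indicators that fire, in a fixed order."""
    hits = []
    domain, org = sender_domain(email.sender), claimed_org(email)
    if org is not None:
        legit = LEGIT_DOMAINS[org]
        if domain != legit and not domain.endswith("." + legit):
            hits.append("impersonation")      # claims WHO, sent from elsewhere
    text = f"{email.subject} {email.body}".lower()
    if any(word in text for word in LURE_WORDS):
        hits.append("lure")                   # the hook the whole wave shares
    if STRAY_EQUALS.search(email.body):
        hits.append("stray_equals")           # "Go through the attac=ed document"
    if any(name.lower().endswith(RISKY_EXTENSIONS) for name in email.attachments):
        hits.append("risky_attachment")       # an archive sold as a health packet
    return hits


def verdict(email: Email) -> str:
    """Quarantine a lure that also impersonates, carries an archive, or shows "=" damage."""
    hits = set(triage(email))
    if "lure" in hits and hits & {"impersonation", "risky_attachment", "stray_equals"}:
        return "quarantine"
    return "review" if hits else "clean"


# Constructed samples modelled on the article's descriptions (bodies abridged).
SAMPLES = {
    "agent_tesla": Email(
        sender="sarah@who.com",
        subject='Covid19" Latest Tips to stay Immune to Virus !!',
        body="Please see the attached tips to keep us safe.\n"
             "Dr. Sarah Hopkins, Media Relations, World Health Organization",
        attachments=["COVID-19 WHO RECOMMENDED V.gz"],
    ),
    "netwire": Email(
        sender="brennan@caesars.com",
        subject="SAFETY COVID-19 (Coronavirus Virus) AWARENESS - Safety Measures",
        body="[World Health Organization logo]\nTo whom it may concern,\n"
             "Go through the attac=ed document on safety measures.\nDr. Stella Chungong",
    ),
    "legit": Email(          # what a genuine WHO mailing would look like
        sender="media@who.int",
        subject="Coronavirus disease (COVID-19) situation report",
        body="World Health Organization daily situation report attached.",
        attachments=["situation-report.pdf"],
    ),
}

if __name__ == "__main__":
    for name, mail in SAMPLES.items():
        print(f"{name:12} {verdict(mail):10} {triage(mail)}")
```

The genuine who.int sample still lands in "review" because the lure words alone are not proof of anything; only the combination with a mismatched sender, an archive, or "=" damage is enough to quarantine.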

Other Malspam Campaigns<br />

Most of the coronavirus scams we spotted online are examples of malspam—malicious spam email<br />

campaigns that cross the line from phony, snake-oil salesmanship into downright nefarious malware<br />

delivery. Here are a number of malspam campaigns that our threat intelligence team found since March<br />

15.<br />

First up is this strange email titled “RE: Due to outbreak ofCoronavirus,” which arrives to users’ inboxes<br />

from the vague sender “Marketing,” with an email address of “info@bcsl.co.ke.” A Google search reveals<br />

that bcsl.co.ke appears to point to Boresha Credit Service Limited, a debt collector based in Kenya.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>April</strong> <strong>2020</strong> <strong>Edition</strong> Page 25<br />

Copyright © <strong>2020</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

The short email reads:<br />

Hello,<br />

We have been instructed by your customer to make this transfer to you.<br />

we are unable to process your payment as the SWIFT CODE in your bank account information is<br />

wrong,<br />

please see that enclosed invoice and correct SWIFT CODE so we can remit payment ASAP<br />

before bank close.”<br />

Again, scrutinizing the details of the email reveals holes in its authenticity.<br />

The email is signed by “Rafhana Khan,” a supposed “Admin Executive” from the United Arab Emirates.<br />

The email sender includes this extra bit of info that leads us nowhere: TRN No. 100269864300003.<br />

What is a TRN, and why would it be included? At best, we can assume this is the individual’s “tax<br />

registration number,” but think about the last time anyone signed an email with the US equivalent—their<br />

tax identification number. You’ve probably never seen that before, right? That’s because tax IDs are<br />

meant to be private, and not shared in email signatures. We can assume that the threat actors included<br />

this bogus bit of info to add some imaginary credibility. Really, it’s just nonsense.<br />

The email’s attached invoice, once again, pushes GuLoader to the potential victim.<br />

HawkEye credential stealer<br />

Another spotted malspam example pushes neither GuLoader nor Agent Tesla. Instead, it tries to trick users into downloading a malware called HawkEye, a credential stealer that has plagued users since at least 2013.<br />

According to the cybersecurity news outlet Security Affairs, HawkEye “is offered for sale on various<br />

hacking forums as a keylogger and stealer, [and] it allows to monitor systems and exfiltrate information.”<br />

The HawkEye scam comes packaged in an email with the subject line “CORONA VIRUS CURE FOR<br />

CHINA,ITALY” from the alleged sender “DR JINS (CORONA VIRUS).” Again, potential victims receive a<br />

short message. The entire email body reads:<br />

Dear Sir/Ma,<br />

Kindly read the attached file for your quick remedy on CORONA VIRUS.<br />

The email sender lists their place of work as the non-existent, misspelled RESEARCH HOSPITAL<br />

ISREAL at the address NO 29 JERUSALEM STREET, P.O.C 80067, ISREAL.<br />


UK email scam pushing GuLoader<br />

On March 15, we also found an email scam targeting victims in the UK and pushing, yet again, GuLoader.<br />

This time, threat actors promised updated statistics on the number of confirmed coronavirus cases in the<br />

United Kingdom.<br />

The malicious email comes from the sender “PHE” with the email address paris@mfa.go.ke, which, like<br />

one of the examples above, appears to come from Kenya.<br />

Because threat actors have one, overplayed tactic in these types of campaigns—putting in low effort—<br />

the content of the email is simple and short. The email reads:<br />

Latest figures from public health authorities on the spread of Covid-19 in the United Kingdom.<br />

Find out how many cases have been reported near you.<br />

There is no email signature, and not even a greeting. Talk about a lack of email etiquette.<br />

Campaign Targeting Spain<br />

Finally, we found another campaign on March 18 that targets Spanish-speaking victims in Spain. The<br />

email, titled “Vacuna COVID-19: prepare la vacuna en casa para usted y su familia para evitar COVID-<br />

19,” pushes GuLoader.<br />

The email is signed by “Adriana Erico,” who offers no phone number, but does offer a fax number at 93<br />

784 50 17.<br />

Protect Yourself<br />

Threat actors are always looking for the next crisis to leverage for their own attacks. For them,<br />

coronavirus presents a near-perfect storm. Legitimate confusion about accurate confirmed cases, testing<br />

availability, and best practices during social distancing makes for a fearful public, hungry for answers<br />

anywhere.<br />

The best places for information are the WHO and the US Centers for Disease Control and Prevention (CDC). You can find updated statistics about confirmed COVID-19 cases in the WHO’s daily situation reports. You can also find information on coronavirus myths at the WHO’s Myth Busters webpage, along with its Q&A page.<br />

This is difficult, this is new, and for many of us, it presents a life-altering shift. It’s important to consider<br />

that, right now, banding together as a global community is our best shot at beating this. That advice<br />

extends to the online world, too.<br />


While coronavirus might have brought out the worst in cybercriminals, it’s also bringing out the best<br />

across the Internet. This week, a supposed “Covid19 Tracker App” infected countless users’ phones with<br />

ransomware, demanding victims pay $100 to unlock their devices or risk a complete deletion of their<br />

contacts, videos, and pictures. After news about the ransomware was posted on Reddit, a user<br />

decompiled the malicious app and posted the universal passcode to defeat the ransomware. The<br />

passcode was then shared on Twitter for everyone to use.<br />

About the Author<br />

David Ruiz is a writer and reporter for Malwarebytes Labs, an online blog<br />

about cybersecurity, online privacy, hackers, data breaches, and digital<br />

rights. David primarily covers online and data privacy issues, along<br />

with US and global regulation. David can be found on Twitter<br />

@davidalruiz and at https://blog.malwarebytes.com/author/davidruiz/<br />


WatchGuard’s RSA Conference <strong>2020</strong> Recap<br />

By Marc Laliberte – Sr. Security Analyst, WatchGuard Technologies<br />

Every year, tens of thousands of IT and information security professionals gather at Moscone Center in<br />

downtown San Francisco to take in the latest security trends and technology from hundreds of exhibitors<br />

and speakers at RSA Conference. In just a few short days, it’s almost impossible to see and learn<br />

everything a conference of this magnitude has to offer, but I did my very best.<br />

Here’s a brief recap of several key happenings, trends and takeaways from my time at RSA Conference<br />

<strong>2020</strong>:<br />

COVID-19 Concerns Were Front and Center<br />

Taking place amid the growing global unease over the spread of COVID-19, the show went on as planned<br />

despite the fact that big industry names like IBM, AT&T and Verizon pulled out of the conference and<br />

banned their employees from attending entirely. With the specter of a global pandemic hanging overhead,<br />

many attendees practiced heightened, borderline obsessive personal hygiene and settled for distanced<br />

hand waves in lieu of handshakes as we walked the expo floor and attended various sessions discussing<br />

the latest security trends, threats, technologies and best practices. It’s still early, but very clear at this<br />

point that we’re only just beginning to get a sense of how this outbreak will impact the security industry<br />

itself and world at large.<br />


A Focus on The Human Element in Security<br />

This year’s theme was “The Human Element,” a fitting premise given that individuals play just as<br />

important a role in securing the digital world (or failing to) as any emerging technology, vendor product<br />

or service, or new research finding. The RSA Conference opening keynote addresses played to the<br />

theme by calling for changes to better harness the strengths and potential of the human behind the<br />

computer.<br />

RSA President Rohit Ghai advocated that a shift toward publicly celebrating cybersecurity wins, instead<br />

of only focusing on cybersecurity losses or failures will help inspire security professionals and move the<br />

industry forward. Wendy Nather, head of advisory CISOs at Cisco’s DUO Security, followed up with calls<br />

to democratize security with the goal of enabling buy-in and personal ownership of security from end<br />

users. Almost everywhere you went at RSA Conference this year, the human element of security was a<br />

topic of discussion.<br />

The Cryptographers’ Panel<br />

Rounding out the opening keynotes was a staple of RSA Conference – the Cryptographers’ Panel, where<br />

several prominent cryptography and security experts took the stage to answer questions about a wide<br />

range of industry topics. They covered problems with facial recognition, increasingly popular “right to be<br />

forgotten” laws and much more. The panelists didn’t always come to the same conclusions, but all agreed<br />

that there are realistic concerns with advanced technology like AI and Machine Learning that will need to<br />

be resolved before these tools become more widely adopted.<br />

IoT Security Insights<br />

Beyond the human element, Internet of Things (IoT) security was a major trend across speaking sessions throughout the week. From securing healthcare IoT products to creating baseline IoT security standards, adoption and security concerns continue to grow worldwide in this slice of the industry. In one talk late in the week, Gary Hayslip of SoftBank Investment Advisers used his previous experience as CISO of the city of San Diego to discuss the concerns of deploying IoT and other technologies in smart cities, covering topics like increased complexity, patch deployment issues and limited security budgets leading to the rise in breaches impacting municipalities in recent years.<br />

Privacy Considerations<br />

Privacy was another major focus at RSA Conference 2020. I saw Daniel Ayoub and Dean Winert of Lexis Nexis Risk Solutions present fascinating research on web browser fingerprinting and its privacy and security implications. They started and ended their session by weighing the benefits of browser fingerprinting in fraud prevention against the drawbacks (which I personally found enlightening as digital privacy has always been a passion of mine). Daniel and Dean made several good points about the benefits of identifying anomalies in metadata from user authentications to identify potential account compromises, which could justify keeping the privacy-invading information available to websites.<br />

When all was said and done, this year’s RSA Conference squeaked through right before San Francisco<br />

enacted a ban on events at city-owned facilities like the Moscone Center. Even though the event was<br />

overshadowed at times by concerns about the spread of COVID-19, the content and takeaways from it<br />

were compelling and quite important for industry participants to consider in today’s threat landscape. IoT<br />

adoption continues to skyrocket, bringing with it increasing security risks for organizations. The tradeoffs<br />

between privacy and security are still very much open to discussion and debate. And of course, the<br />

humans responsible for addressing these challenges and improving our collective security aren’t going<br />

anywhere.<br />

About the Author<br />

Marc Laliberte is a Senior Security Analyst at WatchGuard Technologies.<br />

Specializing in networking security protocols and Internet of Things<br />

technologies, Marc’s day-to-day responsibilities include researching and<br />

reporting on the latest information security threats and trends. He has<br />

discovered, analyzed, responsibly disclosed and reported on numerous<br />

security vulnerabilities in a variety of Internet of Things devices since<br />

joining the WatchGuard team in 2012. With speaking appearances at<br />

industry events including RSA and regular contributions to online IT,<br />

technology and security publications, Marc is a thought leader who<br />

provides insightful security guidance to all levels of IT personnel.<br />

Marc can be reached online at @XORRO or via http://www.watchguard.com.<br />


<strong>Cyber</strong> Leads Global Business Risks for First Time: Allianz<br />

Risk Barometer <strong>2020</strong><br />

By Kelly Castriotta, North American Head of Product Development for Financial Lines at Allianz Global<br />

Corporate & Specialty<br />

For the first time ever, Cyber incidents (39% of responses) rank as the most important business risk globally in the ninth Allianz Risk Barometer 2020, relegating perennial top peril Business Interruption (BI) (37% of responses) to second place. Awareness of cyber threats has grown rapidly in recent years, driven by companies’ increasing reliance on data and IT systems and a number of high-profile incidents. Seven years ago, cyber ranked 15th with just 6% of responses.<br />

The annual survey on global business risks from Allianz Global Corporate & Specialty (AGCS) incorporates the views of a record 2,718 experts in over 100 countries, including CEOs, risk managers, brokers and insurance experts.<br />

Here are some of the reasons why cyber has overtaken the top spot and is likely to remain a leading<br />

business risk for the foreseeable future.<br />

Data breaches larger and more expensive<br />

As companies collect and use ever greater volumes of personal data, data breaches are becoming larger and costlier. In particular, so-called mega data breaches (involving more than one million records) are more frequent and expensive. In July 2019, Capital One revealed it had been hit by one of the largest ever breaches in the banking sector with approximately 100 million customers impacted. Yet this breach is by no means the largest in recent years.<br />

Data breaches at hotel group Marriott in 2018 and credit score agency Equifax in 2017 were reported to have involved the personal data of over 300 million and 140 million customers respectively. Both companies faced numerous lawsuits and regulatory actions in multiple jurisdictions – the UK’s data protection regulator intends to fine Marriott $130mn for the breach, among the earliest and largest fines under the EU’s new privacy laws to date.<br />

The General Data Protection Regulation (GDPR) rules that came into force across Europe in 2018 will<br />

likely bring further fines in <strong>2020</strong>. The European Data Protection Board (EDPB) released a preliminary<br />

report stating that of the 206,326 cases reported under the GDPR across 31 countries in the first nine<br />

months of its implementation, the national data protection agencies had only resolved around 50% of<br />

them.<br />

A mega breach now costs an average of $42mn, according to the Ponemon Institute, an increase of<br />

nearly 8% over 2018. For breaches in excess of 50 million records, the cost is estimated to be $388mn<br />

(11% higher than in 2018).<br />

Ransomware brings increasing losses<br />

According to the EU’s law enforcement agency, Europol, ransomware is the most prominent cyber crime<br />

threat.<br />

Already high in frequency, incidents are becoming more damaging, increasingly targeting large<br />

companies with sophisticated attacks and hefty extortion demands. Five years ago, a typical ransomware<br />

demand would have been in the tens of thousands of dollars. Now they can be in the millions. The<br />

consequences of an attack can be crippling, especially for organizations that rely on data to provide<br />

products and services.<br />

Extortion demands are just one part of the picture. Business interruption brings the most severe losses<br />

from ransomware attacks, and in some cases ransomware is a smoke screen for the real target, such as<br />

the theft of personal data. Industrial and manufacturing firms are increasingly targeted but losses tend to<br />

be highest for law firms, consultants and architects, for which IT systems and data are their life blood.<br />

BEC attacks result in billion-dollar fraud<br />

Business email compromise (BEC) – or spoofing – attacks are increasing in frequency. BEC incidents have<br />

resulted in worldwide losses of at least $26bn since 2016 according to the FBI in the US.<br />

Such attacks typically involve social engineering and phishing emails to dupe employees or senior<br />

management into revealing login credentials or to make fraudulent transactions.<br />


Litigation prospects rising<br />

Many large data breaches today spark regulatory actions, but they can also trigger litigation from affected<br />

consumers, business partners and investors. When they do, legal expenses can add substantially to the<br />

cost.<br />

Data breach litigation in the US is a developing situation. A number of large breaches have triggered<br />

class actions by consumers or investors. Outside the US, a number of countries have expanded group<br />

action litigation rights. For example, in Europe, the GDPR makes it easier for victims of a data or privacy<br />

breach to seek legal redress.<br />

In addition, claimant law firms and litigation funders are actively looking to bring class actions for data breaches in Europe and elsewhere – a class action against British Airways following its 2018 data breach was recently given the go-ahead in the UK courts. Consumer groups are also looking to test the GDPR and challenge some organizations’ interpretation of the new law.<br />

M&A can bring cyber issues<br />

<strong>Cyber</strong> exposures have emerged as a hot topic in mergers and acquisitions (M&A) following some large data<br />

breaches. For example, the 2018 Marriott breach was traced to an intrusion in 2014 at Starwood, a hotel<br />

group it acquired in 2016.<br />

Even the best protected companies will be exposed if they acquire a company with weak cyber security<br />

or existing vulnerabilities. The acquiring firm could be liable for any damage from incidents which predate<br />

the merger.<br />

Ultimately, considering potential cyber vulnerabilities and exposures needs to become a higher priority<br />

for businesses during M&A, as many companies are not doing enough due diligence in this area. At the<br />

same time, once a deal has been completed many companies do not address any weaknesses in<br />

acquired systems quickly enough.<br />

Political factors play out in cyber space<br />

The involvement of nation states in cyber-attacks is an increasing risk for companies, which are being<br />

targeted for intellectual property or by groups intent on causing disruption or physical damage. For<br />

example, growing tensions in the Middle East have seen international shipping targeted by spoofing<br />

attacks in the Persian Gulf while oil and gas installations have been hit by cyber-attacks and ransomware<br />

campaigns.<br />

Sophisticated attack techniques and malware may also be filtering down to cyber criminals while nation state involvement is providing increased funding to hackers. Even where companies are not directly targeted, state-backed cyber-attacks can cause collateral damage. In 2017 the NotPetya malware attack primarily targeted Ukraine but quickly spread around the world.<br />


Risk mitigation<br />

Preparation and training are the most effective forms of mitigation and can significantly reduce the<br />

likelihood or consequences of a cyber event. Many incidents are the result of human error, which can be<br />

mitigated by training, especially in areas like phishing and business email compromise, which are among<br />

the most common forms of cyber-attack.<br />

Training could also help mitigate ransomware attacks, although maintaining secure backups can also<br />

limit the damage from such incidents. Business resilience and business continuity planning are also key<br />

to reducing the impact of a cyber incident, although response plans need to be tested, practiced and<br />

regularly reviewed.<br />

More information on the Allianz Risk Barometer <strong>2020</strong> is available here:<br />

• Top 10 global business risks<br />

• Full report<br />

• Individual country and industry sector results<br />

About the Author<br />

Kelly B. Castriotta is the Regional Head of Product Development in<br />

North America for Financial Lines at Allianz Global Corporate Specialty.<br />

Ms. Castriotta develops new products for all Financial Lines in North<br />

America, including cyber, directors and officers liability and all<br />

professional liability offerings. Most recently, Ms. Castriotta led the<br />

company’s initiative to address non-affirmative cyber across nearly 100<br />

discrete product lines.<br />

She can be reached online at https://www.agcs.allianz.com/<br />


Facebook’s $550 Million Settlement: A Warning to<br />

Companies Collecting Biometric Data<br />

Facebook’s significant settlement could incite future class action lawsuits, further emphasizing the need<br />

for companies to comply with biometric privacy laws.<br />

By Billee Elliott McAuliffe, Member, Lewis Rice<br />

Thanks to a class action suit filed against Facebook under the Illinois Biometric Information Privacy Act<br />

(BIPA), Facebook users in Illinois may receive part of a $550 million settlement. The settlement<br />

compensates users for Facebook’s utilization of facial recognition technology known as “tagging” without<br />

the user’s consent. If approved by the California district court, this settlement could spur others to bring<br />

similar lawsuits, putting businesses throughout the country at risk.<br />

So, what are biometrics and biometric privacy? Biometrics is the measurement and analysis of unique<br />

physical or behavioral characteristics, such as fingerprints or voice patterns, especially as a means of<br />

verifying personal identity. Hence, biometric privacy is an individual’s right to keep his or her biometric<br />

information private and to control how that information is collected and used by third parties.<br />

Biometric privacy laws, including BIPA, are like many new privacy laws that have promulgated over the<br />

last few years. All are informed consent laws, which generally require third parties gathering the biometric<br />

data, including fingerprints, facial scans, retina scans, DNA, gait analysis or voice recordings, to provide<br />

notice of their collection and use, the reason for the use, and how the data will be destroyed. Additionally,<br />

third parties must obtain permission from individuals to use their biometric information. Failure to provide<br />

both notice and control could result in liability for the data collector and users.<br />

In Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court ruled the mere failure to<br />

comply with statutory requirements of BIPA by any entity that collects, maintains, stores or transfers<br />

biometric data is enough injury to allow the affected consumers to sue for damages and injunctive relief.<br />

This means no data breach, wrongful disclosure or actual injury to the consumer is required for a business<br />

to be subject to civil liability under BIPA.<br />


To avoid potential liability, all businesses handling information subject to BIPA should review their<br />

policies, procedures and methods for collecting, using, storing and protecting biometric data.<br />

And it is not just Illinois companies that need to comply. In Patel v. Facebook, the case resulting in the<br />

$550 million settlement, Facebook argued that if any BIPA violations did occur, they did not primarily<br />

occur in Illinois, as Facebook’s servers are located in California. However, the California federal district<br />

court hearing the case disagreed, suggesting that a consumer’s mere use of Facebook in the State of<br />

Illinois was enough to make BIPA applicable. This extraterritorial holding in Patel, along<br />

with Rosenbach’s ruling that statutory non-compliance is sufficient injury to bring suit, means all entities<br />

must be aware of these laws and the restrictions on the use of biometrics.<br />

In order to ensure compliance with BIPA, every business should audit its operations to understand if it<br />

collects or uses any biometric data through systems such as time clocks that require fingerprints, security<br />

access systems utilizing palm prints or facial recognition, or even surveys gathering biometric data for a<br />

wellness program. If your business does collect or use biometric information, then it must determine<br />

whether it is protected under any biometric privacy law.<br />

While Illinois’ BIPA was the first and remains the most robust, Texas and Washington also have specific<br />

biometric privacy statutes. Additionally, many states include biometric information within their data breach<br />

notifications and other privacy and employee protection statutes. Certain biometric data is also protected<br />

under the federal Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information<br />

Nondiscrimination Act (GINA) and the Fair Credit Reporting Act (FCRA), which imposes requirements<br />

and restrictions on employers conducting background checks.<br />

Unfortunately, as with many other privacy laws, the types of biometrics that are protected and the<br />

requirements that must be implemented are different under each law. Therefore, understanding what is<br />

protected and the steps that must be taken to ensure full compliance may require a consultation with<br />

legal counsel.<br />

After the business has determined what laws apply and the requirements of those laws, it will need to<br />

review and appropriately revise its policies, procedures, and methods of collecting, using, storing and<br />

protecting biometric information. Generally, revisions include giving notice to individuals, obtaining their<br />

consent for the collection and use of their data, and including documented retention schedules and<br />

guidelines for the destruction of the information.<br />

The Facebook settlement shows that failure to comply with biometric privacy laws can result in substantial<br />

liability for companies. Under Illinois’ BIPA, individuals can receive more than $1,000 for negligent<br />

violations or $5,000 for intentional violations. Under Texas’ Capture or Use of Biometric Identifier Act<br />

(CUBI), violations could result in civil penalties of up to $25,000 per violation. In Washington, the attorney<br />

general has the right to seek up to $500,000.<br />

Because these lawsuits can be quite costly, businesses must review the information they collect and<br />

determine if any actions need to be taken to comply with biometric privacy laws. If they don’t, they may<br />

get “tagged” like Facebook.<br />


About the Author<br />

Billee Elliott McAuliffe is a member of Lewis Rice practicing in the firm’s<br />

corporate department. Although she focuses on information technology,<br />

Billee also has extensive experience in corporate law, including<br />

technology licensing, cybersecurity and data privacy, and mergers and<br />

acquisitions. She is a member of the American Bar Association and the<br />

Bar Association of Metropolitan St. Louis. Billee can be reached online at<br />

bmcauliffe@lewisrice.com and at https://www.lewisrice.com/.<br />


How to Avoid Being Breached In <strong>2020</strong><br />

By Randy Reiter CEO of Don’t Be Breached<br />

Recent Data Breaches Disclosed in <strong>2020</strong><br />

In February 2020, the United States Department of Defense (DOD) disclosed a data breach that occurred at its IT and telecom agency, the Defense Information Systems Agency (DISA). DISA provides IT and telecommunications support for the White House, diplomats and military troops. The breach exposed Personally Identifiable Information (PII) of its employees between May and July 2019. DISA has about 8,000 civilian and military employees. The employee personal information breached is believed to include social security numbers.<br />

Other major <strong>2020</strong> data breaches include:<br />

• January 2020. Wawa, which has 850 US convenience stores, reported that hackers put up the payment card details of more than 30 million Wawa customers for sale on Joker’s Stash, a Dark Web marketplace where cyber criminals buy and sell payment card data.<br />

• January, <strong>2020</strong>. 250 million Microsoft "Customer Service and Support" (CSS) records were<br />

exposed online. The leaked database contained data on customers including their email<br />

addresses, IP addresses, locations, case numbers and internal notes marked confidential.<br />

Hackers potentially could try to trick users into paying for support solutions by impersonating<br />

Microsoft support representatives.<br />


• March 2020. UK telecommunications provider Virgin Media reported that the personal information of 900,000 customers was exposed in a data breach. Customer names, home addresses, email addresses, phone numbers and dates of birth were leaked.

• March 2020. US telecom giant T-Mobile suffered another data breach. Hackers gained unauthorized access to sensitive information on customers and employees.

How to Protect Confidential Database Data from Insider Threats and Hackers

Confidential database data includes credit card, tax ID, medical, social media, corporate, manufacturing, law enforcement, defense, homeland security and public utility data. This data is almost always stored in Cassandra, DB2, Informix, MongoDB, MariaDB, MySQL, Oracle, PostgreSQL, SAP HANA, SQL Server or Sybase databases. Once inside the security perimeter, a hacker or rogue insider can use commonly installed database client utilities to steal confidential database data.

Non-intrusive network sniffing can capture and analyze the normal database query and SQL activity from a network tap or proxy server with no impact on the database server. This SQL activity is very predictable: a database server serving 10,000 end users typically processes 2,000 to 10,000 unique query or SQL statements that together run millions of times a day. One practical caveat: if client-to-database connections are encrypted with TLS, a passive tap sees only ciphertext, so the proxy must terminate TLS or the sniffer must be given the session keys for this approach to work.

Advanced SQL Behavioral Analysis of Database Query and SQL Activity

Advanced SQL behavioral analysis of the database SQL activity can learn what normal database activity looks like. The database query and SQL activity can then be monitored non-intrusively in real time from a network tap or proxy server, and anomalous SQL activity identified immediately. Anomalous SQL activity from hackers or rogue insiders can be detected within a few milliseconds; the offending database session can be terminated at once and the security team notified, so that confidential database data is not stolen.

Advanced SQL behavioral analysis of the query activity can go further and learn, for each of the 2,000 to 10,000 unique SQL queries sent to a database, the maximum amount of data the query has ever returned and the IP addresses it has been submitted from. This form of data protection can detect never-before-observed query activity, queries sent from a never-observed IP address, and queries returning more data to an IP address than that query has ever returned before. This allows real-time detection of hackers and rogue insiders attempting to steal confidential web site database data. Once detected, the security team can be notified within a few milliseconds so that a data breach is prevented.
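The baseline-and-score logic described above, as an added example that is not part of the original article and is not the author's product. The statement fingerprinting, the event record fields and the sample statements are constructed assumptions for illustration. It learns the set of statement shapes seen in a training window, the IP addresses each shape was issued from and the largest result each has returned, then flags a live statement that has a never-seen shape, comes from a never-seen IP, or returns more rows than the baseline maximum:

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    """One observed statement as a sniffer/proxy would record it (constructed layout)."""
    src_ip: str
    sql: str
    rows_returned: int


def fingerprint(sql):
    """Collapse a statement to its shape so that 'id = 5' and 'id = 7' match:
    string and numeric literals become '?', whitespace and case are normalised."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)      # 'string' literals ('' escapes a quote)
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)      # numeric literals
    return re.sub(r"\s+", " ", s).strip().lower()


@dataclass
class Profile:
    src_ips: set = field(default_factory=set)    # where this shape has been issued from
    max_rows: int = 0                            # largest result it has ever returned


class SqlBaseline:
    def __init__(self):
        self.profiles = defaultdict(Profile)     # fingerprint -> Profile

    def learn(self, events):
        for e in events:
            p = self.profiles[fingerprint(e.sql)]
            p.src_ips.add(e.src_ip)
            p.max_rows = max(p.max_rows, e.rows_returned)

    def score(self, e):
        """Reasons this event deviates from the baseline (empty list = normal)."""
        fp = fingerprint(e.sql)
        if fp not in self.profiles:
            return ["new_query"]                 # shape never seen in training
        p = self.profiles[fp]
        reasons = []
        if e.src_ip not in p.src_ips:
            reasons.append("new_source_ip")
        if e.rows_returned > p.max_rows:
            reasons.append("rows_exceed_baseline")
        return reasons

    def detect(self, events):
        """Return [(event, reasons)] for the events that are anomalous."""
        return [(e, r) for e in events for r in [self.score(e)] if r]


# Constructed training window: one app server issuing its normal statements.
TRAINING = [
    Event("10.0.1.5", "SELECT name, ssn FROM employees WHERE id = 42", 1),
    Event("10.0.1.5", "SELECT name, ssn FROM employees WHERE id = 43", 1),
    Event("10.0.1.5", "SELECT id FROM sessions WHERE token = 'a1b2'", 1),
    Event("10.0.1.5", "SELECT * FROM orders WHERE customer_id = 10", 18),
    Event("10.0.1.5", "SELECT * FROM orders WHERE customer_id = 11", 40),
]

# Constructed live traffic: one normal lookup and three kinds of misuse.
LIVE = [
    Event("10.0.1.5", "SELECT name, ssn FROM employees WHERE id = 77", 1),
    Event("10.0.1.5", "SELECT name, ssn FROM employees", 8000),              # bulk dump, new shape
    Event("10.0.9.200", "SELECT name, ssn FROM employees WHERE id = 9", 1),  # known shape, odd client
    Event("10.0.1.5", "SELECT * FROM orders WHERE customer_id = 12", 250000),  # far above max_rows
]


def build_baseline(training=TRAINING):
    b = SqlBaseline()
    b.learn(training)
    return b


if __name__ == "__main__":
    baseline = build_baseline()
    for ev, why in baseline.detect(LIVE):
        print(f"ALERT {ev.src_ip} {why}: {ev.sql}")
```

The baseline must be re-learned after every application release, or legitimate new statements will be reported as `new_query`; in practice the learning window is re-opened for a deployment and closed again once the new shapes have been seen from the expected application servers.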


About the Author

Randy Reiter is the CEO of Don't Be Breached, a Sql Power Tools company. He is the architect of the Database Cyber Security Guard product, a database data breach prevention product for Informix, MariaDB, Microsoft SQL Server, MySQL, Oracle and Sybase databases. He has a Master's degree in Computer Science and has worked extensively over the past 25 years with real-time network sniffing and database security. Randy can be reached online at rreiter@DontBeBreached.com, www.DontBeBreached.com and www.SqlPower.com/Cyber-Attacks.


What You Need to Know About DDoS Weapons Today

By Ahmad Nassiri, Security Solutions Architect at A10 Networks

A DDoS attack can bring down almost any website or online service. The premise is simple: use a botnet of infected hosts to overwhelm a target's servers with massive volumes of traffic. Twenty years after its introduction, DDoS remains as effective as ever, and continues to grow in frequency, intensity and sophistication. That makes DDoS defense a top cybersecurity priority for every organization, and the first step is understanding the threat you face.

To help organizations take a proactive approach to DDoS defense, A10 Networks recently published a report on the current DDoS landscape: the weapons being used, the locations attacks are launched from, the services being exploited, and the methods attackers use to maximize the damage they inflict. Based on nearly six million weapons tracked by A10 Networks in Q4 2019, the study provides timely, in-depth threat intelligence to inform your defense strategy.

Here are a few of our key findings.


Reflected Amplification Takes DDoS to the Next Level

The SNMP and SSDP protocols have long been top sources of DDoS reflection, and this trend continued in Q4 2019, with nearly 1.4 million SNMP weapons and nearly 1.2 million SSDP weapons tracked. In an alarming development, WS-Discovery weapons have risen sharply, to nearly 800,000, to become the third most common source of DDoS. The shift is due in part to the growing popularity of attacks that use misconfigured IoT devices to amplify traffic.

In this technique, known as reflected amplification, attackers are turning their attention to the exploding number of internet-exposed IoT devices running the WS-Discovery protocol. Designed to support a broad variety of IoT use cases, WS-Discovery is a multicast, UDP-based protocol (SOAP over UDP on port 3702) used to automatically discover web-connected services. Critically, WS-Discovery runs over UDP with no validation of the source address, so an attacker can send small discovery probes with the source address spoofed to the victim's IP; every exposed device then sends its much larger reply to the victim, which is deluged with data from devices it never contacted.

With over 800,000 WS-Discovery hosts available for exploitation, reflected amplification has proven highly effective, with observed amplification of up to 95x. Reflected amplification attacks have reached record-setting scale, such as the 1.3 Tbps Memcached-based attack on GitHub, and account for the majority of the DDoS attacks A10 observes. They are also challenging to defend against: only 46 percent of the WS-Discovery reflectors reply from port 3702 as expected, while 54 percent reply from high ports, so a filter that simply drops UDP traffic with source port 3702 misses more than half of the reflected traffic. Most of the discovered inventory to date has been found in Vietnam, Brazil, the United States, the Republic of Korea and China.
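An added example, not from A10's report, of what a defender on the victim's side can do with the observation above about reply ports: classify constructed UDP flow records, find a host that is receiving WS-Discovery ProbeMatches replies from many reflectors it never probed, and measure how much of that traffic a naive "drop UDP source port 3702" rule would actually stop. The flow-record fields, the payload snippets and the byte counts are constructed for the example; the only protocol facts relied on are that WS-Discovery is SOAP over UDP on port 3702 and that a reply to a Probe carries a ProbeMatches action.

```python
from collections import defaultdict
from dataclasses import dataclass

WSD_PORT = 3702
# A WS-Discovery reply to a Probe carries the ProbeMatches action in its SOAP header.
REPLY_MARKER = b"ProbeMatches"
# End of the Action URI of a Probe; the trailing '<' keeps it from matching ProbeMatches.
PROBE_MARKER = b"discovery/Probe<"


@dataclass
class Flow:
    """One UDP flow as a sensor might summarise it (constructed record layout)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int
    payload_head: bytes      # first bytes of the payload retained by the sensor


def is_probe(f):
    return f.dst_port == WSD_PORT and PROBE_MARKER in f.payload_head


def is_reply(f):
    return REPLY_MARKER in f.payload_head


def naive_port_rule_drops(f):
    """The tempting firewall rule: drop inbound UDP whose source port is 3702."""
    return f.src_port == WSD_PORT


def reflection_report(flows, min_reflectors=3):
    """For each destination receiving ProbeMatches from reflectors it never
    probed, return the reflector count, the total bytes and the bytes the naive
    port rule would have stopped. Replies to a host's own probes are ignored."""
    probed = defaultdict(set)      # host -> reflectors it genuinely probed
    replies = defaultdict(list)    # destination -> inbound reply flows
    for f in flows:
        if is_probe(f):
            probed[f.src_ip].add(f.dst_ip)
        elif is_reply(f):
            replies[f.dst_ip].append(f)

    report = {}
    for victim, fl in replies.items():
        unsolicited = [f for f in fl if f.src_ip not in probed[victim]]
        reflectors = {f.src_ip for f in unsolicited}
        if len(reflectors) < min_reflectors:
            continue
        report[victim] = {
            "reflectors": len(reflectors),
            "bytes": sum(f.nbytes for f in unsolicited),
            "bytes_stopped_by_port_rule": sum(
                f.nbytes for f in unsolicited if naive_port_rule_drops(f)),
        }
    return report


# Constructed payload heads (shortened SOAP headers).
PROBE = b"<s:Envelope><s:Header><a:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</a:Action>"
MATCH = b"<s:Envelope><s:Header><a:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/ProbeMatches</a:Action>"

# Constructed flows: one legitimate probe/reply pair, then six reflected replies
# aimed at 203.0.113.50, half from port 3702 and half from high ports.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 49200, "198.51.100.7", WSD_PORT, 480, PROBE),
    Flow("198.51.100.7", WSD_PORT, "203.0.113.10", 49200, 1400, MATCH),
    Flow("198.51.100.21", WSD_PORT, "203.0.113.50", 50001, 1400, MATCH),
    Flow("198.51.100.22", WSD_PORT, "203.0.113.50", 50001, 1400, MATCH),
    Flow("198.51.100.23", WSD_PORT, "203.0.113.50", 50001, 1400, MATCH),
    Flow("198.51.100.24", 49153, "203.0.113.50", 50001, 1400, MATCH),
    Flow("198.51.100.25", 51234, "203.0.113.50", 50001, 1400, MATCH),
    Flow("198.51.100.26", 60002, "203.0.113.50", 50001, 1400, MATCH),
]


if __name__ == "__main__":
    for victim, r in reflection_report(SAMPLE_FLOWS).items():
        print(f"{victim}: {r['reflectors']} reflectors, {r['bytes']} B, "
              f"port rule stops {r['bytes_stopped_by_port_rule']} B")
```

Because the spoofed probes never traverse the victim's network, the only handle on the victim side is the reply traffic itself; matching on the ProbeMatches payload (or on rate and source diversity) rather than on source port is what keeps the high-port reflectors visible. The same `is_probe` logic, run at a device owner's own network edge, is how inbound probes from spoofed sources reveal that one's own hosts are being used as reflectors.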

DDoS Is Going Mobile

Unlike stealthier exploits, DDoS attacks are loud and overt, allowing defenders to see where they are launched from. While these weapons are globally distributed, the greatest number of attacks originate in countries with the highest density of internet connectivity, including China, the United States and the Republic of Korea.

A10 Networks has also tracked the hosting of DDoS weapons by autonomous system, identified by autonomous system number (ASN): a collection of IP address ranges under the control of a single company or government. With the exception of the United States, the top ASNs hosting DDoS weapons track closely with the countries hosting the majority of attacks, and include Chinanet, Guangdong Mobile Communication Co. Ltd. and Korea Telecom.

In another key trend, the prevalence of DDoS weapons hosted by mobile carriers skyrocketed near the end of 2019. In fact, the top source of reflected amplification detected was Guangdong Mobile Communication Co. Ltd., with Brazilian mobile operator Claro S.A. the top source of malware-infected drones (bots).


The Worst Is Yet to Come

With IoT devices coming online at a rate of 127 per second and accelerating, attackers are poised to enter a golden age of possibilities. New strains of DDoS malware in the Mirai family are already targeting Linux-powered IoT devices, and they will only multiply as 5G brings massive increases in network speed and coverage. Meanwhile, DDoS-for-hire services and bot herders continue to make it easier than ever for any bad actor to launch a lethal targeted attack.

The A10 Networks report makes clear the importance of a complete DDoS defense strategy. Businesses and carriers must leverage sophisticated DDoS threat intelligence, combined with real-time threat detection, to defend against DDoS attacks no matter where they originate. Methods such as automated signature extraction and blacklists of the IP addresses of DDoS botnets and known-vulnerable reflectors can help organizations proactively defend themselves even before an attack starts.

For additional insight, including the top IoT port searches and reflector searches performed by attackers, download the complete A10 Networks report, "Q4 2019: The State of DDoS Weapons," and see the accompanying infographic, "DDoS Weapons & Attack Vectors."

About the Author

Ahmad Nassiri is the security solutions architect for A10 Networks' Eastern region. Nassiri is responsible for supporting pre-sales efforts for A10 Networks' security solutions portfolio. He is also focused on providing visibility into the market, trends and developments within the security field to help A10 Networks expand its security solutions offering. Before joining A10 Networks, Nassiri was a systems engineer at Arbor Networks, focused on network security and monitoring solutions for global networks. In this role, he assisted with the pre- and post-sales engineering support for Arbor's service provider-focused account teams. Nassiri has also held sales and systems security engineering roles with Verisign's Network Intelligence and Availability (NIA) division. During his tenure, he was focused on security intelligence, cloud-based DDoS protection, and managed DNS services. Earlier, he held numerous security and engineering roles with BT Global Services.

Ahmad can be reached online at anassiri@a10networks.com and at our company website, https://www.a10networks.com/


Better Network Visibility: Removing the Security Blindfold

By Cary Wright, VP Product Management, Endace

Recent research shows that enterprise teams are very concerned about their ability to protect their networks from cyber threats. Concerns run the gamut: insufficient insight into network activity, lack of integration between security tools, inability to respond to threats quickly enough, resource constraints, and obsolete solutions. Enterprises are frustrated with existing security solutions that don't provide sufficient visibility, agility and economic efficiency. This article is the first of a three-part series from Endace, and looks at the issue of network visibility.

Without the right tools in place, detection and resolution of security events is cumbersome and often inconclusive. Lacking sufficient visibility into network activity, organizations are left vulnerable.

A recent enterprise survey conducted by Enterprise Management Associates reveals that only 31% of incursions were identified and stopped at the earliest two stages of the Lockheed Martin Cyber Kill Chain (reconnaissance and weaponization). This indicates that most threats proceed to the dangerous exploitation phase. A key reason for being unable to stop a compromise early enough is the overflowing backlog of issues that are never investigated: 89% of enterprises surveyed by ViB say a lack of visibility into network activity prevents them from reacting promptly and with confidence.

At first glance, you might think lack of network visibility is caused by a lack of data. But the issue often isn't a lack of data; it is an inability to correlate the data collected into useful insights. It's like trying to assemble a collection of scattered jigsaw puzzle pieces without a picture of the final result. Enterprise teams are overwhelmed by the sheer volume of data to analyze from multiple, disparate sources: log files, SNMP traps, monitoring tools, and so on. Often this data is scattered across the infrastructure, hard to correlate, and incomplete because of blind spots in network coverage, which make seeing the full context of a security threat difficult or impossible.


When teams efficiently collate data sources to provide full context around detected issues, data becomes "actionable information" that can be used to investigate and resolve problems quickly and accurately. Network metadata and full-packet capture together give teams the ideal combination of evidence for investigating and resolving security threats.

Network metadata delivers a summary of activity across your infrastructure that provides insight into the behavior of users, devices, applications and threats. This summary can be stored compactly and correlated with other data sources: endpoints, applications, AAA, firewall logs and other key elements. Having diverse datasets in one place helps investigators triangulate on potential issues rapidly. Because metadata is only a summary of what happened, access to full packet data is often needed to confidently understand the breadth of a security event. Fortunately, metadata can serve as an index into the full packet capture: each flow record points at the packets it summarizes, so teams can quickly and accurately reconstruct events, in context, see exactly what occurred, and respond at once.

This combination of network metadata with full packet history facilitates quick and confident investigations and threat resolution. Analysts can query and mine the metadata, then obtain definitive evidence by drilling down to the packets. The combination of network metadata and packet data also provides the all-important context for data from other sources, such as log files and alerts from monitoring tools, by providing a timeline and a record of affected hosts against which those sources can be correlated easily.
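The metadata-as-index idea above, as an added example that is not Endace's code: flow records are built from packet headers and carry the offsets of the packets they summarize; an alert from another tool (host plus time window) is answered first from the metadata and then by pivoting to the exact packets. The packet records, the offsets and the alert are constructed for the example, and the in-memory packet store stands in for byte offsets into capture files.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """A captured packet header as a recorder would index it (constructed layout).
    'offset' stands in for the byte offset of the packet in the capture store."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int
    offset: int


@dataclass
class FlowRecord:
    """Network metadata for one bidirectional flow, plus the index into its packets."""
    first_ts: float
    last_ts: float
    packets: int = 0
    nbytes: int = 0
    offsets: list = field(default_factory=list)


def flow_key(p):
    """Direction-independent 5-tuple so both halves of a conversation share one record."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def build_index(packets):
    """One pass over the capture: summarise each flow and remember where its packets live."""
    idx = {}
    for p in packets:
        k = flow_key(p)
        rec = idx.get(k)
        if rec is None:
            rec = idx[k] = FlowRecord(first_ts=p.ts, last_ts=p.ts)
        rec.first_ts = min(rec.first_ts, p.ts)
        rec.last_ts = max(rec.last_ts, p.ts)
        rec.packets += 1
        rec.nbytes += p.length
        rec.offsets.append(p.offset)
    return idx


def flows_for_host(idx, host, t0, t1):
    """Metadata query: flows involving host whose lifetime overlaps [t0, t1]."""
    return {k: r for k, r in idx.items()
            if host in (k[1], k[3]) and r.last_ts >= t0 and r.first_ts <= t1}


def pivot_to_packets(idx, store, host, t0, t1):
    """Drill down: follow the offsets from the matching flow records into the
    packet store, keeping only packets inside the alert window."""
    offsets = sorted(o for r in flows_for_host(idx, host, t0, t1).values() for o in r.offsets)
    return [store[o] for o in offsets if t0 <= store[o].ts <= t1]


# Constructed capture: a TLS session, a DNS lookup, and a later connection to port 4444.
CAPTURE = [
    Packet(1000.0, "10.0.0.5", 51000, "198.51.100.9", 443, "tcp", 74, 0),
    Packet(1000.1, "198.51.100.9", 443, "10.0.0.5", 51000, "tcp", 74, 74),
    Packet(1000.2, "10.0.0.5", 51000, "198.51.100.9", 443, "tcp", 517, 148),
    Packet(1001.0, "10.0.0.7", 40000, "10.0.0.53", 53, "udp", 80, 665),
    Packet(1001.1, "10.0.0.53", 53, "10.0.0.7", 40000, "udp", 120, 745),
    Packet(1200.0, "10.0.0.5", 51002, "203.0.113.4", 4444, "tcp", 74, 865),
    Packet(1200.3, "203.0.113.4", 4444, "10.0.0.5", 51002, "tcp", 1400, 939),
]

# Constructed alert from another tool: "host 10.0.0.5 suspicious around t=1200.1".
ALERT = {"host": "10.0.0.5", "ts": 1200.1, "window": 2.0}


def investigate(alert=ALERT, packets=CAPTURE):
    """Alert -> metadata -> packets: the pivot an analyst makes from a SIEM event."""
    idx = build_index(packets)
    store = {p.offset: p for p in packets}
    t0, t1 = alert["ts"] - alert["window"], alert["ts"] + alert["window"]
    return pivot_to_packets(idx, store, alert["host"], t0, t1)


if __name__ == "__main__":
    for p in investigate():
        print(f"{p.ts:.1f} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto} {p.length}B @ {p.offset}")
```

The metadata answers the cheap questions (which flows touched the host, when, how much data) without reading packets; the offsets make the expensive question (what exactly was sent) a direct seek rather than a scan of the whole capture.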

Access to the right data at the right time, through the combination of metadata and full packet capture, provides end-to-end visibility and enables enterprises to detect, triage, investigate and respond to threats and incidents with speed, certainty and confidence. It lets teams efficiently assemble the pieces of the data puzzle to create a clear picture of precisely what's happening on their network.

The second article in this series will address how to increase agility and accelerate incident response.

About the Author

Cary Wright, VP Product Management at Endace, has more than 25 years' experience in creating market-defining networking, cybersecurity and application delivery products at companies including Agilent, HP, Ixia and NEC. sales@endace.com, www.endace.com.


Enabling Agility to Accelerate Incident Response

By John Attala, Vice President of Worldwide Sales, Endace

In the first article in this series, Endace VP of product management Cary Wright discussed the importance of end-to-end network visibility in protecting valuable enterprise data, and how the combination of network metadata and full packet data provides definitive evidence of network activity. To leverage this data effectively, however, it must be made available to the tools and teams throughout the enterprise that examine and resolve issues, so that they can do so more quickly and accurately. Which brings us to the topic of this article: agility.

Agility, as it relates to cyber defense and performance management, can mean two things:

1) faster, more efficient investigation of, and response to, threats and issues ("agile incident response"); and

2) rapid installation and deployment of new solutions to address those threats and issues ("agile deployment").

Agile Incident Response

Research published last year revealed that SecOps, NetOps and DevOps teams are buried in alerts, each of which typically requires a resource-intensive investigation and resolution process involving multiple people. Sadly, the norm is that there simply isn't enough time to triage, prioritize and investigate all the alerts.

In addition, many of the tools SecOps and NetOps teams use don't integrate well with each other, so beleaguered teams must switch from tool to tool ("swivel-chair integration") to determine actual network activity, resulting in delays, stress and organizational risk.


Integrating network metadata and full packet information into security and performance monitoring tools, so that analysts can pivot directly from an alert to the related packets, can dramatically simplify and accelerate investigations, reducing alert backlog and analyst fatigue. The end result is streamlined investigation workflows, more efficient and productive teams, richer contextual information for dealing with threats and, crucially, faster and more accurate incident response.

Agile Deployment

The same research report found that 90% of respondents consider the process of acquiring and deploying security, network or application performance platforms challenging. Selecting and deploying new security and performance monitoring tools can take months to years once an organization works through budget, evaluation, selection, purchase, installation and integration. It's a slow process.

Compounding the acquisition problem, once purchased these security and performance monitoring solutions are expected to last their full depreciation cycle, even though security threats and network standards change and evolve constantly. The end result is that organizations are often stuck with solutions that are no longer fit for purpose, requiring a "rip-and-replace" to meet new threats or resolve performance issues.

This inability to evolve systems quickly to meet new threats or address new requirements hampers organizations' ability to protect and manage their networks effectively. Attackers, on the other hand, aren't constrained by the same CAPEX and budget issues, and often use the victim's own infrastructure to host their attacks, which lets them be extremely agile in staging them.

To counter this, organizations need more agile deployment. One solution is to adopt a standardized, open hardware platform as the foundation for security and performance monitoring: a platform that provides full packet capture, metadata indexing and deep storage, exposes standard RESTful APIs to existing toolsets, and can host, as virtual machines, the network security and performance analytics applications that best suit the organization's environment.

Adopting a standardized platform ensures a good foundation (accurate, time-stamped, quickly searchable data); the RESTful API ensures existing workflows are maintained and minimizes training; and virtualizing monitoring and analytics solutions provides the speed and flexibility to deploy required solutions on demand.

The standard, open platform approach allows for maximum agility and has the potential to deliver the same benefits enterprise datacenters have realized through virtualization: rapid deployment, massive flexibility, operational efficiencies, and large cost savings.

The next article in the series will discuss the economics and cost savings in more detail.


About the Author

John Attala is vice president of worldwide sales at Endace. He has more than twenty years' experience in providing network visibility, forensic solutions, and security services to global enterprises, service providers and government agencies.

John Attala can be reached online at www.endace.com.


Economic Efficiency in Cyber Defense

By Mark Evans, VP Marketing, Endace

The previous two articles in this series addressed Visibility and Agility as key requirements for stronger cyber defense. This last article in the series looks at the third leg of robust cybersecurity: Economic Efficiency.

According to recent research gathered from more than 250 global enterprises, organizations use, on average, ten different security management tools. In large enterprises, that number rises to between 10 and 18 different security solutions.

The research also showed that even though organizations have deployed numerous security solutions, at great cost, they:

• Don't have enough tools in the right places to detect and investigate security events (80% of respondents)

• Find the constraints caused by Capital Expenditure (CAPEX) budgets "significant" (75%)

• Take 6-12 months or longer to acquire and deploy new solutions (budget, testing, product selection, deployment) (90%)


Additionally, organizations said they "lack visibility into network activity", have "difficulty responding quickly enough to threats" and "find it hard to integrate tools and correlate data".

It's clear, then, that despite considerable investment in security, organizations are still not achieving their objectives. They are constantly on the back foot, unable to keep ahead of a rapidly evolving threat landscape. And, as covered in the previous articles in this series, teams are overwhelmed by alert and platform fatigue caused by lack of visibility and by inefficient workflows that constrain productivity.

Reducing Cost and Increasing Efficiency

Network security functions typically rely on specialist hardware that can capture network traffic at high speed for analysis, so many solutions are appliance-based. As a result, organizations must deploy many different appliances to deliver the range of required security functions (IDS/IPS, data leakage prevention, malware detection, email scanning, and so on).

This has a number of cost and budget implications:

1. Hardware-based appliances are expensive to purchase and maintain.

2. Organizations pay for packet capture capability in every appliance they purchase.

3. Hardware purchases consume so much budget that organizations can't afford to deploy solutions everywhere they need them, leaving blind spots.

4. Functionality is inextricably tied to appliance hardware, so upgrading functionality often means a "rip-and-replace". Without CAPEX budget for replacements, organizations must make do with solutions that are well past their "use by" date.

Virtualization has delivered significant benefits in the datacenter: lower cost, simpler infrastructure, efficient hardware utilization, greater flexibility and rapid deployment. However, organizations have been unable to virtualize their network security solutions and realize the same benefits, because there has been no common hardware platform for high-speed packet capture.

What's needed is a hardware platform that provides high-performance, hardware-based packet capture and recording that can be shared by all the tools and teams that need to analyze packet data. This approach eliminates unnecessary duplication of function and allows security and performance monitoring tools to be consolidated onto a common platform.

The cost of this common infrastructure can be shared across SecOps, NetOps, DevOps and IT teams, reducing Operational Expenditure (OPEX) and CAPEX and facilitating closer collaboration. New functionality can be deployed without replacing hardware.


Increasing Productivity

With packet history integrated into all their tools, analysts can detect, investigate and resolve security threats more efficiently, moving from an alert or suspicion directly to evidence, quickly and accurately. This is vastly more productive than the swivel-chair integration that results from managing multiple, non-integrated hardware appliances.

This series looked at three key issues facing enterprises in protecting and defending their networks: Visibility, Agility, and Economic Efficiency. By addressing all three together, organizations can gain the clarity, confidence and certainty necessary to protect effectively against cyber threats.

About the Author

Mark Evans has worked in the technology industry for more than 30 years, starting as a developer and moving into CIO and CTO roles prior to joining Endace as Vice President of Marketing. He has also written extensively as an expert columnist for many technology publications. www.endace.com, @endace.


Does SASE Tick the Box for the Future of Network Security?

By Yair Green, CTO at GlobalDots

Today's enterprise works with an upgraded portfolio of applications and services, the result of an overall digital transformation, and that transformation forces a rethink of its consequences for the network. In response, Gartner introduced the concept of Secure Access Service Edge (SASE) as a new enterprise networking model, in which organizations abandon their time-honoured networking and security designs and merge network and security point functions into a single, globally distributed, cloud-native service.

There is certainly a shift under way: organizations are moving their users, applications and data (currently located on-premises) into the cloud and towards edge applications, and their workforce is spending more of its time working out of the office, "on the road". Together, the forces of cloud, mobility and edge have put pressure on the enterprise's old and weary network and security architecture. It doesn't help to have data spread across SaaS applications and an increasing number of cloud applications. While there is no doubt that digital transformation can improve overall agility and competitiveness, it also requires a rethink of how the enterprise connects and secures its connections. As the landscape evolves, so must technology. Perhaps it was inevitable that something like SASE should appear.

Digital transformation has forced the enterprise to evolve: more applications run in the cloud as SaaS rather than on-premises, more data and workloads live in cloud data centers, and more of the workforce is mobile, with mobile users routinely accessing the cloud and increasing numbers of employees working off-site. The two main challenges for organizations as they ponder how to network and secure offices, users and resources are therefore the cloud and mobility. When the data center is no longer at the core of enterprise activity, where do you inspect traffic and where do you apply policy? Similarly, if networks are going to be built by connecting resources and users that exist largely outside physical buildings, how will the business deliver an optimal network experience? Of course it can be done, but it requires binding together a potentially disparate range of security technologies so that the enterprise is adequately protected, and that can prove both costly and time-consuming for most businesses. In an ideal world, there would be one way to network any kind of resource, location or user without leaving the business vulnerable to the wide array of security threats.

Organizations have been busy bolting on additional services as a stopgap, papering over the cracks; but this only complicates things and drives costs upwards, and it won't work in today's digital landscape. By pushing security as close to the user as possible, SASE reduces cost and complexity by focusing on the users who are accessing the applications; it can all be done through one service. SASE also ensures that all connections are inspected and secured no matter where user and application are, which matters precisely because users and applications are now so widely dispersed. In addition, with security enforced close to the user, SASE delivers a much better user experience overall. The old model brought the user to the security, and that was never a great UX scenario; some would argue that SASE's primary focus is in fact user experience.

There's no doubt that SASE will be a major disruption to both network and network security architecture. Ultimately, businesses will need SASE if they wish to continue their adoption of cloud-native computing and increase their adoption of edge computing platforms. Lessons will have to be learned about the specific security and risk management actions that need implementing as SASE adoption picks up. When a fully competitive solutions marketplace emerges, large enterprises will be able to gauge more accurately how the capabilities are delivered. In the meantime, businesses will require converged, secure, cloud-delivered access to the edge in order to adopt this shift. Digital transformation is shifting the focal point away from the data center, to the identity of the user.

About the Author

Yair Green is the CTO of GlobalDots, and a Cloud, Security and Web Performance Evangelist.

www.globaldots.com

Achieving Effective User Lifecycle Management Through Automation

By Jeff Stein, Information Security Architect, Reputation.com

When considering the security of an enterprise, a key area ripe for automation is user lifecycle management. The topic is important not only to the security of an organization but also to the overall function of an enterprise. By achieving effectiveness through automation in your user lifecycle management process you will not only increase the productivity of your operational teams, by reducing the work required to manage the user lifecycle, but also add effective security controls to your information security program.

User lifecycle management covers the full array of activities executed during the lifetime of a user at an enterprise. It begins with the initial contact of a prospective employee or business partner and runs through to the eventual onboarding of the user into their defined role at the organization. Any changes to user access, or to the user’s status and role at the organization, are also covered in the lifecycle. The lifecycle management then comes full circle and is completed through the offboarding process when the user ends their responsibilities at the enterprise.

From a security perspective, user lifecycle management should be an important domain to include in your security program. While many of the operational tasks related to lifecycle management are associated with Human Resources or Information Technology business units, the need to instill security controls into the related workflows and processes is paramount. This is because one of the core functions of user lifecycle management pertains to access control, which is fundamental to a security program because it deals with the identity, authentication and authorization of users in the enterprise.

The need to automate the provisioning (creation) and deprovisioning (removal) tasks related to the user lifecycle management process derives from ensuring better accountability in the operational tasks associated with access control. Having not only a well-defined lifecycle management process but also ensuring that those processes are initiated through automation reduces the number of administrative controls required to validate proper completion of tasks and replaces them with more reliable technical controls.

In my previous experiences as a Security Engineer, as well as my current role as an Information Security Architect for Reputation.com, an industry leader in online reputation management providing customers with a full range of solutions to handle their presence online, I have found that any time you replace a reliance on a human task with an automated technical one, the likelihood of a breakdown in process is reduced. It also frees up the human element to be leveraged in the process in a more intelligent way than previously utilized. Once repeatable tasks can be replaced with automation, the person can be used as a means to validate on a regular basis that the automated technical control has not failed. This is done through measures such as auditing and approval reviews for sensitive circumstances or types of access. Another simple way of looking at this is to use your human staff for intelligent processes and automate the mundane repeatable processes that do not deviate from the norm.

When looking to automate the user lifecycle at an enterprise there are numerous technical tools at your disposal. Whether you choose to leverage internal scripts or programs, or utilize a managed technical solution, is a matter of preference that depends on your available budget and the technical skill sets on staff. However, whichever tooling you implement to automate user lifecycle management, in my opinion it is more important to ensure you include a number of key components in your automated lifecycle strategy and technical design, which will support your tooling.

The first component to incorporate into your lifecycle management should be an all-encompassing source of truth for your user records. Whether this is a directory service or a human resource information system (HRIS), the key is to ensure that it is accurate and continually maintained. Your source of truth should be the foundation for building out user lifecycle management and automating it, because it will serve as the starting point for the overall process. In essence, until the user is in your source of truth, the lifecycle has not yet begun.

Additionally, access control should be properly built into your strategy. As mentioned above, access control is a key security process, and having proper controls in place will ensure you have security baked into your design and automation process. Consider using role-based access control (RBAC) or attribute-based access control (ABAC) as a model for designing your access control component. When I have personally rolled out user lifecycle management automation, I have done a combination of the two. However, relying primarily on RBAC will be easier to implement, or at least serve as a starting point for your design.

The final component to include in the lifecycle management strategy is ensuring that data between your source of truth and any sources of record used by the various applications in your enterprise is updated as a part of your automation. This is again important in keeping your source of truth accurate, as well as ensuring that aspects such as deprovisioning or a status change in the user’s role function properly. Once these three key components have been worked into your lifecycle management design, the tooling you choose will layer on top and function efficiently. It will also offer a higher level of implementation success and a holistic approach to your workflow and processes.
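The three components above (a source of truth, an RBAC model, and keeping downstream sources of record in sync) can be exercised together in one small reconciliation script. The Python below is an added illustration, not Reputation.com’s code or the author’s tooling; the HRIS records, the role map and the application’s account store are all constructed, and holding sensitive role grants for human approval is one way to implement the review step the author describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Source of truth: a constructed HRIS export. The lifecycle begins when a person
# appears here and ends when their status is no longer "active".
HRIS = [
    {"email": "ana@example.test", "dept": "finance", "title": "analyst", "status": "active"},
    {"email": "bo@example.test", "dept": "eng", "title": "engineer", "status": "active"},
    {"email": "cy@example.test", "dept": "eng", "title": "engineer", "status": "terminated"},
    {"email": "di@example.test", "dept": "finance", "title": "manager", "status": "active"},
]

# RBAC model (constructed): (department, title) -> the application role that combination earns.
ROLE_MAP = {
    ("finance", "analyst"): "ledger-read",
    ("finance", "manager"): "ledger-approve",
    ("eng", "engineer"): "deploy",
}

# Roles whose grant is held for a human approval review instead of being applied automatically.
SENSITIVE_ROLES = {"ledger-approve"}

# The downstream application's own source of record, constructed to have drifted from HRIS.
APP_ACCOUNTS = {
    "ana@example.test": {"role": "ledger-read", "enabled": True},   # already correct
    "cy@example.test": {"role": "deploy", "enabled": True},         # left the company
    "di@example.test": {"role": "ledger-read", "enabled": True},    # promoted, role is stale
    "orphan@example.test": {"role": "deploy", "enabled": True},     # never existed in HRIS
}


@dataclass
class Action:
    kind: str                   # "create", "update" or "disable"
    email: str
    role: Optional[str] = None  # target role for create/update
    needs_approval: bool = False


def desired_state(hris: List[dict]) -> Dict[str, str]:
    """Map each active HRIS record to the role it should hold in the application."""
    desired = {}
    for rec in hris:
        if rec["status"] != "active":
            continue
        role = ROLE_MAP.get((rec["dept"], rec["title"]))
        if role is None:
            continue  # unmapped combinations get no access rather than a default role
        desired[rec["email"]] = role
    return desired


def reconcile(hris: List[dict], app_accounts: Dict[str, dict]) -> List[Action]:
    """Diff the source of truth against the application and emit joiner/mover/leaver actions."""
    desired = desired_state(hris)
    actions = []
    for email, role in sorted(desired.items()):
        current = app_accounts.get(email)
        if current is None or not current["enabled"]:
            actions.append(Action("create", email, role, role in SENSITIVE_ROLES))
        elif current["role"] != role:
            actions.append(Action("update", email, role, role in SENSITIVE_ROLES))
    # Leavers and orphans: any enabled account with no active owner in the source of truth.
    for email, acct in sorted(app_accounts.items()):
        if acct["enabled"] and email not in desired:
            actions.append(Action("disable", email))
    return actions


def apply_actions(actions: List[Action], app_accounts: Dict[str, dict]) -> List[Action]:
    """Apply the routine actions in place; return the sensitive ones held for human review."""
    held = []
    for a in actions:
        if a.needs_approval:
            held.append(a)
            continue
        if a.kind == "disable":
            app_accounts[a.email]["enabled"] = False  # disable rather than delete, so the audit trail survives
        else:
            app_accounts[a.email] = {"role": a.role, "enabled": True}
    return held


def run_example():
    """Run one reconciliation pass on a copy of the constructed data."""
    accounts = {k: dict(v) for k, v in APP_ACCOUNTS.items()}
    actions = reconcile(HRIS, accounts)
    held = apply_actions(actions, accounts)
    return actions, held, accounts


if __name__ == "__main__":
    actions, held, accounts = run_example()
    for a in actions:
        status = "HELD FOR APPROVAL" if a.needs_approval else "applied"
        print(f"{a.kind:8}{a.email:24}{a.role or '':16}{status}")
```

Running the pass a second time yields only the held action again, so the script is safe to schedule repeatedly; the held list is the queue a human reviews.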

Automation provides an excellent means to layer repeatable and scalable security controls into an organization. By automating the user lifecycle management process you can ensure better accountability in the operational tasks associated with access control in the enterprise. Proper tooling, combined with a well-maintained source of truth, an effective access control model and built-in updating of information between sources, allows you to add effective security controls to your information security program.

About the Author

Jeff Stein is currently the Information Security Architect at Reputation.com, an industry leader in online reputation management. His prior experience includes the FinTech space and both the United States House of Representatives and the United States Senate. In addition to holding numerous security and IT certifications, including his CISSP, he received a Master of Science in Information Security and Assurance from Western Governors University. Jeff can be found online on his blog, https://www.securityinobscurity.com, and reached at jeff@sioblog.net or on Twitter at @secureobscure, and at our company website https://www.reputation.com and on Twitter at @Reputation_Com.

Credential Stuffing: Why It’s on The Rise and How to Decrease Your Risk

By Kevin Landt, VP of Product Management at Cygilant

Reports of high-profile data breaches like Equifax’s, LinkedIn’s or Yahoo’s always cause an initial, widespread panic, and for good reason. But after having massive amounts of their sensitive information exposed, such as usernames and passwords, many consumers and organizations move on far too quickly. Whether it’s because they assume there’s nothing they can do to rectify the situation or due to a lack of understanding of their risk level, too many individuals and companies remain dangerously oblivious to what happens after a data breach.

Post-breach, many cybercriminals turn to the Dark Web to purchase data stolen from high-profile data breaches. For instance, recently eight hacked databases containing data for 92.75 million users were put up for sale on the Dark Web marketplace "Dream Market" for 2.6249 bitcoins (about $9,400 USD at the time). Hackers will then use their newly acquired, stolen data to fuel credential stuffing attacks, i.e. attacks that leverage stolen account credentials to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.

Unlike credential cracking, credential stuffing doesn’t rely on brute force or attempts to guess passwords. Instead, cybercriminals simply automate the logins for thousands to millions of previously discovered credential pairs using standard web automation tools or tools designed specifically for credential stuffing (e.g. services that manipulate login requests to make them look like they came from many different browsers, and/or products that integrate with platforms designed to defeat Captchas). On average, hackers find matches between stolen credentials and a website only about one percent of the time; however, with every new large-scale breach, the credential stuffing process becomes easier and more effective.

To combat credential stuffing, both consumers and companies need to recognize the danger these attacks pose and adhere to the following four best practices:

1. Monitor data breaches -- It’s critical to stay apprised of large-scale breaches so that if/when you have an account with a company that experiences a data breach, you can immediately change your password. Also, if you use the same username and password for other accounts, be sure to change those passwords as well. Keeping up with the near-daily occurrence of data breaches can feel like an overwhelming task, so consider leveraging tools like this to determine if any of your credentials have been leaked at any time.

2. Improve your passwords -- One of the top factors driving the credential stuffing epidemic is poor password hygiene. Never reuse the same username and password across multiple sites, change your passwords regularly, make sure each new password bears no resemblance to the old, don’t use the same core word(s), and refrain from placing the same special characters in the same positions. Password managers can help by creating and easily managing the types of highly secure passwords that are impossible to remember.

3. Implement two-factor authentication -- By turning on two-factor authentication whenever it is available, an additional authentication step is requested after you enter your password. This provides another vital layer of protection in the event of a network attack and should always be turned on.

4. Blacklist suspicious logins -- Companies should consistently track logins that result in fraud and then blacklist the associated IP addresses. Also, if a company’s users are located in a specific region, it can create geofences that block traffic coming from elsewhere. Such tactics can make the proxy lists cybercriminals rely on to mask their mass login attempts far less effective, not to mention more complex and costly. Web-based security products can also be leveraged to block a single IP address or a range of IP addresses that produce too many unsuccessful login attempts.
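The fourth practice can be turned into detection logic run over a web application’s login log. The Python below is an added example, not Cygilant’s code; the log format, the sample log lines, the IP-to-country table and the thresholds are all constructed. It flags sources that show the stuffing signature described above (many distinct usernames from one source, nearly all failing) or simply too many failures, applies a geofence, and lists the accounts where such a source did get in so their passwords can be reset.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed login-audit lines: "<timestamp> ip=<addr> user=<name> result=<ok|fail>".
# 198.51.100.7 tries six different usernames in four seconds and lands one of them;
# 203.0.113.9 is one person mistyping their own password; 192.0.2.45 logs in from
# outside the served region.
LOG = """\
2020-04-01T10:00:01 ip=198.51.100.7 user=alice result=fail
2020-04-01T10:00:02 ip=198.51.100.7 user=bob result=fail
2020-04-01T10:00:02 ip=198.51.100.7 user=carol result=fail
2020-04-01T10:00:03 ip=198.51.100.7 user=dave result=ok
2020-04-01T10:00:03 ip=198.51.100.7 user=erin result=fail
2020-04-01T10:00:04 ip=198.51.100.7 user=frank result=fail
2020-04-01T10:00:10 ip=203.0.113.9 user=alice result=fail
2020-04-01T10:00:40 ip=203.0.113.9 user=alice result=fail
2020-04-01T10:01:05 ip=203.0.113.9 user=alice result=ok
2020-04-01T10:02:00 ip=192.0.2.44 user=grace result=ok
2020-04-01T10:02:30 ip=192.0.2.45 user=heidi result=fail
this line is garbage and must not crash the job
"""

# Constructed IP-to-country lookup standing in for a GeoIP database.
IP_COUNTRY = {
    "198.51.100.7": "US",
    "203.0.113.9": "US",
    "192.0.2.44": "US",
    "192.0.2.45": "BR",
}
# The geofence: this constructed company only serves users in one country.
ALLOWED_COUNTRIES = {"US"}

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse(log_text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_ip_stats(events: List[Dict[str, str]]) -> Dict[str, dict]:
    """Aggregate attempts, failures, distinct usernames and successful logins per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "successes": []})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "fail":
            s["failures"] += 1
        else:
            s["successes"].append(e["user"])
    return stats


def classify(events: List[Dict[str, str]], ip_country: Dict[str, str], allowed_countries: Set[str],
             max_failures: int = 5, min_distinct_users: int = 5,
             min_failure_ratio: float = 0.8) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Return {ip: [reasons to block]} and the set of accounts a flagged source logged into.

    Per-IP failure counts alone miss campaigns spread over proxy lists, so the
    distinct-username signal and the geofence are applied alongside them.
    """
    verdict: Dict[str, List[str]] = {}
    takeover_suspects: Set[str] = set()
    for ip, s in per_ip_stats(events).items():
        reasons = []
        failure_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and failure_ratio >= min_failure_ratio:
            reasons.append("credential-stuffing pattern")
            takeover_suspects.update(s["successes"])  # a hit from a stuffing source is a likely takeover
        if s["failures"] >= max_failures:
            reasons.append("too many failed logins")
        if ip_country.get(ip, "unknown") not in allowed_countries:
            reasons.append("outside geofence")
        if reasons:
            verdict[ip] = reasons
    return verdict, takeover_suspects


def run_example() -> Tuple[Dict[str, List[str]], Set[str]]:
    """Classify the constructed log with the constructed geofence."""
    return classify(parse(LOG), IP_COUNTRY, ALLOWED_COUNTRIES)


if __name__ == "__main__":
    verdict, suspects = run_example()
    for ip, reasons in sorted(verdict.items()):
        print(f"block {ip}: {', '.join(reasons)}")
    print("force password reset for:", sorted(suspects))
```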

A recent report from Akamai found that an average of 4.15 billion malicious login attempts from bots were detected in both May and June of 2018, up from an average of 3.75 billion per month between November 2017 and June 2018. Credential stuffing attacks will continue to become even more prevalent in the years ahead, especially as data breaches expose hundreds of millions of usernames and passwords on a regular basis.

By tackling the credential stuffing problem head on and abiding by simple cybersecurity best practices, however, both consumers and companies alike can drastically reduce their risk and at the same time make cybercriminals’ jobs far more challenging.

About the Author

Kevin Landt is VP of Product Management at Cygilant and has over a decade of experience helping Security and IT Operations teams increase efficiency and reduce risk. At Cygilant, he leads a team of PMs dedicated to providing enterprise-class security-as-a-service for companies of all sizes. Prior to Cygilant, Kevin held director and leadership roles at Opsgenie (now part of Atlassian), Kanguru Solutions, and Intel.

The Cost of Cybercrime Is Constantly Rising: How to Combat Ransomware Attacks on SMBs

By Rui Lopes, Sales Engineering and Technical Support Director, Panda Security

Cybercrime is an undeniable constant in the business landscape these days. The cost of cybercrime is constantly rising; it is estimated that by 2021 it will have reached $6 trillion worldwide. Cyberattacks on large companies tend to grab headlines all around the world because of their spectacular impact. However, there is one sector that, though it doesn’t normally generate headlines, suffers the devastating effects of ransomware attacks: small- to medium-sized businesses (SMBs).

According to Beazley Breach Response Services, 71% of ransomware attacks target SMBs. The average ransom demand for this kind of attack is $116,234. In more general terms, 43% of all cyberattacks target this kind of company, while just 14% of these businesses are prepared to defend against their effects. In the business world, cybersecurity awareness is the main challenge: employees’ actions are often the first line of defense against a cyberattack. To ensure that a cyber incident does not cause serious damage to a company, it is important that its employees follow a series of vital tips:

• Never open attachments from unknown senders. 92% of the malware in the world arrives via email.

• Don’t plug in an unknown USB device. It may contain malware that could cause grave problems for the company.

• Get into the habit of updating passwords. This way, even if a password is leaked in a data breach, it won’t become a security risk.

• Updates for endpoints, devices and third-party applications are an important barrier against security breaches.

That being said, the best way to combat ransomware is by not becoming a victim in the first place. To that end, here are five immediate steps that SMBs can take to avoid ransomware attacks.

Step 1: Set Operating Systems to Automatically Update

The first step to avoiding ransomware is to update your operating system (OS). Anything connected to the web works better when the OS is updated. Tech companies like Microsoft and Apple regularly research and release fixes for “bugs” and security patches for vulnerabilities in their systems. It’s a cybersecurity game of cat and mouse. Cyberthieves search for “holes,” and companies race to find them first and “patch” them.

Users are key players in the game because they are the ultimate gatekeepers of their operating systems. If your OS isn’t up to date, you can’t take advantage of the security updates. Plus, your computer runs better with an updated OS.

Set your OS to update automatically and you won’t need to remember to do it manually. While Windows 10 updates automatically (you have no choice), older versions don’t. But setting auto updates is easy, whether you’re on a Mac or PC.

Step 2: Screenshot Bank Emails

Cybercriminals use trojans or worms to infect your computer with ransomware, so avoiding these will help you avoid ransomware. Worms and trojan malware are often spread through phishing email scams, which trick users into opening email attachments containing viruses or clicking links to fake websites posing as legitimate ones.

One of the best tips for keeping phishing emails at bay is learning to identify them. Hackers send phishing emails that look like they come from banks, credit card companies or the IRS. Phishing emails kickstart your fears and anxieties by suggesting there are “problems with your account” or insisting that “Urgent action is required.” Who wouldn’t be scared if their bank sent them an email saying, “You are overdrawn in your account”?

Cybercriminals use this fear to distract people so they will overlook the telltale signs of a phishing email, like misspellings or common fear-inducing subject lines.

Take screenshots of all of the legitimate emails from your bank, credit card companies, and other businesses that manage your sensitive information. Use these screenshots to compare with future emails you receive so you can spot phishing phonies and avoid ransomware.

Step 3: Bookmark Most Visited Websites

The next step in your ransomware-avoidance journey is to bookmark all of your most visited websites. Just as with phishing emails, cybercriminals build websites that look like bank or credit card sites. Then they trick users into clicking a link and visiting them. From there, hackers steal your sign-in credentials or infect your computer with malware.

Think twice before you visit a website by clicking a link in an email, comments section or private messaging app. Instead, bookmark your most visited or high-value websites and visit them through your browser.

Step 4: Back Up Data to the Cloud and a Hard Drive

This step is a no-brainer. Ransomware works if you only have one copy of your data. If it’s irretrievable, then cyberthieves have the upper hand, but if you have multiple copies, you have taken away the power behind the threat.

Back up your data to both a cloud service and a hard drive. That way, you have a copy that’s available anywhere there’s internet access and one that’s physically accessible all the time. Both types of storage are relatively inexpensive and will certainly prove worth it if you’re ever a ransomware target.

After backing up your data, set up a schedule so you can keep your data current. If you haven’t backed up your data in six months, you’re probably just as vulnerable to ransomware attacks as if you had no backup at all.

Step 5: Install Cybersecurity Software

Ransomware is constantly evolving as hackers develop new, more dangerous strains. For users, preemptive steps rock, but unless you download and install comprehensive cybersecurity software, your data is still vulnerable to malware infection.

Here’s a phrase worth remembering: ransomware is a nightmare. After cyberthieves encrypt your data, the chances of recovering it are slim to none…and slim just left town. The story of ransomware doesn’t have the Hollywood, happily-ever-after ending. It will definitely leave you teary-eyed…just for the wrong reasons.

About the Author

Rui Lopes has spent the last 15 years working for Panda Security and currently heads up the Pre-Sales Engineering team in North America. A cybersecurity expert with extensive industry knowledge, he’s passionate about solving complex technical challenges for customers and educating them on the latest cybersecurity developments. He holds several technical certifications and has contributed to multiple IT publications as an IT Security columnist. Rui can be reached online at https://www.linkedin.com/in/ruilopes-6966161/ and at our company website https://www.pandasecurity.com/en-us/.

How To Manage Your Small Business In Time Of Crisis

By Milica D. Djekic

It's always a challenge to manage your small business, but especially in times of crisis. Such a situation requires special skills, such as crisis management skills, pragmatism and critical thinking. How can we create a new generation of business leaders who are capable of responding to all these demands? Human psychology would suggest that the child is the parent of someone’s personality, and it’s quite obvious that if we want to produce new leaders we should try to teach them starting at the very beginning of life. The fact is that so many young individuals spend the majority of their time on the web, and it is quite well known that cyberspace is often the busiest spot of people’s activities. It’s quite impressive how well the new generations deal with cyber technologies and, apparently, modern strategists should use such a finding in order to direct the youth towards some sort of usefulness to the entire society.

The point is, if we want competitive human resources in the decades ahead, we should begin working hard on that project now. A good education system matters, but will that be enough to make the new generation of people think, deal and make decisions in such a manner? The answer to this question could be quite unclear, but what we see at this stage is that, de facto, we need something both impactful and simple at the same time. In addition, we should study the psychology of the child’s development, or probably try to cope with some habits being adopted early on and later used to define someone’s life choices.

So, what would be common to all kids worldwide, and how would they build on their first habits? The quite obvious answer is that all kids anywhere love to play games and in that way develop their first skills and social contacts. We all remember Monopoly and the experience of how some simple banking works in practice. Nowadays children also love to play these games, but in cyberspace. So, if you offer them the chance to do so on their own or as a team, you would undoubtedly teach them to think in this way.

Kids often have very little life experience, and the point is to make something simple enough to motivate them to use their brains to resolve the situations appearing on their screen. On the other hand, many of today’s army officers would have chosen their current occupations just by playing strategy games and making decisions about how to manage their people and resources on some military base.

If you want your kid to learn how to be a good manager, you should lead him into the world of business, enterprises and management. First, many kids cannot imagine how spending your time in the office works, and if you provide them the opportunity to see how it looks and make some kind of interactive and engaging communication, then those young people would definitely become capable of responding to tomorrow’s competitive marketplace challenges. Also, if you put some obstacles into such a scenario, making the players deal with some critical situations, you would also make them develop problem-solving skills in crisis management tactics and strategies coming from best practices and expert knowledge.

So, let’s return to the beginning of our topic and introduce a graphical representation showing how dealing with a crisis in your small business might look. Such an illustration would offer you some constructive insights and hopefully help you better understand how to deal with those problems. The diagram is given in Figure 1.

Figure 1. Crisis conditions in business

As shown in the previous illustration, the small business crisis condition could depend on many factors.<br />

They could include social, environmental, technological and economic conditions, for example. In<br />

practice, the social elements could include political, religious, safety & security and ideological reasons,<br />

while the environmental conditions might include natural disasters, biological factors and even diseases.<br />

On the other hand, the technological and economic pillars could be positive, negative or neutral, for<br />

example.<br />

The fact is if we distinguish all these elements in such a manner, we could straightforwardly develop the<br />

algorithm or the decision making tree about how we could in operational, tactical and strategic way<br />

respond to these challenges. The point is once you figure out what got correlated with what you could<br />

easily recognize some rules of those correlations and realize how they could get applied in sense of the<br />

problem solving algorithms.<br />

In such a case, the cyber defense could be linked to the technological impacts and, in my opinion, anyone<br />

in that field can position himselfto prepare for resolving those concerns. Also, the crisis management skill<br />

is something that would come with experience and it takes some time to become confident in such a role.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>April</strong> <strong>2020</strong> <strong>Edition</strong> Page 66<br />

Copyright © <strong>2020</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Any empirical scenario would differ in some way from another and before you learn to recognize the<br />

similarities between them,you would need a lot of practice in your preofessional experience.<br />

The time of crisis can come at any time, so it’s important to remain rational and realistic in approaching<br />

such a situation from a calm perspective. Small businesses are certainly an important part of the<br />

critical infrastructure, and that’s why any economy needs plenty of good ideas and proposals about how<br />

to protect its strategically significant assets.<br />

Emerging technologies will play a valuable role in our everyday life and work, so they could serve us in<br />

making rational decisions and training a new generation of the workforce that will be more competitive<br />

and sophisticated than any generation before them. The task is challenging, but the results could be so<br />

far reaching.<br />

About the Author<br />

Milica D. Djekic is an Independent Researcher from Subotica,<br />

Republic of Serbia. She received her engineering background from<br />

the Faculty of Mechanical Engineering, University of Belgrade. She<br />

writes for some domestic and overseas presses and she is also the<br />

author of the book “The Internet of Things: Concept, Applications<br />

and Security” being published in 2017 with the Lambert Academic<br />

Publishing. Milica is also a speaker with the BrightTALK expert’s<br />

channel. She is the member of an ASIS International since 2017<br />

and contributor to the Australian <strong>Cyber</strong> Security Magazine since<br />

2018. Milica's research efforts are recognized with Computer Emergency Response Team for the<br />

European Union (CERT-EU) and EASA European Centre for <strong>Cyber</strong>security in Aviation (ECCSA). Her<br />

fields of interests are cyber defense, technology and business. Milica is a person with disability.<br />


What the Latest Enterprise Endpoint Security Survey<br />

Shows Us: Big Concerns but Hope for The Future<br />

By Jeff Harrell, Vice President of Marketing, Adaptiva<br />

More bad news when it comes to IT security. The fourth annual Enterprise Endpoint Security Survey was<br />

recently released, showing that just 17% of companies believe they have enough staff to handle security<br />

correctly, and vulnerabilities continue to take a remarkably long time to fix, particularly without solutions<br />

that meet their needs. These findings (and more) come as organizations face unprecedented threats.<br />

So, what’s going on?<br />

Vulnerabilities on the Rise<br />

<strong>Cyber</strong>crime is predicted to cost $6 trillion annually by 2021, with new threats becoming the number one<br />

pain point for endpoint security buyers. Deloitte points out one reason for this is that as workforces<br />

become more distributed and organizations are responsible for securing more devices, it becomes harder<br />

and harder to secure the endpoint, calling it companies’ “weakest security link.”<br />

Shoring up the endpoint is critical, however, because that’s where approximately 80% of cyberattacks<br />

occur—and these attacks are increasing at a blistering pace. Research shows that between 2016 and<br />

2017 there was a 600% increase in attacks against IoT devices alone. Any Google search can turn up a<br />

multitude of other scary stats that underscore just how great today’s cyberthreat is and how it is expected<br />


to get worse. But the bottom line is vulnerabilities at the endpoint are a tremendous concern, one that<br />

must be addressed if organizations hope to protect their networks, IP, and customer data.<br />

Current Solutions Don’t Solve the Problem<br />

According to the annual Enterprise Endpoint Security Survey, IT professionals cited vulnerability<br />

scanning as their top cybersecurity challenge. One of the reasons shared was that current vulnerability<br />

management scanning solutions don’t solve their problems. In fact, they may increase frustration and<br />

stress by generating reports of hundreds of vulnerabilities that teams can’t address in a timely manner.<br />

Additionally, they suck up bandwidth and hinder network performance.<br />

It’s not as though IT teams are throwing up their hands and pretending that vulnerabilities don’t exist,<br />

however. Ninety-one percent of respondents indicated that “maintaining current, compliant security<br />

configuration” is very or extremely important; they want to improve the speed and scale with which they<br />

can address vulnerabilities—they’re just a bit hamstrung.<br />

Staff Can’t Handle the Surge—And It’s About to Get Worse<br />

But fixing the problem is not simple. In addition to the exponential increase in vulnerabilities and devices<br />

managed, and the fact that vulnerability management solutions can hinder more than help, teams simply<br />

don’t have the staff. Nearly two-thirds of respondents to the Enterprise Endpoint Security Survey<br />

indicated that they struggle to keep up as their teams are stretched to the max, often limiting their ability<br />

to handle security operations the way that they want or wish that they could.<br />

Unfortunately, in light of internal staff shortages, their work is about to get harder. The survey reveals that<br />

only 29% of companies will complete migration to Windows 10 before Microsoft ceases support for<br />

Windows 7 on January 14, <strong>2020</strong>. This means that potentially millions of endpoints will present openings<br />

for cyberattackers to take advantage of an outdated OS that is no longer monitored and supported by<br />

Microsoft and that also lacks the latest security features available in Windows 10. While 87% of<br />

companies reported that they will have more than half of their systems running Windows 10, close may<br />

not be good enough. It takes cyberattackers only minutes to wreak havoc. Given that it requires 52% of<br />

organizations surveyed more than a week—and 22% more than a month—to remediate vulnerabilities<br />

after they are discovered, this could spell big trouble.<br />

Automation Must Be Part of the Solution<br />

With staff being swallowed up trying to handle all of the threats and issues their organizations face, and<br />

those threats increasing each day, something’s got to give. Significant talent shortages make finding<br />


enough skilled IT workers to conquer these issues unlikely. And, even the best funded, best staffed<br />

organizations are fighting a losing battle against the clock. It would be nearly impossible for humans alone<br />

to write the code and execute remediations at the scale that they need to keep all endpoints up to date<br />

100% of the time.<br />

Automation has to be part of the solution. There have been knocks against it—from the time required to<br />

learn how to use new solutions to the limits of present capabilities—but solutions are improving rapidly.<br />

The next generation of vulnerability management solutions includes instant remediation capabilities.<br />

Even if a solution could automatically remediate only 50% of issues, that would be a vast improvement<br />

over the circumstances teams operate in today. It would not only accelerate the speed at which basic<br />

issues are fixed enterprise-wide, it would also open up considerable resources to address more complex<br />

issues in a timely manner.<br />

While enterprise IT security faces a difficult road ahead, all is not lost. The intense commitment of existing<br />

staff to fight cyberthreats coupled with exciting advancements in automation could ensure that the results<br />

of next year’s survey look markedly different. Winning modern cyberwars will require man + machine.<br />

About the Author<br />

Jeff Harrell, vice president of marketing at Adaptiva, manages the<br />

company’s marketing strategies and initiatives across a growing<br />

range of products designed to assist global enterprises with pressing<br />

endpoint management and security needs. With more than 20 years’<br />

experience, Jeff is known for his domain knowledge, creativity, and<br />

vision as well as the ability to execute. In his free time, Jeff can<br />

usually be found looking for birds through a pair of binoculars. For more information, please visit<br />

https://adaptiva.com/, and follow the company on LinkedIn, Facebook, and Twitter.<br />


Meet Our Publisher: Gary S. Miliefsky, CISSP, fmDHS<br />

“Amazing Keynote”<br />

“Best Speaker on the Hacking Stage”<br />

“Most Entertaining and Engaging”<br />

Gary has been keynoting cyber security events throughout the year. He’s also been a<br />

moderator, a panelist and has numerous upcoming events throughout the year.<br />

If you are looking for a cybersecurity expert who can make the difference from a nice event to<br />

a stellar conference, look no further: email marketing@cyberdefensemagazine.com

You asked, and it’s finally here…we’ve launched <strong>Cyber</strong><strong>Defense</strong>.TV<br />

At least a dozen exceptional interviews rolling out each month starting this summer…<br />

Market leaders, innovators, CEO hot seat interviews and much more.<br />

A new division of <strong>Cyber</strong> <strong>Defense</strong> Media Group and sister to <strong>Cyber</strong> <strong>Defense</strong> Magazine.

Free Monthly <strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> Via Email<br />

Enjoy our monthly electronic editions of our Magazines for FREE.<br />

This magazine is by and for ethical information security professionals with a twist on innovative consumer<br />

products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our<br />

mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best<br />

ideas, products and services in the information technology industry. Our monthly <strong>Cyber</strong> <strong>Defense</strong> e-<br />

Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare<br />

arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of<br />

sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here<br />

to sign up today and within moments, you’ll receive your first email from us with an archive of our<br />

newsletters along with this month’s newsletter.<br />

By signing up, you’ll always be in the loop with CDM.<br />

Copyright (C) <strong>2020</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G.<br />

SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a<br />

<strong>Cyber</strong><strong>Defense</strong>Awards.com, <strong>Cyber</strong><strong>Defense</strong>Magazine.com, <strong>Cyber</strong><strong>Defense</strong>Newswire.com,<br />

<strong>Cyber</strong><strong>Defense</strong>Professionals.com, <strong>Cyber</strong><strong>Defense</strong>Radio.com and <strong>Cyber</strong><strong>Defense</strong>TV.com, is a Limited Liability<br />

Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465,<br />

<strong>Cyber</strong> <strong>Defense</strong> Magazine® is a registered trademark of <strong>Cyber</strong> <strong>Defense</strong> Media Group. EIN: 454-18-8465, DUNS#<br />

078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com<br />

All rights reserved worldwide. Copyright © <strong>2020</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved. No part of this<br />

newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying,<br />

recording, taping or by any information storage retrieval system without the written permission of the publisher<br />

except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of<br />

the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may<br />

no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect<br />

the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content<br />

and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at<br />

marketing@cyberdefensemagazine.com<br />

<strong>Cyber</strong> <strong>Defense</strong> Magazine<br />

276 Fifth Avenue, Suite 704, New York, NY 10001<br />

EIN: 454-18-8465, DUNS# 078358935.<br />

All rights reserved worldwide.<br />

marketing@cyberdefensemagazine.com<br />

www.cyberdefensemagazine.com<br />


<strong>Cyber</strong> <strong>Defense</strong> Magazine - <strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> rev. date: 04/02/<strong>2020</strong>



Released:<br />

https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guys-ebook/dp/B07KPNS9NH<br />

In Development – Hacking the Human Firewall (Q2, <strong>2020</strong>) and The Art of <strong>Cyber</strong> War (Q1, 202):

8 Years in The Making…<br />

Thank You to our Loyal Subscribers!<br />

We've Completely Rebuilt <strong>Cyber</strong><strong>Defense</strong>Magazine.com - Please Let Us Know<br />

What You Think. It's mobile and tablet friendly and superfast. We hope you<br />

like it. In addition, we're shooting for 7x24x365 uptime as we continue to<br />

scale with improved Web App Firewalls, Content Delivery Networks (CDNs)<br />

around the Globe, Faster and More Secure DNS<br />

and <strong>Cyber</strong><strong>Defense</strong>MagazineBackup.com up and running as an array of live<br />

mirror sites.<br />

Millions of monthly readers and new platforms coming…
