02.11.2020 Views

Cyber Defense eMagazine November 2020 Edition

Cyber Defense eMagazine November Edition for 2020 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, US Editor-in-Chief, Pieruligi Paganini, Co-founder & International Editor-in-Chief, Stevin Miliefsky, President and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES

Cyber Defense eMagazine November Edition for 2020 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, US Editor-in-Chief, Pieruligi Paganini, Co-founder & International Editor-in-Chief, Stevin Miliefsky, President and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES

SHOW MORE
SHOW LESS

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

4 Reasons Why Cyber Security Is

Important in Your Business

Changing Cybersecurity Culture One Habit

at A Time

Ransomware Is Evolving

Data Migration Security

…and much more…

Cyber Defense eMagazineNovember 2020 Edition 1

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


CONTENTS

Welcome to CDM’s November 2020 Issue ---------------------------------------------------------------------------------------- 7

4 Reasons Why Cyber Security Is Important in Your Business --------------------------------------------------- 21

By Gabe Nelson, Content Specialist, Bonus.ly

Changing Cybersecurity Culture One Habit at A Time ------------------------------------------------------------- 26

By George Finney, Chief Security Officer for Southern Methodist University and Author of Well Aware:

Master the Nine Cybersecurity Habits to Protect Your Future

In the Midst of the Pandemic, Cybersecurity Professionals Show an Uptick in Job, Salary Satisfaction

Despite High Stress Levels ------------------------------------------------------------------------------------------------ 29

By Samantha Humphries, security strategist, Exabeam

3 Educational Cyber Security Steps for The Protection of Your Personal Data ------------------------------ 34

By Ankit Rajpurohit

Why Cybersecurity Awareness is More Important During COVID-19 ------------------------------------------ 39

By Susan Alexandra, Contributing Writer

Ransomware Is Evolving--------------------------------------------------------------------------------------------------- 42

By Jeff Warren, General Manager, Products, Stealthbits Technologies, Inc.

How COVID Tests the Resilience of Your Cloud Data Infrastructure -------------------------------------------- 46

By Noah Johnson, Co-founder & CTO, Dasera

The Impact of Ransomware on Cloud Services and How to Stop Attacks ------------------------------------- 50

By Davit Asatryan, Product Manager, Spin Technology

Perfecting Your Cybersecurity Sales Process ------------------------------------------------------------------------- 53

by Katie Teitler, Senior Analyst, TAG Cyber

Data Migration Security --------------------------------------------------------------------------------------------------- 58

By Devin Partida, Cybersecurity Writer, ReHack Magazine

Has Your Data Been Leaked to the Dark Web? ---------------------------------------------------------------------- 61

By Randy Reiter CEO of Don’t Be Breached

No Meows Is Good News: Proactive Nosql Database Security in The Era of Meow Attacks ------------- 64

By Jack Harper, Director of Professional Services at Couchbase

Cyber Defense eMagazineNovember 2020 Edition 2

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Takeaway from the SANS Institute Attack: Without Proper Care, “Consent Phishing” Can Happen to

Anyone ------------------------------------------------------------------------------------------------------------------------- 68

By Chloé Messdaghi, VP of Strategy, Point3 Security

Behind the Scenes of AppSec’s Misalignment------------------------------------------------------------------------ 71

By John Worrall, CEO at ZeroNorth

Emotet Attacks Surge in 2020, but Could Be Prevented ----------------------------------------------------------- 74

By Dan Piazza, Technical Product Manager, Stealthbits Technologies, Inc.

Zero Trust Model Is Meaningless Without TLS Inspection -------------------------------------------------------- 77

By Babur Khan, Technical Marketing Engineer at A10 Networks

Automated Pentesting – Ready to Replace Humans? ------------------------------------------------------------- 81

By Alex Haynes, CISO, CDL

Mitigating the Pitfalls of Onedrive Security -------------------------------------------------------------------------- 84

By Veniamin Simonov, Director of Product Management, at NAKIVO Inc.

Emerging Technologies Create A New Line of Defense in The Fight Against Fraud ------------------------ 87

By Brett Beranek, Vice President and General Manager, Security and Biometrics, Nuance Communications

How to Adapt Financial Services to The Online Space Securely – And Still Sleep at Night --------------- 90

By Robert Capps, VP of Marketplace, NuData, a Mastercard Company

Cybersecurity Best Practices for End Users --------------------------------------------------------------------------- 94

By Jay Ryerse, CISSP, Vice President of Cybersecurity Initiatives, ConnectWise

The One-Stop Spear Phishing Defense Guide You Will Ever Need ---------------------------------------------- 98

By Jeff Penner, Senior Manager at ActiveCo Technology Management.

The Serverless Security Machine -------------------------------------------------------------------------------------- 102

By Art Sturdevant, Director of Operations, Censys

Unlocking the Promise of Packet Capture -------------------------------------------------------------------------- 105

By Kathryn Ash, President, IPCopper, Inc.

Intelligent Protection Against DNS DDoS Attacks is Critical Part of Cybersecurity Architecture ------ 108

By Ashraf Sheet, Regional Director, Middle East & Africa at Infoblox

NCSAM Provided an Opportunity to Reset Our Approach to Cybersecurity -------------------------------- 111

By Sam Humphries, Security Strategist, Exabeam

How Blockchain Is Helping Stop the Spread of COVID-19 ------------------------------------------------------- 116

Cyber Defense eMagazineNovember 2020 Edition 3

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


By Robert Galarza, CEO, TruTrace Technologies

Patched Minimizes Risk - But Opens the Door for Compatibility Problems -------------------------------- 119

By Egon Rinderer, Global Vice President of Technology & Federal CTO, Tanium

For Federal Agencies, Securing Internet of Things Devices Is A Growing Challenge --------------------- 123

By Katherine Gronberg, Vice President of Government Affairs, Forescout

Nations—Not Individuals—Are After Your IP ---------------------------------------------------------------------- 126

By Ryan Benner, Anexinet

Video Intercom Systems Reinvent Building Security ------------------------------------------------------------- 130

By Melvin Braide, Content Writer

Cyber Defense eMagazineNovember 2020 Edition 4

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


@MILIEFSKY

From the

Publisher…

New CyberDefenseMagazine.com website, plus updates at CyberDefenseTV.com & CyberDefenseRadio.com

Dear Friends,

Viewing, as I do on a regular basis, both public reports and other resources on developing trends in cybersecurity,

I see continued focus on the effects of and responses related to COVID-19.

I’d like to reiterate my observation from last month: “As the months go by with no apparent resolution of the

COVID-19 impact on business, employment, and our economy in general, the importance of cybersecurity

continues to grow in every sector.”

As demonstrated by the articles we publish in Cyber Defense Magazine for November, the authors and their

organizations continue to address cybersecurity implications at all levels.

In the main, this is good news for our readers, as we are fortunate to receive for publication the best thinking and

guidance from the best cybersecurity professionals in the field today. The effects of COVID-19 on nearly all

enterprises which depend on cyberspace for their operations are growing. The actionable intelligence Cyber

Defense Magazine provides is the first and best means of meeting these challenges.

On that note, we are looking for infosec innovators who are one step ahead of the next threat, so we’ve opened

up our 9 th annual Global InfoSec Awards for 2021, this month. Nominations at www.cyberdefenseawards.com.

In addition to the relevant articles in the November issue, we are pleased to continue providing the powerful

combination of monthly eMagazines, daily updates, and features on the Cyber Defense Magazine home page, and

webinars featuring national and international experts on topics of current interest.

Warmest regards,

Gary S. Miliefsky

Gary S.Miliefsky, CISSP®, fmDHS

CEO, Cyber Defense Media Group

Publisher, Cyber Defense Magazine

P.S. When you share a story or an article or information about

CDM, please use #CDM and @CyberDefenseMag and

@Miliefsky – it helps spread the word about our free resources

even more quickly

Cyber Defense eMagazineNovember 2020 Edition 5

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


@CYBERDEFENSEMAG

CYBER DEFENSE eMAGAZINE

Published monthly by the team at Cyber Defense Media Group and

distributed electronically via opt-in Email, HTML, PDF and Online

Flipbook formats.

PRESIDENT & CO-FOUNDER

Stevin Miliefsky

stevinv@cyberdefensemagazine.com

InfoSec Knowledge is Power. We will

always strive to provide the latest, most

up to date FREE InfoSec information.

From the International

Editor-in-Chief…

From the international perspective, we can see growth and

deepening of the challenges we face in this time of the novel

Coronavirus.

Although there do not appear to be reliable statistics on the

correlation between national reports on newly diagnosed COVID-

19 cases and the adverse influence on the economic sector,

common sense tells us that such a relationship must exist.

Social distancing and isolation, whether voluntary or mandated,

continue to impact both financial and emotional wellbeing of

national and international populations.

In that context, we can but hope that in our world of cybersecurity

and privacy, there may be room for both national and global

interests.

While we don’t formally take positions for or against individual

national policies, we can only encourage cooperation and

compatibility among nations on cybersecurity and privacy matters.

Let me re-post my query from last month: “Hypothetically: What if

there were a vaccine against cyber exploits? Would it be shared

among nations? Could our hope for positive results overcome our

fear of national competitive disadvantage?”

I’d still like to think so.

To our faithful readers, we thank you,

Pierluigi Paganini

International Editor-in-Chief

INTERNATIONAL EDITOR-IN-CHIEF & CO-FOUNDER

Pierluigi Paganini, CEH

Pierluigi.paganini@cyberdefensemagazine.com

US EDITOR-IN-CHIEF

Yan Ross, JD

Yan.Ross@cyberdefensemediagroup.com

ADVERTISING

Marketing Team

marketing@cyberdefensemagazine.com

CONTACT US:

Cyber Defense Magazine

Toll Free: 1-833-844-9468

International: +1-603-280-4451

SKYPE: cyber.defense

http://www.cyberdefensemagazine.com

Copyright © 2020, Cyber Defense Magazine, a division of

CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a)

276 Fifth Avenue, Suite 704, New York, NY 10001

EIN: 454-18-8465, DUNS# 078358935.

All rights reserved worldwide.

PUBLISHER

Gary S. Miliefsky, CISSP®

Learn more about our founder & publisher at:

http://www.cyberdefensemagazine.com/about-our-founder/

8 YEARS OF EXCELLENCE!

Providing free information, best practices, tips and

techniques on cybersecurity since 2012, Cyber Defense

magazine is your go-to-source for Information Security.

We’re a proud division of Cyber Defense Media Group:

CYBERDEFENSEMEDIAGROUP.COM

MAGAZINE TV RADIO AWARDS

WEBINARS

Cyber Defense eMagazineNovember 2020 Edition 6

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Welcome to CDM’s November 2020 Issue

From the U.S. Editor-in-Chief

In receiving and reviewing the article submissions from over 30 authors for the November edition

of Cyber Defense Magazine, I am struck by the thoughtful and actionable information provided

by our contributors. They represent a broad range of professionals, from CISOs, to providers of

cybersecurity products and services, to commenters from other media. They do enjoy in

common a passion and willingness to share their knowledge and wisdom, all to our mutual

benefit.

To be sure, it’s not getting any easier. There are no cure-all solutions for the current challenges

of social distancing and isolation we are experiencing in the world of business, government, and

even personal use of cyber facilities.

My work in cybersecurity is grounded in my continuing study and writing on risk management.

Of particular note is the need to make informed decisions on the scope of risks to retain and

those to be laid off on others, such as through insurance and related resources. In that context,

I see the range of articles in the November issue as providing valuable information on meeting

the threats and risks we all face during this time of the COVID-19 pandemic.

May I commend your review of the Table of Contents first, so you can prioritize reading the

articles which most closely pertain to your own cybersecurity concerns. (I make this suggestion

with full confidence that all of the articles have value to all of our readers, just to differing

degrees.)

With that introduction, we are pleased to present the November 2020 issue of Cyber Defense

Magazine.

Wishing you all success in your cyber security endeavors,

Yan Ross

US Editor-in-Chief

Cyber Defense Magazine

About the US Editor-in-Chief

Yan Ross, J.D., is a Cybersecurity Journalist & US Editor-in-Chief for

Cyber Defense Magazine. He is an accredited author and educator and

has provided editorial services for award-winning best-selling books on

a variety of topics. He also serves as ICFE's Director of Special Projects,

and the author of the Certified Identity Theft Risk Management Specialist

® XV CITRMS® course. As an accredited educator for over 20 years,

Yan addresses risk management in the areas of identity theft, privacy,

and cyber security for consumers and organizations holding sensitive personal information. You can

reach him via his e-mail address at yan.ross@cyberdefensemediagroup.com

Cyber Defense eMagazineNovember 2020 Edition 7

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 8

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 9

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 10

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 11

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 12

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 13

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 14

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 15

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 16

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 17

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 18

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 19

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 20

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


4 Reasons Why Cyber Security Is Important in Your

Business

By Gabe Nelson, Content Specialist, Bonus.ly

Cyber-attacks are incredibly common and anyone can fall victim to them. Cyber-attacks can cause

electrical blackouts, failure of military equipment, and breaches of national security secrets. Entire cities

have been hacked and personal information is used maliciously.

While those might seem large-scale and unlikely to occur in your business understanding that no

computer or internet account is immune to the potential cyber-attack is key to having great cyber security.

Even small businesses run the risk of having valuable information stolen. Cyber-attacks are so common

it’s not a matter of if a data breach will happen but when because modern businesses rely heavily on

technology.

Smaller businesses are often easier targets for cyber-attacks because they lack the resources to set up

adequate cyber security. Don't let your business run the risk of being attacked; setting up a good defense

with cyber security is more important than ever. This can be ensured by hiring certified IT professionals

Cyber Defense eMagazineNovember 2020 Edition 21

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


who can be found using this State of It Jobs Map. Here are some reasons why cyber security is important

in your business:

1. Cyber-attacks Affect Everyone

Anytime your personal data can be taken by someone who is unauthorized to have it is considered a

cyber-attack. Data breaches are incredibly commonplace, which is why having adequate password

strength is crucial as a consumer. As a business owner, your customers and patrons trust you with their

information.

It’s not safe to assume you’re fine and no one would want to steal your business’ information. If you are

thinking about your business in terms of longevity, you want to stay on top of the cyber security trends

and protect the information.

As a business owner, the topic of cyber security might seem overwhelming and complex. However, a

basic understanding of technology is considered essential for running a business in today's world. It’s

also important that you are diligent in hiring certified IT professionals; especially if you have any kind of

online presence.

Cyber-attacks can be launched through email text messaging and voice phishing. And what may be even

worse, a reputational attack can be launched. This is where individuals post negative information on

social media websites and blog posts to harm your business’s reputation and brand image.

Cyber-attacks in security breaches can cause millions of dollars in damage to recover data and penalties

that need to be paid. All of these expenses can cause even large businesses to go under. Being prepared

with excellent cyber security could be the reason your business stays solvent. Protecting your financial

information allows your business to keep going forward.

Cyber-attacks cause downtime with businesses, meaning time spent where you will not be able to run

your business at all. The downtime your company endures could be hours, even days. The monetary

cost of each and operable hour might be devastating to your business.

Arming your business with cyber security not only protects your customer's information but also allows

your business to keep running as usual without interruption. What might seem harmless such as an

employee clicking a link in an email could open the doors to a complex cyber security attack disguised

as a bank notification.

Damages could include not only financial ramifications but also the possibility of job loss for employees.

If you want your business to succeed you need to be aware of cyber security issues. Unfortunately,

danger is literally lurking in every email unless you know what to look for. Don't let your business be at

risk for failure, stay on top of your cyber security.

Cyber Defense eMagazineNovember 2020 Edition 22

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


2. Reassure Your Customers

Your business reputation depends on you staying on top of cyber security. Your customers put their trust

in your business, and that you will keep their private information safe. To lose that trust could be

devastating for your company moving forward.

You need to reassure your customers that you are doing everything in your control to combat cyberattacks.

You may not be able to prevent cyber-attacks completely, but you can protect yourself from the

disastrous legal and public relations consequences of a data breach.

Staying on top of security updates is an easy way to prevent cyber-attacks. Many security hacks exploit

known holes in systems. Cyber security companies are often making updates in order to increase

security. But if you delay updates or even postpone them you leave yourself vulnerable to a cyber-attack.

Making cyber security a priority for your business is a smart move. You can reassure your customers that

you are doing everything in your power to keep their information safe and stay in business long term.

3. Security May Not Keep Up with Technology

There’s one thing for certain, technology

is updating frequently. And with a

change in applications, programs, and

even 5G capabilities comes changes in

how cyber security works. You need to

be sure that you’re following

recommendations and updating your

protections as you add new technology

to your business.

One way to limit cyber security issues is

to limit which employees can access

information. Most cyber-attacks are just

waiting for someone to slip up and make

an error. Limiting the number of people who can access data and information can help, but it probably

isn’t enough to prevent cyber-attacks altogether.

Because technology changes quickly malicious individuals are finding new and unique ways to attack.

Hackers can now utilize artificial intelligence to trigger automated cyber-attacks when they find an

opportunity to do so. Taking the time to educate your employees about cyber-attacks and your

companies’ risk is only the first step.

Cyber Defense eMagazineNovember 2020 Edition 23

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


The world is moving into using cloud computing more and storing personal information not on their

computers but in internet databases. This gives hackers more potential hacking options.

The increase in cyber vulnerabilities is not just limited to software and emails. Don’t trust cloud storage

alone to keep information safe.

If your business is updating its technology your cyber security options should also be updating. Do not

let your cyber security lapse or become an afterthought especially if you're storing customer information

or data. Even if your business isn’t utilizing the latest technology, the hackers certainly are.

4. Cyber Issues May Lead to More Legislation

Because cyber-crimes are getting more attention, legislators have stepped in to demand public

disclosure. There are national guidelines from the Federal Trade Commission that can help you respond

to a data breach. Plus, many states have their own laws that businesses have to follow.

Keep your business away from the risk of both data breaches and the consequences that could result.

Being forced to disclose a data breach could open you up to lawsuits and other fines which could damage

your business beyond recovery.

Certainly harsher penalties should be placed on perpetrators of attack but that's simply the first step.

Being sure to stay on top of any laws passed as a business owner and following cyber security

recommendations can help protect your business from any negative fallout from a cyber-attack.

A Final Thought

The good news is that with vigilance, many

attacks can be avoided. Businesses are

vulnerable to cyber-attacks but preparedness

can help prevent them. Staying on top of security

updates and making sure you’re aware of the

technologies your business uses and that they’re

adequately protected is a great start to keeping

attacks at bay.

Cyber security will never stop being important; in

fact, it will likely become more important every

year. Keep your business strong and your customer’s information safe when you take cyber security

seriously.

Cyber Defense eMagazineNovember 2020 Edition 24

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


About the Author

Gabe Nelson is a content specialist of over 7 years of experience,

currently working with Bonus.ly. Bonus.ly is a company that helps with

employee recognition to bring teams together. Just out of high school

he set off crab fishing on the Bering Sea in Alaska. From there he went

back home to finish his college degree at the University of Montana. He

has a passion and keen understanding when it comes to Employee

Relations inside and out. He has written hundreds of content pieces in

numerous niches. Currently, he lives in Missouri with his wife and kids.

Gabe can be reached online at:

https://twitter.com/GabeBNelson

https://www.linkedin.com/in/gabrielnelson87/

and at our company website https://bonus.ly/

Cyber Defense eMagazineNovember 2020 Edition 25

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Changing Cybersecurity Culture One Habit at A Time

By George Finney, Chief Security Officer for Southern Methodist University and Author of

Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future

My first job out of college was at a call center doing tech support for an Internet Service Provider. This

was a long time ago, but one of the first things I learned were the phrases “ID10T Error” and “PEBKAC”.

Both were jabs at the sometimes-frustrating customers who would do weird things like use their CD tray

as a cup holder. We still use these acronyms today and have built them into our culture as though they

were a motto.

In cybersecurity, everyone knows our secret motto:” people are the weakest link.” We say this even

though it’s totally wrong. People aren’t the weakest link. As Lance Spitzner of the SANS Institute says,

“People aren’t the weakest link, they are the largest attack surface.” And this way of thinking is making

us less secure.

In the 1960s, Lenore Jacobson conducted an experiment. Jacobson was an elementary school principal,

and she had just read an study by psychologist Dr. Robert Rosenthal about how expectations can lead

Cyber Defense eMagazineNovember 2020 Edition 26

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


to higher performance. So she set out to give all the students in her elementary school an IQ test. Then

she shared this information with the teachers. But she lied to the teachers about the students’ scores.

The students that she said had the highest test scores were actually the lowest and vice versa.

At the end of the school year the students were tested again. The students that the teachers believed to

have the highest scores in the beginning made significantly more improvement than the students the

teachers believed to have the lowest scores. What mattered more than students innate intellectual ability

was the teacher’s belief that the students were “intellectual bloomers”.

If we in the cybersecurity community believe that people are the weakest link and always will be, then

our belief will ensure that this comes true. But what if we believed something different?

When I came into my role as a CISO, I did a monthly report to my executive team with lots of dashboards.

I was constantly searching for metrics that should show how effective our security program was. There

are lots of metrics you can report on, like the total volume of attacks, that are helpful to understand the

scope of the problem, but don’t reflect how good a job your team is doing. A large volume of attacks

doesn’t mean you aren’t good at your job, it just means that you are a large target.

We began sending simulated phishing messages to our users in 2014, and I started reporting on the

number of users that clicked on the phishing links. Over time this number went down, but I realized that

this metric didn’t tell the whole story. Focusing on how low the percentage got focused on the negative

aspects of my campaign and distracted from the positive. Instead of saying that we reduced our click

through rate down to 3%, I started saying that we increased our phishing recognition rate to 97%.

For me, this was a big change. Instead of normalizing bad behavior, I started sending the message that

the vast majority of our community was highly effective at recognizing phishing.

This approach was, for lack of a better term, infectious. In my security awareness newsletters, I began

using images that are of people, not random pictures of technology, to reinforce the message that people

are the ones we’re protecting. I began telling stories of how people were impacted by security incidents,

and more importantly how they responded. I wanted to show my community how to improve rather than

constantly telling them to improve.

But all this required that I let go of the belief that people are the problem and I had to start believing that

they were the solution. And one of the ways that I’ve changed my security program is to embrace what I

call “fearless learning”. When someone makes a mistake, whether or not they can learn from that

mistakes comes down to whether they’re afraid of changing afterwards. If they feel like they could me

made a scapegoat and be fired means, from a neuroscience perspective, that their cognitive capacity will

be reduced. We see this degradation of mental capacity effect in all kinds of stressful situations.

When a user clicks on a phishing message, I never report this information to anyone. I’ve gotten requests

from people who want to use this information to discipline employees. I’ve resisted this at all costs

because I want to create a culture where users have a safe environment to learn and practice before

there is an incident. I do this because I believe that they can change their habits. And I’ve seen that this

is possible.

Stanford Professor BJ Fogg believes the reason we fail at changing things in our lives is because we

start big. In his book, Tiny Habits, he describes habits as a rope with hundreds of knots. If you go for the

largest knot to unravel, you will fail. But if you loosen an easy knot, you will be able to work your way up

to the bigger challenges. And with each small knot, you build your own skill at mastering change.

Cyber Defense eMagazineNovember 2020 Edition 27

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Changing our cybersecurity cultures may seem like an insurmountable problem, but it’s not. We can start,

not just small, but tiny. We need to make it incredibly easy to get started. We need to celebrate even the

smallest successes rather than condemning mistakes. And over time, we can start to build momentum.

As I’ve researched the habits we use in cybersecurity, I distilled all of the advice and training we give to

people down to nine distinct categories of habits. The habits are: Literacy, Skepticism, Vigilance, Secrecy,

Culture, Diligence, Community, Mirroring, and Deception.

The nine cybersecurity habits are what Fogg calls constellations of tiny habits. Changing works best when

you focus on related habits all at the same time. If you miss a habit for a day because you went on

vacation, that’s ok. If you only do the minimum, you still celebrate because you’re building a lasting habit.

And you get the satisfaction of knowing that you’re not just protecting yourself, but you’re protecting those

around you as well.

Can making tiny changes really change the whole culture of an entire organization?

To be successful, we need to start small. We don’t need to change everyone all at once. But to start, we

do need a small committed group of people to be our vanguard. These will create a tipping point to

change our culture. According to Dr. Damon Centola at the University of Pennsylvania, the tipping point

for creating large scale change is only around 25% of the population of a group.

25% is still a large number, but we don’t need to start big. We can start by working with 10 people to

teach them how to change their cybersecurity habits. And if we deputize them to be cybersecurity habit

evangelists, each of them can teach 10 more. But it starts with believing people are the solution to our

cybersecurity challenges.

Changing culture won’t happen overnight. But it will happen if we change one habit at a time.

About the Author

George Finney is a CISO, author, speaker, professor, and consultant who

believes that people are the key to solving our cybersecurity challenges. He

has worked in cybersecurity for nearly 20 years and has helped startups,

global telecommunications firms, and nonprofits improve their security

posture. As a part of his passion for education, George has taught

cybersecurity at Southern Methodist University and is the author of Well

Aware: Master the Nine Cybersecurity Habits to Protect Your Future. George

has been recognized by Security Magazine as one of their top cybersecurity

leaders in 2018 and is a part of the Texas CISO Council.

George can be reached via LinkedIn, Twitter @wellawaresecure, and on his

website where you can find more information about the nine cybersecurity

habits http://www.wellawaresecurity.com/

Cyber Defense eMagazineNovember 2020 Edition 28

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


In the Midst of the Pandemic, Cybersecurity

Professionals Show an Uptick in Job, Salary Satisfaction

Despite High Stress Levels

By Samantha Humphries, security strategist, Exabeam

Interested in a career in cybersecurity -- or are you wondering what your peers in the space are thinking?

Exabeam’s 2020 Cybersecurity Professionals Salary, Skills and Stress Survey, compiled from a survey

of 351 international security professionals has revealed some interesting findings:

Cybersecurity professionals are satisfied and secure in their jobs despite high-stress levels

● Ongoing education and automation are opportunities for positive change

● Diversity is still low, but moving in the right direction

Cyber Defense eMagazineNovember 2020 Edition 29

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Fifty-three percent of participants reported they felt their jobs were “stressful” or “very stressful.” Further

analysis results reveal that professionals in medium businesses with 251-500 employees are more

stressed than their peers in smaller and large enterprises. Based on respondents’ titles, SOC content

creation engineers and security engineers reported the highest stress (at 80% and 75%, respectively). In

terms of the type of work, participants with packet analysis and penetration testing responsibilities

reported the highest stress (57% and 58%, respectively). And respondents in Australia cited the lowest

stress levels compared to their peers in the U.S., Australia, Singapore, and Germany.

Yet, despite the high levels of stress, an overwhelming majority (96%) of cybersecurity professionals

stated they were happy with their role and responsibilities, and 89% reported being secure or very secure

in their careers. Seventy-seven percent cited a positive work/life balance.

Respondents were also satisfied with their salaries. Eighty-seven percent of respondents reported they

are pleased with their wages and earnings. Salary satisfaction was generally similar, regardless of

gender, industry, company size, or title. The one notable difference was a lower salary satisfaction

reported by respondents without a college degree.

Figure 1: Eighty-seven percent of cybersecurity professionals report satisfaction with their current

salaries.

The paradox between high job stress and high job satisfaction could be related to the inherent nature of

cybersecurity itself. Cybersecurity is just hard work. Security professionals accept and embrace this

reality.

Senior managers should be aware of their staff’s stress level and proactively reach out to their teams.

Fifty-four percent of respondents reported that frequently communicating with their managers about their

objectives is a primary method for managing heavy workloads. Managers should be empathetic in their

endeavor to understand and address factors contributing to their employees’ high-stress levels.

Cyber Defense eMagazineNovember 2020 Edition 30

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Senior leaders: Use ongoing education and automation as career levers for your team

Senior leaders should also take an active interest in their team’s career paths, including their ongoing

education. Investing in training would help employees develop advanced skills, open up new job

opportunities, and enable organizations to deal more effectively with new, emerging threats.

Many cybersecurity professionals are highly educated and value learning. Sixty-six percent cited being

self-educated. Ninety-six percent of respondents have a degree or have completed some college. Of

those with a degree, 43% hold a master’s degree. Regarding ongoing learning, 34% are participating in

continuing education, with 33% using their funds.

Figure 2: A significant number of security staff fund their own education leaving an opportunity for

employers to add training as a benefit.

Education and training are also critical, given the increase and importance of automation in cybersecurity.

Eighty-eight percent of respondents believe automation would make their jobs easier. Forty percent are

currently using artificial intelligence and machine learning. Eighty-six percent believe SOAR technology

can help security analysts and SOCs improve SOC response times.

Despite the use of automation and the view that it simplifies cybersecurity work, 47% of respondents also

believe it’s a threat to their jobs.

Cyber Defense eMagazineNovember 2020 Edition 31

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Figure 3: Forty-seven percent of respondents view automation including AI and machine learning as a

threat to job security.

Security leaders should reassure staff members that automation improves productivity and outcomes

rather than eliminate jobs. Leaders can discuss how automation provides security professionals with an

opportunity to transition from lower-valued activities to other high profile, strategic projects. Senior

security leaders may also consider partnering with their IT peers to share automation best practices

further to alleviate concerns.

Diversity is still low, but remote work provides an opportunity to accelerate change.

Last year, our survey highlighted the lack of diversity in the cybersecurity profession. This year, there’s

been some progress as 21% of respondents self-identified as women. However, our survey also revealed

that women in most countries are paid less than their male counterparts.

As remote work continues to take hold in most organizations, senior managers have an opportunity to

diversify their workforce further by recruiting talent from anywhere in the world. A diverse team can bring

creativity and new out-of-the-box ideas to cybersecurity. Studies have shown that diversity is a

competitive advantage. Another related study found diverse groups make better decisions 87% of the

time. In particular, women carry a high level of emotional IQ and empathy, which aids in facilitating team

collaboration. To protect users within an organization, cybersecurity teams should reflect a broader, more

diverse workforce to address threats that are continually changing. Fresh ideas, better teaming, and new

cybersecurity approaches will yield positive results for the business and professionals.

Download the full 2020 Cybersecurity Professionals Salary, Skills and Stress Survey report for further

insights from your peers.

Cyber Defense eMagazineNovember 2020 Edition 32

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


About the Author

Samantha Humphries has 20 years of experience in

cybersecurity, and during this time has held a plethora of

roles, one of her favourite titles being Global Threat

Response Manager, which definitely sounds more glamorous

than it was in reality. She has defined strategy for multiple

security products and technologies, helped hundreds of

organizations of all shapes, sizes, and geographies recover

and learn from cyberattacks, and trained many people on

security concepts and solutions. In her current role at

Exabeam, she has responsibility for EMEA, data lake,

compliance, and all things related to cloud. Samantha authors

articles for various security publications, and is a regular

speaker and volunteer at industry events, including BSides,

IPExpo, CyberSecurityX, The Diana Initiative, and Blue Team Village (DEF CON).

Cyber Defense eMagazineNovember 2020 Edition 33

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


3 Educational Cyber Security Steps for The Protection of

Your Personal Data

By Ankit Rajpurohit

1. Data protection on the Internet

Our data is collected, stored, analyzed, sold, and exchanged like never before. And we should not forget

that they are often stolen and abused.

Data has become a "currency" for many digital services that we receive "for free. Instead of currencies,

people pay by sharing their data across countless applications. This trend of data as currency concerns

every part of our lives - networked homes, connected cars, health and fitness management, map and

traffic tools, online shopping. Consumers do not trust companies in terms of their data, but they do not

know what to do about it.

Given the numerous excesses and cases of data leaks that filled the headlines, our position is that you

need to start an open conversation with your consumers about how you use and protect their data.

Cyber Defense eMagazineNovember 2020 Edition 34

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


That almost always triggers a bigger debate. How do we do that? What about data and privacy? How do

we strike a balance between openness and sharing too much information?

For many brands, this may be the first situation in which they will have to work deeply on reputation and

crises or problems. Companies may witness fans of their brand turn into "techruptors" - a pioneering

audience that research shows will be at the forefront of the demand for change in the way companies

operate and treat them. So we advise you to be proactive, inform yourself and prepare for the coming

changes, and thus increase the chances of keeping the "techruptors" as your allies and fans.

2. Misuse of personal data on the Internet

The expansion of social networks also has a "dark side" - there is a noticeable increase in criminal

activities aimed at users. We are witnessing a qualitative and quantitative expansion of social networks.

This expansion, however, also has a "dark side" - there is a noticeable increase in criminal activities

directed at users.

Privacy is the cancer-wound of online social networking. Although it is not possible to say that all services

on the Internet put privacy at the forefront, in social networks, privacy is most drastically, most concretely,

and most often violated. Users themselves post personal information, data, and material that belongs to

the private domain, and then share it with other users. In this way, they unknowingly and directly provide

an opportunity for their data to be misused.

The user's privacy is violated by the very publication of any information on the social website because it

automatically belongs to the company and remains stored on its servers even when the user closes the

account.

By accepting strangers as friends on social networks, the user risks that his data, which he shares only

with friends, will be used for various purposes. Private data such as e-mail addresses can reach spam

lists so that the user receives e-mail of his own free will, which is usually of a commercial or propaganda

nature. Visiting suspicious links on social

networks, for example, puts the user at risk of

becoming infected with "harmful" software,

exposing the data to the public, and becoming

a subject of fake multimedia content.

Bearing in mind that most, if not all social

networks are based on economic business

principles, the technical platform of social

networks is designed to collect from users the

data necessary to meet and communicate with

others, but also data that are segmented and

used in filtering. marketing purposes.

It is noticeable that personal data from social

networks are used to realize the initial stages

of a certain criminal activity, while the sequel is

realized classically, in the real world.

In this context, social networks are used to find collaborators and perpetrators of criminal activity, to

recruit victims to prepare the crime, to gather relevant information, to assist in carrying out certain

Cyber Defense eMagazineNovember 2020 Edition 35

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


activities, to provide funds and the like. With the advent of social networks and the spread of electronic

transaction services, criminals have, so to speak, begun not only to innovate methods for committing

fraud but also to automate personal data collection techniques to make as much money as possible.

Cybercriminals use social engineering and phishing techniques to access the victim's personal

information. In this way, victims can suffer significant financial losses or, in more serious cases, even the

loss of "electronic identity", which is used for criminal purposes. The damage caused by data theft,

therefore, should not be expressed only in financial loss but also in the loss of psychological integrity of

personality, reputation, and credibility.

Users of social networks, due to the lack of education regarding the dangers to which they are exposed,

recklessly leave information and multimedia content on their profiles that can be misused by differently

motivated Internet users. In addition to being at risk of violating personal privacy and abusing private

content, users are at risk of political or ideological manipulation.

The information posted on a social network can be misused by a criminal. Users, unaware of the dangers,

leave information about their residential address, telephone numbers, information on whether they live

alone or in a community, etc.

3. How to get more secure codes

When we think about the privacy of our data, the first thing that comes to mind should be the password.

Why? Because, in essence, the classic symmetric encryption is reduced to the code that the user enters

and the data to which that code is applied using a certain algorithm a finite number of times. Let's look at

where we rely on codes today to protect ourselves from attackers and preserve privacy. First, we all use

email, then social networks, maybe we are active on forums or use one of the cloud storage services,

there is also access to our computer or phone, wireless (Wi-fi) network to which we are connected, et

cetera. The list can be tediously long, and you have to take care of all these codes to access a particular

account.

The Internet user has more than 10 different accounts, that number of exact codes is not easy to

remember, and it can be especially difficult to remember which code is for which account. To make

everyday life easier for the average user, there are password managers in the cyber world.

Cyber Defense eMagazineNovember 2020 Edition 36

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


More importantly, there are those among them who are open source. Password managers, like Keeper

Password Managers, will generate a random password/phrase of the desired length and security for your

account, storing it in an encrypted database with other accounts. The database of all your accounts is

encrypted with one code that you must remember. The advantage of the Keeper Password Manager,

which you can read more about here, is that you remember one password instead of each account

separately. There are also network password managers who synchronize the encrypted password

database with a network server. That way, if you lose your device where you kept the passwords, you

can still access your passwords stored on the server. Redundancy of all your ciphers is really necessary,

especially if you are not good at remembering ciphers. How you generate and where you store the codes

is definitely up to you.

Cyber Defense eMagazineNovember 2020 Edition 37

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Using secure passwords is not difficult, and programs like password managers make it as easy as

possible. It’s definitely worth a little effort around your ciphers, not because we’re hiding something, but

so we don’t get a headache when some hacker breaks in.

About the Author

Ankit Rajpurohit is a tech lover and enthusiast who prefers to

write about security steps, internet protection, and how to prevent

your devices from hackers and potential harm. His main goal is

to help people, through his articles, to upgrade their online

protection.”

Cyber Defense eMagazineNovember 2020 Edition 38

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Why Cybersecurity Awareness is More Important During

COVID-19

Do you know the need for cybersecurity training for your organization? If not, learn more about the

importance!

By Susan Alexandra, Contributing Writer

Cyber-attacks, malicious activity, and phishing scams have significantly increased during this pandemic

of COVID-19. With that, it has highlighted the importance of cybersecurity more than ever before. There

have been reports of hackers and cybercriminals exploiting the pandemic with fake websites, money

scams, and emails being phishing scams.

So, we thought of spreading awareness about cybersecurity. That being said, here are some areas for

you to consider within your personal and organizational cybersecurity.

Phishing and the COVID-19 Pandemic

As the public seeks details on the global pandemic, coronavirus phishing attacks have targeted recent

trends in news and statements released by governments.

As a result of coronavirus-related phishing attacks, the National Fraud Intelligence Bureau (NFIB)

reported a 400% rise in scams.

Recent campaigns have also seen cybercrimes build emails masquerading and fake websites as official

authorities, like the HMRC and World Health Organization, to compromise accounts, steal personal

information, and hack malicious apps.

The most common scams are those which claim to share tips about how to prevent infection, access to

personal protective equipment, provide financial support advice, and offer updates about virus spread.

Cyber Defense eMagazineNovember 2020 Edition 39

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


According to a study, the click rate for phishing attacks has increased from less than 5% to more than

40% for COVID-19 scams. This number was increased significantly by provoking fear and curiosity

amongst individuals.

Remote Work Vulnerabilities

Work from home has now become the new standard; however, there is a rise in threats for several

businesses. Around 95 percent of Cybersecurity professionals claim they face additional challenges, with

new remote work demands and increased threats.

The sudden change in circumstances has changed the way employees access business applications

and increased the potential of future attacks.

To steal sensitive information, hackers exploit several vulnerabilities in unsecured Wi-Fi and to take

advantage of workplace disruption.To stay safe from such exploitation, you must download VPN to keep

your sensitive information safe.

With some workers forced to use personal devices for work tasks, the risk of malware finding its way on

devices has also increased, resulting in personal and work-related information being compromised.

These devices also lack the resources built into corporate networks, including custom firewalls, corporate

antivirus software, and online backup resources. The use of personal computers offers hackers many

chances to exploit.

Some organizations are also urging their staff to turn off voice assistants and smart speakers like Apple

HomePod, Amazon Echo, and Google Home devices to prevent fraudsters from listening to confidential

conversations and conference calls.

The Northeastern University study shows that smart speakers accidentally activate as many as 19 times

a day, recording as much as 43 seconds of audio each time. The latest research also shows that 59

percent of smart speaker consumers have concerns about privacy, with front and center undesirable

listening and data collection.

Even in regular times, remote working can make people vulnerable to attacks. The current environment,

however, has created the perfect storm where spammers, hackers, and scammers will thrive.

Zscaler researchers say they have seen a 15% -20% increase in hacking incidents every month since

January, and a rise in hacking threats using terms like "Covid-19" or "coronavirus."

Video Conferencing and COVID-19

Just like any other technology, video conferencing is also at risk for the privacy and security of personal

information if not appropriately handled. With organizations and individuals increasingly relying on video

conferencing, hackers have been targeting the opportunity quickly.

As a result, fraudsters and cybercriminals have managed to enter video conferencing calls as well as

eavesdropping on private conversations, hijacked screen controls, and launched many malicious attacks.

Security issues were posed earlier this year when a UK cabinet meeting's Zoom ID was posted in a social

media post. Some of the cabinet ministers' usernames were also identified along with the ID, which

allowed hackers to access the private meeting.

Cyber Defense eMagazineNovember 2020 Edition 40

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


The Washington Post also revealed that thousands of Zoom meetings can be accessed online, including

financial meetings, counseling sessions, school classes, and telehealth calls that exposed children's

faces and other details.

While most applications for video conferencing have controls that can be programmed to minimize these

hazards, it also poses a variety of additional dangers, such as having sensitive data displayed in the

background of the video or unintentionally displaying confidential information on the screen. With saying

that, user education is essential for raising awareness about the risks of video conferencing and how to

alleviate them.

Combatting Business Email Compromise During a Crisis

With the significant increase in coronavirus-related phishing attacks around the world, business email

compromise attacks are now considered one of the biggest threats facing organizations.

BEC attacks are expected to double each year to over $5 billion by 2023, according to Gartner, leading

to major financial losses for companies by 2023.

Though relatively easy to execute and low-tech, these sophisticated scams not only cause devastating

financial losses but also affect organizational integrity, relationships, and the trust of stakeholders.

A study took place in February, and according to that, BEC attacks increased by nearly 25 percent,

ranging from fake invoices to CEO frauds and compromising employee email accounts. To further

leverage Covid-19 fears, fraudsters have been cashing in by asking companies to contribute to bogus

charities and invoicing for cleaning products and PPE.

Fraudsters and hackers are continually changing their strategies to take advantage of new

circumstances, and this pandemic is no exception. When cybercriminals increase their efforts, knowledge

of these emerging threats and tactics becomes the most effective tool against them.

Scammers will be swift to take advantage of any security lapses, and organizations should continue to

empower and educate staff to remain vigilant. Cybersecurity is the responsibility of all, and creating a

culture of cyber awareness with so many potential attack points is the key to improving security.

About the Author

Susan Alexandra is an independent contributing author at SecurityToday

and Tripwire. She is a small business owner, traveler and investor in

cryptocurrencies.

Cyber Defense eMagazineNovember 2020 Edition 41

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Ransomware Is Evolving

These attacks thrive on overprovisioned administrator access. Understanding where data resides, and

adopting zero standing privilege are key.

By Jeff Warren, General Manager, Products, Stealthbits Technologies, Inc.

When most people think of a ransomware attack, they probably imagine their company coming to a

screeching halt as the infection spreads across the network, encrypting everything in its path and leaving

a trail of ransom notes in its wake. This type of devastating event can take an organization down for

hours, days, or indefinitely. Regardless of whether the ransom is paid, however, the cost of these attacks

can be astronomical.

These days, companies are better prepared for catastrophic events, with detailed incident response and

disaster recovery plans in place. Increased cloud adoption also makes this more achievable and helps

avoid ransomware-related downtime. There is a growing community drive to help infected organizations,

with initiatives like The No More Ransom Project, which exists to help companies avoid ransom payments

and decrypt their data for free. Additionally, law enforcement agencies, including the FBI, are advising

victims not to pay these ransoms as the proceeds help fund further cybercrime.

Ransomware groups are aware of these trends and are responding with a renewed focus on the added

exfiltration of sensitive data, which they can use to extort companies into paying an even more exorbitant

ransom.

Ransomware’s New Tricks Are After Your Sensitive Data

The goal of ransomware has never been crypto-locking an organization’s IT network – that’s just a means

to an end. Ransomware is about extorting a ransom payment, by any means necessary. As organizations

become more prepared to recover from a crypto-ransomware event, attackers are pivoting into new ways

of putting the pressure on organizations to pay up.

The threat of a data breach is enough to get any organization’s attention. This has become a weapon of

choice for the Maze Ransomware Group, which has been involved in several high-profile ransomwareattacks-turned-data-breach

this year. At first, they will crypto-lock your systems, and then if the ransom

is not paid, they will leak compromised sensitive data to force their victim’s hand. They have even gone

Cyber Defense eMagazineNovember 2020 Edition 42

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


as far as hosting a “Name and Shame” site where they will expose a company’s private data to the world

to prove they have it.

This behavior is a logical extension of the more advanced, human-operated tactics that have been used

in targeted ransomware attacks. Once an adversary lands within a victim’s network, they perform

reconnaissance, learn the lay of the land, and gradually expand their foothold, acquiring more privileges

as they go. We’ve seen common malware variants leveraged by multiple attack groups like the Emotet

malware, which comes with an evolving bag of tricks to commoditize this infection and lateral movement.

This process typically ends with Domain Administrator access within an Active Directory domain and

provides the attackers carte blanche ability to move within the organization and access any and all data,

including sensitive personnel and customer records. It’s a simple behavior change for these adversaries

to gather and exfiltrate this data prior to dropping a crypto-ransomware payload.

The Maze Ransomware Group isn’t alone in this approach. We’ve seen other recent examples of attacks

resulting in data breaches affecting students in the Clarke County school district and children and parents

participating in Child Protective Services. Each of these attacks leaked information including Social

Security Numbers, showing attackers have no remorse when it comes to putting the identities of innocent

bystanders in their wake – even children.

This seemingly subtle, yet highly substantial evolution in ransomware is catching companies off guard.

The focus has been on recovering from a ransomware attack, not mitigating a data breach. Whether a

ransomware attack constituted a data breach had once been a debated topic that was taken on a caseby-case

basis, but that is quickly becoming a thing of the past as the data is undoubtedly stolen and, in

many cases, exposed.

This shift in behavior by ransomware groups should not be taken lightly. The message is loud and clear.

Attackers will go to whatever lengths necessary to extort a ransom payment, and the identities of millions

of unsuspecting victims are at risk.

An Attack on Data Privacy

This behavioral shift is concerning in more ways than one. It’s hard enough to protect your network from

crypto ransomware. Now, with each ransomware attack equating to a potential data breach, new

challenges arise.

Recently, companies have been more focused on data privacy with the rise in regulations such as the

EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

These regulations place a greater responsibility on organizations to protect their customer and employee

data and improve data breach notification policies. Failure to comply can result in fines, and even class

action lawsuits by affected individuals.

As if ransomware wasn’t costly enough, modern privacy regulations up the ante. As a result, new

strategies are needed to shift focus from recovering from a ransomware attack to mitigating the risks

associated with credential and data theft and protecting your critical data from the prying hands of

attackers.

Cyber Defense eMagazineNovember 2020 Edition 43

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


You Can’t Protect What You Don’t Know

Traditional ransomware strategy would dictate you just need to be able to blow away compromised

devices and restore from backup. While this is still a costly endeavor, it is becoming more and more

reasonable, and admittedly still worthwhile. With ransomware focusing on exfiltration before encryption,

data security now lands squarely in the middle of ransomware prevention.

The first step to mitigating a data breach is to gain an understanding of where your data resides. This is

also typically required for companies undertaking Data Privacy Impact Assessment (DPIA) or a Data Risk

Assessment (DRA).

While many organizations can point to where customer and employee data enters their organization, its

typically difficult to track where it goes from there. Examples of activities that can lead to data sprawl for

sensitive customer data can include:

• Extracting information from applications into spreadsheets and saving them to network file shares,

collaboration sites, or sending as email attachments

• Pasting or discussing sensitive information within chat applications like Microsoft Teams or Slack

• Creating copies of production data for development or integration testing

• Employees saving local copies of customer data to their laptops to work with, and then leaving them behind

If you don’t take the time to locate this data within your network, you can trust that your attackers will.

Once you can identify and corral your sensitive data, you can now focus on protecting it.

Zero Trust is Not Enough, It’s Time for Zero Standing Privilege

Most ransomware attacks follow similar patterns. After the initial infection occurs within the network, they

will go through a pattern of credential compromise, lateral movement, and privilege escalation. These

attacks thrive on overprovisioned administrator access, and in many cases can compromise an entire

Active Directory domain within hours of initial compromise.

Many cybersecurity initiatives have focused on implementing the tenets of a Zero Trust Model, with the

mantra of “never trust, always verify” and a focus on implementing a least privilege model and adopting

strong authentication. All of this is a great step towards improved security and mitigation of data breach

activity.

However, attackers have proven they can still patiently learn the ins and outs of any network,

masquerading as legitimate users, bypassing multi-factor authentication (MFA) and other obstacles put

in their way. One of the primary contributors to this being possible is an overabundance of privileged

accounts that maintain persistent access to an organization’s IT infrastructure. Regardless of whether

privileged account credentials have been rotated, attackers can still compromise these accounts and

leverage the artifacts they leave behind to move laterally on their way to privileged escalation, and

ultimately domain dominance.

A new focus needs to be on evolving the Zero Trust methodology to one of Zero Standing Privilege,

where persistent privileged access is removed altogether, specifically for privileged accounts. This

doesn’t mean only Domain Administrator and root accounts with full administrative access; this includes

any users with highly privileged access to your critical systems and private data.

Cyber Defense eMagazineNovember 2020 Edition 44

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


When these individuals need access, they must go through special procedures to be granted just enough

access, only when they need that access, and then the privileges should be entirely removed when their

privileged activity is done.

The removal of the vast majority of privileged accounts is what will ultimately reduce the attack surface

every organization is struggling to defend. It raises the drawbridge around your sensitive data, keeping

attackers out. This not only helps companies protect themselves from ransomware attacks, but keep the

data and identities safe for the individuals who they rely on the most – their customers and employees.

About the Author

Jeff Warren is Stealthbits’ General Manager of Products. Jeff and his

teams are responsible for designing and delivering Stealthbits’ high

quality, innovative solutions. He has held multiple roles within the

Technical Product Management group since joining the organization a

decade ago, initially building Stealthbits’ SharePoint management

offerings before shifting focus to the organization’s Data Access

Governance solution portfolio as a whole. Before joining Stealthbits, Jeff

was a Software Engineer at Wall Street Network, a solutions provider

specializing in GIS software and custom SharePoint development. Jeff

holds a Bachelor of Science degree in Information Systems from the University of Delaware.

Jeff can be reached on Twitter at @SbitsJeff and at our company website https://www.stealthbits.com/

Cyber Defense eMagazineNovember 2020 Edition 45

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


How COVID Tests the Resilience of Your Cloud Data

Infrastructure

By Noah Johnson, Co-founder & CTO, Dasera

In recent years, we’ve seen a massive shift as companies eliminate the physical restraints of IT

infrastructure and its users by moving to a cloud-based computing environment. According to a Gartner

forecast from November 2019, worldwide public cloud revenue is predicted to increase to a whopping

$308.5 billion.

“As organizations increase their reliance on cloud technologies, IT teams are rushing to embrace cloudbuilt

applications and relocate existing digital assets.”

While this is great for convenience and your wallet, the security of your infrastructure comes into question

when so many businesses have shifted to a work from home setting, whether permanent or temporary.

How resilient is your cloud data infrastructure when the safety net of the perimeter is gone, and what is

the best way to protect yourself and your data moving forward?

COVID-19 and the new environment

We have seen so many changes this year in how we live our lives that it’s become hard to keep up. While

the big shifts, like permanent or extended work from home, have been obvious changes, what about the

more subtle ones, like protecting your business while your employees are working remotely?

The attacks on cloud services more than doubled in 2019. In the Red Book of Insider Threats, Amol

Kulkarni, Chief Product Officer at Crowdstrike mentions a 330% increase in e-crime attacks since the

Cyber Defense eMagazineNovember 2020 Edition 46

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


start of the pandemic. In the same book, Jintendra Joshi, the Head of Information Security at BetterUp

says, “In the post-COVID world, our perimeters have disappeared and the line between trusted insiders

and outsiders have blurred.”

Without the safety net of the perimeter in-office, companies need to innovate when it comes to their

security just as much as they’ve had to with remote work.

Personal networks

The biggest security issue that companies face right now is the simple fact that employees and

contractors have to access the cloud via less secure personal networks and personal devices. This

means that before 2020, protecting your networks or endpoints was the simple solution to cloud data

breaches, the solution that blanketed all of your employees under one security umbrella. With your

employees working from home or using personal devices, that security umbrella has all but closed.

Instead of focusing on the missing blanket, businesses should put a magnifying glass on how data is

being used by employees in order to protect against cloud data breaches. This approach is based on two

salient points:

• Security has to be applied at runtime, rather than just at rest or after the fact

• Security has to sit closer to the source i.e. the datasets where sensitive data is stored

Adopting a proactive approach that protects data upstream and at runtime doesn’t have to be

complicated; all it takes is foreseeing how data is used in normal situations and identifying anomalies that

can result in breaches.

Let’s use two scenarios that can potentially be very dangerous in the current COVID pandemic.

Know when an employee is being unnecessarily inquisitive

The pandemic has left a trail of employees experiencing remote work burnout. Reports suggest as many

as 69% of employees are experiencing burnout symptoms while working from home. Combining this with

employees taking fewer holidays means lesser opportunities to decompress and relax. Tired and

frustrated employees might also behave recklessly or become prone to errors of judgement.

This leads to situations where people might use cloud data in ways that are not appropriate or in line with

company ethics and policies. For example:

• Looking at a celebrity’s PII data out of inquisitiveness (e.g. health issues or items bought)

• Finding out what their partner or ex has been doing in an app (e.g. purchase/ messaging history)

• Checking out data on their peers’ work (e.g. sales performance of other reps or territories)

How you can build resiliency: every time a data request hits a cloud repository, it generates a SQL

query. This SQL query holds the key to understanding anomalous behaviors. AI solutions like Dasera

can identify when a possible (accidental or malicious) privacy violation happens. Alternatively, if the

number of data requests per day aren’t too high, the security ops team should review the logs manually.

Cyber Defense eMagazineNovember 2020 Edition 47

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


If a violation occurs, bring it up with the person, their manager, and in some cases (e.g. repeat offenders)

send the case to HR or the person in for training.

The extra line of defense against a credential thief

External hackers are leveraging the uncertainty of the times and the additional vulnerability of remote

teams to step up their phishing attacks and stealing credentials. Once an external attacker possesses

valid credentials, it’s very hard for security teams to differentiate between an actual user (who’s getting

work done) and a thief trying to steal information.

Attackers now apply several sophistications in their exfiltration attempts in order to bypass established

security systems that monitor user behavior. Once again the SQL acts as the best possible means to add

an extra layer of protection against nefarious activities.

How you can build resiliency: AI can once again understand which data fields are more sensitive and

personal in nature (e.g. emails, social security numbers) compared to others (e.g. last purchase date).

Algorithms can also detect even the most sophisticated exfiltration attempts on these fields e.g. data

downloaded in randomized batches that are not big enough to flag alerts in your current security stack.

How resilient would you say your cloud data in use is?

The question readers should ask themselves at this point is: am I 100% certain neither of the above

scenarios happened in our organization since March or April 2020? Shopify just announced two of its

employees siphoned off customer data for personal gain. The pandemic has thrown all security teams in

the deep end of the pool. And the speed of business requires all of us to be agile and to be able to

leverage cloud data to grow faster. The difference in resilience determines which security team keeps

dealing with incidents versus which one becomes a true enabler of cloud technology.

Cyber Defense eMagazineNovember 2020 Edition 48

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


About the Author

Noah Johnson is Co-founder & CTO, Dasera

Noah Johnson is a security researcher, entrepreneur,

and co-founder & CTO of Dasera. Noah received his

Ph.D. in Computer Science from UC Berkeley and has

founded three companies based on his academic

research. Noah recently developed the first practical

system to provide differential privacy for general SQL

queries. This work was featured in Wired and Gizmodo,

and serves as the technical foundation of Dasera’s

products. Previously Noah led a team of students in

developing a platform for automated security analysis

of mobile apps. Noah commercialized this work by co-founding Ensighta Security, which was acquired

by FireEye in 2012. Noah received several awards as a graduate student including the Signature

Innovation Fellowship, Sevin Rosen Award for Innovation, and the Tony Leong Lim Pre-Doctoral Award.

Cyber Defense eMagazineNovember 2020 Edition 49

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


The Impact of Ransomware on Cloud Services and How

to Stop Attacks

By Davit Asatryan, Product Manager, Spin Technology

Cloud technology and services continue to gain popularity due to their ability to allow businesses to cut

costs, improve an outdated IT infrastructure, and stay current with the competition. However, security

isn’t always top of mind when adding new services. The dramatic increase in connected devices and the

web of hardware and software used to connect to the internet and cloud means organizational data is

more vulnerable than ever to attack. Without the proper security protections to protect employees using

these cloud services, organizations can easily fall victim to ransomware.

Ransomware works by infiltrating a user’s PC or mobile device via malicious software that is usually

installed unintentionally after clicking a link in an email that’s posed as something else. Once installed,

the software uses cryptography to prevent users from accessing their files and demands a sum of money

to unencrypt the data. Until recently, ransomware was mostly an issue on local computers or mobile

devices. However, the most recent wave of ransomware attacks is infiltrating cloud apps. This introduces

Cyber Defense eMagazineNovember 2020 Edition 50

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


a new and more serious threat for modern businesses, especially those that rushed to the cloud to enable

remote workers without taking proper security precautions.

Types of Ransomware

A large percentage of malware is known to deliver ransomware, and more than half of malware-infected

files are shared publicly. The most common types of cloud malware include JavaScript exploits and

droppers, Microsoft Office macros, PDF exploits, Linux malware, and Backdoors. If a hacker manages to

gain access to a cloud service provider successfully, they can essentially launch a ransomware attack

that can affect every customer.

Ransomware called Cerber targets Office 365 users via malicious macros in Office documents attached

to spam emails. While Office 365 automatically disables macros to prevent malware from entering the

system, Cerber uses social engineering to trick the user into bypassing this security feature. While many

cloud services offer the option to recover a previous version of files, this does not mean that they are

safe from ransomware. If the user has the opportunity to delete these previous versions, so does the

malware. The cloud can also spread malware to other users through the sharing of infected files and

automatic syncing. For example, Virlock ransomware specifically targets cloud storage and collaboration

platforms, allowing it to replicate rapidly through the whole network from a single infected user.

Cloud applications, including file sharing, collaboration, and social networks, are becoming one of the

most common ways of spreading malware. One out of every ten companies has malware in their cloud

storage facility. It is therefore vital that any company using the cloud for storage or collaboration invests

in automated daily backup and daily cloud apps auditing to detect and recover from malware attacks.

However, these examples do not mean that using the cloud for backup and collaboration is riskier than

confining all software to in-house. Most small to medium businesses do not have the resources to ensure

state-of-the-art security for their data. In this case, relying on the more sophisticated security measures

of enterprise cloud providers is both economical and provides enhanced data security.

Reducing the Risk and Impact of Ransomware in the Cloud

The best way to protect yourself from vulnerabilities is to ensure that software is always kept up to date

and patched for urgent security updates. Many businesses struggle with ensuring patches are current

and installed on every machine within the organization. Hence, a system for deploying updates in a timely

fashion is essential for network integrity. Mobile code such as Java and Flash can make calls to a website

to download malicious software. Removing them from your browser will increase the security and make

ransomware attacks less likely. It is also essential to provide thorough security training for staff and

educate them on how malware can infect files. This alone can reduce the risk of ransomware that is

installed due to a user clicking a link in a phishing email, for example.

Each organization should carefully develop its IT security policies, making sure to account for working in

the cloud. For example, restricting the use of cloud applications to enterprise-level software will

significantly reduce the risk of malware attacks due to their superior security controls. Cloud-based

antivirus software, network monitoring, and threat detection, including the ability to block suspicious

activity, is another effective way to create a more secure computing environment when there are a lot of

users on the network. Regular backups with efficient recovery capability are the best way to recover from

Cyber Defense eMagazineNovember 2020 Edition 51

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


a ransomware attack. They allow an earlier, unencrypted version of the data to be restored, thereby

nullifying the effect of the ransomware.

Most cloud service providers have secure backups (this should be an essential requirement when looking

for a cloud provider), however, if they do not have an efficient recovery procedure in place, it may take

days or weeks to restore files to their original unencrypted state, which can cost affected organizations

substantially in terms of lost business hours. It’s also essential that cloud service providers use

sophisticated and up-to-date anti-malware on their servers to detect infected files.

Encryption is Key

In many cloud applications such as Google Apps, Office 365, and Salesforce, data is created in the cloud

and copied to the backup provider. Cloud backup providers have their security in place to ensure the

safety of the physical servers, but data may be vulnerable while it is in transit. Any communication of data

between the client and the cloud provider must be encrypted. Not all encryption algorithms are equal,

and it’s important to make sure the provider you use is utilizing industry-standard encryption protocols.

Cloud data services should use only protocol TLSv1.1 or higher. Additionally, they should own a security

certificate that has been confirmed by a well-known and trusted certification. Data should be encrypted

while in transit and once it reaches the servers of the cloud provider and remains in storage. Storing the

data in encrypted format means that if an unauthorized person manages to achieve physical or electronic

access to these backup servers, the actual data will still be inaccessible.

A Multi-Faceted Defense

Businesses are becoming increasingly high-tech and connected. As their needs and demands grow, so

too will the digital security industry to meet these needs. The security needs of digital businesses include

more sophisticated security policies and management, advanced monitoring, detection, and autoresponse

systems, and more secure access control. The challenge is providing all these things in an

environment that is growing and has diverse needs. Businesses need to remain vigilant and continuously

alert to the potential of cloud ransomware attacks, especially in a national climate where employees are

working off-site and using unprotected personal devices to access company cloud files.

About the Author

Davit Asatryan, Product Manager, Spin Technology.Davit Asatryan is a

Product Manager who has been working with Spin Technology since 2018.

He is a Cloud Security & Backup specialist focused on protecting G Suite

& Office 365 data.Davit can be reached online at (davit@spintech.ai) and

at our company website www.spin.ai.

Cyber Defense eMagazineNovember 2020 Edition 52

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Perfecting Your Cybersecurity Sales Process

by Katie Teitler, Senior Analyst, TAG Cyber

How Is Your Cyber Security Sales Process?

Sales has been around since the dawn of tradesmanship. Even before the term was codified, heck,

probably before humans’ early ancestors spoke a language anyone alive today would recognize, humans

have been selling wares. Looking at more recent history, pre-1990s or so, sales were conducted in person

or over the phone. In person—even door-to-door—sales were considered the best and most reliable

method. If you could look someone in the eye and shake their hand, your chances of making a sale were

greatly increased.

When email and the internet started to become ubiquitous, salespeople held on to tried and true methods,

dialing for dollars, as it were, and racking up thousands of dollars in travel fees and air miles to visit

prospects in cities wide and far. By the early 2000s, the digital realm changed sales for good. LinkedIn

was launched in 2002 and suddenly businesspeople had a new way to connect. It wasn’t long before

savvy salespeople saw an opportunity and started trying to connect with new, prospective clients, then

move them to the next phase, a.k.a., the one-on-one, in-person meeting where the relationship was fully

developed.

As time went on, and other platforms made it easier for salespeople to find their “financial buyer” via a

quick internet search, the number of unsolicited cyber sales pitches increased exponentially. Executives

were inundated with the one-two punch of email-followed-by-phone-message—always under 30

seconds!—in an effort to reach new prospects. As it became easier for salespeople to identify and

connect with potential buyers, buyers found new ways to filter out the noise. Thus, it grew even more

imperative for salespeople to connect with a greater number of people every day. It didn’t matter how you

Cyber Defense eMagazineNovember 2020 Edition 53

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


got through. Just get through. Just get someone to take a call. Just get someone to sit through a demo.

Just get them to know you.

Sales digital transformation

Consequently, over the last few decades, sales has evolved from a highly personalized profession to a

high velocity numbers game. Especially in light of COVID, without any in-person meetings or industry

events, and as the economy has presented numerous sales challenges, enterprise buyers have reported

a massive uptick in digital solicitations. But because cyber security product sales, for many (not all), has

become high volume, high velocity outreach, product seekers and budget holders have become the

causalities of a spray and prey sales approach. TAG Cyber’s enterprise clients note this all the time: I’m

receiving more LinkedIn messages where the person has no idea what my job title is or what my

responsibilities are. I got two emails today where the note read, “Dear %FirstName%.” I, myself, have

receive several messages in the last few weeks asking if I am interested in buying networking equipment,

phishing prevention software, video conferencing software, and lead generation lists. I’m a cyber security

industry analyst. I need none of these things (OK, maybe technically I need the phishing [spam]

prevention but it’s not my network, not my budget, not my decision).

Quite simply, this spray and pray approach doesn’t work for end users, practitioners, implementers...i.e.,

buyers. Good salespeople know this, but they can feel trapped by arbitrary metrics required by

management teams pushing employees to hit their quotas. Somehow, a good portion of sales has

become like the 1980s perfume sales reps in the mall who would ask if you wanted a spritz of their new

perfume, and even when you said no, would spray it in your direction anyway. Maybe the shopper will

catch a whiff and realize they really do want to buy this perfume. Today, the sales process has changed,

and many salespeople have lost sight of the need to educate themselves on prospects—the individuals

they’re contacting—before reaching out. And spritzing.

The art of taking the time to get to know a prospect has been lost, and it has been precipitated by our

overreliance on technology and the rush, rush, rush world we live in. As a result, nearly every time we

talk to an enterprise security client about vendor product selection, we hear the same things: It’s hard to

find a salesperson who will listen to what we need. Vendors have canned product pitches, and they all

focus on the same “differentiators” as their competitors. We went through multiple sales calls and an

entire demo then found out their product is incompatible with our environment. On the first call, the vendor

said they could do X, but when we were ready to purchase, they said they’d be building that capability

custom and we wouldn’t have it until 4 weeks after we deploy.

But we know that there are good cyber salespeople out there who believe in their products and have just

lost their way. The startup SaaS culture has turned sales into metrics rather than relationships. And it’s

hurting both sides of the equation.

Because, as analysts, we sit at the intersection of vendors and buyers, we recommend cyber security

salespeople return to the “old-fashioned” mentality of a personalized sales approach but combined with

the advantages of modern technology. If done correctly, the result will be more conversations, more

opportunities, and more (possibly higher value) sales. One challenge, in certain cases, will be convincing

sales managers to adjust metrics to reflect the time and effort it takes to get to the first meeting—more

reflective of a pre-2000s sales cycle where “hitting the number” is more important than number of new

contacts added to the CRM.

Cyber Defense eMagazineNovember 2020 Edition 54

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Do your homework

For those with true sales persuasive powers (or enough trust of their sales leadership), we recommend

getting back to sales basics. Selling your cyber security solution is about people and their needs. And no

two companies have the exact same needs, so throw out the corporate pitch deck and start your meetings

with conversations. Before you're given the permission for a conversation, though, you'll need to do your

homework on the person whom you’re trying to convince to make time in their schedule. This convincing

will require more time than stalking the surface of someone‘s LinkedIn profile. For instance, my profile

says that I am a cyber security analyst. Job titles in security can be tricky, but it’s well worth a

salesperson’s time to a) visit my company’s website to see what the company does and the context of

my work as an employee and, b) look at my LinkedIn activity. Literally two minutes is all it would take

someone to figure out that I am a research analyst, not the person who monitors network/cloud

technologies and investigates alerts and security issues.

Many security executives intentionally have sparse social media profiles, but a quick Google search will

often provide greater context about the person’s offline activity and interests. For instance, before Ed

(TAG Cyber’s CEO, founder, and lead analyst) founded TAG Cyber, he did a ton of presenting and

speaking as AT&T’s Chief Security Officer. His presentations were varied—Ed could/can speak

eloquently on any security topic—but often his presentations reflected what his internal team was

currently working on. Even if this isn’t the case for other CSOs/CISOs, it’s at least an opening for a

conversation. And it shows the CSO/CISO that the salesperson bothered to minimally look into the

individual rather than simply spamming them because of their job title.

For large, publicly traded companies, salespeople should peek at the Annual Report/10K, other investor

information, and company press releases to see what security tidbits they can glean. As cyber security

has become a top-line business risk, security initiatives have made their way into these public documents

and can give hints about the company’s approach to security. And again, if it doesn’t give the salesperson

specific information about the prospect, referencing business goals in the context of security will at least

demonstrates effort to learn and listen. That said, don’t half @$s it. Do your homework with honest

intentions and you’re more likely to gain the connection.

After the connection

If the salesperson has done a bit of background investigation and catches the eye or ear of a potential

buyer, the next step is...more research! This time, though, in the form of listening. Use the 80/20 rule:

listen 80% of the time; speak 20% of the time. If you’re a salesperson doing more speaking than listening

on your first few calls, you’re headed down the wrong path. Don't make it about your groundbreaking,

fully automated, cloud-based, zero latency, environment-agnostic powered by artificial intelligence

solution.

Go in with the intention of fact finding. A good salesperson must understand the buyer’s/enterprise’s:


Business requirements: How will the technology be used? In what context? What are the

intended outcomes? What are the KPIs the tool will be measured against? Who will be responsible

for the day-to-day management/operation of technology? How much professional service support

will they need? Are there additional stakeholders involved in the decision (who are not involved

in current discussions)?

Cyber Defense eMagazineNovember 2020 Edition 55

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.




Architectural requirements: What networks/data/apps/OSs/languages does it need to support?

Does the company run legacy tech, or does it operate int he cloud only? Will the company need

help migrating from on-prem to cloud? What are the company’s plans for scaling?

Implementation requirements: Can the company support network changes? Can the company

support integrations themselves? What is their timeframe for implementation? What is their

timeline for results/reports/data?

The main thing for salespeople to remember is that there are humans on the other end of the

phone/keyboard/screen who need to solve real problems for their businesses. For them, buying a product

is about a need, not your quota. While it’s a conundrum—the more product you push, the more you get

paid, the better your job security—the irony is that the more you listen, the quicker and easier it will be to

find the right buyers and the less time you will spend time sending blind emails.

For example, on a recent call with a major enterprise, the security program owners were complaining that

they were about to enter the POC stage with a security vendor and it became clear the vendor was

unaware that the company was still running a large chunk of its infrastructure on Linux/Unix. To the

enterprise, it was obvious—it’s what they dealt with every day. The vendor, on the other hand, was

thinking about its cloud-friendly tech and missed a major foundational element that made the product

incompatible with the enterprise’s environment.

Because the vendor didn’t take the time to learn about the business’s requirements, discussions were

halted in their tracks after months of conversations. This was wasted time for everyone; the salesperson

would have been better served gathering requirements in the first calls and moving on to a more viable

prospect with real sales potential, and the enterprise would have been better off evaluating a different

vendor.

More than enough prospects to fill your funnel

The reality of today’s cyber security landscape is that there are more than enough enterprise buyers. The

trick is finding the right match. And salespeople won’t do that with vanilla emails or messages that aren’t

suited to the buyer and don’t touch on a pain point.

Every day I log on to social media and see end user friends and colleagues complaining about the

inappropriate and off-target messages they’re receiving from product salespeople. Yet, they all need to

buy products to run their companies! In fairness, and salespeople know this, there is some recalcitrance

around the idea of “sales.” The spray and prey method used by few (but too many) salespeople has

soured the soup for potential buyers—they’ve come to expect a smash and grab approach rather than

someone who takes the time to get to know them and their security technology needs.

Technology has made it possible for people to reach farther and wider than ever before. And as such,

there’s been a loss of personalization in how we interact. However, technology has also given us the

tools to learn more about people—or any subject—from anywhere and at any time. While digital

transformation has largely made sales a numbers game, it also has the potential to bring it back around

and create opportunities for customization. One very successful salesperson I know recently said to me,

“Sales has gone way too far into metrics and away from actually being human and solving real needs.

So, anything I can do to correct that is top of my list. It's easier for me to work on a problem when they

know I'm not just trying to shove software down their throats.”

Cyber Defense eMagazineNovember 2020 Edition 56

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Though sales culture won’t change overnight, I firmly believe we have a huge opportunity—as most of

us still sit at home, working in isolation—to start connecting better with others. In a sales context, this will

result in less time spent on emails that are inevitably filtered directly into spam, never read, and only

count toward arbitrary metrics goals. A personalized approach to connecting will, in fact, lead to quicker,

larger deals that end in bigger paychecks and President’s Club awards...when we can all travel and see

each other in person again.

About the Author

Katie Teitler is a Senior Analyst at TAG Cyber

where she collaborates with security

organizations on market messaging, positioning,

and strategy. In previous roles, she has

managed, written, and published content for two

research firms, a cybersecurity events company,

and a security software vendor. Katie is a coauthor

of “Zero Trust Security for Dummies."

Katie Teitler can be reached online at katie@tag-cyber.com and at our company website https://www.tagcyber.com/.

Cyber Defense eMagazineNovember 2020 Edition 57

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Data Migration Security

WHAT TO KNOW

By Devin Partida, Cybersecurity Writer, ReHack Magazine

If you're planning a data migration soon, there are some crucial things to do to increase the likelihood of

keeping it safe. Migrating data means moving it between locations, formats or locations.

Prioritizing data security is essential for successful outcomes. However, doing that is not as

straightforward as some people think. These tips will help with that all-important matter.

1. Confirm the Location of Your Critical Data

If your data migration includes critical content, do you know where all of it resides? If not, you're in the

majority. Research indicates that 82% of respondents from organizations did not know where those

enterprises kept all the critical data. The same study showed that 55% cited data fragmentation across

multiple databases as slowing their progress.

That's a data security risk because it could give the false impression that all the most important

information got safely moved to the new destination. That may not be a valid conclusion to make. Audit

the data before a migration happens. Doing that helps ensure you find all the necessary records. Tools

also exist to help find duplicate or obsolete content that you can delete before starting to move the data.

Cyber Defense eMagazineNovember 2020 Edition 58

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


2. Plan a Phased Migration

When learning about data migrations, you'll almost certainly come across details about a process called

Extract, Transform and Load (ETL). It encompasses the three main stages that happen when moving

information.

The extract portion involves collecting data and reading it from a database. The transform step then

converts the extracted data from its previous form to the format required by the new location. Finally, the

load step writes the data to the target database.

Keep security in a top-of-mind position by opting for a phased approach. In other words, decide to migrate

your least-important data first. Focus on the material that has business value but does not include

sensitive details.

You should also hold off on migrating any data deemed essential to your company's operations. Doing

that allows you to vet the security of the data host's systems and avoid major unforeseen problems.

3. Become Familiar With Applicable Cybersecurity and Encryption Protocols

A frequently chosen kind of migration occurs when companies shift some of their on-premises information

to cloud data centers. This decision is often a smart one from a data security standpoint. Cloud platforms

usually include dedicated encryption and cybersecurity protocols that customers automatically have

access to through their service packages.

However, consider how you could beef up cybersecurity and data encryption with additional measures

applied by your company. Taking that approach is especially wise when the information in question is

highly sensitive or includes customer details.

When people get word of data breaches or other security-related matters affecting their details, they

rapidly lose trust in the involved companies.

4. Back Up the Data First

As you map out the schedule for data migration, don't start moving the content before backing up all the

files. Even if things go relatively smoothly, you could still end up with missing, incomplete or corrupt files.

Having the data backed up supports data security by letting you restore content when needed.

Weigh the pros and cons of all the options available to you before choosing one. For example, if you're

only migrating a small number of files, putting them on a USB drive might be the simplest possibility. A

mirrored drive or a cloud backup service is likely more appropriate for more extensive migration efforts.

5. Maintain All Necessary Compliance and Access Requirements

If your data migration involves keeping some content in on-premises facilities, and moving the rest to the

cloud, ensure that your security standards are identically tight across those locations. A common way to

do that is to set up security policies for aspects like access control. Once you lay out the desired security

environment for the data, check that the cloud host meets or exceeds them.

Cyber Defense eMagazineNovember 2020 Edition 59

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Verify that your data security plans include specifics for all applicable laws that dictate how to handle

customer information, such as the General Data Protection Regulation (GDPR). Other data privacy

stipulations relate to patient medical data. Your company must continue to abide by the rules before,

during and after a migration.

Fortunately, automated tools can make that easier by automatically applying the parameters you set.

Cutting Data Migration Risks

Many of today's businesses are extremely dependent on data. The trouble is that the information

possessed by a company could grow to such a gigantic amount that migrating it becomes too much of a

hassle or prohibitively costly.

Moving smaller databases of information still includes risks that could threaten data security. However,

by following the suggestions here and doing more research to determine which challenges your company

faces, you can reduce data migration problems.

About the Author

Devin Partida is a cybersecurity and technology writer. She is also

the Editor-in-Chief at ReHack.com.

Cyber Defense eMagazineNovember 2020 Edition 60

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Has Your Data Been Leaked to the Dark Web?

By Randy Reiter CEO of Don’t Be Breached

The part of the internet not indexed by search engines is referred to as the Dark Web. The Dark Web is

however frequently misunderstood. The Dark Web is a network of forums, websites and communication

tools like email. What differentiates the Dark Web from the traditional internet is that users are required

to run a suite of tools such as the Tor browser that assists in hiding web traffic. The Tor browser routes

a web page request through a series of proxy servers operated by thousands of volunteers around the

globe that renders an IP address untraceable.

The Dark Web is used for both illegal and respected activities. Criminals exploit the Dark Web’s

anonymity to sell drugs and guns. Organizations like Facebook and the United Nations use the Dark Web

to protect political and religious dissidents in oppressive nations. Legitimate actors like law enforcement

organizations, cryptologists and journalists also use the Dark Web to be anonymous or investigate illegal

activities.

A 2019 study, Into the Web of Profit, conducted by Dr. Michael McGuires at the University of Surrey,

shows that the number of Dark Web listings that could harm an enterprise has risen by 20% since 2016.

Of all listings (excluding those selling drugs), 60% could potentially harm enterprises.

On the Dark Web one can purchase personnel information such as names, addresses, phone numbers,

tax ids, credit card numbers, login ids, passwords and hacked Netflix accounts. Software that hackers

Cyber Defense eMagazineNovember 2020 Edition 61

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


use to break into workstations and servers are also for sale. Some of the darker items for sale include

guns, drugs, counterfeit money and Hackers that can be hired to perform cyber-attacks.

For example for $500 the credentials to a $50,000 bank account can be purchased. Or for $500 one can

buy prepaid debit cards having a $2,500 balance. A lifetime Netflix premium account goes for $6.

In a recent 2020 report by the security company ImmuniWeb they report that 97% of the leading

cybersecurity companies had data leaks or security incidents exposed of the Dark Web. They found over

4,000 incidents of stolen confidential data exposed on the Dark Web per cybersecurity company. Half

the Dark Web exposed data was plaintext credentials such as financial and personal information.

A large number of these data leaks were attributed to cybersecurity company third party suppliers or subcontractors.

Some of these data breaches occurred as recent as August, 2020.

Even cybersecurity companies are not immune to Data Breaches (e.g. caused by Zero Day attacks and

other methods). The ImmuniWeb report covered almost 400 cybersecurity companies in the USA,

Canada, UK, Ireland, Germany, France, Czech Republic, Israel, Japan, Russia and India. Cybersecurity

companies in the US suffered the highest incidents, followed by the UK and Canada, then Ireland, Japan,

Germany, Israel, the Czech Republic, Russia, and Slovakia.

Today’s mega Data Breaches are now costing companies $392 to recover from.

How to Stop Confidential Database Data from Being Ransomed or Sold on the Dark Web?

Confidential database data includes: credit card, tax ID, medical, social media, corporate, manufacturing,

law enforcement, defense, homeland security and public utility data. This data is almost always stored in

Cassandra, DB2, Informix, MongoDB, MariaDB, MySQL, Oracle, PostgreSQL, SAP Hana, SQL Server

and Sybase databases. Once inside the security perimeter (e.g. via a Zero Day attack) a Hacker or Rogue

Insider can use commonly installed database utilities to steal confidential database data.

Non-intrusive network sniffing can capture and analyze the normal database query and SQL activity from

a network tap or proxy server with no impact on the database server. This SQL activity is very predictable.

Database servers servicing 10,000 end-users typically process daily 2,000 to 10,000 unique query or

SQL commands that run millions of times a day.

Advanced SQL Behavioral Analysis of Database Query and SQL Activity Prevents Data Breaches

Advanced SQL Behavioral Analysis of the database SQL activity can learn what the normal database

activity is. Then from a network tap or proxy server the database query and SQL activity can be nonintrusively

monitored in real-time and non-normal SQL activity immediately identified. These approaches

are inexpensive to setup. Now nonnormal database SQL activity from Hackers or Rogue Insiders can be

detected in a few milli seconds. The Hacker or Rogue Insider database session can be immediately

terminated and the Security Team notified so that confidential database data is not ransomed or sold on

the Dark Web.

Advanced SQL Behavioral Analysis of the query activity can go even further and learn the maximum

amount of data queried plus the IP addresses all queries were submitted from for each of the 2,000 to

10,000 unique SQL queries sent to a database. This type of data protection can detect never before

observed query activity, queries sent from a never observed IP address and queries sending more data

to an IP address than the query has ever sent before. This allows real-time detection of Hackers and

Cyber Defense eMagazineNovember 2020 Edition 62

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Rogue Insiders attempting to steal confidential database data. Once detected the security team can be

notified within a few milli-seconds so that an embarrassing and costly data breach is prevented.

About the Author

Randy Reiter is the CEO of Don’t Be Breached a Sql Power Tools

company. He is the architect of the Database Cyber Security Guard

product, a database Data Breach prevention product for Informix,

MariaDB, Microsoft SQL Server, MySQL, Oracle and Sybase

databases. He has a Master’s Degree in Computer Science and has

worked extensively over the past 25 years with real-time network

sniffing and database security. Randy can be reached online at

rreiter@DontBeBreached.com, www.DontBeBreached.com and

www.SqlPower.com/Cyber-Attacks.

Cyber Defense eMagazineNovember 2020 Edition 63

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


No Meows Is Good News: Proactive Nosql Database

Security in The Era of Meow Attacks

By Jack Harper, Director of Professional Services at Couchbase

This summer, a spate of cyberattacks in which cybercriminals targeted internet connected ElasticSearch

and other unsecured databases continued to fuel concerns about database security. And the attacks

were not only prolific, they were more brazen: the “Meow” attacks in particular were a series of automated

malware that completely destroyed unsecured databases vs. taking the data hostage. It was game over

before the ball was even in play.

Deja Vu?

In 2017, thousands of unsecured instances of MongoDB and ElasticSearch fell prey to attacks by a threat

actor using the moniker Krakeno. These types of attacks resurfaced this summer with nearly 30,000

users affected in July. Thousands of businesses lost their data in this mass data hostage event, then the

Meow attack came along--accessing unsecured databases-- and one-upped the Krakeno-like attacks by

completely destroying the data with its automated malware.

The ongoing attacks suggest that database administrators or developers continue to overlook appropriate

security in their internet-facing databases (NoSQL) that are at the crux of these attacks, leaving them to

fall prey to the likes of Meow. To understand how to implement adequate security in a NoSQL

environment, let’s first take a closer look at what a NoSQL database is and better educate ourselves on

what tighter security controls in a NoSQL environment actually look like.

A NoSQL Primer

NoSQL databases are a product of the 21 st century’s desire to deliver increasingly fast, always-on digital

experiences. Unlike their older and better-known ‘relational' database relatives that require predictable

and structured data to operate, NoSQL (Not-Only-SQL) provides an extremely dynamic and cloud-

Cyber Defense eMagazineNovember 2020 Edition 64

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


friendly way for organizations to manage real-time, unstructured data. NoSQL databases commonly

deployed to be internet-facing, which can allow cybercriminals to poke holes in them if they are unguarded

or poorly planned and executed.

The reality is that modern applications need NoSQL databases, which places the onus on the designers

and developers to build or use better systems to protect them. The issue can be addressed if vendors

create secure-by-default features and users follow security best practices.

Planning is everything

It really is this simple: plan correctly, and your business will be able to prevent vulnerabilities and leaks

before they occur. And it starts with choosing the right NoSQL provider. If the vendor sells security as a

bolt-on feature that’s not baked into the system, they probably aren't the right partner to start with. It’s

your duty to ask the hard questions around their knowledge of end-to-end security. Check their

development logs to see if they have been reporting vulnerabilities in their systems and ask about how

easy it is to implement security capabilities around the database. Research can be a tedious step in

selecting the right provider, but it’s also imperative. It could make the difference between suffering an

attack and not.

Next, think about how your data is secured in transit. Data is never only transferred behind the firewall, a

lot of it is going to move outside of your organization, and while this isn't dangerous in and of itself, it is

where the most risk lies. Beyond your network are a host of third parties that may not follow your

encryption policies, making it even more important for you to encrypt every dataset – regardless of where

it’s stored. Make sure your planning includes securing data both at rest and in transit by investing in SSL

connections for client/server and server/server communications.

Your NoSQL database needs to form part of your security planning and must have a visible security

roadmap that provides insights into how its developers are ensuring that it is continually updated and

secured. As with any new technology, improvements are continuous, making it essential for your teams

to regularly check and implement these changes, especially if they have a material impact on your

cybersecurity policies or needs.

Nine tips to NoSQL security success

Once the planning is done, now it’s time to put it into practice. Here are nine tips on how to avoid falling

prey to cyber-attacks--or becoming “Meow Mix”:

#1 Don’t expose raw databases to the internet. This is a fundamental security rule, and as simple as

it sounds, it is important as they come. If you don’t store all your nodes behind a secure database firewall,

you risk the security of your sensitive information.

#2 Keep your software up to date. Security professionals will warn that security starts at the weakest

link, and this is often out of date server operating systems. So unless you install the latest encryption

patches, no data security can be guaranteed. As the WannaCry, Spectre/Meltdown, and now Meow

attacks have highlighted, there’s no substitute for responsible patch management.

Cyber Defense eMagazineNovember 2020 Edition 65

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


#3 Delete “default” and sample databases. The word “default” is the playground for cybercriminals.

Those who have suffered cyber breaches will know, it can nearly always be replaced with the phrase

insecure: default passwords are weak passwords; default settings are unsafe settings. If there is a default

anything in your environment – always delete it.

#4 Strong passwords are essential. Again, another seemingly mundane and straightforward action,

but one that is the most overlooked. Default or weak passwords attract cybercriminals like bees to honey.

Change passwords often, use unique passwords for different projects, make sure passwords are strong,

and very importantly, change all default passwords.

#5 Use role-based access control (RBAC) and Active Directory. Control privileges to both

administrative activities and data access with fine-grained access control. Also, protect user credentials

and manage them at a centrally controlled place with Active Directory.

#6 Encrypt your data in-transit, on the wire, and at rest: Make sure that your data is encrypted as it

travels over networks during client-server communications or when it is being replicated within the

database server or being replicated between database servers in different data centers/zones/regions.

Likewise, you should encrypt the data when it is stored for persistence. These measures prevent

unauthorized access to data at all levels.

#7 Use updated TLS Ciphers. Transport Layer Security (TLS) enables secure network communications.

This security can be further enhanced by using updated versions of the ciphers and/or by picking

customized ciphers. On top, a well-thought-out policy for certification expiration/rotation/revocation

should also be implemented.

#8 Limit port access. Allow firewalled access to the minimum set of network ports that are needed for

your database to work.

#9 Report security issues immediately. If your database has been breached or you think there may

be a security flaw, report it. Immediately. There is a community of people out there that can offer you

advice and benefit from this information. Security is always better when we pool resources and work

together as an industry – keeping us one step ahead of cybercriminals.

A problem shared

Hackers and cybercriminals are always going to be part and parcel of our business life. It is a bleak

reality. We need to invest in education and adopt best practices, and we need to acknowledge that

ensuring compliance and adopting good security policies is an industry-wide responsibility.

For those of us deploying, implementing, and developing on databases, this is even more relevant. From

web, mobile, and app developers through to C-suite and technology executives, everyone involved in

databases has responsibility for ensuring they are secure. NoSQL vendors also have a responsibility to

ensure that their systems provide users with the tools to secure themselves better and secure their

services by default.

Cyber Defense eMagazineNovember 2020 Edition 66

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


If the recent spate of attacks is anything to go by, it is unrealistic to think that NoSQL data breaches and

leaks are a thing of the past. Instead, we need to view each one as a reminder for businesses to take

database security seriously.

About the Author

My name is Jack Harper, I am the Director of Professional

Services at Couchbase.

Jack Harper is a leader on the Professional Services team at

Couchbase, where he leverages nearly 20 years of

experience identifying, mitigating, and resolving technical

issues as well as architecting and implementing solutions for

customers. His background also includes extensive

experience with software testing and QA best practices and

methodologies as they relate to various implementations of

the SDLC (Agile, XP, RAD, waterfall). Jack is a Certified PMP

(Project Management Professional) with 6+ years’

experience working on software development projects.

Jack Harper can be reached online at (TWITTER, LinkedIn

and at our company website https://www.couchbase.com /

Cyber Defense eMagazineNovember 2020 Edition 67

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Takeaway from the SANS Institute Attack: Without

Proper Care, “Consent Phishing” Can Happen to Anyone

Gamified Training for Security Teams Can Raise Vigilance and Advance Skills to Defend Against the

Latest Attack Exploits.

By Chloé Messdaghi, VP of Strategy, Point3 Security

The SANS Institute, established in 1989 as a cooperative research and education organization, has

helped train and inform more than 165,000 security professionals around the world – from auditors and

network administrators to chief information security officers and security experts across the global

information security community.

A deeply trusted source for information security training, security certifications and research, the SANS

Institute also operates the Internet's well-regarded early warning system - the Internet Storm Center.

So when the SANS Institute reported it was the victim of a phishing attack that led to the theft of 28,000

records, the cybersecurity community echoed with the question: how could that have happened?

We don’t know if the SANS employee who clicked the bad link (or links) was on the security team or if

they were in another function such as sales, marketing or operations. If they were not on the security side

of SANS, there’s the strong potential that they were apathetic about cybersecurity because they’ve never

Cyber Defense eMagazineNovember 2020 Edition 68

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


had an attack targeted at them before. If the phishing target was someone not on the SANS security

team, it begs questions about what kind of training they had. Many companies train hundreds or

thousands of “civilian” non-technical employees virtually and dryly, with multiple choice questions and

very basic content, rather than employing ongoing training and testing.

And as we’ve seen, if the employee is checking their email on their phone or a smaller device, they’re

more likely to click on a bad link – both because the visual acuity to the bad link is very poor and because

of the sense of immediacy that these devices drive in us all.

It’s so important to train employees never to click on an embedded link from a stranger, and never click

on a short URL such as a Bitly. Email recipients must be trained and regularly reminded to look for and

identify the entire link before clicking on it – every time.

We might not ever know exactly how the person fell into the trap - SANS might not share that - but the

malicious payload could have been within any incoming message. A bogus sales or prospect email, a

message purporting to be from the recipient’s manager, or some intriguing topic of broader interest are

common ploys, as are urgent company security warnings, employee bonus and holiday notifications, and

even messages claiming to hold confidential personnel data.

Phishers definitely understand the human element, and they work to understand peoples’ pain points and

passions to make their emails compelling. They also know when to send a phishing email to drive

immediate responses. That why we counsel that if a supposed work email comes in after work hours, it’s

best not to respond – especially from a mobile device. Or if there’s a time-sensitive, must respond email,

the sender should also text the receiver both to let them know and to help the recipient know that the

email is legitimate.

And if the phishing victim at SANS actually IS someone on the security team, it’s important to realize that

they’re likely not apathetic to security practices but that the organization either may not be investing in

their own security teams, or team members may be suffering from burn out.

It’s important to realize that burn-out is a natural by-product of both the transition to WFH and the urgency

of the current situation. This means it’s more important than ever to gain an unbiased and equitable

performance measurements, and to invest in the security team's development and up-skills training, and

do so in ways (such as gamification) that are personally engaging as well as professionally helpful.

Otherwise, we’re at risk of depending on security teams who are both under equipped and undermotivated

to protect their colleagues.

The objective assessment of skills that gamified training provides is also a wellspring of useful, unbiased

information on some of the inherent strengths and weaknesses of individual employees, and helps both

team members and employers address skills gaps in positive ways.

At the core, gamification is play – it’s also an assessment means that offers benefits without injury to data

or concern to talented team members. It’s proving to be a great way to cultivate talent, both security pros

and those they serve, growing their skills in ways that hit the temporal lobe, actually rewards participants,

and keeps vigilance against phishing and other attack methods front of mind.

As the latest findings from Juniper Threat Labs on the continually evolving IcedID trojan and malware

dropper show, the sophistication level of exploits is growing constantly, and bad actors are investing

heavily in innovation.

And unfortunately, too many companies aren’t following suit in investing in either their teams or defense

strategies. For example, recent IBM findings showed that only one third of companies had a breach

Cyber Defense eMagazineNovember 2020 Edition 69

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


playbook, and of those having playbooks, most applied them inconsistently. Given that the average

breach costs the organization $8.9 million, not counting the opportunity costs of lost business, it’s clear

that proactive, ongoing cybersecurity awareness is imperative.

At this point, the only two things that we know are that we are seeing more phishing attacks this year

than ever before, and that SANS was fast and forthright in responding to this attack. While some personal

information was disclosed, it could have been far worse – fortunately, no financial information was

leaked.

The takeaway is: we all need to stay aware, humble and prepared – if a phishing attack can snag

someone at the SANS institute, it can happen to any of us who let our guard down.

About the Author

Chloé Messdaghi is vice president of strategy at Point3 Security,

president at Women of Security (WoSEC), founder of

WeAreHackerz, ethical hacker advocate, podcaster, and is an

expert in the cybersecurity industry. She is a frequent speaker

at cybersecurity conferences and events, and is a trusted source

to business and security media.

Chloé Messdaghi, VP of Strategy, Point3 Security

Chloé can be reached online at @ChloeMessdaghi and at our

company website Point3.net (ittakesahuman.com).

Cyber Defense eMagazineNovember 2020 Edition 70

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Behind the Scenes of AppSec’s Misalignment

There’s something to be heard in the conversation.

By John Worrall, CEO at ZeroNorth

We live in a world defined by software, which is precisely why it must be secure. From the everyday

applications we use on our devices to the avionic software of modern commercial aircraft, the code

embedded behind the functions of civilization matters in every way. But there’s a problem. Our current

approach to building and delivering this critical software is now in the midst of a serious evolution, as it

moves from siloed processes and mindsets to something more unified.

Our current model for building secure software often revolves around buying a scanning tool… and then

another… and another… until we find ourselves with a craftsman-like approach that produces data in

different formats. Aside from the deep knowledge needed to run each tool, the even bigger obstacle is

processing the overwhelming amount of information resulting from those scans. And just like a craftsmanstyle

approach, it isn’t scalable and can’t cover the needs of a growing business—or a planet becoming

increasingly reliant on software.

Proof of the Problem

Fortunately for those who care about the security of modern applications, there are some solutions on

the horizon. A recent report conducted by the Ponemon Institute and sponsored by ZeroNorth provides

some real insight on how the ownership and governance of application security is fragmented and in

need of repair. But this “repair” comes from better relationships, not better code.

Ponemon’s report clearly illustrates just how deep the divide between AppSec and DevOps has grown,

more specifically around the issue of how to build secure software from day one. According to the

research, 77% of developers say this existing schism affects their ability to meet organizational

expectations, such as deadlines, while 70% of AppSec professionals claim the divide puts the security of

applications at risk. 1 And what we see as a result is not technology holding up progress, but people.

1

Source: Revealing the Cultural Divide Between Application Security and Development

Cyber Defense eMagazineNovember 2020 Edition 71

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


As organizations continue to look for more effective ways of prioritizing software security, without

impacting productivity, they are realizing that developers view these measures as a hindrance to

innovation and speed. And, of course, AppSec teams believe DevOps should be far more vigilant about

ensuring security happens at all stages of the development life cycle. In fact, 65% of security pros say

developers publish code with known vulnerabilities, while the same exact percentage (65%) of

developers say the security team doesn’t understand the pressure they’re facing. 2 And therein lies the

misalignment.

Another part of this misalignment comes from a lack of clarity about who actually owns the security piece

in the first place. Only 67% of AppSec professionals believe their team is ultimately responsible for the

security of software applications, compared to just 39% of developers. These numbers alone indicate a

massive gap in the larger security effort, a gap that raises serious questions about accountability and

visibility. When misalignment within an organization is this extreme, and no one knows who’s “watching

the kids,” the integrity and success of the business is jeopardized.

Thoughts for the Future

So, what does a more unified mindset around security look like? It starts with a mutual understanding of

each other’s roles and responsibilities, of each other’s requirements. A more federated outlook on

AppSec means everyone involved—from security to business to product leaders—are doing their

prescribed part to ensure security is prioritized. But it requires a coordinated effort and unified approach.

The work is fragmented and so are the results. Everyone has to bond on their shared desire to build and

deliver quality software to market, together as a larger team.

Then we can improve things. This divide between security and development professionals offers up a

much-needed opportunity for change, in both thinking and practice. With the right moves, CISOs and

other security leaders can bridge this gap by embracing a unified approach for AppSec. This would allow

security teams to sets standards and provides frameworks, while DevOps and product teams execute

their work within those guidelines. By serving as unifier, CISO and other security leaders have a chance

to make security front-and-center, without hindering the speed and velocity requirements of the Dev

teams.

The “right moves” will be different among organizations, but modeling a mindset and culture of security

first is a great start. Everyone involved needs to remember that a robust AppSec program is not just nice

to have, or worse an obstacle—it’s a business imperative. In this scenario, CISOs can advise teams to

formulate a stronger coordinated effort, where security, DevOps and business teams come together for

the good of software, for the good of the world. It may sound dramatic, but it’s entirely true.

Security leaders also need to ensure the proper resources are allocated to safeguard applications in the

development and production phase of the software life cycle. This includes training and support to help

developers build the necessary secure coding skills. They also need to implement continuous testing

throughout the development life cycle, starting at code check-in, to find and fix vulnerabilities early in the

process. These moves help to stay on top of vulnerabilities, improve developer productivity and get

product releases out the door on time. As members of senior leadership, CISOs need to build security

into the organization’s overall risk management strategy and report out on the business’ most important

KPIs.

2

Source: Revealing the Cultural Divide Between Application Security and Development

Cyber Defense eMagazineNovember 2020 Edition 72

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Next Steps

Where we go from here is actually pretty clear. We need to build a shared vision, bring teams together

and communicate about who does what and when. Commitment from both sides is critical to build this

kind of collaborative relationship, but it is possible. And once everyone acknowledges the many ways

security can improve the final outcome, including all the business benefits resulting from strong product

security, they will hopefully find things just work better when everyone’s on the same side.

About the Author

John Worrall joined ZeroNorth in 2019 as chief executive officer,

leading the company in its delivery of the only platform for risk-based

vulnerability orchestration across applications and infrastructure. As

CEO, John heads up all aspects of the company’s strategy, product,

operations and go-to-market functions. Prior to this role, John was

chief marketing officer (CMO) at CyberArk, where he played a critical

role in leading the company through its initial public offering. He also

held the position of executive vice president at CounterTack, serving

on the leadership team that secured the company’s Series A funding.

Before his time at CounterTack, he was the chief marketing officer at

ActivIdentity; vice president and general manager of the Security

Intelligence & Event Management business unit at RSA; and CMO at

RSA. John holds a bachelor’s degree in economics from St. Lawrence University.

Website: https://www.zeronorth.io/

SOCIALS:

Twitter

Personal

Company

LinkedIn

Personal

Company

Cyber Defense eMagazineNovember 2020 Edition 73

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Emotet Attacks Surge in 2020, but Could Be Prevented

By Dan Piazza, Technical Product Manager, Stealthbits Technologies, Inc.

The Emotet malware, originally detected as a banking trojan in 2014, has become one of those most

prevalent malware threats in 2020, and the economic fallout from an Emotet attack can range into millions

of dollars (USD). Over the years Emotet has evolved well beyond a banking trojan and is typically

delivered via phishing emails that turn infected hosts into bots and malware spreaders. Emotet is also no

longer content simply executing its own malicious code – once a victim is infected Emotet can download

additional malware into the network, such as Ryuk or Trickbot.

However, the biggest threat Emotet brings is still the spread of ransomware throughout an organization

– encrypting everything in its path and often exfiltrating sensitive data so the attacker can threaten the

victim with a public leak of that information if the ransom isn’t paid.

Emotet is also quite hard to detect and eliminate. Emotet is polymorphic – meaning it constantly changes

itself to maintain persistence and avoid signature-based detection by endpoint protection. It’s also

modular, meaning components can easily be swapped in and out depending on what an attacker wants

to achieve. Some variants act as ransomware, others target cryptocurrency wallets, and some may

propagate botnets. Emotet is even aware of when it’s running inside a VM and will lay dormant to avoid

detection in sandboxed environments – which security researchers use to observe and decompile

malware in a safe space.

Cyber Defense eMagazineNovember 2020 Edition 74

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Coupled with a wide variety of attack techniques, one could say Emotet’s complexity and effectiveness

make it “enterprise-grade” malware. Additional techniques used by Emotet include password grabbers,

software packing, obfuscated files, network sniffing, process discovery, remote service exploits,

command and control (C2) using non-standard ports, data exfiltration via C2 channels, and more. With

its current feature set and ability to quickly evolve, the danger Emotet poses is clear.

Taking advantage of another recent malware trend, Emotet has also become a malware-as-a-service

that’s sold to various threat actors on the dark web that otherwise may not have had the capability of

developing such complex malware themselves. This opens the door to less-skilled attackers utilizing the

power of Emotet, resulting in even wider spread of the already prevalent malware. Add this to the malware

“dropper” capabilities of Emotet, and it’s single-handedly keeping older malware variants alive, spreading,

and prospering.

User Education – More Important Than Ever

Given that most Emotet infections start as phishing emails, this surge in matured Emotet attacks is a

perfect example of why organizations need to continuously educate users on how to detect and avoid

modern phishing emails. Although spam filters and other methods of blocking malicious messages should

be in place for all organizations, it only takes one email to get through and successfully trick a user for

Emotet to start moving laterally throughout a network and eventually into domain admin rights. Emotet

will also hijack legitimate, existing email threads once a host has been infected, so users need to be wary

of every email they receive and not just new threads from fake or spoofed addresses.

Unfortunately, it's inevitable that a user will eventually slip up, succumb to a phishing attack, and become

infected. That's when Emotet starts to move laterally through a network until it gains domain admin rights,

which brings up two valuable points: limit special share access, and keep all systems patched and up to

date. Emotet, and the malware variants it delivers, often prefer to target admin$, c$, and ipc$ shares to

enumerate and move through a network. By limiting access to these shares to the absolute minimum, it’s

possible to slow Emotet down and block its go-to infection routes. This should be coupled with ensuring

all systems are running the latest updates provided by software and OS vendors, so vulnerable exploits

can be patched and eliminated as they’re discovered.

Limiting the Scope of Attacks

Cybersecurity software, such as privileged access management, can also limit the scope of what

privileged sessions (that Emotet targets) can do by not only limiting access to resources, but also by

limiting which specific actions can be taken during these sessions. The goal of this workflow is to reduce

the standing privilege in a network to zero, which drastically reduces the attack surface for Emotet and

buys time for the security team to remove the threat once detected.

Emotet continues to be a major threat and source of stress for IT and security professionals everywhere,

however with proper preventative measures it’s possible to halt it dead in its tracks.

Cyber Defense eMagazineNovember 2020 Edition 75

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


About the Author

Dan Piazza is a Technical Product Manager at Stealthbits

Technologies, responsible for File Systems and Sensitive Data

in their Data Access Governance solution, StealthAUDIT. He’s

worked in technical roles since 2013, with a passion for

cybersecurity, data protection, storage, and automation.

Stealthbits is a cybersecurity software company focused on

protecting sensitive data and the credentials attackers use to

steal that data.

Dan can be reached online at linkedin.com/in/danieljpiazza

and at our company website https://www.stealthbits.com/

Cyber Defense eMagazineNovember 2020 Edition 76

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Zero Trust Model Is Meaningless Without TLS Inspection

Protecting users against modern, invisible cyber threats

By Babur Khan, Technical Marketing Engineer at A10 Networks

A security strategy is only as strong as its weakest point. No matter how extensive your network defenses

are, if there is even one blind spot, you are still vulnerable to attacks. This is true even for the Zero Trust

model, at the core of modern cybersecurity. Fortunately, there is a way to fix it.

Zero Trust Model: The Perfect Security Strategy…with a Catch

Zero Trust security / Zero Trust model has become a critical element of network defense. Its rise has

been driven by the way traditional concepts of secured zones, perimeters, network segments—even

“inside” and “outside”—have been rendered outdated by the modern cyberthreat landscape. After all, you

can’t count on walls to keep you safe from insider attacks by people with legitimate access, prevent multilevel

attacks designed to bring networks down, or stop lateral movement during the course of an attack.

• The Zero Trust model responds to these challenges by adopting the approach of “trust nobody”—inside or

outside the network. Cybersecurity strategies are redesigned accordingly along four key principles:

• Create network micro-segments and micro-perimeters to restrict east-west traffic flow and limit excessive

user privileges and access as much as possible.

Cyber Defense eMagazineNovember 2020 Edition 77

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


• Strengthen incident detection and response using comprehensive analytics and automation.

• Integrate solutions across multi-vendor networks with ease, so they can work together seamlessly, enabling

compliance and unified security. The solutions should also be easy to use so that additional complexity can

be removed.

• Provide comprehensive and centralized visibility into users, devices, data, the network, and workflows.

This sounds good in principle. Even the name “Zero Trust Security” is reassuring, with absolute terms

that suggest absolute protection. But there is a catch: The Zero Trust model works only when you have

full visibility into people and their activities. If something is invisible, there is no way for you to ensure that

it does not pose a risk. And that is true for the vast majority of network traffic thanks to the widespread

use of encryption.

Zero Trust Model / Zero Trust Security Blind Spot

Encryption is now ubiquitous across the internet. Google reports that over 90 percent of the traffic passing

through its services is encrypted, and the numbers are similar for other vendors as well. This trend has

been great for privacy—but it is devastating for security, whether you are implementing a Zero Trust

model or something different. As encryption renders network traffic invisible to legacy solutions, your

network’s security stack is effectively useless.

In response, many security vendors incorporate TLS inspection into their solutions. In effect, they decrypt

traffic, inspect it, and then re-encrypt it before passing it on. But this “distributed TLS inspection”

approach, in which decryption and re-encryption happens separately for each device in the security stack,

brings problems of its own. Network bottlenecks and performance problems typically compromise service

quality for business users and customers—an unacceptable penalty in today’s competitive business

environment. What is more, the need to deploy private keys in multiple locations across the multi-vendor,

multi-device security infrastructure expands the attack surface, increasing risk.

For the Zero Trust model to deliver on its promise, companies need a way to eliminate the Zero Trust

model blind spot without sacrificing service quality.

Full Encrypted Traffic Visibility via TLS inspection

avoid the downsides of distributed encryption, a solution must provide full visibility to the enterprise

security infrastructure through a dedicated, centralized SSL decryption solution. This needs to be

complemented by a multi-layered security approach for optimal protection.

Cyber Defense eMagazineNovember 2020 Edition 78

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Solutions need to take a “decrypt once, inspect many times” approach, letting the entire security

infrastructure inspect all traffic in clear text, at fast speeds, to avoid performance penalties and excess

complexity. The following additional features also support the four key principles of Zero Trust discussed

above:

User access control – SSL Insight can enforce authentication and authorization policies to restrict user

access, log detailed user access information, and provide the ability to apply different security policies

based on user and group IDs. Additional security services including URL filtering, application visibility

and control, threat intelligence, and threat investigation help strengthen the security efficacy of the entire

enterprise network.

Micro-segmentation – Granular traffic control, user and group ID-based traffic control, and support for

multi-tenancy facilitate micro-segmentation.

Rapid incident detection and response – The Harmony® Controller SSLi app provides comprehensive,

centralized visibility, and the ability to manage all SSL Insight deployments remotely from one location,

ensuring that uniform policies are applied across the organization.

Flexible deployment and integration – As a vendor-agnostic solution, SSL Insight integrates easily

with existing security devices by placing them in a secure decrypt zone.

Ease of Use – SSL Insight can be deployed within minutes in any network environment without causing

any network outages or disruptions. Centralized management enables full visibility, uniform security

policy enforcement, unified analytics, and SaaS traffic visibility across all SSL Insight deployments.

Without centralized and dedicated SSL inspection/TLS inspection, the Zero Trust model is unable to do

what it was designed to do – protect our networks, users and data from threats residing inside and outside

the network. SSL Insight provides a complete solution that not only enables the inspection of all incoming

and outgoing traffic, but also provides additional security services that can help strengthen your Zero

Trust strategy

Cyber Defense eMagazineNovember 2020 Edition 79

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


About the Author

Babur Nawaz Khan is a Technical Marketing Engineer at A10

Networks. He primarily focuses on A10's Enterprise Security and

DDoS Protection solutions. Prior to this, he was a member of A10's

Corporate Systems Engineering team, focusing on Application

Delivery Controllers. Babur holds a master's degree in Computer

Science from the University of Maryland, Baltimore County.

Babur can be reached at our company website

https://www.a10networks.com/contact-us/contact-sales/

Cyber Defense eMagazineNovember 2020 Edition 80

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Automated Pentesting – Ready to Replace Humans?

Is Automation the end of human pentesting?

By Alex Haynes, CISO, CDL

In the past few years, automation in many spheres of Cybersecurity has increased dramatically, but

pentesting has remained stubbornly immune to this. While crowdsourced security has evolved as an

alternative to pentesting in the past 10 years, it’s not based on automation but simply throwing more

humans at a problem (and in the process, creating its own set of weaknesses). Recently though,

automated pentesting tools have now surfaced to a point where they are usable to automate pentesting

under certain conditions. This begs the question, are human pentesters heading for redundancy? Can

we replace them with these tools?

To answer this question, we need to understand how they work, and crucially, what they don’t do. While

I’ve spent a great deal of the past year testing these tools and comparing them in like-for-like tests against

a human pentester, the big caveat here is that these automation tools are improving at a phenomenal

rate, so depending on when you read this, it may already be out of date.

First of all, the ‘delivery’ of the pentest is done by either an agent or a VM, which effectively simulates the

pentester’s laptop and/or attack proxy plugging into your network. So far, so normal. The pentesting bot

will then perform reconnaissance on its environment by performing identical scans to what a human

would do – so where you often have human pentesters perform a vulnerability scan with their tool of

choice or just a ports and services sweep with nmap or masscan. Once they’ve established where they

sit within the environment they will filter through what they’ve found and this is where their similarities to

vulnerability scanners end.

Cyber Defense eMagazineNovember 2020 Edition 81

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Vulnerability scanners will simply list a series of vulnerabilities and potential vulnerabilities that have been

found with no context as to their exploitability and will simply regurgitate CVE references and CVSS

scores. They will sometimes paste ‘proof’ that the system is vulnerable but don’t cater well to false

positives. The automated pentesting tools will then choose out of this list of targets the ‘best’ system to

take over, making decisions based on ease of exploit, noise and other such factors. So for example, if it

was presented with an windows machine which was vulnerable to eternalblue it may favour this over

brute forcing an open SSH port that authenticates with a password as it’s a known quantity and much

faster/easier exploit.

Once it gains a foothold, it will propagate itself through the network, mimicking the way a pentester or

attacker would do it, but the only difference being it actually installs a version of its own agent on the

exploited machine and continues its pivot from there (there are variations in how different vendors do

this). It then starts the process again from scratch, but this time will also make sure it forensically

investigates the machine it has landed on to give it more ammunition to continue it’s journey through your

network. This is where it will dump password hashes if possible or look for hardcoded credentials or SSH

keys. It will then add this to its repertoire for the next round of its expansion. So while previously it may

have just repeated the scan/exploit/pivot this time it will try a pass the hash attack, or try connecting to

an SSH port using the key it just pilfered. Then, it pivots again from here and so on and so forth.

If you notice a lot of similarities between how a human pentester behaves then you’re absolutely right –

a lot of this is exactly how pentesters (and to a less extent) attackers behave. The toolsets are similar

and the techniques and vectors used to pivot are identical in many ways. So what’s different?

Well first of all, the act of automation gives a few advantages over the ageing pentesting methodology

(and equally chaotic crowdsourced methodology).

The speed of the test and reporting is many magnitudes faster, and the reports are actually surprisingly

readable (after verifying with some QSA’s, they will also pass the various PCI-DSS pentesting

requirements). No more waiting days or weeks for a report that has been drafted by humans hands and

gone through a few rounds of QA before being delivered into your hands. This is one of the primary

weaknesses of human pentests since the adoption of continuous delivery has caused many pentest

reports to become out of date as soon as they are delivered since the environment on which the test was

completed has been updated multiple times since, and therefore, had potential vulnerabilities and

misconfigurations introduced that weren’t present at the time of the pentest. This is why traditional

pentesting is more akin to a snapshot of your security posture at a particular point in time.

Automated pentesting tools get around this limitation by being able to run tests daily, or twice daily, or on

every change, and have a report delivered almost instantly. This means you can potentially pentest your

environment daily and detect changes in configuration on an exploitability level on a daily basis too rather

than relying on a report delivered weeks later.

The 2 nd advantage is the entry point. While with a human pentest you may typically give them a specific

entry point into your network, with an automated pentest you can run the same pentest multiple times

from different entry points to uncover vulnerable vectors within your network and monitor various impact

scenarios depending on the entry point. While this is theoretically possible with a human it would require

a huge budgetary investment due to having to pay each time for a different test.

So what are the downsides to all this? Well first off, automated pentesting tools don’t understand web

applications – at all. While they will detect something like a web server at the ports/services level they

won’t understand that you have an IDOR vulnerability in your internal API or a SSRF in an internal web

Cyber Defense eMagazineNovember 2020 Edition 82

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


page that you can use to pivot further. This is because the web stack today is complex, and to be fair

even specialist scanners (like Web Application Scanners), have a hard time detecting vulnerabilities that

aren’t low hanging fruit (such as XSS or SQLi). This leads to a secondary weakness in automated

pentesting tools in that you can only use them ‘inside’ the network. As most exposed company

infrastructure will be web based, and automated pentesting tools don’t understand these, you’ll still need

to stick to a good ol’ fashioned human pentester for testing from the outside.

To conclude, the technology shows a lot of promise, but it’s early days and while they aren’t ready to

make human pentesters redundant just yet, they do have a role in meeting today’s offensive security

challenges that can’t be met without automation.

About the Author

Alex Haynes is a former pentester with a background in offensive

security and is credited for discovering vulnerabilities in products by

Microsoft, Adobe, Pinterest, Amazon Web Services and IBM. He is

a former top 10 ranked researcher on Bugcrowd and a member of

the Synack Red Team. He is currently CISO at CDL. Alex has

contributed to United States Cyber Security Magazine, Cyber

Defense Magazine, Infosecurity Magazine, and IAPP tech blog. He

is also a regular speaker at security conferences on the topic of

offensive security.

Cyber Defense eMagazineNovember 2020 Edition 83

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Mitigating the Pitfalls of Onedrive Security

By Veniamin Simonov, Director of Product Management, at NAKIVO Inc.

With COVID-19 triggering a potential long-term shift to working from home, SecOps teams are coming

under increasing pressure to keep data safe and systems secure. When it comes to cloud storage and

the protection of business data and applications, remote work has increased the threat of data loss and

data theft. Teleworking has also laid bare the data safety shortcomings of even established services like

Microsoft OneDrive.

Millions of people and businesses rely on OneDrive as a cloud storage and synchronization service and

for good reason. It’s been built with cybersecurity in mind. It is also one of the best and most powerful

cloud storage and syncing apps around, beating out DropBox, iCloud and Google Drive thanks to its ease

of use and simplicity. However, users should not rush to store all their data in OneDrive or any online

platform without carefully considering the data safety risks of cloud storage. If you want to use OneDrive

safely you should know the risks beforehand so you can make better decisions to reduce the probability

of undesired scenarios.

The three main safety and security concerns users should consider are data theft, data corruption and

data loss. In this article, we discuss how to mitigate them.

Cyber Defense eMagazineNovember 2020 Edition 84

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Not even Microsoft is fool proof

While Microsoft maintains that files stored on OneDrive are secure because they are encrypted on

Microsoft servers, this doesn’t mean you cannot be hacked. Aggressive hackers can access your drive

through trivial but surprisingly common mistakes. Using simple passwords and storing them in obvious

locations on your computer is a great example of a common error that could weaken your security. If it’s

easy for you to find, then it’s easy to do so for a persistent hacker too.

The risk is only further heightened by operating on public Wi-Fi networks, especially if you need to log in

to your Office 365 account. If the firewall is configured improperly on a router, attackers can use open

ports and vulnerabilities to infect computers.

Another risk factor is providing more permissions than needed when sharing files on OneDrive, which

gives other users the power to delete data, write unwanted changes to files and corrupt files if their

computers are infected by viruses. Companies should avoid granting administrator privileges when they

are not needed. Administrators should create regular user accounts for themselves for sending emails

and working on routine tasks such as sharing files on OneDrive and editing Office 365 documents.

Disaster can also strike when using an operating system without the latest security patches for software

such as Windows or Flash Player. Browsers can also have hidden vulnerabilities that can lead to exploits

as hackers manage to get control of a user’s machine.

Of course, all these risks can be running in the background without the user’s knowledge for a prolonged

period of time. A delayed response only makes matters worse and further compromises users, resulting

in significant losses and making it difficult to restore any lost data. However, users may be able to prevent

data loss by using the OneDrive security recommendations, which are rules to abide by for optimal use

of cloud software.

What are the security recommendations for using OneDrive?

There are the obvious recommendations, such as using a strong password and making sure that your

anti-virus software is up to scratch to make sure that it can detect malicious files on your computer and

delete them to prevent infection and data loss. But there are also other official recommendations, such

as deploying two-factor authentication with the Microsoft Authenticator mobile app. This will stop anyone

from getting to your files even if they figure out your password. For example, if a thief accesses your

device with a saved password, your phone acts as a second form of authentication.

You can also protect more sensitive data with the OneDrive personal vault, as it requires another form of

identification and automatically locks after a certain amount of time. This is especially useful if your device

is compromised while your regular storage folder is unlocked.

OneDrive also provides the Office 365 admin center for administrators of organizations to manage their

security settings centrally. Its Security and Compliance Center and automation tools and security

monitoring systems allow users to configure automated alerts that are triggered by suspicious activity.

Exchange Online Protection is a feature that can protect Office 365 accounts in your organization against

spam and malware. Microsoft Threat Intelligence and Advanced Threat protection also help protect Office

365 users against malware.

Cyber Defense eMagazineNovember 2020 Edition 85

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


It’s the little things that count

On any account, a user should not underestimate the importance of security or data protection. Avoiding

the little errors, such as storing passwords, payment data and other critical files on OneDrive in a careless

manner can make all the difference when it comes to creating a secure home office set up for employees.

It’s the small changes that can make a big difference when it comes to data protection.

This is because most of the security concerns for OneDrive stem from oversight and user error. To date,

there is no evidence of data leaks caused by Microsoft errors from data centers used for OneDrive cloud

storage. Microsoft uses modern technologies and standards for security and removes any found issues

as soon as they are identified. Microsoft helps protect its users from potential threats by identifying and

analyzing software and online content. When you download, install and run software, it checks the

reputation of downloaded programs and ensures you’re protected against known threats. Users are also

warned about software that is unidentifiable. On Microsoft’s end, encryption is performed when storing

data on Microsoft servers and when transferring data over networks – and encryption is the king of data

protection.

Overall, just because Microsoft hasn’t experienced a OneDrive hack itself, doesn’t mean that users don’t

have to worry about that. This is especially a risk when the virtual workforce is working from a variety of

locations and accessing cloud storage via a number of devices. No antivirus or protection technology is

perfect. So, as remote home and business users, it’s now more important than ever for them to be aware

of and deploy OneDrive’s security recommendations, and that they work with network administrators to

keep their networks safe in today’s accelerated threat landscape. If users can take a proactive approach

and apply recommendations as they are communicated, OneDrive will continue to be a viable cloud

service to support today’s remote working environment. End of article.

About the Author

My Name is Veniamin Simonov. I am Director of Product

Management at Nakivo, and I am responsible for driving the

execution of features and functionality for NAKIVO Backup &

Replication. My background includes several positions in product

management, with 10 years of experience working with

virtualization and cloud technology.

Veniamin can be reached online at @Naviko and at our company

website https://www.nakivo.com/

Cyber Defense eMagazineNovember 2020 Edition 86

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Emerging Technologies Create A New Line of Defense in

The Fight Against Fraud

ARTIFICIAL INTELLIGENCE POWERS VOICE BIOMETRICS FOR A MORE SECURE,

FRICTIONLESS CUSTOMER EXPERIENCE

By Brett Beranek, Vice President and General Manager, Security and Biometrics, Nuance

Communications

A growing number of organizations are deploying biometrics for a simpler, more secure way for

customers to validate their identities and do business with your organization. These emerging

technologies, often powered by artificial intelligence, not only help to combat near-constant attacks by

hackers, but they also provide your customers with high levels of security and convenience.

Social disruptions, such as a global pandemic, produce new realities that create paradigms in myriad

areas of life. That can mean accelerated transitions into new ways of living, from permanent work-fromhome

arrangements and telehealth to remote schooling and virtual socializing. Simultaneously, these

digital behaviors are opening new doors to hackers and fraudsters, who remain ready to capitalize on

any vulnerabilities, chaos, and uncertainty.

For example, Nuance has learned from its customers that the volume of fraud attacks is on the rise –

ranging from 200% - 400% in the past few weeks, depending on the industry. Some of these relate

directly to the pandemic, with recent reports 1 suggesting there have been at least 500 coronavirus-related

scams and over 2,000 phishing attempts so far. This figure is only set to increase as time goes by. These

crimes come with a hefty price tag, costing the global economy more than $5 trillion annually 2 .

1

The Guardian, April 2020

2 Crowe Financial Cost of Fraud Report.

3

Choose.co.uk, March 2020

Cyber Defense eMagazineNovember 2020 Edition 87

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Fraud is preventable

Your first line of defense often means reminding your customers to use unique passwords not replicated

on other sites, to enable multi-factor authentication, and to establish challenging questions to verify

identities in the case of a forgotten password. As long as passwords are the first line of defense, then

fraud losses will continue increasing year-after-year as it has for the past two decades. Fraudsters will

leverage the tried-and-true methods of phishing for passwords, or leveraging the password reset process

(e.g. OTP SMS or security questions) to perpetrate their fraud. I recently interviewed a fraud victim, Rob

Ross, who lost over $1m because of this OTP SMS password reset mechanism alone. As an industry,

we need to definitely put a big red X on passwords, password reset processes, and OTP SMS

mechanisms if we ever stand a chance to start reversing the trend and see decreases in fraud losses.

Server-Side biometric authentication and fraud prevention solutions offer a new line of defense

Server-side biometrics modalities such as voice biometrics have proven hyper-effective at eliminating

passwords, PINs, and security questions as authentication mechanisms in contact centers. You may

have experienced yourself, maybe the last time you called your bank, that you were seamlessly

authenticated this way. What you may not be aware of, is that regardless of if you authenticated this way

or not, voice biometrics was also used to detect fraud on all incoming calls. This is the benefit of an

integrated approach to using biometrics for both fraud prevention and authentication. Organizations have

reported phenomenal results when this approach is taken; For example, HSBC reported over $500m in

reduced fraud losses in 2019 due to this approach 3 .

How is it that contact centers have become, in many cases, more innovative than digital channels such

as mobile apps and websites when it comes to authentication and fraud prevention? One explanation is

in the easy access to “free” device side biometric modalities, such as fingerprint readers and facial

recognition on smartphones, which unfortunately by their very design, have had no impact on fraud

prevention or the elimination of passwords. At the end of the day, because these biometrics modalities

are device-based, they can’t be used to detect fraudsters (no ability to create a watchlist), and they require

a reset process – which is often a PIN or a password.

We have fallen into the trap of “free” and this has represented an immense gift to the fraud community.

Device-side biometrics have created an illusion of increased security, which we are now paying a hefty

price for.

Server-side biometrics, deployed in an integrated fashion for both authentication and fraud prevention,

are an essential tool to rid ourselves of passwords, security questions and OTP SMS. Let us learn from

our peers in the contact center industry and apply these technologies to all of our customer engagement

channels and finally put an end to the incessantly rampant fraud scourge.

Consider a contact center environment with an integrated biometric authentication and fraud prevention

solution in place. When a customer calls into the contact center, they can ditch the password and PIN

and instead use the power of their voice, simply speaking the phrase “My voice is my password” to gain

immediate access to their account. Biometric authentication analyzes more than 140 physical and

behavioral characteristics, including the speaker’s accent and rhythm, to create a unique, individual

voiceprint. In addition, the intelligence built into the authentication software can distinguish between live

speakers and recordings by monitoring sound frequencies. As a result, these voiceprints are vastly more

secure than conventional passwords; that is, hackers can steal a password, but they can’t steal a person’s

voice or reverse-engineer it, even if they were to gain access to the voiceprint from the server.

Cyber Defense eMagazineNovember 2020 Edition 88

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Beyond seamless, frictionless authentication to confirm a customer’s identity, an AI-powered fraud

prevention platform can engage in real-time authentication to help ensure swift and accurate fraud

prevention. If a criminal were to insert him- or herself into a conversation, for example, the intelligence

can quickly identify it and help to prevent financial losses. Likewise, by automatically analyzing calls in

real time, intelligent fraud prevention solutions can easily and quickly identify potential fraud cases before

a crime is committed.

These solutions can help to improve your security efforts across multiple channels (interactive voice

response, SMS chat, virtual assistant, and live chat) to create an efficient, intelligent, more secure

customer experience. And while these solutions can help shore up your boundaries and protocols now

as you adapt to and cope with a time of social disruption, they also set the foundation for a more secure

future.

About the Author

Brett Beranek is the Vice President and General Manager at Nuance

Communications. He is responsible for overseeing every aspect of the

security and biometric business at Nuance. Prior to joining Nuance, he

has held over the past decade various business development &

marketing positions within the enterprise B2B security software space.

Beranek has extensive experience with biometric technologies, in

particular in his role as a founding partner of Viion Systems, a startup

focused on developing facial recognition software solutions for the

enterprise market. Beranek also has in-depth experience with a wide

range of other security technologies, including fingerprint biometrics,

video analytics for the physical security space and license plate

recognition technology. He has earned a Bachelor of Commerce, Information Systems Major, from McGill

University as well as an Executive Marketing certificate from Massachusetts Institute of Technology’s

Sloan School of Management. Brett can be reached on our company website https://www.nuance.com.

Cyber Defense eMagazineNovember 2020 Edition 89

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


How to Adapt Financial Services to The Online Space

Securely – And Still Sleep at Night

Financial institutions, like eCommerce industries, are leading today’s fast, pandemic-driven transition to

the digital space. A change that will become a norm.

By Robert Capps, VP of Marketplace, NuData, a Mastercard Company

Branches have now reopened, but many customers will continue to transact online and enjoy the

convenience of banking in pajamas. In a recent NuData webinar with Aite Group’s Julie Conroy, she

shared that, “one bank’s public investor filing says that 75% of their servicing transactions are now digital

in the wake of the pandemic.” In addition, for many financial service employees, the period of remote

work that began in the spring is still ongoing, with no clear end in sight.

Few would disagree that this digital transformation is a positive development that makes financial

services more accessible to everyone, but it doesn’t come without risks. When evolution is rushed, the

established technologies and processes may leave vulnerabilities that bad actors can take advantage of.

To support a streamlined, consistent digital customer experience while also ensuring security, your

organization may need to add additional layers of protection.

Cyber Defense eMagazineNovember 2020 Edition 90

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Add a pandemic to fraud prevention

One-third of finance login attempts within the NuData client network are high risk. This is not a negligible

proportion of the average financial institution’s online traffic.

As Robert Capps explains during the same webinar with the Aite Group, “even when those login attempts

are unsuccessful, they hurt your bottom line by raising operational costs.” He also added, “You’re paying

for more bandwidth, more servers, more licensing fees to run software on those servers, more space in

a data center, more power — and so on — all to process transactions that have zero to negative value

for your company.” For many companies, these expenses run into the double-digit millions or more. By

getting top-of-funnel fraud attacks under control, you could reduce your fraud losses but also impact your

bottom line.

Fraud prevention was already a mind-bending challenge, but the pandemic has made it even worse for

many financial institutions. With many offices closed and travel restricted, users log in from fewer

locations on fewer different devices, making them, at first sight, easier to identify and differentiate from

fraudsters. But financial customers have also changed their habits in sometimes unpredictable ways.

They complete different types of transactions and transact more frequently, at different times of day,

compared to before the pandemic. These behavioral changes thwart some financial institutions’ existing

fraud risk models, increasing false positives, while still letting fraud through.

It doesn’t help that cybercriminals are adopting ever more sophisticated tactics to bypass financial

institutions’ defenses. According to NuData research, in the first half of 2020, 96% of attacks against

financial institutions were sophisticated. These are attacks that tried to mimic human behavior in an

attempt to blend in with legitimate traffic. Some attacks take it one step further and solve bot challenges

such as CAPTCHAs by sending them to human farms — essentially call centers for fraudsters. Humanfarm

workers are paid to process as many requests as possible, manually. Financial institutions need to

understand how these attacks happen and how they behave, to tell them apart from legitimate users.

WFH-ing safely

Remote work poses another growing challenge for financial institutions, as it may increase some types

of fraud risk. Many cyberthreats start at home — for example, a personal device on the home network

infected with malware can be an entry point. Bad actors can use that back door to infect a corporate

asset on the same network. It’s increasingly common for the initial attacker to sell such access to a third

party, who then exploits the breach to compromise user data or perform any number of malicious actions.

5 steps to lose the fear of cyberthreats

When shoring up your cybersecurity protections, prioritize solutions — both internal and external — that

enable an uninterrupted customer journey. As mentioned during the Aite Group webinar, 22% of

consumers left their credit or debit card issuer because of a poor experience. Here are a few ways to

tighten security without adding too much friction.

1. Tighten permissions for administrative users. Lessen the risk of internal fraud or data leakage

by reducing the amount of sensitive information that employees can access, for example, by

anonymizing personally identifiable information (PII). Behavioral analytics tools (see #5 below)

Cyber Defense eMagazineNovember 2020 Edition 91

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


can also help identify anomalous behaviors, such as an employee accessing datasets that aren’t

necessary for their work.

2. Use a VPN to enable access to internal tools. This is a best practice when people are working

from home networks that are generally less secure than networks at the operational center.

3. Employ a bot detection tool to block automated attacks. While bot detection is often placed

as a protection for customer accounts, during COVID-19, we’ve seen an increase in bots directed

at employee services in the work-from-home environment. Protect both sides to minimize your

risk.

4. Use behavioral analytics and passive biometrics to validate identity. A worker at a human

farm cutting and pasting stolen personal information from a spreadsheet doesn’t interact with an

online form the same way as a “good” user who is inputting their own information they know by

heart. And your trusted employee doesn’t use a mouse quite the same way as their roommate

who’s borrowing their computer. Understanding baseline behavioral and passive biometric

signatures for employees and customers lets you quickly flag anomalies that call into question

who’s actually sitting in front of the screen, even if they had all the right credentials.

5. Educate both employees and customers. In any system of cyber defenses, humans are usually

the weakest link. Strengthen it by teaching both customers and employees to look out for threats

in their everyday environment, especially social engineering attacks. On the employee side, it’s

especially important to educate call center workers who may be focused on delivering great

customer experience more than looking out for social engineering threats.

The strongest cyber defenses are not one but many at once. If accelerating your digital transformation

efforts during COVID-19 didn’t leave time to add the necessary protections, now is a good time to start

catching up. By setting up the infrastructure to make remote work more secure, educating employees

and customers about cyber threats and using advanced tools to continuously validate user identity, you

can make your new normal more secure — without sacrificing customer experience.

Cyber Defense eMagazineNovember 2020 Edition 92

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


About the Author

Robert Capps

VP of Marketplace, NuData, a Mastercard Company

Robert is NuData Security’s Vice President of Marketplace

Innovation. He is an industry-recognized technologist,

thought leader, and advisor with over twenty-five years of

experience in retail, payments, financial services, and

cybercrime investigation and prosecution. Robert brings his

industry insight and vision to drive market-leading products

and services for NuData Security, and is the public

spokesperson for the organization.

He is passionate about bringing safety to the digital world in

the shape of cutting-edge technologies, so companies and end users don’t have to worry about risks

from cybercrime.

In previous roles, Robert served as the Global Head of Payments, Security and Fraud for StubHub, as

the Head of Consumer Security for Wachovia and Golden West Financial, and continues to advise early

stage startups.

Robert Capps can be reached online Robert.capps@mastercard.com, nudatasecurity.com

Cyber Defense eMagazineNovember 2020 Edition 93

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cybersecurity Best Practices for End Users

By Jay Ryerse, CISSP, Vice President of Cybersecurity Initiatives, ConnectWise

When it comes to cybersecurity, there are a few misunderstandings. Many clients believe that they’re

completely secure and risk-free after hiring a technology solution provider (TSP) to manage their security.

However, the inaction of employees is the biggest risk to an organization’s information security.

Human error is one of the main points of weakness. In fact, it is reported that 90% of cyberattacks are

caused by human behavior. Knowing this, it’s crucial for businesses to undergo cybersecurity training.

This will ensure that team members learn how to protect sensitive information, understand their

responsibilities, and recognize signs of a malicious threat.

As a TSP, you will mostly likely be responsible for providing security education, training, and guidance

on policies for your clients.

Cyber Defense eMagazineNovember 2020 Edition 94

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Security awareness training should focus on:

• Phishing and social engineering

• Access, passwords, and connection

• Device security

• Physical security

Let’s dive into the tips and best practices that you can teach your clients and end users.

Phishing and Social Engineering

An attack that deceives a user or administrator into disclosing information is considered social

engineering. Phishing, a common social engineering attack, is an attempt to gain control of sensitive

information like credit cards and passwords through email or chat.

Phishing and social engineering attacks are extremely successful because they appear to come from a

credible source. Some giveaways of a phishing attack include links containing random numbers and

letters, typos, an odd sense of urgency, or a general sense that something feels off about the request.

Avoiding Phishing and Social Engineering Attacks

What should clients do if they’ve been involved in a phishing attack?

• Don’t click! If end users feel like something isn’t right, they shouldn’t click on a link or attachment or give

out sensitive information.

• Tell IT or your TSP. Alerting the right person or department in a timely manner is critical in preventing a

phishing scam from spreading company-wide. Always encourage your clients to ask you to investigate or

provide next steps.

Access, Passwords, and Connection

It’s important to go over the different elements of the network, such as access privileges, passwords, and

the network connection itself during cybersecurity training.

Your clients should be aware of which colleagues are general users versus privileged users. Typically,

privileged access is given to users who carry out administrative-level functions or need access to

sensitive data. Your client’s employees should know what user type they are in order to understand what

applications, information, or functions are accessible to them.

When it comes to passwords, especially those used to access IT environments, employees need to be

using best practices. Passwords should be unique to each application or site, contain at least eight

characters with a combination of letters and special characters, and exclude obvious information like

Cyber Defense eMagazineNovember 2020 Edition 95

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


names and birthdays. Generally, it’s best to change and/or update passwords about every six months.

Password management applications, like 1Password, can help make this process easier.

Employees should be cautious about using network connections outside of their home or work. Even

encrypted data on a personal device can be exposed to vulnerabilities through a public network

connection. It’s important to educate and encourage end users to only connect to trusted networks or

secure the connection with proper VPN settings.

Device Security

Today, there is an increasing popularity to Bring Your Own Device (BYOD), meaning an increased

number of mobile or personal devices in the workplace, connecting to the corporate network, and

accessing company data. Introducing outside devices to the network increases the amount of entry points

for threats. With this in mind, mobile devices need to be securely connected to the corporate network and

remain in the employee’s possession.

Personal mobile devices are vulnerable to the same threats that company desktops and laptops face.

Without pre-installed endpoint protection, tablets and smartphones may be even less secure. It’s

important for users to be aware of the applications they’re installing, websites they’re browsing, and links

they’re clicking on.

Physical Security

Online threats aren’t the only risks that employees need to be aware of. Physical security is also a factor

in keeping sensitive information protected. How many times have you accidentally left your computer or

mobile device unattended? It happens to all of us. Unfortunately, an employee’s data would instantly be

at risk if someone decided to steal their unattended phone or log in to their computer.

Here are a few ways that clients can improve their physical security in and out of the office:

• Keep devices locked. Get in the habit of doing this every time you leave your desk. For Windows users,

press and hold the Windows key, then press the “L” key. For Mac users, press Control + Shift + Eject (or

the Power key) at the same time.

• Secure your docs. Keep all of your documents in a locked cabinet, rather than leaving sensitive information

out and about. Before leaving for the day, store important documents in a safe or locked cabinet.

• Properly discard info. When throwing away or getting rid of documents and files, make sure you’re

shredding them and discarding them appropriately.

Cyber Defense eMagazineNovember 2020 Edition 96

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


About the Author

Jay Ryerse, CISSP, is the Vice President of Cybersecurity

Initiatives for ConnectWise. He brings more than 25 years

of experience providing information technology and

security solutions to businesses of all sizes. He’s the

previous owner of a successful Atlanta-based MSP and

was the CEO of CARVIR, the cybersecurity company

acquired by Continuum in 2018. Jay is the author of

“Technology 101 For Business Owners”, was named to

“The World’s TOP MSP Executives, Entrepreneurs &

Experts” in 2014 by MSPmentor.net, and was the “2015

Better Your Best” winner from Technology Marketing Toolkit. Today he works closely with IT service

providers and MSPs to provide insight and best practices for securing business networks.

Cyber Defense eMagazineNovember 2020 Edition 97

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


The One-Stop Spear Phishing Defense Guide You Will

Ever Need

By Jeff Penner, Senior Manager at ActiveCo Technology Management.

Is your business ready to combat spear phishing attacks?

It’s a question that gives many seasoned CTOs bad jitters.

The truth is that you can shore up your technical systems with the latest IDS systems, firewalls and all

manners of monitoring, but with each new report of unprecedented data and security breach coming in

now, the threat of security vulnerabilities always seems to loom only a stone’s throw away. The problem

does not lie only with the detection and flagging capabilities of your safety systems. It is likely that your

IT systems are doing a sophisticated job of that already. But that doesn’t guarantee your safety from

phishing attacks.

Cyber Defense eMagazineNovember 2020 Edition 98

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


IT Outsourcing firm has considerable experience in both planning and executing pre-emptive safety

tactics to protect businesses from spear phishing. In this article, we will lay out exactly why and how your

business needs to be covered beyond standard IT double checks.

Not a computer problem, but a very human one

The scope of building systemic responses against phishing attacks is always limited as it’s mostly limited

to a purely technical response. This is simply not enough. There can be no systemic defense against

phishing as the threats/ vulnerabilities can literally come from anywhere in the system.

Phishing attacks almost always catch businesses unawares simply because beyond a small coterie of

technical experts, the rest of people involved simply cannot grasp the scope of how a few apparently

insignificant human errors/ breach of protocols can have such a devastating impact on the business.

No matter how many horrifying security breaches pop up in the news every day, the average office-goer

(which may include even high-ranking executives and managers) is trained to think of security

vulnerabilities as ‘someone else’s (most likely IT’s) problem’.

In my view, this mindset problem causes more vulnerability in the system than any technical loophole

you may encounter.

Recognize that clever social engineering can always beat the best-designed firewalls

As far as security systems are concerned, a business can only be as strong as the human links holding

it together. This means enabling everyone from the busboy and interns to the executives running on

attention bias by default to learn how close and personal security problems can get. Their imaginations

need to extend more than the obvious Nigerian prince scams to understand just how sophisticated

targeted phishing attacks can get just by using information in the public domain to be able to dupe

everyone from high-ranking political officers, bureaucrats, company leaders and entire boards and

trustees of organizations.

Whether your system is targeted with phishing, spear fishing or vishing attacks, your staff needs to be

made aware enough about each to detect anomalies a mile way. They also need to be empowered

enough to be able to be proactive when an emergency arises and resourceful enough to follow protocols

without fearing a backlash when they report an incident or admit an error. A toxic or emotionally charged

office atmosphere can be as or even more harmful to your business’ security than a long-running

undetected systemic vulnerability.

Most businesses will benefit tremendously from setting up transparent incident management and security

breach reporting systems that train key personnel in how to respond and protocols to follow in case of a

breach.

Drive the vulnerabilities home and make the problems ‘real’

One of the problems in preparing for security breaches is that few people outside the IT department have

a notion of what to expect in the case of a breach.

Many businesses are starting to realize just how important employee awareness and proactivity is in

traversing fraught scenarios in the case of a threat/ attack. But traditional modes of top-down employee

Cyber Defense eMagazineNovember 2020 Edition 99

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


communications, such as pamphlets, fliers and organization-wide communiqués mostly prove ineffective

in driving the desired levels of security awareness and engagement.

We advise most clients to walk the opposite route. Instead of routine server downtime notifications and

multiple security checkpoint clearances that naturally tend to get associated with a ‘punishment’ neural

association with security protocols, we encourage clients to do fairly informal, small group meetings or

roadshows that discuss potential vulnerabilities in a manner that makes the problems appear closer and

more ‘real’. Discuss latest breaches by all means, but also brainstorm or maybe even create roleplaying

games around how to detect deceptions if someone sends emails to group members while posing to be

a key team member, a vendor/ supplier or even top leaders in the organization.

Divide and stay safe

When it comes to systemic checks to ensure security, your best line of defense can come from separation

of responsibilities, flatter hierarchies and procedures that require at least dual or multiple authorizations

to initiate transactions. Whatever security structure you may come up with, please remember that its

usability is always limited to a few weeks or months. Every system is vulnerable to insider threats and it’s

in your company’s best interest to review and refresh the protocols every few days/ weeks/ months

depending on sensitivity of data. Systemic reviews and risk analysis should be mandatory both

periodically and after key exits/ inductions to ensure every team member remains up to date with the

latest processes. For sensitive data and key financial transactions – extra controls should be

implemented.

Conduct penetration tests at regular intervals

Regular fire drills and hazard awareness are a pain for everyone involved – including drill conductors.

They involve downtime, slow productivity for minutes/ hours, and do cost a pretty penny in annual

budgets. But in real usage scenario, they do save lives – the value of which can scarcely be calculated.

With heightened data risks, we hope security penetration tests should become a regular feature in most

workplaces. Simply put, these tests deploy security experts in the role of hackers who tap into the length

and breadth of a business looking for potential security issues and vulnerabilities. Many businesses do

not have the requisite resources and expertise to conduct these tests in-house. IT support Vancouver

can help you be prepared for and execute security penetration tests efficiently to cover the scope of all

major and minor vulnerabilities at your workplace.

Recognize that spear phishing attacks cannot be isolated

Unlike conventional security products such as antivirus or anti-malware software that most people are

familiar with shoring up your system against phishing attacks cannot be an endpoint approach. Spear

phishing works on the basis of having enough internal knowledge of your business, technical systems

and key human resources in advance to be able to extort confidence in fraudulent activities despite being

on alert.

Building up defense against spear phishing tactics requires developing systemic resilience against a

multitude of attack vectors. This involves keeping a tab on potential sources of attack, their short and

long-term goals, understanding how they choose and build rapport with their intended victims and

Cyber Defense eMagazineNovember 2020 Edition 100

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


ecognizing parts of your system most likely to be under threat. Your system needs to be in shape to be

able to fight off spear phishing attempts before, during and after an attempted breach. You also need to

consult with experts with direct knowledge of dealing with rapidly evolving threats from unknown sources

in businesses of like size and magnitude as your organization. IT security Vancouver can be a good place

to start your research into strengthening your business’ defenses against targeted spear phishing attacks.

About the Author

Jeff Penner is a senior manager at ActiveCo Technology

Management, an IT Outsourcing Vancouver company. Jeff has

been in the managed services industry since 2015, understanding

what business owners are looking for from technology, and

helping them find it. The most important element for a business

owner taking on a new technology partner is peace of mind and

thus Jeff directs his efforts on finding practical information that any

leader can apply to their business. Jeff lives in Vancouver, BC,

sharing his love for learning and “the great indoors” with his 2

daughters. Stay connected on Twitter.

Cyber Defense eMagazineNovember 2020 Edition 101

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


The Serverless Security Machine

By Art Sturdevant, Director of Operations, Censys

Servers are BS. They require constant maintenance, monitoring and tweaking. As a security practitioner, regardless

of where your team lands on the org chart, you’re being charged with securing an ever-evolving landscape against

all internal and external threats. The time required just to keep basic services functioning is daunting and now,

you’re probably working even harder to secure and protect your remote workforce, all while working from home.

While the amount of time required to evaluate and respond to threats is constantly increasing, security budgets,

personnel, and tooling are not being adjusted at the same rate or are only adjusted in response to a particular threat

or incident.

Given that time is at such a premium, why is your team still deploying infrastructure that requires constant

supervision? With all these demands on your team, now is the time to move to a serverless infrastructure.

Traditional servers are great in that they can be provisioned and run forever, but unless the server is under constant

load, you’re likely wasting money and resources managing it. Teams are using all kinds of complex tools to deploy

new servers, apply configurations, update users, and apply security patches and still, there are servers that live

outside of these tools or silently lose connectivity, never to be managed again. Every time a new server is deployed,

you’re really managing three different problems -- server updates, software updates, and code updates.

Cyber Defense eMagazineNovember 2020 Edition 102

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Server updates can be risky, which is why large organizations employ a CAB to approve changes and security

updates. Teams schedule downtime or work to deploy across zones without interruption, but because these

changes apply to the entire operating system and are likely not authored by your team, it can be difficult to anticipate

how the change will affect the service you’re trying to manage and even tougher to debug.

Software updates are easier to manage and are likely better understood since the code was written by a team you

know. If you’re already familiar with CI/CD models, then you might already be well suited to the serverless lifestyle.

Code changes go in, peers review the changes, and the code is deployed in a seamless fashion. It may not always

be that flawless, but debugging code you wrote is almost always easier than debugging operating system changes

or behaviors.

By moving to a serverless architecture, you’re removing all the issues around software and security updates, system

breaches, user provisioning, system health monitoring and more. These issues are no longer your team’s problem

because you’re only responsible for deploying code that runs. All of the system updates and application updates

used to run the code are maintained behind the scenes.

Moving to a serverless architecture doesn’t have to be “all or nothing” in order to maximize your time investment.

For example, a good first step might be to evaluate the servers in your environment that only perform one task or

those that are heavily underutilized. A good sign that you’ve identified a solid candidate is when you find a

service/server that is performing a very event-driven task such as a server that collects and ships logs from various

SaaS services or systems. If the service operates on a schedule or cron job - you’ve got a perfect first candidate!

Most users start by moving to a containerized version of their code. Docker is a popular tool and is available on

nearly all platforms. Once you’ve containerized your code, simply deploy it to a docker host, or a cloud service

capable of running containers. Every major cloud provider has support for running containers in production

environments.

If you’re looking for something that is truly serverless, consider evaluating a cloud provider’s “Function as a Service”

(FaaS) offering. These come with a slight learning curve but also a lot of great features including a deployment

model that is easier than containers. FaaS is a model to deploy code (think a python script) and to run it over and

over in response to an event. A common scenario might be to fire a chat notification if a storage bucket becomes

public, or to update TLS certificates on specific hosts as they near expiration. A serverless architecture can allow

your team to quickly deploy proof of concept applications, or full blown applications to manage all corners of your

security program.

Although serverless assets can and often do reduce the administrative burden of managing servers, there are some

limitations to be aware of as you adopt this new model.

- Potential Learning Curve: Containerization and FaaS both require a new skillset. If for no other reason than

to get deployment working in a seamless fashion from your Continuous Integration/Continuous Deployment

tool. Once your team understands the requirements to deploy a service, this is a very repeatable process.

Deploying your first serverless project is likely an afternoon project for you or your team.

- Additional Expense: Misconfigurations can result in higher costs than a traditional virtual appliance in the

cloud. However, even at the increased expense, consider that your team doesn’t need to manage updates,

security patches, or worry about attackers compromising the server. It is a good idea to understand cloud

pricing models before automating these tasks to avoid a surprise at the end of the month. Functions should

be designed to read each word in the book, not each letter and not the whole book either.

Cyber Defense eMagazineNovember 2020 Edition 103

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


- Increased Latency: Depending on the cloud provider, FaaS and containerized services could result in

increased latency because of the “cold start time”. However, once the service is started up, running a

second or hundredth service should be fairly quick.

- Task Timeouts: Most cloud providers limit the amount of time a FaaS task can run before it is terminated.

A common timeout is between 30 seconds and 15 minutes. If you have a long-running task, you might want

to consider breaking it into smaller tasks or moving to containerization since container deployments do not

have the same timeout limitations.

- Updates Require Redeployments: To update containers with new code or new software packages, you’ll

need to redeploy the container to the cloud. If you’re updating a FaaS function, you’ll just need to redeploy

the code. While this might seem like a headache, if you update and deploy using CI/CD tools, this is actually

pretty straightforward. Most clouds allow you to deploy with a canary model - meaning you can direct some

traffic to your new code and some to your old code and keep adjusting until you’re confident that you haven’t

introduced any unexpected problems.

Help your security team alleviate the administrative burdens of managing servers by moving to a fully serverless

infrastructure. It may seem daunting at first, but once you have a couple of services or workflows moved over, you’ll

wonder why you didn’t make the move sooner.

About the Author

Art Sturdevant is the Director of Operations at Censys. An Information

Security professional with over 15 years experience, Art maintains a passion

for open-source projects, entrepreneurship, and the outdoors. Before joining

Censys in 2019, he was a Sr. Security Engineer for Duo Security and is also

a graduate of Central Michigan University where he graduated with honors

with a Bachelor of Science in Business Administration. To learn more about

Censys, visit censys.io or email Art at art@censys.io.

Cyber Defense eMagazineNovember 2020 Edition 104

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Unlocking the Promise of Packet Capture

By Kathryn Ash, President, IPCopper, Inc.

It turns out that IT people do get plenty of exercise. From the job description it sounds like a desk job, but

that promise of getting all the answers without leaving the desk hasn’t panned out. Take the example of

a small 50 Mbps network – it produces around 10 TB of data per month, given 1/3 utilization over 24/7.

That’s only about one hard drive’s worth, so why doesn’t everybody just capture their data in full and reap

the benefits of packet capture by solving technical problems, finding security flaws and, well, getting all

the answers? Why does all troubleshooting still start with a ping, just like it did decades ago? The answer

is glaringly simple: capturing the packets is easy. Making sense of the data is the hard part.

Take a mundane yet essential security task such as making sure all computers on the corporate campus

are using up-to-date SSL. You could check every computer on the network. Or, you could check every

packet on the network. The first takes your time and effort. The second is done by a machine: tell the

machine to examine every packet to answer two questions: Is it SSL, and, if so, which version?

Making sense of packet capture data unlocks numerous possibilities for managing, monitoring, controlling

and securing computer networks, from detecting and keeping tabs on a new device the second it sends

out its first ARP to ferreting out zombie computers and alerting when a client computer’s bandwidth

utilization suddenly looks more like a server’s. Likewise with identifying servers, tracking which computers

checked in with the antivirus update server or even finding out who is sucking up all the bandwidth. This

Cyber Defense eMagazineNovember 2020 Edition 105

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


is all in addition to figuring out who is downloading or uploading files to China and what those files contain.

It’s all in the packets.

While those terabytes of data may prove to be worth their virtual weight in gold, without the processing

power and a system to unlock the value from the packets, they don’t amount to the cost of a hard drive.

A single packet capture appliance lacks the oomph needed to extract value from the data – it bottlenecks

at either the hard drives or the processor, resulting in long waits for queries, packet loss or both.

Distributed packet capture systems, however, aggregate and orchestrate the processing power of

multiple machines to blast through hundreds and thousands of terabytes of full packet capture, while

capturing new packets at the same time.

In today’s computing environment a distributed system of four to eight machines, even with low-cost

processors (yes, even down to yesterday’s desktops), has ample capacity and responsiveness to crunch

the load from a 50 Mbps network. To get a one-minute response to a query spanning one month of data,

you are looking at a ratio of 43,000:1, that is, one minute to process what took over 43,000 minutes to

capture. A low-cost chassis with one regular HDD would deliver about 1 Gbps processing, while an SSD

would deliver 5-7 Gbps. A system of eight machines translates to 8 to 56 Gbps raw processing

throughput, maybe even, on a really good day, 100 Gbps. That brings the ratio down to around 1000:1.

Cutting out the payload would make it possible to take care of that one month of data in 1-2 minutes (and

if your software doesn’t do reports on the payload, what’s the use of having them anyway?). The power

to process the payload and software to generate reports on the payload, however, gives you that very

magical ability to get the answers and solve problems with the data to back it up – without having to hoof

it around campus, checking individual computers one by one. Rather than cutting out the payload to

speed up queries, software for a good distributed packet capture system multiplies the processing

throughput of the hardware 10 to 100 times, making it possible to both capture the payload and get

reports spanning one month of full packet data in less than one minute, even with a small set up of only

four to eight machines. This is a game changer when it comes to packet capture and managing and

monitoring networks, not the least because reports and aggregates take far less storage space than raw

packet capture, meaning the sky’s the limit when it comes to the depth and breadth of the reports

possible.

Once you get a taste of what a distributed system offers, you can expand it further by adding more

hardware to increase the lookback period. This in turn makes it possible to trace problems from the

beginning, rather than investigating them mid-stream and attempting to extrapolate – seeing how a

problem started brings you a lot closer to seeing how it was triggered, than seeing how it ended.

Incidentally, adding more hardware also adds to the available raw processing power, making it possible

to do even more in less time – one of the beauties of a distributed system is its affordable scalability.

In addition to getting results and relegating marathons to your free time, you can also add in feeling good

about doing your part to combat e-waste. Recycling is always good and saving money by reincarnating

old, slow desktops that everyone hates into supercomputers for networking makes you a “green”

champion, in more ways than one.

Cyber Defense eMagazineNovember 2020 Edition 106

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


About the Author

Kathryn Ash is the President of IPCopper, Inc., a manufacturer of

network appliances based in Portland, Oregon. She has been

with the company for over the past decade, guiding the

development and marketing of its cutting edge technology for

packet capture and analysis, most recently presiding over the

debut of its newest product, Lateral Data Processing for

Distributed Packet Capture. Email Kathryn at

kathryn.ash@ipcopper.com or visit http://www.ipcopper.com/.

Cyber Defense eMagazineNovember 2020 Edition 107

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Intelligent Protection Against DNS DDoS Attacks is

Critical Part of Cybersecurity Architecture

By Ashraf Sheet, Regional Director, Middle East & Africa at Infoblox

In 2020 DDoS attacks continue to increase both in volume and in frequency. Nexusguard Research 3 just

reported a 542% increase in DDoS attacks in the first quarter of 2020 when compared with the last quarter

of 2019. The NexusGuard research team also detected unusual traffic patterns from ISPs which included

traffic generated from infected devices.

In rare harmony, Kaspersky also reported that DDoS attacks have doubled in the first quarter of 202

when compared to the last quarter of 2019 4 . Kaspersky also found that DDoS cyberattacks are increasing

in duration – the average attack duration increased by 24% in the first quarter of 2020 compared with the

same quarter one year ago.

3

https://www.businesswire.com/news/home/20200630005295/en/DDoS-Attacks-Increase-542-Quarter-over-

Quarter-Pandemic-Nexusguard/

4

https://securityintelligence.com/articles/avoid-ddos-attacks/

Cyber Defense eMagazineNovember 2020 Edition 108

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


DNS and DDoS attack vectors have emerged as one of the critical weapons of choice to support fraud,

extortion, and malicious attack. Threat actors may be politically motivated, part of organized crime, or

even nation-state cyberwarfare operatives.

The COVID-19 pandemic was the genesis of this new opportunity as the disease continues to impact

businesses and economies worldwide. The net result is that 2020 has become the year of the teleworker.

The use of online services from home and other remote locations became more critical than ever.

Students are online. Employees are serving customers online. Many of us are working from home and

highly dependent on internet connectivity. The mix of devices we use often includes our laptops and

mobile devices. Threat actors have moved with lightspeed to leverage this opportunity.

But just when you thought it could not get worse, it does. DDoS for hire (otherwise known as “booter”

services) allows threat actors to access thousands of pre-configured servers that can be used to launch

DDoS assaults against any organization. Booters are web-based services that provide criminal DDoS

services for hire. These tools are often referred to in polite conversation as IP stressors, which are

legitimately used to test your networks and servers for resiliency. Certainly, stress testing your own

network is normal. But deploying such technology to create a DDoS attack against external parties is

illegal and malicious criminal activity. The great majority of these servers are hijacked, and malicious

activity is usually completely unknown to their owners.

As you would expect, booters are sold on the dark web using untraceable currencies such as Bitcoin. An

informal survey showed that you could “purchase” the use of a compromised server for between $10 to

$150 or more. You get the passwords and access to the server. Some criminal enterprises sell access

to the use of booters “as a service” and vary pricing by the number of attacks you wish to launch, the

duration of the attacks, and even price out the addition of customer support!

As quickly as law enforcement agencies can find them and shut them down, new ones still seem to spring

up. The number of these servers for sale at times looks quite large, with many tens of thousands of

hijacked servers accessible at meagre cost for a motivated attacker.

The DDoS attacks launched by these threat actor booter sites take us back to basics. As always, the mix

of readily usable attack techniques includes DNS amplification and DNS reflection. They may be used

alone and in combination. An amplification attack is a technique used by threat actors where a small

query can trigger a massive response. In this scenario, threat actors flood the server with short requests

that require long responses, allowing a small compute resource to overload the targeted DNS server.

The DNS server is so busy attempting to respond to all these malicious requests that it doesn’t have time

to respond to legitimate ones, and network activity grinds to a halt.

The reflection attack vector sends queries that appear to come from the target of the attack. The huge

volume of responses, which are amplified, are then sent to the target effectively overwhelming the target.

In this scenario, the attacker sends a query to a recursive name server with a spoofed source IP address.

Instead of the real IP address, the threat actor places the target (victim) IP address as the source IP

address. The recursive name server retrieves the answer to the query from the authoritative name server

and sends it to the target.

Cyber Defense eMagazineNovember 2020 Edition 109

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


A sophisticated threat actor can combine the two techniques by spoofing the targets’ IP address and

sending a carefully crafted query that will result in a large payload. This double punch can be an

overwhelming DNS DDoS attack scenario. This allows the threat actor to attack two different targets at

the same time easily.

Comprehensive and intelligent protection against DNS DDoS attacks should be an essential part of your

cybersecurity architecture.

About the Author

Ashraf Sheet is Regional Director, Middle East & Africa at Infoblox. He is

a network and security expert in the region and has held various

progressive roles including senior security consultant, leader for

Managed Security services and head of Security Business Unit for local

and multinational companies.

Ashraf can be reached online at (asheet@infoblox.com) and at our

company website https://www.infoblox.com/

Cyber Defense eMagazineNovember 2020 Edition 110

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


NCSAM Provided an Opportunity to Reset Our Approach

to Cybersecurity

October marked National Cyber Security Awareness Month, but experts warn that cybersecurity

requires attention 24/7/365

By Sam Humphries, Security Strategist, Exabeam

Earlier this year in the rapid transition to a remote workforce, we saw security leaders looking to quickly

find the right balance between ensuring the organization’s productivity needs are met, and keeping the

organization secure. Finding this equilibrium continues. As we maintain a working-from-home structure,

we cannot afford to be complacent when it comes to cybersecurity.

This National Cybersecurity Awareness Month (NCSAM) provided organizations with an opportunity to

hit the reset button. A combination of training, organizational alignment and technology is the right

approach to detecting and stopping security threats. Effective training should help employees understand

and buy-in to the importance of cybersecurity, and in the BYOH (bring your own home) world,

organizations should broaden awareness efforts to include helping users secure their home

environments.

As the cyber-threat landscape becomes increasingly sophisticated, we must continue to arm our security

teams with the knowledge and tools required to succeed in building a better cyber defense. Below, eight

industry experts discuss the importance of NCSAM and encourage organizations to secure their

businesses every day of the year.

Cyber Defense eMagazineNovember 2020 Edition 111

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Torsten George, cybersecurity evangelist, Centrify

"National Cyber Security Awareness Month is an excellent opportunity to remind businesses and

consumers alike to never let their guard down when it comes to protecting access to data. All data has

some kind of value, whether it’s a PIN code, digital medical records, social security numbers, social media

posts, or even blood oxygen levels from your fancy new watch. This year's theme, ‘Do Your Part: Be

#CyberSmart,’ takes on increased significance, as our work and personal lives continue to blur, more

devices are connected to the internet than ever, and a historic amount of critical personal and business

data is shared digitally.

If there's one takeaway for businesses, it's that cyber-attackers no longer ‘hack’ in – they log in using

weak, stolen, or phished credentials. This is especially damaging when it comes to privileged credentials,

such as those used by IT administrators to access critical infrastructure, which are estimated to be

involved in 80% of data breaches. So how can we reduce this number as we move into the holiday season

and 2021?

Granting 'least privilege' is essential to preventing unauthorized access to business-critical systems and

sensitive data by both insiders and external threat actors. Striving towards zero-standing privileges and

only granting just-enough, just-in-time access to target systems and infrastructure limits lateral

movement. As organizations continue their digital transformation journeys, they should look to cloudready

solutions that can scale with modern business needs. By embedding these key principles into the

security stack, the risk of employees' credentials being compromised and/or abused can be dramatically

reduced, compliance can be strengthened, and the organization can be more secure."

Gijsbert Janssen van Doorn, director technical marketing, Zerto

“As organizations transitioned into remote working almost overnight, security teams were left to quickly

ensure their businesses were secure, while trying to fill in the cracks left behind by the introduction of

new networks, new devices, and new cyber attacks.

It isn’t a surprise that cybercriminals started taking advantage of this almost immediately, carrying out

ransomware attacks throughout the pandemic as businesses did everything they could to remain

operational. However, away from the private sector, where healthcare and public sector organisations

have been facing huge pressures to manage and control the COVID-19 outbreak, bad actors have posed

a significant threat. Keeping healthcare operations running in normal circumstances is absolutely critical,

but in the middle of a pandemic, that significance is only magnified.

This year, National Cybersecurity Awareness Month emphasized personal accountability as well as the

importance of taking proactive steps to enhance cybersecurity. Employees, now more than ever, need to

remain vigilant in protecting their organization. Ransomware attacks can and will still occur, so cyber

resilience is imperative. With a 72% increase in ransomware attacks during COVID-19, organizations

need to be prepared for the inevitable.

Once compromised, it’s too late to take any preventative measures. Organizations need to be able to

recover data and get back to operating swiftly and painlessly without paying a ransom. Key to this is

Cyber Defense eMagazineNovember 2020 Edition 112

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


leveraging IT resilience solutions that can quickly and effectively provide recovery after an attack. With

the right continuous data protection tools in place, businesses need not worry about paying ransoms and

can instead simply recover pre-attack data files within seconds.”

Carl D’Halluin, CTO, Datadobi

"The COVID-19 pandemic and remote work economy has served to exacerbate existing cyberthreats

such as inside threat actors, ransomware, or a storage platform-specific bug or hack. Downtime caused

by these attacks can come at a very high cost for organizations — both financially and reputationally.

Unstructured data business continuity planning and protection — whether on-premises or in the cloud —

is still lagging dangerously far behind other cybersecurity efforts. Even worse, hackers are increasingly

viewing NAS (network-attached storage) as a highly-profitable target. It’s important for IT and security

leaders to consider this data when building out security strategies.

“No IT professional wants to imagine the worst-case scenario happening to them: a situation where their

NAS or object storage has been locked up by hackers. As organizations increasingly rely on unstructured

data to perform day-to-day business-critical functions, they need to maintain instantaneous access to this

core data. The best practice would be for organizations to maintain a secure ‘golden copy’ of businesscritical

data in an air-gapped location of their choosing (a physical bunker site, data center, or public

cloud). The golden copy complements the traditional data protection strategy by providing an extra layer

of insurance so that in the event of a cyberattack, business operations can continue.”

Jay Ryserse, CISSP, VP of Cybersecurity Initiatives at ConnectWise

Cybersecurity is a journey, not a destination. The need to reinforce policy and best practices around

cyber hygiene requires continuing education. Whether it's education for your team or conversations about

culture with your customers, you have to consider it’s an ongoing process that requires maintenance.

While National Cyber Security Awareness Month is a great opportunity to discuss the current issues we’re

facing and make plans to address them, cybersecurity is critical 365 days a year. Cyber crime doesn’t

rest and neither should organizations.

The month also presented a good opportunity to discuss the growing importance of cybersecurity within

the managed service provider (MSP) community. When we review the results of a recent survey we

conducted with Vanson Bourne, the importance of investing in ongoing cybersecurity education is evident

in the data. Ninety-one percent of SMBs say they would consider using or moving to a new IT service

provider if it offered the ‘right’ cybersecurity solution. For most, that means having confidence that their

provider will be able to respond to cyber attacks and minimize any damage. If I’m an MSP, I’m going to

focus on educating my team on how to deliver the ‘right’ cybersecurity solutions. MSPs owe it to

themselves to keep up with trends and knowledge in cybersecurity in order to increase their service

offerings and provide their customers with the protection they’re seeking.”

Cyber Defense eMagazineNovember 2020 Edition 113

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Surya Varanasi, CTO, StorCentric

“As cyber threats continue to raise concerns across virtually all industries, particularly healthcare and

financial, it is important that organizations remain compliant and find solutions that implement the latest

encrypted technology to protect their data and the data of their customers.

To support business continuity, as well as ensure data protection and security, IT professionals should

look for policy-based solutions with the ability to fingerprint and encrypt data to fortify businesses against

viruses, ransomware, and other bad actors. Solutions that are able to restore from virtual shortcuts can

decrease the amount of time spent retrieving data and help users bring their businesses back up quickly.

Implementing self-healing technology can help the system to automatically ensure it is in order and

ensure your last line of defense is continuously updated and ready to go. This is an immutable copy that

can’t be altered and it is replicated to a remote location using an encrypted transfer. While you can’t

eliminate cybercrime, you can take steps to help organizations be prepared to evade and/or recover from

it.”

Jeff Hussey, CEO, Tempered

“National Cyber Security Awareness Month is the perfect time to bring awareness to the work that needs

to be done to secure our critical infrastructure. Critical infrastructure — from electrical grids, and smart

city applications to water treatment plants — have vulnerabilities that pose enormous cyber risk and in

turn, risks to communities. Traditionally, these networks have been physically managed and air-gapped.

Managing and securing these networks and remote sites today is difficult, as new technologies are added

to legacy systems.

Fortunately, state-of-the-art secure networking solutions are now available that extend secure

connectivity across physical, virtual, and cloud platforms and secure every endpoint in your network, with

true micro-segmentation and secure remote access. These solutions not only eliminate network-based

attacks, but they also reduce the cost and complexity required to effectively manage critical infrastructure

for governments, utilities, and IoT applications.”

Trevor Bidle, VP of Information Security and Compliance Officer, US Signal

“When we celebrated National Cyber Security Awareness Month in 2019, no one could have predicted

that at that time the following year, the world would be in the midst of a pandemic -- and that many

companies would be faced with the technological challenges of a newly distributed workforce.

Compounding this issue, 64,000 IT professionals are expected to have lost their jobs by the end of 2020,

while cybercrime has quadrupled -- leaving organizations short-staffed yet increasingly targeted by

hackers. The solution for some may be to turn to a third-party SOC that can offload some of the security

posture decisions and monitoring.

For years, vulnerability management tools have been reactive rather than proactive -- only spotting weak

points on the network after they’ve been compromised by a hacker. But the most effective, modern

solutions use threat intelligence to proactively identify, classify and prioritize vulnerabilities based on

criticality -- allowing organizations to catch them before the bad guys do.

Cyber Defense eMagazineNovember 2020 Edition 114

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Many businesses struggle to set up, scan and effectively analyze vulnerability scan results in a way that

drives meaningful action to remedy the issues, however. IT and security departments who want to expand

their teams through a third-party SOC can turn to these highly-trained experts to manage vulnerability

scanning, report analysis and remediation recommendations. In addition to vulnerability management,

organizations can use third-party providers for backup and disaster recovery to help restore data in the

face of ransomware attacks, and to help build and test effective incident response plans.

While there are additional considerations, these steps are a strong start toward a more secure future,

even in these unpredictable times. And it’s important to remember, there’s no shame in asking for help.”

JG Heithcock, General Manager of Retrospect, Inc., a StorCentric Company

“National Cybersecurity Awareness Month served as a reminder that cyber criminals continue to exploit

the pandemic and remote workforce by targeting organizations through phishing, malware distribution,

false domain names, and other attacks on teleworking infrastructure.

Preparing for cybercrime attacks through the use of proven techniques will protect your data and critical

systems, helping your organization to minimize risks, rapidly recover if necessary, and maintain

operations. This includes updating your system and investing in anti-malware software; protecting your

endpoints and not just servers or file sharing systems; implementing a 3-2-1 backup strategy consisting

of: 3 copies of data, 2 different formats and 1 offsite location; routinely monitoring backups to help detect

ransomware; and no matter how uncomfortable it might seem, do not pay the ransom in the event of a

ransomware attack as this doesn’t guarantee your data will be restored.”

About the Author

Sam Humphries, security strategist, Exabeam

Samantha has 20 years of experience in cyber security, and during

this time has held a plethora of roles, one of her favourite titles

being Global Threat Response Manager, which definitely sounds

more glamorous than it was in reality. She has defined strategy for

multiple security products and technologies, helped hundreds of

organisations of all shapes, sizes, and geographies recover and

learn from cyberattacks, and trained many people on security

concepts and solutions.

In her current role as global product marketing team at Exabeam,

she has responsibility for EMEA, Data Lake, compliance, and all

things related to cloud. Samantha authors articles for various

security publications, and is a regular speaker and volunteer at industry events, including BSides, IPExpo,

CyberSecurityX, The Diana Initiative, and Blue Team Village (DEFCON). Samantha can be reached at

our company website http://www.exabeam.com.

Cyber Defense eMagazineNovember 2020 Edition 115

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


How Blockchain Is Helping Stop the Spread of COVID-19

By Robert Galarza, CEO, TruTrace Technologies

By now, we all know the cost of COVID-19. Many countries have struggled to contain the virus, forcing

people to practice social distancing, wear masks and take extra precautions to minimize exposure.

Frontline workers are unable to secure the PPE needed to keep them safe. News outlets and social

media are pushing information on the public, right and wrong, causing rifts amongst communities.

The pandemic has ignited a crisis of trust that affects people, governments, products and processes.

What has become clear in the quest to contain and combat the virus is the need for timely data from

reliable sources.

Crypto technology can verify, secure and share data, making it ideal for managing some of the biggest

issues surrounding the spread of coronavirus — the lack of data security, outdated surveillance systems

and poor supply chain management.

Blockchain can build new paradigms of trust by providing transparency for managing and sharing

information. Using decentralization and blockchain technologies, organizations around the world are able

to connect like never before, uniting humanity in a collective front to fight COVID-19 and future viruses.

Let’s examine three ways blockchain is helping stop the spread of COVID-19.

How Blockchain Manages Data Sharing

In March 2020, the World Health Organization (WHO) partnered with several major tech companies

(including Microsoft, IBM and Oracle), along with international health organizations and government

agencies to launch an open data hub called MiPasa.

Created by HACERA, the platform aims to detect COVID-19 carriers and infection hotspots quickly and

precisely. MiPasa will securely share information among individuals, hospitals and authorities, which will

aid in public health analysis and create a single source of verified and up-to-date information.

Governments around the world are introducing contact tracing apps — smartphone apps which use

phone tracking technology to oversee the population’s movement in an effort to monitor and control

outbreaks. One of the main challenges associated with the adoption of these apps is the need to ensure

Cyber Defense eMagazineNovember 2020 Edition 116

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


data protection and privacy for users. That’s where blockchain comes in as a means to store data in

ledgers, protecting it from unauthorized access.

Governments that implement crypto techniques can tackle the pandemic while ensuring patient privacy

is uncompromised. Facilitating the sharing of essential COVID-19 related data will help in diagnosis,

treatment and research for developing a vaccine.

How Blockchain Helps Track Donations

Blockchain ensures donations — monetary or medical equipment — are transparent and traceable.

Previous handling of public donations and the distribution of aid has caused distrust in the perception of

some charity organizations, which has given rise to donation tracking platforms like Shenzong.

Blockchain’s transparency provides donors with full traceability of donations, from the point of being

received, to how donations have been matched to areas most in need, to when donations are delivered.

By ensuring donations are reaching the correct destinations, those most in need will receive the medical

equipment needed to help stop the spread of the coronavirus.

How Blockchain Protects Supply Chains

One of the biggest issues that has emerged from the pandemic is the inability to authenticate healthcare

products, leading to a breakdown of trust in supply chains. The unprecedented demand for quality

disinfectants around the world has created an opportunity for counterfeit and defective products to flood

the market. Unfortunately, thousands of defective products are reaching the market because people are

trying to cut corners. This is the biggest dark spot for a lot of PPE orders; they don’t know where the

products are coming from. The FDA’s recent warnings about deficient and even dangerous products in

the market reinforces the need for reliable products.

Blockchain allows consumers and healthcare practitioners to track the origin and providence of medical

supplies, ensuring products are trustworthy, transparent and traceable. Utilizing digital ledgers,

blockchain records supply chain data on a granular level, connecting information in a way that can be

quickly and rapidly accessed.

Dynamic recall systems are designed to recall a batch lot, so if a product is discovered to be faulty,

blockchain facilitates the ability to connect all the data points back to the original source. This provides

data security to manufacturers on the materials used that can be tracked from origin. Subsequently,

purchasers are reassured they are buying safe, quality products.

A positive note to take away from the tragedy of the pandemic is the acceleration of innovative systems

to help stop the virus from spreading. We might yet see personalized wellness as the next step for

blockchain in the fight against the coronavirus. Blockchain has the capability to manage lifestyle on an

individual level — sleep patterns, fitness levels, nutrition — and how you can best maximize your health

to build the T cells and create the antibodies in your system to stay healthy.

Cyber Defense eMagazineNovember 2020 Edition 117

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


About the Author

Robert Galarza is Chief Executive Officer of TruTrace Technologies,

developer of the first integrated blockchain platform that registers and

tracks intellectual property from Genome to Sale for the cannabis

industry.

Cyber Defense eMagazineNovember 2020 Edition 118

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Patched Minimizes Risk - But Opens the Door for

Compatibility Problems

How to Remediate Federal Systems with Zerologon Vulnerability

By Egon Rinderer, Global Vice President of Technology & Federal CTO, Tanium

In September, the Cybersecurity and Infrastructure Security Agency (CISA) released a notice stating the

Zerologon vulnerability poses an “unacceptable risk” to the federal civilian executive branch, and required

that all federal agencies “immediately apply the Windows Server August 2020 security update” or

disconnect from federal networks. Zerologon is perhaps one of the most significant vulnerabilities to hit

in a long time.

Back in August, Microsoft released the software update Netlogon EoP – or zerologon – to mitigate a

critical vulnerability in the Windows Netlogon Remote Protocol server interface. Netlogon allows devices

to authenticate to the domain controller (DC) and update their password in the Active Directory (AD).

Netlogon is designed for specific tasks like maintaining relationships between members of domains and

the DC, or between many DCs across one or many domains, and replicating the DC database. At the

time of the update, this was only the first update in a phased rollout expected to conclude February 2021.

Federal systems go through routine patches and software updates. These fix and improve security

vulnerabilities and other bugs cybercriminals might use to gain unauthorized access to a user’s device

and sensitive data. Software vendors release critical patches with the intent of protecting the

organizations and users leveraging the software. But, sometimes while the patch may safeguard against

Cyber Defense eMagazineNovember 2020 Edition 119

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


the latest threat, it can also unintentionally create other issues across the network. Ideally, organizations

have a test environment where they can first deploy the patch and measure the effectiveness as well as

any issues it might cause (e.g., if a mission critical tool or function is unavailable). But, test environments

aren’t always identical to the production environment, and some organizations may not have one at all.

While not identical, the impact of this latest patch is reminiscent of the fallout from the Microsoft patch for

Meltdown (CVE-2017-5754). Distribution of the patch was altogether halted at one point due to the issues

it caused for some machines (e.g., failure to boot). What’s unique about the patch for zerologon, however,

is that Microsoft knew prior to release that there would be compatibility issues, which explains the

complexity in the response and guidance—phased implementation, partial enforcement now and more

coming later, an option to go to full enforcement sooner, new logged events to tell you when those

compatibility issues are happening, and a GPO to exempt specific systems from the new restriction.

These patch complexities can leave some networks and users in a precarious position. With the patch

comes certain compatibility issues, but without the patch, hackers can use this vulnerability to create

easy-to-use exploits. This vulnerability allows attackers to impersonate any computer to the DC in the

agency network and change their password – all while going unnoticed by IT teams. Hackers can also

execute remote procedure calls on their behalf to gain access to corporate networks.

In the case of zerologon, since an agency’s active directory rarely, if ever, gets completely rebuilt or

replaced over time, a skilled cybercriminal could quietly establish long-term, full administrative

persistence inside the entire network and remain unnoticed. Further, agencies underestimate its impact

because it 'only affects DCs.’ But the problem is agencies often have far more DCs than they think – and

those DCs are spread all over the globe. Control of any DC grants the ability to do anything they want on

any member machine in the AD forest, including hide persistence on them.

Roadblocks to Closing the Vulnerability

Zerologon isn’t something you can just patch and forget. Remediation requires several steps and

repeated validation. Further, tactics by bad actors are evolving daily – so it is more critical than ever to

routinely update systems to prevent breaches.

The solution is not as simple as shutting the insecure channels of communications, as this can potentially

break other applications and platforms. It is very difficult to determine the impact without rigorous testing.

The exploit depends on signing and encryption being optional. When the protocol’s less-secure option is

unavailable, the exploit no longer works. The patch brings a subtle change to the Netlogon protocol that

breaks the “all-zeroes” exploit technique. This means that even when you can’t require

signing/encryption, successful exploitation of the protocol’s weakness is now mathematically many orders

of magnitude more difficult than it was (That’s good news!).

After patching DCs, you should determine whether any authorized computers are being blocked or will

be blocked in full-enforcement mode (what MS refers to as “Phase II”), so that they can be updated,

retired, or exempted with the new group policy setting.

Cyber Defense eMagazineNovember 2020 Edition 120

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Further, DCs often receive patches later than other systems in the agency network because of a “don’t

rock the boat” mentality. Having the DCs updated and stable is critical – and this means patches and

security updates are approached with hesitation. The bottom line? This vulnerability exposes the keys to

the kingdom – and it is absolutely critical that agencies understand it and take it seriously.

Next Steps

Zerologon patches are only available for versions of Windows that are still supported and receive security

updates. But in practice, many networks have legacy Windows devices or non-Windows devices that

communicate with DCs using the protocol. Federal IT teams who have the patch should utilize the

Microsoft guidance:

• Deploy the August 11, 2020 updates to all applicable DCs in the forest including read-only DCs

• Collect events in DC event logs to determine which devices in the environment are using

vulnerable Netlogon secure channel connections

• Address Netlogon event IDs 5827 and 5828, indicating non-compliant machines that are being

blocked now, and event ID 5829 indicating noncompliant machines that will be blocked when full

enforcement is applied

• Move to enforcement mode in advance of the February 9, 2021 enforcement phase

• Deploy February 9, 2021 updates

Agencies that use Microsoft Windows are better served by taking a holistic risk management approach,

using complete, accurate, and real-time data from a single source to reduce risk and improve security. In

doing so, they can also reduce the number of point products, reallocate budget and scarce resources,

and justify future budget requests for critical security activities – all while providing a more comprehensive

view of the security landscape that enables more strategic business decisions.

Leveraging a single platform that integrates endpoint management and security unifies teams, effectively

breaking down the data silos and closing the accountability, visibility, and resilience gaps that often exist

between IT operations and security teams.

A platform approach also gives agencies end-to-end visibility across end users, DCs, servers, and cloud

endpoints, and the ability to identify assets, protect systems, detect threats, respond to attacks, and

recover at scale. When agencies achieve complete visibility and control, the risk from cyberattacks is

significantly reduced and their ability to make good business decisions is improved.

At this stage, agencies that use the Netlogon server are aware of the vulnerability and the risk it brings.

IT teams must prioritize standard checks for patches and routinely complete vulnerability assessments

to analyze and determine the current level of risk.

Cyber Defense eMagazineNovember 2020 Edition 121

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


About the Author

Egon Rinderer is the Global Vice President of Technology and

Federal CTO at Tanium. With 30 years of Federal and private

sector industry experience, Egon currently leads the global

Enterprise Services Organization as well as leading Tanium

Federal as Chief Technology Officer. Joining Tanium at a time

when the company was made up of less than 20 employees,

he has held roles ranging from Technical Account Manager to

Federal Pod Lead to global Vice President of the TAM

organization. Prior to joining Tanium, Egon was with Intel

Corporation and served throughout the US military and

intelligence community in the United States and abroad in an

operational capacity. Egon can be reached at

egon.rinderer@tanium.com, online at

https://www.linkedin.com/in/egon-rinderer/, or at our company website at

https://www.tanium.com/solutions/federal-government/

Cyber Defense eMagazineNovember 2020 Edition 122

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


For Federal Agencies, Securing Internet of Things

Devices Is A Growing Challenge

By Katherine Gronberg, Vice President of Government Affairs, Forescout

In June, the cybersecurity company JSOF, with help from Forescout, released some eye-opening

research about a set of 19 vulnerabilities, collectively known as Ripple20. The Ripple20 vulnerabilities

are found within the TCP-IP protocol code sold by Ohio-based software company, Treck, and are used

by a wide range of Internet of Things (IoT) and Operational Technology (OT) devices. An OT device

refers to a specific type of computing device that manages, monitors or controls operations that are more

physical or industrial in nature, such as an environmental control or security system. The Ripple20

vulnerabilities make these devices susceptible to remote code execution exploits, which is a type of

exploit that allows an attacker to take full control of a device. This can allow attackers to disrupt the

operations of an organization or to leverage that device as an entry point onto the network to attack other

sensitive assets or information.

A TCP-IP stack is an embedded library of code that allows a device to communicate over the internet.

Treck’s code was built to handle the TCP-IP protocol that connects devices to networks and the internet

and as previously mentioned, is incorporated into a range of IoT and OT devices. Unfortunately,

organizations rarely know the component makeup of their IoT devices, as there is currently no

requirement for manufacturers to provide customers a bill of materials that describes the specific

hardware and software components contained in IoT and OT devices. Common types of devices running

Cyber Defense eMagazineNovember 2020 Edition 123

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Treck include office printers, medical infusion pumps, security cameras, video conferencing tools and

building automation systems, to cite a few examples.

Federal agencies are heavily affected by the Ripple20 vulnerabilities as they increasingly rely on

networked IoT and OT to perform their missions. Forescout sees hundreds, and in some cases

thousands, of smart devices and IoT devices, as well as OT devices, on government networks. We have

seen examples of federal agencies that purchase smart appliances for use in kitchens or labs, but which

the manufacturer will not warranty unless the appliance is granted an internet connection, which may

violate an agency’s policies. Out of a sample of 90,000 devices found running Treck, nearly 6,000 were

in use within the government sector. According to Forescout research, devices and equipment for

heating/ventilation/air conditioning (HVAC), emergency communications and IP camera systems (like

those used for physical building security monitoring) have emerged as riskiest for government agencies.

The pervasiveness of IoT and OT on government networks, with a significant number of those containing

the Ripple20 vulnerability, should signal how important it is that federal agencies have a way to identify

and manage the cyber risks of these kinds of devices. Yet, federal agencies have struggled mightily with

this problem. This is partially because agencies’ IT security functions haven’t really wanted to address

the security of these operational systems and left them largely to the system owners to figure out (e.g.

the facilities management people). Further, until now, none of these parties had adequate tools to

address the security of these devices. IoT and OT devices are not like traditional computers; they are

difficult to detect and can be difficult to identify correctly. They cannot run traditional security software the

way a computer can. In our experiences with new federal customers, we have found that most are

unaware of how much IoT and OT is actually present on their networks.

At the policy level, government leaders have focused their attention on creating conditions and standards

for the manufacturers of IoT and OT to meet, including potentially requiring them to build certain security

features into products. But the IoT attack environment is, frankly, too explosive for static feature

requirements or point-in-time product or vendor certifications to suffice. Examples of such constructs

include IoT product or manufacturer certification processes, the requirement for manufacturers to provide

software or hardware bills of materials, and certification-based “device tagging” mechanisms. While these

ideas will provide agencies more information about the IoT running on their networks, the overall federal

strategy being implemented has to balance these methods with an equal or greater emphasis on

augmenting behavior-based, continuous monitoring approaches. These refer to methods that allow

agencies to monitor, in real time, the network access, posture and behavior of all devices and associated

users, and to continuously enforce controls and compliance on these devices.

These methods are currently being implemented within the Department of Defense (DoD) through the

Comply-to-Connect (C2C) program. The overarching goal of C2C is to improve the authentication,

authorization, compliance assessment and automated remediation of all devices and systems connecting

to a network. Within the C2C framework, IT, IoT and OT devices and systems are detected

instantaneously upon presenting themselves to the network. They are identified, assessed for signs of

compromise and other anomalous configurations and behaviors, and finally assessed for their

compliance with DoD security policies. Compliant devices and systems gain the desired level access to

the network, while unauthorized ones are held in quarantine until they successfully meet requirements.

Cyber Defense eMagazineNovember 2020 Edition 124

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


C2C allows the DoD to inspect every single device for malicious code, prohibited software,

noncompliance and other risks. In responding to challenges of today, C2C applies to IoT devices as well

as systems for industrial control, weapons, medical gear, commercial smart devices and embedded

controls. The program has in its scope all devices and systems within a “single pane of glass,” under a

singular security architecture, as opposed to the security of different device types and systems being

managed by disparate teams within DoD.

The capabilities of C2C will form the foundation of the DoD’s efforts to implement an enterprise Zero

Trust architecture, most importantly, by restricting any device’s network access until it has proven itself

trustworthy. Once approved, C2C requires the continuous monitoring of an endpoint, enforcing its access

to data resources via network segmentation and limited penetration to other networked resources. The

National Institute of Standards and Technology (NIST) has published some especially important guidance

on both Zero Trust and Continuous Monitoring.

There is no turning back to a pre-IoT/OT world. Agencies are now far too reliant on the devices for

mission-critical tasks. IoT must be embraced for its ability to create efficiencies and improve safety in

federal missions, but government IT leaders must simultaneously employ frameworks that can secure

these devices, the data on them and the critical functions they perform. C2C is this framework within the

DoD and it will enable the Department to incorporate IoT innovation into its critical missions while ensuring

they don’t introduce mission-impacting risk.

About the Author

Katherine Gronberg is Vice President of Government Affairs at Forescout

Technologies, Inc., the leader in Enterprise of Things security. Prior to

Forescout, she taught at Georgetown University’s Edmund A. Walsh

School of Foreign Service and ran her own government affairs consulting

firm. Prior to this, Katherine served as a Staff Director on the Senate

Appropriations Committee, handling billions in annual appropriations for

federal agencies such as the Departments of State and Commerce.

Cyber Defense eMagazineNovember 2020 Edition 125

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Nations—Not Individuals—Are After Your IP

By Ryan Benner, Anexinet

A recent Wall Street Journal article titled, Russian Hackers Have Targeted 200 Groups Tied to U.S.

Election, has Microsoft stating that “Russian government hackers have targeted at least 200

organizations tied to the 2020 U.S. election in recent weeks, including national and state political parties

and political consultants working for both Republicans and Democrats.” The article goes on to point out

that other bad actor nations such as China and Iran have also been identified by Microsoft as engaging

in cyberattacks against “high-profile individuals” and “targeting personal accounts of people associated

with President Trump’s campaign,” respectively. There is an understated cybersecurity progression to

this piece: Ten to twenty years ago, bad actors were typically individuals or even small groups, often tied

to organized crime, that were just looking for financial gain. Today we have the skills of a nation seeking

to influence global politics.

The phenomenon of nation-states as bad actors has significantly risen over the last decade. These

nations are not just seeking to steal data for financial gain, they are also looking at acquiring information

to be used for economic espionage such as tapping into power grids or monetary gain from copying

proprietary products and systems such as IT device codes. It’s a wake-up call for any organization to

carefully review its downstream business relationships and contracts. Are they linked in any way to

government entities? Is your company manufacturing proprietary parts for a military vehicle that can be

copied and reproduced cheaper in other parts of the world? If the answer is “yes,” you may be a target

for very well-trained, deep-pocketed bad actors that are extremely persistent in their pursuit of your

intellectual property.

Cyber Defense eMagazineNovember 2020 Edition 126

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


The following are documented cyberattacks performed by bad actor nations:

Unpatched Systems

One of the biggest issues constantly exploited by bad actors is an unpatched system. Over the last few

years, we've seen a plethora of new attacks that leverage exploits that have not been published to the

world yet. According to Security Boulevard, “cyberattacks increased 17% over the past year [2019] and

their severity rose 27% compared to 2018.” The most notable result from the polling was that “60% of

breaches were linked to a vulnerability where a patch was available, but not applied.”

Organizations must realize that bad actor nations have the funding and the manpower to methodically

dig into software and firmware and find these exploits before they would traditionally be found by the

manufacturers themselves. And they leverage these exploits in ways that make it very difficult to find

them because the attacker doesn’t want to just exploit a single system, they want to use the entry system

as a jump-off point to exploit many areas of the network. While in stealth mode, many security tools are

not capable of identifying their presence, because they don’t trip any wires or alarms. It’s their mission to

stay hidden in the network and to take over as many parts of the infrastructure as possible.

Spear-Phishing

CSOonline states that phishing attacks account for more than 80% of reported security incidents and

RiskIQ estimates that $17,700 is lost every minute due to phishing attacks. Why are these figures so

high? Because the end-user is always the weakest link in the chain and by nature, most people are

trusting individuals. That’s why when an email looks official, perhaps from their bank, or their company’s

IT Help Desk, the target willingly hands over their credentials.

Over the years, there has been considerable advancement with email security tools to help recognize

spear-phishing and block it from getting to end-users. This protection includes web and DNS tools that

block end-users’ attempts at clicking fraudulent email links. Ultimately, the responsibility resides with the

end-user to look for oddities in the email such as misspellings or signs in the nomenclature that it’s not

written by a native English speaker. When these emails are identified, end-users must be trained to report

the incident to the IT security department immediately.

Brute Force Attacks and Password Sprays

Brute force leverages a computer system to break an encryption protocol or a password. With the everincreasing

processing power, millions of password attempts can be performed per second. From a

network policy perspective, it's all about ensuring the appropriate, complex passwords are being used

and password lockout policies, such as after 5 bad attempts, are in place. Although brute force attacks

are less successful, the attackers will often come back to test a company’s security policies to see if the

latest protocols have been put into place.

Similar to brute force attacks, password spraying is going after the end-users’ accounts. However, instead

of focusing on one account and trying hundreds of thousands of password combinations, a password

spray attempt will focus on going after a large number of accounts with a handful of commonly used

passwords. This type of attack is effective because many individuals set the security credentials as their

email address and “password 1-2-3,” or similar, simplistic easy-to-remember permutations. Over the last

Cyber Defense eMagazineNovember 2020 Edition 127

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


few years, newer recommendations call for “phrase passwords” to be used, where the end-user selects

a line from their favorite song, wedding vow, or quote; much easier to remember than a ten-character

string.

A Much Bigger Attack Surface

Exacerbating the cyberattack problem is the fact that we now have an immense, remote workforce that

has increased the attack surface exponentially. Now that a much larger percentage of workers and

students are remote and using a lot of new collaboration style software, these bad actors have a much

larger target to hit.

Preventing a cyberattack is extremely difficult, but there are many ways to mitigate the risk. The first step

is to become intimately familiar with every aspect of the network, including hardware, software, end

devices as well as anything connected that could be considered an entry point e.g IoT devices, card

readers, and even printers. From there it goes to ensuring the right policies are in place and building the

right programs around these policies such as the aforementioned methods discussed in the documented

attacks. Once those areas are taken care of, the right tools and software need to be utilized to ensure

the adequate layers of defense are in place to detect and defend critical intellectual property (IP) assets.

With all these checkpoints taken care of, the final step is to layer monitoring on top to ensure credible

alerts are being escalated for proper attention.

You Don’t Have to Go It Alone

A Managed Security Provider (MSP) can help an organization create a customized security program

leveraging premise and cloud-based security tools to protect users and IP assets. Layered on top of the

security program is 24/7 monitoring from trained staff within a Security Operations Center (SOC). MSPs

were created because it's very difficult and expensive for companies to have all the in-house talent—

across all the various cybersecurity disciplines.

From a hacker’s point-of-view, monetary gain seems like table stakes compared to effectively influencing

a nation; and yet, this too may be a stepping stone to even more diabolical efforts. Mitigating risks with

solid security policies, layering security tools, and cutting-edge monitoring systems that prompt

immediate action is the best course of action to protect your organization’s private information and IP.

Cyber Defense eMagazineNovember 2020 Edition 128

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


About the Author

Ryan Benner is Vice President of Presales at Anexinet – a 20-year

digital business solutions provider offering customers a complete

digital experience from engaging front-end interactions to

dependable back-end solutions, all informed by data-driven

insights. Ryan has expertise in building new revenue streams and

significant growth in technology consulting companies. Prior to

Anexinet, Ryan was VP Solutions & Services / VP Enterprise

Infrastructure at Arraya Solutions, where he was instrumental in

enabling the company to achieve 4X revenue growth and transform

from a small VAR to a provider of strategic solutions. Ryan holds a

Bachelor of Science degree in Information Systems from Penn

State University. Anexinet can be found on LinkedIn and Twitter.

Cyber Defense eMagazineNovember 2020 Edition 129

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Video Intercom Systems Reinvent Building Security

By Melvin Braide, Content Writer

Intercom systems have been around for decades, but recently access control solutions have started to

incorporate video functionality, surveillance, and two-way calling. In this piece, we discuss how video

intercom is reinventing residential and commercial building security.

An intercom system is an autonomous, internal communication system within a building or a collection of

buildings that is not part of the public telephone network. It is a familiar presence in offices, multi-tenant

buildings, and some homes. In its most primitive stage, it was nicknamed the "buzzer" – because of the

sound it made when a guest pushed the button at the front door of a multi-tenant building – and letting a

visitor into the building was "buzzing them in." Those systems linger in older facilities.

The buzzer system offered adequate, if not clear, audio. Over time, the frailties of this technology became

apparent. You could hear the guest's voice, but you couldn’t completely verify identification. Simply put,

you couldn't visually assess who you are allowing onto your premises. That changed with video

intercoms.

What Is a Video Intercom System?

Holistic safety and security in today's post-COVID society includes cybersecurity, physical security, and

environmental health and safety. An ideal system would address security on all three fronts. Video

intercom is one such tool. So what is it?

A video intercom is an advanced intercom system with a video component that supports two-way

video calls. The video component allows you to assess anyone at the front door before granting

access. High-end video intercoms combine with cloud-based systems to connect mobile devices

for remote visitor management and access control.

Cyber Defense eMagazineNovember 2020 Edition 130

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


How Is Video Intercom Being Used in Commercial and Residential Buildings??

Video intercom systems are increasingly employed to strengthen security and improve visitor

management. The versatility of video intercom systems makes them suitable for both residential and

commercial facilities. But there are subtle differences in how they are used in different situations.




Office intercom systems: Intercom systems for businesses are used for more extensive

purposes than just granting access to visitors. Office video intercom systems serve as an internal

communication system between offices in the same building and different locations.

Video intercom systems for multi-tenant commercial buildings: High-rise multi-tenant

buildings use video intercom primarily to verify a visitor's identity. In this sense, a visitor also

includes couriers, maintenance personnel, and employees missing their access credentials.

Residential video intercom: For apartment complexes and condominium communities, the

primary concern is to protect against theft, break-ins, and vandalism and monitor access to the

building when you’re not home.

Regardless of the utility, it’s important to choose the right video intercom system. Video intercom systems

come with a variety of features that serve various purposes. You can opt for a wireless video intercom

and connect via WIFI, or you can choose a wired system that connects with ethernet.

Benefits of Video Intercom Solutions

Visitor identification via video increases security

Video intercom adds an extra layer of protection to your residential or office security system. Its standout

feature is the two-way video call that allows you to verify who you are talking to and whether they are

alone. Some video intercoms use up to a 7MP high-resolution camera capable of capturing the tiny

inscriptions on an ID card for verification.

Touchless/hands-free solutions

A video intercom with access control capabilities increases physical health in this COVID world.

Integrated system capabilities can be connected to any electronic door unlock system preinstalled in your

building. With that in place, after confirming the identity of the person at the front door, you can grant

access remotely to align with current social distancing guidelines. It’s completely contactless; hence, no

health fears.

Cloud-based solutions

We come in contact with cloud-based solutions every day. Cloud capabilities have long surpassed

networks for many reasons. The benefits of cloud-based access control mirror the secure and resilient

nature that make the solution so attractive. COVID-19 has exacerbated the utility of on-premise systems,

so the security industry is shifting to put systems management back into the hands of the experts.

Cyber Defense eMagazineNovember 2020 Edition 131

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Remote access control and visitor management

With remote visitor management, it’s possible to remain a healthy distance away from others while

granting or denying access from anywhere. Many times, especially in today’s environment, it’s not

possible to physically welcome a visitor. So, remote capabilities are now becoming an essential feature

when it comes to building a sound facility operation.

Accountability

Accountability has been a security component, but never has it been so pronounced as it is today.

Advanced visitor management systems have the ability to capture data that hasn’t been possible before.

With the help of video intercom, it’s possible to review who is in the building, for what reason, and for

whom. This is incredibly useful in the event of an emergency or should an incident occur within the facility,

where the facility manager is the one held accountable.

About the Author

Melvin Braide, Content Writer

Melvin Braide is a professional content writer and copywriter at Swiftlane, with

a degree in Mechanical Engineering and years of experience writing across

various niches. Melvin focuses on providing valuable and educational content

for Swiftlane’s growing audience in the areas of access control, visitor

management, and security.

Cyber Defense eMagazineNovember 2020 Edition 132

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 133

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 134

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 135

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 136

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 137

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 138

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 139

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 140

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Meet Our Publisher: Gary S. Miliefsky, CISSP, fmDHS

“Amazing Keynote”

“Best Speaker on the Hacking Stage”

“Most Entertaining and Engaging”

Gary has been keynoting cyber security events throughout the year. He’s also been a

moderator, a panelist and has numerous upcoming events throughout the year.

If you are looking for a cybersecurity expert who can make the difference from a nice event to

a stellar conference, look no further email marketing@cyberdefensemagazine.com

Cyber Defense eMagazineNovember 2020 Edition 141

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


You asked, and it’s finally here…we’ve launched CyberDefense.TV

At least a dozen exceptional interviews rolling out each month starting this summer…

Market leaders, innovators, CEO hot seat interviews and much more.

A new division of Cyber Defense Media Group and sister to Cyber Defense Magazine.

Cyber Defense eMagazineNovember 2020 Edition 142

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


FREE MONTHLY CYBER DEFENSE EMAGAZINE VIA EMAIL

ENJOY OUR MONTHLY ELECTRONIC EDITIONS OF OUR MAGAZINES FOR FREE.

This magazine is by and for ethical information security professionals with a twist on innovative consumer

products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our

mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best

ideas, products and services in the information technology industry. Our monthly Cyber Defense e-

Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare

arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of

sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here

to sign up today and within moments, you’ll receive your first email from us with an archive of our

newsletters along with this month’s newsletter.

By signing up, you’ll always be in the loop with CDM.

Copyright (C) 2020, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G.

SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a

CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com,

CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability

Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465,

Cyber Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS#

078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com

All rights reserved worldwide. Copyright © 2020, Cyber Defense Magazine. All rights reserved. No part of this

newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying,

recording, taping or by any information storage retrieval system without the written permission of the publisher

except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of

the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may

no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect

the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content

and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at

marketing@cyberdefensemagazine.com

Cyber Defense Magazine

276 Fifth Avenue, Suite 704, New York, NY 1000

EIN: 454-18-8465, DUNS# 078358935.

All rights reserved worldwide.

marketing@cyberdefensemagazine.com

www.cyberdefensemagazine.com

NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA)

Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 11/02/2020

Cyber Defense eMagazineNovember 2020 Edition 143

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


TRILLIONS ARE AT STAKE

No 1 INTERNATIONAL BESTSELLER IN FOUR CATEGORIES

Released:

https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guys-ebook/dp/B07KPNS9NH

In Development:

Cyber Defense eMagazineNovember 2020 Edition 144

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Nearly 9 Years in The Making…

Thank You to our Loyal Subscribers!

We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know

What You Think. It's mobile and tablet friendly and superfast. We hope you

like it. In addition, we're shooting for 7x24x365 uptime as we continue to

scale with improved Web App Firewalls, Content Deliver Networks (CDNs)

around the Globe, Faster and More Secure DNS

and CyberDefenseMagazine.com up and running as an array of live mirror

sites. Millions of monthly readers and new platforms coming…

Cyber Defense eMagazineNovember 2020 Edition 145

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 146

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 147

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 148

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 149

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.


Cyber Defense eMagazineNovember 2020 Edition 150

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!