CS Nov-Dec 2020

Computing
Security
Secure systems, secure data, secure people, secure business
HACKERS FOR HIRE
Only cyber resilience will
stop them in their tracks
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
SPOT CHECKS
Contact tracing could be
‘infringing human rights’
SIEGE MENTALITY
Cyber-attacks go global
HAVE YOU BEEN SMISHED?
Beware the growing texting menace
Computing Security Nov/Dec 2020

My peace of
mind starts
with Neustar
Security.
Cloud Security Solutions that are
Always-on, Ultra Secure.
security.neustar

comment
TIME TO TAKE GDPR UP A GEAR
Recent research has revealed that GDPR doesn't go far enough in the eyes of many
IT leaders and employees, who are calling for greater tech regulations around
data protection and cyber security. The research, which comes from Snow
Software, looks at responses from 1,000 IT leaders and 3,000 employees across the
globe. Key findings reveal:
94% of IT leaders and 82% of employees believe more regulations are needed. That's
compared to 74% of employees in 2019 survey. Of those who do want to see more
tech regulations, the two leading areas were data protection (54% of IT leaders/46%
employees) and cybersecurity (54% IT/ 42% employees).
In the UK, 54% of IT would prefer to see regulations that are firmly focused on
cybersecurity first and foremost, followed closely by data protection at 48%. Data
collection and encryption tie for third at 35% each, followed by competition and
universal connectivity at 22% each. British and German IT respondents had the highest
percentage of those who felt the technology industry did not need more regulation,
both reporting 9%. Australians were slightly lower at 6%, while just 2% of American IT
leaders thought additional regulation was not needed.
When asked how the current state of technology regulations made them feel, the
leading sentiment among IT leaders in 2020 was hopeful at 43%. Yet employees
reported being slightly less hopeful - 26% in 2020 down from 29% in 2019.
Unsuprisingly, perhaps, the biggest gap that existed between IT leaders and employees
was around empowerment - in the current year, 32% of IT leaders felt empowered,
versus just 15% of employees.
The biggest year-over-year change related to vulnerability - and this was a positive.
Nearly twice as many employees felt vulnerable in 2019 (24%), compared to 2020
(13% employees and 10% of IT leaders). It suggests organisations are perceived to
be getting a better grip on keeping the workorce safer and more secure. It will be
interesting to see how well such votes of confidence hold up in the wider business
world, as the Covid-19 pandemic continues to exert its impact on us all.
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
Abby Penn
(abby.penn@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2020 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk Nov/Dec 2020 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security Nov/Dec 2020
contents
CONTENTS
Computing
Security
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
HACKERS FOR HIRE
SPOT CHECKS
Contact tracing could be
Only cyber resilience will
‘infringing human rights’
stop them in their tracks
SIEGE MENTALITY
Cyber-attacks go global
HAVE YOU BEEN SMISHED?
COMMENT 3
Time to take GDPR up a gear
Beware the growing texting menace
EDITOR’S FOCUS 6
Life under siege
OPEN-AND-SHUT CASE 15
Being receptive to ethical disclosure is
vital, states Paul Ritchie, Managing
Security Consultant, Pentest Limited
THE NEW ORDER 16
Is now the perfect time to get your (IT)
house in order? Paul Harris, managing
director, Pentest, offers his thoughts
SHATTERED TRUST 8
Babylon Health suffered a data breach
where users of the GP remote consultation
service were able to access videos of other
patients' appointments with their doctor.
Are such hack attacks, which are soaring,
becoming beyond our control?
HITTING THE SWEET SPOT 18
Digital transformation is forecast to be
the next driver for mergers & acquisitions
SMISH, SMASH, BASH! 12
A relatively new spin on phishing has
DENTED SHIELD 20
entered the lexicon, in the form of
The EU-US Privacy Shield has been ruled
'smishing'. But what is that exactly and
invalid, shaking up how data protection
how dangerous might it be to the
and data privacy are regarded
unsuspecting? And where does ‘vishing’
come to play? Welcome to an ever more
BRAKING BAD! 25
perplexing world!
Car owners could be putting themselves
at great risk by not clearing their personal
data before selling their vehicles
APTS AND COVID-19 30
WE HAVE CONTACT 22
A recent intelligence report reveals how
Effective contact tracing is important when
advanced persistent threats are using the
it comes to successfully limiting the spread
coronavirus as a lure
of pandemics. Yet the data that is gathered
could well lead to human rights abuses, if
THE GOOD... AND THE BAD 31
effective safeguards are not put in place to
Confusion around some new technologies
protect the privacy of individuals
is hitting many companies trying to be
compliant with the GDPR
REBALANCING THE BOOKS 32
Awareness around gender diversity in the
HACKERS FOR HIRE 26
cyber security industry is starting to improve,
‘Hacker for hire’ groups are said to be
but there's still a very long way to go
targeting hundreds of thousands of
institutions around the world, including
PRODUCT REVIEWS
advocacy groups, journalists, elected
• Cybereason Mobile 19
officials, lawyers, hedge funds and
• Hornetsecurity 365 Total Protection 29
companies. Can they be stopped?
computing security Nov-Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk
4

Pragmatic and experienced
risk management professionals
Xcina Consulting provides high quality business and technology risk assurance and
advisory services, which only comes from years of experience in our clients’ shoes.
We help to ensure an organisation’s key risks are appropriately managed; its processes
and controls are robust and fit for purpose; it remains compliant with legislation
and regulation and wherever feasible it leverages industry standards as part of
good practice.
Accredited by the Payment Card Industry’s Security Standards Council as a Qualified
Security Assessor (QSA) company and a British Standards Institution (BSI) platinum
member for the provision of services related to ISO27001 (Information Security) and
ISO22301 (Business Continuity).
All our consultants have 10+ years minimum experience and have held senior level
positions.
Our services can be customised to your needs.
• Business Continuity and Crisis Management
• Data Protection
• Financial Processes & Procedures
• Information Security / Cyber Security
• IT & OT Security
• Payment Card Industry
• Project & Change
• Risk Management
• Control Assurance (ISAE3402 / SSAE18)
• Due Diligence
• Governance
• Internal Audit
• Operational Processes & Procedures
• Process Management
• Regulatory Compliance (finance services)
• Third Party Management
020 3985 8467
www.xcinaconsulting.com
info@xcinaconsulting.com

editor's focus
UNDER SIEGE
NATION-STATE LED CYBER-ATTACKS ARE BEING UNLEASHED ON GOVERNMENTS AT
AN EVER-GROWING RATE. VIGILANCE IS THE KEY TO HINDERING THEIR IMPACT
It was of great concern to see Australia's
government and institutions being
subjected this year to concerted attacks by
sophisticated, state-based cyber hacks. This is
something that has also plagued the UK for
some time now and is an indication of how
hacking is increasingly used to infiltrate
'enemy states', with a view to disrupting how
they function.
Australia Prime Minister Scott Morrison
has revealed that the cyber-attacks were
widespread, covering "all levels of
government", as well as essential services and
businesses. He has been reluctant to identify
any specific state actor and claims no major
personal data breaches had been made,
although others have been quicker to point
the finger, with China alleged to be the most
likely culprit in the eyes of many observers.
Morrison has said that the attacks spanned
"government, industry, political organisations,
education, health, essential service providers
and operators of other critical infrastructure".
The attacks happened over many months
and are not going away, the government
concedes. It is hoping that raising public
awareness by admitting to these breaches will
help businesses to improve their defences.
But the government has also stressed how
this "malicious" activity is being seen right
across the globe, making it far from a unique
problem to Australia. Previously, defence
manufacturers, government contractors
and accounting firms have been among
those to report data breaches.
300-PLUS ATTACKS
In light of the Australian Government
becoming a victim of a nation-state led cyberattack
affecting all levels of government,
Toni Vitale, head of data protection at JMW
Solicitors LLP, had this to say: "No country is
immune to such attacks and, in the UK,
the National Cyber Security Centre
announced at the end of 2019 that it has
defended British organisations against more
than 300 state-backed cyber-attacks.... As in
Australia, the UK central government was the
main focus of the attacks, but other sectors,
such as academia, IT, managed service
providers and transport and health, were
also attacked. The NCSC actively takes down
fraudulent websites, which are used
by nation states to gather intelligence and
finance their craft."
Training staff to be vigilant to cyber-attacks
is key, states Vitale. They should be taught to:
Avoid clicking on links, opening
attachments or emails from people you
don't know or companies you don't do
business with
Be vigilant when opening links or
attachments from people you do know
particularly if they are unexpected
Be aware of email spoofing, where an
email arrives from someone you believe
you know, but has unexpected links or
attachments, as these are the most
common methods used by cyberattackers
to gain entry into systems.
06
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

editor's focus
"Well trained staff become your strongest
defence against cyber-attacks, rather than
your weakest link," he adds.
SAFETY FALLS ON EVERYONE
According to Nick Savvides, director of
Strategic Business at Forcepoint, the attacks
that targeted Australia serve as a timely
reminder that cyber security is a serious
issue and affects every aspect of life.
Everybody has a role to play in keeping us
safe from cyber-security threats, he points
out. "Sophisticated threat actors, statebased
threat actors, have significant
capabilities, and do not rest in their efforts
to gain footholds into our systems,
applications and data. It is important that
governments, businesses and individuals
remain vigilant and continue to improve
their cyber-security practices. We have
entered a new era of business and
government, where cyber-attacks pose
an existential threat to business and can
cripple the machinery of government."
The public revelation of the attacks
also acts as a signal to the threat actors
responsible that the government and some
in the private sector are aware of the
attacks, Savvides comments. "Interestingly,
two specific controls, patching internetfacing
systems [protecting the edge
of networks], enforcing multifactor
authentication for users [protecting the
users], were specifically called out by
the defence minister. This indicates that
attackers likely operated sophisticated
targeted phishing campaigns to capture
usernames and passwords from victims
and were possibly in possession of 0-day
vulnerabilities against systems or used
older vulnerabilities on systems that are
difficult to patch."
While Australia has significant capabilities
in cyber-security and an active cyber-security
community, unfortunately not all
organisations are at the same level, with
many organisations simply not having right
capabilities, he says. "We are also struggling
with a skills shortage, with unfilled cybersecurity
roles in every sector; that means
many of the skills end up in the top end of
town and large departments, leaving small
and medium business, and government
agencies exposed."
GEO-POLITICAL TENSIONS
Meanwhile, Tim Wellsmore, Mandiant
Government Solutions, Asia Pacific, points
to the "considerable geo-political tension
occurring at the moment involving Australia
and, from our experience, we know that
state-sponsored cyber threat activity directly
replicates geo-political tensions, so it would
be plausible to assume this reported activity
and announcement is connected".
FireEye is, he adds, aware of the reported
incidents and the type of exploitation of
systems that are occurring, and have seen
only a few related impacts to its customer
base. "However, we are seeing an increasing
focus by both state-sponsored and criminal
cyber threat actors on exploiting Common
Vulnerabilities and Exposures (CVEs) soon
after they are announced publicly when
victims' systems are not patched quickly
enough, and we deal with state-sponsored
threats against our customers on a daily
basis."
The information provided in the Australian
Government ACSC advisory on this issue is
very detailed, he notes, "and provides good
guidance and serves as a timely reminder
to ensure organisations maintain vigilance
in the cyber security programs including
the use of patching and multi-factor
authentication in their networks".
As Wellsmore confirms, such threats will
continue, with an inevitable increase in
cyber threat activity as our world becomes
more and more technologically dependent,
and therefore both attractive to outside
infiltrators and increasingly vulnerable to
their growing arsenal of weaponry.
Nick Savvides, Forcepoint: everybody has
a role to play in keeping us safe from
cyber-security threats.
Toni Vitale, JMW Solicitors: training staff
to be vigilant to cyber-attacks is key.
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security
07

health monitoring
SHATTERED TRUST
A USER OF A POPULAR HEALTH APP WAS INADVERTENTLY ABLE TO ACCESS DOZENS OF VIDEO
RECORDINGS OF OTHER PATIENTS' CONSULTATIONS, WHICH HAS BEEN BLAMED ON A 'SOFTWARE ERROR'
The Babylon Health data breach, which
allowed users of the GP remote
consultation service to access videos
of other patients' appointments with their
doctor, will be remembered for a long time.
With Covid-19 driving a more remote way of
patients engaging with medics, news of the
breach sent a chill down many a spine.
The issue first came to light on 9 June when
a user announced on Twitter that he had been
able to view about 50 videos of other patients'
appointments. A follow-up check by the firm
revealed that other UK users could also see
others' sessions.
The company’s own investigations had
shown that "three patients, who had booked
and had appointments, were incorrectly
presented with…recordings of other patients'
consultations through a subsection of the
user's profile within the app, but had not
viewed them". Babylon Health also confirmed
that it had resolved what was a 'software
error', rather than a malicious attack, and
had notified regulators.
Babylon allows its members to speak to
a doctor, therapist or other health specialist
via a smartphone video call and, when
applicable, sends an electronic prescription
to a nearby pharmacy. It has more than two
million registered users in the UK.
Aman Johal, director and lawyer of
YourLawyers, says that since the coronavirus
outbreak, there has been a huge increase in
demand for digital healthcare services. "In
2019, just 1% of NHS appointments took
place over video conference. In March this
year, requests for video consultations on the
healthcare app myGP skyrocketed by 1,451%.
With more patients than ever registering
with digital healthcare providers, it's extremely
alarming to hear that a user of the Babylon
Health app was able to access dozens of
confidential video recordings of other
patients' consultations.
More than 2.3 million registered users across
the UK have trusted Babylon with their
confidential health data. The exposure of
private video consultations to third-party users
is not only a failure of doctor-patient
confidentiality, but also a serious breach of the
GDPR. This revelation may shatter consumer
trust in digital healthcare," Johal warns.
Cybersecurity firm Carbon Black estimates
that personal health information is three
times more valuable to hackers than other
identifying information, adds Johal. "This
makes services like Babylon Health lucrative
targets for hackers and are commonly
attacked: a report released by Clearswift
earlier this year revealed that in 2019 almost
two-thirds of healthcare services suffered a
cyber-security incident. Despite the potential
penalties imposed by the ICO in the post-
GDPR era, lessons have clearly not been
learned."
Athough Babylon blamed the breach on a
software error, rather than a malicious attack,
Johal still points to serious shortcomings.
"Software glitches differ from the targeted
cyberattacks we are used to seeing in the
media, but the fact this error originated from
8
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

health monitoring
within the company itself does not make it
any less harmful. All organisations must
ensure they employ systems and procedures
to identify and prevent potential vulnerabilities
being exposed, including staff training."
LITMUS TEST
"These past few months have been
unprecedented in lots of ways, with many
new working practices thrust upon businesses
that were generally unprepared to such
sudden changes," says Steve Jackson, sales
director at Clinical DPO, one of the largest
outsource data protection officer suppliers in
the healthcare sector. "With a very challenging
economic environment ahead of us, many
are saying this is the litmus test for data
protection."
Will it be viewed as too difficult and too
restrictive in the fluid new normal business
environment, does he think? "Not necessarily.
With many businesses now capturing clinical
data about their staff and their customers, in
order to protect both from COVID-19, CDPO
has received many calls from clients now
seeing the importance of data usage in a firsthand
way and, with that, a new appreciation
to the risk to data posed by many of these
new working practices."
GDPR COMPLEXITIES
So, why has it taken such a dramatic event to
have organisations reassess their own attitude
to data and to their own risk regarding
potential brand and financial exposure?
"The answer lies in a cursory review of the
two years plus since the introduction of
GDPR," states Jackson. "This new legislation
brought a wave of products encouraging
businesses to buy a flat-packed tick-box data
protection compliance solution and today we
are still told by organisations that they have
'completed their GDPR', not appreciating that
GDPR is not a one-time project, but, much
like financial accounting requirements or
HR, data protection must be integrated into
the organisation, so it becomes part of the
company DNA and embedded into 'business
as usual'."
How exactly can this be achieved? "GDPR
introduced a mandated approach to the
appointment of a DPO for organisations
processing large-scale health data," according
to Jackson. "A glance at the ICO's public
register, however, indicates that many
organisations both large and small are still
to appoint a DPO. The single greatest reason
that we see for this lack of appetite for
change is a lack of time that business allocates
to effect this change."
Many data protection issues are not simply
data problems, he adds - they often arise
from an organisation's governance and
culture, as well as operational decisionmaking,
"whether it be understanding the
need, implementing the correct resource
or service, or, as we have seen on many
occasions as an outsourced DPO service,
taking the time to implement the processes
and support being provided by the DPO".
There are no silver bullet solutions, Jackson
concludes. "However, embedding data
protection by design is better in the long
run, but a business must engage to effect
this change. Until this is accepted and
understood, data protection will only
remain on the periphery of a business."
INADEQUATE TESTING?
The root cause of the Babylon Health breach
has never been fully disclosed, but may be
attributed to inadequate testing of the new
feature before moving it into a production
environment, suggests Rob Treacey, MD; cohead
of Xcina Consulting and Shearwater
Group DPO. "Although it seems that Babylon
Health has tried to downplay the significance
of the exposure and remediated it in a timely
manner, such breaches can have an adverse
impact on an organisation."
It remains to be seen whether Babylon
Health will experience any longer-lasting
reputational damage or if it will be able to
fully recover from such a breach, he adds.
"However, one thing is for certain: users will
be more cautious about using the App in
future or may simply refuse to use it
altogether, especially if they have an
alternative."
CONFIDENCE AND TRUST
As Treacey points out, end users need to
have absolute confidence and complete trust
in an organisation's ability to safeguard their
personal data, especially where that involves
sensitive personal data.
"As a risk management consultancy that
performs regular reviews and audits of our
clients, we see such process and control
weaknesses within the software development
lifecycle as not uncommon." These are
normally the result of:
Failure to adequately test and sign off
software updates or upgrades before
release into a production environment
Lack of oversight by organisations that
outsource their software development
to third parties
Lack of awareness by developers and
testers around the latest software security
risks and vulnerabilities, such as injection,
security misconfigurations, sensitive data
exposure and authentication
ssoftware design or architecture that is
inadequate
Cutting corners, due to the pressure to
release software updates or upgrades
against tight deadlines.
"Any organisation that experiences a data
breach, due to a software weakness or any
related software processes and controls,"
he says, "is merely putting itself in the shop
window for a future cyber-attack, not
to mention any subsequent fine from a
supervisory authority. Some organisations
may be able to minimise their reputation
damage or loss of users, but others may be
less fortunate".
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security
9

health monitoring
Kelvin Murray, Webroot: the healthcare
industry is at particular risk of cyber-attacks
and data breaches
Steve Jackson, Clinical DPO: there's an
appreciation of the risk to data posed by
many of the new working practices.
KEY QUESTIONS
"Anyone who develops an app that handles
sensitive customer data should ask themselves
two important questions - is it secure and is it
really necessary?" advises Kelvin Murray, senior
threat researcher at Webroot. "We're seeing
that breaches such as these are all too
common and anyone looking to save time
and money by moving to a digital system
should take risks such as these into
consideration.
"Companies that hold private information
should also ensure they have clearly defined
security policies and procedures to avoid the
leak of information. This starts with employee
education, which underscores all effective
cybersecurity and data protection strategies
and comprehensive best practice guides are
critical to protecting information, especially
when holding sensitive data on customers.
"This is especially important in the healthcare
industry, which is at particular risk of cyberattacks
and data breaches, as information
such as health records is very valuable to
criminals. It will always command high
prices on the dark web, as it can be used
for criminal activities such as fraud, extortion
and in the drug trade."
NO ACTION
And the outcome of the breach at Babylon
Health? It will face "no further action", the
ICO) has since confirmed.
"When a data incident occurs, we would
expect an organisation to consider whether it
is appropriate to contact the people affected,
and to consider whether there are steps
that can be taken to protect them from any
potential adverse effects,” a spokesperson
said. “Babylon Health reported an incident to
us. After looking at the details, we provided
Babylon with detailed advice and concluded
no further action was necessary."
The ICO had the power to fine Babylon
Health up to 4% of its worldwide annual
turnover, while the affected patients might
yet be entitled to claim compensation.
RACE TO TRACE
Concerns that digital tracing systems for
COVID-19 could become 'back doors' to
mass surveillance have already mounted,
with academics from 26 countries issuing
a warning that contact-tracing apps could
hamper trust. Confirming you have been
infected with coronavirus requires personal
data to be submitted, recorded, exchanged
and stored, with some apps, like the UK
government's NHSX, indicating that it may be
stored and used for future research purposes.
But with backing as part of the European
Open Science Cloud (EOSC) - a far-reaching
initiative that is changing the way in which
European research is conducted, with
researchers quickly developing instant
diagnoses for major diseases and tackling
climate change - a small research team has
been able to respond rapidly to the pandemic
and develop a contact-tracing app in the
space of a few months.
TIPPING THE BALANCE
This app - called Tracing Ireland's Population
(TIP) - gives users ownership of their data,
places them in full control of any track and
tracing (rather than an automated program
collecting and storing your information to be
used at a later date), and hosts all information
in encrypted form.
"Alexa will invade your privacy more than
our app does," claims co-creator Dr Paul
Byrnes. "Like many contact-tracing systems
hoping to end blanket lockdowns by
providing an accurate, targeted picture of
infections, our new facility looks set to enable
smaller, localised restrictions.
"The success of any contact-tracing app
depends on whether people will engage with
it and, if they don't trust it, they won't use it,"
comments Byrnes. "It's that simple. Once the
pandemic is over, all data will be erased."
10
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

smishing
SMISH, SMASH, BASH!
A RELATIVELY NEW SPIN ON PHISHING HAS ENTERED THE LEXICON, IN THE FORM OF 'SMISHING'.
BUT WHAT IS THAT EXACTLY AND HOW DANGEROUS MIGHT IT BE TO THE UNSUSPECTING?
Phishing scams have become an all
too familiar weapon used against
businesses and individuals, and are
a type of fraud that can come in many
different forms. These scams not only
employ various online techniques, such
as fake emails and pop-up ads, but can
also include phone calls. Often, the
people behind these scams use fear
tactics, in order to get their victims to take
the bait. As Norton points out: "Phishing
is essentially an online con game, and
phishers are nothing more than tech-savvy
con artists and identity thieves. They use
spam, malicious websites, email messages
and instant messages to trick people
into divulging sensitive information."
Banking information, along with credit
card accounts, usernames and passwords,
are just some of the information phishers
seek to exploit.
And now we have 'smishing' to contend
with. For those who are yet to encounter
this form of attack, here are some of its
hallmarks. "Put simply, smishing is any
kind of phishing that involves a text
message. Often times, this form of
phishing involves a text message in an
SMS or a phone number," states Norton.
Smishing is particularly scary, it adds,
because quite often people tend to be
more inclined to trust a text message than
an email. Most people are aware of the
security risks involved with clicking on
links in emails. This is less true when it
comes to text messages.
Smishing uses elements of social
engineering to get people to share their
personal information. "This tactic
leverages your trust, in order to obtain
your information. The information a
smisher is looking for can be anything
from an online password, to your Social
Security Number, to your credit card
information. Once the smisher has that,
they can often start applying for new
credit in your name. That's where you're
really going to start running into
problems."
Another option used by smisher is to say
that, if you don't click a link and enter
your personal information, that you're
going to be charged per day for use of
a service. "If you haven't signed up for the
12
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

smishing
service, ignore the message," advises
Norton. "If you see any unauthorised
charges on your credit card or debit card
statement, take it up with your bank.
They'll be on your side."
HOW TO KNOW IF YOU'RE
BEING SMISHED
In general, don't reply to text messages
from people you don't know. That's the
best way to remain safe. "This is especially
true when the SMS comes from a phone
number that doesn't look like a phone
number, such as a '5000' phone number.
This is a sign that the text message is
actually just an email sent to a phone.
You should also exercise basic precautions
when using your phone. Don't click on
links you get on your phone, unless you
know the person they're coming from.
Even if you get a text message with a link
from a friend, consider verifying they
meant to send the link before clicking
on it. A full-service Internet security suite
isn't just for laptops and desktops. It also
makes sense for your mobile phone.
A VPN such as Norton Secure VPN is
also one advisable option for your mobile
devices. This will secure and encrypt any
communication taking place between
your mobile and the Internet on the
other end. "Never install apps from text
messages. Any apps you install on your
device should come straight from the
official app store. These programs have
vigorous testing procedures to go through
before they're allowed in the marketplace.
Err on the side of caution. If you have any
doubt about the safety of a text message,
don't even open it."
Almost all of the text messages that you
get are going to be totally fine. However,
it only takes single rogue message to
compromise your security. With just a
little bit of common sense and caution,
you can make sure that you don't become
a victim of identity theft.
WHAT SMISHERMEN USE AS BAIT
As Kapsersky Labs points out, texting is
the most common use of smartphones -
and so a rich source of pickings for
smishers. Experian found that adult
mobile users aged 18 to 24 send more
than 2,022 texts per month-on average,
that's 67 per day-and receive 1,831.
"A couple of other factors make this a
particularly insidious security threat,"
warns Kaspersky. "Most people know
something of the risks of email fraud.
You've probably learned to be suspicious
of emails that say 'Hi-check out this cool
link' and don't contain an actual personal
message from the supposed sender.
"When people are on their phones, they
are less wary. Many assume that their
smartphones are more secure than
computers. But smartphone security has
limitations and cannot directly protect
against smishing. As noted by WillisWire,
cybercrime aimed at mobile devices is
rocketing, just as mobile device usage is.
However, while Android devices remain
the prime target for malware-simply
because so many of them are out there;
and the platform offers greater flexibility
for customers (and cybercriminals!)-
smishing, like SMS itself, works crossplatform.
This puts iPhone and iPad users
at particular risk, because they often feel
they are immune to attack."
Although Apple's iOS mobile technology
has a good reputation for security, no
mobile operating system can by itself
protect you from phishing-style attacks,
argues Kaspersky. "Another risk factor is
that you use your smartphone on the go,
often when you're distracted or in a hurry.
This means that you're more likely to get
caught with your guard down and thus
respond without thinking, should you
receive a message asking for bank
information or to redeem a coupon."
The good news is that the potential
ramifications of these attacks are easy to
protect against. In fact, you can keep
yourself safe by doing nothing at all.
"The attack can only do damage if you
take the bait."
No financial institution or merchant
will send you a text message asking you
to update your account information or
confirm your ATM card code, reiterates
Kaspersky. "If you get a message that
seems to be from your bank or a
merchant you do business with, and it
asks you to click on something in the
message, it's a fraud. Call your bank or
merchant directly, if you are in any doubt.
Remember that, like email phishing,
smishing is a crime of trickery - it depends
on fooling the victim into cooperating by
clicking a link or providing information.
Indeed, the simplest protection against
these attacks is to do nothing at all."
As technology has developed and
evolved, the ways in which scammers try
to target people has developed with it,
comments the Financial Ombudsman
Service (FOS). "From fake websites to
text messages that appear to be from
a legitimate source, scammers will
try a variety of ways to get personal
information from you, in order to take
money from your accounts, use the details
you share to pretend to be you, or to sell
on. As well as use of technology, we also
see scammers trying to manipulate or
exploit situations to build trust or create
panic, to try to get people to divulge
information over the phone, and
sometimes even face to face.
MULTIPLE TARGETS
The FOS sees a wide variety of
circumstances in the complaints that
are referred to it and not just related to
banking - "we know that fraudsters also
look to target pensions, investments and
insurances, too". The industry regulator,
the FCA, has information on its website
about avoiding investment and pension
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security
13

smishing
scams, while the Association of British
Insurers offers tips on how to avoid
insurance-related scams.
"It's particularly important to be vigilant
at the moment, as a major event like
the Covid-19 (coronavirus) outbreak can
lead to new types of scams emerging,"
cautions the FOS .It cites how Action
Fraud, the UK reporting centre for fraud
and cyber-crime, has recently reported
an increase in Covid-19 related fraud and
scams, especially with so many people
are remotely and from home - and hence
more exposed and vulnerable.
For those whose minds are buckling
from the overload of scamming terms in
circulation, Webroot has tried to simplify
the process. "If you're at all concerned
with the latest techniques cybercriminals
are using to defraud their victims, your
vocabulary may be running over with
terms for the newest tactics," it says.
"Here's a brief refresher to help keep
them straight."
MANY WEAK POINTS
Smishing, as described above, uses text
messages to extract the sought-after
information
Vishing is when a fraudulent actor
calls a victim pretending to be from
a reputable organisation and tries to
extract personal information, such as
banking or credit card information
Phishing is any type of social
engineering attack aimed at getting a
victim to voluntarily turn over valuable
information by pretending to be
a legitimate source. Both smishing and
vishing are variations of this tactic.
Webroot has singled out the following
smishing techniques to watch out for:
Sending a link that then triggers the
downloading of a malicious app. Clicks
can trigger automatic downloads on
smartphones, the same way they can on
desktop internet browsers. In smishing
campaigns, these apps are often
designed to track your keystrokes, steal
your identity, cede control of your phone
to hackers or encrypt the files on your
phone and hold them for ransom
Linking to information-capturing forms.
In the same way many email phishing
campaigns aim to direct their victims to
online forms, where their information
can be stolen, this technique uses text
messages to do the same. Once a user
has clicked on the link and been
redirected, any information entered into
the form can be read and misused by
scammers
Targeting users with personal
information. In a variation of spear
phishing, committed smishers may
research a user's social media activity, in
order to entice their target with highly
personalised bait text messages. The end
goal is the same as any phishing attack,
but it's important to know that these
scammers do sometimes come armed
with your personal information to give
their ruse a real feel.
Referrals to tech support. Again, this is a
variation on the classic tech support scam
or it could be thought of as the 'vish via
smish'. An SMS message will instruct the
recipient to contact a customer support
line via a number that's provided. Once
on the line, the scammer will try to pry
information from the caller by pretending
to be a legitimate customer service
representative.
The ultimate message is to treat more
or less everything as suspect, until it's
proved it isn't. That way, your chances
of staying 'unsmished, unvished and
unphished' will be significantly increased.
14
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

masterclass
OPEN-AND-SHUT CASE
BEING OPEN TO ETHICAL DISCLOSURE IS VITAL, STATES PAUL RITCHIE,
MANAGING SECURITY CONSULTANT, PENTEST LIMITED
As a young and idealistic ethical
hacker, I wanted to help fix the
online world, to make it a better
and more secure place for everyone.
Ethical disclosure was one of the ways
I thought I could make a difference.
After all, having folks willing to
investigate your security for free, and
then tell you about the issues, seemed
like it would be highly beneficial and
warmly welcomed. It wasn't.
Ethical disclose circa 2005-2010 was
an absolute horror show. First, it was
difficult to find someone to talk to
within an organisation. When you
did find someone, you would have to
clarify what the problem was, explain
that you were not attacking them (very
important), that this was a friendly
'head's up' and that you wouldn't be
sharing the secrets with anyone. I do
not miss the sweaty palms while waiting
to see if it was going to be "thanks for
info!" or "here's another lawyer's letter.
Cease & Desist!" It was usually the latter.
At the time, I was baffled by how
communications like this could result
in such action. It seemed hard to justify
when the bad guys were targeting you
and not telling you anything, whilst the
good guys, the ones pointing out your
vulnerabilities, were getting legal
threats.
As I've matured, I can see the layers
of pressure which could generate such
a response, but things are getting better.
Bug bounty programs have helped
a great deal and it's fantastic to see
organisations make better use of the
information security community, but
they aren't for everyone.
Even if bug bounties aren't for you,
there is still an opportunity that you
can benefit from ethical disclosure and
I have seen it done extremely well by
several organisations over the years.
So, what can you learn from these
companies, if you wish to reap the
benefits of ethical disclosure?
First, identify a point of contact
who will be responsible for inbound
disclosures and give them the
information they need to effectively
triage reports. This could include
a risk register (even if it is just on a
spreadsheet) and an up-to-date list of
assets, showing who is responsible for
each asset and how to contact them.
You may even want to estimate the
value of the assets to your business,
thereby allowing the person responsible
for triaging to prioritise their efforts.
Secondly, make disclosure contact
details visible and create a PGP key to
ensure reports can be sent securely.
This will give researchers the confidence
that reports will be taken seriously and
provide them with a direct route by
which to disclose their findings.
Thirdly, don't make legal threats your
default position. Draw up a disclosure
policy and have this on your website.
This will help outline what reporters
Paul Ritchie, Managing Security
Consultant, Pentest Limited.
can expect from you. This can also set
out the ground rules for disclosure,
especially what you can/cannot be
looking in to. If a report is in breach
of this policy, then, yes, legal 'cease
and desist' letters can be used.
Finally, acknowledge reporters where
you can. This doesn't have to be a
monetary reward; it can be as simple
as acknowledging the reporter on your
website.
These steps often require minimal
effort, but they can be extremely
beneficial and it's a great starting point
for improving your cyber maturity.
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security
15

industry insights
THE NEW ORDER
IS NOW THE PERFECT TIME TO GET YOUR (I.T.) HOUSE IN ORDER?
PAUL HARRIS, MANAGING DIRECTOR, PENTEST, OFFERS HIS THOUGHTS
There's a lightbulb in the bathroom
at home that's been burnt out for
about eight months. It's always been
on the list of things to fix, but I've either
forgotten about it when at the shops or
had more pressing things to do; after all,
it wasn't really a big deal, especially when
there are plenty of other bulbs working in
the bathroom.
I say 'wasn't' a big deal, as things
changed. Lockdown happened.
Spending all your time at home makes
you more aware of the small, and not so
small, jobs that need to be done around
the house. Previously insignificant home
improvement jobs start to play on your
mind. The clock on the oven is out by
three minutes, the living room door isn't
quite sitting correctly, there's a small
crack in one of the bathroom tiles, one
of the kitchen chairs has been wobbly for
years. Things you could easily dismiss and
ignore before suddenly start to play on
your mind, growing until they become
critical issues. It's no surprise that people
were queuing outside Ikea for over two
hours on the first day after lockdown was
eased. (To clarify, I wasn't one of them!)
I usually go to great lengths to avoid
doing the home improvement jobs,
hence why the lightbulb has been out for
so long, but during lockdown they have
often given me a welcome distraction
from what's going on in the outside
world. I've even got around to tackling
the big jobs, the ones I really hate, like
cleaning out the garage.
Paul Harris, managing director, Pentest.
It's amazing the stuff you find when you
do that: old games consoles you've not
16
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

industry insights
seen in years, records that you never
knew you had, a million and one Allen
keys, an assortment of sports equipment,
the traditional tin of Quality Street from
the 80s, now containing screws and wall
plugs, cables, and lots and lots of
electronic wires and cables. Whilst some
of this stuff is useful, most of it will either
end up at the charity shop or the tip, but
at the end of it all there's a great sense
of satisfaction that you know where
everything is and that everything is in
order (for now at least).
Organisations aren't so different and
it's easy to collect a host of information
technology 'stuff'. It's even easier to lose
track of this technology as time goes on -
especially as the company grows and
people move on, vital knowledge can
easily get lost along the way.
But when it comes to organisations,
the consequences of not knowing what
you have or how it may be connected
to the outside world can be dangerous,
providing malicious threats with a
potential way into your networks.
KNOWING WHAT YOU HAVE
One of the fundamental IT security
challenges within organisations,
especially larger ones, is the shadow IT
'visibility gap' between assumed or known
infrastructure and what actually exists.
Understanding this is a first vital step in
developing a robust security posture for
an organisation. After all, if you don't
know a legitimate device or application
exists on your network, how can you
properly defend it? Similarly, if you are
missing legitimate devices, you may also
be missing unauthorised devices. Could
any of these anonymous devices provide
backdoors into the network, and perhaps
leave your infrastructure exposed and
vulnerable?
"But I know exactly what I have on my
network," I hear you say. Well, you'd be
surprised. There have been plenty of
cases where we have heard this, only
to discover an unknown device or
application on a network during an estate
discovery investigation, whether it be
a legacy server situated at a remote site, a
website that has been put online as a test
by an internal department, an IoT device
plugged into your network by a member
of staff, IT infrastructure inherited as part
of an acquisition or an application that
was meant to be internal, but is available
to the internet. It can be hard to have
a full oversight on what's truly sitting on
your network.
ASSESS THE RISK, PROTECT OR GET RID
Like the stuff from my garage, once you
know what you have, you need to decide
whether it's still needed. If it is useful to
the organisation, then you'll need to take
the necessary steps to conduct an analysis
of the security and data compliance risks,
and to put in place effective measures
that bring it in line with corporate
policies. If it's not useful, then it's best
to remove it from the network and from
external view. But how do you go about
securing a previously unknown device or
application that you wish to keep on the
network? Well, it will all depend on what
you've found and the nature of the data
it stores or processes, but there is one
standard thing you should be checking as
a matter of course. One of the easiest
things you can do to improve security of
a previously unknown device or
application on your network is to make
sure you have up-to-date versions of
software where possible. If a device or
application is running on an old version
of software, then it is highly likely there
will be security flaws present. Attackers
are all too aware of the security
vulnerabilities within unpatched software,
meaning these could be potentially used
to gain entry to a network and to
ultimately exploit your organisation.
STARTING WITH A CLEAN HOUSE
There is no doubting that the coronavirus
situation has been terrible. As businesses
and as a society, we are likely to face
more turbulence as we ease back towards
normality, however that normal may look.
But before the stresses, strains and
busyness of this new 'normal' take over,
I would argue that now is the perfect
opportunity to step back, to take a look
at some of the jobs we've always put off
and to prepare our organisations for
better times ahead.
Gaining a full understanding of your IT
estate should be considered one of these
vital jobs and, as a company, we've seen
first-hand that it's a job that many
organisations have put off over the years.
Yes, you want to be doing something
more exciting, but it's not as painful as
you may think; we do all the leg work for
our clients. And, unless you know what
you have and what the risks are, you
won't be able to gain the peace of mind
that your network is as secure as possible.
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security
17

mergers & acquisitions
HITTING THE SWEET SPOT
DIGITAL TRANSFORMATION IN THE CYBER-SECURITY SECTOR IS FORECAST TO BE THE BIG DRIVER
FOR MERGERS & ACQUISITIONS (M&A) AND INVESTMENT FOR THE REST OF 2020
Ben Kolada has been apppointed ICON's
head of US Tech Investment Banking.
Technology-focused investment bank ICON
Corporate Finance believes that digital
transformation across all industry sectors
has accelerated to become the most pressing
priority for organisations in the aftermath of
Covid-19. ICON predicts this will drive future
growth and appetite for acquisition of tech
companies worldwide, particularly in the
cyber-security sector.
Its assessment is underpinned by a recent
ICON survey of some of the most active UK
M&A buyers. This showed that there has been
no drop in appetite for acquisition in the tech
sector in 2020, which remains high, with key
areas for expansion expected to be in cyber
security, fintech, Cloud, managed services,
healthtech, AI (artificial intelligence) and
enterprise software.
As organisations adapt to new ways of
working, companies in the US tech market will
continue to be amongst the most acquisitive,
as they continue to seek out deep tech and
disruptive young companies that are reshaping
the world. To capitalise on future growth in the
sector and US market appetite, ICON has
extended its footprint into the region with the
opening of an office in San Francisco. It aims to
bring clients in Europe, Africa and Asia direct
access to the epicentre of the world's tech
community, where appetite for investment and
acquisition in disruptive technology persists. For
US clients, it will present new possibilities in
both domestic and international markets.
With the West Coast central to its future
expansion plans, ICON, which led US-based
IQVIA's acquisition of UK-based Optimum
Contact and JP Morgan's funding of UK-based
Mosaic Smart Data, has appointed former
industry analyst at 451 Research and DataTech
expert Ben Kolada as head of US Tech
Investment Banking. He has more than a
decade of experience in the sector and a deep
knowledge of the West Coast and US markets.
According to Pitchbook Data's Emerging
FinTech research*, increasing cybersecurity
threats are forcing organisations to turn to
technology to mitigate against business
interruption, protecting both systems and
remote workers. This is particularly acute for
financial institutions, where new areas of risk
and regulation have been introduced to
address expanding cyberthreats and data
security concerns.
CEO and founder of ICON, Alan Bristow,
adds: "As the world discovers the new
normal, it is the tech sector that will drive
societal changes and enable new ways of
working. The US West Coast's innovative
approach and its dominance in deals
origination is the core driver for our new
presence in San Francisco. We are excited
to be bringing US markets to Europe's
doorstep and vice versa."
* Pitchbook Data Inc Emerging FinTech
Research Q1 2020
18
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

product review
CYBEREASON MOBILE
The coronavirus pandemic and its
continuing impact have changed the
threat landscape for ever and only
the most agile organisations will survive.
The huge changes in working practices and
unprecedented surge in cyberattacks have
presented enterprises with tough data
security challenges, making endpoint
protection a critical priority.
Clearly, the focus needs to be on mobiles,
as the balance is shifting sharply away
from traditional devices. It's no surprise
that mobiles are being targeted by a large
percentage of malware, as they present
a lucrative target that can easily provide
a back door into the corporate network.
Cybereason is a specialist in endpoint
protection and it offers an enterprise-class
threat prevention, detection and response
solution, with real-time awareness. It has a
sharp focus on keeping remote workforces
safe and its latest Mobile component delivers
these services to Android and iOS devices.
The Defense Platform applies a layered
approach to endpoint security with
signature-based and AI next-generation
antimalware, application controls and
dynamic behavioural analysis to block
ransomware attacks. It goes beyond
most competing products, as it correlates
seemingly isolated incidents to present
a clear picture of an attack.
Cybereason can analyse up to 8 million
events per second and yet has a remarkably
light touch on the network. It uses small
footprint endpoint sensors, which enforce
local antimalware, collect information and
pass it on to detection servers for analysis
and correlation.
The Mobile component is managed in the
cloud for customers making deployment
a swift process. The Cybereason mobile
app is customised to the organisation's
requirements and can be pushed out using
a wide variety of deployment methods.
Once installed, the app enforces
predefined security policies, so protection
starts immediately. Mobile users enjoy
the same multi-layered prevention as
workstation users, but with additional
security measures, such as SMS phishing
attack negation and app behaviour
analysis.
The Cybereason autonomous protection
app is tamper-proof and constantly
monitors mobile devices in real-time for
suspicious behaviour. When a user installs a
new app, its activities and communications
will be blocked until it is certified as safe
and it will not permit known malicious
apps to be installed.
The app blocks attempts to exploit OS
vulnerabilities and monitors all network
activity, looking for suspicious north-south
connections. It requires no training to use
and interaction with end users is kept to
a minimum, as the app doesn't interfere
with user privacy or their experience,
while its lightweight design ensures it
won't compromise device performance
or battery longevity.
The only time they'll see it is when
malicious activity has been detected. The
app pops up with a yellow screen, if risky
activity has been identified or a red one,
if it considers the device to be at risk and
requiring immediate remedial action,
performed by Cybereason.
The app provides detailed notifications
about security events, such as attempts
to access phishing sites or those known
to harbour malicious content. These
are considered secured events, so the
notifications are informational; but those
such as OS vulnerabilities that need an
update to rectify will be listed as requiring
action.
There's much more going on in the
background, as mobile alerts are sent to
the Defense Platform detection servers for
event correlation. Cybereason provides MDR
(managed detection and response) services
for mobiles where its analyst teams review
events, advise the customer of all security
issues and provide remediation services.
The pandemic has created a whole new
world since it struck, forcing organisations
to rapidly reassess their security posture.
Mobile security is now an essential
ingredient for survival, and Cybereason
delivers a sophisticated threat protection
solution that fills the gaps that legacy
endpoint protection solutions leave behind.
Product: Cybereason Mobile
Supplier: Cybereason
Telephone: 0203 036 0974
Web site: www.cybereason.com
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security
19

Data privacy
BEYOND THE EU-US PRIVACY SHIELD:
WHAT'S NEXT FOR EUROPEAN ENTERPRISES?
A NEW RULING HAS SHAKEN UP HOW THE EU AND U.S. REGARD DATA PROTECTION AND DATA PRIVACY
comes to processing and using data, namely:
For more effective monitoring and control
of an entire population
For the pursuit of one's own geopolitical
interests
For the benefit of specific economic
interests
With focus on data protection and the
rights of individuals.
Cloud computing and the networking of a
wide variety of systems mean many European
companies send data streams to the United
States, where the international market leaders,
the so-called 'big players', are based. The ECJ's
ruling means there are many enterprises that
are compelled to act now.
The European Court of Justice (ECJ)
judgment invalidating the EU-US Privacy
Shield has caused uncertainty for many
enterprises and presented them with
challenges on how to handle private data. In
the long term, this ruling offers European
enterprises valuable chances for reassessing
data-driven business models and re-imagining
them in a way that is compliant with the
required protections of personal data. Things
may not be so simple for US enterprises
seeking trade in Europe.
As with its predecessor, the Safe Harbour
Privacy Principles, overturned in 2015, the EU-
US Privacy Shield determined that transferred
data in the United States was not sufficiently
protected under the current EU law (GDPR)
demands. Standard Contractual Clauses,
which constitute the foundation on which
many enterprises transfer data to the USA,
continue to be valid. If, however, it turns out
that, despite these clauses, data protection in
the United States (in real and concrete cases)
does not take place, this last remaining legal
basis will undoubtedly be invalidated as well.
Private digital data is increasingly valuable
and is a highly sought-after resource - 'the
new gold'. There are different motives when it
We asked Cryptshare CEO Mark Forrest to
offer his thoughts on what has transpired:
What are the key takeaways from this ruling?
Mark Forrest: This ruling did not take place in
a vacuum. We are looking at 20 years of
legislation: From the Safe Harbour Privacy
Principles to the EU-US Privacy Shield, the
practice of self-certification had enabled
companies to tick a box and say, "Yes, we
comply". They did not have to prove their
compliance, rather their non-compliance had
to be proven. This practice has now been
ruled invalid.
European legislation demands that privacy
requires specific top priority guidelines. In the
United States, other factors are in the
foreground: National security takes
precedence over data protection concerns,
meaning privacy gets put aside, or is
diminished as a consideration. With this
ruling, there are penalties in place that can be
large for companies that breach the EU
requirements and the case against Facebook
20
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

Data privacy
today's legal reality.
has been re-opened.
The US has a strong national agenda; their
economic interests and national security
concerns don't necessarily align with EU data
protection laws. The question now is how the
US will respond. Will US companies be fined
for violations of GDPR or could US intelligence
agencies be restricted in their access to the
personal data of European citizens? We
should expect some debate; with national
security, it is a two-way street. Data-driven
business with high economic value is more
biased to US interests.
What are the implications for European
enterprises?
MF: Many will look at this and think, "There is
nothing we can do". Most use tools provided
by third parties from outside the enterprise
and there is a high dependency on external
contractors. In today's world, there is no going
back from using office tools, databases,
analytics tool, integrations…it is not only
cloud service providers offering these, and the
biggest players are in the US; in Europe, we
have fewer data-driven businesses, and many
promising EU based technologies and startups
have been acquired in their infancy.
If you remove those tools because US
companies don't meet the required standards
of GDPR, many EU companies can't function
well. European enterprises are required to
comply with all data protection laws, so they
must identify any areas where they don't and
take action. If they fail to do so, they risk
getting dragged into a maelstrom of fines.
The potential financial consequences of this
ruling are huge.
What can enterprises do, in concrete terms?
MF: This ECJ ruling was effective immediately.
So, it is important for enterprises to act now
and mitigate the potential risks. European
companies operating mainly in Europe already
have a high standard to meet, namely the
GDPR; they run into trouble when they
employ the services of companies that don't
comply. European enterprises need to divert
the risks that suppliers can cause for them and
require their compliance with any applicable
EU data protection laws. Eventually, there will
be a new agreement increasing the pressure
on the US to change priority, but until then
businesses must ensure their compliance with
How has Cryptshare reacted to this?
MF: Enterprises must comply the way they
needed to before. For European companies
operating in Europe, we already have a high
standard, which we help companies to meet.
Data is one of today's most valuable assets;
entire business models are built on it.
Therefore, it greatly matters where this data
goes and what happens to it, once it is there.
Enterprises need a product like Cryptshare to
protect their data in transit, and make sure it
remains safe between senders and its
intended recipient, not falling victim to
predators that include data-driven businesses,
bad actors and governments both legitimate
and malign. That is the essence of the ECJ
ruling.
Where can transatlantic data privacy
agreements go from here?
MF: Action is required from all parties;
politicians must draft a new agreement
between the EU and the USA that constitutes
a sustainable and resilient basis for all future
data transfers to the USA, and this must be
done quickly. In order to stand up to the
scrutiny of the ECJ, any agreement must
ultimately meet the data protection
requirements that EU standards demand.
In the United States, other factors are clearly
given priority, namely their economic interests
and their intelligence agencies' wide-reaching
powers to access personal data, regardless of
its origin or location. They have so far shown
little willingness to make concessions to
European data protection laws, should they
come at the expense of their national
interests. It currently seems that it will be up
to Europe to make its own demands for data
protection and data privacy a reality, as the US
seems unwilling to concede ground.
To find out how enterprises can exchange
sensitive messages and files in a secure,
traceable and compliant way, go to:
https://bit.ly/3mU8is1
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security
21

contact tracing
WE HAVE CONTACT
THERE IS AN INCREASING RELIANCE ON DATA-DRIVEN TECHNOLOGIES TO HELP CONTAIN COVID-19,
ESPECIALLY THROUGH CONTACT TRACING. BUT MIGHT THESE INFRINGE HUMAN RIGHTS?
All contact tracing apps have one thing
in common: they record when you're
close to someone else (usually in a
way that preserves your privacy) and try to
characterise how close and for how long,
states Ian Levy, in a blog published on the
National Cyber Security Centre website.
In all sensible models, he points out, this
information is held privately on the user's
phone. "The differences start when someone
reports they're ill. Then, the different design
choices and cryptographic models dictate
the public health responses your app can
support." In his blog, Levy uses the word
'anonymous' in its security sense. "That's
different to the definition under GDPR and
other law. The proper legal descriptions of
the data we use are in the Data Protection
Impact Assessments, which will be
published," he continues.
In the first model (known as 'the
decentralised model'), you tell the system
you're ill and give it no extra information.
Periodically, it collects a list of everyone who
has said they're ill and sends it out to all users
of the app. "Individual devices look to see if
any of its local contacts are on the list and
tells their user, if this is the case (subject to
some local risk modelling about the sort of
encounters they had). Notifications will lead
to some health interventions, probably selfisolation
to start with."
Those concerned about failures to protect
individual's privacy have argued that this
decentralised model is the one to follow,
as it gives maximum protection. However,
Levy argues that, "while the health authority
would know the anonymous identity of the
22
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

contact tracing
app that's reported symptoms [or sometimes
perhaps just a Bluetooth broadcast value],
it wouldn't know any of the contacts [even
anonymously] and so won't know anything
about how that user may have spread the
disease". In some systems, he adds, "some
users may be able to donate some aggregate
contact data”. In one instance, he had seen
five people who claimed to be infected', but
nothing could be linked to a particular
contact event, or other user.
CENTRALISED APPROACH
The other model is the 'centralised' one
where an ill user reports their symptoms, but
also gives all their anonymous contacts to
the public health authority, along with some
details about the type of contact they've had
(duration and proximity, for example). "The
health authority can use risk modelling to
decide which contacts are most at risk,
and then notify them to take some action -
again probably self-isolation to start with.
Importantly, the public health authority has
anonymous data to help it understand how
the disease appears to be spreading and has
the anonymous contact graphs to carry out
some analysis."
So, the health authority could discover that
a particular anonymous person seems to
infect people really well. While the system
wouldn't know who they are, encounters
with them could be scored as more risky and
adjust the risk of someone being infected
by a particular encounter appropriately. The
NHS app uses this centralised model, but
also protects your security and privacy
strongly," Levy comments.
While some see technological solutions as
a critical tool for contact tracing, quarantine
enforcement, tracking the spread of Covid-
19 and allocating medical resources, these
practices raise significant human rights
concerns. In fact, Norway's Smittestopp
contact tracing app was suspended in mid-
June, following criticism that it was too
invasive of people's privacy. The criticism
came from the national data protection
agency Datatilsynet, which stated that the
benefits of the app were disproportionate
to the privacy infractions it cost their citizens.
Norway's institute of public health also
agreed to delete all data. Significantly,
Smittestopp used a centralised model of data
collection, which was also being utilised in
the UK and France's contact tracing apps.
WAKE-UP CALL
"Norway's decision to suspend its COVID-19
contact tracing app, due to privacy concerns,
was excellent news for Norwegian citizens
and a wake-up call for other countries
currently using or rolling out similar
centralised contact tracing systems," was
the comment at that time from Ray Walsh,
digital privacy expert at ProPrivacy.
"Norway's Smittestopp app uses
a centralised model of data collection - a
troubling and invasive system identical to
that being used in both France and the UK.
Norway's contact tracing app scored just
1 out of 10 in our in-depth study of
Coronavirus contact tracing apps, making
it one of the most invasive and dangerous
apps in the world. Anytime that data is held
in a centralised database, that data is at
risk of data mismanagement, abuse, leaks
or data breaches. Plenty of countries
have demonstrated that it is possible to
implement a contact tracing system that is
completely decentralised and that does not
unnecessarily put citizens' privacy at risk."
Meanwhile, a team at the Technical
University of Munich (TUM) developed an IT
service that simplified the registration and
contact tracing process, while protecting
personal data. The service was therefore seen
as one that could complement the warning
app launched by the German Ministry of
Health and might also be used at locations
where contact lists are not mandatory.
Still, effective contact tracing is important
for successfully limiting the spread of
pandemics, says Georg Carle, professor of
Network Architectures and Services at TUM.
In search of a solution, he worked with his
former doctoral candidate Johann Schlamp
to develop QRONITON. This service, which
uses QR codes that can be scanned with a
mobile phone, will enable organisations to
meet their documentation obligations and
help public health authorities to identify
endangered individuals quickly. Any location
- whether it's at a restaurant table or an seat
in a lecture hall - can be provided with an
individual QR code. When scanned by a
user, the code is captured along with a time
stamp and contact data. What sets this
solution apart from similar approaches is a
sophisticated, multi-stage encryption system
that protects the data.
RESTRICTED ACCESS
"The data are stored centrally on a server,"
says TUM's Carle. "However, they are
encrypted in a form that cannot be read
by the server operator, and which the
authorities can access only in the form of
subsets - and even then, only with the
consent of the concerned parties." If an
infection with the novel coronavirus
SARS-CoV-2 is reported to a public health
authority, it will provide a personal
authorisation code to the infected individual.
The authority can access data on the places
visited and the direct contact persons only
if the infected person enters the code
in QRONITON. "The principle of data
minimisation was very important to us,"
says Schlamp. "The system captures only a
telephone number and a postal code. The
latter is used to determine which authority
can access the data in case of a concrete
infection risk."
QRONITON is a browser-based tool, which
means that the user does not need to install
an app. It also means that users can be
sure that data are not being collected in the
background. They can decide themselves
whether or how often they wish to scan QR
codes. The developers also had users without
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security
23

contact tracing
smartphones in mind: These users can print
out a personal QR code to be scanned by
restaurants and other places they visit.
KEEPING WATCH
Human Rights Watch is equally concerned
about proposals for the use of mobile
location data in the Covid-19 response,
because the data usually contains sensitive
and revealing insights about people's
identity, location, behaviour, associations
and activities. Indeed, mobile location data
programs to combat Covid-19 may not
be scientifically necessary and could lead
to human rights abuses, if they are not
equipped with effective safeguards to
protect privacy. The long history of
emergency actions, such as surveillance
measures put in place to counter terrorism,
shows that they often go too far, fail to
have their desired effect and, once approved,
often outlast their justification, according to
the international watchdog body.
Contact tracing’s goal is, of course, to
interrupt transmission by rapidly identifying
individuals who have been in close contact
of someone who is infected, defined by the
United States Centers for Disease Control
and Prevention (CDC) as within six feet of
someone for approximately 10 or more
minutes. The idea is to encourage such
individuals to isolate themselves from others,
and seek testing and treatment.
Because the coronavirus is primarily
transmitted through person-to-person
contact via respiratory droplets when an
infected person coughs, sneezes or talks,
mobile location data has been advocated in
many quarters as an essential method to
identify potentially exposed individuals.
Companies and governments are also
examining location data in aggregate form
to better understand general patterns of
people's movements and behaviours, and
how these have changed over time. Such
analysis aims to forecast how the virus might
be spreading and the effectiveness of public
health interventions, particularly social
distancing measures, and identify ways to
better allocate testing and medical resources.
RIGHTS & FREEDOMS
Even in times of emergency, when States
restrict human rights for public health
reasons, international human rights law says
that measures taken that limit people's rights
and freedoms must be lawful, necessary and
proportionate. States of emergency need to
be limited in duration and any curtailment
of rights needs to take into consideration
the disproportionate impact on specific
populations or marginalised groups.
These rules apply to efforts to track and
manage Covid-19 using mobile location
data. The collection and analysis of
such data could reveal users' identities,
movements, and associations in a manner
that interferes with the right to privacy.
Article 17 of the International Covenant on
Civil and Political Rights (ICCPR), which is
derived from Article 12 of the Universal
Declaration of Human Rights (UDHR),
establishes "the protection of the law"
against "arbitrary or unlawful interference"
with an individual's "privacy, family, home,
or correspondence." The United Nations
Human Rights Committee has found that
restrictions on the right to privacy must take
place only "in cases envisaged by the law."
Restrictions must also be "proportionate to
the end sought, and ... necessary in the
circumstances of any given case".
In the EU, eight major telcos agreed earlier
this year to share anonymised metadata with
the EC for modelling and predicting the
propagation of the coronavirus. An official
from the commission advised that the data
would be aggregated and anonymised, and
that the commission will delete it when the
pandemic is over. However, and worryingly,
the European Data Protection Supervisor
has previously warned about the possibility
of such measures becoming permanent.
24
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

data disasters
BRAKING BAD!
CAR OWNERS COULD BE PUTTING THEIR PERSONAL DATA AT RISK BY NOT CLEARING
THIS BEFORE SELLING THEIR CARS, ACCORDING TO CONSUMER WATCHDOG WHICH?
AWhich? survey has revealed that
car owners could be putting their
personal information seriously at
risk by failing to clear their data before
selling their cars. In a survey of over
14,000 drivers who sold cars in the
last two years, four in five failed to
wipe information transferred from their
phone, such as contact numbers, home
address and even WiFi passwords, to
their cars before they sold them.
Chris Harris, EMEA technical director
at Thales, has been looking at the clear
dangers of this behaviour, and what
drivers and car manufacturers can do
to stop sensitive data falling into the
wrong hands. "When selling a car, we're
usually quick to remove our possessions -
whether that's CDs, a roof rack, or
personalised seat covers. However,
many of us are failing to remove our
more 'invisible' possessions, and with
cars becoming increasingly connected,
they are swiftly becoming a hotbed
for potentially lucrative sensitive data,
including addresses, recent calls and
birthdays.
"The majority of us wouldn't be
comfortable sharing this kind of
information with complete strangers,
so it's concerning to see consumers
unwittingly hand this data across,"
adds Harris. "Whether you're selling
a car, taking a ride with a friend or
even returning a rental car, it's essential
to practice good data hygiene and
protect your personal data. However,
manufacturers need to be doing more
to ensure data hygiene is easy to practice
and drivers know how to remove this
data."
He offers what he describes as "three
quick tips" for keeping such data safe
when selling your car:
1. When you come to sell your car,
consider all the places where your
personal information may be stored and
find out from the car's manual how to
delete or erase it. Most of us wouldn't
be comfortable sharing our address,
contacts and recent messages with a
complete stranger, but that's effectively
what we're doing by not clearing
sensitive data from our cars.
2. Go through any accounts or apps
that you may have connected to the
vehicle, and ensure you've logged out
and removed any saved data. You won't
want the new owner benefiting from
services you've subscribed to - and, just
as importantly, the new owner probably
won't be too grateful when your app
unknowingly starts to control their new
vehicle.
3. Finally, check for old-school methods
of storing data. Did you have a USB stick
or CD in the glovebox with music you
were playing in the car? What else might
that memory stick have had on it? Even
files you thought you had deleted can
often be recovered from hard drives and
USB sticks.
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security
25

hacking surge
HACKERS FOR HIRE
HACKER FOR HIRE GROUPS ARE LEAVING A TRAIL OF DESTRUCTION IN THEIR WAKE. THE RIGHT
CYBER RESILIENCE STRATEGIES MUST BE PUT IN PLACE TO COUNTERACT THIS GROWING THREAT
operators used to disguise the phishing links.
We subsequently discovered that this
shortener was part of a larger network of
custom URL shorteners operated by a single
group [Dark Basin]. Because the shorteners
created URLs with sequential shortcodes, we
were able to enumerate them and identify
almost 28,000 additional URLs containing
email addresses of targets. We used open
source intelligence techniques to identify
hundreds of targeted individuals and
organisations. We later contacted a substantial
fraction of them, assembling a global picture
of Dark Basin's targeting."
Citizen Lab's investigation yielded several
clusters of interest, including two clusters of
advocacy organisations in the United States
working on climate change and net neutrality.
"While we initially thought that Dark Basin
might be state-sponsored, the range of
targets soon made it clear that Dark Basin
was likely a hack-for-hire operation. Dark
Basin's targets were often on only one side of
a contested legal proceeding, advocacy issue
or business deal."
According to a report published by
internet-watching Citizen Lab, hacker
for hire groups are targeting hundreds
of thousands of institutions around the world,
including advocacy groups, journalists, elected
officials, lawyers, hedge funds and companies.
"We give the name 'Dark Basin' to a hackfor-hire
organisation that has targeted
thousands of individuals and organisations
on six continents, including senior politicians,
government prosecutors, CEOs, journalists,
and human rights defenders," states Citizen
Lab. "Over the course of our multi-year
investigation, we found that Dark Basin likely
conducted commercial espionage on behalf
of their clients against opponents involved
in high-profile public events, criminal cases,
financial transactions, news stories and
advocacy."
In 2017, Citizen Lab was contacted by
a journalist who had been targeted with
phishing attempts and asked if it would
investigate. "We linked the phishing attempts
to a custom URL shortener, which the
CYBERCRIME EVOLUTION
What this all too clearly demonstrates is that
cybercrime has evolved and cybercrime-as-aservice
(CAAS) is now a commonplace activity.
"Not so long ago, if one wanted to launch
a distributed denial of service [DDoS] attack,
then one would need to develop the required
malware, push the malware out into the
web, infect enough computers to create a
sufficiently large attack force and then launch
the attack against the desired target domain,"
says Kev Brear, director of consulting -
Technology Risk - Xcina Consulting. "This
was a time-consuming and labour-intensive
process, and it required a fair degree of
26
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

hacking surge
technical expertise to develop the malware
and manage the DDoS attack process."
However, the world of technology has
'progressed' and it is entirely possible to
purchase a DDoS attack from the 'Dark web'.
"One simply has to make contact with one of
the numerous vendors of the services and
specify the target, the magnitude and
duration of the attack, pay the required fee
(usually in crypto-currency) and then one sits
back and observes as the crime unfolds," he
adds. "The DDoS attack will have an associated
service level agreement, but quite how the SLA
is enforced in the event of a disagreement is
currently an opaque area!"
This "commoditisation of cybercrime" now
extends beyond DDoS attacks, states Brear,
and it is possible to purchase ransomware
attacks, targeted hacks, bespoke malware,
phishing email templates, industrial espionage
services, and lists of potential targets for
frauds and extortion attempts. "The other
consequence of the commoditisation of
cybercrime is that traditional criminals can
purchase the required technical solutions to
combine with their criminal prowess, and
produce ever more inventive methods to
defraud and attack people and organisations."
Action Fraud, the UK's dedicated resource
for reporting fraud and cyber-crime, estimated
that UK citizens have already lost around
£16 million from online scams and frauds in
the earlier stages of the UK lockdown. "Also,
the illegal takeover, or compromise, of cloudbased
email accounts is approaching epidemic
proportions and shows no signs of abating
anytime soon," Brear warns.
"Despite the focus on disruption to business
operations created by the Covid-19 crisis, the
traditional challenges created by cybercrime
have not diminished and organisations need
to have in place appropriate protective
measures, security response plans and
business continuity arrangements to maintain
their critical services and functions." What is
clear from these findings is that the range of
threats that organisations face is increasing
and now, more than ever, it's essential that
companies have the right cyber resilience
strategies in place to counteract this growing
threat - which has only been amplified by the
coronavirus pandemic and remote working.
This is supported by another report, published
by cyber security specialist firm Mimecast,
titled 'State of Email Security', which has
detailed some of threats facing businesses
today. The report surveyed 1,025 global IT
decision makers. Some of key findings include:
60% of IT professionals surveyed believed
it's inevitable or likely they will suffer from
an email-borne attack in the coming year
72% of respondents reported an increase
in phishing on their organisations and,
due to the global pandemic, threat actors
are broadly using impersonation and
BEC to steal from unsuspecting users.
Mimecast has found that impersonation
fraud attempts jumped by a staggering
30% from January to April 2020
47% of IT professionals surveyed in the UK
say the volume of email-based spoofing of
customers, vendors or business partners,
using their brand to trick an organisation
into giving cybercriminals money, sensitive
intellectual property or login credentials
has increased over the past year
51% of IT professionals surveyed in the UK
say the volume of email-based spoofing
of well-known internet brands (Microsoft,
PayPal etc), asking employees for money,
sensitive intellectual property or login
credentials, has increased in the last year.
TIMES ARE CHANGING
This research comes at a time when
organisations across the globe have been
forced to adopt remote work policies for
employees in response to the coronavirus
pandemic. Threat actors have seized this
opportunity and evolved the ways they are
targeting their victims. Domain-spoofing and
email-spoofing have become mainstream
attack vectors, according to the report. Nearly
half of organisations (49%) surveyed report
anticipating an increase in web or email
spoofing and brand exploitation in the next
12 months, and it is a rising concern. In fact,
84% of respondents felt concerned about
an email domain, web domain, brand
exploitation or site spoofing attack. It is critical
for organisations to look beyond their email
perimeters to determine how cyber threat
actors may be using and damaging their
brands online.
Similar to years past, impersonation attacks,
phishing attempts and ransomware continue
to be a major problem, according to the
research. Seventy-two per cent of report
participants said phishing attacks remained
flat or increased in the previous 12 months
and 74% reported the same of impersonation
attacks. This indicates that phishing is
potentially becoming more difficult to stop
or prevent, due to more advanced tactics such
as spear-phishing.
Ransomware also continues to wreak havoc,
as just over half of respondents (51%) said
that ransomware attacks impacted their
organisation, citing data loss, downtime,
financial loss and loss of reputation or trust
among customers.
The State of Email Security 2020 report also
shines a light on the urgent need for a more
cyber-aware workforce. Encouragingly, 97%
of the respondents' organisations offered
security awareness training at varying
frequencies and formats. However, 60% of
those surveyed reported having been hit by
malicious activity spread from employee to
employee, pointing to the fact that the format
or frequency of these trainings could be the
problem. With frequent, consistent, engaging
content that humanises security, security
awareness training is an effective way to
reduce risk inside the network and
organisation.
While threat actors are visibly gaining in
sophistication and evolving, their tactics in
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security
27

hacking surge
Adrian Rowley, Gigamon: a much stricter
privilege regulation policy is needed - a
Zero Trust one.
Joe Hancock, MDR Cyber: "Many of the
targets of sophisticated cyber-attacks are
nameless or their experience is tempered
by being part of an organisation that can
protect them.
many ways remain the same, points out
Chris Goettl, director of security solutions,
Ivanti. "This means businesses can cut
through this sophistication and prioritise
measures to maximise their cybersecurity
strategies. For this reason, they should look
to cybersecurity frameworks, such as the
CIS Critical Security Controls.
THE RIGHT MEASURES
"By following the top five CIS guidelines
and adhering to basic cyber hygiene
measures, it's possible to eliminate 85%
of modern cyber threats. Take vulnerability
management, for example: if IT and
security teams don't treat vulnerability
management as an ongoing process,
business infrastructure will be exposed,
as hackers can find and weaponise
vulnerabilities faster than these teams can
patch. Automating this process can further
protect the organisation by minimising the
gap between the onset of new knowledge
and remediation, reducing the period in
which cybercriminals can strike."
Goettl also recognises how businesses
have faced an entirely new security
challenge over recent months due to
the added risks of a remote workforce.
"For companies that weren't prepared to
support remote workers, this was a drastic
change. It's important that IT and security
teams implement tailored measures to
counter this drastic shift in attack surface,
as remote working looks set to continue in
some capacity for the foreseeable future.
"For example,", he also points out,
"patching a remote or fluid workforce may
require the implementation of a hybrid or
cloud-based patch management solution
that can implement patches to companyowned
devices and BYOD, and that won't
take up valuable VPN bandwidth with
update traffic."
With workers undefended away from their
offices and targeted by malicious actors,
companies must keep security front of
mind as they familiarise themselves with
the 'new normal', says Adrian Rowley,
senior director Sales Engineering EMEA at
Gigamon. "As flexible working becomes the
go-to, employees will be shifting between
on-premise and remote working,
combining user-owned and company
devices (not to mention personal WiFi
connections). This will make network
perimeters even harder to define and
to protect.
"Traffic flows will also be impacted,
with users switching from LAN to WAN
and back - so inspecting encrypted and
unencrypted data will be critical for IT and
security teams to keep abreast of potential
threats. Ultimately, the only way to drive
security in these difficult circumstances is
minimising blind spots and ensuring
unclouded visibility throughout the
network."
To create security resilience in times of
uncertainty, companies must move away
from the idea that any asset or user within
the network perimeter can be trusted, and
a much stricter privilege regulation policy is
needed - in other words, a Zero Trust (ZT)
architecture, he continues. "This security
strategy consists of scrutinising asset
behaviour and only granting access based
on this information, rather than based on
pre-existing credentials. Because it's
impossible to monitor what you can't see,
companies need a clear view of everything
that happens on their network to enable
a ZT approach. "What many businesses
haven't grasped yet is that ZT isn't a
product they can buy, deploy and use to
dispel their security woes," states Rowley.
"It's a mindset which must be applied to
every IT and security decision. Shifting
to a ZT model is no easy feat, but it's
imperative to ensure fool-proof protection
at a time when IT environments are
complicated by a fluid workforce and
cyberattacks are fiercer than ever."
28
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

product review
HORNETSECURITY 365 TOTAL PROTECTION
Microsoft 365 is by far the most
prevalent cloud email service for
businesses, but this popularity
brings inherent risks, as it also makes it the
top target for cybercriminals. Email security
features are provided by Microsoft, but
these are widely used, comparatively basic
and, consequently, easier to circumvent.
To provide greater protection, businesses
must implement a multi-layered defence -
and Hornetsecurity offers a cost-effective
and highly efficient solution. Its 365 Total
Protection cloud service provides a wealth
of email security measures, which includes
AI intelligence-based protection, allowing
it to evolve as new threats emerge.
Two options are available, with the
Business version providing all key threat
defence measures, along with live email
tracking, content control and compliance
filtering. The Enterprise version augments
these with ATP (advanced threat
protection) cloud sandboxing, URL
malware controls, email archiving, e-
discovery and forensics analysis tools.
Onboarding from the cloud panel is
swift, as you change your domain's MX
records, go to the registration link
provided and authenticate with your
account from the standard Microsoft 365
login screen. Using its Azure connector,
365 Total Protection synchronises all your
users, with the entire process taking as
little as 30 seconds.
Protection starts immediately, as the
default settings activate full spam and
malware protection, which blocks
suspicious emails before they reach your
mailbox. The Spam and Malware filter uses
over 15,000 heuristics to reject nuisance
messages, such as newsletters and those
sent from mass marketing campaigns.
The cloud panel opens with an email
live tracking view that shows logs of all
inbound and outbound email activity. This
is vastly superior to Microsoft's logging, as
you can view every detail about individual
emails, including header information, and
each one is colour coded to clearly show
its classification.
Multiple filters can be applied to refine
the list and clicking on the coloured icon
for an email loads a drop-down menu
where you can add the sender to deny or
allow lists, report it as spam or release it.
Enterprise users can also pass suspect
emails to the ATP service for further
examination.
Self-service features lighten the support
burden, as users can review their emails
in the portal and release them, where
permitted. Regular reports for each user
can be generated and show spam activity,
quarantined attachments, plus the reasons
for rejection.
The ATP sandbox recognises emails
with encrypted attachments and, if the
password is in the email message body,
it will use it to scan these files. The URL
rewrite feature deals efficiently with email
web links, as Hornetsecurity opens a web
session to its secure proxy to check where
the link connects to and see if it includes
harmful downloads or other threats.
Fraudulent emails that appear to be
legitimate are handled by a targeted
forensics filter, which uses first and last
name combinations in order to check for
authenticity. The compliance filter provides
more granular control of emails by
applying DLP-like rules to outbound
messages that check for specific keywords
in the body, subject and attachment.
The continuity service will prove
invaluable when the Microsoft 365
services go down, as it keeps copies for
three months back for you to use during
the outage and transfers them back to
your account when the service comes
up again. Rule-based encryption for
outbound messages is just as easy to
implement, as all certificates are centrally
managed for you.
Hornetsecurity's 365 Total Protection lives
up to its name, as it delivers a smart email
security solution that integrates seamlessly
with Microsoft 365. It fills the security
holes Microsoft leaves behind and, with
prices for the Business version starting at
only $2 per user per month, is affordable
for organisations of all sizes.
Product: 365 Total Protection
Supplier: Hornetsecurity
Web site: www.hornetsecurity.com
Contact: info@hornetsecurity.com
Price: From $2 per user per month
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security
29

threat intelligence
APTS AND COVID-19
A RECENT INTELLIGENCE REPORT REVEALS HOW ADVANCED
PERSISTENT THREATS ARE USING THE CORONAVIRUS AS A LURE
KHNP (Korea Hydro & Nuclear Power) cyber
terrorism attacks of 2014.
Since it first showed itself, Covid-19
has had a catastrophic impact on our
lives, turning into a global pandemic
that has upended economies, livelihoods
and hospital systems - almost all facets
of everyday life has been touched. Such
uncertainty and fear surrounding the
virus and its impact represents a golden
opportunity for threat actors to exploit the
situation, as Malwarebytes points out in
one of its latest Threat Intelligence Reports.
"By using social engineering tactics such
as spam and spear phishing campaigns,
with Covid-19 as a lure, cybercriminals
and threat actors increase the likelihood
of successful attack. From late January on,
several cybercriminal and state-sponsored
groups have been doing just that, using
coronavirus-themed phishing emails as
their infection vector to gain a foothold
on victim machines." In its white paper,
Malwarebytes provides an overview of
several APT groups using coronavirus as an
enticement, as well as a description of their
varied attack vectors, categorising the APT
groups according to the technique they
used to send spam or phishing emails:
template injection, malicious macros, RTF
exploits and malicious LNK files. Here, we
look at just a few it singles out.
TEMPLATE INJECTION
Template injection refers to a technique in
which threat actors embed a script moniker
in the lure document - usually a Microsoft
Office document - that contains a link to
a malicious Office template via an XML
setting. Upon opening the document, the
remote template is dropped and executed.
Kimsuky and Gamaredon are examples of
APTs using template injection.
Kimsuky (also known as Velvet Chollima)
is a North Korean threat actor group active
since 2013 and is known to be behind the
Gamaredon, a Russian APT, primarily
performs cyber espionage operations
against Ukrainian military forces, as well
as individuals related to the Ukrainian
government. Gamaredon has been active
since 2013 and often uses spear phishing
as its initial infection vector.
MALICIOUS MACROS
Embedding malicious macros is the most
popular method of infection used by APTs,
warns Malwarebytes. In this attack vector,
a macro is embedded in the lure document
that will be activated upon its opening.
APT36 is another threat group that has
employed macro-embedded COVID-19
themes in its recent campaigns. The group,
believed to be Pakistani state-sponsored,
mainly targets the defence, embassies and
government of India. The primary targets
of this APT are organisations related to
diplomatic and government agencies in the
UK, China, Japan, the Middle East, the US,
Bangladesh, Sri Lanka and Pakistan.
Hades is the APT group behind the attack
against the Pyeongchang Winter Olympics.
"Evidence suggests that this group is
connected to the well-known Russian
threat actor APT288," points out
Malwarebytes. In their recent campaign,
called Tricky Mouse, Hades targeted
Ukrainian users using COVID-19 lures."
The Malwarebytes Threat Intelligence
team is "monitoring the threat landscape
and paying particular attention to attacks
trying to abuse the public's fear of the
COVID-19 crisis".
30
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

GDPR
THE GOOD…
AND THE BAD
LACK OF CLARITY AROUND CERTAIN NEW TECHNOLOGIES IS HITTING
MANY LAW-ABIDING COMPANIES TRYING TO BE COMPLIANT WITH THE GDPR
More than two years after the EU
introduced the General Data
Protection Regulation (GDPR),
a report from the European Commission on
the regulation’s progress makes for interesting
reading. In it, the commission speaks of the
many positives delivered. "Citizens are more
empowered and aware of their rights. The
GDPR enhances transparency and gives
individuals enforceable rights, such as the right
of access, rectification, erasure, the right to
object and the right to data portability
Individuals also have the right to lodge a
complaint with a data protection authority
and to seek an effective judicial remedy."
Today, around 69% of the population above
the age of 16 in the EU are said to have heard
about the GDPR and 71% of people about
their national data protection authority,
according to results published in a survey from
the EU Fundamental Rights Agency. "The GDPR
has empowered individuals to play a more
active role in what is happening with their
data in the digital transition."
While GDPR has been widely celebrated -
and even mirrored in some countries, like the
United States with the California Consumer
Privacy Act - it's also clear that the EU needs
to take additional steps to make it a more
effective deterrent, according to Chris Harris,
EMEA technical director at Thales.
"Since its inception, there has been murmurs
about its effectiveness, due to lack of clarity
on compliance and fears around the resources
and power each data protection authority
(DPA) has to track and investigate the number
of breaches that occur in their country. This is
something that should have been sorted from
the start, and not something that we are still
talking about more than two years later - four
plus, if you include the transition period!"
Harris acknowledges that there have been
some hefty fines justifiably dished out, which
have caught the headlines and impressed.
But he also points to how, as organisations
continue to digitally transform, the lack
of clarity around new technologies like
blockchain and AI is actually mostly hitting
law-abiding companies that are just trying
to be compliant. "We need to ensure GDPR
operates as the protective bubble around
personal information that we all want, without
restricting the innovation and development
that the world needs from these disruptive
technologies.
"Smaller companies may have found
compliance harder, not only due to the
complexity and potentially onerous nature
of the requirements, but because many
vendors with GDPR-focused solutions were
understandably scaling their offerings for the
larger organisations. With a continued increase
in the migration to the cloud, this has perhaps
now become simpler with the advent
of solutions such as cloud-agnostic key
management solutions and subscription-based
data-protection-on-demand services."
In order to be truly effective, the EU needs
to give clearer instructions on how to be
compliant that are consistent across each
country, he adds, "while giving local DPAs
more resources to pursue heavy penalties
against companies that are intentionally
putting their customers' data at risk".
Chris Harris, Thales: we need to ensure
GDPR operates as the protective bubble
around personal information.
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security
31

gender inequality
TIME TO REBALANCE THE BOOKS
AWARENESS AROUND GENDER DIVERSITY IN THE CYBER SECURITY INDUSTRY
IS GETTING BETTER, BUT THERE'S STILL A VERY LONG WAY TO GO
Areport published by CREST has
highlighted progress made in
gender diversity across the cyber
security industry in the past few years
and points to the next steps needed to
further address the gender gap. CREST -
the not-for-profit body that represents
the technical security industry including
vulnerability assessment, penetration
testing, incident response, threat
intelligence and SOC (Security Operations
Centre) - has found that, while
awareness around gender diversity has
improved, there is still work to be done
to make a significant practical difference.
In polls that were taken at CREST's
gender diversity workshop, only 14% of
attendees argued that not enough work
has been done to lessen the gender gap,
but 86% believed that while progress
has been made, it is not nearly enough.
The study also found that 59% of
participants classified their experience in
the industry as mixed, having received
support and enjoyed roles but pointing
to obstacles and challenges that had to
be overcome as a result of being female.
The workshops had the primary focus
and objective of inspiring change and
concluded that the main priorities for
change are encouraging girls at school
to study computer science; improving
visibility of female role models;
challenging the perception of industry
and perceived gender-specific roles;
and industry-wide female mentoring
and coaching.
32
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

gender inequality
The report suggests the primary reason
for the under-representation of women in
the cyber security industry is down to a lack
of interest in the subject from school age.
When considering ways to make change,
the report recommends that industry
leaders - including directors, CEOs and
accreditation bodies - could and should be
responsible for approaching schools help
educate and encourage students. Schools
could also promote initiatives such as
CyberFirst's online Girls Competition,
which aims to inspire the next generation
of young women to consider computer
science as an option, with a view to
a future career in cyber security.
Findings by CREST also point to issues
with current recruitment practices,
including the way job descriptions are
written, the language used and arguably
even candidate requirements. Female
representatives at the workshops agreed
that the inclusion of training options
on the job advert would encourage
more female applicants, as would flexible
working hours, good maternity policies
and back to work support.
Another key finding is the demand for
an industry-wide female mentoring and
coaching scheme to create a stronger,
closer female community, while enabling
women to grow and develop in their
careers.
MUCH MORE TO BE DONE
"It is encouraging that as an industry we
are making progress, but there is a lot
more to do and improving the visibility
of female role models will allow us to
challenge the perception of the cyber
security industry," says Ian Glover, president
of CREST. "Schools hold the key and we
need to help them to encourage more
girls into the industry. Furthermore, the
mentoring scheme would give a platform
on which role models can help to coach
and guide others, which in turn will help
to challenge the perception of gender as
it relates to the industry," adds Glover.
"The actions are well-thought through,
they are doable, but just need the support
of industry, education and recruiters."
FORTUNES TO BE MADE
Interestingly, increasing the number of
women working in cybersecurity could
boost the UK economy by £12.6 billion
according to a new report from Tessian,
the human layer security company. The
report also reveals that closing the 24%
gender pay gap in the UK cybersecurity
industry, and equalising women's salaries
to men's, could add a further £4.4 billion
to the UK economy, albeit such thoughts
must now be tempered by the on-going
ravages inflicted by the pandemic.
The firm carried out a survey of 200
female cybersecurity professionals in both
the US and UK, and interviewed more than
one dozen practitioners from some of the
world's largest organisations about their
personal experiences. The Tessian report
highlights what it sees as the potential
impact of expanding gender diversity in
cybersecurity, as well as current perceptions
around gender bias in the field.
Key findings:
82% of female cybersecurity
professionals in the US believed that
cybersecurity had a gender bias
problem, compared with 49% of
those in the UK
The cybersecurity gender pay gap in
the US was 17%; in the UK, 19%
US respondents were three times as
likely (68%) to believe that a more
gender-balanced workforce would be
an effective tool for recruiting more
women to work in cybersecurity
than UK respondents (22%)
45% of US respondents said equal
pay would help with recruitment,
compared with just 10% of UK
respondents
61% of US respondents cited lack of
qualified talent as a reason why 4m
cybersecurity jobs would be left
unfulfilled by 2021, while only 33% of
UK women cited lack of qualified talent
as a barrier. Once again, Covid-19 will
have had its impact on all these figures.
Factors discouraging women from joining
the cybersecurity industry:
42% of respondents (US. and UK)
believed a cybersecurity skills gap
existed, as the industry isn't considered
'cool' or 'exciting'. This opinion was
most commonly shared by millennials
(46%), compared with 22% of 45-54-
year-olds
A lack of awareness or knowledge of
the industry was the top challenge
female professionals faced at the start
of their career, with 43% citing this as
a barrier
43% of women said a lack of a clear
development path was another
challenge at the start of their
cybersecurity career, while nearly
a quarter (23%) cited a lack of role
models
Just 53% believed their organisations
were doing enough to recruit women
into security roles.
GREATER VISIBILITY
Sabrina Castiglione, senior executive at
Tessian, comments: "For organisations to
successfully recruit more women into
security roles, they need to understand
what's discouraging them from signing
up, beyond just gender bias. We need to
make women in cybersecurity more visible.
We need to tell their stories and raise
awareness of their roles and experiences.
And, once through the door, managers
need to clearly show women the
opportunities available to them to progress
and develop their careers."
Shamla Naidoo, former CISO at IBM, has
this to say: "To many people, cybersecurity
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security
33

gender inequality
equates to - and is limited to - someone in
a hoodie bent over a keyboard in a dark
room. That's not the case at all. If we don't
expand beyond that, then we'll lose out
on even more people in the industry." And
she adds: "The future of cybersecurity needs
diversity. 2019 was the worst year on
record for data breaches, with 61% of
organisations reporting a breach as a result
of human error or malicious activity. With
data breaches rising year on year, and with
cyber threats continually evolving, we need
different ideas and approaches to solving
security problems, if we are going to keep
people and data safe."
WOMEN IN CYBER
For its part, Cisco's commitment to the
gender equality cause can be seen in its
'Women in Cyber' initiative, which aims to
bring diversity of thinking to a team and
to a problem - what the company's Gregory
Neal Akers describes as "unique perspectives
that we would otherwise not have, because
of the biases we bring from our own
backgrounds".
Akers, senior vice president of Advanced
Security Initiatives and chief technology
officer within the Global Governments
Solutions Group at Cisco, says he can
see that the gender gap in security is,
unfortunately, real. "We have the problem
of not having enough females in STEM in
general and that yields a gap in security.
I'm especially concerned about female
undergrads and high school students in
STEM, because they tend to gravitate to
other domains like natural sciences or
biology - rather advanced mathematics
that is important to things like encryption
and quantum computing.
"Even within the research environment,
I see senior-level female colleagues at other
institutions lacking more women on their
research teams - not because of bias, but
because there simply isn't a talent pool of
qualified women to draw from."
He believes this situation is rooted in the
primary and secondary education system,
where we're not sufficiently encouraging
girls and women into the field. "For
example, in cryptography, which is my area
of specialty, the required deep level math is
not being taught to enough women. Yet
these skills will be increasingly important
for the ongoing critical development of
Machine Learning. While some women
will be drawn to this work, others may be
reluctant; we need to actively demonstrate
that cyber talent needs extend well beyond
deep maths to a breadth of roles that
demand all available talent. The imperative
is urgent."
So what can be done about this? "We
must incentivise women to get involved in
the cyber field; it offers satisfying experience
and great intellectual stimulation," says
Akers. "I believe in mentoring; for me, as
a leader, it's very gratifying and I always get
back more than I give. I insist on diversity
in staffing activities: diverse interview teams
to assess job candidates; diverse hiring
professionals in HR; and having people
with diverse perspectives make decisions
on rewards and promotions. This can at
times be difficult to do, given the pool of
incumbents available to engage in the
process. But, if you don't have multiple
perspectives on a decision-making advisory
group, you end up with biases and
limitations in the ways to think about
things. Leaders have to be dogmatic
about this and make sure it's being done."
Of course, the cyber talent shortage
requires skilled women and men to fill
much-needed jobs, he points out. "We need
to balance encouraging and incentivising
women to enter the field with cultivating
skills of their male counterparts.
And he concludes: "I firmly believe that,
if the opportunity is presented, over time
there will be a natural tendency for the
balance to come."
34
computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk

FULLSTACK VULNERABILITY MANAGEMENT
CONTINUOUS VULNERABILITY
INTELLIGENCE
Accurately identifies vulnerabilities
and exposures across the full stack.
All threats are verified by
cybersecurity experts, providing
exploitable risk and remediation
guidance.
“The expertise and
delivery of this service
has been outstanding...”
SECURITY AND RISK MANAGEMENT,
MEDIA INDUSTRY, 30B+ US
2020

NEW Sensitive Data Discovery and Remediation
for Atlassian Confluence
Discover, manage and protect sensitive information across your digital stack
- now including Atlassian Confluence
Ascema Sensitive Data Discovery and Extraction discovers, labels, monitors and restricts
business-critical data across enterprise authorised applications.
Find and protect your enterprise crown jewels easily using
Ascema for Atlassian Confluence
Complete data discovery and extraction across cloud and on premise
True content level detection and restriction to safeguard your sensitive data
Highly automated and flexible remediation capabilities
Granular reporting into data threat patterns, user activity and risk profile
Intelligent machine learning to classify sensitive information in real-time
Elegant and simple to deploy, use and manage; all in a single console
Integrated with popular and approved enterprise connectors, including:
Find us on the Atlassian Marketplace, or click here to arrange a live demonstration or enquire about a FREE trial
info@geolang.com
www.geolang.com
+(44) 02920 647 012