Cyber Defense eMagazine January 2021 Edition

Cyber Defense eMagazine January Edition for 2021 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, US Editor-in-Chief, Pieruligi Paganini, Co-founder & International Editor-in-Chief, Stevin Miliefsky, President and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES


3 Email Hacking Techniques to Watch In 2021

5 AIOps Trends That Will Shape 2021

Zero Trust Remote Access for Engineering Teams

Communication Streaming Challenges

…and much more…

Cyber Defense eMagazine January 2021 Edition 1

Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.


Welcome to CDM’s January 2021 Issue -------------------------------------------------------------------------------------------- 7

3 Email Hacking Techniques to Watch In 2021 ------------------------------------------------------------------------- 23

By Adrien Gendre, Chief Product & Services Officer, Vade Secure

5 AIOps Trends That Will Shape 2021 ------------------------------------------------------------------------------------- 26

By Tej Redkar, Chief Product Officer at LogicMonitor

Securing Digital Identities in A Predominantly Remote World ---------------------------------------------------- 30

By Bob Eckel, President & CEO, Aware, Inc.

Businesses Must Protect Their Most Critical Asset: Their Data ---------------------------------------------------- 33

By Trevor J. Morgan, Ph.D., Product Manager at comforte AG

Zero Trust Remote Access for Engineering Teams--------------------------------------------------------------------- 36

By Colin Rand, VP of Engineering, Banyan Security

Cryptocurrency Ransomware Is on The Rise During COVID-19 – Here’s What Businesses of All Sizes Need to Know About Dealing with Attacks ----------------------------------------------------------------------------------- 41

By Marc Grens, Co-Founder & President at DigitalMint

E-Commerce and Lockdown: The Perfect Storm for Cyber Threats ----------------------------------------------- 44

By Aman Johal, Lawyer and Director of Your Lawyers

Communication Streaming Challenges ----------------------------------------------------------------------------------- 47

By Milica D. Djekic

Anatomy of a hack – Solar Winds Orion --------------------------------------------------------------------------------- 50

By James Gorman, CISO, Authx

Cybersecurity Maturity Model Certification (CMMC) ---------------------------------------------------------------- 53

By Carter Schoenberg, CISSP & CMMC Registered Practitioner, Vice President – Cybersecurity, SoundWay Consulting, Inc.

Businesses Should See Security as An Enabler of Digital Transformation, Not A Hindrance ------------- 57

By Matt Gyde, CEO, Security Division at NTT Ltd.

Asset Management, The Weakest Link in Cybersecurity Risk -------------------------------- 60

By Gyan Prakash, Head of Cyber Security / Security Engineering, Altimetrik Corp


The Rising Tide of Security Threats in The Industrial Internet of Things ---------------------------------------- 70

By Don Schleede, Information Security Officer at Digi International

E-Merchants: Secure Your Online Sales from Cybersecurity Threats -------------------------------------------- 73

By Anthony Webb, EMEA Vice President, A10 Networks

The Privileged Credential Security Advantage ------------------------------------------------------------------------- 76

By Tony Goulding, Cybersecurity Evangelist at Centrify

How To Keep Your Children Safe In Remote Learning Situations ------------------------------------------------- 79

By Nevin Markwart, Chief Information Security Officer at FutureVault

More Internal Security Needed, Less Budget – 10 Tips to Help ---------------------------------------------------- 82

By Jody Paterson, Founder and Executive Chairman, ERP Maestro

Personal Data Breaches for GDPR Compliance: Everything You Need to Know ------------------------------ 86

By Dan May, Commercial Director, ramsac

Brave New World: Safari Content Blocking ----------------------------------------------------------------------------- 89

By Andrey Meshkov, CEO and CTO at AdGuard

When Businesses Get Hacked- Who Are the Victims? ---------------------------------------------------------------- 93

By Nicole Allen, Marketing Executive, SaltDNA.

Security and Remote Management: What Is the Market Looking Like as We Head Towards 2021? -- 97

By Gil Pekelamn, CEO, Atera

Working from Home? You’re Not Alone ------------------------------------------------------------------------------- 100

By Steve Hanna, Embedded Systems Work Group Co-Chair at Trusted Computing Group (TCG) and Jun Takei, Japan Regional Forum Co-Chair at Trusted Computing Group

The Best Network Protection: Go Deep or Go Broad?-------------------------------------------------------------- 104

By Albert Zhichun Li, Chief Scientist, Stellar Cyber

Cybersecurity Predictions For 2021 -------------------------------------------------------------------------------------- 106

By Topher Tebow, Cybersecurity Analyst (Malware), Acronis

Why 'Thinking Small' Is the Way to Stop Ransomware and Other Cyber Attacks ------------------------- 109

By Yuval Baron, CEO at AlgoSec, explains why micro-segmentation is one of the most effective methods to limit the damage of attacks on a network

Your Vulnerabilities are Making You Miss Your Misconfigurations -------------------------------------------- 112

By Evan Anderson, Director of Offense, Randori


Are Your Organization’s Critical Assets Five Steps or Fewer from A Cyber Attacker? -------------------- 117

By Gus Evangelakos, Director Field Engineering, XM Cyber

Moving to Active Defense: What It Means, How It Works and What You Can Do Now ----------------- 120

By Ofer Israeli, CEO and founder, Illusive Networks

How Next-Gen Identity Governance and Administration (IGA) Fits in with Your Hybrid IT Strategy 123

By Thomas Müller-Martin, Global Partner Technical Lead, Omada

Analytics Security Insight On 2021 And Beyond --------------------------------------------------------------------- 126

By Billy Spears, Chief Information Security Officer, Alteryx

Innovation, Automation and Securing A “Work from Anywhere” Environment In The Middle East - 129

By Mazen A. Dohaji, Vice President, India, Middle East, Turkey & Africa (iMETA), LogRhythm

Peer-To-Peer Cybersecurity Insights For 2021 ------------------------------------------------------------------------ 133

By Stuart Berman, IT Central Station Super User

Transitioning to Remote Work: The Apps You’ll Need to Ensure A Productive Workforce -------------- 135

By Ikechukwu Nnabeze, SEO Copywriter, Traqq



From the


New CyberDefenseMagazine.com website, plus updates at CyberDefenseTV.com & CyberDefenseRadio.com

Dear Friends,

It’s a given that we are all ready to put 2020 behind us; executing plans for a much better, brighter year in 2021. For all your support, we humbly THANK YOU SO MUCH! We so much value our readers, our partners and our sponsors.

To be sure, there will be new challenges to take the place of the ones we’ve been facing for the past year. Publication and distribution of valuable actionable information is for us the key to successfully navigating these troubled waters.

As we’ve recently notched up to the 2nd most popular cybersecurity publication and news source, we’re proud to be entering our 9th year producing Cyber Defense Magazine as we continue to focus on providing valuable resources to our readers and sponsors, reaching the right kind of executives with our shared messages. Our readers include buyers, decision-makers, and influencers in the IT/InfoSec ecosystem.

As we publish this January issue, we look ahead to the year 2021 with great anticipation for new and exciting challenges and responses in the industry. The articles in this month’s Cyber Defense Magazine, which are provided from a broad array of contributors, demonstrate that our community continues to pursue a new phase, emphasizing basics while we address broader issues as well.

In addition to the important articles in the January issue, we are pleased to continue providing the powerful combination of monthly eMagazines, daily updates, and features on the Cyber Defense Magazine home page, and webinars featuring national and international experts on topics of current interest.

Finally, we’re answering the call to help fill so many infosec job openings, entering our second year of CDM Young Women in Cybersecurity Scholarships and with our new www.cyberdefenseprofessionals.com job portal – free to post a job opening or your resume, so please leverage it and let us know how to improve it in 2021 and beyond.

Warmest regards,

Gary S. Miliefsky

Gary S. Miliefsky, CISSP®, fmDHS

CEO, Cyber Defense Media Group

Publisher, Cyber Defense Magazine

P.S. When you share a story or an article or information about CDM, please use #CDM and @CyberDefenseMag and @Miliefsky – it helps spread the word about our free resources even more quickly.




Published monthly by the team at Cyber Defense Media Group and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.

Stevin Miliefsky

InfoSec Knowledge is Power. We will always strive to provide the latest, most up to date FREE InfoSec information.

From the International


With a new year before us, the international perspective on cybersecurity matters brings renewed emphasis on competition, privacy, and regulatory

We see antitrust actions against several of the big tech leaders, updates of privacy rules among various jurisdictions, and new challenges from


Pierluigi Paganini, CEH



Yan Ross, JD



Marketing Team



Cyber Defense Magazine

Toll Free: 1-833-844-9468

International: +1-603-280-4451

SKYPE: cyber.defense


On one hand, these trends are apparently intended to result in stronger cybersecurity overall. But in the usual manner, the law of unintended consequences often overrides good intentions.

The natural tension between anti-monopoly actions on one side and regulated monopoly market behavior on the other is playing out in the cybersecurity arena. And that interplay is complicated by the cross-jurisdictional nature of the industry.

A final challenging factor is that the world we live in today is a stage for nation-states and other governmental entities to exhibit multiple personalities: both as cooperating authorities in regulation and as competitors in exercising control over digital assets.

As always, we encourage cooperation and compatibility among nations and international organizations on cybersecurity, regulatory, and privacy


To our faithful readers, we thank you,

Pierluigi Paganini

International Editor-in-Chief

P.S. Please visit our new consumer magazine for family and friends.

Copyright © 2021, Cyber Defense Magazine, a division of

CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a)

276 Fifth Avenue, Suite 704, New York, NY 10001

EIN: 454-18-8465, DUNS# 078358935.

All rights reserved worldwide.


Gary S. Miliefsky, CISSP®

Learn more about our founder & publisher at:



Providing free information, best practices, tips and techniques on cybersecurity since 2012, Cyber Defense magazine is your go-to source for Information Security. We’re a proud division of Cyber Defense Media Group:





Welcome to CDM’s January 2021 Issue

From the U.S. Editor-in-Chief

As we enter a new year, it is important to pause and reflect on both the challenges and highlights of the year just past – from a cybersecurity perspective.

In 2020, Cyber Defense Magazine carried nearly 300 articles of paramount value in identifying and responding to cybersecurity threats and opportunities.

Can our industry claim complete success (if that is even a fair question)? Perhaps not, but after all, we do operate in a theater of asymmetrical warfare: the defenders must bat 1000, while the attackers need only score the occasional base hit. Nonetheless, goals are worth setting and approaching as closely as

From a more sanguine point of view, on behalf of Cyber Defense Magazine, we can state this without fear of contradiction: If all our readers were allowed to and funded to implement all the actionable advice of our contributors and sponsors, our overall cyber experience in 2020 would have been much improved. Let’s keep the pressure on the Boards, CEOs and CFOs how important cyber hygiene has become. It’s not an insurance policy anymore, it’s a must implement, daily and even more vigorously.

While we cannot change the past, we can surely learn from it. To that end, let me commend to our readers the contents of our January issue. The breadth and depth of this month’s articles cover various sources and topics, with a wealth of actionable information.

With that introduction, we are pleased to present the January 2021 issue of Cyber Defense Magazine.

Wishing you all success in your cyber security endeavors,

Yan Ross

US Editor-in-Chief

Cyber Defense Magazine

About the US Editor-in-Chief

Yan Ross, J.D., is a Cybersecurity Journalist & US Editor-in-Chief for Cyber Defense Magazine. He is an accredited author and educator and has provided editorial services for award-winning best-selling books on a variety of topics. He also serves as ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist® XV CITRMS® course. As an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, privacy, and cyber security for consumers and organizations holding sensitive personal information. You can reach him via his e-mail address at yan.ross@cyberdefensemediagroup.com


3 Email Hacking Techniques to Watch In 2021

By Adrien Gendre, Chief Product & Services Officer, Vade Secure

Ransomware hobbled businesses in 2020, while COVID-19 spawned an endless stream of cyberattacks. What both have in common is email. With 91 percent of cyberattacks beginning with an email, a single click can mean the difference between business as usual and operations standstill. Here are three hacking techniques to watch out for in 2021.

1. Leveraging images to bypass email filters

Image quality might be critical to the authenticity of a phishing email, but it’s what’s going on behind the image that makes the difference between detection and delivery. Known phishing emails—or phishing emails that have been blacklisted—can find their way back into inboxes with a series of image manipulation techniques. Unfortunately, most email filters cannot detect them.


Invisible to the naked eye, images that have been even slightly manipulated cause a known phishing email to appear unique to an email filter. By distorting the color, tone, or geometry of an image, a hacker has the ability to update a blacklisted phishing email with a new image and bypass an email filter that can’t extract and analyze content from images.
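The mechanism described above comes down to how the filter fingerprints an image. The following added example (written for this article; it is not Vade Secure's code) contrasts an exact cryptographic hash with a simple perceptual "average hash": a one-pixel or whole-image tone change gives a new SHA-256 every time, while the perceptual hash still matches the blacklisted template. The 8x8 greyscale bitmap, the blacklist entry and the 6-bit match threshold are all constructed for the demonstration.

```python
"""Why a barely visible pixel change defeats an exact-match image blacklist
while a perceptual hash still matches.  Added illustration for the section
above; it is not Vade Secure's code.  The 8x8 greyscale image, the 'blacklist'
entry and the match threshold are all constructed here."""
import hashlib

# Constructed stand-in for a phishing template image: an 8x8 greyscale
# bitmap (0 = black, 255 = white), dark on the left, light on the right.
# A real filter would decode a PNG/JPEG and downscale to 8x8 first.
ORIGINAL = [[20] * 4 + [230] * 4 for _ in range(8)]


def exact_hash(img):
    """SHA-256 over the raw pixel bytes: one changed byte changes the digest."""
    data = bytes(v for row in img for v in row)
    return hashlib.sha256(data).hexdigest()


def average_hash(img):
    """Classic 64-bit 'aHash': one bit per pixel, set when that pixel is
    brighter than the image mean.  Small tone/colour shifts move the pixels
    and the mean together, so few or no bits flip."""
    pixels = [v for row in img for v in row]
    mean = sum(pixels) / len(pixels)
    return sum(1 << i for i, v in enumerate(pixels) if v > mean)


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def tweak_pixel(img, row, col, delta):
    """Change one pixel by `delta`: invisible to a reader, fatal to exact matching."""
    out = [list(r) for r in img]
    out[row][col] = max(0, min(255, out[row][col] + delta))
    return out


def shift_tone(img, delta):
    """Brighten or darken the whole image by `delta` (a global tone change)."""
    return [[max(0, min(255, v + delta)) for v in row] for row in img]


def invert(img):
    """A genuinely different picture, to show the hash distance is meaningful."""
    return [[255 - v for v in row] for row in img]


# Constructed blacklist entry: the perceptual hash of the known template.
BLACKLIST_AHASH = average_hash(ORIGINAL)


def is_known_phish_image(img, max_distance=6):
    """Match by hash *distance* rather than equality; 6 of 64 bits is an
    assumed threshold, tuned in practice against false-positive rates."""
    return hamming(average_hash(img), BLACKLIST_AHASH) <= max_distance


if __name__ == "__main__":
    for name, variant in [("one pixel +3", tweak_pixel(ORIGINAL, 0, 0, 3)),
                          ("tone +10", shift_tone(ORIGINAL, 10)),
                          ("inverted", invert(ORIGINAL))]:
        print(f"{name:13s} exact match: {exact_hash(variant) == exact_hash(ORIGINAL)!s:5} "
              f"aHash distance: {hamming(average_hash(variant), BLACKLIST_AHASH):2d} "
              f"flagged: {is_known_phish_image(variant)}")
```

The average hash survives colour and tone edits but not the geometric distortions the article also mentions (rotation, cropping, scaling), which is why the text points at content extraction with computer vision as the longer-term answer.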

Recently, we’ve been seeing an increase in the number of malicious emails containing remote-based images that store malicious textual content. Embedded in the body of the email but hosted on outside domains, remote images must be fetched over a network to be analyzed. The process can’t be done in real time. In November alone, Vade Secure analyzed 26.2 million remote images and blocked 261.1 million emails containing remote images.

Extracting and analyzing content from images requires Computer Vision, an expensive, resource-intensive field of artificial intelligence that has yet to become standard in email security. Until then, we expect to see manipulated images and remote-based images grow.
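Before any image can be fetched and analyzed, a filter has to know which images in a message are remote at all. The added example below (not Vade Secure's code) walks an HTML email body with the standard-library parser, separates inline images (cid: and data: references carried inside the message) from remote ones that a client would fetch from an outside host, including protocol-relative `//host/...` references, and applies the heuristic the article implies: remote images present but almost no visible text suggests the message text lives inside the images. The sample message, host names and the 40-character threshold are constructed.

```python
"""Inventory the images in an HTML email body: which are inline (cid:/data:)
and which are remote, i.e. fetched from an outside host when the message is
rendered.  Added example for the section above, not Vade Secure's code; the
sample message and the 'little visible text' threshold are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class EmailHtmlInspector(HTMLParser):
    """Collects <img src> values and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.image_sources = []
        self.text_parts = []
        self._skip_depth = 0  # inside <style>/<script>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ("style", "script"):
            self._skip_depth += 1
        elif tag == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.image_sources.append(value.strip())

    def handle_endtag(self, tag):
        if tag.lower() in ("style", "script") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.text_parts.append(data)


def inspect_html(html):
    """Return the classified image references and the visible text."""
    p = EmailHtmlInspector()
    p.feed(html)
    p.close()
    images = {"remote": [], "inline": [], "other": []}
    for src in p.image_sources:
        scheme = urlparse(src).scheme.lower()
        if src.startswith("//") or scheme in ("http", "https"):
            images["remote"].append(src)          # fetched at render time
        elif scheme in ("cid", "data"):
            images["inline"].append(src)          # carried inside the message
        else:
            images["other"].append(src)
    visible_text = " ".join(" ".join(p.text_parts).split())
    return {"images": images, "visible_text": visible_text}


def remote_image_hosts(html):
    """Distinct hosts a mail client would contact to render this message."""
    hosts = {urlparse(s).hostname for s in inspect_html(html)["images"]["remote"]}
    return sorted(h for h in hosts if h)


def text_carried_by_images(html, min_visible_chars=40):
    """Heuristic: remote images present but almost no visible text suggests the
    message body lives inside the images.  The character threshold is assumed."""
    info = inspect_html(html)
    return bool(info["images"]["remote"]) and len(info["visible_text"]) < min_visible_chars


# Constructed sample: one inline logo, one large remote image, one 1x1 pixel.
SAMPLE_HTML = """<html><head><style>p{margin:0}</style></head><body>
<p>Please review.</p>
<img src="cid:logo@constructed.local" alt="logo">
<img src="https://img.example.invalid/notice.png" width="600">
<img src='//track.example.invalid/p.gif' width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    print(inspect_html(SAMPLE_HTML))
    print("remote hosts:", remote_image_hosts(SAMPLE_HTML))
    print("text carried by images:", text_carried_by_images(SAMPLE_HTML))
```

The host list is the useful output for a gateway: it is available synchronously, without the fetch the article says cannot be done in real time, and can be checked against reputation data or newly registered domains before any image is downloaded.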

2. Depositing malicious emails via IMAP connections

In late November, Vade Secure detected a mass wave of spam emails being deposited into mailboxes without passing through transport layers. We suspect that the hacker or hackers used a new tool called Email Appender, which is available on the dark web, to deposit the spam.

Email Appender allows hackers to validate compromised account credentials and connect directly to the accounts via IMAP. Once connected, hackers can configure proxies to avoid detection and deposit emails directly into accounts, even in bulk. Because the emails are sent from compromised accounts, it’s not necessary for hackers to spoof the email addresses. However, they can adjust the sender display names to fit the narrative of the spam campaign.
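A message deposited over IMAP never crosses the organisation's mail transport, so it lacks the traces that transport leaves behind. The added example below (written for this section; not Vade Secure's code) turns that into a triage check over stored messages: it looks for a Received hop stamped by the organisation's own MX and an Authentication-Results header from that MX, rather than merely for the presence of Received headers, since a client can append a message that already contains forged ones. The trusted MX name `mx.example.invalid`, the three sample messages and their addresses are constructed.

```python
"""Heuristic check for messages that were placed in a mailbox via IMAP rather
than delivered through the organisation's mail transport.  Added example for
the section above, not Vade Secure's code.  The trusted MX host name, the
sample messages and their addresses are constructed; run it over a mailbox
export (RFC 822 text per message) to find candidates for review."""
import email

# Constructed: the organisation's own inbound MX.  Mail that really came
# through transport carries a Received hop stamped "by" this host and an
# Authentication-Results header whose authserv-id is this host.
TRUSTED_MTA_HOSTS = {"mx.example.invalid"}
TRUSTED_AUTHSERV_ID = "mx.example.invalid"


def received_hops(msg):
    return msg.get_all("Received", [])


def stamped_by_trusted_mta(msg):
    """True if any Received hop says it was received *by* one of our MTAs.
    Presence of Received headers alone proves nothing: an IMAP client can
    append a message that already contains forged ones."""
    for hop in received_hops(msg):
        tokens = hop.split()
        for i in range(len(tokens) - 1):
            if tokens[i].lower() == "by" and tokens[i + 1].rstrip(";").lower() in TRUSTED_MTA_HOSTS:
                return True
    return False


def has_trusted_auth_results(msg):
    """True if an Authentication-Results header names our MTA as authserv-id."""
    for ar in msg.get_all("Authentication-Results", []):
        if ar.split(";", 1)[0].strip().lower() == TRUSTED_AUTHSERV_ID:
            return True
    return False


def assess_delivery_path(raw_message):
    """Return the evidence that a message bypassed transport (empty list = none)."""
    msg = email.message_from_string(raw_message)
    findings = []
    if not received_hops(msg):
        findings.append("no Received headers")
    elif not stamped_by_trusted_mta(msg):
        findings.append("no Received hop stamped by our MTA")
    if not has_trusted_auth_results(msg):
        findings.append("no Authentication-Results from our MTA")
    return {"message_id": msg["Message-ID"],
            "bypassed_transport": bool(findings),
            "findings": findings}


# Constructed sample 1: normal delivery through the trusted MX.
DELIVERED = """Received: from sender.example.invalid (sender.example.invalid [203.0.113.10])
 by mx.example.invalid with ESMTPS id abc123;
 Mon, 23 Nov 2020 09:14:02 +0000
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=example.invalid;
 dkim=pass header.d=example.invalid
From: "Accounts" <accounts@example.invalid>
To: user@example.invalid
Subject: November statement
Message-ID: <constructed-1@example.invalid>
Date: Mon, 23 Nov 2020 09:14:00 +0000

Your statement is attached.
"""

# Constructed sample 2: appended straight into the mailbox; the client
# supplied only the headers it wanted, so no transport hop exists.
APPENDED = """From: "Special Offers" <user@example.invalid>
To: user@example.invalid
Subject: Limited-time offer
Message-ID: <constructed-2@example.invalid>
Date: Tue, 24 Nov 2020 11:02:00 +0000

Offer details inside.
"""

# Constructed sample 3: appended with a made-up Received line that never
# mentions our MX, which the trusted-host check still catches.
APPENDED_WITH_FAKE_HOP = """Received: from a.example.invalid by relay.elsewhere.invalid; Tue, 24 Nov 2020 11:03:00 +0000
From: "Special Offers" <user@example.invalid>
To: user@example.invalid
Subject: Limited-time offer
Message-ID: <constructed-3@example.invalid>
Date: Tue, 24 Nov 2020 11:03:00 +0000

Offer details inside.
"""

if __name__ == "__main__":
    for raw in (DELIVERED, APPENDED, APPENDED_WITH_FAKE_HOP):
        print(assess_delivery_path(raw))
```

Treat the findings as triage input rather than a verdict: the complementary signal is the IMAP server's own log of APPEND commands, especially from addresses or proxies the account has not used before, which is where the bulk deposits the article describes become visible.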

We believe that hackers are using spam messages to test Email Appender and the IMAP method before moving on to phishing and malware attacks, which require more time, effort, and skill. Hackers tend to test new techniques on consumers before moving on to corporate targets. Business users are more savvy because of mandated security awareness training, and businesses tend to have more sophisticated security systems.

When the IMAP method goes corporate, we expect platforms like Microsoft 365 to become targets. API-based email security solutions that are natively integrated with Microsoft 365 offer post-remediation capabilities not found in secure email gateways. If and when email threats bypass security, businesses can reach in and remove them, often before users have the chance to click.


3. Hijacking email threads

When Emotet malware returned in July, it was made all the more difficult to detect due to thread hijacking. Leveraging user accounts already compromised by Emotet and other viruses, hackers injected themselves into legitimate email threads, spreading phishing links and malware-loaded Word documents as they posed as business colleagues and acquaintances.

While many users might be trained to inspect email for signs of spoofing, the average user is unlikely to scrutinize an email that is part of a thread. This is what makes thread hijacking so dangerous. With the conversation already established, hackers are free to converse with other users in the thread. And because their guard is down, users are likely to take the bait.

With a technique like thread hijacking, hackers can forgo border security and infiltrate a business from the inside. With the relative ease of getting inside, we expect thread hijacking to gain prominence in 2021.

Mitigating new threats

The above techniques prove that hackers are not only keeping up with the advances in email security but also outpacing it in many respects. Innovations in artificial intelligence bring new detection and remediation capabilities that will only grow in the coming years. But when threats do bypass security, continuous user training, including at the moment of need, will be critical to neutralizing attacks.

About the Author

Adrien Gendre is Chief Product & Services Officer at Vade Secure. His product vision and cybersecurity experience have been instrumental in Vade Secure’s evolution from startup to world leader in predictive email defense. A speaker at M3AAWG (Messaging, Malware & Mobile Anti-Abuse Working Group), Adrien is a sought-after email security expert who shares his expertise to educate businesses about email threats and facilitate new approaches in the cybersecurity community. With unparalleled access to global email threat intelligence, Adrien brings his email security expertise and innovative product approach to the ongoing development and advancement of phishing, spear phishing, and malware protection technologies at Vade Secure.


5 AIOps Trends That Will Shape 2021

By Tej Redkar, Chief Product Officer at LogicMonitor

If 2020 has taught us anything, it is that life is nothing if not unpredictable. Yet, the unforeseen possibilities of tomorrow are the very reasons why our society has fully embraced technology today. In the past decade, technology trends such as artificial intelligence (AI) and automation have improved us as a society by fostering faster collaboration and saving us a significant amount of time. At the forefront of modern-day trends is AIOps, or the practice of using AI in IT Operations (ITOps).

AIOps platforms combine big data and machine learning to find patterns, identify problems, and predict and prevent future issues from occurring. More recently, AIOps has been a valuable tool in helping companies scale high volumes of data due to the unprecedented shift to a remote workforce. As AIOps continues to grow in popularity, it’s important to keep up with key trends in its progression. The following reflects a variety of trends that I have my eye on for next year.

1. AIOps Is Moving from One Data Type to Multiple Data Type Algorithms

AIOps traditionally uses big data platforms to aggregate siloed IT Operations data in one place. Looking ahead, data scientists will be designing AI algorithms to converge multiple data types, such as metrics, logs and transactions, to draw a correlation and identify differences in the combined data. The trend emerged after various probabilistic methods, such as AI, machine learning and statistical analysis were applied to metrics, logs and transactions. These actions allowed data scientists to draw a correlation between the data sets and filter out signal from noise so that organizations can troubleshoot issues.

When it comes to investing in AIOps, the ultimate goal is to save people time -- either through early warnings, filtering signal from noise, or automation -- so they can focus on more important problems rather than doing repetitive routine work. Many technology companies have already started investing in that trend.

2. Remote Work Is Driving More Technology Platforms to Deploy AI to Detect Problems

Remote work will be the legacy of 2020 and likely the new status quo moving forward. Prior to the coronavirus pandemic, data was typically concentrated in very specific areas due to collective working environments. Now that the pandemic has forced companies to support a remote workforce, every individual remote user is a data generator -- causing data volumes to skyrocket.

Monitoring employee productivity and digital continuity is crucial during these times, yet remains challenging for ITOps teams to manage. More intelligent algorithms are needed to predict issues with employee productivity or customer experience using the product remotely. This is where AI helps.

When it comes to AI, it doesn’t matter where users are working from. Once an algorithm is programmed, its only job is to ingest the data, extract intelligence, and then output the optimized value. The AI function can automate complex processing of disparate data sources and help IT teams predict problems before they occur by detecting patterns in large volumes of data.

3. AIOps will become more embedded in observability platforms

AIOps and observability will soon become counterparts to empower ITOps to do more in less time. Observability in IT refers to a system’s ability to gather actionable data and diagnose what’s happening, where it’s happening, and -- more importantly -- why an error or issue occurred within the system. This is done by combining monitoring, log analysis, and machine learning into an environment that can easily detect issues, proactively identify anomalies, and scale as necessary.

Observability platforms examine metrics, dependencies and logs, and bring them together into a unified platform to detect patterns between the different data types. This data provides greater observability into the customer experience, employee productivity, as well as digital infrastructure to help teams better understand how the business is performing.

After achieving observability, ITOps teams must answer the question of what to do with this information. That’s where AIOps comes in. By taking an algorithmic approach to ITOps combined with machine learning, IT teams can automate an influx of data to output actionable insights faster than ever before. AIOps platforms also enable their users to set dynamic thresholds, identify anomalies, and find the root cause of an issue. By embedding AIOps and observability into one unified platform, IT teams can predict problems faster and resolve them before they negatively impact the business.
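Two of the capabilities named in this article, dynamic thresholds (trend 3) and correlating metrics with logs to separate signal from noise (trend 1), are small enough to show in working code. The added example below (written for this article, not LogicMonitor's code) scores each latency sample against a rolling baseline of recent normal samples instead of a fixed limit, keeps flagged samples out of that baseline so one spike cannot mask the next, and then joins every flagged minute with the ERROR lines logged in it. The latency series and the log lines are constructed.

```python
"""Two AIOps ideas from the article in working form: a dynamic (rolling)
threshold on a metric instead of a fixed one, and correlating the minutes it
flags with error bursts in the logs.  Added example for trends 1 and 3 above,
not LogicMonitor's code.  The latency series and log lines are constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import math

# Constructed: checkout p95 latency in ms, one sample per minute from T0.
T0 = datetime(2020, 11, 23, 9, 0, tzinfo=timezone.utc)
LATENCY_MS = [102, 99, 104, 101, 98, 103, 100, 97, 412, 395, 101, 99]

# Constructed application log lines for the same window.
LOG_LINES = [
    "2020-11-23T09:02:11Z INFO  checkout ok order=1001",
    "2020-11-23T09:08:03Z ERROR checkout db timeout after 5000ms",
    "2020-11-23T09:08:07Z ERROR checkout db timeout after 5000ms",
    "2020-11-23T09:08:40Z WARN  checkout retrying",
    "2020-11-23T09:09:15Z ERROR checkout db timeout after 5000ms",
    "2020-11-23T09:11:02Z INFO  checkout ok order=1002",
]


def rolling_zscores(series, window=5, z_limit=3.0):
    """z-score of each point against the last `window` *normal* points.
    Flagged points are kept out of the baseline so that a spike does not
    inflate the standard deviation and hide the spike that follows it."""
    baseline, scores = [], []
    for x in series:
        hist = baseline[-window:]
        if len(hist) < 2:
            z = 0.0                         # not enough history yet
        else:
            mean = sum(hist) / len(hist)
            std = math.sqrt(sum((h - mean) ** 2 for h in hist) / (len(hist) - 1))
            z = 0.0 if std == 0 else (x - mean) / std
        scores.append(z)
        if z <= z_limit:
            baseline.append(x)
    return scores


def metric_anomalies(series, window=5, z_limit=3.0):
    """Indices of samples above the dynamic threshold mean + z_limit * std."""
    return [i for i, z in enumerate(rolling_zscores(series, window, z_limit)) if z > z_limit]


def errors_per_minute(lines):
    """Count ERROR lines per minute; the line format is the constructed one above."""
    counts = Counter()
    for line in lines:
        ts, level, *_ = line.split()
        if level == "ERROR":
            minute = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(second=0, tzinfo=timezone.utc)
            counts[minute] += 1
    return counts


def correlate(series, lines, t0=T0, window=5, z_limit=3.0):
    """Join each flagged metric minute with the error count logged in it."""
    errors = errors_per_minute(lines)
    findings = []
    for i in metric_anomalies(series, window, z_limit):
        minute = t0 + timedelta(minutes=i)
        findings.append({"minute": minute.isoformat(),
                         "latency_ms": series[i],
                         "errors": errors.get(minute, 0)})
    return findings


if __name__ == "__main__":
    for f in correlate(LATENCY_MS, LOG_LINES):
        print(f)
```

Because the threshold is derived from the recent baseline, the same function flags a jump from 800 ms to 1500 ms on a slower service without any per-service tuning, which is what distinguishes a dynamic threshold from a fixed one.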


4. Security and IT Operations Will Be Better Integrated

As enterprise IT environments continue to mature, the need for advanced security platforms will inevitably follow. The fundamental data sets used in security platforms, including cybersecurity and product security, are almost the same as IT operations data sets. Security algorithms dissect metrics and logs that flow through infrastructures to model historical behavioral patterns and flag anomalies. Using AI, this process can be further automated towards blocking bad actors in real time.

For example, say an attempt to penetrate a firewall is detected by either a change in the volume of data or a change in the location from which a user traditionally connects. Security features can be used to classify that particular access as regular access, hacker access, or insecure access. Once the access data is detected, automation systems can block the IP address of the hacker’s particular region or that particular range.
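The classification in the paragraph above, as an added example written for this article (not LogicMonitor's code): each access event is compared with a per-user baseline of countries seen and bytes transferred, labelled `regular`, `suspicious` (the article's "hacker access") or `insecure`, and paired with an automated action scoped to the source address. The access history, country codes, IP addresses (documentation ranges), the three-sigma volume limit and the MFA check are all constructed.

```python
"""Classifying an access event the way the paragraph above describes: against a
per-user baseline of locations and data volumes, plus a check for the access
itself being insecure.  Added example for the AIOps article, not LogicMonitor's
code.  The events, countries, IP addresses and thresholds are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, country, source_ip, bytes_transferred, mfa_used)
HISTORY = [
    ("alice", "GB", "203.0.113.7", 1_200_000, True),
    ("alice", "GB", "203.0.113.7", 900_000, True),
    ("alice", "GB", "203.0.113.8", 1_500_000, True),
    ("alice", "GB", "203.0.113.7", 1_100_000, True),
    ("alice", "GB", "203.0.113.9", 1_000_000, True),
    ("alice", "GB", "203.0.113.7", 1_300_000, True),
]


def build_profiles(events):
    """Per-user baseline: countries seen and the distribution of bytes moved."""
    profiles = defaultdict(lambda: {"countries": set(), "volumes": []})
    for user, country, _ip, nbytes, _mfa in events:
        profiles[user]["countries"].add(country)
        profiles[user]["volumes"].append(nbytes)
    return profiles


def classify_access(event, profiles, volume_sigma=3.0):
    """Label one event 'regular', 'suspicious' (the article's 'hacker access')
    or 'insecure', with the reasons and a proportionate automated action."""
    user, country, ip, nbytes, mfa = event
    anomalies = []                      # deviations from the user's own baseline
    profile = profiles.get(user)        # .get() does not create a default entry
    if profile is None:
        anomalies.append("no baseline for user")
    else:
        if country not in profile["countries"]:
            anomalies.append(f"new location {country}")
        mu, sd = mean(profile["volumes"]), pstdev(profile["volumes"])
        limit = mu + volume_sigma * sd if sd > 0 else 2 * mu   # assumed fallback
        if nbytes > limit:
            anomalies.append(f"volume {nbytes} exceeds baseline limit {int(limit)}")
    weaknesses = [] if mfa else ["no MFA"]   # the access itself is weak
    if anomalies:
        label, action = "suspicious", f"block {ip} and require re-authentication"
    elif weaknesses:
        label, action = "insecure", "require MFA before granting access"
    else:
        label, action = "regular", "allow"
    return {"user": user, "label": label, "reasons": anomalies + weaknesses, "action": action}


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for ev in [("alice", "GB", "203.0.113.7", 1_100_000, True),
               ("alice", "BR", "198.51.100.20", 1_000_000, True),
               ("alice", "GB", "203.0.113.7", 48_000_000, True),
               ("alice", "GB", "203.0.113.9", 900_000, False),
               ("mallory", "GB", "203.0.113.30", 10_000, True)]:
        print(classify_access(ev, profiles))
```

Blocking a whole region, as the paragraph allows, is a blunt response: travel and VPN egress produce the same "new location" signal as a compromised credential, so the action here is scoped to the source address plus a re-authentication step, with the reasons recorded for a human to review.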

Regardless of the business problem, the underlying data required to gather this intelligence is still logs, metrics, and transactions within an infrastructure. The only difference is the problem that IT security teams are trying to solve. Security teams want to know whether a bad actor is trying to access the system, while ITOps teams are more interested in employing applications that will protect their users and provide a better customer experience. Next year, ITOps and Security teams will likely collaborate more closely to not only detect problems in the infrastructure performance, but also prevent cybersecurity threats in near real-time.

5. AIOps Platforms Will Decrease Time-to-Value

While AIOps platforms are meant to handle added complexity, humans are still required to configure and deploy them. Next year, AIOps capabilities will become more mainstream within products. SaaS products, in particular, will improve significantly with better actionable insights and new proactive capabilities within the product. This advancement will set the foundation for future integrated self-healing systems, which will further reduce the burden on human teams.

Properly educating employees on AIOps platforms also affects time-to-value. AIOps platforms are most efficient when they are managed by the right team. Investing in AIOps just to say you have it doesn’t add value to the business if IT isn’t sure how to use AIOps. Build a team that is cross-functional between the business, data owners, and engineers. Together, these three pillars will be able to derive real value out of any AIOps initiative.

I constantly see organizations driving initiatives tied to buzzwords instead of a real business problem. AIOps is about solving complex business problems, and, therefore, IT teams should identify the problems they want to overcome before diving in headfirst. Once that is understood across the board, solving problems using AI becomes easier. If organizations do not follow this basic advice, they will likely remain in a state of AI immaturity and will spend significant amounts of time on failed projects.


The Bottom Line

AIOps is a journey, not a quarterly goal or a yearly goal. From a business perspective, AIOps should be invested in for the long-term, but only after knowing where the business stands within its own maturity


About the Author

Tej Redkar has been building enterprise software products for more than 20 years. He has led engineering, product management, user experience, and data science teams in industry-leading organizations like Microsoft, VMWare, Cisco, and AppDynamics. Tej has consistently delivered highly successful products like Rational Rose, VMware Labs, Microsoft Azure Machine Learning, PowerBI, and AppDynamics that have fundamentally transformed people’s productivity in respective domains. As Chief Product Officer, Tej brings the right balance of business and deep technical expertise to the team to drive strategy and execution at LogicMonitor. You can learn more about Tej Redkar and LogicMonitor at www.logicmonitor.com.


Securing Digital Identities in A Predominantly Remote


COVID-19 and the subsequent uptick in targeted cyberattacks accelerate the need for biometric-based digital onboarding

By Bob Eckel, President & CEO, Aware, Inc.

As we entered 2020, organizations were beginning to undergo transformations to meet the growing demands of an increasingly digital marketplace. In adopting new technologies to streamline and accelerate business operations, banks and other consumer-focused businesses aimed to drive steady increases in biometric-based digital onboarding methods. These industries were striving to remove friction from onboarding processes at the same time they needed to address growing security threat concerns, and biometrics were gaining trust as a secure, passwordless option for a broad range of authentication practices.

Then we witnessed the criticality of businesses reprioritizing their digital transformation processes as the impacts of the COVID-19 pandemic unfolded. As organizations across the world were forced to move their entire businesses online in a matter of weeks – some for the first time – they had to rapidly shift their business models to accommodate a predominantly remote workforce. With many unprepared to handle the IT and security challenges, identities became more vulnerable and, in turn, protection more valuable than ever. As 2021 kicks off, it’s important that businesses understand the benefits behind biometric-based digital onboarding to ensure organizational integrity as they continue to secure the digital identities of employees and customers alike.

Enhance remote authentication against increased cyber activity

Since the beginning of 2020, there have been more than 445 million cyberattacks reported, which is double when compared to the entirety of 2019. When the pandemic forced millions of employees into remote work settings, it opened up huge opportunities for cybercriminals to take advantage of any security weak points for attacks aimed at stealing personally identifiable information (PII). In March alone, phishing attacks related to COVID-19 surged 667% as hackers aimed to separate consumers from their credentials, looking to leverage fraudulent pandemic-related information and many individuals’ initial entry into the all-online world to gain access. Still today, as the large majority of the world remains remote and people do more shopping, learning and working at home, hackers are looking harder for ways to take advantage of weakened security.

Biometrics make the identity proofing process more robust and secure. They can’t be stolen in the same manner as your login credentials or lost like a password. They leverage unique personal data – such as face, voice, finger or iris prints – that people can store and then match later as a single- or multi-factor authentication process. With facial recognition being 99.7% accurate and improving yearly, according to NIST, biometrics provide that extra layer of defense to ensure identities remain protected. Regardless of increased threats targeting users who don’t have the security training to help them flag phishing emails and other related scams, their identities are more secure.

Ensure your customer is who they say they are by keeping fraudsters out

While facial recognition is a particularly useful biometric modality for mobile onboarding and authentication – with nearly all mobile devices having built-in cameras and microphones – the method is still vulnerable to so-called “presentation attacks” – otherwise known as “spoofs.” In short, a fraudster can try to spoof the biometric data on file by presenting a facsimile, such as a photo, video recording or mask. In mobile un-proctored onboarding, a fraudster can try to impersonate a victim using a false match presentation attack. In doing so, they can falsely use their victim’s identity to open a new account. By registering a false image – a picture of a random person, a smudged image that wouldn’t be biometrically searchable – a fraudster could work to open up new fake accounts.

To protect against these ploys, it’s essential to apply robust liveness detection when using facial recognition for unattended or un-proctored mobile applications. There are a couple of ways of mitigating the risk of facial presentation attacks through liveness detection algorithms: by analyzing facial images to determine whether they are of a live human being or a reproduction, or by adding a second biometric modality, such as voice or speaker recognition. “Passive” liveness detection addresses this issue by distinguishing between a live person and a spoof without forcing the user to participate in the matching



Provide a touchless onboarding process to meet social-distancing guidelines

Part of the appeal of biometric authentication technologies during a pandemic or flu season is the touchless access they provide. Voice biometrics and face recognition enable hands-free authentication and access, eliminating the need to use on-site PIN pads, card readers or kiosks. To limit the spread of the virus, businesses need to shift more of their onboarding functions online. By focusing on implementing frictionless authentication processes through the use of biometrics, organizations can ensure that customers remain physically safe at the same time that they verify that customers are who they claim to be when in-person verification is not an option.

Additionally, providing a positive onboarding experience can be a critical business differentiator. This is especially true for banks, which are facing pressure from online competitors and seeing their services commoditized. If they get the onboarding right, they can secure a customer’s loyalty for a lifetime. Forcing a customer to provide physical identification multiple times or answer too many questions can sour a relationship from the start. Biometrics work better in onboarding settings when they don’t slow the user


As the world continues to leverage technology to provide a more secure, seamless, and now touchless experience for users, we can anticipate biometrics will be a driving force. Growing at a faster rate than non-biometric technology, they will be instrumental in enterprises’ moves to make the onboarding process more efficient as organizations bring identity verification to the forefront of their business operations.

About the Author

Robert A. Eckel is the Chief Executive Officer & President of Aware, Inc. He also serves on the board of directors for the International Biometrics + Identity Association (IBIA), as a strategic advisory board member of Evolv Technology, and as a consultant for Digimarc Corporation. Over his distinguished career, he has held many positions of note within the biometric and identity space, including: Regional President and Chief Executive Officer of IDEMIA’s NORAM Identity & Security division from 2017 to 2018; President and Chief Executive Officer of MorphoTrust USA, LLC from 2011 to 2017; Executive Vice President and President of the Secure Credentialing Division of L-1 Identity Solutions Company from 2008 to 2011; and President of the Identity Systems division of Digimarc Corporation from 2005 to 2008. Mr. Eckel received his Master’s degree in Electrical Engineering from the University of California Los Angeles, and his Bachelor’s degree in Electrical Engineering from the University of Connecticut. Robert can be reached online on Twitter and LinkedIn and at our company website: https://www.aware.com/



Businesses Must Protect Their Most Critical Asset: Their


By Trevor J. Morgan, Ph.D., Product Manager at comforte AG

Protecting sensitive data is a challenge facing every business and enterprise. The value of data is rising to the extent that it is often referred to as ‘the new gold’ and a fundamental business asset. This value naturally means that many criminals are turning their efforts to focus on procuring highly sensitive personally identifiable information (PII) handled and processed by companies. While data is very dynamic, it is essential to ensure that it is secured across all stages of its lifecycle. This is especially true as many companies prioritize network agility and digital transformation over data security in an effort to continue business operations through workforce enablement. In fact, according to the KPMG CIO Survey 2020, this year has seen innovation taking greater priority alongside improving security; however, “cybersecurity can sometimes become a secondary priority.” Yet, if enterprises wish to stay on the right side of data security regulations, then protecting the data itself is imperative. In fact, budgetary shifts across many industry verticals have resulted in more money being focused on securing the crown jewels of PII.

One alarming trend is that data is increasingly shifting from secured corporate networks to private servers as the trend towards home working continues. This has resulted in a widespread distribution of data within unsecured environments, ultimately meaning a loss of data control and security. If this data were to fall into the wrong hands by any means (unintentional leak or concentrated intentional attack), then the consequences would be massive. Not only would it negatively impact brand perception, but it could also result in compliance penalties from regulating bodies and severe loss of trust from savvy customers who are becoming more aware of just how valuable their data is. Regardless of how a breach happens, be it by a careless employee or malicious criminal intent, the consequences unfortunately remain the same. Therefore, business decision-makers should ensure that systems and mechanisms are in place that supersede traditional security measures. Instead of protecting siloed data at rest, or simply protecting corporate networks with a firewall, businesses should instead pivot to protect their most critical asset at the point of value: the data itself.

Why do hackers want my data?

The global pandemic has greatly altered the current state of data security. As workers migrate away from internal security processes within corporate networks (mostly access- and perimeter-based), the availability of data stolen and harvested on the dark web has increased exponentially in the past few months. In fact, the cost of data on the dark web has plummeted up to 60% as of October 2020, and as of December, PII is being sold on the dark web for as little as 50 cents (USD). This perceived commoditization poses several questions. Primarily, if data is the new gold, why is obtaining it so cheap? The biggest reason that so much of this data has not been taken advantage of is the relatively low transaction volume as a result of pandemic restrictions.

The biggest challenge that enterprises face is to understand where their data is held, who has access to it, and where it is stored. Organizations must seek out and discover their data, be it structured (in a database) or unstructured. This will not only provide security teams with a holistic understanding of their current data security posture, but it will also assist with regulatory compliance and auditing. Only by undertaking this procedure will enterprises be able to properly secure data, as you cannot defend what you cannot see. This exercise of data discovery is a deliberate attempt to know the unknowns within the total data environment.

Data is a highly mobile and dynamic asset that crosses the traditional boundaries between on-premises and cloud environments. Often it’s a hybrid approach, existing somewhere in both. This situation requires a security strategy that prioritizes the data instead of access to it or the borders around it. The only solution is to protect the data itself and not just the perimeters around it. This data-centric approach to security focuses on the focal point that criminals are striving to attack, removing the incentive for cybercriminals if the data is protected and ultimately worthless to them because it cannot be leveraged.

Protecting PII

But how can businesses look to deploy data-centric security to their advantage? The most widely accepted solution when it comes to data-centric security is tokenization. In plain terms, tokenization replaces PII data with a substitute representational token. This means that protected tokenized data is still available for analytical purposes and other aspects of corporate workflows, but in the wrong hands it has no discernible meaning and thus no value; and as it cannot be transformed back into plain text, even if this data were misplaced or mishandled, the pseudonymized data would not be considered punishable under CCPA. Regulatory compliance is still met.


Tokenization also allows businesses to protect data upstream, allowing downstream applications and systems to inherit protection and close security gaps across the enterprise. Referential integrity means the protected values can be used for analytics without the need to de-protect the data, passing all system and validity checks across the system. This condition helps to meet another best practice in data security, which is to avoid de-protecting data as much as possible.
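As an added illustration of the two properties just described, referential integrity and passing downstream validity checks, here is a small vault-based tokenizer written for this page (it is not comforte AG's product or code): tokens keep the card number's length and last four digits and carry a valid Luhn check digit, so a payment system's format check and a spend-per-customer aggregation both run on tokens alone. The card numbers, amounts and HMAC key are constructed placeholders.

```python
"""Vault-backed, format-preserving tokenization of card numbers (PANs).

Added example, not comforte AG's product or code. Card numbers and amounts below are
constructed test values; the HMAC key is a placeholder for a key held only by the vault.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

DIGITS = "0123456789"


def _luhn_contribution(digit: int, doubled: bool) -> int:
    """Contribution of one digit to the Luhn sum; doubling maps 0..9 onto 0..9 bijectively."""
    if doubled:
        digit *= 2
        if digit > 9:
            digit -= 9
    return digit


def _luhn_sum(number: str) -> int:
    # Counting from the right, the check digit (index 0) is not doubled; every second digit is.
    return sum(_luhn_contribution(int(ch), i % 2 == 1) for i, ch in enumerate(reversed(number)))


def luhn_valid(number: str) -> bool:
    """The validity check a downstream payment system typically applies to a PAN."""
    return number.isdigit() and _luhn_sum(number) % 10 == 0


def luhn_fix(number: str, pos: int) -> str:
    """Rewrite the digit at `pos` (counted from the left) so the whole string is Luhn-valid."""
    digits = [int(ch) for ch in number]
    doubled = (len(digits) - 1 - pos) % 2 == 1
    rest = _luhn_sum(number) - _luhn_contribution(digits[pos], doubled)
    for d in range(10):  # always solvable: doubled and undoubled maps both cover 0..9
        if (rest + _luhn_contribution(d, doubled)) % 10 == 0:
            digits[pos] = d
            return "".join(map(str, digits))
    raise AssertionError("unreachable")


@dataclass
class TokenVault:
    """The plaintext PAN lives only in the vault; every downstream system sees the token."""
    hmac_key: bytes
    _token_by_fingerprint: dict = field(default_factory=dict)
    _pan_by_token: dict = field(default_factory=dict)

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash as the lookup index: a plain hash of a 16-digit PAN would be brute-forceable.
        return hmac.new(self.hmac_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a token with the PAN's length, its last four digits and a valid Luhn check."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]  # referential integrity: same PAN, same token
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = luhn_fix(body + pan[-4:], 0)  # random digits carry no information about the PAN
            if token != pan and token not in self._pan_by_token:
                break
        self._token_by_fingerprint[fp] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; this call should be rare and audited."""
        return self._pan_by_token[token]


# Constructed sample input (well-known test card numbers, not real accounts).
SAMPLE_TRANSACTIONS = [
    ("4111111111111111", 100),
    ("5555555555554444", 20),
    ("4111111111111111", 50),
]


def spend_by_token(vault: TokenVault, transactions) -> dict:
    """Tokenize upstream, then aggregate downstream on tokens alone: no de-protection needed."""
    totals: dict = {}
    for pan, amount in transactions:
        token = vault.tokenize(pan)
        totals[token] = totals.get(token, 0) + amount
    return totals


if __name__ == "__main__":
    vault = TokenVault(hmac_key=b"constructed-placeholder-key")
    for token, total in spend_by_token(vault, SAMPLE_TRANSACTIONS).items():
        print(token, luhn_valid(token), total)
```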

Currently, organizations spend considerable money in order to reduce risk, be it in the form of endpoint and mobile protection, cloud security, app security, or network defense. These traditional perimeter-based security methods only protect against known attack vectors, meaning that it is impossible to totally prevent data breaches and mitigate this threat with current piecemeal security approaches. In fact, further benefits of deploying data-centric security, and in particular tokenization, include a clear return on investment. This approach to security offers more comprehensive coordination when it comes to complying with industry regulations. Indeed, for PCI DSS, such an approach can save thousands or even millions in audit costs and time. Furthermore, where data protection is considered your responsibility (and this is always the case with data you process and store in the cloud), data-centric security offers peace of mind by protecting against data breach or loss of data.

For security teams struggling to enact digital transformation, trying to ensure network agility, and laboring to prevent embarrassing data breaches, data-centric security is a promising solution. It’s also one that can be deployed in weeks rather than months or years, without modification to existing applications and workflows. So, what’s stopping you from taking the fundamental step of protecting your data with data-centric


About the Author

Trevor J. Morgan is responsible for product management at comforte AG (https://www.comforte.com/), where he is dedicated to developing and bringing to market enterprise data protection solutions. He has spent the majority of his career in technology organizations bringing to market software, hardware and services for enterprise and government customers. Trevor has held senior-level, lead positions in sales engineering, product management, software architecture and product marketing in companies like Cisco, Capital One and Ciena. He holds a Ph.D. from Texas Tech University and a bachelor’s and master’s from Baylor University.

Trevor can be reached online at https://www.linkedin.com/in/trevor-jmorgan-ph-d-8b663515/


Zero Trust Remote Access for Engineering Teams

By Colin Rand, VP of Engineering, Banyan Security

Engineering organizations present numerous challenges for security programs when it comes to remote access. They need secure access to dynamic hosts, services, and applications to productively do their jobs. The infrastructure these teams require is varied, ranging from external SaaS to internally hosted web services for wikis, git and build servers, various TCP services such as SSH and RDP, as well as database access and recently a huge wave of Kubernetes. These services are complex and often undocumented, especially as projects are under active development before they reach production environments. Securing these critical R&D assets arguably makes an Engineering org the most challenging department that InfoSec teams have to manage.

VPNs, falling short of today’s security requirements with their “one size fits all” strategy, are often at the core of serious usability, manageability, and security issues.

Let’s look at an infrastructure example. Most organizations use a sequence of VPNs, bastion hosts, and firewalls to manage network connectivity from user to server. Then, they use some combination of directory services and authentication managers to manage credentials so the user can authenticate into the server itself. Lots of moving parts, lots of available attack surface for the bad guys, and this is but a single use case.


Lately, Zero Trust is all the buzz, and for good reason. With a Zero Trust security posture, the user and device are explicitly authenticated and access is granted only for the specific server (without broad network access). By leveraging the organization’s IDP for authentication and issuing short-lived certificates with the user’s entitlements, connectivity is set up on-demand, eliminating the risk associated with static passwords and credential leakage. Real-time trust scoring enforcement allows for dynamic security policies that can be customized based on the sensitivity of server environments.

Let’s discuss some remote access challenges felt by engineering teams that are beautifully solved with a Zero Trust solution.


VPN Challenges

While access challenges cause pain and suffering to all end users, they can and do present serious issues for development teams. And, engineers, being smart and loving a challenge, unfortunately often work around those issues. Take these two anecdotes from a veteran engineering leader that highlight what goes wrong in the pits of engineering when remote access fails us – I suspect you’ll recognize the


In one particularly locked-down engineering environment, developers had no access to production, no development environments were accessible without a VPN, etc. An enterprising developer who wanted to do some prototyping work from home decided that the VPN was too troublesome, so of course the dev just copied “his” source code, uploaded it to Google Drive, downloaded it onto his personal workstation at home, and... you can see where this is going. The lesson – the desire to be productive was treated as more important than pesky security policy and a big security hole was created as a result.

Another time an engineer, having heard about new policies coming that he didn't want to deal with, set up his own private bastion host in production. Of course, he didn't tell anyone, and soon after ended up leaving the company’s employment. Later, over drinks with a former colleague, he reminisced about what he had done, laughing about how they could still get into production anytime they wanted.

No More Excuses

Different teams have different remote access needs. All security teams think through the process of what resources are being protected, their sensitivity, and what is at risk of misuse. They have sophisticated means for analyzing risk profiles, but suffer from a blunt tool for handling the needs of the modern “remote-first” engineer. These design decisions become tradeoffs for what work needs to be done – criticality and time sensitivity of the task vs. the risk that is introduced. Yesterday we were concerned about 'where' the work needed to be done. Today that is irrelevant; it's anywhere and everywhere.

Engineers are Engineers, right?

Go into a modern software engineering organization and you will see many teams and activities being performed. To name a few:

• Site Reliability Engineer (SRE)
• DevOps
• Apps & Services
• QA/Test
• Data Engineering
• Data Analytics

Each team needs to be reviewed from a security perspective to determine what is the least privileged access that they need to perform their roles. Each needs their resources protected, their devices secured, and their identities validated. Once confirmed, they can perform their critical work. Safety first!

If only it were that easy. Each team has many similarities at a high level, but get into the details and their needs begin to diverge, often widely.

What is different about them?


Let's look at what's the same. They all have a wide assortment of 'things' they need to access that require protection. These 'things' include various TCP services (SSH), web apps and APIs (internally hosted or in the public cloud), SaaS, and oh yeah, throw in Kubernetes too.

The type of access each team needs is quite different. Perhaps your SRE needs access to production environments to see why a load balancer is misbehaving, but does the on-call developer supporting them also need this access? The DevOps team wants access to the build and development tools, such as the git and build servers, plus cloud environments, but should they have full access to production?

Another team, QA, needs to replicate issues found in production in production-like environments. They may need access to the hosts the services run on, or perhaps the databases themselves. But do they get access to the build tooling? What if the QA team is a subcontractor?

Each access decision requires discussion and design. What was previously one size fits all now works for none.

When thinking about the design, fine-grained controls need to be implemented for each team, considering the sensitivity of the activity. Is production access needed, or is production data needed but not the rest of the infrastructure? The traditional hard boundaries of physical networks are now messy.

Let's look at a data engineering scenario. A production warehouse will have collection, aggregate, and analysis workloads. This might be implemented as a combination of cloud infrastructure, third-party SaaS tools, and internally-developed applications. When a new engineer is onboarded, security factors to consider with regard to access control include whether their device is compromised, or if their disk is encrypted or not. Do you want to allow the engineer to do a pull of sensitive data onto such a device, not knowing the state of its security? Perhaps a better path is allowing them to access a reporting UI from a personal device, but no data-level queries can be run. That might be a good alignment of risk vs. task


Each team has its own ecosystem of tools, each with its own quirks. (It's all software built on software after all.) Each time a different remote access strategy is involved, the engineer gets frustrated as more security workarounds are deployed, making for an increasingly fragile system that is more cumbersome to use. Want to eliminate shared passwords on that internally-hosted service that doesn't have SAML support? Want to make sure a particular API is accessed only by devices that are deemed secure? Oh, and don't forget about handling contractor/third-party access. Or offshore teams. Or compliance…
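To make the two ideas above concrete, the short-lived entitlement credential from the Zero Trust description and the data engineering scenario (reporting UI from a personal device, data-level queries only from a trusted one), here is an added example written for this page, not Banyan Security's product or code. The signed entitlement stands in for a short-lived client certificate; team names, resources, trust-score weights and the signing key are constructed placeholders.

```python
"""Per-resource access decisions from a short-lived entitlement credential plus device posture.

Added example, not Banyan Security's product or code. Team names, resources, the trust-score
weights and the signing key are constructed placeholders.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

SIGNING_KEY = b"constructed-placeholder-key"  # stands in for the IdP / access platform key


def issue_credential(key: bytes, user: str, team: str, ttl_seconds: int, now: float) -> dict:
    """Short-lived signed entitlement, a stand-in for a short-lived client certificate."""
    claims = {"sub": user, "team": team, "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_credential(key: bytes, cred: dict, now: float):
    """Return the claims if the signature checks and the credential has not expired, else None."""
    body = json.dumps(cred["claims"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None  # tampered claims (e.g. an edited team) fail here
    if now >= cred["claims"]["exp"]:
        return None  # a leaked credential stops working on its own
    return cred["claims"]


@dataclass(frozen=True)
class DevicePosture:
    managed: bool          # corporate-managed vs personal device
    disk_encrypted: bool
    compromised: bool      # e.g. flagged by endpoint protection


def trust_score(device: DevicePosture) -> int:
    """Constructed 0..100 score: a compromised device scores zero regardless of anything else."""
    if device.compromised:
        return 0
    return 50 + (30 if device.managed else 0) + (20 if device.disk_encrypted else 0)


# Per-resource policy: which teams are entitled and how much device trust the resource demands.
POLICY = {
    "prod-ssh":      {"teams": {"sre"},                        "min_trust": 100},
    "build-server":  {"teams": {"devops", "apps"},             "min_trust": 80},
    "warehouse-sql": {"teams": {"data-eng"},                   "min_trust": 100},
    "reporting-ui":  {"teams": {"data-eng", "data-analytics"}, "min_trust": 50},
}


def authorize(key: bytes, cred: dict, device: DevicePosture, resource: str, now: float):
    """Decide one request. Access is granted to this resource only, never to a network segment."""
    claims = verify_credential(key, cred, now)
    if claims is None:
        return False, "credential invalid or expired"
    rule = POLICY.get(resource)
    if rule is None:
        return False, "unknown resource"
    if claims["team"] not in rule["teams"]:
        return False, "team not entitled to resource"
    if trust_score(device) < rule["min_trust"]:
        return False, "device trust below minimum"
    return True, "granted"


if __name__ == "__main__":
    now = time.time()
    cred = issue_credential(SIGNING_KEY, "dana", "data-eng", 600, now)
    personal_laptop = DevicePosture(managed=False, disk_encrypted=False, compromised=False)
    for resource in ("reporting-ui", "warehouse-sql"):
        print(resource, authorize(SIGNING_KEY, cred, personal_laptop, resource, now))
```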

Is it easy?

Is security easy? No. Is achieving “Zero Trust” easy? Certainly not at the boil-the-ocean level, but the good news is that a value-adding project with some sensible constraints is totally achievable. And doing so results in scalable identity-based access that factors in device health and security.

Step one is coming to grips with the challenge and deciding now is the time to take it on. Secure remote access platforms, like Banyan Security’s Zero Trust Remote Access Platform, exist that allow you to easily introduce zero trust, least-privilege access in a consistent way across differing resources and heterogeneous infrastructure. Security dramatically improves. Usability, now consistent, becomes easy to the point of being transparent.


My recommendation is to tackle a small project, perhaps just a few SSH hosts, maybe GitHub, or perhaps just getting better visibility into your devices. Understanding the challenge is the first step on the path and nothing beats a little hands-on prototyping.

About the Author

Colin Rand is the Vice President of Engineering at Banyan Security. He has extensive experience in engineering leadership and product development working at a wide range of enterprise startups to late-stage and enterprise companies. Most recently Colin helped transform Delphix from an on-premise data management appliance to create their first SaaS offering with an integrated product strategy to create a hybrid platform. Before then, he led the platform initiative for Lookout, a BeyondCorp mobile security company, managing data, identity, and security services for ML-based mobile threat protection. Colin’s wide experience brought him through Salesforce, AKQA (creative agency) as well as his own startups in NYC. Colin began his career as a hands-on developer after studying computer engineering at the University of Michigan.


Cryptocurrency Ransomware Is on The Rise During COVID-19 – Here’s What Businesses of All Sizes Need to Know About Dealing with Attacks

By Marc Grens, Co-Founder & President at DigitalMint

Crypto-related ransomware attacks are on the rise, and the pandemic has only hastened their propagation. For example, from 2018 to 2020, ransomware attacks have increased by 200%. Yet during the COVID-19 pandemic alone, from January to May of 2020, ransomware attacks have grown by 900%. This is not surprising given the rise and vulnerabilities of remote work and individuals mixing their professional and personal lives online.

Ransomware is a common cybersecurity threat facing a wide variety of industries, from public entities like government agencies and healthcare organizations, where confidential data storage is critical, to financial services and even manufacturing. Worse yet, a federal cybersecurity advisory committee has warned of an increased cybersecurity threat to hospitals even while dealing with the pandemic.

These types of attacks do not discriminate based on company size either. Small and mid-size businesses are at as much risk as large companies. And it is all only going to get worse in 2021 as technology continues to improve and advance. Hackers have become more emboldened and brazen, and unfortunately, some businesses continue to lag behind in cybersecurity precautions. Based on all this information, it is worth considering what steps leaders can take to deal with crypto-related ransomware


Cryptocurrency Ransomware Attacks: What You Can—and Should—Do

There are some steps you can take to either avoid a ransomware attack or, at the least, handle it with minimum damage to your company’s reputation, data, and fiscal health.

1. Train and educate employees about ransomware and how to avoid it—If your IT Department does not already have a set of cybersecurity training modules in place, consider building out a comprehensive program to educate employees about ransomware. Be sure to update the program regularly, as new developments in cybersecurity are rapid. In addition, stress to all your employees how serious ransomware can be.

2. Know that paying the ransom is a last-resort option—While there are plenty of ways to recover losses and deal with the ransom, such as employing companies like DigitalMint, who have used their cryptocurrency and financial networks to help settle cases with ransoms of more than $10 million in the past, you should know that in general, paying the actual ransom is the last resort. You should not immediately pay it without considering your other options and seeking professional technical advice to determine the damage that may have been done.

3. Hire a reputable cyber incident response firm with technical expertise—Once attacked by ransomware, remain calm and hire a reputable cyber incident response firm. They need to analyze the situation, assess the damage, understand how much data has been released, and advise you on how to proceed. This will not only include determining a strategy for handling the current ransomware issue, but it also will include remedying vulnerabilities in your system to prevent future attacks.

4. Avoid conflicts of interest—This is very important, possibly the most important point: avoid conflicts of interest, especially when dealing with the cryptocurrency ransom itself. There should be a clear separation of the cyber incident response firm and the cyber settlement financial services organization that acquires the cryptocurrency. It would be best if you chose a separate partner for each role in the process because a cyber incident response firm that also deals with the financial payment side of things might have a conflict of interest that prevents them from doing the best job for you possible under the


For instance, perhaps the cyber incident response firm knows how to get your data back without paying the ransom; if that consultant also handles your business's potential cyber settlement cryptocurrency purchase, why would they want to stop at the cybersecurity consultation step in the process if they are incentivized to purchase your settlement? Instead of solving the problem early in the process without a ransom payment, your consultant might be tempted to proceed with payment to receive an extra commission from you. That is why companies like DigitalMint focus solely on cyber settlement financial services, removing any conflict of interest.

5. Prevent financial red flags in cryptocurrency transactions — In many cases, especially for small and mid-size businesses, fast and large cryptocurrency transactions look suspicious to regulators and financial institutions. For that reason you must avoid raising red flags with your transactions. That means:

● Banking transparency with settlements — Make sure your cryptocurrency settlement partner is transparent about its transactions and has a history of rigorously documenting every cryptocurrency transaction.

● Strong relationships with banks and firms that deal in cryptocurrency — Many smaller settlement companies have no partnerships with organizations that specialize in, or even handle, cryptocurrency. Your settlement partner must already have those relationships in place.

● Strong AML (Anti-Money Laundering) and other compliance programs — Your settlement partner must comply with AML rules, OFAC sanctions screening, and other federal and state regulatory guidance. Because you are dealing with criminals it is easy to drift into non-compliant transactions; a partner with a working AML program keeps you from sinking to the attackers' level of unlawful behavior. This matters in practice: paying a ransom to a sanctioned person or entity can itself expose the payer to civil penalties, so the recipient must be screened before any funds move.

The Takeaway: Ransomware Does Not Have to Be the End of Your Company

While it is true that the threat of ransomware continues to grow rapidly in the age of the COVID-19 pandemic, and was spiking at an alarming rate even before it, there are still some relatively simple steps you can take to prevent or minimize the damage to your company. If you do hire a trusted independent cyber incident response firm, ensure that any conflicts of interest are mitigated or fully disclosed.

About the Author

Marc Grens is the Co-Founder & President of DigitalMint, a trusted cryptocurrency ransomware resolution provider that enables clients to purchase Bitcoin and other cryptocurrencies to settle ransomware incidents. He is a serial entrepreneur with more than 15 years of experience in the investment industry. Prior to DigitalMint, Grens held senior positions at Charles Schwab, HighTower Advisors, and Alpha Strategies. He received his M.B.A. from the Kellstadt Graduate School of Business at DePaul University in 2010, and a B.A. from Illinois State University. Grens is an active angel investor and serves on multiple advisory boards of companies in the Chicago tech

Marc Grens can be reached at www.digitalmint.io.


E-Commerce and Lockdown: The Perfect Storm for Cyber Threats

The impact of lockdowns on cybersecurity

By Aman Johal, Lawyer and Director of Your Lawyers

The UK's National Cyber Security Centre (NCSC) reported that a quarter of all cyberattacks over the past year were linked to the pandemic. Action Fraud, the UK's national fraud and cybercrime reporting centre, disclosed more than 16,300 successful cyber scams with losses of £16.6m during the first lockdown period alone.

Research also found that 86% of consumers experienced some form of cybercrime during the pandemic, as retailers turned to e-commerce out of necessity. Action Fraud found that people aged 18-26 were the most exposed to cybercrime on online shopping platforms such as Depop and eBay, representing 24% of victims.

The second national lockdown in November pushed the nation back online for four more weeks, which raised cybersecurity risk once more. Black Friday, on 27th November, was an additional factor, and phishing attacks reportedly increased by 336% compared with previous years. In 2020, visits to e-retailers were up 35% year on year, inevitably correlating with a surge in cyberattacks and the risks they pose.

And that is not the end of it. With the Christmas shopping season in full swing, further data has revealed that fewer than half of UK retailers feel they have adequate cybersecurity measures in place. 45% believe their third-party partners are not prepared either, a matter that has been a point of contention in the Ticketmaster data breach, which involved a third-party vulnerability (a compromised chat-bot script served on its payment pages) and exposed the personal information of 1.5 million UK customers.

The threat is serious enough that the NCSC launched its Cyber Aware campaign in December to educate consumers and businesses alike about the online threat during the festive season. These cumulative factors are a significant cause for concern. The lack of urgency among retailers and consumers to protect themselves, combined with attackers who gained a wealth of practice during the first lockdown, has created a ticking time bomb.

Data breach: the straw that could break the camel's back

It is critical that e-retailers deliver on their responsibility to protect customer data. Failure to do so could result in significant legal and financial repercussions.

The UK's Information Commissioner's Office (ICO) has the power to issue significant fines for data breaches under the GDPR. In October 2020 it issued its first two major fines, against British Airways (BA) and Marriott, at £20 million and £18.4 million respectively, although these figures represent a disappointing climb-down from the originally announced intention to fine £183m and £99m.

In addition to fines, businesses in breach of the GDPR may face significant compensation pay-outs for damages. In the case of BA, the total could be as much as £3 billion, based on an average possible claim of £6,000 for each of the estimated 500,000 victims.

Customer loyalty is also likely to take a hit following a cyberattack, an additional blow the retail sector cannot afford in 2020. For the UK retail sector as a whole, sales fell 19.1% year on year during the first lockdown, and it is still struggling to recover. Cybersecurity must be a financial priority for e-commerce platforms, because a data breach costs far more on average than investment in preventive measures.

Despite a dismal outlook for the retail industry as a whole, consumers affected by a data breach this festive season should remember that they may be entitled to pursue compensation from the responsible party. The law should act as a deterrent to businesses with a complacent attitude toward their cybersecurity responsibilities, especially as we continue to see worryingly high numbers of cyberattacks with serious implications for millions of people in the UK.

The surge in cybercrime is unlikely to relent in the near future. With a recession predicted for 2021, businesses may be tempted to cut their cybersecurity spending. It is essential that this does not happen: companies in the e-commerce sector, and beyond, must view cybersecurity as a non-negotiable

About the Author

Aman Johal, Lawyer and Director of Your Lawyers

Aman founded consumer action law firm Your Lawyers in 2006, and over the last decade he has grown Your Lawyers into a highly profitable litigation firm.

Your Lawyers is a firm determined to fight on behalf of claimants and to pursue cases until the best possible outcomes are reached. It has been appointed to Steering Committee positions by the High Court of Justice in actions against big corporations such as British Airways (the first GDPR Group Litigation Order) and in the Volkswagen diesel emissions scandal, which is set to be the biggest consumer action ever seen in England and Wales.

Aman has also successfully recovered millions of pounds in a number of complex personal injury and clinical negligence claims through to settlement, including over £1.2m in damages for claimants in the PIP Breast Implant scandal. Aman has also been at the forefront of the new and developing area of compensation claims for breaches of the Data Protection Act, including the 56 Dean Street Clinic data leak and the Ticketmaster breach.

Aman can be reached online at LinkedIn and at our company website: https://www.yourlawyers.co.uk/


Communication Streaming Challenges

By Milica D. Djekic

As is well known, there are many ways to track someone's e-mail, chat or social media accounts. Defense professionals are familiar with these methods, and such hotspots can be used to discover new suspicious activity in cyberspace; many transnational criminal and terrorist groups likewise use account tracking to stay informed about a target's actions online. The key fact about network traffic is that data travels in packets, each carrying sensitive information in its payload along with routing information, and those packets pass from device to device over critical communications infrastructure. If breaking into a computer and tracking an account are well-known ways of obtaining sensitive content, there are clearly further weak points in the exchange and storage of data. For instance, someone who wants to avoid the difficulty of breaching servers, datacenters and endpoints can instead tap the communications and catch the information on its way. In many cases that content is encrypted, and effort must be invested to decrypt the message and make it readable. Many of today's communication channels began life as defense products and are now in fully commercial use. Anything widely available tends to come with a counter-system that keeps it under the control of its creators: nobody ships a solution that runs on its own with no way for people to control it, and a product can do only what its developers designed it to do. So, if e-mail accounts, browsers and social media profiles come with some kind of protection and are commercialized so broadly, it is reasonable to expect that those products also have management mechanisms that keep them controllable. The situation is similar for communication routes, which can be tracked with widespread monitoring tools. Even when the packets are well protected, there are plenty of products on the market that promise to turn them back into plaintext. That promise needs a caveat: off-the-shelf monitoring tools capture traffic and expose its metadata (who talks to whom, when, and how much), but turning a correctly implemented modern cipher back into plaintext requires the key, a compromised endpoint, or a flaw in the protocol or its implementation.

Devices on a network communicate by following a defined set of rules. It is important to understand why communication protocols matter: they are what make traffic flow and information exchange possible. If two devices follow the rules, and their exchange is correct as defined, they are permitted to establish a connection with one another and transfer data. That traffic is part of the communication channel, and in both policing and military contexts an adversary can listen to the traffic and redirect copies of it to other machines. That operation is called tapping, or streaming. The exchanged information is usually protected with some form of cryptography, so the person doing the streaming cannot be sure what it is about. The point is that someone can break into network traffic just as they can break into a device. Once the traffic has been captured there can be a great deal of work for a cryptanalyst, who has to decrypt and analyze the content that was sent. From a security point of view this matters because communication tracking can be used by criminal organizations to monitor someone's activities on the web; as a consequence, many community members and their infrastructure can be at risk, because the attackers may come into possession of confidential information. Around the globe there are many network monitoring applications that can be used for streaming, and with cryptanalysis the captured messages can sometimes be read. The cryptanalyst is the person who tries to transform the captured packets into their plaintext form and make them accessible to the rest of the team. The cybercrime underworld has always been in a position to run such operations and is undoubtedly a threat to communities, businesses and government assets. High-tech syndicates are a real global threat, especially when we consider that they can be a dangerous weapon in the hands of other criminal and terrorist groups.

A packet is a structured sequence of bits whose meaning depends on the position of each 0 and 1 in the array. Its two basic parts are the payload and the routing information, which respectively carry the message itself and the addressing the packet needs to get from its starting point to its final destination. The most common form of cryptography for messaging today is end-to-end encryption, or E2EE. With E2EE the message is enciphered on the sending device, placed in the payload, and sent to the destination, where it is deciphered. The network is large and complicated, so the data must follow some path, and E2EE keeps the encrypted payload from being read along that route. The routing information, or path bits, serves to distribute packets across the network and is not protected by E2EE. E2EE is a best-practice approach in many armies and police forces because it keeps the content of messages confidential in transit, whoever carries them. Like anything else, this form of cryptography has strong and weak sides. Because the message is encrypted on the first device and decrypted on the last, an adversary who controls either of those two devices obtains the exact plaintext. Also, anyone who can observe the channel can still read the routing information and learn who is talking to whom, how often and how much, even without reading the payload. Good cryptanalysis requires advanced knowledge of computer science and engineering: whatever passes through the channel is an array of bits, and if we knew the position of each bit we could try it as a 0 or a 1, a coin flip per bit. That is not a practical attack, since the chance of guessing n unknown bits is one in 2^n, so the analyst instead relies on structure in the plaintext: ASCII encoding narrows what each byte can be, and every sentence in a plaintext ends with a punctuation mark, which helps rule out candidate decryptions. Against a modern cipher such cribs help only when the cipher or its use is already flawed. In other words, while E2EE is at its most exposed at its endpoints, it can also be a concern on the way from source to destination, because the channel can be tapped and potentially broken.

To illustrate link encryption, consider a highway and the infrastructure that directs traffic on it. A driver must know where he is going and is allowed to rely on the road signs; maps and GPS navigation are permitted, but they are of little use if the driver does not know the route. Link encryption is like sending a packet through a well-protected channel in which the routing bits, too, are encrypted. The only information available at any moment is the next stop, so navigation has to proceed step by step: at each stop the next-hop information is in plaintext, so it is possible to work out where the packet goes next. In general terms those stops are hops, where the entire packet is decrypted and re-encrypted in order to learn where it should be delivered next. Best practice suggests that the most useful solution is the combination of E2EE and link encryption, because then both payload and routing information are protected; that layering is known as super-encryption. A hop is any device in the network that forwards traffic, such as a router, modem or server. Hops are also sensitive points in the network, because attackers can identify that part of the IT infrastructure and attack the place where the packet is decrypted. That is an especially large risk where network monitoring is concerned, because attackers can find and exploit the places where plaintext is exposed. Today's cyber criminals are extremely skilled individuals who can discover weaknesses in a system and take advantage of them. The combination of E2EE and link encryption gives a safer environment for data transport, but it is still vulnerable to sophisticated attacks and campaigns.
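To make the three schemes concrete, here is an added example (not code from the original article) that carries one message along a four-device path, alice -> r1 -> r2 -> bob, and records what a wiretap on each cable and each intermediate hop can read in plaintext. The device names, the JSON packet layout, the name-derived keys and the HMAC-based toy stream cipher are all assumptions made for the example; a real system would use a vetted AEAD cipher with negotiated keys.

```python
import hashlib
import hmac
import json

# Toy stream cipher: HMAC-SHA256 in counter mode as a keystream, XORed with the
# data. It is NOT a real cipher (no authentication, and reusing a key/nonce pair
# leaks the XOR of two messages); real systems use an AEAD such as AES-GCM or
# ChaCha20-Poly1305. It is enough to show who can see what.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


# Packet layout (assumed for the example): 2-byte header length | JSON routing header | payload.
def build_packet(header: dict, payload: bytes) -> bytes:
    h = json.dumps(header, sort_keys=True).encode()
    return len(h).to_bytes(2, "big") + h + payload


def split_packet(packet: bytes):
    n = int.from_bytes(packet[:2], "big")
    return json.loads(packet[2:2 + n]), packet[2 + n:]


def exposure(view: bytes, header_bytes: bytes, message: bytes) -> set:
    """Which parts of the packet appear in plaintext in this observer's view."""
    seen = set()
    if header_bytes in view:
        seen.add("header")
    if message in view:
        seen.add("payload")
    return seen


def send(message: str, path: list, mode: str) -> dict:
    """Carry one message along `path` under mode "e2e", "link" or "both".

    Returns what a wiretap on each link and each intermediate hop could read.
    Keys are derived from device names purely so the example is self-contained;
    a real deployment negotiates them (e.g. TLS handshake, IPsec IKE).
    """
    assert mode in ("e2e", "link", "both")
    src, dst = path[0], path[-1]
    e2e_key = hashlib.sha256(f"e2e:{src}:{dst}".encode()).digest()
    link_key = lambda a, b: hashlib.sha256(f"link:{a}:{b}".encode()).digest()

    header = {"src": src, "dst": dst}
    header_bytes = json.dumps(header, sort_keys=True).encode()
    body = message.encode()
    if mode in ("e2e", "both"):
        body = xor_crypt(e2e_key, b"e2e-nonce", body)  # encrypted at the source only
    packet = build_packet(header, body)

    wire, hops = [], []
    for i in range(len(path) - 1):
        a, b = path[i], path[i + 1]
        on_wire = packet
        if mode in ("link", "both"):
            # Link encryption covers the whole packet, header included, so a
            # tap on this cable sees neither the addresses nor the content.
            on_wire = xor_crypt(link_key(a, b), b"link-nonce", packet)
        wire.append(exposure(on_wire, header_bytes, message.encode()))
        packet = on_wire
        if mode in ("link", "both"):
            # Every hop must strip the link layer to read the next hop: this is
            # the moment the routing header (and, without E2EE, the payload)
            # sits in the clear on the hop.
            packet = xor_crypt(link_key(a, b), b"link-nonce", packet)
        if b != dst:
            hops.append(exposure(packet, header_bytes, message.encode()))

    hdr, body = split_packet(packet)
    if mode in ("e2e", "both"):
        body = xor_crypt(e2e_key, b"e2e-nonce", body)  # decrypted only at the destination
    assert hdr == header and body == message.encode()
    return {"wire": wire, "hops": hops}


if __name__ == "__main__":
    for m in ("e2e", "link", "both"):
        print(m, send("attack at dawn", ["alice", "r1", "r2", "bob"], m))
```

Running send() in the three modes gives exactly the pattern described above: with E2EE alone every tap and every hop reads the routing header but never the payload; with link encryption alone the cables show nothing, but each hop holds header and payload in the clear while it re-encrypts; with both, hops see only the header. The hop is where plaintext appears, which is why it is the attacker's target.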

About the Author

Milica D. Djekic is an Independent Researcher from Subotica, the Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for domestic and overseas publications and is also the author of the book "The Internet of Things: Concept, Applications and Security", published in 2017 by Lambert Academic Publishing. Milica is also a speaker on the BrightTALK expert channel. She has been a member of ASIS International since 2017 and a contributor to the Australian Cyber Security Magazine since 2018. Milica's research efforts are recognized by the Computer Emergency Response Team for the European Union (CERT-EU), Censys Press, BU-CERT UK and the EASA European Centre for Cybersecurity in Aviation (ECCSA). Her fields of interest are cyber defense, technology and business. Milica is a person with disability.


Anatomy of a hack – SolarWinds Orion

Nation state hacks major IT software vendor

By James Gorman, CISO, Authx

What happened when one of the leading IT management software vendors in the world was breached, exposing leading government agencies the world over and up to 18,000 of its roughly 33,000 Orion customers [1] running the affected versions (2019.4 HF 5, 2020.2 with no hotfix, or 2020.2 HF 1) [2] of SolarWinds Orion software?

What happened.

1) The threat actor, indicated to be a nation state in the Microsoft Threat Intelligence Center's release [3], compromised the SolarWinds build and update process and embedded a trojan horse in signed Orion updates. Because Orion runs with broad privileges on the network it monitors, that foothold gave the attacker administrative access to the network.

2) Using that administrative access, the intruder moved laterally to the organization's token-signing credentials (for example the AD FS SAML signing certificate). With those, the attacker can forge "real-looking" credentials and keep moving through the organization.

3) Using the now trusted yet forged credentials, the attacker takes stock of what else they can reach, on-premises and in the cloud. Because the credentials look valid, they do not trip most alerts that look for unusual login

4) Once the attacker holds a Global Administrator account or its trusted certificate and uses it to impersonate the admin, they essentially have the keys to the kingdom: they can create new global admins, add them to existing services or create new services, and then go after API access to the organization.

What has been reported is that once this particular actor gets Global Administrator access they keep malicious programs (malware) to a minimum and use remote access to move through the enterprise, taking over code repositories, trade secrets, Microsoft 365 (Office 365), Azure Active Directory, essentially every system that relies on federated access and authentication. The list of who was hacked keeps growing, and it is a veritable who's who of what a nation-state actor would want: the US State Department, the Pentagon, the Department of Homeland Security, the National Institutes of Health and others, as well as many private firms [4]. While many of the known targets are the "big guys", if you use SolarWinds Orion assume you are compromised.

If you use SolarWinds Orion, assume you are compromised: take it offline, upgrade, and contact SolarWinds. https://www.solarwinds.com/securityadvisory

Upgrading removes the backdoor but does not evict an attacker who has already forged credentials, so treat the Orion host as compromised and rotate every secret it could reach, including token-signing certificates.

If you are a CISO or security professional, you should know that in this hack you could have done everything right and still have been vulnerable. You could have anti-malware tools running, login restrictions on sensitive systems, monitoring of failures, all the things you would do in a traditional defense-in-depth environment. Because you trusted your supply chain, and one of the largest and most trusted names in network monitoring and management was breached, you are now vulnerable and probably compromised.

You could have done everything right and still been compromised! That is the lesson here: all you can do is mitigate and minimize the damage done. Some attackers are very, very good, and your security is only as good as the weakest link in your supply chain. It could be one of your largest and most trusted IT suppliers that is the avenue of attack. You have to trust and verify.


So what is a person to do, whether or not they are compromised? There are some things that, had they been in place, could have mitigated or limited the damage from the internal spread of this particular hack. We still do not know how the development/release system at SolarWinds was compromised – I for one am looking forward to seeing how that happened.

What to do now that we know what we know:

1) Update your software frequently – this is still the best way to keep known vulnerabilities at bay. Don't let this supply chain hack scare you into not keeping your systems up to date. It is one of the most basic principles in cybersecurity: patch your systems.

2) Use antivirus systems that are kept current; signatures for the components of this attack were pushed quickly.

3) Monitor your network and systems for anomalous behavior – look for repeated PowerShell access to Active Directory from the same machine, especially privileged sign-ins [5].

4) Look for additions to your federated services (new federation trusts, federated domains or signing certificates) and follow best practices for securing AD FS [6].

5) Use allow-lists for access to your sensitive network segments; block outbound traffic from your trusted segments except what vital business processes need. This cuts the trojan off from its command-and-control (C2) servers, which is the channel through which the attackers reach your environment.

6) Protect SAML token-signing keys in hardware security modules (HSMs) so the signing certificate cannot simply be exported from AD FS.

7) Alert on, and verify as authorized, new access credentials added to OAuth applications and

8) Reduce your attack surface by removing applications and service principals that are not needed on your systems. Make sure you are logging service principal access and look for anomalies.

9) Use multifactor authentication with biometric factors for all logins. Note that MFA at the identity provider does not stop an attacker who forges SAML tokens with a stolen signing key, because the forged token simply asserts that MFA already happened; that is why items 4 and 6 matter.
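The detection items above can be turned into rules. The following is an added example (not the author's or Authx's code) in Python that runs three of them, items 3, 4 and 7/8, over a constructed sample of identity audit events and correlates the results by host. The event schema, the host and account names, the activity-name strings and the approved-change list are all assumptions made for the example; the activity names are modeled on Azure AD audit names but must be mapped to your own log source.

```python
from collections import defaultdict


def ev(ts, op, actor, host, target, privileged):
    return {"ts": ts, "op": op, "actor": actor, "host": host,
            "target": target, "privileged": privileged}


# Constructed sample events (not real logs). The "op" strings are modeled on
# Azure AD / AD FS audit activity names, but the schema is a simplification for
# this example; map your SIEM's own fields onto it before using the rules.
SAMPLE_EVENTS = [
    ev("2020-12-13T02:01:00Z", "Sign-in", "svc-orion", "ORION01", "AD", True),
    ev("2020-12-13T02:01:30Z", "PowerShell AD query", "svc-orion", "ORION01", "AD", True),
    ev("2020-12-13T02:02:10Z", "PowerShell AD query", "svc-orion", "ORION01", "AD", True),
    ev("2020-12-13T02:03:00Z", "PowerShell AD query", "svc-orion", "ORION01", "AD", True),
    ev("2020-12-13T02:10:00Z", "Add service principal credentials", "svc-orion", "ORION01", "sp:MailArchiver", True),
    ev("2020-12-13T02:11:00Z", "Set domain authentication", "svc-orion", "ORION01", "domain:partner.example", True),
    ev("2020-12-13T08:00:00Z", "Sign-in", "jdoe", "WKS-117", "AD", False),
    ev("2020-12-13T08:15:00Z", "Add service principal credentials", "ciadmin", "CI01", "sp:BuildBot", True),
]

# (actor, service principal) pairs whose credential rotation is covered by a
# change ticket (assumed); anything else is treated as unexpected.
APPROVED_SP_CREDENTIAL_CHANGES = {("ciadmin", "sp:BuildBot")}


def flag_privileged_ad_bursts(events, threshold=3):
    """Item 3: repeated privileged PowerShell access to AD from one machine."""
    per_host = defaultdict(int)
    for e in events:
        if e["privileged"] and e["target"] == "AD" and e["op"].startswith("PowerShell"):
            per_host[e["host"]] += 1
    return sorted(h for h, n in per_host.items() if n >= threshold)


def flag_service_principal_credentials(events):
    """Items 7 and 8: new credentials on OAuth apps / service principals that
    no change ticket explains. Returns (actor, target, host) tuples."""
    return [(e["actor"], e["target"], e["host"]) for e in events
            if e["op"] == "Add service principal credentials"
            and (e["actor"], e["target"]) not in APPROVED_SP_CREDENTIAL_CHANGES]


def flag_federation_changes(events):
    """Item 4: every change to federation / domain authentication settings is
    reviewed; a new federated domain lets an outsider mint accepted tokens."""
    return [(e["actor"], e["target"], e["host"]) for e in events
            if e["op"] == "Set domain authentication"]


def run_all(events):
    """Run the rules and correlate by host: a host that trips more than one
    rule is the pattern of a foothold turning into an identity takeover."""
    hits_per_host = defaultdict(set)
    for host in flag_privileged_ad_bursts(events):
        hits_per_host[host].add("ad_burst")
    for _, _, host in flag_service_principal_credentials(events):
        hits_per_host[host].add("sp_credential")
    for _, _, host in flag_federation_changes(events):
        hits_per_host[host].add("federation_change")
    return {
        "hosts": {h: sorted(r) for h, r in hits_per_host.items()},
        "critical": sorted(h for h, r in hits_per_host.items() if len(r) >= 2),
    }


if __name__ == "__main__":
    print(run_all(SAMPLE_EVENTS))
```

On the sample, the build server's ticketed credential rotation on CI01 is filtered out, while ORION01 trips all three rules and is reported as critical. The correlation step is the useful part: any single rule fires on legitimate administration now and then, but one host doing privileged AD queries, adding a service principal credential and changing federation settings in the same hour is the sequence the article describes.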

Authx https://authx.com is a prime example of how to verify who actually has access to your systems. It is a multifactor authentication mechanism that uses biometrics (face, fingerprint or palm) or one-time passcodes to add assurance to the user access experience. Authx, or another such product, would have limited the ability for lateral movement and the persistence of this or most imposter credential


About the Author

James Gorman, CISO, Authx

James is a solutions-driven, results-focused technologist and entrepreneur with experience securing, designing, building, deploying and maintaining large-scale, mission-critical applications and networks. Over the last 15 years he has led teams through multiple NIST, ISO, PCI, and HITRUST compliance audits. As a consultant, he has helped multiple companies formulate their strategy for compliance and infrastructure scalability. His previous leadership roles include CISO, VP of Network Operations & Engineering, CTO, VP of Operations, Founder & Principal Consultant, Vice President and CEO at companies such as GE, Epoch Internet, NETtel, Cable and Wireless, SecureNet, and Transaction Network Services.

James can be reached online at james@authx.com and https://www.linkedin.com/in/jamesgorman/, and at our company website https://authx.com






Cybersecurity Maturity Model Certification (CMMC)

It is not about compliance, or is it?

By Carter Schoenberg, CISSP & CMMC Registered Practitioner, Vice President – Cybersecurity, SoundWay Consulting, Inc.

As of the date of this publication, new requirements for U.S. defense contractors are in play. The days of addressing cybersecurity requirements with "it doesn't apply to me" are officially over. In case you missed it, there are four letters that should have you standing up and taking notice: CMMC. So what exactly is CMMC? The Cybersecurity Maturity Model Certification is a new and comprehensive framework that will dictate future awards made by the U.S. Department of Defense. The framework is managed by a non-government entity, the CMMC Accreditation Body (CMMC-AB), and fully supported by the highest levels of U.S. Department of Defense (DOD) leadership.

Starting in 2017, requirements to meet the 110 security controls described in NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations", were included in formal solicitations under the Defense Federal Acquisition Regulation Supplement (DFARS). Unfortunately, procurement officials generally highlighted this requirement with a single sentence in solicitations and relied upon self-attestation. Since that time, the F-35 Joint Strike Fighter technical designs, naval defensive electronics on sea vessels, and arguably the largest release of malware created for offensive operations by the National Security Agency have all been compromised due to poor cyber hygiene by U.S. Government contractors (GovCons).

Like it or not, the U.S. Government is justified in saying "enough is enough" and is now forcing all, let me say that again, ALL GovCons seeking work with the DOD to demonstrate adequate cyber hygiene. These efforts are spearheaded by Ms. Katie Arrington. As she describes it, the Government is taking a crawl, walk, run approach to formal implementation of CMMC. CMMC has five maturity levels, starting with Maturity Level 1, which equates to demonstrating that 17 practices (security safeguards) are implemented. Starting around June 2021, an estimated 15 contracts will be issued, affecting 1,500 GovCons, and this will ramp up to all engagements no later than FY2026. All of this is contingent upon formal adoption within the DFARS.

To make matters more interesting, the interim DFARS rule explicitly states that as of December 1, 2020, a large number of GovCons must report their current status toward conformance with NIST SP 800-171 to the Government. If the accuracy of previous self-attestations is any indicator, some GovCons may be inclined to fudge the results, because who at the Defense Department is really going to police them, right? WRONG! Misrepresenting the results has two significant consequences, one well understood by industry stakeholders and one that is being overlooked. The first is liability under the False Claims Act, pursued by the Justice Department and reaching individuals (CEOs, boards of directors) as well as the company; the Act itself is a civil statute, with a parallel criminal false-claims statute for knowing fraud. The second is action by the Federal Trade Commission (FTC) under Title 15 (Section 5 of the FTC Act) for an unfair or deceptive business practice, which can result in heavy financial sanctions.

The Government is socializing the message that its goal is not a compliance mandate but the adoption of actual cybersecurity best practices in a way that strengthens the GovCon. Regardless of whether you are Maturity Level 1 or Level 5, two forms of objective evidence will be required as proof of adoption of the practices and processes defined in CMMC. That sounds a lot like a compliance initiative; instead of "audit", the CMMC term is "assessment".

If you have been through a FISMA, CMMI, ISO, PCI or other audit where objective evidence is required to prove you meet the standard, this exercise is academically no different, with one caveat. Once Maturity Level 3 applies (the GovCon receives or creates CUI), simply having safeguarding controls and appropriate policies and procedures is not enough. It is incumbent on the GovCon to demonstrate that they are all "managed". What does that mean? Think of it as operationalizing these best practices into your core daily business operations. From there you advance to Maturity Level 4, which requires everything from Levels 1-3 plus demonstrating that everything is "reviewed" at least annually. At Maturity Level 5 you must be able to demonstrate that your organization is optimizing those practices and processes.

If you are already ISO 27001 certified, congratulations – it is no longer enough. If you are CMMI Level 3 certified, congratulations – it too is no longer enough. What about FedRAMP? That too is no longer

To date, the DOD is stating that having your formal certification is not required to bid, just required at time of award. The Government and the CMMC-AB estimate you should allow yourself a 6-month window to prepare for Maturity Level 3 and higher. Based on my experience performing almost 40 of these types of assessments for Government and Industry, GovCons would be wise to project an 8 to 10-month runway. These presumptions are also problematic because the average award timeline is approximately 120 calendar days. Even if the 6-month preparation estimate is correct, that still leaves a delta of two months. This essentially means a failure to have certification prior to submitting your proposal for Maturity Level 3 and higher will likely result in somebody else receiving the award.

For GovCons that are micro-size entities with home-based offices, you should consider the strong likelihood that your home will actually be inspected even at Maturity Level 1. For more details on what assessors will look for, please click here.

It is important to note that if you are a GovCon you should:

• Take immediate steps towards CMMC preparation at Maturity Level 1 with an understanding that you may well be required to hold a Level 3 rating within a year or so.

• Carefully review the specifications of the requirements in CMMC.

• Do not take the position of believing you are in good shape because your IT guy told you so.

• Do not take the position that this framework will go away with the new administration.

• Do seek out Registered Provider Organizations that have licensed Registered Practitioners authorized by the CMMC Accreditation Body.

• Understand that this framework is a work in progress and will continue to evolve as the cyber threat landscape evolves.

One last noteworthy point is that there are a number of industry stakeholders continuously trying to find fault with the CMMC-AB and Ms. Arrington. Taking this approach is like waving at the train when it has already left the station. ALL ABOARD!


About the Author

Carter Schoenberg is the Vice President of Cybersecurity at SoundWay Consulting. Carter has over 20 years’ experience supporting Government and Industry stakeholders and is a subject matter expert on the Cybersecurity Maturity Model Certification (CMMC), cyber investment strategies, and reducing organizational exposure to harm from cyber liabilities. His work products have been used by DHS, DOD, NIST, and the ISAC

Carter can be reached online at c.schoenberg@soundwayconsulting.com and through www.soundwayconsulting.com or the CMMC Marketplace


Businesses Should See Security as An Enabler of Digital Transformation, Not A Hindrance

A distributed workforce has renewed the importance of security for all aspects of organizations’ technology estates

By Matt Gyde, CEO, Security Division at NTT Ltd.

The pandemic has put a spotlight on cybersecurity issues as businesses have moved to a distributed workforce model. Many businesses found it difficult to move with agility to provide employees with the devices and network infrastructure needed to operate and communicate seamlessly when COVID-19 first


In fact, according to NTT’s 2020 Intelligent Workplace Report ‘Shaping Employee Experiences for a World Transformed’, in many cases employees have been left to use their personal devices and applications, increasing the risk of security vulnerabilities. Additionally, only 46.4% of global businesses surveyed for the same report claimed they increased their IT security capabilities to keep their organization and employees secure.

The rise in nefarious threats during the pandemic is clearly outlined in NTT’s Global Threat Intelligence report as hackers seek to exploit the coronavirus-related panic. Attacks have included information-stealing malware built into a fake World Health Organization (WHO) information app, while phishing emails have offered in-demand items including face masks, hand sanitizer and Coronavirus tests. These were so bad that the World Health Organization (WHO) called it an “infodemic.”


Secure by design approach crucial for businesses to protect themselves

Unfortunately, just like the COVID-19 virus itself, cybercriminals and spies aren’t becoming fatigued by its impact on our personal and professional freedoms and prospects, as many of us are. Threat actors and organizations are opportunistic and both well-organized and funded enough to ramp up their nefarious activities despite the current worldwide crisis.

This has, in turn, spawned renewed acknowledgment of the importance of security being embedded in all aspects of organizations’ technology estates. Whether applications and workloads are running on-premises or in a public or private cloud, and irrespective of whether people are working from home, the office, or remotely, infrastructure needs to be inherently secure by design and entrenched into every aspect of a business’s environment. Security cannot be ‘bolted on’ as an afterthought because it impacts both the customer and employee experience.

Perhaps many organizations have not embedded security in their organization because they see security as a hindrance and not a driver of digital enablement. A cultural mind-set shift needs to happen. Security helps businesses to deliver transformational technology that enables the best user experience. And it is intrinsically linked to the protection of employee data.

Digital transformation with SASE

At NTT, we predict in our ‘Future Disrupted: 2021’ report that the concept of ‘secure access service edge’ (SASE), a term coined by Gartner, is going to be a mainstream trend in the next 12 months. SASE focuses on achieving the best end-user experience in an increasingly SaaS and software-defined network paradigm, securing APIs and capitalizing on ‘as-a-service’ scenarios such as firewall-as-a-service or


In order to start with SASE, businesses will need to truly assess what, and which assets, they need to protect, where distributed workloads are running, and how their business consumes applications, and ensure infrastructure is fit for purpose:

• Assess what, and which assets, businesses need to protect: To start, businesses should look at data protection. They’ll need to pinpoint exactly what they absolutely have to protect and decipher what is ‘crown jewels’ data and information versus what’s not. Then they can return to the basics: good operations hygiene and due diligence

• Understand where various workloads are running: This will mean businesses should look at implementing appropriate firewalls and micro-segmentation

• Consider applications and how they’re being consumed: Importantly, businesses should ask themselves how these consumption trends tie back to the platform strategy and related end-user/customer and end-point protocols and how they are interacting with various workloads and

• ‘Dust-off’ existing network and application security strategies: Businesses should ensure that their security strategies are still fit-for-purpose. This will likely include making decisions about their path to SD-WAN adoption

Ultimately, businesses must ensure that cybersecurity protects internal operations and employee data, as well as their customers. Today, this means that simply buying ‘point’ security is no longer a viable approach – it needs to be baked into system design.


Businesses must increasingly focus on ensuring that cybersecurity is an enabler, not a hindrance, to digital transformation and use the right frameworks and partnerships within the ecosystem to do so. There is no more important time than now for the industry to come together to mount a powerful defence against an ever-mounting and ever-evolving cyber threat.

About the Author

Matt Gyde is the President and Chief Executive Officer, Security Division at NTT Ltd. He is leading the security strategy, services and go-to-market execution to build the world’s most recognized security business. Matt can be reached via his LinkedIn profile at: https://www.linkedin.com/in/matt-gyde/ and at https://hello.global.ntt.


Asset Management, The Weakest Link in Cybersecurity

By Gyan Prakash, Head of Cyber Security / Security Engineering, Altimetrik Corp


This paper shares the details on the limitations of existing asset management solutions for cybersecurity needs and how to enhance the capability of existing asset management solutions so that they meet enterprise cybersecurity risk needs: uncovering high-risk and vulnerable assets to CISOs and senior management with data-driven automation on a near-real-time basis.

It highlights the gap in current asset management solutions and the critical role an asset management solution plays in securing the enterprise from advanced threats and in cybersecurity risk management, and the importance of asset management in identifying the asset criticality rating (static risk), inherent risk and residual risk.


Cybersecurity risk not only helps uncover the critical risky assets but also helps drive enterprise priorities and future enhancements and investment in security technologies.


IT asset management solutions help discover and provide visibility into assets, covering every IP-connected device in the enterprise environment. Accurate asset discovery and visibility is one of the critical needs for securing assets. What you see is what you protect.

Leading research shows that on average companies are blind to 40% of the devices in their environment. As a result, businesses do not have a real-time, comprehensive view of all the assets in their environment—or know the risks associated with them.

Assets can be broadly divided into the following categories:

- Endpoint User Devices (Managed Assets & Unmanaged Assets)

- Production and Non-Production Network Infrastructure devices

- Enterprise IoT devices (Cameras, Printers, Smart TVs, HVAC Systems, Industrial Robots, Medical Devices, Physical Security Access etc.)

ISO 27001 - Information Security Management System (ISMS) certification requires the enterprise to identify the information assets in scope for the management system and define appropriate protection responsibilities. NIST and the CIS Critical Security Controls also include asset inventory management as part of critical infrastructure security.

IT asset inventory management is a basic need of an enterprise, but there the urgency of discovery and visibility is not critical, whereas enterprise security relies primarily on accurate and detailed asset visibility on a near-real-time basis.


The majority of enterprise assets are distributed across many different geos and networks, such as private networks and public cloud. With remote work universally accepted, near-real-time asset visibility and management becomes even more critical.

Traditional Asset Management

There are usually two types of asset management solutions in the market, agent-based and network-scan-based, and both of them play a critical role in providing asset visibility.

Network-scan-based asset discovery: Network-scan-based solutions help identify / discover devices on the network; the limitation is that the network scanner must be able to reach all networks, VLANs and subnets in the entire enterprise. Network-based scans are also limited to the details discoverable over the network.

Agent-based asset discovery: Agent-based solutions provide information about the OS and core OS services, versions, middleware services, patches etc.

Traditional asset management solutions, also referred to as a CMDB (Configuration Management Database), are required to meet IT inventory and asset management needs such as asset ownership, cost center, and supporting patch management. These solutions were not designed with cybersecurity threats and cybersecurity risk management in focus.

Cybersecurity Dependency on Asset Management

Before we get into the details of the cybersecurity dependency, it is important to understand the definition of an asset. Generally, an asset is defined as an IP-connected device; this usually works fine but is challenging when managing serverless assets. An application consists of a group of assets.

The exponential increase in the number of assets, be it mobile devices, microservices-based lightweight servers, self-mutating servers or serverless assets, has made near-real-time asset management even more critical. The assets are distributed over many networks and geos, private and public. The next-generation asset management will support the following capabilities:

- Provides asset context with regard to network placement and external visibility

- Binding between assets and the applications or microservices running on the assets

- Provides an asset criticality risk rating

- Status of security agents on the assets

- Status of SIEM integration for OS-level and application-level logs

- Correlating each asset with all the known security vulnerabilities, whether related to the OS, application, identity and access management or firewall

- Mapping sensitive data assets (such as PII, PAI or PHR) to each of the servers

- Continuously tracking assets against enterprise security compliance

Since 2019, OWASP has also been reporting Improper Assets Management as one of the top ten API Security vulnerabilities across the industry.

Automate Asset Criticality Risk Rating

Asset criticality is the most important factor in understanding the risk of an asset being compromised. The asset criticality rating provides a view of the asset's risk without any known security vulnerability. Any asset in a production or non-production environment introduces risk, and the risk is related to the type of data the asset processes or handles, the exposure of the asset to the outside world, and how unavailability of the asset impacts the business and enterprise services. We can also call this static risk, meaning the minimum risk that this asset introduces to the enterprise.

None of the traditional asset management solutions offers an Asset Criticality Risk Rating, hence many enterprises rely on generating this asset criticality rating using non-standard and ad hoc techniques.

Asset Criticality Risk Rating: What would be the impact on the enterprise if an asset is unavailable, tampered with or


Critical assets are those that are essential for supporting critical enterprise business needs. These assets have a high consequence of failure, and it must be ensured that such failures are avoided. These assets should be identified on an urgent basis and more focus should be paid to these



Every organization has a way to identify which applications are critical, which is fairly easy; the challenge is mapping each and every asset to these critical applications and doing it consistently on a real-time basis.

Building an Asset Criticality Rating

The Asset Criticality Risk Rating (ACRR) is the foundation for determining asset risk. Some of the important aspects of building the ACRR are the following:

- It must be fully automated and not dependent on user input

- It provides a consistent ACRR in near real time

- It provides options for the risk analyst to update the weightings used in the ACRR

ACRR Calculation Approach

In this section, we share details on how CVSS (Common Vulnerability Scoring System) can be used to build the ACRR. CVSS is an open framework for capturing the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental.

Our interest is in the Base CVSS. The Base CVSS represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, and is composed of two sets of metrics: Exploitability metrics and Impact metrics.

Exploitability Metrics:

- Attack Vector

- Attack Complexity

- Privileges Required

- User Interaction

Impact Metrics:

- Confidentiality Impact

- Integrity Impact

- Availability Impact


For the ACRR, we only need the Impact Metrics, and we will then find an average Impact for Confidentiality, Integrity and Availability across all the key attributes required for generating the ACRR.


ACRR Formula

The ACRR is based on the CVSS standard used for security vulnerability rating. We extend the same model to measure the criticality of an application. We will be using the following formula:

ACRR = f(Confidentiality, Integrity, Availability)

Ci = Average weight of all the Confidentiality Impact values for the asset

Ii = Average weight of all the Integrity Impact values for the asset

Ai = Average weight of all the Availability Impact values for the asset

ISS = Impact Sub-Score

ISS = 1 - ((1 - Ci) * (1 - Ii) * (1 - Ai))

ACRR = roundup(min(ISS * 8, 10))

The min() function returns the lower of its two arguments.

The roundup() function rounds up to zero decimal places.

We derived the constant 8 by iterating over a number of assets that produced an acceptable risk rating score, following the Delphi method.

Mathematical Ranges

Ci = [0, 1], Ii = [0, 1], Ai = [0, 1]

ACRR = [0, 10.0]


ACRR Rating Scale

All ACRR scores will be mapped to a qualitative rating, in line with the industry-standard CVSS rating scale:

Rating | ACRR Score
None | 0.0
Low | 0.1 to 3.9
Medium | 4.0 to 6.9
High | 7.0 to 8.9
Critical | 9.0 to 10.0

ACRR Worksheet

We are going to use the following key indicators in our worksheet to demonstrate generating the ACRR for a given asset.

Key Indicator | Description | Possible options
Sensitive Data Handling | The type of data the application or server handles. | Personally Identifiable Information (PII), PCI Card Data (PCD), Personal Health Information (PHI) etc.
Application Exposure | This represents the application's exposure to the type of users and networks. | Public Internet, Partner Network, Internal Network
Service Tier | A service tier indicates how critical a service is to the operation of your business from an availability point of view. | Tier-0, Tier-1, Tier-2 and Tier-3, where T0 is a critical service and T3 is non-essential
Sensitive Data Volume | Volume of data processed by the application or the servers involved in that application. | Blocks of 100K or 10K based on business risk
Number of External Users | Number of active external users of the application; this also applies to all the servers involved. | 1 million – 10 million
Development Model | This indicates whether the application was developed by an internal development team, using an outsourcing model, or mixed. | Internally Developed, Externally Developed, Hybrid, 3rd Party Product
Hosting Environment | This indicates the asset hosting environment. | Public IaaS, PaaS or Kubernetes, SaaS, Private Data Center

Additional key indicators could be used based on risks and threats related to the hosting environment, number of admin users etc.

In the next section, we will generate the ACRR for a given asset using the following key indicators that help identify the impact. For each of these key indicators, we assign a weight for Confidentiality, Integrity and Availability. The weight is assigned based on the risk / impact that would be caused if the asset involved were compromised. The weight must be assigned between 0 and 1: a lower weight for low impact and a higher weight for high impact.

Key Indicator | Indicator Value | Confidentiality | Integrity | Availability
Sensitive Data | PCD & PII | 0.7 | 0.7 | Not applicable
Application Exposure | Public Internet | Not applicable | Not applicable | 0.9
Service Tier | Tier-0 | Not applicable | Not applicable | 0.9
Sensitive Data Volume | 1 million – 5 million | 0.8 | 0.8 | Not applicable
Number of External Users | 100k-1m | Not applicable | Not applicable | 0.7
Development Model | Internally | 0.2 | 0.2 | Not applicable
Hosting Model | Public IaaS | 0.6 | 0.6 | Not applicable

In essence, the ACRR determines the impact the business is going to suffer if the asset in question were to be compromised.

Ci = (0.7 + 0.8 + 0.2 + 0.6) / 4 = 2.3 / 4 = 0.6

Ii = (0.7 + 0.8 + 0.2 + 0.6) / 4 = 2.3 / 4 = 0.6

Ai = (0.9 + 0.9 + 0.7) / 3 = 2.5 / 3 = 0.8

Ci, Ii and Ai are rounded off to 1 decimal.

ISS = 1 - ((1 - 0.6) * (1 - 0.6) * (1 - 0.8)) = 1 - 0.032 = 0.968

ACRR = roundup(min(ISS * 8, 10)) = roundup(min(7.744, 10)) = 8

The Asset Criticality Risk Rating is High.
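The worksheet arithmetic above, as an added Python example (not code from the article or from Altimetrik): it builds the Ci, Ii and Ai averages from a constructed copy of the worksheet, applies the ISS and ACRR formulas and maps the score onto the rating scale. The row-by-row placement of the three Availability weights (0.9, 0.9, 0.7) is assumed from the order of the Ai calculation, and a dimension with no applicable indicator is assumed to contribute zero impact.

```python
"""Asset Criticality Risk Rating (ACRR) calculator (added example).

Implements the article's formula over a worksheet of key indicators:
    ISS  = 1 - ((1 - Ci) * (1 - Ii) * (1 - Ai))
    ACRR = roundup(min(ISS * 8, 10))
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from math import ceil
from typing import Dict, List, Optional, Union

# A weight is a number in [0, 1], or None for "Not applicable".
Weight = Union[Decimal, str, float, int, None]


@dataclass(frozen=True)
class Indicator:
    """One row of the ACRR worksheet: a key indicator with C/I/A weights."""
    name: str
    value: str
    confidentiality: Weight
    integrity: Weight
    availability: Weight


# Qualitative scale from the article (upper bound of each band, inclusive).
RATING_SCALE = [
    (Decimal("0.0"), "None"),
    (Decimal("3.9"), "Low"),
    (Decimal("6.9"), "Medium"),
    (Decimal("8.9"), "High"),
    (Decimal("10.0"), "Critical"),
]


def _to_weight(w: Weight) -> Optional[Decimal]:
    """Normalise a weight to Decimal and enforce the article's [0, 1] range."""
    if w is None:
        return None
    d = Decimal(str(w))  # str() keeps 0.7 exact instead of a binary float
    if not Decimal(0) <= d <= Decimal(1):
        raise ValueError(f"weight {w} is outside [0, 1]")
    return d


def average_weight(weights: List[Weight]) -> Decimal:
    """Average the applicable weights, rounded half-up to one decimal.

    Assumption: a dimension with no applicable indicator contributes 0
    impact instead of failing with a division by zero.
    """
    applicable = [d for d in map(_to_weight, weights) if d is not None]
    if not applicable:
        return Decimal("0.0")
    mean = sum(applicable) / len(applicable)
    return mean.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def impact_subscore(ci: Decimal, ii: Decimal, ai: Decimal) -> Decimal:
    """ISS = 1 - ((1 - Ci) * (1 - Ii) * (1 - Ai)), the CVSS impact form."""
    one = Decimal(1)
    return one - ((one - ci) * (one - ii) * (one - ai))


def acrr_score(iss: Decimal) -> int:
    """ACRR = roundup(min(ISS * 8, 10)); 8 is the article's Delphi constant."""
    return ceil(min(iss * 8, Decimal(10)))


def acrr_rating(score: Union[int, Decimal]) -> str:
    """Map a numeric ACRR onto the qualitative rating scale."""
    s = Decimal(score)
    if not Decimal(0) <= s <= Decimal(10):
        raise ValueError(f"ACRR {score} is outside [0, 10]")
    for upper, label in RATING_SCALE:
        if s <= upper:
            return label
    raise AssertionError("unreachable: the scale covers [0, 10]")


def compute_acrr(worksheet: List[Indicator]) -> Dict[str, object]:
    """Run the whole ACRR pipeline and return every intermediate step."""
    ci = average_weight([i.confidentiality for i in worksheet])
    ii = average_weight([i.integrity for i in worksheet])
    ai = average_weight([i.availability for i in worksheet])
    iss = impact_subscore(ci, ii, ai)
    score = acrr_score(iss)
    return {"Ci": ci, "Ii": ii, "Ai": ai, "ISS": iss,
            "ACRR": score, "rating": acrr_rating(score)}


# Constructed worksheet mirroring the article's example asset.
# Availability weights are placed per row in the order of the Ai sum (assumption).
EXAMPLE_ASSET = [
    Indicator("Sensitive Data", "PCD & PII", "0.7", "0.7", None),
    Indicator("Application Exposure", "Public Internet", None, None, "0.9"),
    Indicator("Service Tier", "Tier-0", None, None, "0.9"),
    Indicator("Sensitive Data Volume", "1 million - 5 million", "0.8", "0.8", None),
    Indicator("Number of External Users", "100k-1m", None, None, "0.7"),
    Indicator("Development Model", "Internally", "0.2", "0.2", None),
    Indicator("Hosting Model", "Public IaaS", "0.6", "0.6", None),
]

if __name__ == "__main__":
    for step, val in compute_acrr(EXAMPLE_ASSET).items():
        print(f"{step}: {val}")  # ends with ACRR: 8, rating: High
```

Because Ci, Ii and Ai never exceed 1, ISS never exceeds 1 and the score tops out at 8 with the constant 8, so the min(…, 10) guard and the Critical band are unreachable under this formula.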

Enhance CyberSecurity Risk

The goal of the asset management solution is to provide the asset attributes or key indicators, collected using agent- and/or network-based scans, on a consistent basis. The ACRR data does not change often but is critical for producing the cybersecurity risk.

Inherent Risk: As we know, there are no perfect assets or applications. Any application or server will on average have 40-75 known issues, including vulnerabilities in network and infrastructure, open-source libraries, and application security vulnerabilities from SAST, DAST etc.

The inherent risk hugely depends on the static risk, i.e. the ACRR, so it is very important to get the ACRR right on a consistent basis and through automation.

Inherent risk can be derived using CVSS methodologies as well; the challenge will be averaging out the exploitability and impact across all the known vulnerabilities. Inherent risk must be computed on a daily basis, and only a good automation mechanism with asset management and vulnerability correlation can provide this

Residual Risk: Residual risk is what CISOs are looking for to get an idea of how effective the cybersecurity investment has been and how they are protecting against the known issues that cannot be fixed due to a number of limitations. Residual risk is the risk score after taking into consideration all the security countermeasures and exploit prevention solutions in place. Residual risks are the real threat and risk to the


About the Author

Gyan Prakash is the Head of Information Security at Altimetrik. Before joining Altimetrik, Gyan was Global Head of Application Security & Security Engineering at Visa from 2016-2020. He managed Product Security Architecture and Engineering, Application Security & vulnerability management. Gyan also led Future of Payment and Blockchain / Crypto Currency research at Visa from 2014-2016.

Gyan has 20+ years of experience in security technologies. He has implemented mature DevSecOps at Visa and has been consulting with Fortune 500 organizations working to implement DevSecOps at scale. Gyan is a technologist and innovator at heart, with 250 global patents including 152 granted in the areas of system security, mobile security, tokenization, and blockchain.

LinkedIn: https://www.linkedin.com/in/gyan-prakash-747a8a2/

Altimetrik Corp: https://www.altimetrik.com/


The Rising Tide of Security Threats in The Industrial Internet of Things

By Don Schleede, Information Security Officer at Digi International

Throughout Cyber Security Awareness Month in October, many organizations shared their thoughts on the state of cybersecurity and reflected on the processes and steps that can improve it. However, the discussion largely focused on protecting end users rather than building security into networks and devices from a systemic perspective. Through its theme of “If You Connect It, Protect It,” however, Cybersecurity Awareness Month has also opened the door to conversations about IoT cybersecurity.

Most IoT discussions focus on consumer IoT – the smart trend-of-the-moment. That’s not surprising since consumer-centric applications and devices are increasingly visible in everyday life and provide that “living in the future” feeling that grabs attention. However, industrial and enterprise IoT applications have just as many implications – though perhaps slightly less visibly, which means they receive far less attention and are less understood. It’s easier to assume that industrial IoT is more secure than its consumer counterparts, since those applications are backed by large organizations facing greater security risks. However, that’s a mistaken notion: The industrial IoT’s struggle with security remains a challenge that is largely unaddressed.


Understanding the Industrial IoT

When we talk about IoT, we tend to think of devices and connected “things” – smart TVs, home security systems, self-driving cars, to name a few. We rarely consider the resources these “things” rely on or the networks that connect them. Yet these systems are underpinned by hundreds – perhaps thousands – of connected devices that, when compromised, can have far-reaching consequences.

To talk about industrial IoT security, we must first understand the types of disruptive security threats:

• Confidentiality threats – These intrusions expose sensitive or confidential information, including the viewing of data in the actual device or the theft/cloning of device firmware itself.

• Theft of service – Authentication weaknesses or failures create critical vulnerabilities. Upgrade features, unlocked without authorization, are also an important threat.

• Data integrity threats – Unauthorized messages are introduced into a network, or an unauthorized party takes control of a device.

• Availability threats – Denial-of-service (DOS) attacks prevent the device from sending messages by flooding it with hostile traffic.

All of these disruptions can arise through different methods, from reverse engineering, micro-probing a chip, or exploiting unintentional security vulnerabilities within code to exploiting weaknesses in internet protocols or in crypto or key handling. No matter the source, one thing is clear: We need to know where to improve security and how to close those gaps.

Building security from the ground up

Our analysis of active devices found that 43% of IIoT devices communicate insecurely. That’s certainly far better than consumer IoT devices (98% of which are unsecured), but the reality is that the number is still far too high, and the potential repercussions of these lax protocols are serious. From manufacturing, transportation, and utilities to healthcare and other industries, organizations must adopt key strategies to prevent and mitigate security issues:

• Security-by-Design: Vendors and customers repeatedly choose lower costs and faster go-to-market options instead of investing the necessary time and effort to design and build top-level security into their devices and applications. As vulnerabilities and attacks continue, organizations are – at last – beginning to factor in the risks (think: liabilities and compliance issues) caused by faulty security settings and inadequate encryption/privacy protection. Security is also gaining importance over the long run because it reduces the costs of potential breaches.

• Device Authentication and Identity: Passwords remain one of the most common forms of authentication – and one of the most common ways threat actors penetrate systems. Many organizations are opting for multi-factor authentication (MFA), which adds a second layer of access protection by requiring additional forms of authentication. From location-based options such as an IP address to something the user physically possesses like a phone or a key fob, MFA offers flexible controls for easier management and a smoother and faster user experience, while improving overall security even for physically dispersed devices.


• Updates and Upgrades: IIoT devices have much longer longevity than consumer IoT devices – as much as 10-15 years. Updating and upgrading the firmware and software for each device becomes increasingly challenging as the volume of devices in the field rises. An organization cannot just deploy thousands of devices. It must manage them throughout that lengthy lifecycle. IIoT leaders can offer centralized device management solutions to help administrators manage updates and patches, troubleshoot through out-of-band management, reconfigure devices, and monitor the health of the entire network. This holistic approach provides insight when a specific device is at risk and helps them mitigate issues before they worsen.

• Risk Assessments and IoT Regulations: As we move into 2021, the number of IIoT devices will continue to grow, requiring organizations to assess both devices and networks. For security professionals, this is already a best practice for all deployments. However, soon it will be the standard thanks to guidelines within NIST’s IoT security framework, legislative and industry regulations, and other mandates. This is a move in the right direction and a long-overdue step since large swaths of the IoT remain vulnerable today.

Awareness, Understanding, and Action

Embedded security is a critical requirement for a growing number of connected IoT applications and devices, especially as threats continue to rise. Although we continue to play catch-up with threat actors, we are seeing a gradual shift in the right direction. More leaders understand the need to improve security, and new regulations have identified and highlighted a problem that has been lurking for years. It is time for IoT vendors, developers, admins, and engineers to make security a top priority.

About the Author

Don Schleede is the Information Security Officer for Digi International, a Minnesota-based manufacturer of embedded systems, as well as routers, gateways, and other communications devices for the Industrial IoT. He has 27 years of experience in high-tech security and has been with Digi for more than seven years. Earlier, Don held positions as a developer, IT Operations Director, and IT Architect. Don can be reached online at (EMAIL, TWITTER, etc..) and at our company website http://www.mycompany.com/


E-Merchants: Secure Your Online Sales from Cybersecurity Threats

By Anthony Webb, EMEA Vice President, A10 Networks

This year, online retailers pushed the boundaries with “Black Friday” deals in the hopes of improving their online sales, thanks to the uncertainty around in-store shopping due to COVID-19, leading many customers to make their purchases from the safety of their own homes. As a result, e-commerce merchants have witnessed a significant uptick in users and devices connecting to websites than in recent


Good Cybersecurity is Crucial

The good news for e-tailers is that overall sales are expected to grow in the new year. This has added importance in a year when many e-commerce businesses have faced unprecedented disruption. However, one thing is clear. Online sales will take centre stage.


However, just as online sales are at the forefront, so too should cybersecurity be. Retailers aren’t the only ones looking to capitalise on the increase in online spending. Shopping seasons offer hackers an opportunity to profit as well. We’ve already seen a huge uptick in cyber-threats due to COVID-19. Now, online shopping provides cyber-criminals with additional motivation to launch their attacks using some of the below tactics:

Phishing – Phishing and its variants, including spear-phishing and whaling, are email-based attacks that leverage social engineering techniques to fool recipients into providing sensitive information to the attacker. While spear-phishing and whaling attacks are more targeted than phishing, all three forms attempt to get the victim to read the email, click on a link, possibly open an attachment, and ultimately disclose valuable personal or corporate information.

Ransomware – Ransomware attacks, which seek to extort money from victims by encrypting files or entire systems until they pay the attacker a ransom, have become increasingly popular in recent years. Much of this has to do with the potential to make large sums of money from the ransoms. Another reason for the rise in ransomware attacks is the availability of ransomware-as-a-service (RaaS) kits, which are inexpensive to purchase on the black market, making it easy for novice hackers to launch their own attacks. Phishing emails are the top threat vector to distribute ransomware.

Distributed Denial of Service (DDoS) – DDoS attacks are designed to stop a computer, server, website, or service from operating by flooding it with internet traffic generated by an army of bots called a botnet. The tremendous growth in Internet of Things (IoT) devices, many of which are not properly secured, has made it easier for attackers to take control of more devices and create botnets. DDoS attacks can be especially damaging to e-commerce businesses if customers can’t access their websites to make


Malware – Malware attacks take many forms including viruses, worms, spam, spyware, and more. Some malware threats such as spam are more of an annoyance, while others such as viruses and worms can spread across a network infecting systems and negatively impacting their performance and user productivity. Similarly, spyware can slow down systems. However, it can also be used to report sensitive information such as passwords back to the hacker.

Injections – Injection attacks such as cross-site scripting and SQL injections are used to exploit vulnerabilities in web applications by injecting malicious code into a program, which then interprets the code and changes the program’s execution. In other words, it gets the application to do something unintended such as alter the behavior of a website or expose confidential data like login credentials to the attacker. E-commerce businesses hit with an injection attack could find their customers redirected to a fake site which illegally harvests customer information.
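The injection mechanism described above, as an added example that is not part of the original article: a product search for an e-commerce catalogue written two ways, with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The table contents, the search functions and the HTML escaping helper are assumptions made for illustration.

```python
import html
import sqlite3


def make_catalogue():
    """Constructed sample data: two listed products and one that must stay hidden."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, listed INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("A100", "winter coat", 1),
        ("A200", "scarf", 1),
        ("X900", "unreleased-item", 0),
    ])
    return conn


def search_vulnerable(conn, term):
    """User input is spliced into the SQL text, so it can change the query's structure."""
    sql = "SELECT sku, name FROM products WHERE listed = 1 AND name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_hardened(conn, term):
    """The driver sends the value separately from the query; it is only ever data."""
    sql = "SELECT sku, name FROM products WHERE listed = 1 AND name = ?"
    return conn.execute(sql, (term,)).fetchall()


def render_result_row(name):
    """Cross-site scripting half of the same lesson: escape before emitting HTML."""
    return "<li>" + html.escape(name) + "</li>"


def demo():
    """Run both searches with a normal term and with a tautology probe."""
    conn = make_catalogue()
    probe = "x' OR '1'='1"  # turns the WHERE clause into (listed=1 AND name='x') OR true
    return {
        "normal": search_hardened(conn, "scarf"),
        "vulnerable": search_vulnerable(conn, probe),  # every row, unlisted one included
        "hardened": search_hardened(conn, probe),      # no product has that literal name
    }
```

The vulnerable query leaks the unlisted row because the probe rewrote the predicate; the parameterised query treats the whole string as a product name and matches nothing.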

The Consequences of Poor Cybersecurity

If e-commerce merchants are not prepared to stop malware, DDoS attacks, and other threats, the consequences of a successful attack could be the difference between surviving and ceasing trading. Here’s what businesses could be facing:

Lost Revenue – Any downtime to a web server that prevents customers from making a purchase is damaging to online sales and can potentially have a severe impact, especially for smaller organisations.

Data Theft – The increase in online shopping during sales periods is a lure for cybercriminals to launch attacks aimed at stealing corporate and customer data. Phishing emails claiming to have information on fake shopping receipts, shipping status, and customer surveys are very popular in the run-up to


Disruption of Services – DDoS and ransomware attacks can target services that we deem essential. E-commerce sites, public utilities, and schools are just a few examples of their victims. Shutting down access to a service, even for a short period of time, can have major financial and social impacts.


Damaged Reputation – Damage can extend beyond short-term financial losses and data theft. Consumer confidence and brand reputation can quickly erode when consumers have a poor online experience. Customers aren’t shy about using social media to express their displeasure.

Reduced Productivity – It’s not just customers who feel the impact of a successful attack. If employees can’t access the applications they need to do their jobs, expect to see a drop in productivity with an accompanying rise in undesirable workarounds.

Steps to Take

Cybersecurity is an everyday concern. Fortunately, there are some things that organisations can do to keep applications, networks, and the business safe from threats, especially during peak online shopping


First, look for a solution that provides DDoS detection and mitigation to ensure services are continually available to legitimate users. Hackers have learned how to weaponise IoT devices to launch complex multi-vector and volumetric attacks, capable of bringing down application servers and entire networks.

Second, protect web-based applications with web application firewall (WAF) technology. Outdated applications are especially vulnerable to attacks. A WAF will secure them from hackers looking to exploit HTTP and web application-based flaws.

Third, find solutions that meet current and future platform needs. Organisations may not have transitioned to the cloud yet, but they’ll likely have some cloud-based apps. They must be sure their solution is ready when the company is ready, whether it is moving to a hybrid cloud or multi-cloud infrastructure. And finally, continue to educate employees on the need for good cyber hygiene. According to a 2019 IBM study, 95% of cybersecurity breaches are caused by human error.

With this shift to online shopping potentially a permanent one, e-commerce merchants should expect these sustained levels of activity going forward. Therefore, it’s imperative that e-commerce businesses secure applications, servers, and networks from cyber threats at all times.

About the Author

As VP EMEA, Anthony Webb is responsible for managing and growing A10’s sales operations, as well as leading the company’s sales and channel strategy across the region. Before joining A10, he served as vice president EMEA of Ixia Technologies, focusing on maintaining Ixia’s position as the leading provider in network testing while driving their leadership status in network visibility. Prior to joining Ixia, he held positions at the vice president and managing director level for Juniper Networks, running sales organizations across EMEA and in the UK. In 2000, he joined Cisco as sales manager for service provider and enterprise verticals in the UK, before serving as enterprise sales director emerging markets with Cisco in MEA, then collaboration sales director emerging markets. He left Cisco in 2011 to return to the UK.

Anthony can be reached online at (awebb@a10networks.com) and at our company website



The Privileged Credential Security Advantage

By Tony Goulding, Cybersecurity Evangelist at Centrify

Over time, a causal pattern has emerged that accounts for the majority of security risks for enterprises: privileged accounts lead to data breaches. So much so that the majority of breaches (over 67 percent) in 2020 were caused by credential theft.

Organizations that prioritize privileged credential security have an advantage over their peers by ensuring their operations are more resilient to data breaches. However, there’s a gap that continues to widen between those guarded against a breach and the numerous others that aren’t.

Many have paid attention and embraced the warnings and guidance from analysts, press, and vendors that called for implementing privileged access management (PAM) security controls to mitigate the risk. The question is, did you go far enough?


IT Automation Software and the Attack Surface

As it relates to privileged accounts, the attack surface can be enormous and very diverse. Reducing this attack surface is a primary objective. However, for many organizations, the first – and often, only – focus is on the human administrator and their privileged activities.

Let’s visit another slice of this attack surface that often flies under the radar. Your mileage may vary, but this risk can be just as significant, if not more so. It’s the use of privileged accounts by IT automation software: tools commonly found in IT service management (ITSM), IT operations management (ITOM), and continuous configuration and automation (CCA) platforms, such as asset discovery, vulnerability scanning, and software orchestration.

For example, you may use one tool to scan the network for systems and analyze each one looking for exploits, vulnerabilities, and misconfigurations. And another tool may help you maintain a single system of record for your IT assets by conducting an inventory of each system, feeding results into different tools to show applications, infrastructure, as well as service relationships and dependencies. On top of these, a different tool from a different vendor may be helping you control your IT infrastructure, job scheduling, and inventory management. Like the others, it needs administrative access to IT infrastructure.

What they all have in common is that they need to log into IT systems via SSH or WinRM to run commands and scripts with privileges and obtain system-level intelligence.

Therein lies the risk.

Externalizing Credential Management

By default, IT configures these privileged account IDs and passwords statically within the tool. Let’s be clear about what this means. You’re entrusting the keys to every IT system, on-premises and perhaps in the cloud as well, to an application whose core strength is not identity and credential management. Not only that, IT must manually configure dozens or even hundreds of credentials in the tool. Multiply that by the number of tools requiring privileged accounts, and the lights never go off for IT. We haven’t even got to password rotation.

Thankfully, several leading vendors in the space have recognized this. As an alternative, most allow IT to externalize identity and credential management to a third-party solution designed for the job.

Relocating credentials to a hardened password vault is the best practice to mitigate this risk. Instead of IT configuring passwords within the tool, the tool fetches them from the vault at scan time. If an attacker compromises the tool, they won’t find any privileged account passwords in its configuration settings, preventing lateral movement to the IT servers and limiting what could amount to a complete compromise of every server in your IT infrastructure, including domain controllers.

Reducing Risk and Adding Value

The value doesn’t end there, however. By now, it’s evident that passwords are inherently weak and introduce risk. IT can use the vault to strengthen passwords and help prevent login denials. Frequent rotation helps mitigate the risk, along with setting long, cryptic passwords. Unfortunately, this falls below the line of high priorities for many IT shops, resulting in a “set it and forget it” mentality. With the vault, you get automatic account password rotation coupled with password quality of service policies. You avoid the risk of stale passwords with low entropy. No longer must IT manually log into each system to change the local account password, then manually update it in each tool to ensure consistency.

The vault can also help prevent scan failures that occur in between the scheduled password rotation jobs. Let’s say someone (a well-meaning internal admin or a threat actor) changes a local system password, but an ITOM tool is still using the old one. Subsequently, the login would fail, and you now have gaps in system coverage requiring manual intervention. Some password vaults can automatically reconcile out-of-sync passwords in real time during password check-out to ensure the local system account password and the vaulted password are the same. This client-based password reconciliation feature ensures that your tool will always fetch a valid password from the vault with which to log in at scan time.
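The two ideas above, a tool that stores no passwords and fetches them from a vault at scan time, and a vault that rotates stale passwords and reconciles out-of-sync ones at check-out, in one constructed Python simulation. This is an added example, not Centrify's or any vendor's code; the Host and Vault classes, the agent_key reconciliation mechanism, the 80-bit quality policy, the 30-day rotation age and the sample hosts and passwords are all assumptions made for illustration.

```python
import math
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def entropy_bits(password):
    """Rough strength estimate: length * log2(total size of the character classes used)."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(size) if size else 0.0


class Host:
    """Constructed stand-in for a server's local admin account. agent_key models a vault client
    installed on the host that can reset the password without knowing the current one (assumption)."""

    def __init__(self, name, password):
        self.name, self._password = name, password
        self.agent_key = secrets.token_hex(16)

    def login(self, password):
        return secrets.compare_digest(password, self._password)

    def set_password(self, old, new):
        if not self.login(old):
            return False
        self._password = new
        return True

    def agent_reset(self, agent_key, new):
        if not secrets.compare_digest(agent_key, self.agent_key):
            raise PermissionError("vault client not authorised on " + self.name)
        self._password = new


@dataclass
class VaultEntry:
    password: str
    rotated_at: datetime


class Vault:
    """Holds the credentials; tools fetch one per check-out instead of storing them."""
    def __init__(self, hosts, min_bits=80.0, max_age=timedelta(days=30)):
        self.hosts = {h.name: h for h in hosts}
        self.agent_keys = {h.name: h.agent_key for h in hosts}
        self.min_bits, self.max_age = min_bits, max_age
        self.entries, self.audit = {}, []

    def generate(self, length=24):
        while True:  # quality-of-service policy: never hand out anything below min_bits
            pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
            if entropy_bits(pw) >= self.min_bits:
                return pw

    def onboard(self, hostname, current, now):
        """Take custody of an existing password; rotate at once if it fails policy."""
        if not self.hosts[hostname].login(current):
            raise ValueError("cannot verify current password for " + hostname)
        self.entries[hostname] = VaultEntry(current, now)
        if entropy_bits(current) < self.min_bits:
            self.rotate(hostname, now)

    def rotate(self, hostname, now):
        new = self.generate()
        if not self.hosts[hostname].set_password(self.entries[hostname].password, new):
            raise RuntimeError("rotation failed for " + hostname)
        self.entries[hostname] = VaultEntry(new, now)
        self.audit.append((now, hostname, "rotated"))

    def checkout(self, hostname, tool, now):
        """Scan-time fetch: reconcile an out-of-sync password, then rotate if stale."""
        entry = self.entries[hostname]
        if not self.hosts[hostname].login(entry.password):
            # Someone changed the local password behind the vault's back: reconcile it.
            new = self.generate()
            self.hosts[hostname].agent_reset(self.agent_keys[hostname], new)
            self.entries[hostname] = entry = VaultEntry(new, now)
            self.audit.append((now, hostname, "reconciled"))
        if now - entry.rotated_at > self.max_age:
            self.rotate(hostname, now)
            entry = self.entries[hostname]
        self.audit.append((now, hostname, "checkout:" + tool))
        return entry.password


def scan(vault, tool_name, now):
    """What the ITOM tool does at scan time: it knows host names, never passwords."""
    return {name: host.login(vault.checkout(name, tool_name, now))
            for name, host in vault.hosts.items()}


def run_scenario():
    # Constructed scenario: one weak password, one changed behind the vault's back.
    t0 = datetime(2021, 1, 1)
    web, db = Host("web01", "Summer2020!"), Host("db01", "Kq7#mPz2@vLw9$Rt4!Hn")
    vault = Vault([web, db])
    vault.onboard("web01", "Summer2020!", t0)  # below 80 bits, so rotated immediately
    vault.onboard("db01", "Kq7#mPz2@vLw9$Rt4!Hn", t0)
    db.set_password("Kq7#mPz2@vLw9$Rt4!Hn", "ChangedByAdmin#2021")  # local drift
    return scan(vault, "vuln-scanner", t0 + timedelta(days=45)), vault.audit
```

Both logins succeed at scan time: web01's password was rotated because it had aged past the policy, and db01's was reconciled because the vaulted copy no longer matched the host.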

Because unauthorized access is a high-reward, low-risk endeavor, hackers will continue to seek out and find new ways of gaining access to high-value and sensitive resources. But embracing a defense-in-depth strategy by externalizing credential management and gaining insight into incremental risk can go a long way toward mitigating or preventing data breaches, even if the specific attack vectors are not yet known.

About the Author

Tony is a Cybersecurity Evangelist at Centrify. He has over 30 years of security software experience and more than 15 decades of experience in identity and access management & privileged access

Tony can be reached online on Twitter at @Tony_Centrify and at our company website www.centrify.com


How To Keep Your Children Safe In Remote Learning

By Nevin Markwart, Chief Information Security Officer at FutureVault

As parents, we have conflicting feelings on remote learning. On one hand, we want our children to stay healthy, especially in the midst of a public health crisis. On the other hand, online education opens the door to new threats, including opportunities for hackers, risks to our children’s privacy, and increased online harassment.

Fortunately, we as parents can play a proactive role in ensuring that our children’s online education is a safe and fulfilling experience. Here are several easy steps that you can take to protect your children in remote learning situations:

Classroom Learning

Creating an open dialogue with your children’s educators is a simple yet effective way to ensure that everyone is on the same page when it comes to safety and privacy. You should discuss safety protocols with the school and flag anything that concerns you. Confirm the school has privacy policies in place and learn what they are.

Speak with your children’s teachers and meeting administrators about which screenshare tool they use and confirm that only the school can control screenshare. Learn that program and its security features as much as possible.

Make sure the teacher allows students to turn off their cameras after confirming attendance if they’re uncomfortable “going live.” Many adults feel uncomfortable on camera, so imagine how children must



Parents should have ultimate control over what their children use and see online. Know what platforms your children are using, whether for learning or social media. Maintain direct oversight on whom your children engage with online and limit that circle to known friends, family, and acquaintances. Use Screen Time or Parental Controls to restrict the types of online activities your children can do.

You should set up secure passwords for your children to prevent their accounts from getting hacked. Secure passwords are at least twelve characters long, do not include dictionary words, and mix numbers, symbols, and letters (lowercase and uppercase). Turn on your firewall and make sure your children only download files from people or sites you know and trust.

Remember that anything posted online is public, not private information. So, talk to your children about what they’re not allowed to post online. They should never post any sensitive personal information (e.g. social security number, passwords, etc.) on their internet profiles: changing a profile does not delete old copies of it.


Communication is a key step to prevent cyberbullying. Explain to your children that what happens on the Internet can be permanent and damaging. You should treat people the same way online as you would in person: with respect. This includes not saying anything mean or untrue about someone online. Ask your children’s school what disciplinary measures are in place for online misbehavior.

Report online harassment, including any message that makes your children feel uncomfortable. If the harassment occurred through your children’s remote learning platform, notify their school. You can also report harassment to local law enforcement. Make sure to save and print any records of threatening messages, including screenshots, emails, and texts, for evidence.


About the Author

Nevin Markwart, Chief Information Security Officer at FutureVault.

Nevin Markwart is the incoming Chief Information Security Officer (CISO) for FutureVault Inc., an innovative internet cloud-based personal document storage, access and distribution company. Initiating his third professional career, Nevin graduated in 2019 with a Master of Science degree in Cybersecurity from Brown University, the Ivy League school located in Providence, Rhode Island. Nevin is an online information privacy expert, having written his graduate thesis paper, “Restricting the Adverse Effects of Internet Terms of Service Agreements,” with the support of his non-faculty academic advisor Tom Ridge, former Governor of Pennsylvania and first US Secretary of the Department of Homeland Security.

Previously, Nevin was the Boston Bruins’ first pick in the 1983 NHL Entry Draft and turned pro immediately after the draft at age 18. He went on to play nine seasons in the NHL, retiring due to the cumulative effects of three shoulder surgeries. After retiring from hockey, Nevin completed his MBA in finance from Northeastern University in Boston in 1994 and began another career in the investment management industry.

Nevin’s investment industry experience includes senior and executive roles in Boston as an equity analyst and portfolio manager, director of research, product manager, and head of Canadian equities for firms including Wellington Management and Fidelity Investments.

Later in his investment management career, Nevin led two Canadian mutual fund companies as CEO: Calgary-based Canoe Financial and Toronto-based Front Street Capital.

Nevin is a member of the Board of Directors of the Business of Hockey Institute (BHI), the Saskatchewan CFA Society, Prairie Green Renewable Energy Inc and Evolution Potash. He is also a business management mentor for the Canadian Consulate’s Canadian Technology Accelerator (CTA) in Boston.


More Internal Security Needed, Less Budget – 10 Tips to

By Jody Paterson, Founder and Executive Chairman, ERP Maestro

As if internal risks of fraud and data breaches were not high enough, enter a year of new work environments and economic uncertainty that has ushered in an even more risk-prone era. Before we even knew the word “COVID,” the frequency of fraud had tripled in the last four years, according to the Ponemon Institute’s 2020 Cost of Insider Threats report. By August of this year, a survey conducted by the Association of Certified Fraud Examiners (ACFE) revealed that 77 percent of respondents said they had observed an increase in the overall level of fraud since the pandemic began, with one-third noting that the increase had been significant.

The near-term future doesn’t look better. In the same ACFE report, 92 percent expected fraud to increase in 2021. However, fraud isn’t the only concern. Data theft by employees has also risen, and research firm Forrester expects data breaches caused by insiders to increase by 33 percent in the year ahead.


The cause? More remote work, fear of unemployment and easier ways to access and remove data are the reasons cited.

At the same time, companies are reluctant to allocate more money for safeguards, even though the need for improved security is apparent. Yet, we know that leaving risks undetected can end up costing much more than the security solutions designed to prevent them. How, then, can companies get greater protection for business systems while also keeping costs down? The following 10 tips can help.

Establish a Security Control Baseline

When developing a strategy and cost-saving budget, start by establishing a security control baseline. A company’s security baseline is the minimum internal security controls needed to keep a system protected and the base objectives that must be met to achieve security goals.

Perform a Risk Assessment

Along with creating a security control baseline, determine your current risk level with an analysis of access risks by user, role and business process. This review will provide a deeper comprehension of key areas of risk and how to tackle them as cost-effectively as possible.

Calculate Your Risk Tolerance

Along with a risk assessment, a company should know exactly what its risk tolerance is – how much risk it can afford to have. While risk threshold determines how much risk is acceptable before action must be taken, risk tolerance gets into the dollars and cents of what a company can afford if an incident occurs. A company needs to weigh the potential cost of fraud, data breaches and mishaps by employees to determine if it can tolerate that amount of risk and loss.

Decrease Audit Deficiencies

Companies meeting audit compliance requirements for Sarbanes-Oxley have to think through the risks and costs of audit deficiencies and material weaknesses and add those to their probability of risks. Reducing risk – even audit risks – to begin with can be the more cost-effective posture to take.

Reduce Risk Remediation

Cutting the cost of access risk remediation is another budget-saving strategy. By running a risk analysis more frequently, risks can be found promptly and remediation work can be performed as risks arise rather than accumulating a massive number of risks and creating an overwhelming amount of remediation work all at one time. Such a scenario may slow remediation processes and even let some remediation slide, thereby leaving a company open to a greater risk of damaging incidents.


Eliminate Complexity

Manual processes or risk analyses are more complex and harder to perform. Simplify processes as much as possible to reduce errors, time and cost. But also think about more simplicity in whatever technology you use to help control risks. Bear in mind that an intuitive user interface and risk reporting can drive greater adoption and use while reducing training, costs and risk in general.

Leverage Automation

Lowering risks, cutting audit deficiencies and reducing remediation work are easier to achieve with automated tools. Organizations can not only save hours and hours of time spent on manual work but also improve accuracy and remediate any risks faster.

Cloud Technology

Most companies today realize the value of automation, which can be achieved in both on-premises and cloud technology, but cloud technology can add advantages and savings not possible with on-premises solutions. Cloud technology can come with some significant cost-savings, from no-cost deployments, to an end to continual upgrades and maintenance, to extreme flexibility and long-term agility.

Rank Your Solution Needs

One way to be more cost-conscious in security spending is to rank the importance of features in internal security and access control tools. One way to break this down is to think about not only what you need today but also what you might need tomorrow and what features are nice-to-haves versus must-haves. An important caveat here, however, is to not buy any unnecessary bells and whistles. Spending more doesn’t indicate that you have better cybersecurity readiness. Throwing more money at a problem isn’t the best approach. Research firm Gartner points out that a company may spend more money but invest in less-suitable solutions, therefore inadvertently bloating budgets and making the business more susceptible to risk.

Employee Training

It may not be so obvious to include employee training when thinking about maximizing your budget. The truth is, however, that even with taking all of the measures you can with best practices and technology, insider attacks are attributed to employees of every rank. An all-inclusive security program should make training on internal risks, as well as external cyber threats, a priority.

In conclusion, cutting costs for internal security shouldn’t mean cutting necessary security solutions or not investing in new or better tools. There are ways, using the tips above, to keep costs at a minimum while getting better risk protection.


About the Author

Jody Paterson is a trusted governance, risk and compliance advisor and thought leader who is a Certified Information Security Specialist (CISSP), a Certified Information Security Auditor (CISA), a former KPMG director, and Chairman and Founder of ERP

Jody can be reached online at j.paterson@erpmaestro.com, on LinkedIn at https://www.linkedin.com/in/jodypaterson/ and via our company website http://www.erpmaestro.com


Personal Data Breaches for GDPR Compliance: Everything You Need to Know

By Dan May, Commercial Director, ramsac

In the new era of cybercrime, identifying the proper sanctions and reactions for any business can seem challenging, if not confusing. When it comes to data protection and operational compliance in the digital world, authorities like the Information Commissioner’s Office, or ICO, have identified a sense of confusion surrounding incident management, which includes the whole process itself.

The Information Commissioner’s Office recently revealed that nearly a third of the 500 reports of data breaches it receives weekly are unnecessary or fail to meet the minimum threshold of a GDPR personal data breach. As many operations attempt to anticipate GDPR (or compliance with the General Data Protection Regulation), there remains an unfortunate atmosphere of confusion, or misunderstanding, when it comes to appropriate incident management under data protection regulation. Operations seem to struggle with the types of incidents or breaches that should be officially reported under GDPR.

It is understood that ‘over-reporting’ is the most common reaction to perceived breaches. Whilst this is largely motivated by a desire for operational transparency and good compliance practice, clearing up misconceptions surrounding GDPR and data breaches can help businesses remain competitive by avoiding risky or costly penalties.


Identifying personal data breaches

Over-reporting is not a strategy as much as it is a scattered reaction to a data breach. Under GDPR compliance, which is far-reaching across European territories and beyond, there is a new urgency to officially report compromises that might upset data protection within your organisation. It is also considerably more than a mere courtesy to your employees: it is an attempt to strictly regulate the collection, movement, and storage of personal information, which is why it is most often a challenge to companies with access to larger amounts of data.

Defined under the General Data Protection Regulation, a personal data breach can be understood as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (captured in Article 4, definition 12).

Importantly, not all ‘breaches’ are equal in severity and, therefore, not every incident needs to be officially captured and reported. Where a compromise falls outside of that definition under GDPR, or where its severity is limited, action isn’t necessarily required. The goal for businesses should be clarifying whether action is officially required or not. But how does this look in everyday practice?

It is always advisable to evaluate incidents and cases individually, determining the next actions based on the severity of each breach. Some breaches may affect or inconvenience the role of a single employee, whereas other, larger compromises can impact the emotional, physical, or financial lives of many.

Any business that suffers a breach should plan to formally document what happened and any next actions, including whether it was reported or if it failed to meet the criteria. This can help businesses in the scenario that a decision is challenged.

How soon should a breach be reported?

All businesses are responsible for identifying, and responding to, breaches under data protection. Not only should businesses aim to have the right controls in place to promptly detect a breach, but they should report any compromises within 72 hours to the supervisory authority (which is summarised in Article 33). One of the most common misconceptions about compliance with GDPR is that this mandatory reporting period accounts for 72 “working” hours – whereas, a breach should be captured within 72 hours from the moment of discovery.

Where employees or the public might be affected by unauthorised data breaches, those affected should be appropriately notified. In certain scenarios, a business may even need to release a press statement. This will allow those affected parties an opportunity to take precautions and guard themselves from any


What needs to be officially reported?

Compliance requires expertise, and failures, delays, or inaccuracies when businesses respond to the ICO’s request for information are increasingly common. Preparing for incident management within your organisation means understanding your responsibilities when a breach is detected and how it needs to be managed – including documenting actions.


Refer to the ICO’s data breach reporting assessment for the kinds of information required following a breach and the depth expected from your investigation. The ICO expects every business to demonstrate the depth and breadth of their investigation by responding to everything from breach discovery to management of its effects.

Failure to respond properly to data breaches, under the GDPR, can result in heavy fines and penalties. The role of data protection cannot be underestimated, both in how your company plans to prevent breaches and how it will manage any future ones. Compliance with GDPR, even though commonly misunderstood, can define how your operation does business in the markets under data protection

About the Author

Dan May is the Commercial Director at ramsac, providing secure, resilient IT management, cybersecurity, 24-hour support, and IT strategy to growing businesses in London and the South East.


Brave New World: Safari Content Blocking

By Andrey Meshkov, CEO and CTO at AdGuard

● Content blocking is not a priority for Apple and WebKit.

● Content blocking in Safari is possible despite all its issues and limitations.

● If we want to improve it, we need to contribute to WebKit ourselves.

This article is about content blocking on Apple platforms, mainly iOS. Why is it important to talk

about Apple? First of all, it's Apple, and it enjoys a large enough market share that many users

will be affected by its content blocking capabilities (or lack thereof). Secondly, Manifest v3 is

coming to Chromium, and half of the technical problems there have already been solved, unlike in Safari.

There are a lot of similarities between the two, so we’ve been able to draw some conclusions

about where Safari is falling behind. In this article, we’ll go over the content blocking methods

available on iOS, and see how to get around the limitations when possible.


Content blocking in general: System-wide filtering

There are only two options for content blocking: System-wide filtering and Safari Content Blocking.

System-wide filtering is not as widespread as Safari Content Blocking for a number of reasons. However,

it’s the only way you can go beyond Safari and do content blocking in other apps and browsers.

Furthermore, System-wide filtering was actually possible even before Safari Content Blocking was

introduced in 2015. One of the first content blockers on the App Store, in fact, was quite a popular app

called WeBlock, which did system-wide filtering.

All System-wide filtering methods are based on the NEVPNManager API. Using a local tunnel, the app can

filter DNS, use a PAC file to block requests, scan SNI, or even intercept TLS. You can have all these in

your app, but unfortunately nothing comes without downsides. There are techniques to bypass DNS

filtering and PAC files, and there are also some technical limitations. For example, there’s a strict memory

limit that iOS imposes on VPN tunnel processes, and it will kill any process that uses over 15 MB of RAM.

The App Store may not be consistent with Apple’s rules

The App Store Guidelines, Section 5.4, VPN Apps, states: “Parental control, content blocking, and

security apps, among others, from approved providers may also use the NEVPNManager API.” But still,

there are no guarantees that your app will be allowed on the App Store.

We at AdGuard have a sad history with the App Store. Everything was great back in 2015 when we

launched the app, but then in 2018, Apple suddenly decided to ban all apps that did system-wide filtering.

We even had to discontinue our AdGuard Pro app after that. Then after a year or so, they changed their

decision again and the guidelines now contain an exemption specifically for parental control, content

blocking and security apps. So we were back in business, the app was approved, and we started working

on a major update, new features, and other cool stuff. In the beginning of 2020, we uploaded a major

update and it was rejected again with pretty much the same wording as they had used two years before.

The reviewer told me over the phone that it wasn’t his decision; they had gathered a committee that

decided that they didn’t want to have a system-wide filtering app on the App Store. So in order to pass

the review, we had to make some rather drastic changes to the app, go through the App Store appeal

process and review board, and only then was it approved. At the same time, I see multiple apps that do

very similar things to the ones that we weren’t allowed to, and nothing happens to them. This shows that

an app may pass the review process, but some time later, another committee may kick the app out of the

App Store—or it might never happen.

The Safari Content Blocking API has issues and limitations...

In contrast to system-wide filtering, there’s no controversy about Safari Content Blocking: it’s definitely

allowed, and it’s safe to make an app that does it—but nothing good comes without complications, so

let's see the issues and limitations of this API. Fortunately some of them can be solved; maybe not fully,

but to an extent.

Safari Content Blocking comes with no tools for debugging content blocking. The only tool

that’s available is the browser Console, where you can see which requests were blocked, but from the

Console output it’s impossible to understand what rule is blocking those requests. Figuring it out can be

an annoying, time-consuming process.


AdGuard, EasyList and uBlock filters are based on the original Adblock Plus “core” syntax. It has since

been extended, but the “core” part of it is the same among all popular content blockers. Safari Content

Blocking rules have nothing in common with this syntax, which is a problem because we don't want to

create special Safari-only filter lists. Also, Safari just doesn’t provide tools for that. What we want is to

use the good old traditional filter lists like AdGuard and EasyList. For now, we’re using a real-time

approach right on the device to automatically convert our rules into Safari Content Blocking rules for the

AdGuard apps. This way we can convert about 90% of all Easylist & AdGuard filters so they’ll work on


...And slow compiling...

This point is actually pretty massive, because it’s the reason for some other limitations. Safari compiles

every content blocker’s JSON file into a “prefix tree,” and the process is quite slow. For example, it takes

over two seconds on a new MacBook Pro to compile a JSON with just a little over 30K rules.

Compared to content blockers on other platforms, it takes less than a second for the AdGuard Android

app to parse and compile a list with over 100K rules. The obvious difference, though, is that our Android

app uses a different syntax which is not as complicated as regular expressions; perhaps it’s not that

flexible, but it’s specifically optimized for matching URLs.

It’s easy to explain the next limitation. A single content blocker cannot contain more than 50K rules, and

that’s a hard-coded limit. We contacted the developers of WebKit (the browser engine behind Safari),

and they told us that the main reason for this limitation is how slow the compiling process is. They may

increase it a little bit because new devices are faster, but that won’t magically solve all our problems.

There’s no room for a substantial improvement as long as the rules are based on using regular

expressions. This limitation itself is a major problem. AdGuard Base filters + EasyList have 100K rules in

total and simply do not fit within the limit.

There are a couple of things to do in order to solve this issue. We can convert our rules to Safari Content

Blocking rules now, but we also need some more modifications to make the resulting list as short as

possible. One of the things we do is combine similar element-hiding rules into a single rule. This helps a

lot, but it’s still not enough. Another thing that we do is remove obsolete or rarely used rules from the filter

lists that we use in Safari. Where that removal would cause problems, filter list maintainers can use special

“hints” to exempt rules from the “optimization” process.

But that’s not all. Now, we come to the issue of multiple content blockers.

AdGuard registers SIX content blockers for Safari, and the user is supposed to enable them all. So,

do six content blockers actually mean that the limit is now 6 x 50K = 300K rules? Yes and no; it’s just

not that simple. The problem is that these content blockers are completely independent, and the rules

in them can’t influence each other. If one content blocker decides that a URL should be blocked, the

other ones can’t undo that decision. Or, if one content blocker decides that some page element should

be blocked, it will be blocked; the others can do nothing about it. But that’s not how it works in real life

on other platforms. Different filter lists are supposed to interact with each other; a good example is

EasyList supplementary language-specific lists: they may fix issues on some local websites.
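The rule conversion and list-shrinking described above, together with the independence of multiple content blockers, as an added example that is not AdGuard's code: a small JavaScript converter for a few shapes of the core Adblock Plus syntax, the merging of element-hiding rules that share a scope, and a model of how Safari combines independent blockers. The sample rules are constructed, and the converter handles only the rule shapes they use.

```javascript
// Added example, not AdGuard's converter: turn a few "core" Adblock Plus rules
// into Safari Content Blocker JSON, merge element-hiding rules that share a
// scope, and model why one content blocker cannot undo another's decision.

const RULE_LIMIT = 50000; // per-content-blocker limit quoted in the article

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Network rule: '||' domain anchor, trailing '^' separator, '*' wildcard and
// the '@@' exception prefix. Safari's url-filter regex has no alternation,
// so the Adblock Plus separator is approximated with a character class.
function convertNetworkRule(rule) {
  let action = { type: 'block' };
  let body = rule;
  if (body.startsWith('@@')) {
    action = { type: 'ignore-previous-rules' };
    body = body.slice(2);
  }
  let regex = '';
  if (body.startsWith('||')) {
    regex = '^[a-z]+://([^/]+\\.)?';
    body = body.slice(2);
  }
  let separator = '';
  if (body.endsWith('^')) {
    body = body.slice(0, -1);
    // A URL always has at least '/' after the host, so a host-only rule can
    // require the separator (keeping "ads.example.evil.net" from matching);
    // after a path the URL may simply end, so there it is optional.
    separator = body.includes('/') ? '[/:?&]?' : '[/:?&]';
  }
  regex += body.split('*').map(escapeRegex).join('.*') + separator;
  return { trigger: { 'url-filter': regex }, action };
}

// Element-hiding rule "dom1,dom2##selector" or "##selector" (all sites).
// Safari's if-domain takes a leading '*' to include subdomains.
function convertHidingRule(rule) {
  const idx = rule.indexOf('##');
  const trigger = { 'url-filter': '.*' };
  if (idx > 0) trigger['if-domain'] = rule.slice(0, idx).split(',').map((d) => '*' + d);
  return { trigger, action: { type: 'css-display-none', selector: rule.slice(idx + 2) } };
}

// Convert a whole list; lines starting with '!' are comments.
function convert(lines) {
  return lines.map((l) => l.trim()).filter((l) => l && !l.startsWith('!'))
    .map((l) => (l.includes('##') ? convertHidingRule(l) : convertNetworkRule(l)));
}

// The optimisation described in the article: css-display-none rules with an
// identical trigger are folded into one rule with a combined selector list.
function mergeHidingRules(rules) {
  const byScope = new Map();
  const out = [];
  for (const r of rules) {
    if (r.action.type !== 'css-display-none') { out.push(r); continue; }
    const key = JSON.stringify(r.trigger);
    if (byScope.has(key)) {
      byScope.get(key).action.selector += ', ' + r.action.selector;
    } else {
      const copy = { trigger: r.trigger, action: { ...r.action } };
      byScope.set(key, copy);
      out.push(copy);
    }
  }
  return out;
}

// Model of independent content blockers: within one list, ignore-previous-rules
// cancels only earlier blocks of that same list; across lists the results are
// OR-ed, so an exception in another blocker changes nothing (if-domain ignored).
function isBlocked(blockers, url) {
  return blockers.some((rules) => {
    let blocked = false;
    for (const r of rules) {
      if (!new RegExp(r.trigger['url-filter']).test(url)) continue;
      if (r.action.type === 'block') blocked = true;
      else if (r.action.type === 'ignore-previous-rules') blocked = false;
    }
    return blocked;
  });
}

// Constructed sample list, not a real filter list.
const SAMPLE_LIST = [
  '||ads.example^',
  '||tracker.example/pixel*',
  'news.example##.ad-banner',
  'news.example##.sponsored',
  '##.popup-overlay',
];
const optimised = mergeHidingRules(convert(SAMPLE_LIST));
console.log(JSON.stringify(optimised, null, 2), `\n${optimised.length} rules, within limit: ${optimised.length <= RULE_LIMIT}`);
// Exception in the same blocker works; the same exception in a separate blocker does not.
console.log(isBlocked([convert(['||ads.example^', '@@||ads.example^'])], 'https://ads.example/x.js'));
console.log(isBlocked([convert(['||ads.example^']), convert(['@@||ads.example^'])], 'https://ads.example/x.js'));
```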


...And slow development

This is basically the full list of changes implemented in Safari Content Blocking:

● 2015 - Safari Content Blocking is implemented

● 2016 - Added one new feature (make-https) and a couple of major bugs were fixed

● 2017 - Added one more new feature (if-top-url) which is pretty useless, if you ask me, added

content blockers to WKWebView, and fixed a couple of bugs

Then it drastically slows down…

● 2018 - fixed a couple of bugs, refactoring

● 2019 - fixed a couple of bugs

● 2020 - no significant changes so far

This year, we and Cliqz, Brave, Adblock Plus and some other developers wrote an open letter and

compiled a list of the most pressing issues. Regardless of the severity of those issues, it doesn’t mean

that the WebKit developers are undermining content blockers. To us, it just seems like it’s not a priority

for them, or maybe they have limited resources, or both.

Do it yourself!

Regardless of the reasons behind WebKit’s laxness, it seems the only option we have is to do it ourselves,

since content blocking remains a priority to us. WebKit is open source and they are open to contributions,

so that seems like a good way forward. We may want to start with a proposal or a detailed specification

of the changes we would like to implement in WebKit and see if it gets approved. I hope it does, and then

we can implement it ourselves.

About the Author

Andrey Meshkov is a co-founder and CTO of AdGuard ad blocker. He's

been working in IT for over 15 years and has accumulated tons of

experience not just in his primary work area, but also in related ones, such

as online privacy concerns. Sometimes the urge to share his thoughts

becomes too unbearable and he takes a break from coding to write an

article or two.

Andrey can be reached online at https://twitter.com/ay_meshkov/


When Businesses Get Hacked- Who Are the Victims?

This article looks into who the victims are when an organisation comes under attack.

By Nicole Allen, Marketing Executive, SaltDNA.

Cyber-attacks occur every two and a half minutes, according to Government statistics, which is why

ensuring that your company is protected and secure is critical. Threats can come in several different

forms that vary depending on their severity. Hackers are deliberately trying to inflict damage, and they

need only persuade an employee to make one mistake that could give them access to everything they need.

The question is not "Which sectors are targeted the most?" so much as "Which sectors are the most

likely to suffer the greatest loss as a result of a cyber attack?"

Today's cyber criminals are not a homogeneous group. There are hackers who spend months at a time

attempting to extract data and funds from a single company, and there are others who threaten hundreds

of companies with phishing emails and other techniques, hoping to get a handful of curious workers to

click on a mass email attachment and then extort money with a DDoS attack. These strategies mean the

attackers continually move on to a fresh batch of victims.

So who are the victims of these attacks and how are they affected?


The repercussions of cyber attacks are felt by companies across the globe. The global economy has lost

5.2 trillion dollars over the past five years. Cyber attacks, however, go way beyond financial losses.

A Kaspersky survey confirms that 31% of cyber attacks lead to job losses due to employees being

involved with exposed customer data. According to the Data Security Breaches Report, 32% of all


organisations have reported cybersecurity breaches over the last 12 months. The method of attack

varies, but well-known examples are as follows:

● 80% of attacks are phishing attacks

● 28% are hackers impersonating an individual via email or online

● 27% are ransomware attacks when businesses come under threat

These attacks all take advantage of employees and pose major threats to companies.

A strong security plan must include sufficient controls to maintain a basic level of security and a tracking

system to investigate attempts to breach the policy, which should be accompanied by training for all

employees. When it comes to defending themselves from cyber attacks, many businesses fail to

recognise that their people are as important as the cyber tools which they deploy. There are a variety of

low-tech tactics used by hackers to take advantage of employees. Such tactics include: baiting,

unsubscribe buttons, social engineering, keyloggers and internal threats.

It is in the best interests of all companies to guarantee that their workers have all the expertise, knowledge

and skills they need to help protect the company and themselves from catastrophic cyber attacks and

data breaches. This means ongoing education and training, with the active participation of the IT

department of the organisation. All employees in the workforce should receive training to understand data

processing, security, secure communications and disposal best practices from the moment they start with

the organisation. The danger of cybersecurity threats must not be underestimated, and it is up to

employers to ensure that their workers have the resources required to ensure their business data is

secure at all times.

Business Owners:

A successful cyber attack will cause your organisation to suffer significant harm. It can impact your bottom

line, as well as the customer confidence in your brand. It is possible to divide the effect of a

security breach into three broad categories: financial, reputational and legal.

Cyber attacks can cause devastating consequences to a company, almost to the point where it could

shut a business down. A 2018 IBM study looked at 477 companies from 15 countries that had suffered

some form of data breach and asked them how the organisation was impacted by these cyber-incidents.

From this study, the healthcare sector was by far the most vulnerable in terms of overall damages from

a hack. In fact, this sector registered average costs of more than $400 per compromised customer record.

Financial services, at just over $200 a record, was a distant second. The financial loss is usually caused

by corporate identity theft, financial information theft (e.g. bank data or credit card data), money theft,

trade interruption (e.g. failure to carry out online transactions) or loss of trade or contract.

Trust is an integral element of the relationship between customers and businesses. Cyber attacks can

harm the credibility of your organisation and erode the trust your clients have in you. In turn, this could

potentially lead to customer loss, loss of sales and a drop in earnings. The effect of reputational harm

may also affect your suppliers, or affect the relationships you might have with your company's partners,

investors and other third parties.

From a legal standpoint, data protection and privacy laws expect you to manage the security of all

personal data owned by you, whether it be your employees or your clients. You can face fines and

regulatory penalties if this information is unintentionally or purposely breached as a result of the company


failing to enforce adequate security measures. British Airways is a prime example of this, having been

fined £20 million for a data breach which affected more than 400,000 of their customers.


Cyber attacks are more likely to occur as cybercrime becomes more profitable. The short-term and long-term

impacts that cyber attacks could have on your organisation are important to understand.

Similarly to business owners having their reputation negatively affected, customers' perception of the

company will change for the worse. According to a Forbes Insight report, 46% of organisations were found

to have suffered damage to their reputations and brand value as a result of a data breach. In other words,

once the public sees an organisation in a bad light, its reputation is almost impossible to fix. Just ask

Toyota, Tesla or Hancock Health, or any of the other brands that have suffered a data breach: it is just

about the worst light to be in.

Lawsuits and fines are other long-term consequences that affect businesses; there has been a huge

increase in class action lawsuits in both the US and UK as victims seek monetary compensation for the

loss of customer data. When cyber attacks leak large quantities of personal information, civil lawsuits

are common. Sometimes, these cases take years and are costly to resolve. According to a report by

security firm Norton, 978 million people in 20 countries lost money to cybercrime in 2017.

How can you prevent your business from falling victim to a cyber attack?

Even the most robust of organisations can be affected by data breaches. Managing the risks accordingly

is very important. An efficient cybersecurity incident response plan and secure communications platform

will assist you in preventing an attack from occurring in the first place, but also alleviate the pain when having

to manage potential incidents when they do arise. If you're still reading, you will be very aware you're

vulnerable to cyber crime. It is the new normal for all sizes of businesses, big or small. Media reports

concentrate on corporate mega attacks and breaches, but small businesses are the new frontier for cyber

criminals, as discussed earlier.

At SaltDNA we work with organisations across the world of all sizes to enable them to have secure,

confidential conversations wherever they are, at any time. Your best bet to ensure that the possibility of

a cyber attack never becomes your reality is to enforce a secure communications platform alongside a

comprehensive and ongoing employee education on cyber security.

For more information on this article, sign up for a free trial or to talk to a member of the SaltDNA team,

please contact us at info@saltdna.com.


About SaltDNA

SaltDNA is a multi-award winning cyber security company providing a fully enterprise-managed software

solution giving absolute privacy in mobile communications. It is easy to deploy and uses multi-layered

encryption techniques to meet the highest of security standards. SaltDNA offers ‘Peace of Mind’ for

organisations who value their privacy, by giving them complete control and secure communications, to

protect their trusted relationships and stay safe. SaltDNA is headquartered in Belfast, N. Ireland; for more

information, visit SaltDNA.

About the Author

Nicole Allen, Marketing Executive at SaltDNA. Nicole completed her

university placement year with SaltDNA, as part of her degree

studying Communication, Advertising and Marketing at University of

Ulster. Nicole worked alongside her degree part time during her final

year and recently started full time with the company having

completed her placement year with SaltDNA in 2018/19.

Nicole can be reached online at (LINKEDIN, TWITTER or by

emailing nicole.allen@saltdna.com) and at our company website



Security and Remote Management: What Is the Market

Looking Like as We Head Towards 2021?

By Gil Pekelman, CEO, Atera

For many IT professionals and managed service providers (MSPs), remote management has always

been part of the deal. Especially in this generation’s global economy, service providers are not always

local to their clients, and it is much more efficient and effective to be able to support customers from afar.

The big difference since the COVID-19 pandemic hit the headlines, is that employees are now working

from home, which is a whole different ball game to managing anyone working from an office environment.

Instead of managing a centralized location, there are now multiple remote offices - all with different needs

and security set-ups.

When working from home, employees are much more likely to be using personal devices, or shared

computers, and yet they are still accessing sensitive customer information, much of which is governed

by compliance regulations. Home networks are less secure than office networks, with weaker protocols

in place. A single vulnerability could bring a whole network down, compromising an entire company.


A Checklist for Remote Management of Home Workers

With many companies already extending WFH policies to continue through to Q2 of 2021, and maybe

even longer, and the FBI reporting a 400% increase in cybercrime since the start of the pandemic,

security procedures are still more important than ever.

It’s therefore essential that security teams up their game. Here are 5 top tips for IT professionals looking

to secure their employee or client remote environments, and better educate end-users about working

from home:

1. Educate Against Phishing Threats: Nearly all cyberattacks come from a malicious link or

attachment, which can only be effective if an employee falls for the scam. Keep your employees

up to date on the latest threats, which sadly, at the moment, are leveraging fear around COVID-

19, such as promising a vaccine or suggesting you have been in contact with someone that has

tested positive.

2. Don’t Forget Patch Management: Patched software is secure software, so whatever your

process, make sure that no employees are running old versions or even end of life software at

home. The best technology partners will allow you to automate the install and update of your

software via package managers such as Chocolatey or Homebrew, so that you’re never behind the times.

3. Think Home Network Vulnerabilities: You may need to think a little out of the box when it comes

to protecting home networks. For example, how secure are your employee’s router settings, and

what smart devices do they have which are connected to the home network? Take a thorough

inventory of all connected devices, and start from there.

4. Multi-Layered is the New Secure: There’s no such thing as a silver bullet for enterprise security

anymore, so your best bet is a layered approach to cybersecurity. This might start with user

education for example, followed by URL or script blocking, and then file scanning and integrity

monitoring, and so on. Even if an attacker gets through one line of defense, the next is ready and


5. Have a Disaster Recovery Plan: If all else fails, a robust disaster recovery plan will mean you

can get back up and running as quickly as possible. Include a plan for business continuity,

protecting sensitive information, minimizing financial loss and disruption to end-users, and an

incident response plan to remain compliant with any relevant regulations. Make sure that your

technology and service providers recognize the importance of securing this kind of unknown



Looking Ahead to 2021, and Beyond

At the moment, none of us know what ‘the new normal’ is going to look like. For some, working from

home will become commonplace, while others might move to a more hybrid way of working, some days

from the office, some from home. We do know that organizations won’t want to risk being caught short

again, struggling to securely manage at the same time as ensuring business continuity.

This signals a real change in mindset for today’s IT professionals. Many companies historically saw IT

as a cost, rather than an investment. They couldn’t see the value in having IT support managing

operations proactively, preferring to hope for the best and call in an expert if and when something needed

attention, on a break-fix model. The pandemic has changed that, showing business stakeholders that

they can’t afford to be unprepared, and that they need a proactive approach to managing both IT and


The important thing when targeting this investment, will be to ensure that security plays well with the rest

of an organization’s IT ecosystem, whether that’s integrated in their professional services automation

such as helpdesk software, or their remote management and maintenance, like remote access

technology for example. If security is reliant on employee behavior or on multiple additional steps or

vendor solutions, you’re going to struggle to ensure that you don’t have gaps.

If, on the other hand, security comes as part of a package deal, you don’t need to rely on employee or

customer education alone. Think about software updates and patching that happen automatically without

any impact on your business operations. Consider a backup solution that is working silently and

effectively in the background. Onboard 2FA as part of the deal for employees from day one. Altogether,

you’re creating a much more resilient and robust environment in which to work.

About the Author

Gil Pekelman is the CEO and Founder of Atera. Under Gil’s

leadership, Atera has grown into the most innovative, industry leading

platform for MSPs both large and small. Prior to founding Atera, Gil

held senior positions at Indigo NV, (now a division of HP) and Exanet

(acquired by DELL). He has a degree in Economics and Management

from Tel-Aviv University and is the sole inventor of three patents.



Working from Home? You’re Not Alone

The rise of cyber hacks in an age of remote working – and how to prevent them

By Steve Hanna, Embedded Systems Work Group Co-Chair at Trusted Computing Group

(TCG) and Jun Takei, Japan Regional Forum Co-Chair at Trusted Computing Group

Technology is replacing a number of real-life activities, helping to maintain a level of normalcy and

connection with familiar faces amid unprecedented times. As remote working continues to prove an ever-essential

trend in light of our current global climate, organizational networks have expanded from single

offices to cross-country residential spaces, from kitchens to spare rooms.

In fact, according to global tech market advisory firm ABI Research, Connected Home devices are

expected to become more popular in the coming months, with a 30% year-on-year sales increase

projected, with more than 21 billion Internet of Things (IoT) devices expected by 2025. Cloud services

have also been adopted at an increasing rate by organizations to deliver remote services and, with 84

percent of enterprises now running on a multi-cloud strategy, are expected to account for 70 percent of

tech spending this year. As a result, collaboration tools, including various video conferencing platforms,

are being used far more frequently as companies adjust to the new normal of telework. Meanwhile, social

media and video calling services such as FaceTime are allowing families and friends to stay connected

and streaming services are providing entertainment on a more personal level.

This new normal brings with it changed user habits and, with inadequate security protection on these

devices, an increased level of risk in the form of new unknowns such as hacked devices and distributed

denial of service attacks. Connected Home and other IoT technologies disrupt our traditional methods of business,

acting as a bridge between the virtual and physical world and offering new, almost limitless benefit for


workforces and education. However, at the same time, it also increases the number of opportunities

available to hackers that have never been possible before; remote work is a game changer for society,

bringing huge benefit, but it is crucial that we also understand the risks. Faced with a more integrated

and widespread network, security protection against business email compromise, data thefts and scams

is something that all organizations and users must implement. As a result, it is critical that organizations

invest in collaborative tools to enable remote workers to do their jobs securely whilst adhering to

protective stay-at-home initiatives worldwide.

It Starts at Home

Working from home presents a communication barrier between employees, preventing instant, in-person

discussions about suspicious digital activity that they may observe, for example an unusual email. The

only current replacement of these face-to-face discussions is virtual conference calls – another popular

security oversight and target for attackers. However, while this face-to-face communication is important,

it is not essential to security protection measures, given that the correct automated detection and

prevention security mechanisms are put in place. To successfully protect these avenues of online

correspondence, it is vital that organizations work to become more security-conscious, starting with the

user and their awareness of attacker behavior.

Such measures can be difficult due to the added distractions faced by workers at home, including

childcare and deadline pressures, among other things. From a technical perspective, the home network

should not be trusted as it brings new vulnerabilities and is unable to support devices in the same way a

corporate business network would, making a Virtual Private Network (VPN) essential. In some cases, a

home PC may be used for other purposes by other members of the family, or an employee may want to

use their personal device to access corporate information, for example with a work USB. This misuse not

only provides opportunities for information hacking within the network, but also physically exposes

devices to threats. Such technical risks, combined with the rushed and unpredictable nature of home

working, present a wide range of vulnerabilities that hackers can take advantage of as they get ever

smarter. However, it is not enough to advise employees as to the correct device and data conduct at

home; organizations need to go beyond this to accept the given risks and implement the appropriate

protection mechanisms.

To prevent device protection from being overlooked amid the irregularity of working from home,

organizations should consider investing in training for remote workers to increase user awareness or

more thorough backup systems. These can be crucial for safe, efficient and secure business operations,

as well as helpful for maintaining normalcy. Preventative measures can also be taken on an

administrative level, especially during video conferencing over collaboration platforms. For example,

using unique access codes for each meeting, enabling a waiting room to keep track of meeting

participants and limiting shared screen options within the meeting, privacy can be protected. By having

the knowledge to put basic security measures in place, question browser pop ups and access a backup

system if things become corrupted, organizational breaches – and breakages – can be prevented.

Securing Devices from the Inside, Out

With many countries having passed the peak of the COVID-19 pandemic, it is expected that this ‘new normal’ will continue far into our future, meaning that the demand for remote device security is not likely to wane. In answer to this search for long-term, full-coverage protection, Trusted Computing Group (TCG) has been working to develop device security which protects, from the inside, against these new-found risks that have come with our “new normal”. Offering agility and fast deployment, Trusted Computing ensures multi-layered security to safeguard corporate confidential information and personal data against the growing sophistication of interception and threats in the realm of remote working, not only within PCs but also among IoT and cloud-connected devices and networks.

Such solutions come in the form of hardware-based, embedded security subsystems, such as the Trusted Platform Module (TPM). When implemented, these chips create a reliable trust relationship between interconnected devices, protecting against cyberthreats. Their cost-effective nature enables organizations to affordably protect entire networks of devices, securing systems thoroughly and efficiently. TCG specifications are needed to collaborate with government guidelines for a safer connected future. This includes not only internal components such as the TPM, but also the use of security-reinforcing authentication mechanisms, such as multi-factor authentication or longer passwords. Within a network, it is also encouraged to use device provisioning, ensure strong user authentication mechanisms, employ PKI-based certification and conceal the whole system via a hardware-based root-of-trust. Many of these measures are already available for use in commercial entities and government digital infrastructures and are recommended for full-coverage data protection.

COVID-19 has significantly impacted society, having pushed Digital Transformation (DX) in many places all over the world. Where working from home was not standard practice before the pandemic, many organizations now see it as the future of business, education and collaboration. However, while DX has been long-awaited among society, we must simultaneously implement the appropriate security protection measures in order to realise its full benefit, and more must be done to create this safe and secure digital ecosystem. The nature of technology, and therefore cybersecurity, is that it is ever-changing; as devices advance, so do threats. Organizations, having implemented the current recommended measures, must ensure they remain vigilant and keep systems, software and backups updated for the ultimate protection. To do so, the integrity of the network endpoints needs to be measured and constantly monitored to avoid endpoint compromises. In adapting to our new normal and changing environment, it is vital that we adjust to the new technology challenges rapidly and proactively. By employing this security-first approach and building on these essential principles of updating, protection and resilience, billions of IoT and cloud systems will benefit, providing a safe, secure future despite a growing cybersecurity risk in our increasingly connected world.
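What “measuring the integrity of endpoints” looks like in practice, as an added example that is not part of the article or of any TCG specification: a Python simulation of the TPM's PCR extend operation on the SHA-256 bank, and an appraiser that checks the PCR values a device reports against a replay of its boot event log and against a known-good baseline. The component images, the event log, the PCR assignments and the compromise scenario are all constructed placeholders.

```python
import hashlib
from typing import Dict, List, Tuple

PCR_SIZE = 32                       # SHA-256 bank: every PCR starts as 32 zero bytes at reset
Event = Tuple[int, str, bytes]      # (PCR index, component name, SHA-256 digest of the component)

def measure(blob: bytes) -> bytes:
    return hashlib.sha256(blob).digest()

# Constructed "golden" boot event log. The byte strings are placeholders standing in for real
# firmware, bootloader and kernel images; a real appraiser takes these values from a vendor
# reference manifest or records them at provisioning time. PCR assignments are assumed.
GOLDEN_EVENT_LOG: List[Event] = [
    (0, "firmware",           measure(b"placeholder firmware image v1")),
    (4, "bootloader",         measure(b"placeholder bootloader v1")),
    (7, "secure-boot-policy", measure(b"placeholder secure boot policy")),
    (8, "kernel",             measure(b"placeholder kernel 5.x")),
]

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || digest). The chain is one-way, so software that
    has already been measured cannot erase or rewrite its entry, only extend the register further."""
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log: List[Event]) -> Dict[int, bytes]:
    """Recompute the PCR values a TPM holds after extending every event in the log, in order."""
    pcrs: Dict[int, bytes] = {}
    for idx, _name, digest in event_log:
        pcrs[idx] = extend(pcrs.get(idx, bytes(PCR_SIZE)), digest)
    return pcrs

GOLDEN_PCRS = replay(GOLDEN_EVENT_LOG)

def verify_attestation(reported_pcrs: Dict[int, bytes], event_log: List[Event]) -> Tuple[bool, List[str]]:
    """Appraise a device. Two checks per PCR: the event log must reproduce the value the TPM
    reported (otherwise the log was edited or truncated), and the reported value must equal the
    known-good baseline (otherwise a measured component changed). In a real deployment the
    reported values arrive in a quote signed by the TPM's attestation key, verified first."""
    findings: List[str] = []
    replayed = replay(event_log)
    known = {(idx, d) for idx, _n, d in GOLDEN_EVENT_LOG}
    for idx in sorted(set(reported_pcrs) | set(GOLDEN_PCRS)):
        if replayed.get(idx) != reported_pcrs.get(idx):
            findings.append(f"PCR{idx}: event log does not reproduce the reported value (log tampered or incomplete)")
        elif reported_pcrs.get(idx) != GOLDEN_PCRS.get(idx):
            culprits = [n for i, n, d in event_log if i == idx and (i, d) not in known]
            findings.append(f"PCR{idx}: differs from known-good; unexpected measurement for "
                            f"{', '.join(culprits) or 'unknown component'}")
    return (not findings, findings)

def with_modified_kernel(event_log: List[Event]) -> List[Event]:
    """Constructed compromise scenario: the kernel image on disk was altered, so the bootloader
    measures a different digest into PCR8 and the event log records it honestly."""
    return [(i, n, measure(b"placeholder kernel 5.x, altered") if n == "kernel" else d)
            for i, n, d in event_log]

if __name__ == "__main__":
    print(verify_attestation(GOLDEN_PCRS, GOLDEN_EVENT_LOG))
    bad_log = with_modified_kernel(GOLDEN_EVENT_LOG)
    print(verify_attestation(replay(bad_log), bad_log))           # honest log, changed kernel
    print(verify_attestation(replay(bad_log), GOLDEN_EVENT_LOG))  # device presents the old log
```

The two failure modes are kept apart on purpose: a log that does not reproduce the reported registers points at someone editing the log after the fact, while a log that reproduces them but diverges from the baseline means the measured software really changed, and the appraiser can name the component. The signature check on the quote, omitted here, is what stops a device from simply reporting the golden values.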


About the Authors

Steve Hanna is the co-chair of the Embedded Systems Work Group in the Trusted Computing Group (TCG) and Senior Principal at Infineon Technologies. Hanna is a member of the Security Area Directorate in the Internet Engineering Task Force, also serving as the liaison from the TCG to the Industrial Internet Consortium. He is the author of several IETF and TCG standards and published papers, an inventor or co-inventor on 47 issued U.S. patents, and a regular speaker at industry events. He holds a Bachelor’s degree in Computer Science from Harvard University. Steve Hanna can be reached online at tcg@proactive-pr.com and at our company website: https://trustedcomputinggroup.org/.

Jun Takei is the co-chair of the Japan Regional Forum in the Trusted Computing Group and is a Principal Engineer at Intel. Since joining Intel, he has been responsible for technology policy and standards, and has a wealth of experience in the Internet and wireless communications from both a technology and policy point of view. From 2004 to 2015, he was a board member of one of the most successful Internet research consortiums, the WIDE project, and has also spent time lecturing at Keio University. Now, he is working as the director of Security and Trust Policy at Intel. Jun can be reached online at tcg@proactive-pr.com and at our company website: https://trustedcomputinggroup.org/.


The Best Network Protection: Go Deep or Go Broad?

Combining Breadth and Depth Brings Full Protection

By Albert Zhichun Li, Chief Scientist, Stellar Cyber

Almost since the beginning of network security, vendors and practitioners have wrestled with choices between going deep and going broad for their security solutions. Mostly, the choice varies between predominantly one or the other. Going deep typically means careful monitoring and analysis of certain types of threats or behaviors at the cost of not examining a much broader range of activity. Solutions that are broader may lack the clarity and fidelity to make fast, accurate alerting. They also may miss important


The battle to protect data, systems, users and networks has been far from easy. Today, a more interesting headline might announce when a data breach has not occurred. The odds are heavily in favor of attackers to penetrate a network and have free rein to engage in theft or damage. These high-value attacks are human-run and employ multiple approaches over a period of time. The now commonly acknowledged north, south, east and west types of activity work for an attacker to systematically, and sometimes serendipitously, accomplish their mission. One step, such as reconnaissance through some kind of scanning, will lead to a next and a next. This reality means that both depth and breadth are important if an organization has any hope of curtailing an attack.


As solutions for eXtended Detection and Response (XDR)—and perhaps other categories of solutions—emerge, one of the more important questions they will have to face is this ongoing one between depth and breadth. Depth and breadth can work together to ensure higher-fidelity alerts with a low number of false positives. The ability to understand potential attacker activity with detail as well as context can make all the difference in flagging something that is truly important. To be productive, activities must be identified that are both abnormal and malicious.

Breadth is important since attackers use multiple tactics, largely sequentially. The ability to see the connectedness between events gives security groups a substantial advantage. This “seeing the forest for the trees” can identify something that might otherwise be missed or provide the fidelity to prevent “crying wolf” too many times. Breadth can also unify the strength of individual security solutions, each with its own area of expertise and specialization.

Depth brings important details and may answer a number of the “who, what, where, when, how” questions. EDR systems, for instance, are best at understanding endpoint activity, while CASB solutions are primed to make sense of certain cloud activities. UEBA tools help examine who did what on the network. Of course, it is simply not possible for one tool or system to do everything with full expertise and precision. This is why the idea of not only integrating but also aggregating key findings from a myriad of tools is so powerful. Sharing “the best of” from each system ensures that the whole is more valuable than the sum of the parts. In this way, breadth and depth can combine and work together to minimize any design tradeoffs and produce better results.
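One way the breadth-plus-depth idea turns into an actual detection, as an added example that is not Stellar Cyber's code: findings from four hypothetical tools (NDR, UEBA, EDR, CASB) are joined on a common entity, ordered along a rough kill chain, and only raised as an incident when several stages seen by several sources fall inside one time window. The feeds, signal names, weights, window and threshold are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # hypothetical tool that raised it: NDR, UEBA, EDR or CASB (the depth lives here)
    entity: str   # pivot used to join across tools; the endpoint hostname in this example
    signal: str

# Rough kill-chain order and a weight per signal (assumed values). Each signal on its own is low
# fidelity: vulnerability scanners, travelling admins and bulk syncs all produce them, which is
# why alerting on any one of them "cries wolf". The score only becomes an incident when several
# stages, seen by several tools, line up on one entity inside one window (the breadth).
STAGE: Dict[str, int] = {"port_scan": 0, "anomalous_login": 1, "credential_dump_tool": 2, "large_cloud_download": 3}
WEIGHT: Dict[str, int] = {"port_scan": 1, "anomalous_login": 2, "credential_dump_tool": 3, "large_cloud_download": 3}

def correlate(events: List[Event], window: timedelta = timedelta(hours=2),
              min_sources: int = 2, threshold: int = 5) -> List[dict]:
    """Return one incident per entity whose events form a stage-ordered chain within `window`,
    come from at least `min_sources` distinct tools and score at least `threshold`."""
    by_entity: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_entity[e.entity].append(e)
    incidents = []
    for entity, evs in by_entity.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            chain = [first]
            for nxt in evs[i + 1:]:
                if nxt.ts - first.ts > window:
                    break                      # outside the window that started at `first`
                if STAGE[nxt.signal] >= STAGE[chain[-1].signal]:
                    chain.append(nxt)          # keep only forward (or same-stage) progression
            sources = {e.source for e in chain}
            score = sum(WEIGHT[e.signal] for e in chain)
            if len(sources) >= min_sources and score >= threshold:
                incidents.append({"entity": entity, "score": score, "sources": sorted(sources),
                                  "chain": [e.signal for e in chain],
                                  "start": first.ts, "end": chain[-1].ts})
                break                          # one incident per entity is enough here
    return incidents

# Constructed feed: ws-17 shows a full chain across four tools; ws-42 is a scanner plus one odd
# login (two sources but a low score); ws-08 is a single bulk download hours before a scan.
D = datetime(2021, 1, 12)
SAMPLE_EVENTS = [
    Event(D.replace(hour=9, minute=0),   "NDR",  "ws-17", "port_scan"),
    Event(D.replace(hour=9, minute=25),  "UEBA", "ws-17", "anomalous_login"),
    Event(D.replace(hour=9, minute=40),  "EDR",  "ws-17", "credential_dump_tool"),
    Event(D.replace(hour=10, minute=10), "CASB", "ws-17", "large_cloud_download"),
    Event(D.replace(hour=11, minute=0),  "NDR",  "ws-42", "port_scan"),
    Event(D.replace(hour=11, minute=10), "UEBA", "ws-42", "anomalous_login"),
    Event(D.replace(hour=8, minute=0),   "CASB", "ws-08", "large_cloud_download"),
    Event(D.replace(hour=15, minute=0),  "NDR",  "ws-08", "port_scan"),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc["entity"], inc["score"], inc["sources"], " -> ".join(inc["chain"]))
```

Only ws-17 comes back: each tool contributed the detail it is best at, and the ordering across tools is what lifts four individually ignorable signals into one alert. The two noisy hosts show the other half of the argument, since neither a scanner alone nor a single download alone crosses the bar.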

Breadth should also work to fill any gaps that might exist between the detections provided by various systems. Usually this means gaps in scope, but sometimes it might mean limitations or delays in what data is provided by a security system and when. Sensors can help fill this gap that inevitably exists. Logs may also provide supplemental information, but they generally cannot be depended on for timely insights and may be limited in what is captured. They can also be manipulated.

Depth and breadth are good things, and vendors and practitioners should continue to build expertise in both areas. Still, to gain an upper hand against attackers, organizations cannot afford to choose between the two. Uniting these two dimensions will help even the odds.

About the Author

Albert Zhichun Li is the Chief Scientist at Stellar Cyber. He is a world-renowned expert in cyber security, machine learning (ML), systems, networking and IoT. He is one of the few scientists known to heavily apply ML to security detection/investigation. Albert has 20 years of experience in security, and has been applying machine learning to security for 15 years. Previously, he was the head of NEC Labs’ computer security department, where he initiated, architected and commercialized NEC’s own AI-driven security platform. He has filed 48 US patents and has published nearly 50 seminal research papers. Dr. Li has a Ph.D. in system and network security from Northwestern University and a B.Sc. from Tsinghua University. Albert can be reached online at Zli@stellarcyber.ai and at our company website http://stellarcyber.ai


Cybersecurity Predictions For 2021

Preparing for the “next normal”

By Topher Tebow, Cybersecurity Analyst (Malware), Acronis

For cybersecurity professionals, this year began more or less like any other. Fast forward to April, and nearly half of the American workforce was working from home — relying on remote access tools and cloud services for everyday business needs. It’s been a time of great challenges and opportunities. We’ve finally settled into the “new normal,” but cyberthreats continue to evolve and respond to the new environment. As we look forward to 2021, here are a few of our cybersecurity predictions:

1. Attackers will continue targeting remote workers

It goes without saying that the COVID-19 pandemic has fundamentally changed how business is done these days. Ninety-two percent of global organizations adopted new IT technologies this year, driven by the need to enable or expand their remote operations. Work-from-anywhere is the new normal, and with that comes a new IT infrastructure — and myriad associated security and privacy risks.

Companies have rushed to integrate new tools and services for collaboration and remote access, but often lack the time to thoroughly vet these solutions — or the budget to work with tested vendors, and to properly train IT staff. Countless organizations are currently using misconfigured solutions (or ones that are simply of dubious quality), and are at elevated risk as a result.


2. Threats against MSPs, cloud services, and businesses will rise

With data accessibility at the center of everyday business operations — and remote access and collaborative features more necessary than ever — IT services are a requirement for every organization. Small and medium businesses are particularly reliant on managed service providers (MSPs) to fulfill this

We’re already seeing an increase in attacks against MSPs and cloud service providers — no surprise, given their status as a prime attack target. Successfully compromising a service provider is a far more efficient prospect than targeting individual businesses, as it allows cybercriminals access to the provider’s entire customer base in one fell swoop. Expect to see this trend continue.

3. Data exfiltration will become a bigger threat than encryption

While we expect ransomware to hold its position as the number-one cyberthreat to businesses in 2021, the structure of these threats is shifting. In the near future, we expect that stealing sensitive data — rather than simply encrypting it on infected systems — will be the primary form that ransomware strikes take.

Cybercriminals seek to monetize every attack, and recent trends have demonstrated that exfiltrating data greatly increases the odds of successfully negotiating a ransom demand. The prospect of having sensitive data — like trade secrets or personally-identifiable customer and employee information — sold or publicly released adds tremendous pressure to companies and government entities. Data protection and data loss prevention solutions will be particularly important in the coming year.

4. Automation and personalization will cause malware samples to skyrocket

Advances in computing power and artificial intelligence are kicking the malware development cycle into overdrive. Cybercriminals can build and iterate new cyberthreats with dizzying speed, sending out waves of attacks and using the results to shape their next variants.

In addition, these threats are increasingly personalized — purpose-built for their targets using information mined from corporate websites and social media profiles. As spear-phishing campaigns have shown time and again, those who make the effort to tailor attacks in this way are often rewarded with an increased success rate.

The industrialization of malware and social engineering campaigns poses a significant threat to modern businesses. The average lifetime of a malware sample is now down to a mere 3.4 days, severely hampering the effectiveness of signature-based detection. Now more than ever, it’s critical for organizations to invest in complete cyber protection solutions that can effectively detect and block both known and unknown cyberthreats.


5. Malware will explore new targets

Ransomware threats are expanding beyond their traditional purview of Windows and macOS desktops. Within organizations, increasingly-exposed industrial control systems (ICS) make a tempting target for takeover and extortion.

Both at home and in the office, the growing adoption of the internet of things (IoT) — especially in connection with 5G — will continue to present new areas for infection in the form of smart devices. While internet-enabled appliances themselves don’t tend to store large quantities of data (nor particularly sensitive information), they present a potential attack vector towards their manufacturers — and may be incorporated into DDoS-fueling botnets.

6. Preparing for the next wave of cyberthreats

This has been a challenging year for businesses, to be sure. And we face a slew of new challenges in 2021. Expect new tactics, never-before-seen malware, relentless automation, and attacks against surfaces that may not be well protected.

Now more than ever, an intelligent and integrated approach is necessary to stay safe in the digital space. Businesses must invest in solutions that can stand toe-to-toe with the latest cyberthreats and provide complete cyber protection.

About the Author

Topher Tebow is a cybersecurity analyst, with a focus on malware tracking and analysis, at Acronis. Topher spent nearly a decade combating web-based malware before moving into endpoint protection. Topher has written technical content for several companies, covering topics from security trends and best practices, to analysis of malware and vulnerabilities. In addition to being published in leading cybersecurity publications, Topher has spoken at InfoSec conferences, and is an active part of the Arizona cybersecurity community. Topher can be reached online at @TopherTebow on Twitter, and at our company website



Why 'Thinking Small' Is the Way to Stop Ransomware

and Other Cyber Attacks

By Yuval Baron, CEO at AlgoSec, explains why micro-segmentation is one of the most

effective methods to limit the damage of attacks on a network

On August 15, 2020, the cruise line Carnival Corporation fell victim to a cyber-attack that may have resulted in the loss of personal data of millions of passengers and crew members.

Carnival is the world's largest travel and leisure company with approximately 13 million passengers per year. The company has not revealed how many customers or which of their individual brands were affected, but what we do know is that law enforcement agencies were notified because one of the brands reported a ransomware attack that broke through an encrypted part of their network.

This is not the first time that Carnival's security measures have been circumvented by hackers. In 2019, a cyber attack on Princess Cruises and Holland America Line resulted in the loss of the personal data of hundreds of passengers and crew members. The criminals stole names, social security numbers, passport numbers and credit card information.


Carnival’s experience will feel all too familiar to some businesses. In fact, we recently started working with two organizations who fell victim to high-profile ransomware attacks earlier this year, and reached out to us after the event to help prevent and mitigate such attacks in the future by tightening their security posture and limiting their attack surface.

While many believe that looking at the big picture is the best way to find solutions to protect large corporations, the answer actually lies in something much smaller - the micro-segmentation of the network.

Damage limitation through micro-segmentation

Hackers are never going to give up targeting large corporations, and ransomware attacks like that on Carnival will never disappear. Moreover, as criminals become increasingly sophisticated, it has become difficult to fully protect your network. What companies can do, however, is limit the potential damage hackers can cause if they do gain access to sensitive company or customer data.

One way to do this is through network micro-segmentation, which is regarded as one of the most effective methods to reduce an organization’s attack surface. A lack of it has often been cited as a contributing factor in some of the largest data losses in ransomware attacks.

Micro-segmentation minimizes the damage that hackers can do if they gain access, by stopping lateral movement across your networks. Just as the watertight compartments in a ship should contain flooding if the hull is breached, segmentation isolates servers and systems into separate zones to contain intruders or malware as well as insider threats, limiting the potential security risks and damage.

Controlling the borders

Although micro-segmentation is recognized as an effective method to enhance security, some businesses have been slow to adopt it because it can be complex and costly to implement, especially in traditional on-premise data centers.

Moving to virtualized data centers with Software-Defined Networking (SDN) and cloud connectivity removes some of these barriers. The flexibility of the SDN enables more advanced, granular zoning, allowing networks to be divided into hundreds of micro-segments. To achieve this level of security in a traditional data center would be prohibitively expensive and too complicated to implement.

But virtualized data centers do not eliminate all the stumbling blocks. Enforcing security policies and firewall configurations on all systems and across different IT environments would still have to be done manually, which is an enormous task for the IT security department and leaves less time for large projects. A filtering policy enforced by the micro-segmented structure is therefore still necessary, and writing this policy is the first and biggest hurdle to be overcome.


Simplification of micro-segmentation through security automation

Automated network management makes it much easier for companies to define and enforce their micro-segmentation strategy. It also ensures that critical business services are not blocked due to misconfiguration and that compliance requirements are met. It autonomously performs application discovery based on NetFlow information and identifies unprotected data streams on the network that neither pass through a firewall nor are filtered for an application. It automatically detects changes in the network that collide with the current micro-segmentation setting, immediately suggests policy changes based on this information and, if desired, validates and automatically enforces them.
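A small illustration of the flow audit the paragraph describes, as an added example that is not AlgoSec's product code: segments are defined as address ranges, the intended cross-segment traffic as a rule list, and constructed NetFlow-style records are checked against both. Flows that no rule covers, or that involve an address outside every known segment, come back as findings with a candidate rule to review. Segment names, CIDRs, rules and flow records are all assumptions made for the example.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed segment layout (constructed CIDRs) and the cross-segment traffic the policy intends
# to allow. "*" as destination means any segment.
SEGMENTS: Dict[str, List[str]] = {
    "web":  ["10.10.1.0/24"],
    "app":  ["10.10.2.0/24"],
    "db":   ["10.10.3.0/24"],
    "mgmt": ["10.10.9.0/24"],
}
Rule = Tuple[str, str, str, int]          # (src segment, dst segment, protocol, dst port)
ALLOW: List[Rule] = [
    ("web",  "app", "tcp", 8443),
    ("app",  "db",  "tcp", 5432),
    ("mgmt", "*",   "tcp", 22),
]
_NETS = [(name, ipaddress.ip_network(cidr)) for name, cidrs in SEGMENTS.items() for cidr in cidrs]

def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment, or None if it belongs to no defined segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in _NETS:
        if addr in net:
            return name
    return None

def is_allowed(src_seg: str, dst_seg: str, proto: str, dport: int) -> bool:
    if src_seg == dst_seg:
        return True   # intra-segment traffic is left to host firewalls in this example
    return any(s == src_seg and d in ("*", dst_seg) and p == proto and pt == dport
               for s, d, p, pt in ALLOW)

def audit(flows: List[dict]) -> List[dict]:
    """Check NetFlow-style records against segments and policy; return the flows that need a decision."""
    findings = []
    for f in flows:
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
        if src_seg is None or dst_seg is None:
            # an asset nobody has placed in a segment is, by definition, unprotected by the policy
            findings.append({"flow": f, "reason": "unclassified endpoint", "suggested_rule": None})
        elif not is_allowed(src_seg, dst_seg, f["proto"], f["dport"]):
            findings.append({"flow": f, "reason": "no policy covers this cross-segment flow",
                             "suggested_rule": (src_seg, dst_seg, f["proto"], f["dport"])})
    return findings

def proposed_rules(findings: List[dict]) -> List[Tuple[Rule, int]]:
    """Candidate rules ranked by how often the uncovered flow recurred. A flow seen steadily is
    probably a business dependency the policy forgot; a one-off on port 445 is a review item,
    not an automatic allow, which is why the ranking is suggested rather than enforced."""
    return Counter(x["suggested_rule"] for x in findings if x["suggested_rule"]).most_common()

# Constructed flow records (src, dst, protocol, destination port, bytes).
SAMPLE_FLOWS = [
    {"src": "10.10.1.15", "dst": "10.10.2.20", "proto": "tcp", "dport": 8443, "bytes": 48210},
    {"src": "10.10.2.20", "dst": "10.10.3.5",  "proto": "tcp", "dport": 5432, "bytes": 90112},
    {"src": "10.10.1.15", "dst": "10.10.3.5",  "proto": "tcp", "dport": 5432, "bytes": 1200},   # web tier talking straight to the database
    {"src": "10.10.1.16", "dst": "10.10.3.5",  "proto": "tcp", "dport": 5432, "bytes": 1330},   # same dependency from a second web host
    {"src": "10.10.9.2",  "dst": "10.10.3.5",  "proto": "tcp", "dport": 22,   "bytes": 7001},
    {"src": "10.10.2.20", "dst": "10.10.3.5",  "proto": "tcp", "dport": 445,  "bytes": 510},    # SMB between tiers: nothing should need this
    {"src": "10.10.7.77", "dst": "10.10.3.5",  "proto": "tcp", "dport": 5432, "bytes": 2048},   # source in no known segment
    {"src": "10.10.1.15", "dst": "10.10.1.16", "proto": "tcp", "dport": 80,   "bytes": 300},
]

if __name__ == "__main__":
    for x in audit(SAMPLE_FLOWS):
        print(x["reason"], x["flow"]["src"], "->", x["flow"]["dst"], x["flow"]["dport"], x["suggested_rule"])
    print(proposed_rules(audit(SAMPLE_FLOWS)))
```

The same mechanism answers the paragraph's two questions: which streams the current segmentation does not cover (the findings) and what policy change would cover them (the ranked candidates). Whether a candidate becomes a rule or a block decision is the judgement the automation hands back to the security team.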

So although micro-segmentation can be a costly and time-consuming process, solutions are now available to significantly speed up, improve and reduce the cost of setup and maintenance. An SDN data center and cloud combined with security automation puts companies on the road to effective protection against ransomware attacks of all kinds.

About the Author

Yuval Baron is the CEO of AlgoSec. Prior to founding AlgoSec, Yuval Baron co-founded Actelis Networks Inc. in 1998 where he served as its CEO until 2002. Actelis Networks is the leading provider of high performance, scalable broadband over copper solutions. During his tenure, Actelis Networks raised $75 million in three separate funding up-rounds from investors including USVP, NEA, Walden, Carlyle, Salomon Smith Barney, France Telecom, Sumitomo, and Vertex. Prior to Actelis, Mr. Baron was vice president of sales and marketing at RIT Technologies (Nasdaq: RITT), a provider of network infrastructure solutions for data centers and communication networks. At RIT, he built a distribution network across 55 countries and drove revenue growth which led to a successful IPO. Prior to RIT, Mr. Baron spent a decade with Comverse Technology (Nasdaq: CMVT), a leading global provider of telecom business solutions. Mr. Baron has a B.Sc. in Mathematics, Computer Science, and Economics (Cum Laude) and an MBA in Finance. Yuval can be reached online at https://twitter.com/AlgoSec and at our company website https://www.algosec.com/


Your Vulnerabilities are Making You Miss Your


IT organizations regularly configure asset discovery tools in ways that leave them open to abuse by attackers; vendor configuration documentation lacks details on the risk.

By Evan Anderson, Director of Offense, Randori

The security industry pays lots of attention to vulnerabilities and the need for patching. While there is a need for this, the industry has over-indexed on vulnerability management in the past couple of decades. What doesn’t get as much attention, and is often more important to an attacker, are things like common misconfigurations or an improper implementation that introduces unintended risk. I can say with confidence that some vendor-recommended implementation strategies are widely abused by red-teamers and attackers to achieve their objectives. I’ve been taking advantage of these types of flaws since the early 2000s, and it’s so common that red-teamers developed tooling to take advantage of faulty

At Randori, we regularly see improper implementations, suggesting many blue-teamers are unaware of the risks of certain configuration methods. Vendor-documented implementation methods -- that are commonly used by IT orgs -- can introduce unintended risk into your environment. And the challenge is that improper implementations can be near impossible to spot, and even more problematic to fix.

Let’s take a closer look at this problem, using asset discovery tools as an example -- specifically ServiceNow Discovery. Organizations have rightfully started using auto-discovery tools in order to find services, applications, and devices to mitigate the exposure of misconfigs before attackers can take advantage of them. These tools give companies a better understanding of what systems are on their network, their patch level, and how the systems are configured. Discovery tools programmatically log into systems and run commands to check their configuration.

Unfortunately, asset discovery tools can themselves be improperly configured. This will increase risk to an organization rather than reducing it.

Before I go on, a note: ServiceNow Discovery is not vulnerable or bad, nor is Virima or BMC Helix Discovery (other asset discovery tools that suggest similar implementations); it's simply a concrete example recently used by my team. The problem: when ServiceNow Discovery, BMC Helix Discovery or Virima are configured with password credentials rather than a private key, they can easily be taken advantage of by an attacker.

It’s low risk to use this weakness for a multitude of reasons:

1. I don’t have to make an exploit (which is expensive and takes time).

2. I can just sit on the network and it will give me credentials - I don’t have to do any discovery or port scanning.

3. I won’t trigger an alert. In many cases alerts associated with discovery tools are ignored or disabled because they are considered benign (and with good reason).

4. I don’t have to brute force entry (which could trigger alerts).


“Discovery” explores UNIX and Linux devices utilizing SSH to execute commands on the system in question. In order to run the exploratory commands, “Discovery” must have some sort of credential in order to access the system. ServiceNow’s documentation has two ways to configure these credentials. One is username and password -- the other is via an SSH key. It is more secure to use SSH private key credentials rather than an SSH password, but password credentials are often preferred because they are easier to configure. In fact, the ServiceNow Discovery documentation does explicitly state: “SSH private key credentials are recommended over SSH password credentials for security reasons.” However, it doesn’t go into detail.


ServiceNow Discovery Documentation

People use passwords more than private keys because of the ease of deployment. Simply add an account to the system with a password and you’re in. Private key authentication has the extra steps of generating the key pair, protecting the private key and copying the public key into place on the server


Capability in Action

Let’s assume then that as the attacker, I have gained access to a network by compromising a Linux system and am looking to move laterally to other systems. I begin by quietly observing or sniffing the network traffic with the goal of gaining situational awareness, attempting to figure out what I can see and what I have access to.

While watching network traffic, I notice an IP address attempting to connect to my compromised system on TCP port 22 (the default port for SSH servers). So I know somebody or something is attempting to log in via SSH. I quickly spin up an SSH server I control, and wait.

Often the username for these types of asset discovery tools references the product in some way. For instance `ServiceNowUser`. Just armed with that information, I know those credentials likely work on other *nix systems (UNIX, MacOS, FreeBSD, Linux) and users are trained to ignore logins from that

Now I’m off to the races -- I can steal leaked credentials and move laterally to other systems on the network, with little operational risk. And credentials are often used to verify patch states and system configurations, thus I have access to that data on each system, giving me a lot more information to do my job easily and stealthily.

For anyone implementing a new technology, consider taking the extra time to configure using a private key vs. a password (more on the advantages here). Review documentation thoroughly and pay special attention to best practices. Ask your vendor to give more details on security best practices if they aren’t included in the documentation. Some configurations may be quick wins for a project, but be careful you aren’t inadvertently giving away the keys to the kingdom. The details are important to understanding what risk you are accepting.

Any software that is used on a network should be viewed as part of the attack surface, and thus must be considered when calculating risk. Purchasing a tool is not the solution to the problem, and may in fact cause more harm than good. You must allow teams the time to understand the ramifications of a product, how to implement it properly and how to utilize tools properly in your environment. Recognize the risk you’re taking if you’re asking your team to implement something on a shorter timeframe -- that often means not as secure.
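The defender's side of this, as an added example that is neither Randori's nor ServiceNow's code: a check that a discovery service account can only authenticate with a key (in sshd_config, globally or in a Match User block), and a scan of sshd log lines that flags that account logging in with a password or from a host other than the discovery servers. The account name `svc-discovery`, the source address, the configuration fragments and the log lines are constructed placeholders.

```python
import re
from typing import Dict, List, Set, Tuple

DISCOVERY_ACCOUNT = "svc-discovery"   # assumed name of the discovery tool's service account
DISCOVERY_SOURCES = {"10.10.9.2"}      # assumed addresses the discovery servers connect from

def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Tuple[Set[str], Dict[str, str]]]]:
    """Split sshd_config into global directives and Match-User blocks. As in sshd, the first
    occurrence of a keyword in a section wins. Only the 'User' Match criterion is modelled."""
    global_cfg: Dict[str, str] = {}
    blocks: List[Tuple[Set[str], Dict[str, str]]] = []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            tokens = value.split()
            users: Set[str] = set()
            for i in range(0, len(tokens) - 1, 2):
                if tokens[i].lower() == "user":
                    users |= set(tokens[i + 1].split(","))
            current = {}
            blocks.append((users, current))
        else:
            current.setdefault(key, value)
    return global_cfg, blocks

def effective(config_text: str, user: str, keyword: str, default: str) -> str:
    """Value of `keyword` that sshd would apply to `user`: first matching Match block, else global."""
    global_cfg, blocks = parse_sshd_config(config_text)
    kw = keyword.lower()
    for users, cfg in blocks:
        if user in users and kw in cfg:
            return cfg[kw]
    return global_cfg.get(kw, default)

def audit_sshd_config(config_text: str, user: str = DISCOVERY_ACCOUNT) -> List[str]:
    findings = []
    if effective(config_text, user, "PasswordAuthentication", "yes").lower() != "no":
        findings.append(f"{user}: password authentication still permitted; issue a key pair and set "
                        "PasswordAuthentication no for this account")
    if effective(config_text, user, "PubkeyAuthentication", "yes").lower() != "yes":
        findings.append(f"{user}: public key authentication disabled, so a key cannot replace the password")
    return findings

LOGIN_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")

def audit_auth_log(lines: List[str], user: str = DISCOVERY_ACCOUNT,
                   sources: Set[str] = DISCOVERY_SOURCES) -> List[str]:
    """Flag the discovery account authenticating with a password (the secret travels to whatever
    answered on port 22) or from a host that is not one of the discovery servers."""
    findings = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m or m["user"] != user:
            continue
        host = line.split()[3]   # syslog layout: month day time host ...
        if m["method"] == "password":
            findings.append(f"{host}: {user} authenticated with a password from {m['src']}")
        if m["src"] not in sources:
            findings.append(f"{host}: {user} logged in from unexpected source {m['src']}")
    return findings

# Constructed configurations: the weak one leaves the global default in force for every account.
WEAK_SSHD_CONFIG = """
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
"""
HARDENED_SSHD_CONFIG = WEAK_SSHD_CONFIG + """
# humans may keep passwords for now; the discovery account may not
Match User svc-discovery
    PasswordAuthentication no
    AuthenticationMethods publickey
"""

# Constructed sshd log lines in syslog format; fingerprints are placeholders.
SAMPLE_AUTH_LOG = [
    "Jan 12 09:00:01 db01 sshd[2231]: Accepted publickey for svc-discovery from 10.10.9.2 port 51122 ssh2: ED25519 SHA256:placeholder",
    "Jan 12 09:05:14 web03 sshd[9911]: Accepted password for svc-discovery from 10.10.9.2 port 51190 ssh2",
    "Jan 12 09:07:45 app02 sshd[4412]: Accepted publickey for svc-discovery from 10.10.4.77 port 40122 ssh2: ED25519 SHA256:placeholder",
    "Jan 12 09:08:00 app02 sshd[4413]: Accepted publickey for alice from 10.10.5.5 port 40130 ssh2: ED25519 SHA256:placeholder2",
]

if __name__ == "__main__":
    print(audit_sshd_config(WEAK_SSHD_CONFIG))
    print(audit_sshd_config(HARDENED_SSHD_CONFIG))
    print(audit_auth_log(SAMPLE_AUTH_LOG))
```

The configuration check is the cheap part and is what the vendor's one-line recommendation amounts to in practice. The log check is the part that is usually missing: because discovery logins are "benign" they tend to be filtered out of alerting, but the discovery account is one of the few identities whose legitimate source hosts are fully known in advance, which makes a login from anywhere else a high-fidelity signal rather than noise.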


About the Author

Evan Anderson is the Director of Offense at Randori – where he leads the company’s Hacker Operations Center. In this role, Evan leads a team developing new and novel offensive capabilities for Randori’s automated attack platform.

Evan can be reached online at linkedin.com/in/attack/ and at



Are Your Organization’s Critical Assets Five Steps or

Fewer from A Cyber Attacker?

By Gus Evangelakos, Director Field Engineering, XM Cyber

Cybersecurity is an asymmetric battle -- and one in which attackers hold an unfair advantage. Adversaries maintain the initiative and can attack from novel and unexpected angles, while defenders are forced into a reactive role.

The asymmetric nature of cybersecurity isn't the sole reason data breaches continue to rise every year, of course. The popularity of cloud computing and constant expansion of the attack surface also present substantial ongoing challenges for today's organizations.

This raises an interesting question: Just how quickly can critical assets be exfiltrated by cyber attackers? The 2020 Verizon Data Breach Investigations Report (DBIR) sheds some light on how attacks are unfolding -- and why adversaries often need only a handful of steps to expose the most valuable "crown jewel" assets.

The Landscape Has Never Been More Favorable for Adversaries

Understanding just how vulnerable your systems are is key to assessing risk. This applies to the specifics of our security environments and the larger conditions that affect how and why breaches occur.

Misconfiguration errors -- which remain at epidemic levels -- are one reason why attack paths are often so short and direct. Cloud migration mandates, building remote workforce capabilities, managing access on the fly -- all of the demands placed on IT professionals create conditions that are highly conducive to misconfigurations. If you look at the highest-profile data breaches of the last five years, misconfigurations pop up as the culprit again and again.


Launching successful attacks has also never been easier or more accessible, particularly for adversaries

with low to moderate skill and limited resources.

● Deloitte estimates a low-end cyber-attack costing just $34 a month could generate $25,000.

● A phishing campaign for $30 a month can return $500 a month.

● Keylogging can return $723 a month for as little as a $183 investment.

● More sophisticated attacks costing a few thousand dollars could return as much as $1 million per


Yet whether you're dealing with an amateur equipped with cheap darknet malware or a sophisticated

Advanced Persistent Threat, one thing doesn't change: Nobody wants to waste time on hard targets. The

shortest path is always the most attractive.

Five Steps -- Or Fewer -- From Danger

Attackers have many paths they can choose to target specific assets. Defenders, meanwhile, must try to

visualize and map all the variables related to those paths and manage any vulnerabilities -- certainly no

small task. Hardening the environment by reducing the number of obvious pathways is vitally important,

as many attackers will simply move on to the next target when faced with a resilient security posture.

Attackers are just as concerned about efficiency and ROI as any conventional business.

This means that organizations that can develop security robust enough to require a long procession of

steps are best positioned to deter attacks. Verizon's 2020 DBIR shows that the average breach requires

fewer than five steps. Beyond 20 steps, attacks begin occurring with vastly less frequency. Interestingly,

hacking and malware-based attacks tend to be highly overrepresented among attacks requiring more

than 10 steps, while attacks based on errors, misuse or social paths are highly clustered within the fewer-than-five-steps


Adversaries prefer short paths and rarely attempt longer or more complex attacks -- the numbers attest

to this. This means that any action taken to increase the number of steps adversaries must take also

lowers the odds of a successful breach.

What Organizations Can Learn From This

Deterring attackers often comes down to one thing: Being a harder target than the next guy. Adversaries

will typically take the path of least resistance. In practical terms, this means focusing on a few key areas:

Creating a true security culture within your organization. It's essential to create buy-in from the C

suite on down. Every strategic decision should be viewed, in part, through the lens of


Human error -- the kind that can compromise critical assets in a few short steps -- is inevitable.

Raising awareness of best security practices through routine training will only do so much before

returns begin diminishing. One way to manage this risk is to commit to a security posture focused

on continuous improvement.

Automated penetration testing (using tools such as breach and attack simulation software) can

help develop a harder and more resilient security environment. By continuously probing your own

defenses for vulnerabilities, you can uncover gaps before they are exploited and wrest the

initiative from attackers -- making the battle of cybersecurity less asymmetrical.


Gaining insight into how attackers can move laterally to compromise your assets is a core

challenge. Determine how many steps it would take and what remediation steps will close the

attack path. Again, automated penetration testing tools that provide prioritized remediation

recommendations can be helpful in this regard.
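
The shortest-path reasoning above can be made concrete with a small graph model. The following Python is an added example, not code from XM Cyber or from the DBIR: it describes a constructed network as a set of lateral-movement edges, each labelled with the weakness that enables it, finds the fewest-step path from an internet-facing host to a crown-jewel database, and then ranks candidate remediations by how many steps each one adds to the shortest remaining path. The host names, weaknesses and topology are assumptions made for the example.

```python
from collections import deque

# Constructed attack graph (an assumption for this example, not a real
# network). Each edge is one lateral-movement step an attacker could take,
# labelled with the weakness that makes the step possible.
EDGES = [
    ("internet", "web01", "RDP exposed to the internet"),
    ("internet", "vpn-gw", "phished VPN credentials, no MFA"),
    ("web01", "app01", "shared local administrator password"),
    ("app01", "dc01", "service account with domain admin rights"),
    ("vpn-gw", "ws-finance", "flat network, no segmentation"),
    ("ws-finance", "fileserver", "cached domain credentials"),
    ("fileserver", "dc01", "unconstrained delegation"),
    ("dc01", "db01", "domain admins are local admins on the database host"),
]

ENTRY = "internet"
CROWN_JEWEL = "db01"


def build_graph(edges):
    """Adjacency list from (src, dst, weakness) triples."""
    graph = {}
    for src, dst, _ in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def shortest_path(edges, start, target):
    """Breadth-first search for the fewest-step path from start to target.
    Returns the list of hosts on that path, or None when the target is
    unreachable, i.e. every attack path has been closed."""
    graph = build_graph(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def steps(path):
    """Number of attacker steps on a path (hosts minus one)."""
    return None if path is None else len(path) - 1


def rank_remediations(edges, start=ENTRY, target=CROWN_JEWEL):
    """Simulate fixing each weakness by deleting its edge, then rank the fixes
    by how many steps they add to the shortest remaining path. A fix that cuts
    the crown jewel off entirely scores as infinite."""
    baseline = steps(shortest_path(edges, start, target))
    ranked = []
    for i, (src, dst, weakness) in enumerate(edges):
        remaining = edges[:i] + edges[i + 1:]
        after = steps(shortest_path(remaining, start, target))
        gain = float("inf") if after is None else after - baseline
        ranked.append((gain, f"{src}->{dst}: {weakness}"))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return baseline, ranked


if __name__ == "__main__":
    base, fixes = rank_remediations(EDGES)
    print(f"shortest path today: {base} steps")
    for gain, fix in fixes:
        label = "closes all paths" if gain == float("inf") else f"+{gain} steps"
        print(f"{label:18} {fix}")
```

Run as a script it prints the ranking. The single fix that disconnects the crown jewel (here, the domain-admin hop onto the database host) ranks above fixes that only lengthen the path, which is the prioritisation the text argues for: close the short paths first, then make the remaining ones long enough that the attacker moves on.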

In Conclusion

Given that critical assets are often just a handful of steps from danger, it's imperative to harden your

security environments and work toward continuous improvement. For more information on this topic, I

heartily recommend a recent webinar hosted by Security Scorecard that delves into these issues in

greater detail.

About the Author

Gus Evangelakos is the Director of North American Field Engineering at

XM Cyber. He has extensive experience in cybersecurity, having

managed implementations and customer success for many major global

brands such as Varonis, Bromium and Comodo. Gus has spent a

decade also working on the client-side, supporting IT infrastructure and

cybersecurity projects. He has a strong background in micro

virtualization, machine learning, deep learning (AI), sandboxing,

containment, HIPS, AV, behavioral analysis, IOCs, and threat

intelligence. Gus can be reached online via LinkedIn and at our

company website http://xmcyber.com/


Moving to Active Defense: What It Means, How It Works

and What You Can Do Now

By Ofer Israeli, CEO and founder, Illusive Networks

Despite the myriad cybersecurity solutions out there, breaches, attacks and exploitations continue. The

old approach isn’t working; cybersecurity teams need to move from a passive approach to one that’s

more active. And MITRE’s introduction of Shield addresses this directly. MITRE, the federally funded not-for-profit,

has made it clear that active defense, rather than the standard whack-a-mole responsive

defense, is paramount in the fight against cybercrime.

With the release of their Shield framework, MITRE has shifted the cybersecurity focus to active defense

techniques. Government IT teams that know the latest strategies and recommendations put their

agencies in a strong position to remain secure.


MITRE Shield introduces active defense

The MITRE Corporation’s goal is to “solve problems for a safer world.” Shield is an active defense

knowledge base constructed from over a decade of enemy engagement. With it, MITRE is trying to gather

and organize what it has been learning with respect to active defense and adversary engagement. This

information ranges from “high-level, CISO-ready considerations of opportunities and objectives to

practitioner-friendly discussions of the TTPs available to defenders.” MITRE hopes that Shield will

encourage discussion about active defense and how defenders can use this information to get the upper


But what exactly does active defense mean? And what do organizations need to know?

Understanding active defense

Active defense entails the use of limited offensive action and counterattacks to prevent an adversary from

taking digital territory or assets. Active defense covers a swathe of activities, including engaging the

adversary, basic cyber defensive capabilities and cyber deception. Taken together, these activities

enable IT teams to stop current attacks as well as get more insight into the attacker. Then they can

prepare more thoroughly for future attacks.

MITRE makes it clear in its discussion of Shield that deception capabilities are a necessity in the modern

security stack to truly deter and manage adversaries. In Shield’s new tactic and technique mapping,

deception is prominent across eight active defense tactics—channel, collect, contain, detect, disrupt,

facilitate, legitimize and test—along with 33 defensive techniques.

What agencies need to know

Government organizations are continuous targets for bad actors, whether it’s nation-state attackers

seeking proprietary information or more run-of-the-mill criminals looking to cause chaos and obtain some

PII they can exploit.

There is a huge amount of intellectual property within government agencies. A lot of the intellectual

property that’s created in the U.S. that is of interest to adversaries is in the DoD supply chain or is being

submitted to the U.S. Patent and Trademark Office. Government agencies are holding some of the most

valuable and sensitive data sets, including lawsuits being handled by the Department of Justice and

counterterrorism tracking in the Department of Homeland Security.

Bad actors attempt to sneak into these environments and then gain access to even more impactful

information – like stealing the security clearance forms for 20 million people from the Office of Personnel

Management. Analysts estimate that critical breaches of government networks have increased by a factor

of three to six, depending on the targets.

Agencies also need to know and avoid the misconceptions about deception. A prevailing misconception

is that deception is synonymous with honeypots, which have been around for a long time and are no

longer effective. Making a honeypot convincing requires a lot of management; without it, attackers who

engage with the honeypot can tell that it is not a real system, and therefore know they are in the middle

of getting caught.

A second misconception is that deception is overly complicated and complex, with comparatively little

ROI. Security organizations could enjoy the benefit of using deception technology – which is lightweight

and has a low cost of maintenance – but are not engaging because they think it’s an overwhelming,

complex approach that they won’t get enough value from.

The reality is that deception technology is not the same as honeypots. That’s how deception began, but

it has evolved significantly since then. Today’s deception takes the breadcrumb/deceptive artifact

approach that leads attackers on a false trail, which triggers alerts so that defenders can find and stop

the attackers in real time. Legitimate users never encounter the deceptions, which have no effect on

everyday systems, so anyone who does touch one is almost certainly an intruder and false positives are

dramatically reduced. These aspects of deception

technology add tremendous security and financial value to the IT security organization.
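
The breadcrumb approach described above, as an added example rather than Illusive's product or MITRE's material: a handful of deceptive account names and hostnames that no legitimate workflow uses are planted on endpoints, and a detector scans constructed authentication log lines for any attempt to use them. Because real users never touch the decoys, a single match is a high-confidence alert. The key=value log layout, the account names and the hostnames are assumptions made for the example.

```python
import re

# Deceptive artifacts planted on endpoints (constructed for this example):
# account names saved in a decoy RDP file and a decoy script, plus hostnames
# that appear only in decoy "recent connections" entries. No legitimate
# process or person ever uses these, so any use is attacker activity.
DECOY_ACCOUNTS = {"svc_backup_legacy", "adm_fin_readonly"}
DECOY_HOSTS = {"fs-archive02", "sql-reporting-old"}

# Constructed authentication log lines in a key=value layout (an assumed
# format, not a vendor's real schema): one line per logon attempt.
SAMPLE_LOGS = """\
ts=2021-01-12T09:14:02Z src=10.20.4.17 user=jsmith dst=fileserver result=success
ts=2021-01-12T09:14:40Z src=10.20.4.17 user=jsmith dst=app01 result=success
ts=2021-01-12T22:03:11Z src=10.20.4.88 user=svc_backup_legacy dst=fs-archive02 result=failure
ts=2021-01-12T22:03:19Z src=10.20.4.88 user=svc_backup_legacy dst=dc01 result=failure
ts=2021-01-13T07:55:00Z src=10.20.9.3 user=mlee dst=sql-reporting-old result=failure
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def detect_decoy_use(log_text, decoy_accounts=DECOY_ACCOUNTS, decoy_hosts=DECOY_HOSTS):
    """One alert per log line that touches a deceptive artifact. Whether the
    logon succeeded is irrelevant: the decoy should never be used at all, so
    the attempt itself is the signal."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = []
        if event["user"] in decoy_accounts:
            reasons.append(f"decoy account {event['user']}")
        if event["dst"] in decoy_hosts:
            reasons.append(f"decoy host {event['dst']}")
        if reasons:
            alerts.append({"ts": event["ts"], "src": event["src"],
                           "user": event["user"], "reasons": reasons})
    return alerts


def sources_to_contain(alerts):
    """Distinct source addresses behind the alerts: the machines to isolate
    and image first, since each one has an attacker (or their tooling) on it."""
    return sorted({alert["src"] for alert in alerts})


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOGS)
    for alert in found:
        print(alert["ts"], alert["src"], "; ".join(alert["reasons"]))
    print("contain:", ", ".join(sources_to_contain(found)))
```

Note that the two jsmith lines produce nothing, while the failed logons with the decoy account and against the decoy hosts each produce an alert: the detector needs no baseline or tuning, because the artifacts themselves define what "never" looks like.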

Raise your Shield

The attack surface that security teams must secure continues to expand rapidly as attacker tactics evolve

– whether through nation-state attack teams, insider threats, for-hire groups or others. The forced digital

transformation during the pandemic, and long-term ramifications that have resulted from it, points to the

need for a more robust approach to protecting critical assets. And this is where active defense is key. It

is likely that the MITRE Shield will become a standard to measure security proficiency by. Government

agencies need to expand that proficiency by adding deception to their security mix as a best practice.

About the Author

Having pioneered deception-based cybersecurity, founder and CEO of

Illusive Networks Ofer Israeli leads the company at the forefront of the

next evolution of cyber defense. Prior to establishing Illusive Networks,

Ofer managed development teams based around the globe at Israel’s

seminal cybersecurity company Check Point Software Technologies and

was a research assistant in the Atom Chip Lab focusing on theoretical

Quantum Mechanics. Ofer holds B.Sc. degrees in Computer Science

and Physics from Ben-Gurion University of the Negev.

Ofer can be reached on Twitter @ofer_israeli and at



How Next-Gen Identity Governance and Administration

(IGA) Fits in with Your Hybrid IT Strategy

By Thomas Müller-Martin, Global Partner Technical Lead, Omada

More and more organizations are using a hybrid IT environment that combines both on-premises and

cloud-based applications. The rise of remote work, driven by the pandemic, has only increased the speed

of this transformation. In fact, Gartner predicts that more than 75% of midsize and large organizations

will have adopted some kind of multi-cloud or hybrid IT strategy by 2021.

While this approach brings many advantages, it can also make it harder to get a transparent view of who

has access to which IT systems and applications within the organization. As organizations continuously

move more workloads to digital services, they will need a more solid approach to identity management.

Identity Governance and Administration (IGA) has become a cornerstone of solid IT security, allowing

organizations to implement processes for controlling, managing and auditing access to data, which is an

important prerequisite to reduce the security risk.


The growth of hybrid IT

Cloud adoption shows no signs of slowing down – in fact, IT spending overall continues to shift to public

cloud computing. Gartner analysts believe that more than 45% of IT spending on system infrastructure,

infrastructure software, application software and business process outsourcing will shift from traditional

solutions to cloud by 2024.

The cloud has been integral for many companies’ capability to stay productive during the shift to remote

work, and it also comes with plenty of other advantages – like the cost savings of not having to house an

on-premises data center. That said, not every business can or should shift entirely to the cloud. Some

things have to remain on-premises and as a result, hybrid IT is growing.

However, these new solutions must still maintain regulatory compliance and secure collaboration across

the organization and with partners and customers. They must support the rapid adoption of new digital

services while respecting security and compliance. The solutions need to protect the brand and IP while

acting in a complex ecosystem. The organization must therefore manage the risk while maintaining

business agility and increasing efficiency.

The role of identity governance and access management

Ensuring security and staying compliant means that identity access management and identity

governance are key. Migrating to the cloud opens new entry points for attackers and introduces different

vulnerabilities, so organizations must revise their risk and security management.

Therefore, they need to have a vision for secure cloud adoption and then establish appropriate

governance. It is important to ensure that a well-functioning, future-proof architecture for identity

management and access governance is implemented. This architecture should secure the organization

long-term and ensure correct data flows across disparate systems and directories.

An organization must know its identities and related accounts before enabling users to access and use

cloud services. Companies must make sure that federated identities from suppliers, partners or

customers are governed in a proper manner. Ideally, this should happen before collaboration begins, and

the correct processes must be established and implemented. Organizations should also establish “local”

security mechanisms, such as access request and certification, and they must also establish policies for

cloud services.

What organizations need to know

When an organization uses an IGA solution, it allows the IT department to manage and govern all user

access rights across a hybrid IT environment. Among the elements IGA processes oversee are:

• audit and compliance reporting to ensure continuous risk overview

• managing access to resources across an organization’s hybrid IT environments (on-premises and

cloud-based applications)


• performing access reviews and certifications across all cloud and on-premises applications

• onboarding of new employees and offboarding leavers

• a structured approach to onboarding applications

• managing access to applications on a granular level in compliance with company policies,

handling of access assignment policies and provisioning

The ability to process these elements effectively lets companies ensure compliance, save money and

minimize the risk of data theft by insiders and hackers. A key factor in doing this well is ensuring that

business systems are only accessible to those who need to use them to do their job – the “least privilege”
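
What an access review actually computes, as an added Python example (not Omada's product): a constructed entitlement export from an on-premises ERP and two cloud services is compared against each identity's HR role, the leaver list, a role policy and a set of segregation-of-duties rules. The output is the list of findings a reviewer certifies or revokes: orphaned accounts of leavers, accounts with no HR record, rights outside the role (the least-privilege violations the text refers to) and toxic combinations. The roles, applications, rights and policy are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    """One access right held by one account in one application."""
    user: str
    app: str
    right: str


# Constructed HR data (assumption): current employees with their business
# role, and the accounts of people who have left.
HR_ROLES = {"alice": "ap_clerk", "bob": "ap_manager", "carol": "developer"}
LEAVERS = {"dave"}

# Role policy (assumption): the entitlements each role is allowed to hold.
# Anything held beyond this is excess privilege to be reviewed or revoked.
ROLE_POLICY = {
    "ap_clerk": {("erp-onprem", "invoice.create")},
    "ap_manager": {("erp-onprem", "invoice.approve")},
    "developer": {("github-cloud", "repo.write")},
}

# Segregation-of-duties rules: pairs of rights one person must never combine.
SOD_CONFLICTS = [
    (("erp-onprem", "invoice.create"), ("erp-onprem", "invoice.approve")),
    (("erp-onprem", "vendor.create"), ("erp-onprem", "payment.release")),
]

# Constructed entitlement export, as an IGA connector would pull it from an
# on-premises ERP and two cloud services.
ENTITLEMENTS = [
    Entitlement("alice", "erp-onprem", "invoice.create"),
    Entitlement("alice", "erp-onprem", "invoice.approve"),
    Entitlement("bob", "erp-onprem", "invoice.approve"),
    Entitlement("carol", "github-cloud", "repo.write"),
    Entitlement("carol", "github-cloud", "org.admin"),
    Entitlement("dave", "erp-onprem", "invoice.create"),
    Entitlement("erin", "aws-cloud", "iam.admin"),
]


def review_access(entitlements, hr_roles=HR_ROLES, leavers=LEAVERS,
                  policy=ROLE_POLICY, sod=SOD_CONFLICTS):
    """Produce access-review findings as (kind, user, detail) tuples.
    kinds: orphan (leaver still has access), unknown_identity (no HR record),
    excess (right not granted by the role), sod (toxic combination)."""
    held_by_user = {}
    for ent in entitlements:
        held_by_user.setdefault(ent.user, set()).add((ent.app, ent.right))

    findings = []
    for user, held in sorted(held_by_user.items()):
        if user in leavers:
            findings.append(("orphan", user, "leaver still holds access; revoke everything"))
            continue
        if user not in hr_roles:
            findings.append(("unknown_identity", user, "no HR record; confirm owner or disable"))
            continue
        role = hr_roles[user]
        allowed = policy.get(role, set())
        for app, right in sorted(held - allowed):
            findings.append(("excess", user, f"{app}:{right} is not granted by role {role}"))
        for (app_a, right_a), (app_b, right_b) in sod:
            if (app_a, right_a) in held and (app_b, right_b) in held:
                findings.append(("sod", user, f"holds both {right_a} and {right_b} in {app_a}"))
    return findings


def summarize(findings):
    """Count findings by kind: the headline numbers a certification campaign reports."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ENTITLEMENTS)
    for kind, user, detail in results:
        print(f"{kind:17} {user:7} {detail}")
    print(summarize(results))
```

The same comparison runs identically whether the entitlement came from the on-premises ERP or a cloud service, which is the point of governing hybrid access from one identity model: the connector differs, the policy does not.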


Take control

As cloud adoption soars, hybrid IT shows no sign of slowing down. Market forces have converged to

make this standard operating procedure. But that means, for regulatory and security reasons,

organizations must get control of who has access to which parts of their distributed business systems.

To ensure security, compliance and efficiency, businesses need IGA processes in place. These

processes protect organizations from incidents that could damage their reputation or, in the worst case,

cause them to go out of business. In the era of the cloud, with skyrocketing cyber threats and stringent

legislation such as GDPR, having best practice IGA processes in place has become a license to operate.

Implementing an IGA solution should be seen as a strategic investment, empowering organizations to

realize significant business value.

About the Author

Thomas Müller-Martin is Global Partner Technical Lead at

Omada. He has spent more than 15 years in identity and

access management. As the implementation of identity-centric

cyber-security strategies become more and more relevant for

enterprises around the globe, he helps Omada partners to

make their Identity Governance and Administration journey a


Thomas can be reached online via LinkedIn and omada.net.


Analytics & Security Insight On 2021 And Beyond

Predictions for the Future of the Security Space

By Billy Spears, Chief Information Security Officer, Alteryx

2020 has been a year unlike any other, with unforeseen challenges creating hurdles for businesses in

every sector of the economy. As companies look for ways to insulate themselves from future shocks

while preparing for the year ahead, insider insights can help companies to understand how societal and

economic trends have and will impact their industries and what to expect in 2021. Below, I share a few

predictions that will help leaders stay ahead of the curve and tackle anything that 2021 throws at them.

First, I believe that in 2021, zero-trust security will become the new normal. The work-from-anywhere

concept has created an interesting opportunity for CISOs to consider strategic approaches for managing

non-traditional security risks. To accommodate this shift, we’ll see corporate security departments

expanding the perimeter into associates’ homes to ensure that cyber risks are not unknowingly introduced

into the corporate network. 2021 will see CISOs working with HR, further pushing to increase each

associate’s cyber awareness to proactively recognize and report related risks, meaning that “zero-trust

security” will be the new standard methodology for supporting associates working remotely. CISOs must

adopt this model as it improves secure access to corporate resources through continuous assessment


and intent-based authentication policies. Furthermore, Virtual Private Network (VPN) connections must

become a default setting to increase protections for associates requiring remote access.

Additionally, citizen data scientists will play a bigger role in preventing cyber attacks in 2021. As workers

everywhere become more comfortable working with data, the ability of a business to deliver value in data

processing and analysis increases exponentially. Their ever-expanding skillset increases value by

delivering actionable insights from terabytes of otherwise impenetrable data to help the company

forecast, mitigate risk and fraud, deliver relevant products to their customers and improve cybersecurity

defenses. Effective cybersecurity threat hunting has always been built around the constant pursuit,

near capture and repeated escapes of adversaries attempting to infiltrate a corporate network. Using a

powerful analytics platform that enables machine learning capabilities is crucial to detect and address

cybersecurity threats more rapidly by providing security departments with the ability to examine large

volumes of data to uncover trends, identify patterns and deliver actionable intelligence.

With the further democratization of data, 2021 will see citizen data scientists more and more playing a

key role in helping security teams enhance and simplify their cyber defense technologies by precisely

detecting future attacks, proactively identifying security blind spots across the network and protecting

valuable company information.


About the Author

Billy Spears is Chief Information Security Officer at Alteryx. He is responsible for overseeing enterprise

cybersecurity and associated risk management practices. With a strong focus on both internal and external

security, Billy ensures that Alteryx associates, customers, partners and vendors are thoroughly protected

via state-of-the-art policies, processes and technologies. His passion for architecting and implementing

strategic solutions that build trust, enable resilience and incorporate core principles is driving

transformation and simplifying processes across the organization.

Billy brings more than 20 years of experience leading and building teams in the information and security

space across both the corporate world and the federal government. His strong background in information

and security across different industries and verticals is critical in enforcing best practices within all areas

of the business. Billy’s informed guidance and strategic approach to risk management and security efforts

is instrumental in improving protections as Alteryx and the larger self-service analytics market continues

to grow and expand across the globe.

Prior to joining Alteryx, Billy served as executive vice president and chief information security officer at

loanDepot, a market leader and online mortgage lender for consumers. While in this role, Billy helped

create the first security enabled digital home loan experience for consumers – a game-changing

advancement in the mortgage business. Billy has held similar positions at companies like Hyundai Capital

America, General Electric and Dell, as well as the U.S. Department of Homeland Security. He is also a

veteran of the U.S. Marine Corps.

Billy is an adjunct cybersecurity professor for Webster University and a member of the company advisory

board for Cymatic, a web application defense platform. Billy holds a bachelor’s degree in information

technology from National University and received his MBA from University of Phoenix.

Billy can be reached online on Twitter at his handle @BillyJSpears and at our company website



Innovation, Automation and Securing A “Work from

Anywhere” Environment In The Middle East

By Mazen A. Dohaji, Vice President, India, Middle East, Turkey & Africa (iMETA),


Throughout 2020, enterprises and public sector organizations across the Middle East have been

managing disruption and finding new ways to work. The challenge as we begin 2021 is to not just survive

but thrive in this new business environment. That requires adopting new tools and creating a secure

foundation that keeps users connected and moving forward.

While many organizations have experienced lockdowns and quarantines throughout 2020, security and

infrastructure teams are looking at how to provide flexible working while maintaining their cybersecurity

posture. Users have shifted to a diverse and changeable working environment while cyberattacks in the

Middle East have surged.

The UAE saw cyberattacks increase from 43,000 in April 2020 to peaks of 120,000 in July and 123,000

in August, according to the UAE’s Telecommunications Regulatory Authority (TRA). Between April and

August, there was a 186% increase in cyberattacks in the country, which tracks closely with lockdown

restrictions. Organizations have to be prepared for further uncertainty in 2021 and take action to manage

their risk in the long term. What they can be certain of is that cyberattacks will continue to be a pain point

and have the potential to spike again in 2021.

‘Work from Anywhere’

Security Operations Center (SOC) teams should be reviewing and reflecting on 2020 and thinking about

how they will support dynamic working environments that aren’t just working from home or in the office

but look more like “work from anywhere” scenarios. Most organizations have evolved tremendously over

the last 12 months and SOC teams need to stay in-tune with current operational norms and expectations

of both users and business managers. SOC teams should question the state-of-play for their organization

in 2021 and ask if their business is prepared for a new dynamic and fluid working environment. They

should ask themselves:

1. What did we learn about our systems and processes throughout 2020?

2. What changes do I need to make to optimize our approach to security in the new year?

3. How do we secure a workforce that is fluid and moving between remote and on-premises?

4. Are my security controls and infrastructure built for this, or am I taking additional risk?

5. What is the state of play for security visibility in this flexible environment?

6. How prepared are we to change and adapt in case we are ready to come back to a fully office-based

operation by the summer?

7. What do our users want? How can we enable their success?

8. Where do we start with so much uncertainty?

Based on their responses, they should take action to ensure that their security posture matches the

organization’s requirements and ensure it is ready to flex and adapt as needed. There are a few basic

steps all organizations in the Middle East should be evaluating and prioritizing.

User Vulnerability

The first step for SOC teams across the Middle East should be to reinforce best practice within their

organizations and spend time educating users about policies, guidelines and best practices. Internal

communications to users drive awareness and understanding of security risks. This should be increased

and combined with more training. If training took place at the beginning of the pandemic, then

organizations should be revisiting this in 2021.

Whether it is in the private or public sector, user-based threats, like compromised accounts, increase risk

and exposure across organizations. Human nature is still a primary vulnerability in an already complex

threat landscape.

Endpoint is the Bottom Line

SOC teams need new levels of visibility that are built to serve both remote and office-based working.

They should be focused on the collection and correlation of endpoint, VPN and other pertinent

infrastructure data like employees connecting back into the corporate network, identity and access


management, as well as monitoring collaboration technologies like Office 365, Teams, Zoom, and Slack.

It is about gaining visibility and control over the users’ ICT ecosystem and understanding where to, from,

and how employees are authenticating and accessing data and applications.

When an intrusion is suspected, they need to be able to qualify the threat and assess its potential impact.

They can only do that if they have captured a wide variety of activity occurring on their endpoints and

servers in real-time. Every organization should be able to search rich forensic data to understand when

and how the incident occurred, and then contain the compromise with an endpoint lockdown.
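
The correlation of VPN, identity and endpoint data described above, as an added example rather than LogRhythm code: constructed VPN authentication events are joined to a constructed managed-endpoint inventory, and two SOC rules run over them, one flagging the same account authenticating from two countries closer together in time than travel allows, the other flagging logins from devices that are unmanaged or assigned to somebody else. Alerts are then grouped per account into a single case for qualification. The event schema, device IDs, country codes and the four-hour travel threshold are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed VPN authentication events in a normalized schema (an assumption,
# not a specific vendor's log format). Country comes from the VPN gateway's
# geolocation of the client address.
VPN_EVENTS = [
    {"ts": "2021-01-18T08:02:00Z", "user": "afarid", "country": "AE", "device": "LT-0412", "result": "success"},
    {"ts": "2021-01-18T08:40:00Z", "user": "afarid", "country": "RO", "device": "UNKNOWN-9F3A", "result": "success"},
    {"ts": "2021-01-18T09:15:00Z", "user": "mkhan", "country": "SA", "device": "LT-0550", "result": "success"},
    {"ts": "2021-01-18T09:16:00Z", "user": "mkhan", "country": "SA", "device": "LT-0550", "result": "failure"},
    {"ts": "2021-01-18T18:30:00Z", "user": "mkhan", "country": "SA", "device": "LT-0550", "result": "success"},
    {"ts": "2021-01-18T21:05:00Z", "user": "afarid", "country": "AE", "device": "LT-0412", "result": "success"},
]

# Constructed managed-endpoint inventory (device ID -> assigned user), as
# exported from the EDR or MDM platform.
MANAGED_DEVICES = {"LT-0412": "afarid", "LT-0550": "mkhan"}

# Shortest plausible gap between logins from two different countries.
MIN_TRAVEL = timedelta(hours=4)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def impossible_travel(events, min_travel=MIN_TRAVEL):
    """Flag a successful login whose previous successful login for the same
    user came from a different country less than min_travel earlier."""
    alerts = []
    last_login = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["result"] != "success":
            continue
        prev = last_login.get(event["user"])
        if (prev is not None
                and prev["country"] != event["country"]
                and parse_ts(event["ts"]) - parse_ts(prev["ts"]) < min_travel):
            alerts.append({"rule": "impossible_travel", "user": event["user"],
                           "ts": event["ts"], "detail": f"{prev['country']} -> {event['country']}"})
        last_login[event["user"]] = event
    return alerts


def device_anomalies(events, inventory=MANAGED_DEVICES):
    """Flag successful logins from a device not in the managed inventory, or
    from a managed device that is assigned to somebody else."""
    alerts = []
    for event in events:
        if event["result"] != "success":
            continue
        owner = inventory.get(event["device"])
        if owner is None:
            alerts.append({"rule": "unmanaged_device", "user": event["user"],
                           "ts": event["ts"], "detail": event["device"]})
        elif owner != event["user"]:
            alerts.append({"rule": "device_owner_mismatch", "user": event["user"],
                           "ts": event["ts"], "detail": f"{event['device']} belongs to {owner}"})
    return alerts


def build_cases(events):
    """Group every alert by account so the analyst qualifies one case per user
    instead of triaging disconnected events from the VPN and endpoint feeds."""
    cases = {}
    for alert in impossible_travel(events) + device_anomalies(events):
        cases.setdefault(alert["user"], []).append(alert["rule"])
    return cases


if __name__ == "__main__":
    for user, rules in build_cases(VPN_EVENTS).items():
        print(f"{user}: {', '.join(rules)}")
```

On the constructed data the two rules converge on one account: a login from a second country 38 minutes after the first, from a device the endpoint inventory has never seen. Either signal alone is worth a look; together they are the kind of qualified case that justifies an automated endpoint lockdown rather than a manual queue.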

Automate Everything

While automating everything might not be possible today, SOC teams should be exploring automating

as many processes as possible. They are capturing massive amounts of data, which has made

automating security processes a necessity. Not only does it reduce human error, it ensures that precise

decisions can be made at speed. SOC automation tools reduce an organization’s time to qualify (TTQ)

and mean time to respond (MTTR) to a security threat. TTQ refers to the average time it takes to

determine whether an incident is benign or should be considered a threat that requires

investigation. Research by the Ponemon Institute found that it took organizations an average of 280 days

to identify and contain a data breach in 2020.

For most private and public sector organizations, that “wait time” is way too long. In a risky and uncertain

time, they can’t wait for a human to perform an action that could be executed by a Security Information

and Event Management (SIEM) solution with Security Orchestration, Automation and Response (SOAR)


Reinventing the Wheel

When it comes to visibility and automation, there’s no reason to reinvent the wheel. SOC teams don’t

have to develop all of this themselves. Instead, they should look for one-click, out-of-the box automation

solutions that help them meet local compliance requirements and quickly deliver for their organizations.

In markets like the Kingdom of Saudi Arabia, predefined reports and use cases can be made immediately

available to organizations so they can meet local cybersecurity controls. This can be a way to quickly

enhance an organization’s security posture while being able to demonstrate compliance.

It also increases cost-efficiencies and enables local organizations to bridge skills gaps in the Middle East

and benefit from both local and global expertise. Pre-defined use cases and reports can make it simpler

and easier to deploy and enhance security in 2021.

2021 and Beyond

Rapid digitalization across the private and public sector in the Middle East is only going to continue in

2021. The digital transformation and flexible working boom that started in 2020 will accelerate. This

means that cybersecurity has to continually evolve to match the needs of rapidly changing ICT

ecosystems. Adaptability and agility are critical and that starts with a secure foundation. Throughout


2021, SOC teams should review, reflect and adapt as their operational environment continues to change

and unexpected events influence the threat landscape.

About the Author

Mazen A. Dohaji has worked for LogRhythm for more than 6 years, where he

started as a Senior Regional Director for India, Middle East, Turkey & Africa

(IMETA) and is now Vice President for IMETA. He has 26 years of IT industry

experience in the Middle East region and more than 3 years in the SIEM

space. Mazen is driven by market challenges and has extensive knowledge

of the Middle Eastern Security market. This has led him to be the trusted

advisor for major government entities and large enterprises across the region.

He has also won “Top Performer” awards in multiple multinational

organizations including IBM (formerly Informix), HP, and McAfee.


Peer-To-Peer Cybersecurity Insights For 2021

Based on real practitioners’ experiences

By Stuart Berman, IT Central Station Super User

December is typically a month when people who work in the IT field offer predictions for the coming year.

2020 has been a highly atypical year, however, so it’s a bit daunting to think about what’s coming over

the horizon. Yet, my company is in a unique position to engage in prognostication. We source user data

directly from users in the trenches. In a year when travel has not been possible, IT professionals could

not rely on the traditional get-togethers and in-person discussions to get advice and feedback from other

industry experts. Online review sites such as ours have boomed as a result. With that in mind, here are

five predictions for cybersecurity, based on what we are learning from real practitioners.

Countermeasures and security operations catch up with containerization and microservices—

While neither containerization nor microservices are new, they have reached a level of adoption that calls

for a revised approach to cloud security. I say revised, versus new, because it’s easy to get pulled into

“It’s all different, trash everything you’re doing” discussions. These are traps to avoid, as are the seductive

but in my view false ideas like “Firewalls are dead in the cloud. You just need good code.” No, principles

like Defense in Depth don’t go away just because you’re running virtualized services in the cloud. Rather,

securing containers and microservices calls for new, virtualized versions of familiar technologies like



Automation of security processes and SecOps becomes the norm—This has also been a long time

coming, but the security field has reached a point where manual processes will no longer suffice. There

is just too much going on, too many threats to mitigate, too many alerts to handle. Instead, solutions like

Security Orchestration, Automation and Response (SOAR) will become “must haves” in the Security

Operations Center (SOC). SOAR solutions use automated “playbooks” to handle threats at a speed that

people cannot possibly match by hand.

Multiple security and related systems become more deeply integrated—The need to integrate the

different elements of a security program will become more pressing in 2021. This goes along with

automation. As security incident response becomes automated, it will make sense to eliminate manual

handoffs between the systems that power the response, e.g., the SOAR solution will connect with the IT

ticketing system via Application Programming Interfaces (APIs) for generating and assigning tasks.
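The playbook and API hand-off described above, as an added illustration (not code from any SOAR product or from the author): a small playbook runner that takes alerts a SIEM has already correlated, closes the ones policy says are benign, suppresses repeats inside a time window, scores the rest against asset criticality, and emits the containment requests and ticket payloads that would be posted to a firewall and an ITSM API. The alerts, asset table and scanner list are constructed sample data, and the rule names, severities and queue names are assumptions.

```python
"""Minimal SOAR-style playbook: triage SIEM alerts, enrich from inline
lookup tables, and emit ticket + containment requests for downstream APIs.
All alerts, hosts and IPs below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample of what a SIEM forwards after its own correlation.
SAMPLE_ALERTS = [
    {"id": "a1", "rule": "auth.bruteforce", "src_ip": "203.0.113.7", "host": "vpn-gw-01",
     "ts": "2021-01-04T08:00:00", "failures": 120},
    {"id": "a2", "rule": "auth.bruteforce", "src_ip": "203.0.113.7", "host": "vpn-gw-01",
     "ts": "2021-01-04T08:03:00", "failures": 140},     # repeat inside the window
    {"id": "a3", "rule": "edr.malware", "src_ip": None, "host": "fin-ws-17",
     "ts": "2021-01-04T08:10:00", "hash": "d41d8cd9"},
    {"id": "a4", "rule": "vuln.scan", "src_ip": "10.0.5.9", "host": "web-01",
     "ts": "2021-01-04T08:12:00", "failures": 0},      # authorised scanner
]

# Constructed enrichment sources (assumed): asset criticality, trusted scanners.
ASSETS = {"vpn-gw-01": "critical", "fin-ws-17": "high", "web-01": "medium"}
KNOWN_SCANNERS = {"10.0.5.9"}
DEDUP_WINDOW = timedelta(minutes=15)


@dataclass
class Outcome:
    tickets: list = field(default_factory=list)   # payloads for the ITSM API
    blocks: list = field(default_factory=list)    # source IPs for the firewall API
    closed: list = field(default_factory=list)    # alert ids auto-closed, no human needed
    seen: dict = field(default_factory=dict)      # (rule, indicator) -> last ticketed time


def severity(alert: dict) -> str:
    """Score from the asset hit, not just the rule that fired."""
    crit = ASSETS.get(alert["host"], "low")
    if alert["rule"] == "edr.malware":
        return "P1" if crit in ("critical", "high") else "P2"
    if alert["rule"] == "auth.bruteforce":
        return "P1" if crit == "critical" and alert.get("failures", 0) >= 100 else "P3"
    return "P4"


def run_playbook(alerts: list, out: Outcome | None = None) -> Outcome:
    """Apply the playbook to alerts in order; pass a previous Outcome to keep
    the dedup state across batches."""
    out = out if out is not None else Outcome()
    for a in alerts:
        ts = datetime.fromisoformat(a["ts"])
        # Step 1: benign by policy -> close, do not page anyone.
        if a["rule"] == "vuln.scan" and a.get("src_ip") in KNOWN_SCANNERS:
            out.closed.append(a["id"])
            continue
        # Step 2: same rule + indicator inside the window -> fold into the open ticket.
        key = (a["rule"], a.get("src_ip") or a["host"])
        last = out.seen.get(key)
        if last is not None and ts - last < DEDUP_WINDOW:
            out.closed.append(a["id"])
            continue
        out.seen[key] = ts
        # Step 3: severity from asset criticality, then containment and ticket.
        sev = severity(a)
        if sev == "P1" and a.get("src_ip") and a["src_ip"] not in out.blocks:
            out.blocks.append(a["src_ip"])
        out.tickets.append({
            "title": f"[{sev}] {a['rule']} on {a['host']}",
            "severity": sev,
            "alert_id": a["id"],
            "assignee": "soc-tier2" if sev in ("P1", "P2") else "soc-tier1",
            "evidence": {k: v for k, v in a.items() if k != "id"},
        })
    return out


if __name__ == "__main__":
    result = run_playbook(SAMPLE_ALERTS)
    for t in result.tickets:
        print(t["title"], "->", t["assignee"])
    print("blocked:", result.blocks, "auto-closed:", result.closed)
```

The point of the dedup step is that the second brute-force alert does not become a second ticket, while the same indicator seen again an hour later does; the ticket payload carries the evidence so the analyst who picks it up in the ITSM tool never has to go back to the SIEM console for the basics.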

Security moves a lot faster—Security processes, along with the systems that support them, will start to

move a lot faster in 2021. This might take the form of increased automated system updates versus

manual re-installs, to name just one possible example. Automation also naturally moves processes along

at a far faster clip than was previously possible.

Security partners more closely with other corporate groups—Security, as well as its close cousin,

compliance, will require more collaboration between multiple groups inside an organization. With privacy,

for example, there will likely be much closer coordination between legal teams and engineering. For

example, to honor the “right to be forgotten” (the right to erasure under GDPR and the right to delete under CCPA), the legal team has to have a

thorough understanding of how the consumer’s rights will be honored through technology. To get it right,

everyone is going to have to learn to speak across organizational boundaries.

In general, I think 2021 is going to be a year when the dialogue between vendors and buyers starts to

become more holistic and productive. The cloud computing trend, as well as the growth of DevSecOps

and SOAR, are leading to a situation where the old “My solution is better than their solution” argument

just really falls flat. We are hearing this in so many ways on the site. Buyers no longer care so much if a

solution is 99% effective versus a competitor that is 98%. Good security managers want to understand

how a solution will work in context, for a particular business use case.

One thing is for sure: It’s going to be an interesting year. Let’s all stay safe.

About the Author

Stuart Berman, IT Central Station Super User


Transitioning to Remote Work: The Apps You’ll Need to

Ensure A Productive Workforce

By Ikechukwu Nnabeze, SEO Copywriter, Traqq

The world is changing at a swift pace. A couple of years ago, remote work was an unheard-of term in the

business world; it was a privilege enjoyed by a select few. However, this is no longer the case as more

organizations are embracing working from home and its associated benefits. Even workers and team

leaders are now quick to sing about the many positives that it brings.

Before the pandemic, working outside the office wasn’t an accepted idea among employers. However,

current health risks have changed many minds. Everyone has been forced to adapt and become flexible

about how things should be done. Employees who have tasted the work-from-home setup would prefer

to continue if given the option.

It’s true that there’s no one-size-fits-all when it comes to deciding the sustainability of remote work for

your business. Even so, it helps to know the best apps that will help your team make the transition. After all, there are several business risks in remote work. Fortunately, there are tech solutions that

can mitigate these common problems. These modern digital apps help you to coordinate and monitor

your staff, no matter their location. From time tracking software to free collaboration tools for remote

teams, there are several ways to ensure productivity among your employees.


Tool to Prevent Miscommunication: Slack

It’s easy to lose proper communication while transitioning to a remote working structure. It’s one of the

common issues companies face, which can lead to a massive dip in productivity. For starters, workers

can no longer talk to each other face to face as they used to. The ease of walking over to a teammate’s

desk to ask questions and come up with solutions to a problem is no longer there. This can lead to a

messy communications network where vital information can get lost.

While emails will work in a scenario where all employees commute to a physical workplace, it’s less

feasible with remote work. It’s difficult to hold continuous conversations over emails, especially when you

need to talk to many people on small issues at the same time.

To create an effective workflow and boost productivity, you need a tool like Slack. This is an instant

communication tool that comes with two primary modes of communication:

• Channel messages

• Direct messages

Using these two modes, employees can exchange solutions, creative ideas, and information seamlessly.

In addition, it comes with add-ons that give it an added efficiency that you can’t get with email.


Slack also features a video call tool that you can use when you want to have face-to-face conversations.

This gives a feeling that’s close to what you get from talking to a colleague or employee in a physical

office. It’s also useful for holding quick meetings. Everyone can simply sign in and enjoy the pleasure of

seeing each other’s faces, smiles, and gestures.

The app allows for file sharing, which makes it the perfect communication tool. Moreover, it can be

integrated with other third-party team management software such as Jira and Google Calendar.

1. Tool to Prevent Time Theft: Traqq

Working from home is great. However, it can come with a problem of distraction. In an office, it’s easy to

keep an eye on your employees, caution them, or help them do their tasks without procrastinating.

However, when it comes to telecommuting, the story is different. You need to find a way to monitor staff

without being the overbearing boss that everybody hates. This is where time management apps come


Traqq is a time tracking software that allows you to keep tabs on employee activity, no matter where they

are in the world. Research shows that individuals tend to work faster when they realize their activity is

being monitored. This means that you can ensure an increase in productivity even without having your

workers under one roof.

For example, managers use Traqq to keep track of their staff’s on-screen activity. They can see which

websites and apps an employee visits during work hours. In addition, they get reports on how much time

a worker spent on those sites and what they were doing on the pages they opened.

This time tracking tool helps you figure out how many minutes or hours each worker spends on particular

tasks. At the end of every week or month, you get a detailed report that’ll help you give feedback and

coaching to your employees. If a staff member is wasting time surfing through Instagram or playing games

during their work time, you’ll know from the activity report that the time management app will generate.


Traqq also performs automatic tracking, which means that it quietly records user activity in the

background without creating distractions or interfering with daily work. It achieves this by taking

screenshots or video recordings at intervals. The manager can then review this visual data and see an

accurate calculation of the number of hours worked. Those screenshots and recordings are themselves

sensitive data: they can capture passwords, customer records, and personal messages, so access to them

should be restricted to the managers who need it, retention kept short, and the monitoring disclosed to staff.

This app has many features that help to keep employees focused. For instance, this tool measures each

worker’s activity level based on keyboard movements and mouse clicks. Your staff will stay focused on

tasks, knowing there’s a tool monitoring their activity during work hours.

At the end of the workweek or month, the data is collated, and the app automatically gives you an

extensive report. It shows the productivity level of each worker and provides accurate data for invoicing,

salary payment, and client billing.

2. Tool to Prevent Data Leaks: LastPass

As an organization moves its business online, it has to incorporate a lot of digital tools into daily

operations. Using various apps and services means having several accounts – this, in turn, means

creating many passwords.

It can get tedious trying to keep up with remembering and protecting all company passwords, especially

when you have several employees under your wing. Writing them down somewhere can be risky as well

– they can fall into the wrong hands. To operate an efficient and safe business, you need a way to keep

these passwords secure while ensuring workers don’t get locked out of their accounts.

LastPass protects your company’s credentials by giving every team member a single master password that

unlocks their own encrypted vault. The passwords to the other numerous accounts are stored in that vault

and filled in automatically whenever a login page requests them. The master password therefore becomes

the one secret that matters: it should be long, unique to LastPass, and backed by multi-factor

authentication, since anyone who obtains it obtains every credential in the vault.

The app is available on several platforms and is compatible with numerous devices. Its business

editions are aimed at remote teams and at simplifying the process of handling multiple work-from-home
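How a vault of this kind keeps many credentials behind one master password, as an added illustration rather than LastPass’s own code: the master password is stretched once with PBKDF2 and split into separate encryption, integrity and server-authentication keys, so the sync server only ever holds a verifier and ciphertext it cannot read, and a wrong password or a tampered record is rejected by the MAC before anything is decrypted. The PBKDF2 split and encrypt-then-MAC layout are standard; the HMAC-SHA256 counter-mode keystream stands in for the AES-GCM a real vault would use, because the Python standard library ships no authenticated cipher. The iteration count, label strings and sample entries are assumptions.

```python
"""Password-manager vault sketch: one master password, many stored secrets.
Added illustration, not any vendor's implementation. The HMAC counter-mode
keystream is a stand-in for AES-GCM (no AEAD in the standard library)."""
from __future__ import annotations
import hashlib
import hmac
import json
import secrets

ITERATIONS = 310_000  # assumed PBKDF2 work factor; raise as client hardware allows


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes, bytes]:
    """Stretch the master password once, then split it by purpose.
    enc_key and mac_key never leave the device; only auth_key is shown to
    the server, so a server-side copy cannot open the vault."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    enc_key = hmac.new(root, b"vault-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"vault-mac", hashlib.sha256).digest()
    auth_key = hmac.new(root, b"server-auth", hashlib.sha256).digest()
    return enc_key, mac_key, auth_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenate HMAC(key, nonce || counter) blocks."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def lock_vault(master_password: str, entries: dict) -> dict:
    """Build the record a sync server would store: salt, nonce, ciphertext,
    MAC tag, and a hash of auth_key as the login verifier."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key, auth_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "ct": ciphertext.hex(),
        "tag": tag.hex(),
        "verifier": hashlib.sha256(auth_key).hexdigest(),
    }


def unlock_vault(master_password: str, record: dict) -> dict | None:
    """Re-derive the keys; return the entries, or None when the password is
    wrong or the stored record was altered (MAC checked before decrypting)."""
    enc_key, mac_key, _ = derive_keys(master_password, bytes.fromhex(record["salt"]))
    nonce, ciphertext = bytes.fromhex(record["nonce"]), bytes.fromhex(record["ct"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        return None
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def server_login_ok(master_password: str, record: dict) -> bool:
    """All the server can verify: the auth_key hash, never the vault key."""
    _, _, auth_key = derive_keys(master_password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(hashlib.sha256(auth_key).hexdigest(), record["verifier"])


if __name__ == "__main__":
    # Constructed sample entries; not real credentials.
    record = lock_vault("correct horse battery staple", {"jira": "s3cr3t", "slack": "hunter2"})
    print("right password:", unlock_vault("correct horse battery staple", record))
    print("wrong password:", unlock_vault("password123", record))
```

Two things the sketch makes concrete: the server never learns the master password or the vault key, so a breach of the sync service yields only salted, stretched verifiers and ciphertext; and the cost of guessing the master password is the PBKDF2 work factor multiplied by the guesses, which is why the strength of that one password and the presence of MFA on the account decide the security of everything inside.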


3. Tool to Prevent File Loss: Google Drive

We cannot overemphasize the importance of having a secure system for sharing files and collaborating

on digital data. Transitioning your business to a remote working structure means you have to find an

efficient platform to protect business-related sensitive information.

Employees need to exchange lots of information to facilitate the work process and ensure that crucial

documents are stored safely. Since they can no longer do this physically, the amount of digital data that

needs to be exchanged online will significantly increase. A secure file-exchanging and projectcollaboration

network is necessary to avoid miscommunication and safeguard sensitive material from

getting lost in transit.

Sending large files through email can get messy because there’s no way to organize and collaborate with

other team members in your inbox. Besides, it’s easy to mistakenly miss an important message when

they pour in from several sources simultaneously. Large organizations can easily invest in customized

file sharing and collaboration tools. However, small businesses might not have the resources to pull it off.


Fortunately, Google offers an app that small to medium-sized companies can use to share and store data.

Google Drive is a cloud-based tool that your employees and teammates can use to collaborate on projects

while keeping your data in one place. No matter the worker’s location, they can share, download, edit,

and leave comments on documents. The platform gives you 15GB of storage for free, which you can use to

share any type of file, from documents, images, and spreadsheets to videos and links. Whether the data

stays secure depends largely on the sharing settings: share files and folders with named accounts rather

than with “anyone with the link,” and review periodically who has access to sensitive folders.

Since many people are already familiar with Google-based products, it’ll be easy to transition your

workforce towards using other Google-based tools.

4. Tool to Prevent Mental Blocks: Mural

When in a physical office space, it’s easy to get creative ideas from interacting with other employees,

having meeting sessions, and engaging in playful banters. Even that chance meeting in an elevator can

create bursts of fresh ideas coursing through you. This is not so when working from home – you’re alone,

and it can get stale and mentally dull pretty quickly. There are no brainstorming sessions or cooperative

working events in your home office to get the inspiration flowing.

In these situations, digital communication tools might not be so helpful – creativity and inspiration

sometimes need spontaneity, which these apps don’t give. It can get monotonous scheduling calls and

video conferences just to bounce ideas off each other.

Mural is a digital tool designed specifically for this purpose – the app is like a canvas for ideas and

spontaneous creative thoughts. Unlike most project sharing platforms, it gives you the freedom to share

ideas in any form you want.

Teammates and colleagues can put their thoughts on digital sticky notes, which they can arrange into

diagrams, flow charts, and even drawings. Mural adds a new fun way of staying organized and creative.

It’s a great alternative to other more traditional project management tools and is an amazing tool for

boosting creativity among your workforce.

5. Tool to Prevent Feelings of Isolation: Yammer

Remote work can get lonely sometimes, especially when you’re living alone. We are social creatures,

and we crave human-to-human communication. When making changes to take your business online, this

is something to keep in mind.

While there are many professional collaboration and communication tools with all the right features, these

apps fail to cover the social aspects of cooperating on projects. To achieve team bonding, consistent

communication and feedback between teammates are essential. One way to accomplish this in a

traditional office space is through team-building outings and social events. However, this might not be

possible when you have several employees in different and faraway locations.

Yammer helps you with this. Commonly known as the “Facebook for business,” the app has the makings

of a social media network. However, instead of focusing on random personal updates and gossip news

sharing, the tool focuses on work-related project updates. Teammates can like, share, and comment on

posts/updates made by colleagues on projects that they’re working on, just as they would on social



6. Tool to Prevent Inefficient Task Delegation: Every Time Zone

Running a remote business means dealing with employees in different time zones. This presents the

challenge of not knowing who’s available at any given time, which can make handing over and task

delegations difficult. Unfortunately, keeping track of everyone’s time zones can be exhausting, and

colleagues may end up messaging or calling each other at odd hours. This can create more barriers to

productive communication.

Every Time Zone is an app that takes away the issue of performing calculations whenever you need to

check who’s available for a task. It shows you the current time in every time zone that your employees

or colleagues are working from. This makes it easier to know whom you can call or chat with when


It may seem like a relatively small issue, but knowing who is available and what time they’re reachable

can help teammates delegate tasks more efficiently. Productive communication is necessary for building

a successful remote business team.


Transitioning to a remote business structure doesn’t mean you have to sacrifice productivity and security.

With the tools listed in this article, you can protect yourself and your employees from miscommunication,

credential and data leaks, and time theft. As a manager, solving these issues will give you time to focus on other crucial

aspects of your business that require your attention, such as improving your products and services.

About the Author

Ikechukwu Nnabeze is a tech expert and content writer at Traqq whose

goal is to improve people's lives with the help of modern technology. His

interest in providing practical solutions to real-life tech problems has led

him to a successful career in content creation. His passion is to help

individuals and organizations from all over the world to embrace the life-changing

beauty of modern technology. He enjoys poetry and stargazing

when he’s not spending time with family.

Ikechukwu can be reached online at support@traqq.com and at our

company website https://traqq.com/


Meet Our Publisher: Gary S. Miliefsky, CISSP, fmDHS

“Amazing Keynote”

“Best Speaker on the Hacking Stage”

“Most Entertaining and Engaging”

Gary has been keynoting cyber security events throughout the year. He’s also been a

moderator, a panelist and has numerous upcoming events throughout the year.

If you are looking for a cybersecurity expert who can make the difference from a nice event to

a stellar conference, look no further email marketing@cyberdefensemagazine.com


You asked, and it’s finally here…we’ve launched CyberDefense.TV

At least a dozen exceptional interviews rolling out each month starting this summer…

Market leaders, innovators, CEO hot seat interviews and much more.

A new division of Cyber Defense Media Group and sister to Cyber Defense Magazine.




This magazine is by and for ethical information security professionals with a twist on innovative consumer

products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our

mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best

ideas, products and services in the information technology industry. Our monthly Cyber Defense e-

Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare

arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of

sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here

to sign up today and within moments, you’ll receive your first email from us with an archive of our

newsletters along with this month’s newsletter.

By signing up, you’ll always be in the loop with CDM.

Copyright (C) 2021, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G.

SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a

CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com,

CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability

Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465,

Cyber Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS#

078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com

All rights reserved worldwide. Copyright © 2021, Cyber Defense Magazine. All rights reserved. No part of this

newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying,

recording, taping or by any information storage retrieval system without the written permission of the publisher

except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of

the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may

no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect

the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content

and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at


Cyber Defense Magazine

276 Fifth Avenue, Suite 704, New York, NY 10001

EIN: 454-18-8465, DUNS# 078358935.

All rights reserved worldwide.




Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 01/04/2021

Books by our Publisher: https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guysebook/dp/B07KPNS9NH

(with others coming soon...)


9 Years in The Making…

Thank You to our Loyal Subscribers!

We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know

What You Think. It's mobile and tablet friendly and superfast. We hope you

like it. In addition, we're shooting for 7x24x365 uptime as we continue to

scale with improved Web App Firewalls, Content Delivery Networks (CDNs)

around the Globe, Faster and More Secure DNS

and CyberDefenseMagazine.com up and running as an array of live mirror


Millions of monthly readers and new platforms coming…starting with

https://www.cyberdefenseprofessionals.com this month…

