Computing Security
Secure systems, secure data, secure people, secure business
May/June 2021

NEWS, OPINION, INDUSTRY COMMENT, CASE STUDIES, PRODUCT REVIEWS

Inside AI: could this be the game changer?

It's all-out war! Espionage, fraud and ransomware: the highly explosive issues we face

Living through the great unknown: Part 2 of our '2021 Predictions' is shrouded in great uncertainty

Look to your IT assets: upgrade could prove pathway to greater data security
comment

A REMOTE WORLD UNDER THREAT

NTT launched its annual Global Threat Intelligence Report recently and some of the key findings are not going to provide great reassurance to most organisations - not least in that there has been a 300% increase in attacks, as cybercriminals target key industries.

What NTT's '2021 Global Threat Intelligence Report' reminds us most of all is that, in a world of evolving cyberthreats, we need to stay well ahead of the curve to secure the next horizon of cyber resilience. It reveals how hackers are taking advantage of global destabilisation by targeting essential industries and common vulnerabilities from the shift to remote working.

"Success lies in rethinking what you need to accommodate new ways of working," advises NTT, "engaging with your ecosystem of partners and customers to entrench trust across the supply chain; and securing all elements of your infrastructure to drive business value and transformation."

The report highlights how remote working has become a mainstay of the business environment. Some employees may never permanently return to an in-office working environment. "This was illustrated in the NTT 2020 Intelligent Workplace Report, which showed that more than half of organisations (54%) would never return to their pre-pandemic operating model or would pursue a hybrid operating model with expanded flexible working."

While remote working offers many benefits for employee and employer alike, the likelihood of being targeted by hackers is high and the volume of attacks rapidly growing. With this new approach, organisations must place a higher priority on several aspects of their businesses, cautions NTT:

Managing risk
Addressing cybersecurity issues related to supporting their online presence
Optimising and securing work-from-home arrangements
Preparing to defend against supply chain attacks.

In this issue, we look in depth at home working - how it is continuing to change the landscape in fundamental ways, and perhaps forever, while also exposing organisations to greater threat than they have ever faced before - see page 24.

Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk

EDITOR: Brian Wall (brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)
SALES: Edward O'Connor (edward.oconnor@btc.co.uk), +44 (0)1689 616 000
Lyndsey Camplin (lyndsey.camplin@btc.co.uk), +44 (0)7946 679 853
Stuart Leigh (stuart.leigh@btc.co.uk), +44 (0)1689 616 000
PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)
Published by Barrow & Thompkins Connexions Ltd (BTC), 35 Station Square, Petts Wood, Kent, BR5 1LZ. Tel: +44 (0)1689 616 000. Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS: UK: £35/year, £60/two years, £80/three years; Europe: £48/year, £85/two years, £127/three years; R.O.W: £62/year, £115/two years, £168/three years. Single copies can be bought for £8.50 (includes postage & packaging). Published 6 times a year.
© 2021 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.
www.computingsecurity.co.uk @CSMagAndAwards
CONTENTS

COMMENT 3
A remote world under threat

ARTICLES

MAJOR OPPORTUNITY AWAITS TO TACKLE DATA SECURITY 6
Robert Allen of Kingston Technology Europe looks at the fresh challenges that hybrid working will bring and how they can be met

YOU DON'T HAVE TO PREDICT THE FUTURE TO BE MORE SECURE 8
When maximising your security improvement efforts, look at the here and now, rather than what may lie ahead, advises Paul Harris, CEO, Pentest Ltd

GREAT AMERICAN CYBER RECOVERY IN PERIL 10
There hasn't been much good news in cybersecurity lately, states Ian Thornton-Trump, CISO, CYJAX. His take in this article on recent events reinforces that to a worrying degree

PUT A SOC IN IT! 14
Steve Usher and Rob Treacey, of Shearwater Group plc, provide their insights into the organisational need for a SOC - Security Operations Centre - and help to define what they think a good SOC looks like

DARK DAYS IN THE BATTLE AGAINST CYBERCRIME 16
The highjacking of a US fuel pipeline by cyber-criminal gang DarkSide signals deeply worrying times ahead

THE REAL AI REVEALED 18
Not unlike big data, the cloud, IoT and just about every other 'next big thing', more and more companies are looking for ways to jump on the AI (Artificial Intelligence) bandwagon. But can AI help to transform the security industry, making it sharper, wiser and less vulnerable?

HOMING IN ON THE PERILS OF HOME WORKING 24
As home working becomes part of the future, many employees will not be returning to the office full-time. But what must businesses do to ensure they don't leave themselves open to the hackers and attackers? Editor Brian Wall reports

WHAT ELSE AWAITS IN 2021? 28
In part 2 of our glimpse into the likely/possible future, we hear more predictions on where our industry might be heading, in what must be acknowledged as the most unpredictable of years

TANGLED WEB 30
Is there a hacker staring in on you through your devices and gadgets, ready to pounce? With Mark Zuckerberg having posted a now famous photo of his desk set-up, showing his laptop with a covered webcam and blocked mic, we may all need to follow that path to keep ourselves safe

FRAUD AND CYBERCRIME SOAR IN THE PANDEMIC 34
According to the Action Fraud team, which covers activity in England, Wales and Northern Ireland, covid-related fraud and cybercrime amassed a staggering sum of £34.5m in stolen money in the 12 months from 1 March last year.

ALL-OUT WAR 37
Espionage, fraud and ransomware were the big weapons of choice in 2020, with the UK's National Cyber Security Centre having to handle a record number of cyber security incidents
new-world shake-up

HOW AN IT ASSET UPGRADE COULD BE AN OPPORTUNITY FOR BUSINESSES TO TACKLE DATA SECURITY

ROBERT ALLEN, DIRECTOR OF MARKETING & TECHNICAL SERVICES AT KINGSTON TECHNOLOGY EUROPE, LOOKS AT THE FRESH CHALLENGES THAT HYBRID WORKING WILL BRING AND HOW THEY CAN BE MET

Robert Allen, Kingston Technology Europe.

For the first time in history, working remotely became mandatory (where possible) during the first lockdown restrictions of 2020, due to Covid-19. It is certain that many businesses are now thinking of allowing flexible working once the restrictions are finally lifted.

Although the rollout of vaccinations is stepping up the pace, a better work-life balance for employees and cost savings for businesses are the main motivators for this new strategic approach. Not fully returning to the office as we did before, and adopting this new hybrid working environment, will come with additional challenges, though - one of them being how to improve employees' equipment where productivity is affected by IT hardware at the end of its lifespan.

With businesses now trying to 'do more with less' and with their overall budgets reduced, they need to think of another approach to the problem, and the decision may be to upgrade, rather than replace, some or all affected hardware. By doing so, they are also embedding circular economy value principles by optimising the assets they already have and getting more out of their existing technology infrastructure.

STEPPING UP LAPTOP AND PC PERFORMANCE

Memory and SSD upgrades offer cost-effective means to significantly increase laptop and PC performance. To give a couple of examples, a memory upgrade could help the system operate much faster and improve the quality of video calls, as well as supporting the ability to multi-task with slides and share screens and media when presenting, all of them critical when working from home.

Likewise, replacing a traditional hard disk with an SSD results in much quicker boot and application load times, which can again improve responsiveness considerably. This can go a long way to solving frustration with older computers, so team members will be able to get on with their jobs more easily.

What's more, compared to their hard disk counterparts, SSDs offer better reliability and cooler and quieter running, all while consuming less power. Kingston's entry-level SSDs are 10x faster than a spinning hard drive. We are now seeing the next SSD evolution from SATA to NVMe. With this approach, businesses can enable cost-optimised incremental innovation that grows when they do.

The other challenge is to improve data security while working from home. Being connected to the internet at home is not the same as being connected on the office premises: the former is exposed to major security risks. So, the first thing would be to ensure that employees are connected through a VPN, and to verify that the IT equipment they use has the latest operating system and updated antivirus software.

TWO-FACTOR AUTHENTICATION AND HARDWARE ENCRYPTION

Business computers should have minimum security levels implemented by IT specialists, such as two-factor authentication to the system. They should be equipped with encrypted SSDs, and the use of encrypted USB drives for transferring data should be mandatory. These two solutions would give employees safe storage while working remotely, and the data they are handling would be secure while remaining immediately accessible.

Especially with a hybrid work environment in mind as a feasible setting for the future, where work will be carried out both at home and back on the office premises, the human factor still plays a singular role, and it could be even easier to accidentally mishandle customer data while commuting between one place and the other.

Encryption could be built into the operating system, but software encryption incurs a processing performance hit that can slow down a computer, particularly when used on external storage devices.

Alternatively, hardware encryption built directly into a storage device shifts the load away from the computer and keeps data secure in the background. Neil Cattermull, CEO at The Future as a Service and key security influencer, agrees: "hardware encryption built into the drive itself offers better overall performance and more robust security".

Hardware encryption offers more robust security measures than software encryption alone, since the encryption and authentication process stays within the device itself rather than running elsewhere in the system. The time it takes to encrypt/decrypt the information is far shorter when using a hardware-based encrypted device than when using software encryption. This means that the encryption process is not taking valuable bandwidth away, which gives a further performance boost for other applications, with less time spent encrypting and decrypting the data.

FUTURE-PROOFING THE IT ESTATE

The perfect solution then would be to replace older equipment with encrypted SSDs, which would boost the performance of older devices while protecting the corporate data at the same time - a cost-effective way of future-proofing the IT estate, as well as offering performance benefits while also providing a further tool to enhance the business security policy. If the use of encrypted USBs were also added as an additional layer of security for mobile data, businesses would be able to ensure their corporate data is protected in the shift from home working to even more mobile working.

Also, in the event of lost or stolen devices, confidential data would remain safe. Encrypted devices couldn't be accessed by unauthorised people, and an enterprise set-up would allow IT admins to remotely wipe the data on the encrypted USB or encrypted SSDs.

In the process of implementing an asset refresh, though, it is key to ensure the process is handled through a trusted partnership. Having the right technology in place matters, but it matters most to receive the right advice from experts with more than 30 years' experience in the field. Our 'Ask An Expert' approach is focused on facilitation, guiding businesses through the choices available, given their specific technology infrastructure context.

SECURE WORKING

In the storage market, choosing the right solution for a given problem may not be straightforward, considering the technical requirements involved. Kingston is with you to secure your data, no matter what your specific storage environment might be, to ensure your business is working securely both remotely and on the go. This is a philosophy that applies to the company's full portfolio, communicating the advice, support and high quality our products offer, and highlighting the pre-sales advice service and the after-sales support customers can expect.

The gradual shift to WFH that we will see coming to stay in the future is a good time to consider simultaneous improvements to data security and storage performance. Choosing to upgrade is a way to roll out encryption across an organisation without the need to invest in an entirely new computer, and we will continue supporting businesses, whatever their security and storage needs are.
masterclass

YOU DON'T HAVE TO PREDICT THE FUTURE TO BE MORE SECURE

WHEN MAXIMISING YOUR SECURITY IMPROVEMENT EFFORTS, LOOK AT THE HERE AND NOW, RATHER THAN WHAT MAY LIE AHEAD, ADVISES PAUL HARRIS, CEO, PENTEST LTD

Every year, usually around December, companies and experts like to predict what the year ahead will have in store for their industry. Information security is no different and you only have to Google 'cybersecurity predictions 2021' to find a whole host of top 10 lists, articles on upcoming security trends and the emerging threats to watch out for. These predictions often focus on new and exciting technologies, increases in certain attack techniques, the continuation of key trends from the previous years and potential shifts in the approaches taken by organisations to ensure they are protected.

But when it comes to information security, it seems things don't change too much. Next year always seems to be the year infosec gets taken more seriously within organisations: 2021 is predicted to be a 'big' year for ransomware (so were 2019 and 2016), phishing attacks will become more sophisticated (they always do), remote working concerns will continue to be important (like they were last year), attacks on IoT devices look set to intensify (more devices = more attacks), cloud security will become more of a concern (see last year and the year before that) and, of course, there's the continued 'rise' of AI, machine learning, quantum computing etc.

THE WRONG PATH?

Trying to predict the future has its place, and every business should be considering the potential opportunities and threats that the future could present, but when it comes to security improvements, predictions and hype can often send us off down the wrong path, focusing our efforts on threats, approaches or technologies that may never come to fruition.

No matter what the predictions, one thing will always be for certain: organisations will continue to be compromised using known and sometimes basic attack techniques. The OWASP Top 10 (Web Application Security Risks) is a perfect example of how little security risks have truly changed over time: the top two web app vulnerabilities identified in 2010 are still the top two web app vulnerabilities in 2021 (injection and broken authentication). But it's not just these top two; many of the issues identified in 2010's top 10 list are still around today.

Sensitive data exposure, broken access controls, security misconfiguration, cross-site scripting flaws, the use of components with known vulnerabilities, people using 'Password123!'. These aren't new or upcoming issues; they've been highlighted as critical security risks year after year, yet they still show up in our testing time and time again.

Yes, thinking about new tech, new solutions and new approaches is exciting and, yes, these may help improve your security posture, but there will never be a single silver bullet solution. AI and machine learning are exciting prospects, but they won't solve all our security issues; attacks will change and adapt, like they have always done.

So, if you're looking to maximise your security improvement efforts, it's often more effective to look at the here and now, rather than look to the future. Getting the basics right is still the fastest route to raising the defensive bar, ensuring your current set-up is protected against existing and known threats before moving on to consider what may, or may not, happen in the future.
view from within

GREAT AMERICAN CYBER RECOVERY IN PERIL

THERE HASN'T BEEN MUCH GOOD NEWS IN CYBERSECURITY LATELY, STATES IAN THORNTON-TRUMP, CISO, CYJAX. HIS TAKE, BELOW, ON RECENT EVENTS REINFORCES THAT TO A WORRYING DEGREE

In the first three months of 2021, organisations were exposed by 0days in Microsoft Exchange and Accellion's secure file transfer appliance, and there have been revelations of three more malware strains related to the SolarWinds Orion product. This brings the total number of malware strains related to Orion to eight, including some that have been attributed to both Russian and Chinese operatives.

Just before we turned the dial to 2021, we ended the year with a chilling statistic from McAfee and the Centre for Strategic and International Studies (CSIS): "Cybercrime costs the world economy more than $1 trillion, or just more than one percent of global GDP, which is up more than 50 percent from a 2018 study that put global losses at close to $600 billion." Given the action this year already, that figure is only likely to rise.

HAVE WE HIT ROCK BOTTOM IN CYBERSECURITY?

This is a hard question to answer, but the signs for cybersecurity, in my estimation, all point to an unsustainable situation. For the people who suffered as a result of the Texas winter storm, there is a 50-billion-dollar bill attached that now has to be dealt with. While that event had little to do with a cyberattack, I mention it here to provide some perspective - the climate and cyber spheres have far more in common than we think and are under a sustained global threat.

It was not a widespread cyberattack against the national critical infrastructure of Texas that left thousands without power and water (as far as we know). In fact, the failure in Texas was of a far more human nature: lawmakers also failed to pass measures over the past two decades that would have required the operator of the state's main power grid to ensure adequate reserves to shield against blackouts, provided better representation for residential and small commercial consumers on the board that oversees that agency and allowed the state's top emergency-planning agency to make sure power plants were adequately 'hardened' against disaster.

DRAWING A LINE FROM TEXAS TO CYBER

Thankfully, we have not seen a cyberattack that has resulted in tens of billions of dollars of damage - or have we? So far, the most impactful cyberattack has been relatively accurately measured at $1.3 billion in losses that Maersk has claimed from its insurers following the NotPetya attack that hit its computer networks. It remains to be seen if this amount will ever be paid (at least as I write), since insurance companies are suggesting NotPetya was a "hostile act amounting to a war or terrorist attack" and therefore denying coverage under some Merck policies.

On 16 August 2017, 128 countries signed The Minamata Convention on Mercury, which is an international treaty designed to protect human health and the environment from anthropogenic emissions and releases of mercury and mercury compounds. The vast majority of these emissions were caused by individual and small gold mining operations, even though organic mercury compounds were first described in the 1800s, with fatal cases of mercury poisoning reported in 1865.

Despite all kinds of clinical evidence from the 1900s onwards and regulatory safeguards established in the 1960s and 1970s, which were largely ineffective, the consensus after 156 years is: 'Mercury is bad for the environment and bad for humans.' In a word, it's 'toxic'.

The story of cybersecurity, or rather the lack of it, is like the demoralising story of mercury, and it's my hope that we reach a broad understanding that poor cybersecurity is also bad for the environment and bad for humans in a lot less than 156 years.

Like the human desire to risk mercury poisoning in the pursuit of physical gold, we are Bitcoin mining virtual gold by burning energy at an alarming rate, with a high likelihood of future toxic environmental effects, both directly and indirectly, by facilitating cyber ransoms.

BITCOIN SHOCKWAVES

An article in the BBC technology section, with the headline 'Bitcoin consumes more electricity than Argentina', ran on 10 Feb 2021 and did not receive nearly as much attention as it deserved. Buried within the article, however, was arguably an even more sinister detail.

According to David Gerard, quoted in the article: "Tesla got $1.5bn in environmental subsidies in 2020, funded by the taxpayer. It turned around and spent $1.5bn on Bitcoin, which is mostly mined with electricity from coal. Their subsidy needs to be examined." It certainly should be, as Tesla's purchase propelled the virtual currency to unprecedented new values, making roughly $1 billion in profits from its investment in Bitcoin, according to some estimates.

Earlier this year, aerospace firm Dassault Falcon Jet suffered an extensive data breach by the Ragnar Locker ransomware operators. The attackers had remained hidden on the company's network for more than six months, having used the 'Shitrix' vulnerability (CVE-2019-19781) to gain persistence on the network. They then started encrypting the data on 7 December 2020, having exfiltrated it before encryption.

EXPLOITATION AND RANSOMWARE

The cybercriminals demanded $2 billion in Bitcoin as a ransom. Exploitation and ransomware are the unfortunate consequences of being online, but, as I alluded to earlier, there are far more impactful cyberattacks capable of inflicting millions, if not billions, in damages.

Take, for instance, this attack in 2013: 'AP Twitter hack causes panic on Wall Street and sends Dow plunging.' During the three minutes that the 'fake tweet' was circulating, it wiped $136 billion in equity market value. About an hour after it was over, a group of hackers who cause trouble in support of Assad, an informal collective known as the Syrian Electronic Army, claimed responsibility for the attack. What perhaps is most concerning is when one tweet by a celebrity on 21 Feb 2018 could inflict a loss of $1.3 billion out of the market capitalisation of Snap. For those in western nations advocating a potential military cyber response to Russian cyberattacks on SolarWinds and Chinese attacks on SolarWinds and Microsoft, they may have forgotten just how precarious a digital world we live in. Let's hope we back away from 'cyber war drums' before we are shown precisely how vulnerable we really are.

Ian Thornton-Trump, CISO, CYJAX.

ENTERING THE ERA OF CYBER DISASTER CAPITALISM

It's a sad state of affairs if we invest millions of dollars in cybersecurity and yet billions of dollars of damages can be inflicted by a tweet, because of the precarious digital environment we have created. Naomi Klein writes: "The appetite for easy, short-term profits offered by purely speculative investment has turned the stock, currency and real estate markets into crisis-creation machines." In a 2018 opinion piece on Bitcoin, Klein's labelling of some of the cryptocurrency industry's leading figures as "tax dodgers" seemed eerily to foreshadow the recent 2021 indictment of John McAfee and an associate related to cryptocurrency promotional activities.

Given the current state of affairs, where the ever-increasing opening up of business systems seems inexorable, 0day vulnerabilities in Microsoft Exchange, Accellion and others demonstrate that we are facing both a cybersecurity crisis and a broader tech industry crisis.

Anyone looking at the problem as an exclusively cybersecurity problem is not seeing the whole picture. "In early 1970, as a result of heightened public concerns about deteriorating city air, natural areas littered with debris and urban water supplies contaminated with dangerous impurities, President Richard Nixon presented the House and Senate a ground-breaking 37-point message on the environment."

It is once again time for American leadership, with the UK, EU and other Western nations supporting President Biden, in introducing an aggressive cyber protection-focused legislative agenda empowering a 'Cyber Protection Agency'. We need to see the kind of global enforcement powers that the EPA unleashed against Volkswagen. "Volkswagen said its 2015 diesel cheating scandal has cost it 31.3 billion euros (USD $34.69 bn) in fines and settlements." And in 2017, the US-based VW executive Oliver Schmidt, who oversaw emissions issues, was sentenced to seven years in prison and fined $400,000, the maximum possible under a plea deal the German national made with prosecutors after admitting to charges of conspiring to mislead US regulators and violate clean-air laws.

The solution for the tech industry, and its related cybersecurity problem, is simple: hold organisations and individuals accountable for cybersecurity by requiring adherence to an aggressive regulatory framework. There is already a model for this in the environmental and financial services protection frameworks: they may not be perfect, but, as they say, "perfect is the enemy of good/better" and what we need right now is something to clean up the global cyber environmental mess we have created. The last twenty years of letting the 'cyber market decide' has managed to make us ever more vulnerable. Something has to change.

Cyjax constantly monitors the internet looking for data
relevant to your organisation’s security posture and<br />
reputation.<br />
ADVANCED THREAT INTELLIGENCE<br />
Accurate, Timely and Actionable. Our threat<br />
information is augmented and processed by security<br />
cleared analysts. Bespoke information on the risks<br />
unique to your business displayed in a comprehensive<br />
threat intelligence dashboard.<br />
Put our eyes on your risks. Speak to us today.<br />
+44 (0)20 7096 0668 info@cyjax.com www.cyjax.com
FULLSTACK VULNERABILITY MANAGEMENT<br />
CONTINUOUS VULNERABILITY<br />
INTELLIGENCE<br />
Accurately identifies vulnerabilities<br />
and exposures across the full stack.<br />
All threats are verified by<br />
cybersecurity experts, providing<br />
exploitable risk and remediation<br />
guidance.<br />
“The expertise and<br />
delivery of this service<br />
has been outstanding...”<br />
SECURITY AND RISK MANAGEMENT,<br />
MEDIA INDUSTRY, 30B+ US<br />
2020
Security Operations Centre<br />
PUT A SOC IN IT!<br />
A SECURITY OPERATIONS CENTRE (SOC) HAS BECOME ONE OF THE<br />
VITAL COMPONENTS OF A WELL-ROUNDED CYBER SECURITY PROGRAMME<br />
A Security Operations Centre (SOC)<br />
has become one of the vital<br />
components of a well-rounded<br />
cyber security programme, not only in<br />
large scale organisations but increasingly<br />
in SME organisations who are now<br />
beginning to manage their cyber security<br />
risks more seriously.<br />
In this article, Steve Usher and Rob<br />
Treacey, of Shearwater Group plc, not only<br />
provide a brief insight into the<br />
organisational need for a SOC but also<br />
help to define what they think a good SOC<br />
looks like as well as the advantages and<br />
disadvantages of running a SOC in-house<br />
versus outsourcing it through a Managed<br />
Security Service Provider (MSSP).<br />
IT AIN'T FICTION, JUST<br />
A NATURAL FACT<br />
One only has to look at some of the facts<br />
and figures from reputable, research<br />
sources in 2020 alone to understand<br />
why there is an ever increasing need<br />
for organisations to consider deploying<br />
a SOC.<br />
72% of enterprises lack internal<br />
capability for threat management.<br />
Source: Everest Group Market Trends 2020<br />
37% of enterprises have already<br />
outsourced their SOC requirements<br />
to 3rd party MSSPs.<br />
Source: Everest Group Market Trends 2020<br />
The UK National Cyber Security Centre<br />
(NCSC), handled 723 incidents<br />
between 1 September 2019 and 31<br />
August 2020. In the previous three<br />
years, it handled an average of<br />
602 annual incidents.<br />
Source: UK National Cyber Security Centre - 4th<br />
Annual Review 2020<br />
I NEED YOU, SO STOP HIDING<br />
Some senior leaders are still choosing to bury<br />
their heads in the sand in the hope that they<br />
will not fall victim to a cyber incident. Cyber<br />
security threats are not about to disappear<br />
anytime soon, they will continue to grow and<br />
evolve. Various factors are driving the need<br />
for a SOC, notably:<br />
A Changing Threat Landscape: The threat<br />
landscape is getting broader, more advanced<br />
and malicious with the adoption of cloud,<br />
mobile and IoT technologies. With this<br />
adoption, there is no longer a clear<br />
demarcation between an organisation's<br />
internal and external network.<br />
Increased Complexity: The threat<br />
environment is becoming more complex and<br />
advanced with coordinated and adaptive<br />
attacks.<br />
MY DEFINITION IS THIS<br />
The SOC acts as a nexus as it melds together<br />
the systems and personnel responsible for<br />
providing, maintaining, investigating, and<br />
responding to cyber security events within<br />
an organisation.<br />
It works closely with all cyber security<br />
staff, especially security engineers, who<br />
maintain, troubleshoot and deploy security<br />
technologies. It should also work closely, or<br />
even overlap, with the Incident Response (IR)<br />
team, as most of the time the SOC will be<br />
directing the IR team when dealing with<br />
incidents. Additionally, the SOC plays an<br />
advisory role to technology related teams,<br />
such as the vulnerability management and<br />
cloud technology teams.<br />
GOOD THING, WHERE<br />
HAVE YOU GONE?<br />
What makes a good SOC is subjective. Core<br />
components are universal, such as a well<br />
configured SIEM or log management system<br />
as well as the ability to monitor various<br />
security products that are deployed<br />
throughout the network. Other components<br />
are down to the organisation using the SOC.<br />
An incident management system along with<br />
a SOAR (Security Orchestration, Automation,<br />
and Response) and EDR (Endpoint Detection<br />
and Response) are highly desirable, whereas a<br />
TIP (Threat Intelligence Platform) can be<br />
extremely useful to organisations who have<br />
a mature SOC. Threat intelligence feeds can<br />
also be used to enrich the information in<br />
SIEM and assist with the detections and<br />
reactions to the runbooks in SOAR. These can<br />
also be fed into firewalls, IPS units, and other<br />
technologies that ingest API feeds.<br />
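As an added illustration of the enrichment step described above (example code written for this article, not a tool of the authors or of Shearwater Group), the following Python script matches constructed SIEM-style events against a constructed threat-intelligence feed and derives a severity from the best-matching indicator's confidence. The indicator values use documentation IP ranges and a reserved example domain, and the hosts, field names and confidence thresholds are assumptions made for the demo.<br />

```python
"""Enrich SIEM-style events with threat-intelligence indicators (added example)."""
import ipaddress
from typing import Any, Dict, List

# Constructed threat-intelligence feed. The values are documentation ranges and
# a reserved example domain chosen for this demo, not real indicators.
TI_FEED: List[Dict[str, Any]] = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90, "tags": ["c2"]},
    {"type": "ipv4-net", "value": "198.51.100.0/24", "confidence": 60, "tags": ["scanner"]},
    {"type": "domain", "value": "update-check.example.net", "confidence": 80, "tags": ["phishing"]},
    {"type": "sha256", "value": "0" * 64, "confidence": 95, "tags": ["ransomware"]},
]

# Constructed events in the shape a log source might deliver to a SIEM.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"ts": "2021-05-10T08:01:12Z", "host": "ws-017", "src_ip": "10.0.4.21",
     "dst_ip": "203.0.113.45", "domain": None, "sha256": None},
    {"ts": "2021-05-10T08:01:40Z", "host": "ws-017", "src_ip": "10.0.4.21",
     "dst_ip": "192.0.2.10", "domain": "Update-Check.example.net", "sha256": None},
    {"ts": "2021-05-10T08:02:05Z", "host": "srv-db1", "src_ip": "198.51.100.77",
     "dst_ip": "10.0.1.5", "domain": None, "sha256": None},
    {"ts": "2021-05-10T08:03:00Z", "host": "ws-042", "src_ip": "10.0.4.50",
     "dst_ip": "10.0.1.5", "domain": None, "sha256": None},
]


def build_index(feed: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Turn the flat feed into lookup tables keyed by indicator type."""
    index: Dict[str, Any] = {"ipv4": {}, "domain": {}, "sha256": {}, "ipv4-net": []}
    for ioc in feed:
        if ioc["type"] == "ipv4-net":
            # CIDR indicators need a containment test rather than a dict lookup.
            index["ipv4-net"].append((ipaddress.ip_network(ioc["value"]), ioc))
        else:
            index[ioc["type"]][ioc["value"].lower()] = ioc
    return index


def match_event(event: Dict[str, Any], index: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return every indicator that matches a field of the event."""
    hits: List[Dict[str, Any]] = []
    for field in ("src_ip", "dst_ip"):
        value = event.get(field)
        if not value:
            continue
        if value in index["ipv4"]:
            hits.append({"field": field, **index["ipv4"][value]})
        addr = ipaddress.ip_address(value)
        for net, ioc in index["ipv4-net"]:
            if addr in net:
                hits.append({"field": field, **ioc})
    for field in ("domain", "sha256"):
        value = event.get(field)
        # Case-insensitive match: feeds and logs rarely agree on letter case.
        if value and value.lower() in index[field]:
            hits.append({"field": field, **index[field][value.lower()]})
    return hits


def severity(hits: List[Dict[str, Any]]) -> str:
    """Map the best matching indicator's confidence to an alert severity."""
    if not hits:
        return "none"
    top = max(h["confidence"] for h in hits)
    return "high" if top >= 80 else "medium" if top >= 50 else "low"


def enrich(events: List[Dict[str, Any]],
           feed: List[Dict[str, Any]] = TI_FEED) -> List[Dict[str, Any]]:
    """Annotate each event with its TI matches and a derived severity."""
    index = build_index(feed)
    return [{**event, "ti_matches": (hits := match_event(event, index)),
             "severity": severity(hits)} for event in events]


def hosts_to_triage(enriched: List[Dict[str, Any]]) -> List[str]:
    """Hosts with at least one high-severity match, for the SOC queue."""
    return sorted({e["host"] for e in enriched if e["severity"] == "high"})


if __name__ == "__main__":
    result = enrich(SAMPLE_EVENTS)
    for e in result:
        print(e["ts"], e["host"], e["severity"], [h["tags"] for h in e["ti_matches"]])
    print("triage:", hosts_to_triage(result))
```

In a real deployment the same enriched records would be written back to the SIEM index so the SOAR runbooks mentioned above can key off the `severity` and `tags` fields rather than re-querying the feed.<br />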
Depending on the stated goals of the SOC,<br />
various other services may be considered. BAS<br />
(Breach and Attack Simulation) services can<br />
be deployed on a continuous basis to ensure<br />
any issues reported by penetration tests, or<br />
red team engagements, are mitigated and<br />
remain mitigated though product updates<br />
and changes to policies.<br />
SOC staff may come from diverse<br />
backgrounds, but there are also common<br />
personality traits that should be considered<br />
and nurtured. Curiosity is one of these traits,<br />
along with a drive to constantly learn and<br />
expand knowledge.<br />
Staff can specialise in multiple disciplines,<br />
including threat hunting, threat modelling,<br />
malware analysis and threat intelligence, to<br />
name but a few. Having a diverse range of<br />
skills and backgrounds can be extremely<br />
advantageous to the overall efficacy of the<br />
SOC. It is no secret that there is a shortage<br />
of experienced security staff and this is no<br />
different when looking for experienced<br />
SOC staff and managers.<br />
It is important to take time to find the right<br />
personnel and realise it will take time. Truly<br />
experienced and knowledgeable staff want<br />
to work for an organisation with appropriate<br />
cultural values, who provide them with a<br />
competitive salary and sufficient training.<br />
INSIDE OUT<br />
For organisations who are looking to<br />
establish an in-house SOC or are looking to<br />
outsource to an MSSP, that provides a<br />
SOCaaS (Security Operations Centre as a<br />
service), here are some pros and cons to<br />
consider:<br />
PROS<br />
Cost: A SOCaaS generally has a single<br />
monthly fee with no office space, equipment,<br />
staff salaries or training costs<br />
to consider.<br />
High Quality and Experienced Staff:<br />
Experienced SOC staff invariably demand<br />
a high salary and are becoming increasingly<br />
harder to find. Using a SOCaaS not only<br />
negates the headache of finding and<br />
retaining high quality staff but also the<br />
training they will expect.<br />
New Technologies: Can be adopted faster<br />
due to the ability of an MSSP to recruit staff<br />
quicker, train them more efficiently, and<br />
move staff around while others dedicate time<br />
to learning new technologies and products.<br />
24/7 Monitoring: Can be performed using<br />
shift work and global locations. For an<br />
internal SOC, finding quality staff to work<br />
unusual hours, such as overnight, is not only<br />
difficult but extremely costly. Provided the<br />
organisation, utilising the SOCaaS, has the<br />
ability and desire to respond to any threats,<br />
found outside of normal working hours, this<br />
aspect of the service is vital.<br />
CONS<br />
Access: High level access will need to be<br />
provided to the SOCaaS, as a third party<br />
provider, which opens up an organisation to<br />
an additional vector of attack. Access can<br />
include domain admin accounts, local admin<br />
accounts, multi-factor authentication tokens<br />
as well as access to sensitive or valuable<br />
information on an organisation's network.<br />
Response Times: Response times from a<br />
SOCaaS could be slower due to the time it<br />
takes for the alerts, logs and events to arrive<br />
at the SOCaaS. Also, SOCaaS are generally<br />
governed by SLAs and should the SOCaaS<br />
have numerous customers and become busy,<br />
then urgent alerts / incidents will be triaged,<br />
irrespective of the customer.<br />
ALL I KNOW AT THE END<br />
OF THE DAY<br />
So whether your organisation is considering<br />
deploying a SOC, or has already deployed<br />
one, remember that not all SOCs are created<br />
equal. Consider a SOC that takes your<br />
organisation on a journey of continuous<br />
improvement; has highly skilled resources; is<br />
flexible and agile and constantly evolving;<br />
leverages best in class products; has global<br />
capability and most importantly, aligns with<br />
your organisation's cyber security risk<br />
appetite. If you do not have the capability or<br />
budget to establish a SOC internally, consider<br />
outsourcing it to a trusted MSSP.<br />
………………………………………………<br />
About the authors:<br />
Steve Usher is a Senior Security Analyst at<br />
Brookcourt Solutions, which is a reseller<br />
and integrator of cyber security solutions.<br />
Rob Treacey is Managing Director of<br />
Technology Risk Management at Xcina<br />
Consulting, which helps organisations<br />
strengthen their security posture.<br />
Both Brookcourt Solutions and Xcina<br />
Consulting form part of the broader<br />
Shearwater Group plc.<br />
Rob Treacey, Managing Director of<br />
Technology Risk Management at Xcina<br />
Consulting.<br />
Steve Usher, a Senior Security Analyst at<br />
Brookcourt Solutions.<br />
Ransomware attack<br />
DARK DAYS IN BATTLE AGAINST CYBERCRIME<br />
THE HIGHJACKING OF A U.S. FUEL PIPELINE BY CYBER-CRIMINAL<br />
GANG DARKSIDE IS A HARBINGER OF DEEPLY WORRYING TIMES AHEAD<br />
Steve Forbes, Nominet: declaration of a<br />
state of emergency, due to cyber-attack,<br />
could become the new normal.<br />
The US government issued emergency<br />
legislation after its largest fuel pipeline<br />
(the Colonial Pipeline) was hit by a<br />
ransomware cyber-attack. The pipeline was<br />
swiftly taken offline after the attack that has<br />
been widely attributed to the cyber-criminal<br />
gang DarkSide.<br />
As well as encrypting the data, DarkSide<br />
also threatened to leak the data online, if<br />
the ransom wasn’t paid. The shutdown<br />
disrupted gas supplies along the East Coast<br />
and caused panic buying, leaving some gas<br />
stations without fuel. Service to the entire<br />
pipeline system was eventually restored.<br />
Steve Forbes, government cyber security<br />
expert at Nominet, had this to say about the<br />
domino effect of CNI attacks on this scale:<br />
"The declaration of a state of emergency, due<br />
to cyber-attack, could become the new<br />
normal. With the largest fuel pipeline in the<br />
US grinding operations to a halt, due to a<br />
ransomware attack, the attack on Colonial is<br />
likely to have a ripple effect across the globe.<br />
"The attack will be a stark reminder of how<br />
connected our world now is. While the<br />
demand for oil across the US East Coast<br />
was evident, the fact that this greatly<br />
impacted the financial markets and traders<br />
demonstrates that this really was the tip of<br />
the iceberg. That's not to mention the fact<br />
that the severity of this breach could well<br />
worsen, if confidential information is leaked,<br />
as the group has threatened.”<br />
Being able to take systems offline and<br />
begin a process of restoration is undeniably<br />
important, he adds, but warns there is an<br />
additional threat, if this data is exposed. “It<br />
underlines the importance of international<br />
collaboration to bring down these highly<br />
coordinated groups early in their<br />
development, if we want to protect our<br />
critical services.”<br />
Chief product and development officer at<br />
Ava Security, Ran Pugach, says the Colonial<br />
Pipeline incident highlights the increasing<br />
risk that ransomware is posing to critical<br />
national industrial infrastructure and the<br />
physical consequences that these attacks<br />
can have on society. "Especially with more<br />
than 90% of attacks involving human error,<br />
according to the UK's Information<br />
Commissioner's Office, securing critical<br />
national infrastructure against social<br />
engineering attacks is essential. We've seen<br />
similar attacks like this, when the Florida<br />
water treatment facility was hacked<br />
through TeamViewer.<br />
"In order to prevent ransomware attacks<br />
like this, organisations need to embrace a<br />
new approach built around the user, as the<br />
rise of remote working makes us more<br />
exposed than ever. Hackers are experts in<br />
social engineering and will use whatever<br />
information they can to leverage multiple<br />
entry points or avenues to achieve their<br />
goals. This can be through malicious emails<br />
or suspicious websites."<br />
A preventive approach to ransomware<br />
protection leverages user education and<br />
cyber awareness, Pugach adds. "Installing<br />
end-point detection and response tools<br />
is a good first step. These solutions are<br />
essential in helping not only to salvage the<br />
situation, but also to be able to investigate<br />
and understand where the vulnerability<br />
was and how to prevent it in the future.<br />
Nevertheless, such solutions have to be<br />
complemented with further safeguards<br />
that can capture anomalies, understand<br />
and correct user behaviour."<br />
Ransomware attacks such as this one<br />
continue to dominate the news, as they<br />
remain a popular tactic for cybercriminals,<br />
says Dr Francis Gaffney, director - Threat<br />
Intelligence & Response, at Mimecast.<br />
"At Mimecast, our recent State of Email<br />
Security report found that 61% of businesses<br />
worldwide have been affected by<br />
ransomware in the past 12 months, which<br />
illustrates how common ransomware has<br />
become. Attacks like this have the potential<br />
to disrupt an organisation and impact its<br />
ability to conduct essential operations or<br />
provide critical services to the community,<br />
which can have significant consequences.<br />
"Our research found that companies<br />
impacted by ransomware lost an average<br />
of six working days to system downtime,<br />
with 37% saying downtime lasted one<br />
week or more. This disruption forces many<br />
organisations to pay the ransom and our<br />
research shows that 52% of businesses did<br />
so. However, only 66% of those were able to<br />
recover their data. The remaining 34% never<br />
saw their data again, despite paying the<br />
ransom."<br />
It is likely that the increase in remote<br />
working played a role in this attack, he<br />
states. "With the rise of engineers remotely<br />
accessing control systems for the pipeline<br />
from home, cybercriminals are able to prey<br />
on vulnerabilities associated with this way of<br />
working to access the organisation's system."<br />
In the past decade, there has been a push<br />
to move more and more Operational<br />
Technology (OT) systems into the IP world,<br />
given that ICS and SCADA networks are<br />
often facsimiles in design, components and<br />
software, regardless of where they are<br />
deployed. "However, the equipment's<br />
defences against threats that are common<br />
today, such as malicious and recreational<br />
hackers, can be lacking, because the dangers<br />
did not exist when the systems were first<br />
installed," adds Gaffney. "This increased<br />
connectivity [for example, via the<br />
proliferation of 5G and the IoT/IIOT] makes<br />
them more vulnerable to cyber-attack."<br />
Organisations must start investing in<br />
cybersecurity preparedness and awareness<br />
training, he advises. "From our research, 43%<br />
of respondents said that employee lack of<br />
cognisance about current campaigns and<br />
wider cybersecurity issues is one of their<br />
greatest vulnerabilities, and yet only one<br />
in five respondents indicated they have<br />
ongoing [more than once per month]<br />
security awareness training in place. It is<br />
recommended that organisations focus<br />
on prevention, rather than cure, by<br />
implementing strong resiliency measures,<br />
and ensure that employees are properly<br />
trained in cyber awareness."<br />
INADEQUATELY PROTECTED<br />
Gareth Williams, VP, Secure Communications<br />
and Information Systems UK at Thales, says<br />
the ransomware attack on the Colonial<br />
Pipeline is a reminder that the operational<br />
technology (OT) that our day-to-day lives<br />
rely on is increasingly becoming a target for<br />
malicious actors.<br />
"This attack serves to confirm that<br />
businesses are not adequately protected<br />
when it comes to OT security and must start<br />
taking cybersecurity seriously and increase<br />
protection across their business," Williams<br />
cautions. "However, building a cohesive<br />
approach to securing your OT can<br />
sometimes be an engineering challenge<br />
as much as a cyber one, so teams cannot<br />
approach this in the same way they would<br />
IT security - it's a different ball game and<br />
critical national infrastructure is at stake."<br />
One of the first steps on this path is<br />
identifying where data is held, but also who<br />
and what applications, and code, are trusted<br />
to access it. "In doing this, rogue code, such<br />
as ransomware, will be unable to weave its<br />
way onto a database to encrypt it and gain<br />
control of the data."<br />
Francis Gaffney, Mimecast: likely that the<br />
increase in remote working played a role<br />
in this attack.<br />
Ran Pugach, Ava Security: organisations<br />
need to embrace a new approach built<br />
around the user.<br />
AI & ML<br />
THE REAL AI REVEALED<br />
CAN AI HELP TRANSFORM THE SECURITY INDUSTRY, MAKING IT SHARPER, WISER AND LESS VULNERABLE?<br />
AI is a very popular, often misused,<br />
buzzword right now. Not unlike big<br />
data, the cloud, IoT and every other<br />
'next big thing', more and more companies<br />
are looking for ways to jump on the AI<br />
bandwagon. But how many of today's AI<br />
offerings actually meet the AI test? While<br />
they may use technologies that analyse data<br />
and let results drive certain outcomes, that's<br />
not AI; pure AI is about reproducing<br />
cognitive abilities to automate tasks.<br />
Matti Aksela, vice president - Artificial Intelligence, F-Secure, says he<br />
can see the interplay between AI/ML and<br />
cyber security as having three angles. "Not all<br />
security companies address all three," he<br />
states, "nor do they necessarily need to, but I<br />
do think they are all worth consideration."<br />
First, AI/ML can be used for better cyber<br />
security. "There are obvious use cases in<br />
improving detection and response solutions<br />
by having machine learning-powered<br />
detections and then also automated<br />
responses taken - when appropriate.<br />
Sometimes, the right action is to pull the<br />
human into the loop, but not always;<br />
sometimes quick action with limited risk is<br />
the correct approach - for example, to stop a<br />
data exfiltration attempt or simply collect<br />
more information from a process before it<br />
stops and is no longer accessible.<br />
"We can build better security products with<br />
the help of AI/ML, but we can also improve<br />
our own processes as security companies and<br />
utilise the vast amounts of data that we have<br />
to take the right actions towards our<br />
customers better. As an extension to the<br />
scope of what is feasible for security<br />
solutions, F-Secure is exploring the use of<br />
collaborative intelligent agents in 'Project<br />
Blackfin'."<br />
The second perspective he singles out is the<br />
offensive use of AI/ML. "In addition to<br />
needing to be prepared for the inevitable rise<br />
of AI-powered attacks, security companies<br />
can use the technology to help customers<br />
prepare to face attacks more effectively via<br />
AI-assisted red teaming - not even to<br />
mention how much better we can train<br />
defensive systems to protect our customers."<br />
Last, but not least, is the perspective on<br />
security of AI/ML. "There are many AI/ML<br />
models out there and sadly few of them are<br />
secure. Take this from a person who has<br />
moved to cyber security after a couple of<br />
decades of making a living researching and<br />
building machine-learning solutions. To say<br />
that security is often an afterthought is being<br />
optimistic - it is usually not even thought<br />
about at all."<br />
But AI/ML models are susceptible to attacks<br />
that are different from traditional<br />
cyberattacks, Aksela adds, in the sense that<br />
they don't require breaching the system -<br />
machine learning can be manipulated just by<br />
manipulating the data. "And this can have<br />
very dire consequences, especially in AI<br />
systems that interact with the physical world,<br />
like autonomous vehicles or drones. We<br />
believe this is one of the key areas receiving<br />
too little attention and have been working to<br />
develop methods to improve the security of<br />
ML/AI over their entire lifecycle. Secure AI/ML<br />
is the foundation for trustworthy AI/ML and<br />
we need AI/ML that can be trusted to reach<br />
the full potential of AI."<br />
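To make Aksela's point about manipulating the data concrete, here is an added toy example written for this article (not F-Secure's code and not Project Blackfin): a nearest-centroid classifier whose 'benign' class is polluted by a few extreme, mislabelled samples, alongside two defences that keep its decision stable, namely aggregating with a median instead of a mean and screening the training set with a median-absolute-deviation check. The two features, the samples, the probe point and the threshold `k` are all constructed assumptions.<br />

```python
"""Training-data poisoning against a toy classifier, and two defences (added example)."""
import math
from statistics import fmean, median
from typing import Callable, Dict, List, Sequence, Tuple

Point = Tuple[float, float]
Sample = Tuple[Point, str]

# Constructed toy training set: two hypothetical behavioural features per sample.
CLEAN_TRAINING: List[Sample] = [
    ((1.0, 1.0), "benign"), ((1.0, 2.0), "benign"), ((2.0, 1.0), "benign"),
    ((2.0, 2.0), "benign"), ((1.5, 1.5), "benign"),
    ((8.0, 8.0), "malicious"), ((8.0, 9.0), "malicious"), ((9.0, 8.0), "malicious"),
    ((9.0, 9.0), "malicious"), ((8.5, 8.5), "malicious"),
]
# Constructed poisoned samples: extreme feature values carrying a 'benign' label,
# as might arrive through an unvalidated feedback channel that feeds retraining.
POISON: List[Sample] = [((30.0, 30.0), "benign")] * 3


def by_class(data: Sequence[Sample]) -> Dict[str, Tuple[List[float], List[float]]]:
    """Split the samples into per-class feature columns."""
    groups: Dict[str, Tuple[List[float], List[float]]] = {}
    for (x, y), label in data:
        xs, ys = groups.setdefault(label, ([], []))
        xs.append(x)
        ys.append(y)
    return groups


def centroids(data: Sequence[Sample],
              aggregate: Callable[[Sequence[float]], float] = fmean) -> Dict[str, Point]:
    """Nearest-centroid model: one representative point per class.

    The mean is pulled arbitrarily far by a few extreme points; the median is not,
    which is why 'aggregate' is a parameter.
    """
    return {label: (aggregate(xs), aggregate(ys))
            for label, (xs, ys) in by_class(data).items()}


def classify(point: Point, model: Dict[str, Point]) -> str:
    """Label of the closest class centroid."""
    return min(model, key=lambda label: math.dist(point, model[label]))


def flag_outliers(data: Sequence[Sample], k: float = 5.0) -> List[int]:
    """Indices of training samples far from their class median on either feature.

    Distance is measured in median absolute deviations (MAD), a scale estimate
    that the outliers themselves cannot inflate much.
    """
    stats = {}
    for label, (xs, ys) in by_class(data).items():
        mx, my = median(xs), median(ys)
        madx = median(abs(v - mx) for v in xs) or 1e-9
        mady = median(abs(v - my) for v in ys) or 1e-9
        stats[label] = (mx, my, madx, mady)
    flagged = []
    for idx, ((x, y), label) in enumerate(data):
        mx, my, madx, mady = stats[label]
        if abs(x - mx) > k * madx or abs(y - my) > k * mady:
            flagged.append(idx)
    return flagged


if __name__ == "__main__":
    probe = (11.0, 11.0)
    poisoned = CLEAN_TRAINING + POISON
    print("clean model   :", classify(probe, centroids(CLEAN_TRAINING)))
    print("poisoned mean :", classify(probe, centroids(poisoned)))
    print("poisoned median:", classify(probe, centroids(poisoned, aggregate=median)))
    print("flagged rows  :", flag_outliers(poisoned))
```

The probe sits between the two clusters, so three injected rows are enough to flip the mean-based decision, while the median-based model and the MAD screen both neutralise them. Real models need the same idea applied at scale: validate training inputs before they reach retraining, and prefer aggregation that a small fraction of adversarial rows cannot dominate.<br />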
GREATER RISK EXPOSURE<br />
Even after the lockdown lifts, it's likely that<br />
hybrid working is here to stay. However, one<br />
of the consequences of this shifting security<br />
perimeter is that businesses are far more<br />
exposed to the risk of data leaks and other<br />
malicious threats, cautions Camille<br />
Charaudeau, VP product strategy at digital<br />
risk protection company CybelAngel.<br />
"Data is now being shared and stored on<br />
more devices and collaborative applications<br />
than ever before and, as employees are at<br />
home unsupervised, it can be harder to have<br />
the normal security checks in place. When<br />
staff use devices or applications not<br />
managed or sanctioned by the IT<br />
department, the security perimeter<br />
consequently becomes more porous,<br />
increasing the attack surface and introducing<br />
more points of vulnerability through which<br />
attackers can take advantage. Data that's<br />
leaked or breached can wreak havoc, as<br />
hackers use this data to launch phishing<br />
attempts. This can be from fake websites<br />
using malicious domains to resell company<br />
credentials on the Dark Web, or can exploit<br />
vulnerabilities on exposed, shadow assets."<br />
"To mitigate the risk, IT teams need to<br />
ensure that new applications installed aren't<br />
forgotten and that sensitive business data is<br />
not entered into ad hoc apps, breaking<br />
corporate security policies," he advises.<br />
"Better cross-functional collaboration<br />
between IT and staff is mandatory to<br />
decrease the amount of Shadow IT assets<br />
and protect against vulnerabilities. Educating<br />
staff on good cyber hygiene is a simple way<br />
to minimise these dangers."<br />
Most importantly, businesses must<br />
understand what sensitive data is beyond the<br />
security perimeter. "They must have the tools<br />
and resources to detect whether their third-party<br />
infrastructure, shadow assets or critical<br />
datasets may have leaked across the internet<br />
from open databases to cloud apps,<br />
connected storage devices and Dark Web<br />
forums," adds Charaudeau. "Comprehensive<br />
24x7 monitoring is the minimum<br />
requirement here and the speed to detect<br />
sensitive vulnerabilities is the difference<br />
between damage limitation or a major<br />
breach; security teams must have actionable<br />
intelligence, free from false positives to act<br />
effectively and resolve the issue."<br />
MAKING A DIFFERENCE<br />
The cybersecurity industry has a challenge.<br />
Spending continues to soar, with the market<br />
predicted to be worth nearly $175 billion by<br />
2024. "Yet it's debatable whether<br />
organisations are becoming any more<br />
secure," says Craig Hattersley, CTO, SOC.OS.<br />
One report from January claimed that the<br />
number of exposed and compromised<br />
records in 2020 soared 141% year-on-year to<br />
top 37 billion. "To many, AI is the technology<br />
that will finally win us the cyber arms race."<br />
While they're undoubtedly wrong, he adds,<br />
and in fact AI in its truest sense is only being<br />
used by a handful of vendors, there are some<br />
potential applications where it could make a<br />
difference. Notably, in helping analysts make<br />
sense of the chaos of alerts flooding into<br />
Security Operations Centres (SOCs). "The<br />
cybersecurity market is swamped with<br />
vendor marketing messages proudly<br />
explaining their AI credentials. It's a shame,<br />
because overuse of the term has diluted its<br />
meaning for the real innovators out there -<br />
the research institutes and pioneering<br />
vendors that are genuinely tapping the<br />
power of AI in cutting edge use cases. I'd<br />
estimate that only around 5% of vendors<br />
today can legitimately claim to be in this<br />
select group."<br />
On the plus side, he adds, "this probably<br />
means the bad guys don't have access to<br />
genuine AI technology yet either. There's a<br />
world of difference between using clever<br />
algorithms in attacks and recruiting university<br />
graduates to write complex neural network<br />
programs. I'd be surprised if even nation<br />
states are creating novel AI, as opposed to<br />
reusing existing technology."<br />
Yet when it comes to threat detection and<br />
response, there are opportunities to use AI -<br />
specifically to address the common challenge<br />
of alert overload. "Many organisations today<br />
are running multiple security tools, where<br />
the default setting is to sound the alarm,"<br />
adds Hattersley. "This kind of hair trigger<br />
approach seems like a deliberate calculation<br />
by the vendors themselves - better to issue<br />
an alert than be accused of missing<br />
something. However, the end result is a<br />
deluge of false positives, which overwhelms<br />
SOC teams."<br />
Sebastien Goutal, Vade: achievements of<br />
AI - and especially of Deep Neural<br />
Networks - are real and spectacular.<br />
Matti Aksela, F-Secure: security teams must<br />
have actionable intelligence, free from false<br />
positives.<br />
Keith Driver, Titania: AI should be applied<br />
where it adds the most value and creates<br />
the fewest problems.<br />
Craig Hattersley, SOCOS: overuse of the term<br />
AI has diluted its meaning for the real<br />
innovators out there.<br />
Here's where AI could play a role, he<br />
believes - in trawling through all of this data,<br />
across all of these platforms, and<br />
understanding contextually when an alert is<br />
not valid. "And, by the same token, flagging<br />
when one is. Humans simply don't have the<br />
capacity to process millions or even billions<br />
of logs like this each day. They need a<br />
superhuman assistant to provide that holistic<br />
monitoring and intelligence for them."<br />
He points to how, in military history, the<br />
advent of real-time battlefield<br />
communications was a major breakthrough.<br />
"It enabled information to be centralised<br />
from disparate outposts for informed<br />
decision-making. The same must happen in<br />
this modern-day cyber context. At the<br />
moment, many organisations are still at the<br />
stage of building those security 'outposts' -<br />
getting the right sensors and monitoring<br />
tools in place. We're still some way from<br />
using AI to make better informed decisions<br />
with this data. But when it comes, it could<br />
have a huge impact on the effectiveness of<br />
SOCs and the productivity of the analysts<br />
that staff them."<br />
DETECTING, RESPONDING AND<br />
REMEDIATING THREATS<br />
Data security is a priority for all organisations<br />
today and when an organisation loses data,<br />
whether by accident or as a result of a<br />
cyberattack, the repercussions are endless:<br />
from damage to brand, loss in customer<br />
trust, loss in revenue and significant<br />
regulatory compliance fines, points out Denis<br />
Borovikov, CTO & Co-founder of Synthesized.<br />
"As a result, organisations are deploying new<br />
cutting-edge AI technology to detect,<br />
respond and remediate threats. However,<br />
what is even more interesting is the proactive<br />
approach data-driven companies are taking<br />
to ensure their data is safe to begin with,<br />
without impeding innovation.<br />
"One emerging AI privacy-preserving<br />
solution that is gaining prominence is data<br />
synthesis technology, which generates<br />
synthetic data that models the characteristics<br />
of original data, but does so in a way that<br />
makes it impossible to re-identify individuals.<br />
Unlike standard synthetic data that can be<br />
susceptible to linkage or attribute disclosure<br />
attacks, these platforms can filter/disable<br />
sensitive data attributes in records, or<br />
conditionally generate data that has a low<br />
risk of being used in a linkage attack, or of<br />
revealing too much information about an<br />
individual," he says.<br />
"Unlike traditional anonymisation<br />
techniques such as data masking,<br />
pseudonymisation, generalisation, data<br />
perturbation and data swapping, there is no<br />
1-to-1 mapping between original data and<br />
anonymised data; each new data point is<br />
completely generated 'out of thin air'. In this<br />
way, the data is made unusable to<br />
cybercriminals - the risk is completely<br />
eliminated."<br />
When newly created intelligent data is<br />
paired with the use of data clean rooms,<br />
data security is strengthened further. "Data<br />
clean rooms offer a secure and isolated<br />
space in which businesses and their<br />
stakeholders can collaborate, but maintain<br />
full control of their own data," Borovikov<br />
concludes. "As it is tightly integrated with an<br />
enterprise's logging and monitoring tools,<br />
organisations have a full audit of all data<br />
access and movement. In this way, they are<br />
empowered to safely and freely collaborate<br />
over data without fear of disastrous<br />
consequences, should it fall into the wrong<br />
hands."<br />
LINKED DESTINIES<br />
While focusing on AI, it is worth also<br />
mentioning Robotic Process Automation (RPA).<br />
They both have a part to play in each other's<br />
destiny. RPA is used to work in conjunction<br />
with people by automating repetitive<br />
processes [attended automation], whereas AI<br />
is viewed as a form of technology to replace<br />
human labour and automate end-to-end<br />
[unattended automation]. Again, RPA uses<br />
structured inputs and logic, while AI uses<br />
unstructured inputs and develops its own<br />
logic. Combining both RPA and artificial<br />
intelligence can create a fully autonomous<br />
process, according to NICE, whose attended<br />
automation solution, NEVA, is targeted at<br />
bringing people and robots together.<br />
RPA has been on the lips of many across the<br />
IT sector, points out Harel Tayeb, CEO at<br />
Kryon. "With the desire to increase ROI, gain<br />
complete process visibility, raise productivity,<br />
and better employee and customer<br />
experiences, the ability to deploy bots to<br />
automate and scale repetitive business<br />
processes has become a more than intriguing<br />
prospect for CIOs. But it's important to note<br />
that it's not all plain sailing for RPA. Although<br />
these benefits may sound lucrative, they're<br />
automatically made completely redundant, if<br />
security issues emerge after implementation."<br />
When proceeding with the journey of<br />
automating the processes with the greatest<br />
potential ROI, robots are given access to<br />
highly sensitive information. For instance, this<br />
can include customers' credit card numbers,<br />
social security numbers, bank account<br />
numbers and records of financial<br />
transactions. "A veteran attacker can exploit<br />
access to a company's bots, in order to steal<br />
data or gain unauthorised access to systems<br />
and applications, launching a potentially<br />
catastrophic cyberattack. In a worst-case<br />
scenario, cyberattacks have the potential to<br />
become inconceivably detrimental to<br />
businesses, costing millions of pounds and<br />
even leading to liquidation through<br />
bankruptcy."<br />
By declining to give robots access to these<br />
kinds of confidential information, enterprises<br />
can greatly reduce or even eliminate the<br />
security risks associated with RPA. However,<br />
this move would simultaneously diminish the<br />
key benefits companies stand to gain from<br />
RPA, so it can feel like a Catch-22. Reducing<br />
RPA's benefits would defeat the very purpose<br />
of implementing RPA in the first place.<br />
So, what's the good news? "Well, certain<br />
things are moving in the right direction - and<br />
it's all around compliance, security and<br />
governance," he says. "The ISO 27701 is an<br />
extension standard that builds upon and<br />
enhances that with a framework for privacy<br />
information management systems (PIMS) to<br />
secure and manage personally identifiable<br />
information. ISO 27701 could become the<br />
first widely adopted data privacy standard for<br />
RPA vendors. This framework is essential for<br />
any RPA company doing business in Europe,<br />
due to GDPR, or any other region with similar<br />
data privacy regulations."<br />
TWIN FACTORS<br />
AI application in modern systems is due<br />
primarily to two factors, states Keith Driver,<br />
chief technical officer, Titania: the availability<br />
of powerful compute platforms and the<br />
democratisation of the software ecosystem<br />
surrounding AI implementation.<br />
"AI implies that a facsimile of independent<br />
thought is present in the solution. However,<br />
in security, it is mainly applied to correlation<br />
or anomaly detection tasks, associating<br />
activities and events that could represent a<br />
threat or to identify atypical behaviour or a<br />
network anomaly that needs investigating.<br />
Returning to the definition of intelligence,<br />
these AI implementations are just efficient<br />
algorithms, performing tasks based on<br />
trained and verified models. For the<br />
implementation to meet the meaning of<br />
intelligence, it must adapt to its environment<br />
and still produce meaningful, valid<br />
outcomes."<br />
Here, Unsupervised Deep Machine Learning,<br />
a subcategory of AI, comes closer to the<br />
meaning of intelligence, Driver argues. "In<br />
Deep Learning frameworks, the algorithm<br />
independently selects features from the data<br />
to build a model and deduce characteristics,<br />
such as unforeseen and unexpected patterns<br />
in the data. Deep Learning excels where the<br />
data is consistent in nature and composition,<br />
arrives in large volumes and is difficult, if not<br />
impossible, for mathematicians and data<br />
scientists to identify important features to<br />
include in analysis."<br />
In both cases, the validity of the conclusions<br />
drawn by AI is not absolute, but must be<br />
judged on a probabilistic scale. In safety-critical<br />
systems, this is problematic. "Applying<br />
these definitions to security data, we are in a<br />
fortunate position. While our systems<br />
operate on vast data lakes/streams and need<br />
to return conclusions rapidly to prevent harm<br />
to our data and networks, some inaccurate<br />
results are tolerable, as long as they can be<br />
identified. But their identification costs<br />
valuable skilled human time."<br />
Reducing the number of false positives is a<br />
key goal in the cyber security industry. "SIEM<br />
systems are inundated with false positives,<br />
resulting in operator alarm fatigue and<br />
impacting on their ability to detect real<br />
threats. Keeping the false positives to a<br />
minimum means employing deterministic<br />
technologies to the greatest extent possible,<br />
ensuring that only the hardest problems are<br />
considered for AI-based solutions."<br />
DEFINING AUTOMATION LEVELS<br />
Masaharu Goto, principal research engineer<br />
in Keysight Technologies, also points out that<br />
Machine Learning can be a component of AI,<br />
but it is not AI. "To discuss AI specifically, we<br />
need to start by defining the levels of<br />
automation that are required to meet the<br />
objective. Today's 'AI' is mostly pattern<br />
recognition and automation of<br />
algorithm/parameter selection to optimise its<br />
accuracy."<br />
Machine learning algorithms are classified<br />
into two categories: supervised and<br />
unsupervised, he adds. "Supervised learning is<br />
used to detect known patterns, while<br />
unsupervised learning is best when the goal<br />
is to detect unknown anomalies. Since the<br />
signature created by Trojans is unknown,<br />
unsupervised learning is more useful when<br />
attempting to detect them. Among<br />
unsupervised learning algorithms, clustering<br />
has become an essential tool for analysing<br />
big data in many applications.<br />
Camille Charaudeau, CybelAngel: the<br />
speed to detect sensitive vulnerabilities is<br />
the difference between damage<br />
limitation or a major breach.<br />
Harel Tayeb, Kryon: RPA has been on the lips<br />
of many across the IT sector of late.<br />
"While many implementations of<br />
unsupervised machine learning algorithms<br />
utilising clustering have been developed,<br />
most have been unable to handle large<br />
amounts of waveform data. The issue is that<br />
waveforms are numerical arrays containing<br />
thousands of data points. A waveform<br />
database containing millions of waveform<br />
segments each consisting of thousands of<br />
data points presents a difficult challenge in<br />
terms of data analysis and classification."<br />
Sorting and classifying such a massive<br />
database using conventional algorithms<br />
requires extensive computing resources and<br />
long processing times, states Goto. "Only the<br />
combination of high-bandwidth, high-resolution<br />
dynamic current measurement<br />
capabilities and an ultra-fast clustering<br />
algorithm can provide such an efficient<br />
means to identify hardware Trojans."<br />
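As an added illustration of the clustering approach Goto describes (example code, not Keysight's): constructed current-measurement segments are grouped by a two-cluster k-means in plain Python, and a clearly separated minority cluster is reported as the set of waveforms an analyst should look at. The waveform shape, the extra current draw that stands in for unexpected circuit activity, the cluster-size threshold and the seeding method are all assumptions.<br />

```python
import math
import random

SEGMENT_LEN = 64          # samples per waveform segment (constructed)
TROJAN_AT = (10, 25, 40)  # indices of the constructed anomalous segments


def make_segment(rng, trojan=False, n=SEGMENT_LEN):
    """Constructed dynamic-current trace: a periodic baseline plus small noise.
    A 'trojan' segment carries an extra current draw on samples 40..47,
    standing in for circuit activity the design should not contain."""
    seg = [1.0 + 0.2 * math.sin(2 * math.pi * i / 16) + rng.gauss(0, 0.01)
           for i in range(n)]
    if trojan:
        for i in range(40, 48):
            seg[i] += 0.5
    return seg


def build_dataset(seed=7, count=43):
    """43 constructed segments, three of which carry the extra activity."""
    rng = random.Random(seed)
    return [make_segment(rng, trojan=(i in TROJAN_AT)) for i in range(count)]


def distance(a, b):
    return math.sqrt(math.fsum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(segments, k=2, iterations=25):
    """Deterministic k-means: the first centroid is segment 0 and each further
    centroid is the segment farthest from those chosen so far (farthest-point
    seeding), so every run gives the same answer. Returns (labels, centroids)."""
    centroids = [list(segments[0])]
    while len(centroids) < k:
        far = max(segments, key=lambda s: min(distance(s, c) for c in centroids))
        centroids.append(list(far))
    labels = None
    for _ in range(iterations):
        new_labels = [min(range(k), key=lambda j: distance(s, centroids[j]))
                      for s in segments]
        if new_labels == labels:      # assignment stable: converged
            break
        labels = new_labels
        for j in range(k):
            members = [s for s, lab in zip(segments, labels) if lab == j]
            if members:               # keep the old centroid if a cluster empties
                centroids[j] = [math.fsum(col) / len(members) for col in zip(*members)]
    return labels, centroids


def flag_suspect_segments(segments, max_minority_fraction=0.2):
    """The bulk of a healthy device's activity lands in one big cluster; a small,
    well-separated second cluster is what merits human review. If the 'minority'
    is too large a share of the data, the split is not an anomaly signal and
    nothing is flagged. Returns (suspect indices, cluster sizes)."""
    labels, _ = kmeans(segments, k=2)
    sizes = [labels.count(j) for j in range(2)]
    minority = sizes.index(min(sizes))
    if sizes[minority] / len(segments) > max_minority_fraction:
        return [], sizes
    suspects = [i for i, lab in enumerate(labels) if lab == minority]
    return suspects, sizes


if __name__ == "__main__":
    data = build_dataset()
    suspects, sizes = flag_suspect_segments(data)
    print("cluster sizes:", sizes)
    print("segments to review:", suspects)
```

Real measurement sets run to millions of segments with thousands of samples each, which is why the passage stresses the clustering speed; the logic above is the same, the engineering is not.<br />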
MAJOR BREAKTHROUGHS<br />
Depictions of Artificial Intelligence in media,<br />
films and TV shows are often misleading and<br />
confusing, says Sebastien Goutal, chief<br />
science officer at Vade. "Today's AI is indeed<br />
very different from Skynet - the self-aware<br />
military super intelligence that took control<br />
of the world in the popular Terminator movie<br />
franchise. However, the achievements of AI -<br />
and especially of Deep Neural Networks - are<br />
real and spectacular, and major<br />
breakthroughs have been achieved recently."<br />
As an illustration, he singles out the defeat<br />
of the world's best Go player Lee Sedol<br />
by Google DeepMind's AlphaGo AI as<br />
a major milestone for AI and the Computer<br />
Science community. More recently, self-driving<br />
vehicles have drawn a lot of attention<br />
and are expected quite soon.<br />
"The use of AI in cybersecurity is an<br />
interesting topic," he adds. "Threat analysts<br />
and security researchers are quite pragmatic<br />
people and have built technologies to tackle<br />
cyberthreats in many different ways. IP<br />
blacklists, heuristic rules, fingerprints or<br />
signature-based tools, such as Yara, are<br />
widespread approaches within the<br />
cybersecurity community - and there is a<br />
common consensus that there is no perfect<br />
algorithm, and that security is achieved by<br />
combining these technologies together; the<br />
icing on the cake being the end user security<br />
awareness training, so that they become an<br />
active element of the last line of defence."<br />
So, how does AI fit into the picture? "Well,<br />
classic machine learning algorithms - such as<br />
SVM, Random Forest or Logistic Regression -<br />
have been used and are still being used,<br />
among other things," explains Goutal.<br />
"There is, however, a challenge that limits<br />
their impact: the cyberthreat landscape is<br />
moving constantly and, as such, it is<br />
necessary to re-train these models very often,<br />
and indeed too often.<br />
"This major drawback explains why machine<br />
learning algorithms have not been very<br />
popular in the past within the cybersecurity<br />
community. However, the situation of AI has<br />
changed in the last five years: The Deep<br />
Learning revolution happened, and the<br />
performance of Computer Vision and Natural<br />
Language Processing (NLP) models has<br />
skyrocketed."<br />
How then do you leverage Deep Learning<br />
models to detect cyberthreats? "One way is<br />
to build a Deep Learning-based virtual SOC<br />
operator. For instance, this virtual SOC<br />
operator could detect phishing emails and<br />
webpages, as they rely mostly on visual<br />
features such as textual content, the targeted<br />
brand logo and visual identity: the text can<br />
be extracted with an OCR (Optical Character<br />
Recognition) technology and analysed with<br />
Natural Language Processing models, the<br />
brand logo can be identified with a logo<br />
detection technology.<br />
"It is up to the cybersecurity community to<br />
imagine new ways to leverage Deep Learning<br />
to strengthen their defence," he concludes.<br />
home working<br />
HOMING IN ON THE PERILS OF HOME WORKING<br />
REMOTE WORKING IS WORKING! EMPLOYERS, IN THE MAIN, HAVE SEEN IT SUCCEED ON A GRAND<br />
SCALE. BUT HAS IT MADE BREACHES INEVITABLE? EDITOR BRIAN WALL REPORTS<br />
As home working becomes ever more<br />
part of the future, many businesses<br />
have confirmed that employees will<br />
not be expected to return to the office full-time<br />
when pandemic restrictions are lifted.<br />
But what must businesses do to ensure they<br />
don't leave themselves open to the hackers<br />
and attackers already looking to exploit the<br />
slightest vulnerability - and all too often<br />
succeeding?<br />
"As teams remain dispersed, with BYOD<br />
policies now the norm and flexibility taking<br />
precedence, infosec professionals must find<br />
a way to regain control of their cybersecurity<br />
strategy," says Ollie Sheridan, security principal<br />
at Gigamon. "Introducing a company-wide<br />
Zero Trust approach means IT teams can<br />
counter threats and monitor risks across their<br />
networks proactively, and the future hybrid<br />
workforce will no longer pose such a security<br />
issue."<br />
The implicit trust often afforded to internal<br />
networks creates a plethora of vulnerabilities<br />
for an organisation now that networks have<br />
turned inside out following the shift to<br />
remote working. "While 'internal' was often<br />
viewed as 'safe' in comparison to the possible<br />
dangers of the 'external', the lateral<br />
movement of a cyberattack - from a personal<br />
device into the company network - now<br />
means that no user should be considered<br />
'safe' without multi-factor authentication.<br />
"Rather than innocent until proven guilty, a<br />
Zero Trust framework believes each individual<br />
may be a threat, unless they can provide<br />
proof of their authenticity. This model also<br />
improves the productivity of SecOps teams,<br />
as with fewer security breaches come more<br />
accurate alerts, the ability for systems to run<br />
faster and significantly reduced network<br />
downtime. Zero Trust therefore not only<br />
bolsters a defence strategy, but ensures<br />
business processes run smoothly despite<br />
the new, hybrid and often siloed ways of<br />
working," Sheridan insists.<br />
"Integral to a Zero Trust framework is<br />
network visibility. It is impossible to manage<br />
or monitor threats in a clouded environment,<br />
and visibility into all data-in-motion - even<br />
encrypted traffic - is important for IT<br />
professionals to understand and authorise<br />
that which is safe; and detect and mitigate<br />
that which is not.<br />
"As the workforce adapts to new ways of<br />
working, with hybridity leading the way,<br />
implementing the right IT infrastructure that<br />
serves both those in the office and those<br />
working remotely is a top priority," he adds.<br />
"NetOps teams must look to new tools [or<br />
optimise what is already in place] to enable<br />
full visibility across a network. Visibility will<br />
then become the glue that holds together the<br />
Zero Trust framework and allows the<br />
detection of undesirable behaviours, as well<br />
as the analysis of metadata to explain the<br />
origin and movement of a cyberattack, and<br />
ultimately keep an organisation secure."<br />
Carolyn Crandall, chief security advocate,<br />
Attivo Networks, points to how COVID-19<br />
quickly drove businesses to change to<br />
facilitate employees working from home,<br />
"and the sudden onset of the crisis meant<br />
they had to make security compromises in<br />
the spirit of achieving service availability.<br />
Naturally, both technology-based and<br />
human-based security issues have arisen as<br />
a result".<br />
As and when we enter the second half of<br />
2021 and employees return to the office,<br />
they will quickly become the new 'insider<br />
threat' to be concerned about, she warns.<br />
"Many of these systems will connect back<br />
onto networks with infected systems.<br />
Organisations without the proper security<br />
controls to detect lateral movement,<br />
credential misuse and privilege escalation may<br />
find that Pandora's box has been opened."<br />
Organisations can take a few steps to<br />
minimise the risk, Crandall advises. "Require<br />
systems to be patched before reconnecting<br />
to networks, utilise Network Access Control<br />
(NAC), use visibility tools that show attack<br />
paths from the endpoint and Active Directory,<br />
and remediate exposed credentials and<br />
attacks. Adding detection for live attacks on<br />
Active Directory will also be essential, so that<br />
in-network attackers can't gain the privileges<br />
or access to progress their attacks or install<br />
backdoors for future use."<br />
DATA HAVOC<br />
When staff use devices or applications that<br />
are not managed or sanctioned by the IT<br />
department, the security perimeter<br />
consequently becomes more porous,<br />
increasing the attack surface and introducing<br />
more points of vulnerability that attackers<br />
can take advantage of, says Camille<br />
Charaudeau, VP product strategy at digital<br />
risk protection company CybelAngel.<br />
"Data that's leaked or breached can wreak<br />
havoc, as hackers use this data to launch<br />
phishing attempts. This can be from fake<br />
websites using malicious domains to resell<br />
company credentials on the Dark Web or can<br />
exploit vulnerabilities on exposed, shadow<br />
assets." To mitigate the risk, he suggests, IT<br />
teams need to ensure that new applications<br />
installed aren't forgotten and that sensitive<br />
business data is not entered into ad hoc apps,<br />
breaking corporate security policies. "Poor<br />
application configuration can allow stored<br />
data to be left exposed, vulnerable and under<br />
the radar of security teams inviting risks.<br />
Better cross-functional collaboration between<br />
IT and staff is mandatory to decrease the<br />
amount of Shadow IT assets and protect<br />
against vulnerabilities. Educating staff on<br />
good cyber hygiene is a simple way to<br />
minimise these dangers."<br />
Most importantly, businesses must<br />
understand what sensitive data is beyond the<br />
security perimeter. "They must have the tools<br />
and resources to detect whether their third-party<br />
infrastructure, shadow assets, or critical<br />
datasets may have leaked across the internet<br />
from open databases to cloud apps,<br />
connected storage devices and Dark Web<br />
forums," adds Charaudeau. "Comprehensive<br />
24x7 monitoring is the minimum<br />
requirement here and the speed to detect<br />
sensitive vulnerabilities is the difference<br />
between damage limitation or a major<br />
breach. Security teams must have actionable<br />
intelligence, free from false positives to act<br />
effectively and resolve the issue."<br />
Oliver Cronk, chief IT architect, EMEA at<br />
Tanium, points to the way in which digital<br />
transformation has been forced to accelerate<br />
rapidly, as huge numbers of staff were forced<br />
into home working. "Many organisations<br />
have put stop-gap IT solutions in place to<br />
keep up. This approach, which we believe is<br />
especially prevalent in sectors hit hardest by<br />
the pandemic, often creates cybersecurity<br />
weaknesses. Another issue is that many<br />
organisations are struggling with reduced<br />
revenue or funding at the moment and have<br />
to make cutbacks, but cybersecurity is not an<br />
area they can afford to neglect.<br />
"As lockdown continues and some teams<br />
are being asked to do more with fewer<br />
resources, they remain increasingly vulnerable<br />
to cyber threats, due to distraction or fatigue,<br />
which can cause employees to drop their<br />
guard when it comes to clicking on malicious<br />
links in emails. In addition, IT audit continues<br />
to fail many organisations, with some of the<br />
recent security issues we've seen being a<br />
direct result of IT audit and governance<br />
processes being used that are out of touch<br />
with what is really going on in modern<br />
organisations."<br />
Carolyn Crandall, Attivo Networks: with<br />
the sudden onset of the crisis, businesses<br />
had to make security compromises in the<br />
spirit of achieving service availability.<br />
Ed Macnair, Censornet: one way of reducing<br />
the impact of large-scale breaches is Multi-<br />
Factor Authentication.<br />
Ashley Stephenson, Corero Network<br />
Security: an increase in Distributed Denial<br />
of Service attacks correlates with the<br />
increase in remote working.<br />
Paul Norbury, SecureDrives: deploying<br />
passwordless authentication can also result<br />
in significant financial savings.<br />
"Businesses need to ensure they are planning<br />
for the long term by setting up a security<br />
foundation which is flexible, data-driven and<br />
efficient," advises Cronk, "whilst equipping IT<br />
teams to respond to threats immediately<br />
from wherever they are based. Whilst the<br />
pandemic has created challenges for IT<br />
teams, this period should also be seen as<br />
an opportunity to optimise IT security and<br />
operations. Teams should consider embracing<br />
technologies such as distributed cloud<br />
architecture and endpoint management,<br />
which will give businesses the visibility and<br />
control they need to minimise the likelihood<br />
of a damaging cyber-attack in the age of<br />
lockdowns and mass remote working."<br />
DDOS ATTACKS SURGE<br />
Ashley Stephenson, CTO, Corero Network<br />
Security, says his company has observed an<br />
increase in the number of Distributed Denial<br />
of Service (DDoS) attacks and targets across<br />
its customer base since the latter part of Q1<br />
2020, which it believes, in part, correlates<br />
with the increase in remote working.<br />
"One factor supporting this observation is<br />
the increasing use of OpenVPN, a popular<br />
open-source VPN technology. OpenVPN<br />
allows companies or individuals to extend<br />
their private networks in a secure and reliable<br />
manner. In contrast to legitimate OpenVPN<br />
usage, proof-of-concept source code for<br />
Denial-of-Service attacks exploiting an<br />
OpenVPN reflection/amplification vulnerability<br />
was posted on the Internet as far back as<br />
2017. In October 2019, a more significant<br />
reflection/amplification vulnerability was<br />
found in SoftEther - a derivative version of<br />
OpenVPN. This added another new DDoS<br />
weapon to the cybercriminal's arsenal. The<br />
damaging impact of the SoftEther<br />
vulnerability has become more apparent<br />
during the COVID-19 pandemic, most likely<br />
due to the increased number of remote<br />
workers which in turn drives the deployment<br />
of OpenVPN servers."<br />
A simple search for the OpenVPN default<br />
port UDP1194 on shodan.io shows how<br />
many potential reflectors are out there, adds<br />
Stephenson. "In March 2020, the result<br />
returned approximately 827K accessible<br />
OpenVPN servers, with the number growing<br />
by approximately 10K new servers a week<br />
during the pandemic. This represents more<br />
than enough servers to launch a powerful<br />
volumetric or packet rate DDoS attack.<br />
"While many common reflection attacks<br />
(including DNS amplification, NTP reflection,<br />
Memcached and reflective CLDAP) generate<br />
large, often fragmented, response packets,<br />
the size of the replies directed to the victim<br />
from OpenVPN reflectors is relatively small -<br />
usually 60 to 72 Bytes. However, the<br />
vulnerability causes retries, with many of<br />
these small packets resulting in a 30x<br />
response amplification factor, which, when<br />
multiplied by the number of available reflectors,<br />
can generate enormous packet rates resulting<br />
in a Denial-of-Service condition for many<br />
victims," he concludes. "Corero researchers<br />
have observed OpenVPN reflection attacks<br />
routinely exceeding 30Gbps, with a year-over-year<br />
increase of nearly 400% in the use of<br />
OpenVPN reflection as an attack vector."<br />
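The traffic signature Stephenson describes (many small UDP replies from port 1194 arriving at one destination from many different servers) can be recognised on the receiving network from flow records. The detector below is an added example, not Corero's code; the flow-record layout, the constructed sample flows and the reflector-count and packet-rate thresholds are assumptions.<br />

```python
from collections import defaultdict
from dataclasses import dataclass

OPENVPN_PORT = 1194
# Per-packet reply size band quoted in the article (60 to 72 bytes).
REFLECT_MIN_BYTES, REFLECT_MAX_BYTES = 60, 72


@dataclass(frozen=True)
class Flow:
    """One aggregated UDP flow as a collector might export it (constructed layout)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    octets: int
    duration_s: float


def is_reflection_candidate(flow):
    """A reply stream from UDP/1194 whose average packet size sits in the
    60-72 byte band. A real OpenVPN tunnel from port 1194 carries far larger
    packets on average, so it does not match."""
    if flow.src_port != OPENVPN_PORT or flow.packets == 0:
        return False
    avg = flow.octets / flow.packets
    return REFLECT_MIN_BYTES <= avg <= REFLECT_MAX_BYTES


def detect_reflection_targets(flows, min_reflectors=5, min_pps=200.0):
    """Group candidate flows by destination. A destination fed by many distinct
    OpenVPN servers at a high combined packet rate is receiving reflected traffic;
    one chatty server on its own is not. Returns
    {victim_ip: (reflector_count, packets_per_second)} for the destinations flagged."""
    per_victim = defaultdict(lambda: {"sources": set(), "packets": 0, "span": 0.0})
    for f in flows:
        if not is_reflection_candidate(f):
            continue
        v = per_victim[f.dst_ip]
        v["sources"].add(f.src_ip)
        v["packets"] += f.packets
        v["span"] = max(v["span"], f.duration_s)
    hits = {}
    for victim, v in per_victim.items():
        pps = v["packets"] / v["span"] if v["span"] > 0 else float("inf")
        if len(v["sources"]) >= min_reflectors and pps >= min_pps:
            hits[victim] = (len(v["sources"]), round(pps, 1))
    return hits


def sample_flows():
    """Constructed records: eight distinct OpenVPN servers each deliver 300
    64-byte packets to 203.0.113.10 within one second; a legitimate tunnel
    (large packets) goes to 203.0.113.20; a single small-reply server talks
    to 198.51.100.7, which should not be flagged on its own."""
    flows = [Flow(f"192.0.2.{i}", OPENVPN_PORT, "203.0.113.10", 40000 + i,
                  300, 300 * 64, 1.0) for i in range(1, 9)]
    flows.append(Flow("192.0.2.50", OPENVPN_PORT, "203.0.113.20", 52001,
                      500, 500 * 1200, 10.0))
    flows.append(Flow("192.0.2.60", OPENVPN_PORT, "198.51.100.7", 53000,
                      40, 40 * 64, 1.0))
    return flows


if __name__ == "__main__":
    for victim, (count, pps) in detect_reflection_targets(sample_flows()).items():
        print(f"reflected OpenVPN traffic towards {victim}: {count} reflectors, {pps} pps")
```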
With home working putting additional<br />
pressure on already strained IT and security<br />
infrastructures, digital security anywhere and<br />
everywhere has never been more important,<br />
states David Emm, principal security<br />
researcher at Kaspersky. "Whilst individuals<br />
must be mindful of cybersecurity, businesses<br />
need to take steps to increase the level of<br />
awareness of threats among employees.<br />
Moreover, it is the responsibility of businesses<br />
to implement appropriate policies and<br />
processes to secure corporate systems -<br />
wherever staff are working.<br />
"The risks associated with staff now working<br />
with data outside of the corporate network,<br />
on personal devices, are something that<br />
businesses must look to mitigate. Without<br />
knowing what devices are in contact with a<br />
business's data systems, IT and cybersecurity<br />
teams have great difficulty anticipating how<br />
company assets can be potentially<br />
compromised, sold on or even held for<br />
ransom; and managing the risks effectively,"<br />
adds Emm.<br />
"With the latest research revealing that more<br />
than 90% of all cyber breaches are caused by<br />
human error, companies must have complete<br />
oversight of how their IT systems and<br />
hardware are being used by remote<br />
workforces - and this has subsequently led<br />
to a sharp rise in the implementation of<br />
monitoring software, while the UK has been<br />
working from home. As a result of this<br />
software, nearly a quarter of UK workers<br />
(24%) are using their own devices for work to<br />
avoid being watched, while three in 10 (31%)<br />
have admitted that they would use their own<br />
devices more for work, if company-provided<br />
devices had monitoring software installed."<br />
"Clearly, businesses should not go too far<br />
along the surveillance route," he believes,<br />
"otherwise employees may take their entire<br />
at-home activities off the corporate radar,<br />
resulting in the wholesale creation of shadow<br />
IT, over which they have limited control.<br />
While remote working does bring significant<br />
benefits to workers, there is also a dark side<br />
when it's not managed holistically. There is<br />
also a serious need for employers to examine<br />
their 'surveillance' practices to understand the<br />
true impact on productivity and worker<br />
satisfaction."<br />
Paul Norbury, CEO SecureDrives, agrees<br />
unequivocally that supporting a workforce<br />
that's working from home sets a whole<br />
new set of challenges for security teams.<br />
"At SecureDrives, we know passwordless<br />
authentication works, that it is easy to deploy<br />
and administer remotely, and that it saves<br />
people time every single login. In cases where<br />
people log in to multiple computers, multiple<br />
times a day, automated proximity-based login<br />
- and logout - through passwordless<br />
authentication can add literally hours of time<br />
to the working day.<br />
SECURITY ONUS ON BUSINESSES<br />
"Deploying passwordless authentication can<br />
also result in significant financial savings.<br />
According to a World Economic Forum<br />
report, companies spend on average 2.5<br />
months a year resetting internal passwords,<br />
20% to 50% of all calls to the IT helpdesk<br />
concern password resets and the estimated<br />
cost of a single reset ranges from $30 to $70.<br />
The same report notes that password-safe<br />
company LastPass has estimated companies<br />
spend on average $1 million per year in<br />
staffing helpdesks to deal with password<br />
resets. While passwordless authentication<br />
obviously has deployment and management<br />
costs, it doesn't require the same level of end-user<br />
support."<br />
The logic that has seen consumer<br />
technology make its way into the office so<br />
many times in the past can play its part with<br />
passwordless login, too, says Norbury. "We<br />
have become used to logging in to our<br />
phones and computers using facial or<br />
fingerprint recognition, and this familiarity<br />
makes the idea of passwordless login for<br />
work more palatable, because, as end users,<br />
we know from experience that it is both easy<br />
to work with and secure. Implementing<br />
passwordless authentication is an element of<br />
digital transformation that can benefit<br />
individuals, IT teams and the bottom line."<br />
"Cloud applications have transformed the<br />
way users and teams communicate, share<br />
and collaborate," points out Ed Macnair, CEO<br />
of Censornet. "Organisations should be<br />
mindful of this move into the cloud, because<br />
staff are now even more likely to be using<br />
apps that are unauthorised and potentially<br />
dangerous. The cloud shift has radically<br />
changed the threat landscape, which means<br />
that web security is no longer enough.<br />
Organisations would be wise to quickly adopt<br />
a Cloud Access Security Broker (CASB)<br />
solution, which has gone from being a 'nice<br />
to have' to become an essential security tool."<br />
With teams dispersed away from the safety<br />
of the organisation's network, IT teams are<br />
always having to review risk, he continues.<br />
"Context is king. If a login is requested from a<br />
strange location, time, day or device, a secure<br />
authentication solution should pick this up<br />
and ensure further verification before<br />
allowing access. Likewise, strange behaviour<br />
in the office should be recognised. It's highly<br />
unlikely that a 9-5 weekday worker will be in<br />
the office at 2am on a Saturday morning. If a<br />
login is received at this time, it should trigger<br />
alarm bells. Or perhaps a promotion, if the<br />
log-on is genuine."<br />
With so many risks associated with account<br />
compromise and at a time when many<br />
organisations are in flux, it's more important<br />
than ever to prove whether logins are<br />
legitimate or not, states Macnair. "One way of<br />
reducing the impact of large-scale breaches is<br />
Multi-Factor Authentication, which ensures<br />
any stolen credentials cannot be used to gain<br />
access to your organisation's environment,<br />
challenging the user, based on contextual<br />
flags, such as location or device, and<br />
providing flexible delivery of session-specific,<br />
real-time generated one-time passcodes."<br />
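The contextual checks Macnair describes (location, time, day, device) can be expressed as a small risk-scoring policy that ends in one of three outcomes: allow, challenge for a second factor, or deny. The Python below is an added example, not Censornet's code; the baseline, the flag weights, the thresholds and the three sample login attempts are all constructed for illustration.

```python
"""Context-aware login evaluation: score a login against the user's
baseline and decide allow / step-up (MFA challenge) / deny.
Added example; the weights, thresholds and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class UserBaseline:
    known_devices: set
    usual_countries: set
    work_hours: tuple = (7, 20)   # local hours during which logins are expected
    work_days: set = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Mon..Fri


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    when: datetime        # local time of the attempt
    password_ok: bool


# Contextual flags and how much risk each one adds (assumed values).
WEIGHTS = {"unknown_device": 40, "unusual_country": 35,
           "outside_hours": 15, "off_day": 10}
STEP_UP_AT = 30   # at or above this score: require a second factor
DENY_AT = 70      # at or above this score: refuse even with a correct password


def score_login(attempt: LoginAttempt, baseline: UserBaseline):
    """Return (score, flags, decision) for one attempt."""
    if not attempt.password_ok:
        # A wrong password is an outright failure. Callers should return the
        # same generic error for this as for a risk-based deny, so an attacker
        # cannot tell a bad guess from a correct-but-blocked password.
        return 100, ["bad_password"], "deny"
    flags = []
    if attempt.device_id not in baseline.known_devices:
        flags.append("unknown_device")
    if attempt.country not in baseline.usual_countries:
        flags.append("unusual_country")
    start, end = baseline.work_hours
    if not start <= attempt.when.hour < end:
        flags.append("outside_hours")
    if attempt.when.weekday() not in baseline.work_days:
        flags.append("off_day")
    score = sum(WEIGHTS[f] for f in flags)
    if score >= DENY_AT:
        decision = "deny"
    elif score >= STEP_UP_AT:
        decision = "step_up"
    else:
        decision = "allow"
    return score, flags, decision


# Constructed baseline for one user and three constructed attempts.
ALICE = UserBaseline(known_devices={"laptop-01", "phone-07"}, usual_countries={"GB"})
SAMPLES = [
    # Monday 09:30 from a known laptop in the usual country.
    LoginAttempt("alice", "laptop-01", "GB", datetime(2021, 5, 10, 9, 30), True),
    # Same country and hours, but a device never seen before.
    LoginAttempt("alice", "desktop-99", "GB", datetime(2021, 5, 10, 14, 0), True),
    # Saturday 02:00, unknown device, unusual country: Macnair's "alarm bells".
    LoginAttempt("alice", "kiosk-31", "RO", datetime(2021, 5, 15, 2, 0), True),
]


def run_samples():
    """Evaluate the constructed attempts; returns a list of (score, decision)."""
    return [(s, d) for s, _, d in (score_login(a, ALICE) for a in SAMPLES)]


if __name__ == "__main__":
    for attempt, (score, decision) in zip(SAMPLES, run_samples()):
        print(f"{attempt.device_id:<10} {attempt.country} {attempt.when:%a %H:%M} "
              f"score={score:<3} -> {decision}")
```

A correct password from an already-known device scores zero and is allowed outright, so a credential stolen together with control of an enrolled device still gets through; that is why device enrolment and the second-factor recovery path deserve the same scrutiny as the login itself.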
Organisations should also adopt a Zero Trust<br />
approach, based on an 'authenticate then<br />
connect' model, he adds. "This will allow<br />
employees to connect to the service they have<br />
permission for only once they have been<br />
authenticated. In the much longer term,<br />
companies will start to roll out a Secure<br />
Access Service Edge (SASE) framework. Zero<br />
Trust is a great way to get started on the road<br />
to SASE, so it's important to make the right<br />
decisions immediately to lay the groundwork<br />
for this new security paradigm."<br />
www.computingsecurity.co.uk @CSMagAndAwards May/June 2021 computing security<br />
predictions<br />
WHAT ELSE AWAITS IN 2021?<br />
IN PART 2 OF OUR GLANCE INTO THE (POSSIBLE) FUTURE, WE HEAR MORE<br />
PREDICTIONS ON WHERE THE YEAR 2021 MAY BE LEADING OUR INDUSTRY<br />
The prediction game is at best a<br />
perilous one, and even more so after what<br />
has been, over the past twelve months at<br />
least, the most unpredictable of years. Then<br />
again, trying to foresee what might happen within<br />
the security industry has always been<br />
something of a fraught exercise in crystal<br />
ball gazing. So these insights do retain<br />
their value, despite - and maybe even<br />
because of - how challenging the times<br />
may be.<br />
The abrupt shift to remote work, due to<br />
the pandemic, has caused many obstacles,<br />
of course. "Legacy approaches to identity<br />
and access management (IAM) are clinging<br />
to outdated notions of corporate<br />
perimeters and in-person interactions.<br />
Conversely, overwhelmingly digital<br />
customer-facing interactions create urgency,<br />
with respect to digital identity initiatives<br />
and reducing bias in identity-proofing<br />
processes." That is the view of Akif Khan,<br />
senior director analyst, Gartner, who says<br />
that the old security model of "inside means<br />
trusted" and "outside means untrusted" has<br />
been broken for a long time.<br />
"By 2025, cybersecurity mesh will support<br />
more than half of all IAM requests,<br />
enabling a more explicit, mobile and<br />
adaptive unified access<br />
management model," he predicts. "The<br />
mesh model of cybersecurity provides<br />
a more integrated, scalable, flexible and<br />
reliable approach to digital asset access<br />
control than traditional security perimeter<br />
controls."<br />
Organisations lack the resources and skills<br />
to plan, develop, acquire and implement<br />
comprehensive IAM solutions, he adds.<br />
"As a result, they're contracting professional<br />
services firms to provide the necessary<br />
support, particularly where multiple<br />
functions need to be addressed<br />
simultaneously. Increasingly, organisations<br />
will rely on MSSP firms for advice, guidance<br />
and integration recommendations. By<br />
2023, 40% of IAM application convergence<br />
will primarily be driven by MSSPs that focus<br />
on delivery of best-of-breed solutions in<br />
an integrated approach - shifting influence<br />
from product vendors to service partners."<br />
IDENTITY-PROOFING TOOLS<br />
Historically, vendor-provided enrolment<br />
and recovery workflows for multifactor<br />
authentication have incorporated weak<br />
affirmation signals, such as email addresses<br />
and phone numbers. As a result,<br />
implementing higher-trust corroboration<br />
has been left as an exercise for the<br />
organisations.<br />
"Because of the massive increase in remote<br />
interactions with employees, more robust<br />
enrolment and recovery procedures are<br />
an urgent requirement, as it is harder to<br />
differentiate between attackers and<br />
legitimate users," adds Khan. "By 2024,<br />
30% of large organisations will newly<br />
implement identity-proofing tools to<br />
address common weaknesses in workforce<br />
identity life cycle processes."<br />
Centralised approaches to managing<br />
identity data struggle to provide benefits in<br />
the three key areas: privacy, assurance and<br />
pseudonymity. "A decentralised approach<br />
uses blockchain technology to help ensure<br />
privacy, enabling individuals to validate<br />
information requests by providing only<br />
the absolute minimum required amount<br />
of information."<br />
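The "only the minimum required information" property does not depend on the blockchain Khan mentions; it comes from how the credential itself is built. The Python below is an added example, not Gartner's or any vendor's code, of the salted-hash selective-disclosure pattern used by SD-JWT-style credentials: the issuer signs only a list of per-claim digests, the holder reveals the salt and value of just the claims a verifier needs, and the verifier checks each revealed claim against the signed digests. It stands in an HMAC under a demo key for the issuer's signature so that it runs offline; that substitution is an assumption, and a real issuer uses a public-key signature.

```python
"""Selective disclosure with salted hash commitments.
Added example. The issuer 'signature' is an HMAC under a demo key so the
script runs offline; in practice the issuer uses a public-key signature."""
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"demo-issuer-key"   # assumption: stand-in for the issuer's signing key


def _digest(salt: str, name: str, value) -> str:
    """Commitment to one claim. The random salt stops a verifier from
    brute-forcing low-entropy claims (e.g. a date of birth) it was not shown."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue(claims: dict):
    """Issuer: salt every claim and sign only the sorted list of digests.
    Returns the credential (given to the holder) and the disclosures
    (salt, value per claim) that the holder keeps privately."""
    disclosures = {name: (secrets.token_hex(16), value) for name, value in claims.items()}
    digests = sorted(_digest(salt, name, value)
                     for name, (salt, value) in disclosures.items())
    payload = json.dumps({"digests": digests}, sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}, disclosures


def present(credential, disclosures, reveal):
    """Holder: hand over the signed credential plus only the requested claims."""
    return credential, {name: disclosures[name] for name in reveal}


def verify(credential, revealed):
    """Verifier: check the issuer tag, then that every revealed claim matches a
    signed digest. Returns the accepted claims, or None if anything is wrong."""
    expected = hmac.new(ISSUER_KEY, credential["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["tag"]):
        return None
    digests = set(json.loads(credential["payload"])["digests"])
    accepted = {}
    for name, (salt, value) in revealed.items():
        if _digest(salt, name, value) not in digests:
            return None       # forged or altered claim
        accepted[name] = value
    return accepted


def age_check_demo():
    """Constructed scenario: an age-restricted service needs only 'over_18'."""
    credential, disclosures = issue({
        "name": "A. Holder", "date_of_birth": "1990-04-12",
        "over_18": True, "address": "1 Example Street",
    })
    cred, revealed = present(credential, disclosures, ["over_18"])
    accepted = verify(cred, revealed)
    # Tampering attempt: reuse the real salt but change the claim's value.
    salt, _ = disclosures["over_18"]
    forged = verify(cred, {"over_18": (salt, False)})
    return accepted, forged


if __name__ == "__main__":
    print(age_check_demo())   # ({'over_18': True}, None)
```

Two caveats a deployment has to handle: the digest list is identical in every presentation, so verifiers who compare notes can link them unless the holder is issued several credentials to rotate through; and an undisclosed claim stays hidden only because of its salt, so salts must be random and never reused.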
He believes that, by 2024, a true global,<br />
portable, decentralised identity standard<br />
will emerge in the market to address<br />
business, personal, societal, and identity-invisible<br />
use cases. "Bias with respect to<br />
race, age, gender and other characteristics<br />
gained attention significantly in 2020,<br />
coinciding with the increased interest<br />
in document-centric identity<br />
proofing in online use cases. This<br />
'ID plus selfie' process uses face<br />
recognition algorithms to compare selfies<br />
of customers with the photo in their<br />
identity document."<br />
THE HUMAN LAYER<br />
If remote working in 2020/21 has taught<br />
us anything, it's the importance of securing<br />
the individuals within each organisation's<br />
'human layer', says Tony Pepper, CEO, Egress.<br />
"When offices closed overnight, it amplified<br />
the role of the individual within our security<br />
strategies and the risks that each person<br />
brings. As we look towards the rest of<br />
2021, insider risk will be front-of-mind for<br />
many organisations, as they work to secure<br />
remote and hybrid environments for the<br />
long term.<br />
"Advanced machine learning technologies<br />
that examine the context within which<br />
individuals make decisions and alert them<br />
to risky behaviour have been utilised by<br />
early adopters to effectively target security<br />
at individuals, and in 2021 and beyond,<br />
this technology will see rapid adoption."<br />
Linked to this, states Pepper, we're going<br />
to see the continued decline of traditional<br />
email DLP technology, as organisations<br />
improve security for their most mission-critical<br />
communication channel. "56%<br />
of the IT leaders responding to our 2021<br />
Data Loss Prevention Report acknowledged<br />
they're under increased pressure from<br />
clients to keep sensitive data safe on email,<br />
while 100% of those who have deployed<br />
traditional email DLP technologies are<br />
frustrated by them. With increased<br />
adoption of advanced email DLP solutions<br />
that utilise contextual machine learning,<br />
organisations will turn away from<br />
traditional technologies."<br />
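A contextual check of the kind Pepper describes judges each recipient against what the sender has done before, rather than scanning the body for keyword patterns. The Python below is an added example, not Egress's product, and uses fixed rules where a product would use a trained model; the sender history and the outbound messages are constructed. It flags three things a traditional pattern-matching DLP rule misses: a recipient one or two characters away from a regular contact (a typo or a lookalike domain), a domain the sender has never written to, and sensitive content addressed to personal webmail.

```python
"""Contextual outbound-email check: compare each recipient with the sender's
own history instead of scanning only for keyword patterns.
Added example; rules stand in for the machine-learning model a product would use."""
from collections import Counter

PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss addresses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_profile(sent_history):
    """Per-sender profile: how often each recipient and each domain was used."""
    recipients = Counter(r for rcpts in sent_history for r in rcpts)
    domains = Counter()
    for rcpt, n in recipients.items():
        domains[rcpt.split("@", 1)[1]] += n
    return {"recipients": recipients, "domains": domains}


def check_outbound(recipients, profile, sensitive=False):
    """Return a list of (recipient, reason) warnings for one outbound message."""
    warnings = []
    for rcpt in recipients:
        domain = rcpt.split("@", 1)[1]
        if rcpt not in profile["recipients"]:
            # Never written to this exact address: is it a near miss of a
            # regular contact, or a domain the sender has never used at all?
            near = [k for k in profile["recipients"] if 0 < edit_distance(k, rcpt) <= 2]
            if near:
                warnings.append((rcpt, "lookalike_of:" + near[0]))
            elif domain not in profile["domains"]:
                warnings.append((rcpt, "new_domain"))
        if sensitive and domain in PERSONAL_WEBMAIL:
            warnings.append((rcpt, "sensitive_to_webmail"))
    return warnings


# Constructed history for one sender: three past messages.
HISTORY = [
    ["bob@acme-partner.com", "carol@acme-partner.com"],
    ["bob@acme-partner.com"],
    ["dave@internal.example", "bob@acme-partner.com"],
]
PROFILE = build_profile(HISTORY)


def demo():
    """Constructed outbound message: a mistyped partner address plus a new domain."""
    return check_outbound(["bob@acme-partners.com", "eve@unknown.io"], PROFILE)


if __name__ == "__main__":
    for rcpt, reason in demo():
        print(f"WARN {rcpt}: {reason}")
```

The lookalike rule is the one that catches both an honest mistake and a deliberately registered near-miss domain; a product would add the recipients' own history (who is normally copied together) and a classifier for the content, but the decision structure is the same.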
AGILITY THE NEW WATCHWORD<br />
"As 2020 has shown, predicting the future<br />
is hard!" states Emma Maslen, VP & GM<br />
of EMEA & APAC for Ping Identity. "Yet<br />
what is clear is that, moving forward, all<br />
organisations need to be able to react to<br />
unexpected shifts in society, technology<br />
and culture. The emergence of working<br />
from home as a viable option for large<br />
segments of the workforce is likely to<br />
endure. Some employees are now enjoying<br />
the reduction in commute, more family<br />
meal times and greater flexibility in the<br />
working day, which I think they will be<br />
reluctant to let go in the future. Ensuring<br />
employees are enabled to work from<br />
home, in a productive way, will be a big<br />
theme for the future."<br />
This leads neatly to her second point - the<br />
continuing war for talent. "As the world is<br />
disrupted, employees are looking for a<br />
vision or a mission that resonates, along<br />
with working environments that empower<br />
them to do their best. Ensuring frictionless<br />
access to technology will lead to a<br />
reduction in frustration, which will, in turn,<br />
help organisations to both attract and<br />
keep the best talent. Yet the frictionless<br />
experience must extend beyond the<br />
organisational structure and become a<br />
mantra for how organisations deal with<br />
customers, citizens, partners, suppliers - in<br />
fact, every B2B and B2C relationship must<br />
shift towards seamless interactions."<br />
As such, identity is going to be a big<br />
focus for both the workforce and the wider<br />
consumer space, adds Maslen. "Not only<br />
are we working more from home, but we<br />
are also shopping, banking, studying and<br />
engaging with the state increasingly from<br />
home. Yet still people are bombarded with<br />
username and password requests, and this<br />
situation gets worse as more interactions<br />
become completely digital."<br />
If 2020 was the year of disruption, then<br />
2021 will hopefully be a year where agility<br />
becomes the new watchword, she further<br />
states - "a year where we start to build a<br />
more sustainable work and life balance<br />
that is based around results, and less<br />
around where people and systems are<br />
geographically located".<br />
webcam woes<br />
TANGLED WEB<br />
IS THERE A HACKER STARING IN ON YOU THROUGH YOUR DEVICES AND GADGETS, READY TO<br />
POUNCE? WE FIND OUT HOW VITAL IT IS TO KEEP WEBCAMS COVERED WHEN THEY'RE NOT IN USE<br />
With the rapid rise in remote<br />
working, more of us than ever<br />
before are taking video calls from<br />
the privacy of our own homes. Sometimes<br />
these even take place in our bedrooms, the<br />
same rooms where we lounge around in our<br />
pyjamas, sleep and even change our clothes.<br />
But just how secure are our Mac and PC<br />
webcams? Are we being watched?<br />
Computing Security has been liaising with<br />
the technology experts at Reincubate and<br />
they have been running us through the risks<br />
that await 'out there'. Here is their take on<br />
things…<br />
REINCUBATE<br />
The rapid growth of remote and home<br />
working has led to a lot of users getting<br />
webcams or setting up Zoom equipment in<br />
their own homes. Mark Zuckerberg<br />
inadvertently brought attention to the risks<br />
of users being covertly monitored through<br />
their computer's webcams or mics when he<br />
posted a now famous photo of his desk setup,<br />
showing his laptop with a covered<br />
webcam and blocked mic. If even the creator<br />
of Facebook blocks his, who else does?<br />
Apple's release of iOS 14 has done even<br />
more to safeguard users from<br />
unintentionally recording with its new<br />
orange and green dots. That said, user<br />
privacy can be violated by a simple accident<br />
and without malicious intent. Plenty of<br />
Zoom users haven't realised that their<br />
cameras were on or that, when joining a<br />
Zoom call, the host might have configured<br />
the call to start with user cameras on.<br />
Additionally, it's possible to join a Zoom call<br />
with your camera off, be placed in a waiting<br />
room before the call begins and then have<br />
the camera turn on once the host admits the<br />
user to the call.<br />
Generally speaking, there are few video<br />
apps where the host can remotely enable<br />
video, if the participant has turned it off after<br />
the start of the call and Zoom is safe in this<br />
regard. It does, however, have a feature<br />
whereby the host can remotely unmute a<br />
participant's microphone. If you're in the<br />
habit of stepping away from your computer<br />
on long calls to get a cup of coffee while<br />
muted, beware that you might be unmuted<br />
without knowing about it. Similarly, if you're<br />
joining the call from a room with other<br />
people around, their unexpected presence in<br />
your background may cause them<br />
embarrassment, if they're not expecting to<br />
be broadcast.<br />
These inadvertent risks can be handled with<br />
a few simple precautions: covering or<br />
physically disconnecting a webcam makes<br />
things more obvious and having a mic with a<br />
physical mute button helps.<br />
SECURING YOUR CAMERA AND MIC<br />
ON AN IPHONE<br />
iPhone and iPad users have the least to worry<br />
about. So long as the device has not been<br />
jailbroken, it is extremely unlikely that<br />
hackers can remotely monitor the device's<br />
camera or mic. As far as Apple's orange and<br />
green dots, referred to above, are<br />
concerned, yes, it's still possible for apps to<br />
access an iOS device's camera and mic, but<br />
in order for this to happen, users must first<br />
install an app and grant it permission to<br />
record video and audio. It's possible for apps<br />
to record audio - but not video - while<br />
backgrounded, but, again, permissions must<br />
first be given by the user. Of course, there's<br />
always the possibility of state-level cyber<br />
espionage, but this is unlikely to affect the<br />
average user and is almost impossible to<br />
mitigate for, short of not using technology.<br />
Broadly speaking, your iPhone and iPad<br />
should be perfectly safe, so long as you don't<br />
let them out of your sight, and only install<br />
apps that you trust.<br />
SECURING YOUR WEBCAM AND MIC<br />
ON A MAC<br />
A Mac or a MacBook Pro is second only to<br />
an iPhone in its security. Recent Macs include<br />
something called a 'T2 chip', which includes a<br />
number of hardware-based security features.<br />
Most relevant of all, it uses hardware to<br />
physically disable a Mac laptop's microphone<br />
when the laptop is closed or suspended.<br />
From a practical perspective, it's impossible<br />
for a Mac's webcam to be in use without the<br />
accompanying green light being turned on.<br />
In the past, there have been workarounds for<br />
this, but the known exploits have been fixed<br />
on Macs.<br />
However, the software on the Mac does<br />
not trigger any sort of system-level security<br />
prompt when accessing a webcam or mic, so<br />
users must be careful to only use apps they<br />
trust and not to disable any system-level<br />
protection that is enabled on all Macs by<br />
default. It's possible for any website that a<br />
user is on to request camera and microphone<br />
access, but the user's browser - Chrome,<br />
Safari etc - will have to prompt the user to<br />
give permission. Security-conscious Mac users<br />
may wish to try OverSight (free) or Micro<br />
Snitch (paid for), popular security tools that<br />
run in the background and alert users to any<br />
apps accessing their camera or mic.<br />
Some of the settings available to a user hosting a Zoom call, including<br />
the ability to enable participant video at the start of the call.<br />
STEPS FOR STAYING SECURE ON<br />
WINDOWS OR ANDROID<br />
Unfortunately, Windows and Android users<br />
will have the hardest time of all staying<br />
secure. Often the software and hardware<br />
for these devices are made by different<br />
companies, meaning there's plenty of room<br />
for loopholes between the two. Google's Play<br />
Store is infamous for including malware apps<br />
on a regular basis, and many Android phones<br />
(over 1 billion!) suffer from not getting access<br />
to the latest security patches or Android<br />
updates.<br />
Theoretically, modern Android devices with<br />
the latest security patches will be close to an<br />
iPhone's security - at least each app must<br />
prompt for webcam or mic access, but a<br />
status light won't be shown. But the problem<br />
is it's hard to tell by looking at an Android<br />
device if it's secure or up to date. Simply<br />
because your phone says it has all of the<br />
latest security patches doesn't mean that the<br />
manufacturer of your Android phone has<br />
made all of the security patches available.<br />
From this perspective, Google Android<br />
devices (such as the Pixel) are more<br />
trustworthy, as Google makes both the<br />
software and hardware together and is<br />
ultimately responsible for issuing the most<br />
important security updates.<br />
Staying secure on these platforms is hard.<br />
The problem on Windows is so endemic that<br />
both Lenovo and HP have started building<br />
physical switches and covers into their<br />
webcams to give users some peace of mind.<br />
Without hardware control of the mic, it's<br />
impossible to tell if a Windows laptop could<br />
be recording in the background when open<br />
or closed!<br />
Blocking microphones isn't easy: you can't<br />
cover them with a piece of tape, like you can<br />
a camera, or at least, if you do, it won't be at<br />
all effective. Most Windows devices will<br />
disable their internal microphone when an<br />
external mic is plugged in and dedicated mic<br />
blockers exist for that purpose. However, it's<br />
very hard to tell whether your device really<br />
will fundamentally disable its internal<br />
microphone when this is done.<br />
Reincubate's advice, if running Android,<br />
would be to only use Google devices such as<br />
the Pixel and to avoid installing third-party<br />
apps from the Google Play Store. The risk of<br />
malware or app impersonation is not small.<br />
Seriously, if you want apps, use an iPhone. A<br />
month doesn't pass without a news report of<br />
millions of Android users being infected by<br />
malware.<br />
WHAT ABOUT ALEXA OR THE<br />
HOMEPOD?<br />
Plenty of users have an Alexa or HomePod<br />
device in their home or other forms of smart<br />
devices, like thermostats or security cameras.<br />
These are all capable of broadcasting video<br />
or audio captured within the home. It's very<br />
hard to keep tabs on these and ultimately<br />
one must either trust the company making<br />
them or not. Both Amazon and Apple home<br />
devices may be listened to by the staff in<br />
some circumstances, though there are<br />
controls that can enable users to opt in or<br />
out of parts of this.<br />
If someone has a smart device at home, it's<br />
sensible to behave as if their audio is being<br />
recorded. That is potentially quite a burden.<br />
It's very much not a good idea to buy smart<br />
devices from small, untrusted or unknown<br />
vendors. Who knows what their security is<br />
like?<br />
TOP TIPS TO HELP YOU STAY SECURE<br />
While there's less for modern iPhone and<br />
Mac users to worry about, there is still a set<br />
of best practices we'd recommend for all<br />
users.<br />
Android and Windows users are at serious risk<br />
of getting spied on through their webcams.<br />
Covering your webcam is important on a PC,<br />
but it's arguably helpful for all users, in that it<br />
will serve as a reminder to think about security<br />
while using the computer. Realistically, you're<br />
more likely to inadvertently broadcast yourself<br />
without knowing than you are to be remotely<br />
monitored by anyone else and a cover helps<br />
make that risk obvious.<br />
Anything that makes you more security<br />
conscious is likely a good idea. You'll see no<br />
end of ads online trying to sell plastic webcam<br />
covers: these are junk and you don't need<br />
them. A piece of tape or a sticky note is good<br />
enough for Mark Zuckerberg and it'll work<br />
well enough for you. Any residue left behind<br />
will be easy to remove. And, besides, well-designed<br />
laptops won't leave enough room to<br />
be closed without damaging themselves when<br />
an additional plastic cover is stuck on.<br />
Use external, physically connected cameras<br />
and audio devices. Relying on an external mic<br />
and camera makes it crystal clear whether<br />
they are physically connected to your<br />
computer or not. This has the advantage that<br />
you can then permanently block your device's<br />
internal camera and mic. Camo is a good<br />
example of a product like this and has the<br />
additional benefit of greatly increasing the<br />
quality that a user will get when they join calls.<br />
Beware of products that require installation of<br />
drivers, or which are from unknown or<br />
untrusted sources.<br />
Closing your laptop or powering off your<br />
computer when not using it will make it<br />
harder or impossible for people to access it<br />
remotely.<br />
If you step away from your Zoom call while it's<br />
muted, perhaps to make a coffee, beware<br />
that a host might remotely unmute you<br />
without your knowing. If your mic has a<br />
physical mute button, you'll be okay. But, if<br />
you're using AirPods or an internal mic, there's<br />
no mute that can override Zoom's settings. If<br />
you're on a call, always assume you might be<br />
overheard.<br />
Keep your software up to date, especially the<br />
main software on your phone and computer,<br />
and any browsers you use.<br />
Don't disable your computer's firewall or<br />
anti-malware protection. Nowadays, these are enabled by<br />
default on just about every type of computer<br />
and phone, and there's little need to install<br />
additional software, beyond specific products<br />
for monitoring webcam use (see above).<br />
Be aware of general security best practices and<br />
be sure to securely store any video, audio or<br />
photos that you've already taken.<br />
Don't let anyone untrusted use - or repair - any<br />
of your devices. Who knows what they might<br />
install or change!<br />
"There are real risks to not covering a<br />
webcam," warns Aidan Fitzpatrick,<br />
Reincubate, "but, for users with Macs and<br />
iPhones, the greatest risk is most likely<br />
accidentally broadcasting themselves or<br />
unknowingly being unmuted by a meeting<br />
host, rather than being surveilled by a hacker.<br />
"Webcam covers and physical mute buttons<br />
on microphones act as fail-safes and helpful<br />
reminders to think about security, and a piece<br />
of tape really is the best solution for use with a<br />
MacBook. I recommend users keep devices<br />
closed or powered off when they are not in<br />
use."<br />
And he adds: "It's worth thinking about using<br />
an external webcam or, for better quality, a<br />
smartphone webcam [https://reincubate.com/<br />
camo/], as it can be physically unplugged<br />
between calls. Being able to unplug one's<br />
camera is the best way to stay secure."<br />
cybercrime insights<br />
FRAUD AND CYBERCRIME SOAR IN PANDEMIC<br />
MORE THAN 6,000 CASES OF COVID-RELATED FRAUD AND CYBERCRIME WERE<br />
RECORDED BY THE UK'S POLICE FORCES IN THE 12 MONTHS AFTER THE VIRUS<br />
FIRST STRUCK. BUT THIS MAY BE JUST THE TIP OF THE ICEBERG<br />
According to the Action Fraud team,<br />
which covers activity in England, Wales<br />
and Northern Ireland, covid-related<br />
fraud and cybercrime accounted for<br />
£34.5 million in stolen money in the 12<br />
months from 1 March last year. And the total<br />
is forecast to keep rising at an equally alarming<br />
rate in the months ahead.<br />
In a related development, the National<br />
Cyber Security Centre is tackling several<br />
attacks being launched each month against<br />
the country's pandemic response<br />
infrastructure. These involve attempts to<br />
breach the NHS, vaccine producers and<br />
vaccine supply chains, among other<br />
organisations.<br />
Additional figures disclosed by City of<br />
London Police, which co-ordinates efforts<br />
to combat fraud, include:<br />
More than 150 related arrests were<br />
made since the pandemic began<br />
More than 2,000 websites, phone<br />
numbers and email addresses linked<br />
to the crimes were taken down<br />
A total of 416,000 reports of fraud<br />
and cyber-crime.<br />
The activity peaked between April and <strong>May</strong><br />
2020, and January 2021 - both times when<br />
lockdowns were in force.<br />
The Dedicated Card and Payment Crime<br />
Unit, which tackles criminal gangs that are<br />
responsible for financial fraud and scams,<br />
worked with social media platforms<br />
to take down more than 700<br />
accounts linked to<br />
fraudulent activity in<br />
2020, of which over<br />
250 were money mule<br />
recruiters.<br />
But this may be the tip of<br />
the iceberg, it's admitted. In<br />
fact, the National Crime Agency<br />
estimates that just one in five fraud<br />
cases is typically reported to the<br />
police. Many of the scams involved<br />
conning people out of their money and<br />
financial details by focusing on internet<br />
shopping.<br />
Online shopping fraud was 42% higher over the<br />
pandemic than in the preceding year, as<br />
criminals took advantage of the fact that many<br />
physical stores had been forced to close.<br />
The pandemic appears, however, to have<br />
coincided with a fall in one type of<br />
cybercrime, according to the BBC. "Reported<br />
cases of computer software service fraud -<br />
in which criminals call, offering fake tech<br />
support to fool victims into sharing their<br />
payment card details and other credentials -<br />
dropped by 15.5%," it said.<br />
TARGETING THE VULNERABLE<br />
Nick Emanuel, senior director of Product at<br />
Webroot + Carbonite, comments: "This<br />
insight comes as no surprise as, following the<br />
start of the vaccine rollout last year, our Real-<br />
Time Anti-Phishing protection system found<br />
a rise in malicious URLs and terms to target<br />
vulnerable people, using subjects like the<br />
vaccine and COVID-19. In fact, we saw a<br />
336% increase in use of the word 'vaccine'<br />
found within suspicious domain names<br />
between the 8 December and 6 January,<br />
when compared with the month of March<br />
2020.<br />
"Scams using keywords based on emotive<br />
subjects concerning medical safety and the<br />
pandemic are always going to be more<br />
effective, especially when they're in the public<br />
interest. Additionally, remote work has forced<br />
many employees to use personal devices for<br />
business-related activities, which presents<br />
unique security concerns," he adds.<br />
"With a higher prevalence of malware and<br />
generally fewer security defences in place, it's<br />
easier for malware to slip into the corporate<br />
network via an employee's personal device.<br />
For businesses, better security systems and<br />
training are key for protection, along with<br />
backing up data."<br />
For individuals, defending against these<br />
kinds of attacks should involve security<br />
awareness training and remaining vigilant in<br />
scrutinising the types of emails they receive,<br />
Emanuel advises. "This should also be<br />
underpinned by cybersecurity technology<br />
such as email filtering, anti-virus protection,<br />
and strong password policies."<br />
BEEFING UP THE UK'S IMAGE<br />
Meanwhile, the NCSC has witnessed a<br />
significant increase in the number of attacks<br />
since February, it reveals. In her first speech<br />
as the NCSC's new chief executive, Lindy<br />
Cameron paid tribute to what is<br />
seen as the 'bold decision' to create a public-facing<br />
cyber security organisation within<br />
GCHQ. The virtual speech to an audience at<br />
Queen's University, Belfast, saw her outline<br />
why the UK has a role to play in making it the<br />
safest place to live and do business online.<br />
"The cyber security landscape we see now<br />
in the UK reflects huge progress and relative<br />
strength - but it is not a position we can be<br />
complacent about. Cyber security is still not<br />
taken as seriously as it should be and simply<br />
is not embedded in UK boardrooms," she<br />
said. "The pace of change is no excuse -<br />
in boardrooms, digital literacy is as non-negotiable<br />
as financial or legal literacy. Our<br />
CEOs should be as close to their CISO as<br />
their finance director and general counsel."<br />
Cybercriminals will often use current events<br />
to try to lure victims and the pandemic has<br />
offered the perfect bait, states Adam Palmer,<br />
chief cybersecurity strategist at Tenable.<br />
"Criminals will capitalise on the interest in<br />
world events," he comments, "such as using<br />
coronavirus-themed malicious emails as a<br />
cover to spread a variety of malware, from<br />
the Emotet, AZORult and Trickbot trojans,<br />
to the Nanocore and Remcos Remote Access<br />
trojans. In January 2021, scammers were<br />
impersonating the UK's National Health<br />
Service via email and text messages, claiming<br />
that victims were eligible for their COVID-19<br />
vaccine. The webpage used the same<br />
template as the real NHS website and asked<br />
users to complete an application, requesting<br />
personally identifiable information [PII], as<br />
well as banking or credit card information."<br />
The tactic of using current affairs to make<br />
scams more successful isn't new, he points<br />
out. "We've seen similar types of scams<br />
associated with natural disasters and other<br />
global events in the past.<br />
"Cyber criminals are inventive and persistent<br />
- they will try to elicit information needed to<br />
further their crimes in all manner of ways and<br />
explore all communication channels, via<br />
email [phishing], telephone calls [vishing] or<br />
increasingly popular via SMS [SMShing], in<br />
the hopes that a small number of victims will<br />
respond," he adds.<br />
Palmer concedes that these targeted<br />
messages can be tricky for even an alert<br />
individual to spot. "The best form of action is<br />
to view every communication, no matter<br />
how convincing, as suspicious. Rather than<br />
interact with links within an electronic<br />
message, navigate to the website yourself<br />
and search for information to verify fact from<br />
fiction. If it's a caller, ask for their name and<br />
say you'll get back in touch once you've<br />
confirmed the request. When in doubt,<br />
report your suspicions to the authorities."<br />
COVID-19 SPIKES<br />
Drawing on data from the Mimecast threat<br />
intelligence team, its report, 'The Year of<br />
Social Distancing', details how threat actors<br />
targeted remote workers during the first year<br />
of the pandemic, from March 2020 to<br />
February 2021. The report describes how<br />
attack volumes surged by 48% during that<br />
time, with sudden increases in volume<br />
corresponding to spikes in COVID-19<br />
infection rates in April and October 2020.<br />
Adam Palmer, Tenable: criminals using<br />
coronavirus-themed malicious emails to<br />
spread a variety of malware.<br />
Nick Emanuel, Webroot + Carbonite: for<br />
businesses, better security systems and<br />
training are key for protection, along with<br />
backing up data.<br />
"Threat actors took advantage of the<br />
pandemic to launch a torrent of COVID-19<br />
themed social engineering attacks," states<br />
Josh Douglas, vice president, product<br />
management at Mimecast, "understanding<br />
that people were under stress, working in the<br />
home environment, and thus more likely to<br />
be deceived and make mistakes."<br />
The second part of that strategy was to<br />
'flood the zone' in security operations centres.<br />
"They knew analysts would also be stressed<br />
and stretched thin, so overwhelming them<br />
with a high volume of threats would increase<br />
the likelihood of their attacks slipping<br />
through defences."<br />
The report also examines the cyber habits<br />
of at-home workers, which revealed some<br />
alarming facts, including:<br />
A 3x rise in unsafe clicks in March 2020, right when the work-from-home trend began<br />
US workers were nearly twice as likely to open suspicious emails as were workers in the UK and Germany<br />
A 60% increase in the use of company-issued computers for personal business.<br />
Even though vaccine rollouts are well<br />
underway and more organisations may soon<br />
start making plans for people to return to<br />
offices in the months ahead, the Mimecast<br />
threat intelligence team has assessed the<br />
likelihood of threat actors continuing to<br />
exploit the unsettled work situation as very<br />
likely (95%). These exploitation efforts will<br />
likely focus both on remote workers and<br />
those returning to the office - which creates<br />
a new 'unsettled' situation that opens the<br />
door to new waves of social engineering<br />
campaigns.<br />
"We're now seeing sophisticated digital-deception<br />
campaigns where threat actors<br />
combine COVID-19-related social engineering<br />
with multi-channel campaigns - including<br />
email, social media and even phone - to gain<br />
credibility with their targets, so they can<br />
then be tricked into giving away valuable<br />
information or credentials," says Douglas.<br />
"We expect this challenging threat<br />
environment to continue for the foreseeable<br />
future as employees transition to the new<br />
normal which in many cases will be a hybrid<br />
in-office/at-home work mix. It has never been<br />
more important for enterprises to take steps<br />
to counter these digital-deception campaigns<br />
by hardening employees as targets through<br />
ongoing cybersecurity training programs, and<br />
to secure the infrastructure of the new 'virtual<br />
workplace' particularly email and<br />
collaboration tools."<br />
According to the report, the attacks<br />
targeted highly vulnerable sectors, such as:<br />
Attacks on the healthcare sector<br />
"Another way threat actors took advantage<br />
of the COVID-19 crisis was to launch attacks<br />
on overstretched healthcare systems." Threat<br />
actors sought to exploit increased human<br />
error associated with the stressful conditions<br />
to steal data and infect systems with<br />
ransomware-based attacks, in the belief<br />
that organisations operating under urgent<br />
conditions are more likely to pay ransoms -<br />
in this case hospitals urgently trying to<br />
protect the health of their patients.<br />
The summer of ransomware<br />
Mimecast reported the return of Emotet to<br />
the threat landscape in July 2020, after a five-month<br />
hiatus. This malware dropper is often<br />
used to deploy the Trickbot trojan as a<br />
second-stage infection, which can then be<br />
used to infect machines with ransomware.<br />
Mimecast detected increasing volumes<br />
throughout the summer (although not all<br />
can be attributed to Emotet).<br />
UNABATED EXPLOITATION<br />
As to the likelihood of threat actors<br />
continuing to exploit the unsettled work<br />
situation, Mimecast has assessed this as<br />
almost certain (95%). These efforts will focus<br />
both on remote workers and those returning<br />
to the office, which creates a whole new<br />
range of social engineering opportunities.<br />
OPPORTUNISTIC ATTACKS<br />
"Threat actors always exploit turmoil -<br />
whether that turmoil is brought on by<br />
unexpected natural disasters, annual events<br />
such as tax season, or a once-in-a-century<br />
pandemic," says the company.<br />
"So, if we know this, why do they continue<br />
to be successful?" it queries. "The answer lies<br />
in the compartmentalised way in which<br />
companies think about security.<br />
"Just like a magician uses multiple tools<br />
(misdirection, lights, special props etc) to<br />
deceive the audience into thinking that one<br />
thing is happening, only to have another<br />
thing happen, threat actors do the same<br />
thing, using multiple orchestrated tactics<br />
and tools to deceive people into drawing<br />
the wrong conclusions, so they are free to<br />
execute their attacks."<br />
VISIBILITY ESSENTIAL<br />
And, just as magicians would be ineffective<br />
if the audience had complete visibility into<br />
their activities, the best way to defeat threat<br />
actor cyber deception is to gain greater<br />
visibility into their campaigns, suggests<br />
Mimecast. "Defence-in-depth remains an<br />
important foundation of security strategy;<br />
however, it has also contributed to the<br />
infrastructure bloat issue that plagues many<br />
companies - too many security tools, too<br />
few people to manage them all.<br />
"Lessons learned from The Year of Social<br />
Distancing: Cyber deception is the problem.<br />
Part of the solution to this problem is<br />
integration: by integrating best-of-breed<br />
cyber security tools, organisations can gain<br />
much greater and more precise visibility into<br />
cyber deception campaigns to stop them<br />
earlier in their development."<br />
weaponised attacks<br />
ALL-OUT WAR<br />
ESPIONAGE, FRAUD AND RANSOMWARE WERE THE WEAPONS OF CHOICE IN 2020, WITH THE UK'S<br />
NATIONAL CYBER SECURITY CENTRE HANDLING A RECORD NUMBER OF CYBER SECURITY INCIDENTS<br />
The UK's National Cyber Security Centre<br />
(NCSC) - part of GCHQ and the UK's<br />
technical authority for cyber threats -<br />
dealt with 723 serious incidents between<br />
September 2019 and the end of August<br />
2020, a 20% increase on the 602 it handled<br />
the year before. More than 200 of these<br />
incidents were related to the coronavirus,<br />
according to the NCSC's latest annual review.<br />
The review reveals how the NCSC took<br />
decisive action against malicious actors in the<br />
UK and abroad "who saw the UK's digital<br />
lifelines as vectors for espionage, fraud and<br />
ransomware attacks", states Penny Mordaunt<br />
MP, Paymaster General, in a ministerial<br />
foreword. "The NCSC helped to protect NHS<br />
Trusts, the Nightingale hospitals and vital<br />
NHS systems, ensuring they were able to<br />
function remotely, in spite of coronavirus.<br />
In this year of complex challenges, the NCSC<br />
continues to react to swiftly evolving cyber<br />
threats."<br />
SAFETY AT HOME<br />
When many organisations moved to<br />
remote working because of coronavirus,<br />
the NCSC responded with new guidance<br />
on how to help employees work and<br />
communicate securely from home.<br />
As organisations moved their<br />
business online at pace,<br />
advisories were issued about<br />
how cyber criminals were<br />
seeking to exploit the<br />
pandemic for profit, and<br />
guidance was updated on<br />
how to spot and deal<br />
with suspicious emails,<br />
calls and texts (including<br />
coronavirus-based scams).<br />
With more people using<br />
personal devices for work<br />
purposes came an increased<br />
vulnerability to cyber fraud, as<br />
criminals sought to exploit the<br />
changing circumstances. Some<br />
scams, frequently using phishing<br />
emails, claimed to have a 'cure' for<br />
coronavirus, or sought donations to bogus<br />
medical charities. Many users found that<br />
clicking a bad link led to malware infection,<br />
loss of data and passwords.<br />
In the review, Lindy Cameron, new CEO of<br />
the NCSC, offers an insider's view of how the<br />
centre has responded to the cyber challenge.<br />
"We scanned more than one million NHS IP<br />
addresses for vulnerabilities and our cyber<br />
expertise underpinned the creation of the<br />
UK's coronavirus tracing app. An innovative<br />
approach to removing online threats was<br />
created through the 'Suspicious Email<br />
Reporting Service' - leading to more than<br />
2.3 million reports of malicious emails being<br />
flagged by the British public. Many of the<br />
22,000 malicious URLs taken down as a<br />
result related to coronavirus scams, such as<br />
pretending to sell PPE equipment to hide<br />
a cyber-attack."<br />
Jeremy Fleming, director of GCHQ, points to<br />
how the world changed in 2020, as did the<br />
balance of threats we are seeing. "As this<br />
review shows, the expertise of the NCSC,<br />
as part of GCHQ, has been invaluable in<br />
keeping the country safe: enabling us to<br />
defend our democracy, counter high levels<br />
of malicious state and criminal activity, and<br />
protect against those who have tried to<br />
exploit the pandemic. The years ahead are<br />
likely to be just as challenging, but I am<br />
confident that in the NCSC we have<br />
developed the capabilities, relationships and<br />
approaches to keep the UK at the forefront<br />
of global cyber security."<br />
RIPE FOR TARGETING<br />
Nick Emanuel, senior director of product,<br />
Webroot, says it is unfortunate that the<br />
NHS has been a common target for<br />
cybercriminals throughout Covid-19, but<br />
that it's also not surprising. "The vast attack<br />
surface of such a large and diverse<br />
organisation is one factor, but the value in<br />
their data is another. The sheer size and<br />
scope of the healthcare industry, its complex<br />
supply chain, and the fact that the public<br />
sector uses many contractors and outside<br />
parties, makes it a difficult task to manage<br />
and secure."<br />
Although the sector is particularly vulnerable<br />
to ransomware, Webroot believes the biggest<br />
concern here is the use of stolen data as a<br />
means to enable further attacks. "It is much<br />
easier to fool victims with a phishing email<br />
once you know details about them and their<br />
colleagues," states Emanuel. "We expect this<br />
to continue. As 2021 brings forward the first<br />
vaccines to fight Covid-19, cyber criminals<br />
will exploit the lack of trusted information<br />
and the widespread use of phone-based<br />
medical appointments to target businesses<br />
and consumers in phishing attacks and BEC<br />
[Business Email Compromise] scams.<br />
"To mitigate future attacks and build cyber<br />
resilience, organisations need to ensure that<br />
adequate defences are in place. Staff training<br />
is essential for defending against phishing<br />
attacks, so they know what to look out for.<br />
The training materials used also need to be<br />
constantly updated to reflect the latest threat<br />
trends and regular simulations should be run<br />
to ensure that the training is having the<br />
desired effect."<br />
FINANCIAL PAY-OFF<br />
"Ransomware-focused cyber threat actors are<br />
evidently pursuing methodologies where they<br />
believe the financial payoff will be the most<br />
beneficial," says Jonathan Miles, senior threat<br />
intelligence analyst at Mimecast. "This means<br />
they look for a combination of ease of<br />
entry, meaning relatively weak security<br />
programmes, combined with a high<br />
willingness and ability to pay. These threat<br />
actors have increasingly found this<br />
combination in the healthcare industry,<br />
a sector that is highly dependent on IT to run<br />
its operations and in possession of some of<br />
the most sensitive data, which is very<br />
profitable for hackers' financially motivated<br />
criminal activity."<br />
For healthcare organisations, the financial<br />
impact of these attacks is only the tip of the<br />
iceberg, he adds: hackers holding<br />
confidential data hostage also prevent<br />
practitioners from accessing patient files,<br />
resulting in delayed treatment - or worse.<br />
"Healthcare also plays a fundamental role in<br />
supporting a nation and is considered part<br />
of its critical national infrastructure. With its<br />
heightened importance during a global<br />
pandemic, it has rapidly become a very<br />
attractive target for nefarious actors intent<br />
on exploiting a time of confusion and<br />
uncertainty."<br />
Cybercriminals know that denying the<br />
services of the healthcare sector at this time<br />
will have massive ramifications. "By denying<br />
services or the efficiency of the healthcare<br />
sector, a hostile actor can be seen as<br />
subverting a nation through undermining the<br />
healthcare aperture, and degrading efficiency,<br />
reputation and trust," adds Miles. "There<br />
is also a possibility that, in attacking a<br />
healthcare organisation that is part of a wider<br />
network of infrastructure, it may be possible<br />
to pivot to other critical facilities."<br />
CYBERSECURITY VIGILANCE<br />
More than any other industry, the healthcare<br />
sector simply cannot afford poor<br />
cybersecurity. "For those organisations that<br />
are subjected to a ransomware attack, the<br />
consequences stretch beyond the breach,<br />
compromise and financial penalties," he<br />
cautions. "A longer lasting outcome is the<br />
reputational damage that the brand will be<br />
tarnished with. When a breach has been<br />
identified, it requires time and effort to<br />
contain the impact and mitigate the damage.<br />
This can cause a significant strain on<br />
resources, focus, people hours and funding<br />
that could have been used elsewhere."<br />
Jonathan Miles, Mimecast: the healthcare<br />
sector simply cannot afford poor<br />
cybersecurity.<br />
Lindy Cameron, National Cyber Security<br />
Centre: we scanned more than one million<br />
NHS IP addresses for vulnerabilities.<br />
2021<br />
is the year of injection.<br />
Just like 2017<br />
& 2013<br />
& 2010<br />
Injection vulnerabilities have been identified as the most<br />
critical risk to web applications by the OWASP Top 10 since 2010.<br />
Let’s stop giving attackers an easy win.<br />
Pentest Ltd are here to challenge your organisation’s information<br />
security posture, to support your improvement efforts and ensure<br />
you, and your clients, are as protected as possible.<br />
Information Security Consultancy<br />
Penetration Testing<br />
Red Teaming<br />
www.pentest.co.uk<br />
0161 233 0100