CS May-Jun 2021

Computing
Security
Secure systems, secure data, secure people, secure business
Inside AI
Could this be the
game changer?
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
It’s all-out war!
Espionage, fraud and
ransomware: the highly
explosive issues we face
Living through the great unknown
Part 2 of our ‘2021 Predictions’
is shrouded in great uncertainty
Look to your IT assets
Upgrade could prove pathway
to greater data security
Computing Security May/June 2021

comment
A REMOTE WORLD UNDER THREAT
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
NTT launched its annual Global Threat Intelligence Report recently and some of the key
findings are not going to provide great reassurance to most organisations - not least in
that there has been a 300% increase in attacks, as cybercriminals target key industries.
What NTT's '2021 Global Threat Intelligence Report' reminds us most of all is that, in a world of
evolving cyberthreats, we need to stay well ahead of the curve to secure the next horizon of cyber
resilience. It reveals how hackers are taking advantage of global destabilisation by targeting
essential industries and common vulnerabilities from the shift to remote working.
"Success lies in rethinking what you need to accommodate new ways of working," advises NTT,
"engaging with your ecosystem of partners and customers to entrench trust across the supply
chain; and securing all elements of your infrastructure to drive business value and transformation."
The report highlights how remote working has become a mainstay of the business environment.
Some employees may never permanently return to an in-office working environment. "This was
illustrated in the NTT 2020 Intelligent Workplace Report, which showed that more than half of
organisations (54%) would never return to their pre-pandemic operating model or would pursue
a hybrid operating model with expanded flexible working."
While remote working offers many benefits for employee and employer alike, the likelihood of
being targeted by hackers is high and the volume of attacks rapidly growing. With this new
approach, organisations must place a higher priority on several aspects of their businesses,
cautions NTT:
Managing risk
Addressing cybersecurity issues related to supporting their online presence
Optimising and securing work-from-home arrangements
Preparing to defend against supply chain attacks.
In this issue, we look in depth at home working - how it is continuing to change the landscape
in fundamental ways, and perhaps forever, while also exposing organisations to greater threat
than they have ever faced before - see page 24.
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
Lyndsey Camplin
(lyndsey.camplin@btc.co.uk)
+ 44 (0)7946 679 853
Stuart Leigh
(stuart.leigh@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2021 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk May/June 2021 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security May/June 2021
contents
CONTENTS
Computing
Security
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
Inside AI
It’s all-out war!
Espionage, fraud and ransomware:
the highly explo-
Could this be the
game changer?
sive issues we face
Living through the great unknown
Part 2 of our ‘2021 Predictions’
is shrouded in great uncertainty
COMMENT 3
A remote world under threat
Look to your IT assets
Upgrade could prove pathway
to greater data security
ARTICLES
MAJOR OPPORTUNITY AWAITS
TO TACKLE DATA SECURITY 6
Robert Allen of Kingston Technology
Europe looks at the fresh challenges that
hybrid working will bring and how they
can be met
YOU DON'T HAVE TO PREDICT
THE FUTURE TO BE MORE SECURE 8
When maximising your security improvement
efforts, look at the here and now,
rather than what may lie ahead, advises
Paul Harris, CEO, Pentest Ltd
THE REAL AI REVEALED 18
Not unlike big data, the cloud, IoT and just
about every other 'next big thing', more
and more companies are looking for ways
to jump on the AI (Artificial Intelligence)
bandwagon. But can AI help to transform
the security industry, making it sharper,
wiser and less vulnerable?
GREAT AMERICAN CYBER
RECOVERY IN PERIL 10
HOMING IN ON THE PERILS
There hasn't been much good news in
OF HOME WORKING 24
cybersecurity lately, states Ian Thornton-
As home working becomes part of the
Trump, CISO, CYJAX. His take in this
future, many employees will not be
article on recent events reinforces that
returning to the office full-time. But what
to a worrying degree
must businesses do to ensure they don't
PUT A SOC IN IT! 14
leave themselves open to the hackers and
Steve Usher and Rob Treacey, of
attackers? Editor Brian Wall reports
Shearwater Group plc, provide their
insights into the organisational need for
a SOC - Security Operations Centre - and
help to define what they think a good
SOC looks like
TANGLED WEB 30
DARK DAYS IN THE BATTLE
Is there a hacker staring in on you through
AGAINST CYBERCRIME 16
your devices and gadgets, ready to pounce?
The highjacking of a US fuel pipeline by
With Mark Zuckerberg having posted a now
cyber-criminal gang DarkSide signals
deeply worrying times ahead
famous photo of his desk set-up, showing
his laptop with a covered webcam and
WHAT ELSE AWAITS IN 2021? 28
blocked mic, we may all need to follow that
In part 2 of our glimpse into the likely/
path to keep ourselves safe
possible future, we hear more predictions
on where our industry might be heading,
in what must be acknowledged as the
most unpredictable of years
FRAUD AND CYBERCRIME
ALL-OUT WAR 37
SOAR IN THE PANDEMIC 34
Espionage, fraud and ransomware were
According to the Action Fraud team, which
the big weapons of choice in 2020, with
covers activity in England, Wales and
the UK's National Cyber Security Centre
Northern Ireland, covid-related fraud and
having to handle a record number of
cyber security incidents
cybercrime amassed a staggering sum of
£34.5m in stolen money in the 12 months
from 1 March last year.
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk
4

Advanced data security for mobile data
with encrypted USB sticks and SSDs
Ask an Expert today
If you’d like to discuss your specific storage needs with one of our experts to
ensure you are working securely on the go, email: techexperts@kingston.eu
#KingstonIsWithYou
© 2021 Kingston Technology Europe Co LLP and Kingston Digital Europe Co LLP, Kingston Court, Brooklands Close, Sunbury-on-Thames, Middlesex, TW16 7EP, England.
Tel: +44 (0) 1932 738888 Fax: +44 (0) 1932 785469 All rights reserved. All trademarks and registered trademarks are the property of their respective owners.

new-world shake-up
HOW AN IT ASSET UPGRADE COULD BE AN OPPORTUNITY
FOR BUSINESSES TO TACKLE DATA SECURITY
ROBERT ALLEN, DIRECTOR OF MARKETING & TECHNICAL SERVICES AT KINGSTON TECHNOLOGY EUROPE,
LOOKS AT THE FRESH CHALLENGES THAT HYBRID WORKING WILL BRING AND HOW THEY CAN BE MET
Robert Allen, Kingston
Technology Europe.
For the first time in history, working
remotely became mandatory (if
possible to do so) during the first
lockdown restrictions of 2020, due to
Covid-19. It is certain that many businesses
are now thinking of allowing flexible
working after the restrictions will finally
be lifted.
Although the rollout rhythm of
vaccinations is stepping up the pace, a
better work-life balance for employees and
savings on costs for businesses are the main
motivators for this new strategy approach.
Not fully coming back to the office as we
used to do before and adopting this new
hybrid working environment, though, will
come with additional challenges - one of
them being how to improve employee's
equipment where productivity is affected
by IT hardware at the end of its lifespan.
With businesses now trying to 'do more
with less' and with their overall budgets
reduced, they need to think of another
approach regarding how to face it and the
decision may come to upgrade, rather than
replace, some or all affected hardware. By
doing so, they are also embedding circular
economy value principals by optimising the
assets they already have and getting more
out of their existing technology
infrastructure.
STEPPING UP LAPTOP
AND PC PERFORMANCE
Memory and SSD upgrades offer costeffective
means to significantly increase
laptop and PC performance. Just to give a
couple of examples, a memory improvement
could help the system operate much faster
and define the quality of video calls, as well
as supporting the ability to multi-task with
6
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

new-world shake-up
slides and sharing screens and media when
presenting, all of them critical when working
from home.
Likewise, replacing a traditional hard disk
with an SSD results in much quicker boot and
application load times, which can again
improve responsiveness considerably. This can
go a long way to solving frustration with older
computers, so team members will be able to
get on with their jobs easier.
What's more, compared to their hard disc
counterparts, SSDs offer better reliability,
cooler and quieter running, all while
consuming less power. Kingston's entry-level
SSDs are 10x faster than a spinning hard
drive. We are now seeing the next SSD
evolution from SATA to NVMe. With this
approach, businesses can enable costoptimised
incremental innovation that
grows when they do.
The other challenge is to improve data
security while working from home. It is not
the same to be connected to the internet at
home as when doing that in the office's
premises. The first group is exposed to major
security risks. So, the first thing would be to
ensure that the employees are connected
through a VPN, and verify the IT equipment
they use has the latest operating system and
an updated antivirus software.
TWO-FACTOR AUTHENTICATION
AND HARDWARE ENCRYPTION
Business computers should have minimum
security levels implemented by IT specialists,
like, for example, a two-factor authentication
to the system. They should be equipped with
encrypted SSDs, and the use of encrypted
USB drives for transferring data should be
mandatory. These two solutions would allow
a safety storage for employees while working
remotely and the data they are handling
would be secure whilst having immediate
access to it.
Especially with a hybrid work environment in
mind as a feasible setting for the future,
where the work will be carried out combining
both at home and back to the office premises,
the human factor still plays a singular role,
and it could be even easier to accidentally
mishandle customer data while commuting
between one place and the other.
Encryption could be built into the operating
system, but software encryption incurs a
processing performance hit that can slow
down a computer, particularly when used on
external storage devices.
Alternatively, hardware encryption built
directly into a storage device shifts the load
away from the computer and keeps data
secure in the background. Neil Cattermull,
CEO at The Future as a Service and key
security influencer, agrees - "hardware
encryption built into the drive itself offers
better overall performance and more robust
security".
Hardware encryption offers more robust
security measures than software encryption
alone, since the encryption and authentication
process stay within the device itself, rather
than separating it from the rest of the system.
The time it takes to encrypt/decrypt the
information is far shorter when using a
hardware-based encrypted device than when
using software encryption. This means that
the encryption process is not taking valuable
bandwidth away, which gives a further
performance boost for other applications with
less time to encrypt and decrypt the data.
FUTURE-PROOFING THE IT ESTATE
The perfect solution then would be to replace
older equipment with encrypted SSDs, which
would boost performance of older devices,
while protecting the corporate data at the
same time - a cost-effective way of
futureproofing the IT estate, as well as
offering performance benefits while also
providing a further tool to enhance the
business security policy. If the use of encrypted
USBs were also added as an additional layer
of security to mobile data, businesses would
be able to ensure their corporate data are
protected in the shift from home working to
even more mobile working.
Also, in the event of lost or stolen devices,
confidential data would remain safe.
Encrypted devices wouldn't be accessed by
unauthorised people and enterprise set-up
would allow IT admins to remotely wipe the
data on the encrypted USB or encrypted SSDs.
In the process of implementing an asset
refresh, though, it is key to ensure the process
is handled through a trusted partnership.
Having the right technology in place matters,
but it matters most to receive the right advice
from experts with more than 30 years'
experience in the field. Our 'Ask An Expert'
approach is focused on facilitation, guiding
businesses through the choices available,
given their specific technology infrastructure
context.
SECURE WORKING
With the storage market, choosing the right
solution for a given problem may not be
straightforward, considering the technical
requirements involved. Kingston is with you to
secure your data, no matter what your specific
storage environment might be, to ensure your
business is working securely both remotely
and on the go. This is a philosophy that
applies to the company's full portfolio to
communicate the advice, support and high
quality our products offer, highlighting the
pre-sales advice service and the after-sales
support customers can expect.
The gradual shift to WFH that we will see
coming to stay in the future is a good time to
consider simultaneous improvements to data
security and better storage performance.
Choosing to upgrade is a way to roll out
encryption across an organisation, without
the need to invest in an entirely new
computer, and we will continue supporting
businesses, whatever their security and
storage needs are.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2021 computing security
7

masterclass
YOU DON'T HAVE TO PREDICT
THE FUTURE TO BE MORE SECURE
WHEN MAXIMISING YOUR SECURITY IMPROVEMENT EFFORTS, LOOK AT THE HERE AND NOW,
RATHER THAN WHAT MAY LIE AHEAD, ADVISES PAUL HARRIS, CEO, PENTEST LTD
sometimes basic attack techniques. The
OWASP Top 10 (Web Application Security
Risks) is a perfect example of how little
security risks have truly changed over time
and the top two web app vulnerabilities
identified in 2010 are still the top two
web app vulnerabilities in 2021 (Injection
& broken authentication). But it's not just
these top two; many of the issues
identified in 2010's top 10 list are still
around today.
Every year, usually around December,
companies and experts like to predict
what the year ahead will have in
store for their industry. Information
security is no different and you only have
to Google 'cybersecurity predictions 2021,'
to find a whole host of top 10 lists,
articles on upcoming security trends and
the emerging threats to watch out for.
These predictions often focus on new
and exciting technologies, increases
in certain attack techniques, the
continuation of key trends from the
previous years and potential shifts in
the approaches taken by organisations
to ensure they are protected.
But when it comes to information
security ,it seems things don't change too
much. Next year always seems to be the
year infosec gets taken more seriously
within organisations: 2021 is predicted
to be a 'big' year for ransomware (so was
2019 & 2016), phishing attacks will
become more sophisticated (they always
do), remote working concerns will
continue to be important (like they were
last year), attacks on IoT devices look set
to intensify (more devices = more
attacks), cloud security will become more
of a concern (see last year and the year
before that) and, of course, there's the
continued 'rise' of AI, machine learning,
quantum computing etc.
THE WRONG PATH?
Trying to predict the future has its place,
and every business should be considering
the potential opportunities and threats
that the future could present, but when
it comes to security improvements,
predictions and hype can often send us
off down the wrong path, focusing
our efforts on threats, approaches or
technologies that may never come to
fruition.
No matter what the predictions,
one thing will always be for certain:
organisations will continue to be
compromised using known and
Sensitive data exposure, broken access
controls, security misconfiguration,
cross-site scripting flaws, the use of
components with known vulnerabilities,
people using 'Password123!'. These aren't
new or upcoming issues, they've been
highlighted as critical security risks year
after year, yet they still show up in our
testing time and time again.
Yes, thinking about new tech, new
solutions and new approaches is exciting
and, yes, these may help improve your
security posture, but there will never
be a single silver bullet solution. AI and
machine learning are exciting prospects,
but they won't solve all our security issues;
attacks will change and adapt, like they
have always done.
So, if you're looking to maximise your
security improvement efforts, it's often
more effective to look at the here and
now, rather than look to the future.
Getting the basics right is still the fastest
route to raising the defensive bar,
ensuring your current set-up is protected
against existing and known threats before
moving on to consider what may, or may
not, happen in the future.
08
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

Computing
Security
Secure systems, secure data, secure people, secure business
e-newsletter
Are you receiving the Computing Security
monthly e-newsletter?
Computing Security always aims to help its readers as much as possible to do
their increasingly demanding jobs. With this in mind, we've now launched a
Computing Security e-newsletter which is produced every month and is available
free of charge. This will enable us to provide you with more content, more
frequently than ever before.
If you are not already receiving this please send your request to
christina.willis@btc.co.uk and advise her of the best email address for the
newsletter to be sent to.

view from within
GREAT AMERICAN CYBER RECOVERY IN PERIL
THERE HASN'T BEEN MUCH GOOD NEWS IN CYBERSECURITY LATELY, STATES IAN THORNTON-TRUMP,
CISO, CYJAX. HIS TAKE, BELOW, ON RECENT EVENTS REINFORCES THAT TO A WORRYING DEGREE
In the first three months of 2021,
organisations were exposed by 0days
in Microsoft Exchange and Accellion's
secure file transfer appliance, and there
have been revelations of three more
malware strains related to the
SolarWinds Orion product. This brings
the total number of malware related to
Orion to eight, including some that have
been attributed to both Russian and
Chinese operatives.
Just before we turned the dial to 2021,
we ended the year with a chilling statistic
from McAfee and the Centre for
Strategic and International Studies
(CSIS): "Cybercrime costs the world
economy more than $1 trillion, or just
more than one percent of global GDP,
which is up more than 50 percent from a
2018 study that put global losses at
close to $600 billion." Given the action
this year already, that figure is only likely
to rise.
HAVE WE HIT ROCK BOTTOM
IN CYBERSECURITY?
This is a hard question to answer, but the
signs for cybersecurity, in my estimation,
all point to an unsustainable situation.
For the people who suffered as a
result of the Texas winter
storm, there is a 50-
billion-dollar
bill attached
that now
has to
be
dealt with. While that event which had
little to do with a cyberattack, I mention
it here to provide some perspective - the
climate and cyber spheres have far more
in common than we think and are under
a sustained global threat.
It was not a widespread cyberattack
against the national critical infrastructure
of Texas that left thousands without
power and water (as far as we know).
In fact, the failure in Texas was of a far
more human nature: lawmakers also
failed to pass measures over the past
two decades that would have required
the operator of the state's main power
grid to ensure adequate reserves to
shield against blackouts, provided better
representation for residential and small
commercial consumers on the board that
oversees that agency and allowed the
state's top emergency-planning agency
to make sure power plants were
adequately 'hardened' against disaster.
DRAWING A LINE FROM
TEXAS TO CYBER
Thankfully, we have not seen cyberattack
that has resulted in tens of billions of
dollars of damage - or have we? So far,
the most impactful cyberattack has been
relatively accurately measured at $1.3
billion in losses that Maersk has claimed
from its insurers following the NotPetya
attack that hit its computer networks.
It remains to be seen if this amount will
ever be paid (at least as I write), since
insurance companies are suggesting
NotPetya was a "hostile act amounting to
a war or terrorist attack" and therefore
10
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

view from within
denying coverage under some Merck
policies.
On 16 August 2017, 128 countries
signed The Minamata Convention on
Mercury, which is an international treaty
designed to protect human health and
the environment from anthropogenic
emissions and releases of mercury and
mercury compounds. The vast majority of
these emissions were caused by individual
and small gold mining operations, even
though organic mercury compounds
were first described in the 1800s, with
fatal cases of mercury poisoning reported
in 1865.
Despite all kinds of clinical evidence
from the 1900s onwards and regulatory
safeguards established in the 1960s and
1970s, which were largely ineffective, the
consensus after 156 years is: 'Mercury is
bad for the environment and bad for
humans.' In a word, it's 'toxic'.
The story of cybersecurity, or rather the
lack of it, is like the demoralising story
of mercury, and it's my hope that we
reach a broad understanding that
poor cybersecurity is also bad for the
environment and bad for humans in
a lot less than 156 years.
Like the human desire to risk mercury
poisoning in the pursuit of physical gold,
we are Bitcoin mining virtual gold by
burning energy at an alarming rate, with
a high likelihood of future toxic
environmental effects, from directly and
indirectly by facilitating cyber ransoms.
BITCOIN SHOCKWAVES
An article in the BBC technology section,
with the headline 'Bitcoin consumes more
electricity than Argentina', ran on 10 Feb
2021 and did not receive nearly as much
attention as it deserved. Buried within the
article, however, was arguably an even
more sinister detail.
According to David Gerard, quoted in
the article: "Tesla got $1.5bn in
environmental subsidies in 2020, funded
by the taxpayer. It turned around and
spent $1.5bn on Bitcoin, which is mostly
mined with electricity from coal. Their
subsidy needs to be examined." It
certainly should be, as Tesla's purchase
propelled the virtual currency to
unprecedented new values making
roughly $1 billion in profits from its
investment into Bitcoin, according to
some estimates.
Earlier this year, aerospace firm Dassault
Falcon Jet suffered an extensive data
breach by the Ragnar Locker ransomware
operators. The attackers had remained
hidden on the company's network for
more than six months, having used the
'Shitrix' vulnerability (CVE-2019-19781) to
gain persistence on the network. They
then started encrypting the data on 7
December 2020, after exfiltrating the
data steal it before encryption.
EXPLOITATION AND RANSOMWARE
The cybercriminals demanded $2 billion
in Bitcoin as a ransom. Exploitation
and ransomware are the unfortunate
consequences of being online, but, as
I alluded to earlier, there are far more
impactful cyberattacks capable of
inflicting millions, if not billions, in
damages.
Take, for instance, this attack in 2013:
'AP Twitter hack causes panic on Wall
Street and sends Dow plunging.' During
the three minutes that the 'fake tweet'
was circulating, it wiped $136 billion in
equity market value. About an hour after
it was over, a group of hackers who cause
trouble in support of Assad, an informal
collective known as the Syrian Electronic
Army, claimed responsibility for the
attack. What perhaps is most concerning
is when one tweet by a celebrity on 21
Feb 2018 could inflict a loss of $1.3
Ian Thornton-Trump, CISO, CYJAX.
billion out of the market capitalisation
of Snap. For those in western nations
advocating a potential military cyber
response to Russian cyberattacks on
SolarWinds and Chinese attacks on
SolarWinds and Microsoft, they may
have forgotten just how precarious a
digital world we live in. Let's hope we
back away from 'cyber war drums' before
we are shown precisely how vulnerable
we really are.
ENTERING THE ERA OF CYBER
DISASTER CAPITALISM
It's a sad state of affairs if we invest
millions of dollars in cybersecurity and
yet billions of dollars of damages can be
inflicted by a tweet, because of the
precarious digital environment we have
created. Naomi Klein writes: "The appetite
for easy, short-term profits offered by
purely speculative investment has turned
the stock, currency and real estate
markets into crisis-creation machines." In
a 2018 opinion piece on Bitcoin, Klein's
labelling of some of the cryptocurrency
industry's leading figures as "tax dodgers"
www.computingsecurity.co.uk @CSMagAndAwards May/June 2021 computing security
11

view from within
seemed eerily to foreshadow the recent
2021 indictment of John McAfee and an
associate related to cryptocurrency
promotional activities.
Given the current state of affairs,
wherever, increasing opening up of
business systems seems inexorable, 0day
vulnerabilities in Microsoft exchange,
Accellion and others demonstrate that we
are facing both a cybersecurity crisis and
a broader tech industry crisis.
Anyone looking at the problem as an
exclusively cybersecurity problem is not
seeing the whole picture. "In early 1970,
as a result of heightened public concerns
about deteriorating city air, natural areas
littered with debris and urban water
supplies contaminated with dangerous
impurities, President Richard Nixon
presented the House and Senate a
ground-breaking 37-point message on
the environment."
It is once again time for American
leadership, with the UK, EU and other
Western nations supporting President
Biden, in introducing an aggressive cyber
protection-focused legislative agenda
empowering a 'Cyber Protection Agency'.
We need to see the kind of global
enforcement powers that the EPA
unleashed against Volkswagen.
"Volkswagen said its 2015 diesel cheating
scandal has cost it 31.3 billion euros (USD
$34.69 bn) in fines and settlements." And
in 2017, the US-based VW executive Oliver
Schmidt, who oversaw emissions issues,
was sentenced to seven years in prison and
fined $400,000, the maximum possible
under a plea deal the German national
made with prosecutors after admitting to
charges of conspiring to mislead US
regulators and violate clean-air laws.
The solution for the tech industry, and its
related cybersecurity problem, is simple:
hold organisations and individuals
accountable for cybersecurity by requiring
adherence to an aggressive regulatory
framework. There is already a model for
this in the environmental and financial
services protection frameworks: they may
not be perfect, but, as they say, "perfect is
the enemy of good/better" and what we
need right now is something to clean up
the global cyber environmental mess we
have created. The last twenty years of
letting the 'cyber market decide' has
managed to make us ever more
vulnerable. Something has to change.
Cyjax constantly monitors the internet looking for data
relevant to your organisation’s security posture and
reputation.
ADVANCED THREAT INTELLIGENCE
Accurate, Timely and Actionable. Our threat
information is augmented and processed by security
cleared analysts. Bespoke information on the risks
unique to your business displayed in a comprehensive
threat intelligence dashboard.
Put our eyes on your risks. Speak to us today.
+44 (0)20 7096 0668 info@cyjax.com www.cyjax.com

FULLSTACK VULNERABILITY MANAGEMENT
CONTINUOUS VULNERABILITY
INTELLIGENCE
Accurately identifies vulnerabilities
and exposures across the full stack.
All threats are verified by
cybersecurity experts, providing
exploitable risk and remediation
guidance.
“The expertise and
delivery of this service
has been outstanding...”
SECURITY AND RISK MANAGEMENT,
MEDIA INDUSTRY, 30B+ US
2020

Security Operations Centre
PUT A SOC IN IT!
A SECURITY OPERATIONS CENTRE (SOC) HAS BECOME ONE OF THE
VITAL COMPONENTS OF A WELL-ROUNDED CYBER SECURITY PROGRAMME
ASecurity Operations Centre (SOC)
has become one of the vital
components of a well-rounded
cyber security programme, not only in
large scale organisations but increasingly
in SME organisations who are now
beginning to manage their cyber security
risks more seriously.
In this article, Steve Usher and Rob
Treacey, of Shearwater Group plc, not only
provide a brief insight into the
organisational need for a SOC but also
help to define what they think a good SOC
looks like as well as the advantages and
disadvantages of running a SOC in-house
versus outsourcing it through a Managed
Security Service Provider (MSSP).
IT AIN'T FICTION, JUST
A NATURAL FACT
One only has to look at some of the facts
and figures from reputable, research
sources in 2020 alone to understand
why there is an ever increasing need
for organisations to consider deploying
a SOC.
72% of enterprises lack internal
capability for threat management.
Source: Everest Group Market Trends 2020
37% of enterprises have already
outsourced their SOC requirements
to 3rd party MSSPs.
Source: Everest Group Market Trends 2020
The UK National Cyber Security Centre
(NCSC), handled 723 incidents
between 1 September 2019 and 31
August 2020. In the previous three
years, it handled an average of
602 annual incidents.
Source: UK National Cyber Security Centre - 4th
Annual Review 2020
I NEED YOU, SO STOP HIDING
Some senior leaders are still choosing to bury
their heads in the sand in the hope that they
will not fall victim to a cyber incident. Cyber
security threats are not about to disappear
anytime soon, they will continue to grow and
evolve. Various factors are driving the need
for a SOC, notably:
A Changing Threat Landscape: The threat
landscape is getting broader, more advanced
and malicious with the adoption of cloud,
mobile and IoT technologies. With this
adoption, there is no longer a clear
demarcation between an organisation's
internal and external network.
Increased Complexity: The threat
environment is becoming more complex and
advanced with coordinated and adaptive
attacks.
MY DEFINITION IS THIS
The SOC acts as a nexus as it melds together
the systems and personnel responsible for
providing, maintaining, investigating, and
responding to cyber security events within
an organisation.
It works closely with all cyber security
staff, especially security engineers, who
maintain, troubleshoot and deploy security
technologies. It should also work closely, or
even overlap, with the Incident Response (IR)
team, as most of the time the SOC will be
directing the IR team when dealing with
incidents. Additionally, the SOC plays an
advisory role to technology related teams,
such as the vulnerability management and
cloud technology teams.
GOOD THING, WHERE
HAVE YOU GONE?
What makes a good SOC is subjective. Core
components are universal, such as a well
configured SIEM or log management system
as well as the ability to monitor various
security products that are deployed
throughout the network. Other components
are down to the organisation using the SOC.
An incident management system along with
a SOAR (Security Orchestration, Automation,
and Response) and EDR (Endpoint Detection
and Response) are highly desirable, whereas a
TIP (Threat Intelligence Platform) can be
extremely useful to organisations who have
a mature SOC. Threat intelligence feeds can
also be used to enrich the information in
SIEM and assist with the detections and
reactions to the runbooks in SOAR. These can
also be fed into firewalls, IPS units, and other
technologies that ingest API feeds.
Depending on the stated goals of the SOC,
various other services may be considered. BAS
(Breach and Attack Simulation) services can
be deployed on a continuous basis to ensure
any issues reported by penetration tests, or
red team engagements, are mitigated and
remain mitigated though product updates
and changes to policies.
SOC staff may come from diverse
backgrounds, but there are also common
personality traits that should be considered
and nurtured. Curiosity is one of these traits,
along with a drive to constantly learn and
expand knowledge.
Staff can specialise in multiple disciplines,
including threat hunting, threat modelling,
malware analysis and threat intelligence, to
name but a few. Having a diverse range of
skills and backgrounds can be extremely
14
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

Security Operations Centre
advantageous to the overall efficacy of the
SOC. It is no secret that there is a shortage
of experienced security staff and this is no
different when looking for experienced
SOC staff and managers.
It is important to take time to find the right
personnel and realise it will take time. Truly
experienced and knowledgeable staff want
to work for an organisation with appropriate
cultural values, who provide them with a
competitive salary and sufficient training.
INSIDE OUT
For organisations who are looking to
establish an in-house SOC or are looking to
outsource to an MSSP, that provides a
SOCaaS (Security Operations Centre as a
service), here are some pros and cons to
consider: -
PROS
Cost: A SOCaaS generally has a single
monthly fee with no office space, equipment,
staff salaries or training costs
to consider.
High Quality and Experienced Staff:
Experienced SOC staff invariably demand
a high salary and are becoming increasingly
harder to find. Using a SOCaaS not only
negates the headache of finding and
retaining high quality staff but also the
training they will expect.
New Technologies: Can be adopted faster
due to the ability of an MSSP to recruit staff
quicker, train them more efficiently, and
move staff around while others dedicate time
to learning new technologies and products.
24/7 Monitoring: Can be performed using
shift work and global locations. For an
internal SOC, finding quality staff to work
unusual hours, such as overnight, is not only
difficult but extremely costly. Provided the
organisation, utilising the SOCaaS, has the
ability and desire to respond to any threats,
found outside of normal working hours, this
aspect of the service is vital.
CONS
Access: High level access will need to be
provided to the SOCaaS, as a third party
provider, which opens up an organisation to
an additional vector of attack. Access can
include domain admin accounts, local admin
accounts, multi-factor authentication tokens
as well as access to sensitive or valuable
information on an organisation's network.
Response Times: Response times from a
SOCaaS could be slower due to the time is
takes for the alerts, logs and events to arrive
at the SOCaaS. Also, SOCaaS are generally
governed by SLAs and should the SOCaaS
have numerous customers and become busy,
then urgent alerts / incidents will be triaged,
irrespective of the customer.
ALL I KNOW AT THE END
OF THE DAY
So whether your organisation is considering
deploying a SOC, or has already deployed
one, remember that not all SOCs are created
equal. Consider a SOC that takes your
organisation on a journey of continuous
improvement; has highly skilled resources; is
flexible and agile and constantly evolving;
leverages best in class products; has global
capability and most importantly, aligns with
your organisation's cyber security risk
appetite. If you do not have the capability or
budget to establish a SOC internally, consider
outsourcing it to a trusted MSSP.
………………………………………………
About the authors:
Steve Usher is a Senior Security Analyst at
Brookcourt Solutions, which is a reseller
and integrator of cyber security solutions.
Rob Treacey is Managing Director of
Technology Risk Management at Xcina
Consulting, which helps organisations
strengthen their security posture.
Both Brookcourt Solutions and Xcina
Consulting form part of the broader
Shearwater Group plc.
Rob Treacey, Managing Director of
Technology Risk Management at Xcina
Consulting.
Steve Usher, a Senior Security Analyst at
Brookcourt Solutions.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2021 computing security
15

ansomware attack
DARK DAYS IN BATTLE AGAINST CYBERCRIME
THE HIGHJACKING OF A U.S. FUEL PIPELINE BY CYBER-CRIMINAL
GANG DARKSIDE IS A HARBINGER OF DEEPLY WORRYING TIMES AHEAD
Steve Forbes, Nominet: declaration of a
state of emergency, due to cyber-attack,
could become the new normal.
The US government issued emergency
legislation after its largest fuel pipeline
(the Colonial Pipeline) was hit by a
ransomware cyber-attack. The pipeline was
swiftly taken offline after the attack that has
been widely attributed to the cyber-criminal
gang DarkSide.
As well as encrypting the data, Darkside
also threatened to leak the data online, if
the ransom wasn’t paid. The shutdown
disrupted gas supplies along the East Coast
and caused panic buying, leaving some gas
stations without fuel. Service to the entire
pipeline system was eventually restored.
Steve Forbes, government cyber security
expert at Nominet, had this to say about the
domino effect of CNI attacks on this scale:
"The declaration of a state of emergency, due
to cyber-attack, could become the new
normal. With the largest fuel pipeline in the
US grinding operations to a halt, due to a
ransomware attack, the attack on Colonial is
likely to have a ripple effect across the globe.
"The attack will be a stark reminder of how
connected our world now is. While the
demand for oil across the US East Coast
was evident, the fact that this greatly
impacted the financial markets and traders
demonstrates that this really was the tip of
the iceberg. That's not to mention the fact
that the severity of this breach could well
worsen, if confidential information is leaked,
as the group has threatened.”
Being able to take systems offline and
begin a process of restoration is undeniably
important, he adds, but warns there is an
additional threat, if this data is exposed. “It
underlines the importance of international
collaboration to bring down these highly
coordinated groups early in their
development, if we want to protect our
critical services.”
Chief product and development officer at
Ava Security, Ran Pugach, says the Colonial
Pipeline incident highlights the increasing
risk that ransomware is posing to critical
national industrial infrastructure and the
physical consequences that these attacks
can have on society. "Especially with more
than 90% of attacks involving human error,
according to the UK's Information
Commissioner's Office, securing critical
national infrastructure against social
engineering attacks is essential. We've seen
similar attacks like this, when the Florida
water treatment facility was hacked
through TeamViewer.
"In order to prevent ransomware attacks
like this, organisations need to embrace a
new approach built around the user, as the
rise of remote working makes us more
exposed than ever. Hackers are experts in
social engineering and will use whatever
information they can to leverage multiple
entry points or avenues to achieve their
goals. This can be through malicious emails
or suspicious websites."
A preventive approach to ransomware
protection leverages user education and
cyber awareness, Pugach adds. "Installing
end-point detection and response tools
is a good first step. These solutions are
essential in helping not only to salvage the
situation, but also to be able to investigate
and understand where the vulnerability
was and how to prevent it in the future.
Nevertheless, such solutions have to be
complemented with further safeguards
that can capture anomalies, understand
and correct user behaviour."
16
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

ansomware attack
Ransomware attacks such as this one
continue to dominate the news, as they
remain a popular tactic for cybercriminals,
says Dr Francis Gaffney, director - Threat
Intelligence & Response, at Mimecast.
"At Mimecast, our recent State of Email
Security report found that 61% of businesses
worldwide have been affected by
ransomware in the past 12 months, which
illustrates how common ransomware has
become. Attacks like this have the potential
to disrupt an organisation and impact its
ability to conduct essential operations or
provide critical services to the community,
which can have significant consequences.
"Our research found that companies
impacted by ransomware lost an average
of six working days to system downtime,
with 37% saying downtime lasted one
week or more. This disruption forces many
organisations to pay the ransom and our
research shows that 52% of businesses did
so. However, only 66% of those were able to
recover their data. The remaining 34% never
saw their data again, despite paying the
ransom."
It is likely that the increase in remote
working played a role in this attack, he
states. "With the rise of engineers remotely
accessing control systems for the pipeline
from home, cybercriminals are able to prey
on vulnerabilities associated with this way of
working to access the organisation's system."
In the past decade, there has been a push
to move more and more Operational
Technology (OT) systems into the IP world,
given that ICS and SCADA networks are
often facsimiles in design, components and
software, regardless of where they are
deployed. "However, the equipment's
defences against threats that are common
today, such as malicious and recreational
hackers, can be lacking, because the dangers
did not exist when the systems were first
installed," adds Gaffney. "This increased
connectivity [for example, via the
proliferation of 5G and the IoT/IIOT] makes
them more vulnerable to cyber-attack."
Organisations must start investing in
cybersecurity preparedness and awareness
training, he advises. "From our research, 43%
of respondents said that employee lack of
cognisance about current campaigns and
wider cybersecurity issues is one of their
greatest vulnerabilities, and yet only one
in five respondents indicated they have
ongoing [more than once per month]
security awareness training in place. It is
recommended that organisations focus
on prevention, rather than cure, by
implementing strong resiliency measures,
and ensure that employees are properly
trained in cyber awareness."
INADEQUATELY PROTECTED
Gareth Williams, VP, Secure Communications
and Information Systems UK at Thales, says
the ransomware attack on the Colonial
Pipeline is a reminder that the operational
technology (OT) that our day-to-day lives
rely on is increasingly becoming a target for
malicious actors.
"This attack serves to confirm that
businesses are not adequately protected
when it comes to OT security and must start
taking cybersecurity seriously and increase
protection across their business," Williams
cautions. "However, building a cohesive
approach to securing your OT can
sometimes be an engineering challenge
as much as a cyber one, so teams cannot
approach this in the same way they would
IT security - it's a different ball game and
critical national infrastructure is at stake. "
One of the first steps on this path is
identifying where data is held, but also who
and what applications, and code, are trusted
to access it. "In doing this, rogue code, such
as ransomware, will be unable to weave its
way onto a database to encrypt it and gain
control of the data."
Francis Gaffney, Mimecast: likely that the
increase in remote working played a role
in this attack.
Ran Pugach, Ava Security: organisations
need to embrace a new approach built
around the user.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2021 computing security
17

AI & ML
THE REAL AI REVEALED
CAN AI HELP TRANSFORM THE SECURITY INDUSTRY, MAKING IT SHARPER, WISER AND LESS VULNERABLE?
AI is a very popular, often misused,
buzzword right now. Not unlike big
data, the cloud, IoT and every other
'next big thing', more and more companies
are looking for ways to jump on the AI
bandwagon. But how many of today's AI
offerings actually meet the AI test? While
they may use technologies that analyse data
and let results drive certain outcomes, that's
not AI; pure AI is about reproducing
cognitive abilities to automate tasks.
Matti Aksela, vice
president -
Artificial
Intelligence,
F-Secure,
says he
can see the interplay between AI/ML and
cyber security as having three angles. "Not all
security companies address all three," he
states, "nor do they necessarily need to, but I
do think they are all worth consideration."
First, AI/ML can be used for better cyber
security. "There are obvious use cases in
improving detection and response solutions
by having machine learning-powered
detections and then also automated
responses taken - when appropriate.
Sometimes, the right action is to pull the
human into the loop, but not always;
sometimes quick action with limited risk is
the correct approach - for example, to stop a
data exfiltration attempt or simply collect
more information from a process before it
stops and is no longer accessible.
"We can build better security products with
the help of AI/ML, but we can also improve
our own processes as security companies and
utilise the vast amounts of data that we have
to take the right actions towards our
customers better. As an extension to the
scope of what is feasible for security
solutions, F-Secure is exploring the use of
collaborative intelligent agents in 'Project
Blackfin'."
The second perspective he singles out is the
offensive use of AI/ML. "In addition to
needing to be prepared for the inevitable rise
of AI-powered attacks, security companies
can use the technology to help customers
prepare to face attacks more effectively via
AI-assisted red teaming - not even to
mention how much better we can train
defensive systems to protect our customers."
Last, but not least, is the perspective on
security of AI/ML. "There are many AI/ML
models out there and sadly few of them are
secure. Take this from a person who has
moved to cyber security after a couple of
decades of making a living researching and
building machine-learning solutions. To say
that security is often an afterthought is being
optimistic - it is usually not even thought
about at all."
But AI/ML models are susceptible to attacks
that are different from traditional
cyberattacks, Aksela adds, in the sense that
they don't require breaching the system -
machine learning can be manipulated just by
manipulating the data. "And this can have
very dire consequences, especially in AI
systems that interact with the physical world,
like autonomous vehicles or drones. We
believe this is one of the key areas receiving
too little attention and have been working to
develop methods to improve the security of
ML/AI over their entire lifecycle. Secure AI/ML
is the foundation for trustworthy AI/ML and
we need AI/ML that can be trusted to reach
the full potential of AI."
GREATER RISK EXPOSURE
Even after the lockdown lifts, it's likely that
hybrid working is here to stay. However, one
of the consequences of this shifting security
perimeter is that businesses are far more
exposed to the risk of data leaks and other
malicious threats, cautions Camille
Charaudeau, VP product strategy at digital
risk protection company CybelAngel.
"Data is now being shared and stored on
more devices and collaborative applications
than ever before and, as employees are at
home unsupervised, it can be harder to have
the normal security checks in place. When
staff use devices or applications not
managed or sanctioned by the IT
department, the security perimeter
consequently becomes more porous,
18
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

AI & ML
increasing the attack surface and introduces
more points of vulnerability through which
attackers can take advantage. Data that's
leaked or breached can wreak havoc, as
hackers use this data to launch phishing
attempts. This can be from fake websites
using malicious domains to resell company
credentials on the Dark Web, or can exploit
vulnerabilities on exposed, shadow assets."
To mitigate the risk, IT teams need to
ensure that new applications installed aren't
forgotten and that sensitive business data is
not entered into ad hoc apps, breaking
corporate security policies," he advises.
"Better cross-functional collaboration
between IT and staff is mandatory to
decrease the amount of Shadow IT assets
and protect against vulnerabilities. Educating
staff on good cyber hygiene is a simple way
to minimise these dangers."
Most importantly, businesses must
understand what sensitive data is beyond the
security perimeter. "They must have the tools
and resources to detect whether their thirdparty
infrastructure, shadow assets or critical
datasets may have leaked across the internet
from open databases to cloud apps,
connected storage devices and Dark Web
forums," adds Charaudeau. "Comprehensive
24x7 monitoring is the minimum
requirement here and the speed to detect
sensitive vulnerabilities is the difference
between damage limitation or a major
breach; security teams must have actionable
intelligence, free from false positives to act
effectively and resolve the issue."
MAKING A DIFFERENCE
The cybersecurity industry has a challenge.
Spending continues to soar, with the market
predicted to be worth nearly $175 billion by
2024. "Yet it's debatable whether
organisations are becoming any more
secure," says Craig Hattersley, CTO, SOC.OS.
One report from January claimed that the
number of exposed and compromised
records in 2020 soared 141% year-on-year to
top 37 billion. "To many, AI is the technology
that will finally win us the cyber arms race."
While they're undoubtedly wrong, he adds,
and in fact AI in its truest sense is only being
used by a handful of vendors, there are some
potential applications where it could make a
difference. Notably, in helping analysts make
sense of the chaos of alerts flooding into
Security Operations Centres (SOCs). "The
cybersecurity market is swamped with
vendor marketing messages proudly
explaining their AI credentials. It's a shame,
because overuse of the term has diluted its
meaning for the real innovators out there -
the research institutes and pioneering
vendors that are genuinely tapping the
power of AI in cutting edge use cases. I'd
estimate that only around 5% of vendors
today can legitimately claim to be in this
select group."
On the plus side, he adds, "this probably
means the bad guys don't have access to
genuine AI technology yet either. There's a
world of difference between using clever
algorithms in attacks and recruiting university
graduates to write complex neural network
programs. I'd be surprised if even nation
states are creating novel AI, as opposed to
reusing existing technology".
Yet when it comes to threat detection and
response, there are opportunities to use AI -
specifically to address the common challenge
of alert overload. "Many organisations today
are running multiple security tools, where
the default setting is to sound the alarm,"
adds Hattersley. "This kind of hair trigger
approach seems like a deliberate calculation
by the vendors themselves - better to issue
an alert than be accused of missing
something. However, the end result is a
deluge of false positives, which overwhelms
SOC teams."
Here's where AI could play a role, he
believes - in trawling through all of this data,
across all of these platforms, and
Sebastien Goutal, Vade: achievements of
AI - and especially of Deep Neural
Networks - are real and spectacular.
Matti Aksela, F-Secure: security teams must
have actionable intelligence, free from false
positives.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2021 computing security
19

AI & ML
Keith Driver, Titania: AI should be applied
where it adds the most value and creates
the fewest problems.
Craig Hattersley, SOCOS: overuse of the term
AI has diluted its meaning for the real
innovators out there.
understanding contextually when an alert is
not valid. "And, by the same token, flagging
when one is. Humans simply don't have the
capacity to process millions or even billions
of logs like this each day. The need a
superhuman assistant to provide that holistic
monitoring and intelligence for them."
He points to how, in military history, the
advent of real-time battlefield
communications was a major breakthrough.
"It enabled information to be centralised
from disparate outposts for informed
decision-making. The same must happen in
this modern-day cyber context. At the
moment, many organisations are still at the
stage of building those security 'outposts' -
getting the right sensors and monitoring
tools in place. We're still some way from
using AI to make better informed decisions
with this data. But when it comes, it could
have a huge impact on the effectiveness of
SOCs and the productivity of the analysts
that staff them."
DETECTING, RESPONDING AND
REMEDIATING THREATS
Data security is a priority for all organisations
today and when an organisation loses data,
whether accidental or as a result of a
cyberattack, the repercussions are endless:
from damage to brand, loss in customer
trust, loss in revenue and significant
regulatory compliance fines, points out Denis
Borovikov, CTO & Co-founder of Synthesized.
"As a result, organisations are deploying new
cutting-edge AI technology to detect,
respond and remediate threats. However,
what is even more interesting is the proactive
approach data-driven companies are taking
to ensure their data is safe to begin with,
without impeding innovation.
"One emerging AI privacy-preserving
solution that is gaining prominence is datasynthesis
technology, which generates
synthetic data that models the characteristics
of original data, but doing so in a way that
makes it impossible to re-identify individuals.
Unlike standard synthetic data that can be
susceptible to linkage or attribute disclosure
attacks, these platforms can filter/disable
sensitive data attributes in records, or
conditionally generate data that has a low
risk of being used in a linkage attack, and
reveal too much information about an
individual, he says.
"Unlike traditional anonymisation
techniques such as data masking,
pseudonymisation, generalisation, data
perturbation and data swapping, there is no
1-to-1 mapping between original data and
anonymised data; each new data point is
completely generated 'out of thin air'. In this
way, making the data unusable to
cybercriminals - the risk is completely
eliminated."
When newly created intelligent data is
paired with the use of data clean rooms,
data security is strengthened further. "Data
clean rooms offer a secure and isolated
space in which businesses and their
stakeholders can collaborate, but maintain
full control of their own data," Borovikov
concludes. "As it is tightly integrated with an
enterprise's logging and monitoring tools,
organisations have a full audit of all data
access and movement. In this way, they are
empowered to safely and freely collaborate
over data without fear of disastrous
consequences, should it fall into the wrong
hands."
LINKED DESTINIES
While focusing on AI, it is worth also
mentioning Robot Process Automation (RPA).
They both have a part to play in each other's
destiny. RPA is used to work in conjunction
with people by automating repetitive
processes [attended automation], whereas AI
is viewed as a form of technology to replace
human labour and automate end-to-end
[unattended automation]. Again, RPA uses
structured inputs and logic, while AI uses
unstructured inputs and develops its own
logic. Combining both RPA and artificial
intelligence can create a fully autonomous
20
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

AI & ML
process, according to NICE, whose attended
automation solution, NEVA, is targeted at
bringing people and robots together.
RPA has been on the lips of many across the
IT sector, points out Harel Tayeb, CEO at
Kryon. "With the desire to increase ROI, gain
complete process visibility, raise productivity,
and better employee and customer
experiences, the ability to deploy bots to
automate and scale repetitive business
processes has become a more than intriguing
prospect for CIOs. But it's important to note
that it's not all plain sailing for RPA. Although
these benefits may sound lucrative, they're
automatically made completely redundant, if
security issues emerge after implementation."
When proceeding with the journey of
automating the processes with the greatest
potential ROI, robots are given access to
highly sensitive information. For instance, this
can include customers' credit card numbers,
social security numbers, bank account
numbers and records of financial
transactions. "A veteran attacker can exploit
access to a company's bots, in order to steal
data or gain unauthorised access to systems
and applications, launching a potentially
catastrophic cyberattack. In a worst-case
scenario, cyberattacks have the potential to
become inconceivably detrimental to
businesses, costing millions of pounds and
can even lead to liquidation through
bankruptcy."
By declining to give robots access to these
kinds of confidential information, enterprises
can greatly reduce or even eliminate the
security risks associated with RPA. However,
this move would simultaneously diminish the
key benefits companies stand to gain from
RPA, so it can feel like a Catch 22. Reducing
RPA's benefits would defeat the very purpose
of implementing RPA in the first place.
So, what's the good news? "Well, certain
things are moving in the right direction - and
it's all around compliance, security and
governance," he says. "The ISO 27701 is an
extension standard that builds upon and
enhances that with a framework for privacy
information management systems (PIMS) to
secure and manage personally identifiable
information. ISO 27701 could become the
first widely adopted data privacy standard for
RPA vendors. This framework is essential for
any RPA company doing business in Europe,
due to GDPR, or any other region with similar
data privacy regulations."
TWIN FACTORS
AI application in modern systems is due
primarily to two factors, states Keith Driver,
chief technical officer, Titania: the availability
of powerful compute platforms and the
democratisation of the software ecosystem
surrounding AI implementation.
"AI implies that a facsimile of independent
thought is present in the solution. However,
in security, it is mainly applied to correlation
or anomaly detection tasks, associating
activities and events that could represent a
threat or to identify atypical behaviour or a
network anomaly that needs investigating.
Returning to the definition of intelligence,
these AI implementations are just efficient
algorithms, performing tasks based on
trained and verified models. For the
implementation to meet the meaning of
intelligence, it must adapt to its environment
and still produce meaningful, valid
outcomes."
Here, Unsupervised Deep Machine Learning,
a subcategory of AI, comes closer to the
meaning of intelligence, Driver argues. "In
Deep Learning frameworks, the algorithm
independently selects features from the data
to build a model and deduce characteristics,
such as unforeseen and unexpected patterns
in the data. Deep Learning excels where the
data is consistent in nature and composition,
arrives in large volumes and is difficult, if not
impossible, for mathematicians and data
scientists to identify important features to
include in analysis."
In both cases, the validity of the conclusions
drawn by AI is not absolute, but must be
judged on a probabilistic scale. In safetycritical
systems, this is problematic. "Applying
these definitions to security data, we are in a
fortunate position. While our systems
operate on vast data lakes/streams and need
to return conclusions rapidly to prevent harm
to our data and networks, some inaccurate
results are tolerable, as long as they can be
identified. But their identification costs
valuable skilled human time."
Reducing the number of false positives is a
key goal in the cyber security industry. "SIEM
systems are inundated with false positives,
resulting in operator alarm fatigue and
impacting on their ability to detect real
threats. Keeping the false positives to a
minimum means employing deterministic
technologies to the greatest extent possible,
ensuring that only the hardest problems are
considered for AI-based solutions."
DEFINING AUTOMATION LEVELS
Masaharu Goto, principal research engineer
in Keysight Technologies, also points out that
Machine Learning can be a component of AI,
but it is not AI. "To discuss AI specifically, we
need to start by defining the levels of
automation that are required to meet the
objective. Today's 'AI' is mostly pattern
recognition and automation of
algorithm/parameter selection to optimise its
accuracy."
Machine learning algorithms are classified
into two categories: supervised and
unsupervised, he adds. "Supervised learning is
used to detect known patterns, while
unsupervised learning is best when the goal
is to detect unknown anomalies. Since the
signature created by Trojans is unknown,
unsupervised learning is more useful when
attempting to detect them. Among
unsupervised learning algorithms, clustering
has become an essential tool for analysing
big data in many applications.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2021 computing security
21

AI & ML
Camille Charaudeau, CybelAngel: the
speed to detect sensitive vulnerabilities is
the difference between damage
limitation or a major breach.
Harel Tayeb, Kryon: RPA has been on the lips
of many across the IT sector of late.
"While many implementations of
unsupervised machine learning algorithms
utilising clustering have been developed,
most have been unable to handle large
amounts of waveform data. The issue is that
waveforms are numerical arrays containing
thousands of data points. A waveform
database containing millions of waveform
segments each consisting of thousands of
data points presents a difficult challenge in
terms of data analysis and classification."
Sorting and classifying such a massive
database using conventional algorithms
requires extensive computing resources and
long processing times, states Goto. "Only the
combination of a high-bandwidth highresolution
dynamic current measurement
capabilities and an ultra-fast clustering
algorithm can provide such an efficient
means to identify hardware Trojans."
MAJOR BREAKTHROUGHS
Depictions of Artificial Intelligence in media,
films and TV shows are often misleading and
confusing, says Sebastien Goutal, chief
science officer at Vade. "Today's AI is indeed
very different from Skynet - the self-aware
military super intelligence that took control
of the world in the popular Terminator movie
franchise. However, the achievements of AI -
and especially of Deep Neural Networks - are
real and spectacular, and major
breakthroughs have been achieved recently."
As an illustration, he singles out the defeat
of the world's best Go player Lee Sedol
against Google DeepMind's AlphaGo AI was
a major milestone for AI and the Computer
Science community. More recently, selfdriving
vehicles have drawn a lot of attention
and are expected quite soon.
"The use of AI in cybersecurity is an
interesting topic," he adds. "Threat analysts
and security researchers are quite pragmatic
people and have built technologies to tackle
cyberthreats in many different ways. IP
blacklists, heuristic rules, fingerprints or
signature-based tools, such as Yara, are
widespread approaches within the
cybersecurity community - and there is a
common consensus that there is no perfect
algorithm, and that security is achieved by
combining these technologies together; the
icing on the cake being the end user security
awareness training, so that they become an
active element of the last line of defence."
"So, how does AI fit into the picture? "Well,
classic machine learning algorithms - such as
SVM, Random Forest or Logistic Regression -
have been used and are still being used,
among other things," explains Goutal.
"There is, however, a challenge that limits
their impact: the cyberthreat landscape is
moving constantly and, as such, it is
necessary to re-train these models very often,
and indeed too often.
"This major drawback explains why machine
learning algorithms have not been very
popular in the past within the cybersecurity
community. However, the situation of AI has
changed in the last five years: The Deep
Learning revolution happened, and the
performance of Computer Vision and Natural
Language Processing (NLP) models has
skyrocketed."
How then do you leverage Deep Learning
models to detect cyberthreats? "One way is
to build a Deep Learning-based virtual SOC
operator. For instance, this virtual SOC
operator could detect phishing emails and
webpages, as they rely mostly on visual
features such as textual content, the targeted
brand logo and visual identity: the text can
be extracted with an OCR (Optical Character
Recognition) technology and analysed with
Natural Language Processing models, the
brand logo can be identified with a logo
detection technology.
“It is up to the cybersecurity community to
imagine new ways to leverage Deep Learning
to strengthen their defence," he concludes.
22
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

My peace of
mind starts
with Neustar
Security.
Cloud Security Solutions that are
Always-on, Ultra Secure.
security.neustar

home working
HOMING IN ON THE PERILS OF HOME WORKING
REMOTE WORKING IS WORKING! EMPLOYERS, IN THE MAIN, HAVE SEEN IT SUCCEED ON A GRAND
SCALE. BUT HAS IT MADE BREACHES INEVITABLE? EDITOR BRIAN WALL REPORTS
As home working becomes ever more
part of the future, many businesses
have confirmed that employees will
not be expected to return to the office fulltime
when pandemic restrictions are lifted.
But what must businesses do to ensure they
don't leave themselves open to the hackers
and attackers already looking to exploit the
slightest vulnerability - and all too often
succeeding?
"As teams remain dispersed, with BYOD
policies now the norm and flexibility taking
precedence, infosec professionals must find
a way to regain control of their cybersecurity
strategy," says Ollie Sheridan, security principal
at Gigamon. "Introducing a companywide
Zero Trust approach means IT teams can
counter threats and monitor risks across their
networks proactively, and the future hybrid
workforce will no longer pose such a security
issue."
The implicit trust often afforded to internal
networks creates a plethora of vulnerabilities
for an organisation now that networks have
turned inside out following the shift to
remote working. "While 'internal' was often
viewed as 'safe' in comparison to the possible
dangers of the 'external', the lateral
movement of a cyberattack - from a personal
device into the company network - now
means that no user should be considered
'safe' without multi-factor authentication.
"Rather than innocent until proven guilty, a
Zero Trust framework believes each individual
may be a threat, unless they can provide
proof of their authenticity. This model also
improves the productivity of SecOps teams,
as with less security breaches comes more
accurate alerts, the ability for systems to run
faster and significantly reduced network
downtime. Zero Trust therefore not only
bolsters a defence strategy, but ensures
business processes run smoothly despite
the new, hybrid and often siloed ways of
working," Sheridan insists.
"Integral to a Zero Trust framework is
network visibility. It is impossible to manage
or monitor threats in a clouded environment,
and visibility into all data-in-motion - even
encrypted traffic - is important for IT
professionals to understand and authorise
that which is safe; and detect and mitigate
that which is not.
"As the workforce adapts to new ways of
working, with hybridity leading the way,
implementing the right IT infrastructure that
serves both those in the office and those
working remotely is a top priority," he adds.
"NetOps teams must look to new tools [or
optimise what is already in place] to enable
full visibility across a network. Visibility will
then become the glue that holds together the
Zero Trust framework and allows the
detection of undesirable behaviours, as well
as the analysis of metadata to explain the
origin and movement of a cyberattack, and
ultimately keep an organisation secure."
Carolyn Crandall, chief security advocate,
Attivo Networks, points to how COVID-19
quickly drove businesses to change to
facilitate employees working from home,
"and the sudden onset of the crisis meant
24
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

home working
they had to make security compromises in
the spirit of achieving service availability.
Naturally, both technology-based and
human-based security issues have arisen as
a result".
As and when we enter the second half of
2021 and employees return to the office,
they will quickly become the new 'insider
threat' to be concerned about, she warns.
"Many of these systems will connect back
onto networks with infected systems.
Organisations without the proper security
controls to detect lateral movement,
credential misuse and privilege escalation may
find that Pandora's box has been opened."
Organisations can take a few steps to
minimise the risk, Crandall advises. "Require
systems to be patched before reconnecting
to networks, utilise Network Access Control
(NAC), use visibility tools that show attack
paths from the endpoint and Active Directory,
and remediate exposed credentials and
attacks. Adding detection for live attacks on
Active Directory will also be essential, so that
in-network attackers can't gain the privileges
or access to progress their attacks or install
backdoors for future use."
DATA HAVOC
When staff use devices or applications that
ate not managed or sanctioned by the IT
department, the security perimeter
consequently becomes more porous,
increasing the attack surface and introduces
more points of vulnerability through which
attackers can take advantage, says Camille
Charaudeau, VP product strategy at digital
risk protection company CybelAngel.
"Data that's leaked or breached can wreak
havoc, as hackers use this data to launch
phishing attempts. This can be from fake
websites using malicious domains to resell
company credentials on the Dark Web or can
exploit vulnerabilities on exposed, shadow
assets." To mitigate the risk, he suggests, IT
teams need to ensure that new applications
installed aren't forgotten and that sensitive
business data is not entered into ad hoc apps,
breaking corporate security policies. "Poor
application configuration can allow stored
data to be left exposed, vulnerable and under
the radar of security teams inviting risks.
Better cross-functional collaboration between
IT and staff is mandatory to decrease the
amount of Shadow IT assets and protect
against vulnerabilities. Educating staff on
good cyber hygiene is a simple way to
minimise these dangers."
Most importantly, businesses must
understand what sensitive data is beyond the
security perimeter. "They must have the tools
and resources to detect whether their thirdparty
infrastructure, shadow assets, or critical
datasets may have leaked across the internet
from open databases to cloud apps,
connected storage devices and Dark Web
forums," adds Charaudeau. "Comprehensive
24x7 monitoring is the minimum
requirement here and the speed to detect
sensitive vulnerabilities is the difference
between damage limitation or a major
breach. Security teams must have actionable
intelligence, free from false positives to act
effectively and resolve the issue."
Oliver Cronk, chief IT architect, EMEA at
Tanium, points to the way in which digital
transformation has been forced to accelerate
rapidly, as huge numbers of staff were forced
into home working. "Many organisations
have put stop-gap IT solutions in place to
keep up. This approach, which we believe is
especially prevalent in sectors hit hardest by
the pandemic, often creates cybersecurity
weaknesses. Another issue is that many
organisations are struggling with reduced
revenue or funding at the moment and have
to make cutbacks, but cybersecurity is not an
area they can afford to neglect.
"As lockdown continues and some teams
are being asked to do more with less
resources, they remain increasingly vulnerable
to cyber threats, due to distraction or fatigue,
Carolyn Crandal, Attivo Networks: with
the sudden onset of the crisis, businesses
had to make security compromises in the
spirit of achieving service availability.
Ed Macnair, Censornet: one way of reducing
the impact of large-scale breaches is Multi-
Factor Authentication.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2021 computing security
25

home working
Ashley Stephenson, Corero Network
Security: an increase in Distributed Denial
of Service attacks correlates with the
increase in remote working.
Paul Norbury, SecureDrives: Deploying
passwordless authentication can also result
in significant financial savings..
which can cause employees to drop their
guard when it comes to clicking on malicious
links in emails. In addition, IT audit continues
to fail many organisations, with some of the
recent security issues we've seen being a
direct result of IT audit and governance
processes being used that are out of touch
with what is really going on in modern
organisations."
Businesses need to ensure they are planning
for the long term by setting up a security
foundation which is flexible, data-driven and
efficient," advises Cronk, "whilst equipping IT
teams to respond to threats immediately
from wherever they are based. "Whilst the
pandemic has created challenges for IT
teams, this period should also be seen as
an opportunity to optimise IT security and
operations. Teams should consider embracing
technologies such as distributed cloud
architecture and endpoint management,
which will give businesses the visibility and
control they need to minimise the likelihood
of a damaging cyber-attack in the age of
lockdowns and mass remote working".
DDOS ATTACKS SURGE
Ashley Stephenson, CTO, Corero Network
Security, says his company has observed an
increase in the number of Distributed Denial
of Service (DDoS) attacks and targets across
its customer base since the latter part of Q1
2020, which it believes, in part, correlates
with the increase in remote working.
"One factor supporting this observation is
the increasing use of OpenVPN, a popular
open-source VPN technology. OpenVPN
allows companies or individuals to extend
their private networks in a secure and reliable
manner. In contrast to legitimate OpenVPN
usage, proof-of-concept source code for
Denial-of-Service attacks exploiting an
OpenVPN reflection/amplification vulnerability
was posted on the Internet as far back as
2017. In October 2019, a more significant
reflection/amplification vulnerability was
found in SoftEther - a derivative version of
OpenVPN. "This added another new DDoS
weapon to the cybercriminal's arsenal. The
damaging impact of the SoftEther
vulnerability has become more apparent
during the COVID-19 pandemic, most likely
due to the increased number of remote
workers which in turn drives the deployment
of OpenVPN servers."
A simple search for the OpenVPN default
port UDP1194 on shodan.io shows how
many potential reflectors are out there, adds
Stephenson. "In March 2020, the result
returned approximately 827K accessible
OpenVPN servers, with the number growing
by approximately 10K new servers a week
during the pandemic. This represents more
than enough servers to launch a powerful
volumetric or packet rate DDoS attack.
"While many common reflection attacks
(Including DNS amplification, NTP reflection,
Memcached and reflective CLDAP) generate
large, often fragmented, response packets,
the size of the replies directed to the victim
from OpenVPN reflectors is relatively small -
usually 60 to 72 Bytes. However, the
vulnerability causes retries, with many of
these small packets resulting in a 30x
response amplification factor, which, when
multiplied by number of available reflectors,
can generate enormous packet rates resulting
in a Denial-of-Service condition for many
victims, he concludes. "Corero researchers
have observed OpenVPN reflection attacks
routinely exceeding 30Gbps, with a year-overyear
increase of nearly 400% in the use of
OpenVPN reflection as an attack vector."
With home working putting additional
pressure on already strained IT and security
infrastructures, digital security anywhere and
everywhere has never been more important,
states David Emm, principal security
researcher at Kaspersky. "Whilst individuals
must be mindful of cybersecurity, businesses
need to take steps to increase the level of
awareness of threats among employees.
Moreover, it is the responsibility of businesses
26
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

home working
to implement appropriate policies and
processes to secure corporate systems -
wherever staff are working.
"The risks associated with staff now working
with data outside of the corporate network,
on personal devices, is something that
businesses must look to mitigate. Without
knowing what devices are in contact with a
business's data systems, IT and cybersecurity
teams have great difficulty anticipating how
company assets can be potentially
compromised, sold on or even held for
ransom; and managing the risks effectively,"
adds Emm.
"With latest research revealing that more
than 90% of all cyber breaches are caused by
human error, companies must have complete
oversight of how their IT systems and
hardware are being used by remote
workforces - and this has subsequently led
to a sharp rise in the implementation of
monitoring software, while the UK has been
working from home. As a result of this
software, nearly a quarter of UK workers
(24%) are using their own devices for work to
avoid being watched, while three in 10 (31%)
have admitted that they would use their own
devices more for work, if company-provided
devices had monitoring software installed.
"Clearly, businesses should not go too far
along the surveillance route," he believes,
"otherwise employees may take their entire
at-home activities off the corporate radar,
resulting in the wholesale creation of shadow
IT, over which they have limited control.
While remote working does bring significant
benefits to workers, there is also a dark side
when it's not managed holistically. There is
also a serious need for employers to examine
their 'surveillance' practices to understand the
true impact on productivity and worker
satisfaction."
Paul Norbury, CEO SecureDrives, agrees
unequivocally that supporting a workforce
that's working from home sets a whole
new set of challenges for security teams.
"At SecureDrives, we know passwordless
authentication works, that it is easy to deploy
and administer remotely, and that it saves
people time every single login. In cases where
people log in to multiple computers, multiple
times a day, automated proximity-based login
- and logout - through passwordless
authentication can add literally hours of time
to the working day.
SECURITY ONUS ON BUSINESSES
"Deploying passwordless authentication can
also result in significant financial savings.
According to a World Economic Forum
report, companies spend on average 2.5
months a year resetting internal passwords,
20% to 50% of all calls to the IT helpdesk
concern password resets and the estimated
cost of a single reset ranges from $30 to $70.
The same report notes that password-safe
company LastPass has estimated companies
spend on average $1 million per year in
staffing helpdesks to deal with password
resets. While passwordless authentication
obviously has deployment and management
costs, it doesn't require the same level of enduser
support."
The logic that has seen consumer
technology make its way into the office so
many times in the past can play its part with
passwordless login, too, says Norbury. "We
have become used to logging in to our
phones and computers using facial or
fingerprint recognition, and this familiarity
makes the idea of passwordless login for
work more palatable, because, as end users,
we know from experience that it is both easy
to work with and secure. Implementing
passwordless authentication is an element of
digital transformation that can benefit
individuals, IT teams and the bottom line."
"Cloud applications have transformed the
way users and teams communicate, share
and collaborate," points out Ed Macnair, CEO
of Censornet. "Organisations should be
mindful of this move into the cloud, because
staff are now even more likely to be using
apps that are unauthorised and potentially
dangerous. The cloud shift has radically
changed the threat landscape, which means
that web security is no longer enough.
Organisations would be wise to quickly adopt
a Cloud Access Security Broker (CASB)
solution, which have gone from being a 'nice
to have' to become an essential security tool."
With teams dispersed away from the safety
of the organisation's network, IT teams are
always having to review risk, he continues.
"Context is king. If a login is requested from a
strange location, time, day or device, a secure
authentication solution should pick this up
and ensure further verification before
allowing access. Likewise, strange behaviour
in the office should be recognised. It's highly
unlikely that a 9-5 weekday worker will be in
the office at 2am on a Saturday morning. If a
login is received at this time, it should trigger
alarm bells. Or perhaps a promotion, if the
log-on is genuine."
With so many risks associated with account
compromise and at a time when many
organisations are in flux, it's more important
than ever to prove whether logins are
legitimate or not, states Macnair. "One way of
reducing the impact of large-scale breaches is
Multi-Factor Authentication, which ensures
any stolen credentials cannot be used to gain
access to your organisation's environment,
challenging the user, based on contextual
flags, such as location or device, and
providing flexible delivery of session-specific,
real-time generated one-time passcodes."
Organisations should also adopt a Zero Trust
approach, based on an 'authenticate then
connect' model, he adds. "This will allow
employees to connect to the service they have
permission for only once they have been
authenticated. In the much longer term,
companies will start to roll out a Secure
Access Service Edge (SASE) framework. Zero
Trust is a great way to get started on the road
to SASE, so it's important to make the right
decisions immediately to lay the groundwork
for this new security paradigm."
www.computingsecurity.co.uk @CSMagAndAwards May/June 2021 computing security
27

predictions
WHAT ELSE AWAITS IN 2021?
IN PART 2 OF OUR GLANCE INTO THE (POSSIBLE) FUTURE, WE HEAR MORE
PREDICTIONS ON WHERE THE YEAR 2021 MAY BE LEADING OUR INDUSTRY
The prediction game is at best a
perilous one and even more so in what
has been, in calendar month terms at
least, the most unpredictable of years. Yet
trying to foresee what might happen within
the security industry has always been
something of a fraught exercise in crystal
ball gazing. So, these insights do retain
their value, despite - and maybe even
because of - how challenging the times
may be.
The abrupt shift to remote work, due to
the pandemic, has caused many obstacles,
of course. "Legacy approaches to identity
and access management (IAM) are clinging
to outdated notions of corporate
perimeters and in-person interactions.
Conversely, overwhelmingly digital
customer-facing interactions create urgency,
with respect to digital identity initiatives
and reducing bias in identity-proofing
processes." That is the view of Akif Khan,
senior director analyst, Gartner, who says
that the old security model of "inside means
trusted" and "outside means untrusted" has
been broken for a long time.
"By 2025, cybersecurity mesh will support
more than half of all IAM requests,
enabling a more explicit, mobile and
adaptive unified access
management model," he predicts. "The
mesh model of cybersecurity provides
a more integrated, scalable, flexible and
reliable approach to digital asset access
control than traditional security perimeter
controls."
Organisations lack the resources and skills
to plan, develop, acquire and implement
comprehensive IAM solutions, he adds.
"As a result, they're contracting professional
services firms to provide the necessary
support, particularly where multiple
functions need to be addressed
simultaneously. Increasingly, organisations
will rely on MSSP firms for advice, guidance
and integration recommendations. By
2023, 40% of IAM application convergence
will primarily be driven by MSSPs that focus
on delivery of best-of-breed solutions in
an integrated approach - shifting influence
from product vendors to service partners."
IDENTITY-PROOFING TOOLS
Historically, vendor-provided enrolment
and recovery workflows for multifactor
authentication have incorporated weak
affirmation signals, such as email addresses
and phone numbers. As a result,
implementing higher-trust corroboration
has been left as an exercise for the
organisations.
"Because of the massive increase in remote
interactions with employees, more robust
enrolment and recovery procedures are
an urgent requirement, as it is harder to
differentiate between attackers and
legitimate users," adds Khan. "By 2024,
30% of large organisations will newly
implement identity-proofing tools to
address common weaknesses in workforce
identity life cycle processes."
Centralised approaches to managing
identity data struggle to provide benefits in
the three key areas: privacy, assurance and
pseudonymity. "A decentralised approach
uses blockchain technology to help ensure
privacy, enabling individuals to validate
information requests by providing only
the absolute minimum required amount
of information."
He believes that, by 2024, a true global,
portable, decentralised identity standard
will emerge in the market to address
business, personal, societal, and identityinvisible
use cases. "Bias with respect to
race, age, gender and other characteristics
gained attention significantly in 2020,
coinciding with the increased interest
in document-centric identity
proofing in online use cases. This
'ID plus selfie' process uses face
28
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

predictions
recognition algorithms to compare selfies
of customers with the photo in their
identity document."
THE HUMAN LAYER
If remote working in 2020/21 has taught
us anything, it's the importance of securing
the individuals within each organisation's
'human layer', says Tony Pepper, CEO, Igress.
"When offices closed overnight, it amplified
the role of the individual within our security
strategies and the risks that each person
brings. As we look towards the rest of
2021, insider risk will be front-of-mind for
many organisations, as they work to secure
remote and hybrid environments for the
long term.
"Advanced machine learning technologies
that examine the context within which
individuals make decisions and alert them
to risky behaviour have been utilised by
early adopters to effectively target security
at individuals- and in 2021 and beyond,
this technology will see rapid adoption."
Linked to this, states Pepper, we're going
to see the continued decline of traditional
email DLP technology, as organisations
improve security for their most missioncritical
communication channel. "56%
of the IT leaders responding to our 2021
Data Loss Prevention Report acknowledged
they're under increased pressure from
clients to keep sensitive data safe on email,
while 100% of those who have deployed
traditional email DLP technologies are
frustrated by them. With increased
adoption of advanced email DLP solutions
that utilise contextual machine learning,
organisations will turn away from
traditional technologies."
THE HUMAN LAYER
"As 2020 has shown, predicting the future
is hard!" states Emma Maslen, VP & GM
of EMEA & APAC for Ping Identity. " Yet
what is clear is that, moving forward, all
organisations need to be able to react to
unexpected shifts in society, technology
and culture. The emergence of working
from home as a viable option for large
segments of the workforce is likely to
endure. Some employees are now enjoying
the reduction in commute, more family
meal times and greater flexibility in the
working day, which I think they will be
reluctant to let go in the future. Ensuring
employees are enabled to work from
home, in a productive way, will be a big
theme for the future."
This leads neatly to her second point - the
continuing war for talent. "As the world is
disrupted, employees are looking for a
vision or a mission that resonates, along
with working environments that empower
them to do their best. Ensuring frictionless
access to technology will lead to a
reduction in frustration, which will, in turn,
help organisations to both attract and
keep the best talent. Yet the frictionless
experience must extend beyond the
organisational structure and become a
mantra for how organisations deal with
customers, citizens, partners, suppliers - in
fact, every B2B and B2C relationship must
shift towards seamless interactions."
As such, identity is going to be a big
focus for both the workforce and the wider
consumer space, adds Maslen. "Not only
are we working more from home, but we
are also shopping, banking, studying and
engaging with the state increasingly from
home. Yet still people are bombarded with
username and password requests, and this
situation gets worse as more interactions
become completely digital."
If 2020 was the year of disruption, then
2021 will hopefully be a year where agility
becomes the new watchword, she further
states - "a year where we start to build a
more sustainable work and life balance
that is based around results, and less
around where people and systems are
geographically located".
Akif Khan, Gartner: by 2023, 40% of IAM
application convergence will primarily be
driven by MSSPs that focus on delivery of
best-of-breed solutions in an integrated
approach.
Emma Maslen, Ping: 2021 will hopefully
be a year where we start to build a more
sustainable work and life balance that is
based around results.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2021 computing security
29

webcam woes
TANGLED WEB
IS THERE A HACKER STARING IN ON YOU THROUGH YOUR DEVICES AND GADGETS, READY TO
POUNCE? WE FIND OUT HOW VITAL IT IS TO KEEP WEBCAMS COVERED WHEN THEY'RE NOT IN USE
With the rapid rise in remote
working, more of us than ever
before are taking video calls from
the privacy of our own homes. Sometimes
these even take place in our bedrooms- the
same rooms where we lounge around in our
pyjamas, sleep and even change our clothes.
But just how secure are our Mac and PC
webcams? Are we being watched?
Computing Security has been liaising with
the technology experts at Reincubate and
they have been running us through the risks
that await 'out there'. Here is their take on
things…
REINCUBATE
The rapid growth of remote and home
working has led to a lot of users getting
webcams or setting up Zoom equipment in
their own homes. Mark Zuckerberg
inadvertently brought attention to the risks
of users being covertly monitored through
their computer's webcams or mics when he
posted a now famous photo of his desk setup,
showing his laptop with a covered
webcam and blocked mic. If even the creator
of Facebook blocks his, who else does?
Apple's release of iOS 14 has done even
more to safeguard users from
unintentionally recording with its new
orange and green dots. That said, user
privacy can be violated by a simple accident
and without malicious intent. Plenty of
Zoom users haven't realised that their
cameras were on or that, when joining a
Zoom call, the host might have configured
the call to start with user cameras on.
Additionally, it's possible to join a Zoom call
with your camera off, be placed in a waiting
room before the call begins and then have
the camera turn on once the host admits the
user to the call.
Generally speaking, there are few video
apps where the host can remotely enable
video, if the participant has turned it off after
the start of the call and Zoom is safe in this
regard. It does, however, have a feature
whereby the host can remotely unmute a
participants' microphone. If you're in the
habit of stepping away from your computer
on long calls to get a cup of coffee while
muted, beware that you might be unmuted
without knowing about it. Similarly, if you're
joining the call from a room with other
people around, their unexpected presence in
your background may cause them
embarrassment, if they're not expecting to
be broadcast.
These inadvertent risks can be handled with
a few simple precautions: covering or
physically disconnecting a webcam makes
things more obvious and having a mic with a
physical mute button helps.
SECURING YOUR CAMERA AND MIC
ON AN IPHONE
iPhone and iPad users have the least to worry
about. So long as the device has not been
jailbroken, it is extremely unlikely that
hackers can remotely monitor the device's
camera or mic. As far as Apple's orange and
green dots, referred to above, are
concerned, yes, it's still possible for apps to
access an iOS device's camera and mic, but
in order for this to happen, users must first
install an app and grant it permission to
record video and audio. It's possible for apps
to record audio - but not video - while
backgrounded, but, again, permissions must
first be given by the user. Of course, there's
always the possibility of state-level cyber
espionage, but this is unlikely to affect the
average user and is almost impossible to
mitigate for, short of not using technology.
Broadly speaking, your iPhone and iPad
should be perfectly safe, so long as you don't
let them out of your sight, and only install
apps that you trust.
SECURING YOUR WEBCAM AND MIC
ON A MAC
A Mac or a MacBook Pro is second only to
30
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

webcam woes
all effective. Most Windows devices will
disable their internal microphone when an
external mic is plugged in and dedicated mic
blockers exist for that purpose. However, it's
very hard to tell whether your device really
will fundamentally disable its internal
microphone when this is done.
an iPhone in its security. Recent Macs include
something called a 'T2 chip', which includes a
number of hardware-based security features.
Most relevant of all, it uses hardware to
physically disable a Mac laptop's microphone
when the laptop is closed or suspended.
From a practical perspective, it's impossible
for Mac's webcam to be in use without the
accompanying green light being turned on.
In the past, there have been workarounds for
this but the known exploits have been fixed
on Macs.
However, the software on the Mac does
not trigger any sort of system-level security
prompt when accessing a webcam or mic, so
users must be careful to only use apps they
trust and not to disable any system-level
protection that is enabled on all Macs by
default. It's possible for any website that a
user is on to request camera and microphone
access, but the user's browser - Chrome,
Safari etc - will have to prompt the user to
give permission. Security-conscious Mac users
may wish to try OverSight (free) or Micro
Snitch (paid for), popular security tools that
run in the background and alert users to any
apps accessing their camera or mic.
STEPS FOR STAYING SECURE ON
WINDOWS OR ANDROID
Unfortunately, Windows and Android users
will have the hardest time of all staying
secure. Often the software and hardware
for these devices are made by different
companies, meaning there's plenty of room
for loopholes between the two. Google's Play
Some of the settings available to a user hosting a Zoom call, including
the ability to enable participant video at the start of the call.
Store is infamous for including malware apps
on a regular basis, and many Android phones
(over 1 billion!) suffer from not getting access
to the latest security patches or Android
updates.
Theoretically, modern Android devices with
the latest security patches will be close to an
iPhone's security - at least each app must
prompt for webcam or mic access, but a
status light won't be shown. But the problem
is it's hard to tell by looking at an Android
device if it's secure or up to date. Simply
because your phone says it has all of the
latest security patches doesn't mean that the
manufacturer of your Android phone has
made all of the security patches available.
From this perspective, Google Android
devices (such as the Pixel) are more
trustworthy, as Google makes both the
software and hardware together and is
ultimately responsible for issuing the most
important security updates.
Staying secure on these platforms is hard.
The problem on Windows is so endemic that
both Lenovo and HP have started building
physical switches and covers into their
webcams to give users some peace of mind.
Without hardware control of the mic, it's
impossible to tell if a Windows laptop could
be recording in the background when open
or closed!
Blocking microphones isn't easy: you can't
cover them with a piece of tape, like you can
a camera, or at least, if you do, it won't be at
Reincubate's advice, if running Android,
would be to only use Google devices such as
thePixel and to avoid installing third-party
apps from the Google Play Store. The risk of
malware or app impersonation is not small.
Seriously, if you want apps, use an iPhone. A
month doesn't pass without a news report of
millions of Android users being infected by
malware.
WHAT ABOUT ALEXA OR THE
HOMEPOD?
Plenty of users have an Alexa or HomePod
device in their home or other forms of smart
devices, like thermostats or security cameras.
These are all capable of broadcasting video
or audio captured within the home. It's very
hard to keep tabs on these and ultimately
one must either trust the company making
them or not. Both Amazon and Apple home
devices may be listened to by the staff in
some circumstances, though there are
controls that can enable users to opt in or
out of parts of this.
If someone has a smart device at home, it's
sensible to behave as if their audio is being
recorded. That is potentially quite a burden.
It's very much not a good idea to buy smart
devices from small, untrusted or unknown
vendors. Who knows what their security is
like?
TOP TIPS TO HELP YOU STAY SECURE
While there's less for modern iPhone and
Mac users to worry about, there is still a set
of best practices we'd recommend for all
users.
Covering your webcam is important on a PC,
but it's arguably helpful for all users, in that it
www.computingsecurity.co.uk @CSMagAndAwards May/June 2021 computing security
31

webcam woes
Aidan Fitzpatrick, Reincubate: users should
keep devices closed or powered off when
they are not in use.
Android and Windows are at serious risk
of getting spied on through their webcams.
will serve as a reminder to think about security
while using the computer. Realistically, you're
more likely to inadvertently broadcast yourself
without knowing than you are to be remotely
monitored by anyone else and a cover helps
make that risk obvious.
Anything that makes you more security
conscious is likely a good idea. You'll see no
end of ads online trying to sell plastic webcam
covers: these are junk and you don't need
them. A piece of tape or a sticky note is good
enough for Mark Zuckerberg and it'll work
well enough for you. Any residue left behind
will be easy to remove. And, besides, welldesigned
laptops won't leave enough room to
be closed without damaging themselves when
an additional plastic cover is stuck on.
Use external, physically connected cameras
and audio devices. Relying on an external mic
and camera makes it crystal clear whether
they are physically connected to your
computer or not. This has the advantage that
you can then permanently block your device's
internal camera and mic. Camo is a good
example of a product like this and has the
additional benefit of greatly increasing the
quality that a user will get when they join calls.
Beware of products that require installation of
drivers, or which are from unknown or
untrusted sources.
Closing your laptop or powering off your
computer when not using it will make it
harder or impossible for people to access it
remotely.
If you step away from your Zoom call while it's
muted, perhaps to make a coffee, beware
that a host might remotely unmute you
without your knowing. If your mic has a
physical mute button, you'll be okay. But, if
you're using AirPods or an internal mic, there's
no mute that can override Zoom's settings. If
you're on a call, always assume you might be
overheard.
Keep your software up to date, especially the
main software on your phone and computer,
and any browsers you use.
Don't disable your computer's firewall or
malware. Nowadays, these are enabled by
default on just about every type of computer
and phone, and there's little need to install
additional software, beyond specific products
for monitoring webcam use (see above).
Be aware of general security best practices and
be sure to securely store any video, audio or
photos that you've already taken.
Don't let anyone untrusted use - or repair - any
of your devices. Who knows what they might
install or change!
"There are real risks to not covering a
webcam," warns Aidan Fitzpatrick,
Reincubate," but, for users with Macs and
iPhones, the greatest risk is most likely
accidentally broadcasting themselves or
unknowingly being unmuted by a meeting
host, rather than being surveilled by a hacker.
"Webcam covers and physical mute buttons
on microphones act as fail-safes and helpful
reminders to think about security, and a piece
of tape really is the best solution for use with a
MacBook. I recommend users keep devices
closed or powered off when they are not on
use."
And he adds "It's worth thinking about using
an external webcam or, for better quality, a
smartphone webcam [https://reincubate.com/
camo/], as it can be physically unplugged
between calls. Being able to unplug one's
camera is the best way to stay secure."
32
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

Computing
Security
Secure systems, secure data, secure people, secure business
Product Review Service
VENDORS – HAS YOUR SOLUTION BEEN
REVIEWED BY COMPUTING SECURITY YET?
The Computing Security review service has been praised by vendors and
readers alike. Each solution is tested by an independent expert whose findings
are published in the magazine along with a photo or screenshot.
Hardware, software and services can all be reviewed.
Many vendors organise a review to coincide with a new launch. However,
please don’t feel that the service is reserved exclusively for new solutions.
A review can also be a good way of introducing an established solution to
a new audience. Are the readers of Computing Security as familiar with
your solution(s) as you would like them to be?
Contact Edward O’Connor on 01689 616000 or email
edward.oconnor@btc.co.uk to make it happen.

cybercrime insights
FRAUD AND CYBERCRIME SOAR IN PANDEMIC
MORE THAN 6,000 CASES OF COVID-RELATED FRAUD AND CYBERCRIME WERE
RECORDED BY THE UK'S POLICE FORCES IN THE 12 MONTHS AFTER THE VIRUS
FIRST STRUCK. BUT THIS MAY BE JUST THE TIP OF THE ICEBERG
According to the Action Fraud team,
which covers activity in England, Wales
and Northern Ireland, covid-related
fraud and cybercrime amassed a sum of
£34.5 million in stolen money in the 12
months from 1 March last year. And the total
is only forecast to rise at an equally alarming
rate in the months ahead.
In a related development, the National
Cyber Security Centre is tackling several
attacks being launched each month against
the country's pandemic response
infrastructure. These involve attempts to
breach the NHS, vaccine producers and
vaccine supply chains, among other
organisations.
Additional figures disclosed by City of
London Police, which co-ordinates efforts
to combat fraud, include:
More than 150-related arrests were
made since the pandemic began
More than 2,000 websites, phone
numbers and email addresses linked
to the crimes were taken down
A total of 416,000 reports of fraud
and cyber-crime.
The activity peaked between April and May
2020, and January 2021 - both times when
lockdowns were in force.
The Dedicated Card and Payment Crime
Unit, which tackles criminal gangs that are
responsible for financial fraud and scams,
worked with social media platforms
to take down more than 700
accounts linked to
fraudulent activity in
2020, of which over
250 were money mule
recruiters.
But this may be the tip of
the iceberg, it's admitted. In
fact, the National Crime Agency
estimates that just one in five fraud
cases is typically reported to the
police. Many of the scams involved
conning people out of their money and
financial details by focusing on internet
shopping.
Related fraud was 42% higher over the
pandemic than the preceding year, as
criminals took advantage of the fact many
physical stores had been forced to close.
The pandemic appears, however, to have
coincided with a fall in one type of
cybercrime, according to the BBC. "Reported
cases of computer software service fraud -
in which criminals call, offering fake tech
support to fool victims into sharing their
payment card details and other credentials -
dropped by 15.5%," it said.
TARGETING THE VULNERABLE
Nick Emanuel, senior director of Product at
Webroot + Carbonite, comments: "This
insight comes as no surprise as, following the
start of the vaccine rollout last year, our Real-
Time Anti-Phishing protection system found
a rise in malicious URLs and terms to target
vulnerable people, using subjects like the
vaccine and COVID-19. In fact, we saw a
336% increase in use of the word 'vaccine'
found within suspicious domain names
between the 8 December and 6 January,
when compared with the month of March
2020.
"Scams using keywords based on emotive
subjects concerning medical safety and the
pandemic are always going to be more
effective, especially when they're in the public
interest. Additionally, remote work has forced
many employees to use personal devices for
business-related activities, which presents
unique security concerns," he adds.
"With a higher prevalence of malware and
generally fewer security defences in place, it's
easier for malware to slip into the corporate
network via an employee's personal device.
34
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

cybercrime insights
For businesses, better security systems and
training are key for protection, along with
backing up data."
For individuals, defending against these
kinds of attacks should involve security
awareness training and remaining vigilant in
scrutinising the types of emails they receive,
Emanuel advises. "This should also be
underpinned by cybersecurity technology
such as email filtering, anti-virus protection,
and strong password policies."
BEEFING UP THE UK'S IMAGE
Meanwhile, the NCSC has witnessed a
significant increase in the number of attacks
since February, it reveals. In her first speech
as chief executive of the new NCSC, Lindy
Cameron has been paying tribute to what is
seen as the 'bold decision' to create a publicfacing
cyber security organisation within
GCHQ. The virtual speech to an audience at
Queen's University, Belfast, saw her outline
why the UK has a role to play in making it the
safest place to live and do business online.
"The cyber security landscape we see now
in the UK reflects huge progress and relative
strength - but it is not a position we can be
complacent about. Cyber security is still not
taken as seriously as it should be and simply
is not embedded in UK boardrooms," she
said. "The pace of change is no excuse -
in boardrooms, digital literacy is as nonnegotiable
as financial or legal literacy. Our
CEOs should be as close to their CISO as
their finance director and general counsel."
Cybercriminals will often use current events
to try to lure victims and the pandemic has
offered the perfect bait, states Adam Palmer,
chief cybersecurity strategist at Tenable.
"Criminals will capitalise on the interest in
world events," he comments, "such as using
coronavirus-themed malicious emails as a
cover to spread a variety of malware, from
the Emotet, AZORult and Trickbot trojans,
to the Nanocore and Remcos Remote Access
trojans. In January 2021, scammers were
impersonating the UK's National Health
Service via email and text messages, claiming
that victims were eligible for their COVID-19
vaccine. The webpage used the same
template as the real NHS website and asked
users to complete an application, requesting
personally identifiable information [PII], as
well as banking or credit card information."
The tactic of using current affairs to make
scams more successful isn't new, he points
out. "We've seen similar types of scams
associated with natural disasters and other
global events in the past.
"Cyber criminals are inventive and persistent
- they will try to elicit information needed to
further their crimes in all manner of ways and
explore all communication channels, via
email [phishing], telephone calls [vishing] or
increasingly popular via SMS [SMShing], in
the hopes that a small number of victims will
respond," he adds.
Palmer concedes that these targeted
messages can be tricky for even an alert
individual to spot. "The best form of action is
to view every communication, no matter
how convincing, as suspicious. Rather than
interact with links within an electronic
message, navigate to the website yourself
and search for information to verify fact from
fiction. If it's a caller, ask for their name and
say you'll get back in touch once you've
confirmed the request. When in doubt,
report your suspicions to the authorities."
COVID-19 SPIKES
Drawing on data from the Mimecast threat
intelligence team, its report, 'The Year of
Social Distancing', details how threat actors
targeted remote workers during the first year
of the pandemic, from March 2020 to
February 2021. The report describes how
attack volumes surged by 48% during that
time, with sudden increases in volume
corresponding to spikes in COVID-19
infection rates in April and October 2020.
"Threat actors took advantage of the
Adam Palmer, Tenable: criminals using
coronavirus-themed malicious emails to
spread a variety of malware.
Nick Emanuel, Webroot + Carbonite: for
businesses, better security systems and
training are key for protection, along with
backing up data.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2021 computing security
35

cybercrime insights
pandemic to launch a torrent of COVID-19
themed social engineering attacks," states
Josh Douglas, vice president, product
management at Mimecast, "understanding
that people were under stress, working in the
home environment, and thus more likely to
be deceived and make mistakes."
The second part of that strategy was to
'flood the zone' in security operations centres.
"They knew analysts would also be stressed
and stretched thin, so overwhelming them
with a high volume of threats would increase
the likelihood of their attacks slipping
through defences."
The report also examines the cyber habits
of at-home workers, which revealed some
alarming facts, including:
A 3x rise in unsafe clicks in March 2020,
right when the work-from-home trend
began
US workers were nearly twice as likely to
open suspicious emails as were workers
in the UK and Germany
A 60% increase in the use of companyissued
computers for personal business.
Even though vaccine rollouts are well
underway and more organisations may soon
start making plans for people to return to
offices in the months ahead, the Mimecast
threat intelligence team has assessed the
likelihood of threat actors continuing to
exploit the unsettled work situation as very
likely ( 95%). These exploitation efforts will
likely focus both on remote workers and
those returning to the office - which creates
the possibility of a new 'unsettled' situation
that opens the door for the possibility of new
waves of social engineering campaigns.
"We're now seeing sophisticated digitaldeception
campaigns where threat actors
combine COVID-19-related social engineering
with multi-channel campaigns - including
email, social media and even phone - to gain
credibility with their targets, so they can
then be tricked into giving away valuable
information or credentials," says Douglas.
"We expect this challenging threat
environment to continue for the foreseeable
future as employees transition to the new
normal which in many cases will be a hybrid
in-office/at-home work mix. It has never been
more important for enterprises to take steps
to counter these digital-deception campaigns
by hardening employees as targets through
ongoing cybersecurity training programs, and
to secure the infrastructure of the new 'virtual
workplace' particularly email and
collaboration tools."
According to the report, the attacks
targeted highly vulnerable sectors, such as:
Attacks on the healthcare sector
"Another way threat actors took advantage
of the COVID-19 crisis was to launch attacks
on overstretched healthcare systems." Threat
actors sought to exploit increased human
error associated with the stressful conditions
to steal data and infect systems with
ransomware-based attacks, in the belief
that organisations operating under urgent
conditions are more likely to pay ransoms -
in this case hospitals urgently trying to
protect the health of their patients.
The summer of ransomware
Mimecast reported the return of Emotet to
the threat landscape in July 2020, after a fivemonth
hiatus. This malware dropper is often
used to deploy the Trickbot trojan as a
second-stage infection, which can then be
used to infect machines with ransomware.
Mimecast detected increasing volumes
throughout the summer (although not all
can be attributed to Emotet).
UNABATED EXPLOITATION
As to the likelihood of threat actors
continuing to exploit the unsettled work
situation, Mimecast has assessed this as
almost certain (95%). These efforts will focus
both on remote workers and those returning
to the office, which creates a whole new
range of social engineering opportunities.
OPPORTUNISTIC ATTACKS
"Threat actors always exploit turmoil -
whether that turmoil is brought on by
unexpected natural disasters, annual events
such as tax season, or a once-in-a-century
pandemic," says the company.
"So, if we know this, why do they continue
to be successful?" it queries. "The answer lies
in the compartmentalised way in which
companies think about security.
"Just like a magician uses multiple tools
(misdirection, lights, special props etc) to
deceive the audience into thinking that one
thing is happening, only to have another
thing happen, threat actors do the same
thing, using multiple orchestrated tactics
and tools to deceive people into drawing
the wrong conclusions, so they are free to
execute their attacks."
VISIBILITY ESSENTIAL
And, just like magicians would be ineffective,
if the audience had complete visibility into
their activities, the best way to defeat threat
actor cyber deception is to gain greater
visibility into their campaigns, suggests
Mimecast. "Defence-in-depth remains an
important foundation of security strategy;
however, it has also contributed to the
infrastructure bloat issue that plagues many
companies - too many security tools, too
few people to manage them all.
"Lessons learned from The Year of Social
Distancing: Cyber deception is the problem.
Part of the solution to this problem is
integration: by integrating best-of-breed
cyber security tools, organisations can gain
much greater and more precise visibility into
cyber deception campaigns to stop them
earlier in their development."
36
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

weaponised attacks
ALL-OUT WAR
ESPIONAGE, FRAUD AND RANSOMWARE WERE THE WEAPONS OF CHOICE IN 2020, WITH THE UK'S
NATIONAL CYBER SECURITY CENTRE HANDLING A RECORD NUMBER OF CYBER SECURITY INCIDENTS
The UK's National Cyber Security Centre
(NCSC) - part of GCHQ and the UK's
technical authority for cyber threats -
dealt with 723 serious incidents between
September 2019 and the end of August
2020, a 20% increase on the 602 it handled
the year before. More than 200 of these
incidents were related to the coronavirus,
according to the NCSC's latest annual review.
The review reveals how the NCSC took
decisive action against malicious actors in the
UK and abroad "who saw the UK's digital
lifelines as vectors for espionage, fraud and
ransomware attacks", states Penny Mordaunt
MP, Paymaster General, in a ministerial
foreword. "The NCSC helped to protect NHS
Trusts, the Nightingale hospitals and vital
NHS systems, ensuring they were able to
function remotely, in spite of coronavirus.
In this year of complex challenges, the NCSC
continues to react to swiftly evolving cyber
threats."
SAFETY AT HOME
When many organisations moved to
remote working because of coronavirus,
the NCSC responded with new guidance
on how to help employees work and
communicate securely from home.
As organisations moved their
business online at pace,
advisories were issued about
how cyber criminals were
seeking to exploit the
pandemic for profit, and
guidance was updated on
how to spot and deal
with suspicious emails,
calls and texts (including
coronavirus-based scams).
With more people using
personal devices for work
purposes came an increased
vulnerability to cyber fraud, as
criminals sought to exploit the
changing circumstances. Some
scams, frequently using phishing
emails, claimed to have a 'cure' for
coronavirus, or sought donations to bogus
medical charities. Many users found that
clicking a bad link led to malware infection,
loss of data and passwords.
In the review, Lindy Cameron, new CEO of
the NCSC, offers an inner eye on how the
centre has responded to the cyber challenge.
"We scanned more than one million NHS IP
addresses for vulnerabilities and our cyber
expertise underpinned the creation of the
UK's coronavirus tracing app. An innovative
approach to removing online threats was
created through the 'Suspicious Email
Reporting Service' - leading to more than
2.3 million reports of malicious emails being
flagged by the British public. Many of the
22,000 malicious URLs taken down as a
result related to coronavirus scams, such as
pretending to sell PPE equipment to hide
a cyber-attack.
Jeremy Fleming, director GCHQ, points to
how the world changed in 2020, as did the
balance of threats we are seeing. "As this
review shows, the expertise of the NCSC,
as part of GCHQ, has been invaluable in
keeping the country safe: enabling us to
defend our democracy, counter high levels
of malicious state and criminal activity, and
protect against those who have tried to
exploit the pandemic. The years ahead are
likely to be just as challenging, but I am
confident that in the NCSC we have
developed the capabilities, relationships and
approaches to keep the UK at the forefront
of global cyber security."
RIPE FOR TARGETING
Nick Emanuel, senior director of product,
Webroot, says it is unfortunate that the
NHS has been a common target for
37
computing security May/June 2021 @CSMagAndAwards www.computingsecurity.co.uk

weaponised attacks
cybercriminals throughout Covid-19, but
that it's also not surprising. "The vast attack
surface of such a large and diverse
organisation is one factor, but the value in
their data is another. The sheer size and
scope of the healthcare industry, its complex
supply chain, and the fact that the public
sector uses many contractors and outside
parties, makes it a difficult task to manage
and secure."
Although the sector is particularly vulnerable
to ransomware, Webroot believes the biggest
concern here is the use of stolen data as a
means to enable further attacks. "It is much
easier to fool victims with a phishing email
once you know details about them and their
colleagues," states Emanuel. "We expect this
to continue. As 2021 brings forward the first
vaccines to fight Covid-19, cyber criminals
will exploit the lack of trusted information
and the widespread use of phone-based
medical appointments to target businesses
and consumers in phishing attacks and BEC
[Business Email Compromise] scams.
"To mitigate future attacks and build cyber
resilience, organisations need to ensure that
adequate defences are in place. Staff training
is essential for defending against phishing
attacks, so they know what to look out for.
The training materials used also need to be
constantly updated to reflect the latest threat
trends and regular simulations should be run
to ensure that the training is having the
desired effect."
FINANCIAL PAY-OFF
"Ransomware-focused cyber threat actors are
evidently pursuing methodologies where they
believe the financial payoff will be the most
beneficial," says Jonathan Miles, senior threat
intelligence analyst at Mimecast. "This means
they look for a combination of ease of
entry, meaning relatively weak security
programmes, combined with a high
willingness and ability to pay. These threat
actors have increasingly found this
combination in the healthcare industry,
a sector that is highly dependent on IT to run
its operations and in possession of some of
the most sensitive data, which is very
profitable for hackers' financially motivated
criminal activity."
For healthcare organisations, the financial
impact of these attacks is only the tip of the
iceberg, he adds, with hackers holding
confidential data hostage also preventing
practitioners to access the patient files,
resulting in delayed treatment - or worse.
"Healthcare also plays a fundamental role in
supporting a nation and is considered part
of its critical national infrastructure. With its
heightened importance during a global
pandemic, it has rapidly become a very
attractive target for nefarious actors intent
on exploiting a time of confusion and
uncertainty."
Cybercriminals know that denying the
services of the healthcare sector at this time
will have massive ramifications. "By denying
services or the efficiency of the healthcare
sector, a hostile actor can be seen as
subverting a nation through undermining the
healthcare aperture, and degrading efficiency,
reputation and trust," adds Miles. "There
is also a possibility that, in attacking a
healthcare organisation that is part of a wider
network of infrastructure, it may be possible
to pivot to other critical facilities."
CYBERSECURITY VIGILANCE
More than any other industry, the healthcare
sector simply cannot afford poor
cybersecurity. "For those organisations that
are subjected to a ransomware attack, the
consequences stretch beyond the breach,
compromise and financial penalties," he
cautions. "A longer lasting outcome is the
reputational damage that the brand will be
tarnished with. When a breach has been
identified, it requires time and effort to
contain the impact and mitigate the damage.
This can cause a significant strain on
resources, focus, people hours and funding
that could have been used elsewhere."
Jonathan Miles, Mimecast: the healthcare
sector simply cannot afford poor
cybersecurity.
Lindy Cameron, National Cyber Security
Centre: we scanned more than one million
NHS IP addresses for vulnerabilities.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2021 computing security
38

2021
is the year of injection.
Just like 2017
& 2013
& 2010
Injection vulnerabilities have been identified as the most
critical risk to web applications by the OWASP Top 10 since 2010.
Let’s stop giving attackers an easy win.
Pentest Ltd are here to challenge your organisation’s information
security posture, to support your improvement efforts and ensure
you, and your clients, are as protected as possible.
Information Security Consultancy
Penetration Testing
Red Teaming
www.pentest.co.uk
0161 233 0100