Cyber Defense eMagazine July 2021 Edition

Colonial Key Business Pipeline, Lessons JBS Cyber Learned Attacks from Shine The 

Spotlight SolarWinds on Operational Hack Technology 

Vulnerabilities for Wide Range of Business 

Sectors Data Loss Prevention in Turbulent Times 

Getting A Digital The Journey: Cloud Right A Long - Security and Winding and Road 

Compliance 

Why Ensuring Cyber Resilience Has Never Been 

Flipping More Critical the Cyber or More Script Challenging Than It Is 

Today 

…and much more… 

…and much more… 

Cyber Defense eMagazine – July 2021 Edition 1 

Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.

CONTENTS 

Welcome to CDM’s July 2021 Issue ------------------------------------------------------------------------------------------------- 7 

Colonial Pipeline, JBS Cyber Attacks Shine Spotlight on Operational Technology Vulnerabilities for 

Wide Range of Business Sectors ----------------------------------------------------------------------------------------- 33 

By Fred Gordy, Director of Cyber Security at Intelligent Buildings --------------------------------------------------- 33 

Getting The Cloud Right - Security and Compliance ---------------------------------------------------------------- 36 

By Tim Dinsmore, Technical Director, Appurity -------------------------------------------------------------------------------- 36 

Flipping the Cyber Script --------------------------------------------------------------------------------------------------- 39 

By Mark Sincevich, Federal Director, Illumio ----------------------------------------------------------------------------------- 39 

How To Make The Most of Increased Cybersecurity Spend ------------------------------------------------------ 42 

By Stu Sjouwerman, CEO, KnowBe4 ---------------------------------------------------------------------------------------------- 42 

Common Sense Cybersecurity Steps for Managed Service Providers (MSPs) -------------------------------- 45 

By Wes Spencer, CISO at Perch Security – a ConnectWise Solution ----------------------------------------------- 45 

Threat Intelligence Should Be Shared Not Shamed ----------------------------------------------------------------- 48 

By Nuno Povoa, Eurofins Cybersecurity US ------------------------------------------------------------------------------------- 48 

NATO to Consider Military Response to Cyberattacks ------------------------------------------------------------- 51 

By Doug Britton, CEO, Haystack Solutions --------------------------------------------------------------------------------------- 51 

Know Thy Enemy, Break Their Cyber Kill Chain ---------------------------------------------------------------------- 54 

By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies ----------------------------------------- 54 

Uncovering the Dark Side of the Colonial Pipeline Attack -------------------------------------------------------- 57 

By Alon Nachmany, Director of Customer Success AppViewX ------------------------------------------------------------- 57 

How To Protect Power Infrastructure from Ransomware Attacks ---------------------------------------------- 60 

By Hervé Tardy, Vice President, Marketing and Strategy for Power Quality, Americas, Eaton ------------------- 60 

Ransomware and the Cybersecurity Industry’s Problem of Perception --------------------------------------- 63 

By Jack B. Blount, President and CEO, INTRUSION, Inc. --------------------------------------------------------------------- 63 

Easyjet Data Breach One-Year On: What Are the Next Steps? -------------------------------------------------- 66 

By Aman Johal, Director and Lawyer at Your Lawyers ----------------------------------------------------------------------- 66 



Ransomware, the Ultimate Cyber Threat to Municipalities ------------------------------------------------------ 69 

By Yehudah Sunshine, Head of PR, odix ----------------------------------------------------------------------------------------- 69 

Operational Technology (OT) Ransomware - How Did We Get Here? ----------------------------------------- 72 

By Lior Frenkel, CEO and Co-Founder, Waterfall Security Solutions ----------------------------------------------------- 72 

A Case of Identity: A New Approach To User Authentication Protecting Personal Credentials Remains 

The Weakest Link In Data Security -------------------------------------------------------------------------------------- 75 

By Benjamin Kiunisala, Head of Customer Engagement, TrustGrid Pty, Ltd ------------------------------------------- 75 

A 3-Part Plan for Getting Started with Cybersecurity -------------------------------------------------------------- 79 

By Doug Folsom, President of Cybersecurity and Chief Technology Officer, TRIMEDX --------------------------- 79 

How to Deal with Online Security --------------------------------------------------------------------------------------- 82 

By Gary Alterson, Vice President Security Solutions, Rackspace Technology------------------------------------------ 82 

The Risks of The Vulnerable Iot Devices ------------------------------------------------------------------------------- 85 

By Pedro Tavares, Editor-in-Chief seguranca-informatica.pt --------------------------------------------------------------- 85 

Three Steps to Building Email Cyber Resilience ---------------------------------------------------------------------- 89 

By Toni Buhrke, Director of Sales Engineering, Mimecast ----------------------------------------------------------------- 89 

Guided-Saas NDR: Redefining A Solution So SOC/IR Teams Aren’t Fighting Adversaries Alone, 

Distracted and In The Dark ----------------------------------------------------------------------------------------------- 92 

By Fayyaz Rajpari, Sr. Director of Product Management, Gigamon ------------------------------------------------------ 92 

Hardware Trojan Detection----------------------------------------------------------------------------------------------- 95 

By Sylvain Guilley, General Manager and CTO at Secure-IC ---------------------------------------------------------------- 95 

StayHackFree – Your Kid’s Sports Team ----------------------------------------------------------------------------- 100 

By James Gorman, CISO, Authx --------------------------------------------------------------------------------------------------- 100 

Tips for Avoiding Online Scams During COVID-19 ---------------------------------------------------------------- 103 

By Cindy Murphy, President, Tetra Defense ------------------------------------------------------------------------- 103 

Banking Fraud up 159% as Transactions Hit Pre-Pandemic Volumes --------------------------------------- 108 

By Rajiv Pimplaskar, CRO, Veridium -------------------------------------------------------------------------------------------- 108 

Why Cyber Risk Is the Top Concern of The Financial Services Industry -------------------------------------- 111 

By Paul Schiavone, Global Industry Solutions Director - Financial Institutions at Allianz Global Corporate & 

Specialty -------------------------------------------------------------------------------------------------------------------------------- 111 



What Educational Institutions Need to Do to Protect Themselves From Cyber Threats? --------------- 115 

By Cyril James, Founder and CEO, Secure Triad ------------------------------------------------------------------------------ 115 

Business Continuity: Where InfoSec and Disaster Recovery Meet -------------------------------------------- 119 

By Adam Berger, VP of Global IT and Cloud Operations, Infrascale ---------------------------------------------------- 119 

Biometrics Challenges ---------------------------------------------------------------------------------------------------- 123 

By Milica D. Djekic ------------------------------------------------------------------------------------------------------------------- 123 

Epic V. Apple Trial - Impact of Big Tech Battles on Consumers' Rights -------------------------------------- 125 

By Brad Ree, CTO, The ioXt Alliance --------------------------------------------------------------------------------------------- 125 

How The Pandemic Has Changed the Value of Health Data --------------------------------------------------- 128 

By Aman Johal, Lawyer and Director of Your Lawyers --------------------------------------------------------------------- 128 

Galvanizing the Cyber Workforce in Private Industry ------------------------------------------------------------ 132 

By Brandon Rogers | CEO & Principal Consultant | Paradoxical Solutions, LLC ------------------------------------- 132 

Play 'Smart' on the Crime Scene --------------------------------------------------------------------------------------- 136 

By Milica D. Djekic ------------------------------------------------------------------------------------------------------------------- 136 

The Top 10 Cybersecurity Conferences of 2021 -------------------------------------------------------------------- 138 

By Nicole Allen, Marketing Executive, SaltDNA. ----------------------------------------------------------------------------- 138 



@MILIEFSKY 

From the 

Publisher… 

New CyberDefenseMagazine.com website, plus updates at CyberDefenseTV.com & CyberDefenseRadio.com 

Dear Friends, 

From the 30,000-foot view of the Publisher, the scenery has changed. In the space of only a month, we are seeing 

COVID yielding space to CYBER. Put another way, the pandemic vector is transitioning from health space to cyber 

space. 

There are powerful cybersecurity considerations involved in re-imposing defensive protocols in a concentrated 

network environment, as well as making adjustments for those who will remain in a remote work location. 

In light of more ransomware developments in all areas of activity, it’s imperative for more and deeper cooperation 

among the sectors of government, private and publicly traded companies, nonprofits, and especially small and 

medium-size companies. It’s become apparent that there is no such thing as “too small to attack” for ransomware 

criminals. 

We continue to monitor closely the discussion of whether ransom payments should be prohibited, restricted, 

regulated or otherwise treated by governments. It appears that those organizations doing business with 

government entities, especially in the supply chain of critical infrastructure elements, would logically be among 

the first to be subjected to such government intervention. 

Among the valuable resources we rely on to respond to these threats are the providers of cybersecurity solutions. 

Cyber Defense Media Group has now opened nominations for the 2021 Black Unicorns Awards. Details are posted 

at: https://cyberdefenseawards.com/black-unicorn-awards-for-2021-fact-sheet/ 

Wishing you all success in your own cyber endeavors. 

Warmest regards, 

Gary S. Miliefsky 

Gary S.Miliefsky, CISSP®, fmDHS 

CEO, Cyber Defense Media Group 

Publisher, Cyber Defense Magazine 

P.S. When you share a story or an article or information about 

CDM, please use #CDM and @CyberDefenseMag and 

@Miliefsky – it helps spread the word about our free resources 

even more quickly 



@CYBERDEFENSEMAG 

CYBER DEFENSE eMAGAZINE 

Published monthly by the team at Cyber Defense Media Group and 

distributed electronically via opt-in Email, HTML, PDF and Online 

Flipbook formats. 

PRESIDENT & CO-FOUNDER 

Stevin Miliefsky 

stevinv@cyberdefensemagazine.com 

InfoSec Knowledge is Power. We will 

always strive to provide the latest, most 

up to date FREE InfoSec information. 

From the International 

Editor-in-Chief… 

For the first time, cybersecurity has been among the most pressing topics 

at a meeting of the “Group of 7” countries. The summit took place in mid- 

June, and it appears that the participants are taking firm actions to forestall 

attacks on the elements of their critical infrastructure. 

See, for example: https://www.reuters.com/world/europe/g7-demandaction-russia-cybercrimes-chemical-weapon-use-2021-06-13/ 

These 7 nations have identified certain sources of cyber attacks and have 

demanded that those involved put a stop to them. In particular, the group 

issued a communique which said Russia must "hold to account those within 

its borders who conduct ransomware attacks, abuse virtual currency to 

launder ransoms, and other cybercrimes." 

INTERNATIONAL EDITOR-IN-CHIEF & CO-FOUNDER 

Pierluigi Paganini, CEH 

Pierluigi.paganini@cyberdefensemagazine.com 

US EDITOR-IN-CHIEF 

Yan Ross, JD 

Yan.Ross@cyberdefensemediagroup.com 

ADVERTISING 

Marketing Team 

marketing@cyberdefensemagazine.com 

CONTACT US: 

Cyber Defense Magazine 

Toll Free: 1-833-844-9468 

International: +1-603-280-4451 

SKYPE: cyber.defense 

http://www.cyberdefensemagazine.com 

Copyright © 2021, Cyber Defense Magazine, a division of 

CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a) 

276 Fifth Avenue, Suite 704, New York, NY 10001 

EIN: 454-18-8465, DUNS# 078358935. 

All rights reserved worldwide. 

In an action closely related to this cybersecurity response, the EU has 

recently taken action on a privacy initiative with strong cyber implications. 

We continue to see regulatory actions on privacy which also can have 

positive effects on cybersecurity defenses. 

It’s important to remember, however, that even compliance with laws, 

treaties and regulations may not absolve organizations from liability in the 

event of a data breach or ransomware attack. 

As always, we encourage cooperation and compatibility among nations and 

international organizations in responding to these cybersecurity and privacy 

matters. 

To our faithful readers, we thank you, 

Pierluigi Paganini 

International Editor-in-Chief 

PUBLISHER 

Gary S. Miliefsky, CISSP® 

Learn more about our founder & publisher at: 

http://www.cyberdefensemagazine.com/about-our-founder/ 

9 YEARS OF EXCELLENCE! 

Providing free information, best practices, tips and 

techniques on cybersecurity since 2012, Cyber Defense 

magazine is your go-to-source for Information Security. 

We’re a proud division of Cyber Defense Media Group: 

CDMG 

B2C MAGAZINE 

B2B/B2G MAGAZINE TV RADIO AWARDS 

PROFESSIONALS 

WEBINARS 



Welcome to CDM’s July 2021 Issue 

From the U.S. Editor-in-Chief 

Reflecting on the topics of our articles this month, this is what we see: an increase in the number and 

depth of articles with actionable information for cybersecurity professionals and others interested in the 

trends and implications of these developments. 

In particular, we are pleased to carry over 30 articles this month on lessons to be learned and actions to 

take in response to ransomware attacks, protection of critical infrastructure, and applications of 

cybersecurity practices and programs. 

We’re pleased to include articles on a full spectrum of recognition of threats, preventive measures, 

means of assuring resilience and sustainability, and even the structural aspects of organizations with 

responsibility to maintain the confidentiality, accessibility, and integrity of sensitive data. 

As editor, I would encourage our readers to become familiar with the 16 areas of critical infrastructure 

designated by the Department of Homeland Security, found at www.dhs.gov . Going forward, activities 

in these areas will become more and more important in the world of cybersecurity. 

We strive to make Cyber Defense Magazine most valuable to our readers by keeping current on emerging 

trends and solutions in the world of cybersecurity. To this end, we commend your attention to the 

valuable actionable information provided by our expert contributors. 

Wishing you all success in your cybersecurity endeavors, 

Yan Ross 

U.S. Editor-in-Chief 


About the US Editor-in-Chief 

Yan Ross, J.D., is a Cybersecurity Journalist & U.S. Editor-in-Chief of 

Cyber Defense Magazine. He is an accredited author and educator and 

has provided editorial services for award-winning best-selling books on 

a variety of topics. He also serves as ICFE's Director of Special Projects, 

and the author of the Certified Identity Theft Risk Management Specialist 

® XV CITRMS® course. As an accredited educator for over 20 years, 

Yan addresses risk management in the areas of identity theft, privacy, 

and cyber security for consumers and organizations holding sensitive 

personal information. You can reach him by e-mail at 

yan.ross@cyberdefensemediagroup.com 





















































Colonial Pipeline, JBS Cyber Attacks Shine Spotlight on 

Operational Technology Vulnerabilities for Wide Range 

of Business Sectors 

By Fred Gordy, Director of Cyber Security at Intelligent Buildings 

The recent Colonial Pipeline Co. and JBS SA cyber attacks were about more than the temporary crippling 

of the gas industry in the southeast United States or a short-term delay in meat production. It lays bare 

the vulnerabilities faced by any company that uses operational technology (OT) and information 

technology (IT). 

OT refers to the hardware and software used to change, monitor, or control physical devices, processes, 

and events within a company or organization. Most office workers are more familiar with IT. Having an 

issue with your computer? Call IT. Have a suspicious email in your inbox? Report it to IT. The IT 



department is responsible for keeping the company’s computer systems safe. OT departments may not 

be as commonplace, but the pipeline crisis highlights the need for dedicated OT staff or contracted 

professionals. 

For Colonial Pipeline, the bottom line is they didn’t understand how their own IT and OT systems were 

connected. It takes both to work the problem. Without a fully vetted incident response plan, companies 

are not prepared for system compromises. OT is not exclusive to pipelines, production plants, dams, and 

other infrastructure and industrial environments. All commercial buildings, including office complexes, 

retail, hospitality, education, healthcare, government, and others have OT systems. 

The OT systems in these facilities may include HVAC, elevators, lighting controls, metering, fire safety, 

access control, and other technologies, all subject to hacking, misconfiguration, phishing, and 

ransomware. Call it intelligent buildings, smart building systems, or whatever you like — building system 

cybersecurity matters. Attacks have caused catastrophic operational interruptions in many buildings. 

These attacks generally go unreported because they do not involve compromising sensitive personal 

information of users or customers, but that does not mean they are unimportant. 

The Colonial Pipeline Co. incident made national news because the company’s shutdown led to a fuel 

shortage and price increase in the southeast United States that prompted officials to warn folks not to try 

using plastic bags to stockpile gasoline. Foreign hackers used basic ransomware technology to take 

control of Colonial’s IT systems. To regain control, the company paid the hackers more than $4 million. 

Just weeks after this event, JBS SA, the world’s largest meat processing company, experienced a similar 

cyberattack, which caused temporary closures of plant operations due to affected servers supporting its 

operations in North America and Australia. 

These incidents — and the relatively low level of skill needed to carry out the attacks — should have all 

company leaders moving to assess vulnerabilities of their buildings’ OT systems, as the gateway to IT 

systems. Working with professionals, such as those at Intelligent Buildings, will become even more 

important as the federal government prepares to issue cybersecurity regulations for pipelines that will 

also impact other industries. Complexity will continue to increase and the effect will be felt at a lower 

level, even down to its influence on insurance premiums. 

Even if the regulations do not extend beyond pipelines or other critical infrastructure, they will include 

sound guidance that applies across sectors. For example, one part of the regulations would require the 

periodic review of remote network connections that can be soft spots for hackers to attack. This is 

especially pertinent with so many more people working from home during the pandemic and several 

companies considering at least a hybrid model that allows at least some work from home days. 

While the pipeline and plant shutdowns affected thousands and may seem far removed from many 

business leaders, building tenants know that convenience, productivity, and health and safety play a vital 

role in occupant experience. Additionally, having hackers take control of a building’s elevators or shutting 

down a company’s production lines can also have catastrophic impact on a more local level, so one thing 



is clear: Cyberattacks will continue and companies large and small need increased focus on cybersecurity 

of both IT and OT systems. 

About the Author 

Fred Gordy is Director of Cyber Security at Intelligent Buildings, a 

company focused on Smart Building advisory, assessment, and 

managed services at scale for both new projects and existing 

portfolios. Intelligent Buildings helps customers manage risk, 

enhance occupant well-being, and continually improve performance 

by providing unmatched expertise, practical recommendations, and 

targeted services. Fred can be reached at 

fred.gordy@intelligentbuildings.com. 



Getting The Cloud Right - Security and Compliance 

By Tim Dinsmore, Technical Director, Appurity 

COVID has been responsible for many things. Perhaps cloud computing doesn’t spring to the top of your 

list, but the pandemic has certainly spurred many organisations into adopting a cloud-first strategy. 

Indeed, research carried out by Forbes suggested that the majority of businesses surveyed had 

accelerated their move to cloud due to the pandemic. The underlying force of course is an overall shift 

towards remote working - this is where cloud computing can flex its muscles. But it’s not only remote 

working that has fueled cloud adoption - data (and its inherent security / protection) is a prime factor for 

organisations to move towards a cloud-first working environment. 

With security in mind, cloud service providers (CSPs) offer better security than when an organisation 

stores data ‘on-premise’. However, moving to a cloud-centric way of working still provides challenges 

when it comes to privacy and security. For example, consider the use and handling of data. Once upon 

a time, data management was the sole concern of the business. In recent years however, governments 

and other concerned parties have sought to gain control (thus ensuring higher levels of data security) by 

introducing legislation - the EU’s GDPR for example. Such levels of legislation ultimately adds new levels 



of management complexity for any business that handles and stores data. And it’s not just GDPR that 

businesses need to comply with. There are various data management and protection requirements that 

exist across a number of industries. And whilst most businesses can outsource their operations to some 

degree or other, when it comes to compliance, then the business is left to carry the can. And this can’t 

be taken lightly - if your business falls foul of compliance then you face expensive penalties and even 

reputational damage. 

Visibility is key if your business aspires to a secure and compliant cloud system. Popular, well-known 

SaaS solutions come with inbuilt security as standard - however, they also have blind spots. Also, many 

SaaS offer features that are only offered at the top end of the price range, inevitably making them too 

expensive if you are not at enterprise level. This makes reporting a laborious affair for those tasked with 

putting together and auditing data from a variety of sources. Organisations are also seeing a surge in the 

use of personal devices along with an increase in BYOD policies. This has brought about the need to 

increase the resource assigned to monitoring the escalating use of out-of-scope apps. But adopting 

security and data solutions is a process that needs to be tempered against productivity and user 

experience - this should not be compromised. Employees and users at every level of the organisation 

need access to data regardless of their location or choice of device. 

A Cloud Access Security Broker (CASB) solution can optimise visibility across an organisation, by 

monitoring all user activity within cloud applications (company-approved and shadow apps) and enforce 

both internal policies and external compliance requirements. A CASB solution should additionally be 

adopted as part of a wider SIM/SIEM solution for the ultimate in forward-looking, secure data collection, 

monitoring, and consolidation. Many CASB solutions are designed with compliance in mind. They provide 

granular visibility and control over user interaction with cloud applications and broad audit trails of such 

user activity. They are perfect for centralised control, management and ease of use. 

Taking compliance and data protection seriously requires a proactive approach to data management. By 

understanding where potential data breaches exist, they can be eliminated at source. The risk of infected 

or malicious files making their way into the cloud, or the threat of identity theft for example, are still 

prevalent and must be considered as part of any data protection strategy. Identity theft, perhaps via stolen 

passwords, is a leading cause of data breaches. This makes it imperative for businesses to adopt 

stronger-than-password protection - an absolute necessity. One-time passcodes (OTPs) are used widely 

by businesses as an extra layer of security to password protection, but some are vulnerable to 

interception or phishing attempts. It is highly advisable to choose real-time generated OTPs to boost 

security. 

As businesses of all shapes and sizes increasingly move to the Cloud to manage and store all of their 

data and apps, the need for a robust and comprehensive solution for security and compliance in the cloud 

should be the foremost consideration. At the end of the day, an informed and planned proactive strategy 

affords those in charge all the confidence they need that compliance regulations are being met, rather 

than having to respond in a reactive manner with the ensuing chaos that can arise. Cloud-centered 

working is officially here to stay so let’s do it efficiently, securely and by the book. 




Tim Dinsmore is the Technical Director of Appurity, the cross-platform 

mobility specialists. 

https://appurity.co.uk/security-in-the-cloud/ 



Flipping the Cyber Script 

Getting Ahead of Attackers with a Zero Trust Architecture 

By Mark Sincevich, Federal Director, Illumio 

It’s hard to find a recent cybersecurity attack where the company didn’t have an existing firewall with 

antivirus protection. Last year alone, the world spent $173 billion on cybersecurity. Yet, cyberattacks are 

more detrimental and frequent than ever before. A lack of spending isn’t the issue, the real problem is 

not implementing the correct strategy. 

As an industry, we’ve been focused on having a strong perimeter without considering what happens if, 

or more realistically when, an attack breaches the perimeter. Assuming a breach has occurred is one of 

the tenants of a Zero Trust architecture. If agencies don’t up-level defense, and soon, attackers will 

always be one, or many, steps ahead. 

The Current Security Model Isn’t Working 

Federal efforts such as the Department of Homeland Security’s (DHS) Continuous Diagnostics and 

Mitigation (CDM) Program have provided a dynamic approach to ensure federal civilian agencies install 

‘detect and defend’ antivirus software and have recently upgraded firewall hardware among other 

recommendations. However, as evidenced by the recent SolarWinds and Colonial Pipeline attacks, these 

measures alone are insufficient. 



Additionally, both CDM and the DHS EINSTEIN detection system, deployed to catch known malware, 

missed the SolarWinds attack and failed to report anything was amiss. Since new attacks move quickly 

and often go undetected, deploying assets to 'chase the enemy’ often means the damage is already 

done. The traditional detect and defend approach will not prevent attacks from moving around the 

network, which is when the real harm continues to occur. 

Federal CISO, Chris DeRusha, noted the need for agencies to move in a new direction, “Everyone and 

everything is untrustworthy until we prove otherwise.” 

Rather than relying on “comply-to-connect” security policies, teams must adhere to a key pillar of Zero 

Trust – assume that an initial breach has already occurred and that attackers are already inside of the 

network. 

Thankfully, We Have a New Model That Does Work… 

Here’s the good news: The White House recently released new cybersecurity guidance in an Executive 

Order, directing agencies to adopt the principles of Zero Trust security to modernize and bolster the 

nation’s cyber defenses. A Zero Trust security model gives federal cyber leaders the ability to make their 

networks and agencies more resilient to attacks. 

While Zero Trust is not new, many agencies will need to start implementing this security methodology 

from the ground up – a good place to start is from the inside out. Start by identifying your most valuable 

assets. For most, these live in the data center and cloud. Then, segment these assets from other parts 

of the network. The more granular these segments are, the better. 

Rather than blindly segmenting the network, agencies should leverage Zero Trust Segmentation, which 

establishes allowlists that indicate which apps and workloads can connect. Any connection that is not 

explicitly stated is denied by default. 

When a ransomware attack tries to move from the initially compromised point to the rest of the network, 

Zero Trust Segmentation will stop it in its tracks. In other words, even if malicious actors gain access, 

they cannot move to the applications and data that agencies deem most critical because they are blocked 

by default. This approach will only allow connections between authorized and legitimate applications and 

workloads and will deny everything else. 

Maturing the Zero Trust Model 

Perimeter security and detection are important parts of the cybersecurity equation, but alone, they’re not 

enough to keep us secure. A Zero Trust strategy requires a permanent change in philosophy where 

teams trust nothing in their network by default. 

Teams should architect their networks from the inside out using Zero Trust Segmentation to increase 

visibility and stop the spread of ransomware across systems. As agencies design and implement Zero 



Trust strategies, they will prevent cyber incidents from becoming disasters. Our data, networks, and our 

nation will be safer for it. 


Mark Sincevich is the Federal Director at Illumio. 



How To Make The Most of Increased Cybersecurity 

Spend 

The average organization devotes 21% of its IT budget to cybersecurity. 

By Stu Sjouwerman, CEO, KnowBe4 

With the threat of malware touching more and more organizations, boards are beginning to devote greater 

resources to cybersecurity. The unfortunate truth is that a successful cyberattack can sink a business. 

The average remediation cost of a ransomware attack, for example, is $1.85 million, according to a 

Sophos report. The cost of non-compliance if sensitive data is exfiltrated can also be considerable, and 

the lasting reputational damage is hard to quantify. 

Companies that may have been tempted to gamble in the past are now seeing the financial sense in 

increasing cybersecurity spend. The average organization devotes 21% of its IT budget to cybersecurity, 

according to the Hiscox Cyber Readiness Report; an increase that has been driven by a sustained rise 

in the frequency of cyberattacks recently. 



The growing threat 

In the last 12 months, the percentage of organizations experiencing a cyber-attack jumped from 38% to 

43%, according to Hiscox data, and 73% of those victims experienced more than one attack. A paltry 9% 

reported they were able to defend the attack with no impact on operations. Stronger defenses and better 

preparation are required to avoid potential disaster. 

Beyond the disruptive impact of ransomware or DDoS attacks, there lurks the even worse threat of a fullblown 

data breach. It takes 280 days on average to identify and contain a data breach and costs $3.86 

million, according to the Ponemon Institute. It’s far better to spend a fraction of that amount to bolster 

your defenses and harden your security posture. 

The question is where to spend it to ensure the greatest impact. 

Phishing and BEC attacks 

We know that malware can usually be traced back to a phishing attack. Threat actors are increasingly 

picking their targets and getting smarter about how they approach them. Spear phishing is on the rise 

and sophisticated attacks employ stolen credentials to attack laterally. If a message or email appears 

legitimate, or worse comes from a colleague’s account that has been hacked, the risk of someone clicking 

a link or downloading a file and triggering a malware installation is much greater. The unpleasant truth is 

that anyone can be fooled. Employees of all levels can fall victim to phishing scams. 

Business Email Compromise (BEC) is also a serious concern, with the FBI reporting $1.8 billion losses 

through BEC, which is a staggering 42% of the cybercrime loss total. Much more sophisticated and 

targeted at CEOs, CFOs, and other high-ranking executives, BEC can be the result of months of 

reconnaissance, with attackers building complex infrastructures and hacking multiple accounts in pursuit 

of a big payday. 

Spending effectively to boost security 

The temptation to sink any budget increase for cybersecurity into a tool or platform that promises to 

safeguard your data is understandable, but there’s a better way to strengthen your security. If we accept 

that security systems can always be bypassed by persuading people to unwittingly grant access, then 

it’s clear that the best way forward is to educate and empower your workforce. 

Security awareness training is crucial because by teaching people to spot the common signs of a phishing 

attack will develop the muscle memory you want to see. 

Establish a baseline before you begin and set targets for improvement with periodic tests, such as mock 

phishing campaigns, to determine what progress has been made. Test results and any real-life security 

incidents that occur should be leveraged as learning opportunities and used to inform ongoing training. 

Make sure that you combine training with stronger security controls and strict procedures. At the shallow 

end, you have to provide phish alert buttons to make it easy to report suspicious emails. Reports should 



trigger an investigation that includes feedback for the employee who flagged the message. 

Responsibilities, processes, and expectations should be clear and easily accessible for everyone. 

To tackle more sophisticated spear phishing or BEC attacks, design controls around funds transfers or 

sensitive data sharing. By requiring multiple people to sign off on transactions over a certain amount or 

insisting on in-person meetings or video calls to confirm the legitimacy of data or funds requests, you can 

prevent major losses. Consider the worst-case scenarios and design controls that will block scammers. 

Enlisting your employees 

Employees are your most valuable resource. They have the deepest understanding of your business and 

are invested in helping you strengthen security. Ask for their advice and input to identify the greatest risks 

and learn how best to safeguard their areas of responsibility. Having an open dialog for prioritizing the 

assets that need securing will send a clear message and encourages people to take risk management 

more seriously. 

If you educate employees and equip them with the right tools, you can quickly make vast improvements 

to your cybersecurity stance. Continuous training and a program of attack simulations that emulates realworld 

threats will deliver tangible benefits. 

Ultimately, it’s by enlisting employees that you will squeeze the greatest value from any increase in your 

cybersecurity spend. 


Stu Sjouwerman is founder and CEO of KnowBe4, [NASDAQ: KNBE] 

developer of security awareness training and simulated phishing 

platforms, with over 37,000 customers and more than 25 million users. 

KnowBe4 also offers a KCM GRC platform that provides ready-made 

templates for quick compliance evaluations and reporting. Centralized 

policy distribution and tracking helps users remain compliant, as does 

flagging risky users. Sjouwerman was previously co-founder of Sunbelt 

Software, the anti-malware software company acquired in 2010. He is the 

author of four books, his latest being “Cyberheist: The Biggest Financial 

Threat Facing American Businesses.” He can be reached at 

ssjouwerman@knowbe4.com or company website 

https://www.knowbe4.com/ 



Common Sense Cybersecurity Steps for Managed 

Service Providers (MSPs) 

By Wes Spencer, CISO at Perch Security – a ConnectWise Solution 

Covid-19 changed the IT landscape for a lot of MSPs helping customers, suppliers and partners as they 

struggled to adopt digital services and technologies to make work-from-home models a reality. This rapid 

transformation opened the door for opportunistic cybercriminals to figure out new ways to target MSP 

clients, particularly small and medium-size businesses (SMBs). 

Case-in-point: nearly 73% of MSPs we surveyed for our Perch Security 2021 MSP Threat Report 

confirmed at least one customer had a security incident last year and that nearly 60% of these incidents 

were related to ransomware. 



Why MSPs and their customers are uniquely vulnerable to cybercriminals. 

MSPs are increasingly in the line of fire for cybercriminals, as seen during last year’s crisis. MSPs hold 

the keys to hundreds of organizations that they manage, making it attractive to go after many at once. 

“Buffalo Jump” attacks occur when an MSP is breached and more than one managed organization is 

compromised with malware as a result. Ransomware has also moved to the cloud. 

Attackers understand MSP tools and know how to exploit the vulnerabilities and tools that MSPs depend 

upon. They know that enterprise-grade security solutions are rarely built for use by MSPs, who represent 

a large number of companies, each with its own appetite for risk, or lack of understanding of cybersecurity 

tools or resource constraints. 

Last year marked a rapid digital transformation as more customers shifted to the cloud. This introduced 

a slew of potential new vulnerabilities and risks for uneducated and unshielded customers. In fact, 82% 

of MSPs told us that the budget reserved for cybersecurity increased in 2020, with 75% of respondents 

indicating their spending would increase on average by 12.1% in 2021. Of the three types identified in 

our report - front runners, trying to keep up, and lagging behind - MSPs in the last category that don’t 

prioritize a security-first approach for a fast-evolving threat landscape take the biggest risk in terms of 

time and money loss. 

Common sense cybersecurity steps for MSPs 

MSPs need to take threats seriously, even if their customers don’t. Here are some common sense 

security steps and approaches for MSPs: 

• Recognize you’re a valuable target – Most importantly, if you lack the right staff and training, 

then get on board with trusted partners and peers that can help you grow your security know-how 

and capabilities. 

• Educate customers –Becoming more assertive with customers and bundling security into all 

packages will put you in a stronger position. 

• Evaluate Budget – Educating leadership on the gaps and risks with a self-assessment is the only 

way to get an increased security budget. 

• Get Dedicated Staff – Tools alone aren’t enough; you need human capacity to operate and 

interact with security solutions, whether with dedicated security personnel or managed security 

services. 

• Reduce tool sprawl – Find security controls that work well together and with your current ticketing 

systems and complement your stack. 

• Maximize your spread – When thinking about what to bundle into basic packages, keep in mind 

the realities of today’s increasingly converged customer environments, including must-have 

SOC/SIEM with additional XDR/MDR/EDR layered tools. 

• Tackle passwords and training –Passwords remain a key weak link where security failures are 

concerned, so password reuse training, architecting multi-factor authentication and security keys 

for single-sign-on are important. 



The next big thing: addressing remote workforce security gaps 

What happens when everyone suddenly starts working from home? Security becomes pushed to the 

backburner. With fully remote and hybrid working models set to stay for the long term, MSPs must 

urgently review the effectiveness of existing security controls in terms of where employees – and their 

customers’ users – now work and determine whether an alternative deployment architecture or controls 

are needed to cover the risk. 

There are a lot of timely reasons for MSPs to get their cybersecurity ducks in a row, from protecting 

customers to insurance firms hardening their attitudes toward cyber policies and new compliance 

regulations. Whatever the reason, the time is now. 


Wes Spencer is the CISO at Perch Security, which was 

acquired by ConnectWise in November 2020. He is 

responsible for leading external security strategies, 

working with external constituencies and media. He also 

provides cybersecurity thought leadership to 

ConnectWise’s partners, enabling them to build more 

mature cybersecurity programs for themselves and their 

clients. 

Wes has been in the technology industry for 22 years, 

garnering awards such as Cyber Educator of the Year by 

the Cybersecurity Excellence Awards in 2020. Additionally, 

Wes is a part of multiple boards, serving on the Advisory 

Committee on Cybersecurity at the University of Florida, 

the Advisory Board on Cybersecurity Management at 

Murray State University, and as Chairman at the 

Community Institution Council Advisory Group, FS-ISAC. He has been featured in numerous 

publications, including The Wall Street Journal, ProPublica, Dark Reading, and Bleeping Computer. 

Wes attended Murray State University, earning both a Bachelor of Science in Cybersecurity and a Master 

of Science in Cybersecurity. In 2017, he was named among Murray State’s Alumni of the Year. 

Outside of work, Wes runs a YouTube channel with 30,000 subscribers covering cybersecurity and 

cryptocurrency. He is happily married and enjoys gaming and exploring the outdoors with his four 

children. 



Threat Intelligence Should Be Shared Not Shamed 

By Nuno Povoa, Eurofins Cybersecurity US 

When the DarkSide ransomware group shut down the Colonial Pipelines’ gas distribution that stretches 

from Texas to New Jersey, something rather remarkable happened: the criminals apologized. 

The DarkSide group issued an apology, saying its goal was not in "creating problems for society" but "to 

make money." According to Newsweek, the hacker’s statement released on the Darkweb read in part, 

"Our goal is to make money, and not to create problems for society. From today we introduce moderation 

and check each company that our partners want to encrypt to avoid social consequences in the future." 

The world witnessed a cyber-terrorist organization playing a type of PR game to frame their attack as a 

‘Robin Hood’-type of good deed. 



Applying PR tactics is a new page in the hacker playbook to mask the organizational root causes of 

cyberattacks. Within these companies being targeted, it’s not a factor of negligence, it’s a lack of a clear 

understanding as to what these cybersecurity risks mean and how to translate them into impact. There's 

a big gap between the IT side of the house and the operational departments; each side has a separate 

administration department that doesn't always share security-related information in a timely manner. In 

the Colonial Pipeline’s case, their corporate exposure to the internet was most likely very tight, but 

exposure through its refineries—where they probably have their own security rules and procedures— 

was weaker and may not have matched up more stringent corporate security policies. 

Threat intelligence remains very compartmentalized and there's no central repository to share 

information. In many of these cybersecurity instances, investigators have to go to multiple sources, in 

multiple departments, to begin pinpointing the root cause of the attack. The highly operationalized 

companies who prioritized what is only important to their specific part of the organization prolong the 

attack identification process. From the IT department down to the industrial control systems, there needs 

to be a better accountability structure in place and support for corporate-wide threat/risk data sharing— 

especially in utilities. 

Attackers - A Victimless Mindset 

Oftentimes, criminals who do these types of attacks are under the impression that it’s a victimless crime 

and at one point, the company will get reimbursed by their cyber insurance provider. In the Colonial 

Pipeline case, the hackers are hitting the company’s bottom line as well as affecting the price of gas all 

along the U.S Eastern seaboard. “We are sorry. We wanted to start a little fire not a big fire” is far from 

an already morally dubious ‘Robin Hood’ act. Imagine what would have happened if this was a wellcalculated 

attack on purpose, like the 2015 attack on the Ukraine power grid. 

To combat criminal hackers there needs to be a real-time, institutional understanding of what the threats 

are and a universal repository of data shared among all organizations, similar to how the National Oceanic 

and Atmospheric Administration (NOAA) shares all weather-related information to benefit everyone. But 

the fact remains that companies don't want to talk about their cybersecurity issues fearing bad PR and 

shareholder repercussions. All organizations need to share information on security breaches to create 

resiliency that enables quicker and more effective attack responses. To achieve this resiliency and 

collective response, companies need to have an overall risk management strategy—not just a bunch of 

vendor management tools—to create a reasonable strategy. 

Conclusion 

We live in a world where virtually everything is connected to the internet and there will always be bad 

actors looking for a way in. Companies need to embrace this reality, but a lot of organizations chose to 

downplay their chances of being hacked. The minute devices are connected to the internet there is an 



access port for hackers - companies must take this seriously and be ready to respond with a well-thoughtout 

plan. 

Aligning with “industry best practices” has been the security mantra and goal of many niche industries, 

and while there's clear value in understanding and replicating the security goals within a particular 

technology or business vertical, it's crucial that the experience of other industries is not overlooked in the 

process. In the event of an attack, victims need to quickly disseminate the information so there is a 

universal understanding of the attack and a cooperative solution-share. This stands in stark contrast to 

the present-day concern companies have of simply comparing themselves to competitors in order to 

establish their security posture—oil, gas, energy, and manufacturing organizations are noticeably trapped 

in that mindset. 

Companies should not be relying solely on automated security tools for defense. No security tool is 

perfect, most security software demands constant tuning, writing another correlation rule, ingesting and 

parsing more logs, or configuring alerts based on a new predetermined condition. Adding to the 

complexity, many tools now employ machine learning and behavioral analytics, further abstracting the 

analysts from what is happening in the background. Risk rises alongside the evolving complexity of the 

system, and more than ever organizations need to implement a layered defense containing perimeter 

controls, EDR response, risk assessment processes, patch management, and people managing the 

security logs. Only with a layered defense for visibility and business resilience, and the universal, 

immediate, sharing of intelligence will we be able to remove one of the cyberattacker’s most valuable 

tools—corporate shame. 


As Senior Security Consultant, Nuno Povoa is the lead penetration tester 

at Eurofins Cybersecurity US. For over a decade, Nuno has developed 

strategic and technical insights to actively improve data and business 

resilience for major organizations in the USA, Europe and Asia. His past 

and present clients include major Oil & Gas, automotive manufacturing, 

broadcasting, and health care organizations. 



NATO to Consider Military Response to Cyberattacks 

As NATO Nations Face New Realities, The Worldwide Search For Cyber Talent Picks Up. 

By Doug Britton, CEO, Haystack Solutions 

In yesterday’s Brussels Summit Communiqué - Issued by the Heads of State and Government 

participating in the meeting of the North Atlantic Council in Brussels 14 June 2021, NATO alerts 

that it will consider on a case-by-case basis treating cyberattacks similar to physical attacks against allies. 

The communique indicates NATO may launch a military response against perpetrators. 

Under Article 5 of the 1949 NATO treaty, any armed attack on a NATO ally is considered an attack on all 

alliance members, who may then defend the ally. At the North Atlantic Council meeting in Brussels 

yesterday, the alliance disclosed a Comprehensive Cyber Defence Policy in which Article 5 responses 

may be taken following a cyberattack. 

The move follows several recent high-profile cyberattacks on commercial/industrial sector providers of 

critical infrastructure and services. 



The Loud Clarion Call: 

As a former linguist and HUMINTer in U.S. Army intelligence with U.S. Special Forces Command during 

Operation Enduring Freedom and former cyber-intel initiative contributor at Lockheed, this news jumped 

out to me on several levels. 

First, NATO is acknowledging that Russia, China and other nation-states pose major cybersecurity 

threats, both because of direct actions and because of the third-party threat actors operating on their soil, 

presumably with tacit permission. 

The first half of 2021 has seen both an increase in commercial/industrial critical infrastructure 

cyberattacks, and a dramatic escalation of their potential impact - Colonial Pipeline, food processor JBL, 

as well as commercial sector corporations such as Fuji being just the latest example. 

New findings from researchers with Check Point show that ransomware attacks have increased 93% 

year over year. Moreover: 

• The number of organizations impacted by ransomware has risen to 1,210 in June 2021 alone, 

• Check Point Research sees a 41% increase in attacks since the beginning of 2021, contributing 

to the aforementioned 93% increase, and 

• Surprisingly, despite the high-profile U.S. entities attacked, Latin America and Europe saw the 

largest increase in ransomware attacks since the beginning of 2021, marking a 62% and a 59% 

increase, respectively. 

Elena Elkina, JD, CIPP/US, CIPP/E, CIPT, and Partner with corporate privacy consultants Aleada, noted 

that we live in a world where cyber defense is imperative for companies and countries. “In the light of the 

frequency, complexity, and destructive power of the most recent attacks, the only surprise is that it took 

NATO up to this point to make public this decision and take assertive action. The time for delicacy is 

over, and it is time for NATO to reaffirm its position and request other countries to act respectfully and 

responsibly.” 

Help Wanted in The Hunt for Premium Talent: This communique makes clear that the U.S. and her 

allies must change the urgency and economics around finding the undiscovered cyber geniuses whose 

innate aptitudes make them among the potential best and brightest, and then train them at a new pace 

and price point, and get them into the fight as soon as possible. This is a clarion call for the best talent 

on defense, repelling attackers at the cyber borders, and on offense, deploying cyber weapons against 

adversaries.” 

As Garret Grajek, CEO of YouAttest, observed, the open nature of the democratic nations’ networks 

forces the West to apply pressure on the points of origin of such attacks. “NATO’s message is a strong 

sign to the nations that either harbor or turn a blind-eye to attackers on its soil that these malware 

campaigns will be taken very seriously.” 



The number of open positions in various cyber roles exceeds the number of people that are currently in 

the profession today, with some suggesting that there will be another 145% growth required over the next 

5 years. Our current methods of identifying talent clearly aren’t able to keep up. The industry is also 

suffering from a somewhat polarizing perception of being a bro-network of hackers, at the fuzzy edge of 

ethics and laws. 

To change the math and attract new entrants, the industry needs new perspectives. The sheer number 

of people needed in cyber jobs do not align with the 4+ year timeline of college programs. The economy 

requires the ability to add people into the fight with months of training vs. years. One way we get people 

ready in months vs. years is to focus on learners that have the highest likelihood of internalizing the 

training and putting it to work on cyber battlefields. 

Typically, cyber training has a high percentage of washouts that either don’t complete the training or fail 

to transition into practice. Advances in cognitive testing around cyber would allow for more efficient 

deployment of training resources. Additionally, the same methods can give people with no technical 

background or prior experience, perhaps from philosophy or criminal justice, a pathway to becoming 

cyber warriors. 

NATO’s ability to meet this enemy on the multifaceted battlefield requires that we can find, train, and 

equip the cyber warriors. A revolution in talent development can get us there, if we move quickly. 


Doug Britton is the founding CEO of Haystack Solutions. Doug 

drew from his years in military intelligence and years as a cyber 

executive to craft a better way to find cyber talent. Haystack 

Solutions finds cyber genius using test methods developed for the 

US intelligence community and DOD, transferred out of the 

University of Maryland. Additionally, Doug is the CTO and a 

Director of RunSafe Security. As RunSafe’s CTO, Doug plays an 

essential role in showcasing how RunSafe’s technology changes 

the economics of cyber defense, and he has been instrumental in 

driving the RunSafe technology strategy and roadmap, the 

development of its patent portfolio and IP strategy, managing 

software development teams, and building a world-class security research team. Prior to RunSafe 

Security, Doug founded Kaprica Security which sold its Tachyon business to Samsung. He has also 

managed large-scale security research, reverse engineering, and exploit development programs for 

Lockheed Martin and SAIC. A trained computer scientist, Doug started his career in the National Center 

for Supercomputing Applications at the University of Illinois, before serving as a Russian Linguist and 

Interrogator in the US Army. He has also earned an MBA from the University of Maryland and mentors 

several entrepreneurs and students launching their business. 

Doug can be reached online at @CATA_Haystacks and at our company website 

http://www.haystacksolutions.com/ 



Know Thy Enemy, Break Their Cyber Kill Chain 

By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies 

The Cyber Kill Chain, developed by Lockheed Martin in 2011, appropriates the military’s concept of ‘kill 

chain’ relating to structuring an attack into stages – from identifying an adversary’s weak links to exploiting 

them. In the same way that the traditional kill chain describes the seven steps in a physical attack – 

identification of the target, forced dispatch to the target, decision, order to attack the target, and finally, 

target destruction – the Cyber Kill Chain describes the modus operandi of a typical cyber intrusion in 

seven phases: 

1. External Reconnaissance – Identifying the target’s weaknesses, studying them, and then 

selecting which methods of attack can be executed with the highest degree of success. This initial 

stage involves the harvesting of organizational details such as mailing lists, social network activity, 

information on technology choices, conference details, etc. 

2. Weaponization and Packaging – This phase can take many shapes, including web application 

exploitation, compound document vulnerabilities delivered in Office, PDF or other document 

formats, off-the-shelf or custom malware, or watering hole attacks. Essentially, this is the part 

where the attacker packages up the exploit with a backdoor into a deliverable payload. 



3. Delivery – Transmission of the payload is either target-initiated (a user browses to a malicious 

web presence, leading to an exploit delivering malware, or they open a malicious PDF file) or 

attacker-initiated (network service compromise or SQL injection) – whichever digital method and 

means of transporting or launching the attack best suits the intended target. 

4. Exploitation – Once the payload has been delivered to the user, device or computer, it will work 

to compromise the asset, thereby gaining a foothold in the target’s IT environment. How this is 

achieved technically hinges on the type of digital attack selected. This can involve an exploit 

mechanism, like specialized code that takes advantage of a known software vulnerability to 

execute on a victim’s system. Depending on the victim, zero-day exploitation is a possibility as 

well, but in most cases, it isn’t necessary for adversaries to go to this expense. 

5. Installation – The objective of this step is to establish persistence on the victim system. It typically 

involves the installation of malware, such as a bot client or trojan, that will proceed to run 

whenever the compromised device powers on or reboots. This is typically designed to gain 

persistence at the endpoints where it has access and enables the adversary’s control of the 

application without alerting the target’s organization. 

6. Command and Control – This stage is simple: Set up and initiate a communication mechanism, 

or the “Command and Control (C2) channel” as security experts call it, to exercise authority on 

the affected devices and exfiltrate data remotely. The level of complexity in this step can range 

from simply transmitting data via normal network services (e.g., HTTP, IRC, and others), to 

something much more sophisticated like concealing specially encrypted traffic in tricky, 

unexpected network services (in ICMP messages or DNS options, for example). Some of the 

more modern threats even use social media mechanisms, like Facebook or Twitter posts, for 

command and control. Ultimately, this channel enables the adversary to tell the controlled “asset” 

what to do next and what information to gather. 

7. Actions on Targets – In the seventh and final phase, intruders use the “hands on keyboard” 

access they’ve gained to carry out any malicious actions necessary to achieve their original goals. 

This can involve ransomware installation, keylogging, grabbing password hashes, using the 

webcam to spy, collecting any or all of your files and data, and much more. 

One criticism of Lockheed’s original Cyber Kill Chain is that it doesn’t adequately address a common 

stage of attack known as lateral movement or pivoting. Often, the first device a malicious actor gets 

control of isn’t the intended target, so they must take additional measures to gain access to the key 

systems or data required to accomplish their mission. To account for this, Lockheed considers its Cyber 

Kill Chain to be circular rather than linear. 

Ultimately, understanding the Cyber Kill Chain helps those tasked with protecting systems and data 

identify the different and varying defenses that need to be in place for effective security. While 

cybercriminals are constantly evolving their attack techniques, their approach will always consist of these 

fundamental stages. Effective security defenses rely on intimate knowledge of adversaries and their tools 

and tactics. And, the closer to the first link of the Cyber Kill Chain an attack can be stopped, the better. 



Cybercriminals have a knack for tracking down the weakest point of entry between them and an attack 

on a corporate network, which is often through endpoint devices such as mobile phones, tablets and 

laptops, or other wireless and IoT devices. The massive shift to remote work this past year has inhibited 

traditional corporate network security because it can’t protect users beyond its perimeter. For this reason, 

security strategies for our “new normal” need to strengthen defenses on remote employees’ endpoints at 

home. Endpoint protection (EPP) detects and prevents many phases of the Cyber Kill Chain, completely 

thwarting most attacks or enabling IT administrators to remediate the most complex and sophisticated 

threats in later stages. 

While adversaries must advance through each of the seven phases in the Cyber Kill Chain in order to 

realize success, IT/security teams just need to shut down a single link to break it. Malicious actors can 

often access the most valuable assets of the organization they’re targeting via endpoints in homes where 

employees are doing their work remotely. Therefore, stopping malicious actors at the endpoint radically 

reduces the likelihood of a successful cyberattack. 


Corey Nachreiner is the CSO of WatchGuard Technologies. A frontline 

cybersecurity expert for nearly two decades, Corey regularly 

contributes to security publications and speaks internationally at 

leading industry trade shows like RSA. He has written thousands of 

security alerts and educational articles and is the primary contributor 

to the Secplicity Community, which provides daily videos and content 

on the latest security threats, news and best practices. A Certified 

Information Systems Security Professional (CISSP), Corey enjoys 

"modding" any technical gizmo he can get his hands on and 

considers himself a hacker in the old sense of the word. 

Corey Nachreiner can be reached at @SecAdept on Twitter, or via https://www.watchguard.com/ 



Uncovering the Dark Side of the Colonial Pipeline Attack 

By Alon Nachmany, Director of Customer Success AppViewX 

The Colonial Pipeline, which stretches more than 5,500 miles from Houston to New York and provides 

the eastern United States with almost half of its diesel, gas, and jet fuel, was shuttered after a ransomware 

cyber-attack. The attack was carried out by DarkSide, a cyber-criminal gang that attacks privately-owned 

businesses and donates a portion of what they take to charity. DarkSide also sells the ransomware they 

develop to other cyber-criminals who can then use it to carry out attacks in exchange for part of the profit. 

The impact of the attack hasn’t been catastrophic; there were some spikes in price in some states and 

some gas stations did run out of gas. The national average gas price rose by two cents, and the more 

significant effects have been a result of people's panic buying fuel and businesses making attempts to 

save fuel. But the attack has highlighted just how vulnerable both the pipeline and the American energy 

systems are. 

The Colonial Pipeline is nearly 60 years old. Over time, expansions and loops have been added to the 

pipeline to increase its capacity and make the process more high-tech and automated. Today, the 

company uses pumps, thermostats, sensors, and valves to monitor and control the pipeline, and a robot 

to inspect the thousands of miles of pipeline and find and report any anomalies. All of these technologies 

are connected to a central system that was targeted by DarkSide. Colonial has the pipeline back up and 

running and is now working closely with the Energy Department to ensure that something like this does 

not happen again. 



Outdated and Vulnerable OT Systems are Becoming Easy Targets 

The major factor that impacted the pipeline’s restart is how quickly Colonial could determine precisely 

how much of their infrastructure was affected by the attack. With many Operational Technology (OT) 

systems, there is a lack of visibility, meaning it could take a significant amount of time to determine the 

severity of an attack. OT systems were designed in the 1970s and have become incredibly outdated over 

the last 50 years as technology has become significantly more sophisticated. 

So have hackers. 

These OT systems were built with one thing in mind -- “Availability.” They simply cannot go down. 

Operational Technology is the technology that runs our utilities and critical infrastructure. As listed above, 

OT includes, among others, pumps, thermostats, sensors, and valves—devices that cannot afford to be 

shut down. And often, communications within these systems are not encrypted. In fact, some might even 

use a clear text username and password, if any authentication is required at all. OT systems are simply 

not like IT systems which are managed and secured by an IT team who know the system inside and out 

and can access any aspect of it in seconds to determine the damage caused. Many IT and cyber teams 

aren’t even aware of OT systems and how they are set up, so they aren’t able to easily manage or secure 

them, though this is currently changing. 

This is a big part of why the entire pipeline was shut down. Due to the lack of visibility and not knowing 

what information the hackers had taken, Colonial had no way of knowing what DarkSide could do next. 

So, their safest and quickest option was to halt the entire process until they could determine the extent 

of the attack. But shutting down also indicates that the company does not have a lot of faith in its OT 

security, which is a major red flag and something that needs to be addressed by the industry as a whole. 

Biden’s Cybersecurity Executive Order Comes as a Saving Grace 

In the days since the Colonial Pipeline cyber-attack, President Biden and other officials have prepared to 

issue an executive order requiring federal agencies and their contractors to strengthen their 

cybersecurity. The order created a Cybersecurity Incident Review Board similar to the National 

Transportation Safety Board, which investigates civil transportation accidents in the air or at sea. 

Once the order is put into effect, it will require software vulnerabilities to be reported to the government 

so that they can be addressed rather than being swept under the rug. This would hold companies liable, 

in a way they aren’t currently. If a company’s software doesn’t comply with regulations or they fail to 

report a vulnerability, there are consequences including a possible ban from selling their software to the 

government, which can kill their business’s viability. 

That being said, many of utilities are private for-profit companies. This means that utility companies, like 

other companies, apply the “Cybersecurity Risk Equation.” A simple calculation of the probability of a 

cyber event times the cost of that event would be the budget for securing the solution. What this equation 

won’t take into account is the cost to the general public. For example, as we saw with the short gas 

outages, what if there is no gas? What happens when first responders don’t have fuel? 



Energy and Utilities – You Have No Choice but to Reinvent Your Security 

The Energy and Utility industry is our country’s lifeline providing essential everyday services to people. 

Any breakdown in this critical infrastructure can paralyze the entire system and have debilitating impacts 

on the consumers and a country’s economy at large. Ironically, the sector has been more lax than 

necessary in building a resilient cybersecurity posture. 

The increasing convergence of IT and OT systems and the lack of adequate OT security have introduced 

many security weak links into the infrastructure, making it an attractive target for cybercriminals. The 

Colonial Pipeline attack is a classic case exposing these security gaps and blatantly highlighting the need 

to bridge them with a well thought-through, strong, and sustainable security strategy. 

Biden’s executive order is a welcome move in that direction. Let us hope that the industry will act soon, 

or history won’t be kind. 


Alon Nachmany is the Director of Customer Success at AppViewX. 

He has more than 15 years of cybersecurity experience including 

being a former Chief Information Security Officer (CISO). He has 

worked with critical infrastructure, specifically with operational 

technology, and has consulted for water treatment and power 

companies as well as major airports and governments. In May 

2019, He was a speaker at the DOE’s Cybersecurity Conference. 

He can be reached via Twitter @AppViewX and at our company 

website @AppViewX.com 



How To Protect Power Infrastructure from Ransomware 

Attacks 

Why every point count in the era of increasing intelligence 

By Hervé Tardy, Vice President, Marketing and Strategy for Power Quality, Americas, 

Eaton 

The continuing emergence of IoT is bringing new meaning to the old saying: “a chain is only as strong as 

its weakest link.” Advancements in connected technologies are helping enterprises achieve many 

benefits, allowing them to tap into new data insights and streamline efficiency in exciting ways. However, 

with this integration comes the responsibility to ensure the entire network remains protected, as more 

points of intelligent capabilities create more potential areas for cybersecurity risk. 

Cyber attackers are out in full force and more savvy than ever before, businesses need to consider every 

possible avenue to keep their organization properly protected, including power infrastructure. In this 

article, we’ll cover how to approach the threat of ransomware attacks through power devices and provide 

measures to keep cyber criminals at bay. 

Cybersecurity in current context 

Safeguarding against ransomware strikes has never been more critical. In 2020 alone, the prevalence of 

ransomware attacks in the U.S. skyrocketed by 109 percent, according to the 2020 SonicWall Cyber 

Threat Report, costing businesses more than $75 billion a year, part of which is attributed to downtime 

expenses. Experts attribute the rapid increase of threats to the influx of home-based employees resulting 

from the COVID-19 pandemic. 

When businesses migrate to a hyper distributed IT environment flexibility will grow but the threat of 

growing cyberattacks can’t be ignored. This point was driven home recently when Colonial Pipeline faced 



a cyberattack that shut down approximately 5,500 miles of pipeline, causing panic among travelers facing 

gas shortages and long lines at gas pumps across the eastern seaboard. 

These type of events underscore the importance of safeguarding all network-connected equipment 

against cyber threats, which encompasses uninterruptible power systems (UPSs), power distribution and 

cooling systems. 

A resource guide for power protection 

As hackers continually attempt to overcome the cybersecurity mitigations businesses are putting in place, 

organizations must ensure that there is no point of access for malicious activity. Having a running 

cybersecurity checklist for power management can help IT teams keep their strategy up-to-date and 

effective in the face of evolving threats. 

• Keep certifications in check: One of the best things IT teams can do to drive the most effective 

level of security is to stay on top of cybersecurity certifications being developed by global 

standards organizations like Underwriters Laboratories (UL) and the International Electrotechnical 

Commission (IEC). These organizations are expanding their processes for certifying products as 

secure across the network which includes power backup devices. 

There are UPS network management cards available with UL 2900-1 and ISA/IEC 62443 

certification that have built-in cybersecurity capabilities and features. Buying products with these 

types of safeguards against possible ransomware attacks can transform a UPS into an enterprise 

IoT device with cybersecurity protection. 

• Use software to manage firmware updates: By pairing backup equipment with power 

management software, enterprises have the ability to make timely firmware installation and 

updates to stay ahead of emerging cybersecurity threats. As new threats are identified, 

businesses can work with their technology service providers to embed necessary patches or 

solutions. 

For example, as Ripple20 vulnerabilities were recently identified in the Quadros stack, potentially 

billions of connected devices were exposed to this vulnerability. Power management software 

allows mass updating to apply patches and remove this exposure, at scale, quickly across the 

power 

chain. 

• Look for ways to expand and improve: Although primarily developed to monitor and manage 

UPSs and rack PDUs—as well as gracefully shut downloads during a loss of utility power, even 

in virtualized environments—power management solutions may also be used to provide an 

inexpensive, highly viable air gap solution. The security measure helps keep secure networks 

physically isolated from unsecured ones such as the Internet. 

Power management software has the capability to integrate with Windows operating systems and 

common virtualization systems, allowing IT teams to automatically discover and monitor common 

power infrastructure and IT equipment. Some solutions can also be customized to trigger specific 

actions on a customized schedule in alignment with UPSs and/or power distribution units (PDUs). 



• Merge physical and digital solutions: Enterprises should also consider physical security as part 

of their strategy to keep power management equipment safe. Taking measures to deploy smart 

security locks on IT racks can help to ensure that only authorized personnel have access to IT 

equipment. 

While ransomware attacks are a mounting threat across every business landscape, they are especially 

risky to small- and medium-sized organizations that tend to have smaller security budgets and less 

dedicated IT personnel. By deploying simple measures, companies can help safeguard their IT 

infrastructure against these expensive and detrimental attacks. 

Business continuity planning is a must 

Successful enterprises not only utilize the previously discussed mitigations to prevent becoming a victim 

of ransomware, but also have a comprehensive business continuity plan in place. The first step is to 

make sure that files are regularly backed up. In some cases, this simple process will allow victims to 

recover their data at no cost. 

It is possible that ransomware attackers will attempt to coerce a company to pay the ransom by 

threatening to publicly release sensitive information. For this reason, organizations should always encrypt 

their data to prevent attackers from gaining this type of leverage. It is also possible for ransomware 

attackers to encrypt or destroy backups. Because of this, it is essential to maintain a copy of backups in 

a separate location that is isolated from the network as a last line of defense. 

The journey forward 

Enterprises will keep looking for new ways to use IoT solutions as the technology landscape advances. 

Businesses stand to benefit significantly from this evolution, but cybersecurity must remain top-of-mind 

to protect against operational downtime, data loss and negative impact on lifecycle costs and brand 

reputation. With a multi-faceted strategy that includes power management in the equation, businesses 

can ensure that progress and protection go hand-in-hand. 


Hervé Tardy is Vice President of Marketing and Strategy for Eaton’s 

Power Quality business unit in the Americas region. In this role, Hervé 

manages the Americas product roadmap for power solutions, software 

and connectivity products to reinforce Eaton’s technology leadership. 

You can find more information at Eaton.com. 



Ransomware and the Cybersecurity Industry’s Problem 

of Perception 

By Jack B. Blount, President and CEO, INTRUSION, Inc. 

In the past year, we’ve seen ransomware attacks spike significantly – not only in frequency but also in 

scale. A recent Checkpoint Research report (CPR) noted a 57% increase in organizations affected by 

ransomware within the past 6 months. 

Attacks by groups such as Babuk, Hafnium, DearCry and most recently Darkside have made big 

headlines – impacting large organizations, infrastructure, and public safety. And these attacks don’t just 

affect the target companies – the recent attack on Microsoft affected more than 30,000 organizations 

using Microsoft Exchange servers. Before that, it was the Sunburst breach that, aside from creating other 

calamities, allowed these bad actors to look deep into Microsoft’s software code, browsing to their heart’s 

content. Now, the Colonial Pipeline ransomware attack resulted in one of the country’s biggest suppliers 

of fuel to the East Coast being shut down for days – the ramifications of which are yet to be seen. 

It is scary to think what destructive minds can do once they get unfettered access to the systems that run 

the world’s commerce, education, manufacturing, critical infrastructure, defense, and even entire 

governments. 

The most common worms and malware causing this surge are Ryuk and Maze. But there are other 

popular ones – Bad Rabbit, Cryptolocker, GoldenEye, Jigsaw, LeChiffre, Locky, NotPetya, Petya, and 

WannaCry – to name a few. As these existing malwares, along with an ever-increasing number of 



variants, gain momentum from well-funded and well-organized adversaries, we can expect to see a 

growing number of headlines of compromised organizations of all sizes. 

WannaCry makes a comeback 

It's no surprise that WannaCry is also rearing its ugly head. Back in 2017, the WannaCry outbreak 

infected as many as 200,000 computers within 72 hours. Using the EternalBlue exploit in Windows SMB 

(server message block protocol) the malware could infect new victims on its own, spreading exponentially 

over the internet. WannaCry is still infecting Windows servers for one simple reason: they are unpatched. 

It's astonishing, really, that it’s been four years since Microsoft released the fixes for WannaCry, yet there 

are still unpatched servers that exist today. Common segments targeted by WannaCry are 

government/military, manufacturing, banking, and healthcare. According to CPR, the United States is the 

primary target recipient, garnering 49% of all exploit attempts. Auditing of server software is needed 

immediately to identify unpatched servers, with special attention to those that haven’t been powered up 

in a long time. 

Looking at Cybersecurity from a New Angle 

The reason these ransomware attacks continue to be successful is that the solutions we use to prevent 

cyberattacks haven’t changed much. We continue to focus on signatures and an outside-in approach, 

giving organizations a false sense of security. The reality is that the cybercriminals keep finding new ways 

to breach our outer layers of protection. Once they are in a network, they can live there for months, 

searching for an organization’s most valuable data or assets. Because most solutions don’t monitor 

outgoing traffic, these criminals are able to steal an organization’s data and figuratively walk right out the 

door with it, with little to no monitoring. 

It’s time we start looking at cybersecurity with a new perspective, and focus on solutions that monitor 

both incoming and outgoing traffic. Hackers first accessed SolarWinds on September 4, 2019, and the 

hackers got away with their code long before the malware was discovered. It had been living in that 

network for about nine months before it was detected – it had gotten past firewalls and other solutions 

meant to keep it out. 

No matter the type, malware needs a connection in order to carry out its task of stealing data. Without 

being able to “call home” or connect to an outside server, it cannot deploy malicious code. 

Monitoring and immediately killing these connections is the only way to successfully prevent these 

damaging ransomware attacks that leave organizations in the impossible position to decide whether to 

pay up, or lose their valuable data, information and assets. 




Jack Blount is President and CEO of INTRUSION, Inc., a leading 

provider of entity identification, high speed data mining, cybercrime 

and advanced persistent threat detection products. 

Blount has an extensive career in technology as a visionary in the 

personal computer, local area networking, ERP, mobile computing, 

big data, cybersecurity, and AI fields. Most recently, he was the 

founder of a strategic consultancy for enterprise, startup and federal 

government organizations. Prior to that, he served as CIO of the 

United States Department of Agriculture where he was responsible 

for designing a new, 10-layer cyber security architecture, protecting 

more than 100,000 employees and billions of dollars. 

His experience also includes roles at IBM and Novell, where he served as SVP of Business Development 

and helped expand its business from $50M to $2B in just six years. Blount has served as the CTO, COO, 

and CEO of eight technology, turnaround companies, and has served on twelve technology company 

Boards of Directors. 

Blount graduated from Southern Methodist University with a degree in Mathematics and did his graduate 

MBA studies while working at IBM. 

Jack can be reached online at our company website https://www.intrusion.com/ 



Easyjet Data Breach One-Year On: What Are the Next 

Steps? 

By Aman Johal, Director and Lawyer at Your Lawyers 

The EasyJet 2020 data breach 

On Wednesday 19 th May, we passed the one-year anniversary of the EasyJet 2020 data breach hitting 

the headlines, one of the largest data breaches in UK history. 

Resulting from a “highly sophisticated” attack, the personal details of around nine million EasyJet 

customers were exposed to hackers. While the airline was quick to claim that there was no evidence that 

any personal information had been misused, it did admit that, as well as email addresses and travel 

details, the hackers had stolen the credit card details of approximately 2,208 customers. 

The stolen credit card data are understood to have included the three-digit security code – known as the 

CVV number – on the back of cards. 

In a statement following the hack, EasyJet said it had gone public to warn the nine million customers 

whose personal details had been exposed. However, it did not provide any further details about the nature 

of the attack or the suspected motives. Instead, the airline’s own investigation suggested that hackers 

were targeting the company’s intellectual property, rather than hunting for information that could be used 

to commit crimes like identity theft. 



The airline industry’s poor record on cybersecurity 

The airline industry does not have a great track record concerning cybersecurity. In 2018, it was 

discovered that the personal details of almost half a million British Airways customers had been harvested 

by hackers over two separate attacks. Users of the airline’s website and app had their data copied to 

criminals who had exploited a weakness in the payment processing systems. The personal information 

exposed included full names, debit and credit card numbers, addresses, email addresses, and CVV 

numbers. 

The Information Commissioner’s Office originally announced an intention to fine British Airways £183 

million for the breach. However, this was dramatically reduced to just £20 million in October 2020. 

You would hope that the British Airways data breach debacle was a warning to the airline industry. 

Unfortunately, it appears that such warnings have fallen on deaf ears. On May 23 rd , Air India said that 

the personal data of about 4.5 million passengers had been compromised following an incident at SITA, 

the Indian flag carrier airline’s data processor. 

The stolen information included passengers’ names, credit card details, dates of birth, contact 

information, passport information, ticket information, and frequent flyer data. 

While Air India claimed it did not hold CVV/CVC data, it did encourage passengers to change passwords 

“wherever applicable to ensure the safety of their personal data”. 

The potential compensation payouts for EasyJet 

In this sense, the type of data stolen in the Air India hack is similar to the EasyJet breach in 2020, so we 

can use past breaches – such as the British Airways hack – to estimate the likely compensation pay-out 

for victims of EasyJet’s data breach. 

For the British Airways data breach, we believe that the average compensation awards could be in the 

region of £6,000 for each claimant, meaning that the airline could face a potential compensation bill of 

up to £2.4 billion. Based on current case law, which is the foundation on which the Judge will assess the 

British Airways case, together with data from our own settled claims, we can estimate that average 

settlements for data protection and privacy breach cases are in the region of £6,500 for damages, with 

common amounts ranging from around £500 to £15,000. 

Any victims of the EasyJet data breach should keep these compensation figures in mind and remember 

that data breaches are often caused by businesses not adhering to best practice when implementing 

cybersecurity measures. The process of claiming compensation is often far simpler than first imagined 

and, as illustrated by our updated compensation estimates, there can be significant financial rewards for 

claimants seeking the compensation they are owed. 




Aman founded consumer action law firm Your Lawyers in 2006, 

and over the last decade he has grown Your Lawyers into a 

highly profitable litigation firm. 

Your Lawyers is a firm which is determined to fight on behalf of 

Claimants and to pursue cases until the best possible outcomes 

are reached. They have been appointed Steering Committee 

positions by the High Court of Justice against big corporations like British Airways - the first GDPR GLO 

- as well as the Volkswagen diesel emissions scandal, which is set to be the biggest consumer action 

ever seen in England and Wales. 

Aman has also has successfully recovered millions of pounds for a number of complex personal injury 

and clinical negligence claims through to settlement, including over £1.2m in damages for claimants in 

the PIP Breast Implant scandal. Aman has also been at the forefront of the new and developing area of 

law of compensation claims for breaches of the Data Protection Act, including the 56 Dean Street Clinic 

data leak and the Ticketmaster breach. 



Ransomware, the Ultimate Cyber Threat to 

Municipalities 

With 45% of ransomware attacks targeting municipalities, something must shift the needle. 

By Yehudah Sunshine, Head of PR, odix 

Municipalities face the risk of persistent cyber-attacks in every direction. From embedded malware in file 

attachments, malicious code uploaded via removable media, and the endless risk of viruses and dubious 

data uploaded via self-service/ file transfer portals, municipalities, and local governments are increasingly 

in the crosshairs of hackers, state-sponsored cyber campaigns, and opportunist looking to cash out at 

the expense of local coffers. 

Much like in the physical battlefield, the only way the manage the risks and prioritize threats is through 

triage. In the case of municipalities that means focusing on ransomware and its devastating effects to 

secure data and vital resources needed to keep communities operating. 

Why are municipalities so vulnerable to attack? 

Municipalities have become a beacon to cybercriminals due to their role as a storehouse to vast swaths 

of private data which are more often than not poorly protected by out-of-date security protocols littered 

with excessive systems admins and countless security gaps. The data, ranging from tax information and 



voting records to social security numbers, and everything in between, if compromised can result in 

extensive financial liability to the municipality and far greater loss to the individuals. 

Further exacerbating the situation, municipalities by law are required to be transparent and provide their 

constituency with vast data points on any number of vital services or projects they may implement. While 

the public may appreciate this consideration, hackers have capitalized on this obligation to exploit the 

public infrastructure for personal gains. 

“Because local governments maintain sensitive personally identifiable information, they have a fiduciary 

duty to safeguard that information. As large-scale data breaches continue to make headlines, local 

governments must make cybersecurity a priority.” 

Between the financial obligations and the massive and publicly embarrassing cyber-attacks which have 

plagued cities for the past 5 years, many prominent voices are demanded broader municipal cyber 

accountability and a cohesive strategy to mitigating cyber risk. 

Why do 45% of ransomware attacks target municipalities? 

Municipalities have become a major focal point of hackers because they often fail to implement effective 

data protection policies. From rarely backing up data, not implementing multifactor authentication, failing 

to provide consistent cybersecurity education for their employees to not deploying innovative endpoint 

and cloud security solutions, municipalities' significant and easily exploited weak points make them 

particularly susceptible to attack. 

Complicating matters “Small and medium-sized cities [often] do not have the resources or funds they 

need to invest in IT security. Cities also struggle to keep pace with technology. For example, refresh 

cycles may not be timely because of the required continuity of their services for its citizens, or new IPbased 

delivery activities are implemented on aging computer systems. Additionally, municipalities deal 

with fractured organizational structure and public-sector bureaucracy, which lead to slower 

deployment of security measures.” 

As a direct culmination of a lack of effective IT governance and a proven history of paying ransoms, 

attackers continue to target municipalities for massive financial gains. 

How to mitigate the risks? 

Municipalities must tactfully balance the needs for prevention, deterrence, identification, and discovery 

of the attack itself, with an effective strategy for the response, crisis management, damage control, and 

eventually a protocol to return to regular operations. The complexity of this task demands a 

comprehensive understanding of the interplay of malicious players and the expanding attack surface to 

win the battle of critical infrastructure cybersecurity. 

It is critical that municipalities prioritize cyber threats, allocate much-needed funds to implement important 

technical solutions, and instill a holistic cybersecurity culture from the top down through the support of 

key leaders and ongoing employee education to build cyber resilience the application of industry best 

security practices. 




Yehudah Sunshine, Head of PR, odix. Bringing together his 

diverse professional cyber know-how, intellectual fascination with 

history and culture, and eclectic academic background focusing on 

diplomacy and the cultures of Central Asia, Yehudah Sunshine 

keenly blends his deep understanding of the global tech ecosystem 

with a nuanced worldview of the underlying socio-economic and 

political forces which drive policy and impact innovation in the 

cyber sectors. Yehudah's current work focuses on how to create 

and enhance marketing strategies and cyber-driven thought 

leadership for odix, an Israel-based cybersecurity start-up. 

Sunshine has written and researched extensively within 

cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli 

diplomatic inroads, Israeli innovation and technology, and Chinese economic policy. Yehudah can be 

reached online at (Yehudah@odi-x.com & https://www.linkedin.com/in/yehudah-sunshine/) and at our 

company website http://www.odi-x.com 



Operational Technology (OT) Ransomware - How Did We 

Get Here? 

By Lior Frenkel, CEO and Co-Founder, Waterfall Security Solutions 

In the last 18 months, ransomware was responsible for all disclosed shutdowns of OT networks, 

manufacturing plants and other physical operations. High profile victims include the Colonial Pipeline, 

JBS meat packing plants, a Honda factory and X-FAB's semiconductor plants. What's going on here? 

Mega-Trends 

To an extent, this problem reflects long-standing trends in industry and in computing. For decades, both 

business operations and more recently physical operations, have been automating steadily, deploying 

ever more computer networks and ever more software. All this comes “built in” with hidden defects, 

software vulnerabilities and the potential for mis-configuration and mis-operation. The result is a steadily 

increasing population of targets for ransomware. 

Looking deeper, networking is the lifeblood of modern automation. The problem is that all cyber-sabotage 

attacks have the ability to move between computers and within networks, and all network connections 

can convey such attacks. With a constantly increasing pool of connected targets, that we see steadily 

more cyber attacks shutting down physical operations makes perfect sense. 



A second reason for the increase in ransomware is, bluntly, cryptocurrency. In the early days of 

ransomware, criminals depended on credit card payments, bank transfers, or even cash. However, credit 

card vendors were not keen to cooperate in criminal ventures, bank transfers were easily traceable, and 

cash required physical access. Reliable, untraceable, and anonymized payment processing was a 

problem. Today, pretty much all ransomware actors receive payment in cryptocurrencies, as they are 

much less susceptible to influence by legitimate authorities than are other payment mechanisms. Entire 

underground economies have emerged to launder such funds. With reasonably reliable ways of being 

paid, the profits for ransomware criminal groups are increasing sharply. 

A third reason for the increase in ransomware with OT consequences is the widespread use of 

sophisticated attack tools and techniques. In the last decade, nation-state-grade attack tools have leaked 

into the public domain. The most prominent such incident was the Shadow Brokers releasing materials 

they stole from the “Equation Group,” a group widely believed to be a branch of the US National Security 

Agency (NSA). There was a day when many organizations would ask “Yes, these nation-state attacks 

are powerful, but we're just not that important - why would anyone spend an attack that powerful on us?” 

Today the answer is clear - criminal groups are using the tools and techniques of nation-states. These 

groups target anyone with money. Do you have money? 

OT Consequences 

The most serious OT consequences attributed to ransomware in the last 18 months have been production 

shutdowns, with the biggest in US history being the recent Colonial Pipeline shutdown. Details of exactly 

how the ransomware triggered these shutdowns vary - some ransomware, such as SNAKE/EKANS 

variants, target and penetrate OT systems specifically. Other ransomware targets IT networks and 

impairs IT systems that are vital to physical operations. Still other attacks target IT networks, but 

enterprises shut down their physical operations as precautionary measures. In all cases, the result is the 

same, with the same damage. 

Enterprises with physical operations are valuable ransomware targets, whether or not OT networks are 

specifically targeted by the criminals. This is because OT networks are soft targets. A great deal of 

production equipment is very sensitive - recertifying an OT network for safe and reliable operation after 

a significant software upgrade can be extremely expensive and can take days, weeks and sometimes 

even longer. Most organizations are not willing to incur this expense at all frequently, resulting in large 

numbers of old versions of operating system and applications running in those networks. An attack that 

gets loose in one of these networks can do a great deal of damage very quickly. 

Couple this with the fact that physical operations represent huge investments in infrastructure, raw 

materials, and lost opportunities during shutdowns, and it is no surprise that many industrial operations 

are willing to pay large ransoms in hopes of materially reducing the duration and severity of shutdowns. 

In recent events, Colonial Pipeline has admitted to paying $4.4 million dollars in ransom, though part of 

that ransom was later recovered by authorities. The JBS organization is reported to have paid $11 million. 



OT Cyber Solutions 

To try and reduce OT consequences due to ransomware attacks, enterprises need OT-specific security 

monitoring solutions, coupled with IT security monitoring systems, good backups regimes, and practiced 

incident response teams. We should not, however, confuse these measures with each other. In terms of 

the NIST Framework, we prevent downtime with protective security measures, while we reduce the 

duration of downtime with detective, responsive and recovery measures. The top goal of any OT security 

program is to prevent production downtime due to ransomware. 

OT-specific protective measures include securely designed network segmentation, use of unidirectional 

security gateways, secure scheduled updates, and very secure remote access systems. Making physical 

operations networks impervious to ransomware both reduces production risks and reduces the urgency 

of any ransomware payment. When IT networks are compromised by ransomware, robust OT security 

measures give us the time we need to recover those IT systems from backups without paying the 

criminals. Robust OT security allows production to continue throughout the IT outage - gasoline is still in 

the pipeline, and finished goods are still coming out of the manufacturing plants. 

What do we do? 

Do not believe criminals who claim, like Darkside did with the Colonial Pipeline, that OT consequences 

are not their intent. So long as enterprises with physical operations are more likely than average to pay 

ransoms, criminals will continue to target those enterprises. Only when we stop paying the criminals for 

targeting businesses with industrial operations will the criminals find other targets. 


Lior Frenkel, CEO & Co-Founder of Waterfall Security 

Solutions. With more than 20 years of hardware and software 

research and development experience, Mr. Frenkel leads 

Waterfall Security with extensive business and management 

expertise. As part of his thought leadership and contribution 

for the industry, Lior serves as member of management at 

Israeli High-Tech Association (HTA), of the Manufacturers’ 

Association of Israel and Chairman of the Cyber Forum of 

HTA. Lior can be reached at @WaterfallSecure and at our 

company website www.waterfall-security.com. 



A Case of Identity: A New Approach To User 

Authentication Protecting Personal Credentials Remains 

The Weakest Link In Data Security. 

By Benjamin Kiunisala, Head of Customer Engagement, TrustGrid Pty, Ltd 

Protecting identity and personal credentials remain the weak link in data security. As infosec managers 

strengthen the wall around enterprise assets and apply new strategies to protect cloud data, individual 

users still fall prey to phishing attacks and have their credentials stolen, putting enterprise data at risk. 

Identity theft continues to be the primary source of data breaches, and with the new movement toward 

work-from-home following the COVID-19 pandemic, it has become more important than ever to secure 

individual identity and prevent data from being compromised due to human error. It’s time to rethink user 

authentication. 

The number of cyberattacks designed to steal personal identity continues to skyrocket. According to the 

U.S. Federal Trade Commission, the number of identity theft cases doubled from 2019 to 2020, with a 

spike immediately following the coronavirus lockdown. The new work-from-home business culture makes 



identity theft even more attractive since employee credentials can unlock enterprise access as well as 

enabling identity theft. As a result, employers are seeing a rise in problems related to stolen credentials. 

With the coming of the COVID-19 pandemic, organizations found themselves scrambling to extend 

security to work-from-home employees. To promote business continuity and still maintain systems 

security, companies realized they had to secure employees’ home networks, laptops, and mobile devices. 

At the same time, more than half of workers reported having to find a workaround to security measures 

to do their jobs. 

The old security strategies are inadequate to support the new remote workforce. What is needed is a 

new approach that makes personal security and identity authentication easy, foolproof, and costeffective. 

A digital trust ecosystem could be the golden ticket to security. But, organizations must first 

learn from the pandemic and adapt to the challenges it presents. 

Security Lessons Learned from the Pandemic 

Among the emerging trends from the pandemic is the new work-from-home culture. According to Gartner, 

82% of corporate leaders plan to make some form of remote work-from-home policy permanent. What 

started as a scramble to support a new remote workforce is now an enduring part of the enterprise 

landscape. While maintaining firewalls and malware protection is still essential, infosec managers also 

must give more attention to securing home offices and validating remote worker credentials. 

Authenticating individual employees is an ongoing challenge for the enterprise. While reports of malware 

attacks are down, phishing attacks are on the rise with companies reporting an average of 1,185 attacks 

per month, with most attacks seeking to acquire user credentials. No matter how resilient a company’s 

security measures are, user behavior continues to be a wild card. Any employee can be fooled by a 

phishing attack and inadvertently hand their keys to corporate access to a cybercriminal. 

Personal identity continues to be the weak link in security. By acquiring the right personal information, 

cybercriminals gain unauthorized access to business assets, personal finances, medical records, and 

more, or they can use stolen credentials to open fraudulent accounts. Since individual user authentication 

is the weak point in security, there must be a better approach to secure identity. 

The ideal solution is to create a unique, foolproof personal identifier that stays with the individual. Such 

an identifier must be able to authenticate identity without revealing personal information that can be used 

for identity theft, such as a social security number or even a mother’s maiden name. Managing these 

individual credentials also must create little or no work for infosec while still giving them the means to 

control access to enterprise assets. 



Implementing a digital trust ecosystem based on distributed ledger technology like that used in blockchain 

offers the ideal approach. 

Creating a Digital Trust Ecosystem 

Distributed ledger technology has created new possibilities for managing digital identity. Unlike a 

traditional database, distributed ledgers record transactional or record details in multiple locations at the 

same time, with each node verifying every item to create a consensus. For identity management, using 

distributed ledger allows you to authenticate identity or credentials without exposing the credentials 

themselves. The only thing that is revealed is that the distributed ledger system has verified the 

information to prove identity. 

Using distributed ledger technology, you can create a digital trust ecosystem as a SaaS platform. This 

approach can be used by a single organization, such as a company, or it can be established as a 

confidential consortium where multiple entities use the same digital identity verification system. 

While the underlying technology of a digital trust ecosystem is somewhat complex, the practical approach 

is simple: 

1. It starts with a trusted attribute authority that validates identity information. It could be a 

government agency such as the Department of Motor Vehicles, or it could be a private company. 

2. Users who want to participate need to onboard the consortium. That way they stay in control of 

who has access to their identity data. 

3. During the onboarding process, their identity is verified. The attribute authority validates 

individuals using whatever information is necessary, such as a social security number, birth certificate, 

or login credentials, and that data is protected using a distributed ledger. The individual is then given a 

unique authenticator, such as a QR code. 

4. Any organization can opt into the same consortium to authenticate user identity. Since none of 

the credentials themselves are exposed, there is no risk of identity theft, and there is no longer any need 

to share passwords or login credentials. 

The benefit of this approach is the unique identifier follows the user, so the same code can be used for 

multiple applications. Anyone who wants to use the system simply downloads a QR reader for their 

smartphone. There is no added work for IT or infosec to secure enterprise users, and the same identity 

can be extended to partners, suppliers, and other parties without having to set up new credentials each 

time. 



The future of enterprise security needs to focus more on secure identity authentication and less on 

protecting assets with passwords and biometrics. By adopting distributed ledger technology, 

authentication credentials can be made secure while giving users a digital identity card that is impossible 

to counterfeit and can potentially be used everywhere. The potential applications for a digital identity card 

go well beyond employee verifications. It can be used for professional certifications, travel authorization, 

even for vaccine passports. You can protect personal medical data in the same way you protect 

passwords and personal identifiers. The technology is already being used in New South Wales to issue 

digital drivers’ licenses and professional trade licenses. 

By having security reside with the individual rather than using passwords or access keys, you place the 

user in control of authentication while providing infosec managers with the means to authenticate 

employees without adding security overhead. That’s a secure and scalable approach for everyone. 


Benjamin Kiunisala is Head of Customer Engagement at TrustGrid Pty, 

Ltd. TrustGrid enables governments and organizations to create 

secure digital ecosystems anywhere in the world with sovereign control 

of data and maximized citizen privacy. TrustGrid orchestrates multiple 

state-of-the-art technologies into a single platform, combining 

innovative cryptography, data privacy, confidential computing and 

distributed ledger technology into a highly customizable digital 

ecosystem platform. Benjamin can be reached online at 

benjamink@trustgrid.com and at our company website 

http://trustgrid.com/ 



A 3-Part Plan for Getting Started with Cybersecurity 

By Doug Folsom, President of Cybersecurity and Chief Technology Officer, TRIMEDX 

Imagine a hospital has just added a host of MRI scanners and infusion pumps to its network. 

Responsibility for the security of the devices is murky: Are clinical engineers the primary caretakers, or do 

information technology teams monitor those devices? It’s often unclear, and in the confusion, devices are 

left vulnerable. The situation is a cybercriminal’s dream, and it happens more often than expected. 

Years ago, the lines on device management were clear: Clinical engineering (CE) monitored medical 

equipment while IT managed the network and the corresponding data. However, the increase in the sheer 

number of devices connected to the internet has blurred these lines and made it easier for devices to fall 

through the cracks. 

Not only that, but additional “gray zone” connected devices are often overlooked. If a refrigerator is used 

to store COVID-19 vaccines, is it considered a medical device? Such questions have not all been 

answered, leaving holes in cybersecurity efforts that criminals are taking advantage of. 

Thankfully, having a robust cybersecurity plan can help hospitals prevent threats by assigning ownership 

to connected devices, effectively eliminating much of the vulnerability for cybercrime. 



Cybersecurity is not optional 

Let’s be clear: Hospital cybercrime is not going away anytime soon. With nearly 70% of medical devices 

expected to be network-connected by 2025, hospitals will be more vulnerable than ever, creating a need 

for awareness of what they own and who's responsible for it. 

While not the prime entry point for a cyberattack, connected devices are an opening for cybercriminals 

to exploit. Criminals have recognized the ability to “kidnap” devices, shut down critical hospital operations 

and demand a ransom. A recent joint advisory by the Cybersecurity and Infrastructure Security Agency, 

the Department of Health and Human Services and the FBI says there’s “credible information of an 

increased imminent cybercrime threat to U.S. hospitals and healthcare providers.” 

Not only are hospital cyberattacks dangerous for patients, but they’re costly. According to research by 

Comparitech, last year alone over 91 US healthcare organizations suffered some type of ransomware 

attack, with an estimated cost of nearly $21 billion. The resulting administrative effects of an attack — 

canceled appointments, lost records and potential lawsuits — can prove damaging both financially and 

reputationally. 

Step 1: The framework 

The first step toward establishing medical device cybersecurity is to develop an overall idea of what 

effective cybersecurity efforts look like. The NIST Cybersecurity Framework Core defines five basic 

activities to get there: 

Identify: Analyze existing inventory to establish an accurate baseline to work with. Determine whether 

security policies and procedures are aligned across CE and IT responsibilities. 

Protect: Ensure that physical and remote access to CE assets are protected. Develop a formal 

management process for any clinical assets that lasts throughout installation, maintenance, transfers and 

disposition. 

Detect: Monitor personnel activity to detect potential cybersecurity threats. Continuously improve 

detection processes through monitoring and adjustment. 

Respond: Establish a response plan in case of an incident. Implement established criteria for any 

incident reports. 

Recover: Plan recovery training and testing for CE and IT teams in response to an incident. Consider 

hospital reputation in recovery plan development. 

The first and most important step toward effective cybersecurity efforts is to ensure that CE and IT teams 

are aligned on ownership of devices with a roadmap for shared responsibility. 

Step 2: The action plan 

After you’ve walked through the framework to develop a sense of where you’re currently at, the next step 

is to implement a plan of action. Be sure to empower your core CE team with reliable inventory assets 

before it joins the cybersecurity effort. Having a comprehensive assessment of inventory allows both 

teams to better identify risks and cross-reference vulnerabilities. 

Once teams have been assigned responsibilities, move to other functions to ensure device security. 

Prioritize data collection and vulnerability tracking and research, as well as OEM management and 

relationships. Monitor patches and address them efficiently. Having an idea of current and potential 

device vulnerabilities can best help CE and IT teams spot problems before they become threats. 



As threats continue to evolve, it’s important that cybersecurity action plans evolve with them. 

Implementing all of these pieces together enables CE and IT teams to reduce, detect and counter threats 

before they have a chance to do lasting damage. 

Step 3: The execution 

With a tailored action plan in place, you’re finally ready to set everything moving. Don’t treat medical 

devices like normal workplace devices — they aren’t. A laptop in the office is not the same as a monitor 

in the hospital. 

OEMs are great resources for helping to address vulnerabilities because they know the devices better 

than anyone. Ensure that all patches and remediations are validated by the manufacturer before 

implementing them. If unsure of installation procedures, request instructions and updated manuals. The 

best way to start is by identifying clinical equipment with critical vulnerabilities for which there are already 

OEM-validated patches to install. Be sure to record those efforts in the computerized maintenance 

management system (CMMS) inventory. 

Consider integrating a network-based medical device monitoring solution as well. These tools help in 

streamlining and expanding connected device inventory, and they enable collaboration and transparency 

between CE and IT teams. 

It’s easy to be shaken by the potential of a cybersecurity threat, especially given what attacks can do to 

hospital systems. Luckily, there are solutions available for administrators who are ready to implement 

them. By using a framework to get started, a plan of action and effective execution, hospitals have the 

ability to help their teams protect against the damage that cyberattacks can cause. 


Doug Folsom is president of cybersecurity and chief technology 

officer for TRIMEDX, an industry-leading, independent clinical 

asset management company delivering comprehensive clinical 

engineering services, clinical asset informatics and medical device 

cybersecurity. Doug has nearly 30 years of information technology 

leadership experience. Previously, he held positions at Kohl’s 

Department Stores, Sterling Commerce and The Spiegel Group. 

He earned his master’s degree in business from Ohio University 

and a bachelor’s degree in electrical engineering technology from 

DeVry Institute of Technology. 



How to Deal with Online Security 

Security Considerations for the Post-COVID, Cloud-First World 

By Gary Alterson, Vice President Security Solutions, Rackspace Technology 

Organizations have always had to think about protection. Locks on the storefront may have done the job 

back in the day, but as interactions become more digital, organizations face an increasingly elaborate 

threat landscape. The constant cycle of change, reaction and evolution is like an arms race between 

defenders and adversaries. 

A decade ago, we were talking about firewalls and how to protect networks. Today, the focus is on how 

to protect companies as they move to cloud native environments, tinker with low-code/no-code 

development and exploit data with AI and machine learning. The new technology landscape means 

preparing for new cybersecurity realities. As organizations forge into adopting cloud native environments, 

there are four areas that require significant focus. 



1. Endpoint and user protection 

Despite having the best intentions, the biggest security vulnerability in any organization is your 

own people. Even with cybersecurity training, employees make mistakes and it only takes one 

mistake to create a catastrophe. 

Train your people to be a little bit more paranoid. Users should be on high alert for suspicious 

emails, social engineering attempts and other low-tech intrusion tactics. Establishing visibility via 

sophisticated endpoint security monitoring and management tools adds an extra layer of 

protection to detect and respond to intrusions. Basic endpoint security diligence can no longer be 

achieved via basic anti-virus. 

2. Zero Trust 

As you provide access to your systems, it’s critical that you ensure that the person on the endpoint 

and the endpoint itself are trustworthy. Even after authenticated into the network, users should 

only be able to access what they need to complete their job — so that access to the most sensitive 

data is limited. That's the basis of Zero Trust security: don’t extend full trust to anyone or anything. 

Multi-factor authentication helps to further confirm an authorized device is used by an authorized 

individual. With so many workers using BYOD and working off of the corporate network, 

authentication should also validate the trustworthiness of the device itself by, for example, testing 

for patching or up-to-date security software. 

To limit the impact of a potential incident, be sure to implement layers — like segmentation, 

intrusion prevention and host-based protection — to help provide defense-in-depth security. With 

overlapping layers, if one fails, there’s another layer of protection. 

3. System hygiene 

Many of the security breaches we hear about in the news could have easily been avoided. Why? 

Because they hadn’t installed the latest security patches. The result is usually weeks of cleanup, 

significant financial impact and the possibility of significant business disruption. 

Hygiene is just as important in your cloud environment. Unlike physical systems, cloud hygiene 

embraces automation. Instead of patching, you'd bring up new images and take down old images 

and VMs, but it's the same basic hygiene principles. As you start using serverless and functions 

to build applications, make sure that you're taking care of basic security hygiene within your code. 



4. Security automation 

Security threats can happen in seconds, so AI and machine learning are becoming indispensable 

in quickly identifying and acting on anomalies. Behavioral analytics monitors the behaviors of 

objects in the cloud, network devices or users to see potential threats. Having that computerbased 

eye lets you detect and respond to incidents before they turn into attacks. 

Instead of waiting for someone to manually respond to an alert, automated tools can be set to 

detect atypical behavior, determine whether it's malicious and respond to it based on your 

predetermined parameters. Automation enables the system to see when activity looks odd and 

flag it or automatically block access altogether. 

Security hasn’t changed, but the tools and threats have evolved. Focusing on these four areas, in addition 

to manning security basics, is the foundation of a modern cybersecurity strategy. 


Gary Alterson is VP of Security Solutions at Rackspace. In this role 

he acts as GM for Rackspace’s security solutions focused on 

supporting digital transformations and cloud acceleration. 

Previously, Gary led Customer Experience and Services Product 

Management at Cisco Systems where he built professional, 

managed, and support services addressing cloud security and 

advanced threats. At Cisco and at Neohapsis, a nationally 

recognized cybersecurity boutique consultancy, Gary and his teams 

were instrumental in transforming enterprise and government 

security programs to effectively address shifting business models, 

emerging technologies, and the evolving threat environment. 

As a previous CISO and security architect, Gary has over 20 years 

experience on the front lines of security, protecting and responding 

to threats across multiple industries. Gary is often sought out to speak 

on secure digitization, cloud, and emerging technology security frameworks as well as enterprise security. 



The Risks of The Vulnerable Iot Devices 

By Pedro Tavares, Editor-in-Chief seguranca-informatica.pt 

Internet of Things (IoT) is a trending topic that has been made headlines from the last decade and causing 

enormous constraints for home users and companies from the security point of view. The damage caused 

by vulnerabilities in IoT devices is tremendous and allows cybercriminals to get access and take control 

of them remotely in attacks that can be exploited to gain access to the internal networks. 

In addition, these kinds of vulnerabilities provide cybercriminals with a baseline to bypass firewalls, gain 

access to private networks and also steal sensitive and critical information as it travels across connected 

device environments. In this sense, the risk associated with these compromised devices also allows 

cyberattacks to spread to other networked systems, proliferating internally, maintaining persistence for 

large months and even years because of the detection and monitorization of anomalous activity on these 

devices is still a big challenge. 

The Big Picture 

The number, and type of vulnerabilities are from lack of device management to critical flaws on hardware 

or software. In a recent article, it’s possible to learn about a vulnerability tracked as CVE-2021-31251 – 

a vulnerability on the telnet protocol – that can be explored to get a remote privileged session, which can 

be abused to take control of the device and used as an initial entry point to access the internal networks. 



There is no perfect formula to resolve this problem, as part of IoT devices are vulnerable to a wide range 

of flaws due to the limited computational abilities and hardware limitations. Device vulnerabilities allow 

cybercriminals to use them as a foothold for their attacks, which reinforces the importance of security 

from the design phase. Some of those vulnerabilities can be enumerated as presented below. 

Lack of a Secure Update Mechanism 

“Lack of ability to securely update the device. This includes lack of firmware validation on the device, lack 

of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of 

security changes due to updates.” 

From this point, it’s necessary to consider how these updates will take place and how to make them more 

secure. For example, when designing a device like a smartwatch or a sensor, it’s necessary to consider 

building an update mechanism for timely updates. 

Lack of Device Management 

“Lack of security support on devices deployed in production, including asset management, update 

management, secure decommissioning, systems monitoring, and response capabilities.” 

One of IoT’s most significant safety risks and challenges is managing all of our devices and closing the 

perimeter. In order to fight that, the scanning and profiling of devices allow IT security teams to have 

visibility of their networked IoT devices, their risks, behavior, and so on. 



Insecure Data Transfer and Storage 

“Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, 

in transit, or during processing.” 

The network and communication layers play a central role in all IoT applications and implementations, 

facilitating sharing information between different layers and generating value through real-time interaction 

between IoT devices. The usage of a certificate authority that certifies the complete validation of the 

certified party’s identity shall issue each digital certificate and is seen as a good candidate to mitigate this 

problem. On the other side, data tokenization can protect sensitive encrypted data that only authorized 

devices can decode. 

Weak, Guessable, or Default Passwords 

“Use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in 

firmware or client software that grants unauthorized access to deployed systems.” 

A common and pervasive vulnerability in IoT systems today stems from weak or unchanged default 

passwords. Poor management of device credentials places IoT devices at greater risk of becoming 

targets of a brute force attack. 

Insecure Network Services 

“Unnecessary or unsafe network services that run on the devices, particularly those that are exposed to 

the internet, jeopardize the availability of confidentiality, integrity / authenticity of information, and open 

the risk of unauthorized remote control of IoT devices.” 

IoT devices are today integrated into the network infrastructure and can transmit, retrieve, and interpret 

data from linked smart devices, such as smoke alarms, proximity sensors, or optical devices. The 

system’s communication mechanisms will vary but may include network protocols ranging from BLE and 

ZigBee to WiFi, cellular data, and Ethernet. System administrators must scan and close unneeded open 

ports and services which exchange information on their networks as a security measure. 

Insufficient Privacy Protection 

“User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, 

or without permission.” 

When individuals request personal data deletion, the provider must ensure that all third parties delete the 

data. 

Insecure Settings by Default 

“Devices or systems shipped with insecure default settings or lack the ability to make the system more 

secure by restricting operators from modifying configurations.” 



Device onboard occurs when a new device is added to the restricted IoT ecosystem. Eavesdropping may 

take place during the onboard step of a new device where the hacker can intercept secret keys that are 

used to establish communications within a constrained network. 

Final Thoughts 

The potential for unpredictable cascading effects of vulnerabilities and poor security in the IoT greatly 

affects the overall security of the Internet. Ensuring that these devices are secure is the shared 

responsibility of its stakeholders. For example, manufacturers need to address known vulnerabilities in 

succeeding products, release patches for existing ones, and report the end of support for older products. 

As a general security measure, it’s strongly recommended to protect network access to devices with 

appropriate mechanisms, and in some cases, isolate them to make difficult their exploration and doing it 

a time-consuming task from the cybercriminals’ point of view. 

At last but not least, let’s take IoT security seriously because this field has been used massively by 

cybercriminals to compromise organizations and their networks turning this into a big and real threat in 

2021. 


Pedro Tavares is a cybersecurity professional and a 

founding member of CSIRT.UBI and Editor-in-Chief of 

seguranca-informatica.pt. 

In recent years he has invested in the field of information 

security, exploring and analyzing a wide range of topics, 

malware, ethical hacking (OSCP-certified), cybersecurity, 

IoT and security in computer networks. He is also a 

Freelance Writer. 

Segurança Informática blog: www.seguranca-informatica.pt 

LinkedIn: 

https://www.linkedin.com/in/sirpedrotavares 

Twitter: 

https://twitter.com/sirpedrotavares 

Contact me: ptavares@seguranca-informatica.pt 



Three Steps to Building Email Cyber Resilience 

By Toni Buhrke, Director of Sales Engineering, Mimecast 

In yet another “nobody saw this one coming” moment, the HAFNIUM MS Exchange hack sent a warning 

shot to global enterprises to better protect fragile corporate email systems. The hack exploited four 

software vulnerabilities in Exchange on-premises services, allowing a state-sponsored threat actor to 

gain access to corporate email networks. While Microsoft issued patching, the breach quickly escalated 

from affecting a handful of companies to compromising more than 250,000 organizations worldwide. 

This breach demonstrated the fragility of corporate email systems, which have never been under more 

pressure than in today’s pandemic-driven “digital workplace.” According to Statista, in 2020 

approximately 306 billion e-mails were sent and received every day worldwide. For enterprises, any 

disruption of this vital communications infrastructure from outages of malicious traffic can be immensely 

damaging. 

While organizations should continue to mitigate their security risks by immediately installing the latest 

patches, they should take their security a step further by implementing an email resilience strategy that 

addresses three key areas of weakness: data risk mitigation, recoverability and continuity. 



Data Housekeeping 

Today’s organizations simply hold on to too much data. There are good intentions behind this − ranging 

from compliance regulations to e-discovery. But having all this data sitting in employee email accounts 

holds significant risk. The more data (especially transactional data) a company holds, the greater a target 

it becomes for hackers. Think about how much of this data could be exposed by the HAFNIUM attack, 

and the problem becomes clear. When sensitive customer data, confidential company information, 

personal data, etc., are left out in the open in common Exchange environments, it’s up for grabs for 

hackers to possibly exploit. 

The solution is to make sure your organization is regularly moving data out of production, a sort of 

“housekeeping.” If email data is regularly and securely archived, it is removed from the production email 

environment and becomes much more difficult for hackers to access. It can always be retrieved if needed 

– but there’s no reason to leave it out in the open, all the time, where the threat actors can potentially get 

it. 

Ensure Emails are Easily Recovered 

In many organizations, employee email inboxes are like full-fledged file systems holding organizational 

history, records, transactions and projects to help employees make intelligent business decisions. It’s 

inevitable an organization will lose some of this data, whether from human error, system outages, 

cyberattacks, natural disasters or other events. 

Restoring lost emails when one of these events occurs is critical to limiting data loss, mitigating business 

damage and minimizing interruptions to productivity. IT and security teams should look for data recovery 

solutions that are tailored to their email solution. A good data recovery solution will automatically sync 

and archive not only email, but also contacts, calendars and personal folders, and be able to provide fast 

and streamlined mail recovery after a disaster. 

Have an Email Continuity Plan 

Continuity is the last and most critical step in building a comprehensive email resilience strategy. 

Companies need to have a backup system in place in case their primary email solution goes down. This 

enables email to continue flowing while issues with the primary system are resolved. 

Even IT departments with the best intentions can’t always install patches immediately and typically will 

wait until a maintenance window to do so. This is why an email continuity solution is essential. It provides 

flexibility, so IT teams can patch, investigate and respond to disruptions while keeping the flow of email 

going with a contingency solution. This ensures a company’s email system doesn’t go offline, which in 

turn keeps the digital workplace functioning full steam, even in the event of a production-system outage. 



Plan Ahead and Avoid Disaster 

The HAFNIUM attack makes it clear that enterprise IT teams need to create a comprehensive email cyber 

resilience strategy. This is even more important today, with threat actors trying to take advantage of the 

unsettled remote-work environment – Mimecast’s “Year of Social Distancing” report revealed a 48% 

increase in threat volume from March 2020 – February 2021 over the previous year, and “The State of 

Email Security” report states that 70% of organizations believe their business will be harmed by email 

attacks in 2021. 

This research confirms that with the new digital workplace, immediate technical mitigation work should 

be a priority if organizations want to limit their risk to malicious attacks. Taking the three steps to email 

resilience is a fast and efficient way to protect not only against the next HAFNIUM, but also all of the 

smaller issues that inevitably arise during the course of business. 


Toni Buhrke is a Director of Sales Engineering at Mimecast with 

more than 20 years of experience in the cybersecurity industry. 

Together, Toni and her team are responsible for designing 

customized email security solutions for Named and Enterprise 

customers in the Eastern region of the U.S. Prior to joining 

Mimecast, she was a Global Director of Systems Engineering at 

Forescout Technologies. During her 12-year tenure there she led 

various systems engineering teams focused on helping commercial 

and public sector organizations and channel partners architect and 

deploy security solutions to protect complex networking 

environments. Throughout her career, Toni’s focus has always been 

on bridging the gap between technology and her customers. She has 

a Master of Business Administration (MBA) and is a Certified Information Systems Security Professional 

(CISSP). Toni is also very active in Women in Technology initiatives throughout the industry. Learn more 

about Toni on LinkedIn, and learn more about Mimecast at https://www.mimecast.com/. 



Guided-Saas NDR: Redefining A Solution So SOC/IR 

Teams Aren’t Fighting Adversaries Alone, Distracted and 

In The Dark 

By Fayyaz Rajpari, Sr. Director of Product Management, Gigamon 

The time has come for SaaS-based security offerings to evolve. While the concepts of SaaS date back 

to 1961 as MIT introduced the use of terminals connected to mainframes, the SaaS concept we know 

today is largely attributed to Salesforce’s launch in 1999. Starting in the late 2000s cyber-security vendors 

started to offer email and web security gateway solutions through a SaaS delivery model, removing the 

complexities of on-premises hardware and software deployment and maintenance while providing a 

uniform security policy across the enterprise. Cloud-native architectures, continuous 

development/deployment and the ability to apply elastic computing to cloud-based analytics have 

propelled innovation to cyber-security products that can’t be achieved by on-premises solutions. 

Now, ten-plus years later, SaaS-based security offerings need to be re-imagined. By examining the 

Network Detection and Response (NDR) market we can see SaaS-based security must evolve. SOC/IR 

teams are rapidly adopting NDRs because of the visibility gaps left by SIEMs and EDRs to identify the 

presence of adversaries in their network. 



NDR technology is built on three principal tenets to provide SOC/IR teams: 

● 

● 

● 

Visibility to and metadata retention of corporate network traffic across cloud and core networks; 

Advanced detection techniques designed to identify presence of adversaries inside the 

organization; and 

Capabilities to triage, threat hunt, and investigate activity to understand the adversaries’ activities 

and formulate comprehensive response plans. 

These fall into the category of three steps forward, but NDR technology can force SOC/IR teams to take 

three steps back if we don’t redefine how SaaS-NDR solutions are delivered. 

Guided-SaaS Step 1: No longer… In The Dark 

Sixty-nine percent of IT and security practitioners cite network visibility as the top reason for SOC 

ineffectiveness. As packets are tamper-proof (unlike EDR logs), NDRs provide network context to 

confidently triage, hunt, and investigate threats effectively. But NDRs don’t magically provide 

comprehensive visibility. While traditional SaaS-based NDR vendors might work to ensure optimal 

visibility at the time of deployment, the responsibility falls on the customer’s security teams to make sure 

the NDR sensors are functioning properly and that the right mirrored traffic is getting to the NDR as 

networks dynamically change. That’s easier said than done in today’s complex hybrid-world and it doesn’t 

take long before blind spots popup and the SOC/IR team are left in the dark. A Guided-SaaS NDR 

delivery model recognizes the importance of including expert lead routine visibility and health checks, 

where the vendor’s specialists assist to optimize visibility and ensure the NDR sensors are healthy. 

Guided-SaaS Step 2: No longer… Distracted. 

Perhaps the most alarming statistic is that 84% of IT and security practitioners also reported that the 

“Minimization of false positives” as the most important SOC activity. While NDRs provide anomaly-based 

machine learning detection techniques, they come at a very expensive cost. Most NDRs require an initial 

4 weeks of laborious efforts by security analysts to ‘train’ the technology on what is benign and malicious 

with the end goal of at best ‘reducing’ false positives if done properly. Oh, and then security analysts 

have to come back and routinely retrain the solution. In other words, the NDR vendor is putting the burden 

on the customer, distracting them from their focus of identifying and responding to adversaries. That is 

a crime. 

Cloud-native NDRs afford us a different approach. With machine learning, behavioral analysis, and threat 

intel-based detection engines working in the vendor’s cloud, Guided-SaaS NDR vendors can perform the 

QA and training of their detection engines for their customers, producing high true-positive findings and 

removing tedious distractions from the SOC/IR team. 

Guided-SaaS Step 3: No longer… Alone. 

It’s no secret to anyone with experience in day-to-day SOC activities that the job is intense with 70% of 

SOC analysts reporting burnout due to the high-pressure environment. Not only is it a race to respond 

before adversaries carry out their mission, but it's daunting to face the challenge without external 

support… effectively going it alone. It is here where redefining SaaS can provide a unique benefit to 

customers. One of the adjacent advances linked to SaaS offerings is software vendors embracing 



Customer Success, the mechanism of engaging with customers to understand their needs and drive 

value from the solution. 

Guided-SaaS NDR takes this concept to the next level. Guided-SaaS staffs their customer success teams 

with field-tested security analysts and incident responders who understand the pressures their customers 

face sitting in the defender’s hot-seat. This empathy allows for better initial and ongoing enablement on 

the product, increasing product proficiency and value. As trusted advisors, these Guided-SaaS security 

experts also can pass along best practices for triage, hunting and investigations, resulting in stronger 

skills for the customer’s security teams. 

Perhaps the most valuable and unique benefit is that when a customer is actively investigating an 

incident, they have access to experienced Guided-SaaS analysts and responders to ask for guidance 

and knowledge of the threat and how best to triage and investigate. During these high-pressure incidents, 

having access to expertise and thus gaining confidence you are taking the right steps to respond 

alleviates pressure and allows for faster and more comprehensive response actions. 

A Call for Vendors to Do Better 

Simply put, vendors must have empathy for the challenges facing SOC/IR teams and transition from 

delivering products that place a burden on the customer to delivering a comprehensive offering that frees 

security professionals to remain focused, ensure optimum visibility, and have access to expertise in the 

dismantling of adversaries. The Guided-SaaS model redefines and evolves how vendors should deliver 

security solutions to ensure technological advances such as enabling extensive visibility, machine 

learning adversary detection, and speedy triage, hunting, and investigation result is three steps forward 

without taking three steps back. 


Fayyaz Rajpari is the Sr. Director of Product Management of 

ThreatINSIGHT Guided-SaaS NDR at Gigamon, where he leads 

the firm’s security products. Fayyaz’s expertise includes serving 

as a lead incident responder for a large insurance provider 

before transitioning to bringing his expertise to driving products 

for FireEye, Mandiant, and Recorded Future. 

Fayyaz can be reached online at fayyaz.rajpari@gigamon.com 

or at http://www.gigamon.com 



Hardware Trojan Detection 

By Sylvain Guilley, General Manager and CTO at Secure-IC 

Hardware Trojan attacks have become more concerning in recent years due to a series of serious events 

in the electronics industry supply chain around the world because of them, such as data theft and 

backdoor insertions. These attacks are based on the concealment and subsequent exploitation of 

malicious hardware in integrated circuits and thus have been nicknamed “Trojan Horses”. These 

malicious attacks can have several purposes such as sabotaging the infrastructures used by the circuits 

or eavesdropping on confidential communications. 

The ability to detect and deal with Trojan Horses has become vital for organizations charged with 

protecting key infrastructure, government and assets. On a business level, today’s applications can be 

critical and security is paramount in many industries such as automotive or avionics; it is important to 

screen and check unreliable chips. 

A Trojan Horse is often defined as malware disguised as legitimate software. Nowadays, we are talking 

about Hardware Trojan Horses that have proven to be very dangerous and have the ability to maliciously 

modify integrated chips. 

Classification of Trojans and the means to detect them 

There are many types of Trojans, and they can be inserted pretty much everywhere in the microchip. 

This is what makes them so difficult to locate, as one could well be located in the chip’s processor while 

another crouches in the chip’s power supply. 

The stealthiest Hardware Trojans are virtually undetectable because they do not appear in the bill of 

materials (BoM). They are implanted in the chip itself and therefore must be investigated at the silicon- 



level to be detected. This creates a “needle in a haystack” situation when trying to flush a purported 

Trojan out. 

Trojans can also be implanted at different phases, from the specification phase to the assembly and 

packaging phase. They may also have different purposes once they are integrated. Some Trojans will 

want to change the functionality of a chip, while others will prefer to degrade performance or completely 

deny the service offered by the chip; still others may leak information. 

A Hardware Trojan Horse has different types of activation mechanisms which makes them hard to detect 

red handed. 

Hardware Trojan detection can almost be considered a type of reverse engineering for ”evidence of 

infection” purposes. While evaluating the system, the evaluator would look for abnormal behavior that 

might harm the functioning of the circuit. In order to be able to detect Hardware Trojans, one must have 

the appropriate skills and tools. 

To this end, two initial techniques have been put forward: 

• Deploying destructive reverse engineering schemes. The main drawback of this technique is that 

it can be very expensive and cannot guarantee the absence of Trojans in untested devices. 

• Using a VLSI testing scheme. The main drawback for this is that it is not very effective as the 

trigger condition is rarely satisfied, all the more for sequential Trojans as they need a sequence 

of vectors to be triggered. 

Based on these two techniques and their drawbacks, a number of other solutions have been 

implemented. 

The reactive way of dealing with Hardware Trojans 

One of the ways to find and deal with a Hardware Trojan is to first be aware of its presence in the system 

and then take action accordingly. 

Analog Detection 

There are many methods that can be used in a reactive way, such as reactive analog detection. Analog 

detection aims to detect abnormal behavior of the system in the pre- and post-silicon stages. This method 

can be static meaning detecting visible malicious components that are hidden on a printed circuit board 

(PCB), or in cable packaging but it can be very limited if the Trojan is hidden inside the system; this is 

where a dynamic method can be leveraged by observing the electromagnetic activity of the system. The 

dynamic method aims to detect unexpected electromagnetic activity and compare it with a golden method 

(a trusted asset with no Trojan). 

Hardware Assertions 

Another method consists in hardware assertions. Some Hardware Trojans are actually a combination of 

hardware and software vulnerabilities that, when combined, allow the system to be exploited. The 

hardware assertion method entails identifying some high-level and critical behavioral invariants and 

checking them while the circuit is running. With many Hardware Trojans, the attacker will attempt to 

modify the behavior or violate the property of the target circuit. Therefore, there is a necessity to check 



the properties (user mode, memory access conditions, rules, instructions) of the asset with a hardware 

module. A single change in these properties betrays the hardware Trojan. 

Sensors 

Sensors can be used to prevent an attacker from performing active attacks where he attempts to disturb 

the normal behavior of the system. When the hardware Trojan is triggered, the system begins to behave 

abnormally, the power supply may decrease drastically and the clock system may be damaged in order 

to stress the system to the point where it cannot perform sensitive operations properly. Sensors are then 

triggered when noticing such events. 

A variety of methods exists to find and deal with Hardware Trojans. While these methods have been 

proven to be effective in detecting hardware Trojans when they are known to be present in the system, 

the need to be able to proactively search and deal with Trojans has rapidly arisen. 

The proactive way of dealing with Hardware Trojans 

While there is a reactive way of finding Hardware Trojan in a system, there is a constant need for 

additional trust. This is why new methods have begun to develop in the security sphere, a way of having 

in-depth protection in a more proactive approach. 

Indeed, since most hardware Trojans detection occur when malicious hardware in the system are already 

known, these new proactive methods are particularly effective in preventing Hardware Trojans in a 

proactive way. This means that the system is equipped with tools that can help it fend off incoming 

attacks. 

Machine Learning 

One of these successful proactive methods is clearly Machine Learning. Indeed, the use of computer 

systems that are able to learn and adapt without following explicit instructions will be key in the future for 

many topics, including hardware Trojan detection and protection. As each Trojan is different, it may be 

difficult to define a method applicable for each case. Machine learning can generate diverse complex 

models and make decisions based on those models. In addition, machine learning is also key in 

understanding hardware Trojans, as they are relatively new and machine learning will help aggregate 

data to help us better understand them. There are two ways to implement Machine Learning: the first is 

supervised learning, where evaluators inject known samples of Hardware Trojan into the system and 

determine how to detect them properly and machine learning enriches its database with those samples; 

the second way is unsupervised learning, where the characteristics of the Trojan are not known and 

machine learning has to detect it on its own by evaluating the parameters and the system’s behavior. 

The latter will help detect new types of Trojans as it is less limited than the former. 

While it is a reactive approach to have a hardware Trojan monitoring hardware IP in a chip for active 

detection of malicious processes on the chip during its runtime, it is often achieved with a higher cost of 

Chip out from 

JTAG testing 

Begin HT 

detection process 

EM signature 

capture of target 

chip 

ML or statistical 

analysis for 

detection 

Detection output 

(HT 

Present/Absent) 

Next step 



inspection and additional computation which may not be desirable by many. Therefore, a proactive 

measure may be to include the Hardware Trojan analysis in the device testing flow. An example is shown 

in the following figure: 

Fig. Testing flow for Hardware Trojans for a chip lot 

Cyber Escort Unit 

Another method is to protect the CPU directly by mitigating vulnerabilities and attacks on code execution 

or integrity induced by software code bugs, malicious activity or sought-after performances neglecting 

security. These types of attacks have the particularity of engaging both software and hardware placing 

the protection layer in the hardware layer that protects both. By following the program execution step by 

step, we are able to detect any unexpected behavior of the CPU, it is not dedicated to a specific attack 

or Trojan type, so irrespective how the Trojan is triggered, by either Hardware or Software means, and 

whatever its payload, any alteration in code execution or code integrity can be detected. 

The Encoded Circuit Method 

The “encoded circuit” method is based on the observation that all integrated circuits are composed of two 

distinct parts: the combinational and sequential part. The sequential part includes the data and control 

registers which are easier to recognize on the IC layout because of their size. It is easier for an attacker 

to connect the Trojan to the sequential part; therefore, this method aims at encoding and masking all 

sequential registers with a Linear Boolean Code. 

Conclusion 

As hardware Trojans continue to be developed for nefarious purposes, it is our duty to protect devices 

from these new threats. While proactive methods are emphasized, it is important to note that reactive 

methods are still viable and should not be disregarded. With so many types of Trojans and so many ways 

to attack systems, companies should use all the tools at their disposal to fight potential threats to their 

systems. 

If you would like to include Hardware Trojan protections in your security plan to protect your systems 

from potential attacks, you can ask for our help. 




My Name is Sylvain Guilley. I am General Manager & CTO at Secure- 

IC, French company offering cybersecurity solutions for embedded 

systems. 

I am also professor at TELECOM-Paris, research associate at École 

Normale Supérieure (ENS, Paris), and adjunct professor at the 

Chinese Academy of Sciences (CAS, Beijing). 

My research interests are trusted computing, cyber-physical security, 

secure prototyping in FPGA & ASIC, and formal/mathematical 

methods. 

I am lead editor of international standards, such as ISO/IEC 20897 (Physically Unclonable Functions), 

ISO/IEC 20085 (Calibration of non-invasive testing tools), and ISO/IEC 24485 (White Box Cryptography). 

Associate editor of the Springer Journal of Cryptography Engineering (JCEN), I have co-authored 250+ 

research papers & filed 40+ invention patents. 

Sylvain Guilley can be reached at contact@secure-ic.com and at our company website www.secureic.com 



StayHackFree – Your Kid’s Sports Team 

Your Kids Sports team is better managed than your Cyber Team. 

By James Gorman, CISO, Authx 

Your Kid's Hockey team has better management than your Cyber Security team. Really, I am not kidding. 

How do I know? Let's start with - your kid's team has a coach, a plan, a practice schedule, and goals. 

Can you honestly say that about your Cyber Security team? 

Your kid's hockey team has a coach - who has some level of competency - in USA Hockey - they have 

to be at a certain level; for most, it is a level 3 that makes sure you have a base knowledge and 

understanding of the rule. In most organizations, there is not a specific person designated to be the 

"coach" of the incident response team, or is there a clearly defined person that will quarterback the 

incident response team? Is your lead technologist also the Incident Response Manager? Is that the right 

mix of responsibilities? There is nothing worse in the thick of an incident than not knowing who is in 

charge or who has the authority to make the difficult calls. Also, most of the kids I used to coach had 



outside coaches - to help them improve the basics. So you need to have designated roles and 

responsibilities, an experienced coach, and outside trainers to reach the management level of your kid's 

hockey team. Outside and ongoing training and a culture of learning are critical to growing Cyberteams. 

How is your team stacking up so far? 

Your kid's hockey team has a game plan - or a playbook. They know where they are supposed to line 

up and what the objective depending on the game circumstance. If there is no formal plan, as is the case 

in most organizations or worse - on a shelf, file server, or website, no one has looked at it since. A 

contractor wrote it for an audit that happened so long ago; the person or consultant who wrote it is on 

their 3rd job since the audit ended. Without a plan, when the time comes to respond, there is chaos. 

People with no direction lead to wasted valuable time and not minimizing or eliminating the impact of an 

incident and it’s cost to your business. A viable plan is critical to the timely execution of your cyber 

defenses. 

All kid's teams have a practice schedule. If your kid's team said - nope, no practices, just games, you 

would expect to lose every time to teams that practice. Your Cyberteam needs to have a regularly 

scheduled practice. At a minimum, you need to exercise the incident plan with a "tabletop" simulation at 

least once a month. The boilerplate template you used for your Incident Management Plan likely calls 

for an annual test of the plan. In today's rapidly changing IT environment, you should exercise the plan 

and update it with lessons learned every month. The Cyber Hackers are out there, and every day they 

are knocking at your doors. What happens at the outset of an ongoing attack will mitigate the lasting 

effects. If you stumble or fumble initially, you beg for lasting consequences and maybe even front-page 

news. Just ask the teams at some of the recent highly publicized hacks. 

All kid's teams have goals. When I was coaching kids' teams, I would have three goals for a game. 

Usually, situational goals had to do with scoring first or not taking any penalties, winning 51%+ of faceoffs, 

with the over-arching aspiration being the main "goal" - having fun. For your Cyberteam, your overarching 

goal should be to StayHackFree - remember, it is not a goal - it is an aspiration. Each month you should 

have or situational goals for your team. For example, one month could be improving the amount of 

Endpoint Protection deployed. Another week it could be who can find the error in the incident response 

plan. Consistently looking for ways to strengthen your threat posture or reduce your organization's attack 

surface is the point of the situational goals. It would be best to have situational and over-arching goals, 

but goals need to be tangible, measurable, and specific. 

So, to sum up. Use the model of your kid's sports teams to improve your cyber defense posture vastly. 

There is no reason not to have a point person or coach lead your incident response team. You must 

have a plan and know where to start before an incident happens. Frequent practice sessions and tabletop 

exercises with lessons learned are a must. Setting situational goals to improve your defense posture is 

critical to being prepared for all comers. Get a coach, get a plan, practice the plan, and have goals to 

StayHackFree. 




James Gorman CISO, Authx ,James is a solutions-driven, 

results-focused technologist and entrepreneur with experience 

securing, designing, building, deploying and maintaining largescale, 

mission-critical applications and networks. Over the last 

15 years he has lead teams through multiple NIST, ISO, PCI, 

and HITRUST compliance audits. As a consultant, he has helped 

multiple companies formulate their strategy for compliance and 

infrastructure scalability. His previous leadership roles include 

CISO, VP of Network Operations & Engineering, CTO, VP of 

Operations, Founder & Principal Consultant, Vice President and 

CEO at companies such as GE, Epoch Internet, NETtel, Cable 

and Wireless, SecureNet, and Transaction Network Services. 

James can be reached online at (james@authx.com, https://www.linkedin.com/in/jamesgorman/ ) and 

at our company website https://authx.com 



Tips for Avoiding Online Scams During COVID-19 

Follow these best practices and stay vigilant to significantly reduce risk for your organization 

By Cindy Murphy, President, Tetra Defense 

Organizations have made significant changes in light of COVID-19, oftentimes favoring health and safety 

over profit. Cab services urge people to stay home. Restaurants offer no-contact deliveries. Perfume 

companies have shifted to making hand sanitizer, and vehicle manufacturers are now making ventilators. 

While many businesses are working hard to fight the hardships COVID-19 has brought about, other 

malicious organizations are working to do just the opposite. 

Since the pandemic took hold of America, there has been a substantial increase in the number of 

cyberattack attempts. Phishing emails are virtually all COVID-19-themed, social engineering involves 

concepts of sickness and health, and ransomware operations are attacking some of the organizations 

that we rely on most: essential businesses. While these scams are nothing new, the way they are 

presented, deployed, and the consequences they have are constantly changing in the COVID-19 era. To 

stay protected, either in person working at an essential business, working from home, or simply staying 

sane in quarantine using the Internet on personal devices, keep cybersecurity front-of-mind. 



Major Online Scams 

The practice of crafting manipulative messages to elicit a specific behavior is considered to be “social 

engineering.” This is an abstract concept considering it casts the widest net, but it is a practice that nearly 

all scams and attacks, either in reality or in the cyber world, rely on. No matter how robust, up-to-date, or 

complicated your technology is to hack into, social engineering preys on the human behind the devices. 

Since the ‘90s, when the term was coined in this context, threat actors have found it’s easier to trick a 

person to give information or access than it is to trick a computer. Even for professional vulnerability 

testing, social engineering is implemented to see how robust security is when faced with someone who 

simply says all the right things to gain unauthorized access. 

Rather than a one-size-fits-all message, social engineering includes specific headlines, unique situations, 

and emotional manipulation to convince a victim to divulge information. Messages may range from the 

email from the “prince in Nigeria who needs your help,” to hyper-specific phone calls or even personalized 

texts that “want to confirm your banking credentials.” Social engineering attacks are always more 

successful the more information the threat actor has at the start. In the COVID-19 era, being able to 

assume that people are home, they are awaiting aid from a stimulus package, or they are collaborating 

with their managers and directors from a distance is enough information to deploy a successful, 

manipulative message. 



Phishing Example 1 

Phishing refers to messages deployed via email, and this is the most popular channel in this context. For 

threat actors, email is an attractive option since it is most likely already connected to an essential device 

like a personal computer or smartphone, and it is most likely connected to the public Internet or an 

organization’s internal network. Since phishing attempts are now socially engineered to appear as though 

they are from credible health sources, the World Health Organization has published guidelines to protect 

potential victims. 

An acronym to become familiar with is BEC, or Business Email Compromise, the act of gaining 

unauthorized access to a business email account. It’s often achieved through the practice of perfectly 

impersonating trusted sources, usually via email. This allows threat actors to disguise themselves as a 

director, a CISO, or even a trusted colleague that is simply asking for information or suggesting you 

download their file. This is one of the most deceptive practices considering the innate trust that we place 

with correct email addresses. Without proper password protection, it’s important to consider that the 

person behind the address is no longer who you expect. 

Staying Vigilant During COVID-19 

Threat actors have an impressive toolkit that includes social engineering and impersonation techniques 

to harvest sensitive data, and this has been the case for decades. In light of COVID-19, the consequences 

of these attacks can prove to be especially devastating. When few businesses are operating at full capacity, and when 

healthcare organizations are quickly becoming overwhelmed, an attack can not only cause disruption, it could risk lives. 

In uncertain times, the last thing anyone wants to worry about is a threat actor gaining unauthorized 

access to valuable data and resources. Malicious organizations have already proven they have no ethical 

boundaries — they have targeted critical infrastructure like HHS to take advantage of the situation that 

COVID-19 has presented. Here are our tips for maintaining cybersecurity from home in this unique time: 

1. Practice “Zero Trust” 

As a best practice, maintaining a healthy level of suspicion is the strongest defense against social 

engineering. Threat actors are reliant on the naivety of users to grant them access and will present any 

number of stories or situations to exploit potential victims. Data manipulation tactics include offering a 

sweet return on an investment (i.e., the Nigerian prince will offer you endless riches), pose as people you 

may innately want to help or donate to, or even threaten you from the account of someone with authority. 

2. Ensure Links are Secure 

In many phishing attempts, there are malicious websites that either perfectly clone trusted sources or 

appear to be legitimate. These websites, however, often deploy malware at the first click. To ensure you 

are visiting trusted web sources, hover over a link before clicking. This will provide, in plain text, the URL 

the link will take you to. While you’re there, be sure to be cognizant of other security measures that your 

web browser will look out for. 



3. Employ Multi-Factor Authentication 

If a threat actor has your password credentials, or you suspect to have given information to a malicious 

source, Multi-Factor Authentication is a great backstop. If a password is entered, access will not be 

granted until a second device can confirm the request, usually through a code or prompt on a smartphone. 

This is a simple tool that is often available via major email providers and Internet-based accounts, and it 

can deter a threat actor from accessing your information. 

4. Use Robust Passwords 

While “password1,” or “123456,” are easy enough to remember, the pain of losing access to your 

accounts is far worse than the pain of implementing complicated, unique passwords to begin with. Threat 

actors can attempt the most common passwords on accounts by the thousands. They scan for any easy 

vulnerabilities they can exploit on the Internet, and you can arm yourself with a strong password to deter 

them. Common guidelines for building a strong password include using at least 12 characters, 

implementing long phrases, and unconventional punctuation. 

5. Update, Update, Update 

While it may be inconvenient to learn how to deal with a new operating system or a new interface, 

updating as quickly as possible ensures your devices are running with the most recent protections. When 

threat actors search for vulnerabilities, they can configure nearly any attack to fit a port of entry, even if 

that entry only operates on a slightly out-of-date app, mobile device, or computer system. Having a fully 

functioning piece of technology from a few years ago is fine, but being sure to update its protection 

systems is a simple safeguard as threat actors remain persistent in COVID-19. 

While organizations continue to implement changes in the name of health and safety, it’s important to 

keep in mind that threat actors are actively working against them. In situations where people are working 

from a new home set up, people are grieving the loss of normalcy, and people are awaiting information 

regarding their health and their paychecks, threat actors are creating messages to manipulate them. 

While these are unprecedented times, and cyberattacks are more consequential than ever, there’s 

comfort in knowing that security best practices still stand, and awareness of these online scams prove 

as a great safeguard in and of itself. 




Cindy Murphy is the President of Tetra Defense, an incident 

response and digital forensics firm based in Madison, Wisconsin.. 

She worked in law enforcement for 31 years, starting her career in 

the US Army in 1985 and joining the Madison Police Department in 

1991. She began investigating computer-related crimes in 1998 

before being promoted to detective in 2000. Since then, Cindy has 

become one of the most highly respected experts in the digital 

forensics field. She has been teaching digital forensics since 2002 

and helped develop a digital forensics certification curriculum for 

Madison Area Technical College and co-authored the SANS 

FOR585 Advanced Smartphone Forensics course. 

Cindy can be reached via Twitter @CindyMurph and at our company 

website: https://tetradefense.com/ 



Banking Fraud up 159% as Transactions Hit 

Pre-Pandemic Volumes 

Organizations and users should aggressively embrace passwordless authentication methods to 

establish a strong un-phishable relationship. 

By Rajiv Pimplaskar, CRO, Veridium 

The latest Feedzai Financial Crime Report Q2 2021 Edition which factors in some 12 billion global 

transactions between January-March 2021, shows that bank fraud is up 159%, including internet, 

telephone, and branch banking. Card-not-present (CNP) transactions were just 18% of all transactions, 

but drove 83% of all fraud attempts. 

The five most commonly attempted scams were Account Takeover (ATO)-up 47%; account opening 

identity theft-up 23%; impersonation scams-up 21%; purchase of goods that never arrived-up 15%’ and 

phishing scams-up 7%. A cyber and passwordless authentication expert with Veridium offers perspective. 



The recent Feedzai report confirms several points regarding the industry’s hypotheses on financial 

fraud. First, as transaction volumes reach all-time highs, banks and insurance companies should brace 

for higher fraud volumes and proactively bolster their risk processes and customer identity and access 

management systems. Second, fraud vectors should be increasingly assumed to be multi modal as bad 

actors will often exploit channels with weaker Know Your Customer (KYC) verification processes, such 

as telephone banking or contact center, as seen by the high surge in fraud attempts from these 

channels. Sometimes even bank card fraud via traditional mail can manifest within the branch and digital 

channels for impersonation and Account Takeovers (ATO) scams. Finally, various forms of phishing, 

social engineering and Man-in-the-Middle (MITM) attacks can be highly effective at overwhelming a vast 

majority of conventional safeguards currently in place by the financial institution. 

Organizations and users should aggressively embrace passwordless authentication methods to establish 

a strong un-phishable relationship between the user’s designated authenticator and the bank systems. 

As identity becomes the new perimeter, strong customer authentication solutions such as Phoneas-a- 

Token and FIDO2 security keys are increasingly gaining popularity. Also, such authentication methods 

offer lower friction and can improve user experience and productivity. 

Fraud is Multi-modal, Constantly Evolves and Gravitates to the Weakest Channel 

With fraud costing the global economy over $5 trillion, financial services firms worldwide are focused on 

fraud prevention in a big way. In countries like the UK, fraud is currently the #1 crime – far outpacing all 

other crime categories! With cost containment being very important in driving shareholder value, fraud 

is a key area, which if not managed carefully, can quickly erode the bank’s earnings. Consequently, 

hundreds of millions of dollars are being invested and fraud defense systems are getting increasingly 

sophisticated. Customer education is also at an all-time high to ensure fraud awareness is top of mind, 

much like conventional wisdom of locking the front door to your house or not leaving valuables left in 

plain sight within your vehicle. 

However, fraudsters are also evolving at an alarming rate and continuously devising new approaches. 

For example, improved defense against ATO scams is being circumvented by a rise in authorized push 

payment fraud where an impersonator convinces the legitimate account owner to authorize a payment 

for a fake crypto currency investment, or a fake invoice. Often the account owner is coached regarding 

what to say if the bank’s fraud department contacts them and many times winds up taking sides with the 

fraudster against the bank’s investigators! From a bank’s perspective, this complicates matters 

significantly as apart from their usual screening, they must now also verify the legitimacy of the safe 

account where the payment is being wired. First party fraud is also on the rise. In several countries 

“money mules” are systematically recruited by organized gangs using a cover story promising quick 

monetary gain via social media with the objective of fraudulent account opening and laundering crime 

money. While several of the victims are college students and teenagers getting scammed, many do it 

for money. As controls over mobile and digital channels have strengthened, fraud has also shifted into 

the contact center where social engineering and MITM attacks can be highly effective at compromising 

traditional KBA (Knowledge Based Authentication). 



Strong Digital Identity Needs Modern Authentication 

Digital transformation initiatives can leverage a treasure trove of personal information already stored by 

the bank including biometrics, biographic information and behavioral data gathered since account 

opening. For example, a video face capture or liveness check during KYC could be combined with 

behavioral data to detect impersonation or known bad behavior. This identity verification could also be 

used as a “trust anchor” as defined by Gartner research, to step up authentication during risky or high 

value transactions, or during a vulnerable situation such as device enrollment or account recovery. 

Passwordless methods such as Phone-as-a-Token or FIDO2’s strong passwordless authentication can 

be adopted to improve website security and reduce dependence on passwords. FIDO2 is the set of 

standards and protocols developed by the FIDO Alliance and the World Wide Web Consortium (W3C) to 

strengthen website authentication. An added benefit is that such technologies, while more secure, are 

also easier to use, providing a better overall user experience and satisfaction. 

Passwordless authentication options for consumers could include use of Phone-as-a-Token where an 

un-phishable trusted relationship is established between the individual and their enrolled mobile phone. 

Phone manufacturers and versions can be managed as part of a “allow / deny list” and potential issues 

exploited during MITM attacks such as jailbreak can be detected. Upon securing consent, the security 

level could be dynamically adjusted depending on the customer’s geolocation and/or behavior, which 

improves protection for the consumer, employee and the company. For private or secure environments 

like contact centers where a phone may not be feasible, FIDO2 security keys could be an efficient 

alternative. 


About the author: A seasoned cybersecurity executive, Rajiv Pimplaskar is 

driving global go-to-market strategy and revenue for Veridium. Based out of 

the company’s New York headquarters, Rajiv comes to Veridium from San 

Francisco-based Cloudmark – a leader in threat intelligence (acquired by 

Proofpoint). Previously, he held senior leadership roles spanning sales, 

marketing, product, and corporate development at Atlantis Computing 

(acquired by HiveIO) and Verizon. Rajiv is an Electrical Engineering and 

Computer Science professional by trade and is passionate about building and 

scaling enterprise software companies that offer a market disruption. 

Rajiv can be reached online at @veridiumid and at our company website https://www.veridiumid.com/ 



Why Cyber Risk Is the Top Concern of The Financial 

Services Industry 

The sector faces a wide range of challenges ranging from Covid to compliance to the cloud, to name just 

a few. 

By Paul Schiavone, Global Industry Solutions Director - Financial Institutions at Allianz 

Global Corporate & Specialty 

Ever since Covid-19 led to an unplanned increase in homeworking and electronic trading, cyber security 

experts have been warning financial institutions of a perfect storm. In fact, attacks against the financial 

sector were reported to have increased by well over 200% globally from the beginning of February 2020 

to the end of April 2020, with some 80% of financial institutions reporting an increase in cyber-attacks, 

according to security firm VMware. Weaker controls and oversight, laxer security in the home office and 

the greater likelihood of employees falling victim to scams while working remotely were just some of the 

reasons cited behind this dramatic rise. 

The reason for the uptick in cyber-attacks on the financial services is simple. At the end of the day, cyber 

criminals go where the money is, and financial companies hold an extraordinary amount of sensitive data 

on individuals, businesses and governments. Cyber security has been an existential issue for financial 

institutions, and they have been investing heavily in it for years. However, with such potentially high 

rewards, cyber criminals will also invest time and money into attacking them. For example, the Carbanak 

and Cobalt malware campaigns targeted over 100 financial institutions in more than 40 countries over a 

five year period, stealing over $1bn. 



Regulators get tougher 

At a time when financial institutions are becoming more reliant on technology and data to provide products 

and services to customers, they increasingly face a challenging regulatory environment. In many parts of 

the world, firms face a growing bank of regulation, including evolving data protection and privacy rules, 

as well as cyber security requirements. 

In particular, there has been a seismic shift in the regulatory view of privacy and cyber security. Where 

regulators previously looked to incentivize firms to invest in cyber security, they now see it through the 

lens of consumer rights and data privacy. With the General Data Protection Regulations (GDPR) in 

Europe and the likes of the California Consumer Privacy Act in the US, companies now need to 

operationalize their response to regulation and privacy rights, not just look at cyber security. 

The consequences of data breaches are far-reaching, with more aggressive enforcement, higher fines 

and regulatory costs, and growing third party liability. Under the GDPR, the number and value of fines for 

data and privacy has been growing while jurisdictions around the world have been introducing stricter 

data laws. Increasingly, breaches and regulatory actions are followed by litigation, with a number of group 

actions now pending in the UK as well as the US. A data breach at Capital One bank in 2019 – one of 

the largest-ever – resulted in an $80mn fine and a number of lawsuits by affected customers. More 

recently, following a number of major outages at banks and payment processing companies, regulators 

have begun drafting business continuity requirements in a bid to bolster resilience. 

Ransomware attacks on the rise 

Ransomware attacks continue to increase in frequency and severity, with ever larger ransom demands. 

Last year, the Securities Exchange Commission in the US warned about a rise in the number and 

sophistication of ransomware attacks on US financial institutions. Ransomware attacks were up nine fold 

between February and end of April 2020, according to VMware. 

A recent development has seen hackers steal sensitive data and threaten to publish it online if ransoms 

are not paid. US lender Flagstar Bank, for example, suffered a ransomware attack in early 2020 that saw 

hackers post personal details online in an attempt to extort money. Last year, Chilean bank BancoEstado 

shut down branches after a ransomware attack. In March 2021, CNA Hardy was also hit by a 

sophisticated ransomware attack which impacted its operations and email systems and significantly 

disrupted the insurer for a number of weeks. 

If criminals can get access to critical systems or sensitive data, they will look to monetize the attack 

through extortion. At the same time, the rise of cryptocurrencies like Bitcoin is making it easier for cyber 

criminals to carry out successful ransomware or extortion attacks. 

“Fake presidents” and ATM “Jackpotting” 

With many employees working from home and under increased stress, Covid-19 has created 

opportunities for cyber criminals to carry out various scams and cyber-attacks. The US Federal Bureau 

of Investigation (FBI) received over 28,500 complaints related to Covid-19 cyber-crime alone in 2020. 

Many incidents looked to exploit stimulus funds and Paycheck Protection Program (PPP) loans, as well 

as to use Covid-19 related phishing attacks to steal money or personal data. Business email compromise 



(BEC) attacks, also known as “fake president” attacks, are a particular problem for financial institutions 

that make large numbers of high value payments on behalf of their customers. The cost of BEC attacks 

reached $1.86bn in 2020, accounting for almost half of all reported cybercrime losses. Such attacks are 

becoming more sophisticated and increasingly involve identity theft and funds being converted to 

cryptocurrency. 

ATM “jackpotting” attacks continue to be a threat as well. On July 13, 2020, a Belgian savings bank 

Argenta shut down 143 cash machines after criminals tried to take control of their cash machines through 

their network servers. These attacks have become increasingly sophisticated and over the last five years, 

“jackpotting” has cost the financial services sector millions of dollars. 

Third party service providers can be the weak link in the cyber security chain 

One of the largest and most sophisticated cyber-attacks of the past year, the SolarWinds incident, was a 

supply chain attack. Hackers accessed SolarWinds’ network and injected malware into its management 

software in order to target thousands of organizations, including banks and agencies. The SolarWinds 

breach is an important reminder of the potential vulnerabilities of the financial services sector to cyberattacks 

and outages via their reliance on third-party suppliers and service providers, over which they 

have little or no control when it comes to cyber security. This is likely to become a bigger issue as 

regulators increasingly focus on business continuity and operational resilience going forward. 

Most financial institutions are now making use of cloud services-run software to access additional 

processing capacity, as well as for IT infrastructure or to carry out certain processes, such as fraud 

detection or analytics. On one hand, cloud providers are developing tools to help organizations manage 

and mitigate their cyber risks. On the other hand, there is a growing reliance on a relatively small number 

of cloud providers and an opaque cloud infrastructure can potentially create large and systemic risks. A 

Bank of England survey of banks and insurers last year found the provision of IT infrastructure in the 

cloud is already highly concentrated – the top two infrastructure-as-a-service providers had around twothirds 

market share for banks. 

How financial institutions manage risks presented by the cloud will be critical going forward. They are 

effectively offloading a significant portion of cyber security responsibilities to a third-party environment. 

Your cloud service vendors can become your exposure. 

Risk mitigation best practice 

Cyber-attacks often include a human element, where employees, contractors or even customers are 

unwittingly complicit in incidents. When talking to clients, they say cyber is the number one concern of 

every C-suite executive. Particularly we see growing concern for the human factor. Just one click on a 

link or a download can lead to a costly ransomware attack or a data breach, with reputational damage 

and loss of data. 

Training and technology can help minimize human error. As the first line of security and defense, 

employees can make or break an organization’s cyber security position and at often times, their 

reputation. Those that are well trained can significantly reduce the impact of a breach or even prevent it 

from happening. Employees should be regarded as part of the cyber security team, and, as such, there 

should be a corresponding investment in their training and education. The same applies to top 



management, who should periodically rehearse scenarios to better prepare and respond to a major cyber 

incident. Since cyber security goes right up the chain, building resilience and business continuity planning 

is absolutely key to reduce the impact. 

Companies should consider taking the opportunity to carry out a desktop exercise with their insurer and 

broker, and include key internal and external stakeholders. This builds trust and can take the sting out of 

any crisis. Cross-sector exchange and cooperation among companies – such as what has been 

established by the Charter of Trust – is also key when it comes to defying highly commercially organized 

cyber crime, developing joint security standards and improving cyber resilience. 


Paul Schiavone, Global Industry Solutions Director Financial Services 

at Allianz Global Corporate & Specialty, has over twenty years of 

experience in the insurance industry as legal counsel, underwriter, 

broker, manager and Chief Underwriting Officer, working in New York, 

Paris, San Francisco and London. 

Paul can be reached online at https://www.linkedin.com/in/paulschiavone-91401b40/ 



What Educational Institutions Need to Do to Protect 

Themselves From Cyber Threats? 

By Cyril James, Founder and CEO, Secure Triad 

The COVID 19 pandemic and the subsequent lockdown have forever changed how we socially mingle 

and live our lives. The effects are felt in our personal and professional lives as well. 

A major impact is felt in the education fraternity who as a response to the threats posed by the pandemic, 

has adopted an online learning and training format. 

The use of technology in the education sector is no longer considered a novelty but a norm, making them 

prime targets for cyber-attacks. 

Though online learning has made it possible for students across the world to continue their education 

from the safety of their homes. It has added new complexities to the cyber security challenges faced 

by educational institutes. 

The current pandemic has handed cybercriminals tailor-made opportunities for attacking the institutes' 

network and its teachers and students as well. 

Though this may not be a challenge unique to the education sector alone, it poses a larger threat. Unlike 

office employees, students lack exposure and training in dealing with school cyber security. 



Challenges Faced by Education Institutes 

An increase in coronavirus related phishing mails is on the rise. With teachers, students and school 

administration workers spending more and more time online such mails can easily find their way into their 

inbox. 

These malware scams can easily prey on the naïve and untrained minds of students and teachers, 

making them victims of account takeovers and accidental sharing of private information. 

This provides cyber hackers with the information required to log into the institute's servers, access 

sensitive and important data, and launch Ransomware attacks. 

Another challenge faced by educational institutes is the lack of skilled IT staff, leaving the institution's 

network susceptible to such cyber threats. 

With institutions being shut down due to the pandemic, a skeletal staff is at work, with a majority working 

remotely from home. In such a scenario, the institute's cyber security needs such as identification of risky/ 

suspicious users or mail, effective implementation of network security, device management, and endpoint 

security policies may be neglected. 

This lack of or weak cyber security infrastructure provides hackers with a golden opportunity to attack 

and infect the network. Many employees are using personal systems while working remotely, which does 

not possess a robust and sophisticated security system and is susceptible to malicious attacks easily. 

The aforementioned are some of the challenges faced by institutes. It is essential to understand the 

measures that need to be adopted to safeguard their network and data. 

Awareness and Training 

Basic training should be provided to the administration and faculty and the students and their parents. 

Especially in the case of younger students, parents should be responsible for monitoring the child’s 

activities online. 

Faculty, students, and parents need to be made aware of the risks of using online platforms and the 

threat of being targeted by cyber hackers. It is imperative to train staff, students, and parent in how to 

identify and deal with malware and phishing emails. 

In this way, the risk of accidental opening and clicking of phishing emails can be significantly reduced. 

Institutes should also prepare and enforce an acceptable use policy that clearly states to the students 

what is acceptable or what is not, and the faculty clearly understands the framework for what is allowed 

when using online learning forums. 

Technical Treat Response Support 

Institutes should hire cyber security experts. It should be looked at as an investment in the institute’s 

security. The team would be responsible for managing all the security needs of the institute, which 

includes configuration and update of the security system, threat hunting, detection, and response 

services 24/7. 



Firewall Security 

VPN connectivity, giving institutes the option to choose either or both for secure remote connectivity. 

Having SD-WAN integrated in the firewall allows institutes to connect remotely and share data securely 

with each other. 

Synchronized security is also possible, making it easy to identify if a connected remote device is infected 

and can be isolated until it is clean and free of malware. This way they spread of infection across the 

network can be prevented. 

Two-factor or multi-factor authentication 

It is an effective tool against unauthorized access or phishing. To ensure that the faculty and students 

adhere to internet safety policies and as a precautionary measure, the institute should mandate turning 

on alerts for any suspicious activity or non-compliant devices. 

Antivirus and web access 

Unless institutes are providing faculty and students with a secure VPN, they will need to ensure their 

online safety, which can be easily done by setting up web filtering rules. 

Licensed antivirus software’s block access to inappropriate websites, stop risky files from being 

downloaded and provide category-based web filtering. Additionally, phishing can be prevented by using 

advanced endpoint protection technologies to stop the attack chain and predictively prevent future attacks 

of similar nature. 

The software should also be capable of automatic roll back to a pre-altered state if files are encrypted. 

This will protect data if faculty or students are using school-supplied laptops or tabs. 

The increase in the coronavirus cases has created uncertainty as to when educational institutes will be 

able to go back to functioning normally or is this going to give rise to an entirely new normal of online 

learning. 

This makes it essential that the educational institutes take the appropriate steps to adopt cyber security 

measures that will maximize their safety. 

If in case institutes do not have cyber security resources, third party managed security service providers 

can also be hired. These vendors can provide support or coordination in developing a sustainable, secure 

and successful online learning experience. 

However, when dealing with third party individuals who will be having access to sensitive data, institutes 

conduct their due diligence and background must check before hiring such entities to manage their 

systems and services. 




Cyril James is the Founder and CEO, Secure Triad. He has a solid 

foundation in the Information Technology and Communication 

industry with over 13 years of experience. His expertise lies in 

Information Security, specializing in network, web and mobile 

applications, and cloud penetration testing across various industry 

domains like banking, insurance, energy, telecom, IT products and 

services, and others. He is well-versed in penetration testing 

methodologies including OWASP, OSSTMM and PTES. He has solid 

understanding of technical concepts of cloud computing, machine 

learning, and various programming languages. Cyril is a visionary and strategy-builder, has good 

communication skills, and is great with managing teams. Cyril can be reached online at (EMAIL, 

TWITTER, LinkedIn) and at our company website https://securetriad.io/ 



Business Continuity: Where InfoSec and Disaster 

Recovery Meet 

By Adam Berger, VP of Global IT and Cloud Operations, Infrascale 

The escalation of cyber-attacks and the intensity of recent natural disasters create the same fundamental 

risk for businesses large and small — business continuity. Every business manager feels the weight of a 

potential disruption to normal operations, whether ransomware attack or storm-induced mass power 

outages are to blame. Ensuring business continuity requires maintaining vigilance on two sides of a coin: 

preventing disruption from occurring in the first place and restoring operations as quickly as possible after 

any disruption. For the sake of this article, we’ll limit our use of “prevention” to topics of Information 

Security (InfoSec) (i.e., procedures or measures used to protect digital data from unauthorized use) in 

businesses with any online or digital presence. 

The efficacy of any business continuity plan depends largely on the fast, robust implementation of both 

information security and disaster recovery. But the reality is that the two are deeply intertwined, both 

fundamentally concerned with keeping network, infrastructure configurations, and data protected and 

usable. 



Leaving Nothing to Chance: Assess and Mitigate your Risks Through Asset Identification and 

effective risk analysis. Three Effective Asset Determinations 

Developing information security and disaster recovery plans that ensure a high level of data protection 

and safeguard business continuity begins with a baseline evaluation that makes three vital determinations 

which can be done as part of a risk analysis. 

First, businesses must identify all assets important to the company, including physical and information 

assets. These might be servers, confidential files, intellectual property, customer product, and other key 

assets. While it sounds obvious, software asset management (SAM) isn’t only about optimizing 

purchases, deployment, and maintenance of tech. It begins with a comprehensive inventory of assets. 

This is important since many SMB and midsized businesses simply do not have a complete view into 

every tool and process their teams use. 

For information security plans, an inventory should include knowing what kinds of secure access and 

protections from data exploitation is in place for every asset. For disaster recovery, the inventory should 

include knowing the required availability of all infrastructure assets and data for internal or external 

customers to maintain service levels. 

Second, for each asset inventoried, businesses must specify the value of what they’re protecting, to both 

the company and to customers. If particular infrastructure processes or data were gone, what will the 

damage be to the company? This should be measured in terms of both direct revenue loss and in terms 

of reputation loss. 

Third, businesses must determine the level of investment the company is willing and able to make to 

protect each asset, including all types of data. An honest cost-benefit analysis and assessment of the 

company’s financial health should be factored into the level of investment required and weighed against 

other business priorities. 

Although these baseline evaluations are often tasked to particular management and technical teams, a 

company’s leadership team bears ultimate responsibility. An effective leadership team knows what assets 

the company has, the value of each, risks related to each and the investment that should be made to 

protect them based on a business’s risk tolerance. A healthy information security practice helps deliver 

an effective risk analysis to allow businesses make these critical decisions. 

Heads: Mitigating InfoSec Risks in Business Processes and in Technical Choices 

Beyond the baseline evaluations, the information security side of the equation requires that businesses 

drill down into the origin of risk. A sound plan should consider risk that comes from business processes 

as well as technical choices. 

With respect to risk in business processes, company leaders should ask: 

● 

● 

● 

● 

What vendors do we use, and do we understand their processes and protections? 

Are there third-party requirements such as protocols and regulations like ISO 27001, SOC, and 

HIPAA? 

Have we evaluated our contract management processes? Are these processes fully understood? 

What kinds of confidentiality agreements do we have in place? 



● 

● 

● 

● 

How educated are employees on information security risks? Are they trained properly regarding 

acceptable use policy and how to protect infrastructure and data? 

Is there change management established to prevent infrastructure and data from being 

compromised by mistake or deliberately? 

If a software company, are engineering practices in place to make sure code is developed in a 

secure way? 

What regulatory laws are applicable to our business for the regions we operate in? 

With respect to technical choices, company leaders should ask: 

● 

● 

● 

● 

● 

● 

● 

What kinds of technical controls are in place for every asset, and do we know where every asset 

is located and who has access? 

Are appropriate antivirus and malware protections in place? 

Are the right tools in place to identify other kinds of malicious behavior? 

Is strong network protection in place, like firewalls and next generation options for enterprises? 

Are there different layers of application filtering and strong access control systems in place? 

Are there powerful logging tools in place that help ensure excellent visibility into what’s happening 

inside infrastructure? 

Are there powerful monitoring tools in place to detect any anomalies that may compromise servers 

and other infrastructure? 

For every interface from which critical information can be accessed, a company needs to have a tool or 

mechanism in place to identify what’s happening. The bottom line with risk, however, remains twofold. If 

information security is not baked into the ongoing business processes that support daily and changing 

business needs, a potential security threat could completely bypass all the powerful technical tools in 

place. A CISO can spend a million dollars on technical security and backup disaster recovery tools, but 

risks will remain if business processes are poorly managed. Making sure a company is investing in 

securing those “softer” processes, as well as its technical tools, is key and an often-overlooked part of 

information security. 

It’s noteworthy that approaches like zero trust architecture are best suited to mature enterprise security 

programs that can accommodate the level of granularity that zero trust requires. Zero trust makes sense 

for banks or companies with financial data and intellectual property or other information that is high value, 

where a security topology already features robust process management and significant financial 

investment. However, despite its value, SMB and midsized businesses typically are not able to make the 

investment in tools, people, and processes that zero trust requires. 

Tails: Upon Disruption, Planning for Optimal RPO and RTO – Your response to incidents is as 

important as your defense from them. 

If business disruption does occur and breaks through a company’s administrative processes and 

technical defenses, whether via attack or non-malicious disaster, disaster recovery planning dovetails 

with infosec incident management. For disaster recovery, two key metrics come into play, and both are 

very important for business leaders to understand. 



Recovery Point Objective (RPO) refers to the amount of data a company can lose or the time period of 

data loss that a company can withstand and still be viable. Recovery Time Objective (RTO) refers to the 

time frame after a disaster until business operations are functioning normally again, with resources 

available for use. Financial institutions with sensitive data and real-time transactions require RPO and 

RTO that are much smaller and briefer — seconds or minutes — than other kinds of businesses that may 

be able to withstand hours of data loss and days until recovery. An RTO that is two minutes versus 24 

hours equates to a very different level of business investment in people, processes, and availability. Do 

your security and disaster response plans allow you to meet these objectives? Do you have the people 

and technical resources to executive on these plans? 

Another key consideration for disaster recovery planning is how to utilize cloud and on-premises 

resources. Enterprises with highly customized infrastructure may benefit from hosting their own data 

center or leveraging hybrid-cloud deployments. Smaller to midsized companies, where workloads are not 

as customized, may achieve a better return on investment (ROI) with a cloud provider. Public cloud can 

enable efficient spin up and getting infrastructure back online quickly when there’s no need for heavy 

customization of services. 

Companies must seek to safeguard business continuity both before disruption occurs and after the fact. 

Since the weight of a potential disruption to normal business operations can be crippling, business 

leaders need to clearly assess both information security and backup and disaster recovery. A data 

protection plan that includes both will ensure that the best and safest path forward is always available - 

on either side of the business continuity coin. 


Adam Berger is VP of Global IT and Cloud Operations at 

Infrascale. Prior to Infrascale, Adam has managed cloud 

operations organizations at VMWare, OVHcloud US and 

AWS. In his career, he has helped grow and run 

operations teams to provide world class infrastructure 

support, security and compliance as well as technical 

support. 

As the Director of Cloud Operations at VMware, he grew 

the cloud operations infrastructure team to support 

vCloud Air platform which expanded globally over three 

years. This included establishing a centralized global 

NOC, platform engineering teams and operational tooling development teams across US, APAC and 

EMEA. At OVHcloud US, as the Senior Director of Operations, he continued managing vCloud air 

(purchased by OVH) while helping the France-based based company establish their US footprint. This 

included helping launch the US service offering, operationalizing two new data centers, building the 

security and compliance organization as well as establishing the internal IT support functions. Most 

recently he was with AWS, where he served as the Global service owner for EC2 in their technical support 

group. Adam can be reached online at https://www.linkedin.com/in/adamlberger and at our company 

website https://www.infrascale.com/. 



Biometrics Challenges 

By Milica D. Djekic 

The armed guys have approached a bank and made an assault to its office. The security manager has 

followed procedures and the criminals have collected money safely leaving the crime scene. After several 

minutes the Police patrolling has arrived there. They have started an inspection as well as interviewing 

of all people being present at the crime scene at that moment. That seems as a lot of hard work. The first 

step the authorities have taken is collecting the findings and evidence from the place of the crime. The 

video monitoring system has served its role, but there have been some fingerprint and DNA footages as 

well. So, they have gotten an identity of offenders, but the good question is how they might track their 

route. The experienced investigators know that the criminals could take some of the communication 

devices with themselves, so that search could be run, too. 

It appears that’s only an empty bullet as the offenders have switched off their devices while on the crime 

scene. In other words, the authorities can get who they are, but not where they are. It seems like a maze, 

does not it? Think twice! If the Police deal with their biometrics parameters they can run a search through 

some domestic and international databases looking for ID documents that match such a criterion. Next, 

they will do so and bingo – the several passports with those biometrics inputs have been found for the 

same fingerprint trace. In other words, now the authorities know those guys cope with the fake passports. 

And what then? Still unclear? Basically, no! 

What’s possible to do in such a case is to figure out that the bank robbers need to make some route after 

committing the crime. They need the communication, logistics and accommodation in order to stay on 

the surface. Above all, they deal with the fake ID cards and passports, but the biometrics with those 



documents is theirs. If not, they would fail at the simple identification anywhere. Also, what is obvious 

someone will insert those data into the Police register. Some corrupted staff or clever hacker – does not 

matter! The fact is the criminals are always on the move and sooner or later they will need to give their 

details for scanning if, for instance, they want to cross some border. That’s the moment the smart 

investigators have been waiting for. In other words, if that location and time are known, it’s possible to 

make some search for device being present then and there. Bingo again! The investigation has gotten 

the signal and the entire history and ongoing route have been discovered. The bad guys need some 

accommodation to spend their time there, so it will be a piece of cake to get those asset connections as 

well as all the contacts being made from there. It seems it’s not that hard to track the biometrics, right? 

The new tendencies could bring us a better focus of the offenders that will deactivate their devices at the 

place of checking out, but it’s quite challenging being that uncatchable, so far. Anyhow, we need the 

smart policing that will always be at least one step ahead of threats, so as the bad guys have capacity to 

think we must do so better than them, so far. 

About The Author 

Milica D. Djekic is an Independent Researcher from Subotica, the 

Republic of Serbia. She received her engineering background from 

the Faculty of Mechanical Engineering, University of Belgrade. She 

writes for some domestic and overseas presses and she is also the 

author of the book “The Internet of Things: Concept, Applications 

and Security” being published in 2017 with the Lambert Academic 

Publishing. Milica is also a speaker with the BrightTALK expert’s 

channel. She is the member of an ASIS International since 2017 and 

contributor to the Australian Cyber Security Magazine since 2018. 

Milica's research efforts are recognized with Computer Emergency Response Team for the European 

Union (CERT-EU), Censys Press, BU-CERT UK and EASA European Centre for Cybersecurity in 

Aviation (ECCSA). Her fields of interests are cyber defense, technology and business. Milica is a person 

with disability. 



Epic V. Apple Trial - Impact of Big Tech Battles on 

Consumers' Rights 

By Brad Ree, CTO, The ioXt Alliance 

Recently, popular app Fortnite’s parent company Epic Games, has taken Apple to court over the hold the 

tech giant has over the app store ecosystem. The argument being made was that the Apple app store is 

a monopoly and stifles competition by charging exorbitant rates on purchases in the store and that it has 

breached antitrust laws by removing apps, including Fortnite, from the app store. Epic Games is fighting 

for app developers’ rights which would remove Apple’s power and require the shift in policies to allow 

developers to include in-app purchases without Apple its 30% “Apple tax” commission, which has the 

potential to permanently alter the mobile apps industry. 

As the closing arguments came to an end and we await a verdict, this “app battle royale” has certainly 

raised other questions on tech companies’ effect on consumers. When companies such as Apple put up 

walls and don't allow for competition within their devices or app stores by blocking outside apps and 

integrations within the ecosystem, the consumers’ right to choose is impacted. 

If Epic Games ends up winning the trial, the iOS store market will be forced to open to many, which would 

be a win for app developers and consumers, but could come with some security risks if not managed 

properly. The app store and developers need to consider how they should emphasize safety so 



consumers are able to make informed decisions on what they download to mitigate security risks and put 

those app-users first. 

What does more open mobile ecosystems mean for the industry 

A more open app ecosystem would increase competition and allow consumers to have a bigger pool of 

apps to choose from. While competition benefits consumers, it also could open them up to some unknown 

risks and security vulnerabilities – especially as there aren’t currently universal security standards for app 

development. 

To execute a secure, open mobile app market properly, standards need to be put in place to ensure apps 

are developed with security in mind from the start to protect all consumers, and developers, from the 

devastating impacts of a data breach. 

Why the mobile app industry needs security standards 

According to Apple, it’s security standards in the iOS store are high which is why they limit developers in 

their store and is how they have earned consumers’ trust - and opening their ecosystem to other 

developers could threaten that. However, if they did open the store, Apple could adopt security measures 

for mobile apps to encourage competition and guarantee that any new and current apps have been 

developed per the guidelines to make them cyber-secure. To be the most effective, security standards 

should be based on industry-wide agreement and managed by a third party whose only interest is 

securing the applications for the consumer. Apple setting the standards and being the sole judge and jury 

leaves them in the same controlling seat that they are already in. 

Transparency from the developers and the app stores need to play a bigger role to protect consumers 

and give them the resources to make informed decisions on their downloads. Universal security 

standards for mobile apps could help create a safer environment for end-users and help provide cohesive 

guidelines for industry stakeholders to align with to mitigate security risks and put consumers first. There 

are already mobile app standards available through industry-led organizations such as the ioXt Alliance, 

which could help create uniformity when it comes to security across the mobile app ecosystems if 

implemented. With standards in place, consumers can be in control of their downloads and app 

developers could safely participate in the app store with minimal risks. 

The Epic Games vs. Apple trial has the potential to change the mobile apps industry if the verdict is 

swayed in Epic Games’ favor. This could set a standard to stop big tech companies from monopolizing 

ecosystems and stifling consumers’ right to choose, giving other developers a chance to benefit from an 

open market. Universal standards in place for mobile app development would help create a safer mobile 

apps industry and hold the app store and developers accountable to uphold security for all end-users – 

thus putting consumers first in this competitive market. 




Brad Ree is the Chief Technology Officer at the ioXt Alliance, 

the leading organization for IoT standardized security and 

privacy requirements. In this role, he leads ioXt’s security 

products supporting the alliance. Brad holds more than 25 

patents and is the former security advisor chair for Zigbee. He 

has developed communication systems for AT&T, General 

Electric, and Arris. Before joining the ioXt Alliance, Brad was 

vice president of IoT security at Verimatrix, where he led the 

development of blockchain solutions for ecosystem operators. He is highly versed in many IoT protocols 

and their associated security models. 

Brad can be reached at the ioXt Alliance company website : https://www.ioxtalliance.org/ 



How The Pandemic Has Changed the Value of Health 

Data 

By Aman Johal, Lawyer and Director of Your Lawyers 

The 11 th March marked one year since the World Health Organisation (WHO) declared the Covid-19 

outbreak a pandemic. To date, over 34,505,380 people in the UK have been vaccinated, paving the way 

for a return to normality by allowing the easing of restrictions. At present, people who have had a Covid 

jab receive a vaccination card and the details are stored on their medical records. The government is 

now considering how people could prove their Covid vaccination status, with vaccine passports the most 

likely solution as "a temporary measure". The hope is that this could reduce social distancing and facilitate 

international travel. 

According to UK government sources, the NHS app could host the vaccine passports, although it is 

unclear how far the project has progressed. A government source reportedly told the BBC that the app 

will not be ready “imminently”, while Vaccines Minister Nadhim Zahawi said work is underway to prepare 

it. 

However, the use of vaccine certification is proving controversial. Basing the passport on an app may 

discriminate against those with low incomes or older people who don’t have access to smartphones, and 

some may be unable or unwilling to have a vaccine. There are also worries that the immunity passports 

could pave the way for a full ID system, which civil rights group Liberty said could permanently curb rights 

and freedoms once the pandemic is over. Added to this, they could potentially heighten the risk of data 



eaches because large amounts of highly private information could be readily available if a hacker gets 

access to a mobile device. 

The rise in cybercrime 

During the last year, the UK has seen a significant rise in cybercrime which was likely worsened by the 

pandemic. Cybersecurity firm ESET analysed the state of cybercrime in the UK for 2020, and identified 

an increase of 19% compared to 2019. The UK Government has announced “ground-breaking” plans to 

protect consumers using smart devices from cyberattacks. As sales in smart devices soar (up 49% since 

the start of the coronavirus pandemic), cybercriminals continue to become more adept at exploiting 

security weaknesses. Many devices remain vulnerable to attack, and just one vulnerable device could 

jeopardise a whole network – as illustrated by the 2017 North American casino attack. 

The legalities surrounding vaccine passports 

It is important to dissect whether companies like airlines can legally require travellers to input vaccination 

information, as the entitlement to process medical data normally requires consent. However, if it became 

a prerequisite for travel, the focus then is on whether a person wishes to travel or not. We should not 

simply assume consent. 

An overarching consideration is the highly sensitive nature of the information in question. The 

confidentiality and sensitivity of medical records makes them prized assets for cybercriminals, and 

potentially raises the chances of a data breach occurring. 

Compensation pay-outs for offending businesses are often far more costly because of the increased 

potential for consumers to experience distress and psychological trauma from breaches or leaks involving 

medical data. For example, victims of the 2018 British Airways (BA) data breach could be eligible to claim 

up to an estimated £16,000 in cases of severe psychological distress. Comparatively, in the case of 

the 56 Dean Street data breach in 2015, when a leak exposed the contact details of almost 800 patients 

using the clinic for HIV services, the most seriously affected claimants could potentially receive damages 

of up to £30,000. 

The importance of health data 

Storing any type of personal consumer data comes with risks. BA suffered two significant data breaches 

in 2018, exposing the personal information of more than 420,000 customers. As a result, the Information 

Commissioner’s Office (ICO) issued BA with a £20m fine, with the total compensation pay-out in the 

group action against BA potentially reaching an additional £2.4bn. 

Health data is among the most valuable data a cybercriminal can steal, with a single health record 

reportedly costing $250 on the black market, compared to a reported $5.40 for payment card details. 

Vaccine passports could heighten the risk to health data: increased accessibility may result in more 



cybercriminals targeting the public’s health information as we loosen restrictions over the next few 

months. 

Gary Cantrell, Head of Investigations at the HHS Office of Inspector General, said hackers tend to steal 

medical records because they are like "a treasure trove of information about you." They can contain a 

patient's full name, address history, financial information, and National Insurance numbers, which can be 

enough information for hackers to take out a loan or set up a line of credit under patients' names. 

Increasingly, hackers are selling information for profit on the black market. According to Reuters, buyers 

might use the information to create fake IDs to purchase medical equipment or drugs, or to file a false 

insurance claim. 

The impact of medical data breaches 

As we increasingly rely on technology, hackers are finding new ways to attack IT systems, disrupt 

computer networks, and steal information. There can be huge benefits when patient data is used 

responsibly to save lives and advance medical research, but it is undeniable that it comes with risks. 

The potential impact of a data breach often depends on the circumstances. Someone who has a sensitive 

medical condition may be much more concerned if part of their medical history was exposed or disclosed. 

The possibility that it might fall into the wrong hands could cause them emotional distress. 

According to Brandon Reagin, a victim of medical record theft, it's a "mess." Reagin's identity was stolen 

in 2004, and the person who accessed Reagin's personal information used it to steal cars and rack up 

$20,000 worth of medical procedures. He was reportedly unable to get the charges scrubbed from his 

credit report "until the next billing cycle." Then, the process would start all over again. 

The person who stole Reagin's identity served time in prison. But, 17 years later, he still hasn't been able 

to undo all of the damage, including to the integrity of his own medical files, as the “hospital may still have 

his information, his blood type under my name at that hospital… It's a little weird to think". 

Proactive steps consumers and healthcare providers can take to protect their data 

Healthcare providers and their business associates must balance delivering quality patient care with 

protecting patient privacy, always ensuring that they are meeting the strict regulatory requirements set 

out in legislation, such as the General Data Protection Regulation (GDPR). 

Healthcare staff can protect information with a number of measures including: 

• educating staff; 

• restricting access to information and applications; 

• implementing data usage controls; 

• logging, auditing and monitoring use; 

• encrypting data both on servers and when it is being transferred; 



• securing mobile and remote working devices; 

• mitigating connected device risks by conducting regular risk assessments; 

• backing up data to secure offsite locations; 

• carefully evaluating the security and compliance of business associates. 

The past has taught us that protecting information in the healthcare industry is not an easy task, but an 

important one nonetheless – even more so in a post-pandemic world. 


My name is Aman Johal, I am a lawyer and director at 

Your Lawyers. 

Aman can be reached online at his company website 

https://www.yourlawyers.co.uk/ 



Galvanizing the Cyber Workforce in Private Industry 

An agile approach for developing key talent 

By Brandon Rogers | CEO & Principal Consultant | Paradoxical Solutions, LLC 

Introduction 

Cyber is a highly specialized field that is in high demand for talented individuals, yet there is so much that 

is unknown about the field itself. How is it that we know that the field of cybersecurity is the future; on 

the horizon and unparalleled in employment opportunity but lack so much of the fundamental knowledge 

of what is needed in the field? 

According to cyberseek.org, there are approximately 465,000 cyber security job openings across the US 

in both private and public sectors (Cyberseek, 2021). With the development of the National Institute of 

Cybersecurity Engineering (NICE) framework, the regulations defined by the National Institute of 

Standards and Technology (NIST) and the National Institute of Cybersecurity Careers and Studies 

(NICCS), the public sector has made great strides to develop cyber career pathways for government 

employees. In the private sector, there needs to be a similar push for organizations, as cyber 

vulnerabilities are a huge threat to corporations and proprietary information. 



This topic has great relevance because national security and protecting proprietary information are 

pressing issues on the minds of many corporate leaders. In addition to this, especially in a COVID 

environment, the way that we work is rapidly evolving. There is a high demand and short supply of 

talented cyber professionals and it seems that there is a need for a cyber version of “Talent Management”, 

and there is great need for versatility and agility in designing the cyber workforce of tomorrow. 

Observations from the field 

In both private and public industries, workforce development is usually broken into two separate 

functions: talent management and organization development. Talent management is usually positioned 

to focus on high potential individuals (a small subset of the full workforce), while organization 

development has been stated to encompass the whole. As the field of cyber security expands and 

organizations rush to fill the demand across the world, it seems that cyber career development is 

becoming a nearly separate initiative to talent management and organization development. It is 

imperative that cyber, organization development and talent management professionals begin to 

collaborate and dig deep into the field in its nascency to understand the needs of the upcoming workforce. 

For roughly six months, I had the opportunity to work as a contractor to a federal organization in a role 

focused on cyber workforce development. It was during this time that I learned about the various 

initiatives being taken within the public sector to strengthen national security defense against cyberattacks. 

One of the key efforts being taken was to develop cyber career pathways and comparative 

roles between sibling fields (i.e.- information technology, project management, etc.) and one of the most 

interesting observations I noted was the creation of a focused role specific to cyber workforce 

development. It’s become apparent to me that the public sector may be on to something; private industry 

should consider establishing such a function as well. 

Establishing a dedicated role for cyber workforce development 

When taking a step back to consider the compartmentalized nature of these three areas, relevant 

research by Bazerman et al. introduce two distinct concepts that inhibit creativity and rationale as to why 

this concept of a new hybrid role has not yet emerged (Bazerman et al., 2013, p. 63): 

• Bounded rationality – suggests that our thinking is limited and biased in systematic ways. 

• Bounded awareness – prevents people from noticing or focusing on useful, observable and 

relevant data 

The concepts of bounded rationality and bounded awareness continue the mindset of the past and 

potentially obstruct the logic for such a position to be created in the future. As private companies aim to 

protect critical business information, it may be well worth the time to develop key resources to create a 

strong team of cyber individuals. An effort of this magnitude highlights the need for organizations to have 

a resource with the combined skills of a talent management, organization development and cyber 

professional to execute such an endeavor. 

In order to identify key talent, it requires a seasoned cyber professional to understand the technical 

aspects of each role to build strengths, close gaps, and recognize the attributes necessary to be 

successful in cyber. In addition to technical acumen, a working knowledge of the human capital lifecycle 



and organizational enablement is necessary to understand how to grow talent. Relevant literature 

supports the idea of hybrid roles when discussing the concept of the Versatilist, or “people whose 

widening portfolios of roles, knowledge, insight, context and experiences can be applied and recombined 

in numerous ways to fuel innovative business value” (Bopp et al., 2010, p. 130). 

One way to visualize such a role could be achieved is through the use of the cyber workforce development 

logic model: 

The logic model establishes Cyber Workforce and visualizes Development a dedicated Logic Model. role Rogers, (the 2021 cyber workforce development versatilist) 

for an individual that possesses the skills of a talent management and organizational development 

professional, and the arrows indicate support from those dedicated functions. This individual also 

possesses the technical skills of a cyber expert, and the light arrow indicates foundational support from 

information technology and cybersecurity. The expert is then able to properly support, grow, and 

enhance professionals at any stage of their career. 

Potential arguments and considerations 

With any new idea, there is always inherent risk. A potential argument to this proposal is that having a 

cyber workforce development versatilist role could be considered a duplication. As talent management 

and organization development professionals are skilled in developing individuals across the human 

capital lifecycle, the responsibility of recruiting by identifying expertise could be shifted to hiring 

managers. Hiring managers typically possess the technical skills and (ideally) have moved into 

management roles based on their ability to lead. As they possess the necessary skills needed to identify 

and recruit talent, they could work with talent management/organization development professionals to 

get the same result. 



I recommend that leaders of private organizations consider this framework and a dedicated role to cyber 

workforce development as there is a great need and not enough bandwidth on either side to ensure 

focused development of cyber professionals. Should this approach be adopted, private organizations 

(which tend to have less of a cyber team, and instead a cyber individual) would be able to better prepare 

for cyber threats and ultimately protect proprietary information. In addition to this, organizations would 

become more aware of the resources needed for proper cyber security and have a dedicated 

professional(s) for managing and developing those employees across the human capital lifecycle. 

Conclusion 

Ultimately, the key position is that the landscape of cyber is brand new and there is a great deal that we 

do not know about it, yet we still need to prepare. In order to do so, the public sector should consider 

developing a specific role (cyber workforce development versatilist) to develop that specific subset of 

talent. A cyber workforce professional would have the ability to conduct the responsibilities of a Talent 

Management/Organization Development professional but would also have the technical expertise of a 

cyber professional. That unique skillset would enable them to identify, recruit and develop talent and 

galvanize the workforce. 


Brandon Rogers is the Chief Executive Officer and Principal 

Consultant of Paradoxical Solutions, LLC and a second-year student 

at Bowling Green State University in the Doctorate in Organization 

Development and Change program. In his most recent role, he was 

responsible for cyberspace workforce development with a federal 

agency. Before this role, he worked at Honda R&D Americas and was 

responsible for implementing engineering tools for requirements 

management and Agile project management initiatives for the vehicle 

integrated controls department. Brandon graduated from Kent State 

University with a BA in I/O Psychology and obtained his MS in Positive 

Organizational Development and Change from Case Western Reserve 

University. Brandon can be reached online via email 

(Brandon.Rogers@paradoxicalsolutions.com) and at his company 

website www.paradoxicalsolutions.com. 



Play 'Smart' on the Crime Scene 

By Milica D. Djekic 

In criminology, the crime scene is a transferrable term that can cover many physical locations at the same 

glance. Also, that spot can be correlated with one or more offenses and in such a fashion it’s important 

to deal with the policing as well as investigation skill in order to make an accurate estimation of what 

happened for real. It’s quite hard explaining what occurred somewhere and for such a purpose it’s needed 

to organize so many officers, detectives and investigators that are capable to during the certain period of 

time document the entire situation and do some tracking after the crime has been committed. The crime 

scene spot on its own can be permanent and temporary depending if the criminals with their activities are 

linked to some spot only for few hours or apparently, several years. In case anyone is doing an 

exploitation or production of some good it’s clear that such a group will not change their location that 

frequently. On the other hand, in case of some looting scenarios the offenders will just attack some place 

and vanish, so far. In both cases, playing smart on the crime scene means leaving no trace in the 

cyberspace and some well-organized criminal groups will know so and, say, in some armed robbery they 

will switch off their devices relying on the local telecommunication or satellite infrastructure. As it’s known, 

the best way to avoid tracking is to disclose device from the crime scene or probably remove its battery 

from the housing as that’s the most convenient method to stay invisible, so far. In this article, we will 

make a look at the possibilities of the interconnected world to get disconnected sometimes as well as 

analyze how it is feasible to avoid the criminal justice tracking for some time, but also never commit the 

perfect crime as it does not exist as the absolute security is still impossible. 

Many of us have read the news saying some criminal group or syndicate committed some heavy offense 

and consequently, they have been arrested after some period of time. Immediately after the incident the 

investigators have appeared on the crime scene and they collected the findings and evidence, so far. 

Some time has passed and the entire occurrence was under the investigation, so the criminals did not 



fail that promptly. After, say, several months the law enforcement agency has announced that the 

offenders are finally behind the bars and the entire case is waiting its epilog on the court. It’s quite 

challenging to prove someone’s guiltiness and issue some kind of punishment, so it’s clear why it is 

significant to do the good investigation and clue collecting procedures. Indeed, the part of the public will 

be amazed with so effective policing work, while many will wonder how the officers have accomplished 

such a demanding task. The fact is the bad guys will not play that smart on the crime scene and they will 

take the activated devices with them. What does that mean? In case anyone is using internet, cell phone 

or satellite communication service their signal will leave some footage within the local ICT infrastructure. 

Any device amongst the range will do a plenty of recalling in the sub-second moment and doing so it will 

send the information it is still the part of the local grid. So, that recalling is crucial and if it is happening 

the local service provider will be quite confident that the trace comes from such a device. Another good 

point could be how we can know that such a device belongs to that offender. 

In the looting sort of crime when some place or person is attacked there will be heaps of security cameras 

that will precisely determine and record the moment of the criminal offense. On the other hand, if we 

know the time and place we can confirm with the local network if it has caught the signal of any portable 

device that uses the internet, cellular or satellite connectivity to deal with the rest of the environment. 

That was the piece of cake, was not that? 

About The Author 

Milica D. Djekic is an Independent Researcher from Subotica, the 

Republic of Serbia. She received her engineering background from 

the Faculty of Mechanical Engineering, University of Belgrade. She 

writes for some domestic and overseas presses and she is also the 

author of the book “The Internet of Things: Concept, Applications 

and Security” being published in 2017 with the Lambert Academic 

Publishing. Milica is also a speaker with the BrightTALK expert’s 

channel. She is the member of an ASIS International since 2017 and 

contributor to the Australian Cyber Security Magazine since 2018. 

Milica's research efforts are recognized with Computer Emergency 

Response Team for the European Union (CERT-EU), Censys Press, 

BU-CERT UK and EASA European Centre for Cybersecurity in Aviation (ECCSA). Her fields of interests 

are cyber defense, technology and business. Milica is a person with disability. 



The Top 10 Cybersecurity Conferences of 2021 

By Nicole Allen, Marketing Executive, SaltDNA. 

If you're anything like us, you love going to technology and cyber conferences. Expert forums, 

opportunities to test out emerging innovations, and opportunities to network with those in the industry are 

just a few reasons as to why attendees enjoy these events. It's important for business and security 

executives who want to implement successful cybersecurity programmes to stay up to date on industry 

best practises and technologies. That's why we've compiled a list of the best conferences to attend in 

2021 from around the world. There's bound to be an event on this list that fits your interests, regardless 

of your status or goals! 

Despite the fact that COVID-19 has put an end to in-person industry conferences in most countries for 

the time being, the cybersecurity events calendar has remained impressively busy. Indoor events will 

almost certainly be among the last to return to normal once the Covid response-mandated restrictions in 

several countries are lifted. However, due to the widespread availability of vaccines, certain information 

security activities scheduled for the second half of 2021 will be held in person. If such plans are carried 

out or not, there may be no going back to the previous way things used to be. 

It will be interesting to see how many formerly in-person events stick with the online model, follow a hybrid 

model where those who can't participate can instead stream presentations, or dismiss the hybrid 

alternative altogether. 



1. Infosecurity Europe 

Where: Olympia, London 

When: 8th-10th June 2021 

The biggest cybersecurity conference in Europe is Infosecurity Europe. This year marks the 25th 

anniversary of the three-day festival. This year's theme is "resilience." Hours of information and 

cybersecurity content will provide attendees with realistic insight into governance, risk management, and 

compliance, identity and access control, data privacy, and threat intelligence. 

It is the European marketplace for information security professionals to conduct business, learn about 

industry trends, and communicate with current and potential clients or suppliers. Exhibitors will present 

the most diverse selection of new products and services on the market at the show. In addition, an 

unrivalled complementary education network draws delegates from all over the world. It will provide you 

with business critical knowledge, best practise, and realistic case studies while addressing the most 

recent issues and needs. 

2. 2021 National Cyber Summit 

Where: Huntsville, AL 

When: 8th-10th June 2021 

The National Cyber Summit is a premier cyber security-technology event that provides industry 

visionaries and rising leaders with unique educational, collaborative, and workforce development 

opportunities. 

The Summit gathers both government and business participants and is held in Huntsville, Alabama, one 

of the United States’ greatest technical hubs. Huntsville has long been renowned as the home of 

Department of Defense and civilian departments and agencies such as DHS, NIST, NASA, TVA, NSA, 

and DOE, but it also has a diverse range of companies. Healthcare, automotive, and energy industries, 

as well as academics, genetic research, and high technology, are all represented. 

3. Hack In Paris 

Where: Maison de la Chimie, Paris 

When: 28th June - 2nd July 

This event is for hands-on cybersecurity enthusiasts, and it includes realistic laboratories, seminars, and 

wargames where you can put your hacking skills to the test against your peers. Hands-on malware 

analysis and reverse engineering training with Amr Thabet, a vulnerability researcher at Tenable, are 

among the notable training sessions already reported. 



4. Black Hat USA 2021 

Where: Mandalay Bay Convention Center, Las Vegas 

When: 31st July- 5th August 2021 

Black Hat USA, now in its 24th year, is hosting a unique hybrid event experience, giving the cybersecurity 

community the option of how they want to participate. Black Hat USA 2021 will kick off with four days of 

virtual training (July 31-August 3) that will be performed in real-time online with all instructors available at 

all times. The two-day main conference (August 4-5), which will include Briefings, Arsenal, Business Hall, 

and more, will be a hybrid event, including both an online (virtual) and a live, in-person event in Las 

Vegas. 

These trainings, which are often only available during Black Hat, are given by professionals from around 

the world and provide opportunity for offensive and defensive hackers of all levels to gain firsthand 

technical skill-building. 

5. DefCon 29 

Where: Las Vegas Nevada 

When: 5th-8th August 2021 

DefCon is the oldest event on the list, having been hosted for the first time in 1993. It is a hands-on 

gathering for amateur and professional hackers. The identity of the 25,000 attendees are kept hidden, 

and the event features lock-picking contests, cypher challenges, and technical pranks in a competitive 

atmosphere. Even the conference badges are highly complicated electronic artefacts full of challenges, 

rather than basic laminated pieces of paper. 

The badge challenge, which consists of many "sub-puzzles" placed around DEFCON, is one of the most 

popular cryptographic puzzle challenges at DefCon. Some tasks are classics that occur every year, while 

others are famously tough to solve. 

6. Women in Cybersecurity 

Where: Denver, Colorado 

When: 8th-10th September 2021 

This event honours women in academia, industry, and government who are leaders in the field of 

cybersecurity. It's a fantastic project to increase diversity in the cybersecurity field, encourage female 



leaders, and help each other advance. There is a special emphasis on encouraging female students to 

enrol, with scholarships and other forms of support. The list of speakers hasn't been released yet, but 

we're expecting it to be fantastic! If you're a woman in cyberspace, you should attend this event. 

7. Cybersecurity & Cloud Expo Global 2021 

Where: Business Design Centre, London 

When: 6th - 7th September 2021 

The Cyber Security & Cloud Expo event is co-located with the IoT Tech Expo, AI & Big Data Expo, and 

Blockchain Expo on the 6-7 September in the Business Design Centre, and virtually from the 13-15 

September, so you can discover the future of these converging technologies under one roof. 

As modern companies evolve, the conference agenda will address the genuine concerns that CISOs and 

security professionals face today. With an emphasis on collaboration and support for the security 

community, we're displaying the most innovative and significant advances in the solutions industry. With 

a focus on learning and creating connections in the burgeoning cyber security and cloud arena, the 

conference will feature a series of top-level keynotes, interactive panel discussions, and solution-based 

case studies. 

8. Gartner Security & Risk Management Summit 

Where: Orlando, FL 

When: 20th-22nd September 2021 

The timetable and programme for 2021 are currently in the works. Gartner's own summary of the 2021 

event is as follows: Over the course of four days, leaders from security, identity and access management, 

and risk management joined Gartner experts digitally to provide vital ideas on developing an effective, 

risk-based cybersecurity programme. The conference will provide the tools needed to establish agile 

security and IT risk management plans in order to manage the risk that comes with digital companies 

and to be better prepared for the next global shock. 

9. InfoSec World 

Where: Disney Coronado Springs Resort, Orlando, Florida 

When: 25th-27th October 2021 

InfoSec World has been the "business of security" conference for the past 25 years. While the agenda 

has yet to be released, we have no doubt that the organisers will put together a fantastic lineup of 

speakers this year, as they always do. The InfoSec World conference is one of the world's largest, 



inging together information security professionals from all walks of life, industries, and fields of study - 

bringing together over 100 nations worldwide. 

The conference this year will combine the best of both worlds, with both an in-person and a virtual 

component. If you can, we recommend going in person because you'll be close enough to "breach" the 

Magic Kingdom main gate from the conference floor. 

10. ACM Conference on Computer and Communications Security 

Where: Seoul, South Korea 

When: 14th-19th November 2021 

The flagship annual conference of the Association of Computing Machinery's Special Interest Group on 

Security, Audit, and Control (SIGSAC) is primarily focused on research. Researchers, practitioners, 

developers, and users from all around the world will gather at the conference to discuss cutting-edge 

ideas and outcomes. The conference holds a range of keynotes with expert speakers specialising in 

information security, along with a variety of workshops to get involved in during the event. 

If you can’t wait for all of these events and are seeking a way to secure your organisation's 

communications in the meantime, please contact us. 

About SaltDNA 

SaltDNA is a multi-award winning cyber security company providing a fully enterprise-managed software 

solution giving absolute privacy in mobile communications. It is easy to deploy and uses multi-layered 

encryption techniques to meet the highest of security standards. SaltDNA offers ‘Peace of Mind’ for 

Organisations who value their privacy, by giving them complete control and secure communications, to 

protect their trusted relationships and stay safe. SaltDNA is headquartered in Belfast, N. Ireland, for more 

information visit SaltDNA. 


Nicole Allen, Marketing Executive at SaltDNA. Nicole has been working 

within the SaltDNA Marketing team for several years and has played a 

crucial role in building SaltDNA's reputation. Nicole implements many 

of SaltDNA's digital efforts as well as managing SaltDNA's presence at 

events, both virtual and in person events for the company. 

Nicole can be reached online at (LINKEDIN, TWITTER or by emailing 

nicole.allen@saltdna.com) and at our company website https://saltdna.com/. 























You asked, and it’s finally here…we’ve launched CyberDefense.TV 

Hundreds of exceptional interviews and growing… 

Market leaders, innovators, CEO hot seat interviews and much more. 

A new division of Cyber Defense Media Group and sister to Cyber Defense Magazine. 



FREE MONTHLY CYBER DEFENSE EMAGAZINE VIA EMAIL 

ENJOY OUR MONTHLY ELECTRONIC EDITIONS OF OUR MAGAZINES FOR FREE. 

This magazine is by and for ethical information security professionals with a twist on innovative consumer 

products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our 

mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best 

ideas, products and services in the information technology industry. Our monthly Cyber Defense e- 

Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare 

arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of 

sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here 

to sign up today and within moments, you’ll receive your first email from us with an archive of our 

newsletters along with this month’s newsletter. 

By signing up, you’ll always be in the loop with CDM. 

Copyright (C) 2021, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G. 

SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a 

CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com, 

CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability 

Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465, 

Cyber Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS# 

078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com 

All rights reserved worldwide. Copyright © 2021, Cyber Defense Magazine. All rights reserved. No part of this 

newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, 

recording, taping or by any information storage retrieval system without the written permission of the publisher 

except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of 

the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may 

no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect 

the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content 

and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at 



276 Fifth Avenue, Suite 704, New York, NY 1000 

EIN: 454-18-8465, DUNS# 078358935. 

All rights reserved worldwide. 


www.cyberdefensemagazine.com 

NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA) 

Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 07/02/2021 

Books by our Publisher: https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guysebook/dp/B07KPNS9NH 

(with others coming soon...) 



9 Years in The Making… 

Thank You to our Loyal Subscribers! 

We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know 

What You Think. It's mobile and tablet friendly and superfast. We hope you 

like it. In addition, we're shooting for 7x24x365 uptime as we continue to 

scale with improved Web App Firewalls, Content Deliver Networks (CDNs) 

around the Globe, Faster and More Secure DNS 

and CyberDefenseMagazine.com up and running as an array of live mirror 

sites and our new B2C consumer magazine CyberSecurityMagazine.com. 

Millions of monthly readers and new platforms coming…starting with 

https://www.cyberdefenseprofessionals.com this month…

Cyber Defense eMagazine July 2021 Edition

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?