Cyber Defense eMagazine September Edition for 2021
Cyber Defense eMagazine September Edition for 2021 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, US Editor-in-Chief, Pierluigi Paganini, Co-founder & International Editor-in-Chief and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES
Understanding The Importance of Designing for Security
Gold Optis: Most Innovative and Socially Conscious Technologies at Black Hat
Evaluating Security Practices in Response to Colonial Pipeline And South Korean KAERI Attacks
How Trustworthy is Your Cyber Defense?
New Report Reveals Traditional Anti-Malware Solutions Miss 74% of Threats
Chinese Government Will Begin to Stockpile Zero-Days in September
How to Proactively Prepare for a Breach
…and much more…
Cyber Defense eMagazine – September 2021 Edition 1
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.
CONTENTS
Welcome to CDM's September 2021 Issue (p. 6)
Gold Optis: Most Innovative and Socially Conscious Technologies at Black Hat (p. 33)
By Olivia Gallucci, Cybersecurity Reporter, Cyber Defense Magazine
Silver Optis: Innovative and Socially Conscious Technologies at Black Hat (p. 46)
By Olivia Gallucci, Cybersecurity Reporter, Cyber Defense Magazine
Bronze Optis: Innovative Technologies at Black Hat (p. 59)
By Olivia Gallucci, Cybersecurity Reporter, Cyber Defense Magazine
Looking Back at Executive Order on Cybersecurity and What it Means for Your Business (p. 67)
By James Gorman, CISO of AuthX
How Trustworthy is Your Cyber Defense? (p. 71)
By Tom Brennan, Chairman, CREST USA
New Report Reveals Traditional Anti-Malware Solutions Miss 74% of Threats (p. 74)
By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies
Cyber Security Incident Response Plan: How to Proactively Prepare for a Breach (p. 77)
By Joseph Carson, Advisory CISO, ThycoticCentrify
The Importance of Multi-Factor Authentication and Strong Passwords (p. 80)
By Jeff Severino, CyberLock Defense, Lockton Affinity
Time to Act: How Real-Time Analytics Can Help Stop the Cyber Kill Chain (p. 84)
By Dr. William Bain, CEO and Founder of ScaleOut Software
Combatting Industry Burnout by Building Resilient Security Teams (p. 87)
By Rick McElroy, Principal Cybersecurity Strategist, VMware
Considering Collateral Intrusion in Digital Forensics (p. 90)
By Alan McConnell, Forensic Advisor, Cyan
Keeping Health Records Safe from Cyber Criminals (p. 94)
By Dexter Caffey, Founder and CEO, Smart Eye Technology
Why Your Hospital Network Needs an IoT Security Policy (p. 97)
By Marc Laliberte, Technical Security Operations Manager, WatchGuard Technologies
Offense Activities Sharing in Criminal Justice Case (p. 101)
By Milica D. Djekic
Cybersecurity Challenges of Working from Home during COVID-19 Pandemic and a Proposed 8 step WFH Cyber-attack Mitigation Plan (p. 108)
By Glorin Sebastian, Senior Consultant, EY
HTML Smuggling: A Resurgent Cause for Concern (p. 111)
By Vinay Pidathala, Director of Security Research, Menlo Security
New CIOs: 5 Key Steps in Your First 100 Days (p. 115)
By Etay Maor, Senior Director, Security Strategy, Cato Networks
Cyber EO and Meeting Cloud Modernization Effort (p. 118)
By Stephen Kovac, Vice President of Global Government and Head of Corporate Compliance, Zscaler
Defeat Ransomware with Immutable Backup Data and Encryption (p. 121)
By Jon Toor, CMO, Cloudian
The Struggle You Don't See: Mitigating the Impacts of Cyberattacks on the Workforce (p. 124)
By Nick Carstensen, CISSP, Product Manager - Security & Integrations, Graylog
How Bug Bounty Programs Can Help Businesses Achieve Agile Transformation (p. 128)
By Sam Lowe, UK Lead, YesWeHack
Using Decentralized, Zero-Knowledge Services to Enhance Security (p. 131)
By Ben Golub, CEO and Executive Chairman at Storj
How to Play Like You're in the Security Majors When You're Still in the Minors (p. 134)
By Patrick Murray, chief product officer, Tugboat Logic
SQL Cyber Attacks Are a Danger to Your Company (p. 137)
By Ryan Ayers, Consultant
AIOps Offers Security Teams an Early Warning System (p. 140)
By Ranjan Goel, Vice President, Product Management, LogicMonitor
5 Steps to Protect Your Organization from the Next Ransomware Attack (p. 143)
By Paul Kohler, CTO, S3
@MILIEFSKY
From the Publisher…
We'll be celebrating our 10th Year in business and of our Global InfoSec Awards and as a Platinum Media Partner of RSA Conference on Feb 7 – 10, 2022 – See You There!
Dear Friends,
From my perspective as Publisher, it's incumbent upon me to observe the trends and draw patterns of cybersecurity developments. One recurring theme is the lack of coordination between government entities and private sector organizations. While we might wish to think otherwise, this should not come as a surprise.
Private companies have the common goal of maximizing shareholder value, usually in revenues and profits. There are often other considerations in play. Government objectives do not include these goals, since making a profit is not a government function.
We are seeing movement toward cooperative efforts, but the lack of a definite nexus is still a barrier. May I suggest a good possible place to start would be adoption of a voluntary agreement, for all organizations engaged in activities in the 16 elements of critical infrastructure, to implement strict cybersecurity practices. Resilience and survivability are the watchwords.
At Cyber Defense Magazine we continue as we head into our tenth year of bringing actionable information to our readers in all sectors and activities. This edition is loaded with great content and fresh ideas so please take the time to read these articles that pique your interest.
As always, among the valuable resources we rely on to respond to cyber threats are the providers of cybersecurity solutions. Therefore, we are thrilled to announce that Cyber Defense Magazine has now opened the Global InfoSec Awards for 2022, with nomination forms found at https://www.cyberdefenseawards.com
Finally, as promised, https://www.cyberdefenseprofessionals.com/ will be coming out of beta this month and very soon, we'll announce over 2,000 infosec job openings posted for infosec jobs at various Fortune 1000 companies.
Wishing you all success in your own cyber endeavours and staying one step ahead of the next threat.
Warmest regards,
Gary S. Miliefsky
Gary S. Miliefsky, CISSP®, fmDHS
CEO, Cyber Defense Media Group
Publisher, Cyber Defense Magazine
P.S. When you share a story or an article or information about CDM, please use #CDM and @CyberDefenseMag and @Miliefsky – it helps spread the word about our free resources even more quickly
@CYBERDEFENSEMAG
CYBER DEFENSE eMAGAZINE
Published monthly by the team at Cyber Defense Media Group and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.
PRESIDENT & CO-FOUNDER
Stevin Miliefsky
stevinv@cyberdefensemagazine.com
InfoSec Knowledge is Power. We will always strive to provide the latest, most up to date FREE InfoSec information.
From the International Editor-in-Chief…
Internationally, we're finding ransomware attacks on the rise, once again. Also, DDoS attacks are back.
It will be very interesting to find out who is behind the massive and prolonged Distributed Denial of Service (DDoS) attack that hit the Philippine human rights alliance Karapatan. The 25-day-long DDoS attack against the website of Karapatan was launched from almost 30,000 IP addresses.
One third of the addresses originated from devices that were not running "Open Proxies" or "Tor exits". Identifying this mysterious part of the botnet turned out to be a fascinating research and digital forensics challenge. The traces led us to an Israeli firm offering access to millions of proxies in mobile operators, data centres and residential buildings, a perfect infrastructure to hide the source of DDoS attacks.
I continue to research this and will have news about it on CDM's website shortly.
As always, we encourage cooperation and compatibility among nations and international organizations in responding to these cybersecurity matters.
Finally, I believe at some point soon we should stop waiting and start pushing for a Cyber Geneva Convention, so the internet becomes a less hostile place for bad actors on nation-state cyberwarfare activities.
To our faithful readers, we thank you,
Pierluigi Paganini
International Editor-in-Chief
INTERNATIONAL EDITOR-IN-CHIEF & CO-FOUNDER
Pierluigi Paganini, CEH
Pierluigi.paganini@cyberdefensemagazine.com
US EDITOR-IN-CHIEF
Yan Ross, JD
Yan.Ross@cyberdefensemediagroup.com
ADVERTISING
Marketing Team
marketing@cyberdefensemagazine.com
CONTACT US:
Cyber Defense Magazine
Toll Free: 1-833-844-9468
International: +1-603-280-4451
SKYPE: cyber.defense
http://www.cyberdefensemagazine.com
Copyright © 2021, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a)
276 Fifth Avenue, Suite 704, New York, NY 10001
EIN: 454-18-8465, DUNS# 078358935.
All PUBLISHER rights reserved worldwide.
Gary S. Miliefsky, CISSP®
Learn more about our founder & publisher at:
http://www.cyberdefensemagazine.com/about-our-founder/
9 YEARS OF EXCELLENCE!
Providing free information, best practices, tips and techniques on cybersecurity since 2012, Cyber Defense Magazine is your go-to source for Information Security. We're a proud division of Cyber Defense Media Group (CDMG): B2C Magazine, B2B/B2G Magazine, TV, Radio, Awards, Professionals, Webinars.
Welcome to CDM's September 2021 Issue
From the U.S. Editor-in-Chief
We've begun to turn a corner. Key team members headed out to Black Hat USA 2021, including Olivia Gallucci as our Cybersecurity Reporter for Cyber Defense Magazine and the winner of CDM's 2021 Women in Cybersecurity scholarship. She is studying Computing Security and Computer Science at Rochester Institute of Technology. She did a fabulous job documenting her findings on the trade show floor with three very well written articles you'll find inside this edition.
While the turnout was not like pre-COVID-19, we hope it's a growing trend and that RSA Conference 2022 will continue the trend for what's so important to us humans: in-person social interaction. There's no virtual experience that can replace a handshake and a sit-down gathering where experts share ideas and mingling with like-minded infosec professionals is most enjoyable.
We always like to look ahead and project tomorrow being a better day for cybersecurity. Right around the corner next month is Cybersecurity Awareness Month, so many infosec vendors are already gearing up with their thoughts and ideas on how to turn the ransomware, cloud threats and work-from-home attacks around.
We at Cyber Defense Magazine also attempt, each month, to be most valuable to our readers by keeping current on emerging trends and solutions in the world of cybersecurity. To this end, we commend your attention to the valuable information provided by our expert contributors.
Wishing you all success in your cybersecurity endeavors,
Yan Ross
U.S. Editor-in-Chief
Cyber Defense Magazine
About the US Editor-in-Chief
Yan Ross, J.D., is a Cybersecurity Journalist & U.S. Editor-in-Chief of Cyber Defense Magazine. He is an accredited author and educator and has provided editorial services for award-winning best-selling books on a variety of topics. He also serves as ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist® XV CITRMS® course. As an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, privacy, and cyber security for consumers and organizations holding sensitive personal information. You can reach him by e-mail at yan.ross@cyberdefensemediagroup.com
Gold Optis: Most Innovative and Socially Conscious Technologies at Black Hat
By Olivia Gallucci, Cybersecurity Reporter, Cyber Defense Magazine
I interviewed approximately sixty industry leaders from over forty companies who attended Black Hat. Although this article series, The Optis, can be read as a traditional Black Hat recap, I specifically highlight twenty-one companies that stand out and whose growth I recommend watching.
Rochester Institute of Technology's cybersecurity club, RITSEC, inspired the metrics I used to analyze and rank companies. Specifically, I adopted RITSEC's motto, "Security Through Community," while examining each company's ability to promote social good, inclusion, and innovation inside and outside of the company. Furthermore, I referenced materials (public demos, open-source code, and publications) to determine the accuracy of each company's claims and the span of its communal reach, public contributions, and social good.
Given Cyber Defense Magazine's awarding of unicorns ("a private company with a valuation of over $1 billion" (UserGuiding)) and that Olympic sailing occurred during Black Hat, I created a conceptual framework, The Optis Series, to highlight innovative and socially conscious companies at Black Hat USA 2021. The Optis Series contains three articles: bronze, silver, and gold. The judging criteria I used for the Optis Series are listed at the end of this article.
Coalfire
Mark Carney, COO of Coalfire
Coalfire is known for its security compliance work, but that is not all it offers. Over the past two years, Coalfire's front-end security and pen-testing teams grew significantly and continue to grow in funding, hiring, and expertise. At present, Coalfire is an organically grown company employing approximately one thousand security professionals globally and plans to hire around three hundred people by the end of 2021.
Coalfire specializes in cloud infrastructure services, working with almost every international enterprise cloud infrastructure company. As a result, its products and services (pen-testing, architecture, design, management, compliance, and multi-cloud support) are shaped by how enterprises actually use the cloud. Coalfire continues to develop these areas; its teams in attack strategy, privacy and risk compliance, and cloud-focused services (pen-testing, engineering, and management) are expanding.
[Image: used with permission from Coalfire.]
Coalfire recently acquired two companies: Neuralys and Denim Group. Neuralys built its pen-testing management platform into an attack surface management framework that uses active and passive scanning to help clients identify new and existing vulnerabilities on their networks on an ongoing basis. In other words, Neuralys devised a way to continuously pen-test networks. Denim Group is a consulting firm specializing in pen-testing and application security; its platform, ThreadFix, aggregates application-specific vulnerability findings from over fifty databases and tools. ThreadFix consolidates test results and prioritizes vulnerabilities for clients, reducing remediation time by up to forty percent.
Learn more by reading Coalfire's 3rd Annual Penetration Risk Report and by exploring its Reddit page.
College students and faculty may be particularly interested in Coalfire because of its Richard E. Dakin Fund. The fund was created in honor of the late co-founder of Coalfire, Richard E. Dakin. It supports scholarship programs at several universities for promising college students studying cybersecurity and related fields.
Epiphany Systems
Rob Bathurst, Co-Founder and CTO at Epiphany Systems
Epiphany Systems is an offensive security company providing red team attack paths and solutions for clients' critical IT assets and users. It describes its platform as the first offensive cybersecurity platform designed to reduce Time-to-Context. Epiphany Systems spun out from Digitalware at the beginning of 2021. At present, Epiphany Systems has 22 employees and expects to hire approximately twelve people by 2022.
Epiphany Systems' platform works by analyzing clients' preexisting security data to construct attack paths. It then analyzes each attack path, the likelihood of exploitation, and the consequences if exploited, giving clients' security professionals a prioritized view of the vulnerabilities on the network. It also integrates with clients' existing security tools.
[Image: used with permission from Epiphany Systems.]
Its innovativeness stems from its Time-to-Context approach, which finds solutions for clients' needs within a specific context. For example, if an administrator can only access a document from one IP address, Epiphany Systems uses that knowledge to build attack paths showing how that document could actually be accessed. Bathurst explains, "It is difficult to automate generalized red teaming efficiently. Generalized human red teaming creates attack paths that tend to be sporadic and unique to a point in time. We find a target (i.e., an administrator) and work backward to create our attack path that is more precise."
Epiphany Systems intently integrates open-source software (OSS). Even better, Epiphany Systems<br />
contributes to OSS; Bloodhound is one of its favorites. Bathurst adds, "We contribute to OSS wherever<br />
we can. Much of what runs the internet started as small projects that never developed procedures to pass<br />
on development; This is not sustainable. Thus, Epiphany Systems assists OSS projects to ensure smooth<br />
transitions in new and pre-existing legacy projects."<br />
Given that the company is young, it is imperative to examine its future goals and developments. To<br />
answer this, Bathurst explains that "We have shown that we can analyze data in nonobvious ways.<br />
However, that does not mean there are not more possibilities. We want to discover even greater ways of<br />
analyzing data and explaining the impact of that data, especially to leaders outside of tech."<br />
Learn more by reading Epiphany Systems Launches into the <strong>Cyber</strong>security Market with Industry’s First<br />
Offensive Context-Aware Plat<strong>for</strong>m<br />
Lightspin
Vladi Sandler, Co-founder and CEO of Lightspin
Lightspin is a cloud security company using an offensive approach to detect cloud misconfigurations; it designed a platform to secure cloud and Kubernetes environments throughout the development cycle, simplifying cloud security for IT and DevOps teams. Dell and Ibex granted Lightspin $16 million in Series A funding, bringing total funding to date to $20 million.
Lightspin's platform detects all security risks on the network, and its innovativeness stems from its ability to prioritize the most critical issues and remediate them from build to run time. For example, Lightspin creates the Attack Path, an interactive diagram displaying clients' vulnerabilities and how each vulnerability affects other parts of their network. These charts were developed with the C-suite in mind, providing a simple and usable interface suitable for presentations and reports. Furthermore, Lightspin's platform uses data from previous attacks to correlate vulnerabilities with the repercussions if exploited.
Used with permission from Lightspin.
However, the company itself has notable qualities too. It demonstrates a thoughtful and inclusive workplace. Sandler stated that "Our goal is to build a healthy company. We promote diversity and inclusion, which is why we have been a gender-balanced company from the beginning. We found that our company growth, employee happiness, client satisfaction, and community involvement are all tightly linked, which is why we only promote growth from a healthy and ethical perspective." Most of all, Lightspin's open-source contributions and support of public initiatives are some of the most impressive in the Opti series.
Lightspin's GitHub repositories are well-documented and shared. Some of its notable projects include Red Kube, a red team K8S adversary emulation based on kubectl, and Red Shadow, an AWS IAM vulnerability scanner. Lightspin also developed Red Detector, which scans EC2 instances for vulnerabilities using Vuls. Furthermore, Lightspin's blog provides tutorials on how to use and contribute to its projects. These tutorials are great for any skill level and receive enthusiasm from users and contributors. Overall, Lightspin demonstrates technological innovation, creativity, professional excellence, and social responsibility. As a clear trendsetter and innovator in cybersecurity, I cannot wait to see how Lightspin's technology develops by the next Black Hat.
Learn more: CISO Talks: Choosing the Right Solution for Your Organization as a CISO, ft. Vladi Sandler, CEO at Lightspin
Syxsense
Ashley Leonard, CEO of Syxsense
Headquartered in southern California, Syxsense is a software as a service endpoint management and security software company. Syxsense specializes in combining IT and patch management with security vulnerability scanning, and now a full remediation capability using Syxsense Cortex, the company's workflow builder.
Syxsense's cloud-based platform allows clients to manage all of their endpoints and devices through drag-and-drop (DnD) workflow technology. Example actions include almost everything: patches, asset management, vulnerability scanning, software installations, and more. Clients can use and edit pre-built blocks and create new ones. Furthermore, clients can deploy actions to individual devices, sets of devices, or all devices. For example, a client could update all of the odd-numbered computers on their network or change the background to display a cat for all employees named "John."
Syxsense Cortex is a drag-and-drop workflow builder for building remediations to configuration errors and security vulnerabilities. Used with permission from Syxsense.
As a WordPress blogger, Syxsense's product resonated with me because of its simplistic workflow and customization. Its DnD security workflow reminds me of how bloggers use DnD blocks to create a website or post. Furthermore, Syxsense's ability to support any skill level is similar to how WordPress sticks with bloggers throughout their careers.
For example, new WordPress bloggers almost exclusively use DnD blocks. Over time, they learn how to customize blocks and how parts of the website interact (i.e., CSS and hosting configurations). Eventually, bloggers can create new blocks, build websites, fix bugs, and teach others. Skilled bloggers often publish custom blocks as code, add-ons, and templates, which creates an app-store atmosphere in WordPress.
Syxsense demonstrates similar possibilities in the security industry. Using Syxsense Cortex, clients can implement Syxsense's platform using premade blocks. Once employees learn how each block's settings interact with the network, they can customize blocks to fit their exact needs. Moreover, the transfer of skills from senior techies to new employees is seamless in this environment. I would not be surprised if its clients use its platform to teach security skills to employees or if security professionals make tutorials on custom blocks.
Watch Syxsense's demo on Vimeo.
Lastly, Syxsense scans clients' networks, proposes solutions, and displays potential exploit outcomes. In other words, Syxsense can fix vulnerabilities its platform detects, and best of all, clients can use DnD to resolve each issue.
Learn more: Syxsense Releases Two New Solutions for Remediating Endpoint Security Vulnerabilities
ThreatQuotient
Chris Jacob, Global VP of Threat Intelligence Engineers at ThreatQuotient
Another company I would look out for this year is ThreatQuotient, a modern data-driven security operations platform. The company has a rich history in problem-solving and social networking, arguably the two best things an organization could have. The company founders, developer Wayne Chiang and security operations officer Ryan Trost, noticed while working in a large security operations center (SOC) that data was not being shared and accessed efficiently. For example, workers on the 8 AM shift were not effectively collaborating with other shifts at their company, which led to unnecessary security testing. Chiang and Trost set out to fix this problem globally by creating a pure-play threat intelligence platform and an API that could be utilized across departments and organizations; this led to the founding of ThreatQuotient in 2013.
Used with permission from ThreatQuotient.
However, ThreatQuotient's intriguing history is not why I selected them as a Gold Opti. ThreatQuotient is a leading security company in extended detection and response (XDR) that examines intelligence and information security events to create a holistic picture of threats. The company's innovativeness comes from its API's integration with external products. Its mission is to integrate its API with as many platforms, products, and technologies as possible to promote long-term growth and diversification. Jacob explains that "If companies share knowledge of adversaries' attacks, techniques, and other intelligence, they could detect more hacks, although not necessarily prevent them. We created a data-driven automation and data-sharing tool that can show what is happening with threats."
ThreatQuotient's founders and many of its employees have an open-source background. As a result, its platform integrates with clients' preexisting technologies, so they are not locked into a vendor. Furthermore, its MSSP and intelligence community encourage sharing and collaboration. Jacob stated, "We believe companies should share to advance the cybersecurity and intelligence community," which is illustrated by its membership in the Open Cybersecurity Alliance and contributions to OpenDXL.
I am looking forward to learning about the company's future developments, too. Jacob adds, "Currently, we are expanding in XDR, but we have always been in that sphere. What is interesting is that the security industry is pivoting to where ThreatQuotient has been and calling it XDR. As a result, we are a frontrunner in XDR technologies, and we are creating new technologies to improve our platform every day."
Learn more at ThreatQuotient's website.
Trend Micro
Jon Clay, VP of Threat Intelligence at Trend Micro
Since its founding in 1988, Trend Micro evolved from a family-run antivirus company to an international security organization. Trend Micro was the first company to implement internet and virtual machine scanning technologies. Its specialty is defending against zero-day and zero-hour threats.
I interviewed Jon Clay on Trend Micro's Cyber Risk Index (CRI) and on Trend Micro's latest products and publications that have impacted the security sphere. After four years of deployment through the Ponemon Institute, Trend Micro's CRI has mastered calculating clients' preparedness to defend against attacks. Its index spans from -10 (bad) to +10 (good) and helps C-level executives understand risks within their organization. In its 2021 distribution, CRI demonstrates that the preparedness to defend from cybersecurity risks has decreased globally.
Used with the permission of Trend Micro.
Trend Micro also progressed in the open-source sphere. One of their most famous open-source tools, Trend Micro Locality Sensitive Hashing (TLSH), has been publicly adopted by multiple antivirus firms. TLSH uses machine learning to identify files that are similar in nature. For example, if a file contains the text "oliviagallucci.com" and another file contains "oliviagalucci.com" (missing an l), then TLSH would generate two very similar hashes. Furthermore, Trend Micro partnered with Snyk, an open-source security company, to develop Cloud One, a scanner that detects malicious or vulnerable code in open-source repositories.
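To make the locality-sensitive property concrete, here is a small added example that is my own code and not Trend Micro's TLSH implementation: a 64-bit simhash over byte trigrams, compared against SHA-256 on the oliviagallucci.com / oliviagalucci.com pair from the text. The sample "files" are constructed, and the 16-bit variant threshold is an assumption chosen for the demo.

```python
"""Locality-sensitive hashing demo (added example, not Trend Micro code).

TLSH itself is a more elaborate digest; this is a small simhash over byte
trigrams that exhibits the same property the text describes: a one-character
edit ("oliviagallucci.com" -> "oliviagalucci.com") leaves the digest almost
unchanged, whereas SHA-256 changes roughly half of its bits.
"""
import hashlib

DIGEST_BITS = 64
NGRAM = 3


def _ngrams(data: bytes, n: int = NGRAM) -> list:
    """Overlapping byte n-grams; a very short input is itself the one feature."""
    if len(data) <= n:
        return [data]
    return [data[i:i + n] for i in range(len(data) - n + 1)]


def simhash(data: bytes) -> int:
    """64-bit simhash: every n-gram votes +1/-1 on each bit of the digest."""
    votes = [0] * DIGEST_BITS
    for gram in _ngrams(data):
        # Hash each feature independently so unrelated features vote at random.
        h = int.from_bytes(hashlib.blake2b(gram, digest_size=8).digest(), "big")
        for bit in range(DIGEST_BITS):
            votes[bit] += 1 if (h >> bit) & 1 else -1
    digest = 0
    for bit, v in enumerate(votes):
        if v > 0:
            digest |= 1 << bit
    return digest


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two integers."""
    return bin(a ^ b).count("1")


def simhash_distance(a: bytes, b: bytes) -> int:
    """0 means identical digests; 64 means every bit differs."""
    return hamming(simhash(a), simhash(b))


def sha256_distance(a: bytes, b: bytes) -> int:
    """Bit distance of the SHA-256 digests (out of 256), for comparison."""
    ha = int.from_bytes(hashlib.sha256(a).digest(), "big")
    hb = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return hamming(ha, hb)


def find_variants(known: bytes, candidates: dict, threshold: int = 16) -> set:
    """Defender-side triage: names of candidates whose digest lies within
    `threshold` bits of a known sample's digest (likely variants of it).
    The threshold is an assumption for this demo, not a TLSH parameter."""
    reference = simhash(known)
    return {name for name, blob in candidates.items()
            if hamming(reference, simhash(blob)) <= threshold}


# Constructed sample "files" for the demo (not real malware or real data).
ORIGINAL = (
    b"[contact]\nauthor = Olivia Gallucci\nsite = https://oliviagallucci.com/\n"
    b"handle = @ivyhac\n[notes]\nReporter for Cyber Defense Magazine; "
    b"Computing Security and Computer Science student at RIT; Free and Open "
    b"Source Software advocate and Linux enthusiast.\n"
)
# The same file with one character missing in the domain, as in the text above.
VARIANT = ORIGINAL.replace(b"oliviagallucci.com", b"oliviagalucci.com")
# A constructed file that shares no meaningful content with the original.
UNRELATED = (
    b"q7Zx2Kp9Lm4Vn1Bw8Rt3Yu6Hs0Jd5Gf-Xc2Vb7Nm4Qw9Er1Ty6Ui3Op8As5Df0Gh"
    b"Jk2Lz7Xc4Vb9Nm1Qw6Er3Ty8Ui5Op0As7Df2Gh9Jk4Lz1Xc6Vb3Nm8Qw5Er0Ty7Ui"
    b"Op4As9Df1Gh6Jk3Lz8Xc5Vb0Nm7Qw2Er9Ty4Ui1Op6As3Df8Gh5Jk0Lz2Xc7Vb4Nm"
)


if __name__ == "__main__":
    print("simhash distance, original vs variant  :", simhash_distance(ORIGINAL, VARIANT))
    print("simhash distance, original vs unrelated:", simhash_distance(ORIGINAL, UNRELATED))
    print("sha256 bit distance, original vs variant:", sha256_distance(ORIGINAL, VARIANT))
    print("flagged as variants:",
          find_variants(ORIGINAL, {"variant": VARIANT, "unrelated": UNRELATED}))
```

The variant lands only a few bits from the original while the unrelated file sits near the 32-bit midpoint, which is why similarity digests can cluster malware families that cryptographic hashes treat as entirely distinct.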
Unlike many companies, it is clear that Trend Micro fosters a culture of openness and collaboration. Readers interested in learning about Trend Micro (open-source contributions, product development, or otherwise) have ample resources to explore its professionals' expertise and outlook at any point in its history.
Further reading: Trend Micro Demonstrates Threat Expertise at Virtual Black Hat USA 2021
For those interested in assisting with Trend Micro's open-source programs, Clay recommends contributing to its Zero Day Initiative, which consists of approximately ten thousand researchers globally who find vulnerabilities and bugs. The Zero Day Initiative helps clients develop intrusion prevention systems with an eighty-day protection period.
vArmour
Tim Eades, CEO of vArmour
vArmour is an Application Relationship Management company focusing on operational risk, application resiliency, and securing hybrid cloud environments. The company was founded in 2011 and created because many enterprises lacked the skills or resources necessary to analyze company networks. vArmour is backed by Highland Capital Partners, AllegisCyber, Redline Capital, Citi Ventures, and Telstra. vArmour's products help clients determine which security relationships are working and which are failing, and then help clients analyze those failing relationships and execute solutions.
vArmour is innovative in its technology and culture. It has experience with every industry, making its solutions very diverse. However, banks, telecommunications, and critical infrastructure companies are its primary clients. Eades describes vArmour's innovative culture well: "We are a very kind, humble, and smart company [that is] solving enterprise security problems from the inside out, as opposed to the outside in. vArmour is not just a detective. You find the problem, decide what you want to have happen, then control for those things with programming." In the Los Altos office, there is a mural with "Shoulder to Shoulder," symbolizing the golden rule with vArmour's twist. In Eades' words, "We do it together, and we do it as one."
Used with permission from vArmour.
vArmour also contributes to public forums, growing a supportive community around its projects. Eades states that "Thinking in public and sharing our ideas with the work and receiving feedback allows us to ensure our company is heading in the right direction morally and technologically." Moreover, vArmour assists clients using multiple licenses from legal, technical, and social perspectives.
Diana Nicholas, Marketing Engagement and Partner Associate at vArmour, performing at vArmour's live show. Used with permission from vArmour.
Lastly, vArmour shined at Black Hat this year. vArmour joined 13 other cybersecurity companies to create the live Security Leaders concert, with the Social Animals headlining and featuring performances including the band of Diana Nicholas, a Marketing Engagement and Partner Associate at vArmour. However, this is a common practice at vArmour. The company loves promoting "breakout moments" for its employees and up-and-coming musicians. For example, vArmour has an annual tradition of hiring up-and-coming musicians for a live show. Eades is very proud to note that they even hired Royal Blood before they were famous. Overall, I was blown away by the enthusiasm and support of this team, and I look forward to following vArmour's technical and cultural growth.
Learn more at vArmour's website.
Judging Criteria
Sailing is similar to cybersecurity in that social, technical, and economic barriers often prevent beginners from joining. However, some companies and leaders strive to alleviate these barriers.
For example, Clark Mills and Major Clifford McKay created the Optimist Dinghy (Opti) to ease financial and age barriers to sailing (The Optimist Dinghy 1947-2007, 2013). The Opti design was so successful that it became one of the most popular sailboats globally and has introduced millions to sailing.
Similar to Mills and McKay's progress in sailing, the companies recognized by the Optis Series have significantly improved their community and industry. The Optis Series highlights cybersecurity companies' innovation and ability to address social, technical, and economic barriers. Furthermore, the definition of an optimist, "a person who is inclined to be hopeful and to expect good outcomes," represents the outlook of cybersecurity if these trends continue (Merriam-Webster, 2021).
Here are the judging criteria:
- Highly differentiated and innovative by offering a unique product, technology, or technique.
- Demonstrates company growth, ideally supported by numerical data like funding and sponsorship, acquisitions, and hiring trends.
- Active external enthusiasm and press.
- Practices embodied by "Security Through Community," such as inclusion initiatives and a supportive company culture.
- Socially conscious contributions that are easily proved or demonstrated (i.e., open-source code, publications, blogs, events, and licensing choices).
Bronze companies fit into one or two categories, while silver companies demonstrated three or four; gold companies exemplified all five. All companies, however, epitomized their awarded categories enough to deserve substantial recognition for their efforts.
I was very flexible with my interviews, and I did my best to create a holistic picture of each company's values and technologies. I also cited evidence whenever possible through public numerical data, blog posts, reports, publications, and product demos. Read the full criteria here.
About the Author
Olivia Gallucci is a Cybersecurity Reporter for Cyber Defense Magazine and the winner of CDM's 2021 Women in Cybersecurity scholarship. She is studying Computing Security and Computer Science at Rochester Institute of Technology.
She is a Free and Open Source Software advocate and Linux enthusiast.
Olivia can be reached online here at CDM and at https://oliviagallucci.com/ and @ivyhac and https://www.linkedin.com/in/olivia-gallucci/
Silver Optis: Innovative and Socially Conscious Technologies at Black Hat
By Olivia Gallucci, Cybersecurity Reporter, Cyber Defense Magazine
I interviewed approximately sixty industry leaders from over forty companies who attended Black Hat. Although this article series, The Optis, can be read as a traditional Black Hat recap, I specifically highlight twenty-one companies that stand out and whose growth I recommend watching.
Rochester Institute of Technology's Cybersecurity Club, RITSEC, inspired the metrics I used to analyze and rank companies. Specifically, I adopted RITSEC's motto, "Security Through Community," while examining each company's ability to promote social good, inclusion, and innovation inside and outside of the company. Furthermore, I referenced materials (public demos, open-source code, and publications) to determine the accuracy of the company's claims and the span of its communal reach, public contributions, and social good.
Given Cyber Defense Magazine's awarding of unicorns ("a private company with a valuation of over $1 billion") and that Olympic sailing occurred during Black Hat, I created a conceptual framework, The Opti Series, to highlight innovative and socially conscious companies at Black Hat USA 2021 (UserGuiding). The Opti Series contains three articles: bronze, silver, and gold. You can learn about the judging criteria I used for the Opti Series here or scroll to the end of this article.
CyberGRX
Dave Stapleton, CISO of CyberGRX
CyberGRX is a software as a service company using a varied source of data to manage and analyze third-party security risks. Specifically, CyberGRX uses an exchange model of data to provide organizations with a dynamic stream of third-party data and advanced analytics so clients can efficiently manage, monitor, and mitigate risk in their partner ecosystems. Its goal is to connect every company with the exchange system to increase global understanding of third-party risk inheritance and promote the disclosure of security risks in business agreements.
The exchange model is CyberGRX's innovative key. Its platform is the largest risk exchange platform globally and contains thousands of risk assessments, allowing organizations to quickly identify which third parties pose the highest cyber risk and help those third parties and organizations alike focus their resources on critical areas. Thus, CyberGRX's clients gain a better understanding of third-party assessment data, enabling them to derive logical risk insights, make informed business decisions, and save thousands of hours spent on assessment chasing.
3D depiction of a third-party ecosystem demonstrating the interconnectedness of organizations today. Used with permission from CyberGRX.
CyberGRX provides visibility into clients' third-party ecosystems, so they can determine which third parties are missing the controls needed to respond to emerging threats like ransomware and extortionware. Its analysis promotes accountability and shared responsibility by allowing third-party risks to become a first-party responsibility. When companies know their third parties are vulnerable, they can help those parties with remediating vulnerabilities in critical areas. CyberGRX's mission promotes knowledge and growth in cybersecurity, and its platform provides new security insights which have not been available before.
Digital Shadows
Alastair Paterson, CEO and Co-Founder of Digital Shadows
Founded in 2011, Digital Shadows focuses on digital risk and threat intelligence. It specializes in identifying data loss like intellectual property, customer data, and credentials. Digital Shadows created one of the largest credential databases globally, hosting over 25 billion entries. Digital Shadows' sales increased over fifty percent from last year, and it expects to hire around twenty employees by the end of 2021.
Digital Shadows' platform alerts clients of data leakages on code-sharing sites like GitHub, GitLab, and Bitbucket. These leakages often stem from things like accidentally publishing code and leaving keys open. It also can detect when file stores are accidentally shared (i.e., Amazon S3 buckets).
Used with permission from Digital Shadows.
Lastly, Digital Shadows can detect brand impersonations. For example, oliviagallucci.com is my website; if an adversary created oliviagalucci.com (one l), Digital Shadows would disclose the event to me. Its platform can also detect fake apps and social media profiles.
Used with permission from Digital Shadows.
Digital Shadows uses multiple open-source tools; Spring Framework, Guava, Terraform, Apache HBase, and Jenkins are a few notable ones. Paterson stated that "Digital Shadows began open-sourcing some of its projects after our security research team discussed how we could give back to the community." One of Digital Shadows' notable repositories is Orca, an asset discovery tool. Paterson continued, "One of our goals is to integrate into the open-source community to foster collaboration and constructive feedback," and Digital Shadows is well on its way to achieving this goal.
ExtraHop<br />
Jeff Costlow, CISO of ExtraHop<br />
ExtraHop is a network detection and response (NDR) provider, helping organizations secure<br />
environments and implement threat protections. ExtraHop specializes in detecting lateral movement and<br />
increasing the effectiveness of high-speed networks. Its goal is to bridge the gap between SIEM and EDR<br />
across client networks to help organizations detect and respond to advanced threats.<br />
<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2021</strong> <strong>Edition</strong> 50<br />
Copyright © <strong>2021</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.
ExtraHop DNS LAM. Permission to use from ExtraHop.<br />
ExtraHop's innovation stems from its Reveal(x) 360, a software as a service plat<strong>for</strong>m utilizing cloud-scale<br />
artificial intelligence to analyze adversaries in real-time. Reveal(x) 360 works at the network level and<br />
analyzes up to 100 Gbps. Furthermore, ExtraHop's behavioral network analytics detect approximately<br />
1500 high-risk threats per month, including supply chain attacks, APTs, and Zero Days. Reveal(x) 360 is<br />
able to decrypt traffic to provide complete visibility and enable deep <strong>for</strong>ensics investigations. Reveal(x)<br />
360 also can see activity without being detected, so bad actors don’t even know that they are being<br />
watched. This is an important part of ExtraHop’s NDR solution, given that recent highly sophisticated<br />
attacks like SolarWinds SUNBURST have brought awareness to the fact that hackers are learning to<br />
evade traditional security methods and tools.<br />
<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2021</strong> <strong>Edition</strong> 51<br />
Copyright © <strong>2021</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.
ExtraHop overview. Permission to use from ExtraHop.<br />
ExtraHop regularly contributes cyber threat data and anonymized threat intel identified via its platform to the security community. Key contributions include ExtraHop's research on the techniques used in the SolarWinds Sunburst attack to evade detection, as well as the company's research on connected devices during Covid-19. ExtraHop also contributed to the latest version of the MITRE ATT&CK Framework and Knowledge Base, which now includes the latest developments in network detection and response methodologies. By sharing the growing body of network attack behaviors in the MITRE ATT&CK framework, security teams are now better equipped to detect and respond to advanced threats as they integrate NDR into their security operations. The MITRE ATT&CK framework is natively integrated into the ExtraHop Reveal(x) 360 interface, which further helps security professionals detect the latest tactics, techniques and procedures being used by adversaries on their networks. ExtraHop's security research team regularly shares threat briefs, which are immediately available to customers via the product and also published publicly on ExtraHop's blog.
Learn more: Why Cyber Defense Needs Software Behavior Transparency by Ben Higgins, Distinguished Software Engineer at ExtraHop
GuidePoint Security
Tony Cook, Head of Threat Intelligence
Mark Lance, Senior Director of Cyber Defense
Victor Wieczorek, VP of Application Security and Threat & Attack Simulation
GuidePoint Security is a pure-play security consulting and management company. It has spread from its east coast beginnings to expand across most of the United States. GuidePoint's focus is solving complex problems from a consultative approach. Its innovativeness stems from its unique company model: GuidePoint Security provides cybersecurity solutions and services through a localized team within each region, with additional teams providing capabilities across the entire nation.
Unlike many companies, GuidePoint Security does not promote sponsored products because it is not a vendor. GuidePoint Security endorses quality products to ensure productivity and client satisfaction. GuidePoint Security is heavily involved in the open-source community and prides itself on its communal outreach and diverse solutions. OSS is built into or surrounds most of its tools, and as a result, its teams have become effective contributors, analyzers, and creators of OSS. One of its notable projects is RedCommander, a red team infrastructure complete with redirectors and basic domain fronting. GuidePoint Security also contributes to open-source communities such as Velociraptor, BloodHound, MISP, and others.
GuidePoint employs approximately five hundred security professionals and expects to hire around one hundred people within the following year. For those interested in working with GuidePoint Security, the senior leaders stated that "we want people who are hungry to learn, care about the quality of their work, and are passionate about security in their free time." In the future, GuidePoint Security is focusing on developing automation and productivity tools to ensure that "smart people are doing smart things."
Follow GuidePoint Security on LinkedIn here.
NTT
Setu Kulkarni, VP of Corporate Strategy & Business Development
Bruce Snell, VP of Security Strategy and Transformation
NTT is a global technology services company. As a global information and communications technology provider, the company employs about fifty thousand people across 57 countries. I interviewed two NTT executives—Setu Kulkarni and Bruce Snell—about their team's latest developments.
Learn more: NTT's Virtual Reality SOC Tour
NTT's Security Division functions as a managed security services provider (MSSP), supplying talented professionals and diverse vendor relationships to its clients so that they can focus on running the business and leave everything from security operations to threat monitoring and intelligence to incident response to their NTT team. Furthermore, around forty percent of internet traffic runs through NTT, which gives its specialists unmatched expertise in malicious traffic and vulnerability analysis. Bruce describes it as "watching the weather patterns of cybersecurity."
NTT's Application Security (AppSec) team utilizes an innovative consumption model, factoring in clients' budget and regulatory needs; it offers an AppSec platform, technical expertise, and training. Its AppSec platform helps clients detect, track, and remediate vulnerabilities on all of their devices. NTT's AppSec team also tracks open-source software (OSS) vulnerabilities and assists clients with OSS remediation. When OSS vulnerabilities are particularly problematic, NTT proposes remediations to the original OSS project.
Olivia Gallucci (CDM) interviewing NTT execs, Setu Kulkarni and Bruce Snell, at the 2021 Black Hat Conference. Permission to use from NTT.
NTT also shares its intel, giving back to the community. For example, the Security Division publishes its threat landscape findings in monthly threat reports and the annual Global Threat Intelligence Report. The August report notes that, for the last few years, ransomware held a steady 3-4% share of all detected malware, according to NTT's Global Threat Intelligence Report. In 2020, this rose to about 6% (a nearly 50% increase), and ransomware activity has since increased exponentially in 2021. If this rate of incident occurrence continues, ransomware can be expected to reach 12% of all detected malware before the end of 2021. That may not seem like a significant statistic, but it represents millions of detections and could indicate a total increase of about 300% over the last two years, or even as much as one attack every 11 seconds.
The AppSec team does something similar in its AppSec Stats Flash Report, a monthly state-of-application-security update. Furthermore, NTT contributes to CVE databases and is a member of the Cloud Security Alliance and Cyber Threat Alliance.
Read NTT's August 2021 Threat Report here.
OneSpan
Will LaSala, Director of Security Solutions and Security Evangelist at OneSpan; Official Member of the Forbes Technology Council
OneSpan is a digital banking, security, and electronic signature company founded in 1991. Its most innovative technologies involve mobile clients, specifically application hardening. OneSpan's Mobile Application Shielding platform can lock specific apps so that the phone will keep working even if one app gets hacked. Furthermore, the platform allows clients to analyze mobile devices and corresponding servers simultaneously. OneSpan's central goal is to ensure that clients' employees can detect and harden insecure applications and devices.
Permission to use from OneSpan.
OneSpan also contributes to the open-source community. OneSpan uses its contributions to multiple crypto libraries to receive feedback and promote transparency. In LaSala's words, "We value the open-source communities' support for security and feedback purposes. Releasing code to the public also protects the security community against hijacked open-source libraries." Overall, OneSpan's contributions to one-time password and cryptography projects exemplify its dedication to security and communal growth.
Learn more by reading OneSpan's Global Financial Regulations Report and listening to the UserFriendly 2.0 podcast, episode Black Hat 2021 and Rodeo.
Qualys
Sumedh Thakar, CEO of Qualys
Qualys is a software as a service company founded in 1999; it offers cloud-based security solutions in the fragmented security industry. The company has strategic partnerships with leading cloud providers, managed services providers, and consulting firms, including Amazon, Microsoft, Google, Accenture, IBM, Infosys, NTT, and Verizon.
Used with permission from Qualys.
Qualys' innovativeness stems from its ability to make security efficient, cost-effective, and scalable, offering solutions for almost every security concern. Qualys provides a one-stop solution, consolidating pre-existing technologies into a simple and easy-to-use platform.
Qualys built its backend and highly scalable platform by leveraging OSS and in-house technology. Furthermore, Qualys uses OSS to improve security event monitoring, tracking 2.5+ billion messages on Kafka and 8 trillion data points on Elasticsearch daily. In Thakar's words, "You can leverage open-source technology to build massive-scale platforms; Qualys is a great example of that. As a result, we are continually increasing our public contributions, especially in the OSS community."
Learn more: Qualys at Black Hat USA 2021
Judging Criteria
Sailing is similar to cybersecurity in that social, technical, and economic barriers often prevent beginners from joining. However, some companies and leaders strive to alleviate these barriers.
For example, Clark Mills and Major Clifford McKay created the Optimist Dinghy (Opti) to ease financial and age barriers to sailing (The Optimist Dinghy 1947-2007, 2013). The Opti design was so successful that it became one of the most popular sailboats globally and has introduced millions to sailing.
Similar to Mills and McKay's progress in sailing, the companies recognized by the Opti Series have significantly improved their community and industry. The Opti Series highlights cybersecurity companies' innovation and ability to address social, technical, and economic barriers. Furthermore, the definition of an optimist, "a person who is inclined to be hopeful and to expect good outcomes," represents the outlook of cybersecurity if these trends continue (Merriam-Webster, 2021).
Here are the judging criteria:
- Highly differentiated and innovative by offering a unique product, technology, or technique.
- Demonstrates company growth, ideally supported by numerical data like funding and sponsorship, acquisitions, and hiring trends.
- Active external enthusiasm and press.
- Practices embodied by "Security Through Community," such as inclusion initiatives and a supportive company culture.
- Socially conscious contributions that are easily proved or demonstrated (e.g., open-source code, publications, blogs, events, and licensing choices).
Bronze companies fit into one or two categories, while silver companies demonstrated three or four; gold companies exemplified all five. All companies, however, epitomized their awarded categories enough to deserve substantial recognition for their efforts.
I was very flexible with my interviews, and I did my best to create a holistic picture of each company's values and technologies. I also cited evidence whenever possible through public numerical data, blog posts, reports, publications, and product demos. Read the full criteria at https://oliviagallucci.com/judgingcriteria-for-the-opti-series/
About the Author
Olivia Gallucci is a Cybersecurity Reporter for Cyber Defense Magazine and the winner of CDM's 2021 Women in Cybersecurity scholarship. She is studying Computing Security and Computer Science at Rochester Institute of Technology.
She is a Free and Open Source Software advocate and Linux enthusiast. Olivia can be reached online here at CDM and at https://oliviagallucci.com/ and @ivyhac and https://www.linkedin.com/in/olivia-gallucci/
Bronze Optis: Innovative Technologies at Black Hat
By Olivia Gallucci, Cybersecurity Reporter, Cyber Defense Magazine
I interviewed approximately sixty industry leaders from over forty companies who attended Black Hat. Although this article series—The Optis—can be read as a traditional Black Hat recap, I specifically highlight twenty-one companies that stand out and whose growth I recommend watching.
Rochester Institute of Technology's Cybersecurity Club, RITSEC, inspired the metrics I used to analyze and rank companies. Specifically, I adopted RITSEC's motto, "Security Through Community," while examining each company's ability to promote social good, inclusion, and innovation inside and outside of the company. Furthermore, I referenced materials—public demos, open-source code, and publications—to determine the accuracy of the company's claims and the span of its communal reach, public contributions, and social good.
Given Cyber Defense Magazine's awarding of unicorns ("a private company with a valuation of over $1 billion") and that Olympic sailing occurred during Black Hat, I created a conceptual award—Optis—in three ranks: bronze, silver, and gold (UserGuiding). You can learn about the judging criteria I used for this award here or scroll to the end of this article.
Axis Security
Dor Knafo, Co-Founder and CEO of Axis Security
Gil Azreilant, Co-Founder and CTO of Axis Security
Axis Security offers a secure access service edge, protecting organizations by analyzing application-layer traffic. Clients use its software and cloud platform in tandem to monitor company networks. Its software handles client services and resource access by informing the client when access is unexpected or discouraged.
Axis Security built its technology in-house to streamline policy and vendor relationships. Its solutions include secure partner access for third parties, mergers and acquisitions, cloud migration, and enabling remote work environments. Axis Security's most innovative technology is its cloud-based VPN replacement, Application Access Cloud. The platform provides its clients an easy and safe connection to any device without ever touching the clients' apps or networks.
Axis Security exemplifies global citizenship by leveraging open-source works and contributing to open-source communities. One of the open-source projects Axis Security uses and contributes to is WireGuard, an open-source virtual private network.
Learn more: Dark Reading News Desk talks to Axis Security
CyberSaint
Padraic O'Reilly, Co-Founder and CPO of CyberSaint
CyberSaint is a software as a service company securing critical infrastructure and other highly regulated industries. Its goal is to understand customers' cybersecurity risk profiles to prevent future attacks. CyberSaint created the CyberStrong Platform, an automated solution that continuously analyzes real-time telemetry to perform compliance and risk assessments across standards such as NIST, CIS20, NERC-CIP, and many others. CyberStrong allows clients to make better business decisions by ranking their risk and compliance posture internally, geographically, and industry-wide. Its creativity draws from its ability to take regulatory regimes used in governance, risk and compliance and implement those standards across a risk management program in a way that enables cybersecurity resilience. It does this through its patented natural language processing (NLP) technologies, intuitive user interface, and executive reports.
CyberSaint's Risk Register. Used with the permission of CyberSaint.
CyberSaint analyzes all types of data sources—feeds, proprietary and open-source intelligence, and threat information—with its NLP to optimize system hardening. CyberSaint uses its NLP technology to leverage telemetry from applications, creating static mappings to controls by implementing the application and dynamic mappings to controls based on data feeds. This NLP is also used to automate crosswalks, using a customer's existing control scores to fulfill requirements across any set of frameworks or standards within seconds in an "assess once, use many" fashion. Furthermore, CyberStrong helps clients understand their overall cyber risk and compliance posture, strategy, and security.
CyberSaint's contributions to the community include the Making Space in Cybersecurity pledge, pro bono consulting to Massachusetts-based non-profits, and gifting no-cost annual licenses to its healthcare customers amid the COVID-19 crisis.
Mimecast
Jeremy Ventura, Senior Security Strategist at Mimecast
Founded in 2003, Mimecast is a leading email security company. Mimecast combined patented, in-house solutions with external vendor data to create a super solution to detect malicious emails. Its email security solution stops malicious emails from entering or leaving client networks. Additionally, its email security solution is customizable to fit client needs, culture, and threats.
Mimecast is headquartered in the United Kingdom and employs over 1800 security professionals globally. Furthermore, Mimecast is rapidly growing, expecting to hire approximately six hundred employees by the end of the fiscal year 2022.
Although Mimecast does not contribute to the open-source community or endorse external open-source software, it publicly releases its monthly threat proofing report. Furthermore, Mimecast publicly releases its annual state of email security report, which uses survey results from its forty thousand customers and C-level executive interviews. One of Mimecast's most intriguing findings was that two-thirds of organizations admitted they had an email security incident that led to a ransomware attack, and that 52 percent of those organizations paid the ransom.
Further reading: Mimecast's 2021 The State of Email Security Report.
Nuspire
Jyothish (JV) Varma, VP of Product Management at Nuspire
Nuspire is a managed security services provider (MSSP) founded in 1999. Like most MSSPs, Nuspire provides detection, prevention, and response services. However, Nuspire extends traditional remediation practices; it prevents future attacks via proactive and continual system tuning. Other notable practices include Nuspire's human-only technical support and fast onboarding.
Nuspire's platform was built in-house, using open-source components. Although Nuspire does not deliver open-source software to its clients, it collaborates with open- and closed-source vendors to provide clients with a holistic intelligence landscape.
Used with the permission of Nuspire.
Unlike many MSSPs, Nuspire offers clients the ability to automate responses inside multiple portals, allowing clients to use familiar technologies. Furthermore, Nuspire draws insights across platforms (e.g., SentinelOne, Carbon Black, and CrowdStrike) to ascertain the importance of vulnerabilities and intelligence. Nuspire will continue to add more vendor platforms, using market analytics and client feedback to determine which platforms it adds next.
Watch Nuspire's Black Hat webinar here or read about one of Nuspire's publications at Black Hat: Nuspire Launches New Managed Endpoint Detection and Response (EDR) Service That Supports Leading EDR Technology Providers Including Carbon Black, SentinelOne, and Others.
ThreatX
Gene Fay, CEO of ThreatX
Founded in 2014, ThreatX is a Web Application and API Protection (WAAP) security company that offers solutions at each layer of the Open Systems Interconnection model. ThreatX offers solutions across web applications and APIs: Web Application Firewalls (WAFs), API security, bot management, and DDoS protection.
ThreatX's most innovative technology is its automated WAF. ThreatX acknowledged the constraints of non-automated WAFs (i.e., WAFs that use fine-grained rules), which generate false negatives and false positives. Fay explained, "Web applications and APIs are under constant assault by highly sophisticated threat actors and techniques. The ThreatX WAAP combines dynamic web application and API security into a single platform, providing actionable insights to reduce vulnerabilities and prevent future attacks." For example, ThreatX can quickly detect if an API or resource is exposed and alert clients to the issue at the time of occurrence. This timeliness reduces accidental leakage and future breaches.
Read about ThreatX's press release—ThreatX Announces API Catalog to Provide Enterprises a Clear View of Attack Surface—published at Black Hat.
Trustwave
Darren Van Booven, Lead Principal Consultant at Trustwave; former CISO of the United States House of Representatives
Trustwave is a global managed threat detection and response (MDR) and managed security services (MSS) company that protects SMBs and enterprises around the world from advanced cyber threats. The Trustwave Fusion Platform is a cloud-based XDR platform that serves as the foundation for the company's managed security services, products, and other cybersecurity offerings. Trustwave particularly excels in protecting organizations operating across the cloud, databases, operational technologies, and the supply chain. It also has leading consulting and professional services, digital forensics, and incident response teams. With the surge in ransomware over the past year, Trustwave has seen a 2x demand for its ransomware preparedness services.
Used with the permission of Trustwave.
Trustwave SpiderLabs is the company's expert research group that produces industry-recognized threat intelligence and frequently publishes reports on newly discovered vulnerabilities. SpiderLabs maintains ModSecurity, an open-source, cross-platform WAF engine for Apache, IIS, and Nginx. ModSecurity has a robust event-based rule language that protects against a range of attacks on web applications and allows for HTTP traffic monitoring, logging, and real-time analysis.
Trustwave Government Solutions, the wholly-owned subsidiary of Trustwave Holdings, Inc., recently announced it has joined the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Information Sharing and Collaboration Program (CISCP). The overall mission of CISCP is to build cybersecurity resiliency and to harden the defenses of the U.S. and its strategic partners through threat intelligence sharing. Trustwave is also an active contributor to the MITRE ATT&CK framework.
I cannot wait to see more developments out of Trustwave and its SpiderLabs research team. Trustwave's commitment to offering truly global security and thoughtfulness in its security research contributions are something to emulate.
Further reading: Trustwave Launches First-of-Its-Kind Cyber Supply Chain Risk Assessment Solution for the Pacific Region and Trustwave Recognized as a Top 10 MSSP by Cyber Defense Magazine
ZeroFox
Sam Small, CSO of ZeroFox
ZeroFox is a security company protecting client brands, reputations, and consumers. ZeroFox's specialty is tracking impersonation attempts—from individual to nation-state adversaries—by analyzing data on the clear and dark web.
ZeroFox was the first company in the social media protection space and has built many technologies within its platform using NLP and artificial intelligence. ZeroFox recently acquired two security organizations: Cyveillance and Vigilante.
ZeroFox's platform is customizable, timely, and scalable. Its clients receive direct access to its cloud-processing pipeline, where hundreds of customizable rules are pre-made, so clients can rely on ZeroFox's expertise or build solutions around specific policies and threats. Furthermore, ZeroFox's platform is able to test the effectiveness of specific threat mitigations by analyzing its clients' responses to identical threats. Overall, ZeroFox is one of the most riveting companies at Black Hat, and its specialization in protection and intelligence outside the firewall, including on social media and the deep and dark web, is something to follow.
Further reading: ZeroFox Launches New External Threat Hunting Module within Platform, Empowering Analysts with Direct Access to Full-Spectrum Threat Intelligence Data Lake
Awarding Criteria
Sailing is similar to cybersecurity in that social, technical, and economic barriers often prevent beginners from joining. However, some companies and leaders strive to alleviate these barriers.
For example, Clark Mills and Major Clifford McKay created the Optimist Dinghy (Opti) to ease financial and age barriers to sailing (The Optimist Dinghy 1947-2007, 2013). The Opti design was so successful that it became one of the most popular sailboats globally and has introduced millions to sailing.
Similar to Mills and McKay's progress in sailing, the companies recognized by the Opti Awards have significantly improved their community and industry. The Opti Award highlights cybersecurity companies' innovation and ability to address social, technical, and economic barriers. Furthermore, the definition of an optimist, "a person who is inclined to be hopeful and to expect good outcomes," represents the outlook of cybersecurity if these trends continue (Merriam-Webster, 2021).
Here are the judging criteria:
- Highly differentiated and innovative by offering a unique product, technology, or technique.
- Demonstrates company growth, ideally supported by numerical data like funding and sponsorship, acquisitions, and hiring trends.
- Active external enthusiasm and press.
- Practices embodied by "Security Through Community," such as inclusion initiatives and a supportive company culture.
- Socially conscious contributions that are easily proved or demonstrated (e.g., open-source code, publications, blogs, events, and licensing choices).
Bronze companies fit into one or two categories, while silver companies demonstrated three or four; gold companies exemplified all five. All companies, however, epitomized their awarded categories enough to deserve substantial recognition for their efforts.
I was very flexible with my interviews, and I did my best to create a holistic picture of each company's values and technologies. I also cited evidence whenever possible through public numerical data, blog posts, reports, publications, and product demos. Read the full criteria at https://oliviagallucci.com/judgingcriteria-for-the-opti-series/
About the Author
Olivia Gallucci is a Cybersecurity Reporter for Cyber Defense Magazine, and winner of CDM's 2021 Women in Cybersecurity scholarship. She is studying Computing Security and Computer Science at Rochester Institute of Technology.
She is a Free and Open Source Software advocate and Linux enthusiast. Olivia can be reached online here at CDM and at https://oliviagallucci.com/ and @ivyhac and https://www.linkedin.com/in/olivia-gallucci/
Looking Back at Executive Order on Cybersecurity and What it Means for Your Business<br />
By James Gorman, CISO of AuthX<br />
On May 12, 2021, President Biden issued an Executive Order focused on improving the nation's cybersecurity. This executive order strives to accomplish several important objectives for the United States’ approach to safeguarding its data and systems.<br />
1. Create a Zero Trust environment<br />
2. Manage the supply chain and its vulnerabilities<br />
3. Minimize barriers to intelligence sharing<br />
4. Create a Safety Review Board<br />
5. Create a standardized playbook for Incident Response<br />
The key outcomes for US cybersecurity procedures from this executive order include:<br />
1. Developing a Zero Trust environment. This insight can apply to any organization, regardless of industry or size. Incorporating just this one element will lead to the most effective tightening of security globally.<br />
A Zero Trust environment is one that has no implicit trust boundaries. The benefit of this approach is that it ensures we only allow authenticated and authorized people to access our applications and systems. This can look very different depending on the application, but inherently in this type of environment no person or system is implicitly trusted, and authentication and access rights must be verified at each access step.<br />
This component will ensure all access to systems run or used by the federal government involves Multi-Factor Authentication.<br />
2. Enhancing Supply Chain Security. This includes creating a way to track deployment and provenance within the software lifecycle. It will likely involve lots of new reporting and compliance related to making the software supply chain less vulnerable. This type of approach serves as an example of a system that can prevent large-scale cyber-attacks, such as the SolarWinds hack from late last year.<br />
Much of this new infrastructure will make it harder for smaller players because of the cost of keeping up with the various mandates. As the industry goes forward, we should consider how this may create barriers to entry for small software developers. Do we want to limit the availability of small software developers? How can the cost and complexity be minimized? Consideration for this needs to be a discussion topic as we advance.<br />
3. Improving Coordination and Sharing of Threat Information. The EO gives direction to improve the coordination and sharing of cyber threats between federal law enforcement, federal government agencies, IT contractors, cloud service providers, and industry. To make this happen, contract language will likely have to be renewed.<br />
While increased communication helps bolster cybersecurity, it comes with additional risks to mitigate. When sharing more information between intelligence agencies, law enforcement agencies, and corporations, the privacy rights of individuals and corporate intellectual property rights must be assured.<br />
4. Create a Safety Review Board. The EO creates a Safety Review Board, which is positive because it codifies an automatic review and “lessons learned” session. Performing lessons learned sessions is a crucial way to improve future outcomes. Bringing together Homeland Security and the Attorney General will create an environment where we can more easily bring the perpetrators of any cyber-attack to justice. However, the US needs to be careful to avoid this board overreaching - especially when it comes to citizens - and ensure civil liberties are protected.<br />
5. Standardize the Playbook for Vulnerabilities and Incidents. Having a go-to playbook is critical in the event of an incident or a breach. The unfortunate reality is that most cybersecurity branches of organizations are run worse than your child's hockey team. Your child's team has a playbook, they practice, and they play the game after practice. Most cybersecurity plans are sitting on a shelf somewhere in a binder, and are never tested or practiced.<br />
Having one playbook for the entire federal government is like the whole NFL having the same playbook – or maybe more like the NFL and all college football teams using the same playbook. The Agriculture Department plays in a far different environment from that of the Departments of Energy or Defense.<br />
Having a playbook and actively putting it into practice is much more critical than having conformity across organizations.<br />
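The per-request verification described under the Zero Trust outcome above, as an added example that is not part of the article or of AuthX's products: an HMAC-signed token (a stand-in for what an identity provider would issue), an MFA claim and a per-resource policy are checked on every request, and the caller's network address is deliberately never an input to the decision. The signing key, policy, roles and resource names are constructed.<br />

```python
# Added example (not from the article or from AuthX): a minimal per-request
# access check in the Zero Trust style the article describes. Every request
# is evaluated on a verified identity token, an MFA claim and a resource
# policy; the caller's network location is deliberately not an input.
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key and token lifetime; a real deployment would use an IdP.
SIGNING_KEY = b"demo-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 900

# Hypothetical policy: resource -> roles allowed, and whether MFA is required.
POLICY = {
    "payroll-db": {"roles": {"finance"}, "mfa": True},
    "wiki": {"roles": {"finance", "engineering"}, "mfa": False},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles: list, mfa: bool, now: float) -> str:
    """Mint an HMAC-signed token (stand-in for what an IdP would issue)."""
    claims = {"sub": subject, "roles": roles, "mfa": mfa, "iat": now}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: float):
    """Return the claims if signature and freshness check out, else None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:          # malformed token, bad base64 or bad JSON
        return None
    if now - claims.get("iat", 0) > TOKEN_TTL_SECONDS:
        return None
    return claims


def authorize(token: str, resource: str, source_ip: str, now=None) -> dict:
    """Decide one access request. source_ip is accepted only so the call
    signature mirrors a real gateway; it never grants or widens access."""
    now = time.time() if now is None else now
    rule = POLICY.get(resource)
    if rule is None:
        return {"allow": False, "reason": "unknown resource"}
    claims = verify_token(token, now)
    if claims is None:
        return {"allow": False, "reason": "invalid or expired token"}
    if rule["mfa"] and not claims.get("mfa"):
        return {"allow": False, "reason": "mfa required"}
    if not rule["roles"].intersection(claims.get("roles", [])):
        return {"allow": False, "reason": "role not permitted"}
    return {"allow": True, "reason": "ok", "subject": claims["sub"]}
```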
So, what does this executive order mean for your organization? For most companies - unless they are doing business with the government - little will directly affect us.<br />
But there are five main takeaways from this initiative that every company can and should implement:<br />
1) Create a Zero Trust environment.<br />
• Segment your business applications to minimize exposure to hostile actors.<br />
• Use a robust authentication system to ensure that whoever you allow into your network is who they say they are.<br />
2) Manage the software and operating system patching process.<br />
• Use automated tools and scheduled update times to do updates.<br />
• Follow the guidelines of the software developer to ensure that bugs are fixed in your environment ASAP.<br />
3) Create an open environment that will allow for free and rapid sharing of information.<br />
• Make it easy to report potential and actual threats to those who can mitigate these concerns.<br />
• Encourage the team to report or request assistance for any questionable emails, computer activity, etc.<br />
4) Do an after-action review on all incidents.<br />
• Record what went right.<br />
• Make sure you add unforeseen developments to the playbook.<br />
5) Create a playbook - an incident response plan.<br />
• Make it second nature for your team to take action when an issue arises.<br />
• Create a broad outline of how you want an issue handled.<br />
• Ensure you have all the contact points for the important people/organizations in the front of the book.<br />
Overall, the President's executive order provides a good overview of how to make our nation’s critical information systems more secure, with a lot of guidance and timelines. It also helps the government lead by example to illustrate what an enterprise can do to make itself more secure and enable a faster and more standardized response to cyber threats.<br />
As always – StayHackFree!<br />
About the Author<br />
James Gorman, CISO, AuthX<br />
James is a solutions-driven, results-focused technologist and entrepreneur with experience securing, designing, building, deploying, and maintaining large-scale, mission-critical applications and networks. Over the last 15 years, he has led teams through multiple FedRAMP, NIST, ISO, PCI, and HITRUST compliance audits. As a consultant, he has helped numerous companies formulate their strategy for compliance and infrastructure scalability. His previous leadership roles include CISO, VP of Network Operations & Engineering, CTO, VP of Operations, Founder & Principal Consultant, Vice President and CEO at GE, Epoch Internet, NETtel, Cable and Wireless, SecureNet, and Transaction Network Services.<br />
James can be reached online at james@authx.com, https://www.linkedin.com/in/jamesgorman/ and at our company website https://authx.com<br />
How Trustworthy is Your Cyber Defense?<br />
Make your cybersecurity spending pay off with added defense tactics and provider accreditation<br />
By Tom Brennan, Chairman, CREST USA<br />
Cyber criminals are branching out from the big guys, the Facebook-type large scale breaches, to small-to-medium-sized enterprises. A new global study by Analysys Mason shows SMBs are paying attention: it estimates SMBs spent $57 billion on cyber-security in 2020, and anticipates this figure hitting $90 billion in 2025. By nature, SMBs work with less security budget and staff. For SMBs, and even for companies with deep pockets, your cyber defense investment has to be just the first step in a powerful threat defense.<br />
The threat universe in which we do business today is an equal-opportunity one. The rise of ransomware-as-a-service and the ability to purchase malware on the dark web have lowered the barrier to entry and made cybercrime accessible to anyone. The result is that no sector or size of company can ignore these targeted or indiscriminate attacks.<br />
Understanding the Cyber Attacker<br />
This expanding threat climate makes it all the more important to understand what data is attractive to an attacker and to discover where your security weaknesses are so you can fix them before someone else finds and exploits them. The best way to discover where vulnerabilities lie is to simulate malicious attacks, from inside or outside of the organization, in order to see how easy it is to break into your network and steal valuable data or deny access to critical assets.<br />
The practice of this type of simulation is called penetration testing. Demand for this very skilled, technical, and clearly very sensitive investigation and analysis has risen rapidly. While penetration testing has traditionally been associated with government organizations and large financial institutions and corporations, it is now commonplace among medium-sized companies and the wider public sector.<br />
Verify Penetration Testing Knowledge<br />
Evaluating the trustworthiness of a third-party provider to conduct penetration testing has to be part of your improved threat defense. You need to have confidence and trust in how a specialist company that delivers this service handles and processes information and knowledge. Seek out an accreditation that will verify the level of knowledge, skill and competence of a provider in relation to penetration testing, cyber incident response and threat intelligence. This accreditation can also apply to individuals within your organization who are part of your security operations team. These accredited providers and individuals need to stay one step ahead of cyber criminals and be well versed in the tools and techniques used in the most sophisticated attacks.<br />
Another benefit of vetting your providers is the ability to tell your customers that their data is adequately protected and that you take cyber security seriously. While larger organizations may have more security staff, if you’re an SME, you have to do more with less, and you have fewer reserves with which to survive a costly cyberattack. A good practice is to explore what the baseline requirements for cyber hygiene in your organization are: what can’t you afford to lose in terms of data, a computer asset shutdown, or, in ecommerce, for example, a privacy breach of your customers’ information. This information needs to be integrated into your overall cyber defense, and a reputable provider should be able to give you a solid defense strategy for all items.<br />
In fact, it has been shown that organizations with a basic level of cyber hygiene have not been affected by random attacks such as WannaCry. Accreditation also helps you better leverage your investment. The Analysys Mason study also found investment in third-party, managed security services to represent the largest segment from 2020-2025, an estimated $30 billion at a 14% CAGR. Getting the most qualified providers and individuals makes sense, given the substantial projected spend.<br />
Evaluating Your SOC<br />
Despite best endeavors, it is impossible to be 100% secure. If your business does fall victim to a malicious cyber security incident, your immediate task is to act as quickly as possible to limit the impact and damage. An information Security Operations Center (SOC) is often the first line of defense, so there is increasing demand to ensure that it is operating effectively. The difficulty lies in how to make this assessment when you’re using third-party services. It is impossible to assess capability based on marketing material and almost impossible to assess capability through a procurement process. To help resolve this issue, it is possible to apply an accreditation process specifically to SOCs. This includes procedural audits, physical audits and technical assessments.<br />
Better Defense Benefits All<br />
With billions being spent on cyber defense, it is good economic policy to put that investment to the highest, most effective use. Using penetration testing, seeking formal accreditation of your security service providers, and having a very clear picture of your most critical threats will give you a more powerful and trustworthy security foundation.<br />
About the Author<br />
Tom Brennan is Chairman of CREST USA, an international not-for-profit accreditation and certification body that represents and supports the technical information security market. In this role, he works with government and commercial organizations to optimize the value of CREST as a cybersecurity accreditation body and industry standards advocate. Brennan also serves as an industry evangelist and educator on the value of using accredited cybersecurity products and professionals to improve consumer privacy, security and protections worldwide.<br />
New Report Reveals Traditional Anti-Malware Solutions Miss 74% of Threats<br />
By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies<br />
The threat landscape is an erratic and ever-evolving beast. While it knows no master, its behavior is broadly directed by the host of threat actors that pull on its reins from all corners of the world, constantly adapting their tactics and techniques to better sniff out points of weakness and infiltrate organizations. Businesses must stay up to date on the latest threat intelligence to understand their adversaries, bolster defenses and avoid falling prey. For this reason, the WatchGuard Threat Lab research team produces a quarterly security report detailing the latest malware and network attack trends based on anonymized data from tens of thousands of WatchGuard appliances deployed across the globe.<br />
The Threat Lab’s latest Internet Security Report reveals the highest level of zero-day malware detections we’ve ever recorded. In fact, evasive malware rates have actually eclipsed those of traditional threats, which is yet another sign that organizations must continue to evolve their defenses in order to stay ahead of increasingly sophisticated threat actors. The research also covers new threat intelligence around rising network attack rates, how malicious actors are trying to disguise and repurpose old exploits, and the quarter’s top malware attacks.<br />
Hungry for more? Here are some additional key findings to feast on:<br />
1. Network attacks are on the rise – WatchGuard appliances detected more than 4 million network attacks, a 21% increase compared to the previous quarter and the highest volume since early 2018. Corporate servers and assets on site are still high-value targets for attackers despite the shift to remote and hybrid work, so organizations must maintain perimeter security alongside user-focused protections.<br />
2. Fileless malware variant surges in popularity – XML.JSLoader is a malicious payload that appeared for the first time in both WatchGuard’s top malware by volume and most widespread malware detections lists. It was also the variant WatchGuard detected most often via HTTPS inspection in Q1’21. The sample WatchGuard identified uses an XML external entity (XXE) attack to open a shell that runs a command to bypass the local PowerShell execution policy, and it runs in a non-interactive way, hidden from the actual user or victim. This is another example of the rising prevalence of fileless malware and the need for advanced endpoint detection and response capabilities.<br />
3. Attackers disguise a ransomware loader as legitimate PDF attachments with the help of a simple file name trick – Ransomware loader Zmutzy surfaced as a top-two encrypted malware variant by volume in Q1’21. Associated with Nibiru ransomware specifically, victims encounter this threat as a zipped file attachment to an email or a download from a malicious website. Running the zip file downloads an executable, which to the victim appears to be a legitimate PDF. Attackers used a comma instead of a period in the file name and a manually adjusted icon to pass the malicious zip file off as a PDF. This type of attack highlights the importance of phishing education and training, as well as implementing back-up solutions in the event that a variant like this unleashes a ransomware infection.<br />
4. Hackers co-opt reputable domains to mine cryptocurrency – In Q1’21, WatchGuard’s DNSWatch service blocked several compromised and outright malicious domains associated with cryptomining threats. Cryptominer malware has become increasingly popular due to recent price spikes in the cryptocurrency market and the ease with which threat actors can siphon resources from unsuspecting victims.<br />
5. An old directory traversal attack technique comes back with a vengeance – WatchGuard detected a new threat signature in Q1’21 that involves a directory traversal attack via cabinet (CAB) files, a Microsoft-designed archival format intended for lossless data compression and embedded digital certificates. A new addition to WatchGuard’s top 10 network attacks list, this exploit either tricks users into opening a malicious CAB file using conventional techniques, or spoofs a network-connected printer to fool users into installing a printer driver via a compromised CAB file.<br />
6. IoT devices continue to present an attractive attack surface for malicious actors – While it didn’t make WatchGuard’s top 10 malware list for Q1’21, the Linux.Ngioweb.B variant has been used by adversaries recently to target IoT devices. The first version of this sample targeted Linux servers running WordPress, arriving initially as an extended format language (EFL) file. Another version of this malware turns the IoT devices into a botnet with rotating command and control servers.<br />
7. Lessons learned from HAFNIUM zero days – Last quarter, Microsoft reported that adversaries used the four HAFNIUM vulnerabilities in various Exchange Server versions to gain full, unauthenticated system remote code execution and arbitrary file-write access to any unpatched server exposed to the Internet, as most email servers are. WatchGuard incident analysis dives into the vulnerabilities and highlights the importance of HTTPS inspection, timely patching and replacing legacy systems. You can read more here.<br />
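Two gateway checks suggested by findings 3 and 5 above, as an added example that is not WatchGuard's code: rejecting archive member paths that would traverse out of the extraction directory (a generic check on member names from any archive format, not a CAB parser), and flagging attachment names where a comma stands in for the dot of a document extension so the true extension is hidden. The file names and extension lists are constructed samples.<br />

```python
# Added example (not WatchGuard's code): two gateway checks for the archive
# tricks described in findings 3 and 5. The CAB finding concerns Windows;
# the path check works on member names from any archive format.
import os

# Constructed lists; tune to the file types your environment actually handles.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".js",
                       ".vbs", ".ps1", ".dll", ".msi"}
DOCUMENT_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def is_safe_member_path(member_name: str, dest_root: str = "/tmp/extract") -> bool:
    """Reject archive entries that would land outside the extraction directory."""
    name = member_name.replace("\\", "/")          # Windows archives may use backslashes
    if not name or "\x00" in name:
        return False
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False                                # absolute path or drive letter (C:...)
    if any(part == ".." for part in name.split("/")):
        return False                                # any traversal component at all
    # Belt and braces: resolve against the destination and require containment.
    root = os.path.abspath(dest_root)
    target = os.path.abspath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root


def disguised_document_name(filename: str) -> bool:
    """Flag a comma used where the victim expects the dot of a document
    extension (e.g. 'invoice,pdf.exe' or 'invoice,pdf'): the real extension,
    if any, is whatever follows the last dot, not what follows the comma."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem, dot, _real_ext = base.rpartition(".")
    if not dot:                      # no dot at all: the whole name is the stem
        stem = base
    if "," not in stem:
        return False
    fake_ext = stem.rsplit(",", 1)[-1]
    return fake_ext in DOCUMENT_WORDS


def attachment_verdict(filename: str) -> str:
    """Combine both signals into one verdict for a mail or download gateway."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    real_ext = "." + base.rpartition(".")[2] if "." in base else ""
    if disguised_document_name(base):
        return "block: document extension faked with a comma"
    if real_ext in EXECUTABLE_SUFFIXES:
        return "quarantine: executable attachment"
    return "allow"
```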
If there’s one key takeaway from our latest threat analysis, it’s this: traditional anti-malware solutions alone simply aren’t sufficient for today’s threat environment. Every organization needs to have a layered, proactive security strategy that involves machine learning and behavioral analysis to detect and block new and advanced threats. Remember, to the beast that is the threat landscape, every business is fair game – and the hunt never ends.<br />
About the Author<br />
Corey Nachreiner is the CSO of WatchGuard Technologies. A frontline cybersecurity expert for nearly two decades, Corey regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the Secplicity Community, which provides daily videos and content on the latest security threats, news and best practices. A Certified Information Systems Security Professional (CISSP), Corey enjoys "modding" any technical gizmo he can get his hands on and considers himself a hacker in the old sense of the word.<br />
Corey Nachreiner can be reached at @SecAdept on Twitter, or via https://www.watchguard.com/<br />
Cyber Security Incident Response Plan: How to Proactively Prepare for a Breach<br />
By Joseph Carson, Advisory CISO, ThycoticCentrify<br />
Many organizations are coming to the harsh realization that it’s only a matter of when, not if, they will fall victim to a cyberattack.<br />
These attacks can range from data breaches to ransomware to Distributed Denial of Service (DDoS) attacks and are often a result of malicious actions by cybercriminals or nation-state actors operating from different parts of the globe.<br />
There is no shortage of technology designed to defend against cybercrime, but it will always come down to your organization’s ability to make the right security decisions. Failing to properly train employees on the security measures you have in place can greatly increase the risk of a simple mistake – like clicking a phishing link, for instance – threatening your entire network and infrastructure.<br />
Cyber incident response is a structured technique used to manage an organization’s cybersecurity incidents to limit further damage. Formulating a cyber incident response plan specific to your organization is an investment in its cybersecurity. It should be a permanent item on your breach checklist.<br />
Incident Response Plan<br />
Planning and preparing for a cybersecurity incident is crucial to ensure your response is efficient and organized. A lack of preparation is certain to result in major repercussions should you fall victim to a cyberattack.<br />
Let’s review some steps your organization can take to increase resiliency and response.<br />
1. Ownership and Responsibility – The first step to implementing an incident response plan is to decide who will be responsible for it. Keep in mind who has the appropriate training, what tools and systems are available to handle an incident, and the amount of time that may be required for incident response.<br />
2. Roles and Contacts – There must be clearly specified roles for anyone and everyone who would be involved in incident response, regardless of their department or position in the organization. They have to know how a cyber-attack can impact them and what they’re expected to do to mitigate it.<br />
An attack becoming public, for example, can bring a unique set of challenges that your entire organization must be prepared to handle. Your help desk can get overwhelmed with customer calls, which may lead to a DDoS attack on the help desk, so it’s crucial to understand the capacity and strength of your help desk in the event of an attack.<br />
3. Contacts and Methods of Communication – Typical means of communication – such as email, messaging, or VoIP – may be severed in an attack, so it’s important to have alternative contact details and means of communication on hand at all times. Who needs to be contacted during an incident? What is the priority list of contacts? It should also be available offline and include system owners and technical responders.<br />
4. The Threat – Clearly define how the incident was identified. Was it internal, external, a system alert, or another method? Who detected it, and how was it reported? Record all the sources and times that the attack has passed through. At what stage of the incident did the security team get involved?<br />
Document the entire nature of the incident: the type of incident, its source, the assets and resources affected, its location, and its extent. Assess the impact on your company based on the data on system classification so you can identify the proper security measures to perform next. It’s crucial for each step taken during the incident to be recorded.<br />
5. Identification and Confirmation – If the incident has not yet been confirmed at this point, you must pinpoint the type of incident and verify that it is a real incident.<br />
6. Containment – This involves stopping the attack to avoid any further harm. You must decide if the incident is safe to watch and learn from once it’s been identified and confirmed, or if you have to take more dramatic measures and pull the plug. The indicators of compromise (IoCs) can help establish the extent of the impacted systems; use them to update firewalls and network security controls and to record evidence that can be used for forensics in the future. Determine what, if any, sensitive data was stolen and what the potential risk is to your company.<br />
This stage is where you must prepare for potential legal outcomes. Consult with your legal team and review compliance and risks to see if any regulations were impacted. Depending on your country, industry, or the data affected, you may also have to report the incident to appropriate authorities or affected parties such as partners and customers. This is where prepared PR statements are crucial.<br />
7. Eradication – Repair the affected systems to their original state, and compile all the evidence available<br />
while maintaining a solid chain of custody. Collect logs, audits, memory dumps, disk images, and network<br />
traffic. Digital <strong>for</strong>ensics will be limited without proper evidence compiling, making a follow-up investigation<br />
unlikely. Get rid of the security risk so the attacker no longer has access.<br />
8. Recovery – Recovery from the incident is needed to recuperate systems availability, integrity, and<br />
confidentiality. Make sure your services have been restored and company operations are back on track.<br />
Establish monitoring and continuous detection on the IoCs from the incident.<br />
9. Lessons Learned – Learning from the cybersecurity incident is very important. What went well during<br />
the incident, and what could have been done better? Create an Incident Response Report that includes<br />
all parts of the company that were impacted by the attack.<br />
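Steps 6 to 9 above lean on two concrete artefacts: the list of indicators of compromise gathered during containment, which recovery turns into continuous detection, and the evidence collected during eradication, which is only useful if its chain of custody can be proven. The following is an added example, not code from the article or its author; the watchlist values, log lines and artefact contents are all constructed placeholders, and the regular expressions are a deliberately simple way of pulling IPs, hostnames and SHA-256 digests out of free-text log lines.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed digest standing in for a malicious binary seen during the incident.
SAMPLE_HASH = hashlib.sha256(b"constructed-malicious-sample").hexdigest()

# Constructed IoC watchlist of the kind compiled during containment (not real indicators).
WATCHLIST = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example.net"},
    "sha256": {SAMPLE_HASH},
}

# Constructed log lines in the shape of firewall, DNS resolver and EDR telemetry.
SAMPLE_LOGS = [
    "2021-09-01T10:02:11Z fw01 ALLOW tcp 10.0.0.12:51022 -> 203.0.113.45:443",
    "2021-09-01T10:02:13Z dns01 query A update-check.example.net from 10.0.0.12",
    f"2021-09-01T10:03:40Z edr ws-114 process created sha256={SAMPLE_HASH} path=C:\\Users\\Public\\svc.exe",
    "2021-09-01T10:05:00Z fw01 ALLOW tcp 10.0.0.9:40211 -> 93.184.216.34:443",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


@dataclass
class Alert:
    line_no: int
    kind: str
    value: str
    raw: str


def extract_indicators(line):
    """Pull candidate IPs, hostnames and SHA-256 digests out of one log line, normalised."""
    found = set()
    for ip in IP_RE.findall(line):
        found.add(("ip", ip))
    for dom in DOMAIN_RE.findall(line):
        found.add(("domain", dom.lower()))
    for digest in SHA256_RE.findall(line):
        found.add(("sha256", digest.lower()))
    return found


def scan_logs(lines, watchlist=WATCHLIST):
    """Continuous detection on the incident's IoCs: one Alert per watchlist hit per line."""
    alerts = []
    for n, line in enumerate(lines, start=1):
        for kind, value in sorted(extract_indicators(line)):
            if value in watchlist.get(kind, ()):
                alerts.append(Alert(n, kind, value, line))
    return alerts


def evidence_manifest(artifacts):
    """Record a SHA-256 digest per collected artefact (name -> bytes) at seizure time,
    so the chain of custody can later prove the evidence is unchanged."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}


def verify_manifest(artifacts, manifest):
    """Return the names of artefacts whose current digest no longer matches the manifest."""
    return sorted(name for name, data in artifacts.items()
                  if manifest.get(name) != hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS):
        print(f"line {a.line_no}: {a.kind} {a.value} matched the watchlist")
```

Indicators are normalised (lower-cased) before comparison so that a watchlist entry and a log line that differ only in case still match; in a real deployment the watchlist would be fed from the incident's IoC list and the manifest written at the moment each artefact is imaged, with the recorded digest compared again before any analysis.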
A Cyber Security Incident Response Plan is Crucial<br />
No organization wants to experience it, but it’s only a matter of time before you become the victim of a<br />
cyber-attack, and it’s becoming more and more likely with the ever-expanding cybercrime landscape.<br />
Having a solid response plan in place can make the difference in reducing risk and minimizing impact,<br />
ensuring your company can comfortably move forward following a cybersecurity incident.<br />
About the Author<br />
Joseph Carson is a cyber security professional and ethical hacker with more than 25 years' experience in<br />
enterprise security, specializing in blockchain, endpoint security, network security, application security<br />
and virtualization, access controls and privileged account management. Joseph is a Certified Information<br />
Systems Security Professional (CISSP) and an active member of the cyber security community, frequently<br />
speaking at cyber security conferences globally and often being quoted in and contributing to global cyber<br />
security publications. He is a cyber security advisor to several governments and to the critical<br />
infrastructure, financial, transportation and maritime industries. Joseph regularly shares his knowledge<br />
and experience, giving workshops on vulnerability assessments, patch management best practices, the<br />
evolving cyber security perimeter and the EU General Data Protection Regulation. Joseph serves as Chief<br />
Security Scientist at Thycotic. Joseph can be reached online at Joseph.Carson@thycotic.com and at our<br />
company website https://thycotic.com/.<br />
The Importance of Multi-Factor Authentication and<br />
Strong Passwords<br />
Understanding and implementing MFA and strong password protocol.<br />
By Jeff Severino, CyberLock Defense, Lockton Affinity<br />
Multi-factor authentication and password security are critical. Often, they are your best line of defense<br />
for protecting all your data, devices and systems from unauthorized access. Unfortunately, many don’t<br />
take password security seriously, which makes them especially vulnerable to hackers.<br />
Good password security can help protect you from data breaches, network intrusions, malware and<br />
viruses. It can also minimize your risk of the lawsuits, fines and bad publicity that can accompany a data<br />
breach.<br />
Here’s what to know about the latest recommended password security best practices, including<br />
minimizing your risk from hackers, choosing good passwords and utilizing multi-factor authentication.<br />
Why Passwords Are Important<br />
In today’s world, everyone must take steps to safeguard their data, devices and systems from<br />
unauthorized access with strong password security. In some professions, such as banking, law,<br />
education and healthcare, you can even face fines and penalties for not doing so.<br />
Passwords are useful for protecting many different types of sensitive and confidential data and computer<br />
systems, including:<br />
• Work terminals<br />
• Point-of-sale systems<br />
• Email communications<br />
• Social media accounts<br />
• Ticketing systems<br />
• IT infrastructure<br />
• Mobile devices<br />
• Customer files<br />
• Client documentation<br />
• Vendor systems<br />
• Billing information<br />
• Financial records<br />
Even if it’s not specifically required by your industry’s professional association or local, state or federal<br />
law, protecting all your data, devices and systems with the best password protection is just good<br />
business. It also ensures you maintain the trust of your clients and customers and avoid unnecessary<br />
downtime and liability risk.<br />
How Hackers Can Crack Your Password<br />
Setting a password for all your systems and devices is a good first step to securing your data. But it’s<br />
important to realize that even with all your systems protected by passwords, it’s still possible for someone<br />
to gain unauthorized access, because attack techniques keep changing.<br />
While computer systems have become more advanced, hackers have upped their game as well. You<br />
may have noticed that popular websites and services are prompting you to update your password more<br />
frequently and requiring you to pick stronger and better passwords when you do. This is because hackers<br />
may be able to guess your weak passwords and can use technology to crack even moderately secure<br />
passwords.<br />
With new technology, some hackers are able to crack simple passwords of up to 10 characters instantly.<br />
Even properly chosen passwords that include numbers, symbols, uppercase and lowercase letters can<br />
be cracked in just a few minutes to hours if they are shorter than eight characters long.<br />
Many computer users still choose passwords that are easy to guess, and there are now billions of<br />
compromised and stolen passwords listed online. Using similar passwords for different websites can also<br />
allow a hacker who has gained access to one of your accounts to access other accounts. Plus, a hacker<br />
who finds one of your passwords may be able to guess your other ones.<br />
How to Pick a Good Password<br />
Choosing good passwords for all your logins can protect you from getting hacked and minimize the<br />
chance of confidential information falling into the wrong hands. Here are the best practices to follow:<br />
• Choose a strong password. Strong passwords combine uppercase and lowercase letters and<br />
numbers and are at least 8 characters long. Always avoid using nicknames, birthdays or ordinary<br />
words in the dictionary.<br />
• Keep your passwords confidential. Avoid sharing passwords with anyone else. If multiple<br />
employees need to use the same terminal or system, make sure everyone has their own individual<br />
login and password credentials.<br />
• Avoid reusing old passwords. Use a new password every time you’re prompted, since<br />
compromised passwords will always be vulnerable. Facebook CEO Mark Zuckerberg found this<br />
out when he was hacked due to reusing an old password.<br />
• Pick a unique password for everything. Using a different password for each account<br />
ensures a hacker can’t access all your accounts with one login. This keeps small hacks from<br />
turning into major ones.<br />
• Keep track of all your passwords. The average person now has to juggle about 100 passwords.<br />
Keep track by writing them down on a piece of paper stored in a secure location or consider using<br />
a password manager.<br />
• Use a password manager. With a browser or cloud-based password manager, there is a master<br />
password that secures all your logins. To log in to your accounts, you only need to remember the<br />
master password.<br />
• Check for compromised passwords. It’s possible to research whether one of your passwords<br />
has been compromised and should be updated. Check Google Password Checkup or Mozilla<br />
Firefox Monitor to see if your login has been compromised.<br />
• Set up password reset options. To avoid losing access to your accounts, set up password reset<br />
options with memorable security question answers and a backup email or phone number on file.<br />
• Turn on multi-factor authentication. By requiring a verification code to be sent to your phone or<br />
email, multi-factor authentication can keep a hacker from being able to log into your account even<br />
if they do get ahold of your password.<br />
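The first and seventh points in the list above (length and character mix, no dictionary words or birthdays, and a check against known-compromised passwords) can be enforced in code rather than left to the user. The block below is an added example, not code from the article or from any of the services it names; the word list and the "breached" set are constructed stand-ins, and the range-query function imitates the k-anonymity style of lookup such services use (only the first five characters of the SHA-1 digest leave the client) without contacting anything. The 8-character floor is the article's stated minimum, kept as a constant so a stricter policy is a one-line change.

```python
import hashlib
import re
import secrets
import string

MIN_LENGTH = 8  # the article's stated minimum; a floor, not a target

# Constructed mini word list and breach corpus (a real check uses a full wordlist and
# a breach-checking service; these values exist only to make the example runnable).
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "qwerty"}
_BREACHED_PLAINTEXT = {"Password1", "Welcome123", "Summer2021!", "letmein"}


def _sha1_hex(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Breach corpora are distributed as digests, never as plaintext.
BREACHED_SHA1 = {_sha1_hex(p) for p in _BREACHED_PLAINTEXT}


def check_policy(pw):
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if re.search(r"(19|20)\d{2}", pw):
        problems.append("looks like it contains a year or birthday")
    return problems


def range_query(prefix5):
    """Simulated k-anonymity lookup: every breached digest sharing the 5-character
    prefix is returned, so the full digest never has to be sent anywhere."""
    return {h for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(pw):
    digest = _sha1_hex(pw)
    return digest in range_query(digest[:5])


def generate_password(length=16):
    """Random password from the OS CSPRNG, regenerated until it satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("Ab1", "Summer2021!", "Password1", generate_password()):
        print(pw, check_policy(pw), "breached" if is_breached(pw) else "not in corpus")
```

Two things worth noting: the breach check is done on a hash prefix so that a lookup against a remote corpus would not disclose the password itself, and `generate_password` loops rather than trusting one draw, because a random string can still trip the year heuristic by chance.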
The Importance of Multi-Factor Authentication<br />
Many experts now highlight the importance of multi-factor authentication (MFA) or two-factor<br />
authentication (2FA) to help avoid unauthorized access to your accounts and systems.<br />
Multi-factor authentication works by requiring something else from you besides your login and password<br />
to access your account. This could be a PIN, security question answers, or a temporary security code<br />
emailed or texted to you. Some high-security MFA systems even work with badges, USB key fobs, or<br />
fingerprints and other biometric data. The idea is to provide two or more levels of security so that only<br />
you can access your data.<br />
Multi-factor authentication usually doesn’t require verification for every login, only those where you are<br />
logging on from an unfamiliar device, a home or public internet connection or during off hours. It’s easy<br />
to set up and turn on MFA or 2FA features on common apps such as Gmail, Office and Facebook. Other<br />
systems may have the tool enabled by default. With this feature, even a hacker who has stolen your<br />
password needs additional access to your email account, text messages or even biometric data to gain<br />
access to your account.<br />
How to Better Protect Yourself<br />
With good password security you can minimize your risk from hackers, protecting your data, devices and<br />
systems from unauthorized access. But even a great password can’t prevent all cyber-attacks. You can<br />
take your security to the next level with cyber liability insurance from CyberLock Defense.<br />
About the Author<br />
CyberLock Defense from Lockton Affinity provides industry-leading cyber liability insurance that offers<br />
full limits of cybercrime (cyber theft), social engineering, fraudulent funds transfer and more. With more<br />
than 35 industry groups eligible, including professional services, health care, retail, financial services<br />
and more, this comprehensive coverage helps protect your business against the costs associated with a<br />
cyber attack at affordable rates.<br />
Those interested in coverage can visit CyberLockDefense.com or contact CyberLock Defense practice<br />
leader Jeff Severino at 913-652-7520 or JSeverino@locktonaffinity.com.<br />
Time to Act: How Real-Time Analytics Can Help Stop the<br />
Cyber Kill Chain<br />
Access to Real-Time Contextualized Information through In-Memory Computing Can Help Security<br />
Teams Spot Evolving Threats Before It’s Too Late<br />
By Dr. William Bain, CEO and Founder of ScaleOut Software<br />
In cybersecurity, timing is everything. Whether an attacker is looking for a misconfiguration or a zero-day<br />
to exploit and extract crown-jewel data, organizations must scramble to address vulnerabilities and<br />
counter attacks before it’s too late. Cybersecurity teams manage sprawling systems which generate<br />
volumes of alerts and data for analysis, but security information and event management (SIEM) software<br />
often relies on tools that don’t speak well to each other, and much of the data needs to be examined<br />
offline after the fact. These challenges make it difficult to spot issues in the moment and to know when<br />
and where to act.<br />
SIEM solutions typically log activities and enable security practitioners to create and apply rulesets that<br />
extract information for alerting within their organizations. Using dashboards that show managers raw<br />
telemetry by region or events recorded over time, they help identify possible intrusions and kill chain<br />
activity that could lead to the injection of malware or other threats. However, delayed forensic analysis of<br />
logs and the display of large volumes of aggregated telemetry make it difficult to mitigate emerging<br />
threats as they occur. While SIEM solutions do a good job of monitoring across attack vectors, they fall<br />
short in spotting trends in the moment and providing real-time communication throughout a cyber kill<br />
chain.<br />
Real-Time Analytics Boost In-the-Moment Decision Making<br />
With time of the essence, how can we enhance current techniques and obtain insights fast enough to<br />
interrupt cyberattacks? How can we provide deeper introspection in real time on incoming telemetry to<br />
enable fast, effective action while reducing the likelihood of false positives?<br />
A new software technique for streaming analytics called “real-time digital twins” (RTDTs) may be the<br />
answer to this problem. This technique moves the focus from just examining patterns within data streams<br />
to monitoring the dynamic behavior of data sources, such as nodes within a large network infrastructure.<br />
For each data source, a separate RTDT software component incorporates evolving information that helps<br />
analyze incoming messages and update a dynamic assessment of the data source’s condition. This<br />
approach yields a significantly deeper understanding, and better, faster decision-making on whether to<br />
take action to block a threat, than can be achieved by just looking at the data within an incoming message<br />
stream. As a result, RTDTs have the potential to rapidly accelerate the execution of SIEM algorithms in<br />
detecting malicious attacks, correlating events, and possibly intervening in time to halt an attack without<br />
reacting to false positives.<br />
The power of RTDTs is made possible by in-memory computing techniques, which can ingest, store and<br />
analyze large volumes of incoming data within milliseconds. This technology creates new opportunities<br />
for SIEM software. Instead of just storing incoming events, an in-memory computing platform can<br />
correlate and analyze them by data source as they arrive. This could enable SIEM software to maintain<br />
a real-time threat assessment for each network entry point or node that sends events to the system for<br />
analysis. Instead of requiring security analysts to analyze logged events to build a picture of an evolving<br />
attack, they could use RTDTs to continuously analyze telemetry from every data source within the<br />
network infrastructure, and they could visualize the results of this analysis in real time.<br />
Mapping and Improving Communication Across the Network<br />
Using RTDTs, organizations could integrate event tracking in memory with associated contextual<br />
information into existing SIEM solutions and react to potential threats in milliseconds. Many SIEM<br />
solutions maintain agents that are distributed throughout an organization’s networks to report suspicious<br />
events that might signal a threat. Instead of just adding these events to a dashboard and logging them<br />
for offline analysis, they could also track them using RTDTs. Each RTDT could immediately run a<br />
machine-learning algorithm to classify activities, eliminate false positives, and signal alerts to security<br />
managers, engineers, CISOs or other key stakeholders when threats or lateral movement risks are<br />
predicted.<br />
Beyond that, RTDTs could communicate with each other to help isolate an evolving threat. For example,<br />
when an event includes information indicating a connection and possible threat to another network node,<br />
an RTDT could message the target node’s RTDT to improve its threat assessment algorithm in spotting<br />
suspicious behavior and interrupting kill chains. Sending messages between RTDTs to track the<br />
progression of an intruder within a network could enable the system to build a real-time map of potential<br />
kill chains and possibly get ahead of an assailant to block threats.<br />
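The two ideas in the preceding sections, one stateful twin per data source that keeps a live assessment rather than a log, and twins that message each other when an event points at another node, can be shown in a few dozen lines. What follows is an added illustration written for this page; it is not ScaleOut Software's product or code, and the event stream, the weights table standing in for the per-twin classifier, and the thresholds are all constructed. It demonstrates the architectural point: the database server's twin raises its alert on evidence that would not have crossed the threshold on its own, because the workstation's twin warned it first.

```python
from collections import deque

# Constructed event stream in the shape SIEM agents might report (not real telemetry).
EVENTS = [
    {"t": 1, "src": "ws-01", "type": "failed_login"},
    {"t": 2, "src": "ws-01", "type": "failed_login"},
    {"t": 3, "src": "ws-01", "type": "failed_login"},
    {"t": 4, "src": "ws-01", "type": "new_admin_session"},
    {"t": 5, "src": "ws-01", "type": "remote_connect", "dst": "srv-db"},
    {"t": 6, "src": "srv-db", "type": "failed_login"},
    {"t": 7, "src": "srv-db", "type": "new_admin_session"},
    {"t": 30, "src": "ws-02", "type": "failed_login"},
]

# Toy scoring in place of the per-twin machine-learning classifier the article describes.
WEIGHTS = {"failed_login": 1, "new_admin_session": 3, "remote_connect": 2}
ALERT_THRESHOLD = 5   # score at which a twin raises an alert
WARN_THRESHOLD = 3    # score at which a twin warns the peer it connects to
WARNED_DISCOUNT = 2   # a warned twin alerts this much earlier
WINDOW = 10           # only events this recent count towards the score


class NodeTwin:
    """Real-time digital twin for one data source: holds that node's recent events
    and its evolving risk assessment, updated as each event arrives."""

    def __init__(self, name):
        self.name = name
        self.recent = deque()      # (time, event type), oldest first
        self.warned_by = set()     # peers that flagged a connection into this node
        self.alerted = False

    def score(self, now):
        while self.recent and self.recent[0][0] < now - WINDOW:
            self.recent.popleft()
        return sum(WEIGHTS.get(kind, 0) for _, kind in self.recent)

    def threshold(self):
        return ALERT_THRESHOLD - (WARNED_DISCOUNT if self.warned_by else 0)

    def ingest(self, event, registry):
        now = event["t"]
        self.recent.append((now, event["type"]))
        s = self.score(now)
        if event["type"] == "remote_connect" and s >= WARN_THRESHOLD:
            # Twin-to-twin message: the target node's twin tightens its own assessment.
            registry.twin(event["dst"]).warned_by.add(self.name)
        if s >= self.threshold():
            self.alerted = True
        return s


class TwinRegistry:
    """Routes each incoming event to the twin of the node that produced it."""

    def __init__(self):
        self.twins = {}

    def twin(self, name):
        if name not in self.twins:
            self.twins[name] = NodeTwin(name)
        return self.twins[name]

    def process(self, events):
        """Return (time, node) for each twin at the moment it first raises an alert."""
        alerts = []
        for ev in events:
            tw = self.twin(ev["src"])
            was_alerted = tw.alerted
            tw.ingest(ev, self)
            if tw.alerted and not was_alerted:
                alerts.append((ev["t"], ev["src"]))
        return alerts


if __name__ == "__main__":
    registry = TwinRegistry()
    for when, node in registry.process(EVENTS):
        print(f"t={when}: twin for {node} raised an alert")
```

Run on the constructed stream, `ws-01` alerts at t=4 on its own evidence, warns `srv-db` at t=5, and `srv-db` then alerts at t=7 with a score of 4, which would not have reached the default threshold of 5 without that warning. Replaying only the `srv-db` events through a fresh registry produces no alert, which is the difference the peer message makes.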
Strengthening Security and Time to Action<br />
By harnessing new approaches for real-time analytics, as made possible with in-memory computing<br />
hosting real-time digital twins, cybersecurity teams can make use of new technology for monitoring and<br />
intercepting active threats. This technology can also strengthen current industry tools, such as SIEM<br />
software, to improve communication and context sharing throughout networks. Now organizations have<br />
a new weapon for moving from post-attack analysis to identifying an attack in the moment and stopping<br />
it from happening at all.<br />
About the Author<br />
Dr. William L. Bain is the founder and CEO of ScaleOut Software, a leader in developing software<br />
products to enhance operational intelligence within live systems. Over a 40-year career focused on<br />
parallel computing, he has contributed to advancements at Bell Labs Research, Intel, and Microsoft, and<br />
holds several patents in computer architecture and distributed computing. He earned his Ph.D. in<br />
electrical engineering from Rice University. Bill can be reached through email, LinkedIn and the ScaleOut<br />
Software website.<br />
Combatting Industry Burnout by Building Resilient<br />
Security Teams<br />
By Rick McElroy, Principal Cybersecurity Strategist, VMware<br />
We have reached a pivotal point in the history of cybersecurity. Catalyzed by the shift to an anywhere-work<br />
environment during COVID-19, attack surfaces expanded and cybercriminals became more<br />
sophisticated, creating looming threats for security teams. As a result, stress and burnout within the<br />
security industry are rising in lockstep. Defenders are stretched thin countering complex attacks, gaining<br />
visibility into new environments and constantly being on alert.<br />
Expanding threat landscape increases stress for defenders<br />
Following the rush to the cloud amid the pandemic, cybercriminals have continued to exploit these<br />
environments to deliver integrity and destructive attacks, leading to a spike in incident response<br />
engagements and alerts. According to VMware’s recent Global Incident Response Threat Report, nearly<br />
half of security professionals said that more than one-third of attacks were targeted at cloud workloads<br />
and nearly half targeted victims via island hopping.<br />
The shift to an anywhere-work environment also resulted in adversaries increasingly leveraging business<br />
communication platforms such as Microsoft Teams, Skype, Slack and Google Chat to move around a<br />
given environment and launch sophisticated attacks. Our research found that 32 percent of cybersecurity<br />
professionals observed attackers using business communication platforms to facilitate lateral movement.<br />
These business communication platforms are the perfect delivery mechanism for attacks because<br />
organizations and users implicitly trust them and they operate in a known environment.<br />
As the work environment evolves digitally, it creates more vulnerabilities in the threat landscape, leaving<br />
enterprises more susceptible to attacks and putting increased pressure on security teams.<br />
Combating burnout on security teams<br />
Recently, the Information Systems Security Association found that the cybersecurity skills crisis has not<br />
only continued, but worsened over the past five years. With cybersecurity skills already in short supply,<br />
the prospect of losing additional workforce is troubling, especially in the context of the Great Resignation.<br />
Despite their best efforts, defenders are struggling to counter the growing attacks and gain visibility into<br />
new environments, such as the cloud, containers, and business communication applications.<br />
This level of stress is impacting their well-being, which carries significant implications for the industry.<br />
Over the past 12 months, 51 percent of security professionals experienced extreme stress or burnout,<br />
and 65 percent said they have considered leaving their job because of it. To help decrease the mounting<br />
pressure security professionals face, business leaders must prioritize building resilient teams and<br />
creating a supportive work environment.<br />
Here are six best practices leaders can implement:<br />
• Consider rotations of work. It is essential that teams feel like they are developing and progressing<br />
professionally, and they may not be able to do that after being in the same high-stress environment<br />
year after year. Rotation will not only allow for new perspectives and generate creative ideas, but it<br />
will also give people room to recharge.<br />
• Empower individuals to take mental health days. An “always on” mentality is not only dangerous to<br />
the people involved, but can lead to poor and reactive decision making. Forcing people to interact<br />
with others under already stressful conditions is a recipe for disaster. Allow teams space to work<br />
and empower them to know when they need to step away.<br />
• Encourage non-standard activities like meetings outside, walking meetings, and mindfulness<br />
training. Mindfulness training is designed to help people deal with stress, so encourage teams to<br />
take classes and take periodic breaks to reset their mind and come back refreshed.<br />
• Invest in solutions that empower defenders to detect and stop attacks. Legacy security systems<br />
are no longer sufficient for protecting against the sophisticated cyberattacks of today. What’s<br />
more, these systems require a good amount of manual work and analysis by security teams. Look<br />
to invest in tools that automate time-consuming, manual processes and ones that empower<br />
defenders to implement security stacks built for a cloud-first world. When a new tool is introduced,<br />
give teams time to adjust to the technology before deploying another new tool.<br />
• Schedule 1-on-1s that are focused on employees. 1-on-1s are a great way to connect with team<br />
members; however, they must be used correctly. Instead of discussing a specific project, use the<br />
time to honestly check in with team members. Let them set the agenda and allow them to speak<br />
about what they need.<br />
• Give defenders a real break after a high-stress event. Breaches and compromises can be extremely<br />
stressful on teams, especially when incidents last multiple days. Teams are rarely given time off<br />
after these incidents, which ultimately leads to burnout and unhappy team members.<br />
The anywhere-work environment is here to stay, so leaders need to devise a roadmap to proactively<br />
protect the well-being of their security teams. That should start with arming security professionals with<br />
the tools and resources needed to do their job while maintaining a healthy mindset.<br />
About the Author<br />
Rick McElroy is a Principal Cybersecurity Strategist at VMware. He has 24 years of information security<br />
experience educating and advising organizations on reducing their risk posture and tackling tough<br />
security challenges. Previously, he held security positions with the U.S. Department of Defense, and in<br />
several industries including retail, insurance, entertainment, cloud computing, and higher education. Rick<br />
can be reached online at @InfoSecRick and at our company website.<br />
Considering Collateral Intrusion in Digital Forensics<br />
Achieving A Balance Between Public Protection and Public Privacy<br />
By Alan McConnell, Forensic Advisor, Cyan<br />
The importance of digital evidence contained on the personal devices of suspects, victims, and witnesses<br />
in assisting Law Enforcement to investigate serious crime cannot be overstated. However, never has the<br />
public’s awareness of their right to protect personal data on their devices (such as tablets, laptops, and<br />
smartphones) been as strong as it is today.<br />
While there appears to be a general acceptance of the need for Law Enforcement to obtain digital<br />
evidence from personal devices, the recent publication of reports such as “Digital stop and search: how<br />
the UK police can secretly download everything from your mobile phone” by Privacy International [1], as<br />
well as several high-profile news stories questioning the technology Law Enforcement agencies use to<br />
obtain digital evidence, have brought the issues involved to mainstream attention.<br />
Digital evidence<br />
In the not-too-distant past, the recovery of digital evidence was the realm of specialist Cybercrime units,<br />
investigating cyber-dependent crimes such as attacks on computer systems and infrastructure, or<br />
cyber-enabled crimes where computers were used in the commission of ‘traditional’ crimes.<br />
The proliferation of home computing and mobile digital devices has meant that important digital evidence<br />
now potentially exists <strong>for</strong> most criminal cases. In fact, one senior police manager reporting to the House<br />
of Lords Science and Technology Select Committee in 2019 2 stated that digital evidence now plays a<br />
role in 90% of criminal cases.<br />
Such is the volume of potentially relevant digital evidence in criminal cases today, there is a real risk that<br />
it could overwhelm Police Forces and the judiciary. To mitigate this risk, many Police Forces have, or are<br />
planning to, roll-out digital triage capabilities to front-line officers to help quickly identify those devices<br />
that are likely to contain pertinent evidential data and rule out those that do not, reducing the number of<br />
devices seized <strong>for</strong> full <strong>for</strong>ensics examination and the volume of data that must be examined.<br />
This move from individuals’ digital devices only being examined by highly trained expert digital <strong>for</strong>ensic<br />
analysts, to potentially being routinely examined <strong>for</strong> evidence by a much larger group of less experienced<br />
Officers, understandably raises concerns around the preservation of private data.<br />
Data privacy<br />
There are few areas of today’s life that do not involve the use of a home computer, mobile phone, or<br />
tablet. From taking and storing our holiday photos, work communications and internet banking, to private<br />
communications with family and loved ones, our digital devices are at the very centre of our private lives.<br />
These devices are an ever-increasing repository <strong>for</strong> our personal and sensitive in<strong>for</strong>mation. A cursory<br />
look at my own browsing history, communications, geo-location data and biometric in<strong>for</strong>mation would<br />
piece together to give a surprisingly deep and accurate insight into my social life, state of mind and<br />
physical health (thanks <strong>for</strong> telling me to stand up every hour Apple!).<br />
The data held on my devices is just that: my data. As such, I have every right to expect that my data will<br />
not be viewed or used by anyone else without my consent. As a <strong>for</strong>mer Police Detective and Digital<br />
Forensic Analyst, however, I am acutely aware that the ever-increasing scope of digital <strong>for</strong>ensic<br />
capabilities available to Law En<strong>for</strong>cement is of immense value when it comes to detecting crimes,<br />
securing convictions, and identifying victims. Herein lies the problem.<br />
Collateral intrusion<br />
Traditional techniques for the recovery of digital evidence have generally been rather indiscriminate in what data they obtain from a device. Taking a full forensic image of a computer’s hard drive or external storage device, or extracting the full contents of a mobile phone, and then searching that data for evidence pertinent to an investigation is standard practice. However, searching through large amounts of data to find a small amount of digital evidence inevitably leads to collateral intrusion: the unintentional gathering of a person’s private data that is not pertinent to the investigation alongside the data that is.<br />
Collateral intrusion in the context of examining a digital device for evidential data can occur in many ways, but examples include:<br />
• Viewing a suspect’s non-pertinent personal photos while looking for images of Child Sexual Abuse<br />
• Reading communications data outside of the timeframe relevant to the offence being investigated<br />
• The viewing of data on a device that infringes on the privacy of persons not subject to the investigation, e.g. acquaintances of the suspect who may appear in photographs<br />
Cyber Defense eMagazine – September 2021 Edition 91<br />
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.
Selective extraction, whereby Law Enforcement collects only the data from a device that is strictly relevant to the case in question, is one approach and potential solution to collateral intrusion. It is favoured in particular where concerns have been raised that having their entire phone examined after a serious sexual assault is a disproportionate and unnecessary invasion of victims’ and survivors’ privacy. The challenge therefore is to ensure a balance is struck between the benefits that digital evidence brings, and the new ethical dilemmas created by the techniques used to recover that evidence.<br />
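As an added illustration of selective extraction (example code written for this page, not Cyan’s or any forensic vendor’s tool), the function below applies a case scope, a time window plus the parties under investigation, to a constructed message export. It keeps only the records inside that scope and produces an audit record: how many records were excluded and why, and a hash of exactly what was extracted, so the scope applied can be reviewed later without re-opening the excluded data. The export format, field names and the sample numbers are assumptions.

```python
"""Selective extraction of case-relevant records from a device export.

Added example, not from the article or from any vendor tool. The export
shape (list of dicts with id/ts/from/to/body), the case scope and the
sample phone numbers are all constructed assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample export, in the shape a forensic tool might list messages.
SAMPLE_EXPORT = [
    {"id": 1, "ts": "2021-03-01T09:15:00Z", "from": "+447700900001",
     "to": "+447700900002", "body": "meet at 10"},
    {"id": 2, "ts": "2021-03-01T12:40:00Z", "from": "+447700900002",
     "to": "+447700900001", "body": "ok"},
    {"id": 3, "ts": "2021-02-10T08:00:00Z", "from": "+447700900001",
     "to": "+447700900003", "body": "happy birthday mum"},      # outside window
    {"id": 4, "ts": "2021-03-02T18:05:00Z", "from": "+447700900004",
     "to": "+447700900001", "body": "dinner?"},                 # third party
    {"id": 5, "ts": "2021-03-02T19:30:00Z", "from": "+447700900001",
     "to": "+447700900002", "body": "done"},
]


def _parse_ts(s):
    """Parse the export's UTC timestamps (format is an assumption)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def selective_extract(export, start, end, parties):
    """Return (extracted, audit).

    Only records inside [start, end] and exchanged between the parties of
    interest are copied out. Everything else is counted by exclusion reason
    but never copied into the result, so the examiner is only exposed to
    case-relevant data. The audit carries a SHA-256 of the extracted set so
    the extraction can be verified against the scope afterwards.
    """
    start_dt, end_dt = _parse_ts(start), _parse_ts(end)
    extracted = []
    excluded = {"out_of_window": 0, "third_party": 0}
    for rec in export:
        ts = _parse_ts(rec["ts"])
        if not (start_dt <= ts <= end_dt):
            excluded["out_of_window"] += 1
            continue
        if rec["from"] not in parties or rec["to"] not in parties:
            excluded["third_party"] += 1
            continue
        extracted.append(rec)
    digest = hashlib.sha256(
        json.dumps(extracted, sort_keys=True).encode("utf-8")).hexdigest()
    audit = {
        "scope": {"start": start, "end": end, "parties": sorted(parties)},
        "extracted": len(extracted),
        "excluded": excluded,
        "sha256": digest,
    }
    return extracted, audit


if __name__ == "__main__":
    records, audit = selective_extract(
        SAMPLE_EXPORT, "2021-03-01T00:00:00Z", "2021-03-03T00:00:00Z",
        {"+447700900001", "+447700900002"})
    print(json.dumps({"records": [r["id"] for r in records], "audit": audit}, indent=2))
```

The two exclusion counters map onto two of the bullet points above: records outside the offence timeframe, and records involving persons not subject to the investigation. Counting them rather than storing them is the point; the audit shows the scope was applied without anyone reading what fell outside it.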
A collaborative approach<br />
These concerns are understood by the Digital Forensic community, and in a commentary submitted to the Forensic Science International journal in 2020 [3], a number of updates to the ACPO Good Practice Guide for Digital Evidence [4] were proposed, among which was: “All justifiable measures must be taken to limit both collateral intrusion and disruption caused by their investigation.”<br />
The issue of collateral intrusion has also been recognised by UK Policing, and earlier this year the College of Policing issued new ‘Authorised Professional Practice’ guidance on the extraction of material from digital devices [5].<br />
The examination of a person’s devices for digital evidence will likely always involve an element of unavoidable collateral intrusion. Law Enforcement will continue to take measures to minimise this with more stringent processes and guidance, but there is also a need for the creators of digital forensic tools to assist by developing tools, in direct collaboration with Law Enforcement, that can help reduce potential collateral intrusion by allowing focused targeting and extraction of investigation-relevant digital evidence only.<br />
A balance can be found between protecting the public by helping identify digital evidence to ensure dangerous offenders are identified and prosecuted, and protecting the public’s right to privacy by helping ensure that the recovery of this digital evidence does not compromise a person’s private data.<br />
By working closely with Law Enforcement, tools need to be developed which give front-line Officers the ability to examine digital devices very quickly, and on-site, for known illegal content while completely protecting the owner’s privacy by only exposing the investigator to case-relevant data.<br />
1 - https://privacyinternational.org/report/1699/digital-stop-and-search-how-uk-police-can-secretly-download-everything-your-mobile<br />
2 - https://publications.parliament.uk/pa/ld201719/ldselect/ldsctech/333/33302.htm<br />
3 - “ACPO principles for digital evidence: Time for an update?” - Forensic Science International: Reports, Volume 2, December 2020<br />
4 - ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011) - Association of Chief Police Officers of England, Wales & Northern Ireland<br />
5 - https://www.app.college.police.uk/app-content/extraction-of-material-from-digital-devices/<br />
About the Author<br />
Alan McConnell is Forensic Advisor at Cyan. He is an experienced Digital Forensic Analyst with 12 years’ Law Enforcement experience of conducting forensic and criminal investigations and presenting evidence in court, having served as a Detective and Digital Forensic Analyst for Police Scotland before joining Cyan in 2019. Alan can be reached on Cyan’s Twitter @cyanforensics and at our company website https://cyanforensics.com/<br />
Keeping Health Records Safe from Cyber Criminals<br />
By Dexter Caffey, Founder and CEO, Smart Eye Technology<br />
The healthcare industry is currently one of the most lucrative targets for hackers. A recent report by a mobile security company shows that many digital health platforms have vulnerabilities that allow criminals to access medical health records, personal information, and even credit card and billing information. Cyber-thieves then use all this data at their disposal to commit financial/insurance fraud and identity theft.<br />
Healthcare organizations are usually subject to stringent compliance regulations since they store great amounts of sensitive data. However, sensitive information can become prone to hacking when stored using cloud technologies. A 2018 report shows that up to 84% of healthcare organizations store data in the cloud, indicating that medical facilities are at risk and vulnerable to attacks through that avenue.<br />
Though some medical facilities choose to store data on more secure private networks, there are reports which illustrate that these networks can also be breached. Hackers can obtain employee logins by sending employees malicious software disguised as legitimate emails. When employees key in their login information, criminals receive copies and use this information to steal more data, even from secure networks.<br />
Why Healthcare Records Are Valuable<br />
The reason this is such a lucrative industry? Cyber criminals can sell stolen medical records for hefty prices.<br />
This has led to a demand for medical information on the dark web. Provider data is sold for up to $500 per listing, which is then used for fake insurance claims and prescriptions. Health insurance logins, sold at an average of $3.25, may be used to obtain medical services allocated for other patients.<br />
The website PrivacyAffairs.com launched a project called the Dark Web Price Index that provides hundreds of examples of data being sold and reports the prices. Aside from medical information and health insurance records, other data being sold includes online banking logins at an average of $40, full credit card details ranging from $14-$30, and copies of ID cards.<br />
Hackers can obtain copies of passports when they are part of a health organization’s data system. A forged U.S. passport can be sold for $4,000 while other types of government IDs are sold for $400-$500. These are used to help criminals pretend to be US citizens or to be of other nationalities, further enabling identity thieves.<br />
How Medical Records Are Hacked<br />
Another common form of cyber-attack uses ransomware, a type of malware that makes data inaccessible to its owner. A ransomware attack begins by targeting an employee through phishing, usually an email disguised as legitimate that delivers malware or captures employee logins.<br />
These logins are then used to breach a secure data network so that all records can be encrypted by the ransomware, making them inaccessible. Hackers then ask for compensation (a “ransom”) in exchange for the data they’ve taken. If the medical facility refuses to pay, the information is sold on the dark web.<br />
The best way to deal with the situation is not to negotiate but instead to call the police.<br />
Protecting Health Records from Attacks<br />
In most cases, users don’t know that their computer or network has been infected by ransomware until they find that they can no longer access their data. There is little that can be done once this happens. To avoid reaching this point, healthcare organizations should invest in data protection and safeguard their networks from possible attacks.<br />
To start, the FBI provides guidelines for organizations to protect themselves from ransomware attacks. Since most attacks start by phishing information from users, the FBI warns all healthcare employees to be careful about the applications they download or the links they click on while working. The FBI also reminds organizations to keep all operating systems, software, and applications up to date. All computers should also have anti-virus and anti-malware solutions set to update automatically and run regular scans.<br />
Data should be regularly backed up, and checkpoints should be established to ensure that backups are completed. Backed-up data should then be further secured, stored independently, and kept out of reach of other computers or networks.<br />
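One way to turn the “checkpoint” guidance above into a concrete check, as an added example that is not part of the article or of any product: hash every file into a manifest at backup time, then verify the backup copy against that manifest, so the checkpoint passes only when nothing is missing or altered rather than merely when the backup job exited. Paths and sample record files are constructed in a temporary directory.

```python
"""Backup checkpoint: hashed manifest of the source, verified against the copy.

Added example, not from the article or from any backup product. The
directory layout and the sample record files are constructed in a temp dir.
"""
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def verify_backup(manifest, backup_root):
    """Compare a backup copy against the manifest taken at backup time.

    Returns the lists of missing and modified paths plus a count of files
    that verified; a checkpoint should only pass when both lists are empty.
    """
    found = build_manifest(backup_root)
    missing = sorted(p for p in manifest if p not in found)
    modified = sorted(p for p in manifest if p in found and found[p] != manifest[p])
    return {"missing": missing, "modified": modified,
            "ok": len(manifest) - len(missing) - len(modified)}


def demo():
    """Constructed scenario: a clean copy verifies, then the copy is damaged
    (one file truncated, one deleted) and the checkpoint catches both."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "records")
        os.makedirs(os.path.join(src, "2021"))
        with open(os.path.join(src, "2021", "patient-0001.json"), "w") as f:
            f.write('{"id": 1, "note": "constructed sample"}')
        with open(os.path.join(src, "2021", "patient-0002.json"), "w") as f:
            f.write('{"id": 2, "note": "constructed sample"}')
        with open(os.path.join(src, "index.txt"), "w") as f:
            f.write("2 records\n")

        manifest = build_manifest(src)          # taken before the copy is made
        backup = os.path.join(work, "backup")
        shutil.copytree(src, backup)
        clean = verify_backup(manifest, backup)

        # Simulate a bad copy: truncate one record and lose the index.
        with open(os.path.join(backup, "2021", "patient-0001.json"), "w") as f:
            f.write("")
        os.remove(os.path.join(backup, "index.txt"))
        damaged = verify_backup(manifest, backup)
        return clean, damaged
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean copy:", clean)
    print("damaged copy:", damaged)
```

The manifest itself should live with the isolated backup rather than on the production host; if ransomware can rewrite both the copy and the manifest, the check proves nothing.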
A continuity plan should also be in place in case an organization becomes the victim of a ransomware attack, to ensure that a medical facility can continue providing key healthcare functions if health records happen to become inaccessible.<br />
Moving Forward with Tech in Healthcare<br />
The digitalization of medical information has introduced technologies that enable medical facilities to store and update patient records in real time, a big leap from the slow process of manual filing. However, these new technologies also give rise to new vulnerabilities.<br />
Healthcare organizations and medical facilities need to adopt not just the latest record-keeping tools but also the best security systems to protect their data, making their digitization holistic.<br />
Cybercriminals are constantly on the lookout for their next victims. Medical facilities should remain vigilant to ensure that they can provide the best protection possible for their patients.<br />
About the Author<br />
Dexter Caffey, Founder and CEO of Smart Eye Technology.<br />
Dexter Caffey founded Smart Eye Technology in January 2018. Prior to his tech startup, Mr. Caffey founded an alternative investment firm, Caffey Investment Group, in 1998 at the age of 25.<br />
While on a business trip to Israel in the fall of 2017, Mr. Caffey attended a cybersecurity conference. As he chatted with another conference attendee who was a cybersecurity expert, he happened to glance at the man’s laptop screen and saw open Word documents and PDF files.<br />
“Why should I be able to see any document on this guy’s laptop?”<br />
He asked himself, “what if I could create an app that prevented anyone else from seeing what’s on my screen? An app that would look at their face and say, ‘Nope, I only recognize Dexter’s face. We’re blocking you out.’” The idea and pursuit of a new type of technology to help protect the privacy of confidential information was born.<br />
Dexter can be reached online at LinkedIn and at our company website https://smarteyetechnology.com/<br />
Why Your Hospital Network Needs an IoT Security Policy<br />
By Marc Laliberte, Technical Security Operations Manager, WatchGuard Technologies<br />
The Internet of Things (IoT) industry has had a security problem since its inception. From the Mirai botnet that disrupted internet goliaths like Netflix, Twitter, and Reddit in 2016 to the recent Verkada security camera breaches that impacted tech giants Tesla and Cloudflare, IoT weaknesses have continued to be a popular tool in the cybercriminal arsenal despite constant warnings from security professionals. While these high-profile breaches draw attention to traditional IoT devices and their security concerns, other classes of IoT continue to skyrocket in adoption despite security concerns that are just as serious and breach consequences that are potentially even more disastrous. IoT in the healthcare industry is a perfect example of this trend. Industry experts place healthcare IoT adoption on track to reach a massive 25.9% compound annual growth rate (CAGR) by 2028, primarily because of the massive benefit that network-connected sensors and data sharing provide. But that benefit comes at the cost of an increased attack surface for threat actors.<br />
The medical industry faces a unique concern in that technical issues can turn into actual life-and-death scenarios. Additionally, healthcare delivery organizations (HDOs) like hospitals and clinics often rely on expensive, highly customized applications and devices, and are then hesitant to apply updates and patches to them for fear of breaking something and being left without their critical tools. Where traditional IoT typically comes as custom software running on a several-year-old flavor of Linux, medical IoT devices are often built on archaic versions of Microsoft Windows and Windows Server. In fact, last year researchers found 45% of medical devices were vulnerable to the critical BlueKeep Windows exploit, which Microsoft considered serious enough to release legacy patches for out-of-support versions of its operating system.<br />
IoT security concerns boil down to three main issues: 1) a lack of security considerations during manufacturing, 2) a lack of knowledge and visibility for those that deploy IoT, and 3) a lack of device update management after deployment. The first issue, security considerations during manufacturing, arises largely because most IoT consumers demand, first and foremost, devices that are inexpensive. When the only concerns are that the device is cheap and that it technically works, manufacturers lack the incentive to spend resources improving the security of their products. This leads to devices with weak hard-coded passwords, outdated software, and operating systems lacking even basic hardening protections. The 2016 Mirai botnet flourished not by exploiting some sophisticated zero-day vulnerability in IoT cameras, but by running through a list of 61 common usernames and passwords against a management interface left open by the device manufacturers.<br />
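As an added example (not from the article or from WatchGuard), the detection logic below looks for the Mirai pattern the paragraph describes, one source cycling through many usernames against a device’s management interface, in constructed sshd-style authentication lines as a syslog collector might receive them from a camera or gateway. The thresholds, hostnames and addresses are assumptions; the point is that a burst of failures across several usernames from one source, followed by a success, is the signature of a default or guessable credential being found.

```python
"""Detect credential guessing against an IoT management interface from auth logs.

Added example, not from the article or from any product. The log lines are
constructed in syslog/sshd style; hostnames, addresses (documentation
ranges) and the alert thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source cycles through common usernames and gets in;
# a legitimate user from the clinical VLAN mistypes once and then succeeds.
SAMPLE_LOG = """\
Sep  1 10:00:01 cam-lobby sshd[101]: Failed password for root from 203.0.113.7 port 50211 ssh2
Sep  1 10:00:02 cam-lobby sshd[101]: Failed password for admin from 203.0.113.7 port 50212 ssh2
Sep  1 10:00:03 cam-lobby sshd[101]: Failed password for invalid user support from 203.0.113.7 port 50213 ssh2
Sep  1 10:00:04 cam-lobby sshd[101]: Failed password for invalid user service from 203.0.113.7 port 50214 ssh2
Sep  1 10:00:05 cam-lobby sshd[101]: Failed password for root from 203.0.113.7 port 50215 ssh2
Sep  1 10:00:06 cam-lobby sshd[101]: Accepted password for admin from 203.0.113.7 port 50216 ssh2
Sep  1 10:07:10 cam-lobby sshd[102]: Failed password for nurse1 from 10.20.30.40 port 41000 ssh2
Sep  1 10:07:20 cam-lobby sshd[102]: Accepted password for nurse1 from 10.20.30.40 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+")


def parse_line(line, year=2021):
    """Parse one sshd auth line; syslog lines carry no year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {int(m['day']):02d} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_credential_guessing(log_text, window_s=60, min_failures=5, min_users=3):
    """One alert per source whose failures within any window_s span reach
    min_failures across at least min_users distinct usernames. A success from
    the same source after the burst is flagged, since it means a credential
    on the guess list worked on the device."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            users = {e["user"] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                last = burst[-1]["ts"]
                success = any(e["result"] == "Accepted" and e["ts"] >= last for e in evs)
                alerts.append({"src": src, "failures": len(burst),
                               "distinct_users": len(users),
                               "success_after_burst": success})
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_guessing(SAMPLE_LOG):
        print(alert)
```

The distinct-username condition is what separates this from an ordinary user mistyping a password; the same rule applied to telnet or web-login logs needs only a different regular expression.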
When it comes time to deploy IoT, network and systems administrators face the difficult task of managing devices where endpoint-based detection and visibility tools are either unavailable or highly discouraged, to reduce the risk of interfering with the device. IT teams also face the difficult task of identifying rogue IoT added to their networks by employees. While the devices themselves don’t hold much value for cyber criminals, infected IoT can act as a base camp for moving laterally behind a network’s perimeter.<br />
Even when researchers identify and disclose vulnerabilities in IoT devices, applying security updates often ranges from difficult to impossible. Many IoT deployments have no considerations for long-term maintenance, which means identified vulnerabilities stick around. Last year, researchers at JSOF identified vulnerabilities in a popular network connectivity library present on hundreds of millions of IoT devices, which they called Ripple20. Vulnerabilities like Ripple20 in traditional endpoints and systems are usually handled with a simple software update, but in embedded systems like IoT, applying those updates isn’t a simple task.<br />
Despite these security concerns, IoT is here to stay, and for good reason. Network-connected medical equipment enables healthcare professionals to provide faster and more accurate diagnostics and greater efficiencies at a time when our global healthcare system is under tremendous stress. IoT adoption is skyrocketing because the benefits outweigh the security concerns. But just because the security concerns are outweighed doesn’t mean they can be ignored. To successfully deploy these new technologies while maintaining a strong security posture, healthcare organizations must be proactive about defining an IoT policy that accounts for the additional care these devices require.<br />
While the most “secure” solution would be to unplug everything, there may be a very good reason to keep around that device running an out-of-date version of Windows even though it is a block of metaphorical Swiss cheese when it comes to security. Determining the business case for your IoT deployment is an important first step towards building a strong policy. Part of this process, though, is knowing what you have in the first place. IoT devices are notoriously difficult to keep track of due to a lack of compatible endpoint agents. This is where network visibility tools like scanners with robust fingerprinting engines come in handy, crawling through the dark corners of your network and spotting hosts you may have missed. Don’t treat this as a one-off exercise either: monitoring and visibility must be an ongoing process for it to be successful.<br />
You’ll also need to consider how you deploy IoT. This class of devices is one of the greatest beneficiaries of the zero-trust approach to security. Zero trust is a whole other discussion on its own, but the bulk of it comes down to moving to a never-trust, always-verify approach to security. Instead of treating your internal network like a safe haven protected by a shielded perimeter, consider the safeguards you need in place to stop a malicious user or endpoint already on the inside from wreaking havoc. For IoT, this means deploying devices on segregated networks away from your other systems and especially away from your most critical resources. If you find you have the business justification to keep around that unpatched system, protect it at the network level by restricting access to the specific ports and protocols required for that tool to function and by applying security services to those connections to identify network attacks and malware. Be sure to regularly audit your IoT devices with vulnerability scans and security assessments so you know what you need to defend against and aren’t blindsided by something you didn’t spot.<br />
Finally, make sure you are using your visibility tools to their full potential. Even if you can’t deploy protections on a device directly, you can still use tools to identify anomalous activity and raise the alarm in the event of something suspicious. Network intrusion detection systems can help cover the weak spots left open by IoT. The fact of the matter is, you will never stop 100% of attacks, and anyone who tells you otherwise is lying to you. If you keep all your eggs in the “prevention” basket while ignoring detection and response capabilities, you’ll end up having a significantly more difficult time identifying those incidents that do make it through your defenses.<br />
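Putting the segmentation advice and the detection advice of the last two paragraphs together, as an added example that is neither the article’s nor WatchGuard’s code: a per-device allowlist of the destinations, protocols and ports each medical device actually needs, checked against constructed flow records to raise alerts for off-policy traffic and for unknown hosts on the IoT segment, and rendered as nftables rules so the same allowlist that drives detection also enforces the segment boundary. Device names, addresses, the policy and the sample flows are all constructed.

```python
"""Zero-trust allowlist for a segregated medical-device VLAN, used two ways:
checked against flow records (detection) and rendered as firewall rules
(enforcement).

Added example, not from the article or from WatchGuard. Every device,
address, port and flow below is constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed policy: device address -> the (dst network, proto, port) tuples
# its clinical function needs. Anything else from that device is off-policy.
IOT_POLICY = {
    "10.50.1.10": {
        "name": "infusion-pump-07",
        "allow": [("10.10.0.5/32", "tcp", 443),    # device management server
                  ("10.10.0.53/32", "udp", 53)],   # internal DNS
    },
    "10.50.1.20": {
        "name": "imaging-ws-legacy",               # the unpatched Windows box
        "allow": [("10.10.0.9/32", "tcp", 104),    # DICOM to PACS
                  ("10.10.0.53/32", "udp", 53)],
    },
}

# Constructed flow records in a NetFlow-like shape: (src, dst, proto, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.50.1.10", "10.10.0.5", "tcp", 443, 2048),
    ("10.50.1.10", "10.10.0.53", "udp", 53, 120),
    ("10.50.1.20", "10.10.0.9", "tcp", 104, 900000),
    ("10.50.1.20", "10.10.0.12", "tcp", 445, 3500),      # SMB toward a file server
    ("10.50.1.10", "198.51.100.23", "tcp", 8080, 1500),  # pump talking to the internet
    ("10.50.1.99", "10.10.0.5", "tcp", 443, 700),        # host nobody inventoried
]


def _allowed(entry, dst, proto, port):
    """True when (dst, proto, port) matches one of the device's allowed tuples."""
    return any(ip_address(dst) in ip_network(net) and proto == p and port == pt
               for net, p, pt in entry["allow"])


def evaluate_flows(flows, policy):
    """Return one alert per flow that the allowlist does not explain."""
    alerts = []
    for src, dst, proto, port, nbytes in flows:
        entry = policy.get(src)
        if entry is None:
            alerts.append({"src": src, "reason": "unknown device on IoT segment",
                           "dst": dst, "proto": proto, "port": port, "bytes": nbytes})
        elif not _allowed(entry, dst, proto, port):
            alerts.append({"src": src, "device": entry["name"], "reason": "off-policy flow",
                           "dst": dst, "proto": proto, "port": port, "bytes": nbytes})
    return alerts


def to_nft_rules(policy, iot_if="vlan50"):
    """Render the allowlist as nftables rules: one accept per allowed tuple,
    then a final drop for everything else arriving from the IoT interface."""
    lines = []
    for src, entry in policy.items():
        for net, proto, port in entry["allow"]:
            lines.append(f'iifname "{iot_if}" ip saddr {src} ip daddr {net} '
                         f'{proto} dport {port} accept comment "{entry["name"]}"')
    lines.append(f'iifname "{iot_if}" drop')
    return lines


if __name__ == "__main__":
    for alert in evaluate_flows(SAMPLE_FLOWS, IOT_POLICY):
        print("ALERT", alert)
    print("\n".join(to_nft_rules(IOT_POLICY)))
```

Keeping detection and enforcement on one allowlist means an alert always corresponds to a rule the firewall would have dropped (or, if the flow record came from a mirror port, a rule that is missing); the unknown-host case is the visibility gap the previous paragraph describes.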
IoT has its proven benefits, but not without security drawbacks. It isn’t too late to get started on a strong IoT security policy and tackle those security concerns head on. With the right planning, paired with strong technical controls, you can make the most of what these devices have to offer and still sleep somewhat easily at night.<br />
About the Author<br />
Marc Laliberte is the Technical Security Operations Manager at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc’s day-to-day responsibilities include researching and reporting on the latest information security threats and trends. He has discovered, analyzed, responsibly disclosed and reported on numerous security vulnerabilities in a variety of Internet of Things devices since joining the WatchGuard team in 2012. With speaking appearances at industry events including RSA and regular contributions to online IT, technology and security publications, Marc is a thought leader who provides insightful security guidance to all levels of IT personnel.<br />
Marc can be reached online at @XORRO_ and at https://www.watchguard.com<br />
Offense Activities Sharing in Criminal Justice Case<br />
By Milica D. Djekic<br />
A criminal justice case can include a broad spectrum of details that need to be explored in depth and investigated by the case management team and the other officers involved. Offense activities are not limited to the crime scene; they can be delivered, shared and transferred domestically, regionally or transnationally. In this effort we analyze a common criminal justice scenario, theft, which is typically committed in busy places and targets victims who stop or slow down as they move. Thieves can operate in any public area, independently or as a group, and since it is hard to imagine a thief working without any communications or logistics, or being entirely separated from his zone, it is clear that such an offender may belong to a criminal group conducting a joint offense operation. Through this article we intend to introduce the terms Offense-as-a-Teaming (OaaT) and Crime-as-a-Teaming (CaaT), and to explain how some kinds of criminality can pull in a number of offenders to commit the offense together. The theft discussed here does not in any way imply organized crime, but it can still involve several criminals on the spot and some in the background. The offense activities conducted at the crime scene and beyond can include the sharing of goods, money, communications and logistics resources, which are of vital significance in carrying out the criminal or other offense. In other words, all offense activities should be studied carefully and step by step, as the entire<br />
crime scene can be a complex and dynamic environment offering plenty of details and actions. For instance, taking money from the victim and handing it to a co-offender is a crime scene activity shared across the criminal justice case. OaaT and CaaT are the terms that cover events occurring while the offense is committed on the spot, and both phrases are explained later in this effort. Theft by itself carries the connotation of a less serious crime, and even though it may seem that it can be understood through some kind of regular model, the situation in practice is far more complicated. The main reasons are that theft can happen anywhere in public, and it is sometimes quite challenging to provide accurate and timely information about where, when and how the offense occurred. In other words, it is up to the investigators to resolve such a complaint and document the entire criminal justice scheme in order to contribute to future crime prevention. Next, it is important to deal with comprehensive crime scene modeling and management in order to understand the entire event and all its actors in depth. Communications linkage is the best way to diagnose the entire case and figure out how many offenders were engaged in the crime scheme. Through this contribution we want to stress the standard criminal justice scenarios regarding the theft offense, and to offer some starting points for how such a crime could be resolved completely and in detail, following the procedures and best practice that are well developed within any competent law enforcement agency and its case management groups.<br />
Introduction<br />
The purpose of this review is to give law enforcement officers conducting investigations some ideas and perspectives on how they can investigate a usual crime such as theft. Normally thieves choose overcrowded spots such as downtowns, public transportation and shopping areas, because those are the places where people carry money, jewelry and credit cards. People in busy places are in a rush, and the offenders know this because they are present on the spot and monitor every move made there. Their experience teaches them that it is quite unsafe to take anything from anyone who is walking fast. Also, anyone who is physically strong can resist if he notices someone putting fingers into his pocket. These are challenges for thieves, so they keep an eye on everyone and patiently wait for their target to stop or slow down before conducting their operation. If someone is in good shape and moving quickly the offender may still attempt the offense, but there is a realistic chance that he misses the catch or gets into trouble if the targeted person decides to strike back. So skillful thieves choose to attack once someone has stopped or slowed down, for example while boarding a bus at peak hour. At such a time the flow of people in public is high, and persons waiting at the bus doors to board must slow down, which is a convenient moment to attack that person from behind. It cannot be guaranteed that the thief gets a catch in every attempt, but people using public transportation sometimes carry something valuable. When we consider a public spot such as a shopping center, it is obvious that shoppers need to slow down when they pay, pack their bags or transfer goods from their cart into their cars. Common sense suggests to the thief that this is the perfect moment to attack, and in such a case his chances of a good catch only increase. The situation is similar in any downtown, where a lot of people are concentrated in a small area and the offender commonly circulates through that spot. In other words, no thief in action rests until a victim from the crowd stops for a moment to check something, and once the incident occurs the criminal does not remain close to that place but keeps moving, trying to leave the crime scene.<br />
<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2021</strong> <strong>Edition</strong> 102<br />
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.
Someone good at the theft trade has the skill to steal anything from anyone without being noticed. Public places offer plenty of spots to sit or stand aside, and experienced thieves use that to stay inconspicuous while observing the terrain. If they notice anyone walking slowly or taking a break they attack, and if their estimate was accurate they are satisfied with what the theft yielded. Thieves operate as a team because a team controls its zone better and its members cover each other more safely. They also rely on logistics to escape from the crime scene; a theft team may use any form of transport to reach the scene or to leave it with the catch. Experienced police officers recognize criminal behavior easily, and the offenders know this, so they adopt new tactics and techniques to remain inconspicuous. One well-known tactic is attention to appearance and outfit: intelligently chosen clothes make anyone blend into the environment. There are also standard behavioral and habit patterns that point to suspicious activity. Law enforcement has the task of providing a certain level of safety and security to the community, and for that reason it must study current tendencies, since that is the best way to prevent and respond to crime. If it is well known that theft happens in crowded areas, those spots need to be monitored from time to time. The role of law enforcement is to remove crime from the street while providing relatively safe working conditions for its own workforce. That is difficult to achieve, which is why it is necessary to think smart in order to protect everyone, including members of the public, from being attacked or harmed.
The main question for thieves in public is how to remain less visible to ordinary people and to the authorities on patrol. The concern of any thief is how to steal something from someone skillfully and secretly enough not to attract attention from the victim's surroundings. Thieves choose to attack the weak, the old and those who are slowing down, because such people will not notice the offense at that moment or will not be able to resist even if they become aware of it. Towns, cities and other populated areas are known for their rush, fast pace and overcrowding, so victims there can simply be caught by local criminal groups and left in shock, sometimes injured by the offenders. The most reliable moment for the offender to attack and take something from the victim is when that person has stopped or slowed down. That may happen when the person is making a phone call, texting in public or using a phone booth on the street. In such a situation the potential victim is less aware of what is going on around them, and the experienced street criminal knows how to take advantage of it. Thieves are not afraid of the street and can spend hours outside waiting for the right moment to attack. Practice shows that they use camouflage tactics to remain inconspicuous, so it is not surprising that they pretend to be taking a break somewhere or doing whatever is common at that busy spot. Good criminologists study the psychology of these street predators in depth and know that the offenders can count on one or more accommodations in convenient parts of the populated area, which serve them to rest, get food and drink or change clothes. Once at the crime scene the offenders show confidence in what they do, and the seriously heavy cases show no fear even when they see the police on the spot. They have strong nerves and can find a way to leave the site calmly in any situation. The best way to hide in an environment is to be part of it, and a criminal who can change his appearance depending on where he is at a given time will win the contest against the authorities as well as against the victim. It may seem that sending a patrol car or officers on foot is a good preventive measure against theft. In our opinion that can make less confident criminals hesitate, but the experienced street predators will continue doing what they normally do. Theft brings good profit and no one gives it up willingly. There are relatively safe places in the world, but most cities anywhere on the globe would face some form of violence if the authorities decided on such an aggressive approach. So, if theft in public is to be prevented, a smart game must be played against those individuals, and further on in this article we explain some of the best techniques for avoiding false positives.
Theft as a crime is well studied in practice, and anyone dealing with that kind of offense knows how hard it is to combat the criminal groups that commit it. In our understanding it is a joint offense; in other words, it is difficult to imagine a lone-wolf thief. Popular tourist destinations are very suitable spots for theft, and experienced offenders simply watch how foreigners who do not belong to the local community deal with an unfamiliar environment. The offenders know every part of the area, while the tourists do not know even the basic orientation. Tourists usually rely on maps or another navigation system and commonly stop to ask for information, so they are more than obvious to local criminal groups as people from abroad. People on a journey are relaxed; they spend plenty of time sightseeing or taking photos and videos without paying attention to what is happening around them. There are also many opportunities to buy souvenirs for family and friends, which tourists enjoy. In addition, local thieves are confident about their zone, while visitors know nothing or very little about the territory. There is also a realistic chance that some of the less serious thefts will never be reported to the local authorities, because tourists simply give up on a complaint when they know nothing about the local police. Many do not speak the local language, so they may be too intimidated to attempt anything. The most important items such as passports and travel tickets may be left in the hotel room, while objects like cameras, money and credit cards go on the excursion with the visitor. Those things are the ones under threat, and thieves carefully choose to commit crimes that will never be reported to law enforcement agencies. Sometimes people are not even sure whether an object was stolen or merely lost somewhere. Stealing the credit card of someone enjoying an excursion carries a risk, but that risk can bring good profit. Put differently, street predators concentrate on getting something valuable, such as jewelry, watches, video cameras or cash, or anything else the victim is not focused on while enjoying a beautiful time in some world-famous place.
On the other hand, thieves develop a strong need to be active and always on the move in order to evade criminal justice. Their victims may be either domestic or international; in big places most sightseeing spots are normally overcrowded with visitors, and the offenders circulate there looking for someone who is relaxed and unaware of the dangers of an unknown environment. These street predators understand the psychology of their victims deeply and estimate the right moment to attack almost flawlessly. In our belief, theft is a joint offense that occurs under certain circumstances which should be studied by skilled criminologists capable of analyzing those tendencies. The added challenge is that so many of these offenses are never reported to the police, so the authorities are left without any information about them. At the very beginning of this article we introduced two terms, Offense-as-a-Teaming and Crime-as-a-Teaming, so it is worth saying a bit more about them. Offense-as-a-Teaming (OaaT) is any act of violation or criminality that requires more than one actor to be committed; such an offense is a joint effort to break the law or another legal regulation. Crime-as-a-Teaming (CaaT) is the same idea applied to something fully criminal and conducted as a joint activity. In this article we discuss the possibilities of tackling theft as an offense in the community through preventive as well as diagnostic measures. This form of criminality can be challenged by calling in patrol forces, but that step can be counter-productive because it can cause some kind of street violence. The greatest weakness of anyone committing OaaT or CaaT is his dependence on a team that stays connected through communications technology. In other words, if we develop intelligent methods for modeling and controlling the crime scene that rely on cyber networks, we can count on an adequate response to such illegal activities, which consequently become better prevented.
The need for reliable communications
What OaaT and CaaT have in common is teaming: a joint activity that relies on the team as the lawbreaking unit. The biggest challenge for such a group is how to operate in public while staying in touch with one another. The offenders count on each other and frequently need each other for cover and protection. There is no true trust among criminals; they only follow the rules typical of their environment. The point is that these individuals must somehow manage their communications and information exchange, so like anyone else they develop a dependence on emerging technology. Since the first modern communications systems appeared, history has moved faster than ever and all of humankind has begun living at an extremely rapid pace. The criminal environment is no different: it exchanges findings within sub-second intervals. In other words, like everyone else, criminals have become dependent on cyber solutions. To recall, "cyber" here means anything connected with the internet, computers and mobile systems, and at this stage of our development all of that is commercially available. So the offenders committing theft also need reliable communications, and they commonly use cell phones, mobile devices, internet connectivity and satellite communications to keep in contact with each other. Once they are on their terrain looking to commit a crime, they talk to each other using current communications solutions. That is a great trap for them, because it is how they leave a trace in cyberspace and become more reachable by the authorities. To be honest, there is no silver bullet in any field, and criminology is no exception: no approach gives instant results or resolves literally everything. What we can do here is make some suggestions about how basic theft cases might be handled using policing procedures, policies and best practices.
On the other hand, it is important to understand how a theft unfolds, and to realize that any offender carries a communications device that sends and receives radio signals. With professional equipment the police can detect that radio activity, and that is one way the offenders can be discovered. The problem is that the victim of a theft is not necessarily aware of when the crime occurred, so the authorities only have a complaint that something was stolen, without knowing how or when. In other words, at the first stage the police may face a very wide crime scene that must somehow be searched. In this paper we offer some tips and guidelines on how an investigation into a theft offense might be run, but, as we said, such an approach is not necessarily the winning one in practice. The tendency, as noted, is that thieves choose to attack when the victim has stopped or slowed down, so once the investigative team has inspected the crime scene and started looking in cyberspace for more clues, it can first try to capture those moments in the victim's cell phone signal when he stopped or slowed down. For each such moment it is important to look for the electronic devices closest to the victim, because some of them may belong to the thief; if that method yields something about the identity of the offender, the entire team behind the offense can be diagnosed and put under the case. This tactic can clearly offer some results in an investigation, but it is neither fully comprehensive nor straightforward, and it takes a lot of hard work and smart thinking before it benefits the investigators. It is possible to uncover the whole criminal group by following this suggestion, but there is no guarantee that a given case will be resolved by this strategy alone. In other words, the victim reports the theft, the investigation applies the most common tactics to tackle the case and discover who committed the crime, and for that purpose it is important to look for the track in cyberspace.
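The stop-and-neighbor idea above can be made concrete. The following is an added example, not code from the article or its author: it detects the intervals in which a victim's trace stands still, lists the devices recorded near the victim during each interval, and then keeps only the devices that recur across several stops, which is how the one-off bystanders (the false positives the article worries about) are filtered out. The local x/y grid in meters, the device IDs and every position fix are constructed for the illustration; real cell-site or Wi-Fi location records are much coarser than this and can only be obtained with lawful authority.

```python
# Added example (not from the article): screening device traces around the
# victim's stops. Every value below (local grid in metres, device IDs, fixes)
# is constructed for illustration only.
from collections import defaultdict
from dataclasses import dataclass
from math import hypot


@dataclass(frozen=True)
class Fix:
    t: int      # seconds since the start of the trace
    x: float    # metres east on a local grid (constructed)
    y: float    # metres north on a local grid (constructed)


def detect_stops(track, min_duration=60, radius=15.0):
    """Find intervals in which the victim stayed within `radius` metres of
    the point where the interval began for at least `min_duration` seconds.
    Returns a list of (t_start, t_end, centre_x, centre_y)."""
    stops = []
    i, n = 0, len(track)
    while i < n:
        j = i
        while (j + 1 < n and
               hypot(track[j + 1].x - track[i].x,
                     track[j + 1].y - track[i].y) <= radius):
            j += 1
        if track[j].t - track[i].t >= min_duration:
            fixes = track[i:j + 1]
            cx = sum(f.x for f in fixes) / len(fixes)
            cy = sum(f.y for f in fixes) / len(fixes)
            stops.append((track[i].t, track[j].t, cx, cy))
        i = j + 1
    return stops


def devices_near(devices, stop, radius=25.0):
    """IDs of devices with at least one fix inside `radius` metres of the
    stop centre while the stop lasted."""
    t0, t1, cx, cy = stop
    return {dev for dev, fixes in devices.items()
            if any(t0 <= f.t <= t1 and hypot(f.x - cx, f.y - cy) <= radius
                   for f in fixes)}


def rank_candidates(victim_track, devices, min_stops=2):
    """Count, per device, how many of the victim's stops it was present at.
    A bystander is expected at one stop; a device that keeps turning up
    across several stops is the one worth a closer look."""
    stops = detect_stops(victim_track)
    seen = defaultdict(int)
    for stop in stops:
        for dev in devices_near(devices, stop):
            seen[dev] += 1
    return stops, {dev: c for dev, c in seen.items() if c >= min_stops}


# Constructed victim trace: walks east at 1.5 m/s, waits at a bus stop
# (t=100..200 s), walks on, then pays at a shop (t=400..520 s).
VICTIM_TRACK = [Fix(t, 1.5 * t, 0.0) for t in range(0, 100, 20)] + [
    Fix(100, 150, 0), Fix(120, 151, 1), Fix(140, 152, 0), Fix(160, 150, 2),
    Fix(180, 151, 1), Fix(200, 150, 0),
] + [Fix(t, 150 + 1.5 * (t - 200), 0.0) for t in range(220, 400, 20)] + [
    Fix(400, 450, 0), Fix(420, 452, 1), Fix(440, 451, 2), Fix(460, 450, 1),
    Fix(480, 452, 0), Fix(500, 451, 1), Fix(520, 450, 0), Fix(540, 480, 0),
]

# Constructed device traces (IDs are placeholders):
#   dev-A shadows the victim through both stops,
#   dev-B is a bystander at the bus stop only,
#   dev-C is elsewhere the whole time,
#   dev-D is a bystander at the shop only.
DEVICES = {
    "dev-A": [Fix(110, 160, 5), Fix(300, 310, 4), Fix(430, 458, 6)],
    "dev-B": [Fix(130, 140, -10), Fix(450, 140, -12)],
    "dev-C": [Fix(150, 800, 300), Fix(470, 800, 300)],
    "dev-D": [Fix(150, 900, 10), Fix(480, 445, -5)],
}

if __name__ == "__main__":
    stops, suspects = rank_candidates(VICTIM_TRACK, DEVICES)
    for stop in stops:
        t0, t1, cx, cy = stop
        print(f"stop {t0}-{t1}s near ({cx:.0f}, {cy:.0f}): "
              f"{sorted(devices_near(DEVICES, stop))}")
    print("present at two or more stops:", suspects)
```

With the constructed data the bus stop yields dev-A and dev-B, the shop yields dev-A and dev-D, and only dev-A survives the two-stop filter. The thresholds (15 m dwell radius, 60 s minimum dwell, 25 m neighbor radius) are assumptions tuned to GPS-grade data; with cell-site records they would have to be widened to the cell's coverage, and the output is a lead to corroborate, not an identification.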
The most common way for offenders to exchange information at the crime scene or beyond is through GSM, GPRS, GPS and TCP/IP communications and navigation channels. A simple smartphone offers that whole spectrum of services, so forensic detectives should look for the very first track right there. In practice a theft crime scene may be investigated and reconstructed in great depth, but it is also important to take into account that theft teams steal not only money but commonly valuable objects as well. For instance, if someone's laptop, credit card or camera has been stolen on the spot, the criminals will clearly not keep those items in their accommodation; they will rather find ways to profit from the stolen goods. In other words, street predators are usually connected to the wider black market, and our suggestion that the entire criminal ring can be tracked in cyberspace has its arguments in that case too. So what is crucially needed in responding to such a challenging offense, or group of offenses, is skill in both the physical and the high-tech domain; if the necessary procedures and policies have not yet been developed, law enforcement agencies should work hard to do so effectively and in that way understand and tackle this complex landscape.
The common logistics schemes
It is interesting to consider how it works when a theft is happening at the crime scene and the offenders are relying on some logistics support. Theft can be committed both in a public place and on public transport, and in both cases the offenders need good tactics for avoiding any complications at the scene. If the crime is happening in a busy place, there will obviously be private vehicles in the parking areas that can serve as logistics backup. In other words, the offenders need to arrive at and escape from the crime scene, and for that purpose they use either private vehicles with someone sitting inside waiting for them, or the public transport network. In both cases the risk is more or less similar. A well-known scheme is for someone acting as logistics backup to use cyber technology to track the offender's route on a mobile map, looking for the most appropriate moment to come and pick the criminal up from the scene. A common scenario is that the thieves have accommodation somewhere in town which they use to rest and attend to basic needs. That accommodation can be regarded as their nest, where they prepare for the offense, plan the crime and keep some of the stolen goods before they are sold on the black market. In addition, the logistics side can also rely on cyber technology for monitoring, tracking and navigating the criminals on the spot, usually from the background. Experience suggests that thieves are not necessarily in the same zone all day but rather shift from one area to another, which is both good camouflage and an intelligent tactic for avoiding law enforcement officers. In any case, theft as a crime can be a huge challenge and a source of competitive profit; it makes community members unsafe, and the whole society suffers if the response to such a scheme is inadequate.
The ways of escaping from the crime scene
In practice the offenders may stay close to the crime scene after committing the crime, or they may try to escape either immediately or after some delay. If the crime is happening downtown, the offenders may have secret spots to hide in, and if a seizure begins they can either hide in the crowd or leave the scene promptly using their own vehicles or public transport. Police patrols are always close to any neighborhood, and once someone reports that something has been stolen the officers come to inspect. In criminology theft is considered a less serious crime, but it should not be viewed that way, because it brings good income to anyone in that business. In other words, it is important to deal with this crime tendency and produce well-researched reports that help any police department to understand, tackle and respond to the concern.
Discussions & Conclusions
Investigating theft is not an easy task; the whole investigation must rely on well-developed procedures, with evidence collection as the ultimate goal of case management. It is also necessary to understand the psychology of both the offender and the victim in order to recognize the trends on the street. Everything must be done according to the law, and the investigation is updated hour by hour in order to keep its course and choose new methods and tactics for gaining findings and clues. The investigators assigned to such cases can, through experience, demonstrate a high level of proficiency in criminal investigation as well as innovative approaches to their tasks. Finally, there are some suggestions and guidelines on how this kind of crime might be resolved, but the wider social and cultural trends must also be followed.
About The Author
Milica D. Djekic is an Independent Researcher from Subotica, the Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for domestic and overseas publications and is also the author of the books "The Internet of Things: Concept, Applications and Security" and "The Insider's Threats: Operational, Tactical and Strategic Perspective", published in 2017 and 2021 respectively by Lambert Academic Publishing. Milica is also a speaker on the BrightTALK expert channel. She has been a member of ASIS International since 2017 and a contributor to the Australian Cyber Security Magazine since 2018. Milica's research efforts are recognized by the Computer Emergency Response Team for the European Union (CERT-EU), Censys Press, BU-CERT UK and the EASA European Centre for Cybersecurity in Aviation (ECCSA). Her fields of interest are cyber defense, technology and business. Milica is a person with disability.
Cybersecurity Challenges of Working from Home during COVID-19 Pandemic and a Proposed 8 step WFH Cyber-attack Mitigation Plan
By Glorin Sebastian, Senior Consultant, EY
This article is a review of the study conducted and presented by the author at the 36th IBIMA conference in Granada, Spain. It has been widely discussed that one of the main cybersecurity problems of the Covid pandemic and the increase in remote work is that, even though working from home provides greater productivity and flexibility, employees working from home have a higher chance of becoming victims of cyber incidents and a much higher chance of their systems being infected by malware or a virus [1].
Glorin's study aimed to confirm this issue and also to identify a framework of cybersecurity controls that could be used to mitigate the cyber-attacks remote employees may face while working from home. In the survey conducted as part of Glorin's study [2], over 60% of the respondents agreed that there has been an increase in fraudulent emails, phishing attempts and spam to corporate email since the start of the Covid-19 pandemic. Based on the survey responses and on best practices, an 8-step WFH Cyber-attack Mitigation Plan was proposed. The steps in the plan are:
1. Remote Monitoring: Install centralized network scanning, including firm firewalls that restrict network traffic. This step also includes securing the home network and router, making sure the router runs the latest firmware and that auto-updates are enabled. The internet service provider can provide instructions on how to securely configure the router.
2. Incident Management: Incident management by the firm's IT team should be enabled on the employee IT systems used for remote work, as an extension of firm-level IT monitoring, and includes a SIEM (Security Information and Event Management) system that provides real-time analysis of the security events generated.
3. Employee training: Employees must be given appropriate training so that they are aware of the various cybersecurity attacks they could face while working remotely. This includes choosing the correct security settings on their work devices, such as selecting the WPA2 option (or WPA3 where the router supports it) for stronger Wi-Fi security.
4. Access controls: Ensuring that users have proper access controls and maintaining segregation of duties between two conflicting business functions is important. Another way to implement access controls is network segmentation, by creating multiple subnets in the home network, each with its own SSID to connect to. One could be used for office work, another for family and a third for home devices. Thus, once a device is compromised, it cannot easily be used to eavesdrop on the other subnets. Separate SSIDs only help if the router also refuses to route or bridge traffic between the segments; otherwise they are one network with three names.
5. Backups and BIA Recovery plans: The firm's disaster recovery plan should include backups and a BIA (business impact analysis) that sets the priorities for effective communication, mitigation and recovery in case of critical cyber-attacks, and this recovery plan should be extended to the firm IT systems used by employees for work from home as well.
6. VPN & Multi-Factor Authentication: Using both a VPN (virtual private network) and MFA (multi-factor authentication) protects user data. Employees who access company data over a VPN ensure that data in motion between the two devices over the public network is protected as if they were on a private network, while MFA ensures that a stolen or phished password alone is not enough to log in. It is also crucial to change the router's default SSID (Service Set Identifier), as well as the administrative password and the network password. Passwords should be passphrases, which are usually harder to crack, and password reuse should be prohibited by firm policy.
7. Vendor Security controls: Given that many critical business processes and data are outsourced to vendors, it is important to ensure that the controls, especially the security controls, on the vendor side are effective.
8. End-point Security and patching: Endpoint security ensures that each endpoint connected to the central corporate network complies with the organization's standards, and thus protects employee systems from malware, ransomware and similar cyber-attacks.
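Steps 3, 4 and 6 above (Wi-Fi encryption, one subnet per SSID, and no default SSID or password) can be implemented on a home router in one go. The fragment below is an added example, not from the article or the study it reviews; it uses the UCI configuration file syntax of OpenWrt 21.02 or later for one segment, and the interface name, SSID, address range and passphrase placeholder are assumptions to be replaced. The family and home-device segments are the same four stanzas with their own names and a different /24 (for example 192.168.20.0/24 and 192.168.30.0/24).

```text
# /etc/config/wireless -- one SSID per segment, bound to its own network.
# The weak default this replaces is a single vendor-named SSID on 'lan'
# with encryption 'none' or WEP. 'sae-mixed' is WPA3-SAE with WPA2-PSK
# fallback (needs the full wpad package); use 'psk2' for WPA2 only.
config wifi-iface 'work_ap'
        option device 'radio0'
        option mode 'ap'
        option network 'work'
        option ssid 'hg-work'
        option encryption 'sae-mixed'
        option key 'CHANGE-ME-to-a-long-random-passphrase'

# /etc/config/network -- the segment is its own bridge and its own /24.
config device
        option name 'br-work'
        option type 'bridge'

config interface 'work'
        option device 'br-work'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

# /etc/config/dhcp -- the router hands out addresses on the segment.
config dhcp 'work'
        option interface 'work'
        option start '100'
        option limit '150'
        option leasetime '12h'

# /etc/config/firewall -- the segment may reach the internet and the
# router's DNS/DHCP and nothing else. No 'forwarding' stanza points at
# 'lan' or any other segment, so a compromised laptop cannot reach them.
config zone
        option name 'work'
        list network 'work'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'work'
        option dest 'wan'

config rule
        option name 'work-dns'
        option src 'work'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'work-dhcp'
        option src 'work'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'
```

For the home-device segment add `option isolate '1'` to its wifi-iface stanza so that its clients cannot even see each other. The router's own administrative password is not in these files and must be changed separately (on OpenWrt, with `passwd`). A quick check after applying the configuration: from a laptop on the work SSID, DNS lookups and internet access should work, while pinging the router's address on another segment (for example 192.168.20.1) or any device on the family SSID should fail.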
FOOTNOTES:
[1] John Egan and Daphne Foreman, "6 Cybersecurity Tips When You Work From Home", https://www.forbes.com/advisor/personal-finance/cybersecurity-tips-when-you-work-from-home/
[2] Glorin Sebastian (2021), "A Descriptive Study on Cybersecurity Challenges of Working from Home during COVID-19 Pandemic and a Proposed 8 step WFH Cyber-attack Mitigation Plan", Communications of the IBIMA, Vol. 2021 (2021), Article ID 589235, DOI: 10.5171/2021.589235, https://ibimapublishing.com/articles/CIBIMA/2021/589235/589235.pdf
About the Author
Glorin Sebastian is a Senior Consultant in the Technology Consulting practice of one of the big four accounting firms, with over seven years of experience in IT risk and cybersecurity compliance. He is a certified CISSP and CISA, and performs IT regulatory and cybersecurity audits as well as working to mitigate firm IT risks by designing and implementing effective application security and controls for ERP system implementations. As a part-time Master's in Cybersecurity student at the Georgia Institute of Technology, he also does part-time cybersecurity research aimed at some of the common cybersecurity issues. You can connect with Glorin on LinkedIn (Glorin Sebastian CISSP, CISA - Advisory Senior Consultant - EY).
<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2021</strong> <strong>Edition</strong> 110<br />
Copyright © <strong>2021</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.
HTML Smuggling: A Resurgent Cause for Concern
By Vinay Pidathala, Director of Security Research, Menlo Security
Cybersecurity is never straightforward.
While defense techniques, technologies, policies and methodologies continue to evolve at pace, such defenses often trail in the wake of novel cyber attacks that seek out and exploit vulnerabilities in new ways, catching security teams off guard.
Indeed, recent times have provided many headaches for security professionals. Cybersecurity Ventures estimates that cyber attacks in 2021 will cost approximately $6 trillion collectively, and the situation isn't forecast to improve any time soon: with damages expected to grow by a further 15% a year for the next four years, total cyber attack damages could reach $10.5 trillion by 2025.
One of the main concerns today is the rapidly growing number of techniques that cybercriminals are adding to their arsenal. Whether malware, ransomware, DDoS attacks or phishing, they continue to expand and refine their techniques, with each new one more damaging than the last.
HTML Smuggling explained
HTML Smuggling is a prime example of this in action.
While the broad concept itself is nothing new, the technique is making something of a resurgence, having recently been used by Nobelium, the group behind the SolarWinds supply-chain attack uncovered in December 2020.
In simple terms, HTML Smuggling lets attackers bypass perimeter security by having the malicious file assembled on the far side of the firewall: JavaScript in an otherwise ordinary HTML page builds the file inside the browser on the target endpoint.
Because the payload is constructed in the browser, no file object crosses the network as a download, and a file download is exactly what network perimeter security systems typically inspect. As a result, many commonly used, traditional security solutions, such as sandboxes and legacy proxies, can be sidestepped by HTML Smuggling.
ISOMorph – a new variation
This is what happened in the case of Nobelium's HTML Smuggling attack that we are calling ISOMorph. Here, the popular voice, video and text communication platform Discord, home to more than 150 million active users, was targeted.
With ISOMorph, HTML Smuggling drops the first attack element onto the victim's computer. Because it is assembled on the endpoint itself, the network never sees a file to inspect, removing the usual opportunity for detection. Once it is run, the attackers execute a payload that infects the computer with a remote access trojan (RAT), before setting about logging passwords and exfiltrating data.
While the resurgence of HTML Smuggling through ISOMorph is new, it shouldn't come as any great surprise. From the attacker's perspective, it is a logical avenue to pursue.
Thanks to the pandemic, remote and hybrid working has become the norm. With these working models now commonplace, the increased use of cloud services and the expansion of organizations' digital footprints have exposed a series of new security challenges.
Today, the browser plays a more vital role in day-to-day operations than ever before, yet it remains one of the weakest links in the cybersecurity chain, making HTML Smuggling an all the more attractive proposition to threat actors.
From access to execution
So, what should we be looking out for in the case of an HTML Smuggling attack?
In the case of ISOMorph, Menlo Security's analysis has shown that attackers are using both email attachments and web drive-by downloads to achieve initial infection.
Thereafter, using JavaScript, they adopt a technique that web developers often use to optimize file downloads: the file's bytes are carried inside the HTML page itself (typically as a Base64 string), decoded by JavaScript into a Blob object in the browser, and handed to the user as a download, rather than the browser making an HTTP request that retrieves the asset from a web server.
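The download-assembly technique described above, shown from the defender's side as an added example that is not Menlo Security's code or analysis: a scanner that flags the combination of indicators HTML smuggling relies on and decodes the embedded payload so its file type can be identified before any browser builds it. The two pages it scans are constructed samples; the "smuggling" one carries a harmless text file named to look like an ISO.

```python
from __future__ import annotations
import base64
import re

# Indicators that co-occur when a page assembles a file client-side and forces a
# download (the HTML smuggling shape). Each one is legitimate on its own.
INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "legacy_ie_save": re.compile(r"msSaveOrOpenBlob"),
    "synthetic_click": re.compile(r"\.click\s*\(\s*\)"),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# A long run of base64 characters inside a JS string literal: the embedded file.
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")
# Magic bytes worth reporting once the payload has been decoded.
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP/OOXML", b"%PDF": "PDF", b"Rar!": "RAR"}
ISO_MAGIC_OFFSET, ISO_MAGIC = 0x8001, b"CD001"   # ISO 9660 primary volume descriptor

def _inline_js(html: str) -> str:
    return "\n".join(SCRIPT_RE.findall(html))

def scan_html(html: str) -> dict:
    """Indicators hit across all inline scripts, plus a verdict on the smuggling shape."""
    js = _inline_js(html)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(js))
    literals = B64_LITERAL_RE.findall(js)
    # Blob construction + forced download + an embedded literal is the tell-tale combination.
    suspicious = {"blob_constructor", "forced_download"} <= set(hits) and bool(literals)
    return {"indicators": hits, "embedded_literals": len(literals), "suspicious": suspicious}

def extract_payload(html: str) -> bytes | None:
    """Decode the largest base64 literal found in the page's scripts (None if there is none)."""
    literals = B64_LITERAL_RE.findall(_inline_js(html))
    return base64.b64decode(max(literals, key=len)) if literals else None

def identify_payload(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "ISO 9660 disk image"
    return "unknown/other"

# Constructed sample page using the smuggling pattern to carry a harmless text file;
# the base64 is generated here rather than pasted so the sample stays honest.
HARMLESS_PAYLOAD = b"This is a harmless test file used to exercise the scanner.\n" * 2
SMUGGLING_PAGE = f"""<html><body><p>Loading your document...</p>
<script>
  var b64 = "{base64.b64encode(HARMLESS_PAYLOAD).decode()}";
  var bytes = Uint8Array.from(atob(b64), function (c) {{ return c.charCodeAt(0); }});
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "report.iso";
  document.body.appendChild(a);
  a.click();
</script></body></html>"""

# Constructed benign page: decodes a short base64 value but assembles no file.
BENIGN_PAGE = """<html><body><script>
  var name = atob("Qm9i"); document.title = "Hello " + name;
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("smuggling", SMUGGLING_PAGE), ("benign", BENIGN_PAGE)):
        verdict = scan_html(page)
        payload = extract_payload(page)
        print(label, verdict, identify_payload(payload) if payload else "no payload")
```

A gateway or mail filter that applies this to inbound HTML attachments sees the file the browser would have built, which is the inspection opportunity the network otherwise loses. Obfuscated scripts (string splitting, `eval`, payloads fetched in chunks) will defeat the simple regexes here, so treat the verdict as a trigger for detonation or isolation rather than a final decision.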
With ISOMorph, the payload in question was an ISO file, a disk image that contains all the components needed to install the software. The benefit of an ISO for the attacker is that modern Windows mounts it natively, so the endpoint needs no third-party software to open it. In this instance, ISOMorph also achieved persistence by creating a directory on the endpoint for its components.
An ISO is also an example of a file type that many web and email gateway devices do not unpack and inspect.
In analyzing the ISO files used in the campaigns we were monitoring, we found that they contained a VBScript which, when run, executed further malicious script and fetched additional PowerShell scripts that in turn downloaded files to the endpoint.
The malicious code is also executed by proxy, through trusted components already on the endpoint. We saw MSBuild.exe used, for example: a Microsoft-signed build tool that is typically allow-listed, so code it hosts attracts less scrutiny. Here, ISOMorph used reflection to load a DLL directly into memory and then injected the remote access trojan into the MSBuild.exe process, so that the RAT ran inside a trusted process and never touched disk as an executable, evading file-based antivirus.
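The execution chain described in these paragraphs (script host, then PowerShell, then MSBuild.exe hosting a payload) is what an endpoint detection rule should look for, since the network has already been bypassed by the time it runs. The following added example, which is not part of the article or of Menlo's tooling, runs three such rules over constructed process-creation records; the PIDs, paths, drive letter and encoded command are illustrative.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    """The fields of a process-creation record (Sysmon Event ID 1 / Windows 4688) used here."""
    pid: int
    ppid: int
    image: str
    cmdline: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PROJECT_EXT = {".sln", ".proj", ".csproj", ".vbproj", ".vcxproj", ".fsproj"}
PS_FETCH_TOKENS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                   "-enc", "-encodedcommand", "frombase64string")

def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def extension(arg: str) -> str:
    arg = arg.strip('"').lower()
    return arg[arg.rfind("."):] if "." in arg else ""

def chain(by_pid: dict[int, ProcessEvent], pid: int) -> str:
    """Render the ancestry as 'explorer.exe > wscript.exe > powershell.exe'."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " > ".join(reversed(names))

def detect(events: list[ProcessEvent]) -> list[dict]:
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        low = e.cmdline.lower()
        # Rule 1: a script host spawning a shell is the VBScript handing off to PowerShell.
        if name in SHELLS and pname in SCRIPT_HOSTS:
            alerts.append({"rule": "script_host_spawns_shell", "pid": e.pid, "chain": chain(by_pid, e.pid)})
        # Rule 2: PowerShell fetching or decoding a stage from its command line.
        if name in {"powershell.exe", "pwsh.exe"} and any(t in low for t in PS_FETCH_TOKENS):
            alerts.append({"rule": "powershell_fetch_or_encoded", "pid": e.pid, "chain": chain(by_pid, e.pid)})
        # Rule 3: MSBuild as a proxy: started by a script host or shell, or handed a file
        # that is not a recognizable project (inline-task abuse from an arbitrary XML).
        if name == "msbuild.exe":
            has_project = any(extension(a) in PROJECT_EXT for a in e.cmdline.split()[1:])
            if pname in SHELLS | SCRIPT_HOSTS or not has_project:
                alerts.append({"rule": "msbuild_proxy_execution", "pid": e.pid, "chain": chain(by_pid, e.pid)})
    return alerts

# Constructed events modelled on the chain the article describes: the user opens the
# mounted ISO (drive E:), runs the VBScript, which launches PowerShell, which launches
# MSBuild to host the payload. Paths, PIDs and file names are illustrative.
ISOMORPH_LIKE = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "E:\invoice.vbs"'),
    ProcessEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc SQBFAFgAIAAoACQAcwApAA=="),
    ProcessEvent(400, 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
                 r"MSBuild.exe C:\Users\Public\stage.xml"),
]
# Constructed benign build: Visual Studio driving MSBuild on a real solution file.
BENIGN_BUILD = [
    ProcessEvent(500, 1, r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe", "devenv.exe"),
    ProcessEvent(600, 500, r"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
                 "MSBuild.exe App.sln /t:Build"),
]

if __name__ == "__main__":
    for alert in detect(ISOMORPH_LIKE):
        print(alert)
    print("benign build alerts:", detect(BENIGN_BUILD))
```

On a developer workstation rule 3 needs tuning (legitimate builds do start MSBuild from cmd.exe), which is why the full ancestry chain is attached to every alert: wscript.exe two levels up is the discriminator, not MSBuild on its own.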
Prevention and solutions
The resurgence of HTML Smuggling should be cause for concern.
While vaccination efforts continue to ramp up and economies and societies reopen, the impact of COVID-19 will be felt long after 2021. At work, the many benefits realized from remote and hybrid working models mean that those ways of working won't disappear anytime soon. As a result, the browser will continue to offer attackers new avenues onto their target endpoints.
For this reason, HTML Smuggling is here to stay. In the case of ISOMorph, it is proving to be an effective method for infiltrating victims' devices and deploying payloads while bypassing traditional network security tools.
So, how can it be combated? The answer lies in isolation technologies.
Developed with the simple purpose of comprehensively protecting users as they use web services, whether email applications, browsers or otherwise, isolation creates a virtual barricade between the endpoint and external threats from the internet: the page, including its JavaScript, is executed in a remote, disposable environment rather than on the user's device.
While content such as emails and web traffic can still be viewed seamlessly, the original page is never downloaded to or executed on the endpoint. A payload assembled by the page's script is therefore assembled in the isolated environment instead, and any file the user legitimately needs can be inspected before it is released to the device. This removes the opportunity for malicious code to reach a device and begin exploiting vulnerabilities.
To achieve a robust endpoint protection strategy, isolation must be placed front and center.
About the Author
Vinay Pidathala is Director, Security Research at Menlo Security, based in Mountain View, California. Previously, Vinay was at Aruba Networks and also held positions at FireEye and Qualys.
Vinay can be reached online at @menlosecurity and at our company website: https://www.menlosecurity.com/
New CIOs: 5 Key Steps in Your First 100 Days
Getting the first 100 days right is critical to achieving momentum, credibility, and long-term success.
By Etay Maor, Senior Director, Security Strategy, Cato Networks
Starting off as a new CIO in a tough, dynamic environment can be daunting. CIOs must juggle multiple issues: coping with hybrid workplaces, changing cybersecurity and compliance requirements, increasing ransomware attacks and high expectations from the board, to name but a few. New CIOs need to tackle biased perceptions, make a good first impression, assess the current state of processes and policies and determine a strategy to build a foundation that drives innovation.
Other CIO challenges include building a deep awareness of the IT organization, developing close relationships with key stakeholders and achieving wide acceptance for strategic goals, while also gaining some quick wins that boost confidence in your talents.
In speaking with countless CIOs about their security posture, I'm always intrigued by what lessons they'd offer new CIOs. In truth, there doesn't seem to be a single set of 'guiding principles' for best launching into a CIO role. There are, however, strategies and tips that repeat themselves in my conversations.
Here, then, are five of those often-cited takeaways that battle-tested CIOs recommend new CIOs follow in their first 100 days in office.
1. Get to Know Your Organization and Team
With many stakeholders and team members operating remotely, one of the most significant hurdles a CIO must overcome is forging meaningful, interdepartmental relationships.
• With IT teams: Start with regular one-on-ones, seek out the issues they regularly wrestle with and assess whether they involve technology, infrastructure, processes or people. Familiarize yourself with the strategy and tactics currently in place and evaluate whether these adequately align with overall business goals.
• With non-IT teams: Start with key executives and leadership teams. Understand their role in the business and how they interact with IT. Evaluate recent IT requests and determine whether they have been resolved satisfactorily. Prepare questions relevant to their role, but listen carefully to understand their overall strategic vision and expectations of IT.
2. Determine the state of IT and Security Infrastructure
Conduct a detailed technology risk assessment of your network infrastructure, databases, applications, cybersecurity and backups. Evaluate the current state of policies, procedures, compliance, security awareness and service delivery levels. Get to know your vendor-partners and learn the contract status of each, especially big-ticket deals. Know your IT budgets (planned vs. actual). Figure out what stage the company is at in its digital transformation.
As a first measure, benchmark what you can. Three years down the road you should be able to tell a story of sustained improvement. Conduct a baseline assessment and capture metrics from current applications and security practices. This will also help identify what is and isn't working.
3. Define your Goals and Chart Out a Plan
Once you've got a handle on IT's position and learned about its resources and capabilities, it's time to develop swift action plans for urgent and simple issues, and to define an overall blueprint for your longer-term company strategy. Your plan should include an executive summary; your department's strengths and weaknesses; opportunities and threats; new trends, tools and capabilities; and the tactics you will use, along with their costs, time and impact. In short, guiding principles that will drive future decisions.
4. Incorporate Digital Transformation
Whether it's changing buyer behavior or securing a large-scale remote workforce, the demand for digital transformation post-pandemic (i.e., digital methods to improve business processes and continuity) has accelerated by several years.
New CIOs must keep this momentum going by identifying and implementing technology that can significantly transform customer and employee experiences. For example, CIOs can leverage automation and AI to improve product efficiency or add intelligence to an existing product, giving it a competitive edge. In cybersecurity, CIOs can leverage transformational technologies like SASE (Secure Access Service Edge) to strengthen security, provide high-speed connectivity and reduce IT overheads.
5. Get Priorities in Order
Choose your battles wisely based on mandates, urgency, business needs, ROI, previous experience and understanding of market trends. Seize opportunities for quick wins like improving processes, vendor management, SLA timelines and end-user applications. Resist firefighting.
Weigh the risks and repercussions before you make major decisions. Get executive sponsorship for your actions and priorities. If needed, set up a steering committee to secure buy-in from a diverse group. Determine where the power lines are drawn and which priorities can be addressed first to instill greater confidence across internal stakeholders.
There is no silver bullet for a successful transition. We can all agree that there is a lot to manage and that not everything is about technology. Having an organized approach in place for your first 100 days ensures you cover all your bases, giving you a better shot at success in your new role and at establishing yourself as a valued and inspirational leader.
About the Author
Etay Maor is the Senior Director of Security Strategy for Cato Networks, provider of the world's first Secure Access Service Edge (SASE) platform, converging SD-WAN and network security into cloud-native services. Previously, Etay was the Chief Security Officer for IntSights, where he led strategic cybersecurity research and security services. Etay has also held senior security positions at IBM, where he created and led breach response training and security research, and at RSA Security's Cyber Threats Research Labs, where he managed malware research and intelligence teams. Etay is an adjunct professor at Boston College and is part of the Call for Papers (CFP) committees for the RSA Conference and the QuBits Conference. He holds a BA in Computer Science and an MA in Counter-Terrorism and Cyber-Terrorism.
Cyber EO and Meeting Cloud Modernization Effort
By Stephen Kovac, Vice President of Global Government and Head of Corporate Compliance, Zscaler
In the wake of recent high-profile attacks and an evolving hybrid work environment, agencies are working to meet President Biden's Executive Order (EO) on Improving the Nation's Cybersecurity to protect users, devices, and data.
At the recent Zenith Live virtual event, I sat down with cyber leaders from the Department of Health and Human Services Office of Inspector General, the Department of Education, and the Cybersecurity and Infrastructure Security Agency (CISA).
We discussed zero trust security, FedRAMP, the Trusted Internet Connection (TIC) 3.0 policy, and how agencies can achieve their modernization goals and the terms of the EO.
The EO requires agencies to prioritize cloud adoption using Office of Management and Budget (OMB) guidance, plan for zero trust architectures using National Institute of Standards and Technology (NIST) special publications, and report their status to OMB and the Assistant to the President and National Security Advisor (APNSA).
Implementing these modernization efforts is a journey, not a destination, as agencies work to make a culture shift towards cloud, zero trust, and new technology rather than just checking the boxes.
"Thank God for the EO, I say," said Gerald Caron, Chief Information Officer for the Department of Health and Human Services Office of Inspector General. "I think it moves us more towards being effective overall – for our agencies to be effective at cyber – not just checking boxes."
Mitigating Threat with Zero Trust
The EO gave agencies 60 days to develop a plan for implementing a zero trust architecture as they shift to cloud technology, in order to "prevent, detect, assess, and remediate cyber incidents."
Zero trust gives agencies strong access management and security tools to prevent unauthorized users from seeing applications and sensitive data, shrinking the attack surface and giving IT teams confidence as they monitor their environment.
NIST SP 800-207, Zero Trust Architecture, provides a roadmap for migrating to and deploying zero trust across the enterprise environment. It sets out the tenets of zero trust, including securing all communication regardless of network location and granting access on a per-session basis. This creates a least-privilege access model that ensures the right person, device, and service has access to the data they need while protecting high-value assets.
The NIST National Cybersecurity Center of Excellence (NCCoE) recently announced its Implementing a Zero Trust Architecture project, in which best-of-breed zero trust vendors will collaborate to demonstrate several approaches to implementing zero trust architectures. This coalition will work side by side to realize the opportunity for zero trust to strengthen every agency's cyber defenses.
"For us, when we talk about zero trust architectures, it's not just the discussion around technologies, infrastructure, services, cloud, and all the cool things that come together to make it happen," said Steven Hernandez, Chief Information Security Officer at the Department of Education. "It's also a very robust discussion around data, because data is at the heart of everything that we're driving."
President Biden's EO also gave agencies 60 days to begin modernizing FedRAMP, and specifically to "establish a training program to ensure agencies are effectively trained and equipped to manage FedRAMP requests."
A FedRAMP-authorized zero trust security model allows IT administrators to wrap policies around users and applications to ensure consistent security regardless of where users connect from and what they connect to.
This approach reduces the attack surface and the risk of users accessing unauthorized data or applications. Additionally, IT administrators gain centralized visibility to track, log, and manage all users connecting to the network from any device, in any location, a huge advantage for managing an extensive remote or hybrid environment.
Updated Policy and Modern Security for Complex Environments
The updated TIC 3.0 guidance has opened the door for agencies to adopt modern, hybrid cloud environments. This security approach will be critically important for agencies to secure their cloud capabilities and scale up and down as needed.
"The guidance offers a new security strategy for agencies to explore new opportunities, redefine the perimeter, and flexible architectures, zero trust being one of those we want to talk about," said Sean Connelly, TIC Program Manager and Senior Cybersecurity Architect at CISA. "New visibility is the most fundamental change in the guidance."
As employees work in remote or hybrid environments and agencies follow the modern TIC 3.0 guidance, agencies can position security closer to the resources, with everything behind one access point.
To secure those access points, agencies should adopt a Secure Access Service Edge (SASE) security model, which addresses today's most common security challenges: more applications living outside the data center, sensitive data stored across multiple cloud services, and users connecting from anywhere, on any device.
Following the SASE model, agencies can invert the traditional security model by moving essential security functions to the cloud, so that users can access data and networks from any location while security is pushed as close to the user, device and data as possible. Along these lines, CISA has inverted services such as the Continuous Diagnostics and Mitigation (CDM) program to secure data where it is generated, and the General Services Administration (GSA) has likewise adjusted its Enterprise Infrastructure Solutions (EIS) model in the same way.
What's Next as Agencies Modernize
The updated policies, authorizations, new security measures, and hybrid work environments are pointing agencies towards one initiative: cloud adoption and modernization. As agencies unify behind this push, they can learn from one another on the journey.
"I think we're headed in that direction, we're going to find ourselves there one way or another, and I think that's a good thing," said Hernandez. "I think that by having more people in a centralized environment, with less attack surface, better configuration, and change control – ultimately, we can learn from each other and have a body of practice around centers of excellence that do this well."
About the Author
Stephen Kovac is the Vice President of Global Government and Head of Corporate Compliance at Zscaler. He is responsible for strategy, productizing, and certification of the Zscaler platform across global governments. He also runs the global compliance efforts for all of Zscaler. In his role, Stephen leads his team's efforts to advance Federal IT modernization by delivering cloud security solutions through direct-to-cloud connections and zero trust security capabilities. He has pushed for cloud security reform by speaking at events, meeting with agency leaders, publishing, working on pilot programs, and working directly with the Hill. Stephen can be reached online at Twitter, LinkedIn, and at our company website https://www.zscaler.com/solutions/government
Defeat Ransomware with Immutable Backup Data and Encryption
Move beyond traditional security strategies to protect against the two most common types of ransomware threats
By Jon Toor, CMO, Cloudian
The Director of the FBI recently described ransomware as posing a threat comparable in scale to the September 11 terrorist attacks. In light of these comments, and after several high-profile ransomware incidents such as the Colonial Pipeline attack, there should be little doubt that ransomware poses the greatest cybersecurity threat to organizations today.
Broadly speaking, cybercriminals take two approaches to ransomware: they encrypt data to prevent victims from accessing it, and they exfiltrate confidential or sensitive information and threaten to release it publicly. The two are not mutually exclusive: cybercriminals will often encrypt data and also threaten to release it if the ransom isn't paid within a certain timeframe. In fact, data extortion attempts now occur in 77% of ransomware attacks.
Organizations employ several traditional strategies to combat this threat, such as endpoint security solutions and anti-phishing training for employees. While these are helpful best practices, they will eventually fail against a determined attacker. There are two proven ways to mitigate the impact of ransomware: immutable (unchangeable) backup data, and encryption.
Immutable backups prevent attackers from overwriting or deleting the backup copies, so they cannot lock an organization out of its own data. Meanwhile, encrypting the data prevents criminals who steal a copy from reading or exposing it. Because many ransomware gangs try to do both in a single attack, organizations should employ both immutability and encryption to protect themselves fully and avoid having to pay a ransom.
Immutable storage
In traditional ransomware attacks, cybercriminals encrypt an enterprise's critical data, holding it hostage and making it inaccessible until the victim pays a ransom. The best defense against these attacks is to keep immutable backup copies of your data. Immutable storage is cost-efficient and simple to use: once a backup copy is written, it cannot be altered or erased for a specified period of time, so ransomware cannot encrypt, overwrite or delete that copy. An attempt to encrypt it in place either fails or, on a versioned store, merely creates a new version alongside the untouched original. If a ransomware attack does occur, organizations can rapidly restore from that backup through the normal recovery process. There is no need to pay a ransom.
Two storage architectures provide data immutability. One is to create a backup copy on magnetic tape; once that tape is physically removed from the library, it effectively becomes unchangeable. However, this approach takes considerable time and resources to manage. The other option is to use immutable object storage as the backup target. Select object storage platforms support an immutability feature called Object Lock, which prevents an object version from being overwritten or deleted for a user-defined retention period. Multiple backup software vendors support this feature as part of a fully automated backup workflow. In the event of an attack, this provides fast recovery from a clean data copy.
Two details decide whether Object Lock actually holds under attack. Retention must be applied in a compliance mode, which no account, including an administrator, can shorten or remove before it expires; a governance-style mode can be bypassed by any principal granted the bypass permission, so the backup job's credentials must never hold it. And the retention period must exceed the time an attacker may wait between gaining access and triggering the ransomware, or the clean copies will have aged out before they are needed.
Data encryption<br />
In the other type of ransomware attack, cybercriminals access an organization’s sensitive in<strong>for</strong>mation,<br />
download it and threaten to release it publicly or sell it on the dark web unless the victim pays. Immutable<br />
backup storage isn’t enough in this case, as the hackers aren’t trying to lock an organization out of its<br />
data. That’s why it’s important to encrypt your sensitive data.<br />
Data encryption works by changing data into ciphertext, an unrecognizable <strong>for</strong>mat that requires a special<br />
key to decipher it. Without the corresponding decryption key, hackers can’t release the data in a <strong>for</strong>m<br />
that’s intelligible.<br />
Both data-at-rest (stored data) and data-in-flight (data that’s being acquired or moved within an<br />
organization, such as data being migrated to a public cloud) should be encrypted to prevent data<br />
extortion. For data-at-rest, AES-256 encryption employs a system-generated encryption key (regular<br />
Server-side Encryption, or SSE) or a customer-provided and managed encryption key (SSE-C). Here,<br />
the upload and download requests are securely submitted using HTTPS, and the system does not store<br />
a copy of the encryption key.<br />
In-flight data is also vulnerable to breaches through a process called “eavesdropping.” Using this<br />
method, cybercriminals “listen” to data communications, searching for passwords or other information<br />
being transmitted in plaintext. To prevent eavesdropping, AES-256 encryption can be combined with<br />
secure transport protocols and key management services. These include SSE, Amazon Web Services Key Management<br />
Service (AWS KMS), OASIS Key Management Interoperability Protocol (KMIP) and Transport Layer<br />
Security / Secure Socket Layer (TLS/SSL).<br />
Cyber Defense eMagazine – September 2021 Edition 122<br />
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.
Conclusion<br />
As ransomware attacks grow in frequency and sophistication, more organizations will be hit in 2021,<br />
causing substantial economic losses and reputational damage. It’s critical that enterprises move beyond<br />
traditional cybersecurity strategies to ensure their businesses are protected. Immutable storage and data<br />
encryption are the most effective and comprehensive ways to prevent ransomware from wreaking havoc<br />
on your organization.<br />
About Jon Toor<br />
Jon Toor is the CMO of Cloudian. Jon leads Cloudian’s inbound<br />
and outbound marketing teams. Prior to Cloudian, Toor served<br />
as vice president of digital marketing and demand generation at<br />
Brocade. He also served as the vice president of marketing at<br />
Xsigo Systems where he led the outbound marketing team, a<br />
group he led from company launch until the company<br />
acquisition by Oracle. Prior to Xsigo, he served at ONStor as<br />
vice president of marketing. Toor holds an MBA, a bachelor of science in mechanical engineering, and a<br />
bachelor of arts in economics, all from Stanford University.<br />
Jon can be reached online at https://www.linkedin.com/in/jontoor/ or jtoor@cloudian.com, and more<br />
information on Cloudian is available at https://www.cloudian.com/.<br />
The Struggle You Don’t See: Mitigating the Impacts of<br />
Cyberattacks on the Workforce<br />
By Nick Carstensen, CISSP, Product Manager - Security & Integrations, Graylog<br />
As cyberattacks increase, cybersecurity professionals point to business interruption costs as a way to<br />
get senior management’s attention. At the same time, the industry discusses security professional<br />
burnout and alert fatigue as problems. However, sitting between security teams and senior management<br />
is an entire workforce that also feels the effect of cyberattacks. Very few people dig into the impact that<br />
attacks have on employees, also known as end-users and customer support teams.<br />
In the end, all three groups find themselves frustrated. End-users can’t do their jobs. IT help desks can’t<br />
answer questions. Security teams work continuously to find the root cause of the problem.<br />
End-users: The Frustration Is Real<br />
Despite security professionals often bemoaning the “human element” leading to cybersecurity attacks,<br />
they often forget that the attacks impact end-users. Most data breach news articles focus on data and<br />
financial impacts, but few mention the impact a cybersecurity attack has on customer and end-user daily<br />
activities.<br />
So what is the impact? The answer is: it depends.<br />
When threat actors attacked Scripps Health in May 2021, hospitals were forced to cancel appointments<br />
because healthcare professionals could not access patient records. An article reporting on the 2020<br />
malware attack against the Southeastern Pennsylvania Transportation Authority (SEPTA) noted that “the<br />
effect behind the scenes left end-users scrambling to find colleagues’ phone numbers and resorting to<br />
personal email accounts as many work remotely.” Not only does business interruption lead to lost income<br />
and end-user productivity, but it also leads to frustration.<br />
The Help Desk: Putting on a Brave Face<br />
When end-users face a technology problem, the first call is usually to the IT help desk. Before the security<br />
team jumps into action, end-users may notice operational issues, including:<br />
● System latency<br />
● Unavailable applications<br />
● Account lockouts<br />
Consider the following examples.<br />
A Distributed Denial of Service (DDoS) attack shuts down the network. End-users are unable to access<br />
the network. Thinking that the problem is something wrong with their wireless connection or password,<br />
they call the IT help desk.<br />
A threat actor attempts to use a stolen credential to access an application. When the end-user tries to<br />
log into their account, she finds that her account has been locked. She calls the IT help desk.<br />
In each case, the IT help desk acts as the “first responder,” answering questions and trying to fix the<br />
problem. If security and IT operations teams do not effectively communicate, end-user frustration grows.<br />
The IT help desk fails to provide the hoped-for customer service because they need to start looking for<br />
the root cause of the problem.<br />
The Security Team: Working to Investigate and Resolve the Incident<br />
Behind the scenes, the security team receives alerts, investigates the incident, and finds ways to resolve<br />
the incident. However, the security team’s struggle is also real.<br />
In some cases, frustrated end-users calling the IT operations team for help might be the first indication<br />
that a company suffered an attack. The problem is not the security team. It’s the volume of alerts and<br />
false positives. According to one article, 39% of security teams say that they handle 1,000 alerts per day,<br />
and 93% say they cannot address all the alerts on the same day. Without high-fidelity alerts and tools<br />
that streamline investigations, security teams spend hours sifting through data.<br />
Teamwork With Centralized Log Management<br />
Nobody wants unhappy end-users. Nobody wants security breaches. How do you make it easy for your<br />
teams to turn this around to happy users and a robust security posture? Enter centralized log<br />
management.<br />
Log data is the same no matter the source. It’s the visibility that varies based on roles. IT operations are<br />
searching for that locked-out end-user, monitoring for any configuration issues or performance<br />
bottlenecks. Security teams are looking at the data from the perspective of the threat hunter or to<br />
proactively secure the infrastructure from known breaches. The best way to keep end-users happy and<br />
productive while maintaining a robust security posture is for your IT and security teams to work with a<br />
centralized log management solution built and architected the right way to support the needs of the<br />
business. The result is faster detection, deeper visibility into the log data for more useable intelligence,<br />
higher quality results, and more.<br />
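The point that one log feed serves two audiences can be shown on a handful of authentication events: the help desk wants to know which accounts are locked and why, while the security team wants to know which source addresses are failing against many different accounts. This is an added example, not Graylog code; the key=value line format, the events and the addresses (RFC 5737 documentation ranges) are constructed.

```python
"""One constructed auth log, two role-specific views (added example)."""
import re
from collections import defaultdict

# Constructed events: alice mistypes her password three times and is locked
# out; one remote address then fails against five different accounts.
SAMPLE_LOG = """\
2021-09-01T08:00:01Z host=vpn01 event=auth_failure user=alice src=198.51.100.7
2021-09-01T08:00:03Z host=vpn01 event=auth_failure user=alice src=198.51.100.7
2021-09-01T08:00:05Z host=vpn01 event=auth_failure user=alice src=198.51.100.7
2021-09-01T08:00:06Z host=vpn01 event=account_locked user=alice src=198.51.100.7
2021-09-01T08:00:09Z host=vpn01 event=auth_failure user=bob src=203.0.113.42
2021-09-01T08:00:10Z host=vpn01 event=auth_failure user=carol src=203.0.113.42
2021-09-01T08:00:11Z host=vpn01 event=auth_failure user=dave src=203.0.113.42
2021-09-01T08:00:12Z host=vpn01 event=auth_failure user=erin src=203.0.113.42
2021-09-01T08:00:13Z host=vpn01 event=auth_failure user=frank src=203.0.113.42
2021-09-01T08:00:14Z host=vpn01 event=account_locked user=frank src=203.0.113.42
2021-09-01T08:01:00Z host=vpn01 event=auth_success user=grace src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse(log_text):
    """Turn each 'timestamp k=v k=v ...' line into a dict; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": m.group("ts")}
        for token in m.group("kv").split():
            key, _, value = token.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def helpdesk_view(events):
    """Per locked account: when it was locked and from where, so the help desk
    can answer 'why can't I log in?' without guessing."""
    locked = {}
    for ev in events:
        if ev.get("event") == "account_locked":
            locked[ev["user"]] = {"locked_at": ev["ts"], "src": ev["src"]}
    return locked


def security_view(events, min_distinct_users=3):
    """Sources whose failures span many distinct accounts. One user retrying a
    password stays below the threshold; a stolen-credential list or spraying
    attempt does not."""
    users_by_src = defaultdict(set)
    for ev in events:
        if ev.get("event") == "auth_failure":
            users_by_src[ev["src"]].add(ev["user"])
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("help desk:", helpdesk_view(evs))
    print("security:", security_view(evs))
```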
Even when you pull back the curtain and give your end-users a front-row seat to a typical day in the world<br />
of IT and security, they forget everything the minute they’re staring at the message “Incorrect password”<br />
on their screen or drumming their fingers when the systems are offline. In the end, the best way to keep<br />
your end-users happy is to end the struggle they don’t see.<br />
About the Author<br />
Nick Carstensen, CISSP, is the Product Manager - Security &<br />
Integrations at Graylog. Nick is a cybersecurity expert with<br />
15+ years of experience in security and the log/SIEM industry. For more<br />
information, visit https://graylog.org.<br />
How Bug Bounty Programs Can Help Businesses Achieve<br />
Agile Transformation<br />
By Sam Lowe, UK Lead, YesWeHack<br />
The pandemic has been a catalyst for digital transformation, but while many businesses have advanced<br />
their operations by years in a matter of months, many organizations have seen their pace of adoption<br />
hindered by the complexity of IT security.<br />
As modern businesses with a digital presence try to balance existing and new technology deployments<br />
in an ever-evolving landscape of digital threats, many find themselves in a tug of war between the need<br />
for speed and having sufficient protocols in place when it comes to cybersecurity. Here, striking a balance<br />
is crucial.<br />
Traditionally, most organizations have relied on penetration testing, or ‘pentests’, to identify vulnerabilities<br />
in applications. However, this approach is proving itself increasingly obsolete in today’s fast-paced digital<br />
world.<br />
How pentests hinder agile transformation<br />
Penetration testing can be described as a security exercise whereby a cyber security professional<br />
attempts to find and exploit vulnerabilities in a computer system. The purpose of the simulated attack is<br />
to identify any weak spots in a system’s defenses that attackers could potentially exploit.<br />
Yet, penetration testing is limited by the skills it mobilizes. Only a small cohort of security experts<br />
are used, and this could mean that a consultant involved in the testing may lack the relevant skills needed<br />
to master the technical environments associated with the tests and the potential attack techniques. With<br />
pentest deadlines being tight enough as is – with often too many projects to follow – security experts with<br />
limited exposure to complicated threats can hinder agility.<br />
Furthermore, most pentests are invariably one-off, time-boxed processes, performed one or two weeks<br />
per year, resulting in only a snapshot of vulnerabilities found during the test. This can be impractical when<br />
you consider that serious and critical vulnerabilities often take several weeks, if not months, to discover.<br />
In truth, annual or bi-annual audits are not compatible with the growing need for businesses to<br />
remain agile and scale at speed, especially when the rapid pace of software development demands a<br />
more dynamic approach.<br />
Collaboration that goes beyond traditional testing<br />
So how can organizations deliver applications while meeting business objectives? Implementing a bug<br />
bounty program can help by identifying and eliminating the vulnerabilities that opportunistic hackers will<br />
target across the growing attack surface. The platform acts as a useful resource for developers,<br />
providing them with easy access to security researchers who can highlight vulnerabilities found within<br />
their applications and suggest recommended patches.<br />
By collaborating with hunters, developers can ensure that security is not a cumbersome process and<br />
soak up the skills and knowledge shared by the hunter to provide stringent security that is implemented<br />
into future projects. It also gives assurances for management teams by initiating remedial checks that<br />
can be carried out to ensure that the bugs that have been highlighted by the security researcher have<br />
been properly patched.<br />
An innovative approach to testing<br />
Essentially, a bug bounty platform provides continuous security monitoring that enables businesses to<br />
be reactive to impending threats. It is an agreement whereby organizations reward ‘ethical hackers’ or<br />
security researchers for reporting bugs concerning security exploits and vulnerabilities. The more critical<br />
the reported bug is, the higher the reward.<br />
In an ideal world a bug bounty programme would be run at the start of the development of an application<br />
and then as a continuous program – surfacing bugs during the pre-production, acceptance or testing<br />
phase and beyond.<br />
At a time when it is estimated that cybercrime will cost the world a staggering $10.5 trillion annually by<br />
2025, it’s important that organizations adopt a multi-layered defense. A bug bounty program should be a<br />
crucial component of any company’s security stack. Here’s why.<br />
Commitment to security<br />
Over the years, data protection has become a more pressing issue for businesses to address as more<br />
hackers look to leverage stolen customer data against organizations. Volkswagen is just one of the many<br />
companies in recent months that have suffered a customer data breach, in this case impacting 3.3 million<br />
customers.<br />
In 2019, Canva had a data breach that saw information from over 139 million of its users exposed. And<br />
last year the details of more than 538 million Weibo users were available for sale online following a hack.<br />
Ransomware is also paralyzing businesses – the single biggest attack on record occurring this year when<br />
a vulnerability in Kaseya VSA software was leveraged against multiple managed service providers and<br />
their customers. In its wake, hundreds of businesses in the world were negatively impacted.<br />
Today’s consumers have an expectation that businesses will do their utmost to keep their data secure,<br />
with any data breach denting consumer confidence in a business. Deploying a public bug bounty program<br />
is a good way for a business to demonstrate its commitment to protecting customer data.<br />
Lazada, the leading e-commerce platform in Southeast Asia and a subsidiary of the Alibaba group, is one<br />
company demonstrating its commitment to protecting its user data. Since January 2020, it has been<br />
working with ethical hackers to detect security vulnerabilities in its IT environment. To date over<br />
US$150,000 in bounties have been awarded to security researchers as part of its private bug bounty<br />
program, in which a select group of security researchers are invited to find bugs in its systems.<br />
After running such a successful 18-month private program, it has now launched a public bounty program<br />
on YesWeHack’s platform and is offering $10,000 per vulnerability discovered.<br />
For companies that use a bug bounty program, in addition to enabling businesses to identify new attack<br />
techniques and find solutions to counteract them, it also reassures customers that the safety of their data<br />
is valued by the business they are trusting with it.<br />
The future is bug bounty<br />
Evolution is part and parcel of any industry. For organizations planning to incorporate cybersecurity best<br />
practices, a bug bounty program enables you to be ahead of the curve. It allows you to utilize the expertise<br />
and skills of tens of thousands of security researchers and provides you with a better chance of finding<br />
critical vulnerabilities. For modern businesses that need to be increasingly agile against the growing<br />
threats of cyberattacks, while also being nimble enough to foster digital transformation, a bug bounty<br />
program should be considered as a crucial weapon in your arsenal to neutralize threats.<br />
About the Author<br />
Sam is the UK lead at YesWeHack and helps organisations<br />
strengthen their cyber security through the adoption of Bug Bounty.<br />
He was previously the Commercial Manager for a leading Managed<br />
Security Service Provider (MSSP), working with clients on improving<br />
their overall cyber security strategy.<br />
Using Decentralized, Zero-Knowledge Services to<br />
Enhance Security<br />
By Ben Golub, CEO and Executive Chairman at Storj<br />
Over the years, DevOps and cybersecurity teams have faced an increasingly complex challenge of<br />
thwarting attackers and protecting the systems they secure. 2021 has proven to be no different. In just<br />
the first seven months, businesses and governments around the world have faced some of the most<br />
sophisticated attacks we’ve ever seen.<br />
Ransomware attacks like the Colonial Pipeline and JBS meats attacks have crippled various aspects of<br />
the US economy and cost companies millions of dollars in lost revenue and ransomware fees. On the<br />
Dark Web, you can now even buy RaaS (Ransomware-as-a-service), meaning nearly anyone can now<br />
be a hacker making millions from ransomware by holding files hostage. Meanwhile, traditional data<br />
breaches have exposed the personal information of hundreds of millions of people around the world. In<br />
just the first half of this year, it’s estimated that 18.8 billion records were exposed through various attacks.<br />
It’s no coincidence that earlier this year President Biden issued an executive order on Improving the<br />
Nation’s Cybersecurity. In this executive order, President Biden specifically calls on government agencies<br />
to adopt zero trust architectures as one way to combat “sophisticated malicious cyber campaigns that<br />
threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”<br />
Decentralization and Zero-Knowledge Networks<br />
Many people in the decentralized cloud space believe that while zero trust is a great start, it actually<br />
doesn’t go far enough. Zero Trust architectures assume a system attempting to access a resource has<br />
been compromised. Zero knowledge architectures assume even the infrastructure hosting the resource<br />
may be compromised. Your security posture changes considerably when you can't even trust your own<br />
infrastructure.<br />
By building in this redundancy, zero-knowledge architectures ensure every part of the network is secure<br />
and that data is always available. This protects against many vulnerabilities, such as the misconfigured<br />
print server that attackers used in the Equifax data breach, the misconfigured S3 buckets that leave data<br />
exposed, the typo that brings down a substantial portion of the Internet, and even many types of<br />
cryptoviral ransomware attacks.<br />
Decentralized storage systems do this by using erasure coding to build redundancy into files and<br />
encryption to keep them secure and only accessible by the file owner. For example, a file may be encoded<br />
for redundancy and broken up into 80 pieces, of which only 29 are required to rebuild the data. Each of<br />
these pieces is encrypted using keys only possessed by the data owner (and those they authorize) and<br />
exists on a unique Node. As long as 52 Nodes—all of which have their own power supply, internet<br />
connection, and facilities—are not taken offline at the exact same time, data remains intact and the file<br />
can be rebuilt from its existing pieces. No piece of the infrastructure has access to the encryption keys<br />
and therefore the underlying data. Because of its zero-knowledge architecture, the system is also auditing<br />
all these 80 Nodes to ensure they’re storing what they say they do. If they’re not, the missing piece is<br />
rebuilt in its encrypted state.<br />
If a cryptoviral ransomware attack threatened a single Node or even a larger group of Nodes, the system<br />
could identify the attack through audits and rebuild all the missing pieces before any file was lost.<br />
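The redundancy arithmetic behind the 80-piece / 29-piece scheme, and the audit-and-rebuild loop that keeps it healthy, can be worked through directly. This is an added example, not Storj code: the piece counts come from the article, the independent-failure model and the single-pass repair loop are simplifying assumptions, and the loss scenarios are constructed.

```python
"""Durability arithmetic for a file erasure-coded into n=80 pieces, any k=29
of which rebuild it, with one piece per Node (added example; failure model
and repair loop are simplified assumptions)."""
from math import comb

N_PIECES = 80     # encoded pieces per file, from the article
K_REQUIRED = 29   # pieces needed to rebuild, from the article


def max_tolerable_losses(n=N_PIECES, k=K_REQUIRED):
    """Pieces that can vanish at once while the file is still rebuildable
    (51 for the article's numbers; the 52nd simultaneous loss is fatal)."""
    return n - k


def is_rebuildable(pieces_present, k=K_REQUIRED):
    return pieces_present >= k


def prob_rebuildable(p_node_down, n=N_PIECES, k=K_REQUIRED):
    """P(at least k of n Nodes are online) if each Node is independently
    down with probability p_node_down. Exact binomial sum."""
    p_up = 1.0 - p_node_down
    return sum(comb(n, i) * p_up ** i * p_node_down ** (n - i)
               for i in range(k, n + 1))


def audit_and_repair(online_pieces, n=N_PIECES, k=K_REQUIRED):
    """Model one audit pass. `online_pieces` is the set of piece ids that
    answered the audit. Every missing piece is regenerated from the survivors
    (still in encrypted form: the repairer never holds the key) and placed on
    a fresh Node. Returns (piece ids after the pass, pieces rebuilt, status)."""
    present = set(online_pieces)
    if not is_rebuildable(len(present), k):
        return present, 0, "LOST"          # fewer than k pieces: nothing to rebuild from
    missing = set(range(n)) - present
    if not missing:
        return present, 0, "HEALTHY"
    return set(range(n)), len(missing), "REPAIRED"


if __name__ == "__main__":
    print("tolerable simultaneous losses:", max_tolerable_losses())
    for p in (0.1, 0.5, 0.7):
        print(f"P(rebuildable) with each Node down w.p. {p}: {prob_rebuildable(p):.6f}")
    # Constructed scenario: ransomware wipes the pieces on 30 Nodes, then on 52.
    print(audit_and_repair(set(range(30, 80)))[1:])   # (30, 'REPAIRED')
    print(audit_and_repair(set(range(52, 80)))[1:])   # (0, 'LOST')
```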
Chaos Engineering and the Simian Army<br />
By building a network so any part of it could fail, you ensure that the network itself will not. This is exactly<br />
how today’s internet works. You don’t care about the routers and switches that connect you from point A<br />
to point B. You simply design the data being transferred to be impervious to potential eavesdroppers.<br />
The internet is designed to be decentralized—it’s only when centralized repos are created (and breached)<br />
that you encounter outages that take down large swaths of the internet.<br />
Another great example of using security, redundancy, and decentralized architectures to create resilience<br />
is Netflix. To achieve exceptional availability, Netflix has pioneered the notion of “Chaos Engineering.” In<br />
2011, Netflix created an internal tool called Chaos Monkey that randomly (and purposely) takes out entire<br />
servers. This forced their engineers to design systems that are resilient in a way that simulated failures<br />
and tabletop exercises never could produce. Netflix has since extended Chaos Monkey to an entire<br />
simian army that takes out systems, subnets, availability zones, and (in the case of Chaos Kong) entire<br />
data center regions. By purposely creating an environment where device availability can’t be trusted,<br />
Netflix creates an environment where there is high system availability.<br />
Using Edge-based Access Controls to Stop Ransomware<br />
Decentralized systems generally use decentralized, edge-based access management tools such as<br />
Macaroons. These types of edge-based access controls mean there is no central repo of keys for<br />
attackers to target. This allows businesses to decouple various capabilities—such as search, read, write,<br />
and delete—without having to employ specialized individuals or expensive services. While sophisticated<br />
cybersecurity professionals can build similar one-off architectures, with decentralized systems all of this<br />
is done in easy, intuitive ways without adding cost or complexity, because it’s required to make<br />
the system run.<br />
If ransomware attackers managed to gain access to a network, there is no central repo of credentials to<br />
access to encrypt the data, delete various backups, or commit other nefarious activities. Even if an<br />
attacker was able to get credentials from an application running a backup, those credentials can easily<br />
be restricted to only upload data, rather than modify or delete.<br />
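The attenuation just described, where a backup job's credential is narrowed to upload-only so that a compromise of that job cannot delete or overwrite existing backups, is what the macaroon construction makes cheap: each restriction is chained into the signature, so a holder can add caveats but never remove them. The following minimal HMAC-chained macaroon is an added example, not Storj's or libmacaroons' code; the root key, identifier, caveat grammar and request format are constructed.

```python
"""Minimal macaroon-style credential with attenuation (added example)."""
import hashlib
import hmac


def _chain(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class Macaroon:
    def __init__(self, identifier, signature, caveats=()):
        self.identifier = identifier
        self.caveats = list(caveats)
        self.signature = signature

    @classmethod
    def mint(cls, root_key: bytes, identifier: str):
        """Minted once by the service. The holder receives only the
        signature, never the root key."""
        return cls(identifier, _chain(root_key, identifier.encode()))

    def attenuate(self, caveat: str):
        """Anyone holding a macaroon may add a restriction. The new signature
        is HMAC(previous signature, caveat); recovering the previous
        signature would mean inverting the HMAC, so caveats cannot be removed."""
        return Macaroon(self.identifier,
                        _chain(self.signature, caveat.encode()),
                        self.caveats + [caveat])


def _caveat_holds(caveat, request):
    """Caveat grammar (constructed): '<field> = <v>', '<field> in <v1>,<v2>',
    '<field> prefix <p>'. Unknown forms fail closed."""
    parts = caveat.split(" ", 2)
    if len(parts) != 3:
        return False
    field, op, value = parts
    actual = request.get(field)
    if op == "=":
        return actual == value
    if op == "in":
        return actual in value.split(",")
    if op == "prefix":
        return actual is not None and actual.startswith(value)
    return False


def verify(root_key: bytes, mac: Macaroon, request: dict) -> bool:
    """Service-side check: recompute the chain from the root key, evaluating
    each caveat against the request, and compare the final signature."""
    sig = _chain(root_key, mac.identifier.encode())
    for caveat in mac.caveats:
        if not _caveat_holds(caveat, request):
            return False
        sig = _chain(sig, caveat.encode())
    return hmac.compare_digest(sig, mac.signature)


# Constructed root key (kept by the service) and credentials
ROOT_KEY = b"constructed-root-key-that-never-leaves-the-service"
FULL_ACCESS = Macaroon.mint(ROOT_KEY, "bucket:backups")
# The credential handed to the backup agent: may only upload, only under backups/
BACKUP_JOB = FULL_ACCESS.attenuate("action in put").attenuate("path prefix backups/")


def allowed(mac: Macaroon, request: dict) -> bool:
    return verify(ROOT_KEY, mac, request)


if __name__ == "__main__":
    upload = {"action": "put", "path": "backups/2021-09-01.tar"}
    delete = {"action": "delete", "path": "backups/2021-08-01.tar"}
    print("backup job may upload:", allowed(BACKUP_JOB, upload))   # True
    print("backup job may delete:", allowed(BACKUP_JOB, delete))   # False
    # Holder tries to strip the caveats while keeping the signature
    stripped = Macaroon(BACKUP_JOB.identifier, BACKUP_JOB.signature, [])
    print("stripped caveats accepted:", allowed(stripped, delete))  # False
```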
Don’t be the Low-hanging Fruit<br />
As it is with most cybersecurity breaches, unless you’re a high-value target, the best strategy is to avoid<br />
being the lowest-hanging fruit on the tree. Attackers are looking for easy marks, so employing many of<br />
these cybersecurity features that decentralized architectures can offer could greatly reduce the risk of an<br />
attack, while also delivering many other cost and performance benefits.<br />
About the Author<br />
Ben Golub is the executive chairman and CEO at Storj, an<br />
open source, decentralized cloud storage provider. Under Ben’s<br />
guidance, Storj has rolled out initiatives that deliver better privacy<br />
and security for developers and empower open source projects<br />
by enabling them to passively earn revenue every time their users<br />
store data in the cloud. Ben also serves as an advisor at Mayfield,<br />
a global venture capital firm with over $2.7 billion under<br />
management. He was previously co-founder and CEO at Docker,<br />
the leader of the container and microservices movement and one<br />
of the fastest growing open source companies in history. Prior to Docker, Ben was cofounder and CEO<br />
of Gluster, an open source cloud storage platform that was acquired by Red Hat in 2011. Ben has a BA<br />
from Princeton and an MBA from Harvard.<br />
Email: Ben@storj.io<br />
https://twitter.com/golubbe<br />
https://www.linkedin.com/in/bengolub/<br />
https://www.storj.io/<br />
How to Play Like You're in the Security Majors When<br />
You’re Still in the Minors<br />
By Patrick Murray, chief product officer, Tugboat Logic<br />
When it comes to smaller businesses and cybersecurity, there are two main issues at play.<br />
One is the misconception that smaller businesses aren’t as high-risk as enterprises in terms of cyberattacks.<br />
The second is, perhaps unsurprisingly, a lack of resources. Even when SMBs recognize the<br />
need for stronger cybersecurity, budget and staffing constraints can keep them from implementing it.<br />
These constraints can make it all too tempting to de-emphasize the establishment of a strong<br />
cybersecurity posture.<br />
The unfortunate reality is that smaller businesses aren’t immune to cyber-attacks – 28% of data breaches<br />
in 2020 involved small businesses, according to Verizon’s Data Breach Investigation Report. And that’s<br />
likely to be higher for 2021, given what we’ve seen with the increase of cyber-attacks in parallel with the<br />
rise of remote work. These attacks are expensive; according to Ponemon Institute, the average cost of<br />
an attack against an SMB is $200,000.<br />
The budget and staffing constraints aren’t likely going away anytime soon, but fortunately, there are<br />
options out there for small businesses that will enable them to implement enterprise-grade cybersecurity<br />
without breaking the bank.<br />
The threat landscape for small businesses<br />
As mentioned above, the idea that small businesses aren’t at risk for cyber-attacks or aren’t of interest to<br />
bad actors is a fallacy that needs to be put to bed. Any business today, no matter its size, is at risk for<br />
cyber-attacks. And while for some this might sound like common sense, the truth is that SMBs are still<br />
really struggling with cybersecurity. Awareness is growing but getting started remains a challenge.<br />
A recent survey by the U.S. Small Business Administration found that 88% of small business owners felt<br />
their business was vulnerable to a cyber-attack, but many can’t afford professional IT services, have<br />
limited time and other resources, or they don’t know where to begin. And a survey of SMBs conducted<br />
by Tugboat Logic found that when it comes to what’s preventing them from reaching their security goals:<br />
• 85% said lack of internal resources prevented their business from adopting new security practices<br />
• 48% said the cost of implementing security was prohibitive or a challenge<br />
• 41% cited a lack of security awareness education<br />
A strong security foundation starts with a smart infosec program<br />
An information security program contains the policies and controls that form the foundation of your<br />
security as a company. Maybe you just started your company and want to get the essential security<br />
controls in place. Maybe you’ve already been hacked. Regardless, getting secure can be done by taking<br />
practical steps, with expert guidance, to ensure you’re covering the basics in your security posture. That<br />
includes covering all seven categories of risk: customer, governance, people, regulatory, resilience,<br />
technology, and vendor management. These essentials will help you get through this first stage of<br />
maturity quickly and painlessly, while providing you with an infosec program you can proudly stand<br />
behind.<br />
Too many startups, and even later-stage companies, suffer from lack of a clear and well-structured plan<br />
for security and privacy. This security shortfall comes front and center at quarter’s end when that must-have<br />
customer win slips away due to failure to meet compliance requirements.<br />
Getting started<br />
So then, how do you actually implement a security plan, even with those aforementioned staffing and<br />
budget restrictions? Companies lose time and money guessing which policies and controls to<br />
implement—only to still be at risk from the most serious threats. The good news is that enterprise-grade<br />
security and compliance tools are no longer out of reach for SMBs.<br />
Automation can play a key role, as well. An automated framework from a trusted solution partner can<br />
demystify the process of setting up a security and compliance program – even for those on a shoestring<br />
budget. This will eliminate the guesswork and help you create a credible InfoSec document quickly and<br />
easily.<br />
Don’t forget to evaluate the potential tools carefully. You must do thorough due diligence on any compliance tool you’re evaluating, from both a risk assessment and an organizational fit standpoint. The tool should provide reputable guidance, and it should grow with you in the longer term. You may start out with the essential security controls, for example, and then progress to more robust controls as your business grows, your risks increase and the number of third-party security frameworks you need to satisfy increases.<br />
Starting from strength<br />
It would be wonderful if cybercriminals would leave smaller companies alone, but it’s not in their interest to wait to attack until their target is strong enough to mount a defense. That means you need to be able to mount that defense right from the beginning. But it doesn’t mean you have to break the bank to get a functioning infosec strategy up and running. Some of today’s enterprise-grade security and compliance tools, coupled with automation, will help you build an infosec program that sets your SMB on a firm security foundation.<br />
About the Author<br />
Patrick Murray is Chief Product Officer and early founding member of Tugboat Logic, the Security Assurance Platform that helps demystify and automate the process of managing your InfoSec program. He has over 20 years of experience in product management at both early-stage security startups and public companies such as Zenprise, DataVisor, and Websense. He specializes in building new companies from the ground up to thriving businesses, and has built products across a variety of security areas including Web security, cloud security, mobile security, email security, data loss prevention, and online fraud prevention.<br />
Patrick can be reached online at https://www.linkedin.com/in/patrickgmurray/ and at our company website https://tugboatlogic.com.<br />
SQL Cyber Attacks Are a Danger to Your Company<br />
By Ryan Ayers, Consultant<br />
Cyber attacks cost the global economy more than $1 trillion last year, roughly one percent of global GDP. The pandemic was a catalyst, as a dependence on ecommerce created more opportunities for attackers, but even before COVID, cybercrime was on the rise and evolving. Most experts expect ecommerce to remain popular after the pandemic, so cybersecurity’s importance can’t be overstated.<br />
One type of attack that is gaining popularity, largely because of how easy it is to carry out, is the SQL injection attack. If your applications talk to a relational database, you are probably exposed, because SQL is how the vast majority of data scientists and developers communicate with their databases. Here is a look at what SQL injection attacks are, and how you can work to prevent them.<br />
What is an SQL Injection Attack?<br />
SQL’s primary function is handling structured data. When used properly, analysts and applications can query groups of data for analysis, and can review and remove data that has been stored. To reach this data, users must first prove their identities, because some of it is very sensitive, especially when dealing with financial data.<br />
An SQL injection attack does not break that authentication so much as sidestep it. The attacker finds an application that builds its queries by pasting untrusted input (a login form field, a URL parameter, an HTTP header) straight into an SQL statement, and supplies input that contains SQL syntax of its own. The database cannot tell the attacker’s fragment from the developer’s, so it executes the combined statement with whatever rights the application’s database account holds. Depending on those rights, the effect ranges from bypassing a login check or reading other customers’ records to altering or deleting data and, where the account is over-privileged, taking over the entire database, which does happen, though smaller data-exposure breaches are much more common.<br />
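The vulnerable pattern and its fix side by side, as an added example that is not part of the original article: one login check written two ways against an in-memory SQLite database, once by concatenating the user’s input into the SQL text and once by binding it as a parameter. The users table, its two rows and the attacker payloads are constructed for the demonstration and refer to no real system.<br />

```python
"""Added example: one login check written two ways against SQLite.

The vulnerable version pastes user input into the SQL string, so input
containing SQL syntax changes the query's meaning. The safe version binds
the input as a parameter, so the driver always treats it as data.
The users table, its rows and the payloads are constructed for this demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory database.
    Passwords are stored in clear text only to keep the example short;
    a real system stores a salted hash and compares in application code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery staple", "admin"),
         ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the input becomes part of the SQL grammar."""
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Parameter binding: the driver sends the input as data, never as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Two classic payloads. The first closes the username literal and comments
# out the password check; the second turns the WHERE clause into a tautology.
COMMENT_OUT_PASSWORD = "alice' --"
TAUTOLOGY = "' OR '1'='1"


def demo():
    """Run both logins with legitimate and hostile input; returns the rows."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "bob", "hunter2"),
        "legit_safe": login_safe(conn, "bob", "hunter2"),
        # Vulnerable: both payloads log in without knowing any password.
        "bypass_vulnerable": login_vulnerable(conn, COMMENT_OUT_PASSWORD, "wrong"),
        "tautology_vulnerable": login_vulnerable(conn, "nobody", TAUTOLOGY),
        # Safe: the same payloads are compared literally and match nothing.
        "bypass_safe": login_safe(conn, COMMENT_OUT_PASSWORD, "wrong"),
        "tautology_safe": login_safe(conn, "nobody", TAUTOLOGY),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case:22s} -> {row}")
```

Running it prints one row per case; both attack cases against the parameterized query come back as `None`. Parameterization fixes the query, but it does not fix an over-privileged database account: if the application connects as the schema owner, any injection that does slip through elsewhere (a dynamically built ORDER BY, say) inherits those rights, so pair the fix with a least-privilege account.<br />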
Examples of SQL Attacks Costing Companies Big Bucks<br />
SQL has been around since the 1970s, and SQL injection attacks have been publicly documented since the late 1990s. They can allow attackers to pull credit card information out of huge corporations’ databases, and some attacks have exposed more than 100 million individuals’ financial records and card numbers. Here are a few major SQL injection attacks:<br />
September 2002 – One of the first widely recorded SQL injection attacks occurred when an attacker pulled more than 200,000 names and credit card numbers from the database behind guess.com’s customer site.<br />
In September of 2007, the U.S. Army Corps of Engineers was the victim of an SQL injection attack, and government attention to cybersecurity increased as a result.<br />
On October 1, 2012, a hacking group used SQL injection to access and publish personal records of faculty and employees at 53 universities, including Harvard and Princeton, in a stated attempt to draw attention to tuition prices in the United States.<br />
In early 2021, a politically motivated SQL injection attack reached the database of the far-right website Gab, and the attackers published its users’ information online.<br />
Preventing SQL Injection Attacks<br />
At a high level, basic hygiene such as changing default and shared passwords, not leaving remote access and unattended systems exposed, and requiring strong authentication for anyone and everyone reaching your network should all be taken seriously. SQL injection, however, is a flaw in how an application builds its queries, so the controls that actually stop it are more specific.<br />
Use parameterized queries (prepared statements), or an ORM that binds parameters for you, so that user input is never concatenated into SQL text; validate input against an allow-list of expected formats; give the application’s database account only the privileges it needs, so a successful injection cannot read or alter tables it has no business touching; and return generic error messages, so that database errors do not leak schema details to the attacker. A web application firewall can add a layer in front of the application and report blocked attempts, but it is a backstop rather than a substitute for fixing the queries. Highly sensitive fields such as card numbers should also be encrypted or tokenized at rest, adding a further layer of protection so that a successful injection yields less.<br />
Looking Forward<br />
SQL isn’t going anywhere anytime soon, and will only be relied upon more and more as companies move further into digital offices and ecommerce. With this, threats are sure to keep increasing, and new ways to get at SQL databases will surely appear. Staying informed and staffing a quality cybersecurity team can keep you ahead of the hacking trends and keep your and your customers’ information secure.<br />
About the Author<br />
Ryan Ayers has consulted a number of Fortune 500 companies within multiple industries including information technology and big data. After earning his MBA in 2010, Ayers also began working with start-up companies and aspiring entrepreneurs, with a keen focus on cybersecurity, data collection and analysis. Ryan Ayers can be reached by email at mailto:ryanayers6@gmail.com and on Twitter @thebiztechguru.<br />
AIOps Offers Security Teams an Early Warning System<br />
By Ranjan Goel, Vice President, Product Management, LogicMonitor<br />
IT teams are under immense pressure to work faster than ever and deliver better results, at less cost. And they’re struggling to do it all as their organizations take in rapidly soaring volumes of data that must be captured, analyzed and deployed to improve business outcomes.<br />
To meet the challenge, many IT teams are turning to Artificial Intelligence for IT Operations, or AIOps, which uses big data and machine learning to enhance primary IT functions like identifying, troubleshooting and resolving availability and performance issues.<br />
Just as important, AIOps can help secure business infrastructure and applications by spotting bad actors in near real time and, where policy allows, blocking them automatically. Let’s say, for example, that an attacker is trying to access a database server. AIOps can flag the intrusion by detecting either a change in the volume of data being pulled or a change in the location of the user who is trying to reach the server.<br />
The AIOps features then classify the attempted access as normal access, insecure access or an elevated security risk. Once this is done, the information is handed to an automated system that blocks the IP address or the compromised user ID and quarantines it in a sandbox for a security expert to analyze further.<br />
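A minimal version of the volume-and-location check described above, as an added example that is not from the original article or from LogicMonitor’s product: it learns a per-user baseline from past database sessions, labels each new session normal, insecure or elevated, and maps the label to an action. The telemetry (user, client country, bytes returned) is constructed, and the geolocation field, the three-sigma threshold and the action names are assumptions chosen for the demonstration.<br />

```python
"""Added example: baseline-and-anomaly triage of database access events.

Each event records who connected, from which country (geolocated client
address, assumed available) and how many bytes the server returned. A
per-user baseline is learned from history; new events are then labelled
'normal', 'insecure' (new location or unknown user) or 'elevated' (volume
spike), and mapped to an action. All telemetry here is constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessEvent:
    user: str
    country: str    # geolocation of the client address
    bytes_out: int  # bytes returned by the database server for the session


# Constructed history: alice's normal pulls from the US, bob's small ones from DE.
HISTORY = [AccessEvent("alice", "US", b) for b in
           (40_000, 45_000, 50_000, 55_000, 60_000, 42_000, 48_000, 52_000, 58_000, 50_000)]
HISTORY += [AccessEvent("bob", "DE", 5_000) for _ in range(3)]


def build_baseline(history):
    """Per-user profile: countries seen plus mean and std of bytes_out."""
    per_user = {}
    for ev in history:
        per_user.setdefault(ev.user, []).append(ev)
    baseline = {}
    for user, events in per_user.items():
        volumes = [e.bytes_out for e in events]
        baseline[user] = {"countries": {e.country for e in events},
                          "mean": mean(volumes), "std": pstdev(volumes)}
    return baseline


def classify(ev, baseline, z_threshold=3.0):
    """Return (label, action) for one event against the learned baseline."""
    profile = baseline.get(ev.user)
    if profile is None:
        # No history at all: cannot be 'normal', but not evidence of theft either.
        return "insecure", "alert"
    new_location = ev.country not in profile["countries"]
    if profile["std"] > 0:
        spike = (ev.bytes_out - profile["mean"]) / profile["std"] > z_threshold
    else:
        # Constant history gives std 0; fall back to a relative jump.
        spike = ev.bytes_out > 3 * profile["mean"]
    if spike and new_location:
        # A large pull from a never-seen place is the exfiltration pattern:
        # block the source and park it for an analyst, as the text describes.
        return "elevated", "block_and_quarantine"
    if spike:
        return "elevated", "alert"
    if new_location:
        return "insecure", "alert"
    return "normal", "allow"


def triage(events, baseline):
    """Classify a batch of events; returns [(event, label, action), ...]."""
    return [(ev, *classify(ev, baseline)) for ev in events]


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    today = [AccessEvent("alice", "US", 51_000), AccessEvent("alice", "RU", 49_000),
             AccessEvent("alice", "RU", 500_000), AccessEvent("bob", "DE", 20_000),
             AccessEvent("svc_report", "US", 1_000)]
    for ev, label, action in triage(today, base):
        print(f"{ev.user:10s} {ev.country} {ev.bytes_out:>8d}  {label:9s} {action}")
```

Geolocation is a noisy signal (VPNs, travel, carrier NAT), which is why a new location on its own only raises an alert here and the automatic block is reserved for the combined pattern; the quarantine step keeps a human in the loop for exactly the false positives the article goes on to mention.<br />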
In short, AIOps has great potential to do double duty. IT and security teams can both deploy AIOps, not only to enhance their organization’s infrastructure performance but also to head off cybersecurity threats in near real time.<br />
An essential early warning system<br />
The early warning system that AIOps provides is a big step forward for security vendors as they try to ingest as many signals as possible and understand what’s going on in the IT environment from a 360-degree perspective. Such vigilance is vital nowadays because attackers are constantly looking for scenarios in which they can sneak in without tripping any alarms, then prowl around in the IT environment.<br />
For example, in a recent high-profile hack, the attackers lurked undetected in Office 365 email systems for months, creeping around and gathering information. This type of breach shows that, without the proper signals from the enterprise architecture, intruders can go undetected for long periods of time and ultimately do serious damage.<br />
In a world of perfect security, IT teams would have no blind spots and attackers would never gain access to IT systems. The problem is that today’s hybrid infrastructures typically hold resources in a blend of cloud and on-premises datacenters, and most security products specialize in monitoring one or the other. As a result, no single IT or security team has insight across all of the different systems.<br />
AIOps early warning technology detects the symptoms that precede security issues, such as suspicious patterns and anomalies in performance data, then alerts users. The technology then triggers actions to root out the intruders and prevent damage. By warning users sooner, AIOps helps enterprises stop intruders, protect their data and avoid negative impacts on their brand and bottom line.<br />
Many AIOps advantages<br />
There are other reasons why AIOps is now a must-have for security. One is financial. A typical organization generates billions of data points in any given day, and few organizations can afford to keep dispatching security people to investigate the numerous problematic signals that occur. There are just too many of them. But with a technology like AIOps on the job to constantly process signals and put them in context, i.e., dangerous or not, the process becomes financially manageable.<br />
What is the server behind a particular IP address attempting to access? Who is the user? Are there false positives or duplicate signals? All of this analysis and investigation can be done by AIOps technology in a consistent and automated way, so that security professionals can spend their time on other, more pressing issues.<br />
Yes, many organizations are still trying to prevent security incidents manually. But the stark reality is that such an approach is not scalable, and it typically results in SecOps people spending their day reacting to issues and trying to minimize incidents. With AIOps, they have technology that warns them before issues occur and enables them to prevent problems rather than react to them, freeing them to focus on more strategic initiatives that provide value to their organizations. It’s a win-win scenario, with less time spent troubleshooting and more time spent innovating.<br />
Indeed, AIOps is now a necessity for almost every kind of organization, because every kind of organization, large or small, is now a target for attackers.<br />
The road ahead<br />
Many vendors are now touting their AIOps chops, even if they offer only very basic functionality. So, separating fact from fiction is critical. CISOs should start with a sandbox approach, setting up two or three trials of any technology they’re considering, including AIOps, to see if it works for them before purchasing it and pushing it out.<br />
As the technology improves, AIOps will only get more proficient at observing signals across all enterprise systems to illuminate patterns, provide meaningful alerts, detect issues sooner, and enable greater foresight and automation. As today’s organizations continue to grow and evolve, the ability to provide predictive insights at scale becomes more important than ever.<br />
About the Author<br />
Ranjan Goel is a highly experienced product management executive with a track record of building and launching products in multiple technology areas including unified observability, cybersecurity, cloud and networking. He has managed portfolios of up to a billion dollars in revenue. Ranjan currently leads the product management organization at LogicMonitor.<br />
Ranjan can be reached online at our company website https://www.logicmonitor.com/.<br />
5 Steps to Protect Your Organization from the Next Ransomware Attack<br />
By Paul Kohler, CTO, S3<br />
We have witnessed the largest ransomware attacks in history in the first half of 2021 alone. Following the SolarWinds supply-chain compromise, the ransomware attacks on CNA Financial Corp, Colonial Pipeline, JBS and the customers of Kaseya’s VSA software have made it clear that a ransomware attack is no longer a question of “if” it will happen to you, but when. According to research, ransomware attacks are estimated to occur every 11 seconds, costing at least $20B a year.<br />
But why are many organizations still reluctant to support and invest in cybersecurity and build a strong cybersecurity framework that better prevents attacks?<br />
Below are some tactical steps to better protect your organization from a ransomware attack.<br />
Step 1: Assess<br />
The key to solving any problem within your organization is properly defining what you are trying to solve. Without a thorough assessment of your organization’s cyber preparedness, it will be nearly impossible to implement or improve your cyber posture. The alternative to a solid assessment is akin to playing a game of cyber whack-a-mole: stuck in an endless cycle of treating symptoms and not the problem.<br />
This assessment is not a one-time activity. It must be done regularly, as the threat landscape is in constant evolution. Standing still will quickly render your current posture weak and ineffective.<br />
Your assessment should include the following topics:<br />
● Governance: Is anyone reviewing access? Are there any terminated employees, contractors or third parties with active accounts?<br />
● Compliance: Are you compliant with all applicable regulations?<br />
● Authentication: What is required of users to authenticate to your environment? Is it required every time?<br />
● Physical Asset Management: Are you managing assets consistently?<br />
● Information Assets: Are you protecting them? Do you know what they are, where they are, and who has access to them?<br />
● Alignment: Do your policies align with operational objectives?<br />
● Access Management: Are you consistently ensuring that the right people have only the access they need at the time they need it?<br />
● Unstructured Data: Who routinely manages access to unstructured data? Where is this data located?<br />
● Monitoring: Is anyone watching the henhouse while the foxes are lurking around the perimeter?<br />
● Training: Do your employees, contractors and third parties have clarity on what is expected of them?<br />
Step 2: Increase Cybersecurity Hygiene<br />
Now that you have your assessment, you know what needs cleaning, your organization’s hygiene, and it needs to be prioritized based on risk. Cybersecurity hygiene is the practice that maintains the basic health and security of hardware and software. This includes everything from keeping cyber policies up to date to updating all software and hardware regularly. It also includes retiring and disposing of old hardware and software, and the accounts that go with them. Do you have any old VPNs lying around? I can assure you Colonial Pipeline wishes they didn’t: their attackers got in through a legacy VPN account that was no longer in use and was not protected by multi-factor authentication.<br />
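One way to turn the Governance, Authentication and Access Management questions in Step 1, and Step 2’s point about old VPN accounts, into a repeatable check, as an added example that is not from the original article or from S3’s methodology: it joins an identity-provider export against HR’s list of departures and flags active accounts belonging to departed people, remote-access accounts without MFA, accounts nobody has used in 90 days, and service accounts due for owner attestation. The export, the HR list and the field names (`last_login`, `mfa_enrolled`) are constructed assumptions, not any real product’s schema.<br />

```python
"""Added example: an access-review check for the Step 1 assessment questions.

Inputs are constructed: an identity-provider export of accounts and HR's
list of departed people. Field names (last_login, mfa_enrolled) are
assumptions, not any real product's schema. Output is a list of findings,
highest risk first, that a reviewer can sign off or remediate.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample export. Timestamps are ISO 8601 in UTC; None = never used.
ACCOUNTS = [
    {"user": "alice", "system": "vpn", "enabled": True, "mfa_enrolled": True, "last_login": "2021-08-30T09:12:00Z"},
    {"user": "bob", "system": "vpn", "enabled": True, "mfa_enrolled": False, "last_login": "2021-02-11T17:40:00Z"},
    {"user": "carol", "system": "erp", "enabled": True, "mfa_enrolled": True, "last_login": "2021-08-29T08:05:00Z"},
    {"user": "dave", "system": "vpn", "enabled": True, "mfa_enrolled": False, "last_login": None},
    {"user": "erin", "system": "erp", "enabled": False, "mfa_enrolled": False, "last_login": "2020-12-01T10:00:00Z"},
    {"user": "svc_backup", "system": "erp", "enabled": True, "mfa_enrolled": False, "last_login": "2021-08-31T01:00:00Z"},
]
TERMINATED = {"bob", "dave", "erin"}   # departures reported by HR (constructed)
SERVICE_ACCOUNTS = {"svc_backup"}      # non-human; exempt from MFA, needs a named owner
REMOTE_ACCESS = {"vpn"}                # systems reachable from the Internet

# Lower number = worse. Terminated-but-active is the Colonial Pipeline pattern.
SEVERITY = {"terminated_but_active": 0, "remote_access_without_mfa": 1,
            "dormant_account": 2, "service_account_owner_review": 3}


def parse_ts(value):
    """Parse the export's UTC timestamp; None stays None (account never used)."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_access(accounts, terminated, as_of, stale_days=90):
    """Return [(user, system, finding), ...] sorted by severity, then user.

    Disabled accounts are skipped: they are already cleaned up. Everything
    else is checked against all rules, so one account can yield several findings.
    """
    now = parse_ts(as_of)
    stale_after = timedelta(days=stale_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user, system = acct["user"], acct["system"]
        human = user not in SERVICE_ACCOUNTS
        last = parse_ts(acct["last_login"])
        if user in terminated:
            findings.append((user, system, "terminated_but_active"))
        if system in REMOTE_ACCESS and human and not acct["mfa_enrolled"]:
            findings.append((user, system, "remote_access_without_mfa"))
        if last is None or now - last > stale_after:
            findings.append((user, system, "dormant_account"))
        if not human:
            # Every non-human account must be attested by a named owner each cycle.
            findings.append((user, system, "service_account_owner_review"))
    return sorted(findings, key=lambda f: (SEVERITY[f[2]], f[0]))


if __name__ == "__main__":
    for user, system, finding in review_access(ACCOUNTS, TERMINATED, "2021-09-01T00:00:00Z"):
        print(f"{finding:30s} {user}@{system}")
```

The departed-but-active rule is the one that matters most, and it only works if HR’s departure list actually reaches whoever runs the review; the dormant rule is what catches the accounts HR never knew about, such as a contractor’s VPN profile. Run it on a schedule and treat an empty result as the expected state rather than a one-off achievement.<br />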
Step 3: Develop Detailed Response Plan<br />
Every organization is under the microscope. It is only a matter of time before an organization comes head-to-head with an attack. Instead of hitting the panic button, prepare early with a detailed response plan (and test it often). There are response frameworks available from organizations such as NIST, CIS and ISO, but your organization needs to fill in the details.<br />
The response plan should include filling in the gaps to these major topics:<br />
● Preparation<br />
○ Clarity around what you are protecting.<br />
○ Are you staffed to protect it? Or do you need 3rd party assistance?<br />
○ Who is responsible for what? Who is the backup? Who is the backup to the backup? What is the chain of command?<br />
○ Have you tested your plan?<br />
● Response<br />
○ Containing the incident<br />
○ Preservation<br />
○ Clear communication<br />
○ Mitigation steps<br />
● Recovery<br />
○ Revisit the thorough assessment<br />
○ Gather forensic information to confirm next steps and plan deployment<br />
○ Analyze and revise plans based on the post-mortem<br />
Step 4: Educate the Organization<br />
As the saying goes, you are only as strong as your weakest link. Security awareness training is essential to stopping ransomware in its tracks. It is important to train all those who access your organization’s infrastructure or make use of your organization’s high-value information assets. This means training not only your employees, but your entire ecosystem of users. They are your last line of defense.<br />
An effective training regimen will include:<br />
● Employees, contractors, and vendors responsible for protecting organizational data (this includes all critical data elements and intellectual property)<br />
● Phishing, smishing, spear phishing and other social engineering tactics<br />
● Asset protection, which should include the information necessary to secure assets as well as what to do if an asset is lost or stolen.<br />
Step 5: Implement a Zero-Trust Security Model<br />
Zero Trust is one of the most effective ways for organizations to control access to their networks, applications, and data. Zero Trust is not a product you can buy off the shelf. It is an integration of policy, procedure and multiple technologies that transforms the way you manage cyber risk. It combines a wide range of preventative techniques to deter would-be attackers and limit their access in the event of a breach. This includes identity verification and behavioral analysis, micro- and macro-segmentation, endpoint security, least privilege controls and adaptive authorization.<br />
The Zero Trust framework aims to accomplish several business-critical objectives. At a high level it performs five functions:<br />
● Contains the damage inflicted in case of a breach by limiting access to the network<br />
● Streamlines the user experience<br />
● Optimizes connectivity<br />
● Modernizes security operations<br />
● Enables your organization’s digital transformation<br />
Modernized security operations allow organizations to locate and eradicate malicious code by finding traces of open-source penetration testing tools and hacking frameworks. They also allow the security team to apply behavioral analytics to activity in order to isolate suspicious behavior and possibly prevent the next cyber attack.<br />
As we enter the next wave of cyber intelligence and combat threats from known and unknown sources, our biggest weapon is preparedness. Increasing our intelligence on potential threats, learning the offensive and defensive tools that let us better monitor and equip our organizations, and building the ability to either thwart or rapidly respond, all dramatically increase the odds of success. You will either be a victim with failed countermeasures and significant financial and reputational impact, or be able to rapidly deploy responses to mitigate or avoid damage altogether -- the choice is yours.<br />
About the Author<br />
Paul Kohler serves as the Chief Technology Officer for Strategic Security Solutions (S3). S3 is a leading provider of Identity & Access Management, Governance, Risk and Compliance and SAP Security advisory services.<br />
Paul is focused on building a world class delivery organization. He is committed to building an organization that lives S3’s core values of integrity, collaboration, intellectual curiosity and transparency. Paul believes adhering to those core values along with a program first, technology second mindset will guide S3 in delivering technical solutions that meet S3’s clients’ needs.<br />
CyberDefense.TV now has 200 hotseat interviews and growing…<br />
Market leaders, innovators, CEO hot seat interviews and much more.<br />
A division of Cyber Defense Media Group and sister to Cyber Defense Magazine.<br />
FREE MONTHLY CYBER DEFENSE EMAGAZINE VIA EMAIL<br />
ENJOY OUR MONTHLY ELECTRONIC EDITIONS OF OUR MAGAZINES FOR FREE.<br />
This magazine is by and for ethical information security professionals with a twist on innovative consumer products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best ideas, products and services in the information technology industry. Our monthly Cyber Defense e-Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare arena, plus we’ll inform you as next generation and innovative technology vendors have news worthy of sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here to sign up today and within moments, you’ll receive your first email from us with an archive of our newsletters along with this month’s newsletter.<br />
By signing up, you’ll always be in the loop with CDM.<br />
Copyright (C) 2021, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G. SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com, CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465, Cyber Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com<br />
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide. No part of this newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at marketing@cyberdefensemagazine.com<br />
<strong>Cyber</strong> <strong>Defense</strong> Magazine<br />
276 Fifth Avenue, Suite 704, New York, NY 1000<br />
EIN: 454-18-8465, DUNS# 078358935.<br />
All rights reserved worldwide.<br />
marketing@cyberdefensemagazine.com<br />
www.cyberdefensemagazine.com<br />
NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA)<br />
<strong>Cyber</strong> <strong>Defense</strong> Magazine - <strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> rev. date: 09/01/<strong>2021</strong><br />
<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2021</strong> <strong>Edition</strong> 157<br />
Copyright © <strong>2021</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.
Books by our Publisher: https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guysebook/dp/B07KPNS9NH<br />
(with others coming soon...)<br />
9+ Years in The Making…<br />
Thank You to our Loyal Subscribers!<br />
We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know What You<br />
Think. It's mobile and tablet friendly and superfast. We hope you like it. In addition,<br />
we're past the five nines of 7x24x365 uptime as we continue to scale with improved Web<br />
App Firewalls, Content Delivery Networks (CDNs) around the Globe, Faster and More<br />
Secure DNS and CyberDefenseMagazine.com up and running as an array of live mirror<br />
sites and our new B2C consumer magazine CyberSecurityMagazine.com. Millions of<br />
monthly readers and new platforms coming…starting with<br />
https://www.cyberdefenseprofessionals.com this month…<br />