Cyber Defense eMagazine September Edition for 2021

Understanding The Importance of 

Gold Optis: Most Innovative and Socially 

Designing for Security 

Conscious Technologies at Black Hat 

Evaluating Security Practices in 

How Trustworthy is Your Cyber Defense? 

Response to Colonial Pipeline And South 

Korean KAERI Attacks 

New Report Reveals Traditional Anti- 

Malware Solutions Miss 74% of Threats 

Chinese Government Will Begin to 

Stockpile Zero-Days in September 

How to Proactively Prepare for a Breach 

…and much more… 

…and much more… 

Cyber Defense eMagazine – September 2021 Edition 1 

Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.

CONTENTS 

Welcome to CDM’s September 2021 Issue ------------------------------------------------------------------------- 6 

Gold Optis: Most Innovative and Socially Conscious Technologies at Black Hat --------- 33 

By Olivia Gallucci, Cybersecurity Reporter, Cyber Defense Magazine 

Silver Optis: Innovative and Socially Conscious Technologies at Black Hat ---------------- 46 


Bronze Optis: Innovative Technologies at Black Hat ------------------------------------------------ 59 


Looking Back at Executive Order on Cybersecurity and What it Means for Your Business 

------------------------------------------------------------------------------------------------------------------------- 67 

By James Gorman, CISO of AuthX 

How Trustworthy is Your Cyber Defense? -------------------------------------------------------------- 71 

By Tom Brennan, Chairman, CREST USA 

New Report Reveals Traditional Anti-Malware Solutions Miss 74% of Threats ------------- 74 

By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies 

Cyber Security Incident Response Plan: How to Proactively Prepare for a Breach ------- 77 

By Joseph Carson, Advisory CISO, ThycoticCentrify 

The Importance of Multi-Factor Authentication and Strong Passwords ---------------------- 80 

By Jeff Severino, CyberLock Defense, Lockton Affinity 

Time to Act: How Real-Time Analytics Can Help Stop the Cyber Kill Chain ----------------- 84 

By Dr. William Bain, CEO and Founder of ScaleOut Software 

Combatting Industry Burnout by Building Resilient Security Teams -------------------------- 87 

By Rick McElroy, Principal Cybersecurity Strategist, VMware 

Considering Collateral Intrusion in Digital Forensics ----------------------------------------------- 90 

By Alan McConnell, Forensic Advisor, Cyan 

Keeping Health Records Safe from Cyber Criminals ------------------------------------------------ 94 

By Dexter Caffey, Founder and CEO, Smart Eye Technology 

Why Your Hospital Network Needs an IoT Security Policy ---------------------------------------- 97 

By Marc Laliberte, Technical Security Operations Manager, WatchGuard Technologies 



Offense Activities Sharing in Criminal Justice Case ----------------------------------------------- 101 

By Milica D. Djekic 

Cybersecurity Challenges of Working from Home during COVID-19 Pandemic and a 

Proposed 8 step WFH Cyber-attack Mitigation Plan ---------------------------------------------- 108 

By Glorin Sebastian, Senior Consultant, EY 

HTML Smuggling: A Resurgent Cause for Concern ----------------------------------------------- 111 

By Vinay Pidathala, Director of Security Research, Menlo Security 

New CIOs: 5 Key Steps in Your First 100 Days ------------------------------------------------------ 115 

By Etay Maor, Senior Director, Security Strategy, Cato Networks 

Cyber EO and Meeting Cloud Modernization Effort ------------------------------------------------ 118 

By Stephen Kovac, Vice President of Global Government and Head of Corporate Compliance, 

Zscaler 

Defeat Ransomware with Immutable Backup Data and Encryption --------------------------- 121 

By Jon Toor, CMO, Cloudian 

The Struggle You Don’t See: Mitigating the Impacts of Cyberattacks on the Workforce 

----------------------------------------------------------------------------------------------------------------------- 124 

By Nick Carstensen, CISSP, Product Manager - Security & Integrations, Graylog 

How Bug Bounty Programs Can Help Businesses Achieve Agile Transformation ------ 128 

By Sam Lowe, UK Lead, YesWeHack 

Using Decentralized, Zero-Knowledge Services to Enhance Security ----------------------- 131 

By Ben Golub, CEO and Executive Chairman at Storj 

How to Play Like You're in the Security Majors When You’re Still in the Minors --------- 134 

By Patrick Murray, chief product officer, Tugboat Logic 

SQL Cyber Attacks Are a Danger to Your Company ----------------------------------------------- 137 

By Ryan Ayers, Consultant 

AIOps Offers Security Teams an Early Warning System ----------------------------------------- 140 

By Ranjan Goel, Vice President, Product Management, LogicMonitor 

5 Steps to Protect Your Organization from the Next Ransomware Attack ------------------ 143 

By Paul Kohler, CTO, S3 



@MILIEFSKY 

From the 

Publisher… 

We’ll be celebrating our 10 th Year in business and of our Global InfoSec Awards and as a 

Platinum Media Partner of RSA Conference on Feb 7 – 10, 2022 – See You There! 

Dear Friends, 

From my perspective as Publisher, it’s incumbent upon me to observe the trends and draw patterns of 

cybersecurity developments. One recurring theme is the lack of coordination between government entities and 

private sector organizations. While we might wish to think otherwise, this should not come as a surprise. 

Private companies have the common goal of maximizing shareholder value, usually in revenues and profits. There 

are often other considerations in play. Government objectives do not include these goals, since making a profit is 

not a government function. 

We are seeing movement toward cooperative efforts, but the lack of a definite nexus is still a barrier. May I 

suggest a good possible place to start would be adoption of a voluntary agreement, for all organizations engaged 

in activities in the 16 elements of critical infrastructure, to implement strict cybersecurity practices. Resilience 

and survivability are the watchwords. 

At Cyber Defense Magazine we continue as we head into our tenth year of bringing actionable information to our 

readers in all sectors and activities. This edition is loaded with great content and fresh ideas so please take the 

time to read these articles that pique your interest. 

As always, among the valuable resources we rely on to respond to cyber threats are the providers of cybersecurity 

solutions. Therefore, we are thrilled to announce that Cyber Defense Magazine has now opened the Global 

InfoSec Awards for 2022, with nomination forms found at https://www.cyberdefenseawards.com 

Finally, as promised, https://www.cyberdefenseprofessionals.com/ will be coming out of beta this month and very 

soon, we’ll announce over 2,000 infosec job openings posted for infosec jobs at various Fortune 1000 companies. 

Wishing you all success in your own cyber endeavours and staying one step ahead of the next threat. 

Warmest regards, 

Gary S. Miliefsky 

Gary S.Miliefsky, CISSP®, fmDHS 

CEO, Cyber Defense Media Group 

Publisher, Cyber Defense Magazine 

P.S. When you share a story or an article or information 

about CDM, please use #CDM and @CyberDefenseMag 

and @Miliefsky – it helps spread the word about our free 

resources even more quickly 



@CYBERDEFENSEMAG 

CYBER DEFENSE eMAGAZINE 

Published monthly by the team at Cyber Defense Media 

Group and distributed electronically via opt-in Email, 

HTML, PDF and Online Flipbook formats. 

PRESIDENT & CO-FOUNDER 

Stevin Miliefsky 

stevinv@cyberdefensemagazine.com 

InfoSec Knowledge is Power. We 

will always strive to provide the 

latest, most up to date FREE 

InfoSec information. 

From the International 

Editor-in-Chief… 

Internationally, we’re finding ransomware attacks on the rise, 

once again. Also, DDoS attacks are back. 

It will be very interesting to find out who is behind the massive 

and prolonged Distributed Denial of Service (DDoS) attack that 

hit the Philippine human rights alliance Karapatan. The 25 days 

long DDoS attack against the website of Karapatan was 

launched by almost 30.000 IP addresses. 

One third of the addresses originated from devices that there 

were not running “Open Proxies” or “Tor exits”. Identifying this 

mysterious part of the botnet turned to be a fascinating research 

and a digital forensics challenge. The traces lead us to an Israeli 

firm offering access to millions of proxies in mobile operators, 

data centres and residential buildings – a perfect infrastructure 

to hide the source of DDoS attacks. 

I continue to research this and will have news about it on CDM’s 

website shortly. 

As always, we encourage cooperation and compatibility among 

nations and international organizations in responding to these 

cybersecurity matters. 

Finally, I believe at some point soon we should stop waiting and 

start pushing for a Cyber Geneva Convention, so the internet 

becomes a less hostile place for bad actors on nation state 

cyberwarefare activities. 

To our faithful readers, we thank you, 

Pierluigi Paganini 

International Editor-in-Chief 

INTERNATIONAL EDITOR-IN-CHIEF & CO-FOUNDER 

Pierluigi Paganini, CEH 

Pierluigi.paganini@cyberdefensemagazine.com 

US EDITOR-IN-CHIEF 

Yan Ross, JD 

Yan.Ross@cyberdefensemediagroup.com 

ADVERTISING 

Marketing Team 

marketing@cyberdefensemagazine.com 

CONTACT US: 

Cyber Defense Magazine 

Toll Free: 1-833-844-9468 

International: +1-603-280-4451 

SKYPE: cyber.defense 

http://www.cyberdefensemagazine.com 

Copyright © 2021, Cyber Defense Magazine, a division 

of 

CYBER DEFENSE MEDIA GROUP (a Steven G. 

Samuels LLC d/b/a) 

276 Fifth Avenue, Suite 704, New York, NY 10001 

EIN: 454-18-8465, DUNS# 078358935. 

All PUBLISHER rights reserved worldwide. 

Gary S. Miliefsky, CISSP® 

Learn more about our founder & publisher at: 

http://www.cyberdefensemagazine.com/about-our-founder/ 

9 YEARS OF EXCELLENCE! 

Providing free information, best practices, tips and 

techniques on cybersecurity since 2012, Cyber 

Defense magazine is your go-to-source for 

Information Security. We’re a proud division of 

Cyber CDMG Defense B2C Media MAGAZINE Group: 

B2B/B2G MAGAZINE TV RADIO AWARDS 

PROFESSIONALS 

WEBINARS 



Welcome to CDM’s September 2021 Issue 

From the U.S. Editor-in-Chief 

We’ve begun to turn a corner. Key team members headed out to BlackHat USA 2021 including 

Olivia Gallucci as our Cybersecurity Reporter for Cyber Defense Magazine and the winner of 

CDM’s 2021 Women in Cybersecurity scholarship. She is studying Computing Security and 

Computer Science at Rochester Institute of Technology. She did a fabulous job documenting 

her findings on the trade show floor with three very well written articles you’ll find inside this 

edition. 

While the turnout was not like pre-COVID-19, we hope it’s a growing trend and that RSA 

Conference 2022 will continue the trend for what’s so important to us humans – in person social 

interaction. There’s no virtual experience that can replace a handshake and a sit down gathering 

where experts share ideas and mingling with like minded infosec professionals is most 

enjoyable. 

We always like to look ahead and project tomorrow being a better day for cybersecurity. Right 

around the corner next month is Cybersecurity Awareness Month - so many infosec vendors 

are already gearing up with their thoughts and ideas on how to turn the ransomware, cloud 

threats and work from home attacks around. 

We, also, at Cyber Defense Magazine attempt, each month, to be most valuable to our readers 

by keeping current on emerging trends and solutions in the world of cybersecurity. To this end, 

we commend your attention to the valuable information provided by our expert contributors. 

Wishing you all success in your cybersecurity endeavors, 

Yan Ross 

U.S. Editor-in-Chief 


About the US Editor-in-Chief 

Yan Ross, J.D., is a Cybersecurity Journalist & U.S. Editor-in-Chief of Cyber 

Defense Magazine. He is an accredited author and educator and has provided 

editorial services for award-winning best-selling books on a variety of topics. 

He also serves as ICFE's Director of Special Projects, and the author of the 

Certified Identity Theft Risk Management Specialist ® XV CITRMS® course. 

As an accredited educator for over 20 years, Yan addresses risk management 

in the areas of identity theft, privacy, and cyber security for consumers and 

organizations holding sensitive personal information. You can reach him by e- 

mail at yan.ross@cyberdefensemediagroup.com 























































Gold Optis: Most Innovative and Socially Conscious 

Technologies at Black Hat 


I interviewed approximately sixty industry leaders from over forty companies who attended Black Hat. 

Although this article series—The Optis—can be read as a traditional Black Hat recap, I specifically 

highlight twenty-one companies that stand out and whose growth I recommend watching. 

Rochester Institute of Technology’s Cybersecurity Club, RITSEC, inspired the metrics I used to analyze 

and rank companies. Specifically, I adopted RITSEC’s motto, “Security Through Community,” while 

examining each company’s ability to promote social good, inclusion, and innovation inside and outside 

of the company. Furthermore, I referenced materials—public demos, open-source code, and 

publications—to determine the accuracy of the company’s claims and the span of its communal reach, 

public contributions, and social good. 



Given Cyber Defense Magazine's awarding of unicorns ("a private company with a valuation of over $1 

billion") and that Olympic sailing occurred during Black Hat, I created a conceptual framework—The Optis 

Series—to highlight innovative and socially conscious companies at Black Hat USA 2021 (UserGuiding). 

The Optis Series contains three articles: bronze, silver, and gold. You can learn about the judging criteria 

I used for the Optis Series here or scroll to the end of this article. 

Coalfire 

Mark Carney, COO of Coalfire 

Coalfire is known for its abilities in security compliance, but that is not all it offers. Over the past two years, 

Coalfire’s front-end security and pen-testing teams grew significantly and continue to grow in funding, 

hiring, and expertise. At present, Coalfire is an organically grown company employing approximately one 

thousand security professionals globally and plans to hire around three hundred people by the end of 

2021. 

Coalfire specializes in cloud infrastructure services, working with almost every international enterprise 

cloud infrastructure company. As a result, its products and services—pen-testing, architecture, design, 

management, compliance, and multi-cloud support—are influenced by how enterprises use the cloud. 

Furthermore, Coalfire continues to develop these areas; its teams in attack strategy, privacy and risk 

compliance, and cloud-focused services (i.e., pen-testing, engineering, and management) are 

expanding. 

Used with permission from Coalfire. 

Coalfire recently acquired two companies: Neuralys and Denim Group. Neuralys created pen-testing 

management platforms into an attack service management framework by utilizing active and passive 

scanning, which helped clients identify new and existing vulnerabilities on their networks in an outgoing 

manner. In other words, Neuralys invented a way to continuously pentest networks. Furthermore, Coalfire 

acquired Denim Group, a consulting firm specializing in pen-testing and application security; their 

platform, ThreadFix, applies application-specific vulnerability aggregation from over fifty databases and 

tools. ThreadFix consolidates test results and prioritizes vulnerable clients, reducing the remediation time 

up to forty percent. 

Learn more: By reading Coalfire’s 3 Annual Penetration Risk Report and by exploring its Reddit page. 

College students and faculty may be particularly interested in Coalfire because of its Richard E. Dakin 

Fund. The fund was created in honor of the late co-founder of Coalfire, Richard E. Dakin. It supports 



scholarship programs at several universities for promising college students studying cybersecurity and 

related fields. 

Epiphany Systems 

Rob Bathurst, Co-Founder and CTO at Epiphany Systems 

Epiphany Systems is an offensive security company providing red team attack paths and solutions for 

clients' critical IT assets and users. Its platform is the first offensive cybersecurity program designed to 

reduce Time-to-Context. Epiphany Systems spun out from Digitalware at the beginning of 2021. At 

present, Epiphany Systems has 22 employees and expects to hire approximately twelve people by 2022. 

Epiphany Systems' platform works by analyzing clients' preexisting security data to create attack paths. 

Then, the platform analyzes each attack path, the likelihood of exploitation, and the consequences if 

exploited to provide clients' security professionals a surface-level view of vulnerabilities on the network. 

Furthermore, it integrates with clients' existing security tools. 

Used with permission from Epiphany Systems. 

Its innovativeness stems from its Time-to-Context approach, which finds solutions for clients' needs within 

a specific context. For example, if an administrator can only access a document from one IP address, 

Epiphany Systems creates attack paths using that knowledge for how that document could be definitively 

accessed. Bathurst explains, "It is difficult to automate generalized red teaming efficiently. Generalized 



human red teaming creates attack paths that tend to be sporadic and unique to a point in time. We find 

a target (i.e., an administrator) and work backward to create our attack path that is more precise." 

Epiphany Systems intently integrates open-source software (OSS). Even better, Epiphany Systems 

contributes to OSS; Bloodhound is one of its favorites. Bathurst adds, "We contribute to OSS wherever 

we can. Much of what runs the internet started as small projects that never developed procedures to pass 

on development; This is not sustainable. Thus, Epiphany Systems assists OSS projects to ensure smooth 

transitions in new and pre-existing legacy projects." 

Given that the company is young, it is imperative to examine its future goals and developments. To 

answer this, Bathurst explains that "We have shown that we can analyze data in nonobvious ways. 

However, that does not mean there are not more possibilities. We want to discover even greater ways of 

analyzing data and explaining the impact of that data, especially to leaders outside of tech." 

Learn more by reading Epiphany Systems Launches into the Cybersecurity Market with Industry’s First 

Offensive Context-Aware Platform 

Lightspin 

Vladi Sandler, Co-founder and CEO of Lightspin 

Lightspin is a cloud security company using an offensive approach to detect cloud misconfigurations; it 

designed a platform to secure cloud and Kubernetes environments throughout the development cycle, 

simplifying cloud security for IT and DevOps teams. Dell and Ibex granted Lightspin $16 million in series 

A funding bringing total funding to date to $20 million. 

Lightspin's platform detects all security risks on the network, and its innovativeness stems from its ability 

to prioritize the most critical issues and remediate them from build to run time. For example, Lightspin 

creates the Attack Path, an interactive diagram displaying clients' vulnerabilities and how each 

vulnerability affects other parts of their network. These charts were developed with the C-suite in mind, 

providing a simple and usable interface suitable for presentations and reports. Furthermore, Lightspin's 

platform uses data from previous attacks to correlate vulnerabilities with the repercussions if exploited. 



Used with permission from Lightspin. 

However, the company itself has notable qualities too. It demonstrates a thoughtful and inclusive 

workplace. Sandler stated that "Our goal is to build a healthy company. We promote diversity and 

inclusion, which is why we have been a gender-balanced company from the beginning. We found that 

our company growth, employee happiness, client satisfaction, and community involvement are all tightly 

linked, which is why we only promote growth from a healthy and ethical perspective." Most of all, 

Lightspin's open-source contributions and support of public initiatives are some of the most impressive 

in the Opti series. 

Lightspin's GitHub repositories are well-documented and shared. Some of its notable projects include 

Red Kube, a red ream K8S adversary emulation based on kubectl, and Red Shadow, an AWS IAM 

vulnerability scanner. Lightspin also developed Red Detector, which scans EC2 instances for 

vulnerabilities using Vuls. Furthermore, Lightspin's blog provides tutorials on how to use and contribute 

to its projects. These tutorials are great for any skill level and receive enthusiasm from users and 

contributions. Overall, Lightspin demonstrates technological innovation, creativity, professional 

excellence, and social responsibility. As a clear trendsetter and innovator in cybersecurity, I cannot wait 

to see how Lightspin's technology develops by the next Black Hat. 

Learn more: CISO Talks: Choosing the Right Solution for Your Organization as a CISO, ft. Vladi Sandler, 

CEO at Lightspin 



Syxsense 

Ashley Leonard, CEO of Syxsense 

Headquartered in southern California, Syxsense is a software as a service endpoint management and 

security software company. Syxsense specializes in combining IT and patch management with security 

vulnerability scanning, and now a full remediation capability using Syxsense Cortex, the company’s 

workflow builder. 

Syxsense's cloud-based platform allows clients to manage all of their endpoints and devices through 

drag-and-drop (DnD) workflow technology. Example actions include almost everything: patches, asset 

management, vulnerability scanning, software installations, and more. Clients can use and edit pre-built 

blocks and create new ones. Furthermore, clients can deploy actions to individual devices, sets of 

devices, or all devices. For example, a client could update all of the odd-numbered computers on their 

network or change the background to display a cat for all employees named "John." 

Syxsense Cortex is a drag-and-drop workflow builder for building remediations to configuration 

errors and security vulnerabilities. Used with permission from Syxsense. 

As a WordPress blogger, Syxsense's product resonated with me because of its simplistic workflow and 

customization. Its DnD security workflow reminds me of how bloggers use DnD blocks to create a website 

or post. Furthermore, Syxsense's ability to support any skill level is similar to how WordPress sicks with 

bloggers throughout their careers. 

For example, new WordPress bloggers almost exclusively use DnD blocks. Over time, they learn how to 

customize blocks and how parts of the website interact (i.e., CSS and hosting configurations). Eventually, 

bloggers can create new blocks, build websites, fix bugs, and teach others. Skilled bloggers often publish 

custom blocks as code, add-ons, and templates, which creates an app-store atmosphere in WordPress. 



Syxsense demonstrates similar possibilities in the security industry. Using Syxsense Cortex, clients can 

implement Syxsense's platform using premade blocks. Once employees learn how each block's settings 

interact with the network, they can customize blocks to fit their exact needs. Moreover, the transferring 

of skills from senior techies to new employees is seamless in this environment. I would not be surprised 

if its clients use its platform to teach security skills to employees or if security professionals make tutorials 

on custom blocks. 

Watch Syxsense’s demo on Vimeo. 

Lastly, Syxsense scans clients' networks, proposes solutions, and displays potential exploit outcomes. 

In other words, Syxsense can fix vulnerabilities its platform detects, and best of all, clients can use DnD 

to resolve each issue. 

Learn more: Syxsense Releases Two New Solutions for Remediating Endpoint Security Vulnerabilities 

ThreatQuotient 

Chris Jacob, Global VP of Threat Intelligence Engineers at ThreatQuotient 

Another company I would look out for this year is ThreatQuotient, a modern data-driven security 

operations platform. The company has a rich history in problem-solving and social networking, arguably 

the two best things an organization could have. The company founders--developer Wane Chiang and 

security operations officer Ryan Trost--noticed while working in a large security operations center (SOC) 

that data was not being shared and accessed efficiently. For example, workers on the 8 AM shift were 

not effectively collaborating with other shifts at their company, which led to unnecessary security testing. 

Chiang and Trost set out to fix this problem globally by creating a pure-play threat intelligence platform 

and an API that could be utilized across departments and organizations; this led to the founding of 

ThreatQuotient in 2013. 



Used with permission from ThreatQuotient. 

However, ThreatQuotient's intriguing history is not why I selected them as a Gold Opti. ThreatQuotient is 

a leading security company in extended detection and response (XDR) that examines intelligence and 

information security events to create a holistic picture of threats. The company's innovativeness comes 

from its APIs integration with external products. Its mission is to integrate its API with as many platforms, 

products, and technologies as possible to promote long-term growth and diversification. Jacob explains 

that "If companies share knowledge of adversaries' attacks, techniques, and other intelligence, they could 

detect more hacks; although, not necessarily prevent them. We created a data-driven automation and 

data-sharing tool that can show what is happening with threats." 

ThreatQuotient's founders and many of its employees have an open-source background. As a result, its 

platform integrates with clients' preexisting technologies, so they were not locked into a vendor. 

Furthermore, its MSSP and intelligence community encourage sharing and collaboration. Jacob stated, 

"We believe companies should share to advance the cybersecurity and intelligence community," which 

is illustrated by its membership in the Open Cybersecurity Alliance and contributions to OpenDXL. 

I am looking forward to learning about the company's future developments, too. Jacob adds, "currently, 

we are expanding in XDR, but we have always been in that sphere. What is interesting is that the security 

industry is pivoting to where ThreatQuotient has been and calling it XDR. As a result, we are a frontrunner 

in XDR technologies, and we are creating new technologies to improve our platform every day." 

Learn more at ThreatQuotient's website. 



Trend Micro 

Jon Clay, VP of Threat Intelligence at Trend Micro 

Since its founding in 1988, Trend Micro evolved from a family-run antivirus company to an international 

security organization. Trend Micro was the first company to implement internet and virtual machine 

scanning technologies. Its specialty is defending against zero-day and zero-hour threats. 

I interviewed Jon Clay on Trend Micro's Cyber Risk Index (CRI) and on Trend Micro's latest products and 

publications that have impacted the security sphere. After four years of deployment through the Ponemon 

Institute, Trend Micro's CRI has mastered calculating clients' preparedness to defend against attacks. Its 

index spans from -10 (bad) to +10 (good) and helps C-level executives understand risks within their 

organization. In its 2021 distribution, CRI demonstrates that the preparedness to defend from 

cybersecurity risks has decreased globally. 

Used with the permission of Trend Micro. 

Trend Micro also progressed in the open-source sphere. One of their most famous open-source tools, 

Trend Micro Locality Sensitive Hashing (TLSH), has been publicly adopted by multiple antivirus firms. 

TLSH uses machine learning to identify files that are similar in nature. For example, if a file contains the 

text "oliviagallucci.com" and another file contains "oliviagalucci.com" (missing an l), then TLSH would 

generate two very similar hashes. Furthermore, Trend Micro partnered with Synk, an open-source 

security company, to develop Cloud One, a scanner that detects malicious or vulnerable code in opensource 

repositories. 



Unlike many companies, it is clear that Trend Micro fosters a culture of openness and collaboration. 

Readers interested in learning about Trend Micro—open-source contributions, product development, or 

otherwise—have ample resources to explore its professionals' expertise and outlook at any point in its 

history. 

Further reading: Trend Micro Demonstrates Threat Expertise at Virtual Black Hat USA 2021 

For those interested in assisting with Trend Micro's open-source programs, Clay recommends 

contributing to its Zero Day Initiative, which consists of approximately ten thousand researchers globally 

to find vulnerabilities and bugs. The Zero Day Initiative helps clients develop intrusion prevention systems 

with an eighty-day protection period. 

vArmour 

Tim Eades, CEO of vArmour 

vArmour is an Application Relationship Management company focusing on operational risk, application 

resiliency, and securing hybrid cloud environments. The company was founded in 2011 and created due 

to many enterprises lacking the skills or resources necessary to analyze company networks. vArmour is 

backed by Highland Capital Partners, AllegisCyber, Redline Capital, Citi Ventures, and Telstra. vArmour’s 

products help clients determine which security relationships are working and which are failing and helps 

clients then analyze those failing relationships and execute solutions. 

vArmour is innovative in its technology and culture. It has experience with every industry, making its 

solutions very diverse. However, banks, telecommunications, and critical infrastructure companies are 

its primary clients. Eades describes vArmour's innovative culture well: “We are a very kind, humble, and 

smart company [that is] solving enterprise security problems from the inside out, as opposed to the 

outside in. vArmour is not just a detective. You find the problem, decide what you want to have happen, 

then control for those things with programming.” In the Los Altos office, there is a mural with “Shoulder 

to Shoulder,” symbolizing the golden rule with vArmour’s twist. In Eades’ words, “We do it together, and 

we do it as one.” 



Used with permission from vArmour. 

vArmour also contributes to public forums, growing a supportive community around its projects. Eades 

states that “Thinking in public and sharing our ideas with the work and receiving feedback allows us to 

ensure our company is heading in the right direction morally and technologically.” Moreover, vArmour 

assists clients using multiple licenses from legal, technical, and social perspectives. 



Diana Nicholas, Marketing Engagement and Partner Associate at vArmour, performing at vArmour’s live 

show. Used with permission from vArmour. 

Lastly, vArmour shined at Black Hat this year. vArmour joined 13 other cybersecurity companies to create 

the live Security Leaders concert, with the Social Animals headlining and featuring performances 

including the band of Diana Nicholas, a Marketing Engagement and Partner Associate at vArmour. 

However, this is a common practice at vArmour. The company loves promoting “breakout moments” for 

its employees and up-and-coming musicians. For example, vArmour has an annual tradition of hiring upand-coming 

musicians for a live show. Eades is very proud to note that they even hired Royal Blood 

before they were famous. Overall, I was blown away by the enthusiasm and support of this team, and I 

look forward to following vArmour technical and cultural growth. 

Learn more at vArmour’s website. 

Judging Criteria 

Sailing is similar to cybersecurity in that social, technical, and economic barriers often prevent beginners 

from joining. However, some companies and leaders strive to alleviate these barriers. 

For example, Clark Mills and Major Clifford McKay created the Optimist Dinghy (Opti) to ease financial 

and age barriers to sailing (The Optimist Dinghy 1947-2007, 2013). The Opti design was so successful 

that it became one of the most popular sailboats globally and has introduced millions to sailing. 

Similar to Mills and McKay's progress in sailing, the companies recognized by the Optis Series have 

significantly improved their community and industry. The Optis Series highlights cybersecurity 

companies' innovation and ability to address social, technical, and economic barriers. Furthermore, the 

definition of an optimist, "a person who is inclined to be hopeful and to expect good outcomes," represents 

the outlook of cybersecurity if these trends continue (Merriam-Webster, 2021). 

Here are the judging criteria: 

- Highly differentiated and innovative by offering a unique product, technology, or technique. 

- Demonstrates company growth, ideally supported by numerical data like funding and 

sponsorship, acquisitions, and hiring trends. 

- Active external enthusiasm and press. 

- Practices embodied by “Security Through Community,” such as inclusion initiatives and a 

supportive company culture. 

- Socially conscious contributions that are easily proved or demonstrated (i.e., open-source code, 

publications, blogs, events, and licensing choices). 

Bronze companies fit into one or two categories, while silver companies demonstrated three or four; gold 

companies exemplified all five. All companies, however, epitomized their awarded categories enough to 

deserve substantial recognition for their efforts. 



I was very flexible with my interviews, and I did my best to create a holistic picture of each companies' 

values and technologies. I also cited evidence whenever possible through public numerical data, blog 

posts, reports, publications, and product demos. Read the full criteria here. 

About the Author 

Olivia Gallucci is a Cybersecurity Reporter for Cyber Defense Magazine and 

the winner of CDM’s 2021 Women in Cybersecurity scholarship. She is 

studying Computing Security and Computer Science at Rochester Institute 

of Technology. 

She is a Free and Open Source Software advocate and Linux enthusiast. 

Olivia can be reached online here at CDM and at https://oliviagallucci.com/ 

and @ivyhac and https://www.linkedin.com/in/olivia-gallucci/ 



Silver Optis: Innovative and Socially Conscious 

Technologies at Black Hat 














billion") and that Olympic sailing occurred during Black Hat, I created a conceptual framework—The Opti 

Series—to highlight innovative and socially conscious companies at Black Hat USA 2021 (UserGuiding). 

The Opti Series contains three articles: bronze, silver, and gold. You can learn about the judging criteria 

I used for the Opti Series here or scroll to the end of this article. 

CyberGRX 

Dave Stapleton, CISO of CyberGRX 

CyberGRX is a software as a service company using a varied source of data to manage and analyze 

third-party security risks. Specifically, CyberGRX uses an exchange model of data to provide 

organizations with a dynamic stream of third-party data and advanced analytics so clients can efficiently 

manage, monitor, and mitigate risk in their partner ecosystems. Its goal is to connect every company with 

the exchange system to increase global understanding of third-party risk inheritance and promote the 

disclosure of security risks in business agreements. 

The exchange model is CyberGRX's innovative key. Its platform is the largest risk exchange platform 

globally and contains thousands of risk assessments, allowing organizations to quickly identify which 

third parties pose the highest cyber risk and help those third parties and organizations alike focus their 

resources on critical areas. Thus, CyberGRX's clients gain a better understanding of third-party 

assessment data, enabling them to derive logical risk insights, make informed business decisions, and 

save thousands of hours spent on assessment chasing. 



3D depiction of a third-party ecosystem demonstrating the interconnectedness of organizations 

today. Used with permission from CyberGRX. 

CyberGRX provides visibility into clients' third-party ecosystems, so they can determine which third 

parties are missing the controls needed to respond to emerging threats like ransomware and 

extortionware. Its analysis promotes accountability and shared responsibility by allowing third-party risks 

to become a first-party responsibility. When companies know their third parties are vulnerable, they can 

help those parties with remediating vulnerabilities in critical areas. CyberGRX's mission promotes 

knowledge and growth in cybersecurity, and its platform provides new security insights which have not 

been available before. 



Digital Shadows 

Alastair Paterson, CEO and Co-Founder of Digital Shadows 

Founded in 2011, Digital Shadows focuses on digital risk and threat intelligence. It specializes in 

identifying data loss like intellectual property, customer data, and credentials. Digital Shadows created 

one of the largest credential databases globally, hosting over 25 billion entries. Digital Shadows’ sales 

increased over fifty percent from last year, and it expects to hire around twenty employees by the end of 

2021. 

Digital Shadows’ platform alerts clients of data leakages on code-sharing sites like GitHub, GitLab, and 

Bitbucket. These leakages often stem from things like accidentally publishing code and leaving keys 

open. It also can detect when file stores are accidentally shared (i.e., Amazon S3 buckets). 

Used with permission from Digital Shadows. 

Lastly, Digital Shadows can detect brand impersonations. For example, oliviagallucci.com is my website; 

if an adversary created oliviagalucci.com (one l), Digital Shadows would disclose the event to me. Its 

platform can also detect fake apps and social media profiles. 



Used with permission from Digital Shadows. 

Digital Shadows uses multiple open-source tools; Spring Framework, Guava, Terraform, Apache HBase, 

and Jenkins are a few notable ones. Paterson stated that “Digital Shadows began open-sourcing some 

of its projects after our security research team discussed how we could give back to the community.” One 

of Digital Shadows' notable repositories is Orca, an asset discovery tool. Paterson continued, "One of 

our goals is to integrate into the open-source community to foster collaboration and constructive 

feedback,” and Digital Shadows is well on its way to achieving this goal. 

ExtraHop 

Jeff Costlow, CISO of ExtraHop 

ExtraHop is a network detection and response (NDR) provider, helping organizations secure 

environments and implement threat protections. ExtraHop specializes in detecting lateral movement and 

increasing the effectiveness of high-speed networks. Its goal is to bridge the gap between SIEM and EDR 

across client networks to help organizations detect and respond to advanced threats. 



ExtraHop DNS LAM. Permission to use from ExtraHop. 

ExtraHop's innovation stems from its Reveal(x) 360, a software as a service platform utilizing cloud-scale 

artificial intelligence to analyze adversaries in real-time. Reveal(x) 360 works at the network level and 

analyzes up to 100 Gbps. Furthermore, ExtraHop's behavioral network analytics detect approximately 

1500 high-risk threats per month, including supply chain attacks, APTs, and Zero Days. Reveal(x) 360 is 

able to decrypt traffic to provide complete visibility and enable deep forensics investigations. Reveal(x) 

360 also can see activity without being detected, so bad actors don’t even know that they are being 

watched. This is an important part of ExtraHop’s NDR solution, given that recent highly sophisticated 

attacks like SolarWinds SUNBURST have brought awareness to the fact that hackers are learning to 

evade traditional security methods and tools. 



ExtraHop overview. Permission to use from ExtraHop. 

ExtraHop regularly contributes cyber threat data and anonymized threat intel identified via their platform 

to the security community. Key contributions include ExtraHop’s research on the techniques used in the 

SolarWinds Sunburst attack to evade detection as well as the company’s research on connected devices 

during Covid-19. ExtraHop also contributed to the latest version of the MITRE ATT&CK Framework and 

Knowledge Base, which now includes the latest developments in network detection and response 

methodologies. By sharing the growing body of network attack behaviors in the MITRE ATT&CK 

framework, security teams are now better equipped to detect and respond to advanced threats as they 

integrate NDR Into their security operations. The MITRE ATT&CK framework is natively integrated into 

the ExtraHop Reveal(x) 360 interface, which further helps security professionals detect the latest tactics, 

techniques and procedures being used by adversaries on their networks. ExtraHop’s security research 

team regularly shares threat briefs, which are immediately available to customers via the product and 

also published publicly on ExtraHop’s blog. 

Learn more: Why Cyber Defense Needs Software Behavior Transparency by Ben Higgins, Distinguished 

Software Engineer at ExtraHop 

GuidePoint Security 

Tony Cook, Head of Threat Intelligence 

Mark Lance, Senior Director of Cyber Defense 

Victor Wieczorek, VP of Application Security and Threat & Attack Simulation 

GuidePoint Security is a peer-play security consulting and management company. It has spread from its 

east coast beginnings to expand across most of the United States. GuidePoint’s focus is solving complex 



problems from a consultative approach. Its innovativeness stems from its unique company model. 

GuidePoint Security provides cybersecurity solutions and services through a localized team within that 

region, with additional teams providing capabilities across the entire nation. 

Unlike many companies, GuidePoint Security does not promote sponsored products because it is not a 

vendor. GuidePoint Security endorses quality products to ensure productivity and client satisfaction. 

GuidePoint Security is heavily involved in the open-source community and prides itself on its communal 

outreach and diverse solutions. OSS is built into or surrounds most of its tools, and as a result, its teams 

have become effective contributors, analyzers, and creators of OSS. One of its notable projects is 

RedCommander, a red team infrastructure complete with Redirectors and basic domain fronting. 

GuidePoint Security also contributes to open source communities such as Velociraptor, BloodHound, 

MISP, and others. 

GuidePoint employs approximately five hundred security professionals and expects to hire around one 

hundred people within the following year. For those interested in working with GuidePoint Security, the 

senior leaders stated that “we want people who are hungry to learn, care about the quality of their work, 

and are passionate about security in their free time.” In the future, GuidePoint Security is focusing on 

developing automation and productivity tools to ensure that “smart people are doing smart things. 

Follow GuidePoint Security on LinkedIn here. 

NTT 

Setu Kulkarni, VP of Corporate Strategy & Business Development 

Bruce Snell, VP of Security Strategy and Transformation 

NTT is a global technology services company. As a global information and communications technology 

provider, the company employs about fifty thousand people across 57 countries. I interviewed two NTT 

executives—Setu Kulkarni and Bruce Snell—about their team's latest developments. 

Learn more: NTT’s Virtual Reality SOC Tour 

NTT's Security Division functions as a managed security services provider (MSSP), supplying talented 

professionals and diverse vendor relationships to its clients so that they can focus on running the 

business and leave everything from security operations to threat monitoring and intelligence to incident 

response to their NTT team. Furthermore, around forty percent of internet traffic runs through NTT, which 

gives their specialists unmatched expertise in malicious traffic and vulnerability analysis. Bruce describes 

it as "watching the weather patterns of cybersecurity." 

NTT’s Application Security (AppSec) team utilizes an innovative consumption model, factoring in clients' 

budget and regulatory needs; it offers an AppSec platform, technical expertise, and training. Its AppSec 

platform helps clients detect, track, and remediate vulnerabilities on all of their devices. NTT's AppSec 

team also tracks open-source software (OSS) vulnerabilities and assists clients with OSS remediation. 

When OSS vulnerabilities are particularly problematic, NTT proposes remediations to the original OSS 

project. 



Olivia Gallucci (CDM) interviewing NTT execs, Setu Kulkarni and Bruce Snell, at the 2021 Black Hat 

Conference. Permission to use from NTT. 

NTT also shares their intel, giving back to the community. For example, the Security Division publishes 

its threat landscape findings in monthly threat reports and the annual Global Threat Intelligence Report. 

The August report looks at how in the last few years, ransomware has held a steady 3-4% rate of all 

detected malware, according to NTT’s Global Threat Intelligence Report. But in 2020, this increased to 

about 6% (a nearly 50% increase). Since then, ransomware activity has increased exponentially in 2021. 

If we continue to see this rate of incident occurrence, we can expect ransomware to be at 12% of all 

detected malware before the end of 2021. This may not seem like a significant statistic, but it represents 

millions of detections and could indicate a total increase of about 300% in the last two years or even as 

much as one attack every 11 seconds. 

The AppSec team does something similar in their AppSec Stats Flash Report, which are monthly state 

of application security updates. Furthermore, NTT contributes to CVE databases and is a member of the 

Cloud Security Alliance and Cyber Threat Alliance. 

Read NTT’s August 2021 Threat Report here. 



OneSpan 

Will LaSala, Director of Security Solutions and Security Evangelist at OneSpan; Official Member of the 

Forbes Technology Council 

OneSpan is a digital banking, security, and electronic signature company founded in 1991. Its most 

innovative technologies involve mobile clients, specifically application hardening. OneSpan’s Mobile 

Application Shielding platform can lock specific apps so that the phone will work even if one app gets 

hacked. Furthermore, the platform allows clients to analyze mobile devices and corresponding servers 

simultaneously. OneSpan’s central goal is to ensure that clients’ employees can detect and harden 

insecure applications and devices. 

Permission to use from OneSpan. 

OneSpan also contributes to the open-source community. OneSpan uses its contributions to multiple 

crypto libraries to receive feedback and promote transparency. In LaSala’s words, “We value the opensource 

communities’ support for security and feedback purposes. Releasing code to the public also 

protects the security community against hijacked open-source libraries.” Overall, OneSpan’s 

contributions to one-time password and cryptography projects exemplify its dedication to security and 

communal growth. 

Learn more by reading OneSpan’s Global Financial Regulations Report and listening to the UserFriendly 

2.0 podcast, episode Black Hat 2021 and Rodeo. 

Qualys 

Sumdeth Thakar, CEO of Qualys 

Qualys is a software as a service company founded in 1999; it offers cloud-based security solutions in 

the fragmented security industry. The company has strategic partnerships with leading cloud providers, 

managed services providers, and consulting firms like Amazon, Microsoft, Google, Accenture, IBM, 

Infosys, NTT, and Verizon. 



Used with permission from Qualys. 

Qualys' innovativeness stems from its ability to make security efficient, cost-effective, and scalable, 

offering solutions for almost every security concern. Qualys provides a one-stop solution, consolidating 

pre-existing technologies into a simple and easy-to-use platform. 

Qualys built its backend and highly scalable platform by leveraging OSS and in-house technology. 

Furthermore, Qualys uses OSS to improve security event monitoring by tracking 2.5+ billion messages 

on Kafta and 8 trillion data points on Elastic search daily. In Thakar's words, "You can leverage opensource 

technology to build massive-scale platforms; Qualys is a great example of that. As a result, we 

are continually increasing our public contributions, especially in the OSS community." 



Learn more: Qualys at Black Hat USA 2021 

Judging Criteria 






Similar to Mills and McKay's progress in sailing, the companies recognized by the Opti Series have 

significantly improved their community and industry. The Opti Series highlights cybersecurity companies' 

innovation and ability to address social, technical, and economic barriers. Furthermore, the definition of 

an optimist, "a person who is inclined to be hopeful and to expect good outcomes," represents the outlook 

of cybersecurity if these trends continue (Merriam-Webster, 2021). 















posts, reports, publications, and product demos. Read the full criteria at https://oliviagallucci.com/judgingcriteria-for-the-opti-series/ 




Olivia Gallucci is a Cybersecurity Reporter for Cyber Defense Magazine and 

the winner of CDM’s 2021 Women in Cybersecurity scholarship. She is 

studying Computing Security and Computer Science at Rochester Institute 

of Technology. 

She is a Free and Open Source Software advocate and Linux enthusiast. 

Olivia can be reached online here at CDM and at https://oliviagallucci.com/ 

and @ivyhac and https://www.linkedin.com/in/olivia-gallucci/ 



Bronze Optis: Innovative Technologies at Black Hat 














billion") and that Olympic sailing occurred during Black Hat, I created a conceptual award—Optis—in 

three ranks: bronze, silver, and gold (UserGuiding). You can learn about the judging criteria I used for 

this award here or scroll to the end of this article. 

Axis Security 

Dor Knafo, Co-Founder and CEO of Axis Security 

Gil Azreilant, Co-Founder and CTO of Axis Security 

Axis Security offers a secure access service edge, protecting originations by analyzing application-layer 

traffic. Clients use its software and cloud platform in tandem to monitor company networks. Its software 

handles client services and resource access by instructing the client when access is unexpected or 

discouraged. 

Axis Security built its technology in-house to streamline policy and vendor relationships. Its solutions 

include secure partner access for third parties, merging and acquisitions, cloud migration, and enabling 

remote work environments. Axis Security's most innovative technology is its cloud-based VPN 

replacement, Application Access Cloud. The platform provides its clients an easy and safe connection to 

any device without ever touching the clients' apps or networks. 

Axis Security exemplifies global citizenship by leveraging open-source works and contributing to opensource 

communities. One of the open-source projects Axis Security uses and contributes to is 

WireGuard, an open-source virtual private network. 

Learn more: Dark Reading News Desk talks to Axis Security 

CyberSaint 

Padraic O'Reilly, Co-Founder and CPO of CyberSaint 

CyberSaint is a software as a service company securing critical infrastructure and other highly regulated 

industries. Their goal is to understand customers' cybersecurity risk profiles to prevent future attacks. 

CyberSaint created the CyberStrong Platform, an automated solution that continuously analyses realtime 

telemetry to perform compliance and risk assessments across standards such as NIST, CIS20, 

NERC-CIP, and many others. CyberStrong allows clients to make better business decisions by ranking 

their risk and compliance posture internally, geographically, and industry-wide. Its creativity draws from 

its ability to take regulatory regiments used in governance risk and compliance and implement those 

standards across their risk management program in a way that enables cybersecurity resilience. It does 

this through its patented natural language processing (NLP) technologies, intuitive user interface, and 

executive reports. 



CyberSaint’s Risk Register. Used with the permission of CyberSaint. 

CyberSaint analyzes all types of data sources—feeds, proprietary and open-source intelligence, and 

threat information—with their NLP to optimize hardening systems. CyberSaint uses its NLP technology 

to leverage telemetry from applications, creating static mappings to controls by implementing the 

application and dynamic mappings to controls based on data feeds. This NLP also is used to automate 

crosswalks, using a customers' existing control scores to fulfill requirements across any set of frameworks 

or standards within seconds in an "assess once, use many" fashion. Furthermore, CyberStrong helps 

clients understand their overall cyber risk and compliance posture, strategy, and security. 

CyberSaints contributions to the community include the Making Space in Cybersecurity pledge, pro bono 

consulting to Massachusetts-based non-profits, and gifting no-cost annual licenses to our healthcare 

customers amid the COVID-19 crisis. 

Mimecast 

Jeremy Ventura, Senior Security Strategist at Mimecast 

Founded in 2003, Mimecast is a leading email security company. Mimecast combined patented, in-house 

solutions with external vendor data to create a super solution to detect malicious emails. Its email security 

solution stops malicious emails from entering or leaving client networks. Additionally, its email security 

solution is customizable to fit client needs, culture, and threats. 



Mimecast is headquartered in the United Kingdom and employs over 1800 security professionals globally. 

Furthermore, Mimecast is rapidly growing, expecting to hire approximately six hundred employees by the 

end of the fiscal year 2022. 

Although Mimecast does not contribute to the open-source community or endorse external open-source 

software, it publicly releases its monthly threat proofing report. Furthermore, Mimecast publicly releases 

its annual state of email security report, which uses survey results from its forty thousand customers and 

C-level executive interviews. One of Mimecast's most intriguing findings was that (⅔) of organizations 

admitted they had an email security incident that led to a ransomware attack and that 52 percent of those 

organizations paid the ransom. 

Future reading: Mimecast’s 2021 The State of Email Security Report. 

Nuspire 

Jyothish (JV) Varma, VP of Product Management at Nuspire 

Nuspire is a managed security services provider (MSSP) founded in 1999. Like most MSSPs, Nuspire 

provides detection, prevention, and response services. However, Nuspire extends traditional remediation 

practices; it prevents future attacks via proactive and continual system tuning. Other notable procedures 

include Nuspire's human-only technical support and fast onboarding. 

Nuspire's platform was built in-house, using open-source components. Although Nuspire does not deliver 

open-source software to its clients, it collaborates with open and closed-source vendors to provide clients 

with a holistic intelligence landscape. 

Used with the permission of Nuspire. 



Unlike many MSSPs, Nuspire offers clients the ability to automate responses inside multiple portals, 

allowing clients to use familiar technologies. Furthermore, Nuspire draws insights across platforms (i.e., 

SentinelOne, Carbon Black, and CrowdStrike) to ascertain the importance of vulnerabilities and 

intelligence. Nuspire will continue to add more vendor platforms, using market analytics and client 

feedback to determine which platforms they add next. 

Watch Nuspire’s Black Hat webinar here or read about one of Nuspire's publications at Black Hat: Nuspire 

Launches New Managed Endpoint Detection and Response (EDR) Service That Supports Leading EDR 

Technology Providers Including Carbon Black, SentinelOne, and Others. 

ThreatX 

Gene Fay, CEO of ThreatX 

Founded in 2014, ThreatX is a Web Application and API Protection security company that offers solutions 

at each layer of the Open Systems Interconnection model. ThreatX offers solutions across web 

applications and APIs: Web Application Firewalls (WAFs), API security, bot management, and DDoS 

protection. 

ThreatX's most innovative technology is its automated WAF. ThreatX acknowledged the constraints of 

non-automated WAFs (i.e., WAFs that use fine-grain rules) calculating false negatives and positives. Fay 

explained, “Web applications and APIs are under constant assault by highly sophisticated threat actors 

and techniques. The ThreatX WAAP combines dynamic web application and API security into a single 

platform, providing actionable insights to reduce vulnerabilities and prevent future attacks.” For example, 

ThreatX can quickly detect if an API or resource is exposed, which alerts clients of the issue at the time 

of occurrence. This timeliness alleviates accidental leakages and future breaches. 

Read about ThreatX’s press release—ThreatX Announces API Catalog to Provide Enterprises a Clear 

View of Attack Surface—published at Black Hat. 

Trustwave 

Darren Van Booven, Lead Principal Consultant at Trustwave; former CISO of the United States House 

of Representatives 

Trustwave is a global managed threat detection and response (MDR) and managed security services 

(MSS) company that protects SMBs and enterprises around the world from advanced cyber threats. The 

Trustwave Fusion Platform is a cloud-based XDR platform that serves as the foundation for the 

company’s managed security services, products, and other cybersecurity offerings. Trustwave 

particularly excels in protecting organizations operating across the cloud, databases, operational 

technologies, and the supply chain. It also has leading consulting and professional services, digital 

forensics, and incident response teams. With the surge in ransomware over the past year, Trustwave 

has seen a 2x demand for its ransomware preparedness services. 



Used with the permission of Trustwave. 

Trustwave SpiderLab is the company’s expert research group that produces industry-recognized threat 

intelligence and frequently publishes reports on newly discovered vulnerabilities. SpiderLab maintains 

ModSecurity, an open-source, cross-platform WAF engine for Apache, IIS, and Nginx. ModSecurity has 

a robust event-based programming language that protects a range of attacks against web applications 

and allows for HTTP traffic monitoring, logging, and real-time analysis. 

Trustwave Government Solutions, the wholly-owned subsidiary of Trustwave Holdings, Inc., recently 

announced it has joined the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Information 

Sharing and Collaboration Program (CISCP). The overall mission of CISCP is to build cybersecurity 

resiliency and to harden the defenses of the U.S. and its strategic partners through threat intelligence 

sharing. Trustwave is also an active contributor to the MITRE ATT&CK framework. 

I cannot wait to see more developments out of Trustwave and its SpiderLabs research team. Trustwave’s 

commitment to offering truly global security and thoughtfulness in its security research contributions are 

something to emulate. 

Further reading: Trustwave Launches First-of-Its-Kind Cyber Supply Chain Risk Assessment Solution for 

the Pacific Region and Trustwave Recognized as a Top 10 MSSP by Cyber Defense Magazine 



ZeroFox 

Sam Small, CSO of ZeroFox 

ZeroFox is a security company protecting client brands, reputations, and consumers. ZeroFox's specialty 

is tracking impersonation attempts—from individual to nation-state adversaries—by analyzing data on 

the clear and dark web. 

ZeroFox was the first company in the social media protection space and has built many technologies 

within its platform using NLP and artificial intelligence. ZeroFox recently acquired two security 

organizations: Cyveillance and Vigilante. 

ZeroFox's platform is customizable, timely, and scalable. Its clients receive direct access to its cloudprocessing 

pipeline, where hundreds of customizable rules are pre-made, so clients can rely on 

ZeroFox's expertise or build solutions around specific policies and threats. Furthermore, ZeroFox's 

platform is able to test the effectiveness of specific threat mitigations by analyzing its clients' responses 

to identical threats. Overall, ZeroFox is one of the most riveting companies at Black Hat, and its 

specialization in protection and intelligence outside the firewall, including on social media, deep and dark 

web, is something to follow. 

Further reading: ZeroFox Launches New External Threat Hunting Module within Platform, Empowering 

Analysts with Direct Access to Full-Spectrum Threat Intelligence Data Lake 

Awarding Criteria 






Similar to Mills and McKay's progress in sailing, the companies recognized by the Opti Awards have 

significantly improved their community and industry. The Opti Award highlights cybersecurity companies' 

innovation and ability to address social, technical, and economic barriers. Furthermore, the definition of 

an optimist, "a person who is inclined to be hopeful and to expect good outcomes," represents the outlook 

of cybersecurity if these trends continue (Merriam-Webster, 2021). 

















posts, reports, publications, and product demos. Read the full criteria at https://oliviagallucci.com/judgingcriteria-for-the-opti-series/ 


Olivia Gallucci is a Cybersecurity Reporter for Cyber Defense Magazine, and 

winner of CDM’s 2021 Women in Cybersecurity scholarship. She is studying 

Computing Security and Computer Science at Rochester Institute of 

Technology. 

She is a Free and Open Source Software advocate and Linux enthusiast. Olivia 

can be reached online here at CDM and at https://oliviagallucci.com/ and 

@ivyhac and https://www.linkedin.com/in/olivia-gallucci/ 



Looking Back at Executive Order on 

Cybersecurity and What it Means for Your 

Business 

By James Gorman, CISO of AuthX 

On May 12, 2021, President Biden issued an Executive Order focused on 

improving the nation's cybersecurity. This executive order strives to accomplish several 

important objectives for the United States’ approach to safeguarding its data and systems. 

1. Create a Zero Trust environment 

2. Manage the supply chain and its vulnerabilities 

3. Minimize barriers to intelligence sharing 

4. Create a Safety Review Board 

5. Create a standardized playbook for Incident Response 



The key outcomes for US cybersecurity procedures from this executive order include: 

1. Developing a Zero Trust environment. This insight can apply to any organization, regardless of 

industry or size. Incorporating just this one element will lead to the most effective tightening of 

security globally. 

A Zero Trust environment refers to an environment that has no implicit trust boundaries. The benefit of 

this approach is that it ensures we only allow authenticated and authorized people to access our 

applications and systems. This can look very different depending on the application, but inherently in this 

type of environment, no one or no system is implicitly trusted, and authentication and access 

rights must be verified at each access step. 

This component will ensure all access to systems run or used by the federal government involves Multi- 

Factor Authentication. 

2. Enhancing Supply Chain Security. This includes creating a way to track the deployment and 

provenance within the software lifecycle. It will likely involve lots of new reporting and compliance 

related to making the software supply chain less vulnerable. This type of approach serves as an 

example of a system that can prevent large-scale cyber-attacks, such the SolarWinds hack from 

late last year. 

Much of this new infrastructure will make it harder for smaller players because of the cost of keeping up 

the various mandates. As the industry goes forward, we should consider how this may create barriers to 

entry for small software developers. Do we want to limit the availability of small software developers? 

How can the cost and complexity be minimized? Consideration for this needs to be a discussion topic as 

we advance. 

3. Improving Coordination and Sharing of Threat Information. The EO gives direction to 

improve the coordination and sharing of cyber threats 

between federal law enforcement, federal government agencies, 

IT 

contractors, cloud service providers, and industry. To make this happen, contract language will 

likely have to be renewed. 

While increased communication helps bolster cybersecurity, it comes with additional risks to mitigate. 

When sharing more information between intelligence agencies, law enforcement agencies, and 

corporations, the privacy rights of individuals and corporate intellectual property rights must be assured. 

4. Create a Safety Review Board. The EO creates a Safety Review Board, which is positive 

because it codifies an automatic review and “lessons learned” session. Performing lessons 

learned sessions is a crucial way to improve future outcomes. Bringing together Homeland 

Security and the Attorney General will create an environment where we can more easily bring the 

perpetrators of any act of cyber-attack to justice. However, the US needs to be careful to avoid 

this board overreaching - especially when it comes to citizens - and ensure civil liberties are 

protected. 



5. Standardize the Playbook for Vulnerabilities and Incidents. Having a go-to playbook is critical 

in the event of an incident or a breach. The unfortunate reality is that most cybersecurity branches 

of organizations are run worse than your child's hockey team. Your child's team has a playbook, 

they practice, and they play the game after practice. Most cybersecurity plans are sitting on a 

shelf somewhere in a binder, and are never tested or practiced. 

Having one playbook for the entire federal government is like the whole NFL having the same 

playbook – or maybe more like the NFL and all college football teams using the same 

playbook. The Agriculture Department plays in a far different environment from that of 

Departments of Energy or Defense. 

Having a playbook and actively putting it into practice much more critical than having 

conformity across organizations. 

So, what does this executive order mean for your organization? For most companies - unless they are 

doing business with the government - little will directly affect us. 

But there are five main takeaways from this initiative that every company can and should 

implement: 

1) Create a Zero Trust environment. 

• Segment your business applications to minimize exposure to hostile actors. 

• Use a robust authentication system to ensure whom you are allowing into your network is who 

they say they are. 

2) Manage software and operating system patching process. 

• Use automated tools and scheduled update times to do updates. 

• Follow the guidelines of the Software Developer to ensure that bugs are fixed in your environment 

ASAP. 

3) Create an open environment that will allow for free and rapid sharing of information. 

• Make it easy to report potential and actual threats to those who can mitigate these concerns. 

• Encourage the team to report or request assistance for any questionable emails, computer 

activity, etc. 

4) Do an after-action review on all incidents. 

• Record what went right. 

• Make sure you add to the playbook unforeseen developments. 

5) Create a playbook - an incident response plan. 

• Make it second nature for your team to take action when an issue arises. 



• Create a broad outline of how you want an issue handled. 

• Ensure you have all the contact points for the important people/organizations in the front of the 

book. 

Overall, the President's executive order provides a good overview of how to make our nation’s critical 

information systems more secure with a lot of guidance and timelines. It also helps the government lead 

by example to illustrate what an enterprise can do to make itself more secure and enable a faster and 

more standardized response to cyber threats. 

As always – StayHackFree! 


James Gorman CISO, Authx 

James is a solutions-driven, results-focused technologist and 

entrepreneur with experience securing, designing, building, 

deploying, and maintaining large-scale, mission-critical 

applications and networks. Over the last 15 years, he has lead 

teams through multiple FedRAMP, NIST, ISO, PCI, and 

HITRUST compliance audits. As a consultant, he has helped 

numerous companies formulate their strategy for compliance and infrastructure scalability. His previous 

leadership roles include CISO, VP of Network Operations & Engineering, CTO, VP of Operations, 

Founder & Principal Consultant, Vice President and CEO at GE, Epoch Internet, NETtel, Cable and 

Wireless, SecureNet, and Transaction Network Services. 

James can be reached online at (james@authx.com, https://www.linkedin.com/in/jamesgorman/) and at 

our company website https://authx.com James can be reached online at (james@authx.com, 

https://www.linkedin.com/in/jamesgorman/ ) and at our company website https://authx.com 



How Trustworthy is Your Cyber Defense? 

Make your cybersecurity spending pay off with added defense tactics and provider accreditation 

By Tom Brennan, Chairman, CREST USA 

Cyber criminals are branching out from the big guys, the Facebook-type large scale breaches, to the 

small-to-medium-sized enterprises. A new global study by Analysys Mason shows SMB’s are paying 

attention: they estimate SMBs spent $57 billion on cyber-security in 2020, and anticipate this figure hitting 

$90 billion in 2025. By nature, SMBs work with less security budget and staff. For SMBs, and even for 

companies with deep pockets, your cyber defense investment has to be just the first step in a powerful 

threat defense. 

The threat universe in which we do business today is an equal-opportunity one. The rise of ransomwareas-a-service 

and the ability to purchase malware on the dark web has lowered the barrier to entry and 

made cybercrime accessible to anyone. The result is that no sector or size of company can ignore these 

targeted or indiscriminate attacks. 



Understanding the Cyber Attacker 

This expanding threat climate makes it all the more important to understand what data is attractive to an 

attacker and to discover where your security weaknesses are so you can fix them before someone else 

finds and exploits them. The best way to discover where vulnerabilities lie is to simulate malicious attacks, 

from inside or outside of the organization, in order to see how easy it is to break into your network and 

steal valuable data or deny access to critical assets. 

The practice of this type of simulation is called penetration testing. Demand for this very skilled, technical, 

and clearly very sensitive investigation and analysis, has seen a rapid rise in demand. While penetration 

testing has traditionally been associated with government organizations and large financial institutions 

and corporations, it is now commonplace among medium-sized companies, and the wider public sector. 

Verify Penetration Testing Knowledge 

Evaluating the trustworthiness of a third-party provider to conduct penetration testing has to be part of 

your improved threat defense. You need to have confidence and trust in a specialist company that 

delivers this service regarding how information and knowledge is handled and processed. Seek out an 

accreditation that will verify the level of knowledge, skill and competence of a provider in relationship to 

penetration testing, cyber incident response and threat intelligence. This accreditation also can apply to 

individuals within your organization who are part of your security operations team. These accredited 

providers and individuals need to stay one step ahead of cyber criminals and be well versed in the tools 

and techniques used in the most sophisticated attacks. 

Another benefit of vetting your providers is the ability to tell your customers that their 

data is adequately protected and that you take cyber security seriously. While larger organizations may 

have more security staff, if you’re an SME, you have to do more with less, and you have fewer reserves 

with which to survive a costly cyberattack. A good practice is to explore what are the baseline 

requirements for cyber hygiene in your organization: what can’t you afford to lose in terms of data, a 

computer asset shutdown, or in ecommerce, for example, a privacy breach of your customer’s 

information. This information needs to be integrated into your overall cyber defense, and a reputable 

provider should be able to give you a solid defense strategy for all items. 

In fact, it has been shown that organizations with a basic level of cyber hygiene have not been affected 

by random attacks such as WannaCry. Accreditation also helps you better leverage your investment. The 

Analysys Mason study also found investment in third-party, managed security services to represent the 

largest segment from 2020-2025, an estimated $30 billion at a 14% CAGR. Getting the most qualified 

providers and individuals makes sense, given the substantial projected spend. 

Evaluating Your SOC 

Despite best endeavors, it is impossible to be 100% secure. If your business does fall victim to a malicious 

cyber security incident, your immediate task is to act as quickly as possible to limit the impact and 

damage. An information Security Operations Center (SOC) is often the first line of defense so there is an 

increasing demand to ensure that it is operating effectively. The difficulty lies in how to make this 



assessment when you’re using third-party services. It is impossible to assess capability based on 

marketing material and almost impossible to assess capability through a procurement process. To help 

to resolve this issue, it is possible to apply an accreditation process specifically to SOCs. This includes 

procedural audits, physical audits and technical assessments. 

Better Defense Benefits All 

With billions being spent on cyber defense, it is good economic policy to put that investment to the 

highest, most effective use. Using penetration testing, seeking formal accreditation of your security 

service providers, and having a very clear picture of your most critical threats, will give you a more 

powerful, and trustworthy security foundation. 


Tom Brennan is Chairman of CREST USA, an international not-forprofit 

accreditation and certification body that represents and 

supports the technical information security market. In this role, he 

works with government and commercial organizations to optimize 

the value of CREST as a cybersecurity accreditation body and 

industry standards advocate. Brennan also serves as an industry 

evangelist and educator on the value of using accredited 

cybersecurity products and professionals to improve consumer 

privacy, security and protections worldwide. 



New Report Reveals Traditional Anti-Malware Solutions 

Miss 74% of Threats 

By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies 

The threat landscape is an erratic and ever-evolving beast. While it knows no master, its behavior is 

broadly directed by the host of threat actors that pull on its reins from all corners of the world, constantly 

adapting their tactics and techniques to better sniff out points of weakness and infiltrate organizations. 

Businesses must stay up to date on the latest threat intelligence to understand their adversaries, bolster 

defenses and avoid falling prey. For this reason, the WatchGuard Threat Lab research team produces a 

quarterly security report detailing the latest malware and network attack trends based on anonymized 

data from tens of thousands of WatchGuard appliances deployed across the globe. 

The Threat Lab’s latest Internet Security Report reveals the highest level of zero-day malware detections 

we’ve ever recorded. In fact, evasive malware rates have actually eclipsed those of traditional threats, 

which is yet another sign that organizations must continue to evolve their defenses in order to stay ahead 

of increasingly sophisticated threat actors. The research also covers new threat intelligence around rising 

network attack rates, how malicious actors are trying to disguise and repurpose old exploits, and the 

quarter’s top malware attacks. 



Hungry for more? Here are some additional key findings to feast on: 

1. Network attacks are on the rise – WatchGuard appliances detected more than 4 million network 

attacks, a 21% increase compared to the previous quarter and the highest volume since early 

2018. Corporate servers and assets on site are still high-value targets for attackers despite the 

shift to remote and hybrid work, so organizations must maintain perimeter security alongside userfocused 

protections. 

2. Fileless malware variant surges in popularity – XML.JSLoader is a malicious payload that 

appeared for the first time in both WatchGuard’s top malware by volume and most widespread 

malware detections lists. It was also the variant WatchGuard detected most often via HTTPS 

inspection in Q1’21. The sample WatchGuard identified uses an XML external entity (XXE) attack 

to open a shell to run command to bypass the local PowerShell execution policy and runs in a 

non-interactive way, hidden from the actual user or victim. This is another example of the rising 

prevalence of fileless malware and the need for advanced endpoint detection and response 

capabilities. 

3. Attackers disguise ransomware loader as legitimate PDF attachments with the help of a 

simple file name trick – Ransomware loader Zmutzy surfaced as a top-two encrypted malware 

variant by volume in Q1’21. Associated with Nibiru ransomware specifically, victims encounter 

this threat as a zipped file attachment to an email or a download from a malicious website. 

Running the zip file downloads an executable, which to the victim appears to be a legitimate PDF. 

Attackers used a comma instead of a period in the file name and a manually adjusted icon to pass 

the malicious zip file off as a PDF. This type of attack highlights the importance of phishing 

education and training, as well as implementing back-up solutions in the event that a variant like 

this unleashes a ransomware infection. 

4. Hackers co-opt reputable domains to mine cryptocurrency – In Q1’21, WatchGuard’s 

DNSWatch service blocked several compromised and outright malicious domains associated with 

cryptomining threats. Cryptominer malware has become increasingly popular due to recent price 

spikes in the cryptocurrency market and the ease with which threat actors can siphon resources 

from unsuspecting victims. 

5. An old directory traversal attack technique comes back with a vengeance – WatchGuard 

detected a new threat signature in Q1’21 that involves a directory traversal attack via cabinet 

(CAB) files, a Microsoft-designed archival format intended for lossless data compression and 

embedded digital certificates. A new addition to WatchGuard’s top 10 network attacks list, this 

exploit either tricks users into opening a malicious CAB file using conventional techniques, or by 

spoofing a network-connected printer to fool users into installing a printer driver via a 

compromised CAB file. 

6. IoT devices continue to present an attractive attack surface for malicious actors – While it 

didn’t make WatchGuard’s top 10 malware list for Q1’21, the Linux.Ngioweb.B variant has been 

used by adversaries recently to target IoT devices. The first version of this sample targeted Linux 

servers running WordPress, arriving initially as an extended format language (EFL) file. Another 



version of this malware turns the IoT devices into a botnet with rotating command and control 

servers. 

7. Lessons learned from HAFNIUM zero days – Last quarter, Microsoft reported that adversaries 

used the four HAFNIUM vulnerabilities in various Exchange Server versions to gain full, 

unauthenticated system remote code execution and arbitrary file-write access to any unpatched 

server exposed to the Internet, as most email servers are. WatchGuard incident analysis dives 

into the vulnerabilities and highlights the importance of HTTPS inspection, timely patching and 

replacing legacy systems. You can read more here. 

If there’s one key takeaway from our latest threat analysis, it’s this: Traditional anti-malware solutions 

alone simply aren’t sufficient for today’s threat environment. Every organization needs to have a layered, 

proactive security strategy that involves machine learning and behavioral analysis to detect and block 

new and advanced threats. Remember, to the beast that is the threat landscape, every business is fair 

game – and the hunt never ends. 


Corey Nachreiner is the CSO of WatchGuard Technologies. A frontline 

cybersecurity expert for nearly two decades, Corey regularly 

contributes to security publications and speaks internationally at 

leading industry trade shows like RSA. He has written thousands of 

security alerts and educational articles and is the primary contributor 

to the Secplicity Community, which provides daily videos and 

content on the latest security threats, news and best practices. A 

Certified Information Systems Security Professional (CISSP), Corey 

enjoys "modding" any technical gizmo he can get his hands on and 

considers himself a hacker in the old sense of the word. 

Corey Nachreiner can be reached at @SecAdept on Twitter, or via https://www.watchguard.com/ 



Cyber Security Incident Response Plan: How to 

Proactively Prepare for a Breach 

By Joseph Carson, Advisory CISO, ThycoticCentrify 

Many organizations are coming to the harsh realization that it’s only a matter of when, not if, they will fall 

victim to a cyberattack. 

These attacks can range from data breaches to ransomware to Distributed Denial of Service (DDoS) 

attacks and are often a result of malicious actions by cybercriminals or nation-state actors operating from 

different parts of the globe. 

There is no shortage of technology designed to defend against cybercrime, but it will always come down 

to your organization’s ability to make the right security decisions. Failing to properly train employees on 

the security measures you have in place can greatly increase the risk of a simple mistake – like clicking 

a phishing link, for instance – threatening your entire network and infrastructure. 

Cyber incident response is a structured technique used to manage an organization’s cybersecurity 

incidents to limit further damage. Formulating a cyber incident response plan specific to your organization 

is an investment in its cybersecurity. It should be a permanent item on your breach checklist. 



Incident Response Plan 

Planning and preparing for a cybersecurity incident is crucial to ensure your response is efficient and 

organized. A lack of preparation is certain to result in major repercussions should you fall victim to a 

cyberattack. 

Let’s review some steps your organization can take to increase resiliency and response. 

1. Ownership and Responsibility – The first step to implementing an incident response plan is to decide 

who will be responsible for it. Keep in mind who has the appropriate training, what tools and systems are 

available to handle an incident, and the amount of time that may be required for incident response. 

2. Roles and Contacts – There must be clearly specified roles for anyone and everyone who would be 

involved in incident response regardless of their department or position in the organization. They have to 

know how a cyber-attack can impact them and what they’re expected to do to mitigate it. 

An attack becoming public, for example, can bring a unique set of challenges that your entire organization 

must be prepared to handle. Your help desk can get overwhelmed with customer calls, which may lead 

to a DDoS attack on the help desk, so it’s crucial to understand the capacity and strength of your help 

desk in the event of an attack. 

3. Contacts and Methods of Communication – Typical means of communication – such as email, 

messaging, or VoIP – may be severed in an attack, so it’s important to have alternative contact details 

and means of communication on hand at all times. Who needs to be contacted during an incident? What 

is the priority list of contacts? It should also be available offline and include system owners and technical 

responders. 

4. The Threat – Clearly define how the incident was identified. Was it internal, external, a system alert, 

or another method? Who detected it, and how was it reported? Record all the sources and times that the 

attack has passed through. At what stage of the incident did the security team get involved? 

Document the entire nature of the incident from the type of incident, source, assets and resources 

affected, location, and extent. Assess the impact on your company based on the data on system 

classification so you can identify the proper security measures to perform next. It’s crucial for each step 

taken during the incident to be recorded. 

5. Identification and Confirmation – If the incident has not yet been confirmed at this point, you must 

pinpoint the type of incident and verify that it is a real incident. 

6. Containment – This involves stopping the attack to avoid any further harm. You must decide if the 

incident is safe to watch and learn from once it’s been identified and confirmed, or if you have to take 

more dramatic measures and pull the plug. The indicators of compromise (IoCs) can help indicate the 

extent of the impacted systems and update firewalls and network security to record evidence that can be 

used for forensics in the future. Determine what, if any, sensitive data was stolen and what the potential 

risk is to your company. 



This stage is where you must prepare for potential legal outcomes. Consult with your legal team and 

review compliance and risks to see if any regulations were impacted. Depending on your country, 

industry, or the data affected, you may also have to report the incident to appropriate authorities or 

affected parties such as partners and customers. This is where prepared PR statements are crucial. 

7. Eradication – Repair the affected systems to their original state, and compile all the evidence available 

while maintaining a solid chain of custody. Collect logs, audits, memory dumps, disk images, and network 

traffic. Digital forensics will be limited without proper evidence compiling, making a follow-up investigation 

unlikely. Get rid of the security risk so the attacker no longer has access. 

8. Recovery – Recovery from the incident is needed to recuperate systems availability, integrity, and 

confidentiality. Make sure your services have been restored and company operations are back on track. 

Establish monitoring and continuous detection on the IoCs from the incident. 

9. Lessons Learned – Learning from the cybersecurity incident is very important. What went well during 

the incident, and what could have been done better? Create an Incident Response Report that includes 

all parts of the company that were impacted by the attack. 

A Cyber Security Incident Response Plan is Crucial 

No organization wants to experience it, but it’s only a matter of time before you become the victim of a 

cyber-attack. It’s becoming more and more likely with the ever-expanding cybercrime landscape. Having 

a solid response plan in place could be the difference in reducing risks and minimizing impact to ensure 

your company can comfortably move forward following a cybersecurity incident. 


Joseph Carson is a cyber security professional and ethical hacker 

with more than 25 years' experience in enterprise security 

specializing in blockchain, endpoint security, network security, 

application security & virtualization, access controls and privileged 

account management. Joseph is a Certified Information Systems 

Security Professional (CISSP), active member of the cyber security 

community frequently speaking at cyber security conferences 

globally, often being quoted and contributing to global cyber security 

publications. He is a cyber security advisor to several governments, critical infrastructure, financial, 

transportation and maritime industries. Joseph is regularly sharing his knowledge and experience giving 

workshops on vulnerabilities assessments, patch management best practices, the evolving cyber security 

perimeter and the EU General Data Protection Regulation. Joseph serves as Chief Security Scientist at 

Thycotic. Joseph can be reached online at Joseph.Carson@thycotic.com and at our company website 

https://thycotic.com/. 



The Importance of Multi-Factor Authentication and 

Strong Passwords 

Understanding and implementing MFA and strong password protocol. 

By Jeff Severino, CyberLock Defense, Lockton Affinity 

The importance of multi-factor authentication and password security is critical. Often, it is your best line 

of defense for protecting all your data, devices and systems from unauthorized access. Unfortunately, 

many don’t take password security seriously, which makes them especially vulnerable to hackers. 

Good password security can help protect you from data breaches, network intrusions, malware and 

viruses. It can also minimize your risk of the lawsuits, fines and bad publicity that can accompany a data 

breach. 

Here’s what to know about the latest recommended password security best practices, including 

minimizing your risk from hackers, choosing good passwords and utilizing multi-factor authentication. 



Why Passwords Are Important 

In today’s world, everyone must take steps to safeguard their data, devices and systems from 

unauthorized access with strong password security. In some professions, such as banking, law, 

education and healthcare, you can even face fines and penalties for not doing so. 

Passwords are useful for protecting many different types of sensitive and confidential data and computer 

systems, including: 

• Work terminals 

• Point-of-sale systems 

• Email communications 

• Social media accounts 

• Ticketing systems 

• IT infrastructure 

• Mobile devices 

• Customer files 

• Client documentation 

• Vendor systems 

• Billing information 

• Financial records 

Even if it’s not specifically required by your industry’s professional association or local, state or federal 

law, protecting all your data, devices and systems with the best password protection is just good 

business. It also ensures you maintain the trust of your clients and customers and avoid unnecessary 

downtime and liability risk. 

How Hackers Can Crack Your Password 

Setting a password for all your systems and devices is a good first step to securing your data. But it’s 

important to realize that even with all your systems protected by passwords, it’s still possible for someone 

to gain unauthorized access, because things are always changing. 

While computer systems have become more advanced, hackers have upped their game as well. You 

may have noticed that popular websites and services are prompting you to update your password more 

frequently and requiring you to pick stronger and better passwords when you do. This is because hackers 

may be able to guess your weak passwords and can use technology to hack even moderately secure 

passwords. 

With new technology, some hackers are able to crack simple passwords of up to 10 characters instantly. 

Even properly chosen passwords that include numbers, symbols, uppercase and lowercase letters can 

be cracked in just a few minutes to hours if they are shorter than eight characters long. 

Many computer users still choose passwords that are easy to guess and there are now billions of 

compromised and stolen passwords listed online. Using similar passwords for different websites can also 



allow a hacker who has gained access to one of your accounts to access other accounts. Plus, a hacker 

who finds one of your passwords may be able to guess your other ones. 

How to Pick a Good Password 

Choosing good passwords for all your logins can protect you from getting hacked and minimize the 

chance of confidential information falling into the wrong hands. Here are the best practices to follow: 

• Choose a strong password. Strong passwords combine uppercase and lowercase letters and 

numbers and are at least 8 characters long. Always avoid using nicknames, birthdays or ordinary 

words in the dictionary. 

• Keep your passwords confidential. Avoid sharing passwords with anyone else. If multiple 

employees need to use the same terminal or system, make sure everyone has their own individual 

login and password credentials. 

• Avoid reusing old passwords. Use a new password every time you’re prompted, since 

compromised passwords will always be vulnerable. Facebook CEO Mark Zuckerberg found this 

out when he was hacked due to reusing an old password. 

• Pick a unique password for everything. Differentiating your passwords for each accounts 

ensures a hacker can’t access all your accounts with one login. This keeps small hacks from 

turning into major ones. 

• Keep track of all your passwords. The average person now has to juggle about 100 passwords. 

Keep track by writing them down on a piece of paper stored in a secure location or consider using 

a password manager. 

• Use a password manager. With a browser or cloud-based password manager, there is a master 

password that secures all your logins. To login to your accounts, you only need to remember the 

master password. 

• Check for compromised passwords. It’s possible to research whether one of your passwords 

has been compromised and should be updated. Check Google Password Checkup or Mozilla 

Firefox Monitor to see if your login has been compromised. 

• Set up password reset options. To avoid losing access to your accounts, set up password reset 

options with memorable security question answers and a backup email or phone number on file. 

• Turn on multi-factor authentication. By requiring a verification code be sent to your phone or 

email, multi-factor authentication can keep a hacker from being able to log into your account even 

if they do get ahold of your password. 



The Importance of Multi-Factor Authentication 

Many experts now highlight the importance of multi-factor authentication (MFA) or two-factor 

authentication (2FA) to help avoid unauthorized access to your accounts and systems. 

Multi-factor authentication works by requiring something else from you besides your login and password 

to access your account. This could be a PIN, security question answers, or a temporary security code 

emailed or texted to you. Some high-security MFA systems even work with badges, USB key fobs, or 

fingerprints and other biometric data. The idea is to provide two or more levels of security so that only 

you can access your data. 

Multi-factor authentication usually doesn’t require verification for every login, only those where you are 

logging on from an unfamiliar device, a home or public internet connection or during off hours. It’s easy 

to set up and turn on MFA or 2FA features on common apps such as Gmail, Office and Facebook. Other 

systems may have the tool enabled by default. With this feature, even a hacker who has stolen your 

password needs additional access to your email account, text messages or even biometric data to gain 

access to your account. 

How to Better Protect Yourself 

With good password security you can minimize your risk from hackers, protecting your data, devices and 

systems from unauthorized access. But even a great password can’t prevent all cyber-attacks. You can 

take your security to the next level with cyber liability insurance from CyberLock Defense. 


CyberLock Defense from Lockton Affinity provides industry-leading cyber 

liability insurance that offers full limits of cybercrime (cyber theft), social 

engineering, fraudulent funds transfer and more. With more than 35 

industry groups eligible, including professional services, health care, 

retail, financial services and more, this comprehensive coverage helps 

protect your business against the costs associated with a cyber attack at 

affordable rates. 

Those interested in coverage can visit CyberLockDefense.com or contact 

CyberLock Defense practice leader Jeff Severino at 913-652-7520 or 

JSeverino@locktonaffinity.com. 



Time to Act: How Real-Time Analytics Can Help Stop the 

Cyber Kill Chain 

Access to Real-Time Contextualized Information through In-Memory Computing Can Help Security 

Teams Spot Evolving Threats Before It’s Too Late 

By Dr. William Bain, CEO and Founder of ScaleOut Software 

In cybersecurity, timing is everything. Whether an attacker is looking for a misconfiguration or zero-day 

to exploit and extract crown jewel data, organizations must scramble to address vulnerabilities and 

counter attacks before it’s too late. Cybersecurity teams manage sprawling systems which generate 

volumes of alerts and data for analysis, but security information and event management (SIEM) software 

often uses tools that don’t speak well to each other, and much of the data needs to be examined offline 

after the fact. These challenges make it difficult to spot issues in the moment and to know when and 

where to act. 

SIEM solutions typically log activities and enable security practitioners to create and apply rulesets that 

extract information for alerting within their organizations. Using dashboards that show managers raw 

telemetry by region or events recorded over time, they help identify possible intrusions and kill chain 

activity that could lead to the injection of malware or other threats. However, delayed forensic analysis of 

logs and the display of large volumes of aggregated telemetry makes it difficult to mitigate emerging 

threats as they occur. While SIEM solutions do a good job of monitoring across attack vectors, they fall 

short in spotting trends in the moment and providing real-time communication throughout a cyber kill 

chain. 



Real-Time Analytics Boost in the Moment Decision Making 

With time of the essence, how can we enhance current techniques and obtain insights fast enough to 

interrupt cyberattacks? How can we provide deeper introspection in real-time on incoming telemetry to 

enable fast, effective action while reducing the likelihood of false positives? 

A new software technique for streaming analytics called “real-time digital twins” (RTDTs) may be the 

answer to this problem. This technique moves the focus from just examining patterns within data streams 

to monitoring the dynamic behavior of data sources, such as nodes within a large network infrastructure. 

For each data source, a separate RTDT software component incorporates evolving information that helps 

analyze incoming messages and update a dynamic assessment of the data source’s condition. This 

approach yields a significantly deeper understanding and better, faster decision-making on whether to 

take action to block a threat which cannot be achieved by just looking at data within an incoming message 

stream. As a result, RTDTs have the potential to rapidly accelerate the execution of SIEM algorithms in 

detecting malicious attacks, correlating events, and possibly intervening in time to halt an attack without 

reacting to false positives. 

The power of RTDTs is made possible by in-memory computing techniques, which can ingest, store and 

analyze large volumes of incoming data within milliseconds. This technology creates new opportunities 

for SIEM software. Instead of just storing incoming events, an in-memory computing platform can 

correlate and analyze them by data source as they arrive. This could enable SIEM software to maintain 

a real-time threat assessment for each network entry point or node that sends events to the system for 

analysis. Instead of requiring security analysts to analyze logged events to build a picture of an evolving 

attack, they could use RTDTs to continuously analyze telemetry from every data source within the 

network infrastructure, and they could visualize the results of this analysis in real time. 

Mapping and Improving Communication Across the Network 

Using RTDTs, organizations could integrate event tracking in memory with associated contextual 

information into existing SIEM solutions and react to potential threats in milliseconds. Many SIEM 

solutions maintain agents that are distributed throughout an organization’s networks to report suspicious 

events that might signal a threat. Instead of just adding these events to a dashboard and logging them 

for offline analysis, they also could track them using RTDTs. Each RTDT could immediately run a 

machine-learning algorithm to classify activities, eliminate false positives, and signal alerts to security 

managers, engineers, CISOs or other key stakeholders when threats or lateral movement risks are 

predicted. 

Beyond that, RTDTs could communicate with each other to help isolate an evolving threat. For example, 

when an event includes information indicating a connection and possible threat to another network node, 

an RTDT could message the target node’s RTDT to improve its threat assessment algorithm in spotting 

suspicious behavior and interrupting kill chains. Sending messages between RTDTs to track the 

progression of an intruder within a network could enable the system to build a real-time map of potential 

kill chains and possibly get ahead of an assailant to block threats. 



Strengthening Security and Time to Action 

By harnessing new approaches for real-time analytics, as made possible with in-memory computing 

hosting real-time digital twins, cybersecurity teams can make use of new technology for monitoring and 

intercepting active threats. This technology can also strengthen current industry tools, such as SIEM 

software, to improve communication and context sharing throughout networks. Now organizations have 

a new weapon for moving from post-attack analysis to identifying an attack in the moment and stopping 

it from happening at all. 


Dr. William L. Bain is the founder and CEO of ScaleOut Software, a 

leader in developing software products to enhance operational 

intelligence within live systems. Over a 40-year career focused on 

parallel computing, Bill he has contributed to advancements at Bell 

Labs Research, Intel, and Microsoft, and holds several patents in 

computer architecture and distributed computing. He earned his 

Ph.D. in electrical engineering from Rice University. Bill can be 

reached through email, LinkedIn and the ScaleOut Software 

Website. 



Combatting Industry Burnout by Building Resilient 

Security Teams 

By Rick McElroy, Principal Cybersecurity Strategist, VMware 

We have reached a pivotal point in the history of cybersecurity. Catalyzed by the shift to an anywherework 

environment during COVID-19, attack surfaces expanded and cybercriminals became more 

sophisticated, creating looming threats for security teams. As a result, stress and burnout within the 

security industry is rising in lockstep. Defenders are stretched thin countering complex attacks, gaining 

visibility into new environments and constantly being on alert. 

Expanding threat landscape increases stress for defenders 

Following the rush to the cloud amid the pandemic, cybercriminals have continued to exploit these 

environments to deliver integrity and destructive attacks, leading to a spike in incident response 

engagements and alerts. According to VMware’s recent Global Incident Response Threat Report, nearly 

half of security professionals said that more than one-third of attacks were targeted at cloud workloads 

and nearly half targeted victims via island hopping. 

The shift to an anywhere-work environment also resulted in adversaries increasingly leveraging business 

communication platforms such as Microsoft Teams, Skype, Slack, Google Chat to move around a given 

environment and launch sophisticated attacks. Our research found that 32 percent of cybersecurity 

professionals observed attackers using business communication platforms to facilitate lateral movement. 

These business communication platforms are the perfect delivery mechanism for attacks because 

organizations and users implicitly trust them and they operate in a known environment. 



As the work environment evolves digitally, it creates more vulnerabilities in the threat landscape, leaving 

enterprises more susceptible to attacks and putting increased pressure on security teams. 

Combating burnout on security teams 

Recently, the Information Systems Security Association found that the cybersecurity skills crisis has not 

only continued, but worsened over the past five years. With cybersecurity skills already in short supply, 

the prospect of losing additional workforce is troubling, especially in the context of the Great Resignation. 

Despite their best efforts, defenders are struggling to counter the growing attacks and gain visibility into 

new environments, such as the cloud, containers, and business communication applications. 

This level of stress is impacting their well-being, which carries significant implications for the industry. 

Over the past 12 months, 51 percent of security professionals experienced extreme stress or burnout, 

and 65 percent said they have considered leaving their job because of it. To help decrease the mounting 

pressure security professionals face, business leaders must prioritize building resilient teams and 

creating a supportive work environment. 

Here are six best practices leaders can implement: 

• Consider rotations of work. It is essential that teams feel like they are developing and progressing 

professionally and they may not be able to do that after being in the same high-stress environment 

year after year. This will not only allow for new perspectives and generate creative ideas but it will 

also give people room to recharge. 

• Empower individuals to take mental health days. An “always on” mentality is not only dangerous to 

the people involved, but can lead to poor and reactive decision making. Forcing people to interact 

with others under already stressful conditions is a recipe for disaster. Allow teams space to work 

and empower them to know when they need to step away. 

• Encourage non-standard activities like meetings outside, walking meetings, and mindfulness 

training. Mindfulness training is designed to help people deal with stress so encourage teams to 

take classes and take periodic breaks to reset their mind and come back refreshed. 

• Invest in solutions that empower defenders to detect and stop attacks. Legacy security systems 

are no longer sufficient for protecting against the sophisticated cyberattacks of today. What’s 

more, these systems require a good amount of manual work and analysis by security teams. Look 

to invest in tools that automate time-consuming, manual processes and ones that empower 

defenders to implement security stacks built for a cloud-first world. When a new tool is introduced, 

give teams time to adjust to the technology before deploying another new tool. 

• Schedule 1-on-1s that are focused on employees. 1-on-1s are a great way to connect with team 

members however they must be used correctly. Instead of discussing a specific project, use the 

time to honestly check-in with team members. Let them set the agenda and allow them to speak 

about what they need. 

• Give defenders a real break after a high stress event. Breaches and compromises can be extremely 

stressful on teams, especially when incidents last multiple days. Teams are rarely given time off 

after these incidents which ultimately leads to burnout and unhappy team members. 

The anywhere-work environment is here to stay, so leaders need to devise a roadmap to proactively 

protect the well-being of their security teams. That should start with arming security professionals with 

the tools and resources needed to do their job while maintaining a healthy mindset. 




Rick McElroy is a Principal Cybersecurity Strategist at VMware. He 

has 24 years of information security experience educating and 

advising organizations on reducing their risk posture and tackling 

tough security challenges. Previously, he held security positions with 

the U.S. Department of Defense, and in several industries including 

retail, insurance, entertainment, cloud computing, and higher 

education. Rick can be reached online at @InfoSecRick and at our 

company website. 



Considering Collateral Intrusion in Digital Forensics 

Achieving A Balance Between Public Protection and Public Privacy 

By Alan McConnell, Forensic Advisor, Cyan 

The importance of digital evidence contained on the personal devices of suspects, victims, and witnesses 

in assisting Law Enforcement investigate serious crime cannot be understated. However, never has the 

public’s awareness of their right to protect personal data on their devices (such as tablets, laptops, and 

smartphones) been as strong as it is today. 

While there appears to be a general acceptance of the need for Law Enforcement to obtain digital 

evidence from personal devices, the recent publication of reports such as “Digital stop and search: how 

the UK police can secretly download everything from your mobile phone” by Privacy International 1 , as 

well as several high-profile news stories questioning the technology Law Enforcement agencies use to 

obtain digital evidence, have brought the issues involved to mainstream attention. 

Digital evidence 

In the not-too-distant past, the recovery of digital evidence was the realm of specialist Cybercrime units, 

investigating cyber dependent crimes such as attacks on computer systems and infrastructure, or cyber 

enabled crimes where computers were used in the commission of ‘traditional’ crimes. 



The proliferation of home computing and mobile digital devices has meant that important digital evidence 

now potentially exists for most criminal cases. In fact, one senior police manager reporting to the House 

of Lords Science and Technology Select Committee in 2019 2 stated that digital evidence now plays a 

role in 90% of criminal cases. 

Such is the volume of potentially relevant digital evidence in criminal cases today, there is a real risk that 

it could overwhelm Police Forces and the judiciary. To mitigate this risk, many Police Forces have, or are 

planning to, roll-out digital triage capabilities to front-line officers to help quickly identify those devices 

that are likely to contain pertinent evidential data and rule out those that do not, reducing the number of 

devices seized for full forensics examination and the volume of data that must be examined. 

This move from individuals’ digital devices only being examined by highly trained expert digital forensic 

analysts, to potentially being routinely examined for evidence by a much larger group of less experienced 

Officers, understandably raises concerns around the preservation of private data. 

Data privacy 

There are few areas of today’s life that do not involve the use of a home computer, mobile phone, or 

tablet. From taking and storing our holiday photos, work communications and internet banking, to private 

communications with family and loved ones, our digital devices are at the very centre of our private lives. 

These devices are an ever-increasing repository for our personal and sensitive information. A cursory 

look at my own browsing history, communications, geo-location data and biometric information would 

piece together to give a surprisingly deep and accurate insight into my social life, state of mind and 

physical health (thanks for telling me to stand up every hour Apple!). 

The data held on my devices is just that: my data. As such, I have every right to expect that my data will 

not be viewed or used by anyone else without my consent. As a former Police Detective and Digital 

Forensic Analyst, however, I am acutely aware that the ever-increasing scope of digital forensic 

capabilities available to Law Enforcement is of immense value when it comes to detecting crimes, 

securing convictions, and identifying victims. Herein lies the problem. 

Collateral intrusion 

Traditional techniques for the recovery of digital evidence have generally been rather indiscriminate in 

what data they obtain from a device. Taking a full forensic image of a computer’s hard drive or external 

storage device or extracting the full contents of a mobile phone before then searching that data for 

evidence pertinent to an investigation is standard practice. However, searching through large amounts 

of data to find a small amount of digital evidence inevitably leads to collateral intrusion, the unintentional 

gathering of non case-relevant data alongside relevant data, into a person’s private data that is not 

pertinent to the investigation. 

Collateral Intrusion in the context of examining a digital device for evidential data can occur in many 

ways, but examples include: 

• Viewing a suspect’s non-pertinent personal photos while looking for images of Child Sexual Abuse 

• Reading communications data outside of the timeframe relevant to the offence being investigated 



• The viewing of data on a device that infringes on the privacy of persons not subject to the 

investigation e.g., acquaintances of the suspect who may appear in photographs 

Selective extraction, whereby Law Enforcement need only collect data from a device that is strictly 

relevant to the case in question, is one approach and potential solution to collateral intrusion, and 

favoured in particular where concerns have been raised that victims and survivors having their entire 

phone examined after a serious sexual assault is a disproportionate and unnecessary invasion of their 

privacy. The challenge therefore is to ensure a balance is struck between the benefits that digital evidence 

brings, and the new ethical dilemmas created by the techniques used to recover that evidence. 

A collaborative approach 

These concerns are understood by the Digital Forensic community and in a commentary submitted to 

the Forensic Science International journal in 2020 3 , a number of updates to the ACPO Good Practice 

Guide for Digital Evidence 4 were proposed, among which was, “All justifiable measures must be taken to 

limit both collateral intrusion and disruption caused by their investigation.” 

The issue of collateral intrusion has also been recognised by UK Policing and earlier this year the College 

of Policing issued new ‘Authorised Professional Practice’ guidance on the extraction of material form 

digital devices’ 5 . 

The examination of a person’s devices for digital evidence will likely always involve an element of 

unavoidable collateral intrusion. Law Enforcement will continue to take measures to minimise this with 

more stringent processes and guidance, but there is also a need for the creators of digital forensic tools 

to assist by developing tools in direct collaboration with Law Enforcement that can help reduce potential 

collateral intrusion by allowing focused targeting and extraction of investigation-relative digital evidence 

only. 

A balance can be found between protecting the public by helping identify digital evidence to ensure 

dangerous offenders are identified and prosecuted, and protecting the public’s right to privacy by helping 

ensure that the recovery of this digital evidence does not compromise a person’s private data. 

By working closely with Law Enforcement, tools need to be developed which give front-line Officers the 

ability to examine digital devices very quickly, and on-site, for known illegal content while completely 

protecting the owner’s privacy by only exposing the investigator to case-relevant data. 

1 - https://privacyinternational.org/report/1699/digital-stop-and-search-how-uk-police-can-secretlydownload-everything-your-mobile 

2 - https://publications.parliament.uk/pa/ld201719/ldselect/ldsctech/333/33302.htm 

3 – “ACPO principles for digital evidence: Time for an update?” - Forensic Science International: Reports 

Volume 2, December 2020 

4 - ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011) - Association of Chief 

Police Officers of England, Wales & Northern Ireland 

5 - https://www.app.college.police.uk/app-content/extraction-of-material-from-digital-devices/ 




Alan McConnell is Forensic Advisor at Cyan. He is an 

experienced Digital Forensic Analyst with 12 years Law 

Enforcement experience of conducting forensic and 

criminal investigations and presenting evidence in court, 

having served as a Detective and Digital Forensic Analyst 

for Police Scotland before joining Cyan in 2019. Alan can 

be reached on Cyan’s twitter @cyanforensics and at our 

company website https://cyanforensics.com/ 



Keeping Health Records Safe from Cyber Criminals 

By Dexter Caffey, Founder and CEO, Smart Eye Technology 

The healthcare industry is currently one of the most lucrative targets for hackers. A recent report by a 

mobile security company shows that many digital health platforms have vulnerabilities that allow criminals 

to access medical health records, personal information, and even credit card and billing information. 

Cyber-thieves then use all this data at their disposal to commit financial/insurance fraud and identity theft. 

Healthcare organizations are usually subject to stringent compliance regulations since they store great 

amounts of sensitive data. However, sensitive information can become prone to hacking when stored 

using cloud technologies. A 2018 report shows that up to 84% of healthcare organizations store data in 

the cloud, indicative of medical facilities being at risk and vulnerable to attacks through that avenue. 

Though some medical facilities choose to store data on more secure private networks, there are reports 

which illustrate that these networks can also be breached. Hackers can obtain employee logins by 

sending employees malicious software disguised as emails. When employees key in their login 

information, criminals can then receive copies, and use this information to steal more data, even from 

secure networks. 

Why Healthcare Records Are Valuable 

The reason this is such a lucrative industry? Cyber criminals can opt to sell stolen medical records for 

hefty prices. 

This has led to a demand for medical information on the dark web. Provider data is sold for up to $500 

per listing, which is then used for fake insurance claims and prescriptions. Health insurance logins, sold 

at an average of $3.25, may be used to obtain medical services allocated for other patients. 



The website PrivacyAffairs.com launched a project called the Dark Web Price Index that provides 

hundreds of examples of data being sold and reported the prices. Aside from medical information and 

health insurance records, other data being sold include online banking logins sold at an average of $40, 

full credit card details ranging from $14-$30, and copies of ID cards. 

Hackers can obtain copies of passports when they are part of a health organization’s data system. A 

forged U.S. passport can be sold for $4,000 while other types of government IDs are sold from $400- 

$500. These are used to help criminals pretend to be US citizens or to be of other nationalities, further 

enabling identity thieves. 

How Medical Records Are Hacked 

Another common form of cyber-attack is through using ransomware, a type of malware that makes data 

inaccessible to the owner. A ransomware attack begins by targeting an employee through phishing, which 

is malware usually disguised as an email to steal employee logins. 

These logins are then used to breach a secure data network so that all records can be encrypted by the 

ransomware, making them inaccessible. Hackers then ask for compensation (or a “ransom” in this case) 

in exchange for data they’ve taken. If the medical facility refuses to pay, the information is then sold on 

the dark web. 

The best way to deal with the situation is not to negotiate but instead call the police. 

Protecting Health Records from Attacks 

In most cases, users don’t know that their computer or network has been infected by ransomware until 

they find that they can no longer access their data. There is little that can be done once this happens. 

To avoid reaching this point, healthcare organizations should invest in data protection and safeguard 

their networks from possible attacks. 

To start, the FBI provides guidelines for organizations to protect themselves from ransomware attacks. 

Since most attacks start by phishing information from users, the FBI warns all healthcare employees to 

be careful about applications they download or links that they click on while working. The FBI also reminds 

organizations to keep all operating systems, software, and applications up-to-date. All computers should 

also have anti-virus and anti-malware solutions set to automatically update and run regular scans. 

Data should be regularly backed up, and checkpoints should be established to ensure that backups are 

completed. Backed-up data should then be further secured, stored independently, and should be kept 

out of access from other computers or networks. 

A continuity plan should also be in place in case an organization becomes the victim of a ransomware 

attack, to ensure that a medical facility can continue providing key healthcare functions if health records 

happen to become inaccessible. 



Moving Forward with Tech in Healthcare 

The digitalization of medical information has introduced technologies that enable medical facilities to store 

and update patient records in real-time, a big leap from the slow process of manual filing. However, these 

new technologies also give rise to new vulnerabilities. 

Healthcare organizations and medical facilities need to adopt not just the latest record-keeping tools but 

also the best security systems to protect their data, making their digitization holistic. 

Cybercriminals are constantly on the lookout for their next victims. Medical facilities should remain vigilant 

to ensure that they can provide the best protection possible for their patients. 


Dexter Caffey, Founder and CEO of Smart Eye Technology. 

Dexter Caffey founded Smart Eye Technology in January 2018. 

Prior to his tech startup, Mr. Caffey founded an alternative investment 

firm, Caffey Investment Group, in 1998 at the age of 25. 

While on a business trip to Israel in the fall of 2017, Mr. Caffey attended 

a cybersecurity conference. As he chatted with another conference 

attendee who was a cybersecurity expert, he happened to glance at 

the man’s laptop screen and saw open word documents and PDF files. 

“Why should I be able to see any document on this guy’s laptop?” 

He asked himself “what if I could create an app that prevented anyone else from seeing what’s on my 

screen? An app that would look at their face and say, ‘Nope, I only recognize Dexter’s face. We’re 

blocking you out.’” The idea and pursuit of a new type of technology to help protect the privacy of 

confidential information was born. 

Dexter can be reached online at LinkedIn and at our company website https://smarteyetechnology.com/ 



Why Your Hospital Network Needs an IoT Security Policy 

By Marc Laliberte, Technical Security Operations Manager, WatchGuard Technologies 

The Internet of Things (IoT) industry has a security problem that has existed since its inception. From the 

Mirai botnet that took disrupted internet goliaths like Netflix, Twitter, and Reddit in 2016 to the recent 

Verkada security camera breaches that impacted tech giants Tesla and Cloudflare, IoT weaknesses have 

continued to be a popular tool in the cybercriminal arsenal despite constant warnings from security 

professionals. While these high-profile breaches draw attention to traditional IoT devices and their 

security concerns, other classes of IoT continue to skyrocket in adoption rates despite having just as 

serious of security concerns and potentially even more disastrous of results in the event of a breach. IoT 

in the healthcare industry is a perfect example of this trend. Industry experts place the healthcare IoT 

adoption on track to reaching a massive 25.9% compound annual growth rate (CAGR) by 2028, primarily 

because of the massive benefit network-connected sensors and data sharing provide. But that benefit 

comes at the cost of increased attack surface for threat actors. 

The medical industry faces a unique concern where technical issues can manifest to actual life and death 

scenarios. Additionally, healthcare delivery organizations (HDOs) like hospitals and clinics often rely on 

expensive highly customized applications and devices that they are then hesitant to apply updates and 



patches to for risk of breaking something and leaving them without their critical tools. Drawing parallels 

to traditional IoT that typically comes as custom software running on a several-year-old flavor of Linux, 

medical IoT devices are often built on archaic versions of Microsoft Windows and Windows Server. In 

fact, last year researchers found 45% of medical devices were vulnerable to the critical BlueKeep 

Windows exploit that Microsoft considered serious enough to release legacy patches for out of support 

versions of their operating system. 

IoT security concerns can boil down to three main issues, 1) A lack of security considerations during 

manufacturing, 2) A lack of knowledge and visibility for those that deploy IoT, and 3) A lack of device 

update management after deployment. The first issue, security considerations during manufacturing, is 

largely because most IoT consumers demand devices that are inexpensive and first and foremost. When 

the only concerns are that the device is cheap and that it technically works, manufacturers lack incentive 

to spend resources improving the security of their products. This leads to devices with weak hard-coded 

passwords, outdated software, and operating systems lacking even basic hardening protections. The 

2016 Mirai botnet flourished not by exploiting some sophisticated zero-day vulnerability in IoT cameras, 

but by running through a list of 61 common usernames and passwords against a management interface 

left open by the device manufacturers. 

When it comes time to deploy IoT, network and systems administrators face the difficult task of managing 

devices where endpoint-based detection and visibility tools are either unavailable or highly discouraged 

to reduce risk of interfering with the device. IT teams are also faced with the difficult task of identifying 

rogue IoT on their networks added there by employees. While the devices themselves don’t hold much 

of value for cyber criminals, infected IoT can act as a base camp for moving laterally behind a network’s 

perimeter. 

Even when researchers identify and disclose vulnerabilities in IoT devices, applying security updates 

often ranges from difficult to impossible. Many IoT deployments have no considerations for long-term 

maintenance which means identified vulnerabilities stick around. Last year, researchers at JSOF 

identified vulnerabilities in a popular network connectivity library present on hundreds of millions of IoT 

devices which they called Ripple20. Vulnerabilities like Ripple20 in traditional endpoints and systems are 

usually handled with a simple software update but in embedded systems like IoT, applying those updates 

isn’t a simple task. 

Despite these security concerns, IoT is here to stay, and for good reason. Network-connected medical 

equipment enables healthcare professionals to provide faster and more accurate diagnostics and greater 

efficiencies at a time where our global healthcare system is under tremendous stress. IoT adoption is 

skyrocketing because the benefits outweigh the security concerns. But just because the security 

concerns are outweighed, doesn’t mean they can be ignored. To successfully deploy these new 

technologies while maintaining a strong security posture, healthcare organizations must be proactive 

about defining an IoT policy that accounts for the additional care these devices require. 



While the most “secure” solution would be to unplug everything, there may be a very good reason to keep 

around that device running on an out-of-date version of Windows even though it is a block of metaphorical 

swiss cheese when it comes to security. Determining the business case for your IoT deployment is an 

important first step towards building a strong policy. Part of this process is knowing what you have in the 

first place though. IoT devices are notoriously difficult to keep track of due to a lack in compatible endpoint 

agents. This is where network visibility tools like scanners with robust fingerprinting engines come in 

handy to crawl through the dark corners of your network and spot hosts you may have missed. Don’t 

treat this as a one-off thing either, monitoring and visibility must be an ongoing process for to be 

successful. 

You’ll also need to consider how you deploy IoT. This class of devices is one of the greatest benefactors 

of the zero-trust approach to security. Zero-trust is a whole other discussion on its own but the bulk of it 

comes down to moving to a never-trust, always verify approach to security. Instead of treating your 

internal network like a safe haven protected by a shielded perimeter, consider the safeguards you need 

in place to stop a malicious user or endpoint already on the inside from wreaking havoc. For IoT, this 

means deploying devices on segregated networks away from your other systems and especially away 

from your most critical resources. If you find you have the business justification to keep around that 

unpatched system, protect it on the network level by restricting access to the specific ports and protocols 

required for that tool to function and by applying security services to those connections to identify network 

attacks and malware. Be sure to regularly audit your IoT devices with vulnerability scans and security 

assessments so you know what you need to defend against and aren’t blindsided by something you didn’t 

spot. 

Finally, make sure you are using your visibility tools to their full potential. Even if you can’t deploy 

protections on a device directly, you can still use tools to identify anomalous activity and raise the alarm 

in the event of something suspicious. Network intrusion detection systems can help cover the weak spots 

left open by IoT. The fact of the matter is, you will stop 100% of attacks and anyone who tells you 

otherwise is lying to you. If you keep all your eggs in the “prevention” basket while ignoring detection and 

response capabilities, you’ll end up having a significantly more difficult time identifying those incidents 

that do make it through your defenses. 

IoT has its proven benefits, but not without security drawbacks. It isn’t too late to get started on a strong 

IoT security policy and tackle those security concerns head on. With the right planning, paired with strong 

technical controls, you can make the most of what these devices have to offer and still sleep somewhat 

easily at night. 




Marc Laliberte is the Technical Security Operations Manager 

at WatchGuard Technologies. Specializing in networking 

security protocols and Internet of Things technologies, Marc’s 

day-to-day responsibilities include researching and reporting on 

the latest information security threats and trends. He has 

discovered, analyzed, responsibly disclosed and reported on 

numerous security vulnerabilities in a variety of Internet of Things 

devices since joining the WatchGuard team in 2012. With 

speaking appearances at industry events including RSA and 

regular contributions to online IT, technology and security 

publications, Marc is a thought leader who provides insightful 

security guidance to all levels of IT personnel. 

Marc can be reached online at @XORRO_ and at https://www.watchguard.com 



Offense Activities Sharing in Criminal Justice Case 

By Milica D. Djekic 

The criminal justice case could include a broad spectrum of details getting the need to be deeply explored 

and investigated by the case management team and the other officers. The offense activities are not only 

limited to the crime scene and they can get delivered, shared and transferred domestically, regionally or 

in the transnational manner. In this effort, we would analyze the common criminal justice scheme being 

the theft that can be committed in the frequent places normally targeting the victims who would do the 

stoppage or just slow down with their moving. The thieves could operate in any public area independently 

or as a group and as it’s so hard to imagine the thief working without any communications or logistics on 

even being somehow apart from his zone – it’s clear that such an offender could belong to the criminal 

group that would conduct the joint offense operation, so far. Through this article, we intend to introduce 

the terms Offense-as-a-Teaming (OaaT) and Crime-as-a-Teaming (CaaT) as well as explain how some 

sort of criminality could pull in a number of the criminal justice offenders in order to commit the offense 

together. In no case, the discussed crime as the theft is would not mean any kind of organized crime 

activity, but it also can invoke several criminals on the spot and some of them in the background. The 

offense activities being conducted on the crime scene and wider could include sharing of goods, money, 

communications and logistics resources being from the vital significance in doing the criminal or another 

offense. In other words, all offense activities should get studied carefully and step-by-step as the entire 



crime scene could appear as the quite complex and dynamic environment providing a plenty of details 

and actions. For instance, taking the money from the victim and giving it to the co-offender is the crime 

scene activity being shared through the criminal justice case. The OaaT and CaaT are the terms that 

would cover on the events occurring through committing the offense on the spot and those phrases would 

be explained through this effort the later on. The theft by itself could cope with the connotation of the less 

serious crime and even if it would look like it can get understanded through some kind of the regular 

models, the situation in the practice is far more complicated. The main reasons for so are the theft can 

happen anywhere in the public and sometimes it’s quite challenging providing the accurate and timing 

information about where, when and how such an offense occurred. In other words, it’s up to the 

investigators to resolve such a complaint and document the entire criminal justice scheme in order to 

give some effort to the future crime prevention on. Next, it could be so important to deal with the 

comprehensive crime scene modeling and management in order to deeply understand the entire event 

and all its actors. The communications linkage is the best way to diagnose the entire case and figure out 

how many offenders have been engaged into the entire crime scheme. Through this contribution, we 

would want to stress out the standard criminal justice scenarios regarding the theft offense as well as 

make some starting points how such a crime could get resolved completely and in details following the 

procedures as well as the best practice being well-developed within any competitive law enforcement 

agency and the overall case management groups. 

Introduction 

The purpose of this review is to give some ideas and perspectives to the law enforcement officers doing 

the investigation how well they could investigate the usual crime as the theft is. Normally, the thieves 

would choose the overcrowded spots such as the downtowns, public transportation and trading spots for 

a reason those would be the areas of the people getting with themselves the money, jewelry and credit 

cards. The persons in the busy places would be in the rush and the offenders would know so as they 

would be present on the spot and monitor any single move happening there. Their experience would 

teach them that it’s quite unsafe getting anything from anyone being in the fast walk. Also, anyone being 

in strength could resist if he figures out someone is putting his fingers into his pocket. Those are so 

challenging to the thieves, so they would put an eye on everyone and patiently wait for their target to stop 

or even slow down as they could conduct their operation on. Apparently, if someone is in the shape and 

moving quickly the offender may attempt the offense, but there are the realistic chances that he would 

miss to grab the catch or he would anyhow get into trouble if the targeting person makes a decision to 

strike back. So, the skillful thieves would select to attack once someone has stopped or slowed down 

doing, say, taking on the bus through the peak hour. In such a time, the frequency of the people in the 

public is quite high and the persons waiting on the bus doors to take on must slow down and that’s so 

convenient moment to attack that person from his back. It cannot be guaranteed that the thief would get 

any catch in every single attempt, but sometimes the people using the public transportation could get 

something valuable with themselves. On the other hand, when we take into consideration the public spot 

as the shopping center is it’s obvious that the people in shopping need to slow down when they do some 

payment, pack their bags or transfer the goods from their carriage into their cars. The common sense 

would suggest to the thief that’s the perfect moment to attack and in such a case his chances to get the 

good catch could only increase. The similar situation is in any downtown as there are a lot of people 

getting concentrated in the small area and the offender would commonly circulate through that spot. In 

other words, no thief once in action would be on rest unless his victim from the crowd would stop for a 

moment to check out something and when the incident occurs the criminal would not remain close to that 

place, but he would continue moving trying to leave the crime scene, so far. 



Someone being good in the theft business would have the skill to steal anything from anyone not even 

getting noticed to do so. The public spots could offer a heap of places for sitting or remaining aside in 

any fashion and the experienced thieves would use such an advantage to stay less obvious and do the 

good observation of such a terrain. So, if they notice anyone walking slowly or taking a break they would 

simply attack and if their estimation got accurate they would be satisfied with what they obtained through 

that illegal activity. The reason why the thieves would operate as a team is that they would get the better 

control of their zone and they would cover on each other in a much more secure way. Also, the thieves 

could rely on the strong logistics in order to escape from the crime scene. For instance, the theft teams 

could use any kind of traffic systems in order to commit the crime or leave the place with some catch. 

The experienced Police officers could easily recognize the criminal behavior and the offenders would be 

aware of that, so they would use the new tactics and techniques in order to remain less obvious. One of 

the well-known tactics of staying less obvious is taking care about the appearance and the overall outfit. 

For example, the intelligently chosen cloths could make anyone getting the part of the environment. In 

addition, there are some standard behavioral and habit models that could suggest the suspicious 

activities. The law enforcement officers have the task to provide the certain level of safety and security 

to the community and for such a reason it’s necessary to study the ongoing tendencies as such a method 

could be the best way to prevent and respond to the crime. In other words, if it’s well-known that the theft 

offense could happen in the crowded areas it’s requiring to monitor those spots from time to time. The 

role of the law enforcement is to remove the crime from the street in the same time providing the relatively 

safe working conditions to their workforce. That’s quite difficult to obtain, so that’s why it’s needed to think 

smart in order to assure everyone including the members of the public from being attacked or harmed, 

so far. 

The main question to the thieves in the public is how to remain less visible to the common people or the 

authorities patrolling on. So, the concern to any thief is how to steal something from someone in so skillful 

and secret manner not dragging a lot of attention from the victim’s surrounding. The fact is the thieves 

would choose to attack the weak, old and slowing down community members as they would not notice 

such an offense at that certain moment or they would not get capable to resist if they even get anything 

about such a crime. The towns, cities and other populated areas are well known for their rush, fast pace 

and overcrowding, so the victims in there could get just captured by the local criminal groups and left in 

the shock sometimes being injured or hurt by the offenders. The most reliable way to the offender to 

attack and take something from his victim is the moment when that person is on the stoppage or slowing 

down. That may happen when the person is making cell phone calls, doing texting in the public or using 

the phone cabins on the street. In such a situation, the potential victim is less aware about what is going 

on and the experienced street criminal would know how to take advantage over such an occurrence. The 

point is the thieves are not scared from the street and they can spend the hours outside waiting for the 

right moment to attack. The practice would show they can use some of their camouflage tactics in order 

to remain less obvious and in such a sense it’s not surprising that they could pretend they are taking the 

break somewhere or doing anything being so common to that busy spot. The good criminologists would 

deeply study and understand the psychology of these street predators and they would know that the 

offenders could count on one or more accommodations in so convenient areas of the populated place 

which would serve them to take a rest, get some food and drink or change the cloths. In other words, 

once on the crime scene the offenders could demonstrate the confidence about what they do and the 

seriously heavy cases would not show the fear even if they see the Police on the spot. They have the 

strong nerves and in any situation they can find the way to leave that site so calmly. The best method to 

hide in some environment is to be the part of that surrounding and if the criminal can change his 

appearance depending where he is at that certain time, he would definitely win the battle over the 

authorities as well as the victim of the criminal offense. It may seem that sending the patrolling car or the 

officers on the feet could be the good preventive measure for the theft criminalities. In our opinion, that 

methodology could make less confident criminals hesitate, but the experienced street beasts would 



continue doing what they normally do. The theft can bring the good profit and no one would willingly give 

up from so. There are relatively safe places in the world, but the majority of cities anywhere across the 

globe could cope with some kind of violence if the authorities make a decision to attempt such an 

aggressive approach. So, if there is the need to prevent the theft in the public, the smart game should 

get played against those troubling individuals and further through this effort we would explain what the 

best techniques to avoid some of the false positives are. 

The theft as a crime is well-studied through the practice and anyone coping with that sort of offense is 

aware how hard it can be to combat the criminal groups committing such a criminality. In our 

understanding, it’s about the joint offense and in other words, it’s difficult to imagine the lone wolf thief. 

The places being so attractive tourist destinations are so suitable spots for doing the theft and the 

experienced offenders would just monitor on the internationals not belonging to the local community how 

they would deal with the unknown environment. The offenders would be well-familiar with any single part 

of that area, while the tourists would not even know the basic orientation amongst that surrounding. They 

would usually rely on the maps or another navigation system – commonly stopping and asking for the 

information, so in other words, they would be more than obvious to the local criminal groups as someone 

coming from aboard. The people on the journey are relaxed and they would spend a plenty of time doing 

sightseeing or taking the photos and recordings not paying any attention on what is happening around 

them. Also, there would be so many opportunities to buy so lovely souvenirs to the family members and 

friends and the tourists would enjoy doing so. In addition, the local thieves would be so confident about 

their zone, while the people coming from the other places would know nothing or just a bit about such a 

territory. Also, there is the realistic chance that some of the less serious thefts would never get reported 

to the local authorities for a reason the tourists would simply give up from the complaint for not knowing 

anything about the local Police. Many would not cope with the local language, so they could get scared 

to even attempt anything. The most important stuffs such as the passports and the travelling tickets could 

get left in the hotel rooms, while the objects like cameras, money and credit cards could go on excursion 

with the visitors. Practically, those things are under the threat and the thieves would carefully choose to 

commit the crime that would never get reported to the law enforcement agencies. Sometimes the people 

could get unconfident if the object got stolen or just missed somewhere. Stealing the credit card to anyone 

who would enjoy the excursion could be the risk, but that risk can bring the good profit on. Differently 

saying, the street predators could concentrate to get something valuable as jewelry, watches, video 

cameras, some money or anything else not being under the focus for a reason of enjoying so beautiful 

time in some world’s famous environment, so far. 

On the other hand, the thieves would develop the strong need of being active and always on the move 

in order to avoid the criminal justice. Their victims could be the both – domestic or international people 

and in the big places the majority of sightseeing spots would normally be overcrowded with the visitors 

and the offenders would circulate there looking for someone being so free and unaware of the dangers 

of the unknown environment. Those streets predators would so deeply cope with the psychology of their 

victims and they would literally flawlessly estimate the right moment to attack. In our belief, the theft is 

the joint offense and it can occur under the certain circumstances which should get studied by the skillful 

criminologists who are capable to analyze those tendencies. The challenge plus is that so many those 

offenses would never get reported to the Police, so the authorities would stay without any information 

about such a criminal offense. At the very beginning of this article, we would introduce two terms being 

Offense-as-a-Teaming and Crime-as-a-Teaming, so it’s important to provide a bit more suggestions 

about those phrases. The Offense-as-a-Teaming (OaaT) is any act of violation or criminality that includes 

more than one actor to get committed on. That offense could be recognized as a joint effort to break the 

law or another legal regulation, so far. The similar case is with the Crime-as-a-Teaming (CaaT) indicating 

on something being fully criminal and conducted as the joint activity. Apparently, through this effort we 



would discuss the possibilities of tackling the theft as an offense in the community coping with some 

preventive as well as diagnostics measures. The fact is that form of criminality could get challenged 

invoking the patrolling forces, but that step could be quite counter-productive for a reason it could cause 

some kind of the street violence. The greatest weakness of anyone committing the OaaT or CaaT is his 

dependability on the team that is connected using the communications technologies. In other words, if 

we try to develop the intelligent methodologies how to model and control the crime scene relying on cyber 

networks, we could count on the adequate response to such illegal activities that would, consequently, 

get better prevented on. 

The need of reliable communications 

The OaaT and CaaT would get the teaming in common suggesting it’s about the joint activity that would 

rely on the team as the lawbreaking unit. The biggest challenge to such a group is how to operate in the 

public maintaining the touch with each other. Those offenders would count on each other and so 

frequently need each other to get covered and protected. Basically, there is no the true trust between the 

criminals as they would only deal with some rules being typical to their environment. The point is those 

individuals would need to manage their communications as well as information exchange somehow, so 

as anyone else they would develop some sort of the dependability on the emerging technologies. It would 

appear that with the discoveries of the first modern communications systems the history would happen 

faster than ever and the entire human kind would begin living at the extremely prompt pace. The similar 

situation is with the criminal environment that would exchange the findings in the sub-second period of 

time. In other words, as anyone else the criminals would get dependable on cyber solutions. To remind, 

the cyber is anything being correlated with the internet, computers and mobile systems and at this stage 

of our development that’s something being available in so commercial fashion. In other words, the 

offenders committing the theft are also in the need for the reliable communications, so they would 

commonly apply the cell phones, mobile devices, internet connectivity and satellite communications in 

order to maintain the contact with each other. Once they are on their terrain looking for committing the 

crime, they would talk to each other using the current communications solutions. Practically, that’s the 

great trap to them for a reason that’s how they would leave the trace in the cyberspace and get more 

approachable to the authorities. To be honest, there is no silver bullet in any field of the interest, so the 

similar case is with the criminology. Apparently, no approach can give the instant results and resolve 

literally everything, so far. Right here, what we can do is to make some suggestions how some basic theft 

cases could get handled using the policing procedures, policies and best practices. 

On the other hand, it’s significant to figure out how the theft crime appears as well as realize that any 

offender doing so would carry on with himself the communications device that would send and receive 

some electricity signal on. The Police can catch that electricity activity using so professional equipment 

and that’s how the offenders could be discovered. The problem is someone being the victim of the theft 

would not necessarily get aware when the crime occurred, so the authorities would only deal with the 

complaint that something got stolen – but they would not know how and when. In other words, the Police 

members at the first stage could deal with the quite wide crime scene that should get searched somehow. 

In this paper, we would mention some tips and guidelines on how the investigation regarding the theft 

offense could get run and conducted, but as we said such an approach is not necessary the winning one 

in the practice. As we said, the tendency would show that the thieves would choose to attack when the 

victim is doing stoppage or slowing down, so once the investigative team has obtained the inspection of 

the crime scene and started looking in the cyberspace for more clues – they can firstly try to capture 

those moments of the victims cell phone signal when he stopped or slowed down. In any such an 

occurrence, it’s so important to look for the closest electronics devices because some of them could 

belong to the thief and if that method provides some outcomes regarding the criminal offender 



identification the entire team doing that offense could get diagnosticated and put under the case. It’s quite 

obvious that this tactic could offer some results in the investigation, but it is not fully comprehensive and 

straightforward as it needs a lot of hard work and smart thinking in order to get advantaging to the 

investigators. Practically, it’s possible to discover the entire criminal group following such a suggestion, 

but it’s not absolutely guaranteed that the certain case would get resolved coping with such a strategy 

only. In other words, the victim of theft would report about the abuse and the investigation should cope 

with the most common tactics in order to tackle the case and discover who has committed the crime, so 

for such a purpose it’s important to look for the track in the cyberspace, so far. 

The most common way for offenders to exchange the information on the crime scene or wider is using 

the GSM, GPRS, GPS and TCP/IP communications and navigation channels. The simple Smartphone 

being the mobile device has the capacity to offer such a broad spectrum of services, so the forensic 

detectives should look for the very first track right there. In the practice, maybe some theft crime scene 

would get investigated and reconstructed so deeply, but it’s also important to take into the consideration 

the fact the theft teams would not only steal the money, but commonly some of the valuable objects. For 

instance, if anyone’s laptop, credit card or camera has been stolen on the spot, it’s clear that the criminals 

would not take with themselves those stuffs and keep them in their accommodation – but they would 

rather find the ways to make advantage over such a stolen good. In other words, the street predators are 

usually connected with the entire black market and our suggestion how the entire criminal ring could get 

tracked in the cyberspace has its arguments even in such a case. So, what is so crucially needed in 

responding to such a challenging offense or the group of offenses is the skill in both – physical and hightech 

domain, so if the needed procedures and policies are not yet developed – the law enforcement 

agencies should work hard to do so effectively and in such a manner tackle and understand that complex 

landscape. 

The common logistics schemes 

It’s quite interesting to imagine how it works when the theft is occurring on the crime scene and the 

offenders are trying to rely on some logistics support. Apparently, the theft can be committed in both – 

public spot and public transportation and in the both cases the offenders should cope with the good 

tactics how to avoid any sort of complications on the crime scene. If the crime is happening amongst 

some busy place, it’s so obvious that there could be some private vehicles within the parking areas that 

can serve as the suitable logistics backup. In other words, the offenders need to appear and escape from 

the crime scene, so for such a purpose they would use either the private vehicles with someone sitting 

in there and waiting for them or they would take advantage over the public transportation network. In the 

both cases, the risk is more or less the similar. The well-known scheme is that someone being in the 

logistics as a backup could apply cyber technologies and track the route of the offender on some mobile 

device map trying to get the most appropriate moment to come and pick up the criminal from the crime 

scene. The common scenario is that the thieves could have some accommodation in some area of the 

town and they can use that place to take a rest or do some of the basic human needs, so far. That 

accommodation could get recognized as their nest that can serve to get prepared for the offense, make 

the plan about the crime and keep some of the stolen good before it gets sold on the black market. In 

addition, the logistics could also rely on cyber technologies in sense of monitoring, tracking and 

navigation the criminals on the spot usually doing so from the background. The experience would suggest 

that the thieves are not necessary in the same zone during the day, but they are rather shifting from one 

area to another. That could be the good camouflage scenario and the intelligent tactic to avoid the law 

enforcement officers. In any sense, the theft as a crime could be the quite huge challenge and the source 

of the competitive profit that could make the community members being unsafe and the entire society 

suffering the drawback in case of the inadequate response to such a scheme. 



The ways of escaping from crime scene 

In the practice, the offenders could stay close to the crime scene once they commit the crime or they can 

try to escape either immediately or with some time delay. If the crime is happening in the downtown, it’s 

possible the offenders would cope with the secret spots to hide and if the seizure occurs they can either 

chose to hide in the public or escape from the crime scene so promptly using their own vehicles or the 

public logistics. The Police patrolling is always close to any neighborhood and once someone reports 

that something has been stolen from him the officers would come to make the inspection. In the 

criminology, the theft is considered as the less serious crime, but the fact is it should not get observed 

like so as it brings the good incomes to anyone being in such a business. In other words, it’s important 

to cope with such a crime tendency and make the well-studied reports that could support any Police 

Department to understand, tackle and respond to such a concern, so far. 

Discussions & Conclusions 

Investigating the theft is not the easy task and the entire investigation should cope with the well-developed 

procedures and evidence collecting as the ultimate goals in the case management. Also, it’s needed to 

understand the psychology of the offender as well as the victim in order to recognize some of the trends 

going on at the street. Everything must be according to the law and the investigation is updated hour by 

hour in order to keep its course and choose the new methods and tactics in gaining the findings and 

clues, so far. The investigators being relevant to those cases could through the experience demonstrate 

the high level of proficiency in the criminal justice investigation as well as show some of the innovative 

approaches to their tasks. Finally, there are some suggestions and guidelines how that sort of the crime 

could get resolved, but it’s needed to follow the entire social and cultural trends, so far. 

About The Author 

Milica D. Djekic is an Independent Researcher from Subotica, 

the Republic of Serbia. She received her engineering 

background from the Faculty of Mechanical Engineering, 

University of Belgrade. She writes for some domestic and 

overseas presses and she is also the author of the book “The 

Internet of Things: Concept, Applications and Security” and 

“The Insider’s Threats: Operational, Tactical and Strategic 

Perspective“ being published in 2017 and 2021 respectively 

with the Lambert Academic Publishing. Milica is also a speaker 

with the BrightTALK expert’s channel. She is the member of an 

ASIS International since 2017 and contributor to the Australian 

Cyber Security Magazine since 2018. Milica's research efforts are recognized with Computer Emergency 

Response Team for the European Union (CERT-EU), Censys Press, BU-CERT UK and EASA European 

Centre for Cybersecurity in Aviation (ECCSA). Her fields of interests are cyber defense, technology and 

business. Milica is a person with disability. 



Cybersecurity Challenges of Working from Home during 

COVID-19 Pandemic and a Proposed 8 step WFH 

Cyber-attack Mitigation Plan 

By Glorin Sebastian, Senior Consultant, EY 

This article is a review of the study conducted and presented by the author at the 36th IBIMA conference 

in Granada, Spain. It has been widely discussed that, one of the main cybersecurity problems with the 

Covid pandemic and increased remote work is that even though work from home provides greater 

productivity and flexibility, employees working from home have a higher chance of being victims to cyber 

incidents and much higher chances of their systems being infected by a Malware or virus [1]. 

Glorin’s study aimed at confirming this issue and also to identify a framework of cybersecurity controls 

that would be used to mitigate the cyber-attacks, that could be faced by remote employees while working 

from home. Based on the survey conducted as part of Glorin’s study [2], it was found that over 60% of 

the respondents agreed that there has been an increase in fraudulent emails, Phishing attempts, and 

spam to corporate email, since start of Covid-19 Pandemic. As part of the study based on responses 

from survey participants and also based on best practices, an 8 step WFH Cyber-attack Mitigation Plan 

was suggested, the steps in this proposed mitigation plan include: 

1. Remote Monitoring: Installing centralized network scanning techniques including firm firewalls that 

restrict network traffic. This step also includes securing the network and the router making sure it is 

updated with the latest firmware and that auto-updates are enabled. Further the internet service provider 

would be able to provide instructions on how to securely configure the router. 

2. Incident Management: Incident management by the firm IT team should be enabled on the employee 

IT systems used for remote work, which is an extension of the firm level IT Monitoring and includes SIEM 



(Security information and event management) that provides real-time analysis of security issues 

generated. 

3. Employee training: It is to be made sure that employees are provided with appropriate training to 

ensure they are aware of the various cybersecurity attacks that they could face while working remotely. 

This involves making the correct selection of security settings on their work devices like choosing the 

WPA2 Security option for enhanced Wi-Fi Security. 

4. Access controls: Ensuring the users have proper access controls and making sure to maintain proper 

segregation of duties between two conflicting business functions is important. Another method to 

implement access controls would be network segmentation by creating multiple "subnets" in your Home 

network, each with their own SSID to connect to. One could be used for office work, the other for family 

and finally a third for home devices. Thus, once a device gets compromised, it cannot easily be used to 

eavesdrop on the other subnets. 

5. Backups and BIA Recovery plans: The firms disaster recovery plan should include backups and BIA 

(Business impact assessment) to set precedence for effective communication, mitigation, and recovery 

in case of critical cyberattacks and this recovery plan should be extended to firm IT systems used by 

employees for work from home as well. 

6. VPN & Multi-Factor Authentication: Both using VPN (Virtual private network) and MFA (Multi Factor 

authentication) ensures the user data is protected. Employees that access company Data while 

connected to a VPN ensure that the Data in motion between 2 devices on the Public network is protected, 

same as they are connected over a Private network. It is also crucial to change your router's default SSID 

(Service Set Identifier) including administrative password and network password. Passwords should use 

a passphrase which is usually tougher to crack. Reuse of passwords should be avoided via firm policy. 

7. Vendor Security controls: Given a lot of critical Business processes and Data are outsourced to 

vendors, it is important to ensure that controls, especially Security controls on the Vendor side are 

effective. 

8. End-point Security and patching: Endpoint Security ensures each end point that is connected to the 

central corporate network is compliant to the organization standards and thus protects employee systems 

from malware, ransom ware and other similar cyber-attacks. 

FOOTNOTES: 

[1] 6 Cybersecurity Tips When You Work From Home, John Egan, Daphne Foreman, "www.forbes.com/ 

advisor/personal-finance/cybersecurity-tips-when-you-work-from-home/" 

[2] Glorin SEBASTIAN (2021)," A Descriptive Study on Cybersecurity Challenges of Working from Home 

during COVID-19 Pandemic and a Proposed 8 step WFH Cyber-attack Mitigation Plan", Communications 

of the IBIMA, Vol. 2021 (2021), Article ID 589235, DOI: 10.5171/2021.589235 

https://ibimapublishing.com /articles/CIBIMA/2021/589235/589235.pdf 




Glorin Sebastian is a Senior Consultant with one of the big four 

accounting firms in its Technology Consulting practice with over seven 

years of experience in IT risk and cybersecurity compliance. He is a 

certified CISSP and CISA. and helps perform IT regulatory and 

cybersecurity audits as well as works to mitigate firm IT risks by 

designing and implementing effective Application Security and 

Controls associated with ERP system implementations. Being a part 

time Masters in Cybersecurity student at Georgia Institute of 

Technology, he also does part time Cybersecurity research trying to solve some of the common 

cybersecurity issues. You can connect with Glorin here: Glorin Sebastian CISSP,CISA - Advisory Senior 

Consultant - EY | LinkedIn 



HTML Smuggling: A Resurgent Cause for Concern 

By Vinay Pidathala, Director of Security Research, Menlo Security 

Cybersecurity is never straightforward. 

While defense techniques, technologies, policies and methodologies continue to evolve at pace, such 

defenses often trail in the wake of novel cyber attacks that seek out and exploit vulnerabilities in new 

ways, catching security teams off guard. 

Indeed, recent times have provided many headaches for security professionals; Cybersecurity Ventures 

reveals that cyber attacks in 2021 will amount to a collective cost of approximately $6 trillion – and the 

situation isn’t forecast to improve any time soon. Where attacks are expected to intensify by an additional 

15% a year for the next four years, total cyber attack-centric damages could amount to as much as $10.5 

trillion by 2025. 

One of the main concerns today is the exponentially growing number of techniques that cybercriminals 

are adding to their arsenal. Whether that’s malware, ransomware, DDoS attacks or phishing, they 

continue to expand their techniques, with the next being ever more malicious than the last. 



HTML Smuggling explained 

HTML Smuggling is a prime example of this in action. 

While the broad concept itself is nothing new, the threat is making something of a resurgence having 

recently been used by Nobelium – the hackers behind the renowned SolarWinds attack that was 

uncovered in December 2020. 

In simple terms, HTML Smuggling provides hackers with a means of bypassing perimeter security 

through the generation of malicious code behind a firewall. This is executed in the browser on the target 

endpoint. 

Where a malicious payload is constructed in the browser, no objects need to be transferred, which 

network perimeter security systems might typically detect. As a result, through HTML Smuggling, many 

commonly used, traditional security solutions, such as sandboxes and legacy proxies, can be 

sidestepped. 

ISOMorph – a new variation 

This is what happened in the case of Nobelium’s HTML Smuggling attack that we are calling ISOMorph. 

Here, popular talk over voice, video, and text digital communication platform Discord was targeted, the 

app being home to more than 150 million active users. 

With ISOMorph, HTML Smuggling allows the first attack element to be dropped onto a victim's computer. 

This is then constructed on the endpoint, removing the opportunity for detection. After installation, the 

hackers are then able to execute the payload that infects the computer with remote access trojans 

(RATs), before setting about logging passwords and exfiltrating data. 

While the resurgence of HTML Smuggling through ISOMorph is new, it shouldn’t necessarily come as 

any great surprise. Indeed, from the cyber attackers’ perspective, it is a logical avenue to pursue. 

Thanks to the pandemic, remote and hybrid working has become the new norm. Where such working 

models are now commonly used, the increased use of cloud services and expansion of organizations’ 

digital footprints has exposed a series of new security related challenges. 

Today, the browser plays a more vital role in day-to-day operations than ever before – yet, unfortunately, 

it remains one of the weakest links in the cybersecurity chain, making HTML Smuggling an all the more 

attractive proposition to threat actors. 

From access to execution 

So, what should we be looking out for in the case of an HTML Smuggling attack? 

In the case of ISOMorph, Menlo Security’s analysis has shown that attackers are using both email 

attachments and web drive-by downloads to achieve initial infection. 



Thereafter, using JavaScript, they are opting to use a technique often used by web developers to optimize 

file downloads. This entails the construction of the malicious payload on the HTML page as opposed to 

making an HTTP request that can then retrieve a desired asset from a web server. 

With ISOMorph, the payload in question was an ISO file – a disk image that contains all the required 

components that would be able to install software. The benefit of the ISO file is that it does not require 

the endpoint to have any third-party software to install. In this instance, ISOMorph was also able to 

achieve persistence by creating a Windows directory on the endpoint. 

Equally, it is one example of a file type that is exempt from inspection across both web and email gateway 

devices. 

In analyzing the ISO files that were used in the campaigns that we were monitoring, we found that the 

VBScript will often contain various malicious scripts capable of executing and thereafter fetching 

additional PowerShell scripts that can download a file to the endpoint. 

The malicious code is also executed by proxy by tapping into trusted elements on the endpoint. We saw 

MSBuild.exe used, for example – a process that is typically whitelisted, allowing the injected code to 

further avoid detection. Here, ISOMorph used reflection techniques to load a DLL file in memory before 

injecting the remote access trojan into MSBuild.exe, ensuring antivirus software could then be bypassed. 

Prevention and solutions 

The resurgence of HTML Smuggling should be cause for concern. 

While vaccination efforts continue to ramp up and economies and societies continue to open up once 

more, the impact of COVID-19 will be felt long after 2021. In the case of work, the many benefits that 

have been realized from remote and hybrid working models will ensure that such ways of working won’t 

disappear anytime soon. As a result, the browser will continue to offer hackers new avenues to attack 

their target endpoints. 

For this reason, HTML Smuggling is expected to stay. In the case of ISOMorph, it is proving to be an 

effective method from which attackers are able to infiltrate victims’ devices and deploy payloads while 

bypassing traditional network security tools. 

So, how can it be combatted? The answer is in the form of isolation technologies. 

Developed with the simple purpose of comprehensively protecting users as they use web services – be 

it email applications, browsers, or otherwise – isolation creates a virtual barricade between the endpoint 

and external threats from the internet. 

While content, such as emails and web traffic, can still be viewed in a seamless manner, it is never 

downloaded to the endpoint, eliminating the opportunity for malicious code to infiltrate a device and begin 

exploiting vulnerabilities. 

To achieve a robust endpoint protection strategy, isolation must be placed front and center. 




Vinay Pidathala is Director, Security Research at Menlo Security based 

in Mountain View, California. Previously, Vinay was at Aruba Networks 

and also held positions at FireEye and Qualys. 

Vinay can be reached online at: @menlosecurity and at our company 

website: https://www.menlosecurity.com/ 



New CIOs: 5 Key Steps in Your First 100 Days 

Getting the first 100 days right is critical to achieving momentum, credibility, and long-term success. 

By Etay Maor, Senior Director, Security Strategy, Cato Networks 

Starting off as a new CIO in a tough, dynamic environment can be daunting. CIOs must juggle multiple 

issues like coping with hybrid workplaces, changing cybersecurity and compliance protocols, increasing 

ransomware attacks and high expectations from the board, to name but a few. New CIOs need to tackle 

biased perceptions, make a good first impression, assess the current state of processes and policies and 

determine a strategy to build a foundation that drives innovation. 

Other CIO challenges may involve building a deep awareness of the IT organization, developing close 

relationships with key stakeholders and achieving wide acceptance for strategic goals while also gaining 

some quick wins that boosts confidence in your talents. 

In speaking with countless CIOs about their security posture, I’m always intrigued by what lessons they’d 

offer new CIOs. In truth, there doesn’t seem to be a single set of ‘guiding principles’ for best launching 

into a CIO role. There are, however, strategies and tips that repeat themselves in my conversations. 

Here, then, are five of those often-cited takeaways battle-tested CIOs recommend new CIOs follow in 

their first 100 days in office. 

1. Get to Know Your Organization and Team 

With many stakeholders and team members operating remotely, one of the most significant hurdles a 

CIO must overcome is to forge meaningful, interdepartmental relationships. 

• With IT Teams: Start with regular one-on-ones, seek out the issues they regularly wrestle with 

and assess whether it involves technology, infrastructure, processes or people. Familiarize 



yourself with the strategy and tactics currently in place and evaluate if these adequately align with 

overall business goals. 

• With non-IT Teams: Start with key executives and leadership teams. Understand their role in the 

business and how they interact with IT. Evaluate recent IT requests and determine whether they 

have been resolved satisfactorily. Prepare questions relevant to their role but listen carefully to 

understand their overall strategic vision and expectations from IT. 

2. Determine the state of IT and Security Infrastructure 

Conduct a detailed technology risk assessment of your network infrastructure, databases, applications, 

cybersecurity and back-ups. Evaluate the current state of policies, procedures, compliance, security 

awareness and service delivery levels. Get to know your vendor-partners and learn the contract status 

from each, especially big-ticket deals. Know your IT budgets (planned vs. actual). Figure out what stage 

the company is at relative to their digital transformation process. 

As a first measure, benchmark what you can. Three years down the road you should be able to sell a 

story of sustained improvement. Conduct a baseline assessment and capture metrics from current 

applications and security practices. This will also help identify what is and isn’t working. 

3. Define your Goals and Chart Out a Plan 

Once you’ve got a handle on IT’s position and learned about its resources and capabilities, it's time to 

develop swift action plans for urgent and simple issues to help define an overall blueprint of your longerterm 

company strategy. Your plan should include an executive summary, your department’s strengths 

and weaknesses; opportunities and threats; new trends, tools and capabilities; the tactics you will use 

along with costs, time and impact – in short, guiding principles that will drive future decisions. 

4. Incorporate Digital Transformation 

Whether it’s changing buyer behavior or securing a large-scale remote workforce, the demand for digital 

transformation post-pandemic (i.e., digital methods to improve business processes and continuity) has 

accelerated by several years. 

New CIOs must keep this momentum going by identifying and implementing technology that can 

significantly transform customer and employee experiences. As an example, CIOs can leverage 

automation and AI to improve product efficiency or augment intelligence to an existing product, giving it 

a competitive edge. In cybersecurity, CIOs can leverage transformational technologies like SASE (Secure 

Access Service Edge) to boost cybersecurity, provide high-speed connectivity and reduce IT overheads. 

5. Get Priorities in Order 

Choose your battles wisely based on mandates, urgency, business needs, ROI, previous experiences 

and understanding of market trends. Seize opportunities for quick wins like improving processes, vendor 

management, SLA timelines and end-user applications. Resist firefighting. 

Weigh out the risks and repercussions before you make major decisions. Get executive sponsorship for 

your actions and priorities. If needed, set up a steering committee to secure buy-in from a diverse group. 

Determine where the power lines are drawn and what priorities can be addressed first to instill greater 

confidence across internal stakeholders. 

There is no silver bullet for a successful transition. We can all agree that there is a lot to manage and not 

everything is just about technology. Having an organized approach in place for your first 100 days 



ensures you cover all your bases, leaning in for a better shot at being successful in your new role along 

with establishing yourself as a valued and inspirational leader. 


Etay Maor is the Senior Director of Security Strategy for Cato 

Networks, provider of the world’s first Secure Access Service 

Edge (SASE) platform, converging SD-WAN and network 

security into cloud-native services. Previously, Etay was the 

Chief Security Officer for IntSights, where he led strategic 

cybersecurity research and security services. Etay has also held 

senior security positions at IBM, where he created and led 

breach response training and security research, and RSA 

Security’s Cyber Threats Research Labs, where he managed 

malware research and intelligence teams. Etay is an adjunct 

professor at Boston College and is part of Call for Paper (CFP) committees for the RSA Conference and 

QuBits Conference. He holds a BA in Computer Science and a MA in Counter-Terrorism and Cyber- 

Terrorism. 



Cyber EO and Meeting Cloud Modernization Effort 

By Stephen Kovac, Vice President of Global Government and Head of Corporate 

Compliance, Zscaler 

In wake of recent high profile attacks and an evolving hybrid work environment, agencies are working to 

meet President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity to protect users, 

devices, and data. 

In the recent Zenith Live virtual event, I sat down with cyber leaders from the Department of Health and 

Human Services Office of Inspector General, Department of Education, and Cybersecurity and 

Infrastructure Security Agency (CISA). 

We discussed zero trust security, FedRAMP, the Trusted Internet Connection (TIC) 3.0 policy, and how 

agencies can achieve modernization goals and the terms of the EO. 

The EO requires agencies to prioritize cloud adoption using Office of Management (OMB) guidance, plan 

for zero trust architectures using National Institute of Standards and Technology (NIST) special 

publications, and report their status to OMB and the Department of National Security Advisor for 

Cybersecurity. 

Working to implement these modernization efforts is a journey, not a destination, as agencies work to 

make a culture shift towards cloud, zero trust, and new technology rather than just checking the boxes. 

“Thank God for the EO, I say,” said Gerald Caron, Chief Information Officer for the Department of Health 

and Human Services Office of Inspector General. “I think it moves us more towards being effective overall 

– for our agencies to be effective at cyber – not just checking boxes.” 

Mitigating Threat with Zero Trust 

The EO gave agencies 60 days to implement zero trust as they shift to cloud technology to “prevent, 

detect, assess, and remediate cyber incidents.” 



Zero trust gives agencies strong access management and security tools to prevent unauthorized users 

from seeing applications and sensitive data – creating a zero attack surface and giving IT teams peace 

of mind as they monitor their environment. 

NIST SP 800-27 zero trust guidance provides a roadmap to migrate and deploy zero trust across the 

enterprise environment. This guidance outlines the necessary tenants of zero trust, including securing all 

communication regardless of network location, and granting access on a per-session basis. This creates 

a least privilege access model to ensure the right person, device, and service has access to the data 

they need while protecting high-value assets. 

The NIST National Cybersecurity Center of Excellence (NCCoE) recently announced its Implementing a 

Zero Trust Architecture Project where best-of-breed zero trust leaders will collaborate to demonstrate 

several approaches to implementing zero trust architectures. This coalition will work side by side to realize 

the opportunity for zero trust to strengthen every agency’s cyber defenses. 

“For us, when we talk about zero trust architectures, it's not just the discussion around technologies, 

infrastructure, services, cloud, and all the cool things that come together to make it happen,” said Steven 

Hernandez, Chief Information Security Officer at the Department of Education. “It's also a very robust 

discussion around data, because data is at the heart of everything that we're driving.” 

President Biden’s EO also gave agencies 60 days to begin modernizing FedRAMP, and specifically 

“establish a training program to ensure agencies are effectively trained and equipped to manage 

FedRAMP requests.” 

A FedRAMP-authorized zero trust security model allows IT administrators to wrap policies around users 

and applications to ensure comprehensive security regardless of where they connect from, and what they 

connect to. 

This approach reduces the attack surface and the risk of users accessing unauthorized data or 

applications. Additionally, IT administrators have centralized visibility to track, log, and manage all users 

connecting to the network on any device, in any location – a huge advantage for managing an extensive 

remote or hybrid environment. 

Updated Policy and Modern Security for Complex Environments 

The updated TIC 3.0 guidance has opened the door for agencies to adopt modern, hybrid cloud 

environments. This security approach will be critically important for agencies to secure their cloud 

capabilities and scale up and down as needed. 

“The guidance offers a new security strategy for agencies to explore new opportunities, redefine the 

perimeter, and flexible architectures, zero trust being one of those we want to talk about,” said Sean 

Connelly, TIC Program Manager and Senior Cybersecurity Architect at CISA. “New visibility is the most 

fundamental change in the guidance.” 

As employees work in remote or hybrid environments and agencies follow modern TIC 3.0 guidance, 

agencies can position the security closer to the resources, having everything at one access point. 

To secure access points, agencies should adopt a Secure Access Service Edge (SASE) security model, 

which addresses today’s most common security challenges arising from more applications living outside 

the data center, sensitive data stored across multiple cloud services, and users connecting from 

anywhere, on any device. 



Following the SASE model, agencies can invert the traditional security model to move essential security 

functions to the cloud so users can access data and networks from any location, while security is pushed 

as close to the user/device/data as possible. With the SASE model, CISA inverted their services, such 

as the Continuous Diagnostics and Mitigation (CDM) program to secure data where it is generated, and 

Government Services Administration (GSA) has likewise adjusted their model of Enterprise Infrastructure 

Solutions (EIS) in the same way. 

What’s Next as Agencies Modernize 

The updated policies, authorizations, new security measures, and hybrid work environments are pointing 

agencies towards one initiative – cloud adoption and modernization. Now as agencies unify towards this 

push, they can learn from one another on this journey. 

“I think we're headed in that direction, we're going to find ourselves there one way or another, and I think 

that's a good thing,” said Hernandez. “I think that by having more people in a centralized environment, 

with less attack surface, better configuration, and change control – ultimately, we can learn from each 

other and have a body of practice around centers of excellence that do this well.” 


Stephen Kovac is the Vice President of Global Government 

and Head of Corporate Compliance of Zscaler. He is 

responsible for strategy, productizing, and certification of the 

Zscaler platform across global governments. He also runs the 

global compliance efforts for all of Zscaler. In his role, Stephen 

leads his team’s efforts to advance Federal IT modernization 

by delivering cloud security solutions through direct-to-cloud 

connections and zero trust security capabilities. He has pushed 

for cloud security reform by speaking at events, meeting with 

agency leaders, publishing, working on pilot programs, and working directly with the Hill. Stephen can be 

reached online at Twitter, LinkedIn, and at our company website 

https://www.zscaler.com/solutions/government 



Defeat Ransomware with Immutable Backup Data and 

Encryption 

Move beyond traditional security strategies to protect against the two most common types of ransomware 

threats 

By Jon Toor, CMO, Cloudian 

The Director of the FBI recently described ransomware as posing a threat comparable in scale to the 

September 11 terrorist attacks. In light of these comments, and after several high-profile ransomware 

incidents such as the Colonial Pipeline attack, there should be little doubt that ransomware poses the 

greatest cybersecurity threat to organizations today. 

Broadly speaking, cybercriminals take two approaches to ransomware: they encrypt data to prevent 

victims from accessing it, and they download confidential or sensitive information and threaten to release 

it to the public. These two approaches are not mutually exclusive – cybercriminals will often encrypt data 

and threaten to release it to the public if ransoms aren’t paid within a certain timeframe. In fact, data 

extortion attempts now occur in 77% of ransomware attacks. 

Organizations are employing several traditional strategies to combat this threat, such as using endpoint 

security solutions and conducting anti-phishing training for employees. While these are helpful best 

practices, they will eventually fail against savvy cybercriminals. There are two proven ways to mitigate 

the impact of ransomware: the use of immutable (or unchangeable) backup data and encryption. 

Immutable storage backups prevent hackers from encrypting data, thereby neutralizing their ability to 

lock up data and prevent organizations from accessing it. Meanwhile, data encryption prevents 



cybercriminals from exposing data. Because many ransomware gangs try to do both during each attack, 

organizations should employ data immutability and encryption to protect themselves fully and avoid 

having to pay ransom. 

Immutable storage 

In traditional ransomware attacks, cybercriminals encrypt an enterprise’s critical data, holding it hostage 

and making it inaccessible until the victim pays a ransom. The best way to defend against these attacks 

is by creating immutable backup copies of your data. Immutable storage is cost efficient and simple to 

use: Once a backup data copy is written, that backup cannot be altered or erased for a specified period 

of time, making it impossible for ransomware to encrypt that data. If a ransomware attack does occur, 

organizations can rapidly restore that data backup through a normal recovery process. There’s no need 

to pay a ransom. 

There are two storage architectures that provide data immutability. One is to create a backup copy on 

magnetic tape. If that tape is then physically removed from the library, it effectively becomes 

unchangeable. However, this approach takes extensive time and resources to manage. The other option 

is to use immutable object storage as a backup target. Select object storage platforms support an 

immutability feature called Object Lock which prevents data from being encrypted or deleted for a userdefined 

period. Multiple backup software vendors support this feature as part of a fully automated backup 

workflow. In the event of an attack, this provides fast recovery from a clean data copy. 

Data encryption 

In the other type of ransomware attack, cybercriminals access an organization’s sensitive information, 

download it and threaten to release it publicly or sell it on the dark web unless the victim pays. Immutable 

backup storage isn’t enough in this case, as the hackers aren’t trying to lock an organization out of its 

data. That’s why it’s important to encrypt your sensitive data. 

Data encryption works by changing data into ciphertext, an unrecognizable format that requires a special 

key to decipher it. Without the corresponding decryption key, hackers can’t release the data in a form 

that’s intelligible. 

Both data-at-rest (stored data) and data-in-flight (data that’s being acquired or moved within an 

organization, such as data being migrated to a public cloud) should be encrypted to prevent data 

extortion. For data-at-rest, AES-256 encryption employs a system-generated encryption key (regular 

Server-side Encryption, or SSE) or a customer-provided and managed encryption key (SSE-C). Here, 

the upload and download requests are securely submitted using HTTPS, and the system does not store 

a copy of the encryption key. 

Data in-flight data is also vulnerable to breaches through a process called “eavesdropping.” Using this 

method, cybercriminals “listen” to data communications, searching for passwords or other information 

being transmitted in plaintext. To prevent eavesdropping, AES-256 encryption can be combined with 

secure transport protocols. These protocols include SSE, Amazon Web Services Key Management 

Service (AWS KMS), OASIS Key Management Interoperability Protocol (KMIP) and Transport Layer 

Security / Secure Socket Layer (TLS/SSL). 



Conclusion 

As ransomware attacks grow in frequency and sophistication, more organizations will be hit in 2021, 

causing substantial economic losses and reputational damage. It’s critical that enterprises move beyond 

traditional cybersecurity strategies to ensure their businesses are protected. Immutable storage and data 

encryption are the most effective and comprehensive ways to prevent ransomware from wreaking havoc 

on your organization. 

About Jon Toor 

Jon Toor is the CMO of Cloudian. Jon leads Cloudian’s inbound 

and outbound marketing teams. Prior to Cloudian, Toor served 

as vice president of digital marketing and demand generation at 

Brocade. He also served as the vice president of marketing at 

Xsigo Systems where he led the outbound marketing team, a 

group he led from company launch until the company 

acquisition by Oracle. Prior to Xsigo, he served at ONStor as 

vice president of marketing. Toor holds an MBA, bachelor of science in mechanical engineering, and a 

bachelor of arts in economics all from Stanford University. 

Jon can be reached online at https://www.linkedin.com/in/jontoor/ or jtoor@cloudian.com and, more 

information on Cloudian is available at https://www.cloudian.com/. 



The Struggle You Don’t See: Mitigating the Impacts of 

Cyberattacks on the Workforce 

By Nick Carstensen, CISSP, Product Manager - Security & Integrations, Graylog 

As cyberattacks increase, cybersecurity professionals point to business interruption costs as a way to 

get senior management’s attention. At the same time, the industry discusses security professional 

burnout and alert fatigue as problems. However, sitting between security teams and senior management 

is an entire workforce that also feels the effect of cyberattacks. Very few people dig into the impact that 

attacks have on employees, also known as end-users and customer support teams. 

In the end, all three groups find themselves frustrated. End-users can’t do their jobs. IT help desks can’t 

answer questions. Security teams work continuously to find the root cause of the problem. 

End-users: The Frustration Is Real 

Despite security professionals often bemoaning the “human element” leading to cybersecurity attacks, 

they often forget that the attacks impact end-users. Most data breach news articles focus on data and 

financial impacts, but few mention the impact a cybersecurity attack has on customer and end-user daily 

activities. 

So what is the impact? The answer is: it depends. 

When threat actors attacked Scripps Health in May 2021, hospitals were forced to cancel appointments 

because healthcare professionals could not access patient records. An article reporting on the 2020 

malware attack against the Southeastern Pennsylvania Transportation Authority (SEPTA) noted that “the 

effect behind the scenes left end-users scrambling to find colleagues’ phone numbers and resorting to 

personal email accounts as many work remotely.” Not only does business interruption lead to lost income 

and end-user productivity, but it also leads to frustration. 



The Help Desk: Putting on a Brave Face 

When end-users face a technology problem, the first call is usually to the IT help desk. Before the security 

team jumps into action, end-users may notice operational issues, including: 

● 

● 

● 

System latency 

Unavailable applications 

Account lockouts 

Consider the following examples. 

A Distributed Denial of Service (DDoS) attack shuts down the network. End-users are unable to access 

the network. Thinking that the problem is something wrong with their wireless connection or password, 

they call the IT help desk. 

A threat actor attempts to use a stolen credential to access an application. When the end-user tries to 

log into their account, she finds that her account has been locked. She calls the IT help desk. 

In each case, the IT help desk acts as the “first responder,” answering questions and trying to fix the 

problem. If security and IT operations teams do not effectively communicate, end-user frustration grows. 

The IT help desk fails to provide the hoped-for customer service because they need to start looking for 

the root cause of the problem. 

The Security Team: Working to Investigate and Resolve the Incident 

Behind the scenes, the security team receives alerts, investigates the incident, and finds ways to resolve 

the incident. However, the security team’s struggle is also real. 

In some cases, frustrated end-users calling the IT operations team for help might be the first indication 

that a company suffered an attack. The problem is not the security team. It’s the volume of alerts and 

false positives. According to one article, 39% of security teams say that they handle 1,000 alerts per day, 

and 93% say they cannot address all the alerts on the same day. Without high-fidelity alerts and tools 

that streamline investigations, security teams spend hours sifting through data. 



Teamwork With Centralized Log Management 

Nobody wants unhappy end-users. Nobody wants security breaches. How do you make it easy for your 

teams to turn this around to happy users and a robust security posture? Enter centralized log 

management. 

Log data is the same no matter the source. It’s the visibility that varies based on roles. IT operations are 

searching for that locked-out end-user, monitoring for any configuration issues or performance 

bottlenecks. Security teams are looking at the data from the perspective of the threat hunter or to 

proactively secure the infrastructure from known breaches. The best way to keep end-users happy and 

productive while maintaining a robust security posture is for your IT and security teams to work with a 

centralized log management solution built and architected the right way to support the needs of the 

business. The result is faster detection, deeper visibility into the log data for more useable intelligence, 

higher quality results, and more. 



Even when you pull back the curtain and give your end-users a front-row seat to a typical day in the world 

of IT and security, they forget everything the minute they’re staring at the message “Incorrect password” 

on their screen or drumming their fingers when the systems are offline. In the end, the best way to keep 

your end-users happy is to end the struggle they don’t see. 


Nick Carstensen, CISSP, is the Product Manager - Security & 

Integrations at Graylog. Nick is a cybersecurity expert with 

15+ experience in Security and the Log/SIEM Industry. For more 

information, visit https://graylog.org. 



How Bug Bounty Programs Can Help Businesses Achieve 

Agile Transformation 

By Sam Lowe, UK Lead, YesWeHack 

The pandemic has been a catalyst for digital transformation but while many businesses have advanced 

their operations by years in a matter of months, many organizations have seen their pace of adoption 

hindered by the complexity of IT security. 

As modern businesses with a digital presence try to balance existing and new technology deployments 

in an ever-evolving landscape of digital threats, many find themselves in a tug of war between the need 

for speed and having sufficient protocols in place when it comes to cybersecurity. Here, striking a balance 

is crucial. 

Traditionally, most organizations have relied on penetration testing or ‘pentests’, to identify vulnerabilities 

in applications. However, this approach is proving itself increasingly obsolete in today’s fast-paced digital 

world. 

How pentests hinder agile transformation 

Penetration testing can be described as a security exercise whereby a cyber security professional 

attempts to find and exploit vulnerabilities in a computer system. The purpose of the simulated attack is 

to identify any weak spots in a system’s defenses that attackers could potentially exploit. 

Yet, penetration testing is limited in regard to the skill mobilized. Only a small cohort of security experts 

are used, and this could mean that a consultant involved in the testing may lack the relevant skills needed 



to master the technical environments associated with the tests and the potential attack techniques. With 

pentest deadlines being tight enough as is – with often too many projects to follow – security experts with 

limited exposure to complicated threats can hinder agility. 

Furthermore, most pentests are invariably one-off, time-boxed processes, performed one or two weeks 

per year, resulting in only a snapshot of vulnerabilities found during the test. This can be impractical when 

you consider that serious and critical vulnerabilities often take several weeks, if not months to discover. 

In truth, annual or bi-annual audits are not compatible in meeting the growing need for businesses to 

remain agile and scale at speed, especially when the rapid pace of software development demands a 

more dynamic approach. 

Collaboration that goes beyond traditional testing 

So how can organizations deliver applications while meeting business objectives? Implementing a bug 

bounty program can help by identifying and eliminating the vulnerabilities that opportunistic hackers will 

target across the growing attack surface. The platform acting as a useful resource for developers, 

providing them with easy access to security researchers than can highlight vulnerabilities found within 

their applications and suggest recommended patches. 

By collaborating with hunters, developers can ensure that security is not a cumbersome process and 

soak up the skills and knowledge shared by the hunter to provide stringent security that is implemented 

into future projects. It also gives assurances for management teams by initiating remedial checks that 

can be carried out to ensure that the bugs that have been highlighted by the security researcher have 

been properly patched. 

An innovative approach to testing 

Essentially, a bug bounty platform provides continuous security monitoring that enables businesses to 

be reactive to impending threats. It is an agreement whereby organizations reward ‘ethical hackers’ or 

security researchers for reporting bugs concerning security exploits and vulnerabilities. The more critical 

the reported bug is, the higher the reward. 

In an ideal world a bug bounty programme would be run at the start of the development of an application 

and then as a continuous program – surfacing bugs during the pre-production, acceptance or testing 

phase and beyond. 

At a time when it is estimated that cybercrime will cost the world a staggering $10.5 trillion annually by 

2025, it’s important that organizations adopt a multi-layered defense. A bug bounty program should be a 

crucial component of any company’s security stack. Here’s why. 

Commitment to security 

Over the years, data protection has become a more pressing issue for businesses to address as more 

hackers look to leverage stolen customer data against organizations. Volkswagen is just one of the many 

companies in recent months that have suffered a customer data breach, in this case impacting 3.3 million 

customers. 



In 2019, Canva had a data breach that saw information from over 139 million of its users’ exposed. And 

last year the details of more than 538 million Weibo users were available for sale online following a hack. 

Ransomware is also paralyzing businesses – the single biggest attack on record occurring this year when 

a vulnerability in Kaseya VSA software was leveraged against multiple managed service providers and 

their customers. In its wake, hundreds of businesses in the world were negatively impacted. 

Today’s consumers have an expectation that businesses will do their upmost to keep their data secure, 

with any data breach denting consumer confidence in a business. Deploying a public bug bounty program 

is a good way for a business to demonstrate its commitment to protecting customer data. 

Lazada, the leading e-commerce platform in Southeast Asia and a subsidiary of the Alibaba group is one 

company demonstrating its commitment to protecting its user data. Since January 2020, it has been 

working with ethical hackers to detect security vulnerabilities in its IT environment. To date over 

US$150,000 in bounties have been awarded to security researchers as part of its private bug bounty 

program in which a select group of security researchers are invited to find bugs with their system. 

After running such a successful 18-month private program, it has now launched a public bounty program 

on YesWeHack’s platform and is offering $10,000 per vulnerability discovered. 

For companies that use a bug bounty program, in addition to enabling businesses to identify new attack 

techniques and find solutions to counteract them, it also reassures customers that the safety of their data 

is valued by the business they are trusting with it. 

The future is bug bounty 

Evolution is part and parcel of any industry. For organizations planning to incorporate cybersecurity best 

practices, a bug bounty program enables you to be ahead of the curve. It allows you to utilize the expertize 

and skills of tens of thousands of security researchers and provides you with a better chance of finding 

critical vulnerabilities. For modern businesses that need to be increasingly agile against the growing 

threats of cyberattacks, while also being nimble enough to foster digital transformation, a bug bounty 

program should be considered as a crucial weapon in your arsenal to neutralize threats. 


Sam is the UK lead at YesWeHack and helps organisations 

strengthen their cyber security through the adoption of Bug Bounty. 

He was previously the Commercial Manager for a leading Managed 

Security Service Provider (MSSP), working with clients on improving 

their overall cyber security strategy. 



Using Decentralized, Zero-Knowledge Services to 

Enhance Security 

By Ben Golub, CEO and Executive Chairman at Storj 

Over the years, DevOps and cybersecurity teams have faced an increasingly complex challenge of 

thwarting attackers and protecting the systems they secure. 2021 has proven to be no different. In just 

the first seven months, businesses and governments around the world have faced some of the most 

sophisticated attacks we’ve ever seen. 

Ransomware attacks like the Colonial Pipeline and JBS meats attacks have crippled various aspects of 

the US economy and cost companies millions of dollars in lost revenue and ransomware fees. On the 

Dark Web, you can now even buy RaaS (Ransomware-as-a-service), meaning nearly anyone can now 

be a hacker making millions from ransomware by holding files hostage. Meanwhile, traditional data 

breaches have exposed the personal information of hundreds of millions of people around the world. In 

just the first half of this year, it’s estimated that 18.8 billion records were exposed through various attacks. 

It’s no coincidence that earlier this year President Biden issued an executive order on Improving the 

Nation’s Cybersecurity. In this executive order, President Biden specifically calls on government agencies 

to adopt zero trust architectures as one way to combat “sophisticated malicious cyber campaigns that 

threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” 



Decentralization and Zero-Knowledge Networks 

Many people in the decentralized cloud space believe that while zero trust is a great start, it actually 

doesn’t go far enough. Zero Trust architectures assume a system attempting to access a resource has 

been compromised. Zero knowledge architectures assume even the infrastructure hosting the resource 

may be compromised. Your security posture changes considerably when you can't even trust your own 

infrastructure. 

By building in this redundancy, zero-knowledge architectures ensure every part of the network is secure 

and that data is always available. This protects against many vulnerabilities, such as the misconfigured 

print server that attackers used in the Equifax data breach, the misconfigured S3 buckets that leave data 

exposed, the typo that brings down a substantial portion of the Internet, and even many types of 

cryptoviral ransomware attacks. 

Decentralized storage systems do this by using erasure coding to build redundancy into files and 

encryption to keep them secure and only accessible by the file owner. For example, a file may be encoded 

for redundancy and broken up into 80 pieces, of which only 29 are required to rebuild the data. Each of 

these pieces is encrypted using keys only possessed by the data owner (and those they authorize) and 

exists on a unique Node. As long as 52 Nodes—all of which have their own power supply, internet 

connection, and facilities—are not taken offline at the exact same time, data remains intact and the file 

can be rebuilt from its existing pieces. No piece of the infrastructure has access to the encryption keys 

and therefore the underlying data. Because of its zero-knowledge architecture, the system is also auditing 

all these 80 Nodes to ensure they’re storing what they say they do. If they’re not, the missing piece is 

rebuilt in its encrypted state. 

If a cryptoviral ransomware attack threatened a single Node or even a larger group of Nodes, the system 

could identify the attack through audits and rebuild all the missing pieces before any file was lost. 

Chaos Engineering and the Simian Army 

By building a network so any part of it could fail, you ensure that the network itself will not. This is exactly 

how today’s internet works. You don’t care about the routers and switches that connect you from point A 

to point B. You simply design the data being transferred to be impervious to potential eavesdroppers. 

The internet is designed to be decentralized—it’s only when centralized repos are created (and breached) 

that you encounter outages that take down large swaths of the internet. 

Another great example of using security, redundancy, and decentralized architectures to create resilience 

is Netflix. To achieve exceptional availability, Netflix has pioneered the notion of “Chaos Engineering.” In 

2011, Netflix created an internal tool called Chaos Monkey that randomly (and purposely) takes out entire 

servers. This forced their engineers to design systems that are resilient in a way that simulated failures 

and tabletop exercises never could produce. Netflix has since extended Chaos Monkey to an entire 

simian army that takes out systems, subnets, availability zones, and (in the case of Chaos Kong) entire 

data center regions. By purposely creating an environment where device availability can’t be trusted, 

Netflix creates an environment where there is high system availability. 



Using Edge-based Access Controls to Stop Ransomware 

Decentralized systems generally use decentralized, edge-based access management tools such as 

Macaroons. These types of edge-based access controls mean there is no central repo of keys for 

attackers to target. This allows businesses to decouple various capabilities—such as search, read, write, 

and delete—without having to employ specialized individuals or expensive services. While sophisticated 

cybersecurity professionals can build similar one-off architectures, with decentralized systems, all of this 

is done in easy intuitive ways without adding additional cost or complexity because it’s required to make 

the system run. 

If ransomware attackers managed to gain access to a network, there is no central repo of credentials to 

access to encrypt the data, delete various backups, or commit other nefarious activities. Even if an 

attacker was able to get credentials from an application running a backup, those credentials can easily 

be restricted to only upload data, rather than modify or delete. 

Don’t be the Low-hanging Fruit 

As it is with most cybersecurity breaches, unless you’re a high-value target, the best strategy is to avoid 

being the lowest-hanging fruit on the tree. Attackers are looking for easy marks, so employing many of 

these cybersecurity features that decentralized architectures can offer could greatly reduce the risk of an 

attack, while also delivering many other cost and performance benefits. 


Bio: Ben Golub is the executive chairman and CEO at Storj, an 

open source, decentralized cloud storage provider. Under Ben’s 

guidance, Storj has rolled out initiatives that deliver better privacy 

and security for developers and empower open source projects 

by enabling them to passively earn revenue every time their users 

store data in the cloud. Ben also serves as an advisor at Mayfield, 

a global venture capital firm with over $2.7 billion under 

management. He was previously co-founder and CEO at Docker, 

the leader of the container and microservices movement and one 

of the fastest growing open source companies in history. Prior to Docker, Ben was cofounder and CEO 

of Gluster, an open source cloud storage platform that was acquired by Red Hat in 2011. Ben has a BA 

from Princeton and an MBA from Harvard. 

Email: Ben@storj.io 

https://twitter.com/golubbe 

https://www.linkedin.com/in/bengolub/ 

https://www.storj.io/ 



How to Play Like You're in the Security Majors When 

You’re Still in the Minors 

By Patrick Murray, chief product officer, Tugboat Logic 

When it comes to smaller businesses and cybersecurity, there are two main issues at play. 

One is the misconception that smaller businesses aren’t as high-risk as enterprises in terms of cyberattacks. 

The second is, perhaps unsurprisingly, a lack of resources. Even when SMBs recognize the 

need for stronger cybersecurity, budget and staffing constraints can keep them from implementing it. 

These constraints can make it all too tempting to de-emphasize the establishment of a strong 

cybersecurity posture. 

The unfortunate reality is that smaller businesses aren’t immune to cyber-attacks – 28% of data breaches 

in 2020 involved small businesses, according to Verizon’s Data Breach Investigation Report. And that’s 

likely to be higher for 2021, given what we’ve seen with the increase of cyber-attacks in parallel with the 

rise of remote work. These attacks are expensive; according to Ponemon Institute, the average cost of 

an attack against an SMB is $200,000. 

The budget and staffing constraints aren’t likely going away anytime soon, but fortunately, there are 

options out there for small businesses that will enable them to implement enterprise-grade cybersecurity 

without breaking the bank. 



The threat landscape for small businesses 

As mentioned above, the idea that small businesses aren’t at risk for cyber-attacks or aren’t of interest to 

bad actors is a fallacy that needs to be put to bed. Any business today, no matter its size, is at risk for 

cyber-attacks. And while for some this might sound like common sense, the truth is that SMBs are still 

really struggling with cybersecurity. Awareness is growing but getting started remains a challenge. 

A recent survey by the U.S. Small Business Administration found that 88% of small business owners felt 

their business was vulnerable to a cyber-attack, but many can’t afford professional IT services, have 

limited time and other resources, or they don’t know where to begin. And a survey of SMBs conducted 

by Tugboat Logic found that when it comes to what’s preventing them from reaching their security goals: 

• 85% said lack of internal resources prevented their business from adopting new security practices 

• 48% said the cost of implementing security was prohibitive or a challenge 

• 41% said lack of education in security awareness 

A strong security foundation starts with a smart infosec program 

An information security program contains the policies and controls that form the foundation of your 

security as a company. Maybe you just started your company and want to get the essential security 

controls in place. Maybe you’ve already been hacked. Regardless, getting secure can be done by taking 

practical steps, with expert guidance, to ensure you’re covering the basics in your security posture. That 

includes covering all seven categories of risk: customer, governance, people, regulatory, resilience, 

technology, and vendor management. These essentials will help you get through this first stage of 

maturity quickly and painlessly, while providing you with an infosec program you can proudly stand 

behind. 

Too many startups, and even later-stage companies, suffer from lack of a clear and well-structured plan 

for security and privacy. This security shortfall comes front and center at quarter’s end when that musthave 

customer win slips away due to failure to meet compliance requirements. 

Getting started 

So then, how do you actually implement a security plan, even with those aforementioned staffing and 

budget restrictions? Companies lose time and money guessing which policies and controls to 

implement—only to still be at risk from the most serious threats. The good news is that enterprise-grade 

security and compliance tools are no longer out of reach for SMBs. 

Automation can play a key role, as well. An automated framework from a trusted solution partner can 

demystify the process of setting up a security and compliance program – even for those on a shoestring 

budget. This will eliminate the guesswork and help you create a credible InfoSec document quickly and 

easily. 

Don’t forget to evaluate the potential tools carefully. You must do thorough due diligence on any 

compliance tool you’re evaluating from both a risk assessment and an organizational fit standpoint. The 

tool should provide reputable guidance, as well as grow with you in the longer term. You may start out 

with the essential security controls, for example, and then progress to more robust controls as your 



usiness grows, your risks increase and the number of third-party security frameworks you need to have 

increases. 

Starting from strength 

It would be wonderful if cybercriminals would leave smaller companies alone, but it’s not in their interest 

to wait to attack until their enemy is strong enough to mount a defense. That means you need to be able 

to mount that defense right from the beginning. But it doesn’t mean you have to break the bank to get a 

functioning infosec strategy up and running. Some of today’s enterprise-grade security and compliance 

tools, coupled with automation, will help you build an infosec program that sets your SMB on a firm 

security foundation. 


Patrick Murray is Chief Product Officer and 

early founding member of Tugboat Logic, the 

Security Assurance Platform that helps 

demystify and automate the process of 

managing your InfoSec program. He has 

over 20 years of experience in product 

management at both early-stage security 

startups and public companies such 

as Zenprise, DataVisor, and Websense. He 

specializes in building new companies from the ground up to thriving businesses, and has built products 

across a variety of security areas including Web security, cloud security, mobile security, email security, 

data loss prevention, and online fraud prevention. 

Patrick can be reached online at https://www.linkedin.com/in/patrickgmurray/ and at our company website 

https://tugboatlogic.com. 



SQL Cyber Attacks Are a Danger to Your Company 

By Ryan Ayers, Consultant 

Cyber attacks cost the global economy more than $1 trillion last year, making it responsible for the theft 

of one percent of the global GDP. The pandemic was a bit of a catalyst, as a dependence on ecommerce 

led to more opportunities for hackers, but even before COVID, cybercrime was on the rise and evolving. 

Most experts expect ecommerce to continue to be sought out even after the pandemic, meaning 

cybersecurity’s importance can’t be understated. 

One type of cyberattack that is gaining popularity primarily due to how easy it is to do is an SQL injection 

attack, and if you have any sort of databasing technology, you’re probably at risk, as SQL is how the vast 

majority of data scientists and developers communicate with their databases. Here is a look at what SQL 

attacks are, and how you can work to prevent them. 



What is an SQL Injection Attack? 

SQL’s primary function is handling structured data. When used properly, data scientists can access 

groups of data for analyzation, and can review and remove data that has been stored. In order to access 

this data, users need to prove their identities, as some of it can be very sensitive, especially when dealing 

with financial data. 

A hacker attempting to use an SQL injection attack does so by pretending to be someone who has the 

rights to a given database, or simply bypassing protections put on a set of data. The effects of this attack 

can be far-reaching, especially if an attacker is able to gain admin rights to the entirety of a database, 

which does happen, though smaller breaches are much more common. 

Examples of SQL Attacks Costing Companies Big Bucks 

SQL has been around for nearly 20 years, and SQL injection attacks have been around for just as long. 

They can allow hackers to access the credit card information stored on huge corporations’ databases, 

and some attacks have been able to access more than 100 million individuals’ financial records and credit 

card information. Here are a few major SQL injection attacks: 

September 2002 – One of the first recorded SQL attacks occurred when a hacker accessed more than 

200,000 names and credit card numbers off of the database for guess.com’s customers. 

In September of 2007, the U.S. Army Corps of Engineers was the victim of an SQL attack, and 

government reliance on cybersecurity was ramped up as a result. 

On October 1, 2012, a hacking organization used SQL to access and publish personal records of faculty 

and employees of more than 53 prestigious universities such as Harvard and Princeton in an attempt to 

bring awareness to tuition prices in the United States. 

In early 2021, an SQL attack with political motive accessed the database of a far-right website called 

Gab, and the hackers published the information of its users online. 

Preventing SQL Injection Attacks 

At a high level, simple security measures like changing passwords, not allowing your home network to 

be active while you’re gone, and setting up authentication methods for anyone and everyone accessing 

your network should all be taken seriously. As SQL injection attacks involve deeply protected material 

and information, however, there are much more granular ways to protect from these attacks. 

Writing code to identify unwelcomed users is a common defense for data scientists, and many modern 

firewalls have systems in place to make creating this code very easy. These firewalls can also report 

back any malicious attempts to access databases. Hypersensitive data can also be coded in order to add 

additional layers of protection. 

Looking Forward 

SQL isn’t going anywhere anytime soon, and is only poised to continue to be more and more relied upon 

and companies move more to the digital office and ecommerce worlds. With this, threats are sure to 

continue increasing, and new ways to access SQL databases will surely come to fruition. Staying 



informed and staffing a quality cybersecurity team can keep you ahead of the hacking trends and keep 

you and your customers’ information secure. 


Ryan Ayers has consulted a number of Fortune 500 companies 

within multiple industries including information technology and big 

data. After earning his MBA in 2010, Ayers also began working with 

start-up companies and aspiring entrepreneurs, with a keen focus on 

cybersecurity, data collection and analysis. Ryan Ayers can be 

reached by email at mailto:ryanayers6@gmail.com and on Twitter 

@thebiztechguru. 



AIOps Offers Security Teams an Early Warning System 

By Ranjan Goel, Vice President, Product Management, LogicMonitor 

IT teams are under immense pressure to work faster than ever and deliver better results—at less cost. 

And they’re struggling to do it all as their organizations take in rapidly soaring volumes of data that must 

be captured, analyzed and deployed to improve business outcomes. 

To meet the challenge, many IT teams are turning to Artificial Intelligence for IT Operations, or AIOps, 

which uses big data and machine learning to enhance primary IT functions like identifying, 

troubleshooting and resolving availability and performance issues. 

Just as important, AIOps secures business infrastructure and applications by automatically blocking bad 

actors in near real-time. Let’s say, for example, that a hacker is trying to access a database server. AIOps 

can identify the intrusion by detecting either a change in the volume of data or a change in the location 

of the user who is trying to access the database server. 

AIOps features will then classify this attempted access as normal access, insecure access or elevated 

security risk. Once this is done, the information is handed over to an automated system that will block 

the IP address or compromised user ID and quarantine to a sandbox for a security expert to analyze 

further. 

In short, AIOps has the great potential to do double duty. IT and security teams can both deploy AIOps 

not only to enhance their organization’s infrastructure performance but also to prevent cybersecurity 

threats in near real-time. 



An essential early warning system 

The early warning system that AIOps provides is a big step forward for security vendors as they try to 

ingest as many signals as possible and understand what’s going on in the IT environment with a 360- 

degree perspective. Such vigilance is vital nowadays because hackers are constantly looking for 

scenarios in which they can sneak in without tripping any alarms, then prowl around in the IT 

environment. 

For example, in a recent high-profile hack, the bad guys were lurking undetected in Office 365 email 

systems for months, creeping around and gathering information. This type of breach shows that, without 

the proper signals from the enterprise architecture, hackers can go undetected for long periods of time 

and ultimately do serious damage. 

In a world of perfect security, IT teams would have no blind spots and hackers would never gain access 

to IT systems. The problem is that today’s hybrid infrastructures typically hold resources in a blend of 

cloud and on-premises datacenters—and most security products specialize in monitoring one or the 

other. As a result, there is no single IT or security team that has insight across all of the different systems. 

AIOps early warning technology detects the symptoms that precede security issues, such as suspicious 

patterns and anomalies in performance data, then alerts users. The technology then triggers actions to 

root out the bad guys and prevent damage. By warning users sooner, AIOps helps enterprises stop 

intruders, protect their data and avoid negative impacts on their brand and bottom line. 

Many AIOps advantages 

There are other reasons why AIOps is now a must-have for security. One is financial. A typical 

organization generates billions of data points in any given day and few organizations can afford to keep 

dispatching security people to investigate the numerous problematic signals that occur. There are just 

too many of them. But with a technology like AIOps on the job to constantly process signals and put them 

in context—i.e., dangerous or not—the process becomes financially manageable. 

What is the server behind a particular IP address attempting access? Who is the user? Are there false 

positives or duplicate signals? All of this analysis and investigation can be done by AIOps technology in 

a consistent and automated way so that security professionals can spend their time on other, more 

pressing issues. 

Yes, many organizations are still trying to prevent security incidents manually. But the stark reality is that 

such an approach is not scalable and typically results in SecOps people spending their day reacting to 

issues and trying to minimize incidents. But with AIOps, they have technology that warns them before 

issues occur and enables them to prevent problems rather than react to them. Instead, they can focus 

on more strategic initiatives that provide value to their organizations. It’s a win-win scenario with less time 

spent troubleshooting and more spent time innovating. 

Indeed, AIOps is now a necessity for almost every kind of organization, because every kind of 

organization, large or small, is now a target for hackers. 

The road ahead 

Many vendors are now touting their AIOps chops—even if they offer only very basic functionality. So, 

separating fact from fiction is critical. CISOs should start with a sandbox approach, setting up two or three 

trials of any technology they’re considering - including AIOps - to see if it works for them before 

purchasing it and pushing it out. 



As the technology improves, AIOps will only get more proficient at observing signals across all enterprise 

systems to illuminate patterns, provide meaningful alerts, detect issues sooner, and enable greater 

foresight and automation. As today’s organizations continue to grow and evolve, the ability to provide 

predictive insights at scale continues to be more important than ever. 


Ranjan Goel is a highly experienced product management 

executive with a track record of building and launching products in 

multiple technology areas including unified observability, 

cybersecurity, cloud and networking. He has managed portfolios of 

up to a billion dollars in revenue. Ranjan currently leads the product 

management organization at LogicMonitor. 

Ranjan can be reached online at our company website 

https://www.logicmonitor.com/. 



5 Steps to Protect Your Organization from the Next 

Ransomware Attack 

By Paul Kohler, CTO, S3 

We have witnessed the largest ransomware attacks in history in the first half of 2021 alone. From 

SolarWinds to CNA Financial Corp, Colonial Pipeline, JBS and Kaseya - ransomware attacks are no 

longer “if” it will happen to you, it is when. According to research, ransomware attacks are estimated to 

occur every 11 seconds, costing at least $20B a year. 

But why are many organizations still reluctant to support and invest in cybersecurity to build a strong 

cybersecurity framework to better prevent attacks? 

Below are some tactical steps to better protect your organization from a ransomware attack. 



Step 1: Assess 

The key to solving any problem within your organization is properly defining what you are trying to solve. 

Without a thorough assessment of your organization’s cyber preparedness, it will be nearly impossible to 

implement/improve your cyber posture. The alternative to a solid assessment is akin to playing a game 

of cyber whack-a-mole; stuck in an endless cycle of treating symptoms and not the problem. 

This assessment is not a one-time activity. It must be done regularly as the threat landscape is in constant 

evolution. Standing still will quickly render your current posture weak and ineffective. 

Your assessment should include the following topics: 

● 

● 

● 

● 

● 

● 

● 

● 

● 

● 

Governance: Is anyone reviewing access? Any terminated employees/contractors/3rd parties 

with active accounts? 

Compliance: Are you compliant with all applicable regulations? 

Authentication: What is required of users to authenticate to your environment? Is it required 

every time? 

Physical Asset Management: Are you managing assets consistently? 

Information Assets: Are you protecting them? Do you know what they are, where they are, and 

who has access to them? 

Alignment: Do your policies align with operational objectives? 

Access Management: Are you consistently ensuring that the right people have only the access 

they need at the time they need it? 

Unstructured Data: Who routinely manages access to unstructured data? Where is this data 

located? 

Monitoring: Anyone watching the henhouse while the foxes are lurking around the perimeter? 

Training: Do your employees, contractors, 3rd parties have clarity on what is expected of them? 

Step 2: Increase Cybersecurity Hygiene 

Now that you have your assessment you know what needs cleaning -- your organization’s hygiene -- and 

it needs to be prioritized based on risk. Cybersecurity hygiene is the practice that maintains the basic 

health and security of hardware and software. This includes everything from creating cyber policies that 

are up to date to updating all software and hardware regularly. It also includes retiring and disposing of 

old hardware/software. Do you have any old VPN’s laying around? I can assure you Colonial Pipeline 

wishes they didn’t. 

Step 3: Develop Detailed Response Plan 

Every organization is under the microscope. It is only a matter of time for an organization to come headto-head 

against an attack. Instead of hitting the panic button, prepare early with a detailed response plan 

(and test it often). There are response frameworks available from organizations such as NIST, CIS and 

ISO, but your organization needs to fill in the details. 



The response plan should include filling in the gaps to these major topics: 

● Preparation 

○ Clarity around what you are protecting. 

○ Are you staffed to protect it? Or do you need 3rd party assistance? 

○ Who is responsible for what? Who is the backup? Who is the backup to the backup? What 

is the chain of command? 

○ Have you tested your plan? 

● Response 

○ Containing the incident 

○ Preservation 

○ Clear communication 

○ Mitigation steps 

● Recovery 

○ Revisit the thorough assessment 

○ Gather forensic information to confirm next steps and plan deployment 

○ Analyze and revise plans based on the post-mortem 

Step 4: Educate the Organization 

As the saying goes, you are only as strong as your weakest link. Security awareness training is essential 

to stopping ransomware in its tracks. It is important to train all those who access your organization’s 

infrastructure or make use of your organization’s high value information assets. This means training not 

only your employees, but your entire ecosystem of users. They are your last line of defense. 

An effective training regimen will include: 

● 

● 

● 

Employees, contractors, and vendors responsible for protecting organizational data (this includes 

all critical data elements and intellectual property) 

Phishing, smishing, spear phishing or other social engineering tactics 

Asset protection which should include information necessary to secure assets as well as what to 

do if an asset is lost or stolen. 

Step 5: Implement a Zero-Trust Security Model 

Zero Trust is one of the most effective ways for organizations to control access to their networks, 

applications, and data. Zero Trust is not a product you can buy off the shelf. It is integration of policy, 

procedure and multiple technologies that transforms the way you manage cyber. It combines a wide 

range of preventative techniques to deter would-be attackers and limit their access in the event of a 

breach. This includes identity verification and behavioral analysis, micro / macro segmentation, endpoint 

security, least privilege controls and adaptive authorization. 

The Zero Trust framework aims to accomplish several business-critical objectives. At a high-level it 

performs five functions: 



● 

● 

● 

● 

● 

Contains the damage inflicted in case of a breach by limiting access to the network 

Streamlines the user experience 

Optimizes connectivity 

Modernizes security operations 

Enables your organization’s digital transformation 

Modernized security operations will allow organizations to locate and eradicate malicious code by locating 

traces of open-source penetration testing tools and hacking frameworks. Modernized security operations 

will also allow security operations to apply behavioral analytics to activities to isolate suspicious activity 

and possibly prevent the next cyber attack. 

As we enter the next wave of cyber intelligence and combat threats from known and unknown sources, 

our biggest weapon is preparedness. Increasing our intelligence on potential threats, learning the 

offensive and defensive tools to better monitor and equip our organizations, and our ability to either thwart 

or rapidly respond, exponentially increases the level of success. You will either be a victim with failed 

countermeasures and significant financial and reputational impact, or able to rapidly deploy responses to 

mitigate or avoid damages all together -- the choice is yours. 


Paul Kohler serves as the Chief Technology Officer for Strategic 

Security Solutions (S3). S3 is a leading provider of Identity & 

Access Management, Governance, Risk and Compliance and SAP 

Security advisory services. 

Paul is focused on building a world class delivery organization. He 

is committed to building an organization that lives S3’s core values 

of integrity, collaboration, intellectual curiosity and transparency. 

Paul believes adhering to those core values along with a program 

first, technology second mindset will guide S3 in delivering 

technical solutions that meet S3’s clients’ needs. 





















CyberDefense.TV now has 200 hotseat interviews and growing… 

Market leaders, innovators, CEO hot seat interviews and much more. 

A division of Cyber Defense Media Group and sister to Cyber Defense Magazine. 



FREE MONTHLY CYBER DEFENSE EMAGAZINE VIA EMAIL 

ENJOY OUR MONTHLY ELECTRONIC EDITIONS OF OUR MAGAZINES FOR 

FREE. 

This magazine is by and for ethical information security professionals with a twist on innovative consumer 

products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our 

mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best 

ideas, products and services in the information technology industry. Our monthly Cyber Defense e- 

Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare 

arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of 

sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here 

to sign up today and within moments, you’ll receive your first email from us with an archive of our 

newsletters along with this month’s newsletter. 

By signing up, you’ll always be in the loop with CDM. 

Copyright (C) 2021, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP 

(STEVEN G. SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free 

(USA): 1-833-844-9468 d/b/a CyberDefenseAwards.com, CyberDefenseMagazine.com, 

CyberDefenseNewswire.com, CyberDefenseProfessionals.com, CyberDefenseRadio.com and 

CyberDefenseTV.com, is a Limited Liability Corporation (LLC) originally incorporated in the United 

States of America. Our Tax ID (EIN) is: 45-4188465, Cyber Defense Magazine® is a registered 

trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS# 078358935. All rights reserved 

worldwide. marketing@cyberdefensemagazine.com 

All rights reserved worldwide. Copyright © 2021, Cyber Defense Magazine. All rights reserved. No part 

of this newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including 

photocopying, recording, taping or by any information storage retrieval system without the written 

permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. 

Because of the dynamic nature of the Internet, any Web addresses or links contained in this newsletter 

may have changed since publication and may no longer be valid. The views expressed in this work are 

solely those of the author and do not necessarily reflect the views of the publisher, and the publisher 

hereby disclaims any responsibility for them. Send us great content and we’ll post it in the magazine for 

free, subject to editorial approval and layout. Email us at marketing@cyberdefensemagazine.com 


276 Fifth Avenue, Suite 704, New York, NY 1000 

EIN: 454-18-8465, DUNS# 078358935. 

All rights reserved worldwide. 

marketing@cyberdefensemagazine.com 

www.cyberdefensemagazine.com 

NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA) 

Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 09/01/2021 



Books by our Publisher: https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guysebook/dp/B07KPNS9NH 

(with others coming soon...) 

9+ Years in The Making… 

Thank You to our Loyal Subscribers! 

We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know What You 

Think. It's mobile and tablet friendly and superfast. We hope you like it. In addition, 

we're past the five nines of 7x24x365 uptime as we continue to scale with improved Web 

App Firewalls, Content Deliver Networks (CDNs) around the Globe, Faster and More 

Secure DNS and CyberDefenseMagazine.com up and running as an array of live mirror 

sites and our new B2C consumer magazine CyberSecurityMagazine.com. Millions of 

monthly readers and new platforms coming…starting with 

https://www.cyberdefenseprofessionals.com this month…

Cyber Defense eMagazine September Edition for 2021

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?