Cyber Defense eMagazine September Edition for 2021

cyberdefensemagazine

Cyber Defense eMagazine September Edition for 2021 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky, a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group, as well as Yan Ross, US Editor-in-Chief, Pierluigi Paganini, Co-founder & International Editor-in-Chief, and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES

Understanding The Importance of Designing for Security

Gold Optis: Most Innovative and Socially Conscious Technologies at Black Hat

Evaluating Security Practices in Response to Colonial Pipeline And South Korean KAERI Attacks

How Trustworthy is Your Cyber Defense?

New Report Reveals Traditional Anti-Malware Solutions Miss 74% of Threats

Chinese Government Will Begin to Stockpile Zero-Days in September

How to Proactively Prepare for a Breach

…and much more…

Cyber Defense eMagazine September 2021 Edition 1

Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.


CONTENTS

Welcome to CDM’s September 2021 Issue (p. 6)

Gold Optis: Most Innovative and Socially Conscious Technologies at Black Hat (p. 33)
By Olivia Gallucci, Cybersecurity Reporter, Cyber Defense Magazine

Silver Optis: Innovative and Socially Conscious Technologies at Black Hat (p. 46)
By Olivia Gallucci, Cybersecurity Reporter, Cyber Defense Magazine

Bronze Optis: Innovative Technologies at Black Hat (p. 59)
By Olivia Gallucci, Cybersecurity Reporter, Cyber Defense Magazine

Looking Back at Executive Order on Cybersecurity and What it Means for Your Business (p. 67)
By James Gorman, CISO of AuthX

How Trustworthy is Your Cyber Defense? (p. 71)
By Tom Brennan, Chairman, CREST USA

New Report Reveals Traditional Anti-Malware Solutions Miss 74% of Threats (p. 74)
By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies

Cyber Security Incident Response Plan: How to Proactively Prepare for a Breach (p. 77)
By Joseph Carson, Advisory CISO, ThycoticCentrify

The Importance of Multi-Factor Authentication and Strong Passwords (p. 80)
By Jeff Severino, CyberLock Defense, Lockton Affinity

Time to Act: How Real-Time Analytics Can Help Stop the Cyber Kill Chain (p. 84)
By Dr. William Bain, CEO and Founder of ScaleOut Software

Combatting Industry Burnout by Building Resilient Security Teams (p. 87)
By Rick McElroy, Principal Cybersecurity Strategist, VMware

Considering Collateral Intrusion in Digital Forensics (p. 90)
By Alan McConnell, Forensic Advisor, Cyan

Keeping Health Records Safe from Cyber Criminals (p. 94)
By Dexter Caffey, Founder and CEO, Smart Eye Technology

Why Your Hospital Network Needs an IoT Security Policy (p. 97)
By Marc Laliberte, Technical Security Operations Manager, WatchGuard Technologies



Offense Activities Sharing in Criminal Justice Case (p. 101)
By Milica D. Djekic

Cybersecurity Challenges of Working from Home during COVID-19 Pandemic and a Proposed 8 step WFH Cyber-attack Mitigation Plan (p. 108)
By Glorin Sebastian, Senior Consultant, EY

HTML Smuggling: A Resurgent Cause for Concern (p. 111)
By Vinay Pidathala, Director of Security Research, Menlo Security

New CIOs: 5 Key Steps in Your First 100 Days (p. 115)
By Etay Maor, Senior Director, Security Strategy, Cato Networks

Cyber EO and Meeting Cloud Modernization Effort (p. 118)
By Stephen Kovac, Vice President of Global Government and Head of Corporate Compliance, Zscaler

Defeat Ransomware with Immutable Backup Data and Encryption (p. 121)
By Jon Toor, CMO, Cloudian

The Struggle You Don’t See: Mitigating the Impacts of Cyberattacks on the Workforce (p. 124)
By Nick Carstensen, CISSP, Product Manager - Security & Integrations, Graylog

How Bug Bounty Programs Can Help Businesses Achieve Agile Transformation (p. 128)
By Sam Lowe, UK Lead, YesWeHack

Using Decentralized, Zero-Knowledge Services to Enhance Security (p. 131)
By Ben Golub, CEO and Executive Chairman at Storj

How to Play Like You're in the Security Majors When You’re Still in the Minors (p. 134)
By Patrick Murray, chief product officer, Tugboat Logic

SQL Cyber Attacks Are a Danger to Your Company (p. 137)
By Ryan Ayers, Consultant

AIOps Offers Security Teams an Early Warning System (p. 140)
By Ranjan Goel, Vice President, Product Management, LogicMonitor

5 Steps to Protect Your Organization from the Next Ransomware Attack (p. 143)
By Paul Kohler, CTO, S3



@MILIEFSKY

From the Publisher…

We’ll be celebrating our 10th Year in business and of our Global InfoSec Awards and as a Platinum Media Partner of RSA Conference on Feb 7 – 10, 2022 – See You There!

Dear Friends,

From my perspective as Publisher, it’s incumbent upon me to observe the trends and draw patterns of cybersecurity developments. One recurring theme is the lack of coordination between government entities and private sector organizations. While we might wish to think otherwise, this should not come as a surprise.

Private companies have the common goal of maximizing shareholder value, usually in revenues and profits. There are often other considerations in play. Government objectives do not include these goals, since making a profit is not a government function.

We are seeing movement toward cooperative efforts, but the lack of a definite nexus is still a barrier. May I suggest a good possible place to start would be adoption of a voluntary agreement, for all organizations engaged in activities in the 16 elements of critical infrastructure, to implement strict cybersecurity practices. Resilience and survivability are the watchwords.

At Cyber Defense Magazine we continue as we head into our tenth year of bringing actionable information to our readers in all sectors and activities. This edition is loaded with great content and fresh ideas, so please take the time to read these articles that pique your interest.

As always, among the valuable resources we rely on to respond to cyber threats are the providers of cybersecurity solutions. Therefore, we are thrilled to announce that Cyber Defense Magazine has now opened the Global InfoSec Awards for 2022, with nomination forms found at https://www.cyberdefenseawards.com

Finally, as promised, https://www.cyberdefenseprofessionals.com/ will be coming out of beta this month and very soon, we’ll announce over 2,000 infosec job openings posted for infosec jobs at various Fortune 1000 companies.

Wishing you all success in your own cyber endeavours and staying one step ahead of the next threat.

Warmest regards,

Gary S. Miliefsky

Gary S. Miliefsky, CISSP®, fmDHS
CEO, Cyber Defense Media Group
Publisher, Cyber Defense Magazine

P.S. When you share a story or an article or information about CDM, please use #CDM and @CyberDefenseMag and @Miliefsky – it helps spread the word about our free resources even more quickly.



@CYBERDEFENSEMAG

CYBER DEFENSE eMAGAZINE

Published monthly by the team at Cyber Defense Media Group and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.

PRESIDENT & CO-FOUNDER
Stevin Miliefsky
stevinv@cyberdefensemagazine.com

InfoSec Knowledge is Power. We will always strive to provide the latest, most up to date FREE InfoSec information.

From the International Editor-in-Chief…

Internationally, we’re finding ransomware attacks on the rise, once again. Also, DDoS attacks are back.

It will be very interesting to find out who is behind the massive and prolonged Distributed Denial of Service (DDoS) attack that hit the Philippine human rights alliance Karapatan. The 25-day-long DDoS attack against the website of Karapatan was launched by almost 30,000 IP addresses.

One third of the addresses originated from devices that were not running “Open Proxies” or “Tor exits”. Identifying this mysterious part of the botnet turned out to be a fascinating research and digital forensics challenge. The traces led us to an Israeli firm offering access to millions of proxies in mobile operators, data centres and residential buildings – a perfect infrastructure to hide the source of DDoS attacks.

I continue to research this and will have news about it on CDM’s website shortly.

As always, we encourage cooperation and compatibility among nations and international organizations in responding to these cybersecurity matters.

Finally, I believe at some point soon we should stop waiting and start pushing for a Cyber Geneva Convention, so the internet becomes a less hostile place for bad actors on nation state cyberwarfare activities.

To our faithful readers, we thank you,

Pierluigi Paganini
International Editor-in-Chief

INTERNATIONAL EDITOR-IN-CHIEF & CO-FOUNDER
Pierluigi Paganini, CEH
Pierluigi.paganini@cyberdefensemagazine.com

US EDITOR-IN-CHIEF
Yan Ross, JD
Yan.Ross@cyberdefensemediagroup.com

ADVERTISING
Marketing Team
marketing@cyberdefensemagazine.com

CONTACT US:
Cyber Defense Magazine
Toll Free: 1-833-844-9468
International: +1-603-280-4451
SKYPE: cyber.defense
http://www.cyberdefensemagazine.com

Copyright © 2021, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a)
276 Fifth Avenue, Suite 704, New York, NY 10001
EIN: 454-18-8465, DUNS# 078358935.
All PUBLISHER rights reserved worldwide.

Gary S. Miliefsky, CISSP®
Learn more about our founder & publisher at:
http://www.cyberdefensemagazine.com/about-our-founder/

9 YEARS OF EXCELLENCE!

Providing free information, best practices, tips and techniques on cybersecurity since 2012, Cyber Defense Magazine is your go-to source for Information Security. We’re a proud division of Cyber Defense Media Group (CDMG): B2C Magazine, B2B/B2G Magazine, TV, Radio, Awards, Professionals, Webinars.



Welcome to CDM’s September 2021 Issue

From the U.S. Editor-in-Chief

We’ve begun to turn a corner. Key team members headed out to BlackHat USA 2021, including Olivia Gallucci as our Cybersecurity Reporter for Cyber Defense Magazine and the winner of CDM’s 2021 Women in Cybersecurity scholarship. She is studying Computing Security and Computer Science at Rochester Institute of Technology. She did a fabulous job documenting her findings on the trade show floor with three very well written articles you’ll find inside this edition.

While the turnout was not like pre-COVID-19, we hope it’s a growing trend and that RSA Conference 2022 will continue the trend for what’s so important to us humans – in-person social interaction. There’s no virtual experience that can replace a handshake and a sit-down gathering where experts share ideas and mingling with like-minded infosec professionals is most enjoyable.

We always like to look ahead and project tomorrow being a better day for cybersecurity. Right around the corner next month is Cybersecurity Awareness Month - so many infosec vendors are already gearing up with their thoughts and ideas on how to turn the ransomware, cloud threats and work from home attacks around.

We at Cyber Defense Magazine also attempt, each month, to be most valuable to our readers by keeping current on emerging trends and solutions in the world of cybersecurity. To this end, we commend your attention to the valuable information provided by our expert contributors.

Wishing you all success in your cybersecurity endeavors,

Yan Ross
U.S. Editor-in-Chief
Cyber Defense Magazine

About the US Editor-in-Chief

Yan Ross, J.D., is a Cybersecurity Journalist & U.S. Editor-in-Chief of Cyber Defense Magazine. He is an accredited author and educator and has provided editorial services for award-winning best-selling books on a variety of topics. He also serves as ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist® XV CITRMS® course. As an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, privacy, and cyber security for consumers and organizations holding sensitive personal information. You can reach him by e-mail at yan.ross@cyberdefensemediagroup.com



Gold Optis: Most Innovative and Socially Conscious Technologies at Black Hat

By Olivia Gallucci, Cybersecurity Reporter, Cyber Defense Magazine

I interviewed approximately sixty industry leaders from over forty companies who attended Black Hat. Although this article series—The Optis—can be read as a traditional Black Hat recap, I specifically highlight twenty-one companies that stand out and whose growth I recommend watching.

Rochester Institute of Technology’s Cybersecurity Club, RITSEC, inspired the metrics I used to analyze and rank companies. Specifically, I adopted RITSEC’s motto, “Security Through Community,” while examining each company’s ability to promote social good, inclusion, and innovation inside and outside of the company. Furthermore, I referenced materials—public demos, open-source code, and publications—to determine the accuracy of the company’s claims and the span of its communal reach, public contributions, and social good.



Given Cyber Defense Magazine's awarding of unicorns ("a private company with a valuation of over $1 billion") and that Olympic sailing occurred during Black Hat, I created a conceptual framework—The Optis Series—to highlight innovative and socially conscious companies at Black Hat USA 2021 (UserGuiding). The Optis Series contains three articles: bronze, silver, and gold. You can learn about the judging criteria I used for the Optis Series here or scroll to the end of this article.

Coalfire

Mark Carney, COO of Coalfire

Coalfire is known for its abilities in security compliance, but that is not all it offers. Over the past two years, Coalfire’s front-end security and pen-testing teams grew significantly and continue to grow in funding, hiring, and expertise. At present, Coalfire is an organically grown company employing approximately one thousand security professionals globally and plans to hire around three hundred people by the end of 2021.

Coalfire specializes in cloud infrastructure services, working with almost every international enterprise cloud infrastructure company. As a result, its products and services—pen-testing, architecture, design, management, compliance, and multi-cloud support—are influenced by how enterprises use the cloud. Furthermore, Coalfire continues to develop these areas; its teams in attack strategy, privacy and risk compliance, and cloud-focused services (i.e., pen-testing, engineering, and management) are expanding.

Used with permission from Coalfire.

Coalfire recently acquired two companies: Neuralys and Denim Group. Neuralys built pen-testing management platforms into an attack surface management framework by utilizing active and passive scanning, which helped clients identify new and existing vulnerabilities on their networks in an ongoing manner. In other words, Neuralys invented a way to continuously pentest networks. Furthermore, Coalfire acquired Denim Group, a consulting firm specializing in pen-testing and application security; their platform, ThreadFix, applies application-specific vulnerability aggregation from over fifty databases and tools. ThreadFix consolidates test results and prioritizes vulnerable clients, reducing the remediation time by up to forty percent.

Learn more: By reading Coalfire’s 3rd Annual Penetration Risk Report and by exploring its Reddit page.

College students and faculty may be particularly interested in Coalfire because of its Richard E. Dakin Fund. The fund was created in honor of the late co-founder of Coalfire, Richard E. Dakin. It supports scholarship programs at several universities for promising college students studying cybersecurity and related fields.

Epiphany Systems

Rob Bathurst, Co-Founder and CTO at Epiphany Systems

Epiphany Systems is an offensive security company providing red team attack paths and solutions for clients' critical IT assets and users. Its platform is the first offensive cybersecurity program designed to reduce Time-to-Context. Epiphany Systems spun out from Digitalware at the beginning of 2021. At present, Epiphany Systems has 22 employees and expects to hire approximately twelve people by 2022.

Epiphany Systems' platform works by analyzing clients' preexisting security data to create attack paths. Then, the platform analyzes each attack path, the likelihood of exploitation, and the consequences if exploited to provide clients' security professionals a surface-level view of vulnerabilities on the network. Furthermore, it integrates with clients' existing security tools.

Used with permission from Epiphany Systems.

Its innovativeness stems from its Time-to-Context approach, which finds solutions for clients' needs within a specific context. For example, if an administrator can only access a document from one IP address, Epiphany Systems creates attack paths using that knowledge for how that document could be definitively accessed. Bathurst explains, "It is difficult to automate generalized red teaming efficiently. Generalized human red teaming creates attack paths that tend to be sporadic and unique to a point in time. We find a target (i.e., an administrator) and work backward to create our attack path that is more precise."

Epiphany Systems intently integrates open-source software (OSS). Even better, Epiphany Systems contributes to OSS; Bloodhound is one of its favorites. Bathurst adds, "We contribute to OSS wherever we can. Much of what runs the internet started as small projects that never developed procedures to pass on development; this is not sustainable. Thus, Epiphany Systems assists OSS projects to ensure smooth transitions in new and pre-existing legacy projects."

Given that the company is young, it is imperative to examine its future goals and developments. To answer this, Bathurst explains that "We have shown that we can analyze data in nonobvious ways. However, that does not mean there are not more possibilities. We want to discover even greater ways of analyzing data and explaining the impact of that data, especially to leaders outside of tech."

Learn more by reading Epiphany Systems Launches into the Cybersecurity Market with Industry’s First Offensive Context-Aware Platform

Lightspin

Vladi Sandler, Co-founder and CEO of Lightspin

Lightspin is a cloud security company using an offensive approach to detect cloud misconfigurations; it designed a platform to secure cloud and Kubernetes environments throughout the development cycle, simplifying cloud security for IT and DevOps teams. Dell and Ibex granted Lightspin $16 million in series A funding, bringing total funding to date to $20 million.

Lightspin's platform detects all security risks on the network, and its innovativeness stems from its ability to prioritize the most critical issues and remediate them from build to run time. For example, Lightspin creates the Attack Path, an interactive diagram displaying clients' vulnerabilities and how each vulnerability affects other parts of their network. These charts were developed with the C-suite in mind, providing a simple and usable interface suitable for presentations and reports. Furthermore, Lightspin's platform uses data from previous attacks to correlate vulnerabilities with the repercussions if exploited.



Used with permission from Lightspin.

However, the company itself has notable qualities too. It demonstrates a thoughtful and inclusive workplace. Sandler stated that "Our goal is to build a healthy company. We promote diversity and inclusion, which is why we have been a gender-balanced company from the beginning. We found that our company growth, employee happiness, client satisfaction, and community involvement are all tightly linked, which is why we only promote growth from a healthy and ethical perspective." Most of all, Lightspin's open-source contributions and support of public initiatives are some of the most impressive in the Optis Series.

Lightspin's GitHub repositories are well-documented and shared. Some of its notable projects include Red Kube, a red team K8S adversary emulation based on kubectl, and Red Shadow, an AWS IAM vulnerability scanner. Lightspin also developed Red Detector, which scans EC2 instances for vulnerabilities using Vuls. Furthermore, Lightspin's blog provides tutorials on how to use and contribute to its projects. These tutorials are great for any skill level and receive enthusiasm from users and contributors. Overall, Lightspin demonstrates technological innovation, creativity, professional excellence, and social responsibility. As a clear trendsetter and innovator in cybersecurity, I cannot wait to see how Lightspin's technology develops by the next Black Hat.

Learn more: CISO Talks: Choosing the Right Solution for Your Organization as a CISO, ft. Vladi Sandler, CEO at Lightspin



Syxsense

Ashley Leonard, CEO of Syxsense

Headquartered in southern California, Syxsense is a software-as-a-service endpoint management and security software company. Syxsense specializes in combining IT and patch management with security vulnerability scanning, and now a full remediation capability using Syxsense Cortex, the company’s workflow builder.

Syxsense's cloud-based platform allows clients to manage all of their endpoints and devices through drag-and-drop (DnD) workflow technology. Example actions include almost everything: patches, asset management, vulnerability scanning, software installations, and more. Clients can use and edit pre-built blocks and create new ones. Furthermore, clients can deploy actions to individual devices, sets of devices, or all devices. For example, a client could update all of the odd-numbered computers on their network or change the background to display a cat for all employees named "John."

Syxsense Cortex is a drag-and-drop workflow builder for building remediations to configuration errors and security vulnerabilities. Used with permission from Syxsense.

As a WordPress blogger, Syxsense's product resonated with me because of its simplistic workflow and customization. Its DnD security workflow reminds me of how bloggers use DnD blocks to create a website or post. Furthermore, Syxsense's ability to support any skill level is similar to how WordPress sticks with bloggers throughout their careers.

For example, new WordPress bloggers almost exclusively use DnD blocks. Over time, they learn how to customize blocks and how parts of the website interact (i.e., CSS and hosting configurations). Eventually, bloggers can create new blocks, build websites, fix bugs, and teach others. Skilled bloggers often publish custom blocks as code, add-ons, and templates, which creates an app-store atmosphere in WordPress.



Syxsense demonstrates similar possibilities in the security industry. Using Syxsense Cortex, clients can implement Syxsense's platform using premade blocks. Once employees learn how each block's settings interact with the network, they can customize blocks to fit their exact needs. Moreover, the transfer of skills from senior techies to new employees is seamless in this environment. I would not be surprised if its clients use its platform to teach security skills to employees or if security professionals make tutorials on custom blocks.

Watch Syxsense’s demo on Vimeo.

Lastly, Syxsense scans clients' networks, proposes solutions, and displays potential exploit outcomes. In other words, Syxsense can fix vulnerabilities its platform detects, and best of all, clients can use DnD to resolve each issue.

Learn more: Syxsense Releases Two New Solutions for Remediating Endpoint Security Vulnerabilities

ThreatQuotient

Chris Jacob, Global VP of Threat Intelligence Engineers at ThreatQuotient

Another company I would look out for this year is ThreatQuotient, a modern data-driven security operations platform. The company has a rich history in problem-solving and social networking, arguably the two best things an organization could have. The company founders--developer Wayne Chiang and security operations officer Ryan Trost--noticed while working in a large security operations center (SOC) that data was not being shared and accessed efficiently. For example, workers on the 8 AM shift were not effectively collaborating with other shifts at their company, which led to unnecessary security testing. Chiang and Trost set out to fix this problem globally by creating a pure-play threat intelligence platform and an API that could be utilized across departments and organizations; this led to the founding of ThreatQuotient in 2013.



Used with permission from ThreatQuotient.

However, ThreatQuotient's intriguing history is not why I selected them as a Gold Opti. ThreatQuotient is a leading security company in extended detection and response (XDR) that examines intelligence and information security events to create a holistic picture of threats. The company's innovativeness comes from its API's integration with external products. Its mission is to integrate its API with as many platforms, products, and technologies as possible to promote long-term growth and diversification. Jacob explains that "If companies share knowledge of adversaries' attacks, techniques, and other intelligence, they could detect more hacks; although, not necessarily prevent them. We created a data-driven automation and data-sharing tool that can show what is happening with threats."

ThreatQuotient's founders and many of its employees have an open-source background. As a result, its platform integrates with clients' preexisting technologies, so they are not locked into a vendor. Furthermore, its MSSP and intelligence community encourage sharing and collaboration. Jacob stated, "We believe companies should share to advance the cybersecurity and intelligence community," which is illustrated by its membership in the Open Cybersecurity Alliance and contributions to OpenDXL.

I am looking forward to learning about the company's future developments, too. Jacob adds, "currently, we are expanding in XDR, but we have always been in that sphere. What is interesting is that the security industry is pivoting to where ThreatQuotient has been and calling it XDR. As a result, we are a frontrunner in XDR technologies, and we are creating new technologies to improve our platform every day."

Learn more at ThreatQuotient's website.

Trend Micro

Jon Clay, VP of Threat Intelligence at Trend Micro

Since its founding in 1988, Trend Micro has evolved from a family-run antivirus company into an international security organization. Trend Micro was the first company to implement internet and virtual machine scanning technologies. Its specialty is defending against zero-day and zero-hour threats.

I interviewed Jon Clay on Trend Micro's Cyber Risk Index (CRI) and on Trend Micro's latest products and publications that have impacted the security sphere. After four years of deployment through the Ponemon Institute, Trend Micro's CRI has mastered calculating clients' preparedness to defend against attacks. Its index spans from -10 (bad) to +10 (good) and helps C-level executives understand risks within their organization. In its 2021 distribution, the CRI demonstrates that preparedness to defend against cybersecurity risks has decreased globally.

Used with the permission of Trend Micro.

Trend Micro has also progressed in the open-source sphere. One of its most famous open-source tools, Trend Micro Locality Sensitive Hashing (TLSH), has been publicly adopted by multiple antivirus firms. TLSH uses machine learning to identify files that are similar in nature. For example, if a file contains the text "oliviagallucci.com" and another file contains "oliviagalucci.com" (missing an l), then TLSH would generate two very similar hashes. Furthermore, Trend Micro partnered with Snyk, an open-source security company, to develop Cloud One, a scanner that detects malicious or vulnerable code in open-source repositories.
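To make the similarity-hash property concrete, here is an added illustration that is not Trend Micro's TLSH and not code from the article: a deliberately small locality-sensitive digest built from a byte-trigram histogram, compared by L1 distance. The three sample "files" are constructed for the example; FILE_B differs from FILE_A only by the dropped "l" in the domain, mirroring the article's example, and FILE_C is unrelated content.

```python
# Added illustration of locality-sensitive similarity hashing. This is NOT
# Trend Micro's TLSH; it is a deliberately small scheme that shows the property
# the article describes: near-identical inputs produce near-identical digests.
from typing import List

BUCKETS = 32      # histogram bins; the digest has one hex character per bin
NIBBLE_CAP = 15   # each bin is stored in 4 bits, so counts saturate at 15


def _fnv1a32(data: bytes) -> int:
    """Deterministic 32-bit FNV-1a (Python's built-in hash() is salted per process)."""
    h = 0x811C9DC5
    for b in data:
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def trigram_histogram(data: bytes) -> List[int]:
    """Count every overlapping 3-byte window, bucketed by hash into BUCKETS bins."""
    counts = [0] * BUCKETS
    for i in range(len(data) - 2):
        counts[_fnv1a32(data[i:i + 3]) % BUCKETS] += 1
    return counts


def similarity_digest(data: bytes) -> str:
    """Fixed-length hex digest: one nibble (0-15) per histogram bin."""
    return "".join(format(min(c, NIBBLE_CAP), "x") for c in trigram_histogram(data))


def digest_distance(d1: str, d2: str) -> int:
    """L1 distance between digests: 0 means identical histograms, small means similar content."""
    if len(d1) != len(d2):
        raise ValueError("digests must have the same length")
    return sum(abs(int(a, 16) - int(b, 16)) for a, b in zip(d1, d2))


# Constructed sample files (not real data). FILE_B differs from FILE_A only by
# the dropped "l" in the domain, mirroring the article's example.
FILE_A = (
    b"From: Olivia <reporter@example.com>\n"
    b"Subject: Black Hat recap draft\n"
    b"Please review the draft at https://oliviagallucci.com/black-hat-2021 before Friday.\n"
    b"Thanks, Olivia\n"
)
FILE_B = FILE_A.replace(b"oliviagallucci.com", b"oliviagalucci.com")
FILE_C = (
    b"Invoice #4471\n"
    b"Qty  Item                 Price\n"
    b"2    Widget, blue         19.99\n"
    b"1    Shipping              4.50\n"
    b"Total due upon receipt.\n"
)


def compare_samples() -> dict:
    """Distances from FILE_A to itself, to the one-character variant, and to unrelated content."""
    d_a = similarity_digest(FILE_A)
    return {
        "identical": digest_distance(d_a, similarity_digest(FILE_A)),
        "one_char_off": digest_distance(d_a, similarity_digest(FILE_B)),
        "unrelated": digest_distance(d_a, similarity_digest(FILE_C)),
    }


if __name__ == "__main__":
    for name, dist in compare_samples().items():
        print(f"{name:>12}: distance {dist}")
```

Dropping one "l" removes the trigrams "all" and "llu" and adds "alu", so the two digests differ in at most three bins by one count each, while the unrelated invoice lands tens of counts away. A cryptographic hash such as SHA-256 would give two completely unrelated outputs for FILE_A and FILE_B; that difference is exactly why similarity digests are useful for clustering malware variants.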

Unlike many companies, Trend Micro clearly fosters a culture of openness and collaboration. Readers interested in learning about Trend Micro—open-source contributions, product development, or otherwise—have ample resources to explore its professionals' expertise and outlook at any point in its history.

Further reading: Trend Micro Demonstrates Threat Expertise at Virtual Black Hat USA 2021

For those interested in assisting with Trend Micro's open-source programs, Clay recommends contributing to its Zero Day Initiative, which consists of approximately ten thousand researchers globally who find vulnerabilities and bugs. The Zero Day Initiative helps clients develop intrusion prevention systems with an eighty-day protection period.

vArmour

Tim Eades, CEO of vArmour

vArmour is an Application Relationship Management company focusing on operational risk, application resiliency, and securing hybrid cloud environments. The company was founded in 2011 because many enterprises lacked the skills or resources necessary to analyze their own networks. vArmour is backed by Highland Capital Partners, AllegisCyber, Redline Capital, Citi Ventures, and Telstra. vArmour’s products help clients determine which security relationships are working and which are failing, and then help clients analyze those failing relationships and execute solutions.

vArmour is innovative in its technology and culture. It has experience with every industry, making its solutions very diverse. However, banks, telecommunications, and critical infrastructure companies are its primary clients. Eades describes vArmour's innovative culture well: “We are a very kind, humble, and smart company [that is] solving enterprise security problems from the inside out, as opposed to the outside in. vArmour is not just a detective. You find the problem, decide what you want to have happen, then control for those things with programming.” In the Los Altos office, there is a mural with “Shoulder to Shoulder,” symbolizing the golden rule with vArmour’s twist. In Eades’ words, “We do it together, and we do it as one.”

Used with permission from vArmour.

vArmour also contributes to public forums, growing a supportive community around its projects. Eades states that “Thinking in public and sharing our ideas with the work and receiving feedback allows us to ensure our company is heading in the right direction morally and technologically.” Moreover, vArmour assists clients using multiple licenses from legal, technical, and social perspectives.

Diana Nicholas, Marketing Engagement and Partner Associate at vArmour, performing at vArmour’s live show. Used with permission from vArmour.

Lastly, vArmour shined at Black Hat this year. vArmour joined 13 other cybersecurity companies to create the live Security Leaders concert, with the Social Animals headlining and featuring performances including the band of Diana Nicholas, a Marketing Engagement and Partner Associate at vArmour. This is, however, a common practice at vArmour. The company loves promoting “breakout moments” for its employees and up-and-coming musicians. For example, vArmour has an annual tradition of hiring up-and-coming musicians for a live show. Eades is very proud to note that they even hired Royal Blood before they were famous. Overall, I was blown away by the enthusiasm and support of this team, and I look forward to following vArmour’s technical and cultural growth.

Learn more at vArmour’s website.

Judging Criteria

Sailing is similar to cybersecurity in that social, technical, and economic barriers often prevent beginners from joining. However, some companies and leaders strive to alleviate these barriers.

For example, Clark Mills and Major Clifford McKay created the Optimist Dinghy (Opti) to ease financial and age barriers to sailing (The Optimist Dinghy 1947-2007, 2013). The Opti design was so successful that it became one of the most popular sailboats globally and has introduced millions to sailing.

Similar to Mills and McKay's progress in sailing, the companies recognized by the Optis Series have significantly improved their community and industry. The Optis Series highlights cybersecurity companies' innovation and ability to address social, technical, and economic barriers. Furthermore, the definition of an optimist, "a person who is inclined to be hopeful and to expect good outcomes," represents the outlook of cybersecurity if these trends continue (Merriam-Webster, 2021).

Here are the judging criteria:

- Highly differentiated and innovative by offering a unique product, technology, or technique.

- Demonstrates company growth, ideally supported by numerical data like funding and sponsorship, acquisitions, and hiring trends.

- Active external enthusiasm and press.

- Practices embodied by “Security Through Community,” such as inclusion initiatives and a supportive company culture.

- Socially conscious contributions that are easily proved or demonstrated (e.g., open-source code, publications, blogs, events, and licensing choices).

Bronze companies fit into one or two categories, while silver companies demonstrated three or four; gold companies exemplified all five. All companies, however, epitomized their awarded categories enough to deserve substantial recognition for their efforts.

I was very flexible with my interviews, and I did my best to create a holistic picture of each company's values and technologies. I also cited evidence whenever possible through public numerical data, blog posts, reports, publications, and product demos. Read the full criteria here.

About the Author

Olivia Gallucci is a Cybersecurity Reporter for Cyber Defense Magazine and the winner of CDM’s 2021 Women in Cybersecurity scholarship. She is studying Computing Security and Computer Science at Rochester Institute of Technology.

She is a Free and Open Source Software advocate and Linux enthusiast.

Olivia can be reached online here at CDM and at https://oliviagallucci.com/ and @ivyhac and https://www.linkedin.com/in/olivia-gallucci/

Silver Optis: Innovative and Socially Conscious Technologies at Black Hat

By Olivia Gallucci, Cybersecurity Reporter, Cyber Defense Magazine

I interviewed approximately sixty industry leaders from over forty companies who attended Black Hat. Although this article series—The Optis—can be read as a traditional Black Hat recap, I specifically highlight twenty-one companies that stand out and whose growth I recommend watching.

Rochester Institute of Technology’s Cybersecurity Club, RITSEC, inspired the metrics I used to analyze and rank companies. Specifically, I adopted RITSEC’s motto, “Security Through Community,” while examining each company’s ability to promote social good, inclusion, and innovation inside and outside of the company. Furthermore, I referenced materials—public demos, open-source code, and publications—to determine the accuracy of the company’s claims and the span of its communal reach, public contributions, and social good.

Given Cyber Defense Magazine's awarding of unicorns ("a private company with a valuation of over $1 billion") and that Olympic sailing occurred during Black Hat, I created a conceptual framework—The Opti Series—to highlight innovative and socially conscious companies at Black Hat USA 2021 (UserGuiding). The Opti Series contains three articles: bronze, silver, and gold. You can learn about the judging criteria I used for the Opti Series here or scroll to the end of this article.

CyberGRX

Dave Stapleton, CISO of CyberGRX

CyberGRX is a software as a service company that uses varied data sources to manage and analyze third-party security risks. Specifically, CyberGRX uses an exchange model of data to provide organizations with a dynamic stream of third-party data and advanced analytics so clients can efficiently manage, monitor, and mitigate risk in their partner ecosystems. Its goal is to connect every company to the exchange to increase global understanding of third-party risk inheritance and promote the disclosure of security risks in business agreements.

The exchange model is the key to CyberGRX's innovation. Its platform is the largest risk exchange platform globally and contains thousands of risk assessments, allowing organizations to quickly identify which third parties pose the highest cyber risk and helping those third parties and organizations alike focus their resources on critical areas. Thus, CyberGRX's clients gain a better understanding of third-party assessment data, enabling them to derive logical risk insights, make informed business decisions, and save thousands of hours spent on assessment chasing.

3D depiction of a third-party ecosystem demonstrating the interconnectedness of organizations today. Used with permission from CyberGRX.

CyberGRX provides visibility into clients' third-party ecosystems, so they can determine which third parties are missing the controls needed to respond to emerging threats like ransomware and extortionware. Its analysis promotes accountability and shared responsibility by allowing third-party risks to become a first-party responsibility. When companies know their third parties are vulnerable, they can help those parties with remediating vulnerabilities in critical areas. CyberGRX's mission promotes knowledge and growth in cybersecurity, and its platform provides new security insights which have not been available before.

Digital Shadows

Alastair Paterson, CEO and Co-Founder of Digital Shadows

Founded in 2011, Digital Shadows focuses on digital risk and threat intelligence. It specializes in identifying the loss of data such as intellectual property, customer data, and credentials. Digital Shadows created one of the largest credential databases globally, hosting over 25 billion entries. Digital Shadows’ sales increased over fifty percent from last year, and it expects to hire around twenty employees by the end of 2021.

Digital Shadows’ platform alerts clients to data leakages on code-sharing sites like GitHub, GitLab, and Bitbucket. These leakages often stem from things like accidentally publishing code and leaving keys exposed. It can also detect when file stores (e.g., Amazon S3 buckets) are accidentally shared.
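The "keys left in published code" problem above is what secret scanners look for. The following is an added example, not Digital Shadows' code, of a minimal scanner run over a constructed configuration file: a few regex rules for well-known credential shapes, plus a Shannon-entropy filter so that placeholder strings such as a repeated "changeme" do not trigger the generic rule. The rule names, the entropy threshold, and the sample file are all assumptions made for the example; the AWS values are the placeholder examples from AWS's own documentation, not live credentials.

```python
# Added example of the kind of leaked-credential check the article describes,
# run over a constructed source file. Not Digital Shadows' code; patterns and
# thresholds are illustrative.
import math
import re
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    redacted: str   # only a prefix of the candidate is kept, so reports don't re-leak it


# (rule name, regex); group(1) captures the candidate secret.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private-key-block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    # variable names containing key/secret/token/password assigned a quoted literal
    ("generic-assigned-secret", re.compile(
        r"""(?i)(?:api[_-]?key|secret|token|password)[a-z0-9_]*\s*[:=]\s*['"]([^'"]{16,})['"]""")),
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; real keys are high, placeholders like 'changeme' are low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, min_entropy: float = 3.0) -> List[Finding]:
    """Return one Finding per (line, rule) hit. Low-entropy generic matches are dropped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            candidate = m.group(1)
            if rule == "generic-assigned-secret" and shannon_entropy(candidate) < min_entropy:
                continue
            findings.append(Finding(line_no, rule, candidate[:4] + "..."))
    return findings


# Constructed sample file. The AWS values are the placeholder examples from AWS's
# own documentation, not live credentials.
SAMPLE_FILE = """\
# config.py (constructed sample, not a real repository)
import os
DB_HOST = "db.internal.example"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
password = "changemechangemechangeme"
DEBUG_TOKEN = os.environ.get("DEBUG_TOKEN", "")
"""


def scan_sample() -> List[Finding]:
    return scan_text(SAMPLE_FILE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.rule} ({f.redacted})")
```

On the sample, line 4 trips the AWS key-ID rule, line 5 trips the generic rule with a high-entropy value, the repeated "changeme" on line 6 is filtered out, and the environment-variable lookup on line 7 is ignored because no literal is assigned. Running a check like this as a pre-commit hook or CI step catches the leak before the push, which is cheaper than learning about it from a monitoring vendor afterwards; rotating any credential that was ever committed is still required, since history is public once pushed.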

Used with permission from Digital Shadows.

Lastly, Digital Shadows can detect brand impersonations. For example, oliviagallucci.com is my website; if an adversary created oliviagalucci.com (one l), Digital Shadows would disclose the event to me. Its platform can also detect fake apps and social media profiles.
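The impersonation check described above can be reproduced for a domain you own. This is an added example, not Digital Shadows' code: it enumerates one-step typo variants of the brand label (omission, repetition, transposition), falls back to Levenshtein distance for substitutions, and flags same-label registrations under another TLD. The observed-domain feed is constructed for the example, and the label/TLD split on the first dot is a simplification (a real feed needs public-suffix-aware parsing).

```python
# Added example of brand-impersonation monitoring for a domain you own, in the
# spirit of the detection the article describes. Not Digital Shadows' code; the
# observed-domain feed is constructed.
from typing import Dict, List, Tuple


def typo_variants(label: str) -> Dict[str, str]:
    """Map each one-step typo of a domain label to the technique that produces it."""
    variants: Dict[str, str] = {}
    n = len(label)
    for i in range(n):
        variants.setdefault(label[:i] + label[i + 1:], "omission")           # drop a character
        variants.setdefault(label[:i] + label[i] + label[i:], "repetition")  # double a character
    for i in range(n - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        variants.setdefault(swapped, "transposition")                        # swap neighbours
    variants.pop(label, None)   # swapping two equal letters reproduces the original
    return variants


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches substitutions the variant table does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_observed(brand_domain: str, observed: List[str], max_distance: int = 1) -> List[Tuple[str, str]]:
    """Return (domain, reason) for every observed domain that looks like the brand."""
    label, _, tld = brand_domain.lower().partition(".")
    variants = typo_variants(label)
    hits = []
    for dom in observed:
        dom = dom.lower()
        olabel, _, otld = dom.partition(".")
        if olabel == label:
            if otld != tld:
                hits.append((dom, "tld-swap"))
            continue                      # the brand's own domain is not a hit
        if olabel in variants:
            hits.append((dom, variants[olabel]))
        elif edit_distance(olabel, label) <= max_distance:
            hits.append((dom, "edit-distance"))
    return hits


# Constructed feed of newly seen registrations (not real observations).
OBSERVED = [
    "oliviagallucci.com",    # the brand itself
    "oliviagalucci.com",     # the article's example: one "l" dropped
    "oliviagallucci.co",     # same label, different TLD
    "olivaigallucci.com",    # adjacent letters swapped
    "oliviagallucc1.com",    # "i" replaced by "1"
    "example.org",           # unrelated
]


def monitor_brand() -> Dict[str, str]:
    return dict(check_observed("oliviagallucci.com", OBSERVED))


if __name__ == "__main__":
    for domain, reason in monitor_brand().items():
        print(f"{domain:<24} {reason}")
```

The variant table gives a precise reason for each hit, which is what an analyst wants in an alert; the edit-distance fallback is the safety net for shapes the table does not enumerate. Homoglyph and keyboard-adjacency variants, and certificate-transparency or passive-DNS sources for the observed list, are the natural next additions.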

Used with permission from Digital Shadows.

Digital Shadows uses multiple open-source tools; Spring Framework, Guava, Terraform, Apache HBase, and Jenkins are a few notable ones. Paterson stated that “Digital Shadows began open-sourcing some of its projects after our security research team discussed how we could give back to the community.” One of Digital Shadows' notable repositories is Orca, an asset discovery tool. Paterson continued, "One of our goals is to integrate into the open-source community to foster collaboration and constructive feedback,” and Digital Shadows is well on its way to achieving this goal.

ExtraHop

Jeff Costlow, CISO of ExtraHop

ExtraHop is a network detection and response (NDR) provider, helping organizations secure environments and implement threat protections. ExtraHop specializes in detecting lateral movement and increasing the effectiveness of high-speed networks. Its goal is to bridge the gap between SIEM and EDR across client networks to help organizations detect and respond to advanced threats.

ExtraHop DNS LAM. Permission to use from ExtraHop.

ExtraHop's innovation stems from its Reveal(x) 360, a software as a service platform utilizing cloud-scale artificial intelligence to analyze adversaries in real time. Reveal(x) 360 works at the network level and analyzes up to 100 Gbps. Furthermore, ExtraHop's behavioral network analytics detect approximately 1500 high-risk threats per month, including supply chain attacks, APTs, and zero-days. Reveal(x) 360 is able to decrypt traffic to provide complete visibility and enable deep forensic investigations. Reveal(x) 360 can also see activity without being detected, so bad actors don’t even know that they are being watched. This is an important part of ExtraHop’s NDR solution, given that recent highly sophisticated attacks like SolarWinds SUNBURST have brought awareness to the fact that hackers are learning to evade traditional security methods and tools.

ExtraHop overview. Permission to use from ExtraHop.

ExtraHop regularly contributes cyber threat data and anonymized threat intel identified via its platform to the security community. Key contributions include ExtraHop’s research on the techniques used in the SolarWinds SUNBURST attack to evade detection, as well as the company’s research on connected devices during COVID-19. ExtraHop also contributed to the latest version of the MITRE ATT&CK Framework and Knowledge Base, which now includes the latest developments in network detection and response methodologies. By sharing the growing body of network attack behaviors in the MITRE ATT&CK framework, security teams are now better equipped to detect and respond to advanced threats as they integrate NDR into their security operations. The MITRE ATT&CK framework is natively integrated into the ExtraHop Reveal(x) 360 interface, which further helps security professionals detect the latest tactics, techniques, and procedures being used by adversaries on their networks. ExtraHop’s security research team regularly shares threat briefs, which are immediately available to customers via the product and also published publicly on ExtraHop’s blog.

Learn more: Why Cyber Defense Needs Software Behavior Transparency by Ben Higgins, Distinguished Software Engineer at ExtraHop

GuidePoint Security

Tony Cook, Head of Threat Intelligence

Mark Lance, Senior Director of Cyber Defense

Victor Wieczorek, VP of Application Security and Threat & Attack Simulation

GuidePoint Security is a pure-play security consulting and management company. It has spread from its east coast beginnings to expand across most of the United States. GuidePoint’s focus is solving complex problems from a consultative approach. Its innovativeness stems from its unique company model. GuidePoint Security provides cybersecurity solutions and services through a localized team within each region, with additional teams providing capabilities across the entire nation.

Unlike many companies, GuidePoint Security does not promote sponsored products because it is not a vendor. GuidePoint Security endorses quality products to ensure productivity and client satisfaction.

GuidePoint Security is heavily involved in the open-source community and prides itself on its communal outreach and diverse solutions. OSS is built into or surrounds most of its tools, and as a result, its teams have become effective contributors, analyzers, and creators of OSS. One of its notable projects is RedCommander, a red team infrastructure complete with redirectors and basic domain fronting. GuidePoint Security also contributes to open-source communities such as Velociraptor, BloodHound, MISP, and others.

GuidePoint employs approximately five hundred security professionals and expects to hire around one hundred people within the following year. For those interested in working with GuidePoint Security, the senior leaders stated that “we want people who are hungry to learn, care about the quality of their work, and are passionate about security in their free time.” In the future, GuidePoint Security is focusing on developing automation and productivity tools to ensure that “smart people are doing smart things.”

Follow GuidePoint Security on LinkedIn here.

NTT

Setu Kulkarni, VP of Corporate Strategy & Business Development

Bruce Snell, VP of Security Strategy and Transformation

NTT is a global technology services company. As a global information and communications technology provider, the company employs about fifty thousand people across 57 countries. I interviewed two NTT executives—Setu Kulkarni and Bruce Snell—about their team's latest developments.

Learn more: NTT’s Virtual Reality SOC Tour

NTT's Security Division functions as a managed security services provider (MSSP), supplying talented professionals and diverse vendor relationships to its clients so that they can focus on running the business and leave everything from security operations to threat monitoring and intelligence to incident response to their NTT team. Furthermore, around forty percent of internet traffic runs through NTT, which gives their specialists unmatched expertise in malicious traffic and vulnerability analysis. Bruce describes it as "watching the weather patterns of cybersecurity."

NTT’s Application Security (AppSec) team utilizes an innovative consumption model, factoring in clients' budget and regulatory needs; it offers an AppSec platform, technical expertise, and training. Its AppSec platform helps clients detect, track, and remediate vulnerabilities on all of their devices. NTT's AppSec team also tracks open-source software (OSS) vulnerabilities and assists clients with OSS remediation. When OSS vulnerabilities are particularly problematic, NTT proposes remediations to the original OSS project.

Olivia Gallucci (CDM) interviewing NTT execs, Setu Kulkarni and Bruce Snell, at the 2021 Black Hat Conference. Permission to use from NTT.

NTT also shares its intel, giving back to the community. For example, the Security Division publishes its threat landscape findings in monthly threat reports and the annual Global Threat Intelligence Report. The August report notes that, according to NTT’s Global Threat Intelligence Report, ransomware held a steady 3-4% share of all detected malware over the last few years. In 2020, this increased to about 6% (a nearly 50% increase). Since then, ransomware activity has increased exponentially in 2021. If we continue to see this rate of incident occurrence, we can expect ransomware to be at 12% of all detected malware before the end of 2021. This may not seem like a significant statistic, but it represents millions of detections and could indicate a total increase of about 300% in the last two years, or even as much as one attack every 11 seconds.

The AppSec team does something similar in its AppSec Stats Flash Report, a monthly state-of-application-security update. Furthermore, NTT contributes to CVE databases and is a member of the Cloud Security Alliance and Cyber Threat Alliance.

Read NTT’s August 2021 Threat Report here.

OneSpan

Will LaSala, Director of Security Solutions and Security Evangelist at OneSpan; Official Member of the Forbes Technology Council

OneSpan is a digital banking, security, and electronic signature company founded in 1991. Its most innovative technologies involve mobile clients, specifically application hardening. OneSpan’s Mobile Application Shielding platform can lock specific apps so that the phone will work even if one app gets hacked. Furthermore, the platform allows clients to analyze mobile devices and corresponding servers simultaneously. OneSpan’s central goal is to ensure that clients’ employees can detect and harden insecure applications and devices.

Permission to use from OneSpan.

OneSpan also contributes to the open-source community. OneSpan uses its contributions to multiple crypto libraries to receive feedback and promote transparency. In LaSala’s words, “We value the open-source communities’ support for security and feedback purposes. Releasing code to the public also protects the security community against hijacked open-source libraries.” Overall, OneSpan’s contributions to one-time password and cryptography projects exemplify its dedication to security and communal growth.

Learn more by reading OneSpan’s Global Financial Regulations Report and listening to the UserFriendly 2.0 podcast, episode Black Hat 2021 and Rodeo.

Qualys

Sumedh Thakar, CEO of Qualys

Qualys is a software as a service company founded in 1999; it offers cloud-based security solutions in the fragmented security industry. The company has strategic partnerships with leading cloud providers, managed services providers, and consulting firms like Amazon, Microsoft, Google, Accenture, IBM, Infosys, NTT, and Verizon.

Used with permission from Qualys.

Qualys' innovativeness stems from its ability to make security efficient, cost-effective, and scalable, offering solutions for almost every security concern. Qualys provides a one-stop solution, consolidating pre-existing technologies into a simple and easy-to-use platform.

Qualys built its backend and highly scalable platform by leveraging OSS and in-house technology. Furthermore, Qualys uses OSS to improve security event monitoring, tracking 2.5+ billion messages on Kafka and 8 trillion data points in Elasticsearch daily. In Thakar's words, "You can leverage open-source technology to build massive-scale platforms; Qualys is a great example of that. As a result, we are continually increasing our public contributions, especially in the OSS community."

Learn more: Qualys at Black Hat USA 2021

Judging Criteria

Sailing is similar to cybersecurity in that social, technical, and economic barriers often prevent beginners from joining. However, some companies and leaders strive to alleviate these barriers.

For example, Clark Mills and Major Clifford McKay created the Optimist Dinghy (Opti) to ease financial and age barriers to sailing (The Optimist Dinghy 1947-2007, 2013). The Opti design was so successful that it became one of the most popular sailboats globally and has introduced millions to sailing.

Similar to Mills and McKay's progress in sailing, the companies recognized by the Opti Series have significantly improved their community and industry. The Opti Series highlights cybersecurity companies' innovation and ability to address social, technical, and economic barriers. Furthermore, the definition of an optimist, "a person who is inclined to be hopeful and to expect good outcomes," represents the outlook of cybersecurity if these trends continue (Merriam-Webster, 2021).

Here are the judging criteria:

- Highly differentiated and innovative by offering a unique product, technology, or technique.

- Demonstrates company growth, ideally supported by numerical data like funding and sponsorship, acquisitions, and hiring trends.

- Active external enthusiasm and press.

- Practices embodied by “Security Through Community,” such as inclusion initiatives and a supportive company culture.

- Socially conscious contributions that are easily proved or demonstrated (e.g., open-source code, publications, blogs, events, and licensing choices).

Bronze companies fit into one or two categories, while silver companies demonstrated three or four; gold companies exemplified all five. All companies, however, epitomized their awarded categories enough to deserve substantial recognition for their efforts.

I was very flexible with my interviews, and I did my best to create a holistic picture of each company's values and technologies. I also cited evidence whenever possible through public numerical data, blog posts, reports, publications, and product demos. Read the full criteria at https://oliviagallucci.com/judgingcriteria-for-the-opti-series/

About the Author

Olivia Gallucci is a Cybersecurity Reporter for Cyber Defense Magazine and the winner of CDM’s 2021 Women in Cybersecurity scholarship. She is studying Computing Security and Computer Science at Rochester Institute of Technology.

She is a Free and Open Source Software advocate and Linux enthusiast.

Olivia can be reached online here at CDM and at https://oliviagallucci.com/ and @ivyhac and https://www.linkedin.com/in/olivia-gallucci/

Bronze Optis: Innovative Technologies at Black Hat

By Olivia Gallucci, Cybersecurity Reporter, Cyber Defense Magazine

I interviewed approximately sixty industry leaders from over forty companies who attended Black Hat. Although this article series—The Optis—can be read as a traditional Black Hat recap, I specifically highlight twenty-one companies that stand out and whose growth I recommend watching.

Rochester Institute of Technology’s Cybersecurity Club, RITSEC, inspired the metrics I used to analyze and rank companies. Specifically, I adopted RITSEC’s motto, “Security Through Community,” while examining each company’s ability to promote social good, inclusion, and innovation inside and outside of the company. Furthermore, I referenced materials—public demos, open-source code, and publications—to determine the accuracy of the company’s claims and the span of its communal reach, public contributions, and social good.

Given Cyber Defense Magazine's awarding of unicorns ("a private company with a valuation of over $1 billion") and that Olympic sailing occurred during Black Hat, I created a conceptual award—Optis—in three ranks: bronze, silver, and gold (UserGuiding). You can learn about the judging criteria I used for this award here or scroll to the end of this article.

Axis Security

Dor Knafo, Co-Founder and CEO of Axis Security

Gil Azrielant, Co-Founder and CTO of Axis Security

Axis Security offers a secure access service edge, protecting organizations by analyzing application-layer traffic. Clients use its software and cloud platform in tandem to monitor company networks. Its software handles client services and resource access, alerting the client when access is unexpected or discouraged.

Axis Security built its technology in-house to streamline policy and vendor relationships. Its solutions include secure partner access for third parties, mergers and acquisitions, cloud migration, and enabling remote work environments. Axis Security's most innovative technology is its cloud-based VPN replacement, Application Access Cloud. The platform provides its clients an easy and safe connection to any device without ever touching the clients' apps or networks.

Axis Security exemplifies global citizenship by leveraging open-source works and contributing to open-source communities. One of the open-source projects Axis Security uses and contributes to is WireGuard, an open-source virtual private network.

Learn more: Dark Reading News Desk talks to Axis Security

CyberSaint

Padraic O'Reilly, Co-Founder and CPO of CyberSaint

CyberSaint is a software as a service company securing critical infrastructure and other highly regulated industries. Its goal is to understand customers' cybersecurity risk profiles to prevent future attacks. CyberSaint created the CyberStrong Platform, an automated solution that continuously analyzes real-time telemetry to perform compliance and risk assessments across standards such as NIST, CIS20, NERC-CIP, and many others. CyberStrong allows clients to make better business decisions by ranking their risk and compliance posture internally, geographically, and industry-wide. Its creativity draws from its ability to take regulatory regimes used in governance, risk, and compliance and implement those standards across a risk management program in a way that enables cybersecurity resilience. It does this through its patented natural language processing (NLP) technologies, intuitive user interface, and executive reports.



CyberSaint’s Risk Register. Used with the permission of CyberSaint.

CyberSaint analyzes all types of data sources—feeds, proprietary and open-source intelligence, and threat information—with its NLP to optimize system hardening. CyberSaint uses its NLP technology to leverage telemetry from applications, creating static mappings to controls when an application is implemented and dynamic mappings to controls based on data feeds. This NLP is also used to automate crosswalks, using a customer's existing control scores to fulfill requirements across any set of frameworks or standards within seconds in an "assess once, use many" fashion. Furthermore, CyberStrong helps clients understand their overall cyber risk and compliance posture, strategy, and security.

CyberSaint's contributions to the community include the Making Space in Cybersecurity pledge, pro bono consulting to Massachusetts-based non-profits, and gifting no-cost annual licenses to its healthcare customers amid the COVID-19 crisis.

Mimecast

Jeremy Ventura, Senior Security Strategist at Mimecast

Founded in 2003, Mimecast is a leading email security company. Mimecast combined patented, in-house solutions with external vendor data to create a single solution for detecting malicious emails. Its email security solution stops malicious emails from entering or leaving client networks. Additionally, its email security solution is customizable to fit client needs, culture, and threats.



Mimecast is headquartered in the United Kingdom and employs over 1800 security professionals globally. Furthermore, Mimecast is rapidly growing, expecting to hire approximately six hundred employees by the end of the fiscal year 2022.

Although Mimecast does not contribute to the open-source community or endorse external open-source software, it publicly releases its monthly threat proofing report. Furthermore, Mimecast publicly releases its annual state of email security report, which uses survey results from its forty thousand customers and C-level executive interviews. One of Mimecast's most intriguing findings was that two-thirds of organizations admitted they had an email security incident that led to a ransomware attack and that 52 percent of those organizations paid the ransom.

Future reading: Mimecast’s 2021 The State of Email Security Report.

Nuspire

Jyothish (JV) Varma, VP of Product Management at Nuspire

Nuspire is a managed security services provider (MSSP) founded in 1999. Like most MSSPs, Nuspire provides detection, prevention, and response services. However, Nuspire extends traditional remediation practices; it prevents future attacks via proactive and continual system tuning. Other notable procedures include Nuspire's human-only technical support and fast onboarding.

Nuspire's platform was built in-house, using open-source components. Although Nuspire does not deliver open-source software to its clients, it collaborates with open and closed-source vendors to provide clients with a holistic intelligence landscape.

Used with the permission of Nuspire.



Unlike many MSSPs, Nuspire offers clients the ability to automate responses inside multiple portals, allowing clients to use familiar technologies. Furthermore, Nuspire draws insights across platforms (e.g., SentinelOne, Carbon Black, and CrowdStrike) to ascertain the importance of vulnerabilities and intelligence. Nuspire will continue to add more vendor platforms, using market analytics and client feedback to determine which platforms it adds next.

Watch Nuspire’s Black Hat webinar here or read about one of Nuspire's publications at Black Hat: Nuspire Launches New Managed Endpoint Detection and Response (EDR) Service That Supports Leading EDR Technology Providers Including Carbon Black, SentinelOne, and Others.

ThreatX

Gene Fay, CEO of ThreatX

Founded in 2014, ThreatX is a Web Application and API Protection security company that offers solutions at each layer of the Open Systems Interconnection model. ThreatX offers solutions across web applications and APIs: Web Application Firewalls (WAFs), API security, bot management, and DDoS protection.

ThreatX's most innovative technology is its automated WAF. ThreatX acknowledged the constraints of non-automated WAFs (i.e., WAFs that rely on fine-grained rules), which generate false negatives and false positives. Fay explained, “Web applications and APIs are under constant assault by highly sophisticated threat actors and techniques. The ThreatX WAAP combines dynamic web application and API security into a single platform, providing actionable insights to reduce vulnerabilities and prevent future attacks.” For example, ThreatX can quickly detect if an API or resource is exposed, which alerts clients to the issue at the time of occurrence. This timeliness alleviates accidental leakages and future breaches.

Read about ThreatX’s press release—ThreatX Announces API Catalog to Provide Enterprises a Clear View of Attack Surface—published at Black Hat.

Trustwave

Darren Van Booven, Lead Principal Consultant at Trustwave; former CISO of the United States House of Representatives

Trustwave is a global managed threat detection and response (MDR) and managed security services (MSS) company that protects SMBs and enterprises around the world from advanced cyber threats. The Trustwave Fusion Platform is a cloud-based XDR platform that serves as the foundation for the company’s managed security services, products, and other cybersecurity offerings. Trustwave particularly excels in protecting organizations operating across the cloud, databases, operational technologies, and the supply chain. It also has leading consulting and professional services, digital forensics, and incident response teams. With the surge in ransomware over the past year, Trustwave has seen a 2x demand for its ransomware preparedness services.



Used with the permission of Trustwave.

Trustwave SpiderLabs is the company’s expert research group that produces industry-recognized threat intelligence and frequently publishes reports on newly discovered vulnerabilities. SpiderLabs maintains ModSecurity, an open-source, cross-platform WAF engine for Apache, IIS, and Nginx. ModSecurity has a robust event-based programming language that protects against a range of attacks on web applications and allows for HTTP traffic monitoring, logging, and real-time analysis.

Trustwave Government Solutions, the wholly-owned subsidiary of Trustwave Holdings, Inc., recently announced it has joined the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Information Sharing and Collaboration Program (CISCP). The overall mission of CISCP is to build cybersecurity resiliency and to harden the defenses of the U.S. and its strategic partners through threat intelligence sharing. Trustwave is also an active contributor to the MITRE ATT&CK framework.

I cannot wait to see more developments out of Trustwave and its SpiderLabs research team. Trustwave’s commitment to offering truly global security and thoughtfulness in its security research contributions are something to emulate.

Further reading: Trustwave Launches First-of-Its-Kind Cyber Supply Chain Risk Assessment Solution for the Pacific Region and Trustwave Recognized as a Top 10 MSSP by Cyber Defense Magazine



ZeroFox

Sam Small, CSO of ZeroFox

ZeroFox is a security company protecting client brands, reputations, and consumers. ZeroFox's specialty is tracking impersonation attempts—from individual to nation-state adversaries—by analyzing data on the clear and dark web.

ZeroFox was the first company in the social media protection space and has built many technologies within its platform using NLP and artificial intelligence. ZeroFox recently acquired two security organizations: Cyveillance and Vigilante.

ZeroFox's platform is customizable, timely, and scalable. Its clients receive direct access to its cloud-processing pipeline, where hundreds of customizable rules are pre-made, so clients can rely on ZeroFox's expertise or build solutions around specific policies and threats. Furthermore, ZeroFox's platform is able to test the effectiveness of specific threat mitigations by analyzing its clients' responses to identical threats. Overall, ZeroFox is one of the most riveting companies at Black Hat, and its specialization in protection and intelligence outside the firewall, including on social media and the deep and dark web, is something to follow.

Further reading: ZeroFox Launches New External Threat Hunting Module within Platform, Empowering Analysts with Direct Access to Full-Spectrum Threat Intelligence Data Lake

Awarding Criteria

Sailing is similar to cybersecurity in that social, technical, and economic barriers often prevent beginners from joining. However, some companies and leaders strive to alleviate these barriers.

For example, Clark Mills and Major Clifford McKay created the Optimist Dinghy (Opti) to ease financial and age barriers to sailing (The Optimist Dinghy 1947-2007, 2013). The Opti design was so successful that it became one of the most popular sailboats globally and has introduced millions to sailing.

Similar to Mills and McKay's progress in sailing, the companies recognized by the Opti Awards have significantly improved their community and industry. The Opti Award highlights cybersecurity companies' innovation and ability to address social, technical, and economic barriers. Furthermore, the definition of an optimist, "a person who is inclined to be hopeful and to expect good outcomes," represents the outlook of cybersecurity if these trends continue (Merriam-Webster, 2021).

Here are the judging criteria:

- Highly differentiated and innovative by offering a unique product, technology, or technique.
- Demonstrates company growth, ideally supported by numerical data like funding and sponsorship, acquisitions, and hiring trends.
- Active external enthusiasm and press.
- Practices embodied by “Security Through Community,” such as inclusion initiatives and a supportive company culture.
- Socially conscious contributions that are easily proved or demonstrated (i.e., open-source code, publications, blogs, events, and licensing choices).

Bronze companies fit into one or two categories, while silver companies demonstrated three or four; gold companies exemplified all five. All companies, however, epitomized their awarded categories enough to deserve substantial recognition for their efforts.

I was very flexible with my interviews, and I did my best to create a holistic picture of each company's values and technologies. I also cited evidence whenever possible through public numerical data, blog posts, reports, publications, and product demos. Read the full criteria at https://oliviagallucci.com/judgingcriteria-for-the-opti-series/

About the Author

Olivia Gallucci is a Cybersecurity Reporter for Cyber Defense Magazine, and winner of CDM’s 2021 Women in Cybersecurity scholarship. She is studying Computing Security and Computer Science at Rochester Institute of Technology.

She is a Free and Open Source Software advocate and Linux enthusiast. Olivia can be reached online here at CDM and at https://oliviagallucci.com/ and @ivyhac and https://www.linkedin.com/in/olivia-gallucci/



Looking Back at Executive Order on Cybersecurity and What it Means for Your Business

By James Gorman, CISO of AuthX

On May 12, 2021, President Biden issued an Executive Order focused on improving the nation's cybersecurity. This executive order strives to accomplish several important objectives for the United States’ approach to safeguarding its data and systems.

1. Create a Zero Trust environment
2. Manage the supply chain and its vulnerabilities
3. Minimize barriers to intelligence sharing
4. Create a Safety Review Board
5. Create a standardized playbook for Incident Response



The key outcomes for US cybersecurity procedures from this executive order include:

1. Developing a Zero Trust environment. This insight can apply to any organization, regardless of industry or size. Incorporating just this one element will lead to the most effective tightening of security globally.

A Zero Trust environment refers to an environment that has no implicit trust boundaries. The benefit of this approach is that it ensures we only allow authenticated and authorized people to access our applications and systems. This can look very different depending on the application, but inherently in this type of environment, no person or system is implicitly trusted, and authentication and access rights must be verified at each access step.

This component will ensure all access to systems run or used by the federal government involves Multi-Factor Authentication.

2. Enhancing Supply Chain Security. This includes creating a way to track the deployment and provenance within the software lifecycle. It will likely involve lots of new reporting and compliance related to making the software supply chain less vulnerable. This type of approach serves as an example of a system that can prevent large-scale cyber-attacks, such as the SolarWinds hack from late last year.

Much of this new infrastructure will make it harder for smaller players because of the cost of keeping up with the various mandates. As the industry goes forward, we should consider how this may create barriers to entry for small software developers. Do we want to limit the availability of small software developers? How can the cost and complexity be minimized? Consideration for this needs to be a discussion topic as we advance.

3. Improving Coordination and Sharing of Threat Information. The EO gives direction to improve the coordination and sharing of cyber threat information between federal law enforcement, federal government agencies, IT contractors, cloud service providers, and industry. To make this happen, contract language will likely have to be renewed.

While increased communication helps bolster cybersecurity, it comes with additional risks to mitigate. When sharing more information between intelligence agencies, law enforcement agencies, and corporations, the privacy rights of individuals and corporate intellectual property rights must be assured.

4. Create a Safety Review Board. The EO creates a Safety Review Board, which is positive because it codifies an automatic review and “lessons learned” session. Performing lessons learned sessions is a crucial way to improve future outcomes. Bringing together Homeland Security and the Attorney General will create an environment where we can more easily bring the perpetrators of any act of cyber-attack to justice. However, the US needs to be careful to avoid this board overreaching - especially when it comes to citizens - and ensure civil liberties are protected.



5. Standardize the Playbook for Vulnerabilities and Incidents. Having a go-to playbook is critical in the event of an incident or a breach. The unfortunate reality is that most cybersecurity branches of organizations are run worse than your child's hockey team. Your child's team has a playbook, they practice, and they play the game after practice. Most cybersecurity plans are sitting on a shelf somewhere in a binder, and are never tested or practiced.

Having one playbook for the entire federal government is like the whole NFL having the same playbook – or maybe more like the NFL and all college football teams using the same playbook. The Agriculture Department plays in a far different environment from that of the Departments of Energy or Defense.

Having a playbook and actively putting it into practice is much more critical than having conformity across organizations.

So, what does this executive order mean for your organization? For most companies - unless they are doing business with the government - little will directly affect them.

But there are five main takeaways from this initiative that every company can and should implement:

1) Create a Zero Trust environment.
• Segment your business applications to minimize exposure to hostile actors.
• Use a robust authentication system to ensure whom you are allowing into your network is who they say they are.

2) Manage software and operating system patching process.
• Use automated tools and scheduled update times to do updates.
• Follow the guidelines of the Software Developer to ensure that bugs are fixed in your environment ASAP.

3) Create an open environment that will allow for free and rapid sharing of information.
• Make it easy to report potential and actual threats to those who can mitigate these concerns.
• Encourage the team to report or request assistance for any questionable emails, computer activity, etc.

4) Do an after-action review on all incidents.
• Record what went right.
• Make sure you add to the playbook unforeseen developments.

5) Create a playbook - an incident response plan.
• Make it second nature for your team to take action when an issue arises.
• Create a broad outline of how you want an issue handled.
• Ensure you have all the contact points for the important people/organizations in the front of the book.

Overall, the President's executive order provides a good overview of how to make our nation’s critical information systems more secure with a lot of guidance and timelines. It also helps the government lead by example to illustrate what an enterprise can do to make itself more secure and enable a faster and more standardized response to cyber threats.

As always – StayHackFree!

About the Author

James Gorman, CISO, AuthX

James is a solutions-driven, results-focused technologist and entrepreneur with experience securing, designing, building, deploying, and maintaining large-scale, mission-critical applications and networks. Over the last 15 years, he has led teams through multiple FedRAMP, NIST, ISO, PCI, and HITRUST compliance audits. As a consultant, he has helped numerous companies formulate their strategy for compliance and infrastructure scalability. His previous leadership roles include CISO, VP of Network Operations & Engineering, CTO, VP of Operations, Founder & Principal Consultant, Vice President and CEO at GE, Epoch Internet, NETtel, Cable and Wireless, SecureNet, and Transaction Network Services.

James can be reached online at (james@authx.com, https://www.linkedin.com/in/jamesgorman/) and at our company website https://authx.com



How Trustworthy is Your Cyber Defense?

Make your cybersecurity spending pay off with added defense tactics and provider accreditation

By Tom Brennan, Chairman, CREST USA

Cyber criminals are branching out from the big guys, the Facebook-type large scale breaches, to the small-to-medium-sized enterprises. A new global study by Analysys Mason shows SMBs are paying attention: they estimate SMBs spent $57 billion on cyber-security in 2020, and anticipate this figure hitting $90 billion in 2025. By nature, SMBs work with less security budget and staff. For SMBs, and even for companies with deep pockets, your cyber defense investment has to be just the first step in a powerful threat defense.

The threat universe in which we do business today is an equal-opportunity one. The rise of ransomware-as-a-service and the ability to purchase malware on the dark web has lowered the barrier to entry and made cybercrime accessible to anyone. The result is that no sector or size of company can ignore these targeted or indiscriminate attacks.



Understanding the Cyber Attacker

This expanding threat climate makes it all the more important to understand what data is attractive to an attacker and to discover where your security weaknesses are so you can fix them before someone else finds and exploits them. The best way to discover where vulnerabilities lie is to simulate malicious attacks, from inside or outside of the organization, in order to see how easy it is to break into your network and steal valuable data or deny access to critical assets.

The practice of this type of simulation is called penetration testing. This very skilled, technical, and clearly very sensitive investigation and analysis has seen a rapid rise in demand. While penetration testing has traditionally been associated with government organizations and large financial institutions and corporations, it is now commonplace among medium-sized companies and the wider public sector.

Verify Penetration Testing Knowledge

Evaluating the trustworthiness of a third-party provider to conduct penetration testing has to be part of your improved threat defense. You need to have confidence and trust in a specialist company that delivers this service regarding how information and knowledge is handled and processed. Seek out an accreditation that will verify the level of knowledge, skill and competence of a provider in relationship to penetration testing, cyber incident response and threat intelligence. This accreditation also can apply to individuals within your organization who are part of your security operations team. These accredited providers and individuals need to stay one step ahead of cyber criminals and be well versed in the tools and techniques used in the most sophisticated attacks.

Another benefit of vetting your providers is the ability to tell your customers that their data is adequately protected and that you take cyber security seriously. While larger organizations may have more security staff, if you’re an SME, you have to do more with less, and you have fewer reserves with which to survive a costly cyberattack. A good practice is to explore what are the baseline requirements for cyber hygiene in your organization: what can’t you afford to lose in terms of data, a computer asset shutdown, or in ecommerce, for example, a privacy breach of your customer’s information. This information needs to be integrated into your overall cyber defense, and a reputable provider should be able to give you a solid defense strategy for all items.

In fact, it has been shown that organizations with a basic level of cyber hygiene have not been affected by random attacks such as WannaCry. Accreditation also helps you better leverage your investment. The Analysys Mason study also found investment in third-party, managed security services to represent the largest segment from 2020-2025, an estimated $30 billion at a 14% CAGR. Getting the most qualified providers and individuals makes sense, given the substantial projected spend.

Evaluating Your SOC

Despite best endeavors, it is impossible to be 100% secure. If your business does fall victim to a malicious cyber security incident, your immediate task is to act as quickly as possible to limit the impact and damage. A Security Operations Center (SOC) is often the first line of defense, so there is an increasing demand to ensure that it is operating effectively. The difficulty lies in how to make this assessment when you’re using third-party services. It is impossible to assess capability based on marketing material and almost impossible to assess capability through a procurement process. To help to resolve this issue, it is possible to apply an accreditation process specifically to SOCs. This includes procedural audits, physical audits and technical assessments.

Better Defense Benefits All

With billions being spent on cyber defense, it is good economic policy to put that investment to the highest, most effective use. Using penetration testing, seeking formal accreditation of your security service providers, and having a very clear picture of your most critical threats, will give you a more powerful, and trustworthy security foundation.

About the Author

Tom Brennan is Chairman of CREST USA, an international not-for-profit accreditation and certification body that represents and supports the technical information security market. In this role, he works with government and commercial organizations to optimize the value of CREST as a cybersecurity accreditation body and industry standards advocate. Brennan also serves as an industry evangelist and educator on the value of using accredited cybersecurity products and professionals to improve consumer privacy, security and protections worldwide.



New Report Reveals Traditional Anti-Malware Solutions Miss 74% of Threats

By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies

The threat landscape is an erratic and ever-evolving beast. While it knows no master, its behavior is broadly directed by the host of threat actors that pull on its reins from all corners of the world, constantly adapting their tactics and techniques to better sniff out points of weakness and infiltrate organizations.

Businesses must stay up to date on the latest threat intelligence to understand their adversaries, bolster defenses and avoid falling prey. For this reason, the WatchGuard Threat Lab research team produces a quarterly security report detailing the latest malware and network attack trends based on anonymized data from tens of thousands of WatchGuard appliances deployed across the globe.

The Threat Lab’s latest Internet Security Report reveals the highest level of zero-day malware detections we’ve ever recorded. In fact, evasive malware rates have actually eclipsed those of traditional threats, which is yet another sign that organizations must continue to evolve their defenses in order to stay ahead of increasingly sophisticated threat actors. The research also covers new threat intelligence around rising network attack rates, how malicious actors are trying to disguise and repurpose old exploits, and the quarter’s top malware attacks.



Hungry for more? Here are some additional key findings to feast on:

1. Network attacks are on the rise – WatchGuard appliances detected more than 4 million network attacks, a 21% increase compared to the previous quarter and the highest volume since early 2018. Corporate servers and assets on site are still high-value targets for attackers despite the shift to remote and hybrid work, so organizations must maintain perimeter security alongside user-focused protections.

2. Fileless malware variant surges in popularity – XML.JSLoader is a malicious payload that appeared for the first time in both WatchGuard’s top malware by volume and most widespread malware detections lists. It was also the variant WatchGuard detected most often via HTTPS inspection in Q1’21. The sample WatchGuard identified uses an XML external entity (XXE) attack to open a shell and run a command that bypasses the local PowerShell execution policy, and it runs in a non-interactive way, hidden from the actual user or victim. This is another example of the rising prevalence of fileless malware and the need for advanced endpoint detection and response capabilities.

3. Attackers disguise ransomware loader as legitimate PDF attachments with the help of a simple file name trick – Ransomware loader Zmutzy surfaced as a top-two encrypted malware variant by volume in Q1’21. Associated specifically with Nibiru ransomware, the threat reaches victims as a zipped file attachment to an email or a download from a malicious website. Running the zip file downloads an executable, which to the victim appears to be a legitimate PDF. Attackers used a comma instead of a period in the file name and a manually adjusted icon to pass the malicious zip file off as a PDF. This type of attack highlights the importance of phishing education and training, as well as implementing back-up solutions in the event that a variant like this unleashes a ransomware infection.

4. Hackers co-opt reputable domains to mine cryptocurrency – In Q1’21, WatchGuard’s DNSWatch service blocked several compromised and outright malicious domains associated with cryptomining threats. Cryptominer malware has become increasingly popular due to recent price spikes in the cryptocurrency market and the ease with which threat actors can siphon resources from unsuspecting victims.

5. An old directory traversal attack technique comes back with a vengeance – WatchGuard detected a new threat signature in Q1’21 that involves a directory traversal attack via cabinet (CAB) files, a Microsoft-designed archival format intended for lossless data compression and embedded digital certificates. A new addition to WatchGuard’s top 10 network attacks list, this exploit either tricks users into opening a malicious CAB file using conventional techniques, or spoofs a network-connected printer to fool users into installing a printer driver via a compromised CAB file.

6. IoT devices continue to present an attractive attack surface for malicious actors – While it didn’t make WatchGuard’s top 10 malware list for Q1’21, the Linux.Ngioweb.B variant has been used by adversaries recently to target IoT devices. The first version of this sample targeted Linux servers running WordPress, arriving initially as an extended format language (EFL) file. Another version of this malware turns the IoT devices into a botnet with rotating command and control servers.

7. Lessons learned from HAFNIUM zero days – Last quarter, Microsoft reported that adversaries used the four HAFNIUM vulnerabilities in various Exchange Server versions to gain full, unauthenticated system remote code execution and arbitrary file-write access to any unpatched server exposed to the Internet, as most email servers are. WatchGuard's incident analysis dives into the vulnerabilities and highlights the importance of HTTPS inspection, timely patching and replacing legacy systems. You can read more here.
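A defender-side check tied to the file-name trick in finding 3 above, written here as an added example (it is not WatchGuard's code): it flags attachment names that use a comma in place of the period before a document-like extension, or that hide an executable extension behind one. The extension lists and the sample names are constructed assumptions, not values from the report.

```python
import re

# Extensions that run code when a user opens them on a typical Windows host (assumed list).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "ps1", "msi", "lnk",
}
# Extensions a recipient expects to be harmless documents or images (assumed list).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def analyze_attachment_name(name: str) -> list[str]:
    """Return the reasons a file name looks like a disguised executable.

    An empty list means none of the heuristics fired.
    """
    reasons: list[str] = []
    lowered = name.strip().lower()
    # The OS picks the handler from the text after the LAST period; everything
    # before it is only part of the display name, however document-like it looks.
    real_ext = lowered.rsplit(".", 1)[1] if "." in lowered else ""

    # Comma-for-period trick from the Zmutzy finding: "invoice,pdf" reads as a
    # PDF to a person, but a comma is not an extension separator to the OS.
    for token in re.findall(r",\s*([a-z0-9]{2,5})(?=[.\s]|$)", lowered):
        if token in DOCUMENT_EXTENSIONS:
            reasons.append(f"comma used in place of a period before '{token}'")

    # Double-extension trick: "report.pdf.exe" shows as "report.pdf" when the
    # file browser hides known extensions.
    parts = lowered.split(".")
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS and real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"document-like '{parts[-2]}' placed before real extension '{real_ext}'")

    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"real extension '{real_ext}' is executable")
    return reasons


def triage(names: list[str]) -> dict[str, list[str]]:
    """Map each flagged attachment name to its findings; clean names are omitted."""
    findings: dict[str, list[str]] = {}
    for name in names:
        reasons = analyze_attachment_name(name)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample attachment names for a mail-gateway hook (not real samples).
SAMPLE_NAMES = ["Q1_invoice,pdf", "Q1_invoice.pdf", "statement.pdf.exe", "photos.zip"]

if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_NAMES).items():
        print(flagged, "->", "; ".join(why))
```

In a real gateway the same check belongs on the names inside a zip attachment as well, since the finding describes the executable being delivered inside one.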

If there’s one key takeaway from our latest threat analysis, it’s this: Traditional anti-malware solutions alone simply aren’t sufficient for today’s threat environment. Every organization needs to have a layered, proactive security strategy that involves machine learning and behavioral analysis to detect and block new and advanced threats. Remember, to the beast that is the threat landscape, every business is fair game – and the hunt never ends.

About the Author

Corey Nachreiner is the CSO of WatchGuard Technologies. A frontline cybersecurity expert for nearly two decades, Corey regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the Secplicity Community, which provides daily videos and content on the latest security threats, news and best practices. A Certified Information Systems Security Professional (CISSP), Corey enjoys "modding" any technical gizmo he can get his hands on and considers himself a hacker in the old sense of the word.

Corey Nachreiner can be reached at @SecAdept on Twitter, or via https://www.watchguard.com/


Cyber Security Incident Response Plan: How to Proactively Prepare for a Breach

By Joseph Carson, Advisory CISO, ThycoticCentrify

Many organizations are coming to the harsh realization that it’s only a matter of when, not if, they will fall victim to a cyberattack.

These attacks can range from data breaches to ransomware to Distributed Denial of Service (DDoS) attacks and are often a result of malicious actions by cybercriminals or nation-state actors operating from different parts of the globe.

There is no shortage of technology designed to defend against cybercrime, but it will always come down to your organization’s ability to make the right security decisions. Failing to properly train employees on the security measures you have in place can greatly increase the risk of a simple mistake – like clicking a phishing link, for instance – threatening your entire network and infrastructure.

Cyber incident response is a structured technique used to manage an organization’s cybersecurity incidents to limit further damage. Formulating a cyber incident response plan specific to your organization is an investment in its cybersecurity. It should be a permanent item on your breach checklist.


Incident Response Plan

Planning and preparing for a cybersecurity incident is crucial to ensure your response is efficient and organized. A lack of preparation is certain to result in major repercussions should you fall victim to a cyberattack.

Let’s review some steps your organization can take to increase resiliency and response.

1. Ownership and Responsibility – The first step to implementing an incident response plan is to decide who will be responsible for it. Keep in mind who has the appropriate training, what tools and systems are available to handle an incident, and the amount of time that may be required for incident response.

2. Roles and Contacts – There must be clearly specified roles for anyone and everyone who would be involved in incident response regardless of their department or position in the organization. They have to know how a cyber-attack can impact them and what they’re expected to do to mitigate it.

An attack becoming public, for example, can bring a unique set of challenges that your entire organization must be prepared to handle. Your help desk can get overwhelmed with customer calls, which can effectively become a denial of service against the help desk itself, so it’s crucial to understand the capacity and strength of your help desk in the event of an attack.

3. Contacts and Methods of Communication – Typical means of communication – such as email, messaging, or VoIP – may be severed in an attack, so it’s important to have alternative contact details and means of communication on hand at all times. Who needs to be contacted during an incident? What is the priority list of contacts? This list should also be available offline and include system owners and technical responders.

4. The Threat – Clearly define how the incident was identified. Was it internal, external, a system alert, or another method? Who detected it, and how was it reported? Record all the sources and times the attack passed through. At what stage of the incident did the security team get involved?

Document the entire nature of the incident: the type of incident, source, assets and resources affected, location, and extent. Assess the impact on your company based on your system classification data so you can identify the proper security measures to perform next. It’s crucial for each step taken during the incident to be recorded.

5. Identification and Confirmation – If the incident has not yet been confirmed at this point, you must pinpoint the type of incident and verify that it is a real incident.

6. Containment – This involves stopping the attack to avoid any further harm. Once the incident has been identified and confirmed, you must decide whether it is safe to watch and learn from, or whether you have to take more dramatic measures and pull the plug. The indicators of compromise (IoCs) can help indicate the extent of the impacted systems and can be used to update firewalls and network security to record evidence for future forensics. Determine what, if any, sensitive data was stolen and what the potential risk is to your company.

This stage is where you must prepare for potential legal outcomes. Consult with your legal team and review compliance and risks to see if any regulations were impacted. Depending on your country, industry, or the data affected, you may also have to report the incident to appropriate authorities or affected parties such as partners and customers. This is where prepared PR statements are crucial.

7. Eradication – Repair the affected systems to their original state, and compile all the evidence available while maintaining a solid chain of custody. Collect logs, audits, memory dumps, disk images, and network traffic. Digital forensics will be limited without proper evidence compiling, making a follow-up investigation unlikely. Get rid of the security risk so the attacker no longer has access.

8. Recovery – Recovery from the incident is needed to restore system availability, integrity, and confidentiality. Make sure your services have been restored and company operations are back on track. Establish monitoring and continuous detection on the IoCs from the incident.

9. Lessons Learned – Learning from the cybersecurity incident is very important. What went well during the incident, and what could have been done better? Create an Incident Response Report that includes all parts of the company that were impacted by the attack.
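The chain of custody in step 7 and the insistence in step 4 that every action be recorded are easy to state and easy to lose under pressure. The Python example below is added here (it is not from the author or ThycoticCentrify): it hashes each artifact on intake, appends every handling action to a hash-chained custody log, and re-verifies both later. The artifacts, incident id and actor names are constructed placeholders written to a temporary directory.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class EvidenceManifest:
    """Chain-of-custody record for one incident.

    Each artifact is hashed at intake. Custody events are hash-chained: every
    event carries the hash of the previous one, so an altered or removed event
    breaks the chain when it is verified.
    """

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.items = {}    # item_id -> intake record
        self.events = []   # ordered custody events

    def _append_event(self, **fields) -> dict:
        prev = self.events[-1]["event_hash"] if self.events else "0" * 64
        event = {"seq": len(self.events), "time": datetime.now(timezone.utc).isoformat(),
                 "prev_hash": prev, **fields}
        event["event_hash"] = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
        self.events.append(event)
        return event

    def collect(self, item_id: str, path: str, kind: str, collector: str, source: str) -> dict:
        """Register an artifact (log, memory dump, disk image, pcap) at intake."""
        record = {"item_id": item_id, "kind": kind, "source": source, "collector": collector,
                  "path": os.path.abspath(path), "size": os.path.getsize(path),
                  "sha256": sha256_file(path)}
        self.items[item_id] = record
        self._append_event(action="collected", item_id=item_id, actor=collector,
                           sha256=record["sha256"])
        return record

    def transfer(self, item_id: str, from_actor: str, to_actor: str, note: str = "") -> dict:
        """Record a hand-off between people or systems."""
        return self._append_event(action="transferred", item_id=item_id, actor=from_actor,
                                  recipient=to_actor, note=note)

    def verify_item(self, item_id: str) -> bool:
        """Re-hash the artifact and compare with its intake hash."""
        rec = self.items[item_id]
        return sha256_file(rec["path"]) == rec["sha256"]

    def verify_chain(self) -> bool:
        """Recompute every event hash and check each link to its predecessor."""
        prev = "0" * 64
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "event_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev_hash"] != prev or digest != ev["event_hash"]:
                return False
            prev = ev["event_hash"]
        return True


def demo(tamper: bool = False) -> tuple:
    """Collect two constructed artifacts; optionally alter one and forge an event afterwards.

    Returns (item_intact, chain_intact) so the outcome can be checked programmatically.
    """
    with tempfile.TemporaryDirectory() as tmp:
        log_path = os.path.join(tmp, "auth.log")
        pcap_path = os.path.join(tmp, "capture.pcap")
        with open(log_path, "w") as fh:    # constructed sample log line
            fh.write("Jun 01 02:13:44 host sshd[812]: Failed password for root from 203.0.113.7\n")
        with open(pcap_path, "wb") as fh:  # constructed placeholder bytes, not a real capture
            fh.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 64)

        m = EvidenceManifest("INC-PLACEHOLDER-001")
        m.collect("E1", log_path, "log", "analyst.a", "host")
        m.collect("E2", pcap_path, "pcap", "analyst.a", "span-port")
        m.transfer("E1", "analyst.a", "forensics.lab", "sealed bag PLACEHOLDER")
        if tamper:
            with open(log_path, "a") as fh:        # evidence modified after intake
                fh.write("edited after collection\n")
            m.events[1]["actor"] = "someone.else"  # forged custody event
        return m.verify_item("E1"), m.verify_chain()


if __name__ == "__main__":
    print("clean:", demo())          # (True, True)
    print("tampered:", demo(True))   # (False, False)
```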

A Cyber Security Incident Response Plan is Crucial

No organization wants to experience it, but it’s only a matter of time before you become the victim of a cyber-attack. It’s becoming more and more likely with the ever-expanding cybercrime landscape. Having a solid response plan in place could be the difference in reducing risks and minimizing impact to ensure your company can comfortably move forward following a cybersecurity incident.

About the Author

Joseph Carson is a cyber security professional and ethical hacker with more than 25 years' experience in enterprise security specializing in blockchain, endpoint security, network security, application security & virtualization, access controls and privileged account management. Joseph is a Certified Information Systems Security Professional (CISSP), active member of the cyber security community frequently speaking at cyber security conferences globally, often being quoted and contributing to global cyber security publications. He is a cyber security advisor to several governments, critical infrastructure, financial, transportation and maritime industries. Joseph is regularly sharing his knowledge and experience giving workshops on vulnerabilities assessments, patch management best practices, the evolving cyber security perimeter and the EU General Data Protection Regulation. Joseph serves as Chief Security Scientist at Thycotic. Joseph can be reached online at Joseph.Carson@thycotic.com and at our company website https://thycotic.com/.


The Importance of Multi-Factor Authentication and Strong Passwords

Understanding and implementing MFA and strong password protocol.

By Jeff Severino, CyberLock Defense, Lockton Affinity

The importance of multi-factor authentication and password security is critical. Often, it is your best line of defense for protecting all your data, devices and systems from unauthorized access. Unfortunately, many don’t take password security seriously, which makes them especially vulnerable to hackers.

Good password security can help protect you from data breaches, network intrusions, malware and viruses. It can also minimize your risk of the lawsuits, fines and bad publicity that can accompany a data breach.

Here’s what to know about the latest recommended password security best practices, including minimizing your risk from hackers, choosing good passwords and utilizing multi-factor authentication.


Why Passwords Are Important

In today’s world, everyone must take steps to safeguard their data, devices and systems from unauthorized access with strong password security. In some professions, such as banking, law, education and healthcare, you can even face fines and penalties for not doing so.

Passwords are useful for protecting many different types of sensitive and confidential data and computer systems, including:

• Work terminals
• Point-of-sale systems
• Email communications
• Social media accounts
• Ticketing systems
• IT infrastructure
• Mobile devices
• Customer files
• Client documentation
• Vendor systems
• Billing information
• Financial records

Even if it’s not specifically required by your industry’s professional association or local, state or federal law, protecting all your data, devices and systems with the best password protection is just good business. It also ensures you maintain the trust of your clients and customers and avoid unnecessary downtime and liability risk.

How Hackers Can Crack Your Password

Setting a password for all your systems and devices is a good first step to securing your data. But it’s important to realize that even with all your systems protected by passwords, it’s still possible for someone to gain unauthorized access, because things are always changing.

While computer systems have become more advanced, hackers have upped their game as well. You may have noticed that popular websites and services are prompting you to update your password more frequently and requiring you to pick stronger and better passwords when you do. This is because hackers may be able to guess your weak passwords and can use technology to hack even moderately secure passwords.

With new technology, some hackers are able to crack simple passwords of up to 10 characters instantly. Even properly chosen passwords that include numbers, symbols, uppercase and lowercase letters can be cracked in just a few minutes to hours if they are shorter than eight characters long.

Many computer users still choose passwords that are easy to guess and there are now billions of compromised and stolen passwords listed online. Using similar passwords for different websites can also allow a hacker who has gained access to one of your accounts to access other accounts. Plus, a hacker who finds one of your passwords may be able to guess your other ones.

How to Pick a Good Password

Choosing good passwords for all your logins can protect you from getting hacked and minimize the chance of confidential information falling into the wrong hands. Here are the best practices to follow:

• Choose a strong password. Strong passwords combine uppercase and lowercase letters and numbers and are at least 8 characters long. Always avoid using nicknames, birthdays or ordinary words in the dictionary.
• Keep your passwords confidential. Avoid sharing passwords with anyone else. If multiple employees need to use the same terminal or system, make sure everyone has their own individual login and password credentials.
• Avoid reusing old passwords. Use a new password every time you’re prompted, since compromised passwords will always be vulnerable. Facebook CEO Mark Zuckerberg found this out when he was hacked due to reusing an old password.
• Pick a unique password for everything. Differentiating your passwords for each account ensures a hacker can’t access all your accounts with one login. This keeps small hacks from turning into major ones.
• Keep track of all your passwords. The average person now has to juggle about 100 passwords. Keep track by writing them down on a piece of paper stored in a secure location or consider using a password manager.
• Use a password manager. With a browser or cloud-based password manager, there is a master password that secures all your logins. To log in to your accounts, you only need to remember the master password.
• Check for compromised passwords. It’s possible to research whether one of your passwords has been compromised and should be updated. Check Google Password Checkup or Mozilla Firefox Monitor to see if your login has been compromised.
• Set up password reset options. To avoid losing access to your accounts, set up password reset options with memorable security question answers and a backup email or phone number on file.
• Turn on multi-factor authentication. By requiring a verification code be sent to your phone or email, multi-factor authentication can keep a hacker from being able to log into your account even if they do get ahold of your password.
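A compromised-password check of the kind the list recommends can be done without the checking service ever receiving the password: the client hashes the password, sends only the first five hex characters of the hash, receives every known hash suffix under that prefix, and matches locally (a k-anonymity range query). The Python example below is added here and is not the author's nor either named service's code; the breach corpus is constructed inline and the range lookup is simulated in-process, alongside the length and character-class rules from the list above.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password; SHA-1 serves only as a lookup key here."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachCorpus:
    """Constructed stand-in for a breached-password lookup service.

    Real services index billions of leaked hashes by 5-character prefix;
    this one indexes a handful of constructed entries the same way.
    """

    def __init__(self, leaked: dict):
        self._by_prefix = defaultdict(dict)
        for pw, count in leaked.items():
            h = sha1_hex(pw)
            self._by_prefix[h[:5]][h[5:]] = count

    def range_query(self, prefix: str) -> list:
        """Server side: return 'SUFFIX:COUNT' lines for one 5-character prefix.

        The server learns the prefix only, never which suffix the client wanted.
        """
        if len(prefix) != 5:
            raise ValueError("prefix must be exactly 5 hex characters")
        return [f"{suffix}:{count}" for suffix, count in sorted(self._by_prefix[prefix].items())]


def pwned_count(password: str, corpus: BreachCorpus) -> int:
    """Client side: send the prefix, match the suffix locally, return the breach count (0 if clean)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in corpus.range_query(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_policy(password: str, corpus: BreachCorpus, min_length: int = 8) -> list:
    """Apply the article's rules plus the breach check; return a list of failure reasons."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        reasons.append("missing mixed case")
    if not any(c.isdigit() for c in password):
        reasons.append("missing a digit")
    hits = pwned_count(password, corpus)
    if hits:
        reasons.append(f"seen in {hits} breach records")
    return reasons


# Constructed leaked-password counts standing in for a real breach corpus.
CORPUS = BreachCorpus({"password": 9_000_000, "Passw0rd": 120_000, "letmein": 500_000})

if __name__ == "__main__":
    for candidate in ["Passw0rd", "Tr0ub4dor&3", "short1A"]:
        print(candidate, "->", check_policy(candidate, CORPUS) or ["ok"])
```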



The Importance of Multi-Factor Authentication

Many experts now highlight the importance of multi-factor authentication (MFA) or two-factor authentication (2FA) to help avoid unauthorized access to your accounts and systems.

Multi-factor authentication works by requiring something else from you besides your login and password to access your account. This could be a PIN, security question answers, or a temporary security code emailed or texted to you. Some high-security MFA systems even work with badges, USB key fobs, or fingerprints and other biometric data. The idea is to provide two or more levels of security so that only you can access your data.

Multi-factor authentication usually doesn’t require verification for every login, only those where you are logging on from an unfamiliar device, a home or public internet connection or during off hours. It’s easy to set up and turn on MFA or 2FA features on common apps such as Gmail, Office and Facebook. Other systems may have the tool enabled by default. With this feature, even a hacker who has stolen your password needs additional access to your email account, text messages or even biometric data to gain access to your account.

How to Better Protect Yourself

With good password security you can minimize your risk from hackers, protecting your data, devices and systems from unauthorized access. But even a great password can’t prevent all cyber-attacks. You can take your security to the next level with cyber liability insurance from CyberLock Defense.

About the Author

CyberLock Defense from Lockton Affinity provides industry-leading cyber liability insurance that offers full limits of cybercrime (cyber theft), social engineering, fraudulent funds transfer and more. With more than 35 industry groups eligible, including professional services, health care, retail, financial services and more, this comprehensive coverage helps protect your business against the costs associated with a cyber attack at affordable rates.

Those interested in coverage can visit CyberLockDefense.com or contact CyberLock Defense practice leader Jeff Severino at 913-652-7520 or JSeverino@locktonaffinity.com.


Time to Act: How Real-Time Analytics Can Help Stop the Cyber Kill Chain

Access to Real-Time Contextualized Information through In-Memory Computing Can Help Security Teams Spot Evolving Threats Before It’s Too Late

By Dr. William Bain, CEO and Founder of ScaleOut Software

In cybersecurity, timing is everything. Whether an attacker is looking for a misconfiguration or zero-day to exploit and extract crown jewel data, organizations must scramble to address vulnerabilities and counter attacks before it’s too late. Cybersecurity teams manage sprawling systems which generate volumes of alerts and data for analysis, but security information and event management (SIEM) software often uses tools that don’t speak well to each other, and much of the data needs to be examined offline after the fact. These challenges make it difficult to spot issues in the moment and to know when and where to act.

SIEM solutions typically log activities and enable security practitioners to create and apply rulesets that extract information for alerting within their organizations. Using dashboards that show managers raw telemetry by region or events recorded over time, they help identify possible intrusions and kill chain activity that could lead to the injection of malware or other threats. However, delayed forensic analysis of logs and the display of large volumes of aggregated telemetry makes it difficult to mitigate emerging threats as they occur. While SIEM solutions do a good job of monitoring across attack vectors, they fall short in spotting trends in the moment and providing real-time communication throughout a cyber kill chain.


Real-Time Analytics Boost In-the-Moment Decision Making

With time of the essence, how can we enhance current techniques and obtain insights fast enough to interrupt cyberattacks? How can we provide deeper introspection in real time on incoming telemetry to enable fast, effective action while reducing the likelihood of false positives?

A new software technique for streaming analytics called “real-time digital twins” (RTDTs) may be the answer to this problem. This technique moves the focus from just examining patterns within data streams to monitoring the dynamic behavior of data sources, such as nodes within a large network infrastructure. For each data source, a separate RTDT software component incorporates evolving information that helps analyze incoming messages and update a dynamic assessment of the data source’s condition. This approach yields a significantly deeper understanding and better, faster decision-making on whether to take action to block a threat, which cannot be achieved by just looking at data within an incoming message stream. As a result, RTDTs have the potential to rapidly accelerate the execution of SIEM algorithms in detecting malicious attacks, correlating events, and possibly intervening in time to halt an attack without reacting to false positives.

The power of RTDTs is made possible by in-memory computing techniques, which can ingest, store and analyze large volumes of incoming data within milliseconds. This technology creates new opportunities for SIEM software. Instead of just storing incoming events, an in-memory computing platform can correlate and analyze them by data source as they arrive. This could enable SIEM software to maintain a real-time threat assessment for each network entry point or node that sends events to the system for analysis. Instead of requiring security analysts to analyze logged events to build a picture of an evolving attack, they could use RTDTs to continuously analyze telemetry from every data source within the network infrastructure, and they could visualize the results of this analysis in real time.

Mapping and Improving Communication Across the Network

Using RTDTs, organizations could integrate event tracking in memory with associated contextual information into existing SIEM solutions and react to potential threats in milliseconds. Many SIEM solutions maintain agents that are distributed throughout an organization’s networks to report suspicious events that might signal a threat. Instead of just adding these events to a dashboard and logging them for offline analysis, they also could track them using RTDTs. Each RTDT could immediately run a machine-learning algorithm to classify activities, eliminate false positives, and signal alerts to security managers, engineers, CISOs or other key stakeholders when threats or lateral movement risks are predicted.

Beyond that, RTDTs could communicate with each other to help isolate an evolving threat. For example, when an event includes information indicating a connection and possible threat to another network node, an RTDT could message the target node’s RTDT to improve its threat assessment algorithm in spotting suspicious behavior and interrupting kill chains. Sending messages between RTDTs to track the progression of an intruder within a network could enable the system to build a real-time map of potential kill chains and possibly get ahead of an assailant to block threats.
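To make the per-source model in this section concrete, here is an added Python sketch (not ScaleOut's product or API) of the pattern described: one in-memory twin per network node keeps its own state and threat score, scores each incoming event against that state, and forwards a hint to the target node's twin whenever an event indicates a connection to it, so the fabric accumulates a map of suspicious hops. The events, scoring rules and thresholds are all constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

ALERT_THRESHOLD = 8.0   # constructed: score at which a twin raises an alert
SUSPICIOUS = 5.0        # constructed: score at which a twin is considered suspicious


@dataclass
class Event:
    """One telemetry message from an agent; fields are constructed for the example."""
    time: int
    source: str
    kind: str          # e.g. "auth_fail", "auth_ok", "smb_connect", "new_service"
    target: str = ""   # set when the event describes a connection to another node


@dataclass
class NodeTwin:
    """Real-time digital twin of one node: its evolving state plus the rules that update it."""
    node: str
    score: float = 0.0
    counts: Counter = field(default_factory=Counter)
    inbound_hints: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def ingest(self, ev: Event, fabric: "TwinFabric") -> None:
        """Update this twin's assessment from one event; message other twins when relevant."""
        prev = self.score
        self.counts[ev.kind] += 1
        # Constructed rule set: failures raise suspicion slowly; a success after a burst of
        # failures is a strong signal; so is a new service appearing on a node that was just
        # contacted by a peer whose own twin already rated it suspicious.
        if ev.kind == "auth_fail":
            self.score += 1.0
        elif ev.kind == "auth_ok" and self.counts["auth_fail"] >= 5:
            self.score += 5.0
        elif ev.kind == "new_service" and self.inbound_hints:
            self.score += 7.0
        elif ev.kind == "smb_connect" and ev.target:
            # Context travels with the event: tell the target's twin how suspicious
            # the connecting node already is, so it can weight its own analysis.
            fabric.send_hint(ev.target, sender=self.node, sender_score=self.score, time=ev.time)
            if self.score >= SUSPICIOUS:
                self.score += 2.0
        self.score *= 0.98   # mild decay keeps old noise from accumulating
        if prev < ALERT_THRESHOLD <= self.score:   # alert on the rising edge only
            self.alerts.append({"time": ev.time, "node": self.node, "score": round(self.score, 2)})

    def receive_hint(self, sender: str, sender_score: float, time: int) -> None:
        """Another twin reports a connection from a node it rates suspicious."""
        if sender_score >= SUSPICIOUS:
            self.inbound_hints.append({"from": sender, "score": round(sender_score, 2), "time": time})
            self.score += 2.0


class TwinFabric:
    """In-memory registry of twins; routes twin-to-twin messages and keeps the kill-chain map."""

    def __init__(self):
        self.twins = {}
        self.edges = defaultdict(list)   # suspicious connections: source node -> [target nodes]

    def twin(self, node: str) -> NodeTwin:
        return self.twins.setdefault(node, NodeTwin(node))

    def send_hint(self, target: str, sender: str, sender_score: float, time: int) -> None:
        if sender_score >= SUSPICIOUS:
            self.edges[sender].append(target)
        self.twin(target).receive_hint(sender, sender_score, time)

    def process(self, events) -> None:
        for ev in sorted(events, key=lambda e: e.time):
            self.twin(ev.source).ingest(ev, self)

    def alerts(self) -> list:
        return sorted((a for t in self.twins.values() for a in t.alerts), key=lambda a: a["time"])


# Constructed telemetry: a password spray on ws1, then a success, an SMB connection to srv2,
# a new service on srv2, and an unrelated single failure on ws3.
SAMPLE_EVENTS = [Event(t, "ws1", "auth_fail") for t in range(1, 8)] + [
    Event(8, "ws1", "auth_ok"),
    Event(9, "ws1", "smb_connect", target="srv2"),
    Event(10, "srv2", "new_service"),
    Event(11, "ws3", "auth_fail"),
]


def run_demo(events=SAMPLE_EVENTS) -> TwinFabric:
    fabric = TwinFabric()
    fabric.process(events)
    return fabric


if __name__ == "__main__":
    f = run_demo()
    for alert in f.alerts():
        print(alert)
    print("suspicious connections:", dict(f.edges))
```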



Strengthening Security and Time to Action

By harnessing new approaches for real-time analytics, as made possible with in-memory computing hosting real-time digital twins, cybersecurity teams can make use of new technology for monitoring and intercepting active threats. This technology can also strengthen current industry tools, such as SIEM software, to improve communication and context sharing throughout networks. Now organizations have a new weapon for moving from post-attack analysis to identifying an attack in the moment and stopping it from happening at all.

About the Author

Dr. William L. Bain is the founder and CEO of ScaleOut Software, a leader in developing software products to enhance operational intelligence within live systems. Over a 40-year career focused on parallel computing, Bill has contributed to advancements at Bell Labs Research, Intel, and Microsoft, and holds several patents in computer architecture and distributed computing. He earned his Ph.D. in electrical engineering from Rice University. Bill can be reached through email, LinkedIn and the ScaleOut Software Website.


Combatting Industry Burnout by Building Resilient Security Teams

By Rick McElroy, Principal Cybersecurity Strategist, VMware

We have reached a pivotal point in the history of cybersecurity. Catalyzed by the shift to an anywhere-work environment during COVID-19, attack surfaces expanded and cybercriminals became more sophisticated, creating looming threats for security teams. As a result, stress and burnout within the security industry are rising in lockstep. Defenders are stretched thin countering complex attacks, gaining visibility into new environments and constantly being on alert.

Expanding threat landscape increases stress for defenders

Following the rush to the cloud amid the pandemic, cybercriminals have continued to exploit these environments to deliver integrity and destructive attacks, leading to a spike in incident response engagements and alerts. According to VMware’s recent Global Incident Response Threat Report, nearly half of security professionals said that more than one-third of attacks were targeted at cloud workloads and nearly half targeted victims via island hopping.

The shift to an anywhere-work environment also resulted in adversaries increasingly leveraging business communication platforms such as Microsoft Teams, Skype, Slack and Google Chat to move around a given environment and launch sophisticated attacks. Our research found that 32 percent of cybersecurity professionals observed attackers using business communication platforms to facilitate lateral movement. These business communication platforms are the perfect delivery mechanism for attacks because organizations and users implicitly trust them and they operate in a known environment.

As the work environment evolves digitally, it creates more vulnerabilities in the threat landscape, leaving enterprises more susceptible to attacks and putting increased pressure on security teams.

Combating burnout on security teams

Recently, the Information Systems Security Association found that the cybersecurity skills crisis has not only continued, but worsened over the past five years. With cybersecurity skills already in short supply, the prospect of losing additional workforce is troubling, especially in the context of the Great Resignation. Despite their best efforts, defenders are struggling to counter the growing attacks and gain visibility into new environments, such as the cloud, containers, and business communication applications.

This level of stress is impacting their well-being, which carries significant implications for the industry. Over the past 12 months, 51 percent of security professionals experienced extreme stress or burnout, and 65 percent said they have considered leaving their job because of it. To help decrease the mounting pressure security professionals face, business leaders must prioritize building resilient teams and creating a supportive work environment.

Here are six best practices leaders can implement:

• Consider rotations of work. It is essential that teams feel like they are developing and progressing professionally, and they may not be able to do that after being in the same high-stress environment year after year. This will not only allow for new perspectives and generate creative ideas, but it will also give people room to recharge.
• Empower individuals to take mental health days. An “always on” mentality is not only dangerous to the people involved, but can lead to poor and reactive decision making. Forcing people to interact with others under already stressful conditions is a recipe for disaster. Allow teams space to work and empower them to know when they need to step away.
• Encourage non-standard activities like meetings outside, walking meetings, and mindfulness training. Mindfulness training is designed to help people deal with stress, so encourage teams to take classes and take periodic breaks to reset their mind and come back refreshed.
• Invest in solutions that empower defenders to detect and stop attacks. Legacy security systems are no longer sufficient for protecting against the sophisticated cyberattacks of today. What’s more, these systems require a good amount of manual work and analysis by security teams. Look to invest in tools that automate time-consuming, manual processes and ones that empower defenders to implement security stacks built for a cloud-first world. When a new tool is introduced, give teams time to adjust to the technology before deploying another new tool.
• Schedule 1-on-1s that are focused on employees. 1-on-1s are a great way to connect with team members; however, they must be used correctly. Instead of discussing a specific project, use the time to honestly check in with team members. Let them set the agenda and allow them to speak about what they need.
• Give defenders a real break after a high stress event. Breaches and compromises can be extremely stressful on teams, especially when incidents last multiple days. Teams are rarely given time off after these incidents, which ultimately leads to burnout and unhappy team members.

The anywhere-work environment is here to stay, so leaders need to devise a roadmap to proactively protect the well-being of their security teams. That should start with arming security professionals with the tools and resources needed to do their job while maintaining a healthy mindset.


About the Author

Rick McElroy is a Principal Cybersecurity Strategist at VMware. He has 24 years of information security experience educating and advising organizations on reducing their risk posture and tackling tough security challenges. Previously, he held security positions with the U.S. Department of Defense, and in several industries including retail, insurance, entertainment, cloud computing, and higher education. Rick can be reached online at @InfoSecRick and at our company website.


Considering Collateral Intrusion in Digital Forensics

Achieving A Balance Between Public Protection and Public Privacy

By Alan McConnell, Forensic Advisor, Cyan

The importance of digital evidence contained on the personal devices of suspects, victims, and witnesses in assisting Law Enforcement investigate serious crime cannot be overstated. However, never has the public’s awareness of their right to protect personal data on their devices (such as tablets, laptops, and smartphones) been as strong as it is today.

While there appears to be a general acceptance of the need for Law Enforcement to obtain digital evidence from personal devices, the recent publication of reports such as “Digital stop and search: how the UK police can secretly download everything from your mobile phone” by Privacy International¹, as well as several high-profile news stories questioning the technology Law Enforcement agencies use to obtain digital evidence, have brought the issues involved to mainstream attention.

Digital evidence

In the not-too-distant past, the recovery of digital evidence was the realm of specialist Cybercrime units, investigating cyber dependent crimes such as attacks on computer systems and infrastructure, or cyber enabled crimes where computers were used in the commission of ‘traditional’ crimes.


The proliferation of home computing and mobile digital devices has meant that important digital evidence now potentially exists for most criminal cases. In fact, one senior police manager reporting to the House of Lords Science and Technology Select Committee in 2019² stated that digital evidence now plays a role in 90% of criminal cases.

Such is the volume of potentially relevant digital evidence in criminal cases today, there is a real risk that it could overwhelm Police Forces and the judiciary. To mitigate this risk, many Police Forces have, or are planning to, roll out digital triage capabilities to front-line officers to help quickly identify those devices that are likely to contain pertinent evidential data and rule out those that do not, reducing the number of devices seized for full forensics examination and the volume of data that must be examined.

This move from individuals’ digital devices only being examined by highly trained expert digital forensic analysts, to potentially being routinely examined for evidence by a much larger group of less experienced Officers, understandably raises concerns around the preservation of private data.

Data privacy

There are few areas of today’s life that do not involve the use of a home computer, mobile phone, or

tablet. From taking and storing our holiday photos, work communications and internet banking, to private

communications with family and loved ones, our digital devices are at the very centre of our private lives.

These devices are an ever-increasing repository for our personal and sensitive information. A cursory

look at my own browsing history, communications, geo-location data and biometric information would

piece together to give a surprisingly deep and accurate insight into my social life, state of mind and

physical health (thanks for telling me to stand up every hour Apple!).

The data held on my devices is just that: my data. As such, I have every right to expect that my data will

not be viewed or used by anyone else without my consent. As a former Police Detective and Digital

Forensic Analyst, however, I am acutely aware that the ever-increasing scope of digital forensic

capabilities available to Law Enforcement is of immense value when it comes to detecting crimes,

securing convictions, and identifying victims. Herein lies the problem.

Collateral intrusion

Traditional techniques for the recovery of digital evidence have generally been rather indiscriminate in what data they obtain from a device. Standard practice is to take a full forensic image of a computer’s hard drive or external storage device, or to extract the full contents of a mobile phone, and only then search that data for evidence pertinent to the investigation. Searching through a large volume of data to find a small amount of digital evidence inevitably leads to collateral intrusion: the unintentional gathering and viewing of a person’s private data that is not pertinent to the investigation, alongside the data that is.

Collateral intrusion in the context of examining a digital device for evidential data can occur in many ways, but examples include:

• Viewing a suspect’s non-pertinent personal photos while looking for images of Child Sexual Abuse

• Reading communications data outside of the timeframe relevant to the offence being investigated

• Viewing data on a device that infringes on the privacy of persons not subject to the investigation, e.g., acquaintances of the suspect who may appear in photographs

Selective extraction, whereby Law Enforcement collects from a device only the data that is strictly relevant to the case in question, is one approach and potential solution to collateral intrusion. It is favoured in particular where concerns have been raised that having their entire phone examined after a serious sexual assault is a disproportionate and unnecessary invasion of victims’ and survivors’ privacy. The challenge, therefore, is to strike a balance between the benefits that digital evidence brings and the new ethical dilemmas created by the techniques used to recover it.

A collaborative approach

These concerns are understood by the Digital Forensic community, and in a commentary submitted to the Forensic Science International journal in 2020 [3] a number of updates to the ACPO Good Practice Guide for Digital Evidence [4] were proposed, among which was: “All justifiable measures must be taken to limit both collateral intrusion and disruption caused by their investigation.”

The issue of collateral intrusion has also been recognised by UK Policing, and earlier this year the College of Policing issued new ‘Authorised Professional Practice’ guidance on the extraction of material from digital devices [5].

The examination of a person’s devices for digital evidence will likely always involve an element of unavoidable collateral intrusion. Law Enforcement will continue to take measures to minimise this with more stringent processes and guidance, but there is also a need for the creators of digital forensic tools to assist by developing tools, in direct collaboration with Law Enforcement, that help reduce potential collateral intrusion by allowing focused targeting and extraction of investigation-relevant digital evidence only.

A balance can be found between protecting the public by helping identify digital evidence to ensure

dangerous offenders are identified and prosecuted, and protecting the public’s right to privacy by helping

ensure that the recovery of this digital evidence does not compromise a person’s private data.

By working closely with Law Enforcement, tools need to be developed which give front-line Officers the

ability to examine digital devices very quickly, and on-site, for known illegal content while completely

protecting the owner’s privacy by only exposing the investigator to case-relevant data.
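Selective extraction and on-site triage, as described above, can be sketched in code. The following is an added example, not code from the article or from Cyan: it filters a device’s messages to the case’s time window and compares files by SHA-256 against a reference set of known illegal content, so that only in-window messages and matching file paths are exposed to the investigator, with an audit count of what was scanned but withheld. The sample messages, files and the “known” hash are constructed stand-ins, and the idea of a hash reference set supplied by Law Enforcement is an assumption.

```python
"""Scoped triage of a device export.

Added example, not code from the article or from Cyan. Two exposure
limits are enforced: only communications inside the case's time window
are surfaced, and files are compared by SHA-256 against a reference set
of known illegal content so that only matching paths, never the content
of other files, reach the investigator. All sample data is constructed;
the "known" hash stands in for a reference set that Law Enforcement
would supply (assumption).
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass(frozen=True)
class Message:
    sender: str
    sent_at: datetime  # timezone-aware
    body: str


@dataclass(frozen=True)
class StoredFile:
    path: str
    content: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def messages_in_window(messages: List[Message], start: datetime, end: datetime) -> List[Message]:
    """Keep only messages inside [start, end]; nothing else is surfaced."""
    return [m for m in messages if start <= m.sent_at <= end]


def match_known_content(files: List[StoredFile], known_hashes: Set[str]) -> List[str]:
    """Return the paths whose content hash is in the reference set.

    Every file is hashed, but the investigator only ever sees the paths
    that matched; the content of non-matching files is never displayed.
    """
    return [f.path for f in files if sha256_hex(f.content) in known_hashes]


def triage_report(messages: List[Message], files: List[StoredFile],
                  start: datetime, end: datetime, known_hashes: Set[str]) -> Dict:
    """What the investigator may see, plus an audit trail counting what was
    scanned but withheld (useful when justifying proportionality)."""
    in_scope = messages_in_window(messages, start, end)
    hits = match_known_content(files, known_hashes)
    return {
        "messages_exposed": [(m.sender, m.sent_at.isoformat(), m.body) for m in in_scope],
        "files_flagged": hits,
        "audit": {
            "messages_scanned": len(messages),
            "messages_withheld": len(messages) - len(in_scope),
            "files_scanned": len(files),
            "files_withheld": len(files) - len(hits),
        },
    }


def demo() -> Dict:
    """Run the triage over constructed sample data."""
    utc = timezone.utc
    messages = [
        Message("alice", datetime(2021, 3, 10, 9, 0, tzinfo=utc), "lunch on friday?"),
        Message("bob", datetime(2021, 3, 14, 22, 15, tzinfo=utc), "meet me at the car park at 11"),
        Message("carol", datetime(2021, 3, 20, 8, 30, tzinfo=utc), "happy birthday!"),
    ]
    files = [
        StoredFile("DCIM/IMG_0001.jpg", b"family holiday photo (constructed)"),
        StoredFile("DCIM/IMG_0002.jpg", b"known-bad placeholder (constructed)"),
        StoredFile("Documents/payslip.pdf", b"payslip (constructed)"),
    ]
    # Stand-in for a Law Enforcement supplied reference set (assumption).
    known_hashes = {sha256_hex(b"known-bad placeholder (constructed)")}
    # Case scope: the 48 hours around the alleged offence (constructed).
    start = datetime(2021, 3, 13, 0, 0, tzinfo=utc)
    end = datetime(2021, 3, 15, 0, 0, tzinfo=utc)
    return triage_report(messages, files, start, end, known_hashes)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Hash matching is only as good as the reference set, and a re-encoded or cropped copy of a known file will not match by plain SHA-256; the point of the example is the exposure boundary, not the matching algorithm. The audit counters are what a reviewing officer or court would want alongside the flagged results.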

[1] https://privacyinternational.org/report/1699/digital-stop-and-search-how-uk-police-can-secretlydownload-everything-your-mobile

[2] https://publications.parliament.uk/pa/ld201719/ldselect/ldsctech/333/33302.htm

[3] “ACPO principles for digital evidence: Time for an update?”, Forensic Science International: Reports, Volume 2, December 2020

[4] ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011), Association of Chief Police Officers of England, Wales & Northern Ireland

[5] https://www.app.college.police.uk/app-content/extraction-of-material-from-digital-devices/

About the Author

Alan McConnell is Forensic Advisor at Cyan. He is an

experienced Digital Forensic Analyst with 12 years Law

Enforcement experience of conducting forensic and

criminal investigations and presenting evidence in court,

having served as a Detective and Digital Forensic Analyst

for Police Scotland before joining Cyan in 2019. Alan can

be reached on Cyan’s twitter @cyanforensics and at our

company website https://cyanforensics.com/

Keeping Health Records Safe from Cyber Criminals

By Dexter Caffey, Founder and CEO, Smart Eye Technology

The healthcare industry is currently one of the most lucrative targets for hackers. A recent report by a

mobile security company shows that many digital health platforms have vulnerabilities that allow criminals

to access medical health records, personal information, and even credit card and billing information.

Cyber-thieves then use all this data at their disposal to commit financial/insurance fraud and identity theft.

Healthcare organizations are usually subject to stringent compliance regulations since they store great amounts of sensitive data. However, that data can still be exposed when it is stored using cloud technologies, for example through misconfigured storage or poorly protected accounts. A 2018 report shows that up to 84% of healthcare organizations store data in the cloud, which means that avenue of attack applies to most medical facilities.

Though some medical facilities choose to store data on more secure private networks, there are reports which illustrate that these networks can also be breached. Hackers can obtain employee logins by sending employees phishing emails that carry malicious attachments or links to fake login pages. When employees key in their login information, the criminals receive a copy and use it to steal more data, even from secure networks.

Why Healthcare Records Are Valuable

The reason this is such a lucrative industry? Cyber criminals can opt to sell stolen medical records for

hefty prices.

This has led to a demand for medical information on the dark web. Provider data is sold for up to $500

per listing, which is then used for fake insurance claims and prescriptions. Health insurance logins, sold

at an average of $3.25, may be used to obtain medical services allocated for other patients.

The website PrivacyAffairs.com launched a project called the Dark Web Price Index that provides

hundreds of examples of data being sold and reported the prices. Aside from medical information and

health insurance records, other data being sold include online banking logins sold at an average of $40,

full credit card details ranging from $14-$30, and copies of ID cards.

Hackers can obtain copies of passports when they are part of a health organization’s data system. A

forged U.S. passport can be sold for $4,000 while other types of government IDs are sold from $400-

$500. These are used to help criminals pretend to be US citizens or to be of other nationalities, further

enabling identity thieves.

How Medical Records Are Hacked

Another common form of cyber-attack is ransomware, a type of malware that makes data inaccessible to its owner. A ransomware attack typically begins by targeting an employee through phishing: an email, disguised as legitimate, that is crafted to steal the employee’s login or to deliver the malware.

These logins are then used to breach a secure data network so that all records can be encrypted by the ransomware, making them inaccessible. The hackers then demand compensation (a “ransom”) in exchange for restoring access to the data and, increasingly, for not releasing the copies they have taken. If the medical facility refuses to pay, the information is then sold on the dark web.

The best way to deal with the situation is not to negotiate but instead call the police.

Protecting Health Records from Attacks

In most cases, users don’t know that their computer or network has been infected by ransomware until

they find that they can no longer access their data. There is little that can be done once this happens.

To avoid reaching this point, healthcare organizations should invest in data protection and safeguard

their networks from possible attacks.

To start, the FBI provides guidelines for organizations to protect themselves from ransomware attacks.

Since most attacks start by phishing information from users, the FBI warns all healthcare employees to

be careful about applications they download or links that they click on while working. The FBI also reminds

organizations to keep all operating systems, software, and applications up-to-date. All computers should

also have anti-virus and anti-malware solutions set to automatically update and run regular scans.

Data should be regularly backed up, and checkpoints should be established to ensure that backups are

completed. Backed-up data should then be further secured, stored independently, and should be kept

out of access from other computers or networks.

A continuity plan should also be in place in case an organization becomes the victim of a ransomware

attack, to ensure that a medical facility can continue providing key healthcare functions if health records

happen to become inaccessible.
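One concrete form of the backup checkpoint described above, as an added example that is not the article’s or Smart Eye Technology’s code: a manifest of SHA-256 digests is written when a backup completes, and later verification reports files that are missing, changed or unexpected, which is what a ransomware hit on the backup itself looks like. The backup files, the simulated tampering and the location of the manifest are constructed; in practice the manifest would sit on separate, offline media so that an attacker who encrypts the backup cannot also rewrite it.

```python
"""Backup completion and integrity checkpoint.

Added example, not from the article or Smart Eye Technology. A manifest
of SHA-256 digests is recorded when the backup completes; verifying the
backup against that manifest later shows whether every file is present
and unchanged. The manifest must live on separate media (assumption:
a sibling directory stands in for it here) so that ransomware encrypting
the backup cannot also rewrite the manifest. All files are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(backup_dir: Path) -> Dict[str, str]:
    """Map every file under backup_dir (relative POSIX path) to its digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def write_manifest(backup_dir: Path, manifest_path: Path) -> Dict[str, str]:
    """Checkpoint: record what a completed backup looked like."""
    manifest = snapshot(backup_dir)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_dir: Path, manifest_path: Path) -> Dict:
    """Compare the backup on disk against the manifest it was checkpointed with."""
    expected = json.loads(manifest_path.read_text())
    actual = snapshot(backup_dir)
    missing = sorted(set(expected) - set(actual))
    unexpected = sorted(set(actual) - set(expected))
    changed = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {
        "ok": not (missing or unexpected or changed),
        "missing": missing,
        "unexpected": unexpected,
        "changed": changed,
        "files_checked": len(expected),
    }


def demo() -> Tuple[Dict, Dict]:
    """Write a small constructed backup, checkpoint it, verify it, then
    simulate a ransomware hit on the backup and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backup = root / "backup"
        (backup / "notes").mkdir(parents=True)
        (backup / "patients.db").write_bytes(b"constructed patient records")
        (backup / "notes" / "2021-09-01.txt").write_text("constructed clinical note")
        # Manifest kept outside the backup tree (stand-in for offline media).
        manifest = root / "offline_media" / "manifest.json"
        manifest.parent.mkdir()
        write_manifest(backup, manifest)
        clean = verify_backup(backup, manifest)

        # Simulated ransomware: records overwritten with ciphertext, ransom note dropped.
        (backup / "patients.db").write_bytes(b"\x00\x17encrypted-garbage")
        (backup / "README_RESTORE.txt").write_text("pay to decrypt")
        tampered = verify_backup(backup, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup ok:", before["ok"])
    print("after tampering:", after)
```

A verification that passes proves the copy is complete and intact; it does not prove it can be restored, so the continuity plan still needs a periodic restore test onto an isolated host.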

Moving Forward with Tech in Healthcare

The digitalization of medical information has introduced technologies that enable medical facilities to store

and update patient records in real-time, a big leap from the slow process of manual filing. However, these

new technologies also give rise to new vulnerabilities.

Healthcare organizations and medical facilities need to adopt not just the latest record-keeping tools but

also the best security systems to protect their data, making their digitization holistic.

Cybercriminals are constantly on the lookout for their next victims. Medical facilities should remain vigilant

to ensure that they can provide the best protection possible for their patients.

About the Author

Dexter Caffey, Founder and CEO of Smart Eye Technology.

Dexter Caffey founded Smart Eye Technology in January 2018.

Prior to his tech startup, Mr. Caffey founded an alternative investment

firm, Caffey Investment Group, in 1998 at the age of 25.

While on a business trip to Israel in the fall of 2017, Mr. Caffey attended

a cybersecurity conference. As he chatted with another conference

attendee who was a cybersecurity expert, he happened to glance at

the man’s laptop screen and saw open word documents and PDF files.

“Why should I be able to see any document on this guy’s laptop?”

He asked himself “what if I could create an app that prevented anyone else from seeing what’s on my

screen? An app that would look at their face and say, ‘Nope, I only recognize Dexter’s face. We’re

blocking you out.’” The idea and pursuit of a new type of technology to help protect the privacy of

confidential information was born.

Dexter can be reached online at LinkedIn and at our company website https://smarteyetechnology.com/

Why Your Hospital Network Needs an IoT Security Policy

By Marc Laliberte, Technical Security Operations Manager, WatchGuard Technologies

The Internet of Things (IoT) industry has had a security problem since its inception. From the Mirai botnet that disrupted internet goliaths like Netflix, Twitter, and Reddit in 2016 to the recent Verkada security camera breaches that impacted tech giants Tesla and Cloudflare, IoT weaknesses continue to be a popular tool in the cybercriminal arsenal despite constant warnings from security professionals. While these high-profile breaches draw attention to traditional IoT devices and their security concerns, other classes of IoT continue to skyrocket in adoption despite having just as serious security concerns and potentially even more disastrous results in the event of a breach. IoT in the healthcare industry is a perfect example of this trend. Industry experts place healthcare IoT adoption on track for a massive 25.9% compound annual growth rate (CAGR) through 2028, primarily because of the massive benefit network-connected sensors and data sharing provide. But that benefit comes at the cost of an increased attack surface for threat actors.

The medical industry faces a unique concern in that technical issues can manifest as actual life-and-death scenarios. Additionally, healthcare delivery organizations (HDOs) like hospitals and clinics often rely on expensive, highly customized applications and devices that they are then hesitant to patch and update for fear of breaking something and being left without their critical tools. Where traditional IoT typically ships as custom software running on a several-year-old flavor of Linux, medical IoT devices are often built on archaic versions of Microsoft Windows and Windows Server. In fact, last year researchers found 45% of medical devices were vulnerable to the critical BlueKeep Windows exploit, which Microsoft considered serious enough to release legacy patches for out-of-support versions of its operating system.

IoT security concerns boil down to three main issues: 1) a lack of security considerations during manufacturing, 2) a lack of knowledge and visibility for those that deploy IoT, and 3) a lack of device update management after deployment. The first issue, security considerations during manufacturing, exists largely because most IoT consumers demand, first and foremost, devices that are inexpensive. When the only concerns are that the device is cheap and that it technically works, manufacturers lack incentive to spend resources improving the security of their products. This leads to devices with weak hard-coded passwords, outdated software, and operating systems lacking even basic hardening protections. The 2016 Mirai botnet flourished not by exploiting some sophisticated zero-day vulnerability in IoT cameras, but by running through a list of 61 common usernames and passwords against a telnet management interface left open by the device manufacturers.

When it comes time to deploy IoT, network and systems administrators face the difficult task of managing

devices where endpoint-based detection and visibility tools are either unavailable or highly discouraged

to reduce risk of interfering with the device. IT teams are also faced with the difficult task of identifying

rogue IoT on their networks added there by employees. While the devices themselves don’t hold much

of value for cyber criminals, infected IoT can act as a base camp for moving laterally behind a network’s

perimeter.

Even when researchers identify and disclose vulnerabilities in IoT devices, applying security updates

often ranges from difficult to impossible. Many IoT deployments have no considerations for long-term

maintenance which means identified vulnerabilities stick around. Last year, researchers at JSOF

identified vulnerabilities in a popular network connectivity library present on hundreds of millions of IoT

devices which they called Ripple20. Vulnerabilities like Ripple20 in traditional endpoints and systems are

usually handled with a simple software update but in embedded systems like IoT, applying those updates

isn’t a simple task.

Despite these security concerns, IoT is here to stay, and for good reason. Network-connected medical

equipment enables healthcare professionals to provide faster and more accurate diagnostics and greater

efficiencies at a time where our global healthcare system is under tremendous stress. IoT adoption is

skyrocketing because the benefits outweigh the security concerns. But just because the security

concerns are outweighed, doesn’t mean they can be ignored. To successfully deploy these new

technologies while maintaining a strong security posture, healthcare organizations must be proactive

about defining an IoT policy that accounts for the additional care these devices require.

While the most “secure” solution would be to unplug everything, there may be a very good reason to keep around that device running an out-of-date version of Windows even though it is a block of metaphorical Swiss cheese when it comes to security. Determining the business case for your IoT deployment is an important first step towards building a strong policy. Part of this process, though, is knowing what you have in the first place. IoT devices are notoriously difficult to keep track of due to a lack of compatible endpoint agents. This is where network visibility tools like scanners with robust fingerprinting engines come in handy, crawling through the dark corners of your network to spot hosts you may have missed. Don’t treat this as a one-off exercise either: monitoring and visibility must be an ongoing process to be successful.

You’ll also need to consider how you deploy IoT. This class of devices is one of the greatest beneficiaries of the zero-trust approach to security. Zero trust is a whole other discussion on its own, but the bulk of it comes down to moving to a never-trust, always-verify approach to security. Instead of treating your internal network like a safe haven protected by a shielded perimeter, consider the safeguards you need in place to stop a malicious user or endpoint already on the inside from wreaking havoc. For IoT, this means deploying devices on segregated networks away from your other systems and especially away from your most critical resources. If you find you have the business justification to keep around that unpatched system, protect it at the network level by restricting access to the specific ports and protocols required for that tool to function and by applying security services to those connections to identify network attacks and malware. Be sure to regularly audit your IoT devices with vulnerability scans and security assessments so you know what you need to defend against and aren’t blindsided by something you didn’t spot.

Finally, make sure you are using your visibility tools to their full potential. Even if you can’t deploy protections on a device directly, you can still use tools to identify anomalous activity and raise the alarm in the event of something suspicious. Network intrusion detection systems can help cover the weak spots left open by IoT. The fact of the matter is, you will not stop 100% of attacks, and anyone who tells you otherwise is lying to you. If you keep all your eggs in the “prevention” basket while ignoring detection and response capabilities, you’ll have a significantly more difficult time identifying those incidents that do make it through your defenses.
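The segmentation and detection advice in the two paragraphs above can be turned into a concrete check. The following added example, not code from the article or from WatchGuard, evaluates constructed flow records against a per-device allow-list of the exact destinations, ports and protocols each medical device needs, flags hosts on the IoT VLAN that no policy knows about, and raises a separate alert when one host probes several neighbours on telnet, the pattern Mirai used. The addresses, the log line format and the device roles are assumptions.

```python
"""Network-level policy check and detection for an IoT segment.

Added example, not from the article or WatchGuard. Flow records
(constructed here; in practice from a firewall or NetFlow export) are
checked against a per-device allow-list of the exact destination, port
and protocol each medical device needs. Hosts on the IoT VLAN with no
policy entry are reported as unknown devices, and a host that opens
telnet to several neighbours is reported as a Mirai-style sweep.
Addresses, device roles and the log format are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

IOT_VLAN = "10.20.0."  # segregated IoT network (assumption)

# Per-device allow-list: (destination, port, protocol). Anything else is a violation.
POLICY: Dict[str, Set[Tuple[str, int, str]]] = {
    "10.20.0.11": {("10.10.0.5", 104, "tcp")},  # imaging device -> PACS server (DICOM)
    "10.20.0.12": {("10.10.0.9", 443, "tcp")},  # patient monitor -> telemetry server
}

TELNET_PORTS = {23, 2323}
SWEEP_THRESHOLD = 3  # distinct telnet connections from one source before alerting

# "<timestamp> <src> -> <dst> <proto>/<dport>" (constructed format)
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s+(?P<proto>\w+)/(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(m["ts"], m["src"], m["dst"], m["proto"].lower(), int(m["dport"]))


def evaluate(flows: List[Flow]) -> List[Dict]:
    alerts: List[Dict] = []
    telnet_by_src: Counter = Counter()
    for f in flows:
        if f.src in POLICY:
            if (f.dst, f.dport, f.proto) not in POLICY[f.src]:
                alerts.append({"kind": "policy_violation", "src": f.src,
                               "dst": f.dst, "service": f"{f.proto}/{f.dport}"})
        elif f.src.startswith(IOT_VLAN):
            # A host on the IoT VLAN that no policy knows about: rogue or unrecorded device.
            alerts.append({"kind": "unknown_iot_device", "src": f.src, "dst": f.dst})
        if f.proto == "tcp" and f.dport in TELNET_PORTS:
            telnet_by_src[f.src] += 1
    for src, n in telnet_by_src.items():
        if n >= SWEEP_THRESHOLD:
            alerts.append({"kind": "telnet_sweep", "src": src, "targets": n})
    return alerts


# Constructed sample export: one allowed flow per device, one SMB attempt into the
# corporate segment, one unrecorded host, and a monitor probing telnet on three neighbours.
SAMPLE_LOG = """\
2021-09-01T10:00:01Z 10.20.0.11 -> 10.10.0.5 tcp/104
2021-09-01T10:00:07Z 10.20.0.11 -> 10.30.0.20 tcp/445
2021-09-01T10:00:09Z 10.20.0.12 -> 10.10.0.9 tcp/443
2021-09-01T10:00:12Z 10.20.0.40 -> 10.10.0.5 tcp/104
2021-09-01T10:01:00Z 10.20.0.12 -> 10.20.0.13 tcp/23
2021-09-01T10:01:01Z 10.20.0.12 -> 10.20.0.14 tcp/23
2021-09-01T10:01:02Z 10.20.0.12 -> 10.20.0.15 tcp/2323
"""


def demo() -> List[Dict]:
    flows = [parse_flow(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return evaluate(flows)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The allow-list is the same information a segmentation firewall rule set encodes; running it over exported flows turns the policy into a detection as well, so a device that starts talking SMB to the corporate segment, or an unrecorded host appearing on the IoT VLAN, is caught without any agent on the device.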

IoT has its proven benefits, but not without security drawbacks. It isn’t too late to get started on a strong

IoT security policy and tackle those security concerns head on. With the right planning, paired with strong

technical controls, you can make the most of what these devices have to offer and still sleep somewhat

easily at night.

About the Author

Marc Laliberte is the Technical Security Operations Manager

at WatchGuard Technologies. Specializing in networking

security protocols and Internet of Things technologies, Marc’s

day-to-day responsibilities include researching and reporting on

the latest information security threats and trends. He has

discovered, analyzed, responsibly disclosed and reported on

numerous security vulnerabilities in a variety of Internet of Things

devices since joining the WatchGuard team in 2012. With

speaking appearances at industry events including RSA and

regular contributions to online IT, technology and security

publications, Marc is a thought leader who provides insightful

security guidance to all levels of IT personnel.

Marc can be reached online at @XORRO_ and at https://www.watchguard.com

Offense Activities Sharing in Criminal Justice Case

By Milica D. Djekic

A criminal justice case can include a broad spectrum of details that need to be deeply explored and investigated by the case management team and other officers. Offense activities are not limited to the crime scene: they can be delivered, shared and transferred domestically, regionally or transnationally. In this article we analyze a common criminal justice scheme, theft, which is committed in busy places and normally targets victims who have stopped or slowed down. Thieves can operate in any public area independently or as a group, and since it is hard to imagine a thief working without any communications or logistics, or even somewhere apart from his zone, such an offender may well belong to a criminal group conducting a joint offense operation. Through this article we intend to introduce the terms Offense-as-a-Teaming (OaaT) and Crime-as-a-Teaming (CaaT) and explain how some forms of criminality can pull in a number of offenders to commit the offense together. The theft discussed here does not in any sense mean organized crime, but it can still involve several criminals on the spot and some in the background. The offense activities conducted at the crime scene and beyond can include the sharing of goods, money, communications and logistics resources, all of which are of vital significance in committing a criminal or other offense. In other words, all offense activities should be studied carefully and step by step, as the entire crime scene can be a quite complex and dynamic environment providing plenty of details and actions. For instance, taking the money from the victim and handing it to a co-offender is a crime scene activity that is shared across the criminal justice case. OaaT and CaaT are terms that cover the events occurring while the offense is committed on the spot; they are explained later in this article.

Theft by itself carries the connotation of a less serious crime, and even if it looks as though it could be understood through some kind of regular model, the situation in practice is far more complicated. The main reasons are that theft can happen anywhere in public, and it is sometimes quite challenging to provide accurate and timely information about where, when and how the offense occurred. In other words, it is up to the investigators to resolve such a complaint and document the entire criminal justice scheme in order to contribute to future crime prevention. Next, it is important to deal with comprehensive crime scene modeling and management in order to deeply understand the entire event and all its actors. Communications linkage is the best way to diagnose the entire case and figure out how many offenders have been engaged in the crime scheme. Through this contribution we want to stress the standard criminal justice scenarios regarding the theft offense, and offer some starting points on how such a crime could be resolved completely and in detail, following the procedures and best practice that are well developed within any competent law enforcement agency and its case management groups.

Introduction

The purpose of this review is to give law enforcement officers conducting investigations some ideas and perspectives on how they can investigate a common crime such as theft. Normally, thieves choose overcrowded spots such as downtowns, public transportation and shopping areas, because those are the places where people carry money, jewelry and credit cards. People in busy places are in a rush, and the offenders know this because they are present on the spot, monitoring every move that happens there. Their experience teaches them that it is quite unsafe to take anything from anyone who is walking fast. Also, anyone who is physically strong can resist if he notices someone putting fingers into his pocket. These are real challenges for thieves, so they keep an eye on everyone and patiently wait for their target to stop or even slow down before they carry out their operation. Apparently, if someone is in shape and moving quickly the offender may still attempt the offense, but there is a realistic chance that he will miss the catch or get into trouble if the targeted person decides to strike back. So skillful thieves choose to attack once someone has stopped or slowed down, say when boarding a bus during peak hour. At that time the flow of people in public is quite high, and the persons waiting at the bus doors to board must slow down, which is a convenient moment to attack that person from behind. It cannot be guaranteed that the thief will get a catch in every attempt, but sometimes people using public transportation carry something valuable with them. On the other hand, when we consider a public spot such as a shopping center, it is obvious that shoppers need to slow down when they pay, pack their bags or transfer goods from their cart into their cars. Common sense suggests to the thief that this is the perfect moment to attack, and in such a case his chances of a good catch only increase. The situation is similar in any downtown, where many people are concentrated in a small area and the offender commonly circulates through that spot. In other words, no thief in action rests until his victim in the crowd stops for a moment to check something, and when the incident occurs the criminal does not remain close to that place but keeps moving, trying to leave the crime scene.

Someone who is good at the theft business has the skill to steal anything from anyone without even being noticed. Public spots offer plenty of places to sit or stand aside, and experienced thieves use this advantage to stay less obvious and observe the terrain well. So, if they notice anyone walking slowly or taking a break, they simply attack, and if their estimate was accurate they are satisfied with what they obtained through that illegal activity. The reason thieves operate as a team is that it gives them better control of their zone and lets them cover each other much more securely. Thieves can also rely on strong logistics to escape from the crime scene; for instance, theft teams can use any kind of transport system to commit the crime or leave the place with their catch. Experienced police officers can easily recognize criminal behavior, and the offenders are aware of that, so they use new tactics and techniques to remain less obvious. One well-known tactic for staying inconspicuous is taking care of one’s appearance and overall outfit: intelligently chosen clothes can make anyone blend into the environment. In addition, there are some standard behavioral and habit patterns that can suggest suspicious activity. Law enforcement officers have the task of providing a certain level of safety and security to the community, and for that reason it is necessary to study the ongoing tendencies, as that is the best way to prevent and respond to crime. In other words, if it is well known that theft can happen in crowded areas, those spots need to be monitored from time to time. The role of law enforcement is to remove crime from the street while at the same time providing relatively safe working conditions for its workforce. That is quite difficult to achieve, which is why it is necessary to think smart in order to protect everyone, including members of the public, from being attacked or harmed.

The main question for thieves in public is how to remain less visible to ordinary people and to the patrolling authorities. The concern of any thief is how to steal from someone so skillfully and secretly that little attention is drawn from the victim's surroundings. In fact, thieves tend to target weak, old or slow-moving members of the community, who would not notice the offense at that moment or would not be able to resist even if they did. Towns, cities and other populated areas are known for their rush, fast pace and overcrowding, so victims there can simply be caught by local criminal groups and left in shock, sometimes injured or hurt by the offenders. The most reliable moment for an offender to attack and take something from a victim is when that person has stopped or slowed down. That may happen when the person is making a phone call, texting in public or using a phone booth on the street. In such a situation the potential victim is less aware of what is going on, and an experienced street criminal knows how to take advantage of it. The point is that thieves are not afraid of the street; they can spend hours outside waiting for the right moment to attack. Practice shows that they use camouflage tactics to remain less obvious, so it is not surprising that they can pretend to be taking a break or doing anything else that is common at a busy spot. Good criminologists study the psychology of these street predators in depth, and they know that offenders can count on one or more accommodations in convenient parts of the populated area, which serve them to rest, get food and drink or change clothes. In other words, once on the crime scene, offenders can act with confidence, and the seriously hardened cases show no fear even when they see the police on the spot. They have strong nerves and can calmly find a way to leave the site in any situation. The best way to hide in an environment is to be part of it, and if a criminal can change his appearance depending on where he is at a given moment, he will win the battle against both the authorities and the victim of the offense. It may seem that sending a patrol car or officers on foot would be a good preventive measure against theft. In our opinion, that approach could make less confident criminals hesitate, but the experienced street beasts would continue doing what they normally do. Theft can bring a good profit, and no one willingly gives that up. There are relatively safe places in the world, but most cities across the globe could face some kind of violence if the authorities decide to attempt such an aggressive approach. So, if theft in public is to be prevented, a smart game must be played against those troubling individuals, and in the rest of this article we explain what the best techniques are for avoiding some of the false positives.

Theft as a crime is well studied in practice, and anyone dealing with that sort of offense knows how hard it can be to combat the criminal groups committing it. In our understanding, it is a joint offense; in other words, it is difficult to imagine a lone-wolf thief. Attractive tourist destinations are very suitable spots for theft, and experienced offenders simply watch how foreigners who do not belong to the local community cope with an unknown environment. The offenders are familiar with every part of the area, while the tourists do not even know the basic layout of their surroundings. Tourists usually rely on maps or another navigation system, commonly stopping and asking for information, so they are more than obvious to local criminal groups as people coming from abroad. People on a journey are relaxed; they spend plenty of time sightseeing or taking photos and recordings without paying attention to what is happening around them. There are also many opportunities to buy lovely souvenirs for family members and friends, and tourists enjoy doing so. In addition, local thieves are confident in their own zone, while people from elsewhere know nothing, or only a little, about the territory. There is also a realistic chance that some of the less serious thefts never get reported to the local authorities, because tourists simply give up on the complaint, knowing nothing about the local police. Many do not speak the local language, so they may be afraid to even attempt anything. The most important items, such as passports and travel tickets, may be left in the hotel room, while objects like cameras, money and credit cards go on the excursion with the visitors. Practically, those things are under threat, and thieves carefully choose to commit the crimes that will never be reported to law enforcement agencies. Sometimes people are not even sure whether an object was stolen or simply lost somewhere. Stealing a credit card from someone enjoying an excursion carries a risk, but that risk can bring a good profit. Put differently, street predators concentrate on getting something valuable, such as jewelry, watches, video cameras, some money or anything else that is out of its owner's focus because the owner is enjoying a beautiful time in some world-famous setting.

On the other hand, thieves develop a strong need to be active and always on the move in order to avoid criminal justice. Their victims can be both domestic and international people, and in big cities the majority of sightseeing spots are normally overcrowded with visitors, among whom the offenders circulate looking for someone who is carefree and unaware of the dangers of an unknown environment. These street predators understand the psychology of their victims deeply, and they estimate the right moment to attack almost flawlessly. In our belief, theft is a joint offense, and it occurs under certain circumstances that should be studied by skillful criminologists capable of analyzing those tendencies. An additional challenge is that so many of these offenses are never reported to the police, so the authorities are left without any information about the offense. At the very beginning of this article we introduced two terms, Offense-as-a-Teaming and Crime-as-a-Teaming, so it is important to say a bit more about those phrases. Offense-as-a-Teaming (OaaT) is any act of violation or criminality that requires more than one actor to be committed. Such an offense can be recognized as a joint effort to break the law or another legal regulation. The similar case is Crime-as-a-Teaming (CaaT), which denotes something fully criminal conducted as a joint activity. Through this effort we discuss the possibilities of tackling theft as an offense in the community, covering both preventive and diagnostic measures. That form of criminality could be challenged by deploying patrolling forces, but that step could be quite counter-productive, since it could cause some kind of street violence. The greatest weakness of anyone committing OaaT or CaaT is his dependence on a team that is connected using communications technologies. In other words, if we develop intelligent methodologies for modeling and controlling the crime scene that rely on cyber networks, we can count on an adequate response to such illegal activities, which would consequently be better prevented.

The need for reliable communications

OaaT and CaaT have teaming in common, meaning that the joint activity relies on the team as the lawbreaking unit. The biggest challenge for such a group is how to operate in public while staying in touch with each other. Those offenders count on each other and frequently need each other for cover and protection. Basically, there is no true trust between criminals, as they only follow some rules typical of their environment. The point is that those individuals need to manage their communications and information exchange somehow, so like anyone else they develop a dependence on emerging technologies. It appears that with the discoveries of the first modern communications systems, history began to move faster than ever and all of humankind started living at an extremely rapid pace. The situation is similar in the criminal environment, which exchanges findings within sub-second periods of time. In other words, like everyone else, criminals have become dependent on cyber solutions. As a reminder, cyber is anything correlated with the internet, computers and mobile systems, and at this stage of our development that is something available commercially. So offenders committing theft also need reliable communications, and they commonly use cell phones, mobile devices, internet connectivity and satellite communications to maintain contact with each other. Once on their terrain looking to commit a crime, they talk to each other using current communications solutions. Practically, that is a great trap for them, because that is how they leave a trace in cyberspace and become more reachable by the authorities. To be honest, there is no silver bullet in any field of interest, and criminology is no exception. Apparently, no approach can give instant results and resolve literally everything. What we can do here is make some suggestions on how some basic theft cases could be handled using policing procedures, policies and best practices.

On the other hand, it is significant to figure out how the theft crime unfolds and to realize that any offender carries with him a communications device that sends and receives electrical signals. The police can capture that electrical activity using professional equipment, and that is how offenders can be discovered. The problem is that a theft victim does not necessarily become aware of the crime when it occurs, so the authorities only receive a complaint that something was stolen, without knowing how and when. In other words, in the first stage the police may be dealing with quite a wide crime scene that must be searched somehow. In this paper we mention some tips and guidelines on how an investigation of a theft offense could be run and conducted, but as we said, such an approach is not necessarily the winning one in practice. As we said, the tendency shows that thieves choose to attack when the victim has stopped or slowed down, so once the investigative team has inspected the crime scene and started looking in cyberspace for more clues, they can first try to capture those moments in the victim's cell phone signal when he stopped or slowed down. In any such occurrence, it is important to look for the closest electronic devices, because some of them could belong to the thief, and if that method produces results regarding the identification of the offender, the entire team involved in the offense could be diagnosed and put under investigation. It is quite obvious that this tactic could offer some results in the investigation, but it is not fully comprehensive and straightforward, as it needs a lot of hard work and smart thinking to give the investigators an advantage. Practically, it is possible to discover the entire criminal group by following this suggestion, but it is not guaranteed that a given case will be resolved with that strategy alone. In other words, the victim of theft reports the abuse, and the investigation should use the most common tactics to tackle the case and discover who committed the crime, so for that purpose it is important to look for the track in cyberspace.
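The two-step procedure just described, first find the moments when the victim's handset was stationary and then look for the devices nearest to it, is sketched below as an added example; it is not code from the article or its author. It assumes the investigators have lawfully obtained timestamped location fixes for the victim's handset and for other handsets in the area (every trace, coordinate and device identifier here is constructed sample data, and the speed, duration and radius thresholds are assumptions to be tuned). It detects dwell windows from the speed between consecutive fixes and reports which other devices were within a radius of the dwell point during each window.

```python
"""Dwell-window detection and device co-location over location traces.

Added example, not code from the article: all fixes and device ids below are
constructed sample data, and the thresholds are assumptions to be tuned.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Fix:
    t: int        # seconds since the start of the observation window
    lat: float    # decimal degrees
    lon: float    # decimal degrees


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance in metres between two fixes."""
    earth_radius_m = 6_371_000.0
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_m * asin(sqrt(h))


def dwell_windows(trace, max_speed_mps=0.5, min_duration_s=60):
    """Return (t_start, t_end, anchor_fix) for every run of consecutive fixes
    whose speed stayed at or below max_speed_mps for at least min_duration_s.
    This is the 'victim stopped or slowed down' moment the text refers to."""
    windows, start = [], None
    for prev, cur in zip(trace, trace[1:]):
        dt = cur.t - prev.t
        speed = haversine_m(prev, cur) / dt if dt > 0 else float("inf")
        if speed <= max_speed_mps:
            if start is None:
                start = prev          # first slow segment opens a window
        else:
            if start is not None and prev.t - start.t >= min_duration_s:
                windows.append((start.t, prev.t, start))
            start = None              # a fast segment closes the window
    if start is not None and trace[-1].t - start.t >= min_duration_s:
        windows.append((start.t, trace[-1].t, start))
    return windows


def colocated_devices(windows, other_traces, radius_m=30.0):
    """For each dwell window, the ids of devices seen within radius_m of the
    dwell anchor at any instant inside the window."""
    result = {}
    for t0, t1, anchor in windows:
        seen = set()
        for dev_id, fixes in other_traces.items():
            if any(t0 <= f.t <= t1 and haversine_m(anchor, f) <= radius_m for f in fixes):
                seen.add(dev_id)
        result[(t0, t1)] = seen
    return result


# Constructed sample: the victim walks north, stands still for 90 s, walks on.
VICTIM_TRACE = [
    Fix(0, 45.00000, 19.0), Fix(30, 45.00040, 19.0), Fix(60, 45.00080, 19.0),
    Fix(90, 45.00081, 19.0), Fix(120, 45.00081, 19.0), Fix(150, 45.00082, 19.0),
    Fix(180, 45.00120, 19.0), Fix(210, 45.00160, 19.0),
]

# Constructed sample: one handset beside the victim during the stop, one far
# away, one at the same place but only after the victim had moved on.
OTHER_TRACES = {
    "handset-A": [Fix(100, 45.00082, 19.0001)],
    "handset-B": [Fix(100, 45.00300, 19.0)],
    "handset-C": [Fix(200, 45.00080, 19.0)],
}


def analyse_sample():
    """Run both steps over the constructed traces."""
    windows = dwell_windows(VICTIM_TRACE)
    return windows, colocated_devices(windows, OTHER_TRACES)


if __name__ == "__main__":
    for (t0, t1), devs in analyse_sample()[1].items():
        print(f"dwell {t0}-{t1}s: nearby devices {sorted(devs) or 'none'}")
```

Only handset-A is reported for the 60 to 150 s dwell: handset-B is a few hundred metres away and handset-C reaches the spot only after the victim has left, which is the time-and-place filtering that keeps this from producing false positives on every device that ever passed the same corner.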

The most common way for offenders to exchange information on the crime scene or beyond is through GSM, GPRS, GPS and TCP/IP communications and navigation channels. A simple smartphone has the capacity to offer that whole broad spectrum of services, so forensic detectives should look for the very first track right there. In practice, a theft crime scene may be investigated and reconstructed in great depth, but it is also important to take into consideration that theft teams do not only steal money but commonly valuable objects as well. For instance, if anyone's laptop, credit card or camera has been stolen on the spot, it is clear that the criminals will not keep those items in their accommodation but will rather find ways to make a profit from the stolen goods. In other words, street predators are usually connected with the entire black market, and our suggestion that the whole criminal ring could be tracked in cyberspace holds even in such a case. So what is crucially needed in responding to such a challenging offense, or group of offenses, is skill in both the physical and the high-tech domain, so if the needed procedures and policies are not yet developed, law enforcement agencies should work hard to do so effectively and in that manner tackle and understand this complex landscape.

The common logistics schemes

It is quite interesting to imagine how it works when theft is occurring on the crime scene and the offenders are relying on some logistics support. Apparently, theft can be committed both in a public spot and on public transportation, and in both cases the offenders need good tactics to avoid any complications on the crime scene. If the crime is happening in a busy place, it is obvious that there may be private vehicles in the parking areas that can serve as a suitable logistics backup. In other words, the offenders need to arrive at and escape from the crime scene, and for that purpose they use either private vehicles with someone sitting inside and waiting for them or the public transportation network. In both cases the risk is more or less similar. A well-known scheme is that someone acting as logistics backup applies cyber technologies, tracking the offender's route on a mobile device map to pick the most appropriate moment to come and collect the criminal from the crime scene. The common scenario is that the thieves have accommodation in some part of the town, which they use to rest or take care of basic needs. That accommodation can be recognized as their nest, serving them to prepare for the offense, plan the crime and store some of the stolen goods before they are sold on the black market. In addition, the logistics side can also rely on cyber technologies for monitoring, tracking and navigating the criminals on the spot, usually doing so from the background. Experience suggests that thieves are not necessarily in the same zone throughout the day but rather shift from one area to another. That is a good camouflage scenario and an intelligent tactic for avoiding law enforcement officers. In any sense, theft as a crime can be quite a huge challenge and a source of competitive profit, making community members unsafe and the entire society suffer the consequences if the response to such a scheme is inadequate.



The ways of escaping from the crime scene

In practice, offenders can stay close to the crime scene once they have committed the crime, or they can try to escape either immediately or after some delay. If the crime is happening downtown, the offenders may have secret spots to hide, and if a seizure occurs they can either choose to hide in public or escape from the crime scene promptly using their own vehicles or public transport. Police patrols are always close to any neighborhood, and once someone reports that something has been stolen from him, the officers come to make an inspection. In criminology, theft is considered a less serious crime, but in fact it should not be viewed that way, as it brings good income to anyone in that business. In other words, it is important to keep up with this crime trend and produce well-studied reports that can support any police department in understanding, tackling and responding to the concern.

Discussions & Conclusions

Investigating theft is not an easy task, and the entire investigation should rely on well-developed procedures and evidence collection as the ultimate goals in case management. It is also necessary to understand the psychology of the offender as well as of the victim in order to recognize some of the trends on the street. Everything must be in accordance with the law, and the investigation is updated hour by hour to keep its course and choose new methods and tactics for obtaining findings and clues. Investigators handling those cases can, through experience, demonstrate a high level of proficiency in criminal justice investigation and show innovative approaches to their tasks. Finally, there are some suggestions and guidelines on how that sort of crime could be resolved, but it is necessary to follow the overall social and cultural trends.

About The Author

Milica D. Djekic is an Independent Researcher from Subotica, the Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for some domestic and overseas presses, and she is also the author of the books “The Internet of Things: Concept, Applications and Security” and “The Insider’s Threats: Operational, Tactical and Strategic Perspective”, published in 2017 and 2021 respectively with Lambert Academic Publishing. Milica is also a speaker with the BrightTALK expert’s channel. She has been a member of ASIS International since 2017 and a contributor to the Australian Cyber Security Magazine since 2018. Milica's research efforts are recognized by the Computer Emergency Response Team for the European Union (CERT-EU), Censys Press, BU-CERT UK and the EASA European Centre for Cybersecurity in Aviation (ECCSA). Her fields of interest are cyber defense, technology and business. Milica is a person with disability.



Cybersecurity Challenges of Working from Home during COVID-19 Pandemic and a Proposed 8 step WFH Cyber-attack Mitigation Plan

By Glorin Sebastian, Senior Consultant, EY

This article is a review of the study conducted and presented by the author at the 36th IBIMA conference in Granada, Spain. It has been widely discussed that one of the main cybersecurity problems of the Covid pandemic and increased remote work is that, even though work from home provides greater productivity and flexibility, employees working from home have a higher chance of being victims of cyber incidents and a much higher chance of their systems being infected by malware or a virus [1].

Glorin’s study aimed to confirm this issue and to identify a framework of cybersecurity controls that could be used to mitigate the cyber-attacks faced by remote employees while working from home. Based on the survey conducted as part of Glorin’s study [2], over 60% of the respondents agreed that there has been an increase in fraudulent emails, phishing attempts and spam to corporate email since the start of the Covid-19 pandemic. Based on the survey responses and on best practices, an 8 step WFH Cyber-attack Mitigation Plan was suggested. The steps in this proposed mitigation plan are:

1. Remote Monitoring: Installing centralized network scanning techniques, including firm firewalls that restrict network traffic. This step also includes securing the network and the router, making sure it is updated with the latest firmware and that auto-updates are enabled. The internet service provider can also provide instructions on how to securely configure the router.

2. Incident Management: Incident management by the firm IT team should be enabled on the employee IT systems used for remote work. This is an extension of the firm-level IT monitoring and includes a SIEM (Security information and event management) system that provides real-time analysis of the security issues generated.

3. Employee training: Employees must be provided with appropriate training to ensure they are aware of the various cybersecurity attacks they could face while working remotely. This includes selecting the correct security settings on their work devices, such as choosing the WPA2 security option for enhanced Wi-Fi security.

4. Access controls: Ensuring users have proper access controls and maintaining proper segregation of duties between two conflicting business functions is important. Another way to implement access controls is network segmentation: creating multiple "subnets" in your home network, each with its own SSID to connect to. One could be used for office work, another for family and a third for home devices. Thus, once a device is compromised, it cannot easily be used to eavesdrop on the other subnets.

5. Backups and BIA Recovery plans: The firm's disaster recovery plan should include backups and a BIA (Business impact assessment) to set precedence for effective communication, mitigation and recovery in case of critical cyberattacks, and this recovery plan should be extended to the firm IT systems used by employees for work from home as well.

6. VPN & Multi-Factor Authentication: Using both a VPN (Virtual private network) and MFA (Multi-factor authentication) ensures user data is protected. Employees who access company data while connected to a VPN ensure that data in motion between two devices on the public network is protected, just as if they were connected over a private network. It is also crucial to change your router's default SSID (Service Set Identifier), along with the administrative password and the network password. Passwords should use a passphrase, which is usually tougher to crack. Reuse of passwords should be prevented by firm policy.

7. Vendor Security controls: Given that many critical business processes and data are outsourced to vendors, it is important to ensure that controls, especially security controls on the vendor side, are effective.

8. End-point Security and patching: Endpoint security ensures that each endpoint connected to the central corporate network is compliant with the organization's standards and thus protects employee systems from malware, ransomware and other similar cyber-attacks.

FOOTNOTES:

[1] John Egan, Daphne Foreman, "6 Cybersecurity Tips When You Work From Home", www.forbes.com/advisor/personal-finance/cybersecurity-tips-when-you-work-from-home/

[2] Glorin Sebastian (2021), "A Descriptive Study on Cybersecurity Challenges of Working from Home during COVID-19 Pandemic and a Proposed 8 step WFH Cyber-attack Mitigation Plan", Communications of the IBIMA, Vol. 2021 (2021), Article ID 589235, DOI: 10.5171/2021.589235, https://ibimapublishing.com/articles/CIBIMA/2021/589235/589235.pdf



About the Author

Glorin Sebastian is a Senior Consultant with one of the big four accounting firms in its Technology Consulting practice, with over seven years of experience in IT risk and cybersecurity compliance. He is a certified CISSP and CISA, and he helps perform IT regulatory and cybersecurity audits as well as working to mitigate firm IT risks by designing and implementing effective application security and controls associated with ERP system implementations. As a part-time Masters in Cybersecurity student at Georgia Institute of Technology, he also does part-time cybersecurity research aimed at solving some of the common cybersecurity issues. You can connect with Glorin on LinkedIn: Glorin Sebastian CISSP, CISA - Advisory Senior Consultant - EY.



HTML Smuggling: A Resurgent Cause for Concern

By Vinay Pidathala, Director of Security Research, Menlo Security

Cybersecurity is never straightforward.

While defense techniques, technologies, policies and methodologies continue to evolve at pace, such defenses often trail in the wake of novel cyber attacks that seek out and exploit vulnerabilities in new ways, catching security teams off guard.

Indeed, recent times have provided many headaches for security professionals; Cybersecurity Ventures reveals that cyber attacks in 2021 will amount to a collective cost of approximately $6 trillion, and the situation isn’t forecast to improve any time soon. With attacks expected to intensify by an additional 15% a year for the next four years, total cyber attack-centric damages could amount to as much as $10.5 trillion by 2025.

One of the main concerns today is the exponentially growing number of techniques that cybercriminals are adding to their arsenal. Whether that’s malware, ransomware, DDoS attacks or phishing, they continue to expand their techniques, with each new one more malicious than the last.



HTML Smuggling explained

HTML Smuggling is a prime example of this in action.

While the broad concept itself is nothing new, the threat is making something of a resurgence, having recently been used by Nobelium, the hackers behind the renowned SolarWinds attack that was uncovered in December 2020.

In simple terms, HTML Smuggling provides hackers with a means of bypassing perimeter security through the generation of malicious code behind a firewall. This is executed in the browser on the target endpoint.

Where a malicious payload is constructed in the browser, no objects need to be transferred that network perimeter security systems might typically detect. As a result, through HTML Smuggling, many commonly used, traditional security solutions, such as sandboxes and legacy proxies, can be sidestepped.

ISOMorph – a new variation

This is what happened in the case of Nobelium’s HTML Smuggling attack that we are calling ISOMorph. Here, the popular voice, video and text communication platform Discord was targeted, the app being home to more than 150 million active users.

With ISOMorph, HTML Smuggling allows the first attack element to be dropped onto a victim's computer. This is then constructed on the endpoint, removing the opportunity for detection. After installation, the hackers are then able to execute the payload that infects the computer with remote access trojans (RATs), before setting about logging passwords and exfiltrating data.

While the resurgence of HTML Smuggling through ISOMorph is new, it shouldn’t necessarily come as any great surprise. Indeed, from the cyber attackers’ perspective, it is a logical avenue to pursue.

Thanks to the pandemic, remote and hybrid working has become the new norm. Where such working models are now commonly used, the increased use of cloud services and the expansion of organizations’ digital footprints have exposed a series of new security-related challenges.

Today, the browser plays a more vital role in day-to-day operations than ever before; yet, unfortunately, it remains one of the weakest links in the cybersecurity chain, making HTML Smuggling an all the more attractive proposition to threat actors.

From access to execution

So, what should we be looking out for in the case of an HTML Smuggling attack?

In the case of ISOMorph, Menlo Security’s analysis has shown that attackers are using both email attachments and web drive-by downloads to achieve initial infection.



Thereafter, using JavaScript, they are opting to use a technique often used by web developers to optimize file downloads. This entails the construction of the malicious payload on the HTML page as opposed to making an HTTP request that can then retrieve a desired asset from a web server.

With ISOMorph, the payload in question was an ISO file: a disk image that contains all the required components to install software. The benefit of the ISO file is that it does not require the endpoint to have any third-party software to install. In this instance, ISOMorph was also able to achieve persistence by creating a Windows directory on the endpoint.

Equally, it is one example of a file type that is exempt from inspection across both web and email gateway devices.
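Because the file is assembled in the browser rather than fetched, the thing a gateway can still inspect is the HTML itself. The script below is an added example of that inspection, not code from the article or from Menlo Security: it scores an HTML document for the browser-side download pattern described above (a large base64 literal decoded with atob(), wrapped in a Blob and handed to the user through an object URL or a download attribute) and, where a literal decodes, identifies the embedded container by its magic bytes, including the ISO 9660 identifier that the ISO payload discussed here would carry. The two HTML samples, the indicator weights and the threshold are constructed for this example.

```python
"""Static triage of an HTML file for HTML-smuggling indicators.

Added example, not code from the article or from Menlo Security.  Both HTML
samples, the indicator weights and the threshold are constructed here.
"""
import base64
import binascii
import re

# (name, pattern, weight); weights are an assumption, tune on your own corpus.
INDICATORS = [
    ("blob_constructor", re.compile(r"new\s+Blob\s*\("), 2),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob\s*\("), 2),
    ("base64_decode", re.compile(r"\batob\s*\("), 1),
    ("download_attr", re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"), 1),
    ("synthetic_click", re.compile(r"\.click\s*\(\s*\)"), 1),
]
# A quoted base64 literal of at least 64 characters.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{64,}={0,2})[\"']")
SUSPICIOUS_THRESHOLD = 5


def identify_blob(data: bytes) -> str:
    """Container type of decoded bytes from well-known magic values."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    # ISO 9660: the primary volume descriptor starts at sector 16 (0x8000)
    # and carries the identifier "CD001" one byte in.
    if len(data) >= 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    return "unknown"


def scan_html(html: str) -> dict:
    """Score the document; a decodable embedded blob adds to the score."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    blob_type = None
    literals = B64_LITERAL.findall(html)
    if literals:
        try:
            decoded = base64.b64decode(max(literals, key=len), validate=True)
        except (binascii.Error, ValueError):
            decoded = None
        if decoded:
            blob_type = identify_blob(decoded)
            score += 2
    return {"indicators": hits, "score": score, "blob_type": blob_type,
            "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign"}


def _iso_like_bytes() -> bytes:
    """Constructed stand-in for an ISO image: only the 'CD001' identifier at
    the standard offset, padded with zeros.  It is not a usable disk image."""
    buf = bytearray(0x8010)
    buf[0x8001:0x8006] = b"CD001"
    return bytes(buf)


# Constructed sample in the style the text describes: the file is assembled
# in the browser instead of being requested from a server.
SUSPICIOUS_HTML = (
    "<html><body><script>\n"
    f"var b64 = '{base64.b64encode(_iso_like_bytes()).decode()}';\n"
    "var bin = atob(b64), arr = new Uint8Array(bin.length);\n"
    "for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);\n"
    "var blob = new Blob([arr], {type: 'application/octet-stream'});\n"
    "var a = document.createElement('a');\n"
    "a.href = URL.createObjectURL(blob); a.download = 'invoice.iso'; a.click();\n"
    "</script></body></html>"
)

# Constructed benign sample: an ordinary link that merely carries a download attribute.
BENIGN_HTML = (
    '<html><body><a href="https://example.com/report.pdf" download="report.pdf">'
    "Quarterly report</a></body></html>"
)

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_html(doc))
```

The benign page matches one indicator and stays under the threshold; it takes the combination of in-page decoding, a Blob, an object URL and a synthetic click, plus a payload that actually decodes to a recognisable container, to reach a verdict, which is the same logic a gateway rule for this technique should follow.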

In analyzing the ISO files that were used in the campaigns that we were monitoring, we found that the VBScript will often contain various malicious scripts capable of executing and thereafter fetching additional PowerShell scripts that can download a file to the endpoint.

The malicious code is also executed by proxy by tapping into trusted elements on the endpoint. We saw MSBuild.exe used, for example, a process that is typically whitelisted, allowing the injected code to further avoid detection. Here, ISOMorph used reflection techniques to load a DLL file in memory before injecting the remote access trojan into MSBuild.exe, ensuring antivirus software could then be bypassed.
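A whitelisted binary is hard to block, but the chain that leads to it is not hard to see. The script below is an added example of process-lineage triage, not code from the article or from Menlo Security: over constructed process-creation records it flags MSBuild.exe launches started by a script host or PowerShell (the VBScript to PowerShell to MSBuild sequence described above) or given a project file from a user-writable temporary location. The record layout, paths, timestamps and heuristics are assumptions for this example, not any product's schema.

```python
"""Process-lineage heuristics for MSBuild.exe used as an execution proxy.

Added example, not code from the article or from Menlo Security.  The event
records, field names, paths and heuristics are assumptions for this example.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Parents from which a developer build is not expected (assumption for this
# example; extend it from your own baseline of normal MSBuild ancestry).
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
PROJECT_FILE = re.compile(r"\.(?:proj|csproj|vbproj|xml)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|Public)\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    ts: str            # constructed timestamp
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    ts: str
    parent: str
    reasons: tuple


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(ev: ProcEvent) -> Optional[Finding]:
    """Return a Finding for an MSBuild.exe launch that trips a heuristic."""
    if _name(ev.image) != "msbuild.exe":
        return None
    reasons = []
    if _name(ev.parent_image) in SCRIPT_HOST_PARENTS:
        reasons.append("started by script host or PowerShell")
    if PROJECT_FILE.search(ev.cmdline) and USER_WRITABLE.search(ev.cmdline):
        reasons.append("project file in user-writable temp location")
    return Finding(ev.ts, _name(ev.parent_image), tuple(reasons)) if reasons else None


def triage(events: List[ProcEvent]) -> List[Finding]:
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample events: a normal IDE build, the proxied launch, an
# unrelated process, and a command-line build from a source tree.
SAMPLE_EVENTS = [
    ProcEvent("2021-09-01T09:00:00Z",
              r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
              r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
              r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'),
    ProcEvent("2021-09-01T10:15:02Z",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\setup.xml"),
    ProcEvent("2021-09-01T10:15:03Z",
              r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe",
              r"notepad.exe"),
    ProcEvent("2021-09-01T11:30:00Z",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\cmd.exe",
              r"MSBuild.exe C:\src\lib\lib.csproj"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.ts, f.parent, "; ".join(f.reasons))
```

Both developer builds pass because their ancestry and project locations look like builds; only the PowerShell-spawned launch with a project file in a temp directory is reported, with both reasons attached so an analyst can see which heuristic fired.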

Prevention and solutions

The resurgence of HTML Smuggling should be cause for concern.

While vaccination efforts continue to ramp up and economies and societies continue to open up once

more, the impact of COVID-19 will be felt long after 2021. In the case of work, the many benefits that

have been realized from remote and hybrid working models will ensure that such ways of working won’t

disappear anytime soon. As a result, the browser will continue to offer hackers new avenues to attack

their target endpoints.

For this reason, HTML Smuggling is here to stay. In the case of ISOMorph, it is proving to be an effective method for attackers to infiltrate victims’ devices and deploy payloads while bypassing traditional network security tools.

So, how can it be combatted? The answer is in the form of isolation technologies.

Developed with the simple purpose of comprehensively protecting users as they use web services – be

it email applications, browsers, or otherwise – isolation creates a virtual barricade between the endpoint

and external threats from the internet.

While content such as emails and web pages can still be viewed seamlessly, its active content is rendered away from the endpoint and never downloaded to it, eliminating the opportunity for malicious code to reach a device and begin exploiting vulnerabilities.

To achieve a robust endpoint protection strategy, isolation must be placed front and center.



About the Author

Vinay Pidathala is Director, Security Research at Menlo Security based

in Mountain View, California. Previously, Vinay was at Aruba Networks

and also held positions at FireEye and Qualys.

Vinay can be reached online at: @menlosecurity and at our company

website: https://www.menlosecurity.com/



New CIOs: 5 Key Steps in Your First 100 Days

Getting the first 100 days right is critical to achieving momentum, credibility, and long-term success.

By Etay Maor, Senior Director, Security Strategy, Cato Networks

Starting off as a new CIO in a tough, dynamic environment can be daunting. CIOs must juggle multiple

issues like coping with hybrid workplaces, changing cybersecurity and compliance protocols, increasing

ransomware attacks and high expectations from the board, to name but a few. New CIOs need to tackle

biased perceptions, make a good first impression, assess the current state of processes and policies and

determine a strategy to build a foundation that drives innovation.

Other CIO challenges may involve building a deep awareness of the IT organization, developing close relationships with key stakeholders and achieving wide acceptance for strategic goals, while also gaining some quick wins that boost confidence in your talents.

In speaking with countless CIOs about their security posture, I’m always intrigued by what lessons they’d

offer new CIOs. In truth, there doesn’t seem to be a single set of ‘guiding principles’ for best launching

into a CIO role. There are, however, strategies and tips that repeat themselves in my conversations.

Here, then, are five of those often-cited takeaways battle-tested CIOs recommend new CIOs follow in

their first 100 days in office.

1. Get to Know Your Organization and Team

With many stakeholders and team members operating remotely, one of the most significant hurdles a

CIO must overcome is to forge meaningful, interdepartmental relationships.

• With IT Teams: Start with regular one-on-ones, seek out the issues they regularly wrestle with

and assess whether it involves technology, infrastructure, processes or people. Familiarize



yourself with the strategy and tactics currently in place and evaluate if these adequately align with

overall business goals.

• With non-IT Teams: Start with key executives and leadership teams. Understand their role in the

business and how they interact with IT. Evaluate recent IT requests and determine whether they

have been resolved satisfactorily. Prepare questions relevant to their role but listen carefully to

understand their overall strategic vision and expectations from IT.

2. Determine the state of IT and Security Infrastructure

Conduct a detailed technology risk assessment of your network infrastructure, databases, applications,

cybersecurity and back-ups. Evaluate the current state of policies, procedures, compliance, security

awareness and service delivery levels. Get to know your vendor-partners and learn the contract status

from each, especially big-ticket deals. Know your IT budgets (planned vs. actual). Figure out what stage

the company is at relative to their digital transformation process.

As a first measure, benchmark what you can. Three years down the road you should be able to sell a

story of sustained improvement. Conduct a baseline assessment and capture metrics from current

applications and security practices. This will also help identify what is and isn’t working.

3. Define your Goals and Chart Out a Plan

Once you’ve got a handle on IT’s position and learned about its resources and capabilities, it’s time to develop swift action plans for urgent and simple issues, which help define an overall blueprint for your longer-term company strategy. Your plan should include an executive summary; your department’s strengths and weaknesses; opportunities and threats; new trends, tools and capabilities; and the tactics you will use along with their costs, time and impact – in short, guiding principles that will drive future decisions.

4. Incorporate Digital Transformation

Whether it’s changing buyer behavior or securing a large-scale remote workforce, the demand for digital

transformation post-pandemic (i.e., digital methods to improve business processes and continuity) has

accelerated by several years.

New CIOs must keep this momentum going by identifying and implementing technology that can

significantly transform customer and employee experiences. As an example, CIOs can leverage

automation and AI to improve product efficiency or augment intelligence to an existing product, giving it

a competitive edge. In cybersecurity, CIOs can leverage transformational technologies like SASE (Secure

Access Service Edge) to boost cybersecurity, provide high-speed connectivity and reduce IT overheads.

5. Get Priorities in Order

Choose your battles wisely based on mandates, urgency, business needs, ROI, previous experiences

and understanding of market trends. Seize opportunities for quick wins like improving processes, vendor

management, SLA timelines and end-user applications. Resist firefighting.

Weigh out the risks and repercussions before you make major decisions. Get executive sponsorship for

your actions and priorities. If needed, set up a steering committee to secure buy-in from a diverse group.

Determine where the power lines are drawn and what priorities can be addressed first to instill greater

confidence across internal stakeholders.

There is no silver bullet for a successful transition. We can all agree that there is a lot to manage and not

everything is just about technology. Having an organized approach in place for your first 100 days



ensures you cover all your bases, leaning in for a better shot at being successful in your new role along

with establishing yourself as a valued and inspirational leader.

About the Author

Etay Maor is the Senior Director of Security Strategy for Cato

Networks, provider of the world’s first Secure Access Service

Edge (SASE) platform, converging SD-WAN and network

security into cloud-native services. Previously, Etay was the

Chief Security Officer for IntSights, where he led strategic

cybersecurity research and security services. Etay has also held

senior security positions at IBM, where he created and led

breach response training and security research, and RSA

Security’s Cyber Threats Research Labs, where he managed

malware research and intelligence teams. Etay is an adjunct

professor at Boston College and is part of Call for Paper (CFP) committees for the RSA Conference and

QuBits Conference. He holds a BA in Computer Science and an MA in Counter-Terrorism and Cyber-Terrorism.



Cyber EO and Meeting Cloud Modernization Effort

By Stephen Kovac, Vice President of Global Government and Head of Corporate

Compliance, Zscaler

In the wake of recent high-profile attacks and an evolving hybrid work environment, agencies are working to meet President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity to protect users, devices, and data.

In the recent Zenith Live virtual event, I sat down with cyber leaders from the Department of Health and

Human Services Office of Inspector General, Department of Education, and Cybersecurity and

Infrastructure Security Agency (CISA).

We discussed zero trust security, FedRAMP, the Trusted Internet Connection (TIC) 3.0 policy, and how

agencies can achieve modernization goals and the terms of the EO.

The EO requires agencies to prioritize cloud adoption using Office of Management and Budget (OMB) guidance, plan for zero trust architectures using National Institute of Standards and Technology (NIST) special publications, and report their status to OMB and the Department of National Security Advisor for Cybersecurity.

Working to implement these modernization efforts is a journey, not a destination, as agencies work to

make a culture shift towards cloud, zero trust, and new technology rather than just checking the boxes.

“Thank God for the EO, I say,” said Gerald Caron, Chief Information Officer for the Department of Health

and Human Services Office of Inspector General. “I think it moves us more towards being effective overall

for our agencies to be effective at cyber – not just checking boxes.”

Mitigating Threat with Zero Trust

The EO gave agencies 60 days to implement zero trust as they shift to cloud technology to “prevent,

detect, assess, and remediate cyber incidents.”



Zero trust gives agencies strong access management and security tools to prevent unauthorized users from seeing applications and sensitive data – minimizing the attack surface and giving IT teams peace of mind as they monitor their environment.

NIST SP 800-207 zero trust guidance provides a roadmap for migrating to and deploying zero trust across the enterprise environment. It outlines the necessary tenets of zero trust, including securing all communication regardless of network location and granting access on a per-session basis. This creates a least-privilege access model that ensures the right person, device and service have access to the data they need while protecting high-value assets.

The NIST National Cybersecurity Center of Excellence (NCCoE) recently announced its Implementing a

Zero Trust Architecture Project where best-of-breed zero trust leaders will collaborate to demonstrate

several approaches to implementing zero trust architectures. This coalition will work side by side to realize

the opportunity for zero trust to strengthen every agency’s cyber defenses.

“For us, when we talk about zero trust architectures, it's not just the discussion around technologies,

infrastructure, services, cloud, and all the cool things that come together to make it happen,” said Steven

Hernandez, Chief Information Security Officer at the Department of Education. “It's also a very robust

discussion around data, because data is at the heart of everything that we're driving.”

President Biden’s EO also gave agencies 60 days to begin modernizing FedRAMP, and specifically

“establish a training program to ensure agencies are effectively trained and equipped to manage

FedRAMP requests.”

A FedRAMP-authorized zero trust security model allows IT administrators to wrap policies around users

and applications to ensure comprehensive security regardless of where they connect from, and what they

connect to.

This approach reduces the attack surface and the risk of users accessing unauthorized data or

applications. Additionally, IT administrators have centralized visibility to track, log, and manage all users

connecting to the network on any device, in any location – a huge advantage for managing an extensive

remote or hybrid environment.

Updated Policy and Modern Security for Complex Environments

The updated TIC 3.0 guidance has opened the door for agencies to adopt modern, hybrid cloud

environments. This security approach will be critically important for agencies to secure their cloud

capabilities and scale up and down as needed.

“The guidance offers a new security strategy for agencies to explore new opportunities, redefine the

perimeter, and flexible architectures, zero trust being one of those we want to talk about,” said Sean

Connelly, TIC Program Manager and Senior Cybersecurity Architect at CISA. “New visibility is the most

fundamental change in the guidance.”

As employees work in remote or hybrid environments and agencies follow modern TIC 3.0 guidance,

agencies can position the security closer to the resources, having everything at one access point.

To secure access points, agencies should adopt a Secure Access Service Edge (SASE) security model,

which addresses today’s most common security challenges arising from more applications living outside

the data center, sensitive data stored across multiple cloud services, and users connecting from

anywhere, on any device.



Following the SASE model, agencies can invert the traditional security model to move essential security

functions to the cloud so users can access data and networks from any location, while security is pushed

as close to the user/device/data as possible. With the SASE model, CISA inverted their services, such

as the Continuous Diagnostics and Mitigation (CDM) program to secure data where it is generated, and

Government Services Administration (GSA) has likewise adjusted their model of Enterprise Infrastructure

Solutions (EIS) in the same way.

What’s Next as Agencies Modernize

The updated policies, authorizations, new security measures, and hybrid work environments are pointing

agencies towards one initiative – cloud adoption and modernization. Now as agencies unify towards this

push, they can learn from one another on this journey.

“I think we're headed in that direction, we're going to find ourselves there one way or another, and I think

that's a good thing,” said Hernandez. “I think that by having more people in a centralized environment,

with less attack surface, better configuration, and change control – ultimately, we can learn from each

other and have a body of practice around centers of excellence that do this well.”

About the Author

Stephen Kovac is the Vice President of Global Government

and Head of Corporate Compliance of Zscaler. He is

responsible for strategy, productizing, and certification of the

Zscaler platform across global governments. He also runs the

global compliance efforts for all of Zscaler. In his role, Stephen

leads his team’s efforts to advance Federal IT modernization

by delivering cloud security solutions through direct-to-cloud

connections and zero trust security capabilities. He has pushed

for cloud security reform by speaking at events, meeting with

agency leaders, publishing, working on pilot programs, and working directly with the Hill. Stephen can be

reached online at Twitter, LinkedIn, and at our company website

https://www.zscaler.com/solutions/government



Defeat Ransomware with Immutable Backup Data and

Encryption

Move beyond traditional security strategies to protect against the two most common types of ransomware

threats

By Jon Toor, CMO, Cloudian

The Director of the FBI recently described ransomware as posing a threat comparable in scale to the

September 11 terrorist attacks. In light of these comments, and after several high-profile ransomware

incidents such as the Colonial Pipeline attack, there should be little doubt that ransomware poses the

greatest cybersecurity threat to organizations today.

Broadly speaking, cybercriminals take two approaches to ransomware: they encrypt data to prevent

victims from accessing it, and they download confidential or sensitive information and threaten to release

it to the public. These two approaches are not mutually exclusive – cybercriminals will often encrypt data

and threaten to release it to the public if ransoms aren’t paid within a certain timeframe. In fact, data

extortion attempts now occur in 77% of ransomware attacks.

Organizations are employing several traditional strategies to combat this threat, such as using endpoint

security solutions and conducting anti-phishing training for employees. While these are helpful best

practices, they will eventually fail against savvy cybercriminals. There are two proven ways to mitigate

the impact of ransomware: the use of immutable (or unchangeable) backup data and encryption.

Immutable storage backups prevent hackers from encrypting data, thereby neutralizing their ability to

lock up data and prevent organizations from accessing it. Meanwhile, data encryption prevents



cybercriminals from exposing data. Because many ransomware gangs try to do both during each attack,

organizations should employ data immutability and encryption to protect themselves fully and avoid

having to pay ransom.

Immutable storage

In traditional ransomware attacks, cybercriminals encrypt an enterprise’s critical data, holding it hostage

and making it inaccessible until the victim pays a ransom. The best way to defend against these attacks

is by creating immutable backup copies of your data. Immutable storage is cost efficient and simple to

use: Once a backup data copy is written, that backup cannot be altered or erased for a specified period

of time, making it impossible for ransomware to encrypt that data. If a ransomware attack does occur,

organizations can rapidly restore that data backup through a normal recovery process. There’s no need

to pay a ransom.

There are two storage architectures that provide data immutability. One is to create a backup copy on

magnetic tape. If that tape is then physically removed from the library, it effectively becomes

unchangeable. However, this approach takes extensive time and resources to manage. The other option

is to use immutable object storage as a backup target. Select object storage platforms support an

immutability feature called Object Lock, which prevents a stored copy from being overwritten (for example, re-encrypted by ransomware) or deleted for a user-defined

period. Multiple backup software vendors support this feature as part of a fully automated backup

workflow. In the event of an attack, this provides fast recovery from a clean data copy.
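To make the Object Lock behaviour concrete, here is an added example, not Cloudian's or any vendor's code: a simplified in-memory model (an assumption, not a real storage API) of a versioned bucket with per-version retention. It walks through the scenario above: ransomware overwrites the backup and tries to purge the original, yet the clean version survives and can be restored.

```python
"""Model of S3-style Object Lock retention on a versioned backup bucket.

Added example, not Cloudian's or any vendor's code. It is a simplified
in-memory model (an assumption): every write creates a new version with its
own retention date, and no version can be removed before that date, so an
attacker who overwrites or tries to delete the backup still leaves a clean
copy to restore.
"""
from datetime import datetime, timedelta, timezone


class ObjectLockedError(Exception):
    """Raised when a caller tries to remove a version still under retention."""


class LockedBucket:
    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self.versions = {}  # key -> list of version dicts, oldest first
        self._next_id = 0

    def put(self, key, data, now):
        """Write-once: each put appends a new, independently locked version.
        An overwrite (e.g. ransomware re-encrypting the backup) never touches
        the earlier version."""
        self._next_id += 1
        vid = f"v{self._next_id}"
        self.versions.setdefault(key, []).append(
            {"vid": vid, "data": data, "written": now, "retain_until": now + self.retention})
        return vid

    def delete_version(self, key, vid, now):
        """Permanent deletion of one version; refused while it is retained."""
        for v in self.versions.get(key, []):
            if v["vid"] == vid:
                if now < v["retain_until"]:
                    raise ObjectLockedError(
                        f"{key}/{vid} retained until {v['retain_until'].isoformat()}")
                self.versions[key].remove(v)
                return True
        return False

    def restore(self, key, trusted_before):
        """Return the newest version written before the suspected intrusion
        time, i.e. the clean copy a normal recovery process would use."""
        candidates = [v for v in self.versions.get(key, [])
                      if v["written"] < trusted_before]
        return candidates[-1]["data"] if candidates else None


def ransomware_drill():
    """Walk through the scenario in the text and return what each step yielded."""
    bucket = LockedBucket(retention_days=30)
    t0 = datetime(2021, 9, 1, tzinfo=timezone.utc)  # constructed timeline
    v1 = bucket.put("db.bak", b"clean backup", t0)
    # Day 5: intruder overwrites the object and tries to purge the original.
    bucket.put("db.bak", b"ENCRYPTED BY RANSOMWARE", t0 + timedelta(days=5))
    try:
        bucket.delete_version("db.bak", v1, t0 + timedelta(days=5))
        purge_blocked = False
    except ObjectLockedError:
        purge_blocked = True
    restored = bucket.restore("db.bak", trusted_before=t0 + timedelta(days=4))
    # Day 31: retention has lapsed, so normal lifecycle deletion works again.
    expired_delete = bucket.delete_version("db.bak", v1, t0 + timedelta(days=31))
    return {"purge_blocked": purge_blocked, "restored": restored,
            "expired_delete": expired_delete}


if __name__ == "__main__":
    print(ransomware_drill())
```

In a real deployment, choose a compliance-style lock mode so that an intruder holding administrator credentials cannot shorten the retention period, and size the period to exceed the time an intrusion can plausibly go unnoticed.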

Data encryption

In the other type of ransomware attack, cybercriminals access an organization’s sensitive information,

download it and threaten to release it publicly or sell it on the dark web unless the victim pays. Immutable

backup storage isn’t enough in this case, as the hackers aren’t trying to lock an organization out of its

data. That’s why it’s important to encrypt your sensitive data.

Data encryption works by changing data into ciphertext, an unrecognizable format that requires a special

key to decipher it. Without the corresponding decryption key, hackers can’t release the data in a form

that’s intelligible.

Both data-at-rest (stored data) and data-in-flight (data that’s being acquired or moved within an

organization, such as data being migrated to a public cloud) should be encrypted to prevent data

extortion. For data at rest, AES-256 encryption uses either a system-generated key (regular server-side encryption, or SSE) or a key that the customer provides and manages (SSE-C). With SSE-C, the key accompanies each upload and download request over HTTPS, and the system does not store a copy of the key.

Data in flight is also vulnerable to breaches through “eavesdropping,” in which cybercriminals “listen” to data communications, searching for passwords or other information transmitted in plaintext. To prevent eavesdropping, data should travel over a secure transport protocol such as Transport Layer Security / Secure Socket Layer (TLS/SSL), combined with AES-256 encryption of the stored data and a key management mechanism such as SSE, Amazon Web Services Key Management Service (AWS KMS) or the OASIS Key Management Interoperability Protocol (KMIP).



Conclusion

As ransomware attacks grow in frequency and sophistication, more organizations will be hit in 2021,

causing substantial economic losses and reputational damage. It’s critical that enterprises move beyond

traditional cybersecurity strategies to ensure their businesses are protected. Immutable storage and data

encryption are the most effective and comprehensive ways to prevent ransomware from wreaking havoc

on your organization.

About Jon Toor

Jon Toor is the CMO of Cloudian. Jon leads Cloudian’s inbound

and outbound marketing teams. Prior to Cloudian, Toor served

as vice president of digital marketing and demand generation at

Brocade. He also served as the vice president of marketing at

Xsigo Systems where he led the outbound marketing team, a

group he led from company launch until the company

acquisition by Oracle. Prior to Xsigo, he served at ONStor as

vice president of marketing. Toor holds an MBA, bachelor of science in mechanical engineering, and a

bachelor of arts in economics all from Stanford University.

Jon can be reached online at https://www.linkedin.com/in/jontoor/ or jtoor@cloudian.com and, more

information on Cloudian is available at https://www.cloudian.com/.



The Struggle You Don’t See: Mitigating the Impacts of

Cyberattacks on the Workforce

By Nick Carstensen, CISSP, Product Manager - Security & Integrations, Graylog

As cyberattacks increase, cybersecurity professionals point to business interruption costs as a way to

get senior management’s attention. At the same time, the industry discusses security professional

burnout and alert fatigue as problems. However, sitting between security teams and senior management

is an entire workforce that also feels the effect of cyberattacks. Very few people dig into the impact that

attacks have on employees, also known as end-users and customer support teams.

In the end, all three groups find themselves frustrated. End-users can’t do their jobs. IT help desks can’t

answer questions. Security teams work continuously to find the root cause of the problem.

End-users: The Frustration Is Real

Despite security professionals often bemoaning the “human element” leading to cybersecurity attacks,

they often forget that the attacks impact end-users. Most data breach news articles focus on data and

financial impacts, but few mention the impact a cybersecurity attack has on customer and end-user daily

activities.

So what is the impact? The answer is: it depends.

When threat actors attacked Scripps Health in May 2021, hospitals were forced to cancel appointments

because healthcare professionals could not access patient records. An article reporting on the 2020

malware attack against the Southeastern Pennsylvania Transportation Authority (SEPTA) noted that “the

effect behind the scenes left end-users scrambling to find colleagues’ phone numbers and resorting to

personal email accounts as many work remotely.” Not only does business interruption lead to lost income

and end-user productivity, but it also leads to frustration.



The Help Desk: Putting on a Brave Face

When end-users face a technology problem, the first call is usually to the IT help desk. Before the security

team jumps into action, end-users may notice operational issues, including:

• System latency

• Unavailable applications

• Account lockouts
Consider the following examples.

A Distributed Denial of Service (DDoS) attack shuts down the network. End-users are unable to access

the network. Thinking that the problem is something wrong with their wireless connection or password,

they call the IT help desk.

A threat actor attempts to use a stolen credential to access an application. When the end-user tries to

log into their account, she finds that her account has been locked. She calls the IT help desk.

In each case, the IT help desk acts as the “first responder,” answering questions and trying to fix the

problem. If security and IT operations teams do not effectively communicate, end-user frustration grows.

The IT help desk fails to provide the hoped-for customer service because they need to start looking for

the root cause of the problem.

The Security Team: Working to Investigate and Resolve the Incident

Behind the scenes, the security team receives alerts, investigates the incident, and finds ways to resolve

the incident. However, the security team’s struggle is also real.

In some cases, frustrated end-users calling the IT operations team for help might be the first indication

that a company suffered an attack. The problem is not the security team. It’s the volume of alerts and

false positives. According to one article, 39% of security teams say that they handle 1,000 alerts per day,

and 93% say they cannot address all the alerts on the same day. Without high-fidelity alerts and tools

that streamline investigations, security teams spend hours sifting through data.



Teamwork With Centralized Log Management

Nobody wants unhappy end-users. Nobody wants security breaches. How do you make it easy for your

teams to turn this around to happy users and a robust security posture? Enter centralized log

management.

Log data is the same no matter the source. It’s the visibility that varies based on roles. IT operations are

searching for that locked-out end-user, monitoring for any configuration issues or performance

bottlenecks. Security teams are looking at the data from the perspective of the threat hunter or to

proactively secure the infrastructure from known breaches. The best way to keep end-users happy and

productive while maintaining a robust security posture is for your IT and security teams to work with a

centralized log management solution built and architected the right way to support the needs of the

business. The result is faster detection, deeper visibility into the log data for more usable intelligence, higher-quality results, and more.
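The point that the same log data serves both teams can be shown on the lockout scenario from earlier in the article. This is an added example, not Graylog's code: constructed Windows Security event 4740 (“a user account was locked out”) records in a simple key=value line format (an assumption), with a help-desk query answering “is this user locked out, and from where?” and a security query asking whether one source locked out many accounts in a short window.

```python
"""Two views over the same account-lockout log data.

Added example, not Graylog's code. Records are constructed samples of
Windows Security event 4740 in a key=value line format assumed for this
example; the 'caller' field stands in for the computer that triggered the
lockout.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one ordinary lockout, four lockouts from one VPN gateway
# within seconds of each other, and an unrelated successful logon (4624).
LOCKOUT_EVENTS = """\
ts=2021-09-07T08:01:10Z event_id=4740 user=jsmith caller=WS-FINANCE-12
ts=2021-09-07T08:01:12Z event_id=4740 user=agarcia caller=VPN-GW-01
ts=2021-09-07T08:01:13Z event_id=4740 user=bchen caller=VPN-GW-01
ts=2021-09-07T08:01:15Z event_id=4740 user=dkumar caller=VPN-GW-01
ts=2021-09-07T08:01:16Z event_id=4740 user=eokafor caller=VPN-GW-01
ts=2021-09-07T08:03:40Z event_id=4624 user=jsmith caller=WS-FINANCE-12
"""


def parse(text):
    """Turn key=value lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append(dict(part.split("=", 1) for part in line.split()))
    return records


def lockouts(records):
    return [r for r in records if r.get("event_id") == "4740"]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def within_window(recs, window_seconds):
    stamps = sorted(_ts(r["ts"]) for r in recs)
    return (stamps[-1] - stamps[0]).total_seconds() <= window_seconds


def helpdesk_view(records, user):
    """Ops question: is this user locked out, and from which machine?
    Returns the most recent lockout for the user."""
    for r in reversed(lockouts(records)):
        if r["user"] == user:
            return {"locked": True, "at": r["ts"], "caller": r["caller"]}
    return {"locked": False}


def security_view(records, threshold=3, window_seconds=120):
    """Security question: did one caller lock out many distinct accounts in a
    short window? That pattern suggests credential guessing, not a forgetful user."""
    by_caller = defaultdict(list)
    for r in lockouts(records):
        by_caller[r["caller"]].append(r)
    alerts = []
    for caller, recs in by_caller.items():
        users = {r["user"] for r in recs}
        if len(users) >= threshold and within_window(recs, window_seconds):
            alerts.append({"caller": caller, "accounts": sorted(users)})
    return alerts


if __name__ == "__main__":
    recs = parse(LOCKOUT_EVENTS)
    print("help desk:", helpdesk_view(recs, "jsmith"))
    print("security:", security_view(recs))
```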



Even when you pull back the curtain and give your end-users a front-row seat to a typical day in the world

of IT and security, they forget everything the minute they’re staring at the message “Incorrect password”

on their screen or drumming their fingers when the systems are offline. In the end, the best way to keep

your end-users happy is to end the struggle they don’t see.

About the Author

Nick Carstensen, CISSP, is the Product Manager - Security &

Integrations at Graylog. Nick is a cybersecurity expert with

15+ years of experience in security and the log/SIEM industry. For more

information, visit https://graylog.org.



How Bug Bounty Programs Can Help Businesses Achieve

Agile Transformation

By Sam Lowe, UK Lead, YesWeHack

The pandemic has been a catalyst for digital transformation but while many businesses have advanced

their operations by years in a matter of months, many organizations have seen their pace of adoption

hindered by the complexity of IT security.

As modern businesses with a digital presence try to balance existing and new technology deployments

in an ever-evolving landscape of digital threats, many find themselves in a tug of war between the need

for speed and having sufficient protocols in place when it comes to cybersecurity. Here, striking a balance

is crucial.

Traditionally, most organizations have relied on penetration testing or ‘pentests’, to identify vulnerabilities

in applications. However, this approach is proving itself increasingly obsolete in today’s fast-paced digital

world.

How pentests hinder agile transformation

Penetration testing can be described as a security exercise whereby a cyber security professional

attempts to find and exploit vulnerabilities in a computer system. The purpose of the simulated attack is

to identify any weak spots in a system’s defenses that attackers could potentially exploit.

Yet, penetration testing is limited in regard to the skill mobilized. Only a small cohort of security experts

are used, and this could mean that a consultant involved in the testing may lack the relevant skills needed



to master the technical environments associated with the tests and the potential attack techniques. With

pentest deadlines being tight enough as is – with often too many projects to follow – security experts with

limited exposure to complicated threats can hinder agility.

Furthermore, most pentests are invariably one-off, time-boxed processes, performed one or two weeks

per year, resulting in only a snapshot of vulnerabilities found during the test. This can be impractical when

you consider that serious and critical vulnerabilities often take several weeks, if not months to discover.

In truth, annual or biannual audits are not compatible with the growing need for businesses to remain agile and scale at speed, especially when the rapid pace of software development demands a more dynamic approach.

Collaboration that goes beyond traditional testing

So how can organizations deliver applications while meeting business objectives? Implementing a bug

bounty program can help by identifying and eliminating the vulnerabilities that opportunistic hackers will

target across the growing attack surface. The platform acts as a useful resource for developers, giving them easy access to security researchers who can highlight vulnerabilities in their applications and suggest recommended patches.

By collaborating with hunters, developers can ensure that security is not a cumbersome process and

soak up the skills and knowledge shared by the hunter to provide stringent security that is implemented

into future projects. It also gives assurances for management teams by initiating remedial checks that

can be carried out to ensure that the bugs that have been highlighted by the security researcher have

been properly patched.

An innovative approach to testing

Essentially, a bug bounty platform provides continuous security monitoring that enables businesses to

be reactive to impending threats. It is an agreement whereby organizations reward ‘ethical hackers’ or

security researchers for reporting bugs concerning security exploits and vulnerabilities. The more critical

the reported bug is, the higher the reward.

In an ideal world a bug bounty programme would be run at the start of the development of an application

and then as a continuous program – surfacing bugs during the pre-production, acceptance or testing

phase and beyond.

At a time when it is estimated that cybercrime will cost the world a staggering $10.5 trillion annually by

2025, it’s important that organizations adopt a multi-layered defense. A bug bounty program should be a

crucial component of any company’s security stack. Here’s why.

Commitment to security

Over the years, data protection has become a more pressing issue for businesses to address as more

hackers look to leverage stolen customer data against organizations. Volkswagen is just one of the many

companies in recent months that have suffered a customer data breach, in this case impacting 3.3 million

customers.

In 2019, Canva had a data breach that saw information from over 139 million of its users’ exposed. And

last year the details of more than 538 million Weibo users were available for sale online following a hack.

Ransomware is also paralyzing businesses – the single biggest attack on record occurring this year when

a vulnerability in Kaseya VSA software was leveraged against multiple managed service providers and

their customers. In its wake, hundreds of businesses in the world were negatively impacted.

Today’s consumers have an expectation that businesses will do their utmost to keep their data secure,

with any data breach denting consumer confidence in a business. Deploying a public bug bounty program

is a good way for a business to demonstrate its commitment to protecting customer data.

Lazada, the leading e-commerce platform in Southeast Asia and a subsidiary of the Alibaba group is one

company demonstrating its commitment to protecting its user data. Since January 2020, it has been

working with ethical hackers to detect security vulnerabilities in its IT environment. To date over

US$150,000 in bounties have been awarded to security researchers as part of its private bug bounty

program in which a select group of security researchers are invited to find bugs within its systems.

After running such a successful 18-month private program, it has now launched a public bounty program

on YesWeHack’s platform and is offering $10,000 per vulnerability discovered.

For companies that use a bug bounty program, in addition to enabling businesses to identify new attack

techniques and find solutions to counteract them, it also reassures customers that the safety of their data

is valued by the business they are trusting with it.

The future is bug bounty

Evolution is part and parcel of any industry. For organizations planning to incorporate cybersecurity best

practices, a bug bounty program enables you to be ahead of the curve. It allows you to utilize the expertise

and skills of tens of thousands of security researchers and provides you with a better chance of finding

critical vulnerabilities. For modern businesses that need to be increasingly agile against the growing

threats of cyberattacks, while also being nimble enough to foster digital transformation, a bug bounty

program should be considered as a crucial weapon in your arsenal to neutralize threats.

About the Author

Sam is the UK lead at YesWeHack and helps organisations

strengthen their cyber security through the adoption of Bug Bounty.

He was previously the Commercial Manager for a leading Managed

Security Service Provider (MSSP), working with clients on improving

their overall cyber security strategy.

Using Decentralized, Zero-Knowledge Services to

Enhance Security

By Ben Golub, CEO and Executive Chairman at Storj

Over the years, DevOps and cybersecurity teams have faced an increasingly complex challenge of

thwarting attackers and protecting the systems they secure. 2021 has proven to be no different. In just

the first seven months, businesses and governments around the world have faced some of the most

sophisticated attacks we’ve ever seen.

Ransomware attacks like the Colonial Pipeline and JBS meats attacks have crippled various aspects of

the US economy and cost companies millions of dollars in lost revenue and ransomware fees. On the

Dark Web, you can now even buy RaaS (Ransomware-as-a-service), meaning nearly anyone can now

be a hacker making millions from ransomware by holding files hostage. Meanwhile, traditional data

breaches have exposed the personal information of hundreds of millions of people around the world. In

just the first half of this year, it’s estimated that 18.8 billion records were exposed through various attacks.

It’s no coincidence that earlier this year President Biden issued an executive order on Improving the

Nation’s Cybersecurity. In this executive order, President Biden specifically calls on government agencies

to adopt zero trust architectures as one way to combat “sophisticated malicious cyber campaigns that

threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”

Decentralization and Zero-Knowledge Networks

Many people in the decentralized cloud space believe that while zero trust is a great start, it actually

doesn’t go far enough. Zero Trust architectures assume a system attempting to access a resource has

been compromised. Zero knowledge architectures assume even the infrastructure hosting the resource

may be compromised. Your security posture changes considerably when you can't even trust your own

infrastructure.

By building in this redundancy, zero-knowledge architectures ensure every part of the network is secure

and that data is always available. This protects against many vulnerabilities, such as the misconfigured

print server that attackers used in the Equifax data breach, the misconfigured S3 buckets that leave data

exposed, the typo that brings down a substantial portion of the Internet, and even many types of

cryptoviral ransomware attacks.

Decentralized storage systems do this by using erasure coding to build redundancy into files and

encryption to keep them secure and only accessible by the file owner. For example, a file may be encoded

for redundancy and broken up into 80 pieces, of which only 29 are required to rebuild the data. Each of

these pieces is encrypted using keys only possessed by the data owner (and those they authorize) and

exists on a unique Node. As long as 52 Nodes—all of which have their own power supply, internet

connection, and facilities—are not taken offline at the exact same time, data remains intact and the file

can be rebuilt from its existing pieces. No piece of the infrastructure has access to the encryption keys

and therefore the underlying data. Because of its zero-knowledge architecture, the system is also auditing

all these 80 Nodes to ensure they’re storing what they say they do. If they’re not, the missing piece is

rebuilt in its encrypted state.

If a cryptoviral ransomware attack threatened a single Node or even a larger group of Nodes, the system

could identify the attack through audits and rebuild all the missing pieces before any file was lost.

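The 80-pieces/29-needed arithmetic above, together with the audit-and-repair loop, can be made concrete with a small threshold scheme. The block below is an added illustration written for this article, not Storj's codec or any of its parameters: it encodes each block of bytes as a polynomial over the prime field modulo 257 (a Reed-Solomon-style construction chosen for the demo), evaluates it at n points, rebuilds from any k of them, keeps a per-piece fingerprint so storage nodes can be audited, and regenerates a lost or corrupted piece from the healthy ones. It assumes the caller has already encrypted the data before calling encode(), so the repairer only ever handles ciphertext; the sample blob is constructed.

```python
"""Toy threshold storage: n pieces, any k rebuild the data, pieces are audited
by fingerprint and repaired without anyone needing the plaintext.
Added example; not Storj's implementation. Encoding is polynomial evaluation
over GF(257), so every byte is a field element. The input is assumed to be
already-encrypted bytes supplied by the data owner."""
from hashlib import sha256

P = 257  # smallest prime above 255 (demo choice)


def _inv(a: int) -> int:
    return pow(a, P - 2, P)  # Fermat inverse, valid because P is prime


def _poly_eval(coeffs, x: int) -> int:
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % P
    return acc


def encode(data: bytes, k: int, n: int) -> dict:
    """Each k-byte block becomes the coefficients of a degree-(k-1) polynomial;
    piece x (1 <= x <= n) stores that polynomial's value at x for every block."""
    assert 0 < k <= n < P, "need k <= n and fewer than P evaluation points"
    padded = data + b"\x00" * (-len(data) % k)
    blocks = [list(padded[i:i + k]) for i in range(0, len(padded), k)]
    return {x: [_poly_eval(b, x) for b in blocks] for x in range(1, n + 1)}


def _solve(xs, ys, k):
    """Recover polynomial coefficients from k points by Gaussian elimination on
    the Vandermonde system mod P (distinct xs make it non-singular)."""
    m = [[pow(x, j, P) for j in range(k)] + [y] for x, y in zip(xs, ys)]
    for col in range(k):
        piv = next(r for r in range(col, k) if m[r][col])
        m[col], m[piv] = m[piv], m[col]
        inv = _inv(m[col][col])
        m[col] = [v * inv % P for v in m[col]]
        for r in range(k):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % P for a, b in zip(m[r], m[col])]
    return [row[k] for row in m]


def _recover_blocks(pieces: dict, k: int):
    if len(pieces) < k:
        raise ValueError(f"only {len(pieces)} pieces available, need {k}")
    xs = sorted(pieces)[:k]  # any k distinct pieces will do
    nblocks = len(pieces[xs[0]])
    return [_solve(xs, [pieces[x][b] for x in xs], k) for b in range(nblocks)]


def decode(pieces: dict, k: int, length: int) -> bytes:
    out = bytearray()
    for block in _recover_blocks(pieces, k):
        out.extend(block)
    return bytes(out[:length])


def fingerprints(pieces: dict) -> dict:
    """What the owner keeps for audits: one hash per piece, never the data."""
    return {x: sha256(repr(v).encode()).hexdigest() for x, v in pieces.items()}


def audit(stored: dict, fps: dict) -> list:
    """Indices whose piece is missing or no longer matches its fingerprint."""
    return sorted(x for x in fps
                  if x not in stored or fingerprints({x: stored[x]})[x] != fps[x])


def repair(stored: dict, k: int, bad: list) -> dict:
    """Regenerate failed pieces from any k healthy ones."""
    healthy = {x: v for x, v in stored.items() if x not in bad}
    blocks = _recover_blocks(healthy, k)
    return {x: [_poly_eval(b, x) for b in blocks] for x in bad}


def tolerated_failures(k: int, n: int) -> int:
    """How many pieces may vanish at once before data is lost: n - k."""
    return n - k


if __name__ == "__main__":
    # Constructed sample using the article's parameters: 80 pieces, 29 needed.
    blob = b"already-encrypted blob (constructed sample)"
    pieces = encode(blob, 29, 80)
    print("pieces that can be lost at once:", tolerated_failures(29, 80))
    print(decode(dict(list(pieces.items())[51:]), 29, len(blob)))
```

With k = 29 and n = 80 the scheme survives any 51 simultaneous losses and fails at 52, which is the figure the article gives. The audit step compares fingerprints only, so a storage node can be checked and a missing piece rebuilt by a party that never sees the plaintext; a real deployment would also authenticate the audit challenge rather than trust the node to return its own piece.
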
Chaos Engineering and the Simian Army

By building a network so any part of it could fail, you ensure that the network itself will not. This is exactly

how today’s internet works. You don’t care about the routers and switches that connect you from point A

to point B. You simply design the data being transferred to be impervious to potential eavesdroppers.

The internet is designed to be decentralized—it’s only when centralized repos are created (and breached)

that you encounter outages that take down large swaths of the internet.

Another great example of using security, redundancy, and decentralized architectures to create resilience

is Netflix. To achieve exceptional availability, Netflix has pioneered the notion of “Chaos Engineering.” In

2011, Netflix created an internal tool called Chaos Monkey that randomly (and purposely) takes out entire

servers. This forced their engineers to design systems that are resilient in a way that simulated failures

and tabletop exercises never could produce. Netflix has since extended Chaos Monkey to an entire

simian army that takes out systems, subnets, availability zones, and (in the case of Chaos Kong) entire

data center regions. By purposely creating an environment where device availability can’t be trusted,

Netflix creates an environment where there is high system availability.

Using Edge-based Access Controls to Stop Ransomware

Decentralized systems generally use decentralized, edge-based access management tools such as

Macaroons. These types of edge-based access controls mean there is no central repo of keys for

attackers to target. This allows businesses to decouple various capabilities—such as search, read, write,

and delete—without having to employ specialized individuals or expensive services. While sophisticated

cybersecurity professionals can build similar one-off architectures, with decentralized systems, all of this

is done in easy intuitive ways without adding additional cost or complexity because it’s required to make

the system run.

If ransomware attackers managed to gain access to a network, there is no central repo of credentials to

access to encrypt the data, delete various backups, or commit other nefarious activities. Even if an

attacker was able to get credentials from an application running a backup, those credentials can easily

be restricted to only upload data, rather than modify or delete.

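The macaroon-style tokens described above can be sketched in a few dozen lines. The block below is an added example written for this article, not Storj's code and not a real macaroon library: a token is an HMAC chain rooted in a key that only the verifier holds, any holder can narrow the token by appending caveats, and nobody can widen it because removing a caveat would require inverting the HMAC. The caveat grammar ("action in", "bucket =", "expires <") and the root key are constructed for the demo.

```python
"""Minimal macaroon-style capability token (added example, toy code).
sig0 = HMAC(root_key, token_id); each caveat c updates sig = HMAC(sig, c).
Attenuation needs only the token; verification needs the root key, so the
verifier holds the single secret and no credential store is handed to apps."""
import hashlib
import hmac
import time


def _h(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mint(root_key: bytes, token_id: str) -> dict:
    """Issued once by the key holder; a bare token permits everything."""
    return {"id": token_id, "caveats": [], "sig": _h(root_key, token_id.encode())}


def attenuate(token: dict, caveat: str) -> dict:
    """Add a restriction without the root key, e.g. before handing the token
    to a backup agent that should only ever be able to write."""
    return {"id": token["id"],
            "caveats": token["caveats"] + [caveat],
            "sig": _h(token["sig"], caveat.encode())}


def _caveat_holds(caveat: str, request: dict, now: float) -> bool:
    """Demo grammar: 'action in a,b', 'bucket = name', 'expires < epoch'."""
    if caveat.startswith("action in "):
        return request["action"] in caveat[len("action in "):].split(",")
    if caveat.startswith("bucket = "):
        return request["bucket"] == caveat[len("bucket = "):]
    if caveat.startswith("expires < "):
        return now < float(caveat[len("expires < "):])
    return False  # unknown caveats fail closed


def verify(root_key: bytes, token: dict, request: dict, now=None) -> bool:
    """Recompute the chain from the root key, then evaluate every caveat."""
    now = time.time() if now is None else now
    sig = _h(root_key, token["id"].encode())
    for caveat in token["caveats"]:
        sig = _h(sig, caveat.encode())
    if not hmac.compare_digest(sig, token["sig"]):
        return False  # chain does not match: a caveat was dropped or altered
    return all(_caveat_holds(c, request, now) for c in token["caveats"])


def tampered_copy(token: dict) -> dict:
    """A copy with the last caveat removed but the signature kept, used only to
    show that verify() rejects a token whose restrictions were edited."""
    return {"id": token["id"], "caveats": token["caveats"][:-1], "sig": token["sig"]}


if __name__ == "__main__":
    root = b"demo-root-key-kept-only-by-the-verifier"  # constructed
    backup = attenuate(attenuate(mint(root, "backup-agent-01"),
                                 "bucket = backups"), "action in write")
    print(verify(root, backup, {"action": "write", "bucket": "backups"}))   # True
    print(verify(root, backup, {"action": "delete", "bucket": "backups"}))  # False
```

The write-only backup credential the article describes is the second token above: a process that holds it can upload, but a request to delete or to touch another bucket fails even though the token itself is valid, and editing the caveat list out of the token invalidates the signature.
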
Don’t be the Low-hanging Fruit

As it is with most cybersecurity breaches, unless you’re a high-value target, the best strategy is to avoid

being the lowest-hanging fruit on the tree. Attackers are looking for easy marks, so employing many of

these cybersecurity features that decentralized architectures can offer could greatly reduce the risk of an

attack, while also delivering many other cost and performance benefits.

About the Author

Bio: Ben Golub is the executive chairman and CEO at Storj, an

open source, decentralized cloud storage provider. Under Ben’s

guidance, Storj has rolled out initiatives that deliver better privacy

and security for developers and empower open source projects

by enabling them to passively earn revenue every time their users

store data in the cloud. Ben also serves as an advisor at Mayfield,

a global venture capital firm with over $2.7 billion under

management. He was previously co-founder and CEO at Docker,

the leader of the container and microservices movement and one

of the fastest growing open source companies in history. Prior to Docker, Ben was cofounder and CEO

of Gluster, an open source cloud storage platform that was acquired by Red Hat in 2011. Ben has a BA

from Princeton and an MBA from Harvard.

Email: Ben@storj.io

https://twitter.com/golubbe

https://www.linkedin.com/in/bengolub/

https://www.storj.io/

How to Play Like You're in the Security Majors When

You’re Still in the Minors

By Patrick Murray, chief product officer, Tugboat Logic

When it comes to smaller businesses and cybersecurity, there are two main issues at play.

One is the misconception that smaller businesses aren’t as high-risk as enterprises in terms of cyberattacks.

The second is, perhaps unsurprisingly, a lack of resources. Even when SMBs recognize the

need for stronger cybersecurity, budget and staffing constraints can keep them from implementing it.

These constraints can make it all too tempting to de-emphasize the establishment of a strong

cybersecurity posture.

The unfortunate reality is that smaller businesses aren’t immune to cyber-attacks – 28% of data breaches

in 2020 involved small businesses, according to Verizon’s Data Breach Investigation Report. And that’s

likely to be higher for 2021, given what we’ve seen with the increase of cyber-attacks in parallel with the

rise of remote work. These attacks are expensive; according to Ponemon Institute, the average cost of

an attack against an SMB is $200,000.

The budget and staffing constraints aren’t likely going away anytime soon, but fortunately, there are

options out there for small businesses that will enable them to implement enterprise-grade cybersecurity

without breaking the bank.

The threat landscape for small businesses

As mentioned above, the idea that small businesses aren’t at risk for cyber-attacks or aren’t of interest to

bad actors is a fallacy that needs to be put to bed. Any business today, no matter its size, is at risk for

cyber-attacks. And while for some this might sound like common sense, the truth is that SMBs are still

really struggling with cybersecurity. Awareness is growing but getting started remains a challenge.

A recent survey by the U.S. Small Business Administration found that 88% of small business owners felt

their business was vulnerable to a cyber-attack, but many can’t afford professional IT services, have

limited time and other resources, or they don’t know where to begin. And a survey of SMBs conducted

by Tugboat Logic found that when it comes to what’s preventing them from reaching their security goals:

• 85% said lack of internal resources prevented their business from adopting new security practices

• 48% said the cost of implementing security was prohibitive or a challenge

• 41% said lack of education in security awareness

A strong security foundation starts with a smart infosec program

An information security program contains the policies and controls that form the foundation of your

security as a company. Maybe you just started your company and want to get the essential security

controls in place. Maybe you’ve already been hacked. Regardless, getting secure can be done by taking

practical steps, with expert guidance, to ensure you’re covering the basics in your security posture. That

includes covering all seven categories of risk: customer, governance, people, regulatory, resilience,

technology, and vendor management. These essentials will help you get through this first stage of

maturity quickly and painlessly, while providing you with an infosec program you can proudly stand

behind.

Too many startups, and even later-stage companies, suffer from lack of a clear and well-structured plan

for security and privacy. This security shortfall comes front and center at quarter’s end when that must-have

customer win slips away due to failure to meet compliance requirements.

Getting started

So then, how do you actually implement a security plan, even with those aforementioned staffing and

budget restrictions? Companies lose time and money guessing which policies and controls to

implement—only to still be at risk from the most serious threats. The good news is that enterprise-grade

security and compliance tools are no longer out of reach for SMBs.

Automation can play a key role, as well. An automated framework from a trusted solution partner can

demystify the process of setting up a security and compliance program – even for those on a shoestring

budget. This will eliminate the guesswork and help you create a credible InfoSec document quickly and

easily.

Don’t forget to evaluate the potential tools carefully. You must do thorough due diligence on any

compliance tool you’re evaluating from both a risk assessment and an organizational fit standpoint. The

tool should provide reputable guidance, as well as grow with you in the longer term. You may start out

with the essential security controls, for example, and then progress to more robust controls as your

business grows, your risks increase and the number of third-party security frameworks you need to have

increases.

Starting from strength

It would be wonderful if cybercriminals would leave smaller companies alone, but it’s not in their interest

to wait to attack until their enemy is strong enough to mount a defense. That means you need to be able

to mount that defense right from the beginning. But it doesn’t mean you have to break the bank to get a

functioning infosec strategy up and running. Some of today’s enterprise-grade security and compliance

tools, coupled with automation, will help you build an infosec program that sets your SMB on a firm

security foundation.

About the Author

Patrick Murray is Chief Product Officer and

early founding member of Tugboat Logic, the

Security Assurance Platform that helps

demystify and automate the process of

managing your InfoSec program. He has

over 20 years of experience in product

management at both early-stage security

startups and public companies such

as Zenprise, DataVisor, and Websense. He

specializes in building new companies from the ground up to thriving businesses, and has built products

across a variety of security areas including Web security, cloud security, mobile security, email security,

data loss prevention, and online fraud prevention.

Patrick can be reached online at https://www.linkedin.com/in/patrickgmurray/ and at our company website

https://tugboatlogic.com.

SQL Cyber Attacks Are a Danger to Your Company

By Ryan Ayers, Consultant

Cyber attacks cost the global economy more than $1 trillion last year, making it responsible for the theft

of one percent of the global GDP. The pandemic was a bit of a catalyst, as a dependence on ecommerce

led to more opportunities for hackers, but even before COVID, cybercrime was on the rise and evolving.

Most experts expect ecommerce to continue to be sought out even after the pandemic, meaning

cybersecurity’s importance can’t be overstated.

One type of cyberattack that is gaining popularity primarily due to how easy it is to do is an SQL injection

attack, and if you have any sort of database technology, you’re probably at risk, as SQL is how the vast

majority of data scientists and developers communicate with their databases. Here is a look at what SQL

attacks are, and how you can work to prevent them.

What is an SQL Injection Attack?

SQL’s primary function is handling structured data. When used properly, data scientists can access

groups of data for analysis, and can review and remove data that has been stored. In order to access

this data, users need to prove their identities, as some of it can be very sensitive, especially when dealing

with financial data.

A hacker attempting to use an SQL injection attack does so by pretending to be someone who has the

rights to a given database, or simply bypassing protections put on a set of data. The effects of this attack

can be far-reaching, especially if an attacker is able to gain admin rights to the entirety of a database,

which does happen, though smaller breaches are much more common.

Examples of SQL Attacks Costing Companies Big Bucks

SQL has been around for nearly 20 years, and SQL injection attacks have been around for just as long.

They can allow hackers to access the credit card information stored on huge corporations’ databases,

and some attacks have been able to access more than 100 million individuals’ financial records and credit

card information. Here are a few major SQL injection attacks:

September 2002 – One of the first recorded SQL attacks occurred when a hacker accessed more than

200,000 names and credit card numbers off of the database for guess.com’s customers.

In September of 2007, the U.S. Army Corps of Engineers was the victim of an SQL attack, and

government reliance on cybersecurity was ramped up as a result.

On October 1, 2012, a hacking organization used SQL to access and publish personal records of faculty

and employees of more than 53 prestigious universities such as Harvard and Princeton in an attempt to

bring awareness to tuition prices in the United States.

In early 2021, an SQL attack with political motive accessed the database of a far-right website called

Gab, and the hackers published the information of its users online.

Preventing SQL Injection Attacks

At a high level, simple security measures like changing passwords, not allowing your home network to

be active while you’re gone, and setting up authentication methods for anyone and everyone accessing

your network should all be taken seriously. As SQL injection attacks involve deeply protected material

and information, however, there are much more granular ways to protect from these attacks.

Writing code to identify unwelcomed users is a common defense for data scientists, and many modern

firewalls have systems in place to make creating this code very easy. These firewalls can also report

back any malicious attempts to access databases. Hypersensitive data can also be coded in order to add

additional layers of protection.

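The two sections above ("What is an SQL Injection Attack?" and "Preventing SQL Injection Attacks") describe the attack and the defense in prose; the block below is an added example, not code from the article, that shows both against an in-memory SQLite table with constructed rows. The vulnerable lookup splices the user's input into the query text, so the textbook tautology returns every row; the fixed lookup binds the value as a parameter, so the same input is just a string that matches nothing. It also shows the one case binding cannot cover (a column name chosen by the user, handled with an allow-list) and a crude pattern check of the kind the article attributes to firewalls, useful as a logging signal rather than as the defense itself.

```python
"""SQL injection: vulnerable lookup beside its parameterized fix.
Added example against SQLite; table and rows are constructed sample data."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)",
                     [("alice@example.com", "4242"), ("bob@example.com", "1881")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """String formatting: the input becomes part of the SQL grammar."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameter binding: the value travels separately from the query text, so
    quotes and keywords inside it are never interpreted as SQL."""
    return conn.execute("SELECT email, card_last4 FROM customers WHERE email = ?",
                        (email,)).fetchall()


ALLOWED_SORT_COLUMNS = {"email", "id"}  # identifiers cannot be bound; allow-list them


def list_customers(conn: sqlite3.Connection, sort_by: str) -> list:
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT email FROM customers ORDER BY {sort_by}").fetchall()


_SUSPICIOUS = re.compile(r"(['\"]\s*(or|and)\s*['\"\d])|--|;|/\*", re.IGNORECASE)


def looks_like_injection(value: str) -> bool:
    """Pattern pre-filter for alerting (quote+boolean, comment, stacked statement).
    Easily evaded, so it complements parameterized queries rather than replacing them."""
    return _SUSPICIOUS.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic tautology, constructed input
    print("vulnerable:", lookup_vulnerable(db, probe))  # leaks every row
    print("safe:      ", lookup_safe(db, probe))        # []
    print("flagged:   ", looks_like_injection(probe))   # True
```

The fix is the same in every driver and ORM: keep the query text fixed and pass values through the placeholder mechanism. Where a query must vary structurally (column, table, sort direction) the variable part comes from a fixed set the application controls, never from the request.
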
Looking Forward

SQL isn’t going anywhere anytime soon, and is only poised to continue to be more and more relied upon

as companies move more to the digital office and ecommerce worlds. With this, threats are sure to

continue increasing, and new ways to access SQL databases will surely come to fruition. Staying

informed and staffing a quality cybersecurity team can keep you ahead of the hacking trends and keep

you and your customers’ information secure.

About the Author

Ryan Ayers has consulted a number of Fortune 500 companies

within multiple industries including information technology and big

data. After earning his MBA in 2010, Ayers also began working with

start-up companies and aspiring entrepreneurs, with a keen focus on

cybersecurity, data collection and analysis. Ryan Ayers can be

reached by email at mailto:ryanayers6@gmail.com and on Twitter

@thebiztechguru.

AIOps Offers Security Teams an Early Warning System

By Ranjan Goel, Vice President, Product Management, LogicMonitor

IT teams are under immense pressure to work faster than ever and deliver better results—at less cost.

And they’re struggling to do it all as their organizations take in rapidly soaring volumes of data that must

be captured, analyzed and deployed to improve business outcomes.

To meet the challenge, many IT teams are turning to Artificial Intelligence for IT Operations, or AIOps,

which uses big data and machine learning to enhance primary IT functions like identifying,

troubleshooting and resolving availability and performance issues.

Just as important, AIOps secures business infrastructure and applications by automatically blocking bad

actors in near real-time. Let’s say, for example, that a hacker is trying to access a database server. AIOps

can identify the intrusion by detecting either a change in the volume of data or a change in the location

of the user who is trying to access the database server.

AIOps features will then classify this attempted access as normal access, insecure access or elevated

security risk. Once this is done, the information is handed over to an automated system that will block

the IP address or compromised user ID and quarantine it in a sandbox for a security expert to analyze

further.

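The detection sketched above (a change in data volume or in the user's location, classified as normal, insecure or elevated risk, then handed to an automated blocker) can be shown on log data. The block below is an added example written for this article and not LogicMonitor's or any product's algorithm: it learns a per-user baseline of transfer volume and countries from constructed database-access records, scores each new access, and returns the action an automated responder would receive. The log format, the 5x volume threshold and the sample records are all assumptions for the demo.

```python
"""Early-warning triage for database access events (added example).
Baseline = per-user median bytes and set of countries seen in history.
One anomaly (new country or volume spike) -> 'insecure'; two -> 'elevated';
an unknown user is treated as elevated. Thresholds and records are constructed."""
from collections import defaultdict
from statistics import median

# Constructed sample history: "<timestamp> user=<id> ip=<addr> geo=<country> bytes=<n>"
HISTORY = """
2021-08-01T09:02:11Z user=jdoe ip=10.1.4.22 geo=US bytes=120000
2021-08-01T11:15:40Z user=jdoe ip=10.1.4.22 geo=US bytes=98000
2021-08-02T09:07:03Z user=jdoe ip=10.1.4.25 geo=US bytes=131000
2021-08-02T14:40:19Z user=jdoe ip=10.1.4.22 geo=US bytes=110000
2021-08-01T08:55:00Z user=svc-report ip=10.2.0.9 geo=US bytes=5200000
2021-08-02T08:55:00Z user=svc-report ip=10.2.0.9 geo=US bytes=5100000
""".strip().splitlines()

VOLUME_FACTOR = 5.0  # assumed threshold: more than 5x the user's median is anomalous


def parse(line: str) -> dict:
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = int(value) if key == "bytes" else value
    return rec


def build_baseline(lines) -> dict:
    """Per user: median bytes per access and the set of countries seen."""
    vols, geos = defaultdict(list), defaultdict(set)
    for rec in map(parse, lines):
        vols[rec["user"]].append(rec["bytes"])
        geos[rec["user"]].add(rec["geo"])
    return {u: {"median_bytes": median(v), "geos": geos[u]} for u, v in vols.items()}


def classify(rec: dict, baseline: dict) -> tuple:
    """Return (class, reasons) for one access record."""
    base = baseline.get(rec["user"])
    if base is None:
        return "elevated", ["no baseline for user"]
    reasons = []
    if rec["geo"] not in base["geos"]:
        reasons.append(f"new location {rec['geo']}")
    if rec["bytes"] > VOLUME_FACTOR * base["median_bytes"]:
        reasons.append(f"volume {rec['bytes']} vs median {base['median_bytes']:.0f}")
    if len(reasons) >= 2:
        return "elevated", reasons
    if reasons:
        return "insecure", reasons
    return "normal", reasons


def respond(rec: dict, klass: str) -> dict:
    """What the automated blocking step would receive for each class."""
    if klass == "elevated":
        return {"block_ip": rec["ip"], "disable_user": rec["user"], "quarantine": True}
    if klass == "insecure":
        return {"block_ip": None, "disable_user": None, "quarantine": True}
    return {"block_ip": None, "disable_user": None, "quarantine": False}


def triage(line: str, baseline: dict) -> dict:
    rec = parse(line)
    klass, reasons = classify(rec, baseline)
    return {"user": rec["user"], "class": klass, "reasons": reasons,
            "action": respond(rec, klass)}


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for new in ["2021-08-03T09:10:00Z user=jdoe ip=10.1.4.22 geo=US bytes=125000",
                "2021-08-03T03:12:00Z user=jdoe ip=203.0.113.7 geo=RO bytes=9000000"]:
        print(triage(new, base))
```

Two design points matter more than the specific thresholds: the baseline is learned per identity rather than fleet-wide (a reporting service that routinely pulls megabytes should not inflate an analyst's normal), and the class-to-action mapping is separated from the scoring, so the automated response can be tightened or loosened without retraining anything.
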
In short, AIOps has the great potential to do double duty. IT and security teams can both deploy AIOps

not only to enhance their organization’s infrastructure performance but also to prevent cybersecurity

threats in near real-time.

An essential early warning system

The early warning system that AIOps provides is a big step forward for security vendors as they try to

ingest as many signals as possible and understand what’s going on in the IT environment with a 360-

degree perspective. Such vigilance is vital nowadays because hackers are constantly looking for

scenarios in which they can sneak in without tripping any alarms, then prowl around in the IT

environment.

For example, in a recent high-profile hack, the bad guys were lurking undetected in Office 365 email

systems for months, creeping around and gathering information. This type of breach shows that, without

the proper signals from the enterprise architecture, hackers can go undetected for long periods of time

and ultimately do serious damage.

In a world of perfect security, IT teams would have no blind spots and hackers would never gain access

to IT systems. The problem is that today’s hybrid infrastructures typically hold resources in a blend of

cloud and on-premises datacenters—and most security products specialize in monitoring one or the

other. As a result, there is no single IT or security team that has insight across all of the different systems.

AIOps early warning technology detects the symptoms that precede security issues, such as suspicious

patterns and anomalies in performance data, then alerts users. The technology then triggers actions to

root out the bad guys and prevent damage. By warning users sooner, AIOps helps enterprises stop

intruders, protect their data and avoid negative impacts on their brand and bottom line.

Many AIOps advantages

There are other reasons why AIOps is now a must-have for security. One is financial. A typical

organization generates billions of data points in any given day and few organizations can afford to keep

dispatching security people to investigate the numerous problematic signals that occur. There are just

too many of them. But with a technology like AIOps on the job to constantly process signals and put them

in context—i.e., dangerous or not—the process becomes financially manageable.

What is the server behind a particular IP address attempting access? Who is the user? Are there false

positives or duplicate signals? All of this analysis and investigation can be done by AIOps technology in

a consistent and automated way so that security professionals can spend their time on other, more

pressing issues.

Yes, many organizations are still trying to prevent security incidents manually. But the stark reality is that

such an approach is not scalable and typically results in SecOps people spending their day reacting to

issues and trying to minimize incidents. But with AIOps, they have technology that warns them before

issues occur and enables them to prevent problems rather than react to them. Instead, they can focus

on more strategic initiatives that provide value to their organizations. It’s a win-win scenario with less time

spent troubleshooting and more time spent innovating.

Indeed, AIOps is now a necessity for almost every kind of organization, because every kind of

organization, large or small, is now a target for hackers.

The road ahead

Many vendors are now touting their AIOps chops—even if they offer only very basic functionality. So,

separating fact from fiction is critical. CISOs should start with a sandbox approach, setting up two or three

trials of any technology they’re considering - including AIOps - to see if it works for them before

purchasing it and pushing it out.

As the technology improves, AIOps will only get more proficient at observing signals across all enterprise

systems to illuminate patterns, provide meaningful alerts, detect issues sooner, and enable greater

foresight and automation. As today’s organizations continue to grow and evolve, the ability to provide

predictive insights at scale continues to be more important than ever.

About the Author

Ranjan Goel is a highly experienced product management

executive with a track record of building and launching products in

multiple technology areas including unified observability,

cybersecurity, cloud and networking. He has managed portfolios of

up to a billion dollars in revenue. Ranjan currently leads the product

management organization at LogicMonitor.

Ranjan can be reached online at our company website

https://www.logicmonitor.com/.

5 Steps to Protect Your Organization from the Next

Ransomware Attack

By Paul Kohler, CTO, S3

We have witnessed the largest ransomware attacks in history in the first half of 2021 alone. From

SolarWinds to CNA Financial Corp, Colonial Pipeline, JBS and Kaseya - ransomware attacks are no

longer “if” it will happen to you, it is when. According to research, ransomware attacks are estimated to

occur every 11 seconds, costing at least $20B a year.

But why are many organizations still reluctant to support and invest in cybersecurity to build a strong

cybersecurity framework to better prevent attacks?

Below are some tactical steps to better protect your organization from a ransomware attack.

Step 1: Assess

The key to solving any problem within your organization is properly defining what you are trying to solve.

Without a thorough assessment of your organization’s cyber preparedness, it will be nearly impossible to

implement/improve your cyber posture. The alternative to a solid assessment is akin to playing a game

of cyber whack-a-mole; stuck in an endless cycle of treating symptoms and not the problem.

This assessment is not a one-time activity. It must be done regularly as the threat landscape is in constant

evolution. Standing still will quickly render your current posture weak and ineffective.

Your assessment should include the following topics:

● Governance: Is anyone reviewing access? Any terminated employees/contractors/3rd parties

with active accounts?

● Compliance: Are you compliant with all applicable regulations?

● Authentication: What is required of users to authenticate to your environment? Is it required

every time?

● Physical Asset Management: Are you managing assets consistently?

● Information Assets: Are you protecting them? Do you know what they are, where they are, and

who has access to them?

● Alignment: Do your policies align with operational objectives?

● Access Management: Are you consistently ensuring that the right people have only the access

they need at the time they need it?

● Unstructured Data: Who routinely manages access to unstructured data? Where is this data

located?

● Monitoring: Anyone watching the henhouse while the foxes are lurking around the perimeter?

● Training: Do your employees, contractors, 3rd parties have clarity on what is expected of them?

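Several of the assessment questions above (terminated identities with active accounts, what is required to authenticate, whether people hold only the access they need) are answerable from two exports most organizations already have: an HR roster and an account list. The block below is an added example, not from the article or S3, that joins the two and reports the findings; the CSV columns and the rows are constructed for the demo, and the 90-day staleness cut-off is an assumption.

```python
"""Repeatable access review for the Governance / Authentication / Access
Management items of the assessment (added example; inputs are constructed).
Findings: active accounts owned by terminated people, privileged accounts
without MFA, accounts unused past a cut-off, and accounts nobody in HR owns."""
import csv
import io
from datetime import date, timedelta

ROSTER_CSV = """\
person,kind,status,term_date
alice,employee,active,
bob,contractor,terminated,2021-07-15
carol,employee,active,
dave,vendor,terminated,2021-06-01
"""

ACCOUNTS_CSV = """\
account,owner,enabled,privileged,mfa,last_login
alice,alice,true,true,true,2021-08-30
bob,bob,true,false,false,2021-07-20
carol,carol,true,true,false,2021-08-29
dave-svc,dave,true,true,true,2021-03-02
erin,erin,true,false,true,2021-08-28
frank,frank,false,true,false,2020-01-01
"""


def _rows(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def review_access(roster_csv: str, accounts_csv: str, today_iso: str,
                  stale_days: int = 90) -> dict:
    """Join accounts to the roster and return findings keyed by category."""
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=stale_days)
    roster = {r["person"]: r for r in _rows(roster_csv)}
    findings = {"terminated_active": [], "privileged_no_mfa": [], "stale": [], "orphaned": []}
    for acct in _rows(accounts_csv):
        if acct["enabled"] != "true":
            continue  # disabled accounts cannot be used; out of scope here
        person = roster.get(acct["owner"])
        if person is None:
            findings["orphaned"].append(acct["account"])  # no HR record owns it
        elif person["status"] == "terminated":
            findings["terminated_active"].append(acct["account"])
        if acct["privileged"] == "true" and acct["mfa"] != "true":
            findings["privileged_no_mfa"].append(acct["account"])
        if date.fromisoformat(acct["last_login"]) < cutoff:
            findings["stale"].append(acct["account"])
    return findings


if __name__ == "__main__":
    for category, accounts in review_access(ROSTER_CSV, ACCOUNTS_CSV, "2021-09-01").items():
        print(f"{category}: {accounts}")
```

Run on the sample, the review flags the contractor and the vendor's service account that outlived their terminations, the privileged account without MFA, the service account nobody has logged into since March, and an account with no owner in HR at all. The same join, scheduled rather than run once, is the "regular" assessment the article asks for.
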
Step 2: Increase Cybersecurity Hygiene

Now that you have your assessment you know what needs cleaning -- your organization’s hygiene -- and it needs to be prioritized based on risk. Cybersecurity hygiene is the practice that maintains the basic health and security of hardware and software. This includes everything from creating cyber policies that are up to date to updating all software and hardware regularly. It also includes retiring and disposing of old hardware/software. Do you have any old VPNs lying around? I can assure you Colonial Pipeline wishes they didn’t.

Step 3: Develop Detailed Response Plan

Every organization is under the microscope. It is only a matter of time for an organization to come head-to-head against an attack. Instead of hitting the panic button, prepare early with a detailed response plan (and test it often). There are response frameworks available from organizations such as NIST, CIS and ISO, but your organization needs to fill in the details.



The response plan should include filling in the gaps to these major topics:

● Preparation

○ Clarity around what you are protecting.

○ Are you staffed to protect it? Or do you need 3rd party assistance?

○ Who is responsible for what? Who is the backup? Who is the backup to the backup? What is the chain of command?

○ Have you tested your plan?

● Response

○ Containing the incident

○ Preservation

○ Clear communication

○ Mitigation steps

● Recovery

○ Revisit the thorough assessment

○ Gather forensic information to confirm next steps and plan deployment

○ Analyze and revise plans based on the post-mortem

Step 4: Educate the Organization

As the saying goes, you are only as strong as your weakest link. Security awareness training is essential to stopping ransomware in its tracks. It is important to train all those who access your organization’s infrastructure or make use of your organization’s high value information assets. This means training not only your employees, but your entire ecosystem of users. They are your last line of defense.

An effective training regimen will include:

● Employees, contractors, and vendors responsible for protecting organizational data (this includes all critical data elements and intellectual property)

● Phishing, smishing, spear phishing or other social engineering tactics

● Asset protection, which should include information necessary to secure assets as well as what to do if an asset is lost or stolen.

Step 5: Implement a Zero-Trust Security Model

Zero Trust is one of the most effective ways for organizations to control access to their networks, applications, and data. Zero Trust is not a product you can buy off the shelf. It is an integration of policy, procedure and multiple technologies that transforms the way you manage cyber. It combines a wide range of preventative techniques to deter would-be attackers and limit their access in the event of a breach. This includes identity verification and behavioral analysis, micro/macro segmentation, endpoint security, least privilege controls and adaptive authorization.

The Zero Trust framework aims to accomplish several business-critical objectives. At a high level it performs five functions:

● Contains the damage inflicted in case of a breach by limiting access to the network

● Streamlines the user experience

● Optimizes connectivity

● Modernizes security operations

● Enables your organization’s digital transformation

Modernized security operations will allow organizations to locate and eradicate malicious code by locating traces of open-source penetration testing tools and hacking frameworks. Modernized security operations will also allow security teams to apply behavioral analytics to activities to isolate suspicious activity and possibly prevent the next cyber attack.

As we enter the next wave of cyber intelligence and combat threats from known and unknown sources, our biggest weapon is preparedness. Increasing our intelligence on potential threats, learning the offensive and defensive tools to better monitor and equip our organizations, and our ability to either thwart or rapidly respond, exponentially increases the level of success. You will either be a victim with failed countermeasures and significant financial and reputational impact, or able to rapidly deploy responses to mitigate or avoid damages altogether -- the choice is yours.

About the Author

Paul Kohler serves as the Chief Technology Officer for Strategic Security Solutions (S3). S3 is a leading provider of Identity & Access Management, Governance, Risk and Compliance and SAP Security advisory services.

Paul is focused on building a world class delivery organization. He is committed to building an organization that lives S3’s core values of integrity, collaboration, intellectual curiosity and transparency. Paul believes adhering to those core values along with a program first, technology second mindset will guide S3 in delivering technical solutions that meet S3’s clients’ needs.



CyberDefense.TV now has 200 hotseat interviews and growing…

Market leaders, innovators, CEO hot seat interviews and much more.

A division of Cyber Defense Media Group and sister to Cyber Defense Magazine.



FREE MONTHLY CYBER DEFENSE EMAGAZINE VIA EMAIL

ENJOY OUR MONTHLY ELECTRONIC EDITIONS OF OUR MAGAZINES FOR FREE.

This magazine is by and for ethical information security professionals with a twist on innovative consumer products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best ideas, products and services in the information technology industry. Our monthly Cyber Defense e-Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here to sign up today and within moments, you’ll receive your first email from us with an archive of our newsletters along with this month’s newsletter.

By signing up, you’ll always be in the loop with CDM.

Copyright (C) 2021, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G. SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com, CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465, Cyber Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com

All rights reserved worldwide. Copyright © 2021, Cyber Defense Magazine. All rights reserved. No part of this newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at marketing@cyberdefensemagazine.com

Cyber Defense Magazine

276 Fifth Avenue, Suite 704, New York, NY 10001

EIN: 454-18-8465, DUNS# 078358935.

All rights reserved worldwide.

marketing@cyberdefensemagazine.com

www.cyberdefensemagazine.com

NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA)

Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 09/01/2021



Books by our Publisher: https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guysebook/dp/B07KPNS9NH (with others coming soon...)

9+ Years in The Making…

Thank You to our Loyal Subscribers!

We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know What You Think. It's mobile and tablet friendly and superfast. We hope you like it. In addition, we're past the five nines of 7x24x365 uptime as we continue to scale with improved Web App Firewalls, Content Delivery Networks (CDNs) around the Globe, Faster and More Secure DNS and CyberDefenseMagazine.com up and running as an array of live mirror sites and our new B2C consumer magazine CyberSecurityMagazine.com. Millions of monthly readers and new platforms coming…starting with https://www.cyberdefenseprofessionals.com this month…
