CS Sep-Oct 2021




Secure systems, secure data, secure people, secure business

Health check on warding off a cyber security attack

As COVID strictures ease, data vigilance remains vital

The top 30 vulnerabilities all highlighted and shared

Current digital infrastructure on verge of being obliterated

Computing Security September 2021











EDITOR: Brian Wall

Edward O’Connor
+ 44 (0)1689 616 000

After what seems like an eternity of lockdown, we can finally make the announcement: the Computing Security Awards are back to their full glory and live for 2021!

The pandemic forced a rethink in 2020, with the much-feted gala occasions that we have all come to know and love so well sadly set to one side and the actual awards themselves having to be carried out remotely. Yet, such is their enduring impact, they were still a huge success, with the distant popping of the champagne corks in the offices of the winners widely reported in the aftermath.

So, it is my pleasure and delight to announce that the 2021 Computing Security Awards ceremony will once again be held before a living, breathing, up-close audience.

But before that day is upon us, we need the help of you, our readers, in deciding who will make it into this year's final, with the prospect of claiming the top prizes. So, tell us: which companies have helped to secure your organisation's digital infrastructure over the past year? What cyber security products/services have impressed you most? Who came to your aid when remote working threatened to bring your systems to a grinding halt?

Go to the awards nominations page now - computingsecurityawards.co.uk - and choose those companies, products and services you feel deserve the highest recognition for how they have performed over the last 12 months.

The nominations phase will remain open until Friday, 24 September, but please make your choices now - time soon flies by and we don't want to miss out on your selections.

Then, with our shortlists compiled for all of the awards categories, we will all 'dress to impress' for the grand climax itself, when the winners and runners-up are revealed at the Computing Security Awards Ceremony in London on Thursday, 2 December, 2021.

Yes, it's back - and it's live!

Brian Wall
Computing Security

Lyndsey Camplin
+ 44 (0)7946 679 853

Stuart Leigh
+ 44 (0)1689 616 000

PUBLISHER: John Jageurs

Published by Barrow & Thompkins Connexions Ltd (BTC)
35 Station Square, Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22

UK: £35/year, £60/two years, £80/three years;
Europe: £48/year, £85/two years, £127/three years;
R.O.W: £62/year, £115/two years, £168/three years.
Single copies can be bought for £8.50 (includes postage & packaging).
Published 6 times a year.

© 2021 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.

www.computingsecurity.co.uk September 2021 computing security





Jeffrey Carpenter and (posthumously) Dan Kaminsky have been inducted into FIRST's Incident Response Hall of Fame.

Authentication to the laptop or the server itself can often be overlooked, cautions SecurEnvoy's Michael Urgero

Making assumptions can be a big mistake - yet sometimes it can pay off handsomely, as with information security, says Paul Harris, Managing Director, Pentest Limited

The time to prepare for a safe quantum computing future is now, argues Chris Erven, CEO, KETS Quantum Security. Why? Because we don't go 30 seconds without touching digital technology of some kind, all of which is networked, none of which is quantum-safe, he points out.

When Cheshire and Merseyside Health and Care Partnership wanted to see how it would stand up to a cyber-attack, it asked Gemserv Health to test its defences

Educating consumers on data security is very important, but individuals must play their part, too, points out David Emm, principal security researcher at Kaspersky

Carnival Cruises suffering four data breaches in 15 months flags up what tempestuous waters the travel industry can sail in. But why do many organisations fail to protect their systems and information, and fall victim to repeated breaches?

Carmen Oprita of Endpoint Protector by CoSoSys looks at the many outsider and insider threats that can damage businesses - and how they can fight back

International allies share details of the top 30 vulnerabilities that were routinely exploited by malicious actors in 2020

Top cyber criminals can swiftly navigate around your defences, breach your network in minutes and evade detection for months. Advanced persistent threats (APTs) present a massive challenge - but what is the most effective way forward?

ADISA Asset Recovery Standard 8.0 has been formally approved by the UK Information Commissioner's Office

It's time to select your top performers for the Computing Security Awards 2021

computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk



In the first six months of this year alone, global ransomware volume reached an unprecedented 304.7 million attempted attacks. Stopping ransomware groups is no small task. The scale of the economy behind these groups is significant, with many boasting corporate structures of their own



industry honours



Jeffrey Carpenter has dedicated more than 30 years to improving the state of information security.

Dan Kaminsky: best known for his work finding a critical flaw in the Internet's Domain Name System (DNS).

Jeffrey Carpenter and (posthumously) Dan Kaminsky are the latest to be inducted into FIRST's Incident Response Hall of Fame. They join past inductees Ian Cook, Don Stikvoort and Klaus-Peter


Jeffrey Carpenter has dedicated more than 30 years to improving the state of information security. In 1995, he joined the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute, initially as an incident response analyst, then five years later managing more than 50 technical individuals. He was instrumental in helping the US Department of Defence and the US Department of Homeland Security create teams to exchange incident information and indicators between government and critical infrastructure organisations. He also worked closely with the US Department of Homeland Security on the formation of US-CERT, the national computer security incident response team (CSIRT) for the United States.

Carpenter helped many other governments and regional organisations around the world establish national incident response capabilities. He founded a successful annual conference for technical staff working for CSIRTs with national responsibility to promote collaboration among these organisations. His active involvement in the incident response community over the years has included presenting in various forums, and serving on Forum of Incident Response and Security Teams (FIRST) committees and working groups. He is currently the Secureworks senior director of Incident Response Consulting and Threat Intelligence.

"I am humbled by this honour," said Carpenter. "This recognition also reflects the efforts of my former colleagues at the CERT Coordination Center to advance the incident response community, for I could not have had any success without them. In addition, it is a privilege to be inducted with my friend Dan Kaminsky, whose work in incident response and product security impacted so many people. We miss him



Dan Kaminsky (1979-2021) was a noted American security researcher - best known for his work finding a critical flaw in the Internet's Domain Name System (DNS) and leading what became the largest synchronised fix to the Internet infrastructure of all time in 2008. He was also known for being a great human being - helping colleagues, friends and community members attend events, working on many health apps, assisting colour-blind people, hearing aid technology and telemedicine, and fighting as a privacy rights advocate. His ethos was to do things because they were the right thing to do, not because they would elicit financial gain.

Kaminsky was co-founder and chief scientist of WhiteOps (recently renamed Human) and spent his career advising several Fortune 500 companies, such as Cisco, Avaya and Microsoft, on their cybersecurity. In addition, he spent three years working with Microsoft on their Vista, Server 2008 and Windows 7 releases.



MFA and Windows

SecurEnvoy Windows Logon Agent.

Michael Urgero, SecurEnvoy: his company's solution protects the Windows Logon process with true multi-factor authentication.

Look at how far we've come over the years. The introduction and mainstream use of virtualisation in the data centre, cloud and the 'work from anywhere' has sparked some amazing opportunities, from the rapid development of business ideas to remotely supporting critical systems and customers. Not all that long ago, we were a much more analogue group, much more manual and hands-on in our methods. Coming with the high-speed rush of new technologies that are fully intended to make lives easier, there are also new security threats to care for and consider. We've gone to great lengths to ensure that our employees have easy and secure access to the business, and that our system operators can keep those systems running. Have we done enough? How will we know? These are some of the things on the minds of IT execs, as they lie awake into the night.

One of the parts that's often missed is the authentication to the laptop or the server itself. The desktop interface of these devices is where all the action is and it should be just as secure. New virtualised, cloud and hybrid solutions make accessing these devices almost an entirely remote affair. Apart from accessing your laptop directly, everything else you do in a day is pretty much done on systems elsewhere.

One could argue that Microsoft simply doesn't do enough with its traditional username and password and, what's more, Windows Hello is difficult to deploy and manage and has its own share of issues; ask any help desk administrator and you'll get an earful.

Securing these corporate assets is an urgent issue and our customers know that. Our solution comes complete with our integrated SecurEnvoy Windows Logon Agent. Our solution installs directly on the laptop or server and protects the Windows Logon process with true multi-factor authentication. By doing this, verification of the username and password is challenged and verified with the trust of multi-factor authentication quickly and easily.

Some of our customers have deployed our SecurEnvoy Windows Logon Agent to all corporate endpoint devices as well as all servers in the data centre, both physical and virtual, to assure the identity of employees as they authenticate.

The initial prompt is the same as it always has been, asking for a username and password. You are immediately prompted for the multi-factor token, which is available in a variety of methods: everything from push notifications to a mobile device, SMS messaging, physical tokens or manual entry, to name just a few.

The same agent would be loaded on both Windows 7/10 devices and Windows Servers, from Microsoft Windows Server 2008 forward. This software can be distributed using any of the common methods, from Active Directory to third party deployment tools and, best of all, works when devices are completely offline.

For more details, and to get a demo and talk about our solutions, feel free to give us a call. Be sure. Be Confident. SecurEnvoy.









Ransomware attacks are becoming increasingly devastating to companies. Not only do they inflict massive disruptions to operations, but criminals are also asking for ever-larger ransoms to unlock the encrypted files and machines hit by the attacks.

"Throughout the last months, state-sponsored ransomware attacks inflicting damage on critical infrastructure have dominated the headlines," points out LogPoint CTO Christian Have. "JBS recently paid 11 million dollars following an attack that shut down all the companies' US beef plants. Just before that, an attack paralysed Ireland's health services for weeks in the middle of a pandemic. The attack happened in the wake of the Colonial Pipeline attack that caused fear of gas shortages. CNA Financial, one of the largest insurance companies in the US, reportedly paid 40 million dollars to get access to its files and to restore its operations, making it the largest reported ransom paid to date. In comparison, 40 million dollars is more than most companies spend on their cybersecurity budget - it is even more than what many companies spend on their entire IT budget."

Due to the surges in state-sponsored ransomware attacks in the US and Europe, many government institutions, including the White House, have urged companies to bolster their defences to help stop the ransomware groups, he adds. "The G7 group has called on Russia, in particular, to identify, disrupt and hold to account those within its borders who conduct ransomware attacks and other cybercrimes. One of the few outcomes of the Biden-Putin summit is an agreement to consult on cybersecurity. However, the agreement is ambiguous without any specific actions."

The ransomware ecosystem explained - a ransom payout isn't always the end goal

Stopping ransomware groups is no small task. The scale of the economy behind these groups is significant. Many active groups have corporate structures, with roles and responsibilities that mirror regular software development organisations.

These criminal organisations are well-funded and highly motivated to develop their attacks - but their revenue streams do not begin or end with victims paying up a ransom, he stresses. Have points to "an entire ransomware ecosystem, capitalising on successfully executing attacks", such as:

Groups selling access to platforms that deliver end-to-end ransomware-as-a-service for other groups to use

Brokers that deliver teams of highly specialised developers that can build and deploy malware. "Think of this as malware recruiting"

Certain groups only gain access to corporate networks. They will not actively disrupt the operations or demand ransom; instead, they sell access to victims for other groups to capitalise on

The increasing sophistication of ransomware groups has led many organisations to implement a multitude of tools to help detect and prevent attacks. But what really works?


"For the last 15 years, CISOs, security operations teams and security vendors have put a significant focus on complex attacks and staying on top of the cutting edge of what adversaries can do. For example, the malicious computer worm Stuxnet launches extremely advanced campaigns. The result is that a lot of organisations have a relatively extensive portfolio of advanced technologies. These technologies are expensive, complex to use and even more complex to integrate with each other and the surrounding security ecosystem."

The Colonial Pipeline breach happened because a remote access platform failed to enforce or require multi-factor authentication, Have states. "Combined with a shared password used among several users, attackers found a way into the infrastructure. Advanced detection tools are not meant to detect such basic mistakes. Failing to cover the basics - patching, secure configurations or following best practices - is a pattern repeating itself in many of the recent attacks. It is not without reason that every authority on cybersecurity has patching and baselining configurations as some of the first recommendations for companies to strengthen their cybersecurity

So, why are companies not just patching everything, implementing the Zero Trust model and forcing multi-factor authentication everywhere? Especially when the most considerable material risk to the operations and existence of the organisation is a ransomware attack? "IT operations is hard," Have responds. "The security operations team, IT operations team and enterprise risk management team often have siloed thinking with different objectives and incentives. Aligning activities and goals across various departments is, without a doubt, part of the problem." One of the things LogPoint hears from its customers is that they need a unified overview of the technical risk aspects. "Implementing a unified solution, such as ZeroTrust orchestration or XDR is complex and, in many cases, expensive. Some of our customers are turning to fewer vendors and relying on open standards - for example, MITRE for a taxonomy of attacks, MISP to share threat observations and YARA to identify malware indicators to offload some of the headaches of aligning different departments' ways of working."



LogPoint can help organisations align detection and response activities, comments Have. "LogPoint ingests log data, which security teams can use to easily detect ransomware variants like FiveHands, Egregor or Ryuk. The REvil group that hit JBS uses a tactic to delete Shadow Copies before encryption. Deleting Shadow Copies makes a restore significantly more difficult. LogPoint can immediately detect deletion of Shadow Copies by looking for the following command across all log sources:"

Ingesting log data allows analysts to interrogate systems for more information about known issues, such as detected vulnerabilities, deviations from best practices or enterprise policies. "However, combining log data with vulnerability data, configuration compliance and more advanced interrogation of the system, we can uncover the unknown issues by formulating more exact risk scores of the infrastructure and its components."

"With the risk scores nailed down, we are currently working on coupling indicators of ransomware, such as the deletion of Shadow Copies, with threat intelligence and malware research to identify documented adversarial techniques. The goal is that the system can conclude the type of ransomware group or variant, so we are more prepared to deal with and respond to the threat. Our system uses a combination of natural language processing and machine learning to connect the dots.

"We are also working with our customers on building the final step - automating and orchestrating the response with situational awareness and understanding of the next phase of the attack. We have small agents deployed on our customers' machines that can enforce policies, disconnect machines from networks and otherwise act based on how security operators want to approach a potential issue."
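The Shadow Copy deletion check Have describes above, written out as an added example: this is not LogPoint's own rule (the article does not reproduce it) and not LogPoint's log format. Constructed Windows process-creation events in a generic key=value layout are parsed, and each command line is matched against the two built-in tools used to delete Volume Shadow Copies, vssadmin and wmic. The sample events, field names and rule names are assumptions made for the example; T1490 is the MITRE ATT&CK technique (Inhibit System Recovery) that the "MITRE taxonomy" point above would map this behaviour to.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed process-creation events in a generic key=value layout (not LogPoint's
# format). Only the second and fourth lines are shadow-copy deletions.
SAMPLE_LOGS = [
    r'ts=2021-09-01T08:12:03Z host=FS01 user=CORP\backupsvc image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"',
    r'ts=2021-09-01T08:14:51Z host=FS01 user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    r'ts=2021-09-01T08:15:02Z host=WS-042 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
    r'ts=2021-09-01T08:16:40Z host=DB02 user=SYSTEM image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic shadowcopy delete"',
]

# Command-line patterns for deleting Volume Shadow Copies with the built-in tools.
# MITRE ATT&CK files this behaviour under T1490, Inhibit System Recovery.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
}

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    cmdline: str
    technique: str = "T1490"


def detect_shadow_copy_deletion(lines: List[str]) -> List[Alert]:
    """Return one Alert per event whose command line matches a deletion pattern."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        for rule_name, pattern in RULES.items():
            if pattern.search(cmd):
                alerts.append(Alert(ev.get("ts", "?"), ev.get("host", "?"),
                                    ev.get("user", "?"), rule_name, cmd))
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_LOGS):
        print(f"{a.ts} {a.host} {a.user}: {a.rule} [{a.technique}] <- {a.cmdline}")
```

The match is case-insensitive and tolerates the `.exe` suffix because the same intent shows up with several spellings in real process logs; the benign `vssadmin list shadows` line is deliberately included so the rule is seen to ignore legitimate backup tooling, which is the usual source of false positives for this check.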


At the end of the day, it becomes clear to security researchers who are following ransomware groups that the asymmetry between the capabilities and the incentive for the attackers and the maturity and budgets of the defenders is becoming more pronounced, he adds. "When critical infrastructure is under attack through large and small companies, it is obvious that more technology will not solve the issue alone. Outsourcing IT operations or security operations alone is not solving the problem either." With that in mind, Have sees three paths forward:

Law enforcement agencies must cooperate across borders to target ransomware groups, track payments and ultimately change the operational risk for these groups, so that it is more expensive to do illicit business

Breaking down silos within organisations, getting the cybersecurity, IT operations and risk management teams to speak the same language and align expectations. "Who owns the backup - IT? Who is responsible for the disaster recovery - Security? Who owns the business continuity planning - Enterprise risk

More laws and regulations on the matter. "GDPR has done a lot to bring focus and awareness about reporting breaches to infrastructure. But more is needed. GDPR works for personal data, but disruptions to critical infrastructure following a ransomware attack are not necessarily under the umbrella of GDPR and, as such, can go under the radar. With more sharing, increased focus and potentially fines levied against organisations that fail to prevent or protect their infrastructure adequately, boardrooms will begin to take the threat seriously."


To further grasp the scale of ransomware's soaring impact, you have only to look at the latest report from SonicWall. In its mid-year 2021 cyber threat report update*, it proffers the startling statistic that, in the first six months of 2021, global ransomware volume reached an unprecedented 304.7 million attempted attacks - already eclipsing the 304.6 million ransomware attempts logged for the entirety of 2020, as recorded by SonicWall Capture Labs.

"In all, ransomware for the first half of this year is up a staggering 151% over the same time period in 2020. While Q1 was worrying, Q2 was markedly worse - going into spring, ransomware jumped from 115.8 million to 188.9 million, enough to make Q2 the worst quarter for ransomware SonicWall has ever recorded. If we're lucky, this will be an aberration. Some years, such as 2019, see ransomware totals high in the first half, then fall off during the second half." Time will tell.

But even if we don't record a single ransomware attempt in the entire second half (which is irrationally optimistic), 2021 will already go down as the worst year for ransomware SonicWall has ever recorded.

"While Q2 was record-setting in its own right, every month during the quarter set a new record, too. After rising to a new high in April, ransomware rose again in May, then saw another increase in June. During that month, SonicWall recorded 78.4 million ransomware attempts - more than the entire second quarter of 2020, and nearly half the total number of attacks for the year in 2019. Even 2021's lowest month didn't provide much of a reprieve. With 36.3 million ransomware hits, March 2021 had more ransomware than all but one month in 2020."

Why is ransomware rising so rapidly?

There are several factors that SonicWall identifies as being behind the recent increase in ransomware, but the fact remains: "The more organisations there are that are forced to pay out, the more incentive ransomware groups have to launch attacks."

While ransomware operators are getting better at finding and encrypting backups, they've also found another way to ensure victims pay up, despite the existence of current backups: extortion. "In an increasing number of cases, such as the recent attacks on Colonial Pipeline and the city of Tulsa, Okla., attackers are stealing and exfiltrating the data before they encrypt files. This means that, even if the victims have ironclad backups and can rebuild their network easily, they may still pay to preserve their reputation, avoid fines and maintain regulatory compliance with regards to personally identifiable."

Unfortunately, organisations that display a willingness to pay may be opening themselves up to be attacked again soon after, either by the same group of cybercriminals or by another group who heard about the original payment, says SonicWall. "According to ZDNet, roughly eight in 10 organisations that opt to pay a ransom wind up being attacked again - and of those victims, nearly half believe the second attack was perpetrated by the same cybercriminals as the first. While it's unclear how many organisations are targeted by repeat attacks - companies are often reluctant to publicly acknowledge ransomware incidents for this very reason - at least three have made headlines in recent years: the city of Baltimore, Australian logistics firm Toll Group and American technology company Pitney

* Mid-Year Update: 2021 SonicWall Cyber Threat Report




information security





When you assume, you make an ass out of 'u' and me, or so the saying goes, and, in many situations, making assumptions can be misguided. But, in other situations, it pays to assume. Information security is one of these situations and, by assuming the worst, you can start to plan for it and prepare to defend against it.

The recent spike of ransomware attacks has shown companies what a potential worst-case scenario looks like when it comes to information security, with companies being taken offline and critical data being lost. This wakeup call has forced many into action, but ransomware is only one of the potential attack vectors and there are numerous routes into a company. Yes, ransomware may be hitting the headlines, but it's not going to be everyone's biggest risk. So, if you're looking for solutions because of the headlines, then you may be wasting your money.

A successful attack only needs one route in, but defenders need to protect against many potential entry points. In this situation, the advantage is with the attacker and, with the time, skills and resources, it's a matter of 'when' an attack will get through, rather than 'if'.

Risk analysis and scenario planning allows you to assume that the worst will happen, that an attacker will get through. It's an approach that more and more companies are looking to undertake in the face of growing, and often unknown, threats. As a 'table-top' exercise, it's far more cost effective than implementing a tech 'solution' and allows companies to look at their wider security, building a roadmap of improvements that will bring the greatest security benefits. So, how do you go about it?


A company's crown jewels aren't just important, they're critical and if they were to be stolen or made unavailable, for even the shortest time, it could mean your business stops operating. But what are your company's crown jewels? For many it's intellectual property, the design of a new product or your products' 'secret recipe', for others it could be financial data. Maybe it's the source code for a piece of software you've been developing, patient information, live production systems, servers running internal operations, your e-commerce website, the list goes on. Your crown jewels can be a combination of many things, but, whatever they are, they need to be protected. The key question you need to ask yourself is: what are the things I, or my clients, can't afford to lose?


When it comes to cyber threats, sophisticated is a word that is used a lot. "We were the victims of a sophisticated cyber-attack" is the usual line when news of a breach breaks. But when the dust settles, it's often found that the attack wasn't sophisticated at all. Everyone likes to think they're the target of sophisticated attacks, but most attacks are opportunistic in nature, using simple techniques to expose weak security practices, unpatched systems or take advantage of human vulnerability. By identifying your most likely real-world threats and targets, you can start to prioritise the risks, identify the techniques they would most likely use, and the potential routes they are likely to take.




One of the fundamental IT security challenges within organisations is the shadow IT 'visibility gap' between assumed, or known, infrastructure and what truly exists. Whether it's because of merger & acquisition activities, personnel changes, or infrastructure changes over time, it can be easy to lose track of your IT estate.

Obtaining an exact picture of what you have is key and if you can't see a legitimate device on your network then how can you properly defend it? Once you have full knowledge of what you have, you then need to understand the security measures you have in place, but not just from a tech point of view: you need to look at your security processes, procedures, operating rules, and system design as well. Having this clear picture across your estate will enable you to understand where potential entry points exist and expose weaknesses which may allow an attacker to move easily across your network.



Once you have full 360-degree view of

your organisation, what's important to you

and your threats, you can start to develop

scenarios, ones that could have an extreme

effect on your company. For example, a

realistic scenario could be that an organised

criminal group has stolen your intellectual

property, or that hacktivists have brought

down your ecommerce website through

a DDOS attack. With a range of realistic

scenarios in hand you can then evaluate

which ones bring the highest risk.

Once you've evaluated the risk scenarios,

you can start to think about making

improvements, but firstly, it's important

to understand the steps a threat actor would take to achieve their goal. This can

be done by conducting an attack tree

analysis, working backwards from the

goal, step by step, to continually ask

'how' it was possible.

Now you understand the potential steps

taken to achieve the goal, you need to

identify controls that would predict,

prevent, detect, or respond to these actions

at every stage of the attack. Some controls

may already be in place, but it's important

to analyse how effective controls are and

identify where gaps exist. Where gaps

do exist, you can then evaluate the

associated cost, and effectiveness, of the

controls needed, helping to prioritise your

remediation efforts.
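To make the attack-tree exercise concrete, here is an added example in Python (not from the article or from Pentest): a small AND/OR tree for the "organised criminal group steals your intellectual property" scenario above, with an assumed attacker effort for each step and the controls believed to cover it. It finds the least-effort route to the goal and lists the steps on that route with no effective control, which is where remediation money should go first. Every step name, cost and control name is an illustrative assumption.

```python
"""Attack tree analysis with control mapping (added example; all values are assumptions).

Each node is a LEAF (one attacker step) or an AND/OR combination of child nodes.
Leaves carry an estimated attacker effort and the controls believed to cover them.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                                   # LEAF, AND or OR
    children: List["Node"] = field(default_factory=list)
    cost: int = 0                                        # attacker effort, arbitrary units
    controls: List[str] = field(default_factory=list)    # controls that cover this leaf


def cheapest_path(node: Node) -> Tuple[int, List[Node]]:
    """(cost, leaves) of the least-effort way to achieve `node`.
    OR: the attacker picks the cheapest child. AND: the attacker must do all children."""
    if node.kind == "LEAF":
        return node.cost, [node]
    paths = [cheapest_path(c) for c in node.children]
    if node.kind == "OR":
        return min(paths, key=lambda p: p[0])
    return sum(p[0] for p in paths), [leaf for p in paths for leaf in p[1]]


def uncovered_steps(leaves: List[Node], effective: set) -> List[str]:
    """Steps on a path with no control that is both in place and judged effective.
    A control that is listed but missing from `effective` counts as a gap."""
    return [leaf.name for leaf in leaves if not (set(leaf.controls) & effective)]


def build_ip_theft_tree() -> Node:
    """Goal: an organised crime group exfiltrates intellectual property (constructed)."""
    reach = Node("reach file server", cost=2, controls=["network segmentation"])
    exfil = Node("copy data out", cost=1, controls=["DLP", "egress monitoring"])
    return Node("exfiltrate IP", "OR", [
        Node("via phished user", "AND", [
            Node("spear-phish engineer", cost=2, controls=["mail filtering", "awareness training"]),
            Node("run payload on laptop", cost=3, controls=["EDR", "application allowlisting"]),
            reach, exfil,
        ]),
        Node("via exposed service", "AND", [
            Node("exploit unpatched VPN appliance", cost=4, controls=["patch management", "external scanning"]),
            reach, exfil,
        ]),
        Node("via insider", "AND", [
            Node("recruit contractor", cost=10, controls=["vetting"]),
            exfil,
        ]),
    ])


def analyse(tree: Node, effective: set):
    """(cheapest cost, step names on that path, steps on it with no effective control)."""
    cost, leaves = cheapest_path(tree)
    return cost, [leaf.name for leaf in leaves], uncovered_steps(leaves, effective)


if __name__ == "__main__":
    in_place_today = {"mail filtering", "EDR", "patch management"}   # assumed effective
    print(analyse(build_ip_theft_tree(), in_place_today))
    # Re-running with "DLP" added shows one control closing a gap on every route.
    print(analyse(build_ip_theft_tree(), in_place_today | {"DLP"}))
```

Because the exfiltration step sits on every route, a single effective data-loss control removes a gap from all of them at once, which is exactly the cost-versus-coverage comparison the text describes.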



The more effective defensive measures you

put in place, the more difficult you make it

for would-be attackers. But how do you

know if your defences are truly effective?

You need to test them. Having your work

tested can seem like a daunting prospect

and it can be easy to think that it's going to

belittle or ridicule your security efforts. But

that's not the case. Testing is designed to support your efforts, ensuring that your business is as protected as possible from the primary risk scenarios you have identified.

Penetration testing and red teaming are great options, in terms of evaluating your defensive measures - and testers will look to simulate the actions of an attacker, potentially uncovering further vulnerabilities, supporting remediation and providing you with the assurances that your efforts have been truly effective.

Paul Harris, Pentest: a successful attack only needs one route in, but defenders need to protect against many potential entry points.




Information security can sometimes be seen

as a tick in the box exercise and that, once

it's complete, you're protected. But that isn't

the case. What's considered safe today may

be vulnerable to attack tomorrow. Attackers

are always looking for new attack routes,

new techniques, new vulnerabilities and no

company, or technology, is 'unhackable'.

Security improvement efforts, such as risk

analysis and scenario planning, need to be

ongoing, helping keep your company one

step ahead of any malicious threats.

www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security


health check



Cheshire and Merseyside Health and

Care Partnership wanted to find out

how well it would stand up to a

cyber-attack. So, it asked Gemserv Health

to put together a scenario-based response

exercise that started with some seriously

bad news - but uncovered a lot of useful


It's 8am and it was a nice day until you

turned on the radio. The news has just

started and the lead story is that a video

has been released showing a group of

NHS leaders making worrying remarks

about a Covid-19 vaccine.

They seem to be suggesting that safety

issues are being covered up and the share

price of the vaccine maker has crashed

10% overnight. The phone starts ringing.

It's a press officer wanting to know what

IT is going to do about this leak, or fake,

or whatever it is.


This is the scenario that greeted 22 heads

of IT in Cheshire and Merseyside in spring

2021. It was constructed by Gemserv

Health, with input from Cheshire and

Merseyside Health and Care Partnership,

to find out how the integrated care system

(ICS) would respond to a cyber security


Paul Charnley, digital lead for the ICS,

explains that the commissioners, councils,

hospitals and other providers in the area

have their own policies and procedures

in place. But the ICS didn't have an

overarching response that was tested

and ready to use.

"NHS Digital has a data protection toolkit that requires every organisation to plan for and rehearse its response to a cyber-attack, but one of the things that we learned from WannaCry is that a cyber-incident can impact a large geography very quickly," he says. "We need to be able to coordinate.

"The exercise that we ran really brought

that to life. It was very salutary and very

helpful, and it has given us a lot to think

about. We have learned a lot since

WannaCry, but we are in an arms race

with the hackers and we've still got more

to do."


WannaCry was the worldwide ransomware

attack launched in May 2017. It didn't

target the NHS, but the National Audit

Office estimated that 34% of trusts in

England were impacted anyway.

One reason was that the NHS employs

a lot of people; with 1.3 million staff, it

had a lot of malicious emails to contend

with. Another was that WannaCry spread

through older, unpatched Windows

systems; and the NHS had a lot of those

in computers and medical devices.

However, a third was that there was no coordinated fightback.

The NAO reported that the

Department of Health had been working

on a plan, but it hadn't been tested at a

local level, so "it was not immediately clear

who should lead the response and there

were problems with communications."

Some trusts couldn't be reached by email

"because they had been infected by

WannaCry or had shut down their email

systems as a precaution", leaving a mix of

switchboards, mobiles and WhatsApp as

the only way through.


IT leads in Cheshire and Merseyside

wanted to do better. "After WannaCry, we

swore that we would work more closely

together, under the tagline: 'we are only as

strong as our weakest link'," says Charnley.

The 22 heads of IT in the area agreed to

standardise their policies and procedures,

and to pool any funds made available by

the NHS, to make the money go further.

Cheshire and Merseyside HCP is now

working with NHS Digital on a target

cyber-security architecture and on a

procurement process to deliver the






This has enabled individual organisations to work to a standard on one of two security information and event management systems; one medical device protection product; and one single sign-on product to give staff secure access to clinical and administrative systems.

"We have worked on our strategy and

then we have moved to manage our

supplier market and our procurement

teams to buy in harmony with that," he

adds. "Gemserv has supported both the

policy and the business models."


Cheshire and Merseyside HCP is better

protected against a cyber-attack than it

was five years ago; but the mantra of

cyber-security is not to ask "if" a cyber-incident

is possible but "when" one will


The scenario-based exercise was

designed to find out how ready the ICS is

to deal with an attack; and whether IT

leaders across the patch are clear about

who will lead the response and how they

should communicate with each other.

Before Covid-19 arrived, the ICS had

been looking to run a physical event,

but because of the pandemic it moved to

Microsoft Teams. Five virtual break-out

rooms were set up for organisational

teams to use, and the scenario was fed

to them.

As the event went on, the teams also

received 'injects' of information to take

the scenario in a different direction and

test their ongoing responses. They got

some 'good' news: the video didn't

feature local executives and was instead

a 'deepfake'. They also received some

'bad' news: one of the executives who

had been deep-faked had also been spear

phished. His email and that of his

contacts had been targeted. A route was

open for a ransomware attack.


Charnley says that on the day of the

cyber scenario event, years of hard work

in Cheshire and Merseyside paid off. IT

teams were able to mount a more

coordinated and coherent response to

the Gemserv scenario than they were to


They also had better tools to use.

However, the exercise showed there were

gaps to fill. The area turned out to be

short of some specific cyber-security

expertise out of hours. There were still

questions about how decisions would be

made that were big enough to require

sign-off from Government departments

in London or the NHS's central bodies in


It emerged that health and local

authority incident response planners

needed a cyber playbook to put

alongside the playbooks they have for

dealing with train wrecks, chemical

spills or even nuclear incidents. Gemserv

Health is now helping to write one, and

when it is ready, Charnley wants to test

it by running the exercise again.

"Gemserv told us that the military builds

things and then attacks them," he says.

"It costs millions of pounds. We don't

have that kind of money, but we can

learn a lot this way. I want to do this

every six months - certainly every year -

and I think every ICS should be planning

to do the same.

"I'd definitely encourage others to follow

this model and this approach. We

wanted to work with an external partner,

because it's easy to be insular or to play

to your strengths in these exercises.

Having an external view was very helpful.

It gave us a lot of things to think about."

Paul Charnley, digital lead for ICS: no

overarching response in place that was

tested and ready to use.



global intelligence




The time to prepare for a safe quantum

computing future is now, argues Chris

Erven, CEO, KETS Quantum Security.

Why? "For the simple fact that, in today's

world, we don't go 30 seconds without

touching digital technology of some kind,

all of which is networked, none of which is

quantum-safe. We know that quantum

computers will be experts at breaking the

security of our current digital infrastructure.

We need to upgrade this to be quantum-safe


He points to the 'Mosca equation' (posited

by Michele Mosca of the Institute for

Quantum Computing) to summarise when

we need to worry about upgrading our

cyber security.

This equation is given by:

x+y> z


x = the security lifetime of our data,

y = the time required to upgrade to

quantum-safe systems,

and z = the time to build a quantum


"If it is going to take 10 years to upgrade

and you want, for example, your online

medical records to be secure minimally for

15 years, and meanwhile a quantum computer

is built in the next 5-10 years - then it is

already too late! Best case, your sensitive

data will effectively be unencrypted and in

the clear for 20 years. And this 'store now,

crack later' attack has been going on for

years." Soon, he says, we will be living in

a world where most of our current forms

of cryptography will be useless, because

investment and developments in quantum

computing are only accelerating. "What is

more, we likely won't know when this

happens, because a quantum computer

capable of doing this represents such a

huge advantage, those who own it will

keep it secret."

The good news, though, is that we are

not defenceless. "Computer scientists,

physicists, and engineers have been

working hard on new quantum-safe

methods." Two of the biggest tools he

identifies for the new quantum-safe toolbox


Post-quantum cryptography (PQC)

algorithms - new algorithms conjectured

to be immune to a quantum computer's

processing capabilities

And quantum cryptography (QC) - new

quantum hardware that has been

proven to be immune to a quantum


What difference will this make to

computing security? "Well, we will have to

upgrade," he points out. "Think the Y2K

bug, but less hype and more well-reasoned

concern. And this upgrade will need to

occur both at the software and hardware


What can be done to ward off this

apocalyptic scenario? "At the highest level,

we need our telecommunications

infrastructure to be upgraded. This is

behind the EuroQCI Initiative, which aims to

build a secure quantum communications

infrastructure that spans the EU. Similar

initiatives exist now in the US, UK, China,

South Korea and Japan."


At the organisation level, the first things

that need to be done are:

Recognise the problem

Put resource behind it

Perform a quantum-safe health check

And develop your organisation's

quantum readiness roadmap.

Lastly, get involved in early innovation

projects, he advises. "These new methods

are different. PQC algorithms generally

require more memory or are slower, while

QC methods involve new hardware - these




will have implications for your organisation.

The best way to figure out the

implications is to start experimenting with

these new tools. Conveniently, this is the

number one aim of the testbeds being

built - to engage with end-users!"

You don't need a huge team of scientists, is Erven's reassuring message.

"A small team is more than enough to

partner with the cutting-edge start-ups

and SMEs pioneering quantum-safe

solutions. Together, we can ward off the

digital security apocalypse and continue

to thrive as a civilisation using a quantumsafe

version of the secure, connected,

information infrastructure that has

contributed so much to humanity's rapid

developments of the last 35 years."


According to Roger Grimes, data driven

defence evangelist at KnowBe4: "Your

competitors or nation-states could be

sniffing your currently protected network

traffic, waiting for the day a few years

from now when they can use quantum

computers to crack your existing

encryption. As we have seen, various

nation states have no problem attacking

every commercial company possible, if it

contains intellectual property of interest

or even simply to steal money. It is going

to take any organisation many years to

fully prepare for the necessary post-quantum


"So, even if you started now, it would be

years before your data was protected.

And any organisation that either has

sufficiently capable quantum computers

now or in the near future, that wants

your confidential data, could have an

incentive to sniff your data now…or

during the years of preparation you will

require to get to post-quantum

protections." Grimes' advice? "Every

organisation should begin immediately

taking a data protection inventory. It starts

by identifying all confidential data and the

systems and cryptography that protect it.

That means recording encryption, digital

signatures and hashing algorithms used to

encrypt, sign and verify content, along

with key lengths. This sort of inventory

should have already been done, but

almost no one has done it.

"Creating it and maintaining it will be

useful and valuable for the post-quantum

migration and any other crypto migration

afterward. The hardest part is the original

data collection. Maintaining it is not nearly

as hard. But that original data collection is

likely to take many months, if not years,

for most organisations.

And, regardless of the quantum issue,

simply understanding your cryptography

state will lead to better crypto-agility and

that will pay huge benefits forevermore.

But you need to get going now. Data

protection inventory and agility is not easy,

and it takes a long time. So, get started

now. Post quantum is your first valid


From the data protection inventory, what

happens next? "You then determine what

data needs to be protected more than

a few years, which is not protected with

quantum-resistant cryptography," Grimes

advises. "In some cases, like with symmetric

encryption and hashes, it might mean

simply increasing key lengths. And in

others, like with asymmetric encryption,

key exchanging and digital signing, it will

mean replacing it with a quantum-resistant


"Those solutions include post-quantum

encryption, physical isolation, quantum

key distribution and other quantum

devices, like quantum random number

generators. There is a coming Y2K-like

problem…and really it is already here, and

people do not realise it."
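As an added example (not from KETS, KnowBe4 or the article), the following Python combines the two ideas above: Grimes' data protection inventory of algorithms and key lengths, and Mosca's inequality x + y > z. It classifies each constructed inventory entry as needing replacement (public-key schemes broken by Shor's algorithm), a longer key (symmetric ciphers and hashes, whose effective strength is halved by Grover's algorithm) or no action, and then orders the work so that quantum-broken primitives guarding data that outlives the migration come first. The entries, the years assumed for y and z, and the minimum key sizes are all assumptions.

```python
"""Data protection inventory with a quantum-exposure check (added example; assumptions throughout)."""
from dataclasses import dataclass
from typing import List, Tuple

# Public-key schemes broken outright by Shor's algorithm: these must be replaced
QUANTUM_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}
# Symmetric ciphers and hashes: Grover's algorithm halves effective strength, so these
# are the minimum key/digest sizes assumed here to keep roughly 128 bits post-quantum
MIN_BITS = {"AES": 256, "ChaCha20": 256, "SHA-256": 256, "SHA-384": 384, "SHA-512": 512}


@dataclass
class Entry:
    system: str
    data: str
    purpose: str         # encrypt | sign | key-exchange | hash
    algorithm: str
    bits: int            # key length, or digest length for hashes
    lifetime_years: int  # x in Mosca's inequality: years the data must stay protected


def classify(e: Entry) -> str:
    """'replace' (quantum-broken), 'lengthen' (too short) or 'ok'."""
    if e.algorithm in QUANTUM_BROKEN:
        return "replace"
    if e.algorithm in MIN_BITS:
        return "ok" if e.bits >= MIN_BITS[e.algorithm] else "lengthen"
    return "replace"   # unknown primitive: treat as a gap until someone reviews it


def mosca_exposed(e: Entry, migration_years: int, quantum_years: int) -> bool:
    """x + y > z: the data outlives the protection it has today."""
    return e.lifetime_years + migration_years > quantum_years


def prioritise(inventory: List[Entry], migration_years: int, quantum_years: int) -> List[Tuple]:
    """(system, algorithm, action, exposed) for every entry needing work.
    Quantum-broken primitives guarding Mosca-exposed data are listed first."""
    def urgent(row: Tuple) -> bool:
        return row[2] == "replace" and row[3]

    rows = []
    for e in inventory:
        action = classify(e)
        if action != "ok":
            rows.append((e.system, e.algorithm, action,
                         mosca_exposed(e, migration_years, quantum_years)))
    return sorted(rows, key=lambda r: (not urgent(r), r[0]))


def sample_inventory() -> List[Entry]:
    # constructed entries for a hypothetical healthcare estate
    return [
        Entry("patient-portal", "medical records", "key-exchange", "ECDH", 256, 15),
        Entry("patient-portal", "medical records", "encrypt", "AES", 128, 15),
        Entry("web-tls", "session traffic", "sign", "RSA", 2048, 1),
        Entry("backup-vault", "backups", "encrypt", "AES", 256, 10),
        Entry("code-signing", "release artefacts", "hash", "SHA-256", 256, 5),
    ]


if __name__ == "__main__":
    # assumed: five years to migrate (y), a capable quantum computer in ten years (z)
    for row in prioritise(sample_inventory(), migration_years=5, quantum_years=10):
        print(row)
```

Short-lived TLS session data protected by RSA still needs replacing, but it sorts below the fifteen-year medical records because it does not satisfy x + y > z under these assumptions; the inventory is what lets you make that distinction at all.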


There have been quite a few predictions

about how quickly quantum computing will

arrive. But whatever the exact date and

time, it's clear that not just one, but two

races have already begun, says Timothy

Hollebeek, industry technology strategist,

DigiCert. "The recent few years have

exponentially accelerated the development

of quantum computing, with a variety

of breakthroughs and a number of

grandstanding announcements from tech

giants that they would be heavily investing

in the area. Even in 2020, pandemic

notwithstanding, quantum technology was

striding ahead. The breakneck speed of

quantum acceleration has kept up through

2021, too."

For all those developments, he says the

next major milestone will be when someone

solves a problem with quantum that a

conventional supercomputer simply cannot.

"But even when that day comes, it won't

mean that RSA or ECC encryption are in

direct threat. Although quantum can break

them, it would still require large quantum

computers to do so."

Even when they're commercially available,

quantum computers and technology will

likely be prohibitively expensive to most, he

adds. "What these ever-accelerating series

of developments are likely to do is act in the

same way that Moore's Law accelerated the

development of classical computing. Each

new development will further hasten the

pace towards quantum technology, driving

investment and innovation in the direction

of more powerful quantum computers."

That's one race between researchers,

scientists and organisations. "There's a more

urgent race, too - between individual

organisations' cryptography and the

quantum algorithms which will be able to

break current cryptography. The reality is we don't know exactly when quantum is going to become a threat and, as such, organisations need to start preparing."

Chris Erven, KETS Quantum Security: we will soon be living in a world where most current forms of cryptography will be useless.

A render of KETS Quantum Security's chip-based

That means getting to grips with Post-Quantum Cryptography (PQC). "Indeed,

organisations can begin adopting hybrid

RSA/PQC certificates and, critically, testing

them in their own environments now."

But there's a more fundamental element

that Hollebeek singles out when it comes to

being ready for the arrival of quantum.

"The threat that quantum poses to current

cryptography won't just necessitate

stronger algorithms, but will likely mean

that organisations have to become a lot

quicker on their feet when it comes to

cryptography. Crypto-agility is a concept

which organisations must start working

towards quickly.

Quantum threats will likely need a diverse

array of algorithms to protect against and

organisations will need to swap out

encryption algorithms on the fly as security

demands. That will be a significant task for

most companies, involving a fundamental

reshaping of how they do cryptography.

Quantum threats, however, demand it."



A five-to-10-year timeframe for quantum

computing to become a reality is probably

overly pessimistic, given the monumental

investment by businesses, governments and

investors around the world, states Dave

Bestwick, CTO of quantum cryptography

specialists Arqit.

"Only recently, we witnessed another

company, PsiQuantum, attain unicorn

status and raise huge amounts of

investment to bring a quantum computer

to market within the next few years."

Businesses therefore need to be

considering their options today, he

cautions, because not only are malicious

actors busy stockpiling data to decrypt as

soon as quantum computing emerges, but

also swapping from PKI to quantum

encryption takes time.

"Quantum computing will be hugely

disruptive to our digital world, as it will

undermine the basic security foundations

of the Internet. Most internet communications

are secured by PKI and quantum

computers can break this method of

encryption within minutes. Companies that

own valuable patents, highly sensitive

government data underpinning critical

infrastructure and defence will all be

vulnerable; as will bank details, health

records and even cryptocurrency."

However, not all forms of encryption will

be obliterated: symmetric encryption keys

are not susceptible to quantum attack, he

confirms. "This approach is endorsed by

the American Encryption Standard (AES).

However, until recently several barriers to

adoption existed, most notably the problem

of secure key sharing. Quantum key

distribution can solve this problem, but its

use over fibre networks is limited by signal

absorption, which constrains practical key

distribution to distances of less than about


This posed a problem for exchanging keys

over larger distances, but this challenge has

been eliminated recently with innovation

from companies like Arqit, he asserts,

which has "developed a way for quantum

key distribution to take place over satellite

systems to secure digital communications


Bestwick is under no illusions that the

menace from quantum computers is a clear

and present danger, as it threatens to

undermine PKI, which today forms the

foundations for most secure digital

communications. "However, innovations in

the area of symmetric encryption mean

there’s a way to avert disaster, but

businesses need to act promptly to protect

their data, today and in the future."



all at sea





When Carnival Cruises was hit by its

first data breach in 2020, it caused

deep concern within the industry.

This is, after all, the world's largest travel

company. When it succumbed to another breach in June this year - the fourth such breach in 15 months - the reaction was more akin to raised eyebrows, because unfortunately we have become somewhat desensitised to these occurrences, which have taken out many of the major corporates.

The latest Carnival Cruises breach saw data

compromised that contained names, dates

of birth, passport numbers, home addresses,

phone numbers, social security numbers,

along with COVID-19 test results. This came

on top of the other cyberattacks on Carnival

Corporation since the beginning of the

COVID-19 pandemic, two of which were

ransomware demands.

The travel and tourism sector, such as hotels

and airlines, has been heavily targeted of late,

as clearly it offers lucrative pickings. But why

do large organisations fall prey so readily to

multiple cyberattacks and data breaches? This

is a complex issue, most certainly, but Trevor

Morgan, product manager at comforte AG,

believes we can consider three aspects of any

organisation that would encourage multiple

successful attacks: value, culture and


"Let's look at each one to see how it

contributes to precipitating multiple

incidents," he comments. "Any enterprise

possessing highly valuable data will continue

to be a target, even if it has sustained

previous cyberattacks. Consumer-based

industries, such as travel and entertainment,

retail and financial services, definitely apply, as

they collect sensitive information on large

swathes of their customers and prospects.

The reason is simple: threat actors want that

data for personal gain.

"Whether the dataset contains thousands or

millions of data subjects, complete with

sensitive PII that can be used to initiate

identity theft or other fraud, or whether it

contains less volume, but more substantive

information, meaning something that can

hold up operations and be used as leverage

[think ransomware attacks on infrastructure

companies], the fact of the matter is that, if

the organisation gathers and stores sensitive

information, hackers want it."

A company's culture has quite a lot to do

with the ability to close down attack vectors

and thwart cyberattacks, adds Morgan.

"The reason is that a large percentage of

attacks originate from vulnerabilities caused

by human error. We're talking here about

misconfigurations, lifting and shifting

unprotected data or simply pure carelessness.

Companies that try to move too quickly and

put an emphasis on output, rather than

process, are particularly vulnerable to human

error. However, the organisation that actively

instils a culture of data privacy and security

among its employees has a much better

chance of deterring one or multiple attacks."


This type of culture not only depends on

the individual contributors caring about

sustaining that culture, he states, but also

on the executive team placing value and

meaning behind it, to assess performance

and allocate rewards, based on employees'

willingness to be more sensitive to data

privacy and security, and follow the right

processes to mitigate or eliminate human

error. If executives are seen dismissing the

'rules' to get something accomplished,

then this behaviour trickles throughout the

company as others emulate it, and soon

that valuable culture falls apart. Every

member of an organisation must be

absolutely committed to a corporate culture

of data privacy and security."

Lastly, technology clearly has a massive

impact on whether or not incidents become

successful data breaches. A huge organisation

that puts all its IT investment into

perimeter-based security, access control

and/or intrusion detection may be lulled into thinking that it is more secure, but in reality focusing on the perimeter and data access will only put off the moment when a threat actor successfully penetrates the perimeter barrier. "Therefore, many

cybersecurity experts advise a more holistic

approach whereby the data itself is

protected, along with the borders around

that data and user activity within the


"We're talking here about data tokenisation

and format-preserving encryption," says

Morgan. "These protection methods replace

sensitive data elements with innocuous

representational tokens, which render the

data meaningless, even if it falls into the

wrong hands. Better yet, data-centric security

that preserves format enables enterprises to

work with protected data, rather than 'de-protecting'

it for vital activities such as data

analytics. The less you de-protect your data,

the better off you'll be."
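Here is an added example (not comforte's product code or from the article) of the tokenisation described above, in Python: a vault that swaps each sensitive value for a random token of the same length and character shape, optionally leaving a trailing fragment such as the last four digits in the clear, so protected records still fit the existing schema and repeat passengers can be counted without de-protecting anything. It is a vault-based tokeniser rather than a standards-based FPE cipher such as NIST FF1, and the passenger records are constructed.

```python
"""Format-preserving tokenisation vault (added example; records are constructed)."""
import secrets
import string


class TokenVault:
    """Maps sensitive values to random tokens of the same shape and back.

    The two dictionaries are the vault: the only place real values live, and
    therefore the one component that must be strongly protected."""

    def __init__(self):
        self._to_token = {}   # (field, value) -> token
        self._to_value = {}   # (field, token) -> value

    @staticmethod
    def _shaped(value: str) -> str:
        """Random string with the same length and per-character class as value;
        separators such as '-' and ' ' are kept in place."""
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(pool))
            else:
                out.append(ch)
        return "".join(out)

    def tokenise(self, field: str, value: str, keep_tail: int = 0) -> str:
        """Token for value; keep_tail leaves the last N characters in the clear
        (e.g. last four digits) so support staff can still match a record.
        The same (field, value) always yields the same token, so joins still work."""
        key = (field, value)
        if key in self._to_token:
            return self._to_token[key]
        split = len(value) - keep_tail
        head, tail = value[:split], value[split:]
        if not any(c.isalnum() for c in head):
            raise ValueError("nothing to tokenise in " + field)
        for _ in range(1000):   # retry on the rare collision or identity token
            token = self._shaped(head) + tail
            if token != value and (field, token) not in self._to_value:
                break
        else:
            raise RuntimeError("token space exhausted for " + field)
        self._to_token[key] = token
        self._to_value[(field, token)] = value
        return token

    def detokenise(self, field: str, token: str) -> str:
        return self._to_value[(field, token)]


def protect_record(vault: TokenVault, rec: dict) -> dict:
    """Tokenise the sensitive fields of a passenger record; everything else stays."""
    out = dict(rec)
    out["name"] = vault.tokenise("name", rec["name"])
    out["passport"] = vault.tokenise("passport", rec["passport"])
    out["ssn"] = vault.tokenise("ssn", rec["ssn"], keep_tail=4)
    return out


def repeat_travellers(protected: list) -> dict:
    """Analytics on protected data: bookings per passport token, with no de-protection."""
    counts = {}
    for rec in protected:
        counts[rec["passport"]] = counts.get(rec["passport"], 0) + 1
    return {tok: n for tok, n in counts.items() if n > 1}


SAMPLE_RECORDS = [  # constructed for the example, not real people
    {"booking": "A1", "name": "Jane Doe", "passport": "P12345678", "ssn": "123-45-6789"},
    {"booking": "B2", "name": "John Roe", "passport": "Q87654321", "ssn": "987-65-4321"},
    {"booking": "C3", "name": "Jane Doe", "passport": "P12345678", "ssn": "123-45-6789"},
]

if __name__ == "__main__":
    vault = TokenVault()
    protected = [protect_record(vault, r) for r in SAMPLE_RECORDS]
    print(protected)
    print(repeat_travellers(protected))
```

Because tokens are deterministic per value, a breach of the analytics copy yields nothing useful, while the one store worth attacking (the vault) is small enough to lock down properly.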




Trevor Morgan, comforte AG: if an

organisation gathers and stores sensitive

information, hackers want it.

Amit Sharma, Synopsys Software Integrity

Group: security awareness training very

important for employees and partners

handling sensitive data.

Of course, other factors play into the

reasons that an organisation can be hit

multiple or many times by cyberattacks,

he points out. "The lesson, though, is that

enterprises aren't powerless, if they recognise

the true worth of the data they collect and

process, treat that data as their most valuable

asset and use the most comprehensive

strategy-including data-centric security-to

protect it against threat actors who want to

get to it."


The reasons why different organisations fail

to protect their systems and information

adequately and why some fall victim to

breaches repeatedly vary enormously, says

Richard Walters, CTO of Censornet. "Every

enterprise has unique attributes that inform

the security ecosystem they need to build

and manage to some degree. The travel

sector seems to struggle with securing

content in databases linked to externally-facing

web applications. This problem hasn't

just affected Carnival Cruises, but also BA,

Marriott, Cathay Pacific, Hyatt and easyJet."

To tackle this problem, he advises, the

travel industry needs to build security into

the software development lifecycle and

continuously assess externally facing

applications for vulnerabilities. "A Which?

study carried out midway through last year

looked at vulnerabilities in systems owned by

ninety-eight of the travel industry's biggest

names and identified many with hundreds of

vulnerabilities, including companies like BA

and Marriott, some of which had already

suffered major breaches. Marriott was the

worst, with 497 vulnerabilities."

There is nothing unique about the

challenges facing companies in this sector,

Walters continues. "Perhaps what is different

is that the travel industry has undergone a

dramatic transformation in recent years, with

web apps replacing brochures and travel

agents. What players in this industry have

failed to do is understand the associated

security issues. It's no different to what

we're seeing in the automotive industry,

with attacks on connected vehicles, or in

the medical device industry. None of the

companies in these sectors is an expert in

cyber security, but they seem unable to realise

they have a need to engage with companies

that are."

There is little doubt that security ecosystem

complexity - with larger organisations using

70-plus security point products - is also a

contributing factor. "Censornet research has

found that 92% of enterprises get more than

500 SOC alerts per day - which is a problem

when you consider that a single analyst

can handle just 10 alerts per day. Human

resources alone are dangerously insufficient,

leaving no time for proactive threat hunting

or searching for indicators of compromise.

There is an urgent need to bridge the gap

between alert overload and analyst capacity

in every sector - and the travel industry is

no different," he says. "The reality is that

breaches are often missed, due to alert

overload. All of the Indicators of Compromise

(IOCs) were almost certainly there in the logs




System breaches are not declining. Theft,

business disruptions, data leaks all continue

to occur, even though leaders know the risks.

Why? "Today's IT systems have only gotten

more complex," responds Keith Driver, chief

technical officer at Titania. "The rise of BYOD,

Software as a Service, the move to public or

hybrid cloud and especially working from

remote locations have given IT risk holders

a headache."

Building a fortress around IT assets is still

the norm, he points out, but it's become

an untenable form of protection for two

reasons. "First, the complexity of the IT

infrastructure makes it challenging to

determine and manage where the boundary

between corporate and external data exists.




Secondly, adversaries' capabilities [be they individuals or more sophisticated and well-funded actors] continue to grow.

"As a result, the ability to keep attackers

at bay gets harder and harder, resulting in

breaches. Determined attackers will always

find a way in. This is where Zero Trust

Architecture comes into play - approaching

security as if a compromise has or will occur

using functional blocks within a network that

require authorisation/authentication steps to

access resources. More organisations need to

adopt this approach. It requires a cultural

shift in addition to a different approach to

solutions. But once this assumption is made,

the strategy is one to ensure damage is

minimal. When there is no assumption of

trust, there is no assumption of identity

and no automatic authorisation to enter

a system. All of this makes it more difficult

for an attacker to move around a network

to gain access to more valuable assets."

It's not just about Zero Trust either, Driver

adds. "It's also important to segment a

network and control the access to it. This

makes it harder for attackers to navigate

from one end to the other and hit their

target. Here's where businesses fall down.

While both are critical to network security,

being vigilant about configuration can't take

a back seat. It needs to be correct and unable

to be compromised - either by attackers or by


"Businesses need to identify these vulnerabilities, examining routers, switches and firewalls using tools that score the level of risk and let them assess where the priorities lie, so time and resources are allocated appropriately. This gives organisations a complete picture of where, how and what can be compromised - across the network, on every device at every point of the day."
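The configuration review Driver describes, as an added worked example that is not Titania's tooling or code from the article: a small Python scorer runs a table of checks over a constructed, vendor-neutral device configuration and ranks the hits by severity so the riskiest lines surface first and review time goes where it matters. The configuration syntax, the four checks and their weights are all assumptions made for this illustration, not a reproduction of any product's rule set.

```python
"""Risk-score a network device configuration to prioritise review.

Added illustrative example; the configuration syntax, checks and severity
weights below are constructed for the illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample configuration in a simplified, vendor-neutral syntax.
SAMPLE_CONFIG = """\
hostname edge-fw-01
service telnet enable
snmp-server community public ro
access-list 100 permit ip any any
access-list 110 permit tcp 10.0.0.0/8 host 10.1.1.5 eq 443
access-list 120 deny ip any any log
ntp server 10.0.0.1
"""


@dataclass(frozen=True)
class Check:
    name: str
    pattern: str   # regex applied to each configuration line
    score: int     # 1 (low) to 10 (critical); constructed weighting
    advice: str


# Constructed check table: one regex per weakness, with a remediation hint.
CHECKS = [
    Check("cleartext management protocol (telnet) enabled",
          r"^service telnet enable$", 9,
          "disable telnet and manage the device over SSH only"),
    Check("default SNMP community string in use",
          r"^snmp-server community (public|private)\b", 8,
          "replace default community strings; prefer SNMPv3 with authentication"),
    Check("access list permits any source to any destination",
          r"^access-list \d+ permit \S+ any any$", 7,
          "restrict the rule to the specific hosts and ports that need it"),
    Check("deny rule without logging",
          r"^access-list \d+ deny (?!.*\blog$)", 3,
          "log denied traffic so probes are visible to monitoring"),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    line: str
    check: Check


def audit_config(config_text: str) -> list:
    """Run every check over every line; return findings, highest score first."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for check in CHECKS:
            if re.search(check.pattern, line):
                findings.append(Finding(line_no, line, check))
    return sorted(findings, key=lambda f: f.check.score, reverse=True)


def total_risk(findings: list) -> int:
    """Sum of finding scores: a crude per-device figure for ranking devices."""
    return sum(f.check.score for f in findings)


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f.check.score:2d}] line {f.line_no}: {f.check.name}")
        print(f"      {f.line}")
        print(f"      fix: {f.check.advice}")
    print(f"total risk score: {total_risk(results)}")
```

Run against the sample, the telnet line ranks first and the logged deny rule does not fire; the per-device total lets several device configurations be compared so the weakest box is reviewed first.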


"One common reason why data breaches take place is no - or improper - access control," says Amit Sharma, security engineer, Synopsys Software Integrity Group. "Third-party access is an area that is oftentimes neglected, thus providing opportunities to cyber-attackers. My recommendation would be for organisations to carry out in-depth checks on their infrastructure and the services they employ to operate and manage their applications and data. The first step involves classifying your data and then using the appropriate controls to protect it depending on the classification."


Other proactive measures that organisations can and should take include implementing an identity and access management (IAM) policy governing access controls, using strong passwords (and not re-using a password across services) and using encryption. "Secure vendor management policies should be in place, which should vet partners and vendors, thereby managing and controlling access to data that is exposed to vendors, contractors and third parties. Regular testing for loopholes and routine checks on the infrastructure are also important mechanisms to build into your security strategy. With the constant advancement in technologies, attack patterns are also changing rapidly and we need to evolve along with it. Firewalls are simply not enough," insists Sharma.

Reviewing the processes governing data handling is also crucial to ensure customer data is securely maintained. "With the ongoing pandemic, it's very common to see data being transmitted from unsecured networks and unmanaged machines.

"Other measures to consider include network segmentation, active monitoring and developing capabilities to respond to incidents effectively. Security awareness training not only for employees, but also for partners who are handling sensitive data, is also a very important consideration for an organisation."

Keith Driver, Titania: important to segment a network and control the access to it.

The travel sector seems to struggle with securing content in databases linked to externally-facing web applications.



information security





Much has been made of the 'new normal' that awaits us beyond COVID - or at least, this stage of COVID. As we learn to live either with or without the virus, we have already entered our post-lockdown lives. Those long-awaited holidays, that music festival, a three-time-postponed sporting event. Or, via a few clicks of a button, your online shopping network, your updated communications apps, your more dispersed and digitised social life.

It's understandable that people have been eager to get back to normal now that restrictions have lifted. However, in the race to return to these events, there has been an increased security conundrum - but what is the privacy price people are willing to pay to ensure that they are at the front of the queue when getting back into events, going on holiday and more?

What personal data are those in Europe willing to sacrifice for post-pandemic freedoms? At first glance, it's clear that we are willing to pay quite a hefty price. A new data privacy heatmap has explored the new consumer dynamic across Europe to gauge what people are, and are not, willing to share in the form of personal data, in order to access these new freedoms, solutions and online


In the UK, for example, almost three-quarters (72%) would be happy to share personal healthcare, location and contact data if it meant a quicker release of restrictions and back into events, festivals, social spaces or airports. And seven in 10 European respondents also stated they would be prepared to provide personal healthcare and movement data for more freedoms.

Furthermore, 45% of European respondents said they would willingly provide healthcare and movement data to help their own country overcome COVID-19. On the domestic front, 84% of Brits would share personal data for free digital services, while lures of discounts, online convenience or 'free gifts' would also tempt many out of their private details. While the promise of gifts and details may seem appealing, many don't realise the privacy implications of giving such information away.

These insights and attitudes bring fresh cybersecurity concerns to the fore. But is it a lack of awareness or a lack of care that is failing to halt the data deluge? It seems to be the latter. Almost all (95%) of Brits claim that data privacy is important to them, and they also seem to be aware of the pitfalls, with 83% voicing concern that their data could fall into the wrong hands over the next two years. And this sentiment is echoed throughout Europe, too. In fact, as revealed by the heatmap, 95% of Europeans feel data privacy is important but only 52% of the continent's population feel in control of their personal data. Eight in 10 Europeans also fear that their personal data will fall into the hands of criminals, just as Brits do.

While educating consumers is important, it is equally crucial that individuals themselves engage in considering their online security and its impact. A prime example would be social media and the ease with which people often share large amounts of private data without considering the wider implications as to who can access that information, such as advertisers and marketers. It is a case of taking responsibility for their online safety as they would in person. This includes understanding the information they are giving and whether the benefits outweigh the risks.


That being said, businesses hold the main responsibility for making people's privacy a priority. They must ask themselves not only from a legal standpoint, but from an ethical one: what is the purpose of the data that is being collected? And: what are the implications of having this data, should there be a security breach? After all, the more data that is held, the more at risk it becomes, meaning that only essential information should be collected. The most important question that businesses must ask themselves, however, is: what are we doing to protect consumers?

Not only will asking this question mean businesses are protecting customers' data more effectively, but they will also help protect themselves. After all, a GDPR violation can lead to fines of up to 20 million Euros, or up to four per cent of the company's global annual turnover - quite a hefty price to pay. And that's not including the reputational damage that comes with a data breach, if consumers understandably lose faith in a business's ability to manage their data.

Ian Thornton-Trump, CISO at Cyjax, suggests that the way to tackle many of the issues faced is through endpoint detection and response (EDR). "Increasingly, EDR is finding favour over traditional anti-virus, but to be most effective, these solutions must be deployed into a managed, licensed and hardened IT


This, in essence, would enable businesses to become more vigilant, in terms of cyber threats, equipping them with the tools to spot and manage them. Though an EDR solution is not a silver bullet, it's a vital part of an organisation's cybersecurity arsenal - which, when combined with staff education and a professional and personal sense of data protection responsibility, will help keep people's personal assets safe.

The majority of consumers are concerned about their data being stolen in the near future - and though the onus is on businesses to protect this information, individuals should also understand the implications of giving out their personal data - especially if it's for free gifts or discounts - and consider if it is really worth the return they receive. Overall, a careful balance must be struck between both the excitement of getting back to life as it once was and what data needs to be shared to unlock those



The public has long looked forward to embarking on much-missed holidays and attending events; however, as they get more confident and life resumes as normal, we must also seek to support them in their cybersecurity hygiene, as well as increasing their knowledge about how to protect themselves and their personal data, allowing them to enjoy those well-earned post-pandemic experiences safely.

Simple steps that consumers can take to limit the amount of personal data that is accessible include: deleting profiles and accounts from websites or apps that are no longer used; investing in password managers, which create, save and store passwords automatically, meaning people don't have to use the same password for all of the online services they use; and utilising the Right to Erasure, better known as 'The Right to Be Forgotten', which empowers people to be able to request that their data is completely removed from business


With these steps taken, and the amount of personal data 'out there' drastically lessened, people can feel more assured that their information is safe, and controlled, offering them far greater protection from their data being used for criminal or unethical gains.



new-world shake-up







Remote work has changed from an option to a necessity, as organisations worldwide have closed their offices amid the COVID-19 health crisis. With a remote or hybrid workforce, it's essential for companies to have proper security tools in place, protecting them from various threats that could lead to data breaches.

The work scene has completely changed since the outbreak of the COVID-19 pandemic. Last year, work from home became the new normal for many employees worldwide, followed by announcements of hybrid work arrangements this year. While, according to the Velocity Smart Technology Market Research Report 2021, remote work benefits productivity, due to reduced travel time, fewer distractions and a more flexible schedule, organisations must ensure that they are equipped with the right security tools. In the new reality of working from anywhere, there are various outsider and insider threats that can cause damage to a business, including fines, penalties and loss of consumer trust. There are also new ways of accessing confidential information, posing higher risks for sensitive data. And, if an employee compromises data while working remotely, it is more difficult to identify how and when it happened.

According to a Malwarebytes report, Enduring from Home: COVID-19's Impact on Business Security, the potential for cyberattacks and data breaches has increased since employees are working from home. Some 20% of respondents said they encountered a security breach, due to a remote worker, since the outbreak of the COVID-19 pandemic. This has led to higher costs, too, with 24% of respondents saying they paid unexpected expenses to address a cybersecurity breach or malware attack following shelter-in-place orders.

Therefore, the prevention and protection of data remain of utmost importance. Companies need to ensure that employees are handling and storing sensitive data such as Personally Identifiable Information (PII) securely, in accordance with different data protection laws. To achieve this, employers should put additional safeguards and provisions in place to prevent sensitive data from being misused or mislaid while employees work remotely.

Here are the most important steps companies with a distributed workforce should take to ensure data security:

1. Train employees

Cybersecurity training should be mandatory for every employee, regardless of their role or position in the company. They should be aware of the most common types of threats, including those caused by malicious outsiders, such as phishing attacks, and those originating within the organisation itself, caused by social engineering, shadow IT or sharing data with unauthorised persons. While criminal attacks are responsible for many data breaches, human error is also a significant contributor to security issues.

In these days of remote work, organisations need to take extra precautions regarding COVID-19 related scams. Employees need to be aware of suspicious links or attachments related to COVID-19, as internet criminals have widely exploited the pandemic in numerous phishing and scam campaigns. With employees working outside the office, companies must ensure that everybody knows basic password security, safe browsing habits and physical security. Training should be an ongoing procedure, with required video courses, assessments

2. Create a remote work policy

Establishing clear rules to govern how employees work remotely is another crucial step towards security. A telework or remote work policy needs to provide information to the workforce on how to act safely with corporate devices and data when working from outside the office. The absence of such a policy can compromise the compliance of the organisation.

To ensure security in the age of remote and hybrid work arrangements, the telework policy should include information on: whether or not employees are allowed to use personal devices when working outside of the office; if they can install non-work related software on the devices used for remote access; how they should report suspicious incidents while working from home, etc.

3. Require two-factor or multi-factor authentication

Two-factor authentication (2FA) or multi-factor authentication (MFA) is a security enhancement that can help to keep accounts and information safe from unauthorised entities. By applying this additional security layer, companies can ensure that unauthorised parties cannot remotely access their networks or user accounts.

When employees use 2FA or MFA to access and use any company apps, resources, tools or data, the likelihood of malicious outsiders gaining access to information is considerably

4. Have visibility and control over your company data

Data cannot be protected without knowing where it is stored and how it is used. An effective data security strategy ensures both. By deploying a Data Loss Prevention (DLP) solution, such as Endpoint Protector, companies can discover where their sensitive data resides and monitor the data flow. Unauthorised data transfers can be blocked with DLP software and administrators are alerted. In this way, it is possible to ensure that sensitive data, such as customers' personal data or intellectual property, does not get outside the corporate network or to a user without access.

5. Ensure policies remain active offline

When employees work remotely, they may not always have a continuous internet connection available. This means that, while their computer is offline, data protection policies are not active.

In this way, companies risk data loss and non-compliance with data protection laws like the GDPR or PCI DSS. By using a DLP solution that applies policies directly on the endpoint, organisations can ensure that data continues to be protected and monitored, whether a computer is online or not.

6. Use encryption

Data encryption is another important best practice from a security standpoint. When employees work remotely, it is even more critical, as it can ensure that, if a device is lost or stolen, data can't be accessed by unauthorised people. Hard drives and individual files can be encrypted with native encryption tools, like BitLocker in Windows and FileVault in macOS, without requiring additional investments.

Data transfers between company-owned systems and remote work locations should also be encrypted. A Virtual Private Network (VPN) is an easy and cost-efficient method to do this, with some VPNs offering military-grade 256-bit encryption of data. By providing a VPN service to all employees, their internet activities are carried out as if they are working directly in the office.

7. Keep systems and programs up to date

In these times of teleworking, ensuring that programs and operating systems are updated regularly is a critical aspect of security. Outdated systems and third-party applications often have weak spots and vulnerabilities, opening up the business for cyberattacks. Besides regularly updating the operating system and third-party applications, it is essential to keep an eye on the antivirus and antimalware program, as well as firewall firmware.

While work from home comes with IT security risks, the COVID-19 pandemic has irrevocably changed the world and remote work is here to stay. Employees enjoy a more relaxed environment, and there's no more stress and wasted time commuting, while employers can save money on office space and equipment, with no loss of

With this transition to remote work looking to be long term, now is the perfect time to secure employees' endpoints and ensure the company's data stays safe.



global intelligence




Advice on countering the most publicly known - and often dated - software vulnerabilities has been published for private and public sector organisations worldwide. It is part of a global initiative to combat cyber attacks by sharing intelligence and creating a united front.

The cyber agencies behind the drive - the UK's National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the Federal Bureau of Investigation (FBI) - have published a joint advisory*, highlighting 30 vulnerabilities routinely exploited by cyber actors in 2020 and those being exploited in 2021.

In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Today's advisory lists the vendors, products, and CVEs, and recommends that organisations prioritise patching those listed.


"We are committed to working with allies to raise awareness of global weaknesses - and present easily actionable solutions to mitigate them," states NCSC director for operations, Paul Chichester. "The advisory… puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices. Working with our international partners, we will continue to raise awareness of the threats posed by those that seek to cause harm."

As well as alerting organisations to the threat, the advisory directs public and private sector partners to the support and resources available to mitigate and remediate these


Meanwhile, guidance for organisations on how to protect themselves in cyberspace can be found on the NCSC website. The centre's '10 Steps to Cyber Security' collection provides a summary of advice for security and technical professionals. On the mitigation of vulnerabilities, network defenders are encouraged to familiarise themselves with guidance on establishing an effective vulnerability management process.


Elsewhere, the NCSC's Early Warning Service also provides vulnerability and open port alerts. This is a free NCSC service designed to inform your organisation of potential cyber attacks on your network as soon as possible. The service uses a variety of information feeds from the NCSC, trusted public, commercial and closed sources, which includes several privileged feeds not available

To sign up to the NCSC's Early Warning Service, go to:



So, what exactly does the service do? Early Warning filters millions of events that the NCSC receives every day and, using the IP and domain names you provide, correlates those which are relevant to your organisation into daily notifications for your nominated contacts via the Early Warning portal. Organisations that are signed up receive the following high-level types of alerts:



Incident Notifications - activity that suggests an active compromise of your system. For example: a host on your network has most likely been infected with a strain of malware

Network Abuse Events - this may be indicators that your assets have been associated with malicious or undesirable activity, such as a client on your network has been detected scanning the internet

Vulnerability and Open Port Alerts - indications of vulnerable services running on your network or potentially undesired applications are exposed to the internet. For example: you have a vulnerable application or have an exposed Elasticsearch service.

Cyber security researchers will often uncover malicious activity on the internet or discover weaknesses in organisations' security controls and release this information in information feeds. In addition, the NCSC or its partners may uncover information that is indicative of a cyber security compromise on a network. The NCSC will collate this information and use this data to alert organisations about potential attacks on their networks.

There are two types of alerts that will be sent out when an alert has been detected for any

Daily Threat Alert - this includes Incident Notifications and Network Abuse Reports

Weekly Vulnerability Alert - this includes Vulnerability and Open Port Alerts.
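The correlation and bundling described above, as an added example that is not NCSC code: a Python routine takes a handful of constructed feed events, keeps only those whose IP address or domain falls within the assets the organisation registered, and groups them into the Daily Threat Alert and Weekly Vulnerability Alert bundles. The event schema, the category names, the network ranges and the domains are all constructed for this illustration; the real service's formats are not public on this page.

```python
"""Correlate threat-feed events against an organisation's registered assets
and bucket them into daily and weekly alert bundles.

Added illustrative example, not NCSC code: the event schema, category names
and every address, domain and feed record below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed: the IP ranges and domains the organisation registered.
ORG_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]
ORG_DOMAINS = {"example.org"}

# Event category -> alert bundle, following the article's two alert types.
ALERT_SCHEDULE = {
    "incident": "Daily Threat Alert",
    "network_abuse": "Daily Threat Alert",
    "vulnerability": "Weekly Vulnerability Alert",
    "open_port": "Weekly Vulnerability Alert",
}

# Constructed feed events: a few of the "millions" a service would receive.
FEED_EVENTS = [
    {"category": "incident", "ip": "203.0.113.25",
     "detail": "host beaconing to a known malware command server"},
    {"category": "network_abuse", "ip": "203.0.113.77",
     "detail": "client observed scanning TCP/445 across the internet"},
    {"category": "open_port", "ip": "203.0.113.10",
     "detail": "Elasticsearch (9200/tcp) reachable from the internet"},
    {"category": "vulnerability", "domain": "vpn.example.org",
     "detail": "VPN gateway running a version with a known exploited flaw"},
    {"category": "open_port", "ip": "198.51.100.4",
     "detail": "exposed RDP"},                      # someone else's asset
    {"category": "incident", "domain": "mail.example.net",
     "detail": "phishing kit hosted"},              # similar name, not ours
    {"category": "incident", "ip": "not-an-ip",
     "detail": "malformed feed record"},            # must not crash the run
]


def owns_ip(ip_text: str) -> bool:
    """True if the address parses and sits inside one of our registered ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in ORG_NETWORKS)


def owns_domain(name: str) -> bool:
    """Exact or subdomain match only; 'notexample.org' must not match 'example.org'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in ORG_DOMAINS)


def is_relevant(event: dict) -> bool:
    if "ip" in event and owns_ip(event["ip"]):
        return True
    if "domain" in event and owns_domain(event["domain"]):
        return True
    return False


def correlate(events: list) -> dict:
    """Return {alert bundle: [events]} for events that touch our assets."""
    bundles = defaultdict(list)
    for ev in events:
        if not is_relevant(ev):
            continue
        bundle = ALERT_SCHEDULE.get(ev["category"])
        if bundle is None:
            continue  # unknown category: drop rather than guess a schedule
        bundles[bundle].append(ev)
    return dict(bundles)


if __name__ == "__main__":
    for bundle, evs in correlate(FEED_EVENTS).items():
        print(bundle)
        for ev in evs:
            where = ev.get("ip") or ev.get("domain")
            print(f"  [{ev['category']}] {where}: {ev['detail']}")
```

Of the seven constructed events, four land in the two bundles; the foreign address, the look-alike domain and the malformed record are dropped without aborting the run, which is the behaviour a recipient wants from a filter that sits in front of millions of events a day.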

The organisation involved can then use this information passed on by Early Warning to investigate the issue and implement appropriate mitigation solutions where required. The NCSC's website provides advice and guidance on how to deal with most cyber security concerns.


By signing up to Early Warning, an organisation will be alerted to the presence of malware and vulnerabilities affecting its network. Early Warning will notify on all cyber attacks detected by feed suppliers against that particular organisation. "This should not be used as the only layer of defence for a network," cautions the NCSC. "Early Warning should complement your existing security controls."


Early Warning aims to enhance security by increasing awareness of the low-grade incidents that could become much bigger issues, so that organisations can act on these at the earliest opportunity and have increased confidence in the security of their networks. Other key considerations:

The service is free and fully funded by the NCSC

Early Warning does not conduct any active scanning of a network itself. (However, some of the feeds may use scan-derived data - eg, from commercial feeds.)

CISA executive assistant director for Cybersecurity, Eric Goldstein, comments: "Organisations that apply the best practices of cyber security, such as patching, can reduce their risk to cyber actors exploiting known vulnerabilities in their networks. Collaboration is a crucial part of CISA's work and we have partnered with ACSC, NCSC and FBI to highlight cyber vulnerabilities that public and private organisations should prioritise for patching to minimise risk of being exploited by malicious actors."

For his part, FBI cyber assistant director Bryan Vorndran had this to add: "The FBI remains committed to sharing information with public and private organisations in an effort to prevent malicious cyber actors from exploiting vulnerabilities.

"We firmly believe that coordination and collaboration with our federal and private sector partners will ensure a safer cyber environment to decrease the opportunity for these actors to succeed."


Head of the ACSC, Abigail Bradshaw CSC, believes the guidance will be valuable for enabling network defenders and organisations to lift collective defences against cyber threats. "This advisory complements our advice available through cyber.gov.au and underscores the determination of the ACSC and our partner agencies to collaboratively combat malicious cyber activity."

Amongst those who see attacks and breaches every day out in the commercial world, Jon Fielding, managing director, EMEA Apricorn, sees the NCSC joint advisory as a great demonstration of collaboration and the growing need to mitigate against these common threats. "We are in a software age and digitalisation is being embraced by more and more businesses, but, in doing so, the risks are extended, as security fails to keep pace with the level of software development which can provide a weak link into a corporate network. Ultimately, businesses will never be 100% secure and, whilst the joint advisory is a positive step, data needs to be kept offline and encrypted wherever possible. Employing a hardware-centric approach, void of software involvement and encrypting sensitive data wherever it resides [server, laptop, removable media] is imperative, so that, if defences are breached, you remain

* https://us-cert.cisa.gov/ncas/alerts/aa21-209a



asset disposal




In July 2019, ADISA CEO Steve Mellings sent a rather speculative email into the ICO, asking for details about how he could apply to get the ADISA ITAD Industry Standard recognised under Article 42 of the then EU GDPR. "That request now seems a very long time ago," he reflects, "as we have battled through Brexit, creation of UK GDPR and, of course, COVID challenges. But, as per the ICO press release on 19 August, I'm delighted to now be able to publicly confirm that ADISA IT Asset Recovery Standard 8.0 has become one of the first Standards approved by the Commissioner."

"A key part of our work with the ICO was to find a way to empower the data controller to make decisions on critical processes undertaken during the asset recovery and data sanitisation activity which they may not even be aware of," explains Mellings. "These processes introduce risk and the ICO made it clear that the data controller needed to be made aware of these and be able to determine the level of controls required."

This caused much discussion about how it could be achieved without a requirement for the data controller to be completely hands-on in the process and it wasn't until he remembered the old CESG Business Impact Levels that the solution became apparent.

"By customising that concept, ADISA has created the 'Data Impact Assessment Level' or 'DIAL'. This is a formula in which the data controller answers five simple questions, which will then identify them at a particular DIAL rating. These questions are based on threat, risk appetite, categories of data, volume of data and, finally, impact of a data breach, and will enable the controller to present to their supplier a 'DIAL' that is determined by their own responses to those key questions.

"This has allowed the ADISA Standard 8.0 to introduce a tiering level for the controls, which are put in place in over 30 areas where different risk countermeasures have been identified. With a total number of 221 criteria, this is the most exacting assessment of a data processor within this specific industry," adds Mellings.

"In short, it means that, over the two-year period, we've worked with the Commissioner to agree on what needs to happen during the Asset Recovery and Data Sanitisation process for it to be viewed as UK GDPR compliant. With data protection and cyber security being a complex area, this new ICO-approved Standard can help fix one problem that many don't even know they have - how to dispose of retired assets and ensure regulatory compliance."

"Whilst Standard 8.0 has now been formally recognised, we are now undertaking the second part of our project, which is to get our auditing process UKAS accredited, such that we have a UK GDPR-approved scheme," he adds. "We've been working on this behind the scenes for over 12 months and our application to UKAS is now in, and we expect this process to take between 6-9 months. This will provide ample time for existing certified ITADs and new applicants working towards 8.0 to ensure those companies certified to Standard 8.0 can genuinely evidence UK GDPR compliance."

To find out more, go to https://adisa.global



CS Nominations 2021





It's official: the Computing Security Awards for 2021 will be taking place LIVE in London in December! (Page 3) Forced to go 'virtual' last year, the news couldn't be more welcome - and we plan to celebrate the occasion with all the panache and passion of previous awards. In the meantime, we need you - our readers - to play a key part in the build-up by nominating those Companies, Products & Services you feel deserve recognition for the impact they have had over the last 12 very difficult months. You may want to reflect on some of the following criteria, for example, in reaching your verdict:

Which companies have helped to secure your organisation's digital infrastructure over the past year?

What Cyber Security products/services have most impressed you?

Are you a Cyber Security company that's proud of the service or technology you have provided to customers?

Go to the awards nominations page now - computingsecurityawards.co.uk - and cast your votes.


Advanced Persistent Threat (APT) Solution of the Year
AI and Machine learning based Security Solution of the Year
Anti Malware Solution of the Year
Anti Phishing Solution of the Year
Cloud-Delivered Security Solution of Year
Compliance Award - Security
Contribution to CyberSecurity Award - Person
Customer Service Award - Security
Cyber Security Innovation Award: Countering Covid-19
DLP Solution of the Year
Editor's Choice - Benchtested
Email Security Solution of the Year
Encryption Solution of the Year
Enterprise Security Solution of the Year
Identity and Access Management Solution of the Year
Incident Response & Investigation Security Service Provider of the Year
Mobile Security Solution of the Year
Network Security Solution of the Year
New Cloud-Delivered Security Solution of the Year
New Security Software Solution of the Year
One to Watch Security - Company
One to Watch Security - Product
Penetration Testing Solution of the Year
Remote Monitoring Security Solution of the Year
Secure Data & Asset Disposal Company of the Year
Security Company of the Year
Security Distributor of the Year
Security Education and Training Provider of the Year
Security Project Category(s) of the Year
Security Reseller of the Year
Security Service Provider of the Year
SME Security Solution of the Year
Threat Intelligence Award
Web Application Firewall of the Year

To discuss nominating, voting, becoming a sponsor or booking seats at the Awards ceremony, please contact:

Edward O'Connor - Email: edward.oconnor@btc.co.uk - Tel: +44 (0) 1689 616000
Lyndsey Camplin - Email: lyndsey.camplin@btc.co.uk
Stuart Leigh - Email: stuart.leigh@btc.co.uk

Nominations open - 20 August
Nominations close - 24 September
Finalists announced & voting opens - 1 October
Voting closes - 19 November
Awards Ceremony - 2 December








From cyber criminals who seek personal

financial information and intellectual

property to state-sponsored cyber

attacks designed to steal data and

compromise infrastructure, today's advanced

persistent threats (APTs) can sidestep cyber

security efforts and cause serious damage to

your organisation. A skilled and determined

cyber criminal can use multiple vectors and

entry points to navigate around defences,

breach your network in minutes and evade

detection for months. APTs present a massive

challenge for organisational cyber security.


"While traditional cybersecurity measures

are effective for dealing with opportunistic

cybercrime, they are not enough to protect

organisations against APT attacks," says David

Emm, principal security researcher, Kaspersky.

"Rather, it's essential to deploy a specific

anti-targeted attack solution that is able

to proactively monitor the network and

combines extended detection and response

capabilities - combining in-depth

investigation, threat hunting and central

management and co-ordination.


"Counteracting modern cyber-threats also

requires a 360-degree view of the TTPs

[Tactics, Techniques and Procedures] used by

advanced threat actors. While the TTPs of

some APT threat actors remain consistent

over time, others refresh their toolsets and

infrastructure, and extend the scope of

their activities. Nevertheless, it's difficult

for attackers to completely change their

behaviour and methods during attack

execution - so identification and analysis of

these patterns promptly helps organisations

deploy effective defensive mechanisms in

advance, thereby disarming attackers and

disrupting the kill-chain," states Emm.

"That's why it's important to harness the

benefits of threat intelligence, to track threat

actors and uncover the most sophisticated

and dangerous targeted attacks across

the world. This will enable organisations

to proactively deploy effective threat

detection and risk mitigation controls

for the associated campaigns - across

enterprises, financial services businesses,

government organisations and managed

security service providers."

Organisations that rely solely on defence-in-depth,

firewalls and antivirus risk leaving

themselves open to cyber-attacks, especially

given how massive an undertaking it is to track,

analyse, interpret and mitigate constantly

evolving IT security threats.

"Enterprises across all sectors are facing a

shortage of the up-to-the-minute, relevant

data they need to help manage the risks

associated with IT security threats, due to:

real threats being buried among thousands

of insignificant alerts; poor incident

prioritisation; inadequate internal funding

due to poor risk visibility; undiscovered, but

active, threats lurking within an organisation;

unknown attack vectors being missed;

and companies pursuing a security strategy

that's not aligned with the current threat

landscape," he cautions.

"Even sophisticated APT threat actors

typically gain an initial foothold by using

social engineering to trick staff into doing

something that jeopardises corporate security

- eg, clicking on a malicious link - so it's vital

to find imaginative ways to 'patch' the

organisation's human resources. This means

identifying risky behaviours and developing

a plan for reshaping people's behaviour. The

ultimate goal should be to develop a security

culture that encompasses digital and real-world

behaviour - and extends into how staff

operate when at home or when travelling.

Purpose-built online security awareness

platforms can help with this."


"Using Advanced Persistent Threats, threat

actors utilise various methods to infiltrate

targeted networks," says Bindu Sundaresan,

director at AT&T Cybersecurity. Some of the

standard attack methods she points out are:

• Social engineering: the attackers employ manipulative means to obtain confidential information. This includes phishing attacks, pretexting, tailgating and other means to enter the targeted network

• Zero-day attack: the attackers profit from a security flaw in software before a security patch is made or installed

• Supply chain attack: the attackers exploit vulnerabilities within the supply chain. These may be commercial partners and suppliers who are connected to the targeted network

• Use of backdoors: the attackers exploit undocumented access to software or use malware to install backdoors that bypass authentication.

The defence-in-depth model needs to

evolve to stay relevant by adopting

automated security and a zero-trust model,

she points out. "With this model, security

teams can scale their efforts in the

constantly-changing world of cybersecurity.

There are different levels of traditional

cybersecurity tools, such as firewalls,

antivirus, and defence in depth (IPS, IDS),

which aren't enough against an attack by

an APT. Still, they are necessary as essential

foundational must-haves from a security

standpoint. Advanced security consisting of

network devices with sandboxing systems,

new generation SIEM, EDR and subscriptions

to cyber intelligence services are essential to

detect and respond to attacks of the APT

magnitude. Early detection of APT attacks

is critical for successful mitigation before

networks are compromised and sensitive

data is exposed."

"APT is a multi-faceted attack and defences

must include multiple techniques, such

as email filtering, endpoint protection,

privileged access management, and visibility

into the traffic and user behaviour," continues

Sundaresan, expanding on these as follows:

• Email filtering: "Most APT attacks leverage phishing to gain initial access. Filtering emails, and blocking malicious links or attachments within emails, can stop these penetration attempts."

• Endpoint protection: "Most APT attacks involve the takeover of endpoint devices. Advanced anti-malware protection and Endpoint Detection and Response can help identify and react to compromise of an endpoint by APT actors."

• Access control and Privileged Access Management: "Strong authentication measures and close management of user accounts, with a particular focus on privileged accounts, can reduce APT risks."

• Monitoring of traffic, user and entity behaviour: "Visibility and monitoring can help identify penetrations, lateral movement and exfiltration at different stages of an APT


As the definition of APT implies success

against you and your organisation, never has

detection and response been so important,

she concludes. "Preparation is paramount;

the fight against APT is a continuous effort,"

she warns. "Organisations need to become

aware of the nature of these attacks, and the

types of effective practices and technologies

that can help to combat them."
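The "monitoring of traffic, user and entity behaviour" control above is the one most often left at the level of a slogan, so here is what the simplest version of it looks like in code. This is an added example, not code from the article or from AT&T Cybersecurity: a small lateral-movement heuristic run over constructed, simplified Windows logon records (event 4624 fields rendered one per line, an assumed format). It flags an account that fans out over network logons to several distinct hosts within a short window, and an account that authenticates from a source it has never been seen on before. The sample log, thresholds and field layout are all assumptions.

```python
"""Lateral-movement heuristic over Windows-style logon events.

Added example (not from the article or AT&T Cybersecurity). The input format
is an assumed, simplified one-line rendering of Security event 4624/4625
fields; the log below is constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"User=(?P<user>\S+)\s+Src=(?P<src>\S+)\s+Dst=(?P<dst>\S+)"
)

# Constructed sample: a backup service account that normally touches one file
# server from one host suddenly fans out to many hosts from a workstation in
# the small hours. alice is ordinary interactive/network use for contrast.
SAMPLE_LOG = """\
2021-09-13T09:00:01Z EventID=4624 LogonType=3 User=svc_backup Src=10.0.1.10 Dst=FS01
2021-09-13T21:00:02Z EventID=4624 LogonType=3 User=svc_backup Src=10.0.1.10 Dst=FS01
2021-09-14T02:13:05Z EventID=4624 LogonType=3 User=svc_backup Src=10.0.5.23 Dst=FS01
2021-09-14T02:13:41Z EventID=4624 LogonType=3 User=svc_backup Src=10.0.5.23 Dst=DC01
2021-09-14T02:14:12Z EventID=4624 LogonType=3 User=svc_backup Src=10.0.5.23 Dst=SQL02
2021-09-14T02:15:30Z EventID=4624 LogonType=3 User=svc_backup Src=10.0.5.23 Dst=HR-APP
2021-09-14T02:16:02Z EventID=4624 LogonType=3 User=svc_backup Src=10.0.5.23 Dst=WS-118
2021-09-14T08:30:00Z EventID=4624 LogonType=2 User=alice Src=10.0.7.41 Dst=WS-041
2021-09-14T08:31:00Z EventID=4624 LogonType=3 User=alice Src=10.0.7.41 Dst=FS01
"""


def parse_events(text):
    """Parse the one-line records into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate blank or unparseable lines
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "src": m["src"],
            "dst": m["dst"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_lateral_movement(events, window=timedelta(minutes=10), min_hosts=4):
    """Return alerts for two patterns:
    (a) "fanout": an account with successful network logons (type 3) to at
        least `min_hosts` distinct hosts inside a sliding `window`;
    (b) "new_source": an account authenticating from a source address it has
        never used earlier in this feed (a crude per-account baseline).
    """
    recent = defaultdict(deque)   # user -> deque of (ts, dst) inside window
    known_src = defaultdict(set)  # user -> source addresses seen so far
    fanout_alerted = set()        # (user, src) pairs already reported
    alerts = []
    for ev in events:
        if ev["eid"] != 4624:
            continue  # this heuristic only looks at successful logons
        user, src = ev["user"], ev["src"]
        # (b) new source for an account we already have history for
        if known_src[user] and src not in known_src[user]:
            alerts.append({"type": "new_source", "user": user,
                           "src": src, "ts": ev["ts"]})
        known_src[user].add(src)
        # (a) fan-out over network logons inside the sliding window
        if ev["lt"] != 3:
            continue
        q = recent[user]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) >= min_hosts and (user, src) not in fanout_alerted:
            fanout_alerted.add((user, src))
            alerts.append({"type": "fanout", "user": user, "src": src,
                           "ts": ev["ts"], "hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this raises two alerts for svc_backup: a new source at 02:13:05 and a fan-out to four hosts by 02:15:30, and nothing for alice. The "new source" baseline here is only what appeared earlier in the same feed; in production it would be a learned per-account profile with known jump hosts and scanners excluded, and the fan-out threshold would be set per account class (service accounts that legitimately touch many hosts need a higher bar).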


For years, threat actors, like nation states and

cybercriminals, had distinct motivations and

different tools, comments Sam Curry, chief

security officer, Cybereason. "Nation states, or

'advanced persistent threats' as we called

them, moved like submarines, stalking ships

in the waters of target networks, carrying out

the policies of their governments and

providing asymmetric options, aside from the

normal diplomatic, economic, and military

strategies and tactics.

"By contrast, the fight against cybercriminals

more resembled battleship warfare than

submarine. The motivation among criminals

was profit and, as such, it was about

maximising the number of victims and

wringing every drop from an infection for as

long as possible. Even in the old days, the

security industry was not up to the task of

stopping either the malicious operations of

nation states nor the smash-and-grab theft

of cybercriminals."

The silver lining, however, adds Curry, is

the emergence of endpoint detection and

response (EDR), which is often mistaken

for a mere extension of existing endpoint

protection technologies like antivirus or

personal firewalls. "It is a tool for finding the

advanced operations and provides the

hunter-killer options for the cyber conflicts

being waged on corporate and government

networks. EDR has evolved first into

managed detection and response (MDR),

providing the men and women behind

screens in managed services, and into

extended detection and response (XDR), uplifting

the telemetry recording from formerly

ubiquitous endpoints to the transformed

enterprise of SaaS, Cloud Infrastructure and


Sam Curry, Cybereason: nation states moved like submarines, stalking ships in the waters of target networks.

Bindu Sundaresan, AT&T Cybersecurity: the defence-in-depth model needs to evolve to stay relevant.

David Emm, Kaspersky: it's essential to deploy a specific anti-targeted attack

Fast forward to today, and the dark side

ecosystem is very different, he states.

"The attackers have not slowed down and

have, in fact, evolved at a faster rate than

defenders have, except perhaps among the

most sophisticated defenders. Not only

are they attacking the newer infrastructure

associated with SaaS services, but they are

now targeting the new IT stack in the form

of IaaS and PaaS compromise. In the last

five years, the lines among attackers have

become more blurred, with sharing of tools

and relationships that mirror the alliances,

investments and partnerships of the more

normal and legitimate industries."


Further, the motivations for each actor have

become less distinct, adds Curry, "with nation

states pursuing currency, in the case of North

Korea, fostering ransomware, in the case

of Russia, and development of supply chain

compromises, in the case of Russia and

China, to name just a few".

The most insidious examples of these are

developments in the last six months, he says.

"The first is ransomware, which is really a

combination of the old APT-style delivery

mechanism through stealthy submarine-like

operations, but doing so for profit. The

second and most recent is evident in

the recent Kaseya attack: supply chain

compromise for the purpose of delivering

ransomware as the payload. This is a killer


This is the reason for the mandate of EDR

(or MDR or XDR) for the US Federal

government in the recent White House

Executive Order, he points out. "Having a

means of finding the attacks as they move

in the slow, subtle, stealthy way through

networks isn't an option. This class of tool

isn't the be-all and end-all, but it's at the top

of the toolkit, along with more advanced

prevention, building resilience, ensuring that

the blast radius of payloads is minimised and

generally using peace time to foster antifragility.

The most significant takeaway: it's

not about who we hire or what we buy. It's

about how we adapt and improve every day."


The worst APTs - or the best APTs, depending

on which side of the fence you're on - are

highly targeted, comments Richard Walters,

CTO of Censornet. "They are painstakingly

researched and crafted with the exact target

environment in mind. In any security

ecosystem consisting of numerous point

products, there will be some that are not

fully integrated - even those that are multi-layered

and provide defence-in-depth. This

means there will be security gaps."

APTs are written to relentlessly persist until

those gaps are found and access is gained,

he adds. "VPNs from Pulse Secure, Fortinet

and Palo Alto Networks, as well as VMware's

ESXi Hypervisor, SolarWinds Orion and

O365, have all been targeted. And


"APTs are often so intricately coded to the

target network that they can only have been

designed and written by well-funded,

well-organised entities, such as a foreign

government, a criminal gang or large

enterprise. These need not be mutually

exclusive. Governments will use criminal

organisations to carry out cyber espionage,

enabling them to exercise plausible

deniability. There is an ever-growing body

of evidence for state and criminal actor cooperation

and cross-over.

"Whilst you must be an extremely attractive

and otherwise impenetrable target for state

or criminal actors to use a true zero-day

exploit against you," comments Walters

[given that they cost low single digit millions

of dollars], "customised malware variants

may often form part of an APT, using string

obfuscation to avoid detection by traditional

anti-malware tools. Sandboxing helps -

although not all sandboxes are the same -

but sandbox use is often limited to the email

security channel."

APTs may also consist of multiple layers.

"Too often, an initial threat or infection that

appears to be known and straightforward is

identified, the infected endpoint is cleaned,

rather than subjected to a complete, bare

metal install, and the infosec team moves on.

One month later, the next APT layer activates

and it is harder to detect using standard

security tools. A low and slow approach is

often more successful."
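Walters' "low and slow" point is exactly what makes periodic command-and-control callbacks worth hunting in connection logs: a dormant second stage that checks in every few minutes for weeks leaves a timing signature even when its payload is obfuscated. The following is an added example, not code from the article or from Censornet: a beaconing heuristic over constructed outbound connection records (timestamp, source host, destination) that flags a source/destination pair whose gaps between connections are far more regular than human browsing. The record shape, the sample hosts and the thresholds are assumptions.

```python
"""Beaconing heuristic over outbound connection records.

Added example, not from the article or from Censornet. Records are a
constructed, simplified export of (timestamp, source host, destination);
the thresholds are assumptions to be tuned against real traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

BASE = datetime(2021, 9, 14, 2, 20, 0)  # constructed start time


def _at(seconds):
    return BASE + timedelta(seconds=seconds)


# Constructed sample: WS-118 calls 203.0.113.7 every ~10 minutes with a few
# seconds of jitter (a beacon); WS-041 browses 198.51.100.20 at irregular
# times and touches 192.0.2.9 only twice (too few events to judge).
SAMPLE_RECORDS = (
    [(_at(s), "WS-118", "203.0.113.7")
     for s in (0, 601, 1199, 1803, 2397, 3002, 3598, 4205)]
    + [(_at(s), "WS-041", "198.51.100.20")
       for s in (0, 37, 2900, 2910, 2915, 9000, 15000)]
    + [(_at(s), "WS-041", "192.0.2.9") for s in (100, 700)]
)


def find_beacons(records, min_count=6, max_cv=0.15, min_interval=60):
    """Return source/destination pairs whose connection gaps look periodic.

    A pair is reported when it has at least `min_count` connections, the
    mean gap is at least `min_interval` seconds (ignores interactive
    bursts) and the coefficient of variation of the gaps (stdev / mean)
    is at most `max_cv`, i.e. the timing is far more regular than a person
    clicking around.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_interval:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(stamps),
                "median_interval": median(gaps),
                "cv": round(cv, 4),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_RECORDS):
        print(hit)
```

On the sample only WS-118 to 203.0.113.7 is reported (median gap about 601 s, coefficient of variation under 0.01); the browsing pair has a similar average gap but a coefficient of variation above 1, and the two-connection pair never reaches the minimum count. Attackers know this check and add jitter or hide behind popular SaaS domains, so the cv threshold is a starting point to be combined with other signals (near-constant request sizes, destination reputation, first-seen age) rather than an alert on its own.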



Pragmatic and experienced risk

management professionals

Xcina Consulting is committed to providing high quality risk assurance and advisory services informed by

many years of lived client experiences.

For over 10 years, our clients have enlisted our services to design, assess, test and implement risk

management frameworks in key areas of the organisation, ensuring compliance with best practice,

industry standards, laws and regulations.

We support all organisations with challenging and complex requirements to effectively manage their risks

to realise value.

Our pragmatic, well qualified and experienced consultants design targeted solutions suited to our clients’

specific requirements. No generic templates from us.

We are accredited by the Payment Card Industry’s Security Standards Council as a Qualified Security

Assessor (QSA) company and are a British Standards Institution (BSI) Platinum member for the provision of

ISO27001 (Information Security) and ISO22301 (Business Continuity) services.

Our Core Services:

• Operational Resilience

• Business Continuity and Crisis


• Information Security / Cyber Security

• IT and OT Security

• Payment Card Industry

• Enterprise Risk Management

• Due Diligence

• Internal Audit

• Process Improvement

• Third Party Management (including


• Regulatory Compliance (FCA, PRA)

• Data Protection

• Project and Change Management

• Internal Controls Assurance (ISAE3402,


Xcina Consulting

1 King William Street | London | EC4N 7AF | E info@xcinaconsulting.com | T 020 3985 8467 | xcinaconsulting.com
