CS Sep-Oct 2021
Computing Security
Secure systems, secure data, secure people, secure business
Computing Security September 2021

PULSATING TIMES: Health check on warding off a cyber security attack
CHIMES OF FREEDOM: As COVID strictures ease, data vigilance remains vital
WEIGHTY OUTCOMES: The top 30 vulnerabilities all highlighted and shared
QUANTUM LEAPS AND BOUNDS: Current digital infrastructure on verge of being obliterated

NEWS, OPINION, INDUSTRY, COMMENT, CASE STUDIES, PRODUCT REVIEWS
comment

2021 COMPUTING SECURITY AWARDS.... WILL BE LIVE!

After what seems like an eternity of lockdown, we can finally make the announcement: the Computing Security Awards are back to their full glory and live for 2021!

The pandemic forced a rethink in 2020, with the much-feted gala occasions that we have all come to know and love so well sadly set to one side and the actual awards themselves having to be carried out remotely. Yet, such is their enduring impact, they were still a huge success, with the distant popping of the champagne corks in the offices of the winners widely reported in the aftermath.

So, it is my pleasure and delight to announce that the 2021 Computing Security Awards ceremony will once again be held before a living, breathing, up-close audience.

But before that day is upon us, we need the help of you, our readers, in deciding who will make it into this year's final, with the prospect of claiming the top prizes. So, tell us which companies have helped to secure your organisation's digital infrastructure over the past year? What cyber security products/services have impressed you most? Who came to your aid when remote working threatened to bring your systems to a grinding halt?

Go to the awards nominations page now - computingsecurityawards.co.uk - and choose those companies, products and services you feel deserve the highest recognition for how they have performed over the last 12 months.

The nominations phase will remain open until Friday, 24 September, but please make your choices now - time soon flies by and we don't want to miss out on your selections.

Then, with our shortlists compiled for all of the awards categories, we will all 'dress to impress' for the grand climax itself, when the winners and runners-up are revealed at the Computing Security Awards Ceremony in London on Thursday, 2 December, 2021.

Yes, it's back - and it's live!

Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk

EDITOR: Brian Wall (brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)
SALES: Edward O'Connor (edward.oconnor@btc.co.uk) +44 (0)1689 616 000; Lyndsey Camplin (lyndsey.camplin@btc.co.uk) +44 (0)7946 679 853; Stuart Leigh (stuart.leigh@btc.co.uk) +44 (0)1689 616 000
PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)
Published by Barrow & Thompkins Connexions Ltd (BTC), 35 Station Square, Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS: UK: £35/year, £60/two years, £80/three years; Europe: £48/year, £85/two years, £127/three years; R.O.W: £62/year, £115/two years, £168/three years. Single copies can be bought for £8.50 (includes postage & packaging). Published 6 times a year.
© 2021 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.
www.computingsecurity.co.uk @CSMagAndAwards
CONTENTS

COMMENT 3
Our 2021 Awards will be LIVE!

ARTICLES

FAME REACHES OUT 6
Jeffrey Carpenter and (posthumously) Dan Kaminsky have been inducted into FIRST's Incident Response Hall of Fame.

ADDING MFA TO WINDOWS LOGON 8
Authentication to the laptop or the server itself can often be overlooked, cautions SecurEnvoy's Michael Urgero

FIGHTING RANSOMWARE WAR 10
In the first six months of this year alone, global ransomware volume reached an unprecedented 304.7 million attempted attacks. Stopping ransomware groups is no small task. The scale of the economy behind these groups is significant, with many boasting corporate structures of their own

MORE THAN A ROLL OF THE DICE 14
Making assumptions can be a big mistake - yet sometimes it can pay off handsomely, as with information security, says Paul Harris, Managing Director, Pentest Limited

CYBER DEFENCES CHALLENGED 16
When Cheshire and Merseyside Health and Care Partnership wanted to see how it would stand up to a cyber-attack, it asked Gemserv Health to test its defences

QUANTUM LEAPS - AND BOUNDS 18
The time to prepare for a safe quantum computing future is now, argues Chris Erven, CEO, KETS Quantum Security. Why? Because we don't go 30 seconds without touching digital technology of some kind, all of which is networked, none of which is quantum-safe, he points out.

CRUISING FOR A BRUISING 21
Carnival Cruises suffering four data breaches in 15 months flags up what tempestuous waters the travel industry can sail in. But why do many organisations fail to protect their systems and information, and fall victim to repeated breaches?

PRIVACY PAYOFF: CHAMPIONING DATA VIGILANCE POST-PANDEMIC 24
Educating consumers on data security is very important, but individuals must play their part, too, points out David Emm, principal security researcher at Kaspersky

PROTECTING BUSINESS DATA IN A TIME OF 'WORK FROM ANYWHERE' 26
Carmen Oprita of Endpoint Protector by CoSoSys looks at the many outsider and insider threats that can damage businesses - and how they can fight back

CYBER AGENCIES START TO FLEX THEIR COLLECTIVE MUSCLES 28
International allies share details of the top 30 vulnerabilities that were routinely exploited by malicious actors in 2020

ADISA SETS THE STANDARD 30
ADISA Asset Recovery Standard 8.0 has been formally approved by the UK Information Commissioner's Office

WE WANT YOUR AWARDS VOTES! 31
It's time to select your top performers for the Computing Security Awards 2021

HOW TO DISRUPT THE KILL-CHAIN 32
Top cyber criminals can swiftly navigate around your defences, breach your network in minutes and evade detection for months. Advanced persistent threats (APTs) present a massive challenge - but what is the most effective way forward?
industry honours

FAME REACHES OUT

INDUSTRY STALWARTS INDUCTED INTO HALL OF FAME

Pictured: Jeffrey Carpenter, who has dedicated more than 30 years to improving the state of information security, and Dan Kaminsky, best known for his work finding a critical flaw in the Internet's Domain Name System (DNS).

Jeffrey Carpenter and (posthumously) Dan Kaminsky are the latest to be inducted into FIRST's Incident Response Hall of Fame. They join past inductees Ian Cook, Don Stikvoort and Klaus-Peter Kossakowski.

Jeffrey Carpenter has dedicated more than 30 years to improving the state of information security. In 1995, he joined the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute, initially as an incident response analyst, then five years later managing more than 50 technical individuals.

He was instrumental in helping the US Department of Defence and the US Department of Homeland Security create teams to exchange incident information and indicators between government and critical infrastructure organisations. He also worked closely with the US Department of Homeland Security on the formation of US-CERT, the national computer security incident response team (CSIRT) for the United States.

NATIONAL INCIDENT RESPONSE

Carpenter helped many other governments and regional organisations around the world establish national incident response capabilities. He founded a successful annual conference for technical staff working for CSIRTs with national responsibility to promote collaboration among these organisations. His active involvement in the incident response community over the years has included presenting in various forums, and serving on Forum of Incident Response and Security Teams (FIRST) committees and working groups. He is currently the Secureworks senior director of Incident Response Consulting and Threat Intelligence.

"I am humbled by this honour," said Carpenter. "This recognition also reflects the efforts of my former colleagues at the CERT Coordination Center to advance the incident response community, for I could not have had any success without them. In addition, it is a privilege to be inducted with my friend Dan Kaminsky, whose work in incident response and product security impacted so many people. We miss him dearly."

INSPIRATIONAL HUMAN BEING

Dan Kaminsky (1979-2021) was a noted American security researcher - best known for his work finding a critical flaw in the Internet's Domain Name System (DNS) and leading what became the largest synchronised fix to the Internet infrastructure of all time in 2008. He was also known for being a great human being - helping colleagues, friends and community members attend events, working on many health apps, assisting colour-blind people, hearing aid technology and telemedicine, and fighting as a privacy rights advocate. His ethos was to do things because they were the right thing to do, not because they would elicit financial gain.

Kaminsky was co-founder and chief scientist of WhiteOps (recently renamed Human) and spent his career advising several Fortune 500 companies, such as Cisco, Avaya and Microsoft, on their cybersecurity. In addition, he spent three years working with Microsoft on their Vista, Server 2008 and Windows 7 releases.
MFA and Windows

ADDING MULTI-FACTOR AUTHENTICATION TO WINDOWS LOGON

ONE KEY AREA OF SECURITY THAT CAN OFTEN BE OVERLOOKED IS THE AUTHENTICATION TO THE LAPTOP OR THE SERVER ITSELF. PROTECTING THESE CORPORATE ASSETS IS AN URGENT ISSUE, CAUTIONS SECURENVOY'S MICHAEL URGERO

Pictured: the SecurEnvoy Windows Logon Agent, and Michael Urgero, SecurEnvoy, whose company's solution protects the Windows Logon process with true multi-factor authentication.

Look at how far we've come over the years. The introduction and mainstream use of virtualisation in the data centre, the cloud and 'work from anywhere' has sparked some amazing opportunities, from the rapid development of business ideas to remotely supporting critical systems and customers. Not all that long ago, we were a much more analogue group, much more manual and hands-on in our methods.

Coming with the high-speed rush of new technologies that are fully intended to make lives easier, there are also new security threats to care for and consider. We've gone to great lengths to ensure that our employees have easy and secure access to the business, and that our system operators can keep those systems running. Have we done enough? How will we know? These are some of the things on the minds of IT execs as they lie awake into the night.

WHERE THE ACTION IS

One of the parts that's often missed is the authentication to the laptop or the server itself. The desktop interface of these devices is where all the action is, and it should be just as secure. New virtualised, cloud and hybrid solutions make accessing these devices almost an entirely remote affair. Apart from accessing your laptop directly, everything else you do in a day is pretty much done on systems elsewhere.

One could argue that Microsoft simply doesn't do enough with its traditional username and password and, what's more, Windows Hello is difficult to deploy and manage and has its own share of issues; ask any help desk administrator and you'll get an earful.

URGENT CHALLENGE

Securing these corporate assets is an urgent issue, and our customers know that. Our solution comes complete with our integrated SecurEnvoy Windows Logon Agent. It installs directly on the laptop or server and protects the Windows Logon process with true multi-factor authentication. In this way, the username and password check is challenged and verified with the added trust of a second authentication factor, quickly and easily.

Some of our customers have deployed our SecurEnvoy Windows Logon Agent to all corporate endpoint devices as well as all servers in the data centre, both physical and virtual, to assure the identity of employees as they authenticate.

PROMPT ACTION!

The initial prompt is the same as it always has been, asking for a username and password. You are then immediately prompted for the multi-factor token, which can be delivered in a variety of ways: everything from push notifications to a mobile device, SMS messaging and physical tokens to manual entry, to name just a few.

The same agent is loaded on both Windows 7/10 devices and Windows Servers, from Microsoft Windows Server 2008 forward. This software can be distributed using any of the common methods, from Active Directory to third-party deployment tools, and, best of all, works when devices are completely offline.

For more details, and to get a demo and talk about our solutions, feel free to give us a call. Be sure. Be Confident. SecurEnvoy.
ransomware

FIGHTING THE RANSOMWARE WAR

IN THE FIRST SIX MONTHS OF 2021, GLOBAL RANSOMWARE VOLUME REACHED AN UNPRECEDENTED 304.7 MILLION ATTEMPTED ATTACKS

Ransomware attacks are becoming increasingly devastating to companies. Not only do they inflict massive disruptions to operations, but criminals are also asking for ever-larger ransoms to unlock the encrypted files and machines hit by the attacks.

"Throughout the last months, state-sponsored ransomware attacks inflicting damage on critical infrastructure have dominated the headlines," points out LogPoint CTO Christian Have. "JBS recently paid 11 million dollars following an attack that shut down all the company's US beef plants. Just before that, an attack paralysed Ireland's health services for weeks in the middle of a pandemic. The attack happened in the wake of the Colonial Pipeline attack that caused fear of gas shortages. CNA Financial, one of the largest insurance companies in the US, reportedly paid 40 million dollars to get access to its files and to restore its operations, making it the largest reported ransom paid to date. In comparison, 40 million dollars is more than most companies spend on their cybersecurity budget - it is even more than what many companies spend on their entire IT budget."

DEFENCES MUST BE BOLSTERED

Due to the surges in state-sponsored ransomware attacks in the US and Europe, many government institutions, including the White House, have urged companies to bolster their defences to help stop the ransomware groups, he adds. "The G7 group has called on Russia, in particular, to identify, disrupt and hold to account those within its borders who conduct ransomware attacks and other cybercrimes. One of the few outcomes of the Biden-Putin summit is an agreement to consult on cybersecurity. However, the agreement is ambiguous without any specific actions."

The ransomware ecosystem explained - a ransom payout isn't always the end goal

Stopping ransomware groups is no small task. The scale of the economy behind these groups is significant. Many active groups have corporate structures, with roles and responsibilities that mirror regular software development organisations.

These criminal organisations are well-funded and highly motivated to develop their attacks - but their revenue streams do not begin or end with victims paying up a ransom, he stresses. Have points to "an entire ransomware ecosystem, capitalising on successfully executing attacks", such as:

- Groups selling access to platforms that deliver end-to-end ransomware-as-a-service for other groups to use
- Brokers that deliver teams of highly specialised developers that can build and deploy malware. "Think of this as malware recruiting"
- Certain groups only gain access to corporate networks. They will not actively disrupt the operations or demand ransom; instead, they sell access to victims for other groups to capitalise on

The increasing sophistication of ransomware groups has led many organisations to implement a multitude of tools to help detect and prevent attacks. But what really works?
ransomware

BASIC SECURITY IS ESSENTIAL

"For the last 15 years, CISOs, security operations teams and security vendors have put a significant focus on complex attacks and staying on top of the cutting edge of what adversaries can do. For example, the malicious computer worm Stuxnet launches extremely advanced campaigns. The result is that a lot of organisations have a relatively extensive portfolio of advanced technologies. These technologies are expensive, complex to use and even more complex to integrate with each other and the surrounding security ecosystem."

The Colonial Pipeline breach happened because a remote access platform failed to enforce or require multi-factor authentication, Have states. "Combined with a shared password used among several users, attackers found a way into the infrastructure. Advanced detection tools are not meant to detect such basic mistakes. Failing to cover the basics - patching, secure configurations or following best practices - is a pattern repeating itself in many of the recent attacks. It is not without reason that every authority on cybersecurity has patching and baselining configurations as some of the first recommendations for companies to strengthen their cybersecurity efforts."

So, why are companies not just patching everything, implementing the Zero Trust model and forcing multi-factor authentication everywhere? Especially when the most considerable material risk to the operations and existence of the organisation is a ransomware attack? "IT operations is hard," Have responds. "The security operations team, IT operations team and enterprise risk management team often have siloed thinking with different objectives and incentives. Aligning activities and goals across various departments is, without a doubt, part of the problem." One of the things LogPoint hears from its customers is that they need a unified overview of the technical risk aspects. "Implementing a unified solution, such as Zero Trust orchestration or XDR, is complex and, in many cases, expensive. Some of our customers are turning to fewer vendors and relying on open standards - for example, MITRE for a taxonomy of attacks, MISP to share threat observations and YARA to identify malware indicators - to offload some of the headaches of aligning different departments' ways of working."

STRENGTHENING RANSOMWARE DEFENCES AND DETECTION

LogPoint can help organisations align detection and response activities, comments Have. "LogPoint ingests log data, which security teams can use to easily detect ransomware variants like FiveHands, Egregor or Ryuk. The REvil group that hit JBS uses a tactic to delete Shadow Copies before encryption. Deleting Shadow Copies makes a restore significantly more difficult. LogPoint can immediately detect deletion of Shadow Copies by looking for the following command across all log sources:"
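The command Have refers to is not reproduced on the page. The following is an added illustration of the same detection idea and is not LogPoint's code or query: it runs a small rule set over constructed Windows process-creation log lines. The indicator patterns (the vssadmin and wmic command lines that remove or evict Volume Shadow Copies) are taken from the publicly documented Inhibit System Recovery technique rather than from the article, so they are an assumption on our part, and the key=value log format and every sample event are constructed for this example.

```python
"""Detecting Volume Shadow Copy deletion in process-creation logs.

Added example, not LogPoint's code or query. The article does not reproduce
the command it refers to; the indicators below are the publicly documented
Shadow Copy deletion command lines (vssadmin / wmic), which is an assumption
on our part. All log lines are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample: process-creation events flattened into key=value fields,
# the way a SIEM might normalise Windows 4688 or Sysmon Event ID 1 records.
SAMPLE_LOGS = [
    '2021-09-14T10:02:13Z host=WS01 user=CORP\\alice image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin list shadows"',
    '2021-09-14T10:02:41Z host=WS01 user=CORP\\alice image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin delete shadows /all /quiet"',
    '2021-09-14T10:02:45Z host=FS02 user=CORP\\svc_deploy image="C:\\Windows\\System32\\wbem\\WMIC.exe" cmdline="wmic  SHADOWCOPY  delete"',
    '2021-09-14T10:03:02Z host=FS02 user=CORP\\svc_deploy image="C:\\Windows\\System32\\vssadmin.exe" cmdline="VSSADMIN Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB"',
    '2021-09-14T10:05:00Z host=WS03 user=CORP\\bob image="C:\\Program Files\\Backup\\agent.exe" cmdline="agent.exe --snapshot C:"',
    'garbage line without fields',
]

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Rule:
    name: str
    image: re.Pattern      # matched against the executable file name only
    cmdline: re.Pattern    # matched against the full command line


@dataclass(frozen=True)
class Alert:
    rule: str
    timestamp: str
    host: str
    user: str
    cmdline: str


# Case-insensitive and whitespace-tolerant: argument spelling is under the
# operator's control, so "DELETE  Shadows" must match like "delete shadows".
RULES: List[Rule] = [
    Rule("vssadmin_delete_shadows",
         re.compile(r"^vssadmin\.exe$", re.I), re.compile(r"\bdelete\s+shadows\b", re.I)),
    # Shrinking shadow storage evicts existing snapshots; it is also a
    # legitimate admin action, so this rule is for triage, not auto-response.
    Rule("vssadmin_resize_shadowstorage",
         re.compile(r"^vssadmin\.exe$", re.I), re.compile(r"\bresize\s+shadowstorage\b", re.I)),
    Rule("wmic_shadowcopy_delete",
         re.compile(r"^wmic\.exe$", re.I), re.compile(r"\bshadowcopy\s+delete\b", re.I)),
]


def parse_event(line: str) -> Optional[ProcessEvent]:
    """Parse one flattened line; return None when required fields are missing."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    fields: Dict[str, str] = {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in FIELD_RE.finditer(parts[1])
    }
    try:
        return ProcessEvent(parts[0], fields["host"], fields["user"],
                            fields["image"], fields["cmdline"])
    except KeyError:
        return None


def image_name(path: str) -> str:
    """Return the file name of a Windows image path ("C:\\x\\y.exe" -> "y.exe")."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def detect(lines: Iterable[str]) -> List[Alert]:
    """Run every rule over every parseable event; unparseable lines are skipped."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        name = image_name(ev.image)
        for rule in RULES:
            if rule.image.search(name) and rule.cmdline.search(ev.cmdline):
                alerts.append(Alert(rule.name, ev.timestamp, ev.host, ev.user, ev.cmdline))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.cmdline}")
```

Run stand-alone, the block prints one line per alert; the `list shadows` event and the backup agent produce none. The two conditions each rule checks, executable name plus normalised command line, map directly onto a SIEM search, and the resize rule is the one to route to an analyst rather than to automatic isolation, since administrators also use it legitimately.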
Ingesting log data allows analysts to interrogate systems for more information about known issues, such as detected vulnerabilities, deviations from best practices or enterprise policies. "However, combining log data with vulnerability data, configuration compliance and more advanced interrogation of the system, we can uncover the unknown issues by formulating more exact risk scores of the infrastructure and its components."

"With the risk scores nailed down, we are currently working on coupling indicators of ransomware, such as the deletion of Shadow Copies, with threat intelligence and malware research to identify documented adversarial techniques. The goal is that the system can conclude the type of ransomware group or variant, so we are more prepared to deal with and respond to the threat. Our system uses a combination of natural language processing and machine learning to connect the dots.

"We are also working with our customers on building the final step - automating and orchestrating the response with situational awareness and understanding of the next phase of the attack. We have small agents deployed on our customers' machines that can enforce policies, disconnect machines from networks and otherwise act based on how security operators want to approach a potential issue."

ENDING THE VICIOUS CYCLE

At the end of the day, it becomes clear to security researchers who are following ransomware groups that the asymmetry between the capabilities and the incentive for the attackers and the maturity and budgets of the defenders is becoming more pronounced, he adds. "When critical infrastructure is under attack through large and small companies, it is obvious that more technology will not solve the issue alone. Outsourcing IT operations or security operations alone is not solving the problem either." With that in mind, Have sees three paths forward:

- Law enforcement agencies must cooperate across borders to target ransomware groups, track payments and ultimately change the operational risk for these groups, so that it is more expensive to do illicit business
- Breaking down silos within organisations, getting the cybersecurity, IT operations and risk management teams to speak the same language and align expectations. "Who owns the backup - IT? Who is responsible for the disaster recovery - Security? Who owns the business continuity planning - Enterprise risk management?"
- More laws and regulations on the matter. "GDPR has done a lot to bring focus and awareness about reporting breaches to infrastructure. But more is needed. GDPR works for personal data, but disruptions to critical infrastructure following a ransomware attack are not necessarily under the umbrella of GDPR and, as such, can go under the radar. With more sharing, increased focus and potentially fines levied against organisations that fail to prevent or protect their infrastructure adequately, boardrooms will begin to take the threat seriously."
SOARING IMPACT

To further grasp the scale of ransomware's soaring impact, you have only to look at the latest report from SonicWall. In its mid-year 2021 cyber threat report update*, it proffers the startling statistic that, in the first six months of 2021, global ransomware volume reached an unprecedented 304.7 million attempted attacks - already eclipsing the 304.6 million ransomware attempts logged for the entirety of 2020, as recorded by SonicWall Capture Labs.

"In all, ransomware for the first half of this year is up a staggering 151% over the same time period in 2020. While Q1 was worrying, Q2 was markedly worse - going into spring, ransomware jumped from 115.8 million to 188.9 million, enough to make Q2 the worst quarter for ransomware SonicWall has ever recorded. If we're lucky, this will be an aberration. Some years, such as 2019, see ransomware totals high in the first half, then fall off during the second half." Time will tell. But even if we don't record a single ransomware attempt in the entire second half (which is irrationally optimistic), 2021 will already go down as the worst year for ransomware SonicWall has ever recorded.

"While Q2 was record-setting in its own right, every month during the quarter set a new record, too. After rising to a new high in April, ransomware rose again in May, then saw another increase in June. During that month, SonicWall recorded 78.4 million ransomware attempts - more than the entire second quarter of 2020, and nearly half the total number of attacks for the year in 2019. Even 2021's lowest month didn't provide much of a reprieve. With 36.3 million ransomware hits, March 2021 had more ransomware than all but one month in 2020."

Why is ransomware rising so rapidly? There are several factors that SonicWall identifies as being behind the recent increase in ransomware, but the fact remains: "The more organisations there are that are forced to pay out, the more incentive ransomware groups have to launch attacks."

While ransomware operators are getting better at finding and encrypting backups, they've also found another way to ensure victims pay up, despite the existence of current backups: extortion. "In an increasing number of cases, such as the recent attacks on Colonial Pipeline and the city of Tulsa, Okla., attackers are stealing and exfiltrating the data before they encrypt files. This means that, even if the victims have ironclad backups and can rebuild their network easily, they may still pay to preserve their reputation, avoid fines and maintain regulatory compliance with regards to personally identifiable."

THE EXTORTION FACTOR

Unfortunately, organisations that display a willingness to pay may be opening themselves up to be attacked again soon after, either by the same group of cybercriminals or by another group who heard about the original payment, says SonicWall. "According to ZDNet, roughly eight in 10 organisations that opt to pay a ransom wind up being attacked again - and of those victims, nearly half believe the second attack was perpetrated by the same cybercriminals as the first. While it's unclear how many organisations are targeted by repeat attacks - companies are often reluctant to publicly acknowledge ransomware incidents for this very reason - at least three have made headlines in recent years: the city of Baltimore, Australian logistics firm Toll Group and American technology company Pitney Bowes."

* Mid-Year Update: 2021 SonicWall Cyber Threat Report
information security<br />
ASSUMPTIONS - MORE THAN A ROLL OF THE DICE<br />
MAKING ASSUMPTIONS CAN BE A BIG MISTAKE - YET SOMETIMES IT CAN PAY OFF<br />
HANDSOMELY. INFORMATION SECURITY IS ONE SUCH INSTANCE OF THE LATTER,<br />
SAYS PAUL HARRIS, MANAGING DIRECTOR, PENTEST LIMITED<br />
When you assume, you make an ass out of 'u' and me, or so the saying goes, and, in many situations, making assumptions can be misguided. But, in other situations, it pays to assume. Information security is one of these situations and, by assuming the worst, you can start to plan for it and prepare to defend against it.<br />
The recent spike of ransomware attacks has shown companies what a potential worst-case scenario looks like when it comes to information security, with companies being taken offline and critical data being lost. This wake-up call has forced many into action, but ransomware is only one of the potential attack vectors and there are numerous routes into a company. Yes, ransomware may be hitting the headlines, but it's not going to be everyone's biggest risk. So, if you're looking for solutions because of the headlines, then you may be wasting your money.<br />
A successful attack only needs one route in, but defenders need to protect against many potential entry points. In this situation, the advantage is with the attacker and, with the time, skills and resources, it's a matter of 'when' an attack will get through, rather than 'if'.<br />
Risk analysis and scenario planning allow you to assume that the worst will happen, that an attacker will get through. It's an approach that more and more companies are looking to undertake in the face of growing, and often unknown, threats. As a 'table-top' exercise, it's far more cost effective than implementing a tech 'solution' and allows companies to look at their wider security, building a roadmap of improvements that will bring the greatest security benefits. So, how do you go about it?<br />
KNOW WHAT'S IMPORTANT<br />
A company's crown jewels aren't just important, they're critical and if they were to be stolen or made unavailable, for even the shortest time, it could mean your business stops operating. But what are your company's crown jewels? For many it's intellectual property, the design of a new product or your product's 'secret recipe', for others it could be financial data.<br />
Maybe it's the source code for a piece of software you've been developing, patient information, live production systems, servers running internal operations, your e-commerce website, the list goes on. Your crown jewels can be a combination of many things, but, whatever they are, they need to be protected. The key question you need to ask yourself is: what are the things I, or my clients, can't afford to lose?<br />
IDENTIFY YOUR REAL-WORLD THREATS<br />
When it comes to cyber threats, sophisticated is a word that is used a lot. "We were the victims of a sophisticated cyber-attack" is the usual line when news of a breach breaks. But when the dust settles, it's often found that the attack wasn't sophisticated at all.<br />
Everyone likes to think they're the target of sophisticated attacks, but most attacks are opportunistic in nature, using simple techniques to exploit weak security practices or unpatched systems, or to take advantage of human vulnerability. By identifying your most likely real-world threats and targets, you can start to prioritise the risks, identify the techniques they would most likely use, and the potential routes they are likely to take.<br />
UNDERSTAND YOUR FULL ESTATE AND HOW ATTACKERS COULD MOVE ACROSS IT<br />
One of the fundamental IT security challenges within organisations is the shadow IT 'visibility gap' between assumed, or known, infrastructure and what truly exists. Whether it's because of merger & acquisition activities, personnel changes, or infrastructure changes over time, it can be easy to lose track of your IT estate.<br />
Obtaining an exact picture of what you have is key and if you can't see a legitimate device on your network then how can you properly defend it? Once you have full knowledge of what you have, you then need to understand the security measures you have in place, but not just from a tech point of view, you need to look at your security processes, procedures, operating rules, and system design as well. Having this clear picture across your estate will enable you to understand where potential entry points exist and expose weaknesses which may allow an attacker to move easily across your network.<br />
DEVELOP YOUR SCENARIOS, PRIORITISE YOUR IMPROVEMENTS<br />
Once you have a full 360-degree view of your organisation, what's important to you and your threats, you can start to develop scenarios, ones that could have an extreme effect on your company. For example, a realistic scenario could be that an organised criminal group has stolen your intellectual property, or that hacktivists have brought down your ecommerce website through a DDoS attack. With a range of realistic scenarios in hand you can then evaluate which ones bring the highest risk.<br />
Once you've evaluated the risk scenarios, you can start to think about making improvements, but firstly, it's important to understand the steps the threats may have taken to achieve their goal. This can be done by conducting an attack tree analysis, working backwards from the goal, step by step, to continually ask 'how' it was possible.<br />
Now you understand the potential steps taken to achieve the goal, you need to identify controls that would predict, prevent, detect, or respond to these actions at every stage of the attack. Some controls may already be in place, but it's important to analyse how effective controls are and identify where gaps exist. Where gaps do exist, you can then evaluate the associated cost, and effectiveness, of the controls needed, helping to prioritise your remediation efforts.<br />
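The attack-tree and control-gap method described in this section, worked through in code as an added example (it is not Pentest Limited's own tooling); the scenario, step likelihoods, control effectiveness figures and costs are constructed illustrations:<br />

```python
"""Attack-tree gap analysis: an added example, not Pentest Limited's tooling.

It follows the article's method for one constructed scenario (an organised
criminal group steals intellectual property): list the steps found by asking
'how?' backwards from the goal, record which controls predict, prevent, detect
or respond at each step, list the gaps, and rank candidate controls by the
risk they remove from the whole path per unit of cost. Likelihoods,
effectiveness figures and costs are illustrative estimates, not measurements.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PHASES = ("predict", "prevent", "detect", "respond")


@dataclass
class Step:
    """One answer to 'how was that possible?' on the path to the goal."""
    name: str
    likelihood: float          # chance the step succeeds with no controls (0..1)
    controls: dict = field(default_factory=dict)  # phase -> (control, effectiveness)


@dataclass
class Candidate:
    """A control that could be added to close a gap at one step."""
    step: str
    phase: str
    control: str
    effectiveness: float       # fraction of the step's residual likelihood it removes
    cost: float                # relative cost units (budget, effort, disruption)


def residual(step: Step, extra: Candidate | None = None) -> float:
    """Step likelihood after its controls; each control independently removes
    its effectiveness fraction of whatever remains."""
    r = step.likelihood
    for _control, eff in step.controls.values():
        r *= 1.0 - eff
    if extra is not None and extra.step == step.name:
        r *= 1.0 - extra.effectiveness
    return r


def path_likelihood(steps: list[Step], extra: Candidate | None = None) -> float:
    """Every step must succeed in turn, so the path likelihood is the product."""
    p = 1.0
    for s in steps:
        p *= residual(s, extra)
    return p


def gaps(steps: list[Step]) -> list[tuple[str, str]]:
    """(step, phase) pairs with no control at all: the 'where gaps exist' list."""
    return [(s.name, ph) for s in steps for ph in PHASES if ph not in s.controls]


def prioritise(steps: list[Step], candidates: list[Candidate]) -> list[tuple[str, float]]:
    """Rank candidates by risk removed from the whole path per unit of cost."""
    base = path_likelihood(steps)
    scored = [(c.control, (base - path_likelihood(steps, c)) / c.cost) for c in candidates]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed attack path in the order the attacker would take it; the tree
# was built by asking 'how?' backwards from 'design files stolen'.
STEPS = [
    Step("Phish a designer's workstation", 0.6, {"detect": ("Email gateway", 0.5)}),
    Step("Move laterally to the engineering segment", 0.5),
    Step("Access the design file server", 0.7, {"prevent": ("Share ACLs", 0.4)}),
    Step("Exfiltrate the design files", 0.8),
]

CANDIDATES = [
    Candidate("Phish a designer's workstation", "prevent", "MFA on workstation logon", 0.6, 3),
    Candidate("Move laterally to the engineering segment", "detect", "EDR on endpoints", 0.7, 5),
    Candidate("Move laterally to the engineering segment", "prevent", "Network segmentation", 0.6, 8),
    Candidate("Exfiltrate the design files", "detect", "DLP on egress", 0.5, 4),
    Candidate("Exfiltrate the design files", "respond", "Egress blocking runbook", 0.3, 1),
]

if __name__ == "__main__":
    print(f"Path likelihood with today's controls: {path_likelihood(STEPS):.4f}")
    print(f"Uncontrolled (step, phase) gaps: {len(gaps(STEPS))}")
    for control, score in prioritise(STEPS, CANDIDATES):
        print(f"{score:.5f} risk removed per cost unit  {control}")
```

Note that the cheapest control ranks first here even though it removes less absolute risk than EDR; swapping the cost figures for your own estimates is the point of the exercise.<br />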
PUT YOUR IMPROVEMENT EFFORTS TO THE TEST<br />
The more effective defensive measures you put in place, the more difficult you make it for would-be attackers. But how do you know if your defences are truly effective? You need to test them. Having your work tested can seem like a daunting prospect and it can be easy to think that it's going to belittle or ridicule your security efforts. But that's not the case. Testing is designed to support your efforts, ensuring that your business is as protected as possible from the primary risk scenarios you have identified.<br />
Penetration testing and red teaming are great options, in terms of evaluating your defensive measures - and testers will look to simulate the actions of an attacker, potentially uncovering further vulnerabilities, supporting remediation and providing you with the assurances that your efforts have been truly effective.<br />
Paul Harris, Pentest: a successful attack only needs one route in, but defenders need to protect against many potential entry points.<br />
MAKE SURE INFORMATION SECURITY IS AN ONGOING PROCESS, NOT JUST A ONE-OFF<br />
Information security can sometimes be seen<br />
as a tick in the box exercise and that, once<br />
it's complete, you're protected. But that isn't<br />
the case. What's considered safe today may<br />
be vulnerable to attack tomorrow. Attackers<br />
are always looking for new attack routes,<br />
new techniques, new vulnerabilities and no<br />
company, or technology, is 'unhackable'.<br />
Security improvement efforts, such as risk<br />
analysis and scenario planning, need to be<br />
ongoing, helping keep your company one<br />
step ahead of any malicious threats.<br />
health check<br />
8AM AND I.T. IS IN FOR A VERY TOUGH DAY!<br />
STARK LESSON UNFOLDS IN THE CYBER SECURITY DANGERS THAT ARE LURKING 'OUT THERE'<br />
Cheshire and Merseyside Health and<br />
Care Partnership wanted to find out<br />
how well it would stand up to a<br />
cyber-attack. So, it asked Gemserv Health<br />
to put together a scenario-based response<br />
exercise that started with some seriously<br />
bad news - but uncovered a lot of useful<br />
information.<br />
It's 8am and it was a nice day until you<br />
turned on the radio. The news has just<br />
started and the lead story is that a video<br />
has been released showing a group of<br />
NHS leaders making worrying remarks<br />
about a Covid-19 vaccine.<br />
They seem to be suggesting that safety<br />
issues are being covered up and the share<br />
price of the vaccine maker has crashed<br />
10% overnight. The phone starts ringing.<br />
It's a press officer wanting to know what<br />
IT is going to do about this leak, or fake,<br />
or whatever it is.<br />
CYBER-ATTACKS SPREAD, FAST<br />
This is the scenario that greeted 22 heads of IT in Cheshire and Merseyside in spring 2021. It was constructed by Gemserv Health, with input from Cheshire and Merseyside Health and Care Partnership, to find out how the integrated care system (ICS) would respond to a cyber security incident.<br />
Paul Charnley, digital lead for the ICS, explains that the commissioners, councils, hospitals and other providers in the area have their own policies and procedures in place. But the ICS didn't have an overarching response that was tested and ready to use.<br />
"NHS Digital has a data protection toolkit that requires every organisation to plan for and rehearse its response to a cyber-attack, but one of the things that we learned from WannaCry is that a cyber-incident can impact a large geography very quickly," he says. "We need to be able to coordinate.<br />
"The exercise that we ran really brought that to life. It was very salutary and very helpful, and it has given us a lot to think about. We have learned a lot since WannaCry, but we are in an arms race with the hackers and we've still got more to do."<br />
LEARNING FROM WANNACRY<br />
WannaCry was the worldwide ransomware attack launched in May 2017. It didn't target the NHS, but the National Audit Office estimated that 34% of trusts in England were impacted anyway.<br />
One reason was that the NHS employs a lot of people; with 1.3 million staff, it had a lot of malicious emails to contend with. Another was that WannaCry spread through older, unpatched Windows systems; and the NHS had a lot of those in computers and medical devices.<br />
However, a third problem was that there was no coordinated fightback. The NAO reported that the Department of Health had been working on a plan, but it hadn't been tested at a local level, so "it was not immediately clear who should lead the response and there were problems with communications." Some trusts couldn't be reached by email "because they had been infected by WannaCry or had shut down their email systems as a precaution", leaving a mix of switchboards, mobiles and WhatsApp as the only way through.<br />
ONLY AS STRONG AS WEAKEST LINK<br />
IT leads in Cheshire and Merseyside wanted to do better. "After WannaCry, we swore that we would work more closely together, under the tagline: 'we are only as strong as our weakest link'," says Charnley.<br />
The 22 heads of IT in the area agreed to standardise their policies and procedures, and to pool any funds made available by the NHS, to make the money go further. Cheshire and Merseyside HCP is now working with NHS Digital on a target cyber-security architecture and on a procurement process to deliver the strategy.<br />
This has enabled individual organisations<br />
to work to a standard on one<br />
of two security information and event<br />
management systems: one medical<br />
device protection product; and one<br />
single sign-on product to give staff<br />
secure access to clinical and<br />
administrative systems.<br />
"We have worked on our strategy and<br />
then we have moved to manage our<br />
supplier market and our procurement<br />
teams to buy in harmony with that," he<br />
adds. "Gemserv has supported both the<br />
policy and the business models."<br />
FINDING THE GAPS<br />
Cheshire and Merseyside HCP is better protected against a cyber-attack than it was five years ago; but the mantra of cyber-security is not to ask "if" a cyber-incident is possible but "when" one will occur.<br />
The scenario-based exercise was designed to find out how ready the ICS is to deal with an attack; and whether IT leaders across the patch are clear about who will lead the response and how they should communicate with each other.<br />
Before Covid-19 arrived, the ICS had been looking to run a physical event, but because of the pandemic it moved to Microsoft Teams. Five virtual break-out rooms were set up for organisational teams to use, and the scenario was fed to them.<br />
As the event went on, the teams also<br />
received 'injects' of information to take<br />
the scenario in a different direction and<br />
test their ongoing responses. They got<br />
some 'good' news: the video didn't<br />
feature local executives and was instead<br />
a 'deepfake'. They also received some<br />
'bad' news: one of the executives who<br />
had been deep-faked had also been spear<br />
phished. His email and that of his<br />
contacts had been targeted. A route was<br />
open for a ransomware attack.<br />
NOT IF, BUT WHEN<br />
Charnley says that on the day of the<br />
cyber scenario event, years of hard work<br />
in Cheshire and Merseyside paid off. IT<br />
teams were able to mount a more<br />
coordinated and coherent response to<br />
the Gemserv scenario than they were to<br />
WannaCry.<br />
They also had better tools to use.<br />
However, the exercise showed there were<br />
gaps to fill. The area turned out to be<br />
short of some specific cyber-security<br />
expertise out of hours. There were still<br />
questions about how decisions would be<br />
made that were big enough to require<br />
sign-off from Government departments<br />
in London or the NHS's central bodies in<br />
Leeds.<br />
It emerged that health and local<br />
authority incident response planners<br />
needed a cyber playbook to put<br />
alongside the playbooks they have for<br />
dealing with train wrecks, chemical<br />
spills or even nuclear incidents. Gemserv<br />
Health is now helping to write one, and<br />
when it is ready, Charnley wants to test<br />
it by running the exercise again.<br />
"Gemserv told us that the military builds<br />
things and then attacks them," he says.<br />
"It costs millions of pounds. We don't<br />
have that kind of money, but we can<br />
learn a lot this way. I want to do this every six months - certainly every year - and I think every ICS should be planning to do the same.<br />
"I'd definitely encourage others to follow<br />
this model and this approach. We<br />
wanted to work with an external partner,<br />
because it's easy to be insular or to play<br />
to your strengths in these exercises.<br />
Having an external view was very helpful.<br />
It gave us a lot of things to think about."<br />
Paul Charnley, digital lead for ICS: no overarching response in place that was tested and ready to use.<br />
global intelligence<br />
QUANTUM LEAPS - AND BOUNDS<br />
QUANTUM COMPUTERS WILL SOON SMASH THROUGH THE MATHEMATICAL CRYPTOGRAPHY<br />
WE RELY ON AS A SOCIETY, IT IS FORECAST. HOW DO WE KEEP OURSELVES SAFE THEN?<br />
The time to prepare for a safe quantum computing future is now, argues Chris Erven, CEO, KETS Quantum Security. Why? "For the simple fact that, in today's world, we don't go 30 seconds without touching digital technology of some kind, all of which is networked, none of which is quantum-safe. We know that quantum computers will be experts at breaking the security of our current digital infrastructure. We need to upgrade this to be quantum-safe now."<br />
He points to the 'Mosca equation' (posited<br />
by Michele Mosca of the Institute for<br />
Quantum Computing) to summarise when<br />
we need to worry about upgrading our<br />
cyber security.<br />
This equation is given by:<br />
x + y > z<br />
where:<br />
x = the security lifetime of our data,<br />
y = the time required to upgrade to quantum-safe systems,<br />
and z = the time to build a quantum computer.<br />
"If it is going to take 10 years to upgrade and you want, for example, your online medical records to be secure minimally for 15 years, and meanwhile a quantum computer is built in the next 5-10 years - then it is already too late! Best case, your sensitive data will effectively be unencrypted and in the clear for 20 years. And this 'store now, crack later' attack has been going on for years." Soon, he says, we will be living in a world where most of our current forms of cryptography will be useless, because investment and developments in quantum computing are only accelerating. "What is more, we likely won't know when this happens, because a quantum computer capable of doing this represents such a huge advantage, those who own it will keep it secret."<br />
The good news, though, is that we are not defenceless. "Computer scientists, physicists, and engineers have been working hard on new quantum-safe methods." Two of the biggest tools he identifies for the new quantum-safe toolbox are:<br />
Post-quantum cryptography (PQC) algorithms - new algorithms conjectured to be immune to a quantum computer's processing capabilities<br />
And quantum cryptography (QC) - new quantum hardware that has been proven to be immune to a quantum computer.<br />
What difference will this make to<br />
computing security? "Well, we will have to<br />
upgrade," he points out. "Think the Y2K<br />
bug, but less hype and more well-reasoned<br />
concern. And this upgrade will need to<br />
occur both at the software and hardware<br />
level."<br />
What can be done to ward off this<br />
apocalyptic scenario? "At the highest level,<br />
we need our telecommunications<br />
infrastructure to be upgraded. This is<br />
behind the EuroQCI Initiative, which aims to<br />
build a secure quantum communications<br />
infrastructure that spans the EU. Similar<br />
initiatives exist now in the US, UK, China,<br />
South Korea and Japan."<br />
FIRST ACTIONS TO BE TAKEN<br />
At the organisation level, the first things<br />
that need to be done are:<br />
Recognise the problem<br />
Put resource behind it<br />
Perform a quantum-safe health check<br />
And develop your organisation's<br />
quantum readiness roadmap.<br />
Lastly, get involved in early innovation projects, he advises. "These new methods are different. PQC algorithms generally require more memory or are slower, while QC methods involve new hardware - these will have implications for your organisation. The best way to figure out the implications is to start experimenting with these new tools. Conveniently, this is the number one aim of the testbeds being built - to engage with end-users!"<br />
And you don't need a huge team of scientists, is Erven's reassuring message. "A small team is more than enough to partner with the cutting-edge start-ups and SMEs pioneering quantum-safe solutions. Together, we can ward off the digital security apocalypse and continue to thrive as a civilisation using a quantum-safe version of the secure, connected, information infrastructure that has contributed so much to humanity's rapid developments of the last 35 years."<br />
BLOODHOUNDS ON THE TRAIL<br />
According to Roger Grimes, data driven<br />
defence evangelist at KnowBe4: "Your<br />
competitors or nation-states could be<br />
sniffing your currently protected network<br />
traffic, waiting for the day a few years<br />
from now when they can use quantum<br />
computers to crack your existing<br />
encryption. As we have seen, various<br />
nation states have no problem attacking<br />
every commercial company possible, if it<br />
contains intellectual property of interest<br />
or even simply to steal money. It is going to take any organisation many years to fully prepare for the necessary post-quantum transition.<br />
"So, even if you started now, it would be<br />
years before your data was protected.<br />
And any organisation that either has<br />
sufficiently capable quantum computers<br />
now or in the near future, that wants<br />
your confidential data, could have an<br />
incentive to sniff your data now…or<br />
during the years of preparation you will<br />
require to get to post-quantum<br />
protections." Grimes' advice? "Every<br />
organisation should begin immediately<br />
taking a data protection inventory. It starts<br />
by identifying all confidential data and the<br />
systems and cryptography that protect it.<br />
That means recording encryption, digital<br />
signatures and hashing algorithms used to<br />
encrypt, sign and verify content, along<br />
with key lengths. This sort of inventory<br />
should have already been done, but<br />
almost no one has done it.<br />
"Creating it and maintaining it will be<br />
useful and valuable for the post-quantum<br />
migration and any other crypto migration<br />
afterward. The hardest part is the original<br />
data collection. Maintaining it is not nearly<br />
as hard. But that original data collection is<br />
likely to take many months, if not years,<br />
for most organisations.<br />
And, regardless of the quantum issue,<br />
simply understanding your cryptography<br />
state will lead to better crypto-agility and<br />
that will pay huge benefits forevermore.<br />
But you need to get going now. Data<br />
protection inventory and agility is not easy,<br />
and it takes a long time. So, get started<br />
now. Post quantum is your first valid<br />
reason."<br />
From the data protection inventory, what<br />
happens next? "You then determine what<br />
data needs to be protected more than<br />
a few years, which is not protected with<br />
quantum-resistant cryptography," Grimes<br />
advises. "In some cases, like with symmetric<br />
encryption and hashes, it might mean<br />
simply increasing key lengths. And in<br />
others, like with asymmetric encryption, key exchanging and digital signing, it will mean replacing it with a quantum-resistant solution.<br />
"Those solutions include post-quantum<br />
encryption, physical isolation, quantum<br />
key distribution and other quantum<br />
devices, like quantum random number<br />
generators. There is a coming Y2K-like<br />
problem…and really it is already here, and<br />
people do not realise it."<br />
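Grimes' data protection inventory and the Mosca test (x + y > z) from Erven's section, combined into one added example that is not the tooling of anyone quoted here; the inventory rows and the key-length thresholds are constructed assumptions, and with the article's own numbers (x = 15, y = 10, z = 5) the exposure window it computes is the 20 years Erven quotes:<br />

```python
"""Quantum-readiness triage of a cryptography inventory (added example; not
the tooling of anyone quoted in the article).

Each inventory row is put through Mosca's test, x + y > z, where x is the
security lifetime of the data, y the years the migration will take and z the
years until a capable quantum computer exists, and is then given the action
the article describes: replace public-key schemes with quantum-resistant
ones, lengthen symmetric keys and hash outputs where they are short.
"""
from __future__ import annotations

from dataclasses import dataclass

# Algorithm families as recorded in the inventory. Public-key schemes (RSA,
# ECC, DH key exchange and signatures) must be replaced; symmetric ciphers
# and hashes may only need longer keys or outputs.
ASYMMETRIC = {"RSA", "ECDSA", "ECDH", "DH"}
SYMMETRIC = {"AES", "ChaCha20"}
HASH = {"SHA-1", "SHA-256", "SHA-384", "SHA-512"}

# Assumed policy thresholds for the 'simply increase key lengths' case;
# they are illustrative, not figures from the article or any standard.
MIN_SYMMETRIC_BITS = 256
MIN_HASH_BITS = 384


@dataclass
class Entry:
    system: str
    data: str
    lifetime_years: int   # x: years the data must stay confidential or authentic
    purpose: str          # encrypt | sign | hash | key-exchange
    algorithm: str
    bits: int             # key length, or output length for a hash


def mosca_exposed(x: int, y: int, z: int) -> bool:
    """Mosca's test: when x + y > z the data outlives the migration, so it is
    exposed to an adversary who stores ciphertext now and cracks it later."""
    return x + y > z


def exposure_years(x: int, y: int, z: int) -> int:
    """Years the data is effectively in the clear: the excess of x + y over z."""
    return max(0, x + y - z)


def recommend(e: Entry, migrate_years: int, quantum_years: int) -> dict:
    """Classify one inventory row and name the action for it."""
    exposed = mosca_exposed(e.lifetime_years, migrate_years, quantum_years)
    years = exposure_years(e.lifetime_years, migrate_years, quantum_years)
    if e.algorithm in ASYMMETRIC:
        action = ("replace with quantum-resistant scheme now" if exposed
                  else "replace during planned migration")
    elif e.algorithm in SYMMETRIC:
        action = (f"increase key to {MIN_SYMMETRIC_BITS} bits"
                  if e.bits < MIN_SYMMETRIC_BITS else "adequate")
    elif e.algorithm in HASH:
        action = (f"move to {MIN_HASH_BITS}-bit output"
                  if e.bits < MIN_HASH_BITS else "adequate")
    else:
        action = "unknown algorithm: investigate"
    return {"system": e.system, "algorithm": e.algorithm, "exposed": exposed,
            "exposure_years": years, "action": action}


def triage(inventory: list[Entry], migrate_years: int, quantum_years: int) -> list[dict]:
    """Rows needing work first, longest exposure window first; 'adequate' last."""
    rows = [recommend(e, migrate_years, quantum_years) for e in inventory]
    return sorted(rows, key=lambda r: (r["action"] == "adequate", -r["exposure_years"]))


# Constructed inventory rows: system, data, lifetime, purpose, algorithm, bits.
INVENTORY = [
    Entry("Patient records DB", "medical records", 15, "encrypt", "AES", 128),
    Entry("Records replication link", "medical records", 15, "key-exchange", "RSA", 2048),
    Entry("Public web TLS", "session traffic", 1, "key-exchange", "ECDH", 256),
    Entry("Release signing", "software signatures", 5, "sign", "ECDSA", 256),
    Entry("Document archive integrity", "archive checksums", 20, "hash", "SHA-256", 256),
    Entry("Design file archive", "design files", 20, "encrypt", "AES", 256),
]

if __name__ == "__main__":
    # The article's worked numbers: 15-year records, 10-year migration, 5 years to a QC.
    print("Exposure with x=15, y=10, z=5:", exposure_years(15, 10, 5), "years")
    for row in triage(INVENTORY, migrate_years=10, quantum_years=10):
        flag = "EXPOSED" if row["exposed"] else "ok     "
        print(f"{flag} {row['exposure_years']:>3}y  {row['system']:<28}"
              f"{row['algorithm']:<8}{row['action']}")
```

The inventory fields are the ones Grimes lists (system, data, algorithm, key length) plus the data's lifetime, which is the input Mosca's test needs and the one most inventories forget to record.<br />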
NEXT MAJOR MILESTONE<br />
There have been quite a few predictions<br />
about how quickly quantum computing will<br />
arrive. But whatever the exact date and<br />
time, it's clear that not just one, but two<br />
races have already begun, says Timothy<br />
Hollebeek, industry technology strategist,<br />
DigiCert. "The recent few years have<br />
exponentially accelerated the development<br />
of quantum computing, with a variety<br />
of breakthroughs and a number of<br />
grandstanding announcements from tech<br />
giants that they would be heavily investing<br />
in the area. Even in 2020, pandemic<br />
notwithstanding, quantum technology was<br />
striding ahead. The breakneck speed of quantum acceleration has kept up through 2021, too."<br />
For all those developments, he says the<br />
next major milestone will be when someone<br />
solves a problem with quantum that a<br />
conventional supercomputer simply cannot.<br />
"But even when that day comes, it won't<br />
mean that RSA or ECC encryption are in<br />
direct threat. Although quantum can break<br />
them, it would still require large quantum<br />
computers to do so."<br />
Even when they're commercially available,<br />
quantum computers and technology will<br />
likely be prohibitively expensive to most, he<br />
adds. "What these ever-accelerating series<br />
of developments are likely to do is act in the<br />
same way that Moore's Law accelerated the<br />
development of classical computing. Each<br />
new development will further hasten the<br />
pace towards quantum technology, driving<br />
investment and innovation in the direction<br />
of more powerful quantum computers."<br />
That's one race between researchers,<br />
scientists and organisations. "There's a more<br />
urgent race, too - between individual<br />
organisations' cryptography and the<br />
quantum algorithms which will be able to<br />
break current cryptography. The reality is we don't know exactly when quantum is going to become a threat and, as such, organisations need to start preparing."<br />
Chris Erven, KETS Quantum Security: we will soon be living in a world where most current forms of cryptography will be useless.<br />
A render of KETS Quantum Security's chip-based solutions.<br />
That means getting to grips with Post-<br />
Quantum Cryptography (PQC). "Indeed,<br />
organisations can begin adopting hybrid<br />
RSA/PQC certificates and, critically, testing<br />
them in their own environments now."<br />
But there's a more fundamental element that Hollebeek singles out when it comes to being ready for the arrival of quantum.<br />
"The threat that quantum poses to current<br />
cryptography won't just necessitate<br />
stronger algorithms, but will likely mean<br />
that organisations have to become a lot<br />
quicker on their feet when it comes to<br />
cryptography. Crypto-agility is a concept<br />
which organisations must start working<br />
towards quickly.<br />
Quantum threats will likely need a diverse<br />
array of algorithms to protect against and<br />
organisations will need to swap out<br />
encryption algorithms on the fly as security<br />
demands. That will be a significant task for<br />
most companies, involving a fundamental<br />
reshaping of how they do cryptography.<br />
Quantum threats, however, demand it."<br />
HUGELY DISRUPTIVE TO<br />
OUR DIGITAL WORLD<br />
A five-to-10-year timeframe for quantum<br />
computing to become a reality is probably<br />
overly pessimistic, given the monumental<br />
investment by businesses, governments and<br />
investors around the world, states Dave<br />
Bestwick, CTO of quantum cryptography<br />
specialists Arqit.<br />
"Only recently, we witnessed another<br />
company, PsiQuantum, attain unicorn<br />
status and raise huge amounts of<br />
investment to bring a quantum computer<br />
to market within the next few years."<br />
Businesses therefore need to be<br />
considering their options today, he<br />
cautions, because not only are malicious<br />
actors busy stockpiling data to decrypt as<br />
soon as quantum computing emerges, but<br />
also swapping from PKI to quantum<br />
encryption takes time.<br />
"Quantum computing will be hugely<br />
disruptive to our digital world, as it will<br />
undermine the basic security foundations<br />
of the Internet. Most internet communications<br />
are secured by PKI and quantum<br />
computers can break this method of<br />
encryption within minutes. Companies that<br />
own valuable patents, highly sensitive<br />
government data underpinning critical<br />
infrastructure and defence will all be<br />
vulnerable; as will bank details, health<br />
records and even cryptocurrency."<br />
However, not all forms of encryption will<br />
be obliterated: symmetric encryption keys<br />
are not susceptible to quantum attack, he<br />
confirms. "This approach is endorsed by<br />
the American Encryption Standard (AES).<br />
However, until recently several barriers to<br />
adoption existed, most notably the problem<br />
of secure key sharing. Quantum key<br />
distribution can solve this problem, but its<br />
use over fibre networks is limited by signal<br />
absorption, which constrains practical key<br />
distribution to distances of less than about<br />
150km."<br />
This posed a problem for exchanging keys<br />
over larger distances, but this challenge has<br />
been eliminated recently with innovation<br />
from companies like Arqit, he asserts,<br />
which has "developed a way for quantum<br />
key distribution to take place over satellite<br />
systems to secure digital communications<br />
globally".<br />
Bestwick is under no illusions that the<br />
menace from quantum computers is a clear<br />
and present danger, as it threatens to<br />
undermine PKI, which today forms the<br />
foundations for most secure digital<br />
communications. "However, innovations in<br />
the area of symmetric encryption mean<br />
there’s a way to avert disaster, but<br />
businesses need to act promptly to protect<br />
their data, today and in the future."<br />
20<br />
computing security <strong>Sep</strong>tember <strong>2021</strong> @<strong>CS</strong>MagAndAwards www.computingsecurity.co.uk
all at sea<br />
CRUISING FOR A BRUISING<br />
CARNIVAL CRUISES SUFFERING FOUR DATA BREACHES IN 15 MONTHS<br />
FLAGS UP WHAT TEMPESTUOUS WATERS THE TRAVEL INDUSTRY - AND<br />
TOURISM IN GENERAL - SAILS IN. BUT WHY ARE THEY SO VULNERABLE?<br />
When Carnival Cruises was hit by its<br />
first data breach in 2020, it caused<br />
deep concern within the industry.<br />
This is, after all, the world's largest travel<br />
company. When it succumbed to another<br />
breach in June this year - the fourth such<br />
breach in 15 months - the reaction was<br />
more akin to raised eyebrows, because<br />
unfortunately we have become somewhat<br />
desensitised to occurrences like these,<br />
which have taken out many of the major corporates.<br />
The latest Carnival Cruises breach saw data<br />
compromised that contained names, dates<br />
of birth, passport numbers, home addresses,<br />
phone numbers, social security numbers,<br />
along with COVID-19 test results. This came<br />
on top of the other cyberattacks on Carnival<br />
Corporation since the beginning of the<br />
COVID-19 pandemic, two of which were<br />
ransomware demands.<br />
The travel and tourism sector, such as hotels<br />
and airlines, has been heavily targeted of late,<br />
as clearly it offers lucrative pickings. But why<br />
do large organisations fall prey so readily to<br />
multiple cyberattacks and data breaches? This<br />
is a complex issue, most certainly, but Trevor<br />
Morgan, product manager at comforte AG,<br />
believes we can consider three aspects of any<br />
organisation that would encourage multiple<br />
successful attacks: value, culture and<br />
technology.<br />
"Let's look at each one to see how it<br />
contributes to precipitating multiple<br />
incidents," he comments. "Any enterprise<br />
possessing highly valuable data will continue<br />
to be a target, even if it has sustained<br />
previous cyberattacks. Consumer-based<br />
industries, such as travel and entertainment,<br />
retail and financial services, definitely apply, as<br />
they collect sensitive information on large<br />
swathes of their customers and prospects.<br />
The reason is simple: threat actors want that<br />
data for personal gain.<br />
"Whether the dataset contains thousands or<br />
millions of data subjects, complete with<br />
sensitive PII that can be used to initiate<br />
identity theft or other fraud, or whether it<br />
contains less volume, but more substantive<br />
information, meaning something that can<br />
hold up operations and be used as leverage<br />
[think ransomware attacks on infrastructure<br />
companies], the fact of the matter is that, if<br />
the organisation gathers and stores sensitive<br />
information, hackers want it."<br />
A company's culture has quite a lot to do<br />
with the ability to close down attack vectors<br />
and thwart cyberattacks, adds Morgan.<br />
"The reason is that a large percentage of<br />
attacks originate from vulnerabilities caused<br />
by human error. We're talking here about<br />
misconfigurations, lifting and shifting<br />
unprotected data or simply pure carelessness.<br />
Companies that try to move too quickly and<br />
put an emphasis on output, rather than<br />
process, are particularly vulnerable to human<br />
error. However, the organisation that actively<br />
instils a culture of data privacy and security<br />
among its employees has a much better<br />
chance of deterring one or multiple attacks."<br />
WAIVING THE RULES<br />
This type of culture not only depends on<br />
the individual contributors caring about<br />
sustaining that culture, he states, "but also<br />
on the executive team placing value and<br />
meaning behind it, to assess performance<br />
and allocate rewards, based on employees'<br />
willingness to be more sensitive to data<br />
privacy and security, and follow the right<br />
processes to mitigate or eliminate human<br />
error. If executives are seen dismissing the<br />
'rules' to get something accomplished,<br />
then this behaviour trickles throughout the<br />
company as others emulate it, and soon<br />
that valuable culture falls apart. Every<br />
member of an organisation must be<br />
absolutely committed to a corporate culture<br />
of data privacy and security."<br />
Lastly, technology clearly has a massive<br />
impact on whether or not incidents become<br />
successful data breaches. A huge organisation<br />
that puts all its IT investment into<br />
perimeter-based security, access control<br />
and/or intrusion detection may be lulled into<br />
thinking that they are more secure, but in<br />
all actuality focusing on the perimeter and<br />
data access will only put off the moment<br />
when a threat actor successfully penetrates<br />
the perimeter barrier. "Therefore, many<br />
cybersecurity experts advise a more holistic<br />
approach whereby the data itself is<br />
protected, along with the borders around<br />
that data and user activity within the<br />
environment.<br />
"We're talking here about data tokenisation<br />
and format-preserving encryption," says<br />
Morgan. "These protection methods replace<br />
sensitive data elements with innocuous<br />
representational tokens, which render the<br />
data meaningless, even if it falls into the<br />
wrong hands. Better yet, data-centric security<br />
that preserves format enables enterprises to<br />
work with protected data, rather than 'de-protecting'<br />
it for vital activities such as data<br />
analytics. The less you de-protect your data,<br />
the better off you'll be."<br />
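The tokenisation approach Morgan describes, as an added example that is not comforte's product or any vendor's implementation: a vault maps each sensitive value to a random token that keeps the original's shape (letters stay letters, digits stay digits), the mapping lives only inside the vault, and because the same value always gets the same token, counting and joining still work on the protected data, so analytics never needs to de-protect it. The booking records are constructed sample data.

```python
"""Vault-based, format-preserving tokenisation (constructed example) with
an analytics routine that works on tokens only."""
import secrets
import string
from collections import Counter


class TokenVault:
    """Maps sensitive values to random tokens of the same shape.

    The mapping exists only inside the vault (a dict here; a hardened store
    in production), so a token on its own reveals nothing about the value.
    """

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    @staticmethod
    def _random_like(value: str) -> str:
        # Preserve format: digits -> digits, letters -> letters of the same
        # case, every other character (separators) is kept as-is.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        """Deterministic per value: the same input always yields the same token."""
        if value in self._to_token:
            return self._to_token[value]
        if not any(ch.isalnum() for ch in value):
            # Nothing to randomise; a format-preserving token would leak the value.
            raise ValueError("value has no alphanumeric characters to tokenise")
        while True:
            token = self._random_like(value)
            # Reject collisions and tokens identical to the real value.
            if token not in self._to_value and token != value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """The only path back to the real value; keep access to it narrow."""
        return self._to_value[token]


# Constructed sample: passport numbers attached to bookings.
BOOKINGS = [
    {"passport": "AB1234567", "cabin": "deluxe"},
    {"passport": "CD7654321", "cabin": "standard"},
    {"passport": "AB1234567", "cabin": "deluxe"},
]


def protect_bookings(vault: TokenVault, bookings: list[dict]) -> list[dict]:
    """Swap the sensitive field for its token before the data leaves the secure zone."""
    return [{**b, "passport": vault.tokenize(b["passport"])} for b in bookings]


def bookings_per_traveller(protected: list[dict]) -> dict[str, int]:
    """Analytics on tokens only: deterministic tokens keep counts and joins intact."""
    return dict(Counter(b["passport"] for b in protected))


if __name__ == "__main__":
    vault = TokenVault()
    protected = protect_bookings(vault, BOOKINGS)
    print(protected)
    print(bookings_per_traveller(protected))
```

Deterministic tokens are what make the "never de-protect for analytics" promise hold; the trade-off is that equal values are visibly equal in the protected dataset, which is why the vault itself, and `detokenize`, need the tightest access control in the system.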
Trevor Morgan, comforte AG: if an<br />
organisation gathers and stores sensitive<br />
information, hackers want it.<br />
Amit Sharma, Synopsys Software Integrity<br />
Group: security awareness training very<br />
important for employees and partners<br />
handling sensitive data.<br />
Of course, other factors play into the<br />
reasons that an organisation can be hit<br />
multiple or many times by cyberattacks,<br />
he points out. "The lesson, though, is that<br />
enterprises aren't powerless, if they recognise<br />
the true worth of the data they collect and<br />
process, treat that data as their most valuable<br />
asset and use the most comprehensive<br />
strategy - including data-centric security - to<br />
protect it against threat actors who want to<br />
get to it."<br />
STRUGGLES OF TRAVEL SECTOR<br />
The reasons why different organisations fail<br />
to protect their systems and information<br />
adequately and why some fall victim to<br />
breaches repeatedly vary enormously, says<br />
Richard Walters, CTO of Censornet. "Every<br />
enterprise has unique attributes that inform<br />
the security ecosystem they need to build<br />
and manage to some degree. The travel<br />
sector seems to struggle with securing<br />
content in databases linked to externally-facing<br />
web applications. This problem hasn't<br />
just affected Carnival Cruises, but also BA,<br />
Marriott, Cathay Pacific, Hyatt and easyJet."<br />
To tackle this problem, he advises, the<br />
travel industry needs to build security into<br />
the software development lifecycle and<br />
continuously assess externally facing<br />
applications for vulnerabilities. "A Which?<br />
study carried out midway through last year<br />
looked at vulnerabilities in systems owned by<br />
ninety-eight of the travel industry's biggest<br />
names and identified many with hundreds of<br />
vulnerabilities, including companies like BA<br />
and Marriott, some of which had already<br />
suffered major breaches. Marriott was the<br />
worst, with 497 vulnerabilities."<br />
There is nothing unique about the<br />
challenges facing companies in this sector,<br />
Walters continues. "Perhaps what is different<br />
is that the travel industry has undergone a<br />
dramatic transformation in recent years, with<br />
web apps replacing brochures and travel<br />
agents. What players in this industry have<br />
failed to do is understand the associated<br />
security issues. It's no different to what<br />
we're seeing in the automotive industry,<br />
with attacks on connected vehicles, or in<br />
the medical device industry. None of the<br />
companies in these sectors is an expert in<br />
cyber security, but they seem unable to realise<br />
they have a need to engage with companies<br />
that are."<br />
There is little doubt that security ecosystem<br />
complexity - with larger organisations using<br />
70-plus security point products - is also a<br />
contributing factor. "Censornet research has<br />
found that 92% of enterprises get more than<br />
500 SOC alerts per day - which is a problem<br />
when you consider that a single analyst<br />
can handle just 10 alerts per day. Human<br />
resources alone are dangerously insufficient,<br />
leaving no time for proactive threat hunting<br />
or searching for indicators of compromise.<br />
There is an urgent need to bridge the gap<br />
between alert overload and analyst capacity<br />
in every sector - and the travel industry is<br />
no different," he says. "The reality is that<br />
breaches are often missed, due to alert<br />
overload. All of the Indicators of Compromise<br />
(IOCs) were almost certainly there in the logs<br />
somewhere!"<br />
BUILDING A FORTRESS NOW<br />
'UNTENABLE'<br />
System breaches are not declining. Theft,<br />
business disruptions, data leaks all continue<br />
to occur, even though leaders know the risks.<br />
Why? "Today's IT systems have only gotten<br />
more complex," responds Keith Driver, chief<br />
technical officer at Titania. "The rise of BYOD,<br />
Software as a Service, the move to public or<br />
hybrid cloud and especially working from<br />
remote locations have given IT risk holders<br />
a headache."<br />
Building a fortress around IT assets is still<br />
the norm, he points out, but it's become<br />
an untenable form of protection for two<br />
reasons. "First, the complexity of the IT<br />
infrastructure makes it challenging to<br />
determine and manage where the boundary<br />
between corporate and external data exists.<br />
Secondly, adversaries' capabilities [be they<br />
individuals or more sophisticated and well-funded<br />
actors] continues to grow.<br />
"As a result, the ability to keep attackers<br />
at bay gets harder and harder, resulting in<br />
breaches. Determined attackers will always<br />
find a way in. This is where Zero Trust<br />
Architecture comes into play - approaching<br />
security as if a compromise has or will occur<br />
using functional blocks within a network that<br />
require authorisation/authentication steps to<br />
access resources. More organisations need to<br />
adopt this approach. It requires a cultural<br />
shift in addition to a different approach to<br />
solutions. But once this assumption is made,<br />
the strategy is one to ensure damage is<br />
minimal. When there is no assumption of<br />
trust, there is no assumption of identity<br />
and no automatic authorisation to enter<br />
a system. All of this makes it more difficult<br />
for an attacker to move around a network<br />
to gain access to more valuable assets."<br />
It's not just about Zero Trust either, Driver<br />
adds. "It's also important to segment a<br />
network and control the access to it. This<br />
makes it harder for attackers to navigate<br />
from one end to the other and hit their<br />
target. Here's where businesses fall down.<br />
While both are critical to network security,<br />
being vigilant about configuration can't take<br />
a back seat. It needs to be correct and unable<br />
to be compromised - either by attackers or by<br />
accident.<br />
"Businesses need to identify these vulnerabilities,<br />
examining routers, switches and<br />
firewalls using tools that score the level of<br />
risk and let them assess where the priorities<br />
lie, so time and resources are allocated<br />
appropriately. This gives organisations a<br />
complete picture of where, how and what<br />
can be compromised - across the network,<br />
on every device at every point of the day."<br />
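Driver's point about scoring configuration risk so that priorities are clear, as an added example that is not Titania's product or any vendor's audit tool: the script scans a device configuration line by line, raises a weighted finding for each weak setting it recognises and for each required control that is missing, and orders the results so the highest-weight items come first. The configuration syntax is a simplified IOS-style form, and the checks, weights and sample config are all constructed for illustration.

```python
"""Risk-scoring a network device configuration (constructed example) so
remediation can be prioritised across routers, switches and firewalls."""
import re

# Constructed sample configuration in a simplified IOS-style syntax.
SAMPLE_CONFIG = """\
hostname edge-fw-01
enable password changeme
service telnet
snmp-server community public RO
access-list 100 permit ip any any
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 10.1.1.5 eq 443
line vty 0 4
 transport input telnet ssh
ntp server 10.1.1.1
logging host 10.1.1.20
"""

# Findings raised when a line matches: (id, pattern, weight, remediation).
BAD_LINE_CHECKS = [
    ("PLAINTEXT_ENABLE", re.compile(r"^enable password "), 9,
     "use a hashed 'enable secret' instead of a cleartext enable password"),
    ("TELNET_ENABLED", re.compile(r"^(service telnet|\s*transport input .*\btelnet\b)"), 8,
     "disable telnet and allow only ssh on management lines"),
    ("ANY_ANY_PERMIT", re.compile(r"^access-list \d+ permit ip any any$"), 8,
     "replace the permit-any rule with explicit source and destination"),
    ("DEFAULT_SNMP_COMMUNITY", re.compile(r"^snmp-server community (public|private)\b"), 7,
     "replace default SNMP community strings, preferably moving to SNMPv3"),
]

# Findings raised when no line matches: the control is missing entirely.
REQUIRED_LINE_CHECKS = [
    ("NO_LOGGING", re.compile(r"^logging host "), 5, "send logs to a remote syslog host"),
    ("NO_NTP", re.compile(r"^ntp server "), 3, "configure NTP so log timestamps are reliable"),
]


def audit(config_text: str) -> list[dict]:
    """Return one finding per weakness, with the line it came from (None if missing)."""
    lines = config_text.splitlines()
    findings = []
    for check_id, pattern, weight, fix in BAD_LINE_CHECKS:
        for lineno, line in enumerate(lines, 1):
            if pattern.search(line):
                findings.append({"id": check_id, "line": lineno, "weight": weight,
                                 "text": line.strip(), "fix": fix})
    for check_id, pattern, weight, fix in REQUIRED_LINE_CHECKS:
        if not any(pattern.search(line) for line in lines):
            findings.append({"id": check_id, "line": None, "weight": weight,
                             "text": "", "fix": fix})
    return findings


def risk_score(findings: list[dict]) -> int:
    """Sum of weights: one number to compare devices and track progress over time."""
    return sum(f["weight"] for f in findings)


def prioritised(findings: list[dict]) -> list[dict]:
    """Highest weight first, so the top of the list is where time should go."""
    return sorted(findings, key=lambda f: f["weight"], reverse=True)


if __name__ == "__main__":
    found = audit(SAMPLE_CONFIG)
    print(f"risk score: {risk_score(found)}")
    for f in prioritised(found):
        where = f"line {f['line']}" if f["line"] else "missing"
        print(f"[{f['weight']}] {f['id']} ({where}): {f['fix']}")
```

Run against a fleet, the per-device score gives the "complete picture" Driver talks about; the more useful output in practice is the ordered finding list, because a single cleartext enable password outweighs several lower-weight items and should be fixed first.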
NEGLECT OVER ACCESS<br />
"One common reason why data breaches<br />
take place is no - or improper - access<br />
control," says Amit Sharma, security engineer,<br />
Synopsys Software Integrity Group. "Third-party<br />
access is an area that is oftentimes<br />
neglected, thus providing opportunities to<br />
cyber-attackers. My recommendation would<br />
be for organisations to carry out in-depth<br />
checks on their infrastructure and the<br />
services they employ to operate and manage<br />
their applications and data. The first step<br />
involves classifying your data and then using<br />
the appropriate controls to protect it<br />
depending on the classification."<br />
VENDOR MANAGEMENT POLICIES<br />
Other proactive measures that organisations<br />
can and should take is implementing<br />
an identity and access management (IAM)<br />
policy governing access controls, using<br />
strong passwords (and not re-using<br />
a password across services) and using<br />
encryption. "Secure vendor management<br />
policies should be in place, which should<br />
vet partners and vendors, thereby managing<br />
and controlling access to data that is<br />
exposed to vendors, contractors and third<br />
parties. Regular testing for loopholes and<br />
routine checks on the infrastructure are<br />
also important mechanisms to build into<br />
your security strategy. With the constant<br />
advancement in technologies, attack<br />
patterns are also changing rapidly and we<br />
need to evolve along with it. Firewalls are<br />
simply not enough," insists Sharma.<br />
Reviewing the processes governing data<br />
handling is also crucial to ensure customer<br />
data is securely maintained. "With the<br />
ongoing pandemic, it's very common to see<br />
data being transmitted from unsecured<br />
networks and unmanaged machines.<br />
"Other measures to consider include<br />
network segmentation, active monitoring<br />
and developing capabilities to respond to<br />
incidents effectively. Security awareness<br />
training not only for employees, but also<br />
for partners who are handling sensitive data,<br />
is also a very important consideration for<br />
an organisation."<br />
Keith Driver, Titania: important to segment<br />
a network and control the access to it.<br />
The travel sector seems to struggle with<br />
securing content in databases linked to<br />
externally-facing web applications.<br />
information security<br />
PRIVACY PAYOFF: CHAMPIONING DATA VIGILANCE<br />
AS PEOPLE CONSIDER POST-PANDEMIC LIFE<br />
WHILE EDUCATING CONSUMERS IS IMPORTANT, INDIVIDUALS MUST ENGAGE BY REFLECTING ON THEIR<br />
ONLINE SECURITY AND ITS IMPACT, STATES DAVID EMM, PRINCIPAL SECURITY RESEARCHER AT KASPERSKY<br />
Much has been made of the 'new<br />
normal' that awaits us beyond<br />
COVID - or at least, this stage<br />
of COVID. As we learn to live either with<br />
or without the virus, we have already<br />
entered our post-lockdown lives. Those<br />
long-awaited holidays, that music<br />
festival, a three-time-postponed sporting<br />
event. Or, via a few clicks of a button,<br />
your online shopping network, your<br />
updated communications apps, your<br />
more dispersed and digitised social life.<br />
It's understandable that people have<br />
been eager to get back to normal now<br />
that restrictions have lifted. However,<br />
in the race to return to these events,<br />
there has been an increased security<br />
conundrum - but what is the privacy<br />
price people are willing to pay to ensure<br />
that they are at the front of the queue<br />
when getting back into events, going<br />
on holiday and more?<br />
What personal data are those in Europe<br />
willing to sacrifice for post-pandemic<br />
freedoms? At first glance, it's clear that<br />
we are willing to pay quite a hefty<br />
price. A new data privacy heatmap has<br />
explored the new consumer dynamic<br />
across Europe to gauge what people are,<br />
and are not, willing to share in the form<br />
of personal data, in order to access these<br />
new freedoms, solutions and online<br />
services.<br />
In the UK, for example, almost three-quarters<br />
(72%) would be happy to share<br />
personal healthcare, location and contact<br />
data if it meant a quicker release of<br />
restrictions and back into events,<br />
festivals, social spaces or airports. And<br />
seven in 10 European respondents also<br />
stated they would be prepared to<br />
provide personal healthcare and<br />
movement data for more freedoms.<br />
Furthermore, 45% of European<br />
respondents said they would willingly<br />
provide healthcare and movement data<br />
to help their own country overcome<br />
COVID-19. On the domestic front, 84%<br />
of Brits would share personal data for<br />
free digital services, while lures of<br />
discounts, online convenience or 'free<br />
gifts' would also tempt many out of their<br />
private details. While the promise of gifts<br />
and details may seem appealing, many<br />
don't realise the privacy implications of<br />
giving such information away.<br />
These insights and attitudes bring fresh<br />
cybersecurity concerns to the fore. But is<br />
it a lack of awareness or a lack of care<br />
that is failing to halt the data deluge? It<br />
seems to be the latter. Almost all (95%)<br />
of Brits claim that data privacy is<br />
important to them, and they also seem<br />
to be aware of the pitfalls, with 83%<br />
voicing concern that their data could fall<br />
into the wrong hands over the next<br />
two years. And this sentiment is echoed<br />
throughout Europe, too. In fact, as<br />
revealed by the heatmap, 95% of<br />
Europeans feel data privacy is important<br />
but only 52% of the continent's<br />
population feel in control of their<br />
personal data. Eight in 10 Europeans<br />
also fear that their personal data will fall<br />
into hands of criminals, just as Brits do<br />
as well.<br />
While educating consumers is<br />
important, it is equally crucial that<br />
individuals themselves engage in<br />
considering their online security and its<br />
impact. A prime example would be social<br />
media and the ease through which<br />
people often share large amounts of<br />
private data without considering the<br />
wider implications as to whom can<br />
access that information, such as<br />
advertisers and marketers for example.<br />
It is a case of taking responsibility for<br />
their online safety as they would in<br />
person. This includes understanding<br />
the information they are giving and<br />
whether the benefits outweigh the risks.<br />
PRIORITISING CUSTOMER PRIVACY<br />
That being said, businesses hold the<br />
main responsibility for making people's<br />
privacy a priority. They must ask<br />
themselves not only from a legal<br />
standpoint, but from an ethical one:<br />
what is the purpose of the data that is<br />
being collected? And: what are the<br />
implications of having this data, should<br />
there be a security breach? After all, the<br />
more data that is held, the more at risk<br />
it becomes, meaning that only essential<br />
information should be collected. The<br />
most important question that businesses<br />
must ask themselves, however, is: what<br />
are we doing to protect consumers?<br />
Not only will asking this question mean<br />
businesses are protecting customer's data<br />
more effectively, but they will also help<br />
protect themselves. After all, a GDPR<br />
violation can lead to fines of up to 20<br />
million Euros, or up to four per cent of<br />
the company's global annual turnover -<br />
quite a hefty price to pay. And that's not<br />
including the reputational damage that<br />
comes with a data breach, if consumers<br />
understandably lose faith in a business's<br />
ability to manage their data.<br />
Ian Thornton-Trump, CISO at Cyjax,<br />
suggests that the way to tackle many<br />
of the issues faced is through endpoint<br />
detection and response (EDR). "Increasingly,<br />
EDR is finding favour over traditional<br />
anti-virus, but to be most effective,<br />
these solutions must be deployed into<br />
a managed, licensed and hardened IT<br />
environment."<br />
This, in essence, would enable<br />
businesses to become more vigilant, in<br />
terms of cyber threats, equipping them<br />
with the tools to spot and manage them.<br />
Though an EDR solution is not a silver<br />
bullet, it's a vital part of an organisation's<br />
cybersecurity arsenal - which, when<br />
combined with staff education and a<br />
professional and personal sense of data<br />
protection responsibility, will help keep<br />
people's personal assets safe.<br />
The majority of consumers are<br />
concerned about their data being stolen<br />
in the near future - and though the<br />
onus is on businesses to protect this<br />
information, individuals should also<br />
understand the implications of giving out<br />
their personal data - especially if it's for<br />
free gifts or discounts - and consider if it<br />
is really worth the return they receive.<br />
Overall, a careful balance must be struck<br />
between both the excitement of getting<br />
back to life as it once was and what data<br />
needs to be shared to unlock those<br />
freedoms.<br />
SIMPLE STEPS TO STAY SAFE<br />
The public has long looked forward to<br />
embarking on much-missed holidays and<br />
attending events; however, as they get<br />
more confident and life resumes as<br />
normal, we must also seek to support<br />
them in their cybersecurity hygiene, as<br />
well as increasing their knowledge about<br />
how to protect themselves and their<br />
personal data, allowing them to enjoy<br />
those well-earned post-pandemic<br />
experiences safely.<br />
Simple steps consumers can take to limit<br />
the amount of their personal data that is<br />
accessible include: deleting<br />
profiles and accounts from websites or<br />
apps that are no longer used; investing<br />
in password managers, which create,<br />
save and store passwords automatically,<br />
meaning people don't have to use the<br />
same password for all of the online<br />
services they use; and utilising the Right<br />
to Erasure, better known as 'The Right to<br />
Be Forgotten', which empowers people<br />
to be able to request that their data is<br />
completely removed from business<br />
servers.<br />
With these steps taken, and the<br />
amount of personal data 'out there'<br />
drastically lessened, people can feel more<br />
assured that their information is safe,<br />
and controlled, offering them far greater<br />
protection from their data being used for<br />
criminal or unethical gains.<br />
new-world shake-up<br />
HOW TO PROTECT BUSINESS DATA WHILE<br />
EMPLOYEES WORK FROM ANYWHERE<br />
CARMEN OPRITA, MANAGER SALES AND BUSINESS DEVELOPMENT AT<br />
ENDPOINT PROTECTOR BY COSOSYS, LOOKS AT THE MANY OUTSIDER<br />
AND INSIDER THREATS THAT CAN DAMAGE BUSINESSES - AND HOW<br />
THEY CAN FIGHT BACK<br />
Remote work has changed from an<br />
option to a necessity, as organisations<br />
worldwide have closed their offices<br />
amid the COVID-19 health crisis. With a<br />
remote or hybrid workforce, it's essential for<br />
companies to have proper security tools in<br />
place, protecting them from various threats<br />
that could lead to data breaches.<br />
The work scene has completely changed<br />
since the outbreak of the COVID-19<br />
pandemic. Last year, work from home<br />
became the new normal for many employees<br />
worldwide, followed by announcements of<br />
hybrid work arrangements this year. While,<br />
according to the Velocity Smart Technology<br />
Market Research Report <strong>2021</strong>, remote work<br />
benefits productivity, due to reduced travel<br />
time, fewer distractions and a more flexible<br />
schedule, organisations must ensure that<br />
they are equipped with the right security<br />
tools. In the new reality of working from<br />
anywhere, there are various outsider and<br />
insider threats that can cause damage to a<br />
business, including fines, penalties and loss<br />
of consumer trust. There are also new ways<br />
of accessing confidential information,<br />
posing higher risks for sensitive data.<br />
And, if an employee compromises data<br />
while working remotely, it is more difficult<br />
to identify how and when it happened.<br />
HIGHER COST OF BREACHES<br />
According to a Malwarebytes report,<br />
Enduring from Home: COVID-19's Impact<br />
on Business Security, the potential for<br />
cyberattacks and data breaches has<br />
increased since employees are working from<br />
home. Some 20% of respondents said they<br />
encountered a security breach, due to a<br />
remote worker, since the outbreak of the<br />
COVID-19 pandemic. This has led to higher<br />
costs, too, with 24% of respondents saying<br />
they paid unexpected expenses to address<br />
a cybersecurity breach or malware attack<br />
following shelter-in-place orders.<br />
Therefore, the prevention and protection<br />
of data remain of utmost importance.<br />
Companies need to ensure that employees<br />
are handling and storing sensitive data such<br />
as Personally Identifiable Information (PII)<br />
securely, in accordance with different data<br />
protection laws. To achieve this, employers<br />
should put additional safeguards and<br />
provisions in place to prevent sensitive<br />
data from being misused or mislaid while<br />
employees work remotely.<br />
Here are the most important steps<br />
companies with a distributed workforce<br />
should take to ensure data security:<br />
1. Train employees<br />
Cybersecurity training should be mandatory<br />
for every employee, regardless of their role<br />
or position in the company. They should be<br />
aware of the most common types of threats,<br />
including those caused by malicious<br />
outsiders, such as phishing attacks and those<br />
originating within the organisation itself<br />
caused by social engineering, shadow IT<br />
or sharing data with unauthorised persons.<br />
While criminal attacks are responsible for<br />
many data breaches, human error is also<br />
a significant contributor to security issues.<br />
In these days of remote work, organisations<br />
need to take extra precautions regarding<br />
COVID-19 related scams. Employees need to<br />
be aware of suspicious links or attachments<br />
related to COVID-19, as internet criminals<br />
have widely exploited the pandemic in<br />
numerous phishing and scam campaigns.<br />
With employees working outside the office,<br />
companies must ensure that everybody<br />
knows basic password security, safe<br />
browsing habits and physical security.<br />
Training should be an ongoing procedure,<br />
with required video courses, assessments<br />
etc.<br />
2. Create a remote work policy<br />
Establishing clear rules to govern how<br />
employees work remotely is another crucial<br />
step towards security. A telework or remote<br />
work policy needs to provide information<br />
to the workforce on how to act safely with<br />
corporate devices and data when working<br />
from outside the office. The absence of such<br />
a policy can compromise the compliance of<br />
the organisation.<br />
To ensure security in the age of remote<br />
and hybrid work arrangements, the telework<br />
policy should include information on:<br />
whether employees are allowed or not to<br />
use personal devices when working outside<br />
of the office; if they can install non-work<br />
related software on the devices used for<br />
remote access; and how they should report<br />
suspicious incidents while working from<br />
home.<br />
3. Require two-factor or<br />
multi-factor authentication<br />
Two-factor authentication (2FA) or multi-factor<br />
authentication (MFA) is a security<br />
enhancement that can help to keep accounts<br />
and information safe from unauthorised<br />
entities. By applying this additional security<br />
layer, companies can ensure that unauthorised<br />
parties cannot remotely access their<br />
networks or user accounts.<br />
When employees use 2FA or MFA to access<br />
and use any company apps, resources, tools<br />
or data, the likelihood of malicious outsiders<br />
gaining access to information is considerably<br />
reduced.<br />
4. Have visibility and control<br />
over your company data<br />
Data cannot be protected without knowing<br />
where it is stored and how it is used. An<br />
effective data security strategy ensures both.<br />
By deploying a Data Loss Prevention (DLP)<br />
solution, such as Endpoint Protector,<br />
companies can discover where their sensitive<br />
data resides and monitor the data flow.<br />
Unauthorised data transfers can be blocked<br />
with DLP software and administrators are<br />
alerted. In this way, it is possible to ensure<br />
that sensitive data, such as customers'<br />
personal data or intellectual property, does<br />
not leave the corporate network or reach<br />
a user without access rights.<br />
5. Ensure policies remain active offline<br />
When employees work remotely, they may<br />
not always have a continuous internet<br />
connection available. This means that, while<br />
their computer is offline, data protection<br />
policies are not active.<br />
In this way, companies risk data loss and<br />
non-compliance with data protection laws<br />
like the GDPR or PCI DSS. By using a DLP<br />
solution that applies policies directly on the<br />
endpoint, organisations can ensure that data<br />
continues to be protected and monitored,<br />
whether a computer is online or not.<br />
6. Use encryption<br />
Data encryption is another important best<br />
practice from a security standpoint. When<br />
employees work remotely, it is even more<br />
critical, as it can ensure that, if a device is<br />
lost or stolen, data can't be accessed by<br />
unauthorised people. Hard drives and<br />
individual files can be encrypted with native<br />
encryption tools, like BitLocker in Windows<br />
and FileVault in macOS, without requiring<br />
additional investments.<br />
Data transfers between company-owned<br />
systems and remote work locations should<br />
also be encrypted. A Virtual Private Network<br />
(VPN) is an easy and cost-efficient method<br />
to do this, with some VPNs offering military-grade<br />
256-bit encryption of data. By<br />
providing a VPN service to all employees,<br />
companies ensure their internet activities are carried out as if<br />
they were working directly in the office.<br />
7. Keep systems and programs up to date<br />
In these times of teleworking, ensuring that<br />
programs and operating systems are updated<br />
regularly is a critical aspect of security.<br />
Outdated systems and third-party<br />
applications often have weak spots and<br />
vulnerabilities, opening up the business<br />
for cyberattacks. Besides regularly updating<br />
the operating system and third-party<br />
applications, it is essential to keep an eye<br />
on the antivirus and antimalware program, as<br />
well as firewall firmware.<br />
While work from home comes with IT<br />
security risks, the COVID-19 pandemic has<br />
irrevocably changed the world and remote<br />
work is here to stay. Employees enjoy a more<br />
relaxed environment, without the stress and<br />
wasted time of commuting,<br />
while employers can save money on office<br />
space and equipment, with no loss of<br />
productivity.<br />
With this transition to remote work looking<br />
to be long term, now is the perfect time to<br />
secure employees' endpoints and ensure the<br />
company's data stays safe.<br />
www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security<br />
27
global intelligence<br />
CYBER AGENCIES FLEX THEIR GLOBAL MUSCLES<br />
INTERNATIONAL ALLIES SHARE DETAILS OF TOP 30 VULNERABILITIES<br />
THAT WERE ROUTINELY EXPLOITED BY MALICIOUS ACTORS IN 2020<br />
Advice on countering the most publicly<br />
known - and often dated - software<br />
vulnerabilities has been published<br />
for private and public sector organisations<br />
worldwide. It is part of a global initiative to<br />
combat cyber attacks by sharing intelligence<br />
and creating a united front.<br />
The cyber agencies behind the drive - the<br />
UK's National Cyber Security Centre (NCSC),<br />
the Cybersecurity and Infrastructure Security<br />
Agency (CISA), the Australian Cyber Security<br />
Centre (ACSC) and the Federal Bureau of<br />
Investigation (FBI) - have published a joint<br />
advisory*, highlighting 30 vulnerabilities<br />
routinely exploited by cyber actors in 2020<br />
and those being exploited in 2021.<br />
In 2021, malicious cyber actors continued<br />
to target vulnerabilities in perimeter-type<br />
devices. Today's advisory lists the vendors,<br />
products, and CVEs, and recommends that<br />
organisations prioritise patching those listed.<br />
GLOBAL CYBER WEAKNESSES<br />
"We are committed to working with allies to<br />
raise awareness of global cyber<br />
weaknesses - and present easily actionable<br />
solutions to mitigate them," states NCSC<br />
director for operations, Paul Chichester.<br />
"The advisory… puts the power in every<br />
organisation's hands to fix the most common<br />
vulnerabilities, such as unpatched VPN<br />
gateway devices. Working with our<br />
international partners, we will continue<br />
to raise awareness of the threats posed by<br />
those that seek to cause harm."<br />
As well as alerting organisations to the<br />
threat, the advisory directs public and private<br />
sector partners to the support and resources<br />
available to mitigate and remediate these<br />
vulnerabilities.<br />
Meanwhile, guidance for organisations<br />
on how to protect themselves in cyberspace<br />
can be found on the NCSC website. The<br />
centre's '10 Steps to Cyber Security' collection<br />
(https://www.ncsc.gov.uk/collection/10-steps)<br />
provides a summary of advice for security and<br />
technical professionals. On the mitigation<br />
of vulnerabilities, network defenders are<br />
encouraged to familiarise themselves<br />
with guidance on establishing an<br />
effective vulnerability management process.<br />
EARLY WARNING SYSTEM<br />
Elsewhere, the NCSC's Early Warning Service<br />
(https://www.ncsc.gov.uk/information/early-warning-service)<br />
also provides vulnerability<br />
and open port alerts. This is a free NCSC<br />
service designed to inform your organisation<br />
of potential cyber attacks on your network as<br />
soon as possible. The service uses a variety of<br />
information feeds from the NCSC, trusted<br />
public, commercial and closed sources, which<br />
includes several privileged feeds not available<br />
elsewhere.<br />
To sign up to the NCSC's Early Warning<br />
Service, go to:<br />
https://www.earlywarning.service.ncsc.gov.uk/?referrer=acdwebsite<br />
So, what exactly does the service do? Early<br />
Warning filters millions of events that the<br />
NCSC receives every day and, using the IP and<br />
domain names you provide, correlates those<br />
which are relevant to your organisation<br />
into daily notifications for your nominated<br />
contacts via the Early Warning portal.<br />
Organisations that are signed up<br />
receive the following high-level<br />
types of alerts:<br />
Incident Notifications - activity that<br />
suggests an active compromise of your<br />
system. For example: a host on your<br />
network has most likely been infected with<br />
a strain of malware<br />
Network Abuse Events - these may be<br />
indicators that your assets have been<br />
associated with malicious or undesirable<br />
activity, such as a client on your network<br />
having been detected scanning the internet<br />
Vulnerability and Open Port Alerts -<br />
indications of vulnerable services running<br />
on your network or potentially undesired<br />
applications exposed to the internet.<br />
For example: you have a vulnerable<br />
application or have an exposed<br />
Elasticsearch service.<br />
Cyber security researchers will often uncover<br />
malicious activity on the internet or discover<br />
weaknesses in organisations' security controls<br />
and release this information in information<br />
feeds. In addition, the NCSC or its partners<br />
may uncover information that is indicative of<br />
a cyber security compromise on a network.<br />
The NCSC will collate this information and<br />
use this data to alert organisations about<br />
potential attacks on their networks.<br />
Two types of alert are sent out when<br />
something has been detected for an<br />
organisation:<br />
Daily Threat Alert - this includes Incident<br />
Notifications and Network Abuse Reports<br />
Weekly Vulnerability Alert - this includes<br />
Vulnerability and Open Port Alerts.<br />
The organisation involved can then use<br />
this information passed on by Early Warning<br />
to investigate the issue and implement<br />
appropriate mitigation solutions where<br />
required. The NCSC's website provides advice<br />
and guidance on how to deal with most<br />
cyber security concerns.<br />
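The correlation step described above (reduce a large event feed to the IP ranges and domain names an organisation has registered, then bucket the hits into the daily and weekly digests) in an added Python sketch; this is not NCSC code, and the asset list, feed events and event field names are all constructed for the example.<br />

```python
"""Toy correlation of threat-feed events against an organisation's assets.

Constructed example (not NCSC code): it mimics the process the article
describes. Every IP range, domain and feed event below is made up.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List

# The four high-level alert types the article lists, mapped to the digest
# that carries them (Daily Threat Alert vs Weekly Vulnerability Alert).
DIGEST_FOR_TYPE = {
    "incident_notification": "daily_threat_alert",
    "network_abuse": "daily_threat_alert",
    "vulnerability": "weekly_vulnerability_alert",
    "open_port": "weekly_vulnerability_alert",
}

# Assumed registration data: the address blocks and domains the
# organisation told the service it owns (constructed values).
ORG_ASSETS = {
    "networks": ["203.0.113.0/24", "2001:db8:10::/48"],
    "domains": ["example.org"],
}

# Constructed feed events; only some of them touch the organisation.
FEED_EVENTS = [
    {"type": "incident_notification", "ip": "203.0.113.17",
     "detail": "host beaconing to a known malware controller"},
    {"type": "network_abuse", "ip": "203.0.113.201",
     "detail": "client observed scanning TCP/445 across the internet"},
    {"type": "open_port", "host": "search.example.org", "port": 9200,
     "detail": "Elasticsearch HTTP API reachable from the internet"},
    {"type": "vulnerability", "host": "vpn.example.org",
     "detail": "VPN gateway reports an end-of-life firmware version"},
    {"type": "incident_notification", "ip": "198.51.100.9",
     "detail": "belongs to another organisation, must be filtered out"},
    {"type": "open_port", "host": "mail.example.org.attacker.test",
     "port": 25, "detail": "look-alike domain, must not match by substring"},
]


def _networks(assets: dict) -> list:
    return [ipaddress.ip_network(n) for n in assets["networks"]]


def ip_is_ours(ip: str, assets: dict) -> bool:
    """True when the address falls inside one of the registered blocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed feed data never matches
    return any(addr in net for net in _networks(assets))


def host_is_ours(host: str, assets: dict) -> bool:
    """True for a registered domain itself or any label beneath it.

    Comparing whole labels rather than substrings stops a look-alike such
    as example.org.attacker.test from being treated as ours.
    """
    labels = host.lower().rstrip(".").split(".")
    for domain in assets["domains"]:
        dlabels = domain.lower().split(".")
        if len(labels) >= len(dlabels) and labels[-len(dlabels):] == dlabels:
            return True
    return False


def event_is_relevant(event: dict, assets: dict) -> bool:
    if "ip" in event and ip_is_ours(event["ip"], assets):
        return True
    if "host" in event and host_is_ours(event["host"], assets):
        return True
    return False


def correlate(events: Iterable[dict], assets: dict) -> Dict[str, List[dict]]:
    """Keep only this organisation's events and group them by digest.

    Events with an unknown type are dropped rather than guessed at.
    """
    digests: Dict[str, List[dict]] = defaultdict(list)
    for event in events:
        digest = DIGEST_FOR_TYPE.get(event.get("type"))
        if digest is None or not event_is_relevant(event, assets):
            continue
        digests[digest].append(event)
    return dict(digests)


if __name__ == "__main__":
    for digest, hits in correlate(FEED_EVENTS, ORG_ASSETS).items():
        print(f"{digest}: {len(hits)} event(s)")
        for hit in hits:
            where = hit.get("ip") or hit.get("host")
            print(f"  [{hit['type']}] {where}: {hit['detail']}")
```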
BENEFITS OF EARLY WARNING<br />
By signing up to Early Warning, an organisation<br />
will be alerted to the presence of<br />
malware and vulnerabilities affecting its<br />
network. Early Warning will notify on all<br />
cyber attacks detected by feed suppliers<br />
against that particular organisation. "This<br />
should not be used as the only layer of<br />
defence for a network," cautions the NCSC.<br />
"Early Warning should complement your<br />
existing security controls."<br />
ENHANCING SECURITY<br />
Early Warning aims to enhance security by<br />
increasing awareness of the low-grade<br />
incidents that could become much bigger<br />
issues, so that organisations can act on these<br />
at the earliest opportunity and gain<br />
increased confidence in the security of their<br />
networks. Other key considerations:<br />
The service is free and fully funded<br />
by the NCSC<br />
Early Warning does not conduct any active<br />
scanning of an organisation's networks itself. (However,<br />
some of the feeds may use scan-derived<br />
data - eg, from commercial feeds.)<br />
CISA executive assistant director for<br />
Cybersecurity, Eric Goldstein, comments:<br />
"Organisations that apply the best practices of<br />
cyber security, such as patching, can reduce<br />
their risk to cyber actors exploiting known<br />
vulnerabilities in their networks. Collaboration<br />
is a crucial part of CISA's work and we have<br />
partnered with ACSC, NCSC and FBI to<br />
highlight cyber vulnerabilities that public and<br />
private organisations should prioritise for<br />
patching to minimise risk of being exploited<br />
by malicious actors."<br />
For his part, FBI cyber assistant director<br />
Bryan Vorndran had this to add: "The FBI<br />
remains committed to sharing information<br />
with public and private organisations in an<br />
effort to prevent malicious cyber actors from<br />
exploiting vulnerabilities.<br />
"We firmly believe that coordination and<br />
collaboration with our federal and private<br />
sector partners will ensure a safer cyber<br />
environment to decrease the opportunity<br />
for these actors to succeed."<br />
LIFT COLLECTIVE DEFENCES<br />
Head of the ACSC, Abigail Bradshaw CSC,<br />
believes the guidance will be valuable for<br />
enabling network defenders and<br />
organisations to lift collective defences<br />
against cyber threats. "This advisory<br />
complements our advice available through<br />
cyber.gov.au and underscores the<br />
determination of the ACSC and our partner<br />
agencies to collaboratively combat malicious<br />
cyber activity."<br />
Amongst those who see attacks and<br />
breaches every day out in the commercial<br />
world, Jon Fielding, managing director, EMEA<br />
Apricorn, sees the NCSC joint advisory as a<br />
great demonstration of collaboration and the<br />
growing need to mitigate against these<br />
common threats. "We are in a software age<br />
and digitalisation is being embraced by more<br />
and more businesses, but, in doing so, the<br />
risks are extended, as security fails to keep<br />
pace with the level of software development<br />
which can provide a weak link into a<br />
corporate network. Ultimately, businesses will<br />
never be 100% secure and, whilst the joint<br />
advisory is a positive step, data needs to be<br />
kept offline and encrypted wherever possible.<br />
Employing a hardware-centric approach,<br />
void of software involvement and encrypting<br />
sensitive data wherever it resides [server,<br />
laptop, removable media] is imperative, so<br />
that, if defences are breached, you remain<br />
protected."<br />
* https://us-cert.cisa.gov/ncas/alerts/aa21-209a<br />
asset disposal<br />
ADISA SETS THE STANDARD<br />
ADISA ASSET RECOVERY STANDARD 8.0 IS FORMALLY<br />
APPROVED BY UK INFORMATION COMMISSIONER'S OFFICE<br />
In July 2019, ADISA CEO Steve Mellings<br />
sent a rather speculative email into the<br />
ICO, asking for details about how he<br />
could apply to get the ADISA ITAD Industry<br />
Standard recognised under Article 42 of the<br />
then EU GDPR. "That request now seems a<br />
very long time ago," he reflects, "as we have<br />
battled through Brexit, creation of UK GDPR<br />
and, of course, COVID challenges. But, as<br />
per the ICO press release on 19 August,<br />
I'm delighted to now be able to publicly<br />
confirm that ADISA IT Asset Recovery<br />
Standard 8.0 has become one of the first<br />
Standards approved by the Commissioner."<br />
DATA IMPACT ASSURANCE LEVELS<br />
"A key part of our work with the ICO was to<br />
find a way to empower the data controller<br />
to make decisions on critical processes<br />
undertaken during the asset recovery and<br />
data sanitisation activity which they may not<br />
even be aware of," explains Mellings. "These<br />
processes introduce risk and the ICO made it<br />
clear that the data controller needed to<br />
be made aware of these and be able to<br />
determine the level of controls required."<br />
This caused much discussion about how it<br />
could be achieved without a requirement for<br />
the data controller to be completely hands-on<br />
in the process and it wasn't until he<br />
remembered the old CESG Business Impact<br />
Levels that the solution became apparent.<br />
"By customising that concept, ADISA has<br />
created the 'Data Impact Assessment Level'<br />
or 'DIAL'. This is a formula in which the data<br />
controller answers five simple questions,<br />
which will then identify them at a particular<br />
DIAL rating. These questions are based<br />
on threat, risk appetite, categories of data,<br />
volume of data and, finally, impact of<br />
a data breach, and will enable the controller<br />
to present to their supplier a DIAL that is<br />
determined by their own responses to those<br />
key questions.<br />
"This has allowed the ADISA Standard 8.0<br />
to introduce a tiering level for the controls,<br />
which are put in place in over 30 areas<br />
where different risk countermeasures have<br />
been identified. With a total number of 221<br />
criteria, this is the most exacting assessment<br />
of a data processor within this specific<br />
industry," adds Mellings.<br />
WHAT DOES THIS MEAN<br />
AND HOW CAN IT HELP YOU?<br />
"In short, it means that, over the two-year<br />
period, we've worked with the Commissioner<br />
to agree on what needs to happen<br />
during the Asset Recovery and Data<br />
Sanitisation process for it to be viewed as<br />
UK GDPR compliant. With data protection<br />
and cyber security being a complex area,<br />
this new ICO-approved Standard can help<br />
fix one problem that many don't even know<br />
they have - how to dispose of retired assets<br />
and ensure regulatory compliance."<br />
WE'RE ONLY HALFWAY THERE<br />
"Whilst Standard 8.0 has now been formally<br />
recognised, we are now undertaking the<br />
second part of our project, which is to get<br />
our auditing process UKAS accredited, such<br />
that we have a UK GDPR-approved scheme,"<br />
he adds. "We've been working on this<br />
behind the scenes for over 12 months and<br />
our application to UKAS is now in, and we<br />
expect this process to take between 6-9<br />
months. This will provide ample time for<br />
existing certified ITADs and new applicants<br />
to work towards 8.0 to ensure those<br />
companies certified to Standard 8.0 can<br />
genuinely evidence UK GDPR compliance."<br />
To find out more, go to https://adisa.global<br />
CS Nominations 2021<br />
NOMINATIONS OPEN NOW - AND WE WANT YOUR VOTES!<br />
THE COMPUTING SECURITY AWARDS 2021 ARE FAST APPROACHING, SO IT'S TIME FOR YOU, OUR READERS,<br />
TO CAST YOUR VOTES FOR THE COMPANIES, PRODUCTS AND SERVICES THAT HAVE IMPRESSED YOU MOST<br />
IN THE PAST 12 MONTHS<br />
It's official: the Computing Security<br />
Awards for 2021 will be taking place<br />
LIVE in London in December! (Page 3)<br />
Forced to go 'virtual' last year, the news<br />
couldn't be more welcome - and we<br />
plan to celebrate the occasion with all<br />
the panache and passion of previous<br />
awards. In the meantime, we need you - our<br />
readers - to play a key part in the build-up by<br />
nominating those Companies, Products &<br />
Services you feel deserve recognition for<br />
the impact they have had over the last 12<br />
very difficult months. You may want to<br />
reflect on some of the following criteria,<br />
for example, in reaching your verdict:<br />
Which companies have helped to<br />
secure your organisation's digital<br />
infrastructure over the past year?<br />
What Cyber Security products/<br />
services have most impressed you?<br />
Are you a Cyber Security company<br />
that’s proud of the service or technology<br />
you have provided to customers?<br />
Go to the awards nominations page now -<br />
computingsecurityawards.co.uk - and cast<br />
your votes.<br />
HERE IS THE FULL LIST OF THE 2021 AWARDS CATEGORIES AWAITING YOUR VOTES:<br />
Advanced Persistent Threat (APT) Solution of the Year<br />
AI and Machine learning based Security Solution of the Year<br />
Anti Malware Solution of the Year<br />
Anti Phishing Solution of the Year<br />
Cloud-Delivered Security Solution of Year<br />
Compliance Award - Security<br />
Contribution to CyberSecurity Award - Person<br />
Customer Service Award - Security<br />
Cyber Security Innovation Award: Countering Covid-19<br />
DLP Solution of the Year<br />
Editor's Choice - Benchtested<br />
Email Security Solution of the Year<br />
Encryption Solution of the Year<br />
Enterprise Security Solution of the Year<br />
Identity and Access Management Solution of the Year<br />
Incident Response & Investigation Security Service Provider of the Year<br />
Mobile Security Solution of the Year<br />
Network Security Solution of the Year<br />
New Cloud-Delivered Security Solution of the Year<br />
New Security Software Solution of the Year<br />
One to Watch Security - Company<br />
One to Watch Security - Product<br />
Penetration Testing Solution of the Year<br />
Remote Monitoring Security Solution of the Year<br />
Secure Data & Asset Disposal Company of the Year<br />
Security Company of the Year<br />
Security Distributor of the Year<br />
Security Education and Training Provider of the Year<br />
Security Project Category(s) of the Year<br />
Security Reseller of the Year<br />
Security Service Provider of the Year<br />
SME Security Solution of the Year<br />
Threat Intelligence Award<br />
Web Application Firewall of the Year<br />
To discuss nominating, voting, becoming a sponsor or booking<br />
seats at the Awards ceremony, please contact:<br />
Edward O'Connor<br />
Email: edward.oconnor@btc.co.uk<br />
Tel: +44 (0) 1689 616000<br />
Lyndsey Camplin<br />
Email: lyndsey.camplin@btc.co.uk<br />
Stuart Leigh<br />
Email: stuart.leigh@btc.co.uk<br />
CS AWARDS 2021 - KEY DATES:<br />
Nominations open - 20 August<br />
Nominations close - 24 September<br />
Finalists announced & voting opens - 1 October<br />
Voting closes - 19 November<br />
Awards Ceremony - 2 December<br />
APTs<br />
HOW TO DISRUPT THE KILL-CHAIN<br />
IT MIGHT TAKE ONLY MINUTES FOR A CYBERCRIMINAL TO BREAK<br />
INTO YOUR NETWORK - SO HOW DO YOU ENSURE THEY NEVER<br />
GET THAT FAR?<br />
From cyber criminals who seek personal<br />
financial information and intellectual<br />
property to state-sponsored cyber<br />
attacks designed to steal data and<br />
compromise infrastructure, today's advanced<br />
persistent threats (APTs) can sidestep cyber<br />
security efforts and cause serious damage to<br />
your organisation. A skilled and determined<br />
cyber criminal can use multiple vectors and<br />
entry points to navigate around defences,<br />
breach your network in minutes and evade<br />
detection for months. APTs present a massive<br />
challenge for organisational cyber security<br />
efforts.<br />
"While traditional cybersecurity measures<br />
are effective for dealing with opportunistic<br />
cybercrime, they are not enough to protect<br />
organisations against APT attacks," says David<br />
Emm, principal security researcher, Kaspersky.<br />
"Rather, it's essential to deploy a specific<br />
anti-targeted attack solution that is able<br />
to proactively monitor the network and<br />
combines extended detection and response<br />
capabilities - combining in-depth<br />
investigation, threat hunting and central<br />
management and co-ordination.<br />
360-DEGREE VIEW<br />
"Counteracting modern cyber-threats also<br />
requires a 360-degree view of the TTPs<br />
[Tactics, Techniques and Procedures] used by<br />
advanced threat actors. While the TTPs of<br />
some APT threat actors remain consistent<br />
over time, others refresh their toolsets and<br />
infrastructure, and extend the scope of<br />
their activities. Nevertheless, it's difficult<br />
for attackers to completely change their<br />
behaviour and methods during attack<br />
execution - so identification and analysis of<br />
these patterns promptly helps organisations<br />
deploy effective defensive mechanisms in<br />
advance, thereby disarming attackers and<br />
disrupting the kill-chain," states Emm.<br />
"That's why it's important to harness the<br />
benefits of threat intelligence, to track threat<br />
actors and uncover the most sophisticated<br />
and dangerous targeted attacks across<br />
the world. This will enable organisations<br />
to proactively deploy effective threat<br />
detection and risk mitigation controls<br />
for the associated campaigns - across<br />
enterprises, financial services businesses,<br />
government organisations and managed<br />
security service providers."<br />
Organisations that rely solely on defence-in-depth,<br />
firewalls and antivirus risk leaving<br />
themselves open to cyber-attacks, especially<br />
given how massive an undertaking tracking,<br />
analysing, interpreting and mitigating<br />
constantly evolving IT security threats is.<br />
"Enterprises across all sectors are facing a<br />
shortage of the up-to-the-minute, relevant<br />
data they need to help manage the risks<br />
associated with IT security threats, due to:<br />
real threats being buried among thousands<br />
of insignificant alerts; poor incident<br />
prioritisation; inadequate internal funding<br />
due to poor risk visibility; undiscovered, but<br />
active, threats lurking within an organisation;<br />
unknown attack vectors being missed;<br />
and companies pursuing a security strategy<br />
that's not aligned with the current threat<br />
landscape," he cautions.<br />
"Even sophisticated APT threat actors<br />
typically gain an initial foothold by using<br />
social engineering to trick staff into doing<br />
something that jeopardises corporate security<br />
- eg, clicking on a malicious link - so it's vital<br />
to find imaginative ways to 'patch' the<br />
organisation's human resources. This means<br />
identifying risky behaviours and developing<br />
a plan for reshaping people's behaviour. The<br />
ultimate goal should be to develop a security<br />
culture that encompasses digital and real-world<br />
behaviour - and extends into how staff<br />
operate when at home or when travelling.<br />
Purpose-built online security awareness<br />
platforms can help with this."<br />
INFILTRATION<br />
"Using Advanced Persistent Threats, threat<br />
actors utilise various methods to infiltrate<br />
targeted networks," says Bindu Sundaresan,<br />
director at AT&T Cybersecurity. Some of the<br />
standard attack methods she points out<br />
include:<br />
Social engineering: the attackers employ<br />
manipulative means to obtain confidential<br />
information. This includes phishing<br />
attacks, pretexting, tailgating, and other<br />
means to enter the targeted network<br />
Zero-day attack: the attackers profit<br />
from a security flaw in software before<br />
a security patch is made or installed<br />
Supply chain attack: the attackers exploit<br />
vulnerabilities within the supply chain.<br />
These may be commercial partners and<br />
suppliers who are connected to the<br />
targeted network<br />
Use of backdoors: the attackers exploit<br />
undocumented access to software or use<br />
malware to install backdoors that<br />
bypass authentication.<br />
The defence-in-depth model needs to<br />
evolve to stay relevant by adopting<br />
automated security and a zero-trust model,<br />
she points out. "With this model, security<br />
teams can scale their efforts in the<br />
constantly-changing world of cybersecurity.<br />
There are different levels of traditional<br />
cybersecurity tools, such as firewalls,<br />
antivirus, and defence in depth (IPS, IDS),<br />
which aren't enough against an attack by<br />
an APT. Still, they are necessary as essential<br />
foundational must-haves from a security<br />
standpoint. Advanced security consisting of<br />
network devices with sandboxing systems,<br />
new generation SIEM, EDR and subscriptions<br />
to cyber intelligence services are essential to<br />
detect and respond to attacks of the APT<br />
magnitude. Early detection of APT attacks<br />
is critical for successful mitigation before<br />
networks are compromised and sensitive<br />
data is exposed."<br />
"APT is a multi-faceted attack and defences<br />
must include multiple techniques, such<br />
as email filtering, endpoint protection,<br />
privileged access management, and visibility<br />
into the traffic and user behaviour," continues<br />
Sundaresan, expanding on these as follows:<br />
Email filtering: "Most APT attacks leverage<br />
phishing to gain initial access. Filtering<br />
emails, and blocking malicious links or<br />
attachments within emails, can stop these<br />
penetration attempts."<br />
Endpoint protection: "Most APT attacks<br />
involve the takeover of endpoint devices.<br />
Advanced anti-malware protection and<br />
Endpoint Detection and Response can help<br />
identify and react to compromise of an<br />
endpoint by APT actors."<br />
Access control and Privileged Access<br />
Management: "Strong authentication<br />
measures and close management of user<br />
accounts, with a particular focus on<br />
privileged accounts, can reduce APT risks."<br />
Monitoring of traffic, user and entity<br />
behaviour: "Visibility and monitoring can help<br />
identify penetrations, lateral movement and<br />
exfiltration at different stages of an APT<br />
attack."<br />
As the definition of APT implies success<br />
against you and your organisation, never has<br />
detection and response been so important,<br />
she concludes. "Preparation is paramount;<br />
the fight against APT is a continuous effort,"<br />
she warns. "Organisations need to become<br />
aware of the nature of these attacks, and the<br />
types of effective practices and technologies<br />
that can help to combat them."<br />
MURKY DEPTHS<br />
For years, threat actors, like nation states and<br />
cybercriminals, had distinct motivations and<br />
different tools, comments Sam Curry, chief<br />
security officer, Cybereason. "Nation states, or<br />
'advanced persistent threats' as we called<br />
them, moved like submarines, stalking ships<br />
in the waters of target networks, carrying out<br />
the policies of their governments and<br />
providing asymmetric options, aside from the<br />
normal diplomatic, economic, and military<br />
strategies and tactics.<br />
"By contrast, the fight against cybercriminals<br />
more resembled battleship warfare than<br />
submarine. The motivation among criminals<br />
was profit and, as such, it was about<br />
maximising the number of victims and<br />
wringing every drop from an infection for as<br />
long as possible. Even in the old days, the<br />
security industry was not up to the task of<br />
stopping either the malicious operations of<br />
nation states or the smash-and-grab theft<br />
of cybercriminals."<br />
Sam Curry, Cybereason: nation states moved<br />
like submarines, stalking ships in the waters<br />
of target networks.<br />
Bindu Sundaresan, AT&T Cybersecurity: the<br />
defence-in-depth model needs to evolve to<br />
stay relevant.<br />
David Emm, Kaspersky: it's essential to<br />
deploy a specific anti-targeted attack<br />
solution.<br />
The silver lining, however, adds Curry, is<br />
the emergence of endpoint detection and<br />
response (EDR), which is often mistaken<br />
for a mere extension of existing endpoint<br />
protection technologies like antivirus or<br />
personal firewalls. "It is a tool for finding the<br />
advanced operations and provides the<br />
hunter-killer options for the cyber conflicts<br />
being waged on corporate and government<br />
networks. EDR has evolved first into<br />
managed detection and response (MDR),<br />
providing the men and women behind<br />
screens in managed services, and into<br />
extended detection response (XDR), uplifting<br />
the telemetry recording from formerly<br />
ubiquitous endpoints to the transformed<br />
enterprise of SaaS, Cloud Infrastructure and<br />
beyond."<br />
Fast forward to today, and the dark side<br />
ecosystem is very different, he states.<br />
"The attackers have not slowed down and<br />
have, in fact, evolved at a faster rate than<br />
defenders have, except perhaps among the<br />
most sophisticated defenders. Not only<br />
are they attacking the newer infrastructure<br />
associated with SaaS services, but they are<br />
now targeting the new IT stack in the form<br />
of IaaS and PaaS compromise. In the last<br />
five years, the lines among attackers have<br />
become more blurred, with sharing of tools<br />
and relationships that mirror the alliances,<br />
investments and partnerships of the more<br />
normal and legitimate industries."<br />
MIXED MOTIVES<br />
Further, the motivations for each actor have<br />
become less distinct, adds Curry, "with nation<br />
states pursuing currency, in the case of North<br />
Korea, fostering ransomware, in the case<br />
of Russia, and development of supply chain<br />
compromises, in the case of Russia and<br />
China, to name just a few".<br />
The most insidious examples, he says, are two<br />
developments of the last six months.<br />
"The first is ransomware, which is really a<br />
combination of the old APT-style delivery<br />
mechanism through stealthy submarine-like<br />
operations, but doing so for profit. The<br />
second and most recent is evident in<br />
the recent Kaseya attack: supply chain<br />
compromise for the purpose of delivering<br />
ransomware as the payload. This is a killer<br />
combination."<br />
This, he points out, is why the recent White<br />
House Executive Order mandates EDR (or MDR<br />
or XDR) for the US Federal government. "Having a<br />
means of finding the attacks as they move<br />
in the slow, subtle, stealthy way through<br />
networks isn't an option. This class of tool<br />
isn't the be-all and end-all, but it's at the top<br />
of the toolkit, along with more advanced<br />
prevention, building resilience, ensuring that<br />
the blast radius of payloads is minimised and<br />
generally using peace time to foster antifragility.<br />
The most significant takeaway: it's<br />
not about who we hire or what we buy. It's<br />
about how we adapt and improve every day."<br />
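The "slow, subtle, stealthy" movement Curry describes is what an EDR or XDR analyst hunts for in endpoint telemetry. The script below is an added illustration of one such hunt, written for this page rather than taken from the article or from Cybereason's products: it groups outbound connections by host, process and destination and flags the groups whose inter-connection intervals are long and near-identical, the shape of a command-and-control beacon, while interactive traffic is bursty. The telemetry lines, host name, process names and addresses are all constructed for the example.<br />

```python
"""Added example, not from the article or Cybereason's products.

One hunt an EDR/XDR analyst runs over endpoint network telemetry to find
'low and slow' movement: a process that contacts the same destination at
long, near-identical intervals (a C2 beacon) while interactive traffic is
bursty and irregular. Telemetry, hosts, processes and addresses are all
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed telemetry: one connection event per line,
# "<utc-timestamp> <host> <process> <destination:port>".
TELEMETRY = """\
2021-09-01T09:00:00Z ws-17 updatesvc.exe 203.0.113.45:443
2021-09-01T09:00:10Z ws-17 outlook.exe 198.51.100.10:443
2021-09-01T09:01:30Z ws-17 outlook.exe 198.51.100.10:443
2021-09-01T09:05:00Z ws-17 chrome.exe 198.51.100.20:443
2021-09-01T09:05:01Z ws-17 chrome.exe 198.51.100.20:443
2021-09-01T09:05:03Z ws-17 chrome.exe 198.51.100.20:443
2021-09-01T09:10:00Z ws-17 teams.exe 198.51.100.30:443
2021-09-01T09:11:00Z ws-17 teams.exe 198.51.100.30:443
2021-09-01T09:12:00Z ws-17 teams.exe 198.51.100.30:443
2021-09-01T09:13:00Z ws-17 teams.exe 198.51.100.30:443
2021-09-01T09:14:00Z ws-17 teams.exe 198.51.100.30:443
2021-09-01T09:14:00Z ws-17 outlook.exe 198.51.100.10:443
2021-09-01T09:15:05Z ws-17 outlook.exe 198.51.100.10:443
2021-09-01T09:30:05Z ws-17 updatesvc.exe 203.0.113.45:443
2021-09-01T09:59:58Z ws-17 updatesvc.exe 203.0.113.45:443
2021-09-01T10:30:03Z ws-17 updatesvc.exe 203.0.113.45:443
2021-09-01T10:40:00Z ws-17 outlook.exe 198.51.100.10:443
2021-09-01T11:00:00Z ws-17 updatesvc.exe 203.0.113.45:443
"""

Event = Tuple[datetime, str, str, str]


def parse_telemetry(text: str) -> List[Event]:
    """Parse the constructed line format; malformed lines are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2], parts[3]))
    return events


def beacon_candidates(events: List[Event], min_hits: int = 4,
                      min_interval_s: float = 300.0, max_cv: float = 0.1) -> List[Dict]:
    """Group by (host, process, destination) and score how regular the gaps
    between connections are. A low coefficient of variation (stdev/mean) over
    a long mean interval is the beacon shape; min_interval_s keeps ordinary
    short-period application heartbeats out of the result."""
    by_key: Dict[Tuple[str, str, str], List[datetime]] = defaultdict(list)
    for ts, host, proc, dest in events:
        by_key[(host, proc, dest)].append(ts)

    findings = []
    for (host, proc, dest), stamps in by_key.items():
        if len(stamps) < max(min_hits, 2):   # need at least one gap
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_interval_s:
            continue
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({"host": host, "process": proc, "dest": dest,
                             "hits": len(stamps), "mean_interval_s": avg, "cv": cv})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in beacon_candidates(parse_telemetry(TELEMETRY)):
        print(f"{f['host']} {f['process']} -> {f['dest']}: {f['hits']} hits "
              f"every ~{f['mean_interval_s']:.0f}s (cv={f['cv']:.3f})")
```

On the constructed data only the half-hourly connections from updatesvc.exe are reported; the one-minute heartbeats from teams.exe are equally regular but fall under the 300-second floor, which is the knob a hunter tunes against known application noise, and the mail and browser traffic fails the regularity test. A real beacon adds random jitter, so the tolerance (max_cv) has to be set from what the environment's own telemetry looks like rather than guessed.<br />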
HIGHLY TARGETED<br />
The worst APTs - or the best APTs, depending<br />
on which side of the fence you're on - are<br />
highly targeted, comments Richard Walters,<br />
CTO of Censornet. "They are painstakingly<br />
researched and crafted with the exact target<br />
environment in mind. In any security<br />
ecosystem consisting of numerous point<br />
products, there will be some that are not<br />
fully integrated - even those that are multilayered<br />
and provide defence-in-depth. This<br />
means there will be security gaps."<br />
APTs are written to relentlessly persist until<br />
those gaps are found and access is gained,<br />
he adds. "VPNs from Pulse Secure, Fortinet<br />
and Palo Alto Networks, as well as VMware's<br />
ESXi Hypervisor, SolarWinds Orion and<br />
O365, have all been targeted. And<br />
compromised.<br />
"APTs are often so intricately coded to the<br />
target network that they can only have been<br />
designed and written by well-funded,<br />
well-organised entities, such as a foreign<br />
government, a criminal gang or large<br />
enterprise. These need not be mutually<br />
exclusive. Governments will use criminal<br />
organisations to carry out cyber espionage,<br />
enabling them to exercise plausible<br />
deniability. There is an ever-growing body<br />
of evidence for state and criminal actor cooperation<br />
and cross-over.<br />
"Whilst you must be an extremely attractive<br />
and otherwise impenetrable target for state<br />
or criminal actors to use a true zero-day<br />
exploit against you," comments Walters<br />
[given that they cost low single digit millions<br />
of dollars], "customised malware variants<br />
may often form part of an APT, using string<br />
obfuscation to avoid detection by traditional<br />
anti-malware tools. Sandboxing helps -<br />
although not all sandboxes are the same -<br />
but sandbox use is often limited to the email<br />
security channel."<br />
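Walters's point about string obfuscation is easy to see in code. The script below is an added illustration written for this page, not code from the article or from Censornet: a scanner keyed on plaintext indicator strings misses an XOR-encoded copy of the same string; a scanner that tries every single-byte XOR key (the approach YARA's `xor` string modifier takes) recovers it; and a multi-byte key defeats that too, which is where the runtime view a sandbox gives, after the malware has decoded the string in memory, earns its keep. The indicator strings, the filler and the sample blob are constructed for the example.<br />

```python
"""Added example, not from the article or any vendor quoted in it.

Shows why string obfuscation defeats plaintext signatures, how a
single-byte XOR brute force (as YARA's `xor` modifier does) gets them
back, and why a longer key pushes detection to runtime/sandbox visibility.
Signatures, filler and samples are constructed for illustration.
"""
from typing import Iterable, List, Optional, Tuple

# Constructed indicator strings a signature engine keys on.
SIGNATURES: Tuple[bytes, ...] = (b"cmd.exe /c", b"powershell -enc", b"Invoke-Mimikatz")

# Constructed filler so the blob looks like a binary's string section.
FILLER = b"This program cannot be run in DOS mode.\x00KERNEL32.dll\x00GetProcAddress\x00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call decodes."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample(payload: bytes, key: Optional[bytes]) -> bytes:
    """Fake binary: filler around the payload string, stored XOR-encoded when
    a key is given (the malware decodes it in memory just before use)."""
    stored = xor_bytes(payload, key) if key else payload
    return FILLER + stored + b"\x00" + FILLER


def static_scan(blob: bytes, signatures: Iterable[bytes] = SIGNATURES) -> List[bytes]:
    """Naive engine: plain substring search for each plaintext indicator."""
    return [sig for sig in signatures if sig in blob]


def xor_aware_scan(blob: bytes,
                   signatures: Iterable[bytes] = SIGNATURES) -> List[Tuple[bytes, int]]:
    """Try all 256 single-byte keys by encoding the *signature* and searching
    for that, rather than decoding the whole blob 256 times. Returns
    (signature, key) pairs; key 0 means the string was stored in clear."""
    hits = []
    for sig in signatures:
        for key in range(256):
            if xor_bytes(sig, bytes([key])) in blob:
                hits.append((sig, key))
    return hits


if __name__ == "__main__":
    payload = b"cmd.exe /c whoami"
    for label, key in (("clear", None), ("1-byte key", b"\x5a"), ("3-byte key", b"\x5a\x13\xc4")):
        blob = build_sample(payload, key)
        print(f"{label:11s} static={static_scan(blob)} xor_aware={xor_aware_scan(blob)}")
```

The single-byte brute force costs 256 substring searches per signature, which is why engines can afford it; once the key is longer than a byte or the encoding is anything other than XOR, the static scanner has nothing to match and the string only exists in clear after the sample runs, which is the sandbox channel Walters notes is often limited to email.<br />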
APTs may also consist of multiple layers.<br />
"Too often, an initial threat or infection that<br />
appears to be known and straightforward is<br />
identified, the infected endpoint is cleaned,<br />
rather than subjected to a complete, bare<br />
metal install, and the infosec team moves on.<br />
One month later, the next APT layer activates<br />
and it is harder to detect using standard<br />
security tools. A low and slow approach is<br />
often more successful."<br />
Pragmatic and experienced risk management professionals<br />
Xcina Consulting is committed to providing high quality risk assurance and advisory services informed by<br />
many years of lived client experiences.<br />
For over 10 years, our clients have enlisted our services to design, assess, test and implement risk<br />
management frameworks in key areas of the organisation, ensuring compliance with best practice,<br />
industry standards, laws and regulations.<br />
We support all organisations with challenging and complex requirements to effectively manage their risks<br />
to realise value.<br />
Our pragmatic, well qualified and experienced consultants design targeted solutions suited to our clients’<br />
specific requirements. No generic templates from us.<br />
We are accredited by the Payment Card Industry’s Security Standards Council as a Qualified Security<br />
Assessor (QSA) company and are a British Standards Institution (BSI) Platinum member for the provision of<br />
ISO27001 (Information Security) and ISO22301 (Business Continuity) services.<br />
Our Core Services:<br />
• Operational Resilience<br />
• Business Continuity and Crisis Management<br />
• Information Security / Cyber Security<br />
• IT and OT Security<br />
• Payment Card Industry<br />
• Enterprise Risk Management<br />
• Due Diligence<br />
• Internal Audit<br />
• Process Improvement<br />
• Third Party Management (including outsourcing)<br />
• Regulatory Compliance (FCA, PRA)<br />
• Data Protection<br />
• Project and Change Management<br />
• Internal Controls Assurance (ISAE3402, SSAE18, SOX)<br />
Xcina Consulting<br />
1 King William Street | London | EC4N 7AF | E info@xcinaconsulting.com | T 020 3985 8467 | xcinaconsulting.com