CS Sep-Oct 2021

Computing
Security
Secure systems, secure data, secure people, secure business
PULSATING TIMES
Health check on warding off
a cyber security attack
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
CHIMES OF FREEDOM
As COVID strictures ease, data
vigilance remains vital
WEIGHTY OUTCOMES
The top 30 vulnerabilities
all highlighted and shared
QUANTUM LEAPS AND BOUNDS
Current digital infrastructure
on verge of being obliterated
Computing Security September 2021

WARNING
MICROSOFT 365 LETS
RANSOMWARE & PHISHING
SLIP THROUGH!
THREAT
MONITOR
START MONITORING YOUR
M365 FOR FREE

comment
2021 COMPUTING SECURITY AWARDS.... WILL BE LIVE!
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
After what seems like an eternity of lockdown, we can finally make the announcement:
the Computing Security Awards are back to their full glory and live for 2021!
The pandemic forced a rethink in 2020, with the much-feted gala occasions that we have
all come to know and love so well sadly set to one side and the actual awards themselves
having to be carried out remotely. Yet, such is their enduring impact, they were still a huge
success, with the distant popping of the champagne corks in the offices of the winners widely
reported in the aftermath.
So, it is my pleasure and delight to announce that the 2021 Computing Security Awards
ceremony will once again be held before a living, breathing, up-close audience.
But before that day is upon us, we need the help of you, our readers, in deciding who will make
it into this year's final, with the prospect of claiming the top prizes. So, tell us which companies
have helped to secure your organisation's digital infrastructure over the past year? What cyber
security products/services have impressed you most? Who came to your aid when remote
working threatened to bring your systems to a grinding halt?
Go to the awards nominations page now - computingsecurityawards.co.uk - and choose those
companies, products and services you feel deserve the highest recognition for how they have
performed over the last 12 months.
The nominations phase will remain open until Friday, 24 September, but please make your
choices now - time soon flies by and we don't want to miss out on your selections.
Then, with our shortlists compiled for all of the awards categories, we will all 'dress to impress'
for the grand climax itself, when the winners and runners-up are revealed at the Computing
Security Awards Ceremony in London on Thursday, 2 December, 2021.
Yes, it's back - and it's live!
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
Lyndsey Camplin
(lyndsey.camplin@btc.co.uk)
+ 44 (0)7946 679 853
Stuart Leigh
(stuart.leigh@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2021 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk September 2021 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security September 2021
contents
CONTENTS
Computing
Security
PULSATING TIMES
Health check on warding off
a cyber security attack
WEIGHTY OUTCOMES
The top 30 vulnerabilities
all highlighted and shared
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
CHIMES OF FREEDOM
As COVID strictures ease,
data vigilance remains vital
COMMENT 3
Our 2021Awards will be LIVE!
QUANTUM LEAPS AND BOUNDS
Current digital infrastructure
on verge of being obliterated
ARTICLES
FAME REACHES OUT 6
Jeffrey Carpenter and (posthumously) Dan
Kaminsky have been inducted into FIRST's
Incident Response Hall of Fame.
ADDING MFA TO WINDOWS LOGON 8
Authentication to the laptop or the server
itself can often be overlooked, cautions
SecurEnvoy's Michael Urgero
MORE THAN A ROLL OF THE DICE 14
Making assumptions can be a big mistake
- yet sometimes it can pay off handsomely,
as with information security, says Paul
Harris, Managing Director, Pentest Limited
QUANTUM LEAPS - AND BOUNDS 18
CYBER DEFENCES CHALLENGED 16
The time to prepare for a safe quantum
When Cheshire and Merseyside Health
computing future is now, argues Chris
and Care Partnership wanted to see how
it would stand up to a cyber-attack, it
Erven, CEO, KETS Quantum Security. Why?
asked Gemserv Health to test its defences
Because we don't go 30 seconds without
touching digital technology of some kind,
PRIVACY PAYOFF: CHAMPIONING
all of which is networked, none of which
DATA VIGILANCE POST-PANDEMIC 24
is quantum-safe, he points out.
Educating consumers on data security is
very important, but individuals must play
their part, too, points out David Emm,
principal security researcher at Kaspersky
PROTECTING BUSINESS DATA IN A
CRUISING FOR A BRUISING 21
TIME OF 'WORK FROM ANYWHERE' 26
Carnival Cruises suffering four data
Carmen Oprita of Endpoint Protector by
breaches in 15 months flags up what
CoSoSys looks at the many outsider and
tempestuous waters the travel industry can
insider threats that can damage businesses
- and how they can fight back
sail in. But why do many organisations fail
to protect their systems and information,
CYBER AGENCIES START TO FLEX
and fall victim to repeated breaches?
THEIR COLLECTIVE MUSCLES 28
International allies share details of the
top 30 vulnerabilities that were routinely
exploited by malicious actors in 2020
HOW TO DISRUPT THE KILL-CHAIN 32
ADISA SETS THE STANDARD 30
Top cyber criminals can swiftly navigate
ADISA Asset Recovery Standard 8.0
has been formally approved by the
around your defences, breach your
UK Information Commissioner's Office
network in minutes and evade detection
for months. Advanced persistent threats
WE WANT YOUR AWARDS VOTES! 31
(APTs) present a massive challenge - but
It's time to select your top performers for
what is the most effective way forward?
the Computing Security Awards 2021
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk
4
FIGHTING RANSOMWARE WAR 10
In the first six months of this year alone,
global ransomware volume reached an
unprecedented 304.7 million attempted
attacks. Stopping ransomware groups is no
small task. The scale of the economy behind
these groups is significant, with many
boasting corporate structures of their own

There’s a difference between
feeling secure & knowing
you're secure.
Information Security Advice
Penetration Testing
Adversary Simulation
www.pentest.co.uk

industry honours
FAME REACHES OUT
INDUSTRY STALWARTS INDUCTED INTO HALL OF FAME
Jeffrey Carpenter has dedicated more
than 30 years to improving the state of
information security.
Dan Kaminsky: best known for his work
finding a critical flaw in the Internet's
Domain Name System (DNS).
Jeffrey Carpenter and (posthumously)
Dan Kaminsky are the latest to be
inducted into FIRST's Incident Response
Hall of Fame. They join past inductees Ian
Cook, Don Stikvoort and Klaus-Peter
Kossakowski.
Jeffrey Carpenter has dedicated more
than 30 years to improving the state of
information security. In 1995, he joined the
CERT Coordination Center at Carnegie
Mellon University's Software Engineering
Institute, initially as an incident response
analyst, then five years later managing
more than 50 technical individuals.
He was instrumental in helping the
US Department of Defence and the US
Department of Homeland Security create
teams to exchange incident information
and indicators between government and
critical infrastructure organisations. He also
worked closely with the US Department of
Homeland Security on the formation of
US-CERT, the national computer security
incident response team (CSIRT) for the
United States.
NATIONAL INCIDENT RESPONSE
Carpenter helped many other governments
and regional organisations around the
world establish national incident response
capabilities. He founded a successful
annual conference for technical staff
working for CSIRTs with national
responsibility to promote collaboration
among these organisations. His active
involvement in the incident response
community over the years has included
presenting in various forums, and serving
on Forum of Incident Response and Security
Teams (FIRST) committees and working
groups. He is currently the Secureworks
senior director of Incident Response
Consulting and Threat Intelligence.
"I am humbled by this honour," said
Carpenter. "This recognition also reflects
the efforts of my former colleagues at the
CERT Coordination Center to advance the
incident response community, for I could
not have had any success without them. In
addition, it is a privilege to be inducted
with my friend Dan Kaminsky, whose work
in incident response and product security
impacted so many people. We miss him
dearly."
INSPIRATIONAL HUMAN BEING
Dan Kaminsky (1979-2021) was a noted
American security researcher - best known
for his work finding a critical flaw in the
Internet's Domain Name System (DNS)
and leading what became the largest
synchronised fix to the Internet
infrastructure of all time in 2008. He
was also known for being a great human
being - helping colleagues, friends and
community members attend events,
working on many health apps, assisting
colour-blind people, hearing aid technology
and telemedicine, and fighting as a privacy
rights advocate. His ethos was to do things
because they were the right thing to do,
not because they would elicit financial gain.
Kaminsky was co-founder and chief
scientist of WhiteOps (recently renamed
Human) and spent his career advising
several Fortune 500 companies, such as
Cisco, Avaya and Microsoft on their
cybersecurity. In addition, he spent three
years working with Microsoft on their
Vista, Server 2008 and Windows 7 releases.
6
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

ADISA ICT Asset Recovery Standard 8.0
is formally approved by the UK ICO
(Approval ICO – CSC/003 and ICO – CSC/004)
Use an ADISA Certified company to be assured of UK GDPR compliance
when disposing of your IT assets.
Visit adisa.global to find out more
Want to know how to retire assets
so you can promote reuse AND meet
data protection legislation?
ADISA offers a range of training courses all presented by
leaders in the field, including a brand-new course which helps
data controllers write an asset retirement program to achieve
the objective of meeting sustainability and security targets.
Visit adisa.global/training to find out more

MFA and Windows
ADDING MULTI-FACTOR
AUTHENTICATION TO WINDOWS LOGON
ONE KEY AREA OF SECURITY THAT CAN OFTEN BE OVERLOOKED
IS THE AUTHENTICATION TO THE LAPTOP OR THE SERVER ITSELF.
PROTECTING THESE CORPORATE ASSETS IS AN URGENT ISSUE,
CAUTIONS SECURENVOY'S MICHAEL URGERO
SecurEnvoy Windows Logon Agent.
Michael Urgero, SecurEnvoy: his
company's solution protects the
Windows Logon process with true
multi-factor authentication.
Look at how far we've come over the
years. The introduction and mainstream
use of virtualisation in the data centre,
cloud and the 'work from anywhere' has
sparked some amazing opportunities, from
the rapid development of business ideas to
remotely supporting critical systems and
customers. Not all that long ago, we were
a much more analogue group, much more
manual and hands-on in our methods.
Coming with the high-speed rush of new
technologies that are fully intended to make
lives easier, there are also new security
threats to care for and consider. We've gone
to great lengths to ensure that our
employees have easy and secure access to
the business, and that our system operators
can keep those systems running. Have we
done enough? How will we know? These are
some of the things on the minds of IT execs,
as they lay awake into the night.
WHERE THE ACTION IS
One of the parts that's often missed is the
authentication to the laptop or the server
itself. The desktop interface of these devices
is where all the action is and it should be just
as secure. New virtualised, cloud and hybrid
solutions make accessing these devices
almost an entirely remote affair. Apart from
accessing your laptop directly, everything else
you do in a day is pretty much done on
systems elsewhere.
One could argue that Microsoft simply
doesn't do enough with its traditional
username and password and, what's more;
Windows Hello is difficult to deploy, manage
and has its own share of issues; ask any help
desk administrator and you'll get an ear full.
URGENT CHALLENGE
Securing these corporate assets is an urgent
issue and our customers know that. Our
solution comes complete with our integrated
SecurEnvoy Windows Logon Agent. Our
solution installs directly on the laptop or
server and protects the Windows Logon
process with true multi-factor authentication.
By doing this, verification of the
username and password is challenged
and verified with the trust of multi-factor
authentication quickly and easily.
Some of our customers have deployed our
SecurEnvoy Windows Logon Agent to all
corporate end-point devices as well as all
servers in the data center, both physical
and virtual to assure the identity of
employees as they authenticate.
PROMPT ACTION!
The initial prompt is the same as it always
has been, asking for a username and
password. You are immediately prompted
for the multi-factor token, which is available
in a variety of methods. Everything from
push notifications to a mobile device, SMS
messaging, physical tokens or manual entry
to name just a few.
The same agent would be loaded on both
Windows 7/10 devices and Windows Servers
as well from Microsoft Windows Server 2008
forward. This software can be distributed
using any of the common methods, from
Active Directory to third party deployment
tools and best of all, works when devices are
completely off-line.
For more details, and to get a demo and
talk about our solutions, feel free to give us a
call. Be sure. Be Confident. SecurEnvoy.
8
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

UNIQUE EVENT FOR THE
CYBER SECURITY SECTOR
4th November 2021
Hilton London Canary Wharf
The Security IT Summit is a hybrid
event which continues to follow the
award-winning structure of
pre-arranged one-to-one meetings
between IT and Cyber Security
professionals, and leading industry
solution providers.
Virtual attendance options are
available.
Free for industry buyers to attend.
James Howe
01992 374096
j.howe@forumevents.co.uk
securityitsummit.co.uk

ansomware
FIGHTING THE RANSOMWARE WAR
IN THE FIRST SIX MONTHS OF 2021, GLOBAL RANSOMWARE VOLUME
REACHED AN UNPRECEDENTED 304.7 MILLION ATTEMPTED ATTACKS
Ransomware attacks are becoming
increasingly devastating to companies.
Not only do they inflict massive
disruptions to operations, but criminals
are also asking for ever-larger ransoms to
unlock the encrypted files and machines hit
by the attacks.
"Throughout the last months, statesponsored
ransomware attacks inflicting
damage on critical infrastructure have
dominated the headlines," points out
LogPoint CTO Christian Have. "JBS recently
paid 11 million dollars following an attack
that shut down all the companies' US beef
plants. Just before that, an attack paralysed
Ireland's health services for weeks in the
middle of a pandemic. The attack happened
in the wake of the Colonial Pipeline attack
that caused fear of gas shortages. CNA
Financial, one of the largest insurance
companies in the US, reportedly paid 40
million dollars to get access to its files and to
restore its operations, making it the largest
reported ransom paid to date. In comparison,
40 million dollars is more than most
companies spend on their cybersecurity
budget - it is even more than what many
companies spend on their entire IT budget."
DEFENCES MUST BE BOLSTERED
Due to the surges in state-sponsored
ransomware attacks in the US and Europe,
many government institutions, including
the White House, have urged companies
to bolster their defences to help stop the
ransomware groups, he adds. "The G7 group
has called on Russia, in particular, to identify,
disrupt and hold to account those within its
borders who conduct ransomware attacks
and other cybercrimes. One of the few
outcomes of the Biden-Putin summit is
an agreement to consult on cybersecurity.
However, the agreement is ambiguous
without any specific actions."
The ransomware ecosystem explained - a
ransom payout isn't always the end goal
Stopping ransomware groups is no small
task. The scale of the economy behind these
groups is significant. Many active groups
have corporate structures, with roles and
responsibilities that mirror regular software
development organisations.
These criminal organisations are well-funded
and highly motivated to develop their attacks
- but their revenue streams do not begin or
end with victims paying up a ransom, he
stresses. Have points to "an entire
ransomware ecosystem, capitalising on
successfully executing attacks", such as:
Groups selling access to platforms that
deliver end-to-end ransomware-as-aservice
for other groups to use
Brokers that deliver teams of highly
specialised developers that can build
and deploy malware. "Think of this as
malware recruiting"
Certain groups only gain access to
corporate networks. They will not
actively disrupt the operations or demand
ransom; instead, they sell access to victims
for other groups to capitalise on
The increasing sophistication of ransomware
groups has led many organisations to
implement a multitude of tools to help detect
and prevent attacks. But what really works?
10
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

ansomware
BASIC SECURITY IS ESSENTIAL
"For the last 15 years, CISOs, security
operations teams and security vendors have
put a significant focus on complex attacks
and staying on top of the cutting edge of
what adversaries can do. For example, the
malicious computer worm Stuxnet launches
extremely advanced campaigns. The result is
that a lot of organisations have a relatively
extensive portfolio of advanced
technologies. These technologies are
expensive, complex to use and even more
complex to integrate with each other and
the surrounding security ecosystem."
The Colonial Pipeline breach happened
because a remote access platform failed to
enforce or require multi-factor authentication,
Have states. "Combined with
a shared password used among several
users, attackers found a way into the
infrastructure. Advanced detection tools are
not meant to detect such basic mistakes.
Failing to cover the basics - patching, secure
configurations or following best practices -
is a pattern repeating itself in many of the
recent attacks. It is not without reason
that every authority on cybersecurity has
patching and baselining configurations
as some of the first recommendations for
companies to strengthen their cybersecurity
efforts."
So, why are companies not just patching
everything, implementing the Zero Trust
model and forcing multi-factor authentication
everywhere? Especially when the
most considerable material risk to the
operations and existence of the organisation
is a ransomware attack? "IT operations
is hard," Have responds. "The security
operations team, IT operations team and
enterprise risk management team often
have siloed thinking with different objectives
and incentives. Aligning activities and goals
across various departments is, without
a doubt, part of the problem." One of the
things LogPoint hears from its customers is
that they need a unified overview of the
technical risk aspects. "Implementing a unified
solution, such as ZeroTrust orchestration
or XDR is complex and, in many cases,
expensive. Some of our customers are turning
to fewer vendors and relying on open
standards - for example, MITRE for a
taxonomy of attacks, MISP
to share threat observations and YARA to
identify malware indicators to offload some
of the headaches of aligning different
departments' ways of working."
STRENGTHENING RANSOMWARE
DEFENCES AND DETECTION
LogPoint can help organisations align
detection and response activities, comments
Have. "LogPoint ingests log data, which
security teams can use to easily detect
ransomware variants like FiveHands, Egregor
or Ryuk. The REvil group that hit JBS uses
a tactic to delete Shadow Copies before
encryption. Deleting Shadow Copies makes a
restore significantly more difficult. LogPoint
can immediately detect deletion of Shadow
Copies by looking for the following
command across all log sources:"
Ingesting log data allows analysts to
interrogate systems for more information
about known issues, such as detected
vulnerabilities, deviations from best practices
or enterprise policies. "However, combining
log data with vulnerability data, configuration
compliance and more advanced interrogation
of the system, we can uncover the unknown
issues by formulating more exact risk scores
of the infrastructure and its components."
"With the risk scores nailed down, we are
currently working on coupling indicators of
ransomware, such as the deletion of Shadow
Copies, with threat intelligence and malware
research to identify documented adversarial
techniques. The goal is that the system can
conclude the type of ransomware group or
variant, so we are more prepared to deal with
and respond to the threat. Our system uses a
combination of natural language processing
and machine learning to connect the dots.
"We are also working with our customers on
building the final step - automating and
orchestrating the response with situational
awareness and understanding of the next
phase of the attack. We have small agents
deployed on our customers' machines that
can enforce policies, disconnect machines
from networks and otherwise act based on
how security operators want to approach
a potential issue."
ENDING THE VICIOUS CYCLE
At the end of the day, it becomes clear to
security researchers who are following
ransomware groups that the asymmetry
between the capabilities and the incentive for
the attackers and the maturity and budgets
of the defenders is becoming more
pronounced, he adds. "When critical
infrastructure is under attack through large
and small companies, it is obvious that more
technology will not solve the issue alone.
Outsourcing IT operations or security
operations alone is not solving the problem
either." With that in mind, Have sees three
paths forward:
Law enforcement agencies must
cooperate across borders to target
ransomware groups, track payments and
ultimately change the operational risk for
these groups, so that it is more expensive
to do illicit business
Breaking down silos within organisations,
getting the cybersecurity, IT operations
and risk management teams to speak the
same language and align expectations.
"Who owns the backup - IT? Who is
responsible for the disaster recovery -
Security? Who owns the business
continuity planning - Enterprise risk
management?"
More laws and regulations on the matter.
"GDPR has done a lot to bring focus and
awareness about reporting breaches to
infrastructure. But more is needed. GPDR
works for personal data, but disruptions
to critical infrastructure following a
ransomware attack are not necessarily
under the umbrella of GDPR and, as such,
www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security
11

ansomware
can go under the radar. With more
sharing, increased focus and potentially
fines levied against organisations that fail
to prevent or protect their infrastructure
adequately, boardrooms will begin to take
the threat seriously."
SOARING IMPACT
To further grasp the scale of ransomware's
soaring impact, you have only to look at the
latest report from SonicWall. In its mid-year
2021 cyber threat report update*, it proffers
the startling statistic that, in the first six
months of 2021, global ransomware volume
reached an unprecedented 304.7 million
attempted attacks- already eclipsing the
304.6 million ransomware attempts logged
for the entirety of 2020, as recorded by
SonicWall Capture Labs.
"In all, ransomware for the first half of this
year is up a staggering 151% over the same
time period in 2020. While Q1 was worrying,
Q2 was markedly worse - going into spring,
ransomware jumped from 115.8 million to
188.9 million, enough to make Q2 the worst
quarter for ransomware SonicWall has ever
recorded. If we're lucky, this will be an
aberration. Some years, such as 2019, see
ransomware totals high in the first half, then
fall off during the second half." Time will tell.
But even if we don't record a single
ransomware attempt in the entire second
half (which is irrationally optimistic), 2021
will already go down as the worst year for
ransomware SonicWall has ever recorded.
"While Q2 was record-setting in its own right,
every month during the quarter set a new
record, too. After rising to a new high in
April, ransomware rose again in May, then
saw another increase in June.
During that month, SonicWall recorded
78.4 million ransomware attempts - more
than the entire second quarter of 2020, and
nearly half the total number of attacks for the
year in 2019. Even 2021's lowest month
didn't provide much of a reprieve. With 36.3
million ransomware hits, March 2021 had
more ransomware than all but one month
in 2020."
Why is ransomware rising so rapidly?
There are several factors that SonicWall
identifies as being behind the recent increase
in ransomware, but the fact remains: "The
more organisations there are that are forced
to pay out, the more incentive ransomware
groups have to launch attacks."
While ransomware operators
are getting better at finding
and encrypting backups, they've also found
another way to ensure victims pay up, despite
the existence of current backups: extortion.
"In an increasing number of cases, such the
recent attacks on Colonial Pipeline and the
city of Tulsa, Okla., attackers are stealing and
exfiltrating the data before they encrypt files.
This means that, even if the victims have
ironclad backups and can rebuild their
network easily, they may still pay to preserve
their reputation, avoid fines and maintain
regulatory compliance with regards to
personally identifiable."
THE EXTORTION FACTOR
Unfortunately, organisations that display a
willingness to pay may be opening
themselves up to be attacked again soon
after, either by the same group of
cybercriminals or by another group who
heard about the original payment, says
SonicWall. "
According to ZDNet, roughly eight in
10 organisations that opt to pay a ransom
wind up being attacked again - and of those
victims, nearly half believe the second attack
was perpetrated by the same cybercriminals
as the first. While it's unclear how many
organisations are targeted by repeat attacks -
companies are often reluctant to publicly
acknowledge ransomware incidents for this
very reason - at least three have made
headlines in recent years: the city
of Baltimore, Australian logistics
firm Toll Group and American
technology company Pitney
Bowes."
* Mid-Year Update: 2021
SonicWall Cyber Threat Report
12
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

50 % OFF
RANSOMWARE
PREVENTION
& PROTECTION
Immutable data storage
Get 50% off MSRP on Arcserve UDP/ Arcserve Appliance and StorageCraft
OneXafe, to protect your data from ransomware attacks today.
The recent merger of Arcserve and StorageCraft has created a powerhouse that brings customers the
broadest portfolio of data management & data protection solutions available from a single vendor.
While the data growth tsunami continues to grow and ransomware consistently on the rise, you
have more data to protect, and more to recover.
Arcserve UDP Data
Protection Software
Unified data and ransomware
protection to neutralize
ransomware attacks, restore data,
and perform orchestrated recovery.
Arcserve Appliances
All-in-one enterprise
backup, cybersecurity, and
disaster recovery, with
multi-petabyte scalability.
StorageCraft OneXafe
Immutable Storage
Scale-out object-based NAS
storage with immutable
snapshots to safeguard data.
info.arcserve.com/en-gb/immutablebackup-promo

information security
ASSUMPTIONS - MORE THAN A ROLL OF THE DICE
MAKING ASSUMPTIONS CAN BE A BIG MISTAKE - YET SOMETIMES IT CAN PAY OFF
HANDSOMELY. INFORMATION SECURITY IS ONE SUCH INSTANCE OF THE LATTER,
SAYS PAUL HARRIS, MANAGING DIRECTOR, PENTEST LIMITED
When you assume, you make an ass
out of 'u' and me, or so the saying
goes, and, in many situations,
making assumptions can be misguided. But,
in other situations, it pays to assume.
Information security is one of these situations
and, by assuming the worst, you can start to
plan for it and prepare to defend against it.
The recent spike of ransomware attacks has
shown companies what a potential worstcase
scenario looks like when it comes to
information security, with companies being
taken offline and critical data being lost.
This wakeup call has forced many into
action, but ransomware is only one of the
potential attack vectors and there are
numerous routes into a company. Yes,
ransomware may be hitting the headlines,
but it's not going to be everyone's biggest
risk. So, if you're looking for solutions
because of the headlines, then you may be
wasting your money.
A successful attack only needs one route in,
but defenders need to protect against many
potential entry points. In this situation, the
advantage is with the attacker and, with
the time, skills and resources, it's a matter
of 'when' an attack will get through, rather
than 'if'.
Risk analysis and scenario planning allows
you to assume that the worst will happen,
that an attacker will get through. It's an
approach that more and more companies are
looking to undertake in the face of growing,
and often unknown, threats. As a 'table-top'
exercise, it's far more cost effective than
implementing a tech 'solution' and allows
companies to look at their wider security,
building a roadmap of improvements that
will bring the greatest security benefits. So,
how do you go about it?
KNOW WHAT'S IMPORTANT
A company's crown jewels aren't just
important, they're critical and if they were to
be stolen or made unavailable, for even the
shortest time, it could mean your business
stops operating. But what are your
company's crown jewels? For many it's
intellectual property, the design of a new
product or your products 'secret recipe', for
others it could be financial data.
Maybe it's the source code for a piece of
software you've been developing, patient
information, live production systems, servers
running internal operations, your e-
commerce website, the list goes on. Your
crown jewels can be a combination of many
14
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

information security
things, but, whatever they are, they need to
be protected. The key question you need to
ask yourself is: what are the things I, or my
clients, can't afford to lose?
IDENTIFY YOUR REAL-WORLD THREATS
When it comes to cyber threats, sophisticated
is a word that is used a lot. "We were the
victims of a sophisticated cyber-attack" is the
usual line when news of a breach breaks.
But when the dust settles, it's often found
that the attack wasn't sophisticated at all.
Everyone likes to think they're the target of
sophisticated attacks, but most attacks
are opportunistic in nature, using simple
techniques to expose weak security practices,
unpatched systems or take advantage of
human vulnerability. By identifying your
most likely real-world threats and targets, you
can start to prioritise the risks, identify the
techniques they would most likely use, and
the potential routes they are likely to take.
UNDERSTAND YOUR FULL ESTATE
AND HOW ATTACKERS COULD
MOVE ACROSS IT
One of the fundamental IT security challenges
within organisations is the shadow IT 'visibility
gap' between assumed, or known, infrastructure
and what truly exists. Whether it's
because of merger & acquisition activities,
personnel changes, or infrastructure changes
over time, it can be easy to lose track of your
IT estate.
Obtaining an exact picture of what you have
is key and if you can't see a legitimate device
on your network then how can you properly
defend it? Once you have full knowledge of
what you have, you then need to understand
the security measures you have in place,
but not just from a tech point of view, you
need to look at your security processes,
procedures, operating rules, and system
design as well. Having this clear picture
across your estate will enable you to
understand where potential entry points exist
and expose weaknesses which may allow an
attacker to move easily across your network.
DEVELOP YOUR SCENARIOS,
PRIORITISE YOUR IMPROVEMENTS
Once you have full 360-degree view of
your organisation, what's important to you
and your threats, you can start to develop
scenarios, ones that could have an extreme
effect on your company. For example, a
realistic scenario could be that an organised
criminal group has stolen your intellectual
property, or that hacktivists have brought
down your ecommerce website through
a DDOS attack. With a range of realistic
scenarios in hand you can then evaluate
which ones bring the highest risk.
Once you've evaluated the risk scenarios,
you can start to think about making
improvements, but firstly, it's important
to understand the steps the threats may
have taken to achieve their goal. This can
be done by conducting an attack tree
analysis, working backwards from the
goal, step by step, to continually ask
'how' it was possible.
Now you understand the potential steps
taken to achieve the goal, you need to
identify controls that would predict,
prevent, detect, or respond to these actions
at every stage of the attack. Some controls
may already be in place, but it's important
to analyse how effective controls are and
identify where gaps exist. Where gaps
do exist, you can then evaluate the
associated cost, and effectiveness, of the
controls needed, helping to prioritise your
remediation efforts.
PUT YOUR IMPROVEMENT
EFFORTS TO THE TEST
The more effective defensive measures you
put in place, the more difficult you make it
for would-be attackers. But how do you
know if your defences are truly effective?
You need to test them. Having your work
tested can seem like a daunting prospect
and it can be easy to think that it's going to
belittle or ridicule your security efforts. But
that's not the case. Testing is designed to
Paul Harris, Pentest: a successful attack
only needs one route in, but defenders
need to protect against many potential
entry points.
support your efforts, ensuring that your
business is as protected as possible from the
primary risk scenarios you have identified.
Penetration testing and red teaming are
great options, in terms of evaluating your
defensive measures - and testers will look
to simulate the actions of an attacker,
potentially uncovering further vulnerabilities,
supporting remediation and providing
you with the assurances that your efforts
have been truly effective.
MAKE SURE INFORMATION SECURITY
IS AN ONGOING PROCESS, NOT JUST
A ONE-OFF
Information security can sometimes be seen
as a tick in the box exercise and that, once
it's complete, you're protected. But that isn't
the case. What's considered safe today may
be vulnerable to attack tomorrow. Attackers
are always looking for new attack routes,
new techniques, new vulnerabilities and no
company, or technology, is 'unhackable'.
Security improvement efforts, such as risk
analysis and scenario planning, need to be
ongoing, helping keep your company one
step ahead of any malicious threats.
www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security
15

health check
8AM AND I.T. IS IN FOR A VERY TOUGH DAY!
STARK LESSON UNFOLDS IN THE CYBER SECURITY DANGERS THAT ARE LURKING 'OUT THERE'
Cheshire and Merseyside Health and
Care Partnership wanted to find out
how well it would stand up to a
cyber-attack. So, it asked Gemserv Health
to put together a scenario-based response
exercise that started with some seriously
bad news - but uncovered a lot of useful
information.
It's 8am and it was a nice day until you
turned on the radio. The news has just
started and the lead story is that a video
has been released showing a group of
NHS leaders making worrying remarks
about a Covid-19 vaccine.
They seem to be suggesting that safety
issues are being covered up and the share
price of the vaccine maker has crashed
10% overnight. The phone starts ringing.
It's a press officer wanting to know what
IT is going to do about this leak, or fake,
or whatever it is.
CYBER-ATTACKS SPREAD, FAST
This is the scenario that greeted 22 heads
of IT in Cheshire and Merseyside in spring
2021. It was constructed by Gemserv
Health, with input from Cheshire and
Merseyside Health and Care Partnership,
to find out how the integrated care system
(ICS) would respond to a cyber security
incident.
Paul Charnley, digital lead for the ICS,
explains that the commissioners, councils,
hospitals and other providers in the area
have their own policies and procedures
in place. But the ICS didn't have an
overarching response that was tested
and ready to use.
that requires every organisation to plan
for and rehearse its response to a cyberattack,
but one of the things that we
learned from WannaCry is that a cyberincident
can impact a large geography
very quickly," he says. "We need to be able
to coordinate.
"The exercise that we ran really brought
that to life. It was very salutary and very
helpful, and it has given us a lot to think
about. We have learned a lot since
WannaCry, but we are in an arms race
with the hackers and we've still got more
to do."
LEARNING FROM WANNACRY
WannaCry was the worldwide ransomware
attack launched in May 2017. It didn't
target the NHS, but the National Audit
Office estimated that 34% of trusts in
England were impacted anyway.
One reason was that the NHS employs
a lot of people; with 1.3 million staff, it
had a lot of malicious emails to contend
with. Another was that WannaCry spread
through older, unpatched Windows
systems; and the NHS had a lot of those
in computers and medical devices.
However, a third
problem
was that there was no coordinated fightback.
The NAO reported that the
Department of Health had been working
on a plan, but it hadn't been tested at a
local level, so "it was not immediately clear
who should lead the response and there
were problems with communications."
Some trusts couldn't be reached by email
"because they had been infected by
WannaCry or had shut down their email
systems as a precaution", leaving a mix of
switchboards, mobiles and WhatsApp as
the only way through.
ONLY AS STRONG AS WEAKEST LINK
IT leads in Cheshire and Merseyside
wanted to do better. "After WannaCry, we
swore that we would work more closely
together, under the tagline: 'we are only as
strong as our weakest link'," says Charnley.
The 22 heads of IT in the area agreed to
standardise their policies and procedures,
and to pool any funds made available by
the NHS, to make the money go further.
Cheshire and Merseyside HCP is now
working with NHS Digital on a target
cyber-security architecture and on a
procurements process to deliver the
strategy.
"NHS Digital has a data protection toolkit
16
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

health check
This has enabled individual organisations
to work to a standard on one
of two security information and event
management systems: one medical
device protection product; and one
single sign-on product to give staff
secure access to clinical and
administrative systems.
"We have worked on our strategy and
then we have moved to manage our
supplier market and our procurement
teams to buy in harmony with that," he
adds. "Gemserv has supported both the
policy and the business models."
FINDING THE GAPS
Cheshire and Merseyside HCP is better
protected against a cyber-attack than it
was five-years ago; but the mantra of
cyber-security is not to ask "if" a cyberincident
is possible but "when" one will
occur.
The scenario-based exercise was
designed to find out how ready the ICS is
to deal with an attack; and whether IT
leaders across the patch are clear about
who will lead the response and how they
should communicate with each other.
Before Covid-19 arrived, the ICS had
been looking to run a physical event,
but because of the pandemic it moved to
Microsoft Teams. Five virtual break-out
rooms were set up for organisational
teams to use, and the scenario was fed
to them.
As the event went on, the teams also
received 'injects' of information to take
the scenario in a different direction and
test their ongoing responses. They got
some 'good' news: the video didn't
feature local executives and was instead
a 'deepfake'. They also received some
'bad' news: one of the executives who
had been deep-faked had also been spear
phished. His email and that of his
contacts had been targeted. A route was
open for a ransomware attack.
NOT IF, BUT WHEN
Charnley says that on the day of the
cyber scenario event, years of hard work
in Cheshire and Merseyside paid off. IT
teams were able to mount a more
coordinated and coherent response to
the Gemserv scenario than they were to
WannaCry.
They also had better tools to use.
However, the exercise showed there were
gaps to fill. The area turned out to be
short of some specific cyber-security
expertise out of hours. There were still
questions about how decisions would be
made that were big enough to require
sign-off from Government departments
in London or the NHS's central bodies in
Leeds.
It emerged that health and local
authority incident response planners
needed a cyber playbook to put
alongside the playbooks they have for
dealing with train wrecks, chemical
spills or even nuclear incidents. Gemserv
Health is now helping to write one, and
when it is ready, Charnley wants to test
it by running the exercise again.
"Gemserv told us that the military builds
things and then attacks them," he says.
"It costs millions of pounds. We don't
have that kind of money, but we can
learn a lot this way. I want to do this
every six-months - certainly every year -
and I think every ICS should be planning
to do the same.
"I'd definitely encourage others to follow
this model and this approach. We
wanted to work with an external partner,
because it's easy to be insular or to play
to your strengths in these exercises.
Having an external view was very helpful.
It gave us a lot of things to think about."
Paul Charnley, digital lead for ICS: no
overarching response in place that was
tested and ready to use.
www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security
17

global intelligence
QUANTUM LEAPS - AND BOUNDS
QUANTUM COMPUTERS WILL SOON SMASH THROUGH THE MATHEMATICAL CRYPTOGRAPHY
WE RELY ON AS A SOCIETY, IT IS FORECAST. HOW DO WE KEEP OURSELVES SAFE THEN?
The time to prepare for a safe quantum
computing future is now, argues Chris
Erven, CEO, KETS Quantum Security.
Why? "For the simple fact that, in today's
world, we don't go 30 seconds without
touching digital technology of some kind,
all of which is networked, none of which is
quantum-safe. We know that quantum
computers will be experts at breaking the
security of our current digital infrastructure.
We need to upgrade this to be quantumsafe
now."
He points to the 'Mosca equation' (posited
by Michele Mosca of the Institute for
Quantum Computing) to summarise when
we need to worry about upgrading our
cyber security.
This equation is given by:
x+y> z
where:
x = the security lifetime of our data,
y = the time required to upgrade to
quantum-safe systems,
and z = the time to build a quantum
computer.
"If it is going to take 10 years to upgrade
and you want, for example, your online
medical records to be secure minimally for
15 years. Meanwhile, a quantum computer
is built in the next 5-10 years - then it is
already too late! Best case, your sensitive
data will effectively be unencrypted and in
the clear for 20 years. And this 'store now,
crack later' attack has been going on for
years." Soon, he says, we will be living in
a world where most of our current forms
of cryptography will be useless, because
investment and developments in quantum
computing are only accelerating. "What is
more, we likely won't know when this
happens, because a quantum computer
capable of doing this represents such a
huge advantage, those who own it will
keep it secret."
The good news, though, is that we are
not defenceless. "Computer scientists,
physicists, and engineers have been
working hard on new quantum-safe
methods." Two of the biggest tools he
identifies for the new quantum-safe toolbox
are:
Post-quantum cryptography (PQC)
algorithms - new algorithms conjectured
to be immune to a quantum computer's
processing capabilities
And quantum cryptography (QC) - new
quantum hardware that has been
proven to be immune to a quantum
computer.
What difference will this make to
computing security? "Well, we will have to
upgrade," he points out. "Think the Y2K
bug, but less hype and more well-reasoned
concern. And this upgrade will need to
occur both at the software and hardware
level."
What can be done to ward off this
apocalyptic scenario? "At the highest level,
we need our telecommunications
infrastructure to be upgraded. This is
behind the EuroQCI Initiative, which aims to
build a secure quantum communications
infrastructure that spans the EU. Similar
initiatives exist now in the US, UK, China,
South Korea and Japan."
FIRST ACTIONS TO BE TAKEN
At the organisation level, the first things
that need to be done are:
Recognise the problem
Put resource behind it
Perform a quantum-safe health check
And develop your organisation's
quantum readiness roadmap.
Lastly, get involved in early innovation
projects, he advises. "These new methods
are different. PQC algorithms generally
require more memory or are slower, while
QC methods involve new hardware - these
18
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

global intelligence
will have implications for your organisation.
The best way to figure out the
implications is to start experimenting with
these new tools. Conveniently, this is the
number one aim of the testbeds being
built - to engage with end-users!"
And you don't need a huge team of
scientists is Erven's reassuring message.
"A small team is more than enough to
partner with the cutting-edge start-ups
and SMEs pioneering quantum-safe
solutions. Together, we can ward off the
digital security apocalypse and continue
to thrive as a civilisation using a quantumsafe
version of the secure, connected,
information infrastructure that has
contributed so much to humanity's rapid
developments of the last 35 years."
BLOODHOUNDS ON THE TRAIL
According to Roger Grimes, data driven
defence evangelist at KnowBe4: "Your
competitors or nation-states could be
sniffing your currently protected network
traffic, waiting for the day a few years
from now when they can use quantum
computers to crack your existing
encryption. As we have seen, various
nation states have no problem attacking
every commercial company possible, if it
contains intellectual property of interest
or even simply to steal money. It is going
to take any organisation many years to
fully prepare for the necessary postquantum
transition.
"So, even if you started now, it would be
years before your data was protected.
And any organisation that either has
sufficiently capable quantum computers
now or in the near future, that wants
your confidential data, could have an
incentive to sniff your data now…or
during the years of preparation you will
require to get to post-quantum
protections." Grimes' advice? "Every
organisation should begin immediately
taking a data protection inventory. It starts
by identifying all confidential data and the
systems and cryptography that protect it.
That means recording encryption, digital
signatures and hashing algorithms used to
encrypt, sign and verify content, along
with key lengths. This sort of inventory
should have already been done, but
almost no one has done it.
"Creating it and maintaining it will be
useful and valuable for the post-quantum
migration and any other crypto migration
afterward. The hardest part is the original
data collection. Maintaining it is not nearly
as hard. But that original data collection is
likely to take many months, if not years,
for most organisations.
And, regardless of the quantum issue,
simply understanding your cryptography
state will lead to better crypto-agility and
that will pay huge benefits forevermore.
But you need to get going now. Data
protection inventory and agility is not easy,
and it takes a long time. So, get started
now. Post quantum is your first valid
reason."
From the data protection inventory, what
happens next? "You then determine what
data needs to be protected more than
a few years, which is not protected with
quantum-resistant cryptography," Grimes
advises. "In some cases, like with symmetric
encryption and hashes, it might mean
simply increasing key lengths. And in
others, like with asymmetric encryption,
key exchanging and digital signing, it will
mean replacing it with a quantumresistant
solution.
"Those solutions include post-quantum
encryption, physical isolation, quantum
key distribution and other quantum
devices, like quantum random number
generators. There is a coming Y2K-like
problem…and really it is already here, and
people do not realise it."
NEXT MAJOR MILESTONE
There have been quite a few predictions
about how quickly quantum computing will
arrive. But whatever the exact date and
time, it's clear that not just one, but two
races have already begun, says Timothy
Hollebeek, industry technology strategist,
DigiCert. "The recent few years have
exponentially accelerated the development
of quantum computing, with a variety
of breakthroughs and a number of
grandstanding announcements from tech
giants that they would be heavily investing
in the area. Even in 2020, pandemic
notwithstanding, quantum technology was
striding ahead. The breakneck speed of
quantum acceleration has kept up through
2021, too."
For all those developments, he says the
next major milestone will be when someone
solves a problem with quantum that a
conventional supercomputer simply cannot.
"But even when that day comes, it won't
mean that RSA or ECC encryption are in
direct threat. Although quantum can break
them, it would still require large quantum
computers to do so."
Even when they're commercially available,
quantum computers and technology will
likely be prohibitively expensive to most, he
adds. "What these ever-accelerating series
of developments are likely to do is act in the
same way that Moore's Law accelerated the
development of classical computing. Each
new development will further hasten the
pace towards quantum technology, driving
investment and innovation in the direction
of more powerful quantum computers."
That's one race between researchers,
scientists and organisations. "There's a more
urgent race, too - between individual
organisations' cryptography and the
quantum algorithms which will be able to
break current cryptography. The reality is
we don't know exactly when quantum is
going to become a threat and, as such,
www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security
19

global intelligence
Chris Erven, KETS Quantum Security: we will
soon be living in a world where most current
forms of cryptography will be useless.
A render of KETS Quantum Security's chipbased
solutions.
organisations need to start preparing."
That means getting to grips with Post-
Quantum Cryptography (PQC). "Indeed,
organisations can begin adopting hybrid
RSA/PQC certificates and, critically, testing
them in their own environments now."
But there's a more fundamental element
that Hollebeek single out when it comes to
being ready for the arrival of quantum.
"The threat that quantum poses to current
cryptography won't just necessitate
stronger algorithms, but will likely mean
that organisations have to become a lot
quicker on their feet when it comes to
cryptography. Crypto-agility is a concept
which organisations must start working
towards quickly.
Quantum threats will likely need a diverse
array of algorithms to protect against and
organisations will need to swap out
encryption algorithms on the fly as security
demands. That will be a significant task for
most companies, involving a fundamental
reshaping of how they do cryptography.
Quantum threats, however, demand it."
HUGELY DISRUPTIVE TO
OUR DIGITAL WORLD
A five-to-10-year timeframe for quantum
computing to become a reality is probably
overly pessimistic, given the monumental
investment by businesses, governments and
investors around the world, states Dave
Bestwick, CTO of quantum cryptography
specialists Arqit.
"Only recently, we witnessed another
company, PsiQuantum, attain unicorn
status and raise huge amounts of
investment to bring a quantum computer
to market within the next few years."
Businesses therefore need to be
considering their options today, he
cautions, because not only are malicious
actors busy stockpiling data to decrypt as
soon as quantum computing emerges, but
also swapping from PKI to quantum
encryption takes time.
"Quantum computing will be hugely
disruptive to our digital world, as it will
undermine the basic security foundations
of the Internet. Most internet communications
are secured by PKI and quantum
computers can break this method of
encryption within minutes. Companies that
own valuable patents, highly sensitive
government data underpinning critical
infrastructure and defence will all be
vulnerable; as will bank details, health
records and even cryptocurrency."
However, not all forms of encryption will
be obliterated: symmetric encryption keys
are not susceptible to quantum attack, he
confirms. "This approach is endorsed by
the American Encryption Standard (AES).
However, until recently several barriers to
adoption existed, most notably the problem
of secure key sharing. Quantum key
distribution can solve this problem, but its
use over fibre networks is limited by signal
absorption, which constrains practical key
distribution to distances of less than about
150km."
This posed a problem for exchanging keys
over larger distances, but this challenge has
been eliminated recently with innovation
from companies like Arqit, he asserts,
which has "developed a way for quantum
key distribution to take place over satellite
systems to secure digital communications
globally".
Bestwick is under no illusions that the
menace from quantum computers is a clear
and present danger, as it threatens to
undermine PKI, which today forms the
foundations for most secure digital
communications. "However, innovations in
the area of symmetric encryption mean
there’s a way to avert disaster, but
businesses need to act promptly to protect
their data, today and in the future."
20
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

all at sea
CRUISING FOR A BRUISING
CARNIVAL CRUISES SUFFERING FOUR DATA BREACHES IN 15 MONTHS
FLAGS UP WHAT TEMPESTUOUS WATERS THE TRAVEL INDUSTRY - AND
TOURISM IN GENERAL - SAILS IN. BUT WHY ARE THEY SO VULNERABLE?
When Carnival Cruises was hit by its
first data breach in 2020, it caused
deep concern within the industry.
This is, after all, the world's largest travel
company. When it succumbed to a fourth
breach in June this year - the fourth such
breach in 15 months - the reaction was
more akin to raised eyebrows, because
unfortunately we have become somewhat
desensitised to these occurrences, taking out
many of the major corporates.
The latest Carnival Cruises breach saw data
compromised that contained names, dates
of birth, passport numbers, home addresses,
phone numbers, social security numbers,
along with COVID-19 test results. This came
on top of the other cyberattacks on Carnival
Corporation since the beginning of the
COVID-19 pandemic, two of which were
ransomware demands.
The travel and tourism sector, such as hotels
and airlines, has been heavily targeted of late,
as clearly it offers lucrative pickings. But why
do large organisations fall prey so readily to
multiple cyberattacks and data breaches? This
is a complex issue, most certainly, but Trevor
Morgan, product manager at comforte AG,
believes we can consider three aspects of any
organisation that would encourage multiple
successful attacks: value, culture and
technology.
"Let's look at each one to see how it
contributes to precipitating multiple
incidents," he comments. "Any enterprise
possessing highly valuable data will continue
to be a target, even if it has sustained
previous cyberattacks. Consumer-based
industries, such as travel and entertainment,
retail and financial services, definitely apply, as
they collect sensitive information on large
swathes of their customers and prospects.
The reason is simple: threat actors want that
data for personal gain.
"Whether the dataset contains thousands or
millions of data subjects, complete with
sensitive PII that can be used to initiate
identity theft or other fraud, or whether it
contains less volume, but more substantive
information, meaning something that can
hold up operations and be used as leverage
[think ransomware attacks on infrastructure
companies], the fact of the matter is that, if
the organisation gathers and stores sensitive
information, hackers want it."
A company's culture has quite a lot to do
with the ability to close down attack vectors
and thwart cyberattacks, adds Morgan.
"The reason is that a large percentage of
attacks originate from vulnerabilities caused
by human error. We're talking here about
misconfigurations, lifting and shifting
unprotected data or simply pure carelessness.
Companies that try to move too quickly and
put an emphasis on output, rather than
process, are particularly vulnerable to human
error. However, the organisation that actively
instils a culture of data privacy and security
among its employees has a much better
chance of deterring one or multiple attacks."
WAIVING THE RULES
This type of culture not only depends on
the individual contributors caring about
sustaining that culture, he states, but also
on the executive team placing value and
meaning behind it, to assess performance
and allocate rewards, based on employees'
willingness to be more sensitive to data
privacy and security, and follow the right
processes to mitigate or eliminate human
error. If executives are seen dismissing the
'rules' to get something accomplished,
then this behaviour trickles throughout the
company as others emulate it, and soon
that valuable culture falls apart. Every
member of an organisation must be
absolutely committed to a corporate culture
of data privacy and security."
Lastly, technology clearly has a massive
impact on whether or not incidents become
successful data breaches. A huge organisation
that puts all its IT investment into
perimeter-based security, access control
and/or intrusion detection may be lulled into
thinking that they are more secure, but in
all actuality focusing on the perimeter and
data access will only put off the moment
when a threat actor successfully penetrates
the perimeter barrier. "Therefore, many
cybersecurity experts advise a more holistic
approach whereby the data itself is
protected, along with the borders around
that data and user activity within the
environment.
"We're talking here about data tokenisation
and format-preserving encryption," says
Morgan. "These protection methods replace
sensitive data elements with innocuous
representational tokens, which render the
data meaningless, even if it falls into the
wrong hands. Better yet, data-centric security
that preserves format enables enterprises to
work with protected data, rather than 'deprotecting'
it for vital activities such as data
analytics. The less you de-protect your data,
the better off you'll be."
www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security
21

all at sea
Trevor Morgan, comforte AG: if an
organisation gathers and stores sensitive
information, hackers want it.
Amit Sharma, Synopsys Software Integrity
Group: security awareness training very
important for employees and partners
handling sensitive data.
Of course, other factors play into the
reasons that an organisation can be hit
multiple or many times by cyberattacks,
he points out. "The lesson, though, is that
enterprises aren't powerless, if they recognise
the true worth of the data they collect and
process, treat that data as their most valuable
asset and use the most comprehensive
strategy-including data-centric security-to
protect it against threat actors who want to
get to it."
STRUGGLES OF TRAVEL SECTOR
The reasons why different organisations fail
to protect their systems and information
adequately and why some fall victim to
breaches repeatedly vary enormously, says
Richard Walters, CTO of Censornet. "Every
enterprise has unique attributes that inform
the security ecosystem they need to build
and manage to some degree. The travel
sector seems to struggle with securing
content in databases linked to externallyfacing
web applications. This problem hasn't
just affected Carnival Cruises, but also BA,
Marriott, Cathay Pacific, Hyatt and easyJet."
To tackle this problem, he advises, the
travel industry needs to build security into
the software development lifecycle and
continuously assess externally facing
applications for vulnerabilities. "A Which?
study carried out midway through last year
looked at vulnerabilities in systems owned by
ninety-eight of the travel industry's biggest
names and identified many with hundreds of
vulnerabilities, including companies like BA
and Marriott, some of which had already
suffered major breaches. Marriott was the
worst, with 497 vulnerabilities."
There is nothing unique about the
challenges facing companies in this sector,
Walters continues. "Perhaps what is different
is that the travel industry has undergone a
dramatic transformation in recent years, with
web apps replacing brochures and travel
agents. What players in this industry have
failed to do is understand the associated
security issues. It's no different to what
we're seeing in the automotive industry,
with attacks on connected vehicles, or in
the medical device industry. None of the
companies in these sectors is an expert in
cyber security, but they seem unable to realise
they have a need to engage with companies
that are."
There is little doubt that security ecosystem
complexity - with larger organisations using
70-plus security point products - is also a
contributing factor. "Censornet research has
found that 92% of enterprises get more than
500 SOC alerts per day - which is a problem
when you consider that a single analyst
can handle just 10 alerts per day. Human
resources alone are dangerously insufficient,
leaving no time for proactive threat hunting
or searching for indicators of compromise.
There is an urgent need to bridge the gap
between alert overload and analyst capacity
in every sector - and the travel industry is
no different," he says. "The reality is that
breaches are often missed, due to alert
overload. All of the Indicators of Compromise
(IOCs) were almost certainly there in the logs
somewhere!"
BUILDING A FORTRESS NOW
'UNTENABLE'
System breaches are not declining. Theft,
business disruptions, data leaks all continue
to occur, even though leaders know the risks.
Why? "Today's IT systems have only gotten
more complex," responds Keith Driver, chief
technical officer at Titania. "The rise of BYOD,
Software as a Service, the move to public or
hybrid cloud and especially working from
remote locations have given IT risk holders
a headache."
Building a fortress around IT assets is still
the norm, he points out, but it's become
an untenable form of protection for two
reasons. "First, the complexity of the IT
infrastructure makes it challenging to
determine and manage where the boundary
between corporate and external data exists.
22
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

all at sea
Secondly, adversaries' capabilities [be they
individuals or more sophisticated and wellfunded
actors] continues to grow.
"As a result, the ability to keep attackers
at bay gets harder and harder, resulting in
breaches. Determined attackers will always
find a way in. This is where Zero Trust
Architecture comes into play - approaching
security as if a compromise has or will occur
using functional blocks within a network that
require authorisation/authentication steps to
access resources. More organisations need to
adopt this approach. It requires a cultural
shift in addition to a different approach to
solutions. But once this assumption is made,
the strategy is one to ensure damage is
minimal. When there is no assumption of
trust, there is no assumption of identity
and no automatic authorisation to enter
a system. All of this makes it more difficult
for an attacker to move around a network
to gain access to more valuable assets."
It's not just about Zero Trust either, Driver
adds. "It's also important to segment a
network and control the access to it. This
makes it harder for attackers to navigate
from one end to the other and hit their
target. Here's where businesses fall down.
While both are critical to network security,
being vigilant about configuration can't take
a back seat. It needs to be correct and unable
to be compromised - either by attackers or by
accident.
"Businesses need to identify these vulnerabilities,
examining routers, switches and
firewalls using tools that score the level of
risk and let them assess where the priorities
lie, so time and resources are allocated
appropriately. This gives organisations a
complete picture of where, how and what
can be compromised - across the network,
on every device at every point of the day."
NEGLECT OVER ACCESS
"One common reason why data breaches
take place is no - or improper - access
control," says Amit Sharma, security engineer,
Synopsys Software Integrity Group. "Thirdparty
access is an area that is oftentimes
neglected, thus providing opportunities to
cyber-attackers. My recommendation would
be for organisations to carry out in-depth
checks on their infrastructure and the
services they employ to operate and manage
their applications and data. The first step
involves classifying your data and then using
the appropriate controls to protect it
depending on the classification."
VENDOR MANAGEMENT POLICIES
Other proactive measures that organisations
can and should take is implementing
an identity and access management (IAM)
policy governing access controls, using
strong passwords (and not re-using
a password across services) and using
encryption. "Secure vendor management
policies should be in place, which should
vet partners and vendors, thereby managing
and controlling access to data that is
exposed to vendors, contractors and third
parties. Regular testing for loopholes and
routine checks on the infrastructure are
also important mechanisms to build into
your security strategy. With the constant
advancement in technologies, attack
patterns are also changing rapidly and we
need to evolve along with it. Firewalls are
simply not enough," insists Sharma.
Reviewing the processes governing data
handling is also crucial to ensure customer
data is securely maintained. "With the
ongoing pandemic, it's very common to see
data being transmitted from unsecured
networks and unmanaged machines.
"Other measures to consider include
network segmentation, active monitoring
and developing capabilities to respond to
incidents effectively. Security awareness
training not only for employees, but also
for partners who are handling sensitive data,
is also a very important consideration for
an organisation."
Keith Driver, Titania: important to segment
a network and control the access to it.
The travel sector seems to struggle with
securing content in databases linked to
externally-facing web applications.
www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security
23

information security
PRIVACY PAYOFF: CHAMPIONING DATA VIGILANCE
AS PEOPLE CONSIDER POST-PANDEMIC LIFE
WHILE EDUCATING CONSUMERS IS IMPORTANT, INDIVIDUALS MUST ENGAGE BY REFLECTING ON THEIR
ONLINE SECURITY AND ITS IMPACT, STATES DAVID EMM, PRINCIPAL SECURITY RESEARCHER AT KASPERSKY
Much has been made of the 'new
normal' that awaits us beyond
COVID - or at least, this stage
of COVID. As we learn to live either with
or without the virus, we have already
entered our post-lockdown lives. Those
long-awaited holidays, that music
festival, a three-time-postponed sporting
event. Or, via a few clicks of a button,
your online shopping network, your
updated communications apps, your
more dispersed and digitised social life.
It's understandable that people have
been eager to get back to normal now
that restrictions have lifted. However,
in the race to return to these events,
there has been an increased security
conundrum - but what is the privacy
price people are willing to pay to ensure
that they are at the front of the queue
when getting back into events, going
on holiday and more?
What personal data are those in Europe
willing to sacrifice for post-pandemic
freedoms? At first glance, it's clear that
we are willing to pay quite a hefty
price. A new data privacy heatmap has
explored the new consumer dynamic
across Europe to gauge what people are,
and are not, willing to share in the form
of personal data, in order to access these
new freedoms, solutions and online
services.
In the UK, for example, almost threequarters
(72%) would be happy to share
personal healthcare, location and contact
data if it meant a quicker release of
restrictions and back into events,
festivals, social spaces or airports. And
seven in 10 European respondents also
stated they would be prepared to
provide personal healthcare and
movement data for more freedoms.
Furthermore, 45% of European
respondents said they would willingly
provide healthcare and movement data
to help their own country overcome
COVID-19. On the domestic front, 84%
of Brits would share personal data for
free digital services, while lures of
discounts, online convenience or 'free
gifts' would also tempt many out of their
private details. While the promise of gifts
and details may seem appealing, many
don't realise the privacy implications of
giving such information away.
These insights and attitudes bring fresh
cybersecurity concerns to the fore. But is
it a lack of awareness or a lack of care
that is failing to halt the data deluge? It
seems to be the latter. Almost all (95%)
of Brits claim that data privacy is
important to them, and they also seem
to be aware of the pitfalls, with 83%
voicing concern that their data could fall
into the wrong hands over the next
two years. And this sentiment is echoed
throughout Europe, too. In fact, as
revealed by the heatmap, 95% of
Europeans feel data privacy is important
but only 52% of the continent's
population feel in control of their
personal data. Eight in 10 Europeans
also fear that their personal data will fall
into hands of criminals, just as Brits do
as well.
While educating consumers is
important, it is equally crucial that
individuals themselves engage in
considering their online security and its
impact. A prime example would be social
media and the ease through which
people often share large amounts of
private data without considering the
wider implications as to whom can
access that information, such as
advertisers and marketers for example.
It is a case of taking responsibility for
their online safety as they would in
person. This includes understanding
the information they are giving and
whether the benefits outweigh the risks.
PRIORITISING CUSTOMER PRIVACY
That being said, businesses hold the
main responsibility for making people's
privacy a priority. They must ask
themselves not only from a legal
standpoint, but from an ethical one:
what is the purpose of the data that is
being collected? And: what are the
implications of having this data, should
there be a security breach? After all, the
more data that is held, the more at risk
it becomes, meaning that only essential
information should be collected. The
most important question that businesses
must ask themselves, however, is: what
are we doing to protect consumers?
Not only will asking this question mean
businesses are protecting customer's data
24
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

information security
more effectively, but they will also help
protect themselves. After all, a GDPR
violation can lead to fines of up to 20
million Euros, or up to four per cent of
the company's global annual turnover -
quite a hefty price to pay. And that's not
including the reputational damage that
comes with a data breach, if consumers
understandably lose faith in a business's
ability to manage their data.
Ian Thornton-Trump, CISO at Cyjax,
suggests that the way to tackle many
of the issues faced is through endpoint
detection and response (EDR). "Increasingly,
EDR is finding favour over traditional
anti-virus, but to be most effective,
these solutions must be deployed into
a managed, licensed and hardened IT
environment."
This, in essence, would enable
businesses to become more vigilant, in
terms of cyber threats, equipping them
with the tools to spot and manage them.
Though an EDR solution is not a silver
bullet, it's a vital part of an organisation's
cybersecurity arsenal - which, when
combined with staff education and a
professional and personal sense of data
protection responsibility, will help keep
people's personal assets safe.
The majority of consumers are
concerned about their data being stolen
in the near future - and though the
onus is on businesses to protect this
information, individuals should also
understand the implications of giving out
their personal data - especially if it's for
free gifts or discounts - and consider if it
is really worth the return they receive.
Overall, a careful balance must be struck
between both the excitement of getting
back to life as it once was and what data
needs to be shared to unlock those
freedoms.
SIMPLE STEPS TO STAY SAFE
The public has long looked forward to
embarking on much-missed holidays and
attending events; however, as they get
more confident and life resumes as
normal, we must also seek to support
them in their cybersecurity hygiene, as
well as increasing their knowledge about
how to protect themselves and their
personal data, allowing them to enjoy
those well-earned post-pandemic
experiences safely.
Simple steps to limit the amount of
personal data that is accessible that can
be taken by consumers include: deleting
profiles and accounts from websites or
apps that are no longer used; investing
in password managers, which create,
save and store passwords automatically,
meaning people don't have to use the
same password for all of the online
services they use; and utilising the Right
to Erasure, better known as 'The Right to
Be Forgotten', which empowers people
to be able to request that their data is
completely removed from business
servers.
With these steps taken, and the
amount of personal data 'out there'
drastically lessened, people can feel more
assured that their information is safe,
and controlled, offering them far greater
protection from their data being used for
criminal or unethical gains.
www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security
25

new-world shake-up
HOW TO PROTECT BUSINESS DATA WHILE
EMPLOYEES WORK FROM ANYWHERE
CARMEN OPRITA, MANAGER SALES AND BUSINESS DEVELOPMENT AT
ENDPOINT PROTECTOR BY COSOSYS, LOOKS AT THE MANY OUTSIDER
AND INSIDER THREATS THAT CAN DAMAGE BUSINESSES - AND HOW
THEY CAN FIGHT BACK
benefits productivity, due to reduced travel
time, fewer distractions and a more flexible
schedule, organisations must ensure that
they are equipped with the right security
tools. In the new reality of working from
anywhere, there are various outsider and
insider threats that can cause damages to a
business, including fines, penalties, and loss
of consumer trust. There are also new ways
of accessing confidential information,
posing higher risks for sensitive data.
And, if an employee compromises data
while working remotely, it is more difficult
to identify how and when it happened.
HIGHER COST OF BREACHES
According to a Malwarebytes report,
Enduring from Home: COVID-19's Impact
on Business Security, the potential for
cyberattacks and data breaches has
increased since employees are working from
home. Some 20% of respondents said they
encountered a security breach, due to a
remote worker, since the outbreak of the
COVID-19 pandemic. This has led to higher
costs, too, with 24% of respondents saying
they paid unexpected expenses to address
a cybersecurity breach or malware attack
following shelter-in-place orders.
Remote work has changed from an
option to a necessity, as organisations
worldwide have closed their offices
amid the COVID-19 health crisis. With a
remote or hybrid workforce, it's essential for
companies to have proper security tools in
place, preventing them from various threats
that could lead to data breaches.
The work scene has completely changed
since the outbreak of the COVID-19
pandemic. Last year, work from home
became the new normal for many employees
worldwide, followed by announcements of
hybrid work arrangements this year. While,
according to the Velocity Smart Technology
Market Research Report 2021, remote work
Therefore, the prevention and protection
of data remain of utmost importance.
Companies need to ensure that employees
are handling and storing sensitive data such
as Personally Identifiable Information (PII)
securely, in accordance with different data
protection laws. To achieve this, employers
should put additional safeguards and
provisions in place to prevent sensitive
data from being misused or mislaid while
employees work remotely.
Here are the most important steps
companies with a distributed workforce
should take to ensure data security:
1. Train employees
Cybersecurity training should be mandatory
26
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

new-world shakeup
for every employee, regardless of their role
or position in the company. They should be
aware of the most common types of threats,
including those caused by malicious
outsiders, such as phishing attacks and those
originating within the organisation itself
caused by social engineering, shadow IT
or sharing data with unauthorised persons.
While criminal attacks are responsible for
many data breaches, human error is also
a significant contributor to security issues.
In these days of remote work, organisations
need to take extra precautions regarding
COVID-19 related scams. Employees need to
be aware of suspicious links or attachments
related to COVID-19, as internet criminals
have widely exploited the pandemic in
numerous phishing and scam campaigns.
With employees working outside the office,
companies must ensure that everybody
knows basic password security, safe
browsing habits and physical security.
Training should be an ongoing procedure,
with required video courses, assessments
etc.
2. Create a remote work policy
Establishing clear rules to govern how
employees work remotely is another crucial
step towards security. A telework or remote
work policy needs to provide information
to the workforce on how to act safely with
corporate devices and data when working
from outside the office. The absence of such
a policy can compromise the compliance of
the organisation.
To ensure security in the age of remote
and hybrid work arrangements, the telework
policy should include information on:
whether employees are allowed or not to
use personal devices when working outside
of the office; if they can install non-work
related software on the devices used for
remote access; how should they report
suspicious incidents while working from
home etc.
3. Require two-factor or
multi-factor authentication
Two-factor authentication (2FA) or multifactor
authentication (MFA) is a security
enhancement that can help to keep accounts
and information safe from unauthorised
entities. By applying this additional security
layer, companies can ensure that unauthorised
parties cannot remotely access their
networks or user accounts.
When employees use 2FA or MFA to access
and use any company apps, resources, tools
or data, the likelihood of malicious outsiders
gaining access to information is considerably
reduced.
4. Have visibility and control
over your company data
Data cannot be protected without knowing
where it is stored and how it is used. An
effective data security strategy ensures both.
By deploying a Data Loss Prevention (DLP)
solution, such as Endpoint Protector,
companies can discover where their sensitive
data resides and monitor the data flow.
Unauthorised data transfers can be blocked
with DLP software and administrators are
alerted. In this way, it is possible to ensure
that sensitive data, such as customers'
personal data or intellectual property, does
not get outside the corporate network or
a user without access.
5. Ensure policies remain active offline
When employees work remotely, they may
not always have a continuous internet
connection available. This means that, while
their computer is offline, data protection
policies are not active.
In this way, companies risk data loss and
non-compliance with data protection laws
like the GDPR or PCI DSS. By using a DLP
solution that applies policies directly on the
endpoint, organisations can ensure that data
continues to be protected and monitored,
whether a computer is online or not.
6. Use encryption
Data encryption is another important best
practice from a security standpoint. When
employees work remotely, it is even more
critical, as it can ensure that, if a device is
lost or stolen, data can't be accessed by
unauthorised people. Hard drives and
individual files can be encrypted with native
encryption tools, like BitLocker in Windows
and FileVault in macOS, without requiring
additional investments.
Data transfers between company-owned
systems and remote work locations should
also be encrypted. A Virtual Private Network
(VPN) is an easy and cost-efficient method
to do this, with some VPNs offering militarygrade
256-bit encryption of data. By
providing a VPN service to all employees,
their internet activities are carried out as if
they are working directly in the office.
7. Keep systems and programs up to date
In these times of teleworking, ensuring that
programs and operating systems are updated
regularly is a critical aspect of security.
Outdated systems and third-party
applications often have weak spots and
vulnerabilities, opening up the business
for cyberattacks. Besides regularly updating
the operating system and third-party
applications, it is essential to keep an eye
on the antivirus and antimalware program, as
well as firewall firmware.
While work from home comes with IT
security risks, the COVID-19 pandemic has
irrevocably changed the world and remote
work is here to stay. Employees enjoy a more
relaxed environment, and that there's no
more stress and wasted time to commute,
while employers can save money on office
space and equipment, with no loss of
productivity.
With this transition to remote work looking
to be long term, now is the perfect time to
secure employees' endpoints and ensure the
company's data stays safe.
www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security
27

global intelligence
CYBER AGENCIES FLEX THEIR GLOBAL MUSCLES
INTERNATIONAL ALLIES SHARE DETAILS OF TOP 30 VULNERABILITIES
THAT WERE ROUTINELY EXPLOITED BY MALICIOUS ACTORS IN 2020
Advice on countering the most publicly
known-and often dated-software
vulnerabilities has been published
for private and public sector organisations
worldwide. It is part of a global initiative to
combat cyber attacks by sharing intelligence
and creating a united front.
The cyber agencies behind the drive are the
UK's National Cyber Security Centre (NCSC),
Cybersecurity and Infrastructure Security
Agency (CISA), Australian Cyber Security
Centre (ACSC) and Federal Bureau of
Investigation (FBI) have published a joint
advisory*, highlighting 30 vulnerabilities
routinely exploited by cyber actors in 2020
and those being exploited in 2021.
In 2021, malicious cyber actors continued
to target vulnerabilities in perimeter-type
devices. Today's advisory lists the vendors,
products, and CVEs, and recommends that
organisations prioritise patching those listed.
GLOBAL CYBER WEAKNESSES
"We are committed to working with allies to
raise awareness
of global
cyber
weaknesses - and present easily actionable
solutions to mitigate them," states NCSC
director for operations, Paul Chichester.
"The advisory… puts the power in every
organisation's hands to fix the most common
vulnerabilities, such as unpatched VPN
gateway devices. Working with our
international partners, we will continue
to raise awareness of the threats posed by
those that seek to cause harm."
As well as alerting organisations to the
threat, the advisory directs public and private
sector partners to the support and resources
available to mitigate and remediate these
vulnerabilities.
Meanwhile, guidance for organisations
on how to protect themselves in cyberspace
can be found on the NCSC website. The
centre’s '10 Steps to Cyber Security collection'
(https://www.ncsc.gov.uk/collection/10-steps)
provides a summary of advice for security and
technical professionals. On the mitigation
of vulnerabilities, network defenders are
encouraged to familiarise themselves
with guidance on
establishing an
effective vulnerability management process.
EARLY WARNING SYSTEM
Elsewhere, the NCSC's Early Warning Service
(https://www.ncsc.gov.uk/information/earlywarning-service)
also provides vulnerability
and open port alerts. This is a free NCSC
service designed to inform your organisation
of potential cyber attacks on your network as
soon as possible. The service uses a variety of
information feeds from the NCSC, trusted
public, commercial and closed sources, which
includes several privileged feeds not available
elsewhere.
To sign up to the NCSC's Early Warning
Service, go to:
https://www.earlywarning.service.ncsc.gov.uk
/?referrer=acdwebsite.
So, what exactly does the service do? Early
Warning filters millions of events that the
NCSC receives every day and, using the IP and
domain names you provide, correlates those
which are relevant to your organisation
into daily notifications for your nominated
contacts via the Early Warning portal.
Organisations that are signed up
receive the following highlevel
types of alerts:
28
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

global intelligence
Incident Notifications - activity that
suggests an active compromise of your
system. For example: a host on your
network has most likely been infected with
a strain of malware
Network Abuse Events - this may be
indicators that your assets have been
associated with malicious or undesirable
activity, such as a client on your network
has been detected scanning the internet
Vulnerability and Open Port Alerts -
indications of vulnerable services running
on your network or potentially undesired
applications are exposed to the internet.
For example: you have a vulnerable
application or have an exposed
Elasticsearch service.
Cyber security researchers will often uncover
malicious activity on the internet or discover
weaknesses in organisations security controls
and release this information in information
feeds. In addition, the NCSC or its partners
may uncover information that is indicative of
a cyber security compromise on a network.
The NCSC will collate this information and
use this data to alert organisations about
potential attacks on their networks.
There are two types of alerts that will be sent
out when an alert has been detected for any
organisation:
Daily Threat Alert - this includes Incident
Notifications and Network Abuse Reports
Weekly Vulnerability Alert - this includes
Vulnerability and Open Port Alerts.
The organisation involved can then use
this information passed on by Early Warning
to investigate the issue and implement
appropriate mitigation solutions where
required. The NCSC's website provides advice
and guidance on how to deal with most
cyber security concerns.
BENEFITS OF EARLY WARNING
By signing up to Early Warning, an organisation
will be alerted to the presence of
malware and vulnerabilities affecting its
network. Early Warning will notify on all
cyber attacks detected by feed suppliers
against that particular organisation. "This
should not be used as the only layer of
defence for a network," cautions the NCSC.
"Early Warning should complement your
existing security controls."
ENHANCING SECURITY
Early Warning aims to enhance security by
increasing awareness of the low-grade
incidents that could become much bigger
issues, so that organisations can act on these
at the earliest opportunity, so that they have
increased confidence in the security of their
networks. Other key considerations:
The service is free and fully funded
by the NCSC
Early Warning does not conduct any active
scanning of a networks itself. (However,
some of the feeds may use scan-derived
data - eg, from commercial feeds.)
CISA executive assistant director for
Cybersecurity, Eric Goldstein, comments:
"Organisations that apply the best practices of
cyber security, such as patching, can reduce
their risk to cyber actors exploiting known
vulnerabilities in their networks. Collaboration
is a crucial part of CISA's work and we have
partnered with ACSC, NCSC and FBI to
highlight cyber vulnerabilities that public and
private organisations should prioritise for
patching to minimise risk of being exploited
by malicious actors."
For his part, FBI cyber assistant director
Bryan Vorndran had this to add: "The FBI
remains committed to sharing information
with public and private organisations in an
effort to prevent malicious cyber actors from
exploiting vulnerabilities.
"We firmly believe that coordination and
collaboration with our federal and private
sector partners will ensure a safer cyber
environment to decrease the opportunity
for these actors to succeed."
LIFT COLLECTIVE DEFENCES
Head of the ACSC, Abigail Bradshaw CSC,
believes the guidance will be valuable for
enabling network defenders and
organisations to lift collective defences
against cyber threats. "This advisory
complements our advice available through
cyber.gov.au and underscores the
determination of the ACSC and our partner
agencies to collaboratively combat malicious
cyber activity."
Amongst those who see attacks and
breaches every day out in the commercial
world, Jon Fielding, managing director, EMEA
Apricorn, sees the NCSC joint advisory as a
great demonstration of collaboration and the
growing need to mitigate against these
common threats. "We are in a software age
and digitalisation is being embraced by more
and more businesses, but, in doing so, the
risks are extended, as security fails to keep
pace with the level of software development
which can provide a weak link into a
corporate network. Ultimately, businesses will
never be 100% secure and, whilst the joint
advisory is a positive step, data needs to be
kept offline and encrypted wherever possible.
Employing a hardware-centric approach,
void of software involvement and encrypting
sensitive data wherever it resides [server,
laptop, removable media] is imperative, so
that, if defences are breached, you remain
protected."
* https://us-cert.cisa.gov/ncas/alerts/aa21-209a
www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security
29

asset disposal
ADISA SETS THE STANDARD
ADISA ASSET RECOVERY STANDARD 8.0 IS FORMALLY
APPROVED BY UK INFORMATION COMMISSIONER'S OFFICE
determined by their own responses to those
key questions.
"This has allowed the ADISA Standard 8.0
to introduce a tiering level for the controls,
which are put in place in over 30 areas
where different risk countermeasures have
been identified. With a total number of 221
criteria, this is the most exacting assessment
of a data processor within this specific
industry," adds Mellings.
In July 2019, ADISA CEO Steve Mellings
sent a rather speculative email into the
ICO, asking for details about how he
could apply to get the ADISA ITAD Industry
Standard recognised under Article 42 of the
then EU GDPR. "That request now seems a
very long time ago," he reflects, "as we have
battled through Brexit, creation of UK GDPR
and, of course, COVID challenges. But, as
per the ICO press release on 19 August,
I'm delighted to now be able to publicly
confirm that ADISA IT Asset Recovery
Standard 8.0 has become one of the first
Standards approved by the Commissioner."
DATA IMPACT ASSURANCE LEVELS
"A key part of our work with the ICO was to
find a way to empower the data controller
to make decisions on critical processes
undertaken during the asset recovery and
data sanitisation activity which they may not
even be aware of," explains Mellings "These
processes introduce risk and the ICO made it
clear that the data controller needed to
be made aware of these and be able to
determine the level of controls required."
This caused much discussion about how it
could be achieved without a requirement for
the data controller to be completely handson
in the process and it wasn't until he
remembered the old CESG Business Impact
Levels that the solution became apparent.
"By customising that concept, ADISA has
created the 'Data Impact Assessment Level'
or 'DIAL'. This is a formula in which the data
controller answers five simple questions,
which will then identify them at a particular
DIAL rating. These questions are based
on threat, risk appetite, categories of data,
volume of data and, finally, impact of
a data breach, and will enable the controller
to present to their supplier a 'DIAL that is
WHAT DOES THIS MEAN
AND HOW CAN IT HELP YOU?
"In short, it means that, over the two-year
period, we've worked with the Commissioner
to agree on what needs to happen
during the Asset Recovery and Data
Sanitisation process for it to be viewed as
UK GDPR compliant. With data protection
and cyber security being a complex area,
this new ICO-approved Standard can help
fix one problem that many don't even know
they have - how to dispose of retired assets
and ensure regulatory compliance."
WE'RE ONLY HALFWAY THERE
"Whilst Standard 8.0 has now been formally
recognised, we are now undertaking the
second part of our project, which is to get
our auditing process UKAS accredited, such
that we have a UK GDPR-approved scheme,"
he adds. "We've been working on this
behind the scenes for over 12 months and
our application to UKAS is now in, and we
expect this process to take between 6-9
months. This will provide ample time for
existing certified ITADs and new applicants
to working towards 8.0 to ensure those
companies certified to Standard 8.0 can
genuinely evidence UK GDPR compliance."
To find out more, go to https://adisa.global - or
just click here.
30
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

CS Nominations 2021
NOMINATIONS OPEN NOW - AND WE WANT YOUR VOTES!
THE COMPUTING SECURITY AWARDS 2021 ARE FAST APPROACHING, SO IT'S TIME FOR YOU, OUR READERS,
TO CAST YOUR VOTES FOR THE COMPANIES, PRODUCTS AND SERVICES THAT HAVE IMPRESSED YOU MOST
IN THE PAST 12 MONTHS
It’s official: the Computing Security
Awards for 2021 will be taking place
LIVE in London in December! (Page 3)
Forced to go 'virtual' last year, the news
couldn't be more welcome - and we
plan to celebrate the occasion with all
the panache and passion of previous
awards. In the meantime, we need you - our
readers - to play a key part in the build-up by
nominating those Companies, Products &
Services you feel deserve recognition for
the impact they have had over the last 12
very difficult months. You may want to
reflect on some of the following criteria,
for example, in reaching your verdict:
Which companies have helped to
secure your organisation's digital
infrastructure over the past year?
What Cyber Security products/
services have most impressed you?
Are you a Cyber Security company
that’s proud of the service or technology
you have provided to customers?
Go to the awards nominations page now -
computingsecurityawards.co.uk - and cast
your votes.
HERE IS THE FULL LIST OF THE 2021 AWARDS CATEGORIES AWAITING YOUR VOTES:
Advanced Persistent Threat (APT) Solution of the Year
AI and Machine learning based Security Solution of the Year
Anti Malware Solution of the Year
Anti Phishing Solution of the Year
Cloud-Delivered Security Solution of Year
Compliance Award - Security
Contribution to CyberSecurity Award - Person
Customer Service Award - Security
Cyber Security Innovation Award: Countering Covid-19
.DLP Solution of the Year
Editor's Choice - Benchtested
Email Security Solution of the Year
Encryption Solution of the Year
Enterprise Security Solution of the Year
Identity and Access Management Solution of the Year
Incident Response & Investigation Security Service Provider of the Year
Mobile Security Solution of the Year
Network Security Solution of the Year
New Cloud-Delivered Security Solution of the Year
New Security Software Solution of the Year
One to Watch Security - Company
One to Watch Security - Product
Penetration Testing Solution of the Year
Remote Monitoring Security Solution of the Year
Secure Data & Asset Disposal Company of the Year
Security Company of the Year
Security Distributor of the Year
Security Education and Training Provider of the Year
Security Project Category(s) of the Year
Security Reseller of the Year
Security Service Provider of the Year
SME Security Solution of the Year
Threat Intelligence Award
Web Application Firewall of the Year
To discuss nominating, voting, becoming a sponsor or booking
seats at the Awards ceremony, please contact:
Edward O'Connor
Email: edward.oconnor@btc.co.uk
Tel: +44 (0) 1689 616000
Lyndsey Camplin
Email: lyndsey.camplin@btc.co.uk
Stuart Leigh
Email: stuart.leigh@btc.co.uk
CS AWARDS 2021 - KEY DATES:
Nominations open - 20 August
Nominations close - 24 September
Finalists announced & voting opens - 1 October
Voting closes - 19 November
Awards Ceremony - 2 December
www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security
31

APTs
HOW TO DISRUPT THE KILL-CHAIN
IT MIGHT TAKE ONLY MINUTES FOR A CYBERCRIMINAL TO BREAK
INTO YOUR NETWORK - SO HOW DO YOU ENSURE THEY NEVER
GET THAT FAR?
From cyber criminals who seek personal
financial information and intellectual
property to state-sponsored cyber
attacks designed to steal data and
compromise infrastructure, today's advanced
persistent threats (APTs) can sidestep cyber
security efforts and cause serious damage to
your organisation. A skilled and determined
cyber criminal can use multiple vectors and
entry points to navigate around defences,
breach your network in minutes and evade
detection for months. APTs present a massive
challenge for organisational cyber security
efforts.
"While traditional cybersecurity measures
are effective for dealing with opportunistic
cybercrime, they are not enough to protect
organisations against APT attacks," says David
Emm, principal security researcher, Kaspersky.
"Rather, it's essential to deploy a specific
anti-targeted attack solution that is able
to proactively monitor the network and
combines extended detection and response
capabilities - combining in-depth
investigation, threat hunting and central
management and co-ordination.
360-DEGREE VIEW
"Counteracting modern cyber-threats also
requires a 360-degree view of the TTPs
[Tactics, Techniques and Procedures] used by
advanced threat actors. While the TTPs of
some APT threat actors remain consistent
over time, others refresh their toolsets and
infrastructure, and extend the scope of
their activities. Nevertheless, it's difficult
for attackers to completely change their
behaviour and methods during attack
execution - so identification and analysis of
these patterns promptly helps organisations
deploy effective defensive mechanisms in
advance, thereby disarming attackers and
disrupting the kill-chain," states Emm.
"That's why it's important to harness the
benefits of threat intelligence, to track threat
actors and uncover the most sophisticated
and dangerous targeted attacks across
the world. This will enable organisations
to proactively deploy effective threat
detection and risk mitigation controls
for the associated campaigns - across
enterprises, financial services businesses,
government organisations and managed
security service providers."
Organisations that rely solely on defencein-depth,
firewalls and antivirus risk leaving
themselves open to cyber-attacks, especially
given how massive an undertaking tracking,
analysing, interpreting and mitigating
constantly evolving IT security threats is.
"Enterprises across all sectors are facing a
shortage of the up-to-the-minute, relevant
data they need to help manage the risks
associated with IT security threats, due to:
real threats being buried among thousands
of insignificant alerts; poor incident
prioritisation; inadequate internal funding
due to poor risk visibility; undiscovered, but
active, threats lurking within an organisation;
unknown attack vectors being missed;
and companies pursuing a security strategy
that's not aligned with the current threat
landscape," he cautions.
"Even sophisticated APT threat actors
typically gain an initial foothold by using
social engineering to trick staff into doing
something that jeopardises corporate security
- eg, clicking on a malicious link - so it's vital
to find imaginative ways to 'patch' the
organisation's human resources. This means
identifying risky behaviours and developing
a plan for reshaping people's behaviour. The
ultimate goal should be to develop a security
culture that encompasses digital and realworld
behaviour - and extends into how staff
operate when at home or when travelling.
Purpose-built online security awareness
platforms can help with this."
INFILTRATION
"Using Advanced Persistent Threats, threat
actors utilise various methods to infiltrate
targeted networks," says Bindu Sundaresan,
director at AT&T Cybersecurity." Some of the
standard attack methods she points out
include:
Social engineering: the attackers employ
manipulative means to obtain confidential
information. This includes phishing
attacks, pretexting, tailgating, and other
means to enter the targeted network
Zero-day attack: the attackers profit
from a security flaw in software before
a security patch is made or installed
Supply chain attack: the attackers exploit
vulnerabilities within the supply chain.
These may be commercial partners and
suppliers who are connected to the
targeted network
Use of backdoors: the attackers exploit
undocumented access to software or use
32
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

APTs
malware to install backdoors that
bypass authentication.
The defence-in-depth model needs to
evolve to stay relevant by adopting
automated security and a zero-trust model,
she points out. "With this model, security
teams can scale their efforts in the
constantly-changing world of cybersecurity.
There are different levels of traditional
cybersecurity tools, such as firewalls,
antivirus, and defence in depth (IPS, IDS),
which aren't enough against an attack by
an APT. Still, they are necessary as essential
foundational must-haves from a security
standpoint. Advanced security consisting of
network devices with sandboxing systems,
new generation SIEM, EDR and subscriptions
to cyber intelligence services are essential to
detect and respond to attacks of the APT
magnitude. Early detection of APT attacks
is critical for successful mitigation before
networks are compromised and sensitive
data is exposed."
APT is a multi-faceted attack and defences
must include multiple techniques, such
as email filtering, endpoint protection,
privileged access management, and visibility
into the traffic and user behaviour," continues
Sundaresan, expanding on these as follows:
Email filtering: "Most APT attacks leverage
phishing to gain initial access. Filtering
emails, and blocking malicious links or
attachments within emails, can stop these
penetration attempts."
Endpoint protection: "Most APT attacks
involve the takeover of endpoint devices.
Advanced anti-malware protection and
Endpoint Detection and Response can help
identify and react to compromise of an
endpoint by APT actors."
Access control and Privileged Access
Management: "Strong authentication
measures and close management of user
accounts, with a particular focus on
privileged accounts, can reduce APT risks."
Monitoring of traffic, user and entity
behaviour: "Visibility and monitoring can help
identify penetrations, lateral movement and
exfiltration at different stages of an APT
attack."
As the definition of APT implies success
against you and your organisation, never has
detection and response been so important,
she concludes. "Preparation is paramount;
the fight against APT is a continuous effort,"
she warns. "Organisations need to become
aware of the nature of these attacks, and the
types of effective practices and technologies
that can help to combat them."
MURKY DEPTHS
For years, threat actors, like nation states and
cybercriminals, had distinct motivations and
different tools, comments Sam Curry, chief
security officer, Cybereason. "Nation states, or
'advanced persistent threats' as we called
them, moved like submarines, stalking ships
in the waters of target networks, carrying out
the policies of their governments and
providing asymmetric options, aside from the
normal diplomatic, economic, and military
strategies and tactics.
"By contrast, the fight against cybercriminals
more resembled battleship warfare than
submarine. The motivation among criminals
was profit and, as such, it was about
maximising the number of victims and
wringing every drop from an infection for as
long as possible. Even in the old days, the
security industry was not up to the task of
stopping either the malicious operations of
nation states nor the smash-and-grab theft
of cybercriminals."
The silver lining, however, adds Curry, is
the emergence of endpoint detection and
response (EDR), which is often mistaken
for a mere extension of existing endpoint
protection technologies like antivirus or
personal firewalls. "It is a tool for finding the
Sam Curry, Cybereason: nation states moved
like submarines, stalking ships in the waters
of target networks.
Bindu Sundaresan, AT&T Cybersecurity: the
defence-in-depth model needs to evolve to
stay relevant.
www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security
33

APTs
David Emm, Kaspersky: it's essential to
deploy a specific anti-targeted attack
solution.
advanced operations and provides the
hunter-killer options for the cyber conflicts
being waged on corporate and government
networks. EDR has evolved first into
managed detection and response (MDR),
providing the men and women behind
screens in managed services, and into
extended detection response (XDR), uplifting
the telemetry recording from formerly
ubiquitous endpoints to the transformed
enterprise of SaaS, Cloud Infrastructure and
beyond."
Fast forward to today, and the dark side
ecosystem is very different, he states.
"The attackers have not slowed down and
have, in fact, evolved at a faster rate than
defenders have, except perhaps among the
most sophisticated defenders. Not only
are they attacking the newer infrastructure
associated with SaaS services, but they are
now targeting the new IT stack in the form
of IaaS and PaaS compromise. In the last
five years, the lines among attackers have
become more blurred, with sharing of tools
and relationships that mirror the alliances,
investments and partnerships of the more
normal and legitimate industries."
MIXED MOTIVES
Further, the motivations for each actor have
become less distinct, adds Curry, "with nation
states pursuing currency, in the case of North
Korea, fostering ransomware, in the case
of Russia, and development of supply chain
compromises, in the case of Russia and
China, to name just a few".
The most insidious examples of these are
developments in the last six months, he says.
"The first is ransomware, which is really a
combination of the old APT-style delivery
mechanism through stealthy submarine-like
operations, but doing so for profit. The
second and most recent is evident in
the recent Kaseya attack: supply chain
compromise for the purpose of delivering
ransomware as the payload. This is a killer
combination."
This is the reason for the mandate of EDR
(or MDR or XDR) for the US Federal
government in the recent White House
Executive Order, he points out. "Having a
means of finding the attacks as they move
in the slow, subtle, stealthy way through
networks isn't an option. This class of tool
isn't the be-all and end-all, but it's at the top
of the toolkit, along with more advanced
prevention, building resilience, ensuring that
the blast radius of payloads is minimised and
generally using peace time to foster antifragility.
The most significant takeaway: it's
not about who we hire or what we buy. It's
about how we adapt and improve every day."
HIGHLY TARGETED
The worst APTs - or the best APTs, depending
on which side of the fence you're on - are
highly targeted, comments Richard Walters,
CTO of Censornet. "They are painstakingly
researched and crafted with the exact target
environment in mind. In any security
ecosystem consisting of numerous point
products, there will be some that are not
fully integrated - even those that are multilayered
and provide defence-in-depth. This
means there will be security gaps."
APTs are written to relentlessly persist until
those gaps are found and access is gained,
he adds. "VPNs from Pulse Secure, Fortinet
and Palo Alto Networks, as well as VMware's
ESXi Hypervisor, SolarWinds Orion and
O365, have all been targeted. And
compromised.
"APTs are often so intricately coded to the
target network that they can only have been
designed and written by well-funded,
well-organised entities, such as a foreign
government, a criminal gang or large
enterprise. These need not be mutually
exclusive. Governments will use criminal
organisations to carry out cyber espionage,
enabling them to exercise plausible
deniability. There is an ever-growing body
of evidence for state and criminal actor cooperation
and cross-over.
"Whilst you must be an extremely attractive
and otherwise impenetrable target for state
or criminal actors to use a true zero-day
exploit against you," comments Walters
[given that they cost low single digit millions
of dollars], "customised malware variants
may often form part of an APT, using string
obfuscation to avoid detection by traditional
anti-malware tools. Sandboxing helps -
although not all sandboxes are the same -
but sandbox use is often limited to the email
security channel."
APTs may also consist of multiple layers.
"Too often, an initial threat or infection that
appears to be known and straightforward is
identified, the infected endpoint is cleaned,
rather than subjected to a complete, bare
metal install, and the infosec team moves on.
One month later, the next APT layer activates
and it is harder to detect using standard
security tools. A low and slow approach is
often more successful."
34
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk

Pragmatic and experienced risk
management professionals
Xcina Consulting is committed to providing high quality risk assurance and advisory services informed by
many years of lived client experiences.
For over 10 years, our clients have enlisted our services to design, assess, test and implement risk
management frameworks in key areas of the organisation, ensuring compliance with best practice,
industry standards, laws and regulations.
We support all organisations with challenging and complex requirements to effectively manage their risks
to realise value.
Our pragmatic, well qualified and experienced consultants design targeted solutions suited to our clients’
specific requirements. No generic templates from us.
We are accredited by the Payment Card Industry’s Security Standards Council as a Qualified Security
Assessor (QSA) company and are a British Standards Institution (BSI) Platinum member for the provision of
ISO27001 (Information Security) and ISO22301 (Business Continuity) services.
Our Core Services:
• Operational Resilience
• Business Continuity and Crisis
Management
• Information Security / Cyber Security
• IT and OT Security
• Payment Card Industry
• Enterprise Risk Management
• Due Diligence
• Internal Audit
• Process Improvement
• Third Party Management (including
outsourcing)
• Regulatory Compliance (FCA, PRA)
• Data Protection
• Project and Change Management
• Internal Controls Assurance (ISAE3402,
SSAE18, SOX)
Xcina Consulting
1 King William Street | London | EC4N 7AF | E info@xcinaconsulting.com | T020 3985 8467 xcinaconsulting.com