CS Oct 2021




Secure systems, secure data, secure people, secure business

The supply chain has never been more vulnerable and at risk

How to achieve backup protection - with your workforce fully engaged

If you are a victim, should you give in or fight it out?

Some resources you just can't do without and top intel is one of them

Computing Security October 2021

A First & Last Line of Defence Against Cyberattacks

Arcserve best-in-class solutions - which manage, protect and recover all data workloads, from SMB to enterprise - eliminate standalone, discrete products for threat prevention, ransomware disaster recovery and application availability. Safeguarded by Sophos Intercept X Advanced for Server, Arcserve uniquely combines deep-learning server protection, immutable storage, and scalable onsite and offsite business continuity to deliver complete data resilience for the next generation of hybrid data centres.




EDITOR: Brian Wall




Jake Moore, ESET: blaming social media and other technology companies is a desperate and empty argument.

The Metropolitan Police commissioner recently accused tech giants of making it harder to identify and stop terrorists, according to BBC News. The tech giants' focus on end-to-end encryption was making it "impossible in some cases" for the police to do their jobs, Dame Cressida Dick wrote in The Telegraph. In her piece marking the 20th anniversary of the 9/11 attacks, she stressed that advances in communication technologies meant terrorists were now able to "recruit anyone, anywhere and at any time" through social media and the internet. In response, she argued, the UK needs to constantly develop its own digital capabilities to keep up with terrorists exploiting technology to their advantage.

Perhaps not too surprisingly, her message echoed that of Home Secretary Priti Patel, who, at a meeting of the G7 interior ministers, launched the Safety Tech Challenge Fund. The fund will award five applicants up to £85,000 each to develop new technologies that enable the detection of child sexual abuse material (CSAM) online without breaking end-to-end encryption.

But is the stance taken by Dick and Patel fair - or even accurate? Jake Moore, Cybersecurity Specialist at ESET, who sees no sign of the police's long-running encryption debate slowing down, believes not. "While more needs to be done to combat online crime, blaming social media and other technology companies is a desperate and empty argument," he says. "Encryption should never be generated with a backdoor - for any use whatsoever. If it were possible, it not only breaks the internet, but would also be abused: used for hacking, tracking and more. It makes a mockery of any attempt at online privacy, which is slowly becoming more important for many people."

Moore adds that what is needed now is better privacy and security, and that "criticising the current encryption system makes the police look like they've lost the war on digital crime". The answer, he argues, lies with a different approach to investigations altogether: "Long gone are the days where the police can call upon an organisation to retrieve logs and communications between two suspects to surveil their actions."

Clearly, it is high time that the forces of law became forces for good by getting out of the blame game and taking some of the burden and responsibility on their own shoulders.

Brian Wall


Computing Security



Edward O’Connor


+ 44 (0)1689 616 000

Lyndsey Camplin


+ 44 (0)7946 679 853

Stuart Leigh


+ 44 (0)1689 616 000

PUBLISHER: John Jageurs


Published by Barrow & Thompkins

Connexions Ltd (BTC)

35 Station Square,

Petts Wood, Kent, BR5 1LZ

Tel: +44 (0)1689 616 000

Fax: +44 (0)1689 82 66 22



Published 6 times a year.

© 2021 Barrow & Thompkins

Connexions Ltd. All rights reserved.

No part of the magazine may be

reproduced without prior consent,

in writing, from the publisher.

www.computingsecurity.co.uk October 2021 computing security




Police point finger at tech giants





Gareth Owen of Redkey USB delves into the world of Data Wipe Standards

With supply chains under heavy pressure and shortages forecast, Paul Harris, Pentest Limited, looks at the implications

A new type of expertise is helping to safeguard personal, business and government data - and to defend critical infrastructure against hostile attacks







Patrick Wragg, Integrity360: the key to advanced threat protection is layers: ensuring your operating systems and applications are up to date; users are educated; and that you have the latest security solutions in place.

Can advanced threat protection (ATP) outwit attackers who now use trusted cloud services and constantly change their tactics to avoid known patterns of behaviour? Or is keeping ahead of such potent forces slipping out of the grasp of those under fire?

Advanced threat protection (ATP) refers to a category of security solutions that defend against sophisticated malware or hacking-based attacks targeting sensitive data. ATP solutions are available as software or as managed services. They differ in approach and components, but most include some combination of endpoint agents, network devices, email gateways, malware protection systems and a centralised management console to correlate alerts and manage defences.

But how do they operate and perform 'in anger', so to speak, and where might there be any weaknesses? At the same time, in a world where the threat levels alter i ally and rapidly at an alarming rate, d to be adapted to

email attack is phishing [ie, harvesting login information using spoofed web pages of trusted brands]; once attackers have the ability to remotely log in to a corporate network, they can launch convincing fraud campaigns and surveil the environment to find the most sensitive data to steal or the most business-critical servers to infect with

Security controls beyond the gateway have traditionally focused on data loss prevention, sophisticated malware analysis and endpoint security solutions, he points out. "However, advanced email threats still evade detection and containment, largely because attackers use trusted cloud services and constantly change their tactics to avoid known patterns of behaviour. Endpoint security agents can quickly spot a compromised device, but it may be too

loss prevention can detect sensitive

organisation, but



What approach should an enterprise take to ensure it has the best protections in place - as well as employees who are fully engaged in making the process work? Getting this right is a complex, but essential, process and the payback its own reward!

Steven Usher, Brookcourt Solutions, offers his insights on measuring the success of a cyber threat intelligence program

The time has come to 'DIAL' it in, states ADISA founder Steve Mellings

When threatened with a ransom demand, should you just submit? Steven Usher, of Brookcourt Solutions, weighs up the pros and cons

Paying ransomware is a topic that greatly divides opinion, especially in the corporate boardroom. Cold logic might dictate that any demand should be firmly rejected. What if it turned out to be a matter of life or death, though - wouldn't that change

James Drake, of XCINA Consulting, looks at the challenges and many opportunities that new regulations will bring

Organisations have been opened up to a world of new and unmanaged cyber risk

Nick Evans, of SecurEnvoy, considers a perplexing dilemma - and the role of MFA

Threat intelligence is massively important for all levels of organisations, since even large companies have limitations on resources. So, efforts must be put into projects that will pay off and help keep enterprises that much safer

Tim Callan, of Sectigo, on how easy it is to manipulate and falsify business emails

• Redkey USB
• Zivver Secure Email


product review


With all the focus on cybercriminals and internet attacks, it's easy to forget that data breaches can just as easily occur if businesses fail to remove confidential data when discarding or selling on their old computers. It's more environmentally friendly to recycle drives rather than destroy them, but simply formatting a drive or deleting the data residing on it is not enough: the data must be securely erased to ensure it cannot be recovered.

There are plenty of free disk wipe utilities available, but few provide any certification of data removal for auditing purposes and regulatory compliance. Redkey USB looks the ideal solution, as this unassuming memory stick is loaded with tools for securely erasing SATA HDDs and SSDs, plus USB, NVMe, M.2, PCIe and eMMC storage devices, to a range of defence wipe standards.

Some commercial erasure utilities enforce pay-per-drive licensing, but Redkey USB can be used as many times as you want. A single payment allows you to use the device an unlimited number of times on any number of Windows or Mac computers, and it includes perpetual online updates and support.

Three editions are available and we review the Ultimate version, which enables every feature the company has to offer. All three editions deliver certified secure erase technology plus 25 defence wipe standards, while an Ultimate licence adds editable reports with field pre-fill options and automated scripting, so the device runs a custom sequence of events when a computer is booted from it.

Security starts before you've even received the product, as it is sent via tracked delivery, with the Redkey USB supplied in a tough tamper-proof package. It arrives blank and is prepared using the Redkey USB Updater utility - a portable executable that must be run on a Windows system with internet

Activation is simple: you insert the device and enter the 20-digit authorisation code hidden under a scratch panel inside the package. Once the code is verified, you can leave the utility to download all required files and prepare the Redkey USB as a bootable device.

At this point, you can use the default automated erase settings or customise them from the utility, while scripting for the Ultimate edition uses a text file on the device that can be modified to define specific wipe sequences. You can, for example, set priorities for erase functions, create a sequence of events, including automatic computer shutdown on wipe completion, and enable auto-saving for erasure reports.

To test the Redkey USB, we left it on its default settings, inserted it in a Dell Precision Windows 10 Pro workstation and selected its UEFI one-time boot option. On first contact, you can choose the default GUI or swap to a text-based version if the former isn't supported. Countdown timers and audio assistance are provided throughout and, if you do nothing, it will start the erase process on every discovered storage device after one minute. That unattended default is convenient for a disposal bench, but it means any drive you intend to keep should be disconnected before you boot from the stick. Our test system had a 3TB WD Red SATA HDD, which the Redkey USB automatically 'unfroze' to allow the SATA secure erase command to be used, and then took seven hours to complete the full wipe process, accompanied by screensavers and

A detailed PDF report is generated on completion, which can be manually edited with information such as where a backup has been stored and who conducted the erase. This can then be saved directly to the Redkey USB or another removable device.

The Redkey USB is an elegant and affordable solution for professionals and businesses that want certified, standards-based disk erasure, with lifetime support. If you need to know without any doubt that your data is gone for good, you need Redkey USB.

Product: Redkey USB
Supplier: Redkey USB Ltd
Web site: www.redkeyusb.com
Sales: contact@redkeyusb.com
Price: Home £19.95, Professional £39.95, Ultimate £59.95



ADISA ICT Asset Recovery Standard 8.0 is formally approved by the UK ICO (Approval ICO – CSC/003 and ICO – CSC/004)

Use an ADISA Certified company to be assured of UK GDPR compliance when disposing of your IT assets. Visit adisa.global to find out more

Want to know how to retire assets so you can promote reuse AND meet data protection legislation?

ADISA offers a range of training courses, all presented by leaders in the field, including a brand-new course which helps data controllers write an asset retirement program to achieve the objective of meeting sustainability and security targets. Visit adisa.global/training to find out more

data management





When a computer is liquidated, recycled or repurposed, it is standard practice to sanitise all user data. Typically, this involves erasing the contents of the hard drive to eliminate the possibility of a data breach. Various regulations exist to ensure organisations handle this process responsibly, so most organisations will either take care of the process in-house or outsource the procedure altogether.

Except in the case of physical destruction, a certified data wipe product will likely be at the heart of the process and, with it, a data wipe 'standard' will be applied. Data wipe standards provide a convenient, defined and repeatable process. If a data wipe standard is already specified within organisational policy, then little consideration is required. However, if a specific standard is not established, or you suspect your current procedure is inadequate, where do you start?

Traditionally, data wiping involves overwriting a drive with a continuous stream of binary data until the drive is full, which destroys any previously stored information. Conventional data wipe standards, such as the US 'DoD' patterns and the 'Gutmann 35-pass' method, may sound familiar, but it is well established that overwrite-only standards are ineffective with modern drives. SSDs and NVMe devices use internal wear levelling and over-provisioning, so part of the storage medium is hidden from the host: blocks that have been remapped or held in reserve are never reached by a host-side overwrite, however many passes it makes.

More than one method of sanitising a drive has existed for some time now, and modern drives can be instructed to erase themselves internally. The ATA security feature set provides the SECURITY ERASE UNIT command (and its enhanced variant), which tells the drive's own firmware to erase all user-addressable sectors; with the right tool, a SATA drive can simply be told to self-erase. Even more modern drives use the NVMe command set, which implements similar internal erase functions through its Format NVM (with secure erase) and Sanitize commands.

A side benefit of these methods is that the process is relatively fast, because internal erasing is not hampered by any interface bottleneck. Support for the ATA/NVMe erase commands varies between drives, because the implementation of the erase functions is manufacturer dependent, and some implementations have been shown not to erase everything they claim to. It is therefore not always possible to be 100% sure that a data wipe has been successful using internal erasure alone, which is why a serious standard reads the drive back afterwards to confirm the erase did what was claimed.

Besides this, many drives that support internal erase contain 'hidden areas', such as the Host Protected Area (HPA) and Device Configuration Overlay (DCO). These areas sit beyond the capacity the drive reports to the operating system, so they are not ordinarily accessible, yet they can hold any form of sensitive data, including malware. Because a drive with an HPA or DCO reports a smaller size than its native maximum, an erase that trusts the reported size can leave those sectors untouched. It is therefore essential that your data wipe standard incorporates the elimination of hidden areas into its process.

The most secure data wipe standards first eliminate any hidden areas, then wipe the drive using a combination of both internal and external (overwrite) erasing methods. More modern standards, such as the AGISM (Australian Government Information Security Manual), BSI-GSE, NIST 800-88 Purge and the ADISA Certified Redkey Level 1 standard, already incorporate this degree of rigour into their processes, so are firmly compliant with respect to GDPR, HIPAA and NIST guidelines for data destruction.

One minor drawback of the most secure data wipe standards is that they can be time-costly and perhaps even overkill for some low-risk situations - for example, when a computer is redeployed internally within an organisation. Under such circumstances, a more efficient HPA and DCO reset, combined with a secure erase, may suffice.
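The sequence this article describes for a SATA drive - check that the ATA security feature set is usable and not frozen, remove any HPA/DCO so the erase covers the native capacity, issue the internal erase, then read the drive back to confirm it actually happened - can be scripted. The script below is an added example written for this page, not code from the article or from any Redkey product. It assumes Linux with hdparm and util-linux (blockdev) for the live steps; the parsing and read-back helpers are plain POSIX shell and run offline on captured hdparm output and ordinary files, which is how they are exercised here. Device names such as /dev/sdX are placeholders. An NVMe drive would use nvme-cli's format/sanitize commands instead, which are not shown.

```shell
#!/bin/sh
# ATA secure-erase workflow for a SATA drive (added example, not from the page).
# Assumes Linux + hdparm + blockdev for the live steps. The parse/verify helpers
# are pure shell and run offline on captured hdparm output and ordinary files.

# Parse `hdparm -N /dev/sdX` output and print "<visible> <native>" sector counts.
# Sample line:  max sectors   = 5860533168/5860533168, HPA is disabled
hpa_limits() {
    printf '%s\n' "$1" |
        sed -n 's/.*max sectors *= *\([0-9][0-9]*\)\/\([0-9][0-9]*\).*/\1 \2/p'
}

# Number of sectors hidden by an HPA (0 when none); fails if output is unparsable.
hpa_hidden_sectors() {
    limits=$(hpa_limits "$1")
    [ -n "$limits" ] || return 1
    set -- $limits
    echo $(($2 - $1))
}

# Classify the "Security:" block of `hdparm -I` output as one of:
#   unsupported | frozen | locked | enabled | ready
# hdparm prints "not<TAB>frozen" when the drive is erasable and a bare
# "frozen" when the BIOS froze the security feature set at boot.
ata_security_state() {
    sec=$(printf '%s\n' "$1" | sed -n '/^Security:/,$p')
    [ -n "$sec" ] || { echo unsupported; return 0; }
    if   printf '%s\n' "$sec" | grep -q '^[[:space:]]*not[[:space:]]*supported'; then echo unsupported
    elif printf '%s\n' "$sec" | grep -q '^[[:space:]]*frozen';  then echo frozen
    elif printf '%s\n' "$sec" | grep -q '^[[:space:]]*locked';  then echo locked
    elif printf '%s\n' "$sec" | grep -q '^[[:space:]]*enabled'; then echo enabled
    else echo ready
    fi
}

# Live erase sequence (root + hdparm required; destroys all data on $1).
# $1 = device such as /dev/sdX (placeholder); $2 = temporary password.
ata_secure_erase() {
    dev=$1; pass=${2:-WipeMe}
    case $(ata_security_state "$(hdparm -I "$dev")") in
        frozen)      echo "$dev: security frozen by BIOS; suspend/resume or hot-replug, then retry" >&2; return 1 ;;
        locked)      echo "$dev: already locked; unlock with its existing password first" >&2; return 1 ;;
        unsupported) echo "$dev: no ATA security feature set; use an overwrite method" >&2; return 1 ;;
    esac
    hidden=$(hpa_hidden_sectors "$(hdparm -N "$dev")") || { echo "$dev: cannot read HPA state" >&2; return 1; }
    if [ "$hidden" -gt 0 ]; then
        # Restore the native max so the erase covers the sectors the HPA was hiding.
        set -- $(hpa_limits "$(hdparm -N "$dev")")
        hdparm --yes-i-know-what-i-am-doing -N p"$2" "$dev" || return 1
    fi
    # A DCO can also shrink the visible capacity; restore factory settings first
    # (fails harmlessly on drives without DCO support).
    hdparm --yes-i-know-what-i-am-doing --dco-restore "$dev" 2>/dev/null
    hdparm --user-master u --security-set-pass "$pass" "$dev" || return 1
    if hdparm -I "$dev" | grep -q 'supported: enhanced erase'; then
        hdparm --user-master u --security-erase-enhanced "$pass" "$dev"
    else
        hdparm --user-master u --security-erase "$pass" "$dev"
    fi
}

# Read-back check: sample $2 evenly spaced chunks of $3 bytes (default 16 x 1 MiB)
# from $1 and fail on the first chunk that contains a non-zero byte.
verify_zeroed() {
    path=$1; samples=${2:-16}; chunk=${3:-1048576}
    if [ -b "$path" ]; then size=$(blockdev --getsize64 "$path"); else size=$(( $(wc -c < "$path") )); fi
    total=$((size / chunk))
    [ "$total" -gt 0 ] || { echo "$path: smaller than one chunk" >&2; return 1; }
    i=0
    while [ "$i" -lt "$samples" ]; do
        idx=$((total * i / samples))
        # od dumps hex bytes; stripping spaces, zeros and newlines leaves only non-zero nibbles.
        nonzero=$(( $(dd if="$path" bs="$chunk" skip="$idx" count=1 2>/dev/null |
                      od -An -v -tx1 | tr -d ' 0\n' | wc -c) ))
        if [ "$nonzero" -gt 0 ]; then
            echo "$path: non-zero data at byte offset $((idx * chunk))" >&2
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# Usage (as root, on a drive you are retiring):
#   ata_secure_erase /dev/sdX && verify_zeroed /dev/sdX 64
```

The read-back step is the part internal erasure alone cannot give you: it samples the drive at evenly spaced offsets rather than trusting the command's return code. Note that some drives fill with a vendor pattern rather than zeros after an enhanced erase, in which case compare the samples against the drive's documented post-erase content instead of zero.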



supply chain threats

Paul Harris, Pentest: digital supply chains can be seen as an easy target for malicious threats.






As I write this article, supply chains are hitting the headlines. Retailers are warning there could be a shortage of toys at Christmas, McDonald's ran out of milkshakes and Nando's was forced to close restaurants because its supply chain was, and I quote, "having a bit of a 'mare". These are the more trivial headlines, but things could be serious, and everyone from car manufacturers to building merchants, the NHS to food producers, is talking about supply chain

Whether these supply chain issues are because of Brexit, Covid, increasing demand, staffing levels or a combination of things is up for debate, and it is yet to be seen how many of them will play out. But, whatever the cause or the outcome, these scenarios clearly demonstrate the effects supply chain disruption can have from an economic and business standpoint, as well as on a personal level.

Physical supply chains are the focus of these headlines, and the threat of empty supermarket shelves and rising prices is always going to hit the news. But, for organisations, supply chains aren't just physical; they can also be digital. Many, if not most, of today's organisations rely on digital products and software suppliers for day-to-day operations, and if that supply chain were disrupted, for any reason, then organisations, and ultimately consumers, could see similar negative effects.

An example of this occurred in June this year, when a 'bug' in the software of the content delivery network (CDN) provider Fastly was triggered by a customer. The flaw ultimately took down 85% of the company's network and caused outages for many of its well-known customers, such as BBC News, Spotify, Amazon and the Gov.uk website. The outage lasted just under an hour and, for many, it wasn't too serious, but for those reliant on website traffic and online orders - Amazon, for example - the outage could have cost the company $32m in sales, according to one calculation. This just shows the business impact when part of your digital infrastructure, supplied by a third party, is disrupted.

Companies will obviously want to mitigate against disruptions such as the one above by having contingency plans in place, but technology issues aren't the only consideration organisations need to be making when looking at their digital supply chain: they also need to look at

Digital supply chains can be seen as an easy target for malicious threats and, in some cases, they can provide the most effective route into an organisation, especially one with robust security measures in place. Why spend time trying to breach an organisation with tough security measures when you can target a smaller, less security-mature company within its supply chain and look for a way to move between them? It can be as easy as that.

Take the example of Target, the US retailer. In 2013, attackers managed to access Target's point-of-sale (POS) systems, gaining access to 40 million payment card details and 70 million customer records. But Target wasn't the original target, so to speak; it was a heating, ventilation and air conditioning supplier, which used Target's vendor portal to monitor stores. With the supplier's access to the portal, attackers were able to move across Target's network and ultimately reach the POS systems.

That's not the only example. The British Airways breach, which affected around 400,000 customers, began with a third party's access to BA's environment rather than a direct breach of the company's own perimeter.


For me, one of the most interesting examples of a digital supply chain attack was the recent SolarWinds breach. This wasn't simply about criminals stealing credit card details, but a sophisticated, potentially state-sponsored attack, which used compromised SolarWinds software updates to gain access to, and spy on, the company's customers - mainly US government agencies and high-profile Fortune 500 companies.

Whether the threat is from criminal enterprise, nation-state operations or hacktivists, these examples clearly show the potential consequences of supply chain attacks and, even if you think you're not a target, someone in your supply chain just might be. Security throughout the supply chain should be everyone's responsibility, but how do you go about making your supply chain more secure?

Supply chain security improvement needs to start within your own company. You'll want to ensure, as far as possible, that supply chain attacks aren't going to be able to affect your business, its operation or its sensitive data, or to use your company as a stepping stone to target others within your supply chain.

Simple measures can make a big impact. Network segregation, tightly scoped privilege levels and monitoring tools can help you detect potential breaches, restrict access to sensitive information and reduce the chances of a malicious threat moving from a compromised supplier connection onto your main company networks. In the Target case, a vendor portal from which the POS network could be reached is exactly what segregation and least privilege are meant to prevent.

Every organisation will be different, of course, and security measures should be tailored to the real-world risks faced. That's why scenario and risk analysis planning can be useful to undertake, helping you uncover the potential risks of a supply chain attack and ensure effective measures are put in place to mitigate against the most likely scenarios.

Undertaking this improvement work isn't just good from a security standpoint, however; it's also good for business. GDPR compliance, with its potentially hefty fines, has forced organisations to become more security conscious, and customers, both inside and outside the supply chain, now require robust security assurances before they commit to working with a company. So, by having good security practices in place and being able to provide evidence of security testing or compliance, you can make your life much easier when it comes to winning business.

Just as customers will be asking for security assurances from you, you should be asking for security assurances from your suppliers. Have they had an independent security audit? Do they have evidence of infrastructure and application security testing? Are they working towards ISO 27001, or already certified? Does the company have Cyber Essentials?

The assurances needed will obviously depend on the nature of the relationship, the information and services being procured and the potential risks involved. Some relationships will require a light touch in terms of security assurance, while others may require rigorous standards. It's up to every company to define what level of security it wants from its suppliers and to ensure these are in place before committing to working with them.



special focus on NI




At the recent National Cyber Security Centre's CYBERUK conference, Foreign Secretary Dominic Raab referred proudly to Northern Ireland as a "…world-leading cyber security hub, and a top international investment location for cyber security firms." Raab's comments may have been news to those unfamiliar with the region - but, to US tech investors, it is the No.1 place to be, and has been for several years.

Indeed, in little more than a decade, Northern Ireland has taken a small, nascent cluster of native businesses and nurtured it into a global centre of excellence that's bursting with talent, academic prowess and commercial expertise. Together, local industry, academia and the region's public bodies have seized on a mounting threat (which now costs the global economy over US$600 billion per year) and carved out a unique role for Northern Ireland in an ever more digital world.

But how has this been achieved, and what does the future hold? Let's take a closer look.

The professional services sector, in the form of legal, financial and business consultancy, has been part of Northern Ireland's economic and skills repertoire for several decades now, which is why leadership in these areas has come so naturally. From pioneering digital banking to the evolution of Fintech and Regtech, the region has played a significant role in driving and shaping the future of law, finance and commerce - and it continues to do so today.

Digitalisation has been a crucial catalyst in this respect, creating opportunities for these industries to connect and grow through data, technology and information. This has established fertile ground for new types of professional services and home-grown success stories like First Derivatives, Kainos and FinTru, while also attracting major investment from players keen to futureproof their businesses for the digital age, such as EY, Deloitte, PwC, Citi and KPMG.

At the same time, however, the digital world has opened Pandora's box, unleashing ever-evolving threats in the sinister shape of cybercrime. One of the world's least-welcome growth industries, it costs the global economy an estimated $2.9 million per minute. The resulting challenges are many and varied - and could potentially counter the many positives that digital progress has sought to create.

But with challenges come opportunities, and with digital transformation happening rapidly in the professional services sector, Northern Ireland's cyber security sector responded accordingly. The need to safeguard personal, business and government data from theft, protect computer networks against intrusion, keep devices clean of malware and defend critical infrastructure against hostile attacks has generated demand for a new type of expertise, which Northern Ireland has been able to deliver in abundance through its talent pipeline and through R&D.

"Over the last 20 years, effective cybersecurity has become one of society's critical needs. Here at QUB we recognised we had the skills and ambition to tackle this need head-on and, in doing so, boost economic renewal in Belfast and Northern Ireland."
Professor Máire O'Neill, CSIT's Principal Investigator

Today, the region is home to around 4% of the UK's cyber security workforce, which, for an area that represents around 2.8% of the UK population, is just one indicator of its strengths in this field. What's more, almost 5% of cyber firms in the UK market call Northern Ireland home, helping to deliver its ambition to grow its sector workforce to 5,000 by 2030. At the heart of this lies CSIT - the award-winning Centre for Secure Information Technologies at Queen's University Belfast.

Where digitalisation has been the spark, CSIT has undeniably been the catalyst that's turned Northern Ireland's cluster into a thriving ecosystem encompassing finance, banking, insurance, legal, telecoms, threat intelligence, defence, security, healthcare… for the cyber risk is everywhere. As a result, the centre has not only attracted millions in global investment from the likes of WhiteHat, Rapid7, Proofpoint, IBM Q1 Labs and Black Duck - it has triggered new start-ups, supported over 2,000 local jobs in the Belfast area alone and produced proven solutions to some of the biggest cyber challenges facing economies globally today.

It all started in 2009 as a greenfield site at what is now known as Catalyst, which was previously the Northern Ireland Science Park and part of one of the world's biggest urban-waterfront regeneration projects. By bringing academia, industry and public sector support together under one roof, CSIT's partners and funders (EPSRC, Innovate UK and Invest Northern Ireland) believed they could create a hub where leading-edge research could translate rapidly into market-relevant, market-ready products and services. And they were

CSIT is now home to a 90-strong team of industry-experienced engineers,

electronic and computational researchers, business development specialists and

passionately motivated postgraduates. But this is only one ingredient in the

recipe for CSIT's success. An impressive roster of business members such as

Thales, Allstate and BAE Systems help shape its research strategy, while close

collaboration with First Derivatives, Seagate, Nvidia and other IT giants, and with

leading global cybersecurity institutes, adds an extra dimension to its expansive

vision and worldwide reach.

"Because we are a relatively small region, the government, the universities, and

regional development organisations work very closely together… We are acutely

aware of the market's demands and the types of companies coming in, so we

can be more agile in developing novel programs to support them."

David Crozier, head of strategic partnerships and engagement, CSIT


As you might expect from a centre of excellence with such extensive global

reach, CSIT has attracted much recognition during its short lifespan. In 2015, for

example, it won a Queen's Anniversary Prize, celebrating excellence, innovation

and public benefit at UK universities, and four years later, Máire O'Neill, CSIT's

Principal Investigator, secured a prestigious Blavatnik Award, recognising her

work as an outstanding young scientist. More recently (February 2021), Queen's

University was recognised for its cybersecurity education program and work

promoting cyber-skills by the National Cyber Security Centre (NCSC).

Such plaudits are well deserved. CSIT has delivered a consistent stream of

cutting-edge, real-world cybersecurity advances - including 10 new product

concepts with a clear route to market. For example:

Working with a US insurance firm, it has developed graph-mining analysis

systems that automatically detect anomalous and potentially fraudulent

insurance claims by pinpointing suspicious patterns

Algorithms developed at CSIT are enabling a major financial services company

to spot malicious trading activity over its communication channels and data

flows, protecting against regulatory non-compliance and potentially massive


Working with vendors of control systems that underpin electricity, water and

other key infrastructure to pinpoint and eliminate vulnerabilities to cyberattack

Helping satellite developers keep their hardware cyber-safe in Earth's orbit, with

enormous benefits such as future-proofing the security of communications by

introducing quantum-safe cryptographic algorithms

"This is an extremely exciting time for cyber security in Northern Ireland but

also for the sector globally... At CSIT, our researchers are leading cutting-edge

research in cyber security. We are also developing the next generation of

industry leaders to meet the huge demand from industry for cyber security


Professor Máire O'Neill


For as long as the digital age prevails, cyber security will be needed, and with

that, the only way is up for CSIT and the Northern Irish industry. It is now an

authoritative source of counsel among governments and other organisations

worldwide (including the London Office for Rapid Cybersecurity Advancement

(LORCA)), and its appeal as a destination for investors, big and small, shows

no sign of waning.

In the past 18 months, for instance, the market has seen a new or increased

Northern Ireland presence established by Angoka, Aflac, Cygilant and Rapid7,

while a new centre of excellence was established by consulting giant, KPMG.

This is the tip of the iceberg.

Thanks to an ever-expanding track record of achievement, CSIT and the

innovation ecosystem that surrounds it are set to flourish further, gaining

more momentum, for example, by planned investment in infrastructure as

part of the Belfast Region City Deal.

A major project connected to the deal is the Global Innovation Institute (GII),

which will be a nexus for co-innovation between researchers and industry in

data security, connectivity and analytics. As we are faced with the data deluge

in our increasingly connected world, secure, connected intelligence will

become ever more critical.

So, as with CSIT, GII hopes that, by creating a space where local and global

companies, entrepreneurs and researchers can come together, Northern

Ireland can continue this story of success - and keep playing its part in

building a safe, cyber secure, future for all.

Invest Northern Ireland is the region's business development organisation. Its

role is to grow the local economy by helping new and existing businesses to

compete internationally, and by attracting new investment to Northern


Find out more about how we can work together with you and your business.


Crucially, underpinning all the above is access to local talent, and so far, a

pipeline of students has enrolled onto CSIT's Masters programme, producing

experts with the state-of-the-art skills the cybersecurity sector needs. At the

same time, 17 cybersecurity start-ups have graduated from the CSIT Labs

incubator programme and six CSIT spinouts have been established in fields

ranging from content inspection to automated image and video processing.

As you might expect from the tech industry, these fledgling success stories

have subsequently brought bigger names to Northern Ireland's shores: Titan IC,

for instance, was acquired by Nvidia in 2020, giving the US chip manufacturer a

firm foothold in the Belfast cybersecurity ecosystem.

www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security


advanced threat protection





Patrick Wragg, Integrity360: the key to

advanced threat protection is layers -

ensuring your operating systems and

applications are up to date; users are

educated; and that you have the latest

security solutions in place.

Advanced threat protection (ATP)

refers to a category of security

solutions that defends against

sophisticated malware or hacking-based

attacks, targeting sensitive data. ATP

solutions can be available as software or

as managed services. They can differ in

approaches and components, but most

include some combination of endpoint

agents, network devices, email gateways,

malware protection systems, and a

centralised management console to

correlate alerts and manage defences.

But how do they operate and perform 'in

anger', so to speak, and where might there

be any weaknesses? At the same time,

in a world where threat levels shift

dramatically and at an alarming rate,

where might they need to be adapted to

counter future emerging challenges?

"Perhaps it's become a cliché, but advanced

threat protection requires detection and

containment, 'beyond the email gateway',"

says Mike Fleck, VP marketing at Cyren.

"Cybersecurity and industry professionals

have been using this term to describe the

need for organisations to have a layered

security approach with security controls and

incident response capabilities to deal with

the advanced threats that slip past the email

perimeter and arrive in a user's mailbox.


"Email is the most common method of

delivering threats - advanced and otherwise

- because it is one of the few ways to

transport an attack straight to the heart of

an organisation, through its people. What's

more, the most favoured approach to an

email attack is phishing [ie, harvesting login

information using spoofed web pages of

trusted brands]; once attackers have the

ability to remotely log in to a corporate

network, they can launch convincing fraud

campaigns and surveil the environment to

find the most sensitive data to steal or the

most business-critical servers to infect with


Security controls beyond the gateway

have traditionally focused on data loss

prevention, sophisticated malware analysis

and endpoint security solutions, he points

out. "However, advanced email threats still

evade detection and containment largely

because attackers use trusted cloud services

and constantly change their tactics to avoid

known patterns of behaviour. Endpoint

security agents can quickly spot a

compromised device, but it may be too late.

Data loss prevention can detect sensitive

data as it leaves the organisation, but only

after the initial compromise. There is clearly

a gap in advanced threat protection

capabilities between the email server and

the end user device. This gap is easy to see

when you understand the degree to which

enterprises rely on employees to identify

advanced threats in their mailboxes."

A better way is to simply add a layer of

automated detection and incident response

to the mailboxes, Fleck adds. "As enterprises

migrate their email servers to cloud

offerings like Office 365, it becomes easier

to close this gap by using APIs to connect

advanced threat protection clouds to

email mailbox clouds. This layer of

control complements the detection and

containment efforts already underway by



cloud providers, enterprise email security

gateways, network intrusion detection and

endpoint security agents. It also relieves

users from the expectation that they will

reliably spot and avoid advanced threats like

spear phishing and business email



The advanced threat protection category is,

of course, nothing particularly new, points

out James Preston, security architect for

ANSecurity, but rather "an evolution of

technologies including anti-virus along with

intrusion prevention and detection systems -

packaged under a new heading". However,

no matter what it's called, technology alone

cannot protect against every type of threat,

he cautions.

"ATP solutions generally don't understand

where your organisation has weaknesses.

From a threat actor's point of view, there

is always a stage where they will try to

reconnoitre a target looking for weaknesses.

This could be a long-forgotten VPN server,

an unpatched application or badly designed

user sign-in process. In fact, this

reconnaissance phase is often the deciding

factor for a cyber threat actor to expend real

effort to break in - or find a more open

victim. Most ATP solutions don't emulate

this reconnaissance process, so enterprises

need to initially focus on finding and fixing

structural weaknesses to make themselves

less attractive targets."

A great place to start is by using a cyber

security framework such as the MITRE

ATT&CK framework - with free tools like the

ATT&CK navigator, Preston advises. "These

allow you to map out the likely avenues for

exploit and then work out where you have

adequate protections and best practice

processes - versus areas where you are

lacking. This is a task you can do internally

or, if you have limited resources, through a

trusted expert third-party. Either way, it will

give you a better starting position to fix any

issues than just deploying lots of vendor

solutions in an ad-hoc fashion."
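One way to carry out the mapping exercise Preston describes, as an added example that is not ANSecurity's or MITRE's own code: it records which deployed controls address which ATT&CK techniques, lists the likely techniques that no control covers, and writes the result as an ATT&CK Navigator layer so the gaps can be viewed on the matrix. The technique IDs are real Enterprise ATT&CK IDs chosen to match the weaknesses named above (forgotten VPN, unpatched application, weak sign-in, phishing); the control inventory, the technique shortlist and the version numbers in the layer header are constructed assumptions.

```python
"""Map deployed controls to ATT&CK techniques, find gaps, emit a Navigator layer.

Added example, not ANSecurity's or MITRE's code. Technique IDs are real
Enterprise ATT&CK IDs; the control inventory and the technique shortlist
are constructed for illustration.
"""
import json

# Constructed shortlist of techniques this organisation judges likely, based on
# the weaknesses the article names. Values are the technique names for display.
LIKELY_TECHNIQUES = {
    "T1133": "External Remote Services",          # the long-forgotten VPN server
    "T1190": "Exploit Public-Facing Application",  # the unpatched application
    "T1078": "Valid Accounts",                     # badly designed sign-in process
    "T1566": "Phishing",
    "T1059": "Command and Scripting Interpreter",
    "T1486": "Data Encrypted for Impact",
}

# Constructed inventory: which deployed control detects or mitigates which technique.
CONTROLS = {
    "email-gateway": {"T1566"},
    "edr-agent": {"T1059", "T1486"},
    "mfa-on-vpn": {"T1133", "T1078"},
}


def coverage(likely, controls):
    """Return (covered, gaps): covered maps technique -> controls; gaps is a sorted list."""
    covered = {}
    for ctrl, techs in controls.items():
        for t in techs:
            if t in likely:
                covered.setdefault(t, []).append(ctrl)
    gaps = sorted(t for t in likely if t not in covered)
    return covered, gaps


def navigator_layer(likely, controls, name="Control coverage"):
    """Build an ATT&CK Navigator layer; score = number of controls covering the technique.

    Version numbers in the header are assumptions; adjust to the Navigator build in use.
    """
    covered, _ = coverage(likely, controls)
    return {
        "name": name,
        "versions": {"layer": "4.4", "navigator": "4.8"},
        "domain": "enterprise-attack",
        "techniques": [
            {
                "techniqueID": t,
                "score": len(covered.get(t, [])),
                "comment": ", ".join(covered.get(t, [])) or "GAP: no control mapped",
            }
            for t in sorted(likely)
        ],
        "gradient": {"colors": ["#ff6666", "#ffffff", "#66ff66"], "minValue": 0, "maxValue": 2},
    }


if __name__ == "__main__":
    covered, gaps = coverage(LIKELY_TECHNIQUES, CONTROLS)
    for t in gaps:
        print(f"GAP  {t}  {LIKELY_TECHNIQUES[t]}")
    print(json.dumps(navigator_layer(LIKELY_TECHNIQUES, CONTROLS), indent=2))
```

Run as-is it reports the single uncovered technique in the constructed inventory and prints the layer JSON, which can be loaded into the Navigator via its "Open Existing Layer" option; replacing the two dictionaries with a real inventory is the whole of the adaptation.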

Integration is also key. "It's unlikely that any

enterprise will have a complete stack of

cyber security products from a single

vendor. And, as such, disparate security

solutions often work in little silos, without

sharing the valuable security information to

make early breach detection easier. So, it's

essential that organisations also

establish what is integrated - and, in some

cases, this might require a dedicated

integration layer like a SIEM or SOAR

platform. This might not always mean

spending more budget as, in some cases,

a SIEM can allow you to reduce the number

of overlapping security tools and focus on

better utilising a smaller set of


One of the biggest security issues now,

he adds, is how fast cyber criminals can

escalate a slight breach into a full-blown

extortion attempt or theft of sensitive data.

"Sometimes, the tell-tale signs are spotted

by cyber security systems, but the decision

to quarantine PCs, servers or network

functions requires manual action. This

approval delay can mean the difference

between successful defence or a painful

breach. As such, enterprises are going to

need to start trusting automated response

a bit more - even if it means that the

occasional false alarm impacts the business."

Yes, this is a big step, he concedes -

and there will be a bedding in period as

these systems start to understand the

environment and learn from mistakes.

"However, to deal with the next generation

of advanced threats, ATP systems must be

given the freedom to start mitigation faster

than a typical human operator."


James Preston, ANSecurity: technology alone

cannot protect against every type of threat.

Mike Fleck, Cyren: there is clearly a gap in

advanced threat protection capabilities

between email server and end user device.

Patrick Wragg, cyber incident response

manager with Integrity360, points to how

traditional basic threat prevention strategies

rely on a singular approach, whereby each

unique security tool/component in an

organisation's defence arsenal has one

job and is relied upon heavily for that job.

"Advanced threat prevention, however, takes

a multi-faceted approach whereby the

detection capabilities of multiple security

tool/components in an organisation's

defence arsenal are combined to provide

a 'big picture' view of a possible compromise.

For example, a combination of EDR

(Endpoint Detection and Response) agents,

network monitoring agents, email gateways,

user privilege/account monitoring and cloud

monitoring solutions all submitting their

alerts to a centralised management tool that

correlates them and alerts a security team in


However, there is no one size fits all

approach, in terms of advanced threat

protection. "Solutions need to be scalable,

flexible and intelligent, and enable

organisations to bolster those defences that

work well and can evolve to meet the ever-changing

threat environment. Businesses

need to cover all bases with systems in place

designed to manage, detect and respond

(MDR), monitor, mitigate/prevent and,

where necessary and applicable, remediate

with incident response (IR)."
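The two points above, Wragg's 'big picture' correlation of alerts from several tools in one console and Preston's case for trusting automated response a little more, as one added example that is not Integrity360's, ANSecurity's or any vendor's code. Alerts from a constructed set of sources (email gateway, EDR, network, identity) are grouped per host within a time window; an incident's score rewards agreement between distinct tools over repeats from one, and the containment decision is only automatic when several sources agree, so a single tool's false alarm goes to an analyst rather than quarantining a machine. The alert records, source names, weights and thresholds are all assumptions.

```python
"""Correlate alerts from several tools per host and decide on automated containment.

Added example, not any vendor's code. Alerts, source names, severity weights
and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts as a central console might receive them from disparate tools.
ALERTS = [
    {"ts": "2021-10-04T09:01:10", "source": "email-gateway", "host": "WS-0142",
     "user": "j.doe", "signal": "suspicious attachment delivered", "severity": 2},
    {"ts": "2021-10-04T09:03:42", "source": "edr", "host": "WS-0142",
     "user": "j.doe", "signal": "office process spawned powershell", "severity": 4},
    {"ts": "2021-10-04T09:04:05", "source": "network", "host": "WS-0142",
     "user": "j.doe", "signal": "outbound connection to newly registered domain", "severity": 3},
    {"ts": "2021-10-04T09:06:30", "source": "identity", "host": "WS-0142",
     "user": "j.doe", "signal": "privilege escalation attempt", "severity": 4},
    {"ts": "2021-10-04T11:20:00", "source": "edr", "host": "WS-0077",
     "user": "a.lee", "signal": "unsigned binary executed", "severity": 3},
]

WINDOW = timedelta(minutes=15)   # assumed: alerts on one host within 15 min form one incident
CONTAIN_THRESHOLD = 9            # assumed: score at which automatic quarantine is permitted
MIN_SOURCES = 2                  # assumed: never auto-contain on a single tool's word alone


def _summarise(host, items):
    """Score an incident: sum of severities plus a bonus for each extra distinct source.

    Three tools agreeing is stronger evidence than one tool firing three times.
    """
    sources = sorted({a["source"] for a in items})
    score = sum(a["severity"] for a in items) + 2 * (len(sources) - 1)
    return {"host": host, "sources": sources, "score": score,
            "signals": [a["signal"] for a in items]}


def correlate(alerts, window=WINDOW):
    """Group alerts per host into incidents whose alerts fall within `window` of the first."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):   # ISO-8601 strings sort chronologically
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        current = []
        for a in items:
            t = datetime.fromisoformat(a["ts"])
            if current and t - datetime.fromisoformat(current[0]["ts"]) > window:
                incidents.append(_summarise(host, current))
                current = []
            current.append(a)
        if current:
            incidents.append(_summarise(host, current))
    return incidents


def decide(incident, threshold=CONTAIN_THRESHOLD, min_sources=MIN_SOURCES):
    """'contain' only when multiple tools agree and the score is high; otherwise hand to a human."""
    if incident["score"] >= threshold and len(incident["sources"]) >= min_sources:
        return "contain"
    if incident["score"] >= threshold // 2:
        return "escalate"
    return "log"


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(f"{inc['host']}: score={inc['score']} sources={inc['sources']} -> {decide(inc)}")
```

The bedding-in period Preston mentions corresponds here to tuning `CONTAIN_THRESHOLD` and `MIN_SOURCES` against the organisation's own alert history; the `escalate` tier is where the occasional false alarm should land while that tuning is still immature.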

On top of automating where possible, and

an overall strengthening of the security

posture, the key to advanced threat

protection is layers, he adds - ensuring your

operating systems and applications are up

to date; your users are educated; and you

have up to date security solutions in place.

"The future of advanced threat protection

comes down to having the right service

provider in place to provide on-demand

access to highly skilled cybersecurity experts

who can deliver emergency support for any

cyber threat, including proactive guidance

on MDR and IR planning, and new and

evolving threats. The security team should

also be able to respond instantly, in real-time,

via pre-built automated incident

response playbooks."


"For years, threat actors like nation states

and cybercriminals had distinct motivations

and different tools," comments Sam Curry,

chief security officer, Cybereason. "Nation

states, or 'advanced persistent threats', as we

called them, moved like submarines stalking

ships in the waters of target networks,

carrying out the policies of their

governments and providing asymmetric

options aside from the normal diplomatic,

economic, and military strategies and

tactics. By contrast, the fight against

cybercriminals more resembled battleship

warfare than submarine. The motivation

among criminals was profit and, as such,

it was about maximising the number of

victims and wringing every drop from an

infection for as long as possible. Even in the

old days, the security industry was not up

to the task of stopping either the malicious

operations of nation states nor the smash-and-grab

theft of cybercriminals."

The silver lining, however, is the emergence

of endpoint detection and response (EDR),

which is often mistaken for a mere extension

of existing endpoint protection technologies

like antivirus or personal firewalls. "It is a tool

for finding the advanced operations and

provides the hunter-killer options for the

cyber conflicts being waged on corporate

and government networks," he explains.

"EDR has evolved first into managed

detection and response (MDR), providing

the men and women behind screens in

managed services, and into extended

detection response (XDR), uplifting the

telemetry recording from formerly

ubiquitous endpoints to the transformed

enterprise of SaaS, Cloud Infrastructure

and beyond."

Fast forward to today and the dark side

ecosystem is very different, states Curry. "The

attackers have not slowed down and have,

in fact, evolved at a faster rate than

defenders have, except perhaps among the

most sophisticated defenders. Not only are

they attacking the newer infrastructure

associated with SaaS services, but they are

now targeting the new IT stack in the form

of IaaS and PaaS compromise.

"In the last five years, the lines among

attackers have become more blurred, with

sharing of tools and relationships that mirror

the alliances, investments and partnerships

of the more normal and legitimate

industries. Further, the motivations for each

actor have become less distinct, with nation

states pursuing currency in the case of North

Korea, fostering ransomware in the case of

Russia, and development of supply chain

compromises in the case of Russia and

China, to name just a few."

The most insidious examples of these are

developments in the last six months. "The

first is ransomware, which is really a

combination of the old APT-style delivery

mechanism through stealthy submarine-like

operations but doing so for profit. The

second and most recent is evident in the

recent Kaseya attack: supply chain

compromise for the purpose of delivering

ransomware as the payload. This is a killer


This is the reason for the mandate of EDR

(or MDR or XDR) for the US Federal

government in the recent White House

Executive Order. "Having a means of finding

the attacks as they move in the slow, subtle,

stealthy way through networks isn't an

option. This class of tool isn't the be-all and

end-all, but it's at the top of the toolkit,

along with more advanced prevention,

building resilience, ensuring that the blast

radius of payloads is minimised and generally

using peace time to foster anti-fragility." The

most significant takeaway? "It's not about

who we hire or what we buy. It's about how

we adapt and improve every day."


cyber threat intelligence




Cyber threat intelligence can be found in

numerous ways. One of the most

popular ways to gather intelligence is

via feeds, both open source and commercial

feeds. These feeds can be fed into various

tools to be searched and produce actionable

data that can be added to Block and Watch



Most companies who can make use of this

'raw' intelligence and be able to act on the

results usually have a mature approach to

cyber security - typically including a SOC

(Security Operations Centre), IR (Incident

Response) and at the very least a job role that

will exclusively deal with cyber threat


Feeds are not the only way cyber threat

intelligence can be used. Some of the most

common alternative uses for cyber threat

intelligence include the production of reports

for a customer by a company that specialises

in the topic, monitoring of specific datapoints

for mentions online and monitoring publicly

known data breaches for company

information. Services of this nature are more

common with smaller companies that do not

have the staff or internal knowledge to carry

out the monitoring and analysis of cyber

threat intelligence. However, this is not to say

larger companies do not also use these

services to augment the intelligence

generated internally.
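The feed-driven use of intelligence described at the start of this piece, as an added example that is not Brookcourt Solutions' code: a small feed parser that rejects malformed records, splits indicators into a block list and a watch list by confidence, and applies both to proxy log lines. The feed format, the indicators (documentation address ranges and reserved `.invalid` names only), the log lines and the confidence threshold are all constructed.

```python
"""Turn a threat-intelligence feed into block and watch lists and apply them to proxy logs.

Added example, not Brookcourt Solutions' code. Feed format, indicators, log
lines and the confidence threshold are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed feed: '#' comments, blank lines, records of indicator|type|confidence.
FEED = """\
# constructed sample feed, not real intelligence
198.51.100.23|ipv4|95
203.0.113.0/24|cidr|60
malware-drop.example.invalid|domain|90
login-portal.example.invalid|domain|45
this line is malformed
"""

BLOCK_MIN_CONFIDENCE = 80   # assumed policy: >= 80 goes on the block list, lower is watched


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str
    confidence: int


def parse_feed(text):
    """Parse the feed, skipping comments and blank lines and dropping malformed records."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 3 or parts[1] not in {"ipv4", "cidr", "domain"}:
            continue  # a bad feed line must never become a bad rule
        try:
            conf = int(parts[2])
        except ValueError:
            continue
        out.append(Indicator(parts[0].lower(), parts[1], conf))
    return out


def build_lists(indicators, threshold=BLOCK_MIN_CONFIDENCE):
    block = [i for i in indicators if i.confidence >= threshold]
    watch = [i for i in indicators if i.confidence < threshold]
    return block, watch


def matches(indicator, ip, host):
    """True if the (ip, host) pair hits the indicator; domain indicators include subdomains."""
    if indicator.kind == "ipv4":
        return ip == indicator.value
    if indicator.kind == "cidr":
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(indicator.value)
        except ValueError:
            return False
    return host == indicator.value or host.endswith("." + indicator.value)


LOG_RE = re.compile(r"dst=(?P<ip>[\d.]+) host=(?P<host>\S+)")


def classify_log(lines, block, watch):
    """Return (action, line, indicator) per log line: block, watch, allow or unparsed."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            results.append(("unparsed", line, None))
            continue
        ip, host = m.group("ip"), m.group("host").lower()
        hit = next((i for i in block if matches(i, ip, host)), None)
        if hit:
            results.append(("block", line, hit))
            continue
        hit = next((i for i in watch if matches(i, ip, host)), None)
        results.append(("watch" if hit else "allow", line, hit))
    return results


# Constructed proxy log lines.
LOGS = [
    "2021-10-04T09:00:01 user=j.doe dst=198.51.100.23 host=cdn.example.invalid",
    "2021-10-04T09:00:07 user=j.doe dst=203.0.113.77 host=files.example.invalid",
    "2021-10-04T09:00:09 user=a.lee dst=192.0.2.10 host=update.malware-drop.example.invalid",
    "2021-10-04T09:00:12 user=a.lee dst=192.0.2.44 host=intranet.example.invalid",
]

if __name__ == "__main__":
    block, watch = build_lists(parse_feed(FEED))
    for action, line, hit in classify_log(LOGS, block, watch):
        print(f"{action:8} {line}" + (f"  <- {hit.value}" if hit else ""))
```

The watch list is the part that the 'mature approach' paragraph above is really about: a watch hit produces nothing on its own and is only useful if a SOC or a dedicated intelligence role exists to review it, which is why smaller firms tend to consume reports rather than raw feeds.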


How do you measure the success of a cyber

threat intelligence program? This is not an

easy question to answer, simply due to the

nature of what cyber threat intelligence is.

There are naturally the obvious examples of

success, such as finding data that is linked to

or belongs to a company online or finding

information relating to an attack planned on

the company - effectively anything that

would show an obvious and direct benefit of

cyber threat intelligence to the company.

However, incidents of this nature make a

small minority of the uses and successes of

cyber threat intelligence.

The general value in cyber threat intelligence

is knowing what is going on in the business

world and, in many cases, your industry. This

allows preventative measures to be taken,

as well as the ability to better prepare for

potential incidents in the future. The MITRE

ATT&CK framework is a brilliant example of

intelligence that can be used to better

prepare and test a company's readiness.


There is always room for improvement when

it comes to this type of work. There are

alternative data sources, different tools and,

new approaches that should, at the very

least, be considered when collecting and

interpreting the data and information that is

available. As the methods of attack evolve,

change and die out, being replaced with

completely new tactics and techniques, so

should the views, processes and runbooks

that are used to combat them.

Cyber threat intelligence is often a part of

threat intelligence as a whole and it should

be considered that some of the services that

are offered to businesses can be used for

more than simply cyber threat intelligence.

Some of the other uses are geographic

intelligence, intelligence relating to real world

products and activities related to those

products, and intelligence that is more

focused on the high-level individuals within

the company.

Steven Usher, Senior Security Analyst,

Brookcourt Solutions


data impact assurance level



By completing your Data Impact Assurance Level (DIAL) and using a company certified to 8.0, you are assured of meeting UK GDPR compliance

Over the coming weeks, businesses

will start to be asked to create a

Data Impact Assurance Level (DIAL)

by the companies they engage with to

collect their redundant equipment and

sanitise the media. But what on earth is a

DIAL and what is the benefit to you by

creating one?

This article explains what the DIAL

concept is and why it was crucial in the

approval of ADISA Asset Recovery Standard

8.0 by the UK Information Commissioner's

Office. And most importantly, why this

helps organisations comply with UK GDPR

when disposing of redundant equipment.


When ADISA launched in 2010, our

ambition was to help improve risk

management for companies when they

dispose of their redundant equipment by

the development of Standards. Our ICT

Asset Recovery Standard has gained

significant traction in the UK and is well

supported by the leading IT Asset Disposal

(ITAD) companies in the sector. When EU

GDPR was passed into law, we saw that

approved Certification Schemes were

covered within the articles and so we

started exploring how we might evolve our

program by achieving official recognition

under the overarching data protection law.




In July 2019 ADISA submitted our ICT Asset

Recovery Standard to the ICO for approval



as an EU GDPR Certification Scheme. (This

would later move to UK GDPR post-Brexit!)

Our Standard was structured such that risks

to data were identified and

countermeasures were required to remove

or mitigate those risks. These

countermeasures were presented as

prescriptive criteria which were included in

the Standard and companies being certified

were required to meet those criteria to

evidence how they were managing those

risks on behalf of their customers.

When we started working with the ICO it

soon became clear that rather than

focusing on the industry we needed to look

at the process from the data controller's

viewpoint. Whilst the previously identified

risks remained the same, who determined

whether the countermeasures were

appropriate was not. Previously it was

either ADISA, via the publication of the

Standard, or the ITAD, through provision of

the service, who determined the

appropriateness of the countermeasures to

be deployed. Clearly, within UK GDPR what

is deemed "appropriate" will vary from one

data controller to the next, so how could a

binary standard claim to represent all data

controllers' own requirements?

This created a quandary: how do we allow

the data controller to first see all the points

in the process where risk exists, and then

secondly how can they then influence the

risk treatments to suit their own specific


The answer to this was to create the

concept which is Data Impact Assurance


When working with the regulator it was

clear that to deem whether something is an

appropriate risk treatment, we must first

understand a range of variables for each

data controller. ADISA identified five


Threat - Who are we protecting our

data from and what are their


Risk Appetite - Do we permit additional

treatments to be available, at a price, or

do we require all possible risk

treatments to be applied?

Volume of Data - What is the

aggregated risk we are trying to


Categories of Data - What data are we

having processed?

Impact of a data breach - If we suffered

a data breach what would happen?

Share price impact, loss of reputation or

regulatory action?

Within each of these variables a data

controller can determine their own

position by following the workings laid out

in Part 1 of the ADISA Standard or using

the free to use software on our website. By

working through these questions, the data

controller produces a single DIAL rating

which can be used to indicate what level of

controls would be appropriate to be

applied to each of the risks which are being

managed on their behalf by their certified

ITAD partner. This simple approach finally

gives the data controller a means of

influencing risk management in a process

which is often both out of sight and out of



By introducing the DIAL concept to our

Standard, ADISA was able to meet the UK

ICO's expectation on how risk was to be

managed by the data controller when they

dispose of redundant equipment. This is

particularly important where the disposal of

redundant equipment is concerned as the

volume of data being processed is

enormous, making it one of the biggest

risks within enterprise data protection. Due

to the transactional nature of the process

including moving physical assets outside of

existing security environments, there are a

significant number of points in the process

where risk exists. By presenting a DIAL to the

ITAD partner, a data controller indicates

what controls they want to have in place

on those processes, reflecting

their own situation. This is achieved by

there being different levels of risk treatment

for each identified risk which offer

increasingly better levels of risk


Of course, increased controls for

unnecessary reasons could lead to

unnecessary cost, which is why the DIAL

concept enables data controllers to manage

risk directly attributed to their own



Companies already certified by ADISA are

working towards the new 8.0 Standard and

as such will be able to issue you a URL to

the ADISA website where you can answer

five questions which then create your DIAL

and a certificate. Even if your existing

partner is not certified, you can go to the

ADISA website yourself and complete the

same process to create your own DIAL.

Each ITAD when being certified will

achieve their own DIAL rating which

indicates the potential DIAL they are

capable of operating at. You should verify

that your ITAD partner's DIAL rating meets

your requirements. If they do not have a

DIAL or operate at a lower level than you

require, they will either need to become

certified, improve their capability or you

should deem them unsuitable.

Standard 8.0 incorporating the DIAL

concept assures you of meeting UK GDPR

compliance not because your ITAD partner

is telling you nor because ADISA is telling

you. You are assured of meeting UK GDPR

because the ICO has confirmed that using

an ITAD who is certified to 8.0 by a UKAS

approved audit process is UK GDPR




backup & recovery


What approach should an enterprise take to ensure it has the best

protection in place - as well as employees who are fully engaged in

making it work? Getting this right is a complex, but essential, process

The purpose of backup is to create a

copy of data that can be recovered in

the event of a primary data failure.

Such failures can be the result of hardware

or software malfunctions, data corruption

or a human-caused event, such as a

malicious attack (virus or malware), or

accidental deletion of data. Backup copies

allow data to be restored from an earlier

point in time to help the business recover

from an unplanned event.

Storing the copy of the data on separate

medium is critical to protect against

primary data loss or corruption, but what

works to best advantage? The additional

medium could be as simple as an external

drive or USB stick, or something more

substantial, such as a disk storage

system, cloud storage

container or tape

drive. The

alternate medium can be in the same

location as the primary data or at a remote

location. The possibility of weather-related

events may justify having copies of data at

remote locations.

But what approach should an enterprise

take to ensure it has the best protection -

as well as employees who are fully

engaged in making it work? One of the

preventive measures and possibly the most

efficient layer of defence, in the case of

any cyber-attack threat, is simply enforcing

healthy security habits and having the

discipline to follow them, says Robert

Allen, European director of marketing &

technical services at Kingston Technology

Europe. "Following these best

practices and procedures

that were created

before a

cyber security attack, whilst backing them

up with several protective frameworks to

make a layered defence, is the most ideal

strategy in mitigating attacks. Pro-active

thinking, threat intelligence and

continuous risk assessment can help

prepare the initial response to the

anticipated 'what if' scenario."


As one of the proactive measures, daily

data backups can help to mitigate initial

impact on systems that were

compromised through a ransomware attack.

"In the ideal case, it would be a good

practice to be aware of the value of the

data in storage, and then being selective

in accordance with their priority level and

back them up on a daily basis. This

practice can help to recover from initial

'denial of access' to compromised systems

through a ransomware attack.

IronKey DataTraveler.



"Furthermore, this method can help to

restore systems elsewhere, so you can

continue your daily activities, with

relatively low inconvenience. Backup of

data needs to be part of a larger cyber

security mitigation plan. This strategy

could be also seen as the last line of

defence in a critical system failure


Daily backup of sensitive data can help us

to recover from ransomware or other

attacks. "To put it simply," adds Allen, "if

the worst was to happen, it's always the

better option to lose one day's data than

months or years. Here, you can use the

benefits of an encrypted USB drive, which

ensures further cryptographic protection

for data, critical if you need to take data

elsewhere to restore a compromised

system. This practice is again completely

dependent on your efforts in following

good security habits and information

security hygiene."

As the possible vectors of attack are

constantly evolving, we will be always part

of this game of chess where one needs to

think several moves forward, he continues.

"There will be always a new vector of

attack or system vulnerability and then the

reactive countermeasure to negate it.

But good security habits, and your

organisation's discipline in following them,

on a daily basis, combined with overall

contingency plans, will help mitigate loss

to your business, if the worst were to



Having a data backup in place is now

a critical component to any IT/security

strategy. "Threats to data come in many

forms, as the OVH datacentre fire earlier

this year highlighted," says Jon Fielding,

managing director, EMEA Apricorn. "It was

not simply a case of needing to have a

solid backup in place, but it stressed the

importance of where, and how, data

backups are stored. Unfortunately for

OVH, its customer data was backed up in

the same location, resulting in both sets of

data being destroyed, with no means for

recovery or business continuity."

When disaster strikes, every minute

counts. "Data loss, particularly on this

scale, with large data sets at risk, could be

costing your business resources, money

and customers, so by implementing

a recovery plan, businesses can get back

up and running as soon as possible. We

work in a 'real-time' culture and, in the

case of data loss, users expect it to be

restored at once and can't afford to wait

weeks, days or even hours. By having

backup recovery processes in place,

businesses can ensure mission-critical

applications are functional and data is

recovered quickly."

That said, physical disasters are only

the tip of the iceberg. Cyber-attacks are

wreaking havoc for businesses everywhere

and ransomware demands are making

headlines on an almost daily basis.

Not to mention the ongoing stream of

vulnerabilities, malware and viruses we've

come to expect. "A regular and reliable

backup process will protect businesses

from unexpected data loss from all

potential sources," adds Fielding. "One

of the easiest ways to create backups of

business data is to simply store copies of

important files on hard drives, or other

storage devices connected to your systems

or network. Having an offline & off-site

copy, in addition to on-premise and cloud

storage options, is crucial. These storage

devices should be encrypted, ideally in

hardware, to ensure data privacy


An offline backup is particularly important as a defence against ransomware when data can't be reinstalled. Copying files to hard drives, USB flash drives, external drives or other devices is an effective way of ensuring backups are available locally when you need them and businesses can restore from a clean, protected data set, he says. "On top of this, businesses are facing increased threat from the rise in remote working, which has intensified the need for backups as data continues to move beyond the corporate boundaries. By providing employees with removable USBs and hard drives that automatically encrypt all data written to them, companies can deliver the capability to securely store data offline. When correctly implemented, hardware encryption offers much greater security than software encryption, and PIN pad authenticated hardware encrypted USB storage devices enable employees to move sensitive and often regulated data off the corporate network. These devices can also be used to back up data locally, mitigating the risk of targeting in the

In line with this, businesses should test their backups regularly, he adds - verify that the operating system, applications, and data are intact and functional. "This allows them to recover systems and files more efficiently, should an incident occur."
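The "test your backups" advice above is easy to state and rarely done. The following is an added example, not code from the article or from Apricorn, of what a minimal restore test looks like in practice: a directory is archived with a SHA-256 manifest, the archive is restored into a scratch location, and every restored file is re-hashed against the manifest. The manifest is deliberately returned separately from the archive so that it can be kept with the offline copy; a corrupted or incomplete archive then cannot vouch for itself. The file names, contents and archive names are constructed sample data.

```python
"""Backup verification: archive a directory, record a SHA-256 manifest, then
prove the archive restores correctly by extracting it somewhere scratch and
re-hashing every file against the manifest kept apart from the archive."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Python 3.12+ offers a 'data' extraction filter that refuses absolute paths,
# '..' traversal and special files inside the archive; use it when present.
EXTRACT_OPTS = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzipped tar of the source tree; return {relative path: sha256}.
    Store the returned manifest separately from the archive (e.g. with the
    offline copy) so that damage to one cannot silently rewrite the other."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest

def verify_backup(archive: Path, manifest: dict) -> dict:
    """Restore into a temporary directory and compare every file with the
    manifest. A backup that cannot be restored and checked is not a backup."""
    result = {"checked": 0, "missing": [], "corrupt": []}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, **EXTRACT_OPTS)
        for rel, digest in manifest.items():
            result["checked"] += 1
            restored = dest / rel
            if not restored.is_file():
                result["missing"].append(rel)
            elif sha256_file(restored) != digest:
                result["corrupt"].append(rel)
    result["ok"] = not (result["missing"] or result["corrupt"])
    return result

def demo() -> dict:
    """Constructed sample data: a good backup, then two failure modes a
    restore test must catch (a file changed after the manifest was taken,
    and a file that never made it into the archive)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "db").mkdir(parents=True)
        (src / "config.yaml").write_text("retention_days: 30\n")
        (src / "db" / "customers.csv").write_text("id,name\n1,Example Ltd\n")
        (src / "db" / "orders.csv").write_text("id,total\n1,9.99\n")

        good_archive = Path(work) / "backup-1.tar.gz"
        manifest = create_backup(src, good_archive)
        good = verify_backup(good_archive, manifest)

        # Silent corruption: orders.csv changes, but the trusted manifest does not.
        (src / "db" / "orders.csv").write_text("id,total\n1,0.00\n")
        corrupt_archive = Path(work) / "backup-2.tar.gz"
        create_backup(src, corrupt_archive)
        corrupt = verify_backup(corrupt_archive, manifest)

        # Incomplete backup: a file is gone before the next run.
        (src / "db" / "customers.csv").unlink()
        partial_archive = Path(work) / "backup-3.tar.gz"
        create_backup(src, partial_archive)
        missing = verify_backup(partial_archive, manifest)
    return {"good": good, "corrupt": corrupt, "missing": missing}

if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "OK" if r["ok"] else "FAILED", r)
```

Run it and the first verification passes while the other two report exactly which files are corrupt or missing; a scheduled job that runs the same check against the previous night's archive is the cheapest form of the regular testing the article asks for.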


Backups are more common than you think, says Sarah Doherty, product marketing manager at iland, impinging on just about every aspect of our daily lives. "Every day, you most likely have a backup in place, whether it be someone who can cover for you to watch your puppy, if something interrupts your schedule, or even that spare tyre that is in your car in case of a puncture. Backup and recovery plans apply to just about everything that you can think of in your daily life."

www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security

Backup & recovery

Jon Fielding, Apricorn: we work in a 'real-time' culture and, in the case of data loss, users expect it to be restored at once.

Robert Allen, Kingston Technology Europe: a most efficient layer of defence, in the face of any cyber threat, is enforcing healthy security habits and having the discipline to follow them.

Focusing on the business end of things, she turns to some of the top reasons why you need to have a secure and reliable backup solution. "Everyone makes mistakes. This happens more than we would like to admit. Emails and documents containing some type of virus are accidentally opened all the time, while critical documents are unintentionally

"One way to combat these problems is to continually back up your data and therefore allow for the ability to restore your data. Or, more importantly, recover the file prior to it being deleted."

Audit and compliance requirements. "Many, if not most, organisations are required to keep records for extended periods of time, depending on local or industry requirements. There may come a time when an audit forces your business to look at something from a few years ago. The big mistake here is that most assume that data is available on a computer when, in fact, it may not be.

"Relying on one copy of the data may be a mistake that you just don't want to have to deal with when it comes to an audit. Creating offsite backups of critical data can really save you time and money, with fewer headaches for all involved. Governing agencies won't really care if you say that you had a data disaster. It is critical for your business to remain

Avoid any deadly downtime. According to Doherty, studies show that 40-60% of small businesses won't reopen after data loss. "Of companies that suffer catastrophic data loss, 43% never reopen and 51% close within two years. Not every data loss event is caused by a disaster; it is also possible that human errors can cause data catastrophes. The solution is to be sure to have an effective backup and disaster recovery plan in place that will help mitigate these types of data threats. Planning and preparing ahead of time when it comes to data security and availability can allow your business to be the winner."

A step ahead of your competitors. "If your organisation experiences a disaster, it will be critical to get back online, and up and running fast. It is a race to remain competitive, while winning over other businesses. A pre-planned backup strategy means you can be that much more prepared and win the business while others struggle. You will survive the data disaster, while others may not be so lucky."

If you don't have time to do it right, when will you have time to do it… all over again? "Doing it right the first time will save time and money when it comes to protecting your data," she points out. "If you don't have backups, you may only be able to recover some of your data and you may never know what critical data is really missing. Major data loss can mean possibly recreating or re-doing everything that has ever been done at your business and very rarely do companies survive these types of data losses."

The leading causes of data loss are similar in just about every type of business. "Most of us believe that once the data is saved to a computer it's safe and can always be accessed. The reality is that backing up data is critical - because data loss is unpredictable."

It might be just the right time to consider migrating to a cloud service, she adds. "Organisations that have chosen cloud backup have moved away from capital expenditures and simplified the process of protecting vital information. Choosing an industry leader for your business means that data protection is looking after your data and a global cloud platform that delivers the much-needed automation and orchestration to protect your critical business workloads and secure your data."







Every incident has a different impact, circumstance and various nuances that cannot be accounted for in a general answer to the question: should you pay the ransom? We would all like to think that no one should ever pay the ransom, but that simply is not the case in the real world.

Home users have a complicated situation, in that they do not have the access to IT skills, tools and teams that a business does. In addition to this, there is a sentimental and home business point of view that involves personal items, such as photos, texts, videos or even data linked to a home business that hold sentimental value to people, putting them at risk of having more to lose.

For this reason, these smaller ransoms can easily be worth the risk for some in paying, with the hope that their data can be returned. These personal attacks also do not carry the responsibility of having to report the incident. There is also the psychological aspect of shame linked to these incidents that makes them less likely to be shared, if one pays the ransom and it fails.

Businesses, however, have numerous other concerns when it comes to this question: should we pay the ransom or not? Businesses have to consider factors such as public perception, which could result in a loss of business; incidents not only having to be reported in an official capacity, but formal public announcements having to be carried out when personal data is involved. Then there are factors for some businesses whose daily responsibilities could include vital services - and paying the ransom may be the quickest and easiest cure to restoring systems.

Practise your response to a ransomware incident by war gaming or tabletop gaming an incident and testing the response of the IT teams who would be involved. This will allow for the issues, choke points and confusion to be addressed before a real-world incident

Educate all your users to a level and in a manner that is equivalent to their technical knowledge in potential ingress points for ransomware and what to do, if a ransomware infection is suspected.

While many companies have backup processes in place, the restoration of those backups is rarely comprehensively tested and numerous issues have been found when the restoration is not regularly tested. This will, once again, allow any issues and confusion for choke points to be identified.

While this could be linked to practising your response - and, in some ways, it is - preparing for an incident in this sense means having email templates for internal and, if needed, external users prepared, ensuring that, if a public statement is needed, it is prepared, together with any potential formal responses required.

Steven Usher, Senior Security Analyst, Brookcourt Solutions










James Drake, Senior Director, Xcina Consulting Limited.

Ransomware has been on the threat radar for many years now and is not new to many businesses or industry sectors, yet we are all still feeling the effects and the approach to dealing with this threat is varied. Some organisations will invest in new technologies and tools to assist in their recovery from an attack, whereas some will prefer to simply pay the ransom.

While we are trying to defend ourselves against the constant threat of ransomware, organisations are often challenged with an ever-evolving legal and regulatory landscape. We all experienced this with the introduction of GDPR and there is not a day that goes by that I do not speak to a client regarding their challenges relating to this, even years after its

It is widely recognised that good basic security hygiene measures will reduce the impact or likelihood of a ransomware attack significantly - eg, maintaining regular patching of critical systems or ensuring that systems and data recovery processes are in place.

If your business is in the financial sector, you may already be aware of the FCA rules coming into effect on 31/03/2022 regarding Operational Resilience. This will certainly be a challenge, but I always look at the introduction of new rules and regulations as an opportunity. When trying to decide where to invest limited funds and resources into new security controls, the introduction of new mandatory rules is one of the best drivers for prioritisation of those resources or potentially securing more.

The FCA describes 'Operational Resilience' as follows: "Operational resilience is the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption."

The reason this is so important, in terms of ransomware, is that the principles of the controls to be in place are commensurate with the controls to significantly reduce the impact or likelihood of a ransomware attack even

The principles are as follows:
Identify your important business services - equally as important when designing controls to defeat ransomware
Set impact tolerances - Business Impact
Carry out mapping and testing to a level of sophistication necessary to classify critical business services and identify vulnerabilities in its operational resilience
Conduct 'lessons learnt' exercises to identify, prioritise and invest in your ability to respond and recover from disruptions as effectively as possible
Develop internal and external communications plans for when important business services are disrupted
Maintain a self-assessment document, detailing the firm's Operational Resilience

Whether your business is in the financial sector or not, the employment of the new FCA rules regarding Operational Resilience would significantly reduce the impact or likelihood of a ransomware attack affecting your business. You can find out more about how Xcina Consulting helps clients to address risk management challenges by clicking here.



Remote working

(right), Tenable: as more businesses establish remote and/or flexible hybrid working policies, the corporate attack surface has exploded.

Some 72% of UK organisations attribute recent business-impacting* cyberattacks to vulnerabilities in technology that were put in place during the pandemic, while more than two-thirds (68%) suffered attacks that targeted remote workers. The data is drawn from 'Beyond Boundaries: The Future of Cybersecurity in the New World of Work,' a commissioned study of more than 1,300 security leaders, business executives and remote employees, including 168 respondents in the UK, conducted by Forrester Consulting on behalf of Tenable.

Over a year after work-from-home mandates went into effect, many organisations are planning their long-term hybrid and remote work models. In fact, 70% of UK organisations now support remote employees, compared to 31% prior to the pandemic, while 86% plan to permanently adopt a remote working policy or have already done so. But embracing this new world of work has opened organisations to new and unmanaged cyber risk.

Enabling a workforce without boundaries: Only 48% of UK organisations are adequately prepared to support hybrid working models from a security standpoint. The result is that 78% of security and business leaders believe their organisation is more exposed to risk as a result of remote working.

Cloud adoption accelerated for critical systems: As part of changes made in response to the pandemic, 46% of organisations moved business-critical functions to the cloud, including accounting and finance (42%) and human resources (33%). When asked if this exposed the organisation to increased cyber risk, 80% of security leaders believed it did.

Attackers are taking advantage: 90% of organisations experienced a business-impacting cyberattack* in the last 12 months, with 51% falling victim to three or more.

Hybrid work models and a digital-first economy have brought cybersecurity front and centre as a critical investment that can make or break short- and long-term business strategies. To address this demand, 75% of UK security leaders plan to increase their network security investments over the next 12 to 24 months; 73% will increase spend on cloud security; 66% plan to spend more on vulnerability management.

"At the outset of the pandemic, and following the work from home mandate by the UK government, many employers had no choice but to enable remote employees," says David Cummins, vice president of EMEA, Tenable. "Today, and as more businesses establish remote and/or flexible hybrid working policies, the corporate attack surface has exploded. Many of the remote work and cloud tools that were pressed into service, sometimes without security controls and, in some cases, the tools themselves are nascent and their security controls are immature, leaving businesses vulnerable to cyberattacks."

With consequences such as loss of customers, employees, confidential data, operational disruptions and ransomware payouts, businesses must look to prioritise cyber security. "A joint advisory issued earlier this year by the National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA) and Australian Cybersecurity Centre (ACSC) confirmed that, rather than creative threat vectors, bad actors will typically target known vulnerabilities to compromise unpatched systems and breach an organisation's defences," he states. "This means basic cyber hygiene practices can eradicate the majority of threats."

*'Business-impacting' relates to a cyberattack or compromise that results in one or more of the following outcomes: a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.



MFA in the spotlight

Nick Evans, SecurEnvoy: demanding that MFA is in place will become the norm.

A trend that we are seeing in the marketplace is businesses being forced to investigate MFA (Multi-Factor Authentication) by Cyber Insurance providers. But why? Cyber-Insurance vendors understand that large and enterprise-sized companies are no longer the only target for cybercriminals: the reality is that EVERYONE is a target. Everyone's at risk and it's no longer a case of IF, but WHEN, regarding cyberattacks. Insurance vendors don't want to leave themselves open to constant pay-outs to their policy holders, so demanding that MFA is in place will become the norm.

'Authentication' in technology is the act of verifying that a user is who they say they are. Typically, this is a Username/Password

The problem with passwords is that they can be cracked easily. And once they've been cracked, they're distributed throughout the cybercriminal network.

Factor 1 - Something you know (a Password/PIN/Security Question)
Factor 2 - Something you have (Hardware Token/One-time authentication code/SMS)
Factor 3 - Something you are (Biometrics -
Factor 4 - Somewhere you are - a known location (Home/Office).



Most carriers now require these MFA controls to be in place:
MFA for remote networks - A massive increase in remote-working due to Covid-19. (MFA for remote networks reduces the potential for a network security breach caused by a compromised password)
MFA for admin access - This area is of massive importance; your business solution admins hold the keys to your business! (MFA for admin access limits an attacker's ability to access a compromised network)
MFA for remote email access - So much detail in the data that is bouncing around in your emails.

Why are insurance carriers demanding that we have MFA, rather than recommending? Here's what Microsoft say on this: "By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. Knowing or cracking the password won't be enough to gain access."

Passwords cannot be your only form of defence, and hackers can crack your password and immediately gain access to all services available to you, within seconds/minutes. MFA provides a massive obstacle that needs to be put in place, so those criminals can't just walk into your house and take what they want - ie, your

Microsoft and Google suggest that MFA can block over 99% of account compromise attacks
The Cyber insurance market is expected to grow by 21% in 2021, making it a $9.5 billion industry
31% of cyberattacks are aimed at businesses with under 250 staff
Microsoft registers over 300 million fraudulent sign-in attempts, daily
60% of your customers will think about leaving you, should a cyber breach ever occur and become public knowledge. 30% will walk away.

Is the loss of 30% of your business more or less than an adequate cyber resilience budget? And what about reputational damage as well? The loss of 30% of business is one thing, but what about the loss of future new business?



product review

Email is responsible for the majority of data breaches - and leaks with human error are cited regularly as the main cause. The reasons are manifold and range from misaddressed emails to using CC instead of BCC; and, if the message contains confidential information, companies could be violating GDPR compliance and facing hefty fines.

This is where Zivver steps in, as its Secure Email is a deceptively simple solution that combines machine learning, AI and end-to-end encryption to protect outbound email throughout the entire creation and delivery processes. A key feature of Zivver is extreme ease of use, as it slips seamlessly into existing working practices with minimal disruption and integrates neatly with Outlook, OWA and Gmail, so users only require basic

Fundamental to Zivver is its business rules, as these are applied in real-time to every message during creation and prior to sending. Examples include options to enforce 2FA when sensitive information in the subject, body or attachment is detected, BCC checks and non-recent sharing of confidential information. Zivver detects NHS and credit card numbers in emails and uses checksum algorithms to confirm they are genuine numbers. Rules have three actions, where they highlight possible rule breaches, warn users that they should rectify the breach or block them, if they don't.
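The review notes that Zivver confirms detected NHS and card numbers with checksum algorithms rather than matching digit patterns alone. The following is an added example, not Zivver's code and not a description of its implementation, of why that matters: a digit-run regex alone would flag order references and phone numbers, while the Luhn mod-10 check (payment cards) and the NHS number's modulus-11 check digit let a rule engine act only on values that are arithmetically genuine. The message text, card number (a well-known test number) and NHS number are constructed sample data.

```python
"""Checksum-based detection of card numbers and NHS numbers in outbound mail.
Constructed example: a regex finds digit runs, then the Luhn (cards) and
modulus-11 (NHS) checks weed out reference numbers that merely look similar."""
import re

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers (ISO/IEC 7812)."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def nhs_number_valid(digits: str) -> bool:
    """Modulus-11 check digit of the 10-digit NHS number: weights 10..2 over
    the first nine digits; a remainder giving 10 is never valid, 11 maps to 0."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])

# 10 to 19 digits, optionally separated by single spaces or hyphens
CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){9,18}\d(?![\d-])")

def scan_message(text: str) -> list:
    """Return (kind, matched_text) for every digit run that passes a checksum.
    Runs that fail both checks (order numbers, phone numbers) are ignored, which
    is what keeps the rule from warning users about every long number."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if nhs_number_valid(digits):
            findings.append(("nhs_number", m.group()))
        elif 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("card_number", m.group()))
    return findings

# Constructed sample message (not real data): one genuine NHS number and one
# standard test card number, plus an order reference and a mistyped NHS
# number that must not trigger.
SAMPLE_EMAIL = (
    "Hi Sam, the patient's NHS number is 943 476 5919 and the card "
    "4111 1111 1111 1111 was used. Our order ref is 1234 5678 9012 3456; "
    "the mistyped NHS number 943 476 5918 should not match."
)

if __name__ == "__main__":
    for kind, value in scan_message(SAMPLE_EMAIL):
        print(f"{kind}: {value}")
```

A rule engine would feed the non-empty result into one of the three actions described above (highlight, warn or block); the checksum step is what keeps the false-positive rate low enough for "block" to be usable.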

Deployment is, indeed, a simple process and starts by providing organisation and email domain details in your Zivver cloud portal account. Customisation features are extensive, and include portal branding and creating personalised notification messages for recipients.

Setting up Zivver users is simple, as you can add them manually, where they receive an invitation to create a personal account and set up 2FA. Larger organisations can employ Zivver's SyncTool to synchronise Active Directory and Exchange accounts.

Our test users were running Outlook and just needed to download the Zivver Office plug-in. This added a new option to the Outlook menu ribbon where they could log in to their account and, if permitted, access its message control

Procedures for creating new Outlook emails are exactly the same, but Zivver adds an upper toolbar to the message highlighting actions required by the user. Each new recipient must be verified and methods include sending them an email, providing a one-time access code, applying an organisational code and sending an SMS to a valid mobile number.

If sensitive information is detected, the toolbar highlights this and reacts dynamically to changes made to any part of the message. Attachments are scanned when added and a standout feature is that Zivver supports file sizes up to 5TB.

To open secure emails, recipients simply click the message body link and they are transported to the Zivver portal where they enter their verification details. They don't require a Zivver account, and can receive secure emails and reply to them, irrespective of their location or email

We all know how ineffective standard email recall processes are, but Zivver users can confidently recall messages sent in error. Furthermore, if they haven't been accessed by any recipients prior to withdrawal, Zivver guarantees that potential data leaks have been contained and won't need reporting.

Along with extensive auditing features in the admin portal, users can view all emails from their client, see which recipients opened them and who downloaded attachments. They can also log in to their personal Zivver portal account and view them from there as

Zivver Secure Email is a simple solution to a major problem that plagues businesses of all sizes. It's incredibly easy to deploy, requires no changes in working practices and ensures that confidential information sent by email is totally secure.

Product: Secure Email
Supplier: Zivver
Web site: www.zivver.com
Tel: +44 (0)20 3285 6300









Some say 'yes', others say 'no' - should you pay the ransom? Law enforcement does not encourage, endorse, nor condone the payment of ransom demands. Why? Because they say that, if you do pay the ransom:
There is no guarantee you will get access to your data or computer
Your computer will still be infected
You will be paying criminal groups
You're more likely to be targeted in the

How true is this? Doesn't paying up and having your data access reinstated give the hackers a better image? Or are there so many 'pickings' out there, they don't really care one way or the other?

Then there are all the other issues around what has become a massive enterprise in itself. Since there's no way to completely protect your organisation against malware infection, what should you do to keep ransomware at bay? Is a 'defence-in-depth' approach the right one, using layers of protection, with several mitigations at each layer? You'll have more opportunities to detect malware by adopting that approach and then stop it before it causes real harm to your organisation. That said, should you assume anyway that some malware will infiltrate your organisation, at some point, whatever strategies you put in place? For every possible plus point there appears to be a minus, so what is the best way to limit the impact a ransomware attack would cause and speed up your response?

Brooks Wallace, VP EMEA at Deep Instinct, says that the argument as to whether or not an organisation should pay a ransom is "causing quite a dilemma" in the corporate boardroom. "While it may be easy to say that an organisation shouldn't pay ransom, there are many factors to consider. Imagine you are the family of someone in the intensive care unit of a hospital taken offline by a ransomware attack. Think of critical infrastructure providers or banks. At that significant point in time, when hours count, you don't care about principles or policies. You just want the situation to be fixed."

There appear to be increasing discussions among board members about what to do in the case of a ransomware attack, how to overcome it should one occur and whether their insurance policies will help. "Trying to make decisions during an attack itself only adds to the pressure and could worsen the crisis, so it is best to make these decisions beforehand and plan in case of an attack. This should include the decision of whether to pay for the attack or not."

Condemning those organisations that are unfortunate enough to have been hit by a ransomware attack doesn't help anyone or change behaviours, he adds. "Having best practice guidelines and the rationale behind



these would be more valuable. There should be a strong encouragement not to pay ransoms, but, in parallel, investment needs to be made in stopping the attack in the first place. Prevention is far better than cure."

Any intelligence that can be gathered post breach helps understanding for the future. "But what's even better is a 'prevention first' approach that features a multi-layered defence system, with more than one swing at the ball to stop an attack. We need to spend more time on stopping these attacks pre-execution, before the damage is done. Many technologies need an attack to execute and run before they are picked up and checked to see if they are malicious, sometimes taking as long as 60 seconds or more. When dealing with an unknown threat, 60 seconds is too long to wait for an analysis."

In order to ensure business continuity, organisations need to invest in solutions that use technology such as deep learning, "which can deliver a sub-20 millisecond response time in stopping a ransomware attack, pre-execution, before it can take hold, actually predicting the ransomware attack and therefore protecting the organisation," Wallace states. "Using this type of technology means organisations no longer need to worry about whether or not to pay a ransom, as there is a solution that prevents the attack

"Furthermore, investing in a solution that offers a 'ransomware warranty', whereby the organisation receives a certain amount if they experience a ransomware attack using that provider's technology, is beneficial. Warranties ensure an extra level of protection, should a ransomware attack occur, and allow for some alleviation, in terms of how much it will cost the organisation to recover after the attack."

Callum Roxan, head of Threat Intelligence at F-Secure, accepts that the payment of ransoms to cyber criminals is not a "socially optimum outcome, but in the moment, faced with the loss of income, data and reputation, many organisations will feel backed into a corner where they will 'have to' pay." "Ever-evolving extortion models and technological advances ensure organisations need to continually invest to keep up to speed with the latest threats posed by the sprawling ransomware ecosystem. In purely financial terms, the judgment is often made that accepting the risk of ransomware is more palatable than investing heavily into cybersecurity to mitigate the risk."

The continued payment of ransom demands funds additional advancements, continued operation and acts as an incentive to attract new actors to conduct ransomware attacks. "Breaking this cycle is something governments and the cyber security industry need to fix, shifting the balance of incentives to not paying ransoms and making securing your organisation against these threats less costly and more effective."

All too often, organisations put too much focus on the detection and response of a ransomware attack, instead of looking at the steps that have allowed an attacker to get to the point of demanding ransom, argues Mike Fleck, VP marketing at Cyren. "The ransom of an attack is so far along the attack chain that, by the time the 'ransomware' attack has already been deployed, it's too little, too late."

He divides ransomware attacks into two categories: a 'drive-by attack', which tricks users into installing malware onto their devices, whether that be a PC at home or a healthcare kiosk in an emergency room. While these attacks directly affect those users, they are random as to whom they affect. "The more serious attacks are the ones that target a specific organisation. The attackers look for the most impactful way to infect an organisation through the vulnerabilities they find and then launch a ransomware attack. In order to get to that point, the attackers would have had to identify the organisation, find the vulnerabilities within that organisation, launch the malware and then deploy the ransomware attack."

Often the cause of a ransomware attack and the attacker's access point into an organisation, adds Fleck, is through a phishing email where an unsuspecting user has clicked on a link, which then deploys a backdoor on the device, allowing the attacker to gain access into the organisation's network and find its vulnerabilities. "Organisations need to look at the precursors to ransomware attacks and the steps that get the attacker to where they need to be before they launch the malware itself."

Phishing attacks will always enter your network and breach your organisation, he points out. "Therefore, the focus needs to be on the antecedents to the attack and understanding what they are, in order for the organisation to deal with the attack better. Only then will organisations be able to remediate properly, rather than focus on detection of, and response to, the final step in the attacker's plan. At present, email security is overly focused on prevention, which demonstrates diminishing returns for each new layer of detection. By adding a real-time detection and automated remediation capability to identify and eliminate phishing threats rapidly, we can minimise the impact of when a phishing email makes it through our defences."

At Bitdefender, while the company expects to see ransomware operators continuing to offer new and more dangerous versions of ransomware, the company's director of Threat Research and Reporting, Bogdan Botezatu, states that it will maintain its commitment to helping users regain control of their digital lives and denying profits to attackers. "Collaboration between major cyber-security solution providers and law enforcement agencies allows us to combat the devastating effects of ransomware and help victims whose data would otherwise either be lost forever or generate large amounts of money for the cyber-crime

Bogdan Botezatu, Bitdefender: collaboration between major cyber-security solution providers and law enforcement agencies allows us to combat the devastating effects of ransomware.

Brooks Wallace, Deep Instinct: the argument about whether or not an organisation should pay a ransom is causing quite a dilemma in the corporate boardroom.


Computing Security also wanted to get some 'historical' perspective on ransomware, such as instances of who has paid up, where attacks have been state-sponsored and the emergence of ransomware-as-a-service. Well versed in such matters is LogPoint CTO Christian Have and he provided a detailed inside view on all those issues.

"Ransomware attacks are becoming increasingly devastating to companies. Not only do they inflict massive disruptions to operations, but criminals are also asking for ever-larger ransoms to unlock the encrypted files and machines hit by the attacks. Throughout the last months, state-sponsored ransomware attacks inflicting damage on critical infrastructure have dominated the headlines. JBS recently paid 11 million dollars following an attack that shut down all the company's US beef plants. Just before that, an attack paralysed Ireland's health services for weeks in the middle of a pandemic. The attack happened in the wake of the Colonial Pipeline attack that caused fear of gas

"CNA Financial, one of the largest insurance companies in the US, reportedly paid 40 million dollars to get access to its files and to restore its operations, making it the largest reported ransom paid to date. In comparison, 40 million dollars is more than most companies spend on their cybersecurity budget - it is even more than what many companies spend on their entire IT budget.

"Due to the surges in state-sponsored ransomware attacks in the US and Europe, many government institutions, including the White House, have urged companies to bolster their defences to help stop the ransomware groups. The G7 group has called on Russia, in particular, to identify, disrupt and hold to account those within its borders who conduct ransomware attacks and other cybercrimes. One of the few outcomes of the Biden-Putin summit is an agreement to consult on cybersecurity. However, the agreement is ambiguous without any specific actions."



"Stopping ransomware groups is no small task. The scale of the economy behind these groups is significant. Many active groups have corporate structures, with roles and responsibilities that mirror regular software development organisations," Have points out. "These criminal organisations are well funded and highly motivated to develop their attacks - but their revenue streams do not begin or end with victims paying up a ransom. There is an entire ransomware ecosystem, capitalising on successfully executing attacks." This includes:

Groups selling access to platforms that deliver end-to-end ransomware-as-a-service for other groups to use.

Brokers that deliver teams of highly specialised developers that can build and deploy malware. Think of this as malware recruiting.

Certain groups only gain access to corporate networks. They will not actively disrupt the operations or demand ransom; instead, they sell access to victims for other groups to capitalise on.

The increasing sophistication of ransomware groups has led many organisations to implement a multitude of tools to help detect and prevent attacks. But what really works?



For the last 15 years, CISOs, security operations teams and security vendors have put a significant focus on complex attacks and staying on top of the cutting edge of what adversaries can do, he continues. "For example, the malicious computer worm Stuxnet launches extremely advanced campaigns. The result is that a lot of organisations have a relatively extensive portfolio of advanced technologies. These technologies are expensive, complex to use and even more complex to integrate with each other and the surrounding security

"The Colonial Pipeline breach happened because a remote access platform failed to enforce or require multi-factor authentication. Combined with a shared password used among several users, attackers found a way into the infrastructure. Advanced detection tools are not meant to detect such basic mistakes.

"Failing to cover the basics - patching, secure configurations or following best practices - is a pattern repeating itself in many of the recent attacks. It is not without reason that every authority on cybersecurity has patching and baselining configurations as some of the first recommendations for companies to strengthen their cybersecurity

So why are companies not just patching everything, implementing the Zero Trust model and forcing multi-factor authentication everywhere? Especially when the most considerable material risk to the operations and existence of the organisation is a ransomware attack? "IT operations is hard," he responds. "The security operations team, IT operations team and enterprise risk management team often have siloed thinking, with different objectives and incentives. Aligning activities and goals across various departments is, without a doubt, part of the problem.

"One of the things we hear from our customers is that they need a unified overview of the technical risk aspects. Implementing a unified solution such as Zero Trust orchestration or XDR is complex and, in many cases, expensive. Some of our customers are turning to fewer vendors and relying on open standards - for example, MITRE for a taxonomy of attacks, MISP to share threat observations and YARA to identify malware indicators - to offload some of the headaches of aligning different departments' ways of working."


When critical infrastructure is under attack through large and small companies, it is obvious that more technology will not solve the issue alone, Have insists. "Outsourcing IT operations or security operations alone is not solving the problem either. With that in mind, I see three paths forward."

Law enforcement agencies must cooperate across borders to target ransomware groups, track payments and ultimately change the operational risk for these groups, so that it is more expensive to do illicit business.

Breaking down silos within organisations, getting the cybersecurity, IT operations and risk management teams to speak the same language and align expectations. Who owns the backup - IT? Who is responsible for the disaster recovery - Security? Who owns the business continuity planning - Enterprise risk

More laws and regulations on the matter. GDPR has done a lot to bring focus and awareness about reporting breaches to infrastructure. "But more is needed," Have insists. "GDPR works for personal data, but disruptions to critical infrastructure following a ransomware attack are not necessarily under the umbrella of GDPR and, as such, can go under the radar. With more sharing, increased focus and potentially fines levied against organisations that fail to prevent or protect their infrastructure adequately, boardrooms will begin to take the threat

Callum Roxan, F-Secure: ever-evolving extortion models and technological advances ensure organisations need to continually invest to keep up to speed with the latest threats.

Christian Have, LogPoint: many active groups have corporate structures, with roles and responsibilities that mirror regular software development organisations.


threat intelligence

Paul Prudhomme, IntSights, a Rapid7 company: good cyber threat intelligence companies create reports on the ransomware gangs that organisations should watch out for.

According to Paul Prudhomme, head of Cyber Threat Intelligence Advisory at IntSights, a Rapid7 company, the goals of cyber threat intelligence are to provide network defenders with the specific information they need, in order to improve their defences against the continuously evolving threat landscape and ultimately to prevent those threats from compromising organisations in the first place.

"Cyber threat intelligence programs should aim to inform stakeholders about potential attacks before they happen, not after they happen. Many security leaders learn about significant threats and incidents, such as the May 2021 ransomware attack on the Colonial Pipeline by Darkside ransomware operators, from mainstream news media coverage. If they had robust cyber threat intelligence programs, however, they would have already been familiar with the Darkside ransomware affiliate program well before the Colonial incident."

Darkside had already made a name for itself in underground criminal circles and should have shown up in any cyber threat intelligence coverage of dark web communities before the Colonial incident, he points out. "Good cyber threat intelligence companies create reports on the ransomware gangs that organisations should watch out for. If Colonial had been receiving those reports, perhaps it could have taken steps to improve its defences against Darkside attacks and reduced the attackers' likelihood of success."

In a multi-layered network defence strategy, cyber threat intelligence is the outermost layer, adds Prudhomme. "It enables organisations to adjust their defences in advance of a potential attack. If cyber threat intelligence fails, and the targeted organisation is unaware of, and has not prepared for the threat, it must fall back on its inner layers of network defence and hope that they were already robust enough to prevent the intrusion."


There are certain types of threats that are nonetheless advanced enough to evade many, most or all of an organisation's multiple layers of defence, including cyber threat intelligence, he adds. "Advanced threat actors, which usually [but not always and not necessarily] come from state-sponsored groups, invest considerably more time, effort and other resources in their attempts to avoid detection by security researchers and security solutions. The state-sponsored groups that are the source of most advanced threats are also more relentless in their pursuit of targets, as the intelligence requirements of their government stakeholders give them less flexibility in their targeting than their criminal counterparts."

The greater challenges of detecting advanced threats that go to greater lengths to evade detection have given rise to the variety of security solutions known as advanced threat protection (ATP), Prudhomme continues - see page 24. "Simpler and more conventional detection methods, such as indicators of compromise (IoC), are often inadequate for detecting threats in this category. For example, advanced threat actors may alter their malware payloads more frequently, in order to avoid IoC-based detection of their file hashes. They may even monitor security research publications to see if and when security researchers have identified their infrastructure as malicious and make changes accordingly. Heuristics, machine learning and artificial intelligence are among the many ways that security solutions can overcome these
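The point Prudhomme makes about file-hash IoCs, shown in an added example that is not from the article or from any vendor named in it: a one-byte change to a rebuilt payload defeats an exact-hash indicator, while a YARA-style rule written against behaviour-revealing content (here expressed in plain Python, with constructed sample bytes rather than real malware) still fires on the variant and stays quiet on a benign file.

```python
import hashlib
import re

# Constructed sample "files" (not real malware): a known-bad sample, a rebuilt
# variant that differs by a single byte, and a benign installer stub.
ORIGINAL = (b"MZ\x90\x00" + b"\x00" * 8
            + b"cmd.exe /c powershell -enc SQBFAFgA"
            + b"\x00" * 4 + b"http://c2.invalid/beacon")
VARIANT = ORIGINAL.replace(b"SQBFAFgA", b"SQBFAFgB")   # re-packed: new hash
BENIGN = b"MZ\x90\x00" + b"setup helper" + b"\x00" + b"http://updates.invalid/check"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# What a published IoC list would contain: the hash of the sample seen in the wild.
IOC_HASHES = {sha256(ORIGINAL)}


def ioc_match(data: bytes) -> bool:
    """Hash-based IoC check: an exact match on the whole file, nothing else."""
    return sha256(data) in IOC_HASHES


# A YARA-style rule in Python: named string patterns plus a condition over them.
# The condition needs the executable header and at least two of the three
# behaviour-revealing strings, so a benign file carrying one URL does not fire.
RULE = {
    "name": "constructed_downloader_behaviour",
    "strings": {
        "$mz": re.compile(rb"^MZ"),
        "$cmd": re.compile(rb"cmd\.exe\s+/c", re.I),
        "$ps": re.compile(rb"powershell\s+-enc\s+[A-Za-z0-9+/=]{4,}", re.I),
        "$c2": re.compile(rb"https?://[^\s\x00]+/beacon", re.I),
    },
    "condition": lambda hit: hit["$mz"]
    and sum(hit[k] for k in ("$cmd", "$ps", "$c2")) >= 2,
}


def rule_match(data: bytes, rule: dict = RULE) -> bool:
    """Evaluate which strings are present, then the rule's condition over them."""
    hits = {name: pat.search(data) is not None for name, pat in rule["strings"].items()}
    return bool(rule["condition"](hits))


def scan(samples: dict) -> dict:
    """Return {sample_name: (hash_ioc_hit, rule_hit)} for each sample."""
    return {name: (ioc_match(data), rule_match(data)) for name, data in samples.items()}


if __name__ == "__main__":
    results = scan({"original": ORIGINAL, "variant": VARIANT, "benign": BENIGN})
    for name, (ioc, rule) in results.items():
        print(f"{name:9} hash-IoC={ioc!s:5} rule={rule}")
```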



Todd Carroll, CybelAngel CISO, says threat intelligence is massively important for organisations, since even large companies have limitations on resources, so efforts must be put into projects that will pay off and keep them safer.

"Cybercriminals are calculated. They have preferences on who they target - hospitals generally pay out more often, but EU-based targets tend to have more to offer. Threat actors also have a pattern of preparation for attacks, including buying batches of credentials, using Shodan to locate assets and hiring penetration testers to see what access can be granted. Next, they have a pattern of attack, which includes accessing an RDP (Remote Desktop Protocol), then upgrading permissions with the chosen CVE (Common Vulnerability Exposure) and using a particular type of malware on IP addresses to gain a foothold over command and control servers. Finally, they have a pattern of extortion: single extortion, double extortion, potentially data exfiltration and making decisions on giving up decryption keys upon payment."

How do you choose to interrupt that modus operandi and where will the lightest touch have the biggest effect? "Cyber Threat Intelligence is the answer," he states. "It informs a company that, by updating their servers with a particular patch, the crucial CVE is mitigated. Maybe you block some IP addresses, so that command and control servers can't communicate with the malware/ransomware program. Perhaps this cyber threat is not interested in attacking your

How analysts go about this is through cyber forensics and dark web monitoring. "The forensics gives us the hard data: it was this CVE, on that server type, port number #### was used and this person's password was compromised. Dark web monitoring is useful, since many criminals like to brag. Dark Web forums have advertisements to recruit pen testers, people with access and passwords for sale: 'Join our ransomware gang!' 'Fair pay!' 'Easy work!' 'All the steps are in this playbook!' 'Helplines are available!'"

Similar to solving a mystery, threat intelligence combines the physical evidence with motive and applies it to other companies to see if they are at risk, too. "If yes, here are tactical options, update that, block this, monitor those. Then there are strategic options - make RDPs harder to spin up, automate security settings for new databases and institute multifactor


Since the start of this year, Accenture Cyber Threat Intelligence has, according to its '2021 Cyber Threat Intelligence Report', observed a slight, but noticeable, increase in threat actors selling malware logs, which constitute data derived from information stealer malware. Information stealers can collect and log a wide range of sensitive system, user and business information. "A threat actor can use malware logs to masquerade as a legitimate network user and avoid detection, gaining initial access to a victim system by using valid credentials. Threat actors often use malware logs to access an organisation's Web resources and attempt to access privileged administrator accounts on an organisation's webservers."

In some cases, they may try to access computers on a victim's network via services like RDP or SSH. A common alternative action is for threat actors to sell malware logs directly to hackers or in bulk to 'malware log' Dark Web marketplaces, such as Genesis Market or Russian Market.


email spoofing

Tim Callan, Sectigo: it is scarily easy to manipulate and falsify business emails in myriad ways.

Business Email Compromise (BEC) attacks are a technique where cybercriminals spoof emails to impersonate someone recognised, such as an employee's supervisor, executive or vendor. This is so they can exploit trusted relationships and trick employees into wiring company funds, sharing proprietary information or even granting access to the system.

As Tim Callan, chief compliance officer, Sectigo, points out, the FBI's 2020 Internet Crime Report [i] revealed how BEC-related losses increased from some $1.29 billion in 2018 to $1.86 billion in 2020. "Phases of setting up an attack include the initial researching and identifying of targets, and then setting up the attack by performing activities, such as spoofing email addresses," he points out.

"In the execution phase of a BEC attack, it could take place in one email or an entire thread, often using language of persuasion and urgency to gain the victim's trust, also including instructions to facilitate making payments to fraudulent accounts. Once the money has been acquired by the attacker, it is quickly collected and disseminated to reduce traceability and retrieval chances."


"Virtually every single business relies upon email as a fundamental form of communication, especially in the era of hybrid work, and ironically, it is scarily easy to manipulate and falsify business emails in myriad ways. Cyber-criminals are aware of companies' reliance on them and are perpetrating a variety of attacks to profit from it," adds Callan.

The number of estimated business email compromise (BEC) scam attempts that have been perpetrated worldwide from 2017-2020 [ii] has risen dramatically, from 9,708 to 17,607 attacks. Additionally, a total of 74% of organisations are not prepared for phishing [iii] and malware attacks, with the majority of these attacks being carried out through BEC attacks specifically.

"Now it is even more concerning that these cybercriminals are recruiting English speakers [iv] for these forms of attack, making them harder to spot and therefore all the more effective. This will inevitably see more of an increase of successful campaigns, if businesses do not look at ways to spot and prevent the attacks."


Because BEC is a social engineering scam, employees should be informed how to spot fraudulent emails, advises Callan. "Most businesses are successfully targeted, due to most employees lacking IT-specific technical skills and knowledge. Speed is paramount during an attack, meaning industries must rapidly train their employees to spot and avoid the latest attack vectors."

Implementing email certificates is a quick and easy fix to decrease the chances of BEC attacks, combined with ongoing employee training, he points out. "An ideal solution should also integrate with secure email gateways, allowing the gateway to decrypt and encrypt, so that it can continue to deliver on its valuable function. It should provide the recipient better delivery choices and use the native mail client to decrypt the email without leaving the application.

"The appropriate certificate type to secure public email is called a Secure/Multipurpose Internet Mail Extension (S/MIME) certificate. These certificates offer a logical approach for preventing business email compromise attacks. With this," he states, "businesses will be able to block malicious actors."
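The impersonation pattern Callan describes (a borrowed executive name, a spoofed or lookalike sender domain, and payment language with urgency), turned into the checks a mail gateway or analyst script can run, as an added example that is not from the article or from Sectigo; the organisation domain, the directory entry and the two messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation data (hypothetical): our domain and a directory of
# people whose display names attackers like to borrow, mapped to their real address.
OUR_DOMAIN = "example.com"
DIRECTORY = {"alice ceo": "alice.ceo@example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|wire transfer|new bank details)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_ours(domain: str) -> bool:
    """True for a domain imitating OUR_DOMAIN without being it (examp1e.com, exampl.com)."""
    if not domain or domain == OUR_DOMAIN:
        return False
    label = domain.split(".")[0].translate(str.maketrans("015", "ols"))  # homoglyph digits
    return _edit_distance(label, OUR_DOMAIN.split(".")[0]) <= 1


def bec_findings(raw: str) -> list:
    """Return the BEC indicators present in one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = []
    known = DIRECTORY.get(" ".join(name.lower().split()))
    if known and addr.lower() != known:          # familiar name, unfamiliar address
        findings.append("display-name impersonation")
    if looks_like_ours(from_domain):
        findings.append("lookalike sender domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:  # replies are steered elsewhere
        findings.append("reply-to domain mismatch")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgency or payment-change language")
    return findings


# Constructed messages: one BEC-style lure, one genuine internal note.
SPOOFED = """From: Alice CEO <alice.ceo@examp1e.com>
Reply-To: Alice CEO <ceo.alice@webmail.invalid>
To: bob@example.com
Subject: Urgent wire transfer

Bob, please send the wire transfer immediately. New bank details attached.
"""
LEGIT = """From: Alice CEO <alice.ceo@example.com>
To: bob@example.com
Subject: Board deck

Bob, the deck looks good. Thanks.
"""
```

Any non-empty result is a reason to hold the message for review rather than a verdict on its own; S/MIME signing, as Callan recommends, removes the guesswork about who really sent it.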











Secure systems, secure data, secure people, secure business

Product Review Service

The Computing Security review service has been praised by vendors and readers alike. Each solution is tested by an independent expert whose findings are published in the magazine along with a photo or screenshot. Hardware, software and services can all be reviewed.

Many vendors organise a review to coincide with a new launch. However, please don't feel that the service is reserved exclusively for new solutions. A review can also be a good way of introducing an established solution to a new audience. Are the readers of Computing Security as familiar with your solution(s) as you would like them to be?

Contact Edward O'Connor on 01689 616000 or email edward.oconnor@btc.co.uk to make it happen.
