Computing Security
Secure systems, secure data, secure people, secure business

SUPPLY & DEMAND
The supply chain has never been more vulnerable and at risk

NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS

BACKING YOURSELF
How to achieve backup protection - with your workforce fully engaged

RANSOMWARE PAYDAYS
If you are a victim, should you give in or fight it out?

CYBER THREAT INTELLIGENCE
Some resources you just can't do without and top intel is one of them

Computing Security October 2021
A First & Last Line of Defence Against Cyberattacks

CREATE A SINGLE STRATEGY FOR DISASTER RECOVERY, BACKUP, CYBERSECURITY, AND APPLICATION AVAILABILITY WITH ARCSERVE!

Arcserve best-in-class solutions - that manage, protect, and recover all data workloads, from SMB to enterprise - eliminate standalone, discrete products for threat prevention, ransomware disaster recovery and application availability. Safeguarded by Sophos Intercept X Advanced for Server, Arcserve uniquely combines deep learning server protection, immutable storage, and scalable onsite and offsite business continuity that delivers complete data resilience for the next generation of hybrid data centres.

arcserve.com/ransomware
comment

POLICE POINT FINGER AT TECH GIANTS

EDITOR: Brian Wall (brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)

Jake Moore, ESET: blaming social media and other technology companies is a desperate and empty argument.

The Metropolitan Police commissioner recently accused tech giants of making it harder to identify and stop terrorists, according to BBC News. The tech giants' focus on end-to-end encryption was making it "impossible in some cases" for the police to do their jobs, Dame Cressida Dick wrote in The Telegraph. In her piece marking the 20th anniversary of the 9/11 attacks, she stressed that advances in communication technologies meant terrorists were now able to "recruit anyone, anywhere and at any time" through social media and the internet. In response, the UK needed to constantly develop its own digital capabilities to keep up with terrorists exploiting technology to their advantage.

Perhaps not too surprisingly, her message echoed that of Home Secretary Priti Patel, who, at a meeting of the G7 interior ministers, launched the Safety Tech Challenge Fund. The fund will award five applicants up to £85,000 each to develop new technologies that enable the detection of child sexual abuse material (CSAM) online, without breaking end-to-end encryption.

But is the stance taken by Dick and Patel fair - or even accurate? Jake Moore, Cybersecurity Specialist at ESET, who sees the endless encryption debate from the police showing no sign of slowing down, believes not. "While more needs to be done to combat online crime, blaming social media and other technology companies is a desperate and empty argument," he says. "Encryption should never be generated with a backdoor - for any use whatsoever. If it were possible, it not only breaks the internet, but would also be abused: used for hacking, tracking and more. It makes a mockery of any attempt at online privacy, which is slowly becoming more important for many people."

Moore adds that what is needed now is better privacy and security, and that "criticising the current encryption system makes the police look like they've lost the war on digital crime". The answer, he argues, lies with a different approach to investigations altogether, adding: "Long gone are the days where the police can call upon an organisation to retrieve logs and communications between two suspects to surveil their actions."

Clearly, it is high time that the forces of law become forces for good by getting out of the blame game and taking some of the burden and responsibility on their own shoulders.

Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
SALES:
Edward O'Connor (edward.oconnor@btc.co.uk) +44 (0)1689 616 000
Lyndsey Camplin (lyndsey.camplin@btc.co.uk) +44 (0)7946 679 853
Stuart Leigh (stuart.leigh@btc.co.uk) +44 (0)1689 616 000

PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)

Published by Barrow & Thompkins Connexions Ltd (BTC)
35 Station Square, Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22

SUBSCRIPTIONS:
UK: £35/year, £60/two years, £80/three years;
Europe: £48/year, £85/two years, £127/three years;
R.O.W: £62/year, £115/two years, £168/three years.
Single copies can be bought for £8.50 (includes postage & packaging).
Published 6 times a year.

© 2021 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.

www.computingsecurity.co.uk October 2021 computing security @CSMagAndAwards 3
contents

CONTENTS
COMMENT 3
Police point finger at tech giants
ARTICLES

ACHIEVING A SECURE WIPE 8
Gareth Owen of Redkey USB delves into the world of Data Wipe Standards

SECURITY AND THE SUPPLY CHAIN 10
With supply chains under heavy pressure and shortages forecast, Paul Harris, Pentest Limited, looks at the implications

NORTHERN IRELAND: HELPING TO BUILD A CYBER-SECURE FUTURE 12
A new type of expertise is helping to safeguard personal, business and government data - and to defend critical infrastructure against hostile attacks

A SHAPE-SHIFTING WORLD 14
Can advanced threat protection (ATP) outwit attackers who now use trusted cloud services and constantly change their tactics to avoid known patterns of behaviour? Or is keeping ahead of such potent forces slipping out of the grasp of those under fire?

ALL THE LATEST INTEL 17
Steven Usher, Brookcourt Solutions, offers his insights on measuring the success of a cyber threat intelligence program

DATA IMPACT ASSURANCE LEVELS 18
The time has come to 'DIAL' it in, states ADISA founder Steve Mellings

CALLING FOR BACKUP 20
What approach should an enterprise take to ensure it has the best protections in place - as well as employees who are fully engaged in making the process work? Getting this right is a complex, but essential, process and the payback its own reward!

SHOULD YOU PAY THE RANSOM? 23
When threatened with a ransom demand, should you just submit? Steven Usher, of Brookcourt Solutions, weighs up the pros and cons

OPERATIONAL RESILIENCE 24
James Drake, of XCINA Consulting, looks at the challenges and many opportunities that new regulations will bring

THE FLAWS IN HOME WORKING 25
Organisations have been opened up to a world of new and unmanaged cyber risk

AUTHENTICATION VS INSURANCE 26
Nick Evans, of SecurEnvoy, considers a perplexing dilemma - and the role of MFA

TO PAY OR NOT TO PAY? 28
Paying ransomware is a topic that greatly divides opinion, especially in the corporate boardroom. Cold logic might dictate that any demand should be firmly rejected. What if it turned out to be a matter of life or death, though - wouldn't that change everything?

KNOWING YOUR ENEMY 32
Threat intelligence is massively important for all levels of organisations, since even large companies have limitations on resources. So, efforts must be put into projects that will pay off and help keep enterprises that much safer

STING IN THE TALE 34
Tim Callan, of Sectigo, on how easy it is to manipulate and falsify business emails

PRODUCT REVIEWS
• Redkey USB 6
• Zivver Secure Email 27

A SHAPE-SHIFTING WORLD
ATTACKERS USE TRUSTED CLOUD SERVICES AND CONSTANTLY CHANGE THEIR TACTICS TO AVOID KNOWN PATTERNS OF BEHAVIOUR. CAN ADVANCED THREAT PROTECTION STILL BE EXPECTED TO KEEP PACE AGAINST SUCH FORCES?

Patrick Wragg, Integrity360: the key to advanced threat protection is layers, ensuring your operating systems and applications are up to date; users are educated; and that you have the latest security solutions in place.

Advanced threat protection (ATP) refers to a category of security solutions that defends against sophisticated malware or hacking-based attacks, targeting sensitive data. ATP solutions can be available as software or as managed services. They can differ in approaches and components, but most include some combination of endpoint agents, network devices, email gateways, malware protection systems, and a centralised management console to correlate alerts and manage defences.

But how do they operate and perform 'in anger', so to speak, and where might there be any weaknesses? At the same time, in a world where the threat levels alter [...]ally and rapidly at an alarming rate, [...]d to be adapted to [...]

HEART OF THE ORGANISATION
[...] email attack is phishing [ie, harvesting login information using spoofed web pages of trusted brands]; once attackers have the ability to remotely log in to a corporate network, they can launch convincible fraud campaigns and surveil the environment to find the most sensitive data to steal or the most business-critical servers to infect with ransomware."

Security controls beyond the gateway have traditionally focused on data loss prevention, sophisticated malware analysis and endpoint security solutions, he points out. "However, advanced email threats still evade detection and containment largely because attackers use trusted cloud services and constantly change their tactics to avoid known patterns of behaviour. Endpoint security agents can quickly spot a compromised device, but it may be too [...] loss prevention can detect sensitive [...] organisation, but [...]
product review

REDKEY USB

With all the focus on cybercriminals and internet attacks, it's easy to forget that data breaches can easily occur if businesses fail to remove confidential data when discarding or selling on their old computers. It's more environmentally friendly to recycle, rather than destroy them, but simply formatting a drive or deleting the data residing on it is not enough, as drives must be securely erased to ensure the data cannot be recovered.

There are plenty of free disk wipe utilities available, but few provide any certification of data removal for auditing purposes and regulatory compliance. Redkey USB looks the ideal solution, as this unassuming memory stick is loaded with military-grade tools for securely erasing SATA HDDs and SSDs, plus USB, NVMe, M.2, PCIe and eMMC storage devices.

Some commercial erasure utilities enforce pay-per-drive licensing, but Redkey USB can be used as many times as you want. A single payment allows you to use the device an unlimited number of times on any number of Windows or Mac computers, and it includes perpetual online updates and support.

Three editions are available and we review the Ultimate version, which enables every feature the company has to offer. All three editions deliver certified secure erase technology, plus 25 defence wipe standards with an Ultimate license, enabling editable reports with field pre-fill options and automated scripting, so the device runs a custom sequence of events when a computer is booted from it.

Security starts before you've even received the product, as it is sent via tracked delivery, with the Redkey USB supplied in a tough tamper-proof package. It arrives blank and is prepared using the Redkey USB Updater utility - a portable executable that must be run on a Windows system with internet access.

Activation is simple, as you insert the device and enter the 20-digit authorisation code hidden under a scratch panel inside the package. Once the code is verified, you can leave the utility to download all required files and prepare the Redkey USB as a bootable device.

At this point, you can use the default automated erase settings or customise them from the utility, while scripting for the Ultimate edition uses a text file on the device that can be modified to define specific wipe sequences. You can, for example, set priorities for erase functions, create a sequence of events, including automatic computer shutdown on wipe completion, and enable auto-saving for erasure reports.

To test the Redkey USB, we left it on its default settings, inserted it in a Dell Precision Windows 10 Pro workstation and selected its UEFI one-time boot option. On first contact, you can choose the default GUI or swap to a text-based version, if the former isn't supported. Countdown timers and audio assistance are provided throughout and, if you do nothing, it will start the erase process on discovered storage devices after one minute. Our test system had a 3TB WD Red SATA HDD, which the Redkey USB automatically 'unfroze' to allow the SATA secure erase command to be used, and then took seven hours to complete the full wipe process, accompanied by screensavers and music.

A detailed PDF report is generated on completion, which can be manually edited with information such as where a backup has been stored and who conducted the erase. This can then be saved directly to the Redkey USB or another removable device.

The Redkey USB is an elegant and affordable solution for professionals and businesses that want certified, standards-based disk erasure services, with lifetime support. If you need to know without any doubt that your data is gone for good, you need Redkey USB.

Product: Redkey USB
Supplier: Redkey USB Ltd
Web site: www.redkeyusb.com
Sales: contact@redkeyusb.com
Price: Home, £19.95, Professional, £39.95, Ultimate, £59.95
ADISA ICT Asset Recovery Standard 8.0 is formally approved by the UK ICO (Approval ICO – CSC/003 and ICO – CSC/004)

Use an ADISA Certified company to be assured of UK GDPR compliance when disposing of your IT assets. Visit adisa.global to find out more

Want to know how to retire assets so you can promote reuse AND meet data protection legislation?

ADISA offers a range of training courses all presented by leaders in the field, including a brand-new course which helps data controllers write an asset retirement program to achieve the objective of meeting sustainability and security targets. Visit adisa.global/training to find out more
data management

ACHIEVING A SECURE WIPE

GARETH OWEN, MANAGING DIRECTOR OF REDKEY USB, DELVES INTO THE WORLD OF DATA WIPE STANDARDS AND, WHERE THERE IS ANY DOUBT OR CONFUSION, ADVISES HOW ORGANISATIONS CAN HANDLE THIS PROCESS RESPONSIBLY

When a computer is liquidated, recycled or repurposed, it is standard practice to sanitise all user data. Typically, this involves erasing the contents of the hard drive to eliminate the possibility of a data breach. Various regulations exist to ensure organisations handle this process responsibly, so most organisations will either take care of the process in-house or outsource the procedure altogether.

DATA WIPE STANDARD
Except in the case of physical destruction, a certified data wipe product will likely be at the heart of the process and, with this, a data wipe 'Standard' will be applied. Data wipe standards provide a convenient, defined and repeatable process. If a data wipe standard is already specified within organisational policy, then little consideration is required. However, if a specific standard is not established, or you suspect your current procedure is inadequate, where do you start?

EXTERNAL ERASE
Traditionally, data wiping involves overwriting a drive with a continuous stream of binary data until the drive is full. This has the effect of destroying any previously stored information. Conventional data wipe standards, such as US 'DOD' and the 'Gutmann 35 pass' wipe method, may sound familiar, but it's common knowledge that traditional data wipe standards are ineffective with modern drives. For example, SSDs and NVMe drives use internal wear management, causing part of the storage medium to be hidden from the user, so an overwrite issued through the host interface never reaches it.

INTERNAL ERASE
More than one method of sanitising a drive has existed for some time now. Drives can now be wiped internally/securely. When the ATA command set was introduced, it enabled the ability to directly interact with the internal functions of a drive. With the right tool, modern drives can be instructed to self-erase. Even more modern drives use the NVMe command set, which implements similar internal erase functions.

A fringe benefit of employing these methods is that the process is relatively fast, because internal erasing is not hampered by any sort of interface bottleneck. Full support for the ATA/NVMe command sets varies between drives, because the implementation of the erase functions is manufacturer dependent. Also, it is not always possible to be 100% sure that a data wipe has been successful, using internal erasure alone.

Besides this, many internal erase compatible drives contain 'hidden areas', such as the Host Protected Area (HPA) and Device Configuration Overlay (DCO). These hidden areas are not ordinarily accessible, yet can potentially hold any form of sensitive data, including malware. Therefore, it's essential that your data wipe standard incorporates the elimination of hidden areas into its process.

CONCLUSION
The most secure data wipe standards must then eliminate any hidden areas before wiping a drive, using a combination of both internal and external erasing methods. More modern standards, such as AGISM (Australian Government Information Security Manual), BSI-GSE, NIST 800-88 Purge and the ADISA Certified Redkey Level 1 standard, already incorporate this degree of complexity into their processes, so are firmly compliant with respect to GDPR, HIPAA and NIST guidelines for data destruction.

However, one minor drawback of the most secure data wipe standards is that they can be time-costly and perhaps even overkill for some low-risk situations, for example when a computer is redeployed internally within an organisation. Under such circumstances, a more efficient HPA and DCO reset, combined with a secure erase, may suffice.
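As an added example (not code from the article or from Redkey USB's own tooling), the Python below models the checks the author says a wipe standard must wrap around an internal erase: read the HPA and frozen state from hdparm-style output before erasing, order the steps for that drive's state, and read back sampled sectors afterwards instead of trusting the drive's own report. The hdparm lines are constructed samples in hdparm's output format and the verified "drive" is an in-memory image, so it runs with no hardware attached.

```python
# Added example: models the HPA check, frozen-drive check, step ordering and
# read-back verification the article asks of a wipe standard. No real device
# is touched; hdparm text below is constructed in hdparm's output format.
import io
import random
import re
from typing import BinaryIO, List, NamedTuple, Optional

# Summary line printed by `hdparm -N /dev/sdX`: accessible/native sector counts.
HPA_LINE = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)", re.I)
# Security section of `hdparm -I`: a "frozen" drive refuses SECURITY ERASE UNIT
# until it is unfrozen (typically by a suspend/resume or power cycle).
FROZEN_LINE = re.compile(r"^\s*(not\s+)?frozen\s*$", re.I | re.M)


class HpaStatus(NamedTuple):
    accessible_max: int  # sectors the host can address today
    native_max: int      # sectors the drive physically reports
    hidden_sectors: int  # native - accessible: space an overwrite never reaches


def parse_hpa(hdparm_n_output: str) -> HpaStatus:
    """Return HPA status from hdparm -N output; raise if the line is inconsistent."""
    m = HPA_LINE.search(hdparm_n_output)
    if not m:
        raise ValueError("no 'max sectors' line in hdparm -N output")
    accessible, native = int(m.group(1)), int(m.group(2))
    hidden = native - accessible
    # hdparm reports "enabled" exactly when the counts differ; cross-check so a
    # garbled line cannot pass as "no HPA".
    if hidden < 0 or (hidden > 0) != (m.group(3).lower() == "enabled"):
        raise ValueError("HPA flag disagrees with sector counts")
    return HpaStatus(accessible, native, hidden)


def security_frozen(hdparm_i_output: str) -> bool:
    """True if the hdparm -I security section reports the drive as frozen."""
    m = FROZEN_LINE.search(hdparm_i_output)
    if not m:
        raise ValueError("no frozen/not frozen line in hdparm -I output")
    return m.group(1) is None


def non_blank_sectors(dev: BinaryIO, total_sectors: int, sector_size: int = 512,
                      samples: int = 256, fill: int = 0x00,
                      seed: Optional[int] = None) -> List[int]:
    """Read sectors back after an erase; return the indices not filled with `fill`.

    Sector 0 and the last sector (partition table and GPT backup) are always
    read; the rest are a random sample, or every sector when `samples` covers
    the whole device.
    """
    if samples >= total_sectors:
        chosen = range(total_sectors)
    else:
        rng = random.Random(seed)
        chosen = sorted({0, total_sectors - 1}
                        | set(rng.sample(range(total_sectors), samples)))
    expected = bytes([fill]) * sector_size
    bad = []
    for n in chosen:
        dev.seek(n * sector_size)
        if dev.read(sector_size) != expected:
            bad.append(n)
    return bad


def verify_image(data: bytes, sector_size: int = 512, samples: int = 256,
                 seed: Optional[int] = None) -> List[int]:
    """Convenience wrapper: verify an in-memory disk image instead of a device."""
    return non_blank_sectors(io.BytesIO(data), len(data) // sector_size,
                             sector_size, samples, seed=seed)


def plan_sanitisation(hpa: HpaStatus, frozen: bool, low_risk: bool) -> List[str]:
    """Order the steps from the article's conclusion for this drive's state."""
    steps = []
    if hpa.hidden_sectors:
        steps.append(f"reset HPA/DCO to expose {hpa.hidden_sectors} hidden sectors")
    if frozen:
        steps.append("unfreeze drive so SECURITY ERASE UNIT is accepted")
    steps.append("internal erase: ATA SECURITY ERASE UNIT or NVMe sanitize")
    if not low_risk:  # redeployment inside the organisation may skip this pass
        steps.append("external overwrite across the full native capacity")
    steps.append("read back sampled sectors to confirm the drive is blank")
    return steps


# Constructed samples in hdparm's output format (not captured from a real drive).
HDPARM_N_WITH_HPA = "/dev/sdb:\n max sectors   = 5860531120/5860533168, HPA is enabled\n"
HDPARM_N_NO_HPA = "/dev/sdb:\n max sectors   = 5860533168/5860533168, HPA is disabled\n"
HDPARM_I_FROZEN = "Security:\n\tnot\tenabled\n\tnot\tlocked\n\tfrozen\n"

if __name__ == "__main__":
    hpa = parse_hpa(HDPARM_N_WITH_HPA)
    for step in plan_sanitisation(hpa, security_frozen(HDPARM_I_FROZEN), low_risk=False):
        print("-", step)
    image = bytearray(64 * 512)                  # 64-sector image "erased" to zeros...
    image[10 * 512:10 * 512 + 8] = b"leftover"   # ...except one sector left behind
    print("non-blank sectors:", verify_image(bytes(image), samples=64))  # [10]
```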
supply chain threats

Paul Harris, Pentest: Digital supply chains can be seen as an easy target for malicious threats.

SECURITY AND THE SUPPLY CHAIN

WITH SUPPLY CHAINS UNDER EXTREME PRESSURE AND SHORTAGES FORECAST, PAUL HARRIS, MANAGING DIRECTOR, PENTEST LIMITED, LOOKS AT THE IMPLICATIONS OF SUCH THREATS FROM AN ECONOMIC, BUSINESS - AND SECURITY - STANDPOINT

As I write this article, supply chains are hitting the headlines. Retailers are warning there could be a shortage of toys at Christmas, McDonalds ran out of milkshakes and Nando's were forced to close restaurants, because their supply chain was, and I quote, "having a bit of a 'mare". These are the more trivial headlines, but things could be serious and everyone from car manufacturers to building merchants, the NHS to food producers, are talking about supply chain issues.

Whether these supply chain issues are because of Brexit, Covid, increasing demand, staffing levels or a combination of things is up for debate and it's yet to be seen whether many will play out. But, whatever the cause, or whatever the outcome, these scenarios clearly demonstrate the effects supply chain disruption can have from an economic and business standpoint, as well as on a personal level.

DIGITAL SUPPLY CHAIN
Physical supply chains are the focus of these headlines and the threat of empty supermarket shelves, as well as rising prices, is always going to hit the news. But, for organisations, supply chains aren't just physical, they can also be digital. Many, if not most, of today's organisations rely on digital products and software suppliers to ensure day-to-day operations, and if that supply chain was disrupted, for any reason, then organisations, and ultimately consumers, could see similar negative effects.

An example of this occurred in June this year, when a 'bug' within the software of the content delivery network (CDN) provider, Fastly, was triggered by a customer. The flaw ultimately took down 85% of the company's network and caused outages for many of its well-known customers, such as BBC News, Spotify, Amazon and the Gov.uk website. The outage lasted for just under an hour and, for many, it wasn't too serious, but for those reliant on website traffic and online orders - for example, Amazon - the outage could have cost the company $32m in sales, according to one calculation. This just shows the business impact when part of your digital infrastructure, supplied by a third party, is disrupted.

Companies will obviously want to mitigate against disruptions such as the one above by having contingency plans in place, but technology issues aren't the only consideration organisations need to be making when looking at their digital supply chain: they also need to look at security.

Digital supply chains can be seen as an easy target for malicious threats and, in some cases, they can provide the most effective route into an organisation, especially those with robust security measures in place. Why spend time trying to breach an organisation with tough security measures when you can target a smaller, less security-mature company within their supply chain and look for a way to move between them? It can be as easy as that.

ON TARGET
Take the example of Target, the US retailer. In 2013, attackers managed to access Target's point of sale (POS) systems, gaining access to 40 million payment card credentials and 70 million customer records. But Target wasn't the original target, so to speak; it was a heating, ventilation and air conditioning supplier, which used Target's vendor portal to monitor stores. With access to the portal, attackers were able to move across Target's network and ultimately access the POS systems. That's not the only example. The British Airways breach, which affected around 400,000 customers, was achieved through a breach of a payment software provider, not the company itself.

SOLARWINDS BREACH
For me, one of the most interesting examples of a digital supply chain attack was the recent SolarWinds breach. This breach wasn't simply about criminals stealing credit card details, but a sophisticated, potentially state-sponsored attack, which used compromised SolarWinds software to successfully gain access to, and spy on, their customers - mainly US government agencies and high-profile Fortune 500 companies.

Whether the threat is from criminal enterprise, nation state operations or hacktivists, these examples clearly show the potential consequences of supply chain attacks and, even if you think you're not a target, someone in your supply chain just might be. Security, throughout the supply chain, should be everyone's responsibility, but how do you go about making your supply chain more secure?

GET YOUR OWN SECURITY IN ORDER
Supply chain security improvement needs to start within your own company and you'll want to ensure, as much as possible, that supply chain attacks aren't going to be able to affect your business, its operation or its sensitive data, or be able to utilise your company to target others within your supply chain.

Simple measures can make a big impact: network segregation, robust privilege levels and monitoring tools can help you detect potential breaches, restrict access to sensitive information and reduce the chances of a malicious threat being able to move from a compromised network onto your main company networks.

Every organisation will be different, of course, and security measures should be tailored to the real-world risks faced. That's why scenario and risk analysis planning can be useful to undertake, helping you uncover the potential risks of a supply chain attack and to ensure effective measures are put in place to mitigate against the most likely scenarios.

Undertaking this improvement work isn't just good from a security standpoint, however; it's also good from a business aspect. GDPR compliance, as well as potentially hefty fines, has forced organisations to become more security conscious and customers, both inside and outside the supply chain, are now requiring robust security assurances before they commit to working with a company. So, by having good security practices in place and being able to provide evidence of security testing or compliance, you can make your life much easier when it comes to winning business.

SEEK SECURITY ASSURANCES FROM YOUR SUPPLIERS
Just as customers will be asking for security assurances from you, you should be asking for security assurances from your suppliers. Have they had an independent security audit? Do they have evidence of infrastructure and application security testing? Are they working towards ISO 27001 standards or have certification? Does the company have Cyber Essentials?

The assurances needed will obviously depend on the nature of the relationship, the information and services that are being procured and the potential risks involved. Some relationships will require a light touch, in terms of security assurance, but some may require rigorous standards. It's up to every company to define what level of security they want from their suppliers and to ensure these are in place, before committing to working with them.
special focus on NI<br />
HOW NORTHERN IRELAND IS<br />
HELPING TO BUILD A<br />
CYBER-SECURE FUTURE<br />
At the recent National Cyber Security Centre's CYBERUK conference,<br />
Foreign Secretary, Dominic Raab, referred proudly to Northern Ireland<br />
as a "…world-leading cyber security hub, and a top international<br />
investment location for cyber security firms." Raab's comments may have been<br />
news to those unfamiliar with the region - but, to US tech investors, it is the<br />
No.1 place to be, and has been for several years.<br />
Indeed, in little more than a decade, Northern Ireland has taken a small,<br />
nascent cluster of native businesses and nurtured it into a global centre of<br />
excellence that's bursting with talent, academic prowess and commercial<br />
expertise. Together, local industry, academia and the region's public bodies<br />
have seized a mounting threat (which now costs the global economy over<br />
US$600 billion per year) and carved out a unique role for Northern Ireland in<br />
an ever more digital world.<br />
But how has this been achieved, and what does the future hold? Let's take a<br />
closer look.<br />
EARLY ORIGINS<br />
The professional services sector, in the form of legal, financial and business<br />
consultancy, has been part of Northern Ireland's economic and skills repertoire<br />
for several decades now, which is why leadership in these areas has come so<br />
naturally. From pioneering digital banking to the evolution of Fintech and<br />
Regtech, the region has played a significant role in driving and shaping the<br />
future of law, finance and commerce - and it continues to do so today.<br />
Digitalisation has been a crucial catalyst in this respect, creating<br />
opportunities for these industries to connect and grow through data,<br />
technology and information. This has established a fertile ground for new<br />
types of professional services and home-grown success stories like First<br />
Derivatives, Kainos and FinTru, while also attracting major investment from<br />
players keen to futureproof their businesses for the digital age, such as EY,<br />
Deloitte, PWC, Citi and KPMG.<br />
At the same time, however, the digital world has opened Pandora's box,<br />
unleashing ever-evolving threats in the sinister shape of cybercrime. One of<br />
the world's least-welcome growth industries, it costs the global economy an<br />
estimated $2.9 million per minute. The resulting challenges are many and<br />
varied - and could potentially counter the many positives that digital progress<br />
has sought to create.<br />
But with challenges come opportunities, and with digital transformation<br />
happening rapidly in the professional services sector, Northern Ireland's cyber<br />
security sector responded accordingly. The need to safeguard personal,<br />
business and government data from theft, protect computer networks against<br />
intrusion, keep devices clean of malware and defend critical infrastructure<br />
against hostile attacks has generated demand for a new type of expertise<br />
which Northern Ireland has been able to deliver in abundance through its<br />
talent pipeline and through R&D.<br />
"Over the last 20 years, effective cybersecurity has become one of society's<br />
critical needs. Here at QUB we recognised we had the skills and ambition to<br />
tackle this need head-on and, in doing so, boost economic renewal in Belfast<br />
and Northern Ireland."<br />
Professor Máire O'Neill, CSIT's Principal Investigator<br />
BUILD IT AND THEY WILL COME<br />
Today, the region is home to around 4% of the UK's cyber security workforce,<br />
which, for an area that represents around 2.8% of the UK population, is just<br />
one indicator of its strengths in this field. What's more, almost 5% of cyber<br />
firms in the UK market call Northern Ireland home, helping to deliver its<br />
ambition to grow its sector workforce to 5000 by 2030. At the heart of this<br />
lies CSIT - the award-winning Centre for Secure Information Technologies at<br />
Queen's University Belfast.<br />
Where digitalisation has been the spark, CSIT has undeniably been the<br />
catalyst that's turned Northern Ireland's cluster into a thriving ecosystem<br />
encompassing finance, banking, insurance, legal, telecoms, threat<br />
intelligence, defence, security, healthcare… for the cyber risk is everywhere.<br />
As a result, the centre has not only attracted millions in global investment<br />
from the likes of WhiteHat, Rapid7, Proofpoint, IBM Q1 Labs and Black Duck -<br />
it has triggered new start-ups, supported over 2000 local jobs in the Belfast<br />
area alone and produced proven solutions to some of the biggest cyber<br />
challenges facing economies globally today.<br />
It all started in 2009 as a greenfield site at what is now known as Catalyst,<br />
which was previously the Northern Ireland Science Park and part of one of the<br />
world's biggest urban-waterfront regeneration projects. By bringing<br />
academia, industry and public sector support together under one roof, CSIT's<br />
partners and funders (EPSRC, Innovate UK and Invest Northern Ireland)<br />
believed they could create a hub where leading-edge research could translate<br />
rapidly into market-relevant, market-ready products and services. And they were<br />
right.<br />
CSIT is now home to a 90-strong team of industry-experienced engineers,<br />
electronic and computational researchers, business development specialists and<br />
passionately motivated postgraduates. But this is only one ingredient in the<br />
recipe for CSIT's success. An impressive roster of business members such as<br />
Thales, Allstate and BAE Systems help shape its research strategy, while close<br />
collaboration with First Derivatives, Seagate, Nvidia and other IT giants, and with<br />
leading global cybersecurity institutes, adds an extra dimension to its expansive<br />
vision and worldwide reach.<br />
"Because we are a relatively small region, the government, the universities, and<br />
regional development organisations work very closely together… We are acutely<br />
aware of the market's demands and the types of companies coming in, so we<br />
can be more agile in developing novel programs to support them."<br />
David Crozier, head of strategic partnerships and engagement, CSIT<br />
EXCELLENCE IN ACTION<br />
As you might expect from a centre of excellence with such extensive global<br />
reach, CSIT has attracted much recognition during its short lifespan. In 2015, for<br />
example, it won a Queen's Anniversary Prize, celebrating excellence, innovation<br />
and public benefit at UK universities, and four years later, Máire O'Neill, CSIT's<br />
Principal Investigator, secured a prestigious Blavatnik Award, recognising her<br />
work as an outstanding young scientist. More recently (February 2021), Queen's<br />
University was recognised for its cybersecurity education program and work<br />
promoting cyber-skills by the National Cyber Security Centre (NCSC).<br />
Such plaudits are well deserved. CSIT has delivered a consistent stream of<br />
cutting-edge, real-world cybersecurity advances - including 10 new product<br />
concepts with a clear route to market. For example:<br />
Working with a US insurance firm, it has developed graph-mining analysis<br />
systems that automatically detect anomalous and potentially fraudulent<br />
insurance claims by pinpointing suspicious patterns<br />
Algorithms developed at CSIT are enabling a major financial services company<br />
to spot malicious trading activity over its communication channels and data<br />
flows, protecting against regulatory non-compliance and potentially massive<br />
fines<br />
Working with vendors of control systems that underpin electricity, water and<br />
other key infrastructure to pinpoint and eliminate vulnerabilities to cyberattack<br />
Helping satellite developers keep their hardware cyber-safe in Earth's orbit, with<br />
enormous benefits such as future-proofing the security of communications by<br />
introducing quantum-safe cryptographic algorithms<br />
"This is an extremely exciting time for cyber security in Northern Ireland but<br />
also for the sector globally... At CSIT, our researchers are leading cutting-edge<br />
research in cyber security. We are also developing the next generation of<br />
industry leaders to meet the huge demand from industry for cyber security<br />
professionals."<br />
Professor Máire O'Neill<br />
WHAT'S NEXT?<br />
For as long as the digital age prevails, cyber security will be needed, and with<br />
that, the only way is up for CSIT and the Northern Irish industry. It is now an<br />
authoritative source of counsel among governments and other organisations<br />
worldwide (including the London Office for Rapid Cybersecurity Advancement<br />
(LORCA)), and its appeal as a destination for investors, big and small, shows<br />
no sign of waning.<br />
In the past 18 months, for instance, the market has seen a new or increased<br />
Northern Ireland presence established by Angoka, Aflac, Cygilant and Rapid7,<br />
while a new centre of excellence was established by consulting giant, KPMG.<br />
This is the tip of the iceberg.<br />
Thanks to an ever-expanding track record of achievement, CSIT and the<br />
innovation ecosystem that surrounds it are set to flourish further, gaining<br />
more momentum, for example, by planned investment in infrastructure as<br />
part of the Belfast Region City Deal.<br />
A major project connected to the deal is the Global Innovation Institute (GII),<br />
which will be a nexus for co-innovation between researchers and industry in<br />
data security, connectivity and analytics. As we are faced with the data deluge<br />
in our increasingly connected world, secure, connected intelligence will<br />
become ever more critical.<br />
So, as with CSIT, GII hopes that, by creating a space where local and global<br />
companies, entrepreneurs and researchers can come together, Northern<br />
Ireland can continue this story of success - and keep playing its part in<br />
building a safe, cyber secure, future for all.<br />
Crucially, underpinning all the above is access to local talent, and so far, a<br />
pipeline of students have enrolled onto CSIT's Masters programme, producing<br />
experts with the state-of-the-art skills the cybersecurity sector needs. At the<br />
same time, 17 cybersecurity start-ups have graduated from the CSIT Labs<br />
incubator programme and six CSIT spinouts have been established in fields<br />
ranging from content inspection to automated image and video processing.<br />
As you might expect from the tech industry, these fledgling success stories<br />
have subsequently brought bigger names to Northern Ireland's shores: Titan IC,<br />
for instance, was acquired by Nvidia in 2020, giving the US chip manufacturer a<br />
firm foothold in the Belfast cybersecurity ecosystem.<br />
Invest Northern Ireland is the region's business development organisation. Its<br />
role is to grow the local economy by helping new and existing businesses to<br />
compete internationally, and by attracting new investment to Northern<br />
Ireland.<br />
Find out more about how we can work together with you and your business.<br />
InvestNI.com/Europe<br />
advanced threat protection<br />
A SHAPE-SHIFTING WORLD<br />
ATTACKERS USE TRUSTED CLOUD SERVICES AND CONSTANTLY CHANGE THEIR<br />
TACTICS TO AVOID KNOWN PATTERNS OF BEHAVIOUR. CAN ADVANCED THREAT<br />
PROTECTION STILL BE EXPECTED TO KEEP PACE AGAINST SUCH FORCES?<br />
Patrick Wragg, Integrity360: the key to<br />
advanced threat protection is layers -<br />
ensuring your operating systems and<br />
applications are up to date; users are<br />
educated; and that you have the latest<br />
security solutions in place.<br />
Advanced threat protection (ATP)<br />
refers to a category of security<br />
solutions that defends against<br />
sophisticated malware or hacking-based<br />
attacks targeting sensitive data. ATP<br />
solutions can be available as software or<br />
as managed services. They can differ in<br />
approaches and components, but most<br />
include some combination of endpoint<br />
agents, network devices, email gateways,<br />
malware protection systems, and a<br />
centralised management console to<br />
correlate alerts and manage defences.<br />
But how do they operate and perform 'in<br />
anger', so to speak, and where might there<br />
be any weaknesses? At the same time,<br />
in a world where threat levels alter<br />
dramatically and at an alarming rate,<br />
where might they need to be adapted to<br />
counter emerging challenges?<br />
"Perhaps it's become a cliché, but advanced<br />
threat protection requires detection and<br />
containment, 'beyond the email gateway',"<br />
says Mike Fleck, VP marketing at Cyren.<br />
"Cybersecurity and industry professionals<br />
have been using this term to describe the<br />
need for organisations to have a layered<br />
security approach with security controls and<br />
incident response capabilities to deal with<br />
the advanced threats that slip past the email<br />
perimeter and arrive in a user's mailbox.<br />
HEART OF THE ORGANISATION<br />
"Email is the most common method of<br />
delivering threats - advanced and otherwise<br />
- because it is one of the few ways to<br />
transport an attack straight to the heart of<br />
an organisation, through its people. What's<br />
more, the most favoured approach to an<br />
email attack is phishing [ie, harvesting login<br />
information using spoofed web pages of<br />
trusted brands]; once attackers have the<br />
ability to remotely log in to a corporate<br />
network, they can launch convincing fraud<br />
campaigns and surveil the environment to<br />
find the most sensitive data to steal or the<br />
most business-critical servers to infect with<br />
ransomware."<br />
Security controls beyond the gateway<br />
have traditionally focused on data loss<br />
prevention, sophisticated malware analysis<br />
and endpoint security solutions, he points<br />
out. "However, advanced email threats still<br />
evade detection and containment largely<br />
because attackers use trusted cloud services<br />
and constantly change their tactics to avoid<br />
known patterns of behaviour. Endpoint<br />
security agents can quickly spot a<br />
compromised device, but it may be too late.<br />
Data loss prevention can detect sensitive<br />
data as it leaves the organisation, but only<br />
after the initial compromise. There is clearly<br />
a gap in advanced threat protection<br />
capabilities between the email server and<br />
the end user device. This gap is easy to see<br />
when you understand the degree to which<br />
enterprises rely on employees to identify<br />
advanced threats in their mailboxes."<br />
A better way is to simply add a layer of<br />
automated detection and incident response<br />
to the mailboxes, Fleck adds. "As enterprises<br />
migrate their email servers to cloud<br />
offerings like Office 365, it becomes easier<br />
to close this gap by using APIs to connect<br />
advanced threat protection clouds to<br />
email mailbox clouds. This layer of<br />
control complements the detection and<br />
containment efforts already underway by<br />
cloud providers, enterprise email security<br />
gateways, network intrusion detection and<br />
endpoint security agents. It also relieves<br />
users from the expectation that they will<br />
reliably spot and avoid advanced threats like<br />
spear phishing and business email<br />
compromise."<br />
EVOLUTION OF TECHNOLOGIES<br />
The advanced threat protection category is,<br />
of course, nothing particularly new, points<br />
out James Preston, security architect for<br />
ANSecurity, but rather "an evolution of<br />
technologies including anti-virus along with<br />
intrusion prevention and detection systems -<br />
packaged under a new heading". However,<br />
no matter what it's called, technology alone<br />
cannot protect against every type of threat,<br />
he cautions.<br />
"ATP solutions generally don't understand<br />
where your organisation has weaknesses.<br />
From a threat actor's point of view, there<br />
is always a stage where they will try to<br />
reconnoitre a target looking for weaknesses.<br />
This could be a long-forgotten VPN server,<br />
an unpatched application or a badly designed<br />
user sign-in process. In fact, this<br />
reconnaissance phase is often the deciding<br />
factor for a cyber threat actor to expend real<br />
effort to break in - or find a more open<br />
victim. Most ATP solutions don't emulate<br />
this reconnaissance process, so enterprises<br />
need to initially focus on finding and fixing<br />
structural weaknesses to make themselves<br />
less attractive targets."<br />
A great place to start is by using a cyber<br />
security framework such as the MITRE<br />
ATT&CK framework - with free tools like the<br />
ATT&CK navigator, Preston advises. "These<br />
allow you to map out the likely avenues for<br />
exploit and then work out where you have<br />
adequate protections and best practice<br />
processes - versus areas where you are<br />
lacking. This is a task you can do internally<br />
or, if you have limited resources, through a<br />
trusted expert third-party. Either way, it will<br />
give you a better starting position to fix any<br />
issues than just deploying lots of vendor<br />
solutions in an ad-hoc fashion."<br />
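One way to carry out the mapping exercise Preston describes, as an added example that is not Preston's or ANSecurity's own tooling: a Python script records which existing controls address which ATT&CK techniques, reports the likely avenues that no control covers, and writes an ATT&CK Navigator layer so the gaps can be viewed in the free tool. The control inventory and the chosen "likely avenues" are constructed for illustration (they follow the weaknesses named above: phishing, a forgotten VPN server, an unpatched application, a weak sign-in process, supply-chain delivered ransomware); the technique IDs are real enterprise ATT&CK identifiers, and the layer version strings are assumed.<br />

```python
import json
from collections import defaultdict

# Constructed inventory of existing controls, each mapped to the ATT&CK
# technique IDs it mitigates or detects. Control names are hypothetical;
# the technique IDs are real enterprise ATT&CK identifiers.
CONTROLS = {
    "Email gateway with URL rewriting": ["T1566"],              # Phishing
    "Monthly patch cycle for internet-facing apps": ["T1190"],  # Exploit Public-Facing Application
    "MFA on VPN and SaaS sign-in": ["T1078", "T1110"],          # Valid Accounts, Brute Force
    "EDR with ransomware behavioural rules": ["T1486"],         # Data Encrypted for Impact
}

# Techniques the organisation judges to be its likely avenues of attack
# (constructed list, mirroring the examples given in the article).
LIKELY_AVENUES = {
    "T1566": "Phishing",
    "T1133": "External Remote Services (forgotten VPN server)",
    "T1190": "Exploit Public-Facing Application (unpatched application)",
    "T1078": "Valid Accounts (weak sign-in process)",
    "T1110": "Brute Force (weak sign-in process)",
    "T1195": "Supply Chain Compromise",
    "T1486": "Data Encrypted for Impact (ransomware)",
}


def coverage(controls, avenues):
    """Map every likely avenue to the controls that address it.

    Returns {technique_id: [control names]} with an empty list where
    no control applies, so gaps are visible rather than silently absent.
    """
    by_technique = defaultdict(list)
    for name, techniques in controls.items():
        for tid in techniques:
            by_technique[tid].append(name)
    return {tid: sorted(by_technique.get(tid, [])) for tid in avenues}


def gaps(controls, avenues):
    """Technique IDs among the likely avenues that no control covers."""
    return sorted(tid for tid, names in coverage(controls, avenues).items() if not names)


def navigator_layer(controls, avenues, name="Control coverage"):
    """Build an ATT&CK Navigator layer: score 1 = covered, 0 = gap.

    The layer is a plain dict; json.dumps() it to a file and open that
    file in the Navigator to colour the matrix. Version strings assumed.
    """
    cov = coverage(controls, avenues)
    techniques = []
    for tid, desc in sorted(avenues.items()):
        names = cov[tid]
        techniques.append({
            "techniqueID": tid,
            "score": 1 if names else 0,
            "comment": f"{desc}: " + (", ".join(names) if names else "NO CONTROL"),
        })
    return {
        "name": name,
        "versions": {"attack": "9", "navigator": "4.4", "layer": "4.2"},
        "domain": "enterprise-attack",
        "techniques": techniques,
        # red for uncovered, green for covered
        "gradient": {"colors": ["#ff6666", "#8ec843"], "minValue": 0, "maxValue": 1},
    }


if __name__ == "__main__":
    print("Uncovered likely avenues:", gaps(CONTROLS, LIKELY_AVENUES))
    print(json.dumps(navigator_layer(CONTROLS, LIKELY_AVENUES), indent=2))
```

With the constructed inventory the script reports T1133 and T1195 as uncovered, which is exactly the "where you are lacking" list the article says should drive spending before more tools are bought.<br />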
Integration is also key. "It's unlikely that any<br />
enterprise will have a complete stack of<br />
cyber security products from a single<br />
vendor. And, as such, disparate security<br />
solutions often work in little silos, without<br />
sharing the valuable security information to<br />
make early breach detection easier. So, it's<br />
essential that organisations also<br />
establish what is integrated - and, in some<br />
cases, this might require a dedicated<br />
integration layer like a SIEM or SOAR<br />
platform. This might not always mean<br />
spending more budget as, in some cases,<br />
a SIEM can allow you to reduce the number<br />
of overlapping security tools and focus on<br />
better utilising a smaller set of<br />
technologies."<br />
One of the biggest security issues now,<br />
he adds, is how fast cyber criminals can<br />
escalate a slight breach into a full-blown<br />
extortion attempt or theft of sensitive data.<br />
"Sometimes, the tell-tale signs are spotted<br />
by cyber security systems, but the decision<br />
to quarantine PCs, servers or network<br />
functions requires manual action. This<br />
approval delay can mean the difference<br />
between successful defence or a painful<br />
breach. As such, enterprises are going to<br />
need to start trusting automated response<br />
a bit more - even if it means that the<br />
occasional false alarm impacts the business."<br />
Yes, this is a big step, he concedes -<br />
and there will be a bedding-in period as<br />
these systems start to understand the<br />
environment and learn from mistakes.<br />
"However, to deal with the next generation<br />
of advanced threats, ATP systems must be<br />
given the freedom to start mitigation faster<br />
than a typical human operator."<br />
'BIG PICTURE' VIEW<br />
James Preston, ANSecurity: technology alone<br />
cannot protect against every type of threat.<br />
Mike Fleck, Cyren: there is clearly a gap in<br />
advanced threat protection capabilities<br />
between email server and end user device.<br />
Patrick Wragg, cyber incident response<br />
manager with Integrity360, points to how<br />
traditional basic threat prevention strategies<br />
rely on a singular approach, whereby each<br />
unique security tool/component in an<br />
organisation's defence arsenal has one<br />
job and is relied upon heavily for that job.<br />
"Advanced threat prevention, however, takes<br />
a multi-faceted approach whereby the<br />
detection capabilities of multiple security<br />
tools/components in an organisation's<br />
defence arsenal are combined to provide<br />
a 'big picture' view of a possible compromise.<br />
For example, a combination of EDR<br />
(Endpoint Detection and Response) agents,<br />
network monitoring agents, email gateways,<br />
user privilege/account monitoring and cloud<br />
monitoring solutions all submitting their<br />
alerts to a centralised management tool that<br />
correlates them and alerts a security team in<br />
real-time."<br />
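The correlation Wragg describes, as an added example rather than Integrity360's own tooling: a Python routine takes alerts already normalised from several tools, clusters them per host within a time window, and escalates only when several independent layers agree, so that a macro-laden attachment, an Office process spawning PowerShell, a lookup of a brand-new domain and a privilege change on one workstation become a single incident instead of four low-priority tickets. The alerts, hostnames, users and signal names are all constructed.<br />

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts, each normalised to (time, tool, host, user, signal).
# Individually none of these is conclusive; together the ws-17 set is.
ALERTS = [
    ("2021-10-01T08:58:10", "email_gateway", "ws-17", "alice", "attachment_macro_enabled"),
    ("2021-10-01T09:01:22", "edr",           "ws-17", "alice", "office_spawned_powershell"),
    ("2021-10-01T09:02:05", "network",       "ws-17", "alice", "dns_to_newly_registered_domain"),
    ("2021-10-01T09:03:48", "identity",      "ws-17", "alice", "privilege_change"),
    ("2021-10-01T10:30:00", "edr",           "ws-22", "bob",   "office_spawned_powershell"),
    ("2021-10-01T14:05:00", "network",       "ws-22", "bob",   "dns_to_newly_registered_domain"),
]

WINDOW = timedelta(minutes=30)   # consecutive alerts on one host within this gap are related
MIN_DISTINCT_TOOLS = 3           # escalate only when several independent layers agree


def correlate(alerts, window=WINDOW, min_tools=MIN_DISTINCT_TOOLS):
    """Group alerts per host into time-bounded clusters and return an
    incident for each cluster reported by at least `min_tools` tools."""
    by_host = defaultdict(list)
    for ts, tool, host, user, signal in sorted(alerts):   # ISO timestamps sort as strings
        by_host[host].append((datetime.fromisoformat(ts), tool, user, signal))

    incidents = []
    for host, events in by_host.items():
        cluster = []
        for ev in events + [None]:            # None is a sentinel that flushes the last cluster
            if ev is not None and (not cluster or ev[0] - cluster[-1][0] <= window):
                cluster.append(ev)
                continue
            tools = {t for _, t, _, _ in cluster}
            if len(tools) >= min_tools:
                incidents.append({
                    "host": host,
                    "user": cluster[0][2],
                    "start": cluster[0][0].isoformat(),
                    "end": cluster[-1][0].isoformat(),
                    "tools": sorted(tools),
                    "signals": [s for _, _, _, s in cluster],
                })
            cluster = [ev] if ev is not None else []
    return incidents


if __name__ == "__main__":
    for incident in correlate(ALERTS):
        print(incident)
```

Lowering `min_tools` to 1 turns every cluster into an incident, which is the single-tool behaviour the article contrasts with the "big picture" view.<br />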
However, there is no one size fits all<br />
approach, in terms of advanced threat<br />
protection. "Solutions need to be scalable,<br />
flexible and intelligent, and enable<br />
organisations to bolster those defences that<br />
work well and can evolve to meet the ever-changing<br />
threat environment. Businesses<br />
need to cover all bases with systems in place<br />
designed to manage, detect and respond<br />
(MDR), monitor, mitigate/prevent and,<br />
where necessary and applicable, remediate<br />
with incident response (IR)."<br />
On top of automating where possible, and<br />
an overall strengthening of the security<br />
posture, the key to advanced threat<br />
protection is layers, he adds - ensuring your<br />
operating systems and applications are up<br />
to date; your users are educated; and you<br />
have up to date security solutions in place.<br />
"The future of advanced threat protection<br />
comes down to having the right service<br />
provider in place to provide on-demand<br />
access to highly skilled cybersecurity experts<br />
who can deliver emergency support for any<br />
cyber threat, including proactive guidance<br />
on MDR and IR planning, and new and<br />
evolving threats. The security team should<br />
also be able to respond instantly, in real-time,<br />
via pre-built automated incident<br />
response playbooks."<br />
BATTLESHIP WARFARE<br />
"For years, threat actors like nation states<br />
and cybercriminals had distinct motivations<br />
and different tools," comments Sam Curry,<br />
chief security officer, Cybereason. "Nation<br />
states, or 'advanced persistent threats', as we<br />
called them, moved like submarines stalking<br />
ships in the waters of target networks,<br />
carrying out the policies of their<br />
governments and providing asymmetric<br />
options aside from the normal diplomatic,<br />
economic, and military strategies and<br />
tactics. By contrast, the fight against<br />
cybercriminals more resembled battleship<br />
warfare than submarine. The motivation<br />
among criminals was profit and, as such,<br />
it was about maximising the number of<br />
victims and wringing every drop from an<br />
infection for as long as possible. Even in the<br />
old days, the security industry was not up<br />
to the task of stopping either the malicious<br />
operations of nation states nor the smash-and-grab<br />
theft of cybercriminals."<br />
The silver lining, however, is the emergence<br />
of endpoint detection and response (EDR),<br />
which is often mistaken for a mere extension<br />
of existing endpoint protection technologies<br />
like antivirus or personal firewalls. "It is a tool<br />
for finding the advanced operations and<br />
provides the hunter-killer options for the<br />
cyber conflicts being waged on corporate<br />
and government networks," he explains.<br />
"EDR has evolved first into managed<br />
detection and response (MDR), providing<br />
the men and women behind screens in<br />
managed services, and into extended<br />
detection response (XDR), uplifting the<br />
telemetry recording from formerly<br />
ubiquitous endpoints to the transformed<br />
enterprise of SaaS, Cloud Infrastructure<br />
and beyond."<br />
Fast forward to today and the dark side<br />
ecosystem is very different, states Curry. "The<br />
attackers have not slowed down and have,<br />
in fact, evolved at a faster rate than<br />
defenders have, except perhaps among the<br />
most sophisticated defenders. Not only are<br />
they attacking the newer infrastructure<br />
associated with SaaS services, but they are<br />
now targeting the new IT stack in the form<br />
of IaaS and PaaS compromise.<br />
"In the last five years, the lines among<br />
attackers have become more blurred, with<br />
sharing of tools and relationships that mirror<br />
the alliances, investments and partnerships<br />
of the more normal and legitimate<br />
industries. Further, the motivations for each<br />
actor have become less distinct, with nation<br />
states pursuing currency in the case of North<br />
Korea, fostering ransomware in the case of<br />
Russia, and development of supply chain<br />
compromises in the case of Russia and<br />
China, to name just a few."<br />
The most insidious examples of these are<br />
developments in the last six months. "The<br />
first is ransomware, which is really a<br />
combination of the old APT-style delivery<br />
mechanism through stealthy submarine-like<br />
operations but doing so for profit. The<br />
second and most recent is evident in the<br />
recent Kaseya attack: supply chain<br />
compromise for the purpose of delivering<br />
ransomware as the payload. This is a killer<br />
combination."<br />
This is the reason for the mandate of EDR<br />
(or MDR or XDR) for the US Federal<br />
government in the recent White House<br />
Executive Order. "Having a means of finding<br />
the attacks as they move in the slow, subtle,<br />
stealthy way through networks isn't an<br />
option. This class of tool isn't the be-all and<br />
end-all, but it's at the top of the toolkit,<br />
along with more advanced prevention,<br />
building resilience, ensuring that the blast<br />
radius of payloads is minimised and generally<br />
using peace time to foster anti-fragility." The<br />
most significant takeaway? "It's not about<br />
who we hire or what we buy. It's about how<br />
we adapt and improve every day."<br />
cyber threat intelligence<br />
ALL THE LATEST INTEL<br />
HOW DO YOU MEASURE THE SUCCESS OF A CYBER THREAT INTELLIGENCE PROGRAM? STEVEN USHER,<br />
SENIOR SECURITY ANALYST, BROOKCOURT SOLUTIONS, OFFERS HIS INSIGHTS ON A CHALLENGING TOPIC<br />
Cyber threat intelligence can be found in<br />
numerous ways. One of the most<br />
popular ways to gather intelligence is<br />
via feeds, both open source and commercial<br />
feeds. These feeds can be fed into various<br />
tools to be searched and produce actionable<br />
data that can be added to Block and Watch<br />
Lists.<br />
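An added example, not code from the article or from Brookcourt Solutions, of the feed-to-list step described above in Python: a constructed CSV feed is parsed, each indicator is placed on a block list or a watch list according to its confidence and age, and a few constructed proxy log lines are checked against both lists. The thresholds, the feed columns and the log format are assumptions for illustration.<br />

```python
import csv
import io
from datetime import date

# Constructed sample feed in CSV form (not a real feed); confidence is 0-100.
FEED_CSV = """indicator,type,confidence,first_seen,source
198.51.100.23,ipv4,95,2021-09-30,commercial-feed
bad-login.example,domain,80,2021-09-28,osint-feed
maybe-bad.example,domain,40,2021-09-01,osint-feed
203.0.113.7,ipv4,60,2021-09-10,osint-feed
192.0.2.99,ipv4,90,2021-06-01,commercial-feed
"""

# Constructed proxy log lines: "<timestamp> <client> <destination> <method>".
LOG_LINES = [
    "2021-10-01T09:12:03 10.0.0.5 bad-login.example GET",
    "2021-10-01T09:12:09 10.0.0.5 www.example.com GET",
    "2021-10-01T09:15:41 10.0.0.8 203.0.113.7 CONNECT",
    "2021-10-01T09:16:02 10.0.0.9 192.0.2.99 CONNECT",
    "2021-10-01T09:20:00 10.0.0.5 maybe-bad.example GET",
]

TODAY = date(2021, 10, 1)   # fixed "now" so the constructed example is reproducible
BLOCK_THRESHOLD = 75        # confidence needed before an indicator is auto-blocked
WATCH_THRESHOLD = 50        # confidence needed before an indicator is watched at all
MAX_AGE_DAYS = 60           # older indicators are never auto-blocked, only watched


def parse_feed(text):
    """Parse the CSV feed into dicts with typed confidence and first_seen."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "indicator": row["indicator"].strip().lower(),
            "type": row["type"],
            "confidence": int(row["confidence"]),
            "first_seen": date.fromisoformat(row["first_seen"]),
            "source": row["source"],
        })
    return rows


def build_lists(entries, today=TODAY):
    """Split feed entries into a block list and a watch list.

    Fresh, high-confidence indicators are blocked outright. Lower-confidence
    and stale indicators only go on the watch list, so an old or shaky
    indicator cannot silently cut off legitimate traffic. Anything below the
    watch threshold is discarded as noise.
    """
    block, watch = set(), set()
    for e in entries:
        if e["confidence"] < WATCH_THRESHOLD:
            continue
        age_days = (today - e["first_seen"]).days
        if e["confidence"] >= BLOCK_THRESHOLD and age_days <= MAX_AGE_DAYS:
            block.add(e["indicator"])
        else:
            watch.add(e["indicator"])
    return block, watch


def triage_logs(lines, block, watch):
    """Return (client, destination, verdict) for each log line hitting a list."""
    hits = []
    for line in lines:
        _ts, client, dest, _method = line.split()
        dest = dest.lower()
        if dest in block:
            hits.append((client, dest, "block"))
        elif dest in watch:
            hits.append((client, dest, "watch"))
    return hits


if __name__ == "__main__":
    block, watch = build_lists(parse_feed(FEED_CSV))
    print("block:", sorted(block))
    print("watch:", sorted(watch))
    for hit in triage_logs(LOG_LINES, block, watch):
        print(hit)
```

Note that 192.0.2.99 carries high confidence but is four months old, so it lands on the watch list rather than the block list; that ageing rule is the kind of tuning the later "improve and expand" section argues must keep pace with how attacker infrastructure churns.<br />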
INGEST<br />
Most companies that can make use of this<br />
'raw' intelligence and act on the<br />
results usually have a mature approach to<br />
cyber security - typically including a SOC<br />
(Security Operations Centre), IR (Incident<br />
Response) and, at the very least, a job role that<br />
deals exclusively with cyber threat<br />
intelligence.<br />
Feeds are not the only way cyber threat<br />
intelligence can be used. Some of the most<br />
common alternative uses for cyber threat<br />
intelligence include the production of reports<br />
for a customer by a company that specialises<br />
in the topic, monitoring of specific datapoints<br />
for mentions online and monitoring publicly<br />
known data breaches for company<br />
information. Services of this nature are more<br />
common with smaller companies that do not<br />
have the staff or internal knowledge to carry<br />
out the monitoring and analysis of cyber<br />
threat intelligence. However, this is not to say<br />
larger companies do not also use these<br />
services to augment the intelligence<br />
generated internally.<br />
QUANTIFY<br />
How do you measure the success of a cyber<br />
threat intelligence program? This is not an<br />
easy question to answer, simply due to the<br />
nature of what cyber threat intelligence is.<br />
There are naturally the obvious examples of<br />
success, such as finding data that is linked to<br />
or belongs to a company online or finding<br />
information relating to an attack planned on<br />
the company - effectively anything that<br />
would show an obvious and direct benefit of<br />
cyber threat intelligence to the company.<br />
However, incidents of this nature make a<br />
small minority of the uses and successes of<br />
cyber threat intelligence.<br />
The general value in cyber threat intelligence<br />
is knowing what is going on in the business<br />
world and, in many cases, your industry; this<br />
allows preventative measures to be taken,<br />
as well as the ability to better prepare for<br />
potential incidents in the future. The MITRE<br />
ATT&CK framework is a brilliant example of<br />
intelligence that can be used to better<br />
prepare and test a company's readiness.<br />
IMPROVE AND EXPAND<br />
There is always room for improvement when<br />
it comes to this type of work. There are<br />
alternative data sources, different tools and<br />
new approaches that should, at the very<br />
least, be considered when collecting and<br />
interpreting the data and information that is<br />
available. As the methods of attack evolve,<br />
change and die out, being replaced with<br />
completely new tactics and techniques, so<br />
should the views, processes and runbooks<br />
that are used to combat them.<br />
Cyber threat intelligence is often a part of<br />
threat intelligence as a whole and it should<br />
be considered that some of the services that<br />
are offered to businesses can be used for<br />
more than simply cyber threat intelligence.<br />
Some of the other uses are geographic<br />
intelligence, intelligence relating to real world<br />
products and activities related to those<br />
products, and intelligence that is more<br />
focused on the high-level individuals within<br />
the company.<br />
Steven Usher, Senior Security Analyst,<br />
Brookcourt Solutions<br />
data impact assurance level<br />
DATA IMPACT ASSURANCE LEVELS EXPLAINED<br />
THE TIME HAS COME TO 'DIAL' IT IN, STATES ADISA FOUNDER STEVE MELLINGS<br />
By completing your Data Impact Assurance Level (DIAL) and using a company certified to 8.0, you are assured of meeting UK GDPR compliance<br />
Over the coming weeks, businesses<br />
should start to be asked to create a<br />
Data Impact Assurance Level (DIAL)<br />
by the companies they engage with to<br />
collect their redundant equipment and<br />
sanitise the media. But what on earth is a<br />
DIAL, and what is the benefit to you of<br />
creating one?<br />
This article explains what the DIAL<br />
concept is and why it was crucial in the<br />
approval of ADISA Asset Recovery Standard<br />
8.0 by the UK Information Commissioner's<br />
Office. And most importantly, why this<br />
helps organisations comply with UK GDPR<br />
when disposing of redundant equipment.<br />
WHERE DID IT ALL BEGIN?<br />
When ADISA launched in 2010, our<br />
ambition was to help improve risk<br />
management for companies when they<br />
dispose of their redundant equipment by<br />
the development of Standards. Our ICT<br />
Asset Recovery Standard has gained<br />
significant traction in the UK and is well<br />
supported by the leading IT Asset Disposal<br />
(ITAD) companies in the sector. When EU<br />
GDPR was passed into law, we saw that<br />
approved Certification Schemes were<br />
covered within the articles and so we<br />
started exploring how we might evolve our<br />
program by achieving official recognition<br />
under the overarching data protection law.<br />
WORKING WITH THE UK<br />
INFORMATION COMMISSIONER'S<br />
OFFICE<br />
In July 2019 ADISA submitted our ICT Asset<br />
Recovery Standard to the ICO for approval<br />
as an EU GDPR Certification Scheme. (This<br />
would later move to UK GDPR post-Brexit!)<br />
Our Standard was structured such that risks<br />
to data were identified and<br />
countermeasures were required to remove<br />
or mitigate those risks. These<br />
countermeasures were presented as<br />
prescriptive criteria which were included in<br />
the Standard and companies being certified<br />
were required to meet those criteria to<br />
evidence how they were managing those<br />
risks on behalf of their customers.<br />
When we started working with the ICO it<br />
soon became clear that, rather than<br />
focusing on the industry, we needed to look<br />
at the process from the data controller's<br />
viewpoint. Whilst the previously identified<br />
risks remained the same, who determined<br />
whether the countermeasures were<br />
appropriate did not. Previously it was<br />
either ADISA, via the publication of the<br />
Standard, or the ITAD, through provision of<br />
the service, who determined the<br />
appropriateness of the countermeasures to<br />
be deployed. Clearly, within UK GDPR what<br />
is deemed "appropriate" will vary from one<br />
data controller to the next, so how could a<br />
binary standard claim to represent every<br />
data controller's own requirements?<br />
This created a quandary: how do we allow<br />
the data controller first to see all the points<br />
in the process where risk exists, and then<br />
to influence the risk treatments to suit<br />
their own specific requirements?<br />
The answer was to create the concept of<br />
Data Impact Assurance Levels.<br />
When working with the regulator it was<br />
clear that, to deem whether something is an<br />
appropriate risk treatment, we must first<br />
understand a range of variables for each<br />
data controller. ADISA identified five<br />
variables:<br />
Threat - Who are we protecting our<br />
data from, and what are their<br />
capabilities?<br />
Risk Appetite - Do we permit additional<br />
treatments to be available, at a price, or<br />
do we require all possible risk<br />
treatments to be applied?<br />
Volume of Data - What is the<br />
aggregated risk we are trying to<br />
manage?<br />
Categories of Data - What data are we<br />
having processed?<br />
Impact of a data breach - If we suffered<br />
a data breach, what would happen?<br />
Share price impact, loss of reputation or<br />
regulatory action?<br />
Within each of these variables a data<br />
controller can determine their own<br />
position by following the workings laid out<br />
in Part 1 of the ADISA Standard or by using<br />
the free-to-use software on our website. By<br />
working through these questions, the data<br />
controller produces a single DIAL rating,<br />
which indicates what level of controls<br />
would be appropriate for each of the risks<br />
being managed on their behalf by their<br />
certified ITAD partner. This simple approach<br />
finally gives the data controller a means of<br />
influencing risk management in a process<br />
which is often both out of sight and out of<br />
mind.<br />
WHY IS DIAL GOOD?<br />
By introducing the DIAL concept to our<br />
Standard, ADISA was able to meet the UK<br />
ICO's expectation on how risk was to be<br />
managed by the data controller when they<br />
dispose of redundant equipment. This is<br />
particularly important where the disposal of<br />
redundant equipment is concerned as the<br />
volume of data being processed is<br />
enormous making it one of the biggest<br />
risks within enterprise data protection. Due<br />
to the transactional nature of the process<br />
including moving physical assets outside of<br />
existing security environments, there are a<br />
significant number of points in the process<br />
where risk exists. By presenting DIAL to the<br />
ITAD partner a data controller is indicating<br />
what controls they want to have in place<br />
on those processes which is reflective of<br />
their own situation. This is achieved by<br />
there being different levels of risk treatment<br />
for each identified risk which offer<br />
increasingly better levels of risk<br />
management.<br />
Of course, increased controls for<br />
unnecessary reasons could lead to<br />
unnecessary cost, which is why the DIAL<br />
concept enables data controllers to manage<br />
risk directly attributed to their own<br />
situation.<br />
CREATING YOUR DIAL<br />
Companies already certified by ADISA are<br />
working towards the new 8.0 Standard and<br />
as such will be able to issue you a URL to<br />
the ADISA website where you can answer<br />
five questions which then create your DIAL<br />
and a certificate. Even if your existing<br />
partner is not certified, you can go to the<br />
ADISA website yourself and complete the<br />
same process to create your own DIAL.<br />
Each ITAD when being certified will<br />
achieve their own DIAL rating which<br />
indicates the potential DIAL they are<br />
capable of operating at. You should verify<br />
that your ITAD partner's DIAL rating meets<br />
your requirements. If they do not have a<br />
DIAL or operate at a lower level than you<br />
require, they will either need to become<br />
certified, improve their capability or you<br />
should deem them unsuitable.<br />
Standard 8.0, incorporating the DIAL<br />
concept, lets you demonstrate UK GDPR<br />
compliance not because your ITAD partner<br />
is telling you, nor because ADISA is telling<br />
you, but because the ICO has approved the<br />
Standard as a certification scheme: using<br />
an ITAD certified to 8.0 through a UKAS<br />
accredited audit process is an ICO-recognised<br />
means of demonstrating that this processing<br />
is UK GDPR compliant. As with any<br />
certification under the regulation, the data<br />
controller remains accountable for the<br />
processing it outsources.<br />
To find out more, visit adisa.global/dial<br />
Backup & recovery<br />
CALLING FOR BACKUP<br />
What approach should an enterprise take to ensure it has the best<br />
protection in place - as well as employees who are fully engaged in<br />
making it work? Getting this right is a complex, but essential, process<br />
The purpose of backup is to create a<br />
copy of data that can be recovered in<br />
the event of a primary data failure.<br />
Such failures can be the result of hardware<br />
or software malfunctions, data corruption<br />
or a human-caused event, such as a<br />
malicious attack (virus or malware), or<br />
accidental deletion of data. Backup copies<br />
allow data to be restored from an earlier<br />
point in time to help the business recover<br />
from an unplanned event.<br />
Storing the copy of the data on a separate<br />
medium is critical to protect against<br />
primary data loss or corruption, but what<br />
works to best advantage? The additional<br />
medium could be as simple as an external<br />
drive or USB stick, or something more<br />
substantial, such as a disk storage system,<br />
cloud storage container or tape drive. The<br />
alternate medium can be in the same<br />
location as the primary data or at a remote<br />
location. The possibility of weather-related<br />
events, or of a fire or flood that takes out<br />
a whole site, may justify keeping copies of<br />
the data at remote locations.<br />
But what approach should an enterprise<br />
take to ensure it has the best protection -<br />
as well as employees who are fully<br />
engaged in making it work? One of the<br />
preventive measures and possibly the most<br />
efficient layer of defence, in the case of<br />
any cyber-attack threat, is simply enforcing<br />
healthy security habits and having the<br />
discipline to follow them, says Robert<br />
Allen, European director of marketing &<br />
technical services at Kingston Technology<br />
Europe. "Following these best practices and<br />
procedures that were created before a<br />
cyber security attack, whilst backing them<br />
up with several protective frameworks to<br />
make a layered defence, is the ideal<br />
strategy for mitigating attacks. Proactive<br />
thinking, threat intelligence and<br />
continuous risk assessment can help<br />
prepare the initial response to the<br />
anticipated 'what if' scenario."<br />
MITIGATING INITIAL IMPACT<br />
As one of the proactive measures, daily<br />
data backups can help to mitigate the initial<br />
impact on systems compromised through a<br />
ransomware attack.<br />
"In the ideal case, it would be good<br />
practice to be aware of the value of the<br />
data in storage, then be selective in<br />
accordance with its priority level and<br />
back it up on a daily basis. This<br />
practice can help to recover from the initial<br />
'denial of access' to systems compromised<br />
through a ransomware attack.<br />
"Furthermore, this method can help to<br />
restore systems elsewhere, so you can<br />
continue your daily activities, with<br />
relatively low inconvenience. Backup of<br />
data needs to be part of a larger cyber<br />
security mitigation plan. This strategy<br />
could be also seen as the last line of<br />
defence in a critical system failure<br />
scenario."<br />
Daily backup of sensitive data helps a<br />
business recover from ransomware or other<br />
attacks. "To put it simply," adds Allen, "if<br />
the worst was to happen, it's always the<br />
better option to lose one day's data than<br />
months or years. Here, you can use the<br />
benefits of an encrypted USB drive, which<br />
ensures further cryptographic protection<br />
for data, critical if you need to take data<br />
elsewhere to restore a compromised<br />
system. This practice is again completely<br />
dependent on your efforts in following<br />
good security habits and information<br />
security hygiene."<br />
As the possible vectors of attack are<br />
constantly evolving, we will always be part<br />
of this game of chess, where one needs to<br />
think several moves ahead, he continues.<br />
"There will always be a new vector of<br />
attack or system vulnerability, and then the<br />
reactive countermeasure to negate it.<br />
But good security habits, and your<br />
organisation's discipline in following them<br />
on a daily basis, combined with overall<br />
contingency plans, will help mitigate loss<br />
to your business, if the worst were to<br />
happen."<br />
Having a data backup in place is now<br />
a critical component of any IT/security<br />
strategy. "Threats to data come in many<br />
forms, as the OVH datacentre fire earlier<br />
this year highlighted," says Jon Fielding,<br />
managing director, EMEA Apricorn. "It was<br />
not simply a case of needing to have a<br />
solid backup in place, but it stressed the<br />
importance of where, and how, data<br />
backups are stored. Unfortunately for<br />
OVH, its customer data was backed up in<br />
the same location, resulting in both sets of<br />
data being destroyed, with no means for<br />
recovery or business continuity."<br />
When disaster strikes, every minute<br />
counts. "Data loss, particularly on this<br />
scale, with large data sets at risk, could be<br />
costing your business resources, money<br />
and customers, so by implementing<br />
a recovery plan, businesses can get back<br />
up and running as soon as possible. We<br />
work in a 'real-time' culture and, in the<br />
case of data loss, users expect it to be<br />
restored at once and can't afford to wait<br />
weeks, days or even hours. By having<br />
backup recovery processes in place,<br />
businesses can ensure mission-critical<br />
applications are functional and data is<br />
recovered quickly."<br />
That said, physical disasters are only<br />
the tip of the iceberg. Cyber-attacks are<br />
wreaking havoc on businesses everywhere<br />
and ransomware demands are making<br />
headlines on an almost daily basis,<br />
not to mention the ongoing stream of<br />
vulnerabilities, malware and viruses we've<br />
come to expect. "A regular and reliable<br />
backup process will protect businesses<br />
from unexpected data loss from all<br />
potential sources," adds Fielding. "One<br />
of the easiest ways to create backups of<br />
business data is to simply store copies of<br />
important files on hard drives, or other<br />
storage devices connected to your systems<br />
or network. Having an offline and off-site<br />
copy, in addition to on-premise and cloud<br />
storage options, is crucial. These storage<br />
devices should be encrypted, ideally in<br />
hardware, to ensure data privacy<br />
compliance."<br />
An offline backup is particularly<br />
important as a defence against<br />
ransomware: a copy that is disconnected<br />
when the attack runs cannot be encrypted<br />
or deleted along with the live data, which<br />
is what commonly happens to backups left<br />
on network shares. Copying files to hard<br />
drives, USB flash drives, external drives<br />
or other devices, and detaching them once<br />
the copy is complete, is an effective way of<br />
ensuring backups are available locally when<br />
you need them, so that businesses can<br />
restore from a clean, protected data set,<br />
he says.<br />
"On top of this, businesses are facing<br />
increased threat from the rise in remote<br />
working, which has intensified the need<br />
for backups as data continues to move<br />
beyond the corporate boundaries. By<br />
providing employees with removable USBs<br />
and hard drives that automatically encrypt<br />
all data written to them, companies can<br />
deliver the capability to securely store<br />
data offline. When correctly implemented,<br />
hardware encryption offers much greater<br />
security than software encryption, and PIN<br />
pad authenticated hardware encrypted<br />
USB storage devices enable employees to<br />
move sensitive and often regulated data<br />
off the corporate network. These devices<br />
can also be used to back up data locally,<br />
mitigating the risk of targeting in the<br />
cloud."<br />
In line with this, businesses should test<br />
their backups regularly, he adds - verify<br />
that the operating system, applications,<br />
and data are intact and functional. "This<br />
allows them to recover systems and files<br />
more efficiently, should an incident occur."<br />
AVOIDING WORKING LIFE PITFALLS<br />
Backups are more common than you<br />
think, says Sarah Doherty, product<br />
marketing manager at iland, impinging on<br />
just about every aspect of our daily lives.<br />
"Every day, you most likely have a backup<br />
in place, whether it be someone who<br />
can cover for you to watch your puppy, if<br />
something interrupts your schedule, or<br />
even that spare tyre that is in your car in<br />
case of a puncture. Backup and recovery<br />
plans apply to just about everything that<br />
you can think of in your daily life."<br />
Focusing on the business end of things,<br />
she turns to some of the top reasons why<br />
you need to have a secure and reliable<br />
backup solution. "Everyone makes<br />
mistakes. This happens more than we<br />
would like to admit. Emails and documents<br />
containing some type of virus are<br />
accidentally opened all the time, while<br />
critical documents are unintentionally<br />
deleted.<br />
"One way to combat these problems is<br />
to continually back up your data and<br />
therefore allow for the ability to restore<br />
your data. Or, more importantly, recover<br />
the file prior to it being deleted."<br />
Audit and compliance requirements.<br />
"Many, if not most, organisations are<br />
required to keep records for extended<br />
periods of time, depending on local or<br />
industry requirements. There may come<br />
a time when an audit forces your business<br />
to look at something from a few years<br />
ago. The big mistake here is that most<br />
assume that data is available on a<br />
computer when, in fact, it may not be.<br />
"Relying on one copy of the data may be<br />
a mistake that you just don't want to have<br />
to deal with when it comes to an audit.<br />
Creating offsite backups of critical data<br />
can really save you time and money,<br />
with fewer headaches for all involved.<br />
Governing agencies won't really care if<br />
you say that you had a data disaster.<br />
It is critical for your business to remain<br />
compliant."<br />
Avoid any deadly downtime. According<br />
to Doherty, studies show that 40-60%<br />
of small businesses won't reopen after<br />
data loss. "Of companies that suffer<br />
catastrophic data loss, 43% never reopen<br />
and 51% close within two years. Not every<br />
data loss event is caused by a disaster; it is<br />
also possible that human errors can cause<br />
data catastrophes. The solution is to be<br />
sure to have an effective backup and<br />
disaster recovery plan in place that will<br />
help mitigate these types of data threats.<br />
Planning and preparing ahead of time<br />
when it comes to data security and<br />
availability can allow your business to<br />
be the winner."<br />
A step ahead of your competitors. "If your<br />
organisation experiences a disaster, it will<br />
be critical to get back online, and up and<br />
running fast. It is a race to remain competitive,<br />
while winning over other businesses.<br />
A pre-planned backup strategy<br />
means you can be that much more<br />
prepared and win the business while<br />
others struggle. You will survive the data<br />
disaster, while others may not be so lucky."<br />
If you don't have time to do it right,<br />
when will you have time to do it… all over<br />
again? "Doing it right the first time will<br />
save time and money when it comes to<br />
protecting your data," she points out. "If<br />
you don't have backups, you may only be<br />
able to recover some of your data and<br />
you may never know what critical data is<br />
really missing. Major data loss can mean<br />
possibly recreating or re-doing everything<br />
that has ever been done at your business<br />
and very rarely do companies survive these<br />
types of data losses."<br />
The leading causes of data loss are<br />
similar in just about every type of business.<br />
"Most of us believe that once the data<br />
is saved to a computer it's safe and can<br />
always be accessed. The reality is that<br />
backing up data is critical, because data<br />
loss is unpredictable."<br />
It might be just the right time to consider<br />
migrating to a cloud service, she adds.<br />
"Organisations that have chosen cloud<br />
backup have moved away from capital<br />
expenditures and simplified the process of<br />
protecting vital information. Choosing an<br />
industry leader for your business means<br />
that your data is looked after by a global<br />
cloud platform that delivers the much-needed<br />
automation and orchestration to protect<br />
your critical business workloads and<br />
secure your data."<br />
Ransomware<br />
SHOULD YOU PAY THE RANSOM?<br />
WHEN THREATENED WITH A RANSOM DEMAND, SHOULD YOU SIMPLY SUBMIT? THERE IS NO SIMPLE ANSWER<br />
TO THE QUESTION, AS STEVEN USHER, SENIOR SECURITY ANALYST, BROOKCOURT SOLUTIONS, EXPLAINS<br />
Every incident has a different impact,<br />
circumstance and various nuances<br />
that cannot be accounted for in a<br />
general answer to the question: should<br />
you pay the ransom? We would all like to<br />
think that no one should ever pay the<br />
ransom, but that simply is not the case in<br />
the real world.<br />
Home users are in a complicated<br />
situation, in that they do not have access<br />
to the IT skills, tools and teams that a<br />
business does. In addition, there is a<br />
sentimental and home-business angle:<br />
personal items such as photos, texts and<br />
videos, or data linked to a home business,<br />
hold sentimental value, so these users<br />
may have more to lose.<br />
WHEN PAYING SEEMS WORTH THE<br />
RISK<br />
For this reason, smaller ransoms can<br />
easily seem worth the risk of paying for<br />
some, in the hope that their data will be<br />
returned. These personal attacks also carry<br />
no obligation to report the incident, and<br />
there is the psychological aspect of shame<br />
linked to these incidents, which makes<br />
victims less likely to share what happened<br />
if they pay the ransom and it fails.<br />
Businesses, however, have numerous<br />
other concerns when it comes to the<br />
question of whether to pay. They have to<br />
consider public perception, which could<br />
result in a loss of business, and the fact<br />
that incidents not only have to be reported<br />
in an official capacity, but formal public<br />
announcements have to be made when<br />
personal data is involved. Then there are<br />
businesses whose daily responsibilities<br />
include vital services, for whom paying the<br />
ransom may appear the quickest and<br />
easiest route to restoring systems.<br />
WHAT CAN YOU DO? PRACTISE,<br />
EDUCATE, PRACTISE, PREPARE<br />
Practise your response to a ransomware<br />
incident by war gaming or tabletop<br />
gaming an incident and testing the<br />
response of the IT teams who would be<br />
involved. This will allow for the issues,<br />
choke points and confusion to be<br />
addressed before a real-world incident<br />
occurs.<br />
Educate all your users, at a level and in a<br />
manner appropriate to their technical<br />
knowledge, in the potential ingress points<br />
for ransomware and in what to do if a<br />
ransomware infection is suspected.<br />
REGULAR TESTING ESSENTIAL<br />
While many companies have backup<br />
processes in place, the restoration of<br />
those backups is rarely tested<br />
comprehensively, and numerous issues<br />
surface only when a restore is attempted<br />
for real. Rehearsing restores, including<br />
checking that the recovered data is<br />
complete and intact, will once again allow<br />
any issues, confusion and choke points to<br />
be identified before they matter.<br />
PREPARE FOR A RANSOMWARE<br />
INCIDENT<br />
While this could be linked to practising<br />
your response - and, in some ways, it is -<br />
preparing for an incident in this sense<br />
means having email templates prepared for<br />
internal and, if needed, external users, and<br />
ensuring that, if a public statement is<br />
needed, it is prepared, together with<br />
any formal responses that may be required.<br />
Steven Usher, Senior Security Analyst,<br />
Brookcourt Solutions<br />
masterclass<br />
RANSOMWARE - HOW CAN CHANGES<br />
IN REGULATION HELP AGAINST THIS<br />
EVER-EVOLVING THREAT?<br />
THE UPCOMING OPERATIONAL RESILIENCE REGULATIONS WILL BE<br />
TAXING. BUT “LOOK ON THEIR INTRODUCTION AS AN OPPORTUNITY”,<br />
SAYS JAMES DRAKE, SENIOR DIRECTOR AT XCINA CONSULTING LIMITED<br />
James Drake, Senior Director,<br />
Xcina Consulting Limited.<br />
Ransomware has been on the threat<br />
radar for many years now and is not<br />
new to many businesses or industry<br />
sectors, yet we are all still feeling the effects<br />
and the approach to dealing with this threat<br />
is varied.<br />
Some organisations will invest in new<br />
technologies and tools to assist their recovery<br />
from an attack, whereas others will prefer<br />
simply to pay the ransom.<br />
While we are trying to defend ourselves<br />
against the constant threat of ransomware,<br />
organisations are often challenged with an<br />
ever-evolving legal and regulatory landscape.<br />
We all experienced this with the introduction<br />
of GDPR and there is not a day that goes by<br />
that I do not speak to a client regarding their<br />
challenges relating to this, even years after its<br />
introduction.<br />
SO, WHAT CAN WE DO NOW?<br />
It is widely recognised that good basic security<br />
hygiene measures will reduce the impact or<br />
likelihood of a ransomware attack significantly<br />
- eg, maintaining regular patching of critical<br />
systems or ensuring that systems and data<br />
recovery processes are in place.<br />
If your business is in the financial sector,<br />
you may already be aware of the FCA rules<br />
coming into effect on 31 March 2022 regarding<br />
Operational Resilience. This will certainly<br />
be a challenge, but I always look at the<br />
introduction of new rules and regulations as<br />
an opportunity. When trying to decide where<br />
to invest limited funds and resources into new<br />
security controls, the introduction of new<br />
mandatory rules is one of the best drivers for<br />
prioritisation of those resources or potentially<br />
securing more.<br />
WHAT ARE THE NEW RULES AND HOW<br />
DO THEY HELP WITH RANSOMWARE?<br />
The FCA describes 'Operational Resilience' as<br />
follows: "Operational resilience is the ability<br />
of firms, financial market infrastructures and<br />
the financial sector as a whole to prevent,<br />
adapt and respond to, recover and learn<br />
from operational disruption."<br />
The reason this is so important, in terms of<br />
ransomware, is that the controls the rules<br />
require are largely the same controls that<br />
significantly reduce the impact or likelihood<br />
of a ransomware attack.<br />
The principles are as follows:<br />
Identify your important business services -<br />
equally as important when designing<br />
controls to defeat ransomware<br />
Set impact tolerances - Business Impact<br />
Assessment<br />
Carry out mapping and testing to a level of<br />
sophistication necessary to classify critical<br />
business services and identify vulnerabilities<br />
in your operational resilience<br />
Conduct 'lessons learnt' exercises to identify,<br />
prioritise and invest in your ability to<br />
respond and recover from disruptions as<br />
effectively as possible<br />
Develop internal and external<br />
communications plans for when important<br />
business services are disrupted<br />
Maintain a self-assessment document,<br />
detailing the firm's Operational Resilience<br />
journey.<br />
Whether your business is in the financial<br />
sector or not, the employment of the new FCA<br />
rules regarding Operational Resilience would<br />
significantly reduce the impact or likelihood of<br />
a ransomware attack affecting your business.<br />
You can find out more about how Xcina<br />
Consulting helps clients to address risk<br />
management challenges on its website.<br />
Remote working<br />
MASSIVE FLAWS IN HOME WORKING<br />
NEW WORLD OF WORK HAS OPENED UP ORGANISATIONS TO NEW AND UNMANAGED CYBER RISK<br />
David Cummins<br />
(right), Tenable: as<br />
more businesses<br />
establish remote<br />
and/or flexible hybrid<br />
working policies, the<br />
corporate attack<br />
surface has exploded.<br />
Some 72% of UK organisations attribute<br />
recent business-impacting* cyberattacks<br />
to vulnerabilities in technology that<br />
were put in place during the pandemic, while<br />
more than two-thirds (68%) suffered attacks<br />
that targeted remote workers.<br />
The data is drawn from 'Beyond Boundaries:<br />
The Future of Cybersecurity in the New World<br />
of Work,' a commissioned study of more than<br />
1,300 security leaders, business executives<br />
and remote employees, including 168<br />
respondents in the UK, conducted by<br />
Forrester Consulting on behalf of Tenable.<br />
Over a year after work-from-home<br />
mandates went into effect, many<br />
organisations are planning their long-term<br />
hybrid and remote work models. In fact,<br />
70% of UK organisations now support<br />
remote employees, compared to 31%<br />
prior to the pandemic, while 86% plan to<br />
permanently adopt a remote working policy<br />
or have already done so. But embracing this<br />
new world of work has opened organisations<br />
to new and unmanaged cyber risk.<br />
Enabling a workforce without boundaries:<br />
Only 48% of UK organisations are adequately<br />
prepared to support hybrid working models<br />
from a security standpoint. The result is that<br />
78% of security and business leaders believe<br />
their organisation is more exposed to risk as<br />
a result of remote working.<br />
Cloud adoption accelerated for critical<br />
systems: As part of changes made in<br />
response to the pandemic, 46% of<br />
organisations moved business-critical<br />
functions to the cloud, including accounting<br />
and finance (42%) and human resources<br />
(33%). When asked if this exposed the<br />
organisation to increased cyber risk,<br />
80% of security leaders believed it did.<br />
Attackers are taking advantage: 90% of<br />
organisations experienced a business-impacting<br />
cyberattack* in the last 12 months,<br />
with 51% falling victim to three or more.<br />
Hybrid work models and a digital-first<br />
economy have brought cybersecurity front<br />
and centre as a critical investment that can<br />
make or break short- and long-term business<br />
strategies. To address this demand, 75% of<br />
UK security leaders plan to increase their<br />
network security investments over the next<br />
12 to 24 months; 73% will increase spend<br />
on cloud security; 66% plan to spend more<br />
on vulnerability management.<br />
"At the outset of the pandemic, and<br />
following the work from home mandate by<br />
the UK government, many employers had<br />
no choice but to enable remote employees,"<br />
says David Cummins, vice president of EMEA,<br />
Tenable. "Today, and as more businesses<br />
establish remote and/or flexible hybrid<br />
working policies, the corporate attack surface<br />
has exploded. Many of the remote work and<br />
cloud tools were pressed into service,<br />
sometimes without security controls, and in<br />
some cases the tools themselves are nascent<br />
and their security controls immature,<br />
leaving businesses vulnerable to cyberattacks."<br />
With consequences such as loss of<br />
customers, employees, confidential data,<br />
operational disruptions and ransomware payouts,<br />
businesses must look to prioritise cyber<br />
security. "A joint advisory issued earlier this<br />
year by the National Cyber Security Centre<br />
(NCSC), the Cybersecurity and Infrastructure<br />
Security Agency (CISA) and the Australian<br />
Cyber Security Centre (ACSC) confirmed that,<br />
rather than creative threat vectors, bad actors<br />
will typically target known vulnerabilities to<br />
compromise unpatched systems and breach<br />
an organisation's defences," he states.<br />
"This means basic cyber hygiene practices<br />
can eradicate the majority of threats."<br />
*'Business-impacting' relates to a cyberattack or<br />
compromise that results in one or more of the following<br />
outcomes: a loss of customer, employee, or other<br />
confidential data; interruption of day-to-day operations;<br />
ransomware payout; financial loss or theft; and/or theft<br />
of intellectual property.<br />
www.computingsecurity.co.uk @<strong>CS</strong>MagAndAwards <strong>Oct</strong>ober <strong>2021</strong> computing security<br />
25
MFA in the spotlight
AUTHENTICATION VS INSURANCE
ARE YOU BEING FORCED INTO THE MULTI-FACTOR AUTHENTICATION MARKET? NICK EVANS, PARTNER ENABLEMENT MANAGER (US & NORDIC REGIONS), SECURENVOY, EXAMINES WHY THIS IS HAPPENING

Nick Evans, SecurEnvoy: demanding that MFA is in place will become the norm.

A trend that we are seeing in the marketplace is businesses being forced to investigate MFA (Multi-Factor Authentication) by Cyber Insurance providers. But why? Cyber-Insurance vendors understand that large and enterprise-sized companies are no longer the only target for cybercriminals: the reality is that EVERYONE is a target. Everyone's at risk and it's no longer a case of IF, but WHEN, regarding cyberattacks. Insurance vendors don't want to leave themselves open to constant pay-outs to their policy holders, so demanding that MFA is in place will become the norm.

WHAT IS MFA?
'Authentication' in technology is the act of verifying that a user is who they say they are. Typically, this is a Username/Password scenario. The problem with passwords is that they can be cracked easily. And once they've been cracked, they're distributed throughout the cybercriminal network.

WHAT ARE MFA FACTORS?
Factor 1 - Something you know (a Password/PIN/Security Question)
Factor 2 - Something you have (Hardware Token/One-time authentication code/SMS)
Factor 3 - Something you are (Biometrics - Fingerprint/Retina/Voice/Face)
Factor 4 - Somewhere you are - a known location (Home/Office).
WHAT CONTROLS NEED TO BE PUT IN PLACE?
Most carriers now require these MFA controls to be in place:
MFA for remote networks - A massive increase in remote working due to Covid-19. (MFA for remote networks reduces the potential for a network security breach caused by a compromised password.)
MFA for admin access - This area is of massive importance; your business solution admins hold the keys to your business! (MFA for admin access limits an attacker's ability to access a compromised network.)
MFA for remote email access - So much detail in the data that is bouncing around in your emails.

PRESSURE TO EMBRACE MFA
Why are insurance carriers demanding that we have MFA, rather than recommending? Here's what Microsoft say on this: "By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. Knowing or cracking the password won't be enough to gain access."

Passwords cannot be your only form of defence, and hackers can crack your password and immediately gain access to all services available to you, within seconds/minutes. MFA provides a massive obstacle that needs to be put in place, so those criminals can't just walk into your house and take what they want - ie, your data!

Microsoft and Google suggest that MFA can block over 99% of account compromise attacks
The Cyber insurance market is expected to grow by 21% in 2021, making it a $9.5 billion industry
31% of cyberattacks are aimed at businesses with under 250 staff
Microsoft registers over 300 million fraudulent sign-in attempts, daily
60% of your customers will think about leaving you, should a cyber breach ever occur and become public knowledge. 30% will walk away.

Is the loss of 30% of your business more or less than an adequate cyber resilience budget? And what about reputational damage as well? The loss of 30% of business is one thing, but what about the loss of future new business?
product review
ZIVVER SECURE EMAIL

Email is responsible for the majority of data breaches - and leaks involving human error are cited regularly as the main cause. The reasons are manifold and range from misaddressed emails to using CC instead of BCC; and, if the message contains confidential information, companies could be breaching GDPR and facing hefty fines.

This is where Zivver steps in, as its Secure Email is a deceptively simple solution that combines machine learning, AI and end-to-end encryption to protect outbound email throughout the entire creation and delivery processes. A key feature of Zivver is extreme ease of use, as it slips seamlessly into existing working practices with minimal disruption and integrates neatly with Outlook, OWA and Gmail, so users only require basic training.

Fundamental to Zivver is its business rules, as these are applied in real time to every message during creation and prior to sending. Examples include options to enforce 2FA when sensitive information in the subject, body or attachment is detected, BCC checks and non-recent sharing of confidential information. Zivver detects NHS and credit card numbers in emails and uses checksum algorithms to confirm they are genuine numbers. Rules have three actions: they highlight possible rule breaches, warn users that they should rectify the breach, or block them if they don't.
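As an added illustration of the kind of check the review describes (this is not Zivver's code and does not reflect how its rules are implemented), the following Python scans a constructed message for candidate credit card and NHS numbers, confirms them with the Luhn checksum and the NHS number modulus 11 check respectively, and maps the result onto the three actions the review names. The escalation policy, the "external recipient" flag and the sample message are assumptions made for the example; the numbers in it are published test values, not real records.

```python
import re

# Candidate patterns: 13-19 digits with optional spaces or hyphens for cards,
# and ten digits in the usual 3-3-4 grouping for NHS numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
NHS_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum (ISO/IEC 7812), as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def nhs_number_valid(number: str) -> bool:
    """NHS number check digit: weights 10..2 over the first nine digits, mod 11."""
    if len(number) != 10 or not number.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(number[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:  # no valid check digit exists for this prefix
        return False
    return check == int(number[9])


def find_sensitive(text: str) -> list:
    """Return (kind, digits, verified) for every candidate number in the text.
    A candidate that fails its checksum is still reported, but as unverified."""
    findings = []
    checks = (("card", CARD_RE, luhn_valid), ("nhs", NHS_RE, nhs_number_valid))
    for kind, regex, check in checks:
        for m in regex.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            findings.append((kind, digits, check(digits)))
    return findings


def rule_action(findings: list, external_recipient: bool) -> str:
    """Assumed escalation policy for the example: block verified numbers that
    would leave the organisation, warn on verified numbers sent internally,
    highlight candidates that only match a pattern, otherwise allow."""
    if any(verified for _, _, verified in findings):
        return "block" if external_recipient else "warn"
    if findings:
        return "highlight"
    return "allow"


# Constructed sample message (test numbers only).
SAMPLE_BODY = (
    "Hi, patient NHS number 943 476 5919 was seen today. "
    "Card 4111 1111 1111 1111 is on file; old ref 4111-1111-1111-1112 can be ignored."
)

if __name__ == "__main__":
    found = find_sensitive(SAMPLE_BODY)
    print(found)
    print(rule_action(found, external_recipient=True))
```

The checksum step is what keeps the rule usable: plain digit patterns fire on order references and phone numbers, so only candidates that pass the checksum drive a block, while the rest are surfaced for the sender to judge.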
Deployment is, indeed, a simple process and starts by providing organisation and email domain details in your Zivver cloud portal account. Customisation features are extensive, and include portal branding and creating personalised notification messages for recipients.

Setting up Zivver users is simple, as you can add them manually, whereupon they receive an invitation to create a personal account and set up 2FA. Larger organisations can employ Zivver's SyncTool to synchronise Active Directory and Exchange accounts.

Our test users were running Outlook and just needed to download the Zivver Office plug-in. This added a new option to the Outlook menu ribbon where they could log in to their account and, if permitted, access its message control settings.

Procedures for creating new Outlook emails are exactly the same, but Zivver adds an upper toolbar to the message highlighting actions required by the user. Each new recipient must be verified, and methods include sending them an email, providing a one-time access code, applying an organisational code and sending an SMS to a valid mobile number.

If sensitive information is detected, the toolbar highlights this and reacts dynamically to changes made to any part of the message. Attachments are scanned when added, and a standout feature is that Zivver supports file sizes up to 5TB.

To open secure emails, recipients simply click the message body link and they are transported to the Zivver portal, where they enter their verification details. They don't require a Zivver account, and can receive secure emails and reply to them, irrespective of their location or email client.

We all know how ineffective standard email recall processes are, but Zivver users can confidently recall messages sent in error. Furthermore, if they haven't been accessed by any recipients prior to withdrawal, Zivver guarantees that potential data leaks have been contained and won't need reporting.

Along with extensive auditing features in the admin portal, users can view all emails from their client, see which recipients opened them and who downloaded attachments. They can also log in to their personal Zivver portal account and view them from there as well.

Zivver Secure Email is a simple solution to a major problem that plagues businesses of all sizes. It's incredibly easy to deploy, requires no changes in working practices and ensures that confidential information sent by email is totally secure.

Product: Secure Email
Supplier: Zivver
Web site: www.zivver.com
Tel: +44 (0)20 3285 6300
ransomware
TO PAY OR NOT TO PAY?
PAYING RANSOMWARE IS A TOPIC THAT GREATLY DIVIDES OPINION. COLD LOGIC MIGHT DICTATE THAT ANY DEMAND IS TURNED DOWN. BUT WHAT IF IT'S A MATTER OF LIFE OR DEATH?

Some say 'yes', others say 'no' - should you pay the ransom? Law enforcement does not encourage, endorse, nor condone the payment of ransom demands. Why? Because they say that, if you do pay the ransom:
There is no guarantee you will get access to your data or computer
Your computer will still be infected
You will be paying criminal groups
You're more likely to be targeted in the future.

How true is this? Doesn't paying up and having your data access reinstated give the hackers a better image? Or are there so many 'pickings' out there that they don't really care one way or the other?

Then there are all the other issues around what has become a massive enterprise in itself. Since there's no way to completely protect your organisation against malware infection, what should you do to keep ransomware at bay? Is a 'defence-in-depth' approach the right one, using layers of protection, with several mitigations at each layer? You'll have more opportunities to detect malware by adopting that approach and then stop it before it causes real harm to your organisation. That said, should you assume anyway that some malware will infiltrate your organisation, at some point, whatever strategies you put in place? For every possible plus point there appears to be a minus, so what is the best way to limit the impact a ransomware attack would cause and speed up your response?

IN THE TEETH OF A GALE
Brooks Wallace, VP EMEA at Deep Instinct, says that the argument as to whether or not an organisation should pay a ransom is "causing quite a dilemma" in the corporate boardroom. "While it may be easy to say that an organisation shouldn't pay ransom, there are many factors to consider. Imagine you are the family of someone in the intensive care unit of a hospital taken offline by a ransomware attack. Think of critical infrastructure providers or banks. At that significant point in time, when hours count, you don't care about principles or policies. You just want the situation to be fixed."

There appear to be increasing discussions among board members about what to do in the case of a ransomware attack, how to overcome it should one occur and whether their insurance policies will help. "Trying to make decisions during an attack itself only adds to the pressure and could worsen the crisis, so it is best to make these decisions beforehand and plan in case of an attack. This should include the decision of whether to pay for the attack or not."

Condemning those organisations that are unfortunate enough to have been hit by a ransomware attack doesn't help anyone or change behaviours, he adds. "Having best practice guidelines and the rationale behind these would be more valuable. There should be a strong encouragement not to pay ransoms, but, in parallel, investment needs to be made in stopping the attack in the first place. Prevention is far better than cure."
PREVENTION FIRST APPROACH
Any intelligence that can be gathered post breach helps understanding for the future. "But what's even better is a 'prevention first' approach that features a multi-layered defence system, with more than one swing at the ball to stop an attack. We need to spend more time on stopping these attacks pre-execution, before the damage is done. Many technologies need an attack to execute and run before they are picked up and checked to see if they are malicious, sometimes taking as long as 60 seconds or more. When dealing with an unknown threat, 60 seconds is too long to wait for an analysis."

In order to ensure business continuity, organisations need to invest in solutions that use technology such as deep learning, "which can deliver a sub-20 millisecond response time in stopping a ransomware attack, pre-execution, before it can take hold, actually predicting the ransomware attack and therefore protecting the organisation," Wallace states. "Using this type of technology means organisations no longer need to worry about whether or not to pay a ransom, as there is a solution that prevents the attack altogether.

"Furthermore, investing in a solution that offers a 'ransomware warranty', whereby the organisation receives a certain amount if they experience a ransomware attack, using that provider's technology is beneficial. Warranties ensure an extra level of protection, should a ransomware attack occur, and allow for some alleviation, in terms of how much it will cost the organisation to recover after the attack."

BACKED INTO A CORNER
Callum Roxan, head of Threat Intelligence at F-Secure, accepts that the payment of ransoms to cyber criminals is not a "socially optimum outcome, but in the moment, faced with the loss of income, data and reputation, many organisations will feel backed into a corner where they will 'have to' pay. Ever-evolving extortion models and technological advances ensure organisations need to continually invest to keep up to speed with the latest threats posed by the sprawling ransomware ecosystem. In purely financial terms, the judgment is often made that accepting the risk of ransomware is more palatable than investing heavily into cybersecurity to mitigate the risk."

The continued payment of ransom demands funds additional advancements and continued operation, and acts as an incentive to attract new actors to conduct ransomware attacks. "Breaking this cycle is something governments and the cyber security industry need to fix, shifting the balance of incentives to not paying ransoms and making securing your organisation against these threats less costly and more effective."

WHERE DID IT ALL GO WRONG?
All too often, organisations put too much focus on the detection and response of a ransomware attack, instead of looking at the steps that have allowed an attacker to get to the point of demanding ransom, argues Mike Fleck, VP marketing at Cyren. "The ransom of an attack is so far along the attack chain that, by the time the 'ransomware' attack has already been deployed, it's too little, too late."

He divides ransomware attacks into two categories. The first is a 'drive-by attack', which tricks users into installing malware onto their devices, whether that be a PC at home or a healthcare kiosk in an emergency room. While these attacks directly affect those users, they are random as to whom they affect. "The more serious attacks are the ones that target a specific organisation. The attackers look for the most impactful way to infect an organisation through the vulnerabilities they find and then launch a ransomware attack. In order to get to that point, the attackers would have had to identify the organisation, find the vulnerabilities within that organisation, launch the malware and then deploy the ransomware attack."

Often the cause of a ransomware attack, and the attacker's access point into an organisation, adds Fleck, is a phishing email where an unsuspecting user has clicked on a link, which then deploys a backdoor on the device, allowing the attacker to gain access into the organisation's network and find its vulnerabilities. "Organisations need to look at the precursors to ransomware attacks and the steps that get the attacker to where they need to be before they launch the malware itself."

Phishing attacks will always enter your network and breach your organisation, he points out. "Therefore, the focus needs to be on the antecedents to the attack and understanding what they are, in order for the organisation to deal with the attack better. Only then will organisations be able to remediate properly, rather than focus on detection of, and response to, the final step in the attacker's plan. At present, email security is overly focused on prevention, which demonstrates diminishing returns for each new layer of detection. By adding a real-time detection and automated remediation capability to identify and eliminate phishing threats rapidly, we can minimise the impact of when a phishing email makes it through our defences."
At Bitdefender, while the company expects to see ransomware operators continuing to offer new and more dangerous versions of ransomware, the company's director of Threat Research and Reporting, Bogdan Botezatu, states that it will maintain its commitment to helping users regain control of their digital lives and denying profits to attackers. "Collaboration between major cyber-security solution providers and law enforcement agencies allows us to combat the devastating effects of ransomware and help victims whose data would otherwise either be lost forever or generate large amounts of money for the cyber-crime underground."

Bogdan Botezatu, Bitdefender: collaboration between major cyber-security solution providers and law enforcement agencies allows us to combat the devastating effects of ransomware.

Brooks Wallace, Deep Instinct: the argument about whether or not an organisation should pay a ransom is causing quite a dilemma in the corporate boardroom.
INCREASING DEVASTATION
Computing Security also wanted to get some 'historical' perspective on ransomware, such as instances of who has paid up, where attacks have been state-sponsored and the emergence of ransomware-as-a-service. Well versed in such matters is LogPoint CTO Christian Have, and he provided a detailed inside view on all those issues.

"Ransomware attacks are becoming increasingly devastating to companies. Not only do they inflict massive disruptions to operations, but criminals are also asking for ever-larger ransoms to unlock the encrypted files and machines hit by the attacks. Throughout the last months, state-sponsored ransomware attacks inflicting damage on critical infrastructure have dominated the headlines. JBS recently paid 11 million dollars following an attack that shut down all the company's US beef plants. Just before that, an attack paralysed Ireland's health services for weeks in the middle of a pandemic. The attack happened in the wake of the Colonial Pipeline attack that caused fear of gas shortages.

"CNA Financial, one of the largest insurance companies in the US, reportedly paid 40 million dollars to get access to its files and to restore its operations, making it the largest reported ransom paid to date. In comparison, 40 million dollars is more than most companies spend on their cybersecurity budget - it is even more than what many companies spend on their entire IT budget.

"Due to the surges in state-sponsored ransomware attacks in the US and Europe, many government institutions, including the White House, have urged companies to bolster their defences to help stop the ransomware groups. The G7 group has called on Russia, in particular, to identify, disrupt and hold to account those within its borders who conduct ransomware attacks and other cybercrimes. One of the few outcomes of the Biden-Putin summit is an agreement to consult on cybersecurity. However, the agreement is ambiguous without any specific actions."

A RANSOM PAYOUT ISN'T ALWAYS THE END GOAL
"Stopping ransomware groups is no small task. The scale of the economy behind these groups is significant. Many active groups have corporate structures, with roles and responsibilities that mirror regular software development organisations," Have points out. "These criminal organisations are well funded and highly motivated to develop their attacks - but their revenue streams do not begin or end with victims paying up a ransom. There is an entire ransomware ecosystem, capitalising on successfully executing attacks." This includes:
Groups selling access to platforms that deliver end-to-end ransomware-as-a-service for other groups to use.
Brokers that deliver teams of highly specialised developers that can build and deploy malware. Think of this as malware recruiting.
Certain groups only gain access to corporate networks. They will not actively disrupt the operations or demand ransom; instead, they sell access to victims for other groups to capitalise on.

The increasing sophistication of ransomware groups has led many organisations to implement a multitude of tools to help detect and prevent attacks. But what really works?

BASIC SECURITY ESSENTIAL TO PREVENT ATTACKS
For the last 15 years, CISOs, security operations teams and security vendors have put a significant focus on complex attacks and staying on top of the cutting edge of what adversaries can do, he continues. "For example, the malicious computer worm Stuxnet launches extremely advanced campaigns. The result is that a lot of organisations have a relatively extensive portfolio of advanced technologies. These technologies are expensive, complex to use and even more complex to integrate with each other and the surrounding security ecosystem.

"The Colonial Pipeline breach happened because a remote access platform failed to enforce or require multi-factor authentication. Combined with a shared password used among several users, attackers found a way into the infrastructure. Advanced detection tools are not meant to detect such basic mistakes.

"Failing to cover the basics - patching, secure configurations or following best practices - is a pattern repeating itself in many of the recent attacks. It is not without reason that every authority on cybersecurity has patching and baselining configurations as some of the first recommendations for companies to strengthen their cybersecurity efforts."
So why are companies not just patching everything, implementing the Zero Trust model and forcing multi-factor authentication everywhere? Especially when the most considerable material risk to the operations and existence of the organisation is a ransomware attack? "IT operations is hard," he responds. "The security operations team, IT operations team and enterprise risk management team often have siloed thinking, with different objectives and incentives. Aligning activities and goals across various departments is, without a doubt, part of the problem.

"One of the things we hear from our customers is that they need a unified overview of the technical risk aspects. Implementing a unified solution such as Zero Trust orchestration or XDR is complex and, in many cases, expensive. Some of our customers are turning to fewer vendors and relying on open standards - for example, MITRE for a taxonomy of attacks, MISP to share threat observations and YARA to identify malware indicators - to offload some of the headaches of aligning different departments' ways of working."

THE WAY FORWARD
When critical infrastructure is under attack through large and small companies, it is obvious that more technology will not solve the issue alone, Have insists. "Outsourcing IT operations or security operations alone is not solving the problem either. With that in mind, I see three paths forward."
Law enforcement agencies must cooperate across borders to target ransomware groups, track payments and ultimately change the operational risk for these groups, so that it is more expensive to do illicit business.
Breaking down silos within organisations, getting the cybersecurity, IT operations and risk management teams to speak the same language and align expectations. Who owns the backup - IT? Who is responsible for the disaster recovery - Security? Who owns the business continuity planning - Enterprise risk management?
More laws and regulations on the matter. GDPR has done a lot to bring focus and awareness about reporting breaches to infrastructure. "But more is needed," Have insists. "GDPR works for personal data, but disruptions to critical infrastructure following a ransomware attack are not necessarily under the umbrella of GDPR and, as such, can go under the radar. With more sharing, increased focus and potentially fines levied against organisations that fail to prevent or protect their infrastructure adequately, boardrooms will begin to take the threat seriously."

Callum Roxan, F-Secure: ever-evolving extortion models and technological advances ensure organisations need to continually invest to keep up to speed with the latest threats.

Christian Have, LogPoint: many active groups have corporate structures, with roles and responsibilities that mirror regular software development organisations.
threat intelligence
KNOWING YOUR ENEMY
CYBER THREAT INTELLIGENCE DOESN'T COME EASY OR CHEAP. HOWEVER, A CONTINUOUSLY EVOLVING THREAT LANDSCAPE IS MAKING IT A VITAL RESOURCE

Paul Prudhomme, Insights, a Rapid 7 company: good cyber threat intelligence companies create reports on the ransomware gangs that organisations should watch out for.

According to Paul Prudhomme, head of Cyber Threat Intelligence Advisory at Insights, a Rapid 7 company, the goals of cyber threat intelligence are to provide network defenders with the specific information they need, in order to improve their defences against the continuously evolving threat landscape and ultimately to prevent those threats from compromising organisations in the first place.

"Cyber threat intelligence programs should aim to inform stakeholders about potential attacks before they happen, not after they happen. Many security leaders learn about significant threats and incidents, such as the May 2021 ransomware attack on the Colonial Pipeline by Darkside ransomware operators, from mainstream news media coverage. If they had robust cyber threat intelligence programs, however, they would have already been familiar with the Darkside ransomware affiliate program well before the Colonial incident."

Darkside had already made a name for itself in underground criminal circles and should have shown up in any cyber threat intelligence coverage of dark web communities before the Colonial incident, he points out. "Good cyber threat intelligence companies create reports on the ransomware gangs that organisations should watch out for. If Colonial had been receiving those reports, perhaps it could have taken steps to improve its defences against Darkside attacks and reduced the attackers' likelihood of success."

In a multi-layered network defence strategy, cyber threat intelligence is the outermost layer, adds Prudhomme. "It enables organisations to adjust their defences in advance of a potential attack. If cyber threat intelligence fails, and the targeted organisation is unaware of, and has not prepared for, the threat, it must fall back on its inner layers of network defence and hope that they were already robust enough to prevent the intrusion."
INVISIBLE FORCES

There are certain types of threats that are nonetheless advanced enough to evade many, most or all of an organisation's multiple layers of defence, including cyber threat intelligence, he adds. "Advanced threat actors, which usually [but not always and not necessarily] come from state-sponsored groups, invest considerably more time, effort and other resources in their attempts to avoid detection by security researchers and security solutions. The state-sponsored groups that are the source of most advanced threats are also more relentless in their pursuit of targets, as the intelligence requirements of their government stakeholders give them less flexibility in their targeting than their criminal counterparts."
The greater challenges of detecting advanced threats that go to greater lengths to evade detection have given rise to the variety of security solutions known as advanced threat protection (ATP), Prudhomme continues - see page 24. "Simpler and more conventional detection methods, such as indicators of compromise (IoC), are often inadequate for detecting threats in this category. For example, advanced threat actors may alter their malware payloads more frequently, in order to avoid IoC-based detection of their file hashes. They may even monitor security research publications to see if and when security researchers have identified their infrastructure as malicious and make changes accordingly. Heuristics, machine learning and artificial intelligence are among the many ways that security solutions can overcome these countermeasures."
LIMITED RESOURCES

Todd Carroll, CybelAngel CISO, says threat intelligence is massively important for organisations, since even large companies have limitations on resources, so efforts must be put into projects that will pay off and keep them safer.
"Cybercriminals are calculated. They have preferences on who they target - hospitals generally pay out more often, but EU-based targets tend to have more to offer. Threat actors also have a pattern of preparation for attacks, including buying batches of credentials, using Shodan to locate assets and hiring penetration testers to see what access can be granted. Next, they have a pattern of attack, which includes accessing an RDP (Remote Desktop Protocol), then upgrading permissions with the chosen CVE (Common Vulnerability Exposure) and using a particular type of malware on IP addresses to gain a foothold over command and control servers. Finally, they have a pattern of extortion: single extortion, double extortion, potentially data exfiltration and making decisions on giving up decryption keys upon payment."
How do you choose to interrupt that modus operandi and where will the lightest touch have the biggest effect? "Cyber Threat Intelligence is the answer," he states. "It informs a company that, by updating their servers with a particular patch, the crucial CVE is mitigated. Maybe you block some IP addresses, so that command and control servers can't communicate with the malware/ransomware program. Perhaps this cyber threat is not interested in attacking your company."
How analysts go about this is through cyber forensics and dark web monitoring. "The forensics gives us the hard data: it was this CVE, on that server type, port number #### was used and this person's password was compromised. Dark web monitoring is useful, since many criminals like to brag. Dark Web forums have advertisements to recruit pen testers, people with access and passwords for sale: 'Join our ransomware gang!' 'Fair pay!' 'Easy work!' 'All the steps are in this playbook!' 'Helplines are available!'"

Similar to solving a mystery, threat intelligence combines the physical evidence with motive, then applies the result to other companies to see if they are at risk, too. "If yes, here are tactical options: update that, block this, monitor those. Then there are strategic options - make RDPs harder to spin up, automate security settings for new databases and institute multifactor authentication."
MALWARE LOGS FOR SALE

Since the start of this year, Accenture Cyber Threat Intelligence has, according to its '2021 Cyber Threat Intelligence Report', observed a slight, but noticeable, increase in threat actors selling malware logs, which constitute data derived from information stealer malware.

Information stealers can collect and log a wide range of sensitive system, user and business information. "A threat actor can use malware logs to masquerade as a legitimate network user and avoid detection, gaining initial access to a victim system by using valid credentials. Threat actors often use malware logs to access an organisation's Web resources and attempt to access privileged administrator accounts on an organisation's webservers."

In some cases, they may try to access computers on a victim's network via services like RDP or SSH. A common alternative action is for threat actors to sell malware logs directly to hackers or in bulk to 'malware log' Dark Web marketplaces, such as Genesis Market or Russian Market.
email spoofing

BEC ATTACKS - THE STING IN THE TALE

BUSINESS EMAIL COMPROMISE (BEC) ATTACKS ARE FUELLED BY PERPETRATORS WHO RELY ON SOCIAL ENGINEERING TECHNIQUES AND IMPERSONATION - AND THEIR VICTIMS ARE PAYING A MASSIVE PRICE

Tim Callan, Sectigo: it is scarily easy to manipulate and falsify business emails in myriad ways.
Business Email Compromise (BEC) attacks are a technique where cybercriminals spoof emails to impersonate someone recognised, such as an employee's supervisor, executive or vendor. This is so they can exploit trusted relationships and trick employees into wiring company funds, sharing proprietary information or even granting access to the system.
As Tim Callan, chief compliance officer, Sectigo, points out, the FBI's 2020 Internet Crime Report [i] revealed how BEC-related losses increased from some $1.29 billion in 2018 to $1.86 billion in 2020. "Phases of setting up an attack include the initial researching and identifying of targets, and then setting up the attack by performing activities, such as spoofing email addresses," he points out.

"In the execution phase of a BEC attack, it could take place in one email or an entire thread, often using language of persuasion and urgency to gain the victim's trust, also including instructions to facilitate making payments to fraudulent accounts. Once the money has been acquired by the attacker, it is quickly collected and disseminated to reduce traceability and retrieval chances."
COMMONALITY OF BEC ATTACKS

"Virtually every single business relies upon email as a fundamental form of communication, especially in the era of hybrid work, and ironically, it is scarily easy to manipulate and falsify business emails in myriad ways. Cyber-criminals are aware of companies' reliance on them and are perpetrating a variety of attacks to profit from it," adds Callan.
The number of estimated business email compromise (BEC) scam attempts that have been perpetrated worldwide from 2017-2020 [ii] has risen dramatically, from 9,708 to 17,607 attacks. Additionally, a total of 74% of organisations are not prepared for phishing [iii] and malware attacks, with the majority of these attacks being carried out through BEC attacks specifically.

"Now it is even more concerning that these cybercriminals are recruiting English speakers [iv] for these forms of attack, making them harder to spot and therefore all the more effective. This will inevitably see more of an increase of successful campaigns, if businesses do not look at ways to spot and prevent the attacks."
HOW TO BEST DEFEND AGAINST BEC?

Because BEC is a social engineering scam, employees should be informed how to spot fraudulent emails, advises Callan. "Most businesses are successfully targeted, due to most employees lacking IT-specific technical skills and knowledge. Speed is paramount during an attack, meaning industries must rapidly train their employees to spot and avoid the latest attack vectors."

Implementing email certificates is a quick and easy fix to decrease the chances of BEC attacks, combined with ongoing employee training, he points out. "An ideal solution should also integrate with secure email gateways, allowing the gateway to decrypt and encrypt, so that it can continue to deliver on its valuable function. It should provide the recipient better delivery choices and use the native mail client to decrypt the email without leaving the application.
CERTIFIED WAY FORWARD

"The appropriate certificate type to secure public email is called a Secure/Multipurpose Internet Mail Extension (S/MIME) certificate. These certificates offer a logical approach for preventing business email compromise attacks. With this," he states, "businesses will be able to block malicious actors."
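A header-level triage check for the impersonation patterns Callan describes (an executive's display name on a foreign mailbox, a diverted Reply-To, a look-alike sender domain, and internal mail arriving without an S/MIME signature), as an added example that is not Sectigo's or the magazine's code; the corporate domain, executive directory and sample messages are constructed for illustration:

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate domain and executive directory; sample messages below are constructed
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo-urgent@mail-relay.invalid
Content-Type: text/plain

Please wire the funds today.
"""
SAMPLE_UNSIGNED = """From: Jane Doe <jane.doe@example.com>
Content-Type: text/plain

Quarterly figures attached.
"""
SAMPLE_SIGNED = """From: Jane Doe <jane.doe@example.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"

(signed parts omitted)
"""

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _looks_alike(domain):
    """True if the label differs from the corporate domain's by one character (e.g. l -> 1)."""
    if domain == COMPANY_DOMAIN or not domain:
        return False
    a, b = domain.split(".")[0], COMPANY_DOMAIN.split(".")[0]
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def triage(raw_message):
    """Return the BEC indicators found in a message's headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(addr)
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:       # executive's name on the wrong mailbox
        findings.append("display-name-impersonation")
    if reply_to and _domain(reply_to) != from_dom:  # replies diverted to another domain
        findings.append("reply-to-mismatch")
    if _looks_alike(from_dom):                      # registered look-alike of our domain
        findings.append("lookalike-domain")
    if from_dom == COMPANY_DOMAIN and msg.get_content_type() != "multipart/signed":
        findings.append("unsigned-internal-mail")   # S/MIME-signed mail is multipart/signed
    return findings
```

Run against the constructed spoof, `triage(SAMPLE_SPOOF)` reports all three impersonation indicators, while the signed internal message yields none.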
[i] https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
[ii] https://www.statista.com/statistics/820912/number-of-attempts-of-bec-scams-ceo-fraud
[iii] https://www.techrepublic.com/article/companies-are-losing-the-war-against-phishing-as-attacks-increase-in-number-and-sophistication
[iv] https://www.zdnet.com/article/scam-artists-are-recruiting-english-speakers-for-business-email-campaigns
Computing Security
Secure systems, secure data, secure people, secure business

Product Review Service

VENDORS – HAS YOUR SOLUTION BEEN REVIEWED BY COMPUTING SECURITY YET?

The Computing Security review service has been praised by vendors and readers alike. Each solution is tested by an independent expert whose findings are published in the magazine along with a photo or screenshot. Hardware, software and services can all be reviewed.

Many vendors organise a review to coincide with a new launch. However, please don’t feel that the service is reserved exclusively for new solutions. A review can also be a good way of introducing an established solution to a new audience. Are the readers of Computing Security as familiar with your solution(s) as you would like them to be?

Contact Edward O’Connor on 01689 616000 or email edward.oconnor@btc.co.uk to make it happen.