Cyber Defense eMagazine February Edition for 2022

The view from the Publisher’s desk is very encouraging, based on celebrating 10 years of growth and success at Cyber Defense Magazine! When our tiny team began our journey at Cyber Defense Media Group (CDMG) together in January 2012, we were happy to help smaller, lesser-known innovators of infosec, get their message out there and Rise Above the noise. Now, after 10 years, we’re even helping multi-billion-dollar companies and governments around the globe with our offices in D.C., London, N.Y. and other locations in play, as we continue to scale, thanks to you – our readers, listeners, viewers and media partners. Beyond the magazine, in response to the demands of our markets, the scope of CDMG’s activities has grown into many media endeavors. They now include Cyber Defense Awards; Cyber Defense Conferences; Cyber Defense Professionals (job postings); Cyber Defense TV, Radio, and Webinars; and Cyber Defense Ventures (partnering with investors). Please check them out and see how much more CDMG has to offer! Very respectfully and with much appreciation, Gary Miliefsky, Publisher

The view from the Publisher’s desk is very encouraging, based on celebrating 10 years of growth and success at Cyber Defense Magazine! When our tiny team began our journey at Cyber Defense Media Group (CDMG) together in January 2012, we were happy to help smaller, lesser-known innovators of infosec, get their message out there and Rise Above the noise. Now, after 10 years, we’re even helping multi-billion-dollar companies and governments around the globe with our offices in D.C., London, N.Y. and other locations in play, as we continue to scale, thanks to you – our readers, listeners, viewers and media partners. Beyond the magazine, in response to the demands of our markets, the scope of CDMG’s activities has grown into many media endeavors. They now include Cyber Defense Awards; Cyber Defense Conferences; Cyber Defense Professionals (job postings); Cyber Defense TV, Radio, and Webinars; and Cyber Defense Ventures (partnering with investors).
Please check them out and see how much more CDMG has to offer!

Very respectfully and with much appreciation,
Gary Miliefsky, Publisher


You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

How Criminals Have Migrated Through<br />

Identity Theft and Privacy into <strong>Cyber</strong> Attacks<br />

The Top 5 Cloud Security Predictions <strong>for</strong> <strong>2022</strong><br />

Mitigating Risk from Insider Threats in <strong>2022</strong><br />

Responding To the Ransomware Pandemic<br />

…and much more…<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 1<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Welcome to CDM’s <strong>February</strong> <strong>2022</strong> Issue -------------------------------------------------------------------------------- 6<br />

How Criminals Have Migrated Through Identity Theft and Privacy into <strong>Cyber</strong> Attacks ------------------- 17<br />

By P. William Zivanchev, Executive Director, Institute of Consumer Financial Education<br />

The Top 5 Cloud Security Predictions <strong>for</strong> <strong>2022</strong> ----------------------------------------------------------------------- 24<br />

By Amit Shaked, CEO, Laminar<br />

<strong>Cyber</strong>criminals Hunt For Medical Data. Zero Trust As The Only Good Option To Keep The Healthcare<br />

System Secure ---------------------------------------------------------------------------------------------------------------- 28<br />

By Tomasz Kowalski, CEO, Secfense<br />

How Do I Reliably Identify You If I Cannot See You? --------------------------------------------------------------- 31<br />

By John Callahan, CTO, VeridiumID<br />

How To Improve Federal Endpoint Detection and Response Tactics and Gain Network Visibility ----- 35<br />

By Matt Marsden, Vice President, Technical Account Management, Federal, Tanium<br />

Decision Trees in Case of a Ransomware Attack -------------------------------------------------------------------- 39<br />

By Zsolt Baranya, In<strong>for</strong>mation Security Auditor, Black Cell Ltd.<br />

Mitigating Risk from Insider Threats in <strong>2022</strong> ------------------------------------------------------------------------ 42<br />

By Isaac Kohen, Teramind<br />

Web Application Penetration Testing Checklist with OWASP Top 10 ------------------------------------------ 46<br />

By Ankit Pahuja, Marketing Lead & Evangelist at Astra Security<br />

5 Ways to Protect Your Workplace from <strong>Cyber</strong>security Threats ------------------------------------------------ 52<br />

By Nicole Allen, Marketing Executive, Salt Communications<br />

Today's Digital Battlefield Demands Resilience Beyond Infrastructure --------------------------------------- 57<br />

By Mohammed Al Mohtadi, <strong>Cyber</strong> In<strong>for</strong>mation Security Officer, Injazat<br />

Why Ransomware is Only a Symptom of a Larger Problem ------------------------------------------------------ 61<br />

By Jeff Palatt, Vice President, Technical Advisory Services at MOXFIVE<br />

Responding To the Ransomware Pandemic -------------------------------------------------------------------------- 64<br />

By Tom McVey, Solution Architect, Menlo Security<br />

Killware is the Next Big <strong>Cyber</strong>security Threat ------------------------------------------------------------------------ 67<br />

By Brian Erickson, Vice President or Strategy and Solutions and retired U.S. Navy Captain, Vidoori<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 2<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Combining True MDR & SOC <strong>for</strong> Robust <strong>Cyber</strong>security ------------------------------------------------------------ 71<br />

By Jon Murchison, Founder and CEO, Blackpoint <strong>Cyber</strong><br />

The <strong>Cyber</strong>security Trends You Need to Know About In <strong>2022</strong> ----------------------------------------------------- 76<br />

By Jamie Wilson, MD & Founder, Cryptoloc Technology Group<br />

Detect Ransomware Data Exfiltration Immediately --------------------------------------------------------------- 81<br />

By Randy Reiter CEO of Don’t Be Breached<br />

Understanding Identity Detection and Response ------------------------------------------------------------------- 84<br />

By Dr. Edward G. Amoroso Chief Executive Officer, TAG <strong>Cyber</strong> LLC<br />

<strong>Cyber</strong> Insurance: What Executives Need to Know Be<strong>for</strong>e Obtaining Coverage ----------------------------- 89<br />

By Amanda Surovec, Director of Security Engagement and Claims, Resilience <strong>Cyber</strong> Insurance Solutions, and<br />

Shawn Melito, Chief Revenue Officer, BreachQuest<br />

Data Security Must Be a Priority as Employees Quit in Record Numbers ------------------------------------- 93<br />

By Tim Sadler, Co-founder and CEO, Tessian<br />

Why Building Managers Need to Prioritize <strong>Cyber</strong>security -------------------------------------------------------- 97<br />

By Shaun Cooley, Founder and CEO of Mapped<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 3<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


From the<br />

Publisher…<br />

Dear Friends,<br />

We’ll be celebrating our 10 th Year in business and of our Global InfoSec Awards and as a<br />

The view from the Publisher’s desk is very encouraging, based on celebrating 10 years of growth and<br />

success at <strong>Cyber</strong> <strong>Defense</strong> Magazine!<br />

When our tiny team began our journey at <strong>Cyber</strong> <strong>Defense</strong> Media Group (CDMG) together in January 2012,<br />

we were happy to help smaller, lesser-known innovators of infosec, get their message out there and Rise<br />

Above the noise. Now, after 10 years, we’re even helping multi-billion-dollar companies and<br />

governments around the globe with our offices in D.C., London, N.Y. and other locations in play, as we<br />

continue to scale, thanks to you – our readers, listeners, viewers and media partners.<br />

Beyond the magazine, in response to the demands of our markets, the scope of CDMG’s activities has<br />

grown into many media endeavors. They now include <strong>Cyber</strong> <strong>Defense</strong> Awards; <strong>Cyber</strong> <strong>Defense</strong><br />

Conferences; <strong>Cyber</strong> <strong>Defense</strong> Professionals (job postings); <strong>Cyber</strong> <strong>Defense</strong> TV, Radio, and Webinars; and<br />

<strong>Cyber</strong> <strong>Defense</strong> Ventures (partnering with investors).<br />

Please check them out and see how much more CDMG has to offer!<br />

The full list, with links, can be accessed at:<br />

https://www.cyberdefensemagazine.com/cyber-defense-media-group-10-year-anniversary-dailycelebration-in-<strong>2022</strong>/<br />

Warmest regards,<br />

Platinum Media Partner of RSA Conference on June 06 – 09 , <strong>2022</strong> – See You There!<br />

Gary S.Miliefsky, CISSP®, fmDHS<br />

CEO, <strong>Cyber</strong> <strong>Defense</strong> Media Group<br />

Publisher, <strong>Cyber</strong> <strong>Defense</strong> Magazine<br />

P.S. When you share a story or an article or in<strong>for</strong>mation about<br />

CDM, please use #CDM and @<strong>Cyber</strong><strong>Defense</strong>Mag and<br />

@Miliefsky – it helps spread the word about our free resources<br />

even more quickly<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 4<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.



Published monthly by the team at <strong>Cyber</strong> <strong>Defense</strong> Media Group and<br />

distributed electronically via opt-in Email, HTML, PDF and Online<br />

Flipbook <strong>for</strong>mats.<br />

InfoSec Knowledge is Power. We will<br />

always strive to provide the latest, most<br />

up to date FREE InfoSec in<strong>for</strong>mation.<br />

Congratulations to our Outgoing<br />

International Editor-in-Chief<br />

For nearly all of the 10-year history of <strong>Cyber</strong> <strong>Defense</strong> Magazine, we<br />

have been very blessed and incredibly <strong>for</strong>tunate to count on the<br />

active participation and support of Pierluigi Paganini, in his capacity<br />

as our International Editor-in-Chief. While it is our loss, we<br />

celebrate Pierluigi’s career move, though he will no longer be<br />

available to serve <strong>Cyber</strong> <strong>Defense</strong> Magazine and our readers in that<br />

capacity.<br />

At the same time, we are pleased to assure our readers that we will<br />

continue to seek and publish relevant articles on cybersecurity<br />

developments in the international arena, as we continue to expand<br />

into new markets, globally.<br />

Pierluigi is a globally recognized cybersecurity leader and with<br />

bittersweet goodbye, working with him has always been<br />

amazing. He’s always on top of the latest cybersecurity news,<br />

trends and activities.<br />

On behalf of the entire team at <strong>Cyber</strong> <strong>Defense</strong> Media Group, please<br />

keep in touch and know that we will always consider CDMG your<br />

home,<br />

Yan Ross, Editor-in-Chief<br />

Gary S. Miliefsky, Publisher<br />


Pierluigi Paganini, CEH<br />

Pierluigi.paganini@cyberdefensemagazine.com<br />


Yan Ross, JD<br />

Yan.Ross@cyberdefensemediagroup.com<br />


Marketing Team<br />

marketing@cyberdefensemagazine.com<br />


<strong>Cyber</strong> <strong>Defense</strong> Magazine<br />

Toll Free: 1-833-844-9468<br />

International: +1-603-280-4451<br />

http://www.cyberdefensemagazine.com<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine, a division of<br />


1717 Pennsylvania Avenue NW, Suite 1025<br />

Washington, D.C. 20006 USA<br />

EIN: 454-18-8465, DUNS# 078358935.<br />

All rights reserved worldwide.<br />


Gary S. Miliefsky, CISSP®<br />

Learn more about our founder & publisher at:<br />

http://www.cyberdefensemagazine.com/about-our-founder/<br />


Providing free in<strong>for</strong>mation, best practices, tips, and techniques<br />

on cybersecurity since 2012, <strong>Cyber</strong> <strong>Defense</strong> magazine is your<br />

go-to-source <strong>for</strong> In<strong>for</strong>mation Security. We’re a proud division<br />

of <strong>Cyber</strong> <strong>Defense</strong> Media Group:<br />





<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 5<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Welcome to CDM’s <strong>February</strong> <strong>2022</strong> Issue<br />

From the Editor-in-Chief<br />

As the <strong>Cyber</strong> <strong>Defense</strong> Magazine team members take a look back at the first 10 years of the publication,<br />

we also look <strong>for</strong>ward to developments expected in the future.<br />

This month we are pleased to feature an article from the Institute of Consumer Financial Education (ICFE)<br />

which provides a longer-term perspective, including the transition from identity theft as a distinct<br />

phenomenon to an integrated set of threats and responses involving many aspects of privacy and<br />

cybersecurity.<br />

We note the importance we place on perspectives and high-altitude ways to analyze and understand the<br />

interaction among technical professionals and organizations from very different parts of our society and<br />

economy.<br />

As a brief glance through the Table of Contents of this month’s issue will demonstrate, this is another<br />

way <strong>Cyber</strong> <strong>Defense</strong> Magazine keeps our readers current on emerging trends and solutions in the world<br />

of cybersecurity. That continues to be our guiding star in proceeding on this journey with our readers.<br />

Wishing you all success in your cybersecurity endeavors,<br />

Yan Ross<br />

US Editor-in-Chief<br />

<strong>Cyber</strong> <strong>Defense</strong> Magazine<br />

About the US Editor-in-Chief<br />

Yan Ross, J.D., is a <strong>Cyber</strong>security Journalist & U.S. Editor-in-Chief of <strong>Cyber</strong><br />

<strong>Defense</strong> Magazine. He is an accredited author and educator and has<br />

provided editorial services <strong>for</strong> award-winning best-selling books on a variety<br />

of topics. He also serves as ICFE's Director of Special Projects, and the author<br />

of the Certified Identity Theft Risk Management Specialist ® XV CITRMS®<br />

course. As an accredited educator <strong>for</strong> over 20 years, Yan addresses risk management in the areas of identity theft,<br />

privacy, and cyber security <strong>for</strong> consumers and organizations holding sensitive personal in<strong>for</strong>mation. You can reach<br />

him by e-mail at yan.ross@cyberdefensemediagroup.com<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 6<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 7<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 8<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 9<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 10<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 11<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 12<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 13<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 14<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 15<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 16<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

How Criminals Have Migrated Through Identity Theft and<br />

Privacy into <strong>Cyber</strong> Attacks<br />

By P. William Zivanchev, Executive Director, Institute of Consumer Financial Education<br />

Introduction<br />

At first glance, readers may wonder why an article on identity theft appears in <strong>Cyber</strong> <strong>Defense</strong> Magazine,<br />

and why it comes from the Institute of Consumer Financial Education (ICFE). To understand today’s<br />

cyber criminal trends, it’s necessary to delve into the history of the phenomenon.<br />

For nearly 20 years, the ICFE has provided the premier identity theft risk management course <strong>for</strong><br />

professionals working with consumers and businesses. ICFE is the certifying and publishing authority<br />

<strong>for</strong> the nationally recognized Certified Identity Theft Risk Management - CITRMS® course, a credential<br />

which has been earned by thousands of professional advisers and case workers.<br />

During that period, we have seen many changes in the threat landscape, but also many continuing trends<br />

in the ways in which cyber criminals operate and the ways in which defenders, both public and private,<br />

have responded.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 17<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Three Types of <strong>Cyber</strong> Criminals<br />

Functionally, there continue to be three principal types of cyber criminals – and they are consistent with<br />

the three types of identity thieves:<br />

• Money-motivated criminals, who commit identity theft, privacy infractions, and cyber crimes <strong>for</strong><br />

the financial payoff<br />

• State-sponsored and terrorist attackers, who desire to perpetrate disruptive effects on critical<br />

infrastructure systems and other vulnerable databases<br />

• Thrill-seekers, who find satisfaction in being able to interfere with the smooth operations and<br />

lives of individuals and organizations holding protected in<strong>for</strong>mation, such as personally<br />

identifiable in<strong>for</strong>mation (PII).<br />

High Tech versus High Touch<br />

Over the years, the main changes have been in the tools and methods the cyber criminals utilize to<br />

perpetrate their exploits. Mirroring these developments, the responses have tended to concentrate on<br />

exploit-by-exploit methods, rather than more generalized criminal actions.<br />

One interesting constant has been the phenomenon of social engineering, otherwise known as<br />

manipulation of the target in order to gain access to sensitive in<strong>for</strong>mation to which the criminal is not<br />

authorized – and then to use that in<strong>for</strong>mation to perpetrate identity fraud (unlawful use of the personal<br />

in<strong>for</strong>mation accessed by identity theft).<br />

Phone Scams to Email and Text Scams<br />

For about the same time period as the ICFE has been engaged in the CITRMS® program, the Federal<br />

Trade Commission has been responsible <strong>for</strong> the administration of the “Do Not Call” list. It’s no<br />

coincidence that one of the principal means used by identity thieves is the spam call, in which the<br />

perpetrator pretends to be a family member or trusted organization seeking to extract sensitive<br />

in<strong>for</strong>mation from the target individual or company.<br />

Many of the reported cases of identity theft begin with the call to the phone number of the target, using<br />

manipulative scripts to produce urgency and the desire to help in a critical situation – but resulting in the<br />

undue sharing of sensitive in<strong>for</strong>mation.<br />

As the internet has augmented, or even replaced, conventional phone conversations, social engineering<br />

has leaped from spam calls to spam emails. These provocations typically involve some unrealistic offer<br />

or urgent message seemingly from a known party (but actually from the cyber criminal).<br />

And, of course, the proliferation of social media plat<strong>for</strong>ms and usage expands these types of provocative<br />

communication into text messaging (often referred to as “smishing” in the vernacular).<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 18<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Quite often the perpetrator claims to be calling or emailing from a government agency with urgent need<br />

to get in<strong>for</strong>mation to maintain the target’s benefits or tax status; of course, Social Security and the Internal<br />

Revenue Service are the agencies most often cloned by the criminals.<br />

Also common is the hyperlink which appears to come from a legitimate source, often a company where<br />

the target already has an account, but directed to a bogus website where the target’s username and<br />

password are collected by the criminals; this in<strong>for</strong>mation is then used to hijack the target’s real accounts.<br />

Privacy<br />

As identity theft threats have developed, an important aspect of the legal and regulatory response has<br />

arisen out of privacy concerns and consumer rights. This response started with the adoption of privacy<br />

laws by States and has become a focal point <strong>for</strong> federal action.<br />

In addition to setting standards and requirements <strong>for</strong> holders of protected sensitive in<strong>for</strong>mation, broader<br />

provisions have been created, such as disclosure and notification standards and even private rights of<br />

action. Under private rights of action, affected parties whose sensitive in<strong>for</strong>mation has been<br />

compromised due to failure on the part of the holders, can sue <strong>for</strong> damages directly rather than waiting<br />

<strong>for</strong> government fines or punitive actions.<br />

It’s easy to see how any failures in cybersecurity practices resulting in data breaches involving protect<br />

personal in<strong>for</strong>mation can trigger the provisions and penalties of privacy laws and regulations.<br />

As a result, privacy initiatives have become a major driver with immediate effect on cyber practices. It’s<br />

worth noting that even compliance with privacy laws may not provide a complete shield against liability<br />

in the event of a breach.<br />

In the view of the ICFE, in identity theft risk management, substantial coverage of privacy issues is a<br />

necessity, especially as they affect vulnerable demographics, such as seniors, children, and veterans.<br />

ICFE is pleased to report that this emphasis on privacy issues has resulted in the acceptance <strong>for</strong> CE<br />

credit by the leading organization in the field, the International Association of Privacy Professionals.<br />

Enter <strong>Cyber</strong> Attacks and <strong>Cyber</strong>security<br />

By the time of the most recent update to the CITRMS® XV course, cybersecurity had developed to the<br />

point that the ICFE included a whole section on the topic. We were <strong>for</strong>tunate enough to count on Gary<br />

Miliefsky, Publisher of <strong>Cyber</strong> <strong>Defense</strong> Magazine, to provide that content <strong>for</strong> the course.<br />

At this juncture, ICFE is undertaking to launch an update and expansion of the CITRMS® course.<br />

This will include an enhanced section on <strong>Cyber</strong>security, developments in the attack vectors, public and<br />

private responses, and the implications <strong>for</strong> consumers, businesses, and organizations with the<br />

responsibility of maintaining the confidentiality, integrity, and accessibility of sensitive in<strong>for</strong>mation.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 19<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Defensive Measures<br />

In response to the continuation of new means used by criminals to gain access to protected<br />

in<strong>for</strong>mation, both high-tech and granular methods of foiling such attacks have tended to focus on both<br />

resilience and sustainability.<br />

Of course, it’s important to prevent a cyber exploit in the first place. But it’s equally important to<br />

be able to recover in both the short term (resilience) and in the long term (sustainability).<br />

Organizationally, this generally translates to maintaining systems with such actions as software<br />

updates, education and training <strong>for</strong> all employees with access to the systems, and procedures to be<br />

followed diligently. A good example is the set of “Red Flag Rules” from the Federal Trade Commission<br />

to Identify, Detect, Protect and Mitigate, and Update (<strong>for</strong> the future).<br />

See:<br />

https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-howguide-business<br />

Also on the organizational level, but a with more granular focus, a fundamental requirement is initial and<br />

ongoing programs to train personnel to avoid falling into traps such as “clicking” on attachments from<br />

unknown or untrusted sources.<br />

Insider threats<br />

Personnel training addresses one aspect of insider threats, but there are several others which have<br />

resulted in the creation of an entire discipline of recognizing, identifying and responding to insider threats.<br />

They are divided into several categories, based on the individuals and their access to sensitive<br />

in<strong>for</strong>mation.<br />

• Knowing v. Unwitting Vulnerabilities<br />

The insider threat is typically an employee or other individual (such as a volunteer in non-profit<br />

organizations) with access to records and files with personal sensitive in<strong>for</strong>mation. A breach, or<br />

access by unauthorized parties, often occurs due to action or inaction by such an individual. The<br />

unwitting breach occurs when the person with access is manipulated into sharing a password,<br />

allowing physical viewing of sensitive in<strong>for</strong>mation, or otherwise permits the breach. The “knowing”<br />

individual is aware of the unauthorized access and may be under threat or financial incentive to allow<br />

it to happen.<br />

• Bribery/Blackmail/Disgruntled Employee<br />

In the case of the “knowing” insider allowing a breach, there may be any of several reasons. Most<br />

commonly, the knowing party has been bribed, or threatened with some adverse action, of may be a<br />

disgruntled current or prior employee, depending on the circumstances.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 20<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

• Identity Access Management (IAM)<br />

Whether the vulnerability occurs under any of the above circumstances, an active Identity Access<br />

Management program is a necessity. With an IAM in place, authorization <strong>for</strong> access can be restricted,<br />

which in turn makes it more difficult <strong>for</strong> the criminal to gain access to sensitive in<strong>for</strong>mation.<br />

Changes in levels of access should be imposed when a new employee comes on board, changes<br />

positions or responsibilities, leaves the organization, and in any case, on a periodic basis (just like<br />

periodically requiring updating passwords).<br />

Ransomware & Malware<br />

Ransomware and other malware are on the rise nearly everywhere accessible throughout the internet.<br />

The trend is away from simple data breaches and toward ransomware attacks. Malware in general is<br />

software which invades the systems of the target organization and either prevents them from operating<br />

as they are intended or gives access and control to the criminals. Ransomware is a more specialized<br />

attack where the cybercriminal demands payment <strong>for</strong> the data it has accessed and holds hostage to<br />

encryption or public disclosure.<br />

On a financial return basis, this makes sense. Under earlier data breach exploits, the criminals simply<br />

gained access to the personal in<strong>for</strong>mation in the data bank of the target organization, then sold that<br />

in<strong>for</strong>mation (usually on the Dark Web) based on the value of the data (financial, medical, etc.).<br />

Typically, the sale would take the <strong>for</strong>m of an auction, in which various (known and unknown) parties<br />

would bid and make the purchase. That process is fraught with vulnerabilities, such as the means of<br />

payment and the trustworthiness of both parties to the transaction.<br />

In a ransomware attack, there’s just one motivated “buyer” <strong>for</strong> the safe return of the data held hostage<br />

by the criminal. The stakes are high, due to the way the ransomware operates.<br />

The cyber attacker gets 2 bites at the apple: deny access to the target organization; and threaten to make<br />

public the ransomed data. Either or both of these threats compromises the ability of target to continue<br />

as a going concern.<br />

How does this work in practice? Once the ransomware attack is in place, the attacker has full access to<br />

the underlying data and files. The next step is to notify the target organization that it no longer has access<br />

to its own in<strong>for</strong>mation. Usually, the notification discloses that the data has been encrypted, and only by<br />

paying the ransom can the target get access again.<br />

Now there is an important trust issue: can the criminal be trusted to provide the decryption key or other<br />

means of returning access to the rightful owner? There is no reliable in<strong>for</strong>mation or statistic on this<br />

question, due to the secrecy involved in the ransom process, as might be expected. Even payment of<br />

the demanded ransom cannot assure the safe return of the hijacked data.<br />

If it turns out that the target organization has viable back-up files of the breached data, the attacker can<br />

fall back to the secondary position of demanding payment to refrain from making all the sensitive<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 21<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

in<strong>for</strong>mation public. If course, such disclosure would undermine the trusted relationship between the<br />

target organization and its customers and clients. That’s why it continues as a threat to the survival of<br />

the breached organization.<br />

How difficult is it <strong>for</strong> criminals to get ransomware? Un<strong>for</strong>tunately, fairly easy. The software itself can be<br />

purchased outright or even used through “Ransomware as a Service” facilities available on the internet.<br />

As a result, the ease of use and financial advantages of ransomware have become widespread among<br />

cyber criminals, and there is no indication of any diminution of this trend.<br />

<strong>Cyber</strong> Insurance<br />

The classic description of “risk management” is making an in<strong>for</strong>med decision on which risks to retain and<br />

which ones to lay off on someone else (usually in the <strong>for</strong>m of buying insurance to cover specified risks).<br />

As might be expected, the perceived need <strong>for</strong> insurance against adverse cyber events has been met by<br />

a broad array of offerings by major insurance carriers. Some are added on to integrated packages <strong>for</strong><br />

errors & omissions, director & officer, and business continuity coverage. Some are stand-alone<br />

specialized policies.<br />

There appears to be no standardized underwriting process among the dozens of insurance carriers<br />

offering some <strong>for</strong>m of cyber insurance. As a result, it is difficult <strong>for</strong> potential insured parties to make<br />

“apples to apples” comparisons of coverage limits, exclusions, deductibles, premiums, and other terms.<br />

Further, as the carriers gain more experience with claims and payments, it appears that the market will<br />

continue to be in flux <strong>for</strong> the <strong>for</strong>eseeable future. One thing is certain: the carriers must conduct their<br />

business in a profitable manner. So ultimately, the rewards (in the <strong>for</strong>m of premiums) must outweigh the<br />

risks (in the <strong>for</strong>m of claims payments).<br />

When the Risk becomes a Reality<br />

We come full circle in this discussion, as the educational mission of ICFE is brought to bear on these<br />

challenges.<br />

With the pending update of the ICFE’s Certified Identity Theft Risk Management - CITRMS® course,<br />

integration of all of these trends will include adding the expanded Restoration/Remediation section.<br />

The entire realm of Identity Theft Risk Management and its implications <strong>for</strong> Privacy and <strong>Cyber</strong>security<br />

developments continues to be a challenging, but very worthwhile, arena <strong>for</strong> the ICFE to make its<br />

contribution to organizations, professionals, and consumers at large.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 22<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

About The Author<br />

Active with the ICFE since 1987, Mr. Zivanchev worked<br />

alongside of Paul Richard, the then president of the ICFE as<br />

the graphic and publication designer <strong>for</strong> the ICFE. In 2000,<br />

Mr. Zivanchev was appointed the office of Vice President<br />

and Secretary to the ICFE Board of Directors and titled the<br />

Director of In<strong>for</strong>mation Technology. The ICFE hit the<br />

internet with its online presence in 2000, with its offerings to<br />

consumers and organizations in ICFE Certification Courses,<br />

Identity Theft Risk Management and Credit Report<br />

Reviewing taking the lead.<br />

Mr. Zivanchev, stepped in as the Executive Director <strong>for</strong> the<br />

ICFE with the passing of Mr. Richard, 2020. It is Mr.<br />

Zivanchev’s goal to take the ICFE to the next step in its<br />

evolution in the digital age.<br />

ICFE company website https://icfe.org/<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 23<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

The Top 5 Cloud Security Predictions <strong>for</strong> <strong>2022</strong><br />

New threats, new apps, new players – but data plays the biggest role in shaping the future.<br />

By Amit Shaked, CEO, Laminar<br />

2021 Attacks Set New Records<br />

Looking back, 2021 had its fair share of cybersecurity incidents. Take <strong>for</strong> example the Colonial Pipeline<br />

breach, where the U.S. fuel supply was at risk of coming to a grinding halt. A ransom of $2.3 million in<br />

Bitcoin was paid to avoid catastrophe and continue business operations.<br />

You can likely expect a continued rise in attacks and new methods of targeting in <strong>2022</strong>. However, the<br />

one element to the advancement of security measures making a huge difference next year is data —<br />

cloud data.<br />

According to Techjury, on average, every human created at least 1.7 MB of data per second in 2020. Per<br />

second, think about that. Data is the critical element in every environment and having a plan to safeguard<br />

yours is paramount. The democratization of data means putting it in the hands of more users and data<br />

scientists who can quickly create customer value. What better place to do this than the cloud? However<br />

as developers now have extreme flexibility and power to do what they want in the cloud, data protection<br />

teams have fallen behind.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 24<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Given the rise in cyber-attacks, the ubiquity of cloud computing, and the ever-increasing production of<br />

data, here are our top five cloud security predictions <strong>for</strong> <strong>2022</strong>.<br />

The Top 5 Cloud Security Predictions<br />

1- Increased Investment will Lead to Better Cloud Security<br />

Each and every year we see increased investments in cloud security.<br />

According to Gartner, cloud security is the fastest growing security segment, projected to increase 41.2%<br />

between 2020 and 2021, reaching nearly $1 billion.<br />

What does all of this mean? Better cloud security.<br />

Data protection is the highest priority <strong>for</strong> many organizations, especially since much of the data lives in<br />

the cloud. Consumers and businesses expect protection, and they will weigh in with their dollars. It’s<br />

essential <strong>for</strong> organizations to continue to invest in data protection in order to reach a better outcome.<br />

2 - Cloud Data Protection Will Make Strides to Keep up With Data Democratization<br />

Every organization, no matter how big or small, is changing the way they operate through digital<br />

technology. The majority of these changes involve moving processes and data to the cloud and making<br />

data accessible to everyone in the organization. This is data democratization.<br />

<strong>2022</strong> will see cloud data protection begin to keep pace with data democratization.<br />

Data is the new currency. It’s the critical factor in making in<strong>for</strong>med business decisions and delivering<br />

personalized experiences that consumers are not only anticipating but expecting.<br />

Protecting and monitoring your data is crucial to survival, but in order to have proper defenses,<br />

organizations must have a baseline understanding of their data.<br />

IT leaders should know the answers to five very important questions:<br />

1. Where is my data?<br />

2. Who has access?<br />

3. What’s the security posture?<br />

4. Who owns the data?<br />

5. Where is my data going?<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 25<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

One sensitive breach can bring a company to its knees. So as more investments are made in the digital<br />

trans<strong>for</strong>mation, more investments are needed in data protection.<br />

3- Cloud-Native Security Tools Will Become Mainstream<br />

As more data is moved to the cloud, more workloads, processes and solutions are being natively built<br />

and run there.<br />

Cloud-native applications are run and hosted in the cloud, and are designed to capitalize on the inherent<br />

characteristics of a cloud computing software delivery model.<br />

Security solutions built <strong>for</strong> the cloud, in the cloud, aren’t totally mainstream yet, but are growing much<br />

faster than their legacy counterparts. In <strong>2022</strong>, we’ll see many more of them arise and mature.<br />

4 - Security Teams Will Move from Gatekeepers to Enablers<br />

It’s the responsibility of the security team to ensure every process follows strict security protocols, so<br />

historically, they are viewed as a barrier to progress. <strong>2022</strong> is going to see a change in that pattern, as<br />

security teams move from being the gatekeepers to the enablers.<br />

Why is this? Because more applications are being built in the cloud, as opposed to on-premises.<br />

Cloud application developers don’t have as many restrictions, and don't have to wait on multiple<br />

stakeholders to move to the next phase. At the same time, security teams are deploying cloud-native<br />

solutions that continuously monitor and en<strong>for</strong>ce policies, enabling a “trust but verify” stance. This way,<br />

developers are not hindered and security teams can move at the speed of the cloud.<br />

So to continue digital trans<strong>for</strong>mation yet stay secure, the once-restricting gatekeepers will harness the<br />

power of cloud development and become the enablers.<br />

5 - Best of Breed Tools Will Continue to Emerge, not Consolidate…Yet<br />

According to The <strong>Cyber</strong> Research Databank, there are more than 3,500 cybersecurity vendors in the<br />

market.<br />

If you’re a security leader, you’re probably bombarded with offers <strong>for</strong> the next best solution. You may<br />

wish there was one tool that served as a one-stop-shop <strong>for</strong> all of the features and capabilities you need,<br />

but we're not quite there yet.<br />

Consolidation is happening, but we think vendor proliferation will continue in <strong>2022</strong>.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 26<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Why is that?<br />

Let’s take COVID-19 as an example. Think of the virus as a new breach. When that breach hit, people<br />

scrambled to build the defenses to battle it. You developed a vaccine and are feeling good, but then the<br />

Delta variant pops up, and you scramble again. Hoping to quell that variant, suddenly Omicron arises.<br />

On it goes. How many variants will appear be<strong>for</strong>e we feel we’ve addressed every threat? There is no way<br />

to tell, so you keep building defenses to stay safe.<br />

The security world is similar. Each year we see new threats arise and we build the tools to combat them.<br />

Be<strong>for</strong>e these breaches slow down, there will continue to be a proliferation of new tools in the market.<br />

The Year that Data Matters More<br />

Data truly is the key element <strong>for</strong> business survival and, as a result, it’s also the element you need to<br />

protect the most. It is the new business currency and something everyone benefits from when harnessed<br />

securely.<br />

In this cloud-first world, where digital trans<strong>for</strong>mation is happening fast and complexity is high, traditional<br />

methods are falling away. The ability to discover, classify, and categorize all the data within your public<br />

cloud environment is a necessity to stay safe and nimble.<br />

About the Author<br />

Amit Shaked, CEO, Laminar. He is also the Founder of<br />

Laminar which started in 2020.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 27<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong>criminals Hunt For Medical Data. Zero Trust As The<br />

Only Good Option To Keep The Healthcare System Secure<br />

By Tomasz Kowalski, CEO, Secfense<br />

According to a Trustwave report, medical data may cost up to $250 per record on the black market, while<br />

stolen payment card data is sold <strong>for</strong> $5.40. That is why the healthcare institutions are becoming the main<br />

vector of cybercriminals attacks. How to defend against them? The right approach is to protect the space<br />

where usually attacks come the most often so the accounts of all employees of clinics or hospitals.<br />

Zero trust security is a cybersecurity concept that implies a total lack of trust in users, systems, or services<br />

within the network. What does this mean and how does it relate to the safety of the healthcare industry?<br />

Zero trust relies on 100% certainty that the right person is on the other side of the computer, and not a<br />

thief who wants to take over your sensitive data.<br />

Medical data worth its weight in gold!<br />

Medical data is extremely attractive to cybercriminals. Mainly because intruders know very well how to<br />

cash them. Theft of medical data can threaten the reputation of individuals or institutions and cause<br />

enormous damage. That is why all healthcare facilities must remodel their approach to IT security as<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 28<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

soon as possible and base it on strict user authorization, restriction of permissions and limiting access to<br />

medical resources in accordance with the principle: never trust, always verify.<br />

One of the latest media attacks against a medical institution was an attempt by intruders to get into the<br />

computers of AstraZeneca employees (including those who worked on the Covid-19 vaccine).<br />

North Korean cybercriminals used phishing and social engineering claiming to be recruiters. According<br />

to the Wall Street Journal the attackers also tried to steal vaccine in<strong>for</strong>mation from Johnson & Johnson<br />

and Novovax, as well as from three South Korean drug makers.<br />

2-Step Verification<br />

The credential theft - employees' passwords and logins - is one of the most common causes of attacks<br />

on medical institutions today.<br />

<strong>Cyber</strong>criminals usually send an e-mail designed to trick the person into thinking that the message comes<br />

from a legitimate source and then obtain credentials. Bad actors also often use WhatsApp or LinkedIn<br />

messengers, as happened in the case of the attack on AstraZeneca.<br />

Why is this happening? The healthcare industry is one of the worst when it comes to data security<br />

knowledge. Data from the Wombat Security’s learning management system shows that 23% of best<br />

practice questions are answered wrong on average by medical personnel. Fraudsters know that very<br />

well. The difficult period associated with the pandemic only makes it easier <strong>for</strong> them to get access to<br />

extremely valuable in<strong>for</strong>mation, <strong>for</strong> which, <strong>for</strong> example, they can receive a large ransom (ransomware<br />

attacks).<br />

User access security broker is an approach to cybersecurity consistent with the zero trust security<br />

approach. It triggers MFA during a login session on any hospital or clinic web application - regardless of<br />

whether the person logging in is currently at the facility or works remotely. Be<strong>for</strong>e the employee enters<br />

the application or system, he must enter, <strong>for</strong> example, a one-time code or verify his identity through face<br />

biometrics or a fingerprint.<br />

What’s important is that the integration of MFA takes place without changing the protected application’s<br />

code. This basically means that the security broker can add multi-factor authentication on the accounts<br />

of all employees in any number of applications without any subsequent support <strong>for</strong> IT specialists, who<br />

are constantly lacking in the medical sector. It also allows <strong>for</strong> convenient scaling - simple and quick adding<br />

of users and protected resources, regardless of their number and complexity. Moreover, organizations<br />

do not have to share any of their in<strong>for</strong>mation with third parties - strong authentication can be easily applied<br />

to the current infrastructure without long and tedious programming. This is important in the case of<br />

dynamically developing private hospitals and medical clinics.<br />

<strong>Cyber</strong>criminals use the pandemic very efficiently and target the weak points of the healthcare system.<br />

There<strong>for</strong>e, medical facilities must ultimately do a very difficult task and protect not only selected, but in<br />

reality all applications used by their employees on a daily basis. This could mean using advanced<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 29<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

analytics to track identities on their network, multi-factor authentication, and en<strong>for</strong>cing "least privilege<br />

policies" <strong>for</strong> specific accounts.<br />

One thing to remember - flexibility, scalability and speed of response in the case of precise and<br />

increasingly sophisticated attacks will be a key factor influencing the final result. Well-thought-out choices<br />

in this context really pay off. The costs of healthcare attacks are growing exponentially as prolonged<br />

system downtime not only hampers but often paralyzes medical care <strong>for</strong> patients.<br />

About the Author<br />

Tomasz Kowalski is a CEO and co-founder of Secfense. He has<br />

nearly 20 years of experience in the sale of IT technology. He was<br />

involved in hundreds of hardware and software implementations in<br />

large and medium-sized companies from the finance<br />

telecommunication, industry and military sectors. Tomasz can be<br />

reached online at (tomek@secfense.com, Tomasz Kowalski |<br />

LinkedIn) and at our company website https://secfense.com/<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 30<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

How Do I Reliably Identify You If I Cannot See You?<br />

eKnow Your Customer Requirements Driving Change<br />

By John Callahan, CTO, VeridiumID<br />

KYC – Know Your Customer is a process used around the globe <strong>for</strong> many years to validate the identity<br />

of a customer. Many of you will have already experienced KYC, if you have ever opened a bank account,<br />

bought a property or even obtained a SIM card <strong>for</strong> your mobile phone. You will have been asked by the<br />

bank/solicitor/mobile operator <strong>for</strong> proof of identity.<br />

Organisations have typically required you to present passport/driving license or ID card, perhaps with a<br />

recent utility bill <strong>for</strong> proof of address be<strong>for</strong>e providing you services.<br />

Why do they do this?<br />

It may seem fairly obvious <strong>for</strong> certain use cases, particularly <strong>for</strong> banking or where financial transactions<br />

occur. Fraud is a significant challenge in Financial Services, fraud always increases during economic<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 31<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

downturns and it would appear during global pandemics according to a recent study by the World Bank.<br />

Fraud presents itself in many different <strong>for</strong>mats, from false account setup, unauthorised account access<br />

and money laundering. While the criminal fraternity, may look to line their own pockets, there is a more<br />

extreme side, which funds drugs cartels or finances terror organisations.<br />

After the financial crisis of 2008, financial organisations became heavily regulated and KYC was<br />

introduced as a regulatory requirement after a series of major fraud, money laundering and tax evasion<br />

cases. However, even in the last decade global financial services have been exposed by a number of<br />

money laundering scandals which have resulted in over $36 billion in fines.<br />

Heavy regulation ultimately creates more friction, especially <strong>for</strong> the consumer. 1 in 5 banks onboarding<br />

times have doubled, from 4 to 8 weeks and expect this time to increase even further. This challenge has<br />

been typically addressed head on by throwing money and head count at the very manual and legacy<br />

process <strong>for</strong> KYC. However, COVID has <strong>for</strong>ced a new way of thinking.<br />

eKYC/mKYC – (Electronic/Mobile) requirements have driven trans<strong>for</strong>mational change in organisations,<br />

who can no longer expect customers to visit branch offices and present themselves in person <strong>for</strong> manual<br />

KYC. Additionally, using computer vision and artificial intelligence has removed the subjective human<br />

error prone process of matching a person to a photograph, providing higher levels of assurance, that an<br />

individual is who they claim to be.<br />

But what options are available <strong>for</strong> eKYC? Actually, there are a number of options available to<br />

organisations to securely and remotely per<strong>for</strong>m Identity Verification. Let’s explore a couple of them.<br />

Firstly, it is now possible to take the tried and tested identity document, such as passport, driving license<br />

or identity card and remotely scan that document into a mobile application, this can be done by simply<br />

capturing the document with the mobile camera or <strong>for</strong> a more reliable and per<strong>for</strong>mant solution, leveraging<br />

the document RFID chip to extract in<strong>for</strong>mation via NFC to the smartphone. While not everybody has the<br />

latest phones capable of using NFC and not every government documentation that has a RFID chip to<br />

extract in<strong>for</strong>mation from, it’s encouraging to know there is always a fall-back option of simply taking a<br />

picture of the document.<br />

We then simply use the same application to take a selfie and the application attempts to match the selfie<br />

with the face image extracted from the documentation. In the background there is a validation check of<br />

the document itself, is it a genuine document, has it been reported lost or stolen? All of these factors<br />

combined, allow organisations to deliver a remote and secure on-boarding capability, which also provides<br />

a frictionless user experience <strong>for</strong> customers. It accelerates the KYC process and reduces costs at the<br />

same time.<br />

All good? Well not quite, un<strong>for</strong>tunately Government documentation availability is not a certainty,<br />

additionally face matching from a 10-year-old photograph which has been captured using the mobile<br />

phone camera (as opposed to NFC) comes with its challenges in terms of per<strong>for</strong>mance and reliability.<br />

Additionally, cultural and religious requirements can present additional problems when the app asks to<br />

per<strong>for</strong>m a selfie <strong>for</strong> face verification, add in poor lighting conditions and a requirement <strong>for</strong> “liveness”<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 32<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

validation, what can be a very reliable and per<strong>for</strong>mant solution takes a per<strong>for</strong>mance hit and can lead to<br />

a frustrating user experience.<br />

Since biometrics are clearly the preferred method <strong>for</strong> eKYC and where face recognition may present<br />

challenges and/or there is no documentation available with which to match the face against, there needs<br />

to be flexibility of biometric modalities to provide not only choice to the customer, but per<strong>for</strong>mance and<br />

security improvements to the organisation.<br />

Fingerprint recognition is the other obvious biometric modality that could be used <strong>for</strong> Identity verification.<br />

Fingerprints as well as face images are stored on many <strong>for</strong>ms of government documentation around the<br />

globe, however this doesn’t help where that documentation is not readily available. There is an alternative<br />

to Government documentation though and that is National Identity Databases.<br />

National Identity databases are scattered around the globe but are prominent in Latin America, Middle<br />

East / Africa as well as ASIA. These databases provide a trust anchor <strong>for</strong> the government who<br />

ask/mandate citizens to enrol themselves into the database in order to leverage Identity verification.<br />

Organisations who can reference these databases have a ready-made plat<strong>for</strong>m to query and using<br />

biometrics to validate individual identity with a simple capture of fingerprint or face (where available). The<br />

benefit here is, this is a centralised database, the risk of fraudulent documentation is eliminated, in<br />

addition the biometric “image” is clean, no holograms over passport pictures to affect face matching<br />

per<strong>for</strong>mance.<br />

Since fingerprint has no cultural, racial or religious bias and fingerprints are largely unaffected by the<br />

aging process, fingerprint recognition delivers a highly per<strong>for</strong>mant and secure biometric modality to verify<br />

Identity. Fingerprint also eliminates the “twins” issue associated with facial recognition, since every<br />

fingerprint in unique. The challenge now is how to capture the fingerprint remotely…..Any of us who have<br />

experienced US border control or watched a Mission Impossible film, will of seen the requirement to place<br />

your fingers/thumbs onto a hardware scanner of some description. Sadly, very few of us have these<br />

devices available to us at home and be<strong>for</strong>e you jump to the assumption that your phone has a fingerprint<br />

scanner built into it, sadly that particular sensor has no mechanism to capture a fingerprint image and<br />

send it outside the phone <strong>for</strong> matching.<br />

However, at Veridium we developed a mobile software solution that uses just a smartphone camera to<br />

capture fingerprint images, by simply taking a picture of your hand. This fingerprint image can be used in<br />

addition to, or as an alternative to face matching. It can be matched by National Identity Databases (and<br />

Security Services Databases) as well as matching against documentation where fingerprint images are<br />

stored on RFID chips. Since every smartphone has a camera and a torch, per<strong>for</strong>mance is assured in<br />

pitch black or bright blue sky conditions, coupled with in built liveness detection to deter against simple<br />

and complex presentation attacks.<br />

Now organisations can securely and reliably deliver eKYC/mKYC <strong>for</strong> their clients, deliver flexibile<br />

biometric modalities of face and fingerprint capture, leverage Government issued documentation or<br />

National Identity database and provide flexibility to ensure they are not caught out with racial, religious<br />

or cultural bias. Organisations can now reliably identify you without seeing you in person. Provide a<br />

frictionless onboarding experience to customers and help eliminate fraud, all at the fraction of the cost of<br />

traditional KYC processes.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 33<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

About the Author<br />

Dr. John Callahan is responsible <strong>for</strong> the development of the<br />

company’s world class enterprise-ready biometric solutions,<br />

leading a global team of software developers, computer vision<br />

scientists and sales engineers.<br />

He has previously served as the Associate Director <strong>for</strong><br />

In<strong>for</strong>mation Dominance at the U.S. Navy’s Office of Naval<br />

Research Global, London UK office, via an Intergovernmental<br />

Personnel Act assignment from the Johns Hopkins University<br />

Applied Physics Laboratory. John completed his PhD in<br />

Computer Science at the University of Maryland, College Park.<br />

John can be reached online at https://www.linkedin.com/in/john-callahan-430707/ and at<br />

https://www.veridiumid.com/<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 34<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

How To Improve Federal Endpoint Detection and<br />

Response Tactics and Gain Network Visibility<br />

By Matt Marsden, Vice President, Technical Account Management, Federal, Tanium<br />

Endpoint detection and response (EDR) was put on center-stage when the Office of Management and<br />

Budget (OMB) released a memo requiring that agencies must collaborate during the development and<br />

deployment of their EDR solutions.<br />

The OMB memo intends to create government-wide visibility through a centrally located EDR initiative,<br />

implemented by the <strong>Cyber</strong>security and Infrastructure Security Agency (CISA), to support host-level<br />

visibility, attribution, and response across federal in<strong>for</strong>mation systems.<br />

Within 90 days of the memo’s release, agencies are required to provide CISA with access to their current<br />

and future EDR tools, and CISA is to provide recommendations <strong>for</strong> accelerating EDR adoption. Within<br />

120 days, agencies must analyze their EDR solutions with CISA and identify any gaps.<br />

A recent report stated that since the shift to working-from-home, 79 percent of IT teams have seen an<br />

increase in breaches at the endpoint. There is a dire need <strong>for</strong> useful EDR solutions within the federal<br />

government, especially in the era of remote work, as they will improve “the ability to detect and respond<br />

to increasingly sophisticated threat activity on Federal networks.”<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 35<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

What is EDR?<br />

EDR is a capability that identifies and responds to cyber threats by combining real-time<br />

continuous monitoring of data and endpoint collection with rules-based automated response and analysis<br />

capabilities. EDR tools have gained a significant amount of popularity among IT security operations<br />

teams due to their ease of use and the understanding that endpoints can provide the richest data about<br />

intruders.<br />

EDR enables:<br />

‣ Automated, simple pattern detection of known bad-attack types, leading to triage and<br />

investigation of those alerts<br />

‣ Automated response in the sense that pre-determined actions can be configured from the<br />

detection rules<br />

‣ Centralization of endpoint log and telemetry data in the cloud <strong>for</strong> offline analysis<br />

While useful, EDR technology only locates certain types of activity, or “known bad” activity. Most<br />

EDR tools limit the activity they record to reduce bandwidth and storage. So, what happens when there<br />

is an “unknown bad” in a network? This vulnerability gap creates plenty of blind spots <strong>for</strong> attackers to<br />

enter, but it is possible to diminish those issues through other solutions.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 36<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

What should agencies look <strong>for</strong> in a solution?<br />

Skilled attackers are aware of the EDR capabilities and know how to get around them. If agencies pair a<br />

threat hunting solution with their EDR technologies, they will have a deeper, more<br />

comprehensive visibility over their endpoints.<br />

When looking <strong>for</strong> the right threat hunting plat<strong>for</strong>m, it is crucial that agencies keep certain criteria in mind –<br />

adaptability, scalability, and extensibility. It is also important to use a plat<strong>for</strong>m that is fully powered by<br />

accurate data and can respond to threats in seconds. Here are some elements to look <strong>for</strong> when choosing<br />

an EDR solution:<br />

‣ Continuous monitoring of endpoints. Legacy security solutions tend to employ a collection of<br />

incompatible point solutions tied together in a SIEM, resulting in a data set that is weeks old, and<br />

doesn’t include unmanaged, offline, or off-network endpoints. Instead, it is important to have<br />

a comprehensive plat<strong>for</strong>m to gather in-depth endpoint data, giving agencies the ability to collect<br />

accurate, real-time data in minutes, not months<br />

‣ Formatted, organized data. Many tools require you to export data from different sources,<br />

normalize output, then attempt to combine it all into one report. It is important <strong>for</strong> agencies to<br />

streamline this process through a solution that provides actionable data that is already in the<br />

correct <strong>for</strong>mat <strong>for</strong> use<br />

‣ Zero-trust architecture. Achieving a strong endpoint defense requires complete visibility into the<br />

entire operating environment. Agencies should look <strong>for</strong> a plat<strong>for</strong>m with a zero-trust architecture<br />

that continually monitors device health and checks whether it is patched, secure, compliant, and<br />

managed<br />

An endpoint security and management plat<strong>for</strong>m solution can dig deeper into the suspicious activity<br />

detected by EDR to understand the threat and protect any additional machines that may have been<br />

compromised. A single plat<strong>for</strong>m of this nature gathers in-depth endpoint data, giving agencies the ability<br />

to collect accurate, real-time data in minutes.<br />

The time to improve cyber is now, and everyone plays a part in this process. The federal government has<br />

set the precedent with this memo, and agencies understand the importance of the guidance. Agencies<br />

must implement a strong EDR solution and enhance their EDR capabilities to improve their security<br />

posture and response capability.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 37<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

About the Author<br />

Matt Marsden is the Vice President, Technical Account Management,<br />

Federal at Tanium. He is a career cyber professional with more than 24<br />

years of experience working with the Federal government. Matt began his<br />

federal service in the United States Navy supporting submarine operations<br />

afloat and transitioned to Civil Service where he supported the DoD and<br />

Intelligence Communities prior to joining Tanium. Matt can be reached online<br />

at LinkedIn and at our company website<br />

https://www.tanium.com/solutions/federal-government/<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 38<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Decision Trees in Case of a Ransomware Attack<br />

Does Your Organization Have a Procedure to Handle a Ransomware? Is It Worth Paying the<br />

Attackers?<br />

By Zsolt Baranya, In<strong>for</strong>mation Security Auditor, Black Cell Ltd.<br />

The number of ransomware attacks is growing from day to day, as mentioned many of the publications<br />

and reports. The ransomware kill chain, describes the phases of a ransomware attack, and each phases<br />

the security trams can implement some actions to mitigate the probability of occurrence. For example,<br />

the first phase of the ransomware kill chain is the campaign, where the security team can reduce the<br />

success of the campaign with awareness trainings. The second phase is the infection, where the security<br />

team can handle the situation with restricted file downloading methods and so on.<br />

But if the chain reaches the encryption phase, the preventive actions were not effective. In this case, only<br />

a few organizations have a playbook specified to handle the consequences of ransomware attacks. A<br />

decision tree had been created to help organizations where this type of playbook is missed.<br />

Consider actions <strong>for</strong> ransomware attack event<br />

Firstly, all the affected devices and systems that have been attacked have to be identified and must be<br />

disconnected from the network as soon as the detection occurred. This is the most important action<br />

be<strong>for</strong>e the incident handling starts!<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 39<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

1. Check that the encrypted data classified or not. In case of the classified data is mission critical,<br />

the incident handlers must know the recovery point objective (RPO) of the data to identify how<br />

much time the organization have from the business continuity perspective. (This may be related<br />

in the future to how much time the attacker gives to contact or pay.)<br />

2. The security event should be reported to the relevant CERT or CSIRT. The response teams<br />

maybe have some in<strong>for</strong>mation about the specific ransomware or the attacker that can help.<br />

3. Make sure that your organization have security backups of the affected data. If there is, check the<br />

backup restoration tests results, and if the restoration was successful there is no risk to the<br />

restore. Be<strong>for</strong>e you restore the data, you should check the system status. System could have<br />

backdoors in or other relevant risks. If the organization didn’t have such a test, or the test result<br />

was unsuccessful, you can consider that the restoration as a risk factor.<br />

4. If your organization doesn’t have a backup, you should check other alternatives to replace the<br />

data has been encrypted (<strong>for</strong> example: whether it exists on paper or may be available from<br />

another organization, etc.). If yes, consideration shall be given to recovering it within the time<br />

limits referred to in point 1. set up encrypted files with an alternative solution. If so, this may be<br />

the solution <strong>for</strong> incident management.<br />

5. If steps described in point 3. and 4. did not lead to results, you can search on the internet and<br />

open-source databases (<strong>for</strong> example: nomoreransom). There is a possibility you could find some<br />

in<strong>for</strong>mation related to the specific ransomware or system to find some recommendations to<br />

restore your files. Sometimes these sites publish the secret key pairs (decryption key) to decrypt<br />

the affected files.<br />

6. If your ef<strong>for</strong>ts unsuccessful after the 5 points, and the data counts as mission critical, you should<br />

consider paying the attackers.<br />

Pay or not to pay decision process<br />

1. The first thing to consider is whether it is worthwhile <strong>for</strong> the organization to get Bitcoin. If the last<br />

chance to give back the data is the paying, not necessarily have to spend time purchasing Bitcoin.<br />

2. If the affected data counts as mission critical, and the earlier actions were unsuccessful, it should<br />

be to check if we have files that is both encrypted and original available. If so, you can turn to<br />

expert organizations, but it is not guaranteed the success. If not, you can go to the next step.<br />

3. There are some cyber security firms, who are expertise of cyberattacks handling. If the<br />

organization has received the cyber security firms quote, and it’s more than the attacker’s<br />

demand, the head of the organization should consider that whichever is better, paying to the<br />

attackers or the experts. (In neither of these cases have 100% guarantee that the original of all<br />

encrypted files will be decrypted and returned to organization.)<br />

4. Attackers usually give a deadline <strong>for</strong> the payment of the dept. If the victim organization wants to<br />

use the professional services of a cyber security firm, must consider the deadline and the<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 40<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

expertise’s recommended returning time. There is a chance that an expert team needs more than<br />

24 or 72 hours (which commonly given by the attackers) <strong>for</strong> the restoration of the original files .<br />

5. If the encrypted files count as critical and the management decided to pay the attackers, it should<br />

be considered whether it is worthwhile to communicate to media about the ransomware attack, in<br />

the hope that attackers obtain in<strong>for</strong>mation about the incident coming to light. In this case, there is<br />

a chance <strong>for</strong> the organization to get help <strong>for</strong> a fee. It would be extremely bad ‘marketing’ <strong>for</strong> the<br />

attackers if the organization did not get the original.<br />

6. Another opportunity to mandate a negotiator to reduce the amount of the attackers. Sometimes it<br />

works, so the decision makers should consider this solution.<br />

These are very important issues to be decided to handle a situation after a ransomware attack. In any<br />

case, it is necessary to consider what damage a ransomware attack can cause. In comparison, incident<br />

management needs to be built and implemented <strong>for</strong> a price that an attack could cost.<br />

Pay <strong>for</strong> attackers is not recommended. In any case, this should be the last option to solve the incident.<br />

The present study is not intended to encourage paying to attackers. The study merely attempts to draw<br />

attention to the complexity of such an attack, and what all is worth considering be<strong>for</strong>e doing anything an<br />

organization does after a security incident is detected.<br />

About the Author<br />

Zsolt Baranya is an In<strong>for</strong>mation Security Auditor and head of compliance<br />

of the Black Cell Ltd. in Hungary. Formerly, he has filled in<strong>for</strong>mation<br />

security officer and data protection officer roles at a local governmental<br />

organization. He worked as a senior desk officer at National Directorate<br />

General <strong>for</strong> Disaster Management, Department <strong>for</strong> Critical Infrastructure<br />

Coordination, where he was responsible <strong>for</strong> the Hungarian critical<br />

infrastructure’s in<strong>for</strong>mation security compliancy. Zsolt can be reached<br />

online at zsolt.baranya@blackcell.io and at his company’s website<br />

https://blackcell.io/<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 41<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Mitigating Risk from Insider Threats in <strong>2022</strong><br />

By Isaac Kohen, Teramind<br />

Back in August 2020, a story of an insider threat caught headlines when the employee turned down a<br />

$1M bribe to put ransomware on Tesla’s servers at the Gigafactory outside of Reno.<br />

That story was exceptional both <strong>for</strong> the amount of the payoff and <strong>for</strong> the fact that it really is the exception<br />

to the rule.<br />

The far more common case is that a malicious actor will find someone inside who can help them to carry<br />

out their attacks, thus getting around whatever protections that the organization has put in place to defend<br />

itself from external threats.<br />

One area where we have seen this story repeat time and again is in the cellular service industry.<br />

Mobile Mischief is Afoot<br />

The mobile industry has found itself the target of malicious actors who have used insiders to worm their<br />

way in and effectively steal from the service providers. In September, a man named Muhammad Fahd<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 42<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

was sentenced to 12 years <strong>for</strong> paying employees at AT&T a $1M to help him unlock phones and then<br />

later implant malware on the company’s system that allowed him to do the dirty work himself.<br />

While you can buy an unlocked phone, AT&T and other companies offer lower prices <strong>for</strong> customers to<br />

sign on with their service as an incentive. They also have a revenue stream that is generated by unlocking<br />

phones <strong>for</strong> customers.<br />

According to reports, Fahd and his co-conspirators succeeded in unlocking some 1.9 million phones.<br />

This fraud was shown to cost AT&T $201M out of their pocket. So good ROI <strong>for</strong> Fahd’s bribes and a bad<br />

time <strong>for</strong> AT&T.<br />

The court documents note how the malware used by Fahd could be used <strong>for</strong> stealing credentials, helping<br />

him impersonate legitimate AT&T employees <strong>for</strong> use in his fraud. This allowed him to continue his<br />

operations even after the company made changes that would have blocked his illicit activities.<br />

From the looks of it, AT&T had done a pretty good job of protecting itself, limiting who was authorized to<br />

unlock devices to specific users and only under certain conditions. However, despite the protections, the<br />

criminals were able to exploit the human element and had the insiders knowingly compromise their<br />

employer.<br />

Defining the Insider Threat<br />

Insider threats are where someone inside your organization is the one doing the harm.<br />

The 2020 Verizon report indicates that insider threats are on the rise. Their statistics show that these<br />

types of threats are nearing 40%, pushing up nearly 20% in just five years. To be clear, external threats<br />

still outnumber the number of internal incidents by a wide margin. There is also an additional component<br />

that insiders are oftentimes not malicious but simply careless. However, despite the intention, the results<br />

are the same.<br />

Insider threats are a double risk in that anything that an insider can access, an attacker who has<br />

compromised a privileged user’s account can access too. In a world where user credentials are constantly<br />

being compromised in data leaks, hacks, and other sorts of mischief, the chances are more than<br />

reasonable that a legitimate user will have their credentials used by attackers. If they have a highly<br />

privileged account or there are paths <strong>for</strong> escalation, then the organization may be in <strong>for</strong> a bad day ahead.<br />

And it can always be worse as the details of the story unfold.<br />

Why Insider Attacks Can Be More Damaging to Victim Organizations<br />

All cases of a breach are bad news <strong>for</strong> an organization. The level of bad can vary depending on if they<br />

were negligent or the victim of elite state actor hackers.<br />

What nobody wants to hear is that your customer’s data was knowingly compromised by an employee.<br />

Such incidents can kill user trust and be hard to bounce back from.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 43<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Partners, investors, and of course customers, all want to know that they are working with trustworthy<br />

folks. Winning over customers in the first place is hard enough, just ask your marketing and sales teams.<br />

Especially in markets where the customers are asked to share access to their data and the core of their<br />

products, they need to feel that your organization is trustworthy and their data protected. Having your<br />

system breached by a hacker can be a hard knock to customer trust.<br />

Regaining their trust after the damage came from the inside is an even bigger uphill battle, so this really<br />

might be a case where an ounce of prevention can be worth a pound of cure.<br />

3 Tips <strong>for</strong> Mitigating Insider Threat Risks<br />

Risks from inside and out are always present, but there are steps that we can take to lower our potential<br />

<strong>for</strong> threats and mitigate damage when they do occur.<br />

1. Train Your Team to Identify Risky Situations<br />

Whenever attackers approach a prospective insider to get them to expose their organization, they offer<br />

serious rewards while downplaying the severity of what they are doing. In some cases, an insider may<br />

know that they are doing something wrong but will not understand the repercussions of their actions. If<br />

the person approaching them is a friend or family member, then they may be even more likely to go<br />

through with it.<br />

Talk to your employees to explain the risks that can emerge from them taking steps that can compromise<br />

the organization. Give them tools to spot red flags be<strong>for</strong>e they may unwittingly take part in something<br />

destructive.<br />

Finally, clarify what your policy is and let them know that you have protections in place.<br />

2. Use Solutions to Monitor User Actions<br />

Having the right tools in place to identify when a user is per<strong>for</strong>ming actions that may fall outside of their<br />

normal duties or another kind of anomaly, can help to stop them sooner.<br />

User and Entity Behavior Analytics can help to detect these threats, understanding what the baseline of<br />

normal behavior is and alerting when a user strays from their expected routine.<br />

3. Use MFA Whenever Possible<br />

As we have noted, credentials will be compromised. In those instances, multi-factor authentication can<br />

play a serious role keeping the attackers out because having your credentials are no longer enough.<br />

Many organizations use SMS as their MFA solution, but this is against best practices that call <strong>for</strong> using<br />

an app to generate the one-time-codes. For extra points, get a Yubikey <strong>for</strong> your most privileged users,<br />

adding that extra layer of security.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 44<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Verify But Trust<br />

Managing insider threats is a balancing act.<br />

We hire our people because we believe that they will be good workers who will look out <strong>for</strong> the<br />

organization’s best interests. Putting protections in place to help keep folks honest or catch an external<br />

threat actor are common sense and can help avoid some uncom<strong>for</strong>table situations.<br />

But at the end of the day we have to trust that we have the right people working with us, and it is up to<br />

us to make them feel that they are part of our team. Work with your team to have transparent<br />

conversations about the protections that you have in place so that everyone will be on the same page. In<br />

this case, honesty really is the best policy.<br />

Balancing the right mix of surveillance with trust is important <strong>for</strong> the long term success of the organization,<br />

if only because employees who feel that they are guilty until proven innocent simply will not stick around<br />

<strong>for</strong> long.<br />

About the Author<br />

Isaac Kohen is VP of R&D at Teramind, a leading global provider of<br />

employee monitoring, data loss prevention (“DLP”) and workplace<br />

productivity solutions. Follow on Twitter: @teramindco and LinkedIn.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 45<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Web Application Penetration Testing Checklist with<br />

OWASP Top 10<br />

We've gone ahead and compiled this article to shed some light on the top ten web application security<br />

risks according to OWASP and how you can use this as a guiding light while penetration testing.<br />

By Ankit Pahuja, Marketing Lead & Evangelist at Astra Security<br />

Image Source: Appknox.com<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 46<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

We now live in a world where the internet has altered our daily lives <strong>for</strong> good. Working and interacting<br />

with one another no longer requires the physical presence of both parties within the same room. The<br />

number of people on the Internet is rapidly increasing, with around 3 billion individuals now having access.<br />

This has led to an exponential growth of web applications in recent years. Web applications, though<br />

convenient, also come with vulnerabilities. When it comes to web application security, organisations turn<br />

to penetration testing in order to identify potential vulnerabilities and weaknesses in their applications.<br />

We've gone ahead and compiled this article to shed some light on the top ten web application security<br />

risks according to OWASP and how you can use this as a guiding light while penetration testing. Let's<br />

get started.<br />

What is penetration testing?<br />

Penetration testing specifically in the web application domain is the process of testing <strong>for</strong> vulnerabilities<br />

by simulating attacks on it. Penetration testers use a variety of methods to attempt to exploit vulnerabilities<br />

in order to gain access to sensitive data or systems. The main goal of penetration testing is to identify<br />

and report on any security weaknesses that may exist in an organization's web applications and have<br />

them fixed as soon as possible.<br />

Why do you need to per<strong>for</strong>m penetration tests on web applications?<br />

Image Source: <strong>for</strong>egenix.com<br />

Web application pen testing is carried out <strong>for</strong> a number of reasons. The most important include:<br />

● To ensure that online applications are safer and have little to no vulnerabilities<br />

● To prevent unauthorized access<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 47<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

● To comply with external regulations, policies and standards<br />

● To meet internal security requirements<br />

● To verify the effectiveness of security controls<br />

● To resolve issues uncovered during previous online penetration tests<br />

● To remain competitive among other top businesses<br />

What is the OWASP Top Ten?<br />

Image Source: cybervaultsec.com<br />

OWASP stands <strong>for</strong> Open Web Application Security Project. The OWASP Foundation is a global nonprofit<br />

organization striving to improve the security of web applications and related technology. OWASP<br />

publishes an annual list pertaining to the top ten web application vulnerabilities. The list was originally<br />

published in 2007 and has been updated since then. It covers all areas from common coding to cyber<br />

attacks. Although these are not the only threats out there, they are the most common ones that web<br />

developers should address be<strong>for</strong>e releasing an app into production <strong>for</strong> use by customers, clients, and<br />

employees.<br />

OWASP Top 10 Web Application Security Risks <strong>for</strong> <strong>2022</strong><br />

1. Broken Access Control - An adversary is able to obtain access to resources or data that they<br />

should not have access to when normal security measures, such as permissions and access<br />

controls have been poorly implemented.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 48<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

2. Cryptographic Failures - Cryptographic failures are when a web application's underlying<br />

cryptographic algorithms or protocols are compromised and can be exploited.<br />

3. Injection and Cross-Site Scripting - Injection occurs when an attacker is able to inject<br />

malicious code into input fields on a web page, such as in a search bar or comment box. Cross-<br />

Site Scripting is when the attacker inserts malicious code into a web page while or be<strong>for</strong>e it is<br />

viewed by other users.<br />

4. Insecure Design - A web application that is designed in an insecure way leaves room <strong>for</strong><br />

attackers to exploit. This is often the case since web application developers are not well versed<br />

with secure coding practices.<br />

5. Security Misconfiguration - Security settings that are incorrectly configured are quite<br />

prevalent, making it simple <strong>for</strong> attackers to capitalize.<br />

6. Vulnerable and Outdated Components - When an attacker is able to take benefit of known<br />

vulnerabilities in the application or underlying plat<strong>for</strong>m, it's possible that vulnerable and obsolete<br />

components will be involved.<br />

7. Identification and Authentication Failures - This is when an attacker is able to impersonate<br />

another user or gain access to restricted sections of the application without having proper<br />

authentication.<br />

8. Software and Data Integrity Failures - This happens when an attacker is able to gain access<br />

to sensitive in<strong>for</strong>mation within the application, such as user credentials or credit card numbers.<br />

9. Security Logging and Monitoring Failures - Security logging and monitoring failures occur<br />

when an attacker is able to disable or circumvent the logging mechanisms in place, making it<br />

difficult to track activity within the application.<br />

10. Server-Side Request Forgery - This occurs when an attacker is able to inject illegitimate<br />

requests from the server-side, such as <strong>for</strong>gery of login credentials.<br />

These are errors developers often make when creating websites that, if exploited, can lead to serious<br />

consequences <strong>for</strong> your business - including data theft or financial loss!<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 49<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

What is OWASP penetration testing?<br />

Image Source: kirkpatrickprice.com<br />

OWASP penetration testing is pen testing specifically to eradicate the vulnerabilities mentioned in the<br />

OWASP top ten list. This is a good starting point but your penetration tests should not be limited to these.<br />

OWASP Penetration Testing Checklist<br />

Keeping in mind the OWASP top ten web app vulnerabilities, we have compiled a checklist to help you<br />

with your penetration testing process:<br />

1. Review the application's architecture and design<br />

2. Identify and attempt to exploit all input fields, including hidden fields<br />

3. Tamper with data entered into the application<br />

4. Use a variety of automated tools to find vulnerabilities<br />

5. Scan the network <strong>for</strong> exposed systems and services<br />

6. Attack authentication mechanisms - try logging in as different users with known credentials, or<br />

using brute <strong>for</strong>ce techniques<br />

7. Try to gain access to restricted parts of the web application that should otherwise be only<br />

reachable by authorized individuals<br />

8. Intercept and modify communications between the client-side and the server-side<br />

9. Exploit known vulnerabilities in the web application plat<strong>for</strong>m or frameworks it is built on<br />

Once you have completed your penetration test, document your findings in a concise report and begin<br />

patching your web application immediately.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 50<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Conclusion<br />

Penetration testing is a very important step in securing your web application and should not be<br />

overlooked. The OWASP Top Ten list is a great starting point, but it should not be the end of your<br />

penetration testing journey. In order <strong>for</strong> penetration tests to be effective, you need an experienced<br />

security team who can per<strong>for</strong>m these types of audits and also provide actionable results in a timely<br />

manner.<br />

About the Author<br />

Ankit Pahuja is the Marketing Lead & Evangelist at Astra Security. Ever<br />

since his adulthood (literally, he was 20 years old), he began finding<br />

vulnerabilities in websites & network infrastructures. Starting his<br />

professional career as a software engineer at one of the unicorns<br />

enables him in bringing "engineering in marketing" to reality. Working<br />

actively in the cybersecurity space <strong>for</strong> more than 2 years makes him<br />

the perfect T-shaped marketing professional. Ankit is an avid speaker<br />

in the security space and has delivered various talks in top companies,<br />

early-age startups, and online events.<br />

Ankit can be reached online at Email, LinkedIn and at his company<br />

website http://www.getastra.com/<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 51<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

5 Ways to Protect Your Workplace from <strong>Cyber</strong>security<br />

Threats<br />

The cybersecurity environment is rapidly evolving. Meanwhile, technological advancements are steadily<br />

improving the ability <strong>for</strong> cyber criminals and hackers to exploit data security flaws.<br />

By Nicole Allen, Marketing Executive, Salt Communications<br />

The cybersecurity environment is rapidly evolving. Meanwhile, technological advancements are steadily<br />

improving the ability <strong>for</strong> cyber criminals and hackers to exploit data security flaws. The ever-increasing<br />

scope of data breaches and cybersecurity threats should be a major source of concern <strong>for</strong> all types of<br />

organisations.<br />

No one could have predicted the holes in network security postures that the 2020 coronavirus pandemic<br />

has revealed with the increase of employees working from home. Unsecured home networks, BYOD<br />

(bring-your-own-device) policies, and compartmentalised operations turned previously evident hazards<br />

on corporate networks into invisible, hidden threats on a wider range of networks. As a result of the<br />

increasing attack surface even more than usual phishing vishing, and ransomware assaults were<br />

launched. So in this article Salt Communications are going to explain five ways to protect your workplace<br />

from cybersecurity threats.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 52<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

1. Increase enterprise security protection<br />

Mobile workplaces can boost productivity and access to work-related resources, but they also raise the<br />

danger of data leaks due to apps and services like email, social media, and cloud access. Maintaining a<br />

more secure organisation while enabling mobile productivity requires creating a safer environment <strong>for</strong><br />

employees to work remotely.<br />

The risks to organisations from actions or inactions of employees come from a wide range of factors:<br />

such as human error - this can include sending sensitive in<strong>for</strong>mation or personal data to the wrong person<br />

by accident. There's also the issue of system misconfiguration, which can lead to unauthorised access if<br />

sensitive data isn't adequately secured, encrypted, or password protected. It's also crucial to consider<br />

the loss of sensitive in<strong>for</strong>mation-containing devices or documents.<br />

Many businesses do not take data security as seriously as it should be. They have weak passwords,<br />

important files that aren't encrypted, and servers that aren't configured correctly. More than 4 billion data<br />

records containing sensitive in<strong>for</strong>mation were allegedly compromised in the first six months of the year<br />

in 2021 as a result of this negligent attitude.<br />

2. Enable secured collaboration <strong>for</strong> business communications<br />

Since the recent crisis-<strong>for</strong>ced transition to remote work, there has been an increase in the use and<br />

reliance on communication tools. Employees across organisations are looking <strong>for</strong> an effective, secure<br />

approach to continue collaborating throughout the business now that they are dispersed in various remote<br />

locations. Migration to business communication plat<strong>for</strong>ms as a replacement <strong>for</strong> in-person and other<br />

technical communication has become a major goal <strong>for</strong> a business's digital trans<strong>for</strong>mation.<br />

Companies become more vulnerable to major security concerns when more communication – and<br />

business-critical in<strong>for</strong>mation – is shared across cloud plat<strong>for</strong>ms likeZoom and Teams. As we saw with<br />

COVID-19, there has been an increase in hacks, including targeted Teams attacks using impersonating<br />

Teams notifications and GIFs vulnerabilities.<br />

With the likes of Teams in terms of external vulnerabilities, federated access to external users is enabled<br />

by default when Teams is implemented out of the box. This means that anyone in the world can send an<br />

email to a user, request to chat with them, or exchange files with them, exposing the individual, and<br />

hence their entire organisation, to messages that are frequently hostile in nature.<br />

Whereas, if an organisation uses a closed communications plat<strong>for</strong>m such as Salt they don’t leave<br />

themselves open to these types of threats. Salt Communications recognizes that encryption alone isn’t<br />

enough to keep an organisation’s data safe. Salt delivers a highly secure plat<strong>for</strong>m that gives the same<br />

convenient user experience as consumer apps, but in a safer and more secure manner, allowing the<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 53<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

usiness to maintain complete, centralised management of the system at all times and there<strong>for</strong>e ensure<br />

complete control.<br />

3. Ensure you are reducing malware exposure<br />

Malware infections is frequently linked to user mistakes. Phishing and spoofing schemes have advanced<br />

to the point where they can trick users into downloading innocuous-looking apps that contain hidden<br />

attacks by sending them fake emails from trusted brands. These emails lure users in with fake news<br />

stories, or very personalised offers, which leaves themselves and their companies open to attack. As well<br />

as this in the past year there has been an increase in ‘smishing’ attacks which are threatening businesses<br />

worldwide. Smishing is a <strong>for</strong>m of ‘phishing’ using SMS or text messages instead of emails to entice<br />

recipients to click on fake links which downloads malware onto their device.<br />

On their own devices, users cannot be prevented from surfing the web, utilising social media, or<br />

accessing personal email. How can you assist them in per<strong>for</strong>ming these routine duties in a safer manner?<br />

Request that all staff read basic instructions and/or participate in training that covers common malware<br />

attack strategies.<br />

Employers should also teach users to double-check URLs in emails to ensure they are accurate, relevant,<br />

and trustworthy. Also, think about deploying email security solutions that can help prevent malware and<br />

phishing attacks from reaching employees' inboxes. It makes no difference if you have the world's most<br />

secure security system. It only takes one inexperienced employee to be deceived by a phishing attempt<br />

and hand up the in<strong>for</strong>mation you've worked so hard to safeguard. Make sure you and your staff are both<br />

aware of these specific email phishing examples, as well as all of the warning indicators of a phishing<br />

attempt.<br />

4. Back everything up regularly<br />

What if your organisation already has a backup system in place? First and <strong>for</strong>emost, kudos on a job well<br />

done; but, the task does not end there. It's critical to test your backup recovery process on a frequent<br />

basis. It's pointless to back up data if you can't recover it. You'll know if your backup procedure is working<br />

properly if you run that test on a frequent basis. It's not uncommon <strong>for</strong> a backup drive to run out of disc<br />

space <strong>for</strong> no one to notice.<br />

Per<strong>for</strong>ming a proper backup can be a challenging task. There<strong>for</strong>e, backups should be included in your<br />

business continuity plan. A business continuity plan, according to Travelers Insurance, is "a proactive<br />

plan to avoid and manage risks associated with a disruption of operations."<br />

It outlines the measures that must be per<strong>for</strong>med be<strong>for</strong>e, during, and after an event in order <strong>for</strong> an<br />

organisation's financial viability to be maintained. That implies that if your business systems are affected,<br />

whether by a fire or flood in the office or, more recently, a cyber-attack, you'll have a plan in place to<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 54<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

minimise the impact on business per<strong>for</strong>mance. Backing up your company's data could mean the<br />

difference between surviving a cyber attack and going out of business.<br />

5. Manage all organisational devices<br />

Security concerns are growing as the Bring Your Own Device (BYOD) trend rises and the use of<br />

Software-as-a-Service (SaaS) applications spreads. Organisations can begin with user education on<br />

devices is a simple but crucial step in securing them. It guarantees that every employee in your company<br />

is in<strong>for</strong>med of the best procedures <strong>for</strong> safeguarding your data. While it starts with onboarding, teaching<br />

your staff how to safeguard their devices is a continuous activity.<br />

Mobile security should be at the top of any company's cybersecurity priority list, especially in an era where<br />

remote working has become the standard and isn't going away anytime soon. Many of the companies<br />

and organisations in which Salt Communications works have experienced a surge in mobile usage <strong>for</strong><br />

communications and day-to-day tasks. Often, businesses will consider creating a mobile security policy<br />

that outlines what users should and should not do while using their mobile devices. Other businesses<br />

have implemented MDM/UEM systems to lock down devices and add an extra layer of security to<br />

company-issued devices that employees use.<br />

Allowing employees to be flexible does not have to mean jeopardising the security of your cybersecurity,<br />

mobile security and corporate communications. You can provide your employees the freedom to work<br />

anywhere, anytime with adequate planning, the correct tools, and education while avoiding risk. Our team<br />

of professionals have worked with a variety of organisations to assist them in dealing with cybersecurity<br />

issues.<br />

To discuss this article in greater detail with the team, or to sign up <strong>for</strong> a free trial of Salt Communications<br />

contact us on info@saltcommunications.com or visit our website at saltcommunications.com.<br />

About Salt Communications<br />

Salt Communications is a multi-award winning cyber security company providing a fully enterprisemanaged<br />

software solution giving absolute privacy in mobile communications. It is easy to deploy and<br />

uses multi-layered encryption techniques to meet the highest of security standards. Salt Communications<br />

offers ‘Peace of Mind’ <strong>for</strong> Organisations who value their privacy, by giving them complete control and<br />

secure communications, to protect their trusted relationships and stay safe. Salt is headquartered in<br />

Belfast, N. Ireland, <strong>for</strong> more in<strong>for</strong>mation visit Salt Communications.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 55<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

About the Author<br />

Nicole Allen, Marketing Executive at Salt Communications.<br />

Nicole has been working within the Salt Communications<br />

Marketing team <strong>for</strong> several years and has played a crucial role<br />

in building Salt Communications reputation. Nicole implements<br />

many of Salt Communications digital ef<strong>for</strong>ts as well as managing<br />

Salt Communications presence at events, both virtual and in<br />

person events <strong>for</strong> the company.<br />

Nicole can be reached online at (LINKEDIN, TWITTER or by<br />

emailing nicole.allen@saltcommunications.com) and at our<br />

company website https://saltcommunications.com/<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 56<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Today's Digital Battlefield Demands Resilience Beyond<br />

Infrastructure<br />

By Mohammed Al Mohtadi, <strong>Cyber</strong> In<strong>for</strong>mation Security Officer, Injazat<br />

There is a battle underway globally that requires every business to identify their risks of attack, <strong>for</strong>tify<br />

their defences, and continually evolve their capabilities. Every company will need to be on the front foot<br />

in terms of being equipped with the latest skills to deal with it and innovating their armoury to counter it.<br />

The battle <strong>for</strong> data increasingly sees sophisticated attacks by organised hackers rising rapidly.<br />

A study by <strong>Cyber</strong>security Ventures indicated that cybercrimes will be the reason <strong>for</strong> the greatest transfer<br />

of economic wealth in history, costing the world $10.5 trillion by 2025. To place that in the context of a<br />

country wealth equivalent, it would be the world's third-largest economy after the U.S. and China.<br />

Reframing the Digital Battleground<br />

With the level of technology integration in nearly every business, it could be argued that every company,<br />

to some degree, is a technology business. As a result, each could face extremely damaging risks to the<br />

business by losing productivity, operations, reputation and incurring a substantial financial loss.<br />

This digital battleground is constantly evolving. With it is the need <strong>for</strong> the business world to change its<br />

approach from simple prevention steps to a more proactive approach rooted in a dynamic business-wide<br />

state of readiness. Given the current landscape, the focus should shift towards better detection and<br />

readiness <strong>for</strong> the inevitable to survive the digital battlefield today.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 57<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

It is no longer the case that the "it will never happen to us" attitude is accurate. In fact, to the contrary, as<br />

every 39 seconds, there is a new attack somewhere on the web, and the rapidly rising cost of global<br />

cyber hacks rising every year around 15 per cent.<br />

Testing your resilience: Attack yourself.<br />

It is now more vitally important than ever be<strong>for</strong>e to test the company's resilience to ensure that critical<br />

data is secure and vulnerabilities are identified. These vulnerabilities can also include programming<br />

errors, or improper computer or security configurations which can be then be exploited by hackers who<br />

discover these unintentional flaws and use these an opportunity <strong>for</strong> cyberattacks which are known as<br />

zero day attacks. To address this, the software developers have to release updated software patches.<br />

However, since they have just learned of the flaws, they have “zero days” to fix the problem and protect<br />

the users.<br />

A secure way to achieve the testing of resilience is by evaluating your company's vulnerabilities through<br />

being breached voluntarily. There<strong>for</strong>e, attack yourself be<strong>for</strong>e hackers do, and assess what weaknesses<br />

in your IT infrastructure would make them successful and proactively fix them. You stand a significant<br />

chance to reduce the impact of an attack, provided you have a robust response plan and that it is<br />

consistently tested.<br />

Most security leaders do not know how their team would react to a cyber breach. These exercises are<br />

critical to help provide an understanding of the capabilities of your team and your existing technology and<br />

are great <strong>for</strong> building muscle memory and assessing where to invest budgets.<br />

Fortunately, there are several ways and methods to do this today, from tabletop exercises to penetration<br />

testing and simulation exercises such as red teaming.<br />

Why choose proactive simulation<br />

Penetration testing identifies possible vulnerabilities and security holes but is highly dependent on the<br />

skill of the pentester. This is where immersive solutions such as red teaming have a massive advantage.<br />

It presents you with a heart-pounding, first-hand experience that reproduces the real impact of an attack.<br />

It helps prepare your teams to respond and enables you to understand how competent your response is<br />

and how fluent you are in your response incident response plan.<br />

It is also crucial <strong>for</strong> the business to view cyber security as a shared responsibility, not simply the IT head's<br />

sole responsibility. Instead, everyone has a role in ensuring the organisation remains cyber secure.<br />

Response plans will have assigned responsibilities <strong>for</strong> the key decision makers such as the CEO, CIO,<br />

CHRO etc and simulation exercises guarantee that all protocols are fully understood by all parties and<br />

strengthen the cybersecurity bench providing critical in a low-risk, low-cost way to learn from your failures.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 58<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

UAE can be a cyber security powerhouse<br />

The UAE is the third most attractive target <strong>for</strong> cybercriminals, according to the <strong>Cyber</strong> Risk Index released<br />

by NordVPN, costing the businesses in this country a whopping $1.4 billion per year.<br />

There<strong>for</strong>e, it should not come as a surprise that the UAE have announced a national bug bounty program<br />

to enlist the services of qualified global security researchers in an incentive-based programme <strong>for</strong><br />

cybersecurity penetration testing and vulnerability identification, towards better prevention against cyberattacks.<br />

As a nation that has always been at the <strong>for</strong>efront of embracing innovative ways to enhance cybersecurity<br />

across the critical infrastructure in the country, the UAE knows not to stop at just penetration testing. To<br />

align and direct these national cyber security ef<strong>for</strong>ts, the UAE Government has a vast array of initiatives<br />

that are designed to improve the national cyber security, and protect the country’s national in<strong>for</strong>mation<br />

and communications infrastructure. The UAE In<strong>for</strong>mation Assurance (IA) Regulation provides the<br />

requirements <strong>for</strong> raising the minimum level of IA across all relevant entities in the UAE. This is further<br />

supported through the in<strong>for</strong>mation security standards such as ISO 27001 which is focused on keeping<br />

in<strong>for</strong>mation assets secure.<br />

With a 250% increase in cyberattacks since last year, the UAE <strong>Cyber</strong>security Council, in cooperation with<br />

National Crisis and Emergency Management Authority (NCEMA), announced a "Protective Shield <strong>Cyber</strong><br />

Drill", demonstrating how these exercises and practices can be encouraged from a government level.<br />

As the national technology champion, Injazat is also a leader in cyber security through the provision of<br />

its '<strong>Cyber</strong> Fusion Centre'. This capability stands out ahead compared to other less able solutions in the<br />

market. Integrating behavior analytics and machine learning, the <strong>Cyber</strong> Fusion Center is distinctive. It<br />

leads the MENA region as it provides a proactive and unified approach to neutralize potential threats<br />

be<strong>for</strong>e they occur. The plat<strong>for</strong>m leverages an Artificial Intelligence-based recommendation engine,<br />

suggesting remediation actions based on previous behavior patterns and reducing response times.<br />

As we approach <strong>2022</strong> next month, now is the time to double up on the action to ensure that every<br />

business is cyber aware and has the proper proactive defences to ensure that they win in the digital<br />

battleground. Every company must act now to put the winning strategy in place and not wait until it's too<br />

late. The cost of not doing so could be high.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 59<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

About the Author<br />

Mohammed Al Muhtadi is a highly accomplished cybersecurity and<br />

in<strong>for</strong>mation governance professional with over 12 years of experience in<br />

leading and implementing security solutions and mitigation plans.<br />

As the Chief In<strong>for</strong>mation Security Officer of Injazat, Mohamed is<br />

responsible <strong>for</strong> spearheading and improving the security programs,<br />

assessment of the organization’s digital landscape, managing disaster<br />

recovery and providing cybersecurity awareness training.<br />

In the span of his career, Mohammed has helped corporate giants in the<br />

region such as Du, Dubai World, Masdar, General Electric and ENOC to<br />

design, implement, operate, grow, and manage their digital infrastructure.<br />

Highly qualified, Mohammed holds an MBA and a Bachelors degree in<br />

In<strong>for</strong>mation Technology with over 13 certifications ranging from ethical hacking to data privacy solutions.<br />

The rich and extensive experience he has gained in his previous roles has fully equipped him with the<br />

tools needed to support any company’s security and in<strong>for</strong>mation strategies and ensure a smooth flow of<br />

operations within the team. Mohammed can be reached online at<br />

https://www.linkedin.com/in/mohammed-al-muhtadi/<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 60<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Why Ransomware is Only a Symptom of a Larger Problem<br />

While ransomware is arguably the greatest current security threat to organizations, its rise has<br />

distracted us from the true issue at hand: extortion-based crimes.<br />

By Jeff Palatt, Vice President, Technical Advisory Services at MOXFIVE<br />

Encrypted files, corrupted applications, deleted backups, and stolen data - all are debilitating symptoms<br />

attributed to ransomware. With the shift to digital currencies, the monetization from attacks has only<br />

become easier <strong>for</strong> threat actors to turn unauthorized access to an organization’s computer network into<br />

financial gain.<br />

Where We Are<br />

Since cyber thieves first began physically skimming credit card machines to collect the in<strong>for</strong>mation<br />

needed <strong>for</strong> counterfeit credit cards, unauthorized access to private data has led to a<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 61<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

windfall of financial gain <strong>for</strong> the threat actors. In the time between WannaCry and the Colonial Pipeline<br />

attacks, ransomware has shifted from single-system encryption events with extortion amounts of less<br />

than $15,000 to enterprise-level encryption events with demands routinely in the tens of millions of<br />

dollars. There has been an alarming increase in the number of instances where organizations have<br />

backups to restore their IT operations, yet still pay a ransom to “buy silence” from the threat actor.<br />

Ransomware is currently the sharpest tool attackers have to monetize these attacks, but it is by no means<br />

the only one.<br />

Where We’re Going<br />

As ransomware continues to gain attention, threat actors will adopt additional escalation techniques to<br />

continue profiting. We are already seeing a sampling of what’s to come, including:<br />

• Distributed Denial of Service (DDOS) Attacks: While not as common today, the threat of a<br />

DDOS can be increased to where threat actors target critical networking gear and block control<br />

of network traffic into and out of the network, which would cripple an environment. Organizations<br />

that rely on a significant Internet presence need to contract with DDOS mitigation firms in a<br />

proactive manner to help mitigate the threat of DDOS attacks. Furthermore, organizations should<br />

implement centralized management of network gear to easily manage, and secure, network<br />

devices in their environment.<br />

• Destructive Attacks: If desperate, or lucrative enough, threat actors could shift to threatening to<br />

bring the environment completely and permanently down if a ransom is not paid in a certain<br />

amount of time. While this type of attack would be difficult, it is not impossible and could leave an<br />

organization scrambling to investigate and remediate as quickly as possible to mitigate damage.<br />

Defending against these types of attacks requires a layered security approach that starts with the<br />

basics and matures into a robust security program. Organizations need a prioritized security<br />

roadmap that pinpoints specific risk areas in an organization and targets pinpoint solutions that<br />

maximize the return on value of security investments.<br />

The Disease: Extortion-Based Attacks<br />

An endless supply of highly skilled adversaries, a precedent of successfully extorting victims <strong>for</strong> higher<br />

payouts, and less friction collecting (and spending) funds thanks to digital currencies has opened the<br />

floodgates <strong>for</strong> the frequency and severity of extortion-based attacks. While ransomware has the spotlight<br />

<strong>for</strong> now, we need to remember that it is merely a symptom of the extortion-based crime disease. To truly<br />

combat extortion-based crimes, starting with ransomware, organizations need a robust defense strategy<br />

that protects environments from current and future trends. <strong>Cyber</strong>security needs to go beyond addressing<br />

the immediate threat of ransomware to impair the ability of threat actors monetizing attacks, starting at<br />

the organizational level to reduce overall risk and repercussions.<br />

Depending on the size and complexity of the network, and the maturity of the security program a<br />

determination should be made with respect to resources, technology, and capability. Smaller<br />

organizations should consider outsourcing a good portion of their security to a Managed Detection and<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 62<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Response vendor that can leverage an Endpoint Detection and Response (EDR) or Extended Detection<br />

& Response (XDR) solution. Larger organizations can often handle security in house but may want to<br />

consider a hybrid model where the security strategy and program is run internally, and specific services<br />

may be provided by a Managed Security Service Provider (MSSP). In any case, all organizations need<br />

to have basic controls in place, from immutable backups and network segmentation to multifactor<br />

authentication (MFA) and privileged access management.<br />

The Cure: Holistic <strong>Cyber</strong>security<br />

A key part of the game <strong>for</strong> threat actors is the continual escalation of techniques <strong>for</strong> profit. To combat<br />

extortion-based crimes, organizations need robust defense strategies that protect environments against<br />

current and future attack trends, addressing the threat of ransomware and impairing the threat actors<br />

from monetizing attacks. Beyond encrypting systems and implementing backup solutions, organizations<br />

need a holistic approach that bands the security, software, and hardware communities together to<br />

eradicate these threats.<br />

Organizations must continue to address the symptoms of extortion-based attacks, like ransomware, but<br />

must also not lose sight of the true disease. The solution will not be quick, complete, or without pain. But<br />

together as an industry we can reverse the concerning trend in the rise of extortion-based attacks.<br />

About the Author<br />

As Vice President of Technical Advisory Services, Jeff leads MOXFIVE's<br />

team of expert Technical Advisors who provide strategic incident<br />

management services and solutions to clients. Prior to MOXFIVE, Jeff was<br />

the Director of <strong>Cyber</strong> <strong>Defense</strong> and Incident Response at RSA Security,<br />

joining RSA through the NetWitness acquisition in 2011 where he helped<br />

build the Incident Response Practice from the ground up. Jeff has held<br />

other leadership positions including Delivery Manager <strong>for</strong> Emergency<br />

Response Services at IBM where he was instrumental in getting IBM ISS<br />

listed as a PCI Qualified Incident Response Assessor (QIRA) in 2006<br />

during the acquisition of Internet Security Systems and assisting with the<br />

integration of the teams through the transfer of trade. Be<strong>for</strong>e moving into practice leadership roles, Jeff<br />

was a Principal Consultant (Incident Responder) with Internet Security Systems and has held various<br />

other positions as a Security Engineer, Security Analyst, and Security Auditor.<br />

Jeff has a Master of Forensic Sciences in High Technology Crime Investigations from the George<br />

Washington University, and a Bachelor of Science in Business Administration from Old Dominion<br />

University. He is a Certified In<strong>for</strong>mation Security Manager (CISM), Certified In<strong>for</strong>mation Systems Security<br />

Professional (CISSP, and a Certified In<strong>for</strong>mation Systems Auditor (CISA). Jeff currently resides in<br />

Virginia Beach with his wife and three children. Jeff can be reached online at our company website<br />

https://www.moxfive.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 63<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Responding To the Ransomware Pandemic<br />

By Tom McVey, Solution Architect, Menlo Security<br />

Last year, Kaseya became the victim of the largest ransomware attack in history when Russian-linked<br />

hacker group REvil breached the US software company’s systems, in turn gaining access to the<br />

subsequent systems of approximately one million other companies. The ransom they demanded was a<br />

staggering $70 million.<br />

We saw a similar story in May 2021. Both Irish Health Services and insurance company AXA were hit by<br />

ransomware attacks, the <strong>for</strong>mer <strong>for</strong>ced to shut down its systems entirely to protect itself, causing mass<br />

disruption and placing a huge strain on the country’s healthcare service. In the same month, the<br />

University of Northampton of the UK saw its entire network go down as a result of a ransomware attack,<br />

severely impacting students’ learning.<br />

It is no coincidence that such significant attacks were orchestrated in such a short space of time.<br />

According to Bitdefender’s Mid-Year Threat Landscape Report 2020 ransomware attacks were up 700<br />

per cent that year.<br />

Much of this spike can be attributed to the changes brought about by the pandemic. Where remote<br />

working shifted to a lockdown-en<strong>for</strong>ced necessity, countless organisations had no choice but to switch<br />

from physical to digital working practices almost overnight.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 64<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Critical IT infrastructure had to be adapted. Consequently the digital landscape was greatly expanded,<br />

which led to the exposure of security vulnerabilities that cyber criminals have since exploited at scale.<br />

While the volume is increasing, what is even more alarming is the fact that such attacks are becoming<br />

increasingly sophisticated.<br />

In recent years there have been huge strides made in technological advancements, much of which have<br />

been put to good use in many ways. Yet, <strong>for</strong> cyber criminals, it is allowing them to create highly legitimate<br />

looking campaigns, such as credentials phishing, with the ability to tap into personal in<strong>for</strong>mation gleaned<br />

from social engineering initiatives.<br />

It is now easier than ever <strong>for</strong> them to get a targeted user to click on a link in an email that looks like it’s<br />

coming from a colleague or a trusted person or brand. All it takes is that one click to set the attack in<br />

motion.<br />

It’s not just emails either. Ransomware is also being embedded in digital advertisements and content<br />

modules on news sites, making the filtering of URLs using white/blacklists redundant in preventing many<br />

ransomware attacks.<br />

Extortion Attacks<br />

Beyond these complex phishing techniques, we are seeing the emergence of a new category of<br />

ransomware attacks called double extortion attacks. This is when ransomware is embedded with counter<br />

incident response tools baked right into the malicious code. Alongside this, tactics such as security tool<br />

disablement/bypass, distributed denial-of-service (DDoS) attacks and log destruction are also on the rise;<br />

one of the key reasons that over two thirds of breaches remain undetected <strong>for</strong> months.<br />

Such is the severity of the problem that a 2021 Menlo Security survey revealed that more than two thirds<br />

of people believe cyber criminals should receive prison sentences. Meanwhile, 60 per cent believe that<br />

ransomware attacks should be viewed as seriously as terrorist attacks.<br />

While harsher penalties may deter some threat actors, it is highly likely that ransomware attacks will<br />

continue to grow, and organisations need to be proactive in protecting core assets.<br />

So what can be done to overcome the challenge? Enter isolation and zero trust – a security-focused<br />

combination that can be used to stop ransomware in its tracks.<br />

Isolation technology has been designed with the purpose of protecting users as they navigate the web.<br />

It works by creating a virtual air gap between the Internet and enterprise networks. All email and web<br />

traffic goes through the isolation layer, where the content is still visible but is never actually downloaded<br />

to the endpoint.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 65<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

It does not impact the user experience. Rather, it simply removes the risk of malware exploiting<br />

vulnerabilities on the endpoint.<br />

Zero trust enhances this, working to block both known and unknown potentially malicious activity. It<br />

assumes that all web content is harmful and prevents any website from running code on users’ devices.<br />

It’s a way of protecting users from untrusted actors without inhibiting their ability to do work.<br />

Using this combination, attackers are both prevented from gaining an initial foothold in a network, leaving<br />

ransomware with no route to reach its targeted endpoints.<br />

About the Author<br />

Tom McVey, Solution Architect, Menlo Security. Tom is a Solution Architect<br />

at Menlo Security <strong>for</strong> the EMEA region, a leader in cloud security. He works<br />

with customers to meet their technical requirements and architects web and<br />

email isolation deployments <strong>for</strong> organisations across different industries.<br />

Coming from a varied background in cyber, Tom provides expert<br />

cybersecurity advice and strategic guidance to clients. Tom previously<br />

worked <strong>for</strong> LogRhythm and Varonis.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 66<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Killware is the Next Big <strong>Cyber</strong>security Threat<br />

By Brian Erickson, Vice President or Strategy and Solutions and retired U.S. Navy Captain,<br />

Vidoori<br />

Today's battlefield has expanded to a digital landscape, and the impact affects the general population as<br />

well as government agencies. America’s enemies now aim to access sensitive in<strong>for</strong>mation, disrupt critical<br />

infrastructure, or stop the maneuverability of our armed <strong>for</strong>ces.<br />

As the battlefield continues to evolve, so too do the types of attacks. Phishing attacks, voice bot scams,<br />

and crypto ransomware are examples of how the world of cyberattacks has evolved in recent years.<br />

With these increasingly complex attacks comes new legislation to defend against them. For example,<br />

President Biden's May Executive Order and the <strong>Defense</strong> In<strong>for</strong>mation Systems Agency (DISA) and<br />

Department of <strong>Defense</strong>’s (DoD) new Zero Trust cybersecurity reference architecture display the ef<strong>for</strong>ts<br />

to help mitigate and fight against these threats.<br />

However, with large-scale ransomware attacks - such as the Colonial Pipeline and Solar Winds - going<br />

after our nation's critical infrastructure and putting citizens' lives at risk, cybercriminals have already<br />

displayed the willingness to escalate ransomware attacks to levels previously unheard of.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 67<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

This new kind of ransomware attack goes after a person's physical safety and can even take someone's<br />

life and has been called “killware” by Alejandro Mayorkas, Secretary of the U.S. Department of Homeland<br />

Security (DHS).<br />

The Dangers of Killware<br />

Killware is defined by its result, not by its methods like malware and ransomware are and is intentionally<br />

designed to cause real-life harm or death by targeting the health of its victims.<br />

In a Gartner blog titled, The Emergence of Killware, the Lethal Malware, it is predicted that by 2025,<br />

cybercriminals will have weaponized operational technology (OT) environments to intentionally and<br />

successfully kill people.<br />

As our reliance on digital resources increases so does the likelihood of cyber-attacks. And incidents in<br />

the digital world will have a much more significant effect on the physical world as the cyber-physical world<br />

evolves with IoT, smart buildings/cities, and autonomous vehicles. According to Gartner, the predicted<br />

monetary impact of cyber-physical systems attacks will reach over $50 billion by 2023.<br />

However, our critical infrastructure is currently most vulnerable to killware targets. Systems and service<br />

providers like hospitals, water and waste suppliers, power grids and dispatch operations that would result<br />

in physical harm or death should they be compromised in a killware attack.<br />

This malicious cyber activity has already begun to take place. In October, the Federal Bureau of<br />

Investigation, the <strong>Cyber</strong>security and Infrastructure Agency, the Environmental Protection Agency, and<br />

the National Security Agency issued a joint advisory highlighting attempts to compromise the system<br />

integrity of U.S. Water and Wastewater Systems (WWS) Sector facilities. This advisory indicates a larger<br />

problem, as cyber threats continue to increase across all critical infrastructure sectors.<br />

A Military Problem<br />

While the term may be new, the intended outcome of killware is not new to members of the military –<br />

adversaries have been targeting defense systems <strong>for</strong> decades to disrupt communications and endanger<br />

the lives of our armed <strong>for</strong>ces.<br />

Historically, adversary tactics, techniques and procedures (TTP) are as varied as an individual's choice<br />

in an automobile purchase – they depend on the desired outcome. If the objective of the attack is financial<br />

gain, then the attackers will use ransomware. If the attacker simply wants to disrupt operations and cause<br />

chaos, then malware intrusions into OT systems, such as industrial control systems (ICS) and supervisory<br />

control and data acquisition (SCADA) may be chosen tactic. Stuxnet, a malicious computer worm first<br />

uncovered in 2010, is one of many examples of malicious malware designed to attack these systems.<br />

However, as killware attacks become more prevalent, our defense agencies will have to evolve to ensure<br />

the safety and security of warfighters here and abroad. 5G, future 6G and the Internet of Things (IoT)<br />

introduce a whole new set of rules that may cause lethal results from non-kinetic actions.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 68<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

The most effective way to defend against these threats is to develop and deploy a Zero Trust Architecture<br />

across the enterprise. An effective ZTA can be found in the Office of Management and Budget’s recent<br />

Federal Zero Trust draft strategy. It creates an environment of trust and, depending on the technology,<br />

can create IP cloaking that prevents adversaries from striking what they cannot see.<br />

ZTA is a solution that can be used across all agencies and environments. Although networks may have<br />

certain unique qualities depending on the function and system, all networks are simply a combination of<br />

1’s and 0’s that all require the same basic needs (power, space, cooling, processor) to operate. Thanks<br />

to the similarities, good cyber hygiene addressing all key securing concerns can be applied not only<br />

across agencies, but across industries, from Federal to DoD to commercial.<br />

The current administration and legislators understand this potential, and have made it a point to prioritize<br />

cybersecurity, allocating around two billion in funding <strong>for</strong> cybersecurity in the recently passed<br />

Infrastructure Bill and releasing a series of Zero Trust guidance. The new Infrastructure Bill also includes<br />

funding <strong>for</strong> a state and local <strong>Cyber</strong> Grant Program and over $100 million <strong>for</strong> the <strong>Cyber</strong> Response and<br />

Recovery Fund.<br />

The DoD and DISA are also taking large strides to sure up cybersecurity, creating a new Zero Trust<br />

security portfolio office, and sharing cross-agency guidance by creating a Zero Trust cybersecurity<br />

reference architecture.<br />

What’s Next?<br />

Looking ahead, the DoD and defense agencies must continue to combat this new threat by implementing<br />

a comprehensive ZTA, recruiting and retaining cyber talent, ensuring employees are taught and have<br />

effective cyber hygiene, and continually assessing their systems through proactive testing and<br />

integration.<br />

Agencies must have organic staff, educated in the art of hacking and cybersecurity, that are able to<br />

routinely test networks using past and present TTPs. The key to successful network protection is to<br />

continue a defensive posture and think strategically to predict where future attacks may come from given<br />

the course of technology (6G, exascale and quantum computing, hyper-converged drone warfare).<br />

With cyber threats ever evolving and killware being designated a concern by the DHS, the federal<br />

government should leverage lessons learned from the DoD to get ahead of our adversaries. Continuing<br />

to make cybersecurity a legislative priority and taking a <strong>for</strong>ward-looking approach to defensive and<br />

offensive tactics is critical in protecting critical infrastructure from lethal attacks.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 69<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

About the Author<br />

Brian Erickson is Vidoori’s Vice President <strong>for</strong> Strategy and Solutions.<br />

In this role, he oversees the company’s west coast operations and brand<br />

expansion. Prior to Vidoori, Brian served 26 years as a Senior Naval Officer<br />

(Captain/O6) in the aviation and in<strong>for</strong>mation warfare communities.<br />

Brian earned a Bachelor of Arts degree in Economics from San Diego State<br />

University. He also earned a Master of Science degree in In<strong>for</strong>mation<br />

Technology from the Naval Postgraduate School. Additionally, he holds<br />

numerous professional certifications in business and cybersecurity.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 70<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Combining True MDR & SOC <strong>for</strong> Robust <strong>Cyber</strong>security<br />

By Jon Murchison, Founder and CEO, Blackpoint <strong>Cyber</strong><br />

Assessing the Current Threat Landscape<br />

The only constant in the cyberthreat landscape is that it is ever evolving. Amid a global pandemic,<br />

cybercriminals have moved quickly to exploit vulnerabilities as organizations make the change to remote<br />

and flexible work environments. <strong>Cyber</strong>security is now a key concern <strong>for</strong> small and medium-sized<br />

businesses (SMBs) during this shift to a virtual world. More than ever, there is a high demand <strong>for</strong> efficient<br />

and af<strong>for</strong>dable cybersecurity solutions to help ensure business continuity as much of the work<strong>for</strong>ce<br />

adjusts.<br />

While cyber defense solutions such as anti-virus and anti-malware are af<strong>for</strong>dable and a common choice,<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 71<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

they are no longer able to fight back increasingly sophisticated cybercriminals and attack methods.<br />

Rather than bulking up your security stack with various solutions, many businesses are now combining<br />

the expertise of a Security Operations Center (SOC) paired with the robust abilities of Managed<br />

Detection & Response (MDR) technology to build a pragmatic, streamlined approach to cybersecurity.<br />

Combating Advanced <strong>Cyber</strong>attacks<br />

For many organizations, the current pandemic has shown how security programs and tools such as<br />

fire walls, anti-virus, and anti-malware are not enough to fight back cyber adversaries. No doubt they<br />

are useful in providing protection against known viruses and malware, but they cannot thwart dedicated<br />

criminals leveraging newer attack methods such as ransomware and zero-day exploits.<br />

The threat landscape continues to change, and it is evolving much faster than such tools can keep<br />

up with. Consider the following challenges:<br />

• Traditional signature-based anti-virus technology is rooted in blacklisting known viruses, files, and<br />

malware. However, Advance Persistent Threats (APTs) can easily bypass this model by<br />

remaining undetected <strong>for</strong> lengthy periods of time within a victim’s networks. Further, anti-virus<br />

solutions are only as strong as their last update. The time in between updates is more than plenty<br />

<strong>for</strong> well-funded and experienced cybercriminals to launch an attack.<br />

• Even next-generation anti-virus and anti-malware software are not able to fully eradicate<br />

cyberthreats. While they do address some weaknesses found in their traditional counterparts,<br />

their technology is centered around machine learning and analysis to catch specific suspicious<br />

behaviors. Next-gen anti-virus and anti-malware solutions are still unable to respond quickly<br />

enough to catch new trending patterns and methods.<br />

• <strong>Cyber</strong>criminals are customizing their malware attacks. Un<strong>for</strong>tunately, cybercriminals can tailor<br />

their attacks to best infiltrate their victim’s networks and bypass the anti-virus's methods of<br />

detection.<br />

• Over 85% of major cyber incidents occur in organizations that have anti-virus software installed. In<br />

many of these cases, the software either missed detecting the attack completely, or managed to<br />

identify the malicious file but not a critical component of the attack such as a second payload or<br />

a process injection.<br />

• Attack types are varied and advanced. While e-mails and bad links are still a top access vector<br />

into a victim’s networks, organizations also need to be prepared to defend their businesses<br />

against zero-day exploits, ransomware, fileless attacks, credential theft, infected devices,<br />

vulnerable VPN services, and open remote desktop protocol (RDP). These are all ways that<br />

threat actors can infiltrate networks, spread laterally, and launch their attack.<br />

In the current pandemic, many organizations are overwhelmed trying to keep their IT environments<br />

secure and it can seem that cyber adversaries are always a few moves ahead. To combat this, investing<br />

in a Security Operations Center (SOC) can significantly streamline how organizations meet evolving<br />

cyberthreats. Within optimized security operations, organizations develop both their offensive strategy,<br />

as well as their defense. Engaging with a SOC is an increasingly positive option <strong>for</strong> many businesses,<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 72<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

especially those who want to build a robust security framework backed by security experts with<br />

experience in dealing with unrelenting waves of advanced threats.<br />

SOC Key Functions<br />

A Security Operations Center (SOC) is a centralized hub that combines dedicated security analysts,<br />

processes, and technology to continuously monitor an organization’s security posture. SOCs are focused<br />

on using telemetry measured from across an organization’s IT infrastructure and assets to prevent,<br />

detect, assess, and respond to cybersecurity incidents.<br />

All SOCs are built differently, and many providers allow organizations to select the specific services that<br />

best serve their line of business. These are some of the common key functions that a majority of SOCs<br />

will offer:<br />

• Asset Discovery and Management – SOCs are responsible <strong>for</strong> two general categories of assets:<br />

the devices, processes, and applications of the organization they are defending, and the specific<br />

tools and software in place to protect the <strong>for</strong>mer. Complete visibility and control are key in SOC<br />

operation. They take stock of all the available assets on their client’s networks to eliminate the<br />

chance of missing a blind spot. With a complete view of all the endpoints, software, servers,<br />

services, SOCs can stay on top of the nature of traffic flowing between these assets and monitor<br />

<strong>for</strong> anomalies.<br />

• 24/7/365 Proactive Monitoring – Proactive behavior monitoring, and analysis requires the SOC to<br />

scan on a 24/7/365 basis. The SOC is notified anytime their technology flags an anomaly or there<br />

is evidence of suspicious activities within a network. Consistent monitoring allows SOCs to stay<br />

ahead of adversaries and be able to properly prevent or mitigate malicious actions. Further, it is<br />

a common strategy <strong>for</strong> cybercriminals to schedule their attacks intentionally during off hours and<br />

weekends to maximize the potential rate of success of their operation. Without a SOC monitoring<br />

all hours and days of the week, an in-house IT team may not be able to catch and apply any<br />

defensive ef<strong>for</strong>ts until the following business day.<br />

• Alert Severity Ranking – Alert fatigue is a common challenge faced by in-house IT teams,<br />

especially if they are relying on a complex plat<strong>for</strong>m such as a Security In<strong>for</strong>mation and Event<br />

Management (SIEM) tool to log events across their organization’s networks. A team may quickly<br />

become overwhelmed if their technology is triggering alerts constantly. While some may be valid<br />

early warnings of a cyberattack, there are also false positives and alerts triggered due to lack of<br />

configuration settings. Alert fatigue is the main reason why some legitimate notifications are<br />

missed or not placed at a higher priority. MDR teams are able to better sift through the<br />

complexities of incoming alerts and efficiently determine if they are plausible warnings of a breach<br />

needing immediate action.<br />

• Threat Response – A SOC is a first responder. With 24/7/365 coverage, the SOC team closes the<br />

gap between the identification of an event and the actual response and remediation. By<br />

immediately shutting down or isolating endpoints, they can terminate malicious processes, delete<br />

bad files, and stop the threat from moving deeper into other systems.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 73<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Take Your <strong>Cyber</strong>security Strategy to the Next Level<br />

Ultimately, a SOC allows its organizations to operate knowing that cyberthreats can be identified and<br />

prevented in real-time. Regardless of how many endpoints, networks, assets, or locations an<br />

organization spans, SOCs provide a centralized view to ensure that they are monitored and per<strong>for</strong>ming<br />

as needed.<br />

From a security strategy standpoint, having a SOC means responding faster, minimizing damages and<br />

costs, and safeguarding data and business continuity. However, is there a way to further maximize<br />

cybersecurity to the next level?<br />

Pairing SOC & Managed Detection Response (MDR) Services<br />

An optimized security strategy is one that streamlines the right methods of threat management into an<br />

effective security solution. All functions should work in tandem so that the solution is easy to integrate<br />

and operate day-to-day. Having the right stack of services in place is a significant measure of how mature<br />

an organization’s security posture is. What a managed SOC cannot do alone is combine network<br />

visualization, insider threat monitoring, anti-malware, traffic analysis, and endpoint security into a<br />

24/7/365 managed service focused solely on detecting and detaining threats in real-time. This is where<br />

MDR comes into play.<br />

To develop the most comprehensive solution, SOCs may augment their services by operating a Managed<br />

Detection Response (MDR) plat<strong>for</strong>m. As the SOC collects and monitors various data sources within the<br />

organization, it is the MDR that adds context and makes the in<strong>for</strong>mation more valuable and actionable<br />

within the overall threat management process.<br />

Take the Offense by Threat Hunting<br />

Threat hunting is the practice of being proactive in the search <strong>for</strong> cyberthreats within an organization’s<br />

network. It is per<strong>for</strong>med deep within the network to deliberately search <strong>for</strong> hidden actors and malware<br />

that may have found a way to exist undetected otherwise. Many organizations invest in various managed<br />

services and tools to develop their defensive strategy, but MDR threat hunting is a crucial element to<br />

ensuring the offensive strategy is just as robust. The art of threat hunting relies on three important<br />

elements:<br />

• Investigation through threat intelligence and hypothesis<br />

• Analysis of Indicators of Compromise (IoC) / Indicators of Attack (IoA)<br />

• Machine learning and advanced telemetry<br />

Experienced MDR analysts are highly specialized and trained specifically in hacking tradecraft. They<br />

always take an ‘assume breach’ stance and investigate thoroughly to find evidence of suspicious<br />

behavior or changes that may indicate the existence of threat. They rely on experience and the analysis<br />

of current threat tactics, techniques, and procedures (TTP) to instigate hypothesis-driven hunts. The<br />

human-powered element is a critical element and the link that synchronizes collected threat<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 74<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

intelligence, data logs, and advanced security technology towards an offensive method <strong>for</strong> safeguarding<br />

businesses.<br />

Summary<br />

The hard reality is that cybercriminals and the market <strong>for</strong> their work have become more advanced than<br />

ever be<strong>for</strong>e. Despite the constant challenge to fend them off, cybercriminals continue to evolve swiftly<br />

in their tactics. Within the past year alone, some of the largest players in the cybersecurity arena have<br />

fallen victim to breaches. Though the adversary moves fast, there are ways to get ahead of them. By<br />

combining the centralized functionality of a SOC with an MDR’s capability <strong>for</strong> advanced threat hunting<br />

and network analysis, organizations can build a robust and pragmatic security strategy to protect<br />

themselves against cyberthreats today.<br />

About the Author<br />

Jon Murchison, founder and CEO of Blackpoint <strong>Cyber</strong>, started his<br />

career in network engineering and IT operations but quickly made<br />

the switch over to the covert world of the intelligence community. He<br />

has since spent more than 12 years planning, conducting, and<br />

executing high-priority national security missions. As a <strong>for</strong>mer NSA<br />

computer operations expert and IT professional, he brings a unique<br />

perspective to the mission of developing cyber defense software that<br />

effectively detects and detains purposeful cyber intrusions and<br />

insider threats. Jon has also helmed multiple cybersecurity<br />

assessments, including Fortune 500 enterprises and critical port<br />

infrastructures. Currently, Jon holds multiple patents in methods of<br />

network analysis, network defense, pattern analytics, and mobile<br />

plat<strong>for</strong>ms.<br />

Jon can be reached online on LinkedIn, and on our company’s website https://blackpointcyber.com/<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 75<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

The <strong>Cyber</strong>security Trends You Need to Know About In<br />

<strong>2022</strong><br />

By Jamie Wilson, MD & Founder, Cryptoloc Technology Group<br />

In 2021, no sector of the Australian economy was safe from cybercrime. From government agencies to<br />

family businesses, and every type of organisation in between, it’s been one of the worst years on record<br />

– so it’s important to stay ahead of the curve and be aware of what’s coming down the pipeline in <strong>2022</strong>.<br />

The explosion in remote work and the accelerated pace of digitalisation have opened plenty of doors <strong>for</strong><br />

cybercriminals to walk through. The Australian <strong>Cyber</strong> Security Centre (ACSC) received a report of a cyber<br />

attack once every eight minutes over the 2020-21 financial year, up from once every 10 minutes the<br />

previous year, and un<strong>for</strong>tunately, those attacks will probably only become more frequent in the new year.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 76<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

But when it comes to cybercrime, a little planning and preparation go a long way – so here are the trends<br />

your organisation should be focused on in <strong>2022</strong>.<br />

Rules and regulations are coming<br />

One of the reasons that cybercriminals have been able to operate with virtual impunity is that they’ve felt<br />

secure in the knowledge that technology has always been a step ahead of regulators.<br />

But with the total economic impact of cybercrime estimated at $3.5 billion in Australia alone, and $1 trillion<br />

worldwide, the law is finally catching up to the threat these criminals pose – and in <strong>2022</strong>, we can expect<br />

to see much greater regulatory pressure to address the risk of cybercrime.<br />

We’ve already seen legislation <strong>for</strong> consumer privacy pick up steam, beginning with the EU’s General<br />

Data Protection Regulation (GDPR) and followed by Brazil’s General Personal Data Protection Law<br />

(LGPD) and the Cali<strong>for</strong>nia Consumer Privacy Act (CCPA). It’s a sure thing that jurisdictions around the<br />

world – at a national level, but also at a state and local government level – will continue to pass legislation<br />

along these lines.<br />

But that’s just the beginning. In Australia, we’ve seen the recent introduction of emergency laws that<br />

require the operators of ‘critical infrastructure’ to report cyber attacks to the Australian Signals Directorate<br />

(ASD) as they happen. The laws give the ASD the power to plug into the networks of these organisations<br />

to help them fend off attacks.<br />

Those laws were just a prelude to a second bill, expected to be introduced in <strong>2022</strong>, that will impose<br />

positive security obligations on businesses, requiring them to develop risk management plans and reach<br />

certain cybersecurity standards. Under these laws, company directors could be made personally liable<br />

<strong>for</strong> cyber-attacks.<br />

I expect we’ll also see the Government move to make the payment of ransomware illegal – Labor has<br />

already introduced a bill that would require ransomware victims to disclose whenever they make a<br />

payment, and my sense is that both sides of the aisle are keen to disincentivise and defund hackers by<br />

criminalising payments altogether. (Whether or not this would actually help victims is a more complicated<br />

question.)<br />

In their totality, these laws could make the regulatory landscape more confusing and/or costly <strong>for</strong><br />

organisations that aren’t prepared <strong>for</strong> them. But they should also have the effect of raising the<br />

cybersecurity floor, and setting a new standard that, quite frankly, most organisations should be meeting<br />

already.<br />

In much the same way that tougher legal obligations made workplace health and safety a top priority <strong>for</strong><br />

employers, we’ll see businesses lift their game when it comes to cybersecurity, and start taking their<br />

stewardship of data more seriously in order to comply with new rules and regulations.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 77<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong>security will be treated as a company-wide responsibility<br />

I was recently speaking to the CEO of a large organisation with 10,000 employees. I asked him how<br />

many people were in his cybersecurity team – ‘10,000’, he responded, without missing a beat.<br />

That’s the attitude every employer should have moving <strong>for</strong>ward. <strong>Cyber</strong>security awareness and training<br />

<strong>for</strong> all staff will be absolutely crucial – because while not everyone on your team needs to be an IT<br />

professional or a cybersecurity specialist, everyone will need to be regularly briefed on the latest<br />

techniques being utilised by cybercriminals, and be aware of best practices.<br />

Businesses have never been more at risk, and the widening of attack surfaces that’s resulted from the<br />

COVID-19 pandemic is a major factor. With more employees using more of their own devices, it’s harder<br />

than ever to secure the perimeter.<br />

IBM and Ponemon’s Cost of a Data Breach Report 2021 found that data breaches are 17.5 per cent more<br />

costly where remote work is a factor, and that organisations that have more than half of their work<strong>for</strong>ce<br />

working remotely take 58 days longer to identify and contain breaches, on average.<br />

That’s why every member of your team will need to be trained to make their connection more secure,<br />

and made aware of the importance of updating passwords and patches, avoiding public networks,<br />

backing up data regularly, and recognising the signs of social engineering scams like phishing emails.<br />

It’s always been the case that when it comes to cybersecurity, your people have the potential to be your<br />

biggest weakness – because if they can be tricked into granting access to an intruder, all the perimeter<br />

security and monitoring in the world won’t be able to protect your system from being compromised.<br />

But now, with the ever-increasing interconnectivity and borderless nature of the modern workplace, it’s<br />

more important than ever that every link in your chain is as strong as it can be.<br />

<strong>Cyber</strong>criminals are becoming more professional, and more predatory<br />

It’s no secret that ransomware is on the rise. In June 2021, the Director-General of the Australian Signals<br />

Directorate told the Parliamentary Joint Committee on Intelligence and Security there had been a 60 per<br />

cent increase in ransomware attacks on Australian businesses over the previous 12 months.<br />

What’s less understood is the fact that the organisations behind these attacks are becoming increasingly<br />

sophisticated. Rather than operating as lone wolves, hackers have developed cyber cartels that operate<br />

much like the mafia, collaborating as affiliates to pool resources, pass on stolen data, and exploit security<br />

vulnerabilities within hours of their disclosure.<br />

The tradecraft of ransomware is evolving at a rapid rate. In 2020, ransomware group REvil popularised<br />

the tactic known as double extortion, which not only requires organisations to pay a ransom to unlock<br />

their files, but also requires them to pay an additional ransom to prevent those files being leaked.<br />

The double extortion tactic quickly became ubiquitous, and has now evolved into triple extortion, in which<br />

ransom demands are also directed at a victim's clients or suppliers – a method we expect to see plenty<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 78<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

of in <strong>2022</strong>. In effect, ransomware has become less of a singular attack, and more of a series of rolling<br />

demands springing <strong>for</strong>th from the initial intrusion.<br />

<strong>Cyber</strong> cartels have also begun offering ransomware-as-a-service (RaaS) to would-be cybercriminals<br />

lacking the expertise to pull off attacks on their own, even going so far as to provide them with 24/7<br />

technical support, in return <strong>for</strong> a slice of the unskilled attacker’s profits. This has effectively lowered the<br />

barrier to entry to the ‘industry’ – and the more cybercriminals are active, the greater the chance that your<br />

organisation may be targeted.<br />

A major factor in the increasing complexity and professionalisation of these cartels is that many of them<br />

operate freely within nation states that are willing to turn a blind eye to their activities, and even provide<br />

them with tacit support.<br />

These ‘contract hackers’ are carrying out state-sponsored activities, while at the same time extorting<br />

businesses <strong>for</strong> their own financial gain. In 2021, the United States took the unprecedented step of naming<br />

and shaming the Chinese government as the benefactors of the hackers responsible <strong>for</strong> the Microsoft<br />

Exchange attack – but the cyber cold war has only gotten hotter since then, and you can expect more<br />

high-profile breaches and raids on hospitals, universities and state-owned utilities in <strong>2022</strong>.<br />

Supply chain attacks are set to escalate<br />

It’s one thing to ensure your own organisation is secure. But in <strong>2022</strong>, we can expect to see attacks on<br />

supply chains – including widely used software products and services – expand in scope and frequency.<br />

In 2021, the high-profile Solar Winds and Kaseya hacks helped to popularise this attack vector. Closer<br />

to home, a recent attack on external payroll software provider Frontier Software enabled hackers to<br />

access the records of up to 80,000 South Australian government employees, including their names, dates<br />

of birth, tax file numbers, home addresses, bank account details, remuneration and superannuation<br />

contributions. The records, which were stolen and published on the dark web, may even have included<br />

Premier Steven Marshall’s details.<br />

The PWC <strong>2022</strong> Global Digital Trust Insights Survey, which polled 3,602 high-ranking business,<br />

technology, and security executives around the world, found that 56 per cent of respondents are<br />

expecting a rise in breaches via their software supply chain in <strong>2022</strong>.<br />

The advantage of this approach, from an attacker’s point of view, is that they can compromise a large<br />

number of organisations in one hit, making the potential reward <strong>for</strong> a successful attack quite significant.<br />

The downside <strong>for</strong> you is that your organisation might be one of those affected, even if you may never<br />

have previously been on the attacker’s radar.<br />

Given the high risk of collateral damage if a supplier falls victim to an attack, it will be up to organisations<br />

to closely scrutinise the security credentials and protocols of the third-party vendors they entrust with<br />

access to their data.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 79<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> insurance will become harder to obtain<br />

Given the increasing frequency of cyber attacks, and the losses that organisations stand to incur if their<br />

data is compromised, it makes sense that cyber insurance has become highly sought after.<br />

The problem is that most insurers never had any real risk matrix <strong>for</strong> cybercrime, and there<strong>for</strong>e no real<br />

sense of what they’d be left paying out. As ransomware has gone through the roof, they’ve been left<br />

scrambling to put limits on the coverage they’re willing to offer.<br />

<strong>Cyber</strong> insurance premiums <strong>for</strong> Australian businesses have shot up by up to 30 per cent, and are expected<br />

to keep rising in <strong>2022</strong>. Some insurers are refusing to take on new clients, or capping their coverage at<br />

about half of what they used to offer.<br />

To obtain coverage at reasonable rates in <strong>2022</strong> and beyond, organisations will need to be able to<br />

demonstrate that they meet strict cybersecurity standards and are following best practices, which may<br />

include providing cyber security education <strong>for</strong> all employees, using multi-factor authentication,<br />

implementing zero trust policies, securely backing up and encrypting their data, and having data breach<br />

incident response plans in place.<br />

Of course, my stance is that cyber insurance should only be used as a last resort, and that organisations<br />

should have these policies and practices in place anyway – because if there’s one thing we know <strong>for</strong> sure<br />

about cyber security in <strong>2022</strong>, it’s that cyber criminals aren’t going to take the next year off, so you can’t<br />

af<strong>for</strong>d to, either.<br />

About the Author<br />

Jamie Wilson is the founder and chairman of Cryptoloc,<br />

recognized by Forbes as one of the 20 Best <strong>Cyber</strong>security<br />

Startups to watch in 2020. Headquartered in Brisbane,<br />

Australia, with offices in Japan, US, South Africa and the UK,<br />

Cryptoloc have developed the world’s strongest encryption<br />

technology and the world’s safest cybersecurity plat<strong>for</strong>m,<br />

ensuring clients have complete control over their data. Jamie<br />

can be reached online at www.linkedin.com/in/jamie-wilson-<br />

07424a68 and at www.cryptoloc.com<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 80<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Detect Ransomware Data Exfiltration Immediately<br />

By Randy Reiter CEO of Don’t Be Breached<br />

Ransomeware Attacks Have Increased During the COVID-19 Pandemic<br />

An off-site work<strong>for</strong>ce has resulted in new security concerns since hackers now have many new ways to<br />

penetrate conventional security defenses. Ransomware gangs often go undetected <strong>for</strong> weeks or months<br />

once they have gained high level access to an organization’s network, servers and databases. The<br />

ransomware gang may try to move laterally across other systems in an organization to access as much<br />

confidential data as possible. Ransomeware attacks in the financial industry <strong>for</strong> example increased by<br />

1,300% in 2021.<br />

Prior to issuing a demand <strong>for</strong> a ransomware payment from an organization the hacker group has almost<br />

always already exfiltrated confidential database data from the organization. The exfiltrated data is then<br />

later sold on the Dark Web to other ransomware groups even if a ransomware payment has been made<br />

to the original hacking group.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 81<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Ransomeware Hackers May Be Hidden in Your Network <strong>for</strong> Months<br />

• JBS May 31, 2021. JBS is one of the largest meat suppliers in the US. Hackers caused it to<br />

temporarily halt operations at its five largest US-based plants. The ransomware attack also<br />

disrupted the company's Australia and UK operations. JBS paid the hackers $11 million in<br />

ransom money. The hackers began with a reconnaissance phase in <strong>February</strong> 2021, followed<br />

by Data Exfiltration from March 1 to May 29, 2021.<br />

• Colonial Pipeline May 6, 2021. The largest refined’ products pipeline in the US went offline on<br />

May 6 h . The pipeline covers 5,500 miles and transports 100 million gallons of fuel daily. The<br />

hackers gained access to their network April 29. On May 6 Data Exfiltration began with the<br />

hackers stealing 100 gigabytes of data be<strong>for</strong>e locking Colonial Pipeline computers with<br />

ransomeware. The pipeline paid hackers $4.4 million in ransom money on May 7th.<br />

• CNA Financial March 23, 2021. CNA Financial, the seventh largest commercial insurer in the<br />

US announced it had sustained a sophisticated cybersecurity attack. CNA Financial eventually<br />

paid $40 million in May 2021 to get its data back.<br />

Conventional approaches to cyber security may not prevent Data Exfiltration and Data Breaches. In<br />

2020 the DHS, Department of State, U.S. Marine Corps and the Missile <strong>Defense</strong> Agency recognized this<br />

and all issued requests <strong>for</strong> proposals (RFP) <strong>for</strong> network full packet data capture <strong>for</strong> Deep Packet<br />

Inspection analysis (DPI) of network traffic. This is an important step <strong>for</strong>ward protecting confidential<br />

database data and organization in<strong>for</strong>mation.<br />

Zero-day vulnerabilities that allow hackers to gain system privileges are a major threat to all<br />

organizations encrypted and unencrypted confidential data. Confidential data includes: credit card, tax<br />

ID, medical, social media, corporate, manufacturing, trade secrets, law en<strong>for</strong>cement, defense, homeland<br />

security, power grid and public utility data. This confidential data is almost always stored in DB2,<br />

In<strong>for</strong>mix, MariaDB, Microsoft SQL Server, MySQL, Oracle, PostgreSQL and SAP Sybase databases.<br />

How to Stop Data Exfiltration and Data Breaches with Deep Packet Inspection<br />

Protecting encrypted and unencrypted confidential database data is much more than securing<br />

databases, operating systems, applications and the network perimeter against Hackers, Rogue Insiders<br />

and Supply Chain Attacks.<br />

Non-intrusive network sniffing technology can per<strong>for</strong>m a real-time Deep Packet Inspection (DPI) of<br />

100% the database activity from a network tap or proxy server with no impact on the database servers.<br />

The database SQL activity is very predictable. Database servers servicing 1,000 to 10,000 end-users<br />

typically process daily 2,000 to 10,000 unique queries or SQL commands that run millions of times a day.<br />

Deep Packet Analysis does not require logging into the monitored networks, servers or databases. This<br />

approach can provide CISOs with what they can rarely achieve. Total visibility into the database activity<br />

24x7 and 100% protection of confidential database data.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 82<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Advanced SQL Behavioral Analysis from DPI Prevents Data Exfiltration and Data Breaches<br />

Advanced SQL Behavioral Analysis of 100% of the real-time database SQL packets can learn what<br />

the normal database activity is. Now the database query and SQL activity can be non-intrusively<br />

monitored in real-time with DPI and non-normal SQL activity immediately pinpointed. This approach is<br />

inexpensive to setup and has a low cost of operation. Now non-normal database activity from Hackers,<br />

Rogue Insiders or and Supply Chain Attacks can be detected in a few milli seconds. The Security Team<br />

can be immediately notified and the Hacker session terminated so that confidential database data is not<br />

stolen, ransomed or sold on the Dark Web.<br />

About the Author<br />

Randy Reiter is the CEO of Don’t Be Breached a Sql Power Tools<br />

company. He is the architect of the Database <strong>Cyber</strong> Security Guard<br />

product, a database Data Breach prevention product <strong>for</strong> DB2, In<strong>for</strong>mix,<br />

MariaDB, Microsoft SQL Server, MySQL, Oracle, PostgreSQL, and SAP<br />

Sybase databases. He has a Master’s Degree in Computer Science and<br />

has worked extensively over the past 25 years with real-time network<br />

sniffing and database security. Randy can be reached online at<br />

rreiter@DontBeBreached.com, www.DontBeBreached.com and<br />

www.SqlPower.com/<strong>Cyber</strong>-Attacks.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 83<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Understanding Identity Detection and Response<br />

Identity Detection and Response (IDR) is a new enterprise cybersecurity method that relies on the use<br />

of identity-related in<strong>for</strong>mation to identify that a malicious attack campaign such as ransomware might<br />

be on-going on a corporate network.<br />

By Dr. Edward G. Amoroso Chief Executive Officer, TAG <strong>Cyber</strong> LLC<br />

Introduction<br />

<strong>Cyber</strong> defenders categorize security protections as either preventive or reactive. Preventive security,<br />

such as strong authentication, focuses on stopping something bad from happening. Reactive security,<br />

such as log analysis, deals with bad situations that have already commenced or completed.<br />

The prevention argument is that the cost and ef<strong>for</strong>t required to avoid a security problem will always be<br />

less than the corresponding cost and ef<strong>for</strong>t to respond and recover. The reactive argument is also familiar:<br />

Hacking is inevitable, goes the claim, so you’d better be ready to deal with problems as they occur.<br />

Regarding identities, which are central to every modern cybersecurity approach, the preventive aspect is<br />

controlled by identity and access management (IAM). Every practitioner will recognize IAM as consisting<br />

of the registration, administration, protection, and coordination of identities to support access policies to<br />

data and resources.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 84<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

In contrast, the corresponding reactive component <strong>for</strong> identities is just emerging. Known as identity<br />

detection and response (IDR), the new approach involves using metadata and telemetry from identities<br />

to detect, mitigate, and recover from enterprise attacks such as advanced persistent threats (APTs) and<br />

ransomware.<br />

<strong>Cyber</strong> Attack Progression<br />

Many attack strategies have been proposed including the MITRE ATT&CK framework 1 and the Lockheed<br />

Kill Chain 2 . The three-step process presented below simplifies these more complex models into the three<br />

most fundamental phases of every offensive cyber campaign.<br />

Phase 1: Accessing the Target<br />

The initial phase of any cyber breach involves exploiting weaknesses in an attack surface to enter a<br />

protected network, domain, system, or other entity. When crossing a perimeter, such access is referred<br />

to as a north-south connection, and firewall-based controls are designed to disallow such connection<br />

based on policy en<strong>for</strong>cement. Physical perimeters have recently been replaced with software-defined<br />

ones, but the control objective remains.<br />

Phase 2: Traversing the Target<br />

The second phase of a cyber breach involves lateral traversal and privilege escalation, often through<br />

theft and misuse of credentials and access to resources such as Microsoft Active Directory (AD). When<br />

this occurs slowly, we refer to the process as dwelling, and one of the toughest challenges <strong>for</strong> defenders<br />

involves minimizing attacker dwell time. This report makes the case that IDR offers hope that this<br />

challenge might be addressed.<br />

Phase 3: Consummating the Attack<br />

The final phase involves the attacker consummating the attack, either by exiting the targeted domain with<br />

stolen data, pushing the button on some integrity or availability attack, or otherwise taking whatever step<br />

is required to cause the intended consequence of the attack. Once this has occurred, the best that<br />

defenders can do is to respond, and this report also makes the case that IDR assists in this process.<br />

1<br />

https://attack.mitre.org/<br />

2<br />

https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 85<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Figure 1. Three-Phase Attack Process Model<br />

What is Identity Detection and Response?<br />

The identity detection and response (IDR) strategy involves focusing on obtaining evidence during the<br />

latter two attack phases shown in Figure 1 that an adversary is traversing the targeted entity and<br />

preparing to create unwanted consequences. IDR relies on the following strategic protection activities by<br />

enterprise defenders:<br />

Establishing Identity Visibility<br />

With the dissolution of the perimeter, identities have become the new basis <strong>for</strong> access management. As<br />

a result, visibility into identity-related attack activity in<strong>for</strong>mation is now a key source of attack surface risk<br />

and an indication that security anomalies might be present. This represents a major shift in how intrusion<br />

detection can be accomplished in the enterprise.<br />

Protecting Credentials<br />

One weak or exposed credential can open the door <strong>for</strong> an attacker. Identity security starts with finding<br />

and removing exposed credentials. Policy-based controls can also bind credentials to their credential<br />

stores and prevent misuse. Used in conjunction with concealment and deception technology,<br />

organizations can also prevent theft and misuse by hiding production credentials and using deception<br />

lures and fake artifacts to trick attacker tools and divert the attack to decoys.<br />

Addressing Directory Services<br />

For many enterprise teams, their most essential identity resource is Microsoft Active Directory (AD).<br />

Through AD, administrators create new users, groups, and domains to set up policy-based en<strong>for</strong>cement<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 86<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

of how PCs, laptops, and other Windows-based services are accessed and managed. Adversaries thus<br />

target AD to gain domain control. Given that it is intrinsically insecure, the success rate <strong>for</strong> exploits it is<br />

generally high.<br />

Focusing on Privileges<br />

A key activity in the attack strategy <strong>for</strong> malicious actors involves escalating privileges and entitlements<br />

during dwell time and lateral traversal across the targeted enterprise. For this reason, IDR must also<br />

focus on this privilege-based aspect of an offensive campaign to detect that an anomaly might be present,<br />

and that some security action will be required.<br />

Figure 2. A Plat<strong>for</strong>m Model <strong>for</strong> Identity Detection and Response (IDR)<br />

Commercial implementations of these IDR requirements are beginning to appear – and all seem to tout<br />

the benefits of early detection of lateral traversal, directory-based probing, and misuse of privileges.<br />

Enterprise security teams now understand that IDR is emerging as a new required area of control <strong>for</strong><br />

their network.<br />

Action Plan<br />

Security teams should develop a plan to determine how best to leverage IDR solutions to reduce cyber<br />

risk. While the context of each enterprise will vary based on its local systems and infrastructure, most<br />

teams will benefit by following the steps listed below.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 87<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Step 1: Review of Identity-Related Exposures and Data Collection<br />

The enterprise team should begin with an inventory of how identity-related vulnerability and live attack<br />

activity in<strong>for</strong>mation is being handled today to determine exposures, attack status, and posture. In many<br />

cases, the answer will be that this is not being done.<br />

Step 2: Vendor Assessment and Review<br />

The enterprise team is next advised to per<strong>for</strong>m a commercial IDR plat<strong>for</strong>m review. This usually involves<br />

proof-of-concept testing in either a realistic simulated environment or on a live production network.<br />

Step 3: Implementation Planning<br />

Implementation planning involves phased introduction, especially <strong>for</strong> larger, more complex organizations.<br />

The goal, of course, is to deploy IDR quickly to begin detecting identity-based exposures and lateral<br />

traversals that might be occurring in the enterprise.<br />

To learn more about IDR and what to pay attention to throughout the IDR selection and implementation<br />

process, check out my recent report sponsored by Attivo Networks. This report provides a plan <strong>for</strong><br />

determining how to use IDR <strong>for</strong> risk mitigation and highlights the practical use of this technology though<br />

the Attivo Networks plat<strong>for</strong>m.<br />

About the Author<br />

Dr. Edward Amoroso, Founder and CEO of TAG <strong>Cyber</strong>,<br />

is an experienced CEO, CSO, CISO, University<br />

Professor, Security Consultant, Keynote Speaker,<br />

Computer Science Researcher, and Prolific Author (six<br />

published books). Dr Amoroso is skilled in<br />

<strong>Cyber</strong>security, Network Architecture, Wide Area<br />

Network (WAN), Managed Services, and Network<br />

Design. He has a PhD in Computer Science from the<br />

Stevens Institute of Technology and is a graduate of Columbia Business School. He Directly served four<br />

Presidential Administrations in <strong>Cyber</strong>security, and now serves as a Member of the M&T Bank Board of<br />

Directors, Senior Advisor <strong>for</strong> the Applied Physics Lab at Johns Hopkins University, Adjunct CS Professor<br />

at the Stevens Institute of Technology, CS Department Instructor at New York University, and Member<br />

of the NSA Advisory Board (NSAAB). Dr. Amoroso can be reached at eamoroso@tag-cyber.com.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 88<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> Insurance: What Executives Need to Know Be<strong>for</strong>e<br />

Obtaining Coverage<br />

By Amanda Surovec, Director of Security Engagement and Claims, Resilience <strong>Cyber</strong> Insurance<br />

Solutions, and Shawn Melito, Chief Revenue Officer, BreachQuest<br />

Introduction<br />

In the last six months, cyber attacks increased by 29 percent worldwide, as thousands of global<br />

organizations and insurers can attest to. This trend has been a driving factor <strong>for</strong> the growth of cyber<br />

insurance, which has come a long way in the last twenty plus years. However, even then, cyber experts<br />

were raising the alarm on attacks, calling attention to how easy it was <strong>for</strong> hackers to successfully breach<br />

a system and how little legislation there was to ensure breaches were handled appropriately.<br />

Fast <strong>for</strong>ward twenty years and these concerns have developed into full-fledged crises. Technology, the<br />

internet and growth of the software as a service (SaaS) industry have led to the majority of sensitive<br />

customer and company data being located online, and hackers have come to understand the incredible<br />

value of this data. Not only is this in<strong>for</strong>mation essential to day-to-day operations but being breached can<br />

damage customer trust. With so much at stake, cyber insurance has become a top priority <strong>for</strong> many<br />

SaaS-based businesses, yet with the rise of cyber threats and a hardening of the insurance market,<br />

obtaining coverage is becoming more difficult.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 89<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Creating a Game Plan<br />

On a global scale, cybercrime is expected to reach $10.5 trillion annually by 2025, up from $3 trillion in<br />

2015. So, when is a company “ready” to purchase cyber insurance? We hear this question a lot in our<br />

line of work.<br />

To start, any company that uses a computer system and the internet as part of conducting its business,<br />

or collects personally identifiable in<strong>for</strong>mation (PII) of employees, clients, or third-parties, should be<br />

pursuing cyber insurance if they do not have it already. The specific type of coverage, and how much<br />

insurance a company should have, can vary greatly based on the size and industry of the organization.<br />

In order to determine what is best <strong>for</strong> your company, and to help you prepare to purchase cyber<br />

insurance, you should start with conducting a cyber risk assessment and request a technical consultation<br />

with security and insurance broker experts. This risk and technical assessment will help you determine<br />

any potential gaps or areas <strong>for</strong> improvement in your organizations’ cyber security program, and help you<br />

decide what kind and how much coverage to purchase.<br />

Once you determine your organizations’ specific cyber insurance needs, your insurance broker will help<br />

you find the right cyber insurance carrier to best serve those needs. Some cyber insurance carriers, such<br />

as Resilience, provide additional risk management benefits during the procurement process and<br />

throughout the policy period to help organizations secure coverage and better improve their cyber risk<br />

posture.<br />

Dress to Impress<br />

With a hardening cyber market, securing cyber insurance can be challenging <strong>for</strong> even security-conscious<br />

organizations. That said, even be<strong>for</strong>e coverage is secured, brokers and insurers work with existing and<br />

potential clients to mitigate cyber risk. Once it has been determined that your business is ready <strong>for</strong> cyber<br />

insurance, executives can work with them to navigate what security actions need to be taken to ensure<br />

that the cost/risk benefit of the insurance plan will be balanced.<br />

Those that want to secure coverage should be able to come to the table with a robust cyber security plan<br />

that details where their data is located and how they protect it. This might include analyzing and<br />

implementing tools like VPNs and Endpoint Detection and Response (EDR), reconfiguring system<br />

infrastructure, adding multi-factor authentication, segmenting data and networks to better control access<br />

to help mitigate doxxing attacks, and utilizing backup functionalities that are tightly air gapped.<br />

Once set-up, organizations need to test these environments. If security tooling is in place, but done so or<br />

configured incorrectly, hackers can still breach the system through known vulnerabilities or brute <strong>for</strong>ce<br />

attacks. However, testing can mitigate this drastically, as well as help an organization determine if<br />

vulnerability management and patching should be done in-house or be outsourced. Security teams<br />

should also be trained on how to monitor and patch systems, privacy protection protocols and how to<br />

identify phishing attempts. If they are unable, then these functions must be outsourced.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 90<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Keeping Premiums Low Once Coverage is Secured<br />

Once secured, cyber insurance premiums can be kept low on renewal by continuously improving upon<br />

pre-established security postures, a process that can greatly help prevent attacks, such as those from<br />

business email compromise or ransomware. Still, successful attacks happen and when they do, taking<br />

the proper steps to mitigate risk can help keep your premiums low.<br />

If a breach occurs and company data is being held <strong>for</strong> ransom, companies need to implement strict<br />

policies that restrict anyone at the organization from reaching out to the threat actor. We have seen many<br />

cases where someone on either the security or leadership team contacted the hacker and divulged<br />

in<strong>for</strong>mation that made the situation even harder to resolve. Examples include providing their names,<br />

company, whether they have a cyber insurance policy and the value of the data that was taken - giving<br />

more power to the hacker than intended. Keep in mind, hackers don’t always know who they have<br />

attacked and how valuable the data they found is. Instead, teams should contact an experienced recovery<br />

and remediation group, along with their cyber insurance company, to get assistance as quickly as<br />

possible. With this approach, experts can begin to rebuild company infrastructure even as negotiations<br />

play out. It might be counter-intuitive to get the bill running sooner, but at the end of the day, it is almost<br />

always the most cost-effective option. This act reduces the potential business interruption claim, gets a<br />

head start on recovery and identifies systems that could be re-built or upgraded vs. paid to unlock faster.<br />

Having your counsel work with regulators when breached has also become more essential than ever.<br />

Most recently, in September 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control<br />

(OFAC) produced an updated advisory on the use of digital currencies in ransomware attacks and other<br />

financial crimes, discouraging companies from simply paying the ransom to regain operational control<br />

after a successful ransomware attack. While these advisories are aimed at the payment of ransoms to<br />

sanctioned entities, it also may address the ballooning of ransom demands and spiking cyber insurance<br />

costs over the past year.<br />

In working with the client, their counsel, an IR firm and the insurer, the decision to pay a ransom is always<br />

determined on a case-by-case basis, and only after an expert analysis of the situation can be compiled<br />

and payment due diligence completed. While there are still times when a ransom is paid, more and more<br />

often, companies are alternatively using the resources provided by their insurer to remediate and rebuild.<br />

Even with much of the cyber insurance landscape still in flux, opting into cyber insurance can provide a<br />

sense of security if a victim of a cyber attack. It can help companies recover after a data breach when<br />

thousands or even millions of dollars are accrued from business disruption, revenue loss, legal fees,<br />

<strong>for</strong>ensic analysis and more. To best obtain cyber insurance, working directly with brokers and insurers<br />

that can provide advice <strong>for</strong> setting up security tooling and processes and protocols can be a huge boon<br />

<strong>for</strong> candidates. Even as coverage is secured, keeping premiums low can be addressed by maintaining<br />

and improving upon internal and external security practices, which can help mitigate risk further, making<br />

your systems protected from the majority of inevitable attacks. And, should a breach occur, calling your<br />

broker, insurance agent and associated firms at the first sign of a breach, such as remediation and<br />

recovery or those well-versed in OFAC regulations, will enable businesses to get back online faster, with<br />

more business value intact.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 91<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

About the Author<br />

Amanda Surovec is the Director of Security Engagement and<br />

Claims <strong>for</strong> Resilience <strong>Cyber</strong> Insurance Solutions where she<br />

oversees client onboarding and the Resilience Ransomware War<br />

Game Table Top Exercises. Previously, Surovec served as a<br />

claims manager at Beazley and as a claims specialist at Sphere<br />

Risk Partners. Surovec attended Penn State University where she<br />

earned a BA in Human Development and Family Studies.<br />

Shawn Melito serves as Chief Revenue Officer <strong>for</strong> BreachQuest.<br />

He is responsible <strong>for</strong> marketing and business development<br />

activities as they relate to the cyber insurance community,<br />

including breach coaches, cyber insurance companies and<br />

brokers. He brings over 20 years of management experience to<br />

his role. Previously, Shawn was a managing director <strong>for</strong> Kivu<br />

Consulting and a management consultant, in<strong>for</strong>mation systems<br />

analyst, and business unit leader <strong>for</strong> NPC’s Immersion Data<br />

Breach Response Service group, a leading notification and call<br />

center service provider to the cyber insurance community. He is<br />

a certified in<strong>for</strong>mation privacy professional (CIPP/US) through<br />

the International Association of Privacy Professionals (IAPP) and<br />

a previous member of their Canadian Advisory Board. He has<br />

chaired and spoken at many cyber insurance industry<br />

conferences. Shawn has a B.A. from the University of Toronto<br />

and an M.B.A. from the Richard Ivey School of Business in<br />

London, Ontario.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 92<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Data Security Must Be a Priority as Employees Quit in<br />

Record Numbers<br />

By Tim Sadler, Co-founder and CEO, Tessian<br />

The massive labor upheaval that dominated headlines in 2021 shows no signs of slowing down. The<br />

latest U.S. jobs report showed that 4.5 million people voluntarily left their jobs in November of 2021, a<br />

record high. Whether you call it the Great Resignation, Great Re-evaluation or Great Reshuffle, it’s not<br />

easing any time soon— and it could be a major data security risk <strong>for</strong> companies.<br />

Many companies are hiring remote employees to fill the gaps left by record turnover, creating a wider<br />

surface area that must be secured. Meanwhile, the influx of employees coming into or leaving an<br />

organization provides opportunity <strong>for</strong> more data breaches. This can have serious consequences, from<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 93<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

potential compliance violations and regulatory fines to a loss of customer trust. Data security must be a<br />

central focus <strong>for</strong> IT and security teams as we continue to see the impact of an uncertain labor market.<br />

Mid-career employees are resigning— and taking data with them<br />

Turnover trends have shifted since the start of the pandemic. Rather than early-career employees who<br />

dropped out of the work<strong>for</strong>ce early on to pivot their careers or pursue passion projects, turnover rates are<br />

now highest among mid-career employees. These employees are likely to be very knowledgeable and<br />

experienced in their role. They’re looking <strong>for</strong> more flexibility, better benefits and salary, or a company<br />

mission that aligns with their values.<br />

What does this mean <strong>for</strong> security? Mid-career employees are more likely to have a detailed knowledge<br />

of an organization’s products, processes and customers. What’s more, they may have greater access to<br />

sensitive (and potentially lucrative) data.<br />

Data exfiltration is a widespread problem when employees leave a company. A Tessian report found that<br />

45% of employees said they’ve “stolen” data be<strong>for</strong>e leaving or after being dismissed from a job. The<br />

Verizon Data Breach Investigations Report found that 72% of staff take some company data with them<br />

when they move on, although it isn’t always intentional. They also found that 70% of intellectual property<br />

theft occurs within the 90 days be<strong>for</strong>e an employee’s resignation announcement.<br />

Fortunately, there are signs that security teams can look out <strong>for</strong> to help spot and avoid data exfiltration.<br />

The key is to look <strong>for</strong> anomalous behavior; <strong>for</strong> example, major changes in email activity, an employee<br />

accessing documents or files at odd hours, or an increase in data transfers. Email is a popular method<br />

<strong>for</strong> these exfiltration attempts— employees will often email files or documents to a personal address—<br />

so securing this channel be<strong>for</strong>e a turnover surge is crucial. It’s also important <strong>for</strong> security and IT teams<br />

to be involved in the offboarding process to adjust data access privileges when someone resigns or<br />

changes their role.<br />

New staff are vulnerable to external security threats<br />

New employees who are hired to replace staffing gaps are often vulnerable to external threats like<br />

phishing and social engineering attacks. This is because they may not have met all their colleagues in<br />

person, while remote employees may be even less familiar with their colleagues and less able to verify a<br />

legitimate request. Malicious actors know this and will specifically target new employees in spear phishing<br />

and social engineering attacks.<br />

How do malicious actors know who has started a new job recently? All it takes is a quick search on social<br />

media. A report from Tessian found that 93% of U.S. employees post about a new job on social media<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 94<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

sites like Facebook or LinkedIn. <strong>Cyber</strong>criminals use this in<strong>for</strong>mation to develop targeted scams designed<br />

to trick new employees into sharing valuable data or login credentials, and even wiring money.<br />

According to the FBI, $26 billion has been lost to these kinds of business email compromise attacks since<br />

2016. In one costly example, a scammer posed as the CEO to trick an employee into transferring $17.2<br />

million to a Shanghai bank account as part of a fake deal to acquire another company. New employees<br />

in particular may not be familiar with their new CEO and what type of request is abnormal or suspicious,<br />

so it’s important to train them quickly and effectively.<br />

Comprehensive cybersecurity training should be part of the early onboarding process <strong>for</strong> all new<br />

employees to help avoid these data security risks. Training should be tailored specifically to the unique<br />

needs and risk factors of new and remote employees and delivered in real-time rather than at mandatory<br />

quarterly trainings. Basic security hygiene can also be effective at preventing data loss. New and existing<br />

employees should be consistently reminded of best practices and what to look <strong>for</strong> in a suspicious email.<br />

Data security and hiring challenges are intertwined<br />

No matter the issue — hiring new staff, addressing turnover, or preventing burnout among employees<br />

that stay in their roles — IT and security teams must be brought in so that data security impacts are<br />

<strong>for</strong>eseen and addressed. In these instances, securing the “human layer,” or the employees that handle<br />

a company’s most sensitive data, should be a priority.<br />

Securing important communications channels like email and establishing real-time, automated<br />

cybersecurity training <strong>for</strong> employees is an important part of the solution. Empower employees to work<br />

both productively and securely by making them part of the solution. Encourage them to report mistakes<br />

or suspicious activity to the IT and security team without fear of repercussions. When an employee<br />

resigns, make sure to walk through data security policies and set clear expectations to avoid inadvertent<br />

exfiltration. By building these processes into the full lifecycle of an employee’s experience, organizations<br />

can help prevent The Great Resignation from turning into a data security nightmare.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 95<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

About the Author<br />

Tim is the CEO and co-founder of Tessian. He holds three<br />

Masters degrees in design, engineering and innovation from<br />

Imperial College and <strong>for</strong>merly worked in HSBC's Global<br />

Banking division. Learn more about Tim on Twitter and at<br />

Tessian.com.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 96<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Why Building Managers Need to Prioritize <strong>Cyber</strong>security<br />

By Shaun Cooley, Founder and CEO of Mapped<br />

In an age increasingly dominated by the internet of Things (IoT), buildings have become elaborate<br />

networks of software and hardware designed to monitor and control complex mechanical and operational<br />

systems. Building owners and operators rely on teams of suppliers to install and integrate these systems,<br />

often across multiple properties. These systems improve the quality of the building <strong>for</strong> users and<br />

managers alike. However, each time a supplier connects to your system, that connection can expose<br />

your building to security threats that can proliferate across your entire portfolio. There are several critical<br />

ways that cyber attackers can use devices to access a building’s systems, including:<br />

●<br />

●<br />

●<br />

Open ports that connect to all systems in a building<br />

Remote support and software update connections<br />

Search engines like Shodan that can identify servers that are connected to the internet<br />

There is always a level of risk to integrating, managing and updating a building’s myriad systems. You<br />

can’t reliably predict the security habits of multiple vendors and managing their systems involves more<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 97<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

than en<strong>for</strong>cing physical security. The cloud is a wonderful asset, but multiple connections magnify the<br />

possibility of security breaches.<br />

The solution? Move your perimeter to the cloud<br />

A secure cloud plat<strong>for</strong>m that manages access to your systems will improve your security profile and<br />

reduce risk to your systems. To help mitigate these potential security threats, there are certain key<br />

features you should look <strong>for</strong> in a cloud solution. These include:<br />

Streamlined access to your systems A cloud plat<strong>for</strong>m with a single cloud API decreases<br />

security vulnerabilities because it reduces the number of access points to one. Your suppliers<br />

integrate their systems through the cloud API instead of ports in multiple buildings. This eliminates<br />

physical access to your systems and significantly reduces the threat of an on-premises attack.<br />

Integration with all the devices, systems, and sensors in your environment A building can<br />

have 50 or more different systems, including BAS, HVAC, lighting controls, Wi-Fi, digital signage<br />

and more. Your solution should be able to integrate all your systems and provide visibility and<br />

fine-grain control of the data flow between building systems, devices, sensors, and applications.<br />

Monitoring capabilities You should be able to track and monitor the current state of all<br />

environments and control data accessed by internal and external entities. A viable solution should<br />

have the capability to monitor your environments <strong>for</strong> operational data, firmware and other updates.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 98<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

It should also provide the means <strong>for</strong> peer communications as an ideal source <strong>for</strong> detecting<br />

unexpected changes to the environment and establishing zero-trust policy. You will be able to<br />

quickly identify any fluctuations in access or data flow that could signal a cyberattack.<br />

Visibility and fine-tuned control of data When you’re collecting data from multiple vendors, you<br />

can lose sight of where data is originating, transiting, and landing in your system. A solution should<br />

let you tag data <strong>for</strong> easy identification and provide controls that determines who can access the<br />

data.<br />

Some solutions provide account-level access to data types, but that leaves a security gap when it comes<br />

to giving access to actual data. A preferred solution is one where you can tag the data by location, system<br />

type, or personal identifiable in<strong>for</strong>mation (PII). For example, if data from a badge reader is tagged as PII,<br />

you should be able to identify and limit access to that in<strong>for</strong>mation.<br />

Protection through a single, secure pipeline solution<br />

Suppliers plug devices into building systems without thinking of the impact to your overall system. The<br />

lack of security protocols that led to the Target attack back in 2013 hasn’t remained an isolated incident.<br />

In 2020, hackers attacked building access control systems and downloaded malware that turned the<br />

system into a distributed denial-of-service (DDoS) bot.<br />

As ransomware and other attacks continue to rise, you need a dynamic solution to monitor and protect<br />

your environment. A secure and reliable API can change the dynamic <strong>for</strong> managing complex<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 99<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

environments. Moving access from your physical environment to a cloud plat<strong>for</strong>m with a single point of<br />

access and secure encryption can reduce risk and protect your systems.<br />

About the Author<br />

Shaun Cooley is the Founder and CEO of Mapped, the first data<br />

infrastructure plat<strong>for</strong>m <strong>for</strong> commercial and industrial IoT (Internet<br />

of Things). In his prior role as VP.CTO <strong>for</strong> Cisco’s Internet of<br />

Things (IoT) Business, he was responsible <strong>for</strong> Cisco’s long-term<br />

IoT technology strategy. This included shaping product<br />

architecture, security, privacy, and technology partnerships, as<br />

implemented by Cisco’s IoT business, advising governments on<br />

IoT regulation, driving Cisco’s participation in IoT related<br />

standards bodies and consortia, and championing innovation to<br />

solve existing or anticipated industry needs.<br />

Prior to joining Cisco, Shaun was a Distinguished Engineer <strong>for</strong> Norton, by Symantec, where he was a<br />

driving <strong>for</strong>ce in Norton’s shift from utilities to security. Over his 18-year tenure, Shaun contributed to the<br />

creation and advancement of offerings in the Norton portfolio – a product portfolio that produces over $2<br />

Billion in annual revenue.<br />

Shaun has over 25 years of industry experience, holds a master’s degree in computer science from<br />

University of Illinois, and is a Certified In<strong>for</strong>mation Systems Security Professional (CISSP). He is named<br />

inventor on 121 issued United States patents with over 100 more pending. He is an active angel investor<br />

and a start-up mentor through Acceleprise SF and advisor <strong>for</strong> Deep Angels. Shaun was previously a<br />

director of the Open Connectivity Foundation and <strong>for</strong>mer board member of Attivo Networks.<br />

Shaun can be reached on Twitter at @shauncooley and, and more in<strong>for</strong>mation can be found about<br />

Mapped at mapped.com.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 100<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 101<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 102<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 103<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 104<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 105<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 106<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 107<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 108<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 109<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 110<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 111<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 112<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 113<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 114<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 115<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 116<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 117<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 118<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 119<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 120<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 121<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 122<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong><strong>Defense</strong>.TV now has 200 hotseat interviews and growing…<br />

Market leaders, innovators, CEO hot seat interviews and much more.<br />

A division of <strong>Cyber</strong> <strong>Defense</strong> Media Group and sister to <strong>Cyber</strong> <strong>Defense</strong> Magazine.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 123<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Free Monthly <strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> Via Email<br />

Enjoy our monthly electronic editions of our Magazines <strong>for</strong> FREE.<br />

This magazine is by and <strong>for</strong> ethical in<strong>for</strong>mation security professionals with a twist on innovative consumer<br />

products and privacy issues on top of best practices <strong>for</strong> IT security and Regulatory Compliance. Our<br />

mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best<br />

ideas, products and services in the in<strong>for</strong>mation technology industry. Our monthly <strong>Cyber</strong> <strong>Defense</strong> e-<br />

Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare<br />

arena plus we’ll in<strong>for</strong>m you as next generation and innovative technology vendors have news worthy of<br />

sharing with you – so enjoy. You get all of this <strong>for</strong> FREE, always, <strong>for</strong> our electronic editions. Click here<br />

to sign up today and within moments, you’ll receive your first email from us with an archive of our<br />

newsletters along with this month’s newsletter.<br />

By signing up, you’ll always be in the loop with CDM.<br />

Copyright (C) <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G.<br />

SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a<br />

<strong>Cyber</strong><strong>Defense</strong>Awards.com, <strong>Cyber</strong><strong>Defense</strong>Magazine.com, <strong>Cyber</strong><strong>Defense</strong>Newswire.com,<br />

<strong>Cyber</strong><strong>Defense</strong>Professionals.com, <strong>Cyber</strong><strong>Defense</strong>Radio.com and <strong>Cyber</strong><strong>Defense</strong>TV.com, is a Limited Liability<br />

Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465, <strong>Cyber</strong><br />

<strong>Defense</strong> Magazine® is a registered trademark of <strong>Cyber</strong> <strong>Defense</strong> Media Group. EIN: 454-18-8465, DUNS#<br />

078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com<br />

All rights reserved worldwide. Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved. No part of this<br />

newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying,<br />

recording, taping or by any in<strong>for</strong>mation storage retrieval system without the written permission of the publisher<br />

except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of<br />

the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may<br />

no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect<br />

the views of the publisher, and the publisher hereby disclaims any responsibility <strong>for</strong> them. Send us great content<br />

and we’ll post it in the magazine <strong>for</strong> free, subject to editorial approval and layout. Email us at<br />

marketing@cyberdefensemagazine.com<br />

<strong>Cyber</strong> <strong>Defense</strong> Magazine<br />

276 Fifth Avenue, Suite 704, New York, NY 1000<br />

EIN: 454-18-8465, DUNS# 078358935.<br />

All rights reserved worldwide.<br />

marketing@cyberdefensemagazine.com<br />

www.cyberdefensemagazine.com<br />


<strong>Cyber</strong> <strong>Defense</strong> Magazine - <strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> rev. date: 02/02/<strong>2022</strong><br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 124<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Books by our Publisher: https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guys-ebook/dp/B07KPNS9NH<br />

(with others coming soon...)<br />

10 Years in The Making…<br />

Thank You to our Loyal Subscribers!<br />

We've Completely Rebuilt <strong>Cyber</strong><strong>Defense</strong>Magazine.com - Please Let Us Know What You Think. It's mobile<br />

and tablet friendly and superfast. We hope you like it. In addition, we're past the five nines of 7x24x365<br />

uptime as we continue to scale with improved Web App Firewalls, Content Deliver Networks (CDNs)<br />

around the Globe, Faster and More Secure DNS and <strong>Cyber</strong><strong>Defense</strong>Magazine.com up and running as an<br />

array of live mirror sites and our new B2C consumer magazine <strong>Cyber</strong>SecurityMagazine.com. Millions of<br />

monthly readers and new plat<strong>for</strong>ms coming…starting with www.cyberdefenseconferences.com this<br />

month…<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 125<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 126<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 127<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 128<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 129<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>February</strong> <strong>2022</strong> <strong>Edition</strong> 130<br />

Copyright © <strong>2022</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!