Cyber Defense eMagazine February Edition for 2022

How Criminals Have Migrated Through 

Identity Theft and Privacy into Cyber Attacks 

The Top 5 Cloud Security Predictions for 2022 

Mitigating Risk from Insider Threats in 2022 

Responding To the Ransomware Pandemic 

…and much more… 

Cyber Defense eMagazine – February 2022 Edition 1 

Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.

CONTENTS 

Welcome to CDM’s February 2022 Issue -------------------------------------------------------------------------------- 6 

How Criminals Have Migrated Through Identity Theft and Privacy into Cyber Attacks ------------------- 17 

By P. William Zivanchev, Executive Director, Institute of Consumer Financial Education 

The Top 5 Cloud Security Predictions for 2022 ----------------------------------------------------------------------- 24 

By Amit Shaked, CEO, Laminar 

Cybercriminals Hunt For Medical Data. Zero Trust As The Only Good Option To Keep The Healthcare 

System Secure ---------------------------------------------------------------------------------------------------------------- 28 

By Tomasz Kowalski, CEO, Secfense 

How Do I Reliably Identify You If I Cannot See You? --------------------------------------------------------------- 31 

By John Callahan, CTO, VeridiumID 

How To Improve Federal Endpoint Detection and Response Tactics and Gain Network Visibility ----- 35 

By Matt Marsden, Vice President, Technical Account Management, Federal, Tanium 

Decision Trees in Case of a Ransomware Attack -------------------------------------------------------------------- 39 

By Zsolt Baranya, Information Security Auditor, Black Cell Ltd. 

Mitigating Risk from Insider Threats in 2022 ------------------------------------------------------------------------ 42 

By Isaac Kohen, Teramind 

Web Application Penetration Testing Checklist with OWASP Top 10 ------------------------------------------ 46 

By Ankit Pahuja, Marketing Lead & Evangelist at Astra Security 

5 Ways to Protect Your Workplace from Cybersecurity Threats ------------------------------------------------ 52 

By Nicole Allen, Marketing Executive, Salt Communications 

Today's Digital Battlefield Demands Resilience Beyond Infrastructure --------------------------------------- 57 

By Mohammed Al Mohtadi, Cyber Information Security Officer, Injazat 

Why Ransomware is Only a Symptom of a Larger Problem ------------------------------------------------------ 61 

By Jeff Palatt, Vice President, Technical Advisory Services at MOXFIVE 

Responding To the Ransomware Pandemic -------------------------------------------------------------------------- 64 

By Tom McVey, Solution Architect, Menlo Security 

Killware is the Next Big Cybersecurity Threat ------------------------------------------------------------------------ 67 

By Brian Erickson, Vice President or Strategy and Solutions and retired U.S. Navy Captain, Vidoori 



Combining True MDR & SOC for Robust Cybersecurity ------------------------------------------------------------ 71 

By Jon Murchison, Founder and CEO, Blackpoint Cyber 

The Cybersecurity Trends You Need to Know About In 2022 ----------------------------------------------------- 76 

By Jamie Wilson, MD & Founder, Cryptoloc Technology Group 

Detect Ransomware Data Exfiltration Immediately --------------------------------------------------------------- 81 

By Randy Reiter CEO of Don’t Be Breached 

Understanding Identity Detection and Response ------------------------------------------------------------------- 84 

By Dr. Edward G. Amoroso Chief Executive Officer, TAG Cyber LLC 

Cyber Insurance: What Executives Need to Know Before Obtaining Coverage ----------------------------- 89 

By Amanda Surovec, Director of Security Engagement and Claims, Resilience Cyber Insurance Solutions, and 

Shawn Melito, Chief Revenue Officer, BreachQuest 

Data Security Must Be a Priority as Employees Quit in Record Numbers ------------------------------------- 93 

By Tim Sadler, Co-founder and CEO, Tessian 

Why Building Managers Need to Prioritize Cybersecurity -------------------------------------------------------- 97 

By Shaun Cooley, Founder and CEO of Mapped 



@MILIEFSKY 

From the 

Publisher… 

Dear Friends, 

We’ll be celebrating our 10 th Year in business and of our Global InfoSec Awards and as a 

The view from the Publisher’s desk is very encouraging, based on celebrating 10 years of growth and 

success at Cyber Defense Magazine! 

When our tiny team began our journey at Cyber Defense Media Group (CDMG) together in January 2012, 

we were happy to help smaller, lesser-known innovators of infosec, get their message out there and Rise 

Above the noise. Now, after 10 years, we’re even helping multi-billion-dollar companies and 

governments around the globe with our offices in D.C., London, N.Y. and other locations in play, as we 

continue to scale, thanks to you – our readers, listeners, viewers and media partners. 

Beyond the magazine, in response to the demands of our markets, the scope of CDMG’s activities has 

grown into many media endeavors. They now include Cyber Defense Awards; Cyber Defense 

Conferences; Cyber Defense Professionals (job postings); Cyber Defense TV, Radio, and Webinars; and 

Cyber Defense Ventures (partnering with investors). 

Please check them out and see how much more CDMG has to offer! 

The full list, with links, can be accessed at: 

https://www.cyberdefensemagazine.com/cyber-defense-media-group-10-year-anniversary-dailycelebration-in-2022/ 

Warmest regards, 

Platinum Media Partner of RSA Conference on June 06 – 09 , 2022 – See You There! 

Gary S.Miliefsky, CISSP®, fmDHS 

CEO, Cyber Defense Media Group 

Publisher, Cyber Defense Magazine 

P.S. When you share a story or an article or information about 

CDM, please use #CDM and @CyberDefenseMag and 

@Miliefsky – it helps spread the word about our free resources 

even more quickly 



@CYBERDEFENSEMAG 

CYBER DEFENSE eMAGAZINE 

Published monthly by the team at Cyber Defense Media Group and 

distributed electronically via opt-in Email, HTML, PDF and Online 

Flipbook formats. 

InfoSec Knowledge is Power. We will 

always strive to provide the latest, most 

up to date FREE InfoSec information. 

Congratulations to our Outgoing 

International Editor-in-Chief 

For nearly all of the 10-year history of Cyber Defense Magazine, we 

have been very blessed and incredibly fortunate to count on the 

active participation and support of Pierluigi Paganini, in his capacity 

as our International Editor-in-Chief. While it is our loss, we 

celebrate Pierluigi’s career move, though he will no longer be 

available to serve Cyber Defense Magazine and our readers in that 

capacity. 

At the same time, we are pleased to assure our readers that we will 

continue to seek and publish relevant articles on cybersecurity 

developments in the international arena, as we continue to expand 

into new markets, globally. 

Pierluigi is a globally recognized cybersecurity leader and with 

bittersweet goodbye, working with him has always been 

amazing. He’s always on top of the latest cybersecurity news, 

trends and activities. 

On behalf of the entire team at Cyber Defense Media Group, please 

keep in touch and know that we will always consider CDMG your 

home, 

Yan Ross, Editor-in-Chief 

Gary S. Miliefsky, Publisher 

INTERNATIONAL EDITOR-IN-CHIEF & CO-FOUNDER 

Pierluigi Paganini, CEH 

Pierluigi.paganini@cyberdefensemagazine.com 

US EDITOR-IN-CHIEF 

Yan Ross, JD 

Yan.Ross@cyberdefensemediagroup.com 

ADVERTISING 

Marketing Team 

marketing@cyberdefensemagazine.com 

CONTACT US: 

Cyber Defense Magazine 

Toll Free: 1-833-844-9468 

International: +1-603-280-4451 

http://www.cyberdefensemagazine.com 

Copyright © 2022, Cyber Defense Magazine, a division of 

CYBER DEFENSE MEDIA GROUP 

1717 Pennsylvania Avenue NW, Suite 1025 

Washington, D.C. 20006 USA 

EIN: 454-18-8465, DUNS# 078358935. 

All rights reserved worldwide. 

PUBLISHER 

Gary S. Miliefsky, CISSP® 

Learn more about our founder & publisher at: 

http://www.cyberdefensemagazine.com/about-our-founder/ 

10 YEARS OF EXCELLENCE! 

Providing free information, best practices, tips, and techniques 

on cybersecurity since 2012, Cyber Defense magazine is your 

go-to-source for Information Security. We’re a proud division 

of Cyber Defense Media Group: 

CYBERDEFENSEMEDIAGROUP.COM 

MAGAZINE TV RADIO AWARDS 

PROFESSIONALS VENTURES WEBINARS 

CYBERDEFENSECONFERENCES 



Welcome to CDM’s February 2022 Issue 

From the Editor-in-Chief 

As the Cyber Defense Magazine team members take a look back at the first 10 years of the publication, 

we also look forward to developments expected in the future. 

This month we are pleased to feature an article from the Institute of Consumer Financial Education (ICFE) 

which provides a longer-term perspective, including the transition from identity theft as a distinct 

phenomenon to an integrated set of threats and responses involving many aspects of privacy and 

cybersecurity. 

We note the importance we place on perspectives and high-altitude ways to analyze and understand the 

interaction among technical professionals and organizations from very different parts of our society and 

economy. 

As a brief glance through the Table of Contents of this month’s issue will demonstrate, this is another 

way Cyber Defense Magazine keeps our readers current on emerging trends and solutions in the world 

of cybersecurity. That continues to be our guiding star in proceeding on this journey with our readers. 

Wishing you all success in your cybersecurity endeavors, 

Yan Ross 

US Editor-in-Chief 


About the US Editor-in-Chief 

Yan Ross, J.D., is a Cybersecurity Journalist & U.S. Editor-in-Chief of Cyber 

Defense Magazine. He is an accredited author and educator and has 

provided editorial services for award-winning best-selling books on a variety 

of topics. He also serves as ICFE's Director of Special Projects, and the author 

of the Certified Identity Theft Risk Management Specialist ® XV CITRMS® 

course. As an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, 

privacy, and cyber security for consumers and organizations holding sensitive personal information. You can reach 

him by e-mail at yan.ross@cyberdefensemediagroup.com 























How Criminals Have Migrated Through Identity Theft and 

Privacy into Cyber Attacks 

By P. William Zivanchev, Executive Director, Institute of Consumer Financial Education 

Introduction 

At first glance, readers may wonder why an article on identity theft appears in Cyber Defense Magazine, 

and why it comes from the Institute of Consumer Financial Education (ICFE). To understand today’s 

cyber criminal trends, it’s necessary to delve into the history of the phenomenon. 

For nearly 20 years, the ICFE has provided the premier identity theft risk management course for 

professionals working with consumers and businesses. ICFE is the certifying and publishing authority 

for the nationally recognized Certified Identity Theft Risk Management - CITRMS® course, a credential 

which has been earned by thousands of professional advisers and case workers. 

During that period, we have seen many changes in the threat landscape, but also many continuing trends 

in the ways in which cyber criminals operate and the ways in which defenders, both public and private, 

have responded. 



Three Types of Cyber Criminals 

Functionally, there continue to be three principal types of cyber criminals – and they are consistent with 

the three types of identity thieves: 

• Money-motivated criminals, who commit identity theft, privacy infractions, and cyber crimes for 

the financial payoff 

• State-sponsored and terrorist attackers, who desire to perpetrate disruptive effects on critical 

infrastructure systems and other vulnerable databases 

• Thrill-seekers, who find satisfaction in being able to interfere with the smooth operations and 

lives of individuals and organizations holding protected information, such as personally 

identifiable information (PII). 

High Tech versus High Touch 

Over the years, the main changes have been in the tools and methods the cyber criminals utilize to 

perpetrate their exploits. Mirroring these developments, the responses have tended to concentrate on 

exploit-by-exploit methods, rather than more generalized criminal actions. 

One interesting constant has been the phenomenon of social engineering, otherwise known as 

manipulation of the target in order to gain access to sensitive information to which the criminal is not 

authorized – and then to use that information to perpetrate identity fraud (unlawful use of the personal 

information accessed by identity theft). 

Phone Scams to Email and Text Scams 

For about the same time period as the ICFE has been engaged in the CITRMS® program, the Federal 

Trade Commission has been responsible for the administration of the “Do Not Call” list. It’s no 

coincidence that one of the principal means used by identity thieves is the spam call, in which the 

perpetrator pretends to be a family member or trusted organization seeking to extract sensitive 

information from the target individual or company. 

Many of the reported cases of identity theft begin with the call to the phone number of the target, using 

manipulative scripts to produce urgency and the desire to help in a critical situation – but resulting in the 

undue sharing of sensitive information. 

As the internet has augmented, or even replaced, conventional phone conversations, social engineering 

has leaped from spam calls to spam emails. These provocations typically involve some unrealistic offer 

or urgent message seemingly from a known party (but actually from the cyber criminal). 

And, of course, the proliferation of social media platforms and usage expands these types of provocative 

communication into text messaging (often referred to as “smishing” in the vernacular). 



Quite often the perpetrator claims to be calling or emailing from a government agency with urgent need 

to get information to maintain the target’s benefits or tax status; of course, Social Security and the Internal 

Revenue Service are the agencies most often cloned by the criminals. 

Also common is the hyperlink which appears to come from a legitimate source, often a company where 

the target already has an account, but directed to a bogus website where the target’s username and 

password are collected by the criminals; this information is then used to hijack the target’s real accounts. 

Privacy 

As identity theft threats have developed, an important aspect of the legal and regulatory response has 

arisen out of privacy concerns and consumer rights. This response started with the adoption of privacy 

laws by States and has become a focal point for federal action. 

In addition to setting standards and requirements for holders of protected sensitive information, broader 

provisions have been created, such as disclosure and notification standards and even private rights of 

action. Under private rights of action, affected parties whose sensitive information has been 

compromised due to failure on the part of the holders, can sue for damages directly rather than waiting 

for government fines or punitive actions. 

It’s easy to see how any failures in cybersecurity practices resulting in data breaches involving protect 

personal information can trigger the provisions and penalties of privacy laws and regulations. 

As a result, privacy initiatives have become a major driver with immediate effect on cyber practices. It’s 

worth noting that even compliance with privacy laws may not provide a complete shield against liability 

in the event of a breach. 

In the view of the ICFE, in identity theft risk management, substantial coverage of privacy issues is a 

necessity, especially as they affect vulnerable demographics, such as seniors, children, and veterans. 

ICFE is pleased to report that this emphasis on privacy issues has resulted in the acceptance for CE 

credit by the leading organization in the field, the International Association of Privacy Professionals. 

Enter Cyber Attacks and Cybersecurity 

By the time of the most recent update to the CITRMS® XV course, cybersecurity had developed to the 

point that the ICFE included a whole section on the topic. We were fortunate enough to count on Gary 

Miliefsky, Publisher of Cyber Defense Magazine, to provide that content for the course. 

At this juncture, ICFE is undertaking to launch an update and expansion of the CITRMS® course. 

This will include an enhanced section on Cybersecurity, developments in the attack vectors, public and 

private responses, and the implications for consumers, businesses, and organizations with the 

responsibility of maintaining the confidentiality, integrity, and accessibility of sensitive information. 



Defensive Measures 

In response to the continuation of new means used by criminals to gain access to protected 

information, both high-tech and granular methods of foiling such attacks have tended to focus on both 

resilience and sustainability. 

Of course, it’s important to prevent a cyber exploit in the first place. But it’s equally important to 

be able to recover in both the short term (resilience) and in the long term (sustainability). 

Organizationally, this generally translates to maintaining systems with such actions as software 

updates, education and training for all employees with access to the systems, and procedures to be 

followed diligently. A good example is the set of “Red Flag Rules” from the Federal Trade Commission 

to Identify, Detect, Protect and Mitigate, and Update (for the future). 

See: 

https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-howguide-business 

Also on the organizational level, but a with more granular focus, a fundamental requirement is initial and 

ongoing programs to train personnel to avoid falling into traps such as “clicking” on attachments from 

unknown or untrusted sources. 

Insider threats 

Personnel training addresses one aspect of insider threats, but there are several others which have 

resulted in the creation of an entire discipline of recognizing, identifying and responding to insider threats. 

They are divided into several categories, based on the individuals and their access to sensitive 

information. 

• Knowing v. Unwitting Vulnerabilities 

The insider threat is typically an employee or other individual (such as a volunteer in non-profit 

organizations) with access to records and files with personal sensitive information. A breach, or 

access by unauthorized parties, often occurs due to action or inaction by such an individual. The 

unwitting breach occurs when the person with access is manipulated into sharing a password, 

allowing physical viewing of sensitive information, or otherwise permits the breach. The “knowing” 

individual is aware of the unauthorized access and may be under threat or financial incentive to allow 

it to happen. 

• Bribery/Blackmail/Disgruntled Employee 

In the case of the “knowing” insider allowing a breach, there may be any of several reasons. Most 

commonly, the knowing party has been bribed, or threatened with some adverse action, of may be a 

disgruntled current or prior employee, depending on the circumstances. 



• Identity Access Management (IAM) 

Whether the vulnerability occurs under any of the above circumstances, an active Identity Access 

Management program is a necessity. With an IAM in place, authorization for access can be restricted, 

which in turn makes it more difficult for the criminal to gain access to sensitive information. 

Changes in levels of access should be imposed when a new employee comes on board, changes 

positions or responsibilities, leaves the organization, and in any case, on a periodic basis (just like 

periodically requiring updating passwords). 

Ransomware & Malware 

Ransomware and other malware are on the rise nearly everywhere accessible throughout the internet. 

The trend is away from simple data breaches and toward ransomware attacks. Malware in general is 

software which invades the systems of the target organization and either prevents them from operating 

as they are intended or gives access and control to the criminals. Ransomware is a more specialized 

attack where the cybercriminal demands payment for the data it has accessed and holds hostage to 

encryption or public disclosure. 

On a financial return basis, this makes sense. Under earlier data breach exploits, the criminals simply 

gained access to the personal information in the data bank of the target organization, then sold that 

information (usually on the Dark Web) based on the value of the data (financial, medical, etc.). 

Typically, the sale would take the form of an auction, in which various (known and unknown) parties 

would bid and make the purchase. That process is fraught with vulnerabilities, such as the means of 

payment and the trustworthiness of both parties to the transaction. 

In a ransomware attack, there’s just one motivated “buyer” for the safe return of the data held hostage 

by the criminal. The stakes are high, due to the way the ransomware operates. 

The cyber attacker gets 2 bites at the apple: deny access to the target organization; and threaten to make 

public the ransomed data. Either or both of these threats compromises the ability of target to continue 

as a going concern. 

How does this work in practice? Once the ransomware attack is in place, the attacker has full access to 

the underlying data and files. The next step is to notify the target organization that it no longer has access 

to its own information. Usually, the notification discloses that the data has been encrypted, and only by 

paying the ransom can the target get access again. 

Now there is an important trust issue: can the criminal be trusted to provide the decryption key or other 

means of returning access to the rightful owner? There is no reliable information or statistic on this 

question, due to the secrecy involved in the ransom process, as might be expected. Even payment of 

the demanded ransom cannot assure the safe return of the hijacked data. 

If it turns out that the target organization has viable back-up files of the breached data, the attacker can 

fall back to the secondary position of demanding payment to refrain from making all the sensitive 



information public. If course, such disclosure would undermine the trusted relationship between the 

target organization and its customers and clients. That’s why it continues as a threat to the survival of 

the breached organization. 

How difficult is it for criminals to get ransomware? Unfortunately, fairly easy. The software itself can be 

purchased outright or even used through “Ransomware as a Service” facilities available on the internet. 

As a result, the ease of use and financial advantages of ransomware have become widespread among 

cyber criminals, and there is no indication of any diminution of this trend. 

Cyber Insurance 

The classic description of “risk management” is making an informed decision on which risks to retain and 

which ones to lay off on someone else (usually in the form of buying insurance to cover specified risks). 

As might be expected, the perceived need for insurance against adverse cyber events has been met by 

a broad array of offerings by major insurance carriers. Some are added on to integrated packages for 

errors & omissions, director & officer, and business continuity coverage. Some are stand-alone 

specialized policies. 

There appears to be no standardized underwriting process among the dozens of insurance carriers 

offering some form of cyber insurance. As a result, it is difficult for potential insured parties to make 

“apples to apples” comparisons of coverage limits, exclusions, deductibles, premiums, and other terms. 

Further, as the carriers gain more experience with claims and payments, it appears that the market will 

continue to be in flux for the foreseeable future. One thing is certain: the carriers must conduct their 

business in a profitable manner. So ultimately, the rewards (in the form of premiums) must outweigh the 

risks (in the form of claims payments). 

When the Risk becomes a Reality 

We come full circle in this discussion, as the educational mission of ICFE is brought to bear on these 

challenges. 

With the pending update of the ICFE’s Certified Identity Theft Risk Management - CITRMS® course, 

integration of all of these trends will include adding the expanded Restoration/Remediation section. 

The entire realm of Identity Theft Risk Management and its implications for Privacy and Cybersecurity 

developments continues to be a challenging, but very worthwhile, arena for the ICFE to make its 

contribution to organizations, professionals, and consumers at large. 



About The Author 

Active with the ICFE since 1987, Mr. Zivanchev worked 

alongside of Paul Richard, the then president of the ICFE as 

the graphic and publication designer for the ICFE. In 2000, 

Mr. Zivanchev was appointed the office of Vice President 

and Secretary to the ICFE Board of Directors and titled the 

Director of Information Technology. The ICFE hit the 

internet with its online presence in 2000, with its offerings to 

consumers and organizations in ICFE Certification Courses, 

Identity Theft Risk Management and Credit Report 

Reviewing taking the lead. 

Mr. Zivanchev, stepped in as the Executive Director for the 

ICFE with the passing of Mr. Richard, 2020. It is Mr. 

Zivanchev’s goal to take the ICFE to the next step in its 

evolution in the digital age. 

ICFE company website https://icfe.org/ 



The Top 5 Cloud Security Predictions for 2022 

New threats, new apps, new players – but data plays the biggest role in shaping the future. 

By Amit Shaked, CEO, Laminar 

2021 Attacks Set New Records 

Looking back, 2021 had its fair share of cybersecurity incidents. Take for example the Colonial Pipeline 

breach, where the U.S. fuel supply was at risk of coming to a grinding halt. A ransom of $2.3 million in 

Bitcoin was paid to avoid catastrophe and continue business operations. 

You can likely expect a continued rise in attacks and new methods of targeting in 2022. However, the 

one element to the advancement of security measures making a huge difference next year is data — 

cloud data. 

According to Techjury, on average, every human created at least 1.7 MB of data per second in 2020. Per 

second, think about that. Data is the critical element in every environment and having a plan to safeguard 

yours is paramount. The democratization of data means putting it in the hands of more users and data 

scientists who can quickly create customer value. What better place to do this than the cloud? However 

as developers now have extreme flexibility and power to do what they want in the cloud, data protection 

teams have fallen behind. 



Given the rise in cyber-attacks, the ubiquity of cloud computing, and the ever-increasing production of 

data, here are our top five cloud security predictions for 2022. 

The Top 5 Cloud Security Predictions 

1- Increased Investment will Lead to Better Cloud Security 

Each and every year we see increased investments in cloud security. 

According to Gartner, cloud security is the fastest growing security segment, projected to increase 41.2% 

between 2020 and 2021, reaching nearly $1 billion. 

What does all of this mean? Better cloud security. 

Data protection is the highest priority for many organizations, especially since much of the data lives in 

the cloud. Consumers and businesses expect protection, and they will weigh in with their dollars. It’s 

essential for organizations to continue to invest in data protection in order to reach a better outcome. 

2 - Cloud Data Protection Will Make Strides to Keep up With Data Democratization 

Every organization, no matter how big or small, is changing the way they operate through digital 

technology. The majority of these changes involve moving processes and data to the cloud and making 

data accessible to everyone in the organization. This is data democratization. 

2022 will see cloud data protection begin to keep pace with data democratization. 

Data is the new currency. It’s the critical factor in making informed business decisions and delivering 

personalized experiences that consumers are not only anticipating but expecting. 

Protecting and monitoring your data is crucial to survival, but in order to have proper defenses, 

organizations must have a baseline understanding of their data. 

IT leaders should know the answers to five very important questions: 

1. Where is my data? 

2. Who has access? 

3. What’s the security posture? 

4. Who owns the data? 

5. Where is my data going? 



One sensitive breach can bring a company to its knees. So as more investments are made in the digital 

transformation, more investments are needed in data protection. 

3- Cloud-Native Security Tools Will Become Mainstream 

As more data is moved to the cloud, more workloads, processes and solutions are being natively built 

and run there. 

Cloud-native applications are run and hosted in the cloud, and are designed to capitalize on the inherent 

characteristics of a cloud computing software delivery model. 

Security solutions built for the cloud, in the cloud, aren’t totally mainstream yet, but are growing much 

faster than their legacy counterparts. In 2022, we’ll see many more of them arise and mature. 

4 - Security Teams Will Move from Gatekeepers to Enablers 

It’s the responsibility of the security team to ensure every process follows strict security protocols, so 

historically, they are viewed as a barrier to progress. 2022 is going to see a change in that pattern, as 

security teams move from being the gatekeepers to the enablers. 

Why is this? Because more applications are being built in the cloud, as opposed to on-premises. 

Cloud application developers don’t have as many restrictions, and don't have to wait on multiple 

stakeholders to move to the next phase. At the same time, security teams are deploying cloud-native 

solutions that continuously monitor and enforce policies, enabling a “trust but verify” stance. This way, 

developers are not hindered and security teams can move at the speed of the cloud. 

So to continue digital transformation yet stay secure, the once-restricting gatekeepers will harness the 

power of cloud development and become the enablers. 

5 - Best of Breed Tools Will Continue to Emerge, not Consolidate…Yet 

According to The Cyber Research Databank, there are more than 3,500 cybersecurity vendors in the 

market. 

If you’re a security leader, you’re probably bombarded with offers for the next best solution. You may 

wish there was one tool that served as a one-stop-shop for all of the features and capabilities you need, 

but we're not quite there yet. 

Consolidation is happening, but we think vendor proliferation will continue in 2022. 



Why is that? 

Let’s take COVID-19 as an example. Think of the virus as a new breach. When that breach hit, people 

scrambled to build the defenses to battle it. You developed a vaccine and are feeling good, but then the 

Delta variant pops up, and you scramble again. Hoping to quell that variant, suddenly Omicron arises. 

On it goes. How many variants will appear before we feel we’ve addressed every threat? There is no way 

to tell, so you keep building defenses to stay safe. 

The security world is similar. Each year we see new threats arise and we build the tools to combat them. 

Before these breaches slow down, there will continue to be a proliferation of new tools in the market. 

The Year that Data Matters More 

Data truly is the key element for business survival and, as a result, it’s also the element you need to 

protect the most. It is the new business currency and something everyone benefits from when harnessed 

securely. 

In this cloud-first world, where digital transformation is happening fast and complexity is high, traditional 

methods are falling away. The ability to discover, classify, and categorize all the data within your public 

cloud environment is a necessity to stay safe and nimble. 

About the Author 

Amit Shaked, CEO, Laminar. He is also the Founder of 

Laminar which started in 2020. 



Cybercriminals Hunt For Medical Data. Zero Trust As The 

Only Good Option To Keep The Healthcare System Secure 

By Tomasz Kowalski, CEO, Secfense 

According to a Trustwave report, medical data may cost up to $250 per record on the black market, while 

stolen payment card data is sold for $5.40. That is why the healthcare institutions are becoming the main 

vector of cybercriminals attacks. How to defend against them? The right approach is to protect the space 

where usually attacks come the most often so the accounts of all employees of clinics or hospitals. 

Zero trust security is a cybersecurity concept that implies a total lack of trust in users, systems, or services 

within the network. What does this mean and how does it relate to the safety of the healthcare industry? 

Zero trust relies on 100% certainty that the right person is on the other side of the computer, and not a 

thief who wants to take over your sensitive data. 

Medical data worth its weight in gold! 

Medical data is extremely attractive to cybercriminals. Mainly because intruders know very well how to 

cash them. Theft of medical data can threaten the reputation of individuals or institutions and cause 

enormous damage. That is why all healthcare facilities must remodel their approach to IT security as 



soon as possible and base it on strict user authorization, restriction of permissions and limiting access to 

medical resources in accordance with the principle: never trust, always verify. 

One of the latest media attacks against a medical institution was an attempt by intruders to get into the 

computers of AstraZeneca employees (including those who worked on the Covid-19 vaccine). 

North Korean cybercriminals used phishing and social engineering claiming to be recruiters. According 

to the Wall Street Journal the attackers also tried to steal vaccine information from Johnson & Johnson 

and Novovax, as well as from three South Korean drug makers. 

2-Step Verification 

The credential theft - employees' passwords and logins - is one of the most common causes of attacks 

on medical institutions today. 

Cybercriminals usually send an e-mail designed to trick the person into thinking that the message comes 

from a legitimate source and then obtain credentials. Bad actors also often use WhatsApp or LinkedIn 

messengers, as happened in the case of the attack on AstraZeneca. 

Why is this happening? The healthcare industry is one of the worst when it comes to data security 

knowledge. Data from the Wombat Security’s learning management system shows that 23% of best 

practice questions are answered wrong on average by medical personnel. Fraudsters know that very 

well. The difficult period associated with the pandemic only makes it easier for them to get access to 

extremely valuable information, for which, for example, they can receive a large ransom (ransomware 

attacks). 

User access security broker is an approach to cybersecurity consistent with the zero trust security 

approach. It triggers MFA during a login session on any hospital or clinic web application - regardless of 

whether the person logging in is currently at the facility or works remotely. Before the employee enters 

the application or system, he must enter, for example, a one-time code or verify his identity through face 

biometrics or a fingerprint. 

What’s important is that the integration of MFA takes place without changing the protected application’s 

code. This basically means that the security broker can add multi-factor authentication on the accounts 

of all employees in any number of applications without any subsequent support for IT specialists, who 

are constantly lacking in the medical sector. It also allows for convenient scaling - simple and quick adding 

of users and protected resources, regardless of their number and complexity. Moreover, organizations 

do not have to share any of their information with third parties - strong authentication can be easily applied 

to the current infrastructure without long and tedious programming. This is important in the case of 

dynamically developing private hospitals and medical clinics. 

Cybercriminals use the pandemic very efficiently and target the weak points of the healthcare system. 

Therefore, medical facilities must ultimately do a very difficult task and protect not only selected, but in 

reality all applications used by their employees on a daily basis. This could mean using advanced 



analytics to track identities on their network, multi-factor authentication, and enforcing "least privilege 

policies" for specific accounts. 

One thing to remember - flexibility, scalability and speed of response in the case of precise and 

increasingly sophisticated attacks will be a key factor influencing the final result. Well-thought-out choices 

in this context really pay off. The costs of healthcare attacks are growing exponentially as prolonged 

system downtime not only hampers but often paralyzes medical care for patients. 


Tomasz Kowalski is a CEO and co-founder of Secfense. He has 

nearly 20 years of experience in the sale of IT technology. He was 

involved in hundreds of hardware and software implementations in 

large and medium-sized companies from the finance 

telecommunication, industry and military sectors. Tomasz can be 

reached online at (tomek@secfense.com, Tomasz Kowalski | 

LinkedIn) and at our company website https://secfense.com/ 



How Do I Reliably Identify You If I Cannot See You? 

eKnow Your Customer Requirements Driving Change 

By John Callahan, CTO, VeridiumID 

KYC – Know Your Customer is a process used around the globe for many years to validate the identity 

of a customer. Many of you will have already experienced KYC, if you have ever opened a bank account, 

bought a property or even obtained a SIM card for your mobile phone. You will have been asked by the 

bank/solicitor/mobile operator for proof of identity. 

Organisations have typically required you to present passport/driving license or ID card, perhaps with a 

recent utility bill for proof of address before providing you services. 

Why do they do this? 

It may seem fairly obvious for certain use cases, particularly for banking or where financial transactions 

occur. Fraud is a significant challenge in Financial Services, fraud always increases during economic 



downturns and it would appear during global pandemics according to a recent study by the World Bank. 

Fraud presents itself in many different formats, from false account setup, unauthorised account access 

and money laundering. While the criminal fraternity, may look to line their own pockets, there is a more 

extreme side, which funds drugs cartels or finances terror organisations. 

After the financial crisis of 2008, financial organisations became heavily regulated and KYC was 

introduced as a regulatory requirement after a series of major fraud, money laundering and tax evasion 

cases. However, even in the last decade global financial services have been exposed by a number of 

money laundering scandals which have resulted in over $36 billion in fines. 

Heavy regulation ultimately creates more friction, especially for the consumer. 1 in 5 banks onboarding 

times have doubled, from 4 to 8 weeks and expect this time to increase even further. This challenge has 

been typically addressed head on by throwing money and head count at the very manual and legacy 

process for KYC. However, COVID has forced a new way of thinking. 

eKYC/mKYC – (Electronic/Mobile) requirements have driven transformational change in organisations, 

who can no longer expect customers to visit branch offices and present themselves in person for manual 

KYC. Additionally, using computer vision and artificial intelligence has removed the subjective human 

error prone process of matching a person to a photograph, providing higher levels of assurance, that an 

individual is who they claim to be. 

But what options are available for eKYC? Actually, there are a number of options available to 

organisations to securely and remotely perform Identity Verification. Let’s explore a couple of them. 

Firstly, it is now possible to take the tried and tested identity document, such as passport, driving license 

or identity card and remotely scan that document into a mobile application, this can be done by simply 

capturing the document with the mobile camera or for a more reliable and performant solution, leveraging 

the document RFID chip to extract information via NFC to the smartphone. While not everybody has the 

latest phones capable of using NFC and not every government documentation that has a RFID chip to 

extract information from, it’s encouraging to know there is always a fall-back option of simply taking a 

picture of the document. 

We then simply use the same application to take a selfie and the application attempts to match the selfie 

with the face image extracted from the documentation. In the background there is a validation check of 

the document itself, is it a genuine document, has it been reported lost or stolen? All of these factors 

combined, allow organisations to deliver a remote and secure on-boarding capability, which also provides 

a frictionless user experience for customers. It accelerates the KYC process and reduces costs at the 

same time. 

All good? Well not quite, unfortunately Government documentation availability is not a certainty, 

additionally face matching from a 10-year-old photograph which has been captured using the mobile 

phone camera (as opposed to NFC) comes with its challenges in terms of performance and reliability. 

Additionally, cultural and religious requirements can present additional problems when the app asks to 

perform a selfie for face verification, add in poor lighting conditions and a requirement for “liveness” 



validation, what can be a very reliable and performant solution takes a performance hit and can lead to 

a frustrating user experience. 

Since biometrics are clearly the preferred method for eKYC and where face recognition may present 

challenges and/or there is no documentation available with which to match the face against, there needs 

to be flexibility of biometric modalities to provide not only choice to the customer, but performance and 

security improvements to the organisation. 

Fingerprint recognition is the other obvious biometric modality that could be used for Identity verification. 

Fingerprints as well as face images are stored on many forms of government documentation around the 

globe, however this doesn’t help where that documentation is not readily available. There is an alternative 

to Government documentation though and that is National Identity Databases. 

National Identity databases are scattered around the globe but are prominent in Latin America, Middle 

East / Africa as well as ASIA. These databases provide a trust anchor for the government who 

ask/mandate citizens to enrol themselves into the database in order to leverage Identity verification. 

Organisations who can reference these databases have a ready-made platform to query and using 

biometrics to validate individual identity with a simple capture of fingerprint or face (where available). The 

benefit here is, this is a centralised database, the risk of fraudulent documentation is eliminated, in 

addition the biometric “image” is clean, no holograms over passport pictures to affect face matching 

performance. 

Since fingerprint has no cultural, racial or religious bias and fingerprints are largely unaffected by the 

aging process, fingerprint recognition delivers a highly performant and secure biometric modality to verify 

Identity. Fingerprint also eliminates the “twins” issue associated with facial recognition, since every 

fingerprint in unique. The challenge now is how to capture the fingerprint remotely…..Any of us who have 

experienced US border control or watched a Mission Impossible film, will of seen the requirement to place 

your fingers/thumbs onto a hardware scanner of some description. Sadly, very few of us have these 

devices available to us at home and before you jump to the assumption that your phone has a fingerprint 

scanner built into it, sadly that particular sensor has no mechanism to capture a fingerprint image and 

send it outside the phone for matching. 

However, at Veridium we developed a mobile software solution that uses just a smartphone camera to 

capture fingerprint images, by simply taking a picture of your hand. This fingerprint image can be used in 

addition to, or as an alternative to face matching. It can be matched by National Identity Databases (and 

Security Services Databases) as well as matching against documentation where fingerprint images are 

stored on RFID chips. Since every smartphone has a camera and a torch, performance is assured in 

pitch black or bright blue sky conditions, coupled with in built liveness detection to deter against simple 

and complex presentation attacks. 

Now organisations can securely and reliably deliver eKYC/mKYC for their clients, deliver flexibile 

biometric modalities of face and fingerprint capture, leverage Government issued documentation or 

National Identity database and provide flexibility to ensure they are not caught out with racial, religious 

or cultural bias. Organisations can now reliably identify you without seeing you in person. Provide a 

frictionless onboarding experience to customers and help eliminate fraud, all at the fraction of the cost of 

traditional KYC processes. 




Dr. John Callahan is responsible for the development of the 

company’s world class enterprise-ready biometric solutions, 

leading a global team of software developers, computer vision 

scientists and sales engineers. 

He has previously served as the Associate Director for 

Information Dominance at the U.S. Navy’s Office of Naval 

Research Global, London UK office, via an Intergovernmental 

Personnel Act assignment from the Johns Hopkins University 

Applied Physics Laboratory. John completed his PhD in 

Computer Science at the University of Maryland, College Park. 

John can be reached online at https://www.linkedin.com/in/john-callahan-430707/ and at 

https://www.veridiumid.com/ 



How To Improve Federal Endpoint Detection and 

Response Tactics and Gain Network Visibility 

By Matt Marsden, Vice President, Technical Account Management, Federal, Tanium 

Endpoint detection and response (EDR) was put on center-stage when the Office of Management and 

Budget (OMB) released a memo requiring that agencies must collaborate during the development and 

deployment of their EDR solutions. 

The OMB memo intends to create government-wide visibility through a centrally located EDR initiative, 

implemented by the Cybersecurity and Infrastructure Security Agency (CISA), to support host-level 

visibility, attribution, and response across federal information systems. 

Within 90 days of the memo’s release, agencies are required to provide CISA with access to their current 

and future EDR tools, and CISA is to provide recommendations for accelerating EDR adoption. Within 

120 days, agencies must analyze their EDR solutions with CISA and identify any gaps. 

A recent report stated that since the shift to working-from-home, 79 percent of IT teams have seen an 

increase in breaches at the endpoint. There is a dire need for useful EDR solutions within the federal 

government, especially in the era of remote work, as they will improve “the ability to detect and respond 

to increasingly sophisticated threat activity on Federal networks.” 



What is EDR? 

EDR is a capability that identifies and responds to cyber threats by combining real-time 

continuous monitoring of data and endpoint collection with rules-based automated response and analysis 

capabilities. EDR tools have gained a significant amount of popularity among IT security operations 

teams due to their ease of use and the understanding that endpoints can provide the richest data about 

intruders. 

EDR enables: 

‣ Automated, simple pattern detection of known bad-attack types, leading to triage and 

investigation of those alerts 

‣ Automated response in the sense that pre-determined actions can be configured from the 

detection rules 

‣ Centralization of endpoint log and telemetry data in the cloud for offline analysis 

While useful, EDR technology only locates certain types of activity, or “known bad” activity. Most 

EDR tools limit the activity they record to reduce bandwidth and storage. So, what happens when there 

is an “unknown bad” in a network? This vulnerability gap creates plenty of blind spots for attackers to 

enter, but it is possible to diminish those issues through other solutions. 



What should agencies look for in a solution? 

Skilled attackers are aware of the EDR capabilities and know how to get around them. If agencies pair a 

threat hunting solution with their EDR technologies, they will have a deeper, more 

comprehensive visibility over their endpoints. 

When looking for the right threat hunting platform, it is crucial that agencies keep certain criteria in mind – 

adaptability, scalability, and extensibility. It is also important to use a platform that is fully powered by 

accurate data and can respond to threats in seconds. Here are some elements to look for when choosing 

an EDR solution: 

‣ Continuous monitoring of endpoints. Legacy security solutions tend to employ a collection of 

incompatible point solutions tied together in a SIEM, resulting in a data set that is weeks old, and 

doesn’t include unmanaged, offline, or off-network endpoints. Instead, it is important to have 

a comprehensive platform to gather in-depth endpoint data, giving agencies the ability to collect 

accurate, real-time data in minutes, not months 

‣ Formatted, organized data. Many tools require you to export data from different sources, 

normalize output, then attempt to combine it all into one report. It is important for agencies to 

streamline this process through a solution that provides actionable data that is already in the 

correct format for use 

‣ Zero-trust architecture. Achieving a strong endpoint defense requires complete visibility into the 

entire operating environment. Agencies should look for a platform with a zero-trust architecture 

that continually monitors device health and checks whether it is patched, secure, compliant, and 

managed 

An endpoint security and management platform solution can dig deeper into the suspicious activity 

detected by EDR to understand the threat and protect any additional machines that may have been 

compromised. A single platform of this nature gathers in-depth endpoint data, giving agencies the ability 

to collect accurate, real-time data in minutes. 

The time to improve cyber is now, and everyone plays a part in this process. The federal government has 

set the precedent with this memo, and agencies understand the importance of the guidance. Agencies 

must implement a strong EDR solution and enhance their EDR capabilities to improve their security 

posture and response capability. 




Matt Marsden is the Vice President, Technical Account Management, 

Federal at Tanium. He is a career cyber professional with more than 24 

years of experience working with the Federal government. Matt began his 

federal service in the United States Navy supporting submarine operations 

afloat and transitioned to Civil Service where he supported the DoD and 

Intelligence Communities prior to joining Tanium. Matt can be reached online 

at LinkedIn and at our company website 

https://www.tanium.com/solutions/federal-government/ 



Decision Trees in Case of a Ransomware Attack 

Does Your Organization Have a Procedure to Handle a Ransomware? Is It Worth Paying the 

Attackers? 

By Zsolt Baranya, Information Security Auditor, Black Cell Ltd. 

The number of ransomware attacks is growing from day to day, as mentioned many of the publications 

and reports. The ransomware kill chain, describes the phases of a ransomware attack, and each phases 

the security trams can implement some actions to mitigate the probability of occurrence. For example, 

the first phase of the ransomware kill chain is the campaign, where the security team can reduce the 

success of the campaign with awareness trainings. The second phase is the infection, where the security 

team can handle the situation with restricted file downloading methods and so on. 

But if the chain reaches the encryption phase, the preventive actions were not effective. In this case, only 

a few organizations have a playbook specified to handle the consequences of ransomware attacks. A 

decision tree had been created to help organizations where this type of playbook is missed. 

Consider actions for ransomware attack event 

Firstly, all the affected devices and systems that have been attacked have to be identified and must be 

disconnected from the network as soon as the detection occurred. This is the most important action 

before the incident handling starts! 



1. Check that the encrypted data classified or not. In case of the classified data is mission critical, 

the incident handlers must know the recovery point objective (RPO) of the data to identify how 

much time the organization have from the business continuity perspective. (This may be related 

in the future to how much time the attacker gives to contact or pay.) 

2. The security event should be reported to the relevant CERT or CSIRT. The response teams 

maybe have some information about the specific ransomware or the attacker that can help. 

3. Make sure that your organization have security backups of the affected data. If there is, check the 

backup restoration tests results, and if the restoration was successful there is no risk to the 

restore. Before you restore the data, you should check the system status. System could have 

backdoors in or other relevant risks. If the organization didn’t have such a test, or the test result 

was unsuccessful, you can consider that the restoration as a risk factor. 

4. If your organization doesn’t have a backup, you should check other alternatives to replace the 

data has been encrypted (for example: whether it exists on paper or may be available from 

another organization, etc.). If yes, consideration shall be given to recovering it within the time 

limits referred to in point 1. set up encrypted files with an alternative solution. If so, this may be 

the solution for incident management. 

5. If steps described in point 3. and 4. did not lead to results, you can search on the internet and 

open-source databases (for example: nomoreransom). There is a possibility you could find some 

information related to the specific ransomware or system to find some recommendations to 

restore your files. Sometimes these sites publish the secret key pairs (decryption key) to decrypt 

the affected files. 

6. If your efforts unsuccessful after the 5 points, and the data counts as mission critical, you should 

consider paying the attackers. 

Pay or not to pay decision process 

1. The first thing to consider is whether it is worthwhile for the organization to get Bitcoin. If the last 

chance to give back the data is the paying, not necessarily have to spend time purchasing Bitcoin. 

2. If the affected data counts as mission critical, and the earlier actions were unsuccessful, it should 

be to check if we have files that is both encrypted and original available. If so, you can turn to 

expert organizations, but it is not guaranteed the success. If not, you can go to the next step. 

3. There are some cyber security firms, who are expertise of cyberattacks handling. If the 

organization has received the cyber security firms quote, and it’s more than the attacker’s 

demand, the head of the organization should consider that whichever is better, paying to the 

attackers or the experts. (In neither of these cases have 100% guarantee that the original of all 

encrypted files will be decrypted and returned to organization.) 

4. Attackers usually give a deadline for the payment of the dept. If the victim organization wants to 

use the professional services of a cyber security firm, must consider the deadline and the 



expertise’s recommended returning time. There is a chance that an expert team needs more than 

24 or 72 hours (which commonly given by the attackers) for the restoration of the original files . 

5. If the encrypted files count as critical and the management decided to pay the attackers, it should 

be considered whether it is worthwhile to communicate to media about the ransomware attack, in 

the hope that attackers obtain information about the incident coming to light. In this case, there is 

a chance for the organization to get help for a fee. It would be extremely bad ‘marketing’ for the 

attackers if the organization did not get the original. 

6. Another opportunity to mandate a negotiator to reduce the amount of the attackers. Sometimes it 

works, so the decision makers should consider this solution. 

These are very important issues to be decided to handle a situation after a ransomware attack. In any 

case, it is necessary to consider what damage a ransomware attack can cause. In comparison, incident 

management needs to be built and implemented for a price that an attack could cost. 

Pay for attackers is not recommended. In any case, this should be the last option to solve the incident. 

The present study is not intended to encourage paying to attackers. The study merely attempts to draw 

attention to the complexity of such an attack, and what all is worth considering before doing anything an 

organization does after a security incident is detected. 


Zsolt Baranya is an Information Security Auditor and head of compliance 

of the Black Cell Ltd. in Hungary. Formerly, he has filled information 

security officer and data protection officer roles at a local governmental 

organization. He worked as a senior desk officer at National Directorate 

General for Disaster Management, Department for Critical Infrastructure 

Coordination, where he was responsible for the Hungarian critical 

infrastructure’s information security compliancy. Zsolt can be reached 

online at zsolt.baranya@blackcell.io and at his company’s website 

https://blackcell.io/ 



Mitigating Risk from Insider Threats in 2022 

By Isaac Kohen, Teramind 

Back in August 2020, a story of an insider threat caught headlines when the employee turned down a 

$1M bribe to put ransomware on Tesla’s servers at the Gigafactory outside of Reno. 

That story was exceptional both for the amount of the payoff and for the fact that it really is the exception 

to the rule. 

The far more common case is that a malicious actor will find someone inside who can help them to carry 

out their attacks, thus getting around whatever protections that the organization has put in place to defend 

itself from external threats. 

One area where we have seen this story repeat time and again is in the cellular service industry. 

Mobile Mischief is Afoot 

The mobile industry has found itself the target of malicious actors who have used insiders to worm their 

way in and effectively steal from the service providers. In September, a man named Muhammad Fahd 



was sentenced to 12 years for paying employees at AT&T a $1M to help him unlock phones and then 

later implant malware on the company’s system that allowed him to do the dirty work himself. 

While you can buy an unlocked phone, AT&T and other companies offer lower prices for customers to 

sign on with their service as an incentive. They also have a revenue stream that is generated by unlocking 

phones for customers. 

According to reports, Fahd and his co-conspirators succeeded in unlocking some 1.9 million phones. 

This fraud was shown to cost AT&T $201M out of their pocket. So good ROI for Fahd’s bribes and a bad 

time for AT&T. 

The court documents note how the malware used by Fahd could be used for stealing credentials, helping 

him impersonate legitimate AT&T employees for use in his fraud. This allowed him to continue his 

operations even after the company made changes that would have blocked his illicit activities. 

From the looks of it, AT&T had done a pretty good job of protecting itself, limiting who was authorized to 

unlock devices to specific users and only under certain conditions. However, despite the protections, the 

criminals were able to exploit the human element and had the insiders knowingly compromise their 

employer. 

Defining the Insider Threat 

Insider threats are where someone inside your organization is the one doing the harm. 

The 2020 Verizon report indicates that insider threats are on the rise. Their statistics show that these 

types of threats are nearing 40%, pushing up nearly 20% in just five years. To be clear, external threats 

still outnumber the number of internal incidents by a wide margin. There is also an additional component 

that insiders are oftentimes not malicious but simply careless. However, despite the intention, the results 

are the same. 

Insider threats are a double risk in that anything that an insider can access, an attacker who has 

compromised a privileged user’s account can access too. In a world where user credentials are constantly 

being compromised in data leaks, hacks, and other sorts of mischief, the chances are more than 

reasonable that a legitimate user will have their credentials used by attackers. If they have a highly 

privileged account or there are paths for escalation, then the organization may be in for a bad day ahead. 

And it can always be worse as the details of the story unfold. 

Why Insider Attacks Can Be More Damaging to Victim Organizations 

All cases of a breach are bad news for an organization. The level of bad can vary depending on if they 

were negligent or the victim of elite state actor hackers. 

What nobody wants to hear is that your customer’s data was knowingly compromised by an employee. 

Such incidents can kill user trust and be hard to bounce back from. 



Partners, investors, and of course customers, all want to know that they are working with trustworthy 

folks. Winning over customers in the first place is hard enough, just ask your marketing and sales teams. 

Especially in markets where the customers are asked to share access to their data and the core of their 

products, they need to feel that your organization is trustworthy and their data protected. Having your 

system breached by a hacker can be a hard knock to customer trust. 

Regaining their trust after the damage came from the inside is an even bigger uphill battle, so this really 

might be a case where an ounce of prevention can be worth a pound of cure. 

3 Tips for Mitigating Insider Threat Risks 

Risks from inside and out are always present, but there are steps that we can take to lower our potential 

for threats and mitigate damage when they do occur. 

1. Train Your Team to Identify Risky Situations 

Whenever attackers approach a prospective insider to get them to expose their organization, they offer 

serious rewards while downplaying the severity of what they are doing. In some cases, an insider may 

know that they are doing something wrong but will not understand the repercussions of their actions. If 

the person approaching them is a friend or family member, then they may be even more likely to go 

through with it. 

Talk to your employees to explain the risks that can emerge from them taking steps that can compromise 

the organization. Give them tools to spot red flags before they may unwittingly take part in something 

destructive. 

Finally, clarify what your policy is and let them know that you have protections in place. 

2. Use Solutions to Monitor User Actions 

Having the right tools in place to identify when a user is performing actions that may fall outside of their 

normal duties or another kind of anomaly, can help to stop them sooner. 

User and Entity Behavior Analytics can help to detect these threats, understanding what the baseline of 

normal behavior is and alerting when a user strays from their expected routine. 

3. Use MFA Whenever Possible 

As we have noted, credentials will be compromised. In those instances, multi-factor authentication can 

play a serious role keeping the attackers out because having your credentials are no longer enough. 

Many organizations use SMS as their MFA solution, but this is against best practices that call for using 

an app to generate the one-time-codes. For extra points, get a Yubikey for your most privileged users, 

adding that extra layer of security. 



Verify But Trust 

Managing insider threats is a balancing act. 

We hire our people because we believe that they will be good workers who will look out for the 

organization’s best interests. Putting protections in place to help keep folks honest or catch an external 

threat actor are common sense and can help avoid some uncomfortable situations. 

But at the end of the day we have to trust that we have the right people working with us, and it is up to 

us to make them feel that they are part of our team. Work with your team to have transparent 

conversations about the protections that you have in place so that everyone will be on the same page. In 

this case, honesty really is the best policy. 

Balancing the right mix of surveillance with trust is important for the long term success of the organization, 

if only because employees who feel that they are guilty until proven innocent simply will not stick around 

for long. 


Isaac Kohen is VP of R&D at Teramind, a leading global provider of 

employee monitoring, data loss prevention (“DLP”) and workplace 

productivity solutions. Follow on Twitter: @teramindco and LinkedIn. 



Web Application Penetration Testing Checklist with 

OWASP Top 10 

We've gone ahead and compiled this article to shed some light on the top ten web application security 

risks according to OWASP and how you can use this as a guiding light while penetration testing. 

By Ankit Pahuja, Marketing Lead & Evangelist at Astra Security 

Image Source: Appknox.com 



We now live in a world where the internet has altered our daily lives for good. Working and interacting 

with one another no longer requires the physical presence of both parties within the same room. The 

number of people on the Internet is rapidly increasing, with around 3 billion individuals now having access. 

This has led to an exponential growth of web applications in recent years. Web applications, though 

convenient, also come with vulnerabilities. When it comes to web application security, organisations turn 

to penetration testing in order to identify potential vulnerabilities and weaknesses in their applications. 

We've gone ahead and compiled this article to shed some light on the top ten web application security 

risks according to OWASP and how you can use this as a guiding light while penetration testing. Let's 

get started. 

What is penetration testing? 

Penetration testing specifically in the web application domain is the process of testing for vulnerabilities 

by simulating attacks on it. Penetration testers use a variety of methods to attempt to exploit vulnerabilities 

in order to gain access to sensitive data or systems. The main goal of penetration testing is to identify 

and report on any security weaknesses that may exist in an organization's web applications and have 

them fixed as soon as possible. 

Why do you need to perform penetration tests on web applications? 

Image Source: foregenix.com 

Web application pen testing is carried out for a number of reasons. The most important include: 

● To ensure that online applications are safer and have little to no vulnerabilities 

● To prevent unauthorized access 



● To comply with external regulations, policies and standards 

● To meet internal security requirements 

● To verify the effectiveness of security controls 

● To resolve issues uncovered during previous online penetration tests 

● To remain competitive among other top businesses 

What is the OWASP Top Ten? 

Image Source: cybervaultsec.com 

OWASP stands for Open Web Application Security Project. The OWASP Foundation is a global nonprofit 

organization striving to improve the security of web applications and related technology. OWASP 

publishes an annual list pertaining to the top ten web application vulnerabilities. The list was originally 

published in 2007 and has been updated since then. It covers all areas from common coding to cyber 

attacks. Although these are not the only threats out there, they are the most common ones that web 

developers should address before releasing an app into production for use by customers, clients, and 

employees. 

OWASP Top 10 Web Application Security Risks for 2022 

1. Broken Access Control - An adversary is able to obtain access to resources or data that they 

should not have access to when normal security measures, such as permissions and access 

controls have been poorly implemented. 



2. Cryptographic Failures - Cryptographic failures are when a web application's underlying 

cryptographic algorithms or protocols are compromised and can be exploited. 

3. Injection and Cross-Site Scripting - Injection occurs when an attacker is able to inject 

malicious code into input fields on a web page, such as in a search bar or comment box. Cross- 

Site Scripting is when the attacker inserts malicious code into a web page while or before it is 

viewed by other users. 

4. Insecure Design - A web application that is designed in an insecure way leaves room for 

attackers to exploit. This is often the case since web application developers are not well versed 

with secure coding practices. 

5. Security Misconfiguration - Security settings that are incorrectly configured are quite 

prevalent, making it simple for attackers to capitalize. 

6. Vulnerable and Outdated Components - When an attacker is able to take benefit of known 

vulnerabilities in the application or underlying platform, it's possible that vulnerable and obsolete 

components will be involved. 

7. Identification and Authentication Failures - This is when an attacker is able to impersonate 

another user or gain access to restricted sections of the application without having proper 

authentication. 

8. Software and Data Integrity Failures - This happens when an attacker is able to gain access 

to sensitive information within the application, such as user credentials or credit card numbers. 

9. Security Logging and Monitoring Failures - Security logging and monitoring failures occur 

when an attacker is able to disable or circumvent the logging mechanisms in place, making it 

difficult to track activity within the application. 

10. Server-Side Request Forgery - This occurs when an attacker is able to inject illegitimate 

requests from the server-side, such as forgery of login credentials. 

These are errors developers often make when creating websites that, if exploited, can lead to serious 

consequences for your business - including data theft or financial loss! 



What is OWASP penetration testing? 

Image Source: kirkpatrickprice.com 

OWASP penetration testing is pen testing specifically to eradicate the vulnerabilities mentioned in the 

OWASP top ten list. This is a good starting point but your penetration tests should not be limited to these. 

OWASP Penetration Testing Checklist 

Keeping in mind the OWASP top ten web app vulnerabilities, we have compiled a checklist to help you 

with your penetration testing process: 

1. Review the application's architecture and design 

2. Identify and attempt to exploit all input fields, including hidden fields 

3. Tamper with data entered into the application 

4. Use a variety of automated tools to find vulnerabilities 

5. Scan the network for exposed systems and services 

6. Attack authentication mechanisms - try logging in as different users with known credentials, or 

using brute force techniques 

7. Try to gain access to restricted parts of the web application that should otherwise be only 

reachable by authorized individuals 

8. Intercept and modify communications between the client-side and the server-side 

9. Exploit known vulnerabilities in the web application platform or frameworks it is built on 

Once you have completed your penetration test, document your findings in a concise report and begin 

patching your web application immediately. 



Conclusion 

Penetration testing is a very important step in securing your web application and should not be 

overlooked. The OWASP Top Ten list is a great starting point, but it should not be the end of your 

penetration testing journey. In order for penetration tests to be effective, you need an experienced 

security team who can perform these types of audits and also provide actionable results in a timely 

manner. 


Ankit Pahuja is the Marketing Lead & Evangelist at Astra Security. Ever 

since his adulthood (literally, he was 20 years old), he began finding 

vulnerabilities in websites & network infrastructures. Starting his 

professional career as a software engineer at one of the unicorns 

enables him in bringing "engineering in marketing" to reality. Working 

actively in the cybersecurity space for more than 2 years makes him 

the perfect T-shaped marketing professional. Ankit is an avid speaker 

in the security space and has delivered various talks in top companies, 

early-age startups, and online events. 

Ankit can be reached online at Email, LinkedIn and at his company 

website http://www.getastra.com/ 



5 Ways to Protect Your Workplace from Cybersecurity 

Threats 

The cybersecurity environment is rapidly evolving. Meanwhile, technological advancements are steadily 

improving the ability for cyber criminals and hackers to exploit data security flaws. 

By Nicole Allen, Marketing Executive, Salt Communications 

The cybersecurity environment is rapidly evolving. Meanwhile, technological advancements are steadily 

improving the ability for cyber criminals and hackers to exploit data security flaws. The ever-increasing 

scope of data breaches and cybersecurity threats should be a major source of concern for all types of 

organisations. 

No one could have predicted the holes in network security postures that the 2020 coronavirus pandemic 

has revealed with the increase of employees working from home. Unsecured home networks, BYOD 

(bring-your-own-device) policies, and compartmentalised operations turned previously evident hazards 

on corporate networks into invisible, hidden threats on a wider range of networks. As a result of the 

increasing attack surface even more than usual phishing vishing, and ransomware assaults were 

launched. So in this article Salt Communications are going to explain five ways to protect your workplace 

from cybersecurity threats. 



1. Increase enterprise security protection 

Mobile workplaces can boost productivity and access to work-related resources, but they also raise the 

danger of data leaks due to apps and services like email, social media, and cloud access. Maintaining a 

more secure organisation while enabling mobile productivity requires creating a safer environment for 

employees to work remotely. 

The risks to organisations from actions or inactions of employees come from a wide range of factors: 

such as human error - this can include sending sensitive information or personal data to the wrong person 

by accident. There's also the issue of system misconfiguration, which can lead to unauthorised access if 

sensitive data isn't adequately secured, encrypted, or password protected. It's also crucial to consider 

the loss of sensitive information-containing devices or documents. 

Many businesses do not take data security as seriously as it should be. They have weak passwords, 

important files that aren't encrypted, and servers that aren't configured correctly. More than 4 billion data 

records containing sensitive information were allegedly compromised in the first six months of the year 

in 2021 as a result of this negligent attitude. 

2. Enable secured collaboration for business communications 

Since the recent crisis-forced transition to remote work, there has been an increase in the use and 

reliance on communication tools. Employees across organisations are looking for an effective, secure 

approach to continue collaborating throughout the business now that they are dispersed in various remote 

locations. Migration to business communication platforms as a replacement for in-person and other 

technical communication has become a major goal for a business's digital transformation. 

Companies become more vulnerable to major security concerns when more communication – and 

business-critical information – is shared across cloud platforms likeZoom and Teams. As we saw with 

COVID-19, there has been an increase in hacks, including targeted Teams attacks using impersonating 

Teams notifications and GIFs vulnerabilities. 

With the likes of Teams in terms of external vulnerabilities, federated access to external users is enabled 

by default when Teams is implemented out of the box. This means that anyone in the world can send an 

email to a user, request to chat with them, or exchange files with them, exposing the individual, and 

hence their entire organisation, to messages that are frequently hostile in nature. 

Whereas, if an organisation uses a closed communications platform such as Salt they don’t leave 

themselves open to these types of threats. Salt Communications recognizes that encryption alone isn’t 

enough to keep an organisation’s data safe. Salt delivers a highly secure platform that gives the same 

convenient user experience as consumer apps, but in a safer and more secure manner, allowing the 



usiness to maintain complete, centralised management of the system at all times and therefore ensure 

complete control. 

3. Ensure you are reducing malware exposure 

Malware infections is frequently linked to user mistakes. Phishing and spoofing schemes have advanced 

to the point where they can trick users into downloading innocuous-looking apps that contain hidden 

attacks by sending them fake emails from trusted brands. These emails lure users in with fake news 

stories, or very personalised offers, which leaves themselves and their companies open to attack. As well 

as this in the past year there has been an increase in ‘smishing’ attacks which are threatening businesses 

worldwide. Smishing is a form of ‘phishing’ using SMS or text messages instead of emails to entice 

recipients to click on fake links which downloads malware onto their device. 

On their own devices, users cannot be prevented from surfing the web, utilising social media, or 

accessing personal email. How can you assist them in performing these routine duties in a safer manner? 

Request that all staff read basic instructions and/or participate in training that covers common malware 

attack strategies. 

Employers should also teach users to double-check URLs in emails to ensure they are accurate, relevant, 

and trustworthy. Also, think about deploying email security solutions that can help prevent malware and 

phishing attacks from reaching employees' inboxes. It makes no difference if you have the world's most 

secure security system. It only takes one inexperienced employee to be deceived by a phishing attempt 

and hand up the information you've worked so hard to safeguard. Make sure you and your staff are both 

aware of these specific email phishing examples, as well as all of the warning indicators of a phishing 

attempt. 

4. Back everything up regularly 

What if your organisation already has a backup system in place? First and foremost, kudos on a job well 

done; but, the task does not end there. It's critical to test your backup recovery process on a frequent 

basis. It's pointless to back up data if you can't recover it. You'll know if your backup procedure is working 

properly if you run that test on a frequent basis. It's not uncommon for a backup drive to run out of disc 

space for no one to notice. 

Performing a proper backup can be a challenging task. Therefore, backups should be included in your 

business continuity plan. A business continuity plan, according to Travelers Insurance, is "a proactive 

plan to avoid and manage risks associated with a disruption of operations." 

It outlines the measures that must be performed before, during, and after an event in order for an 

organisation's financial viability to be maintained. That implies that if your business systems are affected, 

whether by a fire or flood in the office or, more recently, a cyber-attack, you'll have a plan in place to 



minimise the impact on business performance. Backing up your company's data could mean the 

difference between surviving a cyber attack and going out of business. 

5. Manage all organisational devices 

Security concerns are growing as the Bring Your Own Device (BYOD) trend rises and the use of 

Software-as-a-Service (SaaS) applications spreads. Organisations can begin with user education on 

devices is a simple but crucial step in securing them. It guarantees that every employee in your company 

is informed of the best procedures for safeguarding your data. While it starts with onboarding, teaching 

your staff how to safeguard their devices is a continuous activity. 

Mobile security should be at the top of any company's cybersecurity priority list, especially in an era where 

remote working has become the standard and isn't going away anytime soon. Many of the companies 

and organisations in which Salt Communications works have experienced a surge in mobile usage for 

communications and day-to-day tasks. Often, businesses will consider creating a mobile security policy 

that outlines what users should and should not do while using their mobile devices. Other businesses 

have implemented MDM/UEM systems to lock down devices and add an extra layer of security to 

company-issued devices that employees use. 

Allowing employees to be flexible does not have to mean jeopardising the security of your cybersecurity, 

mobile security and corporate communications. You can provide your employees the freedom to work 

anywhere, anytime with adequate planning, the correct tools, and education while avoiding risk. Our team 

of professionals have worked with a variety of organisations to assist them in dealing with cybersecurity 

issues. 

To discuss this article in greater detail with the team, or to sign up for a free trial of Salt Communications 

contact us on info@saltcommunications.com or visit our website at saltcommunications.com. 

About Salt Communications 

Salt Communications is a multi-award winning cyber security company providing a fully enterprisemanaged 

software solution giving absolute privacy in mobile communications. It is easy to deploy and 

uses multi-layered encryption techniques to meet the highest of security standards. Salt Communications 

offers ‘Peace of Mind’ for Organisations who value their privacy, by giving them complete control and 

secure communications, to protect their trusted relationships and stay safe. Salt is headquartered in 

Belfast, N. Ireland, for more information visit Salt Communications. 




Nicole Allen, Marketing Executive at Salt Communications. 

Nicole has been working within the Salt Communications 

Marketing team for several years and has played a crucial role 

in building Salt Communications reputation. Nicole implements 

many of Salt Communications digital efforts as well as managing 

Salt Communications presence at events, both virtual and in 

person events for the company. 

Nicole can be reached online at (LINKEDIN, TWITTER or by 

emailing nicole.allen@saltcommunications.com) and at our 

company website https://saltcommunications.com/ 



Today's Digital Battlefield Demands Resilience Beyond 

Infrastructure 

By Mohammed Al Mohtadi, Cyber Information Security Officer, Injazat 

There is a battle underway globally that requires every business to identify their risks of attack, fortify 

their defences, and continually evolve their capabilities. Every company will need to be on the front foot 

in terms of being equipped with the latest skills to deal with it and innovating their armoury to counter it. 

The battle for data increasingly sees sophisticated attacks by organised hackers rising rapidly. 

A study by Cybersecurity Ventures indicated that cybercrimes will be the reason for the greatest transfer 

of economic wealth in history, costing the world $10.5 trillion by 2025. To place that in the context of a 

country wealth equivalent, it would be the world's third-largest economy after the U.S. and China. 

Reframing the Digital Battleground 

With the level of technology integration in nearly every business, it could be argued that every company, 

to some degree, is a technology business. As a result, each could face extremely damaging risks to the 

business by losing productivity, operations, reputation and incurring a substantial financial loss. 

This digital battleground is constantly evolving. With it is the need for the business world to change its 

approach from simple prevention steps to a more proactive approach rooted in a dynamic business-wide 

state of readiness. Given the current landscape, the focus should shift towards better detection and 

readiness for the inevitable to survive the digital battlefield today. 



It is no longer the case that the "it will never happen to us" attitude is accurate. In fact, to the contrary, as 

every 39 seconds, there is a new attack somewhere on the web, and the rapidly rising cost of global 

cyber hacks rising every year around 15 per cent. 

Testing your resilience: Attack yourself. 

It is now more vitally important than ever before to test the company's resilience to ensure that critical 

data is secure and vulnerabilities are identified. These vulnerabilities can also include programming 

errors, or improper computer or security configurations which can be then be exploited by hackers who 

discover these unintentional flaws and use these an opportunity for cyberattacks which are known as 

zero day attacks. To address this, the software developers have to release updated software patches. 

However, since they have just learned of the flaws, they have “zero days” to fix the problem and protect 

the users. 

A secure way to achieve the testing of resilience is by evaluating your company's vulnerabilities through 

being breached voluntarily. Therefore, attack yourself before hackers do, and assess what weaknesses 

in your IT infrastructure would make them successful and proactively fix them. You stand a significant 

chance to reduce the impact of an attack, provided you have a robust response plan and that it is 

consistently tested. 

Most security leaders do not know how their team would react to a cyber breach. These exercises are 

critical to help provide an understanding of the capabilities of your team and your existing technology and 

are great for building muscle memory and assessing where to invest budgets. 

Fortunately, there are several ways and methods to do this today, from tabletop exercises to penetration 

testing and simulation exercises such as red teaming. 

Why choose proactive simulation 

Penetration testing identifies possible vulnerabilities and security holes but is highly dependent on the 

skill of the pentester. This is where immersive solutions such as red teaming have a massive advantage. 

It presents you with a heart-pounding, first-hand experience that reproduces the real impact of an attack. 

It helps prepare your teams to respond and enables you to understand how competent your response is 

and how fluent you are in your response incident response plan. 

It is also crucial for the business to view cyber security as a shared responsibility, not simply the IT head's 

sole responsibility. Instead, everyone has a role in ensuring the organisation remains cyber secure. 

Response plans will have assigned responsibilities for the key decision makers such as the CEO, CIO, 

CHRO etc and simulation exercises guarantee that all protocols are fully understood by all parties and 

strengthen the cybersecurity bench providing critical in a low-risk, low-cost way to learn from your failures. 



UAE can be a cyber security powerhouse 

The UAE is the third most attractive target for cybercriminals, according to the Cyber Risk Index released 

by NordVPN, costing the businesses in this country a whopping $1.4 billion per year. 

Therefore, it should not come as a surprise that the UAE have announced a national bug bounty program 

to enlist the services of qualified global security researchers in an incentive-based programme for 

cybersecurity penetration testing and vulnerability identification, towards better prevention against cyberattacks. 

As a nation that has always been at the forefront of embracing innovative ways to enhance cybersecurity 

across the critical infrastructure in the country, the UAE knows not to stop at just penetration testing. To 

align and direct these national cyber security efforts, the UAE Government has a vast array of initiatives 

that are designed to improve the national cyber security, and protect the country’s national information 

and communications infrastructure. The UAE Information Assurance (IA) Regulation provides the 

requirements for raising the minimum level of IA across all relevant entities in the UAE. This is further 

supported through the information security standards such as ISO 27001 which is focused on keeping 

information assets secure. 

With a 250% increase in cyberattacks since last year, the UAE Cybersecurity Council, in cooperation with 

National Crisis and Emergency Management Authority (NCEMA), announced a "Protective Shield Cyber 

Drill", demonstrating how these exercises and practices can be encouraged from a government level. 

As the national technology champion, Injazat is also a leader in cyber security through the provision of 

its 'Cyber Fusion Centre'. This capability stands out ahead compared to other less able solutions in the 

market. Integrating behavior analytics and machine learning, the Cyber Fusion Center is distinctive. It 

leads the MENA region as it provides a proactive and unified approach to neutralize potential threats 

before they occur. The platform leverages an Artificial Intelligence-based recommendation engine, 

suggesting remediation actions based on previous behavior patterns and reducing response times. 

As we approach 2022 next month, now is the time to double up on the action to ensure that every 

business is cyber aware and has the proper proactive defences to ensure that they win in the digital 

battleground. Every company must act now to put the winning strategy in place and not wait until it's too 

late. The cost of not doing so could be high. 




Mohammed Al Muhtadi is a highly accomplished cybersecurity and 

information governance professional with over 12 years of experience in 

leading and implementing security solutions and mitigation plans. 

As the Chief Information Security Officer of Injazat, Mohamed is 

responsible for spearheading and improving the security programs, 

assessment of the organization’s digital landscape, managing disaster 

recovery and providing cybersecurity awareness training. 

In the span of his career, Mohammed has helped corporate giants in the 

region such as Du, Dubai World, Masdar, General Electric and ENOC to 

design, implement, operate, grow, and manage their digital infrastructure. 

Highly qualified, Mohammed holds an MBA and a Bachelors degree in 

Information Technology with over 13 certifications ranging from ethical hacking to data privacy solutions. 

The rich and extensive experience he has gained in his previous roles has fully equipped him with the 

tools needed to support any company’s security and information strategies and ensure a smooth flow of 

operations within the team. Mohammed can be reached online at 

https://www.linkedin.com/in/mohammed-al-muhtadi/ 



Why Ransomware is Only a Symptom of a Larger Problem 

While ransomware is arguably the greatest current security threat to organizations, its rise has 

distracted us from the true issue at hand: extortion-based crimes. 

By Jeff Palatt, Vice President, Technical Advisory Services at MOXFIVE 

Encrypted files, corrupted applications, deleted backups, and stolen data - all are debilitating symptoms 

attributed to ransomware. With the shift to digital currencies, the monetization from attacks has only 

become easier for threat actors to turn unauthorized access to an organization’s computer network into 

financial gain. 

Where We Are 

Since cyber thieves first began physically skimming credit card machines to collect the information 

needed for counterfeit credit cards, unauthorized access to private data has led to a 



windfall of financial gain for the threat actors. In the time between WannaCry and the Colonial Pipeline 

attacks, ransomware has shifted from single-system encryption events with extortion amounts of less 

than $15,000 to enterprise-level encryption events with demands routinely in the tens of millions of 

dollars. There has been an alarming increase in the number of instances where organizations have 

backups to restore their IT operations, yet still pay a ransom to “buy silence” from the threat actor. 

Ransomware is currently the sharpest tool attackers have to monetize these attacks, but it is by no means 

the only one. 

Where We’re Going 

As ransomware continues to gain attention, threat actors will adopt additional escalation techniques to 

continue profiting. We are already seeing a sampling of what’s to come, including: 

• Distributed Denial of Service (DDOS) Attacks: While not as common today, the threat of a 

DDOS can be increased to where threat actors target critical networking gear and block control 

of network traffic into and out of the network, which would cripple an environment. Organizations 

that rely on a significant Internet presence need to contract with DDOS mitigation firms in a 

proactive manner to help mitigate the threat of DDOS attacks. Furthermore, organizations should 

implement centralized management of network gear to easily manage, and secure, network 

devices in their environment. 

• Destructive Attacks: If desperate, or lucrative enough, threat actors could shift to threatening to 

bring the environment completely and permanently down if a ransom is not paid in a certain 

amount of time. While this type of attack would be difficult, it is not impossible and could leave an 

organization scrambling to investigate and remediate as quickly as possible to mitigate damage. 

Defending against these types of attacks requires a layered security approach that starts with the 

basics and matures into a robust security program. Organizations need a prioritized security 

roadmap that pinpoints specific risk areas in an organization and targets pinpoint solutions that 

maximize the return on value of security investments. 

The Disease: Extortion-Based Attacks 

An endless supply of highly skilled adversaries, a precedent of successfully extorting victims for higher 

payouts, and less friction collecting (and spending) funds thanks to digital currencies has opened the 

floodgates for the frequency and severity of extortion-based attacks. While ransomware has the spotlight 

for now, we need to remember that it is merely a symptom of the extortion-based crime disease. To truly 

combat extortion-based crimes, starting with ransomware, organizations need a robust defense strategy 

that protects environments from current and future trends. Cybersecurity needs to go beyond addressing 

the immediate threat of ransomware to impair the ability of threat actors monetizing attacks, starting at 

the organizational level to reduce overall risk and repercussions. 

Depending on the size and complexity of the network, and the maturity of the security program a 

determination should be made with respect to resources, technology, and capability. Smaller 

organizations should consider outsourcing a good portion of their security to a Managed Detection and 



Response vendor that can leverage an Endpoint Detection and Response (EDR) or Extended Detection 

& Response (XDR) solution. Larger organizations can often handle security in house but may want to 

consider a hybrid model where the security strategy and program is run internally, and specific services 

may be provided by a Managed Security Service Provider (MSSP). In any case, all organizations need 

to have basic controls in place, from immutable backups and network segmentation to multifactor 

authentication (MFA) and privileged access management. 

The Cure: Holistic Cybersecurity 

A key part of the game for threat actors is the continual escalation of techniques for profit. To combat 

extortion-based crimes, organizations need robust defense strategies that protect environments against 

current and future attack trends, addressing the threat of ransomware and impairing the threat actors 

from monetizing attacks. Beyond encrypting systems and implementing backup solutions, organizations 

need a holistic approach that bands the security, software, and hardware communities together to 

eradicate these threats. 

Organizations must continue to address the symptoms of extortion-based attacks, like ransomware, but 

must also not lose sight of the true disease. The solution will not be quick, complete, or without pain. But 

together as an industry we can reverse the concerning trend in the rise of extortion-based attacks. 


As Vice President of Technical Advisory Services, Jeff leads MOXFIVE's 

team of expert Technical Advisors who provide strategic incident 

management services and solutions to clients. Prior to MOXFIVE, Jeff was 

the Director of Cyber Defense and Incident Response at RSA Security, 

joining RSA through the NetWitness acquisition in 2011 where he helped 

build the Incident Response Practice from the ground up. Jeff has held 

other leadership positions including Delivery Manager for Emergency 

Response Services at IBM where he was instrumental in getting IBM ISS 

listed as a PCI Qualified Incident Response Assessor (QIRA) in 2006 

during the acquisition of Internet Security Systems and assisting with the 

integration of the teams through the transfer of trade. Before moving into practice leadership roles, Jeff 

was a Principal Consultant (Incident Responder) with Internet Security Systems and has held various 

other positions as a Security Engineer, Security Analyst, and Security Auditor. 

Jeff has a Master of Forensic Sciences in High Technology Crime Investigations from the George 

Washington University, and a Bachelor of Science in Business Administration from Old Dominion 

University. He is a Certified Information Security Manager (CISM), Certified Information Systems Security 

Professional (CISSP, and a Certified Information Systems Auditor (CISA). Jeff currently resides in 

Virginia Beach with his wife and three children. Jeff can be reached online at our company website 

https://www.moxfive.com/. 



Responding To the Ransomware Pandemic 

By Tom McVey, Solution Architect, Menlo Security 

Last year, Kaseya became the victim of the largest ransomware attack in history when Russian-linked 

hacker group REvil breached the US software company’s systems, in turn gaining access to the 

subsequent systems of approximately one million other companies. The ransom they demanded was a 

staggering $70 million. 

We saw a similar story in May 2021. Both Irish Health Services and insurance company AXA were hit by 

ransomware attacks, the former forced to shut down its systems entirely to protect itself, causing mass 

disruption and placing a huge strain on the country’s healthcare service. In the same month, the 

University of Northampton of the UK saw its entire network go down as a result of a ransomware attack, 

severely impacting students’ learning. 

It is no coincidence that such significant attacks were orchestrated in such a short space of time. 

According to Bitdefender’s Mid-Year Threat Landscape Report 2020 ransomware attacks were up 700 

per cent that year. 

Much of this spike can be attributed to the changes brought about by the pandemic. Where remote 

working shifted to a lockdown-enforced necessity, countless organisations had no choice but to switch 

from physical to digital working practices almost overnight. 



Critical IT infrastructure had to be adapted. Consequently the digital landscape was greatly expanded, 

which led to the exposure of security vulnerabilities that cyber criminals have since exploited at scale. 

While the volume is increasing, what is even more alarming is the fact that such attacks are becoming 

increasingly sophisticated. 

In recent years there have been huge strides made in technological advancements, much of which have 

been put to good use in many ways. Yet, for cyber criminals, it is allowing them to create highly legitimate 

looking campaigns, such as credentials phishing, with the ability to tap into personal information gleaned 

from social engineering initiatives. 

It is now easier than ever for them to get a targeted user to click on a link in an email that looks like it’s 

coming from a colleague or a trusted person or brand. All it takes is that one click to set the attack in 

motion. 

It’s not just emails either. Ransomware is also being embedded in digital advertisements and content 

modules on news sites, making the filtering of URLs using white/blacklists redundant in preventing many 

ransomware attacks. 

Extortion Attacks 

Beyond these complex phishing techniques, we are seeing the emergence of a new category of 

ransomware attacks called double extortion attacks. This is when ransomware is embedded with counter 

incident response tools baked right into the malicious code. Alongside this, tactics such as security tool 

disablement/bypass, distributed denial-of-service (DDoS) attacks and log destruction are also on the rise; 

one of the key reasons that over two thirds of breaches remain undetected for months. 

Such is the severity of the problem that a 2021 Menlo Security survey revealed that more than two thirds 

of people believe cyber criminals should receive prison sentences. Meanwhile, 60 per cent believe that 

ransomware attacks should be viewed as seriously as terrorist attacks. 

While harsher penalties may deter some threat actors, it is highly likely that ransomware attacks will 

continue to grow, and organisations need to be proactive in protecting core assets. 

So what can be done to overcome the challenge? Enter isolation and zero trust – a security-focused 

combination that can be used to stop ransomware in its tracks. 

Isolation technology has been designed with the purpose of protecting users as they navigate the web. 

It works by creating a virtual air gap between the Internet and enterprise networks. All email and web 

traffic goes through the isolation layer, where the content is still visible but is never actually downloaded 

to the endpoint. 



It does not impact the user experience. Rather, it simply removes the risk of malware exploiting 

vulnerabilities on the endpoint. 

Zero trust enhances this, working to block both known and unknown potentially malicious activity. It 

assumes that all web content is harmful and prevents any website from running code on users’ devices. 

It’s a way of protecting users from untrusted actors without inhibiting their ability to do work. 

Using this combination, attackers are both prevented from gaining an initial foothold in a network, leaving 

ransomware with no route to reach its targeted endpoints. 


Tom McVey, Solution Architect, Menlo Security. Tom is a Solution Architect 

at Menlo Security for the EMEA region, a leader in cloud security. He works 

with customers to meet their technical requirements and architects web and 

email isolation deployments for organisations across different industries. 

Coming from a varied background in cyber, Tom provides expert 

cybersecurity advice and strategic guidance to clients. Tom previously 

worked for LogRhythm and Varonis. 



Killware is the Next Big Cybersecurity Threat 

By Brian Erickson, Vice President or Strategy and Solutions and retired U.S. Navy Captain, 

Vidoori 

Today's battlefield has expanded to a digital landscape, and the impact affects the general population as 

well as government agencies. America’s enemies now aim to access sensitive information, disrupt critical 

infrastructure, or stop the maneuverability of our armed forces. 

As the battlefield continues to evolve, so too do the types of attacks. Phishing attacks, voice bot scams, 

and crypto ransomware are examples of how the world of cyberattacks has evolved in recent years. 

With these increasingly complex attacks comes new legislation to defend against them. For example, 

President Biden's May Executive Order and the Defense Information Systems Agency (DISA) and 

Department of Defense’s (DoD) new Zero Trust cybersecurity reference architecture display the efforts 

to help mitigate and fight against these threats. 

However, with large-scale ransomware attacks - such as the Colonial Pipeline and Solar Winds - going 

after our nation's critical infrastructure and putting citizens' lives at risk, cybercriminals have already 

displayed the willingness to escalate ransomware attacks to levels previously unheard of. 



This new kind of ransomware attack goes after a person's physical safety and can even take someone's 

life and has been called “killware” by Alejandro Mayorkas, Secretary of the U.S. Department of Homeland 

Security (DHS). 

The Dangers of Killware 

Killware is defined by its result, not by its methods like malware and ransomware are and is intentionally 

designed to cause real-life harm or death by targeting the health of its victims. 

In a Gartner blog titled, The Emergence of Killware, the Lethal Malware, it is predicted that by 2025, 

cybercriminals will have weaponized operational technology (OT) environments to intentionally and 

successfully kill people. 

As our reliance on digital resources increases so does the likelihood of cyber-attacks. And incidents in 

the digital world will have a much more significant effect on the physical world as the cyber-physical world 

evolves with IoT, smart buildings/cities, and autonomous vehicles. According to Gartner, the predicted 

monetary impact of cyber-physical systems attacks will reach over $50 billion by 2023. 

However, our critical infrastructure is currently most vulnerable to killware targets. Systems and service 

providers like hospitals, water and waste suppliers, power grids and dispatch operations that would result 

in physical harm or death should they be compromised in a killware attack. 

This malicious cyber activity has already begun to take place. In October, the Federal Bureau of 

Investigation, the Cybersecurity and Infrastructure Agency, the Environmental Protection Agency, and 

the National Security Agency issued a joint advisory highlighting attempts to compromise the system 

integrity of U.S. Water and Wastewater Systems (WWS) Sector facilities. This advisory indicates a larger 

problem, as cyber threats continue to increase across all critical infrastructure sectors. 

A Military Problem 

While the term may be new, the intended outcome of killware is not new to members of the military – 

adversaries have been targeting defense systems for decades to disrupt communications and endanger 

the lives of our armed forces. 

Historically, adversary tactics, techniques and procedures (TTP) are as varied as an individual's choice 

in an automobile purchase – they depend on the desired outcome. If the objective of the attack is financial 

gain, then the attackers will use ransomware. If the attacker simply wants to disrupt operations and cause 

chaos, then malware intrusions into OT systems, such as industrial control systems (ICS) and supervisory 

control and data acquisition (SCADA) may be chosen tactic. Stuxnet, a malicious computer worm first 

uncovered in 2010, is one of many examples of malicious malware designed to attack these systems. 

However, as killware attacks become more prevalent, our defense agencies will have to evolve to ensure 

the safety and security of warfighters here and abroad. 5G, future 6G and the Internet of Things (IoT) 

introduce a whole new set of rules that may cause lethal results from non-kinetic actions. 



The most effective way to defend against these threats is to develop and deploy a Zero Trust Architecture 

across the enterprise. An effective ZTA can be found in the Office of Management and Budget’s recent 

Federal Zero Trust draft strategy. It creates an environment of trust and, depending on the technology, 

can create IP cloaking that prevents adversaries from striking what they cannot see. 

ZTA is a solution that can be used across all agencies and environments. Although networks may have 

certain unique qualities depending on the function and system, all networks are simply a combination of 

1’s and 0’s that all require the same basic needs (power, space, cooling, processor) to operate. Thanks 

to the similarities, good cyber hygiene addressing all key securing concerns can be applied not only 

across agencies, but across industries, from Federal to DoD to commercial. 

The current administration and legislators understand this potential, and have made it a point to prioritize 

cybersecurity, allocating around two billion in funding for cybersecurity in the recently passed 

Infrastructure Bill and releasing a series of Zero Trust guidance. The new Infrastructure Bill also includes 

funding for a state and local Cyber Grant Program and over $100 million for the Cyber Response and 

Recovery Fund. 

The DoD and DISA are also taking large strides to sure up cybersecurity, creating a new Zero Trust 

security portfolio office, and sharing cross-agency guidance by creating a Zero Trust cybersecurity 

reference architecture. 

What’s Next? 

Looking ahead, the DoD and defense agencies must continue to combat this new threat by implementing 

a comprehensive ZTA, recruiting and retaining cyber talent, ensuring employees are taught and have 

effective cyber hygiene, and continually assessing their systems through proactive testing and 

integration. 

Agencies must have organic staff, educated in the art of hacking and cybersecurity, that are able to 

routinely test networks using past and present TTPs. The key to successful network protection is to 

continue a defensive posture and think strategically to predict where future attacks may come from given 

the course of technology (6G, exascale and quantum computing, hyper-converged drone warfare). 

With cyber threats ever evolving and killware being designated a concern by the DHS, the federal 

government should leverage lessons learned from the DoD to get ahead of our adversaries. Continuing 

to make cybersecurity a legislative priority and taking a forward-looking approach to defensive and 

offensive tactics is critical in protecting critical infrastructure from lethal attacks. 




Brian Erickson is Vidoori’s Vice President for Strategy and Solutions. 

In this role, he oversees the company’s west coast operations and brand 

expansion. Prior to Vidoori, Brian served 26 years as a Senior Naval Officer 

(Captain/O6) in the aviation and information warfare communities. 

Brian earned a Bachelor of Arts degree in Economics from San Diego State 

University. He also earned a Master of Science degree in Information 

Technology from the Naval Postgraduate School. Additionally, he holds 

numerous professional certifications in business and cybersecurity. 



Combining True MDR & SOC for Robust Cybersecurity 

By Jon Murchison, Founder and CEO, Blackpoint Cyber 

Assessing the Current Threat Landscape 

The only constant in the cyberthreat landscape is that it is ever evolving. Amid a global pandemic, 

cybercriminals have moved quickly to exploit vulnerabilities as organizations make the change to remote 

and flexible work environments. Cybersecurity is now a key concern for small and medium-sized 

businesses (SMBs) during this shift to a virtual world. More than ever, there is a high demand for efficient 

and affordable cybersecurity solutions to help ensure business continuity as much of the workforce 

adjusts. 

While cyber defense solutions such as anti-virus and anti-malware are affordable and a common choice, 



they are no longer able to fight back increasingly sophisticated cybercriminals and attack methods. 

Rather than bulking up your security stack with various solutions, many businesses are now combining 

the expertise of a Security Operations Center (SOC) paired with the robust abilities of Managed 

Detection & Response (MDR) technology to build a pragmatic, streamlined approach to cybersecurity. 

Combating Advanced Cyberattacks 

For many organizations, the current pandemic has shown how security programs and tools such as 

fire walls, anti-virus, and anti-malware are not enough to fight back cyber adversaries. No doubt they 

are useful in providing protection against known viruses and malware, but they cannot thwart dedicated 

criminals leveraging newer attack methods such as ransomware and zero-day exploits. 

The threat landscape continues to change, and it is evolving much faster than such tools can keep 

up with. Consider the following challenges: 

• Traditional signature-based anti-virus technology is rooted in blacklisting known viruses, files, and 

malware. However, Advance Persistent Threats (APTs) can easily bypass this model by 

remaining undetected for lengthy periods of time within a victim’s networks. Further, anti-virus 

solutions are only as strong as their last update. The time in between updates is more than plenty 

for well-funded and experienced cybercriminals to launch an attack. 

• Even next-generation anti-virus and anti-malware software are not able to fully eradicate 

cyberthreats. While they do address some weaknesses found in their traditional counterparts, 

their technology is centered around machine learning and analysis to catch specific suspicious 

behaviors. Next-gen anti-virus and anti-malware solutions are still unable to respond quickly 

enough to catch new trending patterns and methods. 

• Cybercriminals are customizing their malware attacks. Unfortunately, cybercriminals can tailor 

their attacks to best infiltrate their victim’s networks and bypass the anti-virus's methods of 

detection. 

• Over 85% of major cyber incidents occur in organizations that have anti-virus software installed. In 

many of these cases, the software either missed detecting the attack completely, or managed to 

identify the malicious file but not a critical component of the attack such as a second payload or 

a process injection. 

• Attack types are varied and advanced. While e-mails and bad links are still a top access vector 

into a victim’s networks, organizations also need to be prepared to defend their businesses 

against zero-day exploits, ransomware, fileless attacks, credential theft, infected devices, 

vulnerable VPN services, and open remote desktop protocol (RDP). These are all ways that 

threat actors can infiltrate networks, spread laterally, and launch their attack. 

In the current pandemic, many organizations are overwhelmed trying to keep their IT environments 

secure and it can seem that cyber adversaries are always a few moves ahead. To combat this, investing 

in a Security Operations Center (SOC) can significantly streamline how organizations meet evolving 

cyberthreats. Within optimized security operations, organizations develop both their offensive strategy, 

as well as their defense. Engaging with a SOC is an increasingly positive option for many businesses, 



especially those who want to build a robust security framework backed by security experts with 

experience in dealing with unrelenting waves of advanced threats. 

SOC Key Functions 

A Security Operations Center (SOC) is a centralized hub that combines dedicated security analysts, 

processes, and technology to continuously monitor an organization’s security posture. SOCs are focused 

on using telemetry measured from across an organization’s IT infrastructure and assets to prevent, 

detect, assess, and respond to cybersecurity incidents. 

All SOCs are built differently, and many providers allow organizations to select the specific services that 

best serve their line of business. These are some of the common key functions that a majority of SOCs 

will offer: 

• Asset Discovery and Management – SOCs are responsible for two general categories of assets: 

the devices, processes, and applications of the organization they are defending, and the specific 

tools and software in place to protect the former. Complete visibility and control are key in SOC 

operation. They take stock of all the available assets on their client’s networks to eliminate the 

chance of missing a blind spot. With a complete view of all the endpoints, software, servers, 

services, SOCs can stay on top of the nature of traffic flowing between these assets and monitor 

for anomalies. 

• 24/7/365 Proactive Monitoring – Proactive behavior monitoring, and analysis requires the SOC to 

scan on a 24/7/365 basis. The SOC is notified anytime their technology flags an anomaly or there 

is evidence of suspicious activities within a network. Consistent monitoring allows SOCs to stay 

ahead of adversaries and be able to properly prevent or mitigate malicious actions. Further, it is 

a common strategy for cybercriminals to schedule their attacks intentionally during off hours and 

weekends to maximize the potential rate of success of their operation. Without a SOC monitoring 

all hours and days of the week, an in-house IT team may not be able to catch and apply any 

defensive efforts until the following business day. 

• Alert Severity Ranking – Alert fatigue is a common challenge faced by in-house IT teams, 

especially if they are relying on a complex platform such as a Security Information and Event 

Management (SIEM) tool to log events across their organization’s networks. A team may quickly 

become overwhelmed if their technology is triggering alerts constantly. While some may be valid 

early warnings of a cyberattack, there are also false positives and alerts triggered due to lack of 

configuration settings. Alert fatigue is the main reason why some legitimate notifications are 

missed or not placed at a higher priority. MDR teams are able to better sift through the 

complexities of incoming alerts and efficiently determine if they are plausible warnings of a breach 

needing immediate action. 

• Threat Response – A SOC is a first responder. With 24/7/365 coverage, the SOC team closes the 

gap between the identification of an event and the actual response and remediation. By 

immediately shutting down or isolating endpoints, they can terminate malicious processes, delete 

bad files, and stop the threat from moving deeper into other systems. 



Take Your Cybersecurity Strategy to the Next Level 

Ultimately, a SOC allows its organizations to operate knowing that cyberthreats can be identified and 

prevented in real-time. Regardless of how many endpoints, networks, assets, or locations an 

organization spans, SOCs provide a centralized view to ensure that they are monitored and performing 

as needed. 

From a security strategy standpoint, having a SOC means responding faster, minimizing damages and 

costs, and safeguarding data and business continuity. However, is there a way to further maximize 

cybersecurity to the next level? 

Pairing SOC & Managed Detection Response (MDR) Services 

An optimized security strategy is one that streamlines the right methods of threat management into an 

effective security solution. All functions should work in tandem so that the solution is easy to integrate 

and operate day-to-day. Having the right stack of services in place is a significant measure of how mature 

an organization’s security posture is. What a managed SOC cannot do alone is combine network 

visualization, insider threat monitoring, anti-malware, traffic analysis, and endpoint security into a 

24/7/365 managed service focused solely on detecting and detaining threats in real-time. This is where 

MDR comes into play. 

To develop the most comprehensive solution, SOCs may augment their services by operating a Managed 

Detection Response (MDR) platform. As the SOC collects and monitors various data sources within the 

organization, it is the MDR that adds context and makes the information more valuable and actionable 

within the overall threat management process. 

Take the Offense by Threat Hunting 

Threat hunting is the practice of being proactive in the search for cyberthreats within an organization’s 

network. It is performed deep within the network to deliberately search for hidden actors and malware 

that may have found a way to exist undetected otherwise. Many organizations invest in various managed 

services and tools to develop their defensive strategy, but MDR threat hunting is a crucial element to 

ensuring the offensive strategy is just as robust. The art of threat hunting relies on three important 

elements: 

• Investigation through threat intelligence and hypothesis 

• Analysis of Indicators of Compromise (IoC) / Indicators of Attack (IoA) 

• Machine learning and advanced telemetry 

Experienced MDR analysts are highly specialized and trained specifically in hacking tradecraft. They 

always take an ‘assume breach’ stance and investigate thoroughly to find evidence of suspicious 

behavior or changes that may indicate the existence of threat. They rely on experience and the analysis 

of current threat tactics, techniques, and procedures (TTP) to instigate hypothesis-driven hunts. The 

human-powered element is a critical element and the link that synchronizes collected threat 



intelligence, data logs, and advanced security technology towards an offensive method for safeguarding 

businesses. 

Summary 

The hard reality is that cybercriminals and the market for their work have become more advanced than 

ever before. Despite the constant challenge to fend them off, cybercriminals continue to evolve swiftly 

in their tactics. Within the past year alone, some of the largest players in the cybersecurity arena have 

fallen victim to breaches. Though the adversary moves fast, there are ways to get ahead of them. By 

combining the centralized functionality of a SOC with an MDR’s capability for advanced threat hunting 

and network analysis, organizations can build a robust and pragmatic security strategy to protect 

themselves against cyberthreats today. 


Jon Murchison, founder and CEO of Blackpoint Cyber, started his 

career in network engineering and IT operations but quickly made 

the switch over to the covert world of the intelligence community. He 

has since spent more than 12 years planning, conducting, and 

executing high-priority national security missions. As a former NSA 

computer operations expert and IT professional, he brings a unique 

perspective to the mission of developing cyber defense software that 

effectively detects and detains purposeful cyber intrusions and 

insider threats. Jon has also helmed multiple cybersecurity 

assessments, including Fortune 500 enterprises and critical port 

infrastructures. Currently, Jon holds multiple patents in methods of 

network analysis, network defense, pattern analytics, and mobile 

platforms. 

Jon can be reached online on LinkedIn, and on our company’s website https://blackpointcyber.com/ 



The Cybersecurity Trends You Need to Know About In 

2022 

By Jamie Wilson, MD & Founder, Cryptoloc Technology Group 

In 2021, no sector of the Australian economy was safe from cybercrime. From government agencies to 

family businesses, and every type of organisation in between, it’s been one of the worst years on record 

– so it’s important to stay ahead of the curve and be aware of what’s coming down the pipeline in 2022. 

The explosion in remote work and the accelerated pace of digitalisation have opened plenty of doors for 

cybercriminals to walk through. The Australian Cyber Security Centre (ACSC) received a report of a cyber 

attack once every eight minutes over the 2020-21 financial year, up from once every 10 minutes the 

previous year, and unfortunately, those attacks will probably only become more frequent in the new year. 



But when it comes to cybercrime, a little planning and preparation go a long way – so here are the trends 

your organisation should be focused on in 2022. 

Rules and regulations are coming 

One of the reasons that cybercriminals have been able to operate with virtual impunity is that they’ve felt 

secure in the knowledge that technology has always been a step ahead of regulators. 

But with the total economic impact of cybercrime estimated at $3.5 billion in Australia alone, and $1 trillion 

worldwide, the law is finally catching up to the threat these criminals pose – and in 2022, we can expect 

to see much greater regulatory pressure to address the risk of cybercrime. 

We’ve already seen legislation for consumer privacy pick up steam, beginning with the EU’s General 

Data Protection Regulation (GDPR) and followed by Brazil’s General Personal Data Protection Law 

(LGPD) and the California Consumer Privacy Act (CCPA). It’s a sure thing that jurisdictions around the 

world – at a national level, but also at a state and local government level – will continue to pass legislation 

along these lines. 

But that’s just the beginning. In Australia, we’ve seen the recent introduction of emergency laws that 

require the operators of ‘critical infrastructure’ to report cyber attacks to the Australian Signals Directorate 

(ASD) as they happen. The laws give the ASD the power to plug into the networks of these organisations 

to help them fend off attacks. 

Those laws were just a prelude to a second bill, expected to be introduced in 2022, that will impose 

positive security obligations on businesses, requiring them to develop risk management plans and reach 

certain cybersecurity standards. Under these laws, company directors could be made personally liable 

for cyber-attacks. 

I expect we’ll also see the Government move to make the payment of ransomware illegal – Labor has 

already introduced a bill that would require ransomware victims to disclose whenever they make a 

payment, and my sense is that both sides of the aisle are keen to disincentivise and defund hackers by 

criminalising payments altogether. (Whether or not this would actually help victims is a more complicated 

question.) 

In their totality, these laws could make the regulatory landscape more confusing and/or costly for 

organisations that aren’t prepared for them. But they should also have the effect of raising the 

cybersecurity floor, and setting a new standard that, quite frankly, most organisations should be meeting 

already. 

In much the same way that tougher legal obligations made workplace health and safety a top priority for 

employers, we’ll see businesses lift their game when it comes to cybersecurity, and start taking their 

stewardship of data more seriously in order to comply with new rules and regulations. 



Cybersecurity will be treated as a company-wide responsibility 

I was recently speaking to the CEO of a large organisation with 10,000 employees. I asked him how 

many people were in his cybersecurity team – ‘10,000’, he responded, without missing a beat. 

That’s the attitude every employer should have moving forward. Cybersecurity awareness and training 

for all staff will be absolutely crucial – because while not everyone on your team needs to be an IT 

professional or a cybersecurity specialist, everyone will need to be regularly briefed on the latest 

techniques being utilised by cybercriminals, and be aware of best practices. 

Businesses have never been more at risk, and the widening of attack surfaces that’s resulted from the 

COVID-19 pandemic is a major factor. With more employees using more of their own devices, it’s harder 

than ever to secure the perimeter. 

IBM and Ponemon’s Cost of a Data Breach Report 2021 found that data breaches are 17.5 per cent more 

costly where remote work is a factor, and that organisations that have more than half of their workforce 

working remotely take 58 days longer to identify and contain breaches, on average. 

That’s why every member of your team will need to be trained to make their connection more secure, 

and made aware of the importance of updating passwords and patches, avoiding public networks, 

backing up data regularly, and recognising the signs of social engineering scams like phishing emails. 

It’s always been the case that when it comes to cybersecurity, your people have the potential to be your 

biggest weakness – because if they can be tricked into granting access to an intruder, all the perimeter 

security and monitoring in the world won’t be able to protect your system from being compromised. 

But now, with the ever-increasing interconnectivity and borderless nature of the modern workplace, it’s 

more important than ever that every link in your chain is as strong as it can be. 

Cybercriminals are becoming more professional, and more predatory 

It’s no secret that ransomware is on the rise. In June 2021, the Director-General of the Australian Signals 

Directorate told the Parliamentary Joint Committee on Intelligence and Security there had been a 60 per 

cent increase in ransomware attacks on Australian businesses over the previous 12 months. 

What’s less understood is the fact that the organisations behind these attacks are becoming increasingly 

sophisticated. Rather than operating as lone wolves, hackers have developed cyber cartels that operate 

much like the mafia, collaborating as affiliates to pool resources, pass on stolen data, and exploit security 

vulnerabilities within hours of their disclosure. 

The tradecraft of ransomware is evolving at a rapid rate. In 2020, ransomware group REvil popularised 

the tactic known as double extortion, which not only requires organisations to pay a ransom to unlock 

their files, but also requires them to pay an additional ransom to prevent those files being leaked. 

The double extortion tactic quickly became ubiquitous, and has now evolved into triple extortion, in which 

ransom demands are also directed at a victim's clients or suppliers – a method we expect to see plenty 



of in 2022. In effect, ransomware has become less of a singular attack, and more of a series of rolling 

demands springing forth from the initial intrusion. 

Cyber cartels have also begun offering ransomware-as-a-service (RaaS) to would-be cybercriminals 

lacking the expertise to pull off attacks on their own, even going so far as to provide them with 24/7 

technical support, in return for a slice of the unskilled attacker’s profits. This has effectively lowered the 

barrier to entry to the ‘industry’ – and the more cybercriminals are active, the greater the chance that your 

organisation may be targeted. 

A major factor in the increasing complexity and professionalisation of these cartels is that many of them 

operate freely within nation states that are willing to turn a blind eye to their activities, and even provide 

them with tacit support. 

These ‘contract hackers’ are carrying out state-sponsored activities, while at the same time extorting 

businesses for their own financial gain. In 2021, the United States took the unprecedented step of naming 

and shaming the Chinese government as the benefactors of the hackers responsible for the Microsoft 

Exchange attack – but the cyber cold war has only gotten hotter since then, and you can expect more 

high-profile breaches and raids on hospitals, universities and state-owned utilities in 2022. 

Supply chain attacks are set to escalate 

It’s one thing to ensure your own organisation is secure. But in 2022, we can expect to see attacks on 

supply chains – including widely used software products and services – expand in scope and frequency. 

In 2021, the high-profile Solar Winds and Kaseya hacks helped to popularise this attack vector. Closer 

to home, a recent attack on external payroll software provider Frontier Software enabled hackers to 

access the records of up to 80,000 South Australian government employees, including their names, dates 

of birth, tax file numbers, home addresses, bank account details, remuneration and superannuation 

contributions. The records, which were stolen and published on the dark web, may even have included 

Premier Steven Marshall’s details. 

The PWC 2022 Global Digital Trust Insights Survey, which polled 3,602 high-ranking business, 

technology, and security executives around the world, found that 56 per cent of respondents are 

expecting a rise in breaches via their software supply chain in 2022. 

The advantage of this approach, from an attacker’s point of view, is that they can compromise a large 

number of organisations in one hit, making the potential reward for a successful attack quite significant. 

The downside for you is that your organisation might be one of those affected, even if you may never 

have previously been on the attacker’s radar. 

Given the high risk of collateral damage if a supplier falls victim to an attack, it will be up to organisations 

to closely scrutinise the security credentials and protocols of the third-party vendors they entrust with 

access to their data. 



Cyber insurance will become harder to obtain 

Given the increasing frequency of cyber attacks, and the losses that organisations stand to incur if their 

data is compromised, it makes sense that cyber insurance has become highly sought after. 

The problem is that most insurers never had any real risk matrix for cybercrime, and therefore no real 

sense of what they’d be left paying out. As ransomware has gone through the roof, they’ve been left 

scrambling to put limits on the coverage they’re willing to offer. 

Cyber insurance premiums for Australian businesses have shot up by up to 30 per cent, and are expected 

to keep rising in 2022. Some insurers are refusing to take on new clients, or capping their coverage at 

about half of what they used to offer. 

To obtain coverage at reasonable rates in 2022 and beyond, organisations will need to be able to 

demonstrate that they meet strict cybersecurity standards and are following best practices, which may 

include providing cyber security education for all employees, using multi-factor authentication, 

implementing zero trust policies, securely backing up and encrypting their data, and having data breach 

incident response plans in place. 

Of course, my stance is that cyber insurance should only be used as a last resort, and that organisations 

should have these policies and practices in place anyway – because if there’s one thing we know for sure 

about cyber security in 2022, it’s that cyber criminals aren’t going to take the next year off, so you can’t 

afford to, either. 


Jamie Wilson is the founder and chairman of Cryptoloc, 

recognized by Forbes as one of the 20 Best Cybersecurity 

Startups to watch in 2020. Headquartered in Brisbane, 

Australia, with offices in Japan, US, South Africa and the UK, 

Cryptoloc have developed the world’s strongest encryption 

technology and the world’s safest cybersecurity platform, 

ensuring clients have complete control over their data. Jamie 

can be reached online at www.linkedin.com/in/jamie-wilson- 

07424a68 and at www.cryptoloc.com 



Detect Ransomware Data Exfiltration Immediately 

By Randy Reiter CEO of Don’t Be Breached 

Ransomeware Attacks Have Increased During the COVID-19 Pandemic 

An off-site workforce has resulted in new security concerns since hackers now have many new ways to 

penetrate conventional security defenses. Ransomware gangs often go undetected for weeks or months 

once they have gained high level access to an organization’s network, servers and databases. The 

ransomware gang may try to move laterally across other systems in an organization to access as much 

confidential data as possible. Ransomeware attacks in the financial industry for example increased by 

1,300% in 2021. 

Prior to issuing a demand for a ransomware payment from an organization the hacker group has almost 

always already exfiltrated confidential database data from the organization. The exfiltrated data is then 

later sold on the Dark Web to other ransomware groups even if a ransomware payment has been made 

to the original hacking group. 



Ransomeware Hackers May Be Hidden in Your Network for Months 

• JBS May 31, 2021. JBS is one of the largest meat suppliers in the US. Hackers caused it to 

temporarily halt operations at its five largest US-based plants. The ransomware attack also 

disrupted the company's Australia and UK operations. JBS paid the hackers $11 million in 

ransom money. The hackers began with a reconnaissance phase in February 2021, followed 

by Data Exfiltration from March 1 to May 29, 2021. 

• Colonial Pipeline May 6, 2021. The largest refined’ products pipeline in the US went offline on 

May 6 h . The pipeline covers 5,500 miles and transports 100 million gallons of fuel daily. The 

hackers gained access to their network April 29. On May 6 Data Exfiltration began with the 

hackers stealing 100 gigabytes of data before locking Colonial Pipeline computers with 

ransomeware. The pipeline paid hackers $4.4 million in ransom money on May 7th. 

• CNA Financial March 23, 2021. CNA Financial, the seventh largest commercial insurer in the 

US announced it had sustained a sophisticated cybersecurity attack. CNA Financial eventually 

paid $40 million in May 2021 to get its data back. 

Conventional approaches to cyber security may not prevent Data Exfiltration and Data Breaches. In 

2020 the DHS, Department of State, U.S. Marine Corps and the Missile Defense Agency recognized this 

and all issued requests for proposals (RFP) for network full packet data capture for Deep Packet 

Inspection analysis (DPI) of network traffic. This is an important step forward protecting confidential 

database data and organization information. 

Zero-day vulnerabilities that allow hackers to gain system privileges are a major threat to all 

organizations encrypted and unencrypted confidential data. Confidential data includes: credit card, tax 

ID, medical, social media, corporate, manufacturing, trade secrets, law enforcement, defense, homeland 

security, power grid and public utility data. This confidential data is almost always stored in DB2, 

Informix, MariaDB, Microsoft SQL Server, MySQL, Oracle, PostgreSQL and SAP Sybase databases. 

How to Stop Data Exfiltration and Data Breaches with Deep Packet Inspection 

Protecting encrypted and unencrypted confidential database data is much more than securing 

databases, operating systems, applications and the network perimeter against Hackers, Rogue Insiders 

and Supply Chain Attacks. 

Non-intrusive network sniffing technology can perform a real-time Deep Packet Inspection (DPI) of 

100% the database activity from a network tap or proxy server with no impact on the database servers. 

The database SQL activity is very predictable. Database servers servicing 1,000 to 10,000 end-users 

typically process daily 2,000 to 10,000 unique queries or SQL commands that run millions of times a day. 

Deep Packet Analysis does not require logging into the monitored networks, servers or databases. This 

approach can provide CISOs with what they can rarely achieve. Total visibility into the database activity 

24x7 and 100% protection of confidential database data. 



Advanced SQL Behavioral Analysis from DPI Prevents Data Exfiltration and Data Breaches 

Advanced SQL Behavioral Analysis of 100% of the real-time database SQL packets can learn what 

the normal database activity is. Now the database query and SQL activity can be non-intrusively 

monitored in real-time with DPI and non-normal SQL activity immediately pinpointed. This approach is 

inexpensive to setup and has a low cost of operation. Now non-normal database activity from Hackers, 

Rogue Insiders or and Supply Chain Attacks can be detected in a few milli seconds. The Security Team 

can be immediately notified and the Hacker session terminated so that confidential database data is not 

stolen, ransomed or sold on the Dark Web. 


Randy Reiter is the CEO of Don’t Be Breached a Sql Power Tools 

company. He is the architect of the Database Cyber Security Guard 

product, a database Data Breach prevention product for DB2, Informix, 

MariaDB, Microsoft SQL Server, MySQL, Oracle, PostgreSQL, and SAP 

Sybase databases. He has a Master’s Degree in Computer Science and 

has worked extensively over the past 25 years with real-time network 

sniffing and database security. Randy can be reached online at 

rreiter@DontBeBreached.com, www.DontBeBreached.com and 

www.SqlPower.com/Cyber-Attacks. 



Understanding Identity Detection and Response 

Identity Detection and Response (IDR) is a new enterprise cybersecurity method that relies on the use 

of identity-related information to identify that a malicious attack campaign such as ransomware might 

be on-going on a corporate network. 

By Dr. Edward G. Amoroso Chief Executive Officer, TAG Cyber LLC 

Introduction 

Cyber defenders categorize security protections as either preventive or reactive. Preventive security, 

such as strong authentication, focuses on stopping something bad from happening. Reactive security, 

such as log analysis, deals with bad situations that have already commenced or completed. 

The prevention argument is that the cost and effort required to avoid a security problem will always be 

less than the corresponding cost and effort to respond and recover. The reactive argument is also familiar: 

Hacking is inevitable, goes the claim, so you’d better be ready to deal with problems as they occur. 

Regarding identities, which are central to every modern cybersecurity approach, the preventive aspect is 

controlled by identity and access management (IAM). Every practitioner will recognize IAM as consisting 

of the registration, administration, protection, and coordination of identities to support access policies to 

data and resources. 



In contrast, the corresponding reactive component for identities is just emerging. Known as identity 

detection and response (IDR), the new approach involves using metadata and telemetry from identities 

to detect, mitigate, and recover from enterprise attacks such as advanced persistent threats (APTs) and 

ransomware. 

Cyber Attack Progression 

Many attack strategies have been proposed including the MITRE ATT&CK framework 1 and the Lockheed 

Kill Chain 2 . The three-step process presented below simplifies these more complex models into the three 

most fundamental phases of every offensive cyber campaign. 

Phase 1: Accessing the Target 

The initial phase of any cyber breach involves exploiting weaknesses in an attack surface to enter a 

protected network, domain, system, or other entity. When crossing a perimeter, such access is referred 

to as a north-south connection, and firewall-based controls are designed to disallow such connection 

based on policy enforcement. Physical perimeters have recently been replaced with software-defined 

ones, but the control objective remains. 

Phase 2: Traversing the Target 

The second phase of a cyber breach involves lateral traversal and privilege escalation, often through 

theft and misuse of credentials and access to resources such as Microsoft Active Directory (AD). When 

this occurs slowly, we refer to the process as dwelling, and one of the toughest challenges for defenders 

involves minimizing attacker dwell time. This report makes the case that IDR offers hope that this 

challenge might be addressed. 

Phase 3: Consummating the Attack 

The final phase involves the attacker consummating the attack, either by exiting the targeted domain with 

stolen data, pushing the button on some integrity or availability attack, or otherwise taking whatever step 

is required to cause the intended consequence of the attack. Once this has occurred, the best that 

defenders can do is to respond, and this report also makes the case that IDR assists in this process. 

1 

https://attack.mitre.org/ 

2 

https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html 



Figure 1. Three-Phase Attack Process Model 

What is Identity Detection and Response? 

The identity detection and response (IDR) strategy involves focusing on obtaining evidence during the 

latter two attack phases shown in Figure 1 that an adversary is traversing the targeted entity and 

preparing to create unwanted consequences. IDR relies on the following strategic protection activities by 

enterprise defenders: 

Establishing Identity Visibility 

With the dissolution of the perimeter, identities have become the new basis for access management. As 

a result, visibility into identity-related attack activity information is now a key source of attack surface risk 

and an indication that security anomalies might be present. This represents a major shift in how intrusion 

detection can be accomplished in the enterprise. 

Protecting Credentials 

One weak or exposed credential can open the door for an attacker. Identity security starts with finding 

and removing exposed credentials. Policy-based controls can also bind credentials to their credential 

stores and prevent misuse. Used in conjunction with concealment and deception technology, 

organizations can also prevent theft and misuse by hiding production credentials and using deception 

lures and fake artifacts to trick attacker tools and divert the attack to decoys. 

Addressing Directory Services 

For many enterprise teams, their most essential identity resource is Microsoft Active Directory (AD). 

Through AD, administrators create new users, groups, and domains to set up policy-based enforcement 



of how PCs, laptops, and other Windows-based services are accessed and managed. Adversaries thus 

target AD to gain domain control. Given that it is intrinsically insecure, the success rate for exploits it is 

generally high. 

Focusing on Privileges 

A key activity in the attack strategy for malicious actors involves escalating privileges and entitlements 

during dwell time and lateral traversal across the targeted enterprise. For this reason, IDR must also 

focus on this privilege-based aspect of an offensive campaign to detect that an anomaly might be present, 

and that some security action will be required. 

Figure 2. A Platform Model for Identity Detection and Response (IDR) 

Commercial implementations of these IDR requirements are beginning to appear – and all seem to tout 

the benefits of early detection of lateral traversal, directory-based probing, and misuse of privileges. 

Enterprise security teams now understand that IDR is emerging as a new required area of control for 

their network. 

Action Plan 

Security teams should develop a plan to determine how best to leverage IDR solutions to reduce cyber 

risk. While the context of each enterprise will vary based on its local systems and infrastructure, most 

teams will benefit by following the steps listed below. 



Step 1: Review of Identity-Related Exposures and Data Collection 

The enterprise team should begin with an inventory of how identity-related vulnerability and live attack 

activity information is being handled today to determine exposures, attack status, and posture. In many 

cases, the answer will be that this is not being done. 

Step 2: Vendor Assessment and Review 

The enterprise team is next advised to perform a commercial IDR platform review. This usually involves 

proof-of-concept testing in either a realistic simulated environment or on a live production network. 

Step 3: Implementation Planning 

Implementation planning involves phased introduction, especially for larger, more complex organizations. 

The goal, of course, is to deploy IDR quickly to begin detecting identity-based exposures and lateral 

traversals that might be occurring in the enterprise. 

To learn more about IDR and what to pay attention to throughout the IDR selection and implementation 

process, check out my recent report sponsored by Attivo Networks. This report provides a plan for 

determining how to use IDR for risk mitigation and highlights the practical use of this technology though 

the Attivo Networks platform. 


Dr. Edward Amoroso, Founder and CEO of TAG Cyber, 

is an experienced CEO, CSO, CISO, University 

Professor, Security Consultant, Keynote Speaker, 

Computer Science Researcher, and Prolific Author (six 

published books). Dr Amoroso is skilled in 

Cybersecurity, Network Architecture, Wide Area 

Network (WAN), Managed Services, and Network 

Design. He has a PhD in Computer Science from the 

Stevens Institute of Technology and is a graduate of Columbia Business School. He Directly served four 

Presidential Administrations in Cybersecurity, and now serves as a Member of the M&T Bank Board of 

Directors, Senior Advisor for the Applied Physics Lab at Johns Hopkins University, Adjunct CS Professor 

at the Stevens Institute of Technology, CS Department Instructor at New York University, and Member 

of the NSA Advisory Board (NSAAB). Dr. Amoroso can be reached at eamoroso@tag-cyber.com. 



Cyber Insurance: What Executives Need to Know Before 

Obtaining Coverage 

By Amanda Surovec, Director of Security Engagement and Claims, Resilience Cyber Insurance 

Solutions, and Shawn Melito, Chief Revenue Officer, BreachQuest 

Introduction 

In the last six months, cyber attacks increased by 29 percent worldwide, as thousands of global 

organizations and insurers can attest to. This trend has been a driving factor for the growth of cyber 

insurance, which has come a long way in the last twenty plus years. However, even then, cyber experts 

were raising the alarm on attacks, calling attention to how easy it was for hackers to successfully breach 

a system and how little legislation there was to ensure breaches were handled appropriately. 

Fast forward twenty years and these concerns have developed into full-fledged crises. Technology, the 

internet and growth of the software as a service (SaaS) industry have led to the majority of sensitive 

customer and company data being located online, and hackers have come to understand the incredible 

value of this data. Not only is this information essential to day-to-day operations but being breached can 

damage customer trust. With so much at stake, cyber insurance has become a top priority for many 

SaaS-based businesses, yet with the rise of cyber threats and a hardening of the insurance market, 

obtaining coverage is becoming more difficult. 



Creating a Game Plan 

On a global scale, cybercrime is expected to reach $10.5 trillion annually by 2025, up from $3 trillion in 

2015. So, when is a company “ready” to purchase cyber insurance? We hear this question a lot in our 

line of work. 

To start, any company that uses a computer system and the internet as part of conducting its business, 

or collects personally identifiable information (PII) of employees, clients, or third-parties, should be 

pursuing cyber insurance if they do not have it already. The specific type of coverage, and how much 

insurance a company should have, can vary greatly based on the size and industry of the organization. 

In order to determine what is best for your company, and to help you prepare to purchase cyber 

insurance, you should start with conducting a cyber risk assessment and request a technical consultation 

with security and insurance broker experts. This risk and technical assessment will help you determine 

any potential gaps or areas for improvement in your organizations’ cyber security program, and help you 

decide what kind and how much coverage to purchase. 

Once you determine your organizations’ specific cyber insurance needs, your insurance broker will help 

you find the right cyber insurance carrier to best serve those needs. Some cyber insurance carriers, such 

as Resilience, provide additional risk management benefits during the procurement process and 

throughout the policy period to help organizations secure coverage and better improve their cyber risk 

posture. 

Dress to Impress 

With a hardening cyber market, securing cyber insurance can be challenging for even security-conscious 

organizations. That said, even before coverage is secured, brokers and insurers work with existing and 

potential clients to mitigate cyber risk. Once it has been determined that your business is ready for cyber 

insurance, executives can work with them to navigate what security actions need to be taken to ensure 

that the cost/risk benefit of the insurance plan will be balanced. 

Those that want to secure coverage should be able to come to the table with a robust cyber security plan 

that details where their data is located and how they protect it. This might include analyzing and 

implementing tools like VPNs and Endpoint Detection and Response (EDR), reconfiguring system 

infrastructure, adding multi-factor authentication, segmenting data and networks to better control access 

to help mitigate doxxing attacks, and utilizing backup functionalities that are tightly air gapped. 

Once set-up, organizations need to test these environments. If security tooling is in place, but done so or 

configured incorrectly, hackers can still breach the system through known vulnerabilities or brute force 

attacks. However, testing can mitigate this drastically, as well as help an organization determine if 

vulnerability management and patching should be done in-house or be outsourced. Security teams 

should also be trained on how to monitor and patch systems, privacy protection protocols and how to 

identify phishing attempts. If they are unable, then these functions must be outsourced. 



Keeping Premiums Low Once Coverage is Secured 

Once secured, cyber insurance premiums can be kept low on renewal by continuously improving upon 

pre-established security postures, a process that can greatly help prevent attacks, such as those from 

business email compromise or ransomware. Still, successful attacks happen and when they do, taking 

the proper steps to mitigate risk can help keep your premiums low. 

If a breach occurs and company data is being held for ransom, companies need to implement strict 

policies that restrict anyone at the organization from reaching out to the threat actor. We have seen many 

cases where someone on either the security or leadership team contacted the hacker and divulged 

information that made the situation even harder to resolve. Examples include providing their names, 

company, whether they have a cyber insurance policy and the value of the data that was taken - giving 

more power to the hacker than intended. Keep in mind, hackers don’t always know who they have 

attacked and how valuable the data they found is. Instead, teams should contact an experienced recovery 

and remediation group, along with their cyber insurance company, to get assistance as quickly as 

possible. With this approach, experts can begin to rebuild company infrastructure even as negotiations 

play out. It might be counter-intuitive to get the bill running sooner, but at the end of the day, it is almost 

always the most cost-effective option. This act reduces the potential business interruption claim, gets a 

head start on recovery and identifies systems that could be re-built or upgraded vs. paid to unlock faster. 

Having your counsel work with regulators when breached has also become more essential than ever. 

Most recently, in September 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control 

(OFAC) produced an updated advisory on the use of digital currencies in ransomware attacks and other 

financial crimes, discouraging companies from simply paying the ransom to regain operational control 

after a successful ransomware attack. While these advisories are aimed at the payment of ransoms to 

sanctioned entities, it also may address the ballooning of ransom demands and spiking cyber insurance 

costs over the past year. 

In working with the client, their counsel, an IR firm and the insurer, the decision to pay a ransom is always 

determined on a case-by-case basis, and only after an expert analysis of the situation can be compiled 

and payment due diligence completed. While there are still times when a ransom is paid, more and more 

often, companies are alternatively using the resources provided by their insurer to remediate and rebuild. 

Even with much of the cyber insurance landscape still in flux, opting into cyber insurance can provide a 

sense of security if a victim of a cyber attack. It can help companies recover after a data breach when 

thousands or even millions of dollars are accrued from business disruption, revenue loss, legal fees, 

forensic analysis and more. To best obtain cyber insurance, working directly with brokers and insurers 

that can provide advice for setting up security tooling and processes and protocols can be a huge boon 

for candidates. Even as coverage is secured, keeping premiums low can be addressed by maintaining 

and improving upon internal and external security practices, which can help mitigate risk further, making 

your systems protected from the majority of inevitable attacks. And, should a breach occur, calling your 

broker, insurance agent and associated firms at the first sign of a breach, such as remediation and 

recovery or those well-versed in OFAC regulations, will enable businesses to get back online faster, with 

more business value intact. 




Amanda Surovec is the Director of Security Engagement and 

Claims for Resilience Cyber Insurance Solutions where she 

oversees client onboarding and the Resilience Ransomware War 

Game Table Top Exercises. Previously, Surovec served as a 

claims manager at Beazley and as a claims specialist at Sphere 

Risk Partners. Surovec attended Penn State University where she 

earned a BA in Human Development and Family Studies. 

Shawn Melito serves as Chief Revenue Officer for BreachQuest. 

He is responsible for marketing and business development 

activities as they relate to the cyber insurance community, 

including breach coaches, cyber insurance companies and 

brokers. He brings over 20 years of management experience to 

his role. Previously, Shawn was a managing director for Kivu 

Consulting and a management consultant, information systems 

analyst, and business unit leader for NPC’s Immersion Data 

Breach Response Service group, a leading notification and call 

center service provider to the cyber insurance community. He is 

a certified information privacy professional (CIPP/US) through 

the International Association of Privacy Professionals (IAPP) and 

a previous member of their Canadian Advisory Board. He has 

chaired and spoken at many cyber insurance industry 

conferences. Shawn has a B.A. from the University of Toronto 

and an M.B.A. from the Richard Ivey School of Business in 

London, Ontario. 



Data Security Must Be a Priority as Employees Quit in 

Record Numbers 

By Tim Sadler, Co-founder and CEO, Tessian 

The massive labor upheaval that dominated headlines in 2021 shows no signs of slowing down. The 

latest U.S. jobs report showed that 4.5 million people voluntarily left their jobs in November of 2021, a 

record high. Whether you call it the Great Resignation, Great Re-evaluation or Great Reshuffle, it’s not 

easing any time soon— and it could be a major data security risk for companies. 

Many companies are hiring remote employees to fill the gaps left by record turnover, creating a wider 

surface area that must be secured. Meanwhile, the influx of employees coming into or leaving an 

organization provides opportunity for more data breaches. This can have serious consequences, from 



potential compliance violations and regulatory fines to a loss of customer trust. Data security must be a 

central focus for IT and security teams as we continue to see the impact of an uncertain labor market. 

Mid-career employees are resigning— and taking data with them 

Turnover trends have shifted since the start of the pandemic. Rather than early-career employees who 

dropped out of the workforce early on to pivot their careers or pursue passion projects, turnover rates are 

now highest among mid-career employees. These employees are likely to be very knowledgeable and 

experienced in their role. They’re looking for more flexibility, better benefits and salary, or a company 

mission that aligns with their values. 

What does this mean for security? Mid-career employees are more likely to have a detailed knowledge 

of an organization’s products, processes and customers. What’s more, they may have greater access to 

sensitive (and potentially lucrative) data. 

Data exfiltration is a widespread problem when employees leave a company. A Tessian report found that 

45% of employees said they’ve “stolen” data before leaving or after being dismissed from a job. The 

Verizon Data Breach Investigations Report found that 72% of staff take some company data with them 

when they move on, although it isn’t always intentional. They also found that 70% of intellectual property 

theft occurs within the 90 days before an employee’s resignation announcement. 

Fortunately, there are signs that security teams can look out for to help spot and avoid data exfiltration. 

The key is to look for anomalous behavior; for example, major changes in email activity, an employee 

accessing documents or files at odd hours, or an increase in data transfers. Email is a popular method 

for these exfiltration attempts— employees will often email files or documents to a personal address— 

so securing this channel before a turnover surge is crucial. It’s also important for security and IT teams 

to be involved in the offboarding process to adjust data access privileges when someone resigns or 

changes their role. 

New staff are vulnerable to external security threats 

New employees who are hired to replace staffing gaps are often vulnerable to external threats like 

phishing and social engineering attacks. This is because they may not have met all their colleagues in 

person, while remote employees may be even less familiar with their colleagues and less able to verify a 

legitimate request. Malicious actors know this and will specifically target new employees in spear phishing 

and social engineering attacks. 

How do malicious actors know who has started a new job recently? All it takes is a quick search on social 

media. A report from Tessian found that 93% of U.S. employees post about a new job on social media 



sites like Facebook or LinkedIn. Cybercriminals use this information to develop targeted scams designed 

to trick new employees into sharing valuable data or login credentials, and even wiring money. 

According to the FBI, $26 billion has been lost to these kinds of business email compromise attacks since 

2016. In one costly example, a scammer posed as the CEO to trick an employee into transferring $17.2 

million to a Shanghai bank account as part of a fake deal to acquire another company. New employees 

in particular may not be familiar with their new CEO and what type of request is abnormal or suspicious, 

so it’s important to train them quickly and effectively. 

Comprehensive cybersecurity training should be part of the early onboarding process for all new 

employees to help avoid these data security risks. Training should be tailored specifically to the unique 

needs and risk factors of new and remote employees and delivered in real-time rather than at mandatory 

quarterly trainings. Basic security hygiene can also be effective at preventing data loss. New and existing 

employees should be consistently reminded of best practices and what to look for in a suspicious email. 

Data security and hiring challenges are intertwined 

No matter the issue — hiring new staff, addressing turnover, or preventing burnout among employees 

that stay in their roles — IT and security teams must be brought in so that data security impacts are 

foreseen and addressed. In these instances, securing the “human layer,” or the employees that handle 

a company’s most sensitive data, should be a priority. 

Securing important communications channels like email and establishing real-time, automated 

cybersecurity training for employees is an important part of the solution. Empower employees to work 

both productively and securely by making them part of the solution. Encourage them to report mistakes 

or suspicious activity to the IT and security team without fear of repercussions. When an employee 

resigns, make sure to walk through data security policies and set clear expectations to avoid inadvertent 

exfiltration. By building these processes into the full lifecycle of an employee’s experience, organizations 

can help prevent The Great Resignation from turning into a data security nightmare. 




Tim is the CEO and co-founder of Tessian. He holds three 

Masters degrees in design, engineering and innovation from 

Imperial College and formerly worked in HSBC's Global 

Banking division. Learn more about Tim on Twitter and at 

Tessian.com. 



Why Building Managers Need to Prioritize Cybersecurity 

By Shaun Cooley, Founder and CEO of Mapped 

In an age increasingly dominated by the internet of Things (IoT), buildings have become elaborate 

networks of software and hardware designed to monitor and control complex mechanical and operational 

systems. Building owners and operators rely on teams of suppliers to install and integrate these systems, 

often across multiple properties. These systems improve the quality of the building for users and 

managers alike. However, each time a supplier connects to your system, that connection can expose 

your building to security threats that can proliferate across your entire portfolio. There are several critical 

ways that cyber attackers can use devices to access a building’s systems, including: 

● 

● 

● 

Open ports that connect to all systems in a building 

Remote support and software update connections 

Search engines like Shodan that can identify servers that are connected to the internet 

There is always a level of risk to integrating, managing and updating a building’s myriad systems. You 

can’t reliably predict the security habits of multiple vendors and managing their systems involves more 



than enforcing physical security. The cloud is a wonderful asset, but multiple connections magnify the 

possibility of security breaches. 

The solution? Move your perimeter to the cloud 

A secure cloud platform that manages access to your systems will improve your security profile and 

reduce risk to your systems. To help mitigate these potential security threats, there are certain key 

features you should look for in a cloud solution. These include: 

Streamlined access to your systems A cloud platform with a single cloud API decreases 

security vulnerabilities because it reduces the number of access points to one. Your suppliers 

integrate their systems through the cloud API instead of ports in multiple buildings. This eliminates 

physical access to your systems and significantly reduces the threat of an on-premises attack. 

Integration with all the devices, systems, and sensors in your environment A building can 

have 50 or more different systems, including BAS, HVAC, lighting controls, Wi-Fi, digital signage 

and more. Your solution should be able to integrate all your systems and provide visibility and 

fine-grain control of the data flow between building systems, devices, sensors, and applications. 

Monitoring capabilities You should be able to track and monitor the current state of all 

environments and control data accessed by internal and external entities. A viable solution should 

have the capability to monitor your environments for operational data, firmware and other updates. 



It should also provide the means for peer communications as an ideal source for detecting 

unexpected changes to the environment and establishing zero-trust policy. You will be able to 

quickly identify any fluctuations in access or data flow that could signal a cyberattack. 

Visibility and fine-tuned control of data When you’re collecting data from multiple vendors, you 

can lose sight of where data is originating, transiting, and landing in your system. A solution should 

let you tag data for easy identification and provide controls that determines who can access the 

data. 

Some solutions provide account-level access to data types, but that leaves a security gap when it comes 

to giving access to actual data. A preferred solution is one where you can tag the data by location, system 

type, or personal identifiable information (PII). For example, if data from a badge reader is tagged as PII, 

you should be able to identify and limit access to that information. 

Protection through a single, secure pipeline solution 

Suppliers plug devices into building systems without thinking of the impact to your overall system. The 

lack of security protocols that led to the Target attack back in 2013 hasn’t remained an isolated incident. 

In 2020, hackers attacked building access control systems and downloaded malware that turned the 

system into a distributed denial-of-service (DDoS) bot. 

As ransomware and other attacks continue to rise, you need a dynamic solution to monitor and protect 

your environment. A secure and reliable API can change the dynamic for managing complex 



environments. Moving access from your physical environment to a cloud platform with a single point of 

access and secure encryption can reduce risk and protect your systems. 


Shaun Cooley is the Founder and CEO of Mapped, the first data 

infrastructure platform for commercial and industrial IoT (Internet 

of Things). In his prior role as VP.CTO for Cisco’s Internet of 

Things (IoT) Business, he was responsible for Cisco’s long-term 

IoT technology strategy. This included shaping product 

architecture, security, privacy, and technology partnerships, as 

implemented by Cisco’s IoT business, advising governments on 

IoT regulation, driving Cisco’s participation in IoT related 

standards bodies and consortia, and championing innovation to 

solve existing or anticipated industry needs. 

Prior to joining Cisco, Shaun was a Distinguished Engineer for Norton, by Symantec, where he was a 

driving force in Norton’s shift from utilities to security. Over his 18-year tenure, Shaun contributed to the 

creation and advancement of offerings in the Norton portfolio – a product portfolio that produces over $2 

Billion in annual revenue. 

Shaun has over 25 years of industry experience, holds a master’s degree in computer science from 

University of Illinois, and is a Certified Information Systems Security Professional (CISSP). He is named 

inventor on 121 issued United States patents with over 100 more pending. He is an active angel investor 

and a start-up mentor through Acceleprise SF and advisor for Deep Angels. Shaun was previously a 

director of the Open Connectivity Foundation and former board member of Attivo Networks. 

Shaun can be reached on Twitter at @shauncooley and, and more information can be found about 

Mapped at mapped.com. 















































CyberDefense.TV now has 200 hotseat interviews and growing… 

Market leaders, innovators, CEO hot seat interviews and much more. 

A division of Cyber Defense Media Group and sister to Cyber Defense Magazine. 



Free Monthly Cyber Defense eMagazine Via Email 

Enjoy our monthly electronic editions of our Magazines for FREE. 

This magazine is by and for ethical information security professionals with a twist on innovative consumer 

products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our 

mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best 

ideas, products and services in the information technology industry. Our monthly Cyber Defense e- 

Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare 

arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of 

sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here 

to sign up today and within moments, you’ll receive your first email from us with an archive of our 

newsletters along with this month’s newsletter. 

By signing up, you’ll always be in the loop with CDM. 

Copyright (C) 2022, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G. 

SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a 

CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com, 

CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability 

Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465, Cyber 

Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS# 

078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com 

All rights reserved worldwide. Copyright © 2022, Cyber Defense Magazine. All rights reserved. No part of this 

newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, 

recording, taping or by any information storage retrieval system without the written permission of the publisher 

except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of 

the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may 

no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect 

the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content 

and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at 



276 Fifth Avenue, Suite 704, New York, NY 1000 

EIN: 454-18-8465, DUNS# 078358935. 

All rights reserved worldwide. 


www.cyberdefensemagazine.com 

NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA) 

Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 02/02/2022 



Books by our Publisher: https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guys-ebook/dp/B07KPNS9NH 

(with others coming soon...) 

10 Years in The Making… 

Thank You to our Loyal Subscribers! 

We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know What You Think. It's mobile 

and tablet friendly and superfast. We hope you like it. In addition, we're past the five nines of 7x24x365 

uptime as we continue to scale with improved Web App Firewalls, Content Deliver Networks (CDNs) 

around the Globe, Faster and More Secure DNS and CyberDefenseMagazine.com up and running as an 

array of live mirror sites and our new B2C consumer magazine CyberSecurityMagazine.com. Millions of 

monthly readers and new platforms coming…starting with www.cyberdefenseconferences.com this 

month…

Cyber Defense eMagazine February Edition for 2022

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?