CS Mar Apr 2022

Computing
Security
Secure systems, secure data, secure people, secure business
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
The Cloud Conundrum
Often hailed as the way forward, why is
cloud sometimes poorly protected?
IT equipment junked
Many devices are dumped
before end of working life
Virtual world,
real danger
The Metaverse spells much
promise - and many perils
Global menace
Vulnerabilities pave way for
all-out ransomware attacks
Computing Security March/April 2022

comment
ALTERING THE BALANCE OF POWER
There is still a clear
lack of diversity and
inclusion in tech.
Early in March, on
International Women's Day,
this discrepancy was
highlighted, encouraging
many to re-evaluate their
organisations, hiring
practices and more.
As a female founder and
CEO of a cybersecurity
company, International
Women's Day was
incredibly important to Camellia Chan, CEO and founder X-PHY, a Flexxon brand (AIcybersecurity
company) - pictured above. "I'm a firm believer that diverse talent is crucial
to the industry, especially as we witness an upheaval in innovation and digital
transformation," she states.
Despite this, the number of tech roles held by women increased by a mere 2% in
2021, she points out.
How can a better balance be achieved? "We need to empower women from a young
age and encourage them to be ambitious," she comments. "Seeing women in highpowered
roles is excellent and proactivity is key to ensuring they stay there. Businesses,
too, have a crucial role to play. Hiring and recruitment practices are incredibly important
and, with visible female role models and leaders in the industry, we encourage women
to envision a future in tech."
Put simply, she adds, diverse talent brings new perspectives and innovation. "Talented,
driven women - as well as employees of different ages, nationalities and domains -
create an impactful environment by challenging norms, building competencies and
championing excellence."
While progress has been made, she concludes, "we need to remember there is still
work to be done in the world of cybersecurity and tech. We must be more dedicated
than ever to inspiring, encouraging and influencing women".
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
Lyndsey Camplin
(lyndsey.camplin@btc.co.uk)
+ 44 (0)7946 679 853
Stuart Leigh
(stuart.leigh@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2022 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk Mar/Apr 2022 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security March/April 2022
contents
CONTENTS
Computing
Security
The Cloud Conundrum
Often hailed as the way forward, why is
cloud sometimes poorly protected?
IT equipment junked
Many devices are dumped
before end of working life
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
Virtual world,
real danger
The Metaverse spells much
promise - and many perils
COMMENT 3
Altering the balance of power
Global menace
Vulnerabilities pave way for
all-out ransomware attacks
ARTICLES
NEWS 6 & 8
Ransomware's next big victim
Malware steals details in '30 minutes'
Return to office sparks danger fears
Adarma research findings reveal
ransomware disconnect
Cloudflare swoops in to buy up Vectrix
BETTER INFORMATION SECURITY:
ALL IN THE MINDSET 10
Paul Harris, Managing Director, Pentest
Limited, discusses what is needed for
successful information security
improvement
THE CLOUD CONUNDRUM 18
Cloud, in its various shapes, is often hailed as
the way forward - so why is it sometimes so
poorly protected? Computing Security finds
out where the cracks are in an increasingly
cloud-laden age
THE MSP ATTACK TARGET 12
NHS BREACHES - WHAT NEXT? 24
Managed services providers are fast
NHS data leaks are all too frequent.
overtaking their customers as a primary
Particularly disturbing recently was how
target, according to recent research
the private medical information on tens of
VIRTUAL WORLD, REAL DANGER 14
thousands of patients was hacked. Have
The Metaverse is a virtual reality world
we all but reached the point where nothing
characterised by a 3D multi-sensory
can be protected anymore?
experience - and many dangers
ESET AND INTEL JOIN FORCES 15
ESET has set out to integrate Intel Threat
Detection Technology into its multilayered
cybersecurity technology suite
RANSOMWARE: GLOBAL MENACE 28
GETTING RIGHT TO THE
With many organisations using outdated
HEART OF YOUR DATA 16
and ineffective technology and corporate
Businesses now have tools and software
strategies, the fear is they could soon be
platforms galore to run their operations.
victims of an all-out attack
Nick Evans, Sales & Marketing Manager,
Geolang, looks at what this means for
data management
UKRAINE’S CALL FOR CYBER HELP
PROMPTS RAPID RESPONSE 21
An international team commits to help
defend the country from cyber-attacks
LOGJAM OF CONCERNS 32
Log4shell is a critical vulnerability in the
I.T. EQUIPMENT JUNKED EARLY 22
Many UK businesses admit to disposing
logging tool Log4j, used by millions of
of devices and IT equipment before they
computers worldwide. Some months on,
reach the end of their useful working life
although fixes have been issued, they
will still need to be implemented and it
PRODUCT REVIEW 11
appears this has been far from universal.
Hornetsecurity 365 Total Protection
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk
4

news
Jake Moore,
ESET
NEW MALWARE NEEDS 30 MINUTES
TO STEAL YOUR DETAILS
Anew malware only needs 30 minutes
to steal your details. That's the new
finding from Bleeping Computer.
The widespread malware known as
Qbot (aka Qakbot or QuakBot) has
recently returned to light-speed attacks
and, according to analysts, it only takes
around half an hour to steal sensitive
data after the initial infection.
According to a new report by DFIR,
Qbot was performing these quick datasnatching
strikes back in October 2021
and it now appears that the threat
actors behind it have returned to similar
tactics.
SYSTEM PRIVILEGES GAINED
The initial access is typically achieved
via an Excel (XLS) document that uses
a macro to drop the DLL loader on the
target machine. This payload then
executes to create a scheduled task via
the msra.exe process and elevates itself
to system privileges.
Additionally, the malware adds the
Qbot DLL to Microsoft Defender's
exclusion list, so it won't be detected
when injection into msra.exe happens.
"The quicker malware can execute, the
more chance it has of performing its
mission before it is detected," says Jake
Moore - pictured top - former head of
Digital Forensics at Dorset Police, now
the global cybersecurity advisor at ESET.
"It is vital that people are aware of
attachments in emails, even from known
senders, and to question whether they
really need to edit the document."
GOVERNMENTS ARE RANSOMWARE'S NEXT BIG VICTIM
Asustained meteoric rise in ransomware is identified in a
Bill Conner, SonicWall
new report, with 623.3 million attacks occurring globally.
Nearly all monitored threats, cyberattacks and malicious
digital assaults rose in 2021, including: ransomware,
encrypted threats, IoT malware and cryptojacking.
"Cyberattacks become more attractive and potentially more
disastrous as dependence on information technology
increases," states SonicWall president and CEO Bill Conner
in the wake of the company's 2022 SonicWall Cyber Threat
Report. "Securing information in a boundless world is a near
impossible and thankless job, especially as the boundaries of
organisations are ever-expanding to limitless endpoints and
networks." SonicWall Capture Labs recorded 318.6 million
more ransomware attacks than 2020 - a 105% increase.
Ransomware volume has risen 232% since 2019.
CLOUDFLARE SWOOPS IN TO BUY UP VECTRIX
Cloudflare has acquired Vectrix, a provider of one-click
visibility and control across their SaaS applications.
Vectrix is reported to enhance Cloudflare's existing Zero Trust
platform, Cloudflare One, by allowing security teams to scan
third-party tools - including Google Workspace, GitHub and
AWS - to detect and mitigate issues such as inappropriate
file sharing and user permission misconfigurations.
"Tens of thousands of organisations rely on Cloudflare One's
Zero Trust platform to keep their teams and data secure,"
says Matthew Prince, co-founder and CEO of Cloudflare.
"Cloudflare's global network blocks attempts to compromise
data at multiple levels while accelerating traffic to the
Internet. We're excited to welcome the Vectrix team to
Cloudflare to help deliver the fastest, most secure, and
robust Zero Trust platform for the enterprise."
BITDEFENDER PLEDGES SUPPORT TO UKRAINE
Matthew Prince,
Cloudflare
Bitdefender is now offering its cybersecurity
Florin Talpes,
expertise to Ukraine, in the wake of the
Bitdefender
Russian invasion. The company has expanded
its collaboration with Romania's National Cyber
Security Directorate (DNSC) to provide that knowhow,
threat intelligence and technology free "to
support the people of Ukraine and its allies".
Says Florin Talpes, co-founder and CEO of
Bitdefender: "We are deeply saddened by the
unprovoked brutal act of war against the free people of Ukraine and are committed to doing
what we can to support them and our NATO allies. As proud Romanians and a company of
global citizens, we stand with our northern neighbours who bravely fight for their future."
6
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

Strengthen your data resilience with
Immutable Backup from Arcserve
Buy an Arcserve Appliance secured by Sophos,
and get OneXafe immutable storage!
Arm your business with a multi-layer protection approach to strengthen your overall data resilience. Arcserve
brings you data backup, recovery, and immutable storage solutions with integrated cybersecurity to defeat
ransomware and provide the best-in-class data management and data protection solution in the market.
Arcserve UDP Data
Protection Software
Unified data and ransomware
protection to neutralize
ransomware attacks,
restore data, and perform
orchestrated recovery.
Arcserve Appliances
All-in-one enterprise backup,
cybersecurity, and disaster
recovery, with multipetabyte
scalability.
StorageCraft OneXafe
Immutable Storage
Scale-out object-based NAS
storage with immutable
snapshots to safeguard data.
Get multi-layer protection!
SCAN HERE

news
THE CYBERTHREAT HEAT IS ON
Menlo Security has identified a surge in
cyberthreats, termed Highly Evasive
Adaptive Threats (HEAT), that bypass
traditional security defences.
HEAT attacks are a class of cyber threats
targeting web browsers as the attack vector
and employs techniques to evade detection
by multiple layers in current security stacks
including firewalls, Secure Web Gateways,
sandbox analysis, URL Reputation and
phishing detection.
HEAT attacks are used to deliver malware
or to compromise credentials, which in
many cases leads to ransomware attacks.
In an analysis of almost 500,000 malicious
domains, The Menlo Security Labs research
team discovered that 69% of these websites
used Highly Evasive Adaptive Threats tactics
to deliver malware.
These attacks empower bad actors to
deliver malicious content to the endpoint
by adapting to the targeted environment.
Since July 2021, Menlo Security has seen
a massive 224% increase in HEAT attacks.
Says Amir Ben-Efraim, co-founder and CEO
of Menlo Security: "An industry report found
that 75% of the working day is spent in
a web browser, which has quickly become
the primary attack surface for threat actors,
ransomware and other attacks.
“The industry has seen an explosion in the
number and sophistication of these highly
evasive attacks," he continues, "and most
businesses are unprepared and lack the
resources to prevent them."
ADARMA RESEARCH FINDINGS REVEAL RANSOMWARE DISCONNECT
UK independent cyber threat management company
John Maynard, Adarma
Adarma has released research findings into how
organisations perceive today's threats and how prepared
they are to respond. "Ransomware is at epidemic levels and
there is a disconnect between organisations' confidence in
their levels of preparedness in the face of an attack and what
we are seeing on the ground," says John Maynard, chief
executive officer at Adarma.
"With almost 60% of UK businesses with more than 2,000
employees having experienced a ransomware attack, it is
critical that we elevate this risk within our own organisations."
The research - from a ransomware study of 500 C-level
executives at UK businesses with over 2,000 employees -
found that a worrying 58% of respondents have experienced
a ransomware attack.
RETURN TO THE OFFICE OF EMPLOYEES SPARKS MANY DANGERS
With COVID restrictions lifted and employees
increasingly returning to their offices, it's
Chris Vaughan, Tanium
important for IT teams to consider all the risks that
are associated with this move, says Chris Vaughan,
AVP - technical account management, Tanium. "It's
time for IT departments to consider that employees
returning to the office and reconnecting their devices
to the corporate network may increase risks.
Employees working off personal laptops, tablets and
mobiles often carry higher cybersecurity risks, due to
issues like not having up to date patches installed.
"There is a possibility that they will unknowingly bring
in devices that are infected with malware, trojans,
viruses etc that have laid dormant until this point,
ready to spread when an opportunity occurs."
OLD I.T. EQUIPMENT DITCHED PREMATURELY, ACCORDING TO NEW STUDY
Anew study by EuroPC has revealed that nearly
three quarters of UK business owners throw
their old or broken IT equipment away, with
laptops, servers and routers the most common
items disposed of.
Moreover, 59% of UK businesses have thrown
away a piece of equipment before it broke and
still had life left in it. More than half surveyed
admitted that they switch out their IT equipment
and devices every three to five years, on average.
More encouragingly, some 87% of business owners surveyed confirmed that they want to
make greener tech choices in the future.
8
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

ehavioural insights
INFORMATION SECURITY
IMPROVEMENT - IT'S ALL
IN THE MINDSET
PAUL HARRIS, MANAGING DIRECTOR
AT PENTEST LIMITED, TALKS ABOUT
THE MINDSET THAT IS NEEDED FOR
SUCCESSFUL INFORMATION
SECURITY IMPROVEMENT
Whether you're looking to get fit,
learn a new language or improve
your information security, starting
any improvement process can be difficult.
You're going to have to learn skills,
understand new concepts, think about
things differently and, most importantly,
put the effort in. It's not going to be easy,
but with consistent effort in the right areas,
improvements will follow.
However, for many, improvement efforts
aren't consistent. Many do the hard work of
getting started, achieve some of the desired
benefits and then think it is time to ease
off, to take a foot off the accelerator and
continue the same process. Improvements
will surely continue, right? Wrong - that's
where the improvement process slows
down or even comes to a grinding halt.
IMPROVEMENT NEVER STOPS
The truth is that the improvement process
never truly stops. One week you're riding
high, feeling like you've mastered it, the next
week you realise you've barely scratched the
surface. Perfection is unattainable. That
'perfect' body is always just out of reach,
fluency in a second language doesn't mean
that you know everything and being 100%
secure just isn't possible.
The improvement process should never be
about achieving perfection. It's about having
a growth mindset, one that embraces
challenges and effort, striving for progress,
rather than perfection. You only have to look
at some of the world's top-performing teams
and organisations to see this mindset in
action. Yes, they demand results, but it isn't
about seeking perfect results; it's about
challenging themselves to do better, time
and time again. If they're not moving
forward, then they're falling behind.
When it comes to information security, this
progressive mindset has been one that has
been developing, albeit slowly. For many
years, information security was seen as
a nice to have and, if you didn't have
dedicated security personnel, or a large
security budget, then the chances are
security was seen as an afterthought. But
times have quickly changed, end users are
now increasingly aware of their data and
how it is protected, clients and suppliers are
now demanding robust security assurances
before entering into contracts, there is
increased awareness of the impact successful
breaches can have and regulations such as
GDPR have quickly pushed information
security up the agenda.
'TICK-IN-THE-BOX' EXERCISE
But there is still a lot of work to be done;
many organisations still see information
security as a tick-in-the-box exercise and
many have plateaued when it comes to
their improvement efforts. Any security
improvement work is better than none,
but basic checks and comfortable well-worn
processes won't deliver major improvements
or supply the continuous assurances that
many now need.
Progressive companies are now demanding
more, in terms of their security: from themselves,
from suppliers and from security
partners. And it's these companies that will
see the greatest improvements. So, you
have to ask yourself, have you got the right
mindset when it comes to your information
security improvement efforts and, if not, are
you up for the challenge?
10
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

product review
HORNETSECURITY 365 TOTAL PROTECTION
The concerted move to home and
hybrid working practices has seen
cloud services uptake increase
exponentially and none more so than
Microsoft 365. This popularity brings its
own challenges, though, as Microsoft 365
has become one of the top targets for
cybercriminals and yet its email security
features are comparatively limited.
The safest course of action is to adopt
a multi-layered defence, using a third-party
specialist product to bolster Microsoft's
native security tools, and Hornetsecurity
365 Total Protection looks a great choice.
It delivers a highly affordable solution
that's easy to deploy and its wealth of
email security measures include artificial
intelligence (AI)-based protection.
Three options are available with the
Business package, providing all key threat
defence measures, along with live email
tracking, compliance filtering and content
control. The Enterprise version includes
ATP (advanced threat protection) cloud
sandboxing, 10-year email archiving,
forensics analysis tools, e-discovery and
continuity services, while the Backup
package adds automated backup and
recovery for mailboxes, Teams, OneDrive
plus SharePoint and even Windows
endpoints.
We tested 365 Total Protection in a live
environment and found the 30-second
deployment claim quite achievable. After
changing our MX records, we used the
registration link to authenticate with our
Microsoft 365 account and sat back while
the setup routine created the necessary
connectors for inbound and outbound mail
processing by the Hornetsecurity servers.
Protection is instant, as the default
settings enable full spam and malware
protection, which block suspect emails
before they reach your mailbox. Nuisance
newsletters and mass marketing campaigns
are handled efficiently by the Infomail filter,
which uses over 15,000 heuristics to weed
them out.
We could keep a close eye on the action,
as the cloud portal's live email tracking view
shows logs of all inbound and outbound
email activity. Emails are colour-coded to
clearly show their classification and we
could view all details about each one,
including header information.
The list can be refined with filters and
each message provides a drop-down menu
for adding the sender to deny or allow lists,
reporting it as spam or releasing it with the
Enterprise version, ensuring suspect emails
are passed to the ATP service for further
examination. Self-service features enable
users to review emails in their personal
portal and release them, if permitted,
while regular reports showing spam activity,
quarantined attachments, plus the reasons
for rejection, are sent to each user.
Performance is excellent as, during our
month-long live tests, not a single suspect
message slipped past Hornetsecurity's
defences. The content control service
also worked well, with it removing
encrypted attachments and those
containing executables or Word, Excel
and PowerPoint files with macros.
The compliance filter provides more
granular control of emails by applying
data leak prevention rules to outbound
messages that look for keywords in the
body, subject and attachment and rejects
them, if a match is found. Another valuable
feature is enforcing rule-based encryption for
specific outbound messages, with recipients
receiving a web link to view them securely.
The Enterprise ATP service deals efficiently
with emails containing malicious URLs,
content or attachments and its URL rewrite
feature opens a web session to a secure
proxy to check where the link connects to
and if threats are present. Spear phishing
emails are dealt with by the targeted
forensics filter, which identifies spoofed
addresses, determines the message intent
and sees if it is attempting to fool users into
handing over passwords.
Hornetsecurity 365 Total Protection
impressed us with its swift deployment,
extensive mail security measures and flawless
performance. Furthermore, it's perfect for
small business and enterprises alike, as all
three packages are offered at very attractive
prices.
Product: 365 Total Protection
Supplier: Hornetsecurity
Web site: www.hornetsecurity.com
Contact: +44 2030 869-833
Email: sales@hornetsecurity.com
Price: Business from £1.75 per user per
month (exc VAT)
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2022 computing security
11

MSP insights
THE MSP ATTACK TARGET
MANAGED SERVICES PROVIDERS ARE QUICKLY OVERTAKING THEIR CUSTOMERS AS
A PRIMARY TARGET, ACCORDING TO RESEARCH THAT HAS RECENTLY BEEN RELEASED
Lee Robinson, Meta Eagle: the industry has
a major role to play in guiding businesses
down the right path.
Attacks on MSPs - managed service
providers - and their customers have
almost doubled in the last 18 months,
while security remains a top growth
opportunity.
Research conducted by an independent
research firm and commissioned by N-able
has found that managed services providers
are quickly overtaking their customers as
a primary target for cybercriminals. The
findings also reveal that, while 90% of the
surveyed MSPs suffered a cyberattack in
the last 18 months, the number of attacks
these MSPs are preventing has almost
doubled, from 6 to 11.
The report, 'State of the Market: The New
Threat Landscape', reflects the responses of
500 participants - sourced from the US and
Europe by an independent research team -
about their security experiences before the
COVID-19 pandemic and today to discover
what had changed. There has been an
assumption that the increase in hybrid
working has meant a shift in how threat
attackers are operating. N-able's research has
been looking at that shift and what it means
for MSPs.
"MSPs have worked tirelessly throughout
the pandemic to ensure that the businesses
they support can stay online and connected
as circumstances changed," comments Dave
MacKinnon, chief security officer, N-able. "But
the cybercriminals they're protecting against
are working equally as hard to make use of
these shifts against their targets. MSPs need
to understand how the threat landscape
continues to evolve, and make the changes
needed to protect both their customers and
themselves, and make the most of the
enormous opportunity that enhancing
security provides."
The N-able research reveals:
Almost all (90%) MSPs have suffered a
successful cyberattack of some sort in the
last 18 months and the same amount
have seen an increase in the number of
attacks they are preventing each month.
On average, the number of attacks being
prevented has risen from six to 11
82% of MSPs have also seen attacks on
their customers rise, though not quite at
the same rate, with an average of 14
attacks prevented per month
While some progress is being made on
important security processes, such as
automating backup, many basics are still
not in place. For example, while most
MSPs offer two-factor authentication to
their customers, only 40% have
implemented it in-house
DDoS and ransomware are among the
main attacks MSPs are detecting, but the
top attack remains phishing
The effects of cyberattacks are wide
ranging. Over half of MSPs say that
financial loss and business disruption
resulted after a cyberattack, but many said
they have lost business (46%), suffered
reputational effects (45%) and even seen
their customers suffer a loss of trust
(28%). While MSP budgets are only
increasing at an average of 5%, they are
focusing this extra investment on key
areas, including data security, cloud
security and infrastructure protection.
There's good news, too. The majority of
SMEs, seven in every 10, are planning to
increase their security budget. The one outlier
is France, but, even there, six in 10 SMEs are
increasing their budgets, according to the
report. "Of the rest, most are maintaining
the same budgets, with only 2% looking to
12
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

MSP insights
decrease budgets. The increases are
substantial, an average of 7%. Given recent
circumstances, this is a solid investment by
businesses in security. For MSPs, this means
there is a big opportunity available. For many
customers, they do not have to work hard to
convince them that security is important and
needs investment; rather, the conversation
needs to be about where the money should
be spent and how to make the most of this
increase.
"SMEs are keen to spend this increase on
data security and cloud security, with identity
access way down the priority list. MSPs
should follow their customers' lead to an
extent when offering additional and improved
services, but should also remember that they
are the experts."
WHERE ARE MSPS SPENDING THEIR
MONEY RIGHT NOW?
The most common security tools receiving
this extra investment include data security,
cloud security, and infrastructure protection.
Identity access is the least common
investment. "The toolsets MSPs are
implementing include data encryption,
antivirus and multifactor authentication.
There are also some interesting regional
variations, with French MSPs investing heavily
in VPNs, while the UK and Germany are
putting money into email filtering solutions."
"Automating key functions is critical to
making headway against cybercriminals,"
adds N-able. "Automated backups are the
most common form of automation used by
MSPs to keep their customers' businesses
secure, used by 85% of all respondents."
LAST LINE OF DEFENCE
Backup is seen as crucial - the last line of
defence - and MSPs must be able to recover
customers' data and systems, no matter what.
"In general, backup is provided to most
customers, but of major concern is the fact
that only 40% of businesses are backing up
workstations every 48 hours or less."
THREAT GROWS GREATER
Lee Robinson, co-founder and director, Meta
Eagle, is equally alarmed by the way in which
MSPs are being singled out. "As this report
reveals, the threat among the MSP
community is becoming increasingly real.
"And now we're seeing our customers
becoming more aware to exploits and
vulnerabilities out there in the world. They
want to actively engage in conversation, so
they can understand how best they can be
protected," he points out.
"The industry has a major role to play in
guiding businesses down the right path. This
includes a cultural shift from having an IT
partner that is simply looked at as a bottomline
cost, but more of an investment into
your business. Strong IT support, while
empowering you to work from anywhere,
should also secure your data, mitigate risk
and put contingences in place, should the
worse happen."
MUTI-FACETED PROBLEM
Lisa Niekamp-Urwin, CEO, Tomorrow's
Technology Today, points to the "shocking
statistics" within the report regarding the very
real cyber threat for the MSP community and
says it "speaks to the need to address the
issue from many sides".
In particular, she says hygiene becomes
a critical factor - "removing admin rights,
MFA, EDR, MDR, backup, log retention,
monitoring, hardening, the list goes on and
on. When I joined this MSP twenty years
ago, I didn't anticipate having a security
engineer on staff full-time. Yet, here we are -
it's a huge priority".
In today's climate, she adds, the industry
needs to step up its game. "MSPs need to do
their research, understand and listen to what
is happening to their community; interrogate
their stack and make sure there are no holes.
And follow the golden rule…. MFA [multifactor
authenticate] everything!"
Dave MacKinnon, N-able: MSPs need
to understand how the threat landscape
continues to evolve and make changes to
protect themselves and their customers.
Lisa Niekamp-Urwin, Tomorrow's
Technology Today: MSPs need to do their
research, understand and listen to what is
happening to their community.
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2022 computing security
13

metaverse
VIRTUAL WORLD, REAL DANGER
THE METAVERSE IS A VIRTUAL REALITY WORLD
CHARACTERISED BY A 3D MULTI-SENSORY EXPERIENCE -
AND ALSO MANY DANGERS
Francis Gaffney, Mimecast: each metaverse
uses its own economy, giving rise to
countless new cryptocurrencies.
As the buzz surrounding the emergence
of what has become known as the
'metaverse' increases, many are raising
concerns about the potential risks in an
environment where the boundaries between
the physical and virtual worlds continue to blur
- and amongst those sharing this alarm is
weforum.org.
"Addressing the necessity of constructing
trusted ecosystems within the technologies
developed for the metaverse is a critical
consideration," it states. "These trusted
ecosystems will constitute building in
algorithms, structures, frameworks,
regulations and policies within hardware and
software development cycles to address the
distinct elements of safety, privacy and security
within the DNA of the technology."
SERIOUS RISKS EMERGING
With Microsoft, Google and ,most recently,
Disney all working towards a profoundly
augmented reality, there is real potential for
an explosion of growth to an already trilliondollar
market. That is where security concerns
arise for Francis Gaffney, director of Threat
Intelligence at Mimecast. "Despite claims
that virtual worlds will be subject to the
forthcoming Online Safety Bill and stringent
UK regulation, the risk of any new technological
revolution should not be underestimated
and serious risks are emerging as
more users adopt the metaverse concept,"
warns Gaffney.
As companies in the metaverse can monitor
physiological responses and biometric data,
such as voice recognition and heart-rate
sensors, there is much concern that the vast
amount of data collected and stored online
will form an increasingly attractive target for
the growing number of advanced cyber
criminals. "This depth of information being
stored online means that theft of metaverse
user accounts, their unique access, or
biometric data will become commonplace in
the virtual world," he adds, "as cyber criminals
look to either steal or 'spoof' biometric data
and commit identity theft."
As we shift from stealing passwords to
stealing fingerprints and move towards crimes
being committed through digital transactions,
the virtual world is becoming increasingly
difficult to police, he says. "Another target for
criminals will be new cryptocurrencies. Each
metaverse uses its own economy, giving rise to
countless new cryptocurrencies. In these virtual
economies, portability and secure exchange
offices are required. Maintaining security of
these will be a major challenge as threat actors
will be hoping to launder 'money' and exploit
currency exchanges in this domain."
Additional security consideration includes
exposing younger users to harm, grooming
and radicalisation in a setting with little
regulation and the growing trend of
'hacktivism'. "While, a serious violation can
lead to a ban, there's nothing stopping these
individuals from creating a new account,"
Gaffney points out. "Having a persistent avatar
linked biometrically to a person in the physical
domain may go some way to limit this, but
this raises debates around individual human
rights and privacy."
THE FIGHTBACK
So, how do we deal with the ongoing and
ever more complex challenges around data
storage and security? "The metaverse must
differentiate themselves from the competition
by providing 'good security'," he advises.
"To achieve this, preparatory work needs
to be done by security organisations to
understand the risks and deploy the right
cybersecurity resources, in order to establish
a virtual environment that everyone can enjoy
safely and without consequence."
14
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

joint venture
ESET AND INTEL JOIN FORCES
MOVE AIMS TO ENHANCE ENDPOINT SECURITY WITH HARDWARE-BASED RANSOMWARE DETECTION
ESET has set out to integrate Intel
Threat Detection Technology
(Intel TDT) into its multi-layered
cybersecurity technology suite.
"Recognising the complex and evolving
nature of ransomware, an ever more
formidable threat to customers' work
and personal lives, ESET will enhance its
software-based detection technologies
with a ransomware detection only Intel
hardware can deliver," says the company.
With continuous progress in technological
innovations often bringing new
tools for the sustained growth and
security of SMBs, the integration of Intel
TDT aims to ensure that ESET endpoint
security software running on Intel-based
PCs can "deliver superior ransomware
protection", adds ESET.
States Elöd Kironský, chief of Endpoint
Solutions and Security Technologies at
ESET: "This collaboration recognises
the immediate boost in ransomware
protection that integrating Intel's
hardware-based ransomware detection
technology can deliver. Tapping into
telemetry at the CPU level is an effective
step we can take to enable improved
tracking of malicious encryption.
Basically, for ESET this means exposing
ransomware as it attempts to avoid
detection in memory. ESET has always
believed in the multi-layered approach
and, by adding the silicon layer, we
recognise that hardware-based security
is the next milestone in battling threats."
Due to the devastating impacts of
past ransomware attacks and the evergrowing
complexity of maintaining
secure endpoint defences, ransomware
remains a top concern right across the
industry. In order to better address this,
integrating ransomware detection
improvements to ESET endpoint security
solutions will seek to deliver enhanced
immunity to most detection bypasses.
"Furthermore, with Intel TDT machine
learning constantly evolving and
progressing, the ability of ESET endpoint
security solutions to detect derivative
variants of ransomware threats will
progress in lockstep," continues the
company.
PARALLEL BENEFITS
For ESET and its clients, the value
proposition of this collaboration is said
to lie in the parallel benefits of using
Intel TDT machine learning models to
assist with the detection of ransomware
and simultaneously offloading these
processing demands to the Intel
integrated graphics controller (GPU),
in the process keeping overall system
performance high.
"Low impact to system performance is
an area that ESET has always prioritised
within its multi-layered software
architecture," points out Kironský, "and
is a key selling point for many of our
clients. Leveraging tech that can help
us with prevention and protection,
while also preserving performance, is
a win-win choice."
The benefits of this integration will
become available later this year in an
upcoming release of ESET's endpoint
security products. In the first round of
releases, ESET will focus on endpoints
with 9th Gen and newer Intel Core and
Intel vPro Windows-based PCs, which
Elöd Kironský, ESET: his company
"recognises that hardware-based security
is the next milestone in battling threats".
are capable of leveraging Intel TDT "outof-the-box".
Adds Carla Rodriguez, senior
director Ecosystem Partner Enablement,
Intel Corp: "Ransomware impacts both
small businesses and large enterprises
and can result in economic fallout
on a global scale. ESET's ransomware
optimisations will work across both Intel
vPro Enterprise and our new Intel vPro
Essentials targeted for SMBs.
"This delivers a compelling hardware
and software bundle that delivers rightsized
security for businesses of any size
and delivers higher efficacy security when
ESET software is run on Intel-based PCs.
This is a major step forward to turn the
tide against ransomware."
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2022 computing security
15

compliance
GETTING TO THE HEART OF YOUR DATA
TOP COMPANIES NOW USE A RAFT OF TOOLS AND SOFTWARE PLATFORMS TO RUN THEIR OPERATIONS.
NICK EVANS, SALES & MARKETING MANAGER, GEOLANG (PICTURED BELOW) LOOKS AT THE IMPLICATIONS
THIS HAS FOR DATA MANAGEMENT
Today, it is more important than ever
to have a solid understanding of your
data, but with an increasing number
of business systems being used, it's also
harder than ever before to have this
understanding. Since the implementation
of GDPR, the UK has reported 40,026
personal data breach notifications, with
8,355 being reported in 2020 and 9,490
in 2021 - a 13.6% increase in one year.
(ITPro.co.uk - Sabina Weston - Jan 2022)
From CRMs to ERPs, payrolls to
inventories, data runs everything and
businesses are now collecting more of it
than ever before, but what does this mean
when you're having to work in line with
localised data compliance laws (eg, GDPR,
HIPPA, CCPA etc)?
Sure, some of the collected information
isn't a problem - anyone knowing how
much handwash they have in their
cleaning cupboard is only a good thing
now - but storing GDPR-related data is
a whole different story.
Top companies today use an average of
37 different tools or software platforms
to run their day-to-day operations. On
average, small to medium-sized businesses
in 2022 use nearly 10 (9.6, to be exact)
business systems operationally, with larger
businesses using up to a staggering 37
systems. That's a lot of solutions that tend
to store a lot of the same information
(first/last names, email addresses, postal
addresses, dates of birth, financial
records, health records etc). So, how
easy is it to understand what is going
on inside all these different systems -
all the endpoints (Windows, Mac, Linux
machines) and the fileservers that run
a business in 2022? Simply put, it's not
easy at all.
WHY DO I NEED TO UNDERSTAND
WHAT MY DATA LOOKS LIKE?
If you don't understand what data is
being stored inside your digital estate,
how can you confidently know that you
are operating inside your local data
compliance laws? Since its inception
on 25 May 2018, GDPR (General Data
Protection Regulation) has been put
in place to govern the way in which
a business can use, process and store
personal data (information about an
identifiable, living person) and provides a
very strict set of rules in how that business
can use, manage and handle this data.
If a business is found to be operating
outside of these rules, there can be major
consequences and crippling fines.
16
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

compliance
ORGANISATIONS LOSE AN AVERAGE
OF $4 MILLION IN REVENUE, DUE TO
A SINGLE NON-COMPLIANCE EVENT.
(Saviynt.com - The True Cost of Non-
Compliance - MJ Kaufmann - Apr 2021)
WHAT SORT OF FINE COULD I FACE,
IF I AM NOT COMPLYING WITH GDPR
LAWS?
The UK GDPR and DPA 2018 set a
maximum fine of £17.5 million or 4%
of annual global turnover, whichever is
greater, for infringements while the EU
GDPR sets a maximum fine of €20 million
(about £18?million) or 4% of annual
global turnover, whichever is greater,
for infringements. (Legislation.gov.uk -
Relevant provisions of the Act - See
Sections 155 to 159, Part 6)
HOW HAS COVID-19 CHANGED THE
WAY THAT DATA IS MANAGED?
With all the disruptions from Covid-19,
businesses have had to quickly find new
ways of working. For many companies
around the world, remote working is
the new normal. With remote working,
businesses have had to figure out ways of
having their workforce collaborate and
work together, resulting in a significant
spike in organisations adopting the usage
of platforms like Microsoft Teams, Google
Workplace, Atlassian tools (Confluence,
Jira and Bitbucket), Alfresco, Slack…the
list is forever growing.
Collaboration is a truly wonderful thing,
but with this rise in collaborative tools
being adopted, key sensitive data is now
stored in even more places, making it
even harder for businesses to get a firm
grasp of how data is being shared
between their staff.
Not only have IT teams had to adopt
this new way of working, evaluate and
implement new tools to keep businesses
running, but they've also had to get
their heads around the complexities of
compliance regulations, which is no easy
feat. To many business leaders, IT teams
today are modern-day saints. The top
three skills for compliance officers are:
subject matter expertise, communication
skills and anticipating future regulatory
trends. With businesses only growing the
number of solutions they use, surely
staying on top of their data will become
an unmanageable task?
REGULATORS FINED BANKS $10
BILLION IN A 15-MONTH PERIOD
THROUGH 2019, WITH MOST OF
THOSE FINES CAUSED BY CYBER-
ATTACKS (60%) (Fenergo - Jan 24,
2020)
What if there was a solution that provided
a report highlighting exactly what GDPRrelated
data was being stored and where
it was stored? What if that solution was
able to scan not just one single instance
of a collaborative tool, but the entire
digital estate (CRMs, marketing tools,
sharing platforms, endpoints, fileservers)
and provide visibility into data stored
EVERYWHERE? Would that make the
unmanageable manageable? Having a
rich understanding of stored compliancerelated
data, across all tools and solutions
used inside a business, is the only way of
operating in line with ones regionalised
compliance regulations.
Stagnant budgets and a shifting
workforce have left many compliance
teams feeling stretched, with 87% of
businesses reporting that they have
no additional capacity, due to being
understaffed or only adequately staffed.
ENTER GEOLANG DATA DISCOVERY
The GeoLang Data Discovery tool has
been created to help organisations
confidently operate within the compliance
regulations they must follow by scanning
their digital estate (endpoints, fileservers,
Office 365, Google Workspace, Atlassian
Jira/Confluence/Bitbucket [data centre and
cloud] and Alfresco), providing a report
(The Hero Report) that highlights the
company risk profile, what sensitive data
has been found, where sensitive data has
been found, key risk areas, how current
risks have been mitigated, mean time to
resolution and the current risk exposure.
In all, 44% of businesses say that their
top compliance management challenges
are handling compliance assessments,
undergoing control testing, and implementing
policy and process updates.
(MetricStream State of Compliance Survey
Report 2021)
Generated at the touch of a button (or
delivered automatically), the high-level
Data Discovery Executive Summary
('HERO Report') provides configurable
and periodic reporting on risk assessment
and risk mitigation, as a dynamic report,
but also available in PDF or editable
format for distribution to managers. Userfriendly
dashboards are also available in
one central location.
Pre-defined and bespoke rule sets,
including GDPR, PCI, or HIPAA, are
supported, along with granular regular
expressions, keyword lists and compound
queries. GeoLang Data Discovery searches
unstructured datasets stored in over 200
formats across your digital estate and
with the 'find files similar to' function,
one can quickly build repositories from
dispersed business data.
To understand how GeoLang can help
simplify the management of data
compliance, help get your data ready for
a cloud migration/digital transformation
project or even ease how Digital Subject
Access Requests (DSARs) are managed,
you can check out the Geolang website
at: www.geolang.com. Alternatively,
contact the company by emailing:
contact@geolang.com.
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2022 computing security
17

cloud
THE CLOUD CONUNDRUM
CLOUD, IN ITS VARIOUS SHAPES, IS OFTEN HAILED AS THE WAY
FORWARD - SO WHY IS IT SOMETIMES SO POORLY PROTECTED?
COMPUTING SECURITY FINDS OUT WHERE THE CRACKS ARE IN
AN INCREASINGLY CLOUD-LADEN AGE
Arecent study found that 88% of
respondents believe the security of
their cloud environment will become
increasingly important over the next year.
At the same time, 79% of respondents
expressed misgivings (overwhelmed,
uncertain, lack of control etc) over their
organisation's current security posture.
Why are so many failing to enact greater
protections in the face of an enemy that only
gets more determined to exploit them? And
what are the likely outcomes where they
continue to pursue that same path?
There are many factors that play into this
scenario, states John Stevenson, a managing
director in Protiviti's security and privacy
practice. "A good number of organisations
simply lack power in their technical
organisations, which means vulnerabilities
don't get remediated as they should.
Instead, exceptions are put in place, because
remediation is deemed too risky for the
business units. Couple that with what
usually appears to be a grossly understaffed
vulnerability remediation team and you're
left with a situation ripe for ransomware,
takeover etc."
Over the last few years, Stevenson has
encountered an increase in remediation
exceptions being put in place versus
implementing technical compensating
controls to serve as security rings around
the vulnerable asset. "Most companies do a
decent job at document their compensating
controls, but very few take the time to
perform TESTS of their compensating
controls. They just assume things will work
as planned versus doing real-world analysis."
VULNERABILITIES CHAINED TOGETHER
One of the other downfalls of traditional
vulnerability management programs that he
singles out is the failure to fully understand
how vulnerabilities could be chained together
to create a major opening for attackers. "Take,
for example, a low or medium vulnerability
that only allows non-administrative access to
a server, then a different low or medium
severity vulnerability that allows privileged
access, but only if already authenticated.
Programs that patch only high and critical
vulnerabilities are, by default, creating higher
risk, since they're not gathering enough
information to show this type of scenario."
How do you resolve this and get to a place
where exposure is consistently minimal?
"Lack of adequate staffing and non-robust
programs are the two largest contributing
factors to the problem," says Stevenson. "In
most instances, companies should strongly
consider outsourcing their vulnerability
management program to a reputable vendor
with a strong offering in this area.
"If outsourcing is not an option, companies
should consider investing in a deeply rooted,
robust vulnerability management program
that aggregates vulnerabilities and weighs
the individual business units, so the risk rating
is accurate for a particular section of the
overall enterprise. As an example: a low-risk
vulnerability that focuses on availability may
be okay for a technology company to accept,
but could end up being a life-or-death
situation for a hospital. Without proper
context, risk ratings and power to implement
and adequate staffing, organisations will
continue to struggle with managing risk to
their systems."
UNRESTRICTED ACCESS TO SERVICES
According to Raghu Nandakumara, senior
director, head of industry solutions at Illumio,
one of the most frequent mistakes that is
seen during cloud implementation is teams
unintentionally enabling unrestricted access
to services, often caused by misconfigured
security policy. "Any resources left accessible
via the internet are essentially fair game for
threat actors," he cautions, "and, if something
is connected to the internet, with enough
time and effort criminals will find a way to
access it.
Today, however, as our operating models
evolve and data becomes increasingly
dispersed, due to at-home working, firms
18
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

cloud
are battling even harder to keep up with
accelerated change, he adds. "A recent
Forrester study saw 63% of respondents
claim that their firm was unprepared for
the quickened pace of cloud migration and
transformation. An equal number found it
difficult to maximise the productivity of
remote workers without introducing new
security risks.
"The growing complexity of inter-cloud
and data centre communications makes it
particularly challenging for organisations
to understand and properly protect their
environments, which leaves the door wide
open for attackers. In such instances,
where decision makers feel constrained by
inadequate technologies for today's new
challenges, Zero Trust is one of the most
effective, and necessary, approaches for any
organisation looking to digitally transform
and grow their company in a secure way."
A major challenge when it comes to cloud
security is visibility, he continues. "Whether
it's hybrid cloud, multi-cloud or both, you
need to see your entire environment, and
how your applications and workloads
interact. Zero Trust builds resilience into
organisations' multi-cloud environments
to dramatically reduce the fallout of cyberattacks."
With comprehensive, intelligent visibility
(that incorporates vulnerability data on your
networks' assets), organisations can have
single interface to understand and mitigate
risk across multi-cloud, hybrid cloud and
on-premises data centre environments,
he asserts. "This means that users can see
all communication between workloads and
applications across their distributed business
estate, understand which assets and data to
prioritise, respond to threats and ultimately
better protect their organisation."
Cloud is now shaping the way businesses
manage their processes and handle their
data, so ensuring that these services are
thoroughly secure must be priority number
one, adds Nandakumara. "Most company
infrastructures will now be comprised of
multiple cloud environments, as well as
some on-premises systems. Visibility is
crucial for maintaining a strong defence line
along the perimeter and will also pave the
way for a more secure and resilient future
based on Zero Trust."
STRIKING THE PERFECT BALANCE
Winny Thomas, principal security architect
at Versa Networks, believes the greatest
challenge when it comes to cloud
environments is striking the perfect balance
between accessibility and security. "All
users want to feel the same quality of user
experience, irrespective of whether they are
working in an office or working from home.
Whilst this is crucial, organisations also have
to consider the security implications when
growing their cloud infrastructure."
The acceleration of digital transformation
over the last two years has, Thomas states,
caused a significant increase in cloud
infrastructure within organisations. "This
ultimately creates security gaps and blind
spots, especially when organisations
have overlapping cloud and on-premises
technology. If a threat actor breaches an
organisation's network, then malware is
free to move laterally and cause significant
damage. Therefore, it is crucial that
organisations implement solutions that are
able to manage both network performance
and security."
MEETING BUSINESS NEEDS
Solutions, such as secure access service
edge (SASE), which deliver a tighter
integration between security and network
performance through the cloud, would
ensure that all users are adequately secure,
while also being able to meet their business
needs, Thomas argues. "With SASE, security
teams can be confident that every endpoint
on the network has the same security and
management capabilities, which reduces
John Stevenson, Protiviti: too many
organisations lack power in their
technical organisations, resulting in
vulnerabilities not being remediated.
the gaps in their hybrid-cloud, multi-cloud
or cloud-native environment and ultimately
makes it harder for threat actors to breach.
"With segmentation policies also
integrated into SASE, threat actors no
longer have the freedom to move laterally.
Restricting malware to one area of the
network ensures that security teams are
able to find threats quicker and ultimately
deal with them much faster. Not only does
SASE strengthen an organisation's security
posture, but also its networking
performance."
As SASE is a single software stack, data
no longer needs to pass through multiple
devices or virtual network functions,
improving connection speeds and reducing
latency. "Organisations that implement
solutions such as SASE will be able to
guarantee that their cloud infrastructure
can offer users the best possible
connectivity, while ensuring the network
is impregnable to malicious actors."
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2022 computing security
19

cloud
Raghu Nandakumara, Illumio: a frequent
mistake during cloud implementation is
teams unintentionally enabling unrestricted
access to services, often caused by
misconfigured security policy.
Winny Thomas, Vera Networks: the greatest
challenge with cloud environments is striking
the perfect balance between accessibility and
security.
CLOUD TECHNOLOGY ADOPTION
IS ALL SET TO TAKE OFF
Meanwhile, a new survey has found that
93% of IT industry are planning to adopt
cloud technology within five years. The
survey, conducted by Hornetsecurity, points
to hybrid cloud solutions becoming the longterm
target for two in three companies
The hybrid cloud adoption survey of 900-
plus IT professionals, primarily based in
Europe and North America, reveals that the
majority of businesses (93%) are adopting a
hybrid of cloud and on-premise solutions or
migrating fully to the cloud within five years.
Half of respondents (51%) reported that they
will be 'mostly in the cloud' in five years, with
one or two workloads remaining on premise.
In all, 28% of respondents said they would
remain 'mostly on premise', with a workload
or two in the cloud.
Hybrid cloud solution as permanent
destination
While 29% of respondents said they are using
hybrid cloud solutions as a stepping stone to
a full cloud environment, 67% of respondents
see hybrid as a final destination for their
infrastructure, due to workloads that must
remain on premise. The rest claim to be
remaining 100% on premise. When asked
why companies were remaining on premise,
many respondents cited data control, security
and cost concerns with cloud technology.
Trust issues with cloud
The hybrid cloud adoption survey also found
that trust issues with the public cloud are
present within companies of all sizes, with
31-36% of all surveyed company size
categories reporting concerns.
The survey also showed that with experience
comes more distrust in the public cloud.
Respondents with 20-plus years’ experience
were more likely to express concerns with the
trustworthiness of cloud platforms (34%)
than those with 1-5 years’ experience (24%).
Half of all respondents mentioned 'legacy
systems or software' as another major reason
certain workloads must remain on premise,
while 'application compatibility' was reported
as a roadblock to cloud migration for four in
10 companies. Industry regulations such as
GDPR, HIPAA and CMMC, amongst others,
were also cited as an obstacle for cloud
adoption by 29% of respondents.
Multiple challenges blocking cloud adoption
Many companies surveyed stated they were
holding back from full cloud migration, due
to a lack of 'technical know-how or certified
staff' (48%), difficulties with 'application of
best practices within the company' (33%),
issues with connectivity (33%), and 'secured
access' (29%).
The most common workload preventing IT
departments from lifting all services to the
cloud was 'Print & Imaging Services' (55%).
Databases, file storage and application
services are also cited as reasons for
remaining partially on premise, with 50%,
45%, and 43% of respondents indicating
such intentions respectively.
Hornetsecurity's survey shows that hybrid
cloud solutions still bring with them several
challenges. Chief among them is 'monitoring
and security', with half of respondents
expressing concerns in this area. 'Networking
and connectivity' is another concern shared by
nearly half of all respondents (48%). Finally,
'training and certification', 'manageability and
tooling', and 'resiliency and data recovery' also
factor into the disquiet shared by 35%, 35%,
and 33% of respondents respectively.
Cloud solutions versus on premise
Some 47% of respondents who form part of
internal IT teams reported that they see their
workloads 'mostly in the cloud' in five years,
versus 52% of respondents whose company
used MSP services, and 54% of respondents
that worked at MSPs. Internal IT departments
reported a lack of trust in cloud services at
almost the same rate as those using MSP
services, with 34% and 33% respectively.
20
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

Ukraine backup
CALL FOR HELP PROMPTS RAPID RESPONSE
A TEAM OF EXPERTS HAS BEEN SET UP TO HELP DEFEND UKRAINE FROM CYBER-ATTACKS
Acyber rapid-response team (CRRT) is
being deployed across Europe, after
a call went out from Ukraine for help,
as reported by the BBC.
The newly-formed team of eight to 12
experts from Lithuania, Croatia, Poland,
Estonia, Romania and the Netherlands has
committed to help defend Ukraine from
cyber-attacks - remotely and on site in the
country. An official warned attacks were
likely. "We can see that cyber-measures are an
important part of Russia's hybrid toolkit," the
CRRT official said.
It comes after the UK and the US blamed
Russia for cyber-attacks earlier this month
that temporarily took a small number of
Ukrainian banking and government websites
offline.
The Lithuanian Ministry of Defence tweeted:
"In response to Ukraine request, [we] are
activating [a] Lithuanian-led cyber rapidresponse
team, which will help Ukrainian
institutions to cope with growing cyberthreats.
#StandWithUkraine."
CRRTs are a European Union initiative to
deepen defence and co-operation between
member states. They are said to be equipped
with commonly developed cyber toolkits
designed to detect, recognise and mitigate
cyber-threats. An official told the BBC that
the team was "composed of different cyberexpertise,
such as incident response,
forensics, vulnerability assessment, to be able
to react to a variety of scenarios". Russia has
previously been accused of 'hybrid warfare',
combining cyber-attacks with traditional
military activity, in Georgia and Crimea. "The
EU and Ukraine blamed Russia after
thousands of people in multiple cities in
Ukraine experienced power cuts, in 2015 and
2016, when hackers temporarily shut off
electricity substations," states the BBC. "The
US, UK and EU also blamed it for the hugely
disruptive NotPetya wiper attack."
Experts say about 2,000 NotPetya attacks
were launched in 2017, mainly aimed at
Ukraine, but the malicious software spread
globally, causing billions of dollars of damage
to computer systems across Europe, Asia and
the Americas.
POSITIVE NEWS
According to John Fokker, head of cyber
investigations & principal engineer, Trellix, the
news that the EU is deploying a Cyber Rapid-
Response Team is extremely positive. "The
initial cyber-attacks on Ukraine were intended
to be very public and evident in their nature
and impact. However, we anticipate that this
will change in the future, and any attacks will
be incredibly discreet, as attackers seek to
conceal their activity and ultimate objectives.
"Cyber-attacks are increasingly used as
a means of modern warfare. Our research*
found that Russian and Chinese nation-state
backed groups are believed to be responsible
for nearly half (46% combined) of all
observed APT threat activity. Cybersecurity
John Fokker, Trellix: Cyber-attacks are
increasingly used as a means of modern
warfare.
must be a worldwide priority and we must
collaborate to defend against these threats."
Threat intelligence will be crucial to
mitigating risk, he adds. "It will allow security
professionals to strengthen detection, plus
respond in real-time to active threats. The use
of machine learning analytics will also help
to predict and detect attacks, identify root
causes, and guide adaption and response to
whatever threat Ukraine may face."
*https://www.trellix.com/en-us/threat-center/threatreports/jan-2022.html
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2022 computing security
21

tech scrap
I.T. EQUIPMENT JUNKED PREMATURELY
MANY UK BUSINESSES DUMPING THEIR DEVICES BEFORE THEY REACH END OF WORKING LIFE
More than 50% of businesses that
were questioned in a new study
acknowledged that they switched
out their IT equipment and devices every
three to five years, on average.
On the plus side, some 87% of business
owners admitted that they wanted to make
greener tech choices in the future.
The findings are revealed by EuroPC, whose
team conducted a survey as a part of an
ongoing study into the issue of electronic
waste. More than 1,200 UK business owners
took part, giving insight into their thoughts
on using refurbished IT products for work
purposes. This follows the revelation that
145,000 tonnes of commercial and industrial
waste are thrown away every year*.
THROWN AWAY
When asked what business owners typically
do with IT equipment that is no longer of
use, just 26% said they have a refurbishment
partner who repairs equipment for them on
the occasions where something does break.
The remaining businesses admitted that they
tend to throw their old or broken equipment
away (74%).
The most common IT equipment that
business owners have confessed to
disposing of were revealed to be: laptops -
87%; servers - 76%; routers - 63%;
monitors - 59%; and desktops - 48%.
What's more, approximately two thirds of
business owners said they have previously
thrown away IT equipment before it had
reached the end of its life (59%), and a
further 54% admitted to switching out their
devices every three to five years, on average.
Quizzed on the reasons why they replace
their equipment so often, 'improving speed'
was the most popular response given
(49%), along with increased reliability (24%)
and security (17%).
When asked about their thoughts on
refurbished products, one in three stated
that they naturally assumed refurbished IT
equipment would be less reliable and riskier.
However, almost four-fifths of business
owners said they would happily swap to
refurbished products, rather than brandnew,
if they could achieve the same level
of performance and save on costs (79%).
On top of this, over four quarters of
business owners also confessed that they
were not fully aware of the issues around
e-waste, nor the extent of its impact on the
environment (82%). With this in mind, all
business owners were asked whether they
would consider making greener tech
choices in the future, to which 87% of
respondents agreed - citing 'sustainability'
as the main reason why (78%).
Alan Gilmour, managing director at
www.EuroPC.co.uk, says there's a common
assumption that refurbished products are
more likely to fail, because used equipment
is seen as less reliable and riskier. "However,
this isn't the case, as refurbished equipment
can achieve the same level of performance
and save companies significant amounts
of money in the long run. By extending the
life of IT equipment that businesses already
have, companies can reduce the amount
of e-waste produced at the same time.
"It's certainly refreshing to see the sheer
number of business owners that are willing
to make greener tech choices in the future,
by choosing refurbished products over
brand-new," he concludes.
*https://www.letsrecycle.com/news/uk-the-secondlargest-producer-of-weee/
22
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

ADISA ICT Asset Recovery Standard 8.0
is formally approved by the UK ICO
(Approval ICO – CSC/003 and ICO – CSC/004)
Use an ADISA Certified company to be assured of UK GDPR compliance
when disposing of your IT assets.
Visit adisa.global to find out more
Want to know how to retire assets
so you can promote reuse AND meet
data protection legislation?
ADISA offers a range of training courses all presented by
leaders in the field, including a brand-new course which helps
data controllers write an asset retirement program to achieve
the objective of meeting sustainability and security targets.
Visit adisa.global/training to find out more

NHS breaches
NHS BREACHES - JUST A FACT OF LIFE NOW?
WHAT WILL IT TAKE TO STOP ALL OF THE HACKS ON THE NHS FROM HAPPENING...
OR HAVE WE REACHED THE POINT WHERE NOTHING CAN BE PROTECTED ANYMORE?
The NHS is no stranger to being hacked.
It has a sorry history of such breaches,
with particularly disturbing such incident
occurring in February this year when private
medical information about tens of thousands
of NHS patients was leaked. The confidential
files include hospital appointment letters for
women who have suffered miscarriages, test
results of cervical screening and letters to
parents of children needing urgent surgery
at Alder Hey Children's Hospital, Liverpool,
according to The Mail on Sunday.
Thousands of letters were leaked in error
by PSL Print Management, a Preston-based
consultancy firm paid millions each year by
the NHS. The lost documents were said to
have contained names, addresses, phone
numbers and NHS numbers. The information
is reported to date back as far as 2015,
despite data protection laws stipulating that
medical data must be deleted as soon as it
is no longer needed.
That the NHS gets breached shouldn't be that
much of a surprise, considering its scale and
unwieldy structure. But to fail to adhere to
the data protection laws, something that
should be built in to its operating processes,
suggests inattention and poor management.
One person who recognises the pressure
and strain that the NHS is under is Matt
Aldridge, principal solutions consultant,
Carbonite + Webroot. "The sheer size and
scope of the NHS, its complex supply chain,
and the fact that the public sector uses many
contractors and outside parties, makes it
a difficult task to manage and secure. It's
therefore unsurprising that breaches of
important medical information are becoming
more and more common.
MULTIPLE LAYERS OF DEFENCE NEEDED
"The defence of our data is an ongoing task
that never ends. To meet the challenge
of securing the increasing
amount of data generated and
shared across healthcare
networks, organisations need
to take a proactive stance
regarding
data protection and cybersecurity," he adds.
"Health data is incredibly important to people
and is far more 'personal' than other
information. This means that the industry is
very much in the spotlight and must address
security to the highest standard - and
organisations must ensure they have multiple
layers of defence in place to do so."
This involves ensuring robust measures
are in place to reduce the risks as much as
possible and applying strict controls on how
patient data can be stored and transmitted -
relying purely on technology as an organisation's
only form of defence is extremely
short-sighted, Aldridge points out. "An
organisation is only as strong as its weakest
link - and, in terms of cybersecurity, poorly
trained employees often unwittingly fill this
role. Providing employees with
the help that they need to
become more security
literate, as well as
ensuring they
make the
best
24
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

NHS breaches
use of provided technology, is crucial to a
successful multi-layered defence strategy."
Staff training is therefore essential for
defending against cyber-attacks, and
employees need to know what to look out
for, he points out. "The training materials
used need to be updated continuously to
reflect the latest threat trends - and regular
simulations should be run to ensure that the
training has the desired effect. Training will
help prevent data leaks like this one, which
seemingly occurred due to an employee error,
and reduce the severity of attacks overall."
There is also the added importance of
having unique passwords for each service
and enabling two-factor authentication
whenever possible. "Individuals should remain
vigilant in scrutinising the types of emails they
receive - and this should be underpinned
by cybersecurity technology such as email
filtering and anti-malware protection. In
addition to these layers of security, real-time
assessment of bad or anomalous behaviours
within the architecture are becoming more
prevalent to help with breach detection.
Finally, in this case, it appears that inadequate
data archiving measures were in place to
ensure compliance with data protection
regulations - and it is important that
archiving and backup processes are carefully
planned and monitored to ensure the most
effective data protection outcome."
These layers of protection all need to build
on a foundation of good cyber hygiene,
such as regularly installing patches on servers,
endpoints and network devices along with
running reputable antivirus and anti-malware
software, Aldridge concludes. "Policies and
processes should also be in place to prevent
confidential materials being sent via email or
being extracted to the external USB storage."
ANY DATA IS NOW AT RISK
Given the current landscape, we must face
the fact that any data is at risk of being
leaked, breached, stolen or encrypted, says
Peter Stelzhammer, co-founder at AV-
Comparatives. "Organisations must be
prepared and be aware that, even with the
best protection money can buy, there is still
the risk of an insider job, a hacker better than
your cybersecurity system or a software bug
in one of the systems." Information is there
to be shared and this is especially important
in the health sector- patient data must be
available always and everywhere for those
who need it, he states. "While this data is
vital for patient care, security should not be
sacrificed for accessibility."
There is far more at stake in this sector than
simply the loss of data, he continues: cyber
criminals could potentially alter data sets,
such as prescribed medications, or disrupt
medical schedules posing a risk to the
health and wellbeing of patients. "To protect
sensitive data, organisations should use stateof-the-art
multi-layered cybersecurity that is
independently tested and they must restrict
data access to only those people who really
need it."
Companies should also carry out risk
management, not only for a data breach, but
also what to do if your data gets lost, due to
a faulty IT system. "It's also important to have
a rolling back-up to help prevent huge data
losses and speed up the process of getting
back online," adds Stelzhammer. "If you can
prepare a plan of what to do if a data breach
happens by testing the systems and your
incident response processes, this will help the
entire workforce, not just the security team,
should a breach occur."
His final advice to organisations? "Don't bury
your head in the sand," he comments. "Seek
external help and, if a breach occurs, be sure
to inform those concerned and the authorities
immediately."
THE TRADITIONAL APPROACH IS NOT
THE WAY FORWARD
Felix Rosbach, product manager at comforte
AG, says that a data breach affecting the
highly sensitive data of tens of thousands
of NHS patients might make you question
whether healthcare providers are serious
about data privacy and security. "This
report should trigger alarm bells within the
healthcare sector," he states. "After all, it is
difficult to grasp a situation in which
thousands of subjects have had their most
personal and sensitive health information
compromised. And while it sometimes feels
like we reached the point where nothing
can be protected anymore, this is not the
case. Often, these types of data breaches
occur because of a traditional approach to
cybersecurity, protecting borders and
perimeters or limited budget due to unwise
business decisions."
Effective data security and the principles
of Zero Trust need to be applied directly to
sensitive patient information, he insists.
"By protecting patient information utilising
methods such as tokenisation or formatpreserving
encryption, organisations can
continue to work with sensitive data in its
protected state. Better yet, if [or when]
threat actors gain access to protected data,
they cannot comprehend it or leverage
it for personal gain or other nefarious
purposes. If a healthcare organisation isn't
actively assuming the worst and exploring
data-centric security to protect patient
data, the long-term prognosis doesn't look
good," Rosbach warns.
HUGE ATTACK SURFACE
The healthcare sector has always been
extremely attractive to threats actors
looking to cause havoc, sys Ronan David,
chief of strategy at EfficientIP. "Not only
do healthcare organisations hold a wealth
of customer and employee data, but the
large number of devices and platforms
connected to their networks means that
their attack surface is huge. If the functions
of the health system do not work, then it
puts patient lives at risk, thus putting a
severe amount of pressure on the NHS to
give into the threat actor's demands?
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2022 computing security
25

NHS breaches
Felix_Rosbach, comforte AG: effective
data security and the principles of
Zero Trust need to be applied directly
to sensitive patient information.
Matthew Aldridge, Webroot: unsurprising
that breaches of important medical
information are becoming more and more
common.
"We have witnessed many healthcare
organisations become victims of cyberattacks
and, while organisations have
concentrated on trying to secure endpoints
and certain devices, such as Internet-of-
Things (IoTs), they fail to secure the Domain
Name System (DNS), which is ultimately
being used as a path for cyber criminals to
launch cyberattacks. By design, DNS is an
open service, with virtually all internet and
internal network traffic travelling through it.
If a DNS server goes down, then the
network is essentially halted, which means
access to vital applications and services will
stop. DNS servers have therefore become a
leading point of entry for attackers and data
exfiltration."
Research by EfficientIP and IDC found that
the average cost per DNS attack increased to
£629,720 in 2021, a rise of 12% from 2020
and the sharpest increase seen, compared to
other industries such as telco, finance, retail
and education, he adds. "It is not just the
monetary cost which has a significant
impact on healthcare organisations, but
also the length of time systems are down."
According to David, it took the healthcare
industry an average 6.28 hours to mitigate
each attack, which is too long when it can
take only seconds for a cyber criminal to
launch an attack. 53% of companies said
that application downtime could have heavy
consequences for both patients and
providers. "When healthcare professionals
are already under enough pressure, the last
thing they need is an announcement that
their systems aren't working due to an
attack on the DNS. To ensure proper
protection, organisations need to implement
DNS security solutions that enable real-time
traffic analysis which can detect, and thwart
threats hidden in the traffic. Additionally,
application access control at the user level
strengthens the security chain at the earliest
point in the flow, reducing the attack
surface and blocking the lateral movement
of malware."
If the healthcare industry wants to protect
users, data and applications properly, DNS
security is a must-have in any modern
arsenal of defence against cybersecurity
threats, he insists. "It must be seen as the
absolute foundation to security and Zero-
Trust projects."
ACHIEVING THE PERFECT BALANCE
Paul Prudhomme, head of threat
intelligence advisory at IntSights, a Rapid7
Company, believes achieving the perfect
balance between usability and security has
always been the greatest challenge for IT
systems and this rings very true for the
healthcare sector. "The time-sensitive nature
of the healthcare industry has resulted in
the clash between the two sides and has
ultimately seen healthcare organisations
prioritising usability," he points out. "With
seconds making all the difference when
it comes to patient care, security can
sometimes be seen as an inconvenience,
especially when operations are delayed for
minutes or potentially hours due to security
teams needing to patch a vulnerable
device. However, this decision ultimately
makes the healthcare industry a priority
target for threat actors, knowing that there
are plenty of vulnerable devices on their
network, which have the potential to cause
significant damage."
Medical devices, such as operating room
monitors, are a popular entry point for
threat actors when trying to breach a
healthcare organisation's network. Their
weak security means that threat actors
can easily leverage them for access and
then move laterally across the network.
"Hospitals are popular targets for ransomware
gangs, due to the amount of personal
data they hold. Patient records contain
Personally Identifiable Information (PII),
which can be held to ransom from the
hospital or sold on the dark web."
With hospitals seemingly being the perfect
target for cyber criminals, the healthcare
26
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

NHS breaches
industry would greatly benefit from understanding
who is likely to attack them and
how, he adds. "It is also critical for the
healthcare sector to strike the right balance
between usability and security. Any chosen
solutions should improve security posture,
while minimising the impact on service."
First, healthcare organisations should
ensure that they have offline backups and
strong encryption in place, Prudhomme
recommends. "The best form of defence
against threats like ransomware attacks is
to eliminate the opportunity of paying a
ransom demand. Ransomware gangs have
learnt that backups are the best form of
defence against their attacks and strong
encryption is going to make it nearly
impossible for them to leak the data."
Healthcare organisations can look to
technology such as threat intelligence to
shed light on the tactics, techniques, and
procedures (TTPs) of threat actors and get
the heads up on threats before they
actually happen. "This allows them to tailor
their security strategy accordingly," he adds.
"When healthcare organisations understand
who may attack them and how they could
do it, they can put security measures in
place that are effective, but minimise the
cost."
CRIMINAL SUCCESS NOT A GIVEN
While attacks are inevitable, criminal
success is not, comments David Sygula,
senior analyst at CybelAngel. "The trouble
is that organisations are big and there is a
lot of data in many hands. Organisations
often don't realise that they've left sensitive
data exposed and therefore believe they're
completely secure." There are several ways
that organisations can unintentionally
leave data vulnerable to cyber theft, such
as exposed databases, forgotten databases
and third-party weaknesses.
"Over time," he states, "we've noticed that
a major cause of exposed cyber records is
human negligence, either because of skill
shortages, overwhelming workloads or lack
of visibility. "To keep data secure, teams
must stay on top of patching, although this
can be complicated and time-consuming.
Additionally, if the open API access is
misconfigured, then all efforts will go to
waste and the data will be left exposed
anyway. One wrong move could result in
devastating consequences."
Looking beyond the initial fear of losing
sensitive data, once an attacker gains
access to the network they will endeavour
to keep their foothold so they can breach
more data. "No part of the system will be
safe," warns Sygula. "It can be hard to tell
which areas of the network are infected.
Even if the initial point of entry is discovered,
criminals can navigate undetected,
causing major damage before they are
finally discovered."
GETTING THE BASICS RIGHT
An effective security strategy must be built
on strong foundations - which start with
getting the basics right, he adds.
"As patching systems are a crucial element
of securing data, organisations must ensure
the necessary training is provided to avoid
human error, especially if there is a skills
shortage. Additionally, IP scanning solutions
can help identify existing data leaks and
which databases, cloud storage or network
storage devices need priority action." The
final step, he points out, is automating this
process, so that incidents are handled
quickly and efficiently.
"Digital risk solutions are available to
disrupt their kill chain by blocking the
footholds that attackers rely on," Sygula
concludes. "Organisations will be able to
uncover existing exposures and correct any
weaknesses within databases before any
damage is done. This increased visibility is
vital for maintaining and strengthening
defences - and keeping attackers out."
Paul Prudhomme, IntSights, a Rapid7
Company: it is critical for the healthcare
sector to strike the right balance between
usability and security.
Ronan David, EfficientIP: the Domain Name
System is ultimately being used as a path for
cyber criminals to launch cyberattacks.
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2022 computing security
27

ansomware
RANSOMWARE NOW A GLOBAL MENACE
WITH MANY ORGANISATIONS USING OUTDATED AND INEFFECTIVE TECHNOLOGY AND
CORPORATE STRATEGIES, THE FEAR IS THEY COULD SOON BE VICTIMS OF AN ALL-OUT ATTACK
Hackers are increasingly offering services
or exploits 'for hire', prompting the
chief executive of the National Cyber
Security Centre to urge organisations to
review their defences. With ransomware
branded "a rising global threat", what steps
should they take to protect themselves? And
are many of those using technology and
corporate strategies that are no longer fit for
purpose, leaving themselves increasingly likely
to be ransomware's next victims?
Here is what they seem to be up against.
The 'as a service' market on the darknet,
including ransomware-as-a-service, is
growing rapidly. "This makes it easier for
perpetrators to launch highly sophisticated
cyberattacks," cautions Daniel Hofmann, CEO,
Hornetsecurity. "In response, organisations
must be prepared and amplify their
defences."
First of all, this means investing in, or
upgrading to, a robust security service from
a reputable third party, coupled with backup
and recovery capabilities. This combined
approach protects against attacks while
enabling remediations should disaster strike.
Both parts of the equation are essential,
he says. "Heightened awareness across an
organisation is equally important. Employees
should receive cybersecurity training and
refreshers, so that they can recognise
ransomware and other malware, avoid
succumbing to such threats and know what
to do in case of an attack. As part of this,
companies should also have the appropriate
policies and an incident response (IR) plan,
with a view to risk mitigation and damage
control."
To further batten down the hatches,
companies should use multifactor
authentication (MFA) and apply judicious
permissions management, states Hofmann.
"MFA enforces more than one method of
user authentication. It is easy enough to
implement and is a perfect foil to cybercriminals
who have managed to steal
a user's login credentials, for instance, since
it prevents them from completing the next
step to gain access. "
Another tactic he singles out is to reduce
the permissions granted to users and user
accounts. "That, in turn, limits what an
attacker can do, should the account be
breached. This is particularly important
for the accounts of system administrators
themselves, given their access to entire
IT systems."
It's also about going back to basics to
reduce risks, he adds: "installing the latest
software updates to patch vulnerabilities,
since there are typically publicly available
exploits for these out there; and ensuring
that the company's backups are functional
through regular testing".
Hofmann points out that it is pointless
having a backup solution, if you are unable
to recover backed up data. "Failing to look
after aspects like this might leave systems
administrators with a false sense of security."
SOPHISTICATED, HIGH-IMPACT ATTACKS
Britain, the United States and Australia
recently issued a rare joint alert over
a wave of ransomware attacks, warning that
cyber gangs are becoming "increasingly
professional". Cybersecurity authorities in the
three countries said they had seen an increase
in "sophisticated, high-impact" attacks on
businesses, including in critical sectors such
as health, education, financial services and
energy, according to The Times.
in response, Jim Hietala, vice president,
business development and security for The
Open Group, told Computing Security: "In the
Digital Age, it's necessary for organisations
to ensure a seamless flow of data across
28
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

ansomware
a plethora of networks, applications and
storages. However, the dilemma is that it
is no longer feasible, or even possible, to
consider all elements of the service topology
as 'trusted'. Zero Trust is a critical concept,
because it brings security to the users, data/
information, applications, APIs, devices,
networks, cloud etc wherever they may be -
instead of forcing them onto a 'secure'
network.
"The cybersecurity industry is more difficult
to navigate than ever before," he adds.
"Continuous data breaches and ransomware
attacks, which are impacting commercial
entities and governmental agencies, prove
that network-centric approaches no longer
work. The industry needs to establish
standards and best practices for Zero Trust
as the overarching information security
approach for the digital age and create
models that are data- and asset-centric,
as opposed to traditional network-centric
approaches."
DEPLORABLE STATE OF SECURITY
The only success story we can attribute to
ransomware is publicly benchmarking its
victims on the deplorable state of their
organisation's security, says Ian Thornton-
Trump, chief information security officer
for Cyjax. "Although sensational headlines
about a company becoming a victim and an
endless stream of cyber security vendor fear,
uncertainty and doubt related to 'protection
from ransomware', it seems most people
have missed the point. A cyber security event
that involves ransomware is the result of
one or more cyber security failures at a
technological or human level. In short,
ransomware is the symptom of the disease
of poor cyber security, not something which
'just happens'."
He likens ransomware's impact on an
organisation to the three-act structure model
used in narrative fiction that divides a story
into three parts (acts). Often called the
'Setup', the 'Confrontation' and the
'Resolution', it was popularised by Syd Field in
his 1979 book 'Screenplay: The Foundations
of Screenwriting'.
THE SETUP
In the beginning, systems are brought to
their knees - outages happen. that's a fact of
life, but it becomes sinister the moment you
are told the files are stolen, encrypted and
you must pay not to have them publicly
dumped and pay for a decryption key and
software. "Just a point here. If you claim you
are investigating a 'cyber security incident'
and its ransomware, and yet it takes you
more than a week to inform customers and
regulators, you may need to question your
organisations capacity for incident response
and understanding of governance, risk and
compliance."
THE CONFRONTATION
The middle of a ransomware event is
the 'chaos' of the event itself, requiring
extraordinary efforts to restore services and/
or negotiate with the attackers. This is the
organisation in 'true' crisis where the very
worst days of everyone's working life are
being played out. "The only word that can
adequately describe the feeling is profound
'tragedy' - it's a loss against malicious actors
and all the stages of grief are played out as
a mad hunt is on for the install CDs, the
licence codes and the backup tapes. It's an
extraordinary stressful time and the single
most destructive words to utter at this
moment are: 'I told you so'."
THE RESOLUTION
The end of the event is the realisation, after
the extraordinary expenditure of time, effort
and money, that the ransomware could have
been prevented, mitigated, if only the security
expense, life cycle management, asset
inventory etc
had all been done proactively. Every ransomware
event comes with a healthy amount of
hubris and lessons learned - only if the post
event discussion happens. Most organisations
survive a ransomware event, but it's financial
impact and customer trust may take years to
repair.
"When we examine the big ransomware
stories - at least the ones that share deep
technical details - there are always items
which we could have done better or been
more prepared for," continues Thornton-
Trump. "Since the first crypto locker viruses in
2015, it's hard to be sympathetic towards
organisations that succumb to this attack in
2021, but it's understandable. If you think
ransomware is what you need to protect your
organisation against, you're missing the story.
Ransomware is telling you about the state of
your security."
FINANCIAL INSTITUTIONS
TAKE A BATTERING
"Financial institutions are facing rising cyber
threats and the warning from the FCA serves
as a reminder that no business is safe from
attack," says Fabien Rech, VP EMEA, Trellix.
"We recently found that the financial services
industry accounted for 22% of ransomware
and 37% of Advanced Persistent Threat
detections in Q3 2021. As cybercriminals
adapt their methods to target the most
sensitive data and services, FS firms must
shore up their defences to mitigate further
threats."
How exactly? "They must deploy a security
strategy that includes a living platform that
can learn and adapt defences based on the
threat. This platform generates and prioritises
comprehensive threat insights from both
outside and inside the company to adaptively
strengthen detection, and it responds in realtime
to active threats."
According to research findings from Trellix,
in the third quarter of 2021 "high-profile
ransomware groups disappeared,
reappeared, reinvented and even attempted
to rebrand, while remaining relevant and
prevalent as a popular and potentially
devastating threat against an increasing
spectrum of sectors. Even though
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2022 computing security
29

ansomware
Daniel Hofmann, Hornetsecurity:
ransomware-as-a-service is growing.
This makes it easier for perpetrators to
launch highly sophisticated cyberattacks.
Jamie Moles, ExtraHop: there are things
that businesses can do to beef up their
cybersecurity posture.
ransomware activity was denounced and
banned from numerous cybercriminal forums
in Q2 2021, our team has observed activity
among the same threat actors on several
forums using alternate personas".
Tellingly, in December 2021 Trellix provided
research that assisted FBI and Europol in the
arrest of REvil affiliates and the seizure of
$2 million in ransom. "As the threat of
ransomware continues to grow, financial
institutions must rely on technology that
moves as quickly as the cybercriminals and
can adapt in real-time to get ahead," adds
the company. "Unfortunately, failing to take
this approach only means opening
themselves up to an attack."
ACTIVE COUNTERMEASURES NEEDED
Ransomware is, of course, highly profitable
and, as such, it's not going away anytime
soon, points out Ashok Sankar, VP of product
and solutions marketing, ReliaQuest. "The
enlarged attack surface of the modern,
digital enterprise, plus the interconnected
supply chain, makes trying to stop it
complex. Although the insistence of the
NCSC and other security leaders urging
organisations to strengthen defences is
welcomed, unfortunately thinking purely
from a reactionary perspective is not enough.
We also need to deploy active countermeasures
that target the weaknesses of
the hostage takers."
One of the characteristics of ransomware
is it has a relatively long dwell time, Sankar
adds. "On average, hackers are inside an
organisation for around 10 weeks before
striking. During this delay, hackers will move
laterally through the network to carry out
reconnaissance and pre-strike preparation
which generates detectable patterns.
Unfortunately, not every organisation has
the tools and skill sets to decipher these
'indicators of compromise' and react to the
adversary's tactics. And even the ones that
have are often chasing tails, due to potential
false alerts."
The response to ransomware needs three
key pillars, he states. "The first is, of course,
strengthening our defences. And that means
not just buying more tools, but embracing
organisation-wide frameworks and controls,
such as Cyber Essentials, NIST, ISO27001 -
or whatever works for your organisation.
The MITRE ATT&CK framework is particularly
useful in helping you to map out defences
and understanding your level of preparedness.
Implementation of controls needs to be
supported with regular training and external
audit, which recognises that people within
the organisations and the threat landscape
will constantly change."
Next is a pragmatic approach, he advises.
That means accepting that no single software
element can stop ransomware. "Instead, we
need to use what we have in more effective
ways. This requires unifying the myriad of
cyber security tools and ingesting telemetry
from across the ecosystem, so there are
no blind spots, driving singular situational
awareness. Technology platforms that
employ an XDR architecture can help
integrate disparate systems and threat
intelligence to make it easier to detect early
signs of ransomware dwell. Finally, we need
to be less prey and a bit more predator. We
must be proactive and go hunting! This
means employing expertise to actively chase
down indicators of compromise that suggest
hacker activities inside our systems. Just
assuming that our defences are bulletproof is
naïve, so allocating resources to more active
responses is vital."
FALSE SENSE OF SECURITY
Ransomware is extremely threatening to
organisations, whether they be government
entities, privately owned businesses,
healthcare providers or companies in charge
of critical national infrastructure, states Jamie
Moles, senior technical manager, ExtraHop.
"What most organisations lack, however, is
adequate IT security posture. According to
a recent survey, 75% of UK IT decisionmakers
are confident in their company's
30
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

ansomware
ability to meet cybersecurity threats, yet 82%
of organisations have suffered a ransomware
attack in the past five years. This false sense
of security is dangerous and can leave the
door open for bad actors."
There are a few things businesses can do to
beef up their cybersecurity posture, Moles
adds. "Continuous monitoring of the network
for the use of insecure protocols is one
example. Having a network detection and
response (NDR) tool that can flag early signs
of a breach prior to exfiltration and the
ransomware payload being deployed is
a key step to stopping a full-blown attack.
A quick response will also allow identification
of where the threat actor entered, so that
developers can mitigate risk and, if possible,
patch vulnerable code."
Realistically, it's not possible to stop every
single attack, he points out. "Preventing
criminals from entering networks is still
important, but IT needs a plan for when
an intrusion does happen -catching the
attackers in their midgame before the
intrusion develops into a successful breach
and theft or encryption of data. Ensuring
good protocol, network segmentation and
behavioural monitoring of the environment
is crucial for organisations to help protect
themselves."
UNWANTED GIFT
Ransomware is "the gift that keeps on giving"
is the wry observation of Keith Driver, chief
technical officer at Titania. "It's one of
cybercriminals' favourite tactics, and it works.
Attacks are skyrocketing. It only takes a quick
search to find the names of recent victims -
Nvidia, McDonald's, Acer, Ultimate Kronos
Group (UKG), Colonial Pipeline. The list goes
on; and those are the ones we know about.
It's been reported that 84% of organisations
have fallen victim to some form of phishing
or ransomware attack in the last 12 months.
And it's predicted that the global costs will
reach $20 billion, a 75% increase from half
a decade ago." The escalating problem is
something businesses need to get ahead of,
he states. "As well as defending the permit,
educating users about phishing and the
dangers of corrupted devices, more robust
network security, especially around the core
network, needs to be at the centre of a
company's IT security plan. Maintaining
network integrity will prevent data from
being lost, stolen or held to ransom."
Network segmentation and the principle of
least privilege should be at the top of the
agenda, he says. "They help prevent lateral
movement within the network, limiting
attacker options and visibility of network data
during an assault. Segmenting the network
and implementing least privilege policies
helps with the journey to Zero Trust architectures:
design principles recommended by
CISA, DISA and the UK's NCSC.
The benefits of network segmentation are
numerous, he adds. "As well as making it
more difficult to move east to west to pivot
across networks, it makes it easier to monitor
the network, too, and reduces the mean time
to detect and remediate an attack (MTTD
and MTTR). Security professionals can identify
threats faster and isolate incidents quickly
with a well-planned segmented network.
With ransomware, the less access to valuable
information the criminals have, the less data
they can hold at ransom." As attacks level
up their sophistication, businesses need to
increase their security and overall cyber
hygiene to stay one step ahead. "You may
not prevent the bad guys from getting in,
but you can stop or limit them from getting
what they want and ruining your business."
THE LINUX LINK
Finally, VMware has released a threat report
titled 'Exposing Malware in Linux-Based
Multi-Cloud Environments'. Key findings that
detail how cybercriminals are using malware
to target Linux-based operating systems
include how ransomware is evolving to target
host images used to spin workloads in
virtualised environments.
Ashok Sankar, ReliaQuest: the enlarged
attack surface of the modern, digital
enterprise, plus the interconnected
supply chain, makes trying to stop
ransomware complex.
Ian Thornton-Trump, Cyjax: the only success
story we can attribute to ransomware is
publicly benchmarking its victims on the
deplorable state of their organisation's
security.
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2022 computing security
31

Log4shell
LOGJAM OF CONCERNS
LOG4SHELL IS A CRITICAL VULNERABILITY IN THE LOGGING TOOL LOG4J, USED BY MILLIONS OF
COMPUTERS WORLDWIDE. THE FEAR IS THAT, SOME MONTHS ON, THE THREAT IT POSES IS FAR
FROM OVER
At the tail end of last year, a
vulnerability was found in Log4j, an
open-source logging library commonly
used by apps and services across the internet.
Log4shell is a critical vulnerability in the
widely used logging tool Log4j, which is used
by millions of computers worldwide running
online services. A wide range of people,
including organisations, governments and
individuals are likely to have been affected by
it.
The problem is that, with time passing, the
sense of threat diminishes and with it the
urgency to ensure that this vulnerability has
been dealt with properly. The crucial factor
here is that, although fixes have been issued,
they will still need to be implemented and it
appears that this has been far from universal.
What happens, if no action has been taken
yet? "If left unfixed, attackers can break into
systems, steal passwords and logins, extract
data and infect networks with malicious
software, the NCSC points out. "Log4j is used
worldwide across software applications and
online services, and the vulnerability requires
very little expertise to exploit. This makes
Log4shell potentially the most severe
computer vulnerability in years."
USED ACROSS MANY APPLICATIONS
Log4j is an open-source Java logging library
developed by the Apache Foundation. It is
widely used in many applications and is
present in many services as a dependency.
This includes enterprise applications,
including custom applications developed
within an organisation, as well as numerous
cloud services.
The Log4j library is frequently used in
enterprise Java software and is included in
Apache frameworks, including: Apache
Struts2, Apache Solr, Apache Druid, Apache
Flink and Apache Swift. Other large projects
including Netty, MyBatis and the Spring
Framework also make use of the library.
In December 2021, a number of
vulnerabilities were reported in Log4j:
CVE-2021-44228 - referred to as the
'Log4shell' vulnerability, affects Log4j
versions 2.0-beta9 to 2.14.1. It allows
remote code execution and information
disclosure if exploited
CVE-2021-45046 - affects versions 2.0-
beta9 to 2.15.0, excluding 2.12.2 and
was originally reported as a Denial of
Service when organisations are running a
vulnerable non-standard configuration.
Later research found that the same
vulnerable configuration allowed a
bypass of the mitigations to Log4shell,
allowing remote code execution and
information disclosure
CVE-2021-45105 - affects Log4j versions
from 2.0-beta9 to 2.16.0 - A similar
denial of service issue to CVE-2021-
45046 when organisations are running a
vulnerable non-standard configuration.
"An application is impacted by these
vulnerabilities, if it consumes untrusted user
input and passes this to a vulnerable version
of the Log4j logging library," adds the NCSC.
"Version 1 of the Log4j library is no longer
supported and is affected by multiple security
vulnerabilities. Developers should migrate to
the latest version of Log4j."
WHO IS AFFECTED BY THIS?
Almost all software will have some form of
ability to log (for development, operational
and security purposes), and Log4j is a very
common component used for this. "For
individuals, Log4j is almost certainly part of
the devices and services you use online every
day. The best thing you can do to protect
yourself is make sure your devices and apps
are as up to date as possible and continue to
update them regularly, particularly over the
next few weeks."
For organisations, it may not be
immediately clear that your web servers, web
applications, network devices and other
software and hardware use Log4j, points out
the NCSC. This makes it all the more critical
32
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

Log4shell
for every organisation to ensure they are not
exposed to any potential threats from the
logging tool and make all the necessary
mitigations to ensure they do not become
targeted.
MASSIVE SHAKE-UP
"The LogJam (or Log4Shell) debacle shook the
world to its knees," says Niels Hofmans, head
of security at Intigriti. "Open-source software
is incorporated everywhere into the software
we use on a daily basis. However, we often
don't know what software 'materials', such as
Log4j, are built into the code libraries and
tools we operate-or even develop."
The good news is that a new standard,
called Software Bill of Materials (SBOMs), will
hopefully bring some resolution to this
problem, where a 'bill of materials' can be
(securely) delivered along with packaged
software releases, he adds. "This important
bill will improve our supply chain security
issues, at least by tenfold, since we will be
able to track our software in a uniformed
way. At the same time, software developers
will be able to understand contents more
clearly, identify all (transitive) dependencies,
and match everything to any security
vulnerabilities later on."
At the least, companies should consume
threat intelligence feeds (TI feeds) that
describe the latest attacks, trends and
patches so they stay on top of threats and
prioritize accordingly. "And when
cyberattacks do happen, a modern Web
Application Firewall can stop web attacks
from reaching your server; even better, if it
allows you to tweak its settings to catch the
latest attacks."
Configuration hardening is the practice of
disabling and tweaking aspects in a system to
improve its security, which could have
prevented this logging library from being
exploited, advises Hofmans. "And, even if it's
too late, endpoint detection & response
should stop or alert any exploitation attempts
and trigger you to go into red alert based
on any abnormal system behaviour. Finally,
to ensure an infected machine can only go
so far, network segregation [akin to the
Zero Trust Model] will limit its blast radius
to only authorised peers and not the whole
network."
As the head of security for Intigriti and
part-time bug bounty hunter; Hofmans
warns that this type of creative attack
certainly won't be the last. "However, there
are many accessible controls software users
can proactively implement now, rather
than waiting for the next attack to
happen."
SERIOUS FLAWS MOUNT UP
According to John Graham-Cumming, CTO
at Cloudflare, Log4Shell is the third serious
flaw that has affected a wide range of
Internet services: Heartbleed in 2012,
ShellShock in 2014 and now Log4Shell in
2021. "The Log4Shell vulnerability allows
an attacker to execute code on a remote
server, a so-called Remote Code Execution
(RCE). The vulnerability was particularly
serious, because of the widespread use of
Java and Log4j. Importantly, even non-
Internet facing software that uses Java
could have been exploitable as data gets
passed from system to system.
"When vulnerabilities like this are
disclosed, it's important for companies to
do two things: make sure their firewall is
configured to block the attacks - and talk
to their firewall vendor to see if they've
rolled out a specific blocking rule - and
patch the vulnerability as soon as possible."
Other best practices he recommends
include filtering and logging DNS queries
to block queries made to known malicious
destinations, securing network traffic
leaving your infrastructure with an
updated, and inspecting and filtering HTTP
traffic, which can block attacker attempts
to reach their destinations.
Niels Hofmans, Intigriti: the good news is
that a new standard, called Software Bill
of Materials (SBOMs), will hopefully bring
some resolution to this problem.
DANGER ON THE HORIZON
While Tim Mackey, principal security strategist
at the Synopsys CyRC (Cybersecurity Research
Center), recognises how Log4Shell would
have impacted businesses on many levels, he
emphasises most of all how any attack
targeting Horizon could represent a
disruptive threat to operations for those who
are running VMware Horizon as part of a
remote work programme. "As background,
many VMware products include Apache
log4j2 as their logging mechanism," he
states, "and, as the evolution of the log4j2
patches occurred, VMware was proactive in
their patch and mitigation efforts." Patch and
mitigation information has been available for
Horizon since December.
"From a risk management perspective,
focusing attention on VMware Horizon, or
any other individual product that uses log4j2,
misses the real business risk associated with
Log4Shell. If your patch management
process missed Log4Shell or you had to
manually scan each system to identify log4j2
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2022 computing security
33

Log4shell
Jude McCorry, SBRC: all organisations must
consider themselves at risk of this global
vulnerability until it has been confirmed that
they are not.
Tim Mackey, Synopsys CyRC (Cybersecurity
Research Center): any attack targeting
Horizon could represent a disruptive threat
to operations for those who are running
VMware Horizon as part of a remote work
programme.
usage, then that patch management process
isn't really prepared for a world where open
source technologies power business. That's
unfortunate, as multiple reports hold that
upwards of 70% of commercial software is
based on open source libraries."
Of course, if your team patched Horizon, or
any other application using log4j2, that
doesn't mean the risk is mitigated, he warns.
"In the early days of a major vulnerability like
Log4Shell, attackers know that they're in a
race against the patch management team
and will quickly be locked out of vulnerable
systems as they are patched. To solve for this
problem, they compromise the vulnerable
systems and install software that they
control. That software can take many forms,
but its objective is to provide an entry point
for the attackers to mount the second phase
of their attack - potentially weeks or even
months later."
OUT OF CONTROL
It is that second phase where the real
damage is done and why patch
management is only part of the puzzle, he
adds. "Any system where the owner of the
system doesn't have a complete inventory of
all running and runnable software or where
such an inventory does exist, but isn't
validated against an approved bill of
materials for the software on the system,
can't claim to be in complete control of that
system. Put another way, if an attacker
knows more about what software is on a
computer system than the owner does, then
the attacker is in control."
As far as VMware Horizon is concerned,
one way to mitigate this risk is for all Horizon
components to be provisioned from golden
VM images where all patches are preapplied.
"Of course, that still leaves the
problem of patch management," states
Mackey, "and, where open source is involved,
that's a problem best solved using
technology known as Software Composition
Analysis, and the best tools work with both
binary and source files."
THE THREAT HAS NOT GONE AWAY
In the immediate wake of the Log4Shell
debacle, the Scottish Business Resilience
Centre (SBRC) was quick to call on all
organisations in Scotland to ensure their
systems and devices were updated to
mitigate the impact. It was just one more
serious issue that organisations needed to be
aware of.
Speaking of the vulnerability now, Jude
McCorry, CEO of SBRC, comments:
"Exploitation of Log4Shell has peaked, but
there will still be cases where the vulnerability
may not be uncovered, due to more obscure
entry points or them already being
embedded in proprietary software, both of
which are not as trivial to identify.
"When a vulnerability of this scale is
identified, organisations can't just assume
that it is only work devices that are on the
line - personal devices are also at risk and so
must be part of the updating process. Acting
quickly and looking into other services that
are used - including third-party software -
helps to provide peace of mind.
"Log4Shell had enormous public exposure
and in parallel we saw a huge volume of
attempts to discover the presence of the
vulnerability across infrastructure, both
ethical and malicious. Given the current
threat landscape, it is not enough to only
remediate critical vulnerabilities when they
are found," adds McCorry. "There must be a
concerted effort to search for indicators of
compromise to ensure that organisations
have not already been breached before
having a chance to patch any such
vulnerability. Individuals and organisations
must turn to trusted sources to keep up to
date on credible threats to operations like
this. The SBRC app provides push
notifications within minutes of the insight
being received, covering cyber threats with
accurate guidance."
34
computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk

Computing
Security
Secure systems, secure data, secure people, secure business
Product Review Service
VENDORS – HAS YOUR SOLUTION BEEN
REVIEWED BY COMPUTING SECURITY YET?
The Computing Security review service has been praised by vendors and
readers alike. Each solution is tested by an independent expert whose findings
are published in the magazine along with a photo or screenshot.
Hardware, software and services can all be reviewed.
Many vendors organise a review to coincide with a new launch. However,
please don’t feel that the service is reserved exclusively for new solutions.
A review can also be a good way of introducing an established solution to
a new audience. Are the readers of Computing Security as familiar with
your solution(s) as you would like them to be?
Contact Edward O’Connor on 01689 616000 or email
edward.oconnor@btc.co.uk to make it happen.

PLAY IT
SAFE WITH
365 TOTAL
PROTECTION!