24.05.2022

CS May-Jun 2022


Computing Security

Secure systems, secure data, secure people, secure business

NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS

CHAINS OF FREEDOM
Stabilising the wild swings and uncertainties of the supply line

QUANTUM GOES BIG!
Lift-off for commercial trial of quantum secured communication services

GET THE BASICS RIGHT
Guidance to see you through tough times

ISOLATED AND VULNERABLE
Human error levels hit new high as hackers step up attacks on solitary workers

Computing Security May/June 2022

'ZERO TRUST' SPECIAL INSIDE


Nobody likes feeling vulnerable.

It’s the same when it comes to information security. That’s why our information security services have been designed to provide you with the robust security assurances you require.

Penetration Testing
Red Teaming
Information Security Consultancy

www.pentest.co.uk
0161 233 0100

pentest
INFORMATION SECURITY ASSURANCE


comment

COLONIAL PIPELINE ATTACK REMEMBERED

Saturday, 7 May, this year marked the first anniversary of the infamous Colonial Pipeline hack, which ended with a ransom fee of US$4.4 million being handed over. In July 2021, ISA Cybersecurity of Canada published a set of takeaways from the event. "They are still valid today and sync well with the Biden administration Executive Orders that grew out of the attack," says Bedrock Open Secure Automation.

LESSON 1: THE IMPORTANCE OF SYSTEM MONITORING

Although the publicised attack was on May 7, 2021, the hackers reportedly breached the system on April 29, a week earlier. ISA says that Security Information and Event Management (SIEM) tools, coupled with advanced threat intelligence, detection and monitoring, can help to recognise anomalous activities.

LESSON 2: THE IMPORTANCE OF IT GOVERNANCE

In his testimony to the United States Senate, Colonial Pipeline President and CEO Joseph Blount said: "We believe the attacker exploited a legacy virtual private network (VPN) profile that was not intended to be in use."

LESSON 3: OT AND IT NETWORK CONVERGENCE CREATES ADDITIONAL RISK

Colonial Pipeline shut down its system because it did not know who was attacking, why, or how it might affect its OT network, demonstrating the need for complete visibility into OT network operations and integrations.

LESSON 4: SUCCESSFUL BREACHES CARRY A VARIETY OF COSTS

Although the FBI recovered about 85% of the ransom paid, the threat actors still reaped hundreds of thousands of dollars in extorted funds, and Colonial's Blount revealed at the time that it would cost the company "tens of millions of dollars" to repair the damage and restore all its business systems fully.

LESSON 5: A SUCCESSFUL BREACH BREEDS OTHER HACKING EFFORTS

This is the timeliest warning for every vulnerable organisation - and it needs to be heeded.

Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
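As an added illustration of lessons 1 and 2 (this code is not part of the editorial or of the ISA takeaways), a small SIEM-style rule run over VPN authentication log lines: it flags successful logins through a profile that governance has decommissioned, and logins by accounts that have been dormant beyond a threshold, so that a first-day intrusion does not sit unnoticed for a week. The log layout, user names, profile names and IP addresses are constructed for the example and do not describe any real device or incident.

```python
"""Detection rule: surface successful VPN logins through decommissioned
profiles and logins by long-dormant accounts.
The log layout, profile names, user names and addresses below are
constructed for this example and do not come from any real device."""
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a simple key=value layout.
SAMPLE_LOG = """\
2021-04-20T08:02:11Z vpn-gw auth user=alice profile=corp-standard src=203.0.113.10 result=success
2021-04-21T08:05:42Z vpn-gw auth user=alice profile=corp-standard src=203.0.113.10 result=success
2021-04-28T22:14:03Z vpn-gw auth user=svc-backup profile=legacy-vendor src=198.51.100.7 result=failure
2021-04-29T03:31:55Z vpn-gw auth user=svc-backup profile=legacy-vendor src=198.51.100.7 result=success
2021-04-29T09:00:00Z vpn-gw auth user=bob profile=corp-standard src=203.0.113.22 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) profile=(?P<profile>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    """Parse all lines, skipping any that do not match (real logs carry noise)."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def find_suspicious_logins(records, decommissioned_profiles, last_seen, dormant_days=90):
    """Return one alert per successful login that uses a decommissioned profile,
    comes from a user with no prior login, or follows a gap longer than dormant_days.
    last_seen maps user -> datetime of the previous login and is updated as we go,
    so it doubles as the baseline for the next run. Failed attempts are ignored
    here; a separate brute-force rule would count those."""
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["result"] != "success":
            continue
        reasons = []
        if rec["profile"] in decommissioned_profiles:
            reasons.append("decommissioned profile: " + rec["profile"])
        prev = last_seen.get(rec["user"])
        if prev is None:
            reasons.append("first VPN login seen for this user")
        elif rec["ts"] - prev > timedelta(days=dormant_days):
            reasons.append("dormant account, previous login " + prev.date().isoformat())
        if reasons:
            alerts.append({"ts": rec["ts"], "user": rec["user"], "src": rec["src"],
                           "profile": rec["profile"], "reasons": reasons})
        last_seen[rec["user"]] = rec["ts"]
    return alerts


def baseline_last_seen():
    """Constructed baseline: when each account last logged in before the sample window."""
    return {
        "alice": datetime(2021, 4, 19, 8, 0, 0),
        "bob": datetime(2021, 4, 28, 9, 0, 0),
        "svc-backup": datetime(2020, 10, 1, 0, 0, 0),  # untouched for about seven months
    }


def run_example():
    """Run the rule over the constructed sample and return the alerts."""
    records = parse_log(SAMPLE_LOG)
    # Profiles that governance says should no longer be in use (constructed name).
    decommissioned = {"legacy-vendor"}
    return find_suspicious_logins(records, decommissioned, baseline_last_seen())


if __name__ == "__main__":
    for a in run_example():
        print(a["ts"].isoformat(), a["user"], a["src"], "; ".join(a["reasons"]))
```

On the sample, only the svc-backup login on 29 April is raised, with both reasons attached; the dormant-account check fires even where nobody has yet marked the profile as decommissioned.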

EDITOR: Brian Wall (brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)
SALES: Edward O’Connor (edward.oconnor@btc.co.uk), +44 (0)1689 616 000; Lyndsey Camplin (lyndsey.camplin@btc.co.uk), +44 (0)7946 679 853; Stuart Leigh (stuart.leigh@btc.co.uk), +44 (0)1689 616 000
PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)

Published by Barrow & Thompkins Connexions Ltd (BTC), 35 Station Square, Petts Wood, Kent, BR5 1LZ. Tel: +44 (0)1689 616 000. Fax: +44 (0)1689 82 66 22

SUBSCRIPTIONS: UK: £35/year, £60/two years, £80/three years; Europe: £48/year, £85/two years, £127/three years; R.O.W: £62/year, £115/two years, £168/three years. Single copies can be bought for £8.50 (includes postage & packaging). Published 6 times a year.

© 2022 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.

www.computingsecurity.co.uk May/June 2022 computing security @CSMagAndAwards 3


Secure systems, secure data, secure people, secure business

Computing Security May/June 2022

contents

CONTENTS

COMMENT 3
Colonial Pipeline attack remembered

ARTICLES

NEWS 6 & 8
Cyberattack on Toyota sparks alarm
Top court rules on misuse of data
Malware back with a vengeance
No let-up in lack of diversity

ALL SET TO EXCEL! 10
This year’s Infosecurity Europe show is now fast approaching - and promises to deliver a great line-up of exhibitors, events, presentations and more at the ExCeL in London. See our preview

SECURE SYSTEMS: IS HARDWARE THE STARTING POINT? 11
Hardware-assisted security capabilities are seen as critical to robust security strategy

SEVEN KEY TIPS WHEN CHOOSING AN IDENTITY SECURITY SOLUTION 12
SecurEnvoy points to the advantages of selecting an offering that can be deployed as public cloud, fully Managed Service Provider (MSP) or On-Premise

THE CAPTIVATING QUESTION 14
Why aren't more companies using packet capture? asks Cary Wright of Endace

HACKING GETS BACKING! 15
A university ethical challenge platform has won government backing in the build-up to its launch into the commercial market

RANSOMWARE AND THE CLOUD 16
John Tipton, Adarma, looks at the deep impact that ransomware is now making, especially through 'RansomCloud'

ABSOLUTE ZERO 18
Organisations are starting to switch from a model based on 'trust anyone and anything inside the network' to a 'trust no one and nothing' architecture. Brian Wall reports

PRODUCT REVIEW 24
Endace Endaceprobe 9200 G4

CHAINS OF FREEDOM 26
Supply chains are prone to wild swings and uncertainties. How exactly can those chains be stabilised and less exposed, in order to create a cooperative supply-chain platform?

GET THE BASICS RIGHT… 29
Adoption of cyber security-related tools a growing problem in cyber security world, warns Brookcourt Solutions' Steven Usher

ISOLATED AND VULNERABLE 30
Hackers are driving up the levels of human error by preying increasingly on solitary workers - especially those at home, cut off from immediate IT support

QUANTUM GOES BIG! 32
BT and Toshiba, along with EY, have launched the trial of what is described as a "world-first commercial quantum-secured metro network". The infrastructure will be able to connect numerous customers across London. How safe will that be?

IF YOU CAN'T STAND THE HEAT… 34
… then do something about it. The time has arrived to fight back as Highly Evasive Adaptive Threats (HEAT) hit hard



news

TOP COURT STEPS IN TO RULE AGAINST THE MISUSE OF DATA

The European Court of Justice has recently ruled that the general and indiscriminate retention of traffic and location data, for the purposes of combatting serious crime, is prohibited by EU law.*

The court found in favour of convicted murderer Graham Dwyer, who had duly challenged Ireland's use of mobile phone metadata in his conviction, with potential implications for criminal investigations across Europe.

Comments Edward Machin, a senior lawyer in Ropes & Gray's data, privacy & cybersecurity practice: "This decision is no surprise, given the court's previous rulings on data retention. Indeed, the repeated references to 'settled case-law' perhaps betray its snark in having to reiterate that indiscriminate retention is not permitted for combatting serious crime," he states.

"The case is timely, as it follows the recent agreement in principle of a new transatlantic data pact between the EU and US," continues Machin. "Given that the agreement is designed to rein in US government surveillance, that a European member state has again breached similar obligations under EU law doesn't look good when the US is being told that it needs to reform its snooping laws, if it wants a data deal," he points out.

* https://curia.europa.eu/jcms/upload/docs/application/pdf/2022-04/cp220058en.pdf

Senior lawyer Edward Machin

CYBERATTACK ON TOYOTA SPARKS ALARM AND SERVES AS WARNING

The fact that the world's largest car manufacturer Toyota was recently forced to shut down 14 factories and 28 production lines for an entire day due to a cyberattack serves as a warning in these volatile times, warns Tim Wallen, LogPoint UK&I regional director. "While the manufacture of cars is not necessarily critical to societies, it's a warning of how cyberattacks can influence 'in real life', not limited to leaks of digital information or systems being held for ransom. When production lines are halted, and workers have to stay at home, we have to carefully consider whether we have done enough to protect our digital infrastructures.

"With some 180,000 people employed directly in automotive manufacturing in the UK and in excess of 864,000 across the wider automotive industry," adds Wallen, "this is a crucial industry to protect."

Tim Wallen, LogPoint

MALWARE BACK WITH A VENGEANCE AS PANDEMIC APPEARS TO WANE

Malwarebytes recently announced the findings of its 2022 Threat Review (formerly the 'State of Malware' report), showing that, while the global pandemic may be waning, the 'cyberthreat epidemic' is likely here to stay for businesses and consumers.

The research has uncovered a massive 2021 resurgence of cyberthreats across multiple categories after pandemic-induced declines in 2020, tracking a 77% increase in malware detections over 2020. Business-focused cyberthreats jumped 143%, while consumer-specific threats rose by 65% to more than 152 million. The resurgence was much more than a "return to business as usual, with detection numbers far exceeding pre-pandemic numbers, too", according to the company.

ONE IN THREE COMPANIES ARE VICTIMS OF CYBERATTACK, STATES SURVEY

Cyber security awareness provider SoSafe's 'Human Risk Review 2022' survey shows an ever-worsening cyberthreat situation. According to the survey, a worrying one in three organisations (35%) has experienced a successful cyberattack in the past year. Furthermore, nine out of 10 (90%) cyber security experts confirmed this deteriorating situation. "With the Human Risk Review, we want to provide insights into current trends and developments in the European cyber threat landscape. Our goal is to further raise awareness of this topic - especially for the 'human factor' in information security," says Dr Niklas Hellemann, managing director of SoSafe.

Dr Niklas Hellemann, SoSafe



Strengthen your data resilience with Immutable Backup from Arcserve

Buy an Arcserve Appliance secured by Sophos, and get OneXafe immutable storage!

Arm your business with a multi-layer protection approach to strengthen your overall data resilience. Arcserve brings you data backup, recovery, and immutable storage solutions with integrated cybersecurity to defeat ransomware and provide the best-in-class data management and data protection solution in the market.

Arcserve UDP Data Protection Software: Unified data and ransomware protection to neutralize ransomware attacks, restore data, and perform orchestrated recovery.

Arcserve Appliances: All-in-one enterprise backup, cybersecurity, and disaster recovery, with multipetabyte scalability.

StorageCraft OneXafe Immutable Storage: Scale-out object-based NAS storage with immutable snapshots to safeguard data.

Get multi-layer protection!


news

LACK OF DIVERSITY AND INCLUSION PERSISTS

A severe lack of diversity and inclusion in technology was one of the issues that was highlighted on International Women's Day. Camellia Chan, CEO and founder of cybersecurity company X-PHY (a Flexxon brand), firmly believes that talent is crucial to the industry, "especially as we witness an upheaval in innovation and digital transformation. Despite this, the number of tech roles held by women increased by a mere 2% in 2021".

Chan also points out: "In order to increase this figure, as a society, we need to empower women from a young age and encourage them to be ambitious. Seeing women in high-powered roles is excellent and proactivity is key to ensuring they stay there."

NORMS MUST BE CHALLENGED

Businesses, too, have a crucial role to play, she adds. "Hiring and recruitment practices are incredibly important and, with visible female role models and leaders in the industry, we encourage women to envision a future in tech. Put simply, diverse talent brings new perspectives and innovation. Talented, driven women - as well as employees of different ages, nationalities and domains - create an impactful environment by challenging norms, building competencies and championing excellence."

Camellia Chan, X-PHY

UK RANSOMWARE ATTACKS 'UP 200%' IN THE LAST YEAR, SAYS LAW FIRM

New data released by law firm RPC has revealed that UK ransomware attacks have doubled in the last year.

Comments cybersecurity expert Jack Chapman, VP of Threat Intelligence at Egress: "Ransomware is one of the most serious cybersecurity threats facing UK organisations today. Our recent study found that less than a quarter of boards of directors see ransomware as a top priority - organisations must tackle a number of serious threats, not just ransomware, and many just don't know where to focus their efforts."

Preventing ransomware must become a top concern for organisations, and leadership must focus on building a robust security posture, he adds. "That includes evaluating overall spend and what's in the security stack, looking to intelligent technology to tackle sophisticated phishing attacks and other common entry points for malware."

Jack Chapman, Egress

BEWARE THE LURKING DANGERS AS RETURN TO THE OFFICE GROWS

The lifting of working from home restrictions means it's time for IT departments to consider that employees returning to the office and reconnecting their devices to the corporate network may increase risks, warns Chris Vaughan, AVP - Technical Account Management, Tanium. "Employees working off personal laptops, tablets and mobiles often carry higher cybersecurity risks, due to issues like not having up-to-date patches installed.

"Now, as employees return to the office, there is a possibility that they will unknowingly bring in devices that are infected with malware, trojans, viruses etc that have lain dormant until this point, ready to spread when an opportunity occurs."

Once reconnected to a network, malware can then travel through a company, infecting every computer, he warns.

Chris Vaughan - Tanium

SUPPLY CHAIN SECURITY RISKS SERVE AS 'BACK DOOR' FOR HACKERS

New research unveiled by NCC Group suggests that cyber-attacks on supply chains soared by 51% in the last six months of 2021.

"Organisations have an opportunity to reduce their third-party risk by clarifying whether they or their suppliers are responsible for supply chain risk management," says the company.

Around one in three (36%) surveyed said they are more responsible for preventing, detecting and resolving supply chain attacks than their suppliers. Just over half (53%) said their company and its suppliers are equally responsible for the security of supply chains.

"This could affect organisations' third-party risk, if it means that they are not conducting appropriate due diligence on their suppliers, and could expose them to regulatory penalties." Encouragingly, respondents recognised supplier risk as one of their top challenges for the next 6-12 months and report that they plan to increase their security budgets by an average of 10% this year.



shows & events

ALL SET TO EXCEL!

INFOSECURITY EUROPE, BILLED AS THE BIGGEST GATHERING OF THE INFORMATION SECURITY COMMUNITY IN EUROPE, IS ALMOST HERE

Infosecurity Europe has played a key role in connecting the Infosec community for more than 25 years. Attracting over 13,000 visitors, 300 exhibitors and 170 speakers, this year's event will take place from 21-23 June at ExCeL London, bringing industry peers together to network, share and ultimately, say the organisers, "become stronger together".

CONFERENCE THEME & PROGRAMME

Infosecurity Europe 2022's theme, Together we are Stronger, will focus on the need for cybersecurity professionals to increase collaboration to keep society safe and secure. The conference programme will explore several associated topics. The Keynote Stage will cover key threats and adversaries, tackling insider threats, building a security culture, the paradigm change in ransomware, monetisation of threats, Cybercrime-as-a-Service (CaaS), third party risk, how cyber criminals are changing their approaches, and improving the detection of known and unknown threats.

Visitors will have the chance to engage in discussions around the latest cybersecurity challenges on the Insight Stage, equipping themselves with new strategies and techniques, and exchanging ideas and expertise. In the Talking Tactics theatre, real-world case studies will provide practical and actionable knowledge on how to keep up with the increasing sophistication of security threats.

This year, Infosecurity Europe has also teamed up with NotSoSecure, which will deliver formal cybersecurity training courses live on the show floor for the first time.

KEY SPEAKERS

The Keynote Stage will give delegates direct access to information security knowledge and expertise from some of the industry's leading practitioners, policymakers, analysts and thought leaders.

The main opening keynote speaker will be Major General Tom Copinger-Symes CBE, director of Strategy and Military Digitisation with UK Strategic Command, who will lead with his presentation, ‘Tackling the Uncertain Future of Security Threats’ (Tuesday 21 June, 10:20).

Baroness Eliza Manningham-Buller, former Head of MI5 and now serving on the Lords Select Committee on Science and Technology, will discuss ‘Leadership in an Age of Uncertainty’ (Wednesday 22 June, 10:10).

Misha Glenny, author, journalist and specialist in organised crime and cybersecurity, has acted as consultant to European governments and the EU on the Balkans, and advised the US departments of State and of Justice on US-European relationships. He will discuss ‘Geopolitics and Cyber Insecurity’ (Tuesday 21 June, 15:20).

Investigative journalist Geoff White, a reporter for the BBC and Channel 4 and author of The Lazarus Heist, will explore ‘Lessons Learned from Most Recent Cybercrime Investigations’ (Wednesday 22 June, 16:10).

WHY ATTEND?

"With threats increasing [39% of UK businesses reported a breach in the last year], acquiring the right knowledge and tools has never been more important," add the organisers. "At Infosecurity Europe 2022, you will have the opportunity to Learn, Explore and Network."

Learn: Attend conference sessions and speak with industry experts. Earn CPE & CPD credits at a series of immersive workshops and demonstrations.

Explore: Discover, evaluate and benchmark products, solutions and innovations to transform your business.

Network: Meet new and established international suppliers from around the world. Build relationships with a diverse range of infosecurity professionals.

To register to attend the show, go to: https://www.infosecurityeurope.com/en-gb

FACTFILE

WHAT: Infosecurity Europe 2022
WHEN: 21-23 June 2022
WHERE: ExCeL London, Royal Victoria Dock, London E16 1XL
OPENING TIMES:
Tuesday 21 June: 9:30am-5:00pm
Wednesday 22 June: 9:30am-5:00pm
Thursday 23 June: 9:30am-4:00pm



research special

SECURE SYSTEMS: IS HARDWARE THE STARTING POINT?

ORGANISATIONS VIEW HARDWARE-ASSISTED SECURITY CAPABILITIES AS CRITICAL TO A ROBUST SECURITY STRATEGY

Key findings in a new Intel-sponsored study reveal that "organisations value security product innovation, especially at the hardware level, when purchasing technologies and services", states the company.

Businesses are expected to spend some $172 billion in 2022 on increasing their cybersecurity commitments and enhancing measures to protect themselves. "Organisations recognise hardware-assisted security capabilities are critical to a robust security strategy, with many searching out transparent technology providers to supply innovative security solutions," adds Intel.

And adoption is growing; while the study found only 36% of respondents say that their organisation's current cybersecurity protocols use hardware-assisted security solutions, 47% state that these solutions will be adopted within the next six months (24%) or 12 months (23%).

"The security threat landscape continues to evolve, becoming more sophisticated and challenging for organisations to defend against," comments Suzy Greenberg, vice president, Intel Product Assurance and Security, pictured above. "Today more than ever, companies are demanding assurance capabilities and hardware-enhanced security solutions that help protect the entire compute stack."

Key findings from the study include:

64% of respondents say their organisations are more likely to purchase technologies and services from technology providers that are leading edge with respect to innovation.

The top areas of focus for security innovation are security automation (41% of respondents), security at the silicon level (40%), cloud migration (40%), and education and training (38% of respondents).

53% of those surveyed say their organisations refreshed their security strategy because of the pandemic.

Of the 36% of organisations using hardware-assisted security solutions, 85% say hardware- and/or firmware-based security is a high or very high priority in their organisation. And 64% also say it is important for a vendor to offer both hardware- and software-assisted security capabilities.

IMPACT OF ZERO TRUST AND TRANSPARENCY TRENDS

Key findings indicate that organisations are looking to integrate hardware-based security solutions into their Zero Trust strategies. Of the 36% of organisations using hardware-assisted security solutions, 32% of respondents have implemented a Zero Trust infrastructure strategy and 75% expressed increased interest in Zero Trust models as the pandemic continues and the remote workforce grows.

As organisations incorporate new security technologies, hardware-assisted security complements existing protocols and bolsters overall security hygiene. Additionally, the rapid sophistication of the threat landscape requires organisations to be one step ahead of security updates, although challenges remain when it comes to managing vulnerabilities and patching updates. The study reveals that fewer than half of organisations have visibility into newly disclosed vulnerabilities and patches/updates (48% of respondents) and mainly prioritise security updates for the latest product generation (42%), when there are still many legacy devices in use around the world.



identity security

7 REASONS WHY SECURENVOY MIGHT SERVE AS AN ALTERNATIVE TO MICROSOFT AZURE AD MFA FOR IDENTITY SECURITY

THE SUMMER OF 2020 SAW MICROSOFT ROLL OUT AZURE AD PREMIUM 1 FEATURES TO ALL MICROSOFT 365 BUSINESS PREMIUM ACCOUNTS. IS THIS THE SILVER BULLET FOR ALL IAM ISSUES? ASKS TOM HILLS, PRE-SALES CONSULTANT AT SECURENVOY

"This article is our experience and customer feedback over the past 12-24 months, covering the key considerations and reasons why organisations might look outside of their Microsoft licensing schemes," states Tom Hills, pre-sales consultant at SecurEnvoy. Here follows his take on that topic and the suggested '7 Reasons' for taking that path:

1. Deployment Flexibility

On-Premise & Cloud Deployment
"SecurEnvoy's offering can be deployed either as a public cloud, fully Managed Service (MSP) or On-Premise," says Hills. "This flexibility is key for clients where security is paramount, or where clients are bound by local law and compliances."

Speed of Deployment
"SecurEnvoy product offerings are based around a quick time to deploy. The on-premise platform is light on requirements. SecurEnvoy IAM offers agents that, once installed, can enable synchronisation of user identities from Active Directory in moments."

2. Simplified Administration & Management

Intuitive Administration
"The SecurEnvoy administration console is clutter free. Configurations are easily accessible and not hidden within nested menus. Administrators familiarise their way around the UI quickly. Often, configurations are only applied once, so there is little need to constantly tweak the solution."

Integrations Out of the Box
"Use prebuilt application integrations from the catalogue. The integration automatically generates identity provider (IdP) URLs and certificates. Enable single-sign-on (SSO) to the applications in a couple of clicks. Application access centralised from day one."

Single Pane of Glass
"An easy to interpret dashboard provides a visualisation of both live and historical activity, capturing user metrics such as logon activity, licence count, agent connection status, throughput and application access," according to Hills.

Self-Service
"Reduce helpdesk overheads by providing the users with self-service password reset. The password reset can be completed from either Desktop, web portal or the mobile app. For users who have lost their MFA method, a self-service helpdesk portal can allow the user to securely create a new temporary MFA method."

User Lifecycle Management
"Onboarding is automatically controlled from the parent directory (Azure AD, Microsoft AD, Google Directory). The synchronisation control granularity varies depending on domain, OU or group membership."

3. Protecting Desktop Logon

Protect Windows with MFA
"The Windows Logon Agent is installed on Windows workstations and Servers. Console and RDP logins can be secured with MFA. Anyone attempting to access Windows will be prompted for MFA. MFA can still be provided if a user is attempting to authenticate whilst offline. Users can be enabled for MFA via Group Memberships. For example, only Domain or Local Administrators can be prompted for MFA when authenticating, mitigating the risk of credential misuse."

Protect MacOS with MFA

"Users of these devices are typically business executives, board members, software developers and security teams, meaning securing this attack vector should be a priority. The MacOS Logon Agent can be deployed to enable MFA access to the MacOS devices, reducing the risk of unauthorised access into the environment."

4. Advanced RADIUS Support

"On-premise environments are often protected by a VPN or other remote access methods. Predominantly, these methods support the RADIUS protocol. Microsoft Azure AD MFA can support the RADIUS protocol; however, it requires Network Policy Server (NPS), which can increase complexity. Also, some users feel that NPS does not always integrate well with all VPNs."

Support RADIUS-Based Clients with MFA

"SecurEnvoy offers rich RADIUS capability, meaning support for a variety of use cases, including traditional VPN-based technologies and Remote Desktop environments. Support for RADIUS clients extends to implementing a 'Trusted Networks' policy, where users connecting from a specific network would not get prompted for MFA. Secondly, 'Blocked Networks' can be added: authentication attempts from specified network locations will get blocked. 'Trusted Groups' can also be configured, whereby users within specified groups will not require MFA. For example, users within the 'administrators' group must always provide MFA. Authentication can only be permitted from specific domains, too, which is ideal with Managed Service Providers running multi-tenant environments."
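The RADIUS policy just described (blocked and trusted networks, trusted groups, a domain restriction) and the group-based Windows MFA rule in the previous section (only administrators prompted) come down to the same decision: given who is authenticating, from where and in which groups, should the attempt be denied, allowed outright or challenged for a second factor. The Python below is an added illustration written for this article, not SecurEnvoy's or Microsoft's code; the evaluation order (blocked networks first, then an always-MFA group, then trusted networks and groups) and every network range, domain and group name are constructed assumptions.

```python
"""Toy RADIUS-style MFA policy evaluator. Constructed illustration, not
SecurEnvoy's or Microsoft NPS's implementation. Assumed evaluation order:
blocked networks and domain restriction win, then an always-MFA group,
then trusted networks and trusted groups may waive the second factor."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class MfaPolicy:
    blocked_networks: list = field(default_factory=list)   # deny outright
    trusted_networks: list = field(default_factory=list)   # no MFA prompt
    trusted_groups: set = field(default_factory=set)       # no MFA prompt
    always_mfa_groups: set = field(default_factory=set)    # MFA regardless of source
    allowed_domains: set = field(default_factory=set)      # empty = any domain

    def evaluate(self, username: str, groups: set, source_ip: str) -> str:
        """Return 'deny', 'mfa' or 'allow' for one authentication attempt."""
        ip = ipaddress.ip_address(source_ip)
        # Domain restriction: useful for multi-tenant MSP deployments.
        domain = username.split("@", 1)[1].lower() if "@" in username else ""
        if self.allowed_domains and domain not in self.allowed_domains:
            return "deny"
        # Blocked networks are checked before anything that could waive MFA.
        if any(ip in net for net in self.blocked_networks):
            return "deny"
        # Privileged groups must always present a second factor,
        # even from a trusted network.
        if groups & self.always_mfa_groups:
            return "mfa"
        # Trusted sources or trusted groups waive the prompt.
        if any(ip in net for net in self.trusted_networks) or groups & self.trusted_groups:
            return "allow"
        return "mfa"


def build_example_policy() -> MfaPolicy:
    """Constructed sample policy; ranges are documentation/test networks."""
    return MfaPolicy(
        blocked_networks=[ipaddress.ip_network("203.0.113.0/24")],  # TEST-NET-3
        trusted_networks=[ipaddress.ip_network("10.0.0.0/8")],      # assumed office LAN
        trusted_groups={"kiosk-users"},
        always_mfa_groups={"administrators"},
        allowed_domains={"example.com"},
    )


if __name__ == "__main__":
    policy = build_example_policy()
    for user, grp, ip in [("alice@example.com", {"staff"}, "10.1.2.3"),
                          ("root@example.com", {"administrators"}, "10.1.2.3"),
                          ("bob@example.com", {"staff"}, "203.0.113.9")]:
        print(user, ip, "->", policy.evaluate(user, grp, ip))
```

The ordering is the security-relevant part: a trusted network must never override a block, and a privileged group should be challenged even from a trusted network; otherwise a 'Trusted Networks' exception quietly becomes an MFA bypass for the accounts that matter most.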

5. Increased Granularity of Authentication Policies

"Challenges exist around authentication methods and some configurations are only available as a global 'on/off' setting. For example, this can leave organisations unable to configure policies to only allow mechanisms such as SMS OTP for some low-risk user activities. Organisations must have a broad range of authentication mechanisms at their disposal to address each use case and user group appropriately."

Select Authentication Methods Based on Group/User Profile

"SecurEnvoy offers the ability to configure a range of authentication methods that are available per user or group. Options vary from biometrically protected smartphone apps and hardware tokens to SMS OTP options. The platform can report on which users are enrolled for which authentication methods at any time, providing a bird's eye view of selected authentication types."

Reduce IT overhead with self-service

"Providing users with the ability to select their desired multi-factor method during enrolment speeds up deployment and creates a positive user experience. SecurEnvoy has self-service functionality built in, which allows users to change their authentication method securely, quickly and easily. A different method might be required in case of a new device, or if the working environment changes."

Implement True Location Awareness

"SecurEnvoy can guarantee user location at time of authentication, so strict policies can be used to allow exact pre-defined 'safe' locations, or an allowed amount of deviation between the request and the authentication (PUSH) response. Corporations can be assured not only of the identity of the user, but also of an exact location, to provide a deeper level of user access control."

6. Multiple Directory Environments

"Projects to consolidate multi-domain environments typically take a long time, drain internal resources, are costly and, if not well thought-out, can lead to security issues," adds Hills.

SecurEnvoy Universal Directory

"A Universal Directory is the core of the IAM platform, synchronising bi-directionally against multiple directories and domains. SecurEnvoy becomes the identity provider (IdP), creating a single digital user identity. This approach then allows for consistent security and access policies to be deployed, minimising security risks. Joiners, movers and leavers (JML) are handled on an automated basis: if a user is disabled somewhere, ALL their access is disabled, in real time."
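The Universal Directory behaviour described here, and the directory-driven onboarding in the User Lifecycle Management section earlier, can be shown with a small reconciliation routine. This Python is an added example, not SecurEnvoy's code; the directory names, user ids and group names are constructed. It merges records from several source directories into one identity per user and derives joiner, mover and leaver actions, applying the rule that a user disabled in any one source loses all access.

```python
"""Constructed illustration of a 'universal directory' merge with
joiner/mover/leaver (JML) handling. Not SecurEnvoy's code. Records are
embedded sample data; a real connector would pull them from each
directory and run this reconciliation on every change event."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceUser:
    directory: str      # e.g. "azure-ad", "on-prem-ad" (constructed names)
    user_id: str        # stable key used to correlate across directories
    enabled: bool
    groups: frozenset


def merge_identities(records):
    """Build {user_id: {"enabled", "groups", "sources"}}.
    A user is enabled only if enabled in every directory that knows them:
    a disable anywhere disables the merged identity."""
    merged = {}
    for r in records:
        entry = merged.setdefault(
            r.user_id, {"enabled": True, "groups": set(), "sources": set()})
        entry["enabled"] = entry["enabled"] and r.enabled
        entry["groups"] |= set(r.groups)
        entry["sources"].add(r.directory)
    return merged


def plan_changes(previous, current):
    """Diff two merged snapshots into JML actions as (action, user, groups)."""
    actions = []
    for uid, now in current.items():
        before = previous.get(uid)
        if before is None:
            actions.append(("join", uid, sorted(now["groups"])))
        elif before["enabled"] and not now["enabled"]:
            actions.append(("revoke_all", uid, []))       # leaver: pull every grant
        elif not before["enabled"] and now["enabled"]:
            actions.append(("restore", uid, sorted(now["groups"])))
        elif before["groups"] != now["groups"]:
            actions.append(("move", uid, sorted(now["groups"])))
    for uid in previous:
        if uid not in current:
            actions.append(("revoke_all", uid, []))       # deleted from every source
    return actions


# Constructed snapshots: alice is disabled in one directory only at T1,
# bob gains a group, carol is a new joiner.
SNAPSHOT_T0 = [
    SourceUser("azure-ad", "alice", True, frozenset({"sales"})),
    SourceUser("on-prem-ad", "alice", True, frozenset({"vpn-users"})),
    SourceUser("azure-ad", "bob", True, frozenset({"eng"})),
]
SNAPSHOT_T1 = [
    SourceUser("azure-ad", "alice", True, frozenset({"sales"})),
    SourceUser("on-prem-ad", "alice", False, frozenset({"vpn-users"})),
    SourceUser("azure-ad", "bob", True, frozenset({"eng", "admins"})),
    SourceUser("azure-ad", "carol", True, frozenset({"eng"})),
]


def example_actions():
    """JML actions needed to move from T0 to T1."""
    return plan_changes(merge_identities(SNAPSHOT_T0), merge_identities(SNAPSHOT_T1))


if __name__ == "__main__":
    for action in example_actions():
        print(action)
```

The point to notice is that alice is still enabled in Azure AD at T1; the merge treats the on-premises disable as authoritative for the whole identity, which is what "disabled somewhere, all access disabled" requires. A merge that ORed the enabled flags would leave her cloud access open.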

7. Enhanced Concierge Style Customer Support

Dedicated Support Team

"Calls are answered directly by an engineer. Calls are resolved quickly, without having to navigate time-consuming 1st line helpdesk functions," he comments. "We often assign calls to engineers who have previously worked with the customer, maintaining a deeper understanding of the customer environment. Customers benefit from our unique consultative approach, helping solve technical and business issues."

"To summarise, Microsoft Azure AD MFA does work well in most environments, but certainly not all. The deployment and management can be complex and, in many areas, lacks flexibility and granular controls. To have all your eggs in one basket with one vendor may leave you open to unexpected downtime. Particularly with Microsoft, due to its global customer footprint, it could be a prominent target for hackers. Some of our customers have raised concerns about the licensing model, commenting they feel locked in, leaving them vulnerable to price increases. Prices increased on 1 March 2022 (around 10% overall). Taking a Microsoft 'plus' approach could be the way forward, subscribing to the minimum bundle and integrating best-of-breed solutions to achieve business objectives."

2022: WHERE PACKET CAPTURE WENT NEXT

IN TODAY'S RAPIDLY CHANGING THREAT LANDSCAPE, WHY AREN'T MORE COMPANIES UTILISING PACKET CAPTURE? CARY WRIGHT, VP OF PRODUCT MANAGEMENT, ENDACE, OFFERS HIS VIEWS

Historically, packet analysis has had real accessibility challenges. Security teams have often struggled to wrangle massive packet capture files to find the evidence they need within them. Packet capture has also mainly been used by senior security analysts with deep experience in packet forensics. How can we change things, so that even junior analysts can quickly find the data they need, get to relevant packets from alerts in their relevant tools and extract value from full packet data?

ACCESS THE ACTUAL CONTENT OF NETWORK CONVERSATIONS

Modern packet capture solutions have matured significantly. Companies are now deploying distributed, full packet capture solutions that provide the evidence needed to accelerate investigation and response times.

They've moved beyond relying on logs and metadata to recording full packet data, which lets analysts analyse historical traffic to investigate threats more closely. This provides access to files, malware, ransomware, executables, zip archives, exfiltrated documents, code downloads and more - anything attackers use to compromise user and network security and steal data.

Analysts can also re-analyse recorded packet data to generate detailed logs - including DNS, HTTPS, TLS, SMTP, database transactions and more - and re-scan historical traffic using new detection rules to provide deep contextual insight into network activity.

ACCELERATING INVESTIGATION AND RESPONSE

Many organisations' previous experience with packet capture was that it was challenging both to accurately record and manage large volumes of data at high speed - and then time-consuming to locate the specific data that is needed for an investigation.

However, modern packet capture solutions are scalable, and can cost-effectively record weeks to months of history. They enable analysts to find packets of interest quickly and easily and integrate that critical evidence into workflows and investigations. Scalable solutions can provide always-on recording at today's fast network speeds (10 Gbps up to 100 Gbps or more) and deep storage capacity - giving analysts time to go back and investigate historical events.

Analysts can search/data-mine recorded data to find and analyse relevant packets quickly from within what may be petabytes of data. Integration with a wide variety of cybersecurity solutions makes it possible to 'pivot' in-context from an alert in a security or performance monitoring tool directly to the relevant packets. This speeds up and streamlines the investigation process and can also enable the automation of common evidence collection and analysis tasks (eg, using SOAR tools).
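Two claims in the sections above, re-scanning recorded traffic with detection rules written after the fact and pivoting from an alert to the packets around it, can be shown on a miniature capture. The Python below is an added example, not Endace's software; it builds a tiny raw-IPv4 pcap of DNS queries inline (all addresses and domain names are constructed), parses it without third-party libraries, applies a blocklist rule retrospectively and pulls the packets around a hypothetical alert.

```python
"""Retrospective scan and alert pivot over a recorded capture. Constructed
example: builds a minimal pcap (linktype 101, raw IPv4, UDP/DNS only) in
memory so it runs offline. Addresses and names are made up."""
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst sport dport payload")


def build_dns_query(qname: str) -> bytes:
    """Minimal DNS query message: header + one A-record question for qname."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def build_udp_ipv4(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 header (no options, checksums left at 0) + UDP header + payload."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp


def build_pcap(frames) -> bytes:
    """pcap file: 24-byte global header (linktype 101 = raw IPv4) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for ts, data in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out


def parse_pcap(blob: bytes):
    """Yield Packet records for the UDP/IPv4 frames in a raw-IPv4 pcap."""
    magic, = struct.unpack("<I", blob[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack("<IIII", blob[off:off + 16])
        data = blob[off + 16:off + 16 + incl]
        off += 16 + incl
        if data[9] != 17:                      # IPv4 protocol field: 17 = UDP
            continue
        ihl = (data[0] & 0x0F) * 4
        src = ".".join(map(str, data[12:16]))
        dst = ".".join(map(str, data[16:20]))
        sport, dport = struct.unpack("!HH", data[ihl:ihl + 4])
        yield Packet(sec + usec / 1e6, src, dst, sport, dport, data[ihl + 8:])


def dns_qname(payload: bytes) -> str:
    """Decode the first question name of a DNS message (no label compression)."""
    parts, i = [], 12
    while payload[i]:
        n = payload[i]
        parts.append(payload[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(parts)


def rescan_for_domains(blob: bytes, bad_domains: set):
    """Retrospective rule: flag DNS lookups of domains blocklisted after capture."""
    hits = []
    for p in parse_pcap(blob):
        if p.dport == 53:
            name = dns_qname(p.payload)
            if name in bad_domains or any(name.endswith("." + d) for d in bad_domains):
                hits.append((p.ts, p.src, name))
    return hits


def pivot_from_alert(blob: bytes, host: str, alert_ts: float, window: float = 2.0):
    """Pull every packet involving host within +/- window seconds of an alert."""
    return [p for p in parse_pcap(blob)
            if host in (p.src, p.dst) and abs(p.ts - alert_ts) <= window]


# Constructed capture: three DNS queries from two workstations to a resolver.
SAMPLE_PCAP = build_pcap([
    (1000.0, build_udp_ipv4("10.0.0.5", "10.0.0.53", 40001, 53, build_dns_query("updates.example.com"))),
    (1001.5, build_udp_ipv4("10.0.0.7", "10.0.0.53", 40002, 53, build_dns_query("cdn.bad-actor.example"))),
    (1030.0, build_udp_ipv4("10.0.0.5", "10.0.0.53", 40003, 53, build_dns_query("mail.example.com"))),
])

if __name__ == "__main__":
    print(rescan_for_domains(SAMPLE_PCAP, {"bad-actor.example"}))
    print(pivot_from_alert(SAMPLE_PCAP, "10.0.0.7", 1001.0))
```

Real captures carry Ethernet framing, IP options, TCP streams and fragmentation, so a production tool needs a full decoder; the workflow is unchanged, though: the capture is the evidence, and an indicator learned weeks later can still be applied to it.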

EASY EXTRACTION AND ANALYSIS OF DATA

Analysts can also extract and analyse useful information from packet data easily - such as reassembling files or generating detailed analysis logs - without needing deep packet analysis expertise.

Recorded packet history can be easily and quickly reviewed for incident response, threat-hunting or troubleshooting network or application performance issues. Network-wide packet capture can be enabled using a scalable fabric with multiple capture points, which can be centrally searched and managed.

With these improvements and more, the next generation of packet capture solutions can provide the gold standard for understanding the threats traversing networks and resolving IT operational or performance issues.

HACKING GETS BACKING!

UNIVERSITY ETHICAL CHALLENGE PLATFORM WINS GOVERNMENT BACKING TO PREPARE FOR LAUNCH INTO COMMERCIAL MARKET

A unique and innovative cyber security hacking and education platform - created by academics at Leeds Beckett University - has received government funding to help prepare it to launch into the commercial market.

Hacktivity Cyber Security Labs is a virtual lab environment, allowing computing students to remotely log into virtual machines (VMs) and receive randomly generated security or ethical hacking challenges, individualised to each user. The platform features hands-on tasks, league tables, progress monitoring dashboards, and instant feedback and challenges through a chatbot.

Dr Z. Cliffe Schreuders, reader in Computer Security and Director of the Cybercrime and Security Innovation Centre at Leeds Beckett, designed the Hacktivity platform. "Hacktivity is the product of nine years of academic research and development," he says. "Creating hacking challenges for our students helps them to put theory into practice. We want to make it fun and engaging to learn cyber security - so we have been developing a lot of our own software and techniques."

The £32,000 funding boost was awarded as part of Innovate UK's Cyber Academic Startup Accelerator Programme (CyberASAP), which aims to help universities commercialise cyber security research. The academic team will receive training to develop a value proposition, carry out market research and investigate the pathways to commercialising the platform. The team will then pitch for further stages of funding, to begin working with partner organisations and carry out further research and development.

"CyberASAP is a great opportunity to learn from experts how we can commercialise our state-of-the-art platform, grow its user-base outside of the university and fund its continued growth," continues Schreuders, "including further technical development and content creation. Hacktivity is a unique and useful resource, and has had a great impact on our students. Our open-source framework, SecGen, is already used by many internationally and there is potential for so many more people to gain from what we have developed - from security professionals to other universities and employers."

There are several unique features that Hacktivity provides in comparison to other existing platforms, according to Paul Doney, Head of Subject for Computing at Leeds Beckett. "Most hacking challenges involve manually setting up a challenge, which you would use once, and each student would have the exact same challenge. Our software creates and automates that process and makes it interesting by randomising it, so that each student has a uniquely configured system and problem and a unique experience. We also have Hackerbot automated chatbots which present hacking and defensive challenges and carry out real attacks."

Hacktivity has a large library of content. It has all been mapped to the Cyber Security Body of Knowledge (CyBOK), the national Body of Knowledge informing and underpinning education and professional training for the cyber security sector. It challenges students' skills in areas including systems security and defensive controls, web and network security, ethical hacking and penetration testing, malware analysis, software exploitation, and incident response and investigation.

Last year, Leeds Beckett University's BSc (Hons) and MSc Cyber Security degree courses received accreditation from the National Cyber Security Centre (NCSC), the UK's leading technical authority on cyber security. It is one of only nine universities in the UK to be awarded the accreditation for an undergraduate degree.

RANSOMCLOUD: HOW RANSOMWARE IS ATTACKING THE CLOUD

JOHN TIPTON, SENIOR SECURITY CONSULTANT AT ADARMA, LOOKS AT THE DEEPLY CONCERNING IMPACT RANSOMWARE IS NOW MAKING, ESPECIALLY WITH THE EMERGENCE OF 'RANSOMCLOUD'

John Tipton, Adarma

Within the mob of malware, ransomware appears to be leading the pack. While other malicious software - such as viruses, worms, spyware and adware - ransack computer systems, ransomware goes further by making demands. It infiltrates computers and servers with intention, encrypting files and data along the way, thus rendering devices unusable. Once satisfied, the operators behind the attack will insist that a hefty sum is paid up in return for the decryption key.

It's the age-old tactic of extortion, but re-enacted in the digital world. Now that our everyday lives have become highly dependent on the internet, the playing field for this particular strain of malware has expanded immeasurably. At the same time, cybersecurity threats are growing - in 2020, malware and ransomware attacks increased by 358% and 435% respectively - and are outpacing societies'

Though ransomware may have started as an operation of opportunity, it has since become an established criminal enterprise in its own right. And in the same way a legitimate business might adapt and evolve to remain competitive in the market, threat actors leveraging ransomware are doing the same. The mass shift to the cloud is a prime example of this.

Cloud migration is not a new phenomenon, but it has certainly been expedited by the pandemic. In an effort to maintain business continuity, companies have transferred their digital assets and operations to a cloud computing environment, minimising or even eliminating the use of on-premise databases. In other words, software, services and databases can now be accessed via the internet. Among a host of other benefits, cloud computing has enabled companies to be more flexible and mobile, while improving collaboration efficiency. It has also facilitated scalability and reduced overall IT costs.

Unfortunately, cybercriminals have recognised this shift and the valuable data now held within the cloud, leading to 'Ransomcloud' attacks. Such attacks occur through three key methods: file sync piggybacking, remote connection with stolen credentials and attacking the cloud provider. Here is how these approaches work.

FILE SYNC PIGGYBACKING

The first type of ransomcloud attack leverages the common attack vector of phishing to infect the victim's local computer. Contrary to popular belief, the malicious attachment or link included in the email often does not contain the malware payload. Rather, it delivers a small program that runs stealthily in the background, and it is this program that will then install the malware.

Once in the system, the malware will disguise itself as a popup permission request from trusted software, like an anti-virus scan request. By approving, the malware is activated and can now disseminate itself, not just on the local computer but across the network to any machine or server it may be connected to. As it spreads, threat actors will be on the lookout for a file sync service interacting with a cloud service. When it has been identified, the ransomware piggybacks on the file sync, allowing threat actors to access, infect and encrypt data in the cloud.

Of course, should the organisation have measures such as air gapping in place, ransomware may be unable to compromise a route to the cloud and settle on local infection instead. It's no wonder then that we are witnessing a rise in the use of Google Drive, Slack, Microsoft Teams etc. to distribute malicious software. These applications sit between the cloud and on-premise devices, syncing relevant files as appropriate. Once compromised, it becomes incredibly difficult to reverse the impact. This is where advanced Cloud Access Security Broker (CASB) tools prove useful, as they sit between the on-premise and cloud infrastructures, vetting the traffic between them.
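The sync piggyback described above leaves a trace in whatever audits the sync path, whether a CASB or the sync service's own activity log: one account rewriting many files within seconds, with the new names carrying an extension that account has never produced before. The Python below is an added detection example, not Adarma's or any CASB vendor's code; the log lines and their 'timestamp user action path [newpath]' format are constructed.

```python
"""Detect an encryption burst in a file-sync audit log. Constructed example:
the log format and every line are made up. The rule fires when one user
renames at least `threshold` files to an extension not seen for that user,
all inside a sliding window of `window` seconds."""
from collections import defaultdict, deque
import os

# Constructed sample: alice edits normally, bob's account renames six files
# to .locked within seconds, carol does a single ordinary rename.
SAMPLE_SYNC_LOG = """\
1650000000 alice modify /Shared/Finance/q1-report.xlsx
1650000030 alice modify /Shared/Finance/budget.docx
1650000100 bob modify /Shared/Eng/design.md
1650000120 bob rename /Shared/Eng/design.md /Shared/Eng/design.md.locked
1650000121 bob rename /Shared/Eng/roadmap.pptx /Shared/Eng/roadmap.pptx.locked
1650000122 bob rename /Shared/Eng/notes.txt /Shared/Eng/notes.txt.locked
1650000123 bob rename /Shared/Eng/api.yaml /Shared/Eng/api.yaml.locked
1650000124 bob rename /Shared/Eng/todo.txt /Shared/Eng/todo.txt.locked
1650000125 bob rename /Shared/Eng/readme.md /Shared/Eng/readme.md.locked
1650000900 carol rename /Shared/HR/draft.docx /Shared/HR/final.docx
"""


def parse_sync_log(text):
    """Yield (ts, user, action, src, dst); dst is None unless action is rename."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, user, action, src = int(fields[0]), fields[1], fields[2], fields[3]
        dst = fields[4] if action == "rename" and len(fields) > 4 else None
        yield ts, user, action, src, dst


def detect_encryption_bursts(text, window=60, threshold=5):
    """Return [(user, first_ts_in_window, suspicious_count, extension)] for
    users whose renames to a never-before-seen extension reach threshold
    within the window. One alert per user."""
    recent = defaultdict(deque)      # user -> deque of (ts, new_extension)
    known_ext = defaultdict(set)     # user -> extensions seen in normal activity
    alerts, alerted = [], set()
    for ts, user, action, src, dst in parse_sync_log(text):
        ext = os.path.splitext(dst or src)[1]
        if action != "rename":
            known_ext[user].add(ext)         # ordinary edits teach the baseline
            continue
        q = recent[user]
        q.append((ts, ext))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        suspicious = [e for _, e in q if e and e not in known_ext[user]]
        if len(suspicious) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, q[0][0], len(suspicious), ext))
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_SYNC_LOG):
        print("possible sync-propagated encryption:", alert)
```

The baseline here is learned from the same log, which is a simplification; in practice the set of usual extensions per user comes from a longer history, and the threshold is tuned against the organisation's normal bulk-rename activity so that a legitimate migration does not trip it. The value of catching the burst early is that a sync client will otherwise carry every encrypted rename straight into the cloud copy.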

REMOTE CONNECTION WITH STOLEN CREDENTIALS

The second tactic sees threat actors monitor network connections for authentication attempts. They will then capture the user's cloud credentials, usually by presenting a fake login portal masquerading as the real cloud platform. By tracking the keystrokes on the infected local computer, connection details can be copied to a remote computer and automatically entered into the real cloud platform from there. As the local malware captures the keystrokes and passes them on to the remote computer, cybercriminals can gain entry to the cloud via a simultaneous login, potentially bypassing two-factor authentication methods that ask for a code, as the user would type this in also. Now they have a connection to the cloud from their own computer and gain as much or as little access as the cloned user, depending on their privilege level.

ATTACKING THE CLOUD PROVIDER

Last but not least, a ransomcloud attack could arise by targeting the cloud provider directly. This is the most damaging of the methods and the most lucrative for the attacker, because, if they are successful, it would mean they have compromised the entire cloud platform. In short, they could demand ransoms from some or all customers of the compromised service.

Consider Microsoft Azure cloud. In August 2021, Microsoft was notified of a vulnerability in its Azure Cosmos Database. The vulnerability, an issue identified within Jupyter Notebooks, enabled the perpetrator to escalate privileges and move laterally across the Microsoft cloud. Although it was quickly rectified and there were no reported incidents of ransomware, it does highlight the risk.

Having now investigated the ways in which the cloud could be compromised, we might then ask who bears the responsibility of maintaining its security. The truth of the matter is that the responsibility is shared. Cloud vendors, businesses or their managed service providers and even individual employees all have a role to play, though it may flex depending on how the business consumes cloud. For instance, a cloud provider will bear greater responsibility for businesses who adopt serverless computing. Conversely, the business will own a greater degree of responsibility if it utilises an Infrastructure as a Service (IaaS) model. One must simply establish who is responsible for what early in the cloud migration process.

Nevertheless, it is important to remember that a business is always responsible for its data, regardless of where it is hosted. With that said, businesses need to be attentive to their permissive policies, insider threats, phishing campaigns and leaked credentials. The best way to combat some of these challenges is to adopt best-practice measures, like following the principle of least privilege to limit the damaging actions that may transpire should a cloud account be hacked. It also means investing in security awareness training to curb successful phishing attempts. Businesses must also ensure they have clear visibility of their cloud environments, so they can detect and remediate issues sooner rather than later.

ABSOLUTE ZERO

ORGANISATIONS ARE STARTING TO SWITCH FROM A MODEL BASED ON 'TRUST ANYONE AND ANYTHING INSIDE THE NETWORK' TO A 'TRUST NO ONE AND NOTHING' ARCHITECTURE. BRIAN WALL REPORTS

Zero Trust has become an ever-growing mantra across the security community, but what exactly does it mean? According to Cloudflare, Zero Trust is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, "regardless of whether they are sitting within or outside of the network perimeter". ZTNA - Zero Trust Network Access - is the main technology associated with Zero Trust architecture; but Zero Trust is a holistic approach to network security that incorporates several different principles and technologies.

"More simply put," states Cloudflare, "traditional IT network security trusts anyone and anything inside the network. A Zero Trust architecture trusts no one and nothing. Traditional IT network security is based on the castle-and-moat concept. In castle-and-moat security, it is hard to obtain access from outside the network, but everyone inside the network is trusted by default. The problem with this approach is that once an attacker gains access to the network, they have free rein over everything inside."

This vulnerability in castle-and-moat security systems is exacerbated by the fact that companies no longer have their data in just one place, it adds. "Today, information is often spread across cloud vendors, which makes it more difficult to have a single security control for an entire network. Zero Trust security means that no one is trusted by default from inside or outside the network and verification is required from everyone trying to gain access to resources on the network. This added layer of security has been shown to prevent data breaches. Studies have shown that the average cost of a single data breach is over $3 million. Considering that figure, it should come as no surprise that many organisations are now eager to adopt a Zero Trust security policy."

Meanwhile, Cloudflare is integrating its Zero Trust platform with CrowdStrike Falcon Zero Trust Assessment (ZTA) to ensure employees have secure access to applications wherever they are working. "Every business needs to protect users and teams, no matter where they are or how they're working," says John Graham-Cumming, chief technology officer at Cloudflare. "Cloudflare's Zero Trust platform delivers comprehensive protection to organisations of all sizes. Now we're making it even easier for joint customers of Cloudflare and CrowdStrike to benefit from new combined security features for the connect-from-anywhere economy."

According to Zeki Turedi, CTO EMEA, CrowdStrike, it's natural for leaders to be complacent when a situation seems business-as-usual. But can a state of constant attack from adversaries, particularly when sheltered by national authorities, really be judged that way? "Moving to a strong state of cybersecurity preparedness is the only way organisations can control their fate," he states. "Best practices and technology constantly evolve, and working towards a Zero Trust policy and technology initiative is part of the strongest defences we have. It's the way businesses can take control of their risk-readiness."

HOT TOPIC, BUT NO SILVER BULLET

Zero Trust is without doubt the hottest topic in cybersecurity right now, and certainly presents an approach for organisations to redress their approach to trust and secure access to apps, networks and data. However, like all models, it's not a silver bullet, cautions Neil Langridge, marketing director, e92plus, and for many organisations it highlights significant challenges to be overcome before it can be deemed a success.

"First, Zero Trust is often effectively used for a grouping of products, rather than a strategy, because it's those cybersecurity products that form the actual defences. This means that the success of the Zero Trust strategy ends where those products end, not where the company needs it [as they are third party the company doesn't control, or legacy software that could have critical vulnerabilities, but are business-essential and can't be simply replaced].

"Secondly, that's compounded by having multiple vendors involved with their own definition of Zero Trust, or consolidated to one single vendor, which is not just hard for a comprehensive, layered cybersecurity strategy but also presents its own risk with a single point of failure," states Langridge. "Finally, there's the cost and implementation - Zero Trust reverses the usual approach of allowing access and then controlling it, so can easily impact productivity as IT learns what's essential and what's not, and sprawl can quickly happen as those lessons are learnt. It could even result in lower security to balance out the need for productivity in the short term."

Nothing is non-negotiable, he adds, and, if the CEO can't connect his corporate laptop to his personal printer at home for something urgent, then red lines can become quickly blurred!

"In terms of practical steps, the ideal approach would be to build from the ground up - but that's invariably not practical, in terms of overhauling strategy, processes and technology. We're seeing most engagement in the enterprise, but, as it filters down to smaller organisations, the focus is often on particular sections of a business, technology areas or newer deployments to start with. This means that Zero Trust is a guiding principle or best practice, but avoids consuming all focus and slowing down the realities of ensuring technology is keeping a business running, balanced against the promises that digital transformation brings."

ACCELERATING MOMENTUM

The pandemic has caused the existing momentum for Zero Trust to accelerate, as the approach aligns with the technological and cultural evolution taking place within organisations, points out Laurence Pitt, security strategist, Juniper Networks.

"With hybrid work fully in swing, the workforce is now distributed across multiple locations, expanding the network perimeter far beyond the traditional confines of an organisation. As employees work from home, the door to network vulnerabilities is being opened by higher numbers of non-managed, mobile, Internet of Things [IoT] and other connected devices.

"Organisations now have an extensible edge, extending to wherever data users are located. Even prior to the pandemic, the growth of technologies like IoT and 5G meant data was increasingly being generated, processed and consumed at the edge of the network. Applications, workloads and data are anywhere and everywhere, spanning multiple clouds and multiple locations, rather than being confined to the corporate data centre."

Therefore, to truly secure the data centre, organisations must consistently and reliably secure applications everywhere and anywhere. However, as the surface vulnerable to attack continues to expand, gaps in visibility and protection are widening, and companies are often forced to bolt on multiple, disconnected tools to see and secure everything, advises Pitt.

"As organisations realise that inherently trusting internal users, networks and systems is no longer a viable option, Zero Trust is gaining traction. Its guiding principle is the belief that user and device identity must be authenticated every time to access a network and anything on it, such as business applications, servers or other devices.

"By using controls to create micro perimeters around critical data, applications and services, IT teams can ensure that only known, allowed traffic and applications have access to assets. With a Zero Trust architecture, IT professionals can set controls close to the protected assets, preventing unauthorised access and potential exfiltration of sensitive, valuable data," he says.

An extensible edge requires new architectures that enable users to connect directly to data wherever they are. In this case, the secure access service edge (SASE) is increasingly proposed, in conjunction with Zero Trust, to safeguard users, their applications and their infrastructure. SASE intends to move security from the enterprise data centre and closer to users and devices.

"It must be noted, however, that SASE isn't a product - despite what some vendors might say," points out Pitt. "They may say that organisations can deploy SASE, regardless of what else they have on their network; but SASE is much more than that. The SASE umbrella can include a collection of components, such as software-defined WAN, centralised security management, zero-trust network access, advanced threat protection and next-generation firewall services."

METEORIC RISE IN ATTACKS

The 2022 SonicWall Cyber Threat Report clearly exposes why organisations should always follow a Zero Trust approach to cybersecurity, maintains David Trossell, CEO and CTO of Bridgeworks. Over the course of the last 12 months, the company's threat researchers have noticed what they describe as a "meteoric rise in cyberattacks…across all threat vectors", with significant increases in ransomware [623 million ransomware attacks in 2021, up 105% YoY], cryptojacking, encrypted threats, Internet of Things (IoT) malware and Zero-day attacks. Other kinds of cyber-attacks have also been noted - as has a significant increase in activity following the start of the war in Ukraine.

www.computingsecurity.co.uk @CSMagAndAwards May/June 2022 computing security

special focus

Ashley Stephenson, Corero: any company that hasn't made itself aware of Zero Trust is essentially being negligent.

Brian Foster, ReliaQuest: Zero Trust stops security complacency, as it takes many of the key security questions out of human hands.

"These cyber-risks, threats and trends mean that small businesses, government agencies, enterprises and other organisations cannot be complacent," Trossell comments. "Protecting themselves to remain able to operate without downtime is crucial. It's also about protecting their supply chains, their partnerships, their reputations and their customer relationships. All of them should therefore consider cyber-security as being non-negotiable - or face the reckoning of customers, partners and regulators worldwide."

Cybersecurity isn't just about having firewalls, anti-virus software and other measures in place. Organisations, particularly those with large data centres, need to make sure data centres aren't located in the same circles of disruption by setting them far apart. "They ideally need to back up their data in three locations, having a service continuity plan that involves deploying WAN Acceleration solutions to mitigate the effects of latency and packet loss to allow accelerated backups and restores," adds Trossell. This approach can enable the organisation to keep running, even in the face of any type of cyber-attack.

"Furthermore, it's important to create airgaps to protect an organisation's most sensitive data - including personal data - which falls under the EU General Data Protection Regulation (GDPR) and under the UK version of it. By preventing data breaches, organisations can ensure regulatory compliance and forestall any need to pay huge fines: UK GDPR and the Data Protection Act 2018 set a maximum fine of £17.5 million or 4% of annual global turnover. So, by taking a Zero Trust approach, data protection compliance can be achieved, data secured and penalties like this avoided."

The challenge, he says, is that data volumes are increasing exponentially - and this can become a major issue, whether an organisation is backing up its data, restoring it after a ransomware attack or doing it for indexing purposes to comply with regulations, such as GDPR. Doing all this over Wide Area Networks (WANs) can be both slow and expensive. Slow, because WANs are often impacted by latency and packet loss; issues that WAN Optimisation can't adequately mitigate. "It also can't handle encrypted data, making data security a concern. SD-WANs are a good option, but they also need a boost and this can be achieved with a WAN Acceleration overlay - making it harder for hackers to divert data traffic, while providing a supporting platform for a Zero Trust approach to effective cybersecurity."

WIDENING THE ATTACK VISTA

As Dave Waterson, CEO, SentryBay, confirms, hybrid working has pushed up the number of companies that have adopted bring-your-own-device (BYOD) models. While this has the advantage of helping them to control, even reduce, capital expenditure on hardware, it also has the potential to leave organisations even more wide open to cybersecurity attacks.

"The problem lies in the lack of control over employees' home PCs, laptops or mobile phones, many of which may not be adequately protected by up-to-date and appropriate security. The pandemic saw a rapid increase in malicious cyber activity, with attacks including keylogging, screen scraping, infiltration of browsers, file interception and RDP double-hop events, and the effect can be devastating to companies.

"One way of combatting the risk is by adopting Zero Trust," he states. "This means that anybody and any device that wants to connect with an organisation's network, whether it's on-premise, in the cloud or across a hybrid IT set-up, must first be verified before it - or they - can be allowed access to data, applications or platforms," he adds.

He also reiterates how Zero Trust is not a technology, but an approach, and requires a serious commitment to implement successfully. "Building Zero Trust into an organisation's IT and security strategy must be done in manageable stages and the first step for security teams is to elevate the company's security posture. A layered defence helps to ensure that attacks can be foiled by a second measure, even if they get past a first, so it's best to use a set of solutions that provide a common security baseline. Even better, if they are fit for purpose, wrap data and applications in a secure container, and do this without regard for the status or type of device that the employee is using."

KEY SHIFT IN FOCUS

Paul German, CEO, Certes Networks, hails a new set of standards relating to Zero Trust. "Until recently, the debate around Zero Trust has remained, in my view, focused solely on authenticating the user within the system, rather than taking a more holistic approach and looking at user authentication and access to sensitive data using protected micro-segments. This concept has changed with NIST's [US National Institute of Standards and Technology] Special Publication [SP 800-207]; no longer is the network the focus of Zero Trust, finally it is the data that traverses the network."

At its core, NIST's Special Publication decouples data security from the network, he continues. "Its key tenets of policy definition and dynamic policy enforcement, micro-segmentation and observability offer a new standard of Zero Trust Architecture (ZTA), for which today's enterprise is responsible. Under NIST's Zero Trust standards, access to individual enterprise resources is granted on a per-session basis, based on a combination of component relationships, such as the observable state of client identity, application/service and the requesting asset - and may include other behavioural and environmental attributes - with operational policy enforcement."

Authentication and authorisation to one resource does not grant access to another resource, he points out.

"It is also dynamic, requiring a constant cycle of obtaining access, scanning and assessing threats, adapting and continually re-evaluating trust in ongoing communication," states German. "Moreover, cybersecurity best practice demands that, by creating fine-grain policies, authentication and authorisation are done on a 'per-packet' basis, only allowing access to the resources required."
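The per-session, per-resource decision German describes can be made concrete. The following is an added example, not code from the article, Certes Networks or NIST SP 800-207: a small policy decision point in Go whose attributes (MFA age, device management and sensor state, a location-risk score) and thresholds are assumptions chosen for the illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Added example (not from the article, Certes or NIST): a minimal policy
// decision point that grants access per session and per resource from the
// observable state of the user, the requesting asset and the environment,
// and re-evaluates that state on every request. Attribute names and
// thresholds are assumptions chosen for the illustration.

type Subject struct {
	User  string
	MFAAt time.Time       // when the user last completed MFA
	Roles map[string]bool // roles asserted by the identity provider
}

type Asset struct {
	ID           string
	Managed      bool // enrolled in device management
	PatchLevelOK bool // reported by the endpoint agent
	EDRHealthy   bool // endpoint sensor running and current
}

type Resource struct {
	Name         string
	Sensitivity  int    // 1 = general, 2 = internal, 3 = restricted
	RequiredRole string // role a subject must hold
}

type Env struct {
	Now     time.Time
	GeoRisk int // 0 low .. 2 high, from an assumed location-risk feed
}

type Decision struct {
	Allow  bool
	Reason string
}

// MFAMaxAge is the assumed window after which a session must re-authenticate.
const MFAMaxAge = 12 * time.Hour

// Evaluate decides one request for one resource. It holds no state between
// calls, so a grant for one resource never carries over to another, and a
// change in device posture or environment changes the next decision.
func Evaluate(s Subject, a Asset, r Resource, e Env) Decision {
	switch {
	case !s.Roles[r.RequiredRole]:
		return Decision{false, "subject lacks role " + r.RequiredRole}
	case e.Now.Sub(s.MFAAt) > MFAMaxAge:
		return Decision{false, "MFA older than policy allows; re-authenticate"}
	case r.Sensitivity >= 2 && !a.Managed:
		return Decision{false, "unmanaged device may not reach internal or restricted data"}
	case r.Sensitivity >= 3 && (!a.PatchLevelOK || !a.EDRHealthy):
		return Decision{false, "device posture below the bar for restricted data"}
	case r.Sensitivity >= 3 && e.GeoRisk >= 2:
		return Decision{false, "high-risk location; restricted data denied"}
	}
	return Decision{true, "policy satisfied for " + r.Name}
}

func main() {
	now := time.Date(2022, 5, 1, 9, 0, 0, 0, time.UTC)
	alice := Subject{"alice", now.Add(-time.Hour), map[string]bool{"staff": true, "finance": true}}
	laptop := Asset{"lt-0042", true, true, true}
	phone := Asset{"byod-phone", false, true, false}
	wiki := Resource{"wiki", 1, "staff"}
	payroll := Resource{"payroll-db", 3, "finance"}
	env := Env{now, 0}

	// Same user, two assets, two resources: each request is judged on its own.
	for _, req := range []struct {
		a Asset
		r Resource
	}{{laptop, payroll}, {phone, payroll}, {phone, wiki}} {
		d := Evaluate(alice, req.a, req.r, env)
		fmt.Printf("%-10s -> %-10s allow=%-5v %s\n", req.a.ID, req.r.Name, d.Allow, d.Reason)
	}
	// Posture changes mid-session: the next evaluation sees it.
	laptop.EDRHealthy = false
	fmt.Println("after EDR failure:", Evaluate(alice, laptop, payroll, env))
}
```

Because Evaluate keeps no state, a grant for the wiki says nothing about payroll-db, and the EDR failure mid-session is caught on the very next request; a real deployment would feed the same function from an identity provider, a device-management inventory and a risk feed rather than from literals.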

ZERO-DAY VULNERABILITIES EXPLOITED

By the end of 2021, Mandiant Threat Intelligence had identified 80 zero-days exploited in the wild, more than double the previous record volume in 2019. State-sponsored groups continue to be the primary actors exploiting zero-day vulnerabilities, led by Chinese groups, says the company's James Sadowski. "The proportion of financially motivated actors - particularly ransomware groups - deploying zero-day exploits also grew significantly, and nearly 1 in 3 identified actors exploiting zero-days in 2021 was financially motivated. We suggest that a number of factors contribute to growth in the quantity of zero-days exploited. For example, the continued move toward cloud hosting, mobile and Internet-of-Things (IoT) technologies increases the volume and complexity of systems and devices connected to the internet - put simply, more software leads to more software flaws."

The expansion of the exploit broker marketplace also likely contributes to this growth, adds Sadowski, with more resources being shifted toward research and development of zero-days, both by private companies and researchers, as well as threat groups. "Finally, enhanced defences also likely allow defenders to detect more zero-day exploitation now than in previous years and more organisations have tightened security protocols to reduce compromises through other vectors."

Dave Roche, DigiCert: business leaders can get distracted with trends and forget about fundamentals such as digital trust.

John Graham-Cumming, Cloudflare: every business needs to protect users and teams, no matter where they are or how they're working.

Significant campaigns based on zero-day exploitation are increasingly accessible to a wider variety of state-sponsored and financially motivated actors, including as a result of the proliferation of vendors selling exploits and sophisticated ransomware operations potentially developing custom exploits. "The marked increase in exploitation of zero-day vulnerabilities, particularly in 2021, expands the risk portfolio for organisations in nearly every industry sector and geography," Sadowski adds. "While exploitation peaked in 2021, there are indications that the pace of exploitation of new zero-days slowed in the latter half of the year; however, zero-day exploitation is still occurring at an elevated rate, compared to previous years."

PROFOUND PROBLEM

Business complacency has become a profound problem for security, says Brian Foster, chief product officer, ReliaQuest. "It's that kind of attitude which prevents an organisation from spotting the gaps which attackers exploit. Zero Trust stops this security complacency, because it takes many of these key security questions out of human hands."

Traditional security architectures have a binary vision of trust. "Those outside of the network perimeter are considered untrustworthy and those on the inside are trusted. However, once that wall is passed, security controls often stop and the supposedly trustworthy entity is given free rein of the corporate network. That's why cybercriminals have focused on, and have become so good at, getting past perimeter defences."

Zero Trust architecture embeds security controls throughout the network and continuously ensures that entities on that network can be trusted. "While there is no single product that enables Zero Trust, there are a number of architectural elements that make Zero Trust possible," adds Foster.

Asset Discovery: "Zero Trust architectures must first have a command over all the assets that sit within an enterprise's environment and be able to map network transaction flows."

Data Classification and Access Management: "Zero Trust portions out access according to the potential risk of that interaction. More sensitive assets - such as classified or personally identifiable information - will need higher levels of protection and more restricted access."

Continuous Monitoring and Automation: "Zero Trust architectures are constantly verifying the security of the entities within the network," Foster points out. "It ensures this hygiene by using multiple factors of identification and continuous monitoring to ensure that trust is maintained and that those entities are not behaving suspiciously."
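Foster's first two elements, command over the assets and their transaction flows and classification-driven scrutiny, are easiest to see against data. The block below is an added example and not ReliaQuest's or the article's code: it parses constructed flow summaries, adds any endpoint the inventory has never seen, counts the src -> dst:port edges, and flags flows that reach restricted assets from anything other than internal zones. The record format, addresses and asset classes are invented for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Added example, not from the article or ReliaQuest: map transaction flows from
// summarised flow records, learn endpoints the inventory does not know, and flag
// flows to restricted assets from anything but trusted internal zones. Record
// format, addresses and asset classes are constructed for the illustration.

type Flow struct {
	Src, Dst, Proto string
	DstPort, Bytes  int
}

type Asset struct {
	Name  string
	Class string // "restricted", "internal", "public"; "unknown" once discovered from traffic
}

// ParseFlow reads one "key=value ..." record.
func ParseFlow(line string) (Flow, error) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if i := strings.IndexByte(f, '='); i > 0 {
			kv[f[:i]] = f[i+1:]
		}
	}
	port, err := strconv.Atoi(kv["dport"])
	if kv["src"] == "" || kv["dst"] == "" || err != nil {
		return Flow{}, fmt.Errorf("malformed flow record: %q", line)
	}
	bytes, _ := strconv.Atoi(kv["bytes"]) // a missing byte count is treated as 0
	return Flow{kv["src"], kv["dst"], kv["proto"], port, bytes}, nil
}

// MapFlows adds every endpoint the inventory has never seen (class "unknown"),
// counts each distinct src -> dst:port/proto edge and returns findings to review.
func MapFlows(flows []Flow, inventory map[string]Asset) (edges map[string]int, discovered, findings []string) {
	edges = map[string]int{}
	for _, fl := range flows {
		for _, ip := range []string{fl.Src, fl.Dst} {
			if _, known := inventory[ip]; !known {
				inventory[ip] = Asset{"unknown-" + ip, "unknown"}
				discovered = append(discovered, ip)
			}
		}
		edge := fmt.Sprintf("%s -> %s:%d/%s", fl.Src, fl.Dst, fl.DstPort, fl.Proto)
		edges[edge]++
		src, dst := inventory[fl.Src], inventory[fl.Dst]
		switch {
		case dst.Class == "restricted" && src.Class != "internal" && src.Class != "restricted":
			findings = append(findings, edge+": restricted asset reached from "+src.Class+" source")
		case src.Class == "unknown" || dst.Class == "unknown":
			findings = append(findings, edge+": involves an asset missing from the inventory")
		}
	}
	sort.Strings(discovered)
	return edges, discovered, findings
}

// SampleInventory and SampleRecords are constructed data for the demonstration.
func SampleInventory() map[string]Asset {
	return map[string]Asset{
		"10.1.4.22": {"ws-finance-07", "internal"},
		"10.1.9.5":  {"payroll-db", "restricted"},
		"10.2.0.8":  {"www-edge", "public"},
	}
}

func SampleRecords() []string {
	return []string{
		"ts=2022-05-10T09:12:01Z src=10.1.4.22 dst=10.1.9.5 dport=5432 proto=tcp bytes=8192",
		"ts=2022-05-10T09:12:07Z src=10.1.4.22 dst=10.1.9.5 dport=5432 proto=tcp bytes=4096",
		"ts=2022-05-10T09:13:40Z src=10.7.0.13 dst=10.1.9.5 dport=5432 proto=tcp bytes=512",
		"ts=2022-05-10T09:14:02Z src=10.2.0.8 dst=10.1.9.5 dport=5432 proto=tcp bytes=2048",
		"ts=2022-05-10T09:15:11Z src=10.1.4.22 dst=10.5.5.5 dport=443 proto=tcp bytes=70000",
		"ts=2022-05-10T09:16:30Z src=10.1.4.22 dst=10.2.0.8 dport=443 proto=tcp bytes=1500",
	}
}

// Analyse parses the sample records and maps them against the sample inventory.
func Analyse() (edges map[string]int, discovered, findings []string) {
	var flows []Flow
	for _, line := range SampleRecords() {
		if fl, err := ParseFlow(line); err == nil {
			flows = append(flows, fl)
		}
	}
	return MapFlows(flows, SampleInventory())
}

func main() {
	edges, discovered, findings := Analyse()
	fmt.Println("assets discovered from traffic:", discovered)
	for e, n := range edges {
		fmt.Printf("%-40s x%d\n", e, n)
	}
	for _, f := range findings {
		fmt.Println("REVIEW", f)
	}
}
```

On the sample data the run discovers two endpoints the inventory never listed (10.5.5.5 and 10.7.0.13) and produces three findings: the unknown host and the public web tier both reaching the restricted payroll database, and a workstation talking to an unknown destination. The point is not the rule set but the loop: without the inventory and the flow map, none of these comparisons can be made at all.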

ZERO TRUST IN ACTION

"To put it plainly, any company that hasn't made itself aware of Zero Trust is essentially being negligent," says Ashley Stephenson, CTO, Corero Network Security, who points out that Zero Trust is often spoken about as if it were a single end-to-end solution. "But that's a misapprehension. The Zero Trust model is a series of design principles which adapt network architectures to both modern threats and modern computing. There are multiple parts to a Zero Trust Architecture and many companies are busily adopting those individual principles, if not the whole package."

When it comes to trusting people, Multi-Factor Authentication (MFA or 2FA) is already a widespread security practice, he adds. "The same goes for biometrics, single sign-on (SSO), and identity and access management (IAM), which increasingly can be found throughout the most popular consumer apps and devices."

When it comes to applications, organisations are beginning to use micro-segmentation, restricting which applications can talk to each other and watching the communications that go on between them.

"For networking, organisations are taking fundamental steps to reorganise how they interact with the open internet. When an IP address shows up at a network port from the internet, that IP address is often considered trustworthy. In most cases, anybody can come to a website without any prior validation or trust assessment at all. That's a big problem when it comes to DDoS attacks, in which a flood of malicious traffic attempts to overpower a targeted website or service.

"As a result, Zero Trust principles are also being used to head off these threats. They're validating the origins of web traffic to make sure it doesn't come from a suspicious or spoofed IP address; they're also using proxies which could obscure or shield the true IP address, making them harder to target, and they're using Captchas to make sure that the entity accessing their website is indeed a human being. Most importantly, they are also inspecting inbound traffic in real time and trying to build rules that can be used to remove untrustworthy or malicious traffic."

Zero Trust may soon become non-negotiable, says Stephenson. "The price of entry into the digital market will be some form or elements of Zero Trust embedded within a security architecture."
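Two of the inbound-traffic measures Stephenson lists, origin validation and real-time inspection that yields rules, in working form. This is an added example, not Corero's or the article's code: it checks each source against an illustrative bogon list and against a sliding-window request budget, and collects the sources it rejects into a block list an operator can review. The limit, window and addresses are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Added example, not from the article or Corero. Rule 1 rejects sources that
// cannot legitimately appear on the public internet (illustrative bogon list;
// a deployment would take one from a maintained feed). Rule 2 rejects a source
// once it exceeds an assumed request budget inside a sliding window. Rejected
// sources go on a block list for review. All addresses are constructed.

type Request struct {
	Src string
	At  time.Time
}

var bogonCIDRs = []string{"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"}

// IsBogon is true for sources that should never arrive at an internet edge.
func IsBogon(src string) bool {
	ip := net.ParseIP(src)
	if ip == nil {
		return true // an unparseable source is not trusted either
	}
	for _, c := range bogonCIDRs {
		if _, n, _ := net.ParseCIDR(c); n.Contains(ip) {
			return true
		}
	}
	return false
}

// Inspector keeps, per source, the times of requests accepted within the window.
type Inspector struct {
	Limit  int
	Window time.Duration
	seen   map[string][]time.Time
	Blocks map[string]string // source -> reason; the block list for review
}

func NewInspector(limit int, window time.Duration) *Inspector {
	return &Inspector{Limit: limit, Window: window,
		seen: map[string][]time.Time{}, Blocks: map[string]string{}}
}

// Inspect judges one request; feed requests in time order.
func (in *Inspector) Inspect(r Request) (allow bool, reason string) {
	if IsBogon(r.Src) {
		in.Blocks[r.Src] = "bogon or invalid source on internet edge"
		return false, in.Blocks[r.Src]
	}
	keep := in.seen[r.Src][:0] // drop accepted times that fell out of the window
	for _, t := range in.seen[r.Src] {
		if r.At.Sub(t) < in.Window {
			keep = append(keep, t)
		}
	}
	if len(keep) >= in.Limit {
		in.seen[r.Src] = keep
		in.Blocks[r.Src] = fmt.Sprintf("budget of %d requests per %s exceeded", in.Limit, in.Window)
		return false, in.Blocks[r.Src]
	}
	in.seen[r.Src] = append(keep, r.At)
	return true, "ok"
}

// SampleRequests is a constructed stream: one spoofed private source, one
// ordinary visitor, and one source firing 20 requests in 200 ms.
func SampleRequests() []Request {
	t0 := time.Date(2022, 5, 1, 12, 0, 0, 0, time.UTC)
	reqs := []Request{{"10.0.0.5", t0}, {"198.51.100.9", t0.Add(50 * time.Millisecond)}}
	for i := 0; i < 20; i++ {
		reqs = append(reqs, Request{"203.0.113.7", t0.Add(time.Duration(100+10*i) * time.Millisecond)})
	}
	return append(reqs, Request{"198.51.100.9", t0.Add(2 * time.Second)})
}

// Run feeds a stream through the inspector and returns the allow/drop counts.
func Run(reqs []Request, in *Inspector) (allowed, dropped int) {
	for _, r := range reqs {
		if ok, _ := in.Inspect(r); ok {
			allowed++
		} else {
			dropped++
		}
	}
	return allowed, dropped
}

func main() {
	in := NewInspector(10, time.Second)
	allowed, dropped := Run(SampleRequests(), in)
	fmt.Printf("allowed=%d dropped=%d\n", allowed, dropped)
	for src, why := range in.Blocks {
		fmt.Printf("block %-15s %s\n", src, why)
	}
}
```

With a budget of 10 per second the sample stream yields 12 allowed and 11 dropped requests and a two-entry block list. The inspector itself recovers once a source's window empties; the block list is the durable output, the thing an operator would review and push to an upstream filter or rate-limiter.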

DON'T FIXATE!

When it comes to security, business leaders can get distracted with trends and forget about fundamentals such as digital trust, comments Dave Roche, senior product manager, DigiCert. "But it's those basic foundational elements that actually defend against attacks. While leaders get fixated on things like cloud native or blockchain, those foundational elements fall by the wayside.

"In the meantime, stretched engineers and Infosec personnel are busy putting out fires when they should be stopping them from breaking out in the first place. In the last year, we've seen log4j, Zero Day Vulnerabilities for Spring Core Java and the Okta hack, among a long list of other widespread security problems."

So, while business leaders are distracted with fashion trends and Infosec personnel are firefighting, fundamental security questions get left by the wayside, he points out. "Code Signing is a good example of this. It's a practice that secures code and engenders digital trust as it passes from link to link along the supply chain. It's a foundational part of creating connected trust throughout digital ecosystems. But many merely sign their software and stop there. They don't realise that it's not good enough just to sign the code; they also have to secure the process of signing itself."

To adequately secure the process, states Roche, signing keys have to be protected and access to them has to be restricted and logged, so that the process can be audited at any time.

"Furthermore, generation of those keys must also be a controlled and secure process, so that your infosec standards flow down to your engineers. Code repositories must be secured, too, so you can make sure the code is malware and vulnerability free. Then, code signing processes must be systematised and code signing should be automated, using CI/CD tools to minimise human error."
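What "securing the process of signing itself" looks like in code, as an added example that is not DigiCert's or the article's: the private key is generated inside a signing service and never leaves it, only an allow-listed caller (here a stand-in for a CI/CD pipeline identity) may request a signature, and every request is written to an audit log whether it was granted or refused. Ed25519 is used because it is in Go's standard library; a production service would keep the key in an HSM or KMS. Caller names and the artifact are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Added example, not from the article or DigiCert: a signing service that
// holds the private key, signs only for allow-listed requesters and records
// an audit entry for every request. Stand-in for an HSM/KMS-backed service;
// requester names and the artifact are constructed.

type AuditEntry struct {
	At        time.Time
	Requester string
	Artifact  string // hex SHA-256 of the artifact presented
	Outcome   string
}

type SigningService struct {
	priv    ed25519.PrivateKey
	Public  ed25519.PublicKey
	allowed map[string]bool
	audit   []AuditEntry
}

// NewSigningService generates the key pair inside the service; nothing outside
// it ever holds the private half.
func NewSigningService(allowedRequesters []string) (*SigningService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s := &SigningService{priv: priv, Public: pub, allowed: map[string]bool{}}
	for _, r := range allowedRequesters {
		s.allowed[r] = true
	}
	return s, nil
}

func digest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// Sign refuses unknown requesters and records every attempt, refused or not.
func (s *SigningService) Sign(requester string, artifact []byte) ([]byte, error) {
	entry := AuditEntry{At: time.Now(), Requester: requester, Artifact: digest(artifact)}
	if !s.allowed[requester] {
		entry.Outcome = "refused: requester not authorised"
		s.audit = append(s.audit, entry)
		return nil, fmt.Errorf("%s is not authorised to sign", requester)
	}
	sig := ed25519.Sign(s.priv, artifact)
	entry.Outcome = "signed"
	s.audit = append(s.audit, entry)
	return sig, nil
}

// Audit returns a copy of the log so callers cannot rewrite history.
func (s *SigningService) Audit() []AuditEntry {
	return append([]AuditEntry(nil), s.audit...)
}

// Verify is what a consumer of the artifact runs; it needs only the public key.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(pub, artifact, sig)
}

func main() {
	svc, err := NewSigningService([]string{"ci-release-pipeline"})
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed release bundle v1.2.3")
	sig, err := svc.Sign("ci-release-pipeline", artifact)
	fmt.Println("pipeline signed:", err == nil, "verifies:", Verify(svc.Public, artifact, sig))
	_, err = svc.Sign("dev-laptop-bob", artifact) // ad-hoc request outside the pipeline
	fmt.Println("ad-hoc request:", err)
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0x01
	fmt.Println("tampered verifies:", Verify(svc.Public, tampered, sig))
	for _, e := range svc.Audit() {
		fmt.Printf("%s %-20s %s... %s\n", e.At.UTC().Format(time.RFC3339), e.Requester, e.Artifact[:12], e.Outcome)
	}
}
```

The audit log is the part most teams skip: it ties each signature to a requester and an artifact digest, so a signature found on something unexpected can be traced to the request that produced it, or shown never to have been issued by the service at all.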

LOGICAL STEP

With Zero Trust at its heart being a collection of IT security design principles attempting to reduce or eliminate the chances of the wrong entity getting hold of vital information or resources possessed by your organisation, Felix Rosbach, VP of product management at comforte AG, contributing to this Zero Trust feature, sees this as "a logical step in a world where breaches are inevitable, due to the complexity of our modern IT landscape".

When thinking of Zero Trust, most security practitioners think of network segmentation first. "But is network segmentation the real goal of a Zero Trust architecture?" he asks. "According to NIST, Zero Trust at its core removes any implicit trust or privilege, which might be granted to users or devices based on where those people/things are physically or on the network (NIST Special Publication 800-207). Keep in mind that what you're guarding is actually information [data] and services [resources], not parts of an environment.

"Data isn't a supporting part of the IT infrastructure the way networks and devices and applications are. Data is on top, king of the hill, the crowning glory of your IT infrastructure and your entire organisation. We call it information technology for a reason. Remember, the ultimate objective is to protect the data itself by rendering it useless in the wrong hands."

Another key point to recall, continues Rosbach, is that one of the basic premises of Zero Trust is to assume a breach has already occurred, meaning that perimeter defences have already failed and that a bad actor is actively working within your IT environment. "When we protect the data itself, we assume that it will fall into the wrong hands eventually," he adds, "but the outcome will not be severe, because sensitive knowledge is in some way made incomprehensible."
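Rosbach's closing point, data that stays incomprehensible if it leaks, in one concrete form. This is an added example, not comforte's or the article's code, and the technique (AES-GCM encryption of the classified fields, with the field name bound in as associated data) is one assumed way to do it; tokenisation would be another. The field names and the record are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// Added example, not from the article or comforte: fields classified as
// sensitive are encrypted with AES-GCM before the record is written, the field
// name is bound in as associated data, and the key lives outside the data
// store. A dump of the store therefore yields only ciphertext. Field names and
// the record are constructed; tokenisation would be an alternative technique.

type Record map[string]string

// SensitiveFields is the assumed classification of what must never be stored in clear.
var SensitiveFields = []string{"national_id", "salary"}

type Protector struct{ aead cipher.AEAD }

func NewProtector(key []byte) (*Protector, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Protector{aead}, nil
}

// Protect copies the record, replacing sensitive values with
// "enc:" + base64(nonce || ciphertext); other fields stay readable.
func (p *Protector) Protect(r Record) (Record, error) {
	out := Record{}
	for k, v := range r {
		out[k] = v
	}
	for _, f := range SensitiveFields {
		v, ok := r[f]
		if !ok {
			continue
		}
		nonce := make([]byte, p.aead.NonceSize())
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
			return nil, err
		}
		ct := p.aead.Seal(nonce, nonce, []byte(v), []byte(f))
		out[f] = "enc:" + base64.StdEncoding.EncodeToString(ct)
	}
	return out, nil
}

// Reveal is the inverse, for the few code paths authorised to see clear values.
// A ciphertext moved into another field, or opened with another key, fails.
func (p *Protector) Reveal(r Record) (Record, error) {
	out := Record{}
	for k, v := range r {
		if !strings.HasPrefix(v, "enc:") {
			out[k] = v
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(v, "enc:"))
		n := p.aead.NonceSize()
		if err != nil || len(raw) < n {
			return nil, fmt.Errorf("field %s: malformed ciphertext", k)
		}
		pt, err := p.aead.Open(nil, raw[:n], raw[n:], []byte(k))
		if err != nil {
			return nil, fmt.Errorf("field %s: %w", k, err)
		}
		out[k] = string(pt)
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // in practice fetched from a KMS, never stored beside the data
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	p, _ := NewProtector(key)
	rec := Record{"name": "A. Example", "national_id": "QQ123456C", "salary": "52000"}
	stored, _ := p.Protect(rec)
	fmt.Println("stored:", stored)
	back, _ := p.Reveal(stored)
	fmt.Println("revealed:", back)
}
```

This is the assume-breach posture applied to the data itself: an attacker who reaches the store gets the name and two opaque strings, and even an insider with read access to the store but not the key gets no more. Binding the field name as associated data closes the smaller hole of a ciphertext being copied from one field into another.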

Laurence Pitt, Juniper Networks: Zero Trust's guiding principle is the belief that user and device identity must be authenticated every time to access a network and anything on it.

Neil Langridge, e92plus: for many organisations, the Zero Trust model highlights significant challenges that have to be overcome before it can be deemed a success.


product review

ENDACE ENDACEPROBE 9200 G4

Packet capture is an essential tool for SecOps and NetOps teams, but full visibility into network activity demands a solution that records with zero packet loss. For teams to respond quickly to cyberattacks and resolve network or application performance issues, the solution must be able to capture, store, index and analyse a completely accurate historical record of all activity.

Endace specialises in high-speed packet capture. Its EndaceProbe Analytics Platform appliances offer a range of features you won't find elsewhere. Endace's flagship model, the EndaceProbe 9200 G4, is the world's first appliance to deliver petabyte storage capacity and record at a sustained 40Gbps with nanosecond-accurate timestamping.

This 4U rack-mount appliance achieves this storage density by combining a very high raw storage capacity with Endace's integral hardware compression and patented Smart Truncation technology. Compared with previous EndaceProbe models, the 9200 G4 offers a four-fold increase in storage capacity and can record weeks or months of network traffic data, enabling customers to go much further back in time when investigating security threats.

Aimed at data centre deployments, the 9200 G4 offers a choice of eight 1/10GbE or dual 40GbE recording interfaces. It scales easily with demand, as multiple appliances can be stacked to increase storage capacity and capture rates. A stack of five 9200 G4 appliances, for example, can deliver a sustained 200Gbits/sec recording speed with bursts up to 400Gbits/sec. The stack provides up to 5PB of storage, allowing it to record up to five days of traffic at an average rate of 100Gbits/sec.

EndaceFabric takes scalability to the next level, as single EndaceProbes and stacks located in globally distributed networks can be centrally managed by EndaceCMS, which provides a single pane of glass for all administrative functions, including health monitoring, configuration and upgrades. Likewise, searches, data mining and investigations are fully centralised with Endace's InvestigationManager application.

Using InvestigationManager's integrated EndaceVision - a browser-based analysis tool - analysts can choose data sources from multiple EndaceProbes, view them simultaneously and use data visualisation tools to zero in on areas of interest such as flows, top talkers, protocols and users. Its parallel, distributed architecture delivers rapid search that enables multiple users to conduct searches simultaneously across many appliances and petabytes of data, with results delivered in seconds.

An outstanding feature of EndaceProbe appliances is that they enable third-party applications to be hosted on the appliance, where they can access and analyse real-time or recorded packet data. This is a major differentiator with competing full-stack solutions, as it lets customers host best-of-breed analytics solutions from multiple vendors.

Endace partners with an impressive range of vendors. Its appliances can integrate with and host tools such as Cisco StealthWatch and Firepower, Palo Alto Networks NG Firewalls, Plixer Scrutinizer and many more. Even better, Endace's APIs enable integration directly into the user interfaces of these products, so analysts can analyse packet data directly from the tools they already use.

For example, when Splunk shows alerts or events, analysts can click on that alert in Splunk to access related packets, so there's no need to change their existing workflows. Analysts can create, share and customise investigations accessing data from multiple EndaceProbes, view conversations, extract files from suspicious communications, generate rich logs for insight into network activity, and decode packets directly in hosted Wireshark without needing to download pcap files.

The EndaceProbe Analytics Platform gives SecOps and NetOps teams the visibility and agility they need to see everything that's happening on their networks and respond quickly to cyberattacks. EndaceProbes deliver industry-leading performance and storage capacity, and their 100% accurate packet recording fills the knowledge gaps other solutions leave behind.

Product: EndaceProbe 9200 G4
Supplier: Endace
Web site: www.endace.com
Sales: +44 (0)800 088 5008


ADISA ICT Asset Recovery Standard 8.0 is formally approved by the UK ICO (Approval ICO – CSC/003 and ICO – CSC/004)

Use an ADISA Certified company to be assured of UK GDPR compliance when disposing of your IT assets.

Visit adisa.global to find out more

Want to know how to retire assets so you can promote reuse AND meet data protection legislation?

ADISA offers a range of training courses all presented by leaders in the field, including a brand-new course which helps data controllers write an asset retirement program to achieve the objective of meeting sustainability and security targets.

Visit adisa.global/training to find out more


supply chain<br />

CHAINS OF FREEDOM<br />

SUPPLY CHAINS ARE PRONE TO WILD SWINGS AND UNCERTAINTIES. HOW CAN THEY BE STABILISED<br />

AND LESS EXPOSED, IN ORDER TO CREATE A COOPERATIVE SUPPLY-CHAIN PLATFORM?<br />

The third-party supply chain ecosystem of<br />

a modern business is much more farreaching<br />

and porous than ever before,"<br />

cautions Ewen O'Brien, SVP of Third-Party<br />

Cyber Risk Management at BlueVoyant. "This<br />

presents a cybersecurity threat that both<br />

government and industry should take very<br />

seriously. It is increasingly hard to have full<br />

visibility; only in recent years have businesses<br />

realised the scale of the threat that weakened<br />

cybersecurity amongst third parties can pose<br />

to their organisations, even if they have done<br />

a very good job in protecting their own<br />

networks."<br />

With supply chains growing at an exponential rate, risk visibility and risk mitigation should be a priority, he adds. "Security teams need an inherent understanding of an attacker's mindset and the vulnerabilities that they are looking to exploit. These weaknesses are unlikely to be present in the 'prime' organisation, which is usually the best-defended entity, but in those third-party providers that have left ports open, that haven't patched or have general poor cybersecurity practices. Whilst many attackers are described as 'sophisticated', many breaches are achieved using old methods. Therefore, organisations and their supply chain have to start getting the basics right."

Recent cyber incidents and the COVID-19 pandemic have highlighted the fragility of supply chains, and the resulting business disruption that incidents can cause, states O'Brien. "This has forced organisations to take a hard look at their software development security stance, particularly those within the critical national infrastructure. With open-source development becoming increasingly popular, organisations are particularly focusing on improving testing and standards to ensure that developers know what they're doing when it comes to security.

"The scale of vendor ecosystems often means full visibility into cyber risk is beyond the capabilities of in-house teams. The businesses best able to protect their organisation and meet new government regulations will be those that seek external expertise to triage and manage incidents based on cyber risk tolerance and business context, freeing their in-house teams to focus on true cyber risk management.

"However, recent, high-profile cyber-attacks have reinforced that, if one company in a supply chain doesn't have the security they need, this presents a sizeable risk for both the private and public sector. Most recently, we saw an illustration of this in the LAPSUS$ breach at Okta, which caused a ripple effect across a wide network of customers from a range of industries.

"For this reason, the solution demands a joint effort between governments and industry, in which the value of cybersecurity is enforced through regulatory efforts, incentives, and business competition," he concludes.

MORE COMPLEX SUPPLY CHAINS

Although businesses have always struggled with supply chain disruptions, it has become worse as the chains have grown longer and more complex, making them increasingly vulnerable to geopolitical and economic shocks.

That is the view of Harry Powell, head of Industry Solutions, TigerGraph, who adds: "Although disruptions will always be with us, our ability to adapt would improve greatly, if we had better supply chain visibility."

But how do we achieve this? "The obvious solution would be for all parts of the supply chain to pool their information into a single platform," he suggests. "Surely this would be easily done in the Cloud - and then everyone would have more certainty."

However, there are commercial and technical reasons why this is not feasible, adds Powell. "First, each participant in the supply chain is competing as much with its partners as it is cooperating. Although cooperation is required at the operational level, businesses also seek to maximise revenues and profit at the expense of others, and it is in their best interests to withhold information from customers and suppliers to achieve greater leverage in negotiations."

computing security May/June 2022 @CSMagAndAwards www.computingsecurity.co.uk

The second reason he singles out is that every IT system is different, and it is hard enough to combine information from different business units and geographies within a single business, let alone from separate companies.

"Thirdly, the Cloud presents problems in itself. Who will control the information and how it is used? Can businesses trust that platform owners will only use the data as agreed? By putting the data on a common platform, will all the businesses in that supply chain become vassals of the platform owner? It only takes one link in the chain to have these doubts and the rationale behind a cooperative supply-chain platform falls apart."

Some businesses are taking a different approach to how to deal with the wild swings and uncertainties in supply chains, he adds. "They are using graph databases and graph analytics to analyse supply chain data in real-time, run supply chain scenarios and feed high-value data to machine learning systems. And they are using data they already hold to do it.

"Conventional data systems find it difficult to do 'what-if' analyses on complex systems, but graph data platforms are optimised to do this naturally and quickly, allowing these businesses to model and evaluate supply chains in real time, and act with greater speed and agility than their competitors."

SECURITY HYGIENE

Securing data with third-party vendors in mind will be critical, emphasises Bindu Sundaresan, director, AT&T Cybersecurity. "Today, a robust cybersecurity posture encompasses much more than your employees, your hardware and software, and security tools. Any third-party tools or vendors with access to your environment should be considered a critical component of your security hygiene." As she also points out, attacks via third parties are increasing every year, as reliance on third-party vendors continues to grow. "Organisations must prioritise the assessment of top-tier vendors, evaluating their network access, security procedures and interactions with the business. Unfortunately, there are many operational obstacles that will make this assessment difficult, including a lack of resources, increased organisational costs and insufficient processes. The lack of up-to-date risk visibility on current third-party ecosystems can lead to loss of productivity, monetary damages and damage to brand reputation."

Vendor management is a complex and time-intensive task, to which many organisations do not - and, in many cases, cannot - dedicate the necessary time and resources. "For companies with a small number of vendors, this can be manageable, but most organisations will need additional support to create and implement these programmes effectively.

"By dedicating resources to developing a programme, organisations can begin to understand and mitigate the threats posed by third parties. For those organisations that do not have the resources to establish or maintain this type of programme, there are many options available to help create, implement and manage vendor management programs of any size." For a successful third-party risk management programme, she offers the following '4 Cs' as a guideline:

• Comprehensive - evaluate all aspects of the third party, including systems, processes and personnel
• Configurable - 'one-size-fits-all' evaluations are not accurate; measure what matters
• Collaborative - identifying the risks is only the first step; working to correct deficiencies is the key
• Continuous - organisations evolve, so you need to monitor and adjust to truly understand the risks.

Ewen O'Brien, BlueVoyant: the third-party supply chain ecosystem of a modern business is much more far-reaching and porous than ever before.

CYBER SECURITY PRINCIPLES

The National Institute of Standards and Technology (NIST) points out that cybersecurity in the supply chain cannot be viewed as an IT problem only. "Cyber supply chain risks touch sourcing, vendor management, supply chain continuity and quality, transportation security and many other functions across the enterprise and require a coordinated effort to address," it states, while offering these three cyber supply chain security principles:

1. Develop your defences based on the principle that your systems will be breached. When one starts from the premise that a breach is inevitable, it changes the decision matrix on next steps. The question becomes not just how to prevent a breach, but how to mitigate an attacker's ability to exploit the information they have accessed and how to recover from the breach.

2. Cybersecurity is never just a technology problem, it's a people, processes and knowledge problem. Breaches tend to be less about a technology failure and more about human error. IT security systems won't secure critical information and intellectual property unless employees throughout the supply chain use secure cybersecurity practices.

3. Security is Security. There should be no gap between physical and cybersecurity. Sometimes the bad guys exploit lapses in physical security in order to launch a cyberattack. By the same token, an attacker looking for ways into a physical location might exploit cyber vulnerabilities to get access.

Bindu Sundaresan, AT&T Cybersecurity: any third-party tools or vendors with access to your environment should be considered a critical component of your security hygiene.

Harry Powell, TigerGraph: our ability to adapt would improve greatly, if we had better supply chain visibility.

"Cyber supply chain risks cover a lot of territory," NIST adds. Some of the concerns include risks from:

• Third-party service providers or vendors - from janitorial services to software engineering - with physical or virtual access to information systems, software code, or IP
• Poor information security practices by lower-tier suppliers
• Compromised software or hardware purchased from suppliers
• Software security vulnerabilities in supply chain management or supplier systems
• Counterfeit hardware or hardware with embedded malware
• Third-party data storage or data aggregators.

NIST also points to a range of questions companies are using to determine how risky their suppliers' cybersecurity practices are:

• Is the vendor's software/hardware design process documented? Repeatable? Measurable?
• Is the mitigation of known vulnerabilities factored into product design (through product architecture, run-time protection techniques, code review)?
• How does the vendor stay current on emerging vulnerabilities? What are vendor capabilities to address new 'zero day' vulnerabilities?
• What controls are in place to manage and monitor production processes?
• How is configuration management performed? Quality assurance? How is it tested for code quality or vulnerabilities?
• What levels of malware protection and detection are performed?
• What steps are taken to 'tamper proof' products? Are backdoors closed?
• What physical security measures are in place? Documented? Audited?
• What access controls, both cyber and physical, are in place? How are they documented and audited?
• What type of employee background checks are conducted and how frequently?
• What security practice expectations are set for upstream suppliers? How is adherence to these standards assessed?
• How secure is the distribution process?
• Have approved and authorised distribution channels been clearly documented?
• What is the component disposal risk and mitigation strategy?
• How does the vendor assure security through the product life cycle?

Finally, NIST looks at some practices that companies have adopted to help manage their cyber supply chain risks, such as:

• Security requirements are included in every RFP and contract
• Once a vendor is accepted in the formal supply chain, a security team works with them on-site to address any vulnerabilities and security gaps
• 'One strike and you're out' policies with respect to vendor products that are either counterfeit or do not match specification
• Component purchases are tightly controlled; component purchases from approved vendors are prequalified. Parts purchased from other vendors are unpacked, inspected and X-rayed before being accepted.


expert view

GET THE BASICS RIGHT…

THE EXPONENTIAL ADOPTION OF NEW CYBER SECURITY RELATED TOOLS IS A GROWING PROBLEM IN THE CYBER SECURITY WORLD, CAUTIONS STEVEN USHER, SENIOR ANALYST, BROOKCOURT SOLUTIONS

Year-on-year, the number of cyber security tools that are being used by companies of all sizes is growing at a rate that many consider unsustainable long-term, and this almost frenetic rate of adoption could lead to cyber security issues; in fact, it is already.

While this situation is notable, what is, in fact, more of a concern is that, while companies are rushing to adopt newer and more complex technologies to deal with the ever-expanding cyber security threats, they rarely, if ever, have even got the basics right. I am talking here about firewall rules, base endpoint security policies, data loss prevention or, at the very least, awareness of what data is on their network, a robust and sensible password policy and, most of all - in my eyes at least - most companies do not have an up-to-date inventory of what hardware and software is on their network.

ESSENTIAL BUILDING BLOCK

Knowing what you are protecting should be considered one of the main building blocks of creating a cyber security program within your organisation. The fact that this often seems to not be the case is a concern. How do you protect and defend what you do not know about? The same applies to a software inventory - without knowing what is currently in use in your organisation, how do you determine which patches have priority, where the major points of potential ingress are or who is at the greatest risk of exploitation? After decades of dealing with incidents, it is common for unknown hardware or software to have a hand in the incident.

Both hardware and software inventories are made more complicated in the modern world with concepts like BYOD (Bring Your Own Device), which allow all sorts of hardware onto networks and inside the defences of an organisation. While there is the idea that, with solid security policies, BYOD can be managed appropriately, the truth is that BYOD is a true security nightmare and often results in the overall weakening of an organisation's security posture. Another concept that is worth considering here is WFH (Work From Home).

While there is the fact that company hardware can be sent out to users and centrally managed, there are various other pieces of hardware on that home network, and even the hardware - for example, routers - used to host the network in that home, that are not only not known, monitored or updated appropriately, but simply not capable of being managed in the first place.

There is no magic method to solve this issue. There are products that can help considerably with scanning, listing and, more importantly, managing the various hardware and software found on the networks, but it is down to the people to constantly question, scan and investigate to ensure that any and every possible piece of hardware and software is documented and known about.

Steven Usher, Senior Analyst, Brookcourt Solutions.


insider threats

ISOLATED AND VULNERABLE

HACKERS ARE DRIVING UP THE LEVELS OF HUMAN ERROR BY PREYING INCREASINGLY ON SOLITARY WORKERS - ESPECIALLY THOSE AT HOME, CUT OFF FROM IMMEDIATE I.T. SUPPORT

Oliver Paterson, VIPRE: hackers prey on those working from home, away from their trusted IT teams.

As the yearly number of cyber-attacks continues to accelerate, hackers are becoming more innovative in their tactics. "They can spot weaknesses in workforces, preying on those who are working from home as a result of the pandemic, away from their trusted IT teams," points out Oliver Paterson, product expert, VIPRE Security Awareness Training and Safesend.

It is no surprise that hackers use humans to their advantage, as human error is the cause of 90% of cyber data breaches, Paterson continues. "Humans make mistakes - stressed, tired employees who are distracted at home will make even more mistakes; whether it's sending a confidential document to the wrong person or clicking on a phishing email, no organisation is immune to human error and the consequences this can have on the business."

Yet these risks can be mitigated by educating workforces on the modern threat landscape and the existing risks, he says. "Teamed with anti-malware solutions and technology, employees can be alerted to double-check their email attachments and recipients, as well as any potentially malicious incoming emails. Additionally, it is essential that businesses implement consistent training programmes to get the most value and retention out of this learning. Such educational programmes should be relevant, adding in real-life situations, including phishing simulations, that help to fortify crucial cyber threat prevention messaging and educate workforces on how to protect both the business and themselves. This, in turn, strengthens the workforce security culture, ensuring employees know what to do when faced with a cyber threat."

Once educated on existing security risks, workforces must understand their responsibilities when securing an organisation's IT infrastructure. "Now, more than ever, the responsibility must be reinforced throughout the entire business. After all, the final choice in sending sensitive information via email is with them."

Organisations have been spending millions in building defences against external threat actors, comments Gagan Arora, director in Protiviti UK's Technology Consulting Practice. "While this approach has been effective to some extent towards mitigating risks leading to a breach, the risks associated with the internal threat actors continue to remain unaddressed to a large extent. Significant reliance is placed on human and process elements of a capability/control [eg, forcing IT workers to change passwords as per rules written in a policy], which often leads to failure and significant exposure of the valuable assets in the organisation."

PRIVILEGED CREDENTIALS RISKS

One of the key capabilities to provide a strong defence against internal threat actors is Privileged Access Management (PAM), he states. "Today, the root cause of most of the breaches is the misuse of privileged credentials, whether this is on the cloud or for on-prem assets. The risk is further heightened when privileged credentials remain with the users who are connecting remotely, which is a norm these days, or with third parties who are providing services to the IT organisation.

"Many organisations have also embraced agile delivery practices, such as continuous integration/continuous delivery (CI/CD), for delivering business applications, which introduces a different set of risks from their DevOps environment. While statistics vary on the prevalence of breaches caused by attackers within an organisation, the existence of proven tools to mitigate these has made them a de facto expectation of boards, regulators and insurers."

PAM capabilities offered by various leading solutions in the market today provide a strong defence against several scenarios that could lead to a breach, he further comments. "These capabilities include automatic password retrieval, password rotation, session management, session isolation, just-in-time access, session recording and monitoring. The coverage over IT estate is also expanding, as various solution providers now offer capabilities for protecting DevOps secrets, SaaS applications access and even managing cloud infrastructure entitlements. Organisations lacking PAM capability and controls should assess their technology environment, risk landscape and invest into a solution that is relevant not only for their existing environment, but also for future needs."

MORE DAMAGING IMPACT

"Ever since the days of Edward Snowden leaking secrets, organisations have been considering what they could do to prevent insider threats," says Javvad Malik, lead security awareness advocate at KnowBe4. "While breaches caused by insiders may not be as prevalent as external attackers, the impact is often a lot more damaging. But before proceeding, let's take a step back to define precisely what we mean by an insider threat.

"An insider could be defined as any individual with legitimate access to corporate assets, physical or virtual. It includes permanent and temporary employees, third-party contractors, as well as third-party support companies and outsourced service providers."

In this context, states Malik, threat is better defined as abuse of the trust the company has placed in an insider. "To sum it up, an insider threat is someone who misuses legitimate access granted to them for the purposes of self-interest that could potentially harm the organisation. It's worth noting that not all insiders who fall within this definition of insider threats will harm the organisation. Abuse of trust could be as simple as someone trying to get their job done by using the wrong tools or, for example, using their personal unapproved device to work on sensitive documents."

When breaking down the different types of insiders, he adds, there are three: malicious, non-malicious or compromised. "A malicious insider, as the name suggests, is one that is knowingly undertaking activities that can cause harm to the organisation. A non-malicious insider is one who, in many cases, wants to get their job done, but goes about it in the wrong way, therefore weakening the security of the organisation. A compromised insider is where an account has been taken over by a third party, so it can be used to access internal resources."

For risk purposes, organisations can map out the types of insiders and their impact with a matrix. Then, the various threats can be positioned in the matrix, depending on the intent and harm, with the size of the bubble representing the likelihood of it occurring. By way of example of a particular matrix, while espionage might show as the most severe harm to an organisation, the likelihood of it occurring is relatively low, compared, say, to a user falling for a spear phishing attack. "Organisations should use their own internal incident log data, in addition to external sources, to build up a list of threats and the likelihood of them occurring," he states.

A matrix could be used, for example, to identify the top three areas of focus for an organisation and the controls that would need to be implemented to reduce the likelihood of spear phishing, unskilled staff making errors and shadow IT. "By going through such a data-driven exercise, organisations will be far better placed to understand the actual insider threat they face and where to focus their efforts to minimise the risk."
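As an added example (not code from the article or from KnowBe4), the following Python builds the intent/harm matrix Malik describes from constructed incident log lines and ranks the top three areas of focus; the CSV layout, threat names, scores and the likelihood x harm ranking are assumptions, not anything the article specifies.

```python
"""Insider-threat matrix built from incident log data (added example).

Each constructed log line records one insider incident: its type (malicious,
non-malicious or compromised), a threat category, an intent score and a harm
score. Incidents are grouped into (intent, harm) cells, the count in a cell
stands in for the 'bubble size' (likelihood), and threat categories are ranked
by likelihood x worst harm. Every log line, category and score is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

INSIDER_TYPES = ("malicious", "non-malicious", "compromised")

# Constructed incident log (CSV): date,insider_type,threat,intent,harm
# intent: 1 = accidental ... 5 = deliberate; harm: 1 = negligible ... 5 = severe
SAMPLE_LOG = """\
2022-01-04,compromised,spear_phishing,1,3
2022-01-11,non-malicious,shadow_it,2,3
2022-01-19,compromised,spear_phishing,1,3
2022-02-02,non-malicious,unskilled_error,1,3
2022-02-14,malicious,espionage,5,5
2022-02-20,compromised,spear_phishing,1,3
2022-03-03,non-malicious,shadow_it,2,3
2022-03-09,non-malicious,unskilled_error,1,3
2022-03-21,compromised,spear_phishing,1,3
2022-04-01,non-malicious,unskilled_error,1,3
"""


@dataclass(frozen=True)
class Incident:
    date: str
    insider_type: str
    threat: str
    intent: int
    harm: int


def parse_log(text):
    """Parse CSV log lines into Incident records, rejecting malformed lines."""
    incidents = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        date, insider_type, threat, intent, harm = fields
        if insider_type not in INSIDER_TYPES:
            raise ValueError(f"line {lineno}: unknown insider type {insider_type!r}")
        intent, harm = int(intent), int(harm)
        if not (1 <= intent <= 5 and 1 <= harm <= 5):
            raise ValueError(f"line {lineno}: intent and harm must be 1..5")
        incidents.append(Incident(date, insider_type, threat, intent, harm))
    return incidents


def build_matrix(incidents):
    """Map each (intent, harm) cell to a Counter of the threats seen in it."""
    matrix = defaultdict(Counter)
    for inc in incidents:
        matrix[(inc.intent, inc.harm)][inc.threat] += 1
    return matrix


def render_matrix(matrix):
    """Text view of the matrix: rows are harm (5 at the top), columns intent."""
    lines = ["harm\\intent " + " ".join(f"{i:>3}" for i in range(1, 6))]
    for harm in range(5, 0, -1):
        cells = []
        for intent in range(1, 6):
            n = sum(matrix.get((intent, harm), Counter()).values())
            cells.append(f"{n if n else '.':>3}")
        lines.append(f"{harm:>11} " + " ".join(cells))
    return "\n".join(lines)


def rank_threats(incidents):
    """Rank threats by (share of incidents) x (worst harm seen), highest first."""
    total = len(incidents)
    counts = Counter(inc.threat for inc in incidents)
    worst_harm = defaultdict(int)
    for inc in incidents:
        worst_harm[inc.threat] = max(worst_harm[inc.threat], inc.harm)
    ranked = [(t, round(counts[t] / total * worst_harm[t], 6), counts[t], worst_harm[t])
              for t in counts]
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def top_focus_areas(incidents, n=3):
    """The n threats that most deserve controls, by the ranking above."""
    return [t for t, _score, _count, _harm in rank_threats(incidents)[:n]]


def most_severe_threat(incidents):
    """The threat with the worst observed harm, however rare it is."""
    return max(rank_threats(incidents), key=lambda r: r[3])[0]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(render_matrix(build_matrix(log)))
    print("most severe:", most_severe_threat(log))
    print("focus on:", top_focus_areas(log))
```

On the constructed log, espionage lands in the most severe cell but ranks last by likelihood, while spear phishing, unskilled errors and shadow IT come out as the three focus areas.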

i https://www.infosecurity-magazine.com/news/90-data-breaches-human-error

Javvad Malik, KnowBe4: insiders can be of three types - malicious, non-malicious or compromised.

Gagan Arora, Protiviti: one of the key capabilities to provide a strong defence against internal threat actors is Privileged Access Management.


quantum on trial

QUANTUM GOES BIG!

BT AND TOSHIBA LAUNCH FIRST COMMERCIAL TRIAL OF QUANTUM SECURED COMMUNICATION SERVICES

BT and Toshiba, along with EY, have launched the trial of what is described as a "world-first commercial quantum-secured metro network". The infrastructure will be able to connect numerous customers across London, helping them to secure the transmission of valuable data and information between multiple physical locations over standard fibre optic links using quantum key distribution (QKD).

QKD is an important technology, playing a fundamental role in protecting networks and data against the emerging threat of cyber-attack using quantum computing. The London network has been hailed as representing a critical step towards reaching the UK government's strategy to become a quantum-enabled economy.

The network's first commercial customer, EY, will use the network to connect two of its sites in London, one in Canary Wharf and one near London Bridge. It will demonstrate how data secured using QKD can move between sites and showcase the benefits this network brings to its own customers.

BT and Toshiba announced their commitment to creating a trial network in October 2021. BT will operate the network, providing a range of quantum-secured services, including dedicated high bandwidth end-to-end encrypted links, delivered over Openreach's private fibre networks, while Toshiba will provide quantum key distribution hardware and key management software. In the network, QKD keys will be combined with the in-built ethernet security, based on public-key based encryption, which will enable the resultant keys to be used to encrypt the data.
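The key combination step described above, as an added example rather than BT's or Toshiba's code: the article does not say how the QKD key and the public-key derived key are combined, so this assumes an HKDF-SHA256 combiner (RFC 5869) that makes the traffic key depend on both secrets, with the link identifier, label strings and all key bytes constructed for illustration.

```python
"""Hybrid traffic key from a QKD key and a classically negotiated key.

Added example; not BT's or Toshiba's code. The combiner used on the London
network is not described in the article, so this block assumes HKDF-SHA256
(RFC 5869) over both secrets: the derived key stays secret as long as either
input does. Labels, link identifier and key material are all constructed.
"""
import hashlib
import hmac

MIN_KEY_BYTES = 32  # refuse any input secret shorter than 256 bits
HASH_LEN = hashlib.sha256().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds the HKDF limit")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_keys(qkd_key: bytes, classical_key: bytes, link_id: bytes,
                 key_index: int, length: int = 32) -> bytes:
    """Derive the traffic key for one key period from both secrets.

    qkd_key       - key delivered by the QKD layer for this period
    classical_key - key from the link's public-key based security
    link_id       - identifies the two endpoints, binding the key to this link
    key_index     - incremented on every key refresh so each period differs
    """
    if len(qkd_key) < MIN_KEY_BYTES or len(classical_key) < MIN_KEY_BYTES:
        raise ValueError("both input keys must be at least MIN_KEY_BYTES long")
    # Length-prefix each secret so the boundary between them is unambiguous.
    ikm = (len(qkd_key).to_bytes(2, "big") + qkd_key
           + len(classical_key).to_bytes(2, "big") + classical_key)
    prk = hkdf_extract(b"qkd-hybrid-v1/" + link_id, ikm)  # label is constructed
    info = b"traffic-key/" + key_index.to_bytes(4, "big")
    return hkdf_expand(prk, info, length)


def confirmation_tag(traffic_key: bytes, link_id: bytes) -> bytes:
    """Key-confirmation value one endpoint sends so the peer can check it
    derived the same traffic key, without the key itself crossing the link."""
    return hmac.new(traffic_key, b"key-confirm/" + link_id, hashlib.sha256).digest()


def keys_match(tag_from_peer: bytes, own_key: bytes, link_id: bytes) -> bool:
    """Constant-time check of the peer's confirmation tag against our own key."""
    return hmac.compare_digest(tag_from_peer, confirmation_tag(own_key, link_id))
```

A mismatch in either input (a QKD key period out of step, or a different classical session) shows up as a failed confirmation check before any traffic is encrypted under the wrong key.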

Quantum computing certainly represents a unique challenge and opportunity, due to the scale and complexity of activity required, the size of the opportunity, the time to market, and the challenges quantum computing presents to modern encryption, states the government.

"This requires a different approach to bring the community together and realise opportunities for growth. Being quantum-ready requires companies and government to engage now to upskill and explore applications that could have a significant impact on industry and wider society. Through the newly established National Quantum Computing Centre, we will undertake a programme of hardware building and software development, developing a UK capability, skills and knowhow and enabling the UK economy to explore useful applications."

PROFOUND IMPACT

Howard Watson, chief technology officer, BT, points to how quantum-enabled technologies are expected to have a profound impact on how society and business operates in the future, but adds pointedly: "they are remarkably complex to understand, develop and build: in particular, ensuring that the end-to-end service designs meet the stringent security requirements of the market. I'm incredibly proud that BT and Toshiba have successfully united to deliver this unique network, and with EY as our first trial customer, we are paving the way for further commercial explorations for quantum technologies and their use in commercial, and societal applications in the future".

Preparation, technical deployment and testing for the network commenced in late 2021. This included equipment deployment in racks, adding security systems and resilience testing, and finally running and optimising the network. While 26 April marked the official launch of the network, it has been running since early April and will operate for an initial period of up to three years.

Shunsuke Okada, corporate senior vice president and chief digital officer of Toshiba, states that both Toshiba and BT have demonstrated world-class technology development and leadership through decades of innovation and operation. "Combining BT's leadership in networks technologies and Toshiba's leadership in quantum technologies has brought this network to life, allowing businesses across London to benefit from quantum secured communications for the first time."

VAST POTENTIAL - AND RISKS<br />

Moreover, the role of quantum and its vast potential are pinpointed by Praveen Shankar, EY UK & Ireland managing partner for Technology, Media and Telecoms (TMT). "Quantum technology creates new and significant opportunities for business, but presents potential risks. Quantum secure data transmission represents the next major leap forward in protecting data, an essential component of doing business in a digital economy. Our work with two of the world's leading technology innovators will allow us to demonstrate the power of quantum to both EY and our clients."<br />

The UK Government's 'strategic intent' to develop a quantum-enabled economy was first published in 2020. It sets out a vision for the next 10 years in which quantum technologies will become an integral part of the UK's digital backbone, unlock innovation to drive growth and help build a thriving and resilient economy, and contribute significant value to the UK's prosperity and security. This new era of quantum technologies will, claims the government, "transform economies in our maturing digital age and help to address society's challenges; advancing health care and environmental protection, achieving net zero targets and better land use, supporting financial services and communications, providing defence and security capabilities and computing power".<br />

These technologies will focus on creating new global market opportunities and competitive advantage for those able to develop and exploit them, unlocking innovation by integrating them into complex systems, it continues, and for this reason significant efforts are being put into developing quantum technologies globally. The National Quantum Technologies Programme (NQTP) was established in 2014 by several partners with the objective of making the UK "a global leader in the development and commercialisation of these technologies". The partners are: the Engineering and Physical Sciences Research Council, Science and Technology Facilities Council, Innovate UK, Defence Science and Technology Laboratory, Ministry of Defence, National Physical Laboratory, Department for Business, Energy and Industrial Strategy, Government Communications Headquarters and the National Cyber Security Centre.<br />

A REVOLUTION GATHERING PACE<br />

According to the government: "In the past five years, remarkable progress has been made towards both producing integrated systems, many of which are now nearing the market, and creating a UK quantum technologies industry. Our thriving and unique interconnected ecosystem is comprised of world-leading research institutes, innovative quantum technology spin-outs, systems integrators and components suppliers from existing industries, as well as major multinationals, all interacting to generate real successes and drive the development of products and services." But the UK needs to progress quickly, the government concedes, as the next technological revolution, driven by a fusion of technologies, data and advanced computational abilities, gathers pace.<br />

BT's Howard Watson adds: "This is a significant moment in the UK's journey towards a quantum-enabled economy, but we're not there yet. Further investment commitments will be required to broaden the study of quantum technologies that will contribute to this new economy, including quantum computing, quantum cryptography and quantum communications. We look forward to working with our government and industry partners to continue the momentum BT has started and shaping the UK's quantum strategy."<br />

The technical collaboration for this network was conducted in BT's Adastral Park labs in Suffolk, UK, and the Quantum Technology Business Division of Toshiba, based in Tokyo, Japan and Cambridge, UK, where the quantum key distribution technology has been developed and is manufactured.<br />



threats insights<br />

IF YOU CAN'T STAND THE HEAT…<br />

… THEN DO SOMETHING ABOUT IT. TIME TO FIGHT BACK AS HIGHLY EVASIVE ADAPTIVE THREATS STRIKE HARD<br />

Mark Guntrip, Menlo Security: web threats are being more and more successfully deployed using HEAT techniques.<br />

Web malware (47%), along with ransomware (42%), now come out top of the list of security threats that organisations are most concerned about. Yet, despite these growing risks, less than a third (27%) have advanced threat protection in place on every endpoint device that can access corporate applications and resources. This is according to new research, 'The state of threat prevention: evasive threats take center stage', published by Menlo Security, exploring what steps organisations are taking to secure themselves in the wake of a new class of cyber threats known as Highly Evasive Adaptive Threats (HEAT). As employees spend more time working in the browser and accessing cloud-based applications, the risk of HEAT attacks increases substantially. Indeed, almost two-thirds of organisations have had a device compromised by a browser-based attack in the last 12 months.<br />

The report suggests that organisations are not being proactive enough in mitigating the risk of these threats, with 45% failing to add strength to their network security stack over the past year. There are also conflicting views on the most effective place to deploy security to prevent advanced threats, with 43% citing the network, and 37% the cloud.<br />

"Threat actors seek to exploit gaps in traditional security defences and the fact that security capabilities haven't really changed over the past decade," explains Mark Guntrip, senior director of Cybersecurity Strategy, Menlo Security. "One of the areas of focus for attackers is using web threats and we're seeing more and more of them successfully deployed using HEAT techniques. Last year, we saw Nobelium use HTML smuggling, a HEAT tactic to avoid static and dynamic content analysis, to deliver malware and ransomware attacks. The fact that these are successful means their usage will increase, which could have devastating consequences for companies of all sizes."<br />

"Working practices have changed," he points out, "and companies must stop relying on traditional tools and strategies that just don't cut it anymore. Adopting a prevention-driven approach to security is the only way to achieve this and using isolation-powered security to do so stops the browser from having any direct interaction with the website and content and ensures that HEAT attacks don't stand a chance."<br />
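The HTML smuggling tactic Guntrip refers to assembles the dropped file inside the browser, from data carried in the page itself, so a scanner that only inspects the HTML at rest never sees a file attachment. The example below is added for this article and is not code from Menlo Security, the report or any attacker. It runs two static checks over three constructed HTML samples: matching on the browser API names the technique relies on, and decoding long base64 literals to sniff their file type. The samples, the fake ZIP header used as a payload and the verdict thresholds are all constructed assumptions for illustration.<br />

```python
"""Static indicator checks for HTML smuggling.

Added example for this article; it is not code from Menlo Security, the
report, or any attacker. The HTML samples and the fake ZIP header below are
constructed for illustration, and the verdict thresholds are assumptions.
"""
import base64
import re
from typing import List

# Browser API names the technique relies on: decode base64, build a Blob,
# mint an object URL, force a download. A name-matching scanner keys on these.
API_INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bcreateObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*="),
}

# Long base64 runs that could carry the smuggled file.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Magic bytes for the file types worth flagging.
MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"%PDF": "pdf"}


def api_indicators(html: str) -> List[str]:
    """Names of the API patterns that appear verbatim in the document."""
    return [name for name, rx in API_INDICATORS.items() if rx.search(html)]


def embedded_file_types(html: str) -> List[str]:
    """Decode every long base64 literal and sniff its file type."""
    kinds = []
    for run in B64_RUN.findall(html):
        try:
            data = base64.b64decode(run, validate=True)
        except ValueError:  # not valid base64 after all
            continue
        kinds.append(next((k for m, k in MAGIC.items() if data.startswith(m)), "unknown"))
    return kinds


def verdict(html: str) -> str:
    """Triage label combining both checks (the thresholds are an assumption)."""
    apis = api_indicators(html)
    payloads = [k for k in embedded_file_types(html) if k != "unknown"]
    if len(apis) >= 3 and payloads:
        return "smuggling"
    if payloads:
        return "payload-only"
    if len(apis) >= 3:
        return "api-only"
    return "clean"


# Constructed payload: a ZIP local-file-header signature followed by zeros.
FAKE_ZIP = base64.b64encode(b"PK\x03\x04" + bytes(40)).decode()

# Sample 1: textbook page, every indicator present verbatim.
PLAIN = f"""<html><body><script>
var data = "{FAKE_ZIP}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "report.zip";
a.click();
</script></body></html>"""

# Sample 2: same behaviour, API names assembled at run time. Name matching
# sees nothing, but the payload is still a single decodable literal.
OBFUSCATED = f"""<html><body><script>
var data = "{FAKE_ZIP}";
var w = window, d = document;
var bytes = Uint8Array.from(w["at" + "ob"](data), c => c.charCodeAt(0));
var blob = new w["Bl" + "ob"]([bytes]);
var a = d.createElement("a");
a.href = w.URL["create" + "ObjectURL"](blob);
a["down" + "load"] = "report.zip";
a.click();
</script></body></html>"""

# Sample 3: payload also split into short pieces joined at run time, so the
# base64 check fails too. Only executing the page reveals the file.
CHUNKED = OBFUSCATED.replace(
    f'"{FAKE_ZIP}"',
    " + ".join(f'"{FAKE_ZIP[i:i + 12]}"' for i in range(0, len(FAKE_ZIP), 12)),
)

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("obfuscated", OBFUSCATED), ("chunked", CHUNKED)):
        print(f"{label:10s} apis={api_indicators(sample)} "
              f"files={embedded_file_types(sample)} -> {verdict(sample)}")
```

Run as a script, the three samples show the progression behind the quote: the plain page trips every check, the page with assembled API names defeats name matching but still exposes a decodable ZIP, and the page that also splits the payload defeats both static checks, which is the point at which only executing the content (in a sandbox or an isolated browser) reveals the file. Two caveats for anyone adapting this: the Blob and download pattern is also used by legitimate pages such as export buttons, so the API check on its own is a triage signal rather than a verdict, and the base64 regex deliberately ignores short runs to avoid decoding every token in the page.<br />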

COMPETING SECURITY PRIORITIES<br />

According to the research among 500-plus IT decision makers in the UK and the US, hybrid/remote working (28%) is the biggest challenge that organisations expect to face this year when it comes to protecting their corporate network from advanced threats. This is followed by budget restrictions (15%), the presence of unmanaged devices (14%) and outdated security solutions (13%). There are also a number of competing priorities for IT professionals when it comes to improving their security posture in 2022. Training staff tops the list (61%), followed by technology investment to protect the corporate network (60%), adapting to new ways of working (50%) and investing in skilled security team members (45%).<br />

ADDITIONAL RESEARCH FINDINGS:<br />

Although 55% of respondents have invested in their security stack over the past year and 27% have advanced threat protection in place, it is simply not having the desired effect, as attacks are still successfully penetrating their defence lines. Half of respondents to the survey believe that firewalls are an effective way of mitigating HEAT attacks, while a total of 31% favour VPNs.<br />



Computing Security<br />

Secure systems, secure data, secure people, secure business<br />

Product Review Service<br />

VENDORS – HAS YOUR SOLUTION BEEN REVIEWED BY COMPUTING SECURITY YET?<br />

The Computing Security review service has been praised by vendors and readers alike. Each solution is tested by an independent expert whose findings are published in the magazine along with a photo or screenshot. Hardware, software and services can all be reviewed.<br />

Many vendors organise a review to coincide with a new launch. However, please don’t feel that the service is reserved exclusively for new solutions. A review can also be a good way of introducing an established solution to a new audience. Are the readers of Computing Security as familiar with your solution(s) as you would like them to be?<br />

Contact Edward O’Connor on 01689 616000 or email edward.oconnor@btc.co.uk to make it happen.<br />


PLAY IT SAFE WITH 365 TOTAL PROTECTION!<br />
