CS Jul-Aug 2022
Computing Security
Secure systems, secure data, secure people, secure business
July/August 2022

QUANTUM FACE-OFF: The race for advantage has begun and it could get nasty

WELL VERSED: Interest in the metaverse is on the up and up, but what's it all about?

BURNING AMBITIONS: Cyber Power is being bigged up as the future great protector. Can it live up to that billing?

UNREADY, STEADY, GO!: Businesses invest heavily, but are still poorly prepared for ransomware attacks

NEWS | OPINION | INDUSTRY | COMMENT | CASE STUDIES | PRODUCT REVIEWS

comment

MAY THIS FORCE NOT BE WITH YOU

The main feature on page 20 in this issue is focused on a topic that provokes a great deal of response, as it becomes an ever more malignant and increasingly sophisticated force: ransomware.

As the National Cyber Security Centre advises: "Since there's no way to completely protect your organisation against malware infection, you should adopt a 'defence-in-depth' approach. This means using layers of defence with several mitigations at each layer. You'll have more opportunities to detect malware, and then stop it before it causes real harm to your organisation. You should assume that some malware will infiltrate your organisation, so you can take steps to limit the impact this would cause and speed up your response."

Amongst those in our article calling on organisations to adopt basic best practice, educate users and reinforce through repetition is Joseph Carson, chief security scientist and advisory CISO at Delinea: "Whether made by a public or private organisation, security processes should ultimately be the same and user access should be a top priority, given insider threats are the predominant cause of phishing and other breaches," he states.

Meanwhile, Richard Watson, EY Global & Asia-Pacific cybersecurity leader, says that 77% of security leaders have witnessed an increase in the number of disruptive attacks over the last year (according to the latest EY Global Information Security Survey). "Leaders need to put in place a comprehensive cybersecurity strategy that incorporates both technology and human elements," he says, "especially since phishing attacks take advantage of human vulnerabilities and weaknesses."

It is a problem that will undoubtedly grow worse over time. Organisations need to devote the right resources to carefully thought-through strategies that will enable them to shield against the kinds of mayhem that ransomware is already leaving in its wake.

Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk

EDITOR: Brian Wall (brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)
SALES:
Edward O’Connor (edward.oconnor@btc.co.uk), +44 (0)1689 616 000
Lyndsey Camplin (lyndsey.camplin@btc.co.uk), +44 (0)7946 679 853
Stuart Leigh (stuart.leigh@btc.co.uk), +44 (0)1689 616 000
PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)

Published by Barrow & Thompkins Connexions Ltd (BTC), 35 Station Square, Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22

SUBSCRIPTIONS:
UK: £35/year, £60/two years, £80/three years
Europe: £48/year, £85/two years, £127/three years
R.O.W: £62/year, £115/two years, £168/three years
Single copies can be bought for £8.50 (includes postage & packaging). Published 6 times a year.

© 2022 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.

www.computingsecurity.co.uk | @CSMagAndAwards

CONTENTS

COMMENT 3
May this force NOT be with you

ARTICLES

NEWS 6 & 8
Tackling threats, showing resilience
No let-up in ransomware attacks
UK data reform bill warning
Cautious welcome for digital strategy

PHISHING IN THE DARK 10
Phishing is no new phenomenon. In the new hybrid working world, organisations have been left seriously exposed to cyberattacks, used as a formidable weapon with which to target victims. What can be done to counteract the damage?

COMPLIANCE AND INFORMATION SECURITY IN THE SPOTLIGHT 13
Paul Harris, Managing Director at Pentest Limited, looks at the key issues and how to tackle them

INFOSEC EUROPE SHOW MAKES WELCOME AND WINNING RETURN 14
After all the trials and tribulations of Covid lockdowns, the cybersecurity community was finally able to come back together in person for Infosecurity Europe 2022

STEERING ON THE SAFE SIDE OF AUTONOMY 16
Peter Lane, Information Security Consultant, Xcina Consulting, offers his insights on how networks and systems can be properly protected from concerted attacks or the vulnerabilities of autonomy

‘MOST MALWARE ENCRYPTED’ 18
A new report suggests that, without HTTPS inspection of encrypted traffic and advanced behaviour-based threat detection and response, organisations are missing up to two-thirds of incoming threats. The report also highlights that the UK was a top target for cyber criminals in Q1.

RANSOMWARE DEVASTATION 20
Despite spending billions on cybersecurity tools, businesses are alleged still to be poorly prepared for ransomware attacks. What then might be the best means to tackle this huge problem - or has ransomware become a law unto itself?

POWER VACUUM 24
Cyber Power - the ability to protect and promote national interests in and through cyberspace - may be a vital component in protecting national interests, but how effectively will it play out back on terra firma?

A WORLD APART 28
Interest in the metaverse is on the up, but is it an illusory world fraught with dangers or one with real promise?

CYBER WOES 30
Many organisations are feeling no more confident in their ability to respond to cyber risks now than they did in 2019. What has taken its toll on them?

STEAL NOW, PROTECT NOW 32
Global cyber security experts Norman Willox and Tom Patterson defend the change of quantum computing from science fiction to science fact

AT WAR WITH CYBER-ATTACKS 34
The ongoing conflict in Ukraine has seen the resurrection of the infamous Industroyer malware and other threats. What impact are these having?

news

NEW ERA OF REAL-TIME VISIBILITY

OpenText has announced the release of BrightCloud Cloud Service Intelligence, enabling Cloud Access Security Brokers (CASB) and other security and technology vendors to enforce data-centric security policies and prevent unwanted interactions with cloud services and associated applications, the company states.

"The risks in securing cloud applications are fairly straightforward," says OpenText chief product officer Muhi Majzoub. "If IT doesn't know about an unsanctioned application or service, they can't adequately protect it or the data it accesses and stores.

"Modern user practices, tools and remote work are demanding a new era of real-time visibility. Which is why real-time threat intelligence is built into this new cloud-specific solution, utilising over 10 years of innovation at the forefront of AI and ML."

Through a suite of three components - Cloud Application Classification, Cloud Application Function and Cloud Application Reputation - partners can use BrightCloud Cloud Service Intelligence to identify, classify, and block/allow access based on the application's classification, functions, and reputation score.

[Photo caption: Muhi Majzoub, OpenText.]

TACKLING THREATS, SHOWING RESILIENCE

The Scottish Business Resilience Centre (SBRC) is taking space at Abertay University's newly launched Abertay cyberQuarter in Dundee and becomes one of the founding members of the cybersecurity research and development centre. This increased presence in the city looks set to boost opportunities for the organisation to engage with businesses from Tayside as it hosts workshops and meetings, as well as provide a space for its 20 part-time ethical hackers based out of Abertay University to work and collaborate. The SBRC will contribute to the Dundee centre's aim to bring together students, academics and organisations to help solve global cyber security challenges. "Abertay has long held an excellent reputation in the cyber industry," says Jude McCorry, CEO of the SBRC. "This launch of the brand-new cyberQuarter at Abertay University will extend this, and we have no doubt that it will be a positive space where academia and industry can unite to tackle cyber threats."

[Photo caption: SBRC team at cyberQuarter.]

SEAL OF APPROVAL

A Glasgow Caledonian University cyber security programme has been hailed as the first Scottish Graduate Apprenticeship to achieve full National Cyber Security Centre Certification. The MSc Cyber Security Graduate Apprenticeship has been given the seal of approval by the National Cyber Security Centre, along with a programme at another Scottish university. The MSc Apprenticeship is targeted towards existing IT professionals who need to develop their current skills and experience in assessing security risks across a broad range of technical security solutions and designs. Head of department Dr Jackie Riley said: "Achieving NCSC Certification is the culmination of three years of work for the department. The process includes evaluation of the degree content, the staff skill set, the facilities available to the students and the commitment of the university to cyber security."

[Photo caption: Dr Jackie Riley.]

NO LET-UP IN RANSOMWARE ATTACKS

Arcserve has released the first in a series of findings of its annual independent global research study on current experiences and attitudes of IT decision makers (ITDMs) around data protection and recovery. Key findings show that ransomware attacks continue to impact organisations worldwide with high costs, but they are still largely unprepared. "As our annual survey confirmed, ransomware attacks continue to significantly disrupt business worldwide, with staggering costs and the real threat of losing mission-critical data," says Florian Malecki, executive vice president, marketing at Arcserve. "IT decision makers must review and modernise their IT security infrastructure by making data

[Photo caption: Florian Malecki, Arcserve.]

UK DATA REFORM BILL WARNING

Prince Charles' announcement in the Queen's speech that a new data reform bill will allow the UK to deviate from EU privacy legislation has caused mutterings in many quarters.

Amongst those urging caution was John Hetherton, head of compliance at encryption firm Evervault: "Given the current stalemate between the US and Europe over Schrems (ii), the UK would be unwise to deviate too far from the GDPR and risk losing its adequacy status."

Schrems II is the short name given to the 2020 decision by Europe's top court (the CJEU), that invalidated Privacy Shield, the adequacy decision that we all relied on to legitimately transfer personal data from the EEA (effectively including the UK at the time) to the USA.

Adds Hetherton: "It's fair to say that, while some white smoke has risen between Presidents Biden and Von der Leyen [Ursula Von der Leyen, president of the European Commission], an adequacy agreement between the two countries is likely a ways away.

"Large Tech currently find themselves in the unenviable position of having to duplicate infrastructures already present in the US into Europe in order to process EU citizens' data in line with GDPR, a fate that UK organisations are keen to avoid."

[Photo caption: John Hetherton, Evervault.]

CALL FOR BACKUP - AND RESTORE!

In a survey, almost all (99%) of IT decision makers stated they have backup strategies in place, but just over a quarter (26%) admitted they were unable to fully restore all data/documents when recovering from a backup. This is according to an annual survey conducted in April 2022 by Apricorn. Almost 60% of those that have backups in place acknowledged they did so via an automated backup to a central repository only. "This is concerning," says Jon Fielding, managing director, EMEA Apricorn, "as using the cloud (or any storage repository) as the sole backup location risks costly business disruption, if a business suffers a cyber-attack or a technical issue that renders that service or their data unavailable." Backups are essential, but backups that work even more so, he adds. "Organisations need to embrace the '3-2-1 rule': have three copies of data, on two different media, one of which is offsite."

[Photo caption: Jon Fielding, Apricorn.]

ENCRYPTION TAKES CENTRE STAGE

The number of UK organisations implementing data encryption as a core part of their cybersecurity strategy has continued to rise, with 32% introducing a policy to encrypt all corporate information as standard in the last year. Almost half (47%) of organisations now require the encryption of all data, whether it's at rest or in transit. This is according to an annual survey of IT decision makers carried out by Apricorn.

"Thirty-two per cent of organisations encrypt all data when it's stored on their systems or in the cloud. Only 2% do not currently see encryption as a priority," states Apricorn. "The stakes are getting higher for those organisations that don't give the approach sufficient attention."

Some 16% of those surveyed admitted a lack of encryption had been the main cause of a data breach within their company, up from 12% in 2021. When asked the main reason their organisation has increased the implementation of encryption over the past year, 24% of respondents said this was due to the increase in remote working, with 16% citing the rise in ransomware attacks.

CAUTIOUS WELCOME FOR DIGITAL STRATEGY

Having security at the heart of the government's latest UK Digital Strategy has been welcomed by Verona Hulse, senior public affairs manager at NCC Group, with the focus on secure infrastructure and environments, data and 'pro-innovation' regulatory frameworks, seen as particularly pleasing.

"Considering these within the geopolitical landscape, given the ever-evolving, global digital environment we operate in, will be key to truly realising this strategy's ambitions," she adds. "The focus on education and skills is also encouraging, with nods to Ofsted's review of computing education and the need to retrain adults for roles in the cyber sector. However, there's definitely scope to go further, so that we have a clear approach to education, recruitment and retention across the sector."

phishing

PHISHING IN THE DARK

PHISHING IS NO NEW PHENOMENON - BUT IT IS BEING USED MORE AND MORE AS A FORMIDABLE WEAPON TO ATTACK VICTIMS WITH. WHAT CAN BE DONE TO NEGATE ITS IMPACT?

A new phishing assault unleashed on the NHS has been described as a "timely reminder" to all organisations, both in the public and private sector, that they need to cover both the technology and human aspects of cybersecurity to develop an adequate level of protection. What should such a strategy look like? How does it differ from what most organisations are doing right now? And what are the likely consequences, if they fail to take those steps?

"In the new hybrid working world, organisations have been left seriously exposed to cyberattacks," points out Richard Watson, EY Global & Asia-Pacific cybersecurity leader. "In fact, 77% of security leaders have witnessed an increase in the number of disruptive attacks over the last year [according to the latest EY Global Information Security Survey]. In addition, phishing tactics used by cyber criminals have become increasingly sophisticated and difficult to detect, compounding the problem even further.

"Leaders need to put in place a comprehensive cybersecurity strategy that incorporates both technology and human elements, especially since phishing attacks take advantage of human vulnerabilities and weaknesses," adds Watson, who suggests the following approach:

Know the signs of a phishing attack - "Despite years of sitting through computer-based training modules, too many employees are still not aware of the signs of a phishing attack, often falling victim to them. Leaders should make cybersecurity training mandatory for all employees, so they can identify a phishing attack immediately and that training should be experienced based (for example simulated phishing exercises) as this is considered to be a very effective way to really get the message home," he states.

Foster greater communication and collaboration between the CISO and C-Suite - "Cybersecurity is too often a technical conversation causing many executives and boards to shy away from it. To help manage this, CISOs should use business language with the C-suite, articulating the risks, not reams of technical operational data, to ensure they're properly educated about the realities of cyber-incidents and how to mitigate them. This will also help with the conversation about funding - which many CISOs consider to be the hardest part of their job."

Security by design approach - "All teams should follow this approach when creating systems, products and services within their businesses and, to do it properly, cyber experts should be involved in the planning process of any new initiative from the very start. This is a term that has become known as 'left shifting security in the plan'. This means that cyber protection is built into everything from the outset and is maintained through consistent monitoring, testing and implementation of safeguarding procedures. Worryingly, today just 19% of cybersecurity professionals feel like they are consulted in the planning stages of new business initiatives - so it's clear there is significant room for improvement."

If leaders fail to take these steps, says Watson, the consequences for their organisations could be catastrophic and lead to significant financial and reputational damage, especially for those who hold sensitive customer data or operate critical infrastructure.

STAYING IN CONTROL

Phishing is a threat that cannot be avoided, but it can be controlled, argues Lee Schor, chief revenue officer of VIPRE, outlining crucial technology tools and training needed to reduce the threat of such attacks and ultimately for organisations to create a phishing prevention toolkit. "Technology solutions can support businesses by acting as a layer of security protection to help identify, stop and block potential phishing threats from entering the network. Email is the leading attack vector used by cybercriminals to deliver phishing, ransomware and malware attacks. The first step in preventing phishing via email, is to ensure that businesses have the right protection in place at the time of receiving and handling emails, such as email attachment sandboxing; anti-phishing protection; data loss prevention tools (DLP); and outbound email protection."

Innovative technologies such as machine learning can be used to scan emails for possible phishing scams by comparing links to known phishing data, he adds. "Additionally, DLP tools help to stop sensitive information from leaving the organisation at the time an employee sends an email by offering a crucial double-check."

Digital tools can help to identify and stop potential phishing emails - but these technologies are not the complete solution. "No phishing prevention plan is effective without users understanding the threat landscape," says Schor. "Therefore, it is crucial that businesses implement a security and phishing awareness training programme that educates users on the different types of phishing and potential threats. It is vital that this training includes phishing simulations and penetration testing, so that employees can face real-life scenarios. This type of education will help identify areas of weakness where organisations need to provide support to employees through additional training, for example, and will help businesses to continuously assess the success of a phishing awareness programme."

Investing in a phishing toolbox is essential to fully protect your organisation against ever-changing attacks and zero-day threats delivered via SMS, phone and email, he concludes. "By implementing the right technology, combined with user education and security awareness training to give all-around protection, businesses can carefully manage and avoid phishing threats. As the growth of the cyber security threat landscape shows no signs of slowing down, organisations can be reassured that they have the necessary protective layers in place to combat the modern threat landscape by using the right tools and training."

[Photo caption: Richard Watson, EY: phishing tactics used by cyber-criminals have become increasingly sophisticated and difficult to detect.]

TWO-FOLD APPROACH

Tackling the threat of phishing requires a two-fold approach, says Jamie Akhtar, CEO & co-founder of CyberSmart. "On the one hand, organisations must deploy technologies that can help filter through incoming communications for any suspicious language, links and attachments; quarantining these until they have been inspected by the security team. In conjunction, measures must be implemented to educate employees on the threats that exist and how they can best manage them. The latter is trickier to do, and requires a good understanding of cyber psychology and human behaviour to be effective."

Most employees, generally, prioritise their efforts on direct work tasks and deliverables, employing slow and deliberate (or 'system 2') thinking to do so, he points out. "Cybersecurity concerns, however, usually come secondary to these tasks and may not receive the same amount of attention. Instead, the majority of individuals will use system 1, or automatic thinking, when assessing threats. We use cognitive shortcuts, like identifying familiar logos, images and names, when making a judgement on the safety of clicking a link or downloading an attachment. There is also an element of learned helplessness when it comes to cybersecurity, because it is often made out to be a complex and intimidating matter. Therefore, it is critical that organisations foster good cybersecurity habits as early as possible and embed them into the company culture."

There are a couple of ways to make this work in practice, suggests Akhtar. "The first is to leverage security tools and other awareness training technologies that are user friendly to improve overall security posture. For instance, introducing regular, bite-sized training videos that address specific knowledge gaps in the organisation. The second important step is to build an empowering and encouraging culture where it is okay to ask questions, make mistakes and learn from them. If your employees are scared or uncomfortable reporting an issue to your security team, that is when you should be worried."

In the past, employees have been vilified for being the 'weakest link' and fear was used to instil best practices, he adds. "Yet research has shown that relying on fear to enact change is not sustainable, so we need to take steps to bolster employee confidence in handling threats. We should also place greater emphasis on the benefits of being cyber secure and compliant, such as keeping their data safe, as opposed to the dangers that exist."

INSIDER THREATS

"Phishing is not a new phenomenon," comments Joseph Carson, chief security scientist and advisory CISO at Delinea, "so strategies need not drastically change, but organisations need to adopt basic best practice, educate users and reinforce through repetition. Whether made by a public or private organisation, security processes should ultimately be the same and user access should be a top priority, given insider threats are the predominant cause of phishing and other breaches."

Carson points to the proliferation of NHS email, SMS and web-based phishing attacks over the past year, adding that so far we've seen cyberattack campaigns lure thousands of victims into leaking sensitive information, such as log-in credentials and payment details. "In fact, these phishing campaigns have been so sophisticated and widespread that business leaders can only reasonably assume that a colleague or employee has already fallen victim to one - especially if they have been working remotely for the first time in their career."

Cybersecurity and awareness training for all employees should be a top priority, adds Carson. "The earlier you identify attacks, the quicker you can implement detection and response controls to mitigate any impact. However, training alone is not enough and we shouldn't expect employees to all become cybersecurity professionals. While they should be made aware of common phishing techniques and how to identify and report such attacks, it is imperative for companies to adopt a zero-trust approach enforced by least privilege access.

"This way, a user will only get access to specific applications and data once their identity has been verified and only for the time needed to complete the task, thus ensuring that leaked log-in credentials do not necessarily translate to a breach of data. Every organisation will likely have at least one employee who will click on something bad, so let's adopt a zero-trust approach to reduce the impact of when that happens."

TUNNEL VISION<br />
According to recent research from OpenText,<br />
there was a 1,122% increase in phishing<br />
attacks in the first quarter of <strong>2022</strong>,<br />
compared to Q1 in 2021. To ensure cyber<br />
resilience, it states, organisations must<br />
deploy strong, multi-layered security and<br />
data protection policies to prevent, respond<br />
to and quickly recover from threats. With this<br />
in mind, OpenText Security Solutions has<br />
unveiled new patent-pending technology<br />
that, it says, "stops rogue DNS requests and<br />
identifies and blocks vulnerabilities exposed<br />
through DNS, including tunnelling and data<br />
exfiltration attacks".<br />
Real-time threat intelligence is an essential<br />
component of a business's cyber resilience<br />
strategy, advises Open Text, citing the<br />
following findings in a <strong>2022</strong> BrightCloud<br />
Threat Intelligence report:<br />
• 1,122% increase in phishing in the first<br />
quarter of <strong>2022</strong>, compared to 2021 Q1<br />
phishing numbers, indicating a break from<br />
the trend of hackers taking a holiday in Q1<br />
• For the first time, Instagram broke into<br />
the top five most impersonated brands<br />
for phishing, demonstrating increased<br />
targeting of younger users<br />
• 36.1% reduction in malware encounters<br />
for customers using both endpoint and<br />
DNS protection versus only endpoint<br />
protection, reinforcing the added efficacy<br />
benefit of securing DNS and using layered<br />
security.<br />
"With security risks escalating worldwide<br />
and a persistent state of evolving threats,<br />
compromises are inevitable, so security<br />
remains job number one," says Mark J.<br />
Barrenechea, OpenText CEO and CTO.<br />
"Through our breadth of OpenText Security<br />
Cloud, we make it easier for businesses to<br />
increase their cyber resilience posture and<br />
protect themselves against threats. And if a<br />
vulnerability unfortunately leads to a breach,<br />
our solutions enable quick detection,<br />
response and recovery to minimise<br />
disruption."<br />
12<br />
computing security <strong>Jul</strong>y/<strong>Aug</strong>ust <strong>2022</strong> @<strong>CS</strong>MagAndAwards www.computingsecurity.co.uk
compliance<br />
IS COMPLIANCE ENOUGH WHEN<br />
IT COMES TO YOUR INFORMATION<br />
SECURITY?<br />
PAUL HARRIS, MANAGING DIRECTOR AT PENTEST LIMITED, LOOKS<br />
AT THE ISSUE OF INFORMATION SECURITY WITHIN COMPLIANCE<br />
As a penetration testing company,<br />
we often get approached by<br />
organisations looking to conduct<br />
security testing as part of their compliance<br />
obligations, whether that's to comply with<br />
industry-specific regulations, such as PCI DSS,<br />
more general regulations such as GDPR,<br />
government-backed schemes, such as Cyber<br />
Essentials Plus, or as part of international<br />
quality standards, such as ISO 27001.<br />
Whatever the compliance need, information<br />
security has quickly become a core<br />
requirement within both regulatory and<br />
voluntary compliance standards across<br />
the globe.<br />
In many ways, compliance requirements have<br />
been a fantastic driver for information security<br />
improvement, bringing much needed<br />
attention to the issues and ensuring that<br />
necessary security measures are being put in<br />
place, even if this has been slightly forced<br />
upon them.<br />
For many organisations, however, achieving<br />
compliance has now become the end goal<br />
when it comes to their information security<br />
efforts, with many believing that compliance<br />
shows they've done enough. Box ticked; job<br />
done. For this year at least.<br />
Whilst any information security improvement<br />
effort is to be commended, achieving<br />
compliance doesn't necessarily mean your<br />
organisation is secure. Far from it. In fact,<br />
many information security requirements are<br />
designed as a minimum, baseline standard,<br />
rather than an end goal.<br />
Yes, having a certificate or accreditation is<br />
an important achievement and it's something<br />
that can be shouted about. But is a baseline<br />
truly enough for your organisation, and<br />
your clients, when it comes to information<br />
security? For many, the answer should be no,<br />
but that's not to say it isn't a good starting<br />
point. So, how do you take your information<br />
security efforts further, using your compliance<br />
requirements as a starting point?<br />
EXPAND YOUR FOCUS<br />
The first thing to mention is that compliance<br />
can often have a limited scope, whether it's<br />
your Card Data Environment (PCI DSS) or your<br />
information security systems (ISO 27001).<br />
Whilst these critical areas certainly require<br />
attention, purely focusing your security efforts<br />
on satisfying compliance requirements could<br />
mean that other, potentially less secure, areas<br />
of your business are being overlooked, if not<br />
completely ignored.<br />
Security efforts therefore need to take a much<br />
broader view than your compliance<br />
obligations, looking at your business as a<br />
whole, rather than specific areas in isolation.<br />
MAKE SURE SECURITY EFFORTS<br />
ARE ONGOING, NOT ONE-OFFS<br />
When it comes to compliance, it's easy to think<br />
that once certification is achieved it's<br />
job done. However, compliance is only truly<br />
effective when efforts are made continuously.<br />
The same can be said for your wider security.<br />
What is considered 'safe' today could be<br />
vulnerable tomorrow and there are no set<br />
standards to aim for; it's about employing<br />
an ongoing improvement mindset, rather than<br />
looking to reach a one-off goal.<br />
HOLD YOURSELF TO HIGHER<br />
STANDARDS; YOUR CUSTOMERS<br />
OFTEN WILL<br />
Compliance isn't an issue for many<br />
organisations. Why? Because their own<br />
internal standards far surpass the requirements<br />
set out by the necessary regulations. When<br />
you set yourself these higher standards,<br />
compliance is achieved almost by default.<br />
This mindset can be driven by the<br />
organisation itself, though it can also be driven<br />
by security-aware customers, many of whom<br />
will require more robust assurances than basic<br />
compliance standards can offer.<br />
events & exhibitions<br />
Infosec <strong>2022</strong> at the ExCeL was a showcase for much of the latest technologies and solutions.<br />
INFOSEC EUROPE MAKES WELCOME RETURN<br />
AFTER ALL THE TRIALS AND TRIBULATIONS OF THE COVID LOCKDOWNS, THE CYBERSECURITY COMMUNITY<br />
WAS FINALLY ABLE TO COME BACK TOGETHER IN PERSON FOR INFOSECURITY EUROPE <strong>2022</strong><br />
In the spirit of Infosecurity Europe<br />
<strong>2022</strong>'s theme, 'Stronger Together',<br />
more than 370 exhibitors, 249<br />
speakers and many thousands of visitors<br />
came through the doors at London's<br />
ExCeL.<br />
On the exhibition floor, numerous<br />
companies used Infosecurity Europe as<br />
a platform for launching new products,<br />
demoing their solutions and announcing<br />
their news.<br />
Visitors were able to explore specialist<br />
zones and showcases dedicated to new<br />
technologies, innovative companies and<br />
the security leaders of tomorrow. These<br />
included the Discovery Zone, the Start-Up<br />
Zone, and the Technology Showcase -<br />
where they could discover the latest<br />
products, services and solutions, as well<br />
as learn about solving technical problems.<br />
Infosecurity Europe <strong>2022</strong> offered plenty<br />
of chances for people to get together<br />
and network, including the sixth annual<br />
Women in Cybersecurity Networking<br />
Event, and the Leaders Lounge, an<br />
exclusive 'home' for CISOs and heads<br />
of information security.<br />
Cyber professionals also took full<br />
advantage of the opportunities to develop<br />
their knowledge, expertise and skills.<br />
These included immersive learning<br />
activities and in-depth roundtable<br />
discussions on Geek Street, and a series<br />
of Security Workshops delivered by<br />
experts from organisations including<br />
Cisco, Google Cloud, the Chartered<br />
Institute of Information Security and<br />
Cloud Security Alliance.<br />
TALKING HEADS<br />
Meanwhile, the conference programme<br />
opened with a keynote presentation from<br />
Lieutenant General Tom Copinger-Symes<br />
of UK Strategic Command, responsible for<br />
accelerating the digital transformation<br />
of UK Defence. His talk focused on how<br />
to tackle the uncertain future of security<br />
threats, adapting to the changing<br />
landscape to anticipate, prevent, prepare<br />
for, respond to and recover from risks.<br />
The TryHackMe team, with (on the left) Erika Lewis,<br />
director, Cyber Security and Digital Identity, DCMS.<br />
Topping the bill on the second day<br />
was former Head of MI5 Baroness Eliza<br />
Manningham-Buller, who has led<br />
organisations through remarkable and<br />
pressurised times, from counter terrorism<br />
to pandemics. Through this lens, she<br />
explored the topic of how to lead an<br />
organisation when things have turned<br />
decidedly unpredictable.<br />
Day Two also saw TryHackMe ‘crowned’<br />
as the winner of the UK's Most Innovative<br />
Cyber SME competition, run by the<br />
Department for Digital, Culture, Media<br />
& Sport (DCMS), Infosecurity Europe and<br />
techUK. The company provides hands-on,<br />
immersive security training through real-world<br />
scenarios, via a platform anyone<br />
can access through their browser.<br />
The main keynote presentation on the<br />
final day was delivered by International<br />
Hostage and Kidnap Negotiation Expert<br />
Suzanne Williams, who shared the lessons<br />
learned from her experiences of remaining<br />
resilient in difficult situations, decision-making<br />
under pressure and calculated risk-taking.<br />
Also on Day Three, renowned 'People<br />
Hacker' Jenny Radcliffe became the latest<br />
industry luminary to be inducted into<br />
the Infosecurity Hall of Fame. Radcliffe<br />
is celebrated for her work exploring,<br />
identifying and addressing human-centred<br />
information security vulnerabilities.<br />
Following her induction, she delivered the<br />
Infosecurity Hall of Fame Annual Lecture,<br />
in which she reflected on her lifetime of<br />
social engineering and physical infiltration<br />
work.<br />
THREAT INSIGHTS<br />
Also attracting large audiences on the<br />
Keynote Stage were investigative journalist<br />
Geoff White, author of 'The Lazarus Heist',<br />
who gave an account of how government-sponsored<br />
cyber attackers are increasingly<br />
interacting with organised crime gangs,<br />
and Misha Glenny - author, journalist<br />
and specialist in organised crime and<br />
cybersecurity - who offered unique<br />
insights into the challenges geo-political<br />
tensions are creating across the tech<br />
sector. There were a number of other<br />
conference theatres open during the<br />
event, many of which enjoyed full houses,<br />
with speakers exploring various topics,<br />
from ransomware response, threat<br />
detection and battling endpoint<br />
cybercrime, to back-up strategies, IoT<br />
security and DevSecOps.<br />
The Tech & Strategy Talks stage, for<br />
example, featured bite-size presentations<br />
sharing cybersecurity insight, knowledge<br />
and expertise from organisations including<br />
Trend Micro, Canonic Security, Microsoft,<br />
Osirium, Varonis and CrowdStrike.<br />
Infosecurity Europe 2023 will run from 20-<br />
22 June at ExCeL London.<br />
autonomous vehicles & threats<br />
STEERING ON THE SAFE SIDE OF AUTONOMY<br />
AUTONOMOUS VEHICLES ARE INCREASINGLY MAKING HEADLINES AND NOT ALWAYS FOR THE RIGHT REASONS.<br />
HERE, PETER LANE, INFORMATION SECURITY CONSULTANT, XCINA CONSULTING, LOOKS AT HOW NETWORKS<br />
AND SYSTEMS CAN BE PROTECTED FROM ATTACKS OR VULNERABILITIES<br />
There was once a time when travel was<br />
far more simple. To board a vehicle<br />
and save your personal energy was<br />
an achievement, even when the 'vehicle'<br />
was a bicycle. The same may be said for<br />
communication, when a message would<br />
be delivered by hand and then, eventually,<br />
by a miraculous feat, flown through the<br />
waves in invisible data packets and taking<br />
several minutes to upload and then receive.<br />
However, the exponential growth in technology<br />
has brought us to our present day.<br />
Advances in technology continue on a<br />
near daily basis. A strong example of this is<br />
Autonomous Vehicles (AVs) and the rate at<br />
which they are experiencing rapid growth<br />
and acceptance throughout the world.<br />
There are several levels of AVs, depending<br />
on their degree of autonomy. The levels<br />
shown in the table on page 17 have been<br />
created by the Society of Automotive<br />
Engineers (SAE) and adopted by the US<br />
Department of Transportation.<br />
THREATS TO AVS<br />
As we commonly see in security, the threats<br />
may broadly be segregated by the CIA<br />
triad: confidentiality of information in<br />
the vehicle or pertaining to the driver;<br />
integrity of information that the vehicle<br />
or organisation relies on, where the vehicle<br />
may send false data or even receive<br />
false data during what it believes is an<br />
'over the air' software update; and availability,<br />
perhaps of the communication systems or,<br />
worse, the vehicle controls themselves.<br />
Modern vehicles contain tools to aid in<br />
the efficiency and overall experience of<br />
driving. Unfortunately, they also create<br />
a number of vulnerabilities by relying on<br />
Electronic Computing Units (ECUs) to<br />
conduct the complex processes required<br />
for your driver assist and infotainment<br />
functions.<br />
This results in up to 100 million lines<br />
of code programmed into the ECUs, a<br />
significant number when compared to<br />
the approximately 25 million lines of code<br />
written into the ECUs of a passenger<br />
aeroplane. Vehicles contain a myriad<br />
of sensors, cameras, radars and Light<br />
Detection and Ranging (LIDAR) systems, all<br />
of which contain their own vulnerabilities.<br />
Common attack vectors are not unique to<br />
vehicles: they are shared throughout the<br />
wider cybersecurity industry with all<br />
connected systems. From unauthorised<br />
software modifications to Denial of Service<br />
(DoS) attacks, compromising user privacy<br />
and vehicle safety is achievable and has<br />
been proven on several occasions - see the<br />
graphic on page 16.<br />
Another target may be the occupants<br />
or owner's information. From a private<br />
owner's perspective, owning a vehicle and<br />
using its technology paints a map of your<br />
life and lifestyle. The information you rely<br />
on your vehicle for is growing with each<br />
new technological development. Owners<br />
and organisations need to consider the<br />
safety of people in the vehicle and around<br />
them but also need to consider the private<br />
data that is at risk. The vehicle itself<br />
contains data such as the locations visited<br />
and as most drivers now use some level<br />
of mobile phone connectivity within the<br />
vehicle, their personal data is also<br />
vulnerable.<br />
COMBAT THE THREAT<br />
Considering the modern vehicle as a form<br />
of computer is actually a good first step.<br />
How do we protect our networks and<br />
systems from attacks or vulnerabilities?<br />
The answer is 'Deter', 'Prevent' and 'Detect'<br />
the attacks. Unfortunately, the ability to<br />
prevent and deter is hampered somewhat<br />
by the logistical difficulties in vehicle<br />
manufacturing, but progress is being<br />
made. Due to the myriad of third parties<br />
involved in vehicle manufacture, a holistic<br />
approach to security is very difficult to<br />
achieve. Components found within<br />
a vehicle may come from different<br />
companies or even different countries,<br />
each with their own approach to security.<br />
In June 2020 the World Forum for<br />
Harmonization of Vehicle Regulations<br />
under the United Nations Economic<br />
Commission for Europe (UNECE)<br />
announced the adoption of frameworks to<br />
address the increase and significance of<br />
software and connectivity in vehicles. This<br />
has provided a basis for new regulations<br />
that have enacted cybersecurity<br />
requirements for future vehicles in more<br />
than 60 countries. To help combat the<br />
threat, new companies and services<br />
are being developed. Large automotive<br />
manufacturers are now seeking their<br />
guidance or use of the products during<br />
design and production stages. Porsche,<br />
for example, enlisted GuardKnox<br />
(an Israel-based cybersecurity and<br />
technology company) to improve the<br />
cybersecurity of vehicles produced.<br />
This leaves 'Detect'. Fortunately, the<br />
reliance on computing plays in our favour<br />
here. The Controller Area Network (CAN) is<br />
a communication protocol found in most<br />
modern AVs and is responsible for relaying<br />
information between sensors in the vehicle.<br />
Whilst this has been seen in the past as<br />
a vulnerability with weak security, many<br />
companies are now working to rely on<br />
the CAN to feed an interior Intrusion<br />
Detection System (IDS). Paired with<br />
network behavioural analysis or machine<br />
learning, the IDS will alert a driver or<br />
designated entity when malicious activity<br />
is suspected.<br />
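The 'Detect' approach described above, as an added illustration that is not code from the article or from any vendor it names: a Python example of one common behavioural check, which learns the normal transmit interval of each CAN identifier from clean traffic and then flags unknown identifiers and abnormal intervals. It assumes periodic CAN traffic; the identifiers, timings, tolerance and class names are constructed for the example.<br />

```python
"""Interval-based CAN intrusion detection over constructed frames."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Frame:
    ts_us: int    # capture timestamp, microseconds
    can_id: int   # 11-bit arbitration identifier
    data: bytes   # payload, 0-8 bytes


@dataclass(frozen=True)
class Alert:
    ts_us: int
    can_id: int
    reason: str


class IntervalIDS:
    """Learn each identifier's transmit period, then flag deviations."""

    def __init__(self, tolerance=0.5, min_samples=5):
        self.tolerance = tolerance      # allowed fractional drift (assumed value)
        self.min_samples = min_samples  # gaps needed before an ID counts as periodic
        self.known_ids = set()
        self.period_us = {}

    def train(self, frames):
        """Build the baseline from traffic assumed to be clean."""
        gaps, last_seen = defaultdict(list), {}
        for f in sorted(frames, key=lambda f: f.ts_us):
            self.known_ids.add(f.can_id)
            if f.can_id in last_seen:
                gaps[f.can_id].append(f.ts_us - last_seen[f.can_id])
            last_seen[f.can_id] = f.ts_us
        for can_id, observed in gaps.items():
            if len(observed) >= self.min_samples:
                self.period_us[can_id] = mean(observed)

    def inspect(self, frames):
        """Return alerts for unknown IDs and out-of-tolerance intervals."""
        alerts, last_seen = [], {}
        for f in sorted(frames, key=lambda f: f.ts_us):
            if f.can_id not in self.known_ids:
                alerts.append(Alert(f.ts_us, f.can_id, "unknown-id"))
                continue
            period = self.period_us.get(f.can_id)
            if period is not None and f.can_id in last_seen:
                gap = f.ts_us - last_seen[f.can_id]
                if gap < period * (1 - self.tolerance):
                    # Extra frames squeezed between the legitimate ones.
                    alerts.append(Alert(f.ts_us, f.can_id, "interval-too-short"))
                elif gap > period * (1 + self.tolerance):
                    # Sender went quiet; only noticed when its next frame
                    # arrives, so a deployed IDS would also run a timer.
                    alerts.append(Alert(f.ts_us, f.can_id, "interval-too-long"))
            last_seen[f.can_id] = f.ts_us
        return alerts


def periodic(can_id, period_us, start_us, count, data=b"\x00" * 8):
    """Constructed helper: `count` frames of one ID at a fixed period."""
    return [Frame(start_us + i * period_us, can_id, data) for i in range(count)]


def constructed_baseline():
    """Clean sample traffic: two identifiers at 10 ms and 20 ms periods."""
    return periodic(0x0C4, 10_000, 0, 100) + periodic(0x1A0, 20_000, 500, 50)


def constructed_live():
    """Sample traffic with two extra frames, one new ID and one silent gap."""
    frames = periodic(0x0C4, 10_000, 0, 20)
    # 0x1A0 stops after 80.5 ms and resumes at 160.5 ms.
    frames += periodic(0x1A0, 20_000, 500, 5) + periodic(0x1A0, 20_000, 160_500, 2)
    # Frames that do not fit the learned 10 ms rhythm of 0x0C4.
    frames += [Frame(52_000, 0x0C4, b"\xff" * 8), Frame(62_000, 0x0C4, b"\xff" * 8)]
    # An identifier never seen during training.
    frames.append(Frame(75_000, 0x7E0, b"\x02\x10\x03"))
    return frames


if __name__ == "__main__":
    ids = IntervalIDS()
    ids.train(constructed_baseline())
    for alert in ids.inspect(constructed_live()):
        print(f"{alert.ts_us:>7} us  id=0x{alert.can_id:03X}  {alert.reason}")
```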
Unfortunately, this will not stop malicious<br />
actors finding new vulnerabilities in the<br />
system throughout the vehicle's lifespan,<br />
but it does address the previously mixed<br />
approach to security by design. Owners and<br />
organisations can implement small security<br />
procedures through their own practice to<br />
lower certain risks:<br />
• Adopt strict password procedures<br />
(complex and changed regularly)<br />
• Organisations may use network<br />
segmentation for connected vehicles<br />
in their fleets<br />
• Limit the use of GPS services, use<br />
them only when needed<br />
• Educate users on security implications<br />
and risks to personal or company data.<br />
If all else fails, Ferrari announced in June<br />
<strong>2022</strong> that they will limit autonomy in their<br />
vehicles to Level 2. Whilst their intention<br />
is to preserve 'emotion' for the driver, less<br />
autonomy will mean fewer of the security vulnerabilities<br />
that we have discussed in this article.<br />
However, one might argue that not everyone<br />
can afford that choice.<br />
ADVICE & SUPPORT<br />
If your firm would benefit from our advice and<br />
support, visit us at www.xcinaconsulting.com.<br />
We provide our clients with pragmatic advice<br />
and guidance to ensure the protection of<br />
connected devices.<br />
For more information, contact us at:<br />
info@xcinaconsulting.com<br />
LEVEL | DESCRIPTION<br />
0 | No automation; all major systems are human-controlled<br />
1 | Includes automated systems, such as cruise control or automatic braking<br />
2 | Partial driving automation, but human intervention is still needed<br />
3 | Conditional automation and environmental detection; human override still necessary<br />
4 | Officially driverless vehicles. Can operate in self-driving mode in limited areas and speeds, but legislative and infrastructure limitations restrict full adoption of these vehicles<br />
5 | Full vehicle autonomy; no legislative or infrastructure restrictions or limitations and no human interaction required. Testing of fully autonomous vehicles is currently ongoing in several markets globally; however, none are yet available to the public<br />
encryption<br />
'TWO-THIRDS OF MALWARE ENCRYPTED'<br />
REPORT HIGHLIGHTS DANGERS THAT THREATEN WITHOUT<br />
HTTPS INSPECTION AND FINDS THE UK IS A TOP TARGET<br />
A massive 67% of all malware in Q1<br />
2020 was delivered via encrypted<br />
HTTPS (Hypertext Transfer Protocol<br />
Secure) connections, with 72% of encrypted<br />
malware classified as zero day - and so would<br />
have evaded signature-based antivirus<br />
protection.<br />
These findings - in WatchGuard<br />
Technologies' latest Internet Security Report* -<br />
suggest that, without HTTPS inspection of<br />
encrypted traffic and advanced behaviour-based<br />
threat detection and response,<br />
organisations are missing up to two-thirds of<br />
incoming threats. The report also highlights<br />
that the UK was a top target for cyber<br />
criminals in Q1, earning a spot in the top<br />
three countries for the five most widespread<br />
network attacks.<br />
"Some organisations are reluctant to set up<br />
HTTPS inspection due to the extra work<br />
involved, but our threat data clearly shows<br />
that a majority of malware is delivered<br />
through encrypted connections and that<br />
letting traffic go uninspected is simply no<br />
longer an option," says Corey Nachreiner,<br />
chief technology officer at WatchGuard.<br />
"As malware continues to become more<br />
advanced and evasive, the only reliable<br />
approach to defence is implementing a set of<br />
layered security services, including advanced<br />
threat detection methods and HTTPS<br />
inspection." Other key findings from<br />
WatchGuard's report include the following:<br />
Monero cryptominers surge in popularity. Five<br />
of the top ten domains distributing malware<br />
in Q1 (identified by WatchGuard's DNS<br />
filtering service DNSWatch) either hosted or<br />
controlled Monero cryptominers. This sudden<br />
jump in cryptominer popularity could simply<br />
be due to its utility; adding a cryptomining<br />
module to malware is an easy way for online<br />
criminals to generate passive income.<br />
Flawed-Ammyy and Cryxos malware variants<br />
join top lists. The Cryxos trojan was third on<br />
WatchGuard's top-five encrypted malware<br />
list and also third on its top-five most<br />
widespread malware detections list, primarily<br />
targeting Hong Kong. It is delivered as an<br />
email attachment disguised as an invoice<br />
and will ask the user to enter their email and<br />
password, which it then stores. Flawed-<br />
Ammyy is a support scam where the attacker<br />
uses the Ammyy Admin support software to<br />
gain remote access to the victim's computer.<br />
Three-year-old Adobe vulnerability appears<br />
in top network attacks. An Adobe Acrobat<br />
Reader exploit that was patched in <strong>Aug</strong>ust<br />
2017 appeared in WatchGuard's top network<br />
attacks list for the first time in Q1. This<br />
vulnerability resurfacing several years after<br />
being discovered and resolved illustrates the<br />
importance of regularly patching and<br />
updating systems.<br />
Mapp Engage, AT&T and Bet365 targeted<br />
with spear phishing campaigns. Three new<br />
domains hosting phishing campaigns<br />
appeared on WatchGuard's top-ten list in Q1<br />
2020. They impersonated digital marketing<br />
and analytics product Mapp Engage, online<br />
betting platform Bet365 (this campaign was<br />
in Chinese) and an AT&T login page (this<br />
campaign is no longer active at the time of<br />
the report's publication).<br />
MASSIVE ATTACK SURGE<br />
COVID-19 Impact. Q1 2020 was only the<br />
start of the massive changes to the cyber<br />
threat landscape brought on by the COVID-<br />
19 pandemic. Even in these first three<br />
months of 2020, we still saw a massive rise<br />
in remote workers and attacks targeting<br />
individuals.<br />
Malware hits and network attacks decline.<br />
Overall, there were 6.9% fewer malware hits<br />
and 11.6% fewer network attacks in Q1,<br />
despite a 9% increase in the number of<br />
Fireboxes contributing data. This could be<br />
attributed to fewer potential targets<br />
operating within the traditional network<br />
perimeter with worldwide work-from-home<br />
policies in full force during the COVID-19<br />
pandemic.<br />
SEEKING GREATER CONTROL<br />
Organisations reporting having a consistent,<br />
enterprise-wide encryption strategy leapt<br />
from 50% to 62%, as they seek greater<br />
control of the data they have distributed<br />
across multiple cloud environments. This<br />
is according to the Entrust <strong>2022</strong> Global<br />
Encryption Trends Study, the 17th annual<br />
multinational survey of security and IT<br />
professionals conducted by the Ponemon<br />
Institute.<br />
The latest findings suggest companies are<br />
taking data protection more seriously, but<br />
there's still a way to go, it is stated. While the<br />
Ponemon research has shown a steady<br />
increase in enterprise-wide encryption<br />
adoption over the years, this year's study<br />
revealed a dramatic jump from 50% to<br />
62% in those respondents saying that their<br />
organisations have an encryption policy<br />
that is consistently applied. Similarly, 61%<br />
of respondents rated the level of their<br />
senior leaders' support for enterprise-wide<br />
encryption strategy as significant or very<br />
significant.<br />
This year's report also revealed significant<br />
decreases since 2021 in the top two biggest<br />
challenges in planning and executing a data<br />
encryption strategy, namely finding the data<br />
(55% down from 65%) and classifying it<br />
(27% down from 34%).<br />
"The large jump in respondents reporting<br />
consistently applied encryption policies across<br />
their organisations, together with high<br />
support from senior leadership, points to<br />
a real enterprise awakening to the need for<br />
proactive data security," says John Metzger,<br />
vice president of product marketing for<br />
digital security solutions at Entrust. "While<br />
this year's study also reveals that there are still<br />
gaps in the implementation of encryption for<br />
several categories of data, it's nonetheless<br />
a big step forward."<br />
While the results indicate that companies<br />
have gone from assessing the problem to<br />
acting on it, they also reveal encryption<br />
implementation gaps across many sensitive<br />
data categories. For example, just 34% of<br />
respondents say that encryption is extensively<br />
deployed across containers, 31% for big data<br />
repositories and 34% across IoT platforms.<br />
Similarly, while 63% of global respondents<br />
rate hardware security modules (HSMs) as<br />
an important part of an encryption and key<br />
management strategy, half said they were<br />
still lacking HSMs. These results highlight<br />
the accelerating digital transformation<br />
underpinned by the movement to the cloud,<br />
as well as the increased focus on data<br />
protection.<br />
UNPROTECTED DATA TRANSFERS<br />
This year's study also reveals how the flow<br />
of sensitive data into multiple cloud<br />
environments is forcing enterprises to<br />
increase their security in this space. Notably,<br />
this includes containerised applications,<br />
where the use of HSMs reached an all-time<br />
high of 40%.<br />
More than half of respondents (55%)<br />
admitted that their organisations transfer<br />
sensitive or confidential data to the cloud<br />
whether or not it is encrypted or made<br />
unreadable via some other mechanism, such<br />
as tokenisation or data masking. However,<br />
another 27% said they expect to do so in the<br />
next one to two years.<br />
"The rising adoption of multi-cloud<br />
environments, containers and serverless<br />
deployments, as well as IoT platforms, is<br />
creating a new kind of IT security headache<br />
for many organisations," adds Metzger. "This<br />
is compounded by the growth in<br />
ransomware and other cybersecurity attacks.<br />
This year's Global Encryption Trends study<br />
shows that organisations are responding by<br />
looking to maintain control over encrypted<br />
data, rather than leaving it to platform<br />
providers to secure."<br />
Corey Nachreiner, WatchGuard: the only<br />
reliable approach to defence is<br />
implementing a set of layered security<br />
services.<br />
John Metzger, Entrust: organisations are<br />
looking to maintain control over encrypted<br />
data, rather than leaving it to platform<br />
providers to secure.<br />
* The findings in WatchGuard's Internet Security<br />
Reports are drawn from anonymised Firebox Feed<br />
data from active WatchGuard appliances whose<br />
owners have opted in to share data to support the<br />
Threat Lab's research efforts. Today, over 44,000<br />
appliances worldwide contribute threat intelligence<br />
data to the report. In Q1 2020, they blocked over<br />
32,148,519 malware variants in total (730 samples<br />
per device) and more than 1,660,000 network<br />
attacks (38 attacks per device).<br />
ransomware<br />
RANSOMWARE DEVASTATION<br />
DESPITE SPENDING BILLIONS ON CYBERSECURITY TOOLS, BUSINESSES ARE ALLEGED<br />
STILL TO BE POORLY PREPARED FOR RANSOMWARE ATTACKS. WHAT’S THE SOLUTION?<br />
Ransomware attacks continue to impact<br />
organisations worldwide - and the costs<br />
are staggering, says Florian Malecki,<br />
executive vice president marketing, Arcserve.<br />
"A new global survey of over 1,100 IT decision<br />
makers at small and midsize companies found<br />
that 50% had been targeted by a ransomware<br />
attack, with 35% asked to pay over<br />
$100,000 in ransom, and 20% asked to pay<br />
between $1 million and $10 million. In the<br />
UK, 50% of respondents said they had no<br />
choice but to pay the ransom."<br />
And he adds: "The sad truth is that, despite<br />
spending billions on cybersecurity tools,<br />
businesses are still poorly prepared for<br />
ransomware attacks. For this reason,<br />
companies must take a new approach to data<br />
resilience. They must strengthen their disaster-recovery<br />
strategies, backup systems and<br />
immutable storage solutions to prevent the<br />
loss of mission-critical data." He offers five<br />
steps that organisations can take to reduce<br />
their exposure to ransomware and "avoid<br />
staggering losses":<br />
Educate employees. "It's essential to invest in<br />
training for staff, so that they're aware of how<br />
ransomware works. From there, employees<br />
will be better prepared to recognise and<br />
prevent it."<br />
Focus on cures, as well as prevention. "It's time<br />
for companies to stop focusing entirely on<br />
prevention. They should also invest in curative<br />
measures like backup & recovery and<br />
immutable storage that allow them to quickly<br />
restore their data and avoid paying the<br />
ransom when attackers break in."<br />
Place a premium on data resilience. "Your data<br />
resilience is only as strong as your weakest<br />
link. Monitor your weaknesses, fix them when<br />
you find them, and you can bounce back<br />
quickly from disruption and return to normal<br />
operation. To do this, you must have the<br />
technologies required to back up your data<br />
and recover it, if necessary, along with the<br />
proper mindset."<br />
Know what data is most critical. "Data varies<br />
in value. If you're concerned about costs, as<br />
most organisations are these days, you don't<br />
have to store or back up all your data in the<br />
same place. Look into storage solutions that<br />
provide options like data tiering. These enable<br />
you to place less-important data in less-expensive<br />
levels of storage or 'tiers'."<br />
Put a disaster-recovery plan in place. "A good<br />
disaster-recovery solution will back up your<br />
data to a location of your choice and on a<br />
schedule that suits you. It will also be easy to<br />
test, which is crucial because testing is the<br />
only way you can validate that your recovery-time<br />
goals can be met."<br />
SOPHISTICATED AND BOLDER<br />
Year on year, threat actors have ramped up<br />
ransomware activities. But, in the past two<br />
years, they have become more sophisticated<br />
and bolder, with devastating consequences,<br />
points out Brett Raybould, EMEA solutions<br />
architect, Menlo Security. "Critical<br />
infrastructure attacks are on the rise, with<br />
the Colonial Pipeline attack perhaps the<br />
most well-known example. Sadly in 2021,<br />
one ransomware attack on a hospital in<br />
Duesseldorf led to the death of a woman after<br />
she was diverted to another city to be treated.<br />
The year also saw a record $70m ransom<br />
demand from Kaseya, the company affected<br />
by a zero-day exploitation that went on to<br />
affect 1,500 businesses - a supply chain attack<br />
rivalling that of the SolarWinds incident of<br />
2020."<br />
Since the pandemic, and the transition<br />
to remote and hybrid working models,<br />
companies continue to expand their digital<br />
footprint and reliance on web-based<br />
applications, leading to a greater volume of<br />
ransomware attacks exploiting vulnerabilities<br />
in cloud applications and tools. "For<br />
ransomware to be curbed effectively, there<br />
needs to be a greater focus on business<br />
continuity and disaster recovery strategies, so<br />
firms can limit the damages inflicted by a<br />
potential attack," he adds. "Greater attention<br />
must be placed on the threat of supply chain<br />
attacks and third-party connectivity. This<br />
involves a mindset shift to prepare for the risks<br />
presented by third parties to reduce what is a<br />
growing attack surface among organisations."<br />
Right now, this largely requires a proactive<br />
initiative from companies, states Raybould.<br />
"But we could see a change in regulations and<br />
government guidance in the future."<br />
According to a Menlo Security poll, over half<br />
(55%) of respondents felt that responsibility<br />
for protection should fall to government.<br />
"For more organisations to pay attention,<br />
governments may need to take greater action<br />
in the fight against ransomware. We're<br />
already seeing mandatory reporting<br />
procedures on ransomware in APAC, so I<br />
wouldn't be surprised to see this elsewhere.<br />
"We also anticipate greater collaboration<br />
between governments and large corporations<br />
like Google and Microsoft - initiatives that are<br />
beginning to gather momentum already,<br />
as demonstrated by DMARC email<br />
authentication. Such initiatives provide the<br />
building blocks for something greater.<br />
Without question, open collaboration and<br />
the sharing of tools across the industry could<br />
really help to address the ransomware<br />
challenges businesses and governments<br />
currently face."<br />
EASY ACCESS FOR CYBERCRIMINALS<br />
The explanation for the exponential growth<br />
of ransomware attacks, which sometimes<br />
doubles or even quadruples, year-on-year, can<br />
be attributed to the highly agile nature of the<br />
market, states James Tamblin, president,<br />
BlueVoyant UK. "The cyber-criminal economy<br />
presents a cybercrime-as-a-service (CaaS)<br />
model that provides ready-made tools and<br />
services, lowering the barriers to entry for<br />
newcomers and groups alike. It allows less<br />
'tech savvy' cyber criminals easy access to<br />
the market which ensures even more<br />
organisations fall victim. Not to mention, the<br />
increased digitalisation over the last two years<br />
where organisations and services rapidly<br />
shifted online and, in parallel, rapidly<br />
increased their attack vectors, leaving their<br />
digital front door open to threat."<br />
Another explanation for the increase is new<br />
tactics, including double extortion, where<br />
criminals exfiltrate data in addition to<br />
encrypting it. "Double extortion has now<br />
escalated to triple extortion with tactics such<br />
as leak sites, a hugely successful method used<br />
in ransomware attacks. Triple extortion often<br />
leads to associated media publicity, ensuring<br />
companies 'pay the piper'."<br />
This public extortion method has reduced<br />
the ability to contain an attack, adds Tamblin.<br />
"Ransomware attacks have a huge knock-on<br />
effect, not only fiscally, but it is also almost<br />
impossible to quantify the final impact of the<br />
attack after reputation is damaged, customer<br />
relationships sullied and operations affected.<br />
The burden of compliance fines further<br />
increases the secrecy shrouding ransomware,<br />
as companies may choose to pay the<br />
ransomware in secret. Companies can expect<br />
this cost to rise as regulations tighten and<br />
future government policy may increasingly<br />
need to address this burden."<br />
In this climate, companies and organisations<br />
must increase their awareness and risk<br />
tolerance toward cyber threats, he continues.<br />
"There are a range of ways organisations<br />
can reduce this risk and contain the threat,<br />
starting with implementing multi-factor<br />
authentication (MFA) across all accounts.<br />
BlueVoyant has observed that cyber attackers<br />
will often move on to easier targets when<br />
MFA is used effectively. Other important<br />
methods include implementing both a Zero-<br />
Trust approach and the 'principle of least<br />
privilege', a security concept wherein<br />
employees only hold access they need."<br />
BEYOND THE DISCONNECT<br />
While newfound awareness of the existing<br />
cyber threat landscape is a critical first step<br />
towards building a robust defence, this has<br />
yet to be paired with the necessary security<br />
measures and strategies, argues Mike Varley,<br />
threat consultant at Adarma. "For the most<br />
part, there appears to be a disconnect<br />
between how prepared businesses believe<br />
themselves to be and where they truly stand.<br />
Despite 96% of respondents stating that they<br />
were confident in their existing deterrents and<br />
preventive measures, a staggering 58% of<br />
businesses surveyed have already been hit<br />
with ransomware," he comments. "Moreover,<br />
more than one in every five companies does<br />
not have an incident plan in place, suggesting<br />
that cybersecurity is not as much of a priority<br />
as they claim. To put it simply, many are failing<br />
to walk the talk."<br />
Organisations must also take a proactive<br />
approach to mitigating ransomware attacks,<br />
Varley says - "that is, prevent, prepare, detect<br />
and eliminate" - while recommending the<br />
following actions:<br />
Keep software updated - "Keeping systems<br />
up to date should be a priority. Organisations<br />
must ensure effective management of their<br />
technology infrastructure, systems and<br />
services, including the adequate patching of<br />
devices and systems, ensure sufficient network<br />
security and replace unsupported software."<br />
Adopt a proactive mindset - "Organisations<br />
need to adopt a proactive approach to<br />
cybersecurity to ensure that essential functions<br />
and operations can continue even after<br />
a cyber-criminal has penetrated defences<br />
and compromised digital assets."<br />
Utilise better threat detection - "When<br />
ransomware worms its way past your<br />
defences, damage is measured by the time<br />
taken to detect, investigate, contain and<br />
resolve the threat. The longer your exposure,<br />
the greater the incident impact. It's more<br />
efficient to stop a ransomware attack before<br />
it has a chance to do any damage."<br />
Regularly back up data - "To prevent<br />
ransomware disrupting business operations,<br />
it's vital that organisations regularly back up<br />
company data. If a cyber incident occurs, the<br />
organisation will be able to quickly fall back<br />
on a recent backup version."<br />
Improve employee cyber awareness -<br />
"Ransomware attacks can be the result of<br />
poor employee cyber awareness or bad<br />
habits. For example, employees may use easily<br />
guessable passwords or the same password<br />
for multiple accounts. Organisations can<br />
mitigate this risk by providing employee<br />
training and running regular attack<br />
simulations/digital health check-ups to see<br />
if their employees are practising good cyber<br />
hygiene."<br />
ONE STEP AHEAD<br />
The traditional way to prevent ransomware is<br />
to identify and then block malicious activities,<br />
points out Nigel Thorpe, technical director at<br />
SecureAge. "But cybercriminals have a habit of<br />
being one step ahead and continually use<br />
new techniques to prevent their malware<br />
from being identified."<br />
In a business environment, there is generally<br />
no reason for a previously unknown<br />
executable or script to run, he says. "The<br />
software for a typical business PC is built to<br />
a standard design that includes all the tools<br />
that its user will require. A better way is to<br />
block all unauthorised processes which are<br />
not on the 'allow list' from executing. So, if<br />
a malicious executable or script attempts to<br />
run, it is simply blocked.<br />
"The other mainstream approach to<br />
protecting data is to encrypt it using tools<br />
such as database and full disk encryption,<br />
such as BitLocker. But while full disk<br />
encryption is fine if you lose your laptop,<br />
on a running system it will simply hand over<br />
decrypted data to every process that asks for<br />
it - legitimate or malicious. As cybercriminals<br />
can only steal data from running systems, full<br />
disk encryption cannot prevent this theft."<br />
As you can't demand a ransom for data that<br />
is already encrypted, the answer is to encrypt<br />
all of your data, all of the time, at rest, in<br />
transit and in use and no matter where it gets<br />
copied - including when it is stolen, Thorpe<br />
states. "This way, stolen data remains<br />
worthless - reverse ransomware you might<br />
say. We must stop believing that it's possible<br />
to block all data exfiltration and accept that,<br />
at some time, someone will gain access to the<br />
network with the aim to steal data and that<br />
they will succeed."<br />
Only by encrypting data at source, and by<br />
maintaining data encryption throughout its<br />
lifecycle can ransomware be truly defeated,<br />
he adds. "File-level encryption works silently<br />
in the background so that neither the user<br />
nor the administrator needs to make any<br />
decisions about what should or should not<br />
be encrypted. Data-centric security goes to<br />
the heart of the whole ransomware attack<br />
problem by securing data against both theft<br />
and crypto attacks."<br />
CRITICAL NATIONAL INFRASTRUCTURE<br />
Cyber-attacks on Critical National<br />
Infrastructure (CNI), which largely comprises<br />
industrial entities, are usually politically<br />
motivated and carried out by 'cyber terrorists'<br />
from adversarial nation states, where the<br />
hacker's goal is to disrupt operations or steal<br />
confidential information, which does not<br />
necessarily have a direct financial reward.<br />
Ransomware in the context of CNI brings<br />
a different threat-actor to the forefront -<br />
financial cyber-criminals. "Financial cyber-crime<br />
has found a sweet spot in banking and retail<br />
sectors, but the shift in focus to the industrial<br />
sector/CNI is enabled firstly by a general lack<br />
of cyber-awareness and cyber-investment in<br />
these areas, which makes hacking a CNI<br />
or process industry easier in comparison<br />
to banking infrastructure," says Sashank<br />
Tadimeti, a manager in Protiviti's Technology<br />
Consulting Group.<br />
"Secondly, evolution of 'Ransomware as<br />
a Service' [RaaS] has enabled non-skilled<br />
malicious actors to hire cyber-criminals to<br />
target CNI entities, increasing the number<br />
of ransomware incidents. Thirdly, and most<br />
importantly, the anonymity of cryptocurrency<br />
transactions makes it easier for these<br />
malicious actors to extort money, with a<br />
reduced threat of being identified. All these<br />
factors make ransomware a huge success,<br />
leading to the manifestation of a new threat<br />
in the CNI cyber-space."<br />
The compounded risk arising from these<br />
factors concerns even the most cyber-mature<br />
organisations, as shown by well-known<br />
CNI attacks such as Stuxnet, Shamoon<br />
and, more recently, the Colonial Pipeline<br />
incident, he adds.<br />
"Whilst there is a limited role individual<br />
organisations can play in combating the risk<br />
arising from RaaS and anonymity of crypto-transactions,<br />
'Cyber-Awareness' must be a key<br />
focus for CNI organisations and government<br />
entities. CNI organisations historically have<br />
placed a lot of importance on 'safety' and<br />
often have well-structured and effective safety<br />
awareness programs. CNI Organisations<br />
should consider leveraging these models in<br />
internally advocating cyber awareness and<br />
must ensure the training material stays at<br />
pace with the ever-evolving digital space."<br />
Tadimeti also advises that organisations<br />
should not limit cybersecurity to a compliance<br />
exercise, but aspire to adopt cybersecurity<br />
in its essence. Adopting new technology or<br />
digital solutions without understanding their<br />
ramifications for security, or spending heavily<br />
on cyber tools without properly configuring<br />
them, results in half-baked solutions, leaving<br />
organisations vulnerable to ransomware and<br />
other cyber threats.<br />
"Whilst we are just getting started on our<br />
'CNI - Security journey', the threat actors<br />
and their methodologies are evolving. The<br />
emergence of 'RaaS' and 'Double-Extortion<br />
Ransomware', where hackers demand<br />
a ransom payment from the attacked<br />
organisation and simultaneously seek buyers<br />
for the attacked organisation's confidential<br />
data to optimise their profits, are testimony<br />
to this evolution. Awareness, vigilance and<br />
intelligence are key to combating this<br />
growing epidemic."<br />
MONEY SPEAKS LOUDEST<br />
Ransomware is a variation on the old data<br />
breach, points out Tim Mackey, who is<br />
principal security strategist at the Synopsys<br />
Cybersecurity Research Centre. "In effect, the<br />
cyber criminals have discovered a new way<br />
to monetise their investment in both attack<br />
techniques and processes. If my comments<br />
make it sound like cyber criminals are<br />
behaving like businesses, that's because they<br />
are. If you consider the lifecycle of an attack,<br />
the entry point might be a phishing attack or<br />
the exploitation of a vulnerability.<br />
"The team discovering that entry point might<br />
then install some command-and-control<br />
software, at which point they can sell access<br />
to the system. A buyer of that access then<br />
uses the compromised systems for their<br />
purposes, which might include exfiltration<br />
of data or a combination of ransomware and<br />
data exfiltration.<br />
"Defending against these attacks starts with<br />
first principles. If an attacker is unable to<br />
readily exploit a weakness in people, process<br />
or technology, then they can't execute their<br />
attack and move on to an easier target.<br />
Identifying weaknesses is the province of<br />
threat models, and such models recognise<br />
that no security is perfect. Instead, they<br />
focus on identifying the threat, then defining<br />
reasonable protections to mitigate the threat,<br />
and lastly monitoring for indications that<br />
someone has successfully used the threat<br />
in an attack.<br />
"Avoiding being targeted is easy - resist<br />
the urge to pay the ransom. There is no<br />
guarantee that decryption keys provided<br />
by an attacker will completely restore<br />
a system and, once you pay, your identity<br />
and willingness to pay ransoms is data<br />
that can be sold as part of a post-attack<br />
monetisation plan," he concludes.<br />
cyber power<br />
POWER VACUUM<br />
CYBER POWER MAY WELL BE A VITAL COMPONENT IN PROTECTING NATIONAL<br />
INTERESTS, BUT HOW EFFECTIVELY WILL IT PLAY OUT IN REALITY?<br />
Cyber Power - the ability to protect and<br />
promote national interests in and<br />
through cyberspace - is, according to<br />
the UK government, becoming an ever more<br />
vital lever of national power and a source of<br />
strategic advantage. But it comes at a price -<br />
the mounting cyber threats that are associated<br />
with it. The government's National Cyber<br />
Strategy 2022 sets out to exploit<br />
opportunities, and tackle evolving threats and<br />
risks. We asked some of the industry's key<br />
players whether that strategy is up to the task<br />
and what else needs to be done to make the<br />
UK more resilient to cyber-attacks.<br />
"A lot of noise from some geopolitical<br />
pundits and think tanks - potentially backed<br />
by cyber security and defence lobbyists -<br />
continues to be generated against the<br />
backdrop of the war in the Ukraine," says<br />
Ian Thornton-Trump, CISO, Cyjax. With the<br />
conflict now running well over the 100-day<br />
mark, many assumptions about the strength<br />
of the Russian military and cyber capabilities<br />
appear to have been greatly exaggerated. "The<br />
evidence of Russian military incompetence is<br />
littered across the battlefield and the idea<br />
that a Russian 'Battalion Tactical Group' could<br />
perform as a near peer adversary to the<br />
integrated NATO Battle Group was<br />
aspirational at best and farcical at worst."<br />
So, too, it appears with Russian cyber forces,<br />
which also seem to have failed to achieve any<br />
sort of impactful, substantial or persistent<br />
cyber-attack on Ukraine during the conflict, he<br />
adds. "In fact, western technology firms were<br />
geared up and ready for a potential Russian<br />
onslaught of global cyber war, which has<br />
completely failed (so far) to materialise. These<br />
revelations about the iron and cyber curtain of<br />
the Russian 'Great Oz' should spark a NATO<br />
and G-20 rethink."<br />
The idea of 'Cyber Power' as this vital lever<br />
of national power and a source of strategic<br />
advantage is questionable, states Thornton-<br />
Trump. "This does not seem to be the case and<br />
is being oversold as a solution to complex<br />
geopolitical relationships. China, for instance,<br />
is not going to cease being a protagonist<br />
against Taiwan's move towards independence<br />
because of a DDoS attack."<br />
And as he points out: "Although some NATO<br />
cyber capabilities have greatly assisted the<br />
Ukraine defensive efforts, especially when it<br />
comes to Intelligence, Surveillance, Tracking<br />
& Reconnaissance (ISTAR) of Russian army<br />
leadership, Ukraine is not crying out for more<br />
cyber capabilities: it is requesting heavier<br />
weapons, such as more rocket artillery,<br />
howitzers and main battle tanks to defeat the<br />
enemy occupiers. Equal to the heavy weapons<br />
request, and perhaps even more effective, has<br />
been the extraordinary economic sanctions<br />
brought against Russia, which appear to be<br />
degrading and directly disrupting the ability of<br />
the Kremlin to wage the war with the bonus<br />
of undermining Putin's regime."<br />
Setting aside the thoughts of the military<br />
industrial complex's lobbying efforts, what<br />
does he believe 'Cyber Power' can actually<br />
achieve, in real terms? "Not very much, it<br />
seems, other than espionage and surveillance<br />
of persons and groups of interest. Of course,<br />
there have been covert and overt cyber-attacks<br />
conducted by nation state actors against<br />
nation state defenders - by both sides - but<br />
the question to ask is whether any of those<br />
attacks have curtailed a nation state's<br />
behaviour or achieved any substantial geopolitical<br />
outcomes? Without access to<br />
classified analysis reports on 'this top-secret<br />
cyber-attack or espionage campaign altered<br />
the course of history', Chinese, Russian, Iranian<br />
and North Korean leaders all seem eager to<br />
continue to pursue their own aggressive<br />
foreign policy objectives.<br />
"'Cyber power' - if we even want to accept it<br />
as a term - is just another tool of implementing<br />
foreign policy and, like others, it cannot<br />
stand alone or achieve any objectives without<br />
diplomatic, coalition building, economic aid<br />
(or sanctions) or overt or covert action, all of<br />
which require investment and support. When<br />
it comes to nation state objectives there is no<br />
'cyber easy button': it remains a difficult and<br />
messy business."<br />
BASIC SECURITY NEED<br />
"In the National Cyber Strategy 2022, the<br />
UK government details its commitment to<br />
establishing a future where the nation is more<br />
resilient to cyberattack, cyber is a national<br />
economic and strategic asset, and the UK<br />
effectively defends its position as a 'cyber<br />
power'," states Phil Lewis, CEO at Titania. "One<br />
of the key areas the strategy rightly focuses on<br />
is the increasing need for basic cyber security<br />
across all sectors and highlights what more<br />
businesses should be doing to prevent cyber<br />
security breaches and close the gaps in<br />
national resilience. Because, without the<br />
basics in place, the nation is exposed."<br />
The research used in the strategy indicates<br />
that 39% of businesses and 26% of charities<br />
have reported a security breach in the last<br />
year. But perhaps more worrying, says Lewis,<br />
is the line from Part 1 of the strategy that<br />
reads: 'Industry tells us that many businesses<br />
do not understand the cyber risks they face...<br />
and that there is often little motivation to<br />
report breaches and attacks.'<br />
Understanding the potentially catastrophic<br />
risk that exploitable vulnerabilities can pose<br />
to an organisation's operations - or indeed<br />
an entire supply chain - is key to prioritising<br />
remediation and mitigation strategies in order<br />
to develop better resilience, he insists. "It's as<br />
important as threat detection and response,<br />
and arguably a more basic requirement for<br />
every organisation. There are world-leading<br />
UK solutions designed to automate the<br />
detection and remediation of complex<br />
network vulnerabilities, as well as endpoint<br />
vulnerabilities. And some of these tools can<br />
even help prioritise remediation, based on the<br />
criticality of the risk the vulnerability poses to<br />
businesses. So, understanding the true extent<br />
of risks is now within reach of businesses of all<br />
shapes and sizes within the UK economy and<br />
the supply chain."<br />
Perhaps it's not surprising then that<br />
understanding and prioritising cyber risks to<br />
better defend networks appears to underpin<br />
all five of the pillars outlined in the strategy,<br />
he comments, "as this has never been a<br />
more achievable goal with the right risk<br />
management frameworks and automation<br />
technology in place. And it's great to see that<br />
the Government continue to lead by example,<br />
significantly reducing its own cyber risks<br />
across the public sector by 2025, in order to<br />
advance the UK's global position as a cyber<br />
power."<br />
Do the strategy and its implementation<br />
go far enough to ensure all critical national<br />
infrastructure (both commercial and<br />
governmental) and their supply chains<br />
establish defendable networks? "Time will tell,"<br />
responds Lewis. "But its commitment to<br />
investing in cyber people, skills, partnerships,<br />
technologies and trusted risk management<br />
frameworks is clearly in the nation's best<br />
interest."<br />
SIGNIFICANT CHANGE<br />
Working over the last 15 years in the<br />
Government sector cyber security industry,<br />
Martin Walsham, director of Cyber Security,<br />
AMR CyberSecurity, has witnessed significant<br />
change in the level of cross-connectivity,<br />
dependency on the ICT systems to operate<br />
and deliver core business functions, and the<br />
evolving threat level. This period has also seen<br />
a lot of stimulus to the digital cyber economy,<br />
with the development and growth of a large<br />
number of SMEs.<br />
"This has resulted in the maturing of the UK<br />
market, the creation of new jobs and export<br />
opportunities; examples of these include<br />
Digital Shadows and Nettitude, which have<br />
grown, been acquired or received significant<br />
investment," he says. "This is something that<br />
I experienced first-hand with my first cyber<br />
start-up organisation, Info-Assure, which was<br />
acquired in 2016." The Government's current<br />
cyber strategy clearly sets out the main and<br />
evolving challenges, adds Walsham.<br />
"It is based on an honest appraisal of the<br />
shortfalls in current posture relating to<br />
legacy systems and the presence of known<br />
vulnerabilities within aspects of the<br />
Government systems, as well as reflecting<br />
on NCSC involvement - in 777 incidents<br />
managed by the National Cyber Security<br />
Centre between September 2020 and August<br />
2021, around 40% were aimed at the public<br />
sector. This upward trend shows no signs of<br />
abating." As with all strategies, it could be<br />
argued that more could be done and quicker,<br />
he says. "However, what has been put forward<br />
is a balanced comprehensive strategy, so it is<br />
important to focus on implementing what<br />
has been proposed. Most of the strategy<br />
detail is focused on resilience, detection and<br />
response. Very little detail is included outlining<br />
the Government strategy to deter and disrupt<br />
the root causes of cyber threats."<br />
This is alluded to within the strategy, he<br />
adds, but very little detail has been provided:<br />
"Such capabilities will include advanced<br />
protection and detection techniques, as well<br />
as targeted use of government's offensive<br />
cyber capability and broader international and<br />
diplomatic efforts to disrupt and deter such<br />
threats."<br />
If the strategy is to be effective, Walsham<br />
concludes, "then resilience, detection and<br />
response mechanisms need to be supported<br />
with robust measures to deter and disrupt,<br />
such as breaking up criminal networks and<br />
applying sanctions and other measures to<br />
aggressive nation states harming the UK<br />
sovereign cyber interests."<br />
FIVE KEY PILLARS<br />
With cyber-attacks posing an increasingly<br />
dangerous threat to society, Government<br />
initiatives such as the National Cyber Strategy<br />
are more essential than ever, says Scott<br />
McAvoy, UKI associate partner A & IS Security<br />
Practice, Kyndryl. "This latest strategy rests<br />
on five key pillars, ultimately aiming to<br />
strengthen the UK cyber ecosystem and build<br />
a more resilient digital UK. While it addresses<br />
some of the chinks in the current UK<br />
cybersecurity armour, the very nature of<br />
cybersecurity suggests it cannot protect<br />
entirely. Cyberthreats are an ever-moving and<br />
changing entity, and we need to reflect this<br />
in our approach to combatting them."<br />
According to McAvoy, we're at the point<br />
where nothing and no-one is immune to<br />
the nefarious charms of cyber-attackers. "As<br />
such, cybersecurity is very much a shared<br />
responsibility and businesses need to play<br />
their part. As well as following the guidelines<br />
set out in the National Cyber Strategy,<br />
organisations need to adopt a 'resilience by<br />
design' mindset. Over the past 30 years, the<br />
IT industry has compartmentalised itself into<br />
neat towers and silos, which have eventually<br />
evolved into dedicated disciplines.<br />
Mainframe, server, network, cloud,<br />
applications, security etc, each is a dedicated<br />
discipline and often professionals managing<br />
these are only interested in their own<br />
performance, handing over responsibility<br />
whenever a problem falls outside their direct<br />
remit. This siloed approach is particularly<br />
unhelpful in the event of a cyberattack. The<br />
towers create responsibility gaps, which<br />
make it impossible to mount an effective<br />
recovery and response. Preparing for<br />
resilience means redefining the structure."<br />
To break down silos, CIOs need to<br />
understand what the viable business function<br />
requirements are and ask how the whole IT<br />
estate, together, can work to support them,<br />
he concludes. "At a high level, it comes down<br />
to making sure that there is a generalist,<br />
holistic view of resilience in place. It needs<br />
to address what will actually matter to the<br />
business, not just in terms of resilience as an<br />
abstract ideal."<br />
metaverse<br />
A WORLD APART<br />
INTEREST IN THE METAVERSE IS ON THE UP, BUT IS IT AN ILLUSORY<br />
WORLD FRAUGHT WITH DANGERS OR ONE WITH REAL PROMISE?<br />
The word 'metaverse' has yet<br />
to be fully defined, as it is<br />
not yet fully understood,<br />
states Dr Lydia Kostopoulos, SVP<br />
of emerging tech insights at<br />
KnowBe4. "However," she<br />
points out, "a high-level way<br />
to interpret it is an interactive<br />
digital space that can be<br />
experienced through virtual reality,<br />
augmented reality or on a<br />
traditional screen. Whether it is a digital<br />
environment on a screen, inside a VR<br />
headset or an augmented digital overlay<br />
on the physical environment, there are<br />
countless new business models, customer<br />
journeys and security needs that will<br />
arise."<br />
It is too early to know what will be<br />
successful and generate long-term value,<br />
but there are many things we do know,<br />
she adds. "We do know that there will be<br />
business models around the transactions<br />
of digital goods, advertising native<br />
to those environments and digital<br />
experiences. All of these models and<br />
experiences in these digital environments<br />
will create a multitude of data, from what<br />
was clicked to how long someone spent<br />
in a digital place or interacting with<br />
others. We know there will be artificial<br />
intelligence in the back-end, facilitating<br />
personalised ads, and also in the form of<br />
avatars or customer service chatbots."<br />
While development of these digital<br />
environments is still in the early stages,<br />
the benefits they bring are starting to<br />
show. "Musicians have been able to<br />
perform concerts for their fans in fully<br />
digital environments, fitness companies<br />
have created immersive worlds for people<br />
who want to exercise while feeling like<br />
they are flying over mountains or doing<br />
yoga on top of a mountain, artists have<br />
been able to digitally place their art in<br />
physical spaces to be seen only through<br />
special augmented reality apps, and there<br />
are many new use cases being developed<br />
today for immersive learning, medical<br />
visualisation of disease and also digital<br />
twins of factories."<br />
However, some challenges and risks will<br />
need to be mitigated, she states. "If these<br />
spaces are meant to be safe, welcoming<br />
to everyone and promote commerce, then<br />
there need to be rules; just as we have<br />
rules on how we interact in the physical<br />
world. The digital streets in the metaverse<br />
should also have rules and those rules<br />
need to be enforced, and there need to<br />
be ways for grievances to be heard and<br />
a transparent process for how they will<br />
be addressed." Besides rules, there should<br />
also be transparency on how data is<br />
collected and ways in which people can<br />
opt out or control the data they are<br />
generating with their activity.<br />
"Ask a dozen different people in digital<br />
what the metaverse is and you are likely<br />
to hear a dozen different answers," says<br />
Thomas Bedenk, VP Extended Reality at<br />
Endava. "However, as it is most commonly<br />
understood, the metaverse will enable<br />
users to interact with a digital continuous<br />
3D space, rather than operating as an<br />
outsider through an abstract interface.<br />
"This offers companies a unique<br />
opportunity to gain much more insight<br />
into their customers' behaviours and<br />
intentions than ever before, which is<br />
hugely valuable data for a business to<br />
have access to."<br />
This will all be possible through the next<br />
generation of AR and VR devices, which<br />
will offer more advanced sensors for the<br />
likes of gesture, eye and face tracking,<br />
skin response and heart rate, he adds.<br />
"By monitoring these stats continuously<br />
and holistically, alongside AI voice<br />
interaction, it will allow for completely<br />
new insights into customer behaviour,<br />
such as being able to measure attention<br />
and emotion, while interacting with a<br />
brand or application."<br />
Having access to that much data brings<br />
with it a whole level of security and<br />
privacy challenges that companies should<br />
be aware of, he cautions. "Users have an<br />
increased sensitivity to this kind of data,<br />
because it is so close to who they are in<br />
the real world and makes them easily<br />
identifiable," states Bedenk. "You can<br />
already see different approaches to this,<br />
with one stream of thought pushing<br />
towards decentralisation and data<br />
sovereignty, while big platform owners<br />
like Microsoft, Apple, Google and<br />
Facebook try to improve their branding<br />
and positioning around data privacy.<br />
"Accelerating digital strategies towards<br />
the metaverse will require a lot of<br />
understanding of the trends that have<br />
led to this so-called 'metaverse moment',<br />
such as 3D data, powerful use cases and<br />
excellent user experience - which many<br />
digital strategies may well already reflect.<br />
However, getting data security and privacy<br />
right, along with ethics, is another key<br />
ingredient for positioning an organisation<br />
well for growing successfully through the<br />
metaverse."<br />
IMPACT ON WELLBEING<br />
Anna Collard, SVP of content strategy and<br />
evangelist at KnowBe4, points to the<br />
immersive nature of the metaverse where<br />
negative experiences such as trolling,<br />
groping or harassment can have more<br />
impactful effects on people's psychological<br />
wellbeing. "Currently, platforms<br />
make users responsible for setting up<br />
'safe zones', which limit others coming<br />
into their space, but we feel there needs<br />
to be more moderation and rules<br />
enforced by default," she continues.<br />
"There are already companies developing<br />
AI-based 'bouncers' for the metaverse.<br />
Like anywhere in society, wherever many<br />
people come together, we have to protect<br />
the vulnerable from the non-desirable<br />
behaviour that comes with human<br />
nature."<br />
Anna Collard, KnowBe4: we have to protect<br />
the vulnerable from the non-desirable<br />
behaviour that comes with human nature.<br />
Lydia Kostopoulos, KnowBe4: some<br />
challenges and risks around the metaverse<br />
will need to be mitigated.<br />
cyber resilience<br />
CYBER WOES<br />
MANY ORGANISATIONS FEEL NO MORE CONFIDENT IN THEIR ABILITY TO RESPOND TO<br />
CYBER RISKS NOW THAN THEY DID IN 2019. WHAT HAS TAKEN ITS TOLL ON THEM?<br />
Sarah Stephens, Marsh: no surprise many<br />
organisations do not feel any more confident<br />
in their ability to respond to cyber risks.<br />
The toll of almost three years of<br />
unrelenting workplace disruption,<br />
digital transformation and<br />
ransomware attacks means that most<br />
leaders are no more confident in their<br />
ability to manage cyber risk than they<br />
were two years ago. This is according to<br />
a report published recently by insurance<br />
broker and risk advisor Marsh, along<br />
with Microsoft.<br />
The report, The State of Cyber Resilience,<br />
questioned over 660 cyber risk decision<br />
makers globally and analysed how cyber<br />
risk is viewed by various functions and<br />
executives in leading organisations,<br />
including cybersecurity and IT, risk<br />
management and insurance, finance,<br />
and executive leadership.<br />
One thing holding back confidence is<br />
that most companies have not adopted an<br />
enterprise-wide approach to cyber<br />
risk: one that at its core is about broad-based<br />
communication and fosters<br />
collaboration and alignment between<br />
stakeholders during key decision-making<br />
moments of truth on their cyber resilience<br />
journey. "For example, all departments<br />
that touch cyber risk should be involved<br />
in cyber incident management and cyber<br />
insights should be shared across the<br />
enterprise to appropriately address<br />
organisational cybersecurity weak spots,"<br />
states Marsh.<br />
"This year, our report looks at how cyber<br />
risk is viewed by various functions and<br />
leaders in the company, specifically<br />
cybersecurity and IT, risk management<br />
and insurance, finance, and executive<br />
leadership. While all of these functions<br />
have common interests around cyber risks,<br />
we found they often act independently,<br />
missing the potential benefits that an<br />
enterprise-wide approach offers. Their<br />
different views and separate ways of<br />
managing cyber risks are reflected in our<br />
finding that only 41% of<br />
organisations engage legal, corporate<br />
planning, finance, operations, or supply<br />
chain management in making cyber risk<br />
plans."<br />
According to the report, leadership<br />
confidence in their organisation's core<br />
cyber risk management capabilities -<br />
including the ability to understand/assess<br />
cyber threats, mitigate/prevent cyberattacks,<br />
and manage/respond to cyberattacks<br />
- is largely unchanged since 2019,<br />
when 19.7% of respondents stated they<br />
were highly confident, compared to 19%<br />
in <strong>2022</strong>.<br />
"As we analysed the responses from the<br />
<strong>2022</strong> Marsh and Microsoft Cyber Risk<br />
Survey, eight trends stood out," say the<br />
authors of the report:<br />
1. Cyber-specific enterprise-wide goals -<br />
including cybersecurity measures,<br />
insurance, data and analytics, and<br />
incident response plans - should be<br />
aligned to building cyber resilience versus<br />
simply preventing incidents, as every<br />
organisation can expect a cyberattack.<br />
73% of companies said they had<br />
experienced a cyberattack.<br />
2. Ransomware is considered the top<br />
cyber threat faced by companies,<br />
but not the only one. Other prevalent<br />
threats include phishing/social<br />
engineering, privacy breaches, and<br />
business interruption, due to an external<br />
supplier being attacked.<br />
3. Insurance is an important part of<br />
cyber risk management strategy, and<br />
influences the adoption of best practices<br />
and controls. 61% said their company<br />
buys some type of cyber insurance<br />
coverage.<br />
4. Adoption of more cybersecurity<br />
controls leads to higher cyber hygiene<br />
ratings. Just 3% of respondents rated<br />
their company's cyber hygiene as being<br />
excellent.<br />
5. Organisations lag in measuring cyber<br />
risk in financial terms, which hurts their<br />
ability to effectively communicate cyber<br />
threats across the enterprise. Just 26% of<br />
respondents said their organisation uses<br />
financial measures for cyber risk.<br />
6. Increased investment in cyber risk<br />
mitigation continues, though spending<br />
priorities vary across the enterprise. 64%<br />
said the spur to increasing cyber risk<br />
investments was having experienced an<br />
attack.<br />
7. New technologies need to be assessed<br />
and monitored on a continuous basis,<br />
not just during exploration and testing prior<br />
to adoption. 54% of companies said they<br />
do not extend risk assessments of new<br />
technologies beyond implementation.<br />
8. Firms take many cybersecurity actions,<br />
but widely overlook their vendors/digital<br />
supply chains. Only 43% have conducted<br />
a risk assessment of their vendor/supply<br />
chain.<br />
"Many conversations about cyber risk<br />
today begin with a discussion of the<br />
pervasiveness of ransomware," states the<br />
report. "Survey respondents ranked<br />
ransomware at the top of cyber risks facing<br />
their organisations, with more than one-third<br />
saying it is the number one threat,<br />
and nearly three-quarters placing it in the<br />
top three." Organisations also feel that<br />
the infinite number of vulnerabilities<br />
makes ransomware nearly impossible to<br />
safeguard against. "This hammers home<br />
the importance of developing a cyber<br />
resilient organisation."<br />
Professionals in risk management and<br />
insurance roles are more likely to point<br />
to ransomware as a key driver of attacks;<br />
board and CEO-level leaders are less likely<br />
to hold that view. "Given the continued rise<br />
of ransomware and the current tumultuous<br />
threat landscape, it is not surprising that<br />
many organisations do not feel any more<br />
confident in their ability to respond to cyber<br />
risks now than they were in 2019" is the<br />
view of Sarah Stephens, head of cyber,<br />
International, Marsh.<br />
Further, many organisations are still<br />
struggling to understand the risks posed by<br />
their vendors and digital supply chains as<br />
part of their cybersecurity strategies. Only<br />
43% of respondents stated that they have<br />
conducted a risk assessment of their<br />
vendors or supply chains.<br />
FURTHER INSIGHTS<br />
Other findings from the report include:<br />
• Only 41% of organisations look beyond<br />
cybersecurity and insurance to engage<br />
their legal, corporate planning, finance,<br />
operations or supply chain management<br />
functions in making cyber risk plans<br />
• Nearly four in ten respondents (38%)<br />
said their organisation uses quantitative<br />
methods to measure their cyber risk<br />
exposure, which is a critical step in<br />
understanding how cyberattacks and<br />
other events can create volatility. This is<br />
an improvement from the 2019 survey,<br />
when three in ten respondents (30%)<br />
stated that their organisation uses<br />
quantitative methods.<br />
Tom Reagan, cyber risk practice leader,<br />
US & Canada, Marsh, adds: "Cyber risks<br />
are pervasive across most organisations.<br />
Successfully countering cyber threats needs<br />
to be an enterprise-wide goal, aimed at<br />
building cyber resilience across the firm,<br />
rather than singular investments in incident<br />
prevention or cyber defence. Greater<br />
cross-enterprise communication can help<br />
organisations bridge the gaps that currently<br />
exist, boost confidence and better inform<br />
overall strategic decision-making around<br />
cyber threats."<br />
quantum on trial<br />
STEAL NOW - PROTECT NOW<br />
GLOBAL CYBER SECURITY EXPERTS NORMAN WILLOX AND TOM PATTERSON DEFEND<br />
THE CHANGE OF QUANTUM COMPUTING FROM SCIENCE FICTION TO SCIENCE FACT<br />
When it comes to the imminent and<br />
tremendous advances in quantum<br />
computing, do you wonder<br />
what position the world will be in, in just<br />
a few years' time? Do you wonder what<br />
government, industry and our adversaries<br />
are doing, and what you should be doing?<br />
The truth is that no one knows exactly what<br />
the state of quantum computing will be in<br />
the future, but there are already great strides<br />
being made by governments, academics<br />
and industry around the world in the race<br />
for 'quantum advantage.' When quantum<br />
advantage is achieved, bad actors won't need<br />
a sub-zero lab of their own, but will most<br />
probably be accessing it via a cloud service,<br />
much like the advanced technology of<br />
ransomware that has been made available to<br />
every crook with a computer and a credit<br />
card today.<br />
Defensively, key components of quantum<br />
resistance and encryption are now a reality,<br />
while quantum communication is underway<br />
and quantum clouds are beginning to<br />
become available for sensitive operations. The<br />
time for governments and companies to get<br />
ready is now. Our adversaries already are.<br />
The threat to governments, critical<br />
infrastructure and businesses, large and<br />
small, is most certainly real…it's just maths<br />
at this point. And these threats have already<br />
begun, with a new era of adversarial<br />
behaviour called 'steal now, decrypt later.'<br />
In these SNDL scenarios, adversaries are<br />
stealing large volumes of critical encrypted<br />
data that they cannot yet decrypt, but<br />
are confident that their coming quantum<br />
computers will soon be able to. We also<br />
know that quantum-computer-supported<br />
encryption hacking will come online years<br />
before the more mature quantum systems<br />
evolve, again highlighting that the most<br />
valuable information must be protected now.<br />
PRESIDENT STEPS IN<br />
This matter is so significant, the President of<br />
the United States issued a National Security<br />
Memorandum and an Executive Order<br />
(EO) on 4 May <strong>2022</strong> aimed at securing the<br />
nation's competitive advantage in quantum<br />
information science (QIS), while mitigating<br />
the risks of quantum computers to the<br />
nation's cyber, economic and national<br />
security. This is the fourth such action just<br />
this year.<br />
Current public key encryption schemes rely<br />
on the outdated premise that it would take<br />
the fastest computers too many millions<br />
of years to be able to factor the products of<br />
large prime numbers. So, as computers got incrementally<br />
faster, we just added extra bits to the key<br />
length to keep that premise alive. As the<br />
rapid advances of quantum computers over<br />
this past decade have gone from science<br />
fiction to science fact, we are getting<br />
closer and closer to 'Y2Q', when a quantum<br />
computer can run Shor's algorithm and read<br />
everything we've ever encrypted, regardless of<br />
key length. We not only need to have come<br />
up with better encryption by then, but we<br />
will also need to have it adopted, distributed,<br />
installed and maintained worldwide in<br />
advance. That takes years, so the time to<br />
begin that process is now.<br />
A bipartisan bill, the Quantum Computing<br />
Cyber Preparedness Act, was introduced into<br />
the House of Representatives in April, which<br />
seeks to speed, strengthen and provide<br />
regulation of quantum cyber security. The<br />
authors of this article both support this bill.<br />
While the bill helps to highlight the<br />
tremendous risks that are associated with<br />
the adversarial use of a quantum computer<br />
to decrypt government files and communications,<br />
it does not address the same need in<br />
the 16 critical infrastructure areas of our<br />
private sector. While this bill is a welcome<br />
step, Congress could go even further in<br />
protecting private corporations and business<br />
from this emerging and potentially imminent<br />
threat.<br />
The private sector owns approximately 85%<br />
of our critical infrastructure. Imagine if all our<br />
health records were laid bare, our banking<br />
information zeroed out, our transportation<br />
shut down or our energy turned off. All these<br />
critical infrastructure sectors rely on trusted<br />
encryption to provide even the most basic<br />
of operations. Additionally, the Federal<br />
Government is supported by a very large<br />
defence and security industrial base that has<br />
extensive sensitive government and industry<br />
information. Protecting these critical supply<br />
chains is as important as protecting the<br />
agencies themselves.<br />
FOUR-STEP PROCESS<br />
In order to protect against bad actors using<br />
quantum computing in criminal, terroristic or<br />
intelligence activities, we believe that every<br />
component of government and the critical<br />
infrastructure sectors should be implementing<br />
a four-step process immediately:<br />
1. Conduct a complete inventory of where<br />
your organisation uses encryption;<br />
document the specific encryption details<br />
including algorithm, key distribution,<br />
provider, and partner(s)<br />
2. Begin to make your encryption 'agile' in<br />
a way that will allow for easier changes<br />
in the future<br />
3. Leverage the latest encryption available<br />
today, like the Messaging Layer Security<br />
(MLS) that is already designed to resist<br />
aggressive collection methods for<br />
communications and collaboration,<br />
and quantum-generated shared keys<br />
for symmetric algorithms<br />
4. Research and test the NIST candidate<br />
'quantum resistance' algorithms (available<br />
via the providers you've just inventoried),<br />
AND the newer 'quantum encryption'<br />
systems that rely on currently available<br />
use of quantum physics with random<br />
numbers, keys and more to provide<br />
provably secure encryption today with<br />
some existing algorithms.<br />
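The inventory and agility steps above can be turned into a 'steal now, decrypt later' triage, shown here as an added example that is not the authors' code. The record fields follow the inventory details listed in the first step; the secrecy-lifetime and configurable fields, the tier names and the sample systems are assumptions constructed for illustration.<br />

```python
from dataclasses import dataclass
from typing import NamedTuple

# Public-key families built on factoring or discrete logarithms. Shor's
# algorithm breaks these whatever the key length.
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}


@dataclass(frozen=True)
class CryptoUse:
    system: str
    purpose: str           # "confidentiality" or "authentication"
    algorithm: str         # what protects the data, e.g. "AES-256-GCM"
    key_distribution: str  # how the peer obtains the key, e.g. "ECDH-P256"
    provider: str
    partners: tuple
    secrecy_years: int     # assumption: how long the data must stay secret
    configurable: bool     # assumption: algorithm set by config, not code


class Finding(NamedTuple):
    system: str
    tier: str
    secrecy_years: int
    needs_agility_work: bool


def family(name: str) -> str:
    """Reduce 'ECDH-P256' to 'ECDH' and 'RSA-2048' to 'RSA'."""
    return name.split("-")[0].upper()


def shor_broken(use: CryptoUse) -> bool:
    return (family(use.algorithm) in SHOR_BROKEN
            or family(use.key_distribution) in SHOR_BROKEN)


def tier(use: CryptoUse) -> str:
    if not shor_broken(use):
        return "monitor"
    # Ciphertext recorded today can be opened later once the key exchange
    # or public-key wrap falls, even when the bulk cipher is symmetric.
    if use.purpose == "confidentiality":
        return "protect-now"
    # Forging a signature needs the quantum computer at verification time,
    # so traffic captured today gives an adversary no head start.
    return "migrate"


TIER_ORDER = {"protect-now": 0, "migrate": 1, "monitor": 2}


def triage(inventory):
    """Rank entries: exposed secrets first, longest secrecy lifetime on top."""
    findings = [Finding(u.system, tier(u), u.secrecy_years, not u.configurable)
                for u in inventory]
    return sorted(findings,
                  key=lambda f: (TIER_ORDER[f.tier], -f.secrecy_years, f.system))


# Constructed sample inventory; systems, providers and partners are placeholders.
INVENTORY = [
    CryptoUse("partner-vpn", "confidentiality", "AES-256-GCM", "ECDH-P256",
              "vendor-A", ("logistics-partner",), 10, True),
    CryptoUse("hr-archive", "confidentiality", "RSA-2048", "RSA-2048",
              "in-house", (), 25, False),
    CryptoUse("code-signing", "authentication", "ECDSA-P256", "n/a",
              "vendor-B", (), 0, False),
    CryptoUse("backup-vault", "confidentiality", "AES-256-GCM", "pre-shared",
              "vendor-C", (), 7, True),
]

if __name__ == "__main__":
    for f in triage(INVENTORY):
        note = "hard-coded algorithm" if f.needs_agility_work else "agile"
        print(f"{f.tier:<12} {f.system:<13} secrecy={f.secrecy_years:>2}y  {note}")
```

The partner VPN lands in the top tier despite using AES-256, because its session keys are agreed with ECDH and recorded traffic inherits that weakness.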
KEY TO SUCCESS<br />
We believe the above four steps are the<br />
key to success for today and tomorrow.<br />
A quantum-proofing strategy today is both<br />
needed and required. Finding the right talent,<br />
experts, partners, products, and tools to do<br />
so and keep on delivering it into the future<br />
will be paramount. There is an understandable<br />
misconception that the threat of adversarial<br />
use of quantum computing is just for<br />
governments to worry about. But it has<br />
the potential to affect everyone and every<br />
business. Everyone has secrets, intellectual<br />
property and sensitive information that is the<br />
cornerstone of their business or life, and<br />
everyone is vulnerable when it gets out.<br />
Today's ransomware has shown that the<br />
most sophisticated of cyber weapons quickly<br />
finds its way into criminal hands. So, what<br />
secret data do you have that you rely on<br />
systems to keep safe? Will you favour a<br />
product that can protect your information<br />
into the future or doesn't it matter to you?<br />
AND DON'T FORGET ALL THE VIRTUES!<br />
While we are sounding the warning bells<br />
to get ready for quantum computing, we<br />
certainly can't end this piece without also<br />
extolling all the virtues it will bring. Quantum<br />
computing promises not just faster<br />
computing, but computing in completely<br />
new ways. Entirely new problems can be<br />
crafted and addressed, communications can<br />
become instantaneous, universal, and secure,<br />
remote sensing will be a reality, and so very<br />
much more. Beyond code-breaking, sectors<br />
including fintech, pharma, logistics,<br />
communications, space, climate and data<br />
analytics are all actively working to leverage<br />
the quantum computing on the horizon.<br />
In the 1960s, Albert Einstein famously called<br />
quantum computing 'spooky.' Today, with<br />
everything we now know, we find quantum<br />
computing exhilarating!<br />
It will take us to intellectual places we have<br />
never even imagined and solve problems we<br />
never thought solvable.<br />
Norman Willox.<br />
Tom Patterson.<br />
threat report<br />
AT WAR WITH CYBER-ATTACKS<br />
THE ONGOING CONFLICT IN UKRAINE HAS SEEN THE RESURRECTION<br />
OF THE INFAMOUS INDUSTROYER MALWARE AND OTHER THREATS<br />
ESET has released its T1 <strong>2022</strong> Threat<br />
Report, summarising key statistics<br />
from ESET detection systems and<br />
highlighting notable examples of the<br />
company’s cybersecurity research.<br />
Roman Kováč, ESET: Ukrainians fighting<br />
for their lives and sovereignty.<br />
The latest issue of the ESET Threat Report<br />
recounts the various cyberattacks connected<br />
to the ongoing war in Ukraine that ESET<br />
researchers analysed or helped to mitigate.<br />
This includes the resurrection of the now<br />
infamous Industroyer malware, attempting<br />
to target high-voltage electrical substations.<br />
ESET telemetry also recorded other changes<br />
in the cyberthreat realm that might have<br />
a connection to the situation in Ukraine.<br />
Roman Kováč, chief research officer at ESET,<br />
clarifies why this report is so focused on<br />
cyberthreats related to this war. "Several<br />
conflicts are raging in different parts of the<br />
world, but for us, this one is different. Right<br />
across Slovakia's eastern borders, where ESET<br />
has its HQ and several offices, Ukrainians are<br />
fighting for their lives and sovereignty."<br />
Shortly before the Russian invasion, ESET<br />
telemetry recorded a sharp drop in Remote<br />
Desktop Protocol (RDP) attacks. The decline<br />
in these attacks comes after two years of<br />
constant growth - and as explained in the<br />
Exploits section of the latest ESET Threat<br />
Report, this turn of events might be related<br />
to the war in Ukraine. But even with this fall,<br />
almost 60% of incoming RDP attacks seen in<br />
T1 <strong>2022</strong> originated in Russia.<br />
Another side effect of the war: while in<br />
the past, ransomware threats tended to<br />
avoid targets located in Russia, during<br />
this period, according to ESET<br />
telemetry, Russia was the most<br />
targeted country. Researchers at<br />
ESET even detected lock-screen<br />
variants using the Ukrainian<br />
national salute 'Slava Ukraini!'<br />
(Glory to Ukraine!). Since the<br />
Russian invasion of Ukraine,<br />
there has been an increase in<br />
the number of amateurish<br />
ransomware and wipers. Their<br />
authors often pledge support for<br />
one of the fighting sides and position the<br />
attacks as personal vendettas.<br />
Unsurprisingly, the war has also been<br />
noticeably exploited by spam and phishing<br />
threats, adds ESET. Immediately after the<br />
invasion on February 24, scammers started<br />
to take advantage of people trying to<br />
support Ukraine, using fictitious charities<br />
and fundraisers as lures. On that day, ESET<br />
telemetry detected a large spike in spam<br />
detections.<br />
ESET telemetry has also seen many other<br />
threats unrelated to the Russia/Ukraine war.<br />
"We can confirm that Emotet - the infamous<br />
malware, spread primarily through spam<br />
email - is back after last year's takedown<br />
attempts, and has shot back up in our<br />
telemetry," explains Kováč. Emotet operators<br />
spewed spam campaign after spam<br />
campaign in T1, with Emotet detections<br />
growing by more than a hundredfold.<br />
However, as the Threat Report notes, the<br />
campaigns relying on malicious macros<br />
might well have been the last, given<br />
Microsoft's recent move to disable macros<br />
from the internet by default in Office<br />
programs. Following the change, Emotet<br />
operators started testing other compromise<br />
vectors on much smaller samples of victims.<br />
The ESET T1 <strong>2022</strong> Threat Report also<br />
reviews the most important research<br />
findings, with ESET Research uncovering: the<br />
abuse of kernel driver vulnerabilities; high-impact<br />
UEFI vulnerabilities; cryptocurrency<br />
malware targeting Android and iOS devices;<br />
a yet-unattributed campaign deploying<br />
the DazzleSpy macOS malware; and the<br />
campaigns of Mustang Panda, Donot Team,<br />
Winnti Group, and the TA410 APT group.<br />