CS Sep-Oct 2022
Computing Security
Secure systems, secure data, secure people, secure business

EMPLOYEES ARE ‘NOT THE FOE’
Human error demands an empathic and supportive approach

NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS

TO PAY OR NOT TO PAY
Some solicitors are said to be advising their clients to pay up after a ransomware attack. Wise or foolish?

INSTRUMENTS OF THREAT
Safety fears soar as connected IoT devices set to hit 27 billion by 2025

REELING THEM IN
Phishing has never been a bigger or more exploited weapon for attackers

Computing Security September/October 2022
comment

A WING AND A PRAYER?

How likely is it that criminal gangs are going to return all your data intact and untarnished after a ransomware attack, if you comply with their requirements and pay whatever it is they demand of you? Logic tells you that the odds are extremely low. Yet, for an organisation that finds itself a victim of an attack, hope must spring eternal that they will be treated kindly - because many pay up, it is reported.

In a letter to the Law Society, the National Cyber Security Centre (NCSC) - which is a part of GCHQ - and the Information Commissioner's Office (ICO) say they have seen evidence of a rise in ransomware payments and that, in some cases, solicitors may have been advising clients to pay, in the belief that it will keep data safe or lead to a lower penalty from the ICO. They have asked the Law Society to remind its members of their advice on ransomware and emphasise that paying a ransom will not keep data safe or be viewed by the ICO as a mitigation in regulatory action.

As Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre for Ransomware, states in our comprehensive coverage of ransomware on page 18: "The perception that payment will guarantee a quick resolution to the problem of lost access to systems and data is a fallacy," before pointing out: "Since the primary business objective for these criminals is monetary gain, it should come as no surprise that they test their encryption better than they do their restoration processes - and that there is no support line to call, should the restoration process fail. They are, after all, criminals, so there is nothing to prevent one criminal group from compiling a list of victims willing to pay ransom and then selling that to other criminal organisations."

As ever, prevention remains the best cure, of course. However, in the event of a successful breach, having an effective backup strategy in place, whereby data can be recovered and restored quickly, is vital - something covered in depth in our ransomware feature.

Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall (brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)
SALES:
Edward O’Connor (edward.oconnor@btc.co.uk) +44 (0)1689 616 000
Lyndsey Camplin (lyndsey.camplin@btc.co.uk) +44 (0)7946 679 853
Stuart Leigh (stuart.leigh@btc.co.uk) +44 (0)1689 616 000
PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)
Published by Barrow & Thompkins Connexions Ltd (BTC)
35 Station Square, Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years, £80/three years;
Europe: £48/year, £85/two years, £127/three years;
R.O.W: £62/year, £115/two years, £168/three years
Single copies can be bought for £8.50 (includes postage & packaging).
Published 6 times a year.
© 2022 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.

www.computingsecurity.co.uk Sept/Oct 2022 computing security @CSMagAndAwards
3
CONTENTS
COMMENT 3
A wing and a prayer

NEWS 6 & 8
Blackhat gang strikes again
Teen extortion exposes cyber gaps
Overworked, understaffed
Manufacturing 'most attacked sector'
Post-quantum crack-up

ARTICLES

HOW SENSITIVE IS YOUR DATA? 10
Keeping track of stored data can often prove to be a complex, difficult task. Nick Evans, GeoLang, offers a way forward

IOT - INSTRUMENTS OF THREAT 11
With the global number of connected IoT devices expected to reach 27 billion by 2025, is our ability to defend against attacks likely to become something of a losing battle?

TO TRUST OR NOT TO TRUST, THAT IS THE QUESTION 14
What exactly is Zero Trust and how can this be achieved? Tom Hills, Pre-Sales Consultant, SecurEnvoy, offers his insights on this challenging topic

WELCOME TO THE (THIRD) PARTY! 16
Computing Security recently caught up with Hornetsecurity chief technical officer Yvonne Bernard in our latest Q&A session to find out her thoughts on cloud email systems and their rapid uptake

RANSOMWARE DEMANDS: HOLD FIRM OR PAY UP? 18
Reports that some solicitors may have been advising clients to pay a ransom, in the belief it will keep data safe or lead to a lower breach penalty, have caused a backlash

EMPLOYEES ARE 'NOT THE ENEMY' 24
How do you prevent your workforce from laying the business open to a possible breach? Is education and awareness training the best solution - or should you just lock them out of vulnerable areas altogether?

OBJECT ARCHIVE SOFTWARE: THE INSIDE STORY 30
Fujifilm's Object Archive is described as 'an S3-compatible tape storage system for long-term data preservation and data protection'. We speak with the company's Richard Alderson, Head of Recording Media - UK, Ireland and Scandinavia

CHANGING THE GAME 32
Today, the ITAD sector has emerged as a professional value-add industry and it's been a long, hard road getting there. But the battle is far from over, says Steve Mellings, founder and CEO of ADISA

BIGGER 'PHISH' TO FRY! 34
Phishing remains a highly-prized asset by attackers when seeking to gain initial access to organisations by hooking in the unprepared

PRODUCT REVIEWS
Gatewatcher AIONIQ 23
Rohde & Schwarz Cybersecurity: R&S Browser in the Box 31
news

[Photo: David Mahdi, Sectigo]

BLACKHAT GANG STRIKES AGAIN

The recent Blackhat ransomware attack on the Japanese gaming publisher Bandai Namco - in which the group seized hold of customer data - comes hard on the heels of an FBI warning in the wake of reports that the Blackhat group has successfully breached over 60 entities worldwide.

David Mahdi, digital identities expert and chief strategy officer at cybersecurity firm Sectigo, comments: "Organisations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost. Personal information that does not change as easily as a credit card or bank account number drives a high price on the Dark Web. This kind of 'Personally Identifiable Information' is highly sought after by cybercriminals for monetary gain."

Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out-of-date security devices, he advises.

But how do you prevent such attacks? "The answer," he responds, "is combining identity-first principles with least-privilege data access security, all while leveraging a variety of cybersecurity best practices and technologies [ie, email security, endpoint security and patch management]."

DATA ENCRYPTION GAINS MOMENTUM

[Photo: Jon Fielding, Apricorn]

The number of UK organisations implementing data encryption as a core part of their cybersecurity strategy has continued to rise, with 32% introducing a policy to encrypt all corporate information as standard in the last year. Almost half (47%) of organisations now require the encryption of all data, whether it's at rest or in transit. This is according to an annual survey of IT decision makers carried out by Apricorn. Only 2% do not currently see encryption as a priority. "It's encouraging to see encryption high up on corporate priority lists," says Jon Fielding, managing director EMEA, Apricorn. "Messages about the crucial role it has to play in protecting sensitive information are clearly getting through. When data is encrypted, it's fully protected - if an unauthorised individual gains entry to an IT system or picks up a device that's been left in an Uber, for instance, the information will remain unreadable."

TEEN EXTORTION GROUP EXPOSES CYBER GAPS

[Photo: Claire Tills, Tenable]

The notorious extortion-only LAPSUS$ ransomware group has successfully carried out multiple high-profile attacks on companies such as Microsoft, Samsung and Ubisoft. Unlike ransomware operators, the LAPSUS$ group represents a growing breed of extortion-only cybercriminals, focusing exclusively on data theft and extortion by gaining access to victims through tried-and-true methods like phishing and stealing the most sensitive data it can find without deploying data-encrypting malware. "Just like ransomware, extortion attacks aren't going anywhere until they are made too complicated or costly to conduct," says Claire Tills, senior research engineer at Tenable. "Organisations should evaluate what defences they have in place against the tactics used, how they can be hardened and whether their response playbooks effectively account for these incidents."

OVERWORKED, UNDERSTAFFED - AND BATTLING ON

As breaches continue to rise, cybersecurity and development professionals are feeling the pressure to maintain their organisations' security postures. Invicti Security has released research in its 'State of the DevSecOps Professional: At Work and off the Clock' that unveils how overworked and understaffed these key employees are. The survey reveals how impending cyberattacks have created added stress. Tellingly, DevSecOps professionals "spend more than four hours each workday addressing security issues that never should have happened in the first place, with 41% of cybersecurity professionals spending 5+ hours addressing security issues, compared to 32% of their developer counterparts".
news

[Photo: Chris Vaughan, Tanium]

CAN YOU TRUST YOUR THIRD-PARTY VENDORS?

When British recruitment agency Morgan Hunt suffered a digital burglary recently, intruders seized personal data of some of the freelancers on its books. Morgan Hunt - which provides personnel services to clients in the charity, education, finance, government, housing and technology sectors - confirmed the break-in in a letter to contractors.

Comments Chris Vaughan, area VP and technical account manager EMEA at Tanium: "Companies often place a huge amount of trust in third-party vendors - usually down to reputation, if they haven't been breached before, or if they claim to invest heavily in cybersecurity. However, IT teams need to be more thorough than this. They should ask themselves questions, such as: 'Do I really know how well our suppliers manage their operations, including areas like credential management and patching? How can we tell how much technical debt they are carrying? Is the vendor that was breached three years ago - and then invested a massive amount improving their security - less of a risk than a vendor that's never had a publicly disclosed breach?'

"Only once these questions have been answered - using data - can organisations place full trust in the third-party suppliers they work with."

MANUFACTURING IS NOW THE 'MOST ATTACKED SECTOR'

Manufacturing overtook financial services as the most attacked sector last year. Yet, for nearly half (47%) of organisations, cybersecurity in smart factories still isn't a C-level concern. This is according to a new report from Capgemini, 'Smart & Secure: Why smart factories need to prioritize cybersecurity', which examines how organisations are securing their smart factories and the challenges they must overcome to do so.

The report's findings include:

People remain the top threat to cybersecurity - of firms impacted by cyberattacks in the past 12 months, 28% noted an increase in employees or vendors bringing in infected devices.

More than half of respondents (53%) say smart-factory leaders need to collaborate more closely with CSOs, as their inability to communicate hinders the organisations' capability to detect cyber-attacks early, leading to a higher level of damage.

POST-QUANTUM CRACK-UP

[Photo: Jason Soroko, Sectigo]

Scientists are reported to have finally come up with a quantum computer that breaks free from the binary system. Jason Soroko, quantum and cryptography expert and CTO at cybersecurity firm Sectigo, says one area where we could see direct impact is the inevitable outcome that quantum computers break the cryptographic foundation stones of our modern digital systems.

"For post-quantum cryptographic algorithms, this means that the progress path of quantum computers stable enough to crack traditional algorithms that we use today is happening," he cautions, adding that it is now "time to engage with the vendor community and begin building competency on post-quantum algorithms and their new associated technologies".

SMART FACTORIES ARE AN EVER-INCREASING TARGET FOR CYBERATTACKS

A new report that has been released by the Capgemini Research Institute has found that 51% of industrial organisations believe the number of cyberattacks on smart factories was likely to increase over the next 12 months. Yet nearly half (47%) of manufacturers say cybersecurity in their smart factories is not a C-level concern. According to the Capgemini report, 'Smart & Secure: Why smart factories need to prioritise cybersecurity', few manufacturers have mature practices across the critical pillars of cybersecurity.

The connected nature of smart factories is exponentially increasing the risks of attacks in the Intelligent Industry era, the report states.

Around 53% of organisations - including 60% of heavy-industry and 56% of pharma and life sciences firms - agree that most future cyberthreats will feature smart factories as their primary targets.
robotics & automation

HOW SENSITIVE IS YOUR DATA?

KEEPING TRACK OF STORED DATA IS A COMPLEX, DIFFICULT TASK. NICK EVANS, SALES AND MARKETING MANAGER AT GEOLANG, OFFERS A WAY FORWARD

So, how sensitive is your data? And no, we don't mean in a 2022 snowflake kind of way. We mean in a compliance way! Do you know what sensitive data is being stored in your Atlassian Confluence, Jira and Bitbucket environments? If you are like a lot of businesses we speak to today, you may be struggling to understand what data is being stored in your Atlassian tools, and having to use teams of people, a lot of time and big budgets to manage that data.

Atlassian products are used heavily in the Financial Services sector and, because of the amount of data those businesses are constantly creating, it is an ever more difficult task to stay on top of the sensitive data they are storing. Add the complication of constant audits, and understanding that data becomes a critical task.

WHAT WOULD THE ATLASSIAN TOOLS TYPICALLY BE USED FOR?

Confluence - Confluence is a team workspace where knowledge and collaboration meet. Dynamic pages give your team a place to create, capture, and collaborate on any project or idea.

Jira - Helps teams plan, assign, track, report and manage work, and brings teams together for everything from agile software development and customer support, to start-ups and enterprises.

Bitbucket - A Git repository management solution. It gives you a central place to manage git repositories, collaborate on your source code and guide you through the development flow.

In essence, a business's 'Crown Jewels' can be, and usually are, stored in the Atlassian suite of tools.

To complicate matters even more, the Atlassian tools have traditionally been deployed on customers' servers, but Atlassian has recently announced that it will stop supporting on-premises environments from February 2024 (you can read the announcement and planned timeline here) and wants its customers to embrace the Atlassian Cloud - but not all types of businesses can easily (or safely) move their data into cloud environments.

Best practice states that, before any data is migrated, that data is cleaned first. Before data can be cleaned, it needs to be discovered, so that a business can understand what it is working with.

The GeoLang Data Discovery tool has been designed to make the discovery of sensitive data being stored in Confluence, Jira and Bitbucket as simple as possible. Customers find that not only is the stress removed from their sensitive data management processes, but they also see reductions in operational costs. As stated above, businesses are usually having to employ many people to run their search tasks; so, by automating that process, resources can focus on other areas of business that may have been neglected because so much time is spent on running manual searches and scouring through masses of data.

We recently created a case study with a Tier-1 bank that has adopted the GeoLang Data Discovery tool, and the case study highlights just how our Data Discovery tool has drastically reduced the time and effort (and bill) it has taken to manage the sensitive data they are working with. You can read that case study here.

To discuss how GeoLang can help, get in touch at contact@geolang.com.
IoT devices

IOT - INSTRUMENTS OF THREAT?

WITH THE GLOBAL NUMBER OF CONNECTED IOT DEVICES EXPECTED TO REACH 27 BILLION BY 2025, IS OUR ABILITY TO DEFEND AGAINST ATTACKS LIKELY TO BECOME A LOSING BATTLE?

We are soon going to be faced with an IoT device saturated workspace and the big question is: how can all of the security risks that go with these devices be controlled? According to IoT Analytics, the global number of connected IoT devices is expected to grow 9%, reaching 27 billion by 2025. "With that dramatic rise in connected devices also comes an increased need for security," states Kaspersky. "In fact, Gartner highlights that, in the past three years, nearly 20% of organisations have already observed cyberattacks on IoT devices in their network."

While two thirds of organisations (64%) globally use IoT solutions, according to Kaspersky, 43% don't protect them completely. "This means that for some of their IoT projects - which may be anything from an EV charging station to connected medical equipment - businesses don't use any protection tools. The reasons behind this may be due to the great diversity of IoT devices and systems, which are not always compatible with security solutions. Almost half of businesses fear that cybersecurity products can affect the performance of IoT (46%) or that it can be too hard to find a suitable solution (40%). Other common issues businesses face when implementing cybersecurity tools are high costs (40%), being unable to justify investment to the board (36%) and lack of staff or specific IoT security expertise (35%)."

64 BILLION DEVICES

It is estimated that, by 2026, there will be 64 billion IoT devices installed around the world, according to Kaspersky, with the trend towards remote working helping to drive this increase. "So many additional devices change the dynamics and size of what is sometimes called the cyber-attack surface - that is, the number of potential entry points for malicious actors," the company reports. Compared to laptops and smartphones, most IoT devices have fewer processing and storage capabilities. "This can make it harder to employ firewalls, antivirus and other security applications to safeguard them," it points out.

Furthermore, cybersecurity risks are seen by more than half of organisations (57%) as the main barrier to implementing IoT. This can occur when companies struggle to address cyber-risks at the design stage and then have to carefully weigh up all pros and cons before implementation.

"Cybersecurity must be front and centre for IoT," advises Stephen Mellor, chief technology officer at Industry IoT Consortium. "Managing risk is a major concern, as life, limb and the environment are at stake. An IT error can be embarrassing and expensive; an IoT error can be fatal. But cybersecurity is only one part of making a system trustworthy. We also need physical security, privacy, resilience, reliability and safety. And these need to be reconciled: what can make a building secure [locked doors, for example], could make it unsafe, if you cannot get out quickly."

Adds Eric Kao, director, WISE-Edge+ of Advantech, a global vendor of industrial IoT solutions: "IoT projects are very fragmented, loosely-coupled, domain-specific and integration-heavy in nature. In comparison, IT projects such as messaging/communication, analytics, CRM etc have around 80% of common requirements. In the case of IoT implementation, however, we have to deal with all kinds of legacy systems, physical constraints, domain protocols, multiple vendor solutions etc and maintain a reasonable balance in availability, scalability and security. In pursuit of higher availability and scalability, certain cloud infrastructure has to be leveraged, the system has to be open to some extent, then security becomes an enormous challenge."

[Photo: Dave Adams, Prism Infosec: many systems are not currently zero trust enabled.]

[Photo: Jim Hietala, The Open Group: it's not possible to consider any IoT device as 'trusted' in today's environment.]
Why are IoT devices so vulnerable? According to Trend Micro, "largely because these devices lack the necessary built-in security to counter threats. Aside from the technical aspects, users also contribute to the devices' vulnerability to threats".

RISK FACTORS

Some of the reasons that Trend Micro offers as to why these smart devices remain at risk include the following:

Limited computational abilities and hardware limitations. These devices have specific functions that warrant only limited computational abilities, leaving little room for robust security mechanisms and data protection.

Heterogeneous transmission technology. Devices often use a variety of transmission technology. This can make it difficult to establish standard protection methods and protocols.

Components of the device are vulnerable. Vulnerable basic components affect millions of deployed smart devices.

Users lacking security awareness. Lack of user security awareness could expose smart devices to vulnerabilities and attack openings.

Device vulnerabilities allow cybercriminals to use them as a foothold for their attacks, which reinforces the importance of security from the design phase.

How do device vulnerabilities affect users? "Looking into some of the more notable attacks on IoT devices shows how it can affect users," adds Trend Micro. "Threat actors can use vulnerable devices for lateral movement, allowing them to reach critical targets. Attackers can also use vulnerabilities to target devices themselves and weaponise them for larger campaigns or use them to spread malware to the network."

IoT botnets serve as an example that demonstrates the impact of device vulnerabilities and how cybercriminals have evolved to use them, it continues. "In 2016, Mirai, one of the most prominent types of IoT botnet malware, made a name for itself by taking down prominent websites in a distributed denial of service (DDoS) campaign consisting of thousands of compromised household IoT devices.

"From a business perspective, IoT devices further blur the distinction between the necessary security of businesses and homes, especially in work-from-home scenarios. Introducing IoT devices to the household can open new entry points in an environment that might have weak security, exposing employees to malware and attacks that could slip into a company's network. It's a significant consideration when implementing bring your own device (BYOD) and work-from-home arrangements. Attackers can also use IoT devices with existing issues to get into internal networks. These threats range from DNS rebinding attacks that allow for gathering and exfiltrating information from internal networks to new attacks via side channels, such as infrared laser induced attacks against smart devices in homes and corporate environments."

Trend Micro points to a number of cases that, it says, demonstrate the impact of IoT vulnerabilities; some of them involve real-world settings and others research into these devices. "The Open Web Application Security Project (OWASP), a non-profit foundation for improving software, annually releases a list of the top IoT vulnerabilities." Examples of these common flaws include weak, guessable or hardcoded passwords. "New variants of malware typically use this vulnerability. For example, we found a Mirai variant called Mukashi, which took advantage of CVE-2020-9054 and used brute force attacks with default credentials to log into Zyxel NAS products."
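The default-credential brute forcing described above (Mirai and its Mukashi variant) leaves a recognisable trail in a device's authentication log: many failures against one account from many source addresses within seconds, then a success. The detector below is an added example, not code from the article, from Trend Micro or from any NAS vendor; the log line format and the sample lines are constructed for illustration, and `window`, `fail_threshold` and `min_sources` are assumed tuning values.

```python
"""Detect botnet-style default-credential brute forcing against a NAS/IoT admin login.

Hypothetical log format (constructed for this example, not any vendor's real format):
    <ISO-8601 UTC time>Z <host> login[<pid>]: FAILED|ACCEPTED user=<name> from=<ipv4>
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: four sources hammer 'admin' within seconds, then one of them succeeds.
SAMPLE_LOG = """\
2022-09-01T10:00:01Z nas01 login[412]: FAILED user=admin from=198.51.100.7
2022-09-01T10:00:03Z nas01 login[412]: FAILED user=admin from=198.51.100.7
2022-09-01T10:00:04Z nas01 login[413]: FAILED user=admin from=203.0.113.9
2022-09-01T10:00:06Z nas01 login[414]: FAILED user=root from=203.0.113.9
2022-09-01T10:00:08Z nas01 login[415]: FAILED user=admin from=192.0.2.44
2022-09-01T10:00:09Z nas01 login[416]: FAILED user=admin from=192.0.2.45
2022-09-01T10:00:11Z nas01 login[417]: ACCEPTED user=admin from=192.0.2.45
2022-09-01T11:30:00Z nas01 login[500]: ACCEPTED user=alice from=10.0.0.5
2022-09-01T11:30:10Z nas01 login[501]: FAILED user=alice from=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (?P<host>\S+) login\[\d+\]: "
    r"(?P<result>FAILED|ACCEPTED) user=(?P<user>\S+) from=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


@dataclass(frozen=True)
class Alert:
    kind: str          # "bruteforce" or "success_after_failures"
    user: str
    when: datetime
    failures: int      # failed attempts for this user still inside the window
    sources: tuple     # distinct source IPs involved


def parse_line(line):
    """Return a dict for a well-formed auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def detect_bruteforce(lines, window=timedelta(minutes=5), fail_threshold=5, min_sources=3):
    """Raise an alert when one account is hit by many failures from many sources inside a
    short window (the botnet pattern), and another when a login then succeeds for that
    account: that is the moment a default credential was most likely guessed."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # user -> (ts, ip) of failures still inside the window
    quiet_until = {}              # user -> do not re-raise a bruteforce alert before this time
    alerts = []
    for ev in events:
        user, q = ev["user"], recent[ev["user"]]
        while q and ev["ts"] - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if ev["result"] == "FAILED":
            q.append((ev["ts"], ev["ip"]))
            sources = tuple(sorted({ip for _, ip in q}))
            if (len(q) >= fail_threshold and len(sources) >= min_sources
                    and ev["ts"] >= quiet_until.get(user, datetime.min)):
                alerts.append(Alert("bruteforce", user, ev["ts"], len(q), sources))
                quiet_until[user] = ev["ts"] + window
        elif any(ip == ev["ip"] for _, ip in q) or ev["ts"] < quiet_until.get(user, datetime.min):
            # Success from a source that just failed, or while the account is under attack.
            alerts.append(Alert("success_after_failures", user, ev["ts"], len(q), (ev["ip"],)))
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a.when:%H:%M:%S} {a.kind:<22} user={a.user} "
              f"failures={a.failures} sources={a.sources}")
```

The success-after-failures rule fires on its own even below the brute-force threshold, so a single source that fails and then gets in is still surfaced.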
Adoption of the Secure by Design Code of Practice, launched back in 2018, has been lacklustre to say the least, comments David Adams, security consultant at Prism Infosec. "Without any carrot or stick, there was little incentive for IoT vendors to implement any of the 13 principles and the government has admitted as much, saying that 'too many insecure consumer-connected products remain on the market and we need to take steps'."

‘CARROT AND STICK’

The Product Security and Telecommunications Infrastructure (PSTI) Bill aims to address this by mandating compliance with the top three guidelines in the Code of Practice, namely a ban on universal default passwords, vulnerability reporting and a minimum support period, and is expected to come into force from 2023. "It will act as the stick," states Adams, "but what of the carrot? To help prepare the way for regulation, the DCMS put out a tender for a kitemark scheme whereby manufacturers are voluntarily assessed by an independent third party.

"IASME launched its scheme last year, featuring three levels, Basic, Silver and Gold, which align with ETSI's EN 303 645, the PSTI, and are also mapped to the IoTSF Security Compliance Framework. Vendors that meet the criteria will be able to display a badge on their IoT device."

And plenty seem to have taken the carrot and the biggest one at that, he adds. "All those we've come across have gone for gold, because they see it as a way to not only reassure customers, but also get ahead of the curve and differentiate their offerings. No doubt uptake is being watched closely in the US, where NIST has proposed a similar 'labelling', although it has yet to appoint an overseer that would fulfil the same remit as IASME. The scheme and PSTI will mean that from 2023 we can expect a real improvement in IoT security, with security controls baked in from conception and devices no longer susceptible to takeover en masse through the use of default passwords. However, there is still an army of unsecure devices out there."

With over 30 billion devices already deployed, it's retro-managing these devices that is liable to cause businesses and consumers alike problems over the coming years, he points out, particularly as passwords are leaked, new vulnerabilities emerge and devices outlive their support. "To ensure that IoT devices on networks don't represent the weakest link, steps need to be taken towards embracing a zero trust strategy."

"However, this presents further challenges, as many systems are not currently zero trust enabled. We can therefore expect a sizable transition period and it's during this time, when systems are being retired and replaced, that networks are liable to be at their most susceptible to attack. This begs the question: do we also need to encourage retrospective assessments to get us through the dark age of the IoT?"

DEFECTS AND VULNERABILITIES
According to Jim Hietala, vice president,<br />
Business Development & Security, The<br />
Open Group, it's no secret that there is an<br />
increasing threat of cyber-attacks across<br />
any industry and for any organisation. "As<br />
reliance on technology grows, organisations<br />
need to focus on how to protect their<br />
devices from these cyber threats by ensuring<br />
the systems involved are secure and free of<br />
major defects and vulnerabilities. However,<br />
devices inevitably have vulnerabilities<br />
through their connection to a network. With<br />
the growing use of IoT devices, a business'<br />
attack surface grows alongside, as attacks<br />
can originate from the channels that<br />
connect IoT devices." What's more, he<br />
adds, cybercrime has become a lucrative<br />
and mature market and criminal groups<br />
are collaborating with peers to align<br />
strategies and select targets.<br />
"This means that attacks are becoming<br />
more sophisticated, as malicious actors<br />
become fully-fledged criminal enterprises,<br />
providing as-a-service offerings and<br />
malware licences to established customer<br />
bases and target markets. As seen with<br />
recent ransomware attacks, no amount of<br />
network-focused security can prevent an<br />
attack, if cyber criminals work a situation<br />
where the actual point of infiltration is<br />
carried out by genuinely authorised users<br />
- a tactic that becomes more viable for<br />
attackers with IoT devices and a digital<br />
infrastructure that is more complex."<br />
That, Hietala continues, is why it's not<br />
possible to consider any IoT device as<br />
'trusted' in today's environment. "This is<br />
where Zero Trust is a critical concept to<br />
control and mitigate associated security<br />
risks. When it comes to the influx of IoT<br />
devices, securing networks is no longer<br />
enough. Organisations should be looking<br />
to models that secure the data and assets<br />
those networks are there to carry.<br />
"Rather than assuming any device on a<br />
network must have passed a security<br />
checkpoint and is therefore trustworthy,<br />
Zero Trust assumes every action is<br />
potentially malicious and performs<br />
security on an ongoing, case-by-case<br />
basis," he points out.<br />
"Defending against the cyber threats<br />
facing IoT devices is not a losing battle.<br />
However, the industry must establish<br />
standards and best practices for Zero<br />
Trust, in order to successfully implement<br />
this and ensure that proactive mitigation<br />
of cyber threats is a commonplace tactic<br />
for protecting IoT devices against increasingly<br />
sophisticated cyber criminals."<br />
zero trust<br />
TO TRUST OR NOT TO TRUST,<br />
THAT IS THE QUESTION<br />
WHAT EXACTLY IS ZERO TRUST AND HOW CAN THIS BE ACHIEVED?<br />
TOM HILLS, PRE-SALES CONSULTANT, SECURENVOY, OFFERS HIS<br />
INSIGHTS ON THIS CHALLENGING TOPIC<br />
The fundamental belief of Zero Trust<br />
is that organisations should not<br />
automatically trust anything inside or<br />
outside the organisation's IT boundaries.<br />
Implicit trust should be removed and<br />
risk-appropriate explicit trust used before<br />
allowing that user (or Identity) any form of<br />
access to the organisation. Zero Trust can<br />
be a bit of a misnomer, because it doesn't<br />
mean necessarily 'no trust', but is the basis<br />
of establishing trust first. As we're all too<br />
familiar with today, existing IT architectures<br />
in organisations are rife with implicit trusts.<br />
Historically, architectures have been built with products and solutions that provide hardened perimeters at physical locations, wrapped around a fleshy and chewy interior - think 'prickly pear' or a 'castle and moat' scenario.<br />
Zero Trust presents a change in mentality<br />
that defence shouldn't just extend to the<br />
perimeter of our network, but also challenge<br />
what is already inside. Analysis of the most<br />
egregious security breaches shows us they<br />
were successful because, after penetrating<br />
the firewalls, attackers were able to laterally<br />
move around undetected and unchallenged<br />
by exploiting implicit trusts. Therefore, implicit trusts are unsuitable for preventing modern threats, now more than ever in 2021, especially with the change in modern working environments. The number of<br />
people working from home during 2020<br />
doubled in the UK as a result of the<br />
pandemic. This has not suddenly caused<br />
people to become untrustworthy; it is just<br />
now their environments and equipment are<br />
not so secure. Organisations, rightly,<br />
extended their VPNs, but this created a large<br />
and easy target for attackers. The network,<br />
still supporting implicit trust, cannot adapt<br />
to the new working environment.<br />
Combine the possibility of users bringing their own unmanaged devices with the data the user is accessing being outside a physical office or network perimeter, and the associated risks have greatly increased.<br />
When working remotely, users have been<br />
seen to be less security aware and more<br />
susceptible to click on suspicious links or files.<br />
According to Cyber Crime Magazine, global ransomware damages are expected to reach $20bn by 2021!<br />
For an organisation setting out to achieve Zero Trust, this will require systematically removing the existing implicit trusts within the environment. There are also challenges in changing mentalities, as well as in implementing technologies and resources. It's not an overnight transformation and there is no single silver bullet to apply; it is as much about business processes as about technology. Some starting points are:<br />
Assume compromise and that the<br />
attacker is currently active<br />
Use context and Identity (Contextual<br />
Identity) as the foundation for access<br />
decisions<br />
Location isn't a key trust factor, but<br />
may be one attribute to develop trust<br />
Encrypt your data at rest and in transfer<br />
Monitor everything to identify and<br />
investigate anomalies.<br />
Building an architecture that 'never trusts,<br />
always verifies' leads to a highly resilient and<br />
flexible environment, which is more capable<br />
of meeting modern working demands and<br />
makes potential attackers' lives more difficult.<br />
If an anomaly were to be detected, staff have<br />
more time to react and isolate and manage<br />
the incident, whether network breach,<br />
ransomware outbreak or data compromise.<br />
HOW CAN SECURENVOY PRODUCTS<br />
CONTRIBUTE TO A ZERO TRUST<br />
MODEL?<br />
SecurEnvoy offerings in IAM (Identity and<br />
Access Management), MFA (Multi Factor<br />
Authentication) and DLP (Data Loss<br />
Prevention) can help build foundations<br />
of a Zero Trust architecture model.<br />
MODERN AUTHENTICATION<br />
Modern authentication is the combination<br />
of access policies and MFA. SecurEnvoy<br />
introduces adaptive, conditional access to<br />
determine if access will be allowed and/<br />
or MFA enforced. Based on the signals<br />
SecurEnvoy receives, we're able to<br />
automatically (or on a configured basis)<br />
control whether a user can access and if<br />
they're prompted for MFA or not. Based<br />
on these signals, we're able to verify again,<br />
before trusting. Least Privilege is also a<br />
methodology that complements Zero Trust -<br />
that users will only be allowed the least<br />
amount of access required to complete<br />
their task or the job at hand.<br />
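As an added illustration of the adaptive, conditional access decision described above (example code written for this edit, not SecurEnvoy's product or API; every signal, role, country list and freshness threshold below is a constructed assumption), a small policy engine turns request signals into ALLOW, step-up MFA or DENY, with least privilege applied first and location treated as one attribute rather than a grant:

```python
"""Illustrative contextual-access policy engine (added example, not SecurEnvoy code)."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    MFA = "mfa"    # access only after a fresh MFA response is verified
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: FrozenSet[str]       # roles asserted by the identity provider
    device_managed: bool        # enrolled, compliant corporate device?
    network: str                # "office", "vpn", "home" or "unknown"
    country: str                # country code derived from the client address
    resource: str               # target application
    mfa_age_sec: Optional[int]  # seconds since the last verified MFA; None = never


# Least privilege: each resource names the roles permitted to reach it (constructed).
RESOURCE_ROLES = {
    "hr-payroll": {"hr", "finance"},
    "crm": {"sales", "support"},
    "intranet": {"staff", "hr", "finance", "sales", "support"},
}

# Sensitivity sets how fresh the last MFA proof must be, in seconds (constructed).
MFA_FRESHNESS = {"hr-payroll": 15 * 60, "crm": 8 * 3600, "intranet": 24 * 3600}

ALLOWED_COUNTRIES = {"GB", "IE"}  # constructed policy value


def evaluate(req: AccessRequest) -> Tuple[Decision, str]:
    """Evaluate one request and return (decision, rule that produced it)."""
    # 1. Identity and least privilege first: without a permitted role, no amount of
    #    favourable context grants access.
    permitted = RESOURCE_ROLES.get(req.resource)
    if permitted is None:
        return Decision.DENY, "unknown resource"
    if not (req.roles & permitted):
        return Decision.DENY, "role not permitted for resource"

    # 2. Hard contextual block: requests from outside the allowed geographies are
    #    refused outright rather than stepped up.
    if req.country not in ALLOWED_COUNTRIES:
        return Decision.DENY, "country outside policy"

    # 3. Device state and location only adjust the assurance required; being on the
    #    office network is one attribute, never an implicit grant.
    freshness = MFA_FRESHNESS[req.resource]
    if not req.device_managed:
        freshness = min(freshness, 15 * 60)   # unmanaged device: re-verify often
    if req.network in ("home", "unknown"):
        freshness = min(freshness, 60 * 60)   # off-network: proof at most an hour old

    # 4. Verify again before trusting: step up when the last proof is too old.
    if req.mfa_age_sec is None or req.mfa_age_sec > freshness:
        return Decision.MFA, f"mfa proof older than {freshness}s for this context"
    return Decision.ALLOW, f"mfa proof within {freshness}s"


if __name__ == "__main__":
    demo = AccessRequest("alice", frozenset({"hr"}), True, "office", "GB", "hr-payroll", 600)
    print(evaluate(demo))  # (Decision.ALLOW, 'mfa proof within 900s')
```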
A rule-based access policy can also be<br />
configured - see next page:<br />
controls, inadvertent data leaks are<br />
prevented.<br />
MFA responses can be delivered in<br />
real time (or preloaded) using SMS,<br />
email, PUSH or a Soft token via the<br />
SecurEnvoy Authenticator App.<br />
Also, integration with biometrics and<br />
the use of hardware tokens means MFA<br />
is always available, even if the user is<br />
offline. SecurEnvoy's MFA can also be<br />
implemented right at the very start<br />
of the user's interaction with the<br />
environment - by applying MFA at<br />
the point of authentication into the<br />
environment with the Windows Login<br />
Agent (WLA). We can be certain that<br />
the user is who they say they are by<br />
prompting that user for an MFA<br />
response. WLA can support Windows<br />
Endpoints and Servers both console<br />
and remote connections.<br />
In addition, MFA can also be applied<br />
against VPNs, IIS applications, RDS and<br />
ADFS enabled applications. This ensures<br />
remote connectivity is secured and<br />
access to applications protected against<br />
unauthorised access with just username<br />
and passwords. We know username and<br />
passwords just aren't enough anymore.<br />
IAM<br />
SecurEnvoy's IAM product synchronises<br />
across multiple directories (Azure AD,<br />
Microsoft AD, Google Workspace)<br />
to become the single source of truth<br />
for user directory membership and<br />
management. Bi-directional synchronisation<br />
means, if a change is made<br />
in either SecurEnvoy or directory, the<br />
change is synched everywhere.<br />
At the directory level, we are clearly<br />
able to detect if anyone is attempting to<br />
elevate permissions through the directory.<br />
Secondly, SecurEnvoy IAM also serves as<br />
a portal for users to access their cloud<br />
applications and resources. Leveraging<br />
SAML, SecurEnvoy can provide SSO onto<br />
these applications, such as Salesforce,<br />
Workday, O365 etc. Once federated with<br />
these applications, access is only possible<br />
via SecurEnvoy.<br />
DLP<br />
SecurEnvoy's DLP product can go<br />
towards securing access to critical data.<br />
We're able to classify data and control<br />
the movement of that data. By using<br />
stringent email sender and recipient<br />
SecurEnvoy DLP can discover where<br />
data resides, monitor and detect access<br />
to data. One data protection policy can<br />
provide a single pane of glass view into<br />
the visibility of your data.<br />
PATHWAY TO ZERO TRUST<br />
Knowing in real time exactly where data<br />
resides, who has access to that data and<br />
protecting the transfer methods of that<br />
data can go towards achieving Zero Trust<br />
by ensuring that only verified users can<br />
access the data. Automated controls are<br />
in place to prevent activities occurring<br />
that are outside of the level of trust.<br />
To summarise, the future of work will<br />
be hybrid, so a modern working environment<br />
must be flexible and adaptive. It<br />
must support remote workers, remote<br />
data and remote applications (such as<br />
SaaS). The architecture may restrict<br />
access, but it must be flexible enough to<br />
support an increasingly interconnected<br />
business. It must adapt to the needs<br />
of the business, while allowing that<br />
business to thrive, despite the threats<br />
enabled by being so connected.<br />
CONTEXT AND IDENTITY<br />
Zero Trust supports all these goals by<br />
using context and identity as the control<br />
plane and minimising access to the least<br />
required to do the job at hand. This<br />
allows the business to work as needed<br />
and not to be inappropriately constrained<br />
by security controls.<br />
Users can have risk-appropriate access<br />
to resources from any device, any time<br />
and any location, and with the same<br />
security controls in place, regardless of<br />
the situation. It enables the secure use<br />
of cloud computing and secure access to<br />
on-premises resources and facilitates the<br />
migration from the latter to the former.<br />
Q&A<br />
WELCOME TO THE (THIRD) PARTY!<br />
COMPUTING SECURITY RECENTLY CAUGHT UP WITH HORNETSECURITY CHIEF TECHNICAL OFFICER<br />
YVONNE BERNARD TO FIND OUT HER THOUGHTS ON CLOUD EMAIL SYSTEMS AND THEIR RAPID UPTAKE<br />
Computing Security: According to a<br />
market survey on email security carried<br />
out by analysts Gartner, the adoption<br />
of cloud email systems continues to grow,<br />
"forcing security and risk management<br />
leaders to evaluate the native capabilities<br />
offered by these providers". What do you see<br />
as the most compelling reasons to go down<br />
the cloud email systems route?<br />
Yvonne Bernard: It is a fact that the more<br />
popular a platform is, the more likely it is to<br />
be targeted by cyberattacks - because<br />
there are lucrative gains to be<br />
made. Boosting inbuilt protection<br />
therefore is key and largely boils<br />
down to cost: how much are you<br />
able and willing to pay for<br />
security? In other surveys, Gartner<br />
recommends investing in third-party<br />
security to decrease the risk<br />
of cyberattacks targeted at cloud<br />
customers that currently only rely<br />
on native, out-of-the-box security<br />
features, such as when using<br />
Microsoft 365. An additional<br />
layer of security is a must to give<br />
customers the peace of mind<br />
they need and deserve. Some<br />
features, like our Ex Post Deletion,<br />
are true lifesavers for the IT<br />
admins and MSPs who rely on<br />
our solutions to protect customer<br />
data.<br />
CS: Not everyone, of course, has<br />
been convinced that they need to<br />
move to a cloud email system - at<br />
least not yet. Why do you feel that<br />
might be and are there indeed solid<br />
alternatives that make just as much<br />
sense?<br />
YB: In most cases, those who fear a move<br />
to cloud email systems do so because they<br />
think they may lose control by not having<br />
physical control over their data and its flow.<br />
Although such concerns have been<br />
addressed years ago from a compliance<br />
perspective, they continue to haunt a few<br />
customers and keep them from moving into<br />
the cloud. However, a cloud email system<br />
brings many benefits, including reduced<br />
maintenance and operational costs, and far<br />
superior security if used with a third-party<br />
solution, and it is these factors that have<br />
convinced so many customers to move away<br />
from their on-prem solution to the cloud.<br />
CS: How does Hornetsecurity's own<br />
Managed Security Services solution help<br />
protect businesses from the kind of<br />
increasingly malicious and sophisticated<br />
attacks we are now seeing?<br />
YB: We are proud to have a fantastic in-house<br />
Security Lab, which not only monitors<br />
our current traffic, but also the latest trends<br />
in attacks, darknet, etc. This allows us to<br />
always be at least one step ahead and be<br />
proactive. In addition to that, our product's<br />
AI engines also learn new patterns before<br />
they even appear in research or real-world<br />
traffic.<br />
CS: Data storage is an important part<br />
of the Hornetsecurity offering. How can<br />
organisations be sure that their precious data<br />
is really and truly safe? Aren't they taking<br />
something of a gamble by handing over<br />
ownership to a third party?<br />
YB: Hornetsecurity offers its own high-performance,<br />
redundant, S3-compatible<br />
storage in our data centres. Customers<br />
can choose which location (EU, UK, US,<br />
Canada) they want to use to meet their<br />
compliance needs. Ultimately, it is a question<br />
of trust and so far our customers are very<br />
happy with the choice they made: we have<br />
received very positive feedback about the<br />
availability, security, speed and quality of our<br />
data storage technology.<br />
CS: What are the most worrying forms of<br />
threats we are likely to see in the coming<br />
months, years?<br />
YB: Deepfakes and multi-level threats (e.g.,<br />
email, phone, video) are rising. Therefore, it<br />
is important not only to rely on email security<br />
to protect both company data and<br />
employees, but also to adopt a holistic<br />
approach to company security that includes<br />
IT security awareness training.<br />
CS: IT security awareness training is<br />
something Hornetsecurity has just invested<br />
in. Tell me more about that acquisition and<br />
the reasoning behind it.<br />
YB: Yes, we recently acquired IT-Seal, a<br />
security awareness training company that<br />
specialises in establishing a sustainable<br />
security culture. Apart from promoting<br />
cybersecurity awareness to our partners and<br />
customers through educational blog posts,<br />
ebooks, webinars and reports, we can now<br />
provide IT security training as part of our<br />
cybersecurity package. This way, coupled<br />
with our established email security and<br />
backup and recovery solutions, we can cover<br />
all aspects of the awareness-prevention-detection<br />
cycle, with a particular focus on<br />
Microsoft 365. The automated training<br />
service uses innovative technologies to train<br />
employees and includes a scientific, patented<br />
security awareness indicator (Employee<br />
Security Index - ESI) to make security<br />
awareness measurable and comparable.<br />
Every person makes an important<br />
contribution to everyone's IT security and<br />
focusing on the human factor through<br />
training helps secure both the digital society<br />
and the economy, as well as our customers.<br />
CS: How do vendors like Hornetsecurity<br />
keep pace with the ever-steepening threat<br />
curve? Is that even possible?<br />
YB: It's an arms race: you constantly have to<br />
be ahead of the attackers - which means you<br />
have to invest heavily into research, as well<br />
as finding and training the right staff to cope<br />
with the increasing challenges. From my<br />
point of view, having employees with the<br />
right mindset is hugely important - as you<br />
can educate them and they will step up to<br />
the next level with intrinsic motivation and<br />
the right skills.<br />
CS: How is the emergence of quantum<br />
computing going to worsen the concerns<br />
that organisations already feel and what<br />
would Hornetsecurity like to see done at<br />
a governmental level to help ward off those<br />
threats, by working with vendors such as<br />
yourselves?<br />
YB: Quantum computing was the last area<br />
I had focused on when completing my<br />
Master's degree at university. It was purely<br />
theoretical back then and has now become<br />
reality. Having said that, I do not think this<br />
is so much something to worry about,<br />
but rather it has great potential to solve<br />
computational problems faster than ever.<br />
Yes, this power can be used to break<br />
encryption, but it can also be used for a<br />
good cause. Quantum computing will, of<br />
course, lead to a faster deprecation of non-resistant<br />
cipher suites, but there are already<br />
quantum-computing resistant cipher suites<br />
available and we are already well prepared<br />
for real-world usage.<br />
ransomware<br />
RANSOMWARE DEMAND? 'DON'T PAY IT!'<br />
REPORTS THAT SOME SOLICITORS MAY HAVE BEEN ADVISING CLIENTS TO PAY A RANSOM,<br />
IN THE BELIEF IT WILL KEEP DATA SAFE OR LEAD TO A LOWER PENALTY, HAVE CAUSED A BACKLASH<br />
In a recent letter to the Law Society, the<br />
National Cyber Security Centre (NCSC) -<br />
which is a part of GCHQ - and the<br />
Information Commissioner's Office (ICO)<br />
say they have seen evidence of a rise in<br />
ransomware payments and that, in some<br />
cases, solicitors may have been advising<br />
clients to pay, in the belief that it will keep<br />
data safe or lead to a lower penalty from<br />
the ICO. They have asked the Law Society<br />
to remind its members of their advice on<br />
ransomware and emphasise that paying<br />
a ransom will not keep data safe or be<br />
viewed by the ICO as a mitigation in<br />
regulatory action.<br />
How sound is their advice and should<br />
anyone hit by ransomware follow it without<br />
exception? What if your organisation faces<br />
possible meltdown from such an attack,<br />
unless it can get its systems back up and<br />
running - and fast? Most importantly, for<br />
those who have never yet been a victim, is<br />
a ransomware attack bound to succeed, if<br />
you are targeted, or are there 'foolproof'<br />
ways to stay protected?<br />
"Payment of a ransom is fundamentally an<br />
act enabling future attacks," comments Tim<br />
Mackey, principal security strategist at the<br />
Synopsys Cybersecurity Research Centre for<br />
Ransomware. "The perception that payment<br />
will guarantee a quick resolution to the<br />
problem of lost access to systems and data is<br />
a fallacy. Ransomware is an evolutionary<br />
tactic used by cyber criminals as part of<br />
their criminal operations. Five years ago,<br />
the hot topic in cyber defence was data<br />
breaches where criminals sold access to<br />
data acquired in an attack. This then<br />
evolved to ransomware, wherein the<br />
criminals encrypted data and could<br />
nominally sell restoration of operations<br />
upon payment of a ransom to their victims.<br />
"Of course, nothing prevented those<br />
criminals from also selling the data they<br />
encrypted, meaning they now have at least<br />
two revenue streams. Since the primary<br />
business objective for these criminals is<br />
monetary gain, it should come as no<br />
surprise that they test their encryption<br />
better than they do their restoration<br />
processes - and that there is no support line<br />
to call, should the restoration process fail.<br />
They are, after all, criminals, so there is<br />
nothing to prevent one criminal group from<br />
compiling a list of victims willing to pay<br />
ransom and then selling that to other<br />
criminal organisations."<br />
Mackey says that addressing ransomware<br />
needs to move from a reactionary mindset<br />
to a proactive one. "If your organisation isn't<br />
performing threat model analysis with a<br />
focus on defending against data breaches<br />
and ransomware, then you are more likely<br />
to fall victim to ransomware than an<br />
organisation which did put in the effort.<br />
Such threat modelling would look at how<br />
systems and data are accessed, by whom<br />
and what the scope of access might be. It<br />
then looks at how systems are deployed,<br />
and how data is retained, backed up and<br />
processed to determine potential access<br />
points an attacker might use to gain access.<br />
Those access points are then candidates for<br />
increased monitoring for abnormal or<br />
unexpected usage - all with the goal of<br />
identifying something out of normal<br />
operations quickly.<br />
"Whatever set of threats that are identified<br />
should be addressed, but there should also<br />
be an emphasis on the processes teams<br />
should follow in the event of an attack,<br />
along with simulated drills," he adds. "After<br />
all, the worst point in time to create an<br />
incident response plan is whilst in the midst<br />
of addressing an incident. It is precisely the<br />
lack of response planning that leads some<br />
organisations to believe that it's expedient<br />
to pay a ransom."<br />
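As an added illustration of the increased monitoring for abnormal or unexpected usage that Mackey describes above (and of the 'monitor everything' starting point in the Zero Trust piece), this is example code written for this edit, not Synopsys's or any vendor's tooling: it runs over constructed file-server audit lines and flags a user whose recent activity looks like bulk encryption. The log format, the known-extension list, the window and the thresholds are all constructed assumptions.

```python
"""Added example: flag ransomware-like bursts of file rewrites in constructed audit log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <user> <op> <path>"; RENAME carries "old -> new".
SAMPLE_LOG = """\
2022-09-12T09:00:01 alice WRITE /share/finance/q3.xlsx
2022-09-12T09:03:10 alice READ /share/finance/q2.xlsx
2022-09-12T09:04:30 carol WRITE /share/eng/design.docx
2022-09-12T09:05:00 bob WRITE /share/hr/policy.docx
2022-09-12T09:05:01 bob RENAME /share/hr/policy.docx -> /share/hr/policy.docx.lckd
2022-09-12T09:05:01 bob WRITE /share/hr/payroll.xlsx
2022-09-12T09:05:02 bob RENAME /share/hr/payroll.xlsx -> /share/hr/payroll.xlsx.lckd
2022-09-12T09:05:02 bob WRITE /share/hr/contracts.pdf
2022-09-12T09:05:03 bob RENAME /share/hr/contracts.pdf -> /share/hr/contracts.pdf.lckd
2022-09-12T09:05:03 bob WRITE /share/hr/README.txt
2022-09-12T09:05:04 bob RENAME /share/hr/README.txt -> /share/hr/README.txt.lckd
2022-09-12T09:06:00 carol RENAME /share/eng/design.docx -> /share/eng/design-v2.docx
2022-09-12T09:10:00 alice WRITE /share/finance/q3.xlsx
"""

# Extensions this (constructed) environment normally produces; anything else is "unknown".
KNOWN_EXTENSIONS = {"xlsx", "docx", "pdf", "txt", "pptx"}


def parse_line(line):
    """Return (timestamp, user, op, extension of the resulting path)."""
    ts_text, user, op, rest = line.split(" ", 3)
    new_path = rest.split(" -> ", 1)[1] if op == "RENAME" else rest
    filename = new_path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return datetime.fromisoformat(ts_text), user, op, ext


def detect(log_text, window=timedelta(seconds=60), burst_threshold=8, odd_ext_threshold=4):
    """Sliding-window check per user; returns a list of (user, timestamp, reason).

    Two signals are scored inside the window: a raw burst of writes, and renames
    that leave files with an extension the environment never uses. One alert is
    raised per burst; a user may alert again once their activity drops back below
    the thresholds.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, op, ext) inside the window
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, op, ext = parse_line(raw)
        if op not in ("WRITE", "RENAME"):
            continue                 # reads are normal and not scored here
        q = recent[user]
        q.append((ts, op, ext))
        while q and ts - q[0][0] > window:
            q.popleft()              # expire events outside the window
        writes = sum(1 for _, o, _ in q if o == "WRITE")
        odd_renames = sum(1 for _, o, e in q if o == "RENAME" and e not in KNOWN_EXTENSIONS)
        reason = None
        if odd_renames >= odd_ext_threshold:
            reason = f"{odd_renames} renames to unknown extension within {window.seconds}s"
        elif writes >= burst_threshold:
            reason = f"{writes} writes within {window.seconds}s"
        if reason and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts.isoformat(), reason))
        elif not reason:
            alerted.discard(user)    # burst over; a later burst may alert again
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In practice the baseline, window and extension list would come from the organisation's own audit data rather than the constants above.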
RANSOMWARE PROLIFERATING<br />
"It's estimated that there are now over 120<br />
separate families of ransomware and<br />
hackers have become very adept at hiding<br />
malicious code," states Jornt van der Wiel,<br />
security researcher, Global Research &<br />
Analysis Team. "Ransomware is a relatively<br />
easy way for hackers to gain financial<br />
rewards, which is partly behind its rise.<br />
Another factor was the Covid-19 pandemic.<br />
The accelerated digitisation of many<br />
organisations, coupled with remote<br />
working, created new targets for<br />
ransomware. Ransomware attackers are<br />
becoming more sophisticated in their<br />
phishing exploits through machine learning<br />
and with more coordinated sharing on the<br />
dark web. Hackers typically demand<br />
payment in cryptocurrencies, which are<br />
difficult to trace. We can expect to see<br />
more ransomware attacks on organisations<br />
that are not cyber secure in the near term."<br />
When identifying ransomware, a basic<br />
distinction must be made, he advises. In<br />
particular, certain types of ransomware are<br />
very popular:<br />
Locker ransomware. "This type of malware<br />
blocks basic computer functions. For<br />
example, you may be denied access to the<br />
desktop, while the mouse and keyboard<br />
are partially disabled. This allows you to<br />
continue to interact with the window<br />
containing the ransom demand in order<br />
to make the payment."<br />
Crypto ransomware. "The aim of crypto<br />
ransomware is to encrypt your important<br />
data, such as documents, pictures and<br />
videos, but not to interfere with basic<br />
computer functions. This spreads panic,<br />
because users can see their files, but cannot<br />
access them."<br />
WordPress ransomware: as the name<br />
suggests, this targets WordPress website<br />
files. "The victim is extorted for ransom<br />
money, as is typical of ransomware. The<br />
more in-demand the WordPress site,<br />
the more likely it is to be attacked by<br />
cybercriminals using ransomware."<br />
The Wolverine case. "Wolverine Solutions<br />
Group [a healthcare supplier] was the victim<br />
of a ransomware attack in September 2018.<br />
The malware encrypted a large number of<br />
the company's files, making it impossible for<br />
many employees to open them. Fortunately,<br />
forensics experts were able to decrypt and<br />
restore the data on October 3. However, a<br />
lot of patient data was compromised in the<br />
attack. Names, addresses, medical data and<br />
other personal information could have<br />
fallen into the hands of cybercriminals."<br />
So, how do you stay safe, in the face of all<br />
these threats? By addressing all of these<br />
negatives, suggests van der Wiel:<br />
The device used is no longer state of<br />
the art<br />
The device has outdated software<br />
Browsers and/or operating systems<br />
are no longer patched<br />
No proper backup plan exists<br />
Insufficient attention has been paid<br />
to cybersecurity and a concrete plan<br />
is not in place.<br />
'MILLIONS OF DOLLARS' RANSOM<br />
DEMAND<br />
Meanwhile, Sygnia's Incident Response<br />
team has been methodically tracking the<br />
'Luna Moth' ransom group over the last few<br />
months. Its modus operandi "resembles<br />
scammers, with the twist of corporate data<br />
theft, leveraging the threat of publication to<br />
demand millions of dollars in ransom".<br />
'Luna Moth' focuses on data breach<br />
extortion attacks, threatening to leak stolen<br />
information if the demanded ransom is not<br />
paid. The initial compromise is achieved by<br />
deceiving victims in a phishing campaign<br />
under the theme of Zoho MasterClass and<br />
Duolingo subscriptions, leading to the<br />
installation of an initial tool on the<br />
compromised host.<br />
"The group uses commercial remote<br />
administration tools [RATs] and publicly<br />
available tools to operate on compromised<br />
devices and maintain persistency,<br />
demonstrating once more the simplicity<br />
and effectiveness of ransom attacks," says<br />
Sygnia. "The group acts and operates in an<br />
opportunistic way: even if there are no<br />
assets or devices to compromise in the<br />
network, they exfiltrate any data that is<br />
accessible; this emphasises the importance<br />
of managing sensitive corporate<br />
information."<br />
With the rise in ransomware activity over<br />
the past years, the security industry has<br />
become used to hearing about double<br />
extortion, and even triple extortion attacks,<br />
and new crime groups of all kinds. In a blog<br />
post, Sygnia has shed light on a relatively<br />
new threat actor, which goes by the name<br />
of the 'Silent Ransom Group' (or 'SRG') - and<br />
then was dubbed 'Luna Moth' by Sygnia. "By<br />
launching a phishing campaign with a wide<br />
coverage area, 'Luna Moth' infiltrates and<br />
compromises victim devices. These attacks<br />
can be categorised as data breach ransom<br />
attacks, in which the main focus of the<br />
group is to gain access to sensitive<br />
documents and information, and demand<br />
payment to withhold publication of the<br />
stolen data. Simple as they may be, these<br />
attacks can create serious issues for victims,<br />
if sensitive data and information is stolen in<br />
this way."<br />
In response to the 'Luna Moth' attack,<br />
Mark Warren, product specialist, Osirium,<br />
had this to say: "The increase in cases of<br />
phishing attacks highlights just how<br />
sophisticated these threats are becoming,<br />
in order to circumvent both people and<br />
processes. Training of staff will help avoid<br />
falling victim to these attacks, but that<br />
needs to be backed up by systems and<br />
processes that prevent or limit damage<br />
when the attacks break through (as they<br />
will, given the volume of attacks issued<br />
and human fallibility).<br />
"All organisations should remove local<br />
admin permissions from end users to<br />
prevent malware installation [but do it in<br />
a way that doesn't stop them from doing<br />
their work] and users should never have<br />
direct access to either valuable corporate IT<br />
systems or the admin accounts on those<br />
systems."<br />
Jon Fielding, Apricorn: training should be<br />
combined with a policy that mandates<br />
the encryption of all data as standard.<br />
Jornt van der Wiel, Kaspersky: estimates<br />
indicate that there are now more than<br />
120 separate families of ransomware.<br />
www.computingsecurity.co.uk @<strong>CS</strong>MagAndAwards <strong>Sep</strong>t/<strong>Oct</strong> <strong>2022</strong> computing security<br />
19
RISK MANAGEMENT<br />
According to Jon Fielding, managing<br />
director EMEA of Apricorn, each employee<br />
must be considered as an individual<br />
endpoint that needs to be managed and<br />
secured. "This sounds like a Herculean task,<br />
but a combination of policy, education and<br />
technology will make the process pretty<br />
straightforward. Employee training is often<br />
mentioned as the key factor in managing<br />
risk - and ongoing education in best<br />
practice is indeed crucial to engaging the<br />
workforce in strengthening the company's<br />
security posture. They also need to fully<br />
understand the context around what<br />
they're being asked to do: the specific<br />
threats the business faces, the risks<br />
associated with mishandling information,<br />
and the potential consequences of a<br />
breach."<br />
At the same time, he recognises that<br />
humans will remain fallible, however well<br />
versed they are in the risks to data and<br />
systems and the cybersecurity policies they<br />
must follow. "In Apricorn's latest survey of IT<br />
decision makers, 31% said they expected<br />
employees who were aware of the risks of<br />
a data breach to still lose data and expose<br />
the organisation to a potential breach.<br />
Meanwhile, phishing and user error were<br />
cited as the main causes of breaches within<br />
the surveyed organisations - emphasising<br />
the continued risk that employees pose to<br />
the integrity of critical information."<br />
This is why training should be combined<br />
with a policy that mandates the encryption<br />
of all data as standard, whether it's at rest<br />
or in transit, he continues. "When<br />
information is encrypted, it's fully protected<br />
- if an unauthorised individual gains entry<br />
to an IT system or picks up a device that's<br />
been left in an Uber, for instance, it will<br />
remain unreadable. Automatic encryption<br />
will secure the endpoint and the data,<br />
without employees needing to do anything<br />
extra or change the way they work.<br />
"Finally, an effective backup strategy will<br />
further protect data by enabling it to be<br />
recovered and restored quickly, if an<br />
employee does make a mistake that results<br />
in a breach - for instance, by clicking on a<br />
ransomware link. Information should be<br />
backed up regularly, to at minimum one<br />
onsite and one offsite location, and one<br />
copy should be held offline. One of the<br />
most straightforward ways to create offline<br />
backups is to store files on high-capacity<br />
external hard drives and USBs, which can<br />
be disconnected from the network to<br />
create an air gap between information and<br />
threat. These will also provide employees<br />
with the capability to recover data quickly<br />
and locally, if needs be, as well as being<br />
able to safely move data around offline."<br />
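Added example, not from the article or from Apricorn: a small Python check of a backup inventory against the policy Fielding describes, at least one onsite copy, one offsite copy and one offline (air-gapped) copy per dataset, each refreshed recently enough. The inventory layout, dataset names and age limits are constructed assumptions.

```python
"""Check a backup inventory against a 'one onsite, one offsite, one offline'
policy. Added example: the inventory format, dataset names and age limits
below are constructed assumptions, not any vendor's product feature."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    dataset: str        # what was backed up
    location: str       # "onsite" or "offsite"
    offline: bool       # True if the medium is disconnected from the network (air gap)
    taken_at: datetime  # when the copy completed (UTC)


# Each required role: how to recognise a qualifying copy and how old it may be.
# The 1-day / 7-day limits are assumptions; an offline copy is refreshed less often.
REQUIRED_ROLES = {
    "onsite": (lambda c: c.location == "onsite", timedelta(days=1)),
    "offsite": (lambda c: c.location == "offsite", timedelta(days=1)),
    "offline": (lambda c: c.offline, timedelta(days=7)),
}


def check_backup_policy(copies, now, expected_datasets=()):
    """Return {dataset: [finding, ...]}; an empty list means the dataset is compliant.

    expected_datasets lets the check catch datasets that were never backed up at all,
    which a pure scan of the inventory would silently miss."""
    by_dataset = {}
    for copy in copies:
        by_dataset.setdefault(copy.dataset, []).append(copy)
    for name in expected_datasets:
        by_dataset.setdefault(name, [])

    findings = {}
    for dataset, ds_copies in sorted(by_dataset.items()):
        if not ds_copies:
            findings[dataset] = ["no backups recorded"]
            continue
        problems = []
        for role, (matches, max_age) in REQUIRED_ROLES.items():
            candidates = [c for c in ds_copies if matches(c)]
            if not candidates:
                problems.append(f"no {role} copy")
                continue
            newest = max(candidates, key=lambda c: c.taken_at)
            age = now - newest.taken_at
            if age > max_age:
                problems.append(
                    f"{role} copy is stale ({age.days} days old, limit {max_age.days})"
                )
        findings[dataset] = problems
    return findings


# Constructed sample inventory, evaluated at a fixed point in time.
NOW = datetime(2022, 9, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    # Compliant: onsite disk, offsite cloud, plus a USB drive kept disconnected.
    BackupCopy("finance-share", "onsite", False, NOW - timedelta(hours=6)),
    BackupCopy("finance-share", "offsite", False, NOW - timedelta(hours=8)),
    BackupCopy("finance-share", "onsite", True, NOW - timedelta(days=3)),
    # Only an onsite, network-attached copy: ransomware that reaches the share can reach it too.
    BackupCopy("hr-records", "onsite", False, NOW - timedelta(hours=2)),
    # Offline copy exists but has not been refreshed for 20 days.
    BackupCopy("crm-db", "onsite", False, NOW - timedelta(hours=3)),
    BackupCopy("crm-db", "offsite", True, NOW - timedelta(days=20)),
]
EXPECTED_DATASETS = ["finance-share", "hr-records", "crm-db", "payroll"]


if __name__ == "__main__":
    for dataset, problems in check_backup_policy(SAMPLE_INVENTORY, NOW, EXPECTED_DATASETS).items():
        print(f"{dataset}: {'OK' if not problems else '; '.join(problems)}")
```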
'CASH COW' PAYOUTS<br />
It's no secret that the scale of ransomware<br />
attacks has accelerated in sophistication<br />
and frequency, states Usman Choudhary,<br />
chief product officer of VIPRE, "and those<br />
businesses which fall victim to these types<br />
of attacks are increasingly paying the<br />
ransom, with attackers knowing that, if the<br />
business pays once, they will pay multiple<br />
times. And to the attacker, a successful<br />
ransomware attack can be used on multiple<br />
occasions against many organisations,<br />
turning a simple attack into a cash cow for<br />
criminal organisations. Despite businesses<br />
paying the ransom, there is no guarantee<br />
that the data will be un-encrypted,<br />
returned and not leaked publicly".<br />
However, by mitigating these attacks with<br />
the right process in place, ransomware<br />
threats can be avoided by providing both<br />
the business and the user with the<br />
necessary education and support.<br />
"Consistent security awareness training will<br />
help users to build their knowledge of the<br />
cyber threats they could face and, more<br />
importantly, teach them how to prevent<br />
those attacks from occurring," adds<br />
Choudhary. "Additionally, using technology<br />
solutions such as sandboxing helps to block<br />
malware before it enters the network.<br />
This process allows both the user and the<br />
organisation to remain in control of the<br />
email and the network access points,<br />
preventing dangerous emails from entering<br />
the user's inbox."<br />
Furthermore, he recommends that smart<br />
security email tools should be deployed that<br />
prompt the user to double-check an email<br />
before they click send, for example: 'Are<br />
your recipients the right people to share<br />
this information with?' This type of smart<br />
technology enables the user to make more<br />
informed decisions, while alerting them at<br />
the point of potential data leakage - before<br />
it is too late.<br />
"In the event of a ransomware attack,<br />
having a recovery plan is crucial to<br />
containing and limiting the damage," he<br />
also advises. "It supports an organisation<br />
short-term to minimise disruption, but it<br />
will also benefit businesses long-term to<br />
learn from potential errors. Good business<br />
practice post-attack should ensure that a<br />
retrospective audit is conducted of what<br />
happened, and that these findings are<br />
shared across the business to help develop<br />
the best security approach and mitigate the<br />
risk of another attack occurring again."<br />
Implementing regular security awareness<br />
training, email protection and a recovery<br />
plan are all important layers of cyber<br />
security protection against ransomware<br />
attacks, adds Choudhary. "But, by<br />
themselves, they do not reach the<br />
maximum potential of security and face<br />
leaving potential gaps for attackers to<br />
leverage. Instead, combining them together<br />
and creating a multi-faceted approach is<br />
key to transforming and strengthening<br />
security measures, giving businesses<br />
confidence and reassurance against the<br />
modern threat landscape."<br />
WELCOME WARNING<br />
As ransomware remains one of the most<br />
lucrative and popular cybercriminal tactics,<br />
states Pete Bowers, COO at NormCyber, "we<br />
welcome the N<strong>CS</strong>C's warning: there can be<br />
no mixed messages when it comes to legal<br />
advice - paying the ransom does not<br />
guarantee protection of the stolen data<br />
or a lower penalty by the ICO. The advice<br />
holds up for multiple reasons. Ransomware<br />
is a criminal enterprise where those that pay<br />
the ransom act as 'investors', effectively<br />
funding an attack on the next victim. Be<br />
under no illusion: cybercriminals are not<br />
trustworthy people. Just because they say<br />
they are going to give you the password to<br />
get your systems back up and running<br />
doesn't mean they will, and you could find<br />
yourself out of pocket and still locked out of<br />
your systems. Even if they do give you the<br />
password, what's to stop them returning in<br />
the near future?"<br />
Even if you find a way to minimise the<br />
financial fallout from a ransomware attack,<br />
the fines imposed by the regulator can stack<br />
up, he cautions. "The only way to avoid data<br />
protection pitfalls is to have the adequate<br />
technical and organisational measures in<br />
place. This includes following basic cyber<br />
hygiene practices and regularly backing up<br />
systems and data in secured storage, which<br />
allows the restoration of operations with<br />
minimal disruption. Simply put, there is no<br />
'failproof' way to stay protected from<br />
ransomware - sometimes cybercriminals just<br />
find a way - but certain approaches work<br />
better than others. The most effective<br />
strategy requires joined-up thinking in three<br />
core areas: people, process and technology.<br />
Enforce adequate training of all staff to help<br />
them spot the signs of an attack; instil the<br />
correct processes to allow for a fast<br />
response; and ensure your technology stack<br />
can continuously monitor your network for<br />
malicious activity and known vulnerabilities."<br />
FALSE HOPES<br />
The mantra of 'don't pay the ransom' is an<br />
important message that organisations<br />
should heed, comments Paul Prudhomme,<br />
head of threat intelligence advisory at<br />
Rapid7. "Along with the N<strong>CS</strong>C, both the<br />
FBI and Europol have adopted similar<br />
positions by recommending that enterprises<br />
should not pay ransom demands. If an<br />
organisation pays a ransom, there is no<br />
guarantee that cyber criminals will send a<br />
functioning decryption key. They may try to<br />
extort more money from a compliant victim<br />
or technical errors may prevent the<br />
decryption key from decrypting all files.<br />
Furthermore, paying ransomware groups<br />
helps fund other criminal activities."<br />
In recent years, he points out, cyber<br />
criminals have expanded the scope of<br />
ransomware attacks by using 'double<br />
extortion'. "This usually entails threat actors<br />
not only holding data hostage for money,<br />
but also threatening to release that<br />
data to extort even more money from<br />
organisations. Organisations can take<br />
steps to protect themselves from the data<br />
disclosure layer of double extortion<br />
ransomware attacks. If an organisation<br />
better knows its enemy, it can then pinpoint<br />
which data assets ransomware gangs are<br />
most likely to target for compromise and<br />
disclosure. For example, our research has<br />
shown that 63% of ransomware disclosures<br />
contain finance and accounting data, and<br />
43% contain employee PII [Personal<br />
Identifiable Information] and HR records.<br />
Organisations can place extra layers of<br />
defence, such as encryption and network<br />
segmentation, around those data assets<br />
that ransomware operators are most likely<br />
to target."<br />
By providing additional layers of protection<br />
for particularly vulnerable data assets<br />
such as finance data or employee PII, it<br />
then becomes much harder for threat actors<br />
to expose an organisation's data, adds<br />
Prudhomme. "If ransomware gangs are<br />
unable to use double extortion techniques<br />
on their victim, it deprives them of a means<br />
of exerting additional extortionate pressure<br />
on that victim to pay. Therefore, organisations<br />
must construct lines of defence<br />
against both layers of double extortion."<br />
Backups might be the best line of defence<br />
against file encryption; however, they do<br />
not work against data disclosures, cautions<br />
Prudhomme. "In order to combat data<br />
disclosures, businesses must implement<br />
network segmentation, so as to limit the<br />
likelihood of attackers gaining access to<br />
critical data sets, and encryption to render<br />
them unreadable in the event that attackers<br />
do gain access to them. Whilst it is<br />
important that organisations do not pay<br />
the ransom, it is equally important that<br />
businesses put in proactive security<br />
measures which can stop them from falling<br />
victim to ransomware in the first place."<br />
SAME TARGETS ATTACKED AGAIN<br />
Organisations that pay ransomware<br />
demands think that the problem has gone<br />
away, agrees Karen Crowley, director of<br />
Product Solutions at Deep Instinct.<br />
"However, they couldn't be more wrong.<br />
Our research shows that only 32% of those<br />
who paid a ransom ended up receiving all<br />
their data back and were subsequently left<br />
alone. Once cybercriminals have taken<br />
advantage, history shows they will strike<br />
the same target again. In fact, 38% of<br />
organisations who paid got their data back,<br />
then received further demands. An additional<br />
30% who paid the ransom only<br />
received a portion of their data or got<br />
nothing back at all."<br />
While some organisations pay the ransom,<br />
in order to avoid business consequences<br />
like downtime, others pay due to a lack of<br />
understanding when it comes to the true<br />
financial risk, she adds. "Unfortunately,<br />
many organisations experience significant<br />
disconnects among senior decision makers<br />
when it comes to the realities of a ransomware<br />
attack. CFOs, in particular, play a<br />
leading role in resource management and<br />
budgeting, yet only 12% were actively<br />
involved in determining the organisation's<br />
risk from a cyberattack and only 28% had<br />
a critical role in planning an effective<br />
response."<br />
Despite the potentially enormous financial<br />
impact of a ransomware attack, only 14%<br />
of CFOs were directly involved in the final<br />
decision to pay these ransoms, compared<br />
to nearly a third of CEOs, CISOs and other<br />
technical heads, reveals Crowley. "When<br />
CFOs have not been engaged in the conversation<br />
around ransomware, organisations<br />
are unlikely to accurately assess the<br />
monetary value of their data and digital<br />
assets. Research has shown that 34% of<br />
organisations have tried and failed, were<br />
unhappy with the result or had only taken<br />
a broad estimate in the first place when<br />
trying to assess the value of their data and<br />
digital assets."<br />
Key decision makers must have a seat at<br />
the table to create a plan for how they will<br />
react and to understand the financial<br />
impact if they are hit by ransomware,<br />
Crowley concludes. "CEOs, CIOs and CISOs<br />
must work in partnership with the CFO<br />
or financial director to properly calculate<br />
and assess their financial risk, and create<br />
proactive strategy to financially prepare the<br />
businesses."<br />
product review<br />
GATEWATCHER AIONIQ<br />
As cyber-attacks increase in<br />
magnitude and sophistication,<br />
organisations of all sizes can no<br />
longer afford to constantly play catch-up.<br />
They need to stay one step ahead of<br />
cybercriminals, if they want to survive.<br />
Gatewatcher's AIONIQ changes the<br />
landscape. This next-generation NDR<br />
(network detection & response) solution<br />
combines artificial intelligence (AI)-powered<br />
human insight, machine learning, and<br />
statistical and dynamic analysis, allowing it<br />
to map and behaviourally analyse all threats<br />
and provide full visibility into targeted attacks.<br />
AIONIQ is an exciting new platform<br />
designed to detect zero-day and<br />
advanced cyber threats from day one<br />
of installation and claims extremely low<br />
false positives for fast mean time to<br />
detect (MTTD) rates. It offers a barrage<br />
of sophisticated technologies, as, along<br />
with passively mapping all organisation<br />
assets and users, it provides Shellcode<br />
and PowerShell decoding to detect<br />
advanced attacks, incorporates Cyber<br />
Threat Intelligence feeds, employs<br />
16 anti-malware engines to reassemble<br />
and scan every file, and implements<br />
sandboxing for deeper file analysis.<br />
Deployment options are extensive, as<br />
AIONIQ supports on-premises, hybrid and<br />
Cloud models. Central to all operations is<br />
the Gatewatcher GCenter management<br />
server, which stores and analyses all<br />
information sent to it by virtual and<br />
physical GCAP detection probes, provides<br />
configuration and reporting interfaces,<br />
and exports data to SIEM systems.<br />
Connected to a TAP, packet broker<br />
or switch mirror port, GCAP probes<br />
analyse received flows to detect, capture,<br />
reconstruct, sort and transmit files,<br />
malicious code and events to the GCenter.<br />
Multiple probes can be deployed locally<br />
and remotely. This architecture allows<br />
AIONIQ to provide a full 360-degree<br />
risk view, as it can analyse all internal,<br />
external, north-south and east-west<br />
communications, and detect lateral<br />
movement, exfiltration and compromised<br />
endpoints.<br />
The GCenter web console opens with<br />
informative dashboards offering a curated<br />
view of all risks, allowing security operation<br />
centre teams to focus on essential tasks.<br />
Coloured blocks highlight critical, high and<br />
medium risks for 24-hour and seven-day<br />
periods, a status view shows which threat<br />
modules are in an alert state and a smart<br />
central panel provides clear specifics on<br />
detected threats.<br />
Clicking on a risk in the list below the<br />
graphics panel presents a wealth of<br />
valuable information, such as the alert<br />
type, the risk by asset, level and user, plus<br />
the MITRE association. When used during<br />
an attack, analysts can download the<br />
Shellcode, see the number of instances,<br />
how many times it was encoded and the<br />
actual calls being made.<br />
Zero-day attacks using Shellcode are<br />
difficult to detect and prevent, but AIONIQ<br />
has distinct advantages, as, in this<br />
reviewer’s experience, it decodes Shellcode<br />
more times than any other vendor, making<br />
it more likely to discover the attack. Next,<br />
you can go hunting where AIONIQ<br />
transports you to screens showing the<br />
underlying communication data for the<br />
attack, tactical information, infected files<br />
and the number affected, file transactions,<br />
source and destination addresses, and<br />
much more.<br />
Drilling down to the user level reveals<br />
details of user risk and a map of all<br />
interactions with other users, making it<br />
easy to spot lateral movement and track<br />
it back to patient zero. Another standout<br />
feature is AIONIQ's ability to detect C2<br />
communication, especially C2 that relies on<br />
domain generation algorithms (DGAs), showing<br />
which assets have been compromised.<br />
Gatewatcher's AIONIQ takes threat<br />
detection and response to new levels,<br />
as this highly scalable platform requires<br />
no learning processes and provides high<br />
fidelity attack data from the moment it is<br />
deployed. It's a cost-effective solution for<br />
organisations of all sizes and is one of few<br />
security platforms that delivers the full<br />
spectrum of static, dynamic and AI/ML<br />
analysis, hardening, compliance, NDR,<br />
threat intel and cyber cartography functions<br />
in a single, easily managed solution.<br />
Product: AIONIQ<br />
Supplier: Gatewatcher<br />
Web site: www.gatewatcher.com<br />
Sales: +44 (0)203 743 0900<br />
Email: contact@gatewatcher.com<br />
human error<br />
EMPLOYEES ARE 'NOT THE ENEMY'<br />
HOW DO YOU PREVENT YOUR WORKFORCE FROM LAYING THE BUSINESS OPEN TO A POSSIBLE BREACH?<br />
IS EDUCATION AND AWARENESS TRAINING THE BEST SOLUTION OR SHOULD YOU JUST LOCK THEM OUT<br />
OF VULNERABLE AREAS ALTOGETHER?<br />
Human error remains a major root<br />
cause of data breaches, a new report<br />
has found. Verizon's annual Data<br />
Breach Investigations Report for <strong>2022</strong><br />
revealed that human elements, such as<br />
social engineering and misuse of privileged<br />
access, were a factor in more than four out<br />
of five breaches.<br />
All of which raises questions as to how<br />
organisations can get control over what<br />
has often been branded 'the enemy within' -<br />
their own people. What controls need to<br />
be put in place to prevent such abuses<br />
happening in the workplace? Are there any<br />
'failsafe' systems that can be implemented<br />
or is it mostly about damage limitation?<br />
Another pressing matter is how employee<br />
behaviour can be better monitored without<br />
alienating the very people on whom these<br />
organisations rely for their success.<br />
"It is important to remember that<br />
employees are not the enemy when it<br />
comes to data security," points out Daniel<br />
Hofmann, CEO, Hornetsecurity. "In most<br />
cases, they are unaware of the risks and<br />
unaware that their actions can contribute<br />
to a data breach. Education is critical to<br />
mitigating the risk of human error - and<br />
it should be done in a way that does not<br />
make employees feel like they are being<br />
treated as suspects, while encouraging<br />
them to take part."<br />
A combination of technical and<br />
behavioural controls and educational<br />
programs can help to mitigate the risks<br />
posed by employees, he says. "For example,<br />
technical controls such as data encryption<br />
and privileged access management (PAM)<br />
can prevent privileged users from accessing<br />
confidential information. Such controls<br />
can restrict users' access to certain areas<br />
or systems. Effectively, this also reduces<br />
the risk of unauthorised access to sensitive<br />
information through user errors or by users<br />
with malicious intent, because they cannot<br />
view or make changes to sensitive data that<br />
is out of bounds.<br />
"Absolutely perfect 'failsafe' systems that<br />
do not severely harm a company's agility<br />
are rare as unicorns," adds Hofmann.<br />
"Yet implementing a mix of technical and<br />
behavioural controls can help to minimise<br />
the chances of employee-related data<br />
breaches occurring."<br />
In addition to these controls, organisations<br />
should consider implementing technologies<br />
that can help to monitor employee behaviour<br />
and flag potential risks, he advises. "For<br />
instance, user activity monitoring (UAM) can<br />
track which users are accessing which data,<br />
when and from where. This information<br />
can be used to identify unusual or suspicious<br />
activity that may indicate an attempt<br />
at data theft or misuse. UAM does not<br />
interfere with the day-to-day life of<br />
employees and therefore doesn't create<br />
negative impressions among them."<br />
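Added example, not from the article or from Hornetsecurity: Python detection logic of the kind Hofmann describes, learning from user-activity records who normally accesses which data, when and from where, and flagging departures from that pattern. The record layout and every log line are constructed for the example.

```python
"""Flag unusual data access from user-activity records: who accessed which
resource, when and from where. Added example; the log format and all records
below are constructed, not any product's output."""
import re
from datetime import datetime, timezone

# Assumed record layout (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"resource=(?P<resource>\S+) src=(?P<src>\S+) country=(?P<country>[A-Z]{2})$"
)


def parse_lines(text):
    """Turn raw log text into event dicts, skipping blank lines and rejecting malformed ones."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def build_baseline(history):
    """Per user: resources seen, source countries seen, and the hour window of activity."""
    baseline = {}
    for e in history:
        b = baseline.setdefault(
            e["user"], {"resources": set(), "countries": set(), "first_hour": 23, "last_hour": 0}
        )
        b["resources"].add(e["resource"])
        b["countries"].add(e["country"])
        b["first_hour"] = min(b["first_hour"], e["ts"].hour)
        b["last_hour"] = max(b["last_hour"], e["ts"].hour)
    return baseline


def flag_anomalies(baseline, events):
    """Return (user, resource, reasons) for each event that departs from the user's baseline.

    A finding is a prompt for a human to look, not proof of misuse: a first access to a
    resource may be a legitimate new project, which is why each finding carries its reasons."""
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if e["resource"] not in b["resources"]:
                reasons.append("first access to resource")
            if e["country"] not in b["countries"]:
                reasons.append("new source country")
            if not b["first_hour"] <= e["ts"].hour <= b["last_hour"]:
                reasons.append("outside usual hours")
        if reasons:
            findings.append((e["user"], e["resource"], reasons))
    return findings


# Constructed history used to learn each user's normal pattern.
HISTORY_LOG = """
2022-09-12T09:14:00Z user=alice resource=finance-share src=10.0.1.5 country=GB
2022-09-12T16:40:00Z user=alice resource=finance-share src=10.0.1.5 country=GB
2022-09-13T11:02:00Z user=alice resource=sales-crm src=10.0.1.5 country=GB
2022-09-12T08:05:00Z user=bob resource=hr-records src=10.0.2.9 country=GB
2022-09-13T15:55:00Z user=bob resource=hr-records src=10.0.2.9 country=GB
"""

# Constructed new activity to evaluate against that baseline.
NEW_LOG = """
2022-09-20T10:00:00Z user=alice resource=finance-share src=10.0.1.5 country=GB
2022-09-20T10:30:00Z user=alice resource=hr-records src=10.0.1.5 country=GB
2022-09-21T02:15:00Z user=bob resource=hr-records src=10.0.2.9 country=GB
2022-09-21T11:00:00Z user=alice resource=finance-share src=198.51.100.7 country=DE
2022-09-21T10:05:00Z user=carol resource=payroll src=10.0.3.4 country=GB
"""


def run_sample():
    return flag_anomalies(build_baseline(parse_lines(HISTORY_LOG)), parse_lines(NEW_LOG))


if __name__ == "__main__":
    for user, resource, reasons in run_sample():
        print(f"{user} -> {resource}: {', '.join(reasons)}")
```

The first new record (alice reading finance-share from her usual address during her usual hours) produces no finding, which is the behaviour that keeps such monitoring unobtrusive for ordinary work.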
The key to success is creating a security<br />
culture of trust and respect for employees.<br />
"This must be achieved by having and<br />
sharing a clear understanding of the<br />
company's security policies and procedures.<br />
Employees must feel comfortable reporting<br />
suspicious activity or concerns without fear<br />
of reprisal. It must be assured that all<br />
reports are investigated promptly and<br />
confidentially," Hofmann insists. "While<br />
employees are often seen as the weakest<br />
link in an organisation's data security<br />
defences, they can actually be a powerful<br />
asset, if they are adequately trained and<br />
empowered to help protect the<br />
organisation's data."<br />
Steve Forbes, government cyber security<br />
expert at Nominet, points to an incident<br />
earlier this year when authentication<br />
platform Okta was breached by hackers<br />
after gaining remote access to a machine<br />
that belonged to a subcontracted company<br />
employee. "The fact that this contractor's<br />
password was exported from a document<br />
on their company's server shows how poor<br />
system administration can lead to serious<br />
consequences. Had the organisation<br />
implemented a stronger security plan, this<br />
could have been avoided. Using password<br />
managers is a great strategy, as it removes<br />
the reliance on employees memorising lists<br />
of passwords, allows them to use stronger<br />
ones, as well as using different passwords<br />
for every system."<br />
Phishing, stolen credentials and system<br />
misconfigurations are some of the most<br />
common types of breaches as a result of<br />
human error and, because of the ease in<br />
which hackers can take advantage, it's clear<br />
that these types of attacks are here to stay,<br />
he adds. "There are no failsafe systems, but<br />
there are steps you can take to reduce the<br />
impact of human error. Businesses should<br />
consider prioritising their defence strategy as<br />
a first port of call to protect critical systems,<br />
both from outside and within. Ensuring you<br />
have robust access management, network<br />
segmentation and defences that stop users<br />
from even seeing things like phishing emails<br />
or phishing websites is far more effective.<br />
"Getting the basics right can also go a long<br />
way towards protecting against most if not<br />
all cyber threats," states Forbes. "This means<br />
patching systems regularly, having tested<br />
and resilient backups, and configuring<br />
your endpoints and networks against best<br />
practice. Having an assumed breach<br />
mentality is also important to help understand<br />
how you can limit the damage an<br />
attacker can achieve, if they do get into<br />
your network."<br />
While cyber security training is important,<br />
he agrees, even with all the training in the<br />
world a sophisticated phishing attack is<br />
going to be successful, because it will look<br />
and feel like a genuine email or a normal<br />
piece of activity. "While raising awareness<br />
of evolving threats can mitigate risk and<br />
is a key way for companies to protect<br />
themselves, it can't be solely relied upon.<br />
Much of the advice goes against human<br />
nature or simply stops us from doing our<br />
jobs, and so more needs to be done to<br />
protect users and ensure that any human<br />
caused errors have a limited impact on<br />
company systems.<br />
"Relying strictly on user awareness and not<br />
properly securing systems is a quick way to a<br />
massive breach. Having the right balance of<br />
automated security operations and human<br />
involvement will ensure companies have the<br />
strongest defence against breaches of all<br />
kinds."<br />
PROACTIVE MONITORING<br />
"Organisations traditionally focused on<br />
securing the perimeter, blocking external<br />
actors coming into the network," points<br />
out Andrea Themistou, senior manager in<br />
Protiviti's Digital Identity Practice. "However,<br />
when looking to protect the business, it is<br />
equally important to address the internal<br />
threat that sometimes gets overlooked, the<br />
insider, who already has access and may<br />
intentionally or unintentionally cause harm<br />
to the business." While many organisations<br />
have placed a focus on employee education,<br />
some are turning to monitoring to proactively<br />
identify threats, in order to stop<br />
them before they happen.<br />
But what is too much and how do you<br />
focus on preventing breaches, while<br />
respecting your team's privacy rights?<br />
"Organisations need to be strategic about<br />
how they look to address their insider<br />
threats," she adds. "They shouldn't just rely<br />
on technology, but also on their security<br />
leaders, alongside their strategic partners,<br />
to help define a customised approach to<br />
mitigate the risk within their organisation."<br />
Meanwhile, Belton Flournoy, director in<br />
Protiviti's Technology & Digital Consulting<br />
Practice, offers some practical tips to help<br />
organisations sharpen their focus when<br />
looking to address insider threats:<br />
Be transparent. "Our people understand we<br />
need to protect critical information - and<br />
many organisations do a good job through<br />
their awareness programmes of highlighting<br />
key cyber threats and simulating phishing<br />
attacks. More focus, however, is required<br />
to educate our employees on what types<br />
of activities are actually monitored, as well<br />
as clear explanations to the benefits of<br />
this type of monitoring. When employees<br />
understand the 'why', the monitoring no<br />
longer seems as invasive."<br />
Be innovative about least privilege. "While<br />
the concept of 'least privilege' is not new,<br />
the ways you can apply this to your<br />
application estate has changed drastically<br />
over the past five years. We no longer need<br />
to provide all our employees with direct<br />
connectivity to our entire network when<br />
they might only require access to 20% of<br />
it. With the ever-increasing use of SaaS<br />
technologies, pervasive platforms and cloud<br />
infrastructure as well as the adoption of<br />
essential security tools such as identity and<br />
privileged access management solutions,<br />
organisations should challenge how they<br />
architect their business to achieve this. One<br />
question you should ask yourself, do you<br />
know how many contractors have access<br />
to move money out of your organisation?<br />
We now have the technology and tools to<br />
construct a more secure perimeter; many<br />
sometimes just think about it the wrong<br />
way."<br />
Leverage 'next generation' technology.<br />
"The problem with many technology<br />
implementations is when the organisation<br />
believes that the technology itself will solve<br />
the issue," states Flournoy. "It is vital to<br />
understand that technology is only a tool;<br />
it's how you implement it that matters.<br />
There are now a number of tools that can<br />
leverage artificial intelligence and machine<br />
learning to analyse user behaviour, in order<br />
to identify anomalies and respond in real<br />
time. The lesson? You need smart teams of<br />
people to understand how to best configure<br />
this technology to protect your<br />
organisation."<br />
BASTION OF CYBERSECURITY<br />
According to Kev Breen, director of Cyber<br />
Threat Research at Immersive Labs,<br />
"cybersecurity has long been seen as<br />
a responsibility falling exclusively on the<br />
shoulders of the IT department and<br />
employees as a weakness in the<br />
organisation's defences, doomed to click<br />
on inevitable phishing links or using<br />
personal devices without consideration<br />
for security. However, we see it entirely<br />
differently: employees should be seen as<br />
a core part of the company's defence".<br />
Cybersecurity risk impacts every single<br />
person within an organisation, he states,<br />
and it's long overdue that all those involved<br />
in keeping a business running are seen as<br />
an inherent part of the initiative to keep<br />
it safe. "To help turn a workforce into a<br />
bastion of cybersecurity best practices, a<br />
more effective people-centric approach<br />
to cybersecurity is needed - one that can<br />
help organisations assess, build, and prove<br />
workforce resilience. Traditionally, security<br />
awareness training (SAT) takes a predictable<br />
and unvarying approach of<br />
tackling one cyber threat at a time.<br />
Moreover, rather than educating workers<br />
on how best to defend their company,<br />
SAT encourages them to regurgitate<br />
monotonous facts from multiple choice<br />
questions that bear no relevance to the<br />
role they play day-to-day, let alone during<br />
a real-life crisis."<br />
BREAKING THE CYCLE<br />
Immersive Labs' 2022 Cyber Workforce<br />
Benchmark report found that it takes an<br />
average of three months (96 days) for<br />
cybersecurity teams to defend against<br />
breaking cyber threats. "Indeed, one<br />
breaking threat - a critical, actively<br />
exploited vulnerability in popular mail<br />
transfer agent Exim that left 4.1 million<br />
systems potentially vulnerable - took over<br />
six months (204 days) for security teams at<br />
large organisations to master on average.<br />
This is despite national cybersecurity bodies<br />
recommending that technical infrastructure<br />
is patched in days or, in some cases, hours."<br />
By contrast, successful resilience in today's<br />
high-paced threat environment requires<br />
the optimisation of human knowledge,<br />
skills and judgement across the entire<br />
organisation, from legal to HR departments,<br />
to comms and the executive team,<br />
he argues.<br />
OPTIMAL CYBER CAPABILITIES<br />
"Organisations, when it comes to preparing<br />
for, responding to and remediating<br />
against cyber threats, must focus on these<br />
simple factors to optimise the cyber<br />
capabilities of their entire workforce:<br />
exercising, benchmarking, upskilling and<br />
proving cyber resilience. In other words,<br />
continually benchmark the knowledge,<br />
skills and judgement of the workforce,<br />
demonstrating risk levels across all business<br />
functions by using data gathered from<br />
simulations and use regular cyber exercises<br />
to remedy any skill gaps."<br />
A company's culture has quite a lot to do<br />
with the ability to close down attack vectors<br />
and thwart cyberattacks, asserts Erfan<br />
Shadabi, cybersecurity expert at comforte<br />
AG. "We're talking here about misconfigurations,<br />
lifting and shifting unprotected<br />
data or simply pure carelessness. Companies<br />
that try to move too quickly and put an<br />
emphasis on output, rather than process,<br />
are particularly vulnerable to human error."<br />
However, the organisation that actively<br />
instils a culture of data privacy and security<br />
among its employees has a much better<br />
chance of deterring one or multiple attacks,<br />
he adds. "This type of culture not only<br />
depends on the individual contributors<br />
caring about sustaining that culture,<br />
but also on the executive team placing<br />
value and meaning behind it, to assess<br />
performance and allocate rewards based<br />
on employees' willingness to be more<br />
sensitive to data privacy and security and<br />
follow the right processes to mitigate or<br />
eliminate human error."<br />
THE RIGHT CULTURE<br />
If executives are seen dismissing the 'rules'<br />
to get something accomplished, then this<br />
behaviour trickles throughout the company,<br />
as others emulate it, and soon that valuable<br />
culture falls apart. "Every member of an<br />
organisation must be absolutely committed<br />
to a corporate culture of data privacy and<br />
security," states Shadabi. "Also, organisations<br />
should consider implementing<br />
frameworks such as zero trust: assume<br />
you've been breached, provide no implicit<br />
trust, verify again and again, and only<br />
provide minimal privileges upon successful<br />
authentication. Protection methods such<br />
as tokenisation can complement this<br />
framework, because by tokenising sensitive<br />
data immediately upon entering the<br />
corporate data ecosystem - and then<br />
not de-protecting it - people can have<br />
minimal or no access to the truly sensitive<br />
information, while still being able to<br />
accomplish tasks."<br />
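An added example, not code from comforte or from the article, of the tokenise-on-ingest pattern Shadabi describes: the vault is the only component that holds real values, tokens keep the original format so downstream work continues on tokens, and de-protecting is a separately authorised, audited exception. The vault, the role and field names and the sample records are all constructed for illustration.

```python
import secrets
import string

# Constructed role model: only this role may ever see a real value again.
DETOKENISE_ROLES = frozenset({"fraud-investigator"})


def format_preserving_token(value: str) -> str:
    """Random token with the same length and character classes as value.

    Digits stay digits, letters keep their case and separators are kept, so a
    card number or customer id still passes downstream format checks while
    carrying no information about the original.
    """
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isupper():
            out.append(secrets.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(secrets.choice(string.ascii_lowercase))
        else:
            out.append(ch)
    return "".join(out)


class TokenVault:
    """The only component that holds real values; everything downstream of
    ingest sees tokens only (constructed in-memory vault)."""

    def __init__(self, detokenise_roles=DETOKENISE_ROLES):
        self._value_to_token = {}
        self._token_to_value = {}
        self._roles = frozenset(detokenise_roles)
        self.audit_log = []

    def tokenise(self, value: str) -> str:
        # Deterministic per value, so equality joins and duplicate checks still work
        token = self._value_to_token.get(value)
        if token is not None:
            return token
        for _ in range(100):
            token = format_preserving_token(value)
            if token != value and token not in self._token_to_value:
                break
        else:
            # Nothing to randomise (e.g. separators only): fall back to an opaque token
            token = "tok_" + secrets.token_hex(8)
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenise(self, token: str, role: str, reason: str) -> str:
        """De-protecting is the exception: gated on role and always audited."""
        if role not in self._roles:
            self.audit_log.append(("DENIED", token, role, reason))
            raise PermissionError(f"role {role!r} may not de-protect data")
        self.audit_log.append(("ALLOWED", token, role, reason))
        return self._token_to_value[token]


SENSITIVE_FIELDS = ("card_number", "national_id")


def ingest(record: dict, vault: TokenVault) -> dict:
    """Tokenise sensitive fields at the boundary; the returned record is what
    the rest of the estate stores and processes."""
    protected = dict(record)
    for name in SENSITIVE_FIELDS:
        if name in protected:
            protected[name] = vault.tokenise(protected[name])
    return protected


def cards_shared_across_customers(protected_records) -> dict:
    """A task completed on tokens alone: which card tokens are used by more
    than one customer (a common fraud signal)."""
    users_by_card = {}
    for rec in protected_records:
        users_by_card.setdefault(rec["card_number"], set()).add(rec["customer"])
    return {tok: sorted(u) for tok, u in users_by_card.items() if len(u) > 1}


# Constructed sample input (not real card or id numbers)
RAW_RECORDS = [
    {"customer": "c-1001", "card_number": "4000 1234 5678 9010", "national_id": "AB123456C"},
    {"customer": "c-1002", "card_number": "4000 1234 5678 9010", "national_id": "CD654321E"},
    {"customer": "c-1003", "card_number": "5100 9999 0000 1234", "national_id": "EF111111G"},
]


def demo():
    vault = TokenVault()
    protected = [ingest(r, vault) for r in RAW_RECORDS]
    return vault, protected, cards_shared_across_customers(protected)


if __name__ == "__main__":
    vault, protected, shared = demo()
    print("protected records:", protected)
    print("card tokens shared by several customers:", shared)
    try:
        vault.detokenise(protected[0]["card_number"], role="analyst", reason="report")
    except PermissionError as exc:
        print("blocked:", exc)
```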
THE HUMAN FIREWALL<br />
Like a standard firewall, the 'human firewall'<br />
is only as strong as its configuration,<br />
maintenance and level of monitoring, says<br />
Alex Coburn, director at ThreeTwoFour.<br />
"Configuring the human firewall can be<br />
seen as setting the ground rules, the<br />
fundamentals that govern employee<br />
actions. Obviously, this consists of security<br />
awareness and training, but the success<br />
of this varies greatly from business to<br />
business."<br />
A key success factor is designing awareness<br />
and training that is fit for the audience.<br />
"Board members and the engineering team<br />
have vastly different threat profiles and<br />
must be treated accordingly. Secondly,<br />
the 'configuration' of identity and access<br />
management is another critical element<br />
of the 'human firewall'. Implementing<br />
least privilege access, and ensuring proper<br />
segregation of duties for normal and<br />
privileged users, is critical to protect against<br />
malicious insiders and to hamper the<br />
progress of attackers that may have<br />
obtained unauthorised access."<br />
Maintaining the human firewall is all about<br />
reinforcement to create a secure culture,<br />
Coburn adds. "Regular phishing exercises<br />
put theory into practice, while red-teaming<br />
with a focus on social engineering is a good<br />
approach to keep users aware of real-world<br />
threats. However, the most powerful tool in<br />
creating a secure culture is by leaders visibly<br />
investing in security through their actions,<br />
while also ensuring that the budget is<br />
available to keep the organisation safe."<br />
At some point, there are diminishing<br />
returns on preventative controls, he points<br />
out, so implementing monitoring and<br />
alerting to identify issues becomes a more<br />
proactive approach to managing human<br />
errors. "Tools that perform user behaviour<br />
analytics can sometimes raise concerns from<br />
end users. But users can be assured that, if<br />
implemented correctly, they are no more<br />
invasive than any existing retrospective<br />
analysis and offer organisations the ability<br />
to identify security issues before they arise,<br />
helping users by warning them of potential<br />
mistakes."<br />
Matt Malarkey, Titania: the best way for<br />
IT administrators to get control over their<br />
networks is by taking it away.<br />
Steve Forbes, Nominet: there are no failsafe<br />
systems, but there are steps you can take to<br />
reduce the impact of human error.<br />
ZERO TRUST SECURITY<br />
According to Dave Barnett, head of SASE<br />
EMEA, Cloudflare: "In today's business<br />
landscape, keeping employees, servers<br />
and applications under a watchful eye<br />
is imperative. However, the pandemic<br />
accelerated the need for applications to<br />
move outside of the business via the cloud,<br />
mobile devices and SaaS, meaning the<br />
potential for human error increased.<br />
Implementing zero trust security allows<br />
companies to minimise the risk of human<br />
failure, without alienating employees or<br />
enforcing strict rules on where employees<br />
work from. Traditional IT network security<br />
takes a castle-and-moat approach, meaning<br />
it's difficult to gain access from outside the<br />
network, but everyone inside is trusted as<br />
a default. Conversely, zero trust means that<br />
no one is trusted by default from either<br />
inside or outside the network and verification<br />
is required for each step of further<br />
access."<br />
With hybrid working now a common<br />
workplace expectation, this approach<br />
involves strict controls on device access,<br />
constantly monitoring how many different<br />
devices are trying to access their network<br />
and ensuring each is authorised and<br />
uncompromised. It also requires multi-factor<br />
authentication from users, meaning a<br />
traditional password alone is not enough.<br />
"Another principle of zero trust is 'least<br />
privilege', meaning users have access only<br />
to as much as they need to do their jobs,<br />
minimising their exposure to sensitive parts<br />
of the network and protecting classified<br />
data," he adds. "Once a user is in the system,<br />
zero trust protected networks use<br />
micro-segmentation, meaning security perimeters<br />
are put around precisely the IT resources<br />
that the user needs to access at the time<br />
that they need to access. This extra step<br />
helps prevent a common problem in data<br />
breaches, known as 'lateral movement',<br />
where an attacker moves to a different part<br />
of the network to avoid detection, gain<br />
more information and retain access. Instead,<br />
once an attacker is detected, their account<br />
or device can be quarantined and blocked<br />
from future access."<br />
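An added illustration, not Cloudflare's code, of the per-request checks Barnett lists: MFA on this step, device verification, least-privilege entitlements, a grant scoped to the one resource requested, and quarantine of an account or device once it is judged compromised. The users, devices, resources and policy rules are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    mfa_verified: bool   # outcome of this request's own step-up check
    resource: str
    action: str          # "read" or "write"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    scope: frozenset = frozenset()  # the only resource this grant reaches


class ZeroTrustGateway:
    """Evaluates every request from scratch: no network location, session or
    earlier allow carries over (constructed policy engine)."""

    def __init__(self):
        # Least privilege: entitlements are per (resource, action), never per network
        self.entitlements = {
            "alice": {("payroll-db", "read"), ("wiki", "read"), ("wiki", "write")},
            "bob": {("wiki", "read")},
        }
        # Device inventory: owner binding and posture (constructed)
        self.devices = {
            "lap-alice-01": {"owner": "alice", "compliant": True},
            "lap-bob-07": {"owner": "bob", "compliant": False},  # e.g. disk encryption off
        }
        self.quarantined_users = set()
        self.quarantined_devices = set()
        self.log = []

    def evaluate(self, req: AccessRequest) -> Decision:
        decision = self._evaluate(req)
        self.log.append((req, decision))
        return decision

    def _evaluate(self, req: AccessRequest) -> Decision:
        # 1. Anything already flagged as compromised stays out
        if req.user in self.quarantined_users:
            return Decision(False, "user quarantined")
        if req.device_id in self.quarantined_devices:
            return Decision(False, "device quarantined")
        # 2. Verify identity on this step: a password alone is never enough
        if not req.mfa_verified:
            return Decision(False, "MFA required")
        # 3. Verify the device: known, bound to this user and healthy
        device = self.devices.get(req.device_id)
        if device is None:
            return Decision(False, "unknown device")
        if device["owner"] != req.user:
            return Decision(False, "device not bound to user")
        if not device["compliant"]:
            return Decision(False, "device posture non-compliant")
        # 4. Least privilege: exactly this resource and action must be entitled
        if (req.resource, req.action) not in self.entitlements.get(req.user, set()):
            return Decision(False, f"no entitlement for {req.action} on {req.resource}")
        # 5. Micro-segmentation: the grant reaches this one resource, nothing adjacent
        return Decision(True, "verified", frozenset({req.resource}))

    def quarantine(self, *, user=None, device_id=None):
        """Response action once an account or device is judged compromised."""
        if user:
            self.quarantined_users.add(user)
        if device_id:
            self.quarantined_devices.add(device_id)


def demo():
    gw = ZeroTrustGateway()
    results = {}
    # MFA done, compliant device, entitled action: allowed, scoped to payroll-db only
    results["alice_payroll"] = gw.evaluate(
        AccessRequest("alice", "lap-alice-01", True, "payroll-db", "read"))
    # Same user and device moments later trying to move laterally to hr-db: denied
    results["alice_lateral"] = gw.evaluate(
        AccessRequest("alice", "lap-alice-01", True, "hr-db", "read"))
    # MFA passed but the laptop fails posture: denied even for an entitled resource
    results["bob_posture"] = gw.evaluate(
        AccessRequest("bob", "lap-bob-07", True, "wiki", "read"))
    # Valid credentials presented from an unregistered device: denied
    results["alice_unknown_device"] = gw.evaluate(
        AccessRequest("alice", "cafe-pc", True, "wiki", "read"))
    # Detection judges alice's laptop compromised; every later request is blocked
    gw.quarantine(device_id="lap-alice-01")
    results["alice_after_quarantine"] = gw.evaluate(
        AccessRequest("alice", "lap-alice-01", True, "payroll-db", "read"))
    return results


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:24s} allowed={d.allowed!s:5s} {d.reason} scope={sorted(d.scope)}")
```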
The added layers of security in zero trust<br />
have been shown to minimise the risk of a<br />
data breach by up to 91% and to reduce by<br />
up to 35% the cost to a business of a breach,<br />
which runs to a global average of $3.86 million,<br />
states Barnett. "Additionally,<br />
when introduced correctly, zero trust has<br />
the added benefit of actually improving<br />
trust between the employer and employee.<br />
Employees can rest assured that their work<br />
is being protected and employers can feel<br />
more comfortable granting users access to<br />
their network. This leaves everyone safe in<br />
the knowledge that the most up-to-date<br />
precautions are in place to simultaneously<br />
thwart external hackers and prevent those<br />
working inside the network from accessing<br />
more than they need."<br />
TAKING AWAY CONTROL<br />
"The best way for IT administrators to get<br />
control over their networks is by taking it<br />
away," argues Matt Malarkey, VP, Strategic<br />
Alliances, Titania. "That's the premise of a<br />
zero trust architecture and the approach<br />
that organisations need to adopt to keep<br />
their networks secure. The truth is that<br />
human error creates some of the most<br />
significant security risks to a business. It's<br />
usually not malicious, just the result of<br />
oversights. In some cases, it's technicians<br />
inadvertently misconfiguring devices that<br />
result in security vulnerabilities and the<br />
device falling out of compliance.<br />
"This is not something that can be patched<br />
and is only noticed when a network is either<br />
audited or breached. Sometimes it takes<br />
months, even years, to identify and fix these<br />
risks. This means that businesses are<br />
potentially leaving themselves vulnerable to<br />
preventable attacks time and time again.<br />
As a result, device misconfigurations are<br />
costing organisations millions - 9% of a<br />
company's annual revenue, according to<br />
a recent report."<br />
By adopting a zero trust mindset, you start<br />
by assuming that nothing on your network -<br />
your users, your applications etc - is<br />
trusted and secure, adds Malarkey. "This<br />
requires a mentality that says that you have<br />
been or will be compromised, meaning you<br />
can and should tighten network security<br />
across the board. Access control<br />
enforcement, for example, needs to be<br />
made as granular as possible."<br />
Segmenting networks into subnetworks<br />
is a practice that, alongside a zero trust<br />
strategy, can protect networks. "This way,<br />
if a threat is detected, you can limit the<br />
damage by shutting down a segment and<br />
prohibiting lateral movement. With a well-planned<br />
segmented network, it is easier for<br />
teams to monitor the network, identifying<br />
threats quickly and isolating incidents more<br />
easily," he points out.<br />
"This lowers the mean time to detect<br />
(MTTD) and mean time to remediate (MTTR)<br />
security vulnerabilities. Configuration<br />
auditing for network devices is also essential<br />
for maintaining a resilient network, and<br />
high-value and sensitive subnetworks should<br />
have their networking devices audited on<br />
a more regular frequency."<br />
Humans are going to make mistakes and<br />
it's tough to prevent, he accepts. "But they<br />
don't have to cost you your business. Focus<br />
on minimising risk, so that, when an error<br />
occurs, you've shrunk the attack surface and<br />
the opportunity to do significant damage is<br />
reduced. You're not so much negating the<br />
potential for a breach, just the impact of<br />
one and the ability to respond to it."<br />
Q&A<br />
OBJECT ARCHIVE SOFTWARE - THE INSIDE STORY<br />
FUJIFILM RECENTLY LAUNCHED OBJECT ARCHIVE, DESCRIBED AS<br />
‘AN S3-COMPATIBLE TAPE STORAGE SYSTEM FOR LONG-TERM DATA<br />
PRESERVATION AND DATA PROTECTION’. COMPUTING SECURITY<br />
FINDS OUT MORE FROM RICHARD ALDERSON, THE COMPANY'S HEAD<br />
OF RECORDING MEDIA - UK, IRELAND AND SCANDINAVIA<br />
Computing Security: tell us more<br />
about Object Archive and how it<br />
differs from other solutions and<br />
what advantages you feel it might offer.<br />
Richard Alderson: Object Archive is an<br />
archive solution, which creates a synergy<br />
between hard disk and tape technology<br />
by acting as an S3 bridge between hard<br />
disk and tape. The main differences to<br />
other solutions are:<br />
Object Archive has been developed in<br />
house by Fujifilm and we developed<br />
our own tape writing format, which<br />
is an open format called 'OTformat'<br />
that is specifically designed for saving<br />
objects on tape<br />
It has a free-and-easy exit strategy,<br />
with no vendor lock-in, and offers a<br />
scalable performance for users in all<br />
industries, such as the government<br />
administration, managed service<br />
providers, financial and scientific<br />
sectors<br />
It works with most brands of tape<br />
hardware, giving freedom of choice<br />
to the end user.<br />
CS: In these more straitened times, costs<br />
are always on the minds of organisations<br />
when deploying solutions. Object<br />
Archive is said to reduce recurring<br />
storage fees and expensive egress fees<br />
of cloud storage. Exactly how does it<br />
achieve this, and can these savings be<br />
monitored and validated by users in<br />
real time?<br />
RA: As mentioned, there is no vendor<br />
lock-in and therefore no exit fee. Also,<br />
all data is stored on tape, which is the<br />
most cost-effective method for the long-term<br />
storage of archived data.<br />
CS: Object Archive uses S3-compatible<br />
APIs for data operations to enable<br />
what is said to be "easy and seamless<br />
integration" with existing object storage<br />
platforms and data applications. Can<br />
you explain how that works - and is<br />
anything ever really seamless?<br />
RA: Object Archive works with hard disk,<br />
other object storage solutions, including<br />
Cloudian, Datacore and Netapp, and can<br />
also be used with other solutions, such<br />
as Ceph and Dell ECS, when using a<br />
datamover. For most day-to-day data<br />
usage, it is possible to manage data<br />
stored in tape through the object<br />
storage GUI.<br />
CS: The solution that you've launched is<br />
also said to 'create an air-gap' between<br />
archived data and your network, in order<br />
to enforce security. How does that work<br />
in practice and what are the biggest<br />
paybacks?<br />
RA: Tape technology is the most secure<br />
way to store long-term data and<br />
naturally creates an air gap solution,<br />
because it is removable. By removing<br />
tape, your data is isolated from any<br />
other device and therefore it minimises<br />
the vulnerability to cyber-attacks or<br />
hacking. Furthermore, with LTO9 tape<br />
media data can be archived for up to<br />
50 years, so your data will still be<br />
readable up to 2072.<br />
CS: Computational science relies on<br />
enormous banks of data to solve<br />
challenging problems with the power<br />
of computer analytics. So our wrap-up<br />
question for this Q&A is: In what ways<br />
will Object Archive help that cause?<br />
RA: As well as data security and the air<br />
gap, Object Archive has an impact on cost<br />
savings, as it gives the ability to reduce<br />
the amount of hard disk required, which<br />
can help users to reduce their energy<br />
consumption. What we really need to<br />
ask is: are we on the edge of a new era?<br />
As costs continue to dramatically<br />
increase, businesses need to ensure their<br />
data is protected against cyber-attacks<br />
and disasters, is stored in a sustainable<br />
way and that it is accessible for years to<br />
come. Object Archive addresses all of<br />
these concerns and is a big step forward<br />
in the world of data archiving.<br />
product review<br />
ROHDE & SCHWARZ CYBERSECURITY:<br />
R&S BROWSER IN THE BOX<br />
Cybercriminals are becoming ever<br />
more innovative with their attack<br />
vectors, but one of the weakest<br />
points inside any organisation's defence<br />
perimeter has always been the humble<br />
web browser. There are many ways to<br />
counteract these cyber-threats by deploying<br />
services such as secure web gateways,<br />
endpoint protection, content filtering and<br />
proxies, but these can significantly increase<br />
costs and management complexity.<br />
Rohde & Schwarz Cybersecurity (R&S)<br />
takes an innovative approach to this<br />
perennial problem. Its R&S Browser in<br />
the Box (BitBox) solution encapsulates<br />
the browser in a virtual machine (VM)<br />
and separates it entirely from the user's<br />
operating system (OS), local data, hardware<br />
and corporate intranet. It establishes a<br />
proactive network separation throughout<br />
the network.<br />
At the same time, access to the internet<br />
remains unrestricted for users and their<br />
familiar workflows. However, all applications<br />
and the operating system itself no<br />
longer have unrestricted access to the<br />
Internet or servers located there. This makes<br />
it impossible to load malicious code. The<br />
proactive separation also protects against<br />
unknown telemetry data or data leakage<br />
from new types of malware.<br />
Running the browser in an isolated<br />
environment has undeniable benefits,<br />
as threats using active content such as<br />
JavaScript, ActiveX or HTML5, browser<br />
hijacking and malicious email links and<br />
harmful attachments are all effectively<br />
nullified. Key advantages are that any files<br />
downloaded are always contained in the<br />
VM and cannot cross over to the host<br />
platform, and that all data is destroyed when<br />
the browser is closed, so when it is opened<br />
again it is a completely fresh browser.<br />
A new feature that adds even more appeal<br />
is support for web conferencing. BitBox is<br />
the only solution that allows users to safely<br />
participate in conferences in a virtualised<br />
environment, and it also secures access to<br />
microphones and webcams.<br />
BitBox implements three distinct isolation<br />
layers, with the first being a hardened and<br />
minimalised Linux OS that is designed to<br />
only run the browser and no other application.<br />
This is augmented by AppArmor,<br />
which provides MAC (mandatory access<br />
control) security to limit the actions<br />
processes can take and is particularly useful<br />
for restricting applications that can be<br />
exploited - such as web browsers.<br />
Next is the virtualisation layer, which is<br />
handled by the open source VirtualBox.<br />
The third and final layer is a separate,<br />
non-interactive and limited Windows user<br />
context.<br />
It's important to understand that BitBox is<br />
not a sandbox. Unlike these technologies,<br />
it is truly isolated, as it doesn't share host<br />
system memory resources or kernels with<br />
the host OS and separates intranet and<br />
internet traffic at the network layer.<br />
There's more, as the 'Docs in the Box'<br />
product feature allows users to open<br />
unsecured documents and preview<br />
them safely in the virtualised environment.<br />
It works with all popular file formats.<br />
BitBox is simple to deploy with the R&S<br />
Trusted Objects Manager (TOM) central<br />
management appliance. Internet access<br />
security is assured, as the virtualised<br />
browser only communicates via a VPN<br />
connection handled by the R&S Trusted<br />
VPN gateway appliance, so, even if the<br />
browser is compromised with malware,<br />
it cannot get on to the corporate LAN.<br />
In cases where businesses need to<br />
download files using BitBox, the<br />
Information Flow Control function allows<br />
security administrators to strictly control<br />
what file types may be accessed by placing<br />
them in a staging area for malware scans<br />
and approval.<br />
Rohde & Schwarz Cybersecurity shows<br />
that sometimes it's easier to think inside<br />
the box for the best protection against<br />
cyber-threats. R&S Browser in the Box is a<br />
remarkably elegant solution for protecting<br />
organisations from threats that target<br />
browsers. It's simple to deploy and has<br />
impeccable credentials, as it was developed<br />
in cooperation with the German Federal<br />
Office for Information Security (BSI).<br />
Product: R&S Browser in the Box<br />
Supplier: Rohde & Schwarz Cybersecurity<br />
Website: www.rohde-schwarz.com/cybersecurity<br />
Sales: +44 (0)1252 818 835<br />
Email: cybersecurity@rohde-schwarz.com<br />
IT asset disposal<br />
CHANGING THE GAME<br />
TODAY, THE ITAD SECTOR HAS<br />
EMERGED AS A PROFESSIONAL<br />
VALUE-ADD INDUSTRY AND IT'S<br />
BEEN A LONG, HARD ROAD<br />
GETTING THERE. BUT THE<br />
BATTLE IS FAR FROM OVER,<br />
SAYS STEVE MELLINGS, FOUNDER<br />
AND CEO OF ADISA<br />
As the doors to the basement were<br />
unlocked, I was amazed not only by<br />
the size of the edifice underneath<br />
prime London real estate, but more so by<br />
the sheer volume of dusty redundant IT<br />
equipment. This was a major investment<br />
bank relocating to Canary Wharf and the<br />
brief to the team was "get rid of everything in<br />
here".<br />
It was the late 90s when IT budgets were<br />
vast, and manufacturers tweaked<br />
performance and design in equal measure<br />
to trigger refresh rates which meant that<br />
hardware giants ruled the IT world. The<br />
attitude towards redundant equipment was<br />
lax, to say the least, mainly as the focus was<br />
on the production environment and keeping<br />
up with change. Internally, no one really<br />
considered what happened to old<br />
equipment as a genuine business process<br />
and, much like emptying the bins, we knew<br />
someone took our stuff away, but what<br />
happened to it was unknown and certainly<br />
not verified.<br />
90S TECHNOLOGY PICTURE<br />
Over the next decade into the 'Noughties',<br />
while regulatory requirements increased,<br />
attitudes to redundant equipment generally<br />
did not improve. The Waste Electrical and<br />
Electronic Equipment Directive was<br />
introduced in 2003 and the Data Protection<br />
Act in 1998, and, while both should have<br />
motivated businesses to consider how they<br />
deal with redundant equipment in more<br />
detail, the increasing need to protect the<br />
production environment meant that focus<br />
and budget were needed elsewhere.<br />
At this stage, an industry began to emerge<br />
that facilitated the removal of electrical<br />
'waste', often using 'WEEE Compliance' as<br />
justification for their role. For those in the<br />
genuine waste industry, this was just<br />
another waste stream, but for those in<br />
technology they saw growing demand from<br />
the emerging economies for equipment and<br />
saw opportunity to rehome redundant<br />
equipment overseas.<br />
At face value, this was a healthy industry,<br />
based on the premise of acquiring and, in<br />
many instances, exporting old equipment to<br />
find a new life, ideally in a data centre or on<br />
a desk; but sadly, without the right controls<br />
in place, some ended in landfill.<br />
An environment where the customer was<br />
unaware of the risks and the industry was<br />
able to operate freely is attractive and, with<br />
few barriers to entry, the ITAD (IT Asset<br />
Disposal or Disposition) market space<br />
flourished, based on offers to buy and sell<br />
redundant equipment, doing 'something'<br />
to the data and recycling anything they<br />
couldn't sell. All of this, to a customer base<br />
which still didn't really see their redundant<br />
equipment as anything other than an<br />
inconvenience and were not motivated<br />
to take control.<br />
As we entered the second decade,<br />
independent studies from both the ICO and<br />
the University of South Wales found swathes<br />
of personal and corporate data across large<br />
samples of equipment offered for resale.<br />
The seminal article from Peter Warren, titled<br />
'Ghosts in the Machine', described how he<br />
found data relating to one of The Beatles on<br />
an old hard drive at a street market. It made<br />
a great headline in a national newspaper<br />
and, rightly so, brought focus from many<br />
businesses worried that it could be them in<br />
the next headline.<br />
The ITAD industry was quickly maturing<br />
and some excellent innovative companies<br />
were leading the way, including developers<br />
of data sanitisation products. However, it<br />
was over-congested, hugely competitive,<br />
and full of companies making the same type<br />
of claims. Who to trust with your data was<br />
a difficult decision for many companies to<br />
make without genuine due diligence being<br />
undertaken, which led to fear and concerns<br />
and encouraged a 'destroy' approach to old<br />
equipment.<br />
It was this business problem that ADISA<br />
sought to solve when launching in 2010 via<br />
the introduction of a certification scheme,<br />
which was aimed at ITADs and assessed the<br />
controls which they put in place to deal with<br />
risk permeating the disposal process.<br />
Over the last decade, industry maturity,<br />
longevity and a greater professionalism<br />
have seen what was viewed by many as<br />
a clandestine process raise its profile to be<br />
a necessary, but, all too often, undervalued<br />
service industry. The narrative for this<br />
industry does not stop here and, in a<br />
complex, changing business environment,<br />
ITAD has far more value to offer than before.<br />
ITAD AS A VALUE-ADD PROCESS<br />
We've all experienced some 'once in a<br />
lifetime' challenges across society, from Brexit<br />
through to COVID, and the greatest of all:<br />
climate change.<br />
Throughout these challenging<br />
environments, the previously undervalued<br />
ITAD process has consistently shown value,<br />
from the supply of refurbished technology<br />
for home workers through to helping bridge<br />
the digital divide from donations into<br />
schemes like 'Digital Access for All'. And this<br />
while protecting customer data from risks<br />
that the customer may not even have been<br />
aware of.<br />
Flash-based storage media.<br />
Today, the ITAD sector is a professional<br />
value-add industry, but organisations<br />
releasing assets are still not fully in control.<br />
We see a lack of due diligence, a complex<br />
downstream supply chain and a lack of<br />
understanding of what standards should be<br />
applied or followed. The reason for this is<br />
still very much the same: as threats increase<br />
and become more sophisticated, the<br />
protection of the production environment<br />
requires even more focus, set against an<br />
increasingly heavy compliance burden,<br />
leaving ITAD low down the 'to-do' list.<br />
There is some good news. After three years<br />
of work, ADISA Standard 8.0 has officially<br />
been approved as a UK GDPR Certification<br />
Scheme, meaning that those in the sector<br />
who are certified can verify compliance to<br />
the law as confirmed by the regulator<br />
themselves.<br />
WHY IS THIS IMPORTANT?<br />
Technology is evolving and how to deal<br />
securely with risk to the physical asset and<br />
sanitise media is more complex now than<br />
ever before. If businesses are to maximise<br />
the potential of redundant equipment, the<br />
very minimum is that they should be assured<br />
that their data is being processed in a<br />
compliant and secure manner.<br />
The work carried out by UKAS and the<br />
ICO to accredit ADISA and Standard 8.0<br />
addresses the compliance question, which<br />
leaves the professional ITAD sector free to<br />
add the significant value that it offers to<br />
promote sustainability by extending the<br />
product lifecycle before recycling material<br />
for recovery and reuse.<br />
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2022 computing security<br />
33
phishing attacks<br />
BIGGER 'PHISH' TO FRY!<br />
PHISHING IS NEVER OUT OF SEASON. INDEED, IT REMAINS A MUCH-PRIZED ASSET BY ATTACKERS<br />
SEEKING TO GAIN INITIAL ACCESS TO ORGANISATIONS BY HOOKING IN THE UNPREPARED<br />
A large-scale phishing campaign used<br />
adversary-in-the-middle (AiTM)<br />
phishing sites to steal passwords,<br />
hijack a user's sign-in session and skip<br />
the authentication process, even if the user<br />
had enabled multifactor authentication<br />
(MFA).<br />
Revealing the breach, Microsoft says the<br />
attackers then used the stolen credentials<br />
and session cookies to access affected users'<br />
mailboxes and perform follow-on business<br />
email compromise (BEC) campaigns against<br />
other targets.<br />
"Based on our threat data, the AiTM<br />
phishing campaign attempted to target more<br />
than 10,000 organisations since September<br />
2021. From our observation, after a<br />
compromised account signed into the<br />
phishing site for the first time, the attacker<br />
used the stolen session cookie to authenticate<br />
to Outlook online (outlook.office.com),"<br />
members of the Microsoft 365 Defender<br />
Research Team and the Microsoft Threat<br />
Intelligence Center stated in a blog post.<br />
"In multiple cases, the cookies had an<br />
MFA claim, which means that, even if the<br />
organisation had an MFA policy, the attacker<br />
used the session cookie to gain access on<br />
behalf of the compromised account."<br />
In the days following the cookie theft,<br />
the threat actors accessed employee email<br />
accounts and looked for messages to use in<br />
business email compromise scams, which<br />
tricked targets into wiring large sums of<br />
money to accounts they believed belonged<br />
to co-workers or business partners. The<br />
attackers used those email threads and<br />
the compromised employee's identity to<br />
convince the other party to make a payment.<br />
Phishing remains one of the most<br />
common techniques attackers use in<br />
their attempts to gain initial access to<br />
organisations. "According to the 2021<br />
Microsoft Digital Defense Report, reports<br />
of phishing attacks doubled in 2020 and<br />
phishing is the most common type of<br />
malicious email observed in our threat<br />
signals," reveals Microsoft. "MFA provides an<br />
added security layer against credential theft<br />
and it is expected that more organisations<br />
will adopt it, especially in countries and<br />
regions where even governments are<br />
mandating it. Unfortunately, attackers are<br />
also finding new ways to circumvent this<br />
security measure." In AiTM phishing, attackers<br />
deploy a proxy server between a target user<br />
and the website the user wishes to visit (i.e.,<br />
the site the attacker impersonates).<br />
Such a setup lets the attacker intercept and<br />
steal the target's password, and the<br />
session cookie that proves their ongoing and<br />
authenticated session with the website.<br />
"Note that this is not a vulnerability in MFA,"<br />
Microsoft points out. "Since AiTM phishing<br />
steals the session cookie, the attacker gets<br />
authenticated to a session on the user's<br />
behalf, regardless of the sign-in method the<br />
latter uses."<br />
Microsoft 365 Defender detects suspicious<br />
activities related to AiTM phishing attacks<br />
and their follow-on activities, such as session<br />
cookie theft and attempts to use the stolen<br />
cookie to sign into Exchange Online, adds<br />
the company. "However, to further protect<br />
themselves from similar attacks, organisations<br />
should also consider complementing MFA<br />
with conditional access policies, where sign-in<br />
requests are evaluated using additional<br />
identity-driven signals like user or group<br />
membership, IP location information and<br />
device status, among others."<br />
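The mechanism described above (a proxy relaying the victim's password and MFA code to the real service, then replaying the returned cookie, which already carries an MFA claim) and the two countermeasures named in this paragraph are shown below as an added Python simulation. It is not Microsoft's code, Microsoft 365 Defender logic, or anything from the original article: the service, cookie format, signing key, IP ranges, device-compliance feed and sign-in log events are all constructed for the example.<br />

```python
"""Toy model of adversary-in-the-middle (AiTM) session-cookie theft, plus
conditional-access evaluation and reuse detection. Everything here is
constructed for illustration; the service, hosts, addresses and log events
are hypothetical and none of it is Microsoft's code."""
from __future__ import annotations
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta

SIGNING_KEY = secrets.token_bytes(32)      # hypothetical server-side cookie key
TRUSTED_PREFIXES = ("10.0.0.",)            # hypothetical corporate egress range
COMPLIANT_DEVICES = {"alice-laptop"}       # hypothetical device-compliance feed
PASSWORDS = {"alice": "correct horse"}     # hypothetical directory
VALID_OTP = "123456"                       # hypothetical MFA code for the demo

def mint_cookie(user: str, mfa: bool) -> str:
    """Issue a signed session cookie with an 'amr' (authentication methods)
    claim, so later requests can tell that MFA was satisfied at sign-in."""
    body = json.dumps({"sub": user, "amr": ["pwd", "mfa"] if mfa else ["pwd"]},
                      sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag

def parse_cookie(cookie: str) -> dict:
    """Verify the HMAC and return the claims; reject tampered cookies."""
    body_hex, tag = cookie.split(".")
    body = bytes.fromhex(body_hex)
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("cookie signature invalid")
    return json.loads(body)

def service_sign_in(user: str, password: str, otp: str) -> str | None:
    """The real service: correct password plus MFA code yields a cookie."""
    if PASSWORDS.get(user) != password or otp != VALID_OTP:
        return None
    return mint_cookie(user, mfa=True)

def aitm_proxy(victim_submission: dict) -> dict:
    """Attacker-controlled proxy: forwards password and OTP unchanged, hands
    the resulting cookie back to the victim, and keeps a copy."""
    cookie = service_sign_in(victim_submission["user"],
                             victim_submission["password"], victim_submission["otp"])
    return {"to_victim": cookie, "stolen": cookie}

def accept_cookie_only(cookie: str) -> bool:
    """Baseline: any valid cookie with an MFA claim is accepted from anywhere.
    This is why AiTM works without any weakness in MFA itself."""
    return "mfa" in parse_cookie(cookie)["amr"]

def accept_with_conditional_access(cookie: str, ip: str, device: str) -> tuple[bool, str]:
    """Conditional access: the cookie is necessary but not sufficient; the
    request is also judged on device status and IP location."""
    if "mfa" not in parse_cookie(cookie)["amr"]:
        return False, "mfa-claim-missing"
    if device not in COMPLIANT_DEVICES:
        return False, "device-not-compliant"
    if not ip.startswith(TRUSTED_PREFIXES):
        return False, "untrusted-location"
    return True, "ok"

def session_id(cookie: str) -> str:
    """Stable identifier for a cookie, as a sign-in log would record it."""
    return hashlib.sha256(cookie.encode()).hexdigest()[:12]

def detect_cookie_reuse(events: list[dict], window=timedelta(hours=24)) -> list[tuple]:
    """Detection: the same session id seen from a second IP within `window`
    of the sign-in that created it. Returns (sid, first_ip, new_ip) tuples."""
    origin, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["sid"]
        if sid not in origin:
            origin[sid] = ev
        elif ev["ip"] != origin[sid]["ip"] and ev["ts"] - origin[sid]["ts"] <= window:
            alerts.append((sid, origin[sid]["ip"], ev["ip"]))
    return alerts

def run_demo() -> dict:
    """Play the attack through and return what each check decides."""
    victim = {"user": "alice", "password": "correct horse", "otp": VALID_OTP}
    stolen = aitm_proxy(victim)["stolen"]
    t0 = datetime(2022, 9, 1, 9, 0)
    # Constructed sign-in log: the service saw the proxy's IP at sign-in,
    # then the same cookie from the attacker's own host two hours later.
    events = [
        {"sid": session_id(stolen), "user": "alice", "ip": "203.0.113.7", "ts": t0},
        {"sid": session_id(stolen), "user": "alice", "ip": "198.51.100.9",
         "ts": t0 + timedelta(hours=2)},
    ]
    return {
        "cookie_only": accept_cookie_only(stolen),
        "conditional_access": accept_with_conditional_access(stolen, "198.51.100.9", "unknown-host"),
        "legit_user": accept_with_conditional_access(stolen, "10.0.0.25", "alice-laptop"),
        "alerts": detect_cookie_reuse(events),
    }

if __name__ == "__main__":
    print(json.dumps(run_demo(), default=str, indent=2))
```

Running the demo shows the stolen cookie passing the cookie-only check, failing conditional access (the attacker's host is not a compliant device, and would also fail the location test), and the reuse detector raising one alert for the cookie appearing from a second IP. The policy order matters in practice: evaluate device and location before trusting the MFA claim, since the claim only records how the session was created, not who is presenting it now.<br />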