CS Sep-Oct 2022

Computing
Security
Secure systems, secure data, secure people, secure business
EMPLOYEES ARE ‘NOT THE FOE’
Human error demands an empathic and
supportive approach
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
TO PAY OR NOT TO PAY
Some solicitors are said to
be advising their clients to
pay up after a ransomware
attack. Wise or foolish?
INSTRUMENTS OF THREAT
Safety fears soar
as connected IOT
devices set to hit
27 billion by 2025
REELING THEM IN
Phishing has never been
a bigger or more exploited
weapon for attackers
Computing Security September/October 2022

Nobody likes feeling
vulnerable.
It’s the same when it comes
to information security.
That’s why our services have been designed
to provide you with the information security
assurances you, and your clients, require.
Penetration Testing
Red Teaming
Information Security Consultancy
www.pentest.co.uk
contact@pentest.co.uk
0161 233 0100
pentest
INFORMATION SECURITY ASSURANCE

comment
A WING AND A PRAYER?
How likely is it that criminal gangs are going to return all your data intact and
untarnished after a ransomware attack, if you comply with their requirements
and pay whatever it is they demand of you? Logic tells you that the odds are
extremely low. Yet, for an organisation that finds itself a victim of an attack, hope must
spring eternal that they will be treated kindly - because many pay up, it is reported.
In a letter to the Law Society, the National Cyber Security Centre (NCSC) - which is a
part of GCHQ - and Information Commissioner's Office (ICO) say they have seen
evidence of a rise in ransomware payments and that, in some cases, solicitors may have
been advising clients to pay, in the belief that it will keep data safe or lead to a lower
penalty from the ICO. They have asked the Law Society to remind its members of their
advice on ransomware and emphasise that paying a ransom will not keep data safe or
be viewed by the ICO as a mitigation in regulatory action.
As Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research
Centre for Ransomware, states in our comprehensive coverage of ransomware on page
18: "The perception that payment will guarantee a quick resolution to the problem lost
access to systems and data is a fallacy," before pointing out: "Since the primary business
objective for these criminals is monetary gain, it should come as no surprise that they
test their encryption better than they do their restoration processes - and that there is
no support line to call, should the restoration process fail. They are after all, criminals,
so there is nothing to prevent one criminal group from compiling a list of victims willing
to pay ransom and then selling that to other criminal organisations."
As ever, prevention remains the best cure, of course. However, in the event of a
successful breach, having an effective backup strategy in place, whereby data can be
recovered and restored quickly, is vital - something covered in depth in our ransomware
feature.
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
Lyndsey Camplin
(lyndsey.camplin@btc.co.uk)
+ 44 (0)7946 679 853
Stuart Leigh
(stuart.leigh@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2022 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk Sept/Oct 2022 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security September/October 2022
contents
CONTENTS
Computing
Security
EMPLOYEES ARE ‘NOT THE FOE’
Human error demands an empathic and
supportive approach
INSTRUMENTS OF THREAT
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
TO PAY OR NOT TO PAY
Some solicitors are said to
be advising their clients to
pay up after a ransomware
attack. Wise or foolish?
Safety fears soar
as connected IOT
devices set to hit
27 billion by 2025
REELING THEM IN
COMMENT 3
A wing and a prayer
Phishing has never been
a bigger or more exploited
weapon for attackers
NEWS 6 & 8
Blackhat gang strikes again
Teen extortion exposes cyber gaps
Overworked, understaffed
Manufacturing 'most attacked sector'
Post-quantum crack-up
ARTICLES
HOW SENSITIVE IS YOUR DATA? 10
Keeping track of stored data can often
prove to be a complex, difficult task. Nick
Evans, GeoLang, offers a way forward
IOT - INSTRUMENTS OF THREAT 11
With the global number of connected IoT
devices expected to reach 27 billion by 2025
is our ability to defend against attacks likely
to become something of a losing battle?
TO TRUST OR NOT TO TRUST,
THAT IS THE QUESTION 14
What exactly is Zero Trust and how can
RANSOMWARE DEMANDS:
this be achieved? Tom Hills, Pre-Sales
HOLD FIRM OR PAY UP? 18
Consultant, SecurEnvoy, offers his insights
Reports that some solicitors may have been
on this challenging topic
advising clients to pay a ransomware, in the
belief it will keep data safe or lead to a lower
WELCOME TO THE (THIRD) PARTY! 16
breach penalty, have caused a backlash
Computing Security recently caught up
with Hornetsecurity chief technical officer
Yvonne Bernard in our latest Q&A session
to find out her thoughts on cloud email
systems and their rapid uptake
OBJECT ARCHIVE SOFTWARE:
THE INSIDE STORY 30
EMPLOYEES ARE 'NOT THE ENEMY' 24
Fujifilm's Object Archive is described as
How do you prevent your workforce from
'an S3-compatible tape storage system
laying the business open to a possible
for long-term data preservation and data
breach? Is education and awareness
protection'. We speak with the company's
training the best solution - or should you
Richard Alderson, Head of Recording
just lock them out of vulnerable areas
Media - UK, Ireland and Scandinavia
altogether?
BIGGER 'PHISH' TO FRY! 34
Phishing remains a highly-prized asset
by attackers when seeking to gain initial
access to organisations by hooking in the
unprepared
CHANGING THE GAME 32
Today, the ITAD sector has emerged as
PRODUCT REVIEWS
a professional value-add industry and
it's been a long, hard road getting there.
Gatewatcher AIONIQ 23
But the battle is far from over, says Steve
Mellings, founder and CEO of ADISA
Rohde & Schwarz Cybersecurity:
R&S Browser in the Box 31
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk
4

www.adisa.global

news
David Mahdi,
Sectigo.
BLACKHAT GANG STRIKES AGAIN
The recent Blackhat ransomware attack
on the Japanese gaming publisher
Bandi Namco - in which the group seized
hold of customer data - comes hard on
the heels of an FBI warning in the wake
of reports that the Blackhat group has
successfully breached over 60 entities
worldwide.
David Mahdi, digital identities expert and
chief strategy officer at cybersecurity firm
Sectigo, comments: "Organisations and
government entities carry a responsibility
to consumers and civilians alike to guard
their most valuable information at all cost.
Personal information that does not change
as easily as a credit card or bank account
number drives a high price on the Dark
Web. This kind of 'Personally Identifiable
Information' is highly sought after by
cybercriminals for monetary gain."
Companies should be implementing
security best practices such as a layered
approach to protection, as well as
proactively updating any out-of-date
security devices, he advises.
But how do you prevent such attacks?
"The answer," he responds, "is combining
identity-first principles with least-privilege
data access security, all while leveraging a
variety of cybersecurity best practices and
technologies [ie, email security, endpoint
security and patch management]."
DATA ENCRYPTION GAINS MOMENTUM
The number of UK organisations implementing data
encryption as a core part of their cybersecurity strategy has
continued to rise, with 32% introducing a policy to encrypt all
corporate information as standard in the last year. Almost half
(47%) of organisations now require the encryption of all data,
whether it's at rest or in transit. This is according to an annual
survey of IT decision makers carried out by Apricorn. Only 2%
do not currently see encryption as a priority. "It's encouraging
to see encryption high up on corporate priority lists," says Jon
Fielding, managing director EMEA Apricorn. "Messages about
the crucial role it has to play in protecting sensitive information
are clearly getting through. "When data is encrypted, it's fully
protected - if an unauthorised individual gains entry to an IT
system or picks up a device that's been left in an Uber, for
Jon Fielding, Apricorn.
instance, the information will remain unreadable."
TEEN EXTORTION GROUP EXPOSES CYBER GAPS
Notorious extortion-only LAPSUS$ ransomware group has
successfully carried out multiple high-profile attacks on
companies such as Microsoft, Samsung and Ubisoft.
Unlike ransomware operators, the LAPSUS$ group represents
a growing breed of extortion-only cybercriminals, focusing
exclusively on data theft and extortion by gaining access to
victims through tried-and-true methods like phishing and
stealing the most sensitive data it can find without deploying
data-encrypting malware. "Just like ransomware, extortion
attacks aren't going anywhere until they are made too
complicated or costly to conduct," says Claire Tills, senior
research engineer at Tenable. "Organisations should evaluate
what defences they have in place against the tactics used, how
they can be hardened and whether their response playbooks Claire Tills, Tenable.
effectively account for these incidents."
OVERWORKED, UNDERSTAFFED - AND BATTLING ON
As breaches continue to rise, cybersecurity and
development professionals are feeling the
pressure to maintain their organisations' security
postures. Invicti Security has released research in
its 'State of the DevSecOps Professional: At Work
and off the Clock' that unveils how overworked
and understaffed these key employees are.
The survey reveals how impending cyberattacks
have created added stress. Tellingly, DevSecOps
professionals "spend more than four hours each workday addressing security issues that never
should have happened in the first place, with 41% of cybersecurity professionals spending 5+
hours addressing security issues, compared to 32% of their developer counterparts".
6
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

news
Chris Vaughan,
Tanium.
CAN YOU TRUST YOUR
THIRD-PARTY VENDORS?
When British recruitment agency
Morgan Hunt suffered a digital
burglary recently, intruders seized personal
data of some of the freelancers on its
books. Morgan Hunt - which provides
personnel services to clients in the charity
education, finance, government, housing
and technology sectors - confirmed the
break-in in a letter to contractors.
Comments Chris Vaughan, area VP and
technical account manager EMEA at
Tanium: "Companies often place a huge
amount of trust in third-party vendors -
usually down to reputation, if they haven't
been breached before, or if they claim to
invest heavily in cybersecurity. However,
IT teams need to be more thorough
than this. They should ask themselves
questions, such as: 'Do I really know
how well our suppliers manage their
operations, including areas like credential
management and patching? How can
we tell how much technical debt they are
carrying? Is the vendor that was breached
three years ago - and then invested a
massive amount improving their security -
less of a risk than a vendor that's never
had a publicly disclosed breach?'
"Only once these questions have been
answered - using data - can organisations
place full trust in the third-party suppliers
they work with."
MANUFACTURING IS NOW THE 'MOST ATTACKED SECTOR'
Manufacturing overtook financial services as
the most attacked sector last year. Yet, for
nearly half (47%) of organisations, cybersecurity in
smart factories still isn't a C-level concern.
This is according to a new report from Capgemini,
'Smart & Secure: Why smart factories need to
prioritize cybersecurity', which examines how
organisations are securing their smart factories and
the challenges they must overcome to do so.
The report's findings include:
People remain the top threat to cybersecurity - of firms impacted by cyberattacks in the past
12 months, 28% noted an increase in employees or vendors bringing in infected devices
More than half of respondents (53%) say smart-factory leaders need to collaborate more
closely with CSOs, as their inability to communicate hinders the organisations' capability to
detect cyber-attacks early, leading to a higher level of damage.
POST-QUANTUM CRACK-UP
Scientists are reported to have finally come up
with a quantum computer that breaks free from
the binary system. Jason Soroko, quantum and
cryptography expert and CTO at cybersecurity firm
Sectigo, says one area where we could see direct
impact is the inevitable outcome that quantum
computers break the cryptographic foundation
stones of our modern digital systems.
"For post-quantum cryptographic algorithms, this
means that the progress path of quantum computers
stable enough to crack traditional algorithms that
we use today is happening," he cautions, adding that
it is now "time to engage with the vendor community
and begin building competency on post-quantum
algorithms and their new associated technologies".
Jason Soroko, Sectigo.
SMART FACTORIES ARE AN EVER-INCREASING TARGET FOR CYBERATTACKS
Anew report that has been released by the Capgemini Research Institute has
found that 51% of industrial organisations believe the number of cyberattacks
on smart factories was likely to increase over the next 12 months. Yet nearly half
(47%) of manufacturers say cybersecurity in their smart factories is not a C-level
concern. According to the Capgemini report, 'Smart & Secure: Why smart factories
need to prioritise cybersecurity', few manufacturers have mature practices across
the critical pillars of cybersecurity.
The connected nature of smart factories is exponentially increasing the risks of
attacks in the Intelligent Industry era, the report states.
Around 53% of organisations - including 60% of heavy-industry and 56% of
pharma and life sciences firms - agree that most future cyberthreats will feature
smart factories as their primary targets.
8
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

obotics & automation
HOW SENSITIVE IS YOUR DATA?
KEEPING TRACK OF STORED DATA IS A
COMPLEX, DIFFICULT TASK. NICK EVANS,
SALES AND MARKETING MANAGER AT
GEOLANG, OFFERS A WAY FORWARD
So, how sensitive is your data? And
no, we don't mean in a 2022
snowflake kind of way. We mean in
a compliance way! Do you know what
sensitive data is being stored in your
Atlassian Confluence, Jira and Bitbucket
environments? If you are like a lot of
businesses we speak to today, you may
be struggling to understand what data is
being stored in your Atlassian tools, and
having to use teams of people, a lot of
time and big budgets to manage that
data.
Atlassian products are used heavily in
the Financial Services sector and, because
of the amount of data those businesses
are constantly creating, it's an ever
increasingly difficult task to stay on top
of the sensitive data they are storing.
Add the complication of constant audits,
understanding data is a critical task.
WHAT WOULD THE ATLASSIAN
TOOLS TYPICALLY BE USED FOR?
Confluence - Confluence is a team
workspace where knowledge and
collaboration meet. Dynamic pages give
your team a place to create, capture, and
collaborate on any project or idea.
Jira - Helps teams plan, assign, track,
report and manage work, and brings
teams together for everything from agile
software development and customer
support, to start-ups and enterprises.
Bitbucket - A Git repository management
solution. It gives you a central place to
manage git repositories, collaborate on
your source code and guide you through
the development flow.
In essence, a business's 'Crown Jewels'
can be, and usually are, stored in the
Atlassian suite of tools.
To complicate matters even more, the
Atlassian tools have traditionally
deployed on customers' servers, but
Atlassian has recently announced that
they will stop the support of on-premises
environments from February 2024 (You
can read the announcement and planned
timeline here) and are wanting their
customers to embrace the Atlassian
Cloud - but not all types of businesses
can easily (or safely) move their data into
cloud environments.
Best practices state that, before any
data is migrated, that data is cleaned
first. Before Data can be cleaned, it
needs to be discovered, so that a
business can understand what they are
working with.
The GeoLang Data Discovery has been
designed to make the discovery of
sensitive data being stored in
Confluence, Jira and Bitbucket as simple
as possible. Customers find that not only
is the stress removed from their sensitive
data management processes, but they
also see reductions in operational costs.
As stated above, businesses are usually
having to employ many people to run
their search tasks; so, by automating that
process, resources can focus on other
areas of business that may have been
neglected because so much time is spent
on running manual searches and
scouring through masses of data.
We recently created a case study with a
Tier-1 bank that has adopted the
GeoLang Data Discovery tool and the
case study highlights just how our Data
Discovery tool has drastically reduced the
time and effort (and bill) it has taken to
manage the Sensitive Data they are
working with. You can read that case
study here.
To discuss how GeoLang can help, get
in touch at contact@geolang.com.
10
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

IoT devices
IOT - INSTRUMENTS OF THREAT?
WITH THE GLOBAL NUMBER OF CONNECTED IOT DEVICES EXPECTED TO REACH 27 BILLION BY 2025 IS OUR
ABILITY TO DEFEND AGAINST ATTACKS LIKELY TO BECOME A LOSING BATTLE?
We are soon going to be faced with
an IoT device saturated workspace
and the big question is: how can
all of the security risks that go with these
devices be controlled? According to IoT
Analytics, the global number of connected
IoT devices is expected to grow 9%, reaching
27 billion by 2025. "With that dramatic
rise in connected devices also comes an
increased need for security," states Kaspersky.
"In fact, Gartner highlights that, in the past
three years, nearly 20% of organisations
have already observed cyberattacks on IoT
devices in their network."
While two thirds of organisations (64%)
globally use IoT solutions, according to
Kaspersky, 43% don't protect them
completely. "This means that for some of
their IoT projects - which may be anything
from an EV charging station to connected
medical equipment - businesses don't use
any protection tools. The reasons behind this
may be due to the great diversity of IoT
devices and systems, which are not always
compatible with security solutions. Almost
half of businesses fear that cybersecurity
products can affect the performance of IoT
(46%) or that it can be too hard to find a
suitable solution (40%). Other common
issues businesses face when implementing
cybersecurity tools are high costs (40%),
being unable to justify investment to the
board (36%) and lack of staff or specific
IoT security expertise (35%)."
64 BILLION DEVICES
It is estimated that, by 2026, there will be
64 billion IoT devices installed around the
world, according to Kaspersky, with the
trend towards remote working helping to
drive this increase. "So many additional
devices change the dynamics and size of
what is sometimes called the cyber-attack
surface - that is, the number of potential
entry points for malicious actors," the
company reports. Compared to laptops and
smartphones, most IoT devices have fewer
processing and storage capabilities. "This can
make it harder to employ firewalls, antivirus
and other security applications to safeguard
them," it points out.
Furthermore, cybersecurity risks are seen by
more than half of organisations (57%) as the
main barrier to implementing IoT. This can
occur when companies struggle to address
cyber-risks at the design stage and then have
to carefully weigh up all pros and cons
before implementation.
"Cybersecurity must be front and centre for
IoT," advises Stephen Mellor, chief technology
officer at Industry IoT Consortium. "Managing
risk is a major concern, as life, limb and the
environment are at stake. An IT error can be
embarrassing and expensive; an IoT error can
be fatal. But cybersecurity is only one part of
making a system trustworthy. We also need
physical security, privacy, resilience, reliability
and safety. And these need to be reconciled:
what can make a building secure [locked
doors, for example], could make it unsafe, if
you cannot get out quickly."
Adds Eric Kao, director, WISE-Edge+ of
Advantech, a global vendor of industrial IoT
solutions: "IoT projects are very fragmented,
loosely-coupled, domain-specific and
integration-heavy in nature. In comparison,
IT projects such as messaging/communication,
analytics, CRM etc have around 80%
of common requirements. In the case of IoT
implementation, however, we have to deal
with all kinds of legacy systems, physical
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2022 computing security
11

IoT devices
Dave Adams, Prism Infosec: many
systems are not currently zero trust
enabled.
Jim Hietala, The Open Group: it's not
possible to consider any IoT device as
'trusted' in today's environment.
constraints, domain protocols, multiple
vendor solutions etc and maintain a
reasonable balance in availability, scalability
and security. In pursuit of higher availability
and scalability, certain cloud infrastructure
has to be leveraged, the system has to be
open to some extent, then security becomes
an enormous challenge."
Why are IoT devices so vulnerable?
According to Trend Micro, "largely because
these devices lack the necessary built-in
security to counter threats. Aside from the
technical aspects, users also contribute to
the devices' vulnerability to threats".
RISK FACTORS
Some of the reasons that Trend Micro offers
as to why these smart devices remain at risk
include the following:
Limited computational abilities and
hardware limitations. These devices have
specific functions that warrant only
limited computational abilities, leaving
little room for robust security mechanisms
and data protection
Heterogeneous transmission technology.
Devices often use a variety of transmission
technology. This can make it difficult
to establish standard protection methods
and protocols
Components of the device are vulnerable.
Vulnerable basic components affect
millions of deployed smart devices
Users lacking security awareness. Lack
of user security awareness could expose
smart devices to vulnerabilities and attack
openings
Device vulnerabilities allow cybercriminals
to use them as a foothold for their
attacks, which reinforces the importance
of security from the design phase.
How do device vulnerabilities affect users?
"Looking into some of the more notable
attacks on IoT devices shows how it can
affect users," adds Trend Micro. "Threat
actors can use vulnerable devices for lateral
movement, allowing them to reach critical
targets. Attackers can also use vulnerabilities
to target devices themselves and weaponise
them for larger campaigns or use them to
spread malware to the network."
IoT botnets serve as an example that
demonstrates the impact of device
vulnerabilities and how cybercriminals have
evolved to use them, it continues. "In 2016,
Mirai, one of the most prominent types of
IoT botnet malware, made a name for itself
by taking down prominent websites in a
distributed denial of service (DDoS)
campaign consisting of thousands of
compromised household IoT devices.
"From a business perspective, IoT devices
further blur the distinction between the
necessary security of businesses and homes,
especially in work-from-home scenarios.
Introducing IoT devices to the household can
open new entry points in an environment
that might have weak security, exposing
employees to malware and attacks that
could slip into a company's network. It's a
significant consideration when implementing
bring your own device (BYOD) and workfrom-home
arrangements. Attackers can
also use IoT devices with existing issues to
get into internal networks. These threats
range from DNS rebinding attacks that allow
for gathering and exfiltrating information
from internal networks to new attacks via
side channels, such as infrared laser inducted
attacks against smart devices in homes and
corporate environments."
Trend Micro points to a number of cases
that, it says, demonstrate the impact of IoT
vulnerabilities; some of them involve realworld
settings and others as research into
these devices. "The Open Web Application
Security Project (OWASP), a non-profit
foundation for improving software, annually
releases a list of the top IoT vulnerabilities."
Examples of these common flaws include
weak, guessable or hardcoded passwords.
"New variants of malware typically use this
vulnerability. For example, we found a Mirai
12
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

IoT devices
variant called Mukashi, which took
advantage of CVE-2020-9054 and used
brute force attacks with default credentials
to log into Zyxel NAS products."
Adoption of the Secure by Design Code of
Practice, launched back in 2018, has been
lacklustre to say the least, comments David
Adams, security consultant at Prism Infosec.
"Without any carrot or stick, there was little
incentive for IoT vendors to implement any
of the 13 principles and the government has
admitted as much saying that 'too many
insecure consumer-connected products
remain on the market and we need to take
steps'."
‘CARROT AND STICK’
The Product Security and Telecommunications
Infrastructure (PSTI) Bill aims to
address this by mandating compliance with
the top three guidelines in the Code of
Practice, namely a ban on universal default
passwords, vulnerability reporting and a
minimum support period, and is expected
to come into force from 2023. "It will act as
the stick," states Adams, "but what of the
carrot? To help prepare the way for regulation,
the DCMS put out a tender for a
kitemark scheme whereby manufacturers
are voluntarily assessed by an independent
third party.
"IASME launched its scheme last year,
featuring three levels, Basic, Silver and Gold,
which align with ETSI's EN 303 645, the PSTI,
and are also mapped to the IoTSF Security
Compliance Framework. Vendors that meet
the criteria will be able to display a badge on
their IoT device."
And plenty seem to have taken the carrot
and the biggest one at that, he adds. "All
those we've come across have gone for gold,
because they see it as a way to not only
reassure customers, but also get ahead of
the curve and differentiate their offerings.
No doubt uptake is being watched closely in
the US, where NIST has proposed a similar
'labelling', although it has yet to appoint an
overseer that would fulfil the same remit
as IASME. The scheme and PSTI will mean
that from 2023 we can expect a real
improvement in IoT security, with security
controls baked in from conception and
devices no longer susceptible to takeover en
masse through the use of default passwords.
However, there is still an army of unsecure
devices out there."
With over 30 billion devices already
deployed, it's retro-managing these devices
that is liable to cause businesses and
consumers alike problems over the coming
years, he points out, particularly as passwords
are leaked, new vulnerabilities emerge
and devices outlive their support. "To ensure
that IoT devices on networks don't represent
the weakest link, steps need to be taken
towards embracing a zero trust strategy."
"However, this presents further challenges,
as many systems are not currently zero trust
enabled. We can therefore expect a sizable
transition period and it's during this time,
when systems are being retired and
replaced, that networks are liable to be at
their most susceptible to attack. This begs
the question: do we also need to encourage
retrospective assessments to get us through
the dark age of the IoT?"
DEFECTS AND VULNERABILITIES
According to Jim Hietala, vice president,
Business Development & Security, The
Open Group, it's no secret that there is an
increasing threat of cyber-attacks across
any industry and for any organisation. "As
reliance on technology grows, organisations
need to focus on how to protect their
devices from these cyber threats by ensuring
the systems involved are secure and free of
major defects and vulnerabilities. However,
devices inevitably have vulnerabilities
through their connection to a network. With
the growing use of IoT devices, a business'
attack service grows alongside, as attacks
can originate from the channels that
connect IoT devices." What's more, he
adds, cybercrime has become a lucrative
and mature market and criminal groups
are collaborating with peers to align
strategies and select targets.
"This means that attacks are becoming
more sophisticated, as malicious actors
become fully-fledged criminal enterprises,
providing as-a-service offerings and
malware licences to established customer
bases and target markets. As seen with
recent ransomware attacks, no amount of
network-focused security can prevent an
attack, if cyber criminals work a situation
where the actual point of infiltration is
carried out by genuinely authorised users
- a tactic that becomes more viable for
attackers with IoT devices and a digital
infrastructure that is more complex."
That, Hietala continues, is why it's not
possible to consider any IoT device as
'trusted' in today's environment. "This is
where Zero Trust is a critical concept to
control and mitigate associated security
risks. When it comes to the influx of IoT
devices, securing networks is no longer
enough. Organisations should be looking
to models that secure the data and assets
those networks are there to carry.
"Rather than assuming any device on a
network must have passed a security
checkpoint and is therefore trustworthy,
Zero Trust assumes every action is
potentially malicious and performs
security on an ongoing, case-by-case
basis," he points out.
"Defending against the cyber threats
facing IoT devices is not a losing battle.
However, the industry must establish
standards and best practices for Zero
Trust, in order to successfully implement
this and ensure that proactive mitigation
of cyber threats is a commonplace tactic
for protecting IoT devices against increasingly
sophisticated cyber criminals."
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2022 computing security
13

zero trust
TO TRUST OR NOT TO TRUST,
THAT IS THE QUESTION
WHAT EXACTLY IS ZERO TRUST AND HOW CAN THIS BE ACHIEVED?
TOM HILLS, PRE-SALES CONSULTANT, SECURENVOY, OFFERS HIS
INSIGHTS ON THIS CHALLENGING TOPIC
The fundamental belief of Zero Trust
is that organisations should not
automatically trust anything inside or
outside the organisation's IT boundaries.
Implicit trust should be removed and
risk-appropriate explicit trust used before
allowing that user (or Identity) any form of
access to the organisation. Zero Trust can
be a bit of a misnomer, because it doesn't
mean necessarily 'no trust', but is the basis
of establishing trust first. As we're all too
familiar with today, existing IT architectures
in organisations are rife with implicit trusts.
Historically, architectures have been built
with products and solutions that provide
hardened perimeters at physical locations,
that wrapped around a fleshy and chewy
interior - think 'prickly pear' or a 'castle and
moat' scenario.
Zero Trust presents a change in mentality
that defence shouldn't just extend to the
perimeter of our network, but also challenge
what is already inside. Analysis of the most
egregious security breaches shows us they
were successful because, after penetrating
the firewalls, attackers were able to laterally
move around undetected and unchallenged
by exploiting implicit trusts. Therefore,
implicit trusts are unsuitable for preventing
modern treats and now more than ever in
2021, especially with the change in modern
working environments. The number of
people working from home during 2020
doubled in the UK as a result of the
pandemic. This has not suddenly caused
people to become untrustworthy; it is just
now their environments and equipment are
not so secure. Organisations, rightly,
extended their VPNs, but this created a large
and easy target for attackers. The network,
still supporting implicit trust, cannot adapt
to the new working environment.
Combine the possibility of users bringing
their own unmanaged devices, and the data
that the user is accessing being outside of a
physical office or network perimeter, means
the risks associated have greatly increased.
When working remotely, users have been
seen to be less security aware and more
susceptible to click on suspicious links or files.
According to Cyber Crime Magazine, global
Ransomware damages is expected to reach
$20bn by 2021!
For an organisation set out to achieve Zero
Trust, this will require systemically removing
the existing implicit trusts within the
environment. There are also challenges in
changing mentalities to implementing
technologies and resources. It's not an
overnight transformation and there is no
single silver bullet to apply; it is as much
about technology' as much as business
processes. Some starting points are:
Assume compromise and that the
attacker is currently active
Use context and Identity (Contextual
Identity) as the foundation for access
decisions
Location isn't a key trust factor, but
may be one attribute to develop trust
Encrypt your data at rest and in transfer
Monitor everything to identify and
investigate anomalies.
Building an architecture that 'never trusts,
always verifies' leads to a highly resilient and
flexible environment, which is more capable
of meeting modern working demands and
makes potential attackers lives more difficult.
If an anomaly were to be detected, staff have
more time to react and isolate and manage
the incident, whether network breach,
ransomware outbreak or data compromise.
HOW CAN SECURENVOY PRODUCTS
CONTRIBUTE TO A ZERO TRUST
MODEL?
SecurEnvoy offerings in IAM (Identity and
Access Management), MFA (Multi Factor
Authentication) and DLP (Data Loss
Prevention) can help build foundations
of a Zero Trust architecture model.
MODERN AUTHENTICATION
Modern authentication is the combination
of access polices and MFA. SecurEnvoy
introduces adaptive, conditional access to
determine if access will be allowed and/
or MFA enforced. Based on the signals
SecurEnvoy receives, we're able to
automatically (or on a configured basis)
control whether a user can access and if
they're prompted for MFA or not. Based
on these signals, we're able to verify again,
before trusting. Least Privilege is also a
methodology that complements Zero Trust -
that users will only be allowed the least
amount of access required to complete
their task or the job at hand.
A rule-based access policy can also be
configured - see next page:
14
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

zero trust
controls, inadvertent data leaks are
prevented.
MFA responses can be delivered in
real time (or preloaded) using SMS,
email, PUSH or a Soft token via the
SecurEnvoy Authenticator App.
Also, integration with biometrics and
the use of hardware tokens means MFA
is always available, even if the user is
offline. SecurEnvoy's MFA can also be
implemented right at the very start
of the user's interaction with the
environment - by applying MFA at
the point of authentication into the
environment with the Windows Login
Agent (WLA). We can be certain that
the user is who they say they are by
prompting that user for an MFA
response. WLA can support Windows
Endpoints and Servers both console
and remote connections.
In addition, MFA can also be applied
against VPNs, IIS applications, RDS and
ADFS enabled applications. This ensures
remote connectivity is secured and
access to applications protected against
unauthorised access with just username
and passwords. We know username and
passwords just aren't enough anymore.
IAM
SecurEnvoy's IAM product synchronises
across multiple directories (Azure AD,
Microsoft AD, Google Workspace)
to become the single source of truth
for user directory membership and
management. Bi-directional synchronisation
means, if a change is made
in either SecurEnvoy or directory, the
change is synched everywhere.
At the directory level, we are clearly
able to detect if anyone is attempting to
elevate permissions through directory.
Secondly, SecurEnvoy IAM also serves as
a portal for users to access their cloud
applications and resources. Leveraging
SAML, SecurEnvoy can provide SSO onto
these applications, such as Salesforce,
Workday, O365 etc. Once federated with
these applications, access is only possible
via SecurEnvoy.
DLP
SecurEnvoy's DLP product can go
towards securing access to critical data.
We're able to classify data and control
the movement of that data. By using
stringent email sender and recipient
SecurEnvoy DLP can discover where
data resides, monitor and detect access
to data. One data protection policy can
provide a single pane of glass view into
the visibility of your data.
PATHWAY TO ZERO TRUST
Knowing in real time exactly where data
resides, who has access to that data and
protecting the transfer methods of that
data can go towards achieving Zero Trust
by ensuring that only verified users can
access the data. Automated controls are
in place to prevent activities occurring
that are outside of the level of trust.
To summarise, the future of work will
be hybrid, so a modern working environment
must be flexible and adaptive. It
must support remote workers, remote
data and remote applications (such as
SaaS). The architecture may restrict
access, but it must be flexible enough to
support an increasingly interconnected
business. It must adapt to the needs
of the business, while allowing that
business to thrive, despite the threats
enabled by being so connected.
CONTEXT AND IDENTITY
Zero Trust supports all these goals by
using context and identity as the control
plane and minimising access to the least
required to do the job at hand. This
allows the business to work as needed
and not to be inappropriately constrained
by security controls.
Users can have risk-appropriate access
to resources from any device, any time
and any location, and with the same
security controls in place, regardless of
the situation. It enables the secure use
of cloud computing and secure access to
on-premises resources and facilitates the
migration from the latter to the former.
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2022 computing security
15

Q&A
WELCOME TO THE (THIRD) PARTY!
COMPUTING SECURITY RECENTLY CAUGHT UP WITH HORNETSECURITY CHIEF TECHNICAL OFFICER
YVONNE BERNARD TO FIND OUT HER THOUGHTS ON CLOUD EMAIL SYSTEMS AND THEIR RAPID UPTAKE
Computing Security: According to a
market survey on email security carried
out by analysts Gartner, the adoption
of cloud email systems continues to grow,
"forcing security and risk management
leaders to evaluate the native capabilities
offered by these providers". What do you see
as the most compelling reasons to go down
the cloud email systems route?
Yvonne Bernard: It is a fact that the more
popular a platform is, the more likely it is to
be targeted by cyberattacks - because
there are lucrative gains to be
made. Boosting inbuilt protection
therefore is key and largely boils
down to cost: how much are you
able and willing to pay for
security? In other surveys, Gartner
recommends investing in thirdparty
security to decrease the risk
of cyberattacks targeted at cloud
customers that currently only rely
on native, out-of-the-box security
features, such as when using
Microsoft 365. An additional
layer of security is a must to give
customers the peace of mind
they need and deserve. Some
features, like our-Ex Post Deletion,
are true lifesavers for the IT
admins and MSPs who rely on
our solutions to protect customer
data.
CS: Not everyone, of course, has
been convinced that they need to
move to a cloud email system - at
least not yet. Why do you feel that
might be and are there indeed solid
alternatives that make just as much
sense?
YB: In most cases, those who fear a move
to cloud email systems do so because they
think they may lose control by not having
physical control over their data and its flow.
Although such concerns have been
addressed years ago from a compliance
perspective, they continue to haunt a few
customers and keep them from moving into
the cloud. However, a cloud email system
brings many benefits, including reduced
maintenance and operational costs, and far
superior security if used with a third- party
solution, and it is these factors that have
convinced so many customers to move away
from their on-prem solution to the cloud.
CS: How does Hornetsecurity's own
Managed Security Services solution help
protect businesses from the kind of
increasingly malicious and sophisticated
attacks we are now seeing?
YB: We are proud to have a fantastic inhouse
Security Lab, which not only monitors
our current traffic, but also the latest trends
in attacks, darknet, etc. This allows us to
always be at least one step ahead and be
proactive. In addition to that, our product's
AI engines also learn new patterns before
they even appear in research or real-world
traffic.
CS: Data storage is an important part
of the Hornetsecurity offering. How can
organisations be sure that their precious data
is really and truly safe? Aren't they taking
something of a gamble by handing over
ownership to a third party?
YB: Hornetsecurity offers its own highperformance,
redundant, S3-compatible
storage via in our data centres. Customers
16
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

Q&A
can choose which location (EU, UK, US,
Canada) they want to use to meet their
compliance needs. Ultimately, it is a question
of trust and so far our customers are very
happy with the choice they made: we have
received very positive feedback about the
availability, security, speed and quality of our
data storage technology.
CS: What are the most worrying forms of
threats we are likely to see in the coming
months, years?
YB: Deepfakes and multi-level threats (e.g.,
email, phone, video) are rising. Therefore, it
is important not only to rely on email security
to protect both company data and
employees, but also to adopt a holistic
approach to company security that includes
IT security awareness training.
CS: IT security awareness training is
something Hornetsecurity has just invested
in. Tell me more about that acquisition and
the reasoning behind it.
YB: Yes, we recently acquired IT-Seal, a
security awareness training company that
specialises in establishing a sustainable
security culture. Apart from promoting
cybersecurity awareness to our partners and
customers through educational blog posts,
ebooks, webinars and reports, we can now
provide IT security training as part of our
cybersecurity package. This way, coupled
with our established email security and
backup and recovery solutions, we can cover
all aspects of the awareness-preventiondetection
cycle, with a particular focus on
Microsoft 365. The automated training
service uses innovative technologies to train
employees and incudes a scientific, patented
security awareness indicator (Employee
Security Index - ESI) to make security
awareness measurable and comparable.
Every person makes an important
contribution to everyone's IT security and
focusing on the human factor through
training helps secure both the digital society
and the economy, as well as our customers.
CS: How do vendors like Hornetsecurity
keep pace with the ever-steepening threat
curve? Is that even possible?
YB: It's an arms race: you constantly have to
be ahead of the attackers - which means you
have to invest heavily into research, as well
as finding and training the right staff to cope
with the increasing challenges. From my
point of view, having employees with the
right mindset is hugely important - as you
can educate them and they will step up to
the next level with intrinsic motivation and
the right skills.
CS: How is the emergence of quantum
computing going to worsen the concerns
that organisations already feel and what
would Hornetsecurity like to see done at
a governmental level to help ward off those
threats, by working with vendors such as
yourselves?
YB: Quantum computing was the last area
I had focused on when completing my
Master's degree at university. It was purely
theoretical back then and has now become
reality. Having said that, I do not think this
is so much something to worry about,
but rather it has great potential to solve
computational problems faster than ever.
Yes, this power can be used to break
encryption, but it can also be used for a
good cause. Quantum computing will, of
course, lead to a faster deprecation of nonresistant
cipher suites, but there are already
quantum-computing resistant cipher suites
available and we are already well prepared
for real-world usage.
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2022 computing security
17

ansomware
RANSOMWARE DEMAND? 'DON'T PAY IT!'
REPORTS THAT SOME SOLICITORS MAY HAVE BEEN ADVISING CLIENTS TO PAY A RANSOMWARE,
IN THE BELIEF IT WILL KEEP DATA SAFE OR LEAD TO A LOWER PENALTY, HAVE CAUSED A BACKLASH
In a recent letter to the Law Society, the
National Cyber Security Centre (NCSC) -
which is a part of GCHQ - and the
Information Commissioner's Office (ICO)
say they have seen evidence of a rise in
ransomware payments and that, in some
cases, solicitors may have been advising
clients to pay, in the belief that it will keep
data safe or lead to a lower penalty from
the ICO. They have asked the Law Society
to remind its members of their advice on
ransomware and emphasise that paying
a ransom will not keep data safe or be
viewed by the ICO as a mitigation in
regulatory action.
How sound is their advice and should
anyone hit by ransomware follow it without
exception? What if your organisation faces
possible meltdown from such an attack,
unless it can get its systems back up and
running - and fast? Most importantly, for
those who have never yet been a victim, is
a ransomware attack bound to succeed, if
you are targeted, or are their 'foolproof'
ways to stay protected?
"Payment of a ransom is fundamentally an
act enabling future attacks," comments Tim
Mackey, principal security strategist at the
Synopsys Cybersecurity Research Centre for
Ransomware. "The perception that payment
will guarantee a quick resolution to the
problem lost access to systems and data is
a fallacy. Ransomware is an evolutionary
tactic used by cyber criminals as part of
their criminal operations. Five years ago,
the hot topic in cyber defence was data
breaches where criminals sold access to
data acquired in an attack. This then
evolved to ransomware, wherein the
criminals encrypted data and could
nominally sell restoration of operations
upon payment of a ransom to their victims.
"Of course, nothing prevented those
criminals from also selling the data they
encrypted, meaning they now have at least
two revenue streams. Since the primary
business objective for these criminals is
monetary gain, it should come as no
surprise that they test their encryption
better than they do their restoration
processes - and that there is no support line
to call, should the restoration process fail.
They are, after all, criminals, so there is
nothing to prevent one criminal group from
compiling a list of victims willing to pay
ransom and then selling that to other
criminal organisations."
Mackey says that addressing ransomware
needs to move from a reactionary mindset
to a proactive one. "If your organisation isn't
performing threat model analysis with a
focus on defending against data breaches
and ransomware, then you are more likely
to fall victim to ransomware than an
organisation which did put in the effort.
Such threat modelling would look at how
systems and data are accessed, by whom
and what the scope of access might be. It
then looks at how systems are deployed,
and how data is retained, backed up and
processed to determine potential access
points an attacker might use to gain access.
Those access points are then candidates for
increased monitoring for abnormal or
unexpected usage - all with the goal of
identifying something out of normal
operations quickly.
"Whatever set of threats that are identified
should be addressed, but there should also
be an emphasis on the processes teams
should follow in the event of an attack,
along with simulated drills," he adds. "After
18
computing security Sept/oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

ansomware
all, the worst point in time to create an
incident response plan is whilst in the midst
of addressing an incident. It is precisely the
lack of response planning that leads some
organisations to believe that its expedient
to pay a ransom."
RANSOMWARE PROLIFERATING
"It's estimated that there are now over 120
separate families of ransomware and
hackers have become very adept at hiding
malicious code," states Jornt van der Wiel,
security researcher, Global Research &
Analysis Team. "Ransomware is a relatively
easy way for hackers to gain financial
rewards, which is partly behind its rise.
Another factor was the Covid-19 pandemic.
The accelerated digitisation of many
organisations, coupled with remote
working, created new targets for
ransomware. Ransomware attackers are
becoming more sophisticated in their
phishing exploits through machine learning
and with more coordinated sharing on the
dark web. Hackers typically demand
payment in cryptocurrencies, which are
difficult to trace. We can expect to see
more ransomware attacks on organisations
that are not cyber secure in the near term."
When identifying ransomware, a basic
distinction must be made, he advises. In
particular, certain types of ransomware are
very popular:
Locker ransomware. "This type of malware
blocks basic computer functions. For
example, you may be denied access to the
desktop, while the mouse and keyboard
are partially disabled. This allows you to
continue to interact with the window
containing the ransom demand in order
to make the payment."
Crypto ransomware. "The aim of crypto
ransomware is to encrypt your important
data, such as documents, pictures and
videos, but not to interfere with basic
computer functions. This spreads panic,
because users can see their files, but cannot
access them."
WordPress ransomware: as the name
suggests, this targets WordPress website
files. "The victim is extorted for ransom
money, as is typical of ransomware. The
more in-demand the WordPress site,
the more likely it is to be attacked by
cybercriminals using ransomware."
The Wolverine case. "Wolverine Solutions
Group [a healthcare supplier] was the victim
of a ransomware attack in September 2018.
The malware encrypted a large number of
the company's files, making it impossible for
many employees to open them. Fortunately,
forensics experts were able to decrypt and
restore the data on October 3. However, a
lot of patient data was compromised in the
attack. Names, addresses, medical data and
other personal information could have
fallen into the hands of cybercriminals."
So, how do you stay safe, in the face of all
these threats? By addressing all of these
negatives, suggests van der Wiel:
The device used is no longer state of
the art
The device has outdated software
Browsers and/or operating systems
are no longer patched
No proper backup plan exists
Insufficient attention has been paid
to cybersecurity and a concrete plan
is not in place.
'MILLIONS OF DOLLARS' RANSOM
DEMAND
Meanwhile, Sygnia's Incident Response
team has been methodically tracking the
'Luna Moth' ransom group over the last few
months. Its modus-operandi "resembles
scammers, with the twist of corporate data
theft, leveraging the threat of publication to
demand millions of dollars in ransom".
'Luna Moth' focuses on data breach
extortion attacks, threatening to leak stolen
information if the demanded ransom is not
paid. The initial compromise is achieved by
deceiving victims in a phishing campaign
under the theme of Zoho MasterClass and
Duolingo subscriptions, leading to the
installation of an initial tool on the
compromised host.
"The group uses commercial remote
administration tools [RATs] and publicly
available tools to operate on compromised
devices and maintain persistency,
demonstrating once more the simplicity
and effectiveness of ransom attacks," says
Sygnia. "The group acts and operates in an
opportunistic way: even if there are no
assets or devices to compromise in the
network, they exfiltrate any data that is
accessible; this emphasises the importance
of managing sensitive corporate
information."
With the rise in ransomware activity over
the past years, the security industry has
become used to hearing about double
extortion, and even triple extortion attacks,
and new crime groups of all kinds. In a blog
post, Sygnia has shed light on a relatively
new threat actor, which goes by the name
of the 'Silent Ransom Group' (or 'SRG') - and
then was dubbed 'Luna Moth' by Sygnia. "By
launching a phishing campaign with a wide
coverage area, 'Luna Moth' infiltrates and
compromises victim devices. These attacks
can be categorised as data breach ransom
attacks, in which the main focus of the
group is to gain access to sensitive
documents and information, and demand
payment to withhold publication of the
stolen data. Simple as they may be, these
attacks can create serious issues for victims,
if sensitive data and information is stolen in
this way."
In response to the 'Luna Moth' attack,
Mark Warren, product specialist, Osirium,
had this to say: "The increase in cases of
phishing attacks highlights just how
sophisticated these threats are becoming,
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2022 computing security
19

ansomware
Jon Fielding, Apricorn: training should be
combined with a policy that mandates
the encryption of all data as standard.
Jornt van der Wiel, Kaspersky: estimates
indicate that there are now more than
120 separate families of ransomware.
in order to circumvent both people and
processes. Training of staff will help avoid
falling victim to these attacks, but that
needs to be backed up by systems and
processes that prevent or limit damage
when the attacks break through (as they
will, given the volume of attacks issued
and human fallibility).
"All organisations should remove local
admin permissions from end users to
prevent malware installation [but do it in
a way that doesn't stop them from doing
their work] and users should never have
direct access to either valuable corporate IT
systems or the admin accounts on those
systems."
RISK MANAGEMENT
According to Jon Fielding, managing
director EMEA of Apricorn, each employee
must be considered as an individual
endpoint that needs to be managed and
secured. "This sounds like a Herculean task,
but a combination of policy, education and
technology will make the process pretty
straightforward. Employee training is often
mentioned as the key factor in managing
risk - and ongoing education in best
practice is indeed crucial to engaging the
workforce in strengthening the company's
security posture. They also need to fully
understand the context around what
they're being asked to do: the specific
threats the business faces, the risks
associated with mishandling information,
and the potential consequences of a
breach."
At the same time, he recognises that
humans will remain fallible, however well
versed they are in the risks to data and
systems and the cybersecurity policies they
must follow. "In Apricorn's latest survey of IT
decision makers, 31% said they expected
employees who were aware of the risks of
a data breach to still lose data and expose
the organisation to a potential breach.
Meanwhile, phishing and user error were
cited as the main causes of breaches within
the surveyed organisations - emphasising
the continued risk that employees pose to
the integrity of critical information."
This is why training should be combined
with a policy that mandates the encryption
of all data as standard, whether it's at rest
or in transit, he continues. "When
information is encrypted, it's fully protected
- if an unauthorised individual gains entry
to an IT system or picks up a device that's
been left in an Uber, for instance, it will
remain unreadable. Automatic encryption
will secure the endpoint and the data,
without employees needing to do anything
extra or change the way they work.
"Finally, an effective backup strategy will
further protect data by enabling it to be
recovered and restored quickly, if an
employee does make a mistake that results
in a breach - for instance, by clicking on a
ransomware link. Information should be
backed up regularly, to at minimum one
onsite and one offsite location, and one
copy should be held offline. One of the
most straightforward ways to create offline
backups is to store files on high-capacity
external hard drives and USBs, which can
be disconnected from the network to
create an air gap between information and
threat. These will also provide employees
with the capability to recover data quickly
and locally, if needs be, as well as being
able to safely move data around offline."
'CASH COW' PAYOUTS
It's no secret that the scale of ransomware
attacks has accelerated in sophistication
and frequency, states Usman Choudhary,
chief product officer of VIPRE, "and those
businesses which fall victim to these types
of attacks are increasingly paying the
ransom, with attackers knowing that, if the
business pays once, they will pay multiple
times. And to the attacker, a successful
ransomware attack can be used on multiple
occasions against many organisations,
20
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

ansomware
turning a simple attack into a cash cow for
criminal organisations. Despite businesses
paying the ransom, there is no guarantee
that the data will be un-encrypted,
returned and not leaked publicly".
However, by mitigating these attacks with
the right process in place, ransomware
threats can be avoided by providing both
the business and the user with the
necessary education and support.
"Consistent security awareness training will
help users to build their knowledge of the
cyber threats they could face and, more
importantly, teach them how to prevent
those attacks from occurring," adds
Choudhary. "Additionally, using technology
solutions such as sandboxing helps to block
malware before it enters the network.
This process allows both the user and the
organisation to remain in control of the
email and the network access points,
preventing dangerous emails from entering
the user's inbox."
Furthermore, he recommends that smart
security email tools should be deployed that
prompt the user to double-check an email
before they click send, for example: 'Are
your recipients the right people to share
this information with?' This type of smart
technology enables the user to make more
informed decisions, while alerting them at
the point of potential data leakage - before
it is too late.
"In the event of a ransomware attack,
having a recovery plan is crucial to
containing and limiting the damage," he
also advises. "It supports an organisation
short-term to minimise disruption, but it
will also benefit businesses long-term to
learn from potential errors. Good business
practice post-attack should ensure that a
retrospective audit is conducted of what
happened, and that these findings are
shared across the business to help develop
the best security approach and mitigate the
risk of another attack occurring again."
Implementing regular security awareness
training, email protection and a recovery
plan are all important layers of cyber
security protection against ransomware
attacks, adds Choudhary. "But, by
themselves, they do not reach the
maximum potential of security and face
leaving potential gaps for attackers to
leverage. Instead, combining them together
and creating a multi-faceted approach is
key to transforming and strengthening
security measures, giving businesses
confidence and reassurance against the
modern threat landscape."
WELCOME WARNING
As ransomware remains one of the most
lucrative and popular cybercriminal tactics,
states Pete Bowers, COO at NormCyber, "we
welcome the NCSC's warning: there can be
no mixed messages when it comes to legal
advice - paying the ransom does not
guarantee protection of the stolen data
or a lower penalty by the ICO. The advice
holds up for multiple reasons. Ransomware
is a criminal enterprise where those that pay
the ransom act as 'investors', effectively
funding an attack on the next victim. Be
under no illusion: cybercriminals are not
trustworthy people. Just because they say
they are going to give you the password to
get your systems back up and running
doesn't mean they will, and you could find
yourself out of pocket and still locked out of
your systems. Even if they do give you the
password, what's to stop them returning in
the near future?"
Even if you find a way to minimise the
financial fallout from a ransomware attack,
the fines imposed by the regulator can stack
up, he cautions. "The only way to avoid data
protection pitfalls is to have the adequate
technical and organisational measures in
place. This includes following basic cyber
hygiene practices and regularly backing up
systems and data in secured storage, which
allows the restoration of operations with
minimal disruption. Simply put, there is no
Mark Warren, Osirium: training needs to
be backed up by systems and processes
that prevent or limit damage when the
attacks break through.
Pete Bowers, NormCyber: the most effective
strategy against ransomware requires joinedup
thinking in three core areas: people,
process and technology.
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2022 computing security
21

ansomware
'failproof' way to stay protected from
ransomware - sometimes cybercriminals just
find a way - but certain approaches work
better than others. The most effective
strategy requires joined-up thinking in three
core areas: people, process and technology.
Enforce adequate training of all staff to help
them spot the signs that an attack; instil the
correct processes to allow for a fast
response; and ensure your technology stack
can continuously monitor your network for
malicious activity and known vulnerabilities."
FALSE HOPES
The mantra of 'don't pay the ransom' is an
important message that organisations
should heed, comments Paul Prudhomme,
head of threat intelligence advisory at
Rapid7. "Along with the NCSC, both the
FBI and Europol have adopted similar
positions by recommending that enterprises
should not pay ransom demands. If an
organisation pays a ransom, there is no
guarantee that cyber criminals will send a
functioning decryption key. They may try to
extort more money from a compliant victim
or technical errors may prevent the
decryption key from decrypting all files.
Furthermore, paying ransomware groups
helps fund other criminal activities."
In recent years, he points out, cyber
criminals have expanded the scope of
ransomware attacks by using 'double
extortion'. "This usually entails threat actors
not only holding data hostage for money,
but also threatening to release that
data to extort even more money from
organisations. Organisations can take
steps to protect themselves from the data
disclosure layer of double extortion
ransomware attacks. If an organisation
better knows its enemy, it can then pinpoint
which data assets ransomware gangs are
most likely to target for compromise and
disclosure. For example, our research has
shown that 63% of ransomware disclosures
contain finance and accounting data, and
43% contain employee PII [Personal
Identifiable Information] and HR records.
Organisations can place extra layers of
defence, such as encryption and network
segmentation, around those data assets
that ransomware operators are most likely
to target."
By providing additional layers of protection
for particularly vulnerable data assets
such as finance data or employee PII, it
then becomes much harder for threat
actors
to expose an organisation's data, adds
Prudhomme. "If ransomware gangs are
unable to use double extortion techniques
on their victim, it deprives them of a means
of exerting additional extortionate pressure
on that victim to pay. Therefore, organisations
must construct lines of defence
against both layers of double extortion."
Backups might be the best line of defence
against file encryption; however, they do
not work against data disclosures, cautions
Prudhomme. "In order to combat data
disclosures, businesses must implement
network segmentation, so as to limit the
likelihood of attackers gaining access to
critical data sets, and encryption to render
them unreadable in the event that attackers
do gain access to them. Whilst it is
important that organisations do not pay
the ransom, it is equally important that
businesses put in proactive security
measures which can stop them from falling
victim to ransomware in the first place."
SAME TARGETS ATTACKED AGAIN
Organisations that pay ransomware
demands think that the problem has gone
away, agrees Karen Crowley, director of
Product Solutions at Deep Instinct.
"However, they couldn't be more wrong.
Our research shows that only 32% of those
who paid a ransom ended up receiving all
their data back and were subsequently left
alone. Once cybercriminals have taken
advantage, history shows they will strike
the same target again. In fact, 38% of
organisations who paid got their data back,
then received further demands. An additional
30% who paid the ransom only
received a portion of their data or got
nothing back at all."
While some organisations pay the ransom,
in order to avoid business consequences
like downtime, others pay due to a lack of
understanding when it comes to the true
financial risk, she adds. "Unfortunately,
many organisations experience significant
disconnects among senior decision makers
when it comes to the realities of a ransomware
attack. CFOs, in particular, play a
leading role in resource management and
budgeting, yet only 12% were actively
involved in determining the organisation's
risk from a cyberattack and only 28% had
a critical role in planning an effective
response."
Despite the potentially enormous financial
impact of a ransomware attack, only 14%
of CFOs were directly involved in the final
decision to pay these ransoms, compared
to nearly a third of CEOs, CISOs and other
technical heads, reveals Crowley. "When
CFOs have not been engaged in the conversation
around ransomware, organisations
are unlikely to accurately assess the
monetary value of their data and digital
assets. Research has shown that 34% of
organisations have tried and failed, were
unhappy with the result or had only taken
a broad estimate in the first place when
trying to assess the value of their data and
digital assets."
Key decision makers must have a seat at
the table to create a plan for how they will
react and to understand the financial
impact if they are hit by ransomware,
Crowley concludes. "CEOs, CIOs and CISOs
must work in partnership with the CFO
or financial director to properly calculate
and assess their financial risk, and create
proactive strategy to financially prepare the
businesses."
22
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

product review
GATEWATCHER AIONIQ
As cyber-attacks increase in
magnitude and sophistication,
organisations of all sizes can no
longer afford to constantly play catch-up.
They need to stay one step ahead of
cybercriminals, if they want to survive.
Gatewatcher's AIONIQ changes the
landscape. This next-generation NDR
(network detection & response) solution
combines artificial intelligence (AI)-
powered human insights, machine
learning, statistical and dynamic analysis
that allows it to conduct mapping, and
behavioural analysis of all threats and
provide full visibility into targeted attacks.
AIONIQ is an exciting new platform
designed to detect zero-day and
advanced cyber threats from day one
of installation and claims extremely low
false positives for fast mean time to
detect (MTTD) rates. It offers a barrage
of sophisticated technologies, as, along
with passively mapping all organisation
assets and users, it provides Shellcode
and PowerShell decoding to detect
advanced attacks, incorporates Cyber
Threat Intelligence feeds, employs
16 anti-malware engines to reassemble
and scan every file, and implements
sandboxing for deeper file analysis.
Deployment options are extensive, as
AIONIQ supports on-premises, hybrid and
Cloud models. Central to all operations is
the Gatewatcher GCenter management
server, which stores and analyses all
information sent to it by virtual and
physical GCAP detection probes, provides
configuration and reporting interfaces,
and exports data to SIEM systems.
Connected to a TAP, packet broker
or switch mirror port, GCAP probes
analyse received flows to detect, capture,
reconstruct, sort and transmit files,
malicious code and events to the GCenter.
Multiple probes can be deployed locally
and remotely. This architecture allows
AIONIQ to provide a full 360-degree
risk view, as it can analyse all internal,
external, north-south and east-west
communications, and detect lateral
movement, exfiltration and compromised
endpoints.
The GCenter web console opens with
informative dashboards offering a curated
view of all risks, allowing security operation
centre teams to focus on essential tasks.
Coloured blocks highlight critical, high and
medium risks for 24-hour and seven-day
periods, a status view shows which threat
modules are in an alert state and a smart
central panel provides clear specifics on
detected threats.
Clicking on a risk in the list below the
graphics panel presents a wealth of
valuable information, such as the alert
type, the risk by asset, level and user, plus
the MITRE association. When used during
an attack, analysts can download the
Shellcode, see the number of instances,
how many times it was encoded and the
actual calls being made.
Zero-day attacks using ShellCode are
difficult to detect and prevent, but AIONIQ
has distinct advantages, as, in this
reviewer’s experience, it decodes Shellcode
more times than any other vendor, making
it more likely to discover the attack. Next,
you can go hunting where AIONIQ
transports you to screens showing the
underlying communication data for the
attack, tactical information, infected files
and the number affected, file transactions,
source and destination addresses, and
much more.
Drilling down to the user level reveals
details of user risk and a map of all
interactions with other users, making it
easy to spot lateral movement and track
it back to patient zero. Another standout
feature is AIONIQ's ability to detect C2
communication, especially using domaingenerated
algorithms showing which assets
have been compromised.
Gatewatcher's AIONIQ takes threat
detection and response to new levels,
as this highly scalable platform requires
no learning processes and provides high
fidelity attack data from the moment it is
deployed. It's a cost-effective solution for
organisations of all sizes and is one of few
security platforms that delivers the full
spectrum of static, dynamic and AI/ML
analysis, hardening, compliance, NDR,
threat intel and cyber cartography functions
in a single, easily managed solution.
Product: AIONIQ
Supplier: Gatewatcher
Web site: www.gatewatcher.com
Sales: +44 (0)203 743 0900
Email: contact@gatewatcher.com
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2022 computing security
23

human error
EMPLOYEES ARE 'NOT THE ENEMY'
HOW DO YOU PREVENT YOUR WORKFORCE FROM LAYING THE BUSINESS OPEN TO A POSSIBLE BREACH?
IS EDUCATION AND AWARENESS TRAINING THE BEST SOLUTION OR SHOULD YOU JUST LOCK THEM OUT
OF VULNERABLE AREAS ALTOGETHER?
Human error remains a major root
cause of data breaches, a new report
has found. Verizon's annual Data
Breach Investigations Report for 2022
revealed that human elements, such as
social engineering and misuse of privileged
access, were a factor in more than four out
of five breaches.
All of which raises questions as to how
organisations can get control over what
has often been branded 'the enemy within' -
their own people. What controls need to
be put in place to prevent such abuses
happening in the workplace? Are there any
'failsafe' systems that can be implemented
or is it mostly about damage limitation?
Another pressing matter is how employee
behaviour can be better monitored without
alienating the very people on whom these
organisations rely for their success.
"It is important to remember that
employees are not the enemy when it
comes to data security," points out Daniel
Hofmann, CEO, Hornetsecurity. "In most
cases, they are unaware of the risks and
unaware that their actions can contribute
to a data breach. Education is critical to
mitigating the risk of human error - and
it should be done in a way that does not
make employees feel like they are being
treated as suspects, while encouraging
them to take part."
A combination of technical and
behavioural controls and educational
programs can help to mitigate the risks
posed by employees, he says. "For example,
technical controls such as data encryption
and privileged access management (PAM)
can prevent privileged users from accessing
confidential information. Such controls
can restrict users' access to certain areas
or systems. Effectively, this also reduces
the risk of unauthorised access to sensitive
information through user errors or by users
with malicious intent, because they cannot
view or make changes to sensitive data that
is out of bounds.
"Absolutely perfect 'failsafe' systems that
do not severely harm a company's agility
are rare as unicorns," adds Hofmann.
"Yet implementing a mix of technical and
behavioural controls can help to minimise
the chances of employee-related data
breaches occurring."
In addition to these controls, organisations
should consider implementing technologies
that can help to monitor employee behaviour
and flag potential risks, he advises. "For
instance, user activity monitoring (UAM) can
track which users are accessing which data,
when and from where. This information
can be used to identify unusual or suspicious
activity that may indicate an attempt
at data theft or misuse. UAM does not
interfere with the day-to-day life of
employees and therefore doesn't create
negative impressions among them."
The key to success is creating a security
culture of trust and respect for employees.
"This must be achieved by having and
24
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

human error
sharing a clear understanding of the
company's security policies and procedures.
Employees must feel comfortable reporting
suspicious activity or concerns without fear
of reprisal. It must be assured that all
reports are investigated promptly and
confidentially," Hofmann insists. "While
employees are often seen as the weakest
link in an organisation's data security
defences, they can actually be a powerful
asset, if they are adequately trained and
empowered to help protect the
organisation's data."
Steve Forbes, government cyber security
expert at Nominet, points to an incident
earlier this year when authentication
platform Okta was breached by hackers
after gaining remote access to a machine
that belonged to a subcontracted company
employee. "The fact that this contractor's
password was exported from a document
on their company's server shows how poor
system administration can lead to serious
consequences. Had the organisation
implemented a stronger security plan, this
could have been avoided. Using password
managers is a great strategy, as it removes
the reliance on employees memorising lists
of passwords, allows them to use stronger
ones, as well as using different passwords
for every system."
Phishing, stolen credentials and system
misconfigurations are some of the most
common types of breaches as a result of
human error and, because of the ease in
which hackers can take advantage, it's clear
that these types of attacks are here to stay,
he adds. "There are no failsafe systems, but
there are steps you can take to reduce the
impact of human error. Businesses should
consider prioritising their defence strategy as
a first port of call to protect critical systems,
both from outside and within. Ensuring you
have robust access management, network
segmentation and defences that stop users
from even seeing things like phishing emails
or phishing websites is far more effective.
"Getting the basics right can also go a long
way towards protecting against most if not
all cyber threats," states Forbes. "This means
patching systems regularly, having tested
and resilient backups, and configuring
your endpoints and networks against best
practice. Having an assumed breach
mentality is also important to help understand
how you can limit the damage an
attacker can achieve, if they do get into
your network."
While cyber security training is important,
he agrees, even with all the training in the
world a sophisticated phishing attack is
going to be successful, because it will look
and feel like a genuine email or a normal
piece of activity. "While raising awareness
of evolving threats can mitigate risk and
is a key way for companies to protect
themselves, it can't be solely relied upon.
Much of the advice goes against human
nature or simply stops us from doing our
jobs, and so more needs to be done to
protect users and ensure that any human
caused errors have a limited impact on
company systems.
"Relying strictly on user awareness and not
properly securing systems is a quick way to a
massive breach. Having the right balance of
automated security operations and human
involvement will ensure companies have the
strongest defence against breaches of all
kinds."
PROACTIVE MONITORING
"Organisations traditionally focused on
securing the perimeter, blocking external
actors coming into the network," points
out Andrea Themistou, senior manager in
Protiviti's Digital Identity Practice. "However,
when looking to protect the business, it is
equally important to address the internal
threat that sometimes gets overlooked, the
insider, who already has access and may
intentionally or unintentionally cause harm
to the business." While many organisations
have placed a focus on employee education,
some are turning to monitoring to proactively
identify threats, in order to stop
them before they happen.
But what is too much and how do you
focus on preventing breaches, while
respecting your team's privacy rights?
"Organisations need to be strategic about
how they look to address their insider
threats," she adds. "They shouldn't just rely
on technology, but also on their security
leaders, alongside their strategic partners,
to help define a customised approach to
mitigate the risk within their organisation."
Meanwhile, Belton Flournoy, director in
Protiviti's Technology & Digital Consulting
Practice, offers some practical tips to help
organisations sharpen their focus when
looking to address insider threats:
Be transparent. "Our people understand we
need to protect critical information-and
many organisations do a good job through
their awareness programmes of highlighting
key cyber threats and simulating phishing
attacks. More focus, however, is required
to educate our employees on what types
of activities are actually monitored, as well
as clear explanations to the benefits of
this type of monitoring. When employees
understand the 'why', the monitoring no
longer seems as invasive."
Be innovative about least privilege. "While
the concept of 'least privilege' is not new,
the ways you can apply this to your
application estate has changed drastically
over the past five years. We no longer need
to provide all our employees with direct
connectivity to our entire network when
they might only require access to 20% of
it. With the ever-increasing use of SaaS
technologies, pervasive platforms and cloud
infrastructure as well as the adoption of
essential security tools such as identity and
privileged access management solutions,
organisations should challenge how they
architect their business to achieve this. One
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2022 computing security
25

human error
Andrea Themistou, Protiviti: organisations
need to be strategic about how they look
to address their insider threats.
Daniel Hofmann, Hornetsecurity: employees
are not the enemy when it comes to data
security.
question you should ask yourself, do you
know how many contractors have access
to move money out of your organisation?
We now have the technology and tools to
construct a more secure perimeter; many
sometimes just think about it the wrong
way."
Leverage 'next generation' technology.
"The problem with many technology
implementations is when the organisation
believes that the technology itself will solve
the issue," states Flournoy. "It is vital to
understand that technology is only a tool;
it's how you implement it that matters.
There are now a number of tools that can
leverage artificial intelligence and machine
learning to analyse user behaviour, in order
to identify anomalies and respond in real
time. The lesson? You need smart teams of
people to understand how to best configure
this technology to protect your
organisation."
BASTION OF CYBERSECURITY
According to Kev Breen, director of Cyber
Threat Research at Immersive Labs,
"cybersecurity has long been seen as
a responsibility falling exclusively on the
shoulders of the IT department and
employees as a weakness in the
organisation's defences, doomed to click
on inevitable phishing links or using
personal devices without consideration
for security. However, we see it entirely
differently: employees should be seen as
a core part of the company's defence".
Cybersecurity risk impacts every single
person within an organisation, he states,
and it's long overdue that all those involved
in keeping a business running are seen as
an inherent part of the initiative to keep
it safe. "To help turn a workforce into a
bastion of cybersecurity best practices, a
more effective people-centric approach
to cybersecurity is needed - one that can
help organisations assess, build, and prove
workforce resilience. Traditionally, security
awareness training (SAT) takes a predictable
and unvarying approach of
tackling one cyber threat at a time.
Moreover, rather than education workers
on how best to defend their company,
SAT encourages them to regurgitate
monotonous facts from multiple choice
questions that bear no relevance to the
role they play day-to-day, yet alone during
a real-life crisis."
BREAKING THE CYCLE
Immersive Labs' 2022 Cyber Workforce
Benchmark report found that it takes an
average of three months (96 days) for
cybersecurity teams to defend against
breaking cyber threats. "Indeed, one
breaking threat - a critical, actively
exploited vulnerability in popular mail
transfer agent Exim that left 4.1 million
systems potentially vulnerably - took over
six months (204 days) for security teams at
large organisations to master on average.
This is despite national cybersecurity bodies
recommending that technical infrastructure
is patched in days or, in some cases, hours."
By contrast, successful resilience in today's
high-paced threat environment requires
the optimisation of human knowledge,
skills and judgement across the entire
organisations, from legal to HR departments,
to comms and the executive team,
he argues.
OPTIMAL CYBER CAPABILITIES
"Organisations, when it comes to preparing
for, responding to and remediating
against cyber threats, must focus on these
simple factors to optimise the cyber
capabilities of their entire workforce:
exercising, benchmarking, upskilling and
proving cyber resilience. In other words,
continually benchmark the knowledge,
skills and judgement of the workforce,
demonstrating risk levels across all business
functions by using data gathered from
simulations and use regular cyber exercises
to remedy any skill gaps."
26
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

human error
A company's culture has quite a lot to do
with the ability to close down attack vectors
and thwart cyberattacks, asserts Erfan
Shadabi, cybersecurity expert at comforte
AG. "We're talking here about misconfigurations,
lifting and shifting unprotected
data or simply pure carelessness. Companies
that try to move too quickly and put an
emphasis on output, rather than process,
are particularly vulnerable to human error."
However, the organisation that actively
instils a culture of data privacy and security
among its employees has a much better
chance of deterring one or multiple attacks,
he adds. "This type of culture not only
depends on the individual contributors
caring about sustaining that culture,
but also on the executive team placing
value and meaning behind it, to assess
performance and allocate rewards based
on employees' willingness to be more
sensitive to data privacy and security and
follow the right processes to mitigate or
eliminate human error."
THE RIGHT CULTURE
If executives are seen dismissing the 'rules'
to get something accomplished, then this
behaviour trickles throughout the company,
as others emulate it, and soon that valuable
culture falls apart. "Every member of an
organisation must be absolutely committed
to a corporate culture of data privacy and
security," states Shadabi. "Also, organisations
should consider implementing
frameworks such as zero trust: assume
you've been breached, provide no implicit
trust, verify again and again, and only
provide minimal privileges upon successful
authentication. Protection methods such
as tokenisation can complement this
framework, because by tokenising sensitive
data immediately upon entering the
corporate data ecosystem - and then
not de-protecting it - people can have
minimal or no access to the truly sensitive
information, while still being able to
accomplish tasks."
THE HUMAN FIREWALL
Like a standard firewall, the 'human firewall'
is only as strong as its configuration,
maintenance and level of monitoring, says
Alex Coburn, director at ThreeTwoFour.
"Configuring the human firewall can be
seen as setting the ground rules, the
fundamentals that govern employee
actions. Obviously, this consists of security
awareness and training, but the success
of this varies greatly from business to
business."
A key success factor is designing awareness
and training that is fit for the audience.
"Board members and the engineering team
have vastly different threat profiles and
must be treated accordingly. Secondly,
the 'configuration' of identity and access
management is another critical element
of the 'human firewall'. Implementing
least privilege access, and ensuring proper
segregation of duties for normal and
privileged users, is critical to protect against
malicious insiders and to hamper the
progress of attackers that may have
obtained unauthorised access."
Maintaining the human firewall is all about
reinforcement to create a secure culture,
Coburn adds. "Regular phishing exercises
put theory into practice, while red-teaming
with a focus on social engineering is a good
approach to keep users aware of real-world
threats. However, the most powerful tool in
creating a secure culture is by leaders visibly
investing in security through their actions,
while also ensuring that the budget is
available to keep the organisation safe."
At some point, there are diminishing
returns on preventative controls, he points
out, so implementing monitoring and
alerting to identify issues becomes a more
proactive approach to managing human
errors. "Tools that perform user behaviour
analytics can sometimes raise concerns from
end users. But users can be assured that, if
implemented correctly, they are no more
Matt Malarkey, Titania: the best way for
IT administrators to get control over their
networks is by taking it away.
Steve Forbes, Nominet: there are no failsafe
systems, but there are steps you can take to
reduce the impact of human error.
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2022 computing security
27

human error
invasive than any existing retrospective
analysis and offer organisations the ability
to identify security issues before they arise,
helping users by warning them of potential
mistakes."
ZERO TRUST SECURITY
According to Dave Barnett, head of SASE
EMEA, Cloudflare: "In today's business
landscape, keeping employees, servers
and applications under a watchful eye
is imperative. However, the pandemic
accelerated the need for applications to
move outside of the business via the cloud,
mobile devices and SaaS, meaning the
potential for human error increased.
Implementing zero trust security allows
companies to minimise the risk of human
failure, without alienating employees or
enforcing strict rules on where employees
work from. Traditional IT network security
takes a castle-and-moat approach, meaning
it's difficult to gain access from outside the
network, but everyone inside is trusted as
a default. Conversely, zero trust means that
no one is trusted by default from either
inside or outside the network and verification
is required for each step of further
access."
With hybrid working now a common
workplace expectation, this approach
involves strict controls on device access,
constantly monitoring how many different
devices are trying to access their network
and ensuring each is authorised and
uncompromised. It also requires multi-factor
authentication from users, meaning a
traditional password alone is not enough.
"Another principle of zero trust is 'least
privilege', meaning users have access only
to as much as they need to do their jobs,
minimising their exposure to sensitive parts
of the network and protecting classified
data," he adds. "Once a user is in the system,
zero trust protected networks use micro
segmentation, meaning security perimeters
are put around precisely the IT resources
that the user needs to access at the time
that they need to access. This extra step
helps prevent a common problem in data
breaches, known as 'lateral movement',
where an attacker moves to a different part
of the network to avoid detection, gain
more information and retain access. Instead,
once an attacker is detected, their account
or device can be quarantined and blocked
from future access."
The added layers of security in zero trust
have been shown to minimise the risk of a
data breach by up to 91% and reduce the
cost to a business by up to 35%, states
Barnett, which cost organisations a global
average of $3.86 million. "Additionally,
when introduced correctly, zero trust has
the added benefit of actually improving
trust between the employer and employee.
Employees can rest assured that their work
is being protected and employers can feel
more comfortable granting users access to
their network. This leaves everyone safe in
the knowledge that there are most up-todate
precautions in place to simultaneously
thwart external hackers and prevent those
working inside the network from accessing
more than they need."
TAKING AWAY CONTROL
"The best way for IT administrators to get
control over their networks is by taking it
away," argues Matt Malarkey, VP, Strategic
Alliances, Titania. "That's the premise of a
zero trust architecture and the approach
that organisations need to adopt to keep
their networks secure. The truth is that
human error creates some of the most
significant security risks to a business. It's
usually not malicious, just the result of
oversights. In some cases, it's technicians
inadvertently misconfiguring devices that
result in security vulnerabilities and the
device falling out of compliance.
"This is not something that can be patched
and is only noticed when a network is either
audited or breached. Sometimes it takes
months, even years, to identify and fix these
risks. This means that businesses are
potentially leaving themselves vulnerable to
preventable attacks time and time again.
As a result, device misconfigurations are
costing organisations millions - 9% of a
company's annual revenue, according to
a recent report."
By adopting a zero trust mindset, you start
by assuming that nothing on your network -
your users, your applications etc - are
trusted and secure, adds Malarkey. "This
requires a mentality that says that you have
been or will be compromised, meaning you
can and should tighten network security
across the board. Access control
enforcement, for example, needs to be
made as granular as possible."
Segmenting networks into subnetworks
is a practice that, alongside a zero trust
strategy, can protect networks. "This way,
if a threat is detected, you can limit the
damage by shutting down a segment and
prohibiting lateral movement. With a wellplanned
segmented network, it is easier for
teams to monitor the network, identifying
threats quickly and isolating incidents more
easily," he points out.
"This lowers the mean time to detect
(MTTD) and mean time to remediate (MTTR)
security vulnerabilities. Configuration
auditing for network devices is also essential
for maintaining a resilient network, and
high-value and sensitive subnetworks should
have their networking devices audited on
a more regular frequency."
Humans are going to make mistakes and
it's tough to prevent, he accepts. "But they
don't have to cost you your business. Focus
on minimising risk, so that, when an error
occurs, you've shrunk the attack surface and
the opportunity to do significant damage is
reduced. You're not so much negating the
potential for a breach, just the impact of
one and the ability to respond to it."
28
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

Q&A
OBJECT ARCHIVE SOFTWARE - THE INSIDE STORY
FUJIFILM RECENTLY LAUNCHED OBJECT ARCHIVE, DESCRIBED AS
‘AN S3-COMPATIBLE TAPE STORAGE SYSTEM FOR LONG-TERM DATA
PRESERVATION AND DATA PROTECTION’. COMPUTING SECURITY
FINDS OUT MORE FROM RICHARD ALDERSON,THE COMPANY'S HEAD
OF RECORDING MEDIA - UK, IRELAND AND SCANDINAVIA
Computing Security: tell us more
about Object Archive and how it
differs from other solutions and
what advantages you feel it might offer.
Richard Alderson: Object Archive is an
archive solution, which creates a synergy
between hard disk and tape technology
by acting as an S3 bridge between hard
disk and tape. The main differences to
other solutions are:
Object Archive has been developed in
house by Fujifilm and we developed
our own tape writing format, which
is an open format called 'OTformat'
that is specifically designed for saving
objects on tape
It has a free-and-easy exit strategy,
with no vendor lock-in, and offers a
scalable performance for users in all
industries, such as the government
administration, managed service
providers, financial and scientific
sectors
It works with most brands of tape
hardware, giving freedom of choice
to the end user.
CS: In these more straitened times, costs
are always on the minds of organisations
when deploying solutions. Object
Archive is said to reduce recurring
storage fees and expensive egress fees
of cloud storage. Exactly how does it
achieve this, and can these savings be
monitored and validated by users in
real time?
RA: as mentioned, there is no vendor
lock-in and therefore no exit fee. Also,
all data is stored on tape, which is the
most cost-effective method for the longterm
storage of archived data.
CS: Object Archive uses S3-compatible
APIs for data operations to enable
what is said to be "easy and seamless
integration" with existing object storage
platforms and data applications. Can
you explain how that works - and is
anything ever really seamless?
RA: Object Archive works with hard disk,
other object storage solutions, including
Cloudian, Datacore and Netapp, and can
also be used with other solutions, such
as Ceph and Dell ECS, when using a
datamover. For most day-to-day data
usage, it is possible to manage data
stored in tape through the object
storage GUI.
CS: The solution that you've launched is
also said to 'create an air-gap' between
archived data and your network, in order
to enforce security. How does that work
in practice and what are the biggest
paybacks?
RA: Tape technology is the most secure
way to store long-term data and
naturally creates an air gap solution,
because it is removable. By removing
tape, your data is isolated from any
other device and therefore it minimises
the vulnerability to cyber-attacks or
hacking. Furthermore, with LTO9 tape
media data can be archived for up to
50 years, so your data will still be
readable up to 2072.
CS: Computational science relies on
enormous banks of data to solve
challenging problems with the power
of computer analytics. So our wrap-up
question for this Q&A is: In what ways
will Object Archive help that cause?
RA: As well as data security and the air
gap, Object Archive has an impact cost
Savings, as it gives the ability to reduce
the amount of hard disk required, which
can help users to reduce their energy
consumption. What we really need to
ask is: are we on the edge of a new era?
As costs continue to dramatically
increase, businesses need to ensure their
data is protected against cyber-attacks
and disasters, is stored in a sustainable
way and that it is accessible for years to
come. Object Archive addresses all of
these concerns and is a big step forward
in the world of data archiving.
30
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

product review
ROHDE & SCHWARZ CYBERSECURITY:
R&S BROWSER IN THE BOX
Cybercriminals are becoming ever
more innovative with their attack
vectors, but one of the weakest
points inside any organisation's defence
perimeter has always been the humble
web browser. There are many ways to
counteract these cyber-threats by deploying
services such as secure web gateways,
endpoint protection, content filtering and
proxies, but these can significantly increase
costs and management complexity.
Rohde & Schwarz Cybersecurity (R&S)
takes an innovative approach to this
perennial problem. Its R&S Browser in
the Box (BitBox) solution encapsulates
the browser in a virtual machine (VM)
and separates it entirely from the user's
operating system (OS), local data, hardware
and corporate intranet. It establishes a
proactive network separation throughout
the network.
At the same time, access to the internet
remains unrestricted for users and their
familiar workflows. However, all applications
and the operating system itself no
longer have unrestricted access to the
Internet or servers located there. This makes
it impossible to load malicious code. The
proactive separation also protects against
unknown telemetry data or data leakage
from new types of malware.
Running the browser in an isolated
environment has undeniable benefits,
as threats using active content such as
JavaScript, ActiveX or HTML5, browser
hijacking and malicious email links and
harmful attachments are all effectively
nullified. Key advantages are any files
downloaded are always contained in the
VM and cannot cross over to the host
platform; all data is destroyed when the
browser is closed and when opened again;
it is a completely fresh browser.
A new feature that adds even more appeal
is support for web conferencing. BitBox is
the only solution that allows users to safely
participate in conferences in a virtualised
environment, and it also secures access to
microphones and webcams.
BitBox implements three distinct isolation
layers, with the first being a hardened and
minimalised Linux OS that is designed to
only run the browser and no other application.
This is augmented by AppArmor,
which provides MAC (mandatory access
control) security to limit the actions
processes can take and is particularly useful
for restricting applications that can be
exploited - such as web browsers.
Next is the virtualisation layer, which is
handled by the open source VirtualBox.
The third and final layer is a separate,
non-interactive and limited Windows user
context.
It's important to understand that BitBox is
not a sandbox. Unlike these technologies,
it is truly isolated, as it doesn't share host
system memory resources or kernels with
the host OS and separates intranet and
internet traffic at the network layer.
There's more, as the 'Docs in the Box'
product feature allows users to open
unsecured documents and preview
them safely in the virtualised environment.
It works with all popular file formats.
BitBox is simple to deploy with the R&S
Trusted Objects Manager (TOM) central
management appliance. Internet access
security is assured, as the virtualised
browser only communicates via a VPN
connection handled by the R&S Trusted
VPN gateway appliance, so, even if the
browser is compromised with malware,
it cannot get on to the corporate LAN.
In cases where businesses need to
download files using BitBox, the
Information Flow Control function allows
security administrators to strictly control
what file types may be accessed by placing
them in a staging area for malware scans
and approval.
Rohde & Schwarz Cybersecurity shows
that sometimes it's easier to think inside
the box for the best protection against
cyber-threats. R&S Browser in the Box is a
remarkably elegant solution for protecting
organisations from threats that target
browsers. It's simple to deploy and has
impeccable credentials, as it was developed
in cooperation with the German Federal
Office for Information Security (BSI).
Product: R&S Browser in the Box
Supplier: Rohde & Schwarz Cybersecurity
Website: www.rohde-schwarz.com
/cybersecurity
Sales: +44 (0)1252 818 835
Email: cybersecurity@rohde-schwarz.com
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2022 computing security
31

IT asset disposal
No one really considered what happened to old
equipment as a genuine business process.
CHANGING THE GAME
TODAY, THE ITAD SECTOR HAS
EMERGED AS A PROFESSIONAL
VALUE-ADD INDUSTRY AND IT'S
BEEN A LONG, HARD ROAD
GETTING THERE. BUT THE
BATTLE IS FAR FROM OVER,
SAYS STEVE MELLINGS, FOUNDER
AND CEO OF ADISA
As the doors to the basement were
unlocked, I was amazed not only by
the size of the edifice underneath
prime London real estate, but more so by
the sheer volume of dusty redundant IT
equipment. This was a major investment
bank relocating to Canary Wharf and the
brief to the team was "get rid everything in
here".
It was the late 90s when IT budgets were
vast, and manufacturers tweaked
performance and design in equal measure
to trigger refresh rates which mean that
hardware giants ruled the IT world. The
attitude towards redundant equipment was
lax, to say the least, mainly as the focus was
on the production environment and keeping
up with change. Internally, no one really
considered what happened to old
equipment as a genuine business process
and, much like emptying the bins, we knew
someone took our stuff away, but what
happened to it was unknown and certainly
not verified.
90S TECHNOLOGY PICTURE
Over the next decade into the 'Noughties',
while regulatory requirements increased,
attitudes to redundant equipment generally
did not improve. The Waste Electrical and
Electronic Equipment Directive was
introduced in 2003 and the Data Protection
Act in 1998, and, while both should have
motivated businesses to consider how they
deal with redundant equipment in more
detail, the increasing need to protect the
production environment meant that focus
and budget were needed elsewhere.
At this stage, an industry began to emerge
that facilitated the removal of electrical
'waste', often using 'WEEE Compliance' as
justification for their role. For those in the
genuine waste industry, this was just
another waste stream, but for those in
technology they saw growing demand from
the emerging economies for equipment and
saw opportunity to rehome redundant
equipment overseas.
At face value, this was a healthy industry,
based on the premise of acquiring and, in
many instances, exporting old equipment to
find a new life, ideally in a data centre or on
a desk; but sadly, without the right controls
in place, some ended in landfill.
An environment where the customer was
unaware of the risks and the industry was
able to operate freely is attractive and, with
few barriers to entry, the ITAD (IT Asset
Disposal or Disposition) market space
flourished, based on offers to buy and sell
redundant equipment, doing 'something'
to the data and recycling anything they
32
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

IT asset disposal
ITAD process has consistently shown value,
from the supply of refurbished technology
for home workers through to helping bridge
the digital divide from donations into
schemes like 'Digital Access for All'. And this
while protecting customer data from risks
that the customer may not even have been
aware.
Flash-based storage media.
couldn't sell. All of this, to a customer base
which still didn't really see their redundant
equipment as anything other than an
inconvenience and were not motivated
to take control.
As we entered the second decade,
independent studies from both the ICO and
the University of South Wales found swathes
of personal and corporate data across large
samples of equipment offered for resale.
The seminal article from Peter Warren, titled
'Ghosts in the Machine', described how he
found data relating to one of The Beatles on
an old hard drive at a street market. It made
a great headline in a national newspaper
and, rightly so, brought focus from many
businesses worried that it could be them in
the next headline.
The ITAD industry was quickly maturing
and some excellent innovative companies
were leading the way, including developers
of data sanitisation products. However, it
was over-congested, hugely competitive,
and full of companies making the same type
of claims. Who to trust with your data was
a difficult decision for many companies to
make without genuine due diligence being
undertaken, which led to fear and concerns
and encouraged a 'destroy' approach to old
equipment.
It was this business problem that ADISA
sought to solve when launching in 2010 via
the introduction of a certification scheme,
which was aimed at ITADs and assessed the
controls which they put in place to deal with
risk permeating the disposal process.
Over the last decade, industry maturity,
longevity and a greater professionalism
have seen what was viewed by many as
a clandestine process raise its profile to be
a necessary, but, all too often, undervalued
service industry. The narrative for this
industry does not stop here and, in a
complex, changing business environment,
ITAD has far more value to offer than before.
ITAD AS A VALUE-ADD PROCESS
We've all experienced some 'once in a
lifetime' challenges across society, from Brexit
through to COVID, and the greatest of all:
climate change.
Throughout these challenging
environments, the previously undervalued
Today, the ITAD sector is a professional
value-add industry, but organisations
releasing assets are still not fully in control.
We see a lack of due diligence, a complex
downstream supply chain and a lack of
understanding of what standards should be
applied or followed. The reason for this is
still very much the same: as threats increase
and become more sophisticated, the
protection of the production environment
requires even more focus, set against an
increasingly heavy compliance burden,
leaving ITAD low down the 'to-do' list.
There is some good news. After three years
of work, ADISA Standard 8.0 has officially
been approved as a UK GDPR Certification
Scheme, meaning that those in the sector
who are certified can verify compliance to
the law as confirmed by the regulator
themselves.
WHY IS THIS IMPORTANT?
Technology is evolving and how to deal
securely with risk to the physical asset and
sanitise media is more complex now than
ever before. If businesses are to maximise
the potential of redundant equipment, the
very minimum is that they should be assured
that their data is being processed in a
compliant and secure manner.
The work carried out by UKAS and the
ICO to accredit ADISA and Standard 8.0
addresses the compliance question, which
leaves the professional ITAD sector free to
add the significant value that it offers to
promote sustainability by extending the
product lifecycle before recycling material
for recovery and reuse.
www.computingsecurity.co.uk @CSMagAndAwards Sept/Oct 2022 computing security
33

phishing attacks
BIGGER 'PHISH' TO FRY!
PHISHING IS NEVER OUT OF SEASON. INDEED, IT REMAINS A MUCH-PRIZED ASSET BY ATTACKERS
SEEKING TO GAIN INITIAL ACCESS TO ORGANISATIONS BY HOOKING IN THE UNPREPARED
Alarge-scale phishing campaign used
adversary-in-the-middle (AiTM)
phishing sites, stole passwords,
hijacked a user's sign-in session and skipped
the authentication process, even if the user
had enabled multifactor authentication
(MFA).
Revealing the breach, Microsoft says the
attackers then used the stolen credentials
and session cookies to access affected users'
mailboxes and perform follow-on business
email compromise (BEC) campaigns against
other targets.
"Based on our threat data, the AiTM
phishing campaign attempted to target more
than 10,000 organisations since September
2021. From our observation, after a
compromised account signed into the
phishing site for the first time, the attacker
used the stolen session cookie to authenticate
to Outlook online (outlook.office.com),"
members of the Microsoft 365 Defender
Research Team and the Microsoft Threat
Intelligence Center stated in a blog post.
"In multiple cases, the cookies had an
MFA claim, which means that, even if the
organisation had an MFA policy, the attacker
used the session cookie to gain access on
behalf of the compromised account."
In the days following the cookie theft,
the threat actors accessed employee email
accounts and looked for messages to use in
business email compromise scams, which
tricked targets into wiring large sums of
money to accounts they believed belonged
to co-workers or business partners. The
attackers used those email threads and
the hacked employee's forged identity to
convince the other party to make a payment.
Phishing remains to be one of the most
common techniques attackers use in
their attempts to gain initial access to
organisations. "According to the 2021
Microsoft Digital Defense Report, reports
of phishing attacks doubled in 2020 and
phishing is the most common type of
malicious email observed in our threat
signals," reveals Microsoft. "MFA provides an
added security layer against credential theft
and it is expected that more organisations
will adopt it, especially in countries and
regions where even governments are
mandating it. Unfortunately, attackers are
also finding new ways to circumvent this
security measure." In AiTM phishing, attackers
deploy a proxy server between a target user
and the website the user wishes to visit (ie,
the site the attacker wishes to impersonate).
Such a setup allows the attacker to steal and
intercept the target's password, and the
session cookie that proves their ongoing and
authenticated session with the website.
"Note that this is not a vulnerability in MFA,"
Microsoft points out. "Since AiTM phishing
steals the session cookie, the attacker gets
authenticated to a session on the user's
behalf, regardless of the sign-in method the
latter uses."
Microsoft 365 Defender detects suspicious
activities related to AiTM phishing attacks
and their follow-on activities, such as session
cookie theft and attempts to use the stolen
cookie to sign into Exchange Online, adds
the company. "However, to further protect
themselves from similar attacks, organisations
should also consider complementing MFA
with conditional access policies, where sign-in
requests are evaluated using additional
identity-driven signals like user or group
membership, IP location information and
device status, among others."
34
computing security Sept/Oct 2022 @CSMagAndAwards www.computingsecurity.co.uk

ALL-INCLUSIVE
SECURITY
SPAM FILTER &
ADVANCED EMAIL SECURITY
SIGNATURE & DISCLAIMER
TOTAL PROTECTION
ENTERPRISE BACKUP
EMAIL ARCHIVING,
ENCRYPTION & CONTINUITY
BACKUP & RECOVERY
FROM EMAIL SECURITY
TO BACKUP & RECOVERY
ALL IN ONE SOLUTION!
START YOUR FREE
30-DAY-TRIAL
WWW.HORNETSECURITY.COM