Cyber Defense eMagazine July 2021 Edition
Cyber Defense eMagazine July Edition for 2021 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky, a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine, part of the Cyber Defense Media Group, together with Yan Ross, US Editor-in-Chief, Pierluigi Paganini, Co-founder & International Editor-in-Chief, Stevin Miliefsky, President, and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES
On the cover:

Colonial Pipeline, JBS Cyber Attacks Shine The Spotlight on Operational Technology Vulnerabilities for Wide Range of Business Sectors
Key Business Lessons Learned from SolarWinds Hack
Data Loss Prevention in Turbulent Times
Getting The Cloud Right - Security and Compliance
A Digital Journey: A Long and Winding Road
Why Ensuring Cyber Resilience Has Never Been More Critical or More Challenging Than It Is Today
Flipping the Cyber Script
…and much more…
Cyber Defense eMagazine – July 2021 Edition, page 1
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.
CONTENTS

Welcome to CDM's July 2021 Issue (p. 7)

Colonial Pipeline, JBS Cyber Attacks Shine Spotlight on Operational Technology Vulnerabilities for Wide Range of Business Sectors (p. 33)
By Fred Gordy, Director of Cyber Security at Intelligent Buildings

Getting The Cloud Right - Security and Compliance (p. 36)
By Tim Dinsmore, Technical Director, Appurity

Flipping the Cyber Script (p. 39)
By Mark Sincevich, Federal Director, Illumio

How To Make The Most of Increased Cybersecurity Spend (p. 42)
By Stu Sjouwerman, CEO, KnowBe4

Common Sense Cybersecurity Steps for Managed Service Providers (MSPs) (p. 45)
By Wes Spencer, CISO at Perch Security – a ConnectWise Solution

Threat Intelligence Should Be Shared Not Shamed (p. 48)
By Nuno Povoa, Eurofins Cybersecurity US

NATO to Consider Military Response to Cyberattacks (p. 51)
By Doug Britton, CEO, Haystack Solutions

Know Thy Enemy, Break Their Cyber Kill Chain (p. 54)
By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies

Uncovering the Dark Side of the Colonial Pipeline Attack (p. 57)
By Alon Nachmany, Director of Customer Success, AppViewX

How To Protect Power Infrastructure from Ransomware Attacks (p. 60)
By Hervé Tardy, Vice President, Marketing and Strategy for Power Quality, Americas, Eaton

Ransomware and the Cybersecurity Industry's Problem of Perception (p. 63)
By Jack B. Blount, President and CEO, INTRUSION, Inc.

Easyjet Data Breach One-Year On: What Are the Next Steps? (p. 66)
By Aman Johal, Director and Lawyer at Your Lawyers
Ransomware, the Ultimate Cyber Threat to Municipalities (p. 69)
By Yehudah Sunshine, Head of PR, odix

Operational Technology (OT) Ransomware - How Did We Get Here? (p. 72)
By Lior Frenkel, CEO and Co-Founder, Waterfall Security Solutions

A Case of Identity: A New Approach To User Authentication. Protecting Personal Credentials Remains The Weakest Link In Data Security (p. 75)
By Benjamin Kiunisala, Head of Customer Engagement, TrustGrid Pty, Ltd

A 3-Part Plan for Getting Started with Cybersecurity (p. 79)
By Doug Folsom, President of Cybersecurity and Chief Technology Officer, TRIMEDX

How to Deal with Online Security (p. 82)
By Gary Alterson, Vice President Security Solutions, Rackspace Technology

The Risks of The Vulnerable IoT Devices (p. 85)
By Pedro Tavares, Editor-in-Chief, seguranca-informatica.pt

Three Steps to Building Email Cyber Resilience (p. 89)
By Toni Buhrke, Director of Sales Engineering, Mimecast

Guided-SaaS NDR: Redefining A Solution So SOC/IR Teams Aren't Fighting Adversaries Alone, Distracted and In The Dark (p. 92)
By Fayyaz Rajpari, Sr. Director of Product Management, Gigamon

Hardware Trojan Detection (p. 95)
By Sylvain Guilley, General Manager and CTO at Secure-IC

StayHackFree – Your Kid's Sports Team (p. 100)
By James Gorman, CISO, Authx

Tips for Avoiding Online Scams During COVID-19 (p. 103)
By Cindy Murphy, President, Tetra Defense

Banking Fraud up 159% as Transactions Hit Pre-Pandemic Volumes (p. 108)
By Rajiv Pimplaskar, CRO, Veridium

Why Cyber Risk Is the Top Concern of The Financial Services Industry (p. 111)
By Paul Schiavone, Global Industry Solutions Director - Financial Institutions at Allianz Global Corporate & Specialty
What Educational Institutions Need to Do to Protect Themselves From Cyber Threats? (p. 115)
By Cyril James, Founder and CEO, Secure Triad

Business Continuity: Where InfoSec and Disaster Recovery Meet (p. 119)
By Adam Berger, VP of Global IT and Cloud Operations, Infrascale

Biometrics Challenges (p. 123)
By Milica D. Djekic

Epic V. Apple Trial - Impact of Big Tech Battles on Consumers' Rights (p. 125)
By Brad Ree, CTO, The ioXt Alliance

How The Pandemic Has Changed the Value of Health Data (p. 128)
By Aman Johal, Lawyer and Director of Your Lawyers

Galvanizing the Cyber Workforce in Private Industry (p. 132)
By Brandon Rogers, CEO & Principal Consultant, Paradoxical Solutions, LLC

Play 'Smart' on the Crime Scene (p. 136)
By Milica D. Djekic

The Top 10 Cybersecurity Conferences of 2021 (p. 138)
By Nicole Allen, Marketing Executive, SaltDNA
From the Publisher… (@MILIEFSKY)

New CyberDefenseMagazine.com website, plus updates at CyberDefenseTV.com & CyberDefenseRadio.com

Dear Friends,

From the 30,000-foot view of the Publisher, the scenery has changed. In the space of only a month, we are seeing COVID yielding space to CYBER. Put another way, the pandemic vector is transitioning from health space to cyber space.

There are powerful cybersecurity considerations involved in re-imposing defensive protocols in a concentrated network environment, as well as making adjustments for those who will remain in a remote work location.

In light of more ransomware developments in all areas of activity, it's imperative for more and deeper cooperation among the sectors of government, private and publicly traded companies, nonprofits, and especially small and medium-size companies. It's become apparent that there is no such thing as "too small to attack" for ransomware criminals.

We continue to monitor closely the discussion of whether ransom payments should be prohibited, restricted, regulated or otherwise treated by governments. It appears that those organizations doing business with government entities, especially in the supply chain of critical infrastructure elements, would logically be among the first to be subjected to such government intervention.

Among the valuable resources we rely on to respond to these threats are the providers of cybersecurity solutions. Cyber Defense Media Group has now opened nominations for the 2021 Black Unicorns Awards. Details are posted at: https://cyberdefenseawards.com/black-unicorn-awards-for-2021-fact-sheet/

Wishing you all success in your own cyber endeavors.

Warmest regards,

Gary S. Miliefsky, CISSP®, fmDHS
CEO, Cyber Defense Media Group
Publisher, Cyber Defense Magazine

P.S. When you share a story or an article or information about CDM, please use #CDM and @CyberDefenseMag and @Miliefsky – it helps spread the word about our free resources even more quickly.
CYBER DEFENSE eMAGAZINE (@CYBERDEFENSEMAG)

Published monthly by the team at Cyber Defense Media Group and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.

PRESIDENT & CO-FOUNDER: Stevin Miliefsky, stevinv@cyberdefensemagazine.com
INTERNATIONAL EDITOR-IN-CHIEF & CO-FOUNDER: Pierluigi Paganini, CEH, Pierluigi.paganini@cyberdefensemagazine.com
US EDITOR-IN-CHIEF: Yan Ross, JD, Yan.Ross@cyberdefensemediagroup.com
PUBLISHER: Gary S. Miliefsky, CISSP®. Learn more about our founder & publisher at: http://www.cyberdefensemagazine.com/about-our-founder/
ADVERTISING: Marketing Team, marketing@cyberdefensemagazine.com

CONTACT US:
Cyber Defense Magazine
Toll Free: 1-833-844-9468
International: +1-603-280-4451
SKYPE: cyber.defense
http://www.cyberdefensemagazine.com

Copyright © 2021, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a), 276 Fifth Avenue, Suite 704, New York, NY 10001. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide.

InfoSec Knowledge is Power. We will always strive to provide the latest, most up to date FREE InfoSec information.

9 YEARS OF EXCELLENCE! Providing free information, best practices, tips and techniques on cybersecurity since 2012, Cyber Defense magazine is your go-to-source for Information Security. We're a proud division of Cyber Defense Media Group (CDMG): B2C Magazine, B2B/B2G Magazine, TV, Radio, Awards, Professionals, Webinars.

From the International Editor-in-Chief…

For the first time, cybersecurity has been among the most pressing topics at a meeting of the "Group of 7" countries. The summit took place in mid-June, and it appears that the participants are taking firm actions to forestall attacks on the elements of their critical infrastructure.

See, for example: https://www.reuters.com/world/europe/g7-demandaction-russia-cybercrimes-chemical-weapon-use-2021-06-13/

These 7 nations have identified certain sources of cyber attacks and have demanded that those involved put a stop to them. In particular, the group issued a communique which said Russia must "hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes."

In an action closely related to this cybersecurity response, the EU has recently taken action on a privacy initiative with strong cyber implications. We continue to see regulatory actions on privacy which also can have positive effects on cybersecurity defenses.

It's important to remember, however, that even compliance with laws, treaties and regulations may not absolve organizations from liability in the event of a data breach or ransomware attack.

As always, we encourage cooperation and compatibility among nations and international organizations in responding to these cybersecurity and privacy matters.

To our faithful readers, we thank you,

Pierluigi Paganini
International Editor-in-Chief
Welcome to CDM's July 2021 Issue

From the U.S. Editor-in-Chief

Reflecting on the topics of our articles this month, this is what we see: an increase in the number and depth of articles with actionable information for cybersecurity professionals and others interested in the trends and implications of these developments.

In particular, we are pleased to carry over 30 articles this month on lessons to be learned and actions to take in response to ransomware attacks, protection of critical infrastructure, and applications of cybersecurity practices and programs.

We're pleased to include articles on a full spectrum of recognition of threats, preventive measures, means of assuring resilience and sustainability, and even the structural aspects of organizations with responsibility to maintain the confidentiality, accessibility, and integrity of sensitive data.

As editor, I would encourage our readers to become familiar with the 16 areas of critical infrastructure designated by the Department of Homeland Security, found at www.dhs.gov. Going forward, activities in these areas will become more and more important in the world of cybersecurity.

We strive to make Cyber Defense Magazine most valuable to our readers by keeping current on emerging trends and solutions in the world of cybersecurity. To this end, we commend your attention to the valuable actionable information provided by our expert contributors.

Wishing you all success in your cybersecurity endeavors,

Yan Ross
U.S. Editor-in-Chief
Cyber Defense Magazine

About the US Editor-in-Chief

Yan Ross, J.D., is a Cybersecurity Journalist & U.S. Editor-in-Chief of Cyber Defense Magazine. He is an accredited author and educator and has provided editorial services for award-winning best-selling books on a variety of topics. He also serves as ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist® XV CITRMS® course. As an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, privacy, and cyber security for consumers and organizations holding sensitive personal information. You can reach him by e-mail at yan.ross@cyberdefensemediagroup.com
Colonial Pipeline, JBS Cyber Attacks Shine Spotlight on Operational Technology Vulnerabilities for Wide Range of Business Sectors

By Fred Gordy, Director of Cyber Security at Intelligent Buildings
The recent Colonial Pipeline Co. and JBS SA cyber attacks were about more than a temporary disruption of fuel supply in the southeastern United States or a short-term delay in meat production. They lay bare the vulnerabilities faced by any company that runs both operational technology (OT) and information technology (IT).

OT refers to the hardware and software used to change, monitor, or control physical devices, processes, and events within a company or organization. Most office workers are more familiar with IT. Having an issue with your computer? Call IT. Have a suspicious email in your inbox? Report it to IT. The IT department is responsible for keeping the company's computer systems safe. OT departments are far less commonplace, but the pipeline crisis highlights the need for dedicated OT staff or contracted professionals.
For Colonial Pipeline, the bottom line is that the company did not understand how its own IT and OT systems were connected: the ransomware hit its IT systems, and because it could not be sure the infection would stay out of OT, the pipeline itself had to be shut down. It takes both IT and OT expertise to work that kind of problem. Without a fully vetted incident response plan that covers both, companies are not prepared for system compromises. OT is not exclusive to pipelines, production plants, dams, and other infrastructure and industrial environments. All commercial buildings, including office complexes, retail, hospitality, education, healthcare, government, and others, have OT systems.
The OT systems in these facilities may include HVAC, elevators, lighting controls, metering, fire safety, access control, and other technologies, all subject to hacking, misconfiguration, phishing, and ransomware. Call it intelligent buildings, smart building systems, or whatever you like: building system cybersecurity matters. Attacks have caused catastrophic operational interruptions in many buildings. These attacks generally go unreported because they do not involve compromising sensitive personal information of users or customers, and so trigger no breach-notification duty, but that does not mean they are unimportant.
The Colonial Pipeline Co. incident made national news because the company's shutdown led to a fuel shortage and price increase in the southeastern United States, prompting officials to warn the public not to stockpile gasoline in plastic bags. Foreign attackers used commodity ransomware to take control of Colonial's IT systems. To regain control, the company paid the hackers more than $4 million. Just weeks after this event, JBS SA, the world's largest meat processing company, experienced a similar cyberattack, which forced temporary closures of plants because the servers supporting its operations in North America and Australia were affected.
These incidents — and the relatively low level of skill needed to carry out the attacks — should have all<br />
company leaders moving to assess vulnerabilities of their buildings’ OT systems, as the gateway to IT<br />
systems. Working with professionals, such as those at Intelligent Buildings, will become even more<br />
important as the federal government prepares to issue cybersecurity regulations for pipelines that will<br />
also impact other industries. Complexity will continue to increase and the effect will be felt at a lower<br />
level, even down to its influence on insurance premiums.<br />
Even if the regulations do not extend beyond pipelines or other critical infrastructure, they will include<br />
sound guidance that applies across sectors. For example, one part of the regulations would require the<br />
periodic review of remote network connections that can be soft spots for hackers to attack. This is<br />
especially pertinent with so many more people working from home during the pandemic and many<br />
companies considering at least a hybrid model that allows some work-from-home days.<br />
While the pipeline and plant shutdowns affected thousands and may seem far removed from many<br />
business leaders, building tenants know that convenience, productivity, and health and safety play a vital<br />
role in occupant experience. Additionally, having hackers take control of a building’s elevators or shut<br />
down a company’s production lines can have a catastrophic impact on a more local level, so one thing<br />
is clear: cyberattacks will continue, and companies large and small need increased focus on the cybersecurity<br />
of both IT and OT systems.<br />
Cyber Defense eMagazine – July 2021 Edition 34<br />
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.
About the Author<br />
Fred Gordy is Director of Cyber Security at Intelligent Buildings, a<br />
company focused on Smart Building advisory, assessment, and<br />
managed services at scale for both new projects and existing<br />
portfolios. Intelligent Buildings helps customers manage risk,<br />
enhance occupant well-being, and continually improve performance<br />
by providing unmatched expertise, practical recommendations, and<br />
targeted services. Fred can be reached at<br />
fred.gordy@intelligentbuildings.com.<br />
Getting The Cloud Right - Security and Compliance<br />
By Tim Dinsmore, Technical Director, Appurity<br />
COVID has been responsible for many things. Perhaps cloud computing doesn’t spring to the top of your<br />
list, but the pandemic has certainly spurred many organisations into adopting a cloud-first strategy.<br />
Indeed, research carried out by Forbes suggested that the majority of businesses surveyed had<br />
accelerated their move to cloud due to the pandemic. The underlying force of course is an overall shift<br />
towards remote working - this is where cloud computing can flex its muscles. But it’s not only remote<br />
working that has fueled cloud adoption - data (and its inherent security / protection) is a prime factor for<br />
organisations to move towards a cloud-first working environment.<br />
With security in mind, cloud service providers (CSPs) offer better security than when an organisation<br />
stores data ‘on-premise’. However, moving to a cloud-centric way of working still provides challenges<br />
when it comes to privacy and security. For example, consider the use and handling of data. Once upon<br />
a time, data management was the sole concern of the business. In recent years however, governments<br />
and other concerned parties have sought to gain control (thus ensuring higher levels of data security) by<br />
introducing legislation - the EU’s GDPR for example. Such legislation ultimately adds new levels<br />
of management complexity for any business that handles and stores data. And it’s not just GDPR that<br />
businesses need to comply with. There are various data management and protection requirements that<br />
exist across a number of industries. And whilst most businesses can outsource their operations to some<br />
degree or other, when it comes to compliance, then the business is left to carry the can. And this can’t<br />
be taken lightly - if your business falls foul of compliance then you face expensive penalties and even<br />
reputational damage.<br />
Visibility is key if your business aspires to a secure and compliant cloud system. Popular, well-known<br />
SaaS solutions come with inbuilt security as standard - however, they also have blind spots. Also, many<br />
SaaS products offer certain features only at the top end of the price range, inevitably making them too<br />
expensive if you are not at enterprise level. This makes reporting a laborious affair for those tasked with<br />
putting together and auditing data from a variety of sources. Organisations are also seeing a surge in the<br />
use of personal devices along with an increase in BYOD policies. This has brought about the need to<br />
increase the resource assigned to monitoring the escalating use of out-of-scope apps. But adopting<br />
security and data solutions is a process that needs to be tempered against productivity and user<br />
experience - this should not be compromised. Employees and users at every level of the organisation<br />
need access to data regardless of their location or choice of device.<br />
A Cloud Access Security Broker (CASB) solution can optimise visibility across an organisation by<br />
monitoring all user activity within cloud applications (company-approved and shadow apps) and enforcing<br />
both internal policies and external compliance requirements. A CASB solution should additionally be<br />
adopted as part of a wider SIM/SIEM solution for the ultimate in forward-looking, secure data collection,<br />
monitoring, and consolidation. Many CASB solutions are designed with compliance in mind. They provide<br />
granular visibility and control over user interaction with cloud applications and broad audit trails of such<br />
user activity. They are perfect for centralised control, management and ease of use.<br />
Taking compliance and data protection seriously requires a proactive approach to data management. By<br />
understanding where potential data breaches could occur, a business can eliminate them at source. The risk of infected<br />
or malicious files making their way into the cloud, or the threat of identity theft for example, is still<br />
prevalent and must be considered as part of any data protection strategy. Identity theft, perhaps via stolen<br />
passwords, is a leading cause of data breaches. This makes it imperative for businesses to adopt<br />
stronger-than-password protection. One-time passcodes (OTPs) are used widely<br />
by businesses as an extra layer of security on top of password protection, but some are vulnerable to<br />
interception or phishing attempts. It is highly advisable to choose real-time generated OTPs to boost<br />
security.<br />
As businesses of all shapes and sizes increasingly move to the Cloud to manage and store all of their<br />
data and apps, the need for a robust and comprehensive solution for security and compliance in the cloud<br />
should be the foremost consideration. At the end of the day, an informed and planned proactive strategy<br />
affords those in charge all the confidence they need that compliance regulations are being met, rather<br />
than having to respond in a reactive manner with the ensuing chaos that can arise. Cloud-centered<br />
working is officially here to stay so let’s do it efficiently, securely and by the book.<br />
About the Author<br />
Tim Dinsmore is the Technical Director of Appurity, the cross-platform<br />
mobility specialists.<br />
https://appurity.co.uk/security-in-the-cloud/<br />
Flipping the Cyber Script<br />
Getting Ahead of Attackers with a Zero Trust Architecture<br />
By Mark Sincevich, Federal Director, Illumio<br />
It’s hard to find a recent cybersecurity attack where the company didn’t have an existing firewall with<br />
antivirus protection. Last year alone, the world spent $173 billion on cybersecurity. Yet, cyberattacks are<br />
more detrimental and frequent than ever before. A lack of spending isn’t the issue; the real problem is<br />
not implementing the correct strategy.<br />
As an industry, we’ve been focused on having a strong perimeter without considering what happens if,<br />
or more realistically when, an attack breaches the perimeter. Assuming a breach has occurred is one of<br />
the tenets of a Zero Trust architecture. If agencies don’t up-level defense, and soon, attackers will<br />
always be one, or many, steps ahead.<br />
The Current Security Model Isn’t Working<br />
Federal efforts such as the Department of Homeland Security’s (DHS) Continuous Diagnostics and<br />
Mitigation (CDM) Program have provided a dynamic approach to ensure federal civilian agencies install<br />
‘detect and defend’ antivirus software and have recently upgraded firewall hardware among other<br />
recommendations. However, as evidenced by the recent SolarWinds and Colonial Pipeline attacks, these<br />
measures alone are insufficient.<br />
Additionally, both CDM and the DHS EINSTEIN detection system, deployed to catch known malware,<br />
missed the SolarWinds attack and failed to report anything was amiss. Since new attacks move quickly<br />
and often go undetected, deploying assets to ‘chase the enemy’ often means the damage is already<br />
done. The traditional detect and defend approach will not prevent attacks from moving around the<br />
network, which is when the real harm continues to occur.<br />
Federal CISO Chris DeRusha noted the need for agencies to move in a new direction: “Everyone and<br />
everything is untrustworthy until we prove otherwise.”<br />
Rather than relying on “comply-to-connect” security policies, teams must adhere to a key pillar of Zero<br />
Trust – assume that an initial breach has already occurred and that attackers are already inside of the<br />
network.<br />
Thankfully, We Have a New Model That Does Work…<br />
Here’s the good news: The White House recently released new cybersecurity guidance in an Executive<br />
Order, directing agencies to adopt the principles of Zero Trust security to modernize and bolster the<br />
nation’s cyber defenses. A Zero Trust security model gives federal cyber leaders the ability to make their<br />
networks and agencies more resilient to attacks.<br />
While Zero Trust is not new, many agencies will need to start implementing this security methodology<br />
from the ground up – a good place to start is from the inside out. Start by identifying your most valuable<br />
assets. For most, these live in the data center and cloud. Then, segment these assets from other parts<br />
of the network. The more granular these segments are, the better.<br />
Rather than blindly segmenting the network, agencies should leverage Zero Trust Segmentation, which<br />
establishes allowlists that indicate which apps and workloads can connect. Any connection that is not<br />
explicitly stated is denied by default.<br />
When a ransomware attack tries to move from the initially compromised point to the rest of the network,<br />
Zero Trust Segmentation will stop it in its tracks. In other words, even if malicious actors gain access,<br />
they cannot move to the applications and data that agencies deem most critical because they are blocked<br />
by default. This approach will only allow connections between authorized and legitimate applications and<br />
workloads and will deny everything else.<br />
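The default-deny allowlist described above, as an added example that is not Illumio's or the article's code: a small policy evaluator over a constructed workload inventory, a three-rule allowlist and sample flows, including a compromised workstation whose attempts to reach the database and a peer workstation are denied because no rule states them.

```python
"""Default-deny workload allowlist, illustrating Zero Trust Segmentation.

Added example, not Illumio's or the magazine's code. Workload names, role
labels, the allowlist and the sample flows are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One explicit allow entry: which role may talk to which role on a port."""
    src_role: str
    dst_role: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    """An observed or attempted connection between two named workloads."""
    src: str
    dst: str
    port: int
    proto: str = "tcp"


# Constructed inventory: workload name -> role label used by the policy.
WORKLOADS = {
    "web-01": "web",
    "web-02": "web",
    "app-01": "app",
    "db-01": "db",
    "ws-finance-17": "workstation",
    "ws-hr-04": "workstation",
}

# Constructed allowlist. Everything not listed here is denied.
ALLOWLIST = (
    Rule("workstation", "web", 443),  # users reach the front end
    Rule("web", "app", 8443),         # front end reaches the app tier
    Rule("app", "db", 5432),          # only the app tier reaches the database
)


def decide(flow, workloads=WORKLOADS, allowlist=ALLOWLIST):
    """Return (verdict, reason) for a flow. The default verdict is 'deny'."""
    src_role = workloads.get(flow.src)
    dst_role = workloads.get(flow.dst)
    if src_role is None or dst_role is None:
        # An unlabelled workload cannot match any rule, so it is denied.
        return "deny", "unknown workload (not in inventory)"
    for rule in allowlist:
        if (rule.src_role, rule.dst_role, rule.port, rule.proto) == (
            src_role, dst_role, flow.port, flow.proto
        ):
            return "allow", f"rule {src_role}->{dst_role}:{flow.port}/{flow.proto}"
    return "deny", "no matching rule (default deny)"


def evaluate(flows, workloads=WORKLOADS, allowlist=ALLOWLIST):
    """Apply the policy to every flow; returns [(flow, verdict, reason), ...]."""
    return [(f, *decide(f, workloads, allowlist)) for f in flows]


def denied_by_source(results):
    """Count denied flows per source: the visibility a segmentation policy gives
    a defender, since a burst of denials from one host is worth investigating."""
    return Counter(f.src for f, verdict, _ in results if verdict == "deny")


# Constructed sample: legitimate traffic plus a compromised workstation probing
# for the database and a peer workstation, the spread the policy should stop.
SAMPLE_FLOWS = [
    Flow("ws-finance-17", "web-01", 443),
    Flow("web-01", "app-01", 8443),
    Flow("app-01", "db-01", 5432),
    Flow("ws-finance-17", "db-01", 5432),    # workstation -> database: not allowed
    Flow("ws-finance-17", "ws-hr-04", 445),  # workstation -> workstation: not allowed
    Flow("web-01", "db-01", 5432),           # front end skipping the app tier
    Flow("rogue-99", "db-01", 5432),         # not in the inventory at all
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_FLOWS)
    for flow, verdict, reason in results:
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.port}  ({reason})")
    print("denied flows per source:", dict(denied_by_source(results)))
```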
Maturing the Zero Trust Model<br />
Perimeter security and detection are important parts of the cybersecurity equation, but alone, they’re not<br />
enough to keep us secure. A Zero Trust strategy requires a permanent change in philosophy where<br />
teams trust nothing in their network by default.<br />
Teams should architect their networks from the inside out using Zero Trust Segmentation to increase<br />
visibility and stop the spread of ransomware across systems. As agencies design and implement Zero<br />
Trust strategies, they will prevent cyber incidents from becoming disasters. Our data, networks, and our<br />
nation will be safer for it.<br />
About the Author<br />
Mark Sincevich is the Federal Director at Illumio.<br />
How To Make The Most of Increased Cybersecurity Spend<br />
The average organization devotes 21% of its IT budget to cybersecurity.<br />
By Stu Sjouwerman, CEO, KnowBe4<br />
With the threat of malware touching more and more organizations, boards are beginning to devote greater<br />
resources to cybersecurity. The unfortunate truth is that a successful cyberattack can sink a business.<br />
The average remediation cost of a ransomware attack, for example, is $1.85 million, according to a<br />
Sophos report. The cost of non-compliance if sensitive data is exfiltrated can also be considerable, and<br />
the lasting reputational damage is hard to quantify.<br />
Companies that may have been tempted to gamble in the past are now seeing the financial sense in<br />
increasing cybersecurity spend. The average organization devotes 21% of its IT budget to cybersecurity,<br />
according to the Hiscox Cyber Readiness Report, an increase driven by a sustained rise<br />
in the frequency of cyberattacks recently.<br />
The growing threat<br />
In the last 12 months, the percentage of organizations experiencing a cyber-attack jumped from 38% to<br />
43%, according to Hiscox data, and 73% of those victims experienced more than one attack. A paltry 9%<br />
reported they were able to defend against the attack with no impact on operations. Stronger defenses and better<br />
preparation are required to avoid potential disaster.<br />
Beyond the disruptive impact of ransomware or DDoS attacks, there lurks the even worse threat of a full-blown<br />
data breach. It takes 280 days on average to identify and contain a data breach and costs $3.86<br />
million, according to the Ponemon Institute. It’s far better to spend a fraction of that amount to bolster<br />
your defenses and harden your security posture.<br />
The question is where to spend it to ensure the greatest impact.<br />
Phishing and BEC attacks<br />
We know that malware can usually be traced back to a phishing attack. Threat actors are increasingly<br />
picking their targets and getting smarter about how they approach them. Spear phishing is on the rise<br />
and sophisticated attacks employ stolen credentials to attack laterally. If a message or email appears<br />
legitimate, or worse comes from a colleague’s account that has been hacked, the risk of someone clicking<br />
a link or downloading a file and triggering a malware installation is much greater. The unpleasant truth is<br />
that anyone can be fooled. Employees of all levels can fall victim to phishing scams.<br />
Business Email Compromise (BEC) is also a serious concern, with the FBI reporting $1.8 billion in losses<br />
through BEC, which is a staggering 42% of the cybercrime loss total. Much more sophisticated and<br />
targeted at CEOs, CFOs, and other high-ranking executives, BEC can be the result of months of<br />
reconnaissance, with attackers building complex infrastructures and hacking multiple accounts in pursuit<br />
of a big payday.<br />
Spending effectively to boost security<br />
The temptation to sink any budget increase for cybersecurity into a tool or platform that promises to<br />
safeguard your data is understandable, but there’s a better way to strengthen your security. If we accept<br />
that security systems can always be bypassed by persuading people to unwittingly grant access, then<br />
it’s clear that the best way forward is to educate and empower your workforce.<br />
Security awareness training is crucial because teaching people to spot the common signs of a phishing<br />
attack develops the muscle memory you want to see.<br />
Establish a baseline before you begin and set targets for improvement with periodic tests, such as mock<br />
phishing campaigns, to determine what progress has been made. Test results and any real-life security<br />
incidents that occur should be leveraged as learning opportunities and used to inform ongoing training.<br />
Make sure that you combine training with stronger security controls and strict procedures. At the shallow<br />
end, you have to provide phish alert buttons to make it easy to report suspicious emails. Reports should<br />
trigger an investigation that includes feedback for the employee who flagged the message.<br />
Responsibilities, processes, and expectations should be clear and easily accessible for everyone.<br />
To tackle more sophisticated spear phishing or BEC attacks, design controls around funds transfers or<br />
sensitive data sharing. By requiring multiple people to sign off on transactions over a certain amount or<br />
insisting on in-person meetings or video calls to confirm the legitimacy of data or funds requests, you can<br />
prevent major losses. Consider the worst-case scenarios and design controls that will block scammers.<br />
Enlisting your employees<br />
Employees are your most valuable resource. They have the deepest understanding of your business and<br />
are invested in helping you strengthen security. Ask for their advice and input to identify the greatest risks<br />
and learn how best to safeguard their areas of responsibility. Having an open dialog for prioritizing the<br />
assets that need securing will send a clear message and encourage people to take risk management<br />
more seriously.<br />
If you educate employees and equip them with the right tools, you can quickly make vast improvements<br />
to your cybersecurity stance. Continuous training and a program of attack simulations that emulates real-world<br />
threats will deliver tangible benefits.<br />
Ultimately, it’s by enlisting employees that you will squeeze the greatest value from any increase in your<br />
cybersecurity spend.<br />
About the Author<br />
Stu Sjouwerman is founder and CEO of KnowBe4, [NASDAQ: KNBE]<br />
developer of security awareness training and simulated phishing<br />
platforms, with over 37,000 customers and more than 25 million users.<br />
KnowBe4 also offers a KCM GRC platform that provides ready-made<br />
templates for quick compliance evaluations and reporting. Centralized<br />
policy distribution and tracking helps users remain compliant, as does<br />
flagging risky users. Sjouwerman was previously co-founder of Sunbelt<br />
Software, the anti-malware software company acquired in 2010. He is the<br />
author of four books, his latest being “Cyberheist: The Biggest Financial<br />
Threat Facing American Businesses.” He can be reached at<br />
ssjouwerman@knowbe4.com or company website<br />
https://www.knowbe4.com/<br />
Common Sense Cybersecurity Steps for Managed Service Providers (MSPs)<br />
By Wes Spencer, CISO at Perch Security – a ConnectWise Solution<br />
Covid-19 changed the IT landscape for a lot of MSPs helping customers, suppliers and partners as they<br />
struggled to adopt digital services and technologies to make work-from-home models a reality. This rapid<br />
transformation opened the door for opportunistic cybercriminals to figure out new ways to target MSP<br />
clients, particularly small and medium-size businesses (SMBs).<br />
Case-in-point: nearly 73% of MSPs we surveyed for our Perch Security 2021 MSP Threat Report<br />
confirmed at least one customer had a security incident last year and that nearly 60% of these incidents<br />
were related to ransomware.<br />
Why MSPs and their customers are uniquely vulnerable to cybercriminals.<br />
MSPs are increasingly in the line of fire for cybercriminals, as seen during last year’s crisis. MSPs hold<br />
the keys to hundreds of organizations that they manage, making it attractive to go after many at once.<br />
“Buffalo Jump” attacks occur when an MSP is breached and more than one managed organization is<br />
compromised with malware as a result. Ransomware has also moved to the cloud.<br />
Attackers understand MSP tools and know how to exploit the vulnerabilities and tools that MSPs depend<br />
upon. They know that enterprise-grade security solutions are rarely built for use by MSPs, who represent<br />
a large number of companies, each with its own appetite for risk, its own level of understanding of cybersecurity<br />
tools, and its own resource constraints.<br />
Last year marked a rapid digital transformation as more customers shifted to the cloud. This introduced<br />
a slew of potential new vulnerabilities and risks for uneducated and unshielded customers. In fact, 82%<br />
of MSPs told us that the budget reserved for cybersecurity increased in 2020, with 75% of respondents<br />
indicating their spending would increase on average by 12.1% in 2021. Of the three types identified in<br />
our report - front runners, trying to keep up, and lagging behind - MSPs in the last category that don’t<br />
prioritize a security-first approach for a fast-evolving threat landscape take the biggest risk in terms of<br />
time and money loss.<br />
Common sense cybersecurity steps for MSPs<br />
MSPs need to take threats seriously, even if their customers don’t. Here are some common sense<br />
security steps and approaches for MSPs:<br />
• Recognize you’re a valuable target – Most importantly, if you lack the right staff and training,<br />
then get on board with trusted partners and peers that can help you grow your security know-how<br />
and capabilities.<br />
• Educate customers – Becoming more assertive with customers and bundling security into all<br />
packages will put you in a stronger position.<br />
• Evaluate Budget – Educating leadership on the gaps and risks with a self-assessment is the only<br />
way to get an increased security budget.<br />
• Get Dedicated Staff – Tools alone aren’t enough; you need human capacity to operate and<br />
interact with security solutions, whether with dedicated security personnel or managed security<br />
services.<br />
• Reduce tool sprawl – Find security controls that work well together and with your current ticketing<br />
systems and complement your stack.<br />
• Maximize your spread – When thinking about what to bundle into basic packages, keep in mind<br />
the realities of today’s increasingly converged customer environments, including must-have<br />
SOC/SIEM with additional XDR/MDR/EDR layered tools.<br />
• Tackle passwords and training – Passwords remain a key weak link where security failures are<br />
concerned, so password reuse training, architecting multi-factor authentication and security keys<br />
for single-sign-on are important.<br />
The next big thing: addressing remote workforce security gaps<br />
What happens when everyone suddenly starts working from home? Security becomes pushed to the<br />
backburner. With fully remote and hybrid working models set to stay for the long term, MSPs must<br />
urgently review the effectiveness of existing security controls in terms of where employees – and their<br />
customers’ users – now work and determine whether an alternative deployment architecture or controls<br />
are needed to cover the risk.<br />
There are a lot of timely reasons for MSPs to get their cybersecurity ducks in a row, from protecting<br />
customers to insurance firms hardening their attitudes toward cyber policies and new compliance<br />
regulations. Whatever the reason, the time is now.<br />
About the Author<br />
Wes Spencer is the CISO at Perch Security, which was<br />
acquired by ConnectWise in November 2020. He is<br />
responsible for leading external security strategies,<br />
working with external constituencies and media. He also<br />
provides cybersecurity thought leadership to<br />
ConnectWise’s partners, enabling them to build more<br />
mature cybersecurity programs for themselves and their<br />
clients.<br />
Wes has been in the technology industry for 22 years,<br />
garnering awards such as Cyber Educator of the Year by<br />
the Cybersecurity Excellence Awards in 2020. Additionally,<br />
Wes is a part of multiple boards, serving on the Advisory<br />
Committee on Cybersecurity at the University of Florida,<br />
the Advisory Board on Cybersecurity Management at<br />
Murray State University, and as Chairman at the<br />
Community Institution Council Advisory Group, FS-ISAC. He has been featured in numerous<br />
publications, including The Wall Street Journal, ProPublica, Dark Reading, and Bleeping Computer.<br />
Wes attended Murray State University, earning both a Bachelor of Science in Cybersecurity and a Master<br />
of Science in <strong>Cyber</strong>security. In 2017, he was named among Murray State’s Alumni of the Year.<br />
Outside of work, Wes runs a YouTube channel with 30,000 subscribers covering cybersecurity and<br />
cryptocurrency. He is happily married and enjoys gaming and exploring the outdoors with his four<br />
children.<br />
Threat Intelligence Should Be Shared Not Shamed<br />
By Nuno Povoa, Eurofins Cybersecurity US<br />
When the DarkSide ransomware group shut down the Colonial Pipeline’s gas distribution that stretches<br />
from Texas to New Jersey, something rather remarkable happened: the criminals apologized.<br />
The DarkSide group issued an apology, saying its goal was not "creating problems for society" but "to<br />
make money." According to Newsweek, the hackers’ statement released on the Darkweb read in part,<br />
"Our goal is to make money, and not to create problems for society. From today we introduce moderation<br />
and check each company that our partners want to encrypt to avoid social consequences in the future."<br />
The world witnessed a cyber-terrorist organization playing a type of PR game to frame their attack as a<br />
‘Robin Hood’-type of good deed.<br />
Applying PR tactics is a new page in the hacker playbook to mask the organizational root causes of<br />
cyberattacks. Within these companies being targeted, it’s not a factor of negligence, it’s a lack of a clear<br />
understanding as to what these cybersecurity risks mean and how to translate them into impact. There's<br />
a big gap between the IT side of the house and the operational departments; each side has a separate<br />
administration department that doesn't always share security-related information in a timely manner. In<br />
the Colonial Pipeline’s case, their corporate exposure to the internet was most likely very tight, but<br />
exposure through its refineries—where they probably have their own security rules and procedures—<br />
was weaker and may not have matched up to the more stringent corporate security policies.<br />
Threat intelligence remains very compartmentalized and there's no central repository to share<br />
information. In many of these cybersecurity instances, investigators have to go to multiple sources, in<br />
multiple departments, to begin pinpointing the root cause of the attack. Highly operationalized<br />
companies, in which each group prioritizes only what matters to its own part of the organization, prolong the<br />
attack identification process. From the IT department down to the industrial control systems, there needs<br />
to be a better accountability structure in place and support for corporate-wide threat/risk data sharing—<br />
especially in utilities.<br />
Attackers - A Victimless Mindset<br />
Oftentimes, criminals who do these types of attacks are under the impression that it’s a victimless crime<br />
and at one point, the company will get reimbursed by their cyber insurance provider. In the Colonial<br />
Pipeline case, the hackers are hitting the company’s bottom line as well as affecting the price of gas all<br />
along the U.S. Eastern seaboard. “We are sorry. We wanted to start a little fire not a big fire” is far from<br />
an already morally dubious ‘Robin Hood’ act. Imagine what would have happened if this was a well-calculated<br />
attack on purpose, like the 2015 attack on the Ukraine power grid.<br />
To combat criminal hackers there needs to be a real-time, institutional understanding of what the threats<br />
are and a universal repository of data shared among all organizations, similar to how the National Oceanic<br />
and Atmospheric Administration (NOAA) shares all weather-related information to benefit everyone. But<br />
the fact remains that companies don't want to talk about their cybersecurity issues fearing bad PR and<br />
shareholder repercussions. All organizations need to share information on security breaches to create<br />
resiliency that enables quicker and more effective attack responses. To achieve this resiliency and<br />
collective response, companies need to have an overall risk management strategy—not just a bunch of<br />
vendor management tools—to create a reasonable strategy.<br />
Conclusion<br />
We live in a world where virtually everything is connected to the internet and there will always be bad<br />
actors looking for a way in. Companies need to embrace this reality, but a lot of organizations choose to<br />
downplay their chances of being hacked. The minute devices are connected to the internet there is an<br />
access port for hackers - companies must take this seriously and be ready to respond with a well-thought-out<br />
plan.<br />
Aligning with “industry best practices” has been the security mantra and goal of many niche industries,<br />
and while there's clear value in understanding and replicating the security goals within a particular<br />
technology or business vertical, it's crucial that the experience of other industries is not overlooked in the<br />
process. In the event of an attack, victims need to quickly disseminate the information so there is a<br />
universal understanding of the attack and a cooperative solution-share. This stands in stark contrast to<br />
the present-day concern companies have of simply comparing themselves to competitors in order to<br />
establish their security posture—oil, gas, energy, and manufacturing organizations are noticeably trapped<br />
in that mindset.<br />
Companies should not be relying solely on automated security tools for defense. No security tool is<br />
perfect; most security software demands constant tuning, writing another correlation rule, ingesting and<br />
parsing more logs, or configuring alerts based on a new predetermined condition. Adding to the<br />
complexity, many tools now employ machine learning and behavioral analytics, further abstracting the<br />
analysts from what is happening in the background. Risk rises alongside the evolving complexity of the<br />
system, and more than ever organizations need to implement a layered defense containing perimeter<br />
controls, EDR response, risk assessment processes, patch management, and people managing the<br />
security logs. Only with a layered defense for visibility and business resilience, and the universal,<br />
immediate, sharing of intelligence will we be able to remove one of the cyberattacker’s most valuable<br />
tools—corporate shame.<br />
About the Author<br />
As Senior Security Consultant, Nuno Povoa is the lead penetration tester<br />
at Eurofins <strong>Cyber</strong>security US. For over a decade, Nuno has developed<br />
strategic and technical insights to actively improve data and business<br />
resilience for major organizations in the USA, Europe and Asia. His past<br />
and present clients include major Oil & Gas, automotive manufacturing,<br />
broadcasting, and health care organizations.<br />
NATO to Consider Military Response to <strong>Cyber</strong>attacks<br />
As NATO Nations Face New Realities, The Worldwide Search For <strong>Cyber</strong> Talent Picks Up.<br />
By Doug Britton, CEO, Haystack Solutions<br />
In yesterday’s Brussels Summit Communiqué, issued by the Heads of State and Government<br />
participating in the meeting of the North Atlantic Council in Brussels on 14 June <strong>2021</strong>, NATO states<br />
that it will consider, on a case-by-case basis, treating cyberattacks similarly to physical attacks against allies.<br />
The communiqué indicates NATO may launch a military response against perpetrators.<br />
Under Article 5 of the 1949 NATO treaty, any armed attack on a NATO ally is considered an attack on all<br />
alliance members, who may then defend the ally. At the North Atlantic Council meeting in Brussels<br />
yesterday, the alliance disclosed a Comprehensive <strong>Cyber</strong> Defence Policy in which Article 5 responses<br />
may be taken following a cyberattack.<br />
The move follows several recent high-profile cyberattacks on commercial/industrial sector providers of<br />
critical infrastructure and services.<br />
The Loud Clarion Call:<br />
As a former linguist and HUMINTer in U.S. Army intelligence with U.S. Special Forces Command during<br />
Operation Enduring Freedom and former cyber-intel initiative contributor at Lockheed, this news jumped<br />
out to me on several levels.<br />
First, NATO is acknowledging that Russia, China and other nation-states pose major cybersecurity<br />
threats, both because of direct actions and because of the third-party threat actors operating on their soil,<br />
presumably with tacit permission.<br />
The first half of <strong>2021</strong> has seen both an increase in commercial/industrial critical infrastructure<br />
cyberattacks and a dramatic escalation of their potential impact - Colonial Pipeline, food processor JBS,<br />
and commercial sector corporations such as Fuji being just the latest examples.<br />
New findings from researchers with Check Point show that ransomware attacks have increased 93%<br />
year over year. Moreover:<br />
• The number of organizations impacted by ransomware has risen to 1,210 in June <strong>2021</strong> alone,<br />
• Check Point Research sees a 41% increase in attacks since the beginning of <strong>2021</strong>, contributing<br />
to the aforementioned 93% increase, and<br />
• Surprisingly, despite the high-profile U.S. entities attacked, Latin America and Europe saw the<br />
largest increase in ransomware attacks since the beginning of <strong>2021</strong>, marking a 62% and a 59%<br />
increase, respectively.<br />
Elena Elkina, JD, CIPP/US, CIPP/E, CIPT, and Partner with corporate privacy consultants Aleada, noted<br />
that we live in a world where cyber defense is imperative for companies and countries. “In the light of the<br />
frequency, complexity, and destructive power of the most recent attacks, the only surprise is that it took<br />
NATO up to this point to make public this decision and take assertive action. The time for delicacy is<br />
over, and it is time for NATO to reaffirm its position and request other countries to act respectfully and<br />
responsibly.”<br />
Help Wanted in The Hunt for Premium Talent: This communiqué makes clear that the U.S. and her<br />
allies must change the urgency and economics around finding the undiscovered cyber geniuses whose<br />
innate aptitudes make them among the potential best and brightest, then train them at a new pace<br />
and price point, and get them into the fight as soon as possible. This is a clarion call for the best talent<br />
on defense, repelling attackers at the cyber borders, and on offense, deploying cyber weapons against<br />
adversaries.<br />
As Garret Grajek, CEO of YouAttest, observed, the open nature of the democratic nations’ networks<br />
forces the West to apply pressure on the points of origin of such attacks. “NATO’s message is a strong<br />
sign to the nations that either harbor or turn a blind eye to attackers on their soil that these malware<br />
campaigns will be taken very seriously.”<br />
The number of open positions in various cyber roles exceeds the number of people that are currently in<br />
the profession today, with some suggesting that there will be another 145% growth required over the next<br />
5 years. Our current methods of identifying talent clearly aren’t able to keep up. The industry is also<br />
suffering from a somewhat polarizing perception of being a bro-network of hackers, at the fuzzy edge of<br />
ethics and laws.<br />
To change the math and attract new entrants, the industry needs new perspectives. The sheer number<br />
of people needed in cyber jobs does not align with the 4+ year timeline of college programs. The economy<br />
requires the ability to add people into the fight with months of training vs. years. One way we get people<br />
ready in months vs. years is to focus on learners that have the highest likelihood of internalizing the<br />
training and putting it to work on cyber battlefields.<br />
Typically, cyber training has a high percentage of washouts that either don’t complete the training or fail<br />
to transition into practice. Advances in cognitive testing around cyber would allow for more efficient<br />
deployment of training resources. Additionally, the same methods can give people with no technical<br />
background or prior experience, perhaps from philosophy or criminal justice, a pathway to becoming<br />
cyber warriors.<br />
NATO’s ability to meet this enemy on the multifaceted battlefield requires that we can find, train, and<br />
equip the cyber warriors. A revolution in talent development can get us there, if we move quickly.<br />
About the Author<br />
Doug Britton is the founding CEO of Haystack Solutions. Doug<br />
drew from his years in military intelligence and years as a cyber<br />
executive to craft a better way to find cyber talent. Haystack<br />
Solutions finds cyber genius using test methods developed for the<br />
US intelligence community and DOD, transferred out of the<br />
University of Maryland. Additionally, Doug is the CTO and a<br />
Director of RunSafe Security. As RunSafe’s CTO, Doug plays an<br />
essential role in showcasing how RunSafe’s technology changes<br />
the economics of cyber defense, and he has been instrumental in<br />
driving the RunSafe technology strategy and roadmap, the<br />
development of its patent portfolio and IP strategy, managing<br />
software development teams, and building a world-class security research team. Prior to RunSafe<br />
Security, Doug founded Kaprica Security which sold its Tachyon business to Samsung. He has also<br />
managed large-scale security research, reverse engineering, and exploit development programs for<br />
Lockheed Martin and SAIC. A trained computer scientist, Doug started his career in the National Center<br />
for Supercomputing Applications at the University of Illinois, before serving as a Russian Linguist and<br />
Interrogator in the US Army. He has also earned an MBA from the University of Maryland and mentors<br />
several entrepreneurs and students launching their business.<br />
Doug can be reached online at @CATA_Haystacks and at our company website<br />
http://www.haystacksolutions.com/<br />
Know Thy Enemy, Break Their <strong>Cyber</strong> Kill Chain<br />
By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies<br />
The <strong>Cyber</strong> Kill Chain, developed by Lockheed Martin in 2011, appropriates the military’s concept of ‘kill<br />
chain’ relating to structuring an attack into stages – from identifying an adversary’s weak links to exploiting<br />
them. In the same way that the traditional kill chain describes the seven steps in a physical attack –<br />
identification of the target, forced dispatch to the target, decision, order to attack the target, and finally,<br />
target destruction – the <strong>Cyber</strong> Kill Chain describes the modus operandi of a typical cyber intrusion in<br />
seven phases:<br />
1. External Reconnaissance – Identifying the target’s weaknesses, studying them, and then<br />
selecting which methods of attack can be executed with the highest degree of success. This initial<br />
stage involves the harvesting of organizational details such as mailing lists, social network activity,<br />
information on technology choices, conference details, etc.<br />
2. Weaponization and Packaging – This phase can take many shapes, including web application<br />
exploitation, compound document vulnerabilities delivered in Office, PDF or other document<br />
formats, off-the-shelf or custom malware, or watering hole attacks. Essentially, this is the part<br />
where the attacker packages up the exploit with a backdoor into a deliverable payload.<br />
3. Delivery – Transmission of the payload is either target-initiated (a user browses to a malicious<br />
web presence, leading to an exploit delivering malware, or they open a malicious PDF file) or<br />
attacker-initiated (network service compromise or SQL injection) – whichever digital method and<br />
means of transporting or launching the attack best suits the intended target.<br />
4. Exploitation – Once the payload has been delivered to the user, device or computer, it will work<br />
to compromise the asset, thereby gaining a foothold in the target’s IT environment. How this is<br />
achieved technically hinges on the type of digital attack selected. This can involve an exploit<br />
mechanism, like specialized code that takes advantage of a known software vulnerability to<br />
execute on a victim’s system. Depending on the victim, zero-day exploitation is a possibility as<br />
well, but in most cases, it isn’t necessary for adversaries to go to this expense.<br />
5. Installation – The objective of this step is to establish persistence on the victim system. It typically<br />
involves the installation of malware, such as a bot client or trojan, that will proceed to run<br />
whenever the compromised device powers on or reboots. This is typically designed to gain<br />
persistence at the endpoints where it has access and enables the adversary’s control of the<br />
application without alerting the target’s organization.<br />
6. Command and Control – This stage is simple: Set up and initiate a communication mechanism,<br />
or the “Command and Control (C2) channel” as security experts call it, to exercise authority on<br />
the affected devices and exfiltrate data remotely. The level of complexity in this step can range<br />
from simply transmitting data via normal network services (e.g., HTTP, IRC, and others), to<br />
something much more sophisticated like concealing specially encrypted traffic in tricky,<br />
unexpected network services (in ICMP messages or DNS options, for example). Some of the<br />
more modern threats even use social media mechanisms, like Facebook or Twitter posts, for<br />
command and control. Ultimately, this channel enables the adversary to tell the controlled “asset”<br />
what to do next and what information to gather.<br />
7. Actions on Targets – In the seventh and final phase, intruders use the “hands on keyboard”<br />
access they’ve gained to carry out any malicious actions necessary to achieve their original goals.<br />
This can involve ransomware installation, keylogging, grabbing password hashes, using the<br />
webcam to spy, collecting any or all of your files and data, and much more.<br />
One criticism of Lockheed’s original <strong>Cyber</strong> Kill Chain is that it doesn’t adequately address a common<br />
stage of attack known as lateral movement or pivoting. Often, the first device a malicious actor gets<br />
control of isn’t the intended target, so they must take additional measures to gain access to the key<br />
systems or data required to accomplish their mission. To account for this, Lockheed considers its <strong>Cyber</strong><br />
Kill Chain to be circular rather than linear.<br />
Ultimately, understanding the <strong>Cyber</strong> Kill Chain helps those tasked with protecting systems and data<br />
identify the different and varying defenses that need to be in place for effective security. While<br />
cybercriminals are constantly evolving their attack techniques, their approach will always consist of these<br />
fundamental stages. Effective security defenses rely on intimate knowledge of adversaries and their tools<br />
and tactics. And, the closer to the first link of the <strong>Cyber</strong> Kill Chain an attack can be stopped, the better.<br />
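As an added example (not code from the article or from WatchGuard), the following Python heuristic shows how a defender might break the chain at stage 6, Command and Control, by scanning DNS query logs for the covert channel described above (attacker data hidden inside DNS queries). The log format, client addresses, domain names and thresholds are all constructed assumptions for illustration.<br />

```python
"""
Added example, not from the article: a small defender-side heuristic that
scans DNS query logs for the covert command-and-control channel the Cyber
Kill Chain's stage 6 describes (attacker data hidden inside DNS queries).
The log format, client addresses, domain names and thresholds are all
constructed assumptions for illustration.
"""
import math
from collections import defaultdict

# Constructed sample log: "<timestamp> <client-ip> <query-name> <query-type>".
# Client 10.0.0.31 sends hex-looking labels to one domain in TXT queries, the
# classic shape of a DNS tunnel; the other lines are ordinary lookups.
SAMPLE_LOG = """\
2021-06-14T09:00:01 10.0.0.12 www.example.com A
2021-06-14T09:00:02 10.0.0.12 mail.example.com MX
2021-06-14T09:00:03 10.0.0.31 4a6f686e2d446f6553.c2-example.test TXT
2021-06-14T09:00:04 10.0.0.31 5061737377307264.c2-example.test TXT
2021-06-14T09:00:05 10.0.0.31 7365637265742d646174612d3031.c2-example.test TXT
2021-06-14T09:00:06 10.0.0.31 3030303030303030303030.c2-example.test TXT
2021-06-14T09:00:07 10.0.0.12 cdn.example.com A
"""

KILL_CHAIN_STAGE = "Command and Control"  # stage 6 of the Cyber Kill Chain


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score higher than words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain labels, registered domain). Naive assumption: the
    registered domain is the last two labels; production code would consult
    the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def query_reasons(qname, qtype, min_label_len=16, min_entropy=2.5):
    """Reasons a single query looks like tunnel traffic (empty list if none)."""
    sub_labels, _ = split_name(qname)
    reasons = []
    if max((len(label) for label in sub_labels), default=0) >= min_label_len:
        reasons.append("long label")
    if shannon_entropy("".join(sub_labels)) >= min_entropy:
        reasons.append("high entropy")
    if qtype in ("TXT", "NULL"):  # record types that carry arbitrary payloads
        reasons.append(f"{qtype} query")
    return reasons


def detect_dns_tunnel_candidates(log_text, min_reasons=2, min_queries=3):
    """Alert when one client sends several suspicious queries to one domain.
    Requiring several queries per (client, domain) pair keeps a single odd
    but legitimate name (e.g. a CDN hash) from raising an alert on its own."""
    hits = defaultdict(lambda: {"queries": 0, "reasons": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        reasons = query_reasons(qname, qtype)
        if len(reasons) < min_reasons:
            continue
        _, domain = split_name(qname)
        entry = hits[(client, domain)]
        entry["queries"] += 1
        entry["reasons"].update(reasons)
    return [
        {"client": client, "domain": domain, "queries": entry["queries"],
         "reasons": sorted(entry["reasons"]), "kill_chain_stage": KILL_CHAIN_STAGE}
        for (client, domain), entry in hits.items()
        if entry["queries"] >= min_queries
    ]


if __name__ == "__main__":
    for alert in detect_dns_tunnel_candidates(SAMPLE_LOG):
        print(alert)
```

On the constructed log the only alert is for client 10.0.0.31 and domain c2-example.test, with four suspicious TXT queries; note that the all-zero label is caught by length and record type even though its entropy is low, which is why the reasons are combined rather than relying on entropy alone.<br />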
<strong>Cyber</strong>criminals have a knack for tracking down the weakest point of entry between them and an attack<br />
on a corporate network, which is often through endpoint devices such as mobile phones, tablets and<br />
laptops, or other wireless and IoT devices. The massive shift to remote work this past year has inhibited<br />
traditional corporate network security because it can’t protect users beyond its perimeter. For this reason,<br />
security strategies for our “new normal” need to strengthen defenses on remote employees’ endpoints at<br />
home. Endpoint protection (EPP) detects and prevents many phases of the <strong>Cyber</strong> Kill Chain, completely<br />
thwarting most attacks or enabling IT administrators to remediate the most complex and sophisticated<br />
threats in later stages.<br />
While adversaries must advance through each of the seven phases in the <strong>Cyber</strong> Kill Chain in order to<br />
realize success, IT/security teams just need to shut down a single link to break it. Malicious actors can<br />
often access the most valuable assets of the organization they’re targeting via endpoints in homes where<br />
employees are doing their work remotely. Therefore, stopping malicious actors at the endpoint radically<br />
reduces the likelihood of a successful cyberattack.<br />
About the Author<br />
Corey Nachreiner is the CSO of WatchGuard Technologies. A frontline<br />
cybersecurity expert for nearly two decades, Corey regularly<br />
contributes to security publications and speaks internationally at<br />
leading industry trade shows like RSA. He has written thousands of<br />
security alerts and educational articles and is the primary contributor<br />
to the Secplicity Community, which provides daily videos and content<br />
on the latest security threats, news and best practices. A Certified<br />
Information Systems Security Professional (CISSP), Corey enjoys<br />
"modding" any technical gizmo he can get his hands on and<br />
considers himself a hacker in the old sense of the word.<br />
Corey Nachreiner can be reached at @SecAdept on Twitter, or via https://www.watchguard.com/<br />
Uncovering the Dark Side of the Colonial Pipeline Attack<br />
By Alon Nachmany, Director of Customer Success AppViewX<br />
The Colonial Pipeline, which stretches more than 5,500 miles from Houston to New York and provides<br />
the eastern United States with almost half of its diesel, gas, and jet fuel, was shuttered after a ransomware<br />
cyber-attack. The attack was carried out by DarkSide, a cyber-criminal gang that attacks privately-owned<br />
businesses and donates a portion of what they take to charity. DarkSide also sells the ransomware they<br />
develop to other cyber-criminals who can then use it to carry out attacks in exchange for part of the profit.<br />
The impact of the attack hasn’t been catastrophic; there were some spikes in price in some states and<br />
some gas stations did run out of gas. The national average gas price rose by two cents, and the more<br />
significant effects have been a result of people's panic buying fuel and businesses making attempts to<br />
save fuel. But the attack has highlighted just how vulnerable both the pipeline and the American energy<br />
systems are.<br />
The Colonial Pipeline is nearly 60 years old. Over time, expansions and loops have been added to the<br />
pipeline to increase its capacity and make the process more high-tech and automated. Today, the<br />
company uses pumps, thermostats, sensors, and valves to monitor and control the pipeline, and a robot<br />
to inspect the thousands of miles of pipeline and find and report any anomalies. All of these technologies<br />
are connected to a central system that was targeted by DarkSide. Colonial has the pipeline back up and<br />
running and is now working closely with the Energy Department to ensure that something like this does<br />
not happen again.<br />
Outdated and Vulnerable OT Systems are Becoming Easy Targets<br />
The major factor that impacted the pipeline’s restart is how quickly Colonial could determine precisely<br />
how much of their infrastructure was affected by the attack. With many Operational Technology (OT)<br />
systems, there is a lack of visibility, meaning it could take a significant amount of time to determine the<br />
severity of an attack. OT systems were designed in the 1970s and have become incredibly outdated over<br />
the last 50 years as technology has become significantly more sophisticated.<br />
So have hackers.<br />
These OT systems were built with one thing in mind -- “Availability.” They simply cannot go down.<br />
Operational Technology is the technology that runs our utilities and critical infrastructure. As listed above,<br />
OT includes, among others, pumps, thermostats, sensors, and valves—devices that cannot afford to be<br />
shut down. And often, communications within these systems are not encrypted. In fact, some might even<br />
use a clear text username and password, if any authentication is required at all. OT systems are simply<br />
not like IT systems which are managed and secured by an IT team who know the system inside and out<br />
and can access any aspect of it in seconds to determine the damage caused. Many IT and cyber teams<br />
aren’t even aware of OT systems and how they are set up, so they aren’t able to easily manage or secure<br />
them, though this is currently changing.<br />
This is a big part of why the entire pipeline was shut down. Due to the lack of visibility and not knowing<br />
what information the hackers had taken, Colonial had no way of knowing what DarkSide could do next.<br />
So, their safest and quickest option was to halt the entire process until they could determine the extent<br />
of the attack. But shutting down also indicates that the company does not have a lot of faith in its OT<br />
security, which is a major red flag and something that needs to be addressed by the industry as a whole.<br />
Biden’s <strong>Cyber</strong>security Executive Order Comes as a Saving Grace<br />
In the days since the Colonial Pipeline cyber-attack, President Biden and other officials have prepared to<br />
issue an executive order requiring federal agencies and their contractors to strengthen their<br />
cybersecurity. The order created a <strong>Cyber</strong>security Incident Review Board similar to the National<br />
Transportation Safety Board, which investigates civil transportation accidents in the air or at sea.<br />
Once the order is put into effect, it will require software vulnerabilities to be reported to the government<br />
so that they can be addressed rather than being swept under the rug. This would hold companies liable,<br />
in a way they aren’t currently. If a company’s software doesn’t comply with regulations or they fail to<br />
report a vulnerability, there are consequences including a possible ban from selling their software to the<br />
government, which can kill their business’s viability.<br />
That being said, many utilities are private for-profit companies. This means that utility companies, like<br />
other companies, apply the “<strong>Cyber</strong>security Risk Equation.” A simple calculation of the probability of a<br />
cyber event times the cost of that event would be the budget for securing the solution. What this equation<br />
won’t take into account is the cost to the general public. For example, as we saw with the short gas<br />
outages, what if there is no gas? What happens when first responders don’t have fuel?<br />
Energy and Utilities – You Have No Choice but to Reinvent Your Security<br />
The Energy and Utility industry is our country’s lifeline providing essential everyday services to people.<br />
Any breakdown in this critical infrastructure can paralyze the entire system and have debilitating impacts<br />
on the consumers and a country’s economy at large. Ironically, the sector has been more lax than<br />
necessary in building a resilient cybersecurity posture.<br />
The increasing convergence of IT and OT systems and the lack of adequate OT security have introduced<br />
many security weak links into the infrastructure, making it an attractive target for cybercriminals. The<br />
Colonial Pipeline attack is a classic case exposing these security gaps and blatantly highlighting the need<br />
to bridge them with a well thought-through, strong, and sustainable security strategy.<br />
Biden’s executive order is a welcome move in that direction. Let us hope that the industry will act soon,<br />
or history won’t be kind.<br />
About the Author<br />
Alon Nachmany is the Director of Customer Success at AppViewX.<br />
He has more than 15 years of cybersecurity experience including<br />
being a former Chief Information Security Officer (CISO). He has<br />
worked with critical infrastructure, specifically with operational<br />
technology, and has consulted for water treatment and power<br />
companies as well as major airports and governments. In May<br />
2019, He was a speaker at the DOE’s <strong>Cyber</strong>security Conference.<br />
He can be reached via Twitter @AppViewX and at our company<br />
website @AppViewX.com<br />
How To Protect Power Infrastructure from Ransomware<br />
Attacks<br />
Why every point counts in the era of increasing intelligence<br />
By Hervé Tardy, Vice President, Marketing and Strategy for Power Quality, Americas,<br />
Eaton<br />
The continuing emergence of IoT is bringing new meaning to the old saying: “a chain is only as strong as<br />
its weakest link.” Advancements in connected technologies are helping enterprises achieve many<br />
benefits, allowing them to tap into new data insights and streamline efficiency in exciting ways. However,<br />
with this integration comes the responsibility to ensure the entire network remains protected, as more<br />
points of intelligent capabilities create more potential areas for cybersecurity risk.<br />
<strong>Cyber</strong> attackers are out in full force and more savvy than ever before, so businesses need to consider every<br />
possible avenue to keep their organization properly protected, including power infrastructure. In this<br />
article, we’ll cover how to approach the threat of ransomware attacks through power devices and provide<br />
measures to keep cyber criminals at bay.<br />
<strong>Cyber</strong>security in current context<br />
Safeguarding against ransomware strikes has never been more critical. In 2020 alone, the prevalence of<br />
ransomware attacks in the U.S. skyrocketed by 109 percent, according to the 2020 SonicWall <strong>Cyber</strong><br />
Threat Report, costing businesses more than $75 billion a year, part of which is attributed to downtime<br />
expenses. Experts attribute the rapid increase of threats to the influx of home-based employees resulting<br />
from the COVID-19 pandemic.<br />
When businesses migrate to a hyper-distributed IT environment, flexibility will grow, but the threat of<br />
growing cyberattacks can’t be ignored. This point was driven home recently when Colonial Pipeline faced<br />
a cyberattack that shut down approximately 5,500 miles of pipeline, causing panic among travelers facing<br />
gas shortages and long lines at gas pumps across the eastern seaboard.<br />
These types of events underscore the importance of safeguarding all network-connected equipment<br />
against cyber threats, which encompasses uninterruptible power systems (UPSs), power distribution and<br />
cooling systems.<br />
A resource guide for power protection

As hackers continually attempt to overcome the cybersecurity mitigations businesses are putting in place, organizations must ensure that there is no point of access for malicious activity. Having a running cybersecurity checklist for power management can help IT teams keep their strategy up to date and effective in the face of evolving threats.

• Keep certifications in check: One of the best things IT teams can do to drive the most effective level of security is to stay on top of cybersecurity certifications being developed by global standards organizations like Underwriters Laboratories (UL) and the International Electrotechnical Commission (IEC). These organizations are expanding their processes for certifying products as secure across the network, which includes power backup devices. There are UPS network management cards available with UL 2900-1 and ISA/IEC 62443 certification that have built-in cybersecurity capabilities and features. Buying products with these types of safeguards against possible ransomware attacks can transform a UPS into an enterprise IoT device with cybersecurity protection.

• Use software to manage firmware updates: By pairing backup equipment with power management software, enterprises have the ability to perform timely firmware installation and updates to stay ahead of emerging cybersecurity threats. As new threats are identified, businesses can work with their technology service providers to embed the necessary patches or solutions. For example, when the Ripple20 vulnerabilities were recently identified in the Quadros stack, potentially billions of connected devices were exposed. Power management software allows mass updating to apply patches and remove this exposure quickly, at scale, across the power chain.

• Look for ways to expand and improve: Although primarily developed to monitor and manage UPSs and rack PDUs, as well as to gracefully shut down loads during a loss of utility power, even in virtualized environments, power management solutions may also be used to provide an inexpensive, highly viable air gap solution. This security measure helps keep secure networks physically isolated from unsecured ones such as the Internet. Power management software has the capability to integrate with Windows operating systems and common virtualization systems, allowing IT teams to automatically discover and monitor common power infrastructure and IT equipment. Some solutions can also be customized to trigger specific actions on a customized schedule in alignment with UPSs and/or power distribution units (PDUs).

• Merge physical and digital solutions: Enterprises should also consider physical security as part of their strategy to keep power management equipment safe. Deploying smart security locks on IT racks can help to ensure that only authorized personnel have access to IT equipment.

While ransomware attacks are a mounting threat across every business landscape, they are especially risky to small- and medium-sized organizations that tend to have smaller security budgets and fewer dedicated IT personnel. By deploying simple measures, companies can help safeguard their IT infrastructure against these expensive and detrimental attacks.
Business continuity planning is a must

Successful enterprises not only utilize the previously discussed mitigations to prevent becoming a victim of ransomware, but also have a comprehensive business continuity plan in place. The first step is to make sure that files are regularly backed up. In some cases, this simple process will allow victims to recover their data at no cost.

It is possible that ransomware attackers will attempt to coerce a company to pay the ransom by threatening to publicly release sensitive information. For this reason, organizations should always encrypt their data to prevent attackers from gaining this type of leverage. It is also possible for ransomware attackers to encrypt or destroy backups. Because of this, it is essential to maintain a copy of backups in a separate location that is isolated from the network as a last line of defense.

The journey forward

Enterprises will keep looking for new ways to use IoT solutions as the technology landscape advances. Businesses stand to benefit significantly from this evolution, but cybersecurity must remain top-of-mind to protect against operational downtime, data loss and negative impact on lifecycle costs and brand reputation. With a multi-faceted strategy that includes power management in the equation, businesses can ensure that progress and protection go hand-in-hand.

About the Author

Hervé Tardy is Vice President of Marketing and Strategy for Eaton's Power Quality business unit in the Americas region. In this role, Hervé manages the Americas product roadmap for power solutions, software and connectivity products to reinforce Eaton's technology leadership. You can find more information at Eaton.com.
Ransomware and the Cybersecurity Industry's Problem of Perception

By Jack B. Blount, President and CEO, INTRUSION, Inc.

In the past year, we've seen ransomware attacks spike significantly, not only in frequency but also in scale. A recent Checkpoint Research report (CPR) noted a 57% increase in organizations affected by ransomware within the past 6 months.

Attacks by groups such as Babuk, Hafnium, DearCry and most recently Darkside have made big headlines, impacting large organizations, infrastructure, and public safety. And these attacks don't just affect the target companies: the recent attack on Microsoft affected more than 30,000 organizations using Microsoft Exchange servers. Before that, it was the Sunburst breach that, aside from creating other calamities, allowed these bad actors to look deep into Microsoft's software code, browsing to their heart's content. Now, the Colonial Pipeline ransomware attack resulted in one of the country's biggest suppliers of fuel to the East Coast being shut down for days, the ramifications of which are yet to be seen.

It is scary to think what destructive minds can do once they get unfettered access to the systems that run the world's commerce, education, manufacturing, critical infrastructure, defense, and even entire governments.
The most common worms and malware causing this surge are Ryuk and Maze. But there are other popular ones, Bad Rabbit, Cryptolocker, GoldenEye, Jigsaw, LeChiffre, Locky, NotPetya, Petya, and WannaCry, to name a few. As these existing malware families, along with an ever-increasing number of variants, gain momentum from well-funded and well-organized adversaries, we can expect to see a growing number of headlines about compromised organizations of all sizes.

WannaCry makes a comeback

It's no surprise that WannaCry is also rearing its ugly head. Back in 2017, the WannaCry outbreak infected as many as 200,000 computers within 72 hours. Using the EternalBlue exploit in Windows SMB (Server Message Block protocol), the malware could infect new victims on its own, spreading exponentially over the internet. WannaCry is still infecting Windows servers for one simple reason: they are unpatched. It's astonishing, really, that it's been four years since Microsoft released the fixes for WannaCry, yet unpatched servers still exist today. Common segments targeted by WannaCry are government/military, manufacturing, banking, and healthcare. According to CPR, the United States is the primary target, receiving 49% of all exploit attempts. Auditing of server software is needed immediately to identify unpatched servers, with special attention to those that haven't been powered up in a long time.
Looking at Cybersecurity from a New Angle

The reason these ransomware attacks continue to be successful is that the solutions we use to prevent cyberattacks haven't changed much. We continue to focus on signatures and an outside-in approach, giving organizations a false sense of security. The reality is that cybercriminals keep finding new ways to breach our outer layers of protection. Once they are in a network, they can live there for months, searching for an organization's most valuable data or assets. Because most solutions don't monitor outgoing traffic, these criminals are able to steal an organization's data and figuratively walk right out the door with it, with little to no monitoring.

It's time we start looking at cybersecurity with a new perspective, and focus on solutions that monitor both incoming and outgoing traffic. Hackers first accessed SolarWinds on September 4, 2019, and they got away with their code long before the malware was discovered. It had been living in that network for about nine months before it was detected; it had gotten past firewalls and other solutions meant to keep it out.

No matter the type, malware needs a connection in order to carry out its task of stealing data. Without being able to "call home" or connect to an outside server, it cannot deploy malicious code. Monitoring and immediately killing these connections is the only way to successfully prevent these damaging ransomware attacks that leave organizations in the impossible position of deciding whether to pay up or lose their valuable data, information and assets.
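The outgoing-traffic monitoring the article argues for, as an added example that is not from the article or from INTRUSION's products: it reads constructed outbound connection records, ignores internal and allowlisted destinations, and flags internal hosts that contact one outside address on a machine-like schedule (a "call home" beacon) or push an unusual volume of data out. The record format, the addresses, the allowlist and the thresholds are all constructed assumptions for this example.

```python
"""Egress monitoring sketch: flag 'call home' beacons and bulk outbound transfers.

Added example, not from the article. Input records are constructed lines of the form
    <ISO timestamp>,<src ip>,<dst ip>,<dst port>,<bytes out>
which is an assumed format, not any product's real log layout.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Destinations the business legitimately talks to (constructed placeholder addresses).
ALLOWED_DESTINATIONS = {"203.0.113.10", "203.0.113.11"}
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Tuning knobs (assumed defaults; a real deployment would tune these per environment).
MIN_CONNECTIONS = 4        # fewer than this and periodicity cannot be judged
MAX_JITTER = 0.15          # stdev/mean of inter-connection gaps; low means scheduled timing
EXFIL_BYTES = 50_000_000   # total bytes out to one destination that deserves a look


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_line(line: str):
    ts, src, dst, port, nbytes = line.strip().split(",")
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def external_flows(lines):
    """Group outbound connections by (src, dst), dropping internal and allowlisted targets."""
    flows = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = parse_line(line)
        if not is_internal(src) or is_internal(dst) or dst in ALLOWED_DESTINATIONS:
            continue
        flows[(src, dst)].append((ts, port, nbytes))
    return flows


def beacon_score(timestamps):
    """Return (mean gap in seconds, jitter) for a sorted list of connection times."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return 0.0, float("inf")          # not enough gaps to measure regularity
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_suspicious(lines):
    """Return findings for beacon-like and high-volume outbound flows."""
    findings = []
    for (src, dst), events in external_flows(lines).items():
        events.sort()                     # tuples sort by timestamp first
        total = sum(n for _, _, n in events)
        if total >= EXFIL_BYTES:
            findings.append({"src": src, "dst": dst, "reason": "volume", "bytes": total})
        if len(events) >= MIN_CONNECTIONS:
            period, jitter = beacon_score([t for t, _, _ in events])
            if jitter <= MAX_JITTER:
                findings.append({"src": src, "dst": dst, "reason": "beacon",
                                 "period_s": round(period), "count": len(events)})
    return findings


# Constructed sample: .20 beacons every ~5 minutes, .21 browses irregularly,
# .22 pushes 60 MB out in one go, .23 talks only to an allowlisted address.
SAMPLE_LOG = """\
2021-06-01T12:00:00,10.0.5.20,198.51.100.77,443,512
2021-06-01T12:00:00,10.0.5.21,198.51.100.50,443,2048
2021-06-01T12:00:05,10.0.5.23,203.0.113.10,443,9000
2021-06-01T12:00:30,10.0.5.21,198.51.100.50,443,1024
2021-06-01T12:01:00,10.0.5.20,10.0.1.1,445,4096
2021-06-01T12:02:00,10.0.5.22,198.51.100.9,443,60000000
2021-06-01T12:05:02,10.0.5.20,198.51.100.77,443,512
2021-06-01T12:07:00,10.0.5.21,198.51.100.50,80,300
2021-06-01T12:09:58,10.0.5.20,198.51.100.77,443,512
2021-06-01T12:15:01,10.0.5.20,198.51.100.77,443,512
2021-06-01T12:20:00,10.0.5.20,198.51.100.77,443,512
2021-06-01T12:30:00,10.0.5.21,198.51.100.50,443,700
"""


def run_example():
    return find_suspicious(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in run_example():
        print(f)
```

Timing regularity alone produces false positives (update checkers, monitoring agents), so in practice a beacon hit is a trigger for blocking and investigating the destination, not a verdict on its own.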
About the Author

Jack Blount is President and CEO of INTRUSION, Inc., a leading provider of entity identification, high speed data mining, cybercrime and advanced persistent threat detection products.

Blount has an extensive career in technology as a visionary in the personal computer, local area networking, ERP, mobile computing, big data, cybersecurity, and AI fields. Most recently, he was the founder of a strategic consultancy for enterprise, startup and federal government organizations. Prior to that, he served as CIO of the United States Department of Agriculture, where he was responsible for designing a new, 10-layer cyber security architecture protecting more than 100,000 employees and billions of dollars.

His experience also includes roles at IBM and Novell, where he served as SVP of Business Development and helped expand its business from $50M to $2B in just six years. Blount has served as the CTO, COO, and CEO of eight technology turnaround companies, and has served on twelve technology company Boards of Directors.

Blount graduated from Southern Methodist University with a degree in Mathematics and did his graduate MBA studies while working at IBM.

Jack can be reached online at our company website https://www.intrusion.com/
Easyjet Data Breach One Year On: What Are the Next Steps?

By Aman Johal, Director and Lawyer at Your Lawyers

The EasyJet 2020 data breach

On Wednesday 19th May, we passed the one-year anniversary of the EasyJet 2020 data breach hitting the headlines, one of the largest data breaches in UK history.

Resulting from a "highly sophisticated" attack, the personal details of around nine million EasyJet customers were exposed to hackers. While the airline was quick to claim that there was no evidence that any personal information had been misused, it did admit that, as well as email addresses and travel details, the hackers had stolen the credit card details of approximately 2,208 customers.

The stolen credit card data are understood to have included the three-digit security code, known as the CVV number, on the back of cards.

In a statement following the hack, EasyJet said it had gone public to warn the nine million customers whose personal details had been exposed. However, it did not provide any further details about the nature of the attack or the suspected motives. Instead, the airline's own investigation suggested that hackers were targeting the company's intellectual property, rather than hunting for information that could be used to commit crimes like identity theft.
The airline industry's poor record on cybersecurity

The airline industry does not have a great track record concerning cybersecurity. In 2018, it was discovered that the personal details of almost half a million British Airways customers had been harvested by hackers over two separate attacks. Users of the airline's website and app had their data copied to criminals who had exploited a weakness in the payment processing systems. The personal information exposed included full names, debit and credit card numbers, addresses, email addresses, and CVV numbers.

The Information Commissioner's Office originally announced an intention to fine British Airways £183 million for the breach. However, this was dramatically reduced to just £20 million in October 2020.

You would hope that the British Airways data breach debacle was a warning to the airline industry. Unfortunately, it appears that such warnings have fallen on deaf ears. On May 23rd, Air India said that the personal data of about 4.5 million passengers had been compromised following an incident at SITA, the Indian flag carrier airline's data processor.

The stolen information included passengers' names, credit card details, dates of birth, contact information, passport information, ticket information, and frequent flyer data.

While Air India claimed it did not hold CVV/CVC data, it did encourage passengers to change passwords "wherever applicable to ensure the safety of their personal data".

The potential compensation payouts for EasyJet

In this sense, the type of data stolen in the Air India hack is similar to the EasyJet breach in 2020, so we can use past breaches, such as the British Airways hack, to estimate the likely compensation pay-out for victims of EasyJet's data breach.

For the British Airways data breach, we believe that the average compensation awards could be in the region of £6,000 for each claimant, meaning that the airline could face a potential compensation bill of up to £2.4 billion. Based on current case law, which is the foundation on which the Judge will assess the British Airways case, together with data from our own settled claims, we can estimate that average settlements for data protection and privacy breach cases are in the region of £6,500 for damages, with common amounts ranging from around £500 to £15,000.

Any victims of the EasyJet data breach should keep these compensation figures in mind and remember that data breaches are often caused by businesses not adhering to best practice when implementing cybersecurity measures. The process of claiming compensation is often far simpler than first imagined and, as illustrated by our updated compensation estimates, there can be significant financial rewards for claimants seeking the compensation they are owed.
About the Author

Aman founded consumer action law firm Your Lawyers in 2006, and over the last decade he has grown Your Lawyers into a highly profitable litigation firm.

Your Lawyers is a firm which is determined to fight on behalf of Claimants and to pursue cases until the best possible outcomes are reached. They have been appointed to Steering Committee positions by the High Court of Justice against big corporations like British Airways, the first GDPR GLO, as well as in the Volkswagen diesel emissions scandal, which is set to be the biggest consumer action ever seen in England and Wales.

Aman has also successfully recovered millions of pounds for a number of complex personal injury and clinical negligence claims through to settlement, including over £1.2m in damages for claimants in the PIP Breast Implant scandal. Aman has also been at the forefront of the new and developing area of law of compensation claims for breaches of the Data Protection Act, including the 56 Dean Street Clinic data leak and the Ticketmaster breach.
Ransomware, the Ultimate Cyber Threat to Municipalities

With 45% of ransomware attacks targeting municipalities, something must shift the needle.

By Yehudah Sunshine, Head of PR, odix

Municipalities face the risk of persistent cyber-attacks in every direction. From embedded malware in file attachments, malicious code uploaded via removable media, and the endless risk of viruses and dubious data uploaded via self-service/file transfer portals, municipalities and local governments are increasingly in the crosshairs of hackers, state-sponsored cyber campaigns, and opportunists looking to cash out at the expense of local coffers.

Much like on the physical battlefield, the only way to manage the risks and prioritize threats is through triage. In the case of municipalities, that means focusing on ransomware and its devastating effects in order to secure the data and vital resources needed to keep communities operating.

Why are municipalities so vulnerable to attack?

Municipalities have become a beacon to cybercriminals due to their role as a storehouse for vast swaths of private data, which are more often than not poorly protected by out-of-date security protocols littered with excessive system admins and countless security gaps. The data, ranging from tax information and voting records to social security numbers and everything in between, if compromised can result in extensive financial liability to the municipality and far greater loss to the individuals.
Further exacerbating the situation, municipalities are required by law to be transparent and provide their constituency with vast data points on any number of vital services or projects they may implement. While the public may appreciate this consideration, hackers have capitalized on this obligation to exploit the public infrastructure for personal gain.

"Because local governments maintain sensitive personally identifiable information, they have a fiduciary duty to safeguard that information. As large-scale data breaches continue to make headlines, local governments must make cybersecurity a priority."

Between the financial obligations and the massive and publicly embarrassing cyber-attacks which have plagued cities for the past 5 years, many prominent voices are demanding broader municipal cyber accountability and a cohesive strategy for mitigating cyber risk.

Why do 45% of ransomware attacks target municipalities?

Municipalities have become a major focal point for hackers because they often fail to implement effective data protection policies. From rarely backing up data, not implementing multifactor authentication, and failing to provide consistent cybersecurity education for their employees, to not deploying innovative endpoint and cloud security solutions, municipalities' significant and easily exploited weak points make them particularly susceptible to attack.

Complicating matters, "Small and medium-sized cities [often] do not have the resources or funds they need to invest in IT security. Cities also struggle to keep pace with technology. For example, refresh cycles may not be timely because of the required continuity of their services for its citizens, or new IP-based delivery activities are implemented on aging computer systems. Additionally, municipalities deal with fractured organizational structure and public-sector bureaucracy, which lead to slower deployment of security measures."

As a direct culmination of a lack of effective IT governance and a proven history of paying ransoms, attackers continue to target municipalities for massive financial gains.

How to mitigate the risks?

Municipalities must tactfully balance the needs for prevention, deterrence, identification, and discovery of the attack itself with an effective strategy for response, crisis management, damage control, and eventually a protocol to return to regular operations. The complexity of this task demands a comprehensive understanding of the interplay of malicious players and the expanding attack surface to win the battle of critical infrastructure cybersecurity.

It is critical that municipalities prioritize cyber threats, allocate much-needed funds to implement important technical solutions, and instill a holistic cybersecurity culture from the top down, through the support of key leaders and ongoing employee education, to build cyber resilience through the application of industry best security practices.
About the Author

Yehudah Sunshine, Head of PR, odix. Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create and enhance marketing strategies and cyber-driven thought leadership for odix, an Israel-based cybersecurity start-up.

Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy. Yehudah can be reached online at Yehudah@odi-x.com and https://www.linkedin.com/in/yehudah-sunshine/ and at our company website http://www.odi-x.com
Operational Technology (OT) Ransomware - How Did We Get Here?

By Lior Frenkel, CEO and Co-Founder, Waterfall Security Solutions

In the last 18 months, ransomware was responsible for all disclosed shutdowns of OT networks, manufacturing plants and other physical operations. High profile victims include the Colonial Pipeline, JBS meat packing plants, a Honda factory and X-FAB's semiconductor plants. What's going on here?

Mega-Trends

To an extent, this problem reflects long-standing trends in industry and in computing. For decades, business operations, and more recently physical operations, have been automating steadily, deploying ever more computer networks and ever more software. All of this comes "built in" with hidden defects, software vulnerabilities and the potential for mis-configuration and mis-operation. The result is a steadily increasing population of targets for ransomware.

Looking deeper, networking is the lifeblood of modern automation. The problem is that all cyber-sabotage attacks have the ability to move between computers and within networks, and all network connections can convey such attacks. With a constantly increasing pool of connected targets, it makes perfect sense that we see steadily more cyber attacks shutting down physical operations.
A second reason for the increase in ransomware is, bluntly, cryptocurrency. In the early days of ransomware, criminals depended on credit card payments, bank transfers, or even cash. However, credit card vendors were not keen to cooperate in criminal ventures, bank transfers were easily traceable, and cash required physical access. Reliable, untraceable, and anonymized payment processing was a problem. Today, pretty much all ransomware actors receive payment in cryptocurrencies, as they are much less susceptible to influence by legitimate authorities than are other payment mechanisms. Entire underground economies have emerged to launder such funds. With reasonably reliable ways of being paid, the profits for ransomware criminal groups are increasing sharply.

A third reason for the increase in ransomware with OT consequences is the widespread use of sophisticated attack tools and techniques. In the last decade, nation-state-grade attack tools have leaked into the public domain. The most prominent such incident was the Shadow Brokers releasing materials they stole from the "Equation Group," a group widely believed to be a branch of the US National Security Agency (NSA). There was a day when many organizations would ask "Yes, these nation-state attacks are powerful, but we're just not that important - why would anyone spend an attack that powerful on us?" Today the answer is clear - criminal groups are using the tools and techniques of nation-states. These groups target anyone with money. Do you have money?

OT Consequences

The most serious OT consequences attributed to ransomware in the last 18 months have been production shutdowns, with the biggest in US history being the recent Colonial Pipeline shutdown. Details of exactly how the ransomware triggered these shutdowns vary - some ransomware, such as SNAKE/EKANS variants, targets and penetrates OT systems specifically. Other ransomware targets IT networks and impairs IT systems that are vital to physical operations. Still other attacks target IT networks, but enterprises shut down their physical operations as a precautionary measure. In all cases, the result is the same, with the same damage.

Enterprises with physical operations are valuable ransomware targets, whether or not OT networks are specifically targeted by the criminals. This is because OT networks are soft targets. A great deal of production equipment is very sensitive - recertifying an OT network for safe and reliable operation after a significant software upgrade can be extremely expensive and can take days, weeks and sometimes even longer. Most organizations are not willing to incur this expense at all frequently, resulting in large numbers of old versions of operating systems and applications running in those networks. An attack that gets loose in one of these networks can do a great deal of damage very quickly.

Couple this with the fact that physical operations represent huge investments in infrastructure, raw materials, and lost opportunities during shutdowns, and it is no surprise that many industrial operations are willing to pay large ransoms in hopes of materially reducing the duration and severity of shutdowns. In recent events, Colonial Pipeline has admitted to paying $4.4 million in ransom, though part of that ransom was later recovered by authorities. The JBS organization is reported to have paid $11 million.
OT <strong>Cyber</strong> Solutions<br />
To try and reduce OT consequences due to ransomware attacks, enterprises need OT-specific security<br />
monitoring solutions, coupled with IT security monitoring systems, good backups regimes, and practiced<br />
incident response teams. We should not, however, confuse these measures with each other. In terms of<br />
the NIST Framework, we prevent downtime with protective security measures, while we reduce the<br />
duration of downtime with detective, responsive and recovery measures. The top goal of any OT security<br />
program is to prevent production downtime due to ransomware.<br />
OT-specific protective measures include securely designed network segmentation, use of unidirectional<br />
security gateways, secure scheduled updates, and very secure remote access systems. Making physical<br />
operations networks impervious to ransomware both reduces production risks and reduces the urgency<br />
of any ransomware payment. When IT networks are compromised by ransomware, robust OT security<br />
measures give us the time we need to recover those IT systems from backups without paying the<br />
criminals. Robust OT security allows production to continue throughout the IT outage - gasoline is still in<br />
the pipeline, and finished goods are still coming out of the manufacturing plants.<br />
What do we do?<br />
Do not believe criminals who claim, like DarkSide did with the Colonial Pipeline, that OT consequences<br />
are not their intent. So long as enterprises with physical operations are more likely than average to pay<br />
ransoms, criminals will continue to target those enterprises. Only when we stop paying the criminals for<br />
targeting businesses with industrial operations will the criminals find other targets.<br />
About the Author<br />
Lior Frenkel, CEO & Co-Founder of Waterfall Security<br />
Solutions. With more than 20 years of hardware and software<br />
research and development experience, Mr. Frenkel leads<br />
Waterfall Security with extensive business and management<br />
expertise. As part of his thought leadership and contribution<br />
to the industry, Lior serves as a member of management at the<br />
Israeli High-Tech Association (HTA), of the Manufacturers’<br />
Association of Israel and Chairman of the <strong>Cyber</strong> Forum of<br />
HTA. Lior can be reached at @WaterfallSecure and at our<br />
company website www.waterfall-security.com.<br />
A Case of Identity: A New Approach To User Authentication<br />
Protecting Personal Credentials Remains The Weakest Link In Data Security.<br />
By Benjamin Kiunisala, Head of Customer Engagement, TrustGrid Pty, Ltd<br />
Protecting identity and personal credentials remains the weak link in data security. As infosec managers<br />
strengthen the wall around enterprise assets and apply new strategies to protect cloud data, individual<br />
users still fall prey to phishing attacks and have their credentials stolen, putting enterprise data at risk.<br />
Identity theft continues to be the primary source of data breaches, and with the new movement toward<br />
work-from-home following the COVID-19 pandemic, it has become more important than ever to secure<br />
individual identity and prevent data from being compromised due to human error. It’s time to rethink user<br />
authentication.<br />
The number of cyberattacks designed to steal personal identity continues to skyrocket. According to the<br />
U.S. Federal Trade Commission, the number of identity theft cases doubled from 2019 to 2020, with a<br />
spike immediately following the coronavirus lockdown. The new work-from-home business culture makes<br />
identity theft even more attractive since employee credentials can unlock enterprise access as well as<br />
enabling identity theft. As a result, employers are seeing a rise in problems related to stolen credentials.<br />
With the coming of the COVID-19 pandemic, organizations found themselves scrambling to extend<br />
security to work-from-home employees. To promote business continuity and still maintain systems<br />
security, companies realized they had to secure employees’ home networks, laptops, and mobile devices.<br />
At the same time, more than half of workers reported having to find a workaround to security measures<br />
to do their jobs.<br />
The old security strategies are inadequate to support the new remote workforce. What is needed is a<br />
new approach that makes personal security and identity authentication easy, foolproof, and cost-effective.<br />
A digital trust ecosystem could be the golden ticket to security. But organizations must first<br />
learn from the pandemic and adapt to the challenges it presents.<br />
Security Lessons Learned from the Pandemic<br />
Among the emerging trends from the pandemic is the new work-from-home culture. According to Gartner,<br />
82% of corporate leaders plan to make some form of remote work-from-home policy permanent. What<br />
started as a scramble to support a new remote workforce is now an enduring part of the enterprise<br />
landscape. While maintaining firewalls and malware protection is still essential, infosec managers also<br />
must give more attention to securing home offices and validating remote worker credentials.<br />
Authenticating individual employees is an ongoing challenge for the enterprise. While reports of malware<br />
attacks are down, phishing attacks are on the rise with companies reporting an average of 1,185 attacks<br />
per month, with most attacks seeking to acquire user credentials. No matter how resilient a company’s<br />
security measures are, user behavior continues to be a wild card. Any employee can be fooled by a<br />
phishing attack and inadvertently hand their keys to corporate access to a cybercriminal.<br />
Personal identity continues to be the weak link in security. By acquiring the right personal information,<br />
cybercriminals gain unauthorized access to business assets, personal finances, medical records, and<br />
more, or they can use stolen credentials to open fraudulent accounts. Since individual user authentication<br />
is the weak point in security, there must be a better approach to secure identity.<br />
The ideal solution is to create a unique, foolproof personal identifier that stays with the individual. Such<br />
an identifier must be able to authenticate identity without revealing personal information that can be used<br />
for identity theft, such as a social security number or even a mother’s maiden name. Managing these<br />
individual credentials also must create little or no work for infosec while still giving them the means to<br />
control access to enterprise assets.<br />
Implementing a digital trust ecosystem based on distributed ledger technology like that used in blockchain<br />
offers the ideal approach.<br />
Creating a Digital Trust Ecosystem<br />
Distributed ledger technology has created new possibilities for managing digital identity. Unlike a<br />
traditional database, distributed ledgers record transactional or record details in multiple locations at the<br />
same time, with each node verifying every item to create a consensus. For identity management, using a<br />
distributed ledger allows you to authenticate identity or credentials without exposing the credentials<br />
themselves. The only thing that is revealed is that the distributed ledger system has verified the<br />
information to prove identity.<br />
Using distributed ledger technology, you can create a digital trust ecosystem as a SaaS platform. This<br />
approach can be used by a single organization, such as a company, or it can be established as a<br />
confidential consortium where multiple entities use the same digital identity verification system.<br />
While the underlying technology of a digital trust ecosystem is somewhat complex, the practical approach<br />
is simple:<br />
1. It starts with a trusted attribute authority that validates identity information. It could be a<br />
government agency such as the Department of Motor Vehicles, or it could be a private company.<br />
2. Users who want to participate need to onboard with the consortium. That way they stay in control of<br />
who has access to their identity data.<br />
3. During the onboarding process, their identity is verified. The attribute authority validates<br />
individuals using whatever information is necessary, such as a social security number, birth certificate,<br />
or login credentials, and that data is protected using a distributed ledger. The individual is then given a<br />
unique authenticator, such as a QR code.<br />
4. Any organization can opt into the same consortium to authenticate user identity. Since none of<br />
the credentials themselves are exposed, there is no risk of identity theft, and there is no longer any need<br />
to share passwords or login credentials.<br />
The benefit of this approach is the unique identifier follows the user, so the same code can be used for<br />
multiple applications. Anyone who wants to use the system simply downloads a QR reader for their<br />
smartphone. There is no added work for IT or infosec to secure enterprise users, and the same identity<br />
can be extended to partners, suppliers, and other parties without having to set up new credentials each<br />
time.<br />
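The onboarding and verification steps above, as an added Go example that is not part of the article or of TrustGrid's platform: the attribute authority validates the person off-ledger, then signs a credential that commits to the verified attribute by salted SHA-256 hash; the "ledger" is stood in for by a plain map of issuer public keys and revoked subjects; and a relying party checks issuer signature, expiry and revocation without ever seeing the attribute. The issuer name "dmv-example", the subject id "user-42" and the licence value are constructed placeholders, and Ed25519 is an assumed choice of signature scheme.<br />

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is what the holder carries (for instance encoded in the QR code the
// article mentions). It names the issuer and commits to the verified attribute by
// salted hash; the attribute itself never leaves the holder.
type Credential struct {
	Issuer     string `json:"issuer"`
	SubjectID  string `json:"subject_id"`
	Commitment string `json:"commitment"` // hex(SHA-256(salt || attribute))
	Expires    int64  `json:"expires"`    // unix seconds
}

// Ledger stands in for the distributed ledger every consortium member can read:
// issuer public keys and revoked subjects. (Constructed simplification: a map.)
type Ledger struct {
	IssuerKeys map[string]ed25519.PublicKey
	Revoked    map[string]bool
}

// commit hashes an attribute with a random salt so the commitment reveals nothing.
func commit(salt []byte, attribute string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(attribute))
	return hex.EncodeToString(h.Sum(nil))
}

// Issue is run by the attribute authority after it has validated the person. It
// returns the credential, the issuer signature, and the salt the holder keeps private.
func Issue(issuer string, priv ed25519.PrivateKey, subject, attribute string, ttl time.Duration) (Credential, []byte, []byte, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Credential{}, nil, nil, err
	}
	cred := Credential{Issuer: issuer, SubjectID: subject, Commitment: commit(salt, attribute), Expires: time.Now().Add(ttl).Unix()}
	msg, err := json.Marshal(cred)
	if err != nil {
		return Credential{}, nil, nil, err
	}
	return cred, ed25519.Sign(priv, msg), salt, nil
}

// Verify is run by any relying party: issuer signature, expiry and revocation are
// checked against the ledger without the underlying attribute ever being seen.
func Verify(l *Ledger, cred Credential, sig []byte, now time.Time) error {
	pub, ok := l.IssuerKeys[cred.Issuer]
	if !ok {
		return errors.New("unknown issuer")
	}
	msg, err := json.Marshal(cred)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("bad signature")
	}
	if now.Unix() > cred.Expires {
		return errors.New("credential expired")
	}
	if l.Revoked[cred.SubjectID] {
		return errors.New("credential revoked")
	}
	return nil
}

// Disclose lets the holder prove the attribute to a party that legitimately needs it;
// the verifier recomputes the commitment from the revealed salt and value.
func Disclose(cred Credential, salt []byte, attribute string) bool {
	return commit(salt, attribute) == cred.Commitment
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ledger := &Ledger{IssuerKeys: map[string]ed25519.PublicKey{"dmv-example": pub}, Revoked: map[string]bool{}}
	// Constructed sample: the authority validated a placeholder licence number for subject user-42.
	cred, sig, salt, _ := Issue("dmv-example", priv, "user-42", "LICENCE-000-TEST", 24*time.Hour)
	fmt.Println("verified:", Verify(ledger, cred, sig, time.Now()) == nil)      // true
	fmt.Println("disclosure ok:", Disclose(cred, salt, "LICENCE-000-TEST"))      // true
	sig[0] ^= 0xff                                                               // a tampered signature must be rejected
	fmt.Println("tampered:", Verify(ledger, cred, sig, time.Now()))              // bad signature
}
```

Everyone who scans the credential learns only that a trusted issuer vouched for this subject and that the credential is current and unrevoked, which is the property the article describes; the holder alone decides when to reveal the salt and value to a party that needs the attribute itself. A production ledger would also handle issuer key rotation and per-credential rather than per-subject revocation, which this example omits.<br />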
The future of enterprise security needs to focus more on secure identity authentication and less on<br />
protecting assets with passwords and biometrics. By adopting distributed ledger technology,<br />
authentication credentials can be made secure while giving users a digital identity card that is impossible<br />
to counterfeit and can potentially be used everywhere. The potential applications for a digital identity card<br />
go well beyond employee verifications. It can be used for professional certifications, travel authorization,<br />
even for vaccine passports. You can protect personal medical data in the same way you protect<br />
passwords and personal identifiers. The technology is already being used in New South Wales to issue<br />
digital drivers’ licenses and professional trade licenses.<br />
By having security reside with the individual rather than using passwords or access keys, you place the<br />
user in control of authentication while providing infosec managers with the means to authenticate<br />
employees without adding security overhead. That’s a secure and scalable approach for everyone.<br />
About the Author<br />
Benjamin Kiunisala is Head of Customer Engagement at TrustGrid Pty,<br />
Ltd. TrustGrid enables governments and organizations to create<br />
secure digital ecosystems anywhere in the world with sovereign control<br />
of data and maximized citizen privacy. TrustGrid orchestrates multiple<br />
state-of-the-art technologies into a single platform, combining<br />
innovative cryptography, data privacy, confidential computing and<br />
distributed ledger technology into a highly customizable digital<br />
ecosystem platform. Benjamin can be reached online at<br />
benjamink@trustgrid.com and at our company website<br />
http://trustgrid.com/<br />
A 3-Part Plan for Getting Started with <strong>Cyber</strong>security<br />
By Doug Folsom, President of <strong>Cyber</strong>security and Chief Technology Officer, TRIMEDX<br />
Imagine a hospital has just added a host of MRI scanners and infusion pumps to its network.<br />
Responsibility for the security of the devices is murky: Are clinical engineers the primary caretakers, or do<br />
information technology teams monitor those devices? It’s often unclear, and in the confusion, devices are<br />
left vulnerable. The situation is a cybercriminal’s dream, and it happens more often than expected.<br />
Years ago, the lines on device management were clear: Clinical engineering (CE) monitored medical<br />
equipment while IT managed the network and the corresponding data. However, the increase in the sheer<br />
number of devices connected to the internet has blurred these lines and made it easier for devices to fall<br />
through the cracks.<br />
Not only that, but additional “gray zone” connected devices are often overlooked. If a refrigerator is used<br />
to store COVID-19 vaccines, is it considered a medical device? Such questions have not all been<br />
answered, leaving holes in cybersecurity efforts that criminals are taking advantage of.<br />
Thankfully, having a robust cybersecurity plan can help hospitals prevent threats by assigning ownership<br />
to connected devices, effectively eliminating much of the vulnerability for cybercrime.<br />
<strong>Cyber</strong>security is not optional<br />
Let’s be clear: Hospital cybercrime is not going away anytime soon. With nearly 70% of medical devices<br />
expected to be network-connected by 2025, hospitals will be more vulnerable than ever, creating a need<br />
for awareness of what they own and who's responsible for it.<br />
While not the prime entry point for a cyberattack, connected devices are an opening for cybercriminals<br />
to exploit. Criminals have recognized the ability to “kidnap” devices, shut down critical hospital operations<br />
and demand a ransom. A recent joint advisory by the <strong>Cyber</strong>security and Infrastructure Security Agency,<br />
the Department of Health and Human Services and the FBI says there’s “credible information of an<br />
increased imminent cybercrime threat to U.S. hospitals and healthcare providers.”<br />
Not only are hospital cyberattacks dangerous for patients, but they’re costly. According to research by<br />
Comparitech, last year alone over 91 US healthcare organizations suffered some type of ransomware<br />
attack, with an estimated cost of nearly $21 billion. The resulting administrative effects of an attack —<br />
canceled appointments, lost records and potential lawsuits — can prove damaging both financially and<br />
reputationally.<br />
Step 1: The framework<br />
The first step toward establishing medical device cybersecurity is to develop an overall idea of what<br />
effective cybersecurity efforts look like. The NIST <strong>Cyber</strong>security Framework Core defines five basic<br />
activities to get there:<br />
Identify: Analyze existing inventory to establish an accurate baseline to work with. Determine whether<br />
security policies and procedures are aligned across CE and IT responsibilities.<br />
Protect: Ensure that physical and remote access to CE assets are protected. Develop a formal<br />
management process for any clinical assets that lasts throughout installation, maintenance, transfers and<br />
disposition.<br />
Detect: Monitor personnel activity to detect potential cybersecurity threats. Continuously improve<br />
detection processes through monitoring and adjustment.<br />
Respond: Establish a response plan in case of an incident. Implement established criteria for any<br />
incident reports.<br />
Recover: Plan recovery training and testing for CE and IT teams in response to an incident. Consider<br />
hospital reputation in recovery plan development.<br />
The first and most important step toward effective cybersecurity efforts is to ensure that CE and IT teams<br />
are aligned on ownership of devices with a roadmap for shared responsibility.<br />
Step 2: The action plan<br />
After you’ve walked through the framework to develop a sense of where you currently stand, the next step<br />
is to implement a plan of action. Be sure to equip your core CE team with a reliable asset inventory<br />
before it joins the cybersecurity effort. Having a comprehensive assessment of inventory allows both<br />
teams to better identify risks and cross-reference vulnerabilities.<br />
Once teams have been assigned responsibilities, move to other functions to ensure device security.<br />
Prioritize data collection and vulnerability tracking and research, as well as OEM management and<br />
relationships. Monitor patches and address them efficiently. Having an idea of current and potential<br />
device vulnerabilities can best help CE and IT teams spot problems before they become threats.<br />
As threats continue to evolve, it’s important that cybersecurity action plans evolve with them.<br />
Implementing all of these pieces together enables CE and IT teams to reduce, detect and counter threats<br />
before they have a chance to do lasting damage.<br />
Step 3: The execution<br />
With a tailored action plan in place, you’re finally ready to set everything moving. Don’t treat medical<br />
devices like normal workplace devices — they aren’t. A laptop in the office is not the same as a monitor<br />
in the hospital.<br />
OEMs are great resources for helping to address vulnerabilities because they know the devices better<br />
than anyone. Ensure that all patches and remediations are validated by the manufacturer before<br />
implementing them. If unsure of installation procedures, request instructions and updated manuals. The<br />
best way to start is by identifying clinical equipment with critical vulnerabilities for which there are already<br />
OEM-validated patches to install. Be sure to record those efforts in the computerized maintenance<br />
management system (CMMS) inventory.<br />
Consider integrating a network-based medical device monitoring solution as well. These tools help in<br />
streamlining and expanding connected device inventory, and they enable collaboration and transparency<br />
between CE and IT teams.<br />
It’s easy to be shaken by the potential of a cybersecurity threat, especially given what attacks can do to<br />
hospital systems. Luckily, there are solutions available for administrators who are ready to implement<br />
them. By using a framework to get started, a plan of action and effective execution, hospitals have the<br />
ability to help their teams protect against the damage that cyberattacks can cause.<br />
About the Author<br />
Doug Folsom is president of cybersecurity and chief technology<br />
officer for TRIMEDX, an industry-leading, independent clinical<br />
asset management company delivering comprehensive clinical<br />
engineering services, clinical asset informatics and medical device<br />
cybersecurity. Doug has nearly 30 years of information technology<br />
leadership experience. Previously, he held positions at Kohl’s<br />
Department Stores, Sterling Commerce and The Spiegel Group.<br />
He earned his master’s degree in business from Ohio University<br />
and a bachelor’s degree in electrical engineering technology from<br />
DeVry Institute of Technology.<br />
How to Deal with Online Security<br />
Security Considerations for the Post-COVID, Cloud-First World<br />
By Gary Alterson, Vice President Security Solutions, Rackspace Technology<br />
Organizations have always had to think about protection. Locks on the storefront may have done the job<br />
back in the day, but as interactions become more digital, organizations face an increasingly elaborate<br />
threat landscape. The constant cycle of change, reaction and evolution is like an arms race between<br />
defenders and adversaries.<br />
A decade ago, we were talking about firewalls and how to protect networks. Today, the focus is on how<br />
to protect companies as they move to cloud native environments, tinker with low-code/no-code<br />
development and exploit data with AI and machine learning. The new technology landscape means<br />
preparing for new cybersecurity realities. As organizations forge into adopting cloud native environments,<br />
there are four areas that require significant focus.<br />
1. Endpoint and user protection<br />
However good their intentions, the biggest security vulnerability in any organization is your<br />
own people. Even with cybersecurity training, employees make mistakes, and it only takes one<br />
mistake to create a catastrophe.<br />
Train your people to be a little bit more paranoid. Users should be on high alert for suspicious<br />
emails, social engineering attempts and other low-tech intrusion tactics. Establishing visibility via<br />
sophisticated endpoint security monitoring and management tools adds an extra layer of<br />
protection to detect and respond to intrusions. Basic endpoint security diligence can no longer be<br />
achieved via basic anti-virus.<br />
2. Zero Trust<br />
As you provide access to your systems, it’s critical that you ensure that the person on the endpoint<br />
and the endpoint itself are trustworthy. Even after authenticating to the network, users should<br />
only be able to access what they need to complete their job — so that access to the most sensitive<br />
data is limited. That's the basis of Zero Trust security: don’t extend full trust to anyone or anything.<br />
Multi-factor authentication helps to further confirm an authorized device is used by an authorized<br />
individual. With so many workers using BYOD and working off of the corporate network,<br />
authentication should also validate the trustworthiness of the device itself by, for example, testing<br />
for patching or up-to-date security software.<br />
To limit the impact of a potential incident, be sure to implement layers — like segmentation,<br />
intrusion prevention and host-based protection — to help provide defense-in-depth security. With<br />
overlapping layers, if one fails, there’s another layer of protection.<br />
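A minimal access decision that applies the checks in this section, role-based least privilege, MFA for sensitive data, and device posture (patch age, a running security agent, management enrolment), as an added Go example that is not code from the article or from Rackspace. The 30-day patch window, the struct fields, and the sample users, devices and resource are assumptions constructed for illustration.<br />

```go
package main

import (
	"fmt"
	"time"
)

// Device is the posture reported by the endpoint agent (constructed fields).
type Device struct {
	ID            string
	Managed       bool      // enrolled in device management
	LastPatched   time.Time // OS patch level timestamp
	SecurityAgent bool      // endpoint security software running
}

// Session describes who is asking and how strongly they authenticated.
type Session struct {
	User  string
	Roles map[string]bool
	MFA   bool
}

// Resource carries its sensitivity and the roles allowed to reach it: the
// "only what they need to complete their job" rule.
type Resource struct {
	Name         string
	Sensitive    bool
	AllowedRoles []string
}

// maxPatchAge is a policy parameter; 30 days is an assumed value, not from the article.
const maxPatchAge = 30 * 24 * time.Hour

// Decision is the outcome plus every reason for denial, so the caller can write a
// complete audit record instead of a bare "denied".
type Decision struct {
	Allow   bool
	Reasons []string
}

// Authorize applies the Zero Trust checks: role (least privilege) and device trust
// for every request, plus MFA whenever the resource is sensitive.
func Authorize(s Session, d Device, r Resource, now time.Time) Decision {
	var reasons []string
	hasRole := false
	for _, role := range r.AllowedRoles {
		if s.Roles[role] {
			hasRole = true
			break
		}
	}
	if !hasRole {
		reasons = append(reasons, "role not permitted for resource")
	}
	if !d.Managed {
		reasons = append(reasons, "device not managed")
	}
	if !d.SecurityAgent {
		reasons = append(reasons, "endpoint security agent missing")
	}
	if age := now.Sub(d.LastPatched); age > maxPatchAge {
		reasons = append(reasons, fmt.Sprintf("patch level %d days old", int(age.Hours()/24)))
	}
	if r.Sensitive && !s.MFA {
		reasons = append(reasons, "MFA required for sensitive data")
	}
	return Decision{Allow: len(reasons) == 0, Reasons: reasons}
}

func main() {
	now := time.Date(2021, 7, 1, 12, 0, 0, 0, time.UTC)
	// Constructed sample: a finance user who completed MFA, first from a personal laptop, then a managed one.
	sess := Session{User: "alice", Roles: map[string]bool{"finance": true}, MFA: true}
	byod := Device{ID: "laptop-byod", Managed: false, LastPatched: now.Add(-90 * 24 * time.Hour), SecurityAgent: false}
	corp := Device{ID: "laptop-corp", Managed: true, LastPatched: now.Add(-3 * 24 * time.Hour), SecurityAgent: true}
	payroll := Resource{Name: "payroll-db", Sensitive: true, AllowedRoles: []string{"finance"}}
	fmt.Printf("%+v\n", Authorize(sess, byod, payroll, now)) // denied with three reasons
	fmt.Printf("%+v\n", Authorize(sess, corp, payroll, now)) // allowed
}
```

The same authenticated user is denied from the unmanaged, unpatched laptop and allowed from the healthy one, which is the point of evaluating the device on every request rather than trusting the network position. Collecting all failing checks, rather than returning on the first, gives the detection side a richer record of why access was refused.<br />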
3. System hygiene<br />
Many of the security breaches we hear about in the news could have easily been avoided. Why?<br />
Because the victims hadn’t installed the latest security patches. The result is usually weeks of cleanup,<br />
significant financial impact and the possibility of significant business disruption.<br />
Hygiene is just as important in your cloud environment. Unlike physical systems, cloud hygiene<br />
embraces automation. Instead of patching, you'd bring up new images and take down old images<br />
and VMs, but it's the same basic hygiene principles. As you start using serverless and functions<br />
to build applications, make sure that you're taking care of basic security hygiene within your code.<br />
4. Security automation<br />
Security threats can happen in seconds, so AI and machine learning are becoming indispensable<br />
in quickly identifying and acting on anomalies. Behavioral analytics monitors the behaviors of<br />
objects in the cloud, network devices or users to see potential threats. Having that computer-based<br />
eye lets you detect and respond to incidents before they turn into attacks.<br />
Instead of waiting for someone to manually respond to an alert, automated tools can be set to<br />
detect atypical behavior, determine whether it's malicious and respond to it based on your<br />
predetermined parameters. Automation enables the system to see when activity looks odd and<br />
flag it or automatically block access altogether.<br />
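To make the detect, decide and respond loop concrete, here is an added Go example (not from the article or from Rackspace) that scores constructed authentication log lines against a per-user baseline and maps the score to the two automated outcomes named above, flag or block. The log format, the scoring weights and the thresholds are assumptions for the example; the sample source addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.<br />

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed sign-in record from the constructed log format used here.
type Event struct {
	When      time.Time
	User, Geo string
	Success   bool
}

// Baseline is a user's learned "normal": countries seen before and usual hours (UTC).
type Baseline struct {
	KnownGeo             map[string]bool
	ActiveFrom, ActiveTo int // [from, to) hours
}

// Action is the automated response, ordered by severity.
type Action int
const (
	Ignore Action = iota // normal activity
	Flag                 // alert an analyst
	Block                // deny and force re-authentication
)

// ParseEvent reads "<RFC3339 time> key=value ..." lines; unknown keys are ignored.
func ParseEvent(line string) (Event, error) {
	when, err := time.Parse(time.RFC3339, strings.SplitN(line, " ", 2)[0])
	if err != nil {
		return Event{}, err
	}
	kv := map[string]string{}
	for _, f := range strings.Fields(line)[1:] {
		parts := strings.SplitN(f, "=", 2)
		if len(parts) != 2 {
			return Event{}, fmt.Errorf("bad field %q", f)
		}
		kv[parts[0]] = parts[1]
	}
	return Event{When: when, User: kv["user"], Geo: kv["geo"], Success: kv["result"] == "success"}, nil
}

// Assess scores independent anomaly signals and maps the total to an Action (weights and thresholds are example assumptions).
func Assess(ev Event, b Baseline, priorFailures int) (int, Action) {
	score := 0
	if !b.KnownGeo[ev.Geo] {
		score += 2 // first sign-in from this country
	}
	if h := ev.When.UTC().Hour(); h < b.ActiveFrom || h >= b.ActiveTo {
		score++ // outside the user's usual hours
	}
	if priorFailures >= 3 {
		score += 2 // success right after a burst of failures
	}
	switch {
	case score >= 3:
		return score, Block
	case score >= 1:
		return score, Flag
	}
	return score, Ignore
}

// Triage processes lines in order, counting failures per user so a later success is judged in that context.
func Triage(lines []string, baselines map[string]Baseline) ([]Action, error) {
	var actions []Action
	failures := map[string]int{}
	for _, ln := range lines {
		ev, err := ParseEvent(ln)
		if err != nil {
			return nil, err
		}
		if !ev.Success {
			failures[ev.User]++
			continue
		}
		_, act := Assess(ev, baselines[ev.User], failures[ev.User])
		actions = append(actions, act)
		failures[ev.User] = 0
	}
	return actions, nil
}

func main() {
	// Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
	lines := []string{
		"2021-07-01T09:15:02Z user=alice src=203.0.113.10 geo=US result=success",
		"2021-07-01T03:02:11Z user=alice src=198.51.100.7 geo=RU result=failure",
		"2021-07-01T03:02:19Z user=alice src=198.51.100.7 geo=RU result=failure",
		"2021-07-01T03:02:25Z user=alice src=198.51.100.7 geo=RU result=failure",
		"2021-07-01T03:02:40Z user=alice src=198.51.100.7 geo=RU result=success",
	}
	baselines := map[string]Baseline{"alice": {KnownGeo: map[string]bool{"US": true}, ActiveFrom: 7, ActiveTo: 20}}
	fmt.Println(Triage(lines, baselines)) // [0 2] <nil>: daytime US login ignored, night login after failures blocked
}
```

A user with no baseline gets the zero-value Baseline, which treats every country as unseen and every hour as unusual, so unknown accounts fail closed to Block rather than slipping through; whether that is desirable depends on how the baseline store is populated. Any unparseable line aborts the batch, which keeps malformed input from being silently dropped by the automation.<br />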
Security hasn’t changed, but the tools and threats have evolved. Focusing on these four areas, in addition<br />
to maintaining security basics, is the foundation of a modern cybersecurity strategy.<br />
About the Author<br />
Gary Alterson is VP of Security Solutions at Rackspace. In this role<br />
he acts as GM for Rackspace’s security solutions focused on<br />
supporting digital transformations and cloud acceleration.<br />
Previously, Gary led Customer Experience and Services Product<br />
Management at Cisco Systems where he built professional,<br />
managed, and support services addressing cloud security and<br />
advanced threats. At Cisco and at Neohapsis, a nationally<br />
recognized cybersecurity boutique consultancy, Gary and his teams<br />
were instrumental in transforming enterprise and government<br />
security programs to effectively address shifting business models,<br />
emerging technologies, and the evolving threat environment.<br />
As a previous CISO and security architect, Gary has over 20 years<br />
of experience on the front lines of security, protecting and responding<br />
to threats across multiple industries. Gary is often sought out to speak<br />
on secure digitization, cloud, and emerging technology security frameworks as well as enterprise security.<br />
The Risks of Vulnerable IoT Devices<br />
By Pedro Tavares, Editor-in-Chief seguranca-informatica.pt<br />
The Internet of Things (IoT) has been making headlines for the last decade and causing<br />
enormous security problems for home users and companies alike. The damage caused<br />
by vulnerabilities in IoT devices is tremendous: they allow cybercriminals to access and take control<br />
of devices remotely, and a compromised device can then serve as an entry point to internal networks.<br />
In addition, these kinds of vulnerabilities provide cybercriminals with a baseline to bypass firewalls, gain<br />
access to private networks and also steal sensitive and critical information as it travels across connected<br />
device environments. In this sense, the risk associated with these compromised devices also allows<br />
cyberattacks to spread to other networked systems, proliferating internally and maintaining persistence for<br />
many months or even years, because detecting and monitoring anomalous activity on these<br />
devices is still a big challenge.<br />
The Big Picture<br />
Vulnerabilities vary in number and type, from lack of device management to critical flaws in hardware<br />
or software. In a recent article, it’s possible to learn about a vulnerability tracked as CVE-<strong>2021</strong>-31251 –<br />
a vulnerability in the telnet protocol – that can be exploited to obtain a remote privileged session, which can<br />
be abused to take control of the device and use it as an initial entry point to internal networks.<br />
There is no perfect formula to resolve this problem, as many IoT devices are vulnerable to a wide range<br />
of flaws due to their limited computational abilities and hardware limitations. Device vulnerabilities allow<br />
cybercriminals to use them as a foothold for their attacks, which reinforces the importance of security<br />
from the design phase. Some of those vulnerabilities can be enumerated as presented below.<br />
Lack of a Secure Update Mechanism<br />
“Lack of ability to securely update the device. This includes lack of firmware validation on the device, lack<br />
of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of<br />
security changes due to updates.”<br />
From this point, it’s necessary to consider how these updates will take place and how to make them more<br />
secure. For example, when designing a device like a smartwatch or a sensor, it’s necessary to consider<br />
building an update mechanism for timely updates.<br />
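Two of the controls named in the quoted item, firmware validation and anti-rollback, translate into a small device-side check. This is an added Go example, not code from the article or from any vendor's updater: the vendor signs a manifest of version and image hash with an Ed25519 key whose public half is assumed to be provisioned on the device at manufacture, and the device refuses images that fail the signature, do not match the hash, or are not newer than the highest version it has ever installed. Firmware contents and version numbers are constructed; encrypted delivery, the third control in the quote, is a transport concern and is not shown here.<br />

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes an update; the vendor signs its serialized form, so the
// version number is covered by the signature and cannot be edited in transit.
type Manifest struct {
	Version   uint32   // monotonically increasing; the basis of anti-rollback
	ImageHash [32]byte // SHA-256 of the firmware image
}

// Bytes serializes the manifest deterministically for signing and verification.
func (m Manifest) Bytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// Device holds what a secure updater needs: the vendor public key provisioned at
// manufacture and the highest version ever installed. The counter is kept separately
// from the running image so a replayed older update cannot lower it.
type Device struct {
	VendorKey        ed25519.PublicKey
	HighestInstalled uint32
	Running          []byte
}

var (
	ErrSignature = errors.New("manifest signature invalid")
	ErrHash      = errors.New("image does not match manifest hash")
	ErrRollback  = errors.New("version not newer than highest installed")
)

// ApplyUpdate is the device-side check: signature, image integrity, anti-rollback.
// The image is installed and the counter raised only after all three pass.
func (d *Device) ApplyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.VendorKey, m.Bytes(), sig) {
		return ErrSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHash
	}
	if m.Version <= d.HighestInstalled {
		return ErrRollback
	}
	d.Running = append([]byte(nil), image...)
	d.HighestInstalled = m.Version
	return nil
}

// Release is the vendor side: hash the image, build the manifest, sign it.
func Release(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.Bytes())
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorKey: pub, HighestInstalled: 1}
	// Constructed firmware images; real ones would be the full binary.
	v1, v2 := []byte("firmware-v1 (constructed)"), []byte("firmware-v2 (constructed)")
	m2, sig2 := Release(priv, 2, v2)
	fmt.Println("v2 install:", dev.ApplyUpdate(m2, sig2, v2))                                 // <nil>
	m1, sig1 := Release(priv, 1, v1)
	fmt.Println("rollback to v1:", dev.ApplyUpdate(m1, sig1, v1))                             // version not newer
	fmt.Println("tampered image:", dev.ApplyUpdate(m2, sig2, []byte("firmware-v2 (modified)"))) // hash mismatch
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	m3, badSig := Release(otherPriv, 3, v2)
	fmt.Println("wrong signer:", dev.ApplyUpdate(m3, badSig, v2)) // signature invalid
}
```

The order of the checks matters: the signature is verified first so that nothing unsigned influences the later decisions, and the version comparison uses the highest version ever accepted rather than the currently running one, so a genuine but superseded vendor release cannot be replayed to reintroduce a fixed flaw.<br />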
Lack of Device Management<br />
“Lack of security support on devices deployed in production, including asset management, update<br />
management, secure decommissioning, systems monitoring, and response capabilities.”<br />
One of IoT’s most significant safety risks and challenges is managing all of our devices and closing the<br />
perimeter. To address this, scanning and profiling devices gives IT security teams<br />
visibility of their networked IoT devices, their risks, behavior, and so on.<br />
Insecure Data Transfer and Storage<br />
“Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest,<br />
in transit, or during processing.”<br />
The network and communication layers play a central role in all IoT applications and implementations,<br />
facilitating sharing information between different layers and generating value through real-time interaction<br />
between IoT devices. Issuing each digital certificate from a certificate authority that fully validates the<br />
certified party’s identity is seen as a good candidate to mitigate this<br />
problem. On the other side, data tokenization can protect sensitive data so that only authorized<br />
devices can decode it.<br />
Weak, Guessable, or Default Passwords<br />
“Use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in<br />
firmware or client software that grants unauthorized access to deployed systems.”<br />
A common and pervasive vulnerability in IoT systems today stems from weak or unchanged default<br />
passwords. Poor management of device credentials places IoT devices at greater risk of becoming<br />
targets of a brute force attack.<br />
Insecure Network Services<br />
“Unnecessary or unsafe network services that run on the devices, particularly those that are exposed to<br />
the internet, jeopardize the availability of confidentiality, integrity / authenticity of information, and open<br />
the risk of unauthorized remote control of IoT devices.”<br />
IoT devices are today integrated into the network infrastructure and can transmit, retrieve, and interpret<br />
data from linked smart devices, such as smoke alarms, proximity sensors, or optical devices. The<br />
system’s communication mechanisms vary but may include network protocols ranging from BLE and<br />
ZigBee to WiFi, cellular data, and Ethernet. As a security measure, system administrators must scan their<br />
networks for unneeded open ports and services, close them, and verify that what remains listening<br />
matches each device’s intended function.<br />
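As an added example (not the article’s own code), the following full-connect scan compares what a device actually has listening with its approved-service list. `host`, `ports` and `allowed` are assumed inputs an operator would take from the device inventory, and the demo listener is a constructed stand-in for an unneeded service.<br />

```python
"""Compare what a device actually has listening with its approved-service list.

Added example, not code from the original article. `host`, `ports` and `allowed`
are assumed inputs an operator would take from the device inventory; the demo
listener below is a constructed stand-in for an unneeded service.
"""
import socket
import threading
from typing import Iterable, Set, Tuple

CONNECT_TIMEOUT = 0.2  # seconds; loopback answers instantly, raise this on real networks


def tcp_port_open(host: str, port: int, timeout: float = CONNECT_TIMEOUT) -> bool:
    """Full-connect probe: True if connect() to host:port succeeds. Needs no raw sockets."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, timed out, unreachable
            return False


def find_unexpected_services(host: str, ports: Iterable[int], allowed: Set[int]) -> Set[int]:
    """Ports that accept connections but are absent from the approved-service list."""
    listening = {p for p in ports if tcp_port_open(host, p)}
    return listening - set(allowed)


def start_demo_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Start a throwaway TCP listener on an ephemeral port (the 'unneeded service')."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return  # listener was shut down

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_demo_listener(srv: socket.socket) -> None:
    try:
        srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept() on Linux
    except OSError:
        pass
    srv.close()


if __name__ == "__main__":
    srv, rogue_port = start_demo_listener()
    approved = {22, 443}  # constructed: what the inventory says this device should expose
    to_probe = approved | {rogue_port}
    print("unexpected listening ports:",
          sorted(find_unexpected_services("127.0.0.1", to_probe, approved)))
    stop_demo_listener(srv)
```

A full-connect scan needs no privileges and works against any IPv4 host; run it from the device’s own segment and keep the allowlist next to the inventory, so that a firmware update quietly enabling a debug service shows up as drift on the next run.<br />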
Insufficient Privacy Protection<br />
“User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly,<br />
or without permission.”<br />
When individuals request personal data deletion, the provider must ensure that all third parties delete the<br />
data.<br />
Insecure Settings by Default<br />
“Devices or systems shipped with insecure default settings or lack the ability to make the system more<br />
secure by restricting operators from modifying configurations.”<br />
Device onboarding occurs when a new device is added to the restricted IoT ecosystem. Eavesdropping may<br />
take place during the onboarding of a new device, when an attacker can intercept the secret keys that are<br />
used to establish communications within a constrained network.<br />
Final Thoughts<br />
The potential for unpredictable cascading effects of vulnerabilities and poor security in the IoT greatly<br />
affects the overall security of the Internet. Ensuring that these devices are secure is the shared<br />
responsibility of its stakeholders. For example, manufacturers need to address known vulnerabilities in<br />
succeeding products, release patches for existing ones, and report the end of support for older products.<br />
As a general security measure, it is strongly recommended to protect network access to devices with<br />
appropriate mechanisms and, in some cases, to isolate them so that exploring them becomes difficult and<br />
time-consuming from the cybercriminal’s point of view.<br />
Last but not least, let’s take IoT security seriously: this attack surface has been used massively by<br />
cybercriminals to compromise organizations and their networks, turning it into a big and real threat in<br />
2021.<br />
About the Author<br />
Pedro Tavares is a cybersecurity professional and a<br />
founding member of CSIRT.UBI and Editor-in-Chief of<br />
seguranca-informatica.pt.<br />
In recent years he has invested in the field of information<br />
security, exploring and analyzing a wide range of topics,<br />
malware, ethical hacking (OSCP-certified), cybersecurity,<br />
IoT and security in computer networks. He is also a<br />
Freelance Writer.<br />
Segurança Informática blog: www.seguranca-informatica.pt<br />
LinkedIn:<br />
https://www.linkedin.com/in/sirpedrotavares<br />
Twitter:<br />
https://twitter.com/sirpedrotavares<br />
Contact me: ptavares@seguranca-informatica.pt<br />
Three Steps to Building Email <strong>Cyber</strong> Resilience<br />
By Toni Buhrke, Director of Sales Engineering, Mimecast<br />
In yet another “nobody saw this one coming” moment, the HAFNIUM Microsoft Exchange hack sent a warning<br />
shot to global enterprises to better protect fragile corporate email systems. The hack exploited four<br />
software vulnerabilities in on-premises Exchange Server, allowing a state-sponsored threat actor to<br />
gain access to corporate email networks. While Microsoft issued patches, the breach quickly escalated<br />
from affecting a handful of companies to compromising more than 250,000 organizations worldwide.<br />
This breach demonstrated the fragility of corporate email systems, which have never been under more<br />
pressure than in today’s pandemic-driven “digital workplace.” According to Statista, in 2020<br />
approximately 306 billion e-mails were sent and received every day worldwide. For enterprises, any<br />
disruption of this vital communications infrastructure, whether from outages or from malicious traffic,<br />
can be immensely damaging.<br />
While organizations should continue to mitigate their security risks by immediately installing the latest<br />
patches, they should take their security a step further by implementing an email resilience strategy that<br />
addresses three key areas of weakness: data risk mitigation, recoverability and continuity.<br />
Data Housekeeping<br />
Today’s organizations simply hold on to too much data. There are good intentions behind this − ranging<br />
from compliance regulations to e-discovery. But having all this data sitting in employee email accounts<br />
holds significant risk. The more data (especially transactional data) a company holds, the greater a target<br />
it becomes for hackers. Think about how much of this data could be exposed by the HAFNIUM attack,<br />
and the problem becomes clear. When sensitive customer data, confidential company information,<br />
personal data, etc., are left out in the open in common Exchange environments, it’s up for grabs for<br />
hackers to possibly exploit.<br />
The solution is to make sure your organization is regularly moving data out of production, a sort of<br />
“housekeeping.” If email data is regularly and securely archived, it is removed from the production email<br />
environment and becomes much more difficult for hackers to access. It can always be retrieved if needed<br />
– but there’s no reason to leave it out in the open, all the time, where the threat actors can potentially get<br />
it.<br />
Ensure Emails are Easily Recovered<br />
In many organizations, employee email inboxes are like full-fledged file systems holding organizational<br />
history, records, transactions and projects to help employees make intelligent business decisions. It’s<br />
inevitable an organization will lose some of this data, whether from human error, system outages,<br />
cyberattacks, natural disasters or other events.<br />
Restoring lost emails when one of these events occurs is critical to limiting data loss, mitigating business<br />
damage and minimizing interruptions to productivity. IT and security teams should look for data recovery<br />
solutions that are tailored to their email solution. A good data recovery solution will automatically sync<br />
and archive not only email, but also contacts, calendars and personal folders, and be able to provide fast<br />
and streamlined mail recovery after a disaster.<br />
Have an Email Continuity Plan<br />
Continuity is the last and most critical step in building a comprehensive email resilience strategy.<br />
Companies need to have a backup system in place in case their primary email solution goes down. This<br />
enables email to continue flowing while issues with the primary system are resolved.<br />
Even IT departments with the best intentions can’t always install patches immediately and typically will<br />
wait until a maintenance window to do so. This is why an email continuity solution is essential. It provides<br />
flexibility, so IT teams can patch, investigate and respond to disruptions while keeping the flow of email<br />
going with a contingency solution. This ensures a company’s email system doesn’t go offline, which in<br />
turn keeps the digital workplace functioning full steam, even in the event of a production-system outage.<br />
Plan Ahead and Avoid Disaster<br />
The HAFNIUM attack makes it clear that enterprise IT teams need to create a comprehensive email cyber<br />
resilience strategy. This is even more important today, with threat actors trying to take advantage of the<br />
unsettled remote-work environment: Mimecast’s “Year of Social Distancing” report revealed a 48%<br />
increase in threat volume from March 2020 to February 2021 over the previous year, and “The State of<br />
Email Security” report states that 70% of organizations believe their business will be harmed by email<br />
attacks in 2021.<br />
This research confirms that in the new digital workplace, immediate technical mitigation work should<br />
be a priority for organizations that want to limit their exposure to malicious attacks. Taking the three<br />
steps to email resilience is a fast and efficient way to protect not only against the next HAFNIUM, but<br />
also against all of the smaller issues that inevitably arise during the course of business.<br />
About the Author<br />
Toni Buhrke is a Director of Sales Engineering at Mimecast with<br />
more than 20 years of experience in the cybersecurity industry.<br />
Together, Toni and her team are responsible for designing<br />
customized email security solutions for Named and Enterprise<br />
customers in the Eastern region of the U.S. Prior to joining<br />
Mimecast, she was a Global Director of Systems Engineering at<br />
Forescout Technologies. During her 12-year tenure there she led<br />
various systems engineering teams focused on helping commercial<br />
and public sector organizations and channel partners architect and<br />
deploy security solutions to protect complex networking<br />
environments. Throughout her career, Toni’s focus has always been<br />
on bridging the gap between technology and her customers. She has<br />
a Master of Business Administration (MBA) and is a Certified Information Systems Security Professional<br />
(CISSP). Toni is also very active in Women in Technology initiatives throughout the industry. Learn more<br />
about Toni on LinkedIn, and learn more about Mimecast at https://www.mimecast.com/.<br />
Guided-SaaS NDR: Redefining A Solution So SOC/IR<br />
Teams Aren’t Fighting Adversaries Alone, Distracted and<br />
In The Dark<br />
By Fayyaz Rajpari, Sr. Director of Product Management, Gigamon<br />
The time has come for SaaS-based security offerings to evolve. While the concepts of SaaS date back<br />
to 1961 as MIT introduced the use of terminals connected to mainframes, the SaaS concept we know<br />
today is largely attributed to Salesforce’s launch in 1999. Starting in the late 2000s cyber-security vendors<br />
started to offer email and web security gateway solutions through a SaaS delivery model, removing the<br />
complexities of on-premises hardware and software deployment and maintenance while providing a<br />
uniform security policy across the enterprise. Cloud-native architectures, continuous<br />
development/deployment and the ability to apply elastic computing to cloud-based analytics have<br />
propelled innovation in cyber-security products beyond what on-premises solutions can achieve.<br />
Now, ten-plus years later, SaaS-based security offerings need to be re-imagined. Examining the<br />
Network Detection and Response (NDR) market shows why SaaS-based security must evolve. SOC/IR<br />
teams are rapidly adopting NDRs because of the gaps SIEMs and EDRs leave in identifying the<br />
presence of adversaries in their network.<br />
NDR technology is built on three principal tenets to provide SOC/IR teams:<br />
● Visibility to and metadata retention of corporate network traffic across cloud and core networks;<br />
● Advanced detection techniques designed to identify the presence of adversaries inside the<br />
organization; and<br />
● Capabilities to triage, threat hunt, and investigate activity to understand the adversaries’ activities<br />
and formulate comprehensive response plans.<br />
These fall into the category of three steps forward, but NDR technology can force SOC/IR teams to take<br />
three steps back if we don’t redefine how SaaS-NDR solutions are delivered.<br />
Guided-SaaS Step 1: No longer… In The Dark<br />
Sixty-nine percent of IT and security practitioners cite network visibility as the top reason for SOC<br />
ineffectiveness. Because packets captured off the wire cannot be altered by a compromised host (unlike<br />
EDR logs, which an attacker with host access can tamper with), NDRs provide network context to<br />
confidently triage, hunt, and investigate threats. But NDRs don’t magically provide<br />
comprehensive visibility. While traditional SaaS-based NDR vendors might work to ensure optimal<br />
visibility at the time of deployment, the responsibility falls on the customer’s security teams to make sure<br />
the NDR sensors are functioning properly and that the right mirrored traffic is getting to the NDR as<br />
networks change. That’s easier said than done in today’s complex hybrid world, and it doesn’t<br />
take long before blind spots pop up and the SOC/IR team is left in the dark. A Guided-SaaS NDR<br />
delivery model recognizes the importance of including expert-led routine visibility and health checks,<br />
where the vendor’s specialists help optimize visibility and ensure the NDR sensors are healthy.<br />
Guided-SaaS Step 2: No longer… Distracted.<br />
Perhaps the most alarming statistic is that 84% of IT and security practitioners reported<br />
“minimization of false positives” as the most important SOC activity. While NDRs provide anomaly-based<br />
machine learning detection techniques, these come at a high cost. Most NDRs require an initial<br />
four weeks of laborious effort by security analysts to ‘train’ the technology on what is benign and what is<br />
malicious, with the end goal, at best, of ‘reducing’ false positives if done properly. And then security<br />
analysts have to come back and routinely retrain the solution. In other words, the NDR vendor is putting<br />
the burden on the customer, distracting them from their focus of identifying and responding to<br />
adversaries. That is a crime.<br />
Cloud-native NDRs afford us a different approach. With machine learning, behavioral analysis, and threat<br />
intel-based detection engines working in the vendor’s cloud, Guided-SaaS NDR vendors can perform the<br />
QA and training of their detection engines for their customers, producing high true-positive findings and<br />
removing tedious distractions from the SOC/IR team.<br />
Guided-SaaS Step 3: No longer… Alone.<br />
It’s no secret to anyone with experience in day-to-day SOC activities that the job is intense with 70% of<br />
SOC analysts reporting burnout due to the high-pressure environment. Not only is it a race to respond<br />
before adversaries carry out their mission, but it's daunting to face the challenge without external<br />
support… effectively going it alone. It is here where redefining SaaS can provide a unique benefit to<br />
customers. One of the adjacent advances linked to SaaS offerings is software vendors embracing<br />
Customer Success, the mechanism of engaging with customers to understand their needs and drive<br />
value from the solution.<br />
Guided-SaaS NDR takes this concept to the next level. Guided-SaaS vendors staff their customer success<br />
teams with field-tested security analysts and incident responders who understand the pressures their<br />
customers face sitting in the defender’s hot seat. This empathy allows for better initial and ongoing<br />
enablement on the product, increasing product proficiency and value. As trusted advisors, these<br />
Guided-SaaS security experts can also pass along best practices for triage, hunting and investigations,<br />
resulting in stronger skills for the customer’s security teams.<br />
Perhaps the most valuable and unique benefit is that when a customer is actively investigating an<br />
incident, they have access to experienced Guided-SaaS analysts and responders to ask for guidance<br />
and knowledge of the threat and how best to triage and investigate. During these high-pressure incidents,<br />
having access to expertise and thus gaining confidence you are taking the right steps to respond<br />
alleviates pressure and allows for faster and more comprehensive response actions.<br />
A Call for Vendors to Do Better<br />
Simply put, vendors must have empathy for the challenges facing SOC/IR teams and transition from<br />
delivering products that place a burden on the customer to delivering a comprehensive offering that frees<br />
security professionals to remain focused, ensures optimum visibility, and gives them access to expertise<br />
in dismantling adversaries. The Guided-SaaS model redefines and evolves how vendors should deliver<br />
security solutions, so that technological advances such as extensive visibility, machine-learning<br />
adversary detection, and speedy triage, hunting, and investigation result in three steps forward<br />
without three steps back.<br />
About the Author<br />
Fayyaz Rajpari is the Sr. Director of Product Management of<br />
ThreatINSIGHT Guided-SaaS NDR at Gigamon, where he leads<br />
the firm’s security products. Fayyaz’s expertise includes serving<br />
as a lead incident responder for a large insurance provider<br />
before transitioning to bringing his expertise to driving products<br />
for FireEye, Mandiant, and Recorded Future.<br />
Fayyaz can be reached online at fayyaz.rajpari@gigamon.com<br />
or at http://www.gigamon.com<br />
Hardware Trojan Detection<br />
By Sylvain Guilley, General Manager and CTO at Secure-IC<br />
Hardware Trojan attacks have become more concerning in recent years because of a series of serious<br />
supply-chain events in the electronics industry around the world, such as data theft and backdoor<br />
insertions. These attacks are based on the concealment and subsequent exploitation of<br />
malicious hardware in integrated circuits and have thus been nicknamed “Trojan Horses”. Such<br />
attacks can have several purposes, such as sabotaging the infrastructure that uses the circuits<br />
or eavesdropping on confidential communications.<br />
The ability to detect and deal with Trojan Horses has become vital for organizations charged with<br />
protecting key infrastructure, government and assets. On a business level, today’s applications can be<br />
critical and security is paramount in many industries such as automotive or avionics; it is important to<br />
screen and check unreliable chips.<br />
A Trojan Horse is often defined as malware disguised as legitimate software. Nowadays, we are talking<br />
about Hardware Trojan Horses that have proven to be very dangerous and have the ability to maliciously<br />
modify integrated chips.<br />
Classification of Trojans and the means to detect them<br />
There are many types of Trojans, and they can be inserted pretty much everywhere in the microchip.<br />
This is what makes them so difficult to locate, as one could well be located in the chip’s processor while<br />
another crouches in the chip’s power supply.<br />
The stealthiest Hardware Trojans are virtually undetectable because they do not appear in the bill of<br />
materials (BoM). They are implanted in the chip itself and therefore must be investigated at the silicon-<br />
level to be detected. This creates a “needle in a haystack” situation when trying to flush a purported<br />
Trojan out.<br />
Trojans can also be implanted at different phases, from the specification phase to the assembly and<br />
packaging phase. They may also have different purposes once they are integrated. Some Trojans will<br />
want to change the functionality of a chip, while others will prefer to degrade performance or completely<br />
deny the service offered by the chip; still others may leak information.<br />
A Hardware Trojan Horse can have different kinds of activation mechanism (a rare input pattern, an<br />
internal counter, an external signal), which makes it hard to catch red-handed.<br />
Hardware Trojan detection can almost be considered a type of reverse engineering for “evidence of<br />
infection” purposes. While evaluating the system, the evaluator looks for abnormal behavior that<br />
might harm the functioning of the circuit. In order to be able to detect Hardware Trojans, one must have<br />
the appropriate skills and tools.<br />
To this end, two initial techniques have been put forward:<br />
• Deploying destructive reverse engineering schemes. The main drawback of this technique is that<br />
it can be very expensive and cannot guarantee the absence of Trojans in untested devices.<br />
• Using a VLSI testing scheme. The main drawback for this is that it is not very effective as the<br />
trigger condition is rarely satisfied, all the more for sequential Trojans as they need a sequence<br />
of vectors to be triggered.<br />
Based on these two techniques and their drawbacks, a number of other solutions have been<br />
implemented.<br />
The reactive way of dealing with Hardware Trojans<br />
One of the ways to find and deal with a Hardware Trojan is to first be aware of its presence in the system<br />
and then take action accordingly.<br />
Analog Detection<br />
There are many methods that can be used in a reactive way, such as reactive analog detection. Analog<br />
detection aims to detect abnormal behavior of the system in the pre- and post-silicon stages. The method<br />
can be static, meaning that visible malicious components hidden on a printed circuit board (PCB) or in<br />
cable packaging are found by inspection, but this is very limited if the Trojan is hidden inside the chip;<br />
this is where a dynamic method can be leveraged by observing the electromagnetic activity of the system.<br />
The dynamic method aims to detect unexpected electromagnetic activity by comparing it with a golden<br />
model (a trusted reference with no Trojan), so a statistically significant difference between the golden<br />
and the observed signatures is the indicator of infection.<br />
Hardware Assertions<br />
Another method consists of hardware assertions. Some Hardware Trojans are actually a combination of<br />
hardware and software vulnerabilities that, when combined, allow the system to be exploited. The<br />
hardware assertion method entails identifying some high-level and critical behavioral invariants and<br />
checking them while the circuit is running. With many Hardware Trojans, the attacker will attempt to<br />
modify the behavior or violate a property of the target circuit. Therefore, it is necessary to check<br />
the properties (user mode, memory access conditions, rules, instructions) of the asset with a hardware<br />
module. A single change in these properties betrays the hardware Trojan.<br />
Sensors<br />
Sensors can be used to prevent an attacker from performing active attacks in which he attempts to disturb<br />
the normal behavior of the system. When the hardware Trojan is triggered, the system begins to behave<br />
abnormally: the supply voltage may drop drastically or the clock may be tampered with in order<br />
to stress the system to the point where it cannot perform sensitive operations properly. Sensors (voltage<br />
and clock monitors, for instance) trigger when they notice such events.<br />
A variety of methods exists to find and deal with Hardware Trojans. While these methods have been<br />
proven to be effective in detecting hardware Trojans when they are known to be present in the system,<br />
the need to be able to proactively search and deal with Trojans has rapidly arisen.<br />
The proactive way of dealing with Hardware Trojans<br />
While there is a reactive way of finding Hardware Trojans in a system, there is a constant need for<br />
additional trust. This is why new methods have begun to develop in the security sphere: ways of having<br />
in-depth protection with a more proactive approach.<br />
Indeed, since most hardware Trojan detection occurs once the malicious hardware in the system is already<br />
known, these new proactive methods are particularly valuable because they guard against Hardware<br />
Trojans in advance. This means that the system is equipped with tools that can help it fend off incoming<br />
attacks.<br />
Machine Learning<br />
One of these successful proactive methods is clearly Machine Learning. Indeed, the use of computer<br />
systems that are able to learn and adapt without following explicit instructions will be key in the future for<br />
many topics, including hardware Trojan detection and protection. As each Trojan is different, it may be<br />
difficult to define a method applicable for each case. Machine learning can generate diverse complex<br />
models and make decisions based on those models. In addition, machine learning is also key in<br />
understanding hardware Trojans, as they are relatively new and machine learning will help aggregate<br />
data to help us better understand them. There are two ways to implement Machine Learning: the first is<br />
supervised learning, where evaluators inject known samples of Hardware Trojans into the system,<br />
determine how to detect them properly, and enrich the model’s training set with those samples;<br />
the second is unsupervised learning, where the characteristics of the Trojan are not known and<br />
the model has to detect it on its own by evaluating the parameters and the system’s behavior.<br />
The latter will help detect new types of Trojans, as it is less limited than the former.<br />
While it is a reactive approach to have a hardware Trojan monitoring hardware IP in a chip for active<br />
detection of malicious processes on the chip during its runtime, it is often achieved with a higher cost of<br />
inspection and additional computation, which may not be desirable for many. Therefore, a proactive<br />
measure may be to include the Hardware Trojan analysis in the device testing flow. An example is shown<br />
in the following figure:<br />
[Figure: testing flow for Hardware Trojans for a chip lot. Steps: chip out from JTAG testing → begin HT<br />
detection process → EM signature capture of target chip → ML or statistical analysis for detection →<br />
detection output (HT present/absent) → next step]<br />
Fig. Testing flow for Hardware Trojans for a chip lot<br />
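The golden-model comparison described under Analog Detection, and the “ML or statistical analysis” stage of the flow in the figure, can both be done with a per-sample Welch t-test between a golden lot and the lot under test. The following is an added example, not code from the article or from Secure-IC: the EM traces are synthesized (a fixed waveform plus Gaussian noise for every chip, with a small extra activity in a short window standing in for a Trojan payload), and the |t| ≥ 4.5 decision threshold is the convention used in TVLA-style side-channel leakage assessment, adopted here as an assumption.<br />

```python
"""Golden-model comparison of EM signatures with a per-sample Welch t-test.

Added example, not code from the original article or from Secure-IC. The traces are
synthesized here: a fixed waveform plus Gaussian noise for every chip, with a small
extra activity in a short window standing in for a Trojan payload. The |t| >= 4.5
decision threshold is the TVLA side-channel convention, used here as an assumption.
"""
import math
import random
from typing import List, Sequence, Tuple

TRACE_LEN = 64
T_THRESHOLD = 4.5
TROJAN_WINDOW = (40, 48)  # constructed: samples where the payload's extra switching shows up


def _base_waveform(i: int) -> float:
    return math.sin(2 * math.pi * i / 16)


def make_traces(n: int, rng: random.Random, extra: float = 0.0,
                noise: float = 0.05) -> List[List[float]]:
    """Synthesize n traces; extra=0.0 models a golden chip, extra>0 adds payload activity."""
    traces = []
    for _ in range(n):
        trace = []
        for i in range(TRACE_LEN):
            v = _base_waveform(i) + rng.gauss(0.0, noise)
            if TROJAN_WINDOW[0] <= i < TROJAN_WINDOW[1]:
                v += extra
            trace.append(v)
        traces.append(trace)
    return traces


def _mean_var(xs: Sequence[float]) -> Tuple[float, float]:
    n = len(xs)
    m = sum(xs) / n
    return m, sum((x - m) ** 2 for x in xs) / (n - 1)


def welch_t(a: Sequence[float], b: Sequence[float]) -> float:
    """Welch's t statistic for two samples with possibly unequal variances."""
    ma, va = _mean_var(a)
    mb, vb = _mean_var(b)
    denom = math.sqrt(va / len(a) + vb / len(b))
    return 0.0 if denom == 0 else (ma - mb) / denom


def t_profile(golden: List[List[float]], suspect: List[List[float]]) -> List[float]:
    """One t value per sample point: golden column against suspect column."""
    return [welch_t([tr[i] for tr in golden], [tr[i] for tr in suspect])
            for i in range(TRACE_LEN)]


def detect_trojan(golden, suspect, threshold: float = T_THRESHOLD) -> Tuple[bool, float, int]:
    """(present, worst t, index of worst t); present iff |t| crosses the threshold anywhere."""
    prof = t_profile(golden, suspect)
    idx = max(range(TRACE_LEN), key=lambda i: abs(prof[i]))
    return abs(prof[idx]) >= threshold, prof[idx], idx


def demo_lots(seed: int = 1, n: int = 50):
    """Constructed lots: a golden reference lot, a clean lot and an infected lot."""
    rng = random.Random(seed)
    return make_traces(n, rng), make_traces(n, rng), make_traces(n, rng, extra=0.1)


if __name__ == "__main__":
    golden, clean, infected = demo_lots()
    print("clean lot:   ", detect_trojan(golden, clean))
    print("infected lot:", detect_trojan(golden, infected))
```

The index of the worst t value tells the evaluator where in the clock cycle the extra activity sits, which is the starting point for the reverse-engineering step; with real captures, align the traces to the trigger first, since a few samples of jitter between lots produces large t values that have nothing to do with a Trojan.<br />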
<strong>Cyber</strong> Escort Unit<br />
Another method is to protect the CPU directly by mitigating vulnerabilities and attacks on code execution<br />
or code integrity, whether induced by software bugs, by malicious activity or by performance optimizations<br />
that neglect security. These attacks have the particularity of engaging both software and hardware, which<br />
places the protection layer in the hardware, where it protects both. By following the program execution<br />
step by step, the escort unit is able to detect any unexpected behavior of the CPU. It is not dedicated to a<br />
specific attack or Trojan type, so irrespective of how the Trojan is triggered, by either hardware or<br />
software means, and whatever its payload, any alteration in code execution or code integrity can be<br />
detected.<br />
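The hardware-assertion method described earlier and the escort unit above both come down to replaying execution against invariants. As an added example, not code from the article or from any Secure-IC product, the following software model checks three assumed invariants (user mode never writes kernel memory, every control-flow edge is either fall-through or in the static CFG, every fetched instruction matches the reference code image) over constructed traces of a toy program; the code image, memory map and traces are all constructed here.<br />

```python
"""Software model of a hardware 'escort' that checks behavioral invariants on every step.

Added example, not code from the original article or any Secure-IC product. The toy
code image, its static control-flow graph, the memory map and the traces are constructed;
the three invariants are assumptions standing in for the properties an evaluator would
pick for a real core.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

KERNEL_RANGE = (0x8000, 0xFFFF)  # constructed memory map: kernel data lives here
INSN_SIZE = 4

# Constructed reference code image: address -> instruction word (opaque bytes).
CODE_IMAGE: Dict[int, bytes] = {
    0x100: b"\x01\x00", 0x104: b"\x02\x00", 0x108: b"\x03\x00",
    0x10C: b"\x04\x00", 0x110: b"\x05\x00", 0x200: b"\x06\x00",
}
# Static CFG: the only permitted non-sequential successors (call at 0x108, return at 0x200).
BRANCH_TARGETS: Dict[int, Set[int]] = {0x108: {0x200}, 0x200: {0x10C}}


@dataclass
class Step:
    pc: int
    mode: str                        # "user" or "kernel"
    insn: bytes                      # instruction word the core actually fetched
    mem_write: Optional[int] = None  # address written by this instruction, if any


def _writes_kernel_memory(step: Step) -> bool:
    return step.mem_write is not None and KERNEL_RANGE[0] <= step.mem_write <= KERNEL_RANGE[1]


def escort(trace: List[Step]) -> List[str]:
    """Replay the trace against the invariants and return every violation (empty = clean)."""
    violations: List[str] = []
    for k, step in enumerate(trace):
        # Invariant 1: user-mode code never writes kernel memory (privilege/memory-access rule).
        if step.mode == "user" and _writes_kernel_memory(step):
            violations.append(f"step {k}: user-mode write to kernel address {step.mem_write:#x}")
        # Invariant 2: every control-flow edge is either fall-through or in the static CFG.
        if k > 0:
            prev = trace[k - 1].pc
            if step.pc != prev + INSN_SIZE and step.pc not in BRANCH_TARGETS.get(prev, set()):
                violations.append(f"step {k}: control-flow edge {prev:#x}->{step.pc:#x} not in CFG")
        # Invariant 3: the fetched instruction matches the reference image (code integrity).
        if CODE_IMAGE.get(step.pc) != step.insn:
            violations.append(f"step {k}: instruction at {step.pc:#x} differs from reference image")
    return violations


def benign_trace() -> List[Step]:
    """Constructed: main calls a kernel routine at 0x200 that legitimately writes kernel data."""
    steps = [Step(pc, "user", CODE_IMAGE[pc]) for pc in (0x100, 0x104, 0x108)]
    steps.append(Step(0x200, "kernel", CODE_IMAGE[0x200], mem_write=0x9000))
    steps += [Step(pc, "user", CODE_IMAGE[pc]) for pc in (0x10C, 0x110)]
    return steps


def trojan_trace() -> List[Step]:
    """Constructed: the same program after a Trojan fires, whatever triggered it."""
    steps = benign_trace()
    steps[3] = Step(0x200, "user", CODE_IMAGE[0x200], mem_write=0x9000)  # same write, no privilege
    steps[4] = Step(0x10C, "user", b"\x99\x00")                           # patched instruction
    steps.append(Step(0x100, "user", CODE_IMAGE[0x100]))                  # 0x110 -> 0x100 hijack
    return steps


if __name__ == "__main__":
    print("benign:", escort(benign_trace()) or "no violations")
    for v in escort(trojan_trace()):
        print("trojan:", v)
```

None of the three checks needs to know what the Trojan is or how it was triggered; they only need the reference image and CFG, which is exactly what lets a hardware monitor flag a payload on the clock cycle it deviates rather than after a functional test happens to hit the trigger.<br />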
The Encoded Circuit Method<br />
The “encoded circuit” method is based on the observation that all integrated circuits are composed of two<br />
distinct parts: the combinational part and the sequential part. The sequential part includes the data and<br />
control registers, which are easier to recognize on the IC layout because of their size. It is easier for an<br />
attacker to connect the Trojan to the sequential part; therefore, this method aims at encoding and masking<br />
all sequential registers with a Linear Boolean Code, so that a register value the Trojan has tampered with<br />
is no longer a valid code word and is flagged.<br />
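An added example, not code from the article or from Secure-IC, of what encoding registers with a linear Boolean code buys. The register width, the systematic [7,4] Hamming code (one concrete linear code) and the tampering patterns are constructed here; a Trojan that flips register bits produces a non-zero syndrome unless the flip pattern happens to be a code word itself.<br />

```python
"""Encoding register contents with a linear Boolean code so that tampering is detected.

Added example, not code from the original article or from Secure-IC. The register width,
the systematic [7,4] Hamming code (one concrete linear code) and the tampering patterns are
constructed for illustration.
"""
import random
from typing import Iterable, List

Bits = List[int]
K, R = 4, 3  # data bits (the register's logical width) and check bits stored beside them
# Parity submatrix P: each data bit contributes to the check bits where its row has a 1.
P = [
    [1, 1, 0],
    [1, 0, 1],
    [0, 1, 1],
    [1, 1, 1],
]


def _parity(data: Bits) -> Bits:
    return [sum(data[i] * P[i][j] for i in range(K)) % 2 for j in range(R)]


def encode(data: Bits) -> Bits:
    """Code word = [data | data . P] over GF(2); this is what the encoded register stores."""
    if len(data) != K:
        raise ValueError(f"expected {K} data bits")
    return list(data) + _parity(data)


def syndrome(word: Bits) -> Bits:
    """H . word with H = [P^T | I]; all-zero exactly when word is a valid code word."""
    data, checks = word[:K], word[K:]
    return [(p + c) % 2 for p, c in zip(_parity(data), checks)]


def is_consistent(word: Bits) -> bool:
    """The check a hardware monitor runs on every clock: does the register hold a code word?"""
    return not any(syndrome(word))


def tamper(word: Bits, positions: Iterable[int]) -> Bits:
    """Model a Trojan flipping the given register bit positions."""
    w = list(word)
    for p in positions:
        w[p] ^= 1
    return w


def undetected_fraction(trials: int, seed: int = 0) -> float:
    """Fraction of random non-zero flip patterns that escape the check.

    A pattern escapes exactly when it is itself a non-zero code word, so the
    expectation is 15/127 (about 0.12) for this code, whatever the register holds.
    """
    rng = random.Random(seed)
    word = encode([1, 0, 1, 1])
    misses = 0
    for _ in range(trials):
        mask = rng.randrange(1, 1 << (K + R))
        if is_consistent(tamper(word, [i for i in range(K + R) if mask >> i & 1])):
            misses += 1
    return misses / trials


if __name__ == "__main__":
    cw = encode([1, 0, 1, 1])
    print("stored:", cw, "consistent:", is_consistent(cw))
    print("bit 2 flipped:", tamper(cw, [2]), "syndrome:", syndrome(tamper(cw, [2])))
    print("escape rate over 4000 random flips:", undetected_fraction(4000))
```

The check costs R XOR trees per register and, unlike a functional test, does not depend on ever hitting the Trojan’s trigger: any write the Trojan makes outside the code is caught on the next clock. The masking step the article mentions matters because an attacker who does not know which code is in use cannot choose a flip pattern that is itself a code word.<br />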
Conclusion<br />
As hardware Trojans continue to be developed for nefarious purposes, it is our duty to protect devices<br />
from these new threats. While proactive methods are emphasized, it is important to note that reactive<br />
methods are still viable and should not be disregarded. With so many types of Trojans and so many ways<br />
to attack systems, companies should use all the tools at their disposal to fight potential threats to their<br />
systems.<br />
If you would like to include Hardware Trojan protections in your security plan to protect your systems<br />
from potential attacks, you can ask for our help.<br />
About the Author<br />
My name is Sylvain Guilley. I am General Manager & CTO at Secure-<br />
IC, a French company offering cybersecurity solutions for embedded<br />
systems.<br />
I am also professor at TELECOM-Paris, research associate at École<br />
Normale Supérieure (ENS, Paris), and adjunct professor at the<br />
Chinese Academy of Sciences (CAS, Beijing).<br />
My research interests are trusted computing, cyber-physical security,<br />
secure prototyping in FPGA & ASIC, and formal/mathematical<br />
methods.<br />
I am lead editor of international standards, such as ISO/IEC 20897 (Physically Unclonable Functions),<br />
ISO/IEC 20085 (Calibration of non-invasive testing tools), and ISO/IEC 24485 (White Box Cryptography).<br />
Associate editor of the Springer Journal of Cryptography Engineering (JCEN), I have co-authored 250+<br />
research papers & filed 40+ invention patents.<br />
Sylvain Guilley can be reached at contact@secure-ic.com and at our company website www.secureic.com<br />
StayHackFree – Your Kid’s Sports Team<br />
Your kid's sports team is better managed than your <strong>Cyber</strong> team.<br />
By James Gorman, CISO, Authx<br />
Your kid's hockey team has better management than your <strong>Cyber</strong> Security team. Really, I am not kidding.<br />
How do I know? Let's start with - your kid's team has a coach, a plan, a practice schedule, and goals.<br />
Can you honestly say that about your <strong>Cyber</strong> Security team?<br />
Your kid's hockey team has a coach who has some level of competency. In USA Hockey, coaches have<br />
to be at a certain level; for most, it is Level 3, which makes sure they have a base knowledge and<br />
understanding of the rules. In most organizations, there is no specific person designated to be the<br />
"coach" of the incident response team, nor is there a clearly defined person who will quarterback the<br />
incident response. Is your lead technologist also the Incident Response Manager? Is that the right<br />
mix of responsibilities? There is nothing worse in the thick of an incident than not knowing who is in<br />
charge or who has the authority to make the difficult calls. Also, most of the kids I used to coach had<br />
outside coaches to help them improve the basics. So you need designated roles and responsibilities,<br />
an experienced coach, and outside trainers to reach the management level of your kid's hockey team.<br />
Outside and ongoing training and a culture of learning are critical to growing <strong>Cyber</strong> teams.<br />
How is your team stacking up so far?<br />
Your kid's hockey team has a game plan, or a playbook. They know where they are supposed to line<br />
up and what the objective is, depending on the game situation. In most organizations there is no formal<br />
plan or, worse, there is one sitting on a shelf, a file server, or a website that no one has looked at since<br />
a contractor wrote it for an audit so long ago that the person or consultant who wrote it is on their 3rd<br />
job since the audit ended. Without a plan, when the time comes to respond, there is chaos. People with<br />
no direction waste valuable time and fail to minimize or eliminate the impact of an incident and its cost<br />
to your business. A viable plan is critical to the timely execution of your cyber defenses.<br />
All kid's teams have a practice schedule. If your kid's team said - nope, no practices, just games, you<br />
would expect to lose every time to teams that practice. Your <strong>Cyber</strong>team needs to have a regularly<br />
scheduled practice. At a minimum, you need to exercise the incident plan with a "tabletop" simulation at<br />
least once a month. The boilerplate template you used for your Incident Management Plan likely calls<br />
for an annual test of the plan. In today's rapidly changing IT environment, you should exercise the plan<br />
and update it with lessons learned every month. The <strong>Cyber</strong> Hackers are out there, and every day they<br />
are knocking at your doors. How you respond at the outset of an attack determines its lasting effects. If<br />
you stumble or fumble initially, you invite lasting consequences and maybe even front-page news. Just<br />
ask the teams at some of the recent highly publicized hacks.<br />
All kids' teams have goals. When I was coaching kids' teams, I would have three goals for a game.<br />
Usually, the situational goals had to do with scoring first, not taking any penalties, or winning 51%+ of<br />
faceoffs, with the over-arching aspiration being the main "goal": having fun. For your <strong>Cyber</strong> team, your<br />
over-arching goal should be to StayHackFree; remember, it is not a goal, it is an aspiration. Each month<br />
you should have situational goals for your team. For example, one month it could be improving the<br />
amount of Endpoint Protection deployed. Another week it could be who can find the error in the incident<br />
response plan. Consistently looking for ways to strengthen your threat posture or reduce your<br />
organization's attack surface is the point of the situational goals. It is best to have both situational and<br />
over-arching goals, but goals need to be tangible, measurable, and specific.<br />
So, to sum up: use the model of your kid's sports teams to vastly improve your cyber defense posture.<br />
There is no reason not to have a point person or coach lead your incident response team. You must<br />
have a plan and know where to start before an incident happens. Frequent practice sessions and tabletop<br />
exercises with lessons learned are a must. Setting situational goals to improve your defense posture is<br />
critical to being prepared for all comers. Get a coach, get a plan, practice the plan, and have goals to<br />
StayHackFree.<br />
About the Author<br />
James Gorman, CISO, Authx. James is a solutions-driven,<br />
results-focused technologist and entrepreneur with experience<br />
securing, designing, building, deploying and maintaining large-scale,<br />
mission-critical applications and networks. Over the last<br />
15 years he has led teams through multiple NIST, ISO, PCI,<br />
and HITRUST compliance audits. As a consultant, he has helped<br />
multiple companies formulate their strategy for compliance and<br />
infrastructure scalability. His previous leadership roles include<br />
CISO, VP of Network Operations & Engineering, CTO, VP of<br />
Operations, Founder & Principal Consultant, Vice President and<br />
CEO at companies such as GE, Epoch Internet, NETtel, Cable<br />
and Wireless, SecureNet, and Transaction Network Services.<br />
James can be reached online at (james@authx.com, https://www.linkedin.com/in/jamesgorman/ ) and<br />
at our company website https://authx.com<br />
Tips for Avoiding Online Scams During COVID-19<br />
Follow these best practices and stay vigilant to significantly reduce risk for your organization<br />
By Cindy Murphy, President, Tetra <strong>Defense</strong><br />
Organizations have made significant changes in light of COVID-19, oftentimes favoring health and safety<br />
over profit. Cab services urge people to stay home. Restaurants offer no-contact deliveries. Perfume<br />
companies have shifted to making hand sanitizer, and vehicle manufacturers are now making ventilators.<br />
While many businesses are working hard to fight the hardships COVID-19 has brought about, other<br />
malicious organizations are working to do just the opposite.<br />
Since the pandemic took hold of America, there has been a substantial increase in the number of<br />
cyberattack attempts. Phishing emails are virtually all COVID-19-themed, social engineering involves<br />
concepts of sickness and health, and ransomware operations are attacking some of the organizations<br />
that we rely on most: essential businesses. While these scams are nothing new, the way they are<br />
presented, deployed, and the consequences they have are constantly changing in the COVID-19 era. To<br />
stay protected, either in person working at an essential business, working from home, or simply staying<br />
sane in quarantine using the Internet on personal devices, keep cybersecurity front-of-mind.<br />
Major Online Scams<br />
The practice of crafting manipulative messages to elicit a specific behavior is known as “social<br />
engineering.” The concept is broad, since it casts the widest net, but it is a practice that nearly all scams<br />
and attacks, whether in the physical world or in the cyber world, rely on. No matter how robust, up-to-date,<br />
or hard to hack your technology is, social engineering preys on the human behind the devices.<br />
Since the ‘90s, when the term was coined in this context, threat actors have found it easier to trick a<br />
person into giving information or access than to trick a computer. Even in professional vulnerability<br />
testing, social engineering is used to see how robust security is when faced with someone who<br />
simply says all the right things to gain unauthorized access.<br />
Rather than a one-size-fits-all message, social engineering includes specific headlines, unique situations,<br />
and emotional manipulation to convince a victim to divulge information. Messages may range from the<br />
email from the “prince in Nigeria who needs your help,” to hyper-specific phone calls or even personalized<br />
texts that “want to confirm your banking credentials.” Social engineering attacks are always more<br />
successful the more information the threat actor has at the start. In the COVID-19 era, being able to<br />
assume that people are home, they are awaiting aid from a stimulus package, or they are collaborating<br />
with their managers and directors from a distance is enough information to deploy a successful,<br />
manipulative message.<br />
Phishing Example 1<br />
Phishing refers to messages deployed via email, and this is the most popular channel in this context. For<br />
threat actors, email is an attractive option since it is most likely already connected to an essential device<br />
like a personal computer or smartphone, and it is most likely connected to the public Internet or an<br />
organization’s internal network. Since phishing attempts are now socially engineered to appear as though<br />
they are from credible health sources, the World Health Organization has published guidelines to protect<br />
potential victims.<br />
An acronym to become familiar with is BEC, or Business Email Compromise, the act of gaining<br />
unauthorized access to a business email account. It’s often achieved through the practice of perfectly<br />
impersonating trusted sources, usually via email. This allows threat actors to disguise themselves as a<br />
director, a CISO, or even a trusted colleague that is simply asking for information or suggesting you<br />
download their file. This is one of the most deceptive practices, considering the innate trust that we place<br />
in correct email addresses. Without proper password protection, it is important to consider that the<br />
person behind a correct address may no longer be who you expect.<br />
Staying Vigilant During COVID-19<br />
Threat actors have an impressive toolkit that includes social engineering and impersonation techniques<br />
to harvest sensitive data, and this has been the case for decades. In light of COVID-19, the consequences<br />
of these attacks can prove to be especially devastating. When few businesses are operating at full capacity, and when<br />
healthcare organizations are quickly becoming overwhelmed, an attack can not only cause disruption, it could risk lives.<br />
In uncertain times, the last thing anyone wants to worry about is a threat actor gaining unauthorized<br />
access to valuable data and resources. Malicious organizations have already proven they have no ethical<br />
boundaries — they have targeted critical infrastructure like HHS to take advantage of the situation that<br />
COVID-19 has presented. Here are our tips for maintaining cybersecurity from home in this unique time:<br />
1. Practice “Zero Trust”<br />
As a best practice, maintaining a healthy level of suspicion is the strongest defense against social<br />
engineering. Threat actors rely on the naivety of users to grant them access and will present any<br />
number of stories or situations to exploit potential victims. Manipulation tactics include offering a<br />
sweet return on an investment (i.e., the Nigerian prince will offer you endless riches), posing as people<br />
you may innately want to help or donate to, or even threatening you from the account of someone with authority.<br />
2. Ensure Links are Secure<br />
In many phishing attempts, there are malicious websites that either perfectly clone trusted sources or<br />
appear to be legitimate. These websites, however, often deploy malware at the first click. To ensure you<br />
are visiting trusted web sources, hover over a link before clicking. This will provide, in plain text, the URL<br />
the link will take you to. While you’re there, be sure to be cognizant of other security measures that your<br />
web browser will look out for.<br />
3. Employ Multi-Factor Authentication<br />
If a threat actor has your password credentials, or you suspect you have given information to a malicious<br />
source, Multi-Factor Authentication is a great backstop. If a password is entered, access will not be<br />
granted until a second device can confirm the request, usually through a code or prompt on a smartphone.<br />
This is a simple tool that is often available via major email providers and Internet-based accounts, and it<br />
can deter a threat actor from accessing your information.<br />
4. Use Robust Passwords<br />
While “password1” or “123456” are easy enough to remember, the pain of losing access to your<br />
accounts is far worse than the pain of implementing complicated, unique passwords to begin with. Threat<br />
actors can attempt the most common passwords on accounts by the thousands. They scan for any easy<br />
vulnerabilities they can exploit on the Internet, and you can arm yourself with a strong password to deter<br />
them. Common guidelines for building a strong password include using at least 12 characters,<br />
implementing long phrases, and unconventional punctuation.<br />
5. Update, Update, Update<br />
While it may be inconvenient to learn how to deal with a new operating system or a new interface,<br />
updating as quickly as possible ensures your devices are running with the most recent protections. When<br />
threat actors search for vulnerabilities, they can configure nearly any attack to fit a port of entry, even if<br />
that entry only operates on a slightly out-of-date app, mobile device, or computer system. Having a fully<br />
functioning piece of technology from a few years ago is fine, but being sure to update its protection<br />
systems is a simple safeguard as threat actors remain persistent during COVID-19.<br />
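Tip 2 above says that hovering over a link reveals where it really goes; the same comparison can be automated where mail is received. The following Python is an added example written for this page, not code from Tetra <strong>Defense</strong> or the author: it parses an HTML message body, compares each link's visible text with its href, and flags links whose displayed domain differs from the real host, that point at a raw IP address, or that are not HTTPS. The sample e-mail and every host in it are constructed; the two-label registrable-domain helper is a deliberate simplification that assumes no public-suffix list is available offline.<br />

```python
"""Added example: spot links whose visible text and real destination disagree,
which is exactly what hovering over a link in a mail client reveals.
All sample HTML below is constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two labels of a host name (assumption: no public-suffix list offline)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# A domain or URL that appears in the link's visible text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def check_link(href, text):
    """Return the reasons a link deserves suspicion; an empty list means none found."""
    reasons = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme != "https":
        reasons.append("not HTTPS (scheme %r)" % (target.scheme or ""))
    if IPV4.fullmatch(host):
        reasons.append("raw IP address as host")
    shown = DOMAIN_IN_TEXT.search(text)
    if shown and host and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append("text shows %s but href goes to %s" % (shown.group(1), host))
    return reasons


def suspicious_links(html):
    """All links in an HTML body that tripped at least one check."""
    flagged = []
    for href, text in extract_links(html):
        reasons = check_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


# Constructed sample: a relief-payment lure with one disguised link.
SAMPLE_EMAIL = """<p>Your relief payment is waiting. Verify your identity at
<a href="http://198.51.100.7/verify">https://www.irs.gov/coronavirus</a>
or read the latest guidance at <a href="https://www.who.int/">www.who.int</a>.
<a href="https://www.irs.gov/">Click here</a> for official information.</p>"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Run on the sample, only the first link is reported, with all three reasons; the WHO link, whose text and host agree, and the plain "Click here" link pass. A link whose text is not a URL at all cannot be checked this way, which is why the hover habit from tip 2 still matters.<br />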
While organizations continue to implement changes in the name of health and safety, it’s important to<br />
keep in mind that threat actors are actively working against them. In situations where people are working<br />
from a new home setup, people are grieving the loss of normalcy, and people are awaiting information<br />
regarding their health and their paychecks, threat actors are creating messages to manipulate them.<br />
While these are unprecedented times, and cyberattacks are more consequential than ever, there’s<br />
comfort in knowing that security best practices still stand, and awareness of these online scams proves<br />
to be a great safeguard in and of itself.<br />
About the Author<br />
Cindy Murphy is the President of Tetra <strong>Defense</strong>, an incident<br />
response and digital forensics firm based in Madison, Wisconsin.<br />
She worked in law enforcement for 31 years, starting her career in<br />
the US Army in 1985 and joining the Madison Police Department in<br />
1991. She began investigating computer-related crimes in 1998<br />
before being promoted to detective in 2000. Since then, Cindy has<br />
become one of the most highly respected experts in the digital<br />
forensics field. She has been teaching digital forensics since 2002<br />
and helped develop a digital forensics certification curriculum for<br />
Madison Area Technical College and co-authored the SANS<br />
FOR585 Advanced Smartphone Forensics course.<br />
Cindy can be reached via Twitter @CindyMurph and at our company<br />
website: https://tetradefense.com/<br />
Banking Fraud up 159% as Transactions Hit<br />
Pre-Pandemic Volumes<br />
Organizations and users should aggressively embrace passwordless authentication methods to<br />
establish a strong un-phishable relationship.<br />
By Rajiv Pimplaskar, CRO, Veridium<br />
The latest Feedzai Financial Crime Report Q2 <strong>2021</strong> <strong>Edition</strong>, which factors in some 12 billion global<br />
transactions between January and March <strong>2021</strong>, shows that bank fraud is up 159%, including internet,<br />
telephone, and branch banking. Card-not-present (CNP) transactions were just 18% of all transactions<br />
but drove 83% of all fraud attempts.<br />
The five most commonly attempted scams were Account Takeover (ATO), up 47%; account opening<br />
identity theft, up 23%; impersonation scams, up 21%; purchase of goods that never arrived, up 15%; and<br />
phishing scams, up 7%. A cyber and passwordless authentication expert with Veridium offers perspective.<br />
The recent Feedzai report confirms several points regarding the industry’s hypotheses on financial<br />
fraud. First, as transaction volumes reach all-time highs, banks and insurance companies should brace<br />
for higher fraud volumes and proactively bolster their risk processes and customer identity and access<br />
management systems. Second, fraud vectors should increasingly be assumed to be multi-modal, as bad<br />
actors will often exploit channels with weaker Know Your Customer (KYC) verification processes, such<br />
as telephone banking or the contact center, as seen in the high surge in fraud attempts from these<br />
channels. Sometimes even bank card fraud via traditional mail can manifest within the branch and digital<br />
channels as impersonation and Account Takeover (ATO) scams. Finally, various forms of phishing,<br />
social engineering and Man-in-the-Middle (MITM) attacks can be highly effective at overwhelming the vast<br />
majority of conventional safeguards currently in place at financial institutions.<br />
Organizations and users should aggressively embrace passwordless authentication methods to establish<br />
a strong un-phishable relationship between the user’s designated authenticator and the bank systems.<br />
As identity becomes the new perimeter, strong customer authentication solutions such as Phone-as-a-Token<br />
and FIDO2 security keys are increasingly gaining popularity. Also, such authentication methods<br />
offer lower friction and can improve user experience and productivity.<br />
Fraud is Multi-modal, Constantly Evolves and Gravitates to the Weakest Channel<br />
With fraud costing the global economy over $5 trillion, financial services firms worldwide are focused on<br />
fraud prevention in a big way. In countries like the UK, fraud is currently the #1 crime – far outpacing all<br />
other crime categories! With cost containment being very important in driving shareholder value, fraud<br />
is a key area, which if not managed carefully, can quickly erode the bank’s earnings. Consequently,<br />
hundreds of millions of dollars are being invested and fraud defense systems are getting increasingly<br />
sophisticated. Customer education is also at an all-time high to ensure fraud awareness is top of mind,<br />
much like the conventional wisdom of locking the front door to your house or not leaving valuables in<br />
plain sight within your vehicle.<br />
However, fraudsters are also evolving at an alarming rate and continuously devising new approaches.<br />
For example, improved defense against ATO scams is being circumvented by a rise in authorized push<br />
payment fraud where an impersonator convinces the legitimate account owner to authorize a payment<br />
for a fake cryptocurrency investment or a fake invoice. Often the account owner is coached regarding<br />
what to say if the bank’s fraud department contacts them and many times winds up taking sides with the<br />
fraudster against the bank’s investigators! From a bank’s perspective, this complicates matters<br />
significantly as apart from their usual screening, they must now also verify the legitimacy of the safe<br />
account where the payment is being wired. First-party fraud is also on the rise. In several countries<br />
“money mules” are systematically recruited by organized gangs using a cover story promising quick<br />
monetary gain via social media with the objective of fraudulent account opening and laundering crime<br />
money. While several of the victims are college students and teenagers getting scammed, many do it<br />
for money. As controls over mobile and digital channels have strengthened, fraud has also shifted into<br />
the contact center where social engineering and MITM attacks can be highly effective at compromising<br />
traditional KBA (Knowledge Based Authentication).<br />
Strong Digital Identity Needs Modern Authentication<br />
Digital transformation initiatives can leverage a treasure trove of personal information already stored by<br />
the bank including biometrics, biographic information and behavioral data gathered since account<br />
opening. For example, a video face capture or liveness check during KYC could be combined with<br />
behavioral data to detect impersonation or known bad behavior. This identity verification could also be<br />
used as a “trust anchor” as defined by Gartner research, to step up authentication during risky or high<br />
value transactions, or during a vulnerable situation such as device enrollment or account recovery.<br />
Passwordless methods such as Phone-as-a-Token or FIDO2’s strong passwordless authentication can<br />
be adopted to improve website security and reduce dependence on passwords. FIDO2 is the set of<br />
standards and protocols developed by the FIDO Alliance and the World Wide Web Consortium (W3C) to<br />
strengthen website authentication. An added benefit is that such technologies, while more secure, are<br />
also easier to use, providing a better overall user experience and satisfaction.<br />
Passwordless authentication options for consumers could include use of Phone-as-a-Token where an<br />
un-phishable trusted relationship is established between the individual and their enrolled mobile phone.<br />
Phone manufacturers and versions can be managed as part of an allow/deny list, and conditions<br />
exploited during MITM attacks, such as a jailbreak, can be detected. Upon securing consent, the security<br />
level could be dynamically adjusted depending on the customer’s geolocation and/or behavior, which<br />
improves protection for the consumer, employee and the company. For private or secure environments<br />
like contact centers where a phone may not be feasible, FIDO2 security keys could be an efficient<br />
alternative.<br />
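The "un-phishable" property claimed for FIDO2 above does not come from the key material alone: it comes from the browser writing the site's origin and relying-party ID (rpId) into the data the authenticator signs, and from the bank's server checking both before it accepts the signature. The following Python is an added model of those relying-party checks, written for this page and not code from Veridium, the FIDO Alliance or the W3C. An HMAC over a per-credential secret stands in for the ECDSA signature a real authenticator produces, the signature counter is left at zero, and every origin, host and class name in it is constructed for the example.<br />

```python
"""Added example: a model of the WebAuthn/FIDO2 assertion checks that bind a
passwordless login to the site's origin.  An HMAC over a per-credential secret
stands in for the ECDSA signature a real authenticator produces; origins and
hostnames are constructed for this example."""
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlparse

def sha256(data):
    return hashlib.sha256(data).digest()

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class Authenticator:
    """Phone or security key: one credential per relying-party ID (rpId)."""
    def __init__(self):
        self.credentials = {}  # rp_id -> (credential_id, secret)

    def make_credential(self, rp_id):
        cred = (secrets.token_bytes(16), secrets.token_bytes(32))
        self.credentials[rp_id] = cred
        return cred  # a real authenticator returns a public key, not the secret

    def get_assertion(self, rp_id, client_data_json):
        cred = self.credentials.get(rp_id)
        if cred is None:
            return None  # nothing enrolled for this rpId, so no assertion at all
        # authenticatorData = rpIdHash || flags (UP bit) || signCount (unused here)
        auth_data = sha256(rp_id.encode()) + b"\x01" + b"\x00\x00\x00\x00"
        sig = hmac.new(cred[1], auth_data + sha256(client_data_json), hashlib.sha256).digest()
        return {"credential_id": cred[0], "authenticator_data": auth_data,
                "client_data_json": client_data_json, "signature": sig}

class Browser:
    """The user agent, not page script, fills in origin and rpId."""
    def __init__(self, authenticator):
        self.authenticator = authenticator

    def navigator_credentials_get(self, origin, challenge):
        client = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
        client_json = json.dumps(client, sort_keys=True).encode()
        return self.authenticator.get_assertion(urlparse(origin).hostname, client_json)

class RelyingParty:
    """The bank's server: single-use challenges, then the spec's verification steps."""
    def __init__(self, origin):
        self.origin, self.rp_id = origin, urlparse(origin).hostname
        self.credentials = {}  # credential_id -> secret
        self.pending = set()

    def enroll(self, credential_id, secret):
        self.credentials[credential_id] = secret

    def new_challenge(self):
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion):
        """Return (accepted, reason); every rejection names the failed check."""
        client = json.loads(assertion["client_data_json"])
        challenge = b64url_decode(client.get("challenge", ""))
        auth_data = assertion["authenticator_data"]
        secret = self.credentials.get(assertion["credential_id"])
        if client.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if challenge not in self.pending:
            return False, "unknown or already used challenge"
        if client.get("origin") != self.origin:
            return False, "origin mismatch: %s" % client.get("origin")
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False, "rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return False, "user presence not asserted"
        if secret is None:
            return False, "unknown credential"
        expected = hmac.new(secret, auth_data + sha256(assertion["client_data_json"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        self.pending.discard(challenge)  # consumed on success; a replay fails above
        return True, "ok"

def demo():
    """A real login, a replay of it, and a look-alike origin (all constructed)."""
    bank = RelyingParty("https://www.example-bank.com")
    browser = Browser(Authenticator())
    bank.enroll(*browser.authenticator.make_credential(bank.rp_id))
    assertion = browser.navigator_credentials_get(bank.origin, bank.new_challenge())
    results = {"login": bank.verify(assertion), "replay": bank.verify(assertion)}
    lookalike = "https://www.example-bank.com.login-verify.example"
    # rpId is derived from the look-alike host, for which nothing is enrolled.
    results["lookalike"] = browser.navigator_credentials_get(lookalike, bank.new_challenge())
    # Even an assertion the user did produce elsewhere carries the wrong origin.
    browser.authenticator.make_credential(urlparse(lookalike).hostname)
    relayed = browser.navigator_credentials_get(lookalike, bank.new_challenge())
    results["relayed"] = bank.verify(relayed)
    return results
```

demo() shows the four outcomes a bank's verifier should produce: the genuine login is accepted, replaying the same assertion fails on the spent challenge, a look-alike host yields no assertion at all because the browser derives rpId from the page's own hostname, and an assertion produced for that look-alike host is rejected on the origin check before the signature is even examined. Contrast this with a password or a TOTP code, which carry no notion of where they were typed.<br />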
About the Author<br />
A seasoned cybersecurity executive, Rajiv Pimplaskar is<br />
driving global go-to-market strategy and revenue for Veridium. Based out of<br />
the company’s New York headquarters, Rajiv comes to Veridium from San<br />
Francisco-based Cloudmark – a leader in threat intelligence (acquired by<br />
Proofpoint). Previously, he held senior leadership roles spanning sales,<br />
marketing, product, and corporate development at Atlantis Computing<br />
(acquired by HiveIO) and Verizon. Rajiv is an Electrical Engineering and<br />
Computer Science professional by trade and is passionate about building and<br />
scaling enterprise software companies that offer a market disruption.<br />
Rajiv can be reached online at @veridiumid and at our company website https://www.veridiumid.com/<br />
Why <strong>Cyber</strong> Risk Is the Top Concern of The Financial<br />
Services Industry<br />
The sector faces a wide range of challenges ranging from Covid to compliance to the cloud, to name just<br />
a few.<br />
By Paul Schiavone, Global Industry Solutions Director - Financial Institutions at Allianz<br />
Global Corporate & Specialty<br />
Ever since Covid-19 led to an unplanned increase in homeworking and electronic trading, cyber security<br />
experts have been warning financial institutions of a perfect storm. In fact, attacks against the financial<br />
sector were reported to have increased by well over 200% globally from the beginning of February 2020<br />
to the end of April 2020, with some 80% of financial institutions reporting an increase in cyber-attacks,<br />
according to security firm VMware. Weaker controls and oversight, laxer security in the home office and<br />
the greater likelihood of employees falling victim to scams while working remotely were just some of the<br />
reasons cited behind this dramatic rise.<br />
The reason for the uptick in cyber-attacks on financial services is simple. At the end of the day, cyber<br />
criminals go where the money is, and financial companies hold an extraordinary amount of sensitive data<br />
on individuals, businesses and governments. <strong>Cyber</strong> security has been an existential issue for financial<br />
institutions, and they have been investing heavily in it for years. However, with such potentially high<br />
rewards, cyber criminals will also invest time and money into attacking them. For example, the Carbanak<br />
and Cobalt malware campaigns targeted over 100 financial institutions in more than 40 countries over a<br />
five year period, stealing over $1bn.<br />
Regulators get tougher<br />
At a time when financial institutions are becoming more reliant on technology and data to provide products<br />
and services to customers, they increasingly face a challenging regulatory environment. In many parts of<br />
the world, firms face a growing body of regulation, including evolving data protection and privacy rules,<br />
as well as cyber security requirements.<br />
In particular, there has been a seismic shift in the regulatory view of privacy and cyber security. Where<br />
regulators previously looked to incentivize firms to invest in cyber security, they now see it through the<br />
lens of consumer rights and data privacy. With the General Data Protection Regulation (GDPR) in<br />
Europe and the likes of the California Consumer Privacy Act in the US, companies now need to<br />
operationalize their response to regulation and privacy rights, not just look at cyber security.<br />
The consequences of data breaches are far-reaching, with more aggressive enforcement, higher fines<br />
and regulatory costs, and growing third party liability. Under the GDPR, the number and value of fines for<br />
data and privacy has been growing while jurisdictions around the world have been introducing stricter<br />
data laws. Increasingly, breaches and regulatory actions are followed by litigation, with a number of group<br />
actions now pending in the UK as well as the US. A data breach at Capital One bank in 2019 – one of<br />
the largest-ever – resulted in an $80mn fine and a number of lawsuits by affected customers. More<br />
recently, following a number of major outages at banks and payment processing companies, regulators<br />
have begun drafting business continuity requirements in a bid to bolster resilience.<br />
Ransomware attacks on the rise<br />
Ransomware attacks continue to increase in frequency and severity, with ever larger ransom demands.<br />
Last year, the Securities Exchange Commission in the US warned about a rise in the number and<br />
sophistication of ransomware attacks on US financial institutions. Ransomware attacks were up ninefold<br />
between February and the end of April 2020, according to VMware.<br />
A recent development has seen hackers steal sensitive data and threaten to publish it online if ransoms<br />
are not paid. US lender Flagstar Bank, for example, suffered a ransomware attack in early 2020 that saw<br />
hackers post personal details online in an attempt to extort money. Last year, Chilean bank BancoEstado<br />
shut down branches after a ransomware attack. In March <strong>2021</strong>, CNA Hardy was also hit by a<br />
sophisticated ransomware attack which impacted its operations and email systems and significantly<br />
disrupted the insurer for a number of weeks.<br />
If criminals can get access to critical systems or sensitive data, they will look to monetize the attack<br />
through extortion. At the same time, the rise of cryptocurrencies like Bitcoin is making it easier for cyber<br />
criminals to carry out successful ransomware or extortion attacks.<br />
“Fake presidents” and ATM “Jackpotting”<br />
With many employees working from home and under increased stress, Covid-19 has created<br />
opportunities for cyber criminals to carry out various scams and cyber-attacks. The US Federal Bureau<br />
of Investigation (FBI) received over 28,500 complaints related to Covid-19 cyber-crime alone in 2020.<br />
Many incidents looked to exploit stimulus funds and Paycheck Protection Program (PPP) loans, as well<br />
as to use Covid-19 related phishing lures to steal money or personal data.<br />
<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>July</strong> <strong>2021</strong> <strong>Edition</strong> 112<br />
Copyright © <strong>2021</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.
Business email compromise (BEC) attacks, also known as “fake president” attacks, are a particular problem for financial institutions<br />
that make large numbers of high value payments on behalf of their customers. The cost of BEC attacks<br />
reached $1.86bn in 2020, accounting for almost half of all reported cybercrime losses. Such attacks are<br />
becoming more sophisticated and increasingly involve identity theft and funds being converted to<br />
cryptocurrency.<br />
ATM “jackpotting” attacks continue to be a threat as well. On July 13, 2020, Belgian savings bank Argenta shut down 143 cash machines after criminals tried to take control of the machines through the bank's network servers. These attacks have become increasingly sophisticated, and over the last five years “jackpotting” has cost the financial services sector millions of dollars.<br />
Third party service providers can be the weak link in the cyber security chain<br />
One of the largest and most sophisticated cyber-attacks of the past year, the SolarWinds incident, was a supply chain attack. The attackers gained access to SolarWinds' environment and inserted a backdoor into a legitimate, signed update of its Orion network management software, which was then distributed to thousands of organizations, including banks and government agencies. The SolarWinds breach is an important reminder of how exposed the financial services sector is to cyber-attacks and outages through its reliance on third-party suppliers and service providers, over whose security it has little or no control. This is likely to become a bigger issue as regulators increasingly focus on business continuity and operational resilience.<br />
Most financial institutions now use cloud services to access additional processing capacity, for IT infrastructure, or to carry out specific processes such as fraud detection and analytics. On one hand, cloud providers are developing tools to help organizations manage and mitigate their cyber risks. On the other hand, growing reliance on a relatively small number of cloud providers, together with the opacity of cloud infrastructure, can create large and systemic risks. A Bank of England survey of banks and insurers last year found that the provision of IT infrastructure in the cloud is already highly concentrated: the top two infrastructure-as-a-service providers had around two-thirds of the market among banks.<br />
How financial institutions manage risks presented by the cloud will be critical going forward. They are<br />
effectively offloading a significant portion of cyber security responsibilities to a third-party environment.<br />
Your cloud service vendors can become your exposure.<br />
Risk mitigation best practice<br />
Cyber-attacks often include a human element, with employees, contractors or even customers unwittingly complicit in incidents. Clients tell us that cyber is the number one concern of every C-suite executive, and we see particular and growing concern about the human factor. A single click on a link or a download can lead to a costly ransomware attack or a data breach, with reputational damage and loss of data.<br />
Training and technology can help minimize human error. As the first line of defense, employees can make or break an organization's security posture and, often, its reputation. Well-trained employees can significantly reduce the impact of a breach or even prevent it from happening. Employees should be regarded as part of the cyber security team, with a corresponding investment in their training and education. The same applies to top<br />
management, who should periodically rehearse scenarios so that they are better prepared to respond to a major cyber incident. Since cyber security goes right up the chain, building resilience and business continuity planning is absolutely key to reducing the impact.<br />
Companies should consider taking the opportunity to run a desktop (tabletop) exercise with their insurer and broker, including key internal and external stakeholders. This builds trust and can take the sting out of a crisis. Cross-sector exchange and cooperation among companies, such as that established by the Charter of Trust, is also key to defending against highly organized commercial cyber crime, developing joint security standards and improving cyber resilience.<br />
About the Author<br />
Paul Schiavone, Global Industry Solutions Director Financial Services<br />
at Allianz Global Corporate & Specialty, has over twenty years of<br />
experience in the insurance industry as legal counsel, underwriter,<br />
broker, manager and Chief Underwriting Officer, working in New York,<br />
Paris, San Francisco and London.<br />
Paul can be reached online at https://www.linkedin.com/in/paulschiavone-91401b40/<br />
What Educational Institutions Need to Do to Protect Themselves From Cyber Threats<br />
By Cyril James, Founder and CEO, Secure Triad<br />
The COVID-19 pandemic and the lockdowns that followed have changed how we socialize and live, and the effects are felt in both our personal and professional lives.<br />
One of the biggest impacts has been on education, which responded to the threat posed by the pandemic by moving teaching and training online.<br />
Technology in the education sector is no longer a novelty but the norm, and that makes schools and universities prime targets for cyber-attacks.<br />
Online learning has allowed students around the world to continue their education from the safety of their homes, but it has added new complexities to the cyber security challenges that educational institutes face.<br />
The pandemic has handed cybercriminals tailor-made opportunities to attack institutes' networks, and their teachers and students as well.<br />
This challenge is not unique to the education sector, but the threat is larger there: unlike office employees, students have had little exposure to, or training in, cyber security.<br />
Challenges Faced by Education Institutes<br />
Coronavirus-themed phishing mail is on the rise. With teachers, students and administrative staff spending more and more time online, such mail easily finds its way into their inboxes.<br />
These scams prey on untrained users, turning them into victims of account takeover and accidental disclosure of private information.<br />
That gives attackers the credentials they need to log in to the institute's servers, access sensitive data and launch ransomware attacks.<br />
Another challenge is the lack of skilled IT staff, which leaves the institution's network exposed to these threats.<br />
With institutions closed by the pandemic, only a skeleton staff is at work, most of it remotely. In that situation the institute's security needs, such as identifying risky or suspicious users and mail, implementing network security effectively, and enforcing device management and endpoint security policies, may be neglected.<br />
Weak or missing security infrastructure gives attackers a golden opportunity to break in and infect the network. Many employees are working remotely on personal systems that lack robust security controls and are easy to compromise.<br />
These are some of the challenges institutes face. The next step is to understand the measures they need to adopt to safeguard their networks and data.<br />
Awareness and Training<br />
Basic training should be provided to administration, faculty, students and their parents. Especially for younger students, parents should be responsible for monitoring the child's activities online.<br />
Faculty, students and parents need to understand the risks of using online platforms and the likelihood of being targeted by attackers. Staff, students and parents must be trained to recognize and handle malware and phishing emails; good training markedly reduces the chance that a phishing link or attachment is opened by mistake.<br />
Institutes should also prepare and enforce an acceptable use policy that states clearly to students what is and is not acceptable, so that faculty, too, understand the framework for what is allowed on online learning platforms.<br />
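Training people to spot phishing goes further when the mail system applies the same checks automatically. The following Python is an added example for this article, not code from the author or from Secure Triad. It assumes the institute's own domain is example-college.edu (a placeholder) and that the receiving mail server stamps an Authentication-Results header; the two messages it triages are constructed for the demonstration. It flags failed SPF/DKIM/DMARC results, a display name that claims the institute while the address is elsewhere, a diverted Reply-To, a lookalike sender domain, and credential or urgency lures in the body.

```python
"""Phishing triage run over constructed sample messages (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

INSTITUTE_DOMAIN = "example-college.edu"  # assumption: the institute's real domain

LURE_PATTERN = re.compile(r"verify your (account|password)|will be suspended|urgent", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def triage(raw_message: str) -> dict:
    """Return the sender, a list of findings and a verdict for one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(sender)
    findings = []

    # 1. What did our own mail server conclude about SPF, DKIM and DMARC?
    auth = str(msg.get("Authentication-Results", ""))
    results = {m.group(1).lower(): m.group(2).lower()
               for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
    for check in ("spf", "dkim", "dmarc"):
        if results.get(check) != "pass":
            findings.append(f"{check} result is {results.get(check, 'absent')}, not pass")

    # 2. Display name claims to be the institute while the address is elsewhere.
    if INSTITUTE_DOMAIN in display_name.lower() and sender_domain != INSTITUTE_DOMAIN:
        findings.append("display name impersonates the institute")

    # 3. Replies are diverted to a domain other than the visible sender's.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To goes to {domain_of(reply_to)}")

    # 4. Sender domain is one or two characters away from the institute's own.
    if 0 < edit_distance(sender_domain, INSTITUTE_DOMAIN) <= 2:
        findings.append(f"{sender_domain} is a lookalike of {INSTITUTE_DOMAIN}")

    # 5. Credential or urgency lure in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and LURE_PATTERN.search(body.get_content()):
        findings.append("credential/urgency lure in body")

    verdict = "suspicious" if len(findings) >= 2 else "likely ok"
    return {"sender": sender, "findings": findings, "verdict": verdict}


# Constructed sample messages (not real mail).
PHISH = """\
Authentication-Results: mx.example-college.edu; spf=fail smtp.mailfrom=examp1e-college.edu; dkim=none; dmarc=fail header.from=examp1e-college.edu
From: "IT Helpdesk example-college.edu" <helpdesk@examp1e-college.edu>
Reply-To: <collect@mail-drop.example.net>
To: student@example-college.edu
Subject: COVID-19 portal update: verify your account
Content-Type: text/plain; charset="utf-8"

Your campus account will be suspended. Verify your password at the link below.
"""

LEGIT = """\
Authentication-Results: mx.example-college.edu; spf=pass smtp.mailfrom=example-college.edu; dkim=pass header.d=example-college.edu; dmarc=pass header.from=example-college.edu
From: Registrar <registrar@example-college.edu>
To: student@example-college.edu
Subject: Autumn timetable
Content-Type: text/plain; charset="utf-8"

The autumn timetable is now on the intranet.
"""

if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        report = triage(sample)
        print(report["sender"], "->", report["verdict"])
        for finding in report["findings"]:
            print("  -", finding)
```

The verdict threshold of two findings is deliberate: a single failed check (a legitimate forwarder breaking SPF, say) should go to a reviewer rather than straight to quarantine, while the combination of failed authentication, a lookalike domain and a diverted Reply-To is almost never benign.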
Technical Threat Response Support<br />
Institutes should hire cyber security experts and treat the cost as an investment in the institute's security. The team would be responsible for all of the institute's security needs, including configuration and updating of security systems and round-the-clock threat hunting, detection and response.<br />
Firewall Security<br />
VPN connectivity, giving institutes the option to choose either or both for secure remote connectivity.<br />
SD-WAN integrated into the firewall lets institutes connect their sites to each other and share data securely.<br />
Synchronized security, where the firewall and the endpoint agent share device health status, also makes it possible to identify when a connected remote device is infected and to isolate it until it is clean and free of malware. That way the infection cannot spread across the network.<br />
Two-factor or multi-factor authentication<br />
MFA is an effective control against unauthorized access with stolen or phished passwords. One caveat: one-time codes sent by SMS or generated by an app can still be relayed by a real-time phishing proxy, so phishing-resistant methods such as FIDO2/WebAuthn security keys or platform authenticators are preferable where the learning platform supports them. To make sure faculty and students adhere to internet safety policies, the institute should also mandate alerts for suspicious sign-in activity and for non-compliant devices.<br />
Antivirus and web access<br />
Unless the institute routes faculty and student traffic through its own secure VPN, where central filtering applies, it will need to protect them with web filtering rules enforced on the device itself.<br />
Endpoint protection suites can block access to inappropriate websites, stop risky files from being downloaded and provide category-based web filtering. Advanced endpoint protection can also break the phishing attack chain and, by learning from blocked attempts, prevent similar attacks in future.<br />
The software should also be able to roll files back to their pre-attack state if they are encrypted by ransomware, which protects data on school-supplied laptops or tablets used by faculty or students.<br />
Rising coronavirus case numbers make it uncertain when educational institutes will return to normal operation, or whether online learning will become an entirely new normal.<br />
Either way, it is essential that institutes take the appropriate steps to adopt security measures that maximize their safety.<br />
Institutes without cyber security resources of their own can hire third-party managed security service providers. These vendors can provide support or coordination in developing a sustainable, secure and successful online learning experience.<br />
However, because such third parties will have access to sensitive data, institutes must conduct due diligence and background checks before hiring them to manage their systems and services.<br />
About the Author<br />
Cyril James is the Founder and CEO, Secure Triad. He has a solid<br />
foundation in the Information Technology and Communication<br />
industry with over 13 years of experience. His expertise lies in<br />
Information Security, specializing in network, web and mobile<br />
applications, and cloud penetration testing across various industry<br />
domains like banking, insurance, energy, telecom, IT products and<br />
services, and others. He is well-versed in penetration testing<br />
methodologies including OWASP, OSSTMM and PTES. He has solid<br />
understanding of technical concepts of cloud computing, machine<br />
learning, and various programming languages. Cyril is a visionary and strategy-builder, has good<br />
communication skills, and is great with managing teams. Cyril can be reached online at (EMAIL,<br />
TWITTER, LinkedIn) and at our company website https://securetriad.io/<br />
Business Continuity: Where InfoSec and Disaster<br />
Recovery Meet<br />
By Adam Berger, VP of Global IT and Cloud Operations, Infrascale<br />
The escalation of cyber-attacks and the intensity of recent natural disasters create the same fundamental<br />
risk for businesses large and small — business continuity. Every business manager feels the weight of a<br />
potential disruption to normal operations, whether ransomware attack or storm-induced mass power<br />
outages are to blame. Ensuring business continuity requires maintaining vigilance on two sides of a coin:<br />
preventing disruption from occurring in the first place and restoring operations as quickly as possible after<br />
any disruption. For the sake of this article, we’ll limit our use of “prevention” to topics of Information<br />
Security (InfoSec) (i.e., procedures or measures used to protect digital data from unauthorized use) in<br />
businesses with any online or digital presence.<br />
The efficacy of any business continuity plan depends largely on the fast, robust implementation of both<br />
information security and disaster recovery. But the reality is that the two are deeply intertwined, both<br />
fundamentally concerned with keeping network, infrastructure configurations, and data protected and<br />
usable.<br />
Leaving Nothing to Chance: Assess and Mitigate Your Risks Through Asset Identification and Effective Risk Analysis<br />
Three Effective Asset Determinations<br />
Developing information security and disaster recovery plans that ensure a high level of data protection<br />
and safeguard business continuity begins with a baseline evaluation that makes three vital determinations<br />
which can be done as part of a risk analysis.<br />
First, businesses must identify all assets important to the company, including physical and information<br />
assets. These might be servers, confidential files, intellectual property, customer product, and other key<br />
assets. While it sounds obvious, software asset management (SAM) isn’t only about optimizing<br />
purchases, deployment, and maintenance of tech. It begins with a comprehensive inventory of assets.<br />
This is important since many SMB and midsized businesses simply do not have a complete view into<br />
every tool and process their teams use.<br />
For information security plans, the inventory should record what kind of secure access and what protections against data exploitation are in place for every asset. For disaster recovery, it should record the required availability of every infrastructure asset and data set for internal or external customers, so that service levels can be maintained.<br />
Second, for each asset inventoried, businesses must specify the value of what they’re protecting, to both<br />
the company and to customers. If particular infrastructure processes or data were gone, what will the<br />
damage be to the company? This should be measured in terms of both direct revenue loss and in terms<br />
of reputation loss.<br />
Third, businesses must determine the level of investment the company is willing and able to make to<br />
protect each asset, including all types of data. An honest cost-benefit analysis and assessment of the<br />
company’s financial health should be factored into the level of investment required and weighed against<br />
other business priorities.<br />
Although these baseline evaluations are often delegated to particular management and technical teams, the company's leadership team bears ultimate responsibility. An effective leadership team knows what assets the company has, the value of each, the risks related to each, and the investment that should be made to protect them based on the business's risk tolerance. A healthy information security practice delivers the risk analysis that lets the business make these critical decisions.<br />
Heads: Mitigating InfoSec Risks in Business Processes and in Technical Choices<br />
Beyond the baseline evaluations, the information security side of the equation requires that businesses<br />
drill down into the origin of risk. A sound plan should consider risk that comes from business processes<br />
as well as technical choices.<br />
With respect to risk in business processes, company leaders should ask:<br />
● What vendors do we use, and do we understand their processes and protections?<br />
● Are there third-party requirements, such as standards, attestation frameworks and regulations like ISO 27001, SOC reports and HIPAA?<br />
● Have we evaluated our contract management processes? Are these processes fully understood?<br />
● What kinds of confidentiality agreements do we have in place?<br />
● How educated are employees on information security risks? Are they properly trained on the acceptable use policy and on how to protect infrastructure and data?<br />
● Is change management established to prevent infrastructure and data from being compromised by mistake or deliberately?<br />
● If we are a software company, are engineering practices in place to make sure code is developed securely?<br />
● What regulatory laws apply to our business in the regions we operate in?<br />
With respect to technical choices, company leaders should ask:<br />
● What technical controls are in place for every asset, and do we know where every asset is located and who has access to it?<br />
● Are appropriate antivirus and anti-malware protections in place?<br />
● Are the right tools in place to identify other kinds of malicious behavior?<br />
● Is strong network protection in place, such as firewalls and next-generation options for enterprises?<br />
● Are there multiple layers of application filtering and strong access control systems in place?<br />
● Are logging tools in place that give good visibility into what is happening inside the infrastructure?<br />
● Are monitoring tools in place to detect anomalies that may indicate servers and other infrastructure have been compromised?<br />
For every interface from which critical information can be accessed, a company needs to have a tool or<br />
mechanism in place to identify what’s happening. The bottom line with risk, however, remains twofold. If<br />
information security is not baked into the ongoing business processes that support daily and changing<br />
business needs, a potential security threat could completely bypass all the powerful technical tools in<br />
place. A CISO can spend a million dollars on technical security and backup disaster recovery tools, but<br />
risks will remain if business processes are poorly managed. Making sure a company is investing in<br />
securing those “softer” processes, as well as its technical tools, is key and an often-overlooked part of<br />
information security.<br />
It’s noteworthy that approaches like zero trust architecture are best suited to mature enterprise security<br />
programs that can accommodate the level of granularity that zero trust requires. Zero trust makes sense<br />
for banks or companies with financial data and intellectual property or other information that is high value,<br />
where a security topology already features robust process management and significant financial<br />
investment. However, despite its value, SMB and midsized businesses typically are not able to make the<br />
investment in tools, people, and processes that zero trust requires.<br />
Tails: Upon Disruption, Planning for Optimal RPO and RTO – Your response to incidents is as<br />
important as your defense from them.<br />
If business disruption does occur and breaks through a company’s administrative processes and<br />
technical defenses, whether via attack or non-malicious disaster, disaster recovery planning dovetails<br />
with infosec incident management. For disaster recovery, two key metrics come into play, and both are<br />
very important for business leaders to understand.<br />
Recovery Point Objective (RPO) is the amount of data, expressed as a time window of data loss, that a company can lose and still be viable. Recovery Time Objective (RTO) is the time allowed after a disaster until business operations are functioning normally again, with resources available for use. Financial institutions with sensitive data and real-time transactions need an RPO and RTO measured in seconds or minutes, whereas other kinds of business may be able to withstand hours of data loss and days until recovery. An RTO of two minutes versus 24 hours equates to a very different level of investment in people, processes and availability. Do your security and disaster response plans allow you to meet these objectives? Do you have the people and technical resources to execute those plans?<br />
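Whether an RPO and RTO are actually met is something that can be checked against records rather than asserted in a plan. The Python below is an added example, not code from the author or from Infrascale: it reads a constructed backup job log, finds the latest restorable point for a given incident time and the resulting data loss against the RPO, lists the windows in which the schedule had already breached the RPO (a failed job, for instance), and sums a hypothetical restore runbook against the RTO. The log lines, the RPO and RTO values and the runbook step durations are all constructed for the demonstration.

```python
"""RPO and RTO checks over a constructed backup log (added example)."""
from datetime import datetime, timedelta

# Constructed job log: ISO timestamp of completion, then key=value fields.
BACKUP_LOG = [
    "2021-06-14T02:00:11 backup job=db-full status=ok",
    "2021-06-14T06:00:09 backup job=db-incr status=ok",
    "2021-06-14T10:00:30 backup job=db-incr status=failed err=target-unreachable",
    "2021-06-14T14:00:12 backup job=db-incr status=ok",
    "2021-06-14T18:00:08 backup job=db-incr status=ok",
]

# Hypothetical restore runbook: (step, minutes), executed in sequence.
RESTORE_STEPS = [
    ("provision replacement host", 45),
    ("restore last full backup", 90),
    ("replay incrementals", 30),
    ("validate and cut over", 20),
]


def parse_backup_log(lines):
    """Completion times of successful backups only; failed jobs do not count
    as restore points, which is exactly what opens an RPO gap."""
    done = []
    for line in lines:
        ts, _, rest = line.partition(" ")
        if "status=ok" in rest.split():
            done.append(datetime.fromisoformat(ts))
    return sorted(done)


def rpo_report(backups, incident_iso, rpo_hours):
    """Latest restorable point before the incident and the data window lost."""
    incident_at = datetime.fromisoformat(incident_iso)
    usable = [b for b in backups if b <= incident_at]
    if not usable:
        return {"restore_point": None, "data_lost_minutes": None, "rpo_met": False}
    lost = incident_at - usable[-1]
    return {
        "restore_point": usable[-1].isoformat(),
        "data_lost_minutes": lost.total_seconds() / 60,
        "rpo_met": lost <= timedelta(hours=rpo_hours),
    }


def rpo_gaps(backups, rpo_hours):
    """Intervals between consecutive successful backups longer than the RPO:
    an incident anywhere in such a window would have lost more than allowed."""
    limit = timedelta(hours=rpo_hours)
    return [
        (a.isoformat(), b.isoformat(), (b - a).total_seconds() / 3600)
        for a, b in zip(backups, backups[1:])
        if b - a > limit
    ]


def rto_report(steps, rto_hours):
    """Total sequential restore time compared with the RTO."""
    total_minutes = sum(minutes for _, minutes in steps)
    return {"total_minutes": total_minutes, "rto_met": total_minutes <= rto_hours * 60}


if __name__ == "__main__":
    backups = parse_backup_log(BACKUP_LOG)
    print("incident at 13:30:", rpo_report(backups, "2021-06-14T13:30:00", 4))
    print("RPO gaps (4h):", rpo_gaps(backups, 4))
    print("RTO 4h:", rto_report(RESTORE_STEPS, 4))
    print("RTO 2h:", rto_report(RESTORE_STEPS, 2))
```

With a four-hour RPO the single failed 10:00 job already breaches the objective for anything that happens before 14:00, which is the kind of silent gap a monitoring check on the job log should page on; and a runbook that totals 185 minutes fits a four-hour RTO but not a two-hour one, which is where the investment discussion above becomes concrete.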
Another key consideration for disaster recovery planning is how to utilize cloud and on-premises<br />
resources. Enterprises with highly customized infrastructure may benefit from hosting their own data<br />
center or leveraging hybrid-cloud deployments. Smaller to midsized companies, where workloads are not<br />
as customized, may achieve a better return on investment (ROI) with a cloud provider. Public cloud can<br />
enable efficient spin up and getting infrastructure back online quickly when there’s no need for heavy<br />
customization of services.<br />
Companies must seek to safeguard business continuity both before disruption occurs and after the fact.<br />
Since the weight of a potential disruption to normal business operations can be crippling, business<br />
leaders need to clearly assess both information security and backup and disaster recovery. A data<br />
protection plan that includes both will ensure that the best and safest path forward is always available -<br />
on either side of the business continuity coin.<br />
About the Author<br />
Adam Berger is VP of Global IT and Cloud Operations at Infrascale. Before Infrascale, Adam managed cloud operations organizations at VMware, OVHcloud US and AWS. Over his career he has built and run operations teams providing world-class infrastructure support, security and compliance, and technical support.<br />
As Director of Cloud Operations at VMware, he grew the cloud operations infrastructure team supporting the vCloud Air platform as it expanded globally over three years. This included establishing a centralized global NOC, platform engineering teams and operational tooling development teams across the US, APAC and EMEA. At OVHcloud US, as Senior Director of Operations, he continued managing vCloud Air (acquired by OVH) while helping the France-based company establish its US footprint, which included launching the US service offering, operationalizing two new data centers, building the security and compliance organization and establishing the internal IT support functions. Most recently he was with AWS, where he served as the global service owner for EC2 in the technical support group. Adam can be reached online at https://www.linkedin.com/in/adamlberger and at our company website https://www.infrascale.com/.<br />
Biometrics Challenges<br />
By Milica D. Djekic<br />
Armed men approach a bank and raid its office. The security manager follows procedure, and the robbers collect the money and leave the scene unharmed. A few minutes later a police patrol arrives and begins an inspection, interviewing everyone who was present at the scene at the time. That is a lot of hard work. The first step the authorities take is to collect findings and evidence from the scene of the crime. The video surveillance system has served its role, but there are fingerprint and DNA traces as well. So they obtain the identity of the offenders; the harder question is how to track their route. Experienced investigators know the criminals may have carried communication devices with them, so that search can be run, too.<br />
It turns out to be a dead end: the offenders switched their devices off while at the scene. In other words, the authorities know who they are, but not where they are. It looks like a maze, does it not? Think twice. If the police have the offenders' biometric parameters, they can search domestic and international databases for identity documents that match them. They do so and, bingo, several passports carrying those biometric inputs are found for the same fingerprint trace. In other words, the authorities now know the men are travelling on fake passports. And then what? Still unclear? Not really.<br />
What can be done in such a case is to reason that the bank robbers must move after committing the crime. They need communications, logistics and accommodation in order to stay afloat. Above all, they travel on fake ID cards and passports, but the biometrics on those<br />
documents are their own; if not, they would fail even simple identification anywhere. It is also obvious that someone inserted those records into the police register, and whether it was corrupt staff or a clever hacker does not matter. The fact is that criminals are always on the move, and sooner or later they will have to present themselves for a biometric scan, for instance to cross a border. That is the moment the smart investigators have been waiting for. Once that location and time are known, it is possible to search for the devices present then and there. Bingo again: the investigation picks up the signal, and the whole history and ongoing route are uncovered. The suspects need somewhere to stay, so it is a simple matter to obtain those connections as well as every contact made from there. Tracking by biometrics is not that hard, is it?<br />
Newer trends may bring offenders who deactivate their devices at the checkpoint itself into sharper focus, but so far staying that untraceable is quite challenging. In any case, we need smart policing that stays at least one step ahead of threats: the bad guys can think, so we must think better than them.<br />
About The Author<br />
Milica D. Djekic is an Independent Researcher from Subotica, the Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for domestic and overseas publications and is the author of the book “The Internet of Things: Concept, Applications and Security”, published in 2017 by Lambert Academic Publishing. Milica is also a speaker on the BrightTALK expert channel. She has been a member of ASIS International since 2017 and a contributor to the Australian Cyber Security Magazine since 2018. Milica's research efforts are recognized by the Computer Emergency Response Team for the European Union (CERT-EU), Censys Press, BU-CERT UK and the EASA European Centre for Cybersecurity in Aviation (ECCSA). Her fields of interest are cyber defense, technology and business. Milica is a person with disability.<br />
Epic V. Apple Trial - Impact of Big Tech Battles on<br />
Consumers' Rights<br />
By Brad Ree, CTO, The ioXt Alliance<br />
Recently, Epic Games, parent company of the popular game Fortnite, took Apple to court over the hold the<br />
tech giant has over the app store ecosystem. Epic argued that the Apple App Store is<br />
a monopoly that stifles competition by charging exorbitant rates on purchases in the store, and that Apple<br />
breached antitrust laws by removing apps, including Fortnite, from the store. Epic Games is fighting<br />
for app developers’ rights in a way that would curb Apple’s power and require a shift in policy to allow<br />
developers to offer in-app purchases without paying Apple its 30% “Apple tax” commission, which has the<br />
potential to permanently alter the mobile apps industry.<br />
As the closing arguments came to an end and we await a verdict, this “app battle royale” has certainly<br />
raised other questions on tech companies’ effect on consumers. When companies such as Apple put up<br />
walls and don't allow for competition within their devices or app stores by blocking outside apps and<br />
integrations within the ecosystem, the consumers’ right to choose is impacted.<br />
If Epic Games wins the trial, the iOS app market will be forced open to many more participants, which would<br />
be a win for app developers and consumers but could bring security risks if not managed<br />
properly. The app store and developers need to consider how to emphasize safety so that<br />
consumers are able to make informed decisions about what they download, mitigate security risks and put<br />
app users first.<br />
What do more open mobile ecosystems mean for the industry<br />
A more open app ecosystem would increase competition and allow consumers to have a bigger pool of<br />
apps to choose from. While competition benefits consumers, it also could open them up to some unknown<br />
risks and security vulnerabilities – especially as there aren’t currently universal security standards for app<br />
development.<br />
To execute a secure, open mobile app market properly, standards need to be put in place to ensure apps<br />
are developed with security in mind from the start to protect all consumers, and developers, from the<br />
devastating impacts of a data breach.<br />
Why the mobile app industry needs security standards<br />
According to Apple, its security standards in the iOS store are high, which is why it limits developers in<br />
its store and how it has earned consumers’ trust; opening the ecosystem to other<br />
developers could threaten that. However, if it did open the store, Apple could adopt security measures<br />
for mobile apps that encourage competition while requiring that any new and current apps have been<br />
developed to guidelines that make them cyber-secure. To be most effective, security standards<br />
should be based on industry-wide agreement and managed by a third party whose only interest is<br />
securing applications for the consumer. Apple setting the standards and being the sole judge and jury<br />
would leave it in the same controlling seat it already occupies.<br />
Transparency from developers and app stores needs to play a bigger role to protect consumers<br />
and give them the resources to make informed decisions about their downloads. Universal security<br />
standards for mobile apps could help create a safer environment for end-users and help provide cohesive<br />
guidelines for industry stakeholders to align with to mitigate security risks and put consumers first. There<br />
are already mobile app standards available through industry-led organizations such as the ioXt Alliance,<br />
which could help create uniformity when it comes to security across the mobile app ecosystems if<br />
implemented. With standards in place, consumers can be in control of their downloads and app<br />
developers could safely participate in the app store with minimal risks.<br />
The Epic Games vs. Apple trial has the potential to change the mobile apps industry if the verdict is<br />
swayed in Epic Games’ favor. This could set a standard to stop big tech companies from monopolizing<br />
ecosystems and stifling consumers’ right to choose, giving other developers a chance to benefit from an<br />
open market. Universal standards in place for mobile app development would help create a safer mobile<br />
apps industry and hold the app store and developers accountable to uphold security for all end-users –<br />
thus putting consumers first in this competitive market.<br />
About the Author<br />
Brad Ree is the Chief Technology Officer at the ioXt Alliance,<br />
the leading organization for IoT standardized security and<br />
privacy requirements. In this role, he leads ioXt’s security<br />
products supporting the alliance. Brad holds more than 25<br />
patents and is the former security advisor chair for Zigbee. He<br />
has developed communication systems for AT&T, General<br />
Electric, and Arris. Before joining the ioXt Alliance, Brad was<br />
vice president of IoT security at Verimatrix, where he led the<br />
development of blockchain solutions for ecosystem operators. He is highly versed in many IoT protocols<br />
and their associated security models.<br />
Brad can be reached at the ioXt Alliance company website : https://www.ioxtalliance.org/<br />
How The Pandemic Has Changed the Value of Health<br />
Data<br />
By Aman Johal, Lawyer and Director of Your Lawyers<br />
The 11th March marked one year since the World Health Organisation (WHO) declared the Covid-19<br />
outbreak a pandemic. To date, over 34,505,380 people in the UK have been vaccinated, paving the way<br />
for a return to normality by allowing restrictions to be eased. At present, people who have had a Covid<br />
jab receive a vaccination card, and the details are stored on their medical records. The government is<br />
now considering how people could prove their Covid vaccination status, with vaccine passports the most<br />
likely solution as "a temporary measure". The hope is that this could reduce social distancing and facilitate<br />
international travel.<br />
According to UK government sources, the NHS app could host the vaccine passports, although it is<br />
unclear how far the project has progressed. A government source reportedly told the BBC that the app<br />
will not be ready “imminently”, while Vaccines Minister Nadhim Zahawi said work is underway to prepare<br />
it.<br />
However, the use of vaccine certification is proving controversial. Basing the passport on an app may<br />
discriminate against those with low incomes or older people who don’t have access to smartphones, and<br />
some may be unable or unwilling to have a vaccine. There are also worries that the immunity passports<br />
could pave the way for a full ID system, which civil rights group Liberty said could permanently curb rights<br />
and freedoms once the pandemic is over. Added to this, they could potentially heighten the risk of data<br />
breaches, because large amounts of highly private information could be readily available if a hacker gets<br />
access to a mobile device.<br />
The rise in cybercrime<br />
During the last year, the UK has seen a significant rise in cybercrime which was likely worsened by the<br />
pandemic. <strong>Cyber</strong>security firm ESET analysed the state of cybercrime in the UK for 2020, and identified<br />
an increase of 19% compared to 2019. The UK Government has announced “ground-breaking” plans to<br />
protect consumers using smart devices from cyberattacks. As sales in smart devices soar (up 49% since<br />
the start of the coronavirus pandemic), cybercriminals continue to become more adept at exploiting<br />
security weaknesses. Many devices remain vulnerable to attack, and just one vulnerable device could<br />
jeopardise a whole network – as illustrated by the 2017 North American casino attack.<br />
The legalities surrounding vaccine passports<br />
It is important to dissect whether companies like airlines can legally require travellers to input vaccination<br />
information, as the entitlement to process medical data normally requires consent. However, if it became<br />
a prerequisite for travel, the focus then is on whether a person wishes to travel or not. We should not<br />
simply assume consent.<br />
An overarching consideration is the highly sensitive nature of the information in question. The<br />
confidentiality and sensitivity of medical records makes them prized assets for cybercriminals, and<br />
potentially raises the chances of a data breach occurring.<br />
Compensation pay-outs for offending businesses are often far more costly because of the increased<br />
potential for consumers to experience distress and psychological trauma from breaches or leaks involving<br />
medical data. For example, victims of the 2018 British Airways (BA) data breach could be eligible to claim<br />
up to an estimated £16,000 in cases of severe psychological distress. Comparatively, in the case of<br />
the 56 Dean Street data breach in 2015, when a leak exposed the contact details of almost 800 patients<br />
using the clinic for HIV services, the most seriously affected claimants could potentially receive damages<br />
of up to £30,000.<br />
The importance of health data<br />
Storing any type of personal consumer data comes with risks. BA suffered two significant data breaches<br />
in 2018, exposing the personal information of more than 420,000 customers. As a result, the Information<br />
Commissioner’s Office (ICO) issued BA with a £20m fine, with the total compensation pay-out in the<br />
group action against BA potentially reaching an additional £2.4bn.<br />
Health data is among the most valuable data a cybercriminal can steal, with a single health record<br />
reportedly costing $250 on the black market, compared to a reported $5.40 for payment card details.<br />
Vaccine passports could heighten the risk to health data: increased accessibility may result in more<br />
cybercriminals targeting the public’s health information as we loosen restrictions over the next few<br />
months.<br />
Gary Cantrell, Head of Investigations at the HHS Office of Inspector General, said hackers tend to steal<br />
medical records because they are like "a treasure trove of information about you." They can contain a<br />
patient's full name, address history, financial information, and National Insurance numbers, which can be<br />
enough information for hackers to take out a loan or set up a line of credit under patients' names.<br />
Increasingly, hackers are selling information for profit on the black market. According to Reuters, buyers<br />
might use the information to create fake IDs to purchase medical equipment or drugs, or to file a false<br />
insurance claim.<br />
The impact of medical data breaches<br />
As we increasingly rely on technology, hackers are finding new ways to attack IT systems, disrupt<br />
computer networks, and steal information. There can be huge benefits when patient data is used<br />
responsibly to save lives and advance medical research, but it is undeniable that it comes with risks.<br />
The potential impact of a data breach often depends on the circumstances. Someone who has a sensitive<br />
medical condition may be much more concerned if part of their medical history was exposed or disclosed.<br />
The possibility that it might fall into the wrong hands could cause them emotional distress.<br />
According to Brandon Reagin, a victim of medical record theft, it's a "mess." Reagin's identity was stolen<br />
in 2004, and the person who accessed Reagin's personal information used it to steal cars and rack up<br />
$20,000 worth of medical procedures. He was reportedly unable to get the charges scrubbed from his<br />
credit report "until the next billing cycle." Then, the process would start all over again.<br />
The person who stole Reagin's identity served time in prison. But, 17 years later, he still hasn't been able<br />
to undo all of the damage, including to the integrity of his own medical files, as the “hospital may still have<br />
his information, his blood type under my name at that hospital… It's a little weird to think".<br />
Proactive steps consumers and healthcare providers can take to protect their data<br />
Healthcare providers and their business associates must balance delivering quality patient care with<br />
protecting patient privacy, always ensuring that they are meeting the strict regulatory requirements set<br />
out in legislation, such as the General Data Protection Regulation (GDPR).<br />
Healthcare staff can protect information with a number of measures including:<br />
• educating staff;<br />
• restricting access to information and applications;<br />
• implementing data usage controls;<br />
• logging, auditing and monitoring use;<br />
• encrypting data both on servers and when it is being transferred;<br />
• securing mobile and remote working devices;<br />
• mitigating connected device risks by conducting regular risk assessments;<br />
• backing up data to secure offsite locations;<br />
• carefully evaluating the security and compliance of business associates.<br />
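The access-restriction, usage-control and audit items in the list above can be shown in working code. What follows is an added example written for this edition, not software from Your Lawyers or from any healthcare provider: a deny-by-default record reader that releases only the fields a (role, purpose) pair needs, together with an append-only audit log whose entries are chained with HMACs so that deleting or editing any entry is detectable. The patient record, the roles and purposes, the field names and the audit key are all constructed for the example; encryption at rest and in transit, also on the list, is not shown here.<br />

```python
"""Added example: deny-by-default access to patient records with a tamper-evident audit trail.

Illustrative code written for this edition, not software from any healthcare
provider or from the author. Record contents, roles, purposes and the key
below are constructed for the example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample record. The field names are assumptions for the example.
RECORDS = {
    "P-1001": {
        "name": "Jane Doe",
        "dob": "1980-02-14",
        "national_insurance": "QQ123456C",
        "address_history": ["1 High St", "2 Low Rd"],
        "diagnoses": ["hypertension"],
        "covid_vaccination": {"doses": 2, "last": "2021-04-20"},
    }
}

# Least privilege: each (role, purpose) pair sees only the fields it needs.
# A pair that is not listed is refused; there is deliberately no "all fields"
# entry, and no pair is ever shown the National Insurance number.
FIELD_POLICY = {
    ("receptionist", "check_in"): {"name", "dob"},
    ("nurse", "treatment"): {"name", "dob", "diagnoses", "covid_vaccination"},
    ("verifier", "vaccine_status"): {"covid_vaccination"},
}

# Constructed key; in production this lives in an HSM/KMS, not in source.
AUDIT_KEY = b"constructed-audit-key-rotate-in-production"


@dataclass
class AuditLog:
    """Append-only log. Each entry's MAC covers the previous MAC and its own
    body, so editing or deleting one entry invalidates everything after it."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        mac = hmac.new(AUDIT_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
        self.entries.append({"event": event, "prev": prev, "mac": mac})

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            expect = hmac.new(AUDIT_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
            if e["prev"] != prev or not hmac.compare_digest(e["mac"], expect):
                return False
            prev = e["mac"]
        return True


AUDIT = AuditLog()


def read_record(user: str, role: str, purpose: str, patient_id: str) -> dict:
    """Return only the fields the (role, purpose) pair may see.
    Every attempt, allowed or refused, is logged before any data is released;
    a refused attempt raises PermissionError."""
    allowed = FIELD_POLICY.get((role, purpose))
    AUDIT.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "purpose": purpose, "patient": patient_id,
        "outcome": "allowed" if allowed is not None else "refused",
        "fields": sorted(allowed) if allowed is not None else [],
    })
    if allowed is None:
        raise PermissionError(f"{role!r} may not read records for purpose {purpose!r}")
    record = RECORDS[patient_id]
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    print(read_record("v1", "verifier", "vaccine_status", "P-1001"))
    try:
        read_record("r1", "receptionist", "vaccine_status", "P-1001")
    except PermissionError as exc:
        print("refused:", exc)
    print("audit log intact:", AUDIT.verify())
```

Calling read_record with a (role, purpose) pair that is not in FIELD_POLICY raises, but the attempt is still recorded, which is what "logging, auditing and monitoring use" requires in practice. The log and its key should be kept away from the host that holds the records, so that an attacker who obtains the data cannot also rewrite the history of who read it.<br />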
The past has taught us that protecting information in the healthcare industry is not an easy task, but an<br />
important one nonetheless – even more so in a post-pandemic world.<br />
About the Author<br />
My name is Aman Johal; I am a lawyer and director at<br />
Your Lawyers.<br />
Aman can be reached online at his company website<br />
https://www.yourlawyers.co.uk/<br />
Galvanizing the <strong>Cyber</strong> Workforce in Private Industry<br />
An agile approach for developing key talent<br />
By Brandon Rogers | CEO & Principal Consultant | Paradoxical Solutions, LLC<br />
Introduction<br />
Cyber is a highly specialized field with strong demand for talented individuals, yet much about the field<br />
itself remains unknown. How can we be sure that cybersecurity is the future, on<br />
the horizon and unparalleled in employment opportunity, while still lacking so much fundamental knowledge<br />
of what the field actually needs?<br />
According to cyberseek.org, there are approximately 465,000 cybersecurity job openings across the US<br />
in both the private and public sectors (Cyberseek, 2021). With the development of the National Initiative for<br />
Cybersecurity Education (NICE) framework, the standards and guidance published by the National Institute of<br />
Standards and Technology (NIST), and the National Initiative for Cybersecurity Careers and Studies<br />
(NICCS), the public sector has made great strides in developing cyber career pathways for government<br />
employees. The private sector needs a similar push, as cyber<br />
vulnerabilities are a huge threat to corporations and their proprietary information.<br />
This topic has great relevance because national security and protecting proprietary information are<br />
pressing issues on the minds of many corporate leaders. In addition to this, especially in a COVID<br />
environment, the way that we work is rapidly evolving. There is a high demand and short supply of<br />
talented cyber professionals and it seems that there is a need for a cyber version of “Talent Management”,<br />
and there is great need for versatility and agility in designing the cyber workforce of tomorrow.<br />
Observations from the field<br />
In both private and public industries, workforce development is usually broken into two separate<br />
functions: talent management and organization development. Talent management is usually positioned<br />
to focus on high potential individuals (a small subset of the full workforce), while organization<br />
development has been stated to encompass the whole. As the field of cyber security expands and<br />
organizations rush to fill the demand across the world, it seems that cyber career development is<br />
becoming a nearly separate initiative to talent management and organization development. It is<br />
imperative that cyber, organization development and talent management professionals begin to<br />
collaborate and dig deep into the field in its nascency to understand the needs of the upcoming workforce.<br />
For roughly six months, I had the opportunity to work as a contractor to a federal organization in a role<br />
focused on cyber workforce development. It was during this time that I learned about the various<br />
initiatives being taken within the public sector to strengthen national security defense against cyberattacks.<br />
One of the key efforts was to develop cyber career pathways and comparable<br />
roles in sibling fields (e.g. information technology, project management), and one of the most<br />
interesting observations I noted was the creation of a focused role specific to cyber workforce<br />
development. It’s become apparent to me that the public sector may be on to something; private industry<br />
should consider establishing such a function as well.<br />
Establishing a dedicated role for cyber workforce development<br />
When taking a step back to consider the compartmentalized nature of these three areas, relevant<br />
research by Bazerman et al. introduce two distinct concepts that inhibit creativity and rationale as to why<br />
this concept of a new hybrid role has not yet emerged (Bazerman et al., 2013, p. 63):<br />
• Bounded rationality – suggests that our thinking is limited and biased in systematic ways.<br />
• Bounded awareness – prevents people from noticing or focusing on useful, observable and<br />
relevant data<br />
The concepts of bounded rationality and bounded awareness continue the mindset of the past and<br />
potentially obstruct the logic for such a position to be created in the future. As private companies aim to<br />
protect critical business information, it may be well worth the time to develop key resources to create a<br />
strong team of cyber individuals. An effort of this magnitude highlights the need for organizations to have<br />
a resource with the combined skills of a talent management, organization development and cyber<br />
professional to execute such an endeavor.<br />
Identifying key talent requires a seasoned cyber professional who understands the technical<br />
aspects of each role, in order to build strengths, close gaps, and recognize the attributes necessary to be<br />
successful in cyber. In addition to technical acumen, a working knowledge of the human capital lifecycle<br />
and organizational enablement is necessary to understand how to grow talent. Relevant literature<br />
supports the idea of hybrid roles when discussing the concept of the Versatilist, or “people whose<br />
widening portfolios of roles, knowledge, insight, context and experiences can be applied and recombined<br />
in numerous ways to fuel innovative business value” (Bopp et al., 2010, p. 130).<br />
One way to visualize such a role is through the cyber workforce development<br />
logic model:<br />
[Figure: Cyber Workforce Development Logic Model. Rogers, 2021]<br />
The logic model establishes and visualizes a dedicated role (the cyber workforce development versatilist)<br />
for an individual who possesses the skills of a talent management and organization development<br />
professional; the arrows indicate support from those dedicated functions. This individual also<br />
possesses the technical skills of a cyber expert, and the light arrow indicates foundational support from<br />
information technology and cybersecurity. The expert is then able to properly support, grow, and<br />
enhance professionals at any stage of their career.<br />
Potential arguments and considerations<br />
With any new idea, there is always inherent risk. A potential argument to this proposal is that having a<br />
cyber workforce development versatilist role could be considered a duplication. As talent management<br />
and organization development professionals are skilled in developing individuals across the human<br />
capital lifecycle, the responsibility of recruiting by identifying expertise could be shifted to hiring<br />
managers. Hiring managers typically possess the technical skills and (ideally) have moved into<br />
management roles based on their ability to lead. As they possess the necessary skills needed to identify<br />
and recruit talent, they could work with talent management/organization development professionals to<br />
get the same result.<br />
I recommend that leaders of private organizations consider this framework and a dedicated role to cyber<br />
workforce development as there is a great need and not enough bandwidth on either side to ensure<br />
focused development of cyber professionals. Should this approach be adopted, private organizations<br />
(which tend to have less of a cyber team, and instead a cyber individual) would be able to better prepare<br />
for cyber threats and ultimately protect proprietary information. In addition to this, organizations would<br />
become more aware of the resources needed for proper cyber security and have a dedicated<br />
professional(s) for managing and developing those employees across the human capital lifecycle.<br />
Conclusion<br />
Ultimately, the key position is that the cyber landscape is brand new and there is a great deal we<br />
do not know about it, yet we still need to prepare. To do so, the private sector should consider<br />
developing a specific role (the cyber workforce development versatilist) to develop this specific subset of<br />
talent. A cyber workforce professional would be able to carry out the responsibilities of a Talent<br />
Management/Organization Development professional while also having the technical expertise of a<br />
cyber professional. That unique skillset would enable them to identify, recruit and develop talent and<br />
galvanize the workforce.<br />
About the Author<br />
Brandon Rogers is the Chief Executive Officer and Principal<br />
Consultant of Paradoxical Solutions, LLC and a second-year student<br />
at Bowling Green State University in the Doctorate in Organization<br />
Development and Change program. In his most recent role, he was<br />
responsible for cyberspace workforce development with a federal<br />
agency. Before this role, he worked at Honda R&D Americas and was<br />
responsible for implementing engineering tools for requirements<br />
management and Agile project management initiatives for the vehicle<br />
integrated controls department. Brandon graduated from Kent State<br />
University with a BA in I/O Psychology and obtained his MS in Positive<br />
Organizational Development and Change from Case Western Reserve<br />
University. Brandon can be reached online via email<br />
(Brandon.Rogers@paradoxicalsolutions.com) and at his company<br />
website www.paradoxicalsolutions.com.<br />
Play 'Smart' on the Crime Scene<br />
By Milica D. Djekic<br />
In criminology, the crime scene is a transferable term: it can cover many physical locations at the same<br />
time, and a single spot can be tied to one or more offenses. Reconstructing what really happened<br />
therefore calls for both policing and investigative skill. Explaining what occurred somewhere is hard,<br />
and it takes many officers, detectives and investigators who, over a certain period of time, document the<br />
entire situation and keep tracking after the crime has been committed. The crime<br />
scene itself can be permanent or temporary, depending on whether the criminals’ activities are<br />
linked to a spot for only a few hours or for several years. A group exploiting or producing<br />
some good will clearly not change its location very often. In a looting scenario, on the other<br />
hand, the offenders simply attack a place and vanish. In both cases, playing smart on the crime<br />
scene means leaving no trace in cyberspace, and well-organized criminal groups know this: during an<br />
armed robbery, for instance, they will switch off any device that relies on the local telecommunication or<br />
satellite infrastructure. As is well known, the surest way to avoid tracking is to keep the device away<br />
from the crime scene altogether, or to remove its battery from the housing, since that is the most<br />
reliable way to stay invisible. In this article, we look at how the interconnected world can sometimes be<br />
disconnected, how it is feasible to avoid criminal justice tracking for a while, and why the<br />
perfect crime still does not exist, because absolute security remains impossible.<br />
Many of us have read news that some criminal group or syndicate committed a serious offense<br />
and was arrested after some period of time. Immediately after the incident, investigators<br />
appeared at the crime scene and collected their findings and evidence.<br />
Time passed while the whole occurrence was under investigation, so the criminals did not<br />
fall that quickly. After, say, several months, the law enforcement agency announced that the<br />
offenders were finally behind bars and the case was awaiting its epilogue in court. Proving someone’s<br />
guilt and obtaining a sentence is demanding, which is why good investigation and<br />
evidence collection procedures matter so much. Part of the public will be amazed at such<br />
effective police work, while many will wonder how the officers accomplished it. The fact is that<br />
the bad guys did not play smart on the crime scene: they took their switched-on devices with them.<br />
What does that mean? Anyone using an internet, cellular or satellite communication service<br />
leaves a footprint in the local ICT infrastructure. A device within range keeps signalling to the<br />
network, many times over, to confirm that it is still part of the local grid. That check-in is crucial:<br />
when it happens, the local service provider can be quite confident that the trace comes from that<br />
device. The next question is how we can know that the device belongs to the offender.<br />
In a looting type of crime, when a place or person is attacked, there will be plenty of security cameras<br />
that pinpoint and record the moment of the offense. Knowing the time and place, we can then<br />
ask the local network whether it caught the signal of any portable device that was using internet,<br />
cellular or satellite connectivity to communicate with its surroundings.<br />
A piece of cake, wasn’t it?<br />
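Both this closing passage and the earlier remark that, once a location and time are known, one can search for any device present “then and there” and then recover its whole route describe what investigators call cell-site analysis. The following is an added example written for this edition, not a tool from the author or from any law enforcement agency: constructed cell sites and network attach records are filtered down to the devices whose serving cell lay within a radius of the scene inside a time window, and each candidate’s time-ordered trail is then reconstructed. The site coordinates, device identifiers, incident time and record schema are all assumptions; real carrier records have different schemas and require a lawful basis to obtain.<br />

```python
"""Added example: placing devices at a crime scene from network attach records.

Illustrative code written for this edition, not a tool from the author or any
agency. The cell sites, attach records and the incident itself are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class CellSite:
    cell_id: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Attach:
    device: str        # constructed device identifier (think IMSI/IMEI)
    cell_id: str       # serving cell at the time of the check-in
    at: datetime


# Constructed cell sites around a fictional town centre (coordinates are assumptions).
SITES = {s.cell_id: s for s in [
    CellSite("C1", 46.1000, 19.6650),   # next to the scene
    CellSite("C2", 46.1020, 19.6700),   # also within a few hundred metres
    CellSite("C3", 46.2000, 19.9000),   # roughly 20 km away
    CellSite("C4", 46.3000, 20.1000),   # further along a road out of town
]}

# Constructed check-in records. A switched-on device keeps signalling to the
# network, so a device in use near the scene leaves timestamped rows like these.
T0 = datetime(2021, 5, 3, 22, 15)      # constructed incident time
RECORDS = [
    Attach("dev-A", "C1", T0 - timedelta(minutes=4)),
    Attach("dev-A", "C2", T0 + timedelta(minutes=3)),
    Attach("dev-A", "C3", T0 + timedelta(minutes=41)),
    Attach("dev-A", "C4", T0 + timedelta(hours=1, minutes=20)),
    Attach("dev-B", "C1", T0 + timedelta(minutes=1)),
    Attach("dev-C", "C3", T0 + timedelta(minutes=2)),     # right time, wrong place
    Attach("dev-D", "C1", T0 - timedelta(hours=3)),       # right place, wrong time
    Attach("dev-B", "C2", T0 + timedelta(hours=6)),
]


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def devices_present(records, sites, lat, lon, when,
                    radius_km=2.0, window=timedelta(minutes=10)):
    """Devices that checked in to a cell within radius_km of (lat, lon) and
    within +/- window of the incident time. Returns sorted device ids."""
    lo, hi = when - window, when + window
    hits = set()
    for r in records:
        site = sites.get(r.cell_id)
        if site is None or not (lo <= r.at <= hi):
            continue
        if haversine_km(lat, lon, site.lat, site.lon) <= radius_km:
            hits.add(r.device)
    return sorted(hits)


def route(records, sites, device):
    """Time-ordered (timestamp, cell_id, lat, lon) trail for one device: the
    history and ongoing route, once a candidate device has been identified."""
    trail = sorted((r for r in records if r.device == device), key=lambda r: r.at)
    return [(r.at, r.cell_id, sites[r.cell_id].lat, sites[r.cell_id].lon) for r in trail]


if __name__ == "__main__":
    scene = (46.1005, 19.6660)
    suspects = devices_present(RECORDS, SITES, *scene, T0)
    print("devices checked in near the scene:", suspects)
    for d in suspects:
        for at, cell, lat, lon in route(RECORDS, SITES, d):
            print(f"  {d} {at:%Y-%m-%d %H:%M} {cell} ({lat:.4f}, {lon:.4f})")
```

A device that was near the scene but switched off, or one that was present hours earlier or checked in from a distant cell, produces no hit; that is precisely the gap the article says disciplined offenders exploit. Widening the window or the radius trades precision for recall, and the camera timestamp from the scene is what makes a tight window defensible.<br />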
About The Author<br />
Milica D. Djekic is an Independent Researcher from Subotica, the<br />
Republic of Serbia. She received her engineering background from<br />
the Faculty of Mechanical Engineering, University of Belgrade. She<br />
writes for domestic and overseas publications and is also the<br />
author of the book “The Internet of Things: Concept, Applications<br />
and Security”, published in 2017 by Lambert Academic<br />
Publishing. Milica is also a speaker on the BrightTALK expert<br />
channel. She has been a member of ASIS International since 2017 and a<br />
contributor to the Australian Cyber Security Magazine since 2018.<br />
Milica's research efforts are recognized by the Computer Emergency<br />
Response Team for the European Union (CERT-EU), Censys Press,<br />
BU-CERT UK and the EASA European Centre for Cybersecurity in Aviation (ECCSA). Her fields of interest<br />
are cyber defense, technology and business. Milica is a person with disability.<br />
<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>July</strong> <strong>2021</strong> <strong>Edition</strong> 137<br />
Copyright © <strong>2021</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.
The Top 10 <strong>Cyber</strong>security Conferences of <strong>2021</strong><br />
By Nicole Allen, Marketing Executive, SaltDNA.<br />
If you're anything like us, you love going to technology and cyber conferences. Expert forums,<br />
opportunities to test out emerging innovations, and opportunities to network with those in the industry are<br />
just a few of the reasons why attendees enjoy these events. It's important for business and security<br />
executives who want to implement successful cybersecurity programmes to stay up to date on industry<br />
best practices and technologies. That's why we've compiled a list of the best conferences to attend in<br />
<strong>2021</strong> from around the world. There's bound to be an event on this list that fits your interests, regardless<br />
of your status or goals!<br />
Despite the fact that COVID-19 has put an end to in-person industry conferences in most countries for<br />
the time being, the cybersecurity events calendar has remained impressively busy. Indoor events will<br />
almost certainly be among the last to return to normal once the Covid-response restrictions in<br />
several countries are lifted. However, due to the widespread availability of vaccines, certain information<br />
security events scheduled for the second half of <strong>2021</strong> will be held in person. Whether or not such plans<br />
are carried out, there may be no going back to the way things used to be.<br />
It will be interesting to see how many formerly in-person events stick with the online model, follow a hybrid<br />
model where those who can't participate can instead stream presentations, or dismiss the hybrid<br />
alternative altogether.<br />
1. Infosecurity Europe<br />
Where: Olympia, London<br />
When: 8th-10th June <strong>2021</strong><br />
The biggest cybersecurity conference in Europe is Infosecurity Europe. This year marks the 25th<br />
anniversary of the three-day festival. This year's theme is "resilience." Hours of information and<br />
cybersecurity content will provide attendees with realistic insight into governance, risk management, and<br />
compliance, identity and access control, data privacy, and threat intelligence.<br />
It is the European marketplace for information security professionals to conduct business, learn about<br />
industry trends, and communicate with current and potential clients or suppliers. Exhibitors will present<br />
the most diverse selection of new products and services on the market at the show. In addition, an<br />
unrivalled complimentary education programme draws delegates from all over the world. It will provide you<br />
with business-critical knowledge, best practice, and realistic case studies while addressing the most<br />
recent issues and needs.<br />
2. <strong>2021</strong> National <strong>Cyber</strong> Summit<br />
Where: Huntsville, AL<br />
When: 8th-10th June <strong>2021</strong><br />
The National <strong>Cyber</strong> Summit is a premier cyber security-technology event that provides industry<br />
visionaries and rising leaders with unique educational, collaborative, and workforce development<br />
opportunities.<br />
The Summit gathers both government and business participants and is held in Huntsville, Alabama, one<br />
of the United States’ greatest technical hubs. Huntsville has long been renowned as the home of<br />
Department of <strong>Defense</strong> and civilian departments and agencies such as DHS, NIST, NASA, TVA, NSA,<br />
and DOE, but it also has a diverse range of companies. Healthcare, automotive, and energy industries,<br />
as well as academics, genetic research, and high technology, are all represented.<br />
3. Hack In Paris<br />
Where: Maison de la Chimie, Paris<br />
When: 28th June - 2nd <strong>July</strong><br />
This event is for hands-on cybersecurity enthusiasts, and it includes realistic laboratories, seminars, and<br />
wargames where you can put your hacking skills to the test against your peers. Hands-on malware<br />
analysis and reverse engineering training with Amr Thabet, a vulnerability researcher at Tenable, are<br />
among the notable training sessions already reported.<br />
4. Black Hat USA <strong>2021</strong><br />
Where: Mandalay Bay Convention Center, Las Vegas<br />
When: 31st <strong>July</strong>- 5th August <strong>2021</strong><br />
Black Hat USA, now in its 24th year, is hosting a unique hybrid event experience, letting the cybersecurity<br />
community choose how they want to participate. Black Hat USA <strong>2021</strong> will kick off with four days of<br />
virtual training (<strong>July</strong> 31-August 3) delivered in real time online with all instructors available at<br />
all times. The two-day main conference (August 4-5), which will include Briefings, Arsenal, Business Hall,<br />
and more, will be a hybrid event, with both an online (virtual) and a live, in-person component in Las<br />
Vegas.<br />
These trainings, which are often only available during Black Hat, are given by professionals from around<br />
the world and provide opportunities for offensive and defensive hackers of all levels to build firsthand<br />
technical skills.<br />
5. DefCon 29<br />
Where: Las Vegas Nevada<br />
When: 5th-8th August <strong>2021</strong><br />
DefCon is the oldest event on the list, having been held for the first time in 1993. It is a hands-on<br />
gathering for amateur and professional hackers. The identities of the 25,000 attendees are kept hidden,<br />
and the event features lock-picking contests, cypher challenges, and technical pranks in a competitive<br />
atmosphere. Even the conference badges are highly complicated electronic artefacts full of challenges,<br />
rather than basic laminated pieces of paper.<br />
The badge challenge, which consists of many "sub-puzzles" placed around DefCon, is one of the most<br />
popular cryptographic puzzle challenges at the event. Some tasks are classics that recur every year, while<br />
others are famously tough to solve.<br />
6. Women in <strong>Cyber</strong>security<br />
Where: Denver, Colorado<br />
When: 8th-10th September <strong>2021</strong><br />
This event honours women in academia, industry, and government who are leaders in the field of<br />
cybersecurity. It's a fantastic project to increase diversity in the cybersecurity field, encourage female<br />
leaders, and help each other advance. There is a special emphasis on encouraging female students to<br />
enrol, with scholarships and other forms of support. The list of speakers hasn't been released yet, but<br />
we're expecting it to be fantastic! If you're a woman working in cybersecurity, you should attend this event.<br />
7. <strong>Cyber</strong>security & Cloud Expo Global <strong>2021</strong><br />
Where: Business Design Centre, London<br />
When: 6th - 7th September <strong>2021</strong><br />
The <strong>Cyber</strong> Security & Cloud Expo event is co-located with the IoT Tech Expo, AI & Big Data Expo, and<br />
Blockchain Expo on the 6-7 September in the Business Design Centre, and virtually from the 13-15<br />
September, so you can discover the future of these converging technologies under one roof.<br />
As modern companies evolve, the conference agenda will address the genuine concerns that CISOs and<br />
security professionals face today. With an emphasis on collaboration and support for the security<br />
community, we're displaying the most innovative and significant advances in the solutions industry. With<br />
a focus on learning and creating connections in the burgeoning cyber security and cloud arena, the<br />
conference will feature a series of top-level keynotes, interactive panel discussions, and solution-based<br />
case studies.<br />
8. Gartner Security & Risk Management Summit<br />
Where: Orlando, FL<br />
When: 20th-22nd September <strong>2021</strong><br />
The timetable and programme for <strong>2021</strong> are currently in the works. Gartner's own summary of the <strong>2021</strong><br />
event is as follows: Over the course of four days, leaders from security, identity and access management,<br />
and risk management joined Gartner experts digitally to provide vital ideas on developing an effective,<br />
risk-based cybersecurity programme. The conference will provide the tools needed to establish agile<br />
security and IT risk management plans in order to manage the risk that comes with digital companies<br />
and to be better prepared for the next global shock.<br />
9. InfoSec World<br />
Where: Disney Coronado Springs Resort, Orlando, Florida<br />
When: 25th-27th October <strong>2021</strong><br />
InfoSec World has been the "business of security" conference for the past 25 years. While the agenda<br />
has yet to be released, we have no doubt that the organisers will put together a fantastic lineup of<br />
speakers this year, as they always do. The InfoSec World conference is one of the world's largest,<br />
bringing together information security professionals from all walks of life, industries, and fields of study,<br />
from over 100 nations worldwide.<br />
The conference this year will combine the best of both worlds, with both an in-person and a virtual<br />
component. If you can, we recommend going in person because you'll be close enough to "breach" the<br />
Magic Kingdom main gate from the conference floor.<br />
10. ACM Conference on Computer and Communications Security<br />
Where: Seoul, South Korea<br />
When: 14th-19th November <strong>2021</strong><br />
The flagship annual conference of the Association for Computing Machinery's Special Interest Group on<br />
Security, Audit, and Control (SIGSAC) is primarily focused on research. Researchers, practitioners,<br />
developers, and users from all around the world will gather at the conference to discuss cutting-edge<br />
ideas and outcomes. The conference holds a range of keynotes with expert speakers specialising in<br />
information security, along with a variety of workshops to get involved in during the event.<br />
If you can’t wait for all of these events and are seeking a way to secure your organisation's<br />
communications in the meantime, please contact us.<br />
About SaltDNA<br />
SaltDNA is a multi-award-winning cyber security company providing a fully enterprise-managed software<br />
solution giving absolute privacy in mobile communications. It is easy to deploy and uses multi-layered<br />
encryption techniques to meet the highest of security standards. SaltDNA offers ‘Peace of Mind’ to<br />
organisations who value their privacy by giving them complete control and secure communications to<br />
protect their trusted relationships and stay safe. SaltDNA is headquartered in Belfast, N. Ireland. For more<br />
information, visit SaltDNA.<br />
About the Author<br />
Nicole Allen, Marketing Executive at SaltDNA. Nicole has been working<br />
within the SaltDNA Marketing team for several years and has played a<br />
crucial role in building SaltDNA's reputation. Nicole implements many<br />
of SaltDNA's digital efforts and manages the company's presence at<br />
events, both virtual and in person.<br />
Nicole can be reached online at (LINKEDIN, TWITTER or by emailing<br />
nicole.allen@saltdna.com) and at our company website https://saltdna.com/.<br />
You asked, and it’s finally here…we’ve launched <strong>Cyber</strong><strong>Defense</strong>.TV<br />
Hundreds of exceptional interviews and growing…<br />
Market leaders, innovators, CEO hot seat interviews and much more.<br />
A new division of <strong>Cyber</strong> <strong>Defense</strong> Media Group and sister to <strong>Cyber</strong> <strong>Defense</strong> Magazine.<br />
FREE MONTHLY CYBER DEFENSE EMAGAZINE VIA EMAIL<br />
ENJOY OUR MONTHLY ELECTRONIC EDITIONS OF OUR MAGAZINES FOR FREE.<br />
This magazine is by and for ethical information security professionals with a twist on innovative consumer<br />
products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our<br />
mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best<br />
ideas, products and services in the information technology industry. Our monthly <strong>Cyber</strong> <strong>Defense</strong> e-<br />
Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare<br />
arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of<br />
sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here<br />
to sign up today and within moments, you’ll receive your first email from us with an archive of our<br />
newsletters along with this month’s newsletter.<br />
By signing up, you’ll always be in the loop with CDM.<br />
Copyright (C) <strong>2021</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G.<br />
SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a<br />
<strong>Cyber</strong><strong>Defense</strong>Awards.com, <strong>Cyber</strong><strong>Defense</strong>Magazine.com, <strong>Cyber</strong><strong>Defense</strong>Newswire.com,<br />
<strong>Cyber</strong><strong>Defense</strong>Professionals.com, <strong>Cyber</strong><strong>Defense</strong>Radio.com and <strong>Cyber</strong><strong>Defense</strong>TV.com, is a Limited Liability<br />
Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465,<br />
<strong>Cyber</strong> <strong>Defense</strong> Magazine® is a registered trademark of <strong>Cyber</strong> <strong>Defense</strong> Media Group. EIN: 454-18-8465, DUNS#<br />
078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com<br />
All rights reserved worldwide. Copyright © <strong>2021</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved. No part of this<br />
newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying,<br />
recording, taping or by any information storage retrieval system without the written permission of the publisher<br />
except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of<br />
the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may<br />
no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect<br />
the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content<br />
and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at<br />
marketing@cyberdefensemagazine.com<br />
<strong>Cyber</strong> <strong>Defense</strong> Magazine<br />
276 Fifth Avenue, Suite 704, New York, NY 10001<br />
EIN: 454-18-8465, DUNS# 078358935.<br />
All rights reserved worldwide.<br />
marketing@cyberdefensemagazine.com<br />
www.cyberdefensemagazine.com<br />
NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA)<br />
<strong>Cyber</strong> <strong>Defense</strong> Magazine - <strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> rev. date: 07/02/<strong>2021</strong><br />
Books by our Publisher: https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guysebook/dp/B07KPNS9NH<br />
(with others coming soon...)<br />
9 Years in The Making…<br />
Thank You to our Loyal Subscribers!<br />
We've Completely Rebuilt <strong>Cyber</strong><strong>Defense</strong>Magazine.com - Please Let Us Know<br />
What You Think. It's mobile and tablet friendly and superfast. We hope you<br />
like it. In addition, we're shooting for 7x24x365 uptime as we continue to<br />
scale with improved Web App Firewalls, Content Delivery Networks (CDNs)<br />
around the Globe, Faster and More Secure DNS<br />
and <strong>Cyber</strong><strong>Defense</strong>Magazine.com up and running as an array of live mirror<br />
sites and our new B2C consumer magazine <strong>Cyber</strong>SecurityMagazine.com.<br />
Millions of monthly readers and new platforms coming…starting with<br />
https://www.cyberdefenseprofessionals.com this month…<br />