01.07.2021

Cyber Defense eMagazine July 2021 Edition

Cyber Defense eMagazine July Edition for 2021 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, US Editor-in-Chief, Pierluigi Paganini, Co-founder & International Editor-in-Chief, Stevin Miliefsky, President and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES


Cover headlines:

Colonial Pipeline, JBS Cyber Attacks Shine The Spotlight on Operational Technology Vulnerabilities for Wide Range of Business Sectors

Key Business Lessons Learned from SolarWinds Hack

Data Loss Prevention in Turbulent Times

Getting The Cloud Right - Security and Compliance

A Digital Journey: A Long and Winding Road

Why Ensuring Cyber Resilience Has Never Been More Critical or More Challenging Than It Is Today

Flipping the Cyber Script

…and much more…

Cyber Defense eMagazine – July 2021 Edition 1

Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.


CONTENTS

Welcome to CDM’s July 2021 Issue (p. 7)

Colonial Pipeline, JBS Cyber Attacks Shine Spotlight on Operational Technology Vulnerabilities for Wide Range of Business Sectors (p. 33)
By Fred Gordy, Director of Cyber Security at Intelligent Buildings

Getting The Cloud Right - Security and Compliance (p. 36)
By Tim Dinsmore, Technical Director, Appurity

Flipping the Cyber Script (p. 39)
By Mark Sincevich, Federal Director, Illumio

How To Make The Most of Increased Cybersecurity Spend (p. 42)
By Stu Sjouwerman, CEO, KnowBe4

Common Sense Cybersecurity Steps for Managed Service Providers (MSPs) (p. 45)
By Wes Spencer, CISO at Perch Security – a ConnectWise Solution

Threat Intelligence Should Be Shared Not Shamed (p. 48)
By Nuno Povoa, Eurofins Cybersecurity US

NATO to Consider Military Response to Cyberattacks (p. 51)
By Doug Britton, CEO, Haystack Solutions

Know Thy Enemy, Break Their Cyber Kill Chain (p. 54)
By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies

Uncovering the Dark Side of the Colonial Pipeline Attack (p. 57)
By Alon Nachmany, Director of Customer Success, AppViewX

How To Protect Power Infrastructure from Ransomware Attacks (p. 60)
By Hervé Tardy, Vice President, Marketing and Strategy for Power Quality, Americas, Eaton

Ransomware and the Cybersecurity Industry’s Problem of Perception (p. 63)
By Jack B. Blount, President and CEO, INTRUSION, Inc.

Easyjet Data Breach One-Year On: What Are the Next Steps? (p. 66)
By Aman Johal, Director and Lawyer at Your Lawyers

Ransomware, the Ultimate Cyber Threat to Municipalities (p. 69)
By Yehudah Sunshine, Head of PR, odix

Operational Technology (OT) Ransomware - How Did We Get Here? (p. 72)
By Lior Frenkel, CEO and Co-Founder, Waterfall Security Solutions

A Case of Identity: A New Approach To User Authentication Protecting Personal Credentials Remains The Weakest Link In Data Security (p. 75)
By Benjamin Kiunisala, Head of Customer Engagement, TrustGrid Pty, Ltd

A 3-Part Plan for Getting Started with Cybersecurity (p. 79)
By Doug Folsom, President of Cybersecurity and Chief Technology Officer, TRIMEDX

How to Deal with Online Security (p. 82)
By Gary Alterson, Vice President Security Solutions, Rackspace Technology

The Risks of The Vulnerable IoT Devices (p. 85)
By Pedro Tavares, Editor-in-Chief, seguranca-informatica.pt

Three Steps to Building Email Cyber Resilience (p. 89)
By Toni Buhrke, Director of Sales Engineering, Mimecast

Guided-SaaS NDR: Redefining A Solution So SOC/IR Teams Aren’t Fighting Adversaries Alone, Distracted and In The Dark (p. 92)
By Fayyaz Rajpari, Sr. Director of Product Management, Gigamon

Hardware Trojan Detection (p. 95)
By Sylvain Guilley, General Manager and CTO at Secure-IC

StayHackFree – Your Kid’s Sports Team (p. 100)
By James Gorman, CISO, Authx

Tips for Avoiding Online Scams During COVID-19 (p. 103)
By Cindy Murphy, President, Tetra Defense

Banking Fraud up 159% as Transactions Hit Pre-Pandemic Volumes (p. 108)
By Rajiv Pimplaskar, CRO, Veridium

Why Cyber Risk Is the Top Concern of The Financial Services Industry (p. 111)
By Paul Schiavone, Global Industry Solutions Director - Financial Institutions at Allianz Global Corporate & Specialty

What Educational Institutions Need to Do to Protect Themselves From Cyber Threats? (p. 115)
By Cyril James, Founder and CEO, Secure Triad

Business Continuity: Where InfoSec and Disaster Recovery Meet (p. 119)
By Adam Berger, VP of Global IT and Cloud Operations, Infrascale

Biometrics Challenges (p. 123)
By Milica D. Djekic

Epic V. Apple Trial - Impact of Big Tech Battles on Consumers' Rights (p. 125)
By Brad Ree, CTO, The ioXt Alliance

How The Pandemic Has Changed the Value of Health Data (p. 128)
By Aman Johal, Lawyer and Director of Your Lawyers

Galvanizing the Cyber Workforce in Private Industry (p. 132)
By Brandon Rogers, CEO & Principal Consultant, Paradoxical Solutions, LLC

Play 'Smart' on the Crime Scene (p. 136)
By Milica D. Djekic

The Top 10 Cybersecurity Conferences of 2021 (p. 138)
By Nicole Allen, Marketing Executive, SaltDNA


@MILIEFSKY

From the Publisher…

New CyberDefenseMagazine.com website, plus updates at CyberDefenseTV.com & CyberDefenseRadio.com

Dear Friends,

From the 30,000-foot view of the Publisher, the scenery has changed. In the space of only a month, we are seeing COVID yielding space to CYBER. Put another way, the pandemic vector is transitioning from health space to cyber space.

There are powerful cybersecurity considerations involved in re-imposing defensive protocols in a concentrated network environment, as well as making adjustments for those who will remain in a remote work location.

In light of more ransomware developments in all areas of activity, it’s imperative for more and deeper cooperation among the sectors of government, private and publicly traded companies, nonprofits, and especially small and medium-size companies. It’s become apparent that there is no such thing as “too small to attack” for ransomware criminals.

We continue to monitor closely the discussion of whether ransom payments should be prohibited, restricted, regulated or otherwise treated by governments. It appears that those organizations doing business with government entities, especially in the supply chain of critical infrastructure elements, would logically be among the first to be subjected to such government intervention.

Among the valuable resources we rely on to respond to these threats are the providers of cybersecurity solutions.

Cyber Defense Media Group has now opened nominations for the 2021 Black Unicorns Awards. Details are posted at: https://cyberdefenseawards.com/black-unicorn-awards-for-2021-fact-sheet/

Wishing you all success in your own cyber endeavors.

Warmest regards,

Gary S. Miliefsky, CISSP®, fmDHS
CEO, Cyber Defense Media Group
Publisher, Cyber Defense Magazine

P.S. When you share a story or an article or information about CDM, please use #CDM and @CyberDefenseMag and @Miliefsky – it helps spread the word about our free resources even more quickly.


@CYBERDEFENSEMAG

CYBER DEFENSE eMAGAZINE

Published monthly by the team at Cyber Defense Media Group and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.

InfoSec Knowledge is Power. We will always strive to provide the latest, most up to date FREE InfoSec information.

PRESIDENT & CO-FOUNDER
Stevin Miliefsky
stevinv@cyberdefensemagazine.com

INTERNATIONAL EDITOR-IN-CHIEF & CO-FOUNDER
Pierluigi Paganini, CEH
Pierluigi.paganini@cyberdefensemagazine.com

US EDITOR-IN-CHIEF
Yan Ross, JD
Yan.Ross@cyberdefensemediagroup.com

PUBLISHER
Gary S. Miliefsky, CISSP®
Learn more about our founder & publisher at: http://www.cyberdefensemagazine.com/about-our-founder/

ADVERTISING
Marketing Team
marketing@cyberdefensemagazine.com

CONTACT US:
Cyber Defense Magazine
Toll Free: 1-833-844-9468
International: +1-603-280-4451
SKYPE: cyber.defense
http://www.cyberdefensemagazine.com

Copyright © 2021, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a)
276 Fifth Avenue, Suite 704, New York, NY 10001
EIN: 454-18-8465, DUNS# 078358935.
All rights reserved worldwide.

9 YEARS OF EXCELLENCE!

Providing free information, best practices, tips and techniques on cybersecurity since 2012, Cyber Defense Magazine is your go-to source for Information Security.

We’re a proud division of Cyber Defense Media Group (CDMG): B2C Magazine, B2B/B2G Magazine, TV, Radio, Awards, Professionals, Webinars.

From the International Editor-in-Chief…

For the first time, cybersecurity has been among the most pressing topics at a meeting of the “Group of 7” countries. The summit took place in mid-June, and it appears that the participants are taking firm actions to forestall attacks on the elements of their critical infrastructure.

See, for example: https://www.reuters.com/world/europe/g7-demandaction-russia-cybercrimes-chemical-weapon-use-2021-06-13/

These 7 nations have identified certain sources of cyber attacks and have demanded that those involved put a stop to them. In particular, the group issued a communique which said Russia must "hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes."

In an action closely related to this cybersecurity response, the EU has recently taken action on a privacy initiative with strong cyber implications. We continue to see regulatory actions on privacy which also can have positive effects on cybersecurity defenses.

It’s important to remember, however, that even compliance with laws, treaties and regulations may not absolve organizations from liability in the event of a data breach or ransomware attack.

As always, we encourage cooperation and compatibility among nations and international organizations in responding to these cybersecurity and privacy matters.

To our faithful readers, we thank you,

Pierluigi Paganini
International Editor-in-Chief


Welcome to CDM’s July 2021 Issue

From the U.S. Editor-in-Chief

Reflecting on the topics of our articles this month, this is what we see: an increase in the number and depth of articles with actionable information for cybersecurity professionals and others interested in the trends and implications of these developments.

In particular, we are pleased to carry over 30 articles this month on lessons to be learned and actions to take in response to ransomware attacks, protection of critical infrastructure, and applications of cybersecurity practices and programs.

We’re pleased to include articles on a full spectrum of recognition of threats, preventive measures, means of assuring resilience and sustainability, and even the structural aspects of organizations with responsibility to maintain the confidentiality, accessibility, and integrity of sensitive data.

As editor, I would encourage our readers to become familiar with the 16 areas of critical infrastructure designated by the Department of Homeland Security, found at www.dhs.gov. Going forward, activities in these areas will become more and more important in the world of cybersecurity.

We strive to make Cyber Defense Magazine most valuable to our readers by keeping current on emerging trends and solutions in the world of cybersecurity. To this end, we commend your attention to the valuable actionable information provided by our expert contributors.

Wishing you all success in your cybersecurity endeavors,

Yan Ross
U.S. Editor-in-Chief
Cyber Defense Magazine

About the US Editor-in-Chief

Yan Ross, J.D., is a Cybersecurity Journalist & U.S. Editor-in-Chief of Cyber Defense Magazine. He is an accredited author and educator and has provided editorial services for award-winning best-selling books on a variety of topics. He also serves as ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist® XV CITRMS® course. As an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, privacy, and cyber security for consumers and organizations holding sensitive personal information. You can reach him by e-mail at yan.ross@cyberdefensemediagroup.com




Colonial Pipeline, JBS <strong>Cyber</strong> Attacks Shine Spotlight on<br />

Operational Technology Vulnerabilities for Wide Range<br />

of Business Sectors<br />

By Fred Gordy, Director of <strong>Cyber</strong> Security at Intelligent Buildings<br />

The recent Colonial Pipeline Co. and JBS SA cyber attacks were about more than the temporary crippling<br />

of the gas industry in the southeast United States or a short-term delay in meat production. It lays bare<br />

the vulnerabilities faced by any company that uses operational technology (OT) and information<br />

technology (IT).<br />

OT refers to the hardware and software used to change, monitor, or control physical devices, processes,<br />

and events within a company or organization. Most office workers are more familiar with IT. Having an<br />

issue with your computer? Call IT. Have a suspicious email in your inbox? Report it to IT. The IT<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>July</strong> <strong>2021</strong> <strong>Edition</strong> 33<br />

Copyright © <strong>2021</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


department is responsible for keeping the company’s computer systems safe. OT departments may not be as commonplace, but the pipeline crisis highlights the need for dedicated OT staff or contracted professionals.

For Colonial Pipeline, the bottom line is they didn’t understand how their own IT and OT systems were connected. It takes both to work the problem. Without a fully vetted incident response plan, companies are not prepared for system compromises. OT is not exclusive to pipelines, production plants, dams, and other infrastructure and industrial environments. All commercial buildings, including office complexes, retail, hospitality, education, healthcare, government, and others, have OT systems.

The OT systems in these facilities may include HVAC, elevators, lighting controls, metering, fire safety, access control, and other technologies, all subject to hacking, misconfiguration, phishing, and ransomware. Call it intelligent buildings, smart building systems, or whatever you like — building system cybersecurity matters. Attacks have caused catastrophic operational interruptions in many buildings. These attacks generally go unreported because they do not involve compromising sensitive personal information of users or customers, but that does not mean they are unimportant.

The Colonial Pipeline Co. incident made national news because the company’s shutdown led to a fuel shortage and price increase in the southeast United States that prompted officials to warn folks not to try using plastic bags to stockpile gasoline. Foreign hackers used basic ransomware technology to take control of Colonial’s IT systems. To regain control, the company paid the hackers more than $4 million. Just weeks after this event, JBS SA, the world’s largest meat processing company, experienced a similar cyberattack, which caused temporary closures of plant operations due to affected servers supporting its operations in North America and Australia.

These incidents — and the relatively low level of skill needed to carry out the attacks — should have all company leaders moving to assess vulnerabilities of their buildings’ OT systems, as the gateway to IT systems. Working with professionals, such as those at Intelligent Buildings, will become even more important as the federal government prepares to issue cybersecurity regulations for pipelines that will also impact other industries. Complexity will continue to increase and the effect will be felt at a lower level, even down to its influence on insurance premiums.

Even if the regulations do not extend beyond pipelines or other critical infrastructure, they will include sound guidance that applies across sectors. For example, one part of the regulations would require the periodic review of remote network connections that can be soft spots for hackers to attack. This is especially pertinent with so many more people working from home during the pandemic and several companies considering a hybrid model that allows at least some work-from-home days.

While the pipeline and plant shutdowns affected thousands and may seem far removed from many business leaders, building tenants know that convenience, productivity, and health and safety play a vital role in occupant experience. Additionally, having hackers take control of a building’s elevators or shutting down a company’s production lines can also have catastrophic impact on a more local level, so one thing is clear: Cyberattacks will continue and companies large and small need increased focus on cybersecurity of both IT and OT systems.

About the Author

Fred Gordy is Director of Cyber Security at Intelligent Buildings, a company focused on Smart Building advisory, assessment, and managed services at scale for both new projects and existing portfolios. Intelligent Buildings helps customers manage risk, enhance occupant well-being, and continually improve performance by providing unmatched expertise, practical recommendations, and targeted services. Fred can be reached at fred.gordy@intelligentbuildings.com.



Getting The Cloud Right - Security and Compliance

By Tim Dinsmore, Technical Director, Appurity

COVID has been responsible for many things. Perhaps cloud computing doesn’t spring to the top of your list, but the pandemic has certainly spurred many organisations into adopting a cloud-first strategy. Indeed, research carried out by Forbes suggested that the majority of businesses surveyed had accelerated their move to cloud due to the pandemic. The underlying force of course is an overall shift towards remote working - this is where cloud computing can flex its muscles. But it’s not only remote working that has fuelled cloud adoption - data (and its inherent security / protection) is a prime factor for organisations to move towards a cloud-first working environment.

With security in mind, cloud service providers (CSPs) offer better security than when an organisation stores data ‘on-premise’. However, moving to a cloud-centric way of working still presents challenges when it comes to privacy and security. For example, consider the use and handling of data. Once upon a time, data management was the sole concern of the business. In recent years, however, governments and other concerned parties have sought to gain control (thus ensuring higher levels of data security) by introducing legislation - the EU’s GDPR for example. Such legislation ultimately adds new levels of management complexity for any business that handles and stores data. And it’s not just GDPR that businesses need to comply with. There are various data management and protection requirements that exist across a number of industries. And whilst most businesses can outsource their operations to some degree or other, when it comes to compliance, the business is left to carry the can. And this can’t be taken lightly - if your business falls foul of compliance then you face expensive penalties and even reputational damage.

Visibility is key if your business aspires to a secure and compliant cloud system. Popular, well-known SaaS solutions come with inbuilt security as standard - however, they also have blind spots. Also, many SaaS products offer certain features only at the top end of the price range, inevitably making them too expensive if you are not at enterprise level. This makes reporting a laborious affair for those tasked with putting together and auditing data from a variety of sources. Organisations are also seeing a surge in the use of personal devices along with an increase in BYOD policies. This has brought about the need to increase the resource assigned to monitoring the escalating use of out-of-scope apps. But adopting security and data solutions is a process that needs to be tempered against productivity and user experience - these should not be compromised. Employees and users at every level of the organisation need access to data regardless of their location or choice of device.

A Cloud Access Security Broker (CASB) solution can optimise visibility across an organisation by monitoring all user activity within cloud applications (company-approved and shadow apps) and enforcing both internal policies and external compliance requirements. A CASB solution should additionally be adopted as part of a wider SIM/SIEM solution for the ultimate in forward-looking, secure data collection, monitoring, and consolidation. Many CASB solutions are designed with compliance in mind. They provide granular visibility and control over user interaction with cloud applications and broad audit trails of such user activity. They are perfect for centralised control, management and ease of use.

Taking compliance and data protection seriously requires a proactive approach to data management. By understanding where potential data breaches exist, they can be eliminated at source. The risk of infected or malicious files making their way into the cloud, or the threat of identity theft for example, is still prevalent and must be considered as part of any data protection strategy. Identity theft, perhaps via stolen passwords, is a leading cause of data breaches. This makes it imperative for businesses to adopt stronger-than-password protection - an absolute necessity. One-time passcodes (OTPs) are used widely by businesses as an extra layer of security on top of password protection, but some are vulnerable to interception or phishing attempts. It is highly advisable to choose real-time generated OTPs to boost security.

As businesses of all shapes and sizes increasingly move to the Cloud to manage and store all of their data and apps, the need for a robust and comprehensive solution for security and compliance in the cloud should be the foremost consideration. At the end of the day, an informed and planned proactive strategy affords those in charge all the confidence they need that compliance regulations are being met, rather than having to respond in a reactive manner with the ensuing chaos that can arise. Cloud-centered working is officially here to stay so let’s do it efficiently, securely and by the book.



About the Author

Tim Dinsmore is the Technical Director of Appurity, the cross-platform mobility specialists.

https://appurity.co.uk/security-in-the-cloud/



Flipping the Cyber Script

Getting Ahead of Attackers with a Zero Trust Architecture

By Mark Sincevich, Federal Director, Illumio

It’s hard to find a recent cybersecurity attack where the company didn’t have an existing firewall with antivirus protection. Last year alone, the world spent $173 billion on cybersecurity. Yet, cyberattacks are more detrimental and frequent than ever before. A lack of spending isn’t the issue; the real problem is not implementing the correct strategy.

As an industry, we’ve been focused on having a strong perimeter without considering what happens if, or more realistically when, an attack breaches the perimeter. Assuming a breach has occurred is one of the tenets of a Zero Trust architecture. If agencies don’t up-level defense, and soon, attackers will always be one, or many, steps ahead.

The Current Security Model Isn’t Working

Federal efforts such as the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) Program have provided a dynamic approach to ensure federal civilian agencies install ‘detect and defend’ antivirus software and have recently upgraded firewall hardware, among other recommendations. However, as evidenced by the recent SolarWinds and Colonial Pipeline attacks, these measures alone are insufficient.

Additionally, both CDM and the DHS EINSTEIN detection system, deployed to catch known malware, missed the SolarWinds attack and failed to report anything was amiss. Since new attacks move quickly and often go undetected, deploying assets to ‘chase the enemy’ often means the damage is already done. The traditional detect and defend approach will not prevent attacks from moving around the network, which is when the real harm continues to occur.

Federal CISO Chris DeRusha noted the need for agencies to move in a new direction: “Everyone and everything is untrustworthy until we prove otherwise.”

Rather than relying on “comply-to-connect” security policies, teams must adhere to a key pillar of Zero Trust – assume that an initial breach has already occurred and that attackers are already inside of the network.

Thankfully, We Have a New Model That Does Work…

Here’s the good news: The White House recently released new cybersecurity guidance in an Executive Order, directing agencies to adopt the principles of Zero Trust security to modernize and bolster the nation’s cyber defenses. A Zero Trust security model gives federal cyber leaders the ability to make their networks and agencies more resilient to attacks.

While Zero Trust is not new, many agencies will need to start implementing this security methodology from the ground up – a good place to start is from the inside out. Start by identifying your most valuable assets. For most, these live in the data center and cloud. Then, segment these assets from other parts of the network. The more granular these segments are, the better.

Rather than blindly segmenting the network, agencies should leverage Zero Trust Segmentation, which establishes allowlists that indicate which apps and workloads can connect. Any connection that is not explicitly stated is denied by default.

When a ransomware attack tries to move from the initially compromised point to the rest of the network, Zero Trust Segmentation will stop it in its tracks. In other words, even if malicious actors gain access, they cannot move to the applications and data that agencies deem most critical because they are blocked by default. This approach will only allow connections between authorized and legitimate applications and workloads and will deny everything else.
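As an added illustration of the allowlist model described above (example code written for this page, not Illumio's product or anything from the original article), here is a small default-deny policy evaluator in Python. Workloads carry labels, rules are written between labels rather than addresses, and a flow is permitted only when a rule matches source label, destination label, port and protocol exactly; anything else, including a host missing from the inventory, is denied. The inventory, rules and sample flows are constructed for the example. The denied_sources summary is the detection side of the same control: a workload that keeps hitting denied paths is itself a signal worth alerting on.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One allowlist entry: src_label may reach dst_label on this port/proto."""
    src_label: str
    dst_label: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    """An attempted connection between two hosts."""
    src: str
    dst: str
    port: int
    proto: str = "tcp"


# Constructed inventory: every workload carries a label; policy is written in labels.
WORKLOADS: Dict[str, str] = {
    "web-01": "web",
    "app-01": "app",
    "db-01": "db",
    "jump-01": "bastion",
    "hr-laptop-7": "user",
}

# Constructed allowlist for a three-tier application. Anything not listed is denied.
ALLOWLIST: List[Rule] = [
    Rule("web", "app", 8443),
    Rule("app", "db", 5432),
    Rule("bastion", "db", 22),
]


def label_of(host: str) -> str:
    """Unknown hosts get a sentinel label that no rule matches, so they are denied."""
    return WORKLOADS.get(host, "unlabelled")


def is_allowed(flow: Flow, rules: List[Rule] = ALLOWLIST) -> bool:
    """Default-deny: permitted only if some rule matches labels, port and protocol."""
    src, dst = label_of(flow.src), label_of(flow.dst)
    return any(
        r.src_label == src and r.dst_label == dst
        and r.port == flow.port and r.proto == flow.proto
        for r in rules
    )


def evaluate(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return an ALLOW/DENY verdict for each flow."""
    return [(f, "ALLOW" if is_allowed(f) else "DENY") for f in flows]


def denied_sources(flows: List[Flow]) -> Dict[str, int]:
    """Count denied attempts per source host; repeated denials from one
    workload are a lateral-movement signal for the SOC."""
    counts: Dict[str, int] = {}
    for f in flows:
        if not is_allowed(f):
            counts[f.src] = counts.get(f.src, 0) + 1
    return counts


# Constructed sample flows: normal tier traffic plus attempts from a compromised web server.
SAMPLE_FLOWS: List[Flow] = [
    Flow("web-01", "app-01", 8443),      # normal web -> app call
    Flow("app-01", "db-01", 5432),       # normal app -> db query
    Flow("jump-01", "db-01", 22),        # admin via bastion
    Flow("web-01", "db-01", 5432),       # web tier skipping the app tier
    Flow("web-01", "app-01", 22),        # right labels, wrong port
    Flow("hr-laptop-7", "db-01", 5432),  # user device straight to the database
    Flow("unknown-99", "app-01", 8443),  # host missing from the inventory
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.port}/{flow.proto}")
    print("denied attempts per source:", denied_sources(SAMPLE_FLOWS))
```

Writing rules in terms of labels rather than IP addresses is what makes the policy survive re-deployments and autoscaling: a new web instance inherits the web label and nothing else, so it still cannot reach the database directly.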

Maturing the Zero Trust Model

Perimeter security and detection are important parts of the cybersecurity equation, but alone, they’re not enough to keep us secure. A Zero Trust strategy requires a permanent change in philosophy where teams trust nothing in their network by default.

Teams should architect their networks from the inside out using Zero Trust Segmentation to increase visibility and stop the spread of ransomware across systems. As agencies design and implement Zero Trust strategies, they will prevent cyber incidents from becoming disasters. Our data, networks, and our nation will be safer for it.

About the Author

Mark Sincevich is the Federal Director at Illumio.



How To Make The Most of Increased Cybersecurity Spend

The average organization devotes 21% of its IT budget to cybersecurity.

By Stu Sjouwerman, CEO, KnowBe4

With the threat of malware touching more and more organizations, boards are beginning to devote greater resources to cybersecurity. The unfortunate truth is that a successful cyberattack can sink a business. The average remediation cost of a ransomware attack, for example, is $1.85 million, according to a Sophos report. The cost of non-compliance if sensitive data is exfiltrated can also be considerable, and the lasting reputational damage is hard to quantify.

Companies that may have been tempted to gamble in the past are now seeing the financial sense in increasing cybersecurity spend. The average organization devotes 21% of its IT budget to cybersecurity, according to the Hiscox Cyber Readiness Report; an increase that has been driven by a sustained rise in the frequency of cyberattacks recently.

The growing threat

In the last 12 months, the percentage of organizations experiencing a cyber-attack jumped from 38% to 43%, according to Hiscox data, and 73% of those victims experienced more than one attack. A paltry 9% reported they were able to defend against the attack with no impact on operations. Stronger defenses and better preparation are required to avoid potential disaster.

Beyond the disruptive impact of ransomware or DDoS attacks, there lurks the even worse threat of a full-blown data breach. It takes 280 days on average to identify and contain a data breach and costs $3.86 million, according to the Ponemon Institute. It’s far better to spend a fraction of that amount to bolster your defenses and harden your security posture.

The question is where to spend it to ensure the greatest impact.

Phishing and BEC attacks

We know that malware can usually be traced back to a phishing attack. Threat actors are increasingly picking their targets and getting smarter about how they approach them. Spear phishing is on the rise and sophisticated attacks employ stolen credentials to attack laterally. If a message or email appears legitimate, or worse comes from a colleague’s account that has been hacked, the risk of someone clicking a link or downloading a file and triggering a malware installation is much greater. The unpleasant truth is that anyone can be fooled. Employees of all levels can fall victim to phishing scams.

Business Email Compromise (BEC) is also a serious concern, with the FBI reporting $1.8 billion in losses through BEC, which is a staggering 42% of the cybercrime loss total. Much more sophisticated and targeted at CEOs, CFOs, and other high-ranking executives, BEC can be the result of months of reconnaissance, with attackers building complex infrastructures and hacking multiple accounts in pursuit of a big payday.

Spending effectively to boost security

The temptation to sink any budget increase for cybersecurity into a tool or platform that promises to safeguard your data is understandable, but there’s a better way to strengthen your security. If we accept that security systems can always be bypassed by persuading people to unwittingly grant access, then it’s clear that the best way forward is to educate and empower your workforce.

Security awareness training is crucial because teaching people to spot the common signs of a phishing attack develops the muscle memory you want to see.

Establish a baseline before you begin and set targets for improvement with periodic tests, such as mock phishing campaigns, to determine what progress has been made. Test results and any real-life security incidents that occur should be leveraged as learning opportunities and used to inform ongoing training.

Make sure that you combine training with stronger security controls and strict procedures. At the shallow end, you have to provide phish alert buttons to make it easy to report suspicious emails. Reports should trigger an investigation that includes feedback for the employee who flagged the message. Responsibilities, processes, and expectations should be clear and easily accessible for everyone.

To tackle more sophisticated spear phishing or BEC attacks, design controls around funds transfers or sensitive data sharing. By requiring multiple people to sign off on transactions over a certain amount or insisting on in-person meetings or video calls to confirm the legitimacy of data or funds requests, you can prevent major losses. Consider the worst-case scenarios and design controls that will block scammers.

Enlisting your employees

Employees are your most valuable resource. They have the deepest understanding of your business and are invested in helping you strengthen security. Ask for their advice and input to identify the greatest risks and learn how best to safeguard their areas of responsibility. Having an open dialog for prioritizing the assets that need securing will send a clear message and encourage people to take risk management more seriously.

If you educate employees and equip them with the right tools, you can quickly make vast improvements to your cybersecurity stance. Continuous training and a program of attack simulations that emulates real-world threats will deliver tangible benefits.

Ultimately, it’s by enlisting employees that you will squeeze the greatest value from any increase in your cybersecurity spend.

About the Author

Stu Sjouwerman is founder and CEO of KnowBe4 [NASDAQ: KNBE], developer of security awareness training and simulated phishing platforms, with over 37,000 customers and more than 25 million users. KnowBe4 also offers a KCM GRC platform that provides ready-made templates for quick compliance evaluations and reporting. Centralized policy distribution and tracking helps users remain compliant, as does flagging risky users. Sjouwerman was previously co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” He can be reached at ssjouwerman@knowbe4.com or via the company website https://www.knowbe4.com/



Common Sense Cybersecurity Steps for Managed Service Providers (MSPs)

By Wes Spencer, CISO at Perch Security – a ConnectWise Solution

Covid-19 changed the IT landscape for a lot of MSPs helping customers, suppliers and partners as they struggled to adopt digital services and technologies to make work-from-home models a reality. This rapid transformation opened the door for opportunistic cybercriminals to figure out new ways to target MSP clients, particularly small and medium-size businesses (SMBs).

Case in point: nearly 73% of MSPs we surveyed for our Perch Security 2021 MSP Threat Report confirmed at least one customer had a security incident last year, and nearly 60% of these incidents were related to ransomware.

Why MSPs and their customers are uniquely vulnerable to cybercriminals

MSPs are increasingly in the line of fire for cybercriminals, as seen during last year’s crisis. MSPs hold the keys to hundreds of organizations that they manage, making it attractive to go after many at once. “Buffalo Jump” attacks occur when an MSP is breached and more than one managed organization is compromised with malware as a result. Ransomware has also moved to the cloud.

Attackers understand MSP tools and know how to exploit the vulnerabilities and tools that MSPs depend upon. They know that enterprise-grade security solutions are rarely built for use by MSPs, who represent a large number of companies, each with its own appetite for risk, lack of understanding of cybersecurity tools, or resource constraints.

Last year marked a rapid digital transformation as more customers shifted to the cloud. This introduced a slew of potential new vulnerabilities and risks for uneducated and unshielded customers. In fact, 82% of MSPs told us that the budget reserved for cybersecurity increased in 2020, with 75% of respondents indicating their spending would increase on average by 12.1% in 2021. Of the three types identified in our report - front runners, trying to keep up, and lagging behind - MSPs in the last category that don’t prioritize a security-first approach for a fast-evolving threat landscape take the biggest risk in terms of time and money loss.

Common sense cybersecurity steps for MSPs

MSPs need to take threats seriously, even if their customers don’t. Here are some common sense security steps and approaches for MSPs:

• Recognize you’re a valuable target – Most importantly, if you lack the right staff and training, then get on board with trusted partners and peers that can help you grow your security know-how and capabilities.

• Educate customers – Becoming more assertive with customers and bundling security into all packages will put you in a stronger position.

• Evaluate budget – Educating leadership on the gaps and risks with a self-assessment is the only way to get an increased security budget.

• Get dedicated staff – Tools alone aren’t enough; you need human capacity to operate and interact with security solutions, whether with dedicated security personnel or managed security services.

• Reduce tool sprawl – Find security controls that work well together and with your current ticketing systems and complement your stack.

• Maximize your spread – When thinking about what to bundle into basic packages, keep in mind the realities of today’s increasingly converged customer environments, including must-have SOC/SIEM with additional XDR/MDR/EDR layered tools.

• Tackle passwords and training – Passwords remain a key weak link where security failures are concerned, so password reuse training, architecting multi-factor authentication, and security keys for single sign-on are important.

The next big thing: addressing remote workforce security gaps

What happens when everyone suddenly starts working from home? Security gets pushed to the backburner. With fully remote and hybrid working models set to stay for the long term, MSPs must urgently review the effectiveness of existing security controls in terms of where employees – and their customers’ users – now work and determine whether an alternative deployment architecture or controls are needed to cover the risk.

There are a lot of timely reasons for MSPs to get their cybersecurity ducks in a row, from protecting customers to insurance firms hardening their attitudes toward cyber policies and new compliance regulations. Whatever the reason, the time is now.

About the Author

Wes Spencer is the CISO at Perch Security, which was acquired by ConnectWise in November 2020. He is responsible for leading external security strategies, working with external constituencies and media. He also provides cybersecurity thought leadership to ConnectWise’s partners, enabling them to build more mature cybersecurity programs for themselves and their clients.

Wes has been in the technology industry for 22 years, garnering awards such as Cyber Educator of the Year by the Cybersecurity Excellence Awards in 2020. Additionally, Wes is a part of multiple boards, serving on the Advisory Committee on Cybersecurity at the University of Florida, the Advisory Board on Cybersecurity Management at Murray State University, and as Chairman at the Community Institution Council Advisory Group, FS-ISAC. He has been featured in numerous publications, including The Wall Street Journal, ProPublica, Dark Reading, and Bleeping Computer.

Wes attended Murray State University, earning both a Bachelor of Science in Cybersecurity and a Master of Science in Cybersecurity. In 2017, he was named among Murray State’s Alumni of the Year.

Outside of work, Wes runs a YouTube channel with 30,000 subscribers covering cybersecurity and cryptocurrency. He is happily married and enjoys gaming and exploring the outdoors with his four children.



Threat Intelligence Should Be Shared Not Shamed<br />

By Nuno Povoa, Eurofins <strong>Cyber</strong>security US<br />

When the DarkSide ransomware group shut down the Colonial Pipelines’ gas distribution that stretches<br />

from Texas to New Jersey, something rather remarkable happened: the criminals apologized.<br />

The DarkSide group issued an apology, saying its goal was not in "creating problems for society" but "to<br />

make money." According to Newsweek, the hacker’s statement released on the Darkweb read in part,<br />

"Our goal is to make money, and not to create problems for society. From today we introduce moderation<br />

and check each company that our partners want to encrypt to avoid social consequences in the future."<br />

The world witnessed a cyber-terrorist organization playing a type of PR game to frame their attack as a<br />

‘Robin Hood’-type of good deed.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>July</strong> <strong>2021</strong> <strong>Edition</strong> 48<br />

Copyright © <strong>2021</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Applying PR tactics is a new page in the hacker playbook to mask the organizational root causes of cyberattacks. Within the companies being targeted, it’s not a matter of negligence; it’s a lack of a clear understanding of what these cybersecurity risks mean and how to translate them into impact. There's a big gap between the IT side of the house and the operational departments; each side has a separate administration department that doesn't always share security-related information in a timely manner. In Colonial Pipeline’s case, its corporate exposure to the internet was most likely very tight, but exposure through its refineries, where they probably have their own security rules and procedures, was weaker and may not have matched up to the more stringent corporate security policies.

Threat intelligence remains very compartmentalized and there's no central repository to share information. In many of these cybersecurity incidents, investigators have to go to multiple sources, in multiple departments, to begin pinpointing the root cause of the attack. Highly operationalized companies that prioritize only what is important to their specific part of the organization prolong the attack identification process. From the IT department down to the industrial control systems, there needs to be a better accountability structure in place and support for corporate-wide threat/risk data sharing, especially in utilities.

Attackers - A Victimless Mindset

Oftentimes, criminals who carry out these types of attacks are under the impression that it’s a victimless crime and that at some point the company will get reimbursed by its cyber insurance provider. In the Colonial Pipeline case, the hackers hit the company’s bottom line as well as affecting the price of gas all along the U.S. Eastern seaboard. “We are sorry. We wanted to start a little fire not a big fire” is far from an already morally dubious ‘Robin Hood’ act. Imagine what would have happened if this had been a deliberate, well-calculated attack, like the 2015 attack on the Ukraine power grid.

To combat criminal hackers there needs to be a real-time, institutional understanding of what the threats are and a universal repository of data shared among all organizations, similar to how the National Oceanic and Atmospheric Administration (NOAA) shares all weather-related information to benefit everyone. But the fact remains that companies don't want to talk about their cybersecurity issues, fearing bad PR and shareholder repercussions. All organizations need to share information on security breaches to create resiliency that enables quicker and more effective attack responses. To achieve this resiliency and collective response, companies need to have an overall risk management strategy, not just a bunch of vendor management tools.

Conclusion

We live in a world where virtually everything is connected to the internet and there will always be bad actors looking for a way in. Companies need to embrace this reality, but a lot of organizations choose to downplay their chances of being hacked. The minute devices are connected to the internet there is an access port for hackers; companies must take this seriously and be ready to respond with a well-thought-out plan.

Aligning with “industry best practices” has been the security mantra and goal of many niche industries, and while there's clear value in understanding and replicating the security goals within a particular technology or business vertical, it's crucial that the experience of other industries is not overlooked in the process. In the event of an attack, victims need to quickly disseminate the information so there is a universal understanding of the attack and a cooperative solution-share. This stands in stark contrast to the present-day habit companies have of simply comparing themselves to competitors in order to establish their security posture; oil, gas, energy, and manufacturing organizations are noticeably trapped in that mindset.

Companies should not rely solely on automated security tools for defense. No security tool is perfect; most security software demands constant tuning, writing another correlation rule, ingesting and parsing more logs, or configuring alerts based on a new predetermined condition. Adding to the complexity, many tools now employ machine learning and behavioral analytics, further abstracting the analysts from what is happening in the background. Risk rises alongside the evolving complexity of the system, and more than ever organizations need to implement a layered defense containing perimeter controls, EDR response, risk assessment processes, patch management, and people managing the security logs. Only with a layered defense for visibility and business resilience, and the universal, immediate sharing of intelligence, will we be able to remove one of the cyberattacker’s most valuable tools: corporate shame.

About the Author

As Senior Security Consultant, Nuno Povoa is the lead penetration tester at Eurofins Cybersecurity US. For over a decade, Nuno has developed strategic and technical insights to actively improve data and business resilience for major organizations in the USA, Europe and Asia. His past and present clients include major Oil & Gas, automotive manufacturing, broadcasting, and health care organizations.



NATO to Consider Military Response to Cyberattacks

As NATO Nations Face New Realities, The Worldwide Search For Cyber Talent Picks Up.

By Doug Britton, CEO, Haystack Solutions

In yesterday’s Brussels Summit Communiqué, issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Brussels on 14 June 2021, NATO signals that it will consider, on a case-by-case basis, treating cyberattacks similarly to physical attacks against allies. The communiqué indicates NATO may launch a military response against perpetrators.

Under Article 5 of the 1949 NATO treaty, any armed attack on a NATO ally is considered an attack on all alliance members, who may then defend the ally. At the North Atlantic Council meeting in Brussels yesterday, the alliance disclosed a Comprehensive Cyber Defence Policy under which Article 5 responses may be taken following a cyberattack.

The move follows several recent high-profile cyberattacks on commercial/industrial sector providers of critical infrastructure and services.



The Loud Clarion Call:

As a former linguist and HUMINTer in U.S. Army intelligence with U.S. Special Forces Command during Operation Enduring Freedom and a former cyber-intel initiative contributor at Lockheed, this news jumped out at me on several levels.

First, NATO is acknowledging that Russia, China and other nation-states pose major cybersecurity threats, both because of direct actions and because of the third-party threat actors operating on their soil, presumably with tacit permission.

The first half of 2021 has seen both an increase in commercial/industrial critical infrastructure cyberattacks and a dramatic escalation of their potential impact, with Colonial Pipeline, food processor JBS, and commercial-sector corporations such as Fuji being just the latest examples.

New findings from researchers with Check Point show that ransomware attacks have increased 93% year over year. Moreover:

• The number of organizations impacted by ransomware has risen to 1,210 in June 2021 alone,

• Check Point Research sees a 41% increase in attacks since the beginning of 2021, contributing to the aforementioned 93% increase, and

• Surprisingly, despite the high-profile U.S. entities attacked, Latin America and Europe saw the largest increase in ransomware attacks since the beginning of 2021, marking a 62% and a 59% increase, respectively.

Elena Elkina, JD, CIPP/US, CIPP/E, CIPT, and Partner with corporate privacy consultants Aleada, noted that we live in a world where cyber defense is imperative for companies and countries. “In the light of the frequency, complexity, and destructive power of the most recent attacks, the only surprise is that it took NATO up to this point to make public this decision and take assertive action. The time for delicacy is over, and it is time for NATO to reaffirm its position and request other countries to act respectfully and responsibly.”

Help Wanted in The Hunt for Premium Talent: This communiqué makes clear that the U.S. and her allies must change the urgency and economics around finding the undiscovered cyber geniuses whose innate aptitudes make them among the potential best and brightest, then train them at a new pace and price point, and get them into the fight as soon as possible. This is a clarion call for the best talent on defense, repelling attackers at the cyber borders, and on offense, deploying cyber weapons against adversaries.

As Garret Grajek, CEO of YouAttest, observed, the open nature of the democratic nations’ networks forces the West to apply pressure on the points of origin of such attacks. “NATO’s message is a strong sign to the nations that either harbor or turn a blind-eye to attackers on its soil that these malware campaigns will be taken very seriously.”



The number of open positions in various cyber roles exceeds the number of people currently in the profession, with some suggesting that another 145% growth will be required over the next 5 years. Our current methods of identifying talent clearly aren’t able to keep up. The industry is also suffering from a somewhat polarizing perception of being a bro-network of hackers at the fuzzy edge of ethics and laws.

To change the math and attract new entrants, the industry needs new perspectives. The sheer number of people needed in cyber jobs does not align with the 4+ year timeline of college programs. The economy requires the ability to add people into the fight with months of training rather than years. One way we get people ready in months rather than years is to focus on learners who have the highest likelihood of internalizing the training and putting it to work on cyber battlefields.

Typically, cyber training has a high percentage of washouts who either don’t complete the training or fail to transition into practice. Advances in cognitive testing around cyber would allow for more efficient deployment of training resources. Additionally, the same methods can give people with no technical background or prior experience, perhaps from philosophy or criminal justice, a pathway to becoming cyber warriors.

NATO’s ability to meet this enemy on the multifaceted battlefield requires that we can find, train, and equip the cyber warriors. A revolution in talent development can get us there, if we move quickly.

About the Author

Doug Britton is the founding CEO of Haystack Solutions. Doug drew from his years in military intelligence and years as a cyber executive to craft a better way to find cyber talent. Haystack Solutions finds cyber genius using test methods developed for the US intelligence community and DOD, transferred out of the University of Maryland. Additionally, Doug is the CTO and a Director of RunSafe Security. As RunSafe’s CTO, Doug plays an essential role in showcasing how RunSafe’s technology changes the economics of cyber defense, and he has been instrumental in driving the RunSafe technology strategy and roadmap, the development of its patent portfolio and IP strategy, managing software development teams, and building a world-class security research team. Prior to RunSafe Security, Doug founded Kaprica Security which sold its Tachyon business to Samsung. He has also managed large-scale security research, reverse engineering, and exploit development programs for Lockheed Martin and SAIC. A trained computer scientist, Doug started his career in the National Center for Supercomputing Applications at the University of Illinois, before serving as a Russian Linguist and Interrogator in the US Army. He has also earned an MBA from the University of Maryland and mentors several entrepreneurs and students launching their business.

Doug can be reached online at @CATA_Haystacks and at our company website http://www.haystacksolutions.com/



Know Thy Enemy, Break Their Cyber Kill Chain

By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies

The Cyber Kill Chain, developed by Lockheed Martin in 2011, borrows the military concept of a ‘kill chain’: structuring an attack into stages, from identifying an adversary’s weak links to exploiting them. In the same way that the traditional kill chain describes the seven steps in a physical attack – identification of the target, forced dispatch to the target, decision, order to attack the target, and finally, target destruction – the Cyber Kill Chain describes the modus operandi of a typical cyber intrusion in seven phases:

1. External Reconnaissance – Identifying the target’s weaknesses, studying them, and then selecting which methods of attack can be executed with the highest degree of success. This initial stage involves the harvesting of organizational details such as mailing lists, social network activity, information on technology choices, conference details, etc.

2. Weaponization and Packaging – This phase can take many shapes, including web application exploitation, compound document vulnerabilities delivered in Office, PDF or other document formats, off-the-shelf or custom malware, or watering hole attacks. Essentially, this is the part where the attacker packages up the exploit with a backdoor into a deliverable payload.



3. Delivery – Transmission of the payload is either target-initiated (a user browses to a malicious web presence, leading to an exploit delivering malware, or they open a malicious PDF file) or attacker-initiated (network service compromise or SQL injection) – whichever digital method and means of transporting or launching the attack best suits the intended target.

4. Exploitation – Once the payload has been delivered to the user, device or computer, it will work to compromise the asset, thereby gaining a foothold in the target’s IT environment. How this is achieved technically hinges on the type of digital attack selected. This can involve an exploit mechanism, like specialized code that takes advantage of a known software vulnerability to execute on a victim’s system. Depending on the victim, zero-day exploitation is a possibility as well, but in most cases, it isn’t necessary for adversaries to go to this expense.

5. Installation – The objective of this step is to establish persistence on the victim system. It typically involves the installation of malware, such as a bot client or trojan, that will proceed to run whenever the compromised device powers on or reboots. This is typically designed to gain persistence at the endpoints where it has access and enables the adversary’s control of the application without alerting the target’s organization.

6. Command and Control – This stage is simple: Set up and initiate a communication mechanism, or the “Command and Control (C2) channel” as security experts call it, to exercise authority on the affected devices and exfiltrate data remotely. The level of complexity in this step can range from simply transmitting data via normal network services (e.g., HTTP, IRC, and others), to something much more sophisticated like concealing specially encrypted traffic in tricky, unexpected network services (in ICMP messages or DNS options, for example). Some of the more modern threats even use social media mechanisms, like Facebook or Twitter posts, for command and control. Ultimately, this channel enables the adversary to tell the controlled “asset” what to do next and what information to gather.

7. Actions on Targets – In the seventh and final phase, intruders use the “hands on keyboard” access they’ve gained to carry out any malicious actions necessary to achieve their original goals. This can involve ransomware installation, keylogging, grabbing password hashes, using the webcam to spy, collecting any or all of your files and data, and much more.
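Phase 6 above mentions C2 traffic hidden in DNS. The following is an added example for this article (it is not WatchGuard's or Lockheed Martin's code) of the defender's counterpart: a heuristic that profiles a resolver log and flags registered domains whose queries carry many distinct, long, high-entropy leftmost labels, the pattern produced when data is encoded into DNS names. The log format (`<timestamp> <client_ip> <qtype> <qname>`), the sample lines, and the thresholds are constructed assumptions, and the "last two labels" rule for the registered domain is a simplification that a production detector would replace with a public-suffix list.

```python
"""Heuristic DNS-tunnelling indicator for the kill chain's Command and Control phase.

Added example, not code from the article, WatchGuard or Lockheed Martin.
The resolver log format ("<timestamp> <client_ip> <qtype> <qname>"), the
sample lines and the thresholds are constructed for illustration.
"""
import math
from collections import defaultdict
from typing import Dict, List

# Constructed resolver log: three ordinary lookups of example.com from one
# client and five TXT queries from another client whose leftmost label is a
# 32-character hex blob that changes on every query (an encoded payload).
SAMPLE_LOG = """\
2021-06-14T10:00:01Z 10.0.0.5 A   www.example.com
2021-06-14T10:00:02Z 10.0.0.5 A   mail.example.com
2021-06-14T10:00:03Z 10.0.0.7 TXT 0123456789abcdeffedcba9876543210.tunnel.example.net
2021-06-14T10:00:04Z 10.0.0.7 TXT abcdef0123456789fedcba9876543210.tunnel.example.net
2021-06-14T10:00:05Z 10.0.0.7 TXT 13579bdf02468ace13579bdf02468ace.tunnel.example.net
2021-06-14T10:00:06Z 10.0.0.7 TXT fedcba98765432100123456789abcdef.tunnel.example.net
2021-06-14T10:00:07Z 10.0.0.7 TXT 02468ace13579bdf02468ace13579bdf.tunnel.example.net
2021-06-14T10:00:08Z 10.0.0.5 A   cdn.example.com
"""


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; encoded data scores near log2(alphabet size)."""
    if not label:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximate the registered domain as the last two labels.
    Assumption: no public-suffix list is available offline, so 'co.uk'-style
    suffixes would be mis-grouped; a production detector would use one."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile_domains(log_text: str) -> Dict[str, Dict[str, float]]:
    """Aggregate per registered domain: query count, number of distinct
    leftmost labels, mean leftmost-label length and mean label entropy."""
    acc = defaultdict(lambda: {"queries": 0, "labels": set(), "len_sum": 0, "ent_sum": 0.0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, _qtype, qname = line.split()
        qname = qname.rstrip(".").lower()
        payload = qname.split(".")[0]  # the leftmost label is where tunnelled data travels
        s = acc[registered_domain(qname)]
        s["queries"] += 1
        s["labels"].add(payload)
        s["len_sum"] += len(payload)
        s["ent_sum"] += shannon_entropy(payload)
    profiles: Dict[str, Dict[str, float]] = {}
    for domain, s in acc.items():
        q = s["queries"]
        profiles[domain] = {
            "queries": q,
            "unique_labels": len(s["labels"]),
            "mean_label_len": s["len_sum"] / q,
            "mean_entropy": s["ent_sum"] / q,
        }
    return profiles


def flag_tunneling(log_text: str, min_unique: int = 5,
                   min_len: float = 20.0, min_entropy: float = 3.0) -> List[str]:
    """Return registered domains whose query pattern matches the tunnelling
    heuristic: many distinct, long, high-entropy leftmost labels."""
    return sorted(
        domain for domain, p in profile_domains(log_text).items()
        if p["unique_labels"] >= min_unique
        and p["mean_label_len"] >= min_len
        and p["mean_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for domain, p in profile_domains(SAMPLE_LOG).items():
        print(f"{domain:14} queries={p['queries']} unique={p['unique_labels']} "
              f"len={p['mean_label_len']:.1f} entropy={p['mean_entropy']:.2f}")
    print("suspected tunnelling:", flag_tunneling(SAMPLE_LOG))
```

The thresholds are tuned to the constructed sample; against real resolver logs, baseline the per-domain statistics over a known-good period first, since CDNs and some telemetry services legitimately emit long, random-looking labels, and combine the domain profile with per-client query rate so that a single host bursting hundreds of unique names stands out as well.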

One criticism of Lockheed’s original Cyber Kill Chain is that it doesn’t adequately address a common stage of attack known as lateral movement or pivoting. Often, the first device a malicious actor gets control of isn’t the intended target, so they must take additional measures to gain access to the key systems or data required to accomplish their mission. To account for this, Lockheed considers its Cyber Kill Chain to be circular rather than linear.

Ultimately, understanding the Cyber Kill Chain helps those tasked with protecting systems and data identify the various defenses that need to be in place for effective security. While cybercriminals are constantly evolving their attack techniques, their approach will always consist of these fundamental stages. Effective security defenses rely on intimate knowledge of adversaries and their tools and tactics. And the closer to the first link of the Cyber Kill Chain an attack can be stopped, the better.



Cybercriminals have a knack for tracking down the weakest point of entry between them and an attack on a corporate network, which is often through endpoint devices such as mobile phones, tablets and laptops, or other wireless and IoT devices. The massive shift to remote work this past year has inhibited traditional corporate network security because it can’t protect users beyond its perimeter. For this reason, security strategies for our “new normal” need to strengthen defenses on remote employees’ endpoints at home. Endpoint protection (EPP) detects and prevents many phases of the Cyber Kill Chain, completely thwarting most attacks or enabling IT administrators to remediate the most complex and sophisticated threats in later stages.

While adversaries must advance through each of the seven phases in the Cyber Kill Chain in order to realize success, IT/security teams just need to shut down a single link to break it. Malicious actors can often access the most valuable assets of the organization they’re targeting via endpoints in homes where employees are doing their work remotely. Therefore, stopping malicious actors at the endpoint radically reduces the likelihood of a successful cyberattack.

About the Author

Corey Nachreiner is the CSO of WatchGuard Technologies. A frontline cybersecurity expert for nearly two decades, Corey regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the Secplicity Community, which provides daily videos and content on the latest security threats, news and best practices. A Certified Information Systems Security Professional (CISSP), Corey enjoys "modding" any technical gizmo he can get his hands on and considers himself a hacker in the old sense of the word.

Corey Nachreiner can be reached at @SecAdept on Twitter, or via https://www.watchguard.com/



Uncovering the Dark Side of the Colonial Pipeline Attack

By Alon Nachmany, Director of Customer Success, AppViewX

The Colonial Pipeline, which stretches more than 5,500 miles from Houston to New York and provides the eastern United States with almost half of its diesel, gas, and jet fuel, was shuttered after a ransomware cyber-attack. The attack was carried out by DarkSide, a cyber-criminal gang that attacks privately-owned businesses and donates a portion of what they take to charity. DarkSide also sells the ransomware they develop to other cyber-criminals, who can then use it to carry out attacks in exchange for part of the profit.

The impact of the attack hasn’t been catastrophic; there were some spikes in price in some states and some gas stations did run out of gas. The national average gas price rose by two cents, and the more significant effects have been a result of people panic-buying fuel and businesses making attempts to save fuel. But the attack has highlighted just how vulnerable both the pipeline and the American energy systems are.

The Colonial Pipeline is nearly 60 years old. Over time, expansions and loops have been added to the pipeline to increase its capacity and make the process more high-tech and automated. Today, the company uses pumps, thermostats, sensors, and valves to monitor and control the pipeline, and a robot to inspect the thousands of miles of pipeline and find and report any anomalies. All of these technologies are connected to a central system that was targeted by DarkSide. Colonial has the pipeline back up and running and is now working closely with the Energy Department to ensure that something like this does not happen again.



Outdated and Vulnerable OT Systems are Becoming Easy Targets

The major factor that affected the pipeline’s restart was how quickly Colonial could determine precisely how much of its infrastructure was affected by the attack. With many Operational Technology (OT) systems, there is a lack of visibility, meaning it can take a significant amount of time to determine the severity of an attack. OT systems were designed in the 1970s and have become incredibly outdated over the last 50 years as technology has become significantly more sophisticated.

So have hackers.

These OT systems were built with one thing in mind: “Availability.” They simply cannot go down. Operational Technology is the technology that runs our utilities and critical infrastructure. As listed above, OT includes, among others, pumps, thermostats, sensors, and valves, devices that cannot afford to be shut down. And often, communications within these systems are not encrypted. In fact, some might even use a clear-text username and password, if any authentication is required at all. OT systems are simply not like IT systems, which are managed and secured by an IT team who know the system inside and out and can access any aspect of it in seconds to determine the damage caused. Many IT and cyber teams aren’t even aware of OT systems and how they are set up, so they aren’t able to easily manage or secure them, though this is currently changing.

This is a big part of why the entire pipeline was shut down. Due to the lack of visibility and not knowing what information the hackers had taken, Colonial had no way of knowing what DarkSide could do next. So, their safest and quickest option was to halt the entire process until they could determine the extent of the attack. But shutting down also indicates that the company does not have a lot of faith in its OT security, which is a major red flag and something that needs to be addressed by the industry as a whole.

Biden’s Cybersecurity Executive Order Comes as a Saving Grace

In the days since the Colonial Pipeline cyber-attack, President Biden and other officials have prepared to issue an executive order requiring federal agencies and their contractors to strengthen their cybersecurity. The order created a Cybersecurity Incident Review Board similar to the National Transportation Safety Board, which investigates civil transportation accidents in the air or at sea.

Once the order is put into effect, it will require software vulnerabilities to be reported to the government so that they can be addressed rather than being swept under the rug. This would hold companies liable in a way they aren’t currently. If a company’s software doesn’t comply with regulations or they fail to report a vulnerability, there are consequences, including a possible ban from selling their software to the government, which can kill their business’s viability.

That being said, many utilities are private for-profit companies. This means that utility companies, like other companies, apply the “Cybersecurity Risk Equation”: a simple calculation in which the probability of a cyber event multiplied by the cost of that event sets the budget for securing the solution. What this equation won’t take into account is the cost to the general public. For example, as we saw with the short gas outages, what if there is no gas? What happens when first responders don’t have fuel?



Energy and Utilities – You Have No Choice but to Reinvent Your Security

The Energy and Utility industry is our country’s lifeline, providing essential everyday services to people. Any breakdown in this critical infrastructure can paralyze the entire system and have debilitating impacts on consumers and a country’s economy at large. Ironically, the sector has been more lax than necessary in building a resilient cybersecurity posture.

The increasing convergence of IT and OT systems and the lack of adequate OT security have introduced many security weak links into the infrastructure, making it an attractive target for cybercriminals. The Colonial Pipeline attack is a classic case exposing these security gaps and blatantly highlighting the need to bridge them with a well-thought-through, strong, and sustainable security strategy.

Biden’s executive order is a welcome move in that direction. Let us hope that the industry will act soon, or history won’t be kind.

About the Author

Alon Nachmany is the Director of Customer Success at AppViewX. He has more than 15 years of cybersecurity experience, including being a former Chief Information Security Officer (CISO). He has worked with critical infrastructure, specifically with operational technology, and has consulted for water treatment and power companies as well as major airports and governments. In May 2019, he was a speaker at the DOE’s Cybersecurity Conference.

He can be reached via Twitter @AppViewX and at our company website @AppViewX.com



How To Protect Power Infrastructure from Ransomware Attacks

Why every point counts in the era of increasing intelligence

By Hervé Tardy, Vice President, Marketing and Strategy for Power Quality, Americas, Eaton

The continuing emergence of IoT is bringing new meaning to the old saying: “a chain is only as strong as its weakest link.” Advancements in connected technologies are helping enterprises achieve many benefits, allowing them to tap into new data insights and streamline efficiency in exciting ways. However, with this integration comes the responsibility to ensure the entire network remains protected, as more points of intelligent capability create more potential areas of cybersecurity risk.

Cyber attackers are out in full force and more savvy than ever before, so businesses need to consider every possible avenue to keep their organization properly protected, including power infrastructure. In this article, we’ll cover how to approach the threat of ransomware attacks through power devices and provide measures to keep cyber criminals at bay.

Cybersecurity in the current context

Safeguarding against ransomware strikes has never been more critical. In 2020 alone, the prevalence of ransomware attacks in the U.S. skyrocketed by 109 percent, according to the 2020 SonicWall Cyber Threat Report, costing businesses more than $75 billion a year, part of which is attributed to downtime expenses. Experts attribute the rapid increase in threats to the influx of home-based employees resulting from the COVID-19 pandemic.

When businesses migrate to a hyper distributed IT environment flexibility will grow but the threat of<br />

growing cyberattacks can’t be ignored. This point was driven home recently when Colonial Pipeline faced<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>July</strong> <strong>2021</strong> <strong>Edition</strong> 60<br />

Copyright © <strong>2021</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


a cyberattack that shut down approximately 5,500 miles of pipeline, causing panic among travelers facing<br />

gas shortages and long lines at gas pumps across the eastern seaboard.<br />

These types of events underscore the importance of safeguarding all network-connected equipment against cyber threats, which encompasses uninterruptible power systems (UPSs), power distribution and cooling systems.

A resource guide for power protection

As hackers continually attempt to overcome the cybersecurity mitigations businesses are putting in place, organizations must ensure that there is no point of access for malicious activity. Having a running cybersecurity checklist for power management can help IT teams keep their strategy up-to-date and effective in the face of evolving threats.

• Keep certifications in check: One of the best things IT teams can do to drive the most effective level of security is to stay on top of cybersecurity certifications being developed by global standards organizations like Underwriters Laboratories (UL) and the International Electrotechnical Commission (IEC). These organizations are expanding their processes for certifying products as secure across the network, which includes power backup devices.

There are UPS network management cards available with UL 2900-1 and ISA/IEC 62443 certification that have built-in cybersecurity capabilities and features. Buying products with these types of safeguards against possible ransomware attacks can transform a UPS into an enterprise IoT device with cybersecurity protection.

• Use software to manage firmware updates: By pairing backup equipment with power management software, enterprises have the ability to make timely firmware installations and updates to stay ahead of emerging cybersecurity threats. As new threats are identified, businesses can work with their technology service providers to embed necessary patches or solutions.

For example, when the Ripple20 vulnerabilities were recently identified in the Quadros stack, potentially billions of connected devices were exposed. Power management software allows mass updating to apply patches and remove this exposure, at scale, quickly across the power chain.

• Look for ways to expand and improve: Although primarily developed to monitor and manage UPSs and rack PDUs—as well as gracefully shut down loads during a loss of utility power, even in virtualized environments—power management solutions may also be used to provide an inexpensive, highly viable air gap solution. This security measure helps keep secure networks physically isolated from unsecured ones such as the Internet.

Power management software has the capability to integrate with Windows operating systems and common virtualization systems, allowing IT teams to automatically discover and monitor common power infrastructure and IT equipment. Some solutions can also be customized to trigger specific actions on a customized schedule in alignment with UPSs and/or power distribution units (PDUs).

• Merge physical and digital solutions: Enterprises should also consider physical security as part of their strategy to keep power management equipment safe. Taking measures to deploy smart security locks on IT racks can help to ensure that only authorized personnel have access to IT equipment.

While ransomware attacks are a mounting threat across every business landscape, they are especially risky to small- and medium-sized organizations that tend to have smaller security budgets and less dedicated IT personnel. By deploying simple measures, companies can help safeguard their IT infrastructure against these expensive and detrimental attacks.

Business continuity planning is a must

Successful enterprises not only utilize the previously discussed mitigations to prevent becoming a victim of ransomware, but also have a comprehensive business continuity plan in place. The first step is to make sure that files are regularly backed up. In some cases, this simple process will allow victims to recover their data at no cost.

It is possible that ransomware attackers will attempt to coerce a company to pay the ransom by threatening to publicly release sensitive information. For this reason, organizations should always encrypt their data to prevent attackers from gaining this type of leverage. It is also possible for ransomware attackers to encrypt or destroy backups. Because of this, it is essential to maintain a copy of backups in a separate location that is isolated from the network as a last line of defense.

The journey forward

Enterprises will keep looking for new ways to use IoT solutions as the technology landscape advances. Businesses stand to benefit significantly from this evolution, but cybersecurity must remain top-of-mind to protect against operational downtime, data loss and negative impact on lifecycle costs and brand reputation. With a multi-faceted strategy that includes power management in the equation, businesses can ensure that progress and protection go hand-in-hand.

About the Author

Hervé Tardy is Vice President of Marketing and Strategy for Eaton’s Power Quality business unit in the Americas region. In this role, Hervé manages the Americas product roadmap for power solutions, software and connectivity products to reinforce Eaton’s technology leadership. You can find more information at Eaton.com.



Ransomware and the Cybersecurity Industry’s Problem of Perception

By Jack B. Blount, President and CEO, INTRUSION, Inc.

In the past year, we’ve seen ransomware attacks spike significantly – not only in frequency but also in scale. A recent Check Point Research (CPR) report noted a 57% increase in organizations affected by ransomware within the past 6 months.

Attacks by groups such as Babuk, Hafnium, DearCry and most recently Darkside have made big headlines – impacting large organizations, infrastructure, and public safety. And these attacks don’t just affect the target companies – the recent attack on Microsoft affected more than 30,000 organizations using Microsoft Exchange servers. Before that, it was the Sunburst breach that, aside from creating other calamities, allowed these bad actors to look deep into Microsoft’s software code, browsing to their heart’s content. Now, the Colonial Pipeline ransomware attack resulted in one of the country’s biggest suppliers of fuel to the East Coast being shut down for days – the ramifications of which are yet to be seen.

It is scary to think what destructive minds can do once they get unfettered access to the systems that run the world’s commerce, education, manufacturing, critical infrastructure, defense, and even entire governments.

The most common worms and malware causing this surge are Ryuk and Maze. But there are other popular ones – Bad Rabbit, Cryptolocker, GoldenEye, Jigsaw, LeChiffre, Locky, NotPetya, Petya, and WannaCry – to name a few. As these existing malware families, along with an ever-increasing number of variants, gain momentum from well-funded and well-organized adversaries, we can expect to see a growing number of headlines of compromised organizations of all sizes.

WannaCry makes a comeback

It's no surprise that WannaCry is also rearing its ugly head. Back in 2017, the WannaCry outbreak infected as many as 200,000 computers within 72 hours. Using the EternalBlue exploit in Windows SMB (Server Message Block protocol), the malware could infect new victims on its own, spreading exponentially over the internet. WannaCry is still infecting Windows servers for one simple reason: they are unpatched. It's astonishing, really, that it’s been four years since Microsoft released the fixes for WannaCry, yet there are still unpatched servers that exist today. Common segments targeted by WannaCry are government/military, manufacturing, banking, and healthcare. According to CPR, the United States is the primary target, garnering 49% of all exploit attempts. Auditing of server software is needed immediately to identify unpatched servers, with special attention to those that haven’t been powered up in a long time.

Looking at Cybersecurity from a New Angle

The reason these ransomware attacks continue to be successful is that the solutions we use to prevent cyberattacks haven’t changed much. We continue to focus on signatures and an outside-in approach, giving organizations a false sense of security. The reality is that cybercriminals keep finding new ways to breach our outer layers of protection. Once they are in a network, they can live there for months, searching for an organization’s most valuable data or assets. Because most solutions don’t monitor outgoing traffic, these criminals are able to steal an organization’s data and figuratively walk right out the door with it, with little to no monitoring.

It’s time we start looking at cybersecurity with a new perspective, and focus on solutions that monitor both incoming and outgoing traffic. Hackers first accessed SolarWinds on September 4, 2019, and the hackers got away with their code long before the malware was discovered. It had been living in that network for about nine months before it was detected – it had gotten past firewalls and other solutions meant to keep it out.

No matter the type, malware needs a connection in order to carry out its task of stealing data. Without being able to “call home” or connect to an outside server, it cannot deploy malicious code.

Monitoring and immediately killing these connections is the only way to successfully prevent these damaging ransomware attacks that leave organizations in the impossible position of deciding whether to pay up, or lose their valuable data, information and assets.
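The outbound-connection monitoring the article calls for can be prototyped over plain egress logs. The following Python script is an added example, not code from the article or from INTRUSION, Inc.: it checks constructed outbound-connection records against an allow-list of approved destinations, looks for beaconing (one host reaching one destination at a nearly fixed interval, which is how implants typically poll their control server), and flags unusually large single transfers. Host names, addresses, the log layout and the thresholds are all assumptions made for the example.

```python
"""Flag outbound connections that look like malware calling home.

Added example, not from the article or INTRUSION, Inc. Three checks run over
constructed egress-log lines: unapproved destinations, timer-like beaconing,
and large outbound transfers. All names, addresses and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log: timestamp, source host, destination, port, bytes sent.
SAMPLE_LOG = """\
2021-06-01T10:00:00 ws-17 203.0.113.10 443 512
2021-06-01T10:00:13 ws-17 updates.example.com 443 1200
2021-06-01T10:05:00 ws-17 203.0.113.10 443 498
2021-06-01T10:07:45 ws-03 mail.example.com 587 8800
2021-06-01T10:10:01 ws-17 203.0.113.10 443 505
2021-06-01T10:15:00 ws-17 203.0.113.10 443 511
2021-06-01T10:20:00 ws-17 203.0.113.10 443 500
2021-06-01T10:31:02 ws-03 updates.example.com 443 3000
2021-06-01T10:42:19 ws-03 198.51.100.7 8080 45000
"""

# Assumed allow-list of egress destinations the business has approved.
ALLOWED_DESTINATIONS = {"updates.example.com", "mail.example.com"}


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, sent = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "dst": dst, "port": int(port), "bytes": int(sent)})
    return events


def unapproved_destinations(events, allowed=ALLOWED_DESTINATIONS):
    """(host, destination, port) triples that reach something outside the allow-list."""
    return sorted({(e["host"], e["dst"], e["port"]) for e in events if e["dst"] not in allowed})


def beacon_candidates(events, min_hits=4, max_jitter=0.1):
    """Map (host, destination) -> average interval in seconds for pairs whose
    connection gaps are nearly constant. The jitter bound is the coefficient of
    variation of the gaps: a timer-driven implant produces values near zero,
    while interactive user traffic is far more irregular."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["host"], e["dst"])].append(e["ts"])
    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[pair] = round(avg)
    return found


def large_transfers(events, threshold_bytes=20_000):
    """Single connections that pushed more data out than the threshold."""
    return [(e["host"], e["dst"], e["bytes"]) for e in events if e["bytes"] > threshold_bytes]


def egress_report(text=SAMPLE_LOG):
    """Run all three checks over one log and collect the findings."""
    events = parse_log(text)
    return {
        "unapproved": unapproved_destinations(events),
        "beacons": beacon_candidates(events),
        "large": large_transfers(events),
    }


if __name__ == "__main__":
    for key, value in egress_report().items():
        print(f"{key}: {value}")
```

In the sample, ws-17 contacts 203.0.113.10 every five minutes with near-identical payload sizes and ws-03 pushes 45 KB to an unapproved host; either finding would justify cutting the connection and pulling the host for investigation, which is the response the article argues for.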



About the Author

Jack Blount is President and CEO of INTRUSION, Inc., a leading provider of entity identification, high speed data mining, cybercrime and advanced persistent threat detection products.

Blount has an extensive career in technology as a visionary in the personal computer, local area networking, ERP, mobile computing, big data, cybersecurity, and AI fields. Most recently, he was the founder of a strategic consultancy for enterprise, startup and federal government organizations. Prior to that, he served as CIO of the United States Department of Agriculture where he was responsible for designing a new, 10-layer cyber security architecture, protecting more than 100,000 employees and billions of dollars.

His experience also includes roles at IBM and Novell, where he served as SVP of Business Development and helped expand its business from $50M to $2B in just six years. Blount has served as the CTO, COO, and CEO of eight technology, turnaround companies, and has served on twelve technology company Boards of Directors.

Blount graduated from Southern Methodist University with a degree in Mathematics and did his graduate MBA studies while working at IBM.

Jack can be reached online at our company website https://www.intrusion.com/



Easyjet Data Breach One-Year On: What Are the Next Steps?

By Aman Johal, Director and Lawyer at Your Lawyers

The EasyJet 2020 data breach

On Wednesday 19th May, we passed the one-year anniversary of the EasyJet 2020 data breach hitting the headlines, one of the largest data breaches in UK history.

Resulting from a “highly sophisticated” attack, the personal details of around nine million EasyJet customers were exposed to hackers. While the airline was quick to claim that there was no evidence that any personal information had been misused, it did admit that, as well as email addresses and travel details, the hackers had stolen the credit card details of approximately 2,208 customers.

The stolen credit card data are understood to have included the three-digit security code – known as the CVV number – on the back of cards.

In a statement following the hack, EasyJet said it had gone public to warn the nine million customers whose personal details had been exposed. However, it did not provide any further details about the nature of the attack or the suspected motives. Instead, the airline’s own investigation suggested that hackers were targeting the company’s intellectual property, rather than hunting for information that could be used to commit crimes like identity theft.



The airline industry’s poor record on cybersecurity

The airline industry does not have a great track record concerning cybersecurity. In 2018, it was discovered that the personal details of almost half a million British Airways customers had been harvested by hackers over two separate attacks. Users of the airline’s website and app had their data copied to criminals who had exploited a weakness in the payment processing systems. The personal information exposed included full names, debit and credit card numbers, addresses, email addresses, and CVV numbers.

The Information Commissioner’s Office originally announced an intention to fine British Airways £183 million for the breach. However, this was dramatically reduced to just £20 million in October 2020.

You would hope that the British Airways data breach debacle was a warning to the airline industry. Unfortunately, it appears that such warnings have fallen on deaf ears. On May 23rd, Air India said that the personal data of about 4.5 million passengers had been compromised following an incident at SITA, the Indian flag carrier airline’s data processor.

The stolen information included passengers’ names, credit card details, dates of birth, contact information, passport information, ticket information, and frequent flyer data.

While Air India claimed it did not hold CVV/CVC data, it did encourage passengers to change passwords “wherever applicable to ensure the safety of their personal data”.

The potential compensation payouts for EasyJet

In this sense, the type of data stolen in the Air India hack is similar to the EasyJet breach in 2020, so we can use past breaches – such as the British Airways hack – to estimate the likely compensation pay-out for victims of EasyJet’s data breach.

For the British Airways data breach, we believe that the average compensation awards could be in the region of £6,000 for each claimant, meaning that the airline could face a potential compensation bill of up to £2.4 billion. Based on current case law, which is the foundation on which the Judge will assess the British Airways case, together with data from our own settled claims, we can estimate that average settlements for data protection and privacy breach cases are in the region of £6,500 for damages, with common amounts ranging from around £500 to £15,000.

Any victims of the EasyJet data breach should keep these compensation figures in mind and remember that data breaches are often caused by businesses not adhering to best practice when implementing cybersecurity measures. The process of claiming compensation is often far simpler than first imagined and, as illustrated by our updated compensation estimates, there can be significant financial rewards for claimants seeking the compensation they are owed.



About the Author

Aman founded consumer action law firm Your Lawyers in 2006, and over the last decade he has grown Your Lawyers into a highly profitable litigation firm.

Your Lawyers is a firm which is determined to fight on behalf of Claimants and to pursue cases until the best possible outcomes are reached. They have been appointed Steering Committee positions by the High Court of Justice against big corporations like British Airways - the first GDPR GLO - as well as the Volkswagen diesel emissions scandal, which is set to be the biggest consumer action ever seen in England and Wales.

Aman has also successfully recovered millions of pounds for a number of complex personal injury and clinical negligence claims through to settlement, including over £1.2m in damages for claimants in the PIP Breast Implant scandal. Aman has also been at the forefront of the new and developing area of law of compensation claims for breaches of the Data Protection Act, including the 56 Dean Street Clinic data leak and the Ticketmaster breach.



Ransomware, the Ultimate Cyber Threat to Municipalities

With 45% of ransomware attacks targeting municipalities, something must shift the needle.

By Yehudah Sunshine, Head of PR, odix

Municipalities face the risk of persistent cyber-attacks from every direction. From embedded malware in file attachments and malicious code uploaded via removable media to the endless risk of viruses and dubious data uploaded via self-service/file transfer portals, municipalities and local governments are increasingly in the crosshairs of hackers, state-sponsored cyber campaigns, and opportunists looking to cash out at the expense of local coffers.

Much as on the physical battlefield, the only way to manage the risks and prioritize threats is through triage. In the case of municipalities, that means focusing on ransomware and its devastating effects to secure the data and vital resources needed to keep communities operating.

Why are municipalities so vulnerable to attack?

Municipalities have become a beacon to cybercriminals due to their role as a storehouse for vast swaths of private data, which are more often than not poorly protected by out-of-date security protocols littered with excessive systems admins and countless security gaps. The data, ranging from tax information and voting records to social security numbers, and everything in between, if compromised can result in extensive financial liability to the municipality and far greater loss to the individuals.

Further exacerbating the situation, municipalities by law are required to be transparent and provide their constituency with vast data points on any number of vital services or projects they may implement. While the public may appreciate this consideration, hackers have capitalized on this obligation to exploit the public infrastructure for personal gain.

“Because local governments maintain sensitive personally identifiable information, they have a fiduciary duty to safeguard that information. As large-scale data breaches continue to make headlines, local governments must make cybersecurity a priority.”

Between the financial obligations and the massive and publicly embarrassing cyber-attacks which have plagued cities for the past 5 years, many prominent voices are demanding broader municipal cyber accountability and a cohesive strategy for mitigating cyber risk.

Why do 45% of ransomware attacks target municipalities?

Municipalities have become a major focal point for hackers because they often fail to implement effective data protection policies. From rarely backing up data, not implementing multifactor authentication, and failing to provide consistent cybersecurity education for their employees to not deploying innovative endpoint and cloud security solutions, municipalities' significant and easily exploited weak points make them particularly susceptible to attack.

Complicating matters: “Small and medium-sized cities [often] do not have the resources or funds they need to invest in IT security. Cities also struggle to keep pace with technology. For example, refresh cycles may not be timely because of the required continuity of their services for its citizens, or new IP-based delivery activities are implemented on aging computer systems. Additionally, municipalities deal with fractured organizational structure and public-sector bureaucracy, which lead to slower deployment of security measures.”

As a direct culmination of a lack of effective IT governance and a proven history of paying ransoms, attackers continue to target municipalities for massive financial gains.

How to mitigate the risks?

Municipalities must tactfully balance the needs for prevention, deterrence, identification, and discovery of the attack itself with an effective strategy for response, crisis management, damage control, and eventually a protocol to return to regular operations. The complexity of this task demands a comprehensive understanding of the interplay of malicious players and the expanding attack surface to win the battle of critical infrastructure cybersecurity.

It is critical that municipalities prioritize cyber threats, allocate much-needed funds to implement important technical solutions, and instill a holistic cybersecurity culture from the top down through the support of key leaders and ongoing employee education to build cyber resilience through the application of industry best security practices.



About the Author

Yehudah Sunshine, Head of PR, odix. Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create and enhance marketing strategies and cyber-driven thought leadership for odix, an Israel-based cybersecurity start-up.

Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy. Yehudah can be reached online at (Yehudah@odi-x.com & https://www.linkedin.com/in/yehudah-sunshine/) and at our company website http://www.odi-x.com



Operational Technology (OT) Ransomware - How Did We Get Here?

By Lior Frenkel, CEO and Co-Founder, Waterfall Security Solutions

In the last 18 months, ransomware was responsible for all disclosed shutdowns of OT networks, manufacturing plants and other physical operations. High profile victims include the Colonial Pipeline, JBS meat packing plants, a Honda factory and X-FAB's semiconductor plants. What's going on here?

Mega-Trends

To an extent, this problem reflects long-standing trends in industry and in computing. For decades, business operations and, more recently, physical operations have been automating steadily, deploying ever more computer networks and ever more software. All this comes “built in” with hidden defects, software vulnerabilities and the potential for mis-configuration and mis-operation. The result is a steadily increasing population of targets for ransomware.

Looking deeper, networking is the lifeblood of modern automation. The problem is that all cyber-sabotage attacks have the ability to move between computers and within networks, and all network connections can convey such attacks. With a constantly increasing pool of connected targets, it makes perfect sense that we see steadily more cyber attacks shutting down physical operations.



A second reason for the increase in ransomware is, bluntly, cryptocurrency. In the early days of ransomware, criminals depended on credit card payments, bank transfers, or even cash. However, credit card vendors were not keen to cooperate in criminal ventures, bank transfers were easily traceable, and cash required physical access. Reliable, untraceable, and anonymized payment processing was a problem. Today, pretty much all ransomware actors receive payment in cryptocurrencies, as they are much less susceptible to influence by legitimate authorities than are other payment mechanisms. Entire underground economies have emerged to launder such funds. With reasonably reliable ways of being paid, the profits for ransomware criminal groups are increasing sharply.

A third reason for the increase in ransomware with OT consequences is the widespread use of sophisticated attack tools and techniques. In the last decade, nation-state-grade attack tools have leaked into the public domain. The most prominent such incident was the Shadow Brokers releasing materials they stole from the “Equation Group,” a group widely believed to be a branch of the US National Security Agency (NSA). There was a day when many organizations would ask “Yes, these nation-state attacks are powerful, but we're just not that important - why would anyone spend an attack that powerful on us?” Today the answer is clear - criminal groups are using the tools and techniques of nation-states. These groups target anyone with money. Do you have money?

OT Consequences

The most serious OT consequences attributed to ransomware in the last 18 months have been production shutdowns, with the biggest in US history being the recent Colonial Pipeline shutdown. Details of exactly how the ransomware triggered these shutdowns vary - some ransomware, such as SNAKE/EKANS variants, targets and penetrates OT systems specifically. Other ransomware targets IT networks and impairs IT systems that are vital to physical operations. Still other attacks target IT networks, but enterprises shut down their physical operations as a precautionary measure. In all cases, the result is the same, with the same damage.

Enterprises with physical operations are valuable ransomware targets, whether or not OT networks are specifically targeted by the criminals. This is because OT networks are soft targets. A great deal of production equipment is very sensitive - recertifying an OT network for safe and reliable operation after a significant software upgrade can be extremely expensive and can take days, weeks and sometimes even longer. Most organizations are not willing to incur this expense at all frequently, resulting in large numbers of old versions of operating systems and applications running in those networks. An attack that gets loose in one of these networks can do a great deal of damage very quickly.

Couple this with the fact that physical operations represent huge investments in infrastructure, raw materials, and lost opportunities during shutdowns, and it is no surprise that many industrial operations are willing to pay large ransoms in hopes of materially reducing the duration and severity of shutdowns. In recent events, Colonial Pipeline has admitted to paying $4.4 million in ransom, though part of that ransom was later recovered by authorities. The JBS organization is reported to have paid $11 million.

Cyber Defense eMagazine – July 2021 Edition 73

Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.


OT Cyber Solutions

To try to reduce the OT consequences of ransomware attacks, enterprises need OT-specific security monitoring solutions, coupled with IT security monitoring systems, good backup regimes, and practiced incident response teams. We should not, however, confuse these measures with each other. In terms of the NIST Framework, we prevent downtime with protective security measures, while we reduce the duration of downtime with detective, responsive and recovery measures. The top goal of any OT security program is to prevent production downtime due to ransomware.

OT-specific protective measures include securely designed network segmentation, use of unidirectional security gateways, secure scheduled updates, and very secure remote access systems. Making physical operations networks impervious to ransomware both reduces production risks and reduces the urgency of any ransomware payment. When IT networks are compromised by ransomware, robust OT security measures give us the time we need to recover those IT systems from backups without paying the criminals. Robust OT security allows production to continue throughout the IT outage - gasoline is still in the pipeline, and finished goods are still coming out of the manufacturing plants.

What do we do?

Do not believe criminals who claim, as DarkSide did with Colonial Pipeline, that OT consequences are not their intent. So long as enterprises with physical operations are more likely than average to pay ransoms, criminals will continue to target those enterprises. Only when we stop paying the criminals for targeting businesses with industrial operations will the criminals find other targets.

About the Author

Lior Frenkel, CEO & Co-Founder of Waterfall Security Solutions. With more than 20 years of hardware and software research and development experience, Mr. Frenkel leads Waterfall Security with extensive business and management expertise. As part of his thought leadership and contribution to the industry, Lior serves as a member of management at the Israeli High-Tech Association (HTA) of the Manufacturers’ Association of Israel and as Chairman of the Cyber Forum of HTA. Lior can be reached at @WaterfallSecure and at our company website www.waterfall-security.com.



A Case of Identity: A New Approach To User Authentication

Protecting Personal Credentials Remains The Weakest Link In Data Security.

By Benjamin Kiunisala, Head of Customer Engagement, TrustGrid Pty, Ltd

Protecting identity and personal credentials remains the weak link in data security. As infosec managers strengthen the wall around enterprise assets and apply new strategies to protect cloud data, individual users still fall prey to phishing attacks and have their credentials stolen, putting enterprise data at risk. Identity theft continues to be the primary source of data breaches, and with the new movement toward work-from-home following the COVID-19 pandemic, it has become more important than ever to secure individual identity and prevent data from being compromised due to human error. It’s time to rethink user authentication.

The number of cyberattacks designed to steal personal identity continues to skyrocket. According to the U.S. Federal Trade Commission, the number of identity theft cases doubled from 2019 to 2020, with a spike immediately following the coronavirus lockdown. The new work-from-home business culture makes identity theft even more attractive since employee credentials can unlock enterprise access as well as enabling identity theft. As a result, employers are seeing a rise in problems related to stolen credentials.

With the coming of the COVID-19 pandemic, organizations found themselves scrambling to extend security to work-from-home employees. To promote business continuity and still maintain systems security, companies realized they had to secure employees’ home networks, laptops, and mobile devices. At the same time, more than half of workers reported having to find a workaround to security measures to do their jobs.

The old security strategies are inadequate to support the new remote workforce. What is needed is a new approach that makes personal security and identity authentication easy, foolproof, and cost-effective. A digital trust ecosystem could be the golden ticket to security. But organizations must first learn from the pandemic and adapt to the challenges it presents.

Security Lessons Learned from the Pandemic

Among the emerging trends from the pandemic is the new work-from-home culture. According to Gartner, 82% of corporate leaders plan to make some form of remote work-from-home policy permanent. What started as a scramble to support a new remote workforce is now an enduring part of the enterprise landscape. While maintaining firewalls and malware protection is still essential, infosec managers also must give more attention to securing home offices and validating remote worker credentials.

Authenticating individual employees is an ongoing challenge for the enterprise. While reports of malware attacks are down, phishing attacks are on the rise, with companies reporting an average of 1,185 attacks per month, most of them seeking to acquire user credentials. No matter how resilient a company’s security measures are, user behavior continues to be a wild card. Any employee can be fooled by a phishing attack and inadvertently hand their keys to corporate access to a cybercriminal.

Personal identity continues to be the weak link in security. By acquiring the right personal information, cybercriminals gain unauthorized access to business assets, personal finances, medical records, and more, or they can use stolen credentials to open fraudulent accounts. Since individual user authentication is the weak point in security, there must be a better approach to securing identity.

The ideal solution is to create a unique, foolproof personal identifier that stays with the individual. Such an identifier must be able to authenticate identity without revealing personal information that can be used for identity theft, such as a social security number or even a mother’s maiden name. Managing these individual credentials also must create little or no work for infosec while still giving them the means to control access to enterprise assets.



Implementing a digital trust ecosystem based on distributed ledger technology like that used in blockchain offers the ideal approach.

Creating a Digital Trust Ecosystem

Distributed ledger technology has created new possibilities for managing digital identity. Unlike a traditional database, distributed ledgers record transaction or record details in multiple locations at the same time, with each node verifying every item to create a consensus. For identity management, using a distributed ledger allows you to authenticate identity or credentials without exposing the credentials themselves. The only thing that is revealed is that the distributed ledger system has verified the information to prove identity.

Using distributed ledger technology, you can create a digital trust ecosystem as a SaaS platform. This approach can be used by a single organization, such as a company, or it can be established as a confidential consortium where multiple entities use the same digital identity verification system.

While the underlying technology of a digital trust ecosystem is somewhat complex, the practical approach is simple:

1. It starts with a trusted attribute authority that validates identity information. It could be a government agency such as the Department of Motor Vehicles, or it could be a private company.

2. Users who want to participate need to onboard to the consortium. That way they stay in control of who has access to their identity data.

3. During the onboarding process, their identity is verified. The attribute authority validates individuals using whatever information is necessary, such as a social security number, birth certificate, or login credentials, and that data is protected using a distributed ledger. The individual is then given a unique authenticator, such as a QR code.

4. Any organization can opt into the same consortium to authenticate user identity. Since none of the credentials themselves are exposed, there is no risk of identity theft, and there is no longer any need to share passwords or login credentials.

The benefit of this approach is that the unique identifier follows the user, so the same code can be used for multiple applications. Anyone who wants to use the system simply downloads a QR reader for their smartphone. There is no added work for IT or infosec to secure enterprise users, and the same identity can be extended to partners, suppliers, and other parties without having to set up new credentials each time.
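As an added illustration of steps 1 to 4 above (example code written for this page, not TrustGrid's platform), the following Go program models an attribute authority that signs a credential carrying only verified claims, a consortium ledger that every verifier shares (a constructed in-memory stand-in; replication and consensus between nodes are not modelled), the QR payload the user holds, and a verifier that checks the signature and ledger status without ever seeing the social security number or other evidence behind the claims. Names such as `example-dmv` and `user-7f3a` are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential carries only the outcome of the identity check, never the evidence
// (SSN, birth certificate, login) the attribute authority examined at onboarding.
type Credential struct {
	Issuer    string   `json:"iss"`    // attribute authority name
	Subject   string   `json:"sub"`    // opaque handle, not a real-world identifier
	Claims    []string `json:"claims"` // e.g. "identity_verified"
	IssuedAt  int64    `json:"iat"`
	ExpiresAt int64    `json:"exp"`
}

// Authenticator is the payload encoded into the user's QR code.
type Authenticator struct {
	Credential Credential `json:"cred"`
	Signature  []byte     `json:"sig"`
}

// Ledger is a constructed stand-in for the consortium's distributed ledger: every
// member holds the same record of trusted issuers and credential status.
type Ledger struct {
	Issuers map[string]ed25519.PublicKey // issuer name -> verification key
	Status  map[string]string            // credential id -> "active" | "revoked"
}

func NewLedger() *Ledger {
	return &Ledger{Issuers: map[string]ed25519.PublicKey{}, Status: map[string]string{}}
}

// credentialID keys the ledger by a hash, so it records that a credential exists
// and is active without holding any personal data.
func credentialID(c Credential) string {
	b, _ := json.Marshal(c)
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// AttributeAuthority is the trusted validator of step 1 (a DMV, a bank, ...).
type AttributeAuthority struct {
	Name string
	priv ed25519.PrivateKey
}

// NewAttributeAuthority generates the authority's key pair and publishes the public half.
func NewAttributeAuthority(name string, ledger *Ledger) *AttributeAuthority {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ledger.Issuers[name] = pub
	return &AttributeAuthority{Name: name, priv: priv}
}

// Onboard is step 3: the authority checks the evidence (evidenceOK stands in for that
// check) and issues a signed credential holding only the resulting claims. The
// returned string is the QR payload handed to the user.
func (a *AttributeAuthority) Onboard(ledger *Ledger, subject string, evidenceOK bool,
	claims []string, now time.Time, ttl time.Duration) (string, error) {
	if !evidenceOK {
		return "", errors.New("identity evidence rejected")
	}
	cred := Credential{Issuer: a.Name, Subject: subject, Claims: claims,
		IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()}
	body, _ := json.Marshal(cred)
	auth := Authenticator{Credential: cred, Signature: ed25519.Sign(a.priv, body)}
	ledger.Status[credentialID(cred)] = "active"
	out, _ := json.Marshal(auth)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Verify is step 4: any consortium member checks a presented QR payload. It sees
// the signed claims, never the evidence behind them, and needs no password.
func Verify(ledger *Ledger, qrPayload string, now time.Time) (Credential, error) {
	var auth Authenticator
	raw, err := base64.StdEncoding.DecodeString(qrPayload)
	if err != nil || json.Unmarshal(raw, &auth) != nil {
		return Credential{}, errors.New("malformed authenticator")
	}
	pub, ok := ledger.Issuers[auth.Credential.Issuer]
	if !ok {
		return Credential{}, errors.New("issuer is not a trusted attribute authority")
	}
	body, _ := json.Marshal(auth.Credential)
	if !ed25519.Verify(pub, body, auth.Signature) {
		return Credential{}, errors.New("signature invalid: credential forged or altered")
	}
	if ledger.Status[credentialID(auth.Credential)] != "active" {
		return Credential{}, errors.New("credential is not active on the ledger")
	}
	if now.Unix() >= auth.Credential.ExpiresAt {
		return Credential{}, errors.New("credential expired")
	}
	return auth.Credential, nil
}
```

Revocation is a ledger status change: setting the credential's entry to "revoked" makes every consortium member reject it on the next presentation, with no password reset involved.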



The future of enterprise security needs to focus more on secure identity authentication and less on protecting assets with passwords and biometrics. By adopting distributed ledger technology, authentication credentials can be made secure while giving users a digital identity card that is impossible to counterfeit and can potentially be used everywhere. The potential applications for a digital identity card go well beyond employee verification. It can be used for professional certifications, travel authorization, even vaccine passports. You can protect personal medical data in the same way you protect passwords and personal identifiers. The technology is already being used in New South Wales to issue digital drivers’ licenses and professional trade licenses.

By having security reside with the individual rather than relying on passwords or access keys, you place the user in control of authentication while providing infosec managers with the means to authenticate employees without adding security overhead. That’s a secure and scalable approach for everyone.

About the Author

Benjamin Kiunisala is Head of Customer Engagement at TrustGrid Pty, Ltd. TrustGrid enables governments and organizations to create secure digital ecosystems anywhere in the world with sovereign control of data and maximized citizen privacy. TrustGrid orchestrates multiple state-of-the-art technologies into a single platform, combining innovative cryptography, data privacy, confidential computing and distributed ledger technology into a highly customizable digital ecosystem platform. Benjamin can be reached online at benjamink@trustgrid.com and at our company website http://trustgrid.com/



A 3-Part Plan for Getting Started with Cybersecurity

By Doug Folsom, President of Cybersecurity and Chief Technology Officer, TRIMEDX

Imagine a hospital has just added a host of MRI scanners and infusion pumps to its network. Responsibility for the security of the devices is murky: Are clinical engineers the primary caretakers, or do information technology teams monitor those devices? It’s often unclear, and in the confusion, devices are left vulnerable. The situation is a cybercriminal’s dream, and it happens more often than expected.

Years ago, the lines on device management were clear: Clinical engineering (CE) monitored medical equipment while IT managed the network and the corresponding data. However, the increase in the sheer number of devices connected to the internet has blurred these lines and made it easier for devices to fall through the cracks.

Not only that, but additional “gray zone” connected devices are often overlooked. If a refrigerator is used to store COVID-19 vaccines, is it considered a medical device? Such questions have not all been answered, leaving holes in cybersecurity efforts that criminals are taking advantage of.

Thankfully, a robust cybersecurity plan can help hospitals prevent threats by assigning ownership of connected devices, effectively eliminating much of the vulnerability to cybercrime.



Cybersecurity is not optional

Let’s be clear: Hospital cybercrime is not going away anytime soon. With nearly 70% of medical devices expected to be network-connected by 2025, hospitals will be more vulnerable than ever, creating a need for awareness of what they own and who's responsible for it.

While not the prime entry point for a cyberattack, connected devices are an opening for cybercriminals to exploit. Criminals have recognized the ability to “kidnap” devices, shut down critical hospital operations and demand a ransom. A recent joint advisory by the Cybersecurity and Infrastructure Security Agency, the Department of Health and Human Services and the FBI says there’s “credible information of an increased imminent cybercrime threat to U.S. hospitals and healthcare providers.”

Not only are hospital cyberattacks dangerous for patients, but they’re costly. According to research by Comparitech, last year alone over 91 US healthcare organizations suffered some type of ransomware attack, with an estimated cost of nearly $21 billion. The resulting administrative effects of an attack — canceled appointments, lost records and potential lawsuits — can prove damaging both financially and reputationally.

Step 1: The framework

The first step toward establishing medical device cybersecurity is to develop an overall idea of what effective cybersecurity efforts look like. The NIST Cybersecurity Framework Core defines five basic activities to get there:

Identify: Analyze existing inventory to establish an accurate baseline to work with. Determine whether security policies and procedures are aligned across CE and IT responsibilities.

Protect: Ensure that physical and remote access to CE assets is protected. Develop a formal management process for any clinical assets that lasts throughout installation, maintenance, transfers and disposition.

Detect: Monitor personnel activity to detect potential cybersecurity threats. Continuously improve detection processes through monitoring and adjustment.

Respond: Establish a response plan in case of an incident. Implement established criteria for any incident reports.

Recover: Plan recovery training and testing for CE and IT teams in response to an incident. Consider hospital reputation in recovery plan development.

The first and most important step toward effective cybersecurity efforts is to ensure that CE and IT teams are aligned on ownership of devices with a roadmap for shared responsibility.

Step 2: The action plan

After you’ve walked through the framework to develop a sense of where you currently stand, the next step is to implement a plan of action. Be sure to empower your core CE team with a reliable asset inventory before it joins the cybersecurity effort. Having a comprehensive assessment of inventory allows both teams to better identify risks and cross-reference vulnerabilities.

Once teams have been assigned responsibilities, move to other functions to ensure device security. Prioritize data collection and vulnerability tracking and research, as well as OEM management and relationships. Monitor patches and address them efficiently. Having an idea of current and potential device vulnerabilities best helps CE and IT teams spot problems before they become threats.



As threats continue to evolve, it’s important that cybersecurity action plans evolve with them. Implementing all of these pieces together enables CE and IT teams to reduce, detect and counter threats before they have a chance to do lasting damage.

Step 3: The execution

With a tailored action plan in place, you’re finally ready to set everything in motion. Don’t treat medical devices like normal workplace devices — they aren’t. A laptop in the office is not the same as a monitor in the hospital.

OEMs are great resources for helping to address vulnerabilities because they know the devices better than anyone. Ensure that all patches and remediations are validated by the manufacturer before implementing them. If unsure of installation procedures, request instructions and updated manuals. The best way to start is by identifying clinical equipment with critical vulnerabilities for which there are already OEM-validated patches to install. Be sure to record those efforts in the computerized maintenance management system (CMMS) inventory.

Consider integrating a network-based medical device monitoring solution as well. These tools help in streamlining and expanding the connected device inventory, and they enable collaboration and transparency between CE and IT teams.

It’s easy to be shaken by the potential of a cybersecurity threat, especially given what attacks can do to hospital systems. Luckily, there are solutions available for administrators who are ready to implement them. By using a framework to get started, a plan of action and effective execution, hospitals can help their teams protect against the damage that cyberattacks can cause.

About the Author

Doug Folsom is president of cybersecurity and chief technology officer for TRIMEDX, an industry-leading, independent clinical asset management company delivering comprehensive clinical engineering services, clinical asset informatics and medical device cybersecurity. Doug has nearly 30 years of information technology leadership experience. Previously, he held positions at Kohl’s Department Stores, Sterling Commerce and The Spiegel Group. He earned his master’s degree in business from Ohio University and a bachelor’s degree in electrical engineering technology from DeVry Institute of Technology.



How to Deal with Online Security

Security Considerations for the Post-COVID, Cloud-First World

By Gary Alterson, Vice President Security Solutions, Rackspace Technology

Organizations have always had to think about protection. Locks on the storefront may have done the job back in the day, but as interactions become more digital, organizations face an increasingly elaborate threat landscape. The constant cycle of change, reaction and evolution is like an arms race between defenders and adversaries.

A decade ago, we were talking about firewalls and how to protect networks. Today, the focus is on how to protect companies as they move to cloud native environments, tinker with low-code/no-code development and exploit data with AI and machine learning. The new technology landscape means preparing for new cybersecurity realities. As organizations forge into adopting cloud native environments, there are four areas that require significant focus.



1. Endpoint and user protection

Despite having the best intentions, the biggest security vulnerability in any organization is your own people. Even with cybersecurity training, employees make mistakes, and it only takes one mistake to create a catastrophe.

Train your people to be a little bit more paranoid. Users should be on high alert for suspicious emails, social engineering attempts and other low-tech intrusion tactics. Establishing visibility via sophisticated endpoint security monitoring and management tools adds an extra layer of protection to detect and respond to intrusions. Basic endpoint security diligence can no longer be achieved via basic anti-virus.

2. Zero Trust

As you provide access to your systems, it’s critical that you ensure that the person on the endpoint and the endpoint itself are trustworthy. Even after authenticating into the network, users should only be able to access what they need to complete their job — so that access to the most sensitive data is limited. That's the basis of Zero Trust security: don’t extend full trust to anyone or anything.

Multi-factor authentication helps to further confirm that an authorized device is used by an authorized individual. With so many workers using BYOD and working off of the corporate network, authentication should also validate the trustworthiness of the device itself by, for example, testing for patching or up-to-date security software.

To limit the impact of a potential incident, be sure to implement layers — like segmentation, intrusion prevention and host-based protection — to help provide defense-in-depth security. With overlapping layers, if one fails, there’s another layer of protection.

3. System hygiene

Many of the security breaches we hear about in the news could easily have been avoided. Why? Because the victims hadn’t installed the latest security patches. The result is usually weeks of cleanup, significant financial impact and the possibility of significant business disruption.

Hygiene is just as important in your cloud environment. Unlike physical systems, cloud hygiene embraces automation. Instead of patching, you'd bring up new images and take down old images and VMs, but the same basic hygiene principles apply. As you start using serverless and functions to build applications, make sure that you're taking care of basic security hygiene within your code.



4. Security automation

Security threats can happen in seconds, so AI and machine learning are becoming indispensable in quickly identifying and acting on anomalies. Behavioral analytics monitors the behaviors of objects in the cloud, network devices or users to see potential threats. Having that computer-based eye lets you detect and respond to incidents before they turn into attacks.

Instead of waiting for someone to manually respond to an alert, automated tools can be set to detect atypical behavior, determine whether it's malicious and respond to it based on your predetermined parameters. Automation enables the system to see when activity looks odd and flag it or automatically block access altogether.

Security hasn’t changed, but the tools and threats have evolved. Focusing on these four areas, in addition to maintaining security basics, is the foundation of a modern cybersecurity strategy.

About the Author

Gary Alterson is VP of Security Solutions at Rackspace. In this role he acts as GM for Rackspace’s security solutions focused on supporting digital transformations and cloud acceleration. Previously, Gary led Customer Experience and Services Product Management at Cisco Systems, where he built professional, managed, and support services addressing cloud security and advanced threats. At Cisco and at Neohapsis, a nationally recognized cybersecurity boutique consultancy, Gary and his teams were instrumental in transforming enterprise and government security programs to effectively address shifting business models, emerging technologies, and the evolving threat environment.

As a previous CISO and security architect, Gary has over 20 years of experience on the front lines of security, protecting and responding to threats across multiple industries. Gary is often sought out to speak on secure digitization, cloud, and emerging technology security frameworks as well as enterprise security.



The Risks of Vulnerable IoT Devices

By Pedro Tavares, Editor-in-Chief seguranca-informatica.pt

The Internet of Things (IoT) is a trending topic that has been making headlines for the last decade, causing enormous constraints for home users and companies from the security point of view. The damage caused by vulnerabilities in IoT devices is tremendous: they allow cybercriminals to gain access to the devices and take control of them remotely, in attacks that can be leveraged to reach internal networks.

In addition, these kinds of vulnerabilities provide cybercriminals with a baseline to bypass firewalls, gain access to private networks and also steal sensitive and critical information as it travels across connected device environments. In this sense, the risk associated with compromised devices also allows cyberattacks to spread to other networked systems, proliferating internally and maintaining persistence for many months and even years, because the detection and monitoring of anomalous activity on these devices is still a big challenge.

The Big Picture

The number and type of vulnerabilities range from a lack of device management to critical flaws in hardware or software. In a recent article, it’s possible to learn about a vulnerability tracked as CVE-2021-31251 – a vulnerability in the telnet protocol – that can be exploited to obtain a remote privileged session, which can be abused to take control of the device and use it as an initial entry point into internal networks.



There is no perfect formula to resolve this problem, as many IoT devices are vulnerable to a wide range of flaws due to limited computational abilities and hardware limitations. Device vulnerabilities allow cybercriminals to use them as a foothold for their attacks, which reinforces the importance of security from the design phase. Some of those vulnerabilities are enumerated below.

Lack of a Secure Update Mechanism

“Lack of ability to securely update the device. This includes lack of firmware validation on the device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.”

From this point, it’s necessary to consider how these updates will take place and how to make them more secure. For example, when designing a device like a smartwatch or a sensor, it’s necessary to consider building an update mechanism for timely updates.
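The device-side checks that the quoted item calls for, as an added Go example that is not from the article or from any vendor: a signed manifest binds the firmware image by digest, the device verifies the vendor's signature before anything else (firmware validation), a version counter rejects replays and downgrades (anti-rollback), and each applied change is recorded so the owner can be notified. The product name, versions and image bytes are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The vendor signs the manifest, and the
// image is bound to it through its SHA-256 digest.
type Manifest struct {
	Product     string `json:"product"`
	Version     uint32 `json:"version"` // must increase monotonically
	ImageSHA256 []byte `json:"image_sha256"`
	Note        string `json:"note"` // what the update changes, surfaced to the owner
}

// Update is what arrives over the network: manifest, signature and image.
type Update struct {
	Manifest  Manifest `json:"manifest"`
	Signature []byte   `json:"sig"`
	Image     []byte   `json:"image"`
}

// Device holds what a secure updater needs: the vendor's public key provisioned at
// manufacture, the product name, and the installed version as the anti-rollback floor.
type Device struct {
	Product          string
	VendorKey        ed25519.PublicKey
	InstalledVersion uint32
	Image            []byte
	Notifications    []string // record of security changes applied by updates
}

var (
	ErrSignature = errors.New("manifest signature invalid: not from the vendor or altered")
	ErrProduct   = errors.New("manifest is for a different product")
	ErrRollback  = errors.New("version is not newer than the installed one (anti-rollback)")
	ErrImage     = errors.New("image digest does not match the signed manifest")
)

// SignUpdate is the vendor's release step, included so the flow runs end to end.
func SignUpdate(priv ed25519.PrivateKey, product string, version uint32, image []byte, note string) Update {
	sum := sha256.Sum256(image)
	m := Manifest{Product: product, Version: version, ImageSHA256: sum[:], Note: note}
	body, _ := json.Marshal(m)
	return Update{Manifest: m, Signature: ed25519.Sign(priv, body), Image: image}
}

// Apply runs the device-side checks in order: manifest authenticity, product match,
// anti-rollback, then image integrity. Nothing is written until all of them pass,
// so a tampered or replayed update leaves the device unchanged. Because the
// signature is checked here, integrity does not depend on the transport; TLS is
// still needed for confidentiality of the image in transit.
func (d *Device) Apply(u Update) error {
	body, _ := json.Marshal(u.Manifest)
	if !ed25519.Verify(d.VendorKey, body, u.Signature) {
		return ErrSignature
	}
	if u.Manifest.Product != d.Product {
		return ErrProduct
	}
	if u.Manifest.Version <= d.InstalledVersion {
		return ErrRollback
	}
	sum := sha256.Sum256(u.Image)
	if !bytes.Equal(sum[:], u.Manifest.ImageSHA256) {
		return ErrImage
	}
	d.Notifications = append(d.Notifications, fmt.Sprintf("firmware %d -> %d: %s",
		d.InstalledVersion, u.Manifest.Version, u.Manifest.Note))
	d.Image = u.Image
	d.InstalledVersion = u.Manifest.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed)
	dev := &Device{Product: "sensor-x", VendorKey: pub, InstalledVersion: 3}
	fmt.Println("v4:", dev.Apply(SignUpdate(priv, "sensor-x", 4, []byte("image-v4"), "disables telnet service")))
	fmt.Println("v2 replay:", dev.Apply(SignUpdate(priv, "sensor-x", 2, []byte("image-v2"), "old build")))
	_, other, _ := ed25519.GenerateKey(rand.Reader) // a key that is not the vendor's
	fmt.Println("forged:", dev.Apply(SignUpdate(other, "sensor-x", 5, []byte("image-v5"), "")))
	fmt.Println("notifications:", dev.Notifications)
}
```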

Lack of Device Management

“Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.”

One of IoT’s most significant safety risks and challenges is managing all of our devices and closing the perimeter. To address that, scanning and profiling of devices allows IT security teams to have visibility of their networked IoT devices, their risks, behavior, and so on.



Insecure Data Transfer and Storage

“Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.”

The network and communication layers are central to every IoT application, carrying information between the other layers and creating value through real-time interaction between devices. Issuing each device its own certificate from a certificate authority that has fully validated the certified party's identity, and using those certificates to authenticate and encrypt device communications, is a good candidate for mitigating this problem in transit. For data at rest, tokenization replaces sensitive values with tokens so that only authorized systems holding the mapping can recover the original data; the sensitive data itself should still be encrypted and access-controlled wherever it is stored or processed.

Weak, Guessable, or Default Passwords

“Use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems.”

A common and pervasive vulnerability in IoT systems today stems from weak or unchanged default passwords. Poor management of device credentials makes IoT devices easy targets for brute-force attacks, and a credential that is shared across a whole product line, or hard-coded in the firmware where it cannot be changed, compromises every unit at once.

Insecure Network Services

“Unnecessary or unsafe network services that run on the devices, particularly those that are exposed to the internet, jeopardize the availability, confidentiality, and integrity / authenticity of information, and open the risk of unauthorized remote control of IoT devices.”

IoT devices are today integrated into the network infrastructure and can transmit, retrieve, and interpret data from linked smart devices such as smoke alarms, proximity sensors, or optical devices. The communication mechanisms vary and may include protocols ranging from BLE and ZigBee to WiFi, cellular data, and Ethernet. System administrators should scan their networks for the ports and services each device exposes, close those the device does not need for its function, and repeat the scan after firmware changes, since an update can re-enable a service that was previously disabled.
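This added example (not from the article) illustrates the scan-and-close step above together with the visibility point made under Lack of Device Management: it parses a constructed scan in the grepable format nmap writes with -oG and flags every open port that is not on the per-device allowlist. The hosts, ports and allowlist are invented.

```python
"""Flag unexpected network services on IoT devices (added example).

Input is a constructed scan in the grepable format that nmap writes with
-oG; hosts, ports and the allowlist are invented. Anything not in the
allowlist is reported so it can be closed at the device or blocked.
"""
import re

# Constructed sample output, not a real scan.
SCAN = (
    "Host: 10.0.0.11 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///"
    "\tIgnored State: closed (998)\n"
    "Host: 10.0.0.12 ()\tPorts: 23/open/tcp//telnet///, 443/open/tcp//https///, "
    "554/open/tcp//rtsp///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.13 ()\tPorts: 1883/open/tcp//mqtt///, 8883/open/tcp//secure-mqtt///"
    "\tIgnored State: closed (998)\n"
)

# Assumed allowlist: the ports each device needs for its function.
ALLOWED = {
    "10.0.0.11": {443},        # hub: HTTPS management only
    "10.0.0.12": {443, 554},   # camera: HTTPS and RTSP
    "10.0.0.13": {8883},       # gateway: MQTT over TLS only
}

PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def parse_open_ports(grepable):
    """Return {host: {(port, proto, service), ...}} for every open port."""
    hosts = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports = {(int(m.group(1)), m.group(2), m.group(3))
                 for m in PORT_RE.finditer(line)}
        hosts.setdefault(host, set()).update(ports)
    return hosts


def unexpected_services(grepable, allowed=ALLOWED):
    """List (host, port, proto, service) for open ports outside the allowlist.

    A host missing from the allowlist is an unknown device, so all of its
    open ports are reported.
    """
    findings = []
    for host, ports in sorted(parse_open_ports(grepable).items()):
        for port, proto, service in sorted(ports):
            if port not in allowed.get(host, set()):
                findings.append((host, port, proto, service))
    return findings


if __name__ == "__main__":
    for host, port, proto, service in unexpected_services(SCAN):
        print("%s: %d/%s (%s) is open but not on the allowlist"
              % (host, port, proto, service))
```

Running the same check after every firmware rollout turns the allowlist into a regression test for the fleet: a service that reappears (telnet on the camera here) shows up as a new finding rather than waiting to be discovered by an attacker.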

Insufficient Privacy Protection

“User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.”

Personal data collected by a device must be processed only with the user's permission and protected wherever it flows in the ecosystem. When an individual requests deletion of their personal data, the provider must ensure that every third party the data was shared with deletes it as well.

Insecure Settings by Default

“Devices or systems shipped with insecure default settings or lack the ability to make the system more secure by restricting operators from modifying configurations.”

Device onboarding, the step in which a new device is admitted to a restricted IoT ecosystem, is a sensitive moment. If the shipped defaults leave pairing open or unauthenticated, an eavesdropper can intercept the secret keys exchanged during onboarding to establish communications within the constrained network. Defaults should be secure out of the box, and operators must be able to tighten the configuration further rather than being locked out of it.

Final Thoughts

The potential for unpredictable cascading effects of vulnerabilities and poor security in the IoT greatly affects the overall security of the Internet. Ensuring that these devices are secure is the shared responsibility of all stakeholders. Manufacturers, for example, need to address known vulnerabilities in succeeding products, release patches for existing ones, and announce the end of support for older products.

As a general security measure, it is strongly recommended to protect network access to devices with appropriate mechanisms and, in some cases, to isolate them on their own network segment, so that reaching and exploiting them becomes difficult and time-consuming from the cybercriminal's point of view.

Last but not least, let's take IoT security seriously: this field has been used massively by cybercriminals to compromise organizations and their networks, turning it into a big and real threat in 2021.

About the Author

Pedro Tavares is a cybersecurity professional and a founding member of CSIRT.UBI and Editor-in-Chief of seguranca-informatica.pt.

In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics: malware, ethical hacking (OSCP-certified), cybersecurity, IoT and security in computer networks. He is also a freelance writer.

Segurança Informática blog: www.seguranca-informatica.pt

LinkedIn: https://www.linkedin.com/in/sirpedrotavares

Twitter: https://twitter.com/sirpedrotavares

Contact me: ptavares@seguranca-informatica.pt

Three Steps to Building Email Cyber Resilience

By Toni Buhrke, Director of Sales Engineering, Mimecast

In yet another “nobody saw this one coming” moment, the HAFNIUM Microsoft Exchange hack sent a warning shot to global enterprises to better protect fragile corporate email systems. The attack exploited four vulnerabilities in on-premises Exchange Server, allowing a state-sponsored threat actor to gain access to corporate email environments. Although Microsoft issued patches, the campaign quickly escalated from affecting a handful of companies to compromising more than 250,000 organizations worldwide, as the exploit spread to unpatched servers faster than organizations could apply the fixes.

This breach demonstrated the fragility of corporate email systems, which have never been under more pressure than in today's pandemic-driven “digital workplace.” According to Statista, in 2020 approximately 306 billion e-mails were sent and received every day worldwide. For enterprises, any disruption of this vital communications infrastructure, whether from outages or from malicious traffic, can be immensely damaging.

While organizations should continue to mitigate their security risks by installing the latest patches immediately, they should take their security a step further by implementing an email resilience strategy that addresses three key areas of weakness: data risk mitigation, recoverability and continuity.

Data Housekeeping

Today's organizations simply hold on to too much data. There are good intentions behind this, ranging from compliance regulations to e-discovery. But having all this data sitting in employee email accounts carries significant risk. The more data (especially transactional data) a company holds, the greater a target it becomes for hackers. Think about how much of this data could have been exposed by the HAFNIUM attack, and the problem becomes clear: when sensitive customer data, confidential company information, personal data and so on are left out in the open in ordinary Exchange mailboxes, they are up for grabs for whoever compromises the server.

The solution is to make sure your organization regularly moves data out of production, a sort of “housekeeping.” If email data is regularly and securely archived, it is removed from the production email environment and becomes much harder for an attacker who compromises that environment to reach. It can always be retrieved if needed, but there is no reason to leave it out in the open, all the time, where threat actors can potentially get it.

Ensure Emails Are Easily Recovered

In many organizations, employee email inboxes are like full-fledged file systems holding organizational history, records, transactions and projects that employees rely on to make business decisions. It is inevitable that an organization will lose some of this data, whether through human error, system outages, cyberattacks, natural disasters or other events.

Restoring lost email when one of these events occurs is critical to limiting data loss, mitigating business damage and minimizing interruptions to productivity. IT and security teams should look for data recovery solutions tailored to their email platform. A good solution automatically syncs and archives not only email but also contacts, calendars and personal folders, and can provide fast, streamlined mailbox recovery after a disaster. Recovery should be tested before it is needed: an archive that has never been restored from is an assumption, not a control.

Have an Email Continuity Plan

Continuity is the last and most critical step in building a comprehensive email resilience strategy. Companies need a backup system in place in case their primary email solution goes down, so that email keeps flowing while issues with the primary system are resolved.

Even IT departments with the best intentions cannot always install patches immediately and will typically wait for a maintenance window to do so. This is why an email continuity solution is essential: it gives IT teams the flexibility to patch, investigate and respond to disruptions while a contingency system keeps mail flowing. This keeps the company's email from going offline, which in turn keeps the digital workplace functioning at full steam even during a production-system outage.

Plan Ahead and Avoid Disaster

The HAFNIUM attack makes it clear that enterprise IT teams need a comprehensive email cyber resilience strategy. This is even more important today, with threat actors trying to take advantage of the unsettled remote-work environment: Mimecast's “Year of Social Distancing” report revealed a 48% increase in threat volume from March 2020 to February 2021 over the previous year, and its “The State of Email Security” report states that 70% of organizations believe their business will be harmed by email attacks in 2021.

This research confirms that, in the new digital workplace, immediate technical mitigation work should be a priority for organizations that want to limit their exposure to malicious attacks. Taking the three steps to email resilience is a fast and efficient way to protect not only against the next HAFNIUM, but also against all of the smaller issues that inevitably arise in the course of business.

About the Author

Toni Buhrke is a Director of Sales Engineering at Mimecast with more than 20 years of experience in the cybersecurity industry. Together, Toni and her team are responsible for designing customized email security solutions for Named and Enterprise customers in the Eastern region of the U.S. Prior to joining Mimecast, she was a Global Director of Systems Engineering at Forescout Technologies. During her 12-year tenure there she led various systems engineering teams focused on helping commercial and public sector organizations and channel partners architect and deploy security solutions to protect complex networking environments. Throughout her career, Toni's focus has always been on bridging the gap between technology and her customers. She has a Master of Business Administration (MBA) and is a Certified Information Systems Security Professional (CISSP). Toni is also very active in Women in Technology initiatives throughout the industry. Learn more about Toni on LinkedIn, and learn more about Mimecast at https://www.mimecast.com/.

Guided-SaaS NDR: Redefining A Solution So SOC/IR Teams Aren’t Fighting Adversaries Alone, Distracted and In The Dark

By Fayyaz Rajpari, Sr. Director of Product Management, Gigamon

The time has come for SaaS-based security offerings to evolve. While the concepts behind SaaS date back to 1961, when MIT introduced the use of terminals connected to mainframes, the SaaS model we know today is largely attributed to Salesforce's launch in 1999. Starting in the late 2000s, cyber-security vendors began to offer email and web security gateways through a SaaS delivery model, removing the complexity of deploying and maintaining on-premises hardware and software while providing a uniform security policy across the enterprise. Cloud-native architectures, continuous development/deployment and the ability to apply elastic computing to cloud-based analytics have propelled innovation in cyber-security products that on-premises solutions cannot match.

Now, ten-plus years later, SaaS-based security offerings need to be re-imagined. The Network Detection and Response (NDR) market shows why SaaS-based security must evolve. SOC/IR teams are rapidly adopting NDR because of the visibility gaps SIEMs and EDRs leave when it comes to identifying the presence of adversaries on the network.

NDR technology is built on three principal tenets to provide SOC/IR teams:

● Visibility into, and metadata retention of, corporate network traffic across cloud and core networks;

● Advanced detection techniques designed to identify the presence of adversaries inside the organization; and

● Capabilities to triage, threat hunt, and investigate activity to understand the adversaries’ actions and formulate comprehensive response plans.

These are three steps forward, but NDR technology can force SOC/IR teams to take three steps back if we don’t redefine how SaaS-NDR solutions are delivered.

Guided-SaaS Step 1: No longer… In The Dark

Sixty-nine percent of IT and security practitioners cite network visibility as the top reason for SOC ineffectiveness. Because packets on the wire are far harder for an intruder on a compromised host to alter or suppress than endpoint logs, NDR provides network context to triage, hunt, and investigate threats with confidence. But NDR does not magically provide comprehensive visibility. While traditional SaaS-based NDR vendors may work to ensure optimal visibility at the time of deployment, the responsibility then falls on the customer's security teams to make sure the NDR sensors are functioning properly and that the right mirrored traffic is still reaching the NDR as the network changes. That is easier said than done in today's complex hybrid world, and it does not take long before blind spots appear and the SOC/IR team is left in the dark. A Guided-SaaS NDR delivery model recognizes the importance of expert-led routine visibility and health checks, in which the vendor's specialists help optimize visibility and ensure the NDR sensors are healthy.

Guided-SaaS Step 2: No longer… Distracted.

Perhaps the most alarming statistic is that 84% of IT and security practitioners also reported “minimization of false positives” as the most important SOC activity. While NDRs provide anomaly-based machine learning detection techniques, they come at a very high cost. Most NDRs require an initial four weeks of laborious effort by security analysts to “train” the technology on what is benign and what is malicious, with the end goal, at best, of reducing false positives if done properly. And then security analysts have to come back and routinely retrain the solution. In other words, the NDR vendor puts the burden on the customer, distracting them from their focus of identifying and responding to adversaries. That is a crime.

Cloud-native NDRs afford us a different approach. With machine learning, behavioral analysis, and threat intel-based detection engines running in the vendor's cloud, Guided-SaaS NDR vendors can perform the QA and training of their detection engines for their customers, producing high true-positive findings and removing tedious distractions from the SOC/IR team.

Guided-SaaS Step 3: No longer… Alone.

It is no secret to anyone with day-to-day SOC experience that the job is intense, with 70% of SOC analysts reporting burnout due to the high-pressure environment. Not only is it a race to respond before adversaries carry out their mission, but it is daunting to face the challenge without external support, effectively going it alone. It is here that redefining SaaS can provide a unique benefit to customers. One of the adjacent advances linked to SaaS offerings is software vendors embracing Customer Success, the practice of engaging with customers to understand their needs and help them drive value from the solution.

Guided-SaaS NDR takes this concept to the next level. Guided-SaaS staffs its customer success teams with field-tested security analysts and incident responders who understand the pressures their customers face sitting in the defender's hot seat. This empathy allows for better initial and ongoing enablement on the product, increasing product proficiency and value. As trusted advisors, these Guided-SaaS security experts can also pass along best practices for triage, hunting and investigations, resulting in stronger skills for the customer's security teams.

Perhaps the most valuable and unique benefit is that when a customer is actively investigating an incident, they have access to experienced Guided-SaaS analysts and responders to ask for guidance, for knowledge of the threat, and for advice on how best to triage and investigate. During these high-pressure incidents, having access to expertise, and thus confidence that you are taking the right steps to respond, relieves pressure and allows for faster and more comprehensive response actions.

A Call for Vendors to Do Better

Simply put, vendors must have empathy for the challenges facing SOC/IR teams and move from delivering products that place a burden on the customer to delivering a comprehensive offering that frees security professionals to remain focused, ensures optimum visibility, and gives them access to expertise in dismantling adversaries. The Guided-SaaS model redefines and evolves how vendors should deliver security solutions, so that technological advances such as extensive visibility, machine-learning adversary detection, and speedy triage, hunting and investigation result in three steps forward without three steps back.

About the Author

Fayyaz Rajpari is the Sr. Director of Product Management of ThreatINSIGHT Guided-SaaS NDR at Gigamon, where he leads the firm's security products. Fayyaz's expertise includes serving as a lead incident responder for a large insurance provider before transitioning to driving products for FireEye, Mandiant, and Recorded Future.

Fayyaz can be reached online at fayyaz.rajpari@gigamon.com or at http://www.gigamon.com

Hardware Trojan Detection

By Sylvain Guilley, General Manager and CTO at Secure-IC

Hardware Trojan attacks have become more concerning in recent years because of a series of serious events in the worldwide electronics supply chain attributed to them, such as data theft and backdoor insertion. These attacks rely on concealing malicious hardware inside integrated circuits and later exploiting it, hence the nickname “Trojan Horses”. They can serve several purposes, such as sabotaging the infrastructure the circuits are deployed in or eavesdropping on confidential communications.

The ability to detect and deal with Hardware Trojans has become vital for organizations charged with protecting key infrastructure, government and assets. At the business level, today's applications can be critical, and security is paramount in industries such as automotive and avionics; it is important to screen and check chips of uncertain provenance.

In software, a Trojan Horse is malware disguised as legitimate code. Its hardware counterpart, the Hardware Trojan Horse, is a malicious modification of an integrated circuit itself, and it has proven to be just as dangerous.

Classification of Trojans and the means to detect them

There are many types of Trojans, and they can be inserted almost anywhere in the microchip. This is what makes them so difficult to locate: one may sit in the chip's processor while another crouches in its power-supply circuitry.

The stealthiest Hardware Trojans are virtually undetectable because they do not appear in the bill of materials (BoM). They are implanted in the chip itself and therefore must be investigated at the silicon level to be detected. This creates a “needle in a haystack” situation when trying to flush a suspected Trojan out.

Trojans can also be implanted at different phases, from the specification phase to assembly and packaging. They may also have different purposes once integrated: some change the functionality of a chip, others degrade its performance or deny the service it offers outright, and still others leak information.

A Hardware Trojan Horse can have several kinds of activation mechanism (an internal counter, a rare input pattern, an external signal), which makes it hard to catch in the act.

Hardware Trojan detection can almost be considered a type of reverse engineering for “evidence of infection” purposes. While evaluating the system, the evaluator looks for abnormal behavior that might harm the functioning of the circuit. Detecting Hardware Trojans requires the appropriate skills and tools.

To this end, two initial techniques have been put forward:

• Destructive reverse engineering. Its main drawback is that it is very expensive and, because it destroys the sample it examines, it cannot guarantee the absence of Trojans in the untested devices of the same lot.

• Conventional VLSI testing. Its main drawback is that it is not very effective, as a Trojan's trigger condition is rarely satisfied by a test pattern, all the more so for sequential Trojans, which need a specific sequence of vectors to be triggered.

Building on these two techniques and their drawbacks, a number of other solutions have been implemented.

The reactive way of dealing with Hardware Trojans

One way to find and deal with a Hardware Trojan is to first become aware of its presence in the system and then act accordingly.

Analog Detection

Many methods can be used reactively, such as analog detection, which aims to detect abnormal behavior of the system at the pre- and post-silicon stages. The static form looks for visible malicious components hidden on a printed circuit board (PCB) or in cable packaging, but it is of limited use if the Trojan is hidden inside the chip. This is where a dynamic method can be leveraged: observing the electromagnetic activity of the system, looking for unexpected emissions, and comparing them against a golden model (a trusted reference unit known to be Trojan-free). The comparison has to be statistical, since process variation and measurement noise mean that even two clean chips never produce identical traces.

Hardware Assertions

Another method consists of hardware assertions. Some Hardware Trojans are actually a combination of hardware and software vulnerabilities that, when combined, allow the system to be exploited. The hardware assertion method entails identifying high-level, critical behavioral invariants and checking them while the circuit is running. With many Hardware Trojans, the attacker will attempt to modify the behavior of the target circuit or violate one of its properties. Therefore the properties of the asset (privilege mode, memory access conditions, rules, permitted instructions) need to be checked by a hardware module. A single change in these properties betrays the Hardware Trojan.

Sensors

Sensors can be used to counter active attacks in which the attacker attempts to disturb the normal behavior of the system. When a Hardware Trojan is triggered the system begins to behave abnormally: the supply voltage may drop drastically or the clock may be corrupted in order to stress the system to the point where it cannot perform sensitive operations properly. Voltage and clock sensors fire when they notice such events.

A variety of methods therefore exists to find and deal with Hardware Trojans. While these methods have proven effective at detecting Hardware Trojans when there is already reason to believe one is present in the system, the need to search for and deal with Trojans proactively has rapidly arisen.

The proactive way of dealing with Hardware Trojans

Beyond the reactive way of finding a Hardware Trojan in a system, there is a constant need for additional trust. This is why new methods have been developed in the security sphere that provide in-depth protection through a more proactive approach.

Indeed, since most Hardware Trojan detections occur once the malicious hardware in the system is already known, these new methods aim to prevent Hardware Trojans from succeeding in the first place: the system is equipped with tools that help it fend off incoming attacks.

Machine Learning

One of these proactive methods is Machine Learning. The use of computer systems able to learn and adapt without following explicit instructions will be key in the future for many topics, including Hardware Trojan detection and protection. As each Trojan is different, it may be difficult to define a method applicable to every case. Machine learning can build diverse, complex models and make decisions based on them. It is also key to understanding Hardware Trojans, which are relatively new, because it helps aggregate data about them. There are two ways to apply it: supervised learning, where evaluators inject known samples of Hardware Trojans into the system, determine how to detect them properly, and enrich the model's database with those samples; and unsupervised learning, where the characteristics of the Trojan are not known in advance and the model has to detect it on its own by evaluating the parameters and the system's behavior. The latter will help detect new types of Trojans, as it is less limited than the former, at the price of a higher false-positive rate that has to be managed.

While it is a reactive approach to have a Hardware Trojan monitoring IP in a chip for active detection of malicious processes at runtime, this often comes at a higher cost of inspection and additional computation, which many find undesirable. A proactive measure is therefore to include Hardware Trojan analysis in the device testing flow. An example is shown in the following figure:

[Figure: Testing flow for Hardware Trojans for a chip lot: chip out from JTAG testing → begin HT detection process → EM signature capture of target chip → ML or statistical analysis for detection → detection output (HT present/absent) → next step]

Fig. Testing flow for Hardware Trojans for a chip lot
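As an added example (not code from the article or from Secure-IC), the following Python sketch implements the statistical-analysis box of the flow above over the kind of EM signature capture described under Analog Detection: a per-sample profile is built from traces of trusted golden units, and a chip under test is flagged when its trace departs from that profile by more than a threshold. The traces are simulated, the Trojan is modelled as a short burst of extra switching activity, and the threshold is an assumption; with a real probe the same profile-and-score logic would run on captured traces.

```python
"""Golden-model EM signature check (added example with simulated traces).

Traces from trusted ("golden") units give a per-sample mean and standard
deviation; a chip under test is scored by the largest z-score of its trace
against that profile. Extra switching activity from a Trojan shows up as
samples the golden profile does not explain. simulate_trace() stands in
for the probe and oscilloscope, and THRESHOLD is an assumption.
"""
import random
import statistics

THRESHOLD = 6.0  # assumed decision threshold in standard deviations


def simulate_trace(rng, n=256, trojan=False):
    """Synthetic EM trace: square-wave-like baseline plus Gaussian noise.

    A Trojan is modelled as extra toggling that adds 0.5 to samples 100..109.
    """
    trace = []
    for i in range(n):
        v = 1.0 if (i // 8) % 2 == 0 else 0.2      # baseline activity
        v += rng.gauss(0.0, 0.05)                  # measurement noise
        if trojan and 100 <= i < 110:
            v += 0.5                               # Trojan payload active
        trace.append(v)
    return trace


def build_profile(golden_traces):
    """Per-sample (mean, sigma) from traces of units known to be Trojan-free."""
    n = len(golden_traces[0])
    means, sigmas = [], []
    for i in range(n):
        column = [t[i] for t in golden_traces]
        means.append(statistics.fmean(column))
        sigmas.append(max(statistics.pstdev(column), 1e-6))  # avoid /0
    return means, sigmas


def max_zscore(trace, profile):
    """Largest per-sample deviation of TRACE from PROFILE, in sigmas."""
    means, sigmas = profile
    return max(abs(x - m) / s for x, m, s in zip(trace, means, sigmas))


def trojan_present(trace, profile, threshold=THRESHOLD):
    """Verdict for one chip under test."""
    return max_zscore(trace, profile) > threshold


def run_lot(seed=1, golden_units=32):
    """Profile a lot from its golden units, then test a clean and a Trojaned chip.

    Returns (clean_flagged, trojaned_flagged).
    """
    rng = random.Random(seed)                     # deterministic for the example
    profile = build_profile([simulate_trace(rng) for _ in range(golden_units)])
    clean = simulate_trace(rng)
    suspect = simulate_trace(rng, trojan=True)
    return trojan_present(clean, profile), trojan_present(suspect, profile)


if __name__ == "__main__":
    print(run_lot())  # (False, True)
```

The golden units are the trust anchor of the whole flow: if they were drawn from the same compromised lot, their profile already contains the Trojan's signature and the comparison is blind to it, so they should come from a trusted fab run or be verified destructively first.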

Cyber Escort Unit

Another method is to protect the CPU directly by mitigating vulnerabilities and attacks on code execution or integrity, whether induced by software bugs, by malicious activity or by performance optimizations that neglected security. These attacks have the particularity of engaging both software and hardware, so the protection layer is placed in the hardware, where it can protect both. By following program execution step by step, such a unit can detect any unexpected behavior of the CPU. It is not dedicated to a specific attack or Trojan type: irrespective of whether the Trojan is triggered by hardware or software means, and whatever its payload, any alteration of code execution or code integrity can be detected.
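As an added example (not from the article), the following Python monitor models two of the checks described under Hardware Assertions and in the execution-following unit above, applied to a constructed execution trace: an access to the privileged address range must come from privileged mode, and every control transfer must follow an edge of the program's static control-flow graph. The address ranges, the graph and both traces are invented; a hardware implementation would watch bus and pipeline signals rather than Python tuples.

```python
"""Runtime invariant monitor over an execution trace (added example).

Two hardware assertions are modelled: (1) only privileged mode may access
the privileged address range, and (2) every control transfer must follow an
edge of the program's static control-flow graph. PRIV_RANGE, CFG and both
traces are constructed for the example.
"""

PRIV_RANGE = range(0xF000, 0x10000)   # assumed privileged MMIO region

# Assumed static CFG: for each instruction address, the set of legal next PCs.
CFG = {
    0x100: {0x104},
    0x104: {0x108, 0x120},   # conditional branch
    0x108: {0x10C},
    0x10C: {0x100},          # loop back
    0x120: {0x124},
    0x124: {0x200},          # trap into the privileged handler
    0x200: {0x204},
    0x204: {0x100},          # return from handler
}


def check_trace(trace, cfg=CFG, priv_range=PRIV_RANGE):
    """Return the list of violations found in TRACE.

    TRACE is a sequence of (pc, mode, access) tuples, where mode is "user"
    or "priv" and access is the data address touched by the instruction,
    or None. Violations are ("cfi", from_pc, to_pc) for an illegal control
    transfer and ("priv", pc, address) for a privileged access from user mode.
    """
    violations = []
    prev_pc = None
    for pc, mode, access in trace:
        if prev_pc is not None and pc not in cfg.get(prev_pc, set()):
            violations.append(("cfi", prev_pc, pc))
        if access is not None and access in priv_range and mode != "priv":
            violations.append(("priv", pc, access))
        prev_pc = pc
    return violations


# Constructed traces. GOOD follows the CFG and enters the handler through
# the trap; BAD models a Trojan that jumps straight into the handler and
# leaves the mode bit at "user" while the handler touches privileged MMIO.
GOOD_TRACE = [
    (0x100, "user", None), (0x104, "user", None), (0x120, "user", None),
    (0x124, "user", None), (0x200, "priv", 0xF010), (0x204, "priv", None),
    (0x100, "user", None),
]
BAD_TRACE = [
    (0x100, "user", None), (0x104, "user", None), (0x108, "user", None),
    (0x200, "user", 0xF010), (0x204, "priv", None), (0x100, "user", None),
]


if __name__ == "__main__":
    print(check_trace(GOOD_TRACE))  # []
    print(check_trace(BAD_TRACE))   # [('cfi', 264, 512), ('priv', 512, 61456)]
```

Both invariants are independent of how the Trojan was triggered or what its payload is, which is the property the escort-unit approach relies on: the monitor only knows what legal execution looks like, so anything else is reported.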

The Encoded Circuit Method

The "encoded circuit" method is based on the observation that all integrated circuits are composed of two distinct parts: a combinational part and a sequential part. The sequential part includes the data and control registers, which are easier to recognize on the IC layout because of their size. It is therefore easier for an attacker to connect the Trojan to the sequential part, so this method aims at encoding and masking all sequential registers with a Linear Boolean Code.
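The encoding half of that method, as an added example (not Secure-IC's implementation): a register's k-bit state is stored as the codeword of a systematic linear Boolean code, and a checker recomputes the syndrome on every read, so any change to the stored cells that flips fewer than d bits (d = minimum distance) is detected before the value is consumed. The Hamming(7,4) parameters and the register model are assumptions chosen for brevity; masking is not shown.

```python
"""Encoded register with syndrome checking (added example).

State x is stored as x*G over GF(2) with G = [I_k | P]; the checker computes
H*c with H = [P^T | I_r], which is zero exactly when c is a codeword."""
from itertools import combinations, product
from typing import List

Bits = List[int]

# Parity part P of the generator. k = 4 data bits, r = 3 check bits, minimum
# distance d = 3, so every 1- or 2-bit change of the stored word is detected.
P: List[Bits] = [
    [1, 1, 0],
    [1, 0, 1],
    [0, 1, 1],
    [1, 1, 1],
]
K = len(P)        # data bits
R = len(P[0])     # check bits
N = K + R         # stored register width


def encode(data: Bits) -> Bits:
    """x -> x*G: the data bits followed by r parity bits."""
    assert len(data) == K
    parity = [0] * R
    for i, bit in enumerate(data):
        if bit:
            parity = [p ^ q for p, q in zip(parity, P[i])]
    return list(data) + parity


def syndrome(word: Bits) -> Bits:
    """H*c^T: stored parity XOR parity recomputed from the stored data bits."""
    assert len(word) == N
    s = list(word[K:])
    for i in range(K):
        if word[i]:
            s = [a ^ b for a, b in zip(s, P[i])]
    return s


class EncodedRegister:
    """Sequential element whose cells always hold a codeword; reads are checked."""

    def __init__(self) -> None:
        self.cells: Bits = encode([0] * K)

    def write(self, data: Bits) -> None:
        self.cells = encode(data)

    def read(self) -> Bits:
        s = syndrome(self.cells)
        if any(s):
            raise RuntimeError(f"register tampering detected, syndrome {s}")
        return self.cells[:K]

    def inject_fault(self, *positions: int) -> None:
        """Test hook only: flips stored cells to model a Trojan driving the register."""
        for pos in positions:
            self.cells[pos] ^= 1


def detection_coverage(max_flips: int) -> bool:
    """True if every pattern of 1..max_flips flipped cells is detected for
    every register value (exhaustive over all 2^K contents)."""
    for data in product([0, 1], repeat=K):
        cw = encode(list(data))
        for weight in range(1, max_flips + 1):
            for positions in combinations(range(N), weight):
                damaged = cw[:]
                for pos in positions:
                    damaged[pos] ^= 1
                if not any(syndrome(damaged)):
                    return False            # a change landed on another codeword
    return True


if __name__ == "__main__":
    reg = EncodedRegister()
    reg.write([1, 0, 1, 1])
    print("stored cells:", reg.cells, "read:", reg.read())
    reg.inject_fault(2)
    try:
        reg.read()
    except RuntimeError as alarm:
        print(alarm)
    print("all 1- and 2-bit changes detected:", detection_coverage(2))
    print("all 3-bit changes detected:", detection_coverage(3))
```

The last line shows the limit of the code: a 3-bit change can land on another codeword, which is why a real design picks the code's minimum distance from the fault model it must withstand.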

Conclusion

As hardware Trojans continue to be developed for nefarious purposes, it is our duty to protect devices from these new threats. While proactive methods are emphasized, it is important to note that reactive methods are still viable and should not be disregarded. With so many types of Trojans and so many ways to attack systems, companies should use all the tools at their disposal to fight potential threats to their systems.

If you would like to include Hardware Trojan protections in your security plan to protect your systems from potential attacks, you can ask for our help.



About the Author

My name is Sylvain Guilley. I am General Manager & CTO at Secure-IC, a French company offering cybersecurity solutions for embedded systems.

I am also a professor at TELECOM-Paris, a research associate at École Normale Supérieure (ENS, Paris), and an adjunct professor at the Chinese Academy of Sciences (CAS, Beijing).

My research interests are trusted computing, cyber-physical security, secure prototyping in FPGA & ASIC, and formal/mathematical methods.

I am lead editor of international standards, such as ISO/IEC 20897 (Physically Unclonable Functions), ISO/IEC 20085 (Calibration of non-invasive testing tools), and ISO/IEC 24485 (White Box Cryptography). Associate editor of the Springer Journal of Cryptographic Engineering (JCEN), I have co-authored 250+ research papers & filed 40+ invention patents.

Sylvain Guilley can be reached at contact@secure-ic.com and at our company website www.secureic.com



StayHackFree – Your Kid's Sports Team

Your kid's sports team is better managed than your Cyber team.

By James Gorman, CISO, Authx

Your kid's hockey team has better management than your Cyber Security team. Really, I am not kidding. How do I know? Let's start with this: your kid's team has a coach, a plan, a practice schedule, and goals. Can you honestly say that about your Cyber Security team?

Your kid's hockey team has a coach who has some level of competency. In USA Hockey, coaches have to be at a certain level; for most, it is Level 3, which makes sure you have a base knowledge and understanding of the rules. In most organizations, there is no specific person designated to be the "coach" of the incident response team, nor is there a clearly defined person who will quarterback it. Is your lead technologist also the Incident Response Manager? Is that the right mix of responsibilities? There is nothing worse in the thick of an incident than not knowing who is in charge or who has the authority to make the difficult calls. Also, most of the kids I used to coach had outside coaches to help them improve the basics. So you need designated roles and responsibilities, an experienced coach, and outside trainers to reach the management level of your kid's hockey team. Outside and ongoing training and a culture of learning are critical to growing Cyber teams.

How is your team stacking up so far?

Your kid's hockey team has a game plan, or a playbook. They know where they are supposed to line up and what the objective is depending on the game circumstance. In most organizations there is no formal plan, or worse, there is one sitting on a shelf, file server, or website that no one has looked at since a contractor wrote it for an audit so long ago that the person or consultant who wrote it is on their third job since the audit ended. Without a plan, when the time comes to respond, there is chaos. People with no direction waste valuable time instead of minimizing or eliminating the impact of an incident and its cost to your business. A viable plan is critical to the timely execution of your cyber defenses.

All kids' teams have a practice schedule. If your kid's team said, "Nope, no practices, just games," you would expect to lose every time to teams that practice. Your Cyber team needs to have regularly scheduled practice. At a minimum, you need to exercise the incident plan with a "tabletop" simulation at least once a month. The boilerplate template you used for your Incident Management Plan likely calls for an annual test of the plan. In today's rapidly changing IT environment, you should exercise the plan and update it with lessons learned every month. The cyber hackers are out there, and every day they are knocking at your doors. What happens at the outset of an ongoing attack will shape its lasting effects. If you stumble or fumble initially, you beg for lasting consequences and maybe even front-page news. Just ask the teams at some of the recent highly publicized hacks.

All kids' teams have goals. When I was coaching kids' teams, I would have three goals for a game. Usually, the situational goals had to do with scoring first, not taking any penalties, or winning 51%+ of faceoffs, with the over-arching aspiration being the main "goal": having fun. For your Cyber team, your overarching goal should be to StayHackFree; remember, it is not a goal, it is an aspiration. Each month you should have situational goals for your team. For example, one month could be improving the amount of Endpoint Protection deployed. Another week it could be who can find the error in the incident response plan. Consistently looking for ways to strengthen your threat posture or reduce your organization's attack surface is the point of the situational goals. It is best to have both situational and over-arching goals, but goals need to be tangible, measurable, and specific.

So, to sum up: use the model of your kid's sports teams to vastly improve your cyber defense posture. There is no reason not to have a point person or coach lead your incident response team. You must have a plan and know where to start before an incident happens. Frequent practice sessions and tabletop exercises with lessons learned are a must. Setting situational goals to improve your defense posture is critical to being prepared for all comers. Get a coach, get a plan, practice the plan, and have goals to StayHackFree.



About the Author

James Gorman, CISO, Authx. James is a solutions-driven, results-focused technologist and entrepreneur with experience securing, designing, building, deploying and maintaining large-scale, mission-critical applications and networks. Over the last 15 years he has led teams through multiple NIST, ISO, PCI, and HITRUST compliance audits. As a consultant, he has helped multiple companies formulate their strategy for compliance and infrastructure scalability. His previous leadership roles include CISO, VP of Network Operations & Engineering, CTO, VP of Operations, Founder & Principal Consultant, Vice President and CEO at companies such as GE, Epoch Internet, NETtel, Cable and Wireless, SecureNet, and Transaction Network Services.

James can be reached online at james@authx.com, https://www.linkedin.com/in/jamesgorman/ and at our company website https://authx.com



Tips for Avoiding Online Scams During COVID-19

Follow these best practices and stay vigilant to significantly reduce risk for your organization

By Cindy Murphy, President, Tetra Defense

Organizations have made significant changes in light of COVID-19, oftentimes favoring health and safety over profit. Cab services urge people to stay home. Restaurants offer no-contact deliveries. Perfume companies have shifted to making hand sanitizer, and vehicle manufacturers are now making ventilators. While many businesses are working hard to fight the hardships COVID-19 has brought about, malicious organizations are working to do just the opposite.

Since the pandemic took hold of America, there has been a substantial increase in the number of cyberattack attempts. Phishing emails are virtually all COVID-19-themed, social engineering involves concepts of sickness and health, and ransomware operations are attacking some of the organizations that we rely on most: essential businesses. While these scams are nothing new, the way they are presented and deployed, and the consequences they have, are constantly changing in the COVID-19 era. To stay protected, whether working in person at an essential business, working from home, or simply staying sane in quarantine using the Internet on personal devices, keep cybersecurity front-of-mind.



Major Online Scams

The practice of crafting manipulative messages to elicit a specific behavior is considered to be “social engineering.” This is an abstract concept, since it casts the widest net, but it is a practice that nearly all scams and attacks, in the physical world or in the cyber world, rely on. No matter how robust, up-to-date, or complicated your technology is to hack into, social engineering preys on the human behind the devices. Since the ‘90s, when the term was coined in this context, threat actors have found it’s easier to trick a person into giving information or access than it is to trick a computer. Even in professional vulnerability testing, social engineering is used to see how robust security is when faced with someone who simply says all the right things to gain unauthorized access.

Rather than a one-size-fits-all message, social engineering uses specific headlines, unique situations, and emotional manipulation to convince a victim to divulge information. Messages may range from the email from the “prince in Nigeria who needs your help” to hyper-specific phone calls or even personalized texts that “want to confirm your banking credentials.” Social engineering attacks are always more successful the more information the threat actor has at the start. In the COVID-19 era, being able to assume that people are home, that they are awaiting aid from a stimulus package, or that they are collaborating with their managers and directors from a distance is enough information to deploy a successful, manipulative message.



Phishing Example 1

Phishing refers to messages deployed via email, and this is the most popular channel in this context. For threat actors, email is an attractive option since it is most likely already connected to an essential device like a personal computer or smartphone, and it is most likely connected to the public Internet or an organization’s internal network. Since phishing attempts are now socially engineered to appear as though they are from credible health sources, the World Health Organization has published guidelines to protect potential victims.

An acronym to become familiar with is BEC, or Business Email Compromise, the act of gaining unauthorized access to a business email account. It’s often achieved through the practice of perfectly impersonating trusted sources, usually via email. This allows threat actors to disguise themselves as a director, a CISO, or even a trusted colleague who is simply asking for information or suggesting you download their file. This is one of the most deceptive practices, considering the innate trust that we place in correct email addresses. Without proper password protection, the person behind a legitimate address may no longer be who you expect.

Staying Vigilant During COVID-19

Threat actors have an impressive toolkit that includes social engineering and impersonation techniques to harvest sensitive data, and this has been the case for decades. In light of COVID-19, the consequences of these attacks can prove to be especially devastating. When few businesses are operating at full capacity, and when healthcare organizations are quickly becoming overwhelmed, an attack can not only cause disruption, it could risk lives.

In uncertain times, the last thing anyone wants to worry about is a threat actor gaining unauthorized access to valuable data and resources. Malicious organizations have already proven they have no ethical boundaries — they have targeted critical infrastructure like HHS to take advantage of the situation that COVID-19 has presented. Here are our tips for maintaining cybersecurity from home in this unique time:

1. Practice “Zero Trust”

As a best practice, maintaining a healthy level of suspicion is the strongest defense against social engineering. Threat actors rely on the naivety of users to grant them access and will present any number of stories or situations to exploit potential victims. Manipulation tactics include offering a sweet return on an investment (i.e., the Nigerian prince will offer you endless riches), posing as people you may innately want to help or donate to, or even threatening you from the account of someone with authority.

2. Ensure Links are Secure

In many phishing attempts, there are malicious websites that either perfectly clone trusted sources or appear to be legitimate. These websites, however, often deploy malware at the first click. To ensure you are visiting trusted web sources, hover over a link before clicking. This will show, in plain text, the URL the link will take you to. While you’re there, be sure to be cognizant of the other security warnings that your web browser will display.



3. Employ Multi-Factor Authentication

If a threat actor has your password credentials, or you suspect you have given information to a malicious source, Multi-Factor Authentication is a great backstop. If a password is entered, access will not be granted until a second device can confirm the request, usually through a code or prompt on a smartphone. This is a simple tool that is often available via major email providers and Internet-based accounts, and it can deter a threat actor from accessing your information.

4. Use Robust Passwords

While “password1” or “123456” are easy enough to remember, the pain of losing access to your accounts is far worse than the pain of implementing complicated, unique passwords to begin with. Threat actors can attempt the most common passwords on accounts by the thousands. They scan for any easy vulnerabilities they can exploit on the Internet, and you can arm yourself with a strong password to deter them. Common guidelines for building a strong password include using at least 12 characters, implementing long phrases, and unconventional punctuation.

5. Update, Update, Update

While it may be inconvenient to learn how to deal with a new operating system or a new interface, updating as quickly as possible ensures your devices are running with the most recent protections. When threat actors search for vulnerabilities, they can configure nearly any attack to fit a port of entry, even if that entry only operates on a slightly out-of-date app, mobile device, or computer system. Having a fully functioning piece of technology from a few years ago is fine, but being sure to update its protection systems is a simple safeguard as threat actors remain persistent during COVID-19.

While organizations continue to implement changes in the name of health and safety, it’s important to keep in mind that threat actors are actively working against them. In situations where people are working from a new home setup, people are grieving the loss of normalcy, and people are awaiting information regarding their health and their paychecks, threat actors are creating messages to manipulate them. While these are unprecedented times, and cyberattacks are more consequential than ever, there’s comfort in knowing that security best practices still stand, and awareness of these online scams proves to be a great safeguard in and of itself.



About the Author

Cindy Murphy is the President of Tetra Defense, an incident response and digital forensics firm based in Madison, Wisconsin. She worked in law enforcement for 31 years, starting her career in the US Army in 1985 and joining the Madison Police Department in 1991. She began investigating computer-related crimes in 1998 before being promoted to detective in 2000. Since then, Cindy has become one of the most highly respected experts in the digital forensics field. She has been teaching digital forensics since 2002 and helped develop a digital forensics certification curriculum for Madison Area Technical College and co-authored the SANS FOR585 Advanced Smartphone Forensics course.

Cindy can be reached via Twitter @CindyMurph and at our company website: https://tetradefense.com/



Banking Fraud up 159% as Transactions Hit Pre-Pandemic Volumes

Organizations and users should aggressively embrace passwordless authentication methods to establish a strong un-phishable relationship.

By Rajiv Pimplaskar, CRO, Veridium

The latest Feedzai Financial Crime Report Q2 2021 Edition, which factors in some 12 billion global transactions between January and March 2021, shows that bank fraud is up 159%, including internet, telephone, and branch banking. Card-not-present (CNP) transactions were just 18% of all transactions but drove 83% of all fraud attempts.

The five most commonly attempted scams were Account Takeover (ATO), up 47%; account opening identity theft, up 23%; impersonation scams, up 21%; purchase of goods that never arrived, up 15%; and phishing scams, up 7%. A cyber and passwordless authentication expert with Veridium offers perspective.



The recent Feedzai report confirms several points regarding the industry’s hypotheses on financial fraud. First, as transaction volumes reach all-time highs, banks and insurance companies should brace for higher fraud volumes and proactively bolster their risk processes and customer identity and access management systems. Second, fraud vectors should increasingly be assumed to be multimodal, as bad actors will often exploit channels with weaker Know Your Customer (KYC) verification processes, such as telephone banking or the contact center, as seen in the high surge in fraud attempts from these channels. Sometimes even bank card fraud via traditional mail can manifest within the branch and digital channels as impersonation and Account Takeover (ATO) scams. Finally, various forms of phishing, social engineering and Man-in-the-Middle (MITM) attacks can be highly effective at overwhelming the vast majority of conventional safeguards currently in place at financial institutions.

Organizations and users should aggressively embrace passwordless authentication methods to establish a strong un-phishable relationship between the user’s designated authenticator and the bank systems. As identity becomes the new perimeter, strong customer authentication solutions such as Phone-as-a-Token and FIDO2 security keys are increasingly gaining popularity. Such authentication methods also offer lower friction and can improve user experience and productivity.

Fraud is Multi-modal, Constantly Evolves and Gravitates to the Weakest Channel

With fraud costing the global economy over $5 trillion, financial services firms worldwide are focused on fraud prevention in a big way. In countries like the UK, fraud is currently the #1 crime – far outpacing all other crime categories! With cost containment being very important in driving shareholder value, fraud is a key area which, if not managed carefully, can quickly erode the bank’s earnings. Consequently, hundreds of millions of dollars are being invested and fraud defense systems are getting increasingly sophisticated. Customer education is also at an all-time high to ensure fraud awareness is top of mind, much like the conventional wisdom of locking the front door to your house or not leaving valuables in plain sight within your vehicle.

However, fraudsters are also evolving at an alarming rate and continuously devising new approaches. For example, improved defense against ATO scams is being circumvented by a rise in authorized push payment fraud, where an impersonator convinces the legitimate account owner to authorize a payment for a fake cryptocurrency investment or a fake invoice. Often the account owner is coached on what to say if the bank’s fraud department contacts them, and many times winds up taking sides with the fraudster against the bank’s investigators! From a bank’s perspective, this complicates matters significantly: apart from their usual screening, they must now also verify the legitimacy of the destination account where the payment is being wired. First-party fraud is also on the rise. In several countries, “money mules” are systematically recruited by organized gangs via social media using a cover story promising quick monetary gain, with the objective of fraudulent account opening and laundering crime money. While several of the victims are college students and teenagers getting scammed, many do it for money. As controls over mobile and digital channels have strengthened, fraud has also shifted into the contact center, where social engineering and MITM attacks can be highly effective at compromising traditional KBA (Knowledge Based Authentication).



Strong Digital Identity Needs Modern Authentication

Digital transformation initiatives can leverage a treasure trove of personal information already stored by the bank, including biometrics, biographic information and behavioral data gathered since account opening. For example, a video face capture or liveness check during KYC could be combined with behavioral data to detect impersonation or known bad behavior. This identity verification could also be used as a “trust anchor”, as defined by Gartner research, to step up authentication during risky or high-value transactions, or during a vulnerable situation such as device enrollment or account recovery.

Passwordless methods such as Phone-as-a-Token or FIDO2’s strong passwordless authentication can be adopted to improve website security and reduce dependence on passwords. FIDO2 is the set of standards and protocols developed by the FIDO Alliance and the World Wide Web Consortium (W3C) to strengthen website authentication. An added benefit is that such technologies, while more secure, are also easier to use, providing better overall user experience and satisfaction.

Passwordless authentication options for consumers could include the use of Phone-as-a-Token, where an un-phishable trusted relationship is established between the individual and their enrolled mobile phone. Phone manufacturers and versions can be managed as part of an allow/deny list, and conditions exploited during MITM attacks, such as a jailbreak, can be detected. Upon securing consent, the security level could be dynamically adjusted depending on the customer’s geolocation and/or behavior, which improves protection for the consumer, the employee and the company. For private or secure environments like contact centers, where a phone may not be feasible, FIDO2 security keys could be an efficient alternative.

About the Author

A seasoned cybersecurity executive, Rajiv Pimplaskar is driving global go-to-market strategy and revenue for Veridium. Based out of the company’s New York headquarters, Rajiv comes to Veridium from San Francisco-based Cloudmark – a leader in threat intelligence (acquired by Proofpoint). Previously, he held senior leadership roles spanning sales, marketing, product, and corporate development at Atlantis Computing (acquired by HiveIO) and Verizon. Rajiv is an Electrical Engineering and Computer Science professional by trade and is passionate about building and scaling enterprise software companies that offer a market disruption.

Rajiv can be reached online at @veridiumid and at our company website https://www.veridiumid.com/



Why Cyber Risk Is the Top Concern of The Financial Services Industry

The sector faces a wide range of challenges ranging from Covid to compliance to the cloud, to name just a few.

By Paul Schiavone, Global Industry Solutions Director - Financial Institutions at Allianz Global Corporate & Specialty

Ever since Covid-19 led to an unplanned increase in homeworking and electronic trading, cyber security experts have been warning financial institutions of a perfect storm. In fact, attacks against the financial sector were reported to have increased by well over 200% globally from the beginning of February 2020 to the end of April 2020, with some 80% of financial institutions reporting an increase in cyber-attacks, according to security firm VMware. Weaker controls and oversight, laxer security in the home office and the greater likelihood of employees falling victim to scams while working remotely were just some of the reasons cited for this dramatic rise.

The reason for the uptick in cyber-attacks on financial services is simple. At the end of the day, cyber criminals go where the money is, and financial companies hold an extraordinary amount of sensitive data on individuals, businesses and governments. Cyber security has been an existential issue for financial institutions, and they have been investing heavily in it for years. However, with such potentially high rewards, cyber criminals will also invest time and money into attacking them. For example, the Carbanak and Cobalt malware campaigns targeted over 100 financial institutions in more than 40 countries over a five-year period, stealing over $1bn.



Regulators get tougher

At a time when financial institutions are becoming more reliant on technology and data to provide products and services to customers, they increasingly face a challenging regulatory environment. In many parts of the world, firms face a growing body of regulation, including evolving data protection and privacy rules, as well as cyber security requirements.

In particular, there has been a seismic shift in the regulatory view of privacy and cyber security. Where regulators previously looked to incentivize firms to invest in cyber security, they now see it through the lens of consumer rights and data privacy. With the General Data Protection Regulation (GDPR) in Europe and the likes of the California Consumer Privacy Act in the US, companies now need to operationalize their response to regulation and privacy rights, not just look at cyber security.

The consequences of data breaches are far-reaching, with more aggressive enforcement, higher fines and regulatory costs, and growing third-party liability. Under the GDPR, the number and value of fines for data and privacy violations has been growing, while jurisdictions around the world have been introducing stricter data laws. Increasingly, breaches and regulatory actions are followed by litigation, with a number of group actions now pending in the UK as well as the US. A data breach at Capital One bank in 2019 – one of the largest ever – resulted in an $80mn fine and a number of lawsuits by affected customers. More recently, following a number of major outages at banks and payment processing companies, regulators have begun drafting business continuity requirements in a bid to bolster resilience.

Ransomware attacks on the rise

Ransomware attacks continue to increase in frequency and severity, with ever larger ransom demands. Last year, the Securities and Exchange Commission in the US warned about a rise in the number and sophistication of ransomware attacks on US financial institutions. Ransomware attacks were up nine-fold between February and the end of April 2020, according to VMware.

A recent development has seen attackers steal sensitive data and threaten to publish it online if ransoms are not paid. US lender Flagstar Bank, for example, suffered an attack in early 2021 in which the attackers posted personal details online in an attempt to extort money. Last year, Chilean bank BancoEstado shut down branches after a ransomware attack. In March 2021, CNA Hardy was also hit by a sophisticated ransomware attack which impacted its operations and email systems and significantly disrupted the insurer for a number of weeks.

If criminals can get access to critical systems or sensitive data, they will look to monetize the attack through extortion. At the same time, the rise of cryptocurrencies like Bitcoin is making it easier for cyber criminals to carry out successful ransomware or extortion attacks.

“Fake presidents” and ATM “jackpotting”

With many employees working from home and under increased stress, Covid-19 has created opportunities for cyber criminals to carry out various scams and cyber-attacks. The US Federal Bureau of Investigation (FBI) received over 28,500 complaints related to Covid-19 cyber-crime alone in 2020. Many incidents sought to exploit stimulus funds and Paycheck Protection Program (PPP) loans, or used Covid-19 themed phishing to steal money or personal data. Business email compromise (BEC) attacks, also known as “fake president” attacks, are a particular problem for financial institutions that make large numbers of high-value payments on behalf of their customers. The cost of BEC attacks reached $1.86bn in 2020, accounting for almost half of all reported cybercrime losses. Such attacks are becoming more sophisticated and increasingly involve identity theft and stolen funds being converted to cryptocurrency.

ATM “jackpotting” attacks continue to be a threat as well. On July 13, 2020, Belgian savings bank Argenta shut down 143 cash machines after criminals tried to take control of them through the bank's network servers. These attacks have become increasingly sophisticated, and over the last five years “jackpotting” has cost the financial services sector millions of dollars.

Third-party service providers can be the weak link in the cyber security chain

One of the largest and most sophisticated cyber-attacks of the past year, the SolarWinds incident, was a supply chain attack. The attackers gained access to SolarWinds' network and inserted malicious code into a build of its network management software, which was then distributed to thousands of organizations, including banks and government agencies, as a legitimate update. The SolarWinds breach is an important reminder of how vulnerable the financial services sector is to cyber-attacks and outages through its reliance on third-party suppliers and service providers, over whose cyber security it has little or no control. This is likely to become a bigger issue as regulators increasingly focus on business continuity and operational resilience.

Most financial institutions now make use of cloud services to access additional processing capacity, as IT infrastructure, or to carry out particular processes such as fraud detection or analytics. On one hand, cloud providers are developing tools to help organizations manage and mitigate their cyber risks. On the other hand, reliance on a relatively small number of cloud providers is growing, and an opaque cloud infrastructure can potentially create large and systemic risks. A Bank of England survey of banks and insurers last year found that the provision of IT infrastructure in the cloud is already highly concentrated: the top two infrastructure-as-a-service providers had around two-thirds market share for banks.

How financial institutions manage the risks presented by the cloud will be critical going forward. They are effectively offloading a significant portion of their cyber security responsibilities to a third-party environment, and the split of those responsibilities needs to be understood: the provider secures the underlying platform, but configuration, identity and access management, and protection of the data placed in the tenant remain the institution's job. Your cloud service vendors can become your exposure.

Risk mitigation best practice

Cyber-attacks often include a human element, where employees, contractors or even customers are unwittingly complicit in incidents. Clients tell us that cyber is the number one concern of every C-suite executive, and we see growing concern about the human factor in particular. Just one click on a link or one download can lead to a costly ransomware attack or a data breach, with loss of data and reputational damage.

Training and technology can help minimize human error. As the first line of defense, employees can make or break an organization's cyber security posture and, often, its reputation. Those who are well trained can significantly reduce the impact of a breach or even prevent it from happening. Employees should be regarded as part of the cyber security team and, as such, there should be a corresponding investment in their training and education. The same applies to top management, who should periodically rehearse scenarios to better prepare for and respond to a major cyber incident. Since cyber security goes right up the chain, building resilience and business continuity planning are key to reducing the impact of an incident.

Companies should consider taking the opportunity to carry out a desktop exercise with their insurer and broker, including key internal and external stakeholders. This builds trust and can take the sting out of a crisis. Cross-sector exchange and cooperation among companies, such as that established by the Charter of Trust, is also key when it comes to defying highly organized, commercially motivated cyber crime, developing joint security standards and improving cyber resilience.

About the Author

Paul Schiavone, Global Industry Solutions Director Financial Services at Allianz Global Corporate & Specialty, has over twenty years of experience in the insurance industry as legal counsel, underwriter, broker, manager and Chief Underwriting Officer, working in New York, Paris, San Francisco and London.

Paul can be reached online at https://www.linkedin.com/in/paulschiavone-91401b40/



What Educational Institutions Need to Do to Protect Themselves From Cyber Threats

By Cyril James, Founder and CEO, Secure Triad

The COVID-19 pandemic and the subsequent lockdown have changed how we socialize and live our lives, and the effects are felt in our personal and professional lives alike.

A major impact has been felt in the education sector, which, in response to the pandemic, has adopted online learning and training formats.

The use of technology in education is no longer a novelty but the norm, and that makes educational institutions prime targets for cyber-attacks.

Online learning has made it possible for students across the world to continue their education from the safety of their homes, but it has added new complexities to the cyber security challenges faced by educational institutes.

The pandemic has handed cybercriminals tailor-made opportunities to attack institutes' networks as well as their teachers and students.

Though this challenge is not unique to the education sector, it poses a larger threat there: unlike office employees, students typically have little exposure to or training in cyber security.



Challenges Faced by Education Institutes

Coronavirus-related phishing mail is on the rise. With teachers, students and school administration staff spending more and more time online, such mail can easily find its way into their inboxes.

These scams can easily prey on untrained students and teachers, leading to account takeovers and accidental sharing of private information.

This gives attackers the credentials and information they need to log into the institute's servers, access sensitive data and launch ransomware attacks.

Another challenge faced by educational institutes is the lack of skilled IT staff, which leaves the institution's network susceptible to such threats.

With institutions shut down due to the pandemic, a skeleton staff is at work, most of them remotely from home. In such a scenario the institute's cyber security needs, such as identification of risky or suspicious users and mail, effective implementation of network security, device management, and endpoint security policies, may be neglected.

Weak or absent cyber security infrastructure gives attackers a golden opportunity to attack and infect the network. Many employees are using personal systems while working remotely; these lack robust security controls and are easily compromised.

These are some of the challenges faced by institutes. It is essential to understand the measures that need to be adopted to safeguard their networks and data.

Awareness and Training

Basic training should be provided to the administration and faculty, and to students and their parents. Especially in the case of younger students, parents should be responsible for monitoring the child's online activities.

Faculty, students and parents need to be made aware of the risks of using online platforms and the threat of being targeted by attackers. It is imperative to train staff, students and parents to identify and deal with malware and phishing emails.

In this way, the risk of accidentally opening phishing emails and clicking their links can be significantly reduced.

Institutes should also prepare and enforce an acceptable use policy that states clearly to students what is and is not acceptable, so that faculty understand the framework for what is allowed when using online learning platforms.

Technical Threat Response Support

Institutes should hire cyber security experts; this should be seen as an investment in the institute's security. The team would be responsible for managing all the security needs of the institute, including configuration and updating of security systems, threat hunting, and 24/7 detection and response.



Firewall Security

VPN connectivity, giving institutes the option to choose either or both for secure remote connectivity. Having SD-WAN integrated in the firewall allows institutes to connect remotely and share data securely with each other.

Synchronized security is also possible, making it easy to identify whether a connected remote device is infected so that it can be isolated until it is clean and free of malware. In this way the spread of infection across the network can be prevented.

Two-factor or multi-factor authentication

Multi-factor authentication is an effective control against unauthorized access and phishing: a stolen password alone is no longer enough to log in. Note that one-time codes and push approvals can still be relayed by a real-time phishing page; phishing-resistant methods such as FIDO2 security keys close that gap. To ensure that faculty and students adhere to internet safety policies, and as a precautionary measure, the institute should mandate turning on alerts for any suspicious activity or non-compliant devices.

Antivirus and web access

Unless institutes are providing faculty and students with a secure VPN, they will need to ensure their online safety by other means, which can be done by setting up web filtering rules.

Licensed antivirus software blocks access to inappropriate websites, stops risky files from being downloaded and provides category-based web filtering. Additionally, phishing can be countered with advanced endpoint protection technologies that stop the attack chain and help prevent future attacks of a similar nature.

The software should also be capable of automatically rolling files back to their pre-altered state if they are encrypted. This protects data when faculty or students are using school-supplied laptops or tablets.

The increase in coronavirus cases has created uncertainty as to when educational institutes will be able to return to normal functioning, or whether this will give rise to an entirely new normal of online learning.

This makes it essential that educational institutes take the appropriate steps to adopt cyber security measures that will maximize their safety.

If institutes do not have cyber security resources of their own, third-party managed security service providers can be hired. These vendors can provide support or coordination in developing a sustainable, secure and successful online learning experience.

However, when dealing with third parties who will have access to sensitive data, institutes must conduct their due diligence and background checks before hiring such entities to manage their systems and services.



About the Author

Cyril James is the Founder and CEO of Secure Triad. He has a solid foundation in the Information Technology and Communication industry with over 13 years of experience. His expertise lies in Information Security, specializing in network, web and mobile application, and cloud penetration testing across industry domains including banking, insurance, energy, telecom, IT products and services, and others. He is well-versed in penetration testing methodologies including OWASP, OSSTMM and PTES, and has a solid understanding of cloud computing, machine learning and various programming languages. Cyril is a visionary and strategy-builder, has good communication skills, and is great at managing teams. Cyril can be reached online at (EMAIL, TWITTER, LinkedIn) and at our company website https://securetriad.io/



Business Continuity: Where InfoSec and Disaster Recovery Meet

By Adam Berger, VP of Global IT and Cloud Operations, Infrascale

The escalation of cyber-attacks and the intensity of recent natural disasters create the same fundamental risk for businesses large and small: a threat to business continuity. Every business manager feels the weight of a potential disruption to normal operations, whether a ransomware attack or storm-induced mass power outages are to blame. Ensuring business continuity requires vigilance on two sides of a coin: preventing disruption from occurring in the first place, and restoring operations as quickly as possible after any disruption. For the purposes of this article, we limit “prevention” to Information Security (InfoSec), i.e., the procedures and measures used to protect digital data from unauthorized use, in businesses with any online or digital presence.

The efficacy of any business continuity plan depends largely on the fast, robust implementation of both information security and disaster recovery. The reality is that the two are deeply intertwined, both fundamentally concerned with keeping the network, infrastructure configurations and data protected and usable.



Leaving Nothing to Chance: Assess and Mitigate Your Risks Through Asset Identification and Effective Risk Analysis

Developing information security and disaster recovery plans that ensure a high level of data protection and safeguard business continuity begins with a baseline evaluation that makes three vital determinations, which can be done as part of a risk analysis.

First, businesses must identify all assets important to the company, including physical and information assets. These might be servers, confidential files, intellectual property, customer products and other key assets. While it sounds obvious, software asset management (SAM) isn't only about optimizing purchases, deployment and maintenance of technology; it begins with a comprehensive inventory of assets. This matters because many SMBs and midsized businesses simply do not have a complete view of every tool and process their teams use.

For information security plans, the inventory should record what kind of secure access and what protections against data exploitation are in place for every asset. For disaster recovery, the inventory should record the required availability of all infrastructure assets and data for internal or external customers in order to maintain service levels.

Second, for each asset inventoried, businesses must specify the value of what they are protecting, to both the company and its customers. If a particular infrastructure process or data set were gone, what would the damage to the company be? This should be measured in terms of both direct revenue loss and reputational loss.

Third, businesses must determine the level of investment the company is willing and able to make to protect each asset, including all types of data. An honest cost-benefit analysis and an assessment of the company's financial health should feed into the level of investment required and be weighed against other business priorities.

Although these baseline evaluations are often tasked to particular management and technical teams, a company's leadership team bears ultimate responsibility. An effective leadership team knows what assets the company has, the value of each, the risks related to each, and the investment that should be made to protect them based on the business's risk tolerance. A healthy information security practice delivers an effective risk analysis that allows businesses to make these critical decisions.

Heads: Mitigating InfoSec Risks in Business Processes and in Technical Choices

Beyond the baseline evaluations, the information security side of the equation requires that businesses drill down into the origin of risk. A sound plan should consider risk that comes from business processes as well as from technical choices.

With respect to risk in business processes, company leaders should ask:

● What vendors do we use, and do we understand their processes and protections?

● Are there third-party requirements such as standards and regulations like ISO 27001, SOC and HIPAA?

● Have we evaluated our contract management processes? Are these processes fully understood?

● What kinds of confidentiality agreements do we have in place?

● How educated are employees on information security risks? Are they trained properly regarding the acceptable use policy and how to protect infrastructure and data?

● Is change management established to prevent infrastructure and data from being compromised by mistake or deliberately?

● If we are a software company, are engineering practices in place to make sure code is developed securely?

● What regulatory laws are applicable to our business in the regions we operate in?

With respect to technical choices, company leaders should ask:

● What technical controls are in place for every asset, and do we know where every asset is located and who has access?

● Are appropriate antivirus and malware protections in place?

● Are the right tools in place to identify other kinds of malicious behavior?

● Is strong network protection in place, such as firewalls and next-generation options for enterprises?

● Are there different layers of application filtering and strong access control systems in place?

● Are there logging tools in place that ensure good visibility into what's happening inside the infrastructure?

● Are there monitoring tools in place to detect anomalies that may compromise servers and other infrastructure?

For every interface from which critical information can be accessed, a company needs a tool or mechanism in place to identify what's happening. The bottom line with risk, however, remains twofold. If information security is not baked into the ongoing business processes that support daily and changing business needs, a security threat can completely bypass all the powerful technical tools in place. A CISO can spend a million dollars on technical security and backup and disaster recovery tools, but risks will remain if business processes are poorly managed. Making sure a company invests in securing those “softer” processes as well as its technical tools is key, and an often-overlooked part of information security.

It is noteworthy that approaches like zero trust architecture are best suited to mature enterprise security programs that can accommodate the level of granularity zero trust requires. Zero trust makes sense for banks or companies with financial data, intellectual property or other high-value information, where the security topology already features robust process management and significant financial investment. Despite its value, SMBs and midsized businesses typically are not able to make the investment in tools, people and processes that zero trust requires.

Tails: Upon Disruption, Planning for Optimal RPO and RTO. Your response to incidents is as important as your defense against them.

If a business disruption does occur and breaks through a company's administrative processes and technical defenses, whether via attack or non-malicious disaster, disaster recovery planning dovetails with infosec incident management. For disaster recovery, two key metrics come into play, and both are very important for business leaders to understand.



Recovery Point Objective (RPO) is the maximum amount of data, expressed as a period of data loss, that a company can lose and still be viable; in practice it bounds how old the last usable backup may be. Recovery Time Objective (RTO) is the time allowed after a disaster until business operations are functioning normally again, with resources available for use. Financial institutions with sensitive data and real-time transactions require a much smaller RPO and RTO, seconds or minutes, than other kinds of businesses that may be able to withstand hours of data loss and days until recovery. An RTO of two minutes versus 24 hours equates to a very different level of investment in people, processes and availability. Do your security and disaster response plans allow you to meet these objectives? Do you have the people and technical resources to execute on these plans?
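A practical check of these two objectives against evidence rather than intent, added here as an example and not code from the original article: given the completion times of successful backups and the measured duration of restore drills, it reports the worst gap between backups (the RPO actually achieved), which intervals broke the RPO, how much data an incident at a given moment would have cost, and whether the slowest drill fits inside the RTO. The timestamps and drill durations are constructed sample data, and the function names are this example's own.

```python
"""Evaluate RPO/RTO against backup and restore-drill evidence.

Added example, not code from the original article. Sample data below is
constructed for illustration.
"""
from datetime import datetime

# Constructed sample: completion times (ISO 8601) of successful backups of one
# system. The schedule is every six hours; the 2021-06-02 06:00 run failed.
BACKUP_COMPLETIONS = [
    "2021-06-01T00:05:00",
    "2021-06-01T06:04:00",
    "2021-06-01T12:07:00",
    "2021-06-01T18:02:00",
    "2021-06-02T00:06:00",
    "2021-06-02T12:09:00",
    "2021-06-02T18:03:00",
]

# Constructed sample: measured wall-clock minutes of the last three restore
# drills for the same system.
RESTORE_DRILL_MINUTES = [38, 45, 52]


def _parse(stamps):
    """ISO timestamps -> sorted datetimes (hypothetical helper)."""
    return sorted(datetime.fromisoformat(s) for s in stamps)


def _hours(delta):
    return delta.total_seconds() / 3600


def max_backup_gap_hours(stamps):
    """Largest interval between consecutive successful backups: the worst
    RPO actually achieved over the period, whatever the schedule says."""
    times = _parse(stamps)
    gaps = [_hours(b - a) for a, b in zip(times, times[1:])]
    return max(gaps) if gaps else 0.0


def rpo_violations(stamps, rpo_hours):
    """Pairs (previous, next) of backup completions whose gap exceeds the RPO."""
    times = _parse(stamps)
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(times, times[1:]) if _hours(b - a) > rpo_hours]


def worst_case_data_loss_hours(stamps, incident_iso):
    """Hours of data lost if an incident strikes at incident_iso: the age of
    the last backup completed before it. None if no backup predates it."""
    incident = datetime.fromisoformat(incident_iso)
    before = [t for t in _parse(stamps) if t <= incident]
    return _hours(incident - before[-1]) if before else None


def rpo_met(stamps, rpo_hours):
    return max_backup_gap_hours(stamps) <= rpo_hours


def rto_met(drill_minutes, rto_minutes):
    """Judge RTO by the slowest observed drill, not the average: the objective
    has to hold on a bad day."""
    return max(drill_minutes) <= rto_minutes


def assess(stamps, drill_minutes, rpo_hours, rto_minutes):
    """Compact report for a continuity owner."""
    return {
        "max_backup_gap_hours": max_backup_gap_hours(stamps),
        "rpo_met": rpo_met(stamps, rpo_hours),
        "rpo_violations": rpo_violations(stamps, rpo_hours),
        "slowest_restore_minutes": max(drill_minutes),
        "rto_met": rto_met(drill_minutes, rto_minutes),
    }


if __name__ == "__main__":
    # Policy for this system: RPO 8 hours (six-hourly backups with margin),
    # RTO 60 minutes.
    for key, value in assess(BACKUP_COMPLETIONS, RESTORE_DRILL_MINUTES,
                             rpo_hours=8, rto_minutes=60).items():
        print(f"{key}: {value}")
```

The sample schedule runs every six hours, but one run failed and opened a twelve-hour gap, so a policy RPO of eight hours is missed even though the schedule on paper meets it. Measuring against the backup log rather than the schedule is the point, and the same logic applies to RTO, which is why the check uses the slowest drill rather than the average.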

Another key consideration for disaster recovery planning is how to use cloud and on-premises resources. Enterprises with highly customized infrastructure may benefit from hosting their own data center or leveraging hybrid-cloud deployments. Smaller to midsized companies, where workloads are not as customized, may achieve a better return on investment (ROI) with a cloud provider. Public cloud enables efficient spin-up and gets infrastructure back online quickly when there is no need for heavy customization of services.

Companies must seek to safeguard business continuity both before disruption occurs and after the fact. Since the weight of a potential disruption to normal business operations can be crippling, business leaders need to assess both information security and backup and disaster recovery clearly. A data protection plan that includes both will ensure that the best and safest path forward is always available, on either side of the business continuity coin.

About the Author

Adam Berger is VP of Global IT and Cloud Operations at Infrascale. Prior to Infrascale, Adam managed cloud operations organizations at VMware, OVHcloud US and AWS. In his career, he has helped grow and run operations teams that provide world-class infrastructure support, security and compliance as well as technical support.

As the Director of Cloud Operations at VMware, he grew the cloud operations infrastructure team supporting the vCloud Air platform, which expanded globally over three years. This included establishing a centralized global NOC, platform engineering teams and operational tooling development teams across the US, APAC and EMEA. At OVHcloud US, as Senior Director of Operations, he continued managing vCloud Air (purchased by OVH) while helping the France-based company establish its US footprint. This included helping launch the US service offering, operationalizing two new data centers, building the security and compliance organization and establishing the internal IT support functions. Most recently he was with AWS, where he served as the global service owner for EC2 in their technical support group. Adam can be reached online at https://www.linkedin.com/in/adamlberger and at our company website https://www.infrascale.com/.



Biometrics Challenges<br />

By Milica D. Djekic<br />

The armed guys have approached a bank and made an assault to its office. The security manager has<br />

followed procedures and the criminals have collected money safely leaving the crime scene. After several<br />

minutes the Police patrolling has arrived there. They have started an inspection as well as interviewing<br />

of all people being present at the crime scene at that moment. That seems as a lot of hard work. The first<br />

step the authorities have taken is collecting the findings and evidence from the place of the crime. The<br />

video monitoring system has served its role, but there have been some fingerprint and DNA footages as<br />

well. So, they have gotten an identity of offenders, but the good question is how they might track their<br />

route. The experienced investigators know that the criminals could take some of the communication<br />

devices with themselves, so that search could be run, too.<br />

It appears that is only an empty bullet, as the offenders have switched off their devices while on the crime scene. In other words, the authorities can learn who they are, but not where they are. It seems like a maze, does it not? Think twice! If the Police work with the offenders’ biometric parameters, they can run a search through domestic and international databases looking for ID documents that match such a criterion. Next, they do so and bingo: several passports with those biometric inputs have been found for the same fingerprint trace. In other words, now the authorities know those guys are using fake passports. And what then? Still unclear? Basically, no!<br />

What is possible to do in such a case is to figure out that the bank robbers need to make some route after committing the crime. They need communication, logistics and accommodation in order to stay on the surface. Above all, they use fake ID cards and passports, but the biometrics on those documents are theirs. If not, they would fail at the simplest identification anywhere. Also, it is obvious that someone has inserted those data into the Police register. Some corrupt staff or a clever hacker, it does not matter! The fact is the criminals are always on the move, and sooner or later they will need to give their details for scanning if, for instance, they want to cross some border. That is the moment the smart investigators have been waiting for. In other words, if that location and time are known, it is possible to search for devices present then and there. Bingo again! The investigation has gotten the signal, and the entire history and ongoing route have been discovered. The bad guys need some accommodation to spend their time, so it will be a piece of cake to get those asset connections as well as all the contacts made from there. It seems it is not that hard to track the biometrics, right?<br />

New tendencies could bring a better focus on offenders who deactivate their devices at the place of checking out, but it is quite challenging to be that uncatchable, so far. Anyhow, we need smart policing that will always be at least one step ahead of threats; as the bad guys have the capacity to think, we must do so better than them.<br />

About The Author<br />

Milica D. Djekic is an Independent Researcher from Subotica, the Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for some domestic and overseas presses and she is also the author of the book “The Internet of Things: Concept, Applications and Security”, published in 2017 by Lambert Academic Publishing. Milica is also a speaker with the BrightTALK expert’s channel. She has been a member of ASIS International since 2017 and a contributor to the Australian Cyber Security Magazine since 2018.<br />

Milica's research efforts are recognized by the Computer Emergency Response Team for the European Union (CERT-EU), Censys Press, BU-CERT UK and the EASA European Centre for Cybersecurity in Aviation (ECCSA). Her fields of interest are cyber defense, technology and business. Milica is a person with disability.<br />



Epic V. Apple Trial - Impact of Big Tech Battles on<br />

Consumers' Rights<br />

By Brad Ree, CTO, The ioXt Alliance<br />

Recently, popular app Fortnite’s parent company, Epic Games, took Apple to court over the hold the tech giant has over the app store ecosystem. The argument being made was that the Apple App Store is a monopoly that stifles competition by charging exorbitant rates on purchases in the store, and that Apple breached antitrust laws by removing apps, including Fortnite, from the store. Epic Games is fighting for app developers’ rights, which would remove Apple’s power and require a shift in policies to allow developers to include in-app purchases without Apple taking its 30% “Apple tax” commission; this has the potential to permanently alter the mobile apps industry.<br />

As the closing arguments came to an end and we await a verdict, this “app battle royale” has certainly<br />

raised other questions on tech companies’ effect on consumers. When companies such as Apple put up<br />

walls and don't allow for competition within their devices or app stores by blocking outside apps and<br />

integrations within the ecosystem, the consumers’ right to choose is impacted.<br />

If Epic Games wins the trial, the iOS store market will be forced to open to many, which would be a win for app developers and consumers, but could come with security risks if not managed properly. The app store and developers need to consider how they should emphasize safety so that consumers are able to make informed decisions on what they download, to mitigate security risks and put app users first.<br />

What do more open mobile ecosystems mean for the industry<br />

A more open app ecosystem would increase competition and allow consumers to have a bigger pool of<br />

apps to choose from. While competition benefits consumers, it also could open them up to some unknown<br />

risks and security vulnerabilities – especially as there aren’t currently universal security standards for app<br />

development.<br />

To execute a secure, open mobile app market properly, standards need to be put in place to ensure apps<br />

are developed with security in mind from the start to protect all consumers, and developers, from the<br />

devastating impacts of a data breach.<br />

Why the mobile app industry needs security standards<br />

According to Apple, its security standards in the iOS store are high, which is why it limits developers in its store and how it has earned consumers’ trust, and opening its ecosystem to other developers could threaten that. However, if it did open the store, Apple could adopt security measures for mobile apps to encourage competition and guarantee that any new and current apps have been developed per the guidelines that make them cyber-secure. To be most effective, security standards should be based on industry-wide agreement and managed by a third party whose only interest is securing the applications for the consumer. Apple setting the standards and being the sole judge and jury leaves it in the same controlling seat it is already in.<br />

Transparency from the developers and the app stores needs to play a bigger role to protect consumers and give them the resources to make informed decisions on their downloads. Universal security<br />

standards for mobile apps could help create a safer environment for end-users and help provide cohesive<br />

guidelines for industry stakeholders to align with to mitigate security risks and put consumers first. There<br />

are already mobile app standards available through industry-led organizations such as the ioXt Alliance,<br />

which could help create uniformity when it comes to security across the mobile app ecosystems if<br />

implemented. With standards in place, consumers can be in control of their downloads and app<br />

developers could safely participate in the app store with minimal risks.<br />

The Epic Games vs. Apple trial has the potential to change the mobile apps industry if the verdict is<br />

swayed in Epic Games’ favor. This could set a standard to stop big tech companies from monopolizing<br />

ecosystems and stifling consumers’ right to choose, giving other developers a chance to benefit from an<br />

open market. Universal standards in place for mobile app development would help create a safer mobile<br />

apps industry and hold the app store and developers accountable to uphold security for all end-users –<br />

thus putting consumers first in this competitive market.<br />



About the Author<br />

Brad Ree is the Chief Technology Officer at the ioXt Alliance,<br />

the leading organization for IoT standardized security and<br />

privacy requirements. In this role, he leads ioXt’s security<br />

products supporting the alliance. Brad holds more than 25<br />

patents and is the former security advisor chair for Zigbee. He<br />

has developed communication systems for AT&T, General<br />

Electric, and Arris. Before joining the ioXt Alliance, Brad was<br />

vice president of IoT security at Verimatrix, where he led the<br />

development of blockchain solutions for ecosystem operators. He is highly versed in many IoT protocols<br />

and their associated security models.<br />

Brad can be reached at the ioXt Alliance company website: https://www.ioxtalliance.org/<br />



How The Pandemic Has Changed the Value of Health<br />

Data<br />

By Aman Johal, Lawyer and Director of Your Lawyers<br />

The 11th March marked one year since the World Health Organisation (WHO) declared the Covid-19<br />

outbreak a pandemic. To date, over 34,505,380 people in the UK have been vaccinated, paving the way<br />

for a return to normality by allowing the easing of restrictions. At present, people who have had a Covid<br />

jab receive a vaccination card and the details are stored on their medical records. The government is<br />

now considering how people could prove their Covid vaccination status, with vaccine passports the most<br />

likely solution as "a temporary measure". The hope is that this could reduce social distancing and facilitate<br />

international travel.<br />

According to UK government sources, the NHS app could host the vaccine passports, although it is<br />

unclear how far the project has progressed. A government source reportedly told the BBC that the app<br />

will not be ready “imminently”, while Vaccines Minister Nadhim Zahawi said work is underway to prepare<br />

it.<br />

However, the use of vaccine certification is proving controversial. Basing the passport on an app may<br />

discriminate against those with low incomes or older people who don’t have access to smartphones, and<br />

some may be unable or unwilling to have a vaccine. There are also worries that the immunity passports<br />

could pave the way for a full ID system, which civil rights group Liberty said could permanently curb rights<br />

and freedoms once the pandemic is over. Added to this, they could potentially heighten the risk of data breaches, because large amounts of highly private information could be readily available if a hacker gets access to a mobile device.<br />

The rise in cybercrime<br />

During the last year, the UK has seen a significant rise in cybercrime which was likely worsened by the<br />

pandemic. <strong>Cyber</strong>security firm ESET analysed the state of cybercrime in the UK for 2020, and identified<br />

an increase of 19% compared to 2019. The UK Government has announced “ground-breaking” plans to<br />

protect consumers using smart devices from cyberattacks. As sales in smart devices soar (up 49% since<br />

the start of the coronavirus pandemic), cybercriminals continue to become more adept at exploiting<br />

security weaknesses. Many devices remain vulnerable to attack, and just one vulnerable device could<br />

jeopardise a whole network – as illustrated by the 2017 North American casino attack.<br />

The legalities surrounding vaccine passports<br />

It is important to dissect whether companies like airlines can legally require travellers to input vaccination<br />

information, as the entitlement to process medical data normally requires consent. However, if it became<br />

a prerequisite for travel, the focus then is on whether a person wishes to travel or not. We should not<br />

simply assume consent.<br />

An overarching consideration is the highly sensitive nature of the information in question. The<br />

confidentiality and sensitivity of medical records makes them prized assets for cybercriminals, and<br />

potentially raises the chances of a data breach occurring.<br />

Compensation pay-outs for offending businesses are often far more costly because of the increased<br />

potential for consumers to experience distress and psychological trauma from breaches or leaks involving<br />

medical data. For example, victims of the 2018 British Airways (BA) data breach could be eligible to claim<br />

up to an estimated £16,000 in cases of severe psychological distress. Comparatively, in the case of<br />

the 56 Dean Street data breach in 2015, when a leak exposed the contact details of almost 800 patients<br />

using the clinic for HIV services, the most seriously affected claimants could potentially receive damages<br />

of up to £30,000.<br />

The importance of health data<br />

Storing any type of personal consumer data comes with risks. BA suffered two significant data breaches<br />

in 2018, exposing the personal information of more than 420,000 customers. As a result, the Information<br />

Commissioner’s Office (ICO) issued BA with a £20m fine, with the total compensation pay-out in the<br />

group action against BA potentially reaching an additional £2.4bn.<br />

Health data is among the most valuable data a cybercriminal can steal, with a single health record<br />

reportedly costing $250 on the black market, compared to a reported $5.40 for payment card details.<br />

Vaccine passports could heighten the risk to health data: increased accessibility may result in more cybercriminals targeting the public’s health information as we loosen restrictions over the next few months.<br />

Gary Cantrell, Head of Investigations at the HHS Office of Inspector General, said hackers tend to steal<br />

medical records because they are like "a treasure trove of information about you." They can contain a<br />

patient's full name, address history, financial information, and National Insurance numbers, which can be<br />

enough information for hackers to take out a loan or set up a line of credit under patients' names.<br />

Increasingly, hackers are selling information for profit on the black market. According to Reuters, buyers<br />

might use the information to create fake IDs to purchase medical equipment or drugs, or to file a false<br />

insurance claim.<br />

The impact of medical data breaches<br />

As we increasingly rely on technology, hackers are finding new ways to attack IT systems, disrupt<br />

computer networks, and steal information. There can be huge benefits when patient data is used<br />

responsibly to save lives and advance medical research, but it is undeniable that it comes with risks.<br />

The potential impact of a data breach often depends on the circumstances. Someone who has a sensitive<br />

medical condition may be much more concerned if part of their medical history was exposed or disclosed.<br />

The possibility that it might fall into the wrong hands could cause them emotional distress.<br />

According to Brandon Reagin, a victim of medical record theft, it's a "mess." Reagin's identity was stolen<br />

in 2004, and the person who accessed Reagin's personal information used it to steal cars and rack up<br />

$20,000 worth of medical procedures. He was reportedly unable to get the charges scrubbed from his<br />

credit report "until the next billing cycle." Then, the process would start all over again.<br />

The person who stole Reagin's identity served time in prison. But, 17 years later, he still hasn't been able<br />

to undo all of the damage, including to the integrity of his own medical files, as the “hospital may still have<br />

his information, his blood type under my name at that hospital… It's a little weird to think".<br />

Proactive steps consumers and healthcare providers can take to protect their data<br />

Healthcare providers and their business associates must balance delivering quality patient care with<br />

protecting patient privacy, always ensuring that they are meeting the strict regulatory requirements set<br />

out in legislation, such as the General Data Protection Regulation (GDPR).<br />

Healthcare staff can protect information with a number of measures including:<br />

• educating staff;<br />

• restricting access to information and applications;<br />

• implementing data usage controls;<br />

• logging, auditing and monitoring use;<br />

• encrypting data both on servers and when it is being transferred;<br />



• securing mobile and remote working devices;<br />

• mitigating connected device risks by conducting regular risk assessments;<br />

• backing up data to secure offsite locations;<br />

• carefully evaluating the security and compliance of business associates.<br />

The past has taught us that protecting information in the healthcare industry is not an easy task, but an<br />

important one nonetheless – even more so in a post-pandemic world.<br />

About the Author<br />

My name is Aman Johal, I am a lawyer and director at<br />

Your Lawyers.<br />

Aman can be reached online at his company website<br />

https://www.yourlawyers.co.uk/<br />



Galvanizing the <strong>Cyber</strong> Workforce in Private Industry<br />

An agile approach for developing key talent<br />

By Brandon Rogers | CEO & Principal Consultant | Paradoxical Solutions, LLC<br />

Introduction<br />

Cyber is a highly specialized field in which talented individuals are in high demand, yet there is so much that is unknown about the field itself. How is it that we know the field of cybersecurity is the future, on the horizon and unparalleled in employment opportunity, but lack so much of the fundamental knowledge of what is needed in the field?<br />

According to cyberseek.org, there are approximately 465,000 cyber security job openings across the US<br />

in both private and public sectors (<strong>Cyber</strong>seek, <strong>2021</strong>). With the development of the National Institute of<br />

<strong>Cyber</strong>security Engineering (NICE) framework, the regulations defined by the National Institute of<br />

Standards and Technology (NIST) and the National Institute of <strong>Cyber</strong>security Careers and Studies<br />

(NICCS), the public sector has made great strides to develop cyber career pathways for government<br />

employees. In the private sector, there needs to be a similar push for organizations, as cyber<br />

vulnerabilities are a huge threat to corporations and proprietary information.<br />



This topic has great relevance because national security and protecting proprietary information are<br />

pressing issues on the minds of many corporate leaders. In addition to this, especially in a COVID<br />

environment, the way that we work is rapidly evolving. There is a high demand and short supply of<br />

talented cyber professionals and it seems that there is a need for a cyber version of “Talent Management”,<br />

and there is great need for versatility and agility in designing the cyber workforce of tomorrow.<br />

Observations from the field<br />

In both private and public industries, workforce development is usually broken into two separate<br />

functions: talent management and organization development. Talent management is usually positioned<br />

to focus on high potential individuals (a small subset of the full workforce), while organization<br />

development has been stated to encompass the whole. As the field of cyber security expands and<br />

organizations rush to fill the demand across the world, it seems that cyber career development is<br />

becoming a nearly separate initiative to talent management and organization development. It is<br />

imperative that cyber, organization development and talent management professionals begin to<br />

collaborate and dig deep into the field in its nascency to understand the needs of the upcoming workforce.<br />

For roughly six months, I had the opportunity to work as a contractor to a federal organization in a role<br />

focused on cyber workforce development. It was during this time that I learned about the various<br />

initiatives being taken within the public sector to strengthen national security defense against cyberattacks.<br />

One of the key efforts being taken was to develop cyber career pathways and comparative<br />

roles between sibling fields (i.e., information technology, project management, etc.) and one of the most<br />

interesting observations I noted was the creation of a focused role specific to cyber workforce<br />

development. It’s become apparent to me that the public sector may be on to something; private industry<br />

should consider establishing such a function as well.<br />

Establishing a dedicated role for cyber workforce development<br />

When taking a step back to consider the compartmentalized nature of these three areas, relevant research by Bazerman et al. introduces two distinct concepts that inhibit creativity and explain why this concept of a new hybrid role has not yet emerged (Bazerman et al., 2013, p. 63):<br />

• Bounded rationality – suggests that our thinking is limited and biased in systematic ways.<br />

• Bounded awareness – prevents people from noticing or focusing on useful, observable and<br />

relevant data.<br />

The concepts of bounded rationality and bounded awareness continue the mindset of the past and<br />

potentially obstruct the logic for such a position to be created in the future. As private companies aim to<br />

protect critical business information, it may be well worth the time to develop key resources to create a<br />

strong team of cyber individuals. An effort of this magnitude highlights the need for organizations to have<br />

a resource with the combined skills of a talent management, organization development and cyber<br />

professional to execute such an endeavor.<br />

In order to identify key talent, it requires a seasoned cyber professional to understand the technical<br />

aspects of each role to build strengths, close gaps, and recognize the attributes necessary to be<br />

successful in cyber. In addition to technical acumen, a working knowledge of the human capital lifecycle<br />



and organizational enablement is necessary to understand how to grow talent. Relevant literature<br />

supports the idea of hybrid roles when discussing the concept of the Versatilist, or “people whose<br />

widening portfolios of roles, knowledge, insight, context and experiences can be applied and recombined<br />

in numerous ways to fuel innovative business value” (Bopp et al., 2010, p. 130).<br />

One way to visualize such a role is through the cyber workforce development logic model:<br />

Cyber Workforce Development Logic Model. Rogers, 2021<br />

The logic model establishes and visualizes a dedicated role (the cyber workforce development versatilist)<br />

for an individual that possesses the skills of a talent management and organizational development<br />

professional, and the arrows indicate support from those dedicated functions. This individual also<br />

possesses the technical skills of a cyber expert, and the light arrow indicates foundational support from<br />

information technology and cybersecurity. The expert is then able to properly support, grow, and<br />

enhance professionals at any stage of their career.<br />

Potential arguments and considerations<br />

With any new idea, there is always inherent risk. A potential argument to this proposal is that having a<br />

cyber workforce development versatilist role could be considered a duplication. As talent management<br />

and organization development professionals are skilled in developing individuals across the human<br />

capital lifecycle, the responsibility of recruiting by identifying expertise could be shifted to hiring<br />

managers. Hiring managers typically possess the technical skills and (ideally) have moved into<br />

management roles based on their ability to lead. As they possess the necessary skills needed to identify<br />

and recruit talent, they could work with talent management/organization development professionals to<br />

get the same result.<br />



I recommend that leaders of private organizations consider this framework and a dedicated role to cyber<br />

workforce development as there is a great need and not enough bandwidth on either side to ensure<br />

focused development of cyber professionals. Should this approach be adopted, private organizations<br />

(which tend to have less of a cyber team, and instead a cyber individual) would be able to better prepare<br />

for cyber threats and ultimately protect proprietary information. In addition to this, organizations would<br />

become more aware of the resources needed for proper cyber security and have a dedicated<br />

professional(s) for managing and developing those employees across the human capital lifecycle.<br />

Conclusion<br />

Ultimately, the key position is that the landscape of cyber is brand new and there is a great deal that we<br />

do not know about it, yet we still need to prepare. In order to do so, the public sector should consider<br />

developing a specific role (cyber workforce development versatilist) to develop that specific subset of<br />

talent. A cyber workforce professional would have the ability to conduct the responsibilities of a Talent<br />

Management/Organization Development professional but would also have the technical expertise of a<br />

cyber professional. That unique skillset would enable them to identify, recruit and develop talent and<br />

galvanize the workforce.<br />

About the Author<br />

Brandon Rogers is the Chief Executive Officer and Principal<br />

Consultant of Paradoxical Solutions, LLC and a second-year student<br />

at Bowling Green State University in the Doctorate in Organization<br />

Development and Change program. In his most recent role, he was<br />

responsible for cyberspace workforce development with a federal<br />

agency. Before this role, he worked at Honda R&D Americas and was<br />

responsible for implementing engineering tools for requirements<br />

management and Agile project management initiatives for the vehicle<br />

integrated controls department. Brandon graduated from Kent State<br />

University with a BA in I/O Psychology and obtained his MS in Positive<br />

Organizational Development and Change from Case Western Reserve<br />

University. Brandon can be reached online via email<br />

(Brandon.Rogers@paradoxicalsolutions.com) and at his company<br />

website www.paradoxicalsolutions.com.<br />



Play 'Smart' on the Crime Scene<br />

By Milica D. Djekic<br />

In criminology, the crime scene is a transferable term that can cover many physical locations at the same glance. Also, that spot can be correlated with one or more offenses, and so it is important to apply policing as well as investigation skill in order to make an accurate estimate of what really happened. It is quite hard to explain what occurred somewhere, and for such a purpose it is necessary to organize many officers, detectives and investigators who are capable, during a certain period of time, of documenting the entire situation and doing some tracking after the crime has been committed. The crime scene spot on its own can be permanent or temporary, depending on whether the criminals’ activities are linked to the spot only for a few hours or, apparently, for several years. In case anyone is exploiting or producing some good, it is clear that such a group will not change its location that frequently. On the other hand, in looting scenarios the offenders will just attack some place and vanish. In both cases, playing smart on the crime scene means leaving no trace in cyberspace; some well-organized criminal groups know so and, say, in an armed robbery they will switch off their devices that rely on the local telecommunication or satellite infrastructure. As is known, the best way to avoid tracking is to keep the device away from the crime scene or remove its battery from the housing, as that is the most convenient method to stay invisible. In this article, we will take a look at the possibilities of the interconnected world to get disconnected sometimes, as well as analyze how it is feasible to avoid criminal justice tracking for some time, but also why the perfect crime is never committed, as it does not exist, since absolute security is still impossible.<br />

Many of us have read news saying that some criminal group or syndicate committed a serious offense and was consequently arrested after some period of time. Immediately after the incident, investigators appeared on the crime scene and collected findings and evidence. Some time passed while the entire occurrence was under investigation, so the criminals were not caught that promptly. After, say, several months, the law enforcement agency announced that the offenders were finally behind bars and that the entire case was awaiting its epilogue in court. It is quite challenging to prove someone's guilt and issue some kind of punishment, so it is clear why good investigation and clue-collecting procedures matter. Indeed, part of the public will be amazed by such effective police work, while many will wonder how the officers accomplished such a demanding task. The fact is that the bad guys did not play that smart on the crime scene: they took their activated devices with them. What does that mean? If anyone is using an internet, cell phone or satellite communication service, their signal will leave a footprint within the local ICT infrastructure. Any device within range will do plenty of recalling within sub-second intervals, and in doing so it sends the information that it is still part of the local grid. That recalling is crucial: if it is happening, the local service provider can be quite confident that the trace comes from that device. Another good question is how we can know that such a device belongs to that offender.

In the looting sort of crime, when a place or person is attacked, there will be plenty of security cameras that precisely determine and record the moment of the offense. On the other hand, if we know the time and place, we can confirm with the local network whether it caught the signal of any portable device using internet, cellular or satellite connectivity to communicate with the rest of the environment. That was a piece of cake, was it not?

About The Author

Milica D. Djekic is an Independent Researcher from Subotica, the Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for some domestic and overseas presses and she is also the author of the book "The Internet of Things: Concept, Applications and Security", published in 2017 with Lambert Academic Publishing. Milica is also a speaker on the BrightTALK expert's channel. She has been a member of ASIS International since 2017 and a contributor to the Australian Cyber Security Magazine since 2018. Milica's research efforts are recognized by the Computer Emergency Response Team for the European Union (CERT-EU), Censys Press, BU-CERT UK and the EASA European Centre for Cybersecurity in Aviation (ECCSA). Her fields of interest are cyber defense, technology and business. Milica is a person with disability.



The Top 10 Cybersecurity Conferences of 2021

By Nicole Allen, Marketing Executive, SaltDNA.

If you're anything like us, you love going to technology and cyber conferences. Expert forums, opportunities to test out emerging innovations, and opportunities to network with those in the industry are just a few of the reasons attendees enjoy these events. It's important for business and security executives who want to implement successful cybersecurity programmes to stay up to date on industry best practices and technologies. That's why we've compiled a list of the best conferences to attend in 2021 from around the world. There's bound to be an event on this list that fits your interests, regardless of your status or goals!

Despite the fact that COVID-19 has put an end to in-person industry conferences in most countries for the time being, the cybersecurity events calendar has remained impressively busy. Indoor events will almost certainly be among the last to return to normal once the Covid response-mandated restrictions in several countries are lifted. However, due to the widespread availability of vaccines, certain information security events scheduled for the second half of 2021 will be held in person. Whether or not such plans are carried out, there may be no going back to the way things used to be.

It will be interesting to see how many formerly in-person events stick with the online model, follow a hybrid model where those who can't participate can instead stream presentations, or dismiss the hybrid alternative altogether.



1. Infosecurity Europe

Where: Olympia, London

When: 8th-10th June 2021

The biggest cybersecurity conference in Europe is Infosecurity Europe. This year marks the 25th anniversary of the three-day festival. This year's theme is "resilience." Hours of information and cybersecurity content will provide attendees with realistic insight into governance, risk management, and compliance, identity and access control, data privacy, and threat intelligence.

It is the European marketplace for information security professionals to conduct business, learn about industry trends, and communicate with current and potential clients or suppliers. Exhibitors will present the most diverse selection of new products and services on the market at the show. In addition, an unrivalled complementary education network draws delegates from all over the world. It will provide you with business-critical knowledge, best practice, and realistic case studies while addressing the most recent issues and needs.

2. 2021 National Cyber Summit

Where: Huntsville, AL

When: 8th-10th June 2021

The National Cyber Summit is a premier cyber security-technology event that provides industry visionaries and rising leaders with unique educational, collaborative, and workforce development opportunities.

The Summit gathers both government and business participants and is held in Huntsville, Alabama, one of the United States' greatest technical hubs. Huntsville has long been renowned as the home of Department of Defense and civilian departments and agencies such as DHS, NIST, NASA, TVA, NSA, and DOE, but it also has a diverse range of companies. Healthcare, automotive, and energy industries, as well as academics, genetic research, and high technology, are all represented.

3. Hack In Paris

Where: Maison de la Chimie, Paris

When: 28th June - 2nd July

This event is for hands-on cybersecurity enthusiasts, and it includes realistic laboratories, seminars, and wargames where you can put your hacking skills to the test against your peers. Hands-on malware analysis and reverse engineering training with Amr Thabet, a vulnerability researcher at Tenable, is among the notable training sessions already announced.



4. Black Hat USA 2021

Where: Mandalay Bay Convention Center, Las Vegas

When: 31st July - 5th August 2021

Black Hat USA, now in its 24th year, is hosting a unique hybrid event experience, giving the cybersecurity community the option of how they want to participate. Black Hat USA 2021 will kick off with four days of virtual training (July 31-August 3) that will be delivered in real time online with all instructors available at all times. The two-day main conference (August 4-5), which will include Briefings, Arsenal, Business Hall, and more, will be a hybrid event, including both an online (virtual) and a live, in-person event in Las Vegas.

These trainings, which are often only available during Black Hat, are given by professionals from around the world and provide an opportunity for offensive and defensive hackers of all levels to gain firsthand technical skill-building.

5. DefCon 29

Where: Las Vegas, Nevada

When: 5th-8th August 2021

DefCon is the oldest event on the list, having been hosted for the first time in 1993. It is a hands-on gathering for amateur and professional hackers. The identities of the 25,000 attendees are kept hidden, and the event features lock-picking contests, cypher challenges, and technical pranks in a competitive atmosphere. Even the conference badges are highly complicated electronic artefacts full of challenges, rather than basic laminated pieces of paper.

The badge challenge, which consists of many "sub-puzzles" placed around DEFCON, is one of the most popular cryptographic puzzle challenges at DefCon. Some tasks are classics that occur every year, while others are famously tough to solve.

6. Women in Cybersecurity

Where: Denver, Colorado

When: 8th-10th September 2021

This event honours women in academia, industry, and government who are leaders in the field of cybersecurity. It's a fantastic project to increase diversity in the cybersecurity field, encourage female leaders, and help each other advance. There is a special emphasis on encouraging female students to enrol, with scholarships and other forms of support. The list of speakers hasn't been released yet, but we're expecting it to be fantastic! If you're a woman in cyberspace, you should attend this event.

7. Cybersecurity & Cloud Expo Global 2021

Where: Business Design Centre, London

When: 6th - 7th September 2021

The Cyber Security & Cloud Expo event is co-located with the IoT Tech Expo, AI & Big Data Expo, and Blockchain Expo on 6-7 September in the Business Design Centre, and virtually from 13-15 September, so you can discover the future of these converging technologies under one roof.

As modern companies evolve, the conference agenda will address the genuine concerns that CISOs and security professionals face today. With an emphasis on collaboration and support for the security community, the organisers are displaying the most innovative and significant advances in the solutions industry. With a focus on learning and creating connections in the burgeoning cyber security and cloud arena, the conference will feature a series of top-level keynotes, interactive panel discussions, and solution-based case studies.

8. Gartner Security & Risk Management Summit

Where: Orlando, FL

When: 20th-22nd September 2021

The timetable and programme for 2021 are currently in the works. Gartner's own summary of the 2021 event is as follows: Over the course of four days, leaders from security, identity and access management, and risk management joined Gartner experts digitally to provide vital ideas on developing an effective, risk-based cybersecurity programme. The conference will provide the tools needed to establish agile security and IT risk management plans in order to manage the risk that comes with digital companies and to be better prepared for the next global shock.

9. InfoSec World

Where: Disney Coronado Springs Resort, Orlando, Florida

When: 25th-27th October 2021

InfoSec World has been the "business of security" conference for the past 25 years. While the agenda has yet to be released, we have no doubt that the organisers will put together a fantastic lineup of speakers this year, as they always do. The InfoSec World conference is one of the world's largest, bringing together information security professionals from all walks of life, industries, and fields of study, from over 100 nations worldwide.

The conference this year will combine the best of both worlds, with both an in-person and a virtual component. If you can, we recommend going in person because you'll be close enough to "breach" the Magic Kingdom main gate from the conference floor.

10. ACM Conference on Computer and Communications Security

Where: Seoul, South Korea

When: 14th-19th November 2021

The flagship annual conference of the Association for Computing Machinery's Special Interest Group on Security, Audit, and Control (SIGSAC) is primarily focused on research. Researchers, practitioners, developers, and users from all around the world will gather at the conference to discuss cutting-edge ideas and outcomes. The conference holds a range of keynotes with expert speakers specialising in information security, along with a variety of workshops to get involved in during the event.

If you can't wait for all of these events and are seeking a way to secure your organisation's communications in the meantime, please contact us.

About SaltDNA

SaltDNA is a multi-award-winning cyber security company providing a fully enterprise-managed software solution giving absolute privacy in mobile communications. It is easy to deploy and uses multi-layered encryption techniques to meet the highest of security standards. SaltDNA offers 'Peace of Mind' for organisations who value their privacy, by giving them complete control and secure communications, to protect their trusted relationships and stay safe. SaltDNA is headquartered in Belfast, N. Ireland; for more information visit SaltDNA.

About the Author

Nicole Allen, Marketing Executive at SaltDNA. Nicole has been working within the SaltDNA Marketing team for several years and has played a crucial role in building SaltDNA's reputation. Nicole implements many of SaltDNA's digital efforts as well as managing SaltDNA's presence at events, both virtual and in person, for the company.

Nicole can be reached online at (LINKEDIN, TWITTER or by emailing nicole.allen@saltdna.com) and at our company website https://saltdna.com/.



You asked, and it's finally here: we've launched CyberDefense.TV

Hundreds of exceptional interviews and growing…

Market leaders, innovators, CEO hot seat interviews and much more.

A new division of Cyber Defense Media Group and sister to Cyber Defense Magazine.



FREE MONTHLY CYBER DEFENSE EMAGAZINE VIA EMAIL

ENJOY OUR MONTHLY ELECTRONIC EDITIONS OF OUR MAGAZINES FOR FREE.

This magazine is by and for ethical information security professionals with a twist on innovative consumer products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best ideas, products and services in the information technology industry. Our monthly Cyber Defense e-Magazines will also keep you up to speed on what's happening in the cyber-crime and cyber warfare arena, plus we'll inform you as next generation and innovative technology vendors have news worthy of sharing with you, so enjoy. You get all of this for FREE, always, for our electronic editions. Click here to sign up today and within moments, you'll receive your first email from us with an archive of our newsletters along with this month's newsletter.

By signing up, you'll always be in the loop with CDM.

Copyright (C) 2021, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G. SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com, CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465, Cyber Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com

All rights reserved worldwide. Copyright © 2021, Cyber Defense Magazine. All rights reserved. No part of this newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content and we'll post it in the magazine for free, subject to editorial approval and layout. Email us at marketing@cyberdefensemagazine.com

Cyber Defense Magazine

276 Fifth Avenue, Suite 704, New York, NY 10001

EIN: 454-18-8465, DUNS# 078358935.

All rights reserved worldwide.

marketing@cyberdefensemagazine.com

www.cyberdefensemagazine.com

NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA)

Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 07/02/2021

Books by our Publisher: https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guysebook/dp/B07KPNS9NH

(with others coming soon...)



9 Years in The Making…

Thank You to our Loyal Subscribers!

We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know What You Think. It's mobile and tablet friendly and superfast. We hope you like it. In addition, we're shooting for 7x24x365 uptime as we continue to scale with improved Web App Firewalls, Content Delivery Networks (CDNs) around the Globe, Faster and More Secure DNS and CyberDefenseMagazine.com up and running as an array of live mirror sites and our new B2C consumer magazine CyberSecurityMagazine.com.

Millions of monthly readers and new platforms coming…starting with https://www.cyberdefenseprofessionals.com this month…
